Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla's 'Privacy Not Included' Gift Report Highlights Security Concerns (wired.com)

Posted by BeauHD on from the heads-up dept.

Mozilla has released its second annual "Privacy Not Included" guide that rates 70 products to help give you an idea as to how secure or insecure they are. "We want to provide people information about how to make informed decisions when shopping for gifts that are connected to the internet," says Ashley Boyd, vice president of advocacy at Mozilla. "These products are becoming really popular. And in some cases, it's easy to forget that they're even connected to the internet." Wired reports: Among the important signifiers of a trustworthy stocking stuffer, according to Mozilla's rubric: the use of encryption, pushing automatic software security updates, strong password hygiene, a way to deal with vulnerabilities should they arise, and a privacy policy that doesn't take a PhD to parse. The most surprising result of Mozilla's testing may be how many products actually earned its seal of approval. Thirty-three of the 70 items in the "Privacy Not Included" guide passed muster; fans of the Nintendo Switch, Google Home, and Harry Potter Kano Coding Kit can sleep a little easier.

On the other end of the scale, Mozilla highlighted seven products that may not hit the mark -- yes, including the sous vide wand, the Anova Precision Cooker. Also scoring low marks in Mozilla's accounting: the DJI Spark Selfie Drone (no encryption, does not require users to change the default password), the Parrot Bebop 2 drone (no encryption, complex privacy policy), and unsurprisingly, at least one baby monitor. The remaining 30 items on the list all exist somewhere in the murky middle, usually because Mozilla was unable to confirm at least one attribute. Which may be the real takeaway from the report: Typically, you have no reasonable way to find out if a given internet-connected device is secure. "If you can't tell, that says that there's a problem of communication between manufacturers and consumers," says Boyd. "We would love for makers of these products to be more clear and more transparent about what they're doing and not doing. That's a big place we think change is needed."

45 comments

  1. Pray tell by Anonymous Coward · · Score: 0

    What does mozilla know of "privacy"? They're not even that good at their core business, "FOSS". Or what was the argument to include closed-source "pocket" and make it hard or impossible to install again?

  2. Imagine Mozilla judging quality of others privacy. by Anonymous Coward · · Score: 0

    Considering they don't honor hosts files blocking Facebook. Fuck Firefox, fake privacy bullshit. Fuck outta here!

  3. Mozilla a mile above the fray by Anonymous Coward · · Score: 0

    Sure, nobody's perfect. But Mozilla clearly tries to work for the users not against. That makes them unique in their field(s).

    1. Re:Mozilla a mile above the fray by Anonymous Coward · · Score: 0

      If they work for the users not against them why do they do every excuse in the book to not read your hosts file?

  4. Drone FUD by Powercntrl · · Score: 4, Interesting

    I bought a DJI Spark last year. It does not need an active internet connection to fly. It also does not upload your flight records, photos, or videos to DJI's servers without manual intervention. The pictures/videos are stored on a standard MicroSD card. Mozilla is also incorrect in claiming it has a microphone - it does not (if it had one, all it would record would be the noise from the motors/propellers).

    Yes, the drone doesn't require you to change the default WiFi password, but that's because a unique password is already printed on each drone. While people have hacked control of these things under laboratory conditions, the extremely short battery life (approximately 14 minutes of actual time in the air) means you'll have landed and be long gone before anyone could "hack" your drone. All of that is assuming a malicious actor even knows your drone is in the air in the first place. At 400' up, the Spark is incredibly hard to see and nearly inaudible.

    The real reasons you wouldn't want to buy one of these things is that they're banned almost everywhere you'd really want to use one, and they're still kind of pricey for what is essentially a flying cell phone camera with extremely short battery life. As far as privacy risks go, again, it's a (flying) camera that geotags your photos/footage, which can lead to exactly the same privacy concerns as the camera which is already built into your smartphone.

    --

    ---
    DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
    1. Re:Drone FUD by Anonymous Coward · · Score: 0

      Mozilla is also incorrect in claiming it has a microphone - it does not (if it had one, all it would record would be the noise from the motors/propellers).

      I agree Mozilla seems to be playing fast and loose with how the present the information.

      I did, however, want to point out that several of the apps DJI publish to the Google Play store list microphone access in the app permissions. So while a microphone is not directly part of the product, it is still fair to say in terms of privacy that microphone use could be considered part of normal use of the product. The degree to which this is a privacy issue may still be up for debate.

    2. Re:Drone FUD by Anonymous Coward · · Score: 0

      I did, however, want to point out that several of the apps DJI publish to the Google Play store list microphone access in the app permissions.

      Mozilla is correct about the app - it accesses the microphone on a smart device to optionally record audio locally, while you're filming with the drone. However, Mozilla also claims the drone itself has a microphone, which it does not.

  5. Web Design by AmiMoJo · · Score: 5, Informative

    What a terrible web site. They only have photos of the items, no text descriptions of alt tags so you can't even identify some of them. And the good/bad icons are tiny and grey on white.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Web Design by Anonymous Coward · · Score: 0

      while not ideal design -- they went a little gimmicky with the filters and changing smiley face -- just choose a category at the top of https://foundation.mozilla.org... to get identifying captions below each picture.

      (and there is 'alt' text for screen readers, btw, it's just not displayed on a hover these days.. 'title' is)

    2. Re:Web Design by Carewolf · · Score: 1, Informative

      What a terrible web site. They only have photos of the items, no text descriptions of alt tags so you can't even identify some of them. And the good/bad icons are tiny and grey on white.

      Try clicking on one of them..

      Not obvious I admit, but the text is there.

    3. Re:Web Design by Anonymous Coward · · Score: 0

      AmiMoJo is SO TRIGGERED right now you guys...

    4. Re:Web Design by Anonymous Coward · · Score: 0

      AmiMoJo is SO TRIGGERED right now you guys....

  6. First link is to Wired article by Anonymous Coward · · Score: 1

    Actual link https://foundation.mozilla.org/en/privacynotincluded/

  7. Router issue by ameliagomes · · Score: 1

    when I am trying to work on Mozilla, I am facing Linksys Login issue. I have visited https://routerguide.org/how-to... for solution, didn't get the satisfying solution. Can anyone tell me the best solution?

  8. Is this on topic? You decide! by Presence+Eternal · · Score: 1

    For what it's worth I highly recommend getting a Sous vide wand, online or otherwise.

    Even if the term Sous vide is as goddamn idiotic as calling pan frying "sur le fer". A better name is "non gradient cooking" and it is fantastic.

    1. Re:Is this on topic? You decide! by Anonymous Coward · · Score: 0

      I highly recommend getting a Sous vide wand

      Do you stick it up your butt?

  9. Pushing updates ? by Anonymous Coward · · Score: 0

    pushing automatic software security updates

    While some might view that as a good thing, I see it as an unwanted invasion, and rather dangerous.

    There are already stories posted about how "good" apps have turned "bad" when the ownership of an app changed hands, and the new owners pushed an "update" with a behaviour more beneficial to them.

    And yes, although its always talking about "just security updates, we promiss" there is nothing stopping anyone from renegating on it, if the incentive (or stupidity) is large enough. [1]

    In short, as long as the device is for my personal use I tend to disable *all* phoning home, no matter how beign it might look at that moment.

    Ofcourse, it does not help that most "security" (or any other for that matter) updates are pushed without a good roll-back mechanism in place in case the change breaks something (including the customers usage of certain features). Or that those changes are seldom well documented (MS even *removed* such info). Or that they come in an all-or-nothing package.

    [1] Further examples: FireFox with its "Mr Robot" advertising, MS pushing W7 updates forcing W10 to be installed, Philips "smart lamps" which regulary have updates that kick third party ones off. Phones which suddenly behave differently because of "must want" stuff like throttling to account for "old" (even though less than a year old) batteries. Etc, etc, etc.

  10. Re: Firefox = keylogger malware by default. by negRo_slim · · Score: 0, Offtopic

    Mozilla is full on SJW now as well. Fuck them.

    --
    On the Oregon Cost born and raised, On the beach is where I spent most of my days
  11. I know I live under a rock.... by reverendbeer · · Score: 1

    ...but why have I never heard of Mycroft before? That looks interesting.

    1. Re:I know I live under a rock.... by q4Fry · · Score: 1

      I am moderately excited and plan to run a server at home. (Please do not confuse that with "Home," which confusingly is Mycroft's cloud service.) See my comment from February.

      We'll see if I can mollify the paranoid side of the family and educate the "Alexa" side when the Mark II comes out.

  12. damnit again by AndyKron · · Score: 1

    Couldn't just link to the guide, could you? 25,000 thumbs down

  13. 5.02% market share by BlackOverflow · · Score: 0

    Maybe instead of criticizing others they should concentrate on their massive market share loss and why they are at 5.02% when they were once around 30%?

    1. Re:5.02% market share by Luckyo · · Score: 1

      The only thing that people with degrees in grievance studies know how to do is criticize others. With mozilla having been largely taken over by such people in recent years, it's to be expected that they at least need something to work on.

      Hence, project that tries to paint anyone who is in any kind of potential competition, or a target for the next takeover by people with degrees in grievance studies as "bad and in need of corrective action" makes perfect sense. It's not about the gutted and slowly dying mozilla. It's about spreading the parasitic ideology of the people that gutted it from inside to other companies, using the dying husk of mozilla as a host for as long as it can last.

    2. Re:5.02% market share by BlackOverflow · · Score: 0

      This is happening is lots of companies and organizations. Wizards of the Coast, Blizzard, and many other game companies are experiencing this.

    3. Re:5.02% market share by Anonymous Coward · · Score: 0

      The only thing that people with degrees in grievance studies know how to do is criticize others. With mozilla having been largely taken over by such people in recent years, it's to be expected that they at least need something to work on.

      Hence, project that tries to paint anyone who is in any kind of potential competition, or a target for the next takeover by people with degrees in grievance studies as "bad and in need of corrective action" makes perfect sense. It's not about the gutted and slowly dying mozilla. It's about spreading the parasitic ideology of the people that gutted it from inside to other companies, using the dying husk of mozilla as a host for as long as it can last.

      Those dipshits are a multi-headed terrorist cell. They track down stalkers & lynch 'em. They live by the motto "To entrap and ensnare".

  14. Junk since they moved off FF 52 by Anonymous Coward · · Score: 0

    Firefox turned to junk after whatever came next from FF 52.

    1. Re:Junk since they moved off FF 52 by Anonymous Coward · · Score: 0

      Firefox turned to junk after whatever came next from FF 52.

      Think again.

      (I'm using FF 52.x at the moment, the below is from my own experience)

      Example ? Their "most viewed webpages" snapshot tiles when you open a new tab. A new tab which you can't (anymore) put the same (start)page on as when FF starts. Reason ? Security. Yes, you read that right: Its not a problem when you start with it, but it is when you open a new tab. Go figure.

      But to continue with those tiles, They are:

      1) there so Mozilla could insert their adverts into them. And yes, its still calling home to get them. Its just that currently none are returned.

      2) Maliciously implemented (going against the users wishes). When the tile-images themselves are removed they are re-loaded from all remembered links) those while ignoring plugins. And yes, that means that my painstaking effort to kill tracking (and crap, or even malicious content delivering) websites is subverted.

      It also opens (or tries to) a staggering ammount of connections that have zero to do with my browsing. And disabeling that behaviour ? You have to malform the involved URLs as found on the about:config page. No other way available.

      Yeah, you can, on the same page, edit some flags (if you know which ones - and sometimes you need to change multiple for a single URL) and hope it disables the behaviour, but I've found that to work only partially. At some moment - triggered by ... unknown - it will suddenly still try to connect to any of a nice handfull of websites.

      And thats just the ones you can edit, and are not hardcoded somewhere deep in the executable. Like ciscobinary.openh264.org to get-and-install something related to playing embeded movies. Which I have disabled. It still wabt to net it. Makes sense ? Not really.

      And than the shennigans that there are no master settings. Making a new/second FF account ? You need to go thru the whole about:config shebang again and hope you didn't forget anything.

      Ofcourse, you better create that new FF accound when you're offline (if you can), as the absolute first thing it does (before giving the user a chance to change its privacy and/or security settings) is to ... you guessed it: call home.

  15. glass half full (of Legionairre's disease) by epine · · Score: 1

    Take, for example, that sous vide: "Someone could hack your Wi-Fi, crank up the cooking temperature on your sous vide, and overcook your steak," reads the entry, presenting a worst-case scenario that's not quite grade A.

    It's a bad scenario if the person cooking my food thinks that overcooking is the worst-case scenario.

    Legionnaires' disease

    The bacteria grow best at warm temperatures. It thrives at water temperatures between 25 and 45 C with an optimum temperature of 35 C.

    Temperatures above 60 C (140 F) kill it.

    Sources where temperatures allow the bacteria to thrive include hot water tanks, cooling towers, and evaporative condensers of large air conditioning systems, such as those commonly found in hotels and large office buildings.

    Lots of sous-vide recipes specify less than 140 degrees F. This is already in the wheel house of one strain of bacteria, with a 10% human fatality rate once contracted.

    This is why sous-vide cookers go the extra mile to ensure precise thermal regulation.

    Not too many bacteria in food will actually kill you (yet) if only undercooked by a small amount. But as they say in antibiotics and cipher breaking, your adversary's attacks and defenses only ever improve.

  16. Privacy policy reading level by Anonymous Coward · · Score: 0

    Interesting bits on the website: Privacy policy reading level and letting people vote on creepiness/will I buy one.
    I think this is a decent first stab at rating products - I'm sure with some feedback they will make it better.
    If we could get to a point where there's a standard that you must meet before getting some sticker on the side of the box, that would be a big help for people when purchasing products.

  17. Re:Firefox = keylogger malware by default. by ebyrob · · Score: 0

    On top of that, Mozilla Foundation doesn't understand why javascript (ecmascript) should be an interpreted language and instead they compile javascript strait to exploitable machine code for performance. (Like everyone else, Chrome / Google do the same thing and that's pretty much the whole browser market right there.)

    Mozilla is not who I'd be taking security advice from.

  18. Re:Imagine Mozilla judging quality of others priva by yuvcifjt · · Score: 1

    Erm, as others pointed out, mozilla is a non-profit organisation which does more than just create the Firefox browser.

    And yes, Firefox does absolutely obey the hosts file, that's how I'm blocking countless google spyware.
    Perhaps you're mistaking Firefox with Windows 10?

    With regards to privacy, they do what they can to the extent possible without getting under the skin of their funders, thus the reason for including 'tracking blocker' by default. i.e. you can't cut the hand that feeds you!

    Who else will donate money - you?!
    Firefox is the only browser of hope left!

  19. Re:Firefox = keylogger malware by default. by yuvcifjt · · Score: 1

    If they didn't go down the route of compiling JS code, most people wouldn't be using Firefox as their browser in this day and age!

    Don't blame Mozilla/Firefox for the problems caused by hipster web devs creating a new damned JS framework every month which manages to consume twice the processing power and cause massive browser bloat!

  20. Re:Imagine Mozilla judging quality of others priva by Anonymous Coward · · Score: 0

    I don't use Windows. Are you sure you're actually blocking the Google stuff? I had both Facebook and Doubleclick blocked in my hosts, but when I tried switching to Firefox suddenly Facebook isn't blocked and Doubleclick ads are everywhere. I thought they must be using domains, but when I went to add them to the hosts I realized they were already in there! I tried all the "about:config" options that come up when you search for solutions to this egregious security failing, but it did not work. Can't trust it; only option was to uninistall.

  21. Sadly, there are few options by Anonymous Coward · · Score: 0

    I will not use a Chrome-based browser because of Google, so this rules out Chrome, Vivaldi, even Chromium, Brave. All of them call home to Google for at the very least safe browsing. Firefox is now a bloated mess on Linux and worse on Windows. I may just start using uzbl-tabbed. I already run a Pi-hole, so I'm blocking heaps of beacons, trackers, and ads at the DNS level, which makes life on a network livable. If I go uzbl, I'll have to tweak my hosts file in Arch to do a few things.

  22. And not just mystery meat by Flexagon · · Score: 1

    Yes, this whole Mozilla effort, as useful and important as it could have been, falls completely flat for me. The parent's observation makes this site a prime example of mystery meat; and webpagesthatsuck.com has been documenting such bad web design for many years. One of the responses suggests trying to click on the product photos; that's just yet more click-bait design. The best I could do was to enable "display URL on hover" in my favorite browser, and hope that the URLs were at least somewhat self-identifying. Given the site's target audience, that's not helpful.

    And now about the reviews themselves. Mozilla's "minimum security standards" bar seems pretty darned low. Just look at all of their "thumbs-up" products that on further inspection say "Yes" to the all-important factor "Shares your information with 3rd parties for unexpected reasons". In fact many "thumbs-up" reviews have 2 out of 3 sad faces in the "What does it know about me" category. How is the target audience supposed to have any confidence in these reviews?

    And though there are some tablets in the list, where are the smartphones?

    1. Re:And not just mystery meat by gnunick · · Score: 1

      The best I could do was to enable "display URL on hover" in my favorite browser, and hope that the URLs were at least somewhat self-identifying.

      Yikes. I can't imagine a browser being my favorite if it didn't already display the URL on hover, by default.

      I'm so glad that they've focused so much attention on Firefox (still my favorite browser by far, though it was painful there for a while). It sounds like the criticisms of this web site are reasonable (I haven't bothered to look), and that's a pity.

      But wholesale dismissal of Mozilla--a company which has really picked itself back up and has been doing great things again for the last couple years--based on one crappy web site isn't right (though perhaps understandable if you had poor experiences with some past versions of their browsers), and it seems strange that they would produce something of the sort. https://developer.mozilla.org/ (MDN) is a counter-example of a fantastic web resource that Mozilla provides, which is why you'll often find it at the top of the results when searching for things related to web development.

      I'm so glad we have such a good, free (in every sense) browser that isn't backed by a major data-mining company. Thanks, Mozilla!

      --
      I have no special gift, I am only passionately curious. --Albert Einstein
    2. Re:And not just mystery meat by gnunick · · Score: 1

      Sorry, I didn't mean to imply that Flexagon was dismissing Mozilla because of this. That was in response to other comments, elsewhere!

      --
      I have no special gift, I am only passionately curious. --Albert Einstein
    3. Re:And not just mystery meat by Flexagon · · Score: 1

      No worries. I'm a happy long-time Firefox and Thunderbird user. My post was strictly about gift report.

  23. Vice President of Advocacy by Anonymous Coward · · Score: 0

    Hah! Yet another meaningless title for a 'useless human'. Mozilla should fire all the useless humans, & get back into the web browser business.

  24. Re:Imagine Mozilla judging quality of others priva by yuvcifjt · · Score: 1

    Humms, sadly, you're right... Firefox isn't blocking domains based on hosts file :/
    I'm using OpenDNS for blocking various domains too, so didn't notice.

    Just checked and it appears both IE11 as well as latest Google's Chrome browser are honouring the hosts file.

    Shocking.