Thursday, October 23, 2014

Verizon Wireless injecting tracking UIDH header into HTTP requests

Reading Hacker News today, I found a frightening post on Verizon Wireless injecting tracking UIDs into HTTP requests. The upshot is that Verizon Wireless is sending a unique identifier for you to each and every unencrypted website you visit, which means that advertisers (or worse) can track everywhere you have been. This occurs even if you opt out of all the Verizon tracking, use a privacy mode in your browser, enable Do Not Track, use a different browser, send your own bogus UIDH header, change to a new phone, or use a tethered laptop for browsing. The only known solution is to encrypt all your browsing. You can do this using HTTPS Everywhere, but this only works if the website supports HTTPS. The best solution is to use full encryption using a VPN like Tunnelbear or TOR. More details follow.

First a little bit of background. When your browser accesses a webpage, it uses a protocol called HTTP to talk with the server hosting the webpage. As part of the request, your browser sends some header fields which provide information about what you want to get back. This includes your IP address and some information about your browser which can actually be enough to uniquely identify you. To see some of the information your browser is sending, check out your request headers here or here.

Verizon Wireless is adding its own header, X-UIDH, which includes a unique identifier that it sends to the webpage. You can check whether your phone is getting the header added here or here. Just make sure you turn off wifi before running the test. Verizon has two patents on the subject: Obtaining targeted services using a unique identification header (uidh) and Multi-factor authentication using a unique identification header (uidh). The most illuminating part is Figure 5 from the first patent:

It becomes very clear that all this is intentional, which was confirmed by my call to Verizon. I talked with a representative of Verizon Wireless, and once they understood the situation they offered several (ineffective) solutions. (1) Use HTTPS instead of HTTP. Naturally, this will only work for the small subset of web services that provide HTTPS. (2) Use Do-Not-Track in the browser. However, my testing showed this had no effect. (3) Use a privacy mode. Again, this had no effect. After talking with a supervisor, the representative then told me that this behavior is normal and expected. Moreover, he claimed that the UIDH header and a standard HTTP connection are a sign to the webserver that you are a good internet citizen, and not a hacker trying to do something untoward. This was a blatant misrepresentation of why some websites do not support HTTPS. After further discussion he ended up agreeing with me, but said there was nothing he could do to help.

What can we do? First off, this is already being exploited in the wild, so start using a VPN. Next, let's get Verizon Wireless to change this policy. Do your own testing, tell your friends, and post your complaints online! There is already a lot about UIDH on Twitter.
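For doing your own testing, here is an added example (not code from the original post) of a header echo endpoint plus a comparison of what a client sent against what the server received, which is how an in-transit X-UIDH injection shows up. The host name, port, function names, and sample request are constructed for illustration.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

TRACKING_HEADERS = {"x-uidh"}  # the header named in the post (names are case-insensitive)

def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.x request into {lowercased name: value}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def diff_in_transit(sent: dict, received: dict) -> dict:
    """Compare what the client sent with what the server saw."""
    sent = {k.lower(): v for k, v in sent.items()}
    received = {k.lower(): v for k, v in received.items()}
    added = {k: v for k, v in received.items() if k not in sent}
    changed = {k: (sent[k], v) for k, v in received.items() if k in sent and sent[k] != v}
    removed = sorted(k for k in sent if k not in received)
    tracking = sorted(k for k in {**added, **changed} if k in TRACKING_HEADERS)
    return {"added": added, "changed": changed, "removed": removed, "tracking": tracking}

class EchoHandler(BaseHTTPRequestHandler):
    """Plain-HTTP endpoint that returns the request headers exactly as they arrived."""
    def do_GET(self):
        body = json.dumps({k.lower(): v for k, v in self.headers.items()}, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

# Constructed sample: headers a test client sent, and the raw request a server received.
SENT = {"Host": "echo.example.test", "User-Agent": "header-check/1.0", "Accept": "*/*"}
RECEIVED_RAW = (
    b"GET /headers HTTP/1.1\r\n"
    b"Host: echo.example.test\r\n"
    b"User-Agent: header-check/1.0\r\n"
    b"Accept: */*\r\n"
    b"X-UIDH: CONSTRUCTED-PLACEHOLDER-VALUE\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(diff_in_transit(SENT, parse_headers(RECEIVED_RAW)))
    HTTPServer(("127.0.0.1", 8080), EchoHandler).serve_forever()  # assumed port
```

To test a real connection, run the echo handler on a server you control, bound to a reachable address and served over plain HTTP, then request it over the cellular link with wifi off and compare the returned headers with what your client sent.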

Monday, April 7, 2014

Visualization Intern & Res. Sci. Positions @ IBM Watson & Research, Cambridge MA

Update: The intern positions are no longer available.

IBM's Watson Group (Cambridge, MA) is looking to hire several summer Research Interns and Research Scientists to join the Cognitive Visualization Lab. We are looking for candidates with a research track record in Information Visualization, preferably with experience in Human-Computer Interaction, decision-making processes, and social sciences.
Our research group aims to advance the state of the art on visual analytics. We are an interdisciplinary group comprised of computer scientists, data scientists, social network analysts, and designers. We are working on a diverse set of truly fascinating projects, including pure Research and Development (R&D)/papers (VIS/InfoVis/VAST, CHI, EuroVis), applied mathematics, developing prototypes for the most important industries in the world, and gallery installations. These positions would be working directly with Cody Dunne and Mauro Martino.
Our laboratory is located a few minutes from the MIT campus in an inclusive and friendly work environment. Despite being small geographically, Boston has 58 colleges and universities and hosts a vibrant academic atmosphere.

Research Keywords

Information Visualization, Data Science, Big Data Analytics, Information Design, Social Computing, Network Analysis, Human-Computer Interaction, Cognitive Science

Key Responsibilities

  • Design, implement, and evaluate a novel visual analytics prototype following user-centered design principles.
  • Investigate creative Human-Computer Interaction systems for deeper levels of expression and engagement.
  • Publish and present results to both the academic community and to non-scientists.

Internship Postings

Research Scientist Postings

Thursday, November 29, 2012

Cygwin package manager and auto updates

I use Cygwin on my Windows machine to get access to all the wonderful Linux tools like grep, wget, etc. One problem with Cygwin is you have to run its GUI installer again manually each time you want to add tools or update the ones you already have.

apt-cyg provides a command-line package manager that you can use to install tools without using the GUI installer. However, I didn't see a way to update the existing tools. You can write a simple batch script to do the automatic updates for you. You only need the three lines below, assuming you've installed cygwin to C:\cygwin. Then, run the batch file as administrator or create a shortcut to do that for you.

cd C:\cygwin
wget -N
setup.exe --no-desktop --no-shortcuts --no-startmenu --quiet-mode

If you want to pretty it up so you can scan the results of the commands more easily, just add some echo statements:

@ECHO off
cd C:\cygwin
echo ======================================
echo Downloading latest cygwin installer...
echo ======================================
wget -N
echo ======================================
echo Updating all cygwin packages...
echo ======================================
setup.exe --no-desktop --no-shortcuts --no-startmenu --quiet-mode
echo ======================================
echo Update finished.
echo ======================================

Thursday, January 12, 2012

Suppressing BibTeX fields for specific biblatex entry types

I use LaTeX for writing academic papers and biblatex for handling the citations and references in them. One problem I ran into is that biblatex prints out the location, address, month, and publisher for a lot of entries, which I prefer not to have in my reference list. Rather than editing the BibTeX .bib file and losing that data forever, you can tell biblatex to ignore or suppress specific pieces of it.

Below is my code. It suppresses location, address, month, etc. for all entries, and suppresses the publisher and editor field unless the entry is a book. You may need to modify this for whatever style you're using.

% Loads biblatex with clickable links from citations and the reference list, 
% with back references if the style supports them.

\AtEveryBibitem{% Clean up the bibtex rather than editing it
 \ifentrytype{book}{}{% Remove publisher and editor except for books

Edit on 2/9/2012: As @siretart helpfully points out in the comments, biblatex makes distinctions between fields, name lists, and literal lists in the source file. To see whether to use \clearfield, \clearname, or \clearlist check the biblatex manual for the data type. For example, date and series are fields, location is a literal list, and editor is a name list. I've updated the code above to reflect this.

Monday, August 8, 2011

Microsoft Security Essentials Automatic Updates

I love Microsoft Security Essentials, but I'm annoyed by having to do the virus signature updates manually with each Windows Update. This could be because I have Windows Update set to download but let me choose which ones to install. However, you can use the Task Scheduler to automatically run the signature update every day.

AddictiveTips provides instructions, but on my 64-bit Win7 machine the file location was different.

Instead of
C:\Program Files\Microsoft Security Essentials\MpCmdRun.exe SignatureUpdate
I used
"C:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe" SignatureUpdate
So far, so good!

Tuesday, May 31, 2011

Make Firefox 4 save passwords for ALL websites

Some websites ask web browsers to disable their password auto-complete features. This allows developers to increase the password security for important sites like banking, but can also be used for less important sites.

You can force Firefox to ignore the website settings and save all passwords, but you must then be extra vigilant about which passwords you save. Banking sites and the like will now prompt you to save the password, which you probably shouldn't do for them.

There was an easy fix for Firefox before version 4 (see this post), but there are a few hoops to jump through for the latest version. Firefox 4 packages all the necessary files into omni.jar in the program folder, which is a non-standard archive format that needs to be specially altered. Below are the directions from this comment:

0. Make a backup copy of omni.jar
1. Unzip the omni.jar (using either 7zip, Winrar)
2. Edit accordingly
3. Pack again using ZIP format + SFX option (Self-Extract)
4. Rename back to omni.jar
5. Launch Firefox!

Friday, March 25, 2011

Better APA-style: working around hyperref and apacite problems

I'm writing an article in LaTeX using APA style, so I'm using the popular apa.cls style. It defaults to using apacite for citations and references, which works well enough.

But if I have a URL field in the BibTeX, like I always do in JabRef to remember where I found things, it prints it for each reference wasting a lot of space and not breaking lines properly. I also like the URLs I do show to be clickable hyperlinks, and my citations and cross-references as well. You can usually do this using hyperref, but a lot of things break when using apacite and hyperref together. Here's the top of the file:
And here is the output of pdflatex:
! Undefined control sequence.
\hyper@@link ->\let \Hy@reserved@a
\relax \@ifnextchar [{\hyper@link@ }{\hyp...
l.83 \cite{Aris09Visual}
! Argument of \@@cite has an extra }.

l.83 \cite{Aris09Visual}
Runaway argument?
>{\hyper@link@ }\def \reserved@b {\hyper@link@ [link]}\futurelet \@let@token \E
! Paragraph ended before \@@cite was complete.

l.83 \cite{Aris09Visual}
Other people have had this problem before, but there aren't any great solutions. See the end for a good solution using biblatex-apa instead of apacite. If you insist on using apacite, there are instructions here for how to make things mostly work:
The simplest way to fix the problem is to put a single
instance of \protect into hyperref.sty.

Turn this:
\@newl@bel{b}{#1\@extra@binfo}{%
\hyper@@link[cite]{}{cite.#1\@extra@b@citeb}{#2}%
into this:
\@newl@bel{b}{#1\@extra@binfo}{%
\protect\hyper@@link[cite]{}{cite.#1\@extra@b@citeb}{#2}%
This occurs at
line 3972 in hyperref.sty [2007/02/07 v6.75r]
and at
line 4939 in hyperref.sty [2008/04/05 v6.77l]
(line 8328 of the corresponding hyperref.dtx).
but this breaks the citations. Later they added additional code to the tex file:
It's really just a matter of executing APA's version of \bibcite
before doing the extra stuff that hyperref needs to create the hyper-linking (which seems to work just fine).

For example, the following coding seems to work OK.
\let\APAbibcite\bibcite %%%% add this line

pdfauthor={Salvatore Enrico Indiogine},
pdfsubject={TAMU EDCI},
pdfcreator={LaTeX with hyperref package},
pdfproducer={dvips + ps2pdf},

%%%% add the following 2 lines
This fixes most problems, but there are still warnings and ampersands missing in the references.

A better solution for me was to use biblatex-apa with biblatex instead of apacite.

First replace \bibliography{...} at the end of your tex file with \printbibliography. Then modify the top to look like this (note the noapacite option for apa.cls).
\documentclass[jou,noapacite]{apa} %%%% apacite is buggy with hyperref



%%%% biblatex-apa