PushBullet - I'd pay $150
Pages: 1 2
Rob Basath (3237) 28 posts |
I was wondering if anybody could compile a PushBullet client for RISC OS: My guess is, it will not be simple crosscompiling, but I also think having a client like this will open up RISC OS to more network devices and in that making it more usable for many people. It basically opens up quick message exchange by mouse click. The benefits would be: Not sure if all features can be realized, but simply being able to share text would be awesome. Pushbullet has an API, so in theory it schould be doable. And: I am willing to pay AUD150.00 for a working client – maybe somebody else chimes in? |
Rick Murray (539) 13861 posts |
Wait… What? You are happy to connect your devices “intelligently” by bouncing private information through a third party server based in Arizona (a country which has repeatedly confirmed zero expectation of data privacy for foreigners)? Sorry, I value what’s left of my privacy too much. If I think it’s a hassle to use a screen for sending text messages, I’d use a Bluetooth keyboard. Not god-knows-what across the internet. |
Steve Pampling (1551) 8180 posts |
But Rick, it has “end to end” encryption so the data is safe all the way to the NSA so you can be sure that anyone a little bit dodgy can’t get at it. No, you have to be terminally dodgy… |
Clive Semmens (2335) 3276 posts |
Meet me somewhere and I’ll give you a memory stick with a 64GB one-time pad on it. Then we can communicate completely securely – even if someone can factorize products of arbitrarily large primes, they can’t crack one-time pad encryption…but the communicants do have to exchange the thing securely face-to-face before they can start to use it. |
David Feugey (2125) 2709 posts |
You’re right: in fact it’s much simpler than that, since there is a public API to access it :) |
Rick Murray (539) 13861 posts |
Of this, they say:
So data can be sent between devices with encryption? Nice, I guess, but hang on – how does the encryption key get from “here” to “there”? Encryption relies upon the knowledge of a shared secret… However, I then found this: How secure is PushBullet content you push across your devices actually. I noticed that the long list of permissions requested by the PushBullet app (Android) included in-app purchases. It seems as if there are restrictions on what can be done with the “free” service. While it might sound “fair enough” (somebody has to pay for the hosting), maybe if devices could communicate with each other instead of bouncing everything via the mothership, the host interaction might be able to be reduced to being little more than a springboard for getting started, and a DDNS service to devices off the LAN can still be located. Here’s an amusing read: https://www.reddit.com/r/Android/comments/3tllx9/i_am_guzba_from_pushbullet_ama/ This isn’t to say the concept of what PushBullet is trying to do isn’t bad. What is bad is the baked in dependence upon a third party website. I read something on TheRegister a while back about some sort of smart device (heater? thermostat?) that simply shut itself down because it was unable to work at all because the mothership ceased responding (AWS fell over?). Devices should be able to associate and then talk directly to each other. It’s probably not so hard to do (hell, my IPcam and its app do a simple version of this) but these days everything useful seems to include “…with a website” in the brief. And if you’re lucky “…with embedded advertising”. |
Rob Basath (3237) 28 posts |
I am sorry for the long post and the rant that follows. But I think I want/need to make my personal opinion clear. So here it goes: Well, you all are right about the encryption / privacy part or issue. But in my opinion the ‘war of personal data security’ has been lost 5 years ago. I was fighting hard against data collection, big data, camera spying, free cloud accounts, the cloud itself, fingerprint sensors, facial recognition software and free online accounts. It was very time consuming. In the end, I was running my own mail, web, news WiKi, calendar, cloud and file server at home – and maintaining them. It nearly became a job for a part time system administrator, as soon as family and friends wanted an account, too. Then I thought about how to get around this. Since you cannot trust somebody you do not know with your personal data, my concept of data itself changed. Basically my data is now split into private, personal and public. And the big decision was actually which part of my personal data is private data. - Fingerprints? The government already stores them on my passport on an unsecure RFID chip. OK, what’s left of my personal data that I wanted to keep private? Not much. Only the bits and pieces I never would store on a foreign server. Passwords, security questions, and created documents/files. Now, Pushbullet is a service that relies on a foreign server. It claims to use end to end encryption and needs a lot of Android permissions. Yes, this might be a further step towards total destruction. But the things I keep on my phone are either personal or public information. Nothing private. So I don’t care anymore. Not because me, myself and I don’t care – but friends, co-workers and family don’t care. Which means my personal contact data ends up in the cloud anyway, and there is nothing I can do about it. I know there is more to it like browsing history, GPS data, line of communication, contacts, etc. But in the end they will only access information that is irrelevant to my private data. I am not saying here that I do not take precautions and ignore the risks. All I want to make clear is that using Pushbullet can be a benefit if used correctly. I would never share private or sensitive data via these kind of services anyways. To be honest: anybody who is using any kind of smartphone already sold his privacy. To Google or to Apple. Buth companies sitting in a country which does not reflect my view of privacy and security. Maybe a BlackBerry or a BlackPhone is better, but it is unfortunately not a solution if you work in an environment of ignorant (or oblivious) people. The ‘war of personal data security’ is lost. Let’s hope we do not lose the ‘war to keep our privacy’ with the amount of insecure IoT devices lining up in the shops. You know he best about RISC OS? It runs without a connection to the internet (out of the box! Without mandatory patches!) and does not come with unnecessary, network ready, services running in the background. As long as you do not plug in a cable you can be sure it is secure from remote access. No camera, no WiFi, no Bluetooth. I see that as a security feature. It is just a shame you cannot lock the screen and secure it from on-site access. |
Rob Basath (3237) 28 posts |
@Rick: As an alternative, maybe the UniServer/UniPrint Software can be compiled to run on Linux and OSX? And Android and IOS? Then I would be really happy as it uses direct host to host communication. Not sure about inbuild security, though. My guess: there is none. But if I cannot trust my own network, I’m in trouble anyway. |
Steve Pampling (1551) 8180 posts |
Still battling away. At work the data is absolutely NOT put on the cloud since pretty much without exception that would mean it being replicated on the other side of the pond and that is just open access for the NSA. |
Clive Semmens (2335) 3276 posts |
One of the beauties of encryption using hand-to-hand transferred one-time pads is that the messages are completely indistinguishable from absolute gobbledegook. I rather like the notion of filling NSA’s servers with complete gobbledegook in a sort of massive denial of service attack by exchanging gobbledegook at high rates. Nobody knows whether it’s messages or not. |
Clive Semmens (2335) 3276 posts |
Come to think of it, most of my postings here and everywhere else aren’t much different from that anyway… |
Rob Basath (3237) 28 posts |
@Clive: yes, the one-time tokens are a good idea, but only if the encryption algorithm is strong as well. I am not sure if I want to use AES256 or AES512 to encrypt my data, knowing the NSA is using it for their purposes. On the other hand, the algorithm is open source and so far nobody has complained. I prefer Twofish whenever I can. Together with 15 to 20 characters for a password. One time passwords unfortunately only work for server based encryption, which is useless for file encryption (AFAIK). @Steve: yes, work data is not on the cloud, as I ‘declared’ it ‘personal’ data for my purposes: Personal Data: information/files/bits you want to keep to yourself Private Data: your name, address, phone numbers, email address, Photo, Fingerprint, etc. Public Data: data containing non-sensitive information, e.g. nothing of the above |
Rick Murray (539) 13861 posts |
Ooh, red flag waving time. ;-)
For the majority, yes.
While I cannot do much about Google/Samsung pilfering my contacts under the guise of “backing up valuable information” by apps baked into my phone, I can take steps to mitigate the problem:
For email:
Big data:
Cloud accounts:
Fingerprint sensors:
My private mail is via a friend who runs his own server. It was a baptism of fire, and he used to lose sleep worrying before he got it under control with things like DMARC and performing reverse IP blocking (France and UK are allowed, everything else is silently dropped). My personal server is a Pi with WebJames. It gets hit a lot (in the logfile, attack attempts outnumber the crawlers by an order of magnitude) but it all bounces off thanks to WebJames/RISC OS not looking like anything else on earth. ;-) I have a wiki on my site (/armwiki) but what started with good intentions kind of went sour when I spent most of my time not writing articles for it, but instead trying to exorcise those who would sign up just to spam advertising for toe rings. The signup process is still there somewhere. I hacked the script to change the URI so it will confuse automated spam apps. But I’d need to read the code again to remember what the URI is. Of course, a wiki with obfuscated signup and user-needs-approval-before-writing is not a friendly wiki, but a friendly anyone-can-edit wiki is one that will be forever fighting spam… I have a file server. A NAS that’s a dinky server talking to an SD card. It only works on the LAN. The Pi server and my HD IP camera are the only things that pass NAT, some devices that think they should have internet access (like my printer) are set as a restricted profile on the Livebox – no access, period. LAN only.
? It wasn’t already?
Easy. Anything I’m not prepared to share with others.
What country? I have a crappy biometric passport, but no fingerprints. Do you think wrapping it in alu foil might Faraday cage it enough to defeat the RFID? Be careful with thinking of fingerprints as “public”. You can discard email accounts and passwords. You’re stuck with your fingerprints. Plus, there’s the problem of feasibility. If I was going to build a device using proximity radio waves to retrieve data from nearby objects, I would not concern myself with your fingerprints. What’s in it for me? Far nicer to hit NFC payment devices (pay-by-bonk phones and credit cards). They might be blocked to a maximum of twenty euros per transaction (or some roughly equivalent local currency amount) but a successful hit on thirty devices for random amounts of 10-20 euros while walking around a supermarket, it could swipe 300-600 euros. See? Unless you are somebody of importance, your fingerprints are not of importance, not when there’s a bigger carrot being dangled in the name of convenience.
I don’t socalise, so people don’t upload photos with me in them. That’s my job, and I do it rarely. My usual profile image is not me but Haruhi Suzumiya (as demonstrated here). That said, a girl at work uploaded a bunch of photos of a thing some of them did (that involved drinking and karaoke). Facebook obligingly tagged everybody. She got so creeped out that she deleted everything on her profile and ditched Facebook. Couldn’t help but smile at that. ;-)
Yes, but there’s a difference between somebody looking up your information, and you volunteering it. Do you work from home? If not, the address ought to be different. And if so, you can register business stuff at that address. Personal websites – can’t you have your contact details/address withheld from public view? If you work from home, you’re screwed – but maybe a post office box could add an extra layer of obfuscation to things? Depends upon the country. France doesn’t tend to provide information on boites postales unless you turn up at the post office in person, while the UK Post Office will tell you the address of a P.O. Box over the phone because they are not intended to hide behind. I have freaked out more than one person by sending them a letter to their home address when all they ever offered was a P.O. Box. bq – phone numbers? At least in the country I live in, phone numbers interestingly end up in call centers very often. I am not sure where they get that information from, but my guess is more than one of the many websites / shopping sites is selling them for a premium. Together with my mail address. I got cold calls on my phone when my contract was new and I hadn’t given the number to anybody.
…which is why I’d have spam arriving on an email address carrying their name for an email address given only to them. Let’s see, did you notice I ticked the “do not share” box? Say hello to the ICO for me… When I was younger, I applied with a contract agency. After I filled in the form, they told me they were obliged to inform me that my details would be sold for research and commission purposes (that’s a mighty fine way to describe advertising). I said “seriously?”. I took back my paperwork and left. A company with ethics like that is not one I would want to be involved with, no matter how good their job offers might seem.
I guess my level of cynicism is way higher than yours. My standard is simple – if I don’t choose to share it, it is private. It is getting harder to keep private things private, and Effing Zuckerberg convincing everybody that “privacy is not a thing” while living in a fortress and freaking out if his own privacy should be so much as dented… what I struggle to understand are those who share every bit of their lives on these platforms, and worse, include loads of details about family members and their own children…
Sure there is. You can share less and don’t facilitate. Your contact data may be all over the place thanks to everybody else, but PushBullet wants access to quite a lot more than your contact data. This is where the “facilitate” part kicks in. Maybe you’ve given up to the point where text messages to you are not considered private. And since there’s no encryption of an SMS, maybe they aren’t. But there is a world of difference between keeping a communication from somebody to you on your phone for your eyes, and willingly sharing it with a third party service.
Sorry, my TrustOMeter isn’t going to budge on this one, it’s reading a flat “No” and that wasn’t helped by the revelation that the API key is apparently not changeable. Their forum post on the subject was to point out that everything is protected by a fairly simple sequence – a password, a PIN number, whatever; utterly failing to realise that they are the anomaly – passwords can be changed. If your bank card is lost or stolen, issuing a new PIN is part of the replacement process.
Some of it, yes. But while Google, Apple, and PayPal keep asking for my banking information, they aren’t going to get it. Offline contacts won’t feature either. And so on. Smartphones are something of a privacy nightmare, but it is still possible to fight back. It’s just a toss up between convenience versus effort.
Sadly the UK is running headlong into “how America does it” and after Brexit there will be little to no European influence to try to keep things sane. I pity those still living in the country…
Blackberry sold out, they make Android devices now.
That’s why being an introvert on the side of antisocial is useful. My rich and varied private life doesn’t tend to include others…unless they have four legs, fur, pointy ears, and a voracious appetite.
That’s what the likes of Facebook and Google have spent millions trying to convince everybody. It’s about as truthful as the UK’s immigration figures. Don’t fall for it.
:-) My Manga software features a (turn-offable) update check where it’ll ping my site to see if there’s an update. This is like really progressive stuff in RISC OS terms.
The best security I’ve ever found with RISC OS is to just leave it running. It’s so very different to Windows that the three people who have seen it (not having known of RISC OS before) gave up almost straight away. There’s no start button, the bit at the bottom of the screen is weird… One managed to open Apps, didn’t understand what happened, and so she decided the best response was to turn the monitor off and tell me she hadn’t done anything. :-) |
Chris Mahoney (1684) 2165 posts |
Re: Cloud accounts, I know that you don’t need to tell you this, but make sure that it’s not your only copy of anything. I read a lament earlier today about someone who had lost 11 years’ worth of work because the cloud provider had had a failure. 11 years and no backups… it boggles the mind. |
Rob Basath (3237) 28 posts |
@Rick: nice! :) I agree to many things you wrote. In the end it still depends on which information will you share and how do you secure private data. In general: a) you get what you pay for IMHO my eMail and cloud provider are people I can trust (because, although I do not live in Switzerland, I know the people offering the service – and know where their children go to school). Data recovery is a total different story. Most of the ISPs say they have a method for it – until you need them to activate that. So I still keep copies of all cloud, PIM and eMail files on a mobile SSD. SMS and other text messages: yes, I no longer call them private. But that’s because of the content I use them for. If it is really important, then I usually encrypt the data before sending – or use a different medium altogether. Big Data: the thing that really worries me is that future services will demand an ‘advertisement free fee’ depending on how much your overall ‘Internet Footprint’ is worth. Basically, the more data they have about you, the more you’ll have to pay. Sounds a bit far fetched, but I’ve seen these algorithms already being worked on at two advertisement companies. I was told they currently use this to sell the ‘data record’ for the ‘correct’ price to other advertisement companies – but they are planning on opening up an API for third parties to evaluate a user (and price them correctly). A big online video streaming service was one of their ‘interested parties’. |
Rob Basath (3237) 28 posts |
But back on topic: would it be possible to port UniPrint / UniServer to Linux or Android or iOS? Not the printing part, but the file transfer and URL opening ? |
Clive Semmens (2335) 3276 posts |
Simple substitution cypher. With a 64GB one-time pad (not token) you can send 64 GB of messages before you need another pad – that is, unless your messages are mad, never. You send the address in the pad to start (using a new part of the pad for each message), followed by your message, replacing each byte(x) in your message with That’s what “one-time pad encryption” means. Of course it doesn’t have to be bytes of one of 256 values: originally it meant a smaller number, I don’t know what – possibly as few as 37 (A-Z,0-9,blank). Used to be used by military intelligence – unlike Enigma, absolutely unbreakable. (Of course if your field operative is captured and their pad taken, the captor can spoof him and read your replies. But that proviso applies to any method.) |
Chris Hall (132) 3564 posts |
But that proviso applies to any method Yes but your field operative can use seCret security checks so you know hw has been captured. The book ‘Between Silk and Cyanide’ described a ‘Mental One Time Pad’ which it said was (a) complex and (b) still secret! |
John Williams (567) 768 posts |
Is this a record? FireWorkz counts 3193 words in Rick’s posting, tho’ I don’t know how it treats the bullet points or ‘smilies’ as we old-fashioned people call them. Over 17k of characters! |
Clive Semmens (2335) 3276 posts |
Indeed. So you’ve lost contact, but you know you have. And you can spoof the enemy, if they’re daft enough to fall for it. |
Steve Pampling (1551) 8180 posts |
Interesting reference. USA and bank card security. According to a distant relation of the wifes who visited the other year swipe technology is standard except where the old fashioned “brass rubbing” style is used and chip + PIN is almost unknown. Here in the UK the swipe is a legacy feature on EPOS systems, chip + PIN is fairly old hat. |
Rick Murray (539) 13861 posts |
Apparently they don’t use CSCs either. But, then, what do you expect for a country that believes so much in the mighty dollar but has continually resisted security features typical in other modern currencies including, you know, making them look obviously different? The lesson kiddies – capitalism is fueled by fraud. I can’t think of any other explanation… |
Colin Ferris (399) 1818 posts |
With Rick’s long replies from a ‘Super Phone??’ – how about a road test of BlueTooth keyboards? :-) |
Clive Semmens (2335) 3276 posts |
I’ve often wondered what on Earth I’d want a smartphone for. Rick’s wondrous rant is a wonderful example of the utter uselessness of a smartphone…give me a massive screen (with reasonably small pixels, nothing so tiny they’re irrelevant) and a decent keyboard. And preferably a trackpad. Or a trackball if the trackpad driver’s too hard. I’ve not converted a trackball to USB yet though… 8~( (Well, you don’t need to give me them. I have them already.) |
Rick Murray (539) 13861 posts |
You just need to be short sighted and have a phone with an insane resolution. My S7 is quad HD. Then, then it looks okay. Bluetooth keyboard? Essential. ;-) |
Pages: 1 2