This system would be more useful if it could report how these companies got my data. I want to know who betrayed me.
It wouldn't be a terrible thing to have privacy legislation that forces companies that sell your data to disclose what information they sold, when, and to whom.
You can run your own email server (or have a company host a private domain for you), set up a catch-all address that only you know, then use a different email address for every site you sign up to. That way you can find out this sort of information.
Using this technique, I know for example that spammers obtained the address I signed up to Stack Overflow with. The email is not shown on my profile now, and I can't rule out that it wasn't ever shown publicly, but evidence suggests they sold my address to spammers. I also know that spammers crawled my website and found a blog post where I stupidly made up a random address using my domain as part of an example for configuring junk filters (the irony is not lost on me).
RFC 5322 does say that a `+` is a valid character in the local part of an e-mail address.
The `+` character being used for address aliasing is, as far as I can tell, not mentioned in RFC 5321 or RFC 5322
There's no + aliasing in the specs. There's no interpretation defined for local part of email address.
I'd be surprised if many harvesters are going to bother with rules just for Fastmail domains. First of all, they have a bunch of them. Second, the spammers' objective is to get email into your mailbox. They don't care if they use an alias to get there. Bad actors who got your info in a data breach are a different story, but there's probably some safety in numbers. There could potentially be millions of accounts to go after before they start thinking about reversing my Fastmail alias. Besides, if you use one of the generic ones like qq.com or eml.cc - or even better yet, your own domain - they're not likely to notice anyway.
You want something that is sufficiently random that it can't be easily guessed or gamed, but can be quickly and easily determined on your side.
Salted cryptographic hashes might be a good place to start.
So the fact that the MTA will route it is irrelevant if it never makes it to the MTA in the first place.
+ as a magic character to effect routing isn't part of the standard. Mail servers are free to route addresses to mailboxes in whatever manner they see fit. That + can appear as a character in an address is part of the standard, just not the behavior of it; a server that treats a+1@ and a+2@ as distinct emails is conforming, and from a sending side, you cannot know if a+1@ and a+2@ will end up in the same mailbox.
(But you're absolutely right that too many sites fail to parse email addresses. Or rather, they over-parse.)
I believe this was part of the email standard?
But yes, that's why Fastmail supports the alternative syntax.
Reach out to support.
You can also do something similar with Gmail (and probably other providers) using "+" in your username, e.g. "email@example.com". This creates a unique email address that delivers to your Gmail account as if the "+<whatever>" were absent. This is more easily defeated if you're a moderately motivated spammer.
This doesn't work. I've seen legitimate companies just strip everything from the + onwards.
You'd have a better luck with *@user.your.domain if you can give each user a unique domain.
I bought a single domain @MyEmail.org, and create a new user for each site I sign up with that forwards to my gmail.
1@MyEmail.org, 2@MyEmail.org, 3@MyEmail.org etc...
and so on. So, those services have no way of fooling you by tampering with the alias parts.
But of course this isn't easy unless you roll your own mail server.
all go to firstname.lastname@example.org
Do you have any evidence at all?
1. Six months later websites listed a Joseph Kropholer in my town. Unless I actually happened on a real name, they sold me out.
2. Reading the receipt for my name, the clerks in the check out line would thank me with "Thank you Mr Crap Hole-ermmmm. mumble mumble." Then they realize what they just called me. I did not intend that, but it is constantly funny.
Most contracts that keep modern day businesses running work by pretending uninformed consent counts as consent. If we required true informed consent things would grind to a halt. Which may not be a bad thing.
The company might not have sold your info. They might have been hacked. There really isn't any way to know for sure FWICT.
My guess is it may be someone like Facebook who used to share "your friends' data" with third-party companies. So one of your friends, who may have your email, allowed a third-party company to get that list of his contacts (including your email) via the Facebook API (which at the time may have allowed this sort of sharing).
Even today, a ton of Android, and until more recently iOS, apps would collect your contact list, which means YOU shared your friends' phone numbers with some random app company. I imagine many of those friends would be pissed off at you for allowing their phone numbers to fall into the wrong hands, too, and now getting spammed all the time (if only they knew how the spam companies got their phone numbers to begin with).
Still, it doesn't matter. Whether the company sold the data or got it taken from them, they are still at fault.
Recently in EU GDPR regulation brought in some strict measures on how consent is requested and how data is shared and managed, I was delighted when websites started sending me emails asking me for content to market and share data.
However I am now seeing a bunch of websites doing the shady tactic of showing a full page pop-up on mobile site with all 30+ checkboxes pre-ticked allowing them full access of my data. Fuck such sites.
"You cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions."
“You provided a contract, and I agreed even though I chose not to read it (despite you providing it), and used the service, but I didn’t really mean to agree” is the most ridiculous cop-out, in my view.
A world where a clause doesn't become valid just because it's in a contract. That's why various jurisdictions rule void kinds of clauses, even in the US. This isn't a new concept.
OK, so what _was_ agreed? Well, a court is going to decide what a _reasonable_ person thought they were getting into, and they'll use legislation (such as that from the GDPR) to help decide that. They'll also keep in mind a theory about relative power. You wrote these T&Cs, so the court is going to conclude that you should have taken that opportunity to add any terms you really cared about. On the other hand the _user_ wasn't able to edit the terms, so really anything they reasonably expected should probably be acceptable.
The GDPR says that you need to have the user explicitly opt in, they get to reasonably assume that's how it works, you can't change that in the text they didn't read.
You might think, "Aha, but I made them check a box saying they agree they read it". Too bad, that doesn't help for a very simple and pragmatic reason:
Judges are people too. When you explain this theory to a judge, who like other people has had to check loads of these stupid "I agree I have read a 400 page document before using this free service" boxes, they are going to look at you like you just said you think they're an idiot.
If you're thinking maybe you can try this on and see for yourself, you'll probably have to be your own lawyer. Certainly in the UK no competent lawyer will take that work. Years ago the UK passed a law banning certain contract terms in "short" residential leases (a "short" lease would be e.g. renting a house for a year). Immediately scumbag landlords wrote new contracts that said basically "I, the under-signed, agree to these terms even though they're not allowed" and then demanded their tenants sign the revised contract instead. Judges were not happy, and I pity the fool who first appeared in front of a judge trying to argue that this was somehow legal when it's obviously not.
If you're so sure your users want to explicitly agree to let you do this, make it a separate opt-in, like the regulation says. When, to your disappointment, they don't want to, that is a _learning opportunity_ for you. Take it.
Re: this, I'm still fascinated how a contract that both parties are not aware of the existence of is even allowed to be treated as a contract in the first place. In many cases like local software, when you accept the T&C, the other party has no idea this happened in the first place, so they can't even claim to have a contract with you. That you can have a contract with "informed" consent from a party from a party (and interestingly this is regarding the other party, not you the consumer) that has no information about the contract's existence just blows my mind.
Probably some other mechanism could have been conjured but in our world this decision means contract law is used to manage situations where two parties would clearly benefit by cutting a deal, yet they never meet. Consider a typical car park. You drive into a sign-posted lot, park your car, and leave. Should we require the owner to have staff present to agree a deal with each user? No, it is enough to post signs explaining the general situation, e.g. "£1 per hour or part hour. Pay at machine. Car Park locked at sunset". A court will look at a situation and imply into existence any more detailed terms needed to handle the case in front of them. Is the car park owner liable for damage caused by stampeding elephants? How about if part of the car park itself falls onto a car? If the machine is broken can you still park? What if some scumbag puts an "out of order" notice on it and collects the money?
The "Meeting of Minds" formulation works very nicely. Suppose I think I'm buying a steak dinner, and you think you're selling me a live cow, once the confusion is realised there was no meeting of minds, no contract is formed. We are both embarrassed and go on our way. In the ideal case, both parties understand clearly what they're agreeing, courts never need do anything whatsoever, a good lawyer's goal in creating written contracts is to ensure this is what happens because courts are expensive and uncertain.
I would recommend seeking out an introductory Contract Law (for non-lawyers) course if you're interested, or in any case if you do freelance work or deal with contracts. Just knowing what Offer and Acceptance are can avoid some nasty situations where you might otherwise need to hire a lawyer after the fact.
The reason is that I feel a "contract" should be limited to conscious agreements on both sides -- and currently, we have contracts where neither is aware of both (one side doesn't know existence, other side either doesn't realize it's a contract or doesn't know all the terms), which is rather... nuts. Why do I think it should be limited to these situations? For a number of orthogonal reasons:
 Rules in a contracts are "open" sets rather than closed, so to speak. With something like false advertising, the rules are already set, and (at least in theory) their consequences have been brought up by various parties and taken into consideration by the government, and people just have to play by them. But with a "contract", you're letting arbitrary people make more or less arbitrary rules. Well, it seems natural that if you want to enter the rulemaking business -- society should have a reasonably high bar for that, since after all you intend to later be able to use the same society's government/legal system to enforce your more or less arbitrarily powerful terms against the other party. Requiring that all parties at least be consciously involved and aware of the rules really seems like the least you could do to demonstrate you should be making rules for someone else to play by.
 I think the traditional sit-down/signing/handshake is the image most people traditionally think of when they hear "contract", where both parties are aware of its existence and terms, (rather than, say, a parking lot or a ticket purchase). So treating it like this just makes the law reflect the reality that people would expect, which seems like a good thing on its own.
 There's an inherent power imbalance simply by virtue of the fact that, quite often, one side has to spend 1/#contracts'th the amount of resources per contract compared to the other, since once you write the contract for the first person then there's next to zero cost for everyone else -- and hence it encourages you to make the terms long and unfair, so that it's not worth it to the other side to challenge them. Really, I see it as something that should be practically a moral duty: if you want to have a fair "contract", with all the force of law behind it, you have to set both parties on equal footing, having humans involved on both sides and aware of everything is really the least both parties can do. It may seem radical... but can you just imagine if every company that wanted to put unfair terms in its contract had to have a representative explicitly tell the average Joe about this and have him consent to it explicitly (instead of just giving him N sheets of paper and having him sign in large blocks he obviously won't read)? People would get so upset and/or would have so much of their time wasted all the time, which introduces inherent friction and negative feedback into this route. It's just so much harder to spend 30 minutes explaining to someone that they have to sacrifice two arms and a leg if they buy your software than to just give them 10 sheets of paper to read while you move on to the next customer.
So these are why I'm not such a huge fan of lumping everything into the "contract" category... they often just seem wrong on so many of these levels.
What are the criteria that make terms by which one accesses a service irrelevant? At what point does the service provider’s consent not matter?
Your last paragraph seems to assume I am a service provider. I am not. I just think that people should be bound to the things to which they explicitly agree.
Does the “user must scroll to the bottom of the terms and tick a box affirming that they read and have agreed” serve as sufficient consent in your book?
You're just not going to sell a court on the theory that your free web service has a contract everybody is actually going to read -- so it won't matter how many pages or how large the typeface is.
People being "bound to the things to which they explicitly agree" is actually a problem for a reason I'll get to in a moment, but beyond that the problem for online services and other trivial contracts is that nobody really "explicitly agrees" to them, saying something doesn't make it so, or else all those things Jefferson claimed to be "self-evident" truths wouldn't require any effort to uphold.
Now, even when we actually _have_ agreement, not just somebody clicking OK to make the computer stop bugging them, we still run into a problem. Some terms are inherently prohibited in our society. You simply cannot agree to them even if you want to.
No it doesn't.
But you knew when you signed up to everywhere you've ever signed up that you were giving them uninformed consent to do whatever they want with your data and metadata, and you knew that they would do whatever they want, including not bothering to effectively protect your data.
And yet you signed up.
And so have I. But since this kind of thing has become front of mind the last few years, I sign up for very few to none services anymore. At signup, my first thought is "Is this service important enough to lose my money and identity for?" The answer is virtually always no.
If we stop signing up for stuff, stuff will improve or die. Both outcomes are equally good.
I googled the name and found a report  on the breach. They lost control of records on 2 billion email addresses.
"The real question that the researchers and Troy Hunt, founder of Have I Been Pwned?, want to know is how Verifications.io got its hands on all of this information in the first place. The Estonian-based company has refused to respond to questions from different news outlets and has taken down its entire website as of March 4, 2019. " 
"Verifications.io ensures third-parties’ email marketing campaigns are being sent out to verified accounts, and not just fake emails. " 
Edit: Their opt out page and main site. Notably, Firefox Developer Edition warned me and linked me to the main Firefox Monitor page, so it's something that's being built into Firefox.
Its frustrating since I never signed up for their services, and I have no control over who my data is sold to... Its getting to the point where I just assume all my data is pwned, and change passwords frequently
From your linked article: "This company validates bulk email lists for companies wanting to remove inactive addresses from newsletter mailouts."
I've seen other services (like 1Password) just rely on HaveIBeenPwned because it's pretty solid – seems like it would be nice for the industry to coalesce around it and build these kinds of alerting features on top of it.
> We're Baking Have I Been Pwned into Firefox and 1Password
> Over the coming weeks, Mozilla will begin trialling integration between HIBP and Firefox to make breach data searchable via a new tool called "Firefox Monitor".
Breach data provided by Have I Been Pwned
# How does Firefox Monitor know my information was hacked during a particular breach?
Firefox Monitor gets its data breach information from a publicly searchable source, Have I Been Pwned. If you don’t want your email address to show up in this database, visit the opt-out page.
> Breach data provided by Have I Been Pwned
I love that it's a visually engaging and simple way of showing breaches. It's going to be a lot easier to share this with family, then get them on a password manager.
So why is Mozilla running an email harvesting campaign?
Since this can be heavily automated the returns don't need to be large. e.g. maybe you can spend $100 and crack 5000 accounts with a new site that's suddenly hot, you sell one of them with a cool name to some Russian wannabe-star for $50 and the rest to spammers for 10¢ each (you don't care why spammers want stolen accounts, trust me they do though), you just made $450 for almost no effort.
If you use unique passwords everywhere, you don't need to care very much. But most people do not do this. If you _mostly_ use unique passwords, but er, actually your Twitter, a PHP forum you used back in 2010 and your iTunes account all have the same password, when that PHP forum gets hacked credential stuffing means your Twitter and iTunes will soon be raided.
If the site used a _good_ hash, it buys you time in proportion to a combination of how good your password was (how much entropy) and how good the hash was (how expensive hash trials are, multiplied by how much salt was used). If your password was "pass1234" then no matter how great a hash was used, I can guess it was "pass1234" and be correct instantly. If your password was 24 random alphanumerics then even a crap hash like MD5(password) is safe.
Checking my emails, I can't see anything from them about this. Loads of the usual marketing crap, but nothing about a breach.
A link to each service's website would be awesome in the breach report on FireFox Monitor.
From: "MyFitnessPal" <email@example.com>
Subject: Important Message Regarding MyFitnessPal Account Security
Date: Thu, 29 Mar 2018 18:18:57 -0600
Note: We just released a "V2" of the site that allows you to add multiple email addresses to monitor, and (then) to have all your breach alerts sent to your single primary email address.
In all seriousness I have faith in you guys for the most part (storing my bookmarks and sharing the browsing sessions across browsers).
E.g. you can supply your email address as foo+bar@<domain> and mail sent to that address will be routed to foo@<domain> by some providers like gmail and protonmail.
But then that means enumerating every + address you use (I almost exclusively do this).
Thoughts? I know this came up in a HIBP forum and I think Troy Hunt took the position of too much work for 0.1% of users, many of whom are likely technical enough to use a password manager and do this enumeration if they wanted.
Also, what's with the cards here? I can't select any of the text on them.
I was able to add my firstname.lastname@example.org and email@example.com as separate emails.
I know that might complicate your detection system, it just might miss some breaches for people who use both.
If not: I added an email address to monitor, and the verification email said:
> We sent this message to $userEmail because the email address opted into alerts from Firefox Monitor.
Note the `$userEmail`.
Still, great job!
But future breach alerts will be sent to the Primary address. (If you select that in your preferences.)
Now look at Mozilla, it's a non profit, look at everything it does, they have never lost their principles. They will never reach the scale of Apple, Google or Microsoft, and that's a good thing.
> What makes them so unique, in your mind?
Beyond the negatives that come at their scale, Apple are doing some systematically deceitful things directly to customers that make them stand out from other companies ( talking about their attitude towards customers with defective hardware). If they think that little of individual customers, how could they possibly care about an individuals privacy?
I take issue with this. Mozilla has a corporate arm and they're the ones in control of Firefox marketing and development. Take for example the fact that they were (most likely) paid to install an extension to advertise a TV show.
Apple has yet to display any ads to me on my Mac, unlike Microsoft in Windows. I think your criticisms are well intended, but your conclusions are way off.
Mozilla weren't paid for Mr Robot. Their finances are made public.
> It owns a taxable subsidiary: the Mozilla Corporation [...] The subsidiary is 100% owned by the parent, and therefore follows the same non-profit principles
> I don't think I need to explain what those are...
Why don't you humor us and give some examples anyways?
This is just one example, In general when Apple hardware fails from any kind of defect, one of two things happens:
1. They blame the customer and suggest replacing large portions of the computer (unnecessarily) at such a high cost as to justify recommending buying a new machine.
2. In the rare cases they have been publicly pressured into admitting fault, they will replace parts with newer parts with the same defect and repeat this cycle until out of warranty or the customer just gives up.
For the cases where the user is to blame for damage, #1 is also applied, this would not be such an issue if Apple wasn't also lobbying against independent repair shops and seizing their parts under false claims of trademark violations.
They are deceitful... there is no way around it.
Personally, I think Apple is significantly different than the other company with respect to customer data, etc.
Apple Pay, iOS vault, etc., come to mind.
So yeah even if they're driven by money, their best interest is aligned with their customers'- living up to the promise that your data is yours with them.
The other thing is that there seems to be a better chance at being private with a company that does not start its promise by telling they want to know everything about you and "index the world"
That's all fine and good, but privacy is a float, not a bool, and let's not assume Apple's going to go any further than they have to. They won't ever ask their users to do something inconvenient to get better privacy. They're not discussing specific threat models that they're trying to protect their users against. Just features that they support in specific use cases.
Which may sound like a hollow problem, but it leaves each user to deal with understanding all the threats they're under and what measures they should take. That's fertile ground for an adaptive adversary to work with.
Originally my address was breached by Dropbox and Kickstarter.
It took me many months to switch over, as I did not have a complete list of all services I had registered with.
So for many average people switching email adresses is often a very difficult task, so people keep them even in light of breaches.
More important for the average user is to have a good password management system and know whether a certain password has been hacked.
Traditional authentication methods have failed us. I'm still waiting for a reasonable alternative, but the best we've come up with are things like 2FA and magic links?
Companies insist on sucking as much data out of their users as possible. What are your options? Hand over your personal information and give hackers a reason to attack your favorite services? Create a million different phone numbers, burner addresses, and fake personas? How exhausting.
Then there's the problem of treating data like SSNs, phone numbers, and legal names as private. These things could be public if central authorities could do their jobs correctly, but we've shifted the blame of e.g. "identity theft" to the end user who ultimately has no control over this stuff.
Further, official ID/passport/etc. scans are required of so many transactions and I guarantee my slumlord does not follow good security practices so what can I do other than sit like a duck? Monitors like this are a noble effort, and I'll definitely use them, but it sucks that it's come to this.
* Sensitive Breaches
* "Retired" Breaches
* Spam Lists
* Fabricated Breaches
* non-Verified Breaches
Watch this space: https://github.com/mozilla/blurts-addon/issues/142
You then just check.
He's behind Have I Been Pwned, and Firefox Monitor is an alternative interface for it. I believe he verifies the breaches by contacting a few people in a new breach that have already signed up for HIBP notifications.
And then I can use the leak and get access to their account? Shouldn't this information be mailed to the email address queried rather than displaying upfront
However, in most leaks, you can't just use the information as the passwords are (hopefully) hashed/salted. That said, it is trivial to crack md5 if passwords are stored using that method.
Also, not all leaks contain passwords, some might just be lists of email addresses or other information.
Anything that anyone does after the fact is moot.
Also do you think this is the same value as LifeLock?
I personally don’t see a benefit to Firefox Monitor, aside from a new channel of exposure and branding for Firefox, if they are providing the same data Have I Been Pwned is.
imo, this distinction is too important to be omitted from a short summary.
I say they should capitalize on it with the ultimate announcement. Bring back Firefox OS!
I'm actually surprised it's not more given how many sites/forums/services I've shared this with over the years.
"Find out what hackers already know about you." unnecessarily grinds my gears, as a hacker (programmer) who wants Firefox to succeed.
imho, they've already achieved this and have a great browser that's at least comparably-competent against Chrome.
The battle Mozilla has with Firefox isn't in improving its tech specs, it's in winning over hearts and minds, and that's a complicated, somewhat costly game.
(I say this as a long-term Firefox user who encourages it with all my friends and family)
Many try to switch and then some scandal happens, or it just seems as cluttered as any other browser, and they give up. I think the people who think Firefox Monitor is a good idea are probably the ones who thought the Mr. Robot promo was a good idea.
A good browser should stay out of the way. Chrome did for a long time. Having a "Save to Pocket" button in my toolbar is intrusive.
It's trivial to remove the pocket button - right-click and select "remove from address bar".
If I might ask - how is a "save to pocket" intrusive? This isn't like any of the billions of social media buttons you'll come across on the web; it's not a tracker or anything (and if you do click it, you're going to need to make an account first; and it's only going to save what you ask it explicitly to save).
Mozilla's promotions on HN/reddit won't amount to much.
I think it's fair to say that you're never going to find a set of features and UI that have universal appeal, but if the UI really distracts you even after the first few times (I honestly don't notice it anymore), you could suggest a feature that allows disabling the icon or at least turning off the animation. Sounds like a reasonable request to me at least...
Pity the stand costs so much.
How does this help at all? What can I do about it? Some of the breaches are years old...
Second, you can look into each incident to see what exactly was breached -- personal information, payment info, and so on. It's good information to know.