Watch Out: Spotify is Watching You!

Apple Music does not currently have an API or any hooks for external devices to access it directly - it's currently only supported on Apple devices and can only be passed to an external device at this time via AirPlay so the easiest way to get Apple Music at this time would be via an AirPort Express or Apple TV.

Cheers

Phil

Simon's analysis is correct.

I've tried to think how to explain it both simply and accurately, but I failed to achieve this!

For those who do want to understand it: I suggest looking up different articles on 'Private & Public Key Security' until you find one that explains it in a way that you can relate to.

IMO this is all very fair and square. If they do as they say, there is little / nothing to worry about. IMV they cannot afford to go against this statement, if found out, it would be a PR disaster and customers would leave / cancel in hordes. 

Much better that bloody WhatsApp, I wouldn't let them anywhere near my iPhone....

Chateau Diffie Hellman 

This just made my day.

Thx

spotify is history 

Wat, , you are referring to a proxy key / certificate store or 'safes' used by corporate networks and certain high latency acceleration devices that I mentioned. Blue Coat, River Bed etc have such devices. I know as I use such devices.. They hold copies of popular CA certificates or bespoke installed ones, and so effectively interspet  by decrypting and re encrypting and telling the browser to trust the connection. This can happen at a firewall interface such as used in commercial corporations. However if the certificate safe does not contain the CA certificate to re crypt and authorise the connection then no interception is possible with out the client spotting a certification error.. There is no SSL breaking .. just emulating popular other defined CA certificates  ... Period...

So yes a routing interception attack at the carrier level could take advantage of this on the Internet.. unlikely outside of government security agencies because of computing power required at an Internet Tier 1 or Tier 2 router, or at local level using wifi. Hence why I say a VPN is preferable with wifi hotspots networks or where encryption is required. An IPSEC tunnel can be rock solid and secure in such environments.

SSL site masquerading for phishing would need to inject a false root path into the global public internet ... unless this was at an edge border like a corporate firewall such as using a SSL proxy which is unlikely to be used for phishing, the processing power required to intercept such traffic on the global internet again would limit such masquerading to government bodies. Again a  VPN circumvents this even against government agencies, hence why in some parts of the world VPNs are illegal unless you deposit a copy of your private key with your local government agency.

So I repeat, if you can't trust your network access and this include private corporate networks, you use a VPN.. Of course VPNs can be blocked but  most VPN types can't be eavesdropped. If you trust your network access, then SSL/TLS is used to confirm the identity of the remote end.

Simon

When quantum computing takes off commercially, will I be accountable for any misgiven information about myself in a parallel universe ?

Hi Wat, yes back to the music, but being an engineer let me pedantic a movement 

SSL is encrypted and secure between two points, it's the certificate authentication process that arguably isn't.. What an SSL proxy does, as we know, is decrypt the data as if was you at the the domain boundary, and then encrypts within your private domain useing its own private key. The reason the browser doesn't spot this as un trusted, is because the corporate SSL proxy mirrors or spoofs the remote certificate so the new encrypted traffic appears as if it's from the remote end..however the important bit, the proxy can only do this if it has details of your remote certificate, which many commercial proxies do for popular CA'd services.

About 10 years ago when I was new to SSL proxies I set up a SSL protected service outside my then corporate firewall with users both inside and outside the private corporate network. One morning we updated the service with a new key and certificate... we had not lodged the key certificate details with our network security team... the phones went on melt down at around nine o clock when many of our users inside the corporate 'firewall' started ringing in to say their browsers were reporting the service was not to be in trusted! the key symbol on their browsers was red. We scrambled to correctly register our details with the SSL proxy team, and then all was ok .. The client browsers were none the wiser.

Simon

I've just found another problem with Spotify on a PC.

It installs several files of executable code into ...\AppData\Roaming\Spotify\ in your profile, thus bypassing part of the windows code security system, and making unauthorised tampering much easier.

This should NEVER be done (even though MS do it themselves with OneDrive).

Wow Huge, that really is rather disturbing.. What are they trying to do???

If I were to look at any part of Apple's iTunes, I haven't bothered with Music, I believe that there are masses of http executable code that can be edited and or replaced. The Ts & Cs used by Spotify causing so much bother in this thread are standard fare for many apps that you load and use on a daily basis including banking, stock broking, newspaper subscriptions etc etc. Additionally, Apple and MS, via their operating systems, have carte blanche over all your installed devices.

The moment you invested in streaming music you signed up for all sorts of intrusions into your personal lives, never mind the instant you first googled the word 'Naim' into your computer of choice. This barrage of criticism against Spotify is, apart from its unfairness, part of the audiophile, snobbish disparagement of a service that is relatively cheap, of higher potential quality than many recordings ripped from your CD collections and opens up avenues of new music to many millions of its satisfied customers. 

I own own both a Porsche and a BMW but am not arrogant enough or blindly stupid enough to believe that either of these cars is functionally or operationally more effective or reliable than a much cheaper Toyota or VW. Spotify more than does the Toyota or VW job in a musical sense. 

Really,? The streaming services I have signed up to (and I don't use Spotify) that I can access via my Sonos, and other streaming devices don't require me to sign any of my life away.

They require minimal info from me. I use PayPal for those that require payment ... It insulates my online transactions from by bank account and needing to share my address.. The service provider knows what music I play and the hardware I am streaming the service with and my temporary ISP IP address... Other than that nothing... absolutely nothing...

My mobile service provider is significantly more intrusive ... and I simply leave that home when not needing it. Even buying CDs online requires me to share more personal info with the vendor than with streaming...

My streaming services require minimal personal info from me, not least my address, telephone number, credit card number, social media account  yadda yadda yadda .. and I prefer and like it that way.. 

Sure I buy CDs sometimes with cash... Just not very often...

Simon

Simon,

Never leave your house, or drive your car, or cross the road, or pay for anything other than with cash that you have got from a teller in a bank. Never use an ATM, especially from another bank other than your own. Never Google anything, never use email, do not invest on-line yourself, do not use Sky or Virgin media. Be vary careful accessing on-line forums, such as Naim. Play only CDs or vinyl records on cable connected devices with no wifi or internet connections as walls have ears (I can see, but not access, my neighbour's internet connection in my living room 50 metres from his house). Never rip to a NAS because, apart from anything else, it is illegal.

In in a very narrow focused, completely risk averse world the chances of seeing the bus that is going to hit you is thankfully small.

All of you know that you are stumbling willingly or otherwise into an Internet driven media whose actual deliverable possibilities continues to be constrained by the people who would prefer to keep us chained to very controllable output methods such as vinyl or CDs. The moguls who ran this show were none too fussy in the quality of music they deigned to offer us either. Gradually, in value for money, recording quality and output depth, streaming music is raising our potential standards, so, to paraphrase an old song, let's accentuate the positive which is much greater than any of the negatives. 

Wat,

You are so correct! I originally had a Porsche Macan Turbo on order to replace the BMW as we have only kept one car on the drive since my wife stopped being a District Midwife about 25 years ago. However, Porsche told me the truth, that it would take two years to get a brand new Macan. I got fed up , cancelled the Macan and bought the Cayman S because it was red (the wife liked it), my kids and grandkids liked it better than the potential Macan. Even better, I like it because, as you guys are all very technical, it has a Sports Exhaust, PDK Gearbox, Sports Chrono, 20" Sports wheels and, just for you Wat, I can play the Apple iPhone on the Bose system. Not Naim, I admit, but it isn't a Bentley. Believe me, anyone who has been in it, heard the roar as it takes off and the gut wrenching acceleration has complained. Had to keep the Beemer as the Cayman comes with obvious limitations. As for Apple Pay, every little helps. 

Of course, having spent all that money, am forced, as I am at the moment, to listen to a lowly Muso and cheapo Spotify. Still, the wife has just asked me me to turn it down as it interrupted her viewing of Fallen Skies in the room next door. Life is such a compromise!

I don't allow browsers on my machines to download and execute ActiveX code, and neither should anyone else, including you.  All the executable code on my machine that is transferred by HTTP has either come as a proper (controlled) install pack or executes in a protected virtual machine (aka a sandbox).  N.B. HTML is not executable.

I wasn't complaining about terms and conditions (which are at least published), but the fact that the Spotify install process violates Windows code security and leaves a code vulnerability in place making the target PC more vulnerable to malware.  Particularly as it does this without asking permission or notifying the user about the problems it's created.

Replacing code on a PC should require a administrator account privileges (you don't normally use you computer via an administrator account for normal non-administration tasks do you?), hence should cause an alert to the user.  Spotify make that possible without any alert, so helping a trojan (or other malware) to insert it's code without any difficulty and to transport itself to any PC on the network with access to the same account.

I don't feel that objecting to Spotify weakening the defences of my PC is in the least snobbish.

Apologies Huge if you thought I was accusing you of being snobbish in your security concerns, that was never intended. In my haste to respond I should also have said HTML, which is executable interpretative code, and not HTTP, which is of course a protocol, and I do and should have known better. I have a friend who was director of IT security for a multinational and he was justifiably paranoid as one of their divisions, for which he was not responsible, has had several well reported embarrassments. 

Actually I am not sure that is sound advice either - perhaps not being born might be the only guaranteed way of not experiencing any danger..

However that is slightly different from people/organizations acting potentially fraudulently, deceitfully or non transparently. Those are things we should be able to control and police such that we are able, should we wish to, trust and rely  on them not to cause us undue harm, loss or inconvienience in living a  normal (for many) life..

No problem, as the saying goes "Act in haste, repent at leisure" , we've all done it and I'm no exception.

Fortunately no one broke any of my security designs or you would all have heard about it (when it happened to our competitors, it made National TV news).  Our lapses in security were human error and theft of hardware, and they did make the news.  Having worked in that environment I also get twitchy about security.

Life is a sexually transmitted fatal condition! 

Expensive cars. High-end audio equipment. Happy spouse.

Pick any two!  

Well, it is of course 1 and 3 at the moment, but I have a room stripped and ready for redecoration which one tradesman has let me down on so far! If the stockmarket would stop tanking I might be able to distract the wife and focus on option 2 next year, but am not confident :/