Saturday, September 16, 2017

How an LG technician broke my phone

tl;dr
  1. I sent my Nexus 5X to LG technical support because it wasn't connecting to the cellular network.
  2. LG asked for $387 to "fix" it. At the same time the phone sells for $260+tax at Walmart.
  3. I rejected the fix, and LG returned my phone:
    • With the camera's infrared sensor broken,
    • With the camera lens dirty, with dust particles inside,
    • With a dent on the fingerprint sensor.

I usually don't write complaint posts, as I much prefer to handle such situations myself. Yet this time I cannot help but share my awful experience with LG's official technical support and customer service, as their behaviour has been truly unprofessional.

Here’s what happened.

Try one
My Nexus 5X wasn't getting cellular signal. I called LG Customer Service and they gave me a free shipping label to send the phone to their repair center.

After inspecting the phone they asked for a payment of $158 for the repair (quote below). Even though I could have bought a new phone for $260+tax, I decided to go ahead and have it repaired.
When filling in the credit card information on the form they sent me I made a mistake and entered the card details wrong. Instead of calling me to rectify the mistake, LG shipped the unrepaired phone back to me.

One week later, when I received the phone and opened the package, I found that the device had a dent on the fingerprint sensor, which wasn't there before.

How much it costs to buy a new phone at the time of this incident


Try two
I called LG and explained what happened. They apologized for shipping it back right away without contacting me first, and told me that, since the original mistake had been mine, I would have to pay for shipping the phone back to them. I did as requested.

LG technical support received the phone and two days later returned it to me. I received an email explaining that my repair request was rejected because the phone was out of warranty. But this was nothing new: it was already clear that the phone was out of warranty the first time I sent it.

Try three
Once again I called LG and explained what happened. The LG representative apologized for the misunderstanding and provided me with a free shipping label to send the phone back for the third time.

The LG technician received the phone, and some days later LG sent me a quote for the repair, which is this one:



The cost of fixing it jumped from $158 to $387. This was much more expensive than buying a brand new phone (prices for a new Nexus 5X at the time of the repair quote can be found above). I called LG to ask why the huge bump in the repair price. They said that the phone had been tampered with, that it had been opened by an unofficial technician and that it had counterfeit components inside. In all honesty, this is not true. I explained this to the customer service representative, but they wouldn't believe me.

I rejected the repair quote and LG proceeded to send the phone back to me. When I got the package I found the phone like this:


The infrared sensor is broken. When you open the camera app the phone can't focus.




This is how the camera behaves, and the overall state of the phone: https://youtu.be/7qWPWmyvcn4

The camera lens has some dust particles inside. When you open the camera app you see several marks like this:

Try four
I called LG and explained all of this from the beginning, emphasizing how the LG technician had returned my phone more broken than I actually sent it:
  • Original problem: no cellular network.
  • Problems now: no signal, camera useless, dent on the back.
I checked the phone carefully every time I received it, and the problems appeared after the third time I sent it.

I seriously doubt that my phone was tampered with or contained counterfeit components. All my life I have used each brand's official technical support to avoid headaches. Third-party technicians are cheaper in the short run but expensive in the long run. That's why I never go to third-party technicians, ever.

The only possible explanation is that the counterfeit/broken components were introduced by the LG technicians themselves.

Final response from the LG representative
  • They recommended that I take the phone to a small third-party phone technician.
  • They said they would send a feedback request to the technician who handled my phone.
  • They said they won't fix my phone or do anything about the broken state in which they returned it.


I will never buy a product from LG again. LG showed their word to be worthless, mainly for two reasons:
  • From one repair request to the next, they claimed the phone was counterfeit.
  • They broke a phone and returned it, just like that. And they didn't care.


Sunday, August 27, 2017

Instagram: host and victim of a cyber attack

Read this article in English here.

Yesterday I was looking at my friends' "stories" on Instagram when I came across an interesting ad from Adidas. I decided to follow the link to see the offers.


Instagram's in-app browser took me to a fabulous Adidas web page showing up to 80% off. After looking around for a while I found several products I liked; it was a very good promotion too!

I decided to buy a couple of things, so from my laptop I went to the official Adidas website (searching for it on Google). To my surprise there was no promotion at all. I went back to my phone and opened the page in Chrome instead of in Instagram. Chrome immediately showed me a warning saying I was entering a dubious web page and that I might be the victim of a scam.



This left me perplexed. Ego aside, as the systems engineer I am, I have come across many "scam/phishing" attempts. But this time I was caught by surprise and with my guard down.

There were a couple of clues that raised suspicions, but I didn't pay attention to them. So my goal in this article is to share these clues in the hope that others learn about sophisticated scam attempts. Why sophisticated? The criminals behind the attack used Instagram to run a fake advertising campaign. Even worse, Instagram paid no attention to the deception. Instagram approved the ad campaign without verifying that some "Juan Pérez" was using Adidas's image to redirect users to a bogus web page.

Clue 1: The web page's 'domain'
Big brands usually own their own name on the Internet; for example, Adidas surely has www.adidas.com or similar as its official page. Now, if we look at the domain of the page Instagram redirected me to, we notice it has a "-yeezyboost" part.
Note: the domain of a web page is the part that starts with 'www.' and ends with '.com'.


If you ever notice a company using a domain that looks odd or that doesn't resemble the brand name, that is a bad sign.

Clue 2: Pay attention to detail
Attackers usually don't invest much time in building a fully working web page. Sometimes fake pages lack polish or finishing touches, or the attackers even make branding mistakes. The following screenshots highlight problems with the floating text: it is misaligned and badly placed. Intuitively it "looks wrong".



Also pay attention to grammar or spelling mistakes, like the ones in the image below. A professional brand like Adidas would never make mistakes of this kind; publishing erroneous content would hurt the brand's image.
'We' should start with a capital letter in both occurrences.

Clue 3: Be a bit skeptical
If it's too good to be true, maybe it isn't true at all!

Extra protection
Anyone can get distracted, accidentally overlook the clues and try to interact with the scam website. That would let the attackers get our credit card information or personal information, or infect our computer. Fortunately there are other ways to stay protected, even for distracted users (myself included).

Use a trustworthy browser! Chrome and Firefox immediately warned me about the scam. But Safari didn't. Safari let me browse the scammer's web page, create an account and add products, and would have let me go all the way to completing a purchase, falling for the scam!

Firefox showing the scam warning.

Note: to give some credit, towards the end of the day (6 hours later) I tried browsing the malicious web page again using Safari, and this time Safari showed a deception warning.


Fun fact: additionally, and to my surprise, I tried to share the page's address by emailing it to myself (using my Gmail account). This is what happened:


Stay alert! When in doubt, check with someone who knows! A human? Yes, or you can also ask Google with this handy tool: https://transparencyreport.google.com/safe-browsing/search

Instagram hosting & victim of a phishing attack

Read this article in Spanish / Lea en Español aquí.

Yesterday I was browsing my friends' stories on Instagram and I saw an interesting ad from Adidas. I decided to follow the link.


The in-app Instagram web browser took me to a fabulous Adidas webpage showing an amazing 80% off on lots of products. I found several products I'd have liked to buy, because it was an amazing deal!

Having decided to start shopping, I went to my computer and entered the Adidas website (searching for it on Google). To my surprise there was no promotion at all. Back on my phone I opened the URL in Chrome instead of in Instagram. Chrome showed a red warning sign saying I was entering a dubious website and that I was likely to become the victim of a scam.



I was stunned to see this. Egos aside, as a software engineer I have several times caught cheap scam/phishing attacks. But this one took me by surprise.

There were some hints that raised my distrust, but I didn't pay attention. My goal in this blog post is to share these hints in the hope that others will learn about these sophisticated scams. Why sophisticated? Well, the criminals behind this phishing attack were running an actual ad campaign on Instagram. What's worse, Instagram paid no attention to the fake Adidas ad and posted it without verifying that the brand was being used to redirect users to a fraudulent website.

Hint 1: Check the web domain
Usually big brands own their own name on the web. So Adidas is expected to have an official store like www.adidas.com. Now, check the domain in the screenshot below, taken from my phone (the domain is the 'words' that start with 'www.' and end with '.com'). See that the domain contains "-yeezyboost" at the end.


If you ever notice the website of a big brand using a dubious web domain, that's a bad sign.
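The domain check from this hint (and from "Clue 1" in the Spanish version above) can be automated: the host of a genuine link resolves to the brand's own registrable domain, while a lookalike such as the "-yeezyboost" host merely contains the brand name. The following is an added example, not code from the original post; the lookalike hostnames are constructed placeholders (not the domain the author saw), www.adidas.com is the only brand domain the post names, and the short suffix set stands in for the Public Suffix List.

```python
"""Check whether a URL really belongs to a brand, or merely mentions it.

Added example (not code from the original post): it automates the "check
the web domain" hint, flagging hosts such as the "-yeezyboost" lookalike.
The lookalike hostnames used below are constructed placeholders, not the
actual domain the author saw, and www.adidas.com is the only brand domain
the post names.
"""
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List; a production checker should load
# the real list instead of this short hard-coded set.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.ar", "example"}

# Brand -> registrable domains the brand is known to operate.
KNOWN_BRAND_DOMAINS = {"adidas": {"adidas.com"}}


def registrable_domain(host):
    """Return the registrable domain: 'adidas.com' for 'www.adidas.com',
    'adidas.co.uk' for 'shop.adidas.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longer suffix first so that 'co.uk' wins over plain 'uk'.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def check_brand_url(url, brand):
    """Classify a URL that claims to be a given brand's site.

    Returns (verdict, reason); verdict is 'ok', 'suspicious' or 'unknown'.
    'suspicious' means the brand name appears in the host (adidas-yeezyboost,
    adidas.com.<something>, ...) while the registrable domain is not one the
    brand is known to own, which is exactly the lookalike pattern described.
    """
    if "://" not in url:          # bare hosts as typed in an address bar
        url = "http://" + url
    host = urlsplit(url).hostname
    if not host:
        return "unknown", "no hostname in URL"
    brand = brand.lower()
    reg = registrable_domain(host)
    if reg in KNOWN_BRAND_DOMAINS.get(brand, set()):
        return "ok", "host is under the brand's own domain %s" % reg
    if brand in host.lower():
        return "suspicious", ("'%s' appears in host %s but the registrable "
                              "domain is %s" % (brand, host, reg))
    return "unknown", "host %s does not mention %s" % (host, brand)


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, two lookalikes, one unrelated.
    for sample in ("https://www.adidas.com/us/shoes",
                   "www.adidas-yeezyboost.example/sale",
                   "https://adidas.com.example/",
                   "https://www.example.org/"):
        print(sample, "->", check_brand_url(sample, "Adidas"))
```

A 'suspicious' verdict is a prompt to verify the link (for instance with the Safe Browsing lookup linked at the end of the post), not proof of fraud: a brand's legitimate regional domains must be added to KNOWN_BRAND_DOMAINS or they will be flagged too.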

Hint 2: Pay attention to the details
Usually attackers don't invest much time in preparing a fully working fake website, or they make mistakes in the finishing of the website. In the following screenshots you will see that the floating text escapes the top bar, is not well placed and just looks wrong.



Also check for grammar or spelling mistakes, such as in the following example. This is something a professional brand like Adidas would never do: show a bad image by publishing content unprofessionally.
'We' should have been capitalized both times.



Hint 3: Be a bit skeptical
If it is too good to be true, maybe it is not true at all!

Extra protection
Well, anyone can overlook these hints and still try to interact with the malicious website, and the bad guys may be able to get something from us (credit card info, personal info, or infect our computers). But fortunately there are other ways to protect ourselves, even for careless and negligent users.

Use a safe web browser! Chrome and Firefox immediately warned me about the phishing attack. But Safari didn't. Safari allowed me to browse the website, create an account, even populate the shopping cart and go all the way.

Firefox alerting about the malicious website.

Note: to give some credit back, by the end of the day (~6 hours later) I checked again and Safari was showing a warning stating that the website is malicious.


Additionally, and to my surprise, I shared the dubious URL with myself via email (within my Gmail account). This is what happened:


Stay safe, and when in doubt check with someone else! A person? Yes, but you can also ask Google with this convenient tool: https://transparencyreport.google.com/safe-browsing/search

Sunday, August 20, 2017

From Around the Web Aug 2017

From time to time I do these batch posts about interesting news from the internet. Spoiler alert: some of the stuff might be a bit old.


ASCII program that is both an exe and a document



SHA1 collision
Announcing the first SHA1 collision






RemixOS for Android
This is not a new concept, but I think the people from Remix did a great job putting all these things together and getting a smooth product.
http://www.jide.com/remixos-for-pc


Machine learning

Play with machine learning to draw your own building, or your own cat. Let the machine guess what it will look like.
http://affinelayer.com/pixsrv/index.html



Interactive worldwide radio



Twitter bots and US elections


Electron Framework can be dangerous
Be careful with those all-built-in mobile frameworks. They can make your app suck.

Friday, August 4, 2017

Tech Talks & Buenos Aires

Last week, along with two engineers and a University Specialist, I visited my home country on a business trip. We spent a full week in Argentina doing "University Outreach". This means that we went to a couple of universities to give tech talks about what we do in our engineering roles, how we work and what some of the hardest problems we tackle are. We also promoted our internships for students and positions for new grads as well as experienced engineers.


"Youtube Deep Dive" at ITBA

Additionally, we hosted a set of 'special talks'.

Firstly, we gave a tech+recruiting talk at ECI (ECI is a set of one-week intensive classes that students from all around Argentina attend). The speaker was a former teacher of mine who now works at Google Germany. She talked about the custom-made Linux distribution we use at Google for software development. Follow this link to learn about the talk.

"Linux at Google Scale" at ECI

Secondly, we gave a talk titled "Interviewing Essentials @ Google", hosted in our Buenos Aires office. I was the speaker for this one. I talked about how to build a resume, what to study and how to prepare for interviews, and we did mock interview sessions to practice problem solving. We had the pleasure of counting on former interns to help us handle the big group of attendees.

"Interviewing Essentials" at Google Buenos Aires

Finally, we hosted our classic 'Google Games'. In this one-afternoon competition we invited students to solve problems in teams. It was a 3-hour event where 7 teams competed to win prizes (I wish I could go back in time and participate in Google Games, because I had never heard of them until I was hired).

Part of the team with the former interns

Overall I think it was a really rewarding experience. Of course it was outside what I do day-to-day at my desk at Google NYC. But looking back, it is challenging to try new things, to speak in public and share a bit of what you work on, and to support students. I am not going to lie, some nights we slept few hours (cough cough, 5), but it was well-invested time. Some nights students didn't want to leave and instead asked a bunch of questions, staying an hour and a half past the supposed end time! 😄

What is the bonus content? Of course, going home to visit family and old friends, eating your favourite food, and visiting the love of your life (my dachshund, who resides in Argentina).

This is how the Faena Hotel received me


Final score 10/10 will do it again 👍

Wanna join us?

The team

Sunday, May 7, 2017

Watch after your privacy: Needy Facebook Apps

Some of us (myself included) share a lot of personal information on Facebook. By nature we avoid publishing anything confidential or delicate. We usually try to friend only people we know for real. But often we forget about connected apps that have access to our whole account, at any time, and that can act on our behalf.

A few weeks ago I noticed a friend sharing some unusual posts. This person was never notified that these weird, garbage posts were being made on their behalf. When I pointed it out my friend replied that they were unaware of this and thought they had been hacked.

"Not so fast!" I said, and together we reviewed the almighty Privacy tab in the Facebook settings.



We didn't find anything suspicious there. So we moved to the Applications tab.


We found the rat! 🐀
To our astonishment, we found a huge list of around 120 apps connected to the account. These are listed in the first section of the page, called "Logged in with Facebook". These apps are third-party companies that have access to a variety of information and actions on our behalf. Each app has its own configuration.

To see what privileges each app has, click on it to open a detail window. Be careful not to click on the "x" that appears when you hover the mouse over the app.


Example of the privileges an app has


Any app can be as needy as the company that created it wants, and can even have the ability to post on your behalf. To learn more about what permissions an app can request, see Facebook's developer documentation at this link.

Going deeper on the problem
How did these ~120 apps end up in my friend's account? Sometimes the surveys/quizzes we take ask to link to our account and we overlook the requirements by just pushing "I accept"/"Link to account".
Other times it's the default way to log in to other services, like Duolingo or Spotify (please don't remove these apps, otherwise you will have trouble logging back in to their respective services).

In the past, apps always showed a window specifying what would be granted. This is no longer the case. Nowadays some games, for example, will automatically link to your account if you just open them, displaying only a small warning like the one below.



By clicking on "Play Now", the company that created that game gets access to your full name, your email address, your list of friends, age, gender, profile picture, language, country and other public info.

How to be safe
The rule of thumb is that most apps should not require any permission beyond "Public profile". But apps like Duolingo, for example, also ask for access to your friends list so they can show you a leaderboard of how well your friends are doing.
If you find an app that is really needy, you can edit the permissions before installing it by clicking "Edit the info you provide", shown in the previous picture.

Alternatively, if you already have an app linked to your account, go to the apps tab in your settings (https://www.facebook.com/settings?tab=applications), click on a given app and review what you are providing to them (see the third image in this article, titled "Example of the privileges an app has").

What if we have old quizzes or other apps we will never use again?
I recommend going ahead and removing them! To do so, in the apps tab of the Facebook settings hover the mouse over an app you want to get rid of, click on the "x" that appears near its name, and you will be prompted with a dialog like the one below. But not so fast! I would strongly suggest checking "Delete all your ____ activities..." so that anything evil the app published on your behalf is also removed.



Remember to stay safe!

Monday, March 6, 2017

From around the web March 2017

Boston Dynamics' new toy



Pix2pix
Given a drawing, this TensorFlow model tries to generate a real-world image that matches it.


Interactive website: https://affinelayer.com/pixsrv
TensorFlow model: https://github.com/phillipi/pix2pix

I created a beautiful cat:


Interesting reads from the web
Virtual reality directly in Chrome
https://blog.google/products/chrome/experience-virtual-reality-web-chrome/
Finding the coaching in criticism
https://hbr.org/2014/01/find-the-coaching-in-criticism
Using machine learning for a lawyer robot
http://www.trustedreviews.com/news/worlds-first-ai-robot-lawyer-overturns-160000-parking-tickets-uk
Twitter Bots during US elections
http://www.wired.co.uk/article/twitter-bots-democracy-usa-election
A filesystem that literally stores the information in a network.
https://github.com/yarrick/pingfs

Cloud Spanner
Google introduced Cloud Spanner, a global database service: distributed, highly available, scalable, global.



Amazon Go





Wednesday, March 1, 2017

Facebook is censoring the web

tl;dr: Facebook copies and stores GIFs from other websites by converting them to mp4 videos.

Driven by curiosity and by chance, I made this interesting and slightly controversial finding.

I was browsing a friend's wall and noticed an old GIF I had published there. It was a funny picture of an actor. When I clicked on it to open the original website I found myself facing a security warning, and there was no way to proceed to the apparently "unsafe website".

Original post

Malicious website warning

By checking the HTML source of the page I discovered that the GIF I was seeing on my friend's wall was an infinitely looping video hosted on Facebook's servers ("video-lga3-1.xx.fbcdn.net"). And I was able to see the video in an embedded player.

HTML source of the page

Direct link to the embedded video hosted by Facebook

Finally, one last interesting thing is that Facebook stores and sends along the original URL of the image, but encoded as part of their request URLs. Maybe they are using this for some sort of caching?
This last finding allowed me to recover the original URL:


Now I am able to share the link again with other friends, outside of Facebook.

Monday, February 13, 2017

From around the web February 2017

Around the world
Incredible hyperlapse around the world using Google Maps.




Drone that pollinates plants
Researchers from Japan are working on a small drone that can pollinate plants, in case all the bees die.


Link to source: theverge.com/2017/2/9/14549786


Your own giant flashlight
Spireworks lets you control two giant antennas located in Midtown NYC. Using a website you can choose the lighting of the antennas for two minutes each, and pick colors and effects. How do you get in? It's by invitation only ;-)





Link to website: spireworks.org


Microsoft Edge

Given that I'm having trouble finding the right time to write posts, I decided to do small posts from time to time. I came up with this fashionable way of calling them: "snippets of the week".


Microsoft Edge

I was at a friend's house and instead of using my favorite browser I decided to try Edge, the latest web browser from Microsoft. First of all, I'm not a pro-Apple/Microsoft/etc. fan; I consider myself really open and unbiased, and I didn't like it.

The visual interface seems to be the same for touch-enabled laptops as for those that are not. This makes the buttons really big on non-touch computers. Also the dropdown menus are really big and take a lot of space while displaying just a few options. Maybe in the future all devices will converge to touch, but for now this is not the case. So, in my opinion, having a 13-inch laptop with these big buttons is not optimal.

The default homepage is confusing. Lots of information is shown: bookmarks, recent sites, top sites, and lots of news feeds that apparently are automatically adjusted to the user's habits. When I asked my friend, he told me he never uses it and finds the content irrelevant.

As an advanced user, it was really hard for me to find the right place where settings are supposed to be. I didn't find it natural.

Finally, I don't think Microsoft is playing a fair game regarding the search engines that can be configured as default for the address bar. After finding the right place where this can be tweaked, the options displayed include Facebook, YouTube and some others. I was sad to discover that Yahoo, DuckDuckGo and even Google were missing. I mean, come on, who uses YouTube or Facebook as their default search engine? Unbelievable.

To round up my conclusions, I think it's a nice browser for an entry-level user, someone who has never browsed the web before. But arguably the overloaded default homepage and the lack of an easy way to show a bookmarks bar complicate things a lot.
For medium-expertise and advanced users, it's a no-go.

Wednesday, February 1, 2017

Lyft: Absurd battery consumption

Today, all of a sudden, I realized my phone had run out of battery in less than 5 hours.
I opened the battery consumption screen and found out that the top consumer was Lyft; this was shocking as I hadn't been using it the whole day. Digging into the issue, the statistics showed that the Lyft app had consumed 336 MB of RAM (on average) in the last 3 hours. This is huge! Especially compared to the other apps sitting on my phone:

App           RAM in last 3 hours   Battery consumption
Lyft          336 MB                19%
Whatsapp      51 MB                 3%
Snapchat      16 MB                 0%
Google Maps   0 MB                  0%
Uber          0 MB                  0%


Was it a glitch?
A priori we can't tell, but it seems quite unlikely. Why? The latest update of the Lyft app was on Jan 25, 2017. That's exactly one week ago. If such a failure had been introduced by accident, they should have caught it in QA. Lyft, a billion-dollar company with tens of millions of users, is likely to have a really intensive QA procedure, especially considering that they only have one product on the market (their mobile app). Also, they are likely to collect both statistics and usage data. But this was not enough during a seven-day period to catch the bug, which doesn't really make sense.

Can the user do something about this?
Yes and no. If the app is bad or evil (where bad means not well developed and evil means developed to obtain something from the user), the phone's owner can't do much about it. Uninstalling might be a possibility, but considering that Lyft sometimes has better fares than Uber, it's good to keep it handy.

Can we protect our privacy?
Yes! Android and iPhones allow controlling what is shared with the app developer. Go to:
  • Android: Settings -> Apps -> tap on 'Lyft' -> tap on Permissions
  • iPhone: Settings -> scroll down and tap on 'Lyft' -> tap on Permissions
Afterwards you can disable what is shared with the app. I would suggest disabling everything for now. But remember, the next time you need to book a ride you will have to re-enable the permissions.

The Uber app is pretty humble about this; I have always used it with only the Camera, Location and Phone permissions.
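The same review can be done from a computer over adb instead of tapping through Settings, which is handy when you want to compare an app's granted permissions against a known-good baseline like the Camera/Location/Phone set just mentioned. The following is an added example, not code from the original post: the dumpsys excerpt is constructed to mirror the real `adb shell dumpsys package <package>` format, the package name is a placeholder, and mapping Camera, Location and Phone to specific Android permission names is an assumption.

```python
"""Audit an Android app's granted runtime permissions against a baseline.

Added example (not code from the original post). It parses the output of
`adb shell dumpsys package <package>` and lists which granted permissions
go beyond the Camera/Location/Phone set the post reports for the Uber app.
The dumpsys excerpt below is constructed to mirror the real format
('<permission>: granted=true|false' lines under 'runtime permissions:')
and uses a placeholder package name; the baseline mapping of Camera,
Location and Phone to permission names is an assumption.
"""
import re

BASELINE = {
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
}

# Constructed sample, shaped like `adb shell dumpsys package com.example.rideapp`.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.rideapp] (1a2b3c4):
    userId=10123
    versionName=4.20.3
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true
      android.permission.READ_CONTACTS: granted=true
      android.permission.READ_PHONE_STATE: granted=true
      android.permission.RECORD_AUDIO: granted=false
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
    installPermissionsFixed=true
"""

PERM_LINE = re.compile(r"^\s*([\w.]+\.permission\.[A-Z_0-9]+):\s*granted=(true|false)")


def granted_runtime_permissions(dumpsys_text):
    """Return the set of runtime permissions reported as granted=true."""
    granted = set()
    in_section = False
    for line in dumpsys_text.splitlines():
        if line.strip() == "runtime permissions:":
            in_section = True
            continue
        if not in_section:
            continue
        m = PERM_LINE.match(line)
        if m is None:          # first non-permission line ends the section
            in_section = False
            continue
        if m.group(2) == "true":
            granted.add(m.group(1))
    return granted


def excess_permissions(granted, baseline=BASELINE):
    """Granted permissions that are not part of the baseline, sorted."""
    return sorted(granted - baseline)


def revoke_commands(package, permissions):
    """Build (but do not run) the adb commands that would revoke each one;
    `pm revoke` is the command-line counterpart of the Settings toggle."""
    return ["adb shell pm revoke %s %s" % (package, p) for p in permissions]


if __name__ == "__main__":
    granted = granted_runtime_permissions(SAMPLE_DUMPSYS)
    extra = excess_permissions(granted)
    print("granted beyond baseline:", extra)
    for cmd in revoke_commands("com.example.rideapp", extra):
        print(cmd)
```

As the post notes, revoking a permission the app genuinely needs may break a feature until it is re-enabled, so review the excess list before running the printed commands.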

I am not aware of the minimum permissions Lyft needs to run; you can experiment by disabling some and trying to request a ride.
This is a tricky topic, though: some companies develop their apps really poorly, requiring the user to enable all permissions in order to use the app. This is mainly for one of two possible reasons:
  • The development team wants to save time, so they just ask for all permissions once, and the whole app relies on them being granted.
  • The development team is evil, and wants to collect extra data from you while giving you this amazing app for free. This is the case, for example, for several free video games. They require permission to read your contacts, calendar, or SMS. But why? They don't need them.

Disabling permissions will not save us from the app consuming an insane amount of battery, but it will limit the damage the app can do to us.

Finally, we can limit background internet usage (google 'how to limit background data' for Android or iPhone). Again, try disabling it and requesting a ride. Maybe the app will not work properly, so experiment for yourself. Optionally, you can enable background data for Lyft only when you are about to use the app.

Are you telling me that Lyft is a super evil megacorp?
No, not necessarily. Maybe it was just a series of unfortunate events.

How so? Maybe they are experimenting with new features in their app and something went wrong. I guess they might be trying to get information about your movement, perhaps whether you are commuting home by car or public transport, to try to guess what the traffic is like. Why am I saying this? Well, I noticed the big chunk of battery consumption comes from CPU, not so much from RAM. Also, background internet usage was not really high (15 MB). So whatever they had been doing, it was expensive in resources but not in network.


Thursday, January 12, 2017

While I was away

I am really sorry for this huge gap since my last post.


In these last two years lots of things happened.
I started 2015 working as an iOS developer in a medium-sized company in Palermo, Buenos Aires, Argentina.

In late 2015 I moved to Zurich, Switzerland, where I joined Google in YouTube Shopping / Video Ads. I mostly worked on pipelines (parallel data processing), backend/serving, experiments and data analysis. I spent a little more than one year in Zurich (chocolate, outdoor sports, hiking, cold, too quiet, everything closes on Sundays).

Lots of things happened in between:
  • I mentored at a hackathon for the first time.
  • I gave my first public tech talk representing Google, and then I gave four more at universities in Europe and Argentina, and even at a high school in the USA.
  • I visited my dog in Argentina several times, because, why not? 🐶


In late 2016 I moved to NYC, where I am right now writing this. I am still at Google, now switched to something more tangible. I am doing iOS development again, this time in Google Docs, specifically Slides for iPhone. I not only switched teams but also PAs (from Ads to Apps).

NYC so far seems like an interesting place (hamburgers, English, colder, hi officer). And lots of opportunities and challenges to deal with!

What will happen next? I certainly have no idea, but I will start with 🐶🇦🇷.