Not having these ready for the launch does seem to be a massive misstep. An IT infrastructure monitoring company should know better how sensitive corporate CISO is to this sort of thing.
3 Likes
I will revert to v2 as well I concur with the privacy issues as well.
5 Likes
@domenico Do you guys not have a security team? The fact that this even got past design phase is EXTREMELY worrying. No (none, zero, nada) competent security engineers would have ever greenlit something like this. What the hell is even going on at GlassWire? Iām pretty sure this isnāt GDPR compliant either. What will happen if a customer complains and your company gets audited for storing extremely sensitive user data in the cloud without consent or deletion controls?
2 Likes
Sending processes, IPs, data sharing etc. is just too much for me, I guess that itās fine if you collect off free users to build databases but let us paid users to turn off those cloud stuff and add wherever you can offline databases for the features and updated at each glasswire update like geoip, thanks. Also kinda worrying that they said that it cant be disabled because it is a part of v3 which is obviously false as v3 work just fine on offline PCs but i see that they said they may add an option to fully disable it, good
edit after checking everything it look like since they partnered with or have been bought by domotoz (on opencorporates it say that domotoz co-founder is now glasswire manager/director) the privacy policy page of glasswire changed a lot in november
2 Likes
paid user since 2016, currently āeliteā
Extremely disappointed in the direction thatās been taken. Glasswire is meant to be a privacy tool, itās particularly galling Iāve paid for a product which is now actively aiming to upload my data. The incessant nagging to login is an irritant too.
I hope the next release provides reassurances around privacy/opt-outs - itāll be a shame to go back to pre-glasswire options, but a privacy tool uploading data without permission is a hard red line for me.
6 Likes
@Jar_Jar Thanks for your thorough legal analysis. Despite you being āpretty sureā of the contrary, we are indeed fully compliant with GDPR. User permissioning is granted at account creation and we donāt enable any cloud based features without such permissioning. That is the reason why account creation is currently mandatory for any new user. Existing users can avoid sharing any data, even on V3, by not creating an account and using their existing license keys. As far as security goes, our larger business is SOC2 type I and type II compliant which is no small feat because of its stringent requirements. And we are in fact periodically audited by external security experts to maintain such certification. Having said all this, this is pretty much a pointless conversation and a waste of a forum post. As already indicated numerous times, we are releasing before then end of the week an updated version which grants all users with an account more controls over the cloud features they wish to use rather than the current all or none approach. We are going further than that in a second version scheduled to come out in January, where we will make account creation (and the related usage of cloud based features) entirely optional to all users, not just paid ones.
1 Like
Hello GW Team, Att Katie_GlassWire - domenico
After reviewing some of the changes from GW Version 2 to Version 3 here are some of my worrying concerns with some red flags from this security application.
First version 3.0.474 was nagging us to sign up for an account.
Then came along Version 3.0.476 No nagging on first install but now the only option is to sign-up for an account which some do not want or need. This is a forced option (Not Happy) or yes, one can enter the old legacy license key to by-pass that.
I can say I am not keen at all on the data telemetry collected. With an online account and logged in, it collects your computer name, how long you are signed into your computer, IP addresses etc. ā¦ screenshots below. All this when you might only want to use the free version and not sign up for an account.
If you are a paid user and the features again gathering this data collection. āGW scoreā There would be some back end server with all this data harvested from GW userās apps etc. I know it is an option but as a security app that is a worry for me, with a red flag waving.
As you can see, I am not the only one, and other users have mentioned some of this. Going forward it might be good to rethink some of the changes that have been implemented. For me by far version 2 is the choice and with a much safer option.
Maybe you could run a poll in the forum asking users what they might want or not, or like to have in this software.
Remember without users, GW will not exist.
This is some of my thoughts and more to come I would say.
Thank you GW Team, i know you are trying to improve this software.
Hi @GlassWare,
Iām not sure if you were able to read Domenicos latest post as it looks like you posted at the same time.
As confirmed in his post, we are in process of building a version with no account creation needed - so the same as v2.
We are also adding a feature which will allow users to opt out of any data processing. This will be release within the next few days.
Thanks,
Katie
4 Likes
Thank you for the reply, I did not see Domenicos latest post.
There is a lot going on in these posts.
All i knew was, that when Version 3.0.476 was released after some of my concerns. I thought this is what we are now presented with.
I Will be looking forward to reviewing, and testing out the new releases that should address some of these issues.
Thank youā¦
1 Like
@domenico Your last post is incredibly confident regarding your compliance to regulation and whatnot, maybe even borderline arrogant. Fine, may it as it be, but the product development weāre currently experiencing from Glasswire is erratic at best. It feels like youāre trying to convert Glasswire into an EDR or at least some kind of āseriousā enterprise-/business-ready security solution - which is, again, fine but probably not what most people signed up for.
If you intend to become a unicorn and be bought by some tech giants, again, seriously, fine. But changing the scope of the tool, including imposing cloud use on people, subscription policies, and account-creation to use the tool without being annoyed by it, seems like a less-then-well-thought-out idea. Or maybe some PowerPoint-decision made by committee.
Speaking for myself, after reading your data protection agreement, weighing the pros and cons of the changes in the software, and also experiencing the weird communication from the company (setting deadlines and then postponing them in other threats, borderline aggressive communication in posts, calling data privacy concerns āparanoiaā, etc.) I have come to the conclusion that Iāll just throw away the rest of my elite subscription and be done.
I have no idea what kind of enterprise, security, and software architecture youāre applying or how you intend to run the business, but Iād definitely recommend setting up some communication and community guidelines - in 2022 there is enough evidence out there that firing at your community might not be as rewarding as you expect it to be. Good luck, though.
2 Likes
Just asking after your comment 10 days ago, and now Version 3.0.482
is out, but still wants an account created on a new install, unless you have a license code.
" we are in process of building a version with no account creation needed - so the same as v2."
I guess this is not the version you are talking about?
Thank youā¦
Hi @GlassWare,
We released version 3.0.482 which has the new āPermissionsā feature. This allows users to enable/disable data processing.
Removing the mandatory log in is still in process.
Best,
Katie
There is a separate post reporting that even with data processing disabled (permission not given) the new version is āphoning homeā with outgoing connections.
Trust is a very important attribute for a security product. Hard won and easily lost.
What do these connections look like? I am still on v2.3.449 for the time being
Here is how it looks for me (host detection is bad here, can be either activate. or update.), happens maybe a couple times per day.
The software is checking in periodically to see if any updates are available and, in V3, to check the validity of your license. Since Version 3.0.482, no data is being sent out if you disable the data permissioning options in the settings page.
1 Like
Iām on version 3.1.484. I am not logged in at all, and under Settings ā Accounts ā Permissions, nothing is checked (App Info and Traffic Counters). Yet, I am still getting frequent and periodic connections to api-eu-north-1.protect.glasswire.com . Iām too lazy to mitm myself and see what HTTPS info is being sent, but I would recommend everyone adding this to their host file. There are definitely more servers though. I have also added a recursive entry to my router to block all subdomains for protect.glasswire.com
2 Likes
So, some interesting stuff. I got bored and decided to mitm myself, installing a certificate and proxying all data so I can inspect HTTPS traffic. Whatās weird is that I am seeing DNS requests to api-eu-north-1.protect.glasswire.com on my router, but I am not seeing it in my dump. As you can see from my DNS logs on my router, here are the top 3 requested domains (I cleared the logs to find this traffic easier)
But when we look at the proxy logs, all but the traffic to api-eu-north-1.protect.glasswire.com show up
The only explanation I have is it is bypassing the local proxy. Traffic is clearly egressing as indicated by the DNS logs. Iāve ran the proxy for over 30min, and Iāve seen all kinds of other system HTTPS requests such as Bitwarden, MS Updates etc. but this is escaping it.
It would be nice to have someone on the Glasswire team explain this, or detail what exactly is being sent via this API. For now, I am going to downgrade.
2 Likes
I was finally able to decrypt the packets to api-eu-north-1.protect.glasswire.com by setting an environment variable on my workstation to dump the TLS keys on my desktop and use Wireshark to decrypt in real time. Itās just a heartbeat. It doesnāt look like much info is being sent, I am curious as to why there is a device ID and what theyāre doing with that. I would rather not have anything sent outside my network. It is also interesting that the type is ACTIVITY. Iāve tried to click around/modify settings to see if I could trigger this heartbeat but I canāt, so Iām not sure if this is sent at a set interval (looks to be sent at exactly every 5 minutes, look at the timestamps in the last 2 photos). Iām still unsure why I couldnāt see it when I mitmād myself, but regardless Iām downgrading 
It says I cannot make 3 posts in a row, so I am editing this one.
Ok last update, sorry, Iām really bored 
While Iām here I decided to make a Glasswire account (Nick @ Glasswire, if youāre reading this our paths will unfortunately cross once more 
) and check out whatās being sent/received. Iām pretty tired so Iāll summarize here and post screenshots of the captures below.
TLDR: Itās very possible and extremely likely (according to the privacy statement) that device hardware is being collected and sent out. Whatever theyāre collecting (Iām assuming application names, traffic in/out and whatever else) is being sent to them as a gzip. Application names, popularity, traffic in/out are being downloaded, and the application names are encoded somehow (not base64, ran through CyberChef and couldnāt figure it out. Probably double encoded or salted.) Also, there was an interesting request to update.glasswire.com to /ads/ which appears they may roll out ads in the future.
HTTP Posts
/auth/realms/glasswire/protocol/openid-connect/token
Appears to just authenticate or keep your Glasswire account logged in. Includes an access token, expiration time, refresh time and session state.
/api/v1.1/agent/detect/batch
This looks like itās just downloading the statistical values populated for each app, such as popularity, average traffic in/out etc.
/api/v1.1/agent/detect/upload
Iām guessing this is collecting your application names, average traffic in/out etc. Itās encoded/uploaded as a gzip.
GET request
/api/v1.1/agent/update/check
Just checks for updates, value is either 1 or 0 for yes and no.
/ads/
Whatās interesting here is a GET request to update.glasswire.com to /ads/. The values are empty, but it looks like they may possibly roll out a (free?) version to include ads in the future. If youāve read the above responses from the Glasswire staff, youāll see that you cannot opt out in the free version for data transmission, so this may be one way to monetize free users. This is likely a huge reason for migrating to the cloud. I guess we will see.
If you INSIST on using this or future versions of Glasswire, I recommend blocking the following in your hosts file and/or router.
api-eu-north-1.protect.glasswire.com
api-us-east-2.protect.glasswire.com
pivot.protect.glasswire.com
Ok I guess Iām not done. C:\ProgramData\GlassWire\service-full\stats has lots of files that provide clues as to whatās being collected. I ran sysinternal strings on some of the files, here are the SQL tables being created. It looks like info is being collected at the 1 second, 30 second and 10min intervals.
indextraffic_stats_protocol_idxtraffic_stats
CREATE INDEX traffic_stats_protocol_idx ON traffic_stats (protocol)t
indextraffic_stats_rport_idxtraffic_stats
CREATE INDEX traffic_stats_rport_idx ON traffic_stats (remote_port)t
indextraffic_stats_rhost_idxtraffic_stats
CREATE INDEX traffic_stats_rhost_idx ON traffic_stats (remote_host)k
indextraffic_stats_app_idxtraffic_stats
CREATE INDEX traffic_stats_app_idx ON traffic_stats (app_id)z
indextraffic_stats_timestamp_idxtraffic_stats
CREATE INDEX traffic_stats_timestamp_idx ON traffic_stats (timestamp)
)tabletraffic_statstraffic_stats
CREATE TABLE traffic_stats (timestamp INTEGER, app_id INTEGER, remote_host BLOB, remote_port INTEGER, remote_host_region BLOB, protocol INTEGER, flags INTEGER, inbound_bytes INTEGER, outbound_bytes INTEGER)
There is also an interesting folder, located at C:\ProgramData\GlassWire\service-full\cloud. Hereās the notable info in the database
tableoptionsoptions
CREATE TABLE options (name TEXT PRIMARY KEY, value BLOB)-
indexsqlite_autoindex_options_1options
qindexflux_cache_app_idxflux_cache
CREATE INDEX flux_cache_app_idx ON flux_cache(app)m
indexflux_cache_timestamp_idxflux_cache
CREATE INDEX flux_cache_timestamp_idx ON flux_cache(timestamp){
Atableflux_cacheflux_cache
CREATE TABLE flux_cache (flow BLOB PRIMARY KEY, timestamp INTEGER, app INTEGER, flux BLOB)3
indexsqlite_autoindex_flux_cache_1flux_cache
tabletraffic_stats_1sectraffic_stats_1sec
CREATE TABLE traffic_stats_1sec (timestamp INTEGER, data BLOB)
q%%
tabledetect_statsdetect_stats
CREATE TABLE detect_stats (app INTEGER PRIMARY KEY, data BLOB)
q11
tabc
tabledetect_statsdetect_stats
CREATE TABLE detect_stats (app INTEGER PRIMARY KEY, data BLOB)
7 Likes
I wonder if this stealth monitoring is finally gone from v3.2