Worrying privacy implications of "cloud" features, can we disable them?

Not having these ready for the launch does seem to be a massive misstep. An IT infrastructure monitoring company should know better how sensitive corporate CISO is to this sort of thing.

3 Likes

I will revert to v2 as well I concur with the privacy issues as well.

5 Likes

@domenico Do you guys not have a security team? The fact that this even got past design phase is EXTREMELY worrying. No (none, zero, nada) competent security engineers would have ever greenlit something like this. What the hell is even going on at GlassWire? I’m pretty sure this isn’t GDPR compliant either. What will happen if a customer complains and your company gets audited for storing extremely sensitive user data in the cloud without consent or deletion controls?

2 Likes

Sending processes, IPs, data sharing etc. is just too much for me, I guess that it’s fine if you collect off free users to build databases but let us paid users to turn off those cloud stuff and add wherever you can offline databases for the features and updated at each glasswire update like geoip, thanks. Also kinda worrying that they said that it cant be disabled because it is a part of v3 which is obviously false as v3 work just fine on offline PCs but i see that they said they may add an option to fully disable it, good

edit after checking everything it look like since they partnered with or have been bought by domotoz (on opencorporates it say that domotoz co-founder is now glasswire manager/director) the privacy policy page of glasswire changed a lot in november

2 Likes

paid user since 2016, currently “elite”

Extremely disappointed in the direction that’s been taken. Glasswire is meant to be a privacy tool, it’s particularly galling I’ve paid for a product which is now actively aiming to upload my data. The incessant nagging to login is an irritant too.

I hope the next release provides reassurances around privacy/opt-outs - it’ll be a shame to go back to pre-glasswire options, but a privacy tool uploading data without permission is a hard red line for me.

5 Likes

@Jar_Jar Thanks for your thorough legal analysis. Despite you being “pretty sure” of the contrary, we are indeed fully compliant with GDPR. User permissioning is granted at account creation and we don’t enable any cloud based features without such permissioning. That is the reason why account creation is currently mandatory for any new user. Existing users can avoid sharing any data, even on V3, by not creating an account and using their existing license keys. As far as security goes, our larger business is SOC2 type I and type II compliant which is no small feat because of its stringent requirements. And we are in fact periodically audited by external security experts to maintain such certification. Having said all this, this is pretty much a pointless conversation and a waste of a forum post. As already indicated numerous times, we are releasing before then end of the week an updated version which grants all users with an account more controls over the cloud features they wish to use rather than the current all or none approach. We are going further than that in a second version scheduled to come out in January, where we will make account creation (and the related usage of cloud based features) entirely optional to all users, not just paid ones.

1 Like

Hello GW Team, Att Katie_GlassWire - domenico

After reviewing some of the changes from GW Version 2 to Version 3 here are some of my worrying concerns with some red flags from this security application.

First version 3.0.474 was nagging us to sign up for an account.
Then came along Version 3.0.476 No nagging on first install but now the only option is to sign-up for an account which some do not want or need. This is a forced option (Not Happy) or yes, one can enter the old legacy license key to by-pass that.

I can say I am not keen at all on the data telemetry collected. With an online account and logged in, it collects your computer name, how long you are signed into your computer, IP addresses etc. … screenshots below. All this when you might only want to use the free version and not sign up for an account.

Endpoints PC Name & Uptime

If you are a paid user and the features again gathering this data collection. “GW score” There would be some back end server with all this data harvested from GW user’s apps etc. I know it is an option but as a security app that is a worry for me, with a red flag waving.

As you can see, I am not the only one, and other users have mentioned some of this. Going forward it might be good to rethink some of the changes that have been implemented. For me by far version 2 is the choice and with a much safer option.

Maybe you could run a poll in the forum asking users what they might want or not, or like to have in this software.

Remember without users, GW will not exist.

This is some of my thoughts and more to come I would say.

Thank you GW Team, i know you are trying to improve this software.

Hi @GlassWare,

I’m not sure if you were able to read Domenicos latest post as it looks like you posted at the same time.

As confirmed in his post, we are in process of building a version with no account creation needed - so the same as v2.

We are also adding a feature which will allow users to opt out of any data processing. This will be release within the next few days.

Thanks,
Katie

4 Likes

Hi Katie_GlassWire

Thank you for the reply, I did not see Domenicos latest post.
There is a lot going on in these posts.
All i knew was, that when Version 3.0.476 was released after some of my concerns. I thought this is what we are now presented with.
I Will be looking forward to reviewing, and testing out the new releases that should address some of these issues.
Thank you…

1 Like

@domenico Your last post is incredibly confident regarding your compliance to regulation and whatnot, maybe even borderline arrogant. Fine, may it as it be, but the product development we’re currently experiencing from Glasswire is erratic at best. It feels like you’re trying to convert Glasswire into an EDR or at least some kind of “serious” enterprise-/business-ready security solution - which is, again, fine but probably not what most people signed up for.

If you intend to become a unicorn and be bought by some tech giants, again, seriously, fine. But changing the scope of the tool, including imposing cloud use on people, subscription policies, and account-creation to use the tool without being annoyed by it, seems like a less-then-well-thought-out idea. Or maybe some PowerPoint-decision made by committee.

Speaking for myself, after reading your data protection agreement, weighing the pros and cons of the changes in the software, and also experiencing the weird communication from the company (setting deadlines and then postponing them in other threats, borderline aggressive communication in posts, calling data privacy concerns “paranoia”, etc.) I have come to the conclusion that I’ll just throw away the rest of my elite subscription and be done.

I have no idea what kind of enterprise, security, and software architecture you’re applying or how you intend to run the business, but I’d definitely recommend setting up some communication and community guidelines - in 2022 there is enough evidence out there that firing at your community might not be as rewarding as you expect it to be. Good luck, though.

2 Likes

Hi Katie_GlassWire

Just asking after your comment 10 days ago, and now Version 3.0.482
is out, but still wants an account created on a new install, unless you have a license code.

" we are in process of building a version with no account creation needed - so the same as v2."
I guess this is not the version you are talking about?
Thank you…

Hi @GlassWare,

We released version 3.0.482 which has the new “Permissions” feature. This allows users to enable/disable data processing.

Removing the mandatory log in is still in process.

Best,
Katie

There is a separate post reporting that even with data processing disabled (permission not given) the new version is “phoning home” with outgoing connections.

Trust is a very important attribute for a security product. Hard won and easily lost.

What do these connections look like? I am still on v2.3.449 for the time being

image

Here is how it looks for me (host detection is bad here, can be either activate. or update.), happens maybe a couple times per day.

The software is checking in periodically to see if any updates are available and, in V3, to check the validity of your license. Since Version 3.0.482, no data is being sent out if you disable the data permissioning options in the settings page.

1 Like

I’m on version 3.1.484. I am not logged in at all, and under SettingsAccountsPermissions, nothing is checked (App Info and Traffic Counters). Yet, I am still getting frequent and periodic connections to api-eu-north-1.protect.glasswire.com . I’m too lazy to mitm myself and see what HTTPS info is being sent, but I would recommend everyone adding this to their host file. There are definitely more servers though. I have also added a recursive entry to my router to block all subdomains for protect.glasswire.com

2 Likes

So, some interesting stuff. I got bored and decided to mitm myself, installing a certificate and proxying all data so I can inspect HTTPS traffic. What’s weird is that I am seeing DNS requests to api-eu-north-1.protect.glasswire.com on my router, but I am not seeing it in my dump. As you can see from my DNS logs on my router, here are the top 3 requested domains (I cleared the logs to find this traffic easier)

adgd

But when we look at the proxy logs, all but the traffic to api-eu-north-1.protect.glasswire.com show up

The only explanation I have is it is bypassing the local proxy. Traffic is clearly egressing as indicated by the DNS logs. I’ve ran the proxy for over 30min, and I’ve seen all kinds of other system HTTPS requests such as Bitwarden, MS Updates etc. but this is escaping it.

It would be nice to have someone on the Glasswire team explain this, or detail what exactly is being sent via this API. For now, I am going to downgrade.

2 Likes

I was finally able to decrypt the packets to api-eu-north-1.protect.glasswire.com by setting an environment variable on my workstation to dump the TLS keys on my desktop and use Wireshark to decrypt in real time. It’s just a heartbeat. It doesn’t look like much info is being sent, I am curious as to why there is a device ID and what they’re doing with that. I would rather not have anything sent outside my network. It is also interesting that the type is ACTIVITY. I’ve tried to click around/modify settings to see if I could trigger this heartbeat but I can’t, so I’m not sure if this is sent at a set interval (looks to be sent at exactly every 5 minutes, look at the timestamps in the last 2 photos). I’m still unsure why I couldn’t see it when I mitm’d myself, but regardless I’m downgrading :slight_smile:


It says I cannot make 3 posts in a row, so I am editing this one.




Ok last update, sorry, I’m really bored :smiley:

While I’m here I decided to make a Glasswire account (Nick @ Glasswire, if you’re reading this our paths will unfortunately cross once more :stuck_out_tongue: ) and check out what’s being sent/received. I’m pretty tired so I’ll summarize here and post screenshots of the captures below.

TLDR: It’s very possible and extremely likely (according to the privacy statement) that device hardware is being collected and sent out. Whatever they’re collecting (I’m assuming application names, traffic in/out and whatever else) is being sent to them as a gzip. Application names, popularity, traffic in/out are being downloaded, and the application names are encoded somehow (not base64, ran through CyberChef and couldn’t figure it out. Probably double encoded or salted.) Also, there was an interesting request to update.glasswire.com to /ads/ which appears they may roll out ads in the future.

HTTP Posts
/auth/realms/glasswire/protocol/openid-connect/token
Appears to just authenticate or keep your Glasswire account logged in. Includes an access token, expiration time, refresh time and session state.

/api/v1.1/agent/detect/batch
This looks like it’s just downloading the statistical values populated for each app, such as popularity, average traffic in/out etc.

/api/v1.1/agent/detect/upload
I’m guessing this is collecting your application names, average traffic in/out etc. It’s encoded/uploaded as a gzip.

GET request
/api/v1.1/agent/update/check
Just checks for updates, value is either 1 or 0 for yes and no.

/ads/
What’s interesting here is a GET request to update.glasswire.com to /ads/. The values are empty, but it looks like they may possibly roll out a (free?) version to include ads in the future. If you’ve read the above responses from the Glasswire staff, you’ll see that you cannot opt out in the free version for data transmission, so this may be one way to monetize free users. This is likely a huge reason for migrating to the cloud. I guess we will see. :slight_smile:

If you INSIST on using this or future versions of Glasswire, I recommend blocking the following in your hosts file and/or router.

api-eu-north-1.protect.glasswire.com
api-us-east-2.protect.glasswire.com
pivot.protect.glasswire.com

Ok I guess I’m not done. C:\ProgramData\GlassWire\service-full\stats has lots of files that provide clues as to what’s being collected. I ran sysinternal strings on some of the files, here are the SQL tables being created. It looks like info is being collected at the 1 second, 30 second and 10min intervals.

indextraffic_stats_protocol_idxtraffic_stats
CREATE INDEX traffic_stats_protocol_idx ON traffic_stats (protocol)t
indextraffic_stats_rport_idxtraffic_stats
CREATE INDEX traffic_stats_rport_idx ON traffic_stats (remote_port)t
indextraffic_stats_rhost_idxtraffic_stats
CREATE INDEX traffic_stats_rhost_idx ON traffic_stats (remote_host)k
indextraffic_stats_app_idxtraffic_stats
CREATE INDEX traffic_stats_app_idx ON traffic_stats (app_id)z
indextraffic_stats_timestamp_idxtraffic_stats
CREATE INDEX traffic_stats_timestamp_idx ON traffic_stats (timestamp)
)tabletraffic_statstraffic_stats
CREATE TABLE traffic_stats (timestamp INTEGER, app_id INTEGER, remote_host BLOB, remote_port INTEGER, remote_host_region BLOB, protocol INTEGER, flags INTEGER, inbound_bytes INTEGER, outbound_bytes INTEGER)


There is also an interesting folder, located at C:\ProgramData\GlassWire\service-full\cloud. Here’s the notable info in the database

tableoptionsoptions
CREATE TABLE options (name TEXT PRIMARY KEY, value BLOB)-
indexsqlite_autoindex_options_1options
qindexflux_cache_app_idxflux_cache
CREATE INDEX flux_cache_app_idx ON flux_cache(app)m
indexflux_cache_timestamp_idxflux_cache
CREATE INDEX flux_cache_timestamp_idx ON flux_cache(timestamp){
Atableflux_cacheflux_cache
CREATE TABLE flux_cache (flow BLOB PRIMARY KEY, timestamp INTEGER, app INTEGER, flux BLOB)3
indexsqlite_autoindex_flux_cache_1flux_cache
tabletraffic_stats_1sectraffic_stats_1sec
CREATE TABLE traffic_stats_1sec (timestamp INTEGER, data BLOB)
q%%
tabledetect_statsdetect_stats
CREATE TABLE detect_stats (app INTEGER PRIMARY KEY, data BLOB)
q11
tabc
tabledetect_statsdetect_stats
CREATE TABLE detect_stats (app INTEGER PRIMARY KEY, data BLOB)


1111112222222

6 Likes

Excellent sleuthing @april2 you deserve a cookie. :+1:

I wonder if this stealth monitoring is finally gone from v3.2