Tuesday, November 25, 2014

NBC News Goes Down

Today I can no longer connect to nbcnews.com. Since NBC is owned by Microsoft, my theory is that their servers are running old versions of Windows Vista. For years I kept my home page set to MSN, until it became a platform to push Bing down everyone's throats. Then I switched to CNN, didn't like it and then finally switched to NBC News home page.

Looks like I need to keep looking for a browser home page:

Tuesday, November 18, 2014

SSL Certificates For The People

SSL encryption on the web has turned into an orgy of corporate influence and government interference. To enable the secure HTTPS protocol on your web site involves paying a small fortune to a "trusted" certificate "authority" for a certificate telling the world that you are who you say you are on the web.

Not only are they a scam that you have to pay into to have a secure web site, but all CA entities are trusted equally, even though some are shady as shit. Any CA can issue a certificate for any domain, and that certificate is automatically valid because it came from a "trusted" authority. Which means that _some_shady_CA can issue a trusted certificate for google.com and that certificate automatically becomes trusted by any browser surfing to it. There have been lots of documented incidents where hackers and repressive regimes use forged certificates from a shady CA to implement man-in-the-middle attacks against users who think they are browsing securely.

What's wrong with this picture: Large corporations given these CA contracts by politicians, with every web site on earth as a captive audience are responsible for creating trust on the web.

As broken as SSL is, currently it's the only game in town. Right now the two biggest problems:

1. Cost - Certificates are priced out of what small companies and individuals with web sites can afford to pay.

2. Trust - Most trusted certificate authorities don't seem that trustworthy, even though the entire system is based on their trust, which they sell for money.

Let's Encrypt

A new Certificate Authority has been created in conjunction with the EFF (Electronic Frontier Foundation) and a few other companies that give a flying fish about our privacy. It's a short list of good guys on the Internet, and the EFF is at the top of that list.

This site when it goes live will offer SSL certificates for free! A certificate I can afford from a CA that is actually trustworthy ... it doesn't sound right, but I'm exited that this may actually come to fruition.

Assuming it goes live, now small blogs and shops like me can offer the safety of encryption without borrowing money from relatives to afford being gouged for the certificates we need to have to make it happen.

Thursday, November 13, 2014

How To: Disable Video Autoplay on Google Chrome

As a guest, I wouldn't thinking of walking into someone's house and turning on their stereo. And maybe I'm a bad host, but it seems presumptuous for a web site to take it upon itself to make sounds on my speakers without my permission. I'm starting to think that these huge mega-corporations don't have very good manners. They certainly don't seemed concerned with users' bandwidth caps.

Today I finally got sick of videos I never intended to play stepping on my music or movies I watch on the computer, so I figured out how to turn this unsolicited video and sound off, but still be able to watch the video if that's what I intended.

Luckily, Google Chrome has a feature buried in its settings to restrict plugins from auto-playing media until you the user click on something.

Go into Chrome's settings screen and scroll down until you get to the Privacy section. You'll see a button labeled "Content settings." Press the button as shown below.

Then scroll down until you get to the Plug-ins section. It's probably set to "Run automatically" which makes all that crap start playing without your permission.

Change this selection to "Click to play" and click the "Done" button to save the setting.

That's it! It's buried in the settings pretty good, but it's worth the little bit of effort to find it. Now these sites won't hijack my speakers and waste my bandwidth. Some of these news sites will just start playing, sometimes after sitting there doing nothing for a period of time. The site will then start playing video until you tell it to stop, using up your device's power as well as bandwidth.

Tuesday, November 11, 2014

BolehVPN Is Awesome

After having less than positive experiences with several VPN providers, it dawned on me that I was using the Google machine wrong. What I needed to be searching for was highly rated VPN providers. Even then, the reviews are all over the map. Some of these review sites seem to have a financial interest in recommending a select few providers.

Even when the review sites look legit, they all seem to recommend a completely different set of providers. So it took me quite a while to find BolehVPN, and even then I was skeptical. It's very hard to filter through all the noise, at least for VPNs.

So I signed up for a month just to try it, and everything went smoothly. They have a well written control panel that gives you full access to your account, and all the different servers and services they offer--it's all right there.

After the month was up, I purchased a two month plan. But after I paid, the control panel still told me I was expired. Most of these sites seem geared towards recurring subscriptions, which I won't do until several months without a problem, which so far hasn't happened. The problem turned out to be that when you purchase "air time," then you have to go into their web site and press a button to activate the time you just bought.

It's not very intuitive at first, but after about a year with them, I get used to activating my time every time I pay. It's actually a neat feature because you can defer activation to a later date, so for example you could pay for a couple months, realize you have to be on a plane tomorrow, and just activate it when you get back.

The security seems well done, performance is good, the service is reliable, and so far, no billing shenanigans. More than one service has done funny business with the billing cycle. So on one service I even waited until the service actually expired so they couldn't shorten the billing, but then they demanded a late fee for restoring service, which is the story of how I ended up at BolehVPN.

With about a year of smooth operation, it's almost been a dull experience compared to the other providers I tried. A couple weeks ago it stopped connecting, so I went to their web site and discovered they changed the AES key strength, and all I needed to do was go to the control panel and click the update button.

Saturday, November 8, 2014

How Does A Router With NAT Protect My Computer?

A router uses something called NAT (network address translation) to share your public IP address (which you only get one of) with the numerous Internet-enabled devices that most people own these days. Letting many devices share a single IP address is not only convenient, but it gives you a nice bump in security.

Think of the router as a decoy for your network. The router takes all the malicious packets on itself and makes it harder to discover what the real targets are—your personal computer and other devices like phones, tablets, smart TVs, blue-ray players, etc. TCP/IP works because devices can connect directly to each other. But the router obscures the end point devices by making them non-directly-addressable. To attack something from the outside, you have to get through router’s NAT to connect directly to the computer you are trying to attack, which in practice almost never happens.

Most systems are compromised by tricking the target human into clicking on a malicious attachment or installing a malicious program thinking it’s harmless. If your system is compromised, it’s probably because the weak link was the human. This technique of tricking the humans into compromising their own systems is called ‘social engineering’ and even savvy people can fall for it. My wife even fell for a domain registration scammer trying to charge me $100 to have my domain submitted to Google, which no sysadmin on earth would fall for, but my wife almost just paid it.

The Weak Link is You

Social engineering could be anything from someone calling a company you do business with and impersonating you, to a phishing attack pretending to be your uncle Ned telling you about this great property for sale in Idaho. The same people who are suspicious of computers will tell you every password in the company if you convince them you are with the IT department and sound like you know your stuff.

So I think for security, some folks are thinking in the wrong directions. The biggest threat to your security is you. I don’t even trust attachments from my wife when I can walk downstairs and double check she sent me a link. The less sophisticated I think someone is, the less likely I am to open an attachment from that person. I have some relatives who only send me email or post to my Facebook wall when their computer is compromised and starts spamming everyone. The shady people I know usually have a better grasp on technology

Thursday, November 6, 2014

TorGuard Sucks

I used the TorGuard VPN service for a few months. They would send me a bill every week before it was expired. That's normal, and I usually pay bills when they come in. The problem was that they were subtracting time off my account every time I paid it early.

For example, let's say I paid it on 1/1/2103 and it was due to be renewed on 2/1/2013, which gives me a month of service. So far, so good. But then let's say they send me a bill on 1/21/2013 and I pay it on that day. Now they would show my account expiration date as 2/21/2013 and all of the sudden every time I pay a week early, I lose a week's worth of service. So in this example, I would then get a bill on 2/15/2013 telling me that my account expires on 2/21/2013 and asking me to pay a week early, and now after paying a week early two months in a row, I now get 45 days worth of service, and so on.

I'm pretty sure it's only one guy that runs this company, and if you search on sites like ripoffreport.com for this stinker of a company, you will see many rambling tirades against anyone who complains about the service. The owner is known for profanity-laden insults towards his customers.

UPDATE: Looks like I might have been the recipient of one of those insulting tirades!

I had opted out of all emails from TorGuard, but today I got an email from TorGuard support, telling me about this great new service they have. But I'm no longer a customer. In fact, I had to file a PayPal dispute to get my money back. TorGuard never responded to the PayPal dispute by the way.

So today I get an email from a company whose email I opted out of and who I had to go to PayPay to get a resolution with, using its support resolution email as a return address. Classy.

That isn't gonna happen, so naturally I replied with this:

I found it odd that the spam email they sent to me was from TorGuard support. I was no longer a customer! And true to form, they replied by opening a support ticket. At this point, all I had done was respond to spam from a company that I had a bad experience with and opted out of.

So now, with my trouble ticket generated, I waited to see what nuggets of wisdom would come from this company I had an awful experience with. And of course, they didn't disappoint!

I made a screen shot of the first comment in case the person tries to delete it after the fact. I don't know for sure it was the owner of TorGuard, as blogger.com does not give me the tools to do an IP trace (which is probably coming through a VPN anyway haha) and Google has been a good host for the blog so far. This reply is consistent with the owner's attitudes towards his customers from the stories I've read, and my own personal experience.

Also, what makes a supposedly random commentor say that my story is complete nonsense? PayPal understood what I was saying when I filed the dispute. I've been building back end commercial billing systems for decades, I've seen a couple of these companies parlay billing issues with their system into greater profits. Like "oops, we'll look into that" *wink* *wink* Math isn't that hard. Seems like a pretty simple example I made of paying for 30 days and then seeing my expiration date continually giving me less and less service. When doing date calculations for billing systems, there are 3 dates a programmer cares about: Effective Date, Expiration Date and As Of date

A happy, amused and clearly angry bigot! That's quite an emotional range there, and this also marks another milestone as a blogger: my first truly bigoted comment.

Wednesday, November 5, 2014

Cropping An Animated GIF With Adobe Photoshop CS6

For animated GIFs, I've always used an online GIF maker. These online tools tend to be extremely simple and easy to use, so most of the time I will use these simple tools to manipulate animated GIFs instead of Photoshop, which seems to require a level of complexity for even simple tasks.

This time the issue was that I needed to crop an animated GIF because it was showing a prescription bottle in the background with highly personal information on it. And it dawned on me that I didn't know how to crop a GIF that had already been animated with multiple frames. A couple times I've cropped the frames separately but that's a huge hassle, and I figured there had to be a better way.

It drove me crazy figuring this out, and here's what I did:

1. When you open an animated GIF, Photoshop CS6 shows you all the layers on the side, but you only need to crop just one layer--whatever layer it happens to land you on is fine. When you go to Image -> Crop then it will crop all layers. Originally I had done Select -> All Layers but that turned out to be unnecessary, and I went back and tested it again. So all you need to do is crop one of the layers, and you will see all the layers on the side bar change size.

2. Now go to File -> Save for Web and you will get a window giving you access to all the settings for the GIF you're about to save. Then press the OK button, choose a file name and you're all set.

That's it!

Saturday, November 1, 2014

How Safe Are Your iCloud Photos?

I saw an article of the same name today but I didn't read it. With most of the mainstream medial spewing nothing but FUD (fear, uncertainty, doubt) these days, it's hard to separate the real uncertainty and doubt from what they play up to get more ad impressions and sell more clicks.

The answer is that your photos are as safe as a company like Apple can make them and still be able to hand them over to anyone with an official looking piece of paper, which is a long list. These are the so-called "back-doors" which can be and are used by Apple whenever it so desires. Many people agree with this process, as more often than not, that data is compromised to catch the bad guys.

My only problem with the equivalent of giving the banks keys to my house is that I understand completely that the bank doesn't give a single shit about me, and it would be in its best interest to have the keys to my house, where it wouldn't really be in my best interest at all. I doubt anyone these days is naive enough to think that a company like Apple is doing anything but putting itself first when it has the keys to your data.

Also, a back door is essentially a weakening of your encryption and goes against the whole paradigm of encryption in the first place, which is to guarantee that the owner, and only the owner can get to the data. Every key to your house (and your data) is one more key that can fall into the wrong hands. Every intentional weakness put in to help the good guys can just as easily be exploited by the bad guys. That's what a weakness is. And making any weakness intentional is incompatible with the whole concept of encryption.

So the ultimate answer to how safe your data is, goes something like this: Your photos and other data are not safe in the cloud. Or put another way: your data is about as safe as Apple is caring. Unless you are encrypting the data yourself outside of and completely separated from the cloud (which you probably aren't) and doing it correctly (which is doubtful,) then it's best to just assume that anybody who wants your data already has it. This is the grim reality of privacy today.

In fact, that's what's truly protecting your data. Programmers call this "security through obscurity" and it's the only thing keeping your data safe most of the time: the fact that probably nobody wants it. Nobody has hacked my photos and plastered them on the web. But just for the record, my left side is the good side.

Of course you could always encrypt all your important data like photos yourself, and that way anything in the cloud with your name on it is already encrypted by you personally with only one key. That way anyone who is able to strip Apple's encryption from your data is going to run face first into your encryption, but where would be the fun in that...