Windows 10: Privacy nightmare #
July 29 - the big Windows 10 release day. Rather than trying an unreliable workaround that was making the rounds, I followed RiotShielder's advice and downloaded an ISO from Microsoft, installing over a Windows 8.1 virtual machine (because you must upgrade your existing Windows OS to get a valid Windows 10 key before doing a clean install (recover the key with Nir's ProduKey)).
When installation completes, be sure to click the tiny "Customize" link on the "Get going fast" screen; you may (not) be surprised at how invasive Microsoft has become. Here's a taste (these are all enabled by default):
- "Personalize your speech, typing, and inking input by sending contacts and calendar details, along with other associated input data to Microsoft."
- "Send typing and inking data to Microsoft to improve the recognition and suggestion platform."
- "Use page prediction to improve reading, speed up browsing, and make your overall experience better in Windows browsers. Your browsing data will be sent to Microsoft."
- "Automatically connect to suggested open hotspots. Not all networks are secure."
- "Automatically connect to networks shared by your contacts."
- "Send error and diagnostic information to Microsoft." (The toggle switch to enable or disable was hidden below the screen; a near-invisible scroll bar was required to view it.)
Number five apparently refers to Wi-Fi (Non)Sense, which Claus covered in some detail.
Much more about the mounting privacy problems in Windows 10 from Heini Järvinen:
By default, when signing into Windows with a Microsoft account, Windows syncs some of your settings and data with Microsoft servers, for example "web browser history, favorites, and websites you have open" as well as "saved app, website, mobile hotspot, and Wi-Fi network names and passwords". Users can however deactivate this transfer to the Microsoft servers by changing their settings.
More problematic from a data protection perspective is however the fact that Windows generates a unique advertising ID for each user on a device. This advertising ID can be used by third parties, such as app developers and advertising networks for profiling purposes.
Also, when device encryption is on, Windows automatically encrypts the drive Windows is installed on and generates a recovery key. The BitLocker recovery key for the user’s device is automatically backed up online in the Microsoft OneDrive account.
Microsoft’s updated terms also state that they collect basic information "from you and your devices, including for example "app use data for apps that run on Windows" and "data about the networks you connect to."
Users who chose to enable Microsoft’s personal assistant software "Cortana" have to live with the following invasion to their privacy: "To enable Cortana to provide personalized experiences and relevant suggestions, Microsoft collects and uses various types of data, such as your device location, data from your calendar, the apps you use, data from your emails and text messages, who you call, your contacts and how often you interact with them on your device. Cortana also learns about you by collecting data about how you use your device and other Microsoft services, such as your music, alarm settings, whether the lock screen is on, what you view and purchase, your browse and Bing search history, and more." But this is not all, as this piece of software also analyses undefined "speech data": "we collect your voice input, as well your name and nickname, your recent calendar events and the names of the people in your appointments, and information about your contacts including names and nicknames."
"We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to", for example, "protect their customers" or "enforce the terms governing the use of the services".
At the very least, be sure to create a local account and customize the privacy settings after installation. Better yet, migrate to a truly free operating system; Richard Stallman was right all along.
/windows | Jul 29, 2015
"What else do _you_ do?" #
ZAPHOD BEEBLEBROX: . . . [W]hat's your name?
MAN: I don't know. Why, do you think I ought to have one? It seems odd to give a bundle of vague sensory perceptions a name.
ZARNIWOOP: Listen. We must ask you some questions.
. . .
ZARNIWOOP: How long have you been ruling the Universe?
MAN: Ah, this is a question about the past is it?
MAN: How can I tell that the past isn't a fiction designed to account for the discrepancy between my immediate physical sensations and my state of mind?
ZARNIWOOP: Do you answer all questions like this?
MAN: I say what it occurs to me to say when I think I hear people say things. More I cannot say.
. . .
ZARNIWOOP: People come to you, yes?
MAN: I think so.
ZARNIWOOP: And they ask you to take decisions—about wars, about economies, about people, about everything going on out there in the Universe?
MAN: I only decide about my Universe. My Universe is what happens to my eyes and ears. Anything else is surmise and hearsay. For all I know, these people may not exist. You may not exist. I say what it occurs to me to say.
ZARNIWOOP: But don't you see? What you decide affects the fate of millions of people.
MAN: I don't know them, I've never met them. They only exist in words I think I hear.
. . .
MAN: But it's folly to say you know what is happening to other people. Only they know. If they exist.
ZARNIWOOP: Do you think they do?
MAN: I have no opinion. How can I have?
. . .
ZARNIWOOP: But don't you see that people live or die on your word?
MAN: It's nothing to do with me, I am not involved with people. The Lord knows I am not a cruel man.
ZARNIWOOP: Ah! You say... the Lord! So, you believe in...
MAN: My cat. I call him the Lord. I am kind to him.
ZARNIWOOP: All right. How do you know he exists? How do you know he knows you to be kind, or enjoys what you think of as your kindness?
MAN: I don't. I have no idea. It merely pleases me to behave in a certain way to what appears to be a cat. What else do you do? . . .
From Douglas Adams' The Hitchhiker's Guide to the Galaxy: Secondary Phase (Original BBC Radio Series). See also The Original Hitchhiker Radio Scripts: 10th Anniversary Edition and The Hitchhiker's Guide To The Galaxy: The Complete Radio Series.
/misc | Jul 19, 2015
Download Flash videos #
(including those embedded in JW Player) with the Grab Any Media extension for Google Chrome. Installation and usage instructions. Piracy PSA.
/misc | Jul 17, 2015
Air travel essentials for long flights #
| Item | Purpose | Rating | Notes |
|---|---|---|---|
| 20i Acoustic Noise Cancelling Headphones | Avoid noise fatigue | +++++ | Next to water, the single most important in-flight item in my opinion. |
| Flight Spray | Avoid dry nose | ++++ | Much more effective than the damp washcloth I used formerly. |
| No-Jet-Lag | "For the relief of tiredness and jet lag associated with flying" | ? | Despite taking as directed, not really sure if this had any effect, though there are plenty of positive reviews on Amazon. |
| Source Naturals NADH 20mg | "Helps relieve drowsiness and restores alertness and energy" | ++++ | Definitely seemed to help keep me awake when needed. |
| Herbatonin 3mg Plant Melatonin | "Helps support normal sleep patterns when disrupted by travel and changing time zones" | ++++ | Definitely seemed to help get me to sleep when needed. |
| Vitalsox Graduated Compression Socks | Possibly help prevent Deep Vein Thrombosis and Pulmonary Embolism | ? | Did not really feel any difference, but also did not develop DVT (not that I ever have). |
| Memory Foam Neck Pillow | Doze in relative comfort | - | Despite hours of research (and a slew of positive reviews on Amazon), this did not work for me at all - gave away after landing. The vast majority of reviews are overwhelmingly positive, however. |
| Water | Avoid dehydration (and in-flight meals) | +++++ | A must. |
/misc | Jun 26, 2015
Time to replace traditional password managers like KeePass, 1Password, LastPass, et al.? #
"Master Password is a stateless password generator. It doesn't store, collect or transmit any secrets. It makes them ubiquitously available, on-demand, depends on nothing but your private master password, and is fully open source.
How Does It Work?
The user is expected to remember the following information:
- Their full name (eg. Robert Lee Mitchell):
This is a salt for the master key generation.
- Their personal master password (eg. pink fluffy door frame):
This is the secret for the master key generation.
- The site name (eg. apple.com):
The user chooses a name for each site. The bare domain name is an ideal choice.
- The site's password counter (default: 0):
This is an integer that can be incremented when the user needs a new password for the site.
- The site's password type (default: Long Password):
This type determines the format of the output password. It can be changed if the site's password policy does not accept passwords of this format.
In practice, the secret master password is the only extra thing users will actually need to remember. Their full name, they'll hopefully remember regardless. If the site is always named after the bare domain name, it needn't explicitly be remembered but can be found in the browser's address bar. The counter and type need only be remembered if they are changed from their default values."
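The derivation described above, sketched as an added example; it is not the Master Password project's code or its published algorithm. The choice of scrypt and HMAC-SHA256, the `SCOPE` tag, the character classes and the templates are all assumptions made for illustration.

```python
import hashlib
import hmac

SCOPE = b"example.stateless-password.v1"  # hypothetical domain-separation tag

# Constructed character classes and output templates (one letter per position).
CLASSES = {"u": "ABCDEFGHJKLMNPQRSTUVWXYZ", "l": "abcdefghijkmnopqrstuvwxyz",
           "d": "0123456789", "s": "!@#$%^&*-_+="}
TEMPLATES = {"long": "ullldsulllldsl", "pin": "dddd"}


def _field(value: str) -> bytes:
    """Length-prefix a field so ("ab", "c") and ("a", "bc") never collide."""
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw


def master_key(full_name: str, master_password: str) -> bytes:
    """Slow, memory-hard step: the full name is the salt, the password the secret."""
    return hashlib.scrypt(master_password.encode("utf-8"),
                          salt=SCOPE + _field(full_name),
                          n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=64)


def site_password(key: bytes, site: str, counter: int = 0, kind: str = "long") -> str:
    """Fast per-site step: HMAC over site name, counter and type, then map to text."""
    msg = SCOPE + _field(site) + counter.to_bytes(4, "big") + _field(kind)
    seed = hmac.new(key, msg, hashlib.sha256).digest()
    chars = []
    for i, cls in enumerate(TEMPLATES[kind]):
        alphabet = CLASSES[cls]
        # Two seed bytes per position keep the modulo bias negligible.
        n = int.from_bytes(seed[2 * i:2 * i + 2], "big")
        chars.append(alphabet[n % len(alphabet)])
    return "".join(chars)


if __name__ == "__main__":
    key = master_key("Robert Lee Mitchell", "pink fluffy door frame")
    for counter in (0, 1):
        print("apple.com", counter, site_password(key, "apple.com", counter))
    print("apple.com pin", site_password(key, "apple.com", kind="pin"))
```

Every output is a pure function of the five inputs, so nothing needs to be stored or synced, and changing the master password changes every site password at once.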
- GitHub project page
- The Master Password Algorithm
- Discussion board
- Platforms include iOS, Android, OS X, Java, *nix (terminal app written in C), and web (beta)
- Discussions on Hacker News and reddit, including potential pitfalls and important considerations
- Some similar projects:
  - Cassidy "is an open source password manager that doesn't store passwords."
  - hash0 is a "synchronizable PBKDF2 based password generator."
  - hashapass "automatically generates strong passwords from a master password and a parameter."
  - One Shall Pass "is a browser-side service for calculating strong, site-specific passwords. It is open source. In contrast to other password services, 1SP does not save your passwords or universal passphrase anywhere."
  - PasswordMaker "is a small, lightweight, free, open-source tool for Internet Explorer, Firefox, Google Chrome, iPhone, Opera, PHP, Windows, OS X, Linux, Flock, Yahoo! Widgets, Android, Python, and many other platforms & systems. It creates unique, secure passwords that are very easy for you to retrieve but no one else. Nothing is stored anywhere, anytime, so there's nothing to be hacked, lost, or stolen. PasswordMaker has been around since about 2003 and so is a mature, stable, popular solution."
  - PwdHash "generates theft-resistant passwords."
  - SuperGenPass "uses a hash algorithm to transform a master password into unique, complex passwords for the Web sites you visit."
/misc | Jun 26, 2015
Cross-platform, ad hoc, recursive file transfer via HTTP #
Recursively copy desired_dir located on server to current directory on client without having to fool around with usernames, passwords, config files, FTP, NetBIOS, Bonjour, etc:
On server: cd desired_dir && python -m SimpleHTTPServer
On client: wget -r -np http://server_ip_address:8000/
- SimpleHTTPServer's default listening port is 8000. Change by specifying desired port, e.g., python -m SimpleHTTPServer 8192
- Python 3 syntax: python -m http.server [<portNo>]
- A few interesting wget options:
  - -r = recursive
  - -np = don't ascend to the parent directory
  - -nd = don't create directories (i.e., merge / flatten directories into one. WARNING: filename collisions are not handled; files with the same names will be overwritten)
  - -A doc,pdf = accept only files with the extensions doc or pdf
  - -R doc,pdf = reject / ignore doc and pdf files
- While both tools are preinstalled in most Linux distributions, Windows users will need to grab wget and/or Python first. OS X includes Python, but not wget; here's a binary I compiled of the latest version. Compile your own or install via Homebrew or MacPorts.
- Under Windows, the Python executable is installed to C:\Python27\ by default. Add this directory to your PATH variable if desired to make it easier to call: setx path "%path%;C:\Python27" (setx truncates values longer than 1024 characters, so check the length of your PATH first).
- A tiny, stand-alone web server like MiniWeb or HFS (HTTP File Server) will be faster and easier for Windows users who do not have Python installed already. And, though it's not tiny, OS X users may want to check out the beautiful and simple Fenix Web Server ("Finally, a simple static desktop web server. Because simple stuff shouldn't need Apache, IIS, or nginx."). Fenix review.
- Two wget alternatives for Windows:
  - Ipswitch WS_FTP LE ("Transfer files over FTP, SSL, SSH, and HTTP/S transfer protocols") Copies recursively, but flattens directories without handling filename collisions.
  - HttpCopy ("A command line utility that lets you copy a web file or web page to a local file") Appears to only copy individual files.
- Netcat (and the newer, more powerful Ncat) can also be used for ad hoc file transfers across the network, but it does not handle directories on its own.
- Thanks to this anonymous poster.
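The one-liner above listens on every interface and hands the directory to anyone who can reach the port. As an added example (not from the original post, Python 3.7+), the same standard-library server can be bound to a single address and limited to known client networks; `AllowlistHandler`, `make_server` and `status_for` are hypothetical names, and the sample file and networks are constructed.

```python
import functools
import http.client
import http.server
import ipaddress
import pathlib
import tempfile
import threading

class AllowlistHandler(http.server.SimpleHTTPRequestHandler):
    """Serve files only to clients inside the permitted networks."""
    allowed = ()

    def _permitted(self) -> bool:
        peer = ipaddress.ip_address(self.client_address[0])
        if any(peer in net for net in self.allowed):
            return True
        self.send_error(403, "client not in allowlist")
        return False

    def do_GET(self):
        if self._permitted():
            super().do_GET()

    def do_HEAD(self):
        if self._permitted():
            super().do_HEAD()

def make_server(directory, bind_addr, port, allowed_cidrs):
    """Bind to one address (not 0.0.0.0) and attach the client allowlist."""
    nets = tuple(ipaddress.ip_network(c) for c in allowed_cidrs)
    cls = type("Handler", (AllowlistHandler,), {"allowed": nets})
    handler = functools.partial(cls, directory=str(directory))
    return http.server.ThreadingHTTPServer((bind_addr, port), handler)

def status_for(allowed_cidrs) -> int:
    """Start a loopback server over a constructed file and return the GET status."""
    with tempfile.TemporaryDirectory() as d:
        (pathlib.Path(d) / "report.txt").write_text("constructed sample\n")
        srv = make_server(d, "127.0.0.1", 0, allowed_cidrs)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            conn = http.client.HTTPConnection(*srv.server_address, timeout=5)
            conn.request("GET", "/report.txt")
            resp = conn.getresponse()
            resp.read()
            conn.close()
            return resp.status
        finally:
            srv.shutdown()
            srv.server_close()

if __name__ == "__main__":
    print(status_for(["127.0.0.0/8"]), status_for(["192.0.2.0/24"]))
```

For a real transfer, pass the server's LAN address as `bind_addr` and the client's address as a /32 in `allowed_cidrs`; the traffic is still unencrypted HTTP.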
/nix | Jun 21, 2015
Ramana Maharshi on thought #
- "The degree of freedom from unwanted thoughts and the degree of concentration on a single thought are the measures to gauge spiritual progress."
- "You need not aspire for or get any new state. Get rid of your present thoughts, that is all."
- "The method is summed up in the words 'Be still' ... All that is required to realize the Self is to be still. What can be easier than that?"
/misc | May 10, 2015
The Oracle of God #
Yet still there whispers the small voice within,
Heard through Gain's silence, and o'er Glory's din:
Whatever creed be taught, or land be trod,
Man's conscience is the oracle of God.
(via Gentle World)
/misc | Apr 08, 2015
iPhone: Resize photos before texting via Messages #
While the Mail app in iOS offers to resize photos before sending (Small, Medium, Large, Actual Size), the Messages app does not; in fact, there is no built-in method for resizing photos before texting them, resulting in unnecessarily large files being sent. Even the popular photo editor Snapseed does not offer a resize option. Searching the App Store was (as usual) an exercise in futility, but a too-lengthy (i.e., over 30 second) Google search turned up the aptly-named Resize Image, which makes resizing photos and then texting them (or posting to Twitter, Facebook, Instagram) a breeze.
/mac | Apr 01, 2015
"Restore Failure #
Could not validate source - Operation not supported" kept appearing in Disk Utility as I tried unsuccessfully to restore a bootable USB flash drive image to a new USB flash drive. The asr workaround did not work either, returning Source volume format on device "/dev/disk3" is not valid for restoring. Could not validate source - error 254.
By happy chance, I stumbled onto Max's answer which credited drgeoff's reply, which linked to PureDarwin's Disk images page. The secret was to convert the image format to raw before writing with dd (attempting to restore even the converted image via Disk Utility returned the same "Restore Failure" error above).
Here is the process I used to back up my DiskWarrior bootable USB flash drive and restore it to a new flash drive:
- Insert USB flash drive to be imaged
- Open Disk Utility
- Click root of USB flash drive
- Click "New Image"
- Select desired Image Format (tested restore of "read-only" and "compressed (bzip2)" images successfully)
- Save image to desired location
- $ hdiutil convert /path/to/image_created_above.dmg -format UDTO -o new_image.img
- Remove the .cdr extension that hdiutil automatically appended to new_image.img
- Run Disk Arbitrator and set to "Block Mounts"
- Plug in new USB flash drive (WARNING: all contents will be erased) and note the assigned device name in Disk Arbitrator's Disks Window (e.g., diskx)
- $ sudo dd if=/path/to/new_image.img of=/dev/rdiskx bs=8192
(Pipe through pv or use a dd alternative like dcfldd to easily track progress.)
In retrospect, it might've been better to avoid Disk Utility altogether and simply use dd to create the image:
$ sudo dd if=/dev/rdiskx | bzip2 -9f > usb_image.bz2
obviating the need to convert with hdiutil before restoring:
$ bzip2 -dc usb_image.bz2 | sudo dd of=/dev/rdiskx
UPDATE: It appears that dd/bzip2 creates a more faithful image than Disk Utility's compressed (bzip2) format does:
- The image created using dd and bzip2 was 810.7MB vs. 626.6MB for the compressed (bzip2) image created by Disk Utility.
- The MD5 checksum of the USB flash drive differed based on which image file was restored to it, so the difference in file sizes was not merely some difference in the compression algorithm (which should have been the same anyway).
- When the dd-created image was restored and the USB flash drive plugged in, it mimicked the original DiskWarrior flash drive's behavior (only the /Volumes/DW Finder window automatically opened).
- When the Disk Utility-created image was restored and the USB flash drive plugged in, Finder windows automatically opened for both /Volumes/DW and /Volumes/DiskWarrior Recovery (unlike the original DiskWarrior flash drive).
For Disk Utility to achieve results similar to dd/bzip2, one would need to select "entire device" as the Image Format and then compress the image afterwards in Terminal: $ bzip2 -9c usb_image.dmg > compressed_usb_image.bz2. And, before restoring the image, it would need to first be converted with hdiutil as shown above. Back to dd for imaging disks!
/mac | Mar 19, 2015