Sunday, April 23, 2017

Punycode

Wordfence is a security service for WordPress sites. I heard Leo Laporte talk about a recent post Wordfence had demonstrating a potential phishing technique.

To demonstrate this, Wordfence created a web site using a technique known as Punycode to encode the URL.

Here is a link to their demonstration site. Look closely at the address bar when you get there.

     https://www.ерiс.com/

Here is a link to the real site. Look closely at the address bar when you get there.

     https://www.epic.com

Can you tell the difference?

So you think you're a real geek and you always right click on a link and select "Copy link address" and then paste it into Notepad to see what the link REALLY links to. Knock yourself out. Try it.

Now is a good time to start worrying.

The only way to discern the difference in the URL is to actually browse to the demonstration site. Then highlight the URL and copy it. Now paste it into Notepad.

     https://www.xn--e1awd7f.com

That "xn--" is the Punycode.
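To show what that "xn--" form actually is, and how a mail gateway or proxy could flag such a link before a person has to squint at the address bar, here is an added Python example. It is not code from Wordfence's post or from this blog; it uses Python's built-in idna and punycode codecs, and the Cyrillic lookalike table is a constructed, deliberately partial list (the analyse function and its output keys are my own naming).

```python
import unicodedata
from urllib.parse import urlsplit

# Cyrillic lowercase letters whose glyphs are near-identical to Latin letters
# in common fonts. Constructed, partial table for this example; a real checker
# would use the Unicode consortium's confusables data instead.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u04bb": "h", "\u0501": "d",
}


def host_of(url):
    """Hostname part of a URL, lowercased (urlsplit accepts Unicode hosts)."""
    return (urlsplit(url).hostname or "").lower()


def to_ascii(host):
    """Hostname as the browser sends it on the wire: IDNA form, xn-- labels."""
    return host.encode("idna").decode("ascii")


def to_unicode(host):
    """Inverse of to_ascii: decode any xn-- labels back to Unicode."""
    return host.encode("ascii").decode("idna")


def scripts_in(label):
    """Scripts used by the letters of one label, taken from the Unicode
    character names (e.g. 'CYRILLIC SMALL LETTER IE' -> 'CYRILLIC')."""
    scripts = set()
    for ch in label:
        if ch in "-." or ch.isdigit():
            continue  # script-neutral characters are allowed in any label
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(label):
    """Replace each Cyrillic lookalike with the Latin letter it imitates."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def analyse(url):
    """Report the wire form of a URL's host and whether it is a likely
    homograph of a Latin-script name."""
    host = host_of(url)
    unicode_host = to_unicode(to_ascii(host))  # canonical Unicode form
    ascii_host = to_ascii(unicode_host)
    findings = []
    for label in unicode_host.split("."):
        scripts = scripts_in(label)
        letters = [ch for ch in label if ch.isalpha()]
        if len(scripts) > 1:
            findings.append(f"{label!r}: mixed scripts {sorted(scripts)}")
        elif scripts == {"CYRILLIC"} and all(ch in CYRILLIC_LOOKALIKES for ch in letters):
            # Every letter is a Cyrillic lookalike: a whole-script confusable,
            # which a plain mixed-script check would never catch.
            findings.append(f"{label!r}: all-Cyrillic lookalike of {skeleton(label)!r}")
    return {
        "host": unicode_host,
        "wire_form": ascii_host,
        "is_idn": ascii_host != unicode_host,
        "lookalike_of": ".".join(skeleton(lbl) for lbl in unicode_host.split(".")),
        "findings": findings,
    }


if __name__ == "__main__":
    # The demonstration host from the post and the real one, side by side.
    for url in ("https://www.xn--e1awd7f.com/", "https://www.epic.com"):
        print(analyse(url))
```

The raw label encoding is what the "punycode" codec produces ("\u0435\u0440\u0456\u0441".encode("punycode") gives b"e1awd7f"); the "idna" codec adds the "xn--" prefix and leaves plain ASCII labels alone, which is why only the one label in the demonstration host changes. The whole-script branch is the interesting one: the demonstration name is not mixed-script at all, it is entirely Cyrillic, so a checker has to ask whether every letter has a Latin twin rather than whether the scripts are mixed.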

I hope you noticed that the demonstration site also showed the padlock in the address bar. You can thank Let's Encrypt for that.

There's a workaround in Wordfence's post for Firefox and reportedly a fix in version 59 of Chrome.

In the meantime, do you think this would fool your mother?



Sunday, April 16, 2017

Shadow Brokers

There have been several leaks of supposed NSA hacks recently. Generally they have been older vulnerabilities of minimal impact.

Microsoft responded with a blog post.
Our engineers have investigated the disclosed exploits, and most of the exploits are already patched.
However there's somewhat of a back story.

You'll remember that Microsoft mysteriously pulled their February updates with no explanation.

Then in March Microsoft fixed several flaws with no attribution. You have to back into this discovery by matching this with this.

This Engadget article speculates on how/why this happened. There's more speculation from Quartz here.

Whatever happened, the result is that Microsoft did a good job of protecting their current platforms from the 0-day vulnerabilities. The same can't be said for the NSA.

Sunday, April 09, 2017

iOS 10.3.Whatever

tl;dr Install iOS 10.3.1 now

On March 27, 2017 Apple released iOS 10.3 with little fanfare. Here are their release notes:
iOS 10.3
iOS 10.3 introduces new features including the ability to locate AirPods using Find my iPhone and more ways to use Siri with payment, ride booking and automaker apps.

Find My iPhone
  • View the current or last known location of your AirPods
  • Play a sound on one or both AirPods to help you find them

Siri
  • Support for paying and checking status of bills with payment apps
  • Support for scheduling with ride booking apps
  • Support for checking car fuel level, lock status, turning on lights and activating horn with automaker apps
  • Cricket sports scores and statistics for Indian Premier League and International Cricket Council

CarPlay
  • Shortcuts in the status bar for easy access to last used apps
  • Apple Music Now Playing screen gives access to Up Next and the currently playing song’s album
  • Daily curated playlists and new music categories in Apple Music

Other improvements and fixes
  • Rent once and watch your iTunes movies across your devices
  • New Settings unified view for your Apple ID account information, settings and devices
  • Hourly weather in Maps using 3D Touch on the displayed current temperature
  • Support for searching “parked car" in Maps
  • Calendar adds the ability to delete an unwanted invite and report it as junk
  • Home app support to trigger scenes using accessories with switches and buttons
  • Home app support for accessory battery level status
  • Podcasts support for 3D Touch and Today widget to access recently updated shows
  • Podcast shows or episodes are shareable to Messages with full playback support
  • Fixes an issue that could prevent Maps from displaying your current location after resetting Location & Privacy
  • VoiceOver stability improvements for Phone, Safari and Mail

Weren't we all waiting for improvements in "Cricket sports scores?"

Well, there were a few more things in iOS 10.3. Good things. Things worth talking about. Things worth shouting from the roof tops about. But Apple didn't mention them in the release notice.

MacRumors noted:
iOS 10.3 introduces a new Apple File System (APFS), which is installed when an iOS device is updated. APFS is optimized for flash/SSD storage and includes improved support for encryption. Other features include snapshots for freezing the state of a file system (better for backups), space sharing, and better space efficiency, all of which should result in a more stable platform. Customers updating to iOS 10.3 should first make a backup given that the update installs a new file system.
More on the storage savings from APFS later...

In a separate document from the release notice Apple casually mentioned a few security updates. Specifically it documents 89 CVEs (Common Vulnerabilities and Exposures).

You'd think Apple would tout that.

Maybe there was a reason they didn't though.

On April 3, 2017 Apple released iOS 10.3.1 with ONE security fix.
Wi-Fi
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A stack buffer overflow was addressed through improved input validation.
CVE-2017-6975: Gal Beniamini of Google Project Zero
Read that again. Especially this part:
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
This is NASTY. The Register has a good summary. This is a problem in Broadcom's Wi-Fi stack, which is used by iPhones after the iPhone 4, in newer iPods and iPads, and in some Android phones, including Google's Nexus 5, 6 and 6P and most Samsung flagship devices.

The good news is that Apple's ecosystem is able to respond very quickly to vulnerabilities such as this. The bad news is that Android can't.

On a related topic, the implementation of the new Apple File System (APFS) that comes with the installation of iOS 10.3.Whatever yields significant savings in storage.

On my 16GB iPad Air, my available storage increased more than 1GB. It took about half an hour to install.




Sunday, April 02, 2017

Setting TuneIn Favorites on Amazon Echo

I bought an Amazon Dot on Black Friday and have been playing with it. One capability I really like is to play radio stations on it. However it doesn't always choose the right radio station. Here's how to set TuneIn Favorites for your preferred radio stations.
You can add them as favorites within the TuneIn section of the Echo App or within the iHeart Radio section.  Both work the same way--so where it says "TuneIn" below, read "iHeart Radio" if that's the one you're working with. 
To do that, select TuneIn from the sidebar menu within the app.  Search for the station (I just searched for German radio and found Antenne Bayern, as well as a bunch of others.) It should switch to that and start playing. :D   You'll see the "play bar" at the bottom of the screen, below the list of search results.  Tap on the TuneIn or Station icon.  (Some stations have their own icon.) 
Now the station play bar will fill the right side of the app.  On the right side, you'll see "Queue" and "History" and the name of the current song underneath.
To the right of the song that's playing will be a little gray down arrow that is hard to see. Tap on that.  When you do, you should see the option "Favorite Station" in gray.  Tap on that.  It should turn red. 
*** 
Now, go to the Home Screen and tap on TuneIn again.  Scroll the right side of the app where it says Browse, Local radio, Trending, etc, to see the bottom of the list. 
Under Favorites, you should see your station and you can play them from there.  In the future, you'll only have to do the parts under the *** to play favorites.
https://www.kboards.com/index.php?topic=206521.0
While this is talking about a smart device app, I found that the web interface worked just the same.

Sunday, March 26, 2017

Nougat Explorer

I always wondered why Android didn't have a native file manager. Finally Android 7 Nougat has one. It's hidden deep in the Settings menu.



Thanks to gifmaker.me

Sunday, March 19, 2017

Android Backups in Google Drive

Update: This nice feature is now gone. Thanks Google.

Android has been taking device backups and sending them to the cloud for a while but it wasn't apparent where they were stored nor how long they were kept.

Google has updated Google Drive both on Android and the web to expose this information.

Here's how it looks on Android.


Tap on "Backups" and you'll see the list of devices backed up and when those backups will expire.


Keep on drilling down and you'll see which apps were included and when they last changed their data.



Sunday, March 12, 2017

Google Maps Traffic

How does Google Maps know about traffic? Here's what Business Insider reported.
Here's how it works: All iPhones that have Google Maps open and Android phones that have location services turned on send anonymous bits of data back to Google. This allows the company to analyze the total number of cars, and how fast they're going, on a road at any given time.
Even Google has blogged about it.
If you use Google Maps for mobile with GPS enabled on your phone, that's exactly what you can do. When you choose to enable Google Maps with My Location, your phone sends anonymous bits of data back to Google describing how fast you're moving. When we combine your speed with the speed of other phones on the road, across thousands of phones moving around a city at any given time, we can get a pretty good picture of live traffic conditions.
Don't believe everything you read on the Internet.

Google also uses traffic sensors.
Contracting with these transportation agencies to share the data generated by the sensors proved to be a mutually rewarding endeavor for both parties; Google was able to expand its traffic services while the transportation agencies were able to defray part of the sensors’ costs. 
But here's the creepy thing. At a lunch over the holidays, an executive in a Memphis-based logistics company told me how a Google executive had told him how Google gets location feeds from the cell carriers.

A little Google searching turned up more information.
So how does Google know what traffic is like on the roads, nearly all the time? From our smartphones, of course. Whether you like it or not, “telephone companies have always known where your phone is,” Dobson says, because cell phone companies need to use location to appropriately charge customers for calls. That means the companies are constantly monitoring location based on the strength of signal to a cell tower, which allows the phone to switch towers as it travels.
GpsPasSion reported in 2011.
Google now combines AirSage cell phone triangulations with their own gps probes. AirSage monitors both Sprint and Verizon phones totaling 150 million phones 
More recently Fossbytes reported.
Google also crowdsources location data from telecom companies. These telcos monitor user location data by a method called Trilateration, in which the distance of a user measured between two or three surrounding telecom towers is used to analyse the speed and location of the user.
Look at this detail from Google Maps. There's no way that they could get this much detail from a handful of users running Google Maps.


It takes a little reading between the lines to discern that the cell carriers are selling location data to Google but my source is impeccable.

Sunday, March 05, 2017

Cloudy Day

To some I'm sure that March 1st felt like April 1st. Really, that couldn't be happening? Amazon's S3 (Simple Storage Service) went down in their Eastern Region (Ok, it just had "high error rates").

But there are a couple of lessons to be learned from this.

First, it seems nobody is listening to me.

Cloud services aren't magical (even Apple's). They rumble. They go bump.

Don't abdicate your responsibilities to the cloud provider. If you need high availability make sure that that is what your contract guarantees.

In the March 1st S3 outage either lots of customers didn't feel they needed high availability or they misunderstood what they contracted for.

Make sure you are not surprised like "Docker's Registry Hub, Trello, Travis CI, GitHub and GitLab, Quora, Medium, Signal, Slack, Imgur, Twitch.tv, Razer, heaps of publications that stored images and other media in S3, Adobe's cloud, Zendesk, Heroku, Coursera, Bitbucket, Autodesk's cloud, Twilio, Mailchimp, Citrix, Expedia, Flipboard, and Yahoo! Mail (which you probably shouldn't be using anyway)." (source)

At the same time don't over buy. One of my customers was considering migrating their on-premises servers to Azure. As part of their on-premises setup they had a specific backup system and service. When I investigated Azure's service commitments I found that Azure's committed backup and availability met my customer's needs and the customer could discontinue their backup system and service.

By the way Amazon did a thorough post mortem on the outage.

Second (and more concerning since they should know better), even Amazon had highly visible services down.

Reminiscent of one of Microsoft's outages, Amazon's own online public dashboard was down along with many of Amazon's customer facing services, e.g. Amazon Fire tablets.

From Amazon's post mortem "we have changed the SHD administration console to run across multiple AWS regions."

Amazon, hadn't you thought of this before? What else have you overlooked?

Sunday, February 26, 2017

You Can’t Cut Your Way to Success

One of my former co-workers used to say "You Can’t Cut Your Way to Success."

A recent article in CIO.com called out challenges that keep CIOs up at night.

Several of the points were pertinent to my former co-worker's advice.

5. Aging IT infrastructures and IT spending cuts
"Many [financial services] organizations continue to rely on IT infrastructures that are built on outdated components and are running with vulnerabilities," says Joseph Pagano, practice advisor, Financial Services, Cisco Digital Transformation Group.
8. New technology (business disrupters)
The need to unearth and deploy new technologies and systems that will better serve and streamline their customers’ experiences is now of paramount concern for maintaining long-term business viability.
Likewise CFO.com had the same message.
...treating IT as an investment that builds rather than destroys IT capability and value. Contrary to conventional wisdom, if your CIO isn’t asking you for more money, she probably isn’t doing her job. You see, when it comes to IT, it takes money to make money and it takes money to save money.
My director once said to me "I've never seen a dollar you can't spend." To which I replied "If you don't like the results find someone else." I kept my job.

Invest in IT. If your IT isn't yielding value look at IT management, including yourself.

Sunday, February 19, 2017

Windows Fast Startup

Maybe I missed this since I skipped Windows 8. Windows 8 called it "Fast Boot." Windows 10 enables this facility by default on laptops as well as desktops.

In summary, with Fast Startup the current user is logged off, but then, instead of shutting down the operating system as expected, the current state of Windows is written to the hibernation file. When the system is restarted that state is resumed and the user is logged back in.

The result is that Windows doesn't really get restarted; only the user is logged off and back on.

To force a complete Windows shutdown and restart, hold SHIFT while you select Shutdown or Restart.


I ran into this recently when I encountered the DHCP problems Windows 10 introduced. A Windows restart using Fast Startup wouldn't clear them.

Sunday, February 12, 2017

Winaero Tweaker

A recent post in AskWoody reminded me of a utility I came across a while back.

The AskWoody article refers to the Winaero utility Winaero Tweaker. You can download it here.

While Winaero Tweaker can do a number of things the AskWoody reference was to disabling Windows 10 telemetry.

Winaero Tweaker makes that literally a one-click operation. Here's their write-up on it.


If that's not geeky enough for you, just scroll down and read the comments. Follow them at your own risk.

Sunday, February 05, 2017

Windows vs macOS

You always hear that macOS is more secure than Windows. In reality that perception is because macOS has been a smaller target (fewer devices) than Windows.

I recently came across an example that puts money behind the assertion that Windows is more secure than macOS.

Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference. Contestants are challenged to exploit widely used software. Cash prizes are awarded to those contestants that successfully demonstrate the vulnerability of various software. The value of the prizes is set by the level of difficulty expected for each piece of software.

Here is the announcement of prizes for local escalation of privilege:
Local Escalation of Privilege 
Although we’ve had some Escalation of Privilege (EoP) bugs as add-ons in past Pwn2Owns, this is the first year it has a category of its own. This is also the first time we included Linux as a target. In this category, the entry must leverage a kernel vulnerability to escalate privileges. If they do, contestants will earn $30,000 for Microsoft Windows 10, $20,000 for macOS, and $15,000 for Ubuntu Desktop. They will also get 4 Master of Pwn points for Windows and 3 for the other OSes. Considering the various types of malware that use local EoPs, this could prove to be an impactful category. As always, the latest, fully-patched version of each OS will be used – even if we have to stay up late to install the patches.
http://blog.trendmicro.com/pwn2own-returns-for-2017-to-celebrate-10-years-of-exploits/
$30,000 for Microsoft Windows 10 and $20,000 for macOS.

So when Pwn2Own put their money on the security of operating systems, they bet on Windows.

Good job Microsoft.

Sunday, January 29, 2017

I'm A Luddite


A former co-worker once called me a Luddite. I think he was joking but...

My recent efforts at trading cars reminded me of that accusation. (This will turn into a tech story shortly.)

We have had a 2013 Nissan Pathfinder for over 3 1/2 years. While we always enjoyed the ride and comfort of the Pathfinder it was fraught with recurring problems.

Normal wear and tear required us to replace the tires at just over 60,000 miles. Simultaneously the sun visors began drooping (like every 2013 Pathfinder does after the warranty lapses), the tailgate resumed its former issue of not power raising or lowering, the driver's window started to go up way more slowly than the passenger's and the brakes started screeching.

My wife refused to put any more money in it so we were off to look for a replacement.

We surfed around and came up with a short list: Honda Pilot and Toyota Highlander. We have had lots of both brands but most recently I've been driving Hondas so off we went to AutoNation Honda 385.

Our first drive was a 2017 Pilot Touring. We stopped at a red light and when I released the brakes the engine gave a noticeable shudder. I asked the salesperson in the back seat what that was. He said it was the "Idle-Stop" feature.
The idle-stop feature-standard on Pilot Touring and Elite trims helps maximize fuel efficiency in stop-and-go traffic. When the vehicle is at a stop for at least 2 seconds-such as at a traffic light-the engine automatically shuts off to save fuel. When you release the brake pedal even slightly, the engine starts back up by itself.
Remember that the Pilot Touring is not a hybrid. When the Pilot Touring is sitting with the engine shut off the air conditioning stops cooling. The fan continues to run but that's going to get uncomfortable in Memphis really quickly.

When I asked the salesperson if that feature could be disabled he showed me a button on the console to disable it. But it gets reset every time you turn the vehicle off and back on.

We drove a little more and entered an Interstate. I accelerated and felt the transmission shift several times with one being a bang-bang. Again another question to the salesperson. His response was that the Pilot Touring has a ZF 9-speed transmission. While that explained the several shifts it didn't explain the bang-bang. The salesperson had no further explanation.

I inquired as to whether all Pilots had these 2 features and the salesperson said that the models below the Pilot Touring, e.g. Pilot EX-L, didn't have either.

Frustrated we headed across the way to Principle Toyota to look at Highlanders. Guess what ALL (except the entry level model LE) of the 2017 Toyota Highlanders have? Yep, "Stop-Start". And no way to turn it off.

That's where the Luddite in me started to come out.

There's lots of discussion on the Internet about why the manufacturers are so aggressive with this idle-stop feature. The EPA mileage difference between the Honda Pilot EX-L (19/27/22) and the Touring (20/27/23) is minimal and much more likely to be related to the 9-speed transmission.

We didn't drive the Honda Pilot hybrid models. I'd hope that these models would drive off under electric power and start the conventional engine while underway. This would at least mask the shudder of the engine restarting.

Now for the 9-speed transmission.

This YouTube video does a much better job of explaining it than I can.

tl;dr There are 2 shift points that use dog clutches instead of the traditional plate clutches. These shift points are what I felt as a bang-bang.


Again there is no circumvention for this feature.

And the Internet is on fire with complaints about the ZF transmission. Motor Trend's long term test unit even had to have the transmission replaced.

So what did I do?

I gave Honda less money than I would have otherwise and bought a 2017 Honda Pilot EX-L.

Just to dissuade the Luddite accusers I chose a 2017 over a 2016 since the 2017s have Apple CarPlay/Android Auto. More on that later.

Sunday, January 22, 2017

How to Stop Skype from Running in the Background on Windows 10

Here's more fun and games with Windows 10 Version 1607 (aka Anniversary Update).

This article tells you how to sign out of Windows 10's new Skype Preview app.

I'm going to tell you how to attack it with an Atomic Flyswatter.

Windows + R

Type "shell:AppsFolder" without the quotes and click "OK".

Find the Skype Preview app (and any others you don't want), right click and select "Uninstall".


This technique came from here.

Do NOT uninstall the Store app. If you do, the only easy way to get it back is to reinstall Windows 10 over itself.

Sunday, January 15, 2017

Windows Installer Folder

When I ran my monthly backups recently I noticed that the X201 took way more space to backup than my other Windows 10 systems but not so much that I did anything about it. Then I ran Microsoft's Malicious Software Removal Tool just because I hadn't run it in a long time. It took hours, most of that in c:\Windows\Installer.

When I browsed to c:\Windows and looked for Installer I didn't see it. So I typed c:\Windows\Installer in Explorer's address field and it came up. I selected all the folders, right clicked and chose "Properties."

There was almost 30GB there!

It turns out that c:\Windows\Installer is used to uninstall programs. However in an old, active system (like X201) these files tend to get orphaned.

Google it if you like but there's much confusion out there. Most of the discussions wander off into telling the poster about how to run Disk Clean-Up to delete old versions of Windows. This is NOT the problem.

I saw PatchCleaner mentioned again and again. This article describes it best. PatchCleaner's home page is here and there's a download link but SourceForge has a project that has created a portable version.

I downloaded the portable version and ran it on X201. As I suspected it found over 26GB of orphaned files. I chose the option to have PatchCleaner move these orphaned files over to my Drobo.


Problem solved. I'll let you know if this created any new problems.

Sunday, January 08, 2017

Google's Internet Speed Test

I saw a post on reddit recently that referred to Google's Internet speed test.


Here's the URL to run it:

         https://www.google.com/search?q=check+internet+speed

Here's the result from my ThinkPad X201 running 802.11n.


That didn't seem as fast as I expected so I tried Google Fiber's Internet speed test.

Here's the URL to run it:

         http://speedtest.googlefiber.net/


That's more like it.

Then I tried Netflix's Internet speed test.

Here's the URL to run it:

         https://fast.com/


So I was on a roll. I tried Ookla's Internet speed test.

Here's the URL to run it:

         http://www.speedtest.net/


And Comcast's Internet speed test.

Here's the URL to run it:

         http://speedtest.xfinity.com/


Four out of five can't be wrong. Google's Internet speed test is reporting about half of the actual speed.

Sunday, January 01, 2017

Rumbling Clouds

I've written several times about "cloud" availability/reliability. A recent article on Microsoft's outlook.com service brought this back to my attention. This is Microsoft's free service so there's not really a lot of room to complain. This discussion is to compare the cloud solution to a self-hosted solution.

Microsoft has a status page which was getting updated regularly which is good but the details were a little light, e.g. "focused on remediation" and "users may be able to access the service by logging in to their Outlook.com accounts with a web browser as an alternative method". The problem existed almost a week.

Again this is a free service but these are situations you need to consider as you explore moving a service to the cloud.

Go read some of the comments:
When you go cloud hosted you are subcontracting your responsibility to a third party.
That third party may be much more capable than your IT budget will allow
I've got better reliability and almost the same service and functions as my company OWA account, free of charge as well.
Cloud is a way to free up the expense of operating your own IT services.
But putting your eggs into the hands of Microsoft, Google, Amazon or any other single entity to which you represent 0.00000000001% of their annual income is a stupid idea.
Realize that you are less than a rounding error to the cloud provider.
I don't hear many people talk about ... the time it takes to repair a massive amount of infrastructure even when you know how and have a fix available. I expect this to only get worse as the cloud continues to grow.
Clouds by nature are BIG. Big things take a long time to fix. Be prepared for that.