Sunday, March 17, 2019

Facebook Tracking - Part 2

Go read this first.

Now go try this. Log in to Facebook. You can even try my sandbox technique if you like.

Log out.


Leave that alone and go away for a while. Wait until you should have gotten some kind of Facebook notification.

Now go back to the tab where you were logged out.


You just thought you were logged out. Facebook was still tracking you and even updated your profile picture to show the number of notifications you've gotten while you thought you were logged out.

Evil.

Sunday, March 10, 2019

Facebook Tracking

I realize there's lots of noise on the Internet about Facebook tracking you but I just wanted to show you what it really looks like.

I've posted before about how I try to sandbox Facebook. I'm not naive enough to think that's bulletproof but at least I'm trying.

Similarly, I NEVER click on a link in Facebook. As I suggested in the previous post, I right-click and copy the link. Then I go over to another tab and paste the link. Then I go and delete all the characters starting with "?fbclid=".

Here's a recent example:
https://l.facebook.com/l.php?u=https%3A%2F%2Fgoo.gl%2FHoh4V9%3Ffbclid%3DIwAR1yCKf6gTjPq_YDl4Y-J37BZ7TIJZGXMvZvH8T9_Zn6OQf_gN0HMHp4kRM&h=AT1dP9OuIl5M0f_qB4pUFO3gx7feNV6B1whGiQYsb2QXb98_FfInyZf_H1u2BzGd15g61SR90EDeuHuljeRyLvmk6JyH_B4eVfEN30qN6ZO8d7o_uAZUyKqX4vqHE775UyKArv4Js_gcGEkBTU1p8gL84__GHE6Zv9zjA885LeHRoXSHCjvZ2SsPPRbmEjuWgkLFhmv_RNxkIW2iCoVIXjq_91x3aGNuRg5Cv26oCgHk0Jx6VYgFpGuhVWAhu22pYgHzvqFEej0iyjbvdJx3qNDxBXU9c57ggOrLcYf5rBp9zaW-RP5rxpZcmnC6RS5SRNbsVhCs1fjhGyI2ZVYfZJnR_WgeT_VgzuatreZLYzKMv9s2gajAttWgnM79qg28QFnADkQYaExt5CA1MotGiR1jCjgQP9nL1ImgQ3zTmNrlojfuzfHMzY9y7SExcHk8bMqvOU7KML1p--ds09Dbfi482AudxWzehwUdEYMUTWhQANMlLIDWBFbEzgeTyZqDD5HblobEqjYorDFd7aawWeIQhiQPIzWFarWKxXJrILwR6g4vhkP2WR_vpQ5P40IIxYmWF5zFrKdwcJpi4OaP4jkoErnnqUaeZrg4EOpho3tTJzu3Jb0xOzsX76SmgyCmMhym9o7bnKF5z7NIw2HLMIGHljlH
This URL is even percent-encoded, which further obfuscates what it's doing. I use a URL Decoder/Encoder to make it somewhat readable.
https://l.facebook.com/l.php?u=https://goo.gl/Hoh4V9?fbclid=IwAR1yCKf6gTjPq_YDl4Y-J37BZ7TIJZGXMvZvH8T9_Zn6OQf_gN0HMHp4kRM&h=AT1dP9OuIl5M0f_qB4pUFO3gx7feNV6B1whGiQYsb2QXb98_FfInyZf_H1u2BzGd15g61SR90EDeuHuljeRyLvmk6JyH_B4eVfEN30qN6ZO8d7o_uAZUyKqX4vqHE775UyKArv4Js_gcGEkBTU1p8gL84__GHE6Zv9zjA885LeHRoXSHCjvZ2SsPPRbmEjuWgkLFhmv_RNxkIW2iCoVIXjq_91x3aGNuRg5Cv26oCgHk0Jx6VYgFpGuhVWAhu22pYgHzvqFEej0iyjbvdJx3qNDxBXU9c57ggOrLcYf5rBp9zaW-RP5rxpZcmnC6RS5SRNbsVhCs1fjhGyI2ZVYfZJnR_WgeT_VgzuatreZLYzKMv9s2gajAttWgnM79qg28QFnADkQYaExt5CA1MotGiR1jCjgQP9nL1ImgQ3zTmNrlojfuzfHMzY9y7SExcHk8bMqvOU7KML1p--ds09Dbfi482AudxWzehwUdEYMUTWhQANMlLIDWBFbEzgeTyZqDD5HblobEqjYorDFd7aawWeIQhiQPIzWFarWKxXJrILwR6g4vhkP2WR_vpQ5P40IIxYmWF5zFrKdwcJpi4OaP4jkoErnnqUaeZrg4EOpho3tTJzu3Jb0xOzsX76SmgyCmMhym9o7bnKF5z7NIw2HLMIGHljlH
And notice that Facebook is not only passing a tracking ID along to the target site but using a redirect service (https://l.facebook.com) to launch it.

Once you eliminate all the tracking information, here's what you get:
https://goo.gl/Hoh4V9
Facebook is just evil.
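
The manual clean-up above, done in code (an added example, not part of the original post). It goes a little further than the by-hand method: it also removes fbclid when it follows other parameters as "&fbclid=", and it refuses a wrapped destination that is not http(s). The sample link is constructed from the post's destination with placeholder values for fbclid and h.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDIRECT_HOST = "l.facebook.com"   # redirect service named in the post
TRACKING_PARAMS = {"fbclid"}       # click ID the post strips by hand

def unwrap_redirect(url):
    """Return the destination carried in the redirector's `u` parameter."""
    parts = urlsplit(url)
    if parts.hostname != REDIRECT_HOST or parts.path != "/l.php":
        return url  # not a wrapped link, leave it alone
    # parse_qsl percent-decodes, which replaces the manual URL-decoder step.
    target = dict(parse_qsl(parts.query)).get("u")
    if target is None or urlsplit(target).scheme not in ("http", "https"):
        raise ValueError("redirect link has no usable http(s) destination")
    return target

def strip_tracking(url):
    """Drop tracking parameters wherever they sit in the query string."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in TRACKING_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))

def clean_link(url):
    """Unwrap the redirect, then remove tracking parameters from the target."""
    return strip_tracking(unwrap_redirect(url))

# Constructed sample: the post's destination, placeholder fbclid and h values.
WRAPPED = ("https://l.facebook.com/l.php?u=https%3A%2F%2Fgoo.gl%2FHoh4V9"
           "%3Ffbclid%3DCONSTRUCTED_CLICK_ID&h=CONSTRUCTED_TOKEN")

if __name__ == "__main__":
    print(clean_link(WRAPPED))  # https://goo.gl/Hoh4V9
```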

Sunday, March 03, 2019

Zoolz Update 2

I continue to be impressed by Zoolz as a backup tool. You can get a lifetime of 1TB Instant Vault and 1TB of Cold Backup Storage here for $45.

Since my last post I have tried the Instant Vault storage. Think of it as 1TB of shared storage like Dropbox shared files. But you have to log in to the Zoolz web interface and drag and drop files/folders onto a web page.


Then you can request shared links to the files/folders. Those files/folders are NOT automatically updated. This is a separate terabyte of storage from the Cold Backup Storage.

But what really got me looking back at Zoolz was that my CrashPlan for Small Business at 75% discount for a year expired and my monthly charge went to $10. Not a big deal but $10 more than I used to pay.

In revisiting Zoolz I came across a feature that I hadn't noticed before - Hybrid+ backup.
Zoolz Hybrid+ doubles your backup protection by creating a copy of every backed up file to a local server, external or network drive; ensuring faster recovery when needed. Zoolz restore is intelligent enough to minimize recovery time by checking your local Hybrid storage for the file before restoring it from the web, reducing time and bandwidth resources.
And it's included with the regular Zoolz offering.

So I bought a 2TB Western Digital USB 3 drive and plugged it into the back of "The Trump".

Here's how you turn it on.


It took about 4 hours to sync the 400+ GB that I have selected to back up with Zoolz.

Zoolz support was excellent in helping me understand how Hybrid+ worked, even doing some experiments to answer some of my questions.

So now I have cloud backup with Zoolz Cold Backup Storage, local backup with Zoolz Hybrid+, and offline backup with Macrium Reflect.

Sunday, February 24, 2019

PrtScn

If you liked my earlier post about Snip and Sketch I've come across another feature of this. Remember that this capability was introduced in Windows 10 1809.

Go to Settings and search for Print Screen.


Click on "Use the Print Screen key to launch screen snipping".


Slide this button to "On".

Now when you press the PrtScn key the new Snip and Sketch control will be presented.

Clicking on the screen icon will capture the entire screen.


Don't forget the old capability of holding the Alt key when you press the PrtScn to capture just the active window. This still works with the PrtScn key remapped. As well, if you press the PrtScn key first and then hold the Alt key while you click on the screen icon you'll only capture the active window.

Try it.

Sunday, February 17, 2019

VPNs


Recently one of my co-workers sent me this article (archive.is). He asked:
What do you think of his assessment that VPNs are worthless and you are better off with HTTP Anywhere, etc?
That's not going to be a quick answer.

Just before a promotion for a commercial VPN service, the author says:
VPN services don’t make you more secure on the internet. Install HTTPS Everywhere, install an ad blocker and change your DNS settings to Quad9 or Cloudflare’s 1.1.1.1.
There are 3 points in there:
  1. Install HTTPS Everywhere
  2. Install an ad blocker
  3. Change your DNS settings to Quad9 or Cloudflare’s 1.1.1.1
HTTPS Everywhere forces HTTPS connections to any site that supports HTTPS even if the initial request is HTTP. I haven't tried HTTPS Everywhere but that's a good idea. Personally most sites that I use already force me to HTTPS anyway.

Oh, HTTPS can be spoofed. If someone has put a root certificate authority (CA) certificate on your device, they can use it to sign an HTTPS certificate for any site, which your device will then trust, and take a man-in-the-middle position decrypting your supposedly HTTPS traffic. At that point they could send it on as HTTP or just scrape off your confidential information. This has happened more than once.

At one time, Google's Chrome validated the HTTPS certificate in use for Google sites against the one that they had issued and complained if there wasn't a match. I've heard that that is no longer happening.

To mitigate this risk, run sigcheck.exe (my blog) regularly.

And to ad-blockers.

I use uBlock Origin. Here's a comparison of cnet.com without and with uBlock Origin active.

Without

With

Not only does a good ad-blocker block the presentation of ads but it blocks any malware that potentially goes along with it. And it significantly reduces the bandwidth required.

Now to DNS.

While changing your DNS to 1.1.1.1 or 9.9.9.9 seems like a good idea, it's not that simple.

If your scope of control DOESN'T include the Internet facing router, e.g. in a network that's not YOURS, then you really don't have ANY control over what server resolves your DNS queries. Even if your device sends a DNS request to 1.1.1.1, a malicious router can map that to a malicious DNS server and you'll get the response back from it. It can even NAT the responding IP address back to 1.1.1.1 so you'll never know.

If your scope of control DOES include the Internet facing router, e.g. in a network that is YOURS, then set the DNS server in your router to 1.1.1.1, 8.8.8.8, or 9.9.9.9. I don't really distrust Comcast's DNS servers but why not use one whose goal is to be secure and fast?

But back to the non-owned environment. Since you really can't trust legacy DNS resolution you have a couple of choices.

First, you could use a VPN provider that you trust. You do need to make sure that the VPN sends DNS requests through the tunnel and doesn't just let the local network (malicious?) resolve them. I'm not sure how to determine that but there's probably a way.

Second, you could use a client app that implements DNS over HTTPS (DoH) or DNS over TLS (DoT). Both of these protocols send DNS requests through an encrypted session so they can't be intercepted in flight. Even then you have to trust the DNS server that is at the end of the encrypted tunnel. There's a deep dive on this here (archive.is). There's a cryptic article from Google here (archive.is).

This is not a simple discussion.

Sunday, February 10, 2019

Chrome Password Checker

If you're not using Google's Chrome browser you should be.

Now that you are using Chrome, install the Password Checker extension.

This new extension will automatically check whether your user id / password has been exposed in a data breach. If it finds a match it will warn you.


Sunday, February 03, 2019

Friends Don't Let Friends

Microsoft Azure has had another round of problems.

Microsoft Office 365 users in Europe unable to access mailboxes for a full day

Microsoft cloud services see global authentication outage

Microsoft threw Level 3 under the bus on the second outage.
On the Azure status page, Microsoft indicated that the source of the problem is with Level 3, an US-based ISP that provides connectivity and various other services to Microsoft data centers.
At least customers could get to the Azure status page this time.

So I went off to downdetector.com. Here's what they showed several hours after the problem seemed to be resolved.


1600 incidents reported to downdetector.com at the peak.


And impacting several continents.

But Level 3 (CenturyLink) is a backbone provider. Shouldn't a Level 3 problem have affected many service providers?

So back to downdetector.com. Here's what they reported for Amazon Web Services (AWS).


No apparent correlation to the time of the Azure outage and less than 10 incidents reported in the worst hour.

So it must not be a backbone issue impacting multiple service providers?

Not so quick.


AWS' incidents were from the same geography as Azure's.

My assessment:

  • Level 3 (or some backbone provider) probably had an incident that affected all its customers.
  • AWS was able to tolerate the backbone outage better than Azure.

YOU get to decide where you want to put YOUR data.

Sunday, January 27, 2019

Controlled Folder Access - Windows 10 1809

I've been a big fan of Windows' Controlled Folder Access. Some of my coworkers have been "surprised" when it was enabled without their knowledge but I haven't experienced that. In fact I turn it on immediately when I build a new Windows system.

Over a recent long weekend I got on a tear upgrading 4 systems, desktops and laptops, to Windows 10 1809. I still haven't experienced any problems.

I've been posting about several new features in Windows 10 1809 that I think haven't gotten much press here, here, and here.

After my mass upgrade I've run into another unannounced feature that is valuable in relation to Controlled Folder Access.

In Windows 10 if a program violates the Controlled Folder Access you have established you get an ambiguous notification without enough information to act.


I Googled this and found that there is an event in the Event Viewer that has more information (archive.is). Here's how to get to it:

  1. Right-click on the Start button and select Event Viewer.
  2. Navigate to Applications and Services > Microsoft > Windows > Windows Defender > Operational
  3. Filter for (or just look for): Event ID 1123

Or you could just upgrade to Windows 10 1809.

Here's what the Controlled Folder Access Settings screen shows after an exception in 1803:


Not much help.

In 1809 here's what you get:


When you click on "Recently blocked apps" you get:


Nice.




Sunday, January 20, 2019

Viewing HEIC Pictures on Windows 10

Your new iPhones may be taking HEIC pictures. If you can't see them on Windows 10, install these 2 Microsoft Store apps.

HEIF Image Extensions

HEVC Video Extensions from Device Manufacturer

You will get prompted to log in to Microsoft. I don't do that and choose to just install on this PC.

That was easy.

Sunday, January 13, 2019

Nexus 7 and Nougat

I've been playing with my Nexus 7 2012 for a long time. For me it's the perfect size.

When I last posted about it 2 1/2 years ago, I had updated it to Android 5.1.1 Lollipop.

Rereading that post this is what jumped out at me:
[I]ts performance is consistently Ok.
That was generous. It was so slow that I eventually set it aside and bought a Nexus 7 2013.

Recently I decided I wanted a cheap tablet to keep in the car. I looked at Amazon Fire Tablets but then came across my old Nexus 7 2012 in my junk pile.

I spent some time Googling for ROMs for it and found a couple of Android 7.1 Nougat ROMs.

The people who had flashed Nougat had good things to say.
Still have plenty of memory space. It all runs nice & smooth. Very well done guys!
Everything works great with the latest version of the rom. Thank you for your work!
Thank you very much for this rom. It's very smooth and fast.
So I dug out my old ThinkPad with adb and the Nexus drivers and got to work. adb is always a little bit of magic and the busted screen on the ThinkPad didn't help any.

First I had to install twrp. As usual this was the hardest part.

Then I flashed the ROM and pico Gapps.

After a couple of hours the Nexus 7 2012 was booted on Nougat.

Now it's on Android 7.1.2 with the September 2018 security patches.


Yeah, it's slow but usable and not bad for a 6+ year old device.

Sunday, January 06, 2019

Squoosh

I guess all the good domain names are gone. I've recently posted about Sweech and Zoolz.

Now there's Squoosh.

Squoosh is a web app from Google that will optimize image sizes to reduce page load time.

I would have thought that web image optimization has already jumped the shark what with 100+ Mbps home broadband but what do I know? I realize that not everyone has that bandwidth. My mother only has 10Mbps.

Squoosh runs all in the browser and after you load it the first time you can run it offline. Again, not sure WHY you'd need to do that but it does work.

Anyway, on to what it does.

I sent a 1.44MB jpeg to Squoosh and it optimized it to 521KB, a savings of 66%. There was no discernible difference in the image.

Original

Squoosh

That's nice.