Category Archives: Tools

Boot13, Tools

ChatGPT: experiments in writing

Leave a comment

As I’m sure you’ve noticed by now, I’m using ChatGPT to generate some posts defining computing terms. I’m labeling them all clearly as generated text, but I’m also checking them carefully before posting.

Checking ChatGPT’s output is extremely important, because one can be lulled into believing that the program knows what it’s talking about. The text it generates always sounds authoritative, even when it’s horribly wrong. And it’s wrong more often that you might imagine.

Note: I’m not going to call ChatGPT an Artificial Intelligence (AI), because it’s nothing of the kind. It’s just a program that is able to generate believable-sounding text, regardless of its accuracy, based on analysis of a crapload of content written by humans. True AI will include this particular skill, just as it will include the ability to play chess, to generate art, to drive cars, to make quick decisions based on unpredictable circumstances, and many thousands more specific skills that humans possess.

A recent post at Futurism does a nice job of providing real-world examples of a mainstream news site (CNET) using ChatGPT to generate articles that sound fine, but include serious errors. In this case, the publisher did not initially identify the generated articles as being from ChatGPT, and while I can understand their reluctance, I think that was a bad call.

The risks of depending on ChatGPT are enumerated in this post from KnowBe4:

  • A big downside to ChatGPT is that its sources are unknown, meaning the creators themselves may not even know where the answers it produces come from. This often leads to incorrect information being given.
  • The concerning thing about this flaw is that the inaccuracies are tough to notice, especially because it sounds confident but can really be utter nonsense.
  • You cannot use ChatGPT to find out if text has been written by ChatGPT. There is no antidote.
  • It cannot detect scams. ChatGpt is a natural language processing tool that can answer questions and generate text based on the input it receives, but it does not have the ability to detect scams or other fraudulent activities.

Meanwhile, when I asked ChatGPT “Can ChatGPT’s writing be relied upon as accurate?” it responded as follows:

ChatGPT is a machine learning model and its accuracy is based on the data it was trained on. It can provide accurate information and responses to a wide range of questions and prompts, but it may not always be completely accurate or up-to-date. It’s always a good idea to verify any information provided by ChatGPT with additional sources.

Privacy, Security, Tools

Another breach at a password storage service: LastPass

Leave a comment

Using a password manager is still the best way to securely record all your passwords. This assumes that you are in fact using different passwords for every web site and service that require one. If you’re using the same password for everything, you are risking your privacy, financial security, and sanity.

So… which password manager should you use? Most of the major password management services (1Password, LastPass, etc.) store your passwords on their own servers, and there’s no question that this provides some benefits in terms of convenience, with the main one being that you can access your passwords from anywhere. You don’t have to back up your password data or copy it between devices; it’s maintained by the service provider and easily accessible via their web site.

But this convenience comes at a huge cost: the risk that your passwords will be compromised when the service provider experiences a security breach.

A recent breach at LastPass is, sadly, only the most recent example. In this case, the LastPass servers were compromised and attackers gained access to user data. The company first reported the breach in August 2022, but downplayed the impact on users. Their latest announcement finally provides the full story, and acknowledges that the attackers gained full access to user data, including encrypted passwords.

More about the breach from Bruce Schneier.

Although LastPass is to blame for the breach and compromised user data, passwords in the user data obtained by the attackers are all encrypted, and there’s no way to magically decrypt them without knowing the master passwords of individual users. However, that just means that the people who have the data will be using brute-force techniques to crack those passwords. For users whose master password is long and complex, it would take years–if not centuries–to crack, but if your master password is simple or commonly-used, all of your passwords are now known by these attackers.

Something for your to-do list: if you use LastPass, and your master password is easy to crack (check it here), you should immediately change ALL of your passwords.

In my opinion, you’re much better off using password management software that stores its data locally, on your own computer. Then you only need to worry about someone getting access to your computer, which you can actually control.

I’ve long recommended Password Corral for Windows users. It’s simple, secure, and free, and it stores its data locally only.

Other password managers that use only local storage include PasswordSafe, KeePassXC, and KeeWeb. Password managers that can be used with local storage include Roboform, and Sticky Password.

And remember that when you use a ‘cloud’ service, you’re just storing your data on a total stranger’s computer, which may or may not be managed and secured competently, and which you have basically no control over. Cloud stuff is convenient, but the risks of using it indiscriminantly are enormous.

Update 2023Sep11: Brian Krebs reports that password information obtained during this breach is being actively used by criminals to gain unauthorized access to various systems and services.

Firefox, Miscellany, Things that are bad, Tools

Dark Mode Rant

Leave a comment
What you see above is what I see after a few seconds of viewing a web site in ‘dark mode’.

Web sites are traditionally shown with dark text on a light background. Which is reminiscent of something… (checks notes)… that’s right, books! Why change something that’s worked fine for literally millennia? Apparently because a lot of people think light text on a dark background looks cool. And, to be fair, some people claim that using dark view is easier on their eyes.

So now we have a ton of web sites, apps, and other assorted crap showing up on our computer screens that is almost entirely illegible to a large proportion of the population (well, me for sure, and I’m guessing I’m not the only one).

When I look at white text on a dark background, after about five seconds, all the lines start to blur together (see image above), and I’m unable to continue. If I persist, I just end up with a headache. For the record, I’ve had my eyes checked, and aside from needing to update the prescription for my reading glasses, my eyes are fine.

Here are a few links to web sites that default to dark mode:

A request to web designers and developers: if you can’t resist making your web site dark mode by default, please, please at least provide some method for viewing it in light mode.

Some browsers have built-in features that allow viewing dark sites in light mode. But they’re inconsistent. Firefox has Reader View, which reformats a web page to show it like a book, with less clutter and — more importantly — dark text on a light background. Sadly, the Reader View button, which normally appears at the right end of the address bar, doesn’t always show up. That’s apparently because it’s only able to handle individual posts/articles, not other types of pages.

There are many Firefox plugins for showing web pages in dark mode, but initially I wasn’t able to find one that does the opposite. I had been struggling with a plugin called Dark Reader, which sort of worked, but only with a lot of fiddling, presumably because it was designed to do the opposite of what I want.

Recently, however, I discovered a Firefox plugin called Tranquility Reader. This one does exactly what I want, forcing page text to black and page background to white. So far, it’s worked perfectly on every page I’ve tried.

When installed in Firefox, Tranquility Reader adds an icon to Firefox’s toolbar. Click it once to view the current page as black text on a white background. Click it again to go back to the page’s default colour scheme. Simple!

If you ever find yourself struggling to read dark mode web pages, try Firefox with Tranquility Reader. It may save you from a headache or two.

Related:

Things that are bad, Tools

Cisco Immunet anti-malware software

Leave a comment

In brief: stay away from this software.

I’m always interested in evaluating anti-malware/antivirus software, especially when it claims to be ‘lightweight’. All too often, anti-malware software that’s configured to run in the background has a very noticeable effect on performance.

So I installed Cisco’s Immunet on my main Windows computer. About ten minutes later, I removed it.

The user interface is horrible, seeming more like a first-time coder might have produced it, rather than an organization with the resources of Cisco.

I was very careful to configure Immunet before I ran any scans. In particular, I configured it to ask me before quarantining any files. Imagine my surprise when on its initial scan, it went ahead and quarantined three executables, none of which were actually malware.

Of the three quarantined files, I was able to use Immunet to restore one. The others were irretrievable, and I had to reinstall the associated software. For one of them, I lost its settings as well.

Normally I would persist with an evaluation like this, to give it a thorough test. But really, having suffered this much in such a short space of time, why bother?

This is crappy software. Avoid at all costs.

Things that make me happy, Tools

CloudBerry Backup

Leave a comment

Backups are important. I tell people that they should think about how much work would be involved if they lost all their data, and had to create or gather it all again. Considering that work is usually enough to get people talking seriously about backups.

This consideration informs decisions about the backup process to be used: what should be backed up, how often backups should run, where backups will be stored, and how many backup versions will be kept.

My own backup requirements are like those of anyone who has done any amount of work that they would hate to lose: documents, email, financial records, pictures, artwork, and even browser bookmarks. The only difference is that I also provide full or partial backup services to my clients.

A few years ago, I realized that I needed an off-site backup system to complement my local backups. In the nightmare scenario involving total loss of all computers and storage devices resulting from a house or office fire, all local backups would also be lost.

And so I started looking at backup software that would allow me to maintain backups of critical data somewhere besides my home/office.

Storage required

Off-site backup storage takes many forms, including taking physical backup media off-site daily. These days it most often involves a paid service such as Amazon S3.

Remote services are often referred to as ‘cloud’ services, but they mean the same thing: the service runs on someone else’s computer. Of course, storing your irreplacable, private data on someone else’s computer sounds scarier than storing it ‘in the cloud’ so that’s the term we hear most often.

There are some special considerations when you start looking at using cloud storage for backups: additional costs, network bandwidth, vendor trustworthiness, privacy, and encryption.

The encryption issue alone requires careful consideration. Is your data encrypted in transit? Is it stored in encrypted form on the cloud service? Who has the keys to decrypt your data?

For my own backups, I settled on the DreamObjects storage service provided by Dreamhost. I’ve been using Dreamhost for client web sites and related services for years, and I’ve always found their support to be first rate. I have had a few problems with the DreamObjects service, including some reliability issues, but these were resolved quickly and satisfactorily by Dreamhost support.

My requirements

In my recent search for an off-site backup solution, I settled on the following requirements:

  • Runs on my main PC (Windows 8.1).
  • Stable and reliable.
  • Reasonably fast.
  • Incremental backups (back up only changed files).
  • Transmit only changed data (to save bandwidth).
  • A built-in scheduler, or compatibility with Windows Task Scheduler.
  • Compatible with DreamObjects, itself an S3-compatible service.
  • Data is encrypted in transit and when stored.
  • Storage provider does not possess encryption keys.
  • Ability to limit bandwidth used during backup operations.
  • Ability to limit the amount of storage used.
  • Backup storage pruning based on number of copies and/or storage used.
  • Straightforward restore process and tools.
  • Useful logging.
  • Does not use excessive computing resources (memory, processor, local storage, handles, and disk I/O).
  • The ability to include and exclude files and folders based on various criteria.

Enter CloudBerry

I looked at numerous possible solutions, and even purchased a few that looked promising but ultimately failed to meet my requirements, including qBackup, Arq5, Arq7, and GoodSync. I also looked again at Cobian Backup, which I still use for local backups, and Allway Sync, which I use for fast syncing of critical data to thumb drives, but they also failed to meet my needs for off-site backup.

CloudBerry was just the next solution on my list. I had never even heard of it before reading about it in this Reddit thread.

CloudBerry Backup can be downloaded and installed on a trial basis for two weeks. That was plenty long enough for me to learn what I needed.

CloudBerry Backup Features

See that list of requirements a few paragraphs back? Well, CloudBerry Backup checks all those boxes, and then some. CBB works with many storage services, including Amazon S3, Amazon S3 Glacier, Microsoft Azure, Google Cloud, Backblaze B2, Wasabi, OpenStack, various S3-compatible storage and others.

Other notable CloudBerry Backup features:

  • Grandfather-Father-Son (GFS) retention policy support
  • Backups to local drives and NAS-like storage devices
  • Microsoft SQL Server backups
  • Microsoft Exchange backups
  • Synthetic Backup for File, Image-based, VMware backups
  • Bare-metal recovery (create recovery disks and USB drives)
  • Cloud Backups (cloud-to-cloud, and cloud-to-local)
  • Image-based backups (physical or virtual machine image)
  • Modified Block Tracking for Image-based backups
  • Support for various virtual machine formats (Hyper-V, VMware, VirtualBox, and RAW)
  • Restoring image-based backups as Amazon EC2, Microsoft Azure VM, and Google Compute Engine instances
  • Hybrid (two-step) backup (applies to the legacy format only)
  • Client-side Deduplication
  • Mandatory and Full Consistency Checks
  • Backup Chains and Custom Scripts Support

One huge bonus CloudBerry provides is a clean, well thought-out user interface. This wasn’t on my requirements list, because although UI is important, backup software is typically set up once and then runs in the background. So I can live with a crappy UI in backup software, as long as it’s otherwise good. That’s unlike software I use every day, such as my email client, web browser, and document-based office applications.

A well thought-out user interface also makes CloudBerry Backup a legitimate solution for the less technically-inclined among us. In using CBB, I frequently discovered what I was looking for without any searching for functions or settings. Preset defaults made sense, and the backup plan creation wizard is excellent. CBB even creates several backup plans automatically, for documents, web browser bookmarks, and pictures; these need only a destination to be configured before they can be used.

CloudBerry Backup Pricing and Licensing

CloudBerry Lab was founded in 2011, but is in the process of rebranding itself as MSP360, so the company web site refers to both names. For now, the product I’m interested in is MSP360’s CloudBerry Backup Desktop Edition, which sells for $49.99 USD. The company provides other backup software and services aimed at business, corporate, and educational customers. There’s also a free version of CloudBerry Backup, but it has some limitations that make it unsuitable for my purposes.

When you purchase CloudBerry Backup Desktop Edition, you have the option of paying an extra $10 USD for a year of annual maintenance. The MSP360 web site isn’t exactly clear about what this provides, but it does include support, and may be the only way to obtain software updates. If you want and/or need support, the $10/year price seems reasonable.

Conclusions

Great software makes me happy. CloudBerry Backup qualifies, and my search for an off-site backup solution is over for now.

If you or anyone you know could use an excellent backup solution, whether or not they need off-site storage, you won’t go wrong recommending CloudBerry Backup.

Edge, Microsoft, Tools, Windows 10

EdgeDeflector prevents Windows 10 from using Edge

Leave a comment

The battle for web browser dominance on the Windows desktop continues, although Google is currently winning. “Google recommends using Chrome” messages seem to appear on every Google-managed web page even if you’re already using Chrome. But while annoying, those messages are arguably reasonable compared with some of Microsoft’s recent tactics.

Microsoft likes to reset certain settings back to their defaults when Windows updates are installed. They’ve been doing this for years, reverting user browser preference to Internet Explorer at every opportunity.

As a result, power users and software developers have been engaged in a tug of war with Microsoft over the default web browser in Windows. In recent years, Microsoft has made it impossible for the default browser to be changed by software, forcing browser makers to instead provide instructions to users on how to make that change. Microsoft can of course claim that this change was made to improve security, and given the prevalance of browser hijackers in past years, it’s difficult to disagree.

With Edge in Windows 10, Microsoft has taken this battle to new extremes. Even if you have another browser selected as the default, some sites and services will always be opened in Edge. To see this in action, click on the taskbar search box. A large panel will open, showing news and weather links. Anything you click here will open in Edge, not in your default browser.

That’s because internally, Windows is using a special protocol called URL:microsoft-edge, which forces the use of Edge for opening web pages that Microsoft has designated as special in some way, despite being ordinary web pages in every sense.

This is of course exactly the sort of behaviour that got Microsoft in trouble in the 1990s: using their dominance in the desktop O/S market to push their own web browser. But these days everyone’s attention seems to be on Google and Facebook, and Microsoft’s browser pushback is being largely ignored.

EdgeDeflector to the rescue

Daniel Aleksandersen’s EdgeDeflector is a small tool that overrides the URL:microsoft-edge protocol’s normal behaviour, forcing it to actually use the web browser you’ve chosen as the default. EdgeDeflector was recently updated to make it more palatable to anti-malware software, which previously flagged the tool as suspicious because of its behaviour.

You’ll have to change this Windows 10 setting manually to make EdgeDeflector work.

Once you install EdgeDeflector, you need to complete its setup with some manual steps. I can confirm that the end result is exactly as advertised: even when clicking news links from the Windows 10 search panel, those links will open in your default browser, not in Edge.

Of course, Microsoft will probably take steps to defeat this useful tool, with the most obvious step being to revert the changes EdgeDeflector has made when Windows 10 is next updated. And so there are no winners in this stupid, never-ending battle.

Internet, Tools

Deciding whether to install a web ad blocker

Leave a comment

I just discovered an interesting and useful web site: Should I Block Ads?

Created by Michael Howell, it’s collection of information that can be helpful in deciding whether to install an ad blocker in your web browser. It also provides ad-blocker recommendations for various platforms and browsers.

Michael’s analysis addresses all of the concerns I’ve had with web-based advertising, and confirms my choice to install and use uBlock Origin in Firefox, my primary web browser.

If you’re considering installing an ad blocker in your web browser, keep in mind that there can be a bit of a learning curve, and that blocking ads can cause some web sites to stop working. Blocking web ads usually ends up being an ongoing process; don’t expect it to be a magic bullet.

There are of course arguments against ad-blocking. Just keep in mind that a site owner always has the option of placing hand-crafted advertisements on their site; as long as they don’t use Javascript and are not associated with known advertising networks, they will not be blocked.

Mac, Tools

Hook: find without searching

Leave a comment

A new software tool from CogSci Apps called Hook lets you link together web sites, emails, documents, and many other resoures, making it a simple matter to find those resources again later. Open one resource, then use Hook to open any or all of the related resources.

Here’s an exerpt from the Hook web site:

Hook for macOS
Find without searching.
Instantly access the information you need, without searching. Whether it’s in the Finder, email, on the web, in the cloud, a version-control system, … almost anywhere.

Currently available only for Mac, a Windows version is in the early planning stages.

If you have a Mac and want to try Hook, you can download the free version from the Hook Download page.

Paid versions of Hook include more features. You can see how the different versions compare on the Hook Buy page.

JRC is a CogSci Apps affiliate. If you purchase a paid version of Hook within 30 days after visiting the Hook Buy page using any Hook Buy page link on this page, Jeff Rivett Consulting will receive 15% of the purchase price.

Security, Things that are bad, Tools

It’s probably a good idea to stop using LastPass right now

Leave a comment

Password management tools are generally a good thing. Most of us have so many passwords now that remembering them all is difficult. While it’s tempting to use one or two passwords everywhere, this is generally viewed as a bad idea. Same goes for short or easy-to-guess passwords: bad idea.

I recommend using password management software that runs natively, on your computer. I personally use Password Corral, and have used Bruce Schneier’s Password Safe. Both store your password data on your computer, not on someone else’s computer (aka ‘the cloud’). Both are relatively basic in terms of functionality: they allow you to store all of your passwords securely; password data is encrypted and protected by a master password. They can also generate new, random passwords.

There are plenty of other password management solutions out there. Some of the most popular ones, like LastPass, provide more features and are easier to use, but there’s typically a cost. For instance, it would definitely be convenient if I could access my passwords from any computer. But if that means my password data is stored on the cloud somewhere, well, no thanks. The same goes for browser extensions that enter passwords automatically.

Which brings us to yesterday, when a Google Project Zero security researcher reported a serious vulnerability in the LastPass browser extension. With the extension enabled in your browser, a malicious web site could steal all of your passwords from the LastPass data files. Yikes. But wait, there’s more! If you’re also running the main LastPass software on your computer, a malicious web site could execute arbitrary code on your computer.

LastPass issued a response to this report, confirming the problem. Their advice to users is vague, but that’s actually a good thing: if they said too much, it could provide clues about the vulnerability to malicious hackers. But the message is clear: if you have to use LastPass, disable the Lastpass browser plugin:

Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.

Interestingly, of the three recommendations provided, two are standard advice for anyone who uses the web: enable and use Two-Factor Authentication for sites and services that offer it; and be wary of phishing attempts.

Security, Tools

Review: Heimdal Security Software

Leave a comment

I’m always on the lookout for tools that simplify the task of keeping software up to date. I recently installed Heimdal Security Free on my Windows 8.1 PC, and took a close look at its software patching feature.

Note: the paid version of Heimdal Security includes network traffic-based malware detection. That feature appears in the free version, but it’s disabled.

The Good

The software basically does what it says. By default, it automatically checks for out of date software, and silently installs updates where needed. The software it checks includes the vulnerability-prone Flash and Java, as well as all the major browsers. It’s fast, relatively unobtrusive, and has a polished, professional user interface.

The patching system can be customized: you can tell it to only check for updates, but NOT install them automatically, and you can disable checking for anything in its software list, which currently includes forty-one items.

The Bad

  • If you disable the auto-update feature, there’s no obvious way to install new versions.
  • The ‘Recommended Software’ tab has Install buttons, which at first looks useful. But closer inspection reveals that this list only shows software that isn’t currently installed. In fact, it lists some software I’ve never even heard of, much less installed.
  • Heimdal detects software that is available in both 32- and 64-bit versions. But if you have the 32-bit version installed, the ‘Recommended Software’ tab will list the 64-bit version. And vice-versa. This is not useful.
  • There’s no obvious way to tell Heimdal to perform a re-scan. I eventually realized that disabling the feature and re-enabling it does that, but a ‘Scan’ button would be a real improvement.
  • The software list cuts off some important information: the software version number is often truncated, making definite confirmation of version changes difficult. And there’s no way to resize the column, or the dialog. Update: I discovered that the missing information can be revealed by hovering the mouse over a truncated field.
  • Heimdal shows some software as needing an update when in fact that software is up to date. For example, it continues to report an available update for 7-Zip 16.04: to version 16.04.0. It looks like Heimdal fails to match versions when there are extra zeros.
  • There’s no way to shut down Heimdal once it’s installed. There’s an icon in the notification area, but it doesn’t even have a right-click menu. Your only option is to uninstall Heimdal completely.
  • When Heimdal installs something from the ‘Recommended Software’ tab, it configures itself to automatically update that software. An option to override this behaviour would be helpful.

It’s possible that some of these issues would not present themselves if I configured Heimdal to install updates automatically, but I prefer to have more control over software installation.

Conclusion

Despite its flaws, Heimdal may prove useful to some users. But I can’t recommend it.

Update 2017JFeb01: Heimdal responded to my review, addressing my concerns:

For the moment, Heimdal does not have the option to install updates manually. We wanted to make software updates fast, secure and hassle-free for Heimdal users and adding a manual option would be the opposite of that.

My response: that’s just silly. Make it an option, but default to automatic. Most users would never even see the option. It wouldn’t make anything slower, or less secure, or increase hassle. And all the necessary functionality is already in place.

We called it “recommended software” because it not installed on the system. These are apps you can install with one click, should you want to do it. If not, they don’t impede you in any way.

My response: Understood, but it’s kind of misleading, especially since in some cases they are recommending 32 bit versions of software already installed in 64 bit form.

Indeed, this is something we will work on improving, so we can match software versions to the type of system they’re recommended for.

The scan button is in Heimdal’s home screen, when you hover over the big white button with the green checkmark. We will try to make this more obvious in future versions.

My response: on the Overview tab, there’s a big white icon that’s either a checkmark (if everything is up to date) or an exclamation mark (if it isn’t). Nothing appears when you hover the mouse over this icon, and there’s no indication that clicking it will do anything. But it does work, so it would be nice to have this properly labeled.

Making windows resizable is not something customary to security applications (it would create an unnecessary burden on the system), but we will try to rearrange the elements so that they provide a clearer view in future updates.

My response: Making windows resizable is in fact standard for all Windows applications, and those that don’t allow this are probably not following Windows development guidelines. Further, the notion that adding this functionality would somehow place a ‘burden on the system’ is simply absurd. But the indicated fixes will be welcome in the absence of resize-ability.

Heimdal shows some software as needing an update when in fact that software is up to date.

I think that our support team can help you with that. If you can, send them an email at support@heimdalsecurity.com and they’ll be right on it!

My response: Done. After some back and forth, Heimdal support reproduced one of the problems on their end (7-Zip version detection), and is working on a fix.

We will add a right-click menu in the coming versions. There is no option to shut down Heimdal, because security software usually does not have this feature. If it had it, malware could easily switch it off and infect the system.

My response: if malware is present on a computer, it can kill a process as easily as it can stop a program from its system menu. I want to be able to run the update feature on-demand, and there’s simply no way to do that sensibly unless the program can be closed.