Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett


Resources, Security, Tools

How good is your password?

Leave a comment

There’s a new chart from Hive Systems that you can use to determine how resistant your password is to brute-force cracking.

Password strength chart

Keep in mind that this is a moving target. As processor power increases and new technology arrives, brute-force attacks get faster. So if you have a similar chart published a couple of years ago, it’s likely already out of date. That’s why they included the year at the top of the chart.

It’s easy to use: find the intersection of your password’s length with its character combination.

So, for example, ‘718462’ can be cracked instantly, as can ‘xgts’.

Note that this chart does not show the effect of dictionary attacks, which are typically tried before the brute-force approach. A dictionary attack tries to guess a password based on a list of common passwords.

If your password is in the red or purple areas, you should really think about making it longer and more complex. Longer, more complicated passwords are also more difficult to remember, especially when you use a different password for every site and service (and you really should), but there’s a simple solution to that: use a password database.

I use both Password Corral, which is a free, standalone Windows program, and 1Password, which is not free, but has some useful features.

Given that most of the web-based password managers have been hacked at one time or another, I still recommend using standalone software if possible.

Boot13, Things that are bad, WordPress and other CMS

Automattic sold your site data for years

Leave a comment

If you installed and activated the popular Jetpack plugin on a self-hosted WordPress web site after 2013, and didn’t bother to read the fine print when accepting Jetpack’s Terms of Service, Automattic (the company that makes Jetpack) surreptitiously gathered your site’s data and sold it to social media and data analytics companies.

Jetpack is a free plugin that adds a useful collection of features to WordPress, including social media buttons and sharing, Markdown support, security, backups, anti-spam, stats, and so on. Some of these features have been very useful for the sites I’ve managed over the years.

How was Automattic able to do this?

There’s a somewhat hidden setting that controls whether Jetpack siphons data from your site and sends it to the Automattic mothership. Navigate to the Jetpack Dashboard, scroll to the bottom of the page, and click ‘Modules’. The setting you’re looking for (prior to Jetpack 13.3) is ‘Enhanced Distribution’. It should be named ‘Donate your content to Automattic and allow them to sell it and keep all the proceeds’.

Even if all the more obvious Jetpack features are disabled, if ‘Enhanced Distribution’ is enabled, Jetpack is sending your data to Automattic.

Making matters even worse, Jetpack updates have a nasty habit of re-enabling previously-disabled features or reverting to default settings. Whether this affected ‘Enhanced Distribution’ or not is unclear.

The Firehose

Automattic sold your site data as part of a product called Firehose, which potentially contained all of the original content from your site. Here’s the first paragraph from the Firehose product page:

WordPress publishers and visitors produce thousands of new posts and comments every hour. These content streams are available in three real-time formats from redundant servers. These streams are intended for partners like search engines, artificial intelligence (AI) products and market intelligence providers who would like to ingest a real-time stream of new content from a wide spectrum of publishers.

What does Automattic say about this?

A recent post on the wordpress.org support forum asked about Jetpack Backup & AI. Here’s how Automattic responded:

They will retire Firehose, but…

We have sold our Firehose to social and data analytics companies, and we have also used some distribution partners (like Socialgist) to sell the Firehose to these types of end users.

The release notes for Jetpack 13.3 (2024-April-03) shows this: “Enhanced Distribution: begin deprecation process as the Firehose is winding down.” The only obvious difference is that ‘Enhanced Distribution’ is no longer listed on Jetpack’s Modules page. Hopefully that means the option is now also disabled for all sites, not just further hidden.

They never sold to AI companies and don’t plan to

Neither we or our distribution partners sell the Firehose to any companies that are training LLMs or to any generative AI companies.

Enhanced distribution is a feature that was released in 2013 with the purpose of driving traffic by giving blogs additional readership in the WordPress.com Reader. Content from those sites were gathered with approval by accepting the terms of service. Our partners were social and data analytics companies.

Automattic also published an article titled ‘Protecting User Choice’, a response to concerns about selling data to AI companies.

Okay, but…

If you were about to point out that posting anything on a public-facing web site makes it available for anyone to use: okay, sure, but Automattic SOLD the data they gathered. I never expected to make any money from this site, but that doesn’t mean I’m happy about anyone else making money from it.

Recommendations

Stop using Jetpack. Automattic has done, is doing, and will in all likelihood continue to do some shady things. I regret ignoring the advice I received years ago to stop using Jetpack, and can only hope that any damage caused to clients due to my recommendation and use of Jetpack is minimal.

If you can’t avoid using Jetpack, please disable the ‘Enhanced Distribution’ module. Unfortunately, if you’re using version 13.3, it’s not clear how this can be accomplished.

Most of the features provided by Jetpack can be found in other free plugins. Switching to alternatives for the functions you actually need has the additional advantage of eliminating the overhead of what is now quite a bulky Jetpack.

Here are a few alternatives to Jetpack for specific functionality:

And there are many more possibilities. Jetpack certainly was a handy and simple way to add a lot of useful functionality to WordPress. But Automattic has demonstrated that they are willing to sneakily sell your site data, and I just can’t trust them anymore.

Edge, Microsoft, Things that are bad, Windows

Microsoft’s Edge-related shenanigans continue

Leave a comment

There’s apparently a team of people at Microsoft who spend all their time trying to come up with sneaky ways to get Windows users to switch to Edge as their default web browser. To be clear, I have no direct evidence that such a team exists, but it seems likely.

The latest trick? Automatically importing Chrome bookmarks into Edge, then sneakily running Edge instead of Chrome, presumably in the hope that some users will fail to notice the difference.

In practise, though, I doubt many people will be fooled, because site passwords are not imported along with the bookmarks. They will, I think, realize that something funny is going on when their site passwords are missing.

I wonder how far Microsoft is willing to go with these tricks. They’ve been doing this kind of thing since the early Internet Explorer days, so it’s nothing new. The company has been spanked from time to time for these shenanigans, but those spankings don’t seem to have been much of a deterrent.

Tom Warren over at The Verge has the details of his own encounter with this latest trick.

UPDATE 2024Feb16: The Verge reports that Microsoft has quietly changed this behaviour in Edge, calling it a ‘bug’. Riiiiiiiight.

Edge, Microsoft, Things that are bad, User Interface (UI), Windows

Microsoft can’t stop bugging us about Edge

Leave a comment

They just can’t help themselves. Microsoft’s latest attempt to prevent Windows users from switching away from their browser of choice takes the form of a large panel that appears in Edge when you download another browser.

I suppose that as long as what they’re doing is legal, they’re just being pushy. Still, one could argue that they have an unfair advantage: the user has to use Edge to download another browser on Windows. But regardless of its legality, this behaviour is very annoying.

The Verge posted a useful summary of Microsoft’s recent attempts to steer Windows users away from other web browsers.

At least this latest intrusion seems like a sincere attempt to understand why many Windows users run Edge only to download a different browser. However, there are a few obvious answers missing from the poll:

  1. Edge won’t let me run an ad blocker or a script blocker (not actually true, but commonly believed).
  2. I hate Microsoft, and only use Windows grudgingly. I avoid Microsoft software as much as possible.
  3. I don’t trust Microsoft any more than I have to.
  4. Edge is just another way for Microsoft to shove ads down my throat.
  5. Edge doesn’t support the plugins I want to use.
  6. Windows is already more intrusive than I would like.
  7. I can’t really control how much Edge communicates with the Microsoft mothership.

And of course it could be much worse. Microsoft could nag you every time you start a non-Edge browser, when you start Windows, or even at random intervals. This latest nag screen only appears once, when you run Edge that first and only time you need it, to download a non-Edge browser.

What else will Microsoft try? Will they actually pay any attention to the results of this intrusive poll?

Dear Microsoft: if you want people to use Edge, try making it better than the other available browsers. You know, compete.

Microsoft, Things that are bad, Windows 10, Windows 11

Bug causes clock problems on Windows 10, 11, Windows Server

Leave a comment

A recently-discovered bug in newer versions of Windows is causing bizarre local time shifts.

Keeping accurate time on computers is important for a lot of reasons, many of which are not obvious to non-technical users. Update schedules, scheduled background tasks, synchronization with server and cloud resources, and many other time-sensitive processes depend on your PC maintaining accurate time.

Because it’s so important, and because various factors can sometimes cause a PC’s clock to drift, operating systems use a variety of methods to check and adjust it. The most obvious of these in Windows can be seen in Windows 10 and 11 in Settings > Time & Language. Windows regularly compares the PC’s clock with an Internet-based clock, such as time.windows.com. When a discrepancy is observed, the PC’s clock is updated.

Between a PC’s internal clock and Windows’ time synchronization, most Windows-based computers are able to maintain accurate time.

But at some point, someone at Microsoft decided that Windows needed additional time checks. So they created something called Secure Time Seeding. This function regularly analyzes secure network traffic from a ‘known good’ host computer, and calculates the current time based on what it sees.

Sounds good, right? Anything that makes the clock more accurate is good, right? Well, no. There’s at least one major problem with Secure Time Seeding, which causes it to get confused about the date and time, and can set your computer’s time based on random values. This has been observed to incorrectly change the Windows clock by minutes, hours, days, or more. As you can imagine, this causes all manner of strange problems.

Microsoft’s response to the report of this bug has been disappointing: they are downplaying its scope and effects. And while it’s true that there are very few reports of this happening, the problems it can cause are bad enough that anyone running Windows 10 and up or Windows Server 2016 and up should disable Secure Time Seeding.

To disable Secure Time Seeding on a Windows 10 or 11 PC, follow the instructions provided by Microsoft.

Trying to make sense of the actions and statements of a corporate behemoth like Microsoft is an exercise in futility. It’s possible that they will realize that this bug is actually very bad, and fix it, or they may find a way to limit its effects, or they may change the feature so that it’s disabled by default. But in the meantime, there are potentially millions of computers out there that might start exhibiting strange clock problems for the forseeable future.

Microsoft, Things that are bad, Windows

Microsoft’s empty promises

Leave a comment

I was just talking about a recent announcement from Microsoft, in which they assured the general public that their days of messing around with user settings and defaults on Windows were behind them.

In that post, Microsoft claimed that they are “reaffirming our long-standing approach to put people in control of their Windows PC experience”. Which I called out as baloney, since Microsoft has a long history of reverting user settings and defaults when it suits Microsoft.

That was on March 18. Yesterday, a mere six weeks later, The Verge reported that “Microsoft is forcing Outlook and Teams to open links in Edge”.

So this is Microsoft once again changing the way Windows works, to favour their own applications. I’m sure there are workarounds, but I’d be willing to bet that these workarounds will need to be reapplied after Windows updates.

Look, I understand that once a corporation gets to a certain size, it can be very difficult for one hand to know what the other is doing. But as I pointed out in my earlier post, Microsoft has engaged in these problematic behaviours for years. For them to a) claim that they’re innocent; b) “reaffirm their approach”; then c) keep right on doing this stuff… is incredibly annoying.

UPDATE: And the shenanigans continue. As of August 2023, Microsoft is showing annoying popups in Windows 11, urging users to switch to Bing for search. These things are appearing on top of games, presentations, and in other extremely inconvenient contexts. Come on, Microsoft, this is some serious bullshit.

UPDATE 2023Sep11: Ctrl.blog has additional details. It looks like Microsoft’s recent announcements about improving Windows’ behaviour were complete bullshit.

Microsoft, Windows

Microsoft frames long-overdue Windows changes as ‘reaffirming our long-standing approach’

1 Comment

Here are the first two paragraphs of a recent post on the Windows blog:

“Today we’re reaffirming our long-standing approach to put people in control of their Windows PC experience and to empower developers to take advantage of our open platform.

We want to ensure that people are in control of what gets pinned to their Desktop, their Start menu and their Taskbar as well as to be able to control their default applications such as their default browser through consistent, clear and trustworthy Windows provided system dialogs and settings.”

These changes are very welcome, and appear to resolve some particularly annoying Windows behaviours that users have been complaining about for decades.

But for Microsoft to frame these much-needed fixes as “we’ve always done this, and now we’re just making sure” is rather amusing. Come on guys, admitting mistakes is healthy. Are you saying these issues are new? Because they’re not. Are you saying you were unaware of these issues? I doubt that very much, because people have been complaining about them for years. No, this is just Microsoft public relations attempting to revise history.

What Microsoft is conveniently leaving out is that the worst offenses of this kind (reverting user settings, pinning and unpinning shortcuts, changing default applications, etc.) have always been committed by Microsoft. For example, Windows Update had a very annoying tendency to revert the default web browser to Internet Explorer.

Microsoft has of course run into legal trouble for some of these behaviours. It seems clear that reverting a user’s default web browser to a Microsoft browser in the process of updating the operating system is unfair to competitors. And Microsoft has been forced to stop doing some of those things.

Anyway, here’s hoping that Microsoft truly is committed, now, to avoiding such devious — and incredibly annoying — practices.

Boot13, Tools

ChatGPT: experiments in writing

Leave a comment

As I’m sure you’ve noticed by now, I’m using ChatGPT to generate some posts defining computing terms. I’m labeling them all clearly as generated text, but I’m also checking them carefully before posting.

Checking ChatGPT’s output is extremely important, because one can be lulled into believing that the program knows what it’s talking about. The text it generates always sounds authoritative, even when it’s horribly wrong. And it’s wrong more often that you might imagine.

Note: I’m not going to call ChatGPT an Artificial Intelligence (AI), because it’s nothing of the kind. It’s just a program that is able to generate believable-sounding text, regardless of its accuracy, based on analysis of a crapload of content written by humans. True AI will include this particular skill, just as it will include the ability to play chess, to generate art, to drive cars, to make quick decisions based on unpredictable circumstances, and many thousands more specific skills that humans possess.

A recent post at Futurism does a nice job of providing real-world examples of a mainstream news site (CNET) using ChatGPT to generate articles that sound fine, but include serious errors. In this case, the publisher did not initially identify the generated articles as being from ChatGPT, and while I can understand their reluctance, I think that was a bad call.

The risks of depending on ChatGPT are enumerated in this post from KnowBe4:

  • A big downside to ChatGPT is that its sources are unknown, meaning the creators themselves may not even know where the answers it produces come from. This often leads to incorrect information being given.
  • The concerning thing about this flaw is that the inaccuracies are tough to notice, especially because it sounds confident but can really be utter nonsense.
  • You cannot use ChatGPT to find out if text has been written by ChatGPT. There is no antidote.
  • It cannot detect scams. ChatGpt is a natural language processing tool that can answer questions and generate text based on the input it receives, but it does not have the ability to detect scams or other fraudulent activities.

Meanwhile, when I asked ChatGPT “Can ChatGPT’s writing be relied upon as accurate?” it responded as follows:

ChatGPT is a machine learning model and its accuracy is based on the data it was trained on. It can provide accurate information and responses to a wide range of questions and prompts, but it may not always be completely accurate or up-to-date. It’s always a good idea to verify any information provided by ChatGPT with additional sources.

Privacy, Security, Tools

Another breach at a password storage service: LastPass

Leave a comment

Using a password manager is still the best way to securely record all your passwords. This assumes that you are in fact using different passwords for every web site and service that require one. If you’re using the same password for everything, you are risking your privacy, financial security, and sanity.

So… which password manager should you use? Most of the major password management services (1Password, LastPass, etc.) store your passwords on their own servers, and there’s no question that this provides some benefits in terms of convenience, with the main one being that you can access your passwords from anywhere. You don’t have to back up your password data or copy it between devices; it’s maintained by the service provider and easily accessible via their web site.

But this convenience comes at a huge cost: the risk that your passwords will be compromised when the service provider experiences a security breach.

A recent breach at LastPass is, sadly, only the most recent example. In this case, the LastPass servers were compromised and attackers gained access to user data. The company first reported the breach in August 2022, but downplayed the impact on users. Their latest announcement finally provides the full story, and acknowledges that the attackers gained full access to user data, including encrypted passwords.

More about the breach from Bruce Schneier.

Although LastPass is to blame for the breach and compromised user data, passwords in the user data obtained by the attackers are all encrypted, and there’s no way to magically decrypt them without knowing the master passwords of individual users. However, that just means that the people who have the data will be using brute-force techniques to crack those passwords. For users whose master password is long and complex, it would take years–if not centuries–to crack, but if your master password is simple or commonly-used, all of your passwords are now known by these attackers.

Something for your to-do list: if you use LastPass, and your master password is easy to crack (check it here), you should immediately change ALL of your passwords.

In my opinion, you’re much better off using password management software that stores its data locally, on your own computer. Then you only need to worry about someone getting access to your computer, which you can actually control.

I’ve long recommended Password Corral for Windows users. It’s simple, secure, and free, and it stores its data locally only.

Other password managers that use only local storage include PasswordSafe, KeePassXC, and KeeWeb. Password managers that can be used with local storage include Roboform, and Sticky Password.

And remember that when you use a ‘cloud’ service, you’re just storing your data on a total stranger’s computer, which may or may not be managed and secured competently, and which you have basically no control over. Cloud stuff is convenient, but the risks of using it indiscriminantly are enormous.

Update 2023Sep11: Brian Krebs reports that password information obtained during this breach is being actively used by criminals to gain unauthorized access to various systems and services.

Cortana, Microsoft, Windows 10

Cortana

Some technologies seem always to be just around the corner. Every few years, people get excited all over again, about 3D media, virtual reality, voice assistants, hoverboards, self-driving cars, flying cars, artificial intelligence, and other things that always turn out to be more hype than anything else.

I started writing the post below about Cortana way back in 2015, but never published it. I can’t even remember why it never got published, but presumably I just lost interest, and figured everyone else would as well.

For a while there, my main interest in Cortana was the ways in which it was making work difficult for IT staff. My favourite example of that is shown in this video of someone prepping a room full of new computers with Windows 10.

Now, all the excitement about Cortana, along with Amazon’s Alexa, has almost completely disappeared. Cortana is still around in recent versions of Windows, but much of its functionality has been stripped away (and now it’s gone). Alexa is being similarly sidelined, and increasingly viewed as a failure.

Why are voice control tools like Cortana and Alexa failing?

  1. Talking to your computer is amusing for a while, but once the novelty wears off, one can’t help noticing that it’s just as easy (and in many cases much easier) to use your mouse and keyboard.
  2. Privacy issues. Computers are really good at making our lives easier. And that’s good. But some technologies, to be truly useful, need to know about us — a lot about us. The most obvious example is Internet advertising: unless you’re blocking ads and related scripts and cookies in your web browser, the ads you see are based on what advertising networks know — or think they know — about you. And that’s just one example. A lot of what makes modern computers useful is based on this tradeoff between privacy and convenience. Computer ‘assistants’ like Cortana and Alexa rely on what they learn about you to improve their effectiveness. And of course they’re always listening.

Anyway, here’s what I wrote back in 2015:

Cortana limitations

Having a computer you can talk to is one of those things that most of us associate with science fiction. Cortana is Microsoft’s attempt to make that fantasy real. The extent to which they have succeeded depends on your point of view. There are loads of examples of cool things Cortana can do in response to your questions and commands, but they still feel very limited to me. Not to put too fine a point on it, there are some things Cortana is good at, and others it is not. If your idea of talking to your computer is to find out the weather, the time, and stock prices, or set up appointments in your calendar, you might find Cortana quite useful. To my way of thinking, unless I can debate philosophy or sports with a computer, I’m not really interested in talking to it.

That said, there are plenty of examples of useful ways to use Cortana (find some). (Editor’s note: I never found any, although admittedly I didn’t look very hard. I assumed if someone found a killer app for Cortana, I’d hear about it.)

Cortana is also region-dependent and may not be available in your country. If that’s the case, and you happen to be an English speaker (which I can assume given that you’re reading this), you can make Cortana work by configuring the Windows region settings to the US. I’m in Canada, and I’ve been using the US English Cortana for a while, and it works fine. The main difference between the versions is the speech recognition database, so the Canadian version is going to be pretty much identical to the US version. There may be other small difference as well, such as units of measurement. If you do decide to tweak the region settings to use the US Cortana, keep in mind that this will affect other apps as well. For instance, your web browser may tell search engines that you’re in the US, and your search results may be regionally skewed as a result. Still, most apps are more likely to use your location than your computer’s region configuration when doing their thing.

There are other problems. In my tests, the ‘Hey, Cortana’ feature worked for a few days, then stopped responding. Disabling and re-enabling the feature didn’t help.

Cortana is a fun feature, and it’s likely that many of the current issues will be resolved in the near future. It’s worth looking at, and anyone with Windows 10 should probably try it, but it’s not something that should figure prominently in deciding whether to use Windows 10 at all.