Category Archives: Miscellany

Dark Mode Rant

What you see above is what I see after a few seconds of viewing a web site in ‘dark mode’.

Web sites are traditionally shown with dark text on a light background. Which is reminiscent of something… (checks notes)… that’s right, books! Why change something that’s worked fine for literally millennia? Apparently because a lot of people think light text on a dark background looks cool. And, to be fair, some people claim that using dark view is easier on their eyes.

So now we have a ton of web sites, apps, and other assorted crap showing up on our computer screens that is almost entirely illegible to a large proportion of the population (well, me for sure, and I’m guessing I’m not the only one).

When I look at white text on a dark background, after about five seconds, all the lines start to blur together (see image above), and I’m unable to continue. If I persist, I just end up with a headache. For the record, I’ve had my eyes checked, and aside from needing to update the prescription for my reading glasses, my eyes are fine.

Here are a few links to web sites that default to dark mode:

A request to web designers and developers: if you can’t resist making your web site dark mode by default, please, please at least provide some method for viewing it in light mode.

Some browsers have built-in features that allow viewing dark sites in light mode. But they’re inconsistent. Firefox has Reader View, which reformats a web page to show it like a book, with less clutter and — more importantly — dark text on a light background. Sadly, the Reader View button, which normally appears at the right end of the address bar, doesn’t always show up. That’s apparently because it’s only able to handle individual posts/articles, not other types of pages.

There are many Firefox plugins for showing web pages in dark mode, but initially I wasn’t able to find one that does the opposite. I had been struggling with a plugin called Dark Reader, which sort of worked, but only with a lot of fiddling, presumably because it was designed to do the opposite of what I want.

Recently, however, I discovered a Firefox plugin called Tranquility Reader. This one does exactly what I want, forcing page text to black and page background to white. So far, it’s worked perfectly on every page I’ve tried.

When installed in Firefox, Tranquility Reader adds an icon to Firefox’s toolbar. Click it once to view the current page as black text on a white background. Click it again to go back to the page’s default colour scheme. Simple!

If you ever find yourself struggling to read dark mode web pages, try Firefox with Tranquility Reader. It may save you from a headache or two.

What is a web browser, anyway?

For the uninitiated, computer jargon often seems unintelligible. The resulting confusion even allows technical support people to determine a customer’s level of understanding by observing the way they use (and mis-use) common terms.

The confusion is understandable. If someone uses their computer only for web browsing and email, and especially if their email client is web-based, the dividing lines between hardware and software, software and service, and local and remote data… tend to blur.

Mozilla, the folks who develop and maintain the web browser Firefox, recently published a useful guide that disentangles some important, common terminology: “What is the difference between the internet, browsers, search engines and websites?”

Anyone who’s ever wondered how a web browser is different from “the Internet” should read the article. There’s a good chance it will clarify things for you.

Windows 10 miscellany

Ed Bott noticed that the latest release of Windows 10 (1511) was mysteriously removed from availability via the Media Creation Tool. The new version can still be obtained through Windows Update. Microsoft’s explanation isn’t very helpful, and it’s rather annoying to system builders who missed the brief window during which release 1511 was available via MCT. Update #1: Ars Technica reports on the situation, noting that there are reports of serious problems with release 1511 when installed via the MCT. Update #2: Ars Technica confirms that upgrading via MCT was causing privacy settings to be reset to defaults. The problem has been fixed, and build 1511 is once again available via MCT.

Meanwhile, Microsoft apparently updated its privacy policy in response to concerns about information gathered and transmitted by Windows 10. Changes to the policy make it clear that Microsoft will only provide law enforcement access to your data on their servers, not data stored locally on your computer. Encryption keys are backed up to Microsoft servers, but Microsoft will not use them to decrypt disks or files on your computer. The collection of telemetry data cannot be disabled, but it can be limited so that only very basic data is collected, and none of it personal.

And finally, Microsoft has relented somewhat on its Windows 10 activation policy, allowing for legitimate installs using old, unused activation keys from Windows 7 or 8.

Security roundup for June 2015

What’s in a name?

ICANN is the non-profit organization that governs the basic naming system used on the Internet. Anyone who owns a domain name has an ongoing relationship (even if indirect) with ICANN. Unfortunately, there’s alarming evidence that ICANN is now being guided by corporate interests. Update 2015Jul08: this is a very real privacy threat.

ICANN wants to make it impossible for site owners to be anonymous. They insist that this will only apply to commercial sites, but the definition of commercial promises to be so vague that almost any site would qualify. Spammers will be rubbing their hands together in glee, since the information associated with domain registration is extremely valuable to them.

Free proxies: use with caution

Brian Krebs reports on recent research in which 443 free, open proxy services were tested, to determine whether they: a) support secure web traffic; b) maintain the privacy of user information; and c) modify user traffic in any way. Fully 79% of the tested proxies force web pages to load non-securely, which means that the service operator can see all their user traffic in unencrypted form. Sixteen percent of the services actively insert advertising into customer web traffic.

Recommendation: if you’re looking for a free proxy service, try to find one that allows secure (HTTPS) web traffic.

Why We Encrypt

Another insightful post from security expert Bruce Schneier explains why encryption is important, why it should be enabled by default, and why recent efforts to weaken encryption are a huge mistake.

Failure to encrypt

Researchers at AppBugs used their security software to detect flaws in the way apps encrypt Internet traffic, and the results are depressing. Over fifty Android applications – downloaded by millions of users – are using encryption incorrectly, or not at all. While some of these apps probably don’t transmit anything sensitive, many do, including several high profile apps from the NBA, Match.com, Safeway, and Pizza Hut.

New method for managing passwords

The free, open source Master Password simplifies the task of securely generating and storing secure, unique passwords. It does this without the need to store or access anything on the Internet; all you need is the app itself and a master password. The catch? You’ll have to generate and set new passwords for all the sites and services you use. Master Password is available for iPhone/iPad, Mac, Windows Desktop, Android, and on the web.

Steganography toolkit for malware

Steganography is a technique used to hide information inside otherwise harmless-looking image files. Security researchers have previously detected its use in hiding malware, but now they’ve discovered software that helps malware authors use the technique. Dell SecureWorks researchers recently analyzed Stegoloader’s capabilities. From their report:

“Stegoloader is stealthy in many aspects; it evades analysis tools and deploys only necessary modules, without writing them to disk. Although CTU researchers have not observed Stegoloader being used in targeted attacks, it has significant information stealing capabilities.”

The dangers of using secret questions for account recovery

Anyone who uses Internet-based services has seen them: ‘secret’ questions and answers you set up to facilitate password resets and account recovery. The idea is that the service can be sure you are who you say you are because you can correctly answer one or more of these questions. The problem is that this method has serious failings, as reported by Google researchers (PDF). The authors recommend using email-based, or – better still – SMS/text-based account recovery methods.

Testing your anti-malware solution

Is your anti-malware software working? Short of visiting a web site known to distribute malware, how can you be sure? One method involves a special string of text known as the EICAR test. Visit the EICAR web site and download a file containing the text; your anti-malware software should detect the text and identify it as the EICAR test. Alternatively, you can download Didier Stevens’ EICARGen software, which generates files containing the EICAR text. Depending on your anti-malware software’s configuration, the EICAR text may be detected when you attempt to download it, or when you write, read, or execute a file containing it. I currently use Avast, which by default detects EICAR when attempting to download it, and during full and explicit scans, but only detects EICAR in existing files when they are executed.
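To see at which stage your own scanner reacts, the following Python script (an added example, not part of the original post and not from EICAR or Didier Stevens) writes the EICAR text to a temporary file and reports whether it was blocked on write, removed afterwards, or blocked on read. The function name probe, the .com suffix and the three-second wait are assumptions made for this example; it does not test detection on download or on execution.

```python
import os
import tempfile
import time

# Standard 68-byte EICAR test string, assembled from pieces so this script
# is not itself flagged by a scanner while it sits on disk.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-"
         + "ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")


def probe(payload=EICAR, wait=3.0, directory=None):
    """Write payload to a temporary file and report where scanning stepped in.

    Returns "write", "removed" (deleted or altered), "read" or "not detected".
    """
    fd, path = tempfile.mkstemp(suffix=".com", dir=directory)
    try:
        try:
            with os.fdopen(fd, "wb") as fh:
                fh.write(payload)
        except OSError:
            return "write"          # blocked while the file was being written
        time.sleep(wait)            # give an on-access scanner time to react
        if not os.path.exists(path):
            return "removed"        # deleted or quarantined after the write
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except OSError:
            return "read"           # file still listed, but opening it is denied
        # Some products neutralise the file in place instead of deleting it.
        return "not detected" if data == payload else "removed"
    finally:
        try:
            os.remove(path)         # clean up if the scanner left the file behind
        except OSError:
            pass


if __name__ == "__main__":
    print("EICAR test file:", probe())
```

A result of "not detected" here does not mean the scanner is broken: as described above, some configurations only react on download or on execution.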

Analysis shows people are using stronger passwords

A recent post on Ars Technica provides an interesting look at the strength of passwords.

People seem to be getting the message about using strong passwords, because the worst passwords are being used less frequently. For example, the notoriously bad password ‘123456’ was used in less than 1% of the sample data, down from 8.5% in previous studies.

But while these findings are encouraging, it’s important to recognize that the data is likely skewed, because it is mostly obtained from public dumps of data taken from compromised systems.