Do The Right Things

A site devoted to discussing techniques that promote quality and ethical practices in software development.

Monday, February 12, 2018

Linux Foxit Reader - possibly leaking your document

I have been using Foxit Reader for Linux for a while and was using version in Mint 18.3 (64-bit) to read a PDF document.

All of a sudden several popup messages popped up, sometimes followed by several more.

How can someone comment on a document if they have not read it? Hence, according to this message box, it is clear that Foxit Reader surreptitiously uploads the user's document, without consent, to some cloud site to be shared. It is creepy.

This is a clear breach of privacy and I sincerely urge Foxit developers to investigate this serious matter.

Maybe this is caused by ConnectedPDF, something Linux users cannot turn off while Windows users can. At least the Foxit Cloud can be eradicated by deleting the entire fxplugs directory.

In the meantime I urge all Linux users of Foxit Reader to uninstall it to protect their privacy. If you do uninstall it, make sure you delete ~/.local/share/Foxit\ Reader, ~/opt/foxitreader, and ~/.config/Foxit\ Reader.

If you need a reader with the ability to annotate your PDF document, you can use Okular which is available in Canonical or your software manager.

Apart from leaking documents, Linux Foxit Reader is rather buggy - crashing randomly in different operations like annotating, printing, etc. Not only is its reader flaky, its forum is also very poorly implemented. I, a registered user, tried several times to post messages on this and so far I have yet to see any appear. It seems to behave like a trash can.

Saturday, December 16, 2017

uses your resource to perform in-browser mining code

I was shocked to see a prompt seeking my consent to run some calculation on my machine when I loosened my Tor Browser's security level using to reach another site.

Naturally that rings a bell that the "calculation" is referring to in-browser mining code.

So I set about examining the page and, through inspection and experimentation, identified that it is KProxy that is loading the in-browser mining code and not the target site, which happens to be

The in-browser mining code is not on the landing page of KProxy; it is only injected when you surf to the target site. Shame on you, KProxy, for not even stating that your users' resources could be used for mining purposes.

KProxy has 10 public servers and here is what they are loading:
Server 1, 2, 3, 10: https[:]//

Server 4, 5, 6, 7, 8, 9: https[:]//

The heading comment in authedmine.min.js declares that it will only run the in-browser mining code if you opt-in.

You be the judge if you can believe such a declaration. As for my money, stay away from KProxy, and if you are running "uBlock Origin" add these two domains to your filter to block them.

My Tor Browser is now reset to the maximum security.
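The comparison described above (inspecting the same page with and without the proxy to see which side loads the miner) can be automated. This is an added example, not code from the original post: the hostnames target.example and miner.example and both HTML samples are constructed placeholders, and it assumes the two copies were saved as HTML with script URLs left unrewritten by the proxy.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ScriptCollector(HTMLParser):
    """Collect the absolute URL of every <script src=...> in a page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.sources = set()

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.add(urljoin(self.base_url, src))


def script_sources(html, base_url):
    """Return the set of external script URLs referenced by the HTML."""
    collector = ScriptCollector(base_url)
    collector.feed(html)
    return collector.sources


def injected_scripts(direct_html, proxied_html, page_url):
    """Scripts present only in the proxied copy, as (url, is_third_party)."""
    page_host = urlparse(page_url).hostname
    extra = script_sources(proxied_html, page_url) - script_sources(direct_html, page_url)
    return sorted((url, urlparse(url).hostname != page_host) for url in extra)


# Constructed sample pages; target.example and miner.example are placeholders.
PAGE_URL = "https://target.example/article"
DIRECT = """<html><head><script src="/js/site.js"></script></head>
<body><p>Article</p></body></html>"""
PROXIED = """<html><head><script src="/js/site.js"></script>
<script src="https://miner.example/lib/authedmine.min.js"></script></head>
<body><p>Article</p></body></html>"""

if __name__ == "__main__":
    for url, third_party in injected_scripts(DIRECT, PROXIED, PAGE_URL):
        print(("third-party " if third_party else "same-site ") + url)
```

Only external scripts are compared; an inline script added in transit would need a separate diff of the script bodies.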

Tuesday, September 19, 2017

Advice from a long-time Skype user - It is time to ditch Microsoft Skype

Recently, a Skype user told me that when he tried to sign into his Skype account with his Android phone, he was pestered by Microsoft Skype, which detected that the mobile number on his SIM card was different from the number recorded in his account (it is a big mistake to be too complete in the profile) and demanded some form of verification. Of course it is different, as he was in an overseas country using a local SIM.

Now I have heard of 2 persons who have just returned to the US from an extended overseas stay being hassled and prevented from using Skype to convey their message of arrival. They were using Skype without trouble or hassle when they were overseas. They told me of their experience using Wire messenger.

As a long-time user - I used Skype when it was first developed and released, way before Microsoft acquired it - I am furious to hear of this kind of hassle.

Initially I thought they might have used a wrong version of Skype (Remember the stupid saga in Windows 8, Microsoft? When your Metro style Skype was half baked and everyone had to uninstall it and install the full-featured Desktop version).

I have always recommended Skype to others as a messenger that does not link to any mobile phone number, and it seems Microsoft has decided to impose a draconian imposition, as stated in their FAQ, to hassle their users by demanding this.

While Skype is a property of Microsoft and Microsoft can do all sorts of stupid things, Microsoft is reminded that the messenger space is full of competitors with more features than your aged product. Microsoft seems to be still living in the past when Skype was the only messenger. Now in fact Microsoft Skype is known as a laggard and not even in the race.

It is disappointing to see Microsoft decide to spend their time and energy implementing a childish Snapchat-style feature and then hassling their users, as if Microsoft wanted to drive them away to its competitors, which are numerous, by imposing all these ridiculous demands and acts of invasion of privacy.

I have yet to see a messenger asking for DOB, except now Skype, with the weakest excuse like "Microsoft Account requires your date of birth to give you the best experience". Please note the user's DOB is none of your business.

If you are being hassled by Microsoft Skype, then from this long-time Skype user comes something that I have found hard to say but that is driven by Microsoft's draconian imposition: switch to Wire or other messengers. It is time to ditch Microsoft Skype.

Wire does not ask you for DOB, does not link you to the mobile phone number in the SIM (the phone number is optional and can even be your land line), and definitely does not ask you all sorts of unnecessary and intrusive questions in the profile. In fact Wire does not have any profile at all.

Wire is open source and audited while Skype is closed source and no one has seen its code. You use Skype with a good dose of trust, something that I have found hard to award to Skype. Wire has end-to-end encryption while Skype does not publish what it does. Requiring your DOB is a clearly unnecessary invasion of privacy that Microsoft tries to hide behind some weak irrational excuses.

Don't waste your time meeting Microsoft Skype's unreasonable imposition; switch to Wire, Signal or other messengers with more features that are designed to be secure and private. I have already made the switch.

Sunday, September 3, 2017

Firefox Focus - simple effective way to stop auto-completion on entering URL

Firefox Focus running on Android & iOS is highly recommended to protect your online privacy. It is fast and safe.

However, there is one annoying feature (still there in version 1.3 Build #10 for Android) when entering the URL into the address field. After you have typed several letters, it attempts to offer suggestions and perform auto-completion for you. All the time it is producing gibberish, and then one has to use backspace to get rid of it and start again.

There is no setting to turn this off and people have reported this bug to Mozilla.

In the meantime, there is one simple effective way to stop this unintelligent auto-completion. To do this, before you enter the URL, type a space character first.

The space seems to stop Firefox Focus from trying to guess what you want to enter and you are then left alone entering the URL properly. Give that a try.

Wednesday, May 24, 2017

The way to suppress Mono's "WARNING: The runtime version supported by this application is unavailable"

Many people would have encountered the following dreaded Mono runtime warning,

WARNING: The runtime version supported by this application is unavailable.
Using default runtime: v4.0.30319

when one runs a console application in Mono.

This is caused by the fact that the machine running this program does not have the version of the framework used to build the program. The only version of the framework available on this machine is v4.0.30319.

Sadly this warning is written to stdout, so you can't redirect it elsewhere as you could if it were written to stderr.

The proper way to deal with this is to tell Mono that your application can also run in whatever version of the framework has been installed on the machine. To do so you simply add a <startup><supportedRuntime> element into the application configuration file. If your application does not have one, create one containing the following lines:

<?xml version="1.0" encoding="utf-8"?>
    <configuration>
        <startup>
            <supportedRuntime version="v2.0.50727"/>
            <supportedRuntime version="v4.0.30319" />
            <supportedRuntime version="v4.0"/>
        </startup>
    </configuration>

This config file also says that if you have the version 2 framework installed, it will use that, the one the application is built with. The order of the supportedRuntime elements is important.

With that, if only framework version 4.0.30319 is installed, your application will not cause that warning message. Of course, as a recommended practice you must also test your application in the framework that is NOT the one you use to build it, to ensure no subtle difference in behaviour creeps in.

Saturday, March 18, 2017

This is the way to add bi-weekly repeats into Samsung S Planner.

For some obscure reason that only Samsung's Android developers would know, it has never had the ability to define a bi-weekly or fortnightly repeating event, let alone a repeating task.

My latest NoteEdge (SM-N9150) running Android 6.0.1 still does not have it. In the process of finding a third party reminder app to supplement the deficiency in S Planner, I have discovered a very simple way to do this.

To allow you to define a custom repeat, you install the "To-Do Calendar Planner", which installs the isoTimer app on your handset.

When you start the isoTimer for the first time grant it permission to access your Calendar. You can deny it permission to your Contact just as I do.

Then you use the isoTimer's interface, albeit a bit unusual, to create an event or task, and to set a bi-weekly repeat use the "Repeat every X Days" option.

What this program does is to inject those repeats into the S Planner's Calendar. I am using a localised calendar as the default and that is where the isoTimer injects the repeat event/task into.

So it seems Samsung has stubbornly refused to implement a user interface to support bi-weekly repeats, which are, surprisingly, a very common requirement.

Now you have a simple way to overcome Samsung's deficiency.

Tuesday, November 22, 2016

Signal Messenger vs Wire Messenger - private voice communication

I am a frequent user of Signal but I met a situation where a friend, let's call him Bob, also a Signal user, wanted to talk with me using Signal. We could chat but we could not talk. I have no trouble having a voice conversation using Signal with other users on public Internet services. Attempts to connect to or from Bob always failed. He was using Signal in a campus network and I suspect the reason for these failures was that certain ports required for Signal calls to go through were being blocked. Bob also uses Skype and there is no problem striking up a crystal clear voice conversation with him using that.

So I am wondering whether other so-called private messengers supporting E2EE on voice calls will suffer from the same problem.

After waiting for Bob to upgrade from his old Android 4.0 machine, as an experiment he installed Wire Messenger, one that I also use, which shows great promise and for which I have great respect. This messenger also uses the Signal protocol to perform E2EE and it has far more features than Signal. However, it is not as widely known as Signal and definitely less so than WhatsApp.

Finally, Bob and I successfully managed to talk securely using Wire, protected by the Signal protocol, traversing the same tightly protected network. We've decided to give Signal a miss because the new phone is now a fully populated dual SIM, see comments below.

So if anyone is having trouble talking with Signal, give Wire a try; you can even test it using your web browser. For those not familiar with Wire, Wire has several great benefits that Signal and WhatsApp fail to offer:

✔ Works without depending on a SIM or phone number

Unlike Signal & WhatsApp, it uses an e-mail address as the identifier, with name and phone number as optional identifiers. These optional identifiers can be changed at will; the phone number you enter can be different from that in the SIM.

Moreover, the e-mail is only used during account registration for receiving the verification code. After that it is just a pure identifier, like the mobile number used in WhatsApp or Signal.

You can look up friends based on e-mail address, name, or number.

✔ Because of its independence from the SIM, its desktop version is a totally stand-alone program, unlike Signal and WhatsApp, whose desktop versions are appendages to their smartphone siblings.

✔ Because of that, you can run Wire totally from a web browser without having to establish an account on a smartphone. No need to install anything. It is a great bonus to be able to walk up to an airport kiosk and start chatting.

✔ Access to your phone's Contacts is totally optional because its primary identifier is the e-mail address and not phone number. However, if you grant it access to the Contacts, it can use the Contacts data to look up friends.

✔ Its obliviousness to the SIM is a great bonus for those operating a dual-SIM phone. Because it does not rely on the SIM, it can be used in a dual-SIM phone without the usual chaos associated with SIM-dependent messengers.

If you are in a situation with a dual-SIM phone, switch over to Wire and you can use the phone to the fullest rather than carrying two physical phones just to escape the madness.

✔ Because it does not care about the SIM, it is a great tool for travelers who like to use a local SIM. One does not have to do anything to continue the conversation.

✔ At the time of writing and testing (Signal 3.22.2 and Wire 2.22.298) Wire is the only one with encrypted video conferencing and file attachment.

❌ Since most private messengers use encryption, under various schemes, to provide content integrity and safety, the degree of a messenger's privacy is now measured based solely on how much metadata it retains, for how long, and for what purpose. Metadata are essential for the system to operate correctly. It is the system's retention policy for these data, or a portion of them, that affects its degree of privacy.

According to this measure, Signal ranks supreme as the ultimate private messenger. A recent grand jury demand in the US laid bare the amount of data retained by Signal - the date the user first registered and the last time the user contacted the system (it does not even record the participants of the conversation).

No messenger so far has ever published verifiable data to surpass Signal or even dared to challenge its supremacy. If you do not hold data, how can you be forced to hand over the data? It is the best defense against an authority demanding that data be handed over, as opposed to a data retainer's expensive court fight.

While Wire has declared what kind of metadata (Creator, Timestamp, Participants list, and Conversation name) it records, it has not declared the retention period or the purpose of retaining them. As can be demonstrated, Wire collects tons of data by comparison to Signal and as a result is less private and thus less secure than Signal.

In fairness, what Wire collects is probably small by comparison with, or typical of, what other messengers, such as WhatsApp, Wickr, etc., collect. At least Wire declares precisely what is being collected, albeit without explanation of the purpose, rather than giving some general non-specific statement like WhatsApp, which even attempted, but aborted, to share data with its master.

❌ Small user base.
This can be a bonus if you really want a private private messenger without being bombarded by tons of conversations. This is not a reflection of Wire's lack of technical excellence but more human inertia to change - a Network Effect. It also demonstrates the bulk of messenger users pay little attention to encryption and meta data retention.
