tag:blogger.com,1999:blog-31509016001525775992024-03-05T21:28:39.345+10:00Do The Right ThingsA site devoted to discussing techniques that promote quality and ethical practices in software development.L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.comBlogger328125tag:blogger.com,1999:blog-3150901600152577599.post-5559435522912175012020-03-02T00:57:00.001+10:002020-03-03T09:49:12.592+10:00How to deal with Windows 10 "Snip & Sketch" with LibreOffice WriterIn Windows 10, Microsoft since Windows 10 (1809) has introduced a new tool called "Snip & Sketch" Windows App (package name "<a data-noscript-removed-href="https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10?ranMID=43674&ranEAID=je6NUbpObpQ&ranSiteID=je6NUbpObpQ-.2fxZX9vcfFjQQ4s9B9RbA&epi=je6NUbpObpQ-.2fxZX9vcfFjQQ4s9B9RbA&irgwc=1&OCID=AID2000142_aff_7795_1243925&tduid=(ir__xdnzasmbcokftxgckk0sohz3xm2xlcnl2e9dc6mh00)(7795)(1243925)(je6NUbpObpQ-.2fxZX9vcfFjQQ4s9B9RbA)()&irclickid=_xdnzasmbcokftxgckk0sohz3xm2xlcnl2e9dc6mh00" href="http://microsoft./">Microsoft.</a><a data-noscript-removed-href="https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10?ranMID=43674&ranEAID=je6NUbpObpQ&ranSiteID=je6NUbpObpQ-.2fxZX9vcfFjQQ4s9B9RbA&epi=je6NUbpObpQ-.2fxZX9vcfFjQQ4s9B9RbA&irgwc=1&OCID=AID2000142_aff_7795_1243925&tduid=(ir__xdnzasmbcokftxgckk0sohz3xm2xlcnl2e9dc6mh00)(7795)(1243925)(je6NUbpObpQ-.2fxZX9vcfFjQQ4s9B9RbA)()&irclickid=_xdnzasmbcokftxgckk0sohz3xm2xlcnl2e9dc6mh00" href="https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10?ranMID=43674&ranEAID=je6NUbpObpQ&ranSiteID=je6NUbpObpQ-.2fxZX9vcfFjQQ4s9B9RbA&epi=je6NUbpObpQ-.2fxZX9vcfFjQQ4s9B9RbA&irgwc=1&OCID=AID2000142_aff_7795_1243925&tduid=(ir__xdnzasmbcokftxgckk0sohz3xm2xlcnl2e9dc6mh00)(7795)(1243925)(je6NUbpObpQ-.2fxZX9vcfFjQQ4s9B9RbA)()&irclickid=_xdnzasmbcokftxgckk0sohz3xm2xlcnl2e9dc6mh00">ScreenSketch</a>" intended to replace the trusty Snipping Tool (SnippingTool.exe).<br />
<br />
The Snip&Sketch can capture the screen (rectangle, free form, etc) like the SnippingTool, however the images it produces for some inexplicable reason cannot be pasted into a document with LibreOffice Writer. The Ctrl-V in LibreOffice does not work.<br />
<br />
There are two ways to invoke it:<br />
1) You can invoke it by launching (use the search) "Snip & Sketch" which is a Windows App. You can recognise it by its appearance once launched.<br />
2) Or you can press the Windows short cut key: <b>Windows Logo Key + Shift + S</b>, this launches the <b>Snipping bar</b><br />
<br />
If one uses Method 1) the captured image is inaccessible to LibreOffice Writer. I have experimented with AbiWord, KeepNote, and CherryTree, programs that can embed images into their document and they are all working fine.<br />
<br />
Only LibreOffice Writer (ver 6.1.63, 6.3.5, and 6.4.1.2 all running Windows 10 1903) is failing the test. With these versions of LibreOffice running in brand new laptops, old laptops and desktop, I cannot reproduce the <a href="https://ask.libreoffice.org/en/question/205775/for-a-couple-of-years-ive-used-windows-snipping-tool-to-capture-an-image-and-paste-it-into-libre-writer-ive-just-tried-the-new-snip-and-sketch-tool/">claimed effect</a> stated in LibreOffice site.<br />
<br />
Method 2) is the most reliable method as it works with Microsoft and LibreOffice Writer. When that short cut key is pressed, a small bar called <b>Snipping Bar</b> pops up on the top roll of the screen. With that the user can choose how to capture like the trusty SnippingTool.<br />
<br />
While the snipping bar does not have any menu item to indicate you can save the image, crop, or annotate etc, once an screen portion is captured, Windows will display a transient message window showing the captured part and informing the user that it has been sent to the clipboard.<br />
<br />
This transient window will then appear in the notification collection. If you are quick enough, you can click on that transient window to launch the "Snip & Sketch" App with the captured image embedded in it allowing you to do the "Sketch" or File save part.<br />
<br />
If you want to use the "Snip & Sketch" to annotate, crop, etc on the capture image and then paste that into LibreOffice Writer, here are the steps:<br />
1) Once you have completed the process with "Snip & Sketch", press the "Copy" icon just to be sure the right image is transferred to the clipboard<br />
2) Open MS Paint (paint), Paste the image to it.<br />
3) Use the Select tool (mostly I use Rectangular Selection) to select the part you want to paste into your document<br />
4) Then press the Copy (or Ctrl-C) to deposit it onto the clipboard.<br />
5) Switch to your tool that you want to paste the image and press Paste (or Ctrl-V).<br />
<br />
There is no need to involve saving to file. It is already clumsy enough. <br />
<br />
It seems the fault is in LibreOffice Writer.<br />
<br />
<br />
<br />L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-18596597113426505602018-02-12T15:19:00.000+10:002018-02-12T15:19:33.391+10:00Linux Foxit Reader - possible leaking your documentI have been using Foxit Reader for Linux for a while and was using version 2.4.0.14978 in Mint 18.3 (64-bits) to read a PDF document.<br />
<br />
All of a sudden several popup messages, like this:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijKBZ7sRErJnURI5I8_v4EC50W22Tqvatua1MT61ALoKnZhy21_7m-vfZULi0k1Xr_kLeGqG-vE4hCxMPjxh5XEigU44NvPQjGP14PO8pxBDTImUisj7Suni4aviWGK4GiEYhQvMm8-A1b/s1600/FoxitReaderBreach.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="118" data-original-width="241" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijKBZ7sRErJnURI5I8_v4EC50W22Tqvatua1MT61ALoKnZhy21_7m-vfZULi0k1Xr_kLeGqG-vE4hCxMPjxh5XEigU44NvPQjGP14PO8pxBDTImUisj7Suni4aviWGK4GiEYhQvMm8-A1b/s400/FoxitReaderBreach.JPG" width="400" /></a></div>
popped up and some time followed by several more like this.<br />
<br />
How can someone comments on a document if they have not read it and hence according to this message box, it is clear that Foxit Reader surreptitiously upload the user's document without consent to some cloud site to be shared. It is creepy.<br />
<br />
This is a clear breach of privacy and I sincerely urge Foxit developers to investigate this serious matter.<br />
<br />
May be this is caused by ConnectedPDF, something Linux users cannot turn off while the Windows version can. At least the Foxit Cloud can be eradicated by deleing the entire fxplugs directory.<br />
<br />
In the mean time I urge all Linux users of Foxit Reader to uninstall it to protect your privacy. If you do uninstall it, make sure you delete ~/.local/share/Foxit\ Reader, ~/opt/foxitreader, and ~/.config/Foxit\ Reader.<br />
<br />
If you need a reader with the ability to annotate your PDF document, you can use <a href="https://www.kde.org/applications/graphics/okular/">Okular</a> which is available in Canonical or your software manager.<br />
<br />
Apart from leaking document, Linux Foxit Reader is rather buggy - crashing randomly in different operations like annotating, printing, etc. Not only its reader is flaky, its forum is also very poorly implemented. I, a registered user, tried several times to post messages on this and so far I have yet seen any appearing. It seems to behave like a trash can.<br />
<br />L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-79359086649128605942017-12-16T00:53:00.003+10:002017-12-16T00:53:40.254+10:00www.kproxy.com uses your resource to perform in-browser mining codeI was shock to see a prompt seeking my consent to run some calculation in my machine when I loosen my Tor Browser's security level using www.kproxy.com to reach another site.<br />
<br />
Naturally that rings a bell that the "calculation" is referring to in-browser mining code.<br />
<br />
So I set about to examine the page and through inspection and experimentation to identify that it is KProxy that is loading the in-browser mining code and not the target site, which happens to be https://www.google.com<br />
<br />
The in-browser minining code is not on the landing page of KProxy and they are only injected when you surf to the target site. Shame on you KProxy for not even stating that your user's resources could be used for mining purposes.<br />
<br />
KProxy has 10 public servers and here are what they are loading:<br />
Server 1, 2, 3, 10: https[:]//coinhive.com/lib/coinhive.min.js<br />
<br />
Server 4, 5, 6, 7, 8, 9: https[:]//authedmine.com/lib/authedmine.min.js <br />
<br />
The heading comment in authedmine.min.js declares that it will only run the in-browser mining code if you opt-in.<br />
<br />
You be the judge if you can believe such declaration. As for my money, stay away from KProxy and if you are running "uBlock Origin" add these two domains into your filter to block them.<br />
<br />
My Tor Browser is now reset to the maximum security.L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-23671748460408680552017-09-19T21:44:00.000+10:002017-09-19T21:44:15.841+10:00An advice from a long time Skype user - It is time to ditch Microsoft SkypeRecently, a Skype user told me that when he tried to sign into his Skype account with his Android phone, he was pestered by Microsoft Skype that detected his mobile number on his SIM card was different from the number he recorded in his account (It is a big mistake for being too complete in the profile) and demanding some form of verification. Of course it is different as he was in some overseas country using their local SIM.<br />
<br />
Now I have heard of 2 persons who have just returned to US from an extended overseas stay being hassled preventing them to use Skype to convey their message of arrival. They were using Skype without trouble or hassle when they were overseas. They told me their experience using <a href="https://wire.com/">Wire messenger</a>.<br />
<br />
As a long time user - I used Skype it was first developed and released and way way before Microsoft has acquired it - I am furious to hear this kind of hassle.<br />
<br />
Initially I thought they might have used a wrong version of Skype (Remember Microsoft the stupid saga in Windows 8? When your Metro style Skype was half baked while everyone had to uninstall it and install the full-feature Desktop version).<br />
<br />
I have always recommend Skype to others as a messenger that does not link to any mobile phone numbers and it seems Microsoft has decided to impose draconian imposition as stated in their <a href="https://support.skype.com/en/faq/FA34713/faq-and-known-issues-with-the-new-skype">FAQ</a> to hassle their users demanding this.<br />
<br />
While Skype is a property of Microsoft and Microsoft can do all sort of stupid things, Microsoft is reminded that the messengers space is full of competitors with more features than your aged product. Microsoft seems to still living in the past when Skype was the only messenger. Now in fact Microsoft Skype is known as a laggard and not even in the race.<br />
<br />
It is disappointing to see Microsoft decides to spend their time and energy to implement childish snapchat style feature and then hassling their user as if Microsoft wanting to drive them away to its competitors, which are numerous, by imposing all these ridiculous demand and act of invasion of privacy.<br />
<br />
I have yet seen a messenger asking for DOB except now Skype with the weakest excuse like "<i>Microsoft Account requires your date of birth to give you the best experience</i>" Please note the user's DOB is none of your business.<br />
<br />
If you are being hassled by Microsoft Skype, from this long time Skype users something that I have found hard to say but is driven by Microsoft's draconian imposition,<b> switch to <a href="https://wire.com/">Wire</a> or other messengers. It is time to ditch Microsoft Skype.</b><br />
<br />
Wire does not ask you for DOB, does not link you to the mobile phone number in the SIM (phone number is optional can even be your land line), and definitely do not ask you all sort of unnecessary and intrusive questions in the profile. In fact <b>Wire does not have any profile at all</b>.<br />
<br />
Wire is open source and audited while Skype is close source and no one has seen its code. You use Skype with a good dose of trust, something that I have found hard to award to Skype. Wire has end to end encryption while Skype does not publish what it does. Requiring your DOB is a clear unnecessary invasion of privacy that Microsoft tries to hide behind some weak irrational excuses.<br />
<br />
Don't waste your time with meeting Microsoft Skype's unreasonable imposition, switch to <a href="https://wire.com/">Wire</a>, <a href="https://signal.org/">Signal</a> or other more features messengers that are designed to be secure and private. I have already done the switch.<br />
<br />
<br />
<br />
<br />L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-33294032265761064022017-09-03T22:47:00.001+10:002017-09-03T22:47:26.690+10:00Firefox Focus - simple effective way to stop auto-completion on entering URL<a href="https://www.mozilla.org/en-US/firefox/focus/">Firefox Focus</a> running on Android & iOS is highly recommended to protect your online privacy. It is fast and safe.<br />
<br />
However, there is one annoying feature (still there in version 1.3 Build #10 for Android) when entering the URL into the address field. After you have type several alphabets, it then attempts to offer suggestion and perform auto-completion for you. All the time it is producing gibberish and then one has to use backspace to get rid of it and to start again.<br />
<br />
There is no settings to turn this off and <a href="https://www.reddit.com/r/firefox/comments/6h37ls/firefox_focus_ios_autocompletes_url_even_though/">people have reported this bugs to Mozilla</a>.<br />
<br />
In the meantime, there is one simple effective way to stop this unintelligent auto-completion. To do this, before you enter the URL, type a space character first.<br />
<br />
The space seems to stop Firefox Focus from trying to guess what you want to enter and you are then left alone entering the URL properly. Give that a try.<br />
<br />
<br />
<br />L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-27464206301063523402017-05-24T22:05:00.001+10:002017-05-24T22:05:41.466+10:00The way to suppress Mono's "WARNING: The runtime version supported by this application is unavailable"Many people would have encountered following dreaded Mono runtime warning, <br />
<br />
<i>WARNING: The runtime version supported by this application is unavailable.<br />Using default runtime: v4.0.30319</i><br />
<br />
when one runs a console application in Mono.<br />
<br />
This is caused by the fact that machine running this program does not have the version of the framework used to build the program. The only version of the framework available in this machine is v4.0.30319.<br />
<br />
Sadly this warning is written to stdout and hence you can't redirect it to elsewhere if that were written to stderr.<br />
<br />
The proper way to deal with this is to tell Mono that your application can also run in whatever version of the framework it has been installed in the machine. To do so you simply add a <startup><supportedRuntime> element into the application configuration file. If your application does not have one, create one containing the following lines:<br />
<br />
<?xml version="1.0" encoding="utf-8"?><br /><configuration><br /> <startup><br /> <supportedRuntime version="v2.0.50727"/> <br /> <supportedRuntime version="v4.0.30319" /><br /> <supportedRuntime version="v4.0"/> <br /> </startup> <br /></configuration><br /><br />
This config file also says that if you have version 2 framework installed, it will use that, the one the application is built. The order of the supportedRuntime elements are important.<br />
<br />
With that if the only framework version 4.0.30319 is installed, your application will not cause that warning message. Of course as a recommended practice you must also test your application in the framework that is NOT the one you use to build it to ensure no subtle difference in reaction creeps in.<br />
<br />L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-19996543463447394932017-03-18T21:56:00.000+10:002017-03-18T21:56:50.444+10:00This is the way to add bi-weekly repeats into Samsung S Planner.For some obscure reason that only Samsung's Android developers would know, it <a href="https://do-the-right-things.blogspot.com.au/2012/10/android-smartphone-cannot-create-bi.html">has never have the ability to define bi-weekly or fortnightly repeat</a> event or let along repeating task.<br />
<br />
My latest NoteEdge (SM-N9150) running Android 6.0.1 still does not have it. In the process of finding a third party reminder app to supplement the deficiency in S Planner, I have discovered a very simple way to do this.<br />
<br />
To allow you to define custom repeat, you install the <a href="https://play.google.com/store/apps/details?id=com.timleg.egoTimerLight&hl=en">"To-Do Calendar Planner"</a> which install the isoTimer app into your handset.<br />
<br />
When you start the isoTimer for the first time grant it permission to access your Calendar. You can deny it permission to your Contact just as I do.<br />
<br />
Then you use the isoTimer's interface, albeit a bit unusual, to create an event or task and to set bi-weekly repeat use the "Repeat every X Days" option. <br />
<br />
What this program does is to inject those repeats into the S Planner's Calendar. I am using a localised calendar as the default and that is where the isoTimer injects the repeat event/task into.<br />
<br />
So it seems Samsung has stubbornly refused to implement an user interface to support bi-weekly repeat, which is surprisingly a very common requirement.<br />
<br />
Now you have a simple way to overcome Samsung's deficiency.L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-72705338476879373552016-11-22T17:14:00.000+10:002016-11-22T17:14:03.871+10:00Signal Messenger vs Wire Messenger - private voice communicationI am a frequent user of Signal but I met a situation where a friend, let's call this Bob, also a Signal user, wanting to talk with me using Signal. We could chat but we could not talk to him. I have no trouble with have a voice conversation using Signal with other users using public Internet services. Attempts to connect to or from Bob always fail. He was using Signal in a campus network and I suspect the reason for these failure was due to <a href="http://support.whispersystems.org/hc/en-us/articles/213697218-Which-TCP-UDP-ports-need-to-be-available-">certain ports required by Signal calls</a> to go through being been blocked. Bob also uses Skype and there is no problem of striking up a crystal clear voice conversation with him using that.<br />
<br />
So I am wondering whether other so called private messengers supporting E2EE on voice call will suffer from the same problem?<br />
<br />
After waiting for Bob to upgrade his Android machine from his old Android 4.0 machine, as an experiment he installed <a href="https://wire.com/">Wire Messenger</a>, one that I also use, showing great promises, and I have great respect for it. This messenger also uses the Signal protocol to perform E2EE and it has far more features than Signal. However, it is not as widely known as Signal and definitely less than WhatsApp.<br />
<br />
Finally, Bob and I successfully managed to talk securely using Wire protected by Signal protocol transversing the same tightly protected network. We've decided to give Signal a miss because the new phone is now a full populated due SIM, see comments below.<br />
<br />
So if anyone having trouble talking with Signal, give Wire a try and you even can test it using your web browser. For those not familiar with Wire, Wire has several great benefits that Signal and WhatsApp fail to offer:<br />
<br />
<b><u>Benefits</u></b><br />
✔ Work without dependent of SIM or phone number<br /><br />Unlike Signal & WhatsApp, it uses an e-mail address as the identifier with name and phone number as optional identifiers. These optional identifiers can be change at will; the phone number you enter can be different from that in the SIM.<br /><br /> Moreover, the e-mail is only used during account registration for receiving the verification code. After that it is just a pure identifier, like the mobile number used in WhatsApp or Signal.<br /><br /> You can look up friends base on e-mail address, name, or number. <br /><br />
✔ Because of its independence on SIM, its desktop version is a totally stand alone program, unlike Signal and WhatsApp where theirs are appendages to their smart phone siblings.<br />
<br />
✔ Because of that, you can run Wire totally from a web browser without having to establish an account in a smart phone. No need to install anything. It is a great bonus for being able to walk up to the airport kiosk and start chatting.<br />
<br />
✔ Access to your phone's Contacts is totally optional because its primary identifier is the e-mail address and not phone number. However, if you grant it access to the Contacts, it can use the Contacts data to look up friends.<br />
<br />
✔ Its oblivion of a SIM is a great bonus for those operating a dual-SIM phone. Because it does not rely on the SIM, it can be used in a dual-SIM phone without the usual chaos associated with SIM dependent messengers.<br />
<br />
If you are in a situation with a dual SIM phone, switch over to Wire and you can use the phone to the fullest rather than carrying two phyiscal phones just to escape the madness.<br />
<br />
✔ Because it does not care about the SIM, it is a great tool for travelers who likes to use local SIM. One does not have to do anything to continue the conversation.<br />
<br />
✔ At the time of writing and testing (Signal 3.22.2 and Wire 2.22.298) Wire is the only one with encrypted video conferencing and file attachment.<br />
<br />
<u><b>Disadvantages</b></u><br />
❌ Since most private messengers use encryption using various schemes to provide content integrity and safest, the degree of its privacy is now measured based solely on how much meta data the messenger retains, for how long and its purpose. Meta data are essential for the system to operate correctly. It is the system retention policy of these data or portion of them that have effect on its degree of privacy.<br />
<br />
According to this measure, Signal ranks supreme and as the ultimate private messenger. A recent <a href="https://whispersystems.org/bigbrother/eastern-virginia-grand-jury/">grand jury demand in US</a> lay bare the amount of data retained by Signal - the date the user first registered and the last time the user contacted the system (it does not even record the participant of the conversation).<br />
<br />
No messenger so far has ever published verifiable data to surpass Signal or even dare to challenge its supremacy. If you do not hold data how can one be forced to hand over the data? The best defense against authority demanding to hand over data as <a href="http://www.digitaltrends.com/mobile/whatsapp-brazil-6-million-facebook-cash-frozen-1467391510-2/">opposed to data retainer's expensive court fight</a>.<br />
<br />
While Wire has declared <a href="https://wire.com/resource/Wire%20Privacy%20Whitepaper/download/">what kind of meta data</a> (Creator, Timestamp, Participants list, and Conversation name) it records, it has not declared the retention period and the purpose of retaining them. As can be demonstrated, Wire collects tons of data by comparison to Signal and <b>as a result less private and thus secure than Signal</b>.<br />
<br />
In fairness, what Wire collects is probably small by comparison or typical of what other messengers, such as WhatsApp, <a href="https://www.wickr.com/">Wickr</a>, etc, collect. At least Wire declares precisely what are being collected without explanation of the purpose rather than some general <a href="https://www.inverse.com/article/13839-here-s-the-information-that-whatsapp-doesn-t-encrypt">non-specific statement from WhatsApp</a>, who even <a href="https://techcrunch.com/2016/09/30/whatsapps-privacy-u-turn-on-sharing-data-with-facebook-draws-more-heat-in-europe/">attempts, but aborted, to share data with its master</a>.<br />
<br />
❌ Small user base.<br />
This can be a bonus if you really want a private private messenger without being bombarded by tons of conversations. This is not a reflection of Wire's lack of technical excellence but more human inertia to change - a Network Effect. It also demonstrates the bulk of messenger users pay little attention to encryption and meta data retention.<br />
<br />
<br />L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-69971983824879983252016-08-22T20:21:00.000+10:002016-08-22T20:21:56.481+10:00Remove Nagware from Foxit Reader (Linux) version 2.1.0805It is disappointing to see a perfectly good, useful, and feature rich PDF viewer damaging its reputation by engaging nagware in the <a href="https://www.foxitsoftware.com/downloads/">latest version</a> of Foxit Reader for Linux.<br />
<br />
The nagware is very persistent trying to force user to use <a href="https://www.connectedpdf.com/">ConnectedPDF</a> every time one launches Foxit Reader. There is no way to tell it to stop pestering me.<br />
<br />
Furthermore, in the preference dialog box, the settings for ConnectedPDF fails (possibly deliberately) to remember my change in the setting for "Use ConnectedPDF Format". I unchecked the "Automatically save PDF files in ConnectedPDF format" but the dialog box failed to record my change. <br />
<br />
If you are annoyed by this nagware or pester-ware and have no intention of using ConnectedPdf, you can get rid of it easily.<br />
<br />
Just go to the foxit reader's installation directory, typically in <b>~/opt/foxitsoftware/foxitreader</b>, and either rename or delete the <b>fxplugins</b> folder to summarily dismiss the pesterware. You may have to elevate your privilege in order to accomplish that. Once this is done, you will not see the nagware again. Peace at last.<br />
<br />
Shame on you Foxit and that is a good way to drive away users.L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com1tag:blogger.com,1999:blog-3150901600152577599.post-3190917090158017422016-05-21T00:13:00.001+10:002016-05-21T00:13:34.319+10:00Dumb algorithm in Yahoo Mail is a laughing stockI tried to send an e-mail to a Yahoo mail recipient warning him about not to use the e-mail account's password as the password when registering on site that asks him for his e-mail address. I cited the case of <a href="https://krebsonsecurity.com/2016/05/as-scope-of-2012-breach-expands-linkedin-to-again-reset-passwords-for-some-users/">LinkedIn</a>. I told him site other than his e-mail account has no right to know his e-mail account's password.<br />
<br />
The e-mail was blocked with the "<a href="https://help.yahoo.com/kb/SLN4781.html">554 Message not allowed - [298]</a>" and Yahoo is the only mail server blocking that message as the other recipients in other mail services have no problem. Clearly their services are smarter than dumb Yahoo.<br />
<br />
Not deter and to demonstrate how easy to by-pass Yahoo's so-called algorithm and automatic scanning of the mail content to block offending materials, I simply use the Windows' Snipping tool to convert the content to a bitmap and embedded that into the content of the message.<br />
<br />
The exact content is preserved and the dumb Yahoo algorithm is by-passed!! If it was objectionable to Yahoo, the same objectionable content is being waved past as it totally lacks any intelligent. It is not even steganography.<br />
<br />
What Yahoo has done is nothing but a theatrical. What a joke their implementation is. L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-26546989367299683862016-03-29T13:24:00.003+10:002016-03-29T13:24:36.242+10:00Which of the 10 URL Shorteners are not hostile to Tor?I examine <a href="http://webtrends.about.com/od/twitter/tp/Shorten-Links-Url-Shorteners.htm">10 URL Shortener Services</a> one by one to evaluate its hostility towards Tor Browser.<br />
<br />
Those that put road blocks in the way such as using CAPTCHA or other techniques are classified as hostile services. Another requirement is that it should also operate properly in Android's <a href="https://play.google.com/store/apps/details?id=info.guardianproject.orfox&hl=en">Orfox</a>, the Android's kind of equivalent to Tor Browser.<br />
<br />
If it works in laptop/desktop Tor Browser and not in Orfox, it is still classified as hostile. Any service that requires log in etc. even though not presenting any hostility road blocks is placed in the "Useless" category. Too much trouble.<br />
<br />
Tor Browser users should black list those hostile services as they do not possess any uniqueness as the review below shows there are friendly alternatives. In that way the Tor community can deny them of visits and advertising dollars, much like AdBlock Plus.<br />
<br />
Tor users can refer to this <a href="https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor">Tor Project sites</a> for more comprehensive list of Tor hostile sites.<br />
<br />
Only 5 out of 10 are Tor friendly. Naturally Google is one of the hostile one.<br />
<b></b><br />
<h3>
<b>Tor Friendly site</b></h3>
<a href="https://bitly.com/">Bitly</a><br />
In Orfox, one needs to add cloudfront.net and Googleapis.com to NoScript's whitelist.<br />
<br />
<a href="http://tinyurl.com/">TinyURL</a><a href="http://tinyurl.com/">.</a><a href="http://tinyurl.com/">com</a><a href="http://tinyurl.com/"> </a><br />
There are times that this site demands CAPTCHA validation and need more experiment to determine its friendliness.<br />
<br />
<a href="http://adf.ly/">AdF</a><a href="http://adf.ly/">.</a><a href="http://adf.ly/">ly</a><a href="http://adf.ly/"> </a><br />
One needs to add this to the whitelist in the NoScript in Orfox.<br />
<br />
<a href="http://bit.do/">Bit.do </a><br />
<br />
<a href="http://mcaf.ee/">Mcaf</a><a href="http://mcaf.ee/">.</a><a href="http://mcaf.ee/">ee</a><a href="http://mcaf.ee/"> </a><br />
Given this is in beta, it loads slowly but still works in a no-nonsense manner. Hope it will not be hostile to Tor as it matures.<br />
<br />
<b></b><br />
<h3>
<b>
Hostile Services</b></h3>
<b>
</b><a href="http://goo.gl/">Goo.</a><a href="http://goo.gl/">gl</a><br />
<br />
<a href="http://ow.ly/">Ow</a><a href="http://ow.ly/">.</a><a href="http://ow.ly/">ly</a><a href="http://ow.ly/"> </a><br />
<br />
<a href="http://is.gd/">Is.</a><a href="http://is.gd/">gd</a><a href="http://is.gd/"> </a><br />
<b></b><br />
<h3>
<b>
Useless</b></h3>
<b>
</b><a href="http://is.gd/">Is.</a><a href="http://is.gd/">gd</a><a href="http://is.gd/"> </a><br />
<br />
<a href="http://x.co/">X.co </a><br />
<br />L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-55970158902778676702016-03-14T17:14:00.001+10:002016-03-14T17:14:33.165+10:00Way to by pass Tor Browser hostile web sitesIt is really a form of anti-Net Neutrality for web sites, most notably web hosting sites like CloudFlare, to <a href="http://arstechnica.com/tech-policy/2016/02/some-websites-turning-law-abiding-tor-users-into-second-class-citizens/">discriminate Tor Browser users</a> by putting all sort of childish barrier in an attempt to prevent Tor Browser users from gaining access to the materials.<br />
<br />
Perhaps by comparison, CloudFlare is not as anti-Tor as <a href="http://arstechnica.com/tech-policy/2016/02/some-websites-turning-law-abiding-tor-users-into-second-class-citizens/">Akamai which simply greeds Tor users with 404</a>.<br />
<br />
It is an easy way out to treat all Tor Browser users in the same boat as those using the tool to abuse the system. If that kind of thinking prevails, may be we should all shut down the Internet as not a day gone by without seeing an attack being carried out on the Internet. Any other way would require intelligence that they have not got and it is also a good sales material of telling their customers that they could block all those abusers using Tor.<br />
<br />
Thankfully, there is a way to get past playing their childish game. I simply route the access through <a href="https://ixquick.com/proxy/eng/help.html">Start Page's proxy</a> from Tor Browser. Just do a search on the link from Tor Browser and then uses the proxy to access it.<br />
<br />
<br />
<br />L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-2171124597809509682016-02-05T00:11:00.000+10:002016-02-05T00:11:22.101+10:00Lenovo SHAREit - turning a useful program into a useless oneI once enjoyed using <a href="http://shareit.lenovo.com/">Lenovo's SHAREit program</a> on my <a href="https://play.google.com/store/apps/details?id=com.lenovo.anyshare.gps&hl=en">Android phone</a> and pairing it with the one that came with my Lenovo laptop and have been recommending it to others. <br />
<br />
This was in the day of ver 2.x of this program. That version was not only functional but also lacking any of the fancy stuff. It worked wonderfully.<br />
<br />
Like many software, Lenovo changed all that in version 3. Instead of letting the program running on the devices scanning for compatible ones, its only option offered to connect to the PC is to use the camera to look for a QR code from the laptop's version of SHAREit.<br />
<br />
Surely just because there is a camera in the phone, you don't really have to use it in preference to a workable solution in ver 2. To work with version 3, even though all other facilities on the Android phone and laptop are unchanged, users have to do a version 3 upgrade.<br />
<br />
It is not hard to find it and after I installed the version 3, it popped up the EULA and unless I allowed this program to suck up my personal and usage information and hauling it back to Lenovo, I could not use it.<br />
<br />
So I treasure my information more than SHAREit and hence without hesitation I hit the decline button and so be it. I highly recommend everyone to do so as I am offering you a much less surveil method.<br />
<br />
So disgust with Lenovo's SHAREit, I summarily uninstalled it from my laptop and all the Android phones I have. Good bye SHAREit with pleasure. <br />
<br />
If your laptop and phone have bluetooth, why not put that into good use and you can follow this <a href="http://thetechterminus.com/receive-a-file-via-bluetooth/">well written instructions to use it</a>.<br />
<br />
The best way to send file from the Android phone to the paired device is to use the share facility.<br />
<br />
I encourage any user of SHAREit to uninstall it as it only puts a glossy veneer on top of facilities already there with the aim to capture your data.<br />
<br />
If all else fail, the USB cable is just as good and one does not have to submit to Lenovo's unreasonable demand.L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-47250800872249462562015-12-15T21:45:00.001+10:002015-12-15T21:45:36.143+10:00Is building a better mouse trap (Signal Private Messenger) enough to win market shares?
I am please to see the release of Signal Private Messenger <a href="https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms&hl=en">for Android</a> and <a href="https://itunes.apple.com/us/app/signal-private-messenger/id874139669?mt=8">iOS</a>, a messaging application that has earned full marks in the <a href="https://www.eff.org/secure-messaging-scorecard">EFF</a><a href="https://www.eff.org/secure-messaging-scorecard"> security score sheet</a>. I am a fan of this product and I like it very much for the following reasons:<br />
<ul>
<li>It is an open-source project offering the service for free. WhatsApp is <a href="https://www.whatsapp.com/faq/en/iphone/30060258">not a free</a>.</li>
</ul>
<ul>
<li>As a result, it can be reviewed by anyone capable of doing it while WhatsApp is proprietary, even though it claims to be <a href="https://whispersystems.org/blog/whatsapp/">underpinning by Open Whisper Systems</a> but no one has reviewed that. <a href="http://arstechnica.com/tech-policy/2015/06/intercepted-whatsapp-messages-led-to-belgian-terror-arrests/">Recent event</a> has indicated that WhatsApp messages have been intercepted and decoded.</li>
</ul>
<ul>
<li>It is not owned by any company while WhatsApp is owned by Facebook, Skype by Microsoft. Thus all metadata in WhatsApp and Skype belongs to Facebook or Microsoft respectively.</li>
</ul>
<br />According to well-known security researchers, <a href="https://www.schneier.com/blog/archives/2015/11/testing_the_usa.html">Bruce </a><a href="https://www.schneier.com/blog/archives/2015/11/testing_the_usa.html">Schneier</a> and <a href="https://whispersystems.org/">Matt Green</a>, Signal is developed to a very high quality to provide end-to-end encryption (E2E) not only for messaging but also for voice and their endorsement must mean something.<br /><br />I am not here to raise doubt of this product which I am using admittedly with very limited users to interact with and I have great trust. I hope it will do well.<br />
<br />
But I am here to question whether it is enough to rely on technical superiority which is so well hidden from the users to induce them to switch to Signal and to grow its market shares. That's is: is building a smarter (more secure) mouse trap enough to win market shares? Other class of software such as web browser, anti-virus, media player, or mail client can draw people to switch based of superiority of features.<br /><br />Looking at the landscape of messaging applications it is difficult to see how Signal can rely on security implementation, so out of sight of the user, to win market shares. Will this become a replay of <a href="https://en.wikipedia.org/wiki/VHS">VHS</a> (WhatsApp, Skype, etc) vs <a href="https://en.wikipedia.org/wiki/Betamax">BetaMax</a> (Signal) of the 21st Century?<br />
<br />
Messaging applications are like clubs or cults in which they only allow club members to interact and go to <a href="http://www.theverge.com/2015/11/30/9819460/whatsapp-telegram-link-block-copy-paste">great length to discourage inducement to leave</a> and definitely providing no facility to support inter-club interaction. This produces <a href="https://en.wikipedia.org/wiki/Network_effect">network effect</a> to draw people in and that also becomes disincentive to leave and its nurture of human social interaction provides a positive feedback to increase the network effect.<br /><br />Looking at the EFF Security score card, most of the popular messaging applications do not use security best practices and their inferiorities do not seem to matter to the users. The anecdotal conclusion one can draw is that users do not care with online privacy and security despite well <a href="http://www.bbc.com/news/world-us-canada-23123964">publicised massive surveillance activities</a>. Unlike other type of application, such as web browser, there is no report of people deserting one messaging application to another, despite vulnerabilities and caught not using <a href="http://arstechnica.com/tech-policy/2015/06/intercepted-whatsapp-messages-led-to-belgian-terror-arrests/">secure messaging mechanism when they claim to use</a>. For those entrenched players, they must feel like in a no-loss situation. The only way they can lose to a competitor is by a total annihilation of the enterprise.<br /><br />Messaging applications have another unique characteristics that it is not the features that draw users to choose a particular application; there is a great degree of peer pressure exerted by those early adapters unwittingly forcing people to form that circle of friends. This peer pressure then forms a vortex to draw more and more people in. Their only concern is to be able to communicate with the club members.<br /><br />Because of the lack support for inter-application interaction, the application through using proprietary communication protocol forms a natural barrier for their user to leave. Apart from that, the user does not see any benefit for using a different application that essentially providing the same things - messaging and may be voice - and having to desert their friends. So why leave? What is the benefit to them?<br /><br />Many users of messaging applications also form the mistaken belief that they can only use one messaging application in their device. Perhaps it is this mistaken belief or blind fanaticism to their favourite application they are also reluctant to install other messaging applications to increase their reach to their friends. Since Signal is so similar to WhatsApp, it is simply a matter of installing and waiting for others in the contact to install their copy of Signal to re-establish communication. Even that simple is not enticing.<br /><br />I have spoken to several users of messaging applications as well as non-users and recommending to switch over to a more secure application called Signal. But telling them the benefits of Signal is like talking about wine apprecThis is particularly difficult when Signal is so similar to the
operations of WhatsApp separated by a thin veneer of technical features.
In view of this, users of WhatsApp (or other app) are unwilling to
desert their circle of friends to use something that to them is almost
the same thing with minute user base, by comparison. iation to a group of teetotalers. To them the improve security and end-to-end encryption (E2E) are not enough to sway them. Even people that has not used messaging application seems to be reluctant to get onboard with Signal because they have not heard of it being mentioned by their friends.<br /><br />So I wonder how a late comer like Signal can overcome these barriers to increase its market shares? How it can base on technical superiority to entice users who are disinterested of them that Signal relies on to distinguish it from others? What is the future of Signal apart from being a niche player at best? Clearly Signal needs to improve its image and marketing.<br /><br />From the analysis, users of messaging applications place extremely high premium on their ability to reach their circle of friends and ignore other issues like security and privacy. Therefore if the new comer, like Signal, wanting to rise up, it must give their users a transparent way to interact with their circle of friends without requiring them to switch en masse like the present situation. How to achieve that is the real challenge in messaging application development in view of no standard communication protocol?L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-44019549213036190362015-12-07T20:51:00.002+10:002015-12-07T20:51:29.599+10:00Comments on using e-mail address as username for online servicesI have encountered more and more online facilities using e-mail address as the user name. In my mind, this is a lazy way for the service to check or to provide a unique user name when creating an account. In some rare usage, this may be fine but generally this is a very restrictive form and the reasons are given below.<br />
<br />
Using e-mail address has the following problems:<br />
1) While it is unique in the universe of the Internet it does not uniquely identify a user of the service, thus unsuitable as a user name unless the service has other facility to deal with one e-mail address for multiple users.<br />
<br />
For example if one manages several properties or funds belonging to different entities under some management agreement, it is often convenient to use one e-mail address for all these properties or funds. It is also possible that the e-mail owner owns all those properties or funds, it is unreasonable to base that identifier on an e-mail address which does not map to a unique entity; e-mail address is for correspondence - like a house address.<br />
<br />
Who would then use a house address to identify a person living there when it can house several persons?<br />
<br />
<br />
I have seen one service that uses the user name (aka e-mail address) as a proxy to a fund account. This then assume the owner of that e-mail address cannot have more than one funds - one may be for him and another for some other ownership arrangement with correspondence being sent to the same address. Clearly the developers have not model the usage requirement well.<br />
<br />
This silly design is like the above house number analogy requiring a house to house just one person.<br />
<br />
The assumption that an e-mail address uniquely maps to a particular person or entity is unsound. Don't do it. It is far better and more secure if your system generates a unique number, a la, account number, for the user.<br />
<br />
2) The use of e-mail address as a user name can confuse user in that he/she has to supply to the online service the same password for e-mail account. This can lead to an increase (or subliminally encouraging) reuse of password, a dangerous practice.<br />
<br />
To a less technically savvy person, he/she may be misled into believing that the e-mail provider now have access or linked to whatever materials available in the online service. <br />
<br />
3) While it is infrequent, though not impossible or improbable, for people to change e-mail address, services that uses e-mail address for correspondence as well as for user identification inevitably prevent user from changing e-mail address. This is because it is using a very poor design pattern - one piece of data to serve two distinctly different and diverse purposes. The user name is to identify a user which an e-mail address does not and the e-mail address is for correspondence, like a house address which can be used by anyone living there to receive correspondence.<br />
<br />
If you ask correspondence sender to simply put the address on the envelope no one in the household will know to whom is that letter addressed; you need to put the addressee's name (the user name). A person could one day moves out of that address; he/she retains the same name (user name) but simply changing the delivery address (changing the e-mail address). This happening may not be frequent but not improbable or impossible.<br />
<br />
No right minded person would combine the two (addressee's name and the delivery address) but why do that in the computer system?<br />
<br />
To address this kind of short coming, they then have to provide a means for the user to define an e-mail address for correspondence. In this situation which one should the system uses during account set up and validation purpose? <br />
<br />
<h3>
How to overcome this poor design as a user?</h3>
If you, as a user, are confronted with this problem - how to use one e-mail address for more than one users of the service - you may try this solution provided that:<br />
<ul>
<li>Your e-mail provider supports e-mail alias. GMail and Hotmail support them. If you provider does not supports this, set up a GMail account as a mail redirector.</li>
<li>Your online service's user name (aka e-mail address) validation knows about <a href="http://www.faqs.org/rfcs/rfc822.html">RFC 822</a> - Section 6 Address specification. Those failing to parse this properly would reject your e-mail address with alias.</li>
</ul>
Then use <b>e-mail alias</b> (like <a href="https://support.google.com/mail/answer/12096?hl=en">Somebody+Property1@GMail.com</a> or <a href="http://email.about.com/od/windowslivehotmailtips/qt/How-To-Add-An-Alias-Email-Address-To-Windows-Live-Hotmail.htm">Somebody+Property1@Hotmail.com</a>) to allow one e-mail address to be used for several entities. The '+' character in the local part of the e-mail address is valid and permitted under the RFC. If their developers tell you that it is an incorrect address, point them to the <a href="http://www.faqs.org/rfcs/rfc822.html">RFC</a>.<br />
<br />
Those thinking of using e-mail address as a user name to relieve them the task to validate its uniqueness needs to validate the e-mail address to conform to the RFC.<br />
<br />
To me, the task of validating and ensuring a user name is unique within the system is far easier than validating the e-mail address because the latter needs to check:<br />
<ul>
<li>conformance to RFC</li>
<li>that the e-mail provider supports the e-mail alias that the user enters, as the service has to make sure it is a reachable address to receive correspondence. If that alias syntax is not supported by the mail provider, conforming to RFC does not guarantee it can be used for correspondence. </li>
</ul>
Here lies the danger of tying the two purposes to one piece of data, that is using an inappropriate design pattern.L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-41372444832628709032015-10-11T11:05:00.001+10:002015-10-11T11:05:04.936+10:00To install or not install an application - what are the pros and cons?With the advent of USB devices, many applications that once require an installation process for deployment have been converted to run without one so that the user can use that program directly from the USB device on any machine and a large collection of them can be found <a href="http://portableapps.com/">here</a> mostly utilizing their portable application framework.<br />
<br />
Other program, such as TrueCrypt or its replacement <a href="http://veracrypt.codeplex.com/">VeraCrypt</a> offers a much simpler model; it simply offers you a way to extract the files into a directory and one can execute the program from there.<br />
<br />
I have been a fan of this convenient deployment model for a long time and in particular of avoiding any impact on the underlying operating system. It is particularly helpful in troubleshooting without the need to install anything. Just run!<br />
<br />
However, recently I have been having second thoughts whether the benefits of this model is worth the risk of allowing malicious attacker to contaminate the program to do harm? When needing to a USB device in an environment that I do not know its sanity, I always probe it using tools carried by locked SD-Card. In this way, I am protected from being a carrier of attacks or being attacked.<br />
<br />
Going back to the history of Windows beginning in Windows 2000 (aka NT5), Microsoft has been using the profile to define a set of file and registry security templates to protect executables and key information, although much of the good intention was discarded in favour of convenience and ignorance. Microsoft had to do something to rein in the unruly behaviour by introducing the UAC in Vista to the dismay of large unappreciative community.<br />
<br />
Apart from other benefits, the main aim of the file system security is to protect key files from bring modify by user without administrative privilege. From Vista onwards, all applications run by default with standard user privilege and that means that they cannot make changes to program files or protected areas. This is a good thing and has improved the security of Windows a lot.<br />
<br />
Now if instead of installing a program that requires administrative rights to carry out and deployed into designated protected areas, we modify the deployment model of the program to allow it to run from anywhere, doesn't such a practice is a throwback to the good old days of NT4/5/XP (run everything in admin account) style? Aren't we then essentially turning the file system protection off for these programs? Aren't we making our programs more vulnerable to attacks?<br />
<br />
What caused me to ponder is my latest installation of VeraCrypt 1.16 that has fixed a couple of recently discovered critical vulnerabilities. In the past I have been using <a href="https://en.wikipedia.org/wiki/TrueCrypt">TrueCrypt</a> in portable mode without installation. Then I wonder: wouldn't this mode of deployment makes it easier for others to attack the program or to use this program or this type of program, running at elevated privilege, to launch attacks?<br />
<br />
In the end, I decided to install the program. What is your opinion on this issues?<br />
<br />
In Linux, by default it does not allow programs to run from removable devices.L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-73901892278077335172015-07-29T23:40:00.002+10:002015-07-29T23:40:44.017+10:00Caveat for Link Market Services Registry users using Password ManagerThis is a note to any users of <a href="http://www.linkmarketservices.com.au/corporate/home.html">Link Market Services Share Registry service</a> that use Password Manager to manage their password.<br />
<br />
It seems Link Market Services discourages people using password manager, a practice that is recommended by security experts, and it expects the users to have some sort of psychic power to know why.<br />
<br />
Recently, I have encountered an operation that requires me to supply the Transaction Password. Since I used a password manager to generate and record passwords, I simply asked the password manager to transfer the transaction password to the field in the Link Market Services web page. The transfer happened flawlessly but the confirm button remained disabled as if I had not type anything. That's strange. There was no textual guidance and no pop up message box to tell the user what to do. <br />
<br />
Not deterred by this, I did some experiments and this is what you have to do if you want to use password manager:<br />
1) Transfer the Transaction password to the field in the normal way your password manager offers.<br />
2) Click on the field and press End key to force the cursor to be positioned to the end of your password. (Or enter a character to the end of the password and immediately removing it from the field)<br />
<br />The minute you have completed step 2, the confirm button is enabled! The web page at that stage does not have a clue if what you have entered a valid transaction password. <br />
<br />
It seems the web page has a user-interface bug failing to recognise the field change event.<br />
<br />
This kind of bad user interface design makes your <a href="http://do-the-right-things.blogspot.com.au/2007/05/why-software-sucks-and-what-you-can-do.html">software sucks</a>. If you do not want user to transfer data say via the clipboard, disable the paste operation and offer the users some form of guidance. If your web site does not have a general purpose help e-mail address, you need to make sure the user-interface of your web site to be perfect and idiot-proof.<br />
<br />
On the subject of Transaction password, this is their mandated rule:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE5RXkStWB9ZuGx65f0NWN02J80DU1B3HaHEUzaMNFXLfcFZRIlQHz-F04NbNcdUbyenyAaoV-ZLdP9zE-HpPNhgZfXDJkpmpR2lIGbZqpwZ6Znh01AVKme45n8JA8x_bMT4KGGzY7HPCK/s1600/PasswordRule.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="277" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE5RXkStWB9ZuGx65f0NWN02J80DU1B3HaHEUzaMNFXLfcFZRIlQHz-F04NbNcdUbyenyAaoV-ZLdP9zE-HpPNhgZfXDJkpmpR2lIGbZqpwZ6Znh01AVKme45n8JA8x_bMT4KGGzY7HPCK/s400/PasswordRule.JPG" width="400" /></a></div>
<br />
When you use the settings facility to change the Transaction password and if you use a password manager to generate the new password (highly recommended), after you have transferred the new password to the respective field, execute Step 2 mentioned above. Such action will trigger the script on that page to evaluate the supplied password. It seems the program has a bug similar to that mentioned above.<br />
<br />
One wonders if the Link Market's mandated rule can encourage users to choose strong password. If Link Market discourages their users from using password manager, then the users will undoubtedly choose an easy to remember password (that will also ended up to be easily guessed by hacker).<br />
<br />
For example the following passwords<b> Pauline1, Password1</b> or <b>Ab1234567</b> comply with the rule but according to <a href="https://www.microsoft.com/es-xl/security/pc-security/password-checker.aspx">Microsoft's password checker</a> or <a href="https://blog.kaspersky.com/password-check/">Kaspersky's checker</a>, there are weak passwords. It is therefore better to encourage your users to use password manager rather than forcing them to choose easy to remember one.L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-76266681594091139482015-07-15T01:00:00.003+10:002015-07-15T01:00:55.997+10:00A tale of two share registriesEvery year around this time, the end of the financial year, I, like others, have to prepare share holding statements of my share portfolio for my accountants and this exercise takes me into close contact with the share registries managing the shares in the listed companies.<br />
<br />
There are several registries in Australia and some companies use one while the others use a different one. It is not uncommon for a share holder having to deal with multiple registries.<br />
<br />
The two largest ones are the <a href="http://www.computershare.com/au/Pages/default.aspx">ComputerShare</a> and <a href="http://www.linkmarketservices.com.au/corporate/home.html">Link Market Services</a>. Both have the facilities to generate holding statement document but they are vastly different in their implementation and this blog post documents my experience showing how one can be so badly designed to meet user's requirement while other is a joy to use.<br />
<br />
Both systems offer several log in facilities to access the holding or holdings. Both allow a user to become a registered user and in so doing can let the user to define the collection of shares of interest. They also offer a user a single holding access to just one share's detail using the share identification number called the SRN and other details.<br />
<br />
For people with a large share portfolio it is much more convenient to become a registered user. However as to be revealed, it is not always the case when dealing with ComputerShare. <br />
<br />
ComputerShare has longer history than Link Market Services but the latter has a far user-friendly user interface that the former.<br />
<br />
ComputerShare once had a very functional, though less colourful, system and had served it well. In that system, one could expand the particular share holding and could then enquire the holding at a particular date right there. Several years' ago, ComputerShare decided the functional system needed freshen up and decided to splatter the web site with eye-candy features and introduced an amateurish help system that is actually an insult to the intelligent of its users. More on this later on.<br />
<br />
The eye-candy effect caused minimal changes to how holding details are shown to the user and the shares in the portfolio are listed alphabetically, just like the less colourful previous system. As a comparison to Link Market Services the eye-candy effect has not improved the usability one bit as compared to Link Market Service, speaking from someone with a long history of using both.<br />
<br />
However, the most radical change in ComputerShare is in the way of generating holding statement at a particular date. It is not about relocating the access of a feature from one user-interface to another location that is so unusable but the implementation behind that makes this so frustrating to use.<br />
<br />
The 'Export Balance Letter' has the following user-interface design:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgg6Uw83Rx75bo8cOYj2je0LFlHHuQHjqr2Hw39vPRcqV5VWu4GYm9RcFjncFCMvt3BfzixImxPVuX-B9x17i1JQDzy0Bg2_i6tlmjPcQzLvY_5lTbdaYYbVBxLp2h_inCwPi3qAQbsBEAu/s1600/ExportBalanceLetter.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgg6Uw83Rx75bo8cOYj2je0LFlHHuQHjqr2Hw39vPRcqV5VWu4GYm9RcFjncFCMvt3BfzixImxPVuX-B9x17i1JQDzy0Bg2_i6tlmjPcQzLvY_5lTbdaYYbVBxLp2h_inCwPi3qAQbsBEAu/s400/ExportBalanceLetter.JPG" width="400" /></a></div>
<br />
to let the user to generate the balance statement. For some strange or mismanagement reason, the designer of this piece of user-interface changes the terminology from 'holding' to 'account' in the 'Select Account'. In the opening statement of this user-interface, the designer is still referring them as holdings. The rest of the web site all uses holding to refer to a particular share holding. 'Select Account' should be corrected to 'Select holding' for consistence.<br />
<br />
It is not the eye-candy stuff that makes this piece of user-interface totally unhelpful and unusable. It is what lies behind the combo box for the list of holdings (I will refrain from calling them accounts because they are not) that are irritating (and dare I say any users bar the designer).<br />
<br />
This piece of implementation is a prime candidate for the book "<a href="http://do-the-right-things.blogspot.com.au/2007/05/why-software-sucks-and-what-you-can-do.html">Why software sucks</a>". If you drop that combo down, any sane person would expect ComputerShare designer to show the share holdings in alphabetical sort order, just like in the Portfolio page.<br />
<br />
But surprisingly or rather shockingly, the order seems to be rather random without seeing the code. In my access, the list box in the combo box shows the companies in the list starting with A, C, W, W, A, C, A, P, A, .... S, L. What kind of sort order is that? I managed to talk with someone from ComputerShare about what kind of collating sequence they are using to generate this. The answer, from someone without much conviction, suggested that it might be the order I acquired the share. Even if that is the case, what good does that sort sequence do to the users?<br />
<br />
Having worked with many developers in my life I have never seen something as bizarre as this. It is a sloppy piece of work and how hard it is to add an ORDER BY clause on ASXCode column in your SQL statement?<br />
<br />
Needless to say the person I talked with from ComputerShare is rather defensive (a trait I have commonly found in some development companies) giving me all other irrelevant excuses like the software has to work in different countries. I am not inexperience in I18n.<br />
<br />
If the caller wanted to solicit user feedback to help them with their design, he had used the wrong tactic. No where in my Facebook (borrowing someone's access) message did I say anything about having the ability to download them to a spreadsheet. And yet, this person kept drumming into me of the ability to download into spreadsheet and that features might take some time. I told him all I wanted was for ComputerShare to list the holdings in the list box in alphabetical order - a much easier undertaking that will bring huge benefit. He certainly has failed the user-requirement solicitation process.<br />
<br />
Now let's consider how Link Market Service handles this that makes ComputerShare looking like an amateur. Link does not use the algorithmic way of pulling in the share holding relevant for the registered user. Link allows user to pull in holdings of totally different owners as long as one has the SRN and it also allows user to group these holdings, a useful feature not available in ComputerShare.<br />
<br />
Hence in Link, one can have BHP, for example, owned by Albert, Mary, Jack and Tom, each with distinct SRN of course.<br />
<br />
In Link, the balance statement is located in the 'Balance History' page which contains a similar user-inferface<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiSBUUz9uiGUyyvG7bZIfLI8EYe6O7T9-nEAZgA21AjMOM8DzNmKv5mJ9WkSVITnMsSPHALvXPhRs3FO8xvvfX19jFdJDVG_dFEpOzjgR8Z7UU5pMvGNIBxjpWTFQX2yvZwcEQd64E81EJ/s1600/LinkBalanceHistory-1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="121" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiSBUUz9uiGUyyvG7bZIfLI8EYe6O7T9-nEAZgA21AjMOM8DzNmKv5mJ9WkSVITnMsSPHALvXPhRs3FO8xvvfX19jFdJDVG_dFEpOzjgR8Z7UU5pMvGNIBxjpWTFQX2yvZwcEQd64E81EJ/s400/LinkBalanceHistory-1.jpg" width="400" /></a></div>
Once again it is not what hits your eyes that matter but it is in the implementation of that list box in the combo box for the holdings. Link sorts the holdings alphabetically and a sort order I challenge ComputerShare to show me that is less useful.<br />
<br />
Rather than to torture myself with the ComputerShare's illogical sort order when I came to compiling the end of the year holding statement for shares managed by ComputerShare, I did not use my registered log in detail. Instead I used the single holding access which seems irrational. Even with having to provide log in details and entering the CAPTCHA for each holding, it is still the quickest and less stressful way to get the job done. This is still might quicker than to navigate through poorly arranged list of holding in ComputerShare.<br />
<br />
Not contented with driving their users crazy with their idiotic design, they try to pretend to provide some 'human' assistance; they introduced the 'Ask Penny' which must be built with a penny as it lacks any form of intelligence or knowledge. If you can't provide an AI assistance, perhaps a general helpdesk e-mail facility is more useful and more capable of giving that human touch. Their 'Contact us' facility is equally useless because it is share-centric. <br />
<br />
In sharp contrast, it is a joy to use Link to compile that end of the year holding statements. Thanks for a job well done.L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-45534152318309567782015-06-23T13:30:00.002+10:002015-06-23T13:30:11.037+10:00Rare to see an anti-virus/malware protector not having automatic updatesIt is extremely rare to find an anti-virus/malware protector not having an automatic update facility to its engine and database. Windows Defender running in Windows 8.x is one such rare species.<br />
<br />
This happens if the user chooses the option in Windows Update not to use automatic updates, a choice giving the user better control which upgrades should be applied.<br />
<br />
In that case, Microsoft <a href="https://social.technet.microsoft.com/Forums/windows/en-US/d964be4c-6619-473a-a45d-27c2c85e721c/windows-update-tile-or-desktop-notifications?forum=w8itprogeneral">acknowledges</a> that it is a design decision that the user is not given the normal Windows Update notification, except in the log in screen. While I accept, only reluctantly, that there is a shred of logic in this, albeit very draconian one, why does that affect the important updates to a protection software which depends on timely update of its database/engine?<br />
<br />
I have used a variety of AV and this has to be the first one that fails to update automatically or tell me an update pending when I choose not to use automatic Windows update option. Most of them has automatic update by default and is not under the influence of Windows Update.<br />
<br />
This situation is a good example of <a href="https://sourcemaking.com/antipatterns/golden-hammer">Golden-Hamer anti-pattern</a> resulting in leaving its Windows user vulnerable to attacks. So if you want more controls on your Windows' updates, don't use Windows Defender. Furthermore, another case of don't believe everything you read (on Microsoft product) and here is one taken from the Windows Defender's Update page for Win8.1:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFkTVvo79doVpbcsPKfJQsPozoTe5MMb5q_T0GyOEeGHM_Y3clWqRNuoFqW2PyD5fFp9MFBxSFWD8mFhvYn3uY5j63qqmsxjjqCqM52UOEURYq1s06aT9vgHPR0AQ_hs0yawQ73i93HXly/s1600/WindowsDefenderUpdate.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="90" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFkTVvo79doVpbcsPKfJQsPozoTe5MMb5q_T0GyOEeGHM_Y3clWqRNuoFqW2PyD5fFp9MFBxSFWD8mFhvYn3uY5j63qqmsxjjqCqM52UOEURYq1s06aT9vgHPR0AQ_hs0yawQ73i93HXly/s640/WindowsDefenderUpdate.JPG" width="640" /></a></div>
<br />
It only updates automatically if Windows update is set to automatic. That "Did you know" message needs to be clearly qualified to avoid misunderstanding.<br />
<br />
Windows has all sorts of detections and options, surely in the Windows update control panel applet Microsoft can add a check box there to let the user to choose if one wants to receive notification, including Windows Defender update notification. Or in Windows Defender to have a check box to remove automatic updates if the update notification is so distractive; it could and should update silently. Cutting that out altogether is just plainly a bad design decision. I suspect that is other sinister motive than what has been revealed.<br />
<br />
I am wondering if this draconian approach will be addressed in the upcoming Windows 10?<br />
<br />
If you persist to support Windows Defender with your choice of Windows updates option, the other option is to use a Task Scheduler <a href="http://www.eightforums.com/system-security/42344-auto-update-windows-defender.html">to register the Defender updates</a> periodically. It is a choice to ditch Windows Update or to use the Task Scheduler.<br />
<br />
I will now experiment with some of the <a href="http://www.askvg.com/how-to-show-new-windows-updates-available-notification-icon-in-windows-8-taskbar/">Windows Update Notification tools</a> to address the Windows 8.x deficiency.<br />
<br />
<br />
<br />
L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-85227500518969422212015-05-14T01:16:00.001+10:002015-05-14T13:37:50.678+10:00My experience in using one2free prepaid Mobile Broadband SIM in Hong KongI am a regular visitor to Hong Kong and in every visit, I purchase a prepaid mobile broadband data SIM for my Huawei pocket modem to provide Internet service to me. I am no stranger to this kind of SIM as I have used in the past various types of <a href="http://www.three.com.hk/website/appmanager/three/home?_nfpb=true&pageid=000001&_pageLabel=P200170391219567376547&lang=eng">3HK</a> Data SIM. So after reading so many glowing remarks about the <a href="http://one2free.hkcsl.com/jsp/prepaid_sim/local_starter_pack/starter_pack.jsp">one2free's prepaid mobile broadband SIM</a>, I have decided to give it a test ride this time.<br />
<br />
I did some preliminary investigation prior to the visit via their e-mail customer service which I may say is rather responsive by comparison. It would be nicer if they have 3HK's online chat service.<br />
<br />
On the whole, I am rather pleased with the performance, the cost, the responsiveness of the customer service which I had to use quite a lot, as you will see, during my stay. Unfortunately, their responsiveness is tarnished somewhat by their answers which clearly indicate that they are let down by their organisation.<br />
<br />
Now, with the good bits out of the way, let's go through the bad bits.<br />
<br />
Foremost is their web site which is devoid of any useful and helpful information. It would be more helpful if their web site provides some form of instructions in using their services. Such as what happen if you buy the $100 starter kit, what rate will you be charged at. What about the steps to buy the 30-Day Pass with 3GB quota for someone what has not used your product before? What happen when one uses up the quota but still within the 30 days? Will the connection speed be shaped?<br />
<br />
In my case, I want to use the 3GB 30-day pass, which according to the <a href="http://one2free.hkcsl.com/jsp/prepaid_sim/local_starter_pack/starter_pack.jsp">published information</a> will cost me HK$148.00. To subscribe to that, one needs to load the prepaid SIM with at least (preferably more) that that amount. At the shop where I purchased the kit, they did not have $50 top up voucher instead they only had $100 voucher which means my SIM card is loaded with $200 and after paying for the 30-Day pass, it has a balance of $52.00.<br />
<br />
No where in their web site explaining this and what happens to that balance. For those wanting to go down this path, here is the treatment of the balance.<br />
<br />
The 30-Day pass expires after 30 days from the day of subscription. CSL will immediately deduced that amount from your card on subscription. Hence you must load your card up with sufficient amount before you can punch in the code to select the day pass. The amount remaining can be use for other purposes such as making calls or to contribute towards next day pass purchase. It does not expire until 6 months after the activation or from your last top up. In other words, your prepaid SIM card is valid for 6 months as long as there is sufficient fund to pay for the monthly government charges, which is HK$2.<br />
<br />
Unless you do not have other SIM to make voice call, this SIM charges (HK$0.3/min) 3 times as much as other <a href="http://one2free.hkcsl.com/jsp/prepaid_sim/power_prepaid_sim/card_features/card_features.jsp">CSL SIM</a> ($0.1/min).<br />
<br />
The next area of great disappointment is how to monitor the data usage. Their <a href="http://one2free.hkcsl.com/jsp/prepaid_sim/local_starter_pack/starter_pack.jsp">web site</a> for the prepaid starter kit contains wrong and misleading information.<br />
<br />
While that site is for the Prepaid Mobile Broadband SIM, the login button is not intended for Prepaid mobile and I only found this out after the event.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrzT_c3wlHoQH4HYka8FgLUUTWIE1Huej_GDw4dZ-D-rrscB7IavX4JqiqOi9UEpGJCNMj_0fmvYlLS3zjbcI9bBW-0eWRm8vfIkaCBSkx1CFGB29_lhIMr1vPE1CJEcIpqwd1F371-xCj/s1600/LoginButtonNotForPrepaid.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrzT_c3wlHoQH4HYka8FgLUUTWIE1Huej_GDw4dZ-D-rrscB7IavX4JqiqOi9UEpGJCNMj_0fmvYlLS3zjbcI9bBW-0eWRm8vfIkaCBSkx1CFGB29_lhIMr1vPE1CJEcIpqwd1F371-xCj/s400/LoginButtonNotForPrepaid.jpg" width="400" /></a></div>
<br />
This web site expects the user to possess certain degree of psychic to realise that. I was misled by this page and unsuccessfully to get a password or to reset it by following the online link. Out of desperation, I inserted the data SIM into a mobile phone and used the *777 code to successfully reset the 6-digit password for my SIM. The system acknowledges the request and echoes back the password (very security conscious).<br />
<br />
Next, armed with my SIM's mobile number and the password, I pressed the login button on that <a href="http://one2free.hkcsl.com/jsp/prepaid_sim/local_starter_pack/starter_pack.jsp">web page</a>. Rather than telling me that my SIM cannot use 'My Account' to manage my usage, it throws a Java Exception message:<br />
<pre>type Exception report
message
description The server encountered an internal error () that prevented it from fulfilling this request.
exception
java.lang.IllegalStateException
org.apache.coyote.tomcat5.CoyoteResponseFacade.sendRedirect(CoyoteResponseFacade.java:418)
LoginRedirect.doPost(Unknown Source)
javax.servlet.http.HttpServlet.service(HttpServlet.java:767)
javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
sun.reflect.GeneratedMethodAccessor57.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:585)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:249)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:282)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)
note The full stack trace of the root cause is available in the Sun-Java-System/Application-Server logs.
</pre>
Nice? Have they ever tested their program? Why doesn't the web page inform their user that the login page is not for Prepaid user? Surely, they have all the information to tell if the caller's SIM is a prepaid or not.<br />
<br />
I raised this issue with the online support as well as visiting one of their customer service centres and was then told that that login button on the web page and "My Account" facility are not for Prepaid users. Surely their web designer can put that few words into their page to warn their user and even better, their program tests and traps that kind of exception and to inform their users in a more meaningful manner. It is not a big ask isn't it. More disturbingly, if that facility is not for prepaid user, why does *777 allows a number belonging to a prepaid SIM to reset password? So amateurish!<br />
<br />
So after the visit, I discovered that as a NextG-Prepaid user, I should use this URL <a href="http://www.one2free.com/nextg-prepaid">http://www.one2free.com/nextg-prepaid</a> while connecting to the CSL using the one2free SIM. Using this URL, I have managed for the next 3 days to make a daily enquiry of my usage.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh_tIUsqHk09pWYp4QPJH4gOptwVvenlfRQ9LqJaMRmbD7DEb3PU6M9XHQ0xcnFb5fju049XhYWT2_iHtm8fQtRnRqdWYlOpxKLmZmf_r_rXN7n_IYQ4ybeM6SSdd-m4iGBKSejiPuqW1V/s1600/NextGPrepaid.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh_tIUsqHk09pWYp4QPJH4gOptwVvenlfRQ9LqJaMRmbD7DEb3PU6M9XHQ0xcnFb5fju049XhYWT2_iHtm8fQtRnRqdWYlOpxKLmZmf_r_rXN7n_IYQ4ybeM6SSdd-m4iGBKSejiPuqW1V/s400/NextGPrepaid.JPG" width="400" /></a></div>
<br />
<br />
On the 4th day, when I used that URL, I was confronted with this web page:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijIOoPoN8cJpmQL72AiFUgDI-MMLchJbAga3njoOMM8NCr0n_JTFDHph54kGbtHnANpVDSHz2WW4wyA2lSFoejwoB6VfR1-GkEaIk9dsOh4TSb2A5oIAyjf7cvKYntoSpaByvWCRhQhj4p/s1600/ErrorPage.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijIOoPoN8cJpmQL72AiFUgDI-MMLchJbAga3njoOMM8NCr0n_JTFDHph54kGbtHnANpVDSHz2WW4wyA2lSFoejwoB6VfR1-GkEaIk9dsOh4TSb2A5oIAyjf7cvKYntoSpaByvWCRhQhj4p/s400/ErrorPage.JPG" width="400" /></a></div>
<br />
Notice that the left hand pane tells me that this is a "My Account" facility, the very facility that I was told that it was not for me.<br />
<br />
Not deterred and with a sense of adventure, I pressed the login link which sent me to <b>https://prepaid.hkcsl.com/login</b> with the following login page<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsERqzmxM94h5RmkR_-uayIDMbeNzY7Nj4K0C732qkHYX9Uh-RSkFJk9TXhlXzFdxgRfCs93PNAl7Kd27_usMQHuj7c4PLl8qf5WFWpITVlLpCddv_pXIu5g1xV4AOe-rugY7CaAAYlFp-/s1600/PrepaidLogin.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsERqzmxM94h5RmkR_-uayIDMbeNzY7Nj4K0C732qkHYX9Uh-RSkFJk9TXhlXzFdxgRfCs93PNAl7Kd27_usMQHuj7c4PLl8qf5WFWpITVlLpCddv_pXIu5g1xV4AOe-rugY7CaAAYlFp-/s400/PrepaidLogin.jpg" width="400" /></a></div>
<br />
The login page asks for the mobile number of the SIM and a password, which I duly use the one that I used the *777 code to reset. The system accepts my inputs and provides me access to my SIM's data. The data usage can be retrieved by pressing the "Promotional Bonus Details" link.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYUqsZhlGnkzE9XcNCGn9ll6siVcB0rq1G2eujN8_UMaUI5vUt0OjwrSOHx2-xe1hypnzDW5FyQaPSyPb7O0eeEt76AoHG6ruqmv6mQvCxylfAnS2zcrxbm_umLtdI7h1ZRnPse7pt34we/s1600/GotIn1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYUqsZhlGnkzE9XcNCGn9ll6siVcB0rq1G2eujN8_UMaUI5vUt0OjwrSOHx2-xe1hypnzDW5FyQaPSyPb7O0eeEt76AoHG6ruqmv6mQvCxylfAnS2zcrxbm_umLtdI7h1ZRnPse7pt34we/s400/GotIn1.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjptOb2-BafJ7cqWOPTGt9sB0yZDiUmTgDV_AnQyFPi672drNZdxV6BEQfZj_lPybfy6bk4nbyDtgjNMvov5FxArFjdctIxVWSgIgJsB5DflJem_DM6o8BpiUtn2yc6ZKDSRCJdgeHy2RgP/s1600/GotIn.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><br /></a></div>
Notice this is a different web page as compared to the previous one via the NextG-Prepaid link.<br />
<br />
I sought the customer service for an explanation of how I could access "My Account" when they told me that it is not for me to no avail. We ended up going around and around in circle. The customer service refuses to acknowledge that the URL <b>https://prepaid.hkcsl.com/login</b> is right for me despite being pointed out that the URL containing the word 'prepaid' to indicate that it is for prepaid users.<br />
<br />
Even more interestingly is that I can access my prepaid SIM card detail using this URL <u>without having to use a connection provided by CSL SIM</u> while I need to use the one2free SIM in order to use the <b>http://www.one2free.com/nextg-prepaid</b> regardless successful or not. As an experiment, I have just connected to this <b>https://prepaid.hkcsl.com/login</b> some thousands miles away from Hong Kong.<br />
<br />
After discovering that I can use this URL to monitor my data usage, I continue to use it ignoring any contradictory comments from the customer service. Incidentally this URL is not disclosed on any of the CSL web pages. It seems that there is a communication problem within the CSL on this issue.<br />
<br />
Whatever it is, it is CSL's problem and they need to deal with it. I have supplied all the information, such as SIM card number, mobile number, and modem model. They need to improve their web site to make it more useful and helpful. Don't just throw figures and data on it. Test it with someone who is not a user of your system or product.<br />
<br />
Teach your front line support personnel to slow down and take time to explain the various facets of your products. I know you know your products very well but your potential customers DON'T.<br />
<br />
Test your web site with any non-sensible data and don't let your Java exception message leak out to the users. That is not an acceptable way to tell your user that they have entered something wrong.<br />
<br />
To date, I still have not been offered a logical explanation why the link <b>http://www.one2free.com/nextg-prepaid</b>, I was instructed by the customer service to use, failed after 3 days. And that why I should not use <b>https://prepaid.hkcsl.com/login</b> which works but the customer service next acknowledges that I should use that.<br />
<br />
Thankfully, I have a wonderful Internet service and despite all the above mentioned issues, it is still cheaper than 3HK's offering and I still will recommend it to other travelers. Just be prepared for some rough edges.L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-30924627877297125442015-03-28T13:58:00.001+10:002015-03-28T13:58:43.227+10:00Installation recommendation for PDFCreator 2.1.0For those intend on installing PDF 2.1.0, you are recommended<br />
<ol>
<li>to download it, </li>
<li>turn off your network connectivity, </li>
<li>before running the installation package. </li>
</ol>
<br />This is because the installation script produces very much the same <a href="http://do-the-right-things.blogspot.com.au/2014/12/experience-in-installing-pdfcreator-20x.html">undesirable behaviour</a>. Turning off the network connective during installation prevents it from calling home to download other crapware.<br />
<br />
If you are running AVG 2015, it will pick up the presence of OpenCandy, "Adware AdLoad.OpenCandy", since it is a crapware, it is best to let AVG's residence shield to toss it away - no loss at all.<br />
<br />
Below is the brief outline of what happen to the installation process with no network connectivity (assuming no AV to intercept the presence of OpenCandy crapware).<br />
<br />
In fairness, I do not believe PDFCreator intends on planting OpenCandy into your machine. Detail probing of the installation process seems to indicate that some programming error is responsible for the left over of "<b>OpenCandy's recommendation engine p101</b>, version 2.0.0.156" (<b>OCSetupHlp.dll</b>) in the temporary directory. The presence of this file can cause your AV to report the presence of OpenCandy threat during routine scanning.<br />
<br />
PDFCreator installation script also generates a copy of the set up log in "<b>c:\Program Files\PDFCreator\SetupLog.txt</b>". There also seems to be a programming error that left the temporary copy (original copy) of this file of the format "Setup Log <i>yyyy-mm-dd</i> #<i>xxx</i>.txt" in your temporary directory.<br />
<br />
When one initiates the set up program, it creates two temporary directories of the format is-<i>XXXXX</i>.tmp. One is to hold the actual installation program <b>PDFCreator-2_1_0-Setup.tmp</b> and the other is to hold various files that it needs during the installation program. You can find the list in the Set up log. One of them is the "OpenCandy recommendation engine p101" <b>OCSetupHlp.dll</b> version 2.0.0.156.<br />
<br />
At the early stage of installation process, this DLL is not used, see comment below, and if you hate OpenCandy, delete it now and in fact that is what AVG did when it picks up the presence of OpenCandy and that you instruct it to remove the threat.<br />
<br />
After you have selected the options to install, the program will run smoothly to completion. In my execution (not installing "PDF Architect") I never allow the last dialog box to launch PDFCreator.<br />
<br />
Investigation using <a href="https://technet.microsoft.com/en-us/sysinternals/bb896645">ProcMon</a> on the interaction of the PDFCreator setup program with OpenCandy records the following observations:<br />
<ol>
<li>Towards the end of the installation phrase, the installation script launches <b>RunDll32.exe</b> to invoke OCSetupHlp.dll with the entry point using <b>exported function 16</b> and the optional parameter seems to indicate an intention to perform IPC with the parent process. The purpose of this is still a mystery.</li>
<li>The installation script's clean up process then deletes the files such as InstallCheck.exe, etc in the temporary directory</li>
<li>It fails to delete OCSetupHlp.dll because RunDll32.exe is still running using it. The installation program attempts to delete this file <b>31 times</b> before giving up.</li>
<li>Once all the files are 'deleted', including the failed one, it tries to delete the directory but fails.</li>
<li>At the end it simply ignores those failures and completes the installation.</li>
</ol>
The presence of the installation program trying numerous attempt to delete OpenCandy crapware only to be faulted by their programming error and the lack of sign of it trying to plant this engine elsewhere suggest to me that PDFCreator does not have any intention of using OpenCandy in the execution of the program.<br />
<br />
You cannot delete OCSetupHlp.dll at the completion of the installation program until you have terminated the RunDll32.exe process holding this DLL. The best way to find the process holding onto this DLL is to run <a href="https://technet.microsoft.com/en-us/sysinternals/bb896653">ProcExp</a> and then search for the OCSetupHlp.dll. Alternately, log off and log back on and you can delete this file. It is highly recommended that you delete OCSetupHlp.dll to avoid your AV finding it in routine scanning.<br />
<br />
Once RunDll32.exe is terminated you can delete OCSetupHlp.dll and to satisfy your concern, run your AV scanner over your system or use something like <a href="https://www.malwarebytes.org/">MalwareBytes</a>.<br />
<br />L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-55005257534489269222015-01-08T21:39:00.002+10:002015-01-08T22:36:01.789+10:00A solution to my problem of unduly long time to connect to the WiFi network when waking Windows up from sleepI have encountered a problem that has also been reported by many Netizens that they have experienced an annoyingly (some called it obscenely) long time to connect to their WiFi network when their Windows is woken from sleep. My laptop is running Windows 7 with all drivers up to date.<br />
<br />
In my case, all WiFi connections are flagged 'Automatically Connect' and that the WiFi adapter did not have the "Allow the computer to turn off to save power" in the power management section selected.<br />
<br />
When I wake my laptop up from sleep, the machine responses very swiftly and my desktop is restored. However, it frequently fails to automatically connected to the strongest signal WiFi nor initiates any attempt to connect; I have to manually press the connect button.<br />
<br />
I have tested my machine with two distinctively different Wireless networks - different modems/routers and networking technologies and I have observed the same problem. Hence it is clearly the problem is in my laptop.<br />
<br />
Prior to last month, my laptop's WiFi adapter connects to the network the moment I sign in after waking my machine up (< 10 seconds). Then suddenly the about mentioned problem occurs.<br />
<br />
After some soul searching and searching the Internet, I have managed to rid this problem restoring it to its former glory. I am not suggestion nor recommending my way of solving my problem as a solution to deal with all long connection problems but you many review the materials to see if it can apply to your situation. It does not involve some drastic proposal found on the Net. IPv6 has nothing to do with this sluggish behaviour.<br />
<br />
So what is the possible cause then? After some soul searching of what I did to my machine, I vaguely remember one evening I was investigating the <a href="http://www.practicallynetworked.com/networking/create_a%20virtual_wireless_router_with_windows.htm">Virtual WiFi Router </a>that turns your laptop's WiFi Adapter into a wireless access point and that to understand the underlying mechanism, I was using <a href="http://www.practicallynetworked.com/networking/create_a%20virtual_wireless_router_with_windows.htm">the command line technique</a>. In that experiment, I vaguely remember that I did not complete the whole process as I do not have a real need of it and that I might even have gotten the command sequence out of whack.<br />
<br />
That experiment caused the "<b>Microsoft Virtual WiFi Miniport Adapter</b>" to appear in my Device Manager, albeit with a yellow triangle with an exclamation mark in it.<br />
<br />
This gives me a clue that it might (just a might) be the cause of my problem - I therefore may have to disable or remove the miniport. So after some research, I have found the following instructions to disable the "Microsoft Virtual WiFi Miniport Adapter" and here are the steps (must be executed in a command prompt with Administrative rights):<br />
<br />
1) To stop the hosted network<br />
<b>netsh wlan stop hostednetwork</b><br />
<br />
2) To disable the WiFi Virtual Adapter<br />
<b>netsh wlan set hostednetwork mode=disallow</b><br />
<br />
I throw in a Windows restart just for the safe measure. After that the long process connecting to the WiFi network is gone and the machine is restored to its former behaviour on waking from sleep; no longer do I need to manually click on a Wireless network to connect to it.<br />
<br />
You can find more information on the <b>netsh</b> command to deal with the wireless hosted network on the <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/dd815243%28v=vs.85%29.aspx">Microsoft's site here</a>.<br />
<br />
Once I have executed the above mentioned commands, the "Microsoft Virtual WiFi miniport adapter" disappears from the Device Manager.<br />
<br />
If you have used or experimenting with the Microsoft's virtual wifi hotspot (or router), a good sign is the presence of this adapter in the Device Manager, give this a try and see if it helps.<br />
<br />
<br />L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-64240574567519561212014-12-19T01:18:00.003+10:002014-12-19T01:18:42.495+10:00Experience in installing PDFCreator 2.0.xI have been a long term, though slow to update, user of PDFCreator and recently I have decided to upgrade it to 2.0.0 from 1.7.3.<br />
<br />
The installation experience left me with a sense of unease as it triggers the resident shield of my AVG 2015 flagging some files as being a Malware/Trojan/Adware. I will come back to this.<br />
<br />
As a result of this alarm, I revisited my trust old friend <a href="http://www.cutepdf.com/Products/CutePDF/writer.asp">CutePDF Writer</a>, which has fewer feature than PDFCreator. The installation of CutePDF Writer 3.0 went without tripping my AVG but one has to be on the wit about its attempt to slip in some PUP and toolbars. It is nice to see the installation script offering a feature to skip all the PUP.<br />
<br />
Since PDFCreator's installation script trips my AVG, I have decided to investigate this further in a controlled environment. First of all, I went to PDF Forge site <a href="http://download.pdfforge.org/download/pdfcreator">to obtain the MD5</a> of the installation package to make sure I was not using a tainted package.<br />
<br />
My investigation used 2.0.1, the latest release to determine what's going on. I use two installation scenarios - with network access and without network access and they have different behavior causing AVG to report different alerts. My experiments with installing PDFCreator do not install Image2PDF and PDFArchitect.<br />
<br />
<h3>
With network access</h3>
When the installation package, PDFCreator-2_0_1.exe (MD5:1464dab853dfac75097e6f81fa060c9a), is invoked, the first thing it does is to spawn a process called <b>DownloadUpdateInfo.exe</b> and this runs its twin DownloadUpdateInfo.tmp for a brief moment and then closed down.<br />
<br />
After soliciting inputs from the user, it then invokes <b>CBStub.exe</b> which controls the invocation of the process <b>InstallManager.exe</b>. It is at this point that the resident shield of AVG 2015 alerts the user of the presence of a Malware ladden file. It alleges that it is infected with MalSign.Generic.5E6.<br />
<br />
This file, together with its companion file, <b>inetc.dll</b>, which appears to be doing the HTML get, put, post, and head operations, are deposited in the %Temp%\<randomdirname>. <randomdirname> is a randomly generated temporary directory name. They disappear after successful installation and one needs some trickery to capture them.</randomdirname></randomdirname><br />
<br />
According to <a href="https://www.virustotal.com/en/file/c54dd76609cc4132aa340ae6bf341e5c33ebc4b71f5f9e372c5c8067ac3df92a/analysis/">VirusTotal</a>, there are 10 out of 56 Anti-virus tools reporting this file as infected.<br />
<br />
What this file does is to offer user a chance to install Ad-Aware Web Companion:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhCfl7NmX3uiNO4QKJHO1c5jbYaWAcAyp34i4ryfBcxZbtwDnQ1R8MHqUF7pX9EygAia0Vk5CkhxyjR4hVjEzPpulof5Wetr4jh-4PuwtBXiIgsbhMqUq-gOrrxdm-A1jNqhu3cskWFAIy/s1600/InstallManager-001.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhCfl7NmX3uiNO4QKJHO1c5jbYaWAcAyp34i4ryfBcxZbtwDnQ1R8MHqUF7pX9EygAia0Vk5CkhxyjR4hVjEzPpulof5Wetr4jh-4PuwtBXiIgsbhMqUq-gOrrxdm-A1jNqhu3cskWFAIy/s1600/InstallManager-001.JPG" height="312" width="400" /></a></div>
Strange, asking user to install an Ad-Aware component results in being classified as a Malware! What this does is to then invoke the <b>Mntz_Installer.exe</b>, which seems odd as most people on the Internet identifies this as the <a href="http://processchecker.com/file/Mntz_Installer.exe.html">Opera Network Installer</a>. Whatever this file is, it installs two services, namedly, LavasoftTcpService.exe and Lavasoft.SearchProtect.WinService.exe, which are part of the <a href="http://www.shouldiremoveit.com/web-companion-128861-program.aspx">Web Companion</a> software.<br />
<br />
<br />
In all fairness, one can safely consider the alert from AVG for <b>InstallManager.exe</b> as a <b>false-positive</b> and can ignore it. If you are running AVG and feel uncomfortable when it raises the alert, it will not harm the operation of PDFCreator if you ask AVG to protect you. In this case, AVG will destroy InstallManager.exe and its subsequent operations.<br />
<br />
<h3>
Without network access</h3>
Often, it is advisable to install downloaded software with network disconnected to see if it calls home.<br />
<br />
When the PDFCreator installation package is invoked with network disconnected, it does not invoke the <b>DownloadUpdateInfo.exe</b>.<br />
<br />
Instead it extracted a bunch of files into a temporary directory %Temp%\<randomdirname> which happens to contain the OCSetupHlp.dll. The presence of this file triggers the AVG 2015's resident shield identifying it as an Adware AdLoad.OpenCandy.</randomdirname><br />
<br />
According the <a href="https://www.virustotal.com/en/file/c4f2356b70a70c01ef78f82f33ad739b2806b8ff0e713074f5c76a859eb01ff5/analysis/">VirusTotal</a>, there are 12 out of 56 AV tools identifying it as infected with OpenCandy. Exactly what this being used is unsure but it does not appear to hamper the installation if one asks AVG to remove this offending DLL.<br />
<br />
When installing without network access, the installation package will not prompt you about the installing the Ad-Aware Web Companion using the <b>InstallManager.exe</b> and hence it will not trip the AVG's resident shield.<br />
<br />
If you examine this DLL's version information and its export functions, it is unambiguously associated with OpenCandy and hence it is fair to say that PDFCreator installation is tainted by OpenCandy but PDFCreator does not seem to have infected with OpenCandy after installation and during its operations.<br />
<br />
In view of this, it is fair to say this is also a <b>false-positive</b> even though it is part of OpenCandy system.<br />
<br />
The experiments show that while PDFCreator installation package causes AVG to raise alarms during the installation, they are safe and one can safely ask AVG to protect yourself against these files without jeopardising the operations of PDFCreator. PDFCreator runtime does not cause any resident shield alarm.L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com5tag:blogger.com,1999:blog-3150901600152577599.post-4764308627720392092014-06-05T10:38:00.001+10:002014-06-05T10:47:08.902+10:00Handling Popup Menu (aka Context Menu) in a Gtk# TreeView widgetThere are two ways to invoke the context menu, namely the familiar right mouse click and pressing Shift-F10.<br />
<br />
To handle these two triggers requires some special treatments and this post is to illustrate how to accomplish them. The Internet and in fact the <a href="http://go-mono.com/forums/">Mono forums</a> contain materials showing how to handle the right mouse click and it is repeated here for completeness but seem to fail to discuss how to deal with Shift-F10. <br />
<h3>
To intercept the right mouse click</h3>
To intercept the right mouse click you need to provide a ButtonPress event handler to the TreeView's ButtonPress event and most importantly you need to tell the runtime to slot your handler before the default ButtonPress handler, or else you won't see the right mouse click.<br />
<br />
Here is the code fragment to add a ButtonPress event handler, which you can also specify using the properties pad in MonoDevelopment IDE.<br />
<br />
<pre>this.treeview1.<b>PopupMenu</b> += new global::Gtk.PopupMenuHandler (this.OnTreeview1PopupMenu)</pre>
<br />
When defining the handler, make sure you adore the handler with the <a href="http://docs.go-mono.com/?link=T:GLib.ConnectBeforeAttribute#">Glib.ConnectBefore</a> attribute as follows:<br />
<br />
<pre><b>[ GLib.ConnectBefore ]</b> // need this to allow program to intercept the key first.
protected void OnTreeview1ButtonPressEvent (object o, ButtonPressEventArgs args)
{
if( args.Event.Button == 3 ) // Right button click
{
Debug.WriteLine( "Right mouse click detected" );
ShowContextMenu("Right Click - ");
}
}
</pre>
<h3>
To handle Shift-F10</h3>
It seems the treatment to invoke the context menu via the keystroke is not as popular as using the right mouse click and hence the forums have scant discussion on this. This may be due to poor documentation, in particular to the use of <a href="http://docs.go-mono.com/?link=E:Gtk.Widget.PopupMenu#">PopupMenuArgs</a>, the event argument for the <a href="http://docs.go-mono.com/?link=E:Gtk.Widget.PopupMenu#">PopupMenuHandler</a> delegate. In the absence of a recommended way from the Mono team to invoke the pop up, below offers a possible way to accomplish this.<br />
<br />
When Shift-F10 is pressed on a TreeView, the runtime will invoke the <a href="http://docs.go-mono.com/?link=E:Gtk.Widget.PopupMenu#">TreeView.PopupMenu</a> event handler if defined. This is different from other widget's way of handling context menu; Others have a PopulatePopupMenu event allowing the control's provider to construct the menu and the runtime will then render the menu.<br />
<br />
Hooking the TreeView.PopupMenu event is easy but the same treatment used in invoking the user constructed pop up menu for right mouse click does not seem to work; in fact nothing is displayed. Hence it needs a slight departure from simply calling directly the <a href="http://docs.go-mono.com/?link=T%3aGtk.Menu%2fM%2fPopup">Menu.Popup</a> in the TreeView.PopupMenu event handler. You need to basically post yourself a message, using a Windows' parlance, and then you can invoke the popup. This can be accomplished by using the <a href="http://docs.go-mono.com/?link=M%3aGtk.Application.Invoke%28EventHandler%29">Application.Invoke</a> method or its overloads.<br />
<br />
Here is the code fragment to install an event handler for PopupMenu:<br />
<br />
<pre>this.treeview1.ButtonPressEvent += new global::Gtk.ButtonPressEventHandler (this.OnTreeview1ButtonPressEvent);</pre>
<br />
Once again if you prefer, you can use the properties pad for the TreeView object in the MonoDevelop to specify this.<br />
<br />
Below is the code fragment showing the way to use Application.Invoke() to show the context menu:<br />
<br />
<pre>protected void OnTreeview1PopupMenu (object o, PopupMenuArgs args)
{
Debug.WriteLine( "TreeView Popup Menu click" );
// Post yourself a message to invoke the context menu.
// Calling ShowContextMenu() directly from here does not
// work.
<b>Application.Invoke</b>( delegate
{
Debug.WriteLine( "Delegate invoked" );
ShowContextMenu("Shift-F10 - ");
} );
}
</pre>
<br />
For completeness, here is the implementation of very simple ShowContextMenu():<br />
<br />
<pre>void ShowContextMenu (String prefix = "")
{
Menu m = new Menu();
MenuItem mi = new MenuItem( prefix + "Item 1" );
mi.Activated += (object sender, EventArgs e) =>
{
String s = prefix + "Item 1 Clicked";
Debug.WriteLine( s );
ShowMsgBox( this, s );
};
m.Append(mi);
mi = new MenuItem( prefix + "Item 2" );
mi.Activated += (object sender, EventArgs e) =>
{
String s = prefix + "Item 2 Clicked";
Debug.WriteLine( s );
ShowMsgBox( this, s );
};
m.Append( mi ); </pre>
<pre> </pre>
<pre> m.ShowAll();
m.Popup();
}
</pre>
<br />L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0tag:blogger.com,1999:blog-3150901600152577599.post-64300389055816207142014-05-13T15:47:00.000+10:002014-05-13T15:47:03.516+10:00CLR and Mono Runtime difference - System.Diagnostics.DefaultTraceListener.AssertUiEnabledThis one to some is a very contentious issue and is present in the Mono runtime 2.10.8.1 running in Mint-15.<br />
<br />
While this property is not well known to many as rarely one would need to touch this in CLR, it is intimately related to the well-known method <a href="http://msdn.microsoft.com/en-us/library/system.diagnostics.debug.assert%28v=vs.110%29.aspx">System.Diagnostics.Debug.Assert()</a>.<br />
<br />
The runtime behaviour of Debug.Assert() depends on the behaviour of the trace listener(s) that have been loaded at that time. When the expression becomes false, Debug.Assert() calls the System.Diagnostics.TraceListener.Fail().<br />
<br />
At start up time, CLR & Mono would load a number of System.Diagnostics.TraceListener-derived class(es). If there is no overriding specification in the application's config file, the runtime loads the <a href="http://msdn.microsoft.com/en-us/library/system.diagnostics.defaulttracelistener%28v=vs.110%29.aspx">System.Diagnostics.DefaultTraceListener</a> and is identified in the collection of TraceListeners by the name "<b>Default</b>".<br />
<br />
In CLR for most runtime environment, such as Console, WinForm, WPF, WCF, Debug.Assert() by default will alert the user with a user-interface that allows the user to abort or ignore. This behaviour has not changed since the first release of the .Net framework and runtime. Of course this behaviour is entirely configurable.<br />
<br />
If System.Diagnostics.DefaultTraceListener is the default TraceListener, the default behavour of alerting the developer is by means of a user-interface to inform of the unmet condition. This is the desired behaviour for most situations during development. This is because the <a href="http://msdn.microsoft.com/en-us/library/system.diagnostics.defaulttracelistener.assertuienabled%28v=vs.110%29.aspx">System.Diagnostics.DefaultTraceListener.AssertUiEnabled</a> is default to <b>true</b>.<br />
<br />
However, in Mono, the <b>System.Diagnostics.DefaultTraceListener.AssertUiEnabled</b> is by default initialized (or lack of explicit initialization in DefaultTraceListener class) to <b>false</b>.<br />
<br />
This discrepancy in the default value often leads to developer's gripe and incorrectly accusing the Mono's System.Diagnostics.Debug.Assert() failure to catch the unmet condition; by defaut Mono just does not alert the user loudly. The Internet has plenty of Linux/Unix ways of 'fixing' this problem. But I will present here the .Net ways of fixing this discrepancy in the spirit of maintaining cross-platform runtime consistency.<br />
<br />
It is nothing more annoying when one writes defensive code using Debug.Assert() liberally only to be silently scuttled by a difference in default value in another class. I have lost count of the number of hours trying to find some problems that should have been caught by Debug.Assert() but flew past me silently!<br />
<br />
<h2>
How to fix this? </h2>
To convince yourself you can report out the default value for <b>DefaultTraceListener.AssertUiEnabled</b> by writing a simple console application like this that can run successfully in both Mono and CLR:<br />
<br />
<pre>class MainClass
{
public static void Main (string[] args)
{
Console.WriteLine ("Default value of AssertUiEnabled = {0}",
(Debug.Listeners ["Default"] as DefaultTraceListener).AssertUiEnabled);
}
}</pre>
<br />
You should get <b>true</b> when run in <b>CLR</b> and <b>false</b> when in <b>Mono</b>.<br />
<br />
The
reason for assuming false in Mono could be historical where Mono
initially did not have any GUI support; this has changed and the code
for DefaultTraceListener.Fail() contains code to invoke user-interface.<br />
<br />
However,
even in the absence of rich user-interface it should adopt the approach
used by other languages, such as Java's assert keyword, assert() in
C/C++ language, where it aborts the execution reporting the point of
failure. Not reporting to a developer loudly by default is dangerous,
considering the usage promoted by Debug.Assert(). If a crude way of alerting the user is unsuitable, the .Net has ways to allow user to alter the behaviour and that is a user-initiated process and that the user then know where to look for violations. This also makes the runtime behaviour consistent with CLR. Not telling misleads the developers of fault. The current situation is like asking Java developers to make the JRE's behaviour of <b>java -ea</b> different in Windows and in Linux!<br />
<br />
<h3>
Without recompilation - use Application Configuration File</h3>
This is by far the most convenient way to fix this problem and that it works for both CLR and Mono.<br />
<br />
You simply include the following fragment in your application configuration (if none, create one) to add an <a href="http://msdn.microsoft.com/en-us/library/ty5e4c4h%28v=vs.110%29.aspx">assert element</a> to force the <b>assertuienabled</b> to true:<br />
<br />
<pre> <system.diagnostics>
<!-- This changes the DefaultTraceListener.AssertUiEnabled from false to true -->
<assert assertuienabled="true" />
</system.diagnostics>
</pre>
<h3>
With code</h3>
This approach will require you to compile new code. However, if you are testing ready-made assembly and do not want to rebuild them, this approach can be adopted by including the following piece of code in the start up code:<br />
<pre> </pre>
<pre>(Debug.Listeners ["Default"] as DefaultTraceListener).AssertUiEnabled = true;
</pre>
<br />
I hope this post will make the experience of developers looking for Mono as their cross-platform environment more pleasing.<br />
<br />L. Marhttp://www.blogger.com/profile/12467212807268032119noreply@blogger.com0