A site devoted to discussing techniques that promote quality and ethical practices in software development.

Monday, March 2, 2020

How to deal with Windows 10 "Snip & Sketch" with LibreOffice Writer

Since Windows 10 version 1809, Microsoft has shipped a new Windows App called "Snip & Sketch" (package name "Microsoft.ScreenSketch"), intended to replace the trusty Snipping Tool (SnippingTool.exe).

Snip & Sketch can capture the screen (rectangle, free form, etc.) like the Snipping Tool; however, for some inexplicable reason the images it produces cannot be pasted into a document in LibreOffice Writer. Ctrl-V in LibreOffice does nothing.

There are two ways to invoke it:
1) You can launch "Snip & Sketch" (use the search), which is a Windows App. You can recognise it by its appearance once launched.
2) Or you can press the Windows shortcut key: Windows Logo Key + Shift + S. This launches the Snipping Bar.

If one uses Method 1), the captured image is inaccessible to LibreOffice Writer. I have experimented with AbiWord, KeepNote, and CherryTree, programs that can embed images into their documents, and they all work fine.

Only LibreOffice Writer (ver 6.1.63, 6.3.5, and 6.4.1.2, all running on Windows 10 1903) fails the test. With these versions of LibreOffice running on brand new laptops, old laptops and a desktop, I cannot reproduce the claimed effect stated on the LibreOffice site.

Method 2) is the most reliable method as it works with Microsoft and LibreOffice Writer. When that shortcut key is pressed, a small bar called the Snipping Bar pops up at the top of the screen. With that the user can choose how to capture, like the trusty Snipping Tool.

While the Snipping Bar does not have any menu item to indicate that you can save, crop, or annotate the image, once a screen portion is captured Windows displays a transient message window showing the captured part and informing the user that it has been sent to the clipboard.

This transient window will then appear in the notification collection. If you are quick enough, you can click on that transient window to launch the "Snip & Sketch" App with the captured image embedded in it allowing you to do the "Sketch" or File save part.

If you want to use "Snip & Sketch" to annotate, crop, etc. the captured image and then paste it into LibreOffice Writer, here are the steps:
1) Once you have completed the process in "Snip & Sketch", press the "Copy" icon just to be sure the right image is transferred to the clipboard.
2) Open MS Paint (paint) and paste the image into it.
3) Use the Select tool (mostly I use Rectangular Selection) to select the part you want to paste into your document.
4) Then press Copy (or Ctrl-C) to deposit it onto the clipboard.
5) Switch to the tool you want to paste the image into and press Paste (or Ctrl-V).

There is no need to involve saving to file. It is already clumsy enough.

It seems the fault is in LibreOffice Writer.



Monday, February 12, 2018

Linux Foxit Reader - possible leaking your document

I have been using Foxit Reader for Linux for a while and was using version 2.4.0.14978 in Mint 18.3 (64-bits) to read a PDF document.

All of a sudden several popup messages, like this:
popped up, and some time later they were followed by several more like this.

How can someone comment on a document if they have not read it? Hence, according to this message box, it is clear that Foxit Reader surreptitiously uploads the user's document without consent to some cloud site to be shared. It is creepy.

This is a clear breach of privacy and I sincerely urge Foxit developers to investigate this serious matter.

Maybe this is caused by ConnectedPDF, something Linux users cannot turn off while the Windows version can. At least the Foxit Cloud can be eradicated by deleting the entire fxplugs directory.

In the meantime I urge all Linux users of Foxit Reader to uninstall it to protect your privacy. If you do uninstall it, make sure you delete ~/.local/share/Foxit\ Reader, ~/opt/foxitreader, and ~/.config/Foxit\ Reader.

If you need a reader with the ability to annotate your PDF documents, you can use Okular, which is available from Canonical or your software manager.

Apart from leaking documents, Linux Foxit Reader is rather buggy, crashing randomly in different operations like annotating, printing, etc. Not only is its reader flaky, its forum is also very poorly implemented. I, a registered user, tried several times to post messages on this and so far I have yet to see any appear. It seems to behave like a trash can.

Saturday, December 16, 2017

www.kproxy.com uses your resource to perform in-browser mining code

I was shocked to see a prompt seeking my consent to run some calculation on my machine when I loosened my Tor Browser's security level while using www.kproxy.com to reach another site.

Naturally that rings a bell that the "calculation" is referring to in-browser mining code.

So I set about examining the page, and through inspection and experimentation identified that it is KProxy that loads the in-browser mining code and not the target site, which happens to be https://www.google.com.

The in-browser mining code is not on the landing page of KProxy; it is only injected when you surf to the target site. Shame on you KProxy for not even stating that your users' resources could be used for mining purposes.

KProxy has 10 public servers and here are what they are loading:
Server 1, 2, 3, 10: https[:]//coinhive.com/lib/coinhive.min.js

Server 4, 5, 6, 7, 8, 9: https[:]//authedmine.com/lib/authedmine.min.js

The heading comment in authedmine.min.js declares that it will only run the in-browser mining code if you opt-in.

You be the judge of whether you can believe such a declaration. As for my money, stay away from KProxy, and if you are running "uBlock Origin" add these two domains to your filter to block them.

My Tor Browser is now reset to the maximum security.
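As an added example (not code from the original post or from KProxy), the detection below does in code what the post describes doing by hand: it parses a page as it arrived through the proxy, collects every script source, and flags those served from the two domains the post names, matching subdomains the way a "||domain^" uBlock Origin filter does. The sample page is constructed here, and the cdn.coinhive.com host in it is made up to exercise the subdomain match.

```python
"""Flag <script src="..."> tags on a proxied page whose host is on a blocklist."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the post identifies as serving in-browser mining scripts.
MINER_DOMAINS = {"coinhive.com", "authedmine.com"}

# Equivalent uBlock Origin static filter lines, one per domain.
UBLOCK_FILTERS = ["||coinhive.com^", "||authedmine.com^"]


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def _host_of(src, page_scheme="https"):
    """Hostname of a script URL; protocol-relative URLs borrow the page's scheme."""
    if src.startswith("//"):
        src = f"{page_scheme}:{src}"
    return (urlparse(src).hostname or "").lower()


def _on_blocklist(host):
    """True for a listed domain or any of its subdomains, as "||domain^" matches."""
    return any(host == d or host.endswith("." + d) for d in MINER_DOMAINS)


def find_miner_scripts(html):
    """Return the script URLs in `html` that load from a blocklisted domain."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return [s for s in parser.sources if _on_blocklist(_host_of(s))]


# Constructed sample: a proxy-rewritten page with two injected miner loaders
# (the cdn. subdomain is invented to show the subdomain match).
SAMPLE_PAGE = """<html><head>
<script src="/static/proxy.js"></script>
<script src="https://authedmine.com/lib/authedmine.min.js"></script>
</head><body>
<script src="//www.google.com/js/app.js"></script>
<script src='https://cdn.coinhive.com/lib/coinhive.min.js'></script>
</body></html>"""

if __name__ == "__main__":
    for url in find_miner_scripts(SAMPLE_PAGE):
        print("miner script:", url)
```

Run against a saved copy of the page (for example, the raw response captured with the browser's developer tools) rather than the live site; relative sources such as /static/proxy.js are attributed to the page itself and therefore never match.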

Tuesday, September 19, 2017

Advice from a long time Skype user - it is time to ditch Microsoft Skype

Recently, a Skype user told me that when he tried to sign into his Skype account with his Android phone, he was pestered by Microsoft Skype, which had detected that the mobile number on his SIM card was different from the number he recorded in his account (it is a big mistake to be too complete in the profile), and was demanding some form of verification. Of course it was different, as he was in an overseas country using a local SIM.

Now I have heard of two people who have just returned to the US from an extended overseas stay being hassled in this way, preventing them from using Skype to convey their message of arrival. They were using Skype without trouble or hassle while they were overseas. They told me of their experience after using Wire messenger.

As a long time user - I used Skype when it was first developed and released, way before Microsoft acquired it - I am furious to hear of this kind of hassle.

Initially I thought they might have used the wrong version of Skype (remember, Microsoft, the stupid saga in Windows 8, when your Metro-style Skype was half baked and everyone had to uninstall it and install the full-featured Desktop version?).

I have always recommended Skype to others as a messenger that does not link to any mobile phone number, and it seems Microsoft has decided to impose the draconian imposition stated in their FAQ and hassle their users by demanding this.

While Skype is the property of Microsoft and Microsoft can do all sorts of stupid things, Microsoft is reminded that the messenger space is full of competitors with more features than your aged product. Microsoft seems to be still living in the past, when Skype was the only messenger. Now, in fact, Microsoft Skype is known as a laggard and is not even in the race.

It is disappointing to see Microsoft decide to spend its time and energy implementing childish Snapchat-style features and then hassling its users, as if Microsoft wanted to drive them away to its numerous competitors, by imposing all these ridiculous demands and acts of invasion of privacy.

I have yet to see a messenger asking for a DOB, except now Skype, with the weakest of excuses: "Microsoft Account requires your date of birth to give you the best experience". Please note that the user's DOB is none of your business.

If you are being hassled by Microsoft Skype, here is something from a long time Skype user that I have found hard to say, but Microsoft's draconian imposition has driven me to it: switch to Wire or another messenger. It is time to ditch Microsoft Skype.

Wire does not ask you for a DOB, does not link you to the mobile phone number in the SIM (the phone number is optional and can even be your landline), and definitely does not ask you all sorts of unnecessary and intrusive questions in the profile. In fact Wire does not have any profile at all.

Wire is open source and audited, while Skype is closed source and no one has seen its code. You use Skype with a good dose of trust, something I have found hard to award to Skype. Wire has end-to-end encryption while Skype does not publish what it does. Requiring your DOB is a clearly unnecessary invasion of privacy that Microsoft tries to hide behind some weak, irrational excuses.

Don't waste your time meeting Microsoft Skype's unreasonable imposition; switch to Wire, Signal or other, more featureful messengers that are designed to be secure and private. I have already made the switch.




Sunday, September 3, 2017

Firefox Focus - simple effective way to stop auto-completion on entering URL

Firefox Focus running on Android & iOS is highly recommended to protect your online privacy. It is fast and safe.

However, there is one annoying feature (still there in version 1.3 Build #10 for Android) when entering the URL into the address field. After you have typed several letters, it attempts to offer suggestions and perform auto-completion for you. All the time it produces gibberish, and then one has to use backspace to get rid of it and start again.

There is no setting to turn this off, and people have reported this bug to Mozilla.

In the meantime, there is one simple effective way to stop this unintelligent auto-completion. To do this, before you enter the URL, type a space character first.

The space seems to stop Firefox Focus from trying to guess what you want to enter and you are then left alone entering the URL properly. Give that a try.



Wednesday, May 24, 2017

The way to suppress Mono's "WARNING: The runtime version supported by this application is unavailable"

Many people will have encountered the following dreaded Mono runtime warning,

WARNING: The runtime version supported by this application is unavailable.
Using default runtime: v4.0.30319


when one runs a console application in Mono.

This is caused by the fact that the machine running this program does not have the version of the framework used to build the program. The only version of the framework available on this machine is v4.0.30319.

Sadly this warning is written to stdout, so you cannot redirect it elsewhere the way you could if it were written to stderr.

The proper way to deal with this is to tell Mono that your application can also run in whatever version of the framework is installed on the machine. To do so you simply add a <startup><supportedRuntime> element to the application configuration file. If your application does not have one, create one containing the following lines:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <startup>
        <supportedRuntime version="v2.0.50727"/>
        <supportedRuntime version="v4.0.30319"/>
        <supportedRuntime version="v4.0"/>
    </startup>
</configuration>

This config file also says that if you have the version 2 framework installed, it will use that, the one the application was built with. The order of the supportedRuntime elements is important.

With that, if the only framework installed is version 4.0.30319, your application will not cause that warning message. Of course, as a recommended practice, you must also test your application on a framework that is NOT the one you used to build it, to ensure no subtle difference in behaviour creeps in.

Saturday, March 18, 2017

This is the way to add bi-weekly repeats into Samsung S Planner.

For some obscure reason that only Samsung's Android developers would know, it has never had the ability to define a bi-weekly or fortnightly repeating event, let alone a repeating task.

My latest NoteEdge (SM-N9150) running Android 6.0.1 still does not have it. In the process of finding a third party reminder app to supplement the deficiency in S Planner, I have discovered a very simple way to do this.

To allow you to define custom repeats, install "To-Do Calendar Planner", which installs the isoTimer app onto your handset.

When you start isoTimer for the first time, grant it permission to access your Calendar. You can deny it permission to your Contacts, just as I do.

Then you use isoTimer's interface, albeit a bit unusual, to create an event or task, and to set a bi-weekly repeat use the "Repeat every X Days" option.

What this program does is to inject those repeats into the S Planner's Calendar. I am using a localised calendar as the default and that is where the isoTimer injects the repeat event/task into.

So it seems Samsung has stubbornly refused to implement a user interface to support bi-weekly repeats, which is surprising for such a common requirement.

Now you have a simple way to overcome Samsung's deficiency.

Tuesday, November 22, 2016

Signal Messenger vs Wire Messenger - private voice communication

I am a frequent user of Signal, but I met a situation where a friend, let's call him Bob, also a Signal user, wanted to talk with me using Signal. We could chat but we could not talk. I have no trouble having a voice conversation over Signal with other users on public Internet services. Attempts to connect to or from Bob always failed. He was using Signal on a campus network and I suspect the reason for these failures was that certain ports Signal calls need to go through were being blocked. Bob also uses Skype, and there is no problem striking up a crystal clear voice conversation with him using that.

So I wondered whether other so-called private messengers supporting E2EE on voice calls would suffer from the same problem.

After waiting for Bob to upgrade from his old Android 4.0 machine, as an experiment he installed Wire Messenger, one that I also use and that shows great promise; I have great respect for it. This messenger also uses the Signal protocol to perform E2EE and it has far more features than Signal. However, it is not as widely known as Signal and definitely less than WhatsApp.

Finally, Bob and I successfully managed to talk securely using Wire, protected by the Signal protocol, traversing the same tightly protected network. We've decided to give Signal a miss because the new phone is now a fully populated dual-SIM phone; see comments below.

So if anyone is having trouble talking with Signal, give Wire a try; you can even test it using your web browser. For those not familiar with Wire, it has several great benefits that Signal and WhatsApp fail to offer:

Benefits
✔ Works without depending on a SIM or phone number

Unlike Signal & WhatsApp, it uses an e-mail address as the identifier, with name and phone number as optional identifiers. These optional identifiers can be changed at will; the phone number you enter can be different from the one in the SIM.

Moreover, the e-mail is only used during account registration for receiving the verification code. After that it is just a pure identifier, like the mobile number used in WhatsApp or Signal.

You can look up friends based on e-mail address, name, or number.

✔ Because of its independence from the SIM, its desktop version is a totally stand-alone program, unlike Signal and WhatsApp, whose desktop versions are appendages to their smartphone siblings.

✔ Because of that, you can run Wire entirely from a web browser without having to establish an account on a smartphone. No need to install anything. It is a great bonus to be able to walk up to an airport kiosk and start chatting.

✔ Access to your phone's Contacts is totally optional because its primary identifier is the e-mail address and not phone number. However, if you grant it access to the Contacts, it can use the Contacts data to look up friends.

✔ Its obliviousness to the SIM is a great bonus for those operating a dual-SIM phone. Because it does not rely on the SIM, it can be used on a dual-SIM phone without the usual chaos associated with SIM-dependent messengers.

If you are in a situation with a dual-SIM phone, switch over to Wire and you can use the phone to the fullest rather than carrying two physical phones just to escape the madness.

✔ Because it does not care about the SIM, it is a great tool for travellers who like to use a local SIM. One does not have to do anything to continue the conversation.

✔ At the time of writing and testing (Signal 3.22.2 and Wire 2.22.298), Wire is the only one with encrypted video conferencing and file attachments.

Disadvantages
❌ Since most private messengers use encryption, in various schemes, to provide content integrity and safety, the degree of their privacy is now measured solely on how much metadata the messenger retains, for how long, and for what purpose. Metadata is essential for the system to operate correctly. It is the system's retention policy for this data, or a portion of it, that affects its degree of privacy.

According to this measure, Signal ranks supreme as the ultimate private messenger. A recent grand jury demand in the US laid bare the amount of data retained by Signal: the date the user first registered and the last time the user contacted the system (it does not even record the participants of a conversation).

No messenger so far has ever published verifiable data to surpass Signal or even dared to challenge its supremacy. If you do not hold data, how can you be forced to hand it over? Not holding data is the best defense against an authority demanding that it be handed over, as opposed to the data retainer's expensive court fight.

While Wire has declared what kind of metadata (Creator, Timestamp, Participants list, and Conversation name) it records, it has not declared the retention period or the purpose of retaining it. As can be seen, Wire collects tons of data by comparison to Signal and is as a result less private, and thus less secure, than Signal.

In fairness, what Wire collects is probably small by comparison with, or typical of, what other messengers such as WhatsApp, Wickr, etc. collect. At least Wire declares precisely what is being collected, albeit without explaining the purpose, rather than giving some general non-specific statement like WhatsApp, which even attempted, but aborted, sharing data with its master.

❌ Small user base.
This can be a bonus if you really want a truly private messenger without being bombarded by tons of conversations. This is not a reflection of any lack of technical excellence in Wire but more of human inertia to change - a Network Effect. It also demonstrates that the bulk of messenger users pay little attention to encryption and metadata retention.


Monday, August 22, 2016

Remove Nagware from Foxit Reader (Linux) version 2.1.0805

It is disappointing to see a perfectly good, useful, and feature-rich PDF viewer damaging its reputation by engaging in nagware in the latest version of Foxit Reader for Linux.

The nagware is very persistent, trying to force users to use ConnectedPDF every time one launches Foxit Reader. There is no way to tell it to stop pestering me.

Furthermore, in the preferences dialog box, the settings for ConnectedPDF fail (possibly deliberately) to remember my change to the "Use ConnectedPDF Format" setting. I unchecked "Automatically save PDF files in ConnectedPDF format" but the dialog box failed to record my change.

If you are annoyed by this nagware or pester-ware and have no intention of using ConnectedPDF, you can get rid of it easily.

Just go to Foxit Reader's installation directory, typically ~/opt/foxitsoftware/foxitreader, and either rename or delete the fxplugins folder to summarily dismiss the pesterware. You may have to elevate your privileges to accomplish that. Once this is done, you will not see the nagware again. Peace at last.
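The following is an added example, not code from either Foxit post or from Foxit itself. It scripts the two manual steps the posts describe: renaming the fxplugins directory under the install directory so the plugin set cannot load (this post), and removing the install and per-user directories that the 2018 post lists for a full clean-up. The ".disabled" suffix and the demo() helper, which builds a throwaway directory tree to exercise the functions, are this example's own assumptions.

```python
"""Neutralise Foxit Reader (Linux) plugins and remove its leftovers."""
import shutil
import tempfile
from pathlib import Path

# Directories named in the posts, relative to the user's home directory.
INSTALL_DIRS = ["opt/foxitsoftware/foxitreader", "opt/foxitreader"]
DATA_DIRS = [".local/share/Foxit Reader", ".config/Foxit Reader"]
PLUGIN_DIR = "fxplugins"


def find_leftovers(home):
    """Return every Foxit install or data directory that exists under `home`."""
    home = Path(home)
    return [home / rel for rel in INSTALL_DIRS + DATA_DIRS if (home / rel).is_dir()]


def disable_plugins(install_dir, dry_run=False):
    """Rename <install_dir>/fxplugins out of the way; return the new path, or None if absent."""
    plugins = Path(install_dir) / PLUGIN_DIR
    if not plugins.is_dir():
        return None
    target = plugins.with_name(PLUGIN_DIR + ".disabled")  # suffix is this example's choice
    if not dry_run:
        plugins.rename(target)  # a system-wide install may need elevated privileges here
    return target


def remove_leftovers(home, dry_run=False):
    """Delete the directories find_leftovers reports; return the list that was handled."""
    found = find_leftovers(home)
    if not dry_run:
        for path in found:
            shutil.rmtree(path)
    return found


def demo():
    """Build a throwaway home shaped like a Foxit install, run both tools, report results."""
    root = Path(tempfile.mkdtemp())
    try:
        install = root / INSTALL_DIRS[0]
        (install / PLUGIN_DIR).mkdir(parents=True)
        (root / DATA_DIRS[1]).mkdir(parents=True)
        found_before = [p.relative_to(root).as_posix() for p in find_leftovers(root)]
        disabled = disable_plugins(install)
        plugins_disabled = not (install / PLUGIN_DIR).exists() and disabled.is_dir()
        remove_leftovers(root)
        return {
            "found": found_before,
            "plugins_disabled": plugins_disabled,
            "left_after_removal": find_leftovers(root),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
    for path in find_leftovers(Path.home()):
        print("Foxit directory present:", path)
```

Run with dry_run=True first to see what would be touched; only the last loop in the block looks at your real home directory, and it only reports, never deletes.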

Shame on you Foxit and that is a good way to drive away users.

Saturday, May 21, 2016

Dumb algorithm in Yahoo Mail is a laughing stock

I tried to send an e-mail to a Yahoo Mail recipient warning him not to use his e-mail account's password as the password when registering on sites that ask him for his e-mail address. I cited the case of LinkedIn. I told him that sites other than his e-mail provider have no right to know his e-mail account's password.

The e-mail was blocked with "554 Message not allowed - [298]", and Yahoo is the only mail server blocking that message, as the other recipients on other mail services had no problem. Clearly their services are smarter than dumb Yahoo.

Not deterred, and to demonstrate how easy it is to by-pass Yahoo's so-called algorithm and automatic scanning of mail content to block offending material, I simply used the Windows Snipping Tool to convert the content to a bitmap and embedded that in the body of the message.

The exact content is preserved and the dumb Yahoo algorithm is by-passed!! If it was objectionable to Yahoo, the same objectionable content is waved past, as the algorithm totally lacks any intelligence. It is not even steganography.

What Yahoo has done is nothing but theatre. What a joke their implementation is.

Tuesday, March 29, 2016

Which of the 10 URL Shorteners are not hostile to Tor?

I examined 10 URL Shortener Services one by one to evaluate their hostility towards Tor Browser.

Those that put roadblocks in the way, such as CAPTCHAs or other techniques, are classified as hostile services. Another requirement is that a service should also operate properly in Android's Orfox, the Android equivalent of Tor Browser.

If it works in laptop/desktop Tor Browser and not in Orfox, it is still classified as hostile. Any service that requires logging in etc., even though it presents no hostile roadblocks, is placed in the "Useless" category. Too much trouble.

Tor Browser users should blacklist those hostile services, as they do not possess any uniqueness; the review below shows there are friendly alternatives. In that way the Tor community can deny them visits and advertising dollars, much like AdBlock Plus.

Tor users can refer to this Tor Project site for a more comprehensive list of Tor-hostile sites.

Only 5 out of 10 are Tor friendly. Naturally Google is one of the hostile ones.

Tor Friendly sites

Bitly
In Orfox, one needs to add cloudfront.net and Googleapis.com to NoScript's whitelist.

TinyURL.com
There are times when this site demands CAPTCHA validation; more experiments are needed to determine its friendliness.

AdF.ly
One needs to add this site to the NoScript whitelist in Orfox.

Bit.do

Mcaf.ee
Given this is in beta, it loads slowly but still works in a no-nonsense manner. Hope it will not be hostile to Tor as it matures.


Hostile Services

Goo.gl

Ow.ly

Is.gd

Useless

Is.gd

X.co

Monday, March 14, 2016

A way to bypass Tor Browser hostile web sites

It is really a form of anti-Net Neutrality for web sites, most notably web hosting sites like CloudFlare, to discriminate against Tor Browser users by putting up all sorts of childish barriers in an attempt to prevent them from gaining access to the material.

Perhaps by comparison, CloudFlare is not as anti-Tor as Akamai, which simply greets Tor users with a 404.

It is an easy way out to put all Tor Browser users in the same boat as those using the tool to abuse the system. If that kind of thinking prevails, maybe we should all shut down the Internet, as not a day goes by without an attack being carried out on the Internet. Any other way would require intelligence that they have not got, and it also makes good sales material for telling their customers that they can block all those abusers using Tor.

Thankfully, there is a way to get past their childish game. I simply route the access through Start Page's proxy from Tor Browser. Just do a search for the link from Tor Browser and then use the proxy to access it.



Friday, February 5, 2016

Lenovo SHAREit - turning a useful program into a useless one

I once enjoyed using Lenovo's SHAREit program on my Android phone, pairing it with the one that came with my Lenovo laptop, and had been recommending it to others.

This was in the days of ver 2.x of this program. That version was not only functional but also lacked any of the fancy stuff. It worked wonderfully.

Like so much software, Lenovo changed all that in version 3. Instead of letting the program running on the devices scan for compatible ones, the only option it offers to connect to the PC is to use the camera to look for a QR code from the laptop's version of SHAREit.

Surely, just because there is a camera in the phone, you don't have to use it in preference to the workable solution in ver 2. To work with version 3, even though all other facilities on the Android phone and laptop are unchanged, users have to do a version 3 upgrade.

It is not hard to find, and after I installed version 3 it popped up the EULA: unless I allowed this program to suck up my personal and usage information and haul it back to Lenovo, I could not use it.

I treasure my information more than SHAREit, and hence without hesitation I hit the decline button, and so be it. I highly recommend everyone do so, as I am offering you a much less surveilled method.

So disgusted with Lenovo's SHAREit, I summarily uninstalled it from my laptop and all the Android phones I have. Goodbye SHAREit, with pleasure.

If your laptop and phone have Bluetooth, why not put that to good use? You can follow these well written instructions to use it.

The best way to send a file from the Android phone to the paired device is to use the share facility.

I encourage every user of SHAREit to uninstall it, as it only puts a glossy veneer on top of facilities that are already there, with the aim of capturing your data.

If all else fails, the USB cable is just as good, and one does not have to submit to Lenovo's unreasonable demands.

Tuesday, December 15, 2015

Is building a better mouse trap (Signal Private Messenger) enough to win market shares?

I am pleased to see the release of Signal Private Messenger for Android and iOS, a messaging application that has earned full marks on the EFF security scorecard. I am a fan of this product and I like it very much for the following reasons:
  • It is an open-source project offering the service for free. WhatsApp is not free.
  • As a result, it can be reviewed by anyone capable of doing so, while WhatsApp is proprietary; even though it claims to be underpinned by Open Whisper Systems, no one has reviewed that. Recent events have indicated that WhatsApp messages have been intercepted and decoded.
  • It is not owned by any company, while WhatsApp is owned by Facebook and Skype by Microsoft. Thus all metadata in WhatsApp and Skype belongs to Facebook or Microsoft respectively.

According to well-known security researchers Bruce Schneier and Matt Green, Signal is developed to a very high quality to provide end-to-end encryption (E2E) not only for messaging but also for voice, and their endorsement must mean something.

I am not here to raise doubts about this product, which I am using, admittedly with very few users to interact with, and in which I have great trust. I hope it will do well.

But I am here to question whether it is enough to rely on technical superiority, which is so well hidden from the users, to induce them to switch to Signal and grow its market share. That is: is building a smarter (more secure) mouse trap enough to win market share? Other classes of software, such as web browsers, anti-virus, media players, or mail clients, can draw people to switch based on superiority of features.

Looking at the landscape of messaging applications, it is difficult to see how Signal can rely on its security implementation, so out of sight of the user, to win market share. Will this become a 21st century replay of VHS (WhatsApp, Skype, etc.) vs BetaMax (Signal)?

Messaging applications are like clubs or cults: they only allow club members to interact, go to great lengths to discourage any inducement to leave, and definitely provide no facility to support inter-club interaction. This produces a network effect that draws people in and also becomes a disincentive to leave, and its nurturing of human social interaction provides positive feedback that increases the network effect.

Looking at the EFF security scorecard, most of the popular messaging applications do not use security best practices, and their inferiority does not seem to matter to users. The anecdotal conclusion one can draw is that users do not care about online privacy and security despite well publicised massive surveillance activities. Unlike other types of application, such as web browsers, there is no report of people deserting one messaging application for another, despite vulnerabilities and being caught not using the secure messaging mechanisms they claim to use. The entrenched players must feel they are in a no-lose situation. The only way they can lose to a competitor is by total annihilation of the enterprise.

Messaging applications have another unique characteristic: it is not the features that draw users to choose a particular application; there is a great degree of peer pressure exerted by early adopters, unwittingly forcing people to join that circle of friends. This peer pressure then forms a vortex that draws more and more people in. Their only concern is to be able to communicate with the club members.

Because of the lack of support for inter-application interaction, an application's proprietary communication protocol forms a natural barrier to its users leaving. Apart from that, the user sees no benefit in using a different application that essentially provides the same things - messaging and maybe voice - while having to desert their friends. So why leave? What is the benefit to them?

Many users of messaging applications also hold the mistaken belief that they can only use one messaging application on their device. Perhaps because of this mistaken belief, or blind fanaticism for their favourite application, they are also reluctant to install other messaging applications to increase their reach to their friends. Since Signal is so similar to WhatsApp, it is simply a matter of installing it and waiting for others in the contact list to install their copy of Signal to re-establish communication. Even something that simple is not enticing.

I have spoken to several users of messaging applications as well as non-users, recommending that they switch over to a more secure application called Signal. But telling them the benefits of Signal is like talking about wine appreciation to a group of teetotalers. To them the improved security and end-to-end encryption (E2E) are not enough to sway them. Even people who have not used a messaging application seem reluctant to get on board with Signal because they have not heard it mentioned by their friends. This is particularly difficult when Signal is so similar in operation to WhatsApp, separated only by a thin veneer of technical features. In view of this, users of WhatsApp (or another app) are unwilling to desert their circle of friends to use something that to them is almost the same thing, with a minute user base by comparison.

So I wonder how a latecomer like Signal can overcome these barriers to increase its market share. How can it rely on technical superiority to entice users who are uninterested in the very features Signal relies on to distinguish itself from others? What is the future of Signal apart from being a niche player at best? Clearly Signal needs to improve its image and marketing.

From the analysis, users of messaging applications place extremely high premium on their ability to reach their circle of friends and ignore other issues like security and privacy. Therefore if the new comer, like Signal, wanting to rise up, it must give their users a transparent way to interact with their circle of friends without requiring them to switch en masse like the present situation. How to achieve that is the real challenge in messaging application development in view of no standard communication protocol?

Monday, December 7, 2015

Comments on using e-mail address as username for online services

I have encountered more and more online services using the e-mail address as the user name. To my mind, this is a lazy way for the service to obtain a unique user name when creating an account. In some rare cases this may be fine, but generally it is a very restrictive form, for the reasons given below.

Using the e-mail address as the user name has the following problems:
1) While it is unique across the Internet, it does not uniquely identify a user of the service, and is therefore unsuitable as a user name unless the service has another facility to deal with one e-mail address serving multiple users.

For example, someone who manages several properties or funds belonging to different entities under a management agreement will often find it convenient to use one e-mail address for all of them. It is also possible that the e-mail owner owns all those properties or funds. Either way, it is unreasonable to base the identifier on an e-mail address, which does not map to a unique entity; an e-mail address is for correspondence, like a house address.

Who would use a house address to identify a person living there, when the house can hold several persons?


I have seen one service that uses the user name (aka e-mail address) as a proxy for a fund account. This assumes the owner of that e-mail address cannot have more than one fund: one may be his own and another held under some other ownership arrangement, with correspondence for both sent to the same address. Clearly the developers have not modelled the usage requirement well.

This silly design is like the house-address analogy above, requiring a house to hold just one person.

The assumption that an e-mail address uniquely maps to a particular person or entity is unsound. Don't do it. It is far better, and more secure, for the system to generate a unique identifier for the user, such as an account number, and to store the e-mail address as an attribute of that account.

2) Using the e-mail address as the user name can confuse users into thinking they must supply the online service with the same password as their e-mail account. This subliminally encourages password reuse, a dangerous practice. It also hands an attacker who already holds a leaked e-mail address the exact login name to try, so a credential-stuffing attempt only has to guess the password.

A less technically savvy person may also be misled into believing that the e-mail provider now has access to, or is linked to, whatever material is held by the online service.

3) While it is infrequent, though neither impossible nor improbable, for people to change their e-mail address, services that use the e-mail address both for correspondence and for user identification inevitably make it hard for the user to change it. The root cause is a poor design pattern: one piece of data serving two distinct and different purposes. The user name identifies a user, which an e-mail address does not; the e-mail address is for correspondence, like a house address, which can be used by anyone living there to receive mail.

If you ask a sender to put only the address on the envelope, no one in the household will know to whom the letter is addressed; you need the addressee's name (the user name) as well. A person may one day move out of that address; he or she keeps the same name (user name) but simply changes the delivery address (the e-mail address). This may not happen often, but it is neither improbable nor impossible.

No right-minded person would conflate the two (the addressee's name and the delivery address), so why do it in a computer system?

To address this shortcoming, such services then have to provide a means for the user to define a separate e-mail address for correspondence. In that situation, which one should the system use during account set-up and validation?

How to overcome this poor design as a user?

If you, as a user, are confronted with this problem (how to use one e-mail address for more than one user of the service) you may try the following, provided that:
  • your e-mail provider supports e-mail aliases. GMail and Hotmail support them. If your provider does not, set up a GMail account as a mail redirector.
  • the online service's user-name (aka e-mail address) validation follows RFC 822, Section 6 (Address Specification), now superseded by RFC 5322. A validator that fails to parse addresses properly will reject an address carrying an alias tag.
Then use an e-mail alias (such as Somebody+Property1@GMail.com or Somebody+Property1@Hotmail.com) to let one mailbox serve several entities. The '+' character is valid in the local part of an address under the RFC. If the developers tell you it is an incorrect address, point them to the RFC. Be aware, though, that some services deliberately normalise away the '+tag' (treating Somebody+Property1 and Somebody as the same address) precisely to stop one mailbox opening several accounts; on such a service the trick will not work.

Those thinking of using the e-mail address as the user name to spare themselves the task of validating its uniqueness still need to validate that the e-mail address conforms to the RFC.

To me, validating and ensuring that a user name is unique within the system is far easier than validating an e-mail address, because the latter needs to check:
  • conformance to the RFC;
  • that the e-mail provider supports the alias syntax the user enters, since the service must make sure the address is reachable for correspondence. If the mail provider does not support that syntax, RFC conformance does not guarantee the address can receive mail. In practice the only reliable reachability check is to send a verification message and require the user to act on it.
Here lies the danger of tying two purposes to one piece of data: it is an inappropriate design pattern.
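The two points above in working form, as an added example that is not part of the original post: an address check that accepts '+' tags because '+' is "atext" under RFC 5322 (section 3.2.3), shown next to the kind of home-grown pattern that rejects them, and an account model in which the generated account id, the login name and the contact address are kept apart, so several accounts can share one mailbox and an account can change its contact address without changing its login. Class and function names are illustrative assumptions; no real service's API is implied, and the case-insensitive mailbox comparison assumes the provider ignores letter case, as GMail does.

```python
"""Added example (not from the original post): an addr-spec check that accepts
sub-addressing ("+" tags) because "+" is atext under RFC 5322 section 3.2.3,
next to the kind of naive pattern that rejects it, plus an account model that
keeps the generated account id, the login name and the contact address apart.
Class and function names are illustrative; no real service's API is implied."""
import re
import uuid

# RFC 5322 atext: ALPHA / DIGIT / "!#$%&'*+-/=?^_`{|}~" (quoted local parts omitted).
ATEXT = r"[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]"
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"
# Domain restricted to letters-digits-hyphen labels; address literals omitted.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
ADDR_SPEC = re.compile(rf"^(?P<local>{DOT_ATOM})@(?P<domain>{LABEL}(?:\.{LABEL})+)$")

# The sort of home-grown check that wrongly rejects Somebody+Property1@GMail.com.
NAIVE = re.compile(r"^[A-Za-z0-9._]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def valid_addr_spec(addr: str) -> bool:
    """True for a dot-atom addr-spec (RFC 5322 section 3.4.1); '+' is allowed."""
    return ADDR_SPEC.match(addr) is not None


def split_subaddress(addr: str):
    """Return (mailbox, tag, domain); tag is '' without a '+'. Providers such as
    GMail deliver mailbox+tag@domain to mailbox@domain."""
    m = ADDR_SPEC.match(addr)
    if m is None:
        raise ValueError(f"not an addr-spec: {addr!r}")
    mailbox, _, tag = m["local"].partition("+")
    return mailbox, tag, m["domain"]


def mailbox_key(addr: str):
    """Key under which two addresses reach the same inbox. Assumes the provider
    ignores the tag and letter case in the mailbox (true of GMail, not of all)."""
    mailbox, _tag, domain = split_subaddress(addr)
    return mailbox.casefold(), domain.casefold()


class Accounts:
    """Accounts are keyed by a generated id. The login name is unique on its
    own; the contact address is an attribute that may be shared by several
    accounts and changed without touching the login."""

    def __init__(self):
        self._by_id = {}
        self._by_login = {}

    def create(self, login: str, contact_email: str) -> str:
        if login.casefold() in self._by_login:
            raise ValueError(f"login {login!r} is already taken")
        if not valid_addr_spec(contact_email):
            raise ValueError(f"bad contact address {contact_email!r}")
        account_id = uuid.uuid4().hex
        self._by_id[account_id] = {"login": login, "contact": contact_email,
                                   "verified": False}
        self._by_login[login.casefold()] = account_id
        return account_id

    def change_contact(self, account_id: str, new_email: str) -> None:
        if not valid_addr_spec(new_email):
            raise ValueError(f"bad contact address {new_email!r}")
        acct = self._by_id[account_id]
        acct["contact"] = new_email
        acct["verified"] = False   # reachability is only proven by a verification round trip

    def mark_verified(self, account_id: str) -> None:
        self._by_id[account_id]["verified"] = True

    def contact(self, account_id: str) -> str:
        return self._by_id[account_id]["contact"]

    def accounts_for_mailbox(self, addr: str) -> list:
        """Every account whose contact address lands in the same inbox as addr."""
        key = mailbox_key(addr)
        return [aid for aid, acct in self._by_id.items()
                if mailbox_key(acct["contact"]) == key]
```

Note that `NAIVE` rejects `Somebody+Property1@GMail.com` while `valid_addr_spec` accepts it, and that `accounts_for_mailbox` is the query a support desk needs when one inbox legitimately owns several accounts; the `verified` flag is reset on every contact change because a syntactically valid address says nothing about whether mail will actually arrive.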

Sunday, October 11, 2015

To install or not install an application - what are the pros and cons?

With the advent of USB devices, many applications that once required an installation process have been converted to run without one, so that the user can run the program directly from the USB device on any machine. A large collection of such programs can be found online, mostly built on a portable application framework.

Other programs, such as TrueCrypt or its replacement VeraCrypt, offer a simpler model: a way to extract the files into a directory, from which the program can be executed.

I have been a fan of this convenient deployment model for a long time, in particular because it avoids any impact on the underlying operating system. It is especially helpful in troubleshooting, as nothing needs to be installed. Just run!

However, recently I have had second thoughts about whether the benefits of this model are worth the risk of allowing a malicious attacker to tamper with the program to do harm. When I need to use a USB device in an environment whose sanity I do not know, I always probe it first using tools carried on a write-locked SD card. In this way I am protected from becoming a carrier of attacks, or from being attacked.

Going back to the history of Windows: beginning with Windows 2000 (aka NT5), Microsoft has used security templates for the file system and registry to protect executables and key information, although much of that good intention was discarded in favour of convenience and ignorance. Microsoft eventually had to rein in the unruly behaviour by introducing UAC in Vista, to the dismay of a large and unappreciative community.

Apart from other benefits, the main aim of file-system security is to protect key files from being modified by a user without administrative privilege. From Vista onwards, all applications run by default with standard-user privilege, which means they cannot make changes to Program Files or other protected areas. This is a good thing and has improved the security of Windows a lot.

Now, if instead of installing a program, a step that requires administrative rights and deploys the files into designated protected areas, we change the deployment model to let the program run from anywhere, isn't that a throwback to the good old days of NT4/5/XP, when everything ran in an admin account? Aren't we essentially turning file-system protection off for these programs? Aren't we making them more vulnerable to attack? A program that lives in a directory writable by the same standard user who runs it can be replaced or patched by any malware running as that user, without any privilege escalation at all.

What caused me to ponder was my latest installation of VeraCrypt 1.16, which fixed a couple of recently discovered critical vulnerabilities. In the past I used TrueCrypt in portable mode, without installation. Then I wondered: wouldn't this mode of deployment make it easier for others to attack the program, or to use this program, or this type of program, which runs at elevated privilege, to launch attacks?

In the end, I decided to install the program. What is your opinion on this issue?

On Linux, removable devices are commonly mounted with the noexec option (depending on the distribution and its automounter), which prevents programs on them from being executed directly.
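Two checks that turn the question above into something measurable, as an added example that is not part of the original post: whether the account that runs a program can also write to the directory the executable lives in (if so, anything running as that account can swap the binary without escalating privilege, which an installed copy under Program Files prevents), and, on Linux, whether the path sits on a mount carrying the noexec option. The mount table `SAMPLE_MOUNTS` and the paths in the demonstration are constructed; the functions themselves work on real paths and on a real /proc/mounts.

```python
"""Added example (not from the original post): two checks worth running before
trusting a program that is simply unpacked and run. (1) Can the account that
runs the program also write to the directory the executable lives in? If it can,
any code running as that account can swap the binary without escalating
privilege, which an installed copy under Program Files prevents. (2) On Linux,
is the path on a mount carrying the noexec option? SAMPLE_MOUNTS is a
constructed mount table used for the demonstration below."""
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Set, Tuple


def writable_by_current_user(directory) -> bool:
    """Create and delete a scratch file. This honours Windows ACLs and POSIX
    modes alike; os.access(W_OK) on Windows only reflects the read-only bit."""
    directory = Path(directory)
    if not directory.is_dir():
        return False
    try:
        fd, name = tempfile.mkstemp(prefix=".probe-", dir=str(directory))
    except OSError:
        return False
    os.close(fd)
    os.unlink(name)
    return True


def parse_mounts(mounts_text: str) -> List[Tuple[str, Set[str]]]:
    """Parse /proc/mounts-style lines into (mount point, option set)."""
    table = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mount_point = parts[1].replace("\\040", " ")   # /proc/mounts escapes spaces
        table.append((mount_point, set(parts[3].split(","))))
    return table


def mount_options_for(path: str, table) -> Optional[Set[str]]:
    """Options of the longest mount point that contains path."""
    best = None
    for mount_point, opts in table:
        mp = mount_point.rstrip("/") or "/"
        if mp == "/" or path == mp or path.startswith(mp + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, opts)
    return None if best is None else best[1]


def mounted_noexec(path: str, mounts_text: Optional[str] = None) -> Optional[bool]:
    """True/False when a mount table is available (Linux, or text supplied);
    None elsewhere. With a supplied table the path is matched as given."""
    if mounts_text is None:
        try:
            mounts_text = Path("/proc/mounts").read_text()
        except OSError:
            return None
        path = os.path.realpath(path)
    opts = mount_options_for(path, parse_mounts(mounts_text))
    return None if opts is None else "noexec" in opts


SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /media/user/USB\\040STICK vfat rw,nosuid,nodev,noexec,relatime,uid=1000 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""


def assess(exe_path: str, mounts_text: Optional[str] = None) -> dict:
    """Summary for one executable: is its directory writable by the account
    running this script, and is it on a noexec mount?"""
    exe = Path(exe_path)
    return {"dir_writable_by_runner": writable_by_current_user(exe.parent),
            "noexec_mount": mounted_noexec(str(exe), mounts_text)}


if __name__ == "__main__":
    for p in ("/media/user/USB STICK/VeraCrypt/VeraCrypt.exe", "/usr/bin/veracrypt"):
        print(p, assess(p, SAMPLE_MOUNTS))
```

Run `assess` against the real path of a portable program (with `mounts_text` left as `None` on Linux) and against its installed counterpart; a `True` for `dir_writable_by_runner` is the exposure the post is worried about, and it is exactly what an installer placing the files under Program Files removes.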

Wednesday, July 29, 2015

Caveat for Link Market Services Registry users using Password Manager

This is a note for users of the Link Market Services share registry who use a password manager to manage their passwords.

It seems Link Market Services discourages the use of a password manager, a practice recommended by security experts, and expects its users to have some sort of psychic power to know why.

Recently I encountered an operation that required me to supply the Transaction Password. Since I use a password manager to generate and record passwords, I simply asked it to fill the transaction password into the field on the Link Market Services web page. The transfer happened flawlessly, but the confirm button remained disabled as if I had not typed anything. That's strange. There was no textual guidance and no pop-up message to tell the user what to do.

Not deterred, I did some experiments, and this is what you have to do if you want to use a password manager:
1) Fill the Transaction Password into the field in the normal way your password manager offers.
2) Click on the field and press the End key to force the cursor to the end of your password (or type a character at the end of the password and immediately delete it).

The moment you complete step 2, the confirm button is enabled! At that stage the web page has no idea whether what you entered is a valid transaction password.

It seems the web page has a user-interface bug: it fails to recognise the field-change event. The symptom is consistent with a page that enables the button from a keyboard event (keyup or keypress) rather than from the input or change event, which also fires when the value is pasted or filled by a password manager.

This kind of bad user-interface design makes your software suck. If you do not want users to transfer data, say via the clipboard, disable the paste operation and offer some guidance. If your web site does not have a general-purpose help e-mail address, you need to make sure its user interface is perfect and idiot-proof.

On the subject of Transaction password, this is their mandated rule:

When you use the settings facility to change the Transaction Password and use a password manager to generate the new password (highly recommended), after you have filled the new password into the respective field, perform Step 2 above. That action triggers the script on the page to evaluate the supplied password. It seems the program has a bug similar to the one mentioned above.

One wonders whether Link Market's mandated rule encourages users to choose strong passwords. If Link Market discourages its users from using a password manager, they will undoubtedly choose easy-to-remember passwords (which also end up being easily guessed by an attacker).

For example, the passwords Pauline1, Password1 and Ab1234567 comply with the rule, but according to Microsoft's password checker or Kaspersky's checker they are weak passwords. It is therefore better to encourage users to use a password manager than to force them to choose easy-to-remember ones.
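A composition rule beside a structure check, as an added example that is not part of the original post, to show why the three passwords above can satisfy a rule and still be weak. The rule used here (at least 8 characters with an upper-case letter, a lower-case letter and a digit) is an assumed stand-in, since Link Market's actual rule is not reproduced in the post, and `COMMON_WORDS` is a tiny constructed list standing in for a real breached-password list.

```python
"""Added example (not from the original post): a composition rule beside a
pattern check, to show why Pauline1, Password1 and Ab1234567 can satisfy a
rule and still be weak. meets_assumed_rule is an assumed stand-in for Link
Market's rule, which is not reproduced in the post. COMMON_WORDS is a tiny
constructed sample standing in for a real breached-password list."""
import math
import re
import secrets
import string

COMMON_WORDS = {"password", "pauline", "welcome", "letmein", "qwerty", "monkey"}


def meets_assumed_rule(pw: str) -> bool:
    """Assumed rule: 8+ characters, at least one upper, one lower, one digit."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def weakness_reasons(pw: str) -> list:
    """Structural tells that a cracker's rule set tries first."""
    reasons = []
    m = re.fullmatch(r"([A-Za-z]+)(\d{1,4})", pw)
    if m:
        reasons.append("letters followed by a short digit suffix")
        if m.group(1).lower() in COMMON_WORDS:
            reasons.append("the letters are a common word or name")
    for run in re.findall(r"\d{3,}", pw):
        if all(int(b) - int(a) == 1 for a, b in zip(run, run[1:])):
            reasons.append(f"sequential digits {run}")
    letters = len(re.findall(r"[A-Za-z]", pw))
    digits = len(re.findall(r"\d", pw))
    if letters <= 2 and len(pw) - 2 <= digits:
        reasons.append("almost entirely digits")
    return reasons


def charset_entropy_bits(pw: str) -> float:
    """Upper bound log2(alphabet ** len): only meaningful if the characters were
    drawn uniformly at random, which is what a password manager does."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def generate_password(length: int = 16) -> str:
    """What a manager produces: uniform over letters, digits and punctuation,
    retried until it also satisfies the composition rule for a fair comparison."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_assumed_rule(pw):
            return pw


def assess(pw: str) -> dict:
    return {"meets_rule": meets_assumed_rule(pw),
            "reasons_weak": weakness_reasons(pw),
            "charset_bits": round(charset_entropy_bits(pw), 1)}


if __name__ == "__main__":
    for candidate in ("Pauline1", "Password1", "Ab1234567", generate_password()):
        print(candidate, assess(candidate))
```

The point of `weakness_reasons` is that all three sample passwords pass the rule and every one of them trips a pattern a cracking rule set tries before any brute force; the manager-generated password passes the same rule with far more real entropy, which is the argument for encouraging managers rather than blocking them.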

Wednesday, July 15, 2015

A tale of two share registries

Every year around this time, the end of the financial year, I, like others, have to prepare shareholding statements of my share portfolio for my accountants, and this exercise brings me into close contact with the share registries managing the shares of the listed companies.

There are several registries in Australia; some companies use one while others use a different one. It is not uncommon for a shareholder to have to deal with multiple registries.

The two largest are ComputerShare and Link Market Services. Both have facilities to generate a holding statement document, but they are vastly different in their implementation, and this post documents my experience, showing how one can be so badly designed for the user's requirements while the other is a joy to use.

Both systems offer several log-in facilities to access the holding or holdings. Both allow a user to become a registered user and so define the collection of shares of interest. They also offer single-holding access to one share's details using the share identification number, the SRN, and other details.

For people with a large share portfolio it is much more convenient to become a registered user. However, as will be revealed, this is not always the case when dealing with ComputerShare.

ComputerShare has a longer history than Link Market Services, but the latter has a far more user-friendly interface than the former.

ComputerShare once had a very functional, though less colourful, system that had served it well. In that system, one could expand a particular shareholding and enquire about the holding at a particular date right there. Several years ago, ComputerShare decided the functional system needed freshening up and splattered the web site with eye-candy features, introducing an amateurish help system that is an insult to the intelligence of its users. More on this later.

The eye-candy made minimal changes to how holding details are shown to the user, and the shares in the portfolio are still listed alphabetically, just as in the less colourful previous system. Compared with Link Market Services, the eye-candy has not improved usability one bit, speaking as someone with a long history of using both.

However, the most radical change in ComputerShare is in the way a holding statement at a particular date is generated. It is not the relocation of the feature from one part of the user interface to another that is so unusable, but the implementation behind it that makes it so frustrating to use.

The 'Export Balance Letter' has the following user-interface design:

to let the user generate the balance statement. For some strange reason, or mismanagement, the designer of this piece of user interface changed the terminology from 'holding' to 'account' in the 'Select Account' control, while the opening statement on the same page still refers to them as holdings. The rest of the web site uses 'holding' to refer to a particular shareholding. 'Select Account' should be corrected to 'Select Holding' for consistency.

It is not the eye-candy that makes this piece of user interface totally unhelpful and unusable. It is what lies behind the combo box listing the holdings (I will refrain from calling them accounts, because they are not) that irritates, I dare say, any user bar the designer.

This implementation is a prime candidate for the book "Why Software Sucks". If you drop that combo down, any sane person would expect ComputerShare to show the shareholdings in alphabetical order, just as on the Portfolio page.

But surprisingly, or rather shockingly, the order appears random without seeing the code. In my case, the list in the combo box shows the companies starting with A, C, W, W, A, C, A, P, A, ... S, L. What kind of sort order is that? I managed to talk with someone from ComputerShare about the collating sequence used to generate it. The answer, from someone without much conviction, was that it might be the order in which I acquired the shares. Even if that is the case, what good does that sort sequence do for users?

Having worked with many developers in my life, I have never seen anything as bizarre as this. It is a sloppy piece of work; how hard is it to add an ORDER BY clause on the ASXCode column to your SQL statement?

Needless to say, the person I talked with from ComputerShare was rather defensive (a trait I have commonly found in some development companies), giving me irrelevant excuses such as the software having to work in different countries. I am not inexperienced in I18n.

If the caller wanted to solicit user feedback to help with their design, he used the wrong tactic. Nowhere in my Facebook message (sent by borrowing someone's access) did I say anything about wanting to download holdings to a spreadsheet. And yet this person kept drumming into me the ability to download to a spreadsheet, and that the feature might take some time. I told him all I wanted was for ComputerShare to list the holdings in the list box in alphabetical order, a much easier undertaking that would bring a huge benefit. He certainly failed the user-requirement solicitation process.

Now let's consider how Link Market Services handles this in a way that makes ComputerShare look like an amateur. Link does not use the algorithmic way of pulling in the shareholdings relevant to the registered user. Link allows the user to pull in holdings of totally different owners, as long as one has the SRN, and it also allows the user to group these holdings, a useful feature not available in ComputerShare.

Hence in Link one can have BHP, for example, owned by Albert, Mary, Jack and Tom, each with a distinct SRN of course.

In Link, the balance statement is located on the 'Balance History' page, which contains a similar user interface:

Once again, it is not what hits your eyes that matters, but the implementation of the list in the combo box for the holdings. Link sorts the holdings alphabetically, a sort order I challenge ComputerShare to show me is less useful than theirs.

Rather than torture myself with ComputerShare's illogical sort order when compiling the end-of-year holding statements for shares managed by ComputerShare, I did not use my registered log-in. Instead I used the single-holding access, which seems irrational. Even having to provide log-in details and enter the CAPTCHA for each holding, it is still the quickest and least stressful way to get the job done, and much quicker than navigating the poorly arranged list of holdings in ComputerShare.

Not content with driving their users crazy with their idiotic design, they pretend to provide some 'human' assistance: they introduced 'Ask Penny', which must have been built with a penny, as it lacks any form of intelligence or knowledge. If you can't provide AI assistance, perhaps a general help-desk e-mail facility would be more useful and more capable of giving that human touch. Their 'Contact us' facility is equally useless because it is share-centric.

In sharp contrast, it is a joy to use Link to compile the end-of-year holding statements. Thanks for a job well done.

Tuesday, June 23, 2015

Rare to see an anti-virus/malware protector not having automatic updates

It is extremely rare to find an anti-virus/malware protector without an automatic update facility for its engine and database. Windows Defender running on Windows 8.x is one such rare species.

This happens if the user chooses the Windows Update option not to install updates automatically, a choice that gives the user better control over which updates are applied.

In that case, Microsoft acknowledges that it is a design decision that the user is not given the normal Windows Update notification, except on the log-in screen. While I accept, only reluctantly, that there is a shred of logic in this, albeit a very draconian one, why does it affect the important updates to protection software that depends on timely updates of its database and engine?

I have used a variety of AV products and this has to be the first that fails to update automatically, or to tell me an update is pending, when I choose not to use the automatic Windows Update option. Most of them update automatically by default and are not under the influence of Windows Update.

This situation is a good example of the Golden Hammer anti-pattern, and it leaves Windows users vulnerable to attack. So if you want more control over your Windows updates, don't rely on Windows Defender. Furthermore, here is another case of not believing everything you read (about Microsoft products), taken from the Windows Defender update page for Windows 8.1:

It only updates automatically if Windows Update is set to automatic. That "Did you know" message needs to be clearly qualified to avoid misunderstanding.

Windows has all sorts of detections and options; surely Microsoft could add a check box to the Windows Update control panel applet to let the user choose whether to receive notifications, including Windows Defender update notifications. Or Windows Defender could have a check box to turn off update notifications if they are so distracting; it could and should update silently. Cutting it out altogether is just a bad design decision. I suspect there is some motive other than the one revealed.

I wonder whether this draconian approach will be addressed in the upcoming Windows 10.

If you persist with Windows Defender under your chosen Windows Update option, the alternative is to use Task Scheduler to run the Defender definition update periodically; Defender's command-line tool, MpCmdRun.exe, provides a -SignatureUpdate switch for exactly this. It is a choice between giving up your Windows Update setting and using Task Scheduler.

I will now experiment with some of the Windows Update notification tools to address the Windows 8.x deficiency.



Thursday, May 14, 2015

My experience in using one2free prepaid Mobile Broadband SIM in Hong Kong

I am a regular visitor to Hong Kong, and on every visit I purchase a prepaid mobile broadband data SIM for my Huawei pocket modem to provide me with Internet service. I am no stranger to this kind of SIM, having used various types of 3HK data SIM in the past. So, after reading so many glowing remarks about one2free's prepaid mobile broadband SIM, I decided to give it a test ride this time.

I did some preliminary investigation prior to the visit via their e-mail customer service, which I must say is rather responsive by comparison. It would be nicer if they had 3HK's online chat service.

On the whole, I am rather pleased with the performance, the cost and the responsiveness of the customer service, which I had to use quite a lot, as you will see, during my stay. Unfortunately, that responsiveness is tarnished somewhat by their answers, which clearly indicate that they are let down by their organisation.

Now, with the good bits out of the way, let's go through the bad bits.

Foremost is their web site, which is devoid of any useful or helpful information. It would be more helpful if it provided some instructions on using their services: what happens if you buy the $100 starter kit, and what rate you will be charged at; the steps to buy the 30-Day Pass with a 3GB quota for someone who has not used the product before; what happens when one uses up the quota but is still within the 30 days; will the connection speed be shaped?

In my case, I wanted to use the 3GB 30-day pass, which according to the published information costs HK$148.00. To subscribe, one needs to load the prepaid SIM with at least (preferably more than) that amount. The shop where I purchased the kit did not have a $50 top-up voucher, only $100 vouchers, which meant my SIM card was loaded with $200 and, after paying for the 30-Day pass, had a balance of $52.00.

Nowhere on their web site is this explained, nor what happens to that balance. For those wanting to go down this path, here is how the balance is treated.

The 30-Day pass expires 30 days after the day of subscription. CSL immediately deducts that amount from your card on subscription, hence you must load your card with a sufficient amount before you can punch in the code to select the day pass. The remaining amount can be used for other purposes, such as making calls, or put towards the next day-pass purchase. It does not expire until 6 months after activation or after your last top-up. In other words, your prepaid SIM card is valid for 6 months as long as there are sufficient funds to pay the monthly government charge, which is HK$2.

Unless you have no other SIM for voice calls, avoid using this one for them: it charges HK$0.30/min, three times as much as other CSL SIMs (HK$0.10/min).

The next area of great disappointment is how to monitor data usage. Their web site for the prepaid starter kit contains wrong and misleading information.

While that site is for the Prepaid Mobile Broadband SIM, the login button is not intended for prepaid mobile, and I only found this out after the event.

This web site expects the user to possess a degree of psychic ability to realise that. I was misled by this page and tried unsuccessfully to obtain a password, or to reset it, by following the online link. Out of desperation, I inserted the data SIM into a mobile phone and used the *777 code to reset the 6-digit password for my SIM, successfully. The system acknowledges the request and echoes back the password in clear (very security conscious).

Next, armed with my SIM's mobile number and the password, I pressed the login button on that web page. Rather than telling me that my SIM cannot use 'My Account' to manage my usage, it threw a Java exception page:
type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

java.lang.IllegalStateException
 org.apache.coyote.tomcat5.CoyoteResponseFacade.sendRedirect(CoyoteResponseFacade.java:418)
 LoginRedirect.doPost(Unknown Source)
 javax.servlet.http.HttpServlet.service(HttpServlet.java:767)
 javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
 sun.reflect.GeneratedMethodAccessor57.invoke(Unknown Source)
 sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 java.lang.reflect.Method.invoke(Method.java:585)
 org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:249)
 java.security.AccessController.doPrivileged(Native Method)
 javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
 org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:282)
 org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)

note The full stack trace of the root cause is available in the Sun-Java-System/Application-Server logs.

Nice? Have they ever tested their program? Why doesn't the web page tell the user that the login page is not for prepaid users? Surely they have all the information needed to tell whether the caller's SIM is prepaid or not. For what it is worth, the Servlet API specifies that sendRedirect throws IllegalStateException when the response has already been committed, so the most likely reading of the trace is that the page had already started writing output before the servlet tried to redirect; either way the user should have seen a plain message, not a stack trace.

I raised this issue with online support and also visited one of their customer service centres, and was then told that the login button on the web page and the "My Account" facility are not for prepaid users. Surely their web designer can put those few words on the page to warn users, and, better still, the program could test for and trap that kind of exception and inform users in a more meaningful manner. It is not a big ask, is it? More disturbingly, if that facility is not for prepaid users, why does *777 allow a number belonging to a prepaid SIM to reset the password? So amateurish!

So, after the visit, I discovered that as a NextG-Prepaid user I should use the URL http://www.one2free.com/nextg-prepaid while connected to CSL using the one2free SIM. Using this URL, I managed for the next 3 days to make a daily enquiry of my usage.


On the 4th day, when I used that URL, I was confronted with this web page:

Notice that the left-hand pane tells me this is a "My Account" facility, the very facility I was told was not for me.

Not deterred, and with a sense of adventure, I pressed the login link, which sent me to https://prepaid.hkcsl.com/login with the following login page:

The login page asks for the mobile number of the SIM and a password, for which I duly used the one I had reset with the *777 code. The system accepted my inputs and gave me access to my SIM's data. The data usage can be retrieved by pressing the "Promotional Bonus Details" link.


Notice that this is a different web page from the previous one reached via the NextG-Prepaid link.

I asked customer service for an explanation of how I could access "My Account" when they had told me it was not for me, to no avail. We ended up going round and round in circles. Customer service refused to acknowledge that the URL https://prepaid.hkcsl.com/login was right for me, despite my pointing out that the URL contains the word 'prepaid', indicating it is for prepaid users.

Even more interesting is that I can access my prepaid SIM card details using this URL without a connection provided by a CSL SIM, whereas I need to use the one2free SIM in order to use http://www.one2free.com/nextg-prepaid, successfully or not. As an experiment, I have just connected to https://prepaid.hkcsl.com/login some thousands of miles away from Hong Kong.

After discovering that I could use this URL to monitor my data usage, I continued to use it, ignoring any contradictory comments from customer service. Incidentally, this URL is not disclosed on any of the CSL web pages. It seems there is a communication problem within CSL on this issue.

Whatever it is, it is CSL's problem and they need to deal with it. I have supplied all the information, such as SIM card number, mobile number and modem model. They need to improve their web site to make it more useful and helpful. Don't just throw figures and data at it. Test it with someone who is not a user of your system or product.

Teach your front-line support personnel to slow down and take time to explain the various facets of your products. I know you know your products very well, but your potential customers DON'T.

Test your web site with nonsensical data, and don't let Java exception messages leak out to users. That is not an acceptable way to tell users they have entered something wrong, and the stack trace above also hands anyone probing the site the server software and version (Tomcat 5 under Sun Java System Application Server) and internal class names, information that helps an attacker pick known exploits for that stack.
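The handling the post asks for, as an added example that is not part of the original post and written in Python rather than the site's Java: an anticipated condition (a prepaid SIM arriving at a postpaid-only page) gets a specific, harmless message, while any unexpected exception is recorded server-side under a correlation id and the client sees only a generic message carrying that id. The handler, the request dictionary and the in-memory `SERVER_SIDE_ERRORS` store are constructed stand-ins, not CSL's code.

```python
"""Added example (not from the original post): unexpected exceptions are
recorded server-side under a correlation id and the client sees only a generic
message carrying that id; an anticipated condition (a prepaid SIM on a
postpaid-only page) gets a specific message. The handler, the request dict and
the in-memory error store are constructed stand-ins, not CSL's code."""
import traceback
import uuid

SERVER_SIDE_ERRORS = {}   # correlation id -> full traceback (stand-in for the server log)


class PrepaidNotSupported(Exception):
    """An anticipated condition: the request belongs on the prepaid portal."""


def safe_invoke(handler, request: dict):
    """Run handler(request) -> (status, body), never letting a trace reach the client."""
    try:
        return handler(request)
    except PrepaidNotSupported as exc:
        return 403, f"{exc}. Prepaid SIMs are managed at the prepaid portal."
    except Exception:
        cid = uuid.uuid4().hex[:12]
        SERVER_SIDE_ERRORS[cid] = (f"path={request.get('path')!r}\n"
                                   + traceback.format_exc())
        return 500, f"Something went wrong on our side. Quote reference {cid} to support."


def login_handler(request: dict):
    """Constructed stand-in for the LoginRedirect servlet in the post."""
    if request.get("account_type") == "prepaid":
        raise PrepaidNotSupported("This login is for postpaid accounts only")
    if "mobile" not in request:
        raise KeyError("mobile")      # an unanticipated failure: must not leak as a trace
    return 302, "/myaccount"


if __name__ == "__main__":
    print(safe_invoke(login_handler, {"path": "/login", "account_type": "prepaid", "mobile": "00000000"}))
    print(safe_invoke(login_handler, {"path": "/login", "account_type": "postpaid"}))
    print(SERVER_SIDE_ERRORS)
```

In a real deployment `SERVER_SIDE_ERRORS` is the application log; the property that matters is that the correlation id is the only thing shared between the client's response and the server's record, so support can find the trace without the client ever seeing class names, framework versions or file paths.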

To date, I have still not been offered a logical explanation of why the link http://www.one2free.com/nextg-prepaid, which customer service instructed me to use, failed after 3 days, nor why I should not use https://prepaid.hkcsl.com/login, which works, although customer service next acknowledged that I should use it.

Thankfully, I had a wonderful Internet service and, despite all the issues mentioned above, it is still cheaper than 3HK's offering, and I would still recommend it to other travellers. Just be prepared for some rough edges.
