Disable Capslock

The capslock key is not only unnecessary, it is harmful. I estimate it has cost millions of hours of productive working time since the advent of personal computers.

But it is easy to disable it completely on a Windows PC. Just download and unzip the attached DisableCapsLock.zip and execute the contained DisableCapsLock.reg file. Done. If it does not take effect immediately, restart your computer.
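As an added example, not the attached DisableCapsLock.reg (whose contents are not shown on this page): the mechanism a file like that normally relies on is the Scancode Map value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout. The script below builds that binary value for a list of remappings, parses it back, and renders the equivalent .reg text, so you can see exactly what such a file changes before importing it. The key path and the scan codes (0x3A for Caps Lock) are standard Windows values; that the attached file uses this mechanism is an assumption.

```python
import struct

# Set-1 scan codes of keys people commonly remap (standard Windows values)
CAPS_LOCK = 0x3A
LEFT_CTRL = 0x1D
DISABLED = 0x00  # mapping a key to scan code 0 disables it

REG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout"


def build_scancode_map(mappings):
    """Build the binary 'Scancode Map' value.

    mappings: list of (original_scancode, new_scancode) pairs; new_scancode 0
    disables the key. Layout (all little-endian): 4-byte version (0),
    4-byte flags (0), 4-byte entry count including the null terminator,
    then one 4-byte entry per mapping (new code first, then the original
    key's code), then a 4-byte null terminator.
    """
    blob = struct.pack("<III", 0, 0, len(mappings) + 1)
    for original, new in mappings:
        blob += struct.pack("<HH", new, original)
    blob += struct.pack("<I", 0)
    return blob


def parse_scancode_map(blob):
    """Inverse of build_scancode_map; handy for inspecting a .reg file or the live value."""
    version, flags, count = struct.unpack_from("<III", blob, 0)
    if version != 0 or flags != 0 or len(blob) != 12 + 4 * count:
        raise ValueError("not a well-formed Scancode Map value")
    mappings = []
    for i in range(count - 1):
        new, original = struct.unpack_from("<HH", blob, 12 + 4 * i)
        mappings.append((original, new))
    return mappings


def to_reg_text(blob):
    """Render the value as a .reg file that regedit can import (needs admin rights)."""
    hex_bytes = ",".join(f"{b:02x}" for b in blob)
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{REG_KEY}]\n"
        f'"Scancode Map"=hex:{hex_bytes}\n'
    )


def disable_capslock_reg():
    """The .reg text that disables Caps Lock; takes effect after log-off or reboot."""
    return to_reg_text(build_scancode_map([(CAPS_LOCK, DISABLED)]))


if __name__ == "__main__":
    with open("DisableCapsLock.reg", "w", encoding="utf-8") as f:
        f.write(disable_capslock_reg())
    print(disable_capslock_reg())
```

Because the value lives under HKEY_LOCAL_MACHINE, importing it needs administrator rights and affects every user of the machine; deleting the Scancode Map value and logging off restores the default layout.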

Twelve Commandments for Internet Security

A reader asked in a comment to my post about unsafe password managers:

So, what is the solution?

It is a good question and prompted me to write this answer.

My Recommendations With Regards to ‘Evil Password Managers’

  1. Always keep in mind that the internet is dangerous and there is no security available and never will be. Because:
    All technical solutions to safety, secrecy and security are for phishers, gangsters and secret services what is sh*t for flies.
  2. Distribute your money between several bank accounts at different banks. So if one account is hacked, you will still keep a big part of your money.

  3. For bank accounts, keep a unique password or passphrase for each one which does not resemble any of the others.

  4. If you cannot keep these in mind, write them down onto a sheet of paper.

  5. Write them down with a simple encryption which you can remember and calculate easily in your head. So in the rare case that somebody finds it by chance, he still cannot take your money.

  6. Hide this sheet of paper somewhere in your home. Maybe glue it into a book or the like.

  7. Use an extra computer for doing banking related stuff. Use this computer for nothing else. Do not surf the web or read mails or watch %/*%/@&* on this computer.

  8. Keep it switched off all the time when you don’t need it.

  9. Run an obscure and seldom used operating system on the extra banking computer.

  10. For all medium important stuff – non-banking and not really important but quite annoying if hacked – build a base password or passphrase. Modify this slightly for each of these accounts.

  11. For all fun stuff – accounts where you could live well with them being hacked – use one and the same simple password for all of them.

  12. If I needed to do communication that must stay secret under all circumstances – for example being a freedom fighter in a state run by criminals – I would not use the internet or a phone or any technical thing at all. I would do extremely delicate communication only face to face in real life.

I cannot claim that my methods are safe. Because – see point number one above – nothing can ever be safe.

But in my view, my methods are much, much safer than using any kind of password manager or things like TOR or encryption algorithms which I do not understand.

What do you think about my solutions to evil password managers? Do you have better ideas? I’d love to hear your opinions.

Why Password Managers Are Not Safe

Why Password Managers Aren’t Safe – And Won’t Ever Be

Lately a paper by Zhiwei Li, Warren He, Devdatta Akhawe and Dawn Song from the University of Berkeley has been published, called The Emperor’s New Password Manager. It reveals that

…in four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites.

and later in the paper they write

We found critical vulnerabilities in all the password managers and in four password managers, an attacker could steal arbitrary credentials from a user’s account.

I’m not surprised; not at all. My humble opinion, which I have held since password managers were invented, is: Password managers are evil and cannot ever be really fixed.

Why Password Managers Can’t Be Fixed

There are two main problems with password managers:

  1. Nobody is trustworthy.
  2. Password managers are for phishers and secret services what is sh*t for flies.

Let me explain. Of course,

You can trust any given password manager maximally as much as you can trust the provider of the password manager.

And all providers are untrustworthy because everybody on the net is untrustworthy. Especially when it comes to password managers.

Even if there were a company XYZ which you trusted fully, how do you make sure that the password manager you download from company XYZ is really the password manager from XYZ? You can bet that there exist a lot of hacked versions on the net.

Not trusting the identity of anybody is common sense these days. But aside from this, there are other problems…

Basically there are three possible types of password managers. Each of them is untrustworthy per se, even without identity theft.

A Commercial Company’s Closed Source Password Manager

  1. You can bet that the NSA has built backdoors into it.
  2. And there is a secret law that forbids that the company talks about the backdoors.
  3. Other secret services are very much trying to find out the backdoors or to put spies into the company to be able to introduce their own backdoors.

An Open Source Password Manager

  1. The NSA has built backdoors into it.
  2. Other secret services have built backdoors into it.
  3. Some bright phisher has built backdoors into it.
  4. With many eyes, all bugs are shallow, you say. Heartbleed I say. Oh, and Shellshock, of course.

A Password Manager Built by Yourself

This is a site for developers, so building your own password manager may seem like an option. At least, you will be sure that nobody builds backdoors into it.

But are you really savvy about security-related programming? I don’t know any programmer who really is. Maybe there are those. Surely there are those. Probably most of them work for the secret services of the world or are gangsters. 😉

If you are one of the really security savvy developers in the world, maybe you can build your own flawless password manager.

But before you start, answer these questions for yourself:

  • How many bugs have you produced already in your career?
    Yes, estimate a number.
  • With this number in mind, how much do you trust yourself?

Of course, even in spite of the bugs in your own password manager, it will be much more secure than all the others: because nobody knows that it exists, nobody tries to hack it.

US-CERT

The US-CERT stated in a paper (cited from Li et al.’s paper)

[A Password Manager] is one of the best ways to keep track of each unique password or passphrase that you have created for your various online accounts without writing them down on a piece of paper and risking that others will see them.

Li et al.’s view

While idealized password managers provide a lot of advantages, implementation flaws can negate all the advantages of an idealized password manager …

My view:

Password managers are flawed and cannot ever be fixed.
I won’t ever trust one.

I’ve also written about a kind of a solution to the ‘Evil Password Managers’ problem.

UPDATE, Dec 2017

As I’ve always said, password managers are inherently unsafe. And nobody can be trusted. I’ve been right: Now it has come out that even a fresh Windows 10 installation comes with a preinstalled flawed password manager which allows any website to steal any password.

UPDATE, Jan 2018

With the processor flaws Meltdown and Spectre, it is even more obvious that all of the internet is inherently unsafe. And will always be. Including password managers.

Four Most Essential Firefox Add-Ons And Settings. Plus Eight Extras.

My dear friend Sabrina called and complained about a lot of popup windows and stuff when surfing the web. These are my recommendations for some essential plugins and settings in Firefox. Especially for you, Sabrina.

April 16th 2018, Update: I can no longer recommend using Firefox as they have kicked millions of users and thousands of add-on developers in the a** by disabling many important APIs in FF, which makes it impossible for the add-on developers to adapt. Many of the add-ons recommended below do not work anymore with FF Quantum. I am using Waterfox now. It is a FF fork which wants to keep the old APIs – and all my recommended add-ons work.

Two Most Essential Firefox Add-Ons

An Adblocker

An adblocker is the essential add-on. I couldn’t use the web without one. It stops most of those annoying blinking ads which try to distract you from your work in intrusive and flashy ways.
May 5th 2017, Update: I can no longer recommend Adblock Plus, as it lately often led to complete hangs of Firefox. I now use uBlock Origin.
To install, select the given link and there click Add to Firefox. Follow further instructions there.

Flashblock

The second add-on I couldn’t live without is Flashblock. It replaces all the Flash stuff that tries to capture your attention in disturbing ways with a nice and silent f icon. If you really want to see the video or hear the music behind the f, just click the f.
To install it, click here and there Add to Firefox. Follow further instructions there.

Three Most Essential Firefox Settings

Block Popup Windows

  1. Open the Settings dialog in Firefox
  2. Select the Content tab.
  3. At the top, check Block Popup-Windows
  4. Press the Ok button.

Switch Off Gif Animations

First check out this site. Are there a lot of smilies winking, blinking, smiling, jumping around and even vomiting? So that you would get crazy if you looked at it for more than ten seconds? Yes? These are animated gifs. Not that I dislike them. No. I hate them.

Thank god, they’ve built something into Firefox to switch them off. It may seem a bit complicated for everyday users, but it is worth it.

  1. Type about:config into the address bar of Firefox.
  2. Ignore the following warning about The guarantee ends here and press the button I’ll be cautious, really.
  3. A huge list of settings will be shown. Type image.animation_mode into the search bar at the top so that the list will be reduced to one entry.
  4. Double-click the marked normal in the line. In the upcoming dialog, type in none and press ok. Close the about:config tab.
  5. Revisit the animated smilies page. You should look into complete quiescence now. Ah. This calmness. How relieving. Like a cool breath on a hot and humid day.

Turn Off Spell Checking

13 Nov 2017 Update: Some time ago, those FF developers thought it would be a good idea to turn on a spell checker by default. It is not. You can turn it off via Preferences/Advanced/Check my spelling as I type.
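As an added example that is not part of the original post, covering the three settings above (popup blocking, GIF animation, spell checking): a small Python script that reads a profile's prefs.js or user.js, checks whether the three settings are in place, and prints the user.js lines that would apply the missing ones. image.animation_mode is the preference named in the post; that dom.disable_open_during_load is the preference behind Block Popup Windows and that layout.spellcheckDefault (0 = off) is the one behind the spell checker are my assumptions, as is the sample prefs.js content, which is constructed.

```python
import re

# Preferences behind the three settings above. image.animation_mode is the one
# named in the post; the other two names are my assumption about which
# about:config entries the Settings dialog toggles.
RECOMMENDED = {
    "dom.disable_open_during_load": True,   # Block Popup Windows
    "image.animation_mode": "none",          # no animated GIFs
    "layout.spellcheckDefault": 0,           # spell checker off
}

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_value(raw):
    """Decode a prefs.js literal: true/false, "string" (with \" escapes), or an integer."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text):
    """Return {pref name: value} for every user_pref(...) line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit(prefs, wanted=RECOMMENDED):
    """Map each recommended pref to (current value or None, wanted value, ok)."""
    report = {}
    for name, want in wanted.items():
        got = prefs.get(name)
        # type check keeps 0/False and 1/True apart, which == alone would not
        ok = type(got) is type(want) and got == want
        report[name] = (got, want, ok)
    return report


def format_value(value):
    """Encode a Python value back into prefs.js literal syntax."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, str):
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return str(value)


def missing_user_js(report):
    """user.js lines that would apply every setting the audit found not in place."""
    return "".join(
        f'user_pref("{name}", {format_value(want)});\n'
        for name, (_got, want, ok) in report.items() if not ok
    )


# Constructed sample of a profile's prefs.js, not taken from a real installation.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("dom.disable_open_during_load", true);
user_pref("image.animation_mode", "once");
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PREFS
    report = audit(parse_prefs(text))
    for name, (got, want, ok) in report.items():
        print(f"{'OK ' if ok else 'BAD'} {name}: found {got!r}, want {want!r}")
    print("\nAppend to user.js in the profile folder to fix the BAD ones:")
    print(missing_user_js(report))
```

Run it with the path to a profile's prefs.js (Firefox must be closed, since it rewrites that file on exit); without an argument it audits the constructed sample.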

Some Extra Add-Ons I Like

  1. Leechblock is from heaven for people who tend to surf the web (-hell) too much.
  2. Video DownloadHelper makes it possible to download videos from Youtube.
  3. With Fireshot, you can make screen shots of web pages that are too big to fit on the screen at once.
  4. JS Switch adds a toolbar button to the browser with which you can switch off and on JavaScript with one click.
  5. LEO Search adds a context menu entry to translate selected words.
  6. Vertical Toolbar lets you move your bookmarks and other buttons from a horizontal toolbar into a vertical one. This is very useful with the wide screens in use nowadays.
  7. Morning Coffee lets you organize websites by day and open them up simultaneously as part of your daily routine. This is handy if you want to read different news sites daily. I like it much.
  8. Firebug is an add-on which is essential for all people creating web pages in one way or another. It helps you so much in debugging and creating HTML and CSS.
  9. Web Developer got a lot of five star reviews. I have to check it out.

Did I miss an essential add-on or setting? What are your favourites? I’d love to read about your opinions in the comments.

Why Zip Is a Better Archive Format than 7z

Scott Hanselman declared 7z to be a much better format than zip and zip to be dying.
Or at least, this is how I understand his writing:

The 7z format is fast becoming the compression format that choosey hardcore users choose.

Though I’ve got a lot of respect for Scott, I have to add some facts.

Zip is Much Faster Than 7z

In my humble opinion, Scott has overlooked that zip is much faster than 7z… I’ve done tests with both formats, and with both formats I’ve used compression methods 1 and 5. Some of the results are staggering.


Discussion of the Results

compressFull

In the compressFull tests, a data set is compressed and added to a new archive. As you can see above, compressing with zip-1 is around 4 times faster than compressing with 7z-1 and seven times faster than compressing with 7z-5. The resulting archive is only 6% bigger than the 7z-1 archive and 40% bigger than the 7z-5 archive. In my opinion, the much greater speed speaks clearly for zip.

extractFull

In the extractFull tests, all the files in the archive created by compressFull are extracted locally. Here, the speeds are not too different, e.g. extracting from a zip-1 is only around 30% faster than from a 7z-5 archive. As the 7z archives are smaller, I rate this as a draw.

extractSome


In the extractSome tests, only a small number of all the files are extracted from the archive. Extracting from a zip-1 archive is 50% faster than from a 7z-1 archive and an astonishing twenty times faster than from a 7z-5 archive. As this is unbelievable, I have repeated the tests a lot of times. But it stays true. Victory by knockout for zip.

Test Details

  • I’ve done the tests on my oldish Fujitsu Siemens Lifebook S with a Dual Core Processor, running Win 7.
  • For both archive formats I’ve used the commandline version of 7-zip 9.20, controlled by tclkitsh.exe and the tcl script given below. It is the current and stable release of 7-zip. Unchanged since 2010.
  • In 7-zip, compression method 5 is the default for both formats. Compression method 1 is the fastest compression method for both formats.
  • I’ve repeated each test several times. The standard deviation of the results has mostly been very small.
  • My data set has been a set of 2800 files with 192 MB uncompressed.
  • The files which are extracted in the extractSome test are 72 files with 68 kB uncompressed.

Reproduction of the Tests

You can reproduce the tests easily:

  1. Download my script zip-test.zip and tclkitsh.zip and extract both into the same directory.
  2. Open the file zip-test.tcl with a text editor and adapt the first three lines. In the first line, adapt the path to the 7z.exe file on your PC. In the second line, adapt the path to the directory you want to compress.
  3. Open a command window, cd to the directory where you’ve put zip-test.tcl and type in tclkitsh zip-test.tcl
  4. Wait and don’t use the computer until the tests are finished.
  5. The results will be written on screen and at the same time appended to the file zip-test-results.txt.
  6. You should discard the first test, because for the first one, the speed is highly determined by the time you need to read data from the hard drive. In later runs, much of the data is in the OS’s drive buffer. So the first test is not comparable to the following ones. It does not measure compression speed, but hard drive speed. You’ll see that the first run (with zip-1) takes much longer than the following ones, even those with zip-5 or 7z-5.
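As an added example (my own Python, not the author's zip-test.tcl, which is not reproduced on this page): a harness that runs the same three operations against the 7-Zip command line for zip-1, zip-5, 7z-1 and 7z-5, takes the median of several runs, and does an untimed warm-up pass first so that the first-run disk-cache effect from point 6 stays out of the figures. It assumes that 7z (or 7za) is on the PATH, that -t and -mx select the format and compression method, and that 7-Zip stores member names under the directory name passed to a, which is how extractSome picks its 72 files. Commands are passed as argument lists rather than through a shell, so a directory name containing spaces or shell metacharacters cannot alter what is executed.

```python
import os
import shutil
import subprocess
import sys
import tempfile
import time
from statistics import median

VARIANTS = [("zip", 1), ("zip", 5), ("7z", 1), ("7z", 5)]


def add_cmd(seven_zip, fmt, level, archive, src_dir):
    """7-Zip command line creating archive of src_dir: -t selects zip/7z, -mx the method."""
    return [seven_zip, "a", f"-t{fmt}", f"-mx={level}", archive, src_dir]


def extract_cmd(seven_zip, archive, dest_dir, names=()):
    """Extract everything (extractFull) or only the listed members (extractSome) to dest_dir."""
    return [seven_zip, "x", "-y", f"-o{dest_dir}", archive, *names]


def timed(cmd):
    """Run cmd as an argument list (no shell) and return wall-clock seconds."""
    start = time.perf_counter()
    subprocess.run(cmd, check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return time.perf_counter() - start


def list_members(src_dir):
    """Member names as 7-Zip stores them when src_dir itself is the argument to 'a' (assumed)."""
    base = os.path.dirname(os.path.abspath(src_dir))
    return [os.path.relpath(os.path.join(root, f), base)
            for root, _dirs, files in os.walk(src_dir) for f in files]


def pick_sample(members, n):
    """Deterministic subset for extractSome: the first n names in sorted order."""
    return sorted(members)[:n]


def speedup(results, fast, slow, op):
    """How many times faster variant `fast` is than `slow` for operation `op`."""
    return results[slow][op] / results[fast][op]


def run_suite(seven_zip, src_dir, sample, runs=3, work_dir=None):
    """Time compressFull, extractFull and extractSome for every variant; median of `runs`."""
    work_dir = work_dir or tempfile.mkdtemp(prefix="zip-test-")
    results = {}
    for fmt, level in VARIANTS:
        archive = os.path.join(work_dir, f"test-{fmt}-{level}.{fmt}")
        # Untimed warm-up so the data set is in the OS file cache; otherwise the
        # first run measures disk speed, not compression speed (point 6 above).
        timed(add_cmd(seven_zip, fmt, level, archive, src_dir))
        comp, full, some = [], [], []
        for _ in range(runs):
            os.remove(archive)  # 'a' would otherwise update the existing archive
            comp.append(timed(add_cmd(seven_zip, fmt, level, archive, src_dir)))
            for names, bucket in ((), full), (sample, some):
                dest = tempfile.mkdtemp(dir=work_dir)
                bucket.append(timed(extract_cmd(seven_zip, archive, dest, names)))
                shutil.rmtree(dest)
        results[(fmt, level)] = {
            "compressFull": median(comp), "extractFull": median(full),
            "extractSome": median(some), "sizeBytes": os.path.getsize(archive),
        }
    return results


if __name__ == "__main__":
    exe = shutil.which("7z") or shutil.which("7za")
    if not exe or len(sys.argv) != 2:
        sys.exit("usage: zip-test.py <directory to compress>  (needs 7z on PATH)")
    data = sys.argv[1]
    res = run_suite(exe, data, pick_sample(list_members(data), 72))
    for key, r in res.items():
        print(f"{key[0]}-{key[1]}: " + ", ".join(f"{k}={v:.2f}" for k, v in r.items()))
    print("extractSome zip-1 vs 7z-5: %.1fx" % speedup(res, ("zip", 1), ("7z", 5), "extractSome"))
```

Run it as python zip-test.py <directory> and leave the machine alone while it works, as in point 4; archives are created in a fresh temporary directory so an existing archive of the same name is never updated in place.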

Summary

  1. All operations on zip archives are much faster than, or as fast as, the same operations on 7z archives.
  2. 7z archives are somewhat smaller than zip archives – but not much.
  3. My recommendation is:
    Use zip as archive type. If you are using the software 7-zip, do not use the default settings. Always use compressing method 1.

What is your opinion? I’d love to hear from you.