How do I make sure my non-technical parents are safe online?

Keeping my family safe online is a topic I worry about all the time. Being a little paranoid about security always helps.

I’ve been reading this Ask HN thread on Hacker News on the topic and thought I’d jot down a TL;DR in case someone finds it useful. Some of the points are quoted verbatim.

  • Enable automatic updates and take away their admin privileges.
  • Force them to only use pre-installed apps on the tablet/phone that you’ve selected. By pre-installed, I mean pre-installed by you.
  • Install ad-blockers on all devices. Preferably something like uBlock Origin.
  • Set up a Pi-hole and configure it on their devices.
  • When buying devices for them always prefer iOS. iPads seem to be the general go-to choice of the HN community.
  • Create desktop shortcuts for common tasks. Eg: if your dad checks news first thing in the day, create a desktop shortcut to that news site.
  • Tell them to be suspicious of email links that require them to log in.
  • Talk to them about being conned / scammed. That’s by far the most likely way for them to get victimized online.
  • Talk to them about real world analogs to pop-up ads that look like virus scanner alerts, talk to them about people pretending to be someone they know
  • Get them to consider “what do I really know, and is this too good to be true”
  • Make sure they know to call you if they get a virus / malware popup they think could be real
  • Tell them about phone scams

While some of these expect you to be fairly technical (eg: setting up a Pi-hole), the majority do not.

Another point that wasn’t mentioned in the comments but that I highly recommend: be kind and attentive when your parents call you about technical issues. I used to be (or used to act) busy, which led them to call me only in dire circumstances, something you would not want to happen.

Hiding posts from people you don’t follow on Twitter

I need to share this regularly, but Twitter doesn’t like the formatting of the snippet, so I’m creating this blog post.

In your ad blocker’s options page, there will be a place to add custom filters. In uBlock Origin, for example, there’s a ‘My Filters’ tab. Add this snippet there and save your changes:


twitter.com##[data-suggestion-json*=ActivityTweet]

Bye bye, suggested tweets.

Mercurial choosing Rust over Python

According to this article in the Mercurial wiki, its core is being rewritten in Rust. Mercurial is one of the largest open-source Python projects in existence.

This does not, however, mean everything will be rewritten in Rust. (Yes, this post’s heading’s not entirely accurate.)

* hg is a Rust binary that embeds and uses a Python interpreter when appropriate (hg is a Python script today)

* Python code seamlessly calls out to functionality implemented in Rust

The obvious reason for the decision is startup performance, but the article also (interestingly) states:

In addition to performance concerns, Python is also hindering us because it is a dynamic programming language. Mercurial is a large project by Python standards. Large projects are harder to maintain. Using a statically typed programming language that finds bugs at compile time will enable us to make wide-sweeping changes more fearlessly. This will improve Mercurial’s development velocity.

Git was also designed with a core written in C and a host of shell scripts that call the core for additional functionality. For example, rebase is actually a shell script.

However, the use of shell scripts has made porting Git to Windows a pain. See the Lessons Learned section in this AOSA article.

C++17 finalized

The C++17 specification has been finalized. The actual specification is behind a paywall (wtf), but you can get the final draft PDF here. It’s 1448 pages long, though, and you most likely don’t have time to go through everything.

However, there’s a nice write-up that summarizes the new features in C++17. There are no groundbreaking features, but there are some handy additions you might want to use.

One of the first things that caught my eye is std::optional. I love optionals in Swift. They let you wrap values which might or might not be present, and they reduce the chances of a null pointer dereference because the caller is forced to deal with the empty case. std::optional is a bit more awkward to use than Swift’s built-in optionals, but I hope people will start using them.

There are also nested namespaces and structured bindings, which will help with brevity and readability. Structured bindings are similar to destructuring in JavaScript.
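To see the three features together, here is an added example of my own (not code from the write-up or from the standard). It parses a port number out of a config map the way a security-minded parser should: std::optional instead of a -1 sentinel, std::from_chars so no exceptions or locale surprises, and a range check. The namespace sec::config and the function names are my own choices.

```cpp
#include <charconv>
#include <map>
#include <optional>
#include <string>
#include <string_view>
#include <system_error>

namespace sec::config {   // C++17 nested namespace definition, one line instead of two

// Parse a strict decimal TCP port. Returns std::nullopt for anything that is not
// a complete number in 1..65535, so the caller cannot accidentally use a bad value.
std::optional<int> parsePort(std::string_view text) {
    int value = 0;
    // std::from_chars_result is an aggregate, so a structured binding unpacks it.
    auto [ptr, ec] = std::from_chars(text.data(), text.data() + text.size(), value);
    if (ec != std::errc{}) return std::nullopt;                 // not a number / overflow
    if (ptr != text.data() + text.size()) return std::nullopt;  // trailing junk like "80x"
    if (value < 1 || value > 65535) return std::nullopt;        // out of range (also rejects "-1")
    return value;
}

// Look up a key and parse it; absence of the key and an unparsable value both
// surface as an empty optional, which the caller has to handle explicitly.
std::optional<int> portFromMap(const std::map<std::string, std::string>& kv,
                               const std::string& key) {
    auto it = kv.find(key);
    if (it == kv.end()) return std::nullopt;
    return parsePort(it->second);
}

// Count how many entries hold a valid port, destructuring each pair as we go.
int countValidPorts(const std::map<std::string, std::string>& kv) {
    int n = 0;
    for (const auto& [key, raw] : kv) {   // structured binding over std::pair
        (void)key;
        if (parsePort(raw)) ++n;          // optional converts to bool: has_value()
    }
    return n;
}

}  // namespace sec::config
```

The point of returning std::optional rather than 0 or -1 is that `*port` on an empty optional is undefined behaviour and `.value()` throws, so reviewers can grep for those and check that every call site tested `has_value()` first; with a sentinel the missing check is invisible.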

New server + HTTPS

This site used to be on a Hostgator shared host which I had bought long before I understood how servers work. I didn’t bother changing it as it just worked, and this was not the only site/app hosted there. (If I was going to move, I wanted to move everything.)

Lack of WordPress know-how was another problem. I have/had multiple WP sites including this one, and moving meant creating a multisite and configuring it to match the original URLs, while supporting other non-WP stuff as well. Also, I didn’t want to migrate the blogs as static sites, for various reasons.

Finally, I’ve moved most of the stuff to a separate VPS at Vultr (thanks to @gaveen for the referral). The major motivation was TLS support. You had to pay extra for TLS at Hostgator, which didn’t make sense when Let’s Encrypt gives you certificates for free.

The multisite is mostly working now, but I still need to get images working properly (upload directories are not configured correctly for sub-sites), fix old thameera.com/files/... links, set up rss2email, and see what else is broken 😆.

Using ncdu to examine disk usage

du has been my go-to tool for checking disk usage, and it’s wonderfully simple. But I’ve been using ncdu for a few weeks now.

ncdu is short for NCurses Disk Usage. In addition to visualizing disk usage by directory, it lets you sort on different parameters, delete files, show hidden files, and a few more things that you’ll miss if you go back to plain du. Most importantly, it acts as a file manager, so you can simply enter directories to see a more fine-grained breakdown of file sizes. As an added bonus it has Vim keybindings alongside the normal arrow-key movement.

[Screenshot: ncdu with its help popup]

Installation:

brew install ncdu # macOS
sudo apt-get install ncdu # Ubuntu/debian

Printing double-sided in a non-duplex printer

My printer doesn’t support duplex printing, but I regularly print double-sided booklets. It’s not straightforward and I always forget how to do it, so I keep a checklist to consult every time. Publishing it here so I won’t lose it, and someone searching for this on the interwebs might find it useful.

  1. Select ‘Odd Pages Only’ in print settings (usually under ‘Paper handling’)
  2. Print
  3. Take the printed pages out and put them back in the tray in the same orientation (white side up, no turning)
  4. Select ‘Even Pages Only’ in print settings.
  5. Also, select ‘Reverse’ for Page Order
  6. Print

If you are printing a booklet, note that you will need to convert the document to a booklet format first. I use Booklet Creator for this, but there are other alternatives as well.

How the macOS root user vulnerability happened

Mac security specialist Patrick Wardle digs into the root cause (pun intended) of why a blank password gave you root permissions:

* For accounts that are disabled (i.e. don’t have ‘shadowhash’ data) macOS will attempt to perform an upgrade

* During this upgrade, od_verify_crypt_password returns a non-zero value, and an error code which is not checked

* The user (or attacker) specified password is then ‘upgraded’ and saved for the account

It appears that od_verify_crypt_password should fail (update: it does, and Apple just didn’t check for this!).

It might be an oversimplification, but what I gather from the post is that, in hindsight, properly handling the function’s return value (error code) could have prevented this.

Now I’m pondering all those times we ignore the error codes returned by the OS for file I/O operations and whatnot.
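The pattern the bullets describe, reduced to a toy in C++ as an added example. This is illustrative code of my own, not Apple’s or Wardle’s: Account, toyHash, verifyCryptPassword and the two authenticate functions are invented stand-ins, and the djb2 “hash” is only there to make the ‘upgrade’ visible. The vulnerable version mirrors the bug (result computed, never checked, account upgraded anyway); the fixed version shows the one check that was missing.

```cpp
#include <cstdint>
#include <string>
#include <string_view>

// Constructed account record. A disabled account has no shadowhash, which is
// the state that sends the login down the "upgrade" path.
struct Account {
    std::string name;
    bool hasShadowhash = false;
    std::uint32_t shadowhash = 0;
};

// Toy stand-in for a password hash (djb2). NOT a real credential hash.
std::uint32_t toyHash(std::string_view password) {
    std::uint32_t h = 5381;
    for (unsigned char c : password) h = h * 33u + c;
    return h;
}

// Stand-in for od_verify_crypt_password: returns 0 on success, non-zero on
// failure, and additionally reports a detailed error through *err.
int verifyCryptPassword(const Account& acct, std::string_view password, int* err) {
    if (!acct.hasShadowhash) { *err = -1; return 1; }                  // nothing to verify against
    if (toyHash(password) != acct.shadowhash) { *err = -2; return 1; } // wrong password
    *err = 0;
    return 0;
}

// VULNERABLE pattern: the verify result is computed, but neither the return
// value nor err is checked before the account is "upgraded" to whatever
// password the caller supplied.
bool authenticateVulnerable(Account& acct, std::string_view password) {
    int err = 0;
    int rc = verifyCryptPassword(acct, password, &err);   // rc and err are never looked at
    if (!acct.hasShadowhash) {
        acct.shadowhash = toyHash(password);   // attacker-chosen (even blank) password is now the credential
        acct.hasShadowhash = true;
    }
    return rc == 0;   // this attempt fails, but the next one verifies against the planted hash
}

// FIXED pattern: fail closed on any verification error, and never touch the
// stored credential unless verification actually succeeded.
bool authenticateFixed(Account& acct, std::string_view password) {
    int err = 0;
    int rc = verifyCryptPassword(acct, password, &err);
    if (rc != 0 || err != 0) return false;   // the missing check: no upgrade on failure
    // A real upgrade (legacy hash format -> current format) would run here,
    // only after the password verified against the legacy credential.
    return true;
}
```

With the vulnerable version the first attempt returns false but has already planted the hash of the blank password, so the second attempt succeeds, which is exactly the ‘click twice’ behaviour reported for the System Preferences padlock. The fixed version bails out before anything is written, so a disabled account stays disabled no matter how many times you try.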

Root user vulnerability in macOS High Sierra

It has been discovered that you can get root permissions on a macOS system running High Sierra without any password. To test, click the padlock in any System Preferences pane, enter root as the username and leave the password blank. Now click Ok (or whatever the confirmation button is) twice and you have root privileges!

This is like the worst nightmare ever. Note that the attacker needs to reach a login prompt on the machine: physical access, or a remote session such as Screen Sharing if that is enabled. Until Apple ships the patch, the easiest way to secure the system is to enable the root user and set a real password for it, as described here: https://support.apple.com/en-us/HT204012

Unfortunately, it looks like the vulnerability was publicly disclosed without notifying Apple first and waiting for a patch.

Imgur hacked

Imgur was apparently hacked in 2014, and this has come to light only a few days ago. 1.7 million email addresses and passwords have been leaked; the passwords were hashed (not encrypted) with SHA-256, a fast general-purpose hash rather than a password-hashing function, so they are cheap to crack offline. (Imgur has been using bcrypt since 2016, though.)

From the article:

Although in an ideal world Imgur would never have been hacked in the first place, I believe that the company should be commended on two counts.

Firstly, Imgur didn’t ask users when they created accounts to enter any extraneous unnecessary information – such as real names, dates of birth, addresses, or phone numbers that could have made this breach much more damaging to its victims. There’s a great deal to be said for companies limiting the amount of information that they ask from their users – the less they store about you, the less they can lose.

One of the key requirements in GDPR is that websites collect only the minimum personal data necessary for their operations. It will be very hard to keep user databases from being pwned, but holding the least possible amount of data in them definitely lessens the damage.