PhillipBlanton.com

"Save me, oh God, from people who have no sense of humor."
— Ludlow Porch

Microsoft Abandons the Edge Browser.

Microsoft building Chrome-based browser to replace Edge on Windows 10

https://thehackernews.com/2018/12/edge-browser-anaheim-chromium.html

Why is Microsoft spending ANY money on building browsers? Why does Microsoft *NEED* a browser? They've NEVER been good at making them. Let Firefox and Chrome have the browser "market".

I simply don't get why Windows NEEDS to have a "default" browser. Especially one so deeply ingrained into the operating system that it cannot be removed. The only thing the people I know use Edge for is to install Chrome and Firefox on a new Windows machine. I wish I could uninstall it after that. It seems a tremendous waste of money for Microsoft to keep investing in browser development. ANYTHING Microsoft delivers will be thought a joke, and only used to ... download Chrome and/or Firefox in a new installation.

In the corporate world eight to ten years ago, ALL websites only had to be IE compatible. Now I regularly see corporate websites that say "Do not use Internet Explorer. This site will only work on modern browsers like Chrome or Firefox." No mention of Edge EVER.

Microsoft. Focus on creating a stable, high-performance, secure operating system that doesn't spy on its users, and let other people worry about building the application stack.

The best things you've ever done application-wise are the Office Suite (except for Outlook) and the Visual Studio development tool stack. Your servers like SQL Server and IIS are great too, but your other client software has always sucked - Microsoft Bob anyone?

Your browsers have been garbage for so long that they are perceived as a slightly off-color, mildly offensive joke that just makes people roll their eyes and quietly wish it would just stop. Edge may be a technologically superior application, but nobody is ever going to use it in any real numbers, and whatever you replace it with will be treated the same way. You've lost the browser war so thoroughly that you're like Hiroo Onoda; the Japanese soldier found in the Philippine Lubang jungle in 1974, not having been told the war was over.

Stop fighting a war that's been over for years, and go do something you're good at.

Warby Parker - Crazy, Broken, Bad Experience

I am experiencing one of the things my father warned me about when I was a cocky, know-it-all kid. "Someday that 20-10 vision will fade, and you'll have a hard time seeing things. You'll have to wear glasses and glasses suck." Well, here I am; and I've been here for a while now.

I normally get my eyes examined every three years or so, and that's when I get two new pairs of glasses. One pair of sunglasses and one pair of what I call, "Night-Vision glasses". They're really just clear-lensed versions of my "Day-Vision" sunglasses. I recently got my eyes examined, and armed with my shiny-new prescription, headed to $39 glasses .com

$39 Glasses Dot Com

The last time I bought glasses, I got them from $39 glasses Dot Com and it was a good experience overall, aside from the fact that on the first pair of sunglasses they made for me, the lenses were polarized oppositely from each other, making the world appear a surreal, shiny thing. I sent them back and they fixed it for me, but it did take about ten days to get it remedied.

Of course their name is misleading. My glasses cost about $250 each and NOT $39.

Unfortunately they no longer carry wide frames and I have a skull that is a little wider than normal at my temples. Since their site is not equipped to let you search by frame size, I wasted about an hour there before I hit the chat button and was told that they no longer carry frames wide enough for me. Dismayed, I moved on to Warby Parker.

Warby Parker

I'm not a hipster, doofus, millennial but Warby Parker has some nice frames that are priced well, plus they offer a "Try Five For Free" deal where you pick five frames that you like, and they mail them to you for a personal fitting session. Plus, they let you search frames by size. They also have a quiz that you can spend about a minute on, that will narrow down the frame selection to only things you'll like. We were off to a good start! I picked five frames and "checked out".

The frames arrived yesterday and none of them fit well except one. The Gilbert in Mission Clay Fade. It was like they were custom made for my head. They sort of "snapped" into place when I put them on and rested lightly wherever they touched me, without slipping in any direction; plus they looked good on this old cowboy-hippie-hacker's face. They were perfect. I packed up all of the test frames and headed to the Warby Parker website to complete my order.

I selected the Gilbert in Mission Clay Fade, and went to select my lens package. I prefer prescription lenses with a standard, lined +2.25 bifocal in both dark gray sunglasses and clear lens packages. I was prepared to buy two pairs of the Gilbert, with different lens packages.

The first hint of trouble was when I noticed that they don't offer regular lined bifocals. Apparently Warby Parker customers are more about vanity and ONLY wear progressives. I tried progressives once and HATE THEM! I'll ONLY wear lined bifocals. They are the perfect multi-vision eyeglasses and I really don't care what others think of the lines. I thought, surely this can't be true. Surely I can get regular lined bifocals from a hugely popular eye-wear company like Warby Parker!? So I chose the Progressives and moved forward, hoping I could change it later; but I cannot.

No Lined Bifocals Available = FAIL

The next choice was the lens color. I was going to order two pairs of glasses. One in clear and one in dark gray, polarized sunglasses. Unfortunately the only choices I had at Warby Parker were clear, and "Light Responsive". I don't like Light-Responsive sunglasses, because I mostly need my sunglasses while driving, and the UV protection in windshields prevents the light-sensing / auto-darkening feature in those from darkening. They're fine for outside, but they are mostly useless in a car.

No Polarized Dark Lens Option for Sunglasses = FAIL 

Disappointed, I moved on to GlassesUSA.com

GlassesUSA.com

I ended up buying two pairs of new glasses with Oakley frames from GlassesUSA.com. When you first hit the website, they will offer you a 60% discount coupon code if you enter your email address. I did that, and then later learned that the discount doesn't apply to "premium" frames. Since I ordered Oakley frames, the discount code didn't work. I called their customer service line and the lady on the phone suggested a few discount codes until I was able to find one that took $100 off of the glasses I chose. I ended up paying $180 for the sunglasses.

By the way, their "Keyword Search" box is useless. I tried entering "Crosslink" "Twoface" and "Oakley" into it but the results were as if it were totally ignoring my search term and randomly showing me things.

The ones I chose were Oakley Twoface Steel with my prescription in lined polarized, dark-gray bifocals with silver mirror tint. I searched through a lot of frames before I realized that you must limit your search to those that will accept bifocals.

The next pair I selected for my clear glasses, were the Oakley Crosslink 0.5 Black. I got them with my prescription in lined bifocals with all of the coatings, and a new thing called "Digital Block Lenses". I'm not sure about that. It may be hokum, but I paid $30 for it because these are the glasses I'll use while at the computer. We'll see how it turns out.

Here's what GlassesUSA says about "Digital Block Lenses"...

Overall I highly recommend GlassesUSA.com. Before you check out, be sure to call their customer service line and ask for the best discount code. The operator will work with you to get you the best discount she can.

For posterity, in the event that those links go down, here are the glasses I chose...

 

Stitcher is abusing its "Player Controls" permission to show ads.

I just got a "notification" on my Pixel XL phone. It was from Stitcher and it was the normal "Player Controls" that are allowed in the notification area when you're playing a podcast, except this time it was for an audio program that was clearly marked as an ad for something called "Threedom".

I immediately checked the app's ability to send me notifications, and noticed that the permission it apparently used was "Player Controls" which it used to provide podcast controls in the notification area, which is useful. If Stitcher is going to abuse that permission to show un-wanted ads, then it will be a fatal error in their judgement and the application is going to be DELETED.

I know that Stitcher is free, and if the product is free, then you're the product; but abusing a permission to slide an ad into the user's notifications is NOT OK. Free or not.

   
 

Admittedly, this is a knee-jerk reaction. I have no proof that Stitcher is doing anything untoward. I recently downloaded a photo montage app that behaved normally for exactly one week, then started tossing full page ads up over my phone's home screen even when the app wasn't running. Luckily for me, I don't install apps very often so I knew EXACTLY which app was the offender. I deleted it and ripped it a deservedly bad review.

My daughter has the same phone as I do, and is plagued by ads that cover her phone all the time. Since she installs apps often, she has no idea which app is the offender. My knee-jerk reaction to this perceived slight by Stitcher may be an overreaction based on these events, but I will be keeping an eye on the app's behavior.

Amazon Only Allowing Positive Reviews.

I am beginning to seriously mistrust Amazon reviews. There have been a number of times recently where I went to put in a review on a product that I have purchased and I got this...

I understand things like the Comey book, where people with differing political opinions may deluge the item with negative reviews, but I still think that Amazon should allow anyone who has actually purchased the item, to review it in any way he/she feels.

That said, there is NO WAY that the PowerLix milk frother that I was reviewing, had any "unusual reviewing activity".

My complete review is here. It is too bad that Amazon is doing this. I used to value their product reviews, but now I have no reason to believe they are anything less than shill-driven BS.

Don't Forget About the Disgrace!

I have received a couple of these emails lately. Two to be precise. I have obscured the bitcoin address, and the key the scammer put in the subject line, just in case any of you were to get any ill-advised ideas of actually sending an email to "tellthemaboutjesus.com".

Ironic email domain huh?

I did a cursory reconnaissance on it and it is a live domain but is serving nothing particularly interesting on port 80. In case you don't know, the scammer doesn't need to ever actually receive email at the email address he lists, as long as his bitcoin address is valid and he can receive payments, his scam can be lucrative.

         

If you are the kind of person who engages in things on the Internet that, ... could cause you concern if you were to receive such a message, fear not. This is a bullshit attempt to separate a random person (you) from your money. Most of the time, these scammers acquire your email address from a bundle of breach data on the dark web. Commonly when websites are breached, their data is posted on the dark web for just this type of nefarious activity. To be notified whenever your personal data is made available in this manner, sign up for a free account at "Have I Been Pwned" (https://haveibeenpwned.com/).

I was talking with a friend recently who got one that had one of his old passwords in it. This is NOT an indication that the sender is in any way more attached to your computer. Most of these breach postings on the dark web contain your email address and password to whatever site got breached. This is another reason that you should use a password tool like 1Password, or LastPass and NEVER use the same password on more than one site. If you do get a message like this and it has your password (or a recent password that you recognize) that's no more reason to fret than the scammer having your email address is.

These messages prey on the very large percentage of people who engage in this type of behavior online and aren't particularly tech-savvy; but let's assume for a minute the scammer is telling the truth (he isn't), and you do pay him. What's to prevent him from sending the video of "your disgrace" to your email contact list?

The inherent trustworthiness of internet scammers?

The rule of thumb for these masturbation threat scams is the same as it is for all of them. Delete the email and forget about it. NEVER engage an online scammer or you will identify yourself as a naive mark and you'll never hear the end of it.

If the idea of this type of hack (which is possible by the way) scares you, then you can do at least some of these things to protect yourself online...

  1. Unplug or cover your webcam at all times unless you're using it.
  2. Use a good malware / virus software package like ESET NOD32.
  3. Use something like Mac OSX, or Linux. ANYTHING other than Windows.
    Microsoft Windows has the largest installed user-base on the planet, making its users the most attractive targets of malware and hacking attempts. Avoid it.
  4. Install a Pi-Hole on your network and use it as your router's DNS resolver.
  5. Use OpenDNS for the Pi-Hole's DNS resolver and enable all of the OpenDNS filters that shut down malware, adware, and pornography. 

Removing Bloatware / Crapware from Windows 10.

Microsoft is now getting as bad about shipping their operating system full of bloatware and crapware, as Packard Bell was back in the nineties. That's a SHAMEFUL turn of events. To add insult to injury, many of these apps cannot be uninstalled by going to the "Programs and Features" applet. The [Uninstall] button is grayed out. These apps install automatically with Windows 10, and there’s nothing you can do to stop it. You have to manually uninstall them one at a time after your machine is up and running.

Fortunately there is a way; you just have to be a bit of a hacker. PowerShell to the rescue.

I got this information from https://errorfixer.co/uninstall-bloatware-apps-windows-10-creators-update/ but will re-post the gist here in case that site ever goes away.

Run PowerShell as administrator.

To get a list of the apps installed on your machine, run...

Get-AppxPackage | Out-File myapps.txt

Then examine the file "myapps.txt" that has been written to the current directory. To ensure that the file is written to your desktop no matter where PowerShell is, run it like this...

Get-AppxPackage | Out-File $env:userprofile\desktop\myapps.txt

Or, if you're using OneDrive...

Get-AppxPackage | Out-File $env:userprofile\onedrive\desktop\myapps.txt

Here are the commands for removing the most common bloatware packages...

Get-AppxPackage *Minecraft* | Remove-AppxPackage
Get-AppxPackage *DrawboardPDF* | Remove-AppxPackage
Get-AppxPackage *FarmVille2CountryEscape* | Remove-AppxPackage
Get-AppxPackage *Asphalt8Airborne* | Remove-AppxPackage
Get-AppxPackage *PandoraMediaInc* | Remove-AppxPackage
Get-AppxPackage *CandyCrushSodaSaga* | Remove-AppxPackage
Get-AppxPackage *Twitter* | Remove-AppxPackage
Get-AppxPackage *bingsports* | Remove-AppxPackage
Get-AppxPackage *bingfinance* | Remove-AppxPackage
Get-AppxPackage *officehub* | Remove-AppxPackage
Get-AppxPackage *BingNews* | Remove-AppxPackage
Get-AppxPackage *windowsphone* | Remove-AppxPackage
Get-AppxPackage *Netflix* | Remove-AppxPackage
Get-AppxPackage *bingweather* | Remove-AppxPackage
Get-AppxPackage *Microsoft3DViewer* | Remove-AppxPackage
Get-AppxPackage *ZuneVideo* | Remove-AppxPackage
Get-AppxPackage *3dbuilder* | Remove-AppxPackage
Get-AppxPackage *Facebook* | Remove-AppxPackage
Get-AppxPackage *Microsoft.SkypeApp* | Remove-AppxPackage
Get-AppxPackage *SkypeApp* | Remove-AppxPackage
Get-AppxPackage *Appconnector* | Remove-AppxPackage
Get-AppxPackage *Wallet* | Remove-AppxPackage
Get-AppxPackage *Office.Sway* | Remove-AppxPackage
Get-AppxPackage *ZuneMusic* | Remove-AppxPackage
Get-AppxPackage *XboxOneSmartGlass* | Remove-AppxPackage
Get-AppxPackage *XboxSpeechToTextOverlay* | Remove-AppxPackage
Get-AppxPackage *XboxApp* | Remove-AppxPackage

 

Setting up GitHub SSH on Linux (Or Windows using GitBash)

Have you ever run across an issue you remember having solved before, but can't remember how to solve it now; then you Google it, find a great article on it, and realize that you wrote it some years back?

That's what this article is. EVERY TIME I have to set up SSH on a new Linux development machine I end up Googling pieces parts here and there and end up cobbling together the solution myself. Then I move on and some time later, have to set up GitHub SSH on a new Linux machine again. Well that just happened, so I decided to write it all down so that it doesn't trip me up again.

Before I get started with the dry, terminal commands, let me emphasize that the main thing that trips people up is that Github gives you the HTTPS url by default, and you are going to want to use the SSH URL if you want to use Git at the bash prompt.

To begin, fire up the new Linux machine (in this case I'm using Ubuntu Gnome 17.10) and start up a terminal.

Generate your new RSA keypair...

In your Linux Bash prompt, or Git Bash on Windows, run ...

   $ ssh-keygen -t rsa -b 4096 -C "yourem@iladdr.ess"

  • It will default to saving the keypair to the .ssh directory in your home directory as "id_rsa". If that's fine, then just accept the default.

    If you already have an id_rsa keypair, then name this one something else. Since this is an SSH key for Gitlab, I called mine "id_rsa_Gitlab". You can also give them project-specific, or account-specific names like, "id_rsa_gfnproject". The convention is that they all start with "id_rsa".

  • Enter your passphrase (or leave it blank)
  • Enter it again, then the key will be saved.

You will have two files in ~/.ssh/. One of them will be named according to what you specified. This is your private key. The other one has a ".pub" file extension. Open that one in a text editor and copy its contents to your paste buffer.

  • Log in to GitHub (or the Git system of your choice)
  • Click on your picture in the top-right corner and select "Settings"
  • On the left, click on "SSH and GPG keys".
  • In the top right corner, click the green [New SSH Key] button.
  • Give it a meaningful title, like "Linux Dev Box" and paste the contents of the public key into the "key" field.
  • Click the green [Add SSH Key] button.

You should be good to go. Clone a GitHub repo to the local machine like this...

Go to a directory where you want to store your repositories

Execute the following command (modified for your own account and repo)...

   $ git clone git@github.com:acctname/reponame.git

You should see the clone procedure run. If it complains about your credentials not being trusted, then have a look at the keys SSH has installed...

Execute the following command 

   $ ssh-add -l

You should see something like...

4096 SHA256:i2fLkp3x3Dy+V3GpnU5IBWFb0wVZoPBvRsYp4aRWwsL /home/pblanton/.ssh/id_rsa (RSA)
4096 SHA256:i2fLkp3x3Dy+V3GpnU5IBWFb0wVZoPBvRsYp4aRWwsL yourem@iladdr.ess (RSA)

I have of course, shown fake keys for demo purposes.

If you don't see the expected keys, then run this command...

   $ ssh-add

Type in your passphrase (if any), and the SSH client will ingest your keys. Try cloning again, and it should all work. You should be able to Git at the command-line to your heart's content without being prompted for your credentials again.

Time to start writing some shell scripts to automate everything now. Automation is cool!

Update 2/14/2018:

Normally I am working on a virtual machine that has been specially configured for a client, so creating an SSH public/private keypair saved as id_rsa works fine. Today, however, I needed to access a Git repository at a client's site, running under a system called "Gerrit", which is a code review system with a Git back-end. This client also has an internal GitHub Enterprise system set up at Github.<clientname>.com, and we also use plain ol' Github.com. That means three different Git systems that I have to access from the same system. I want my Git Bash to work in any repository, whichever of these systems it targets, transparently. The way to do that is with an ssh config file. After you have created the requisite number of properly named SSH keypairs using the instructions above, you are ready to create your config file as follows...

Navigate to your .ssh directory, open a text editor of your choice and create a file called "config" with no file extension. I'm doing it in Git Bash, so vi...

   $ vi config

Edit the file as necessary. Here is an example...

The keys are the Host, and IdentityFile settings as follows...

Host: url that will trigger this identification.
 IdentityFile: The SSH private key to use for this authentication.

The indentation of the IdentityFile line under "Host" is important. Make it one space.

More examples...

Let's say that I am only using Github, but I have a work account and a personal account on Github. My personal account name is "pblanton" and let's assume I also have a Github account for Gort work. My configuration would look like this...

   # SSH Authentication for my personal projects
   Host pblanton.github.com
    IdentityFile /f/.ssh/id_rsa_pblanton

 

   # SSH Authentication for Gort projects
   Host gortbot.github.com
    IdentityFile /f/.ssh/id_rsa_gortbot
 

Now, when you clone a project for your personal work, add "pblanton" to the url. For instance, let's clone WebGoat (git@github.com:WebGoat/WebGoat.git). In this case though if we tweak the url to be

   git@pblanton.github.com:WebGoat/WebGoat.git

then when we clone it...

Github doesn't care about the extra subdomain, but the Git client will associate it with the credentials specified by the "Host" line that matches "pblanton.Github.com" in the config file, and anytime we push or pull it the correct creds will be used.

Gitlab, BitBucket, et al.

Since the Git client associates your credentials to the url string found in "Host" you aren't limited to Github. ANY repository that implements Git will work as long as you have a valid "Host" entry that matches the url.

For instance, my GitLab repos can use the credentials in .ssh/id_rsa_gitlab through the following entry in config...

   # SSH Authentication for my personal projects
   Host gitlab.com
    IdentityFile /f/.ssh/id_rsa_gitlab

 

Since "Gitlab" is unique among the "Host" values in my ssh config file, there is no need to prepend it with "pblanton", but if I had multiple accounts on Gitlab that I used for different purposes, then that would work here too.
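Here is an added example (not part of the original post): a shell audit of a config like the ones above. For each "Host" entry it reports which key the entry selects, whether that key file exists and is readable only by its owner, and whether IdentitiesOnly is set. The function names, the HostName and IdentitiesOnly lines and the temporary key files are assumptions constructed for the demonstration.

```sh
#!/bin/sh
# key_status FILE -> ok | missing | too-open
key_status() {
    [ -f "$1" ] || { echo missing; return 0; }
    # Characters 5-10 of the ls mode string are the group/other bits; ssh
    # refuses a private key that anyone but its owner can access.
    if [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; then echo ok; else echo too-open; fi
}

# report_block HOST IDENTITY_FILE IDENTITIES_ONLY
report_block() {
    [ -n "$1" ] || return 0
    if [ -z "$2" ]; then
        echo "$1 default-keys -"          # no IdentityFile: ssh falls back to its defaults
    else
        echo "$1 $2 $(key_status "$2") identitiesonly=$3"
    fi
}

# audit_ssh_config CONFIG_FILE
# One line per Host block: <host> <key file> <key status> identitiesonly=<value>
# Handles the "Keyword value" form used on this page, not "Keyword=value", and
# reports only the first IdentityFile of each block.
audit_ssh_config() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
    {
        host="" idfile="" idonly=no
        while read -r key value; do
            # ssh_config keywords are case-insensitive.
            case $(printf '%s' "$key" | tr '[:upper:]' '[:lower:]') in
                host)
                    report_block "$host" "$idfile" "$idonly"
                    host=$value idfile="" idonly=no ;;
                identityfile)
                    case $value in "~/"*) value=$HOME/${value#"~/"} ;; esac
                    [ -n "$idfile" ] || idfile=$value ;;
                identitiesonly)
                    idonly=$value ;;
            esac
        done
        report_block "$host" "$idfile" "$idonly"
    }
}

# Constructed sample input: the two GitHub accounts and the GitLab entry from
# this page, with throwaway empty "key" files in a temporary directory.
audit_demo() {
    d=$(mktemp -d)
    : > "$d/id_rsa_pblanton"; chmod 600 "$d/id_rsa_pblanton"
    : > "$d/id_rsa_gortbot";  chmod 644 "$d/id_rsa_gortbot"   # deliberately too open
    cat > "$d/config" <<EOF
# SSH Authentication for my personal projects
Host pblanton.github.com
 # Assumption added here: HostName makes the alias connect to github.com, and
 # IdentitiesOnly makes ssh offer only this key, not every key in the agent.
 HostName github.com
 IdentityFile $d/id_rsa_pblanton
 IdentitiesOnly yes

# SSH Authentication for Gort projects
Host gortbot.github.com
 IdentityFile $d/id_rsa_gortbot

Host gitlab.com
 IdentityFile $d/id_rsa_gitlab
EOF
    audit_ssh_config "$d/config" | sed "s|$d/||"
    rm -rf "$d"
}

case ${1:-} in --demo) audit_demo ;; esac
```

Run audit_ssh_config against your own ~/.ssh/config; "ssh -G <host>" prints the settings ssh itself resolves for a host if you want to cross-check a single entry.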

Make a bootable USB drive for ANY bootable ISO from Linux.

So, you have abandoned Microsoft Windows wholesale, choosing to perform most of your work in Linux or OSX. But now you need to make a bootable Windows 10 USB drive in order to set up a laptop for someone. You Google how to create a bootable disk "FROM LINUX" but all you get is different flavors of the same Ubuntu bootable live USB drive from Windows. Occasionally you'll find a tutorial for Linux that references some crappy UI app to do it for you.

That's not necessary. It's pretty easy to make a bootable flash drive from Linux using ANY bootable ISO you have access to. Here's the command...

sudo dd bs=4M if=blahblahblah.iso of=/dev/sda && sync

Break it down...

  • sudo -> because you have to be a super-user in order to do it.
  • dd -> data dump (dd) is the program we will use.
  • bs=4M -> Be sure to use four-meter long bullshit sticks *
  • if -> input file
  • of -> output file. In this case the flash drive is /dev/sda.
  • && -> chain another command IF the first command succeeds.
  • sync -> flushes the write buffers to ensure that the write operation is complete before you yank the drive.

* just kidding. bs is the BlockSize switch. We're telling dd to copy the data in 4-megabyte blocks. If you're on a Mac, be sure to use a lower-case "m".

If your flash drive partition is "/dev/sda1" then be sure to use just "/dev/sda". You want to write the iso file contents to the raw drive and not as a separate partition.
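dd overwrites whatever device "of=" names without asking, and /dev/sda is the internal system disk on many machines, so here is an added example (not part of the original post) that checks a target before writing: it must be a whole disk rather than a partition, be flagged removable, and have nothing mounted. The function names and the optional sysfs and mounts-file parameters are assumptions made here so the checks can also be run against a constructed directory tree.

```sh
#!/bin/sh
# check_dd_target DEVICE [SYSFS_DIR] [MOUNTS_FILE]
# Prints "ok" and returns 0 when DEVICE is a whole, removable, unmounted disk;
# otherwise prints the reason and returns 1. SYSFS_DIR and MOUNTS_FILE default
# to the live system (/sys and /proc/mounts).
check_dd_target() {
    dev=$1
    sysfs=${2:-/sys}
    mounts=${3:-/proc/mounts}
    name=${dev#/dev/}

    # Whole disks have an entry directly under /sys/block; partitions
    # (sda1, mmcblk0p1, ...) only appear beneath their parent disk.
    if [ ! -d "$sysfs/block/$name" ]; then
        echo "refuse: $dev is not a whole disk (a partition, or no such device)"
        return 1
    fi

    # USB flash drives report removable=1; internal disks normally report 0.
    if [ "$(cat "$sysfs/block/$name/removable" 2>/dev/null)" != "1" ]; then
        echo "refuse: $dev is not flagged removable (likely an internal disk)"
        return 1
    fi

    # Refuse if the disk itself or any of its partitions is mounted.
    while read -r src mnt rest; do
        case $src in
            "$dev"|"$dev"[0-9]*|"$dev"p[0-9]*)
                echo "refuse: $src is mounted on $mnt; unmount it first"
                return 1 ;;
        esac
    done < "$mounts"

    echo "ok"
}

# write_iso ISO DEVICE
# Runs the dd command from this page only when the target passes the checks.
write_iso() {
    check_dd_target "$2" || return 1
    sudo dd bs=4M if="$1" of="$2" && sync
}
```

Running "lsblk" before and after plugging in the drive is a quick manual way to confirm which device name it received.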

Now you'll NEVER need Windows and Rufus ever again.

Getting a New Kali 17.2 Install to apt update...

I recently installed Kali Linux 17.2 to a VMWare VM. During the installation I was prompted for a mirror to use to update packages. All of the mirrors available returned an error that they were invalid, so I had to finish the installation as a "minimal installation" like the installer warned me against; but I was stuck with either abandoning the installation and starting over from scratch, which wouldn't guarantee a better outcome, or just go with it and try to figure it out later.

After the installation finished and I booted into my fresh new Kali, I went to " apt update && apt upgrade -y " and found that it wouldn't. I checked my /etc/apt/sources.list file and it contained this...

No online sources, and the CDROM source lines are commented out, so every time I ran " apt update ", the system was content that it needed no updates.

I updated the sources.list file to...

And in plain text, for your cutty/pastie pleasure ...

deb http://http.kali.org/kali kali-rolling main contrib non-free
# For source package access, uncomment the following line
# deb-src http://http.kali.org/kali kali-rolling main contrib non-free

Save the file, and then re-run " apt update && apt upgrade -y ". It'll take a while to update/upgrade depending on the size of your pipe; and then you will be all updated and able to install stuff.

Hack with reckless abandon!