Windows 11… Simply Unnecessary

Windows 11 is wholly unnecessary, and shouldn’t even exist.

If we ignore the fact that Microsoft stated Windows 10 was the last version of their operating system, and the seemingly obvious missed opportunity to simply rebrand Windows 10 to “Windows” alone like Apple did, then we can look at their proposed reasons for the change.

Why Microsoft is Rebranding

When Windows 10 came out, it was supposed to usher in a new standard of operating under the Microsoft family. The start menu was brought all the way back in comparison with Windows 8.1, and they finally fixed a number of graphical issues users were having.

The rebrand to Windows 10 was for the numerous changes they’d done to the operating system, back then.

So what changes to instigate a new OS now?

A New Name Means Distance from Old Identity

Changing a name is a great way to distance a person, place, or thing from old actions or from qualities that no longer apply. It’s a way to signal change, that something is not the same as before.

Microsoft and other corporations use this strategy often to create positive attention for their brand or distance themselves from negative attention.

And Windows 10 has had a lot of negative attention:

A quick search will pull up almost unlimited articles complaining about Windows 10.

With the recent failure of Windows 10 X, Microsoft had enough.

So What’s New?

Really, that’s the most important thing, isn’t it? Are the changes any good?

Well, no.

Unless you want a bunch of features you could already achieve in Windows 10 with more bloat, more integrated applications, less customization, and more restrictions on which hardware you can install it on.

Windows 11 still has bloatware in the preview builds, and they’ve had updates before which have reinstalled all preinstalled apps. Microsoft Teams will now be integrated into the taskbar. I don’t have high hopes for the Teams integration if the weather icon they tried to add to the taskbar and failed miserably with is any indication. The “News and Interests” taskbar option causes the taskbar to update arbitrarily and File Explorer to lag, and the font is grainy and pixelated on a monitor with a resolution higher than 1080p.

Well what about the centered taskbar?

Wouldn’t it be great if you could already do that in Windows 10?

Center Taskbar Windows 10 Dark Theme

Oh wait. You can.

This is what my desktop looks like currently on 21H1. I also have a custom dark theme installed to properly theme some of the discrepancies out of the OS like the Task Manager, the dialogue options, and even Notepad.

Using TaskbarX, SecureUXTheme, and a few other dependencies, you can already create what I believe to be a better look than what Windows 11 delivers out of the box.

Changing UX Design

Notice that the start button is on the bottom left in the image above. Now look at a picture of the new Windows 11 taskbar:

The start button has moved to the center with the other icons.

THIS IS BAD UX DESIGN.

Why?

Because when a button is on an edge that you can move your mouse against, it has an infinite width. If you drag your mouse against the left edge of your (leftmost) monitor, it cannot move outside the screen and thus any button on the edge of the screen would be easier to quickly whip the mouse over and click.

In the same way, when a button is in a corner such as the start button was in most previous versions of Windows, it is much easier to drag your mouse to the corner quickly without aiming at all, as two sides have infinite width. This makes it extremely efficient to locate the start button, no matter the cursor location.

However, by moving the start button to the center of the taskbar, Microsoft eliminates that smart UX choice they made all those years ago.

Perhaps Microsoft will realize this and provide an option to restore the default alignment in a later update. As of 8/2/2021, this is not possible.

Additionally, they eliminated the option to align the taskbar to the left or right in the latest version.

The main concern for me as Microsoft continually whips around GUI updates is… how has Windows fundamentally changed since the last big update? And how are they fixing the small issues that continue to plague normal operations throughout the working day? Well, the answers to both of those questions are pretty disappointing.

A) It hasn’t changed that much, so don’t expect to notice much difference

B) They haven’t fixed that much, so don’t expect to notice much difference

And that’s where we are. Another graphical change to an OS in an era where to this day, on the latest Windows build, you can open command prompt and hold F11 down to see the old Windows 7 UI underneath for a split second as the GUI is overwritten with the new theme.

Split second after you hit F11 to minimize the CMD prompt window out of fullscreen.

Progress Is Not Bad

But there has to be progress. Windows 11 is completely unnecessary for what they are bringing to the table in the new versions. In a perfect world, maybe Microsoft would have rebranded Windows 10 to “Windows” with thematic naming to keep versions clear, saved the sweeping UI upgrades until AFTER THEY’D FINISHED THE EXISTING DARK THEME FOR THEIR CURRENT OS, and not made yet another “Settings” app before the old Control Panel was even removed.

I’ll say it again, I would love for Microsoft to be innovating here, but where is it? What can be achieved on Windows 11 that can’t already be accomplished on existing hardware and software?

“Windows 11 has all the power and security of Windows 10 with a redesigned and refreshed look. It also comes with new tools, sounds, and apps. Every detail has been considered. All of it comes together to bring you a refreshing experience on your PC.”

I suppose nothing. It’s not like I would consider whatever Microsoft is shipping with their OS to be essential apps, probably just a new version of candy crush 😉.

At the very least, Microsoft says they will still support Windows 10 for 4 more years, until 2025. Maybe by that time, Windows Infinity will have hit shelves and I can skip 11.

Honestly, just please make one settings app and I’ll be happy. 🙏


If you want to improve your Windows 10 experience by searching with any browser and Google from your start menu instead of Bing, read this.


It helps me if you share this post

Published 2021-07-27 18:55:20

TikTok: Social Media, or Spyware?

TikTok is the most popular growing social media right now by far, surpassing the likes of Reddit, Snapchat, Twitter, Pinterest and Quora.

And it’s much more popular among Gen Zs and Millennials.

But TikTok was declared as a security threat and many have growing concerns about the operations of ByteDance as a whole.

TikTok Source Code Analysis

Step 1: Obtain TikTok source code

This is the step most people might get stuck on…

Step 2: Spend hours looking through said program for suspicious things

Step 3: Share!


Beyond initial paranoia, let’s be realistic about what apps collect. Even Google collects IP (and therefore geographic location), and other pieces of personal data:

Google might collect far more personal data about its users than you might even realize. The company records every search you perform and every YouTube video you watch. Whether you have an iPhone or an Android, Google Maps logs everywhere you go, the route you use to get there and how long you stay — even if you never open the app.

So then what are we looking for? How is this different? For one thing, Google, Facebook, Reddit, and Twitter apps don’t collect anywhere near the same amount of data that TikTok does, and they don’t obfuscate and hide their methods sneakily like TikTok. Additionally, TikTok has some weird code in it that no normal social media app should have. Here’s a quick comparison of the APIs TikTok accesses vs the Facebook app:

They both collect data, but TikTok collects more. And needs access to your SMS messages for some reason, even though it doesn’t interact with that…

The sections below break down what the TikTok app can do or does do, and why it might do it. Make your own judgement at the end of the day. However, this is only what can be seen: note that TikTok has the ability to update their app and add or remove code without updating the app through the store.

Things TikTok Collects

  • Location (once every 30 seconds for some versions)
  • Phone Calls
  • Screenshots(?)
  • Network Information (Wifi Networks’ SSID, MAC address, Carrier, Network Type, IMSI (possible), IMEI, local IPs, other devices on the network)
  • Facial Data
  • Address
  • Clipboard
  • Phone Data (cpu, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
  • Installed Apps
  • Rooted/Jailbroken Status
  • All keystrokes in the browser (more below)

Location

Most apps collect your location, so there’s nothing too fishy about this. However, one could argue that your location is not useful to TikTok’s general functioning, and that the app therefore shouldn’t attempt to locate you so often, or at all, unless you’re using a feature that takes advantage of it. The data collected here includes your latitude and longitude, and your exact location if they can pull it from the WiFi (done in the WiFi collecting code).

Phone Calls/Call Log/Phone Number

TikTok requires you to provide a phone number upon signup on most occasions to function normally within the app, so they can link your identity to your phone number. They also collect your call log (people you’ve called) and have the permission to make calls from your device, although I’ve never heard of a case of this happening. Phone numbers are generally very unique, so this combined with location and name would already be enough to identify virtually anyone using this app in the U.S.

Screenshots

The app hooks an observer at some point (it would make sense to be on app load) that watches when the user takes screenshots. It’s unlikely this code can run in the background or does, but the app at least knows everything you take a screenshot of while using the app. Additionally, TikTok includes a string, “KEYWORDS”, that may be of significance. A keyword is defined as: “an informative word used in an information retrieval system to indicate the content of a document”. They may use this variable to find screenshot files and potentially scan/upload/use them. However, this may have legitimate use in categorizing images for upload by the user or be non malicious.

Network Information

It also collects lots and lots of Network data. The app uploads full lists of network contacts, SMS logs, IP, local IP, MAC address information, and probably anything else it can read from the phone (which is virtually everything).

Facial Data/Recognition

TikTok includes facial verification code as well, which upon first glance I believed to be for the face filters they include, but does a little more than that. The code includes a link to this domain (archived). Translating said domain states:

Oops, my bad. Should’ve known I had to reverse-engineer the app, extract a developer URL, and then get a translator just to see that I’d even agreed to facial recognition logging by ‘continuing to use this service’.

And further on, it states what I believe to be particularly interesting:

Near the bottom it states facial images are transmitted to the parties listed above.

In specific:

ByteDance developed this function, which includes but not limited to the Ministry of Public Security’s “Internet +” trusted identity authentication platform, “Query Center” and other institutions to provide verification data and technical support.

This is very important because it mentions a “Ministry of Public Security”, and an “Internet+” identity authentication platform/program of some sort, and it also states near the bottom of the same translated text that facial images and identity verification results + data is transmitted to said 3rd party.

What is the Ministry of Public Security? A Google search quickly turns up results. They “operate the system of Public Security Bureaus, which are broadly the equivalent of police forces or police stations in other countries”, and were “established in 1949 (after the Communist victory in the Chinese Civil War)”.

It seems they serve the Chinese Communist Party, or are at least connected to the government in a very direct way.

And what is the trusted identity authentication platform? More research turns up articles such as this, and this. It appears likely all facial recognition data would be sent back to China and saved by various parties.

TikTok seems to be sending facial recognition data of anyone who uses the app back to some sort of 3rd party associated with the CCP that has all the other information combined. This could create a very scarily comprehensive profile and location on high-interest targets China wants to keep track of. Additionally, it can use shadow tracking, which is a term pioneered by the era of Facebook. Shadow tracking or shadow profiles are collected data or hidden profiles of people that don’t use the app but TikTok can keep tabs on because of connections. For instance, when you upload your contacts to TikTok, it will track the names you’ve assigned to each contact and use that data in cross-checks with other uploaded contacts of your friends. For every person that uploads their contacts. This can quickly create a vast network of phone numbers and identities, even for people who aren’t associated with TikTok at all. Combining facial recognition data with shadow tracking techniques, and everything listed in this post could make for a pretty sophisticated tracking tool.

Address

I’ve used TikTok for a while before now, and I’ve never been asked to enter my address, city, or where I live. However, the TikTok app contains code to parse and send addresses of locations. This is probably to generate addresses from collected locations for internal logging and to make users’ geographical locations easier to view. That is not to say it is malicious.

Clipboard


Source: http://web.archive.org/web/20210506011606/https://twitter.com/jeremyburge/status/1275896482433040386

And more information here about clipboard collection by ByteDance.

Phone Data

TikTok collects lots of data about the device you are using to access their app. Installed app list, device ID, phone name, phone storage, etc. Extrapolating from this, it also probably collects more data not proven here.

Rooted/Jailbroken Status

Detects whether or not you’re rooted. This isn’t that big of a deal but I thought it was worth a mention. Could be used in combination with other obfuscation techniques to hide nefarious actions.

Other Problems

Beyond straight-up tracking and collecting data about their users, there are also a number of fundamental design issues with the app. For instance, the app uses out-of-date cryptographic algorithms, including MD5 and SHA-1 for hashing, both of which have been broken wide open and are no longer secure. Additionally, the app used to use only HTTP, not HTTPS, until recently, and that exposed users’ emails, dates of birth, and usernames in plaintext to anyone smart enough to look for them.

Execution of Remote Code & System Calls

Some research states TikTok executes OS commands directly on the phone and has the ability to download remote .zip files, extract them, and execute arbitrary binaries on your device, allowing TikTok to run whatever code they want. While I don’t doubt this is possible, I have not personally verified the code in my research. However, I would not put it past the app to have this capability. Perhaps it’s better hidden now.

Keystrokes in the Browser

The app was tested with inappbrowser.com which shows all JavaScript events that are hooked. If you open this page in your browser, no events will show. This is a good thing. There are no events being monitored in a default, safe browser. The site is meant to show how a 3rd party app is abusing its in app browser. TikTok happens to monitor all keystrokes and key inputs in its in app browser, so the output looks a little more like below.

inappbrowser.com report text for tiktok in app browser
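The kind of check a test page like this can perform, as an added example that is not code from the original post or from inappbrowser.com: wrap addEventListener before anything else runs and log every registration. The SENSITIVE_TYPES shortlist and all function names are assumptions, and the "injected" function is a constructed stand-in for script that a host app adds to a page.

```javascript
// Added example: record which DOM event types get listeners, and from where.
// Runs in a browser page or in Node (which also provides EventTarget).

// Event types that reveal what a user types or taps (a constructed shortlist).
const SENSITIVE_TYPES = new Set([
  "keydown", "keyup", "keypress", "input", "click", "selectionchange",
]);

// Wrap addEventListener on a prototype so every later registration is logged.
// Returns { log, restore }. It must run before any other script registers
// handlers, otherwise earlier registrations are missed.
function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const log = [];
  proto.addEventListener = function (type, listener, options) {
    log.push({
      type: String(type),
      target: this?.constructor?.name ?? "unknown",
      // The calling frames show which script registered the handler.
      stack: new Error().stack.split("\n").slice(2, 4).map((s) => s.trim()),
    });
    return original.call(this, type, listener, options);
  };
  return { log, restore: () => { proto.addEventListener = original; } };
}

// Reduce the raw log to a report: a count per type and the sensitive subset.
function summarize(log) {
  const counts = {};
  for (const { type } of log) counts[type] = (counts[type] || 0) + 1;
  const sensitive = Object.keys(counts)
    .filter((t) => SENSITIVE_TYPES.has(t))
    .sort();
  return { counts, sensitive, monitored: sensitive.length > 0 };
}

// Constructed demonstration. The page itself registers nothing while the
// audit is active, so everything in the log comes from the injected stand-in.
function demo() {
  const audit = installListenerAudit();
  const doc = new EventTarget(); // stand-in for `document`
  const injected = (target) => {
    target.addEventListener("keydown", () => {});
    target.addEventListener("keyup", () => {});
    target.addEventListener("click", () => {});
  };
  injected(doc);
  audit.restore();
  doc.addEventListener("input", () => {}); // after restore: not logged
  return summarize(audit.log);
}
```

An empty report in a normal browser and a non-empty one inside an app's embedded browser is the difference the post describes.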

Security Research Files

Penetrum Security wrote an in-depth paper on TikTok if you’re interested in reading into a lot of what I’ve discovered here, and also compared how much data Facebook, Twitter, and common social media apps collect vs. TikTok. They’ve done great work and I’ve archived those files here. The data collection comparison paper is very interesting (second download).

I’m not the only one who has come to these conclusions, either. This Reddit post and another security researcher both reported similar findings.


So, social media or spyware? Why not both?

I’m probably going to continue to use the app, but I’ll be sure not to say Xi Jinping looks like Winnie the Pooh or mention the Falun Gong genocide. At least, not while TikTok is watching.



Published 2021-05-06 09:00:00

Searchifier not working? Windows updated. Read this.

EDIT: As of 3/20/2022, Searchifier does not work anymore due to Microsoft blocking it. The post and download links will stay up for now, but they could be removed at any point. At some point in the future if a workaround is found this post will be updated.

Something changed between Windows 11 builds 22483 and 22494 (both Windows Insider Preview builds.) The build changelog makes a few mentions of changes to the protocol and file associations/default apps system. However, it omitted the headline news: You can no longer bypass Microsoft Edge [protocol links].


Searchifier works by handling the request sent by your start menu to Edge and translating that to a link your other browser can handle. Windows 10’s latest update breaks this functionality by preventing your default link handler from being updated automatically at all.

You can fix it by doing this:

  1. Install Searchifier
  2. Go to Windows 10’s Settings
  3. Apps > Default Apps > Choose default apps by protocol (scroll down)
  4. Scroll to where it says “Microsoft-Edge”
  5. Click and change to Searchifier

It should work now!
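A sketch of the translation step described above, as an added example (not Searchifier's own code). The two microsoft-edge: link shapes, the Google search template and the function names are assumptions; only http(s) URLs are passed on, because the link content is not under the handler's control.

```javascript
// Added example: translate a microsoft-edge: protocol link into a plain
// web URL for the default browser, refusing anything that is not http(s).

const SEARCH_TEMPLATE = "https://www.google.com/search?q="; // assumed target

// Pull the wrapped URL out of the protocol link. Two shapes are handled
// (both are assumptions about the format, not taken from the post):
//   microsoft-edge:https://example.com/
//   microsoft-edge:?launchContext1=...&url=https%3A%2F%2Fexample.com%2F
function unwrapEdgeLink(link) {
  const m = /^microsoft-edge:(.*)$/is.exec(String(link).trim());
  if (!m) throw new Error("not a microsoft-edge: link");
  let inner = m[1];
  if (inner.startsWith("?")) {
    // URLSearchParams percent-decodes the value of the url parameter.
    inner = new URLSearchParams(inner.slice(1)).get("url") ?? "";
  }
  let url;
  try {
    url = new URL(inner);
  } catch {
    throw new Error("no usable URL in link");
  }
  // Allow-list the scheme: anything else (file:, javascript:, other
  // protocol handlers) must never be handed on to a browser.
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error("blocked scheme: " + url.protocol);
  }
  return url;
}

// Rewrite Bing searches to the chosen engine; pass other links through.
function translate(link) {
  const url = unwrapEdgeLink(link);
  const isBingSearch =
    /(^|\.)bing\.com$/i.test(url.hostname) && url.pathname === "/search";
  const query = url.searchParams.get("q");
  if (isBingSearch && query) {
    return SEARCH_TEMPLATE + encodeURIComponent(query);
  }
  return url.href;
}
```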




Published 2021-04-26 04:48:42

Google’s Privacy Policies Policy

Google unpublished a couple of my apps the other day for having out of date privacy policies. Fair, those URLs went dead. However, upon updating the URLs, one app was still not accepted.

Wall Ball. That’s because it doesn’t collect data on you. And what I mean by that is that when my privacy policy looked like this, Google rejected the app.

But, it’s true. Wall Ball doesn’t actually contain any ads or collect any data about anyone or anything. It simply runs as a small free game.

Removed notices from Play Console…

However, I’ve updated the privacy policy URL to:

https://gmr.dev/privacy/wallball2.html

Which basically just says I have ads in the game even though I don’t…

Whereas the link on the main privacy policy page goes to the “real” one:

https://gmr.dev/privacy/wallball.html

So we’ll see if Google accepts it this time. 😊

But hey, maybe it’s just their idea of an April Fools joke. 😛

*EDIT* GUESS WHOSE APP IS BACK ON THE STORE! 😀



Published 2021-04-01 13:59:10

New Ransomware Attack Vector – Virtual Machines

No one likes malware, but a particularly malicious type is called Ransomware, and it specifically preys on people’s data.

Ransomware essentially encrypts the user’s entire computer or specific files until a sum of money is paid to the attacker. While there is no guarantee the attacker will make the files or computer available again, it seems to be in their best interest to return access to the computer, otherwise no one else would pay once word got around.

A particularly nasty type of new ransomware has just been discovered, and it utilizes a surprising attack vector: virtual machines.

In a new report by Sophos, the operators of the Ragnar Locker are using another novel method to avoid being detected when encrypting files.

They are now deploying VirtualBox Windows XP virtual machines to execute the ransomware and encrypt files so that they are not detected by security software running on the host.

This attack is started by first creating a tool folder that includes VirtualBox, a mini Windows XP virtual disk called micro.vdi, and various executables and scripts to prep the system.

https://www.bleepingcomputer.com/news/security/ransomware-encrypts-from-virtual-machines-to-evade-antivirus

As the security software running on the victim’s host will not detect the ransomware executable or activity on the virtual machine, it will happily keep running without detecting that the victim’s files are now being encrypted.

Interestingly, Windows 10’s “Controlled Folder Access” may prevent this attack, as it prevents any unauthorized changes by applications without a password.

This is especially problematic for government organizations, businesses, and hospitals. In fact, one of their more recent attacks was on an energy company, EDP (https://www.edp.com/en), where the attackers stole more than 10 TB of files and received a ransom of over 10 million dollars.

This attack illustrates how security software with behavioral monitoring is becoming more important to stem the tide of ransomware infections.

It’s more important than ever to implement safe browsing habits, and common sense when executing unknown files, as once the attacker is in your system, it’s game over.
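One host-side behavioral check for the technique described above, as an added example that is not from the original post or the Sophos report: flag VirtualBox components that start from outside the normal install directory. The event field names, the baseline directory list and every sample event are constructed assumptions; only micro.vdi comes from the report quoted above.

```javascript
// Added example: detection over process-creation events.

// Default install location on Windows; an assumed baseline to adjust per fleet.
const EXPECTED_DIRS = ["c:\\program files\\oracle\\virtualbox\\"];
// VirtualBox executables that can configure or start a VM without a window.
const VBOX_BINARIES = new Set(["vboxheadless.exe", "vboxmanage.exe", "vboxsvc.exe"]);
// Parents that suggest a scripted rather than interactive launch.
const SCRIPT_PARENTS = new Set([
  "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "msiexec.exe",
]);

// Lower-case a Windows path and split it into directory and file name.
function splitPath(p) {
  const norm = String(p).toLowerCase().replace(/\//g, "\\");
  const i = norm.lastIndexOf("\\");
  return { dir: norm.slice(0, i + 1), file: norm.slice(i + 1) };
}

// Assess one event { host, image, commandLine, parentImage }.
// Returns an alert object, or null when nothing is out of place.
function assess(ev) {
  const { dir, file } = splitPath(ev.image);
  if (!VBOX_BINARIES.has(file)) return null;
  // A copy in the vendor directory is treated as a normal install.
  if (EXPECTED_DIRS.some((d) => dir.startsWith(d))) return null;
  const reasons = ["VirtualBox binary outside expected install directory"];
  if (SCRIPT_PARENTS.has(splitPath(ev.parentImage).file)) {
    reasons.push("launched by script host or installer");
  }
  if (file === "vboxheadless.exe" || /--type\s+headless/i.test(ev.commandLine)) {
    reasons.push("VM started without a window");
  }
  if (/\.vdi(\s|"|$)/i.test(ev.commandLine)) {
    reasons.push("virtual disk image on command line");
  }
  const severity = reasons.length > 1 ? "high" : "medium";
  return { host: ev.host, image: ev.image, severity, reasons };
}

function detect(events) {
  return events.map(assess).filter(Boolean);
}

// Constructed sample events (hosts, paths and VM names are made up).
const SAMPLE_EVENTS = [
  { host: "WS-01", image: "C:\\Program Files\\Oracle\\VirtualBox\\VBoxHeadless.exe",
    commandLine: "--startvm dev-box", parentImage: "C:\\Windows\\explorer.exe" },
  { host: "FS-02", image: "C:\\ProgramData\\tools\\VBoxManage.exe",
    commandLine: "storageattach micro --storagectl IDE --port 0 --device 0 --type hdd --medium micro.vdi",
    parentImage: "C:\\Windows\\System32\\cmd.exe" },
  { host: "FS-02", image: "C:\\ProgramData\\tools\\VBoxHeadless.exe",
    commandLine: "--startvm micro", parentImage: "C:\\Windows\\System32\\cmd.exe" },
  { host: "FS-02", image: "C:\\ProgramData\\tools\\VBoxSVC.exe",
    commandLine: "", parentImage: "C:\\Windows\\System32\\svchost.exe" },
  { host: "WS-03", image: "C:\\Windows\\System32\\notepad.exe",
    commandLine: "notes.txt", parentImage: "C:\\Windows\\explorer.exe" },
];
```

Calling detect(SAMPLE_EVENTS) returns three alerts, all on FS-02; the regular install on WS-01 is not flagged.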



Published 2020-05-23 17:27:04

Networking in C#, a simple library

Recently I wanted to make a simple multiplayer game in Unity, but I didn’t want to use their terribly made UNET, as even though it’s barely a few years old, it’s already deprecated. I also didn’t want to go with a third party like Photon Networking, because I don’t want to pay for CCU (Concurrent User) usage, server costs, and other misc fees.

No, what I wanted was a solution such as Minecraft implements, where you directly connect to a server and it’s served through peer-to-peer networking, with one player being a server. The solution? A small library called LiteNetLib. This library allows you to build multiplayer games in .NET (C#), including Unity, with no limitations on usage, including player count. It was exactly what I needed.

The documentation is slightly sparse but it wasn’t rocket science to get a small example up and running, and the developer seems pretty open to questions. There’s also a small sample included so you can see what it entails.

Cheers!



Published 2020-02-13 00:39:20

Welcome to the Age of Quantum Computers

From Bloomberg:

A team of scientists at Google’s research lab announced last week in the journal Nature that they had built a quantum computer that could perform calculations in about 200 seconds that would take a classical supercomputer some 10,000 years to do.

An age of “quantum supremacy” was duly declared.

Google’s claim to have achieved quantum supremacy, that is, to have accomplished a task that traditional computers can’t, was premature.

Although the specific problem that Google’s computer solved won’t have much practical significance, simply getting the technology to work was a triumph; comparisons to the Wright brothers’ early flights aren’t far off the mark.

Congress should fund basic research at labs and universities, ensure the U.S. welcomes immigrants with relevant skills, invest in cutting-edge infrastructure, and use the government’s vast leverage as a consumer to support promising quantum technologies.

A more distant worry is that advanced quantum computers could one day threaten the public-key cryptography that protects information across the digital world.

This is big for a number of reasons, but do not get too excited/scared yet! Quantum computing is still a number of years away. IBM was also quick to point out that Google’s estimate of how long “Summit” (currently the fastest computer in the world, and the machine Google estimated against) would take was incorrect. According to papers published after Google’s report, “IBM’s engineers reckon, [adjustments would] allow Summit to breeze through the job in a mere 2½ days. Therefore, according to IBM, Google had not shown quantum supremacy after all.”

Well, that was quick.

What does that mean for their supposed success? Well, it’s still impressive. Google demonstrated a monstrous leap in technological prowess and got one step closer to proving a plethora of theories that many computer scientists are still eagerly waiting to take a crack at. P = NP anyone?

But wait, not so fast. Technically yeah, Google was wrong, but you still have to compare and contrast the differing performance results. Two and a half days is, after all, still about 1,200 times longer than 3 minutes.

Second, each extra qubit doubles the memory required by a classical machine put up against it. Adding just three qubits to Google’s challenger machine would have exhausted Summit’s hard disks. Quantum computers do not face such explosively growing demands. Google’s machine may not quite have crossed the finishing line. But it has got pretty close to doing so.

Additionally, Bloomberg has an excellent point when it says the U.S. should invest in this technology, if they aren’t already. They likely are behind the scenes, as a foreign entity such as China being the first to own a Quantum Computer is very scary. As Bloomberg pointed out, Quantum Computers make breaking passwords look like a walk in the park. Our current method of storing passwords would be under direct attack from Quantum Computing, and it’s one of the reasons the research is so dangerous.

Let me end your day off with this badass robot (fair warning, some of the video is fake) that some very talented individuals are developing.



Published 2019-11-01 11:35:18