Gmail Checker Extension for Chrome Injects Rogue Ads
Do you use a Chrome extension to check your Gmail? Then you might want to check if it’s not a rogue extension…
I’ve been using the "Mail Checker Plus for Google Mail" extension for a while now. It produces a popup whenever I have new mail. It is quite sophisticated and is actually a very nice extension. However, there was more going on.
Fast forward to last Thursday. I noticed that YouTube had finally started carrying banner ads in Belgium. (It is a little-known fact that many small countries don’t see most forms of advertising on YouTube.) But they weren’t regular AdSense ads. In fact, they were promoting sites that were quite shady. So I rebooted into Linux, thinking I may have been infected with malware for the first time ever.
In Linux, I noticed the same dodgy advertising: unlimited download sites, smiley software and, hilariously, a terrible Groupon clone. I traced it to this rogue extension, and once I removed it the advertising was gone. This extension had full permission to access my data on all sites, including sensitive information sent over HTTPS.
Google may have to reconsider Chrome’s extension permission policy. In the meantime, Chrome users will need to be more careful about the extensions they install.
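The all-sites access described above is visible in an extension’s manifest before you install it. As an added example (not code from the original post or from the Mail Checker Plus extension), this Python script flags manifests whose host patterns cover every site; the sample manifests are constructed and the profile directory in audit_profile is an assumption:

```python
"""Audit Chrome extension manifests for host permissions that reach every site.

Added example, not code from the original post or from the extension it names.
Manifest keys follow Chrome's documented format; the sample manifests are
constructed and the profile path in audit_profile is an assumption.
"""
import json
import re
from pathlib import Path

# Patterns that reach every host: "<all_urls>" is Chrome's catch-all, the rest
# pair a scheme (or scheme wildcard) with a wildcard host.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_broad_host_pattern(pattern: str) -> bool:
    """True when a match pattern grants access to all hosts, not just one site."""
    if pattern in BROAD_PATTERNS:
        return True
    # Generic form <scheme>://<host>/<path> with a bare "*" host, e.g. "*://*/"
    m = re.match(r"^(\*|https?|ftp|wss?)://([^/]*)/", pattern)
    return bool(m) and m.group(2) == "*"


def host_patterns(manifest: dict) -> list[str]:
    """Collect every host pattern the manifest declares, across manifest versions.

    MV2 lists host patterns inside "permissions", MV3 in "host_permissions";
    content scripts inject into any page matching "matches"; optional
    permissions count because the user can be prompted for them later.
    """
    found = []
    for key in ("permissions", "host_permissions",
                "optional_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and ("://" in entry or entry == "<all_urls>"):
                found.append(entry)
    for script in manifest.get("content_scripts", []):
        found.extend(script.get("matches", []))
    return found


def audit_manifest(manifest: dict) -> dict:
    """Summarise one manifest: which declared patterns give access to all sites."""
    broad = sorted({p for p in host_patterns(manifest) if is_broad_host_pattern(p)})
    return {
        "name": manifest.get("name", "<unnamed>"),
        "version": manifest.get("version", "?"),
        "broad_host_patterns": broad,
        "all_sites": bool(broad),
    }


def audit_profile(extensions_dir: Path) -> list[dict]:
    """Audit every Extensions/<id>/<version>/manifest.json under a profile dir."""
    # Assumed location, e.g. ~/.config/google-chrome/Default/Extensions on Linux.
    results = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        with manifest_path.open(encoding="utf-8") as fh:
            results.append(audit_manifest(json.load(fh)))
    return results


# Constructed sample manifests: a mail checker that asks for every site (the
# shape the post complains about) beside one scoped to the webmail host only.
OVERBROAD_MANIFEST = {
    "name": "Sample mail checker (overbroad)", "version": "1.0", "manifest_version": 2,
    "permissions": ["tabs", "notifications", "http://*/*", "https://*/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}
SCOPED_MANIFEST = {
    "name": "Sample mail checker (scoped)", "version": "1.0", "manifest_version": 3,
    "permissions": ["notifications"],
    "host_permissions": ["https://mail.google.com/*"],
    "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["gmail.js"]}],
}

if __name__ == "__main__":
    print(*(audit_manifest(m) for m in (OVERBROAD_MANIFEST, SCOPED_MANIFEST)), sep="\n")
```

A manifest that only needs the webmail host, like the scoped sample, can still show new-mail popups; anything reporting all_sites deserves a closer look before it stays installed.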
More screenshots
Should We Outsource Passwords to E-mail Providers?
As a person who is relatively security-minded, I try to use several different passwords (and variations) on websites. I don’t write them down and don’t save them on my computer. In practice, I end up resetting my password for at least one website each week.
Our current password system is a hassle and it’s not that secure. I’m suggesting a more convenient alternative as a replacement.
Outsourcing logins to e-mail providers
Google and Yahoo! both have OpenID services in place for their webmail services. As with Facebook Connect, this feature allows one-click registration/login on third-party websites through – in this case – your webmail provider.
Surely, a one-click login is convenient. But is it secure? A common argument against OpenID is that hackers only need your webmail password to gain access to all your accounts. But if a hacker gains access to your e-mail account, he can just request a new password on sites you’re registered with.(1) It makes no difference security-wise.
OpenID authentication at Google and Yahoo! happens over HTTPS, which beats the security of many other sites. Logging in over HTTP is not secure because passwords can be intercepted in clear text. Additionally, your session cookie for a certain website can be stolen, allowing people to break into your account without ever logging in.(2)
Financial sites require safer measures
For low-stakes user accounts, such as your account on a DnD discussion board, that site you signed up for once and never used again and your online RSS reader, a one-click login can be convenient, raise productivity by eliminating password resets and make us even lazier as a technology-loving species.
However, it still makes sense to avoid OpenID ties between your e-mail account and websites that pose higher risks (e.g. financial sites, Amazon, your cellphone provider’s site, etc.). These sites often have a password retrieval procedure that requires more than clicking a link in an e-mail. Tying these sites to your OpenID would make them too easy to break into.
But really, neither of these systems offers acceptable security for a bank. Financial sites need to use more secure systems than OpenID or password authentication. Passwords can be retrieved via a keylogger, which means that account passwords as well as your central OpenID password can be compromised.
Most Belgian banks use the Digipass authentication system, which requires you to generate a one-time login key with a card reader that is in no way connected to the internet. Even if the login key is intercepted, the key cannot be reused. If you transfer money to a bank account that is not in your address book, you have to verify the transaction by generating an approval code. From my experience, it’s the best trade-off between security and convenience for financial sites. Well… at least until the encoding algorithm gets hacked. But until then, this appears to be the safest way to log in to your online bank account.
Disclaimer: I’m not a security expert, but I play one on TV. No seriously, I do not claim to have a full overview of any security issues that may affect various authentication systems. I welcome amendments, corrections and thoughts on the matter below in the comments.
(1) That is, unless you consistently delete all e-mails that indicate you use a certain website. Then the hacker has no quick way of finding out on which sites you have accounts. You can typically revoke OpenID permissions for a certain site (e.g. through the Google Dashboard). If someone then gains access to your e-mail address, they get a list of sites that you’ve used your OpenID with which, of course, can be seen as a pro-password argument.
(2) When the session expires or the user logs out, the hacker will no longer have access. Still, it poses a big security risk.
Can We Simplify and Standardize Software EULAs?
If you’re an avid South Park fan, you know that skipping past a software EULA can have terrible consequences.
Ever since computers started invading our homes, people have been confronted with software licensing agreements whenever they install new software. At this very instant you might be running Windows, an anti-virus product, a browser, an IM client and several other pieces of software. Is it humanly possible to read and comprehend the EULA of every little piece of software you use? I can think of better ways to spend a Saturday afternoon.
Basic developer rights and duties
A lot of the legal mumbo jumbo in EULAs of closed-source software is always the same. The end user purchases/receives the right to use the software. Hacking, disassembling, reverse engineering and reselling are not allowed. The copyright rests with the software developer. Depending on the license, you can install it on a limited number of machines and/or only on machines under your ownership. You may be prohibited from using the software in a commercial environment. Freeware is often provided “as-is” and you can’t claim compensation for any losses caused by the software.
Standardized EULAs?
Since software EULAs often overlap so heavily, it is not beyond the realm of possibility to come up with a standardized software license that developers can voluntarily slap on their product. This could pave the way for a more human-friendly license agreement screen during software installs.
The software is provided to you under a Standard Closed-Source License, which can be read in full at http://www.softwarelicensing.org/license/scll. Additionally, the following conditions apply to your use of the software.
- Commercial and educational use is allowed at no additional cost.
- You are entitled to have the product installed on 1 machine at any time.
- The developer provides the software “as-is” and is not liable for any damage caused by the software.
By installing the software, you agree to be bound by this license and the aforementioned conditions. If you do not agree, you cannot proceed with the install.
This is something I’d suggest from a usability perspective – it doesn’t mean that it’s lawyer-proof. I’m just interested in helping people understand software licenses by making the experience as brief and clear as possible.
By letting developers build on a common software license, they can reduce lawyer costs and focus on their software. Users will finally understand what they’re agreeing to. The only party that doesn’t benefit from this move is intellectual property lawyers.
Considering the feasibility
There are two key parts to the plan. First, developers will need to get on board with a common closed-source license initiative. Second, these developers will need to use a common human-friendly software licensing screen to improve people’s understanding of the license.
Restructuring licensing
For open-source software, organisations like Creative Commons and the Free Software Foundation (known for GPL and LGPL) have made attempts at standardizing licensing. I know what these licenses will let me do with the product, so it makes the license reviewing process easier. However, we haven’t seen any popular initiatives for closed-source software that gained much traction among major software developers.
To get the software licensing initiative off the ground, it will need the support of major commercial software developers (Adobe, Microsoft, Apple, McAfee) to gain any sort of momentum. If this initial roll-out is successful, other developers are likely to follow suit.
Creating a simplified license agreement screen
This phase requires software developers to change their licensing screens to comply with some design rules, all for the sake of human readability. One way to get this done is by getting the installer creation toolkits (NSIS or InstallShield, for example) on board to agree on a universal licensing screen.
If the Windows App Store takes off, Microsoft could also play a role in this process. Since app stores eliminate the need for install wizards, they can change the way people interact with software EULAs centrally.
Conclusion
If we ever manage to standardize EULAs to a certain extent – of course leaving people free to go their own way, similar to W3C standardization efforts for (X)HTML – many years will have passed. EULA standardization requires many parties to collaborate on working out the legal and design roadblocks. In the meantime, we’re stuck with EULA analyzer tools to keep us from accidentally signing away our soul.
Improving Your Android Phone’s GPS Reception
I wrote this article for CyberNet News. You can read the full article here.
I recently bought a Samsung Galaxy Gio, an entry-level Android smartphone priced at €149 (approx. $212). Overall my experience with the device has been great, but the phone seemed to have trouble picking up GPS satellites and therefore couldn’t get a GPS fix in most locations. If your GPS-enabled Android phone has trouble locating you, there may be a simple way to improve your reception that doesn’t require a mobile internet connection.
Why Indie Artists Should Be Wary of Streaming Services
Grooveshark is a service that lets me stream just about any song whenever I want to hear it. It’s great. Their revenue model is based on ads and premium subscriptions. I signed up for their Anywhere subscription in March 2011 when they had a special promotion where you could get a yearlong subscription for $20, with 100% of your subscription money being donated to Japan earthquake relief. Spotify hasn’t arrived in Belgium yet, but I’ve been able to play with it when I was in the United Kingdom last July.
Streaming may shrink the digital download market
Still, it made me wonder what the consequences for artists will be. Grooveshark Anywhere would normally cost me $9 a month. Spotify Premium is priced at $9.99. I could make use of Spotify’s offline features to download all my favorite music and, as long as I’m paying for the subscription, never have to buy any music again. While this would probably save a lot of music enthusiasts money, it will have an impact on independent artists.
In February 2011, The Guardian published an article about Spotify’s unequal treatment of independent artists.
It appears that not only do the majors own shares in Spotify, they – and their artists – also get much better streaming rates than the indies. Some of the indies threatened in early December to withdraw their music from Spotify in response. (…) Blancomusic Records – a small indie based in Spain – is, however, far from impressed by Spotify royalties: “The rates offered to us as an indie label were so insulting that we’d prefer to forgo the ‘privilege’.”
If everyone stopped paying for digital music, opting for cheaper alternatives such as Spotify instead, small artists will likely suffer. I’ve long supported the argument that full song previews (through YouTube, MySpace or the artist’s site) can have a positive effect on album sales. However, since streaming services started offering offline features there are fewer noticeable differences between renting and owning music, thereby eliminating many of the advantages digital downloading has over using Spotify. If you can take specific tracks with you on your smartphone, why would you bother paying for the digital download? By encouraging mass consumption, streaming lowers the perceived value of music.
CD sales will not suffer as much
That said, I still think that CD sales will not drop significantly because of streaming services. Now that I have a choice between a cheaper digital download and the physical package, I’ve come to appreciate CDs more for what they are. They make great gifts. I cannot imagine myself gifting someone a digital album. It’s just not the same as having a physical product in your hands.
I was born in the early 90s so I missed a big part of the CD era, but I still remember looking through booklets for lyrics, interviews and track listings. Nowadays I just enter the name of a song in my media player and it starts playing immediately. It’s very convenient, but it’s no fun.
Counting on the fans
Taking into account that small artists cannot live from streaming revenue, artists would have to count on their fan base to buy their music instead of renting it. As much as I love the all-you-can-eat buffet of streaming services, I think that low-cost music subscription services that support offline use will significantly reduce the amount of digital music people buy. At the same time, revenue from these services will not be able to compensate these losses, especially if indie artists keep getting bad streaming rates.
From what I’ve read in artist interviews, the internet has helped small bands tremendously in spreading the word and selling music on a low budget. As far as I can judge as an outsider, this evolution has helped independent artists thrive as never before. I’ve discovered lots of interesting music that doesn’t get any mainstream attention.
Aside from the royalty inequality debate, there hasn’t been a major artist backlash against streaming services so far. I wouldn’t be surprised to see artists pulling out of streaming services over the next few years. I will not be extending my Grooveshark subscription when it expires and will shift my focus to buying music again. Let’s hope it makes a difference.
Download.com Starts Bundling Bloatware with Its Software
I’ve been a long-time visitor of Download.com. Whenever I’m looking for software, they can provide it to me faster than Google. This is because with Google, I would have to sift through a page of search results with links to shady-seeming download sites that rely on clever SEO techniques to lure people onto their site (softonic.com anyone?). While lots of download sites sold their credibility to dubious computer speedup products, Download.com steered clear of most controversial cash-grabbing tactics.
Recently, I found out that Download.com had introduced something referred to as the Download.com Installer. In effect, this is a little wrapper around Download.com’s less popular software that prompts the user to install bloatware such as toolbars. By default, it opts its users in to the installation of software that it labels as “recommended”. This little move is bound to make many computer-illiterate people think the extra software may be beneficial for the functioning of the program they downloaded.
Why this is bad for software developers
I don’t like it when freeware developers bundle bloatware with their installers, but I respect their right to make money off their hard work. However, Download.com didn’t contribute anything to the software itself, so I don’t think they have the moral right to do this. By default, the site opts in all software to their bloatware wrapper. I asked about turning this off, but a representative for Download.com’s developer services said I had to buy an upgrade to turn it off.
It is my opinion that Download.com is profiting from developers’ work in an unethical way. The developer does not benefit from this bundling practice, while at the same time their software suffers from a deteriorated install experience for users. This practice feeds a negative image of the software product and damages the developers’ trust in the site. As it turns out, developer trust is essential in seeding a download site with valuable content.
Download.com provides a valuable service to developers by being a neutral place that offers user reviews and free software hosting. Of course this costs money, but I don’t believe that bloatware bundles are an ethical way to make a profit from these services.
Why this is bad for visitors
Wrapping software in a bloatware installer introduces another hurdle for users. I think I can speak for most of us when I say I just want to get software installs done as quickly as possible without any bad surprises. Users can still download the regular installer, but Download.com has made this terribly inconvenient by requiring you to register first.
Download sites that systematically inject their listed software with bloatware develop a bad reputation over time. This malpractice is not something I’d expect from a website that prides itself on being “safe, trusted, and spyware free”. Fortunately, these days most bloatware products are just annoying resource eaters, but to me it still looks as though they’re giving users a false sense of trust.
In conclusion
In summary, Download.com will lose developer trust by making money off their products in an unethical way while simultaneously damaging the reputation of their software. Visitors will also stop using the site because it introduces unnecessary hurdles in the software install process. In addition, suggested bloatware products are labeled as “recommended” to take advantage of naïve computer users, making them believe the recommended product helps the program function properly.
Either Download.com will stick to ethical revenue models or lose visitor and developer trust. If the recently announced Windows App Store manages to make software installations a quick and pleasant experience, it will be far too late for them to change.
CBS Interactive is currently looking for feedback on this practice. Let them know what you think by e-mailing to the address mentioned here.
If you’re a software developer who has software listed on Download.com, you can send a request for exclusion from the Download.com Installer to cnet-installer@cbsinteractive.com. You can also pull your software from the site altogether. Their official FAQ on the matter can be found here.
More coverage of the Download.com Installer can be found over at Lifehacker, Hacker News, Reddit, Extreme Tech, chron.com and GHacks.net. Find my Twitter conversation with Download.com’s Seth Rosenblatt (who had no personal involvement in the decision) here and here.
Comparison of Smartphone Data Plans Across Western Europe
Are you paying too much for your smartphone’s data plan? To find out just how expensive Belgian data plans are, I dusted off my German and French to compare data plans in Western Europe. I set out to find the best data plan costing no more than €20. I researched plans in Belgium, The Netherlands, Germany, France and the United Kingdom.
Some data plans have been intentionally omitted because they are subject to special conditions, such as this offer from SFR that offers a 3G plan at a discounted rate to existing customers.
I’ve ranked the plans in a non-scientific way, taking into account pricing, data allowance, overage fees and any extras that are included. Three offers the best smartphone deal I’ve ever seen. It’s a prepaid plan where you get truly unlimited data, 300 voice minutes and 3000 national texts valid for one month for £15, which amounts to about €17. No commitment required!
In my own country, Mobile Vikings offers the best deal with €15 credit, 2GB data, 1000 Mobile Vikings texts, 1000 national texts valid one month for €15. No commitment is required and credit lasts up to six months.
I have not personally tested these carriers. They are a mix of carriers with their own network and MVNOs. Comments, suggestions and clarifications are welcome. Maybe you can help me find the best Italian, Spanish and Portuguese data plans as well? As always, double-check your cellphone contract before signing anything. I’m not responsible for any errors in this table.
| Name | Price | Data | Extras | Overage |
|---|---|---|---|---|
| Three All-in-One 15 Prepaid | £15 (~€17) | Unlimited | No fair use policy (info), 300 voice minutes, 3000 texts | N/A |
| T-Mobile DE Call & Surf Mobil 2-year contract | €19.95 | Unlimited(3) | 30 voice minutes | N/A |
| KPN Surf&Mail Extra Snel Add-on | €15 | Unlimited(3) | | N/A |
| Base Internet Flat XL 2-year contract | €20 | 5GB | | free(1) |
| Mobile Vikings Full Option Prepaid | €15 | 2GB | €15 credit, free texts | €0.50/MB |
| Vodafone Premium web pack Add-on | £15 (~€17) | 2GB | | £0.02/MB (~€0.02) |
| Ben Internet Altijd Add-on | €9.99 | 1GB | | €0.10/MB |
| O2 Internet-Pack-M plus Add-on | €15 | 1GB | | free(1) |
| Orange Let’s go 1Go 2-year contract | €18.00 | 1GB | Live television through Orange TV, unlimited e-mail traffic | €0.067/MB |
| Proximus Internet On GSM Favorite 1-year contract | €19.99 | 1GB | | €0.03/MB |
| O2 Pay&Go (Text&Web) Prepaid | £15 (~€17) | 500MB | £15 credit, 500 texts, free WiFi | N/A |
| Mobistar Internet Everywhere Multi Relax Add-on | €15 | 750MB | USB modem, digital newspaper | €0.10/MB |
| Tele2 Mobiel Internet Start 1-year contract | €17.95 | 250MB | USB modem | free(1)(3) |
| Vodafone SuperFlat Internet Wochenende 2-year contract | €14.95 | 200MB | Unlimited landline and Vodafone calls during the weekend | €0.49/MB |
| Virgin Mobile Forfait Bloqué 1H à 19.9€/mois Postpaid | €19.90 | 100MB | 60 voice minutes, 300 texts | N/A(2) |
(1) No overage fee for data will be charged, but you will surf at reduced speed.
(2) Unavailable outside the bundle.
(3) A Fair Usage Policy applies.
Overage fees are valid nationally. Roaming costs are higher and vary across the world, but are capped in EU countries. Pricing does not take into account temporary discounts offered on many contracts.
Nosy Apps Are Hurting the Android Market
Contract-free smartphones for 150 euros (216 dollars)
I am amazed by how quickly smartphone prices have come down. The price drop is likely driven by the fast growth of the open-source Android platform, which takes the burden off manufacturers to build their own obscure smartphone OS from scratch.
A few weeks ago, I finally caved in and bought my first smartphone. I went with the Samsung Galaxy Gio, which is available from stores for 150 euros if you shop around. It comes with an 800 MHz processor and, surprisingly, I can play most of Angry Birds on it without suffering from severe battery drain and slowed-down gameplay.
Mobile apps are harvesting your location and phone ID
In December 2010, the Wall Street Journal reported that some mobile apps on both iOS and Android are sending info such as your phone ID, location, age and gender to their servers and those of certain ad networks. Pandora was among a list of apps that got a public spanking for this behavior. Innocent-looking games like Paper Toss send the user’s phone ID to at least five ad networks for no good reason. This sneaky practice is not necessary for the app to function; it only helps ad networks target users individually, and it doesn’t even ask for permission.
Taking a look at some Android-specific privacy problems, it came to my attention that many popular applications request access to the owner’s location data, including rough network-based location data and exact GPS coordinates.
These are just some of the popular apps that want access to the user’s location data for varying reasons. In most cases, the app contains some location-based features that need the user’s location to operate. However, due to the way the Android Market is built, it is not possible to use an app without its location-based features. The app can either be installed with all listed permissions or not at all.
You can see how this design decision greatly reduces the flexibility of Android’s app platform. If a user doesn’t want Facebook to know their location, they can’t use Facebook at all or they will have to resort to using m.facebook.com to see what people are posting. Ah, first world problems…
iOS takes a more clever approach here, letting its users install apps without giving location access upfront. Instead, the application will ask for access when it actually needs it and the user can permanently turn off Location Services for a given app. By doing this, users can keep using Google Maps while preventing nosy apps from phoning home to report their exact location.
I believe that this is a better way to manage location permissions. By implementing this, Android would show itself to be more privacy-aware. While this introduces the light burden of the user having to grant location permissions separately in the app, it is more transparent to users and will improve people’s trust in Android apps and ultimately the Android Market.
Joining MP3s in Linux on the Command Line
One of the reasons why I love Linux is its command prompt. Sure, Windows has MS-DOS, but the Linux command line is way more powerful right out of the box.
Yesterday I needed to join a directory of MP3s together in alphabetical order. I just did this:
cat `ls -1 *.mp3` > merged.mp3
Let me break it down for you. ls -1 *.mp3 (that’s minus one, not minus L) gives you an alphabetical list of MP3s in the current directory.
cat concatenates a list of files, more specifically the list of files produced by the ls command. Notice how I enclosed the ls command in backticks. By doing this, the command within the backticks is replaced by its output, and so cat file1.mp3 file2.mp3 file3.mp3 > merged.mp3 is the command that is actually executed.
Finally, the output of the cat command is redirected to merged.mp3 using the > sign. You can read more about I/O redirection here.
You can do this on just about any Linux distro with no additional software!
How to Automatically Fix File Indentation in Vim
Working on poorly indented source code? Vim can automatically fix the indentation of your file. When in normal mode, type this:
gg=G
= will indent your current line (only in visual mode). =G will indent everything from your current line until the end of the file.
Since gg represents the start of the file, it makes sense that gg=G will indent everything from the start of the file until the end of the file.
For a more in-depth explanation of this trick and why it works, click here.