Are Web Browser Extensions Safe to Use?

Many people use web browser add-ons (such as Ad-blockers) for their everyday browsing. What most people are unaware of is that many of these add-ons have permissions that allow the add-on to view the content of the web pages the user is viewing.

The problem? If someone has installed a malicious add-on, their web browsing data (e.g. browsing history, password credentials, what they type into a website, etc.) would have been sent to the add-on’s creator. Now I am not implying that every single web browser add-on does this, but there is a very high potential that this can happen.

Would only using open-source browser add-ons be a safe option? Well, open-source add-ons would definitely lower the chance that someone would get away with spying on you. However, open-source projects do not have a spotless security track record either. There is still some risk.

Even Mozilla themselves warn about this problem with web browser add-ons (also called extensions).

Here is an example of what I am talking about (https://www.zdnet.com/article/mozilla-removes-avast-and-avg-extensions-from-add-on-portal-over-snooping-claims/).


Posted in Android, Computers, General, Internet and Servers, Security, Software

Why are So Many Internet Forums Toxic?

I have noticed, off and on, people on discussion boards (e.g. forums, comment sections) seem to have an abrasive, if not downright toxic (hostile) attitude towards people. I know, this is not surprising. There always have been people that have acted this way on the Internet.

However, why do people act this way? While I do not pretend to be a psychologist, I have some ideas of why people engage in this kind of behavior online (or offline).

(Please take note, everything I say is my own opinion.)

  1. Depression

Some people are clinically depressed. They do not necessarily mean to cause anyone problems, but they just see their life as one big mess. They in turn let their feelings about themselves (and their life) bleed into their online conversations with others.

  2. Life Stress

Stress can be the cause of someone being frequently irritated. For example, some guy on a truck/SUV forum has just lost his job and is in danger of losing his really nice truck. He makes large monthly payments each month. He is also struggling to pay his rent. With these life problems, I would not be surprised if he were to get fussy with others online.

  3. Arrogance

Many times people being hostile online is due to arrogance. They believe their opinion is the only correct one, and that no one else can be right.

If they happen to be right, they become even more smug and arrogant. If they happen to be wrong, they will never admit it and unfortunately, most of the time, never change their ways. Either way, not a pretty sight.

This happens a lot on comment sections of websites. There is always someone that wants to ask “smart” questions to other people. However when the person they asked the “smart” question to is able to answer their question, they typically either insist on a stupid “comment war” that leads nowhere, or they sneak out like a thief in the night, never bothering to give a reply for courtesy.

  4. Insecurity

Someone being insecure (not being sure/confident of themselves) can drive someone to get frequently defensive (usually without justification). They also show signs of paranoia and maybe even arrogance, since someone telling them they are wrong causes them to become even more insecure.

  5. Pride

This one is similar to arrogance. Someone being prideful online is not hard to spot. Usually it is recognized by the “tone” of someone’s message.

For example, someone who has lots of money (e.g. a rich businessman) writes an online article. He says that he is of the opinion “poor” people either cannot or have a very small chance of becoming rich like himself.

Now most people would read his article and think “Wow! That guy is a jerk.” Well, they would be right. A prideful online post, as mentioned before, is not hard to spot.

I believe people who post similar to my example above are insecure, and need to put other people down to feel better about themselves. In my experience, they will even act as if they are being sincere, when they are not.

Also, their entire post does not have to be putting someone down. Just one or two sentences will give away the author’s true intentions.

  6. Trolling

As everyone knows, there are people out there who cannot rest until they have caused someone trouble. The Bible talks about these kinds of people (Proverbs 4:14-16 *). When it comes to online conversations, they will give pointless talk with little to no technical arguments, wasting everyone’s time in the process.

They also semi-frequently say something like “I’m done with you.” and stop responding, as if you were the one being ridiculous. However, they are just projecting their own ridiculousness onto you, in an effort to cover up the fact they are the troll (troublemaker).

 

* Proverbs 4:14-16   New American Standard Bible (NASB)

Do not enter the path of the wicked And do not proceed in the way of evil men. Avoid it, do not pass by it; Turn away from it and pass on.

For they cannot sleep unless they do evil; And they are robbed of sleep unless they make someone stumble.


Posted in Christian, Computers, General, Internet and Servers

The Windows Command Prompt is not DOS

A while back, I read on a website that the Command Prompt on the NT-based versions of Windows is somehow from MS-DOS. This is a myth.

While the Command Prompt (cmd.exe) does copy the commands from the MS-DOS (command.com) command line, this does not make the Command Prompt in Windows NT in any way, shape, or form, related to MS-DOS.

For example, I could write a C# .NET console application that mimics Linux bash commands, but that would not make my application “bash”. I am just mimicking the commands from bash. The same applies for the Command Prompt on the versions of Windows NT. The Command Prompt may use the same commands as the MS-DOS one, but that does not make it DOS.


Here is a bit of information some people may find interesting.

32-bit Windows NT operating systems (e.g. WinXP, WinVista) can run DOS programs due to having a built-in 16-bit “NT Virtual DOS Machine”, otherwise known as NTVDM. This allows people to run DOS programs (even full-screen ones) without many problems.

However, the 64-bit versions of Windows do not have NTVDM. For the 64-bit Windows operating systems, an emulator (e.g. DOSBox) is required to run DOS programs.


Posted in Computers, Operating Systems, Software

How Secure are JavaScript Password Generators?

Many people use online services to generate secure passwords.

There is this idea that since your web browser is the one generating your passwords locally on your computer (via JavaScript) instead of someone else’s computer (e.g. web server), this is supposed to keep someone from getting a hold of your password.

Is this really the case? Are passwords generated locally with JavaScript really secure from being stolen?

Technically, no. Why? Well there are a few reasons why generated passwords (via JavaScript) can be compromised.


the Math.random JavaScript function  –  Any JavaScript password generator that uses this function should be considered insecure. This is because the Math.random function does not provide cryptographically secure results. It is even possible to predict the output of Math.random.

This means that someone could potentially generate the same password that you just generated a week before. Not the best for people who want to have secure passwords.

A good, secure alternative JavaScript function to use is window.crypto.getRandomValues(array).

Summary: Using any JavaScript password generator that makes use of the Math.random function is not wise.
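
Here is what a generator built on getRandomValues can look like, as an added example that is not code from this post or from any particular generator site. The names generatePassword, entropyBits and ALPHABET are made up for illustration; bytes that would skew the character distribution are thrown away instead of being wrapped around with a plain modulo.

```javascript
// Added example: password generation from the browser/Node CSPRNG.
// Node < 19 has no global crypto object, so fall back to node:crypto.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Illustrative alphabet: 62 letters/digits plus 13 symbols = 75 characters.
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@^_";

// fillRandom is injectable only so the sampling logic can be tested with
// fixed bytes; real callers should leave it at the default.
function generatePassword(length, alphabet = ALPHABET,
                          fillRandom = (buf) => webCrypto.getRandomValues(buf)) {
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError("length must be a positive integer");
  }
  const n = alphabet.length;
  if (n < 2 || n > 256) throw new RangeError("alphabet must have 2..256 characters");
  if (new Set(alphabet).size !== n) throw new RangeError("alphabet has duplicates");

  // Largest multiple of n that fits in one byte. Bytes at or above this
  // limit are discarded, so every character is equally likely. Using
  // `byte % n` on all 256 values would favour the first (256 % n) characters.
  const limit = 256 - (256 % n);
  const out = [];
  const buf = new Uint8Array(Math.max(16, length * 2));
  while (out.length < length) {
    fillRandom(buf);
    for (const b of buf) {
      if (b >= limit) continue;          // rejected: would introduce bias
      out.push(alphabet[b % n]);
      if (out.length === length) break;
    }
  }
  return out.join("");
}

// Strength of a uniformly random password, in bits.
function entropyBits(length, alphabet = ALPHABET) {
  return length * Math.log2(alphabet.length);
}

console.log(generatePassword(20), entropyBits(20).toFixed(1) + " bits");
```

The same function runs in a browser console and in Node. It only addresses the randomness problem described above, not the add-on, malware or surveillance problems in the rest of this post.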


web browser add-ons  –  Many people use web browser add-ons (such as Ad-blockers) for their everyday browsing. What most people are unaware of is that many of these add-ons have permissions that allow the add-on to view the content of the web pages the user is viewing.

The problem? If someone has installed a malicious add-on, their “secure” JavaScript generated password would have been sent to the add-on’s creator. Now I am not implying that every single web browser add-on does this, but there is a very high potential that this can happen.

Would only using open-source browser add-ons be a safe option? Well, open-source add-ons would definitely lower the chance that someone would get away with spying on you. However, open-source projects do not have a spotless security track record either. There is still some risk.

Even Mozilla themselves warn about this problem with web browser add-ons (also called extensions).

Update 12/05/2019:  Here is another example of what I am talking about (https://www.zdnet.com/article/mozilla-removes-avast-and-avg-extensions-from-add-on-portal-over-snooping-claims/).

Summary: Several add-ons have the potential to spy on their users (including locally generated JavaScript passwords).


computer malware  –  This reason is arguably the most common cause of compromised passwords…malware. Malware has the potential to do anything to your computer (including reading your computer’s clipboard – what you copy & paste). This will instantly compromise your JavaScript generated password (and any other sensitive information on your computer, e.g. credit card numbers).

While Windows-based systems have more malware available for them, Mac and Linux are not completely in the clear either. As more people start using these other OSes, more and more malware will be created for them.

Android (the very popular Linux OS used on smartphones all over the world) has a good amount of malware created for it.

Summary: Computer malware has the potential to instantly compromise your JavaScript passwords.


surveillance software  –  Some people have to use computers provided by their employer. Some employers put surveillance software onto their computers to track and monitor their employees’ usage of those systems.

The tracking software will monitor your computer screen, keystrokes, what you browse, install, etc. In other words, any generated password (JavaScript or not) on these computers will be compromised. It is advised to use non-work computers for generating passwords, or anything else that is not work related.

Summary: Assume any work computer is being tracked. Always use your own personal computer for anything non-work related.


So does this mean that I should never use any online password generators at all?

No, but just keep in mind that a JavaScript password generator, while technically a little safer than having your password generated on a server and sent across the Internet, does not really provide a lot of extra security.

Summary: Using JavaScript (or anything else) to locally generate passwords on your computer cannot keep your passwords completely safe from being compromised.


Posted in Android, Computers, Internet and Servers, Operating Systems, Programming, Security, Software