The Windows Command Prompt is not DOS

A while back, I read on a website that the Command Prompt on the NT-based versions of Windows are somehow from MS-DOS. This is a myth.

While the Command Prompt (cmd.exe) does copy the commands from the MS-DOS (command.com) command line, this does not make the Command Prompt in Windows NT in any way, shape, or form, related to MS-DOS.

For example, I could write a C#.Net console application that mimics Linux bash commands, but that would not make my application “bash”.  I am just mimicking the commands from bash. The same applies for the Command Prompt on the versions of Windows NT. The Command Prompt may use the same commands as the MS-DOS one, but that does not make it DOS.


Here is a bit of information some people may find interesting.

32-bit Windows NT operating systems (e.g. WinXP, WinVista) can run DOS programs due to having a built-in 16-bit “NT Virtual Dos Machine” otherwise known as NTVDM. This allows people to run DOS programs (even full-screen ones) without much problems.

However the 64-bit versions of Windows do not have NTVDM. For the 64-bit Windows operating systems, an emulator (e.g. DOSBox) is required to run DOS programs.


Posted in Computers, Operating Systems, Software

How Secure are JavaScript Password Generators?

Many people use online services to generate secure passwords.

There is this idea that since your web browser is the one generating your passwords locally on your computer (via JavaScript) instead of someone else’s computer (e.g. web server), this is supposed to keep someone from getting a hold of your password.

Is this really the case? Are passwords generated locally with JavaScript really secure from being stolen?

Technically, no. Why? Well there are a few reasons why generated passwords (via JavaScript) can be compromised.


the [Math.Random] JavaScript function  –  Any JavaScript password generator that uses this function should be considered insecure. This is because the Math.Random function does not provide cryptographically-secure results. It is even possible to predict the output of Math.Random.

This means that someone could potentially generate the same password that you just generated a week before. Not the best for people who want to have secure passwords.

A good, secure alternative JavaScript function to use is window.crypto.getRandomValues(array).

Summary: Using any JavaScript password generator that makes use of the Math.Random function is not wise.


web browser add-ons  –  Many people use web browser add-ons (such as Ad-blockers) for their everyday browsing. What most people are unaware of is that many of these add-ons have permissions that allow the add-on to view the content of the web pages the user is viewing.

The problem? If someone has installed a malicious add-on, their “secure” JavaScript generated password would have been sent to the add-on’s creator. Now I am not implying that every single web browser add-on does this, but there is a very high potential that this can happen.

Would only using open-source browser add-ons be a safe option? Well open-source add-ons would definitely lower the chance that someone would get away with spying on you. However open-source projects do not have a spotless security track record either. There is still some risk.

Even Mozilla themselves warn about this problem with web browser add-ons (also called extensions).

Update 12/05/2019:  Here is another example of what I am talking about (https://www.zdnet.com/article/mozilla-removes-avast-and-avg-extensions-from-add-on-portal-over-snooping-claims/).

Summary: Several add-ons have the potential to spy on their users (including locally generated JavaScript passwords).


computer malware  –  This reason is arguably the most common cause of compromised passwords…malware. Malware has the potential to do anything it can to your computer (including reading your computer’s clipboard – what you copy & paste). This will instantly compromise your JavaScript generated password (and any other sensitive information on your computer, e.g. credit card numbers).

While Windows-based systems have more malware available for them, Mac and Linux are not completely in the clear either. As more people start using these other OSes, more and more malware will be created for them.

Android (the very popular Linux OS used on smartphones all over the world) has a good number of malware created for it.

Summary: Computer malware has the potential to instantly compromise your JavaScript passwords.


surveillance software  –  Some people have to use computers provided by their employer. Some employers put surveillance software onto their computers to track and monitor their employees’ usage of those systems.

The tracking software will monitor your computer screen, keystrokes, what you browse, install, etc. In other words, any generated password (JavaScript or no) on these computers will be compromised. It is advised to use non-work computers for generating passwords, or anything else that is not work related.

Summary: Assume any work computer is being tracked. Always use your own personal computer for anything non-work related.


So does this mean that I should never use any online password generators at all?

No, but just keep in mind that a JavaScript password generator, while technically a little more safe than having your password generated on a server and sent across the Internet, does not really provide a lot of extra security.

Summary: Using JavaScript (or anything else) to locally generate passwords on your computer, cannot keep your passwords completely safe from being compromised.


Posted in Android, Computers, Internet and Servers, Operating Systems, Programming, Security, Software

Dynamic and Static IP Address Differences

To access the Internet, your Internet Service Provider (ISP) assigns you an IP address. This allows you to talk to other computers on the Internet. Most people do not even think about their IP address they have been assigned, much less what type of IP address they have.

There are two kinds of IP addresses, static and dynamic.

Static addresses never change on you. Even after many months (or even years), the IP address you have been assigned stays the same. Dynamic addresses, on the other hand, usually change every few weeks (or months). Most people probably are assigned a dynamic address for a month or two at a time.

Pros of Static Addresses

  • Allows you to easily host web services (e.g. email, DNS, websites)
  • Helps prevent websites from mistaking you for being an abusive user. This is because when using a dynamic IP address, someone else had previously used that address, and may have been committing abusive behavior online. However, when using a static address, you (and whoever else has access) are the only ones using your address.
  • Allows for a more stable VPN connection, because a dynamic IP may change any moment, and this will break the VPN connection.

Cons of Static Addresses

  • ISPs usually require you to purchase a “business” Internet package to be able to obtain a static IP. This may cost more money per month than a typical residential Internet package.
  • Everywhere you go online can be easily tracked, since you use the same IP address everywhere you go online (a VPN can help with this problem).
  • If someone starts constantly abusing your IP address (e.g. DDoS attack), you likely will not be able to quickly request a new static IP address from the ISP.
  • If you have a unique host-name assigned to your static IP (usually necessary to host a email server), you will have less privacy than someone who has a typical residential, dynamic IP address without a custom host-name.

Pros of Dynamic Addresses

  • Usually can easily change your assigned IP address (helpful to stop someone who is abusing your computers; e.g. DDoS attack).
  • Since your IP address is “generic” (used by several other people), you are more anonymous than a static IP constantly browsing the web.

Cons of Dynamic Addresses

  • Hosting web services will not be very stable, since you are using a dynamic IP address that may change anytime on you (note: using a “dynamic IP” DNS service is more of a “jury-rig” than a proper solution).
  • Some web services may think you are a trouble-maker, since someone else may have had your IP address previously and used it to abuse web services.
  • ISPs may deny you the privilege of running any web services unless you have a “business”-grade Internet package (most people using a dynamic IP do not have a business account at their ISP).


Posted in Computers, Internet and Servers, Operating Systems, Security, VPN

What are DNS Resolvers and How Do They Work?

This short post is about how a DNS resolver works. I also quickly cover the best way to obtain a DNS resolving service.

Please note that I am not going into the specifics on how to setup a DNS resolver. There are plenty of online tutorials for you to follow if you wish to pursue that option.


What is a DNS resolver? Simply put, a DNS resolver contacts a domain name’s DNS server and asks it for information.

A DNS resolver will also do something called caching. When a DNS resolver caches, it is “remembering” the information it previously obtained from a DNS server.

A DNS resolver that caches can save a lot of time that would be wasted looking up a domain name that had just been looked up earlier.

DNS caching is like writing down information on a sticky note, so you can quickly look at it later, instead of having to ask the person for the info all over again.


Here is a simplified example of how a DNS resolver works:

1.   Alex types into his web browser example.com

2.   Alex’s web browser then contacts the DNS resolver (that his computer is set to use).

3. The DNS resolver goes to a root server and get the IP address for the TLD (e.g. com, net, org, etc.) server it needs to access.

3.   The DNS resolver then goes to ns1.example.com (the DNS name-server that the TLD server provided), and asks the name-server for the IP address of example.com

4.   The DNS resolver then relays the information it receives to Alex’s computer. In addition, the DNS resolver caches the retrieved information for later use.

5.   Alex’s web browser now knows where example.com is located (the IP address), and starts retrieving the website.


There are typically three different ways people get a DNS resolving service.

ISP:  People can make use of their ISP’s (Internet Service Provider’s) DNS resolver.  I suspect most home users use this option.

Free Third Party:  People can use a free third-party DNS resolver (e.g. Google [8.8.8.8, 8.8.4.4] or CloudFlare DNS [1.1.1.1, 1.0.0.1] resolver services).  This can be a good alternative for people who have slow, unreliable ISP resolvers.

Self-Hosted: People can also choose to host their own DNS resolver at their home/office (e.g. Unbound DNS server on a Linux or FreeBSD box, and yes, Windows boxes too 🙂 ).


Now which way is the best? Well that is ultimately up to you, but here are my opinions on the matter.

Using your ISP’s DNS resolver is the “best choice” for most home internet users, since they are already using it anyway and their ISP can give direct support if their customers ever experience issues resolving domain names.

Using a third party DNS resolver can potentially help resolve domain names faster than your local ISP’s servers (e.g. CloudFlare’s DNS resolver is considered fast when compared to other ISP’s and third party services).

However, something to keep in mind is that if you have any issues with a third-party DNS resolver, your ISP has no obligation to help you troubleshoot your issues you may encounter.

Also any non-self-hosted DNS resolver can potentially be logging your DNS lookups. Even if they claim that they do not keep personally identifying logs, you can not be totally sure of that, and you are taking their word for it.

Finally about self-hosted DNS resolvers. These are the trickiest of the three to use for the average home Internet user, since they have to maintain a server. However a properly setup self-hosted DNS resolver, in my opinion, is the most secured setup.

You have the control over the server that looks up domain names for you, not someone else who may have malicious intentions. However hosting your own DNS resolver may cause the initial DNS lookup (before the caching takes place) to be slower than using a fast third-party DNS resolver.


In Summary:

ISP/Third-Party DNS Resolver:  faster lookups / less secure

Self-Hosted DNS Resolver:  slower lookups / more secure


Posted in Computers, Internet and Servers, Operating Systems