Archive for December, 2011
So Michele and I have been having a debate lately. One of us wants to start up the water softener but the other says that softened water is unsafe to drink… so what’s the correct answer?
Finding the answer wasn’t as easy as it seems. Everyone has an answer and they are sometimes radically different, depending on where you get your answer. Rather than give you what I found to be the quick-and-dirty answer upfront, I’ll show you why it’s important to consider the source.
Here’s one answer from Lenntech (they sell water softeners):
That is why in most cases, softened water is perfectly safe to drink. It is advisable that softened water contains only up to 300mg/L of sodium.
In areas with very high hardness the softened water must not be used for the preparation of baby-milk, due to the high sodium contant after the softening process has been carried out.
Here’s one from Budget Water (they sell reverse-osmosis systems)
If someone tells you it is ok to drink the water from their softener they are either ignorant of the science of water softening or they don’t care that they may be subjecting you to a very poor quality of drinking water. In many cases where the water is really hard going into the softener you will find MASSIVE amounts of sodium coming out of the water softener. This water is completely unhealthy to drink. You should be wary of any company that does not at least warn you to drink bottled water or offers a reverse osmosis drinking water system for the kitchen to purify all of your cooking and drinking water.
So let’s check another water treatment source: Morton (they sell softener salt)
Yes, softened water is safe to drink for people that are not on sodium or potassium restricted diets.
If you take a look at these opinions, you will see each company takes a stance in favor of their own equipment, sometimes with a disclaimer. So what we need is an opinion from someone who isn’t trying to sell something, otherwise known as an impartial source… Let’s try Mayo Clinic:
The amount of sodium a water softener adds to tap water depends on the “hardness” of the water. Hard water contains large amounts of calcium and magnesium. Some water-softening systems remove calcium and magnesium ions and replace them with sodium ions. The higher the concentration of calcium and magnesium, the more sodium needed to soften the water. Even so, the added sodium doesn’t add up to much.
Let’s take one more source…
The amount of sodium added to water from the water softening process depends on the hardness of the water supply. When very hard water (greater than 10 grains of hardness per gallon) is softened, only 20 to 40 mg of sodium is added to every 8 ounces of water. For comparison, an 8-ounce glass of low-fat milk contains about 120 mg of sodium, a 12-ounce can of diet soda contains from 20 to 70 mg, and an 8-ounce glass of orange juice contains about 25 mg.
My takeaway from all of this is that softened water is generally safe to drink, as long as you don’t have any health conditions that would warrant watching your sodium level. Even so, you can get potassium-based softener “salt”, which could help that.
Do you have an opinion on whether softened water is safe to drink? Please feel free to sare it in the comments below!
If you want to make use of the EXIF data stored in a JPEG (.jpg or .jpeg) or TIFF (.tif or .tiff) file from the command line in Ubuntu Linux — or most other Linux variants — here’s how.
This was tested on Ubuntu 11.10 (Oneiric Ocelot).
First, you will need to have imagemagick installed to provide the identify command.
sudo apt-get install imagemagick
Next, you can retrieve the data on an image with the following example:
identify -verbose /usr/share/backgrounds/WildWheat_by_Brian_Burt.jpg
If you want just the EXIF data, you can use something like the following:
identify -verbose /usr/share/backgrounds/WildWheat_by_Brian_Burt.jpg | grep "exif:"
In part 1 of this two-part series, I mentioned some of the fallacies and misconceptions in password practices. If you haven’t read it, I suggest you click here to read it now. In this part I’ll discuss a few methods for storing and securing your strong passwords themselves. It’s not as hard as it sounds, and there are lots of ways to do it. I’ll describe a few different approaches below and a few pros and cons of each one:
Paper and pencil (or pen)
I’m taking it back to the basics here. Write down your passwords in an address book, rolodex, or other suitable organizational booklet. However, don’t store this near your computer. There are some simple solutions that can help you think of — and remember — complex passwords, such as this idea from IdeaShower.com.
Pros: Helps you keep organized track of username/password and security question/answer combinations easily and inexpensively. Durable and long-lasting.
Cons: Can be easily compromised. Someone who knows where your password book is can still gain access to your accounts.
A simple text file, Spreadsheet, or Database
This is one step beyond the paper method above. Storing your passwords in a simple database can do the same as above, as well as keeping it quickly sortable and searchable. However, if someone gains access to your computer or hard drive, it can be compromised. A few examples of this are a text file, an Excel spreadsheet, or an Access database.
Pros: Easier to organize, search, and update than a paper file.
Cons: Can be compromised if unauthorized access to your computer occurs, such as through a trojan or virus. Can be lost, corrupted, or become outdated if backups are not made and maintained.
An encrypted text file, Spreadsheet, Database, or specialized software
An encrypted database can offer you the same ease-of-use of the electronic storage method, while providing an extra layer of protection in case someone gains access to your computer’s data. There are several software programs which are designed for encrypted password storage, such as KeePass, 1Password, Password Safe, or the Firefox extension Password Hasher (though it’s not clear if it stores its password in encrypted databases or not). Though some of these can be pricey, the peace of mind and organization they provide is often times priceless.
Pros: Many of the same advantages as simple file storage while providing an additional layer of security against unauthorized access. Free software programs are available. Specialized software can also assist in generating strong passwords.
Cons: Just as the encryption protects against unauthorized access, you can lose access to your database if you forget the password. Store it securely. Non-free software can be pricey.
Cloud-based, encrypted password storage
Cloud-based password storage attempts to combine the best of encrypted storage as well as worry-free backup and syncing across all your devices. Keep in mind when choosing cloud-based storage that you’re placing your trust in the availability and security of the provider. Make sure that if you choose a provider that you carefully review their encryption choices and availability of an optional 2-factor authentication method.
My personal favorite in this category is LastPass. LastPass is free to use the website and browser extension, and they offer a premium subscription which allows you to access your password vault from a mobile device for $12 per year. LastPass also includes support for 2-factor authentication via a YubiKey or Google Authenticator.
(Disclaimer: I am a LastPass premium subscriber; I have not sought nor are they offering me any compensation for mentioning them in this post.)
Pros: Convenient browser-based or browser extension for access and syncing of your passwords. Can auto-fill on websites. No need to worry about backing up your password file or losing it.
Cons: If your provider is compromised or goes down you could lose access to your stored passwords.
Do you have any methods of generating, storing, or securing passwords not listed above, or anything else that wasn’t covered in the above article? Please feel free to share in the comments below. Thank you!
DD-WRT is feature-rich alternative firmware for a large number of home router models. It adds a wonderful array of new features, VPN being one of them. This walkthrough will show you how to quickly and easily configure a PPTP VPN server on your DD-WRT-powered router, so you can connect to your home network from afar, create a secure tunnel so you can safely use a public Wifi point with your laptop, or secure your iOS or Android device.
Setting up the VPN Server
So here’s how to get started. First, you’ll need a build of DD-WRT supported by your router which includes the VPN software. If you’re doing this on an Internet connection which has an IP address that changes periodically (i.e. residential), you’ll likely want a Free DynDNS hostname to point to your IP address. You’ll also need a basic familiarity of networking.
For the remainder of this guide, I will assume your router’s internal (LAN) IP address is 192.168.1.1.
Start by going to http://192.168.1.1 and login to your router’s administration panel.
Go to Services > VPN and set PPTP Server to enable. After doing that, a few new options will appear. The only ones you need to set are Server IP, Client IP(s), and CHAP Secrets. Set them as follows:
Server IP: You can set this to your router’s LAN IP, i.e.
Client IPs: Set this to an IP range OUTSIDE your DHCP range (See Setup > Basic Setup to figure your DHCP range) A good example value would be
192.168.1.200-250 for clients to receive addresses within that range.
CHAP Secrets: This is the username/password combinations for your VPN clients. Format is:
myname * mypassword *
Neither the username nor password can contain spaces, and must be all-lowercase.
You’re done with this page; Click Apply Settings.
Now go to Security > VPN Passthrough and make sure PPTP is set to Enabled. Click Apply Settings if you had to change the setting.
You should now be able to connect to your VPN using your Windows, Mac, or Linux computer by setting up a PPTP connection to your public (WAN) IP or hostname.
Can’t get connected? First, try setting up your connection to the router itself, using the LAN IP (192.168.1.1). If that works, then the VPN server is set up correctly; the problem is likely on the WAN side. Keep reading for suggestions. If you weren’t able to get connected, go back to the top and double-check your settings.
You may need to make the following settings adjustment if you are having trouble connecting specifically from your iOS device running iOS 4.3 or above. Go to Administration > Commands and paste the following in the box. Click Save Startup.
#!/bin/sh echo "nopcomp" >> /tmp/pptpd/options.pptpd echo "noaccomp" >> /tmp/pptpd/options.pptpd kill `ps | grep pptp | cut -d ' ' -f 1` pptpd -c /tmp/pptpd/pptpd.conf -o /tmp/pptpd/options.pptpd
(Source: DD-WRT Wiki)
If you can connect from the LAN side, but are still having trouble connecting from the WAN side, it’s likely your ISP or your gateway device (modem) is blocking the needed GRE protocol or the needed PPTP port or traffic. Contact your ISP for further assistance.
Do you have any experience or tips to share regarding VPN connections to a DD-WRT-powered router, or any suggestions in addition to the above? Please feel free to share them in the comments below. Thank you!
This is the first part in a two-part series in password security practices and storage. Be sure to click here to read part two if you haven’t already!
If you — like many people — are in the habit of using simple passwords, or even the same password over multiple sites, you’re setting yourself up for disaster.
Let me briefly explain: If you’re using a simple password it becomes much easier for a hacker to brute-force your password and gain access to your account. You should always use the strongest password — lower- and upper-case letters, numbers, and special characters — that any particular website supports.
If you’re already using strong passwords, good for you. However, if you’re using that same password — or a variation of it — on multiple sites, you’re undercutting the security of it. If one website that you use it on becomes compromised and that password is revealed or released, any other website that you use it on has also become compromised.
One example of this disaster is the RockYou hack. In January of 2010, Imperva released data regarding passwords exposed in the RockYou.com breach. In this attack, 32 million accounts were compromised and led to the disclosure of the top ten most used passwords, which potentially led to countless more accounts being compromised which used passwords that were on that list. This list was later updated to the 25 most often used passwords, as listed on Yahoo Finance.
Another example of this disaster waiting to happen is a phishing attack. This type of social engineering attack starts with a convincing-looking email that leads you to a website where you will “log in” or provide some other account details. The site that you’re directed to — while looking like the real site — is often a fake, designed to get you to provide your account information. Once the site has it, your account information can be used to log in to the real site. From there, a hacker can seize control of your account (changing the email address, password, and security questions), and attempting to use that information to log into other sites. Again, if you’re using the same password on multiple sites, the hacker now has access to all of those other sites.
Think you can identify a phishing email? Take a few minutes and take the SONICwall Phishing IQ Test now. I got 100% on this test, feel free to post your score in the comments below! You can also try the OpenDNS phishing quiz. I scored 14 out of 14 on the OpenDNS quiz. Feel free to post your scores and feedback in the comments below.
The implications of this are almost limitless if an attacker manages to take control of your email account. Once that happens they can start issuing password reset requests on other sites, and start taking control of them as well. For that reason, protecting the security of your email account should always been first and foremost. Google for one agrees, and offers users the option of 2-factor authentication, which provides a very strong level of security. If you have a Google (Gmail) or Google Apps account, I recommend you go and set this up immediately. It only takes about 15 minutes.
Do you have any other password security practices that you would recommend? Do you have a story to share about an account being compromised? Do you have anything to share that I didn’t cover above? Please feel free to share in the comments below! Also — check back for part two of this article, coming soon!
If you — like me — take a lot of digital pictures, you probably have a hundred folders full of images on your hard drive or external drives, and not nearly as sorted as you would like them to be. you have probably gotten to the point that you don’t know what’s in them or can’t find an image when you’re looking. I had around 10,000 images in over a dozen folders spanning 5+ years, and I had no intention of even trying to sort them manually :) So I wrote this script.
The following script was written in bash on Ubuntu Linux and automatically sorts your images into directories based on the date and time the photo was taken. How does it do this? By making use of the EXIF data your digital camera stores inside the image. The date and time the photo was taken is stored in that EXIF data. When an image doesn’t have EXIF data (such as when it was downloaded from the Internet, or taken from a camera that doesn’t support adding EXIF data), it will use the files last-modified time.
First, this should be run in the top-most directory of wherever your pictures are stored. If you have pictures/foldername/somepics/ and pictures/anotherfolder/morepics, run it from your pictures/ directory.
There are quite a few opportunities to improve this script — and some cautionary notes as well — marked within the script with FIXME tags. I’m already finished sorting my images, but anyone is welcome to contribute suggestions and improvements, which I’ll look into incorporating the next time I’m using this. You are welcome to include any suggestions or code improvements in the comments below using <code> and/or <pre> tags.
Usage: Copy the script into a file, editing options where appropriate, and save it. Make it executable and run it from the command line or window, from the directory where your pictures are stored. No command-line arguments. Back up your stuff first :)
UPDATE: Because WordPress keeps mangling this code, it has been moved to github, here.
Questions, comments, or feedback can be left in the comments below, or please use the contact form. Thank you!
BitLocker by itself is great drive encryption, but unfortunately it has some shortcomings in its default configuration. Namely, there’s no safeguard at boot time preventing the drive from being accessed. If your computer is stolen or physically compromised, the drive is ready and willing to give access to your data.
Fortunately BitLocker supports a PIN code which would can be required to be entered at boot time to unlock the drive. To enable the BitLocker PIN, simply open an administrator-level command prompt and run the following:
manage-bde -protectors -add c: -TPMAndPIN
You should receive output similiar to the following, during which you’re prompted for your PIN (no confirmation of keystrokes will appear on the screen during PIN entry):
BitLocker Drive Encryption: Configuration Tool version 6.1.7601 Copyright (C) Microsoft Corporation. All rights reserved. Type the PIN to use to protect the volume: Confirm the PIN by typing it again: Key Protectors Added:
If you get the following error…
ERROR: An error occurred (code 0x80310060): Group Policy settings do not permit the use of a PIN at startup. Please choose a different BitLocker startup option.
… then you will need to edit the local computer policy to allow a PIN to be set by performing the following steps:
- Click Start > Run and type mmc
- If Local Computer Policy is not visible, or Group Policy Object is not already added, add it by going to File > Add/Remove Snap-In > Group Policy Object
- Browse to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Bitlocker Drive Encryption > Operating System Drives
- Open the key Require additional authentication at startup
- Enable that Key and set Configure TPM startup Pin to Require startup PIN with TPM
Now you can set the PIN by running the manage-bde command once more.
We’ve all seen apps which tout their usefulness, relevance, or popularity by their number of downloads, but does it really mean anything?
“Number of downloads” means exactly that — the number of people that have downloaded your app — it doesn’t even attempt to represent the number of people who found it useful or continue to use it. It doesn’t even represent the number or rating of user-submitted reviews.
So why do application developers keep using the number of downloads to infer things about the quality of their product? Here’s a few examples:
“According to Microsoft, more than 13 million copies of the Windows 8 Developer Preview had been downloaded since its release back in the fall. California-based Net Applications said that — based on the Developer Preview downloads — Windows 8 already accounts for three-hundredths of 1-percent of all PCs accessing the Internet.” — TomsHardware.
Microsoft states that Windows 8 is still considered a pre-beta product, and it’s use is discouraged on production machines.
“Since its launch in October, [RoadNinja] has been downloaded 82,987 times for iPhones and iPads.” — NBC33TV.
This article was published one month after RoadNinja’s launch; RoadNinja currently holds a 3/5 star rating in the App Store with only a total of 207 reviews.
I’m not saying these are poor quality apps — what I’m saying is that developers tout too loudly the number of downloads of their app and try to infer that its a good quality app. What the number of downloads means is that it is a popular app; not necessarily a good quality one.
I should add that I personally downloaded the Windows 8 preview to check it out in a virtual machine — something I haven’t even gotten around to doing yet. I also downloaded RoadNinja but found it impractical and uninstalled it shortly after.
Do you have any personal opinion on the quality of apps that market on the number of downloads they have? Do you have anything to share that you think I may not have covered in the article above? Please feel free to share in the comments below. Thank you!
I ran into a scan a document to send it via email. PDF format would have been preferable, but Windows Scan and Fax wouldn’t export as a PDF. Fortunately OpenOffice is quite capable of converting a multi-page document to a PDF, and does it quite easily. I had already scanned my documents, so I wanted something that would work with the existing scans. Side note: OpenOffice also works on Linux.
Here’s how I did it.
Scan your pages into JPG files and save them where you can find them. In this example, I have four scanned JPG files which I want to convert into a single PDF.
Start OpenOffice Writer
Click Insert > Picture > From File
Select the image to insert. Repeat with any additional images you wish to insert. Once you have all your images inserted, go to…
Click File > Export as PDF.
Set the PDF export options. If you aren’t sure what to do here, accept the defaults as they are fine. Click Export and you’ll be prompted to give the file a name and save it.
“Carrier IQ: How the Widespread Rootkit Can Track Everything on Your Phone, and How to Remove It” — That was the title of one of LifeHacker’s posts this Wednesday, which is just one of countless articles on the now-controversial carrier metric-gathering tool Carrier IQ that some are calling “rootkit” and “spyware.”
” … a hidden application on some mobile phones that had the ability to log anything and everything on your device—from location to web searches to the content of your text messages. The program is called Carrier IQ, and … it actually comes preinstalled by the manufacturer of your phone.” — LifeHacker.
Developer Trevor Eckhart posted his YouTube video detailing the proported workings of the Android software, which demonstrates Carrier IQ monitoring keypresses, SMS messages, and browsing, even when the phone is not connected to a carrier network, and transmitting this data to Carrier IQ’s servers. Supposedly this data is then aggregated and then transmitted to the carriers for network and user-experience improvements. Though it’s not necessarily what it is doing, it’s about what it’s capable of doing. Read Eckhart’s detailed article here for his detailed breakdown the capabilities of Carrier IQ.
So I’ll say it once more — Carrier IQ is doomed — at least in its present incarnation. It’s not a matter of if, it’s a matter of when.
LifeHacker, HowToGeek, TechCrunch, BBC News, and others have all run articles on Carrier IQ, typically with one main focus: Detecting it and allowing the user to remove or disable it.The U.S. Senate has started asking questions, and it’s fairly certain that there will be lawsuits. After all, it’s not what you’re doing, it’s what you’re capable of doing:
“Senator Al Franken … has asked Carrier IQ to clarify exactly what its software can do. Franken specifically wants to know what data is recorded on devices with Carrier IQ, what data is sent, if it’s sent to Carrier IQ or carriers themselves, how long it’s stored once received, and how it’s protected once stored.” — The Verge.
If you want Eckhart’s app for checking/removing it on Android, you can get it here. Non-root users, or those having trouble with the above tool, can get a tool that detects but cannot remove Carrier IQ here.
What will be the end result?
If the lawsuits have their way, Carrier IQ is likely to have it’s functionality reduced at the very least, as well as a full disclosure to its presence. It could also mean a visible option to disable it — and that’s if handset manufacturers and carriers continue to use it. At the very most, it will be a huge, drawn-out ordeal, which is very likely. Update: The lawsuits are already underway:
“Carrier IQ, the new poster child for (alleged) smartphone privacy violations, has been hit with two class-action lawsuits from users worried about how the company’s software tracks their smartphone activity.” — ArsTechnica.
If the tech blogs are of any influence (and they are), people will start removing Carrier IQ from their handsets, or switching away from Android to handsets that don’t have Carrier IQ on them. Apple has already stated they are planning to drop Carrier IQ completely in future versions of iOS. RIM has stated that they never had Carrier IQ on BlackBerry handsets to begin with. Microsoft states Windows 7 phones don’t even support Carrier IQ.
Phones aren’t the only devices Carrier IQ may be installed on. Users have started asking questions about tablet devices such as the Nook as well, and the Samsung Galaxy Tab 7 can be rooted to check for the presence of it.
You can bet that, over time, the pressure from customers and negative press towards Carrier IQ will cause the carriers to reconsider the value of it, especially since they might be the ones paying for it in the first place. If you want one last laugh, be sure to read John Gruber’s “translation” of the Carrier IQ press release from November 16th.
Have any thoughts of your own to share regarding Carrier IQ, or would like to share what devices you have or have not found it on? Please feel free to share them in the comments below. Thank you!