Archive for the ‘Tech News’ Category

Update: Superfish and Maxthon

Friday, February 27th, 2015

Dear Friend of Maxthon,

This note is an update on Superfish: how it works, its relationship to Maxthon browsers, and what we are doing to mitigate any issues related to it. Our engineering team has spent a good bit of time examining Superfish and how it interacts with Maxthon.

Here is what we learned.

Superfish is malvertising software that Lenovo pre-installed on several consumer PC product lines in 2013 and 2014. Its purpose is to take control of part of your web browsing and serve you advertising. To do that it intercepts all of your encrypted (HTTPS) connections, traffic it should not be able to see, and it does so in an insecure way that leaves the system open to hackers or NSA-style spies: every affected machine trusts the same Superfish root certificate, the private key for that certificate was extracted and published within days of the story breaking, and anyone holding the key can impersonate any HTTPS site to those machines. For example, it can spy on your private bank connections.

The component of Superfish that intercepts and replaces encrypted connections is known as an "SSL hijacker", specifically the Komodia Redirector with SSL Digestor, made by an Israeli company called Komodia. An SSL hijacker opens up a huge security hole, effectively running a 'man in the middle' attack on your own machine. Superfish installs its own root CA certificate into the Windows trust store. From that point on its local proxy intercepts each HTTPS connection, terminates it, and presents the browser with a substitute certificate for the site signed by that root; because the root is trusted, the browser accepts it without complaint, and Superfish can read and modify the decrypted traffic. Its advertising works by injecting JavaScript code into the web pages that pass through, which can wreak havoc with websites and break them.

Even if you don't have a Lenovo consumer PC, your PC might have this vulnerability, because Komodia sold the same technology to other companies, including:

  • Atom Security
  • Infoweise
  • Komodia (KeepMyFamilySecure)
  • Kurupira (Webfilter)
  • Lavasoft (Ad-Aware Web Companion)
  • Qustodio
  • Websecure LTD (Easy Hide IP Classic)

Note that only the traffic between the browser and Superfish's local proxy uses the substitute certificate. The traffic that leaves the machine for the Internet still uses the website's real certificate, so you cannot tell whether a machine is infected by Superfish by looking at its network traffic.

However, Superfish makes requests to additional web pages to download the JavaScript it injects, and those requests are observable.

And this is where Maxthon enters the picture.  

Due to the way we handle JavaScript requests in our browser, Maxthon's PC browser unintentionally triggers a false positive on the Superfish test. In most cases running the test in other browsers on the same system will not. If Maxthon is reported as insecure and Chrome (on the same machine) is not, do not worry. If you get positives from all browsers, you likely have Superfish.

To repeat: the way Maxthon browsers retrieve JavaScript can trigger a false positive during a Superfish detection test, saying your system is at risk. Even though our browsers remain as secure as the best in the industry, we recognize the severity of this bug and have given it our highest (P1) priority.

We are working on a fix as we speak and will push it to all affected browsers via a required browser update when it is complete.

In the meantime, if you have not already, please take a couple of minutes to test your Windows PC for the presence of Superfish.  Use the link for a simple and fast test.

If you do determine you have Superfish, you will need to both uninstall the .exe AND manually remove the bogus CA certificate; uninstalling the program alone leaves the certificate trusted, and anyone holding the published Superfish private key can still impersonate sites to your machine. This link will show you how to remove it completely.
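Because the interception is invisible on the wire, the reliable evidence is on the machine itself: a root CA in the Windows trust store that no public authority issued. The PowerShell script below is an added example, not code from Maxthon or from the online test, that performs that local check and the cleanup described above without depending on which browser you run (so it is not subject to the false positive discussed here). It assumes the interception root is the one Lenovo shipped, whose Subject contains "Superfish" (the shipped CA is CN=Superfish, Inc.); that name pattern is the only identifier it relies on, the script name Find-InterceptionCA.ps1 is a placeholder, and you can pass a different -Pattern if one of the other Komodia-based products is suspected.

```powershell
# Find-InterceptionCA.ps1 (added example, not Maxthon's code)
# Looks for an interception root CA in the Windows trust stores and, with
# -Remove, deletes it. Assumption: the Superfish root carries "Superfish" in
# its Subject; widen -Pattern for other Komodia-based products.
param(
    [string]$Pattern = 'Superfish',
    [switch]$Remove
)

# Root = Trusted Root CAs, CA = Intermediate CAs; check both the per-user
# and the machine-wide stores, since either one is enough for a browser
# that uses the Windows store to accept the forged site certificates.
$stores = @(
    'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA'
)

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                SelfSigned = ($_.Subject -eq $_.Issuer)   # a root CA is self-signed
                NotAfter   = $_.NotAfter
            }
        }
}

if (-not $hits) {
    Write-Output "No certificate matching '$Pattern' in the trusted stores."
    return
}

Write-Output "Certificates matching '$Pattern' in the trusted stores:"
$hits | Format-Table -AutoSize

# Locate the program's uninstall entry too: removing the certificate alone
# leaves the proxy running, and uninstalling the program alone leaves the
# certificate trusted. Both have to go.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Write-Output "Installed programs matching '$Pattern':"
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $Pattern } |
    Select-Object DisplayName, UninstallString |
    Format-Table -AutoSize

if ($Remove) {
    foreach ($h in $hits) {
        # LocalMachine stores require an elevated (Administrator) shell.
        $path = "$($h.Store)\$($h.Thumbprint)"
        Remove-Item -Path $path -Verbose
    }
}
```

Run it from an elevated PowerShell: `.\Find-InterceptionCA.ps1` only reports, `.\Find-InterceptionCA.ps1 -Remove` deletes the matching certificates. Run the UninstallString it prints (or uninstall the program from Control Panel), reboot, and run the script once more to confirm that neither the certificate nor the program came back. Matching on the Subject name rather than a hard-coded thumbprint means the same check catches a re-issued copy of the CA; the trade-off is that any legitimate certificate whose name happens to match the pattern would be listed too, so read the table before passing -Remove.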

Thank-you for your continued support of Maxthon.  We’ll keep you informed of any changes.

-Team Maxthon

2015 Browser Wars: Yahoo’s Slimy Web Browser ‘Upgrade’ Ruse

Wednesday, January 7th, 2015

All that's old is new again. Over the holidays we got not one, but three signs that the browser wars are alive and well in 2015; they appear to be in one of their cyclical heating-up phases. Today we'll focus on how Yahoo, Mozilla and Google are prompting users with false upgrade warnings to switch browsers, in what amounts to a forced upgrade.

A term of the new Yahoo/Mozilla deal is the not-so-subtle effort Yahoo is now making to goad its email users into tossing whatever browser they currently use and 'upgrading' to Firefox. Google is doing something similar for different strategic reasons. Each of them is pressuring its webmail user base to move over to Chrome or Firefox by reading the browser's user agent string and then showing a conditionally surfaced upgrade warning that implies things won't work right unless the user switches browsers. (The user agent string is a header the browser sends with every request that identifies its type and version. It is self-declared, so a site that keys its behavior on it is guessing about what the browser can actually do.) Someone using a browser that isn't Firefox for Yahoo email triggers an update message. Google web product users get a similar 'unsupported browser' banner. (Google products mistakenly identify Maxthon as a version of Chrome because both browsers use WebKit as a rendering engine.) This is the kind of user mail we started receiving the day Yahoo implemented the Firefox 'forced upgrade':

“Since purchasing a new laptop with Windows 8.1, I am not able to use enhanced Yahoo email using Maxthon. I keep getting a message saying I am using an unsupported browser, and instructions to download Firefox. 
I am a big fan of Maxthon and have been using it for over 9 years. But the above is an issue I need to get resolved…Yahoo keeps taking me back to Basic Mail which has no features at all.”

Let’s get one thing straight: there is no technical reason you should have to use Firefox to use the new Yahoo email.  Nor do you need a ‘supported’ browser like Chrome to use Google’s web products.  In a word, all of that ‘you need to upgrade to a supported browser‘ messaging is bullshit. It has nothing to do with technology.

Maxthon uses the same open source rendering and JavaScript engines that Chrome and a number of other browsers use: WebKit and V8. However, that's not what Yahoo and Google would have you believe. In Yahoo's case, they are proactively redirecting you to their older webmail product to FORCE you to upgrade and use Firefox. (As our nine-year customer laments, it's either upgrade to Firefox or not be able to use the new Yahoo Mail.)

It has been interesting to watch both Yahoo and Google wise up and start using this tactic, but it's not hard for anyone in the industry to understand why. Yahoo's growth has been stagnant and slipping for years. It hasn't weathered the shift to mobile and apps well; in a world of apps and mobile, Yahoo remains a big bunch of noisy, over-stuffed websites. Google, certainly far from desperate :), is trying to solve a slightly different problem: unifying the experience behind a single login to be able to cross-promote better. After years of fumbling around with siloed web products, each company finally awakened to the fact that to survive (Yahoo) and continue growing (Google) they needed to knit their product ecosystems together into a walled garden. Monkeying with browser upgrades and support is a key tool in that effort.

In Yahoo's case they're likely getting a monetary bounty for every Firefox conversion they drive, or the activations offset what Yahoo has to pay Mozilla for the search traffic Firefox sends. Probably both, probably tiered in some way. For Google, growing Chrome gets it closer to a world where it can drive all of the PPC and search advertising it needs through its own products and no longer pay search/PPC referral partners. This 'unsupported browser' smokescreen is a key part of keeping those efforts on the down-low. And here's where history repeats itself.
The messaging Yahoo and Google are using with these upgrades is essentially the same argument Microsoft used in its defense of the Netscape antitrust suit in the late '90s: "We have to make IE the default browser; it's totally interwoven with the Windows operating system! Things won't work right if they use something other than IE." Ironic that Mozilla is now party to the same tactic its 'father', Netscape, labelled as unfair and anti-competitive. Those of you old enough to remember the DoJ's antitrust suit remember the crocodile tears were thick, thick, thick from Microsoft and Netscape... Next time: Microsoft's browser strategy is far from dead. It's baaaaaack! :)

Surprise! Microsoft jumps to Windows 10

Tuesday, September 30th, 2014


Forget Windows 9. In an unexpected twist, Microsoft will be going straight to double digits from Windows 8 as it faces a challenging future for its operating system.

SAN FRANCISCO — Microsoft just said no to 9. The follow-on to the current Windows 8 operating system will be known as Windows 10.

Originally codenamed Windows Threshold, the new operating system essentially does away with the dependency on the tiled "Metro" user interface that Microsoft had attempted to implement across its entire device line, from desktop PCs to Surface tablets and Windows Phone devices. In its place is a combination of the so-called live tiles, present in areas like the new Start Menu, and a more classic Windows experience that aims to please both touch and keyboard-and-mouse users.

Windows 10 is such a substantial leap, according to Microsoft’s executive VP of operating systems, Terry Myerson, that the company decided it would be best to skip over Windows 9, the widely expected name for the next version.

“Windows 10 will run on the broadest amount of devices. A tailored experience for each device,” Myerson said at a press event here Tuesday. “There will be one way to write a universal application, one store, one way for apps to be discovered purchased and updated across all of these devices.”

Windows 8's tile-first changes found many critics and detractors.

Windows 8.1, released last year, attempted to address those complaints with the revival of core Windows design and usage properties, such as the Start button. Now, with Windows 10, Microsoft is not quite hitting the reset button on touch, but wants to make sure it does not repeat history in its attempt to take Windows forward.

“We believe that, together with the feedback you provide us, we can build a product that all of our customers will love,” Myerson said. “It will be our most open, collaborative OS project ever.”

Taking the stage after Myerson’s introduction was Microsoft’s Joe Belfiore, corporate vice president of operating systems and the current public face of Windows and Windows Phone design and development. He gave attendees a live demo of an early build of Windows 10. Belfiore, too, put the emphasis on a great leap forward.

“We want all these Windows 7 users to have the sentiment that yesterday they were driving a first-generation Prius,” he said, “and now with Windows 10 it’s like we got them a Tesla.”

Windows 10 combines elements of Windows 8's forward-thinking design and the familiarity and functionality of Windows 7, still the most popular Microsoft OS. According to Web traffic-tracking firm Net Applications, Windows 7 could be found on 51 percent of desktop PCs in August, compared with just over 13 percent for versions 8 and 8.1 combined.

“It’s easy to say, ‘Oh it’s Microsoft giving up on touch,’” Belfiore said, pointing out the most obvious criticism of the scaled-back Metro interface. “We’re absolutely not giving up on touch. We have a massive number of users who know Windows 7 well and a massive, but smaller, number of people who know Windows 8 well.”

Never Offline? How Apple Is Invading Our Bodies

Saturday, September 20th, 2014

Interesting thought piece about Apple's latest devices from TIME (the Apple Watch cover story of the September 22, 2014 issue):

The Silicon Valley giant has redrawn the line that separates our technology and ourselves. That may not be a good thing

The Apple Watch is very personal—“personal” and “intimate” were words that Apple CEO Tim Cook and his colleagues used over and over again when presenting it to the public for the first time. That’s where the watch is likely to change things, because it does something computers aren’t generally supposed to: it lives on your body. It perches on your wrist, like one of Cinderella’s helpful bluebirds. It gets closer than we’re used to technology getting. It gets inside your personal bubble. We’re used to technology being safely Other, but the Apple Watch wants to snuggle up and become part of your Self.

This is new, and slightly unnerving. When technologies get adopted as fast as we tend to adopt Apple’s products, there are always unintended consequences. When the iPhone came out it was praised to the skies as a design and engineering marvel, because it is one, but no one really understood what it would be like to have it in our lives. Nobody anticipated the way iPhones exert a constant gravitational tug on our attention. Do I have e-mail? What’s happening on Twitter? Could I get away with playing Tiny Wings at this meeting? When you’re carrying a smartphone, your attention is never entirely undivided.

The reality of living with an iPhone, or any smart, connected device, is that it makes reality feel just that little bit less real. One gets over-connected, to the point where the thoughts and opinions of distant anonymous strangers start to feel more urgent than those of your loved ones who are in the same room as you. One forgets how to be alone and undistracted. Ironically enough experiences don’t feel fully real till you’ve used your phone to make them virtual—tweeted them or tumbled them or Instagrammed them or YouTubed them, and the world has congratulated you for doing so. Smartphones create needs we never had before, and were probably better off without.

The great thing about the Apple Watch is that it’s always there—you don’t even have to take it out of your bag to look at it, the way you would with an iPhone. But unlike an iPhone you can’t put the Apple Watch away either. It’s always with you. During the company’s press event the artist Banksy posted a drawing to his Twitter feed of an iPhone growing roots that strangle and sink into the wrist of the hand holding it. You can see where he was coming from. This is technology establishing a new beachhead. To wear a device as powerful as the Apple Watch makes you ever so slightly post-human.

What might post-humanity be like? The paradox of a wearable device is that it both gives you control and takes it away at the same time. Consider the watch’s fitness applications. They capture all the data that your body generates, your heart rate and activity and so on, gather it up, store it and return it to you in a form you can use. Once the development community gets through apping it, there’s no telling what else it might gather. This will change your experience of your body. The wristwatch made the idea of not knowing what time it was seem bizarre; in five years it might seem bizarre not to know how many calories you’ve eaten today, or what your resting heart rate is.

But wearables also ask you to give up control. Your phone will start telling you what you should and shouldn’t eat and how far you should run. It’s going to get in between you and your body and mediate that relationship. Wearables will make your physical self visible to the virtual world in the form of information, an indelible digital body-print, and that information is going to behave like any other information behaves these days. It will be copied and circulated. It will go places you don’t expect. People will use that information to track you and market to you. It will be bought and sold and leaked—imagine a data-spill comparable to the recent iCloud leak, only with Apple Watch data instead of naked selfies.

The Apple Watch represents a redrawing of the map that locates technology in one place and our bodies in another. The line between the two will never be as easy to find again. Once you’re OK with wearing technology, the only way forward is inward: the next product launch after the Apple Watch would logically be the iMplant. If Apple succeeds in legitimizing wearables as a category, it will have successfully established the founding node in a network that could spread throughout our bodies, with Apple setting the standards. Then we’ll really have to decide how much control we want—and what we’re prepared to give up for it.

Apple iPhone 6 Plus vs. Samsung Galaxy Note 4: Big-Screen Showdown

Friday, September 19th, 2014

Posted via PCMag

Samsung may have fired the first shot with the category-defining Galaxy Note, but Apple appears poised with a volley of its own. Now big-screen fans will have an even tougher choice ahead of them—the Galaxy Note 4 and iPhone 6 Plus go on sale this week, though Samsung’s only opening up pre-orders at the moment. The stage is set for showdown of epic proportions. Is bigger better? Can Apple beat Samsung at its own game? Read on for a side-by-side comparison.

Let’s start with the most obvious comparison: size. Though it sports a larger 5.7-inch display, the Galaxy Note 4 isn’t proportionately bigger than the iPhone 6 Plus. The Note 4 is shorter at 6.04 inches to the iPhone’s 6.22 inches, which could factor into pocket friendliness. The iPhone 6 Plus is slightly narrower at 3.06 inches to the Note 4’s 3.09 inches, and generally speaking, the narrower the phone, the more comfortable it is in the hand, but this difference is pretty marginal.

Samsung steps up its build quality game with this generation, framing the Note 4 in a sturdy metal band that should help quiet the plastic haters out there. Still, Apple’s unibody design looks as impressive as ever and continues Apple’s dominance on this front. To Samsung’s credit, the Note 4 retains the removable battery and microSD card expansion that fans have come to expect from the Galaxy line.

Spec                        Apple iPhone 6 Plus               Samsung Galaxy Note 4
Operating System as Tested  iOS 8                             Android 4.4
CPU                         Apple A8                          Qualcomm Snapdragon 805 Quad-Core
Dimensions                  6.22 by 3.06 by 0.28 inches       6.04 by 3.09 by 0.33 inches
Weight                      6.07 oz                           6.21 oz
Screen Size                 5.5 inches                        5.7 inches
Screen Type                 Retina HD                         Super AMOLED
Screen Resolution           1,920 by 1,080 pixels             2,560 by 1,440 pixels
Screen Pixels Per Inch      401 ppi                           515 ppi
Camera Resolution           8 MP rear; 1.2 MP front-facing    16 MP rear; 3.7 MP front-facing
Video Camera Resolution     1080p                             4K, 1080p
NFC                         Yes                               Yes
microSD Slot                No                                Yes

Apple finally steps into the world of full-HD displays, though it still calls it Retina HD, while Samsung appears one step ahead with its quad-HD panel. That makes for 401 ppi for the iPhone 6 Plus and 515 ppi for the Note 4. Will you actually notice a difference? Maybe if you have above-average vision, but even that’s a stretch in most situations. The big differentiator here is the screen tech: Samsung’s Super AMOLED panels have been drawing rave reviews since the Galaxy S5, and DisplayMate has already crowned the Note 4’s display as the best yet.

I won’t dive into sheer performance or software—both phones have top-of-the-line processors and run the latest versions of Android and iOS. Some other key differences to keep in mind are stylus support and camera performance. Samsung’s best stylus gets even better with the Note 4, while Apple’s camera prowess is well documented.

This might be the most hotly contested smartphone battle of the year, but we’re reserving final judgment until we can get both supersized handsets into our labs for thorough testing. That shouldn’t stop you readers from chiming in, though, so let us know which phone you’ll be clamoring to grab this fall. I’d say keep it civil, but, well, you know how these things go.

For more, check out PCMag’s hands on with the iPhone 6 Plus and the Galaxy Note 4, as well as our other spec comparisons:

Happy 158th Birthday to Nikola Tesla!

Thursday, July 10th, 2014


Happy 158th, Nikola Tesla! Strange Facts About the Inventor

Nikola Tesla may be known today as one of history’s greatest inventors, but the intrepid scientist’s eccentricities have become as legendary as his trailblazing discoveries in the field of electricity.

Tomorrow (July 10) marks the 158th anniversary of Tesla’s birth, and to celebrate the occasion, Live Science is looking back at Tesla’s legacy, the cult of personality that has developed around the inventor in the years after his death, and the decades-old debate about who should be crowned the greatest inventor of all time: Nikola Tesla or Thomas Edison.

Though Tesla holds 112 lifetime U.S. patents, and is most famous for helping to develop the modern alternating current (AC) system of electric power, the inventor died penniless and in relative obscurity on Jan. 7, 1943, at age 86. [Creative Genius: The World's Greatest Minds]

Tesla’s outsized and quirky personality, along with some of his more far-out ideas — such as his experiments to develop a particle gun, or death ray — earned him a reputation that fell somewhere between “creative genius” and “mad scientist.” But while some regard him as the true father of electricity, others have come to remember Tesla more for his peculiarities than his accomplishments.

Here are some of the strangest facts about Tesla:

-Tesla rarely slept, and claimed he never dozed for longer than two hours. The inventor also said he once worked for 84 hours straight without any rest, according to John O’Neil, author of the book “Prodigal Genius: The Life of Nikola Tesla” (Cosimo Inc., 2006).

-Later in his life, Tesla frequented parks in New York City, often rescuing injured pigeons and nursing them back to health. A special PBS report on Tesla’s life and legacy claimed that when the inventor took up residence at the Hotel New Yorker, “he had the hotel chef prepare a special mix of seed for his pigeons, which he hoped to sell commercially.”

-Tesla was a vegetarian, but eventually limited himself to a peculiar diet of only milk, honey, bread and vegetable juices, according to Marc Seifer, author of “Wizard: The Life and Times of Nikola Tesla,” (Citadel Press, 1996). Later in life, he was consumed by an extreme aversion to germs, and would only eat food that had been boiled, reported PBS.

-Tesla allegedly had a photographic memory, and could memorize entire books, according to Margaret Cheney, author of “Tesla: Man Out of Time” (Simon and Schuster, 2001).

-According to Seifer’s book “Wizard: The Life and Times of Nikola Tesla,” the inventor claimed that repeatedly squishing his toes helped to stimulate his brain cells. In fact, Tesla reportedly performed his toe exercises nightly, 100 times for each foot.

-Tesla spent decades as a New York City resident, and to commemorate his connection to the Big Apple, the intersection of 40th Street and Sixth Avenue in Manhattan is named “Nikola Tesla Corner.” A plaque honoring Tesla can also be found on the façade of the New Yorker Hotel, where the inventor died.

-Tesla died in Room 3327 of the New Yorker Hotel on Jan. 7, 1943. A death mask was commissioned after a medical examiner inspected the body. The mask is on display in the Nikola Tesla museum in Belgrade, Serbia.

Lifehacker: Ask an Expert: All About Online Privacy and Security

Monday, June 9th, 2014

When it comes to security, the internet can sometimes feel like the wild west. Large commercial sites are routinely hacked and our private data feels like it’s behind a leaky sieve. How secure are we and what can we do?

While some of us fire up Tor just to check email, other folks happily use public coffee shop Wi-Fi to manage their bank account without a care in the world. Where do you draw the line? Here to discuss online privacy and security is Karl Mattson, VP of International at Maxthon. Karl deals with security concerns every day at Maxthon, which has pioneered many areas of secure cloud-based web browsing. Have a question about your privacy and security concerns? Karl will be here for the next hour, so ask away!

The Q&A is now over, but thanks for your great questions!


IAmJared to Andy Orin
What’s the easiest and most consistent way to stay private on the internet?

Karl Mattson to IAmJared
First one needs to think about levels of privacy. If you want to surf the web completely anonymously, you’ll need to use a network like ‘Tor’ — that essentially covers your tracks — passing your requests through a sticky web of IP addresses. That, plus a ‘belt and suspenders’ approach to password management will keep you very safe. That’s the ultimate, a high standard. Unfortunately there is no easy way — but rather one needs to think of this in terms of using a set of best practices and tools. Password protectors to avoid identity theft. Avoid posting pictures of oneself to public networks. Manage your Facebook and LinkedIn profile settings actively. Reduce or refuse 3rd party cookies. There are many things one can do. Whatever you do — be wary of open WiFi networks.

iamazebra to Andy Orin
How do you draw the line between “keeping your privacy” and “being the product”?
For instance, if you had to sign up for an email service, how would you go about deciding between a service like Gmail or Yahoo mail and a paid service that guarantees your privacy like Hushmail or MyKolab?

Karl Mattson to iamazebra
Making that choice requires taking an end-to-end approach to your privacy. A service like Hushmail or MyKolab is only as secure as its internal data access and management practices are. Meaning, take the time to verify that MyKolab restricts and limits access from employees to the servers it uses. To some degree, when looking at a service like Gmail or Yahoo — there is strength in size. Established publicly-traded companies like them tend to be much more thorough with their practices. But then again, their size also makes them a target of agency-level snooping a la ‘Prism’.

charles lee to Andy Orin
is it worth having a personal vpn on a home server like logmein hamachi as well as a paid vpn to protect data until it reaches the paid server’s?

Karl Mattson to charles lee
That depends on your willingness to maintain such a system. Personal VPNs are getting easier every day, though. Personally, I do not. Rather, I segregate data locally on separate drives that are NOT wifi-enabled.

USER23 to Andy Orin
Hi Karl – I hear a lot about online identity theft. Where and when am I most vulnerable to this? Are there measures I can take to protect my personal information?

Karl Mattson to USER23
Identity theft is, more often than ever, a combination of online and offline actions. For example, ‘Target.’ There the vulnerability was the physical Point of Service registers in the stores. Not much you can do about that. But, when you’re surfing the web you have options that empower your own security. First, recognize that the back door into more people’s operating systems — and their personal data — is usually through web mail viewed via web browser. Make sure the browser itself is secure — that it sandboxes processes and isn’t vulnerable to cross-scripting holes. Then, be smart about clicking on links, images and downloads in email —> EVEN if you believe that email is from a personal friend. And, definitely use a good anti-virus/security application with anti-phishing and malware protection.

velascomike to Andy Orin
What is your opinion on password managers like LastPass? Is it a secure option if used properly (like using two factor authentication)?

Karl Mattson to velascomike
Password managers like LastPass are worth the effort. Just know that you are then collecting and centralizing your passwords. I think two-factor authentication is necessary. I would like to see every website or app that uses even mildly sensitive data to adopt it.

JasonMTracy to Andy Orin
“other folks happily use public coffee shop Wi-Fi to manage their bank account without a care in the world.”
Why wouldn’t I? If I verify the certificate (I do), then what does it matter if I’m on public wifi?
In other words: Don’t trust a hardwired connection to your personal ISP any more than a coffee shop wifi.

Karl Mattson to JasonMTracy
Jason, you raise a good point. If you verify the certificate you can be reasonably sure you’re safe. Someone could still be logging your session — eg the MAC address of your machine and every IP address you went to and when. Taken alone you may think that doesn’t leave you very vulnerable. But, now more than ever before, that kind of seemingly useless session data is easily combined with other dis-aggregated data about yourself which allows for increasingly more complex and detailed profiles of who you are: what you do, where you go, how you shop, what you like/dislike. The aggregation of dis-aggregated personal data in the cloud is pretty creepy to me.

Karl Mattson to Karl Mattson
For most, the horse is out of the barn on that privacy issue. All of us have left many, many ‘identity breadcrumbs’ on the open web. And a slew of private and governmental agencies are mining it and creating behavioral profiles from it.

Casey to Andy Orin
How can I make my Android phone the most secure. If I download apps certified only by the play store, how can I add additional security? Recommendations?

Karl Mattson to Casey
Casey — that is a great question. When you talk to security professionals they’ll all tell you the same thing — Android is GROUND ZERO for identity theft threat. It’s open by design — and that means the bad guys have many holes to exploit. I use whole-device security apps on my Android devices — products like AVG Mobile, for example.

IMHO, privacy and security on the web require personal responsibility and a regimen. In the same way you have to take the time to learn the rules of the road and drive safely, so should you take the time to learn what the major web threats are and how to protect yourself. Privacy hygiene. You gotta’ practice it…

thinktechdude to Andy Orin
What are your thoughts about the death of Truecrypt? Is it still safe to use?

Karl Mattson to thinktechdude
I use encryption tools but have no illusions about the level of protection they offer. There is the very real unknown of undiscovered backdoors. And, the math behind cracking encrypted information is straightforward. It’s a function of computational power and randomness. Again — there is no magic bullet.

Lolobond to Andy Orin
How can I stop companies from following me? For example I browse something on Newegg and for the following 7 days all I get is Newegg ads, same with Amazon or any store I browse. I know there is Adblock Plus and Edge, but how can I completely stop these companies from getting my browsing information?

Karl Mattson to Lolobond
Use Adblock Plus. Use a browser that supports ‘Do Not Track’ (and be sure it is enabled). Then, either don’t allow 3rd party cookies (look in your browser options menus) OR — and pardon the plug — use Maxthon’s browsers. Maxthon web browsers split how we manage 3rd party cookies — preventing the tracking kind from working while allowing the kind that, for example, remember your username, to work. So, you get convenience along with protection.

Andy Orin, Host to Andy Orin
Hi Karl, glad you could be with us today. What do you think’s the most common mistake that average people make that can compromise their online security?

Karl Mattson to Andy Orin
This will sound retro and remedial, but poor password management is the most common (and wholly avoidable) mistake. Before you do anything else re: security, find and use a password management app like ‘LastPass.’ Is it foolproof? No — human error is at play, but they definitely make a difference.

Karl Mattson to Karl Mattson
On a more abstract level, the biggest problems we see in our user mail and focus groups arise from consumers not knowing when the security of one application or device ends and another begins. By that I mean, consumers need to think about online privacy from at least two major areas — what happens on the device and what happens on the open web.

Andy Orin, Host to Andy Orin
I’m sure a lot of people are also paranoid about their ISPs watching their traffic, not to mention some certain government agencies. Do you think normal folks would benefit from VPNs?

Karl Mattson to Andy Orin
VPNs will go a long way, but if the concern is an ISP watching your traffic in an ‘NSA’ Prism-type dynamic, a VPN adds a level of protection but is not a magic bullet. As long as traceroute exists, agencies and governments will be able to extrapolate increasingly more accurate information about where you go online – and can then make pretty accurate inferences from that.

Karl Mattson to Karl Mattson
Everyone needs to do a little personal soul-searching to examine what is *most* important to them regarding privacy. On the web, anonymity is not binary. It’s a matter of degrees — from total anonymity on one end to ‘my life is an open book’ on the other. Each person needs to determine for him or herself where they sit on that scale.

Christina DiRusso to Andy Orin
Having an online presence in some cases is so important for building a career. How does an individual, especially within a job hunting scenario, strike a balance between building a public, online brand and privacy?

Andy Orin, Host to Christina DiRusso
We’ve talked about this a bit before, I think it’s really up to you to decide the line between personal and private—you could have a clean LinkedIn profile and maybe a totally private Facebook page, for example. Twitter is obviously another issue since it can be used for both work and to talk with your friends, but you could always make a separate, private account too.

Karl Mattson to Christina DiRusso
That is an interesting question — and from my experience the correct answer tends to vary along generational lines. The younger the professional, the looser he/she usually is regarding what they believe to be acceptable. For me, I recommend that people hold themselves to the ‘New York Times’ standard. Which is to say, never put anything online that you *wouldn’t* want to see on the front page of the NYT. Online presence is a critical part of one’s professional identity. You have to concede, from the get go, that you are trading a bit of privacy for the benefit that comes from putting your ‘brand’ on the web to your advantage. Yes, I said it. Like it or not, you have to approach it from a brand management point of view. As in, ‘I’m the CEO of and this is my message. This is how I want to be known.’ Level of detail varies based on profession — certainly. But in general, stick to the professional and leave the personal for your private FB lists.

Bradlee Kuhn to Andy Orin
I know Lifehacker’s viewpoint on this but is it worth paying for internet security software for a normal household (non-business) user?

Karl Mattson to Bradlee Kuhn
I use it on all of my machines. I know it’s not foolproof — but the ways in which the McAfees and AVGs of the world work together to identify and stop new threats — and then share information between them — is one of the more admirable examples of companies working together to protect users.

Andy Orin, Host to Bradlee Kuhn
That article is a little out of date, as you probably noticed — our pick for free anti-virus software is Avast. For most people, the paid options are probably not necessary.

LukeMeowingtons to Bradlee Kuhn
Passive scanning anti-virus is almost useless; you really want something that is multiple layers of protection. Most viruses are obfuscated and encrypted via a site that will do multiple passes of tests against all AV vendors’ products until none of them detect it, so you want something that can scan for threats in a variety of different ways.

Karl Mattson to LukeMeowingtons
You’re right, Luke. Though I wouldn’t classify it as ‘almost useless.’ Rather — it’s not bullet proof. Just like in every other corner of the web, the level of sophistication from one virus to the next varies. So, using an AV product to get the low and middle-hanging threats is, in my view, worth doing.

LukeMeowingtons to Karl Mattson
Totally agree! Better something than nothing! I always try to push for Internet Security All-In-One solutions as I feel they are safer.


Users Beware: Even Homeland Security Says Not to Use Internet Explorer

Wednesday, April 30th, 2014

How scary is the latest Internet Explorer security vulnerability? Even the U.S. government says not to use IE until the browser is fixed.

The flaw, which affects Internet Explorer versions 6 and up, allows bad guys to gain complete access to a PC via a malicious website. Dubbed “Operation Clandestine Fox” by the security firm FireEye, the threat is real. And dangerous.

The U.S. Department of Homeland Security doesn’t issue security alerts for computer software very often, but this time, it made an exception. Many agencies within the U.S. government use versions of IE.

Homeland Security recommends that users or administrators “enable Microsoft EMET where possible” and to “consider employing an alternative web browser until an official update is available.”

That’s good advice. Microsoft’s next scheduled “Patch Tuesday” isn’t until May 13, although the company may push out an unscheduled update earlier. If you’re using an unsupported version of Windows — like Windows XP — don’t expect to get any updates.

For Windows XP users, the best course of action is to move to Google Chrome or Mozilla Firefox now.

Is it Time to Encrypt the Entire Internet?

Thursday, April 17th, 2014

It’s Time to Encrypt the Entire Internet

The Heartbleed bug crushed our faith in the secure web, but a world without the encryption software that Heartbleed exploited would be even worse. In fact, it’s time for the web to take a good hard look at a new idea: encryption everywhere.

Most major websites use either the SSL or TLS protocol to protect your password or credit card information as it travels between your browser and their servers. Whenever you see that a site is using HTTPS, as opposed to HTTP, you know that SSL/TLS is being used. But only a few sites — like Facebook and Gmail — actually use HTTPS to protect all of their traffic as opposed to just passwords and payment details.

Many security experts — including Google’s in-house search guru, Matt Cutts — think it’s time to bring this style of encryption to the entire web. That means secure connections to everything from your bank site to the online menu at your local pizza parlor.

Cutts runs Google’s web spam team. He helps the company tweak its search engine algorithms to prioritize certain sites over others. For example, the search engine prioritizes sites that load quickly, and penalizes sites that copy — or “scrape” — text from others.

If Cutts had his way, Google would prioritize sites that use HTTPS over those that don’t, he told blogger Barry Schwartz at a conference earlier this year. The change, if it were ever implemented, would likely spur an HTTPS stampede as web sites competed for better search rankings.

Cutts, who didn’t respond to our request for comment, told Schwartz that it’s a controversial idea, and it faces some opposition within Google. A Google spokesperson would only tell us that the company has nothing to announce at this time. So this change won’t happen overnight.

Dump the Plain Text Internet

White hat hacker Moxie Marlinspike knows as well as anyone how insecure SSL/TLS can be. A former Twitter engineer, he’s uncovered multiple critical bugs in the protocols over the course of his career and has proposed an alternative way of handling trust and verification in the protocol. But he still thinks that using HTTPS in as many places as possible would be a good thing. “I think there’s value to making network traffic as opaque as possible, even for static content,” he says. “Ideally we would replace plain text on the internet entirely.”

When you use HTTPS, the data is encrypted so that, in theory, only you and the server you’re communicating with can read the contents of the messages passing back and forth between your computer and the server.

Most major websites only use HTTPS to protect your password when you log in, or your credit card information when you make a purchase. But that started to change in 2010 when software developer Eric Butler released a free tool called FireSheep to show just how easy it was to temporarily take control of someone else’s account over a shared network — such as a public Wi-Fi connection.

Butler agrees that more use of HTTPS would be a good thing, pointing out that using HTTP makes it easier for governments or criminals to spy on what internet users are doing online. And Micah Lee, a technologist for The Intercept, points out that there are many situations in which it makes sense to use HTTPS besides just protecting passwords or other sensitive information.

For example, HTTPS doesn’t just encrypt the information passing between a server and your computer: It also verifies that the content you’re downloading is coming from the people you expect it to be coming from — again, in theory. That’s something that a regular HTTP connection can’t do.

“Any sort of attacks that involve tricking the victim into connecting to the attacker’s server instead of the real server gets halted by HTTPS,” Lee said via email. “And this is really important, even for non-secret content, because of integrity: you really don’t want attackers modifying the content of websites you’re visiting without your knowledge.”

For example, a country that doesn’t want its citizens getting certain information from Wikipedia can set up a system that feeds users fake Wikipedia pages. “Without HTTPS, censorship isn’t just possible,” Lee says. “It’s simple for powerful attackers like governments, and it’s impossible for ordinary users to detect.”

There are other ways that a rogue government or criminal hacker could cause problems by replacing insecure content with their own fake pages. Lee points out that many journalists post their PGP encryption keys on their websites using only HTTP. An attack could show a potential whistleblower a fake page with a fake encryption key, causing them to turn incriminating evidence over to, for example, the government or their employer.

One of the most dangerous possibilities, however, is that hackers could replace software downloads with malware. “Websites that publish software have no business ever using HTTP,” Lee says. “They should always use HTTPS. If they don’t, they’re putting software users at risk.”
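The integrity argument above (a fake key page, a swapped software download) can be made concrete with a small model. This is an added example, not code from the article or anyone quoted in it: the HMAC-tagged record is a simplified stand-in for TLS record protection (real TLS uses AEAD ciphers and also encrypts), the fixed session key stands in for the key the client and server derive in the handshake, and the model assumes the client validated the server's certificate, so the on-path party does not hold that key; that assumption is the "in theory" in the article.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample data: a genuine installer, a trojaned substitute, and a
# stand-in for the session key a real TLS handshake would produce.
GENUINE_INSTALLER = b"#!/bin/sh\necho 'genuine installer'\n"
TROJANED_INSTALLER = b"#!/bin/sh\necho 'trojaned installer'\n"
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed

def serve_over_http(body: bytes) -> dict:
    """Model of a plain HTTP download page that also prints the file's SHA-256."""
    return {"body": body, "sha256": hashlib.sha256(body).hexdigest()}

def rewrite_http_on_path(response: dict, substitute: bytes) -> dict:
    """An on-path party rewrites the whole response. The checksum is just more
    plaintext, so it is rewritten too and stays consistent with the new body."""
    return serve_over_http(substitute)

def fetch_over_http(response: dict) -> Tuple[bytes, bool]:
    """Client-side check: does the body hash match the advertised checksum?
    It does for the substituted body, so a hash served over HTTP proves nothing."""
    matches = hashlib.sha256(response["body"]).hexdigest() == response["sha256"]
    return response["body"], matches

def serve_over_https(body: bytes, key: bytes) -> dict:
    """Simplified TLS record: the body is bound to the session by an HMAC tag."""
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return {"body": body, "tag": tag}

def rewrite_https_on_path(response: dict, substitute: bytes) -> dict:
    """Without the session key the on-path party can only swap the body and
    leave the old tag (a tag forged under its own key fails the same way)."""
    return {"body": substitute, "tag": response["tag"]}

def fetch_over_https(response: dict, key: bytes) -> Tuple[Optional[bytes], bool]:
    """Client recomputes the tag in constant time; a mismatch rejects the record."""
    expected = hmac.new(key, response["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response["tag"]):
        return None, False
    return response["body"], True

if __name__ == "__main__":
    http_body, http_ok = fetch_over_http(
        rewrite_http_on_path(serve_over_http(GENUINE_INSTALLER), TROJANED_INSTALLER))
    print("HTTP: checksum matches =", http_ok, "body =", http_body)
    tls_body, tls_ok = fetch_over_https(
        rewrite_https_on_path(serve_over_https(GENUINE_INSTALLER, SESSION_KEY),
                              TROJANED_INSTALLER), SESSION_KEY)
    print("HTTPS: record accepted =", tls_ok, "body =", tls_body)
```

The HTTP path accepts the trojaned installer with a matching checksum; the HTTPS path rejects the record outright, which is the property Lee describes.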

The Argument Against Total SSL

But if HTTPS is so great, then why don’t all websites use it already? There are several disadvantages to using HTTPS everywhere, the World Wide Web Consortium’s HTTPS expert Yves Lafon told us in 2011.

The first is the increased cost. You have to purchase TLS certificates from one of several certificate authorities, which can cost anything from $10 per year to about $1,000 a year, depending on the type of certificate you purchase and the level of identity verification it provides. Another issue is that HTTPS increases server resource consumption and can slow sites down. But Marlinspike and Butler say the costs and resource overhead are actually greatly overestimated.

An issue for smaller sites is that it’s historically been hard to set up unique certificates on sites that use cheap shared hosting. Also, sites that used content delivery networks — or CDNs — to speed up their responsiveness frequently faced challenges when implementing SSL. Both of these issues have been largely resolved today, though the costs, performance and complexity vary from host to host.

But even if the entire web isn’t ready to switch completely to HTTPS, there are plenty of reasons that more sites should start using HTTPS by default — especially sites that provide public information and software. And given how far we’ve already come since the days of FireSheep, we can expect HTTPS to continue to spread, even if Google doesn’t start prioritizing sites that use it.

The World’s Most-Viewed Photo – The Windows XP ‘Bliss’ Wallpaper – Is a Real, Unaltered Photo

Friday, April 11th, 2014

Given that at least 500 million people still use the Windows XP operating system, it’s no surprise that “Bliss,” the bright and beautiful photo of an idyllic field that is the system’s default wallpaper, is considered the most-viewed image of all time. But now that Microsoft has officially pulled its support for the aging operating system, it’s high time we found out exactly what the story is behind this iconic and beautiful background.

The famous picture was taken by photographer Charles O’Rear in Napa Valley, California using a Mamiya RZ67 camera, color Fuji Film and a tripod. That’s right – it’s a film photograph! There’s a lot more to the story, however, so we suggest checking out Microsoft NL’s Youtube video below! (via)

A video about the famous wallpaper