USB Data-Blocker aka USB Condom

I was recently reading Kevin Mitnick’s “The Art of Invisibility” and found that he’d also recommended these devices. I’ve been using them for several years as it was always unnerving to plug a mobile device into a work computer to recharge only to see that there was a request to mount it. Additionally, my laptop would occasionally want to tether data via my cell phone. In an effort to block data transfer and leakage, something was required. These simple and cheap devices allow for power but no data to be transferred via the USB port.

WARNING: there’s always the possibility that any USB device could be compromised, including these… keep them in sight and under your control at all times.


Google Federated Learning of Cohorts (FLoC) – optout

Google Chrome 89 and other browsers based upon it, such as Chromium Edge, have introduced a new capability known as FLoC. This approach removes the need for third-party cookies by passing a group identifier in the HTTP headers in a manner similar to how cookies are exchanged. While FLoC should allow users to remain more anonymous, as advertisers only receive a group identifier for the user, it would not be difficult to use their IP address or other features available via device fingerprinting to track the individual.

As a web user, you would need to use several approaches to avoid this:
1. Use a browser without FLoC support. Hopefully, this will be added to the configuration menus to allow users to prevent it, similar to DNT.
2. Use a browser plugin (or other software/proxy) to remove the FLoC headers.

As a web developer, you can add configuration to opt out of all FLoC cohort calculation by sending the following HTTP response header:

Permissions-Policy: interest-cohort=()
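
A site that already sends a Permissions-Policy header has to merge the opt-out into it rather than overwrite the other features. The following is an added example, not code from the original post: the function names are hypothetical, and it assumes an Express/Connect-style middleware signature on top of Node.js response objects.

```javascript
// Added example, not code from the original post. Names are hypothetical.
const OPT_OUT = 'interest-cohort=()';

// Split a Permissions-Policy value on top-level commas. Commas inside
// double-quoted origins are kept (escaped quotes are not handled).
function splitDirectives(value) {
  const parts = [];
  let cur = '';
  let inQuote = false;
  for (const ch of value) {
    if (ch === '"') inQuote = !inQuote;
    if (ch === ',' && !inQuote) {
      parts.push(cur.trim());
      cur = '';
    } else {
      cur += ch;
    }
  }
  parts.push(cur.trim());
  return parts.filter(Boolean);
}

// Return the header value with any existing interest-cohort directive
// replaced by the empty allowlist, leaving other features untouched.
function withFlocOptOut(existing) {
  const kept = splitDirectives(existing || '').filter(
    (d) => d.split('=')[0].trim().toLowerCase() !== 'interest-cohort'
  );
  return [...kept, OPT_OUT].join(', ');
}

// True only if the value carries exactly the opt-out directive.
function optsOut(value) {
  return splitDirectives(value || '').includes(OPT_OUT);
}

// Express/Connect-style middleware; res.getHeader/res.setHeader are the
// Node.js http.ServerResponse methods.
function flocOptOut(req, res, next) {
  const current = res.getHeader('Permissions-Policy');
  const text = Array.isArray(current) ? current.join(', ') : String(current || '');
  res.setHeader('Permissions-Policy', withFlocOptOut(text));
  next();
}
```

Register the middleware after anything else that sets Permissions-Policy, since a later setHeader call would replace the merged value; optsOut can be used in a test to assert on the header a route actually returns.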

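If you really want to see the data, the following JavaScript will expose it:

// Uses top-level await: run it in the DevTools console or a module script.
// document.interestCohort() exists only in browsers with FLoC enabled.
if ('interestCohort' in document) {
  const { id, version } = await document.interestCohort();
  console.log('FLoC ID:', id);
  console.log('FLoC version:', version);
}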


Javascript let keyword

ECMAScript 6 (ES2015) added the ‘let’ keyword. let works a lot like the legacy ‘var’ keyword, but adds scoping capabilities.

Unfortunately, support cannot be retrofitted to older browsers with a polyfill. It is supported by IE11 (with limitations), Edge 12+, Firefox 44+, Chrome 49+ and Safari 10+. If you still need to support older browsers or devices, you may want to stick with var.


Javascript const

Formally introduced in ES6, const first appeared in JavaScript 1.5 as a Mozilla-specific extension and was not part of ECMAScript 5.

Unfortunately, support cannot be retrofitted to older browsers with a polyfill. It is supported by IE11+, Edge 12+, Firefox 36+, Chrome 21+ and Safari 5.1+. If you still need to support older browsers or devices, you may want to stick with var.

NOTE: some initial implementations may have thrown different exceptions on reassignment, were not limited in scope, or treated const like ‘var’.

A name may start with a letter, underscore or $ character.


Amazon Mechanical Turk

Amazon crowdsources some work for humans that computers just cannot complete. Tasks often pay only a few cents to a few dollars each. If you have some time to spend, the work ranges from what is usually pretty simple, such as completing identifying information in photos, to more complex tasks such as translations. You can always set up an account and complete a few HITs to get a feel for it. I’d done this many years ago when it was relatively new and was able to earn a few dollars; some people claim to easily make $50/day.


RetireJS for Eclipse extension

Several years ago I wrote an Eclipse plugin to help me identify vulnerable JavaScript libraries using RetireJS. On a whim, I finally got around to submitting it to the Eclipse marketplace last week and it was approved.

This addresses a common OWASP Top-Ten item – A9:2017-Using Components with Known Vulnerabilities.

For Non-Developers… in English, while software developers are creating websites they often use open-source libraries such as jQuery (or literally thousands of other libraries) to simplify their development. Eventually, almost all software is identified as being vulnerable to various attacks. This tool makes it easier to scan and report on libraries that might be used in an application so that they can be updated or replaced.


Neofetch for displaying system information

Neofetch was originally designed for Linux bash, to show system information in an easy-to-understand way that could be used in screenshots and demos. In my experience I’ve found that it also makes it easier to review details of remotely administered and virtual machines or images when performing maintenance.

Neofetch shows operating system, uptime, CPU, GPU, and memory information. While built for Linux bash, it can also be installed on macOS and Windows machines.

Installation for Linux is as simple as:
sudo apt install neofetch


Bitcoin and Cryptocurrency Mining

Unless you’ve been completely removed from society over the past 10 years or so, you’ve likely heard about Bitcoin and other cryptocurrencies. While the technology behind them may be beyond most people’s understanding and buying a single Bitcoin is likely too expensive for many people (as of today it’s over $56,000 USD = 1 BTC), you can still get in on the craze by mining. At the core of cryptocurrency is some really complicated math; mining is the process of having a computer perform some of those calculations. Usually this is done with entire farms of computers with high-end CPUs or GPUs. Regardless of your hardware, you can still get in on the action by joining services that combine the actions of many users into smaller units of work.

While there are many providers out there, I’ve found that the client offered by CudoMiner is one of the easiest for most users to install and run on modest hardware running Windows, Linux or OS/X. After setup, you just have to leave your device powered and connected to the web to use the idle time to earn some money.

With the increase in remote workers and students over the past year, I’d expect that at least a few of those organizations have figured out that they can use the idle time on those devices for mining to increase their revenue stream.

Microsoft ending support and removing Legacy Edge on Windows 10

Another Microsoft browser bites the dust. Legacy Edge, the original “Edge” that was designed to replace MSIE on Windows 10 before Microsoft changed direction and used the same underlying engine already used by Chromium, Chrome and Safari, is finally going away. During its short tenure and overlap with Chromium Edge, it has led to a lot of confusion among users who are not aware of the vastly different versions of ‘Edge’. Fortunately, its support ended on March 9th, 2021 and it will be removed by Windows Update with the upcoming patch expected on April 13th, 2021.


A very long time ago there was a means to identify yourself online with a short abstracted code that resembled a PGP email signature. At that time I identified as:

Version: 3.12
Created: 1999/02/02
GCS/IT d-([email protected]) s+:+ a- c++ UL++(++++$) P+++$ L+ E W+++$
N++ o++++ K w+++ O M V PS+ PE++ Y++ PGP+++ t+ 5 X++ R(-)
tv+ b+ DI+++ D+ G++ e++ h(-) r>++ y++*