USB Data-Blocker aka USB Condom

I was recently reading Kevin Mitnick’s “The Art of Invisibility” and found that he’d also recommended these devices. I’ve been using them for several years as it was always unnerving to plug in a mobile device into a work computer to recharge only to see that there was a request to mount them. Additionally, my laptop would occasionally want to tether data via my cell phone. In an effort to block data transfer and leakage, something was required. These simple and cheap devices allow for power but no data to be transferred via the USB port.

WARNING: there’s always the possibility that any USB device could be compromised, including these… keep them in sight and under your control at all times.

REFERENCES:

Google Federated Learning of Cohorts (FLoC) – optout

Google Chrome 89 and other browsers based upon it such as Chromium Edge have introduced a new capability known as FLoC. This approach removes the need for third-party cookies by passing a group identifier in the HTTP Headers in a manner similar to how Cookies are exchanged. While FLoC should allow for users to remain more anonymous as advertisers only receive a group identifier for the user, it would not be difficult to use their IP address or other features available via device fingerprinting to track the individual.

As a web user, you would need to use several approaches to avoid this:
1. Use a browser without FLoC support. Hopefully, this will be added to the configuration menus to allow users to prevent it, similar to DNT.
2. Use a browser plugin (or other software/proxy) to remove the FLoC headers.

As a web-developer, you can add configuration to opt-out of all FLoC cohort calculation by sending the following HTTP response header:


Permissions-Policy: interest-cohort=()

If you really want to see the data, the following javascript will expose it:

const { id, version } = await document.interestCohort();
console.log('FLoC ID:', id);
console.log('FLoC version:', version);

REFERENCES:

Javascript let keyword

ECMAScript 6 (ES2015) added the ‘let’ keyword. let works a lot like the legacy ‘var’ keyword, but adds scoping capabilities.

Unfortunately, support cannot be retrofitted to older browsers with a polyfill, supported by IE11(with limitations), Edge 12+, Firefox 44+, Chrome 49+, Safari 10+. If you still need to support older browsers or devices you may want to stick with var.

REFERENCES:

Javascript const

Formally introduced in ES6, const was introduced in JavaScript 1.5 and was a Mozilla-specific extension and not part of ECMAScript 5.

Unfortunately, support cannot be retrofitted to older browsers with a polyfill, supported by IE11+, Edge 12+, Firefox 36+, Chrome 21+, Safari 5.1+. If you still need to support older browsers or devices you may want to stick with var.

NOTE: some initial implementations may have thrown different exceptions on reassignment, were not limited in scope, or treated const like ‘var‘.

Name may start with letter, underscore or $ character.

REFERENCES:

Amazon Mechanical Turk

Amazon crowdsources some work for humans that computers just cannot complete. Tasks often pay only a few cents to a few dollars each. If you have some time to spend and want to do what is usually pretty simple work such as completing identifying information in photos, to more complex tasks such as translations. You can always set up an account and complete a few HITS to get a feel for it. I’d done this many years ago when it was relatively new and was able to earn a few dollars, some people claim to easily make $50/day.

REFERENCE:

RetireJS for Eclipse extension

Several years ago I wrote an Eclipse plugin to help me identify vulnerable javascript libraries using RetireJS. On a whim, I finally got around to submitting it to the Eclipse marketplace last week and it was approved.

This addresses a common OWASP Top-Ten item – A9:2017-Using Components with Known Vulnerabilities.

For Non-Developers… in English, while software developers are creating websites they often use open-source libraries such as jQuery (or literally thousands of other libraries) to simplify their development. Eventually, almost all software is identified as being vulnerable to various attacks. This tool makes it easier to scan and report on libraries that might be used in an application so that they can be updated or replaced.

REFERENCES:

Neofetch for displaying system information

Originally designed for use in demonstrations on Linux bash in an easy to understand way that could be used in screenshots and demos. In my experience I’ve found that it also makes it easier to review details of remotely administered and virtual machines or images when performing maintenance.

Neofetch shows Operating System, uptime, CPU, GPU, and memory information. While built for linux bash, it can also be installed on macOS and Windows machines.

Installation for Linux is as simple as:
sudo apt install neofetch

REFERENCES:

Microsoft ending support and removing Legacy Edge on Windows 10

Another Microsoft browser bites the dust. Legacy Edge, the original “Edge” on that was designed to replace MSIE on Windows 10 before Microsoft changed direction and used the same underlying engine already used by Chromium, Chrome and Safari is finally going away. During it’s short tenure and overlap with Chromium Edge, it’s lead to a lot of confusion by users that are not aware of the vastly different versions of ‘Edge’. Fortunately its support ended on March 9th, 2021 and it will be removed by Windows Update with the upcoming patch expected on April 13th 2021.

Geekcode

A very long time ago there was an online means to identify yourself online with a short abstracted code that resembled a PGP email signature, at that time I identified as:


-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
Created: 1999/02/02
GCS/IT d-([email protected]) s+:+ a- c++ UL++(++++$) P+++$ L+ E W+++$
N++ o++++ K w+++ O M V PS+ PE++ Y++ PGP+++ t+ 5 X++ R(-)
tv+ b+ DI+++ D+ G++ e++ h(-) r>++ y++*
-----END GEEK CODE BLOCK-----

REFERENCES:

Minify .js files during Maven builds

Minifying files for use on the web is essential to improving performance, to reduce network overhead as well as a slight bump in execution speed.

Long ago I used the YUICompressor plugin for both JS as well as CSS files, unfortunately that project appears to have been abandoned many years ago and no longer functions well for JS files that make use of modern features.

For JS files, I’ve found that most capabilities can be replicated with the following in the pom.xml:

<plugin>
<groupId>com.github.blutorange</groupId>
<artifactId>closure-compiler-maven-plugin</artifactId>
<version>2.21.0</version>
<executions>
<execution>
<id>default-minify-js</id>
<phase>generate-resources</phase>
<configuration>
<!-- not supported (always uses .min) <suffix>-min</suffix> -->
<encoding>UTF-8</encoding>
<baseSourceDir>${basedir}/${webapp-folder}</baseSourceDir>
<baseTargetDir>${webapp.path}/</baseTargetDir>
<sourceDir>js</sourceDir>
<targetDir>js</targetDir>
<skipMerge>true</skipMerge>
<includes>
<include>**/*.js</include>
</includes>
<excludes>
<exclude>**/webjars-requirejs.js</exclude>
<exclude>**/bootstrap*.*</exclude>
<exclude>**/jasmine*.*</exclude>
<exclude>**/*-min.js</exclude>
<exclude>**/*.min.js</exclude>
</excludes>
</configuration>
<goals>
<goal>minify</goal>
</goals>
</execution>
</executions>
</plugin>

NOTE: the only feature I have not yet been able to match is the suffix, as it appears to always use *.min.js (where I used to prefer *-min.js).

An additional advantage of using the plugin is that many common syntax errors will be identified at build time, before they cause user problems… but they will also break your build!

REFERENCES: