Friday, March 14, 2025

App Discovery: Spacedesk by Datronicsoft

As you use more and more tech, you often have extra old tech left over. If you have an old tablet left over, have you wondered what you should do with it?

How about turning it into an extra display for the desk accessories that you don't want taking up extra desktop space?

I have an old Nexus 7 (2nd gen) tablet, too old and too slow for 2025, but it's fast enough to act as a secondary display. I cleaned it up (removed all the old apps I don't use), uninstalled a bunch of crap, then went to 

https://www.spacedesk.net/

And downloaded the "driver" for the PC. Then went to Google Play Store (yes, my Nexus 7 can still access it) and downloaded the Spacedesk app.  I connected the USB cable between the 2, set the tablet on file transfer mode, fiddled with it a bit, the driver software saw the app, and voila, I have a 4th screen. 

This will also work over Wi-Fi, but wired is more secure and faster.

My triple-wide desktop, now with a small 4th display.
I stuck my desktop widgets and other stuff there.  

The software is FREE for personal use. If you have Spotify or Stock Ticker or Weather, Clock, and so on, put it on that display for an extra clean look on your desktop.

And happy "Pi" Day. 

(3/14, get it?)

Sunday, March 9, 2025

Cybersecurity: Stop the Fake CAPTCHA Run Trap

Recently, there has been a spate of reports in Reddit's /r/cybersecurity of a "new" attack that relies on users being unaware of how their computer works, and tricks them into executing a malicious script by presenting the attack as a CAPTCHA challenge.

CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". It's those picture tests where you need to answer a certain question, such as "pick out the tiles in a segmented picture that contain a bus" or "which pictures have a motorcycle in them?" But later the term was genericized to mean any sort of "are you human" challenge test designed to weed out automated scripts.

The fake version asks the user to press Windows-R on their keyboard, followed by Control-V, to prove they're human. 

EDIT: The attack has been highlighted by KrebsOnSecurity and named the "ClickFix" attack.

If you didn't recognize these keystrokes, Windows-R (Win-R) brings up the Windows Run box, where you are supposed to enter a program to run. And Control-V (Ctrl-V) pastes what's in the clipboard into whatever you have open.

In other words, you just ran something, but you have no idea what. 

That is indeed... VERY bad. Because you basically just gave away control of your PC to the bad guys. And who knows what they'll do with it, probably download malware to your PC, steal all your accounts, and more. 

Given that 99% of users will NEVER need to touch the Run box, you should disable it ASAP, esp. if you have computers being used by users who can be tricked into running this (very young, or very old).

To disable the Windows Run box, please follow this article: 

https://www.auslogics.com/en/articles/enable-or-disable-run-command-winr-box/

There are ways around it, but if you trained your users well (call me if you run into any errors you don't understand), you can stop them from trying to further compromise their PC. This is basically a barrier that says "are you sure what you're doing? Call me before you continue..." instead of blindly following some malicious instructions.
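As an added example (not from the linked article or the original post), this PowerShell sketch lists what was previously typed into the Run box (the RunMRU history), so you can check whether someone already followed a fake CAPTCHA, and then sets the per-user NoRun policy value that turns the box off. The function names and the keyword pattern used to flag entries are assumptions; tune the pattern for your own users.

```powershell
# Added example. The registry locations are standard Windows ones; the
# function names and the $Suspicious pattern are illustrative assumptions.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RunMruKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Script hosts and downloaders that rarely belong in a home user's Run history.
$Suspicious = 'powershell|pwsh|mshta|cmd(\.exe)?\s+/c|curl|bitsadmin|certutil|rundll32|regsvr32|https?://'

function Get-RunBoxHistory {
    # RunMRU stores one value per entry (a, b, c...) plus MRUList for ordering.
    if (-not (Test-Path $RunMruKey)) { return }
    $key = Get-Item $RunMruKey
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq 'MRUList' -or $name -eq '') { continue }
        # Each stored command carries a trailing "\1" marker; strip it.
        $cmd = ([string]$key.GetValue($name)) -replace '\\1$', ''
        [pscustomobject]@{
            Entry       = $name
            Command     = $cmd
            NeedsReview = $cmd -match $Suspicious
        }
    }
}

function Disable-RunBox {
    # NoRun = 1 is the "Remove Run menu from Start Menu" policy; it also blocks Win+R.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'NoRun' -Value 1 -PropertyType DWord -Force | Out-Null
    # Read the value back so the caller knows the write really landed.
    (Get-ItemProperty -Path $PolicyKey -Name 'NoRun').NoRun -eq 1
}

# 1) See what has already been run from the box, flagged entries first.
Get-RunBoxHistory | Sort-Object NeedsReview -Descending | Format-Table -AutoSize -Wrap

# 2) Turn the box off for this user (applies after sign-out or an Explorer restart).
if (Disable-RunBox) { 'Run box disabled for the current user.' }
```

If the write is denied, the account lacks rights to its own Policies key and the value has to be set by an administrator (for example through Group Policy).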

Conversation: Are You a Tattle-Tale?

Recently I ran into a couple of scenarios that annoyed the heck out of me so much that I don't want to share any more info with that person, due to the negative reactions I got. I'll create a fictional scenario, based on real life, below. Trust me, there's a lesson for everyone at the end.

I have been going to the same barber for 20+ years. I know this barber is a bit expensive, ($25 for a haircut, vs the really cheap ones at like $8), esp. when you add some tip, but I don't really have to give any instructions or such. The guy and his wife (also a barber) know me. 

Anyway, ran into an acquaintance, who's a known miser, yet constantly ran out of money and had to borrow $30 from me. He paid me back, and I remarked, "Good, I just spent $30 on my haircut" since I also noticed he's sporting a new do as well. 

For the next five full minutes I get non-stop tsk-tsk about how I am wasting my money, his haircut was only 8 bucks, are you made of money, I make a lot more than you do yet you're so spendy, you clearly don't need the money so can I borrow that $30 again, he got a free hair wash with that $8 too what a bargain, blah blah blah. Had he and I not been meeting more friends for lunch I would have ditched him right there.

The harangue did not stop once other friends arrived and lunch started. He started replaying the entire "lecture" to every acquaintance within hearing distance, and he's not a quiet guy. "Oh, can you believe So-and-So spent $30 on a haircut? I only spend $8!"  You can probably hear him a couple tables away. 

I am normally not a cheerful guy, but I can hold a conversation in a group setting, do the social smalltalk, and so on. I am just not a social butterfly, like the miser thought he was. But when I've been made the topic and the butt of the joke, I am sulking inside, starting to regret knowing this guy, and vowing never to talk to this guy again, and if I see him coming toward me I'd jaywalk to the other side of the street.

So what's the takeaway? 

Don't be a tattle-tale. 

Miser may have thought he was offering useful advice or being helpful, but once he got started he failed to notice my counter-remark "I've been going there for years." And instead of leaving this between us, he turned it into a conversation topic with other people and I was made into a butt of a joke. 

Now that's just mean, and childish, and he's probably not even aware he's doing it. He's socially oblivious yet thought he's being sociable.

Next time you receive some info, consider the context it was given. Don't be so quick to criticize, then repeat it to every acquaintance within reach. Not every piece of info you receive is meant to be replicated public knowledge, and you're not a broadcaster / newsreader (unless you actually are). 

Share something about yourself instead, not something you just learned about someone else. 

Thanks for coming to my TED Talk. 

Friday, March 7, 2025

Reaction to Autopsy Results of Gene Hackman and his wife, Betsy Arakawa

New Mexico authorities finally figured out what happened to Gene Hackman and his wife, Betsy Arakawa. 

She died from hantavirus pulmonary syndrome... a disease with no cure or treatment, and has about a 40% fatality rate. It manifests as flu-like symptoms, then you basically lose the ability to breathe, as your lungs start to fill with fluid (pulmonary edema) and basically... can't get more oxygen in, which causes strain on your heart, and you... die.

Gene Hackman, in his 90s and suffering from dementia and Alzheimer's, did not realize his wife died until a week later, then he had a heart attack.

And neither was found for days, until a worker became concerned enough to call the authorities for a welfare check.

What a... sad end to one of the most famous actors of Hollywood... 

Experts say it often takes 2-3 weeks for the symptoms of HPS to manifest, and it does start with flu-like symptoms, and can take a sudden downturn. It is also surprising that neither had any staff or regular visitors.

Guess money isn't everything...     

Wednesday, March 5, 2025

Cybersecurity: How Do You Know If Your Antivirus is Working (without actual Malware)?

Antivirus is a lot like having insurance... you have it, but hope you never have to use it. 

What if I tell you that you can test your antivirus on your PC, without downloading any malware, by simply typing something on your keyboard? If it reacts, the antivirus is working. If it doesn't... your antivirus' real-time scan is not working.

This only works on Windows, by the way. 

Open a PowerShell window. (If you don't know what PowerShell is, please read this from Microsoft. It's already in your system.  https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/powershell )

What you will type or copy is just a string, a bunch of characters. It is NOT a script or malware. It is offered by Microsoft as a way to test their own AMSI (Microsoft Antimalware Scan Interface).

Enter this at the prompt:  'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'

Note: the string must be wrapped in plain single quotes, exactly as shown. If your copy turned them into fancy (curly) quotes, replace them. Yes, the single quotes are important.

Microsoft Security should trigger as you press enter. Depending on whether you have any clipboard management software, it may react as soon as you try to copy the string onto the clipboard. 

Now you know whether your antivirus is active or not. 
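The same check as a repeatable script, as an added example that is not from the original post or from BHIS: it submits the test string, reports whether AMSI blocked it, and, where Microsoft Defender is the antivirus, prints Defender's own status alongside. The function name and output field names are assumptions.

```powershell
# Added example. Function name and output fields are illustrative assumptions.
function Test-AmsiResponse {
    # Assemble the test marker at run time. A script holding the full literal
    # would itself be blocked while loading, before it could report anything.
    $marker = 'AMSI Test Sample: {0}' -f '7e72c3ce-861b-4339-8740-0ac1484c1386'
    $blocked = $false
    try {
        # Evaluating the quoted string hands it to AMSI, like typing it at the prompt.
        Invoke-Expression ("'{0}'" -f $marker) | Out-Null
    } catch {
        # An AMSI block surfaces with this error id; anything else is a real error.
        $blocked = $_.FullyQualifiedErrorId -like 'ScriptContainedMaliciousContent*'
        if (-not $blocked) { throw }
    }

    $result = [ordered]@{ AmsiBlockedTestString = $blocked }

    # Microsoft Defender only: cross-check what the product says about itself.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        try {
            $mp = Get-MpComputerStatus -ErrorAction Stop
            $result.AntivirusEnabled          = $mp.AntivirusEnabled
            $result.RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
            $result.SignaturesLastUpdated     = $mp.AntivirusSignatureLastUpdated
        } catch {
            # Defender's service is not answering, e.g. another product is installed.
            $result.DefenderStatus = 'unavailable'
        }
    }
    [pscustomobject]$result
}

Test-AmsiResponse | Format-List
```

AmsiBlockedTestString = False means nothing intercepted the string, which is the "not working" outcome described above. A block may also raise a normal detection alert from your antivirus.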

There are, of course, other ways to test this. For this method (all credit goes to Black Hills Info Sec) and other ways, go read BHIS's blog post: https://www.blackhillsinfosec.com/is-this-thing-on/

Saturday, January 25, 2025

Bad Argument: Russell's Teapot / Flipping Burden of Proof / Unfalsifiability

Sometimes when you argue with someone else, your opponent, instead of answering with evidence that supports their position, answers with worthless-isms like "It's obvious / well-known", "they said...", "Google it", and so on, sometimes with an implied or outright stated "don't be lazy".

Don't fall for this bad argument. They want you to disprove them, when it's actually their turn to prove their own position. 

During a debate / argument, each side states their position on the question, and each side is supposed to show evidence that supports their own side. If one side answers with worthless-isms, it means one of two things:

A. they don't HAVE any evidence, and they want YOU to prove THEIR side, which is NOT YOUR JOB. They are supposed to support their side, and they're trying to flip "burden of proof". 

B. they used an unfalsifiable argument (whether intentionally or not), which makes their argument an assertion, but there is no evidence, because it's impossible to obtain. 

One such example is known as "Russell's Teapot". First coined by Bertrand Russell, it basically postulates that there is a teapot in an elliptical orbit. You can't see it, because it's too small. And since you can't prove it doesn't exist, it therefore exists. Right?

Wrong. The person making the assertion / argument has the burden of proof. If they made an unfalsifiable assertion, they've argued themselves into a corner. Nobody would be expected to believe something that cannot be proven.

Russell used this assertion to argue against religion, because most religions presume the existence of God. But a lot of bad arguments started with a presumption, and that's not evidence. 

This sort of argument is often seen in cults and cult-like organizations, such as MLMs and scam cults (Ponzi schemes and pyramid schemes that have yet to collapse), where the victims, for various reasons, WANTED to believe in the scam and thus invent unfalsifiable assertions, and instead of proving their own side, they want the critics to DISPROVE their unfalsifiable assertions (which is, of course, a paradox in itself).

So watch out when it's used against you. Call them out, and refuse to play their game. Reveal their bad argument. Watch them sputter. 

Tuesday, January 21, 2025

Cybersecurity: Hilarious (to me) Explanation for Attempted Verification Code Fraud

One of the scams that has been around a while is the verification code scam/fraud. To make a long story short, scammers, who cannot get a new account because they had abused their own account, would attempt to trick other people into "verifying" them by entering the victim's phone number when registering a new account, then claim "I'm just verifying you are real, gimme that code you just got". If you do give them that code, you just helped them get a new account to scam from, and now YOUR phone number is associated with them (and that also means you may not be able to register an account later on that service, because your phone number's been "used" and blacklisted due to abuse).

Today, I just ran into a new spin on this old scam that gave me a chuckle. On Reddit's /r/cybersecurity, someone who may have been romance scammed wrote that a person who claimed to be in the (US) army sent her something he claimed to be a STIR verification code, "to verify you exist".

Clearly, this is a scammer who tried to do the "verification code scam", but this STIR angle is new. 

So what is STIR? It has nothing to do with verification codes, at least the type you send via SMS.

STIR/SHAKEN is a protocol that was being implemented by phone carriers to "authenticate" callers, to combat the spam call problem. Similar to a website using HTTPS instead of regular HTTP, each phone carrier for a business is supposed to link a certificate to the main phone number. So when that caller calls out, the recipient's phone service can look up the certificate, verify it with public key encryption, and thus authenticate that the call did indeed come from that business. STIR is the outbound phase, and SHAKEN is the reverse-lookup/authenticate phase. Once the caller is authenticated, you get a "caller verified" checkmark as your phone receives the actual call. Obviously a spammer who spoofed their caller ID cannot pass this authentication, and thus, no checkmark.

Needless to say, we advised her to drop the scammer like a hot potato. The verification is nonsense and a lie.