Watch Out for LEGAL Scams: App that Cost WAY TOO MUCH on Subscription

For those who don't operate multiple phones... Androids use JPEG (or JPG), but iPhones use HEIC. The two standards are NOT compatible. If you share a photo from iPhone straight to Android, it will not be viewable. So what do you do? 

You convert it. 

Except the first convert I ran into is... essentially a scam. It basically won't do anything unless you engage the "free trial" which means you'll be charged in 3 days. It didn't exactly mention what's the cost. Then I looked at the email I just got:

Auto-renew subscription of $14.99 PER WEEK for an image converter?!

This app subscription costs $14.99 PER WEEK. 

Not per year. Not per month. PER WEEK?!

And this app doesn't even do HEIC to JPG, despite its name, "Image Converter Premium". 

Needless to say, I cancelled ASAP. 

Some Quick "Spending Money" Side Gigs in San Francisco (6/14/2025)

Need some spending money in San Francisco, but don't have a lot of time? Here are two things I've tried and gotten money for, 2 hours at a time, pay starts at 17.50 per hour and up, for VERY simple work:

A) Condu.it

Want to help a company that wants to create a headset that turns your THOUGHTS into typed words on a computer? Condu.it is working on that, and they need help of people who can type without looking at the keyboard, wear this heavy headset, and spend two hours looking at a screen and type responses without looking. You get paid $50 for two hours, and you can do up to 10 hours total. Beware... they are so booked, they are paying extra $10/hr if you can go extra early or extra late. That's $25+ PER HOUR (not counting any cost to get there, but there's a bus that go within 2 blocks)

However, beware, there are a couple caveats:

* You need some neck strength, because the headset is heavy and they provide a "chin rest"

* You do the two hours in the dark, as they need the laser to align properly. If you need a break, ring the bell

* You REALLY need to know how to type without looking at the keyboard, because you can't see the keyboard! 

If you can do all that, you will make easy $50 for 2 hours, up to 10 hours total ($500). They will hand you a check right at the end, which you can remote deposit into your bank via your banking app. Click on link above to book. If you click through, tell them "Kasey Chang" sent you. :) We both get a small bonus.  

B) Reflex

Reflex is working on something similar, albeit, they want to use your jaw's micromovements via subvocalization and turn that into typed words. What does that mean? Can you "say" things without actually making the sounds? That's subvocalization. At the study, you wear a headset with some extra sensors (more like a regular headset), and read both out loud and subvocalize a bunch of nonsense phrases to calibrate the sensors. Once you got it calibrated, you read aloud a book of your choice, for the remainder of the time. If you go back, you get to keep reading the book, or choose any ebook for under $10 on Amazon and they'll buy it for you to read into the machine to train their AI on the words and your jaw muscle patterns.

Their pay is $35 for 2 hours to read a book out loud. However, they only pay via Paypal, so you *do* need a Paypal account (at Paypal.com)  You can keep booking more time, but no more than twice a day.  

Sounds interesting? Click here to book time with Reflex $35 for two hours. You'll be paid within hours of finishing your session. 

https://reflexresearchstudy.as.me/schedule/7307a5c3/appointment/72148510/calendar/any

Any way, hope you earn some extra money!

Restaurant Review: Kokio Republic (via Grubhub)

Hadn't had a meal delivered in a LONG time, decided on fried chicken. Apparently, nearest KFC does NOT deliver to my area (a few blocks too far?) so I had to pick someone else, and seems Kokio Republic was highly rated. 

Ordered combo 1: 4 pieces Korean Fried Chicken (hot and sweet flavor, mixed bone-in and bone-out), + 3 kimchi balls, which is just under $20. Added a pickled korean radish as side, and a bulgogi beef taco. Add driver fee, Grubhub charge, minus discount, plus tax, plus $3 tip, comes out to be just about $30. 

Delivery was fast, tried the food, felt as if I ordered the wrong thing, due to my changing taste buds. 

Kimchi balls: eh... didn't really taste like kimchi, a bit of grain, probably rice. I just had kimchi yesterday, and this doesn't taste like kimchi. 

Korean Fried Chicken: I did ask for mixed (half bone-in, half-boneless), and I probably should have just asked for all boneless. I did ask for hot and sweet, but it tastes mostly sweet, very little spice. I probably should have specified "fiery" (3 spice level vs 1). The chicken is nice and tender, not dry, but delivery means outside isn't crispy any more. 

Pickled Korean Radish: this is pickled? It just tastes like cubed with a little vinegar. It is crispy, and it does counter the saltiness of the chicken. But I probably should have ordered Persian cucumber instead. 

Bulgogi beef taco: hmmm... street taco (tiny little tortilla) with some better in the middle, tastes pretty good, but $5 for that little thing? A bit overpriced, IMHO. 

I probably should have ordered 6 pieces Korean Fried Chicken, fiery flavor, boneless, and instead of the bulgogi taco, something like kimchi beef risotto or noods, or tteokbokki skeweyer. 

For the price I paid, I just feel I didn't quite get my money's worth. It's not bad, but it's not that good either.     

Kokio Republic, 711 Geary, San Francisco

Cybersecurity: Seems Most People Think Most Cybercriminals are Uberhackers... They aren't!

One of the things I do on Reddit is hang out in /r/cybersecurity_help, and tell people what they claim was impossible. Like "I got hacked through ______". 

I don't mind people not believing me. Honest truth is sometimes hard to believe, or let's use Chinese proverb, 忠言逆耳. 

Two MONTHS ago, someone decided to post a portion of their iPhone's log, believing it contains evidence of them being monitored. Except it contained no such thing. It's quite easy to Google all the suspicious keywords like "tracked" and "proactiveHarvesting"... They are all built by Apple. So I replied there's nothing here that indicates anything about you being monitored. 

OP pivoted to a different theory, like "what if they hack me through Bluetooth or something else? I can find evidence of intrusion? "

I replied that you can't be hacked through Bluetooth nowadays, esp. if you have a modern iPhone and keep stuff updated. And evidence of intrusion had to be gathered by forensic analysis. It's not something regular folks can just run an app and "voila, evidence!". 

Then yesterday, some OTHER random guy decided to necro the topic from 2 months ago (and even OP had left the topic), and started blabbing about "Bluetooth hacking, just search for it."

As a cybersecurity professional, I am QUITE familiar with state of Bluetooth hacking. With noderm iPhones, the best you *can* do without some Zero-day exploit was Bluespam (keep popping up "trying to connect") 

There are other Bluetooth hacks, but they don't result in being able to control the iPhone. Just to summarize: 

Bluejacking -- the targeted user accepts the pairing attempt from a peripheral, which of course, results in the peripheral, acting as a keyboard and mouse, gaining some control of the iPhone. This is NOT done easily, as the user must ACCEPT the pairing attempt. It's not done invisibly or automatically. 

Bluesnarfing -- by using some exploits on VERY old firmware, hacker can transfer files the target phone. Again, only on very old firmware with problems. And most files "shared" this way are just regular stuff, like calendar, contacts, photos, texts, videos, and such. Stuff you normally use BT to transfer. They can't suddenly reach out into Banking app and take your account number and balance (at least, not with bluesnarfing alone). 

Bluebugging -- the most dangerous, but requires a VERY dangerous exploit that basically gave the attacker full control of the device through Bluetooth. You pretty much have to be running ANCIENT (like 5-10 year old) hardware and firmware with no security updates. 

Blueborne hacking -- a bunch of vulnerabilities discovered in 2017 (yes, 8 years ago) that got grouped together even though they are spread across iOS, Android, Windows, and even Linux, and some embedded OS, due to a Bluetooth problem. When it came to iOS, Blueborne problem was... an audio protocol over Bluetooth, called LEAP: Low Energy Audio Protocol. Guess what iOS was this fixed in? iOS 10. That's right. iOS 10. We're now on... iOS 18.5. 

Really, that's it. 

So I replied something like "Bluetooth hacking is from YEARS ago and usually doesn't even involve smartphones, but peripherals." 

His reply? "Those Flipper devices are something huh?"

Except there's only one: Flipper Zero, and while it *can* "hack" BT and BLE, the worst they can do to iOS is Bluespam. They are not capable of anything like Bluejack, Bluesnarf, Bluebug, or Blueborne. So it's completely irrelevant to the original topic. 

What was the purpose of the reply and who was he supposed to impress by mentioning a few keywords? I honestly have idea. Was he expecting to stump me? 

Frankly, to the average "civilian" (who's not in cybersecurity), the "hackers" seems like wizards, when most of them are actually scriptkiddo that can barely follow instructionss on a PC. They may be lead by someone who's somewhat more skilled, but they are hardly a "live in parents' basement" misunderstood genius stereotypical geek. 

Cybercriminals are usually NOT uberhackers. They can barely follow standard script. They are worse than scriptkiddies (or scriptkiddos). 

In fact, most civilians can't even distinguish device being hacked vs. account being hacked. 

Whether this is due to lack of compuiter literacy, I have no idea. 

And with the advent of AI, which can be used to further disguise the lack of compute literacy, things can only get worse. 

Guess that keeps us cybersecurity experts employed. 

App(s) Discovery: Files (Community) and FilePilot, two Explorer Replacements or Complements

Recently, I came across two different Windows Explorer "replacements or complements". Let's face it, Windows Explorer can get a facelift, but the codebase is ancient. What if someone started from scratch? And here we have two different visions... 

Please note that Microsoft never gave us a way to completely replace Windows Explorer, so there are various "hacks" including registry changes, call intercepts, and so on, but they all have pros and cons. Just beware. 

Files / https://files.community/

Files is a slick looking manager that's completely free. They do suggest you "purchase" it from the Microsoft store to enable auto-patching and thus support them with a bit of revenue, but it is optional. 

The interesting thing about this explorer replacement just about EVERYTHING visual is configurable. Want a background? No problem. Zoom, unzoomed, specific percentage, specific alignment, etc. etc? Can do. Color themes? No problem. Want certain UI elements to appear in a different location? No problem. 

But by default, it looks a lot like Explorer... multiple tabs, etc. That is, until you find the "settings" button at the bottom left. Then everything changes. 

This is free, so just go download it and give it a try, eh? 

FilePilot / https://filepilot.tech/

FilePilot is extremely speedy and free during the beta period. In fact, the download is LESS THAN 2 MB. While the visuals are not as configurable as Files, the UI is extremely slick, with the mouse wheel picking many of the options, such as the different views of files, from large, middle, small icons, to file list, details, and so on. It also supports command palette. EVERYTHING is lightning fast... 

In fact, why don't you just go give it a try? They probably will stop the beta sometime later this year, but in the meanwhile, the beta should still work fine. And you *may* find it useful enough to pay for the full version... even in the current beta state. 

App Discovery: UnigetUI, the almost-universal Windows Patcher

Windows 10 and 11 actually has multiple methods of self-updating ASIDE FROM Windows Update. However, they are reserved for powerusers, not regular users, as most rely on command-line interface (CLI). Such as Winget, Scoop, Chocolatey, Pip, Npm, and more. Though to be honest, NPM is more for Node.js, and PIP is more for Python, but they are there, and they are used on Windows quite a bit. 

One user, Marti Climent, decided to change that, and came up with UnigetUI, which is a graphical interface for all those different sources, combined into one app. 

Between this and Patch My PC's Home Updater, they should update just about EVERY app you have on your PC. 

Now you have NO excuse to NOT keep your PC's apps updated. 

App Discovery: Patch My PC Home Updater, keep your apps updated easily!

I've touted many times before the 3 simple cyberhygiene rules of Brian Krebs, one of which is keep apps updated. But some apps update themselves (but you have to run them), some have external updaters, some relies on Windows update... 

Now, there is Patch My PC's Home Updater. That's right, there's an app that will scan your home PC, find the apps, and update them for you, with minimal headaches. 

While this doesn't replace ALL updaters, this will do about 80% of the updates. Just run it periodically (say, once a week)... Start it up, and just hit "update" and walk away. Come back in half an hour, and it should be done. 

How easy is that? 

You can also use this to FIND new apps to install by browsing the library of apps they scan for. These scan for mostly free alternatives to famous apps, and thus, you may discover apps that does what you pay monthly or yearly for. 

And of course, it will UNinstall apps you no longer want to use, which is another one of Kreb's cyberhygiene rules. 

So give it a try. 

For the few apps this won't update, there's another app I will recommend... in the next post. 

Cybersecurity: AI Dulls Our Critical Thinking and Enables Scammers to be More Effective (Microsoft Warned Us!)

The rise of "AI" (mostly Large Language Models, or LLMs, like ChatGPT, Claude, Perplexity, and so on) does enable a lot of "productivity hacks". However, Microsoft had warned us back in Jan 2025 that the most you rely on them, the more atrophied your critical thinking skills. Most "knowledge workers" who admitted to using AI tools, only use their own critical thinking skills to "fact-check" the LLMs. This suggests that the "average user" may be doing even less than that. 

This bodes ill for the average user, as they seem to regard ChatGPT and LLMs as some sort of generic "expert", when it is nothing of the sort. Indeed, merely by browsing /r/cybersecurity_help there are a number of topics where the poster openly admitted to "I checked my logs with ChatGPT..." when they lacked even the skills to fact-check the LLM they used. They suspected something, and they wanted ChatGPT to confirm their suspicions. 

But that's not the actually worrying part. Instead, Microsoft security is ringing the alarm: scammers are using LLMs to craft their latest scams to enhance their social engineering... by leveraging every sort of fakery possible, from fake website to fake job posting to fake customer service chatbots, because making them is so much easier with LLMs consolidating such knowledge. 

Be wary out there. 

App Discovery: Cobalt.tools, the video downloader that just works

One of the biggest pet peeves about Youtube is it's impossible to simply transfer your video to a different channel, when you have several. You have to download your videos, then re-upload them to the other channel, then re-enter the information. 

While for channel owners there is an option to download individual videos, there is no mass download option, so you need to click on each one individually to download each file individually, and you are now at the mercy of your browser's downloader. And every once in a while, you run into a few videos that just refuse to download. You click on download, you somehow get dumped back to the content tab, or the download simply "failed" with no error given. 

Yes, there are all sorts of shady sites and apps that claims to download Youtube videos for you, many of them want money, subscription, or more. Just search for "Youtube downloader" on Google... They all look shady for one reason or another. 

Then I found https://cobalt.tools , yes, that's the whole URL. 

No registration, no payment, no subscription. 

Simply paste in the URL of the video you want downloaded, and voila, it downloads. Even the ones previous you can't download from Youtube itself as the owner of the video. 

It has other options, like get audio only of a video, or download from other platforms (not just Youtube, but all the Chinese ones, like Bilibili, Xiaohongshu, as well as the Western ones). 

It just works. 

App Discovery: PyMacroRecord -- a completely free (no trial, no freemium, FREE!) macro recorder for Win10/11

Sometimes, you need to record a macro that will just copy data across multiple windows, move the mouse, and so on. However, when you search, you find... expensive options that has an fee... or an ANNUAL fee. 

Then you keep looking, and find PyMacroRecord. Completely free, source code in Python available on GitHub. One guy's passion project made available for all to you. 

And it works. 

I need to move some videos across my different Youtube channels. However, there is no such functionality on Youtube. The ONLY option is to re-upload. 

So I quickly whipped up a macro that copies title and description from one channel to the other. The rest, like keywords and such, can be handled by re-using an existing description. I have the videos available for re-upload (and the rest, I can download in batch). 

That's a TON of manual copy/paste saved. 30+ videos means probably closer to an hour saved. 

I am sure you have your own use case when you need such functions. Don't pay when this free tool will do. 

PC Hardware Discovery: One of the Best Mouse Bargains on Amazon -- Infinmind Mouse

Recently, I ended up buying two mice on Amazon. One I am okay with, but the other I am ecstatic with.

The latter is the Infinmind Mouse

It's a simple mouse, with 4 buttons (2 regular, 2 near the thumb), but it has a couple extra tricks. 

Instead of mouse wheel "tilting" (like Logitech) to scroll sideways, there's a separate mouse scroll roller next to the thumb. 

And the mouse wheel is METAL, and it's buttery smooth, yet has a distinctive step feedback if you scroll slowly. And it will let you spin on inertia alone so you will scroll a LONG way. It's hard to describe. 

The tracking is precise, as the built-in 4 different DPI setting, from 1000 to 3000 DPI, makes my scrolling on my triple-wide desktop (I use 3 x 24 inch monitors each at 1080p) very comfortably on a space that's barely twice as wide as my mouse. 

AND this mouse is both 2.4 Ghz wireless AND Bluetooth. In fact, it's 2 channel Bluetooth (can be paired to 2 different devices) AND available in both black and white. 

It even CAME with AA alkaline batteries, so it's ready to be used immediately. 

So what's the price of this amazing mouse? 

$18.99, and there's a 16% off coupon you can clip right now.  (As of 4/15/2025)

I daresay this is better than most Logitech mice I've used. We'll see how long it lasts. But in the meanwhile, this is one of the best mouse bargains on Amazon. 

LONG TERM UPDATE: It's now June 2025, and after 2 months of using it, it's... crap. It freezes up every few minutes, that I had to power cycle it to get it to work again. And that's USING the wireless dongle! I haven't tested Bluetooth mode yet. Will check later, but this is... not good. I had to power cycle the mouse multiple times a day. That's just... "no bueno".     

App Discovery: Spacedesk by Datronicsoft

As you use more and more tech, you object have extra old tech left over. If you have an old tablet left over, have you wondered what you should do with it? 

How about turn it into an extra display for your desk accesories that you don't want to take up extra desktop space? 

I have an old Nexus 7 (2nd gen) tablet, too old and too slow for 2025, but it's fast enough to act as a secondary display. I cleaned it up (removed all the old apps I don't use), uninstalled a bunch of crap, then went to 

https://www.spacedesk.net/

And downloaded the "driver" for the PC. Then went to Google Play Store (yes, my Nexus 7 can still access it) and downloaded the Spacedesk app.  I connected the USB cable between the 2, set the tablet on file transfer mode, fiddled with it a bit, the driver software saw the app, and voila, I have a 4th screen. 

This will also work in Wifi, but wired is more secure and faster. 

My triple-wide desktop, now with a small 4th display.
I stuck my desktop widgets and other stuff there.  

The software is FREE for personal use. If you have Spotify or Stock Ticker or Weather, Clock, and so on, put in on that display for extra clean look of your desktop. 

And happy "Pi" Day. 

(3/14, get it?)

Cybersecurity: Stop the Fake CAPTCHA Run Trap

Recently, there has been a spade of reports in Reddit's /r/cybersecurity of a "new" attack that relies on users being unaware of how their computer works, and tricked into executing a malicous script, by describing the attack as a CAPTCHA challenge. 

CAPTCHA stands for "completely automated Public Turing test to tell computers and Humans Apart". It's those picture tests where you need to answer certain question, such as "pick out the tiles in a segmented picture that contains a bus" or "which pictures has a motorcycle in it?" But later the term was genericized to mean any sort of "are you human" challenge test designed to weed out the automated scripts. 

The fake version asks the user to press Windows-R on their keyboard, followed by Control-V, to prove they're human. 

EDIT: The attack has been highlighted by KrebsOnSecurity and named "ClickFix" attack. 

If you didn't recognize these keystrokes, Windows-R (Win-R) brings up the Windows Run box, where you are supposed to enter a program to run. And Control-V (Ctrl-V) pastes what's in the clipboard into the whatever you have open. 

In other words, you just ran something, but you have no idea what. 

That is indeed... VERY bad. Because you basically just gave away control of your PC to the bad guys. And who knows what they'll do with it, probably download malware to your PC, steal all your accounts, and more. 

Given that 99% of the users will NEVER need to touch the Run box, you should disable it ASAP, esp. if you have computers being used by users who can be tricked into running this (very young, or very old)

To disable the Windows Run box, please follow this article: 

https://www.auslogics.com/en/articles/enable-or-disable-run-command-winr-box/

There are ways around it, but if you trained your users well (call me if you run into any errors you don't understand), you can stop them from trying to further compromise their PC. This is basically a barrier that says "are you sure what you're doing? Call me before you continue..." instead of blindly follow some malicious instructions. 

Conversation: Are You a Tattle-Tale?

Recently I ran into a couple scenarios that just annoyed the heck out of me, that I don't want to share any more info with that person, due to the negative reactions I got. I'll create a fictional but based on real life scenario below. Trust me, there's a lesson for everyone at the end. 

I have been going to the same barber for 20+ years. I know this barber is a bit expensive, ($25 for a haircut, vs the really cheap ones at like $8), esp. when you add some tip, but I don't really have to give any instructions or such. The guy and his wife (also a barber) know me. 

Anyway, ran into an acquaintance, who's a known miser, yet constantly ran out of money and had to borrow $30 from me. He paid me back, and I remarked, "Good, I just spent $30 on my haircut" since I also noticed he's sporting a new do as well. 

For the next five full minutes I get non-stop tsk-tsk about how I am wasting my money, his haircut was only 8 bucks, are you made of money, I make a lot more than you do yet so you're so spendy, you clearly don't need the money so can I borrow that $30 again, he got a free hair wash with that $8 too what a bargain, blah blah blah. Had he and I were not meeting more friends for lunch I would have ditched him right there. 

The harangue did not stop once other friends arrived and lunch started. He started replaying the entire "lecture" to every acquaintance within hearing distance, and he's not a quiet guy. "Oh, can you believe So-and-So spent $30 on a haircut? I only spend $8!"  You can probably hear him a couple tables away. 

I normally were not a cheerful guy, but I can hold a conversation in a group setting, do the social smalltalk, and so on. I am just not a social butterfuly, like the miser thought he was. But when I've been made the topic and the butt of the joke, I am sulking inside, starting to regret knowing this guy, and vowed never to talk to this guy again, and if I see him coming toward me I'd jaywalk to the other side of the street. 

So what's the takeaway? 

Don't be a tattle-tale. 

Miser may have thought he was offering useful advice or being helpful, but once he got started he failed to notice my counter-remark "I've been going there for years." And instead of leaving this between us, he turned it into a conversation topic with other people and I was made into a butt of a joke. 

Now that's just mean, and childish, and he's probably not even aware he's doing it. He's socially oblivious yet thought he's going sociable. 

Next time you receive some info, consider the context it was given. Don't be so quick to criticize, then repeat it to every acquaintance within reach. Not every piece of info you receive is meant to be replicated public knowledge, and you're not a broadcaster / newsreader (unless you actually are). 

Share something about yourself instead, not something you just learned about someone else. 

Thanks for coming to my TED Talk. 

Reaction of Autopsy Results of Gene Hackman and his wife, Betsy Arakawa

New Mexico authorities finally figured out what happened to Gene Hackman and his wife, Betsy Arakawa. 

She died from hantavirus pulmonary syndrome... a disease with no cure or treatment, and has about a 40% fatality rate. It manifests as flu-like symptoms, then you basically lost the ability to breathe, as your lung starts to fill with fluid (pulmonary edema) and basically... can't get more oxygen in, which causes strain on your heart, and you... die. 

Gene Hackman, in his 90s and suffering from dementia and Alzheimers, did not realize his wife died until a week later, then he had an heart attack. 

And neither was found for days, until a worker became concerned enough to call for authorities for a welfare check. 

What a... sad end to one of the most famous actors of Hollywood... 

Experts say it often takes 2-3 weeks for the symptoms of HPS to manifest, and it does start with flu-like symptoms, and can take a sudden downturn. It is also surprising that neither have any staff or regular visitors. 

Guess money isn't everything...     

Cybersecurity: How Do You Know If Your Antivirus is Working (without actual Malware)?

Antivirus is a lot like having insurance... you have it, but hope you never have to use it. 

What if I tell you that you can test your antivirus on your PC, without downloading any malware, by simply typing something on your keyboard? If it reacts, the antivirus is working. If it didn't... your antivirus' real-time scan is not working. 

This only works on Windows, by the way. 

Open a powershell window. (If you don't know what is Powershell, please read this from Microsoft. It's already in your system.  https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/powershell )

What you will type or copy is just a string, a bunch of characters. It is NOT a script or malware. It is offered by Microsoft as a way to test their own AMSI (Microsoft Antimalware Scan Interface)

Enter this at the prompt:  ‘AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386’ 

Note, please replace the fancy quotes with single quotes to get this to work properly. Yes, the single quotes are important. 

Microsoft Security should trigger as you press enter. Depending on whether you have any clipboard management software, it may react as soon as you try to copy the string onto the clipboard. 

Now you know whether your antivirus is active or not. 

There are, of course, other ways to test this. For this method (all credits goes to Black Hills Info Sec) and other ways, go read BHIS's blogpost: https://www.blackhillsinfosec.com/is-this-thing-on/

Bad Argument: Russell's Teapot / Flipping Burden of Proof / Unfalsifiability

Sometimes when you argue with someone else, your opponent, instead of answering with evidence that support their position, they answer with worthless-isms like "It's obvious / well-known", "they said...", "Google it", and so on, sometimes with implied or outright stated "don't be lazy". 

Don't fall for this bad argument. They want you to disprove them, when it's actually their turn to prove their own position. 

During an debate / argument, each side states their position on the question, and each side is supposed to show evidence that supports their own side. If one side answers with worthless-isms, it means one of two things:

A. they don't HAVE any evidence, and they want YOU to prove THEIR side, which is NOT YOUR JOB. They are supposed to support their side, and they're trying to flip "burden of proof". 

B. they used an unfalsifiable argument (whether intentionally or not), which makes their argument an assertion, but there is no evidence, because it's impossible to obtain. 

One such example is known as "Russell's Teapot". First coined by Bertrand Russell, he basically postulated that there is a teapot in an eliptical orbit. You can't see it, because it's too small. And since you can't prove it doesn't exist, it therefore exists. Right? 

Wrong. The person making the assertion / argument has the burder of proof. If they made an unfalsifiable assertion, they've argued themselves into a corner. Nobody would be expected to believe something that cannot be proven. 

Russell used this assertion to argue against religion, because most religions presume the existence of God. But a lot of bad arguments started with a presumption, and that's not evidence. 

This sort of argument are often seen in cults and cult-like organizations, such as MLMs and scam cults (Ponzi schemes and pyramid schemes that had yet to collapse), where the victims, for various reasons, WANTED to believe in the scam and thus invent unfalsifiable assertions and instead of proving their own side, they want to critics to DISPROVE their unfalsifiable assertions (which is of course, a paradox in itself). 

So watch out when it's used against you. Call them out, and refuse to play their game. Reveal their bad argument. Watch them sputter. 

Cybersecurity: Hilarious (to me) Explanation for Attempted Verification Code Fraud

One of the scams that had been around a while was the verification code scam/fraud. To make a long story short, scammers, who cannot get a new account because they had abused their own account, would attempt to trick other people into "verifying" them by entering the victim's phone number when registering a new account, then claim "I'm just verifying you are real, gimme that code you just got". If you do give them that code, you just helped them get a new account to scam from, and now YOUR phone number is associated with them (and that also means you may not be able to register an account later on that service because your phone number's been "used" (and blacklisted due to abuse). 

Today, I just ran into a new spin on this old scam that gave me a chuckle. On reddit's /r/cybersecurity, someone, who may be romance scammed, wrote that someone, who claimed to be in the (US) army, sent her something he claimed to be a STIR verification code, "to verify you exist". 

Clearly, this is a scammer who tried to do the "verification code scam", but this STIR angle is new. 

So what is STIR? It has nothing to do with verification code, at least the type you send via SMS. 

STIR/SHAKEN is a protocol that was being implemented by phone carriers to "authenticate" callers, to combat the spam call problem. Similar to a website using HTTPS instead of regular HTTP, each phone carrier for a business is supposed to link a certificate to the main phone number. So when that caller calls out, the recipient's phone service can look up the certificate, verify it with public key encryption, and thus authenticate that the call did indeed came from that business. STIR is the outbound phase, and SHAKEN is the reverse-lookup/authenticate phase. Once the caller was authenticated, you get a "caller verified" checkmark as your phone receives the actual call. Obviously spammer who spoofed their caller ID cannot pass this authentication, and thus, no checkmark. 

Needless to say, we advise her to drop the scammer like a hot potato. The verification is nonsense and a lie. 

Restaurant Review: Taqueria El Farolito (North Beach, 1230 Grant)

El Farolito is reputed to be one of the two restaurants in San Francisco that invented the Mission-style burrito. I live in Chinatown, so I can't really head down all the way to Mission to the original location, but I *can* get a burrito from their North Beach location. 

The door and the shop is a bit on the small side, and the door is facing Grant, not Columbus, which makes it a little hard to find. Got in. There are many seats available, but I needed to head back to work. So I ordered a superburrito al pastor to go. It took 5 minutes, as I did watch them cook it. I also ordered an horchata. I guess I was thirsty, and I finished the horchata before burrito arrived. The horchata has visible spice bits and was quite delicious. 

I got the burrito wrapped in foil, plenty of napkins, and small cups of red and green salsa, all in a nice and thick plastic bag with their logo and verbiage. 

Got back to my "office" (only a few minutes away), and started to unwrap the burrito by tearing off the foil on one end. Strangely, the inside seems a bit... dry, but then, that's why we have the salsa. It's wet enough with the salsa, then I started to worry I don't have enough salsa.   

Then I started to notice red oil dropping onto my desk... Huh? It seems the burrito foil wrap developed a leak at the bottom. I had to hold folded napkins against the bottom of the burrito, while I unwrap and consume the top. It is a bit dry without the salsa, as the pork seems overcooked and dry, or did all the juice went to the bottom? 

I ran out of salsa when I consumed 3/4 of the burrito. There was a little "crunch" with the pork... I seemed to have gotten burnt bits of the pork. Should I have ordered carnitas? As I was full, I dumped the rest into the trash. 

Overall, the superburrito is merely... average. The horchata was good, but it can't really raise the overall score. I probably should try Taqueria Zorro again. It's been a while since I've been there. 

Taqueria El Farolito (North Beach): 3/5

App Discovery: Google NotebookLM

Recently I started seeing a lot of mention of NotebookLM, so I decided to take a look, and it surprised me. 

You can access NotebookLM at https://notebooklm.google.com/ and it's free so far. 

What does it do? It's a summarizer, but it can act across multiple types of media. 

• Google Docs
• Google Slides (with a lot of text)
• PDF, Text and Markdown files (with a lot of text)
• Web URLs (with a lot of text)
• Copy-pasted text
• Youtube URLs of public videos (with captions)
• Audio files (with speech that can be transcribed by Google)

You're probably still confused as to how do you use this. Here's one possible example:

• You are trying to cram for an exam, and the professor made all the lecture notes available as a bunch of PDFs. 
• You load all the PDFs into NotebookLM as one notebook which you call (Subject) Cram 
• You can now generate a study guide of all the notes
• You can generate, then listen to a "podcast style" audio overview where a male and female host discuss the subject in an engaging manner. 
• Use the prompt window to ask Gemini to generate a quiz to test your knowledge of the subject. 

This is a VERY powerful tool due to its "multi-modal" ingestion. Previously, you can buy access to "book summaries", and some even have audio summaries available, but this basically lets you generate summaries on ANY subject, as well as have the AI generate quizzes, study guides, cheat sheets, and more to suit YOUR study style. 

Give it a try. You may wonder how you never heard of it until now. 

Job Hunting: A Few Questions for the Hiring Manager that Makes You Memorable

One of the more difficult things to conclude the interview is the hiring manager tend to ask you "are there any questions you have for us?" Even I flub this all the time and answer with a non-answer "Not at this time."

However, here are a few questions you *should* ask, and it may make you memorable when it comes to decision time. 

What's the "one thing" a new employees should know if they want to work here?

Who are the heroes in this company/department, and what do they have in common? 

(This goes AFTER the "company culture question")  If there is one thing you can change about the company culture, what would it be? 

(Controversial) If there is "one thing" in common about people who got burned out, resigned, or terminated... what was it? 

(Controversial) Is there anything I've said, or haven't said, that would make you think I am not a good fit for the job? 

Cybersecurity: Stop Diagnosing Yourself with Pegasus!

As one of the "trusted contributors" on /r/cybersecurity on Reddit.com, one of the FAQs was "Is my phone hacked with Pegasus? My (evil ex) is stalking me." 

The answer is "extremely unlikely". Pegasus is reserved for nation-state actors because it costs a TON of money to license, so it's only deployed against mostly political people, or people with possibly high influence and wide reach, such as reporters. While Wired deployed sensational headlines "Spyware  Scandals are Ripping Through Europe", and the verbiage was literally "commercial spyware has been deployed by more actors against a wider range of victims", implying that even normal citizens can be targeted by commercial spyware, the literally truth is, again, only people of high influence (politicians and reporters) are being targeted, i.e. "prevailing narrative has still been that the malware is used in targeted attacks against an extremely small number of people", even though the article was stating that literally despite trying to claim the opposite. Yes, Pegasus, developed by NSO Group, is getting some competition in Europe, where OTHER companies are developing similar spyware... with similar price tags.  

The article in question "$1 phone scanner finds seven Pegasus spyware infections" basically states that iVerify has managed to develope a tool to detect Pegasus and other commercial spyware. It sold $1 trial package called "IVerify Basics", and if the user choose to turn on Spyware Detection, they can generate a fingerprint to be submitted to iVerify for analysis, and 2500 or so people have done so. Out of the 2500, they found SEVEN instances of Pegasus infection. According to iVerify, "people who were targeted were not just journalists and activists, but business leaders, people running commercial enterprises, people in government positions", even though in the next paragraphs, they pointed to a Sikh political activist (and a lawyer) as one of the iVerify successful detections. They also pointed out that two of Harris-Walz staff's phones were infected.  

The article concludes with "the rate (of spyware infection) is much higher than the prevailing narrative". Yes, it is much higher, but the original number was such an infinitisimally small number, even if it's 10-100x higher, it STILL a tiny number of users being targeted. Important people... Business leaders, CEO, Company Presidents, government employees, political employees, etc. in addition to the typical reporters and political activists. 

Not average citizens on the streets. 

Restaurant Review: La Venganza in Ikea Saluhall San Francisco

 Decided to walk around a bit this Saturday, and decided to give Salut Hall another try, and decided to try La Venganza, a Mexican Vegan eatery. Ordered a Tostada de Barbacoa (simulated), which is actually made of mushroom, and an horchata. This is what I ended up with...

It's not bad, it's not really "barbacoa", and the jalapeno isn't distributed well. There's a little bit with the guac, and that's it. I was expecting a bit more salsa, but there's enough beans here so it's okay. It's a bit on the cold side. I probably should have ordered "carnitas" instead. 

The horchata tastes okay, but it's not really that fresh, the cap was on crooked, and it's not mixed well, with a lot of the cinnamon and stuff settled in the bottom. They did warn me to shake well, but I didn't realize they mean cocktail shaking vigor. 

The problem is... the price. For $16 for the tostada, and $6 for the horchata, there's really not that much food here. I guess that's the "vegan tax", eh?  

3.5/5

Rant about PC Microphones: Specifically, the search for a Shock Mount

To optimize audio quality of a PC recording, one of the things that was emphasized was the necesity of a "shock mount", which are basically isolation for the microphone from the desk, because any sort of vibration on the desk can be transmitted to the microphone, thus affecting audio quality. And we're talking about condenser mics, not the tiny boom mics on headsets. 

Unfortunately, some mics are so niche or so unsupported, you cannot get shock mounts for them, or at least there are none advertised for them. One such is the Joby Wavo Pod. With MSRP of $99 launched back in 2022, Amazon is already discounting them to as low as $19.99. 

However, there seems to be no shock mount for it, until you look up its diameter, which is nowhere to be found on Joby's website. (FWIW, it's 60mm) Most shock mounts are the "tube" type, where two half pipes form a tube tightened by elastic shock cord in a complex pattern, which provides friction to secure the mic as well as isolation from the mounting "ring". 

You *can* find 55-65mm shock mounts on Amazon, but they cost almost as much as the mic itself... starting at $15. Then you realize those are not really compatible because the microphone has controls on the body, and the shock mount would cover those up. 

You have to get a VERTICAL shock mounts, which basically goes between the mounting "bolt" and the "nut" on the microphone itself. Which completely bypasses the friction mount problem.