Windows 10 Security and Privacy Initial Setup

Recently I’ve bought my first personal Windows machine, and was a bit wary of connecting it to the Internet without first looking at the security configuration, even though Windows 10 has native memory protection features that make arbitrary code execution pretty damn difficult.
Here I’ll cover the basic steps for enhancing security further, and also a solution that might resolve the privacy issues associated with Cortana and telemetry.

Windows Defender
The first thing I’d recommend is setting up Windows Defender. This provides a basic anti-malware service, links to the local firewall configuration and parental controls. In the Update & Security menu, there’s initially a button to enable the Windows Defender service. Use this to access the Security Centre and its main options.

From what I’ve seen, most consumer-level routers don’t allow for a detailed firewall configuration. This is why it’s a good idea to check the one that’s included with the operating system. Although Windows Defender has a simplified interface for general filtering rules, I prefer to go through the entries in the ‘Windows Firewall with Advanced Security’ application.
The ‘Allow an app through the firewall’ link in the ‘Firewall & network protection’ tab opens the Control Panel’s Windows Firewall options. Ensure the firewall is enabled for both private and public networks. Clicking the ‘Allow an app through the firewall’ link should open a menu for selecting and deselecting application-level rules.

Application whitelisting, or ‘Default Deny’ – blocking all applications and services except those specifically allowed – is a strategy worth considering for a paranoid level of security.

SmartScreen settings are displayed under ‘App & browser control’. Technically SmartScreen improves security by checking the URLs of Edge browser requests against a list of malicious addresses, but it’s a trade-off between that and privacy, since the checked URLs are sent to Microsoft.

The ‘Family options’ tab contains options that are potentially useful if children are borrowing the laptop. As with Sophos Home security (which I’ll come to), the ‘Family options’ are managed through a Web portal, so they’re harder to disable without logging into the owner’s account.
Here the owner has the options to determine which sites are accessible in the Edge browser (what happens if Firefox is used?), set time limits for laptop/browsing activity and monitor online activity.

More advanced security-related configurations can be accessed in the classic Control Panel. Options to look at are User Account Control, BitLocker and Storage Spaces.

Disable Telemetry Services
Central to the privacy-related controversy around Windows 10 is the ‘telemetry’ feature. Essentially, every few hours the operating system sends limited data about usage to Microsoft. This cannot be disabled in the user-friendly Privacy settings menu, which only allows a choice between Basic and Full diagnostics, but it can be disabled in Services.msc (the Services application), where it’s listed as ‘Connected User Experiences and Telemetry’.

Some caution is needed when disabling services here, though, as many of them are for inter-process communication between critical operating system components.

Just in case the telemetry feature is re-enabled by some future update, it makes sense to configure inbound and outbound firewall rules blocking ‘Connected User Experiences and Telemetry’ in the Windows Firewall advanced settings. This might also be listed in the simplified firewall menu as ‘DiagTrack’.

By the way, you could also do this for any applications you want to keep entirely offline.

Third-Party Protection
After the native security features are configured, the next thing to add is a dedicated third-party anti-malware product. I’ve reviewed BitDefender Total Security before, and found it an excellent product definitely worth the £30 annual subscription. I’m also thinking of giving the considerably more expensive F-Secure TOTAL a try, as I believe in supporting a company that takes a principled stand on digital rights, and the Freedome VPN service might prove very useful while travelling.

For now I’ve installed Sophos Home – I’ve followed this vendor’s work for a couple of years as a security undergraduate, and I’m very confident it provides an excellent layer of protection even though it’s a free service. Sign up for an account with Sophos on the site and download the installer file (roughly 236MB). Once launched, the Sophos Home application shows a status screen.

What we get here is virus protection, Web protection and unwanted application detection. The latter should protect against spyware and adware.

Sophos Home installations are managed from the company’s Web dashboard, which has three configuration sections:

  • Virus Protection: Seems like your typical anti-malware detection system.
  • Web Category: Determine which categories of sites are allowed and which are blocked.
  • Exceptions: Set filtering exceptions for files, Web sites and applications.


Fixing Multiple Broken Assembly References in Visual Studio

This problem often appears after a project is fetched from a version control system and a new file structure is created on the local machine, with the packages folder being read-only by default. The first step is to make sure the packages folder isn’t read-only.

Then reinstall the packages using the following command in the Package Manager Console:
Update-Package -Reinstall

A Basic MVC Application with Node.js and Express

Using Node.js, JSON and jQuery, I’ve managed to develop something much like an MVC application that’s considerably more lightweight than a .NET project, and anyone can use this as a template or basis for their own Web application project. Node.js makes it possible to create Web servers and to pass data between client-side JavaScript and the server. A Node.js application has the following:

  • Module imports
  • Server creation
  • Response

The source code in the following screenshots is posted on GitHub.

Creating a Simple Node.js Server
The server-side code for this is fairly simple:

Note the server created by this method is just a process listening on port 8090 (or whichever port is specified), and doesn’t host Web pages at this stage. Instead it returns an HTTP response using response.writeHead() to determine the header and response.end() to determine the body. When this code executes console.log() will print the ‘Server running’ message in the command line. A browser sending a request to localhost:8090 will display ‘Hello World’ as the response. I saved this file as ‘nodeserver.js’.

To start the server using the Node.js interpreter, simply navigate the command line to the directory where the .js file’s stored, and enter the following:
node nodeserver.js

File Operations
Perhaps the main reason we want server-side code, rather than something entirely client-based, is data persistence. An application isn’t much use if it can’t store and retrieve data. Here I have two files: the file-op.js server-side script and the serverdata.txt data file. The latter simply contains two lines of text.

This time we import both the http and filesystem (fs) modules:

var http = require("http");
var fs = require("fs");

And specify the file to read:

var data = fs.readFileSync('serverdata.txt');

And this time, the HTTP response is defined as the contents of serverdata.txt:

http.createServer(function (request, response) {
  response.writeHead(200, {'Content-Type': 'text/plain'});
  response.end(data);   // body is the file contents read above
}).listen(8090);

Streaming Data and Writing to File
The filesystem module lets the JavaScript perform file I/O using createReadStream() and createWriteStream(). As before, we import the http and filesystem modules, but this time leave the data variable null. Another variable, readerStream, holds the stream returned by fs.createReadStream().

And to write to file using createWriteStream:

Although this isn’t much at this point, it demonstrates that we can use persistent storage with a bit of JavaScript.

Node.js Express
Express can be used to achieve the same thing as ASP.NET MVC, as it handles routing, REST requests and other server-side operations. First we need to use npm to install Express.js.
npm install express --save

We’ll use the following simple Express server to understand routing:

As with ASP.NET MVC, the controllers here determine the actions to be performed when the server receives a given request in the form of a URI. To initiate an action, we only need to send its name as part of the URI in the browser. For example, ‘http://localhost:8090/listusers’ will cause Express to return the response defined in the app.get() handler for that path. It responds by calling the sendFile() function, which returns users.html. This is the equivalent of MVC’s ‘return View()’.

Reading and Writing JSON Files
Of course, most Web applications function as an interface to some data source. Here I’ll use a JSON-based source to store and retrieve the data, with data being passed between the HTML and the JavaScript controllers. The Express.js site lists the database integrations it supports.

For the following, the body-parser package is required, installed through npm:
npm install body-parser --save

In the HTML file we have a simple form with four fields. To the JavaScript file we add another method for handling the data submitted from the HTML.

If the fields are populated and submitted, the following JSON output is generated:


Now we need a .json file for the application to append, for example ‘users.json’. Here’s the solution I hacked together, by trial and error:

This can also be extended to MongoDB, which is also JSON-based, if a data access layer needs to be added to the application.

To do the reverse – rendering JSON data in an HTML page – we’ll need jQuery and a script that fetches the data returned by the Node.js controller. In the HTML I have two elements, ‘get-data’ and ‘show-data’. The first is a link that triggers the JSON reader JavaScript.

The handler function will read the JSON file and return the output to the ‘show-data’ element, placing the read values in an HTML list.

Suggestions for Programming Learning Methods

I’d answer the question posed by UWNThesis’ post ‘Can anyone become a programmer?’ and the study papers linked to it with ‘yes’. Anyone could become a programmer. After some thought, I’ve come up with three learning methods that might work better than conventional programming courses. Ultimately, though, I think that people run into problems because programming languages are tools that require context and technical understanding to use. I guess that anyone could become a programmer in generally the same way anyone could become an engineer.

1. Usability and Control – The Command Line as an Ideal Interface
It was almost a decade ago, around the time I was discovering the Linux operating system, that I attended a talk given by a computer scientist from Cardiff University, Dr. Frank Langbein, who argued that anyone can and should learn to program. He didn’t argue that people should ‘learn to code’ for the sake of just being able to, but because it gives us the ability to break through the limitations imposed by ‘user-friendly’ graphical interfaces. And sure enough, the same arguments, and distilled computing wisdom, could be found in Neal Stephenson’s Cryptonomicon and In the Beginning was the Command Line – please do read them for yourself.

Perhaps the clearest illustrations of Langbein’s argument would be the horrid (in my opinion) desktop interface that became the default in Ubuntu since ~2012, and the widely disliked Windows 8 desktop. Despite these entirely cosmetic changes, they were still the same Linux and Windows operating systems as before, and both just as usable in the command line. The only change was the graphical interface, but nevertheless there was a demand for programmers to fork Gnome and develop a third-party program to reintroduce a start menu for Windows 8.

I had other reasons to dispense with the desktop interface: I’m composing this post on an old Compaq that’s barely powerful enough to run a modern desktop interface, and it certainly can’t handle graphics or video without almost combusting, yet it’s too good to throw away. Consequently I got into the habit of doing most things in the Linux command line – browsing the Internet, accessing emails, modifying spreadsheets, configuring and administrating servers remotely, drafting research papers and generating them in the same format as you’d see in a scientific journal, etc. etc. And it’s important to mention that I’m not intelligent – the command line was designed to be usable for humans, and proficiency is just another learned pattern of behaviour, a habit.

This is actually a good way to begin learning how to program. Given enough time (say three months), and with very little experience, a novice can install Linux or FreeBSD in VirtualBox, start experimenting with the command line and become reasonably adept at it. I’d state that much as fact. With some familiarity with the command line syntax, it’s a trivial step to string together the execution of shell binaries in a BASH script, much like you’d string together modules in Python. From there, one could learn Python, and perhaps later move on to a more ‘serious’ language.

2. Context and Technical Understanding
The abstract of Saeed’s 2006 paper claims that ‘programming teaching is useless for those who are bound to fail and pointless for those who are certain to succeed’. I think that it’s unfair and unreasonable to make that determination about undergraduates (and anyone else, for that matter) before they have grasped the technical theory and methodical reasoning. Both assertions are still correct, though, but for a very different reason.

Where I studied, it was actually possible (but not common) to graduate in computer security without having done any programming beyond a first year module in Visual Basic. What I observed is that many of us were successfully teaching ourselves BASH scripting and Python during our final year, and we skipped over the standard tutorials to focus instead on scripting the execution of security-related tools and third-party Python modules. Basically, programming became simply a means to achieving something, once we had gained some level of technical understanding and consequently the ability to clarify the problems. For example, if you wanted to develop a database-driven application, you might fetch a graphics rendering module, a database driver module, an Object Relational Mapper module, and so on, and simply develop code that brings those modules together as a software application. Could we have done that two years prior? Maybe, but certainly not without some difficulty.

What this suggests, especially given there’s a world of difference between coding and having the skills required to properly engineer software, is there’s a lot of additional expertise required to become a decent software developer. I think that programming courses should be taught in that context, and not necessarily as a first step. Nacko, commenting on Ars Technica, put it another way:

‘Saying a person “can’t program” is like saying he can’t build a house. There is a lot of foundation skill and knowledge that goes into being able to successfully build a house. I would think the only way forward is to identify a more specific deficiency than “unable to build a house” and correct that with appropriate study and training. I suspect that applies to programming as well, and that most people can at least achieve competency’.

By the way, I’ve put together a short list of required skills on GitHub for someone applying for an entry-level developer role.

3. Learning Through Application
Does a course need to teach how to print ‘hello world’, how to manipulate arrays and how to loop operations in a given order? Not necessarily. I think the typical syllabus is inadequate, ineffective and often not very motivating. Using Python, Java and C#, it’s possible for beginners to start making things with third-party extensions following the briefest of introductions to the language – I actually flicked through a £7 Python book in WH Smiths’ magazine section the other month that uses this method. A course might take the form of a project to build a Python-based graphical interface to a MySQL database, during which students would gain a broader and more applicable understanding. Many of the concepts learned using Python could then be carried over into a secondary course with Java or C#, which might introduce real-world software design and engineering concepts – the SOLID design principles being chief among them.

Another thing I’ve noticed over the years is that a developer environment’s font style and colour scheme can make a huge difference to the comprehensibility of a source file, just as surely as the way the source is formatted. Quite often I switch to another editor such as Notepad++ or Atom for modifying tricky-to-follow .NET projects. And it’s important to use the right editor – you don’t want an IDE that’s dauntingly feature-rich and presents its own learning curve.

Confirmation Bias and Search Engines

Getting information about last weekend’s Boston Free Speech rally wasn’t easy.

Google returned pages upon pages of results for corporate media sites repeating the same narrative: That the free speech protest was organised by the ‘far-right’, ‘right-wing’ and ‘phony libertarians’, and that it was countered by anti-fascist counter-protesters. I’d like to know how they arrived at this determination, given the lack of information about the protest or supporting evidence.

That’s when I got curious about what might be found using other search engines. The results weren’t remarkably different, and the tone is pretty much the same, but Bing returned search results that were more balanced. It’s worth pointing out the word ‘right’ appears five times prefixed with ‘far-’ and ‘alt-’ in the Google results. There were no occurrences of those words in the first Bing results page.

DuckDuckGo’s results are also quite different to what Google returns. Notice most of the links here are for local news reports. The term ‘far right’ is absent, and the organisers are described only as ‘conservative activists’ here.

The results returned by Yandex were very interesting indeed. Why are the Goldwater Institute, American Torchbearers and Daily Stormer at the top of the results? Is this the go-to search engine for the politically-conservative?

I’m not suggesting the above is evidence that Google, or any of the search engines here for that matter, are intentionally manipulating search results. Each search engine uses an algorithm, and there are various factors that determine what users see.
What I will say, though, is that our ‘filter bubble’ extends to how we seek information, and not just what ‘friends’ and people we ‘follow’ post on social media. Next time you research a story, clear your browsing history, try different search engines and see what comes up.