Kartones Blog

Be the change you wanna see in this world

Stopping Windows 10 privacy bleeding

There's been quite some talk about how Windows 10 upon install by default sends lots of mostly private stuff to Microsoft. Sure, it can be turned on "just not using express settings", but we all know many people are lazy and install without reading, so this was done on purpose (else everything would be opt-in).

After the initial install, people realized the operating system kept bleeding data to the outside, so I did a quick test. I opened Task Manager, the Performance tab and there it was having a high activity peak when I wasn't doing anything. To avoid a false positive I ordered processes by network %... and I had the Search "app" sending 2.3MB of data... when I had disabled everything I could at setup (plus later on the Privacy settings).

Checking the App History tab I got these two nice "rogue leakers", two applications I hadn't even launched once in my few weeks using the new OS:

Examples of personal Windows 10 data leaks

Somebody please tell me why the Store has to grab so much data when I haven't even set up a Microsoft account (I use a local one), or why if I have never searched anything it was sending/receiving MBs. Searching for a more complete list of Windows 10 privacy fixes I found this nice guide, but as I never use Bing and similar MS-only services, I did some network sniffing to see what other places my PC is still "calling".

These are the domains I've ended up blocking (redirecting to 127.0.0.1 from the hosts file is the best stopper) based on articles read and my own Wiresharking experience:

  • any.edge.bing.com
  • bing.com
  • msn.com
  • live.com

I also disabled ssw.live.com but then I had issues updating Windows Defender so I guess it either controls WD definition files or the whole Windows Update and I unblocked it.

I really like Windows 10 after suffering Windows 8 and using Windows 8.1 (although I'm sticking to Windows 7 for the gaming PC), but sadly it seems the privacy invasion era has jumped from mobile phone operating systems to desktop ones. It's still a better battleground to fight from (Firewalls, hosts file, 3rd party apps/tweaks...) but still another war to fight at.

 

PS: I've read as much as possible to take away FUD from reality, and while some options have been explained, not all questions have been answered.

PS 2: If I come up with additional things to disable or domains to block I'll update the post to reflect it.

Taking care of my body when working remotely

Reading a Dilbert book I found this really funny comic strip about remote work and personal well-being:

Dilbert on remote working

Until half a year ago I didn't do much remote working, mostly because previous jobs didn't allow me to and I wasn't so eager to try it. But in the past months things have changed and now I really appreciate it as a way to improve concentration and squeeze more time from the day for other tasks (mostly as I save on commuting). But there is one thing where at least I have to be careful now: ergonomics and a proper sitting position.

Ergonomic seating basics

I sometimes tend to cross my legs, other times to curve my back, and sometimes I get wrist pain (not strong, but enough to annoy)... so I've been improving my home working area as now I work an average of two days per week from home. This is the setup I currently have:

An old, grey and white IKEA Fredrik work table with up to two optional shelves above it, plus cable cord "rail" and a keyboard handle. It is wide and big enough for my laptop, monitor, a study area (for books, writing...) and even a PS3. The cable holder rail is so nice to avoid having tons of cables lying under the desk. It is also high, so with a small box below (with drawers to store things inside) I have the monitor at the correct height to always look upfront and not lower the head.

IKEA Fredrik

A decent (but not expensive) chair, with a net-like back so that my body can "breathe", and of course armrests, to keep the arms in proper angle. I modified the keyboard handle of the table to be at the proper height so my arms form a proper 90º angle. A SteelCase or similar brand might be awesome, but they are so expensive that while I can find cheaper alternatives I'll stick to them.

Ergonomic chair similar to mine

A 24" 1920x1200 monitor. People go a bit crazy IMO and maybe for a designer 27" or 30" are nice, but at least I don't need so many inches. I have a 30" monitor but after some daily use I moved it permanently to being my gaming PC screen and instead use a smaller but good enough display for my daily tasks. I'd love to have one that rotates to portrait mode (so nice for coding, I had one like that at a previous job) but while this one works I won't change it. Two monitors might also be interesting but I'd need a Dell docking base and my table is not huge, plus I'm so used to alt-tabbing that I don't need them.

Dell 24 inches monitor

I use an ergonomic keyboard for everything except gaming. I have two Microsoft Natural Keyboard 4000, one at home and one at work, but recently I switched (at home) to the newer and smaller Microsoft Sculpt Ergonomic, because I get more free space from the (separate) numeric keyboard segment and it is great, with soft keypresses and definitely a good improvement. Ah, it is in English; I'd rather learn where the ñ and accents are when I need to write in Spanish but enjoy the quicker code writing of a UK layout (I've never used a US layout but as it would anyway be harder to get from Spain, I directly don't care).

Microsoft Sculpt Ergonomic for Business

I recently tried and now use a footrest platform. I bought a Kensington Solemate Plus because it is cheap but allows adjusting the inclination and height, plus the feet don't slip.

Kensington Solemate Plus

As I play videogames, ages ago when I bought my gaming PC I did it with a good laser gaming mouse, a Razer Diamondback. After serving me for around 4 years, I decided to buy another one for the gaming rig and I've been using this one for coding for around another 4 years. It is very precise and my hand doesn't get tired of using it, so I'll probably keep it until it breaks. Probably any ergonomic mouse will do, but I'd go for a mid-high gaming one as they usually are the best ones.

Razer Diamondback

For a distant future, I'd have to test a standing desk, but I don't see where I could set one up at home so for the time being it is on hold.

 

Add to the list good illumination, a quiet environment and, now that I have air conditioning, a nice temperature even in the summer, and the truth is I feel really comfortable working from home. Any additional suggestions, ideas or elements you'd add?

Making Rails CookieStore more secure and sessions expirable

As is happening to me a lot lately, the Ruby ecosystem has lots of tutorials and guides that range from beginner to intermediate, but lacks more advanced topics. Recently I had to implement a security feature that surprisingly wasn't present in Rails: session invalidation when you change your password.

Many sites, CartoDB included, use Rails CookieStore, which is just cookie based session handling: You securely serialize and deserialize session data (usually the user identifier) and avoid storing sessions serverside. Really cool in theory but has a flaw: If there is no serverside session management, how do I signal a password change so the other cookies with my session for example at other browsers become invalid?

Reading the official Ruby on Rails Security Guide I hoped to find the answer, but no, instead it lists lots of security hardening points, but just recommends to make your session expire, use a general secret_key (but changing it would invalidate all sessions, not just a given user's) and in the end to go for database-based session handling for proper security. Well, I agree it is better, but sometimes you cannot adopt some changes as easily as it seems, so... what about improving CookieStore?

First I went deep, checking the source code of CookieStore and its "mixin parent" AbstractStore. They just wrap actual session handling on storing at a cookie, but the parent had an interesting method, generate_sid (session Id). Maybe if I could change the generation of the session it would be enough... so I also checked Rack::Session::Abstract::ID, the parent of all stores. I did some tests inheriting from CookieStore (as I don't fancy monkey patching even if Rack's code suggests it) but quickly I found that when you are generating a sid, you really don't have context of "users"... and you shouldn't, because this is really inside. This is for people desiring to modify the session id generation algorithm, or the actual storage of session data.

So, I went up, because over Rails we use Warden to ease all authentication (we have user/pass, API key, OAuth...). Digging into its wiki I found that you can have more session data than just the user id that you deserialize into a full User object upon retrieving an existing session. But that example wasn't enough, as it only worked playing with default session scopes. We use scope-based sessions because our usernames are unique and cannot be repeated, so for example I can have a session cookie with the scope "kartones" and another with the scope "test" (or different roles, or other ideas you might have).

Checking more about Warden, I found some interesting callbacks, but again the examples were silly and not too useful, so as usually happens with Ruby, it is better to again check the source code to see the internals. And inside hooks.rb I found the answer, in the documentation block of after_set_user. There, I could filter to handling authentications and store additional session data at the Warden initializer file... something that changes too if your password changes, e.g.:

require 'digest'

# Runs whenever a user is set, except when fetched from an existing session:
# stores a token derived from the current password hash in the scoped session.
Warden::Manager.after_set_user except: :fetch do |user, auth, opts|
  auth.session(opts[:scope])[:sec_token] = Digest::SHA1.hexdigest(user.crypted_password)
end

Now, editing the traditional Rails base ApplicationController I can add some methods to handle this additional data:

# Refreshes the token in this user's scoped session (the scope is the username).
def update_session_security_token(user)
  warden.session(user.username)[:sec_token] = Digest::SHA1.hexdigest(user.crypted_password)
end

# True only if the session carries a token matching the current password hash.
def session_security_token_valid?(user)
  warden.session(user.username).key?(:sec_token) &&
  warden.session(user.username)[:sec_token] == Digest::SHA1.hexdigest(user.crypted_password)
end

# Returns false, and by default resets the session, when the token is stale.
def validate_session(user = current_user, reset_session_on_error = true)
  if session_security_token_valid?(user)
    true
  else
    reset_session if reset_session_on_error
    false
  end
end

And then just add the new logic to the authentication endpoints, for example:

def login_required
  is_auth = authenticated?(CartoDB.extract_subdomain(request))
  is_auth ? validate_session(current_user) : not_authorized
end

Now it would only remain to call update_session_security_token upon a password change, and all other cookie sessions will become invalid.
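The mechanism above, reduced to plain Ruby so it runs without Rails or Warden. This is an added example, not code from the original post or from CartoDB: the signed cookie format, `SECRET` and the `User` struct are assumptions, and it swaps the bare SHA1 for an HMAC-SHA256 keyed with the server secret plus a constant-time comparison.

```ruby
require 'openssl'
require 'json'
require 'base64'

SECRET = 'constructed-demo-secret' # assumption: stands in for the app secret
User = Struct.new(:username, :crypted_password)

# Token derived from the stored password hash, so it changes with the password.
def sec_token(user)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, user.crypted_password)
end

# Constant-time string comparison, avoids leaking the match position.
def secure_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Minimal signed cookie (payload--signature), no server-side session state.
def issue_cookie(user)
  data = { 'user' => user.username, 'sec_token' => sec_token(user) }
  payload = Base64.strict_encode64(JSON.generate(data))
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)}"
end

# Username if the cookie is authentic and its token is current, else nil.
def validate_cookie(cookie, users)
  payload, sig = cookie.to_s.split('--', 2)
  return nil unless payload && sig
  expected = OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)
  return nil unless secure_eq?(sig, expected)
  data = JSON.parse(Base64.strict_decode64(payload))
  user = users[data['user']]
  return nil unless user && secure_eq?(data['sec_token'].to_s, sec_token(user))
  user.username
end

def demo
  user = User.new('kartones', 'constructed-hash-v1') # constructed sample data
  users = { user.username => user }
  laptop = issue_cookie(user)
  phone = issue_cookie(user)
  before = [validate_cookie(laptop, users), validate_cookie(phone, users)]
  user.crypted_password = 'constructed-hash-v2' # password change
  laptop = issue_cookie(user) # equivalent of update_session_security_token
  { before: before, after: [validate_cookie(laptop, users), validate_cookie(phone, users)] }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The second cookie still has a valid signature after the password change; it is rejected only because its embedded token no longer matches the one derived from the current password hash.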

 

Why this is not an option either at Rails or Warden, I don't know, but I couldn't find a single tutorial, post or message detailing all this info, so let's hope this post helps fix that.

My dislike for open office spaces

Open office spaces are a logical step when you are a small company, but as you grow, it has become the "first cool thing to do with your office" in software development. I've been working in them since 2008, and before intermittently at some clients while consulting. And the truth is that I still don't like them.

I come to the office primarily to work. It sounds asocial* and maybe it is, but my main goal is to do my job. I can make friends, I can laugh and tell jokes, but the highest priority is to work, and, at least while coding, concentration is a basic need. It is not that I don't like seeing my colleagues' faces, in a friendly environment "without walls, all plain". It is more the fact that education and respect become vital, and building a culture of silence is not a trivial task.

Silent hours, public and/or private complaints, forbidding audio/video chats at working areas, listening to music the whole workshift, allowing remote work, clever rearrangement of teams to isolate or at least reduce hearing of noisy ones... I've seen a few approaches, but in the end until everybody learns to keep a "low noise volume", they are just mitigations.

I've also noticed that there are also virtual walls: teams still have to sit together or really near, so changing a team creates a cascade of people changing their things**. It might not always be the case, but I still have to see a fully de-centralized team that works always flawlessly.

So far, the best approach I've seen and the most comfortable working environments I've been at is to have separate rooms or at least physical walls separating teams. You distract and get distracted less, you can talk with the rest of the team, makes much easier being quiet, and there are always common areas like the kitchens (or a bar nearby!) to talk with the rest of the company while having a break.

Making an open space office work correctly is possible... but at Tuenti it took years (and trying most if not all of the "hints" mentioned earlier). It seems to require quite some effort regarding education and respect.

 

* Back at my university days, as it was far away from home, if I was going to spend 2 hours per day on a train, I was going to either study or do assignments. That's why I never learned to play Mus or CounterStrike, but I managed to pass more than half of the studies working part-time and then going to the university.

** Up to the point I became a "nomad" at Tuenti by having just my laptop, my chair and a monitor in order to move "everything" quickly with the so frequent "reallocations" we had.

Book Review: The LEGO Mindstorms EV3 Discovery Book

The LEGO Mindstorms EV3 Discovery Book book cover

As lately I'm quite busy between my pretty dog, working, reading articles (of too varied topics to write about them I think) and trying to rest, I've just written another book review I had pending for a while. It's another book about LEGO Mindstorms EV3 (for which I sadly have my Node.js library quite abandoned), so feel free to check it out if you like the topic.