All posts by Paul

How To Export Contacts From OwnCloud Database

For those who need or prefer directly dumping all their contacts from an OwnCloud database, below are commands to do it from a PostgreSQL installation.

Remember to put your OwnCloud user-name in place of the “…” in the query.

psql owncloud --tuples-only --no-align -c \
"SELECT encode(carddata, 'escape') FROM oc_cards WHERE addressbookid = (SELECT id FROM oc_addressbooks WHERE principaluri = 'principals/users/...')" \
> oc_cards.vcf

If you happen to have accented, or other non-ASCII, characters then you may need to convert from octal (“\nnn”) to UTF before trying to import elsewhere.
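The octal-to-UTF-8 conversion mentioned above, as an added example that is not part of the original post. The function names and the sample card are constructed for illustration. The decoder assumes the dump came from `encode(carddata, 'escape')`, which also doubles every literal backslash, so vCard escapes such as `\n` must be restored in the same pass.

```python
import re

# encode(carddata, 'escape') writes NUL and high-bit bytes as \nnn (three octal
# digits) and doubles every literal backslash; all other bytes pass through.
ESCAPED = re.compile(rb"\\(\\|[0-3][0-7]{2})")


def unescape_bytea(data: bytes) -> bytes:
    """Reverse PostgreSQL's 'escape' encoding and return the stored bytes."""
    def restore(match):
        token = match.group(1)
        if token == b"\\":             # doubled backslash -> one backslash
            return b"\\"
        return bytes([int(token, 8)])  # \nnn -> the single byte it stands for
    # One left-to-right pass keeps "\\303" (a literal backslash followed by
    # digits) from being mistaken for the octal escape "\303".
    return ESCAPED.sub(restore, data)


def dump_to_vcf(dump: bytes) -> str:
    """Decode a psql dump to text, failing loudly if it is not valid UTF-8."""
    return unescape_bytea(dump).decode("utf-8", errors="strict")


def convert_file(src: str, dst: str) -> None:
    """Rewrite the dump file (e.g. oc_cards.vcf) as a UTF-8 vCard file."""
    with open(src, "rb") as fh:
        text = dump_to_vcf(fh.read())
    # newline="" preserves the CRLF line endings vCards use.
    with open(dst, "w", encoding="utf-8", newline="") as fh:
        fh.write(text)


# Constructed sample of what the psql command emits for one card.
SAMPLE = (
    b"BEGIN:VCARD\r\nVERSION:3.0\r\n"
    b"FN:Ren\\303\\251e M\\303\\274ller\r\n"
    b"NOTE:Line one\\\\nLine two\r\n"
    b"END:VCARD\r\n"
)

if __name__ == "__main__":
    print(dump_to_vcf(SAMPLE))
```

Write the result to a new file rather than over the dump, so a failed decode leaves the original export intact.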

Why Can’t I Change Gamepad Controls?

A disturbing trend among some video games is gamepad support whose controls cannot be customized. While the standardization of gamepad support on PCs has increased the number of games supporting them, for some games there is only a single configuration. For those of us who are differently abled, or simply prefer to use a familiar layout, control customization seems to be taking a step backwards.

This is surprising since personalizing controls has been a feature of PC gaming for decades, even among small budget titles. Consoles such as the PS4 and Xbox One now offer the ability to remap keys for all games. This is a modest accessibility improvement, though it appears to come at the cost of less in-game remapping. So for players who prefer to alternate between different games, the situation often involves re-configuring one’s brain each time. One would hope the competition among PCs and various console platforms would drive progress towards more accessible controls.

It’s true that enterprising users and 3rd-party developers provide alternative means of remapping controls. Sadly, many of these fail to remap for multiple games at once. Steam is the most accessible and broadly available option, and it does do per-game mapping. Still, being outside the game requires that users know their game’s default controls and do the old-to-new mapping using only the abstract button names. It’s also a relatively unknown feature.

Despite the variety of games and genres there is a lot of similarity in game control: move forward-back-left-right, jump, crouch, action/shoot, sprint, etc. On PC the keyboard controls have defaulted to the WADS keys for forward-left-right-back, so why not have a means to change the defaults for all games at once? Certainly some games will have unique controls which cannot be standardized. In those cases in-game customization may be the best solution. Still, it would save gamers time and frustration if they could begin with familiar fundamentals when starting or switching among experiences.

If PCs and consoles increasingly become home-theater machines and gamers play a larger variety of games they too may be asking why controls are so difficult to personalize. Hopefully developers will take notice.

Thinking Of Password Strength Like Slot Machines

Instead of communicating password strength—specifically unpredictability—as ‘bits,’ let’s consider using slot machines as a metaphor. Bits of entropy are the traditional way of describing the randomness and variety, though the measure can be intimidating or too abstract for some users. It can also overlook that each ‘character’ in the equation is actually an entire word, since those are easier for users to remember. Slots are relatively simple machines which randomly rotate among variations of options and line up together like letters or words in a passphrase. So this metaphor may help users better understand the strength of their passwords.

Let’s imagine that slot players are thieves looking to steal the money in your bank account. Slot positions or wheels can be thought of as each character or word in your password or phrase. And the varieties of slot fruits represent the possible characters or words in your secret. Now if a player happens to line up each of them they’ll strike jackpot and get access to all your money. Preventing unwanted jackpots like that requires choosing passwords or phrases that are unpredictable. So we want a lot of different fruit (characters/words), as many slot positions as practical (as long as possible), and no pattern among the slot choices (no relationship between them). More is stronger.

It’s important to keep in mind that if we choose a password as a collection of words (not random characters) then our ‘fruit’ or dictionary cannot be counted as each character. In that case it must be counted as each whole word. Attackers know that people often use words because of frequent password leaks. So any pattern we choose should be considered public knowledge.

Now, to gauge how strong a password (jackpot) is we can multiply the number of possible words/characters (fruit) together repeatedly, one for each slot position. Consider that three words with two slots is 3 x 3 or 9 possible values. Put another way we take it to the exponent: 3 ^ 2 = 9. Guessing randomly the attacker/player would probably hit the jackpot in half as many attempts, on average. So that password would typically require 9 / 2 or 4.5 guesses to get right. That’s really weak.

Expressing that as attempts gets out of hand quickly since at 1000 words/characters with 3 slots we’ve got 1,000 ^ 3 or 1,000,000,000 which is one billion. A dictionary or fruit basket of 10K with 5 slots would be 100,000,000,000,000,000,000 or one hundred quintillion, on average guessed in fifty quintillion attempts. If these numbers are too unwieldy we could use the ‘bits’ method to make these numbers easier to read and reason about. Then our 10,000-5-slot password would be log base 2 of 100 quintillion or about 66.4 bits. Still it would be important to remember to take care when filling in the ‘fruit’ or dictionary number to avoid counting characters when we’re actually using words.
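The slot arithmetic above, as an added example that is not part of the original post. The function names, the constructed phrase, and the 27-symbol alphabet used for the miscount are assumptions. It reproduces the post's figures and shows how far the estimate inflates when the characters of a word-based phrase are counted as slots.

```python
import math
import secrets


def guess_space(fruit: int, slots: int) -> int:
    """Number of possible jackpots: fruit multiplied once per slot."""
    return fruit ** slots


def average_guesses(fruit: int, slots: int) -> float:
    """Half the guess space, the post's estimate for a random guesser."""
    return guess_space(fruit, slots) / 2


def bits(fruit: int, slots: int) -> float:
    """The same guess space expressed as bits (log base 2)."""
    return slots * math.log2(fruit)


def pick_passphrase(wordlist, slots: int):
    """Draw each slot independently and uniformly, so no pattern links them.
    Returns the chosen words and the number of distinct fruit available."""
    words = sorted(set(wordlist))     # duplicates would not add fruit
    return [secrets.choice(words) for _ in range(slots)], len(words)


def miscounted_bits(phrase: str, alphabet: int = 27) -> float:
    """The mistake the post warns about: treating every character of a
    word-based phrase as a slot (27 = lowercase letters plus space)."""
    return len(phrase) * math.log2(alphabet)


# Constructed phrase standing in for five words drawn from a 10,000-word list.
PHRASE = "maple tiger ocean candle river"

if __name__ == "__main__":
    print(f"per-word estimate: {bits(10_000, 5):.1f} bits")
    print(f"per-character miscount: {miscounted_bits(PHRASE):.1f} bits")
    demo_list = ["maple", "tiger", "ocean", "candle", "river", "maple"]
    print(pick_passphrase(demo_list, 3))
```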

P.S.

Each of the password requirements (many kinds of ‘fruit’, multiple slot positions, unrelated ‘fruit’ choices) is important, and that makes strong password/phrase choices hard to remember. Typically we also have many accounts with a variety of websites and services. Ideally each account should use a different password, unrelated to all the others. For this reason a password manager makes life more practical. Properly designed they can encrypt all the random passwords or phrases with one, strong-yet-memorable password. If you aren’t using one please try making it a part of your daily routine for a month. It could save you a lot of time and headache by avoiding the loss of your accounts or funds.

“User-Agent” Headers Holding Back The Web

Every time you visit a website the name and version of your browser are sent to the service. In fact with every requested image, video, and style sheet the same data is sent again and again. This not only wastes bandwidth, it also subtly encourages web makers to rely upon it as a shortcut to make services work consistently across platforms. Later browsers then include more tokens in their “User-Agent” header to maintain compatibility with these fragile services. Over time the header becomes larger and the web more brittle. For example, Internet Explorer 11 identifies itself as “Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko”. Can you tell which part communicates that it is Microsoft’s Internet Explorer?

Of course it’s impractical for every web site/service to test every possible combination of browsers and platforms. So those of us developing sites and services only test the most popular browsers at the moment. Over time this leads to a web which caters to a mix of the most popular browser of the past and present, depending upon the time any given service was last made. As more and more devices leverage HTTP for the Internet-of-things this problem may grow more complex. Web standards and feature detection can help.

With well-defined standards and run-time detection of features it’s possible to avoid the trap of ‘sniffing’ the browser from its UA headers. And while cutting edge features and services may benefit in the short-term from taking the shortcut of browser detection, they can also leverage vendor-specific prefixes of features in flux. Once standardized the prefixes can be replaced with official and non-prefixed names.

In my experience, detecting significantly different platforms such as mobile or internet-of-things (IoT) devices does still offer some valid uses for the UA header. But ultimately they may be better served by a new, simpler header or more platform-independent designs. Until then Mozilla’s recommendations are a reasonable place to start.

In recent years even the once-dominant Microsoft notes the weaknesses and problems with UA headers. Sadly, my experiments sending an empty or minimal UA header have found too many sites broken to recommend the approach to non-technical users.

How about you? What do you think of UA headers?

Is Ad Blocking A Form Of Looting?

One description of the increase in ad blocking is that it’s a kind of boycott. While that may be the view of blockers the content producers may see it differently. For them advertising pays for their effort to create the content. So when people consume their content without any payment (in the form of attention) then their incentive to produce suffers.

This ‘boycott’ of advertising—while still taking the ad-supported services—appears to have much more in common with looting. Looting often occurs when large numbers of people feel deprived or exploited. Like a kind of vigilante justice one could argue the careless and invasive advertisers have pushed users to this extreme.

Of course a boycott sounds a lot more noble. But if I’m not mistaken that would involve avoiding the entire business, not using their services while dodging payment. Picketing is another feature that can accompany boycotts. Those bothered by ads do have options to express their discontent on social media, forums, and comments; though, admittedly, not always directly on the site of the business itself.

Alternatives to ad-funding do hold promise: micro payments, donations, and subscriptions. Each has some friction for users to get involved. Perhaps when doing so is easier than installing an ad-blocker things will turn around.

So what do you think? Is ad blocking more like a boycott or looting? Something else entirely?

VirtuaWin Vs. Windows 10 Virtual Desktops

VirtuaWin’s virtual desktops have long provided the ability to expand your Windows work-space without adding extra physical screens. Now that Windows 10 includes its own virtual desktop/work-space feature I’ve found it both an improvement and a small step backwards. After a few months with both let’s break down how they compare.

Here is a table documenting my findings as of January 2016. (Since Windows 10 and VirtuaWin may evolve in the future I’ll try to keep this up-to-date.)

Behavior or capability | VirtuaWin | Win. 10 Desktops
Boss key to hide other screens | Yes | No
Compatibility issues with some Intel drivers | Yes | No
Customize number of screens | Yes (up to 20) | Yes (100+)
Customize shortcuts | Yes | No*
Jump-to-screen shortcuts | Yes | No
Show a window on all screens | Yes | No
Switching from windows with admin. privileges | Yes | Requires extra key press
Switching from certain** modal windows | No | Yes
Vertically aligned screens | Yes | No
Windows with admin. privileges appear on all screens (bug?) | Yes | No
Wrap around when switching from first/last screen | Yes | No

*It’s possible to make alternative shortcuts for Windows 10 desktops using 3rd-party tools like AutoHotKey.
**My LockyWindow product has used a modal window when unlocking to prevent manipulating the underlying KeePass window. VirtuaWin’s switching feature is disrupted by such windows.

While VirtuaWin is more feature packed I personally don’t miss most of the capabilities absent in Windows 10’s desktops. Those most lacking were the jump-to shortcuts and the option to wrap around from the first/last screen. Still, the ability to switch away while administrative windows have focus is much appreciated. Window management in Windows 10 Desktops also feels more user friendly than VirtuaWin’s tray pop-out.

How about you? Do you use virtual desktops? If so which solution works best for you?

Does The DOS Gaming Era Stand Out?

Plenty of us enjoy a game to relax after a long day at work, school, or life. Yet why is it that some gamers are drawn to games before their time? My experiences with games preceding my youth have almost universally produced boredom, disgust, or both. And what is it about the DOS-era of gaming that is unique?

Anyone who has watched the React channel can probably understand the generational gap in media, especially games. Watching kids react to old games and computers with shock only reinforces my jaded experience looking back on those before my time. Still, as I frequent DOS gaming sites and podcasts to get a nostalgia fix there are often comments or calls from gamers who didn’t grow up with them.

Perhaps it’s because there are so many games today and there were so few back in the day. So getting a critical mass of fans was easier since players had fewer choices. Then the kids of those fans were (and continue to be) inevitably exposed to their parents’ favorites. If there had been more games available to their parents the influence of these ‘classics’ on this next generation would probably have been less concentrated.

Another possible reason is that the DOS era spans a wide range of experiences. The first games were merely black-and-white text while some of the last were high(er) resolution, 3D accelerated, Internet-enabled games rivaling the best consoles of the time. In the beginning a top-of-the-line game could easily be made by one person. By the late 1990s some games were multi-million-dollar efforts.

DOS also saw wide-spread use over nearly two decades. Apparently consoles only have about six years of development. That means DOS had about three times as long to innovate, make impressions, and establish a brand. And for many of those users during that period it was the default choice for their computer because of business, school, or other reasons.

Am I blinded by nostalgia, or is there something truly unique about this era in gaming and technology?

How Much Pact Pays Me To Exercise [Updated 2017-07]

UPDATE: As of July 2017 the Pact service has shut down.

The idea of getting charged for failing to meet my fitness goals was off-putting at first. Now the idea of being paid for meeting them was a lot more appealing. Pact is a mobile app which encourages healthier behavior by charging users who fail to meet their goals and rewarding those who meet them. Before starting it I wanted to know if the rewards were worth the work. Some articles mentioned vague amounts after a few months of use, but nothing with a breakdown per activity. So I’ve made one that is automatically updated weekly from my data.

Graph of max possible last week
This completionist graph shows that one can typically earn the most from veggies in a week. Though at 5 per day that’s a total of 35 photos to submit.

Graph of earnings per activity
As can be seen each individual activity does not pay much, and clearly exercise is the highest payout. But committing to a dozen or so activities per week does provide a nice little bonus for exercise and healthier eating. So far I get about $8 per month by exercising 6 days, logging one day, and recording veggies half the week. Even if the reward were only a few pennies I’ve found the bonus improves my consistency. Avoiding being charged for failure certainly motivates as well.

Around the 2014 holidays the payout was a little higher. So I imagine the busyness and temptations of that season made reaching these goals more challenging. Regardless, despite some misses, these kinds of pacts can provide the needed push to get one moving more and eating healthier. If you’re on the fence I’d recommend giving it a try with some modest goals.

Disclosure: I’m not affiliated with Pact, Inc. (a.k.a. Gym-Pact) except as a user of their app and service. The data provided is my own, and it cannot predict future earnings.

VeraCrypt Is Too Slow And Complex

Now that more TrueCrypt weaknesses have been revealed, the open-source solution taking its place appears to be VeraCrypt. Yet its extra-secure encryption of the system partition adds so many rounds that booting is slowed, and the extra PIM concept mandates an extra step at every startup. This situation makes it even less suited to non-technical users than TrueCrypt before it.

Steve Gibson may be ready to recommend VeraCrypt, but I don’t think it’s ready for the masses; up to version 1.15 anyway. After clocking my boot time with system encryption it took an extra 85 seconds. Talking non-technical friends and family through even basic use of TrueCrypt volumes was challenging enough. VeraCrypt’s additional Personal Iteration Multiplier certainly adds more security. Still, the extra step and forgettable-yet-necessary element is only making it less novice friendly.

Another long-term problem is VeraCrypt’s lack of Secure Boot support. This prevents booting with whole-disk encryption on machines locked down within UEFI’s boot-loader signing. Hopefully VeraCrypt support will be done before Secure Boot becomes widespread.

Now having tried the built-in encryption features of Windows, OS X, and Ubuntu Linux the VeraCrypt software does still offer a nice cross-platform solution. The VeraCrypt UI is also easier than Linux, though it has a way to go before being as easy as Windows and OS X. With a little UX love and simpler defaults VeraCrypt has the potential to offer a compelling alternative for regular folks.

Exercise That Saves Me Hundreds Per Year

Needing more exercise and reducing fossil fuel use are two birds. My bicycle is one stone, and with it I hit them both by schlepping groceries and other purchases after shopping. Let’s call it ‘schlopping’. My guess is that in the past 2 years of doing so I’ve saved about $1600 and 670 gallons of fuel. It’s also helped me stay in shape.

Having a desk job for over a decade has not made me the healthiest worker. So after my bike’s saddle bags spent a year rotting in the basement I finally got around to installing them. Since then any trip around town has been a good excuse to get some exercise. As long as there isn’t too much snow, ice, or salt in the way it can work well. Even in northern Ohio this has only prevented me from riding twice.

Safety equipment like a helmet, lights, and gloves also reduce some of the risk factors. Careful riding also helps. But to be honest, it is tempting to cut corners and ignore traffic laws; especially on long rides. Thankfully, I’ve only had one moderately serious accident thus far. Strangely enough it was not one of my frequent shopping runs but a relatively rare joy ride.

Still, keep in mind that all our sitting has risks too, more so when driving/riding. Of course how the risks of walking/riding vs. driving/riding stack up to each other varies quite a bit. Things like distance of trips, traffic volumes, kind of vehicle, physical health, and availability of bicycle lanes are complicating factors. Your mileage may vary.

Despite the modest costs, different risks, and extra time involved in bicycling or walking the gains are certainly worth it for me. Improved health, reduced environmental impact, and net savings of hundreds per year are too much to pass up.