Three years ago, the [U.S.] Copyright Office agreed to create an exemption to the Digital Millennium Copyright Act so that folks could jailbreak their smartphones. But that exemption is about to expire.

Given the fact that the U.S. jailbreaking-scene is an important contributor, I signed the EFF petition which asks the Copyright Office for continued support for jailbreakers;

Being an avid Android-user, jailbreaking permits me to replace heavily customized (and in some ways crippled, think CarrierIQ) vendor-specific versions of Android with clean, crisp, fast and secure after-market “mods” such as CyanogenMod.

You should really sign this as well!

Possibly related twitterless twaddle:

• WordPress stats oddity
• Google loves html5 (in Android 2.0)
• The Magic’s gone, enter Samsung Galaxy S II

I’ve contacted the developer (Pat’s a swell guy, really) and he answered he would look into honoring the DoNotTrack header, which he wrote he’d love to include in Q1 somewhere. In the mean time, if you have AddToAny on your site, you can already hide the Lockerz “Earn” tab. And if you’re on WordPress, you could install (or upgrade) WP DoNotTrack, which I’ve updated to stop the Lockerz tracking (make sure lockerz.com is your blacklist).

If there’s a Drupalista out there that uses AddToAny and would like to stop Lockerz tracking; I’d be happy to co-author a Drupal DoNotTrack module, do get in touch!

Possibly related twitterless twaddle:

• Why your WordPress blog needs DoNotTrack
• AddToAny: removing the “spy” from the share-ware
• AddToAny removed-from-here

I remember reading about this a couple of years ago or so, but forgot as  support for this html5 spec was limited to Chrome (Apple added support in Safari as well). But while investigating a problem a WP DoNotTrack-user was facing, I re-discovered iframe sandboxing (it effectively stopped the javascript-based tracking inside the iframe) and noticed that support for it is to be included in Internet Explorer 10 and that Mozilla is finally working on an implementation as well.

So yeah, the option to sandbox iframe’s pointing to blacklisted (or non-whitelisted) hostnames will probably be in a future version of WP DoNotTrack. Stay tuned!

Possibly related twitterless twaddle:

• Fix iframe-positioning problem with frameMagic.js
• Avoid iframe-scrollbars with squeezeFrame.js
• It’s official: you can not track your visitors

• you can now choose between a blacklist and whitelist-approach (previous version did blacklisting only)
• define what exactly is in that black- or whitelist (previous version came with a hardcoded blacklist)
• option to block javascript-initiated tracking code from being added for all your visitors, or just those that explicitly opted out of tracking in their browser (supported in MS IE9 and Firefox 9, not supported in Google Chrome)
• and off course an option-page under wp-admin to change all these settings

Because of these new features (4 of them) and because I think the plugin is already at least 50% mature, I decided to bump the version from 0.1.0 to 0.5.0. Never been good at math anyway …

If you encounter any problems when installing or configuring this plugin, you might find valuable info in the FAQ. But here’s two tips anyway:

1. In general caching and js-aggregating plugins can interfere, so you might want to disable those while working on your WP DoNotTrack configuration and re-enable (with cleared caches) once you’re satisfied with the result.
2. If you’re running WP YouTube Lyte with the bonus “donottrack” feature activated, you’ll want to deactivate that before installing/ activating WP DoNotTrack. If you don’t do that, you’ll have to turn to the FAQ …

Don’t hesitate to contact me or leave a comment beneath this here little blogpost if you run into problems, if have a feature request or if you just want to chat a little. I just love receiving feedback!

Possibly related twitterless twaddle:

• Coding for the New Year
• It’s official: you can not track your visitors
• Why your WordPress blog needs DoNotTrack

Now, I haven’t met too many people that use Firefox Mobile and indeed when reading about mobile browsers, Firefox is rarely if ever mentioned. But what if I told you that Firefox Mobile is by far the best browser on mobile when taking performance, features and security into consideration?

I won’t beat around the bush, here’s the pretty objective data.

Some remarks:

• the hardware is pretty comparable; all dual-core CPU’s and plenty of RAM.
• higher is better, except for Sunspider which measures time (in microseconds).
• I’ve got no screenshot or URL of the google v8 test results on my phone, but I’ll be glad to reproduce.
• sunspider and v8 are javascript performance benchmarks.
• html5test is an indication for support of “modern” browser features (html5, css3 and much more).
• the features of the browser GUI arent’t measured byhtml5test, but I’m pretty pleased with Firefox Mobile in that respect as well; great tabbed browsing, plugins (including noscript!), sync-ing of all relevant data between desktops & mobile, …
• I added Opera Mobile and Dolphin HD to the list. Opera’s not too shabby but not a winner either?

And last but not least; as Firefox Mobile isn’t native and since it’s on the same (crazy) rapid release cycle as the desktop-version, I consider it to be a lot more secure when compared to the slow evolving, rarely updated native browsers in Android and iOS.

My advice; if you’re an Android-user and you’ve got a recent handset or tablet, you really should consider switching to Firefox Mobile. It’s the best mobile browser no-one is using! Except for you?

From the readme:

WP DoNotTrack stops plugins and themes from adding 3rd party tracking code to your blog to protect your visitor’s privacy. WP DoNotTrack uses (a slightly modified) version of jQuery AOP to catch and inspect elements that are about to be added to the DOM and renders these harmless if the black- or whitelist says so.

The current version is blacklist-based and stops tracking by media6degrees and quantserve. This can easily be changed in the javascript though. Future versions will include a WordPress admin-page to change these settings.

Possibly related twitterless twaddle:

• Coding for the New Year
• Configure WP DoNotTrack to block what you want
• Why your WordPress blog needs DoNotTrack

# also stop google+ widget
Site plus.google.com
Accept from plus.google.com
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)


# and twitter
Site platform.twitter.com
Accept from twitter.com
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

As access to important online services such as Google should ideally not only rely on just a password (session hijacking anyone?), I activated Google 2-step authentication. What this means is that access to Google (Mail, Docs, …) is now also limited to authenticated devices. If I try to access Google from another computer, I’ll have to authenticate the device using an SMS-challenge or a code generated by the Google Authenticator application on my Android-phone.

If you’re still unsure about what 2-step authentication entails, here’s a brief intro-video from Google:

So yeah, you can have my password now. Theoretically. If you really insist. But even if I do decide to give it to you, you still won’t be able to access my account. How’s that for peace of mind? And now off to Facebook security settings, to enable login notifications & approvals.

It took some time, digging and soul-searching, but it turned out to work fine for all but me. The reason: NoScript! My favorite Firefox Addon has, so I learned, “Automatic Secure Cookie Management” as a countermeasure against HTTPS cookie hijacking (by setting cookies “secure” if they’re set in HTTPS and if they contain something resembling a session-id?). And that feature indeed can break stuff.

So if you’re using NoScript and you’re running into weird cookie-related problems: try with “Automatic Secure Cookie Management” turned off, or add the site you’re on as an exception and you might be good to go.

Possibly related twitterless twaddle:

• Web API security basics
• Quercus PHP on GAE: pining for file handles
• Web 2.0 insecure? Bullshit (of dan toch grotendeels en nu ook met update)!

The summary for TLS-dummies like me:

• According to the TLS spec the server should not only provide it’s own certificate, but also any intermediate certificate between it’s own & the CA’s root
• Browsers (or the OS’es key stores that some browsers depend upon) don’t ship with any intermediate certificate, but can and in some cases will store (cache) them when they come across them. In Firefox, cached intermediate certificates are listed as being part of the “software security device”, whereas root certificates are in the “builtin object token”.

All in all, this means that whenever you’re implementing TLS (or SSL, if you’re old-fashioned) you have  to configure your webserver to provide all intermediate certificates in a “chainfile” as (for example) per Apache’s SSLCertificateChainFile directive.