A different default browser with a different default search

Several weeks ago, I switched my laptop to a setting I’d last maintained in the previous decade: Mozilla Firefox as the default browser.

Firefox took the place of Microsoft’s Edge, which I’d decided to give a shot as part of my reintroduction to Windows before seeing Edge crash too often. In another year, I would have made Google’s Chrome the default instead–but a combination of privacy and security trends led me to return to an old favorite.

Firefox had been my default browser in Windows since February of 2004, when it was an obvious pick over the horrific Internet Explorer 6. But a few years after the 2008 introduction of Chrome, Firefox had stopped keeping up, and I began relying on Chrome in Windows.

I kept Safari as the default on my Macs for its better fit with the operating system–although its memory-hogging habits had me close to also dumping it for Chrome until a recent round of improvements.

Last year, however, Mozilla shipped a faster, more memory-efficient version of Firefox. That browser has since finally caught up with Chrome in supporting “U2F” two-step verification, where you plug in a cryptographically signed USB flash drive to confirm a login. And as I realized when writing a browser-comparison columns for USA Today, Firefox comes close to Safari at protecting your privacy across the Web–especially if you install its Facebook Container extension, which blocks Facebook’s tracking at other sites.

This doesn’t mean I’ve dropped Chrome outright. I almost always keep both browsers open, with much of my Chrome tabs devoted to such Google services as Gmail and Google Docs. (Confession: I only learned while writing this that Google Docs’ offline mode now works in Firefox.) Chrome continues to do some things better than Firefox–for instance, while it doesn’t offer a simplified page-display option like Firefox’s Reader View, it’s been more aggressive at disciplining intrusive ads.

When I set Firefox as the default in Windows, I also switched its default search from Google to the privacy-optimized DuckDuckGo. That’s something I’d done in my iPad’s copy of Safari years ago, then recommended to readers last July in a Yahoo post; it seemed a good time to expand that experiment to a browser I use more often.

Since DuckDuckGo doesn’t match such Google features as the option to limit a search to pages published within a range of dates, I’m still flipping over to Chrome reasonably often for more specialized searches. But even there, I’ve reduced my visibility to Google by setting a sync password to encrypt my browsing history.

All this adds up to considerably less Google in my Web life. I can’t say it’s been bad.

Advertisements

A travel to-do for Android Pie: enable lockdown

The first new feature in Android Pie that I noticed after installing it on my Pixel 12 days ago was its Adaptive Battery feature, which hunts and handcuffs energy-hungry apps (yes, that seems like a feature that shouldn’t have had to wait for a 9.0 release). The first new setting I changed was Pie’s “lockdown” option.

That’s the feature Google left out of the keynote sessions at Google I/O in May and instead saved for the closing minutes of a more technical briefing on the last day of the conference. Lockdown disables your phone’s fingerprint unlock and hides all notifications from the lock screen–a useful option if, as Android security manager Xiaowen Xin said during this presentation, “you need to hand it over for inspection at a security checkpoint.”

Or as avgeek blogger Seth Miller phrased things in a tweet then, it’s Android’s “airport mode.” It’s how you’d want your phone to behave if you must hand it over to somebody you shouldn’t automatically trust.

But lockdown isn’t on by default or all that easy to find. You have to open the Settings app, tap “Security & location,” tap “Lock screen preferences,” and then tap the slider next to “Show lockdown option” so it’s highlighted in blue.

Turning it on isn’t super-obvious either: Wake but don’t unlock your phone by pressing the power button, then hold down the power button again for about a second. You should see a “Lockdown” button on a menu that will pop out of the right side of the screen; tap that, and your fingerprint’s no good to unlock the device.

Now you know. Whenever you get Android Pie on your phone–yes, I realize that could be many months, unless apathetic vendor support prolongs that timeframe to “never”–enable this option. Then please get in the habit of using it.

Black Hat priorities: don’t get pwned, do get work done

LAS VEGAS–I took my own phone and laptop to the Black Hat USA security conference here, which is often held out as a bad idea.

Before I flew out to Vegas Tuesday, I got more than a few “Are you bringing a burner phone?” and “Are you leaving your laptop at home?” questions.

Black Hat backdropBut bringing burner hardware means dealing with a different set of security settings and doesn’t address the risk of compromise of social-media accounts. And writing thousand-word posts on my phone risks compromising my sanity.

So here’s what I did with my devices instead:

  • Put my laptop in airplane mode, then enabled only WiFi to reduce the PC’s attack surface to that minimum.
  • For the same reason, turned off Bluetooth and NFC on my phone.
  • Set the Windows firewall to block all inbound connections.
  • Used a loaner Verizon hot spot for all my data on both my laptop and phone–I even disabled mobile data on the latter gadget, just in case somebody set up a malicious cell site.
  • Connected only though a Virtual Private Network on both devices, each of which were set to go offline if the Private Internet Access app dropped that encrypted connection.
  • Did not plug in a USB flash drive or charge my phone through anything but the chargers I brought from home.
  • Did not download an update, install an app, or type in a password.
  • Did not leave my laptop or phone alone in my hotel room.

Combined, this probably rates as overkill–unless the National Security Agency or a comparable nation-state actor has developed an intense interest in me, in which case I’m probably doomed. Using a VPN alone on the conference WiFi should keep my data secure from eavesdropping attempts, on top of the fact that all the sites I use for work already encrypt their connections.

But for my first trip here, I figured I’d rather err on the side of paranoia. (You’re welcome to make your case otherwise in the comments.)

Then I showed up and saw that everybody else had brought the usual array of devices. And a disturbing number of them weren’t even bothering to use encryption for things as basic as e-mail.

When your old laptop dies at the perfect time

My old MacBook Air is now not only retired but dead. And it could not have happened at a better time.

I had resolved to donate the 2012-vintage laptop I’d finally replaced with an HP Spectre x360 last fall by donating it to the local Apple user group Washington Apple Pi, whose MacRecycleClinic refubishes still-functional Macs for reuse and scavenges the rest for parts. And since I’m speaking at Saturday’s Pi meeting about the state of computer security–the gathering runs from 9:30 a.m. to noon-ish in Enterprise Hall room 178 at George Mason University’s main campus in Fairfax, with my spot a little after 11 a.m.–I could bring the old Air with me to hand over.

So yesterday afternoon, I made one last backup of the Air’s files, signed it out of its Web services as per Apple’s advice, and rebooted it into macOS Recovery to wipe the drive and re-install macOS High Sierra from that hidden partition. Then I followed the counsel of experts for a USA Today column earlier this month and used Apple’s FileVault software to encrypt its solid state drive all over again.

Several hours later, High Sierra wrapped up that chore. I once again rebooted into Recovery, used Disk Utility to wipe the SSD–and then couldn’t install High Sierra, because the installer reported that the drive’s Self-Monitoring, Analysis, and Reporting Technology (SMART) software had found a problem that left the volume unusable.

After a moment’s irritation, I realized that this timing was perfect. It followed not just five years of trouble-free drive performance but a complete erasure, re-encryption and re-erasure of the volume, so there could be nothing left to recover–and therefore no need to apply physical force to destroy the drive. This Mac has failed me for the last time, and I am okay with that.

An occupational risk of freelancing: zero words on topic A

The European Commission socked Google with a €4.34 billion fine Wednesday over its treatment of Android device vendors, and I have had zero words published to my name about that blockbuster ruling.

It happens. When you’re not on staff and not in the newsroom as a major story breaks, you can get left aside as staff writers jump on that topic and editors scurry to get their copy posted. That collective rush to publish–and the glut of hot takes about whatever tech issue tops a day’s headlines–may then result in you not being able to sell anything about said storyline before everybody’s moved on to the next breaking topic.

So, yes, I have not opined at length over the EC’s judgment that Google abused its market power in requiring Android vendors to ship its Chrome browser and set its own search as the default if they wanted to bundle the Play Store. I haven’t even gone on radio or TV to spout off on Google getting this roughly $5 billion haircut, leaving only my initial, skeptical tweets as my comments.

I feel like I’ve put my tech-pundit status in jeopardy, especially considering the shameful lack of even unpaid broadcast exposure.

On the other hand, I should appreciate being able to think through this matter instead of having to file 800 words of first-few-hours analysis.

On the other other hand, my self-employed status also means I don’t have to crank out four posts in a day every time Apple commits news. And not being beholden to a single newsroom lets me self-assign less-obvious coverage, as long as I can find a willing client. That occupational flexibility may yet allow me to get back to Topic A in tech news this week, if I can just find the right angle to pitch to the right editor…

Another part of the world where I need to use a VPN

I spent last week in London with my family–yes, actual vacation-esque time! It was great, except for when I was trying to keep up with news from back home.

My first stay across the Atlantic since the European Union’s General Data Protection Regulation went into force May 25 brought home the unpleasant reality of some U.S. sites’ continued struggles with this privacy law. And instead of experiencing this only briefly in a Virtual Private Network session on my iPad, I got a full-time dose of it.

The biggest problem is sites such as the Chicago Tribune and the Los Angeles Times that have blocked all European access instead of providing the privacy controls required by the GDPR.

That’s not the fault of the GDPR–its provisions were set two years ago–but is the fault of Tronc, the long-mismanaged news firm formerly known as Tribune Publishing. Tronc could afford to pay $15 million to former chairman Michael Ferro after he quit facing charges of sexual abuse but apparently couldn’t afford to hire any GDPR-qualified developers. I hope the LAT can fix that now that Tronc has sold the paper, but it may be a while before I can link to any Tribune stories without annoying European readers.

With my client USA Today, the issue isn’t as bad: It provides EU readers with a stripped-down, ad- and tracking-free version of the site, which you can see at right in the screenshot above. What’s not to like about such a fast, simple version? Well, I can’t see comments on my own columns, and simply searching for stories requires switching to Google… by which I mean, Bing, since right-clicking a Google search result doesn’t let you copy the target address, and clicking through to a Google result will yield an EU-specific USAT address.

The simplest fix for these and other GDPR-compliance glitches was to fire up Private Internet Access on my laptop and connect to one of that VPN service’s U.S. locations–yes, as if I were in China. It seems a violation of the Web’s founding principles to have to teleport my browser to another continent for a task as simple as reading the news, but here we are.

Bandwidth battles in China

SHANGHAI–Crowded gadget trade shows like CES and Mobile World Congress usually entail connectivity complaints. But when you put the gadget show in China, you level up the complexity, thanks to the need to run a Virtual Private Network app to preserve access to U.S. sites blocked by China’s Internet filters.

In theory–and in every PR pitch from a VPN service advertising itself as the surefire way to stop your ISP from tracking your online activity–that should add no difficulty to getting online. You connect, the VPN app automatically sets up an encrypted link to the VPN firm’s servers, and then you browse as usual.

PIA VPN exit-server menu

The reality that I’ve seen at CES Asia this week while using the Private Internet Access Windows and Android apps has been a good deal less elegant.

  • Often, the PIA app will connect automatically to the best available server (don’t be like me by wasting selecting a particular U.S. server when the app usually gets this right) to provide a usable link to the outside world. But it’s never clear how long that link will stay up; you don’t want to start a long VoIP call or Skype conference in this situation.
  • On other occasions, the app has gotten stuck negotiating the VPN connection–and occasionally then falls into a loop in which it waits increasingly longer to retry the setup. Telling it to restart that process works sometimes; in others, I’ve had to quit the app. For whatever reason, this has been more of a problem on my laptop than on my phone.
  • The WiFi itself has been exceedingly spotty whether I’ve used my hotel WiFi, the Skyroam Solis international-roaming hotspot I took (a review loaner that I really, really need to send back), the press-room WiFi or, worst of all, the show-floor WiFi. Each time one of those connections drop, the VPN app has to negotiate a new connection.

If you were going to say “you’re using the wrong VPN app”: Maybe I am! I signed up for PIA last year when the excellent digital-policy-news site Techdirt offered a discounted two-year subscription; since then, my client Wirecutter has endorsed a competing service, IVPN (although I can’t reach that site at the moment). Since I don’t have any other trips to China coming up, I will wait to reassess things when my current subscription runs out next April.

Also, it’s not just me; my friend and former Yahoo Tech colleague Dan Tynan has been running into the same wonkiness.

To compound the weirdness, I’ve also found that some connectivity here seems to route around the Great Firewall without VPN help. That was true of the press-room WiFi Thursday, for instance, and I’ve also had other journalists attending CES Asia report that having a U.S. phone roam here–free on Sprint and T-Mobile, a surcharge on AT&T or Verizon–yielded an unfettered connection.

At the same time, using a VPN connection occasionally left the CES Asia site unreachable. I have no idea why that is so.

What I do know is that I’ll very much appreciate being able to break out my laptop somewhere over the Pacific in a few hours and pay for an unblocked connection–then land in a country where that’s the default condition.