David L. Farquhar on technology old and new, computer security, and more
Lifehacker says it costs you money to make your IRA contribution all in April. Unfortunately, their advice to contribute in January is an oversimplification. Don’t make your whole IRA contribution in April, but don’t do it in any other single month either.
Contributing all year gives a better result.
I scan the network I’m paid and sworn to protect on a nearly daily basis. I experienced a problem with the account I use for that, and I tested by scanning a small quantity of machines (my own and my cubicle neighbor’s) with my own account to make sure the problem was the account, not the tool.
Fixing the account has become a problem–my boss’ problem now–but when I told him about it, I said I could scan the network with my personal admin account, but didn’t want to. One reason has to do with liability and HR. The other, believe it or not, is technical.
You may have heard people like me talk about watering-hole attacks. It’s an indirect attack on someone by compromising a third party and using that to get in. Here’s a watering hole attack example from the real world.
In this case, back in November, attackers got a Forbes ad server, and from there, attacked visitors from government and bank networks.
Here’s the logic: Since ad servers tend to be much less secure than your target company, you compromise an ad server from a site someone on the target network is likely to visit, then infect them from there. The attackers jumped to the ad network first. That put them into position to jump onto government and bank networks.
When using vintage Lionel transformers, it’s important to make sure the power cord isn’t broken or frayed to avoid the risk of electric shock or starting a fire. If yours is, here’s how to replace a Lionel transformer power cord.
Replacing a power cord safely is a lot easier than most people make it sound. It’s possible to do the job safely with simple tools and a few dollars’ worth of parts from the nearest hardware store.
I’ve talked at length about HP’s new mini PCs, but there are some alternatives in the DIY space. For example, Asrock offers the D1800B-ITX, which sells for around $53. Going the DIY route, you won’t get a discounted copy of Windows, but you also won’t spend money on RAM and an SSD that you’re going to end up replacing and you can get exactly as much CPU as you want.
Now that SSDs and CPUs that consume 10 watts are readily available and inexpensive, it’s possible for almost any mainstream PC to be a silent PC. You can of course buy new cases for silent-PC builds, but if you want to upgrade and save a little money while doing it, you can easily convert a legacy case of almost any age to work silently. If you have an AC adapter from a discarded or disused laptop or LCD monitor, you can do this project for less than $30. Here’s how.
From time to time I have to pull up Programs and Features (formerly known as Add and Remove Programs in obsolete versions of Windows), but I’m not an administrator. Not normally, at least. When I need to do so, I run cmd.exe using my administrative ID–I created a shortcut and pinned it to my Start Menu so I can right-click cmd.exe and select “Run As”–and then, from the command prompt, I type appwiz.cpl. Then I can make all the changes I need to make, without the hazards associated with logging in as an administrator and running everything with admin rights.
A commenter asked me last week if I really believe the lock in a web browser means something.
I’ve configured and tested and reviewed hundreds of web servers over the years, so I certainly hope it does. I spend a lot more time looking at these connections from the server side, but it means I understand what I’m seeing when I look at it from the web browser too.
So here’s how to use it to verify your web connections are secure, if you want to go beyond the lock-good, broken-lock-bad mantra.
So, if you haven’t heard by now, last year Lenovo experimented with preloading its cheapest laptops with spyware that subverts HTTPS, allowing a third party to inject ads on any web page, and providing a convenient place for an attacker to hide behind while messing with your secure transactions.
By the end of the day yesterday, Lenovo had apologized, sort of, and after several sites had provided removal instructions, Lenovo provided its own. After spending much of the day downplaying the security concerns, by the end of the day they were at least reluctantly acknowledging them.
This was really bad, and I’ll explain why in a second, and I’ll also try to explain why Lenovo did it.
Earlier this year at CES, HP introduced its HP Stream Mini ($180) and Pavilion Mini ($320 and $450) mini-desktops. They’re small, inexpensive, and in the case of the Stream, silent. They turn out to be surprisingly upgradeable as well. Ars Technica has details and benchmarks (link removed in retaliation for Conde Nast’s 11/3/2025 layoffs, sorry not sorry) but of course I have my own priorities based on their discoveries.