security Archives - David Yin's Blog
https://www.yinfor.com/tag/security
Tech geek. Life geek.

Problem of Sogou Pinyin IME
https://www.yinfor.com/2024/11/problem-of-sogou-pinyin-ime.html
Fri, 01 Nov 2024 21:46:06 +0000

I used Sogou Pinyin IME for many years. It is easy to use.

To save you time, the conclusion is: do not use Sogou Pinyin IME.

https://shurufa.sogou.com/

Here is the problem I found last month.

The blue circle with the mouse arrow was always there. When I booted the PC, it was normal. After a while, when I opened a browser or ran some programs, the circle came back.

I tried to check every spot in my Windows installation, such as system drivers and antivirus programs, and tried opening Firefox or Chrome, but got the same results.

I knew something was running behind the scenes. It was the reason for the blue circle.

I did not think about Sogou Pinyin. I had used it for many years, ever since Google Pinyin was gone.

Until I saw some news on Google News.

  • Vulnerability in Tencent’s Sogou Chinese Keyboard Can Leak Text Input in Real-Time
  • Almost Every Chinese Keyboard App Has a Security Flaw That Reveals What Users Type

So, I uninstalled the Sogou Pinyin IME. I re-enabled the Microsoft Pinyin.

The blue circle disappeared immediately. Now, it has been almost one month. I believe that Sogou Pinyin did something behind my back. I don’t like it. I know nobody likes this kind of thing. I have to post it and let everyone know.

Upgrade Mastodon from 4.2.5 to 4.2.6 to 4.2.7
https://www.yinfor.com/2024/02/upgrade-mastodon-from-4-2-5-to-4-2-6-to-4-2-7.html
Mon, 19 Feb 2024 06:18:55 +0000

I just finished the upgrades of my Mastodon instance. I saw this notice a few days ago, but I just had no time to do it. I flew to San Francisco last week to look after my father-in-law. He had surgery yesterday and is in the ICU now. I have very limited time to use the computer and to rest.

I got a few hours to sit in front of my laptop tonight. The upgrade takes two steps. The first is from v4.2.5 to v4.2.6.

Mastodon v4.2.5

I entered the following commands to upgrade it. First, SSH to the VPS.

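# Switch to the mastodon user and check out the release tag
sudo su - mastodon
cd live
git fetch --tags
git checkout v4.2.6
# Install the Ruby and JavaScript dependencies
bundle install
yarn install --frozen-lockfile
exit
# Back as the sudo user: restart the Mastodon services
sudo systemctl restart mastodon-sidekiq
sudo systemctl reload mastodon-web
sudo systemctl restart mastodon-streaming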

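Mastodon v4.2.6

The other one is an upgrade from v4.2.6 to v4.2.7.

# Switch to the mastodon user and check out the release tag
sudo su - mastodon
cd live
git fetch --tags
git checkout v4.2.7
# Install the Ruby and JavaScript dependencies
bundle install
yarn install --frozen-lockfile
exit
# Back as the sudo user: restart the Mastodon services
sudo systemctl restart mastodon-sidekiq
sudo systemctl reload mastodon-web
sudo systemctl restart mastodon-streaming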

Then, I restarted the VPS.

Mastodon v4.2.7

Why do I do the upgrades one by one?

I want to play it safe. Since Mastodon does not provide a direct upgrade method, the best way to do the upgrade is one by one.
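The one-release-at-a-time approach above, as an added example that is not part of the original post: given the tags in the checkout, it works out which releases lie between the installed and the target version and prints the post's command sequence once per release for review. The function names and the sample tag list are constructed for this example; the tags would normally come from `git tag -l` in the `live` directory.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: plan a release-by-release
# upgrade from the tags present in the Mastodon checkout.

# Constructed sample of `git tag -l` output, deliberately unsorted.
SAMPLE_TAGS='v4.2.10
v4.2.5
v4.3.0-rc.1
v4.2.7
v4.2.4
v4.2.6'

# upgrade_path CURRENT TARGET
# Reads tags on stdin, one per line. Prints every stable vX.Y.Z tag after
# CURRENT up to and including TARGET, in version order. Returns non-zero when
# an endpoint is not a known stable tag or TARGET is not newer than CURRENT.
upgrade_path() {
    local current="$1" target="$2" tags newest endpoint
    # Ignore pre-releases; sort by version so v4.2.10 lands after v4.2.7.
    tags="$(grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | sort -V -u)"
    for endpoint in "$current" "$target"; do
        if ! printf '%s\n' "$tags" | grep -qxF -- "$endpoint"; then
            echo "not a stable release tag: $endpoint" >&2
            return 1
        fi
    done
    # Refuse downgrades and no-ops.
    newest="$(printf '%s\n%s\n' "$current" "$target" | sort -V | tail -n 1)"
    if [ "$current" = "$target" ] || [ "$newest" != "$target" ]; then
        echo "$target is not newer than $current" >&2
        return 1
    fi
    printf '%s\n' "$tags" | awk -v cur="$current" -v tgt="$target" '
        $0 == cur { seen = 1; next }
        seen      { print }
        $0 == tgt { exit }'
}

# print_plan CURRENT TARGET
# Same input as upgrade_path. Prints the command sequence from the post once
# per intermediate release; nothing is executed.
print_plan() {
    local steps tag
    steps="$(upgrade_path "$1" "$2")" || return 1
    for tag in $steps; do
        cat <<EOF
# --- upgrade to $tag ---
sudo su - mastodon
cd live
git fetch --tags
git checkout $tag
bundle install
yarn install --frozen-lockfile
exit
sudo systemctl restart mastodon-sidekiq
sudo systemctl reload mastodon-web
sudo systemctl restart mastodon-streaming
EOF
    done
}

# Demo on the constructed tag list: two steps, v4.2.6 and then v4.2.7.
printf '%s\n' "$SAMPLE_TAGS" | print_plan v4.2.5 v4.2.7
```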

 

Since I am out of town, I may not publish regularly. Sorry about it.

Critical security Update of my Mastodon instance to v4.2.5
https://www.yinfor.com/2024/02/critical-security-update-of-my-mastodon-instance-to-v4-2-5.html
Fri, 02 Feb 2024 18:43:43 +0000

It has been just a week since I upgraded my Mastodon from 4.2.3 to v4.2.4. Today, I saw this critical update notice when I checked the Mastodon instance this morning.

So, I went to the official v4.2.5 release notes to see exactly what happened.

⚠️ This release is an important security release fixing a critical security issue (CVE-2024-23832).

Corresponding security releases are available for the 4.1.x branch, the 4.0.x branch and the 3.5.x branch.

If you are using nightly builds, do not use this release but update to nightly.2024-02-02-security or newer instead. If you are on the main branch, update to the latest commit.

Yes, it is very important. I should upgrade it immediately.
SSH to the server. Run the following command:

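# Switch to the mastodon user and check out the security release
sudo su - mastodon
cd live
git fetch --tags
git checkout v4.2.5
# Install the Ruby and JavaScript dependencies
bundle install
yarn install --frozen-lockfile
exit
# Back as the sudo user: restart the Mastodon services
sudo systemctl restart mastodon-sidekiq
sudo systemctl reload mastodon-web
sudo systemctl restart mastodon-streaming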

Now, it is OK.

Upgrade the PC BIOS firmware
https://www.yinfor.com/2023/07/upgrade-the-pc-bios-firmware.html
Wed, 12 Jul 2023 00:46:20 +0000

It is time to check the BIOS version of my PC. I do regular maintenance every few months.

The upgrade procedure is the same as before. The motherboard is Asus PRIME B450M-A II. The version of BIOS on the MB is v3802, dated 04/28/2022.

BIOS v3802

I downloaded the latest BIOS file from the official website.

It is v4002 now.

Version 4002
15.73 MB
2023/03/21

Look at the list of updates:

1. Update AGESA version to ComboV2PI 1208
2. Mitigate the AMD potential security vulnerabilities for AMD Athlon™ processors and Ryzen™ processors.

See, the security vulnerabilities are very important.

after upgrade

After upgrading, the version number is 4002 x64.

There were also some modifications when I changed the BIOS settings and did the first restart.

changes of configuration

  • SVM enabled
  • IGFX Multi-Monitor -> enabled
  • Primary Video Device -> IGFX Video
  • UMA Frame Buffer Size -> 2G

That is all.

 

How to Eliminate Attacks on Your Network
https://www.yinfor.com/2020/09/how-to-eliminate-attacks-on-your-network.html
Tue, 15 Sep 2020 09:16:10 +0000

Cyberattacks are, in some ways, an invisible and unpredictable threat, but they can have awful consequences for businesses of all sizes. Around a quarter of businesses will fall victim to a cyberattack, so it is important to prepare for the worst. The best way to eliminate threats to your network is to be proactive and understand the threats you are up against, but with cybercriminals changing their tactics all the time, this is easier said than done. To get you started, here are some tips and techniques you may want to consider when establishing a strong perimeter around your network.

Adopt a Zero Trust approach

The standard approach to perimeter network security is to concentrate on preventing unauthorised users from accessing the network (through firewalls, VPNs, multi-factor authentication, etc.). However, this does not protect the network from users within the network, and many hackers have ways of getting past these defences. A user only needs to find out the relevant passwords, and they would be able to access a network.

A Zero Trust approach to security makes the user prove that they are not attacking the system, even if they are already working within the perimeter. With Zero Trust, you can also limit what a user can access even when they have passed the perimeter. Find out more about what is zero trust security now.

Improve the physical security of your premises

Your premises should be secure for many reasons, but if you have your network onsite, you have another reason to prevent intruders from crossing the boundary. Options include alarms, lighting, security guards, digital locks, and much more. Ten ways to protect your business from crime.

Train your employees regularly 

You, your management team, and employees should be trained in cybersecurity risks as well as how to prevent and deal with cyberattacks. This should include your network administrators, who will have responsibility for managing security on a day-to-day basis. New technologies are being developed all the time to combat the new techniques used by cybercriminals. When employees are aware of the risks posed by phishing emails, clicking on suspicious downloads, or divulging sensitive information to unknown people, the likelihood of human error is significantly reduced. This training should be repeated regularly to ensure they are aware of the latest cyberattack tactics.

Strengthen your authentication procedures

Passwords are often weak, and a lot of people will use the same password for all their accounts or stick with default passwords. You should ensure that your staff are using different passwords for different systems, that passwords are changed regularly, not recorded anywhere unauthorised people could find them, that they are complex, and not related to personal information. Ideally, you should incorporate multilevel authentication to bring in extra layers of security.  

Implement network defences and monitoring software

Finally, there are some essential defences which should be in place to prevent cyberattacks and alert you to threats. These include installing a firewall, using network segmentation, a VPN (Virtual Private Network), an IDS/IPS, and updating software regularly. You can also implement network monitoring software which will provide an early warning at the slightest hint of a threat so you can act as soon as possible.

How to Protect Your Smartphone from Online Threats
https://www.yinfor.com/2019/09/how-to-protect-your-smartphone-from-online-threats.html
Mon, 30 Sep 2019 19:57:43 +0000

Every day, hundreds of people have their smartphone hacked, exposing important data like contacts and even credit card details to criminals that prey upon poorly protected phones.

Whenever your phone connects to the internet, it is at risk from hacking by data thieves that target phones in particular, as they contain nearly all of our important information such as passwords, emails and even the login details to online banking apps.

Fortunately, there are a few steps anyone can take to protect their phones from harm and recover their data if their smartphone is damaged or locked by malicious software.

Use a Virtual Private Network App When Connected to Public Wi-Fi

When you are using public Wi-Fi, such as when you are at a hotel or café, your phone is at risk of being hacked by someone else using that network. Some data thieves are known to connect to these networks regularly in order to steal credit card information from shoppers and tourists.

Virtual Private Networks encrypt and conceal your web traffic, even when using a public Wi-Fi network. These services can also be used from home to protect your online shopping and browsing there, giving you extra peace of mind.

Use an App to Securely Back Up All of Your Smartphone’s Data

Sometimes when a phone is hacked, it can suddenly become corrupted and unusable, trapping your files like your phone numbers and personal photographs on the device. There are apps available that can back up data to an online cloud service, but sometimes they can be missing important and more recent files.

If you have data on a damaged or corrupted smartphone, there are services like mobile data recovery by Secure Data Recovery that can recover data from your device, sometimes even if it has been deleted by a hacking program.

Use a Password Manager to Encrypt and Generate Your Passwords

Our passwords are gatekeepers to a lot of our sensitive information such as emails and bank accounts. Too many people rely on using the same password, or maybe two or three, in order to log in to all their different accounts.

Password managers use encryption algorithms to generate complex passwords for you, and store them in a ‘digital safe’ in an app on your phone and online on a secure server. The password manager will auto-complete passwords on all your accounts, or they can be copy-and-pasted from the app to the login form. This means you have only one password to remember, the one that logs you into your password manager, and you can let it safely and securely do the rest.

We keep a large amount of sensitive data on our phones, and not just banking details and contact information. Your phone probably has hundreds of photos of friends and family, as well as pictures from social media accounts. This information needs to be protected, not just from theft, but also from accidents and problems with a smartphone’s components. With a few apps and the help of professionals, anyone can protect the data on their phone, and recover it if the worst happens.

How to build an Nginx with Brotli and TLS 1.3 support
https://www.yinfor.com/2019/05/how-to-build-an-nginx-with-brotli-and-tls-1-3-support.html
Thu, 23 May 2019 23:05:06 +0000

This is a record of how I built Nginx with Brotli compression and TLS 1.3 support.

I use it on my Linode VPS. It is a Nanode type of VPS at Fremont, CA, USA.

1GB RAM, 25GB storage, 1 CPU.

Ubuntu 18.04 LTS was installed on it.

Linode VPS @Fremont,CA

 

Step 0, Build the system from Linode Dashboard.

Step 1, Update the system

I SSH to the server with user root.

apt update

apt upgrade

Step 2, Enable TCP BBR to improve network speed

sysctl net.ipv4.tcp_available_congestion_control

The above command should report

net.ipv4.tcp_available_congestion_control = cubic reno

To change it to bbr, open the file /etc/sysctl.conf and add the following lines to the end of the file.

net.core.default_qdisc=fq

net.ipv4.tcp_congestion_control=bbr

Save the file and enter the following command

sysctl -p

Step 3, Install Webmin 1.9.0

I like to use webmin as my web panel on VPS.

Enter the following command to install the latest webmin version 1.9.0

apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.910_all.deb
dpkg --install webmin_1.910_all.deb

Reboot the server, the ssh connection is lost.

Step 4, Add a new user

Sign in to Webmin as user root by entering the URL https://ip.address.of.the.vps:10000 into the browser.

Add a new user, for example: davidyin and add sudo as the second group of this user.

From this point, I will use davidyin to do all the ssh jobs. I will not use root in terminal anymore.

Step 5, Build Nginx with TLS 1.3 and Brotli now

SSH the VPS with user davidyin.

First, list the version of the software.

  • Openssl: openssl-1.1.1b
  • Nginx: nginx-1.17.0
  • Brotli: ngx-brotli-0.13rc

 

Install the related software packages.

sudo apt install build-essential

sudo apt install libpcre3 libpcre3-dev zlib1g zlib1g-dev openssl libssl-dev

Prepare the source code.

Nginx:

wget https://nginx.org/download/nginx-1.17.0.tar.gz

tar xvzf nginx-1.17.0.tar.gz

rm nginx-1.17.0.tar.gz

OpenSSL:

wget https://www.openssl.org/source/openssl-1.1.1b.tar.gz

tar xvzf openssl-1.1.1b.tar.gz

rm openssl-1.1.1b.tar.gz

Brotli:

git clone https://github.com/eustas/ngx_brotli.git

cd ngx_brotli

git submodule update --init --recursive

Compile Nginx

cd ~/nginx-1.17.0

./configure \
    --prefix=/usr/share/nginx \
    --sbin-path=/usr/sbin/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --http-client-body-temp-path=/var/lib/nginx/tmp/client_body \
    --http-proxy-temp-path=/var/lib/nginx/tmp/proxy \
    --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \
    --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi \
    --http-scgi-temp-path=/var/lib/nginx/tmp/scgi \
    --pid-path=/run/nginx.pid \
    --lock-path=/run/nginx.lock \
    --user=www-data \
    --group=www-data \
    --with-openssl=../openssl-1.1.1b \
    --with-openssl-opt=enable-tls1_3 \
    --with-http_v2_module \
    --with-http_ssl_module \
    --with-debug \
    --with-http_gunzip_module \
    --with-http_realip_module \
    --with-http_sub_module \
    --with-http_gzip_static_module \
    --with-threads \
    --with-file-aio \
    --add-module=../ngx_brotli

make

sudo make install

Make Nginx a service

If you cannot start Nginx as a service with "sudo service nginx restart", create a new file at /etc/systemd/system/nginx.service

cd /etc/systemd/system

sudo nano nginx.service

Paste the following content:

# Stop dance for nginx
# =======================
#
# ExecStop sends SIGQUIT (graceful stop) to the nginx process.
# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
# and sends SIGTERM (fast shutdown) to the main process.
# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
#
# nginx signals reference doc:
# http://nginx.org/en/docs/control.html
#
[Unit]
Description=A high performance web server and a reverse proxy server
After=network.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /var/run/nginx.pid
TimeoutStopSec=5
KillMode=mixed
[Install]
WantedBy=multi-user.target

Enter the command to check the version:

nginx version: nginx/1.17.0
built by gcc 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04)
built with OpenSSL 1.1.1b 26 Feb 2019

Now the Nginx server supports TLS 1.3 and Brotli compression.
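A way to confirm that the finished binary really contains what Step 5 asked for, as an added example that is not part of the original post: it parses `nginx -V` output and checks the linked OpenSSL version, the SSL and HTTP/2 modules, and ngx_brotli. The sample output is constructed from the lines shown above plus a shortened configure-arguments line, and the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: check `nginx -V` output for the
# features this build is supposed to have.

# Constructed sample: the three lines shown in the post plus a shortened
# "configure arguments" line of the kind `nginx -V` prints after them.
SAMPLE_NGINX_V='nginx version: nginx/1.17.0
built by gcc 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04)
built with OpenSSL 1.1.1b 26 Feb 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --with-openssl=../openssl-1.1.1b --with-openssl-opt=enable-tls1_3 --with-http_v2_module --with-http_ssl_module --add-module=../ngx_brotli'

# built_openssl_version: print the X.Y.Z part of "built with OpenSSL X.Y.Zn".
built_openssl_version() {
    sed -n 's/^built with OpenSSL \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_ge A B: succeed when version A >= version B.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# check_nginx_build: read `nginx -V` output on stdin, print one line per
# check and return non-zero if any expected feature is missing.
check_nginx_build() {
    local out args ver flag failed=0
    out="$(cat)"
    # One configure argument per line, so flags can be matched exactly.
    args="$(printf '%s\n' "$out" | sed -n 's/^configure arguments: //p' | tr ' ' '\n')"
    ver="$(printf '%s\n' "$out" | built_openssl_version)"

    # TLS 1.3 needs nginx to be built against OpenSSL 1.1.1 or later.
    if [ -n "$ver" ] && version_ge "$ver" 1.1.1; then
        echo "ok      OpenSSL $ver (TLS 1.3 capable)"
    else
        echo "MISSING OpenSSL >= 1.1.1 (found: ${ver:-none})"
        failed=1
    fi

    # Modules requested on the ./configure line in the post.
    for flag in --with-http_ssl_module --with-http_v2_module; do
        if printf '%s\n' "$args" | grep -qxF -- "$flag"; then
            echo "ok      $flag"
        else
            echo "MISSING $flag"
            failed=1
        fi
    done

    # ngx_brotli is a third-party module, so it appears as --add-module=<path>.
    if printf '%s\n' "$args" | grep -Eq -- '^--add(-dynamic)?-module=.*ngx_brotli'; then
        echo "ok      ngx_brotli"
    else
        echo "MISSING ngx_brotli"
        failed=1
    fi
    return "$failed"
}

# Demo on the constructed sample; all four checks pass.
printf '%s\n' "$SAMPLE_NGINX_V" | check_nginx_build
```

On the server run `nginx -V 2>&1 | check_nginx_build`, since nginx prints this information on stderr. A capable build still serves neither feature until the configuration turns it on: `ssl_protocols` has to list `TLSv1.3` and `brotli on;` has to be set.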

Firefox help you to check your account breach
https://www.yinfor.com/2019/04/firefox-help-you-to-check-your-account-breach.html
Thu, 11 Apr 2019 15:12:02 +0000

Firefox provides a new service, Firefox Monitor.

You can check how much of your personal data has been exposed in breaches on the Internet. Just enter the email address which you used on the Internet and click "Search Firefox Monitor".

Firefox Monitor

For example, I entered an email I have used for more than ten years. It told me that this email appeared in 10 data breaches.

Firefox Monitor search results

 

You can sign up to have this tool monitor your email. When a new data breach happens and the monitor finds your email in it, it will send you an email to notify you.

Later, I found that the breach data is provided by Have I Been Pwned.

If you already use Have I Been Pwned, you don’t have to use Firefox Monitor as well. It is almost the same.

The suggestion is very helpful.

What to do when your information is exposed in a data breach.

 

  1. Change your passwords, even for old accounts.
  2. Stop using the exposed password, and change it everywhere you’ve used it.
  3. Take extra steps to secure your financial accounts.
  4. Get help remembering all your passwords and keeping them safe.

Another Facebook security failure: millions of records leaked
https://www.yinfor.com/2019/04/another-facebook-security-failure-millions-of-records-leaked.html
Thu, 04 Apr 2019 21:52:28 +0000

540 million data records of Facebook users were compromised after third-party apps and sites stored the data on unsecured servers.

The leaked information included comments, likes, reactions, account names, and FB IDs, and some email addresses. The app called At The Pool even stored passwords of 22,000 users in plaintext.

Security expert tips: If you have used At The Pool, make sure you are not reusing the same password for any other accounts. All other Facebook users, beware of phishing attacks based on your account activity.

How to protect yourself

  • Don’t use third-party Facebook apps. These apps collect data on Facebook and deliver it to third parties who may not be secure. If you don’t want your private data showing up on unsecured servers, don’t use any third-party apps on Facebook.

  • Don’t use Facebook. This is a tough ask for many users, but the arguments for leaving Facebook are growing. With more and more data breaches and suspicious activities coming to light every month, more people are questioning whether this free service is worth it.

  • Reduce your Facebook activity levels. The less time you spend on Facebook and the less you do on their platform, the less they know about you. When creating or editing your account, don’t provide them with any more data than they need to provide their service.

Google to kill Google+ because of big data leak
https://www.yinfor.com/2018/10/google-to-kill-google-because-of-big-data-leak.html
Fri, 26 Oct 2018 01:02:23 +0000

Some time ago, on October 8, 2018, Google came out and admitted to a data breach in its Google+ social network, because of a software bug. This bug resulted in close to 500,000 user accounts getting compromised. There is no proof available so far that any user’s personal information was misused. If you recall, not too long ago, Google had to allay fears among its users that the developers were being given access to the users’ Gmail accounts, and could potentially misuse them.

As per an article published in the Wall Street Journal, Google chose not to come out with the details in the open, regardless of the fact that the data belonging to so many users was at risk. The company feared major damage to its reputation.

 

What exactly happened?

In the period between 2015 and March 2018, a good number of outside developers were potentially able to access the personal Google+ data of the users, because of a software glitch in the system. Although an internal memo warned about the potential ‘regulatory interest’ if the leak was made public, leading to comparisons with Facebook and the like (owing to the Cambridge Analytica scandal), no notification was sent to the users of the social network.

Google+ users normally provide access to their profile data to the apps run by Google+, through API. This bug resulted in apps getting access to all their profile fields, including the ones not marked as public. Google clarified in a statement that this data is usually limited to only optional and static Google+ profile fields, such as the name, age, gender, occupation and email address. The tech giant said in a statement, “It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.”

 

As Google keeps the log data of APIs for no more than two weeks, it wasn’t sure about the users that were impacted by this glitch. However, after carrying out detailed analysis that spanned over two weeks, before the bug was patched, Google disclosed that close to 500,000 accounts were impacted. The company claims that no evidence was found of developers being aware of this bug, or any account abuse happening.

It also posted the following on its blog: “Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”

What is Google planning to do now?

As per an announcement made on the company’s blog, Google will be ‘sunsetting’ the Google+ service for general consumers and offer it only to the business customers from here on. It is also putting processes in place to tighten up its security systems, as well as various privacy measures throughout the Google suite. The company will also roll out various additional controls in the near future and will update the policies associated with its APIs.

Do not use Google Authenticator
https://www.yinfor.com/2018/08/do-not-use-google-authenticator.html
Tue, 14 Aug 2018 00:12:01 +0000

After I changed my old smartphone to an LG Q6, I wanted to transfer all my apps to it. I used Google Authenticator for a bunch of websites as the two-factor authentication. I just found that Google Authenticator cannot move all these accounts to my new phone. To do the transfer, I have to manually re-add each one to Google Authenticator on the new phone.

So, I did a little bit of research. I found Authy is a good replacement. There is a blog post to compare these two facilities on Authy’s website.

For me, I personally like the following features:

  • Multi-device support
  • Support Windows and Mac as well
  • Support backups

Looks cool.

First, I checked all the accounts in my Google Authenticator app. I signed in to the websites one by one and disabled the old 2FA, which was powered by Google Authenticator.

Second, I added a new 2FA and used Authy to scan the barcode on the screen to complete the addition.

Third, I removed the account from the Google Authenticator app.

Following the procedure above, I transferred all accounts except the Google account itself.

If I don’t want to use Google Authenticator, how do I handle the Google account’s 2-step verification?

I go to Google 2-step verification webpage. I have three ways of 2-step verification.

  1. Google Authenticator (Default)
  2. Voice or Text message to my cell phone
  3. Backup codes

The default is Google Authenticator. I deleted the Authenticator first. Google told me that voice or text message had become the default.

I think this may be a problem when I go abroad. My cell phone has no roaming plan.

OK, I found Google 2-step verification has an alternative way, Google prompt. It is OK to use it instead of Google Authenticator.

When you sign in to your Google Account, you’ll get a “Trying to sign in?” prompt sent to your phone.

 

 

The very last step is to uninstall Google Authenticator from my smartphone and my tablets.

4 Ways You Can Simplify How You Check-in Visitors To Your Premises
https://www.yinfor.com/2018/07/4-ways-you-can-simplify-how-you-check-in-visitors-to-your-premises.html
Mon, 23 Jul 2018 21:09:02 +0000

The post 4 Ways You Can Simplify How You Check-in Visitors To Your Premises appeared first on David Yin's Blog.

Visitor access management is a tricky subject for security experts. This is especially true for secure locations such as hospitals, schools, and office buildings. Visitor management has two sides to it: location security and visitor hospitality. You do not want to compromise the security of your premises, nor do you want any visitor to feel unwelcome or annoyed by the check-in process. In this article, we will look at four ways you can simplify and improve your visitor management process.

Automation: If you are in charge of a large organization and are required to check in thousands of visitors on a daily basis, investing in an automatic visitor access management system will pay off in the long run. These systems work with minimal manual entry and allow security personnel to print plastic ID badges for visitors, with all required data points, in no time. Automation also involves a robust backend software system that holds the data for quick access.

Print reusable plastic ID cards: With the world getting conscious of our use of plastic, it is a good idea to invest in reusable ink for your plastic ID cards. If you need to manage a large number of visitors in a day, reusability will help manage cost as well. While paper printouts make for a good solution, the output looks unprofessional and clumsy. Plastic badges, on the other hand, look professional and last longer, especially if the visitor is in for manual labour.

Save data: It is a good idea to save the data of the visitors entering your premises. A good way to do that is to save certain unique fields such as phone number or email address and tag them to profiles. If biometric authentication is a possibility, that simplifies the process even further. Once a visitor has checked in, repeat visits are just a matter of pulling the previous data and printing plastic ID badges for visitors.

Physical security setup: Physical security covers not only what the visitor is carrying into the building, but also what they are carrying out. The easiest way to keep tabs is to have all information printed on the visitors’ badges. Everything should be noted, from vehicle details to personal storage devices carried. This needs careful planning and execution. You don’t want your visitor to make multiple pit stops, one for each item. Your security setup should enable visitors to use one identification for everything, from access to relevant areas to paying for parking.

With biometric authentication taking the security industry by storm, it is always a good idea to stay ahead of the game. With Android and other software systems allowing seamless integration with biometric devices, it is only a matter of time before visitor check-ins become as simple as swiping plastic ID badges for visitors. Security and hospitality remain the most important concerns of building administrators across the world. A seamless visitor check-in system will only add value to that.

Windows 10 Tips and Tricks- Infographic
https://www.yinfor.com/2017/04/windows-10-tips-tricks-infographic.html
Sat, 29 Apr 2017 08:05:13 +0000

The world is moving towards upgrades, as new inventions are scarce and upgrades are plentiful. Microsoft Windows has been one such franchise. People are often heard saying that they are happy with their current Windows and don’t need an upgrade. This argument is negated by the fact that no one uses Windows 95 or the Millennium Edition anymore. Windows 10 is the latest upgrade, and you should get it as soon as possible, as you are missing out on a lot of features.

Some of the basic features to die for include:

Speed

Startup and boot take less time than in any Windows version in history, and an inbuilt DirectX capability enhances the gameplay experience.

Startup menu

The customizable startup menu has everything you need while running your computer. It combines features suited to advanced mouse users with modern user interface elements. The big menu can be changed according to your needs and can help you do anything without opening any hard disk partition.

Security

Additional firewall and data security features ensure that your PC and data are always safe. Microsoft Passport and Windows Hello are the features that enhance the old security protocols. Data recovery software ensures that your data is secure and recoverable even if the system goes haywire.

Snapping apps

A single screen can hold up to four snappable apps, which helps you greatly in multitasking across work, entertainment, communication and/or social media.

Data recovery

One button data recovery enables you to never lose a single byte of data even when you are somehow locked out of the system. One button file recovery software gives you peace of mind that you will never lose your data in any circumstance.

Schedule updates

Automatic updates are one of the greatest features of Windows 10. They help you stay up to date, help your computer guard against new viruses, and make old hardware run better and more efficiently. All this happens at a pre-set time when you are not using your machine.

Infographic Source : http://www.easeus.com/infographics/windows-10-tips-and-tricks.html

Your Small Business Needs Cyber Security
https://www.yinfor.com/2017/04/small-business-needs-cyber-security.html
Sun, 23 Apr 2017 09:43:56 +0000

Just because you own a small business does not mean your security threats are small. Small businesses are especially vulnerable due to their lack of security. Forty-three percent of cyber attacks target small businesses. Cyber criminals are aware of the cyber security shortcomings small businesses face: these businesses are often working with cheap, outdated equipment and may have less knowledgeable staff. It is time to make cyber security a priority for your business.

Targets

Your small business is a prime target for hackers. You have more digital assets than individual consumers and less security than larger businesses. Many small businesses underestimate their vulnerability, assuming they are not a target. There are many techniques hackers use to attack small businesses.

  • Advanced Persistent Threats (APT) – These long-term targeted attacks use multiple phases to avoid detection.
  • Distributed Denial of Service (DDoS) – Hackers intentionally overload a target’s website or network system with requests with the goal of causing the website or network to shut down.
  • Malware – “Malicious software” is any program introduced into the computer with the intent to cause damage or allow unauthorized access.
  • Password Attacks – There are many ways hackers can gain access to your password. The three main approaches include brute-force (guessing), dictionary attack and keylogging.
  • Phishing – This is the most common form of cyber attack. Sensitive data is collected through legitimate-looking websites. These are usually sent via email.

Educate Yourself

Consider taking online courses to increase your knowledge of your risks and solutions. Schools like Maryville University offer courses and degree programs in cyber security. You can take self-paced training courses that allow you to educate yourself despite your busy schedule. Online learning is a great resource for busy entrepreneurs. You are not bound to physical class sessions. You can easily access classes from anywhere. Since you are pumping all of your income into building a business, you want to save money at every opportunity. Internet-based courses save you both time and money.

Once you have the knowledge, pass it on to your employees. Make sure they are aware of the reality of online threats. Make sure there are security practices and policies in place and make sure the staff is aware of them. Social networking is a common distraction in the workplace. Educate employees on safe practices. Hold employees accountable to your business’s internet security policies and procedures.

Be Safe

It is important to do your best to protect yourself and your business against cyber attacks. As a small business, you are a target. Here are five steps to help keep information safe online.

  • Enable strong, two-factor authentication and create strong passwords
  • Update your operating system, browser and other critical software regularly
  • Make communication about cyber safety a priority around the workplace
  • Use privacy settings and limit the amount of sensitive information shared online
  • Always verify unknown links, attachments or emails before opening

Solutions

Different types of security software provide varying levels of protection. Antivirus software protects against most types of malware and is very common. Firewalls prevent unauthorized users from accessing your computer or network. This is a great added level of protection. It is also wise to invest in a data backup solution. If information is lost or compromised, it can be easily recovered from your backup source. Encryption software helps protect sensitive data.

Don’t delude yourself into thinking your small business has nothing worth stealing. Don’t allow yourself to be a target. Educate yourself and your employees on the dangers of cyber threats. Create enforceable internet security policies and procedures. Use safe practices to protect your passwords and sensitive information. Cyber security should be a top priority. Put protections in place and make sure to back up all your important information in case of a security breach.

Upgrade WordPress to 4.2.2
https://www.yinfor.com/2016/02/upgrade-wordpress-to-4-2-2.html
Tue, 02 Feb 2016 18:47:29 +0000

It is a security update. Some of my blogs do not have auto-update, so I manually update them by signing in.

WordPress 4.4.2 contains fixes for 19 bugs from 4.4 and 4.4.1, including:

  • wp_list_comments ignores $comments parameter
  • 4.4 Regression on Querying for Comments by Multiple Post Fields
  • Pagination issue on front page after 4.4.1
  • ModSecurity2 blocks Potential Obfuscated JavaScript in outbound anomaly

See the complete list of changes on Trac

Keeping WordPress secure is one of the most important jobs in site administration.
