A Skype alternative worth its salt: Jitsi

I’ve been using Skype, Google Talk and Facebook chat for years to communicate with friends and family. They’re all convenient, reliable and easy to use. But there is a big problem: they are all very easy for third parties to record and monitor. We now know that:

  • Microsoft (owner of Skype) keeps records of who talked to whom and for how long. We also have very good reason to believe that there are tools out there (built by private companies and sold to governments) that can eavesdrop on Skype voice calls. Skype executives have been unable to deny that they comply with local law enforcement requests to eavesdrop on Skype calls.
  • Google definitely record all of your text chats. They don’t deny they do that, even when you use the “Go off the record” option in Google Talk. We’re not sure what recording they do with voice calls but can be certain that they comply with the law – therefore building “legal intercept” capabilities into their products.
  • Facebook record and analyze all of your text chats and will report you to the police if they see anything “suspicious” (source: Reuters). We don’t know what they do with voice/video calls, but again can be certain that they comply with the law – therefore building “legal intercept” capabilities into their products.

So if you happen to live in a surveillance state (think countries of the Arab Spring, think UK with their repeated attempts to introduce surveillance of their citizens, think USA with their record-breaking demands for your personal data from all of the above service providers (Microsoft, Google and Facebook)) then you can expect that all your online communications with your loved ones (voice calls, video calls, text chats) are recorded and stored, or at least eavesdropped upon. They’re all great free services that allow you to keep in touch with people, with one caveat: the government is listening in.

If you have no problem with that, perhaps because you subscribe to the flawed “I have nothing to hide” school of thought, read no further.

If you feel that being spied upon constantly, and having no reasonable expectation of privacy for your online life is not cool, read on.

The work of thousands of visionaries (starting with people like Richard Stallman in the 70’s) has today given us the free tools to protect our online communications to a reasonable degree. These are not tools to stop a police investigation against you from succeeding – these are tools that empower you to opt-out from the surveillance-by-default communications channels most of us use, and instead keep your private thoughts and words only between yourself and your loved ones.

Jitsi main window
The easiest one to get us started is Jitsi.

Jitsi gives you voice calls, video calls, instant text messages and group chats. It therefore covers 100% of the communication capabilities of Microsoft’s Skype, Google Talk, Facebook Chat, IRC channels and the like. Use Jitsi, and you don’t need to use any of these again.

Why switch to Jitsi?

Because it protects your privacy as much as possible. If you and your loved ones use Jitsi, you can:

  • Have end-to-end encryption of your voice and video calls – guaranteeing that nobody is listening in or recording.
  • Have end-to-end encryption of your text (instant messaging) chats with Off The Record (OTR) technology – the world’s finest in preserving your privacy with unique features like Perfect Forward Secrecy and Deniability.

As an additional benefit, it’s great to have all of your instant messaging contacts in one window, and Jitsi gives you that. It also runs on Windows, Mac OS X and GNU/Linux.

encrypted video call

Start using Jitsi instead of Skype, Google Talk and Facebook Chat and stop corporations and governments collecting, storing and analyzing the thoughts you share with your loved ones.

PS: You can only have private communications if both ends of the chat/voice/video call support this. If both you and your loved ones use Jitsi, voice & video calls are private by default. For text chats, you will have to click the lock icon in your chat window (as shown below) until it displays a closed “lock” state.

this conversation is NOT private
PPS: No “lock” icon? That probably means that the person you are chatting with is not using Jitsi or a similar program that can protect your chats with OTR. You can only have a private conversation if both ends support OTR.

PPPS: Looking for something like Jitsi for your smartphone? For private text messaging (using the Off The Record protocol) look at ChatSecure for iPhones or GibberBot for Android phones. For private voice calls on Android, look into csipsimple and Moxie Marlinspike’s RedPhone. Remember, both ends of the conversation need the same technology to create a private channel.

On addresses

In the era of the Internet, addresses are wonderfully diverse and quirky creatures.

  • Mr John Doe, 82 Gjjirigh Road, 18721, Paris, France – snail mail address
  • la7iu@spam.la – email address
  • https://www.eff.org/ – (World Wide) Web address
  • http://xdtfje3c46d2dnjd.onion/ – Tor hidden service (.onion) address – using this you can have an anonymous & private chat using https://crypto.cat via the Tor network
  • 1ESKsNEfjmCZJt3yEYjdE31L1QKqnRVcmn – Bitcoin wallet address – using this you can donate to JuiceMedia, creators of Rap News using bitcoins.
  • 00-50-57-C0-00-08 – MAC address
  • 127.0.0.1 – IP address

Stop Google recording your chats

Many Gmail users also use Gchat to talk to their buddies. Why not – the Gchat window is right there, next to their emails and very easy to use.

Problem is, Google automatically analyzes everything Gmail users are emailing or chatting about. It’s obvious that Google stores your emails, but if you’re sceptical about how much of your chats Google records, just go to any of your Gchat contacts and click “More” -> “Recent Conversations”.

Recent Google Chat conversations

Bringing up your recent chats with another Google user

You can now see the contents of all conversations you’ve had with this user. This should make it obvious that everything you type in Google Chat is recorded and stored.

Why is Google recording our chats?

But why do Google record all this? Because by knowing everything you talk about, Google can perfect your “behavioural profile”. The better this profile, the higher its market value. Remember, if you’re not paying for it, you’re not the customer, you are the product! And everything you say or do while logged on to Google services is used to make you a higher-yield product. Google then charges marketing companies (Google’s real customers) for access to this massive data set. Marketers are aching for an opportunity to directly target the more than 350 million Gmail users (as of Jan 2012) with personally targeted, customised ads. Of course this is done automatically with software, and Google is not the only “free services” provider to sell your data for profit. Facebook follow the same business model, and it appears to be working out quite well for them. Facebook recently reported $3.7 bn (yes, that is billions of US dollars) in revenues. There is a lot of money to be made for companies that turn our entire lives into sellable products.

This is one of the two reasons you would want to stop Google recording your chats.

Why is this dangerous?

The second reason why Google recording your chats is not a good idea is that Google hands over this information (your emails, chats, things you have searched for, YouTube videos you have watched) to the law enforcement agencies of your country. They have no choice – they have to. Google provides a “Transparency Report“, which is commendable. Unfortunately it falls short of giving us a clear view of just how much personal information has been handed over to government agencies due to the way the numbers are presented.

The following table attempts to answer the question:

“For how many user accounts was Google asked to hand over data to government agencies between January and June 2011?”

Country     # of users (approximate)
USA         11,057
UK           1,444
Spain          709
Italy        1,263
India        2,439
Germany      1,759
France       1,552
Brazil       1,822

You can look up your country by following any of the links in the table.

Given just how much Google knows about us, our friends, and our friends’ friends, it is a troubling thought that all this data, all of our contacts, the videos we have been watching, our chat messages, things we +1’ed, services we use from other service providers (Flickr etc) are recorded by Google and therefore being handed over to government agencies all over the world at this unprecedented rate.

If you believe that nothing you ever type or click on will be of interest to any law enforcement agency, government or court around the world until you and your entire family pass away (but what about your grandchildren? Think 40 years ahead. Could someone in 2052 dig up a record of an internal joke with one of your buddies back in 2012, cast it as proof of extremism and use it to harm your family?), AND you subscribe to the “I have nothing to hide, therefore I have nothing to fear” camp, you can stop reading here.

If you are genuinely uncomfortable with how your online life is harvested and recorded and wish to take steps to protect what little parts of it you can, read on.

Going “Off the record” in Google Chat

Google provide a mostly-hidden feature on their Gchat client that allows you to indicate you want to go “Off the record”. You can see it under the “Actions” menu when you are chatting with someone on Google Chat.

Google say that going “Off the record” means that “Chats […] aren’t stored in your Gmail chat history…” which sounds good, but does not actually promise your chats are not being recorded.

Google Chat: You are now off the record

Given that Google “will share personal information with […] organizations […] outside of Google if […] preservation or disclosure of the information is reasonably necessary to meet any […] enforceable governmental request”, it is a safe assumption that Google Chat’s “Go off the record” option does not really buy you any privacy.

Getting some real privacy for Google Chat

We will use Free Software tools that allow you to be reasonably confident that Google is not recording what you say over chat.

Before you continue, please understand:

  1. To have a private chat, both you and the person you wish to chat privately with need to follow these steps.
  2. If you use multiple computers to chat (e.g. a work computer and a home laptop), you have to repeat these steps on every computer before you use it to chat. You will only have to “prepare” each computer once.

First, download and install the Pidgin instant messaging software

Get the software from http://pidgin.im and install it on your computer.

Done installing Pidgin? Great. Continue to the next step.

Download and install the OTR plugin

The Off The Record (OTR) plugin allows Pidgin users to encrypt their communications. Get it from http://www.cypherpunks.ca/otr/ and install it on your computer.

Configure Pidgin for Google Chat

The first time you start Pidgin you will see this:

Click on “Add…” and a new window comes up (this may happen automatically, before you even press “Add”).

Adjust the settings as shown, using your Google username and password:

Pidgin Google Chat settings – basic

Click on the “Advanced” tab and adjust the settings as shown:

Pidgin Google Chat settings – advanced

Almost there! Now click on “Add” to complete setting up your account.

You should now be connected to Google chat! A list of your online contacts (or “Buddies”) will come up right away:

Pidgin buddy list when logged onto Google Chat

If you see something like the above, congratulations – you are successfully connected to Google chat.

If you get error messages, likely causes are:

  1. You didn’t type all settings exactly as shown above
  2. You are using Google’s two-step authentication. In that case your “main” Google password is not accepted. You need to create an application-specific password for Pidgin on the computer you’re currently setting up. Why?
  3. Your (corporate or national) network firewall is blocking the chat protocol XMPP. It may be possible to bypass it with Tor.

Activate and configure the OTR plugin

From the Pidgin “Buddy List” window go to Tools -> Plugins as shown here:

Scroll down the list until you find “Off-the-Record Messaging”. Tick the box next to it – this will enable the plugin:

Now click on the “Configure Plugin” button:

In the new window that comes up, configure the default OTR settings as follows:

Congratulations! You can now chat privately with buddies who also use the OTR plugin.

You have just made it very difficult for Google or anyone else to eavesdrop or record what you say. Just point your Google chat buddies to this page and get them using the OTR plugin!

Start a private conversation

Note: You can communicate privately only if the chat buddy you’re communicating with has followed the above steps, or is using other software that uses the OTR plugin.

Double-click on a buddy’s name to bring up the Conversation window. Notice the “Not private” button on the bottom right?

This means you have not activated the privacy features yet. But you’re about to!

Click on “Not private” and ask Pidgin to “Start private conversation”:

Pidgin will now attempt to create a secure channel and should display the following:

This is the result we want. “Unverified” is not a problem (but see Improvement 2 below). Pidgin tells us that it has established a secure channel to the other end, and you can use it to chat with your buddy without Google being able to read & record your messages.

Remember to always check the bottom-right OTR status icon. If it says “not private”, you should assume that Google is recording everything you type in that window.

Improvements (optional)

Improvement 1: Ask OTR to always try to initiate private messaging

You can ask OTR to always try to “automatically initiate private messaging” from the OTR plugin configuration menu you used above. Here’s the option you need to tick:

Improvement 2: Verify the identity of people you chat with

You have stopped Google reading, analysing and recording what you discuss with your buddies. But if you have reason to believe someone might be trying to read what you say (e.g. if you’re a whistleblower, journalist, activist or lawyer, live in the wrong country, etc.) you cannot yet be 100% certain that the person you are talking to is indeed your buddy and not an impostor pretending to be your buddy.

To rule out this possibility you should always verify the people you chat with. You only need to do this once for every buddy you wish to chat with.

To do this, click on the “Unverified” button:

Encrypted, but not authenticated. You are talking to someone through a protected channel, but you don’t know yet who that “someone” is.

This brings up the following menu, allowing you to “Authenticate Buddy”:

Asking Pidgin to authenticate the buddy you’re chatting with

You are now presented with the easiest option to authenticate your buddy – asking them a question, and checking that they know the right answer. There are other methods as well, like entering a secret passphrase you have agreed on in advance.

Go ahead and type a question and its answer. It should be something obvious to your chat buddy (example question: “what’s the name of my dog?” or “whom did we discuss last time we met?”) but not to potential impostors. (If you have reason to believe someone is targeting you specifically, using a pre-shared secret is the best way to ensure you are talking to your real friend. After all, any serious adversary can find the name of your dog without too much hassle.)

Example of a question/answer pair

After you click on “Authenticate” you will have to wait for a few moments for your friend to answer the question using his computer:

Waiting for response to authentication challenge

Once your friend successfully answers the question you set, you will see this message:

If you get an “Authentication failed” message instead, your friend probably mistyped something. Please remember (and remind your friend too!) that the answer is CaSe SenSiTive – so in this example the answer “Maxx” is correct, but “maxx” is wrong!
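As an added illustration (not part of the original post, and not code from Pidgin or the OTR plugin): both the question/answer check and the pre-shared-secret check described above are run by OTR through the Socialist Millionaire Protocol (SMP), which lets two parties learn whether their secrets are equal without either side revealing its secret. The Python below walks both parties through that exchange inside one process. It simplifies the real protocol in three labelled ways: it uses the 1024-bit MODP group from RFC 2409 rather than OTR’s 1536-bit group, it derives the secret from the answer alone (real OTR also mixes in both parties’ key fingerprints and the session id), and it leaves out the zero-knowledge proofs that accompany each real SMP message. The names smp and secret_from_answer are this example’s own.

```python
import hashlib
import secrets

# 1024-bit MODP group (RFC 2409, "group 2"), a safe prime with generator 2.
# OTR itself uses the 1536-bit group from RFC 3526; this one keeps the demo fast.
# Verify the constant against the RFC before reusing it anywhere else.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G1 = 2
Q = (P - 1) // 2          # order of the subgroup generated by G1


def rand_exp() -> int:
    """Random exponent in [1, Q-1]."""
    return secrets.randbelow(Q - 1) + 1


def secret_from_answer(answer: str) -> int:
    """Map the typed answer to an exponent. Case matters: "Maxx" and "maxx"
    hash to different values. (Simplification: real OTR also hashes in both
    key fingerprints and the session id, so the secret is bound to the session.)"""
    digest = hashlib.sha256(answer.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % Q


def inv(x: int) -> int:
    """Modular inverse mod P."""
    return pow(x, -1, P)


def smp(answer_alice: str, answer_bob: str) -> bool:
    """Run the SMP exchange between two in-process parties. Returns True only
    when both answers are equal; neither side ever sees the other's answer.
    The zero-knowledge proofs of the real protocol are omitted here."""
    x = secret_from_answer(answer_alice)
    y = secret_from_answer(answer_bob)

    # Message 1 (Alice -> Bob): her halves of the shared generators g2 and g3.
    a2, a3 = rand_exp(), rand_exp()
    g2a, g3a = pow(G1, a2, P), pow(G1, a3, P)

    # Message 2 (Bob -> Alice): his halves, plus Pb and Qb which embed y.
    b2, b3 = rand_exp(), rand_exp()
    g2b, g3b = pow(G1, b2, P), pow(G1, b3, P)
    g2_bob, g3_bob = pow(g2a, b2, P), pow(g3a, b3, P)    # g2 = G1^(a2*b2), g3 = G1^(a3*b3)
    r = rand_exp()
    Pb = pow(g3_bob, r, P)
    Qb = pow(G1, r, P) * pow(g2_bob, y, P) % P

    # Message 3 (Alice -> Bob): Pa and Qa embed x; Ra blinds (Qa/Qb) with a3.
    g2_alice, g3_alice = pow(g2b, a2, P), pow(g3b, a3, P)  # same g2, g3 as Bob's
    s = rand_exp()
    Pa = pow(g3_alice, s, P)
    Qa = pow(G1, s, P) * pow(g2_alice, x, P) % P
    Qa_over_Qb = Qa * inv(Qb) % P
    Ra = pow(Qa_over_Qb, a3, P)

    # Message 4 (Bob -> Alice): Rb. Bob already has what he needs to decide.
    Rb = pow(Qa_over_Qb, b3, P)
    # (Qa/Qb)^(a3*b3) = g3^(s-r) * g2^((x-y)*a3*b3), which equals Pa/Pb iff x == y.
    Pa_over_Pb = Pa * inv(Pb) % P
    bob_ok = pow(Ra, b3, P) == Pa_over_Pb

    # Alice performs the symmetric check with Rb.
    alice_ok = pow(Rb, a3, P) == Pa_over_Pb
    return bob_ok and alice_ok


if __name__ == "__main__":
    print("Maxx vs Maxx:", smp("Maxx", "Maxx"))   # True
    print("Maxx vs maxx:", smp("Maxx", "maxx"))   # False
```

Running it reproduces the behaviour described above: the same answer on both sides ends in a successful verification, while “Maxx” against “maxx” hashes to different exponents and the final comparison fails, which is the “Authentication failed” outcome. The point a practitioner should take away is that the comparison happens on blinded group elements, so a mismatch tells an impostor nothing about what the real answer was.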

Congratulations! You can now be confident you are talking to the right person! This is an additional benefit to what you achieved already – stopping Google (or anyone else) from monitoring & recording what you say!

A private & authenticated conversation over Pidgin. You know the person you’re talking to is who they say they are, and you know that no one else can eavesdrop on your conversation.

Next time you wish to talk to this person, you will just need to click on the OTR button on the bottom right and the conversation will immediately switch to “Private”. No need to re-authenticate, unless you or they are using a different computer.

Now the only thing Google knows is

  • Who you chat with
  • When you chat with them

…which is a significant improvement from before.

What, you still don’t like that? What are you doing chatting on Google Chat then?! Go use CryptoCat over Tor at http://xdtfje3c46d2dnjd.onion/, or if your enemies are pros (and you trust your hardware), TAILS.

Improvement 3: Use Google’s two-step verification & an application-specific password for Pidgin

It’s a good idea to use Google two-step verification. This means that Google will ask you for two pieces of proof that you are the legitimate owner of your account whenever you log in from an unrecognised device. This is an improvement in security, but means that external applications (like Pidgin) cannot access your Google account.

Google’s solution is application-specific passwords. These are passwords that only work for one designated application and cannot provide full access to your Google account (e.g. to change your account settings).

See Getting started with Google 2-step verification and after you’ve activated it, create an application-specific password for Pidgin on your device.

Then, on Pidgin’s main “Buddy List” window go to Accounts -> USERNAME@gmail.com -> Edit Account, input the password you just created, ask Pidgin to remember it, hit “Save” and you should be all done.

Now starting Pidgin will automatically log you into Google Chat, without asking for your password.

BT, you really don’t want people to read your terms of service, do you?

As of March 2012, BT’s terms of service for broadband customers are officially too complicated for human beings.

BT seem to recognise that even they can’t come up with a consistent set of terms within this avalanche of documents, so they included a catch-all term that reads:

“If any of these documents contradict each other […]”

Really, BT? Really?

Amazon Kindle 3 review

After a couple of months of having an Amazon Kindle 3 (purchased mid-2011) and travelling with it, here is my list of good and bad things about it:

PROS

  1. Decent battery life if NOT using wireless. With intensive reading it lasts up to a week.
  2. The display is much easier on the eyes than a traditional computer screen.
  3. You can carry a lot of books and personal documents with you in a single small device
  4. Friends and family can send you books to read in digital form
  5. Project Gutenberg opens thousands of books for immediate download and reading for free
  6. You can buy any book off Amazon and it will be in your hands in minutes
  7. Registering two kindles under the same Amazon account lets you duplicate all your paid content on both devices.
  8. For 10 quid you get the Independent delivered to your device automatically as long as you have GSM coverage every morning for a month… even if you are wild camping in a forest.
  9. You can browse the Internet and do emails from wherever at no additional cost.
  10. You get an English dictionary for free and it is easy to look up any word in any document while reading, in a non-distracting way.

Cons

  1. Using the 3G wireless drains the battery in less than 24 hours.
  2. The battery takes approximately 3 hours to fully charge from empty when connected to a wall plug. Up to twice as much when charging from a USB port.
  3. The display is much easier on the eyes than traditional LCDs… but you still get more eye strain than reading on paper.
  4. You end up buying books only from Amazon, killing any competitors or smaller bookshops.
  5. You don’t own the Kindle books you buy. Amazon does. They control your device at all times. Amazon can and has deleted books remotely from Kindles, à la 1984.
  6. Organising your content is very limited and labour intensive.
  7. There is no reasonable expectation of privacy. Amazon can see everything you do with your Kindle.
  8. The price tag for the 3G keyboard model is quite hefty at more than 150 quid.
  9. A Kindle purchased and registered in the UK is not allowed to buy from amazon.com US site. You are forced to purchase books only from amazon.co.uk which is more expensive.
  10. The keyboard is ergonomically cumbersome and not suited for extensive use.
  11. The web browser is of limited functionality. It doesn’t handle popups gracefully and has problems displaying pages that try to open in a new window.
  12. The display is black and white only.
  13. The refresh rate of the display is very slow, e.g. it’s impossible to scroll through text without it all becoming a blur. Turning pages is slow, e.g. it takes a full minute to turn 30 pages.
  14. You can not do anything with the books you have bought like give them to friends or family or sell them or save them in a less restrictive file format.
  15. To create customer lock-in and make a good profit, Amazon use their own DRM which imposes a lot of unnecessary restrictions on the content you buy. They make it easy to convert anything you want to their DRM locked-down format but very hard to do the reverse and convert Kindle content to less restrictive formats.
  16. There is no international support. Only English. The Kindle can display international non-English characters, but that’s about it. Impossible to change the interface language, impossible to type in anything other than Latin characters.

Overall, the Kindle 3 + 3G is a good ebook reader with a great global Internet connectivity package, that is almost worth the hassle if you need to travel light and can afford to buy books that will remain locked in to Amazon for good. Perhaps an easy way to unlock Kindle books will become available in the future. Perhaps you won’t mind re-purchasing books that you might want to read on another, better device in a few years’ time.
The choice is yours.

Update March 2012

I dropped my Kindle, breaking its screen. Luckily I had it insured, so I got a replacement within 48 hours with no questions asked. I was very happy with the customer experience, until I tried reading my documents on the new Kindle:

What do you mean licensed to a different user?

Somehow the Kindle has screwed up its elaborate Digital Rights Management (DRM) logic and is therefore refusing me access to material I have paid for! This is negating my right to read by mistake, but certainly demonstrates that buying books on the Kindle 3 only gives you the illusion of ownership – access can be revoked at any time.

The story ended with a long phone conversation with Amazon Kindle support during which I established the following:

  1. Re-sending my books & documents to the new Kindle resolved the problem for all books & personal documents. An annoyingly manual process (it has to be done one by one!) but it did the job.
  2. If this happens, and you have archived issues of magazines/newspapers/periodicals to which you have in the meantime cancelled your subscription, you are stuffed. You cannot re-download those issues. From Amazon’s UK “Kindle Subscriptions” page:

    Once you cancel a subscription, you will stop receiving new issues immediately and you will no longer be able to re-download back issues […]

After having been through this I am convinced any DRM-strangled ebook technology will just not be good enough for me to use. A model like O’Reilly publishing, who sell DRM-free ebooks is the only thing I will consider.

Otherwise, paper books are just fine, thank you very much.

I pay for it, I own it. End of story.

Windows Explorer: How NOT to resolve conflicts

Let’s say you have a “drafts” folder and a “final versions” folder, and every time you publish a new version of a document you drag’n’drop the latest draft into the “final versions” folder. This used to work fine with Windows XP, you’d get a prompt saying “are you sure you want to overwrite the file?”, you’d say “sure” and it was done.


With Windows 7 someone thought it was a great idea to confuse the users as much as possible by throwing this at them:

Could this be more confusing?

I think not. I spent a good 3 minutes staring at this. Reading and re-reading it. I had to completely switch my mental context from my primary task (what I was actually doing) to deal with this riddle. I got worried I might be trying to do the wrong thing. Was I at a risk of imminent data loss? Were my backups up to date? Was this a good day for moving files? One file is newer, the other is larger… what’s going on here? There is too much information and no “just do as you’re flippin’ TOLD!” button.

I shiver at the thought of users who are presented with this. Most of them will click the red “x” to close the window and make the problem go away.

I’d love to have a chat with the usability people who conducted the study that showed more information and more choices to be a good thing for end-user interfaces. Because from the perspective of the type of users I know, this would be an unsolvable, anxiety-inducing nightmare.

Don’t take control away from your users

From a technology usability perspective, you can’t do much worse than make your users feel they’ve lost control. It’s maddening (and a bit frightening, if we admit it) to feel that “the computer” is doing things without your consent. We’re tolerant to allowing actions we don’t understand (after all, not everyone should be a technologist or a computer scientist), but we always want to have the kill switch at hand.

End-user operating systems (Windows, MacOS, GNU/Linux desktop environments etc) always have such a kill switch – it’s usually something red and obvious on every window (like the big “X” in the red box at the top right corner in Windows XP/7). If you don’t like what it’s doing, you have the power to kill it. Why? Because it’s your computer, dammit, and you should have the final word!

I stumbled upon an example of breaking this rule the other day, when I was helping a family member reinstall a computer that had bombed:

Here is a screenshot of the “Windows Genuine Advantage Notifications” tool (a propaganda term if there ever was one) installer: All application controls (back, next, cancel) have been disabled, and so has the omnipresent “X” that is supposed to offer users the warm & fuzzy feeling of control in every single Windows application.

Installers have for years now had ways of trapping window/application interrupt requests and responding to them gracefully.

Taking away control from the end user in such an obvious manner is both unsettling and frustrating.

A practice best avoided.

How much Java do you need?

Oracle (formerly Sun) has been giving us a few reasons to get rid of the Java Runtime Environment (JRE) from end-user machines for a while now.

I’ve been struggling with this decision, as I need Java for my favourite mind mapping software but I don’t want it to be used against me by Internet criminals.

My initial reaction was to remove Java completely and just keep the installation package around, for whenever I needed to do mind mapping. This soon got ridiculously cumbersome, so I’m now on to the next model:

Keep Java for local use, but disable Java for the browsers.

This still allows local applications to use Java, but stops Web-borne remote exploits from being delivered to my machines.

First of all: Get the latest Java

First things first. Always ensure you run the latest software. Visit http://java.com/en/download/installed.jsp?detect=jre&try=1 to verify that you have the latest version (currently 1.6.0_24)

If you haven’t got the latest version, download and install it from http://www.java.com/

Then verify that auto-update is turned on and frequent enough. For Windows users, go to Control Panel -> Java. Switch to the “Update” tab of the window that comes up and then click the “Advanced…” button. This should show you something like this:

The default is to check for updates once a month, which is a bit pathetic. Change this to weekly at the very least, or daily if you’re serious about your computer’s security:

Then click “OK” to save & close this dialog and “OK” again to save & close the Java settings window.
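The version check above is done by hand through java.com. As an added example (not from the original post), here is a Python helper that reads the banner printed on stderr by `java -version` and decides whether the installed runtime is at least a given minimum, such as the 1.6.0_24 the post names as current. It goes a little beyond the post by handling both the legacy 1.x.y_NN scheme of Java 8 and earlier and the major.minor.security scheme of Java 9 onwards, so the same check keeps working on newer machines. The sample banners are constructed, and the function names are this example’s own.

```python
import re
from typing import Optional, Tuple

# Matches the first line of a `java -version` banner, e.g.
#   java version "1.6.0_24"
#   openjdk version "11.0.2" 2019-01-15
VERSION_RE = re.compile(r'version "([^"]+)"')


def parse_java_version(s: str) -> Tuple[int, int, int]:
    """Normalise a Java version string to a comparable (feature, interim, update) tuple.

    Legacy scheme (Java 8 and earlier): "1.6.0_24" -> (6, 0, 24)
    Modern scheme (Java 9 onwards):     "11.0.2"   -> (11, 0, 2), "17" -> (17, 0, 0)
    Build or pre-release suffixes such as "-b07" or "+9" are ignored.
    """
    core = re.split(r"[+-]", s, maxsplit=1)[0]
    if core.startswith("1."):
        number, _, update = core[2:].partition("_")   # "6.0_24" -> "6.0", "24"
        dotted = number.split(".")
        feature = int(dotted[0])
        interim = int(dotted[1]) if len(dotted) > 1 else 0
        return (feature, interim, int(update) if update else 0)
    dotted = [int(x) for x in core.split(".")]
    dotted += [0] * (3 - len(dotted))                 # pad "17" to (17, 0, 0)
    return (dotted[0], dotted[1], dotted[2])


def version_from_banner(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract and normalise the version from a captured `java -version` banner.
    Returns None when no version line is present (e.g. Java is not installed)."""
    m = VERSION_RE.search(banner)
    return parse_java_version(m.group(1)) if m else None


def is_at_least(banner: str, minimum: str) -> bool:
    """True when the banner reports a runtime version >= `minimum`."""
    found = version_from_banner(banner)
    return found is not None and found >= parse_java_version(minimum)


# Constructed sample banners (not captured from a real machine).
CURRENT_BANNER = (
    'java version "1.6.0_24"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_24-b07)\n'
    'Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode, sharing)\n'
)
STALE_BANNER = (
    'java version "1.6.0_20"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_20-b02)\n'
)
MODERN_BANNER = 'openjdk version "11.0.2" 2019-01-15\n'

if __name__ == "__main__":
    minimum = "1.6.0_24"
    for name, banner in (("current", CURRENT_BANNER),
                         ("stale", STALE_BANNER),
                         ("modern", MODERN_BANNER)):
        verdict = "ok" if is_at_least(banner, minimum) else "UPDATE NEEDED"
        print(f"{name:8} {version_from_banner(banner)} -> {verdict}")
```

To use it on a real machine, capture `java -version 2>&1` into a string and pass it as the banner. Because the tuples are ordered feature-first, a legacy 1.8.0_291 correctly sorts below a modern 11.0.2, which plain string comparison of the two schemes would get wrong.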

Now, onto the browsers:

Firefox 3.x

Go to Tools -> Add-ons and you see something similar to this:

Click on “Disable” for both Java extensions, to get this result:

Don’t restart Firefox just yet! Now, onto the “Plugins” tab of the same window:

Click on both Java entries and on the corresponding “Disable” button of each entry, until the window looks like this:

Now it’s time to hit that “Restart Firefox” button in the Add-ons window to restart your browser.

After you’ve restarted, visit http://java.com/en/download/installed.jsp?detect=jre&try=1 with Firefox to verify that Java is disabled.

You should get the following result:

Congratulations – Java has been disabled in Firefox!

Note: Some people may point out that using the NoScript plugin achieves the same goal in a more elegant way – i.e. it allows one to selectively allow the execution of Java code in Firefox. The problem here is that NoScript works on the premise that websites you trust will not deliver malicious code to your machine. Unfortunately there are reports that claim that up to 75% of websites serving malicious code are legitimate websites that have been compromised. Add to that the fact that malicious code can be delivered to your machine through ads served from trusted domains like google.com and yahoo.com.

The only way of protecting against this headache is really to keep all browser plugins updated and disable the ones you don’t absolutely need. Java is not the only culprit here, Adobe’s PDF reader and Flash plugin, as well as Microsoft’s DirectShow and Media Player are also repeat offenders.

Internet Explorer

If you’re forced to use Internet Explorer (e.g. because some luminary in your organisation had the brilliant idea that the “free” SharePoint server was a good development platform for your corporate websites…), follow these steps:

First, make sure you have the latest version of the browser. Microsoft itself is begging people to stop using IE6, as it’s an open window for remote control of your machine by criminals. Download and install the latest version of IE.

Now, let’s disable Java in Internet Explorer:

Go to the menu “Tools” -> “Manage add-ons”.

(this example is from IE version 8 on Windows XP, your version might be slightly different)

In the “Manage add-ons” window, select “Show add-ons” on the left hand side pull-down menu:

Now you can see all Java add-ons listed. Select each of them with a single click and hit the “Disable” button:

The final result should look like this: (all Java add-ons disabled)

Now click the “Close” button on the bottom right and close your browser.

Annoyingly, I’ve found it necessary to also disable the Java plugin from the Java Control Panel, as disabling it from IE alone does not seem to be enough…

Go to Control Panel -> Java and then to the “Advanced” tab. Make sure the options look like below:

Save & close with “OK” – you will get a popup similar to this:

Click OK and then fire up Internet Explorer to visit http://java.com/en/download/installed.jsp?detect=jre&try=1 to verify that Java cannot be executed in IE.

You should get one or more of the following popups:

(this means you disabled the add-on in IE but not in the Control Panel. Unfortunately this seems to result in Java code somehow getting executed regardless!)

(surreal web page, telling you both that Java *is* and *isn’t* working, but there you have it)

If you’ve disabled everything appropriately you should see the following:

Clicking “OK” will eventually land you in this page:

…which is lying to you. You don’t have an old version of Java. You just have a disabled installation.

If you need to use Java for local applications, that’s the best place to be.

Otherwise, if you’re tired with all this faffing about, just uninstall Java completely to get it over with and have one less thing to worry about.

I accept, please, no more!

Clearly, all passengers of trans-Atlantic flights do read the four lengthy legalese documents necessary to book a flight…

This is an interesting problem.

Companies can insert whatever terms they wish in those documents on the safe assumption that (statistically) nobody will read them. Why does that happen? Probably because these pesky things stand in the way of the customer’s primary task*, which is booking the flight and getting it over with.

Perhaps a more automated solution similar to P3P might be worth considering, to make contracts between vendors and customers more meaningful. As it is, we’re at the mercy of whatever Terms & Conditions the vendors decide to impose on us.

Remember, you’re voluntarily entering this contract. It will be very difficult to complain afterwards.

* See page 40 of Peter Gutmann’s security usability book chapters for a good (and funny!) example of how this problem-solving model works.

Free antivirus software for Windows

As of July 2011 (this list was first written in January 2011 and revised in February), there are at least four (originally three) perfectly legitimate free antivirus products for Windows. In my order of preference they are:

  1. Microsoft Security Essentials
  2. Avast Free Antivirus
  3. AVG Free
  4. Avira Free (why?) (fallen from grace due to user pestering)

These are the ones I have used. There are at least 6 more to choose from.

Please note that the following products are NOT free to use:

  • Norton
  • Symantec
  • McAfee
  • NOD32
  • Sophos
  • Kaspersky
  • etc…

If you’re using one of them and not paying for it (unless of course your organisation has paid for it), you are at risk, as malware authors use warez and similar types of “freebies” and “cracked versions” and “key generators” to infect your computer with the very software you’re trying to defend against.

The only (temporary) exception to this is time-limited versions of antivirus software you usually get with brand new computers, but you must do something about those as soon as the gratis period expires: either buy the product or uninstall it and install one of the free ones.

Remember, an expired antivirus that is not updating its definitions is almost useless.