Today we were having a discussion about our power usage. Our hydro company offers online viewing and some smart-meter real-ish-time data (yesterday's data by hour).

So I clicked today. Then yesterday. When I got to 5 days ago, I got this. My excessive use (5 clicks!). I am over their terms of usage (not TOU as in Time-Of-Use, which is all I can find on their site on the topic). Boo, how am I supposed to understand the details? If only there were other products to measure electricity... Like Eyedro, you ask?

Anyone care to chip in on what 'normal' usage would be if 5 page loads in a day is excessive?

How many API calls is excessive?


Content-Security-Policy. Make it tight.

Google, allow it to reference your images so they show in the search box.

Wildcards. You can specify a wildcard on the left side (*.domain) but not on the right side (domain.*).

OK, let's look up the list of Google domains. I'll let you Bing that. The answer is here.

Huh. That is a lot.

.google.com 
.google.ad 
.google.ae 
.google.com.af 
.google.com.ag 
.google.com.ai 
.google.al
.google.am
.google.co.ao
.google.com.ar
...

It's probably larger than the allowable size of a Content-Security-Policy header. What is one to do? Make img-src be *? But then the ad malware wanders in. Pick a few and hope?

Anyone have a suggestion for a best practice?

I see a lot of entries for countmake.cool (purposely not linked) in my Content-Security-Policy logs. These are folks who have some malware installed on their desktop; when they surf to my blog, they get redirected and have advertising injected. Except that my CSP forbids this (since I don't grant that domain img-src or script-src permission).

I wrote about this earlier. I'm appalled that such things exist. I'm also saddened that it's come to this, a spy-vs-spy one-upmanship game where people like me spend time adding rules to prevent malware writers from taking advantage of folks.

Once again, I'll suggest an action. Head to https://observatory.mozilla.org. Enter a site name that you use. If it doesn't get a great score, write to the owner: get it fixed.


Something interesting / disturbing just happened to me. I was trying out my new Bluetooth headset to make sure it supported aptX and would pair to two devices. So, while watching a YouTube video, I used Skype to dial my phone.

Oddly, I got a high-fidelity playback of my voice mail (ironically a bunch of CRA scams). Hmm, but it's not from the phone. It's from the PC. Weird.

So I dig in a bit. It turns out that if my caller ID is set to my own phone number, it just assumes it's me and starts playing.

Given that caller ID is trivial to spoof, this means there's really no security here.

Anyone else care to try this? I tried on Koodoo if it matters.


Over on my corporate blog I did a post with more details. But, recently I updated this site's Content-Security-Policy rules. I enabled reporting of errors (expecting none).

To my surprise and chagrin, there were some reports. How? The site that was being blocked was rasenalong<dot>com. Huh? Not mine, not my content, I don't use a CDN, I don't serve ads.

Turns out that some of you have a malware extension in your browser called LNKR. And, it modifies the page of my site to add a bit of its own JavaScript, which then fetches scuzzy ads and places them on my site.
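Both the wildcard limitation from the Google-domains post and the report triage described here (the countmake.cool and rasenalong entries) in one added example, not code from this blog: a small Python CSP violation-report triager. It assumes a made-up blog host (blog.example), a candidate policy, and constructed report lines whose injected-ads.example host is a placeholder for the real injected-ad domains.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed for this example: the blog's own host and a candidate policy to evaluate.
SELF_HOST = "blog.example"
CANDIDATE_POLICY = {"img-src": ["'self'", "*.google.com", "*.gstatic.com"],
                    "script-src": ["'self'"]}

def host_matches_source(host, source, self_host=SELF_HOST):
    """CSP host-source matching for bare host patterns (scheme and port not handled).
    '*.google.com' matches www.google.com but not google.com, and there is no
    'google.*' to reach the country domains; a bare '*' matches every host."""
    host, pattern = host.lower(), source.lower()
    if pattern == "'self'":
        return host == self_host
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    return host == pattern

def is_allowed(directive, host, policy=CANDIDATE_POLICY):
    return any(host_matches_source(host, s) for s in policy.get(directive, []))

def triage_reports(report_lines, policy=CANDIDATE_POLICY):
    """Count reports per (directive, blocked host), then split them into hosts the
    candidate policy would allow (those reports stop if you ship it) and hosts it
    still blocks: injected content, or a Google country domain the wildcard misses."""
    counts = Counter()
    for line in report_lines:
        body = json.loads(line)["csp-report"]
        host = urlsplit(body["blocked-uri"]).hostname
        if host is None:  # 'inline', 'eval' and data: URIs carry no host
            continue
        counts[(body["effective-directive"], host)] += 1
    covered = {k: n for k, n in counts.items() if is_allowed(*k, policy)}
    uncovered = {k: n for k, n in counts.items() if k not in covered}
    return covered, uncovered

def make_report(directive, uri):
    # One report line in the JSON shape browsers POST to the report-uri endpoint.
    return json.dumps({"csp-report": {"document-uri": "https://blog.example/",
                                      "effective-directive": directive, "blocked-uri": uri}})

# Constructed sample: injected-ads.example is a placeholder for the ad domains in the post.
SAMPLE_REPORTS = [
    make_report("img-src", "https://www.google.com/images/branding/logo.png"),
    make_report("img-src", "https://www.google.ca/images/branding/logo.png"),
    make_report("script-src", "https://injected-ads.example/lnkr.js"),
    make_report("script-src", "https://injected-ads.example/lnkr.js"),
    make_report("script-src", "inline"),
]
```

Running `triage_reports(SAMPLE_REPORTS)` puts www.google.com in the covered set, while www.google.ca (the right-side wildcard gap) and the injected script host stay blocked, which is the split you want before loosening a policy.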

This was the subject of last night's Chautauqua. I have posted the video (and the slides) if you want to see.

I am appalled. I Can't Even.

I've also posted a shorter lightboard video which talks about this a bit. Go forth and fix your own sites now, please.