Wednesday, December 31, 2008

How to Erase a DVD Completely and Securely

If you have an RW DVD, there are utilities to erase it, or you can overwrite it with something. Like hard disks, there may still be magnetic traces. If your DVD is +/-R (write once), you can't soft erase it.

The best so far is to get a DVD shredder. I opted a while ago for a paper-only shredder because the cost didn't justify the number of discs I may have to shred in the future. Also, for paper you need one of those cross-cut shredders, which make it a lot harder to put the pieces together. For DVDs there's no such fine shredding. As long as you can see a piece of silvery metal, you may be able to recover a large chunk of data or video from it. Are they real in CSI?

I have seen the microwave destruction video, taking only 5 sec. But there is a danger of harming your microwave because of the electric sparks. And there is a bad smell. The metallic disc broke down pretty evenly, but the fragments are still large.

Here's what I tried that didn't work, so don't waste your time. With a small craft drill you can destroy the surface easily using the right sander tip. But it is only skin deep. I don't even think that the plastic layer was penetrated.

I used pure sulfuric acid, which didn't do a thing because of the plastic layer protection.

It dawned on me that I have a plumbing torch. I fired it up outdoors, but surprisingly the DVDs are very hard to kill. The plastic doesn't melt away easily, and it didn't burn. You have to melt the plastic until the inner layers are exposed, then there's a little flame and no more.

Here's the result, before I cut them up and put them in the trash a few pieces per collection day. Now, the superior part: after the torch treatment, the discs are, similar to the surface of the French dessert made using the same technique, very crispy. You can crumble the discs into very fine pieces with your fingers, or you can hammer them into powder.

Friday, December 26, 2008

Early spring cleaning: secure computer data

I tried to encrypt bank accounts on my laptop long ago. You wouldn't believe how much money went through the laptop. I used KeePass and TrueCrypt, but gave up, until now.

You can set up your laptop with whatever passwords you can create: BIOS, Windows Logon, and even the hard drive. But all are crackable.

KeePass is good, but it's standalone, not integrated with anything. You have to pull your password into the browser forms. It's not bad at all but I have alternatives.

I was using TrueCrypt for file encryption. But it was tedious on a file by file basis. You can use it to create a big encrypted drive too, but I don't trust it enough. And the backup is a problem.

Revisiting TrueCrypt again, I came across encrypting the entire operating system, optionally hidden, and it may have a decoy too. I doubted how TC deals with it. On a close look, TC decrypts on the fly, which explains its capabilities. When you are reading a file, TC doesn't decrypt it into another file, but decrypts a portion of it at a time and hands it over to the application.

I was amazed to see how fast and painless it is to use TC. I encrypt the entire video, actually quite a lot of large video clips, and play it. You don't feel any difference with the encryption, and you don't need to wait for encryption, nor have to deal with which version of the file to keep.

So instead of dealing with passwords, I encrypt the entire profile of Firefox, which allows you to specify where your profile should be. So whatever I do on the web is encrypted: history, bookmarks, passwords (now double encrypted), and everything else, except that some extensions may put data outside of the profile directory. If the profile directory is not mounted as a drive, it's just an encrypted file with a code supposed to be unbreakable. When it's mounted, someone needs to run some spyware to read the drive where my profile is, or to steal the TC password in memory, if they know I'm using TC. Keyloggers and screen capture spyware won't work because I don't type in passwords anymore.

You can encrypt the entire OS, but I'll settle for using only two different master passwords. One is the personal secrets password and one is the shared secrets password. The only difference is, you don't need to or don't want to give out the personal password even when you drop dead.

There are three types of secrets to encrypt. The first two correspond with the two types of passwords. Being secrets, the data naturally have to be backed up safely. The third type is personal secrets that don't need to be backed up. You don't want others to know but you can recover the data in ways other than backup.

The model of 2 passwords, 3 types of data is strange, but like bookmarks, you can lose it with minor inconvenience, but you don't want others to know all your online activities, such as surfing at work. (In this case there are other logs on the company LAN but you can also bypass the company LAN.)

For each type of data, you can split them into TC drives suitable for backup. Since secrets don't change that often, some drives can be huge. For example, 4.7 GB size for DVD, or some other values customized for your online backup accounts. To back up, you just copy the 4.7 GB encrypted file onto a DVD. To read, you just mount the encrypted file as a drive.

For the Firefox profile, a 200 to 500 MB file size is enough, which can be smaller. You can set up automatic backup just like any other files, though the whole file is copied whenever you use FF. I only back it up manually when I add new passwords. They are randomly generated, only stored in the FF password manager, and I couldn't recover them if the file gets corrupted (or if I lost the master password for that matter).

You can still do daily incremental backup like ordinary files. But you have to do it when both the source drive and the backup drive are mounted. Once unmounted, they are just ordinary drives containing ordinary files to any application.

TC has one interesting option, to have hidden encryption. You can have two passwords to the same drive: one mounts the outer files, and the other decrypts the hidden files. I am not sure if that's theoretically possible, as I read about it a while ago as the next big research topic, which is supposed to be difficult. But for ordinary people, if you give them a password, they will believe what they decrypt is all that you have. TC seems to claim that others cannot know the existence of hidden files. It will not be easy, but I'm not sure it's impossible.

How to fix Christmas Lights

When I hung the Christmas lights early, a section didn't light up. Unlike previous years, there were no apparently faulty bulbs in the section. I searched the web for shortcuts and I found it - beepers. Those electric current detectors that you are supposed to use before drilling anything on the walls.

I had one, but unfortunately it also detects metal at a right angle to the current detector. Basically it beeps all the time, with a lot of false positives and false negatives. But since I was well trained on this beeper, it wasn't difficult to find the faulty bulb. It's a lot faster than swapping the bulbs one by one.

Unfortunately, a neighbor's kid shook the lights after I hung them, and turned off a whole segment. The beeper worked poorly when the lights were in place, because the bulbs aren't far enough apart, and you have little control of their position, such as next to some metals.

Also, as I found out later, when multiple bulbs are loose from their socket, it's a nightmare.

So I took out the good old multimeter. After some thought I found a way to do it, better than swapping bulbs, and better than beepers, unless your beeper is high quality and the light bulbs are not close together.

First, set the meter to >120V (or 240V), and wear insulated gloves if you need to. Take the bulb in question out of its socket. Probe one contact in the socket, and probe one prong of the main plug to the whole light chain. There are only 4 possibilities; one will give you a reading if the socket and the chain up to the socket are normal. That's how to find faulty bulbs or loose sockets. You don't need to swap all the 4 possibilities. After you get the reading for a working socket, the probe on the main plug doesn't need to change, and the other probe just follows the direction of wiring.

You can also do a continuity test instead of a live test, but it's less fun without the bulbs lighting up. I can be more formal about it, but I doubt if there's anything to simplify, and that Christmas is already over.

Thursday, December 25, 2008

Early spring cleaning: videos

What started the early spring cleaning is the real mpeg4 codecs, and the death of analogue TV.

After dragging on for a couple of years, finally the real mpeg4 standard appears as H.264, the video and audio codecs are simply called advanced AVC and AAC, with the container file format mp4. Open source software is freely available. If future players will play only one standard, this is it. AVC is used for Blu-ray so it's future proof. AAC isn't, but it is used in iPods, so it's not going to go away. Unless you are making sound for movies, there's no point in using the new Dolby Digital standards, even if you can get hold of some software.

DVD will be around for a long time, but there's no point storing video in it. You can store a lot more files on it and play it on the computer, or send it to the digital TV.

It's a joy to do the spring cleaning. Home movies can be 5 times or more compressed than DVD, and 25 times smaller than DV from camcorders. You clean up and have a lot more space. I got my 320G hard disk because of the videos. Now I have space to play with a lot of other things, like operating systems and virtual machines.

I still have some valuable home movies on VHS-C tapes!! They are the best, not because of the format, but because they used big lenses back then on big machines. The camcorder broke down a long time ago. A few years after that, I realized that we cannot get back the quality without buying a new but old VHS-C camcorder. There are the same versions loaded onto VHS tapes, and we still have the VHS-C to VHS adapter that hopefully works.

Surprisingly, I just searched online and found that plenty of VHS-C camcorders are still on sale, while I thought digital DV tapes were already obsolete.

Of course there are format conversion shops. Firstly, you shouldn't easily trust them. Historically at busy times such as Christmas, when you send your films to develop, it could be lost forever. And I listened to online forums too much, and I believed that you have to touch up the videos and use manual settings to get the best out of the videos. This is plain wrong for home movies and I should have picked the best format or best solution at the moment rather than waiting for the future.

I have both PAL and NTSC VHS libraries to convert. I bought a dual standard player for the purpose but other than one or two conversions, it's sitting in the garage. I also have an analog to digital box for capturing the video, but I used it for something else and it broke long ago.

I have a DV camcorder with an analog input, designed for people moving from analog to digital. I never did the conversion seriously because I usually ran out of DV tapes, and I was convinced that the DV standard is bad for converting to DVD directly without some sort of color space compensation. I hope it doesn't break down anytime soon, otherwise I have to buy a useless DV camcorder for the purpose. There used to be PC graphics cards capable of TV capture, which give you twice for the same money. But now it's worthless because analog TV is dead. Also, I never buy any graphics cards anymore, all integrated, there's no need to unless you are a true gamer.

Now most of the library is on DV tapes. I didn't know how to deal with it before. Compress to DVD and it would have been playing on blu-ray players for years to come. But I was led to believe that the conversion needs some compensation on the color space. And I was led to believe that noisy home movies will benefit a lot from noise filtering and color adjustment before compression. After a couple of years staying in the garage, I don't believe in the crap anymore. Home movie is home movie, there's little you can do about it, and the quality doesn't matter that much, the content does. So I bought bigger and bigger hard drives, and I load DV tapes onto them, because it's cheaper and more convenient than tapes.

The other reason I didn't convert DV is because of interleaving. I don't believe the free interleavers are good enough and I had a hard time picking the right one. Also, I believe interleaved source, if compressed to DVD, will look better on analog TV. On the other hand, I was more likely to watch on the computer, where the interleaved version is more appropriate, and more future proof. Mpeg4 standards such as Divx and Xvid offer so much more compression, and had standalone players for them. I was so tempted but it turns out that blu-ray players don't support them, only DVD.

I don't care to put clips on DVD anymore or blu-ray for that matter. The only function is to impress kids after their birthday party. I got Sony Scenarist and used it a lot, but it all comes to nothing. Even the full features of a DVD are quite complex, and the software costs a lot. So I don't bother anymore. A clip is a clip no matter where you see it.

So the target is set. I hope to finish everything before the next decade! Hopefully the PAL & NTSC VHS player doesn't break down, now that they don't make it anymore. Same for my DV camcorder, which plays the DV and converts the VHS too. And I will be watching the price of VHS-C camcorders. If they ever drop down to $100, it's worthwhile to buy one instead of sending the tapes to conversion shops, if the tapes are still working. And if I have the money, the time, and the motivation. Watching time flying by isn't always a good thing.

Monday, December 1, 2008

Free Fast VPN Proxies

Updates: Free Fast VPN proxies 2

Can it be true? OMG it is for now. Not only that, I can make up a chain as secure as JonDo and even more secure and a lot faster. I think this is because a lot of networks are blocking Social Networks and Youtube etc. Entrepreneurs rise to the occasion. I don't know why I missed these last time I looked. I did find and try a few that were bad.

The best seems to be Ultrasurf. I think it's designed for internet cafes in China. You plug in the USB drive, run Ultrasurf, which will fire up Internet Explorer. When you quit IE, no trace will be left, it claims. You can use any browser and Ultrasurf is just a proxy client. I used it a while back and it was perfect, but not as fast as now. Bandwidth is perhaps cheaper now, and now China is unblocking many sites, lightening the workload of these bypass servers. However, it has ties to Falun Gong, and is perhaps funded by it.

At the time I was using it, I felt the tiny program was untrustworthy, but not in a technical way. The home page is Chinese for example. I thought it could come and go as other tiny proxy servers, and that like many proxy servers, the aim may be just to collect data for sale. Now it seems to direct URLs that don't seem safe, and to cause conflicts, such as utilities that flag Ultrasurf as a virus.

You can call it a VPN as it's an encrypted proxy. However, it just diverts browser traffic. The encryption is claimed to be better than the industry, that is, better than the browser uses. So nobody can eavesdrop on your traffic, nobody knows what you surf, and the target sites don't know your identity. However, Ultrasurf has everything in their server log. You don't know if there are any security risks because it's not open source. The performance is best and passed the test. You can watch a movie with encryption!

BTW I tried the gladder, a later software to bypass the Chinese Great Wall. But to my surprise, it's a transparent proxy, even though the traffic is encrypted. The only reason for that is to avoid spammers flooding to the server. But it's too risky to reveal your ID to the target sites.

The next best is Hotspot Shield. It calls itself a VPN, quite rightly so because it's not a proxy client like others at the application level. You don't even need to set your browser. The traffic in your network is diverted to the proxy server. You can make sure all other users on your home PC are proxified without doing anything themselves. When you launch Hotspot Shield, it forces a browser to launch, but once after that, you can close it and fire up other browsers at will.

Hotspot Shield is similar to Ultrasurf, passed the Hulu test, quite reliable so far. Again it's not open source. It's ad supported, but the top banner doesn't appear all the time. For example, you can watch Hulu movies full screen. It's a little slower than Ultrasurf at times, but still much faster than JonDo and TOR.

It's a true VPN because when you open a command prompt and run ipconfig, the external IP address is changed to a private one. I ran BitTorrent on it and it works without modifying any setting! Another proof is that the download rate is slower by several times. It wouldn't matter when you are in no rush; an hour of download time and several hours don't matter that much. But the problem is that free VPN can't be reliable. When the server is busy, you are thrown out of the private network. So the download went much faster in the middle. You have to manually reconnect to the network.

So Hotspot VPN is only suitable for browsing. When the VPN is down there is no warning other than that the icon turns red - you are suddenly using your own IP without other warning. You have to reconnect again manually.

Another surprise is that I found lots of fast SSL CGI proxies at FreeProxies. Many are SSL proxies. For the bad, they are the usual trouble makers: pop-ups, top banner ads that distract, and they strip a lot of things and can't support a lot of things. They didn't pass the Hulu test but you can surf most other sites. And blockers can deal with the rest, only sacrificing some real estate at the top of the browser.

The good thing about CGI proxy is that you can chain it with the VPN proxies above, and even add it to JonDo and TOR. You can have one tab that is proxified and the other not. When the banner is at top, you know it's working. When you see the address starts with https, you know SSL is in effect.

Wednesday, October 29, 2008

TOR Approach

Although TOR and JonDo aim at the same thing, their approach is different. JonDo's traffic path is static, protected by the independence of screened companies. TOR seems to rely on randomness and safety in numbers.

Everybody can be a TOR relay, even your PC. TOR also changes path every 10 min or so, very much unlike JonDo. So unlike JonDo, it's pretty hard to sniff the entry and exit nodes because they change for a particular connection.

TOR has a P2P feature that should be helping its speed. If you run a relay, it should help with the network traffic, hence helping yourself at the same time. However, individuals don't want to be exit nodes, whose IPs will be exposed to whatever TOR users are doing. There is the option to avoid this. Also, since TOR allows all sorts of network traffic, not only http, I suspect that it got slowed down a lot by BitTorrent users.

Because of the large numbers of nodes across many countries, TOR probably will least be affected by data retention. However, there needs to be alerts when all nodes are in Germany.

When you sniff on a single entry or single exit node, because the TOR path changes very often, any user is bound to pass through these nodes at times. This can be avoided by limiting the number of entry (or exit too?) nodes to hop.

JonDo avoids crooked nodes by legal contracts and inspections. In TOR, any crooked node can join the network at any time. If your adversary installs large numbers of high capacity nodes into the network, your anonymity can seriously be affected. The entry nodes have your IP, while the exit nodes have the URL and unencrypted contents. Again, it needs only one uncompromised node to protect your identity.

TOR seems to be usable during early morning in Europe. It's fail safe to download the TOR browser bundle, which includes the TOR client, a GUI controller, a browser, and a software proxy to filter out unsafe content. The bundle also comes with a "universal" IM client, with your IP protected by TOR. But a few of the popular IM services won't work.

TOR has some interesting features, such as publishing web content on your PC while hiding your IP. The same hidden service is used in the TORchat bundle, which is a secure serverless chat client, where each user is only identified by a static long code word.

Interestingly, one can chain TOR and JonDo together using the proxy option in JonDo. In theory it doesn't make the path more secure. But practically, the more nodes are included, the less likely it is for rogue nodes to break anonymity, and the less likely for court orders to be effective.

Tuesday, October 28, 2008

Practical JonDo

Because the speed of JonDo is pretty decent, and free, I recommend it for many casual uses. As a matter of fact, I'm now writing this blog via JonDo.

I will certainly use it in internet cafes, wired or wireless, if I want privacy. I'll also use it at work or school to keep my secret from IT people. It's the encryption, for both your urls and content.

I will use it to secure yahoo web mail. It's encrypted only when you login, meaning that your password and your username is secret, but your email content can be sniffed by neighbors and IT coworkers. JonDo encrypts the whole thing, as in the secure option in Gmail. At the email servers, still somebody may like to peep at emails, but they have no idea who the emails belong to.

There's no strong reason to hide your IP, because in theory it needs court orders to reveal your IDs, but if you know the right person in Earthlink, maybe a beer will do.

Very often, you want to change your IP often. For dial-up, it should be different every time. For most broadband ISPs, you can "reset" your IP every day without too much trouble. (You are still traceable.) You want to have different IPs so others can't put two and two together. For example, if you have two email accounts, you don't want the recipient to know that you are the same person. It's elementary for discussion board trolls. In the blogosphere, you can spread your personal details in different blogs or comments without fear of identification in real life. Say if you have 3 dogs and 2 twins living in a small town in Washington with a name called John, your neighbor will immediately think that it's you. Wordpress logs IPs automatically, and you can add scripts to other blogs to log statistics and IPs.

Actually, JonDo is pretty weak in protecting your ID, because they have only a few IPs. So even if your IP is well hidden, it's easy to know that it's the same person calling. For example, how many JonDo users will be visiting your blog? Yeah, about one. Even worse, the few JonDo users are seen as one, and it's hard to convince webmasters otherwise. Also, in TOR it can be seen that you are visiting from all over the world, but JonDo only visits from Germany.

For the JonDo client, there's no need to set anything, but you have to pick the cascade yourself. For any paid cascade, they have 3 mixes to be safe, but there could be only 50 users, which may not satisfy your security requirements. For the free cascades, they all have only two mixes, while there is the test service where both mixes are run by the same university, most likely side by side. With at most a few thousand users, the traffic can be very different in different cascades, so you have to select the faster and safer cascade from time to time, manually. This is not going to change with the ramping up of paid services.

For the browser, I can only recommend JonDoFox, basically Firefox 3 with correct settings and loads of extensions, some of which cannot even be modified. If you see how many extensions they put in to secure the browser, you probably won't want to set it up yourself. The setup provides you with a portable version, which is standalone Firefox, and a profile to be used for your installed version of Firefox.

When you start FF, you will be asked which profile to use: "default", the old profile you have been using, or "JonDoFox", the new profile. If you don't want that trouble, copy the FF shortcut, right click on it to edit the properties, and add to the target path. Instead of


you have ".../firefox.exe" -P JonDoFox

You can do the same for your old "default" profile.

If you want to use JonDoFox for everything other than your most secret activities, you have to use the 4 icons at bottom right a lot. Cookies, ads, and scripts are normally disallowed, which makes it totally unusable for most websites. You have to give temporary permissions, or add to the exceptions (white list). The actions are self explanatory if you click on the icons left and right.

Finally, there is the proxy switch at the bottom rightmost. You can turn off JonDo, switch to other proxies and even to TOR. But I don't know how secure the TOR option (if you have installed TOR or Vidalia) is. The TOR bundle seems to be less restrictive on the web contents, but the TOR button has some unexpected behavior that claims to be security fixes. Though the FF in the TOR bundle wasn't that up to date.

JonDo Architecture

To use the JonDoNym system to protect your online anonymity, you have to have 3 things: a configured browser (I recommend JonDoFox), JonDo the client software, and the Java runtime, which the client runs on.

As just an encrypted secure tunnel with anonymous proxy, it's pretty fast and reliable. It reminded me of Safeweb at the height of the tech boom. Even if you use the more secure free two stage mixes, it's pretty fast most of the day, sufficient to do any surfing, other than youtube videos. I'm surprised it only gets a few thousand users, because I would use it to secure unsecure emails such as yahoo, and to bypass school and company firewalls (if JonDo wasn't banned), and at least to hide what I'm surfing at work - that I used Safeweb for.

JonDo, same as TOR, is aimed to provide an untraceable proxy, your target website cannot trace back to you. And nobody can sniff what you are doing - the website address and contents are delivered to you encrypted.

The concept or "architecture" of JonDo is quite different from TOR. JonDo proxy is only for html traffic (though you can get over it). Because of the limited applications, the number of users and traffic are very reasonable for interactive surfing.

The server providers of JonDo are supposed to be independent companies/organizations, certified by JonDo, a company that came out of research in German universities. The client and server software are open source. That can exclude some bad things about using other proxies.

Ideally, you want 3 stages called mixes, in 3 independent companies, best in 3 different uncooperative countries. The first mix knows who you are (your IP), but not what you are doing (encrypted). The last stage only knows what web pages you are looking at, but has no idea who you are. So you are pretty secure if there is the middle mix, which knows nothing, to increase untraceability. It needs all mixes in your chosen cascade to cooperate together to sell you out. There's no point in setting up a single company to try to collect private data and sell it. Someone may want to create three front companies, but since they have to sign a contract, it will be criminal fraud if discovered. The people behind it are from the universities, at it for a long time now, and the software is open source, so there's some guarantee of integrity. There are also some privacy advocate groups involved, probably guaranteed by their charter and mission statements.
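What each mix in a three-mix cascade can see, as an added example (not JonDo's code and not from the original post): it assumes one symmetric key shared between the client and each mix, and uses an HMAC-SHA256 keystream as a standard-library stand-in for the real cipher. The addresses, URL and function names are constructed for illustration, and the model covers message content only, not traffic timing.

```python
import hashlib
import hmac
import os

# Constructed sample values (documentation address range, .example names).
CLIENT_IP = "198.51.100.7"
URL = "https://mail.example/inbox"
MIXES = [("mix1.example", os.urandom(32)),   # first mix: talks to the user
         ("mix2.example", os.urandom(32)),   # middle mix
         ("mix3.example", os.urandom(32))]   # last mix: talks to the web site


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stdlib stand-in, not a vetted cipher."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    """Separate encryption and MAC keys derived from one layer key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key, plaintext):
    """Add one encryption layer: nonce || ciphertext || MAC tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Remove one layer; refuse anything not sealed with this key."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer authentication failed")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def wrap_for_cascade(request, keys):
    """Client side: innermost layer is for the last mix, outermost for the first."""
    blob = request
    for key in reversed(keys):
        blob = seal(key, blob)
    return blob


def run_cascade(client_ip, blob, mixes):
    """Pass the blob through each mix and record what that mix observed."""
    views, source = [], client_ip
    for address, key in mixes:
        peeled = unseal(key, blob)
        views.append({"mix": address, "source": source,
                      "input": blob, "output": peeled})
        source, blob = address, peeled   # next hop only sees this mix's address
    return views


def learned(view, client_ip, url):
    """(knows the user's IP, can read the URL) for one mix's observations."""
    return view["source"] == client_ip, url.encode() in view["output"]


def colluders_can_link(views, colluding, client_ip, url):
    """Can the pooled records of these mixes tie the IP to the URL by content?"""
    pooled = [v for v in views if v["mix"] in colluding]
    trail = [v for v in pooled if v["source"] == client_ip]
    while trail:
        v = trail.pop()
        if url.encode() in v["output"]:
            return True
        # Follow the message only where a colluder saw it arrive.
        trail += [w for w in pooled if w["input"] == v["output"]]
    return False


if __name__ == "__main__":
    keys = [k for _, k in MIXES]
    views = run_cascade(CLIENT_IP, wrap_for_cascade(URL.encode(), keys), MIXES)
    for v in views:
        print(v["mix"], learned(v, CLIENT_IP, URL))
    print("mix1+mix3 only:",
          colluders_can_link(views, {"mix1.example", "mix3.example"}, CLIENT_IP, URL))
```

With an honest middle mix, the first and last mixes hold the IP and the URL separately but have no matching bytes to join them on, which is why the cascade only fails on content when every mix cooperates.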

So at least you will not be scammed by somebody in their basement. And indeed court orders had been served on the companies to discover something, proving that it works (to some extent).

The weakness is that by German law, starting from 1/1/2009, ISPs have to log everything, and it seems that the JonDoNym companies have to store enough things such as decryption keys so users and URLs can be traced after the fact. This data retention is for 6 months or a year I think. This is only a problem because all (?) of the mix operators are now in Germany. It is not a problem if someone sets up foreign companies. It is also not a problem if what you are doing won't be inviting court orders in Germany.

Sometimes a court order is not as powerful as bribing insiders or implants. Without the data retention law, it's pretty safe because there are no logs. With data retention, you have to obtain logs in several independent companies, which makes it more difficult. These companies should be careful about the logs because they are in it for the money, fame, or their charter. If security breaches went public, their money making ability will be compromised, their advertising less desirable, and their ability doubted. Also when you add some encrypted proxy somewhere they can't even find the targets to bribe.

There are other forms of attack for other purposes. Assume there is no data retention or your adversary cannot get a court order. Your adversary can observe some traffic points in the internet - generally called sniffing. Sniffing can be easy - your adversary just needs to get to the local network to sniff the traffic. In monitoring you they just need to be your neighbor on the same cable network, or sort of "wire-tap" your DSL phone line or digital cable.

If you are monitored, the simplest mix of JonDo allows you to hide your URLs and content because of encryption. They can also compromise or sniff the final mix, where the target URLs have to be in the clear. When there are only 500 odd users, it's not difficult to guess who you are, what your secret email address is and what your handle is in some special forums. Sniffing usually comes with statistical timing analysis. Your outgoing page loading activities correspond with those on the final mix, so your destination can be identified and more. Adding your own encrypted proxies will move the target so it's rather difficult to hit.

The number of targets in Jondo is pretty small. Apart from the users can be as low as a few hundred, there are only a few cascades with same or perhaps different IP's. The target website can sniff the inputs to collect a few hundred suspects, or do timing analysis to pinpoint. At the cascade input, your IP is clear.

The future of JonDo is less bright after the data retention act. Without data retention, it's bullet proof, and sniffing and timing analysis fail when user numbers get large. If I were a criminal I would finance some front companies to set up free or cheap mixes, so I can use it safely. TOR may be better but you have little control over the servers and relays. Without data retention, I don't think there will be big spenders like major crooks. And since JonDo charges by total traffic, it doesn't sound competitive for casual users, who may just want to bypass their myspace block at work. I can see that paid users are about 100 total at times. I don't know how they pay for those servers, which have to be pretty big, not your PC as in TOR. For a few dollars a month, you can get encrypted proxies (or VPN). But I will be careful before handing over my credit card number to crooks in their basement. And I'm sure the data collected will be worth something and they will sell it. Also, their fast free service may be their undoing.

Sunday, October 26, 2008

Usable CGI proxies

The only usable proxies are TOR, JonDo and some CGI proxies. Still, they all have weaknesses, but much fewer than a single proxy where you don't know anything about the server.

I have a browser extension that can download large free proxy lists automatically in any reasonable format, test which one works, check if there's any IP list, test the level of anonymity, rank the fastest ones, connect, use, and keep checking the rest for fastest ones in case the current proxy stalls. It's pretty good, but the more you test, the less likely the proxy will work when you switch to it. The other proxy approaches provide more features than this. So I gave it up until I resurrected it when dealing with Wikipedia - they ban any proxies, including TOR, as soon as someone defaces their pages. So I have the only effective weapon against Wikipedia. I have fresh proxies faster than they can ban.

So-called CGI proxies are web based, like using gmail instead of outlook. Basically most of the free CGI proxies are copies of the software by one guy. There's no point in using other software because it's well tested, unless it's for commercial use, which has to pay. You can google CGIproxy for examples, but there should be a more specific keyword to search for these proxies easily.

The main difference between CGI proxies and port based proxies is that CGI proxies want to be found, while port proxies are usually exposed through ignorance or by accident. Or, since CGI proxies are web based, it's not difficult to find the web page. Why? Because anybody can download the software and install it at some cheap hosting company. You can use it yourself, sell subscriptions to others, or sell advertising. Even if it's for personal use and you don't sell anything, you want others to use it to increase security.

The main advantage of CGI proxies is that they are reliably chainable. Instead of entering the URL of your desired website, you enter the URL of another CGI proxy. You get yourself a two-proxy chain, and you can repeat this for more.

The main disadvantage, or main advantage at the same time, is that the website content can't get to your browser directly, as in port proxies. So exotic content doesn't always work, but most does. But since the content cannot get through otherwise, you can easily determine visually that the proxy or proxy chain is working.

With TOR and JonDo, CGI proxies are not really very useful, except for the encrypted ones. The free CGIProxy includes SSL encryption, but most servers don't allow it because of load. Though I have found a few commercial operators that allow free trials. If you chain an SSL CGI proxy at the end of TOR or JonDo, certainly it will increase your security unless the proxy is compromised.

It's very worthwhile to set up your own CGI proxy as part of your total chain. You can set up a few around the world in different jurisdictions, paying for them with anonymous money if possible, and allow other people to use them for deniability.

If you connect to your own CGIproxy directly, nobody can sniff your traffic, as in wiretapping. Not even your ISP.

If your CGI proxy is at the end of the chain, nobody else knows what the target website is. But the target website can trace back to your proxy server, and hence you, if the account needs your ID to register.

Saturday, October 25, 2008

Proxies don't work

After so many years, there are still many merchants on the net trying to make money from proxies. Before you waste your time: proxies mostly don't work, even though the impression you get when you google proxy is the opposite.

If you pay for a proxy service, you have to be very careful, and see if there's any guarantee that the company doesn't sell you out. The sites you visit don't know your IP, but the proxy service knows everything about you, better than your ISP does. Your enemy just needs to gain access to the proxy company, via bribery, infiltration, or social engineering. It is said that most proxy companies are collecting data for profit.

A good example is, whose website still exists. It was about the only practical free software that made use of free proxies around the world. It seemed OK at first but one day the software stopped working. It appeared that the free software was spyware, sending all your URL data back to base. When the operation went bust, the servers stopped working and hence the software stopped too, failing to communicate with base.

It's the same if you pay for some VPN service. You can have a private, secure connection between your home and company. You can have a private tunnel to bypass your company/school network, hence no censoring. But if you surf via the VPN, they have your ID and your data. For big companies, at least they have screened people and you can sue them if they do anything wrong. But for some companies with only a name, what can you do about it?

Software merchants may want to give you the impression that there are infinite numbers of proxies in the world for you to use. But actually most can be thought of as PCs or small systems whose owners don't know basic protection for their computers. Once they notice something going through, they will close the port. If not, then the computer will be overloaded and unusable most of the time.

There are indeed some proxies for public use, such as CODEEN. But usually they are overloaded, and usually you can only read, not post anything, nor even log in. Otherwise, it's a criminal's heaven.

There are some web based CGI proxies that are easy to use. But these guys can be anybody. The reason that more CGI proxies are available is that they can place advertisements. Also, some guys just want to attract lots of traffic to their machines so they can deny that they did it themselves. To avoid trouble, most CGI proxies avoid secure connections (https) and disable the ability to post, which otherwise would become heaven for spammers (and many other types).

You can chain proxies together so it's almost impossible for the target site to trace even in real time. However, it's almost impossible for normal people to do this just to protect their privacy. It's already difficult to find a public proxy that works for a while.

And since most free proxies don't support https, it's very easy for users to be misled into thinking they are secure. Say you log in to Google mail: it uses secure https for login and then switches back to unsecure http. If you are not careful, you will log in successfully, but not using any proxy, and you won't even know about it. Your IP may not appear in the email headers, but Google has info about your real IP, which can be obtained by court order (how about bribe, social engineering?).
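The leak described above can be checked against a browser's proxy auto-config (PAC) policy before trusting it. This is an added example, not code from the original post; the proxy address, host names and the three-step login flow are constructed placeholders, and the policy and helper names are hypothetical.

```javascript
// Added example: three PAC-style policies and an audit of which requests
// in a login flow would leave the machine without going through the proxy.
// In a real PAC file the policy function must be named FindProxyForURL.
const PROXY = "PROXY 192.0.2.10:8080"; // constructed placeholder (TEST-NET address)

// Weak: models a free proxy that only carries plain HTTP, so the
// configuration sends everything else straight to the site.
function weakPolicy(url, host) {
  return url.startsWith("http://") ? PROXY : "DIRECT";
}

// Fallback: proxies everything, but lets the browser go direct
// whenever the proxy stalls or refuses the request.
function fallbackPolicy(url, host) {
  return PROXY + "; DIRECT";
}

// Strict: every request goes to the proxy and there is no DIRECT entry,
// so a proxy that cannot carry HTTPS makes the request fail instead of leak.
function strictPolicy(url, host) {
  return PROXY;
}

// Constructed flow modelled on the webmail login in the post:
// plain HTTP landing page, HTTPS login, then back to plain HTTP.
const LOGIN_FLOW = [
  "http://mail.example.com/",
  "https://accounts.example.com/login",
  "http://mail.example.com/inbox",
];

// Classify one PAC result string such as "PROXY a:1; DIRECT".
// An empty result is treated as a direct connection.
function classifyRoute(route) {
  const hops = String(route || "")
    .split(";")
    .map((h) => h.trim().toUpperCase())
    .filter(Boolean);
  if (hops.length === 0 || hops[0] === "DIRECT") return "direct";
  if (hops.includes("DIRECT")) return "direct-on-failure";
  return "proxied";
}

// Run every URL of a flow through a policy and record how it is routed.
function auditFlow(policy, urls) {
  return urls.map((url) => {
    const route = policy(url, new URL(url).hostname);
    return { url, route, exposure: classifyRoute(route) };
  });
}

// URLs that can reveal the real IP address to the destination site.
function exposedUrls(policy, urls) {
  return auditFlow(policy, urls)
    .filter((r) => r.exposure !== "proxied")
    .map((r) => r.url);
}

for (const [name, policy] of [
  ["weak", weakPolicy],
  ["fallback", fallbackPolicy],
  ["strict", strictPolicy],
]) {
  console.log(name, auditFlow(policy, LOGIN_FLOW).map((r) => `${r.exposure} ${r.url}`));
}
```

With the weak policy only the HTTPS login step goes direct, which is exactly the step where the site learns the real IP address.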

In conclusion, nothing really works, and trust no one.

Practical Anonymity on the Internet

Whatever you type into the address/search bar of Chrome, the Google browser, it goes to Google. Of course Google has been doing it for a long time; every search is archived. If you volunteered by logging in, all the info goes to your hidden profile, such as web history. If you don't log in, they have your IP anyway, which can easily be used to link to you one day. For example, from the websites you visited, they know where you live, what your kids' schools are, which company you work for, your bank, and where you shop most, etc. With this info, it's easy to know which IPs belong to the same person, and one day link them to your real ID. It's a big brother's world.

Imagine if Google bought up an ISP tomorrow! Whatever you do on the web, someone in Google would be able to know about it, and they would know your real name and address too. Maybe every politician will be up in arms about it. Also Google's motto is do no evil. So that's not that alarming.

However, how about 10 or 20 years from now, when Google and a few ISPs are bought up by a Chinese company, still controlled by the communists? Immediately they can find out who were, say, human rights activists causing trouble many years ago.

With all the talk about online privacy, my guesstimate is that at most only several thousand people in the whole world are taking it seriously daily. That's the number of people using JonDo, and perhaps more using TOR, the only two practical and reasonably safe systems.

Wednesday, July 30, 2008

How to make high quality youtube video and embed them

The steps are based on the findings in this video. If you need step by step instructions, play it, otherwise read my post that follows.

It's well known that you can link to the high quality version. If the url of the video is, the video of the HQ version is at

Embedding is slightly different. The code to append to the url in the embed code is &ap=%2526fmt%3D18. Note that the url appears twice in the embed code.

To ensure you have the HQ version, you need to do a few things.

Size: it must be 480x360 or above. If you have 4:3, the maximum dimension is 640x480. If you have wide screen 16:9, you can just use 640x360 without letter boxing yourself.

Frame rate: 24 fps works (vimeo uses it), PAL is 25 and NTSC is 29.97. 30 fps will work too. Use 24 minimum.

Video codec: youtube said Divx or Xvid. Actually H.264 will work too. The trick is to configure the codec to use CBR (constant bit rate) and force the bit rate to over 1000 kbps.

File format: avi or mp4 will work (mov and wmv should do too). Strictly speaking H.264 and mp4 are the "real" mpeg4 standard.

Audio: MP3 and AAC will do. AAC is the "real" mpeg4 standard.

Free software is either Avidemux for mp4 compliance, or VirtualDub for popularity.

Avidemux: choose x264 for video, AAC for audio and mp4 for file format. In the first main option menu, set the encoding mode to Constant Bitrate, and use the default 1500 kb/s. All codecs are built-in. If you want smaller files you can use 2 passes. Avidemux will do it automatically whereas in VirtualDub you have to configure the codec twice, as in the video above.

VirtualDub: you have to install the Video For Windows codec x264vfw. (Google for the download link.) As the video above suggests, name the output .avi file and select the x264 codec. Configure the codec - the first bitrate option is Multipass - 1st pass. This allows us to pick the target bit rate - set it to 1000 kb/s or higher. Then save as xxx.avi. For the 2nd pass, configure the codec to use Multipass - N pass, with everything else the same. Then save as xxx.avi and overwrite the file in the 2nd pass.

Of course, if you upload to Vimeo instead, you have full 1280x720 resolution, HD 720p resolution, which is as good as 1024p until your TV is bigger than 50" and you sit close to it. (from some reviews)

For any resolution I use Avidemux x264/AAC/MP4. Vimeo is less fussy about the codec configuration. It accepts the default variable bit rate, while Youtube has to have a constant bit rate larger than 600 kb/s to differentiate between "high def" and normal def.

Monday, July 7, 2008

Reverse Osmosis system components

I didn't make a simple list of the brand names that I trusted before. Here it is.

Valve's and T's (& tubing) $30 John Guest
Filter 1 $10 MatrikX
Filter 2 $10 MatrikX
Filter 3 $15 MatrikX
Filter 4 $15 Omnipure
Membrane $40 Filmtec
Flow restrictor $15
Permeate Pump $45 Aquatec
"90%" cut-off valve $15 Hydronamic
4 Gallon Tank $70 ROPRO
Faucet $30 Touch-Flo
TDS meter $15 Hana
Flow meter $30 DigiFlow
Filter housing $60
check valve $7 (instead of air-gap faucet)
Total $407

The prices are from a while ago. Google the manufacturer's name or look on eBay, so you get a good price. From time to time, people just buy in bulk and sell them separately on eBay close to wholesale price but still make a profit. It's difficult to bait and switch and I think it's impossible to have fake items.

To see what you get for $390 see this Flomatic system I just came across. It's completely NSF certified (like mine) and it looks very much like my system (and any other system) except for the integration (to save labor cost for them probably). However, there is no pump, so the performance is inferior and probably the filters and membrane are not the best.

John Guest is the patented name of the tubing connection system and also the manufacturer of a few things. JG is the easiest system - leak proof. The valve is important because, as I told you before, Lowes sells valves near the ice maker tubing that carry a health warning. JG is NSF certified. All its valves come with a beautifully fine JG symbol on them. You need a very fine plastic moulding process to copy that. If you have the tech and money to imitate it or fake it, you would be doing a lot of other things than making some valves. JG makes tubing too, though you can also find NSF certified tubing in hardware stores.

MatrikX filters are well known, well established and certified. Also a solid piece of work to hold in your hands. The paper labels are well printed and now there are trademarks moulded on the filter housing, if I remember correctly. Again, if you can make that solid piece of fine work, so heavy, for $10, you can make a lot of other things to make money. Prefilters are for chlorine absorption to protect the membrane, though you can add some fancy filtering capabilities. Since my TDS readings are the same when the filters are new and a few years later, they are working as they should.

Omnipure is similar. MatrikX is the master of block carbon for prefilters, while Omnipure is the master of granular carbon for the post filter - not for chlorine absorption. I think it's there to eliminate the taste due to the bladder in the tank, at least in my 1st cheap tank. Fine labels are printed directly on the housing.

The flow restrictor doesn't matter because it's on the brine (waste water) path. But you do need to have the correct flow rate to match your membrane.

There is only one manufacturer for the permeate pump, Aquatec, which has also made a lot of other electric pumps for years. It's a certified component. The pump is completely sealed in tough plastic. The protective plastic doesn't look beautiful but it works - I measured the pressure and TDS. Not just anybody can make something like that work - on and on 24/7/52. The smaller one is quiet but limited to 50 gpd and below (check).

The "90%" automatic cutoff valve from Hydronamic is a bit of a mystery. They make a lot of other conventional RO valves with typically 60% cutoff. I bet they have some certified 60% valves but I don't remember if I checked. It has been a while now but the 90% valve is still not on their website while the others are there. But there are no other valves like that on the market. There is controversy about the runaway use of the term 90%. They aren't - I talked to the manufacturer. But it's not really their fault because they don't sell retail. They do promise to check my valve and replace it if it doesn't go up to 85%. But I changed my mind about it. Firstly, the value shouldn't relate to water quality - the pump makes sure of that by isolating the two parts. The tank should fill more due to higher pressure but 4 gal is more than enough for me - there's no smaller one. I have at least 70 psi input feed; 90% gives 63 psi, higher than most people's main water pressure! My valve is probably 70%, a lot lower than 85%, but at 50 psi it's supposed to be the standard main pressure! Conventional 50% valves don't have anything wrong with them. But now I know some fridges need 30 psi for the ice maker. So you need at least 50 psi at the input.

The ROPRO tank makes the others look like toys. It's certified, indestructible, beautiful and space saving. If you stand it upright, make sure your cabinet can stand the pressure, 4 gal per 9" diameter. You can stand it sideways or any way you want. My 1st metal tank dented, chipped, and leaked air. I needed to pump it like a tire once in a while near the end, and the water smelled of rubber. I have never needed to do anything about the ROPRO. The name is moulded on the housing. Actually I wanted to buy a certified metal tank to save money but the retailer gave me this for the same price. I bet he didn't sell inferior metal tanks anymore and ran out of stock.

Everybody uses the Touch-flo faucet because any designer faucet costs $100 to hundreds. Touch-flo's are certified. Now they come with tubing attached so you save a lot of terrible work at the deepest corners under the sink. The ones I got do not have markings on the faucet because most OEM's use them. They are sold in complete systems by other manufacturers - with or without their brand names etched on the faucet. Forget about air-gap - they can be very noisy and you need extra tubing and connections. It's the same as the air-gap on your dish washer. Just add a check valve so when your kitchen sink blocks, the waste water won't go back to foul your drinking water. I don't think it's a real problem, as long as you remember to disconnect the brine tube from the kitchen sink drain, like a manual on-off valve, before you pour poisonous drain cleaning chemicals down the drain.

Get a TDS meter, so your installation is fail safe. You can't get 95% TDS rejection any other way.

The flowmeter is rather new, in a form suitable for RO systems, monitoring a few different filters and telling you when to change them if you input sufficient data. I haven't tried it. It's rather bulky, a box stuck to the front of your system with a 3/4" connector. But I think replacing one of the 3 prefilter housings with this will make more sense. It's not certified I think but it claims they use certified material. That's very true, as long as they use certified plastic in contact with drinking water, it should be OK. That goes for the filter housing too. I don't think you can get brand name housing with NSF certification at a good price. But really it's a piece of plastic - if they use appropriate material, and the mold is fine and doesn't leak, how wrong can it be?

Wednesday, January 23, 2008

The law of juggling and the U-defense in desktop tower defense

As you have seen from previous videos, juggling is required to get a high score, and to survive the 100 levels. This is a study to find successful juggling strategies and to simplify juggling, making it so easy that nobody hates it anymore.

For various reasons, the line of creeps in your maze will grow longer and longer, making it impossible to block your creeps in the maze by selling and building towers in different places.

To be successful you have to minimize the line of creeps, and to be able to shorten the line.

Minimizing the length of the line of creeps is easy to say:
  1. The creeps at the two entrances should enter your maze at the same time. With the worst timing, you have lines of creeps twice as long.
  2. Creeps should come out at the same time rather than gradually, using the "send next creeps button".
What prevents the creeps from coming out all together is the flying creeps. If two waves come out at the same time they will easily overwhelm your air defenses. So basically you send 7 levels of creeps together if possible and keep them in by juggling. When the air creeps are about to clear you send another 6 levels together, but time their entrance so that they will join the creeps already in the maze.

Being able to shorten the line of creeps in the maze keeps you in an invincible position. For this I came up with the U-defense. But sadly, after I reinvented it, I spotted something similar in the videos that was not obvious because of the fast play speed.

The maze shown is a straightforward implementation of a double U-defense. The middle 4x6 towers are about enough to deploy air defense in a mix of swarm, boost and snap towers. The lower right corner shows the two exits of the maze. One of the exits is always blocked. Since you can actually shorten the line of creeps, other strategy isn't that important, unless you reach the point of aiming at the highest score.

The critical towers are the two towers marked "g", which can be seen as a return valve bypassing a large U shaped path. When the creeps enter the U, they are slowed down. When they have passed the U and then return because of blocking, if the U valve is open, the later creeps to return will catch up with the earlier creeps, shortening the line of creeps!

The timing principle is simple. When the first creep enters and exits the U, passing the g-tower the 2nd time, this g valve can be opened at that exact time but no earlier. If the valve is opened earlier, other creeps will find a short cut and pass the first creep to lengthen the line of creeps. Now when the exit is blocked and the first creep returns, it will return via the g-valve, catching up with other creeps returning not from the g-valve. So the line of creeps is shortened.

The juggling sequence is very simple. One of the exits is blocked. When the first creep passes through the middle of the U, it's time to sell the valve and the blocking tower in the other exit at the same time. It's so simple you can't forget it, and there's no extra difficulty other than simple juggling. When the selling is complete, you block the current exit, so some creeps return via the normal path and some return via the valve. After the last creep returns via the valve, block it. Then rest a little and do the same for the other path. Note that this timing is for the maximum sell time. When selling is fast at the beginning of the game, you can sell the valve-tower and the block-tower later.

Sunday, January 13, 2008

Personal computer regular maintenance

Do PCs, like cars, need oil and filter change? Sure, unless you, like many people, replace whole desktops or laptops every two years. But even if you do, you will have measurable benefits by doing regular maintenance.

The efficiency of air cooling systems using fans and heat sinks degrades with time. Most PCs have mechanisms to slow down the processor when overheating occurs. Typically mobile processors in laptops slow down significantly after long use, especially with the fan grills blocked. Slow down support is built into mobile processors. Desktop processors didn't have it, not until the latest ones. You also need system board level and operating system level support. So, if you keep the fans and heat sinks in top form, your PC runs fast and runs safe.

One more thing you may need to do is to reapply thermal paste between the CPU and the heat sink. The chewing gum like paste that comes with new CPU's lasts for years. But once you disconnect the CPU from the heat sink, the paste will be very bad to reuse. So if you build your own system, you get only one chance if you want a good thermal contact. They are not supposed to be good anyway. Circuit City has a lot of more fluid like thermal compounds on sale, which claim to be better. But I just discovered that they don't last that long. But reapplying them is trivial.

Other maintenance includes cleaning the monitor and keyboard. They are hardly life threatening, unless you have a wife like mine. I have quality screen cleaning fluid and micro fiber cloth for my expensive monitor. Normally it's quite dusty as I believe cleaning causes degradation. I only clean it when I need to calibrate color for example, or to view some very high quality image, or when it's just too dirty to look at. But once I left my monitor alone for a while, my wife cleaned it like windows, not the software kind but the glass kind. I was horrified by the marks left on my dear monitor. I could imagine how she cleaned windows, spray on some Windex, and rub it hard with a towel, OMG. Luckily, after I wiped the screen repeatedly with my cleaning fluid, there didn't seem to be any harm done.

When do you need to do maintenance work? I had no choice because my system board alarm went off due to overheating. Lesson number one, you must turn on the temperature monitor alarms. In the past, I used the system board software utilities when the board was new, to verify that everything was working with no overheating. After that, I tended to ignore those utilities because they are quite primitive software from hardware manufacturers, a pain to use. But I learned to keep them on when the system boots; it will be useful years later.

My CPU reaches 60 deg C whenever the anti virus software is scanning my disks. The CPU usage is only some 50%. So I know there must be something wrong. Lesson number two, on a brand new PC, record the fan speed and temperatures when your PC is doing something heavy continuously, such as anti virus scanning, and playing videos. So when your fan speed or temperatures are significantly higher under the same conditions, you know it's time. Or, you can just wait for the alarms to go off.

I clean the heat sinks on the system board using a can of compressed gas duster for computers, which you can find in hardware stores nowadays. I also use it for all the fans in the power supply and in the case. Otherwise, it's hard to wipe the fans clean. I also use the duster to blow away dust from the system board components, and the keyboard. These are hardly necessary but feel good.

Don't mix thermal paste, old and new. The thermal paste that comes with retail processors is hard to remove completely. But those semi-fluid thermal pastes are easy. You just need rubbing alcohol and they disappear completely. Then you reapply a drop or two of paste. These pastes are usually contained in a tiny syringe, sufficient to be applied for 100 years. But you are supposed to store them upright. I did keep the syringe upright after I was done installing my new system.

By the way, hot laptops cause low sperm counts, or something like that.

Tuesday, January 8, 2008

Second additional mobile line (VoIP)

The most straightforward is the Mobile Line 2 service. As the name says, you get another phone line (and number) on your existing mobile phone without affecting your carrier plans. All of these "virtual" phone services route calls via the Internet (VoIP) to be cost efficient. To use the service you need to download an application to your smart phone, which includes many Java enabled phones. The cost is $9.99 per month plus less than $0.03 per minute. The cost is higher but comparable to a 2nd prepaid SIM card at low usage. There's no mention of international calls out of the USA.

The better service seems to be TalkPlus. You can use smart phones including the iPhone, or dumb phones with just a browser. The cost is $9.99 per month with plenty of minutes included. International calls cost extra but cheap. You can get an international number too.

You can get a virtual phone number for free or very cheap. Incoming calls are easy. The problem is outgoing calls. There's no problem if your recipients take anonymous calls with blocked caller IDs, or you can call your recipients using any phone and ask them to call you back on your virtual number. For example, SkypeOut does not have outgoing caller IDs.

Google's GrandCentral is the exception. It's free for the moment but you have outgoing caller ID. The philosophy is to have a universal phone number to replace all your other numbers. But of course you can use this number as a 2nd mobile phone line. The added advantage is that you can use any phone when you have internet access. For mobile phones you just need a browser.

These mobile services all use your carrier's airtime for the duration of the call, and need a data plan for accessing the internet to set up the calls. For prepaid phones, the most expensive can be $0.25 per minute and a few cents per kilobyte. AT&T Cingular prepaid includes a data plan, while Virgin phones typically weren't even internet capable. Typically a GrandCentral call uses less than $0.10 (prepaid) for data plus airtime.

Perhaps to limit free usage, you can only call somebody if you add them to the contact list first. This is no big deal but the funny thing is that you cannot add contacts on the mobile version of the site. Otherwise, calling your contacts or returning incoming calls via your mobile is simple, using one click on the entry. My mobile phone worked fine but one day I couldn't call anymore. I exchanged emails with Google support for a while but they couldn't solve the problem. My phone isn't too new or too smart or too old. It was on the compatible list of TalkPlus.

There is a little known service, or little thought of service, that complements any of the above services. You can call from any phone as if you are calling from your virtual number. You can set up calls using the internet, or via a toll free number. It's TalkPlus when you don't have or don't want to use your mobile phone. You can choose any phone number that you want your recipient to return your calls to. It's GrandCentral when you can dial any number directly even with your cell phone.

It's the caller ID spoofing service such as Spooftel. It has been available for a couple of years now. You can just set your caller ID to your virtual number or any number you want. They don't have a mobile website so you may have to use the toll free access if you don't have a computer and internet. But you can always call somebody with a computer to connect the call for you. The cost is $0.10 per minute. Together with free GrandCentral, the combination is cheaper than the cheapest prepaid card. It's really pay as you go because the minutes do not expire.

The catch is, the bill to outlaw caller ID spoofing is at its final stages, with the latest action last December. The bill has been sort of agreed by all parties for a year now. Maybe there are as little as a few more months to go, or maybe a year. Maybe the cutoff date will be set further ahead to give some time for people to get ready.

ps I agree that carriers are trying to block the new VoIP services. When the mobile GrandCentral launched, it worked flawlessly. Then a couple of months ago I could access the mobile site but couldn't call. Now I can't even access the mobile site.

GC support didn't know what the problem was, and I haven't seen any conspiracy theory yet. But I see good reason to block these services. When GC forwards calls to your mobile, you can have the caller ID set to your GC number. If you add this number to your fav numbers, you have unlimited incoming calls for everybody calling your GC number.

Single cell phone multiple numbers (SIM method)

Two lines (two numbers) on one mobile phone is a popular demand. All non-ancient GSM phones support multiple lines, but it seems that no carrier in the world bothers to support it. This was true from a couple of years ago to the last two years, not very true now, but the biggest and most popular carriers don't bother. Still no US carrier bothers now. Now the phones are so smart that you can do a lot of things to bypass the carriers, forcing some carriers to compete. The smaller carriers might just as well provide some fringe benefits to increase head count.

For GSM and 3G(UMTS) you can play around with the SIM cards. For other carriers, you can call via some calling card like services, or Internet services.

You can buy a super SIM card, together with a card reader and writer. You copy all your carrier SIM cards over to your own super SIM card. I heard that 3G SIM's are not possible to copy due to encryption. The original SIMs have to be compatible with your super SIM and with your phone, which makes this the most problematic method, though the most elegant.

The most common method is to get a dual-SIM adapter. I think Magicsim is the most common brand on eBay and I had one, long before they had a brand name and a website online. SIM's have some sort of standards, including V1, V2 and 3G. There are also different memory sizes, 32K, 64K to 128K (3G). Make sure that your phone is on the adapter compatible list. I don't know if it's possible that some carrier SIM's can cause further compatibility problems. But I don't think it will be if your phone is a 3G or late GSM model.

There are two types of dual-SIM adapters. The simpler type looks like three SIM cards connected together. There are two holders for your carrier SIM cards. You insert the third card into the SIM compartment of your phone. This type requires that your battery compartment isn't too tight to contain the extra thickness of the SIM cards. You are OK if your phone is on the compatibility list. I would recommend this though I had the other type.

The second dual-SIM adapter requires you to cut out the central bit of your SIM cards, and put them into a SIM card that holds your two little cut out pieces. The adapter in the form of a SIM card is slightly thicker than an ordinary SIM card, so it might not fit if your SIM compartment is super thin. Or the contact may be loose so they provide you with sponge fillers for a tight fit.

The cut out type adapters sound dangerous and difficult. It's yes or no. SIM cards don't cost much if you know where to find them, and if you have a plan your carrier may replace it for you. Unless you make very stupid cuts, even if the adapter doesn't work, they provide two holders for you to hold your cards for use as if they are not cut. I advise getting a SIM cutter, which I didn't. I just used scissors. I intended to cut a little larger than the template, then gradually reduce the size to fit the adapter. But I ended up simply chopping off the excess with one simple cut per straight edge.

The two cut out SIM cards should look exactly like two miniature SIM cards, but not mine. After a little trimming they can go inside the adapter. But with some loose space one of the miniature cards can move a little inside. It didn't work at first, or it didn't work reliably. But once I swapped the two miniature cards, they fit better and never gave me problems. Maybe after a year the SIMs were loose again. So I pulled out and plugged in the cards again and added the sponge filler to hold the cards tighter. It works fine now.

I bought a 64K SIM served by AT&T (previously Cingular). It was another eBay order without phone and plan. It was for the GoPhone, prepaid or with a monthly plan. It might be possible that the carrier may not activate some cards, depending on the way they are sold or according to their serial numbers. My SIMs are OK but probably because I wanted to port my old phone number to the prepaid phone(!), I went through several operators. Virgin had better service and a better deal, but they are not GSM, reselling Sprint airtime.

I had a carrier unlocked GSM phone for traveling. I don't think you need an unlocked phone when you are using two SIMs from the same carrier. If you ask, a nice carrier may unlock the phone for you after 6 months. But most phones are trivial to unlock yourself. For Moto you only need to download some software to the PC and a standard mini USB cable. I don't know about the latest 3G phones but you can always search for unlock hacks specific to your phone. If you travel abroad those Blade Runner (the movie) type shops will unlock it for you free if you buy anything trivial.

Adapters cost little but you pay for those guys who buy it in bulk and resell on eBay. Same for SIM cards. US carriers don't sell SIM cards directly without anything to go with it. But somehow you can get it on eBay. Abroad, SIM cards with airtime are cheaper than refilling the airtime itself.

At any one time, only one SIM and one number is active. In the older adapters, you switch off the phone and then back on to switch SIM cards, hence your number. In the newer ones, you dial 001 and then hang up to use SIM card number one, and so on. With better compatibility, you can pick SIM1 or SIM2 on your phone menu. You can also rotate the cards at fixed intervals, x minutes for the 1st and y minutes for the 2nd. This way, you can receive all your voicemail and other alerts without having to manually switch the SIM cards. But I don't feel comfortable doing this. My adapter doesn't work in this mode anyway.

Normally you set your phone to forward on unavailable to the other number, so you will not miss any calls. But there are minor problems. You don't know if the call is forwarded or not. You just have the caller ID. So if you do not know the person, you don't know which number the caller called. And be very careful if your numbers aren't public. Your line 1 calls will be forwarded to line 2, and voice mail will be left on your line 2 account. The system default message is to announce your line 2 phone number, though the caller called your line 1 number. The same problem occurs again if line 1 is supposed to be for John and line 2 for Peter. On the voice mail greetings you have to swap the greetings for John and Peter. But when you sometimes turn off the call forward for some reason, you have to swap the greetings. So carrying two phones isn't a bad idea.

The cheapest way to keep an extra number this way is prepaid, roughly $100 a year or $25 for 3 months from various carriers, if you call very little. It's difficult to compare exactly because most have some refill bonus. Most carriers will allow you to go offline a few months while keeping your number. It's much cheaper if your usage patterns allow for that. AT&T (Cingular) has 3G, T-Mobile still hasn't made the announcement. And of course AT&T has the iPhone. With the constant cat and mouse unlock-the-iPhone game, no way AT&T is going to unlock your iPhone for your travels.

By the way, there are phones holding two SIM cards. But I bet they aren't too good as the demand is perhaps 1 in 1,000 or 100,000. And then there's a version of Blackberry from Verizon, which provides CDMA2000 technology, but also doubles as a GSM phone for you to travel. Of course the GSM phone is unlocked for foreign carriers. And since you already picked Verizon, they are not afraid that you want to switch to GSM/3G carriers. But if money is no object, there are other more elegant ways to have a 2nd phone number with a smart phone.

The Internet or calling card like methods will be next.


Sunday, January 6, 2008

Desktop Tower Defence - top score videos cure addiction

Finally I came across something that can cure the DTD addiction. It's videos on how the top scores are made. You can learn a lot, but you may also give up altogether - as I said, the game isn't great after all. So if you want to play your own way and improve at your own pace, skip the videos.

Before the videos and the analysis of the top score strategies, I can disclose some tools that may help you to have more fun. In the challenge mode, there is the 3K Fixed game. Instead of 80 gold at the start of the Hard game mode, you have 3,000, but you can't add anything afterwards. It's a fast way to test out your maze, compare your weapons, and measure the unlisted properties of the weapons, such as how much the freeze towers slow creeps down. The weapons, if available, are the same across the games, but the health of the creeps is not the same across games.

The other useful game is the 100K Gold in the fun mode. It's the same as 3K except that you can play as in the normal mode after spending the initial gold. Even better, there are 100 levels instead of 50 in the main game, everything else being equal. So you have more gold to spend on the first 50 levels and hence more flexibility to test things out.

Finally, there's The 100 in the challenge mode. It's the same as the hard mode but with 50 more levels. So it's exactly the 100K Gold but you have only 80 gold initially as in The 100 game. The 100 doesn't help you with anything but this is simply a superset of the hard mode with more levels. You may or may not want to start with this game rather than the main game, because the high score strategies are different - what works for 50 levels doesn't work for another extra 50.

Other modes and games are deviations from the main game. For example, some guys hate juggling, the selling and buying of the towers. It became less of a strategy game than a shoot-them game. But then there's not as much challenge because of the limitations of the game.

I used a spreadsheet (Open Office) that contains data of gold earned at each level, the health of creeps at each level, and all the measurable properties of weapons, like firing rate. So you can calculate to some degree how much fire power you need at each point and if you can afford it. I also use the Open Office drawing package to help with designing mazes and acting as blueprints during the games. But with modes such as 100K, the need for these outside tools is less. Also, if you see the videos, precise optimizations are either not necessary or not possible at the end.

I think there's some sort of collective conspiracy in the DTD forum, which missed a lot of critical information, perhaps in order to keep new players interested in the game. Firstly, as I expected, many top scores are fake. They play some other modes and hack the submission forms to change the name of the game to get impossibly high scores. Or they can just hack the Flash code downloaded to everybody's computer during play. So the top players started to post their fast-forward videos on YouTube.

The first video I recommend is a classic strategy for the main game DTD 1.5 Hard, with no juggling, or even no selling at all.

Notice it's so easy using only one Swarm (6) tower and all Squirt towers. I have done similar things before but I gave up because it wasn't likely to beat the high score. The strategy is easy. I have calculated that I need the equivalent of 4 swarm 6 towers to kill the air bosses. When I saw this, I went back to my spreadsheet and calculated that if I reduce the sw6 to 2, then I need about 7 squirt 6 towers. So I need only two boost 5 towers and one sw6 to give the equivalent of 2 sw6 towers, cheaper that way. And since building extra sq 6 towers is more economical than adding boost towers, it's pretty easy to place the sq towers without worrying about packing them together to touch the boost towers. There is more than enough fire power and enough money left for two frost 5 towers to slow down the air bosses to receive sufficient hits.

As for the maze, I said that the optimum pattern for sq towers is the cross, proportional in size to their firing range. But with two or more sq packed together, the cross doesn't make much sense any more. I used the drawing package to draw range circles on each sq. I think the optimum pattern is like peeling an apple - something like the maze in the video. It's not neat, but it doesn't matter because there is more than enough fire power.

With this setup, a new player and an old player differ only in how fast they hit the send-creeps-early button to add extra scores. Very soon you will hit near the high score of this strategy. Note that the no selling is a self-imposed rule. The nearest game is the 3K fixed game if you want to fight for the top spot, but 3K is easier because some bosses are less powerful I think.

The next video is the top score of DTD 1.5 Hard:

Basically the guy almost managed to send the creeps all together, and kill them gradually long after the last creeps came out into the maze. You always need to build enough sw towers to kill the air creeps, because you can't keep them in the maze. Sq towers aren't useful to air defense at all because they will always be distracted by the land creeps. So only bash towers are useful. Since you have very little money left for it, you don't worry about how to put more of them together with boost towers.

The maze isn't that important as long as you have two alternative paths, gold efficient at the beginning, and space efficient at the end. My staggered DNA pattern works rather well, with three DNA patterns on each path, and utilizing the remaining desktop space as maze. But since you have to share the pellet towers in the two paths to save gold and space, the DNA patterns aren't necessary.

The surprise is the splash towers. Not only do they fire at everybody in range, but they are completely frozen for a long time. I gave them up because of the seemingly weak power for the money. But the freezing allows the other weapons to be many times more effective. So killing the air bosses becomes very easy.

After I saw the true master at play, I decided that this isn't my game. It's all about timing, more of a shoot-them-all game than a war strategy game. Getting the timing right initially is hard but there's not much potential to optimize.

I could have been completely cured of the addiction if I hadn't seen the 10K fun:

The juggling strategy for the hard mode won't work anymore over 50 levels. But you can't survive without a little bit of juggling. So it's a balanced game. But at the end, you have to use a lot of splash towers, and reserve a large central area for all the towers. So there isn't much variation to the maze and the use of the splash towers becomes more of a shoot-them-all game.