#77: Should you eat that Cookie?


As Sesame Street moves to Netflix, we might be reminded that cookies are often ravenously delicious even if you’re left counting the empty calories.

Web users might be familiar with a different kind of cookie, signified less by a tasty snack and more by an annoying pop-up. American web users outside California might be less exposed to this kind of nonsense, but European users have – in the name of “privacy” – been compelled to deal with prompts before they can see a site they’ve clicked on. Like just about any T&Cs or software licensing EULAs, most people just want to get rid of the prompt as quickly as possible, so they might be drawn to the most prominent “Accept” button.


It can be pretty eye-opening if you do pay attention – many sites potentially share the way you browse with thousands of third parties. Dive into the more advanced settings on each of these prompts and you might be able to enable and disable individual “partners” or tweak exactly which kind of information is being tracked. But who’s got time for that?

Mmmmm. Cookies.

Back in the mid 1990s, when the web was taking shape, telecoms company MCI was developing an early e-commerce application with Netscape, but didn’t want their web server to have to track every stage of incomplete transactions. So, the developers took an idea that had been previously used, called a “magic cookie”, as a way of temporarily storing a block of data on the user’s computer. Thus, the HTTP Cookie, aka web cookie and so on, became a standard in 1997.

In general, cookies are supposed to make browsing the web more seamless – when you go to a website, a cookie from a previous visit could be used to continue a previous process or remember some preference you had – like how many items you want in a list or how to sort it – without needing to log in.

But cookies give website developers a raft of ways to silently track users, while also opening the door to all kinds of nefarious behaviours either on behalf of the site owners or unknown 3rd party players.

Look in your browser settings and you’ll see various ways where you can control the usage of cookies, and see what sites have put on your machine…


Visiting a single site, you can see what cookies are in use, and individually inspect, disable or delete them.


Using addins to stop foul play

Even if you are a trusting soul, it makes sense to use some common addins to limit what 3rd parties can see and know about you while browsing the web. Popular tools that might reduce tracking, cookies and block ads include Privacy Badger, I Don’t Care About Cookies, uBlock Origin and many more.


Most of these kinds of tools will give you the option to “whitelist” a website, in case turning off all its tracking and cookies actually breaks the site, so there’s little risk in using the well-known ones. Be very careful of any unsolicited add-ons trying to install themselves via popups or any other means.

Check out the EFF’s “Cover Your Tracks” page as well – it gives you a report on how well tied down (through addins or configuration) your browser really is.

Should you Accept, or Reject All?

Most of the time, the options are straightforward, even if the Accept button is more prominent; many sites will let you Reject cookies and will still work more or less intact. There are both temporary cookies that only live as long as your session, and persistent ones which stay on your computer so you can be identified next time you show up. There are a few different types typically used:

· Functional – these are used to track things like your basic preferences on the site, what country you are in and so on. There should be nothing to fear here but if you use an addin or a browser setting to completely block cookies, the site might just not work.

· Performance or analytical – these track how you use the website, and are generally anonymised so just provide the site owner with a way of improving their service.

· Advertising – usually a mix of 3rd party sites which track what you do, across different sites. That’s why if you’re shopping for something one minute, you start to see adverts for the same kind of thing on different websites. Do you want to have your browsing patterns exposed to potentially thousands of advertisers so they can foist more stuff at you?

You could try disabling third-party cookies as one way of avoiding advert spam.
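As an added illustration (not code from the original post), the script below classifies Set-Cookie headers the way a browser does: session versus persistent, first- versus third-party, and whether the Secure, HttpOnly and SameSite attributes are present. The sample headers and hostnames are constructed, and the registrable-domain rule is a simplified stand-in for the Public Suffix List that real browsers consult.

```python
"""Classify Set-Cookie headers as a browser would.

Sample headers below are constructed for this example, not captured from
any real site.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Simplified "registrable domain" rule (assumption): the last two labels, or
# the last three when the second-level label is a shared suffix such as co.uk.
# Real browsers use the Public Suffix List instead.
SHARED_SECOND_LEVEL = {"co", "ac", "gov", "org", "net", "com"}


def registrable_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in SHARED_SECOND_LEVEL):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def same_site(host_a: str, host_b: str) -> bool:
    """Two hosts are 'same site' when their registrable domains match."""
    return registrable_domain(host_a) == registrable_domain(host_b)


@dataclass
class CookieInfo:
    name: str
    set_by: str                 # host whose response carried the header
    domain: Optional[str]       # None = host-only cookie (no Domain attribute)
    persistent: bool            # Max-Age or Expires present
    secure: bool
    http_only: bool
    same_site_attr: str         # "Strict", "Lax", "None" or "" when absent
    third_party: bool           # set by a site other than the page's own site


def parse_set_cookie(header: str, set_by: str, page_host: str) -> CookieInfo:
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain")
    if domain:
        domain = domain.lstrip(".").lower()
    return CookieInfo(
        name=name.strip(),
        set_by=set_by.lower(),
        domain=domain,
        # Without a lifetime the browser discards the cookie at end of session.
        persistent=("max-age" in attrs) or ("expires" in attrs),
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site_attr=attrs.get("samesite", "").capitalize(),
        third_party=not same_site(set_by, page_host),
    )


def summarize(headers: List[Tuple[str, str]], page_host: str) -> Dict[str, int]:
    """headers: (response_host, set_cookie_header) pairs seen while loading
    page_host. Returns the counts a privacy-minded reader cares about."""
    infos = [parse_set_cookie(h, host, page_host) for host, h in headers]
    return {
        "total": len(infos),
        "session": sum(not c.persistent for c in infos),
        "persistent": sum(c.persistent for c in infos),
        "third_party": sum(c.third_party for c in infos),
        # Third-party cookies with SameSite=None travel on cross-site requests,
        # which is what lets an ad network follow you between sites.
        "cross_site_trackers": sum(
            c.third_party and c.same_site_attr == "None" for c in infos),
        "missing_secure": sum(not c.secure for c in infos),
    }


# Constructed sample: a news page at www.example.co.uk embedding an ad network.
SAMPLE = [
    ("www.example.co.uk", "sort_order=date; Path=/"),
    ("www.example.co.uk", "session_id=abc123; Secure; HttpOnly; SameSite=Lax"),
    ("cdn.example.co.uk",
     "consent=1; Domain=.example.co.uk; Max-Age=31536000; Secure"),
    ("ads.tracker-example.net",
     "uid=9f8e7d; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; SameSite=None"),
    ("pixel.tracker-example.net", "seen=1"),
]

if __name__ == "__main__":
    for host, header in SAMPLE:
        print(parse_set_cookie(header, host, "www.example.co.uk"))
    print(summarize(SAMPLE, "www.example.co.uk"))
```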

In Google Chrome:


In Microsoft Edge:


There is a school of thought which says you’d be better off rejecting as much as you can when asked for what to allow, in conjunction with anti-tracking and ad-blocking addins. Some sites will still make you jump through multiple hoops to individually disable lots of options to effectively “Reject All”.


Some sites just won’t let you get by without either Accepting everything or paying for a subscription; your choices then are to accept their meddling oversight, pay their toll, or just not look at their pages.


#75: Mind your P@assw0rds


Be honest: when you sign up for some website, do you just use the same email address / password? If so, you’re not alone – around three-quarters of people reuse the same passwords, even though most know they really shouldn’t.

A CyberNews study of over 19 billion exposed passwords shows that many are weak and easy to guess, too – the most popular passwords for the last 15 years are, basically, “123456” and “password”. Some of the more high-profile security breaches have come about directly because of weak and compromised credentials.

ToW has talked about passwords a bit in the distant past – #620, #656 in the old days, and most recently, #33 – Securing your Microsoft Account (MSA). If you haven’t done so already, go right now to that last link and set up Multifactor Authentication (MFA) on your Microsoft Account.

Authenticator being Edged out

Like Google Chrome, Firefox and pretty much every modern browser, Microsoft’s Edge can offer to generate nice complex passwords for you. It also has a password store which can automatically fill your usernames & passwords next time you revisit websites, so you don’t need to remember them or write them down, and synchronise them between different devices logged in with the same ID.


In shock news bordering on marginal enshittification, Microsoft has decided to remove a useful component of the Authenticator app that it prefers to use for managing 2FA/MFA on its various types of logins.

Thus far, if you have Authenticator set up with your Microsoft Account or an Entra ID, you can sync your passwords from the PC and be able to review them in the app, just as you would by going to Settings / Passwords options in the desktop Edge browser (or entering edge://wallet/passwords into the address bar).


This means that it can be handy to find a username/password when you’re mobile, in case you need to enter it manually, but also it allows Authenticator to provide an “autofill service” for other apps on your device, not just web pages. When you get unceremoniously signed out of an app just because it’s been automatically updated, the autofill service can recover and re-enter your username and password.

It’s this bit that is being yanked from Authenticator – for reasons unknown, other than “Microsoft is streamlining autofill”. Maybe nobody uses it? Maybe Microsoft would prefer anyone who does use Edge on their PC and who wants to access passwords while mobile, to be compelled to use Edge on their Phone also?

Similarly, Payment info that is synced from browser to Authenticator will be removed in July 2025.


The workaround (other than moving to a completely different password management system) is indeed to switch autofill provider on your phone to use Edge instead (having first installed it and synced it with your ID, if you haven’t already). In mitigation, the mobile versions of the browser are pretty good, and if you do use Edge on the PC or Mac, it makes sense to sync stuff across to your phone as well.

The password autofill is pretty much indistinguishable when using Edge in place of Authenticator. The UX for password management, however, isn’t so good (go into mobile Edge, Settings, and look for Passwords) but maybe that’s the price of progress?

#35: Do you really need a VPN?


Before widespread internet access, companies would use modems and dial-up services so remote workers could access their internal network as normal, but connecting (slowly) over a phone line. As mobility and broadband became more pervasive, Virtual Private Networks (VPNs) provided a way of accessing data that is held within your place of work – or home, perhaps – when you’re out on the road, establishing an end-to-end secure link over the internet between you and the destination.

At the same time, many of the services we’d rely on moved fully online – like email, shared documents or even business applications, potentially hosted by a 3rd party like Salesforce, Dropbox, Workday or Microsoft. Each of those would be protected using an encrypted and authenticated SSL/TLS connection, just like any other secure website connection.

What do you still have in your home or in your business premises, which you’d need a VPN to access? For organisations with local services or apps, Microsoft has long championed an automatic VPN back to your company HQ, called DirectAccess, but that is now having the sun set on it in favour of a more modern Always On VPN. Many businesses now are all in the cloud, so have nothing internally to connect to – but even as a home user, there may be some relevance.

Securing the connection

When you link using a VPN, everything between you and the endpoint is encrypted through an established “tunnel”, and therefore invisible to the intervening points on the network.


The invisibility of what’s happening in the tunnel could be useful to the user, for example where there’s a policy denying access to certain websites; if you VPN (and that was allowed) then the network owner wouldn’t know what you were sending up and down the connection since it’s encrypted, and therefore might not be able to block your access.

The VPN model illustrated above has all your internet traffic going back to the VPN endpoint and then out onto the internet from there (so it looks to the website you’re accessing like you’re located wherever the VPN endpoint is). There’s generally a performance penalty in doing this since there are additional “hops” involved, and it also means that whatever you’re getting up to on the public internet will be happening through your company’s firewall or your own home router.

Some VPNs give you the option to split traffic, where it routes only certain data down the VPN tunnel, while everything else just goes out onto the internet from the hotel/airport etc network as usual. That reduces the load on the VPN endpoint and its network (since casual browsing traffic isn’t coming in and out, only stuff destined for the internal network it is attached to), and is a bit quicker for the user since they just get their public internet stuff done nearby.

Some companies – mostly VPN vendors or security consultancies, it must be said – would advise that every time you connect your laptop to a public WiFi network (as found in coffee shops, airports, hotels etc), then woe betide you if you don’t access everything through their subscription VPN service. Such services would say you should routinely connect to their endpoint (in whichever country you want) so that everything between you and their server is encrypted, and the local network provider to you has no clue what you’re doing.

NordVPN, probably the market leader for 3rd party services, pushes itself heavily through advertising and tie-ups with leading podcasts and credit card companies, etc.

Securing the connection is one thing; however, there’s still the small matter of being tracked in everything you do, and potentially having unwanted software downloaded, which a 3rd party VPN might not protect you from, so it’s no silver bullet.

If you don’t use a VPN and you’re accessing a shopping site or online banking, the network provider (eg the Hotel or airport) could see which URL you’re accessing, but since the first thing you’ll do in nearly every browser session is to establish a secure connection between your computer and their website, any prying networking provider would only see that you’re sending gobbledygook data back to a single address out there on the net.


There is a possibility of having a man-in-the-middle attack which steals your data through subterfuge, though there are numerous steps taken to prevent this. If you’re using a VPN then you’re protected, unless you’re unwittingly VPNed into the man in the middle directly, in which case, the whole game’s a bogey.

Pretending to be somewhere you’re not

Some VPN users will use them to appear that they are somewhere else – eg if you’re travelling but want to access a web service which is locked to a given region, like TV streaming services. Lots of Brits in America use VPNs to access the BBC’s iPlayer, for example. There is a “yes, I have a TV license” checkbox, but we all know how effective those kind of prompts are.

Since the traffic from the VPN device or service appears to be from whatever country it’s in, that might be used to circumvent geographic blockers. Streaming companies often have legitimate reasons to restrict access based on where you are (as opposed to just being greedy and horrible).

Since some VPNs are offering ways to not only defeat the geo-blocking, but potentially provide a way around password sharing restrictions, the arms race will continue where content providers will try to stop people using certain services and VPN services will get smarter at not being blocked.

Further reading

If you’re on the road and want to access stuff back in your home, your broadband router might even have a VPN service built in (though do take care that it’s not using out-of-date security standards). Another option could be to set up an endpoint with OpenVPN. If you have a Synology NAS appliance (and they are very good), you can enable the OpenVPN service relatively easily; see here.

Some other things to check out:

· Should You Use a VPN? – Consumer Reports

· Do I Really Need a VPN at Home? | PCMag

· Is a VPN really worth it? | Tom’s Guide (tomsguide.com)

So, back to the original question – do you really need a VPN?

Probably not. But maybe.

You be the judge.

663 – Optimize Edge start screen

Happy New Year! Do you have any resolutions that you’ve decided to follow, other than the usual (eat less, move more, try all you can to write 2023 instead of 2022)? How about cleansing your web browser start up screen to something more useful and/or less distracting?

With the Edge browser, the default New Tab Page (or NTP) presents a configurable and sometimes useful way to display information, however the source of news articles and the advertising that is shown alongside can sometimes be, er, challenging.

Clickbait

Third party advertising aggregators take sponsored content from an originator and present it as an advert. This presents a problem for the sites that choose to sell advertising space – in tiles mixed with legitimate sources in the likes of the NTP, or in chumbox “Recommended for You” type content at the bottom or side of articles.

Some of the ads often lead users to a site which will do more than try to sell them something – some try to get them to install browser addons, show faux review sites recommending dubious-at-best products, or fraudulently push get rich quick schemes and the like.

If the originator keeps foisting nonsense adverts with poor quality visuals and clickbait headlines through the aggregator, the content owner who relies on the revenue stream from the ads can complain and have it blocked – it doesn’t do their reputation any good if their site is littered with stupid adverts.

Ad blockers don’t work on the Edge new tab page, but you can report a dodgy ad by clicking the ellipsis on the top right of the tile. Or submit a report here. This is a whack-a-mole game in a modern sense, since even if the original is blocked they may just appear the next day on a different URL but with substantially the same garbage content.

If this kind of insidious spam drains your energy, there are things you can do to minimize or remove the nonsense, even without switching to a different browser.

Looking at the Edge NTP, if you are using a browser profile signed in with a Microsoft 365 account, you might see “Work” or similar in the Enterprise page; it’s extremely useful and quite customizable, and administrators could make Edge default to that tab. If users click on My Feed, they’ll get the same view as a non-Enterprise tab, and it will stick for that user on the next new tab.

You can customize the “My Feed” section by choosing to Personalise your content selection and how you want it laid out, but if you want to switch the whole lot off altogether then look on the settings cog on the top right.

Switching the clickbait off will mean you get a beautiful Bing image taking up most of the screen (click the double-headed arrow on the bottom right to find out what it is), with a search bar and some collapsible quick links tiles pointing to pinned or recently-used sites, and other subtle info points like weather or stock prices.


Replace NTP altogether

There is no option within Edge to set what the New Tab Page should be – it’s only possible to tweak the one that’s there already. Install a simple extension like Custom New Tab, however, and you can point it to any URL you like (a largely clickbait- and ad-free news source like Google News might be one choice, or a customized set of sources from something like Feedly). After installing and configuring, you’ll need to deal with Edge checking if you really want to replace the NTP and making sure that it’s not being subverted by some malicious code. Just say Yes.

A final nail in the NTP could be to just silence all the distractions by installing the Blank New Tab extension: that’s the equivalent of setting the new tab page to be about:blank.

If you’re still using Edge and have replaced the NTP with something else, yet feel like checking in on either your M365/Enterprise page or you’d like to outrage yourself over the stupid adverts polluting the “My Feed” section, just drop https://ntp.msn.com/edge/ntp?query=enterprise into the address bar to get the classic NTP experience.

645 – mobile ad blocking

It's always DNS

The internet just wouldn’t work without the magic that is the Domain Name System, or DNS. If you are not a networking guru, this service is effectively the index of internet hosts (not just websites but also anything else that offers a service on the net), and is used to find the actual address that your computer will connect to, using a name as the reference.

If you put www.bbc.co.uk into your browser, that means you want to connect to a machine called www which belongs to the domain bbc.co.uk, and an elaborate yet elegant system is used to figure out how to find that domain, get the address(es) of the actual host, and provide the info back to your device so you can connect to it and request information.

Being the one service to bind it all also means DNS is often the thing that brings everything to a halt, e.g. if your home router can’t connect to your ISP’s DNS server, then you’re basically unable to communicate with the rest of the world as you’d be unable to find anything (unless you hard-code your machine to use a different DNS, like CloudFlare’s 1.1.1.1 or Google’s 8.8.8.8).

Futzing about with DNS can sometimes bring benefits, though. One such is that for the many webpages which contain embedded adverts or clickbait links, if your browser is unable to connect to the source of the advert, then it might just not show the content at all. On desktop computers, you could use ad blocker browser extensions of all kinds, but on mobile devices your choices are a bit more limited.

If you rely on mobile apps like Google News or Microsoft Start, which show content within the app and have no ability to install 3rd party browser extensions, you may have to take more action to block out all the insidious and stupid adverts.

A true geek’s solution at home could be to set up a Pi-hole; a DNS server (traditionally targeted to run on a Raspberry Pi microcomputer, hence the name) which will filter out the garbage by deliberately blocking the URL-to-address resolution of thousands of known advertisers or clickbait providers. Great when you’re on the home network, but what about if on the move and connected to another network?

One possible solution here is to use a provider like NextDNS, which has been described as effectively running a Pi-hole in the cloud for you to use.

Free for up to 300,000 name resolutions (which sounds like a lot, but in reality, isn’t), it’s a snap to try out and if you sign up, you’ll be given simple instructions on how to plug it into your phone, tablet, desktop or even home router, so as to extend protection to every device connecting through that network.

DNS queries would be routed to the NextDNS service and if the requested host is from one of a plethora of blocked sites – not just ads, but known trackers, phishing links etc too – then it will simply return a dud response as if the site doesn’t exist.

Your app or browser will either show you an empty box, maybe an inline error frame, or it may silently move on and display nothing at all. Just one small victory!
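To show the mechanism in code, here is a miniature filtering resolver in the style of Pi-hole or NextDNS (an added example, not part of the original post nor code from either project): it loads a blocklist in the hosts-file layout those lists commonly use, blocks a queried name if it or any parent domain is listed, honours an allowlist for sites the filter would otherwise break, and answers blocked names with a sinkhole address instead of the real one. All list entries, hostnames and upstream answers are constructed; the addresses come from the 192.0.2.0/24 documentation range.

```python
"""Miniature DNS-level ad filter, added to illustrate the post.

The blocklist, allowlist and "upstream" answers are all constructed sample
data, not real lists or real addresses.
"""
from typing import Dict, Iterable, Iterator, Optional, Set

# Constructed sample in hosts-file layout; the address column is irrelevant
# to blocking, only the names matter.
SAMPLE_BLOCKLIST = """
# constructed sample list
0.0.0.0 ads.tracker-example.net
0.0.0.0 metrics.tracker-example.net
0.0.0.0 clickbait-example.com   # inline comment
127.0.0.1 localhost
"""

# Hosts-file boilerplate that must never be treated as an advertiser.
HOSTS_BOILERPLATE = {"localhost", "localhost.localdomain", "broadcasthost"}


def load_hosts_blocklist(text: str) -> Set[str]:
    """Return the set of domains named in a hosts-format blocklist."""
    domains: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:                        # blank or malformed line
            continue
        for host in fields[1:]:                    # a line may list several names
            host = host.lower().rstrip(".")
            if host not in HOSTS_BOILERPLATE:
                domains.add(host)
    return domains


def parent_domains(qname: str) -> Iterator[str]:
    """Yield the name and each of its parents: a.b.c -> a.b.c, b.c, c."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


class FilteringResolver:
    # The "dud" answer the post describes: an address nothing listens on.
    SINKHOLE = "0.0.0.0"

    def __init__(self, blocklist: Iterable[str], allowlist: Iterable[str],
                 upstream: Dict[str, str]) -> None:
        self.blocklist = set(blocklist)
        self.allowlist = set(allowlist)
        self.upstream = upstream   # stand-in for the real upstream resolver

    def is_blocked(self, qname: str) -> bool:
        # An allow-listed name (or parent) wins, so a broken site can be
        # un-broken without editing the blocklist itself.
        if any(d in self.allowlist for d in parent_domains(qname)):
            return False
        # A subdomain of a listed domain is blocked too, so cdn.ads.example
        # cannot slip past a list entry for ads.example.
        return any(d in self.blocklist for d in parent_domains(qname))

    def resolve(self, qname: str) -> Optional[str]:
        """Return the sinkhole for blocked names, the upstream answer for the
        rest, and None (the equivalent of NXDOMAIN) when upstream has nothing."""
        if self.is_blocked(qname):
            return self.SINKHOLE
        return self.upstream.get(qname.lower().rstrip("."))


# Constructed upstream answers (documentation-range addresses).
SAMPLE_UPSTREAM = {
    "www.news-example.org": "192.0.2.10",
    "cdn.clickbait-example.com": "192.0.2.20",
    "metrics.tracker-example.net": "192.0.2.30",
}

if __name__ == "__main__":
    resolver = FilteringResolver(load_hosts_blocklist(SAMPLE_BLOCKLIST),
                                 {"metrics.tracker-example.net"},
                                 SAMPLE_UPSTREAM)
    for name in ("www.news-example.org", "cdn.clickbait-example.com",
                 "ADS.tracker-example.net.", "metrics.tracker-example.net"):
        print(name, "->", resolver.resolve(name))
```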

Using a service like this – others are available – can be switched on or off quickly (in Android, it takes the form of a single switch to configure a Private DNS with a URL unique to your account), and works regardless of whether you’re on Wi-Fi or mobile connectivity.

#639 – Macros, Ghosts and GALs

Since the early days, Microsoft always kept an eye on what its competitors were doing. It was once de rigueur to produce “battlecards” which would show feature-by-feature how one product is better than its competitor, thus assuring the customer they should buy this one. Thankfully, times have mostly moved on to just building as good a product as possible and then letting customers and the markets decide – sometimes, products get improved and honed over time to be the best out there, and sometimes they get dispatched to the boneyard as times move on.

In the late 1990s, Office and Exchange (and later, SharePoint) Server were seen as Microsoft’s entrants into the burgeoning “Groupware” market, which became subsumed into “Knowledge Management” c2000. Key competitors to Exchange & Outlook were Lotus Notes and Novell GroupWise, both of which came from being collab tools and gained email functions. Notes was arguably much more mature and feature rich even if the UI was sometimes clunky; GroupWise was much leaner but found a niche in several industries. Amazingly, GroupWise is still a thing and Notes evolved first into IBM Notes/Domino and was eventually sold off to now be HCL Notes and HCL Domino.

One of the early moves Microsoft made to elevate Office apps to more than just writing documents, was to try to make the docs more capable through adding Macros, and later, Visual Basic for Applications. This allowed a moderately skilful user to dabble in programming to make smarter applications centered around documents; what seemed like a good idea at the time unwittingly unleashed a wave of malware, where bad actors wrote macros to do undesirable things. Following the “Melissa” worm in 1999, Office stopped Macros running without asking the user for permission. Using Macros for anything more than tinkering never really took off.


Macros disabled entirely

Microsoft announced in February 2022 that all Office Macros in content received online would be disabled completely; this was temporarily rolled back in some test builds for some changes to be made in how it works, but for many, the warning will still be there if you open a Macro-enabled file that you’ve downloaded or been sent.

There are still some very useful Office macros out there, and if you do need to run one that you know is from a trustworthy source, there is a workaround – save the file to your PC locally, then right-click on it to look at the file’s properties, tick the “Unblock” option and apply that. You’ll now be able to choose to run the macro unencumbered.

One such handy macro was discussed back in December 2021 in ToW 611, and is used to find Ghost meetings – ie ones you have arranged but everyone has declined (or at least not accepted). The macro spins through all future meetings in your calendar and lists the ones you’ve organised but where you’re likely to be the only attendee who shows up. Particularly useful at this time of year if lots of people are about to take time off over the summer, and may have declined a few recurring meetings but you – as organiser – still have them in your calendar.


For the latest version of the macro, download the ZIP file to your machine and expand it (or just copy the XLSM file that’s within and put it somewhere else), do the property Unblock thing as above, open in Excel, click the button to allow content, then the Scan Calendar button and you’re all set. You still need to go into Outlook and look at the appropriate date then decide if you want to cancel those meetings or not.

Another more powerful macro – though a little more esoteric – is one which does bulk resolution against the Global Address List, so if you give it a list of display names and/or alias names, it will show the full name, title, department, office, email, and alias name of that person. Handy if you want to get the full details of everyone who is going to attend a meeting, but if you just have a longish list of names then you could just paste them in and see how it goes. This was covered back in ToW 575. One usage scenario recently was to estimate the number of people who were attending a group meeting, but were based at other offices and would therefore need accommodation.

Here’s an example output of over 500 names who were invited to a large meeting; by just providing their display names in column A, it took the sheet about 30 seconds to complete, with 10 identified as distribution lists and 50 unknowns who couldn’t be resolved, either because they were no longer in the GAL or because there was more than one possible match for the name.


If you can manually find the unknown person/people in the GAL, then get their alias name and paste that into column 1 instead of the ambiguous display name, then try to run it again.

634 – M’aidez, m’aidez

The internationally recognized distress signal “May-day!”, as used by pilots heading for trouble among other scenarios, was chosen as an anglicisation of the French “m’aidez”, or “help me”, due to difficulties of understanding other terms over poor quality radio.

With much less serious consequences, those of us with a technical bent might often be asked to help family or friends who have problems with their computer, and may turn to remotely taking over their machine – from desktop sharing in Teams or Skype, to using software that should be simpler for the technologically challenged to initiate so you can help them out.

TeamViewer is one such bit of software that’s relatively easy to install and configure, so it’s unfortunately a fave of the scammers who prey on vulnerable people by phoning them up and warning that Microsoft has detected a problem with their computer, and they need to get help to fix it.

Microsoft will never proactively reach out to you to provide unsolicited PC or technical support.

If you do want to get or give help from a Windows PC, a venerable in-box inclusion called Quick Assist could be worth a look – it has recently been updated and is delivered via the Microsoft Store, which now has support for any Windows app and not just UWP and PWA. More on that announcement from Build, here.

The gist with Quick Assist is that, over the phone, you could talk your victim friend through the process to start it up (Start -> type assist ENTER), then you do the same. The first screen gives an option to enter a code provided, or if you are the one doing the remote assisting, click the button to Assist another person, and you’ll be given a time-limited alphanumeric code to provide to the other party.

They type this in to the dialog on their end, and a secure connection is established, whereupon they can choose to share their screen in view-only mode, or they can offer to give you control.

After a couple of prompts to validate that this is really what they want to do, you would see the recipient’s desktop in a window and have a variety of control icons around it, like a short cut to run Task Manager on their machine, shut it down or send messages back and forth between both of you. Unfortunately, the chat history is not preserved but it’s a good enough way to give short instructions.


620 – Change your P@ssw0rd!

Bad Actors are all over the internet (not just in your local multiplex), mostly aiming to gain access to data and systems for nefarious purposes, though sometimes they try to do good. Data breaches generally start with the weakest link in the chain: PEBKAC, in other words, It’s Your Problem.

Identity protection company SpyCloud reports that more than two-thirds of passwords which have been breached online are still in use and most users still have the same username and password combo across multiple accounts. If you want to keep your own personal identity and data safe, it’s job #1 to make sure you have unique passwords for each website you use, and that the passwords are not made up of guessable words or phrases.

The Edge browser gives you some tools to manage your passwords better – look for the Password Generator, or the drop-down Suggest strong password option, when you’re registering a new sign-in, and it will generate a long and complex password, stored in your account so in future you can be automatically signed in.

Some sites don’t trigger the password generator or suggestion – perhaps due to how they describe or display the password field(s) – so another option is to use a browser extension like btPass; numerous others are available. It simply drops an icon on the browser toolbar and will show a password of varying complexity and length, which can be quickly copied to the clipboard and pasted into password fields. Since some sites don’t like special characters in the password, you can tweak or edit the text it creates.

Security software company F-Secure has launched a free online password generator, if you’d prefer to create your secrets that way.

The Manage passwords option seen in some password drop-downs – also available from the settings menu or by entering edge://settings/passwords into the address bar – gives access to Password Monitor, which warns you if passwords you have saved are known to have been breached, and can display a list of the sites where your previously-set password has been found in a trove of hacked accounts.

You can quickly check the password used and decide to visit the page to change it – assuming the site still exists – or simply ignore it (on the assumption that you’ll be cleaning up and not using the compromised passwords on any sites you still want to actually visit).

If you install Microsoft Authenticator on your phone and sign in with the same account as you use in your browser, the saved passwords will be available through Authenticator too – so having very complex passwords should be no barrier to usability any more.