Net Neutrality FCC vs. FTC

Net Neutrality is an emotional subject. It sounds like it is about equality and liberty for all, but that’s a simplification. At its foundation, this is not about “equality”; it is about which federal agency regulates the Internet: the FCC or the FTC. Read this post and I hope it will bring some clarity to the discussion, and help the folks on both sides of this polarized topic realize that they have more in common than they thought – keep the internet free!

The view of Net Neutrality proponents is that internet service providers (e.g. Comcast, AT&T) are in the business of delivering internet bits to and from users, and that any filtering of these bits, or preference of some bits over other bits, goes against the God-given foundation of the US of A. This is ‘Merica! Don’t mess with my internet! Why then would anyone be interested in repealing Net Neutrality?

Some background on pricing

As home users, we pay a monthly fee and stream all we want. The ISPs average usage out over time and make sure they have the ability to deliver the bandwidth that their customers demand, and you get charged to make all this happen. Upstream of your immediate ISP, it's more complicated.

Upstream of Comcast/AT&T, the Internet is a world of interconnected networks, big networks, with peering agreements. The Internet is not a network, it is a network of networks. We take it for granted that a user on AT&T U-verse can communicate with a user on Comcast, but this would not happen if those companies – and the other companies between them – did not have peering agreements to move bits to/from their major networks. (I just checked, there are 13 networks between my house and www.comcast.net.) Technically that is a count of routers, and there can be more than one inside each ISP along the way, but the point is that there are multiple layers of network providers between any of us as home users and the big content providers. They work to keep this path short, but the layers must exist for the internet to scale to the number of users it supports.

All of this network-of-networks traffic ultimately funnels to a set of backbone networks which tie all the networks together. This backbone was originally funded by the US National Science Foundation (NSFNET, decommissioned in 1995) and is now run by commercial carriers, and the data throughput is staggering.

In these big networks, network inter-connection is “free” so long as the number of bits in is roughly equal to the number of bits out. This was one of the foundation principles defining the network of inter-connected networks that we call the internet. Everyone would like to connect to it because there is mutual benefit for all parties. This works so long as producers and consumers of bits are roughly random – it balances out. By contrast, consider what happens when the numbers are not 50/50. Here, if you SEND more than you receive, you pay the downstream party for the bits you send in excess of the bits you receive.

Enter the modern world of video delivery. There are multiple downstream networks from Netflix, yet the cost of sending Netflix's bits gets REPEATED at every downstream network, and Netflix only pays the first… The issue is that some companies have very successfully figured out that they can get into the video delivery business over the internet and OTHER companies, downstream of them, will be forced to PAY to deliver their content. This is nothing short of a genius move! Netflix gets other companies to pay to deliver the content and the consumers pay Netflix. SMART! The ISPs in the middle are not happy with this arrangement and so we get calls to repeal net neutrality! Bottom line, they want to be paid. They want to be paid by Netflix, but if they can’t get that, they’ll get it out of the consumers with nickel, dime and dollar additions to bills.

Caching comes into play. The Netflix video library seems infinite, but it’s a finite number. ISPs CAN cache the whole thing and if they do, the ISP no longer has to pay the upstream internet providers for sending the hugely redundant bits. Netflix has caching servers it can install at ISPs to make this easier. ISPs almost surely also expect to be paid for hosting the caching servers in their data centers. Netflix likely expects them to do it for near free, as a caching service paid for by the fees the ISP would otherwise owe the upstream network providers.

Then this multiplies by the number of companies in the video delivery business. ISPs end up with 100s of caching servers scattered around the country for EVERY video delivery company; multiply that by 100s of video companies and it equals real costs. The video delivery companies that are not cached are now pissed because they are being discriminated against. You cache Netflix, but not me! Netflix comes in high fidelity and my service is throttled! We want equality! It’s illegal! It’s anti-competitive. Notice I’m not talking about outright discrimination here, this is just the way it plays out when attempts are made to make it efficient for the big players.

For the folks wanting to repeal Net Neutrality, the grand question of the present debate is not one of equality for everyone, the question is one of fair business practices and anti-trust. Are the actions by the ISP monopolistic? Are contracts with up-stream providers “fair”? The Net Neutrality proponents want a non-filtered internet. Notice that the two groups do not really want different things, and though everyone appears to not get along, many are motivated by the same goal: keep the internet free!

With Net Neutrality now repealed, the internet does not revert to a place for ISPs to perform evil. It goes back to the world of 2 years ago, where the FTC was in charge instead of the FCC. Is the FTC more hands off? Possibly – but anti-competition rules apply even more strongly at the FTC, so the fears of doom with the repeal do not seem well founded.

Keeping the internet free
For me, the present course is good – but not for any of the above reasons. I am more interested in the 1994 CALEA law (Communications Assistance for Law Enforcement Act) and whether it continues to exempt computers and networks from the CALEA requirements for real-time, remote wiretaps. Putting the internet in the dominion of the FCC makes it seem more like a “phone”. If the internet is regulated by the FTC rather than the FCC, this puts the internet further away from common carrier and IMO is GREAT for civil liberties. We’ll have to wait and see if the courts and laws agree.

I wrote the foundation of this on facebook a few days ago and it received a good deal of interest.  Moved it here to make it a bit easier to read. Let me know your thoughts.

Joe Nord

Originally posted Dec 20, 2017

Comment from: joe Member

9th Circuit Court of Appeals today allows FCC case against AT&T for “unfair or deceptive acts or practices” regarding throttling of “unlimited” data plan to proceed.

02/26/18 @ 07:13 pm

Audio WAV file format

The RIFF (.wav) file format has been around unchanged since the early 1990s and is still in common use today. It goes back to a time when CD audio formats were king, and RIFF .wav follows the Red Book convention pretty closely, with the change that the number of channels, bits per sample and samples per second can vary as described in the file header.

As an example file, I have selected TADA.WAV from Windows 10, \windows\media\tada.wav. This file is 285,228 bytes; the important part is in the first 44 bytes shown here.

* OFFSET +0       +4         +8       +C
00000000 52494646 245A0400 - 57415645 666D7420 *RIFF$Z..WAVEfmt *
00000010 10000000 01000200 - 44AC0000 10B10200 *........D¬...±..*
00000020 04001000 64617461 - 005A0400 00000000 *....data.Z......*

The first thing to notice is that .wav files, and indeed all RIFF files, always have “RIFF” as the first 4 characters. RIFF is “Resource Interchange File Format” and in the formatting of file data, RIFF refers to everything as “chunks”. A chunk is a collection of data that starts with a 4 character code identifier and is followed by a 32-bit length, which is the amount of data in the chunk not including the 8-byte chunk header. These and all numbers in RIFF are stored little endian. The data of the outermost RIFF chunk begins with a 4 character form type, “WAVE” here, immediately after the RIFF header. Chunk sizes are usually even, but where a size is odd the parser looks for the next chunk at the even address following. That is, chunks are padded to an even size, and the pad byte is not counted in the length.

The RIFF chunk is at the start of the file, and for TADA.wav the size bytes read 24 5A 04 00 in the dump, which as a little endian value is 0x00045A24, or 285,220 in decimal. The total file size equals the size of the RIFF chunk plus the 8 bytes of the RIFF chunk header, and for TADA.wav these add up and match.

  • Filesize = 285,228 = 8 + 285,220

Next we dig into the sub-chunks of the RIFF chunk.  The RIFF chunk contains other chunks as its data.

Right away we see “WAVE”. This is a .WAV file! We knew that from the file extension, but now we really know it.

“WAVE” identifies the start of wave formatted data. A “fmt ” chunk must appear before the audio data, and in practice it immediately follows WAVE – yes, that is a space at the end. Four character codes always have 4 characters even if the code is only 3 characters; the code is padded with a space. Four character codes are plain ASCII text (not UNICODE) with no line feeds. The format chunk says the format of the data.

The format chunk for this file dissected is…

Field             Bytes in dump  Little endian value    Meaning
Chunk ID          666D7420       “fmt ”                 format chunk, 4 character code
Chunk size        10000000       0x00000010 = 16        16 bytes of format data follow
Format tag        0100           0x0001 = 1             PCM
Channels          0200           0x0002 = 2             stereo
Samples/second    44AC0000       0x0000AC44 = 44,100    CD audio sample rate
Bytes/second      10B10200       0x0002B110 = 176,400   44,100 × 2 channels × 2 bytes
Block align       0400           0x0004 = 4             bytes per sample frame (all channels of one sample)
Bits/sample       1000           0x0010 = 16            16-bit samples

PCM (format “1”) is the most common value for format. There are a number of other formats defined, primarily for compressed audio, and these include Microsoft ADPCM as “2” and ITU G.711 A-law and µ-law as 6 and 7. It is entirely possible that a “valid” wav file is handed to an audio player that will report that it has been given an audio format it does not understand, or that no audio device in the machine knows how to render that format. PCM is the most common audio format in .wav and PCM is “Pulse Code Modulation”, which is sound pressure levels measured by an analog to digital converter and stored into memory or file with no compression.

After the format chunk is USUALLY the “data” chunk. For TADA.wav this is true, and the data chunk header starts at offset 0x24 with the following contents.

Field        Bytes in dump    Little endian value    Meaning
Chunk ID     64617461         “data”                 PCM data chunk, 4 character code
Chunk size   005A0400         0x00045A00 = 285,184   bytes of PCM data that follow
Data         (285,184 bytes)                         PCM samples, starting at offset 0x2C

Since the data chunk header starts at offset 0x24 (36 decimal), we can add 36 plus the size of the chunk header (8) plus 285,184 (data size) to find the start of the first chunk beyond the data. Add those up: 36 + 8 + 285,184 = 285,228, which is the size of the file, so there is nothing after the data and parsing is complete.

Everything inside the data chunk is PCM formatted data. In this case, 16 bits per sample, stereo, at 44,100 samples per second. This is CD audio format, stored in a WAV file.

The first PCM sample frame starts at offset 0x2C and it is 00000000. Notice that a frame is the collection of the left and right channel samples, and its size equals the block alignment (4 bytes). By convention, the left channel comes at the lower address, which in this example is the 16 bits (2 bytes) at 0x2C, equal to 0x0000, and the right channel is 2 bytes later at 0x2E and is also 0x0000. For PCM, 16 bit audio data is stored little endian (Intel format).

  • 16-bit PCM data is “signed” and zero represents silence (no sound pressure)
  • 8 bit PCM data is “unsigned” and the half way point at 0x80 represents silence (no sound pressure)

With a little bit of programming, you can plot this out and see sound waves, even sine waves if you look at a file holding a pure tone.

RIFF includes additional chunk definitions, and if a parser encounters a chunk type it does not understand it should skip it and continue at the next chunk, located using the chunk length. That length comes from the file, so a parser should check it against the bytes remaining before trusting it; a declared size larger than the rest of the file means a truncated or malformed file, not a chunk to read. Some wav file editors include provisions for adding copyright text, for example. Looking at the TADA.wav shipped with Windows, this is not present.
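The chunk walk described above, as an added Python example written for this post (it is not code from the original page): it checks the RIFF size against the file size, decodes the “fmt ” fields, locates “data”, skips unknown chunks by their declared length while honouring the even-padding rule, and decodes 16-bit signed little endian sample frames, including the file bytes 07 FF → -249 case that comes up in the comments below. TADA.WAV itself is 285,228 bytes and is not embedded; instead build_sample_wav() constructs an in-memory file that reuses TADA's “fmt ” values (PCM, stereo, 44,100 samples/second, 16-bit) with a 3-byte unknown chunk and three sample frames. Chunk sizes are read from the file and so are untrusted: every size is checked against the bytes remaining before anything is read, and corrupt_data_size() shows that check rejecting a data chunk that claims more than the file holds.

```python
import struct

# Format tags named in the post (WAVE_FORMAT_* values).
FORMAT_NAMES = {1: "PCM", 2: "Microsoft ADPCM", 6: "G.711 A-law", 7: "G.711 mu-law"}


class WavError(ValueError):
    """Raised when the bytes are not a well-formed RIFF/WAVE file."""


def iter_chunks(buf, start, end):
    """Yield (fourcc, payload_offset, size) for each chunk in buf[start:end].
    Sizes come from the file and are untrusted: a chunk claiming more bytes than
    remain is rejected instead of being read past the end of the buffer."""
    pos = start
    while pos < end:
        if end - pos < 8:
            raise WavError("truncated chunk header at offset %#x" % pos)
        fourcc = buf[pos:pos + 4]
        size, = struct.unpack_from("<I", buf, pos + 4)
        payload = pos + 8
        if size > end - payload:
            raise WavError("chunk %r at %#x claims %d bytes, only %d remain"
                           % (fourcc, pos, size, end - payload))
        yield fourcc, payload, size
        pos = payload + size + (size & 1)  # odd sizes are padded to the next even offset


def parse_wav(buf):
    """Return the RIFF size, the chunk list, the decoded "fmt " fields and the data span."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"WAVE":
        raise WavError("not a RIFF/WAVE file")
    riff_size, = struct.unpack_from("<I", buf, 4)
    if riff_size + 8 != len(buf):  # the check the post does by hand: 285,220 + 8 = 285,228
        raise WavError("RIFF size %d + 8 != file size %d" % (riff_size, len(buf)))
    info = {"riff_size": riff_size, "chunks": [], "fmt": None, "data_offset": None, "data_size": None}
    for fourcc, payload, size in iter_chunks(buf, 12, len(buf)):
        info["chunks"].append((fourcc.decode("ascii", "replace"), payload - 8, size))
        if fourcc == b"fmt ":
            if size < 16:
                raise WavError("fmt chunk too short")
            tag, ch, rate, byte_rate, align, bits = struct.unpack_from("<HHIIHH", buf, payload)
            info["fmt"] = {"format_tag": tag, "format": FORMAT_NAMES.get(tag, "unknown (%d)" % tag),
                           "channels": ch, "sample_rate": rate, "byte_rate": byte_rate,
                           "block_align": align, "bits_per_sample": bits}
        elif fourcc == b"data":
            info["data_offset"], info["data_size"] = payload, size
        # any other chunk (LIST, fact, ...) is skipped using its declared length
    if info["fmt"] is None or info["data_offset"] is None:
        raise WavError("missing fmt or data chunk")
    return info


def is_wellformed(buf):
    """True if parse_wav accepts buf, False if it raises WavError."""
    try:
        parse_wav(buf)
        return True
    except WavError:
        return False


def pcm16_le_to_int(lo, hi):
    """Decode one 16-bit signed sample from its two bytes in file order (low byte first).
    File bytes 07 FF are the value 0xFF07; the top bit is set, so two's complement gives -249."""
    return struct.unpack("<h", bytes((lo, hi)))[0]


def first_frames(buf, info, count):
    """Up to `count` frames from the data chunk as tuples of signed ints, left channel first (16-bit PCM only)."""
    fmt = info["fmt"]
    if fmt["format_tag"] != 1 or fmt["bits_per_sample"] != 16:
        raise WavError("only 16-bit PCM is decoded here")
    frame = fmt["block_align"]
    n = min(count, info["data_size"] // frame)
    return [struct.unpack_from("<%dh" % fmt["channels"], buf, info["data_offset"] + i * frame)
            for i in range(n)]


def build_sample_wav():
    """Constructed input, not TADA.WAV: TADA's "fmt " values, an odd-sized unknown chunk, three stereo frames."""
    fmt = struct.pack("<HHIIHH", 1, 2, 44100, 176400, 4, 16)
    junk = b"abc"  # 3 bytes: one pad byte must follow
    frames = struct.pack("<6h", 0, 0, -249, 1000, 32767, -32768)
    body = (b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"junk" + struct.pack("<I", len(junk)) + junk + b"\x00"
            + b"data" + struct.pack("<I", len(frames)) + frames)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def corrupt_data_size(buf, new_size):
    """Copy of buf whose data chunk claims new_size bytes (shows the bounds check firing)."""
    off = parse_wav(buf)["data_offset"] - 4
    return buf[:off] + struct.pack("<I", new_size) + buf[off + 4:]


if __name__ == "__main__":
    wav = build_sample_wav()
    info = parse_wav(wav)
    print(info["fmt"])
    print(info["chunks"])  # [('fmt ', 12, 16), ('junk', 36, 3), ('data', 48, 12)]
    print(first_frames(wav, info, 3))  # [(0, 0), (-249, 1000), (32767, -32768)]
    print(is_wellformed(corrupt_data_size(wav, 10 ** 6)))  # False
```

To run it against the real file, read \windows\media\tada.wav into bytes and pass it to parse_wav(); the RIFF size check will pass with 285,220 + 8 = 285,228 and the data chunk will be reported at offset 0x24 with 285,184 bytes.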

Joe Nord

Originally posted Oct 27 2017


Comment from: Jake Visitor

Your text says 16-bit PCM data is “signed”. So, for example, looking at one channel of a 16-bit stereo PCM file, and let's say I had two bytes (little endian) that were “07 FF” hex. I would reverse these two to get “FF 07” which would be 65527 in decimal. If it is “signed”, would not the max be +32768? I am confused as to how it is changed to signed.

11/25/17 @ 04:49 pm

Comment from: joe Member

> “FF 07” which would be 65527
Close! FF 07 is -249. This is pretty close to zero on a 15 bit scale which means reasonably close to quiet. By 15-bit scale, I mean 15-bits of positive numbers and 15-bits of negative numbers. The top bit is “sign”.

> I am confused as to how it is changed to signed.
The sign bit (most significant bit) is a 1 (negative) so that requires a bit more work.
Answer: 2’s complement the data to find out how negative it is. How far is the value away from 0.

1) Reverse all the bits. FF 07 becomes 00F8.
2) Add 1. 00F8 + 1 = 00F9
3) Convert to decimal. F = 15. 15*16 = 240. 240 + 9 = 249
4) Change the sign. -249

Windows instant select audio device

When your computer has more than 1 sound card, you may find it cumbersome to change audio devices. The standard method requires going through the Control Panel or the Settings application, a process of multiple dialogs and multiple clicks. There is a better way.

Whether you run the Control Panel on Windows 7 or go via the Settings application on Windows 10, there are multiple steps required to get to the audio device selection, and all end up at the same control panel dialog.

Two ways to get to the control panel application that sets the default audio playback and record devices:

  1. Start / Control Panel / Hardware and Sound / Sound (This is the Windows 7/8 method)
  2. Start / Settings (type “sound”) / Manage audio devices (This is the Windows 10 Universal app method)

Both of the above take you to EXACTLY the same control panel application.  

Bring up Process Explorer from Sysinternals and it shows that the control panel task is really the rundll32.exe application, with a parameter telling it to load and run the DLL which is the control panel sound device manager.

Command line:

“C:\WINDOWS\system32\rundll32.exe” C:\WINDOWS\system32\shell32.dll,Control_RunDLL C:\WINDOWS\System32\mmsys.cpl ,

Not sure why that last comma is there, but this is all the information we need to short circuit the long steps to get to the sound device selection dialog. Put that string into the clipboard. Run a command prompt, paste, enter, voilà, sound device selection dialog. BUT – I don’t want to use a command prompt to make this happen.

Instead, create a “shortcut” on the desktop to point to rundll32.exe as the executable program, with parameter of everything after the program name above.

Here are the steps in detail. Point at anywhere on the desktop with no icon or program.

  • Right mouse button, new, shortcut 

Click Browse and select This PC, C:, Windows\System32\rundll32.exe.

This will fill in the “Type the location of the item” textbox.

The name of the executable is in place; append to the line the additional parameters that tell it which DLL to load and execute.

  • C:\WINDOWS\system32\shell32.dll,Control_RunDLL C:\WINDOWS\System32\mmsys.cpl

Notice I omitted the comma at the end. Keeping the full C:\WINDOWS\system32 paths for both rundll32.exe and the DLLs, rather than bare file names, means the shortcut does not depend on the PATH search order to find the right binaries. When done, the Create Shortcut dialog looks like the one below.

The last step is to give it a name. I chose “Sound”. That is, change rundll32.exe to “Sound”.

Save, then double click the icon on the desktop, and INSTANT control panel access to setting the default output device.

To make it prettier, set an icon.  Go back in (point at the icon, right mouse button, properties) and set the icon via “Change icon”.  Find one that looks about right and done…

Joe Nord

Originally posted Oct 27 2017

Comment from: Martin Visitor

Hi, thank you! Exactly what I was looking for! It’s perfect. 03/27/19 @ 07:08 pm

Skype for business audio with more than 1 audio device

My primary desktop computer has an integrated audio device on the system board and a USB attached Blue Yeti microphone. Great mic, it makes me sound good on online meetings and that’s a win. The Yeti, in addition to being a high quality microphone, also has a headphone jack underneath, which has a very high quality DAC and permits great music playback as well as the ability to hear yourself when you talk in online meetings. In my view, that last part is kind of not needed, but it is there, and if you mute the microphone you can listen to music without hearing yourself type. With two audio devices in the machine, Windows allows easy selection of the default audio device for playback and the default audio device for recording and, as you may guess, my configuration is to use the Yeti microphone for recording and the system speakers for playback. Now, add Skype for Business audio conferencing and you’ll find that when using the Yeti as microphone, Skype absolutely INSISTS on using the headphone audio connection on the Yeti as the audio playback device – a device which normally has nothing plugged in. The result is that when you join meetings, the audience can hear you, but you cannot hear them.

I struggled with this for a bit, using phones to dial into meetings.  I have since found the configuration screens to tell Skype to use the system speakers for conferencing.  

  • You will sound better when using headphones!

Yes, I probably would – if I had headphones.  I don’t!  I have a very high end microphone connected via USB and that isn’t headphones.  I do not want to use the audio output of the Yeti for speaker/headphone connection, I want to use the system speakers.

When on a call, these two configurations will change the audio output device.

In Skype options, you can set the default audio device for Skype using this screen.

Joe Nord

Originally posted Oct 27 2017

Comment from: Neil McDonnell Visitor

Thank you! I do a lot of recording and podcasts, and recently this issue impacted me deeply. Hours of search found you and two seconds later the problem was resolved. 🙂 Thanks! Neil McDonnell

01/21/18 @ 08:39 pm

Hurricane preparation boats on canals

A hurricane is approaching, you live on the water with a canal behind the house: does the boat go in the water or stay on the lift? With the experience of Hurricane Irma just completed, I can answer this question: put the boat in the water.

A better answer is “get the boat out of the water, onto a trailer and drive away”. That isn’t possible in all cases, especially for larger boats, and I will add that if you think you did well and found a trailer before the storm, you will come home to find the canal already closed off with neighbors tying off a couple of days before storm arrival.

Here in Lighthouse Point (Broward County, Fort Lauderdale, FL), we just experienced Hurricane Irma. A pretty good wind here, nothing like the Keys, but winds at hurricane strength for 6 or more hours. We are a couple thousand feet from the ocean, but the barrier island of Hillsboro Mile protects us from the ocean. The Hillsboro Inlet is less than 1 mile away. I have two boats to report on and both made it through the storm with no damage, one in the canal and a smaller boat on the side of the house on a trailer.

First boat, 1995 Mako 22.1-B center console with T-Top which spends most of its time on an “L” lift rated for more than twice its weight.

For smaller hurricanes, I have left the boat on the lift successfully. I tied the boat to the lift and tied lines fore and aft to pilings far away to keep the boat from swaying and potentially twisting the lift in directions where it is not designed to take high stress. This worked, but Irma looked more like a “3” than a “1” – this time I put the boat in the water and it was a good call.

Side note is that, oh I do WISH this lift were a 4 post. An L-lift is what I have and as I will show later in this post, they don’t fare as well as 4 post. The lateral sway fore and aft breaks “L” lifts and I’ll show a photo of another boat in the city that had this problem with Irma. Look as I could, I could find no example of a boat on a 4 post lift failing in this storm – at least here where we probably experienced cat 2..3 level damage.

Ropes, line and rode

You’re going to need lots of rope. Find it in the garage, find it in the anchor well, you will never find it at the store unless you thought about this months ahead. Liberate the anchor lines of your primary anchor and all the spares. Turns out the chains are useful. The boat needs to be in a spider pattern in the middle of canal and this will require all of your lines; MORE is better.

Replaced the bow eye and rear tie down cleats

About a year ago, the bow eye on this 20 year old boat was missing. When did it go away? Bottom line, it was “missing”, which means it failed and wasn’t as strong as one might think. I had to replace the bow eye and when I replaced that on the bow, I also replaced the other 2 in the stern. Inspection says that the stainless steel had corroded from the inside through; all 3 were weak. The one on the front was missing and one of the two from the stern broke during removal. That isn’t supposed to happen! Good news for this storm, I had recently replaced all 3 of the U bolts and all 3 are again strong – I used them as primary attach points for lines from the dock.

Spread the load

While the towing U bolts are strong, there is not enough area there to tie things to. A solution is to string ropes through the U bolts and then bring them up to the docking cleats on the top of the boat. Instead of that, I built three (3) 3 to 4 foot long ropes out of very heavy 3/4 inch line to attach to the towing eyes: galvanized shackles on one end attached to the boat, and on the other end a large braided polypropylene eye to attach lines to and through. This also has the advantage that everywhere something is connected to the boat is underwater during the storm, which should keep it cool and help the lines survive periods of high load. It has the disadvantage that if the shackle or U bolt fails, the lines will go free with no top side cleat to try to hold on.

On the front, the trailer eye is hard to get to, so I used a large hook with a spring lock and here used a metal eye on the water end – lines connect using shackles, as exist on anchor lines with the anchor removed. On some, I used anchor lines on shore with the chain in a loop around the piling – that worked very well.

The canal faces east – there are 2 lines to shore on both the front and the rear of the boat and, for bonus points, a pair of north/south (side) lines to keep the boat from getting too close to the shore. If all goes as planned, these side lines never take a load. Also, with Irma, the weather forecast said the strongest winds would be from the south, so I added an extra set of lines from the boat's right rear U bolt to a separate piling on the shore. Both lines would have to fail to send the boat wandering.

When done, the boat looks like this in the canal. Most of the front line attachments are not visible – they are all underwater.

A nice photo, observe it also has a different boat on a lift to the left and a jet ski on a floating dock on the far side. BOTH also survived the storm though the floating dock was doing a backward wheelie at highest part of storm tide with its nose held under the seawall.

Most of the lines were sent from the boat to shore, around a piling and then back to the boat. This made it possible to adjust line length from the boat to all shore attach points. I note that it also means that when you get done adjusting all the lines you have to SWIM to shore! I have seen people make the mistake of trying to keep the boat off the dock but close enough to make the jump. No! Put the boat in the middle and swim in.

To do better, each line from shore to boat should be a distinct line so that one failure would not allow the doubled line to unwind. It didn’t matter, everything held. Also, advice from many says that the lines need to be tied DOWN to the dock so they do not get pulled above the piling. I used small ropes and bowline knots to keep the lines near the bottom of the piling, allowing the lines to slide but keeping them held down on the pilings. This worked out to be extra prep with no return because the water never got high enough for it to matter.

As predicted on the news, the water did get high though. Not like a direct hit, keys style high, but higher than I have ever seen it before at this location. It got about 6 inches above the level in the photo below. The boat was not troubled and found the windy day to be similar to a pretty ordinary day in the ocean. There was lots of mess to clean up, but no damage.

My immediate neighbors didn’t have any issues. Boats on lifts, boats in water, all fine. Further down the canal, there was damage. Below is a picture of a large sailboat that was tied off the dock, but not far enough to allow the lines to stretch. Both boat and dock suffered damage – a serious eroding of the piling can be seen in this picture.

A few canals away was an example of a boat on an L-lift where the lift failed. It looks like lateral movement on the “L” lift caused 1/2 of the lift to fail, tossing the boat into the water during the storm. The boat survived, with damage. In this case, the boat from the L-lift was at the end of the canal and tying up “to the street” where I stood taking this picture would have been pretty easy. The majority of the wind would have blown “away”, making a pretty good case for “put it in the water”. To note though, the trees on shore were blown down so it would have taken some work to find a good place to tie on.

Leaving boats on floating lifts was also a losing proposition. When the water rises higher than the floating lift can ascend, the boat takes a dip. Answer: put the small boat on a trailer or put the boat in the water. Observe that the floating dock rose, damaged the dock, then the water receded with the floating lift stuck to the dock, putting the back end of the boat into the water.

I have a Boston Whaler very similar to the above but a bit smaller; that one looks like a 17, mine is a 15. It is kept on a trailer on the side of the house, tied to 3 concrete deadmen installed about 10 years ago with chains that just stay there waiting for the rare storm. The anchors go down into the ground about 4 feet with a few bags of concrete each. In addition to tying the trailer to the ground, we tied the boat to the trailer and filled the boat's anchor well with water to make it heavy. The boat weathered the storm with no issues. The fence in front of it blew down. I tied the fence to the boat during the storm to keep it from getting loose.

No matter what happened to my little boats, it could be worse. Less than a mile from here is the Hillsboro Inlet and there are some beautiful homes in that stretch of real estate including this one, just a couple houses from the inlet.

This is/was a beautiful monstrous yacht, which did not survive. I hear the back end came loose during the storm and banged against pilings, and she sank. That is a bad day. On the front, not visible in this picture, is anchor chain tied up into the yard around a very large silver palm tree, and that held. The back end just couldn’t have a big enough anchor? Big sail, hard to win?


With the experience of hurricane Irma, I observe a few things 

  • Boats in canals do better than boats on lifts in strong storms
  • Boats on trailers tied to something heavy can survive lots of weather
  • 4 post lifts do better than L lifts
  • Floating boat docks are not a really good place to be

Ideally, I’d invest in a trailer and put the boat on the trailer for a storm. I would then need a place to store the trailer and would also have to get out “early” to avoid the nest of boats strung across the canal. A trailer is the best answer – and a truck to tow it away from the storm. Barring that, for category 1, the L-lift with bracing will be fine. For category 3, my ship plan says put the boat in the water. For category 4, like the Florida Keys just experienced 100 miles south of here, well, you’re screwed either way and I’m not sure anything would help.

Joe Nord


Comment from: Harry Alverio Visitor

Hi, in Puerto Rico, a lot of boats survived in the canals during Hurricane Maria. They were tied the same way. Those left in the marina got hurt the most, hitting pilings and other boats. I truly believe that if you cannot take the boat out of the water, try to move it to channels or mangrove protected areas. This is my 2 cents!

03/28/18 @ 12:26 am

Comment from: joe Member

Thank you for the comment Harry. With Maria, Puerto Rico went through some real mess and I wish you safety and happiness.

05/24/18 @ 01:56 pm

Comment from: Shawn Visitor

Hey Joe,

I am moving to Florida shortly. I will also be living on a canal way. This was a very helpful read. I have been worried sick about what to do with my boat. No one really talks about boats on canal ways during hurricanes. 

Just curious, if everyone is tying up all up and down the canal, what happens when one boat isn’t secured properly and starts making its way up the canal and hitting other boats? do you worry about that?

Sorry for commenting so much later than your post. Just finally came across this!

04/18/19 @ 03:52 pm

Comment from: joe Member

Hi Shawn, welcome to the neighborhood.
> Just curious, if everyone is tying up all up and down the canal, what happens when one boat isn’t secured
> properly and starts making its way up the canal and hitting other boats? do you worry about that?

Everyone worries about that, and we worry about it before the storm. If a boat is in the canal and for some odd reason is not making its way to the middle like all the other boats, look for the neighbors to knock on the owner's door and offer encouragement and assistance. It is common also for people to take dinghies up/down the canal before the storm and inspect the rope and knots of everyone up-wind.

Originally posted Sept 30 2017

Adventures in S/MIME – Certificate Renewal

After writing a 3 part series on purchasing and using S/MIME certificates with Microsoft Outlook 2016, some months went by and I started receiving certificate renewal emails from Entrust. The first encouragement to renew arrived as a 90-day warning, then 60, 30 and finally 10. This post reviews the Entrust renewal process, describes that it is actually a new certificate purchase rather than a renewal, and describes the configuration changes required to configure Microsoft Outlook to use the “renewal” certificate rather than the expiring certificate.


Recall from part 1 of this series that the Entrust website requires the use of ActiveX controls so it can perform Microsoft Crypto API operations on the Windows PC endpoint where the certificate will be created and installed. More than requiring ActiveX execution on the endpoint, the Entrust ActiveX control is not digitally signed. Together, these mean that Windows is the only operating system and Internet Explorer is the only web browser that will work with the Entrust purchasing system, and that the IE Trusted Sites security controls have to be relaxed to perform the purchase. I add that today in January 2017, just as a year ago in 2016, the website still does not “fail early” when you visit in Firefox. You can still get all the way through purchasing and payment and not actually get the private key installed into the certificate store on Windows.

Before you visit the Entrust store to renew the certificate, launch Internet Explorer and temporarily relax the security controls. Details for this are in part 1 of this series. Quick version:

  • Place the Entrust site on “Trusted sites”
  • Dial the security level to “Low” for Trusted sites – this permits running unsigned ActiveX controls, which is native code running as you with no publisher signature to hold anyone to, so limit the zone to the one site you need. Make a note of the before setting and when done, reverse these steps
  • These should be put back immediately after completing the certificate purchase/renewal

Renewal process

In IE, browse to the Entrust store and complete the purchase process as in part 1 of this blog series. The receipt will arrive via email. Side note is that the receipt is 10 pages: the 1st page is the receipt and the 9 that follow are the EULA. When you print, save a tree, print only pages 1-1.

A separate email will carry the certificate pickup link. This email step validates that the person purchasing the email certificate actually controls the email address. The email contains a web link to continue the CA certificate signature process, identical to the original certificate purchase.

The pickup email contains this text:

Attention: Be sure to use the same browser to retrieve your certificate that you used to order it. For example, if you used Mozilla Firefox to order the certificate, use Mozilla Firefox, on the same computer, to retrieve it. Do not click the link on a different browser or a different computer.

Cute! Parts of the Entrust website believe this process works with something other than Internet Explorer. Don’t click the link; copy and paste it into IE, which is hopefully still open after the purchase.

OK, done! Not really done. Here is a request for enhancement to Entrust: you are already running native code on my computer as the logged-in user. How about walking me through the key backup process and automatically importing the newly purchased key into my email application, rather than just leaving the certificate available in Internet Explorer? Today this must be done manually, as covered in part 1 of this series.

This is not a certificate renewal

The “renewal” certificate is a completely “new” certificate, and the installation process is the same as the installation of the “first” certificate a year ago. Entrust “renewal” emails started arriving 90 days before expiration. In my case, I renewed 6 days before the expiration of the first year and noticed that this caused a loss in validity period of 6 days, with a loss in value of 6 / 365 * $20. Yes, this is a cost I can handle, but it goes to show that the process is not a renewal. Separate certificate issuance and non-aligned expiration dates drive home the fact that this is a new certificate purchase, and there is zero incentive to renew early, or even on time.

Properly implemented, the “renewal” should change the expiration of the original certificate. That is, the public key of the original certificate should be sent to Entrust to be signed as part of renewal, rather than a fresh key. The certificate signing request should denote a 1-year extension of the expiration date, which would fix the disincentive for early renewal.

Notice that in a renewal, the private key should be unchanged; the key then gets a fresh “attest” that it is legitimate, with a new expiration date. This is not what happens with the Entrust “renewal”: it is a new key pair and a new certificate, which precisely equals a first-time purchase, and there is no alignment of dates.

Security-wise, there is some advantage in generating new keys, but there is a real usability impact of having multiple certificates. To be able to validate signatures on emails sent in the past, the user must maintain ALL of the previous-generation certificates. In my case, there are now 2 certificates and next year there will be 3.

Install the certificate for use in Microsoft Outlook

In Outlook 2016, this is Alt-File, Options, Trust Center, Trust Center Settings, Email Security, Digital IDs, Import/Export.

Browse to the key backed up earlier, as exported from Internet Explorer (part 1 of this series): the file holding the certificate with the private key. When you import the key you will be prompted for the password you saved at export time, and … done. Conceptually done, but not actually done.

Outlook is still using the old certificate

Send a signed email to someone and you’ll see that Outlook is still using the “old” certificate. To validate, you must actually send an email to see what was used for the signature. After sending, open Sent Items, open the mail that was sent and then inspect the security of the signature. Multiple screens are required to get to this information.

Click the icon and push through a few more screens.

Almost there. When we view the certificate we see that the wrong one was used.


  • Outlook is still using the old certificate
  • We need to tell it to use the renewal certificate, which is actually a new certificate, but we need to do this without deleting the old certificate
  • Yes, that was a whole bunch of steps to verify that this didn’t work

Configure Outlook to use the new certificate

File, Options, Trust Center, Email Security, Encrypted email, Settings, Signing certificate. The image below implies that everything is all set, but it isn’t. You have two certificates (or more) for the same email address and you have to change the Outlook configuration to tell it to use the one that was just purchased.

Things to observe

  • The default certificate selected is the “old” certificate
  • If you select “OK”, the Outlook 2016 dialog hangs and must be closed
  • Selecting “More choices” is the correct thing to do

The “default” certificate for this account is the “old” one. Select the new certificate and press OK. You get another dialog to set encryption parameters.

Just like a year ago, the default hash is SHA1, which is deprecated by NIST and so should not be used. The people of the world still using a computer with Windows XP before Service Pack 3 will have to upgrade to receive your email. Change the hash to SHA2 / SHA256.

Click OK to close out the set of configuration panels.

Verify it is now working

Send another signed email and this time the new certificate will be used.


It is always fun to go back in time and read “Why Johnny can’t encrypt”. That was written in 1999 and today, in 2017, it remains true. Users should not be expected to have this level of expertise just to send a secure email, but they are still placed in this situation, which for the most part causes a complete inability to have secure email on the internet. With some work by the parties using it, it can be accomplished. I hope this small blog assists.

For the Entrust “renewal”, I summarize:

  • The Entrust email certificate “renewal” is actually a fresh certificate purchase
  • There is no advantage in renewing early, and indeed there is a disincentive to renew early
  • Since renewal is a new certificate, actions must be taken to convince Outlook to use the new certificate rather than the old
  • An Entrust purchasing website that expects ActiveX to be available, and the browser to be configured to run unsigned controls, is hard to justify in modern times

A native application is needed! The application should be downloaded and executed to guide the user through the certificate purchase, backup and certificate installation process. While in there, also implement a true “renew”.

I’m in for another year and this will work. Not ideal, but it will work.

Joe Nord

(Originally published Jan 1 2017)

Send and view all email as TEXT in Microsoft Outlook

Phishing is a popular activity in evil circles. Avoiding HTML and rich-text formatted email is a level of defense, one that I’ve taken on recently as a matter of security hygiene. This post describes how to configure Microsoft Office 2016 to read and send all email as text, and discusses some of the opportunities lost by not distinguishing the good guys from the bad guys well.

Wear your black hat

Bad actors wishing to attack a specific company often start by attaching a payload to an email which is sent to everyone inside the company. SOMEONE will click “run” and they have a foothold. The evil payload can be packaged as attachments, as bad images or macros, or referenced from HTML tags inside the formatted email. The payload can also be packaged as harmless-looking or even almost hidden links to rogue websites, and this last one is probably the biggest issue of all: don’t put the payload where the email scanner will find it; instead provide a link and get the user to click. Issues abound on “why this works”, but a big one is that as a user, you cannot easily distinguish between mails that are worthy of your trust and those that are potentially evil. Links embedded inside email text are a particularly large issue. They are “small” and can be framed as nothing, but when you click, even by just switching windows and clicking a random spot in the message, evil is unleashed from the visited website.

Bottom line: email provides an avenue for evil. Our mission is to keep the intruders away, and getting away from rich-text and HTML formatted email is an important start.

Friend vs. foe

In many ways, I wish Outlook did a better job of distinguishing “friendly” email from “suspect”. If I get email sent from someone inside my company, it has a higher level of trust than email received from outside. From outside, there are actually people I trust MORE than unknown people inside, but all of these trusted and non-trusted senders show up the “same” in Outlook’s email list presentation. One of the MOST important things in an email listing is the DOMAIN the mail originated from, but we have no view of it. You can’t easily figure out if an email is good or bad until AFTER you open it to view. I would like to know more about the sender of an email before I open it, but this isn’t possible today. The solution we are stuck with is rather harsh: treat everyone as suspect.

Solution – View and send all mail as text

View all email as text; then clicking text in an email doesn’t open links, and if we really want to follow a link, we can select the text and paste it into a browser. Yes, it is more steps and not nearly as convenient. When we configure to view all email as text, we should also have the courtesy to SEND all email as text. This makes a statement to the receiver that they should not invest time during a reply to make the email pretty, because all the formatting will be removed before I see it anyway. I’m deep down hoping for a side benefit here: it may assist in keeping emails SHORT.
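The reason “paste the text into a browser” is safer than clicking is that in HTML mail the text you see and the target you visit are two different strings. The following is an added example, not part of the original post and not an Outlook feature: it takes an HTML body (constructed here, with example-reserved hostnames) and lists every link as “visible text => real target”, then counts the anchors whose visible text is itself a URL that points at a different host than the href. It assumes only a POSIX shell with grep and sed, and the simple `<a href="...">text</a>` form of anchor.

```shell
#!/usr/bin/env bash
# Added example (not part of the post, not Outlook code): render HTML mail
# links the way plain-text viewing forces you to read them.
# The sample body is constructed; all hosts use reserved example names.
SAMPLE_HTML='<p>Your statement is ready at <a href="http://mybank-secure-login.example/">https://www.mybank.example</a>.</p>
<p>See <a href="https://docs.example.org/guide">the setup guide</a> for details.</p>
<p>News: <a href="https://www.example.org/news">www.example.org</a></p>'

# list_links: read HTML on stdin, print one line per anchor, "text => href".
# Assumes <a href="...">text</a>; other attribute orders are not handled.
list_links() {
  grep -o '<a href="[^"]*">[^<]*</a>' |
    sed 's/<a href="\([^"]*\)">\([^<]*\)<\/a>/\2 => \1/'
}

# host_of: strip the scheme and any path from a URL-ish string.
host_of() {
  printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#/.*$##'
}

# count_mismatches: read list_links output on stdin and count anchors whose
# visible text looks like a URL but whose host differs from the href host.
count_mismatches() {
  local n=0 line text href
  while IFS= read -r line; do
    text=${line%%" => "*}
    href=${line##*" => "}
    case "$text" in
      http://*|https://*|www.*)
        if [ "$(host_of "$text")" != "$(host_of "$href")" ]; then
          n=$((n + 1))
        fi ;;
    esac
  done
  echo "$n"
}

# Show every link with its true destination, then the mismatch count.
printf '%s\n' "$SAMPLE_HTML" | list_links
echo "links whose visible URL does not match the target host: $(printf '%s\n' "$SAMPLE_HTML" | list_links | count_mismatches)"
```

The third sample anchor is there on purpose: its visible text and its href agree on the host, so it is listed but not counted, which is the behaviour you want from a checker that only flags the deceptive case.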

Configuration settings

Default configuration for Microsoft Outlook 2016 is HTML formatted email. To change to text, follow these steps.

File / Options. Mail Tab. Set all outbound email to be composed in Plain Text.

Yes, you can switch inside the mail editor to HTML if that’s appropriate for a discussion you are having, but by default, with this setting change made, all mail will be composed as text.

Read all email as plain text

Trust Center, Email Security – Read all email in plain text. Notice below that I left the second box clear, saying that people who send me digitally signed mail can send HTML. I expect most black hat hackers will not bother digitally signing email, so this seems reasonable. I may still turn it off and require an explicit step to view such email as HTML.

Trust Center – Attachment Preview

In a world of malware delivered via attachments, it’s hard to imagine why automatically showing attached documents in a preview handler is considered a good idea. The default is wrong; fix it.

Disable picture download

There are a number of sub-options on this one. It may take some tweaking to get to the desired state, but for the most part, if viewing email in plain text, the options for downloading pictures are not that important. This setting comes up only IF you decide to view a specific email in HTML format, and by that point you have probably already concluded that the source is trustworthy, so the particulars of this panel will not matter too much. Still, turn it off and make yourself take an extra step if you want to see the images associated with an HTML formatted email.


SERIOUSLY! Macros are enabled by default if digitally signed. This sounds scary enough that if I were a bad guy, I’d digitally sign my malware macros to get them to auto-run. Turn this setting OFF.


With these security practices in place, I close by noting that I’m not precisely happy with it. Reading email as text takes me back to mainframes and UNIX of the 1980s. Yes, messages get through, but not nearly as beautifully as a colorful and elegantly formatted email “document”. Viewing in text, though, allows me to get the message across and makes my world a safer place.

If things change over time to better identify “good” vs. “bad” senders, or if email encryption and signing ever become mainstream, some of the “turn it off” aspects of this post could be relaxed. For the moment, I’ll be happier viewing in text.

Joe Nord

Originally published Feb 25 2016

Configuring GoDaddy SFTP Primary and Secondary accounts

Setting up a secondary FTP account for GoDaddy cPanel hosting requires a different configuration than I expected. The trick is that while the primary FTP account uses SFTP, the secondary accounts need to be configured for FTP over TLS. This was a large enough headache for me that I share the details here so others may avoid the same issue.

In my case, the primary SFTP account was already in place; the panel below is the GoDaddy Gateway page for creating and managing FTP Accounts. Enter an account name, password and click “Create FTP Account”.

When setting up the alternate FTP account in FileZilla, set the Protocol to FTP and the Encryption to “Require explicit FTP over TLS”.

Notice that the above FTP configuration for an alternate account differs from the configuration for the primary account. The primary account is shown below for comparison; the difference is that the Protocol is “SFTP – SSH File Transfer Protocol”.

Time to connect

Back to the secondary account. Click on “Connect” in FileZilla.

Click OK, activity starts.

Good news! It is connecting via TLS. On the first hit to the site, the TLS certificate for the GoDaddy FTP site will be downloaded into FileZilla and retained for comparison on future connections. Notice that while my GoDaddy domain does not have TLS support installed, the GoDaddy FTP site does. (Update: June 2021 – the site also has a TLS certificate installed.) This creates a certificate warning on first connect which, in my case, I had no choice but to accept. To be cleaner, I should probably add a TLS certificate to my site. Another day.


When done, it actually makes sense. Only the primary account is permitted SSH access, so it is the only account that can do FTP over SSH. The secondary FTP accounts have to use FTP over TLS. Set up FileZilla that way, and all works as expected.

Joe Nord (Originally published Feb 6 2016)

Adventures in S/MIME – Sending encrypted email with MS Outlook

In parts 1 and 2 of this series, I reviewed the difficult process of purchasing a personal certificate to use with S/MIME and the lengthy process required to get that certificate installed where Microsoft Outlook 2016 can use it for S/MIME signed email.  This post will show how to send your public key to friends, where you and they can then finally send email encrypted with S/MIME.

Distributing public keys

At this point, you and the other person have each completed the process of purchasing and installing a personal certificate for use by Microsoft Outlook.  By sending a SIGNED email to each other, your public key travels along with the email message and is used by Outlook to verify that a signed message was properly delivered.

I expected that receiving the public key (validated by public key crypto) would mean that it is now possible to send an encrypted email to the party that sent you the public key.  False – not there yet.  First you have to get their public key installed into your Contacts entry for their email address.

I am told later that you can highlight their email in a received signed message and add them to your contacts.  They are already in your contacts, but this will merge the public key into your existing entry, completing the key acceptance.  I didn’t do it that way.  Here’s the long way.

Upon receiving a signed email message, click on the “signed” icon. It’s red, on the right side.  You get this dialog.

Click on Details

Click on signer (two down from highlighted in the above).
And “View Details”.

And view the certificate.
And EXPORT the certificate to a file.
And then go back to Contacts, look up the person,

Click on Certificates.
Click on Import, and import the other person’s public key that was exported above.

Now you CAN send them an encrypted email via their public key and can sign that email using your private key.  Mission accomplished.  In a way success.  There’s more. 

Construct an email

Write an email to the person to whom you now have the ability to send encrypted mail.  You still must click the little tiny icon to bring up the security dialog to instruct Outlook to encrypt and sign the email.  Major usability mistake here.  Outlook by default will NOT encrypt the email to this person even though you have their public key.

If you write a secret letter – and you’re going to send it – and you hit send, did it go encrypted?

If you have a public key for someone, Outlook should go out of its way to require, by default, that all mail to that person be sent encrypted.  Failing to do this puts you in a position of having to be very careful about whether or not the security properties on the mailing are set.  If you get it wrong, Outlook will happily send the email “in the clear”.

You installed an S/MIME certificate for yourself because you want to be able to receive encrypted email.  You installed someone else’s public key because you want to be able to communicate with them securely.  Outlook should REQUIRE that all email sent to that person be encrypted, or make you at a minimum jump through approvals to send non-encrypted.  It doesn’t, and that’s a shame.

Outlook should also “collect” public keys for all email received where you have a matching email address in your Contacts.  It doesn’t, and that too is a shame.


We blame users for not being good at complicated things like certificates when in reality, we as programmers are not very good at making the user’s life easy. They should not have to care about all these details.

Certificate authority actions

For a certificate purchase, why is a web browser used for installation of the cert???  I’m okay with using a web browser to conduct a purchase, but when I get done, what I want is a certificate file stored on disk containing my public and private key, encrypted with some password that I assign.  THEN, I will load that cert into programs where I want to use it.

To go beyond the call of duty, let me download a utility program that will do the entire operation.  To say you don’t want to develop OS-specific utilities is false.  The registration in my case used an ActiveX control, and that means Windows, so there is already per-OS code used in the website registration.  Instead, the website should prompt me to download and RUN a utility program that performs the certificate purchase and installation.

When the certificate purchase is complete, the program should enumerate all the potential certificate stores on the machine and PROMPT me for which to install the cert.  IE/Windows cert store, Firefox, Outlook, they are all different and installation of the purchased certificate should automatically put the certs in the place where I want to use them.

Email program actions (Outlook)

Default to making it secure.  Automatically update my contacts when you receive a valid public key – or at a minimum, prompt me that you are going to do this and seek approval.  When sending email to someone that has a public key in my contacts entry, absolutely encrypt it – always!  And when I send to people that have a certificate themselves, do SIGN my emails and do ENCRYPT.  Default to doing it securely, and should I ever try to send a non-encrypted email to someone that can accept encrypted, well, don’t do that – always send it encrypted.

S/MIME adoption

It is somewhat self-fulfilling that S/MIME adoption is low.  Make this stuff work like it is supposed to work and things will be much easier.  It would be much easier to convince people to spend $20 to make it secure for a year if all they had to do was make a purchase over the internet.  Get this right, and the money side can get in place and the user count up, which should inspire email programs to do a better job defaulting to secure transport of email messages.

My $0.02 to secure the world.

Joe Nord 

(First published Jan 23 2016)

Adventures in S/MIME – Installing certificate for MS Outlook

In Part 1 of this series, I described the process of purchasing and installing a personal certificate.  In my case, the certificate was purchased from Entrust, and I noted that once the purchase process was complete, the certificate exists for use in the Internet Explorer web browser, but that is all.  With the purchase done, Microsoft Outlook will not yet utilize the certificate for S/MIME encrypted and signed email.

On Windows, there are multiple places where certificates are stored.  Since they potentially hold private encryption keys, we don’t just put them anywhere; they are placed into a controlled-access space where their usage can be limited.  The operating system itself provides the primary storage location, but even this is more than one location.  There is a machine-wide certificate store and then a separate certificate store for each user.

The Windows certificate store is the store visible with Start / Run MMC.exe, Ctrl-M, Certificates, and then you can browse.  For purposes of a personal certificate needed for S/MIME, the certificate is stored in the USER store.  It isn’t needed by any other user on the machine, so there is no need to elevate to admin to view the user certificates.

Take a look at the user certificate store

Press the Windows button to bring up the search bar, type “MMC” and Windows will respond with:

Click on “Run command” and the Microsoft Management Console (MMC) will run with user privilege.  The MMC is capable of loading numerous management “snap-ins”, and with these it can manage many different things on the computer.  When it comes up, it is managing “nothing”.

We are interested in managing certificates.  Ctrl-M brings up the add snap-in dialog; find Certificates on this list and press “Add”.

Since we run MMC on a user-privilege account, we are presented with no option to select the machine-level store or the user store; we get the USER certificates.  An interesting side note is that had we escalated to administrator access to certificates and then started browsing the user certificates, we would be browsing the administrator’s certificates.  This isn’t what we want. MMC was run on our normal user account, so we can see only the certificates for ourselves, and that is what we want.

Click on Personal and then Certificates and we get a listing of ALL of our personal certificates; in my case, there is only one.  

Nice experiment: we have noticed that after installing the certificate into Internet Explorer, the certificate is automatically installed into THE Windows certificate store, in our user space.

Internet Explorer uses the Windows primary certificate store for web browsing so when the Entrust installer placed the certificate onto the computer, it landed here.  Google Chrome also uses the system certificate store, so it too will benefit from being able to use certificates in web browsing.  Recall that for me, the end game is S/MIME, so having now two web browsers capable of mathematically proving to web sites that Joe really is Joe, is completely uninteresting.  In fact, most of the time I would prefer this not be possible, so there is something to be said for removing this certificate from the Windows certificate store.  More on this later.

Firefox by contrast manages its own certificates.  We could install the certificate into the Firefox certificate store.  Alt-Tools, Options, Advanced, Certificates to get this started.  Again, the goal is S/MIME email with Microsoft Outlook, so giving a certificate to Firefox to use with web browsing is not helpful.

Microsoft Outlook 2016

You would THINK that if Microsoft Internet Explorer uses THE Windows certificate store for its usage, that Microsoft Outlook would also use that store.   You would think this, I would think this, we all would think this, but we would all be wrong.

Outlook has to be told that you have a certificate, and you must import it.  Here is a Microsoft article on how to do it: link.  Quick version: in Outlook, File, Options and then down at the bottom, click on “Trust Center”, Trust Center Settings, Email Security.  You get a dialog that looks like this:

Click on “Import/Export…” and we can start the process of importing our personal S/MIME certificate into Microsoft outlook.  Remember the USB drive that stored a copy of your certificate after purchase and the password you wrote down for the encryption of that private information in that backup, you will need those.

Complete that activity and get back to this screen.

In my case, I checked the box to say “Add digital signature to outgoing messages”.  In retrospect, that was a mistake; the vast majority of people I send email to from my personal email account have no idea what an S/MIME attachment is, and this creates confusion.  Since I can’t send them encrypted email anyway (they do not have a certificate), there is no big value in signing the message.  I recommend leaving this checkbox “off”.

Next, click on “Settings”

I just purchased this very fine personal encryption certificate, and the certificate itself is signed with SHA2, but this dialog says I should sign my email messages using SHA1.  Argh!!!!

NIST themselves have deprecated SHA1 and it is no longer FIPS 140-2 approved.  SHA2 is in vogue, and since my personal certificate is signed with SHA2, anyone who receives anything from me by definition must be able to handle SHA2, so why is Outlook defaulting to a lower form???  Change this to SHA256.

As for AES256, that’s peachy.  Frankly, AES128 would be just fine, but 256 is also fine, and with the low quantity of encrypted mail I will be sending, it just doesn’t matter if it takes a few extra microseconds to do the math.

Send a signed message

Since I turned off the “sign all messages” box in options, the decision to sign any message must now be made when sending an email.  In the editing box for sending an email, the method to get it to do the signing is … hidden.  Insert / Signature doesn’t do it – that is for text signatures placed at the end of the email message.  What to do?

The answer is hidden in a very small pixel at the lower right of this box.

Yes- that little tiny box with an arrow.  Click on that and this dialog pops up.

Click on “Security Settings”, and finally you can say “yes, sign this email message”.

Click on SEND and the email will be sent, signed.

ANYONE can receive your signed email; all they need is your PUBLIC key, and this travels along with the S/MIME formatted email.  Since that public key roots up to Entrust, and since Entrust is part of the pre-installed set on every operating system, ANYONE who receives your message can do fancy math to verify that the message was indeed from you, and since the signature checks out, they can also be sure that the message was not tampered with along the way.

What they will not have is encryption of the message.  To get that, they too would need an S/MIME certificate, and that I will save for a follow-up post.  Link.
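Three things on this page are easier to believe once seen on the command line: the verification just described (the signer’s certificate travels inside the S/MIME message and chains to the CA), the “export the certificate from the signed message” steps in the sending-encrypted-email post, and the argument in the renewal post that a true renewal re-certifies the same public key with the expiry extended, whereas what Entrust delivers is a new key pair and a new certificate.  The following is an added example written for this page, not Entrust’s process and not Outlook’s code.  It assumes openssl is on the PATH, stands up a throw-away CA of its own as a stand-in for the commercial CA, uses a constructed address joe@example.test, and keeps every file in a temp directory that it deletes on exit.

```shell
#!/usr/bin/env bash
# Added example (not Entrust's process, not Outlook's code). Shows, with a
# throw-away CA built here:
#  (1) a true renewal: the original CSR (same public key) re-certified with
#      the expiry pushed out a year, versus a fresh key pair + fresh cert;
#  (2) signing a message, verifying it against the CA, and pulling the
#      signer's certificate out of the signed message (Outlook's manual
#      "export the certificate" step).
# joe@example.test and all file names are constructed for this example.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

spki_fingerprint() {   # SHA-256 of the SubjectPublicKeyInfo: identifies the key pair
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}
cert_fingerprint() {   # SHA-256 of the whole certificate: changes on every issuance
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
not_after() {          # expiry date as printed by openssl
  openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}
issue_cert() {         # $1 = CSR, $2 = output cert, $3 = validity in days
  openssl x509 -req -in "$1" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days "$3" -sha256 -out "$2" 2>/dev/null
}
sign_message() {       # $1 = private key, $2 = cert, $3 = plaintext, $4 = signed mail out
  openssl smime -sign -in "$3" -signer "$2" -inkey "$1" -text -out "$4"
}
verify_message() {     # $1 = signed mail, $2 = file to receive the signer cert; prints ok/bad
  if openssl smime -verify -in "$1" -CAfile ca.pem -signer "$2" -out /dev/null 2>/dev/null
  then echo ok; else echo bad; fi
}

# Toy CA standing in for the commercial CA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Toy Email CA" -keyout ca.key -out ca.pem 2>/dev/null

# Year 1: key pair + CSR, certified for 365 days.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Joe/emailAddress=joe@example.test" -keyout year1.key -out year1.csr 2>/dev/null
issue_cert year1.csr year1.pem 365

# True renewal: the SAME CSR (same public key) re-certified for 730 days from
# now, i.e. one year beyond the original expiry. New certificate, same key.
issue_cert year1.csr renewed.pem 730

# What the renewal post describes instead: a fresh key pair and a fresh cert.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Joe/emailAddress=joe@example.test" -keyout year2.key -out year2.csr 2>/dev/null
issue_cert year2.csr year2.pem 365

# Sign a constructed message with the year-1 key, verify it, and save the
# signer certificate that was carried inside the message.
printf 'Hello, this is a constructed test message.\n' > msg.txt
sign_message year1.key year1.pem msg.txt signed.eml
verify_message signed.eml extracted.pem          # prints ok
# A copy with one word changed in the clear-text part must fail to verify.
sed 's/Hello/Hallo/' signed.eml > tampered.eml
verify_message tampered.eml unused.pem           # prints bad

echo "year1   key=$(spki_fingerprint year1.pem)   expires $(not_after year1.pem)"
echo "renewed key=$(spki_fingerprint renewed.pem) expires $(not_after renewed.pem)"
echo "year2   key=$(spki_fingerprint year2.pem)   expires $(not_after year2.pem)"
if [ "$(cert_fingerprint extracted.pem)" = "$(cert_fingerprint year1.pem)" ]; then
  echo "signer certificate extracted from signed.eml is the year-1 certificate"
fi
```

Read the three `key=` lines together: year1 and renewed share a key fingerprint and differ only in the certificate (and its expiry), which is the renewal the post asks for; year2 has a different key and a different certificate, which is the purchase the post got.  The `-signer` option on the verify side is the scripted equivalent of clicking through to the signer and exporting the certificate in Outlook.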

Joe Nord

(Originally published Jan 23 2016)