Are Online File-Conversion Services Safe?

At Quora, I occasionally play, “Ask the expert”. Hundreds of my Quora answers are linked at the top right. Today, I was asked if it is safe to use free, online services that convert between file formats. For example, many web services allow you to upload a JPEG image and get back a PNG file. Others convert between DOC and PDF, or between popular video or audio formats.

Some of these services include additional processing. For example, stringing separate images together into a single animated GIF file—or rotating pages and adding a password within a PDF file. If you don’t have a locally installed program that does these things, is it safe to use these free, online services?

And what about the apps that you download and install? These present separate risks! But, with a little common sense, you can figure out which ones you can trust…


The short answer: It depends on the file type. A JPEG file that is processed via an online service is safe. SVG is not.*

A More Complete Answer…

There are three factors that relate to the safety of free online file converters:

  1. Is the target file type passive? That is, is it a data-only file that you will open with your own application? But watch out!

    Most—but not all—media formats (files that store pictures, music or video) cannot contain malicious code, unless you are tricked into opening them with the wrong program. Most of these formats simply direct your application to present pictures to your screen or audio signals to the speakers, without launching other apps or executing code that reads or writes to your device. But there are exceptions. Some popular formats support scripts, which are a form of program instructions. And, rarely, you may even be susceptible to execution of a data-only file.*

    In my opinion, JPEG files are safe (including .jpg and .jiff file extensions). So are bmp, gif, mp3, avi, and mp4 files. But svg, doc and pdf files are not necessarily safe! These file formats permit JavaScript or other code which can be activated when you attempt to open the file. Therefore, if you use a service to create SVG, DOC or these other file types, be sure that you use your own applications to open it, and that you have configured your application to restrict execution on files that are downloaded from the Internet.

  2. Is there anything sensitive in your source material? (i.e. is your file confidential or embarrassing?). If so, it will be in the hands of strangers for all time. Do not use an online service to convert the file—nor even to store it, unless it is first encrypted on your device.
  3. Is there possibility of misdirection or error during the process? That is, could you be tricked into uploading the wrong file or revealing more information than you intended? For example, with deceptive tactics, a web service might slip you a routine that fools with your file associations. Now, a file ending with .JPG is no longer interpreted as an image, but contains an active and malicious threat.
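As an added illustration of factors 1 and 3 (this is not code from the original post), the Python sketch below checks a file returned by a conversion service before you open it: it confirms that the leading bytes agree with the extension, and it lists script-capable constructs in an SVG. The function names, the signature table and the sample SVG strings are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Leading bytes ("magic numbers") of passive image formats named in the text.
MAGIC = {
    "jpg": [b"\xff\xd8\xff"], "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "bmp": [b"BM"],
}

def extension_matches_content(filename, data):
    """True if the file's first bytes agree with what its extension claims."""
    ext = filename.rsplit(".", 1)[-1].lower()
    sigs = MAGIC.get(ext)
    if sigs is None:
        return False  # unknown extension: treat as unverified
    return any(data.startswith(s) for s in sigs)

def svg_active_content(svg_text):
    """Return a list of script-capable constructs found in an SVG document."""
    # Refuse DTDs and entity declarations rather than feed them to the parser.
    if re.search(r"<!(DOCTYPE|ENTITY)", svg_text, re.I):
        return ["DTD or entity declaration (not parsed)"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return ["not well-formed XML"]
    findings = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # drop the XML namespace
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()
            if attr.startswith("on"):  # onload, onclick, ... (conservative)
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.append(f"javascript: link on <{tag}>")
    return findings

# Constructed samples: one passive drawing, one carrying benign active content.
SAFE_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="4" height="4"/></svg>'
ACTIVE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
              '<script>init=function(){}</script>'
              '<a href="javascript:void(0)"><rect width="4" height="4"/></a></svg>')

if __name__ == "__main__":
    print(svg_active_content(ACTIVE_SVG))
    print(extension_matches_content("photo.jpg", b"MZ\x90\x00"))
```

An empty list from `svg_active_content` means none of these constructs were found; it does not prove that the file is harmless.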

Most Important: Never accept an option that offers an upload manager, browser plug-in or “assistant”. These are programs over which you have no control! They often contain malware that threatens your data and your entire network. Helper apps and plug-ins should only be installed from rock-solid sources, such as the maker of your operating system or browser (Apple, Microsoft, Google) or from highly reputable, open-source projects.

Disambiguation: That last warning is about apps installed on your device, rather than online services. But, how can a non-techie be secure in their decision to download or install an app? Here is a way to think about your options and safety: The maker of your app should fall into one of these two categories:

  • The vendor has a lot to lose if they fail to fully vet the context and security of an executable. This is typically true of large, audited, publicly funded companies like Adobe, Citrix or Google. (Being big does not inherently make them trustworthy, but it makes them very careful to verify their claims against internal practices).
  • —OR— The executable is offered via a reputable open source community with a broad base of technical and critical developers. It helps if developers are rewarded for finding and reporting bugs.

Online file conversion services fail these tests—But they are not locally installed apps. Remember, these last two tests are intended for apps that you plan to install, whereas online file-conversion services simply process data and return it to you. So to protect yourself from file-conversion programs that you download and install, you must ensure that they don’t install or interact with your other applications and data.

One way of ensuring this is to run in a sandbox or protected environment (as if you maintained a separate PC for use only with file conversions). The more practical way is to educate yourself on the vendor’s practices, reputation and history. A dedicated file conversion utility should interact only with files you select—and only to generate passive content that you open with your own applications.


* Even data-only files can be exploited. For example, malware can use a “buffer overrun” weakness to treat some of the music or photo data in your files as executable program code. But don’t worry. Although this might seem impossible to defend, such opportunistic exploits are unlikely if you have good antivirus protection, and if you allow your trusted applications to update regularly.

Additional reading about SVG file format:

Free, Online Blockchain Courses

I develop Bitcoin and Blockchain courses for a profitable venture—And so, I may be shooting myself in the foot with a competitive referral. But, hey!—It’s for a good cause.

Jeremy Boris; Zero to 60 in six months

Jeremy Boris has a degree in business management. He became interested in blockchains a few months ago. In just the first half of this year, he has leapt beyond the realm of enthusiast. He already casts himself as a blockchain developer.

Now, Jeremy seeks to spread the joy (and the potential for career income). Here is his annotated list of free, online blockchain courses, covering all six critical technologies.

Everyone needs a starting point. This is a great one!

Vicente Fox: Message to Donald

I try hard to avoid pushing too many Trump posts into AWildDuck. The blog is intended to be more about technology, privacy, cryptocurrency and social policy.

But all too often, something like this hits the news and it’s tempting; like Adam & Eve and the apple, all over again!

I could be mistaken, but it appears that this video message to US president Donald Trump was really produced and presented by former Mexican president Vicente Fox. It does not appear to be an actor or comedian. The video is posted on President Fox’s Facebook page and his own personal web page.

Even if this is an actor portraying the Mexican president, it is clearly authorized. It is not only funny, but insightful and relevant—and very sad. That too! Funny, but sad…

Solar System Map: Surprisingly deceptive

What’s wrong with this illustration of the planets in our solar system?

For one thing, it suggests that the planets line up for photos on the same solar ray, just like baby ducks in a row. That’s a pretty rare occurrence—perhaps once in several billion years. In fact, Pluto doesn’t even orbit on the same plane as the planets. Its orbit is tilted 17 degrees. So, forget it lining up with anything, except on rare occasions, when it crosses the equatorial plane. On that day, you might get it to line up with one or two planets.

But what about scale? Space is so vast. Perhaps our solar system looks like this ↓

No such luck! Stars and planets do not fill a significant volume of the void. They are lonely specks in the great enveloping cosmic dark.* Space is mostly filled with—well—space! Lots and lots of it. In fact, if Pluto and our own moon were represented by just a single pixel on your computer screen, you wouldn’t see anything around it. Even if you daisy chain a few hundred computer screens, you will not discern the outer planets. They are just too far away.

Josh Worth has created an interactive map of our solar system. For convenience, it also assumes that planets are lined up like ducks. But the relative sizes and distance between planets are accurate. Prepare to change your view of the cosmos…

1/7 the way to Pluto. I enlarged Jupiter’s moons. On a full-screen view, they are barely visible.

Just swipe your finger from the right edge of the screen to move away from the sun. Despite a fascinating experience (and many cute, provocative Easter eggs hidden between the planets), few readers swipe all the way out to Pluto and the author credits. On my high-resolution monitor, it requires more than a thousand swipes. Imagine if the Moon had been more than 1 pixel…It would take a long, long time! I would rather go out to dinner and a movie. But I urge you to travel at least to Jupiter. At 1/7 of the trip to Pluto, it should take less than 5 minutes.

On this scale, you won’t see the 1½ or 2 million asteroids between Mars and Jupiter. They aren’t large enough to merit a pixel. As Josh states, “Most space charts leave out the most significant part – all the space.” (an Easter egg at 1.12 billion km on the map).


* I borrowed this phrase from my former Cornell professor, Carl Sagan. He uses it in Pale Blue Dot [timestamp 2:14.]. This video tribute became a touchstone in my life; even more than having Sagan as a professor and mentor.

If you view it, be sure to also view Consider Again, Sagan’s follow-up in the video below. It is a thought-provoking observation of human-chauvinism throughout history—even among ancient Greeks. Carl isn’t the first atheist, of course. But he is eloquent in describing mankind’s ego trip: The delusion of a privileged place in the universe, or the religious depiction of God and his relationship with our species.

Related:

Credit:  ▪ Josh Worth and Sachin Gadhave who offers an illustrative answer at Quora.com


Ellery Davies co-chairs Crypsa & Bitcoin Event, columnist & board member at Lifeboat, editor
at WildDuck and will deliver the keynote address at Digital Currency Summit in Johannesburg.

US withdrawal from Paris accord; Universal disappointment

Yesterday, I had a fantasy. One that I passionately hoped would become reality. Minutes before Trump announced the withdrawal of the United States from the Paris Climate Accord, I began to daydream…

  • I dreamt that Trump might listen to his top science advisors and his daughter
  • I dreamt that he might not gamble our existence on his minority opinion that humans cannot help rescue the environment.
  • I dreamt that he would recognize that clean energy jobs trump legacy coal mining
  • I dreamt that he would avoid export tariffs for failing to respect international norms
  • I dreamt that he would stop pandering to Yahoos and stand for something worthy and undeniable

No such luck! The USA has lost its Mojo—at least while it is led by a man with no grasp of science, history, morals or a global perspective. As Trump began to speak, I was sucked into a cruel nightmare. But this nightmare is reality. It’s the reality of a buffoon representing you and me in our nation’s highest office.

Question: Time for a thought experiment. Can you guess the answer?…

What do Arnold Schwarzenegger, Elon Musk, The Pope, Richard Branson and French president, Emmanuel Macron, have in common?

Answer: They are all saddened that the US is surrendering its inspiration, leadership and common sense. Clean energy creates jobs, saves our planet, and aids the political and military stability of nations. Trump doesn’t sense any of this. He is validated by his base and his Yes men. He is a climate denier, and he doesn’t even read. He only watches what others say about him on television.

I cannot add perspective nor amplify President Macron’s urgent message to Americans. The clip is trending on Facebook with the caption: “French president destroys Trump in 5 words”. This suggests that he is taking a jab at Trump; mocking his poor grasp on science and the environment. But, politics plays no role in this message. It is about global impact and opportunity…

The French president hasn’t made a fool of Trump. Trump has brought shame onto his office and made a fool of our system of government, all on his own. His defiance of science and complete lack of understanding of history risk irreparable harm to our planet. Trump feels that American jobs come before environmental policy. Yet, he is turning his back on the biggest jobs market since the steam engine.

Perhaps more critically, his withdrawal from the global accord will bring about tariffs against US cars, steel, airplanes, timber and electronics. After all, by pulling out of the Paris accords, we are ducking environmental safeties in an effort to make America great — or more accurately, in our effort to bury our heads in the sands and let the rest of the world take the lead on clean energy, efficiency, reducing pollution and averting global warming.

Response to US withdrawal…



Wallet Security: Cloud/Exchange Services

3½ years ago, I wrote a Bitcoin wallet safety primer for Naked Security, a newsletter by Sophos, the European antivirus lab. Articles are limited to just 500 words, and so my primer barely conveyed a mindset—It outlined broad steps for protecting a Bitcoin wallet.

In retrospect, that article may have been a disservice to digital currency novices. For example, did you know that a mobile text message is not a good form of two-factor authentication? Relying on SMS can get your life savings wiped out. Who knew?!

With a tip of the hat to Cody Brown, here is an online wallet security narrative that beats my article by a mile. Actually, it is more of a warning than a tutorial. But, read it closely. Learn from Cody’s misfortune. Practice safe storage. If you glean anything from the article, at least do this:

  • Install Google Authenticator. Require it for any online account with stored value. If someone hijacks your phone account, they still cannot authenticate an exchange or wallet transaction, because Authenticator generates its codes on your device instead of receiving them by text message.
  • Many exchanges (like Coinbase) offer a “vault”. Sweep most of your savings into the vault instead of the daily-use wallet. This gives you time to detect a scam or intrusion and to halt withdrawals. What is a vault? In my opinion, it is better than a paper wallet! Like a bank account, it is a wallet administered by a trusted vendor, but with no internet connection and forced access delay.

Exchange and cloud users want instant response. They want to purchase things without delay and they want quick settlement of currency exchange. But online wallets come with great risk. They can be emptied in an instant. It is not as difficult to spoof your identity as you may think (Again: Read Cody’s article below!)

Some privacy and security advocates insist on taking possession and control of their wallet. They want wealth printed out and tucked under the mattress. Personally, I think this ‘total-control’ methodology yields greater risk than a trusted, audited custodial relationship with constant updates and best practice reviews.

In case you want just the basics, here is my original wallet security primer. It won’t give you everything that you need, but it sets a tone for discipline, safety and a healthy dollop of fear.



Incentivize Bitcoin Miners After All 21M BTC Are Awarded

Individuals who mine Bitcoins needn’t be miners. We call them ‘miners’ because they are awarded BTC as they solve mathematical computations. The competition to unearth these reserve coins also serves a vital purpose. They validate the transactions of Bitcoin users all over the world: buyers, loans & debt settlement, exchange transactions, inter-bank transfers, etc. They are not really miners. They are more accurately engaged in transaction validation or ‘bookkeeping’.

There are numerous proposals for how to incentivize miners once all 21 million coins have been mined/awarded in May 2140. Depending upon the network load and the value of each coin, we may need to agree on an alternate incentive earlier than 2140. At the opening of the 2015 MIT Bitcoin Expo, Andreas Antonopoulos proposed some validator incentive alternatives. One very novel suggestion was based on game theory and involved competition and status rather than cash payments.

I envision an alternative approach—one that also addresses the problem of miners and users having different goals. In an ideal world the locus of users should intersect more fully with the overseers…

To achieve this, I have proposed that every wallet be capable of also mining, even if the wallet is simply a smartphone app or part of a cloud account at an exchange service. To get users participating in validating the transactions of peers, any transaction fee could be waived for anyone who completes 1 validation for each n transactions. (Say one validation for every five or ten transactions). In this manner, everyone pitches in a small amount of resources to maintain a robust network.

A small transaction fee would accrue to anyone who does not participate in ‘mining’ at all. That cost will float with supply and demand. Users can duck the fee by simply participating in the validation process, which continues to be based on either proof-of-work, proof-of-stake — or one of the more exotic proof theories that are being proposed now.

