August 13, 2024
Recovering Redacted Content: It’s Scary How Easy It Is
Blurred and pixelated images can often be reverse-engineered to reveal censored details, making them unreliable for secure redaction.
Black bar redaction in digital documents is not foolproof despite being the industry standard; hidden text can be retrieved using simple software tools.
Proper redaction involves using the right tools for the job, but can go as far as printing, physically cutting out portions, and rescanning in 2-bit.
I censor images and documents every day as part of my job.
It’s nothing overly sensitive like passwords/confidential information; it’s mainly for communication purposes & document creation — logos, names, or references that are irrelevant to my recipient.
If it’s irrelevant, it’s a distraction — so I crop, blur, pixelate, and even compress my images & documents before submission using a combination of CleanShot X and Clop. So imagine my surprise when I came across a YouTube short of Thor explaining that blur is an insecure form of censorship.
This sent me down a deep rabbit hole of the (lack of) security — of not just blurred text but also mosaic, pixelation, black bar censorship, as well as photo cropping.
Non-Destructive Editing — Images and Text
Mr Swirl Face. Source: BBC
I’ll start with the history of Christopher Paul Neil, or Vico, his assigned nickname within the Interpol operation.
Vico was involved in a high-profile case of child sexual abuse involving at least 12 boys in Vietnam, Cambodia, and Thailand.
He appeared in more than 200 online photographs depicting the abuse, his face obscured by a digital swirl.
However, reversing the censorship simply involves applying the same swirl filter in the opposite direction, which made his face clearly visible.
Posting these reconstructed images online led to hundreds of witnesses contacting Interpol, which led to his arrest in October 2007.
Hubris is Vico’s downfall — but we are just as likely to make the same mistakes in our day-to-day censoring efforts.
Reverse Engineering Text
What surprised me is how accessible these reversal tools are to the wider public.
For text-blurring reversal, there are two tools that I came across — BishopFox’s Unredacter and Spipm’s Depix. Both tools use different algorithms, but the underlying principles remain the same:
1. Use image cropping tools to isolate the censored text.
2. Obtain and load the font reference materials.
3. The software then conducts multiple experiments — creating blurred versions of every alphanumerical character within the reference font.
4. These blurred texts are then compared to the censored text, character by character.
5. If the generated blurred text looks strikingly similar to the censored text, it becomes easy to decipher the original characters.
This solution is straightforward, but not perfect:
It requires the user to know the font family of the censored text.
That’s because the same text in different fonts will produce wildly different censored images, which can be hard to reverse-engineer.
It shouldn’t be difficult to identify font families using WhatTheFont, or GPT-assisted font identification tools.
What’s actually hard to decipher is the blur type and intensity, which requires trial and error.
Photoshop alone contains 16 types of blurs which can affect the reverse-engineering process.
Also, the higher the blur intensity — the harder it is to recover the original text.
On the flip side, this deciphering method is versatile in theory — allowing users to recover text that’s blurred, mosaic, or even pixelated.
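To see why the comparison described above works, and why intensity matters, the sketch below measures how many candidate strings produce exactly the same mosaic as a redacted value at different block sizes. It is an added example, not code from Unredacter or Depix; the 3x5 digit font, the sample value and all function names are constructed for illustration.

```python
from itertools import product

# Constructed 3x5 bitmap font (an assumption for this sketch; a real check
# would rasterise candidates in the document's actual font and size).
FONT = {
    "0": ["111", "101", "101", "101", "111"],
    "1": ["010", "110", "010", "010", "111"],
    "2": ["111", "001", "111", "100", "111"],
    "3": ["111", "001", "111", "001", "111"],
    "4": ["101", "101", "111", "001", "001"],
    "5": ["111", "100", "111", "001", "111"],
    "6": ["111", "100", "111", "101", "111"],
    "7": ["111", "001", "001", "001", "001"],
    "8": ["111", "101", "111", "101", "111"],
    "9": ["111", "101", "111", "001", "111"],
}
ROWS = 5


def render(text):
    """Rasterise text into rows of 0/1 pixels, one blank column after each glyph."""
    grid = [[] for _ in range(ROWS)]
    for ch in text:
        for y in range(ROWS):
            grid[y].extend(int(p) for p in FONT[ch][y])
            grid[y].append(0)
    return grid


def mosaic(grid, block):
    """Pixelate: reduce every block x block tile to the amount of ink it holds.

    The tile sum carries the same information as the averaged colour a
    mosaic filter paints, and it is a pure function of the input pixels.
    """
    height, width = len(grid), len(grid[0])
    tiles = []
    for top in range(0, height, block):
        row = []
        for left in range(0, width, block):
            row.append(sum(grid[y][x]
                           for y in range(top, min(top + block, height))
                           for x in range(left, min(left + block, width))))
        tiles.append(tuple(row))
    return tuple(tiles)


def consistent_candidates(redacted, length, block):
    """Every digit string of this length whose mosaic equals the redacted one."""
    return ["".join(c) for c in product(FONT, repeat=length)
            if mosaic(render("".join(c)), block) == redacted]


if __name__ == "__main__":
    secret = "4071"  # constructed sample value
    for block in (1, 2, 64):
        redacted = mosaic(render(secret), block)
        hits = consistent_candidates(redacted, len(secret), block)
        print(f"block={block}: {len(hits)} candidate(s) fit the mosaic")
```

The fewer candidates that remain consistent with the mosaic, the less the pixelation protects; only a tile large enough to merge many different inputs into the same output leaves real ambiguity.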
Image De-Blurring
Face de-pixelation demonstration. Source: Google Brain
Apparently, a 2017 Google project had already found ways to fill in details of very low-res images. They’re not exactly accurate, but it’s amazing how much information it can extract with such limited input. But also imagine how much this technology has advanced, now with AI advancements and the availability of high-quality training data.
In my research, I’m surprised to see a distinct overlap between reversing image censorship, image sharpening, and image upscaling.
This makes sense because all these technologies involve analysing surrounding pixels and using advanced algorithms to make informed decisions on what other pixel data should be.
I’ve found a GitHub repo compiling most of the important research done in this area starting from 2006. But there are also research papers that go as far back as 1980 — using diffraction grating to enhance blurred images the analogue way, before pixels were even widespread (the pixel was invented in 1957).
But for pixelated images, the technology essentially involves deep learning (DL) techniques and non-deep learning (non-DL) techniques.
It even works with video. Source: GitHub
DL Characteristics:
- Produces higher-quality images
- More versatile with various blur types and noise
- Requires significant computational resources for model training
- Models are more complex
Non-DL Characteristics:
- Good quality if blur type and intensity are known
- Less versatile than DL methods if data contains varying types of blur
- Computationally and resource efficient
- Algorithm is simple, and thus, more predictable
I can’t find any case studies on image de-blurring being used to reverse censorship, but it is certainly being used by police authorities.
Different de-blurring algorithms. Source: Journal of Physics
There was a case involving CCTV footage of a violent crime in Delhi, but the footage was so blurred that the perpetrator could not be identified, despite being directly in front of the camera. De-blurring then played a crucial role in face detection, which led to better suspect identification. (I wonder if it’s a more cost effective option than better CCTV investments.)
You can even try out de-blurring for free through GitHub projects like DeepMosaics.
Black Bar Redaction
Google search results for “Document Redaction”
I’d comfortably say that black bar redaction is the industry standard. In fact, it’s the only thing that comes up while googling the term “redaction”.
Even then, the adage still rings true — if it’s not destructive, it’s likely reversible. For digital documents, it’s dangerous to assume that just because the user can’t see it, neither can the computer.
- An example would be black highlights, which is different from a proper redaction feature. Here’s a Reddit post of a user copying redacted text into a clipboard by simply highlighting the redacted areas.
Redacted text being bypassed with a simple highlight + copy & paste. Source: Reddit
- This also applies to covering the target text with black boxes. If saved improperly, users can simply remove the box layer in Adobe Illustrator or any PDF editor.
Removing black boxes by simply moving them using PDF tools
- Sensitive information may also exist within the PDF’s raw data. It could easily be extracted simply by converting the PDF into text, or for the more technically competent, digging through the source code.
Extracting hidden text by converting PDFs into TXT files
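A pre-release check for the three failure modes above is to scan the PDF you are about to send for the very strings you meant to remove. The sketch below is an added example, not taken from any tool named in this article: it pulls text-showing operators out of a PDF's content streams using only the standard library, and the sample document, names and search terms are constructed.

```python
import re
import zlib

# A stream body sits between the "stream" and "endstream" keywords.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
# Literal string operand: ( ... ) with backslash escapes, no nested parentheses.
LITERAL = rb"\((?:\\.|[^\\()])*\)"
# Text-showing operators: "(text) Tj" and "[(te) -20 (xt)] TJ".
SHOW_RE = re.compile(rb"(?P<one>" + LITERAL + rb")\s*Tj"
                     rb"|\[(?P<arr>(?:" + LITERAL + rb"|[^\]()])*)\]\s*TJ")


def _decode(literal):
    """Strip the parentheses and undo simple backslash escapes."""
    return re.sub(rb"\\(.)", rb"\1", literal[1:-1]).decode("latin-1")


def extract_text(pdf_bytes):
    """Return the strings drawn by Tj/TJ operators in every content stream.

    Simplified on purpose: hex strings and fonts with custom encodings are
    not decoded, so an empty result is not proof that a file is clean.
    """
    found = []
    for match in STREAM_RE.finditer(pdf_bytes):
        body = match.group(1)
        try:
            # FlateDecode stream; decompressobj tolerates the trailing newline.
            body = zlib.decompressobj().decompress(body)
        except zlib.error:
            pass  # uncompressed content (or a filter this sketch skips)
        for show in SHOW_RE.finditer(body):
            if show.group("one"):
                found.append(_decode(show.group("one")))
            else:
                parts = re.findall(LITERAL, show.group("arr"))
                found.append("".join(_decode(p) for p in parts))
    return found


def leaked_terms(pdf_bytes, terms):
    """Which of the supposedly redacted terms can still be extracted?"""
    text = " ".join(extract_text(pdf_bytes)).lower()
    return [t for t in terms if t.lower() in text]


# Constructed sample: two lines of text, then a black rectangle painted on top.
CONTENT = (b"BT /F1 12 Tf 72 720 Td (Name: Jane Doe) Tj "
           b"0 -16 Td [(Acc) -20 (ount: 1234-5678)] TJ ET\n"
           b"0 g 70 700 220 36 re f\n")


def build_sample(content, compress):
    """Wrap a content stream in a minimal PDF body (no xref table; enough
    for this scan, not for a viewer)."""
    data = zlib.compress(content) if compress else content
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.4\n4 0 obj\n<< " + filt + b"/Length "
            + str(len(data)).encode() + b" >>\nstream\n" + data
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    pdf = build_sample(CONTENT, compress=True)
    print(leaked_terms(pdf, ["Jane Doe", "1234-5678", "Kuala Lumpur"]))
```

Any term this returns is still in the file, whatever the page looks like on screen.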
Obfuscating Passwords Using Asterisks
A quick note regarding asterisk obfuscation: it’s crucial that you complete your login process and not leave it unattended halfway — don’t assume it’s safe just because the password is censored.
Revealing password is as simple as editing HTML code in client browser
I’ve managed to find this flaw in KWSP’s EPF login page — bypassing the censorship by simply editing a simple HTML line. There are also times when I can retrieve censored passwords by simply copying them to my clipboard and pasting them somewhere else.
Maybank’s login system is harder to bypass
Fortunately, Maybank’s login page has implemented security measures against this — implementing some form of encryption and randomly generated UUID upon every keypress. They even restrict right-clicks on the webpage and any password manager’s autocomplete system.
I have yet to try it out on the other banking portals.
Recovering Cropped Screenshots
Another form of censorship is to remove entire sections by simply cropping the image. This, unfortunately, is not entirely safe either.
Pro geo-guesser discovers more un-cropped image data in RAW file. Source: RainBolt
As it turns out, you could un-crop JPEG files as well.
The Acropalypse is a vulnerability discovered in 2023, allowing users to view an un-cropped version of screenshots captured using several variants of Google Pixel phones.
In 2018, the new version of Android (Pie) was released, and the phones received a new screenshot editor called Markup. It took years for the issue to be brought up after a user found it strange that a cropped image had an abnormally large file size, which led to the discovery. A patch was released on March 13 to fix it.
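The abnormally large file size is something you can test for before sharing a cropped screenshot: a PNG ends at its IEND chunk, so any bytes stored after it are leftovers. The check below is an added example, not the tooling of the original researchers; it assumes PNG screenshots, and the sample images and the way the leftover tail is simulated are constructed.

```python
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(kind, payload):
    """Serialise one PNG chunk: length, type, data, CRC over type + data."""
    crc = zlib.crc32(kind + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + kind + payload + struct.pack(">I", crc)


def make_png(width, height):
    """Constructed sample: a valid 8-bit greyscale PNG filled with noise."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = []
    for y in range(height):
        noise = hashlib.sha256(bytes([y])).digest() * (width // 32 + 1)
        rows.append(b"\x00" + noise[:width])  # filter type 0, then the pixels
    idat = zlib.compress(b"".join(rows))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def trailing_after_iend(data):
    """Return how many bytes are stored after the IEND chunk (0 if clean)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        stored_crc, = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF != stored_crc:
            raise ValueError("bad CRC in chunk %r" % kind)
        pos = end
        if kind == b"IEND":
            return len(data) - pos
    raise ValueError("no IEND chunk found")


if __name__ == "__main__":
    original = make_png(64, 64)   # the full screenshot
    cropped = make_png(8, 8)      # what the editor meant to save
    # Simulated symptom (an assumption of this sketch): the smaller file is
    # written over the start of the larger one and the old tail is left behind.
    leaky = cropped + original[len(cropped):]
    for name, blob in (("cropped", cropped), ("leaky", leaky)):
        print(name, len(blob), "bytes,", trailing_after_iend(blob), "after IEND")
```

A non-zero result means the file carries data a viewer never shows; re-export the image rather than sharing it as it is.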
You can try un-cropping the affected photos yourself by using the free tools here:
The Proper Way of Redaction
Given the vulnerabilities in document redaction, how should we go about properly redacting documents and images then?
Personally, I think the best resources come from the Legal & Defence sectors because information redaction is integral to their operations.
But here are some key ideas I’ve managed to capture:
Sample of proper redaction techniques
- Replace sensitive text with “[redacted]”.
Firstly, replacing the text entirely obfuscates the length of the redacted text, while you can guesstimate the length of the redacted text using black bars. Plus, replacing the text entirely is less likely to result in user error, unlike black boxes which could go either way.
- Use Adobe Acrobat’s built-in redaction tool properly.
Adobe currently dominates the market, reportedly holding 76.85% of the share in 2021 — and frankly, it is good enough for the job. Personally, I use PDFGear, which is fine as long as you use the appropriate features and tools for redaction.
- Utilise image and file compression, size-reducers.
Not only does this remove hidden metadata that might compromise any redaction efforts, but it also removes unnecessary bloat that makes sharing files easier. I personally use Clop for asset compression, but do note that it does not remove all metadata from the files.
- Make the extra effort for truly sensitive data.
This involves printing out the PDF, physically cutting out sensitive portions, and re-scanning the document in 2-bit colour format (pure black & white). Apparently, a US court says that this method is 100% effective, despite the disclaimer that they do not explicitly support any specific redaction methods.
- Password protect files/links.
Passwords help ensure that your redacted documents end up with the right person. To take one step further, make varied passwords for the different recipients, so that if a document were to be compromised, there is a chance that it can be traced back to a particular leaker.
- Develop a system to manage unredacted original files.
All your redaction efforts would be wasted if bad actors got a hold of the source files, or, god forbid, you shared them publicly by mistake. There are ways around this, such as having proper file naming structures or having encrypted hard drives — but these are materials for future articles.
Writer’s Note
With that, thanks for reading my second article from De-Code!
So far I’ve just been writing tech explanations, but do expect some variation in content as I’ve just secured a few interviews with subject-matter experts next week.
For now, I’m aiming to adhere to a weekly publishing schedule. I will also loop in a colleague of mine in the near future.
August 8, 2024
An Entrepreneur’s Guide to Effective Time-Tracking
A good tool improves the way you work. A great tool improves the way you think.
- Jeff Duntemann
Maybe you’ve heard of time-tracking tools; perhaps you’ve even tried a couple. Today, we’re taking a closer look at the benefits, the challenges, and how anyone can find a system that works for them.
Why You Should Time Track
A quick Google search reveals dozens of time-tracking solutions on the market. When I started my time-tracking journey, it was difficult to choose between the various features and price points.
Fortunately, understanding your purpose for time-tracking will help narrow down your options.
Certain Industries Require It
Fields like consulting, legal, and freelancing could not operate without tracked hours. Man-days and billable hours are units of measurable effort, making it a vital part of revenue generation.
These tools are tailored for enterprise use and might not be ideal for personal productivity. However, they can be cost-effective since employers often cover subscription costs.
Look for tools with:
- Team & Role Management: Efficiently manage team roles and assignments.
- Corporate Dashboard: Get an overview of all time-tracking data in one place.
- Tool Integration: Sync with your work calendar and phone call log for seamless tracking.
Combat Procrastination by Injecting Awareness
I found a study suggesting that users who tracked unproductive time became measurably more productive after eight weeks. Conversely, those who tracked productive time showed no difference whatsoever.
The study also stresses the importance of having an ambient widget displaying time spent procrastinating, which significantly limits total procrastination time.
Each glance at the timer prompts us to ask ourselves, “Is this how I want to spend my time?”
- Easy Access: Multi-platform availability, including lock screen and Siri control.
- Constant Preview: Widgets or menu bars that keep your data in view.
- Great UI/UX: User-friendly interface, often with tactile feedback.
Strategic Data Insights
We humans are poor at judging the passing of time. In fact, emotional factors play a more significant role in the perception of time than relying on our “internal clock.”
Personally, I’m surprised that I spent 25 hours a week commuting, translating to more than three hours of commute a day. Having objective data helps us make more informed decisions, such as deciding to leave the house earlier to avoid traffic or loading an educational podcast to increase the quality of time spent commuting.
Features to consider:
- Automatic Time-Tracking: Reduced friction in time logging.
- CSV Export: Easily export data for in-depth analysis.
- Data Visualization: Clear and insightful visual representations of your time usage.
- Tagging and Organization: Better categorization and sorting of tasks.
- Email Reporting: Regular updates and reports sent directly to your inbox.
Avoid the Feeling of Being Stuck in Life
You could spend an entire day working and putting out fires but still feel like you haven’t made any progress. Does this sound familiar?
The evidence is anecdotal, but I strongly believe that it’s because we spend significant time and resources on urgent/important tasks and urgent/non-important tasks.
This leaves many non-urgent/important tasks in the backlog, but these are usually items that reduce your need for fire-fighting in the first place.
Feeling stuck in life represents a discrepancy between our priorities in life and the actual time spent on them, and time-tracking can help us be objective in this regard.
This is where time-tracking comes into play — it provides an objective metric that highlights the discrepancy between perceived priorities and actual commitment to them.
Why Time Tracking Is Difficult
Time tracking is a notoriously hard habit to cultivate. I have personally tried my hand at it several times, jumping between various solutions before I settled on a system that works consistently.
Here are the common roadblocks I’ve encountered:
1. It Requires Constant Awareness
Time tracking shouldn’t be mistaken for time blocking. Time blocking pre-plans for the future, while time tracking governs the present and past. Time blocking is a 20-minute endeavour of populating calendars with blocks of time, assigning each hour to a particular purpose. Time tracking, however, requires consistent awareness and upkeep to maintain.
Solution: Having tools of awareness (via widgets) and the ability to quickly switch timers with as few motions and clicks as possible is crucial.
2. Intrusiveness Resulting in Inconsistency
Time tracking is undeniably disruptive to your flow. Imagine being motivated to hit the ground running, only to be hindered by the need to start a timer.
It’s inevitable to forget logging your time throughout the day, and that’s okay. Between the time logging and deep work trade-off, it always pays to favour deep work.
Solution: Features that make adjusting and adding time entries convenient.
3. Negative Perception
Time tracking has a bad reputation, and some of my peers were surprised that I attempted this endeavour in the first place. It’s often viewed as micromanagement and becomes an added burden, especially if I’m already under high stress and overloaded with work — even if starting timers takes just two taps.
The same Penn State University study cited above also reveals higher degrees of stress despite the higher degrees of productivity associated with time tracking.
Additionally, there’s a lack of immediate benefits — trend data becomes meaningful months down the road. Overcoming the initial bumps requires persistence, and the absence of immediate rewards can be demotivating.
Solution: Being constantly reminded of the purpose of time tracking, especially from others who have successfully cultivated the habit, can be motivating. For me, it’s been motivational hearing from CGPGrey and Mike Hurley on the Cortex Podcast.
ATracker — De-code’s time tracker of choice
For readers who want a quick TL;DR, I use ATracker, which is available on iOS, watchOS, and Android devices. ATracker is quite an underrated tool in the market, packing many features that I find relevant despite its under-the-radar reputation.
No Real Need for Time-Tracking on Laptop Devices
I wear my Apple Watch frequently throughout the day, making timer switching less disruptive than switching in and out of timer applications on my laptop.
Always in View
Time tracked is always up-to-date & visible
ATracker has a decent large-sized complication for my Modular Watchface, letting me know the timer name, duration, and start time — the only three pieces of information I need to make an informed decision. It may seem trivial, but other apps overcomplicate their displays with the separation of projects and descriptions and various icons, which is more distracting than helpful.
ATracker also has great “Live Activities” and “Dynamic Island” functionality, which means that my timers are always in view whenever I view notifications and use my phone. It’s a healthy nudge and reminder whenever I browse Reddit on my phone for too long.
Its Speed Is Unmatched
Comparing Timery/Toggl with ATracker
ATracker uses a local-first-then-sync methodology — this means that switching timers is practically instantaneous. This is different from apps that require internet connectivity (sorry Toggl), which means that I had to wait a few seconds for my new timer to reflect before I could confidently look away from my phone/watch. Because of its reliance on the internet, timer switching is impossible overseas and slow when I’m without Wi-Fi in places without a strong 5G connection.
Because ATracker is local-first, I am also extremely confident that the timer displayed on the widgets, Live Activities, and Dynamic Island are all up to date — in contrast to internet-reliant options where these displays only refresh every 15 minutes to conserve battery life.
ATracker’s Entry Editing Screen
I also like how incredibly easy it is to adjust start and end times using time intervals and the “last,” “Now,” and “fill gap” buttons.
I Like Their Monetisation Policies
ATracker Pricing Tiers
There’s no real reason to upgrade to the paid version of ATracker. The free version comes with all the features that make the app great to use.
I paid for the Pro version, which removes ads from the app (the display banner kind, which is less disruptive than the skip-after-five-seconds type), offers unlimited tasks (the free version comes with five, which is sufficient for most people), CSV exports, and the ability to add notes to task entries. The Pro version is a one-time purchase that costs about £5 or $6.
There is a subscription tier that I find unnecessary for my use case. It syncs your time-tracking with other devices (you can bypass it using the built-in Dropbox feature), allows access to your data from the web, and offers unlimited tags and goals. It costs about £25/yr or $30.
Other Bells and Whistles
The app comes with a great tagging and goal system, which replaces the “client” and “habits” available in other apps, both of which are trackable within the reports tab.
Comparisons between Calendar and Time Blocks
It is also the only app I’ve found so far that makes full use of the horizontal and vertical rows of my phone screen space — with the vertical axis being the hours and the horizontal axis being the minutes in said hour. A quick glance at the colours on screen is a good way of telling how much time is spent on a given day. This is different from a typical calendar, where a short 15-minute duration is just a tiny sliver on screen.
In fact, I find ATracker’s report functionality relatively more robust than other tools I found — you can easily filter reports by duration, date, tasks, tags, and goals. Another cool feature I rarely find elsewhere is the ability to track occurrences in addition to duration captured — which is great for users who want to track, say, how many times they spent reviewing emails a day.
Minor Complaints
The homescreen widget is, albeit ugly, functional and straightforward to use. But it could make better use of the dead space, and the design feels somewhat underdeveloped.
I also dislike how clicking on the widget doesn’t change timers immediately and instead opens up the app. It doesn’t even automatically direct you to the “Today” tab if you were on another tab previously.
Live activities are unclear and confusing
Additionally, I feel that the Dynamic Island is too narrow to include the full task name, and it could make do with a coloured icon rather than a white one.
But these are ultimately minor complaints compared to the immense value that the app brings.
A Note About: Automatic vs Manual Time-Tracking
Most of the time-tracking apps I’ve come across fall into one of two categories: automatic and manual time-tracking. While they appear deceptively similar, they serve different purposes.
Automatic Time-Tracking
Geared Towards Enterprises: Automatic time-tracking tools are often designed with billing features and have enterprise pricing. The design philosophy also leans more towards accuracy rather than intentionality, which is more relevant for corporations than for personal productivity.
They tend to be more expensive compared to manual tracking tools, even for personal plans. This is expected, considering the time and effort spent designing the app.
Restricted to Laptop Devices: Automatic time tracking is generally limited to laptop devices, which can make tracking time outside the device difficult. This makes sense, as automatic trackers rely on capturing window titles and apps opened.
The only exception I found is the Timing app, which allows you to track time on your phone via Apple’s built-in Screen Time functionality. However, time spent shopping, eating, or working out still needs to be entered manually.
Reduced Friction: Automatic time-tracking is designed to reduce the friction of capturing data by automating it entirely. However, this can somewhat defeat a significant purpose of manual time-tracking, which is to externalise intent.
Data Privacy: I personally trust many of the reputable solutions providers to use and store my data responsibly. However, it doesn’t change the fact that automatic time-tracking requires extensive permissions to review running apps and, in some rare instances, capture screenshots and analyse content on screen. This invasive nature can put off many people.
Why I Prefer Manual Time-Tracking
24-hour Time Tracking: Manual time-tracking is more suited for 24-hour tracking as it is built with accessible widgets, Siri support, and other advanced macOS functionality in mind.
A good time-tracking system should always be present, blend into the background, but be accessible and convenient when you want to use it. It should display relevant data quickly and easily whenever needed.
It Forces You to Review the Data: With automated time-tracking, I often forgot that the timer is actually running — making it unlikely that I open the app, let alone review the reports. Tools like Rize.io circumvent this by sending daily emails to your inbox or occasionally invasive notifications that take up a quarter of the screen, but this also disrupts the flow of work.
Manual time-tracking makes reviewing time spent a frequent part of my daily routine — and with ATracker, it’s baked into the same screen as my list of timers.
Granular Control: Manual time-tracking provides more granular control over how you categorise time. For instance, Rize.io has a pretty good idea of what apps and websites are designated for what purpose — Canva is for design, and Steam is for gaming. But this also forces the user to adopt the app’s philosophy of how to categorise apps. For instance, Google Sheets can be used to both budget a holiday trip or manage company expenses.
Should it be categorised under work or personal? By default, it will categorise under “productivity” or “spreadsheeting,” but these are not the categories you’d like captured. By the time you’ve customised the rules for automation according to your needs, you’ll often find it much easier to just time-track manually.
How I Structure My Time-Tracking
There are no fixed ways of tracking time, and it ultimately boils down to personal preferences and circumstances.
For freelancers, it makes sense to track only working hours and segregate them based on projects and tasks, making it easier to bill clients. For beginners, it might be as simple as having four timers — personal, work, travel, and rest.
Personally, the way I time-track is inspired by David Sparks from MacSparky and the Mac Power Users podcast. He builds his to-do list system around the idea of arete, an ancient Greek term describing excellence within purpose and function. In non-fancy terms, it means separating tasks based on roles in life, and I adopted his methodology for time-tracking instead.
My personal time-tracking categories
Each task in ATracker is named after a role I adopt in life — such as being a department manager, creator of this newsletter, or becoming a HealthyGamer coach. I bundle all daily upkeep activities such as eating, bathing, and cleaning the house under maintenance. Transition refers to dead time between two tasks, such as grabbing coffee or a bathroom break. The rest is pretty self-explanatory.
Each task is given a tag (or client), with the key idea being “Who is this for?” Tasks can be for myself, others, work, or Death. I like the idea of assigning procrastination time to Death because it’s a great reminder of our mortality and how we should spend our time focusing on important things.
I then review my tracked time every week and make observations and strategic adjustments from there.
General Tips
As someone who gave up time-tracking several times, I wish I had known the following facts sooner.
It Is Not the Absolute Data That Matters — It’s the Trends
I had a grand narrative that I told myself: Look at how productive and busy I am! I essentially work three jobs but still manage to exercise and spend quality time with my partner. I’ve essentially min-maxed my life!
The first week of time tracking showed me that I’ve been living a lie — and I’ve contributed a quarter of my waking moments to death. No doubt it is shameful, discouraging, and very tempting to quit time-tracking there and then. But it’s important to realise that crafting a narrative on how I spend my time is a moral judgement.
Like any moral judgement, it has nothing to do with objective data, so it’s best to leave it out of the picture. It’s impossible to eradicate death time entirely, but it is possible to reduce it — and that became my goal. So far, I’ve managed to reduce death time from 25% to 20%, and there’s plenty of room to optimise.
But overall, I’m quite happy to have tracked my time. These are ultimately tools of truth, and truth can be very hard to face. But there is value in confronting them.
It’s Okay to Hit a Hard Reset
There is no such thing as loyalty to a particular time-tracking tool. Unlike task management apps, which come with a high cost of platform switching, it doesn’t take much effort to set up new categories when migrating time-tracking apps.
Many paid subscriptions come with a trial period that I encourage everyone to try. In fact, it might be harder to switch time-tracking tools after accumulating months’ worth of data.
Quick Thoughts on Alternate Apps
This is by far the industry standard, and it is an app that I would recommend to anyone interested in time-tracking, both veterans and beginners. However, a recent trip to a rural island without internet connections has tainted my perspective on internet-reliant time-tracking.
Having inaccurate timers on widgets and watch complications is a disruptive experience, and my Apple Watch refuses to switch timers without my phone nearby.
I believe Timing is a great app that has done well in blending both automatic and manual time-tracking. I especially like how you can establish nested sub-projects and assign a productivity score to each.
My biggest gripe is with its expensive subscription — which shouldn’t be an issue if you are an existing Setapp subscriber. It’s simply not worth it to subscribe to Timing on the official site because it costs just as much on Setapp.
It’s an automatic time-tracking app that I’ve used for the longest time but also interacted with the least. It has nothing to do with the app and more to do with my priorities as a user — but I never bothered reading the daily reports sent to my inbox or reviewing my tracked time …because the tracking is done entirely automatically.
Additionally, the high price point and the lack of an iOS app are what pushed me away from using Rize.io.
Timelines is now CGPGrey’s tool of choice since moving away from Timery/Toggl. I’ve tried it, hated how clunky it is, disliked its subscription model — and found ATracker, which is a better version of Timelines in every way for my use case. Sorry, Grey.
This is by far the closest contender to ATracker that I came across. It’s a good blend of automatic and manual time-tracking, offline tracking, a one-time purchase business model, has watchOS support, and has great accessibility and reporting tools. It does concern me that the macOS version hasn’t seen an update in almost a year, but the iOS version is seeing more frequent updates. It does cost around $50 to obtain both the iOS and macOS versions, and I will be experimenting with it in the months to come once I’ve saved up enough.
Writer’s Note
Welcome to the first-ever article from De-code! I’ve settled on time-tracking because it’s a topic that I’ve been asked about a lot by peers and friends.
Do comment down below and let me know your thoughts on time-tracking. Here’s a share button if you know someone who would benefit from reading this article.
August 1, 2024
How Russian Technology Can Build Malaysia’s Digital Sovereignty
The pandemic saw Malaysian companies scrambling to move their
communication towards the cloud, using Microsoft Teams, Zoom, Google
Workspace and so on. Five years later, workers are now back in offices,
but the new systems and policies remain in place — perhaps out of
convenience, improved productivity or sunk cost.
What’s less talked about are the cybersecurity risks we’ve inherited
along the way. Amidst the manic push towards technological adoption,
Malaysian companies are now falling victim to newfound threats that they
are not fully equipped to prevent.
Enterprise communication tools are a popular attack vector used by
bad actors due to the diverse online channels adopted by companies. A
2023 survey by TechTarget’s
Enterprise Strategy Group showed that 85% of organisations approve
the employee use of six or more enterprise communication tools, with 35%
approving 11 tools or more. Each of these tools represents a potential
point of vulnerability, such as phishing attacks, employees mistakenly
downloading malicious software, or bad actors covertly monitoring
communications.
Even with the most stringent of policies, the weakest link could lie
in solutions outside the organisation’s control. Platforms like Zoom,
Microsoft Teams and Google Suite constantly have vulnerabilities
exposed, sometimes taking multiple weeks to fix, during which the
vulnerability had been sufficiently exploited.
As a result, 70%
of companies surveyed by PIKOM in 2024 were victims of cyber
breaches over the past three years. Netherlands-based cybersecurity firm
Surfshark cites Malaysia
as the 8th most breached country in Q3 2023, facing a 144% increase
in breach rates compared to the previous quarter alone.
Digital sovereignty is now a priority — where organisations have
authority over their data, infrastructure, and technology usage. Being
reliant on foreign servers to store and process data runs counter
to that.
Places such as the European Union, India, and China are gradually
tightening their Data Residency laws — requiring sensitive data to be
stored locally. Malaysia is expected to follow suit, especially with massive
investments into establishing data centres within the country.
Cybersecurity is part of the national agenda, and the Malaysian
government is welcoming solution providers from across the world. One so
happens to be from the Mecca of cybersecurity threats and defences.
Nestled in a corner of the CyberDSA 2024 conference held in Kuala Lumpur
is a booth by eXpress.ms, a Russian cybersecurity technology
provider, and their Malaysian partner, Gogopass Asia. Their solution aims
to solve a security gap torn open by our move towards cloud
communication channels.
Powering Communication for Russia’s Essential Services
eXpress.ms provides solutions that blend elements of enterprise
communications and resource planning.
In addition to emails, calendars and video conferencing, their
systems include human resources and project management tools — which
users can interact with via web browsers, mobile apps and AI chatbots.
Clients can even selectively combine relevant features into a super app,
and incorporate their own corporate branding.
At first glance, eXpress.ms appears to be a direct competitor to
players such as Zoom, Microsoft Teams and Google Suite. However, the
simple decision to prioritise security first and foremost has domino-ed
to the other aspects of the company — from product development to their
position in the market.
“Within the last three years, we have gained 80% [of the market
share] within the Russian government and markets. Our solution is being
used by the Presidential Administration of Russia, Federal Taxation
Service, and Federal Agency for Rail Transport. Our customers also
include Rosneft and Rosatom,” says eXpress.ms CEO Andrey Vratsky.
For context, Rosneft is the largest oil producer in Russia,
controlling over 40% of the country’s total oil production, while
Rosatom is a state corporation focused on nuclear energy, responsible
for 20% of Russia’s electricity production.
Building Walled Gardens for Corporations
eXpress.ms’ crown jewel is a proprietary internet protocol that
serves as the foundation that every other product sits upon.
The protocol allows servers to communicate with each other in a way
that’s harder to intercept compared to conventional public networks —
thus making these servers less attractive as a target.
eXpress.ms is also deployed on the client’s on-premises servers and
private clouds, to which eXpress.ms themselves have no access. This
forms a federation network that allows secure internal communication for
organisations that span multiple cities and regions — all of which are
controlled by the enterprise clients.
Despite the walled garden, the federation network can deploy ad hoc
guest servers to accommodate temporary contractors and customers,
which will be erased upon work completion.
eXpress.ms’ other security features are built on top of this federated
network.
Data is stored in crypto-containers which can be wiped remotely by an
administrator, preventing data theft from lost and stolen devices. Data
at rest and in transit are end-to-end encrypted. Server admins have both
broad-based and fine-tuned control, allowing them to determine high-level
and low-level security segments at will.
Sitting above this secured infrastructure are app features that we
have come to expect from enterprise communication software, such as file
transfers, screen sharing, integration with corporate telephony systems
and so on.
Andrey explains that the company is built upon the idea of
sovereignty, a commitment so deep that eXpress.ms’ product suite is all
built from scratch — without dependencies on external libraries, open
source or otherwise.
“Since the end of the 2000s, public cloud servers were the hype. The
cloud is easier, cheaper, and faster, and demand peaked until around
three years ago,” says Andrey.
“Now, we see the trend reversing because organisations care more
about security and data storage. Governments are worried about data
sovereignty and wish to have their data stored locally within their
borders.”
“So, what does it mean to be digitally sovereign? It means you are
independent — not relying on foreign services, foreign clouds and so
on. Communication is an important part of digital sovereignty and
that’s the purpose for which eXpress.ms was built.”
The decision to avoid open-source dependencies is crucial to
eXpress.ms’ success.
To integrate into Russia’s Critical Infrastructure Facilities,
authorities require solution providers to obtain the FSTEC (Federal
Service for Technical and Export Control) certification. Without the
certification, it’s impossible to operate in sectors such as banking,
telecommunications, healthcare, energy, and nuclear power.
To qualify for the certification, the source code undergoes stringent
reviews by independent testing centres for potential back doors that
allow data to be transferred or altered without permission. That
minimises risks of espionage — an aspect Russia is known to be cautious
of.
“Every comma [and] every symbol of your source code is checked. That
is the only way to obtain the certificate, and you cannot do this with
open-source code. This is also why eXpress.ms is absolutely secure,”
says Andrey.
Solving a Gap in the Market
Before eXpress.ms, Andrey had worked for one of the largest system
integrators in the country.
“I had a 15-year career in the industry, and became the vice
president of sales. We were one of the largest Microsoft partners in
Russia at the time, and I sold more than a billion American dollars
worth of licences across 11 years,” he shares.
“However, I always wanted to start something of my own — to create
something, and not just be a reseller. At the time, we wanted a secure
enterprise communication suite for ourselves, but we couldn’t find such
a product on the market. That’s when I decided to build one of my
own.”
“We launched a minimum viable product with just chat and video
conferencing — and slowly, we added features and connected to internal
services such as Oracle, SAP and so on.”
eXpress.ms is eight years old at the time of writing, but it took
them five years to develop the minimum viable product. Within three
years of commercialisation, they’ve commanded a considerable part of the
Russian market. Now, they are setting their sights overseas.
Andrey explains that Malaysia has several factors that make it an
attractive market to tackle for a company like eXpress.ms.
“First of all, we look at the country’s relation to Russia. The
second thing is the size and structure of the country. Compared to
Indonesia, although it has a larger population, the infrastructure is
less structured,” he explains.
“Finally, it is about demand for the product. Some countries, they
may have a large population, they may be organised, but perhaps they
don’t prioritise cybersecurity. Malaysia is open to adopting Russian
technologies, is organised from top to bottom, and checks all these
boxes.”
Andrey concludes that Malaysia is a strategic hub for eXpress.ms’
future activities, and will play a key role in their efforts to expand
into the global market.