Terminally Incoherent

Usually when I’m trying to decide whether an application is worth downloading, one of the first places I go to is the Screenshots link. I noticed that I’m disappointed when I can’t find any on a project page. In fact, it is very unlikely that I will download something without seeing a screenshot. Even if it is a console app. Even if it is a plugin of some sort. I want to see how it looks!

I’m not the only one who does this. In fact, I think most people act this way. Regardless of the nature of the application and the way it functions - we want to see it. Sometimes it can get out of hand.

Why is that? Why do we always want to see a picture before we download and install something? I guess we are visual beasts by nature. We respond better to visual stimuli than to lengthly descriptions. We even have a saying that explains this: “a picture is worth a thousand words”. You can write a lengthy essay about the features of your application, and I could read it 50 times and still not be sure if I like it or not. But it will take just one look at the screenshot for me to decide if I hate your app, or if I’m interested in it.

A screenshot is as close to a live demo as you can get without wasting my time and bandwidth or your resources. Sure, you could put a long flash screencast illustrating the functionality of your application, but who want’s to sit through the whole thing and listen to the sales pitch?

You could create a flash mock-up that mimics the functionality of your application, but that’s a whole side project in itself. And every minute you spend coding and debugging it, is a minute you don’t spend on improving your actual project.

If your project is a web application, you could provide an open demo, but then you have to host it and either lock it down or moderate it, unless you want it to be spammed, or flooded with offensive material.

Screenshots are the simplest, fastest and most direct way you can show us the functionality and features of your application. Even if it is a console app. Even if it just displays text and has no discernible GUI. I still want to see how the output will look on the screen. If you don’t post them, one of two things will happen:

1. If your application is relatively unknown, lack of screenshots will alienate new users. They will stop on your site, look for the link to the pictures, and if they don’t find it they will likely move on without ever downloading anything
2. If you get linked by someone, dugg or just build steady user base, your email inbox and bug tracking system will fill up with screenshot requests.

There is just no reason to avoid posting them. It only takes few seconds of your time to create them, and for one reason or another, the users will be grateful.

Quick announcement for anyone who is interested. I just took up a position as an Adjunct Professor at Montclair State University and will be teaching two undergraduate Fluency in Technology classes in September. This is in addition to my full time job, but I’m not worried.

The way it works out, I only have to do this 2 nights a week and it won’t interfere with my normal work schedule. I can totally pull that off, and still have time to goof off. And having some extra money never hurts.

In fact I should be able to spend more time on preparation than when I was doing this as a graduate assistant. Back then I was teaching this class, working part time off campus, taking classes as a full time graduate student, doing TA work (grading and etc) for another professor, and writing my thesis. This time around I won’t have classes, thesis or TA responsibilities to worry about.

So what does this mean for the blog? You may expect to see a return of “Only at Montclair State” and “LOL MSU” type rants. If you don’t know what I mean go over and read some of the posts by Miloš - he tends to churn those out regularly.

I have always said that the biggest problem with Windows security is that everyone is running as an Admin by default. I never really preached the LUA principle on Windows machines though. Unfortunately, I’m guilty of using an account with administrative privileges for my day to day stuff too. In fact I have been running windows boxen with Admin rights for years. So I can I really advise or recommend it to anyone if I haven’t tried it? I decided to put my money where my mouth is and try to live in the XP Home environment as a “Limited User” for a little while. I figured that if I can do it, it will give me the right to get on my high horse, and preach LUA to everyone around. This post is sort of a wrap up, describing my week long experience.

Installing software, and performing administrative tasks as a limited user is not a big problem. At least not as big as I expected. There are many tools out there that help you to temporarily elevate your privileges so that you don’t have to log out and log in as a different user to accomplish something. For example I used LaunchAdmin to open up terminal windows, and control panel with appropriate privileges which was working relatively well for a while. And I have to say, I didn’t really have many issues installing software or tweaking my system configuration this way.

But there was a problem I could not solve. You see, I’m a lazy bum. I do not like to do tedious administrative tasks such as downloading and installing patches. I schedule that stuff to occur when I’m asleep, or at work. When I come back home, I want my machine all to myself. I don’t want it wasting cycles on updates, I don’t want to be prompted to reboot. That shit is supposed to be done when I’m not around.

Unfortunately, automatic windows update does not work if you are a limited user. Neither does the McAfee auto update feature - or at least not every time, because some updates require write access to the Program Files folder. So the only reliable way to update your system is to switch to administrative account, and run manual updates on all the software that usually updates itself automatically. There is no real way to schedule these things to run with elevated user privileges.

Oh, and did I mention that the only way to run Windows Update manually is by logging in as Admin? Apparently, by design, the update system requires the current user to be an administrator. You can’t use the Run As feature, and by extension most of the tools mentioned above. It also seems to have issues when you elevate your privileges using the MakeMeAdmin script which is what LaunchAdmin was using.

I don’t want to do system and AV updates manually. It is a waste of my productive time and an annoyance. I tend to procrastinate and forget about things like that. And so, I will sooner or later end up with a system that is un-patched, and behind on anti virus updates.

For me, this whole experiment boils down to a simple choice. Do you want:

1. A patched system, with up-to-date AV, running as Admin
2. An un-patched system, with outdated AV running as Limited User

On one hand, this may seem like a fair trade-off, especially considering the fact that running as Limited User makes you inherently more secure. So perhaps keeping your system up to date is not that important when you are not running as Admin on regular basis. Or is it?

As I said earlier - I have been running as Admin for years. The only time I got 0wned was back in 99 when the CIH virus totally destroyed my Win 95 machine. It overwrote my MBR, and messed up the BIOS making the machine completely unusable. And guess what - I didn’t have any backup plan in place back then. So in a blink of an eye I lost everything, and ended up with an unresponsive, unusable piece of junk on my desk.

That was my big wakeup call. Ever since then I have been anal about security, and extremely careful of what I run on my machine. In over 8 years now I haven’t been infected by a single virus, or contracted a single piece of spyware. Looking back at that track record, its fairly obvious that the chances of me catching some random piece of malware that requires Admin privileges to install itself is fairly low. Good instincts, browsing habits and software choices can and will protect you from most of the malicious crap out there.

Of course, at one point or another I will get exposed to some sort of malware. However, that if the creators of this thing are smart enough to trick me into running it on my machine, they are also smart enough to use one of the numerous privilege elevation hacks that are out there. And if the do, it won’t really matter if I run as Admin or not. I’ll get owned anyway.

At least with an up-to-date system, there is a hope that whatever security hole the attacker chooses to use was already patched, or that my AV can detect and stop the attack.

So, will I be continuing to run as Limited User? Nope. I switched back to Admin. While there are good reasons to run with LUA, the security gain for a power user like me is not big enough to make up for all the annoyances, and all the hoops you have to jump through to perform normal day-to-day activities. And I’m actually concerned that because of my laziness, and procrastination running as non-admin would effectively lower my systems security instead of increasing it.

I hear Vista is actually a little bit better about this with it’s new security access model. But I’m not switching yet. I’ll wait till after they release Service Pack 1, and DirectX 10 becomes ubiquitous till I even entertain the thought of purchasing a Vista OEM with a new gaming computer.

In April I posted a crazy clip from some Korean animation. Here is a quick side question - is Korean animation still considered anime, or is that name reserved solely for Japanise productions? Honestly, I don’t know!

Either way, I managed to track down and identify that movie. It is called Achi and Ssispak (or Achi-wa Ssipak). If you google it, you will find quite a few other clips from that movie on Youtube. I’d recommend staying clear of the official website unless you like to be assaulted by criminal amount of flash, and javascript - including poppups, dynamically resizing windows (ie, the onHover action is to move and resize the window), and etc.

I haven’t written a review in a while, so:

Apparently a subtitled DVD of this movie is currently available in US. You can order a copy for around $33. But I guess I should mention that this video is out there *cough*tv-links*cough* and the quality is decent (hosted at DivX Stage 6).

This is about the funniest thing I have seen on the interwebs in a while:

youtube link

My reflections on the video:

1. Fox News needs to LURK MOAR
2. Even Fox obeys rules 1 and 2
3. Hackers on Steroids on my /b/? LOMAO!
4. The Lulz Killer guy did not say enough memes. I was waiting for barrel roll, bringing back snacks and bell air. Such a waste.
5. That exploding car “demonstration” was priceless.

You got to love the overblown media sensationalism, over-exaggeration and unnecessary fear mongering. This is the proverbial “making a mountain out of a mole hill”. But then again, what else would you expect from Fox.

This is for my cousin Anetta who likes to store sensitive information in her head. While it’s sometimes good to commit crucial passwords to memory, good documentation is important. My memory is not that great - and I must admit that I’m a frequent user of the “I forgot my password” feature on online services. Documenting passwords and procedures for crucial systems is just a good practice, and a safety line. In case you forget, you can always fall back on your notes.

But how do we prevent other people from snooping at your security sensitive notes? One way is to encrypt them. One of the best known, and highly recommended free encryption tools is TrueCrypt. Below I will walk you through installing it, and creating an encrypted volume that you can use to store sensitive data.

Installation is very simple - in fact, it is a one click deal that Jeff Artwood would love:

Granted, there is a lot of text to read there, and quite a few buttons, but in the end all you have to do is to hit Install and then Exit.

We have TrueCrypt installed so lets create our encrypted volume that we will use to store our sensitive data. Open up the tool and hit Create Volume.

On the next screen choose Create Standard TrueCrypt Volume:

Now let’s choose where do we want to locate our file. Choose Select File:

You can choose any file you want to be your TrueCrypt volume. I chose not to overwrite any existing files, but to create brand new one. If your goal is hiding data, you want to pick a mundane sounding name that no one would be interested in. I chose “Quaterly TPS Report Summary.xls”. I mean who wants to read about TPS reports [PDF Link]? Most people will stay clear of that file.

Once you choose the file name, click Next. I’ll skip that screenshot and more right along to our next screen. Here you choose your encryption and hashing algorithms:

AES is currently the national government standard, so it should be good enough for our purposes. Just leave the default settings on this page and hit next.

One slightly annoying limitation of TrueCrypt is that you need to specify the size of the file ahead of time. This is because all the free space on your volume will be filled out with random noise, and included in the ciphertext. From cryptographic point of view, this is a good thing. From the user’s standpoint, not so much - but that’s just how it works. Note that it is a good idea to choose a reasonable size for the type of the file you are employing if you intend to hide data. I arbitrarily chose 100 MB - but this size may be a dead giveaway for someone snooping around in my file system. How many 100MB excel files have you seen lately? Keep that in mind!

Next you will be prompted to enter the password - or passphrase. I probably do not have to remind you that this is by and far the most crucial step of the process. If your password is weak, and easily guessed, then all the encryption in the world won’t help you. TrueCrypt recommends a 20+ character pass phrase - a short sentence for example. But watch for dictionary words and names.

The FAT filesy stem is good enough for our purposes. If you plan storing big files (over 2GB) switch it to NTFS. Otherwise leave as default and hit Format. You might need to move your mouse around a bit to generate some randomized data that will be used as seed for the encryption algorithm.

That’s it - you are done. Just hit OK and then Exit and you are free to use your file. Let’s check it out up close - it looks like a regular excel file:

Of course if someone tries to open it, the file will appear to be corrupted - a completely irrecoverable ASCII goblygook. They won’t be able to retrieve the data by using normal analysis tools, or making hexadecimal dump because of the encryption. So the worst that can happen to your file, is that someone will delete it thinking it got corrupted.

Let’s mount our file now. Go back to the main TrueCrypt screen and hit the Select File button:

Navigate to our TPS report file, and open it. Next we want to select a mount point - ie. a drive letter which will be associated with our volume. Pick a free one from your the list in the main program window:

I choose O, but you can pick any available drive. When ready, hit Mount and type in your password at the prompt:

If you peek in My Computer you should see a brand new drive sitting there.

The encryption is completely transparent for the end user. You can interact with this drive as you would with any other hard drive. You can copy files to and from it, edit them in place and etc. When you are done editing your secret files, simply Dismount the drive:

Best part is that you can move your TPS Report workseet within the file system. You can even dump it onto a flash memory and take it with you. Whenever you need it back, just open up TrueCrypt again, and mount it from the new location.

In Part 2 I will show you how to encrypt your data using Stegonography - hiding information, within other information. In other words, with the Stego approach the nosy intruder rummaging through your files will be able to open our TPS Report worksheet and inspect it without ever noticing that it is actually an encrypted volume.

I recently got Covad ADSL to act as a backup internet connection. Comcast is fast, and cheap, but not always reliable, and I hate to have downtimes because of them. By default Covad gives you a Netopia-3000 which is a classic all-in-one piece of crap. It is a router, wireless access point and a DSL modem all rolled up into cheep bluish plastic case.

By default the device is set up like this:

1. Enabled NAT with DHCP
2. Enabled open Wifi
3. Blocking all Inbound Traffic

This was exactly the opposite of what I needed. I simply need a DSL modem to sit outside my Sonicwall TZ170. All I really want is a piece of hardware that can translate the DSL moonspeak into proper Ethernet signals that the firewall will understand. I looked around but I couldn’t find good tutorials on how to accomplish this so I decided to make my own.

First you will need to configure the Netopia router. So connect it to any computer, and pull up the web interface at 192.168.1.1. By default both the username and password are admin. Don’t forget to change that!

First navigate to Advanced Configurations and choose Internet Security. We don’t want Netopia doing any kind of Firewall like stuff. This is what the Sonicwall is for and it does it much better. So check Allow Sever Hosting on this screen.

Next, got to NAT Applications, and choose OFF from the combo box. NAT is bad. We want the firewall to have direct access to the outside world - not sit on a NAT. You might be prompted to restart the router after you change this setting.. Once you log back in, this screen should look like this:

In LAN Setup un-check the DHCP option. This may or may not prompt you to restart the router again. You want your screen to look like this when you are done - just the Router IP and Subnet should be visible:

Finally, go to WAN Setup. Don’t touch the values of VPI and VCI. Make sure the Protocol is PPP over Ethernet LLC/SNAP. Set Bridging to Enabled.

This will definitely force you to reboot the router. After this you won’t have internet connectivity on that machine. That means it’s working. Your Netopia just became a DSL modem and you will need a PPPoE client to use it. Disconnect it from your machine, and plug it into the Sonicwall’s WAN port.

Get into your Sonicwall control panel, and open the Network section. There, choose NAT with PPPoE Client from the pull-down menu:

You should see an automatic popup window. If you are with Covad like me, you can safely ignore the General tab. It will be overwritten anyway. Switch to the PPPoE tab and enter your username and password.

You obtain them from your ISP - and no, they are not the same as the credentials you use to sign into covad.net. Both username and password fpr PPPoE are just random character strings composed of letters and numbers and some non-alphanumerics like @. Covad actually puts them on the packing slip that comes in the box with the router.

Be sure that you typed in your credentials correctly. As far as I could see there was no meaningful error messages if you get them wrong. You still get an IP, but there is no internet connectivity.

Once you get it set up, go get a cup of coffee. Sometimes it will take 2-3 minutes before the two devices figure out how to talk to each other. No clue why, but I was fighting with it for around 10 minutes, then got interrupted, went to do something else, and all of a sudden the internet “fixed itself” as I was told by a coworker.

So there it is. I hope it helps you, and spares you some unnecessary frustration.

If you own XP Home you are probably painfully aware of some of it’s limitations. The home edition of the OS for example won’t let you have a detailed file access control. The security tab where you can give or deny users permissions on given file or folder is simply missing from the properties dialog in this version.

Of course you can still modify file access permissions by using simple workarounds like:

1. Booting into Safe Mode
2. Using the cacls command on the command line
3. Using a 3rd party tool such as ACLView
4. Patching your system with a untested, unofficial patch.

None of this options is convenient, and the last one is particularly unsafe. While this patch does not have to be malicious, it’s just to easy to slip a rootkit into this type of system file patch.

Today I found yet another solution, while looking for something completely different. Someone at the MSFN forum simply noticed that you can cheat the system into thinking it is in safe mode by tweaking the registry, opted to create two reg files. First one to enable the security tab:

Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
"OptionValue"=dword:00000001

And another one to disable it:

Windows Registry Editor Version 5.00
 
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]

The change is instant, and does not require a restart. Why do you need to disable it? Because with that dword in place, your XP will be absolutely convinced that it is running in safe mode, and thus won’t let you run certain software, or perform any installations.

The problem with their solution is that you need to remember to click on the second reg file to restore your registry back to normal. So I decided to improve on it with a little shell script that will add that key, wait for you to finish your file access related tasks, and then remove the key before closing:

@echo off
echo 'Enabling Security Tab'
 
reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option /v OptionValue /t REG_DWORD /d 00000001
 
echo 'Please keep this window open while you use the tab. When done, follow the prompts on the screen.'
pause
 
reg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option /f

You simply run this batch script, then leave it open at the prompt, do what you have to do, then go back and hit enter. The key will be automatically removed as the script closes.

As you may have read, my windows box has suffered a hard drive failure after a power outage yesterday. Well, my machine is back - at least in a way. I’m running on a bare bones windows installation with just the antivirus, firewall and few other crucial applications such as Firefox.

I mentioned that Knoppix was able to access the drive without much problems. Windows was not as nice. The access was sketchy, and the system partition, which was the one I wanted to access was missing. After few tries I pulled it out, mounted my secondary drive, and closed the box up. I just didn’t feel like dealing with it. What exactly did I loose?

1. My Firefox Profile - I miss my familiar setup and my adblock filters which I’ve been tweaking for the last few years. Still, all my bookmarks are either in del.icio.us or in Google Notebook so nothing irrecoverable was really lost.
2. The whole MUGEN folder with the 50+ characters I downloaded. Oh well. I can re-download all this stuff, it will just take time.
3. Morrowind and HL2 saved games. While these are irreplaceable, I can live without them.
4. All the emails I pulled from my school email account over the last 2-3 years. Most of that stuff was mirrored on my laptop, and I don’t think I will need any of it any time soon.
5. Some applications that I obtained… Um… Let’s say, less then legally. I don’t think I ever bothered archiving the iso’s and installation files for these things

That’s about the extent of the damage.

I did learn that my backup strategy needs to be more robust. Because of my unique drive situation, I have been very diligent in backing up the failing drive. I’d usually back up my both drives to an external device twice a week using the Windows NTBackup software. Each time it was a full backup (not an incremental one) and because of space constraints, I would simply overwrite the previous file.

Of course, this plan has one big hole in it. What happens if the machine dies in the middle of a backup? Well, you end up with an unusable, corrupted file. Since Murphy’s Law never fails, this is exactly what happened to me. I thought I was ready, and I thought I was “doing it rite” but I guess I was not.

My new backup plan is:

1. Backup twice a week like before
2. Always keep at least 2 backups on the drive
3. Automatically delete the backup with the suffix _old from the drive
4. Rename the current backup with a suffix _old
5. If necessary get another external drive and start a weekly rotation
6. Check the integrity of backups at least once in a while

Fortunately my policy of keeping crucial data on non-system drive did pay off big time. This is the least amount of data I have ever lost in a critical failure of this magnitude.

I also learned that NTBackup does not like failing drives. I had an old backup from April stashed away somewhere, and it seemed to be in a pristine condition… Unfortunately I was unable to recover anything from the system partition. All the other drives and partitions were fine. Which just goes to show you that auditing the integrity of your backups is crucial even in home environment.

I decided to finally shell out some cash for a UPS. I saw small 1hr ones at Best Buy few days ago for $50. They seemed like a perfect size for your home desktop. This is another lesson that came out of this whole ordeal. If I had a working UPS underneath my desk, chances are the machine would do a graceful shutdown, perhaps extending the life of my drive few more months. Power surges, and hard reboots are definitely not healthy for your hardware.

Finally, I will never use a computer with just one hard drive, unless it’s a laptop. It is a security policy that prevents you from pulling hair, and murdering innocent bystanders in a fit of rage. That second hard drive is crucial to my mental health and I will always have one.

My primary HD on my Windows box finally died. We had a power outage when I was at work, and when I came back the machine would consistently boot into BSOD claiming that “boot drive is not mountable”. The drive was acting funky anyway, so this is not a huge surprise.

So the machine I use at home the most is temporarily out of commission till I reinstall windows on the new drive. In other words, I’m windowless for today, and probably tomorrow until I get everything back in order. Fortunately I still have my laptop so it’s not the end of the world.

I booted Knoppix on the machine and I can still access the drive so I should be able to restore everything as needed. I was also pretty good with backups - but of course, the power outage happened on a backup day so I have no clue if it finished. I do have a 60 GB file on the external drive which was last modified at 3pm today, but it might as well be corrupted. The earlier backups are from April and May which is not so great.

But, again - since I’m able to access the drive from Knoppix I should have no problems pulling the data off of it later on. Most of my important stuff was on the secondary drive anyway. So I’m not panicking just yet. At most I will loose my Firefox preferences folder, and some saved games, and whatever crap I had thrown onto the the desktop.

So my plan for today is:

1. Pull the band HD
2. Install Windows
3. Go through the usual post-installation tasks such as hunting down drivers, installing applications and etc
4. Check if the latest backup was ok, and try to restore the most crucial files.
5. ???
6. Profit

Whatever I planned to blog about today and tomorrow is going to get pushed back, because this crap will likely take me a while.