01.08.07
Posted in Article at 9:48 pm by Techie
Jon Pogue, a technical writer for the New York Times, recently discovered how very insecure Wi-Fi connections can be (via Lifehacker). This is nothing new. However, it can be a jarring shock to those of you who hop on free Wi-Fi connections down at the local coffee shop. Your email messages, web surfing, instant messaging, and insecure web logins are all out there, zipping over the airwaves. Scary. I hope you didn’t send that email regarding inside information at a public company over a hot spot — you might be in hot water if you did. If you logged onto that message board you like, you might watch for posts you didn’t write.
However, Jon Pogue is just discovering what techies have known all along: networks are insecure. When you’re down at the local hot spot, you could be sharing a connection with a hacker, it’s true. It doesn’t even have to be a good hacker — lots of freely available software can do the trick without much fuss. However, you’re just as vulnerable on wired networks, depending on who else can get on it. Do you really trust everyone in your office?
Nonetheless, you should always consider wireless hotspots untrusted. If you need to do work, see if IT staff will set up a VPN for you. While you’re at it, see if they’ll set up a web surfing proxy for you. If you need to send email, try using SSL. Avoid logging into unsecured logins, such as most message boards. Otherwise, just be aware that someone might be listening.
Permalink
11.16.06
Posted in Article, Windows at 11:17 am by Techie
Here’s an interesting experiment. On a Windows desktop, right-click on the desktop, and create a new Folder. Then, try renaming it ‘aux’. Can’t do it, right? There are certain restricted words that cannot be used to name folders or files, even though they use regular characters. You can’t even name it, say, ‘aux.test’. I came across this bug when editing files in CVS that were sourced on a Linux machine. I checked out the repository, but got errors for a folder named ‘aux’. I ended up doing work on a Linux machine to get around this, as there would be no way I would be able to work on the files there from Windows.
The following are reserved names, which cannot be assigned to a folder or file (normally):
- CON
- PRN
- AUX
- CLOCK$ (NT and older)
- NUL
- COM1
- COM2
- COM3
- COM4
- COM5
- COM6
- COM7
- COM8
- COM9
- LPT1
- LPT2
- LPT3
- LPT4
- LPT5
- LPT6
- LPT7
- LPT8
- LPT9
It’s not impossible to create a file with that name, however. You just need to break out the old command line. From a Windows XP box, open up a command window (Start->Run, type cmd) and try:
md \\\\.\\c:\\aux
Congratulations, you’ve just created a folder named ‘aux’! You can even browse to it in Windows Explorer. To break down what the above does: the md stands for “make directory”. Specifying \\.\c:\aux means (in UNC format) on the local machine, volume C:, folder aux.
However, you still can’t delete it from Windows Explorer. To do that, you have to go back to the shell:
rd \\\\.\\c:\\aux
Aside from wowing your neighbors with your random geek knowledge, is there a practical use for this information? While I can’t think of any, it’s good to know to avoid using these, if doing cross-platform development. Do not use these names on a file on a Linux machine if they are going to be opened or edited by Windows users! This includes files and directories with those names but with an extension, such as aux.txt.
References:
Permalink
07.28.06
Posted in Article at 10:22 am by Techie
First off, let me just state that the ordering of DSL from Verizon was a surprisingly painless procedure. The support and sales people I talked to were courteous and helpful. I called up to get a “dry loop” (no phone service) DSL line, and they got me squared away (with one small error in my address, which was quickly remedied). I took their installation kit, followed directions, and had working Internet in about an hour. From first call to them to surfing the Internet took about ten days.
However, I’ve noted that Verizon leaves people in a bit of a precarious situation. Let’s have a tech dissect the procedure:
Windows Firewall is disabled. In order to get things working, they tell you to disable any firewall programs. They don’t force you to do so, but tell you to do so to prevent issues during setup. Fair enough. However, in the beginning they also just mention that you should re-enable the firewall post-setup — and never remind you. Net result: many will probably leave the firewall disabled. Sure, they offer security suites for free, which often come with their own firewall, but it’s still a risky way to leave the customer.
Wireless networking is by default ON. I ordered their wireless DSL modem, on the recommendation of one of the folks at Verizon. However, they shipped it with the wireless networking on. This may be a nitpick, but it seems to me that they should ship this off, and ask if it should be set to on. That, or make sure the next doozy isn’t the case…
Wireless networking uses WEP. This one is unacceptable. Wireless networking is on, with encryption set to WEP. I believe they might have set a WEP key, with the key printed on a sticker on the bottom of the unit, but WEP must die. It’s not secure. It only gives the illusion of security to the less tech-savvy. WPA was available, but not WPA2. (Read why I care.)
No suggestion to change default password on the router. This is another no-no. After running setup, I was able to get straight online with no issues. This was all fine and good, but I knew that there was a password on the router, and that it’d be a good idea to change. Sure enough, there was, AND it was a default user / password that’s available for all wireless routers of the same make and model. I had to dig around in Help on Verizon’s web site for details on this, as they didn’t provide that in the installation kit documentation. In fact, they never mention it.
So, many a new Verizon user may end up having a fairly insecure wireless network, with a default password on the router and no firewall. It would be pretty trivial for someone to come along, wardrive to find my access point, crack the WEP, and start listening in on all my IM and email conversations. Or worse, hack my PC. Plus, once on the network, if I hadn’t changed the password to my router, they could easily pop in there and break my wireless network access altogether. They could theoretically do all of this inside of half an hour — which, incidentally, I might spend in the initial setup. Plus, if they were on the network, they could technically capture plaintext passwords, which include things like IM, message boards, email, and site logins.
I understand Verizon’s challenge: they have to provide rather technically detailed service to people who are unfamiliar with it. In that regard, I think their setup kit does very well. I think most people could take this kit, follow the instructions, and be up and running online in little time. However, the next step is security: getting people to actually secure their network should be of vital importance, both to Verizon and the customer. People like to believe that their Internet surfing is private. With Verizon opting for this sort of setup, people are getting wireless networks online, without realizing how very insecure they might be. What’s more, since Verizon is setting them up in this manner, their customers will just tend to trust that Verizon has set things up acceptably. It’s that validation from a position of authority thing: people will think they know better.
So, I leave off with a dual message: Verizon, focus more on security. Consumers: get better educated. Of course, I think Verizon should also step up the hardware side of things. Where’s the WPA2 support? WPA is so 2003. I think I’m going back to my old wireless gear.
Permalink
06.06.06
Posted in Article at 11:33 am by Techie
“If the man at the top and a team of Microsoft’s best engineers faced defeat, what chance do ordinary punters have of keeping their Windows PCs virus-free?” Microsoft CEO Steve Ballmer and a team of top Microsoft engineers couldn’t remove spyware from a PC. If they couldn’t do it, we know we have a real problem on our hands.
Permalink
05.25.06
Posted in Article at 4:47 pm by Techie
If you’re using Yahoo Instant Messenger, beware of strange messages from friends or strangers. There’s a couple malicious things floating around that may trouble you.
The first is a worm virus, that sends a message with a malicious URL. Clicking on the URL will send you to a page that will install a custom web browser without permission, dropping an IE-like icon on the desktop. The start page will also be changed to point to a page with more malware, and when this custom browser is launched, as well as play strange music on computer startup. The virus attempts to propagate itself further in Yahoo chat.
However, there’s also a social engineering “virus” (if you can call it that) that’s going around, which works much simpler. You may get a message from someone on your buddy list, that has a message to check out a site, and a URL to visit on a Geocities site. I recently got one of these messages, so could dive into it in more detail.
This is brilliant for its simplicity. The page itself looks just like a standard Yahoo login. However, it’s not. Someone hosted a page on Geocities, emulating the Yahoo style, but with a different form action. The brilliance here is that there is no virus. It relies entirely on people’s trusting of the Yahoo brand, and their familiarity with logging into Yahoo. Even looking at the domain isn’t straightforward, because Yahoo owns Geocities. People who try to use this form are sending their username and password off to some third party. Let’s see if we can get any clues as to how it works.
The form action used was encoded using HTML escape sequences, but when translated, point to http://www2.fiberbit.net/form/mailto.cgi. Oops, looks like someone left a poorly coded script out there! Word to budding coders out there: if you write an email posting script, make sure to not allow arbitrary setting of addresses — it’s just asking for abuse.
The hidden attributes of this form are as follows:
<INPUT TYPE="hidden" NAME="Mail_From" VALUE="Yahoo">
<INPUT TYPE="hidden" NAME="Mail_To" VALUE="icewishart@gmail.com">
<INPUT TYPE="hidden" NAME="Mail_Subject" VALUE="Yahoo id">
So, by all appearances, by submitting this form, you are sending your Yahoo username and password to the address icewishart@gmail.com. They can then take your username and password and send off a message to people on your Yahoo buddy list, to try to get more usernames and passwords. Better change your Yahoo password if you’ve fallen for this!
While the first vulnerability is a legitimate and critical one, the second one underscores the importance of being careful with providing your information online. There’s a reason banks have started doing two factor security — they want you to be very aware of where you provide your information. When online, adopt an attitude of paranoia. You never know who is really sending you that message.
Permalink
03.01.06
Posted in Article at 2:50 pm by Techie
Everybody probably has this thought at some point: I have two UPSes rated for 20 minutes of battery time; can I plug them into each other and get 40 minutes of power? The short answer is ‘no’. It’s just not a good idea, and not just because it voids your warranty. Here’s why.
The power that a UPS draws is significant. This is because in addition to getting power to your devices, it has to charge the battery. Hence, you’ll actually be drawing significantly more power through the UPS than if you were just running the devices. This means that you’re going to kill the power rating of the first UPS. Would this be more than just the first UPS? Possibly, if the first UPS could handle that power drain, but it also ignores some other things.
Consider, for example, the electricity output. Electricity curves coming from the power company are a nice smooth sine wave. This is what your devices expect. UPSes do not — their curve approximates a sine wave using steps. So instead of rolling your computer down the handicapped ramp, you’re pushing it down the stairs. This is okay for the short term, but it’s considered “dirty” power, in the sense that it’s not reliable and smooth — there’s a lot of harsh fluctuation.
Enter surge protectors and UPSes. Being that they’re designed to cover dirty power issues such as brownouts, how would they handle actually receiving power from the first UPS? The answer is probably not very well, because it’s not clear how they would respond to the dirty power. They might not respond to the power, or they might be damaged by the stairstepping curve. (Incidentally, they do make UPSes with smooth sine wave curves, but they’re pretty rare and expensive.)
So, it’s a bad idea, don’t do it. If you want to use two UPSes, then split equipment between them — run the monitor on one, and the computer on the other, and don’t power protect items such as scanners and printers. Just don’t expect to add the UPSes together for double the time — it isn’t going to happen.
Permalink
01.05.06
Posted in Article at 5:10 pm by Techie
The music industry is at war with you, the consumer. You might not have even known you were at war, and yet, you are. The music industry as a whole, and especially the Recording Industry Association of America (RIAA), is working to restrict your rights. Whereas before when you would buy an album, you would have a set of rights around that, the music industry is working to make it harder for that fair use to be available. The music industry is fairly unique in its position: it’s treating its consumers like criminals, for the sake of profit.
Why are they fighting this war, you might ask? It’s quite simple, actually: greed. However, there’s more to it.
The first element is format churn. How many of you own records? How about eight-tracks? How about tapes? How about CD? If you were unfortunate, you might have owned the same album on all of those. Have you heard that new super audio CDs are on the horizon? That’s right, the music industry is hoping you’ll once again upgrade your collection to the new “higher quality” audio recordings, and buy your collection again. There’s a reason for this: if you don’t re-buy your collection, then music sales stagnate, unless the music industry can constantly provide you with must have music. What’s worse, if those recordings don’t die, then older albums will never be rebought. If your father bought an album, then there’s no reason you would, right? On the other hand, if you convert music to MP3 format, then the format doesn’t degrade. This bothers the music industry.
Another element is to cut piracy. The music industry’s theory is that if music gets to MP3 form, then it will wind up on peer to peer networks, which will result in lost sales. After all, if you download an MP3, why would you buy the album? This theory would hold more weight, if music industry sales could directly show these effects through their sales. Yet, during periods when file sharing was most rampant, music sales were running at all time highs. However, I’m the first to acknowledge that correlation doesn’t imply causation. What I can offer is an anecdotal story: back in the wild peer to peer days of Napster (before it became a music service) I found that I and other people I know were buying lots of CDs. Basically, if I downloaded a song and liked it, I would go out and buy that album. At the time, I was averaging around an album a week. My (and my friends’s) purchasing habits directly correlated to how much I had actually downloaded. (Interestingly enough, my collection is currently 100% legal, and I do not trade music on peer to peer services anymore. However, I am also no where near the purchasing levels I was at back in the high days of file trading.)
The final bit is to restrict your usage rights. By buying, say, a CD, you have certain rights to what you have purchased. If you want to copy your CD for archival purposes, you have that right. If you want to make a thousand copies for your personal use, you can do that. If you want to convert it to MP3, that’s your right. These are fair use rights — they’re the same rights that let you use a VCR to record television programming. The music industry is trying to restrict these rights. They want to prevent you from being able to create MP3s, because they have no control over that format. They can’t prevent you from copying that music to your three different MP3 players. They want to make sure you can’t copy files without asking them first.
Hence, Digital Rights Management (DRM). This is the music industry’s method of trying to manage your usage. The only problem is, it restricts how you can actually use music. This is quite annoying. For example, let’s say you buy music from iTunes (arguably the least restrictive music store providing popular music). Their DRM restricts how many times you can burn a playlist to CD. Additionally, if you copy the files to another computer, you have to authorize that computer with Apple before it can play these restricted files. You are restricted to just five computers on which you can play this music at any time. Additionally, if you have hardware music players (portable MP3 players, stereo components), they have to support Apple’s DRM, or they’re unplayable. I.e., if you buy music from Apple’s iTunes music store and want to take it portably, you’ll probably have to buy an iPod. The other music services aren’t much better, providing the same style of hardware restriction, but with non-Apple hardware. That’s the rub: if you buy DRM-enabled music, you will be locking yourself into narrow hardware support. I have a Sony PSP, but there’s not a chance that it will play music bought from Apple’s iTunes Music Store. This annoys me greatly.
What’s worse is that this is not limited to just online music stores. These days, more and more CDs are being shipped with DRM software right on the CD. This is problematic, because in the least of severe cases, there will be players on which the CD won’t play, to the most severe cases, where the DRM actually hacks the user’s computer, making it less stable or vulnerable to attack. Sony BMG recently got into a lot of hot water because of this, and shows the rather strange paradox of the music industry: why are they treating the people who actually buy their music like criminals? This is very, very shortsighted, because a) the people they are affecting are legal music purchasers, and b) actual music pirates still have no problem getting music off these CDs. It’s a lose-lose situation, and the negative press Sony BMG has been garnering reiterates this fact.
So, thanks to the music industry, you now have to worry about hardware compatibility for your portable music players, getting your computer hacked because you bought a CD, and increased limitations on how you actually use the music you own. Why is any of this a good thing? Remember when if you liked a song, you would buy the album? All of the extra terms and conditions getting attached to music these days is making it a terrifying experience to actually buy music. Thanks, music industry, for making my life more difficult! How about working instead on more unique music, instead of treating your consumers like criminals? What a novel idea!
Permalink
12.29.05
Posted in Article at 10:20 pm by Techie
Saying there’s a security flaw in Windows makes a tech’s eyes roll. Anyone who’s run Windows Update periodically know that there are flaws that crop up. However, recently, a new flaw was discovered that has yet to be fixed — a fully patched Windows XP machine with updated Norton Antivirus was able to be breached…by visiting a web page.
The problem has to do with the way Windows handles Windows Meta Files, which are meant to be image files. That’s right, not executables, not unsafe ActiveX controls, just image files. Well, wmf files are a little more than images; they have some scripting capability built into them, and that’s part of the problem.
The problem is, all you need to do is download the file. So, visit a malicious web page in Internet Explorer, and that’s it. In Firefox, you may get a warning about downloading a wmf file; if you do, that’s it. It’s that easy right now to get your PC hacked.
The quick workaround is to Go to Start->Run, and run the following:
regsvr32 /u shimgvw.dll
This will break some image thumbnail support. However, it’s better than running around with the threat of getting hacked. After Microsoft releases a patch, you should run:
regsvr32 shimgvw.dll
This is a quick workaround to running a little safer, but will break some things. (Not that many of you would notice.) Microsoft, release a patch already!
Reference:
Washington Post: Exploit Released for Unpatched Windows Flaw
Permalink
12.28.05
Posted in Article at 2:01 pm by Techie
Last week my sister pointed at a computer and called it a hard drive. The other one I’ve heard is calling a computer a CPU. I didn’t correct her, because no one really cares. No one, that is, except for techs. Techies are really annoyed when they hear this, because it’s just not right. It’s like pointing at a car and saying it’s a muffler. It doesn’t make any sense.
So, for the basics…most people know what a monitor, keyboard, and mouse are. They could even pick a printer and scanner out of a lineup. That leaves the computer. Most techies hate it when someone points at it and calls it a hard drive or CPU. It’s neither. The computer has those parts, but that’s just it — they’re parts. They’re components of the computer.
The part of the computer you see is the case. Sometimes referred to as a chassis, it’s where you put all the other internal stuff. A case alone is empty, and not very interesting. With stuff, it’s a computer. Not a hard drive, not a CPU. If you want to sound tech, you can even call it a beige box — just make sure it’s beige.
Let’s take a look inside. Inside the case, you’ll see a big silicon board on the bottom that everything hooks into — this is the motherboard. You don’t generally hear motherboards mentioned much in a computer’s quick description, because it’s something only techies would really care about.
On this motherboard you’ll probably see one or more green vertical silicon wafers about 1″ x 4″ in size. These are RAM. In a computer description, you might see something listed as “512 MB” — this is like short term memory for a computer. It’s a good idea to get plenty of this, because the more of it you have, the better your computer can run things at the same time. Do you multitask a lot? Better make sure you have a lot of this stuff. Think of this as like your quick memory, like when you go to the grocery store, and think to yourself, “I need a loaf of bread and a stick of butter.” You don’t write it down, and you’ll forget later that you had to remember this; it’s just useful to get what you need done right away, and then is discarded. Your computer empties this out every time you reboot, and this is normal.
Also on the motherboard, you may or may not see the CPU, which can take a few different forms, ranging from a long black cartridge, to a chip on the board. This thing does all your computer’s heavy lifting — all the calculations that happen behind the scene to do what you want to do. In either case, you’ll see attached to it a large ugly hunk of metal, which is known as a heat sink, which keeps your computer from catching fire from all the work it’s doing. On some machines (especially Dell machines), this is hidden behind a plastic awning. Rest assured, it’s there, because your computer would be a paperweight without one.
You may also see large silicon cards directly plugged into the motherboard. Your monitor may even be plugged into one of them (but not necessarily). These are add-on cards. If your monitor is plugged into one of these, it’s your graphics card. If your speakers are plugged into another one, it’s your sound card. If your network cable is connected to one, it’s your network card. If your phone line is connected to one, it’s your modem. These days, most computers have the graphics cards, sound cards, modems, and network cards actually integrated into the motherboard, so you might not see these.
Not directly attached to the motherboard, but connected via a cable, you should see a metallic rectangular box, about 4″ x 6″ x 1″ in size, with no access to it on the front of the computer. This is the mythical hard drive, where all your data actually gets stored. This is like writing down your grocery list, so you can pull it up and remember it later. This is where all your data is kept, so if you lose this, you lose all your files.
So let’s put it all together. Let’s say you see a computer description listed as such: “Intel Pentium M 2GHz, 1GB RAM, 80GB”. The CPU is the part that reads “Intel Pentium M 2 GHz.” The RAM is (obviously) “1 GB RAM”, and the hard disk size is “80 GB”. All of that, inside a case, makes a computer. Not a CPU. Not a hard drive. Those are just parts.
So stop calling computers hard drives and CPUs. It’ll make the techie’s work of fixing your broken PC a little easier, and won’t grate on their nerves. Do it, or I’ll drive my muffler over to your gutter and smack your hand with a ruler.
Permalink
12.23.05
Posted in Article at 11:30 pm by Techie
You probably keep hearing about BitTorrent, but might not have any idea what it is. Or, perhaps you’ve downloaded a .torrent file, and have no idea how to open it. BitTorrent has been getting a lot more distribution, and it’s a good idea to understand what it’s all about.
BitTorrent is a method of distributing a file to a lot of people. It has nothing to do with Peer-to-Peer (P2P) technology like Limewire, Gnutella, Bearshare, or any of the others. This is because it’s not building a network. When you use BitTorrent, you aren’t sharing a folder. It’s all about distributing the effort of sharing the file among people who are interested in it.
Let’s say a person has a 50 MB video they want to share with the public. If they have 1,000 people who want to download it, and they just host it on a web site somewhere, then this person has to support 50 MB x 1,000 downloads, or 50,000 MB (around 49 GB) of download bandwidth. That’s a lot by most standards.
Now, let’s imagine a different scenario. Let’s say that the person cuts the video into four parts, and starts uploading it to four different people. So, person A gets the first quarter, person B gets the second, C gets the third, and D gets the fourth. The original hoster has only uploaded the video one time, yet uploaded the parts to four other people. Person A, B, C, and D do not yet have complete files, they only have a fourth. However, now imagine that persons A, B, C, and D can now upload to each other. A can download the remaining parts from B, C, and D; B can download from A, C, and D, and so on. Basically, splitting things up this way mean that the other people who downloaded parts can upload the parts they downloaded to other people. Eventually, A, B, C, and D can all get the file, with the original person only having uploaded the file once.
Now, let’s add person E, another person interested in the file. Person E can download parts from the original poster, but can also download parts from A, B, C, and D. Even if the original poster doesn’t upload anymore, the file can be obtained by downloading from A, B, C, and D. The entire bandwidth of the upload can be distributed across the people who are downloading. If everyone except the original poster remains connected until E downloads the file, then the file will have been distributed five times (to A, B, C, D, and E), for an upload amount of 5 x 50 MB. However, the original poster only uploaded the file once for 50 MB. If the original poster had just hosted the file, they would have uploaded 250 MB.
This is a simplification of what happens, but is accurate enough to explain how it distributes the bandwidth cost. The truth is, the file will get cut into a lot smaller pieces, and there will probably be a lot more people involved. The more people involved, the greater the ability to download. If the original hoster didn’t have much bandwidth, that would throttle the amount that people could download at a time. Let’s say that the original hoster had the ability to upload at a rate of 50 KB/s. If one person was downloading, then they could get the file in 1,024 seconds. However, if two people were downloading, it would take 2,048 seconds. Imagine that there were a fifty people downloading the file at once — it would take everybody over fourteen hours to download.
With BitTorrent, that limit isn’t there, because everyone shares in the upload. The more people involved, the better off the bandwidth. That’s what makes BitTorrent so powerful: rather than causing downloads to get slower as more people get involved, it gets faster. I have one torrent downloading right now that is getting speeds around 540 KB/s. Not all torrents get that, but it’s even rarer to get web servers with that sort of download available, especially with a popular file.
This adds an interesting kharmic element to this mix. If everyone downloaded a file, then immediately quit uploading, then this doesn’t work. That’s why there’s a golden rule of BitTorrent: stay connected until you’ve uploaded as much as you’ve downloaded. This is referred to as a ratio — the ratio of what you’ve uploaded to what you’ve downloaded. You should stay connected until this is equal to or greater than 1.
Additionally, it also means that the power of the torrent will scale depending on the popularity. If no one wants a file, then the torrent will never pick up steam. A file’s popularity is directly correlates to the power of its torrent.
Those are the basics to understanding what BitTorrent does. These steps involve creating a .torrent file, with information about the file to distribute; this file gets uploaded to a tracker (a server that works to announce to everyone who’s connected to the torrent); then the .torrent file is uploaded somewhere for people to download. From a user’s perspective, all that’s needed is to download the .torrent file, open it in a BitTorrent client, let the download complete, then wait for the upload to download ratio to reach 1. It’s important to note, however, that some trackers strictly enforce that ratio — don’t hit it, and get banned from that tracker.
BitTorrent has been getting a bad rap because of its use in illegal trading, including music, videos, DVDs, software, and more. This is important to know, because of the way BitTorrent works: if you download things with BitTorrent, you are also uploading at the same time. If, say, the RIAA or MPAA note that you’ve been uploading copyrighted material, you’re running the risk of getting sued. Yes, it’s happened.
If you don’t have one yet, you probably should go ahead and download a BitTorrent client. The official BitTorrent client is actually decent, though there are many third party options available as well. As BitTorrent is getting more mainstream, it’s a good idea to install it, because you’ll eventually come across .torrent files.
Permalink
« Previous entries Next Page » Next Page »