Friday, May 29, 2009

I Don't Do Financial Stuff On The Computer, So Why Care About Security?

On the topic of computer security, some people are lazy, some are ignorant, some just don't care because they say they don't do anything like buying things online or saving their credit information on the computer. They don't bother with updates or educating themselves about responsible computer use.

So what do they say if they're busted for child porn?

Yeah...that's one of the many uses "zombied" computers...computers remotely compromised by system crackers and put to work for them...end up serving: remote storage for warez, porn and possibly child porn.

Check this article which outlines more information in simple and easy to understand terms.

If you're not willing to take responsibility for your computer use you probably shouldn't be using the computer. Even if you don't do financially sensitive activities on the Internet your computer can be used against other people.

Uh Oh...When Computers Won't Boot

Another reason to love Linux.

I was working on a system in the lab today that was having problems with a bit of software that had been working fine and now wasn't.

I ran updates on it. Checked the hard disk. The usual.

I discovered that the drive was seen in Windows XP as 20 gig, but the drive was actually 40 gig. Most likely this was an artifact from the system being imaged; the partition information given to Windows made it look like a 20 gig drive, so Windows wasn't seeing the entire disk.

So in the course of repair I took out my RIPLinux...Recovery Is Possible, although I thought it used to be called Rescue Is Possible...CD and booted to X Windows. The disc runs entirely in memory, so you can use it for a variety of diagnostic and repair procedures on systems. A wonderful tool for any tech repairing computers.

Once in X I ran gparted from the partition tools menu. This gives a graphical view of your disks and options for various alterations, among them resizing a partition. Because of a glitch in the way the partitioning was done, gparted saw the drive as already set up as one partition taking up the entire 40 gig. I just told it to resize the partition to slightly less than 40 gig...better than the 20 it was already set to. Best of all, this is a non-destructive resize (I'd still advise a backup, though)...resize the partition, and the data is still intact.

Clicked Apply and the changes went off without a hitch. Rebooted, Windows started...and rebooted itself. And rebooted itself. And rebooted itself. Uh-oh.

Information was still there because Windows started to boot. I stuck in the RIPLinux CD again and booted to X. This time I ran Testdisk. This is a utility that greatly helps in searching for lost data, partitions, errors, etc. and is a boon for recovering data from drives, but any tool for playing with partitions isn't child's play. One of the basic scans popped up telling me that the geometry on the drive was set to 16 heads but looked like it should be 255. I dropped through another couple menus to reset that information, told Testdisk to write the data to the disk, and rebooted.

Windows XP booted right up for me.

Yay, Linux!

This is by far not the first time I've fixed quirky and archaic and deep-level problems with Linux boot CD's and no doubt this won't be the last. Although this was the first time that resizing a partition triggered this kind of problem. I've seen this several times from cloning and duplication errors, especially switching drive brands and types...but never resizing on the same disk that I can recall. Goes to show that every task has its own challenges, I suppose.

Thursday, May 28, 2009

A Search Engine That's Not Google?

I heard about this on a podcast recently and after trying the site I highly recommend it!

It's called Kosmix. It's a search engine that will sort information out for you...you put in a query and it will search Google and put results in one spot, it searches blogs and puts those in another, commercial sites, video sites, image sites, etc...neatly separating them out for you and presenting them in an easy to read format!

I may start using it more than I use Google since Google is one of the engines it uses in turn. Very nice. Just going to their home page (linked above) will give you some interesting news stories and feeds, and you can customize the page for your computer. Take a look and see what you think.

Wednesday, May 27, 2009

X on Windows

X (the X Window System, commonly called X Windows) is the primary graphical interface used on Linux systems and is also available as a user-space application on Apple's Mac OS X. If you're familiar with how it works and need to administer Windows systems, you may find yourself needing to access your "home" system from a Windows computer.

Windows was never meant to be a multiuser system; one consequence of that philosophy is the popularity of screen-viewing (and desktop-control) programs like VNC, Virtual Network Computing. Linux has this ability too (using the VNC protocol, no less), but controlling a whole remote desktop is a different thing from running a single remote application using X.

So the next challenge is how to access these applications from a Windows system. The method I most often use is the XLiveCD. You pop it in, let the wizard run so you can answer a couple of quick questions about your mouse, and then you're greeted by a BASH prompt. From there you secure shell to your system (again with SSH! This means you need to be able to reach your system remotely with secure shell, I'm afraid) using the -X or -Y switch so it will forward X, and once you log in you can run your program. XLiveCD leaves files behind only if it crashes or your computer decides to restart in the middle of a session; if you exit XLive by closing all the programs and the XTerm prompts, then right-clicking the "X" in the system tray and selecting Quit, the program cleans up after itself and leaves nothing on your Windows computer.

Unfortunately it looks like this isn't being updated anymore...the name of the CD implies that it was built in December of 2004. On the plus side that image is still for the most part working on systems I usually test it on.

An alternative is Xming. Unfortunately it requires installation on the local system, but it's small and relatively unobtrusive. That also means it's really only practical on systems you access often, while XLiveCD lets you be far more migratory and use a large number of systems in your travels without leaving files and cruft behind. Xming also needs an additional program...again, small and unobtrusive...like PuTTY to initiate the secure shell connection. Each of the PuTTY programs is a standalone executable, so setup is mostly a matter of downloading them to a folder and pointing Xming at the appropriate program. Xming is a bit more work to set up but has worked well in the instances I've tested it.

Those are the two free methods I end up using to connect to my remote systems for tasks like reading email (I have special filtering rules and such in place). Handy for any sysadmin using Linux as their primary system in a Windows world!

Monday, May 25, 2009

New Computers and Malware

Can you trust your brand-new-out-of-box computer to be free from viruses/spyware/adware/malware?

Apparently not.

I've read stories about digital picture frames (you've probably seen them for sale at Radio Shack, Walmart, online...) being infected with viruses right out of the box (what a gift!). I've experienced the pain in the butt that is pre-installed crap on many vendors' systems.

But how often do people look for malware being installed on systems fresh from the box? Take a look at this story...

Sunday, May 24, 2009

Wasting Time in Front of the Computer

When a geek is at the computer more often than not people write them off as just "goofing off on the computer". I contend that attitude is because most non-geeks use the computer to do just that...goof off. They surf around on the webbertubes, reading news, playing with email, and generally just wasting time.

In my years of support and watching computer usage patterns I've noticed there are two types of people. Those that just passively absorb content...i.e., wasting time, playing games, etc...and those that produce content. They write blogs. They program applications. They are generally using the computer to express themselves rather than define themselves.

So I take exception to the idea of just wasting time on the computer or goofing off. Sure, we geeks do goof off on the computer sometimes...the difference is that when non-geeks see us goofing off, they really can't tell if it's goofing off or producing content.

And secretly we like it that way.

Friday, May 22, 2009

I Love SSH

Secure shell, or SSH, is a UNIX utility that has become the replacement for the venerable Telnet utility and is usually a standard tool in any UNIX-like operating system installation (Linux distributions and Apple's OS X included).

Telnet let you access your computer's command line remotely, but it sends everything, your password included, in the clear. Secure shell takes the same concept and adds encryption; anyone who can get into the path of your traffic (ARP poisoning on a switched LAN is one way) could eavesdrop on a telnet session, capture your password and hijack your system. If you run ssh, eavesdroppers see nothing but gibberish.

But SSH does more than that...it adds the ability to forward your X Windows applications. X is usually what's running on Linux systems for the graphical interface; this means that if you run a graphical program on Linux like Firefox or Thunderbird, it's using X to show up on the screen. If you connect from a remote computer using SSH forwarding X then tell it to run, for example, thunderbird, your mail client on your home computer...with your filters, custom folders, settings, will appear on the computer you're connecting from! Many Internet Service Providers (ISP's) will only allow access to their mail servers if you're "inside" their network. Using X forwarding to your home system, you'd be able to use your home email system with your customizations from a "foreign" network.

But the fun doesn't stop there...

SSH can redirect ports. It gets a little hairy in the execution because you have to understand the idea of locality in order to properly map things, but I use it on my system to redirect email connections; I'll use that as an example.

I have a friend running an email server for me; he's on a different network. I'll call that email server primary-email.

I have my home system with my email client running on it (Thunderbird). I'll call it homesystem.

I want to connect to primary-email to get and send mail, but since we're on two different Internet Service Providers I want the exchange between my computer and the mail server to be encrypted (in case you didn't know, without the addition of a secure login method most email traffic is unencrypted, so people can eavesdrop and save your email while it's in transit).

So my friend sets up a Linux system...we'll call it linuxbridge...and forwards port 22 from the Internet to it. I tell my computer to tunnel...using ssh...port 25 (SMTP, for sending mail) and port 110 (POP3, a protocol for receiving mail) from my computer to his Linux system. All information traveling between homesystem and linuxbridge is then encrypted; from linuxbridge, the traffic is passed on to primary-email on my friend's network.

Yes, people can eavesdrop on his network between linuxbridge and primary-email, but this configuration still blocks people on my network, my ISP's network, and anyone between my ISP and my friend's ISP from seeing my email.

The tunnels can forward any port you configure in this manner. I've used it for forwarding email traffic and RDP (Windows Terminal Services) sessions without problem. Plus you can set it to compress the traffic, in some cases helping to speed things up a little.
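Here is the setup above as a small POSIX shell script. This is an added example, not code from the original post: it builds the -L forwards for the homesystem to linuxbridge to primary-email tunnel, checks that the local listeners came up, and also wraps the ssh -Y invocation used to run a home X application (the method described in the X forwarding paragraph above and in the "X on Windows" post). The account name "me", the hostname "home" and the local port numbers 2525 and 1100 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the two SSH tricks described in
# the post, X forwarding (ssh -Y) and local port forwarding (ssh -L) for the
# homesystem -> linuxbridge -> primary-email mail setup.
# The account names, the hostname "home" and the local port numbers are assumptions.
set -eu

HOME_USER=me            # account on the home Linux box running sshd (for X forwarding)
HOME_HOST=home
BRIDGE_USER=me          # account on linuxbridge, the box with tcp/22 open to the Internet
BRIDGE_HOST=linuxbridge
MAIL_HOST=primary-email # the mail server as linuxbridge knows it; need not resolve from here
LOCAL_SMTP=2525         # unprivileged local ports, so no root is needed to bind them
LOCAL_POP3=1100

# Build the -L options. Read each one as LOCAL_PORT:TARGET_HOST:TARGET_PORT:
# ssh listens on LOCAL_PORT here on homesystem, and TARGET_HOST:TARGET_PORT is
# resolved and connected to FROM linuxbridge. That is the "locality" point:
# primary-email is named the way linuxbridge sees it, not the way we do.
forward_args() {
  echo "-L ${LOCAL_SMTP}:${MAIL_HOST}:25 -L ${LOCAL_POP3}:${MAIL_HOST}:110"
}

# Bring the tunnel up in the background: -N runs no remote command, -f forks
# after authentication, -C compresses. ExitOnForwardFailure makes ssh exit
# if a local port is already taken instead of silently running without it.
tunnel_up() {
  # shellcheck disable=SC2046  # word splitting of forward_args is intended
  ssh -f -N -C -o ExitOnForwardFailure=yes $(forward_args) "${BRIDGE_USER}@${BRIDGE_HOST}"
}

# Thunderbird is then pointed at localhost port 2525 (SMTP) and localhost port
# 1100 (POP3). nc -z only tests that a connection can be made; 0 means ssh is listening.
tunnel_check() {
  nc -z 127.0.0.1 "$LOCAL_SMTP" && nc -z 127.0.0.1 "$LOCAL_POP3"
}

# Run one graphical program from the home box on this display, e.g. "xapp thunderbird".
# -Y is trusted X11 forwarding, which most desktop apps need; -C helps over slow links.
xapp() {
  ssh -Y -C "${HOME_USER}@${HOME_HOST}" "$@"
}

case "${1:-}" in
  up)    tunnel_up && tunnel_check && echo "mail tunnel ready on localhost" ;;
  check) tunnel_check ;;
  xapp)  shift; xapp "$@" ;;
  *)     echo "usage: $0 up | check | xapp PROGRAM" ;;
esac
```

Only the hop between homesystem and linuxbridge is inside the tunnel; traffic from linuxbridge to primary-email is still plain SMTP and POP3 on my friend's network, exactly as the post says.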

But that's not all!

Using an add-on available for Linux and the Mac called FUSE (Filesystem in Userspace) you can run sshfs to "mount" a directory from your remote home computer on your local Mac or Linux computer. What does this mean?

If you're sitting at an Ubuntu Linux system and want to access files on your home Ubuntu Linux system, first create the directory on which to mount the remote directory if it doesn't already exist:

sudo mkdir /mnt/sshfs

Then mount your remote home directory on it (replace your-username and home-ip with your account and the address of your home system):

sudo sshfs -C -o allow_other your-username@home-ip:/home/your-username /mnt/sshfs

After you enter your password for the remote system, you can just "cd /mnt/sshfs" and do a directory listing...there's your home computer's home directory! Of course, copying files will be slower than working with local drives, since everything is copied and cached over the network; the man page (man sshfs) gives options for turning off caching if applications like Nautilus are slowed down trying to pull information about directories at first...I noticed it seemed to slow things down a bit on my system. But it can be really handy at times, plus it's all encrypted and can use compression (notice the -C option) to help speed things up.

When you're finished, you just run "sudo fusermount -u /mnt/sshfs" to unmount the directory.

There are other things ssh can be used for, such as the "scp" command to securely copy files between two networked computers. "Rsync" is a utility that synchronizes files and directories between two systems, and it can be told to connect over SSH for an added layer of encryption and compression during the operation. Some applications build on the functionality...the OS X program Fugu is a graphical file transfer utility that lets you navigate your remote computer and transfer files between the two over SSH.

Yes, in order to do all these things, you need SSHD...the Secure Shell Daemon...running on the "server" computer. A daemon is a background process that handles tasks invisible to the user; the sshd process listens for and negotiates ssh connections. Your home system would need sshd running and if you have a NAT router...linksys, belkin, etc...between your computer and the Internet connection, it needs to be forwarding tcp port 22 to your internal computer. From there, you're all set to go.

Plus, of course, you need a strong password on your user account, since there are automated scripts on the Internet constantly trying to log in to people's SSH services. More advanced configurations can mitigate that; running DenyHosts to automatically block IP addresses that fail to log in more than, oh, three times helps. And/or you can move sshd from the default port 22 to another port; that doesn't stop anyone who is actually looking for you, but it cuts the log noise from the scripts dramatically. Again, my posts are already too long to jump right into that topic, though.

In short, if you have a Mac or a Linux system...especially if you have a Linux system...learn to use secure shell. It's a wonderful and flexible tool for copying files and getting at your home system while you're on the road; I can copy files securely, navigate my home computer's filesystem with SSHFS, and run my X Windows applications from a portable computer without having the applications installed on it. (X...and the X forwarded applications...only display on your system. The memory, drive storage and printers all stay on your home system; separating the display from the resources a program uses is part of the X Windows design. The applications can feel laggy and slow, but for most connections today it's not intolerable.)

Thursday, May 21, 2009

Email Hoax: Sony Ericsson Laptop

Maybe it's my life experience, maybe I'm a little less gullible than average, I don't know...but I'm still surprised to some degree at how many people, how many people with four-year (or longer) degrees of education, still end up asking us about an email they received promising free this or that or some charity getting donations or some miracle in exchange for forwarding the message to everyone on the Internet or sending some banking information to some random group of syllables in Istanbul.

How can educated people still think they will get something for free? Is this the same mindset that allows casinos in the middle of the desert to air condition rooms the size of football stadiums? Is it perpetual hope fed by feelgood, good guy wins in the end Hollywood fairy tales? Or are people at heart simply naive (which, if you reverse it, is a rather high-priced bottled water...coincidence, of course)?

I recently had a report about people in our institution forwarding messages promising a free Sony-Ericsson laptop if you forward the email to friends, then people started buzzing about it. It took me five seconds to submit a query to Google for an answer: "cc anna for a sony laptop". It actually took longer to pull up the result from Snopes, the best resource we've ever found for urban legends and hoaxes, than to find the list of answers from Google.

A few people have learned to look before leaping with these hoaxes. Usually they learn it because they are sensitive to looking foolish after doing something the first time around that they shouldn't have...other times, it seems as if people just don't give any thought to these issues. I sometimes wonder if these are the people that run out of gas because they just don't think to fill the tank or never have the oil changed in their car or turn up the radio when it makes weird noises instead of taking it to a mechanic.

I have normally written the behavior off as typical behavior for users but I wonder if it isn't something that is encouraged by our consumer behavior. We as a society push to consumers that they can get wonderful dreams for free; you deserve them! Take shortcuts! Busy watching TV and mis-prioritizing your life? Get a degree sitting on your duff for low low cost, because we understand you're busy! Buy this and that and your life will be simpler and boring, crappy tasks will take moments to finish so you can get back to the latest TV fad!

We have people profiting from that idea who really shouldn't be, in my opinion; the state lotto system (for a few bucks you have a one in three million shot at being set for life!) advertises something for nothing, casinos showcase people who have checks for tens or hundreds of thousands of dollars lining the walls and once in awhile they may even have a millionaire walk out; they don't mention how much money was spent in the process. How can we not think that email promising millions for a few minutes of time or a free vacation for something as simple as a few forwarded messages may be legit? What have we to lose in trying?

Most people are too naive or ignorant to think about what they're really giving away...

  • Storage space on servers forwarding this crap.
  • Time wasted having to read them, forward them...especially from prolific forwarders.
  • Bank information? That one little click may give some anonymous Russian access to your bank records or credit information.
  • Email address? Welcome to another spam list. And maybe your friends can thank you too for adding them at the same time.

This particular hoax is listed as floating around in one form or another since 1997. That's 12 years ago. Twelve years and it's still making rounds...make a slight edit, and suddenly it's fresh and new and fooling even more users.

I said that the people I've encountered who actually stop and check such claims on Snopes or Google before spreading the word are usually people who felt foolish, felt some kind of ramification for a previous mistake. People who don't feel foolish the first...or second...or thirteenth time they fall for such things generally don't feel any accountability for their actions. Unless people are held accountable for their actions they generally don't take action to correct their behavior; because of this little rule of thumb I've noticed over the years I'm afraid there's not much that will be done to prevent hoaxers, scammers and spammers from successfully making fools of our friends and family anytime soon.

Anyone think there's any hope out there? Unless people feel accountable for their actions and thus educate themselves to keep from forwarding such crap...thus make it unprofitable for the scum originating the messages...or computers finally gain human-level comprehension of messages so your system can evaluate what messages are legitimate before delivering them (probably the best route since it keeps people from having to be responsible for thinking about what they're doing and I've noticed that the more an invention offloads our need to think the more popular the invention is), I don't foresee much hope in stopping these messages. Feel free to post your opinions...

Monday, May 18, 2009

Mac OS X Split Command: Illegal Byte Count

Here's an issue I recently ran into on the Macintosh. I was archiving large data files...we take a number of user files that shouldn't be needed anymore but instead of deleting them I compress them with 7zip and set them aside in case we get a frantic call about missing file XYZ that they didn't know wasn't being stored on a share that is in the backup rotation.

Some of these folders get to be real doozies...6 gig or larger.

Most fit on the DVD's I'm burning to (4.7 gig). The big files, of course, won't fit. The easiest way to cut them down to size is to use the "split" command, a common command available on OS X and Linux. That way I don't need to hunt down and install additional proprietary software should the need come along to reassemble the data file later on...I can use tools already on the systems I usually have available.

So I transferred the files I needed to archive to my Mac (it has a DVD burner in it) and then tried to use the Split command from the terminal:

split -b 2G filename.7z newfilename.7z.split

This command should have taken the giant "filename.7z" and split it into manageable 2 gig chunks. Instead the terminal spit back an "Illegal byte count" error. Huh?

I searched around trying to figure out what I was doing wrong; I thought it might be related to this posting on Macosxhints.com about a problem with the version of split shipped with OS X.

I could have tried a newer version of split, or narrowed down the issue with a patched version of the program, but I went with the solution that was simply quicker to try: I transferred the giant file to my Ubuntu Linux system and ran the command there. Worked flawlessly. Then I transferred the resulting split files back to the Mac to burn to DVD.

*sigh*

Why must even things that should be simple become a project? Once again my Linux system managed to save me a couple Aspirins (or Tylenols).

UPDATE: an anonymous reader suggested:
Have you tried: split -b2000m filein fileout ?

I had the following response:
Actually I tried this after you suggested it on a file I created by tarring the 6 CentOS install CD's into one big file (over 3 gig) and it appears to have worked...so I guess the million dollar question is, why did that work while the Gig version didn't?
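An added example, not from the original post or the reader's comment: splitting an archive with a byte count given in k or m units, reassembling the pieces with cat, and checking the result against a checksum recorded at split time, so the pieces can be trusted before the original is deleted. The man page for the split shipped with OS X at the time documents only the k and m suffixes for -b, which fits the reader's -b2000m working where 2G did not; GNU split on Ubuntu accepts both. The demo file and all names here are constructed, and the demo uses a small random file rather than a 6 gig archive.

```shell
#!/bin/sh
# Added example, not from the original post: split a large archive into
# DVD-sized pieces, put it back together with cat, and verify with cksum.
# File names are assumptions; the demo uses a small random file.
set -eu

# Split FILE into CHUNK-sized pieces PREFIXaa, PREFIXab, ... and record the
# original's CRC and byte count next to them. Give CHUNK with a k or m suffix
# (e.g. 2000m): the BSD split on OS X documents only k and m, which is why
# 2G produced "Illegal byte count" there while GNU split on Ubuntu took it.
split_archive() {
  file=$1 chunk=$2 prefix=$3
  split -b "$chunk" "$file" "$prefix"
  cksum < "$file" | awk '{print $1, $2}' > "${prefix}cksum"
}

# Number of pieces written for PREFIX.
count_parts() {
  ls "$1"[a-z][a-z] | wc -l | tr -d ' '
}

# Put the pieces back together. The shell sorts the glob lexically and split's
# aa, ab, ac... suffixes sort in that order, so a plain cat restores the file.
# (PREFIXcksum is five characters after the prefix and does not match the glob.)
reassemble_archive() {
  prefix=$1 out=$2
  cat "$prefix"[a-z][a-z] > "$out"
}

# Compare CRC and byte count of the rebuilt file with what was recorded at split time.
verify_archive() {
  prefix=$1 out=$2
  [ "$(cksum < "$out" | awk '{print $1, $2}')" = "$(cat "${prefix}cksum")" ]
}

# Demo on a 2500 KiB file, which 1m chunks cut into three pieces (1024, 1024, 452 KiB).
workdir=$(mktemp -d)
dd if=/dev/urandom of="$workdir/archive.7z" bs=1024 count=2500 2>/dev/null
split_archive "$workdir/archive.7z" 1m "$workdir/archive.7z.split."
reassemble_archive "$workdir/archive.7z.split." "$workdir/rebuilt.7z"
if verify_archive "$workdir/archive.7z.split." "$workdir/rebuilt.7z"; then
  echo "$(count_parts "$workdir/archive.7z.split.") pieces, rebuilt file matches the original"
fi
```

Burn the pieces and the small cksum file together; on whatever system the archive is needed again, cat and cksum are already there, which was the point of choosing split in the first place.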

Burning CD's on OS X and Ubuntu Linux

The previous post discussed a problem with the way OS X handles splitting large files into smaller and more digestible chunks...namely, it wouldn't.

There's a second bit that bothers me in creating DVD archives of data on the Mac. The process of burning the CD isn't quite as intuitive as it should be.

Ubuntu (Linux) made this very simple. I pop in a CD, open a folder for the CD-RW volume (or DVD-writable volume), open another window in the file manager to locate the files I want to burn, then drag them to the CD window. It populates the window with the files as if I'm copying any other content to or from a network or local volume. When I have the files I want burned all nice and tidy, I click on "Write to Disc", and Ubuntu merrily burns the file for me.

In OS X, I pop in the blank DVD and a window pops up from Finder asking me what I want to do with it. I tell it to Open Finder. Unfortunately, if I already have a folder open, as is normal for me since I have a window showing the files I want to burn, the dialog disappears and you see in the sidebar that a blank disc has been mounted. Not a big issue, but in my workflow that's annoying. Minor, though.

I open another window to the blank CD. I drag a file from the files-to-burn to the blank DVD image. The Finder window is filled with...aliases.

Aliases are little files that basically point to another "actual" file. It's a small placeholder...you can have a tiny alias, or many of them, pointing to an actual location on your hard drive to make it more convenient to find other folders or programs without copying the whole thing to a new location or have multiple copies floating around.

My problem is that I'm looking at these tiny aliases, just a few kilobytes each, thinking...I don't want to burn a disc of alias files. I want the actual files. And when I look at the file sizes, the aliases are tiny...so how much space is left on the disc? If you look at the bottom of the window there is a subtle readout of how much space remains...it took me a while to notice that. Annoying! The information presented to the user simply isn't consistent (the directory listing adds up to a fraction of the 4.7 gig the volume is supposed to hold...yet you only have 200 meg left in which to save things?).

Finder is apparently resolving the aliases to the actual files when you tell it to burn the disc.

I suppose this isn't so bad if you're just accustomed to the Mac way of doing things, but it still isn't intuitive. This type of behavior, this type of need for the user to adapt to the Mac, that's unusual. Usually the Mac is way ahead of the curve in protecting the user from having to puzzle things out, and strangely enough (is the devil wearing a jacket?) Ubuntu Linux is ahead of the curve in intuitiveness in burning discs!

So I have a couple "Yay, Ubuntu!" sentiments today. I don't often get to say that, so when it does happen I acknowledge it.

Of course, both of these were way ahead of Windows, where last I knew you still had to download third-party software to burn discs. Both Ubuntu and OS X burn discs (and can mount them and do various operations on disc images) natively from the interface. Maybe things will change with Windows 7, or maybe Vista has features I'm unaware of, but it's 2009...get with the program already, Microsoft.

Saturday, May 16, 2009

Computer Security...Why Should You Care?

Computers are ubiquitous today. In the span of fifty years computers have not only become affordable but have shrunk down to the point of being home accessories like our DVD players and microwave ovens.

What used to be so large as to fill a room and require separate air conditioning and power supply systems to function...think ENIAC...now fits into our cellphones. Indeed, our cellphones have more computational power than was used to deliver our astronauts to the moon and get them back to Earth without turning them into crispy critters. Seeing someone toting a laptop computer hardly merits a second glance as we walk by.

Of course, the most popular operating system in use is Microsoft Windows, with well over 90% of home computers running some version of it (I think the last numbers I read put Windows at close to 97% of the operating system market). If you pay attention to any technology news you'll see regular reports of malware (think viruses, worms, spyware, etc.) as well as Microsoft's infamous Patch Tuesday bringing system updates every month; the fact that there's always something for you to install that Tuesday should tell you that after so many years and so many versions of Windows, Microsoft still hasn't ironed out the problems. That market share, combined with that steady supply of holes, makes Windows a very popular target among malware authors.

But you never notice any issues, right? You've never had a virus kill your computer. Or if you did, you just took it to some neighborhood geek to reinstall or fix it for you, or maybe paid too much for a Geek Squad agent to run his or her quick-fix diagnostics on your system before doing a reinstall anyway. No biggie.

Here's the issue.

Back in the eighties and nineties, malware was meant to be clever. Angry, malevolent but very clever hackers (and the term hacker is NOT synonymous with malevolence; I linked to a description for you to read up a little on it, and the vast majority of them take great offence at malware writing being treated as synonymous with hacking) would create a program that traveled from computer to computer and, at some particular time or event, triggered a payload that showed the world how clever they were. It would play a tune, or display goofy graphics onscreen or the text of some poem or message. Some punished users for being ignorant enough to get infected by the programmer's creation...the program would destroy the user's data or use some other technique to render the system inoperable.

This is the stereotype the typical user has of the bad things that happen to their computer aside from hardware failure.

What they fail to realize is that the goal of these programmers has shifted dramatically. It's no longer to show the world how clever the author is, or to punish users for being ignorant and invading their "cyber domains." To the contrary, these people are now being paid to take advantage of people who don't pay attention to their system security.

Malware isn't out to destroy your computer.

If you're aware that your system is infected with something, they screwed up.

Your computer can be infected right now and you'd not know it.

This is what people fail to understand. You're a wonderful target for other people to steal from, and taking your computer offline would be counterproductive.

Here are some things to think about...

Most people use the same password, or a password theme, for their online sites. I've read more than one case where criminals compromised a legitimate web business, set up a porn site (or fake porn site) on it, and replaced the login page with one of their own that steals the username, password and some other identifying information...then logged in to other sites as the victim. If bob@ibm.com tried getting into that site with a particular username and password...and ends up emailing some information along...what are the odds that the password is the same as, or very close to, the one he's using as an employee or contractor at IBM?

If malware is installed on your computer...again, you're not supposed to know it's even there...and captures your password credentials, what services are you using in our connected society through that keyboard? We had a service that let us track our daughter's cellphone location from the provider's website. We use multiple banks. Some bills are autopaid and tracked online. Credit card accounts. If one or more of these things is compromised, how much of a mess would you have to sort out?

How many of you keep track of your bills on your computer, with something like Quickbooks, for example? Some malware installs back doors on to your computer. If it's exposed to the webbertubes, this means that groups anywhere in the world, the groups that created and released the malware in the first place, can connect to and control your computer...this includes uploading your information. It's amazing how many people have financial records or personal information on their systems and don't think about what they're exposing if the files were stolen.

How many of you have private information that you'd rather not have advertised to others? Few of us would really be comfortable being open books. Would you want your clergy knowing your web browsing history? How about your employer? What about liability...after all, if you haven't even heard of the RIAA but your son or daughter found this neat program that can download the latest music for FREE, you may very well find yourself being sued for several thousand dollars you don't have. Congratulations!

What about emails? We treat email as a private medium. Racy notes from your spouse? Notes about you not minding seeing a bus as a fashion accessory for your boss? You don't bother learning silly things like how to erase old messages or keep your email folders trimmed and neat. You don't give a second thought to what your mail provider is doing with your email...backups? Copies? Your data...your emails...could easily be read by law enforcement (or nosy system administrators) without your knowledge. Some note that you thought was a harmless brain fart could cause problems if it got to the wrong eyes. And here's something else to think about...email isn't secure. If you aren't encrypting the message yourself, anyone between you and the recipient who cares to look can read it; between mail servers it is very often flying around the Internet as plain text, and you have no way of knowing whether any given hop protected it. And the law is not on your side, especially with data sent or received from your place of work.

And how often are you sending or receiving particular information...credit, insurance, phone numbers, even information on where you keep a spare key or will have one set aside for someone in some hidden location near the house or car?

The point is there is probably a lot of information on your computer, or accessed from your computer, that you don't want advertised to the general population. Malware infections today are specifically aimed at getting that information without your knowledge...if they do their job correctly, you never know when your keystrokes are recorded, files are transferred from your computer to another, or other private information is being eavesdropped on.

Most users never give a second thought to these issues and that paints a bullseye on their backs. Despite changes to Windows and a rise in awareness of privacy issues there is still not enough done to keep systems, and your data, secure.

Right now your best tool is education and awareness. Give some thought to issues raised in this post and evaluate whether you have more at stake after reading this blog entry...

Wednesday, May 13, 2009

iChat, Update, and User Experience

Mac OS X update 10.5.7 was released yesterday. I was listening to the Mac OS Ken podcast and heard that among all the changes was a mention of an update to iChat.

My immediate thought was, "Could they possibly have fixed that @#% connection bug??" I previously wrote about it here; sometimes I can video chat with people, often I get the "connection declined" error repeatedly. Sometimes it'll manage to connect. Frustrating, frustrating, frustrating...until I got tired of swearing at it and installed Skype, sent a message to my wife to download and install Skype on her system as well, and it Just Worked (tm).

I pulled up an article on Macworld's site that discussed the 10.5.7 changes. The author found that yes, there were changes made to iChat, but from the sounds of them they were cosmetic (although it seems he couldn't find the changes when he checked between 10.5.6 and the updated system).

Disappointing, but I guess I wasn't too surprised.

That got me to thinking...after all the hassle I had before, would I want to use iChat again now that I have Skype working?

This is an issue with the User Experience, something so many people just can't seem to grasp as a concept. I have bad memories of iChat, and I eventually got so fed up with it that I found my own solution that works well in my situation. I may use iChat if the issue is fixed, but I'm always wary of it and the only reason I'd go back is if I don't have time to get some new user to download and install Skype but rather use the software pre-installed on their Mac.

If you work in technology, especially in support, you cannot overestimate the importance of the user experience. Yes, users do dumb things. Yes, users sometimes make you want to stab yourself with a dull spoon to make the frustration go away. But the users make up the community you interact with on the webbertubes, and if their user experience sucks you're going to have problems with your product's reputation or your company's reputation, or, if you're a sysadmin, your users will find their own solutions and ignore you because to them you're an incompetent boob not worth listening to. They will also hate you for not listening to their issues and addressing their needs.

Thus leading to more frustration for you having to support them, leading to resentment, leading to more sales of Dilbert books.

Unfortunately technology today is about compromise. This issue with iChat has been ongoing for quite some time and a lot of people are having to deal with it and are left to find their own workarounds. Because of the many things Apple does do right combined with the alternatives...Windows? AAAHH! Linux? Most users would rather poke their eyes out than have to deal with various tech issues related to using Linux on their own...the Mac is still the best value for usability and system stability (and security) for the average home user.

There is a caveat. As geeks, we take our warts very seriously. We don't forgive when our favorite things are blemished and we feel we've been wronged. This annoyance is not something that will be easily forgiven, and the longer we're ignored over an issue the more vocal people will become about hating you for it. Worse, you have a competitor that has a solution that works. So what's the holdup, Apple? Why can't you get this right when some left-field startup managed to have a cross-platform solution with your features...video, audio, text chat...that just works?

Sunday, May 10, 2009

Antivirus Program Effectiveness

I was reading the report from www.av-comparatives.org detailing the results of their tests on 17 different antivirus products, with names like AVG, Norton, and McAfee among them. AV-Comparatives is an independent body that delivers objective tests on these programs and rates them on both effectiveness in detecting malware from a set of known bad programs and how many "false positives" they trigger.

I can't help but shake my head at these things. Antivirus software, that is. I hate them.

The average home user doesn't understand much other than "viruses are bad. Antiviruses protect me." So they slap a program on their system (or worse, they have one that came with the system that they eventually let lapse on the subscription) and consider themselves safe.

Here's a simple explanation of how these work. Antivirus software works on the theory that as bad software (malware) is discovered, the vendor releases what are called signatures: distinctive byte patterns, or hashes, of that malware for their product to look for.

When your computer accesses a file, the antivirus program running in memory intercepts the attempt to read it (an "on-access" scan). The program compares the file's contents against its database of signatures; if the file matches one, it's flagged as a virus.

Some antivirus programs also use what are called heuristics. Basically this means the antivirus program knows about a set of behaviors that are fairly common to the things malware does, and if a program you open shows enough of those behaviors it will flag it as potential malware even without a matching signature.

Many many many home users assume that having the software on their computer keeps them safe; that's like assuming that just because you bought your car that it'll keep running without little things like changing the oil. Doesn't work that way. Antivirus programs rely on having up-to-date signatures. That means they need to connect to the vendor periodically; once a day, every other day, once a week, and download the latest updates.

Some programs require a subscription to keep up to date. If you don't pay for the access, eventually they stop updating, and then you're vulnerable to new malware.

Other times the program, like Windows itself, requires updates. Antivirus software needs system-level access to every program and file, meaning your antivirus program runs with elevated privileges (typically a kernel driver plus a service running as SYSTEM). Oooh...what does that mean? It means that if certain bugs are discovered in your AV software, since your AV software has full rein over the computer (that's the elevated privileges part), attacking software taking advantage of the bug can basically do whatever it wants to do on your computer, like install other software or control what does and doesn't run anymore. And since the scanner's job is to open and parse every file that arrives on the system, a bug in one of its file parsers is reachable just by sending you a file.

Basically the antivirus software isn't hands-off. You need to make sure it keeps up to date both with fixes and new signature files. And your subscription, if your particular brand has this payment model, is up to date.

Let's suppose you do what you're supposed to do and keep everything up to date. You're safe, right?

Not necessarily.

Simple scenario. A "black hat hacker" creates new malware (or takes existing malware and modifies it just enough that the signature no longer registers it as known malware). The program is unleashed on the Internet.

Your signature database doesn't know about it. It's too new.

So someone has to get infected. Depending on the payload of this particular piece of malware it may get caught by the vendor with one of their honeypot networks or it may be discovered through heuristic checking or some researcher finds it. Regardless, someone has to discover it first.

Next that sample is sent to the vendor.

Then the vendor analyzes the sample and from that derives a signature.

The signature is added to the vendor's database.

Next your software needs to check in with the company and see, hey! There's an update waiting! Then the antivirus must download and restart itself so it is running with the new database.
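To make the signature model concrete, here is a toy scanner, an added example for this post and not code from any antivirus vendor, that walks through the cycle above: a constructed, harmless text file stands in for the malware, the "vendor" derives a hash signature and a byte-pattern signature from it, the "client" checks files against them and falls back to a crude behavior-count heuristic, and then the sample is altered a little at a time to show which checks survive. The behavior list, file names and threshold are made up for the example.

```sh
#!/bin/sh
# Toy signature-plus-heuristic scanner. Added example for this post, not code
# from any real antivirus product, and the "samples" it scans are constructed
# text files, not malware. It shows the model described above: a vendor
# derives signatures from a captured sample, the client matches files against
# them, and a slightly altered copy of the same sample slips straight past.

DB="${TMPDIR:-/tmp}/toy-av-signatures.txt"

# Whole-file SHA-256 (sha256sum on Linux, shasum on macOS/BSD).
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Vendor side: from a captured sample derive a hash signature and a pattern
# signature (a distinctive string the analyst picked) and publish both.
# Usage: derive_signature <sample> <name> <pattern-without-spaces>
derive_signature() {
    printf 'HASH %s %s\n' "$(file_hash "$1")" "$2" >> "$DB"
    printf 'PATTERN %s %s\n' "$3" "$2" >> "$DB"
}

# Client side: print a verdict for one file; exit status 0 means "flagged".
# Order matters: exact hash first, then byte patterns, then heuristics.
scan_file() {
    [ -f "$DB" ] || : > "$DB"
    h=$(file_hash "$1")
    name=$(grep "^HASH $h " "$DB" | head -n1 | cut -d' ' -f3)
    if [ -n "$name" ]; then echo "SIGNATURE-HASH:$name"; return 0; fi
    while read -r kind pat name; do
        [ "$kind" = PATTERN ] || continue
        if grep -qF -- "$pat" "$1"; then echo "SIGNATURE-PATTERN:$name"; return 0; fi
    done < "$DB"
    # Heuristic: behaviours (toy list, constructed for this example) that
    # legitimate software rarely combines. Two or more is suspicious.
    score=0
    for behaviour in 'RegWrite:HKLM\Run' 'SelfCopy' 'Connect:c2' 'DisableAV'; do
        if grep -qF -- "$behaviour" "$1"; then score=$((score + 1)); fi
    done
    if [ "$score" -ge 2 ]; then echo "HEURISTIC:score=$score"; return 0; fi
    echo "CLEAN"; return 1
}

# Walk through the detection window described above.
report() { printf '%-36s %s\n' "$1" "$(scan_file "$2" || true)"; }

demo() {
    : > "$DB"
    work=$(mktemp -d)
    # Constructed stand-in for a malicious binary (plain text, nothing runs).
    printf 'MZ-toy\nRegWrite:HKLM\\Run\nSelfCopy\nConnect:c2.example.invalid\nPADDING\n' > "$work/sample.bin"
    report "new sample, no signature yet:" "$work/sample.bin"        # only the heuristic fires
    derive_signature "$work/sample.bin" toy.a Connect:c2.example.invalid
    report "after vendor update:" "$work/sample.bin"                 # hash matches
    sed 's/PADDING/PADDINH/' "$work/sample.bin" > "$work/variant1.bin"
    report "one byte of padding changed:" "$work/variant1.bin"       # hash misses, pattern hits
    sed 's/c2\.example/c3.example/' "$work/variant1.bin" > "$work/variant2.bin"
    report "pattern region changed too:" "$work/variant2.bin"        # back to the heuristic
    printf 'MZ-toy\nRegWrite:HKLM\\Run\nPADDINH\n' > "$work/variant3.bin"
    report "behaviours trimmed below threshold:" "$work/variant3.bin"  # nothing flags it
    rm -rf "$work"
}
demo
```

Run it with sh and watch the verdict change: before the vendor has seen the sample only the heuristic catches it; after the signature update the hash matches; change one byte of padding and the hash misses but the pattern still hits; change the pattern region too and you're back to the heuristic; trim the behaviors below the threshold and it reads CLEAN. Real engines use far more sophisticated signatures and emulation, but the shape of the race is the same.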

This means there's a window of anywhere from hours to days before your computer has the signature to stop this new bit of malware. Believe it or not, if the malware is self-propagating on the Internet it can take as little as four minutes by some estimates (this one from the Internet Storm Center) for an unprotected machine to be hit by an infection attempt. There are some arguments about this being exaggerated, and there are other estimates for how long an unpatched Windows installation would last before being infected with something. But if you need to download a couple hundred megabytes in service packs and updates, it takes a lot longer than half an hour to get the computer hardened up; plenty of time to get scanned by infected systems on the Internet.

The underlying assumption is that the antivirus works up to par as well. A number of the programs tested by AV-Comparatives missed malware from their tests, or worse, had false positives. False positives are situations where your antivirus program labels a legitimate program as a virus and panics the user, making them think they have some terrible problem when really it's a poor signature in the database that, after another update or two, may be altered to fix the error.

The conclusion for this is that just because you have an antivirus program you can't sit back and assume you're safe. Your antivirus is flawed. The very model of having to download signatures from a vendor to be inoculated against malware means that you're playing a perpetual game of catch-up and you're always at the bleeding edge, waiting for whatever exploits are freshly released into the wild to possibly hit your computer before you get the latest updated signature file. And the whole time your computer is paying an incompetence tax because you have your antivirus program taking up memory and processor time scanning every file your computer accesses, slowing down your computer and adding more overhead and possibly more bugs and glitches to the operation of your system. Antivirus software is the toothpaste put into small holes in the sheetrock walls of college dorms; a band-aid solution to what is really a flaw in the design of Windows.

Stop relying on blind buzzwords to keep you safe. Learn how such things work to a degree that allows you to take responsibility for the safety and integrity of your information on your computer. Otherwise you're a target waiting to be hit.

Monday, May 4, 2009

Windows Updates, WSUS Style

Patch Tuesday. Another set of fixes comes down the pipes, and sysadmins hope as hard as they can that this batch won't break an application or system. Again.

When you have to administrate hundreds of systems and have very few people to cover them, you end up with a lot of systems going for months (or in some cases longer) without updates. This is especially true if you don't have a routine and policy in place for making sure all systems are updated within a particular period of time.

To help with the update chore, Microsoft created a free tool, Windows Server Update Services (WSUS): you set up a server on your network with a lot of dedicated disk space, that server downloads the updates from Microsoft, and your systems are configured (through Group Policy in Active Directory, when it works...) to look to that server on your much faster local network for updates rather than each pulling them from the Internet and slowing down your site's connection while others are working (or goofing off) online. It also keeps track of which systems are updated and what updates each still needs, and can control which systems get which updates.

The irritating part is that it only sometimes seems to really help.

  1. There's no web interface from the client that needs to be updated. In other words, I need the Windows Update service to see the updates and notify me. There's a command line utility you can run to tell it to try the updates, but it just runs and exits without feedback...it just tells the invisible background service, "Yeah, could you try checking now instead of later for updates?", and then you might be able to find a log somewhere that lists whether the service did anything. The conventional bandwidth-sucking method means I can just go to Microsoft's update website and click the button to start updates; from there I can get SOME feedback on what's going on.
  2. I found a script that is supposed to help with on-demand updates. I dutifully put it into a directory with a couple support programs, double click it, and in anywhere from five to fifteen minutes a script window pops up that tells me whether it's downloading updates or not. Some improved feedback, but c'mon!
  3. Just as the script's window pops up, I sometimes get the Windows Automatic Update "shield" in the system tray telling me there are updates to download. Sometimes it comes up while the script window hasn't appeared yet. In other words, I could easily end up running two updates in parallel, slowing me down even more because of a slip of attention.
  4. Sometimes it's not a slip in attention. Sometimes the script just doesn't work so I start the other process thinking the first attempt failed. There is sometimes an error from the script, sometimes not. ARGH!
  5. It appears that sometimes if a particular "pre-update" isn't installed, WSUS (the update server inside our network) simply won't work. Period. I have to do a manual update from Windows Update on Microsoft's site, defeating the purpose of having the internal server in the first place.
I'm not a professional programmer, but if I were designing this update server I really think it would be nice to have something that
  1. Gives feedback on your system's update status and current state of the updater.
  2. Allows the admin to pull updates on demand, not whenever the system decides to notice that there are updates waiting for it.
  3. Has better mechanisms for realizing you need various "pre-updates" in order to work properly.
It would be nice if your administration tools didn't make you want to scream and bash your head into a wall...when doing updates for Ubuntu, at least I can usually decipher my update progress and messages as things are zipping around on the console when not running the graphical front-end to the tools. Seems like Windows with all the enterprise penetration that operating system has and the fantastic developer tools available would have better tools for such a common chore!

Friday, May 1, 2009

Synergy!

Quick application review time!

If you have two or more computers at your desk, you probably know the irritation at having multiple mice and keyboards cluttering the workspace or you had to get a KVM switch, a box that lets you hook up one Keyboard, Video device, and Mouse (that's the acronym, in case you missed it) to two or more computers. This option also comes with the occasional loss of hair since some computers like to have issues with the keyboard not responding properly or the video mode going wonky if the computer switches on while it didn't have the KVM's focus or some other anomaly in behavior.

Here's one more alternative, with the assumption that your computers are networked and the other systems have their own displays near each other (you still have to give up desktop space to multiple monitors with this option). You designate your primary workstation as the "server", the system from which you want to use the keyboard and mouse. You then install Synergy on all the computers you want to control from this keyboard and mouse. On your "primary system" you run Synergy Server. On the other system(s) you run the client, telling them to connect (using the network address) to the server you're sitting at.

For my Ubuntu system it's even simpler...you can install a graphical front end for Synergy to set up the server options. I get a display with an icon between four points (actually labels); one each above, below, to the left and right of the computer icon. I enter the name of the client I want to allow in the box on the left side of the icon, and tell Synergy to run with the Execute button. Then on the client machine I type the command to have the Synergy client connect to my server, and voilà! When I slide my mouse pointer to the left side of the screen, it appears on the other computer. My mouse and keyboard are now controlling that system. Slide it offscreen to the right on the client, and it appears back on my "server". You can control up to four computers this way, sliding the pointer up, down, to the left or right of your primary monitor.

I use this function at work to control a second system I'm using right now and often have my laptop controlled this way when I need to access it on the desk to avoid stretching over things to reach the keyboard. I just need it open close enough that I can read the display and use my full size keyboard and mouse to pop into the laptop display when I need to enter commands on that system, then slide the pointer back off to my own display to resume working on that system.

It does not steal the client system's control of the mouse or keyboard either...if you reach over and type on that keyboard, it still works just fine.

Personally I like to tunnel over Secure Shell and have the Synergy client pointed at itself...SSH forwards the connection to my server, and that way what I'm typing is encrypted. But that's a bit advanced for many people to try setting up.
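Here is what that looks like on the command line, as an added example that is not part of the original post. The host name, user name, screen names and config path are assumptions, and the synergys/synergyc switches used are the 1.3-era command-line ones (--config, --address, --name). The reason for the tunnel is that Synergy's own protocol carries every keystroke across the network in the clear, so the server is told to listen on the loopback address only and the client reaches it through an SSH port forward:

```sh
#!/bin/sh
# Added example, not part of the original post: the "Synergy client pointed at
# itself over an SSH tunnel" setup. Host name, user name, screen names and the
# config path are assumptions; change them to match your machines.

SERVER_HOST="desktop.example.invalid"  # assumption: the machine whose keyboard/mouse you use
SERVER_USER="me"                       # assumption: your login on that machine
SERVER_SCREEN="desktop"                # Synergy screen names default to the host name
CLIENT_SCREEN="laptop"
CONF="${HOME}/.synergy.conf"
PORT=24800                             # Synergy's default TCP port

# Write a minimal server config: two screens, the laptop sitting to the LEFT
# of the desktop, so sliding the pointer off the left edge moves to it.
# Usage: write_conf <path> <server-screen> <client-screen>
write_conf() {
    cat > "$1" <<EOF
section: screens
    $2:
    $3:
end
section: links
    $2:
        left = $3
    $3:
        right = $2
end
EOF
}

# On the desktop (server): listen on the loopback address only. Nothing on the
# LAN can reach the keyboard/mouse stream directly; the only way in is the tunnel.
start_server() {
    write_conf "$CONF" "$SERVER_SCREEN" "$CLIENT_SCREEN"
    synergys --config "$CONF" --address "127.0.0.1:$PORT" --name "$SERVER_SCREEN"
}

# On the laptop (client): forward local port 24800 to the server's loopback
# 24800 over SSH (-N: no remote command, -f: background after authenticating),
# then point synergyc at the local end. Keystrokes cross the wire only inside SSH.
start_client() {
    ssh -f -N -L "$PORT:127.0.0.1:$PORT" "$SERVER_USER@$SERVER_HOST"
    synergyc --name "$CLIENT_SCREEN" "127.0.0.1:$PORT"
}

case "${1:-}" in
    server) start_server ;;
    client) start_client ;;
    *) echo "usage: $0 server|client" >&2 ;;
esac
```

Run `sh synergy-tunnel.sh server` on the desktop first, then `sh synergy-tunnel.sh client` on the laptop. Because synergys is bound to 127.0.0.1 there is nothing to open on the firewall and nothing else on the LAN can connect to it; the only route is the SSH session, which puts SSH's host-key check and your normal SSH authentication in front of the keyboard and mouse stream.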

Synergy itself is cross platform; you can use any combination of Windows, Linux, and OS X systems to control with it (I use it on two Linux systems and the Mac notebook). This is one of those utilities that fills a really niche need, and it fills that need well.

If you're using multiple systems at your desk, or need to occasionally pop open your notebook computer while at your desktop computer and want a little more convenience in arranging your desktop real estate, look into Synergy as a way to help simplify things a bit. I'm glad I found it!