Wednesday, November 18, 2009

I Hate VISTA!

There are many things that factor into user-friendliness and it absolutely floors me that something like Vista was released so many years after Apple's OS X, an operating system that has been hailed as a shining example of user friendliness. I can understand many of the shortcomings of Linux in this area...it's largely developed by geeks that like to do what they can to prevent the average user from entering the sacred halls of geekdom, and creating pain among users is a secret handshake in our meritocracy.

But when you're the dominant operating system vendor with millions of users and millions and millions of dollars in R&D, what excuse do you really have for releasing something that is actually several times more frustrating than anything a bunch of geeks have (laughingly) "designed"?

I had to work on a laptop (yes, that I previously had worked on with Vista Home Edition) that was reported as saying that it "needed to update the antivirus but need administrator to do it."

Okay, shouldn't be hard. The antivirus is one that I'm not too crazy over because it, too, has in my opinion design flaws that drive me freakin' batty as well...Central Command's Vexira. However, I take the laptop and start to work.

I ended up having the laptop brought home. I spend some time trying to get Vista to find my wireless network (usually with XP it's a simple matter of clicking the wireless icon in the tool bar and selecting from a list, but this Vista laptop wouldn't show that to me). I eventually found in the networking control panel a line in English, in tiny print, telling me I can "find a network." Fair enough.

It found my (unsecured) wireless network. Join it. Warning: "EVERYONE WILL SEE WHAT YOU'RE DOING!" Then it gave a button that didn't look like a button to continue on anyway. I thought it was a label of some sort...nope, just an awkwardly labeled button in the interface. I twitched a little.

It joined my wireless network, telling me the signal strength was excellent. I then right clicked on the Vexira system tray icon and told it to update. And waited. After a few moments I noticed a blinking task bar icon; click that, it tells me that there's a system notice. Click that, and the screen does the obligatory blanking-switch-to-system-screen. Told it to update, and it belches an error with the connection.

Huh?

Told it to "return to my desktop", leading to the laptop blinking a few times.

I was disconnected from the wireless. No reason why, just not connected.

I sigh and go through all the steps to reconnect and once again bring up the update interface on the "special annoy the hell out of the user" desktop.

SAME @#% ERROR. I returned to the regular interface and check the network connection. Disconnected.

I tell the bloody thing to reconnect, and this time "remember the network" and "connect automatically". This time the notebook connected and stayed connected.

That wasn't the end of the problems, but my gripe here is about Vista, not Vexira. I don't understand why the connection was:
A) so awkward to connect to in the first place.
B) kept disconnecting without notice.
C) had so many @#% clicks to find, establish, and re-establish.

This was on top of the issue with having to switch desktop modes a few times and having the display click and clack as it changed back and forth (resetting video modes? Redetecting the display? I don't know; from the user perspective, all I know is that it ticked me off having to repeatedly go through that annoyance).

I'm a big believer in preventing friction in a user experience. I do what I can to minimize this friction; one thing I do to make it as least annoying as possible is to secure my systems from intrusion and monitor my network usage while removing encryption from my wireless network to make it friendly to the myriad devices we use. This should have made connecting to my wireless network a simple matter of "show available networks, select, connect." So why wouldn't this @#$% notebook connect and stay connected?

Once I told it to "remember the network" and "connect automatically", it stayed connected long enough for me to get a dose of hate for Vexira. The wireless network worked without issues for my wife's Mac. My own Mac hasn't had issues. My iPod hasn't had issues. So unless something is flaky with that notebook's hardware...which hasn't been reported (although possible)...it tells me that my headaches were Vista-related.

It's almost like Vista was going out of its way to make this three times more difficult than it needed to be! Another checkmark on why I hate Vista. Supposedly Windows 7 improves this dramatically. Me, I'm not so sure I care. There's an Apple ad that pokes fun at the "it has none of the problems Vista had...it has none of the problems XP had...it has none of the problems Windows 2000 had..." There comes a point where I just don't care anymore. When the track record goes this far down, when the experience just fails so hard and far, when I've switched to another platform altogether and found it to be a huge improvement to my ulcers...

I. Just. Don't. Care.

Pay me to try Windows 7, and I might try it. If not then I'll wait until I absolutely need to deal with a new set of headaches.

Tuesday, November 10, 2009

Tech Support With a Tinge of Irritation

I just got a call from family for another round of tech support. I always realize after the fact just how irritated I sound when I get these calls.

It's a tough situation to be in. Of course there's my much mentioned personality disorders. But I also have tech support obligations at my day job. For many years I get calls for the same issues, over and over, usually dealing with people who are unhappy to begin with because they broke or lost something on their computer or can't be bothered to read and comprehend a statement on the screen. More often than not it's something that they called about a few months ago. Same issues. Over and over. And I dutifully repeat myself. Over and over.

I've heard many times how often tech support is a burnout job. No one stays sane in that position for long. And I've been doing it a long time. Repairing. Swapping. Answering repetitive questions. Educating over and over, the user never quite comprehending.

Worse, I'm normally regarded with a feeling of disdain. The movies make this stuff look simple. Why can't I just type a few words into the keyboard and have it work? I mean, The Matrix, The Net, the latest Die Hard, Wargames...they made it all so simple. Maybe I should pull a Tron and just jump through the screen and make it work for them. It's a simple job, making them wait longer while I decipher what the hell they're talking about is just irritating them. I must be doing it on purpose.

Better yet, tell me how you're not a computer person. Or how stupid computers are. How you hate them. I love hearing how my college investment and years of work were all pointless. And I'm still obligated to help you.

Then my family and friends want help. At work, we generally know what the systems have, how they work, how the network is configured. I generally know what you're supposed to be doing to get your documents. What applications, generally, you're running. When you are calling from home you've installed games, you've altered settings, I can't see what you're seeing. I need to rely on your descriptions. I need to strain to remember what you're running. Sometimes I remember. Sometimes I can't remember what I wore yesterday.

They get frustrated. I'm already irritated. It never ends well. They get free service at the price of putting up with my terse commands and repetitive issuance of directions. I remind myself that technology doesn't dance to the stroke of keys for them the way it does for me. I feel swells of anger at them not being willing to help themselves by working on basic functions like knowing where they put the damn files they created. I feel waves of frustration at their descriptions of things I can't see but need to know in order to instinctively discern the true nature of the problem. Then I have to remind myself once again...I don't know things they specialize in, they don't know things I specialize in.

Frustrating. And I always regret sounding like the ass after the fact. Maybe someday I will find a better coping mechanism. sigh.

Antivirus Programs vs. the Malware

AV-Comparatives, a name in online antivirus testing, has released the results of their 2009 malware removal tests pitting 16 antivirus programs against each other to test their ability to clean out malware from systems.

The results? None of the tested programs rated a "very good." The link above takes you to the full results of the test complete with a thorough description of the test methodology.

Not that it's a big surprise. At least not to people that have to deal with this crap all the time.

The fact is that once a system is infected, there's no way to trust that it hasn't been modified in a way to prevent you from finding it. It could change operating system files so that utilities can't see the malware or see indications of the infection (like replacing netstat so that you can't see network activity linked to the malware). You don't know if it's hidden in the filesystem so it's invisible (see what NTFS filestreams are; oddly enough there isn't much in the way of native tools with Windows to let you find the damn things, but they are simple to use for hiding data and there is malware that can hide information using them). You don't know if malware is downloading more in the background or working to create backdoor access to your system or if it's monitoring your keystrokes for passwords or uploading your documents to file sharing sites.
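
What the post calls NTFS filestreams are alternate data streams. As an added example (not from the original post), the script below lists them under a directory using PowerShell 3.0 or later, which was released after this post was written; the `$Root` and `$ZoneIdMaxBytes` parameter names and the 1 KB threshold are assumptions chosen for illustration.

```powershell
# Added example: report NTFS alternate data streams (ADS) on files under a directory.
# Requires PowerShell 3.0+ and an NTFS volume. Only files are scanned here;
# directories can also carry streams, which this script does not cover.
param(
    [string]$Root = $PWD.Path,      # directory to scan (assumed default: current directory)
    [int]$ZoneIdMaxBytes = 1024     # assumed threshold: a normal Zone.Identifier is tiny
)

Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * returns one object per stream, including the unnamed main stream
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object {
                # Skip the main data stream every file has
                $_.Stream -ne ':$DATA' -and
                # Skip the "downloaded from the Internet" marker unless it is
                # suspiciously large, since the name alone proves nothing
                -not ($_.Stream -eq 'Zone.Identifier' -and $_.Length -le $ZoneIdMaxBytes)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    } |
    Sort-Object Bytes -Descending   # largest hidden payloads first
```

Because an infected system's own tools can't be trusted, as the paragraph above points out, a scan like this means more when run against the disk from a known-clean environment.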

Many malware programs are made in a way to recognize attempts to detect them or remove them or know about popular antivirus programs so they work to cripple your ability to update your antivirus program or break the installation of your antivirus.

It's an arms race. The only way to be "safe" is to not get infected in the first place, since I've mentioned what they can do once in your system and the antivirus programs rely heavily on signatures for detecting malware.

But think about it.

You install antivirus with Monday's signatures.
Tuesday a malware author creates a new "virus" and releases it.
Tuesday night a honeypot used by your antivirus vendor detects the new malware.
Mid-Wednesday the vendor has finished reverse engineering the malware and has created a new signature.
Wednesday afternoon the vendor has added the signature to their latest update list.
Hmm...when are you updating your signatures? Every hour? Once a day? Every night?

Even if you update every hour, that's an hour window where you were open to infection by that malware. There are hours and hours, at least, between a malware program's release and a vendor getting it, analyzing it, creating a signature, uploading that, then you downloading the "fix". On the Internet you can be infected by scanning worms and malware within minutes.

That means that for most users the topic of computers and viruses is a cat and mouse game, always playing catch-up. And that's if the user even bothers paying attention to the issue (judging from my web server logs, most don't).

Worse, it's not like you can install multiple antivirus programs and overlap protection. Nope. They will normally end up interfering with each other. You have to pick one and enjoy it. Plus they add overhead by scanning every file your system opens up as they work; there's a memory and CPU cycle cost to doing this.

And again. It's. Not. Completely. Effective.

You can minimize the risk by using "less popular" systems like Linux or OS X instead of Windows. That helps, but doesn't make you immune.

How do you stay safe?
Educate yourself about proper system maintenance.
Stay updated with your vendor's bug fixes and patches.
Educate yourself about how malware spreads; don't install programs from random websites, or give your information to websites that aren't encrypted and aren't reputable.
Pay attention to warnings about addons running in your web browser or programs trying to install or run.
Pay attention to your system so you can be aware of anomalies in behavior. If it's suddenly getting slower or starts acting weird those are red flags.
If you use an antivirus keep it up to date with the latest signatures.
Install specialized anti-malware programs like Spybot Search-and-Destroy. Keep it updated.
Pay attention to security warnings.
Educate yourself on how to use Google to check into programs before you install them. A lot of sites have fake "virus detected!" popups with offers to clean it with a particular product, when the product is actually the malware.

All of these are good starts to keeping safer while using the Internet. Antivirus and anti-malware programs alone aren't 100% effective. Education is a wonderful way to help curb your personal information becoming public.

Sunday, November 8, 2009

System Administrators, Let's Hang Out

I found this question on one of my favorite tech help sites, serverfault.com. It's a wonderful wonderful resource for help (totally free!) for people who are system administrators by day and geeks by night. It's actually one of the "trilogy" of websites; there's serverfault for admins, stackoverflow.com for programmers, and superuser.com for "power users".

One of the things that seems to be underserved on the webbertubes is a good community for system administrators and geeks. The closest I've really found so far is serverfault, but really it's a help site; you have a question, you get answers from peers (that are vetted and voted up or down by peers as well). But a social site for geeks?

So someone asked where system admins go online to "hang out" and be geeky. There seem to be some good leads with that question, but still it's not flooded with answers. Weird...you'd think that the Internet would have some good sources of respite from neurotypicals online.

Part of me wonders if in general sysadmins are antisocial even in an environment as socially hostile as the Internet to the point where they can't even bother to show up at online hangouts made for them.

At any rate for now I get a good geek fix from Serverfault. If you're a programmer, check out Stackoverflow or if you're just a power user go to Superuser. If you have an interest in...just about anything else, check out the Stackexchange site, where there are sites using the Stackoverflow engine to run specialty sites for asking and getting advice on everything from parenting to World of Warcraft. Okay, maybe not tons of sites yet, and directories are being created but it is growing rapidly...check them out and let me know if you've found any gems in these sites! It would be great if I managed to give a reader something useful to work with.

Documenting Configurations

I had an incident that reminded me of an aspect to system administration that we as system administrators don't often address.

It's a "dirty thought", the thing that ends up being on our minds without usually being said. An elephant in the room, if you will.

That thought is just how much of our jobs is to protect users from themselves.

I had a user call up to say their program wasn't working. I'll call it Widgetapp. She is the only one that uses Widgetapp. It's an older program (not extremely old, but about five years in age or so), and it's used to track a vital bit of data on a couple thousand of our users for HR purposes.

Since she's the only user that uses Widgetapp she is the only one with a PC that has the application installed.

I viewed her desktop and found that the program was opening a "sample database" meant for training purposes. Oh...no problem. I use File->open to open the other database with our live data.

I couldn't find it on her PC.

Hmm...this could be bad.

Her desktop doesn't have a backup agent of any sort on it; users are instructed to save all data to their home directories and the servers are then backed up regularly (when the backup server is double checked that it is working properly, that is). I looked at what kind of file the database was and started searching her PC for similar files. Nothing.

At this point I was getting irritated; I couldn't imagine why, if I've worked with this application before (it rarely needed fixing or alterations made) and the application allows you to specify a location for the database file, I wouldn't have stuck it onto the server.

I started looking for a backup of the database on the server used for her department. I hoped that there would be a database that was at most a few weeks old.

Instead I found an oddly named folder that had an uncompressed database file. I created a new folder just above that with a more obvious name (Widgetapp_database) and copied the suspicious contents to that folder then pointed the program to that database and opened it and then had the user check the database; her most recent entries were there!

From what I could piece together my suspicion that I had pointed the program to a database on the server (where it would be backed up regularly) was indeed what I had done. At some point when the company made an upgrade to Widgetapp they moved the folder (still on the server) to another location.

The user probably had a network issue or some other problem where she ended up pointing the program to a default "training" database on her local hard disk. She had no idea that data was actually residing on a shared folder so it was up to us to know this...and we didn't.

Lessons?

A) Keep application data centralized. Programs that don't allow you to point to network shares or UNC's or IP's of application servers are crap. Centralizing the data allows you to centralize your backup management.
B) Document your applications. Document your changes. Document your configurations. Document everything.
C) Users won't have a freakin' clue what you're talking about.

Our organization doesn't do a lot of documentation. We don't have the manpower to properly handle it, and it's a situation that isn't going to change in the near future.

We expect users with specialized software needs to keep track of certain things with those applications. Again, we're extremely shorthanded in our duties and so we make an unreasonable assumption that the user will take responsibility for applications they insist they need. In the end they don't. I consider this another elephant in the room...we know we're doing wrong by it but do it anyway. What normally ends up happening is we end up spinning our wheels for a time because we're re-learning how to use the application or figuring out how something was configured instead of having an up to date reference that spells it out. Then we end up sometimes creating a new method to work around the issue or fix the problem that counters what one of our coworkers initially did. Hilarity ensues if that other coworker is the next one called in to fix the next mess.


I guess the biggest fail here is lack of documentation. We are shorthanded so we take shortcuts. This means we don't keep track of changes made to systems, we're just starting to document procedures, and no work has gone into properly making documentation available (not just available as in collected in some tome on a shelf; available means being able to actually find the information you need, and that means leveraging a wiki or issue tracking database for the troubleshooters to use for getting user and system history and tracking configuration issues).

In this case there was a happy ending. The user's database was found and the application worked once again. The user was happy. And I re-discovered how the application was set up, so I managed to solve my puzzle of the day. The next time I may not be so lucky.

Friday, November 6, 2009

A Video Game that Deletes Your Home Directory Files

Created as an art project, Lose/Lose is a Macintosh game that looks a bit like that 80's classic Space Invaders. The difference is, as is warned explicitly on the author's home page, each alien you kill will delete a file in your home directory.

The story made its way to AppleInsider.

I've already railed on users not bothering to read directions or popups and warnings. This program is clearly a joke on people who don't bother to do so.

However a second twist came up in that several antivirus firms are classifying it as malware and a trojan. They claim that other people may take the program and repackage it without the warnings of dire consequences so that people will delete their files.

First, this is silly. The vast majority of malware authors out there are working to make money now. They do it by taking over the machines in order to blackmail other users (give us money or your drive is encrypted), commandeer users' computers to remote control them in order to blackmail other users (give us money or you will suffer a denial of service attack), and commandeer users' computers to remote control them in order to overwhelm anti-spam efforts (turn computers into zombies that send spam). Oh, and I'd be remiss if I didn't mention the take over the computer to record files and keystrokes so they get your login information to banks and corporate sites.

Overall, the key to malware authors getting profits from ignorant users is to not get caught on the computer. If you disable the computer, they can't get money. They can't resend spam. They lose a zombie on their network of controlled machines. So unless it's a targeted attack, repackaging something that deletes home directory files is nothing more than digital vandalism (or a serious middle finger of misplaced anger at ignorant users to teach them a lesson).

In other words, it's a waste of time for malware authors.

On the other hand antivirus authors love this crap. "It's evil!" they laugh. "It'll destroy your computer! Plus it adds another signature to our database to increase the number we can post on our site so we look better than our competitors..."

They know damn well it's not a serious threat.

Ken Thompson (if you don't know the name you're obviously not a computer person...just saying...) wrote a wonderful paper called Reflections on Trusting Trust wherein he described a compiler that was altered so it added a back door to the Unix Login program. He said that people normally audit the human-written source code to programs and trust the compiler, the program used to turn that source code into machine code. His alteration added a back door to the Login program and also had the ability to recognize when it was compiling a new version of the compiler, adding that backdoor-compilation-code to the new compiler as well.

In other words, this program questions trust. In order to install a program on the Mac (or Linux or Windows now) you have to authenticate as an administrative user. "Yes, I want to do this."

The problem is that you're normally installing programs from people you never met. You didn't write it. You didn't audit it. What's to stop the new trial software you downloaded from the webbertubes from uploading your financial information in the background while you're playing? If you granted it administrative access when installing the program, absolutely nothing will stop it.

Users simply trust that there's no chance (or a very slim chance) of that happening. They trust the authority of Those That Know More About This Shit Than I Do(tm).

Classifying Lose/Lose as malware (or potential malware) is silly and a waste of time. Any jackass that is worth their programming salt would come up with a better version than some retro 80's video game to attract more users rather than spend the time reverse engineering this little game, and even if they didn't, the time invested in removing the warnings would still probably not take much more to alter the compiled program so that it won't trip the signatures in the antivirus programs.

Hell...I could email a script to someone telling them to execute it and all it does is "rm -fr /". Got a signature for that, vendors?

The fact is that uneducated and ignorant users will always be a weakness in the system. There is no bringing them up to speed because they're not interested. See the number of cars that are on the streets in the US? How many of them don't know how to change a tire? Which, arguably, is one of the simplest tasks for car owners yet a rather important thing to know when they have a flat and are on their way somewhere. Lots of people have computers, they're ubiquitous, many people have come to rely on them for various tasks in their lives...yet they sure aren't flocking to the computer section of Barnes and Noble to learn how to properly maintain their system. Most of the time I'm lucky to find a user that even runs Windows Updates on their system.

So what's the summary here?
A) Users won't read warnings.
B) Antivirus vendors will do anything to look good.
C) If I can get you to install a program on your computer, you're not secure. You're probably fine. But you're not secure.

Thursday, November 5, 2009

Why Ask "Are You Sure?"

Joel Spolsky mentioned the question of why programmers bother having applications ask for confirmation from users before performing some task. He said that it seems to serve only one purpose; to make the user feel guilty.

The reasoning as I remember was that users, not being "computer people", don't know what to do when confronted with a confirmation. They don't care to know. They trust in the programmer...the "computer techie people"...to know what's best, so they just go ahead and confirm whatever it is that pops up.

So he said that the only reason to do it was to make them feel stupid. This way they confirm whatever it was that pops up, then find out it deleted something or did something they didn't mean to do, then know that they had the confirmation warning them not to do it and they said to do it anyway.

"Oh! I'm an idiot! I should have chosen something else!"

Personally I'm not sure that users feel stupid about making a mistake. They just blame the application, programmer, or "stupid computer". Maybe some feel like idiots, but I'm thinking they're not in the majority.

I hate those stupid confirmations. Users don't read confirmations or licenses or any of the "user friendly" crap that is thrown into Windows (do any tech people use the "friendly" control panel? I immediately switched to the old style while using XP).

I prefer having a straightforward set of tools that do what I want. Clear labeling for buttons, straightforward questions and queries that leave no ambiguity about what happens when you select yes or no (OS X is famous for eliminating a lot of the ambiguity from their selection dialogs), having a simple way to navigate the interface instead of five ways to accomplish one task...those are hallmarks of good design. Any roadblock you throw up in a workflow is a bad thing; users tend to not read them anyway! Even if they did, they claim they didn't understand it. So they just trust that the programmer selected sane defaults and click right through them.

I think this is what Mark Shuttleworth calls a papercut...little things that aren't bugs, per se, but added up create a bad user experience. It's a waste of bits and annoying as hell when you just want to get something done. I truly wish that there was a way to have an operating system that possessed an interface that doesn't try whatever it can do to get in your way with inane and worthless dialog boxes.

Is there any reason to have an "are you sure?" dialog box or other cutesy abstractions to the system? Maybe for things that are blatantly destructive (About to format volume C: in 10 seconds...), but other things...I'm not so sure. Anyone have experiences or opinions to share?

Tuesday, November 3, 2009

Security ID: NewSID is Retired?!

Mark Russinovich had this interesting blog article. He retired the NewSID utility.

If you didn't know, the NewSID utility was part of the Sysinternals suite of free Windows tools and was used to change the Security ID used on Windows NT based systems. The article explains more, but basically the SID identified certain accounts on the computer (the names associated with them are a friendly format for people to read, the SID was the machine version that actually mattered, similar to the userid in Unix systems mapping 0 to Root; anyone with userid 0 was considered Root).

Mark is a guru in the Windows world; he wrote NewSID, so when he posts his explanation that basically the SID is useless and doesn't need to be changed then questioning him is like questioning the Bible. It just isn't done.

The weird part is that I've had systems at work that acted very very strange on the Active Directory domain if they had a SID that matched another machine. Use NewSID, and suddenly issues went away. Coincidence?

Hmm...

Monday, November 2, 2009

Karmic Koala Released!

Great news, Ubuntu 9.10, called Karmic Koala, has been released!

I upgraded my workstation at work and my home workstation and so far haven't had major issues.

It took about four hours over a dedicated connection to do an in-place (read: told 9.04 to upgrade to 9.10 instead of formatting and reinstalling a clean version) upgrade. Probably would have gone faster if I tried using a CD image to upgrade, but I haven't tried that. I just opened the update-manager and clicked on the button that said a new release was available; upgrade-manager handled the rest.

While it upgraded I couldn't help but think about the people that are upgrading to Windows 7. People are trying to grab release candidates, downloading pirated versions, paying hundreds of dollars for a store copy, or having to buy a new computer to get the latest version of Windows.

Usually the upgrades go fairly well, but when the upgrade goes wonky...I get especially mad, because it usually means I paid to get screwed. I paid money to lose my time in the upgrade, have hassle in trying to get things working, and basically I paid to create a headache for myself (whether the upgrade went well or not I still lose time in the process of upgrading). I also get more irritated at the idea that I paid for the operating system only to run into later headaches with the OS, but that's another topic.

Karmic, on the other hand, is Ubuntu Linux. Free. It has some irritations and quirks; it's not perfect and I would never claim it was. And I was upgrading to the latest and greatest version without paying anything but time. If something broke, I lost time. Not money. No expectation of support, and no resentment at a company charging me to get stabbed with such expectations.

My upgrade went well both times with one minor exception; one irritation with Ubuntu has been the network manager. It sucks. Never seems to work right. So the first thing I do is install Wicd, which drops in place and replaces the network manager. My work system kept everything just fine, while my home system replaced Wicd with Network Manager again, and lost my static IP entry and thus broke my port redirection from my home router. I came home, checked out what happened, and told Synaptic to reinstall Wicd and all worked fine again.

I'm still experimenting with Karmic to see if things that quirked and broke in the previous release work in this one. Some of my compiz graphics coolness would malfunction or barf on my home system so I had to turn it off; now I've reactivated some of the goodies to see how well (or horrible) it works now. My work system used to lock up if compiz effects were left on too long. My home system just had weird application crashes. I upgraded before Halloween and so far it seems to be working better.

Canonical (the company behind Ubuntu) has integrated a new cloud-storage system so I could, if I wished, upload 2 gig of data for free to a storage area on their servers that then I could access from any other Ubuntu system or use a web browser to download documents and files to other systems. Not something I see me using, but maybe in the future something will come of it since Apple has been trying to leverage their version of cloud storage with Mobile Me and Microsoft has a trial system in place as well.

Canonical also changed the software installation system. Right now it's mostly eye candy changes, not something overly functional, and they're expecting the next release (probably next April) to include greater functional changes to the installation system so users can find and install software more easily.

Other than that, it's a lot of incremental usability and bug fixes. Nice touches, nice refinements, and best of all, I didn't have to pay for the upgrade. As soon as it was ready I clicked a button and got it.

I'm sure most Windows users I know will be upgrading soon. They usually do as soon as they need a new computer, since then it's preinstalled...

Sunday, November 1, 2009

Managing Geeks

Not a long post today. Primarily wanted to share that when it comes to managing geeks and IT people in general, they tend to self-organize under a form of meritocracy built on a foundation of respect.

Definitely a good editorial. Too bad more Pointy Haired Bosses and managers don't seem to "get" this idea.

Check the post out at this link.