Saturday, May 16, 2009

Computer Security...Why Should You Care?

Computers are ubiquitous today. In the span of fifty years computers have not only become affordable but have shrunk down to the point of being home accessories like our DVD players and microwave ovens.

What used to be so large as to fill a room and require separate air conditioning and power supply systems to function...think ENIAC...now fits into our cellphones. Indeed, our cellphones have more computational power than was used to accurately deliver our astronauts to the moon and get them back to Earth without turning them into crispy critters. Seeing someone toting a laptop computer is hardly a sight that merits a second glance as we walk by.

Of course, the most popular operating system in use is Microsoft Windows, with well over 90% of home computers having some version of Windows installed (I think the last numbers I read were close to 97% of the operating system market belongs to Windows). If you pay attention to any technology news you'll see various reports of malware (think of viruses, worms, spyware, etc.) as well as Microsoft's infamous Patch Tuesday bringing system updates every month; the fact that there's always something for you to install on your system that Tuesday should tell you that after so many years and so many versions of Windows Microsoft still hasn't ironed out problems. This of course makes Windows a very popular target among malware authors.

But you never notice any issues, right? You've never had a virus kill your computer. Or if you did, you just took it to some neighborhood geek to reinstall or fix it for you, or maybe paid too much for a Geek Squad agent to run his or her quick-fix diagnostics on your system before doing a reinstall anyway. No biggie.

Here's the issue.

Back in the eighties and nineties, malware was meant to be clever. Angry, malevolent but very clever hackers (and the term hackers is NOT synonymous with malevolence; I linked to a description for you to read up a little on it and the vast majority of them take great offence to malware writings being synonymous with the term hacker) would create a program that would travel from computer to computer and at some particular time or event have a payload triggered that would display to the world how clever they were. It would play a tune, or display goofy graphics onscreen or the text of some poem or message. Some punished users for being ignorant users stupid enough to get infected by the malevolent programmer's creations...the program would destroy the user's data or use some other technique to render the system inoperable.

This is the stereotype the typical user has of the bad things that happen to their computer aside from hardware failure.

What they fail to realize is that the goal of these programmers today has shifted dramatically. It's no longer to show how clever the program authors are to the world, or to punish users for being ignorant and invading their "cyber domains." To the contrary, these people are being employed to take advantage of people who don't pay attention to their system security.

Malware isn't out to destroy your computer.

If you're aware that your system is infected with something, they screwed up.

Your computer can be infected right now and you'd not know it.

This is what people fail to understand. You're a wonderful target for other people to steal from, and taking your computer offline would be counterproductive.

Here are some things to think about...

Most people use the same password or password theme for their online sites. I've read more than one case where people set up a porn site or fake porn site by hacking a legitimate web business, replaced the login page with one of their own making that steals the password and some other identifying information, then managed to log in to other sites as the victim. If bob@ibm.com tried getting into the site with a particular username and password...ends up emailing some information...what are the odds that the password is either the same or very close to the one he's using as an employee or contractor at IBM?

If malware is installed on your computer...again, you're not supposed to know it's even there...and gets your password credentials, what services are you using in our connected society with interaction through that keyboard? We had a service that let us track our daughter's cellphone location from the provider's website. We use multiple banks. Some bills are autopaid and tracked online. Credit card accounts. If one or more of these things are compromised, how much of a pain would sorting the resulting mess create for you?

How many of you keep track of your bills on your computer, with something like Quickbooks, for example? Some malware installs back doors on to your computer. If it's exposed to the webbertubes, this means that groups anywhere in the world, the groups that created and released the malware in the first place, can connect to and control your computer...this includes uploading your information. It's amazing how many people have financial records or personal information on their systems and don't think about what they're exposing if the files were stolen.

How many of you have private information that you'd rather not have advertised to others? Few of us really wouldn't mind being open books. Would you want your clergy knowing your web browsing history? How about your employer? What about liability...after all, if you haven't even heard of the RIAA but your son or daughter found this neat program that can download the latest music for FREE, you may very well find yourself being sued for several thousand dollars you don't have. Congratulations!

What about emails? We treat email as a private medium. Racy notes from your spouse? Notes about you not minding seeing a bus as a fashion accessory for your boss? You don't bother learning silly things like how to erase old messages or keep your email folders trimmed and neat. You don't give a second thought to what your mail provider is doing with your email...backups? Copies? Your data...your emails...could easily be read by law enforcement (or nosy system administrators) without your knowledge. Some note that you thought was a harmless brain fart could cause problems if it got to the wrong eyes. And here's something else to think about...email isn't secure. If you aren't encrypting the data, anyone can read it. It's flying around the Internet as plain text. And the law is not on your side, especially with data sent or received from your place of work.

And how often are you sending or receiving particular information...credit, insurance, phone numbers, even information on where you keep a spare key or will have one set aside for someone in some hidden location near the house or car?

The point is there is probably a lot of information on your computer, or accessed from your computer, that you don't want advertised to the general population. Malware infections today are specifically aimed at getting that information without your knowledge...if they do their job correctly, you never know when your keystrokes are recorded, files are transferred from your computer to another, or other private information is being eavesdropped on.

Most users never give a second thought to these issues and that paints a bullseye on their backs. Despite changes to Windows and a rise in awareness of privacy issues there is still not enough done to keep systems, and your data, secure.

Right now your best tool is education and awareness. Give some thought to issues raised in this post and evaluate whether you have more at stake after reading this blog entry...

Wednesday, May 13, 2009

iChat, Update, and User Experience

Mac OS X update 10.5.7 was released yesterday. I was listening to the Mac OS Ken podcast and heard that among all the changes was a mention of an update to iChat.

My immediate thought was, "Could they possibly have fixed that @#% connection bug??" I previously wrote about it here; sometimes I can video chat with people, often I get the "connection declined" error repeatedly. Sometimes it'll manage to connect. Frustrating, frustrating, frustrating...until I got tired of swearing at it and installed Skype, sent a message to my wife to download and install Skype on her system as well, and it Just Worked (tm).

I pulled up an article on Macworld's site that discussed the 10.5.7 changes. The author found that yes, there were changes made to iChat, but from the sounds of them they were cosmetic (although it seems he couldn't find the changes when he checked between 10.5.6 and the updated system).

Disappointing, but I guess I wasn't too surprised.

That got me to thinking...after all the hassle I had before, would I want to use iChat again now that I have Skype working?

This is an issue with the User Experience, something so many people just can't seem to grasp as a concept. I have bad memories of iChat, and I eventually got so fed up with it that I found my own solution that works well in my situation. I may use iChat if the issue is fixed, but I'm always wary of it and the only reason I'd go back is if I don't have time to get some new user to download and install Skype but rather use the software pre-installed on their Mac.

If you work in technology, especially in support, you cannot underestimate the importance of the user experience. Yes, users do dumb things. Yes, users make you want to stab yourself with a dull spoon sometimes to make the frustration go away. But the users make up the community with which you interact on the webbertubes and if their user experience sucks, you're going to have problems with your product's reputation, your company's reputation, or if you're a sysadmin, your users will find their own solutions and ignore you because to them you're an incompetent boob not worth listening to. They also will hate you for not listening to their issues and addressing their needs.

Thus leading to more frustration for you having to support them, leading to resentment, leading to more sales of Dilbert books.

Unfortunately technology today is about compromise. This issue with iChat has been ongoing for quite some time and a lot of people are having to deal with it and are left to find their own workarounds. Because of the many things Apple does do right combined with the alternatives...Windows? AAAHH! Linux? Most users would rather poke their eyes out than have to deal with various tech issues related to using Linux on their own...the Mac is still the best value for usability and system stability (and security) for the average home user.

There is a caveat. As geeks, we take our warts very seriously. We don't forgive when our favorite things are blemished and we feel we're wronged. This annoyance is not something that will be easily forgiven, and the longer we're ignored over an issue the more vocal people will become about hating you for it. Worse, you have a competitor that has a solution that works. So what's the holdup, Apple? Why can't you get this right when some left-field startup managed to have a cross-platform solution with your features...video, audio, text chat...that just works?

Sunday, May 10, 2009

Antivirus Program Effectiveness

I was reading the report from www.av-comparatives.org detailing the results of their tests on 17 different antivirus products with names like AVG, Norton, and McAfee among them. Av-comparatives is an independent body that delivers objective tests on these programs and rates them on both effectiveness in detecting malware from a set of known baddie programs and how many "false positives" are triggered.

I can't help but shake my head at these things. Antivirus software, that is. I hate them.

The average home user doesn't understand much other than "viruses are bad. Antiviruses protect me." So they slap a program on their system (or worse, they have one that came with the system that they eventually let lapse on the subscription) and consider themselves safe.

Here's a simple explanation of how these work. Antivirus software works on the theory that as bad software (malware) is detected, the parent company releases what are called signatures, or key characteristics of bad software for their product to use.

When your computer accesses a file, the antivirus program running in memory intercepts your computer's attempt to read it. The antivirus compares that file's memory footprint with a database of signatures; if the file matches one of those signatures, it's flagged as a virus.

Some antivirus programs use what are called heuristics. Basically this means that the antivirus program knows about a set of behaviors that are somewhat common to things that malware does, and if any of the programs you open share those behaviors it will flag them as potential malware.

Many many many home users assume that having the software on their computer keeps them safe; that's like assuming that just because you bought your car that it'll keep running without little things like changing the oil. Doesn't work that way. Antivirus programs rely on having up-to-date signatures. That means they need to connect to the vendor periodically; once a day, every other day, once a week, and download the latest updates.

Some programs require a subscription to keep up to date. If you don't pay for the access, eventually they stop updating, and then you're vulnerable to new malware.

Other times the program, like Windows itself, requires updates. Antivirus software requires system-level access to programs and files, meaning your antivirus program probably runs with elevated privileges. Oooh...what does that mean? It means that if certain bugs are discovered in your AV software, since your AV software has free rein over the computer (that's the elevated privileges part), attacking software taking advantage of the bug can basically do whatever it wants to do on your computer, like install other software or control what does and doesn't run anymore.

Basically the antivirus software isn't hands-off. You need to make sure it keeps up to date both with fixes and new signature files, and that your subscription, if your particular brand has this payment model, is up to date.

Let's suppose you do what you're supposed to do and keep everything up to date. You're safe, right?

Not necessarily.

Simple scenario. A "black hat hacker" creates new malware (or takes existing malware and modifies it just enough that the signature no longer registers it as known malware). The program is unleashed on the Internet.

Your signature database doesn't know about it. It's too new.

So someone has to get infected. Depending on the payload of this particular piece of malware it may get caught by the vendor with one of their honeypot networks or it may be discovered through heuristic checking or some researcher finds it. Regardless, someone has to discover it first.

Next that sample is sent to the vendor.

Then the vendor analyzes the sample and from that derives a signature.

The signature is added to the vendor's database.

Next your software needs to check in with the company and see, hey! There's an update waiting! Then the antivirus must download and restart itself so it is running with the new database.

This means there's a window of anywhere from hours to days before your computer has the signature to stop this new bit of malware. Believe it or not if the malware is self-propagating on the Internet it can take as little as four minutes by some estimates (this one from the Internet Storm Center) to be hit by an infection attempt. There are some arguments about this being exaggerated, and there are other estimates for how long an unpatched Windows installation would last before being infected with something. But if you need to download a couple hundred megabytes in service packs and updates, it takes a lot longer than half an hour to get the computer hardened up; plenty of time to get scanned by infected systems on the Internet.
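The catch-up cycle described above can be sketched in a few lines of Python. This is an added illustration, not code from the original post or from any antivirus product; the byte strings, signature names and the `SignatureDB`, `scan` and `first_detected_at` helpers are all constructed for the example, and real engines are far more elaborate.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed, harmless byte strings standing in for files (not real malware).
KNOWN_BAD = b"LOADER-A|PAYLOAD-ROUTINE-0001|END"
VARIANT = b"LOADER-B|PAYLOAD-ROUTINE-0001|END"    # modified copy, same core bytes
NEW_FAMILY = b"LOADER-C|UNSEEN-ROUTINE-0002|END"  # shares nothing with KNOWN_BAD
CLEAN = b"Quarterly budget notes for the household."

# The steps from the post, in order (wording shortened).
STEPS = [
    "malware released",
    "someone discovers it",
    "sample sent to vendor",
    "vendor derives signature",
    "signature added to vendor database",
    "client downloads update and restarts",
]


@dataclass
class SignatureDB:
    """Toy signature database: exact-file hashes plus byte-pattern signatures."""
    hashes: dict = field(default_factory=dict)    # sha256 hex digest -> name
    patterns: dict = field(default_factory=dict)  # byte sequence -> name

    def add_hash(self, sample: bytes, name: str) -> None:
        self.hashes[hashlib.sha256(sample).hexdigest()] = name

    def add_pattern(self, pattern: bytes, name: str) -> None:
        self.patterns[pattern] = name

    def updated_from(self, vendor: "SignatureDB") -> "SignatureDB":
        """What the client holds after downloading the vendor's current database."""
        return SignatureDB(dict(vendor.hashes), dict(vendor.patterns))


def scan(data: bytes, db: SignatureDB) -> Optional[str]:
    """Return the matching signature name, or None if the database knows nothing."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in db.hashes:
        return db.hashes[digest]
    for pattern, name in db.patterns.items():
        if pattern in data:
            return name
    return None


def baseline_db() -> SignatureDB:
    """Database as it stands before the new sample exists."""
    db = SignatureDB()
    db.add_hash(KNOWN_BAD, "Toy.A (exact file)")
    db.add_pattern(b"PAYLOAD-ROUTINE-0001", "Toy.A (byte pattern)")
    return db


def first_detected_at(sample: bytes, client: SignatureDB,
                      vendor: SignatureDB, name: str = "Toy.New") -> Optional[str]:
    """Walk the steps and return the first one at which the client flags the sample."""
    for step in STEPS:
        if step == "signature added to vendor database":
            vendor.add_hash(sample, name)          # vendor side only
        elif step == "client downloads update and restarts":
            client = client.updated_from(vendor)   # client finally catches up
        if scan(sample, client) is not None:
            return step
    return None


if __name__ == "__main__":
    db = baseline_db()
    for label, data in [("known", KNOWN_BAD), ("variant", VARIANT),
                        ("new family", NEW_FAMILY), ("clean", CLEAN)]:
        print(f"{label:10s} -> {scan(data, db)}")
    print("new family first caught at:",
          first_detected_at(NEW_FAMILY, baseline_db(), baseline_db()))
```

The known file is caught the moment it appears, the modified copy is caught only because a byte-pattern signature happens to cover the part that was not changed, and the brand-new sample is invisible to the client until the very last step.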

The underlying assumption is that the antivirus works up to par as well. A number of the programs tested by av-comparatives missed malware from their tests, or worse, had false positives. False positives are situations where your antivirus program labels legitimate programs as viruses and panics the user, making them think they have some terrible problem when really it's a poor signature in the database that after another update or two may be altered to fix the error.

The conclusion for this is that just because you have an antivirus program you can't sit back and assume you're safe. Your antivirus is flawed. The very model of having to download signatures from a vendor to be inoculated against malware means that you're playing a perpetual game of catch-up and you're always at the bleeding edge, waiting for whatever exploits are freshly released into the wild to possibly hit your computer before you get the latest updated signature file. And the whole time your computer is paying an incompetence tax because you have your antivirus program taking up memory and processor time scanning every file your computer accesses, slowing down your computer and adding more overhead and possibly more bugs and glitches to the operation of your system. Antivirus software is the toothpaste put into small holes in the sheetrock walls of college dorms; a band-aid solution to what is really a flaw in the design of Windows.

Stop relying on blind buzzwords to keep you safe. Learn how such things work to a degree that allows you to take responsibility for the safety and integrity of your information on your computer. Otherwise you're a target waiting to be hit.

Monday, May 4, 2009

Windows Updates, WSUS Style

Update Tuesday. Another set of fixes comes down the pipes, and sysadmins hope as hard as they can that this batch won't break an application or system. Again.

When you have to administrate hundreds of systems and have very few people to cover them, you end up with a lot of systems going for months (or in some cases longer) without updates. This is especially true if you don't have a routine and policy in place for making sure all systems are updated within a particular period of time.

To help with the update chore, Microsoft created a free Windows System Update Server tool; you make a server on your network with a lot of dedicated space and that server then downloads your updates for you from Microsoft. Your systems can then be configured (again, Active Directory, when it works...) to look to that server within your much faster network for updates rather than pulling them from the Internet and slowing down your site's access while others are working (or goofing off) over the Internet. It also keeps track of systems that are updated and what updates are needed, and can control which systems get what updates.

The irritating part is that it only sometimes seems to really help.

  1. There's no web interface from the client that needs to be updated. In other words, I need the Windows Update Service to see the updates and notify me. There's a command line utility you can run to tell it to try the updates, but it just runs and exits without feedback...it just tells the invisible background service, "Yeah, could you try checking now instead of later for updates?," then you might be able to find a log somewhere that lists if the service did anything. The conventional bandwidth-sucking method means I can just go to Microsoft's update website and click on the button to start updates; from there I can get SOME feedback on what's going on.
  2. I found a script that is supposed to help with on-demand updates. I dutifully put it into a directory with a couple support programs, double click it, and in anywhere from five to fifteen minutes a script window pops up that tells me whether it's downloading updates or not. Some improved feedback, but c'mon!
  3. Just as the script's window pops up, I sometimes get the Windows Automatic Update "shield" in the system tray telling me there are updates to download. Sometimes it comes up while the script window hasn't appeared yet. In other words, I could easily end up running two updates in parallel, slowing me down even more because of a slip of attention.
  4. Sometimes it's not a slip in attention. Sometimes the script just doesn't work so I start the other process thinking the first attempt failed. There is sometimes an error from the script, sometimes not. ARGH!
  5. It appears that sometimes if a particular "pre-update" isn't installed, the WSUS (update server inside our network) simply won't work. Period. I have to do a manual update from Windows Update on Microsoft's site, defeating the purpose of having the internal server in the first place.

I'm not a professional programmer, but in designing this update server program I really think it would be nice to have something that:
  1. Gives feedback on your system's update status and current state of the updater.
  2. Allows the admin to pull updates on demand, not whenever the system decides to notice that there are updates waiting for it.
  3. Has better mechanisms for realizing you need various "pre-updates" in order to work properly.

It would be nice if your administration tools didn't make you want to scream and bash your head into a wall...when doing updates for Ubuntu, at least I can usually decipher my update progress and messages as things are zipping around on the console when not running the graphical front-end to the tools. Seems like Windows with all the enterprise penetration that operating system has and the fantastic developer tools available would have better tools for such a common chore!

Friday, May 1, 2009

Synergy!

Quick application review time!

If you have two or more computers at your desk, you probably know the irritation at having multiple mice and keyboards cluttering the workspace or you had to get a KVM switch, a box that lets you hook up one Keyboard, Video device, and Mouse (that's the acronym, in case you missed it) to two or more computers. This option also comes with the occasional loss of hair since some computers like to have issues with the keyboard not responding properly or the video mode going wonky if the computer switches on while it didn't have the KVM's focus or some other anomaly in behavior.

Here's one more alternative, with the assumption that your computers are networked and the other systems have their own displays near each other (you still have to give up desktop space to multiple monitors with this option). You designate your primary workstation as the "server", the system from which you want to use the keyboard and mouse. You then install Synergy on all the computers you want to control from this keyboard and mouse. On your "primary system" you run Synergy Server. On the other system(s) you run the client, telling them to connect (using the network address) to the server you're sitting at.

For my Ubuntu system it's even simpler...you can install a graphical front end for Synergy to set up the server options. I get a display with an icon between four points (actually labels); one each above, below, to the left and right of the computer icon. I enter the name of the client I want to allow in the box on the left side of the icon, and tell Synergy to run with the Execute button. Then on the client machine I type the command to have the Synergy client connect to my server, and voilà! When I slide my mouse pointer to the left side of the screen, it appears on the other computer. My mouse and keyboard are now controlling that system. Slide it offscreen to the right on the client, it appears back on my "server". You can control up to four computers this way, sliding the pointer up, down, to the left or right of your primary monitor.

I use this function at work to control a second system I'm using right now and often have my laptop controlled this way when I need to access it on the desk to avoid stretching over things to reach the keyboard. I just need it open close enough that I can read the display and use my full size keyboard and mouse to pop into the laptop display when I need to enter commands on that system, then slide the pointer back off to my own display to resume working on that system.

It does not steal the client system's control of the mouse or keyboard either...if you reach over and type on that keyboard, it still works just fine.

Personally I like to tunnel it through Secure Shell and have the Synergy client pointed at itself...Secure Shell redirects the program to talk to my server and that way it's encrypted when I am typing information. But that's a bit advanced for many people to try setting up.

Synergy itself is cross platform; you can use any combination of Windows, Linux, and OS X systems to control with it (I use it on two Linux systems and the Mac notebook). This is one of those utilities that fills a really niche need, and it fills that need well.

If you're using multiple systems at your desk, or need to occasionally pop open your notebook computer while at your desktop computer and want a little more convenience in arranging your desktop real estate, look into Synergy as a way to help simplify things a bit. I'm glad I found it!

Thursday, April 30, 2009

Ubuntu Console Locking Up

While I keep going back to Linux as my primary workstation operating system, all is not always rosy in Linux Land. Case in point; when I returned to work, my workstation's console was locked up.

I've been having that happen to me over the weekends for reasons I haven't figured out; the console is simply completely locked when I get into the office in the morning. Keyboard is dead. Display is frozen.

Hasn't happened on my home system, so I wonder if it's the graphics card...the system at work is an Intel chipset, and I recall there are some rumblings about it being crappy. The weird part is that I can secure shell into the computer and kill GDM in order to regain control of the computer. It kills my logged in session but at least I don't have to reboot. Indeed, I have no idea how long the system was locked up since I've been using the computer remotely using a VPN and secure shell without any indication that there was a problem.

These little quirks and annoyances are usually just that; minor annoyances. But they detract from the user experience. Get enough minor annoyances and soon the user begins to see a minor annoyance as a major annoyance. Then they get disgruntled, and worse, they start to spread the word about how crappy these "non-standard" Windows alternatives are.

I recently upgraded the system to Jaunty Jackalope, 9.04. I'm hoping that'll cure that lockup quirk; few more days and I'll find out...

Monday, April 27, 2009

Windows Consistency Sucks...AD Edition

Microsoft Windows has gained a well-deserved reputation for sucking wind. I encounter new reasons usually about once a week or so.

Microsoft realized that to make more headway into the enterprise (business, not starships) it had to beef up its offerings, so they did what they usually do. They looked at the guy already in the lead and copied them, added a couple tweaks, and touted it as their own better-than-sliced-bread feature.

At the time this meant they were staring at Novell's behind with their NDS tools (Novell Directory Services), later called eDirectory. Microsoft cloned much of the functionality and called it Active Directory, then proceeded to integrate it into Windows.

Now for the fun part. I don't trust it. Here's a quick reason why.

Windows XP integrated a software firewall. Basically it prevented connections to your computer when it's activated unless you set up rules allowing said software to connect, thus limiting the ability for other programs to infect you through network scans. This post is about irritations with Active Directory, so I won't get into why their firewall software sucks just yet.

Where I work we are using a freeware utility called VNC to remotely assist users when they have problems; we are a small department supporting hundreds of computers and simply cannot be everywhere at once. VNC lets you connect and view the user's desktop; they call saying there's an odd error on their screen, we can connect and see it just as they're seeing it instead of trying to decipher their sometimes creative descriptions of what is going on.

Except when the firewall is on.

Since we're a Microsoft shop, the solution, from many an MCSE with a smirk on their faces (MCSEs are people who pay big bucks to pass Microsoft-biased tests so they get a certificate saying they're certified to answer your questions about Windows and other Microsoft products, really oversimplifying and probably offending some of them out there), is to simply add into your policies...rules that govern the behavior of good Active Directory citizens (i.e., Windows clients) on your network.

Fine. We set up a rule in the default policies saying to turn off the software firewall. Don't get your panties in a wad just yet, sysadmins who know better! I fully realize this is semi-insecure and not best practices. This is not to justify why we did it. The sharp point of the rant is approaching!

About ninety-five percent of the time this works. Boot the computer, the firewall is off. The other five percent of the time, the computer reboots, and voila! We're locked out!

That's right. Active Directory policies, supposedly refreshed at boot and randomly at other times later, sometimes and seemingly without rhyme or reason will lock me out of the remote, twenty-mile-away computer because it decided to activate the firewall!

Best of all because we have certain software running that can only switch modes with a password and a reboot to unlock certain functionality in the computer, the reboot will occur putting the computer into a compromised state just as the firewall pops up, meaning I can't get in to reset the system back the way it was!

Why? Who knows!

We had another policy many moons ago that was telling the computer to hide certain drives from the user that they didn't need access to. This was fine and dandy, except when you ran the old fileman utility from Windows 3.1 or a third-party freeware utility for managing files...the programs showed all the drives. Huh?

After some experimentation it appeared that the Active Directory policy that hides drives was actually a setting for Explorer, the shell program that you interact with in Windows to allow you to launch programs and navigate through Windows.

In other words, the setting to hide system drives in Active Directory was only effective against one program in Windows. Other programs could still work around it. Basically what I would have thought at first glance was a setting to tell Windows to hide access to certain drives was actually telling a particular component of Windows to hide the drives.

No doubt that careful reading would have explained that this was the expected behavior, but I never saw any warning to the administrator that this could be worked around so easily, that it wasn't a system-level lockout but rather something that could be worked around with a two-minute download of freeware.

Another reason I don't trust Active Directory. I got burned by a setting that looked like it was taking a step in the direction of locking out access to the system; in reality it was just telling one part of Windows to hide it. Second, the policies don't always "take," so when I take the time to configure a system to behave in a certain way there's no guarantee that it will, just that it probably will work. Sometimes "probably" just isn't good enough.

Wednesday, April 22, 2009

Eye Candy

Quick note on a blog with some very interesting notes on how people react to eye candy. Check it out at "A List Apart".

When I was much younger I strongly disliked the Macintosh running MacOS. From the technical viewpoint, it was horrible...the multitasking model was horrible, the memory management was horrible...all it really had was a WYSIWYG (What You See Is What You Get...it used graphics at a time when the average computer used text commands to work and Windows was just beginning to catch on) interface that appealed to non-technical people.

I stand by my arguments from back in the day. I was later validated when Apple ended up throwing MacOS out altogether and adopting the UNIX-based OS X. If you needed something a little more rock-solid and reliable, the MacOS Macintosh wasn't the platform to use.

This article has some interesting points, however, on how design affects us psychologically. My view has always been (in the case of technology) that once the basics are met...fix the memory management, fix the security, fix the multitasking model, etc...eye candy and ease of use are differentiating factors. After all, a Ferrari isn't useful if you can't start it!

Operating System of Choice

I have long despised Windows. I have to support it at my day job and in supporting it have grown to despise it. The lock-ups, the weird behaviours, the overwhelming amount of evidence that it has had feature after feature bolted on to it instead of having been engineered for security and multiuser capabilities, the number of malware programs that take full advantage of Windows users...it drives me nuts.

Many years ago I started using Linux. I found it to be flexible and far more stable than Windows ever was. It had great features while at the same time none of the licensing bull artificially limiting the operating system that Windows had; for example, Windows NT Server is basically Windows NT Workstation with some registry hacks in place to cripple it. You were even limited to a certain number of client connections to the operating system because you didn't pay a few extra hundred dollars. With Linux I could run a web server with as many connections as I wanted, no licensing limitations.

Today my main workstation is running Linux and my workstation where I'm employed is running Linux but my employer-supplied notebook computer is a MacBook, so I get to play with Apple's OS X as well now. This has influenced some of my opinions on the current state of operating systems.

Linux is still a strong contender but I run into a few shortcomings that are significantly annoying. Case in point: my webcams. There was a kernel update in the Ubuntu repos where after updating, my webcam no longer worked properly. I later found out that some applications will work with the webcams, while others don't. Searching for a solution...something that seems to be common in using Linux...yielded no solution other than running what is now a kernel several releases old.

And so far there doesn't seem to be any work being done to get these cams working again. Since it works with some applications and not others the consensus seemed to be that part of the interface to the drivers that interact with the kernel has been changed...so of course blame is shifted to the developer that used a library that no longer works.

Huh? Basically, no one takes the blame, and no one seems to be working on fixing it, and even if they were there's no one to really ask about it or get updates on the situation.

I have issues with the computer working with sound properly. Sometimes it just disappears. I end up having to restart the pulseaudio server on the system (most people probably just restart the computer).

The fact that I have freedom in configuring and using my Linux system is where a lot of its power comes from; at the same time, the fact that I can use an image capture program to get motion captures from my webcams but can't use a live viewer of what my webcams are viewing or use Skype on Linux to view anything but a garbled green video image is very frustrating.

Then there's the Mac. The Mac is nicer in that most of what I have will just work. I can usually get work done on it. When I have to go through and restart a rogue PulseAudio process I end up thinking that the next time I am looking at a new computer I may very well get a Mac.

But I know I have issues with the Mac as well.

For example, when I secure shell from the Mac into my Linux system, it seems to take forever to connect. From what I can find it has something to do with DNS lookups, but I'm not sure because even after trying to change some settings in the configuration file it still takes forever to connect.

Another problem is that OS X doesn't have any of the neat features inherent in X Windows. For all the issues with X, one of the greatest features I use is to remotely run programs so that the display appears on the computer I'm sitting at, but the drive, resources, processor, etc. are all on the remote computer. This means that if I have Thunderbird set up on my desktop computer with all my filtering rules and preferences then I can run it on a remote computer without redoing all my preferences and filters. It also means that if the computer I'm on is slow or low powered while my desktop has plenty of processor speed and memory to spare then my mail program can be run on the weak system with the only bottleneck being the network connection.

OS X can't do this. It can run an X server as an application so I can launch programs on my remote computer from the MacBook, but I can't launch applications on the Mac so the display comes up on my Linux computer. Note that this is different than remote control software like VNC; those programs show your desktop and let you see the desktop as if you were remotely using that desktop. When you're bringing up a window of your files or reading your email through that, someone else in the room, who you may not see since you're somewhere else, can be sitting there reading your email along with you. Forwarding X doesn't do that.

There's also an issue where things on the Mac either work well or don't work at all. I just plugged one of my webcams into the MacBook; nothing happened. The MacBook wants to run an iSight or it won't work at all without a special third-party driver.

The last big issue I have is with Apple Support. Apple support is great; quick turnaround, relatively easy to work through...the problem is that if I have to call them it's probably because the hardware has a problem. There's no easy way to get new parts without sending the computer away and I really really really do not like sending my personal data to a company where you don't know what is going on behind the employees-only door. While I don't think they're stealing my data or going through information I still have that hesitation in not knowing for sure unless I encrypt everything first. It's the same feeling I have to shove aside in going to a fast food joint. Hear the rumors of people spitting in the food or doing other nefarious things to your burger because you looked at the fry cook in a way they took offense to? It's always in the back of my mind, and I don't like having my tax information, documents, personal images, etc. being sent off to another company to trust that they won't dig through my data.

The Linux system on the other hand can be pretty easy to get parts for since it's a PC with generic parts. The Apple system I can try getting parts and void my warranty coverage if I replace my hard disk or some other part. Very annoying.

The musings here can be summarized as this: I hate Windows. I really like Linux but am running into some limitations that are starting to wear on my nerves. The Mac is very nice and is a strong contender...for the home user I don't hesitate to recommend a Mac, having converted my wife and mother to MacBooks...but even the Mac has some issues that if I switched over I'd have to find a way to work around the problems.

It shouldn't be a problem until the time comes when I have a few spare thousand dollars to spend on a new configuration for my workstation. But it never helps to think about what I'd do differently next time around.

Friday, April 17, 2009

iChat AV Communication Error

As I mentioned before my wife is on a trip until Sunday. Her schedule finally permitted her an early morning break...seven to eight AM, if that can be considered early...to try to chat and say hello to me and the kids.

We both have access to MacBooks, so naturally we'd use iChat AV to video chat. I use it quite a bit to chat with my mother when she wants to say hello to her grandson before bedtime. If she can use it to video chat with me then that should say something for how easy to use iChat is for a task like that.

But it wouldn't work.

Every freakin' time we tried, it would give some communication error.

Searching online gives a lot of entries from people stretching back YEARS saying it could be because of your router, because of firewall or QuickTime settings, yadda yadda blah blah. You know the only reliable fix?

Use Skype.

I like iChat. But how, after all this time, can they not get video chat working properly?? It's one of their big features...you're supposed to be able to video conference people on a snazzy 3D-like display but apparently if you have some minor glitch in the handshaking that establishes the connection you will get a vague "error" that offers to send the information to Apple who in turn will ignore the issue.

I had this happen when chatting with my mother...it errored out, it errored out, then one day it worked. It's been working since. I didn't change my router. I didn't alter anything on her end. It just decided, "Hey, maybe they really want this to work, let's work this time around," and it did.

My wife is 24 hours away by freeway in a supposedly halfway decent hotel (a Comfort Inn, I'm told) but I'm afraid if it's a vague issue with their router or firewall there's not much that can be done to troubleshoot it.

Quite frankly, why can't the connection tunnel between the two machines and do a direct connection?? Why is this so difficult to get working?

I wanted to use iChat because iChat is relatively simple to use. It's a damn shame Apple can't seem to get around this video error that apparently plagues so many users.

But if you're interested in the fix that involved not screwing with your router or bandwidth allocation to QuickTime or any of that other bulls#@ you shouldn't have to play with, use Skype. It's free to use the chat function, it's multiplatform, and most of all, we managed to get a video connection up and running within ten minutes while really ticked off at running into the video error issue for the umpteenth time.

I love the Mac. I love it for home users. I don't hesitate to recommend it for non-gamers out there who just want to get their work done, especially for people who want to edit home movies or just browse the web and read email. But Apple really has a couple issues where I think their programmers suffer from a cranial-rectal inversion, and the inability to voice/video chat reliably from iChat is one of them.