Sunday, January 14, 2018

One More Log on the Fire

If you're a regular reader you'll know that I'm a proponent of using Windows Defender as my anti-virus. While that it's free is a big factor for me, that it doesn't introduce new vulnerabilities into Windows is even bigger.

I've discussed that here, here and here.

In Microsoft's announcement of their patches for Meltdown and Spectre they included the following:

Note: Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key:

Read that again.

If your anti-virus vendor doesn't set a new registry key you will NEVER get another security update.

Now, certainly mainstream anti-virus vendors quickly complied.

But what that means is that mainstream anti-virus vendors have been using non-public kernel calls.

Don't do that.

Further, if you don't run any anti-virus you must manually set that registry key or you will NEVER get another security update.

In cases where customers can’t install or run antivirus software, Microsoft recommends manually setting the registry key as described below in order to receive the January 2018 security updates.

There's a pertinent blog post here.

Sunday, January 07, 2018

The World Revolves Around Memphis

Chrome 63 is forcing all domains ending on .dev to be redirected to HTTPS via a preloaded HTTP Strict Transport Security (HSTS) header. This may impact organizations that have been using .dev TLD privately for their own development teams.
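
As an added illustration (not part of the original post, and not Chrome's own code), the Python below audits a list of internal URLs for plain-HTTP hosts that a preloaded HSTS entry would force to HTTPS. The `PRELOAD` table and `INVENTORY` list are constructed; only the `.dev` entry reflects what the post describes.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for a browser preload list: entry name -> includeSubDomains.
# Only the "dev" entry comes from the post; the second is hypothetical.
PRELOAD = {
    "dev": True,
    "login.example.com": False,
}

def hsts_preloaded(host, preload=PRELOAD):
    """Return the preload entry that covers host, or None."""
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return None               # HSTS does not apply to IP-literal hosts
    except ValueError:
        pass
    labels = host.split(".")
    # Walk from the full name up to the TLD: wiki.team.dev, team.dev, dev.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in preload and (i == 0 or preload[candidate]):
            return candidate      # exact match, or a parent that covers subdomains
    return None

def audit(urls, preload=PRELOAD):
    """List (url, entry) for each plain-HTTP URL the browser would force to HTTPS."""
    hits = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname:
            entry = hsts_preloaded(parts.hostname, preload)
            if entry:
                hits.append((url, entry))
    return hits

# Constructed inventory of internal URLs, e.g. exported from bookmarks or a wiki.
INVENTORY = [
    "http://wiki.dev/",
    "http://build.team.dev:8080/job/1",
    "https://wiki.dev/",            # already HTTPS, nothing changes
    "http://10.0.0.5/",             # IP literal, HSTS never applies
    "http://devbox.corp.example/",  # TLD not on the list
]

if __name__ == "__main__":
    for url, entry in audit(INVENTORY):
        print(f"{url} -> forced to HTTPS by preload entry '{entry}'")
```

Any URL this reports needs a certificate the browser trusts on that host, or a move to a name outside the preloaded TLD.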

Now most of us don't have to worry about that but it reminded me of a situation I had encountered at a former company.

My company had acquired another company. They were using an address space for their internal TCP/IP network that was routable but didn't belong to them. Obviously they weren't connected to the Internet.

They also had an internal DNS server that used their company's initials as a TLD. Needless to say they weren't the owner of the TLD.

Yeah, it took us a while to integrate them into our network.

But that was just the start.

As we were upgrading SAP worldwide we changed the GUI to use DNS rather than a hard-coded IP address. Then we pushed that change worldwide.

Then the SAP Basis team changed the target of the DNS name and watched for fallout.

Europe failed and was quickly addressed by updating our European DNS server.

But oddly, seemingly random US facilities were also failing.

We finally discerned that these were all facilities of the former company.

The on-site LAN admins determined that the locations' PCs had their DNS pointing to the former company's servers. Obviously they hadn't been updated.

When I reached out to management at the former company, he responded, "You act like the world revolves around Memphis."

My response was "When it comes to DNS, it does."

Those were the good old days.

Sunday, December 31, 2017

Storage Sense

One of my employees used to tell me that I was the only boss that he'd had that he would turn to for technical help.

Now it's my turn to turn to one of my former bosses.

I got a Facebook message asking:

Also do you use "storage sense" to clean files off the ssd or do you manually remove frequently...

I didn't know what he was talking about.

It turns out that Windows 10 Creators Update (1703) has a new feature "Storage Sense."

Who knew?

Windows Central has a good article on Storage Sense.

Storage sense is an optional feature, which is disabled by default, but when enabled, it'll proactively delete temporary files, like those created by apps. It'll delete files that have been in the recycle bin for more than 30 days, as well as files in the downloads folder that haven't changed in 30 days. If you're running low on space, Storage Sense even includes an option to delete the previous version of Windows 10 to make more room.

Press the Windows key and type "Storage". Click on it. Make sure the Storage Sense toggle is On.

Then click on "Change how we free up space".

I don't see why you wouldn't want to check all the boxes there.

The last checkbox was added in Fall Creators Update (1709).

You might as well click on "Clean now" while you're there.

I recovered 4.12 GB.

Sunday, December 24, 2017

Global Entry

tl;dr Global Entry speeds you through U.S. Immigration and Customs really fast.

On the return from our recent trip to Canada, we cleared U.S. Immigration and Customs in Chicago in less than 5 minutes.

Here's how...

A couple of years ago before we traveled to Ireland we joined the U.S. Customs and Border Protection (CBP) Global Entry program.

At the time we had to travel to Nashville for the CBP interview. The interview took less than 5 minutes and we received e-mail notification that we had been approved before we left the parking lot.

According to Customs and Border Protection's page the benefits are:
  • No processing lines
  • No paperwork
  • Access to expedited entry benefits in other countries
  • Available at major U.S. airports
  • Reduced wait times
  • TSA Pre✓ Eligibility

You also get Global Entry cards (like a Passport Card) that are good for U.S. entry at land and sea ports of entry. We used these when visiting Campobello Island.

Global Entry costs $100 compared to TSA Pre✓'s $85 and includes TSA Pre✓. Global Entry also includes the equivalent of a Passport Card ($30). Both Global Entry and TSA Pre✓ are good for 5 years.

How this works is that when the flight attendant passes out the Form 6059B, politely take it, put it in the seatback pocket, and go back to watching the movie. You don't have to complete it.

Then when you deplane and go to the Immigration area, watch for the Global Entry kiosks.

Place your passport on the reader, smile for the camera, put your hand on the sensor and answer the few questions. Take the receipt that the kiosk prints and head for the exit.

Wave the receipt politely to the Immigration agents and keep going.

Now you're in Customs. Again look for the Global Entry line. It's the Customs agent without a line. Wave the receipt politely to the Customs agent and keep going.

Head to Starbucks and wait for your friends that didn't have Global Entry.

By the way there's also Mobile Passport Control that is similar.

Mobile Passport Control enables travelers to submit their passport and customs declaration information via their smartphone instead of the traditional paper form.
Follow the Mobile Passport Control signs to the designated Mobile Passport Control line. Show your passport to the CBP officer and scan the barcode on the CBP receipt. And that’s it!

It's free but doesn't include TSA Pre✓ or the Global Entry Card. Mobile Passport Control requires some pre-work on your smartphone before you land. Once you're on the ground you have to connect to the Internet and complete some information. Then you are shown a barcode that you have to present to the CBP agents at Immigration and Customs.

Not all international arrival airports have Global Entry and fewer support Mobile Passport Control. We actually cleared Global Entry in Dublin on our return from Ireland.

Sunday, December 17, 2017


I've written about KeePass several times in the past but it's been a while and I've made a couple of improvements.

A recent article in Sophos' Naked Security blog inspired me to update my use of KeePass.

Naked Security's summary of KeePass was:
KeePass is an open-source password manager that does all the things you’d expect a password manager to do at the very least – it stores all websites and service credentials in a highly-encrypted vault that can only be unlocked with one Master Password, which becomes the only password you need to remember.

There actually are 2 versions of KeePass. I've been using it so long that I started on version 1. Both versions are actively being maintained. There's nothing that I have wanted to do that version 1 doesn't do so I'm staying on that for now.


KeePass runs as a portable app. I have it on a USB drive that I keep on my keychain.

I also have it in a folder on my Dropbox including the active database. These are identical copies. I install on the USB drive and copy to the Dropbox folder.

On each of my PCs and laptops I have a shortcut on my desktop that points to the Dropbox instance of KeePass and opens the database read-only.

Don't worry about the security of the database. The KeePass database is AES-256 encrypted.


When I intend to update the KeePass database I run it from the USB drive. 

When I exit KeePass with changes to the database, I have a DB_Backup plug-in that makes a backup of the database and invokes a BAT file. This BAT file copies the new database from the USB drive to the KeePass Dropbox folder on that PC or laptop. A few more details on this BAT file are here.

This accomplishes 2 objectives. First it backs up the database in case the USB drive is lost or damaged. Second it provides access to the database to my other PCs and laptops via Dropbox.

While I haven't dug into KeePass version 2 I understand that this cloud (in my case Dropbox) capability is built into the base product.


While KeePass isn't as integrated as LastPass or Google's Smart Lock, it does let you specify which URLs are related to a KeePass entry.

For example, the following is my entry for xmarks:

This tells KeePass to use this user name and password when invoked on a window whose title begins with "Xmarks - ".

In "Tools" is a wizard that helps you build the Auto Type selection. You just choose the target window from a drop-down list. Incidentally since KeePass is using the window name you can also use this feature for non-browser logins.

There is also a feature that will generate random passwords for you.

You can specify your own key sequence to invoke KeePass login. I use the left Ctrl key and the / key. Just place your cursor in the user name field and press your key sequence. KeePass will type the user name and password into the target window. There are simple script-like commands to tell KeePass when to tab, press Enter, etc.


On Android I use KeePassDroid and on iOS I use KeePass Touch.


I also use KeePass as an address book. KeePass allows you to create various folders in its database. I have one called "Names and Addresses."

Sunday, December 10, 2017

Air Transfer

As I mentioned in my Back and Forth post I'm using an iOS app Air Transfer to copy photos from the iPhone to my Windows laptop.

Here's my workflow.

I launch Air Transfer.

On my laptop I browse to the URL that Air Transfer presents. It pretty much never changes.

On my laptop I click on the link to take me to the Camera Roll.

I select the photos that I want to transfer to my laptop. The free version of Air Transfer lets you select 10 photos at a time. The upgrade to the Pro version is $1.99.

I click on the Download link.

Air Transfer then creates a zip file and downloads it to my laptop.

When the download is complete I go back to the iPhone, double-click the home button and swipe away Air Transfer.

Then I launch Apple's Photo app and delete everything on the Camera Roll.


Why don't I use Google Photos? Actually I do. But Google Photos recompresses the photos so I don't use this copy for archive. I use the Google Photos copies for casual sharing.

Why don't I use Dropbox? Actually I do. But not for photo transfers. Dropbox renames the files. I prefer to maintain the original file name.

For a thorough comparison of Google Photos and Dropbox revisit my Dropbox vs Bluetooth vs Google Photos post. Think of Air Transfer as the iPhone equivalent of using Bluetooth on Android.

Here is one of the screen captures from the app store:

Here's what mine looks like:

Because there is no slider for WiFi Transfer you must swipe away the app. I asked the developer about this. He replied quickly.

I am currently overhauling the internals of the App.
The on/off switch was temporarily eliminated in current version.
To disconnect Air Transfer, you can either shutdown the WiFi of iOS or terminate Air Transfer.
The on/off function will be available in later updates.

A similar app is File Hub. It has a much broader set of capabilities than Air Transfer but includes a Wi-Fi transfer service. I didn't stick with File Hub as it requires a web password on each execution. If you're using a public Wi-Fi this is absolutely necessary but on my home Wi-Fi this was just a nuisance.

Sunday, December 03, 2017

Contactless Payments

One day on my deals feed was this gadget:

The post said "We can all afford to be paranoid at this price."

Should we really be paranoid?

So I went to Wikipedia.

The examples and perspective in this article may not represent a worldwide view of the subject.
Contactless payment systems are credit cards and debit cards, key fobs, smart cards or other devices, including smartphones and other mobile devices, ...
Mobil was one of the most notable early adopters of this technology, and offered their "Speedpass" contactless payment system for participating Mobil gas stations as early as 1997.

What does that really mean for you and me?

Not much.

Remember that opening statement from Wikipedia: "The examples and perspective in this article may not represent a worldwide view of the subject."

Here are some valid concerns but it's from the UK.

Here is a North American-centric view of contactless payment systems.

"Nothing to see here, move along".

But remember that Wikipedia also said: "...including smartphones and other mobile devices."

But smartphones and other mobile devices won't fit in the little case.

Not to worry.

Although these are "contactless" they are based on NFC. Although NFC is contactless there is always another layer of security, e.g. Touch ID for Apple Pay.