Wednesday, November 26, 2008

Javascript or Not

Remember way back in 2006, I wrote a blog entry on Javascript. That was about my experiment with Steve Gibson's recommendation of blocking Javascript except on Trusted Sites in Internet Explorer. His idea was to put known sites in the Trusted Sites list. Boy, was that a pain! It was a noble experiment but I gave it up.

Well, now Steve is a Firefox user and has embraced the NoScript add-on.

He went on and on about NoScript in Security Now 168 where he talked about clickjacking. If you don't know what that is, go listen but don't lose any sleep about it.

Then in Security Now 169 Steve confessed:

Steve: The reason I didn't want to skip this question was this was when I planned to confess.
Leo: You turn it off.
Steve: I've turned it off, too.

Even Steve Gibson runs with Javascript enabled!

No doubt turning off Javascript is the safest thing to do but it's pretty much impractical.

So that got me to wondering how many people actually TRY to surf this way.

Here's what my blog readers look like. This blog is on the left. WhereIveBen is on the right.
3.5% of the geeks have Javascript turned off and 1% of the normal people.

Wednesday, November 19, 2008

Secunia Online Software Inspector

Recently, I mentioned the Secunia Online Software Inspector. I played with it some. It worked pretty well.

It's a Java applet so there's nothing to install. It "only" checks about 100 programs but they're the key ones.

The OSI page says it takes "5-40 seconds." I saw this all over the place, as high as 4 minutes. Most runs were in the sub-20 second range though.

The first run showed up vulnerabilities in several Adobe products. I'm fanatical about patching Adobe products so that was a surprise.

It even gives you a link to resolve the problem. The Flash Player was tough to fix.

I finally had to download and save the Flash Player uninstaller. Then I closed my browser(s) and ran the uninstaller. When it was done, I clicked on the "Show Details" button and looked for "Delete on Reboot..." I found one so I needed to reboot.

After the reboot, I went back to Adobe and installed the current Flash Player.

After that, the OSI ran clean.

Maybe I'll go play with the Secunia Personal Software Inspector (PSI) next.

Friday, November 14, 2008

Asus Eee PC 1000H

My birthday was back in September. My birthday list was short - the brand new Asus Eee PC 1000H. The price had just dropped from $650 to $499 so I jumped on it. The price immediately fell to $410 and has now reached $399. Oh, well.

But it's a sweet system. The 1000H version comes with a 10" screen, 1GB of RAM, 80GB SATA hard drive, a 1.6GHz Atom processor and weighs just over 3 lbs.

It comes with XP Home pre-loaded. I'd never used XP Home before but it does everything I need so far. It's pretty clean of bloatware. What extra software is loaded is pretty much just the utilities to support the Asus.

The screen is only 1024x600 but is crystal clear. With a hardware button, you can change the resolution to 800x600, 1024x768 (compressed into 1024x600) and finally 1024x768 that scrolls.

The Atom has been pretty zippy. The latest BIOS (which came already loaded) even enables hyperthreading.

Unfortunately it doesn't have my beloved TrackPoint but it has a multi-touch touchpad similar to the iPhone. It shipped without the latest drivers but I downloaded them from ElanTech and they're wonderful. There's a clip on youtube.com demonstrating it. You'll also notice that they have Vista running on the 1000H!

I upgraded the memory to 2GB for $12.99. I'm not sure that it made much difference but for the price ...

Asus suggests the battery life is up to 7 hours. I can't vouch for that yet but it has run for hours even with the WiFi running. Speaking of WiFi, it supports B, G, and draft-N. Oh, and Bluetooth. And has an SDHC slot. And 3 USB 2.0 ports. And a VGA port.

There's a very active and supportive community around the 1000H here.

Here're some comparison photos of the 1000H, my beloved ThinkPad X20, and my work Dell D410.

Sunday, November 09, 2008

JRE Vulnerability

I was listening to Windows Weekly last week and Paul Thurrott mentioned Microsoft's Baseline Security Analyzer. Leo Laporte then mentioned Secunia's PSI (Personal Software Inspector). I had heard about it before but it was a long time ago.

Secunia's PSI has a much broader scope than Microsoft's so I went poking around looking at it. Leo had also mentioned that Secunia had a similar Online Software Inspector. This doesn't require an install as it's a Java applet (here's where the good stuff starts) but only scans fewer than 100 programs. Even so, that list is a pretty good start.

So I read on. There was a bright red link in the right column that caught my eye.
When I followed this link, there was a discussion of a newly discovered exposure in Sun's Java Runtime Environment (JRE).

It's pretty geeky reading and has a link to CERT's blog post on it (interestingly entitled "Signed Java Applet Security: Worse than ActiveX?").

Go read it for yourself and then either take the steps in the CERT blog article or just run the Secunia OSI and it'll do it for you.

Friday, November 07, 2008

USB Drive autorun.inf

So I had my menu working great on my new USB drive.

What I wanted it to do was to give me a choice to run PStart when I plugged in the USB drive.

I had noticed that my wife's USB drive that she runs Allway Sync from gave her that choice so I went looking there.

All I could see different on it was an autorun.inf. There had to be something in there.

It looked pretty normal but it had an entry I wasn't familiar with: action.

Go try and find some documentation on autorun.inf. After many searches, I came across this. It said:

ACTION is a relatively new command that was introduced in Windows XP SP2. It is not supported in earlier Windows. This command specifies a text that should be shown as the first option in the Windows Autoplay dialog, together with the icon specified by the ICON. This option is always selected by default and if the user accepts the option, the application specified by the OPEN or SHELLEXECUTE entry in the media's Autorun.inf file is launched.

There also was a link to an MSDN page.

So I copied the autorun.inf from my wife's USB drive and made the following changes:

[autorun]
open=PStart.exe -autorun
icon="PStart.exe"
action=Launch PStart Menu
label=Ben's 8GB USB

Here's what it looks like when I plug it in.


Just hit Enter and you're off!
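
Since the ACTION text is whatever the file's author typed, it helps to see it next to the command it launches. The Python check below is an added example, not part of the original post or of PStart; the function names and the `prompt_names_target` heuristic are assumptions of this example, and the sample input is the autorun.inf shown above.

```python
import ntpath

# Constructed sample input: the autorun.inf shown in the post above.
SAMPLE = """\
[autorun]
open=PStart.exe -autorun
icon="PStart.exe"
action=Launch PStart Menu
label=Ben's 8GB USB
"""

# Keys whose value is started when the user accepts the ACTION entry.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or INI-style comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def audit(text):
    """Pair what the AutoPlay prompt says with what it would launch."""
    entries = parse_autorun(text)
    action = (entries.get("action") or "").lower()
    launches = {k: entries[k] for k in LAUNCH_KEYS if entries.get(k)}
    # Heuristic (assumption of this example): does the free-form prompt text
    # mention the program name it starts? A mismatch deserves a closer look.
    stems = [ntpath.splitext(ntpath.basename(c.split()[0]))[0].lower()
             for c in launches.values()]
    return {
        "prompt_text": entries.get("action"),
        "launches": launches,
        "prompt_names_target": any(s in action for s in stems),
    }


if __name__ == "__main__":
    for field, value in audit(SAMPLE).items():
        print(f"{field}: {value}")
```

Run it against the autorun.inf on a drive before accepting the default AutoPlay option; section and key names are matched case-insensitively.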

Monday, November 03, 2008

Green

A guy at work has been working on a green project involving putting PCs into reduced power states. He had a Kill-A-Watt so I borrowed it and brought it home.

My tests were clearly unscientific but I tried to be consistent.

I tested 4 laptops: a ThinkPad T42, a Dell D410, an Asus Eee PC 1000H, and a ThinkPad T61.

I ran each through 4 scenarios. First was a Steady state. XP was booted and "idle" as I wasn't intentionally running anything. I made no attempt to stop background tasks. Next, I started a search of the hard drive for a character string in a file name that would be unlikely to be found. During this I subjectively recorded the Search value and the Peak value. Lastly, I put each system in Standby.

The LCD was powered on and the battery was fully charged in all tests.

The Kill-A-Watt only recorded whole Watts so there is probably an issue with resolution in the Standby readings. It read 1 Watt when nothing was plugged into it.

Nevertheless, there are some pretty interesting results:

Laptop   Steady (W)   Search (W)   Peak (W)   Standby (W)
T42          22           24          31           3
D410         20           28          34           2
1000H        11           13          14           1
T61          37           72          83           3

The Asus Standby effectively read no power draw but that can't be accurate. This is likely an issue with the resolution mentioned earlier.

Saturday, November 01, 2008

Bye, Bye U3

I was enamored with my U3 USB drive. It really did work well for me but my primary use was for KeePass. KeePass doesn't directly support U3. There are a couple of independently done U3 packages but I couldn't figure out how to incorporate my backup plugin. I had created my own package but it didn't use the U3 wrapper to shut down KeePass when I used the U3 launchpad to eject the drive.

And then when I handed my drive to somebody to share a file with them, I had to tell them to hold down the shift key while they inserted it so the U3 launchpad wouldn't run. They'd always look at me like I was from Mars.

Then my wife lost (and then found) the cap to her USB drive she runs Allway Sync from. So I started searching for her a USB drive that didn't need a cap.

I came across Super Talent's Pico-C.

I got her one at SuperMediaStore. Believe it or not, they're cooler than they look.
I had to have one myself.

So I got an 8GB from SuperMediaStore and moved my content over to it.

But wait, now I needed a menu!

I've used a couple of PortableApps but while they worked great, I didn't like the branding. I thought maybe I could use their menu system and delete all the branded stuff. Then I stumbled across PStart.

Perfect. The menu starts empty and you can just right click and add items. There's lots of flexibility to tailor the menu. There are just 2 files involved: PStart.exe and PStart.xml.

It's so clean. It puts an icon in the system tray (I'll get to how in another post.) A single left click brings up this menu.
A left double-click brings up the "panel."
Hitting Esc even dismisses this panel!