Browser Vulnerabilities

It's been a while since I've talked about vulnerabilities. This time it seems like there's been a flurry in both Internet Explorer and Firefox.

Last week, SANS reported a 0-day exploit in Microsoft's DirectShow ActiveX control that can be exploited in IE. This ActiveX control is not intended to run in IE. Microsoft's advisory is here. Microsoft created a "Fix it" article that turns on its kill bit. Though unaffected by this vulnerability, Microsoft is recommending that Windows Vista and Windows Server 2008 customers apply the "Fix it."

Then this week, SANS reported a 0-day exploit in Microsoft's Office Web Components ActiveX control that can be exploited in IE. This ActiveX control is not intended to run in IE. Microsoft's advisory is here. Microsoft created a "Fix it" article that turns on its kill bit. (Is there an echo in here?) Microsoft's Security Response Center says it doesn't affect Vista. Read the details for yourself.

Then today, Brian Krebs reported a "highly critical" vulnerability in FireFox 3.5. He describes the "about:config" as a work-around:

To disable the vulnerable component, open up a new Firefox window and type "about:config" (without the quotes) in the browser's address bar. In the "filter" box, type "jit" and you should see a setting called "javascript.options.jit.content". You should notice that beside that setting it reads "true," meaning the setting is enabled. If you just double-click on that setting, it should disable it, changing the option to "false." That's it.

The bad news is that this slows Firefox's Javascript back down to 3.0 levels.

Creative Labs Vado HD

As a going-away present, my former co-workers gave me a gift certificate at amazon.com, one of my favorite stores. The timing (of the gift certificate) couldn't have been better.

My daughter was expecting our first grand-baby so I was in the market for a grand-parent's camcorder.

I had already been shopping for a camcorder. I wanted something with a USB connector. Not only did the Vado have that but it had a built-in HDMI connector. It uses its own 8 GB internal storage so I didn't have to buy a separate SDHC memory card.

I'd read a lot about problems with low light recording and shaking but I haven't seen problems with either of these.

The size is amazing. It is only slightly larger than my wife's Blackberry Pearl. It charges from the USB connector so you don't have to fool with a power adapter.

It wasn't obvious from the advertising but the USB presents a drive to Windows that has Autoplay. If you let the autorun.inf run, it installs a codec for the Vado and then launches a limited version of muvee's Reveal. It is pretty crippled, e.g. it won't convert to DVD, but it does Ok.

It even has a button that directly uploads to youtube. I've also used its capability to consolidate a couple of clips and output a .wmv.

The codec that is used by the Vado is a proprietary h.264. Even with the Vado codec installed, I've not been able to process the files directly using uLead DVD Movie Factory or Pinnacle Studio.

Posterous

My wife has 2 shelves in our kitchen full of recipes. They're in boxes, magazines, books, and scraps of paper.

I've been wondering how I could help her keep up with them and find just the one she wants. Of course the first thing that came to mind for me was technology, perhaps a data base?

Then I came to my senses. I played around a little with Google Docs but that seemed awkward.

One day, I came across posterous.com. All you have to do is to e-mail something to post@posterous.com and it's posted. They even clean it up for you. For example, if there are multiple pictures, they setup a picture gallery!

You can see her recipes here.

There's a great podcast about it here.

Geotagging

After our trip to Long Island last summer, I laboriously went through all my pictures on Picasaweb and geotagged them. I liked the result but not the effort!

So I've been investigating how to do this automatically. I searched high and low for GPS loggers. I looked at ATP PhotoFinder (original and mini), Sony GPS CS1KA, Qstarz BT-Q1000P, Canmore GT-730F(L), i-gotU GT-100, AMOD AGL3080, and more.

My key criteria were that I wanted it to be rechargeable via USB and to not require Windows drivers to get the data off the device.

The closest I came was the Columbus V-900. It recharged via USB and wrote KML files to a micro-SD card. That way all I needed was a micro-SD to SD USB adapter. Close enough so I clicked on "Submit" on Amazon.

Then I remembered my Blackberry Curve has GPS. Duh! I googled "Blackberry geotagging" and eventually found GPSLogger on some of the Blackberry forums.

It met both my criteria. Obviously the Blackberry is rechargeable via USB and GPSLogger creates standard format files on the Blackberry's micro-SD card.

The short version is that it just works. Surprisingly, it runs in the background. I've run it for 12 hours and it drew down about 1/2 the Blackberry's battery.

Here's the track in GeoLogger:

Here's the altitude:

And the speed:

Here's what I have for Options:

When you want to export the track, go to the path manager and "Export Path to Filesystem":

To apply the GPS data to the photos, I'm using GeoSetter. It's real simple but very capable.


Here's the result in Picasaweb.

Now I'm set for our next vacation. And I have to return the Columbus V-900.

KWORLD SA290-Q LE

I've been trying to find a use for the Astar MP-32HB HD TV that I got a couple of years ago. When I got the Sony KDL52W3000, I moved the Astar to my bedroom. I ran it on cable-ready for a while but that was all SD. Then I got a second HD DVR for it.

That had a couple of problems. First was the cost, about $30 per month to Comcast. Second was the noise. The hard drive kept spinning up and down. I replaced the DVR once but the second did the same thing.

Really, all I watch back there is the 10 o'clock news and the late night talk shows. It seemed silly to spend that much money for that but I had gotten where I liked the HD quality.

That's where I was when the digital TV transition happened. What that brought was that Comcast started carrying the local stations in digital format and in HD resolution. Unfortunately the Astar doesn't have a QAM tuner.

What I did is got a KWORLD SA290-Q LE from newegg.com.


Notice that it will also do VGA out so you could drive just an old PC monitor.

Read the reviews on newegg.com. Lots of people complain about it. The setup instructions are non-existent but the comment thread helps a lot. I bought a cheap programmable remote (GE 24950) and replaced the terrible remote that comes with it.


It has a bright blue light indicating power. That wouldn't do in the bedroom. I covered it with a 1/2 inch square of black duct tape. Perfect.

I feed the Comcast cable directly into it and get around 30 digital channels, no cable-ready although I had expected them also. Most of the digital channels that I've checked are HD, some 720p, some 1080i. I use component video to drive the Astar.

It'll pay for itself in 2 months.

Firefox Again, Again

This time I think I've found a keeper. I've been really leveraging Google's Hosted Apps for my domain using e-mail, Docs, Calendar, Tasks, Voice, etc. What I've run into is that IE7 (with IE7Pro) suffers seriously from memory creep. And no, I haven't tried IE8. IE7Pro reportedly doesn't work consistently with IE8.

The symptom I observed was that my real memory used crept up over 1GB after a couple of hours of usage. My T42 only has 1GB of RAM so that's bad. I could see this by firing up Windows Task Manager and looking at the Commit Charge at the bottom right. The Mem Usage of iexplore.exe would be a couple of hundred MB. When I'd stop IE7 the Commit Charge would drop lots more than what was attributed to iexplore.exe. Something was leaking somewhere! I suspect Javascript.

I thought I'd try Firefox again, again. Wanting to get as current as possible, I downloaded Firefox 3.5 beta 4. I haven't had a bit of trouble from the beta.

Most of the Add-ons I'd used before are still valid with Firefox 3.5 beta 4. Only Tab Clicking Options wouldn't work with it. This was easily replaced with Close Tab by Double Click. You don't even have to set any options. On QuickDrag I also checked "Open tabs for text searches in the foreground."

Besides the previous tweaks, I also found one to make search results open in a new tab.

howtogeek.com says:

Type about:config into the address bar, and then put the following into the filter box:

     browser.search.openintab

Double-click the value to change it to true.

This time, I also turned off third party cookies.

So far, so good.

Atlantis Takes Off

This week I flew down to Orlando to see Atlantis take off. As this was the last mission to the Hubble the area was packed. I watched from a location on the Cocoa Beach Causeway (SR 520).

The last mission to the Hubble was in 2002. This mission was scheduled for 2004 but scrubbed as too dangerous after the Columbia disaster in 2003. Post-Columbia, the plan in case of orbiter damage has been to keep the astronauts at the ISS until they could be rescued. This isn't possible when going to the Hubble. Hence, the Endeavour shuttle was on the other launch pad in case a rescue mission was required.

What sounds like wind noise starting at about 1 minute into it is the noise from the launch finally reaching our location. That says we were about 8-10 miles away. It gets louder as the shuttle gets higher then dies down.

Click on the HD in the bottom right corner of the picture. Depending on your Internet speed, you may want to then click on pause and let it load before playing.

This was shot with my Creative Labs Vado HD using a tripod (at first).

Oh, I haven't told you about the Vado HD have I? Later...

View Larger Video

IE8 Blocker

I'm really pretty neutral on Internet Explorer 8 right now. I haven't played with it yet. Microsoft just moved IE8 over to "Critical" status so it'll get pushed to a PC near you soon. I'm pretty conservative on letting things get pushed to my PCs.

With IE7 I used the IE7 blocking tool from IntelliAdmin.com. It worked great.

With IE8 Microsoft came out with their own blocking toolkit. Needless to say, it's bigger than a breadbox! It ends up creating a script that you have to run from a command line and set switches. Yuk.

In the end, it simply creates a single registry key. I created a pair of .reg files that do the same thing.

Just download this zip file. In it are 2 files, one to block IE8 and one to unblock IE8. Just open the zip file and double-click on whichever you want to do. Click on "Yes" in the dialog box that comes up and you're done. Look at them pretty closely. Use at your own risk.

As I was preparing this post, I went back to IntelliAdmin.com to see if they had done something for IE8. Needless to say they have. They have added IE8 blocking to their Network Administrator tool. Their article is here.

It's not quite as trivial as my .reg files (it requires an install) but I'm sure it's very good.

contxts.com

Sometimes I run across something that seems SO neat. So I go setup an account and play with it.

Then, I start wondering what I'm going to use it for.

I had that experience with contxts.com.

contxts.com is harder to explain than twitter.

Go to contxts.com and click on "get it free."


Fill in the form. Here's my sample.


And the result.


You can edit the field that is labeled "YOUR TXT CARD." You want to make this look kinda like a business card. Note that this field is simple text and is limited to 140 characters. Does this sound familiar?

I can't tell that the fields below with Twitter, LinkedIn, etc. do anything. I probably just haven't figured it out yet.

Ok. As one of my old bosses used to ask "So what?"

Here's how you use it. Say you want to share your contact information with a new acquaintance. Get their cell number (we'll use 601-444-2323 in this example) and send a text message from your phone (601-555-1212 in this example) with "send 6014442323" to 50500.

contxts.com will send a text message to 601-444-2323 with the text you put in the field of "YOUR TXT CARD."

An alternate method is to tell your acquaintance your "USERNAME" ("bogusname" in this example) and tell them to text that to 50500. They will receive a text message with the text you put in the field of "YOUR TXT CARD."

Here's what it looks like on my BlackBerry Curve.


Neat! Definitely. Useful? I dunno.

PS. Now that you understand this completely, go read foursquare's overview. Notice what shortcode they use. Huh?

Flash Players Settings

Did you realize that there are tons of settings available to you for Adobe Flash? Did you know that one of them will let Flash applications turn on your web cam? If not, then you should go look at them.

Don't think that you can just fire up Flash and navigate to Tools/Settings or something like that. Not that easy. Instead surf to Flash Player Help - Settings Manager.

Once you get here, you have access to these settings:

Global Privacy Settings Panel

Global Storage Settings Panel

Global Security Settings Panel

Global Notifications Settings Panel

Website Privacy Settings Panel

Website Storage Settings Panel

Here's what the Global Privacy Settings Panel looks like:

Read that second paragraph and then go check it out!

CaptureIt

One of the things I never got around to on my Treo 650 was finding a way to do screen captures. I Googled around looking for a BlackBerry tool and came across this article.

You know I like cheap and simple ("cheerful" for my Kiwi friends) so I naturally went for the free over the air (OTA) downloadable one. This was CaptureIt from TheTechMogul. His mobile site with the OTA download is here.

It's pretty simple. Just download it and let it install. It adds an icon to the home screen but it also adds a "CaptureIt" entry to the Menu. You can also go to Options, Screen/Keyboard, and set a Convenience Key (Right or Left) to invoke it. I haven't done that but it may come in handy from time to time. There are a few places that you don't get the Menu entry of "CaptureIt" so you can't get a screen capture there except by using the Convenience Key.

After CaptureIt captures a screen, it vibrates. This was put in recently as people who were using the Convenience Key were taking captures and didn't realize it.

CaptureIt stores the images in the Blackberry/Pictures folder (on the memory card if you have one) as CaptureHH_MM_SS.jpg. Then I just e-mail them to myself.

Here're a couple of screen captures just to show you what it looks like.

Hasta La Vista, Baby

I put up with Vista as long as I could. Or rather, I put up with my wife's complaining as long as I could.

I got her a ThinkPad T61 for her birthday. (A bit of advice. Don't get birthday presents with power cords.)

As I mentioned previously, it came with Vista Business and relatively little crapware. I put Office 2007 on it.

It seemed like it was going to do fine.

Then it started hanging up. Sometimes it was the whole thing and it took a hard power down to fix. Other times, it was just Internet Explorer that froze. Printers seemed to come and go randomly. Wireless was never certain.

I must admit, she was way more tolerant than I expected.

The last straw was when I picked it up last week to put the latest patches on it. It took me hours. It hung up, crashed, complained about processes that weren't visible, you name it.

A call to Lenovo to inquire about XP downgrade disks turned up that they wanted to charge $45 plus shipping! Then the confusion started about how to activate using the downgrade rights. I'll explain that in a minute.

I went to the Lenovo site and downloaded all the drivers and software for XP.

I Ghosted off the Vista partition. To do this I had to go into the T61's BIOS and set the SATA drive from ACHI to Compatible. Without this, Ghost 8 couldn't see the SATA drive.

I installed Windows XP Pro from a SP3 slipstreamed consumer CD that I had. With SP3 you can defer entering the key so I did. Then after it came up, I clicked on the Activate Windows link and chose telephone activation. To shorten the story, I had to enter the key (that was previously activated on another machine) and give the Microsoft representative the loooooooooooong installation ID. I told him I was downgrading Vista Business to XP Pro and he gave me a new key. I never had to give him the Vista key. Very odd.

The coup de grâce was installing Office 2003.

It's so nice to get back to the familiar and stable Windows XP. Call me a Luddite if you must.

Blogger and AT&T Curve

Recently I saw that I had a visitor to this blog who had Googled for "how to link my blog to att curve." I wish I could get back in touch with them. I know exactly what they were having problems with.

I have a blog that I use to post photos taken from my smartphones. I started it with my Treo 650, used it a little from my Motorola Q9h, and now post to it from my AT&T Blackberry Curve 8310.

But when I post using the Blackberry e-mail application, I get a reply back from postgateway@blogger.com:

Your carrier is not supported by Blogger Mobile.

When you go to Blogger Help, this page tries to get you started. But here's the key paragraph:

We support most popular mobile carriers in the US and worldwide. If Blogger Mobile is unavailable from your provider, you can still send posts to your blog using Mail-to-Blogger.

If you go into the Dashboard of your Blogger account, down at the very bottom (pay no attention to the Blogger help that says it's in the sidebar) is a list of mobile devices or e-mail addresses and which blogs they will post to.

There's the rub. That doesn't seem to work from the Curve like it did from the Treo. I presume that it has to do with using Blackberry e-mail on the Curve.

But that can be easily fixed.

Go to your Blogger Dashboard and click on the Settings tab then the Email tab. On this page there is an input field labeled "Email Posting Address." In this field, put a code word that will specify an e-mail address in the format yourname.codeword@blogger.com.

Then mail away to yourname.codeword@blogger.com. By default, those e-mails will automatically be posted to your blog.

DMA vs PIO

I think that title is probably the geekiest title I've used. I represents one of the trickiest and most persistent problems I've encountered.

First some background. My DVD burner is an old Sony DW-Q28A. It's a dual-layer +/- burner but old is the operative word. It is pretty picky about the media you use. It likes +Rs more than -Rs.

What I keep running into is write errors. Pitching the coaster disk and just trying the next one from the same cake box usually fixes it.

However, every now and then, it gets where it won't burn at all. I got so frustrated that I went looking for new firmware. I found some but never felt good about the process to reflash it. So I finally just bought a new burner.

But before I got around to installing it, I ran across some information about DMA vs PIO mode. Here's what makeuseof.com said:

... if Windows encounters six or more CRC or timeout errors, it will ... slow the Secondary IDE settings to PIO mode.

Trust me, that makes your DVD burner pretty worthless.

So how to correct this? Best to just read the entire post from makeuseof.com.

---

UPDATE

I had this problem again today. I used the procedure described above and it DIDN'T correct it.

So I invented my own solution.

From the desktop, right click on My Computer and select Properties. Click on the Hardware tab and click on the Device Manager button. Find the line that says "IDE ATA/ATAPI Controllers" and expand by clicking on the "+." On my system, the "Secondary IDE Channel" has the DVD drives. Double click on the appropriate channel and click on Advanced Settings. Look for the PIO value under "Current Transfer Mode" to make sure you have the right IDE channel.

When you're sure you have the right IDE channel, back up to the main Device Manager panel and (here comes the fun part) right click on the IDE channel and select "Uninstall." Click Ok. Now go up to the top and click on Actions and select "Scan for hardware changes." This will find the IDE channel and all the devices on it and reinstall them fresh. You shouldn't even have to reboot.

This fixed it for me today.

---

My experience shows that this fixes the problem, but YMMV. If this doesn't work for you, here's a lot more information. Be warned, it's not for the faint of heart.

By the way, DVDFab HD Decrypter checks this before it runs and offers to fix it. Oh, it's FREE!

Geotagging Pictures on a Blackberry

I'm still a relative amateur on my Blackberry but I just cracked the code on how to geotag pictures taken on my AT&T Curve 8310 running OS 4.5.

I'd Googled this and never got a concise explanation. Here's how to do it.

When you go to the Camera on the Blackberry, hit Menu and then Options. Set Geotagging to Enabled. Go back to the camera. In the lower left corner is an icon that you can't figure what it is. It is a satellite representing GPS. A red X over it means no GPS signal. No red X means you've got the satellites. Now take a picture. Save it and press Menu and View Pictures. Use the trackball to select the picture you just took. Don't click on it. Look at the bottom left corner of the screen. I don't know what the green icon means but the white dot between that and the file name means it has location data. How obscure can they make this?

When you finish with the camera, I suggest hitting Menu and then Close to ensure that the GPS is turned off.

I use Picasaweb to share my pictures. You have to go into Settings and check "Show my photo locations to others" and "Use Exif location data." Now go upload the Blackberry pictures to Picasaweb and voila!

And The Answer Is...

...Blackberry Curve 8310.


I gave in. It really shows how far the Blackberry has progressed to being a true smartphone since my 7290.

One of my overriding criteria is portability of data between the smartphone and PCs. The SanDisk Plus USB/SD card and Documents to Go solved that for the Treo 650.

The Motorola Q9h had Documents to Go as well but the media was a micro-SD card. Without carrying the micro-SD to regular SD adapter and a SD to USB adapter with you at all times you were fairly limited in connectivity. And the cable connectivity was a micro-USB. Whens the last time you've run across a micro-USB cable? Did you trip over a mini-USB cable (like the Curve uses) between your desk and the parking lot?

Both the Motorola Q9h and the Curve have good Bluetooth capabilities and I used them extensively on the Q to transfer files (remember the micro-USB). With the Curve I've mostly been using the mini-USB cable.

The Q used the same micro-USB cable for the external speaker connection. I use this extensively as I listen to podcasts to and from work. Whens the last time you've run across a micro-USB cable? (Is there an echo in here?) Needless to say, the Curve uses a standard 3.5mm connector. The Treo used a 2.5mm connector like a cell phone headset. I had to use a 2.5mm to 3.5mm adapter with it.

I immediately upgraded the Curve from OS 4.3 to OS 4.5. That gives you better applications, e.g. Voice Memo, Media Player, Camera (now supports video and geotagging), etc.

I've only added a few applications to the Curve. I added BB Notepad to read and create .txt files. I also added BuzzMe to make it ring and vibrate at the same time. Without this if you have it set to Vibrate+Tone, it will vibrate first then ring. Odd. I also loaded the obligatory Google Maps. Did I mention that these are all free?

All of these loaded over the air (OTA). I haven't really missed the 3G network of the Q.

I'll post more on the Curve later.

(Not So) Smartphone

My trusty Treo 650 is getting long in the tooth.

Over the holidays, I was googling around and found that RIM supported Blackberry Connect on the Motorola Q9h by AT&T. Then a little research on the AT&T site and I was off to the nearest corporate AT&T store.


The sales representative there was good. She didn't know everything but what she didn't know, she knew who did and got in touch with them.

I left there with a shiny new Motorola Q9h. The BlackBerry Connect loaded over the air (OTA) and pretty quick with the 3G network! The BlackBerry Connect did an enterprise activation OTA and even supported my company's BES policies.

Windows Mobile 6.1 was much nicer than Windows Mobile 5 on the iPaq hx2115. Turns out it was lipstick on the pig though.

The Moto Q9h was fun to play with. Until...

When I was showing it off to my co-workers, it started locking up. The keys wouldn't respond to anything and you had to pop the battery out to restart it.

After 3 or 4 times in the first 2 weeks, I posted on the great forums at everythingq.com. I got a sinking feeling in my stomach when one of the "gurus" responded "it just sounds like you're trying to do too many things at once."

The next post suggested a master reset which was a good idea. I got my act together and did this the next weekend.

It was rock solid for a week. But by the next weekend, it locked up 3 times in 3 days.

On the 29th day, the Moto Q9h went back to AT&T for ... (stay tuned).

TwitterGadget

I'm not (yet) a big Twitter.

The Twitter web interface is pretty simple to say the least. To use it, you have to keep hitting Refresh on your browser. Before you flame me, wait a second.

There are plenty of capable desktop and mobile applications that are much more capable clients than Twitter.com itself. I find that kinda odd but ...

Anyway, as you probably have figured out, I'm a big "cloud" proponent, e.g. Bloglines and Gmail.

While personalizing Gmail, I came across TwitterGadget. The Gmail gadget required 3rd party cookies be enabled which I didn't want to do so I kept looking.

What I found was that TwitterGadget's web interface is good alternative to a fat client for Twitter. That link is at the VERY bottom of the TwitterGadget home page.

Java Version Checker

Just to make sure you're running the latest version of Java JRE, Sun has an interactive Java version checker.

Just click on this link and then click on the blue "Verify Java version" button.

Pretty simple.

PS. There are more version checkers here.

The Fall and Rise of Spam

You'll remember how I track spam. Back in October 2008, I observed a precipitous drop. Remember that my numbers lag about 30 days as that's how long Google leaves spam before they delete it. I continued to watch this drop rapidly until it bottomed out in early December 2008. Now it's clearly headed back up.

While you have to look pretty closely at this chart, it represents a drop of almost 50%, 1500 to just over 800.

The story behind this is what's interesting.

Start with Brian Krebs' article from the Washington Post. It seems that the Internet backbone providers got together and took McColo off the air. McColo was a web hosting service that was accused of hosting 75% of spam. That's amazing.

Shortly after Krebs' article went up, FireEye began a series of blog posts about "the rest of the story." The links are here:

McColo shutdown Nov 11, 2008 16:23 EST

McColo found a new upstream provider (update)

But then the story took a twist. The spam had been emanating from a huge botnet known as Srizbi.

Srizbi control regained by original owner

It seems that this botnet had a plan to reestablish their command and control center in the event that they lost their host.

Technical details of Srizbi's domain generation algorithm

The good guys at FireEye even began buying up the domain names generated by the Sirzbi algorithm but to no avail. By late November, Krebs called it a "resurrection." He recapped it in this blog entry.

Andre' M. Di Mino of The Shadowserver Foundation discusses this in his podcast.

Good Job, Canon

My wife's work has a Canon PowerShot A95. It's a couple of years old but still a nice camera.

She came home one day and mentioned that there was something wrong with it. It wasn't taking pictures.

The next time I was by there I picked it up and played with it. When you viewed the pictures, it seemed to not display anything.

I kept playing with it and realized that if I continued to scroll backwards, I eventually got to old pictures.

Hmmm.

Then I took some pictures and they too were black. You could see all the menus though.

Seemed like the capture thingy was busted. (Don't you love it when I talk techie?)

I fell back to my faithful Google search for "Canon PowerShot A95 black LCD." Wouldn't you know that the first hit told me about the problem?

Eventually I got to this page at Canon.

The bad news is there is something fundamentally wrong with the CCD Image Sensors on a number of Canon cameras in this era.

The good news is that Canon is doing the right thing. A quick call to Canon and they e-mailed us a pre-paid UPS label to return the A95 to them. Within 10 days it was back repaired for no charge.

Nobody likes it when a product they buy fails but the way Canon is handling this is exemplary.

published with Windows Live Writer

BartPE on SD Card

The Asus Eee PC 1000H has an SD card reader. I read on the eeeuser.com forums that you could boot from that device.

That got me to thinking about booting BartPE from that.

I already had a BartPE CD so I just wanted to copy that to an SD card. I Googled "copy bartpe cd to usb drive" and got some pretty good hits. I chose this link.

Worked like a charm. Now I can boot BartPE from the SD card and use an external USB drive to Ghost to.

What's Google Up To?

I'm obviously a big Sitemeter fan. When I was looking at my report the other day, I noticed something odd. There were several entries from an ISP called Google! Look at this list.

Date/Time	Entry Page	Comments
10/05/08 5:21:20 pm	testblog/2007_12_01_archive.html	XP IE6
10/12/08 5:44:41 pm	testblog/	XP IE6
10/12/08 10:00:55 pm	2008/09/thank-you-google-i-think.html	From Google in NY OS X Firefox
10/12/08 10:52:20 pm	testblog/2007/12/test-2.html	XP IE6
10/13/08 2:35:03 am	testblog/2007/12/test.html	XP IE6
10/18/08 1:41:10 am	testblog/2007/12/test-2.html	XP IE6
10/18/08 4:48:18 am	testblog/	XP IE6
10/18/08 11:21:47 am	testblog/2007/12/test.html	XP IE6
10/19/08 7:47:43 pm	2008/10/thinkpad-xp-sp3-wi-fi.html	XP IE6
10/20/08 5:53:27 am	2007_12_01_archive.html	XP IE6
10/23/08 2:51:24 pm	2008/10/thinkpad-xp-sp3-wi-fi.html	XP IE6
10/26/08 3:12:51 pm	2008/02/gps-and-google-maps.html	WinNT IE7 "can i imports maps to mio c320"
11/09/08 6:43:04 pm	Javascript disabled	Win2000 IE6

What on earth is going on with Google?

Why do they keep visiting my test blog? And those entries aren't even active. They're test entries when I was experimenting with using Blogspot's ftp method of publishing.

Someone from Google's New York office even visited.

I think it's interesting to notice that most visits were from Windows XP, IE6, and 1024x768 display. Probably the same PC.

Every now and then, you'll see an outlier, like the WinNT IE7 visit on 10/26/08. It looks like that visit was personal as it was the result of a Google search for "can i imports maps to mio c320." And the security conscious visitor on 11/09/09 who had his Javascript disabled.

Google, what are you up to?

published with Windows Live Writer

Javascript or Not

Remember way back in 2006, I wrote a blog entry on Javascript. That was about my experiment with Steve Gibson's recommendation of blocking Javascript except on Trusted Sites in Internet Explorer. His idea was to put known sites in the Trusted Sites list. Boy, was that a pain! It was a noble experiment but I gave it up.

Well, now Steve is a Firefox user and and has embraced the NoScript add-on.

He went on and on about NoScript in Security Now 168 where he talked about clickjacking. If you don't know what that is, go listen but don't loose any sleep about it.

Then in Security Now 169 Steve confessed:

Steve: The reason I didn't want to skip this question was this was when I planned to confess.
Leo: You turn it off.
Steve: I've turned it off, too.

Even Steve Gibson runs with Javascript enabled!

No doubt turning off Javascript is the safest thing to do but it's pretty much impractical.

So that got me to wondering how many people actually TRY to surf this way.

Here's what my blog readers look like. This blog is on the left. WhereIveBen is on the right.
3.5% of the geeks have Javascript turned off and 1% of the normal people.

Secunia Online Software Inspector

Recently, I mentioned the Secunia Online Software Inspector. I played with it some. It worked pretty well.

It's a Java applet so there's nothing to install. It "only" checks about 100 programs but they're the key ones.

The OSI page says it takes "5-40 seconds." I saw this all over the place, as high as 4 minutes. Most runs were in the sub-20 second range though.

The first run showed up vulnerabilities in several Adobe products. I'm fanatical about patching Adobe products so that was a surprise.

It even gives you a link to resolve the problem. The Flash Player was tough to fix.

I finally had to download and save the Flash Player uninstaller. Then closed my browser(s) and ran the uninstaller. When it was done, clicked on the "Show Details" button and looked for "Delete on Reboot..." I found one so I needed to reboot.

After the reboot, I went back to Adobe and installed the current Flash Player.

After that, the OSI ran clean.

Maybe I'll go play with the Secunia Personal Software Inspector (PSI) next.

Asus Eee PC 1000H

My birthday was back in September. My birthday list was short - the brand new Asus Eee PC 1000H. The price had just dropped from $650 to $499 so I jumped on it. The price immediately fell to $410 and has now reached $399. Oh, well.

But it's a sweet system. The 1000H version comes with a 10" screen, 1GB of RAM, 80GB SATA hard drive, a 1.6GHz Atom processor and weighs just over 3 lbs.

It comes with XP Home pre-loaded. I'd never used XP Home before but it does everything I need so far. It's pretty clean of bloatware. What extra software that is loaded is pretty much just the utilities to support the Asus.

The screen is only 1024x600 but is crystal clear. With a hardware button, you can change the resolution to 800x600, 1024x768 (compressed into 1024x600) and finally 1024x768 that scrolls.

The Atom has been pretty zippy. The latest BIOS (which came already loaded) even enables hyperthreading.

Unfortunately it doesn't have my beloved TrackPoint but it has a multi-touch touchpad similar to the iPhone. It shipped without the latest drivers but I downloaded them from ElanTech and they're wonderful. There's a clip on youtube.com demonstrating it. You'll also notice that they have Vista running on the 1000H!

I upgraded the memory to 2GB for $12.99. I'm not sure that it made much difference but for the price ...

Asus suggests the battery life is up to 7 hours. I can't vouch for that yet but it has run for hours even with the WiFi running. Speaking of WiFi, it supports B, G, and draft-N. Oh, and Bluetooth. And has an SDHC slot. And 3 USB 2.0 ports. And a VGA port.

There's a very active and supportive community around the 1000H here.

Here're some comparison photos of the 1000H, my beloved ThinkPad X20, and my work Dell D410.

JRE Vulnerability

I was listening to Windows Weekly last week and Paul Thurrott mentioned Microsoft's Baseline Security Analyzer. Leo Laporte then mentioned Secunia's PSI (Personal Software Inspector). I had heard about it before but it was a long time ago.

Secunia's PSI has a much broader scope than Microsoft's so I went poking around looking at it. Leo had also mentioned that Secunia had a similar Online Software Inspector. This doesn't require an install as it's a Java applet (here's where the good stuff starts) but only scans less than 100 programs. Even so, that list is a pretty good start.

So I read on. There was a bright red link in the right column that caught my eye.
When I followed this link, There was a discussion of a newly discovered exposure in Sun's Java Runtime Environment (JRE).

It's pretty geeky reading and has a link to CERT's blog post on it (interestingly entitled "Signed Java Applet Security: Worse than ActiveX?").

Go read it for yourself and then either take the steps in the CERT blog article or just run the Secunia OSI and it'll do it for you.

USB Drive autorun.inf

So I had my menu working great on my new USB drive.

What I wanted it to do was to give me an choice to run PStart when I plugged in the USB drive.

I had noticed that my wife's USB drive that she runs Allway Sync from gave her that choice so I went looking there.

All I could see different on it was an autorun.inf. There had to be something in there.

It looked pretty normal but it had an entry I wasn't familiar with: action.

Go try and find some documentation on autorun.inf. After many searches, I came across this. It said:

ACTION is a relative new command that was introduced in Windows XP SP2. It is not supported in earlier Windows. This command specifies a text that should be shown as the first option in the Windows Autoplay dialog, together with the icon specified by the ICON. This option is always selected by default and if the user accepts the option, the application specified by the OPEN or SHELLEXECUTE entry in the media's Autorun.inf file is launched.

There also was a link to an MSDN page.

So I copied the autorun.inf from my wife's USB drive and made the following changes:

[autorun]
open=PStart.exe -autorun
icon="PStart.exe"
action=Launch PStart Menu
label=Ben's 8GB USB

Here's what it looks like when I plug it in.


Just hit Enter and you're off!

Green

A guy at work has been working on a green project involving putting PCs into reduced power states. He had a Kill-A-Watt so I borrowed it and brought it home.

My tests were clearly unscientific but I tried to be consistent.

I tested 4 laptops: a ThinkPad T42, a Dell D410, an Asus Eee PC 1000H, and a ThinkPad T61.

I ran each through 4 scenarios. First was a Steady state. XP was booted and "idle" as I wasn't intentionally running anything. I made no attempt to stop background tasks. Next, I started a search of the hard drive for a character string in a file name that would be unlikely to be found. During this I subjectively recorded the Search value and the Peak value. Lastly, I put each system in Standby.

The LCD was powered on and the battery was fully charged in all tests.

The Kill-A-Watt only recorded whole Watts so there is probably an issue with resolution in the Standby readings. It read 1 Watt when nothing was plugged into it.

Nevertheless, there are some pretty interesting results:

Laptop	Steady	Search	Peak	Standby
T42	22	24	31	3
D410	20	28	34	2
1000H	11	13	14	1
T61	37	72	83	3

The Asus Standby effectively read no power draw but that can't be accurate. This is likely an issue with the resolution mentioned earlier.

Bye, Bye U3

I was enamored with my U3 USB drive. It really did work well for me but my primary use was for KeePass. KeePass doesn't directly support U3. There are a couple of independently done U3 packages but I couldn't figure out how to incorporate my backup plugin. I had created my own package but it didn't use the U3 wrapper to shut down KeePass when I used the U3 launchpad to eject the drive.

And then when I handed my drive to somebody to share a file with them, I had to tell them to hold down the shift key while they inserted it so the U3 launchpad wouldn't run. They'd always look at me like I was from Mars.

Then my wife lost (and then found) the cap to her USB drive she runs Allway Sync from. So I started searching for her a USB drive that didn't need a cap.

I came across Super Talent's Pico-C.

I got her one at SuperMediaStore. Believe it or not, they're cooler than they look.
I had to have one myself.

So I got an 8GB from SuperMediaStore and moved my content over to it.

But wait, now I needed a menu!

I've used a couple of PortableApps but while they worked great, I didn't like the branding. I thought maybe I could use their menu system and delete all the branded stuff. Then I stumbled across PStart.

Perfect. The menu starts empty and you can just right click and add items. There's lots of flexibility to tailor the menu. There are just 2 files involved: PStart.exe and PStart.xml.

It's so clean. It puts an icon in the system tray (I'll get to how in another post.) A single left click brings up this menu.
A left double-click brings up the "panel."
Hitting Esc even dismisses this panel!

ThinkPad XP SP3 Wi-Fi

Remember the ThinkPad T42 I bought last year? It's still running XP and doing fine, thank you.

I run 802.11g throughout the house and the T42 came with a 802.11b mini-PCI card. I found a P/N 91p7301 on eBay for less than $5. Swapping it out wasn't trivial but I did it and it works fine.

I had installed Windows XP SP3 on a number of systems and had had NO problems.

Until...

After I finished the SP3 install and rebooted, the network wouldn't connect. It just sat there saying it was trying to get an IP address. Of course I tried "Repair" but no change.

Interestingly, if I left the wireless NIC trying to connect and connected the wired NIC to the router, the wireless NIC got an IP address and all was well.

I got another laptop and began Googling it. I found a couple of hits here and here. I wasn't alone.

It seems to be pretty specific to the particular chip set that's in that Wi-Fi card. The suggestions were to set the services "Extensible Authentication Protocol Service" and "Network Access Protection Agent" to "Automatic" and reboot.

That worked.

Oh, I don't use ThinkPad's "Access Connection" nor nLite.

Disappearing Task Manager

Have you had the problem I've had where Windows' Task Manager "disappears" when you minimize to the system tray. Yeah, I've got all the items checked under Options but it just disappears when you minimize it.

The only way I'd found to make it work as it should has been to reboot. I don't like to reboot so that wasn't acceptable to me.

The other day I Googled it one more time.

I found it. A couple of screens down in the Google results was this forum post.

f0dder's answer was so simple. I should have thought of this myself.

To solve it, bring up the task manager, *exit* it instead of minimizing, and re-start... at least that works for me.

KVM Switch

A couple of weeks ago, a thunderstorm went through and made the lights blink at my house. I've got UPSs on almost everything except my SageTV box. Yep, it wouldn't come back up. 2 beeps at power on and then nothing.

Now this box run headless, no keyboard or display. So I headed upstairs to my parts stash and returned with a display and keyboard.

What I found was that the CPU fan had died. I took it to PC Doctor in Memphis and they diagnosed and replaced the fan for just under $50 in 3 days. Not bad.

But it was a real hassle to drag it out of the desk and hook up the keyboard and display.

I found a D-Link KVM-121 at buy.com for $20 after rebate with free shipping.

It supports not only the keyboard and display but sound.

So now I can readily toggle between SERVER and SageTV. Hopefully I won't ever have to but I can.

T61

My wife's old ThinkPad T23 is getting long in the tooth. The wireless continues to loose NetBIOS so from time to time she can't get to the shared My Documents nor print. And the DVD drive keeps disappearing and reappearing. She's been exceptionally tolerant of it (more than I would have been).

So when her birthday came around this year, I found her a Lenovo ThinkPad T61. Don't worry. I also got her some Irish pottery.

It came with Vista Business and 1GB of RAM. I added a second GB.

The OEM Vista was pretty clean as it was a business load.

All seemed well until I started using it. I started having flashbacks of my previous Vista experience.

I had the same problem installing the printers. At least I knew how to fix it but that shouldn't be a problem.

I also have a problem connecting consistently to my WPA network although I'm not convinced that's not a Lenovo issue.

Then when I got it all hooked up, I ran into of all things performance problems! It was taking 5+ seconds to open a new tab. Most of that time, IE7 sat with "Connecting..." in the tab name. All it was trying to open was about:blank.

My friend Google finally turned up this forum post at Microsoft. The gist of it is that the slowdown was due to a BHO (CPwmIEBrowserHelperObject) that Lenovo had installed.

I aggressively disabled (Tools/Internet Options/Programs/Manage add-ons) any add-on that I didn't know that I wanted and now the T61 runs great.

Thank You, Google, I Think

I admit I'm a Google fan-boy. And I'm apparently one of the last to still be running Internet Explorer 6.

But in the same week that Google released Chrome, they updated (?) Gmail for IE6.

Thank you, Google, I think. What's next? Netscape?

Google Chrome

This is not the definitive post on Google's new browser, Chrome. (I kinda like that name.)

You know I'm a sucker for all things Google so I downloaded it and began playing with it.

This post just has the first couple of things that caught my eye and interest.

First, they lie to the web site. They probably have to or all the web sites would give them junk html.


They tell the web site that they are Safari on Macintosh WinXP. That's a new operating system to me. Apparently the code base is Apple's WebKit.

The rendering looks pretty much like Firefox as they both use the Gecko engine.


As you would expect from Google (particularly in a 0.2 release), this thing is pretty minimalist but it is elegant. Look at the Find bar.


And yeah, the up and down arrows are "previous" and "next." So subtle.

IE 7 and Firefox 3 have gotten this thing about combining the history in "Back" and "Forwards" buttons. Chrome leaves the history on the appropriate button but adds a new user interface of clicking and holding to display it.


Time will tell on this one.

I've really gotten where I like the color coding of the address bar for SSL and EV certificates. Chrome has half of it.


To show the EV certificate, you have to click on the lock in the address bar.

If you right click on the tab bar, one of the choices is "Task manager." I had to click that.


Interesting but I couldn't resist the "Stats for nerds."


Wow!

Remember the controversy over Firefox 3's address bar pulling up history? Google just went way beyond that. They use the address bar field for a search field also.


Go play with it. Just remember that it's a 0.2 release!

Windows XP SP3 Slipstream

This isn't a step-by-step "how to" but more of a "how not to."

I had heard a Windows Weekly podcast where Paul Thurrott talked about an article he had written on how to create a Windows XP installation disk with SP3 slipstreamed into it. It is nothing if not thorough.

But...

Paul wanted to make his process completely self-defining and using all free software. So he used ISO Buster and Nero 8 Trial.

ISO Buster is used to extract the file Microsoft Corporation.img from the original XP disk. As I'd already built an SP2 slipstreamed disk a couple of years ago, I already had that. Scratch off ISO Buster.

And I am a moderately big fan of Roxio so I didn't need Nero 8 Trial. Sometimes I'm too "clever" for my own good.

The end of the story is that the Microsoft Corporation.img file that I had worked fine but I had fits translating Paul's instructions for Nero 8 Trial into Roxio-speak.

I googled "make a bootable cd with roxio." On the first page was a link to "The Elder Geek's" post on how to slipstream SP1.

But at the bottom was a link to how to burn the CD using "Roxio Easy CD and DVD Creator 6."

Bingo. That worked.

DNS Security, Part 3

Is there no end to the DNS security flaw? I've written about it here and here.

We all hoped that the technique that Dan Kaminsky described would put this to rest.

Apparently we were wrong.

The Register reported that a Russian researcher had demonstrated DNS cache poisoning on a freshly patched DNS server. It did take him 10 hours with a dedicated gigabit connection to the server but he did poison it.

Even Dan had to respond.

I read that when he posted it but I kinda glazed over after a while.

Then Steve Gibson revisited the DNS vulnerability in his last podcast. (I gotta quit listening to Steve.) You can read it here.

Steve refers to the "0x20 hack." If you hadn't falling asleep reading Dan's post, you would have seen that he did too.

I found the ITEF RFC that describes this technique. Sure cure for insomnia. Suffice it to say it has to do with using mixed case in the domain name being queried.

Let me net it out for me and you both.

Prior to this summer's patches, DNS had as low as 1 in 32,769 possibilities to be compromised. After the patches, the odds were 1 in 4,294,967,296 (according to Dan).

The 0x20 hack makes this 1 in billions and billions. Yeah, there are some edge cases that Dan covers but it's way better.

And this seems relatively easy to implement. I expect it'll slip in in a future round of patches and we'll be done with this until ... DNSSEC.

Stay tuned.

DNS Security Flaw Explanation

Early last month, Dan Kaminsky announced that he had found a serious security flaw in the DNS code. My blog entry on it is here. Dan had promised that he'd explain it at Black Hat on August 6, 2008.

Here are his slides.

My take of it is that the bloggers had the vulnerability pretty much right but Dan explained how it could be so much easier exploited.

I welcome your comments with more insight.

Windows Product Key Update Tool

If you've been reading this blog for long, you know what a sucker I am for ThinkPads. I buy them off lease from RetroBox. If you watch them closely (think every day), you can really find some good deals.

They come from RetroBox wiped clean; no OS. That always gets me to scrambling even though they all have a Certificate of Authenticity (COA) for Windows XP Pro on the bottom with a key. You'd need the IBM OEM XP Pro recovery CDs to use this key. Or so I thought.

Tonight I found the way to activate using this key. I have a consumer media for Windows XP Pro with a key. Use this and do a normal install even including entering this key. Don't sweat it if it has already been activated.

Then after the install is complete and before activating, go to Microsoft and download the Windows Product Key Update Tool. Run it and follow the instructions using the key on the COA on the bottom of the ThinkPad. One reboot later, you're done. It's even authenticated!

I don't see why this wouldn't work on any PC with an OEM COA. Let me know your experience.

I found this technique here on My Digital Life.

Allway Sync

Remember when I talked about using FolderShare to help my wife work back and forth between home and her office?

Her work system administrators have gotten increasingly thorough. In the end, they've blocked FolderShare. I completely understand why they're doing that.

But...

If I was ever going to see my wife, I had to restore her ability to work from home. I talked around at work and found robocopy and SyncToy. robocopy comes in the Windows Server 2003 Resource Kit Tools. It's a command line utility but there's a GUI to "help." While it's very capable, it's pretty awkward.

Then there's SyncToy v2.0 Beta. It's bigger than a breadbox. For example, it requires the .NET Framework v2.0.

I kept looking.

Somewhere I came across Allway Sync. It's free but limited to "synchronize no more than 20,000 files per 30-day period." I can live with that. They have a portable install made especially for installation on USB drives.

I found her a 512MB USB drive and copied her work My Documents to it. Then installed Allway Sync and created an automatic synchronization job.

On her PC at work, I created an icon on her desktop that will launch Allway Sync and run that synchronization job. And I got her a USB extension cord so she had a place to plug her USB drive in right on her desktop.

When she gets to work, she plugs in the USB drive and clicks the icon. It syncs automatically. She removes the USB drive and works normally throughout the day. When she is ready to leave, she repeats the process. Now the USB drive has a copy of her work My Documents.

At home, she plugs the USB drive into her ThinkPad and works from there. An unexpected benefit is that since she keeps the USB drive on her key chain, she can actually work on any PC by just plugging in the USB drive.

Still not as nice as FolderShare but works good enough within the restrictions of her work.

OpenDNS and the DNS Security Flaw

I found another reason to run OpenDNS. Brian Krebs of the Washington Post recently posted about a newly revealed security problem in the design of DNS.

Brian linked to Dan Kaminsky's blog. Dan has a gadget on his page that will check YOUR DNS server. You know me. Like the bank robber in "Dirty Harry," "I gots to know."

Here's what the test reported for OpenDNS:

Then I went to another PC that is using BellSouth's DNS servers:

You be the judge.