Wednesday, November 26, 2008

Javascript or Not

Remember way back in 2006, I wrote a blog entry on Javascript. That was about my experiment with Steve Gibson's recommendation of blocking Javascript except on Trusted Sites in Internet Explorer. His idea was to put known sites in the Trusted Sites list. Boy, was that a pain! It was a noble experiment but I gave it up.

Well, now Steve is a Firefox user and has embraced the NoScript add-on.

He went on and on about NoScript in Security Now 168 where he talked about clickjacking. If you don't know what that is, go listen but don't lose any sleep about it.

Then in Security Now 169 Steve confessed:

Steve: The reason I didn't want to skip this question was this was when I planned to confess.
Leo: You turn it off.
Steve: I've turned it off, too.

Even Steve Gibson runs with Javascript enabled!

No doubt turning off Javascript is the safest thing to do but it's pretty much impractical.

So that got me to wondering how many people actually TRY to surf this way.

Here's what my blog readers look like. This blog is on the left. WhereIveBen is on the right.
3.5% of the geeks have Javascript turned off and 1% of the normal people.

Wednesday, November 19, 2008

Secunia Online Software Inspector

Recently, I mentioned the Secunia Online Software Inspector. I played with it some. It worked pretty well.

It's a Java applet so there's nothing to install. It "only" checks about 100 programs but they're the key ones.

The OSI page says it takes "5-40 seconds." I saw this all over the place, as high as 4 minutes. Most runs were in the sub-20 second range though.

The first run showed up vulnerabilities in several Adobe products. I'm fanatical about patching Adobe products so that was a surprise.

It even gives you a link to resolve the problem. The Flash Player was tough to fix.

I finally had to download and save the Flash Player uninstaller. Then closed my browser(s) and ran the uninstaller. When it was done, clicked on the "Show Details" button and looked for "Delete on Reboot..." I found one so I needed to reboot.

After the reboot, I went back to Adobe and installed the current Flash Player.

After that, the OSI ran clean.

Maybe I'll go play with the Secunia Personal Software Inspector (PSI) next.

Friday, November 14, 2008

Asus Eee PC 1000H

My birthday was back in September. My birthday list was short - the brand new Asus Eee PC 1000H. The price had just dropped from $650 to $499 so I jumped on it. The price immediately fell to $410 and has now reached $399. Oh, well.

But it's a sweet system. The 1000H version comes with a 10" screen, 1GB of RAM, 80GB SATA hard drive, a 1.6GHz Atom processor and weighs just over 3 lbs.

It comes with XP Home pre-loaded. I'd never used XP Home before but it does everything I need so far. It's pretty clean of bloatware. What extra software is loaded is pretty much just the utilities to support the Asus.

The screen is only 1024x600 but is crystal clear. With a hardware button, you can change the resolution to 800x600, 1024x768 (compressed into 1024x600) and finally 1024x768 that scrolls.

The Atom has been pretty zippy. The latest BIOS (which came already loaded) even enables hyperthreading.

Unfortunately it doesn't have my beloved TrackPoint but it has a multi-touch touchpad similar to the iPhone. It shipped without the latest drivers but I downloaded them from ElanTech and they're wonderful. There's a clip on youtube.com demonstrating it. You'll also notice that they have Vista running on the 1000H!

I upgraded the memory to 2GB for $12.99. I'm not sure that it made much difference but for the price ...

Asus suggests the battery life is up to 7 hours. I can't vouch for that yet but it has run for hours even with the WiFi running. Speaking of WiFi, it supports B, G, and draft-N. Oh, and Bluetooth. And has an SDHC slot. And 3 USB 2.0 ports. And a VGA port.

There's a very active and supportive community around the 1000H here.

Here're some comparison photos of the 1000H, my beloved ThinkPad X20, and my work Dell D410.

Sunday, November 09, 2008

JRE Vulnerability

I was listening to Windows Weekly last week and Paul Thurrott mentioned Microsoft's Baseline Security Analyzer. Leo Laporte then mentioned Secunia's PSI (Personal Software Inspector). I had heard about it before but it was a long time ago.

Secunia's PSI has a much broader scope than Microsoft's so I went poking around looking at it. Leo had also mentioned that Secunia had a similar Online Software Inspector. This doesn't require an install as it's a Java applet (here's where the good stuff starts) but only scans less than 100 programs. Even so, that list is a pretty good start.

So I read on. There was a bright red link in the right column that caught my eye.
When I followed this link, there was a discussion of a newly discovered exposure in Sun's Java Runtime Environment (JRE).

It's pretty geeky reading and has a link to CERT's blog post on it (interestingly entitled "Signed Java Applet Security: Worse than ActiveX?").

Go read it for yourself and then either take the steps in the CERT blog article or just run the Secunia OSI and it'll do it for you.

Friday, November 07, 2008

USB Drive autorun.inf

So I had my menu working great on my new USB drive.

What I wanted it to do was to give me a choice to run PStart when I plugged in the USB drive.

I had noticed that my wife's USB drive that she runs Allway Sync from gave her that choice so I went looking there.

All I could see different on it was an autorun.inf. There had to be something in there.

It looked pretty normal but it had an entry I wasn't familiar with: action.

Go try and find some documentation on autorun.inf. After many searches, I came across this. It said:

ACTION is a relative new command that was introduced in Windows XP SP2. It is not supported in earlier Windows. This command specifies a text that should be shown as the first option in the Windows Autoplay dialog, together with the icon specified by the ICON. This option is always selected by default and if the user accepts the option, the application specified by the OPEN or SHELLEXECUTE entry in the media's Autorun.inf file is launched.

There also was a link to an MSDN page.

So I copied the autorun.inf from my wife's USB drive and made the following changes:

[autorun]
open=PStart.exe -autorun
icon="PStart.exe"
action=Launch PStart Menu
label=Ben's 8GB USB

Here's what it looks like when I plug it in.


Just hit Enter and you're off!
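
Before accepting the default AutoPlay option on a drive, it helps to see which program the ACTION text is tied to. The following is an added example, not part of the original post: a small reader for autorun.inf that lists the prompt text next to the commands it would launch. The function names are hypothetical, and the sample is the file shown above.

```python
# Added example: inspect an autorun.inf before trusting the AutoPlay prompt.
# Function names are hypothetical; SAMPLE is the file from this post.

SAMPLE = """\
[autorun]
open=PStart.exe -autorun
icon="PStart.exe"
action=Launch PStart Menu
label=Ben's 8GB USB
"""


def parse_autorun(text):
    """Return the entries of the [autorun] section with lower-cased keys."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section and key names are matched without regard to case.
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def program_of(command):
    """Extract the program from a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def audit_autorun(text):
    """Summarise what the drive displays and what it would run."""
    entries = parse_autorun(text)
    launches = [
        (key, value) for key, value in entries.items()
        # open / shellexecute are the entries named in the quote above;
        # shell\<verb>\command entries add right-click menu commands.
        if key in ("open", "shellexecute")
        or (key.startswith("shell\\") and key.endswith("\\command"))
    ]
    return {
        "prompt": entries.get("action"),          # free-form text shown first
        "label": entries.get("label"),
        "icon": entries.get("icon", "").strip('"') or None,
        "launches": launches,
        "programs": sorted({program_of(v) for _, v in launches}),
    }


if __name__ == "__main__":
    report = audit_autorun(SAMPLE)
    print("AutoPlay prompt :", report["prompt"])
    for key, command in report["launches"]:
        print("Would run       : %s (from %s=)" % (command, key))
```

The prompt text is free-form, so the `programs` list is the part to check against what you expect to be on the drive.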

Monday, November 03, 2008

Green

A guy at work has been working on a green project involving putting PCs into reduced power states. He had a Kill-A-Watt so I borrowed it and brought it home.

My tests were clearly unscientific but I tried to be consistent.

I tested 4 laptops: a ThinkPad T42, a Dell D410, an Asus Eee PC 1000H, and a ThinkPad T61.

I ran each through 4 scenarios. First was a Steady state. XP was booted and "idle" as I wasn't intentionally running anything. I made no attempt to stop background tasks. Next, I started a search of the hard drive for a character string in a file name that would be unlikely to be found. During this I subjectively recorded the Search value and the Peak value. Lastly, I put each system in Standby.

The LCD was powered on and the battery was fully charged in all tests.

The Kill-A-Watt only recorded whole Watts so there is probably an issue with resolution in the Standby readings. It read 1 Watt when nothing was plugged into it.

Nevertheless, there are some pretty interesting results:

Laptop   Steady (W)   Search (W)   Peak (W)   Standby (W)
T42      22           24           31         3
D410     20           28           34         2
1000H    11           13           14         1
T61      37           72           83         3

The Asus Standby effectively read no power draw but that can't be accurate. This is likely an issue with the resolution mentioned earlier.

Saturday, November 01, 2008

Bye, Bye U3

I was enamored with my U3 USB drive. It really did work well for me but my primary use was for KeePass. KeePass doesn't directly support U3. There are a couple of independently done U3 packages but I couldn't figure out how to incorporate my backup plugin. I had created my own package but it didn't use the U3 wrapper to shut down KeePass when I used the U3 launchpad to eject the drive.

And then when I handed my drive to somebody to share a file with them, I had to tell them to hold down the shift key while they inserted it so the U3 launchpad wouldn't run. They'd always look at me like I was from Mars.

Then my wife lost (and then found) the cap to her USB drive she runs Allway Sync from. So I started searching for her a USB drive that didn't need a cap.

I came across Super Talent's Pico-C.

I got her one at SuperMediaStore. Believe it or not, they're cooler than they look.
I had to have one myself.

So I got an 8GB from SuperMediaStore and moved my content over to it.

But wait, now I needed a menu!

I've used a couple of PortableApps but while they worked great, I didn't like the branding. I thought maybe I could use their menu system and delete all the branded stuff. Then I stumbled across PStart.

Perfect. The menu starts empty and you can just right click and add items. There's lots of flexibility to tailor the menu. There are just 2 files involved: PStart.exe and PStart.xml.

It's so clean. It puts an icon in the system tray (I'll get to how in another post.) A single left click brings up this menu.
A left double-click brings up the "panel."
Hitting Esc even dismisses this panel!

Thursday, October 16, 2008

ThinkPad XP SP3 Wi-Fi

Remember the ThinkPad T42 I bought last year? It's still running XP and doing fine, thank you.

I run 802.11g throughout the house and the T42 came with a 802.11b mini-PCI card. I found a P/N 91p7301 on eBay for less than $5. Swapping it out wasn't trivial but I did it and it works fine.

I had installed Windows XP SP3 on a number of systems and had had NO problems.

Until...

After I finished the SP3 install and rebooted, the network wouldn't connect. It just sat there saying it was trying to get an IP address. Of course I tried "Repair" but no change.

Interestingly, if I left the wireless NIC trying to connect and connected the wired NIC to the router, the wireless NIC got an IP address and all was well.

I got another laptop and began Googling it. I found a couple of hits here and here. I wasn't alone.

It seems to be pretty specific to the particular chip set that's in that Wi-Fi card. The suggestions were to set the services "Extensible Authentication Protocol Service" and "Network Access Protection Agent" to "Automatic" and reboot.

That worked.

Oh, I don't use ThinkPad's "Access Connection" nor nLite.

Saturday, October 04, 2008

Disappearing Task Manager

Have you had the problem I've had where Windows' Task Manager "disappears" when you minimize to the system tray? Yeah, I've got all the items checked under Options but it just disappears when you minimize it.

The only way I'd found to make it work as it should has been to reboot. I don't like to reboot so that wasn't acceptable to me.

The other day I Googled it one more time.

I found it. A couple of screens down in the Google results was this forum post.

f0dder's answer was so simple. I should have thought of this myself.

To solve it, bring up the task manager, *exit* it instead of minimizing, and re-start... at least that works for me.

Saturday, September 20, 2008

KVM Switch

A couple of weeks ago, a thunderstorm went through and made the lights blink at my house. I've got UPSs on almost everything except my SageTV box. Yep, it wouldn't come back up. 2 beeps at power on and then nothing.

Now this box runs headless, no keyboard or display. So I headed upstairs to my parts stash and returned with a display and keyboard.

What I found was that the CPU fan had died. I took it to PC Doctor in Memphis and they diagnosed and replaced the fan for just under $50 in 3 days. Not bad.

But it was a real hassle to drag it out of the desk and hook up the keyboard and display.

I found a D-Link KVM-121 at buy.com for $20 after rebate with free shipping.

It supports not only the keyboard and display but sound.

So now I can readily toggle between SERVER and SageTV. Hopefully I won't ever have to but I can.

Saturday, September 13, 2008

T61

My wife's old ThinkPad T23 is getting long in the tooth. The wireless continues to lose NetBIOS so from time to time she can't get to the shared My Documents nor print. And the DVD drive keeps disappearing and reappearing. She's been exceptionally tolerant of it (more than I would have been).

So when her birthday came around this year, I found her a Lenovo ThinkPad T61. Don't worry. I also got her some Irish pottery.

It came with Vista Business and 1GB of RAM. I added a second GB.

The OEM Vista was pretty clean as it was a business load.

All seemed well until I started using it. I started having flashbacks of my previous Vista experience.

I had the same problem installing the printers. At least I knew how to fix it but that shouldn't be a problem.

I also have a problem connecting consistently to my WPA network although I'm not convinced that's not a Lenovo issue.

Then when I got it all hooked up, I ran into of all things performance problems! It was taking 5+ seconds to open a new tab. Most of that time, IE7 sat with "Connecting..." in the tab name. All it was trying to open was about:blank.

My friend Google finally turned up this forum post at Microsoft. The gist of it is that the slowdown was due to a BHO (CPwmIEBrowserHelperObject) that Lenovo had installed.

I aggressively disabled (Tools/Internet Options/Programs/Manage add-ons) any add-on that I didn't know that I wanted and now the T61 runs great.

Tuesday, September 09, 2008

Thank You, Google, I Think

I admit I'm a Google fan-boy. And I'm apparently one of the last to still be running Internet Explorer 6.

But in the same week that Google released Chrome, they updated (?) Gmail for IE6.

Thank you, Google, I think. What's next? Netscape?

Tuesday, September 02, 2008

Google Chrome

This is not the definitive post on Google's new browser, Chrome. (I kinda like that name.)

You know I'm a sucker for all things Google so I downloaded it and began playing with it.

This post just has the first couple of things that caught my eye and interest.

First, they lie to the web site. They probably have to or all the web sites would give them junk html.


They tell the web site that they are Safari on Macintosh WinXP. That's a new operating system to me. Apparently the code base is Apple's WebKit.

The rendering looks pretty much like Firefox as they both use the Gecko engine.


As you would expect from Google (particularly in a 0.2 release), this thing is pretty minimalist but it is elegant. Look at the Find bar.


And yeah, the up and down arrows are "previous" and "next." So subtle.

IE 7 and Firefox 3 have gotten this thing about combining the history in "Back" and "Forwards" buttons. Chrome leaves the history on the appropriate button but adds a new user interface of clicking and holding to display it.


Time will tell on this one.

I've really gotten where I like the color coding of the address bar for SSL and EV certificates. Chrome has half of it.


To show the EV certificate, you have to click on the lock in the address bar.

If you right click on the tab bar, one of the choices is "Task manager." I had to click that.


Interesting but I couldn't resist the "Stats for nerds."


Wow!

Remember the controversy over Firefox 3's address bar pulling up history? Google just went way beyond that. They use the address bar field for a search field also.


Go play with it. Just remember that it's a 0.2 release!

Wednesday, August 27, 2008

Windows XP SP3 Slipstream

This isn't a step-by-step "how to" but more of a "how not to."

I had heard a Windows Weekly podcast where Paul Thurrott talked about an article he had written on how to create a Windows XP installation disk with SP3 slipstreamed into it. It is nothing if not thorough.

But...

Paul wanted to make his process completely self-defining and using all free software. So he used ISO Buster and Nero 8 Trial.

ISO Buster is used to extract the file Microsoft Corporation.img from the original XP disk. As I'd already built an SP2 slipstreamed disk a couple of years ago, I already had that. Scratch off ISO Buster.

And I am a moderately big fan of Roxio so I didn't need Nero 8 Trial. Sometimes I'm too "clever" for my own good.

The end of the story is that the Microsoft Corporation.img file that I had worked fine but I had fits translating Paul's instructions for Nero 8 Trial into Roxio-speak.

I googled "make a bootable cd with roxio." On the first page was a link to "The Elder Geek's" post on how to slipstream SP1.

But at the bottom was a link to how to burn the CD using "Roxio Easy CD and DVD Creator 6."

Bingo. That worked.

Friday, August 15, 2008

DNS Security, Part 3

Is there no end to the DNS security flaw? I've written about it here and here.

We all hoped that the technique that Dan Kaminsky described would put this to rest.

Apparently we were wrong.

The Register reported that a Russian researcher had demonstrated DNS cache poisoning on a freshly patched DNS server. It did take him 10 hours with a dedicated gigabit connection to the server but he did poison it.

Even Dan had to respond.

I read that when he posted it but I kinda glazed over after a while.

Then Steve Gibson revisited the DNS vulnerability in his last podcast. (I gotta quit listening to Steve.) You can read it here.

Steve refers to the "0x20 hack." If you hadn't fallen asleep reading Dan's post, you would have seen that he did too.

I found the IETF RFC that describes this technique. Sure cure for insomnia. Suffice it to say it has to do with using mixed case in the domain name being queried.

Let me net it out for me and you both.

Prior to this summer's patches, DNS had as low as 1 in 32,769 possibilities to be compromised. After the patches, the odds were 1 in 4,294,967,296 (according to Dan).

The 0x20 hack makes this 1 in billions and billions. Yeah, there are some edge cases that Dan covers but it's way better.

And this seems relatively easy to implement. I expect it'll slip in in a future round of patches and we'll be done with this until ... DNSSEC.
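
A sketch of the 0x20 idea, as an added example that is not from the original post or from any resolver's code: the resolver randomizes the case of the letters in the name it queries and accepts only an answer that echoes that exact casing along with the right transaction ID. The function names are hypothetical, and the 2^32 baseline is the post-patch figure quoted above, which assumes a 16-bit transaction ID plus a fully random 16-bit source port.

```python
# Added example: resolver-side view of the "0x20" mixed-case check.
import secrets

TXID_BITS = 16   # DNS transaction ID
PORT_BITS = 16   # random source port after the 2008 patches (assumed full range)


def encode_0x20(qname):
    """Return qname with the case of every ASCII letter chosen at random."""
    out = []
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if secrets.randbits(1) else ch.lower())
        else:
            out.append(ch)          # digits, dots and hyphens carry no case
    return "".join(out)


def case_bits(qname):
    """Each letter contributes one bit that a forged answer must match."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def guess_space(qname, use_0x20):
    """Number of equally likely combinations a blind forged reply must hit."""
    bits = TXID_BITS + PORT_BITS
    if use_0x20:
        bits += case_bits(qname)
    return 2 ** bits


def accept_response(sent_qname, sent_txid, resp_qname, resp_txid):
    """Accept only if the ID matches and the name is echoed byte for byte.

    DNS names compare case-insensitively, so a legitimate server that copies
    the question section back unchanged passes, while a reply built without
    seeing the query has to guess the casing as well as the ID and port.
    """
    return resp_txid == sent_txid and resp_qname == sent_qname


if __name__ == "__main__":
    for name in ("www.example.com", "a.cn"):       # constructed sample names
        sent = encode_0x20(name)
        print("%-16s sent as %-16s extra bits: %2d  space: %d -> %d" % (
            name, sent, case_bits(name),
            guess_space(name, False), guess_space(name, True)))
    sent = encode_0x20("www.example.com")
    txid = secrets.randbits(TXID_BITS)
    print("exact echo accepted:", accept_response(sent, txid, sent, txid))
    print("lower-cased echo accepted:",
          accept_response(sent, txid, sent.swapcase(), txid))
```

Short names with few letters gain little: the second sample name adds only 3 bits, which is one of the edge cases for this technique.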

Stay tuned.

Saturday, August 09, 2008

DNS Security Flaw Explanation

Early last month, Dan Kaminsky announced that he had found a serious security flaw in the DNS code. My blog entry on it is here. Dan had promised that he'd explain it at Black Hat on August 6, 2008.

Here are his slides.

My take on it is that the bloggers had the vulnerability pretty much right but Dan explained how it could be so much more easily exploited.

I welcome your comments with more insight.

Wednesday, July 23, 2008

Windows Product Key Update Tool

If you've been reading this blog for long, you know what a sucker I am for ThinkPads. I buy them off lease from RetroBox. If you watch them closely (think every day), you can really find some good deals.

They come from RetroBox wiped clean; no OS. That always gets me to scrambling even though they all have a Certificate of Authenticity (COA) for Windows XP Pro on the bottom with a key. You'd need the IBM OEM XP Pro recovery CDs to use this key. Or so I thought.

Tonight I found the way to activate using this key. I have a consumer media for Windows XP Pro with a key. Use this and do a normal install even including entering this key. Don't sweat it if it has already been activated.

Then after the install is complete and before activating, go to Microsoft and download the Windows Product Key Update Tool. Run it and follow the instructions using the key on the COA on the bottom of the ThinkPad. One reboot later, you're done. It's even authenticated!

I don't see why this wouldn't work on any PC with an OEM COA. Let me know your experience.

I found this technique here on My Digital Life.

Wednesday, July 16, 2008

Allway Sync

Remember when I talked about using FolderShare to help my wife work back and forth between home and her office?

Her work system administrators have gotten increasingly thorough. In the end, they've blocked FolderShare. I completely understand why they're doing that.

But...

If I was ever going to see my wife, I had to restore her ability to work from home. I talked around at work and found robocopy and SyncToy. robocopy comes in the Windows Server 2003 Resource Kit Tools. It's a command line utility but there's a GUI to "help." While it's very capable, it's pretty awkward.

Then there's SyncToy v2.0 Beta. It's bigger than a breadbox. For example, it requires the .NET Framework v2.0.

I kept looking.

Somewhere I came across Allway Sync. It's free but limited to "synchronize no more than 20,000 files per 30-day period." I can live with that. They have a portable install made especially for installation on USB drives.

I found her a 512MB USB drive and copied her work My Documents to it. Then installed Allway Sync and created an automatic synchronization job.

On her PC at work, I created an icon on her desktop that will launch Allway Sync and run that synchronization job. And I got her a USB extension cord so she had a place to plug her USB drive in right on her desktop.

When she gets to work, she plugs in the USB drive and clicks the icon. It syncs automatically. She removes the USB drive and works normally throughout the day. When she is ready to leave, she repeats the process. Now the USB drive has a copy of her work My Documents.

At home, she plugs the USB drive into her ThinkPad and works from there. An unexpected benefit is that since she keeps the USB drive on her key chain, she can actually work on any PC by just plugging in the USB drive.

Still not as nice as FolderShare but works good enough within the restrictions of her work.

Wednesday, July 09, 2008

OpenDNS and the DNS Security Flaw

I found another reason to run OpenDNS. Brian Krebs of the Washington Post recently posted about a newly revealed security problem in the design of DNS.

Brian linked to Dan Kaminsky's blog. Dan has a gadget on his page that will check YOUR DNS server. You know me. Like the bank robber in "Dirty Harry," "I gots to know."

Here's what the test reported for OpenDNS:

Then I went to another PC that is using BellSouth's DNS servers:

You be the judge.

Saturday, June 28, 2008

Firefox 3

Here I go again.

I'm using pretty much the same Add-ons I used before:


Here're the options for QuickDrag:


And here're the options for Tab Clicking:


I changed a couple of things in about:config:
browser.tabs.autoHide - false
browser.tabs.closeButtons - 2
browser.tabs.tabMaxWidth - 100
browser.tabs.tabMinWidth - 10

The location bar has a star at the right end for Firefox bookmarks, clear if the site isn't bookmarked and gold if it is. Since I don't use Firefox bookmarks, I just wanted that real estate back. This tips list tells you how to do it.

Hide the star button if you prefer to use the Bookmarks menu or a keyboard shortcut (Ctrl + D)

* Open your userChrome.css file located in your profile folder.
* Add this line to the end of the file:
#star-button {display: none !important;}
* Restart Firefox for the change to take effect.

What they don't tell you is how to get the userChrome.css because it doesn't exist. In your C:\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\im0vt1ea.default\chrome there is a file userChrome-example.css. Copy that in place and rename it to userChrome.css. Oh, they also don't tell you that you need to edit this with WordPad. Restart Firefox and then all is fine.

Maxthon lets you search from the address bar and I'm already missing that in Firefox. I think I've found something even better though. John Bokma wrote about how to add "smart keywords" to Firefox. These work just like Maxthon's search shortcuts except you use them in Firefox's location bar. I've added the obligatory ones for Google and wikipedia.

Can't be any worse than Maxthon 2.