Copyright © 2003-2007 Alternate Worlds Publishing, Boston MA USA



Danny's Weblog

Computers/Opsystems

This folder contains articles which are computer-related but only are relevant for a single operating system, eg Windows software, or Mac display issues. There are individual folders for each operating system.
2006 Dec 25 [ Mon ]

Interesting vulnerability in Windows/Word

I noticed while reading the following Slashdot discussion: ask.slashdot.org [http://ask.slashdot.org/askslashdot/06/12/15/0144253.shtml] that the default behavior of Windows in opening files is not what it appears to be.

You would think that Windows goes by the extension, and if it doesn't recognize the extension it asks the user to select an app. But what actually happens before that is Windows somehow checks whether it's openable by Word, and if it is Windows opens it in Word.

I just tested this by renaming a .DOC file .XXX and Word opened it without a qualm.

The significance of this is that if you are a system administrator and you have been filtering MS Office files because of the danger of macro viruses etc, you actually need to filter *any* extension.

Presumably the reason for this was to support Word Perfect users who were used to naming their files with arbitrary extensions. But surely the person who did this must have realized it was horrible for security, right? It's an example of the bad things that can happen when the company that makes the OS also makes the app.
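A filter that follows the point above has to classify attachments by content rather than by name. The sketch below is an added example, not code from the original post: the function names, the blocking policy and the sample files are assumptions, and it goes beyond the .DOC case to cover RTF and the later zip-based Office formats.

```python
import io
import os
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Compound File header used by .doc/.xls/.ppt
RTF_MAGIC = b"{\\rtf"
ZIP_MAGIC = b"PK\x03\x04"
OFFICE_EXTENSIONS = {".doc", ".dot", ".xls", ".ppt", ".rtf",
                     ".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # OLE2 directory names are UTF-16LE


def sniff_office(data):
    """Classify content by signature only; the file name is never consulted."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "[Content_Types].xml" in zf.namelist():
                    return "ooxml"
        except zipfile.BadZipFile:
            return None
    return None


def has_macro_hint(data, kind):
    """Heuristic: look for the VBA project stream or part."""
    if kind == "ole2":
        return VBA_STREAM in data
    if kind == "ooxml":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    return False


def screen(filename, data):
    """Assumed policy: block anything whose content is an Office document."""
    kind = sniff_office(data)
    if kind is None:
        return ("pass", "no Office signature")
    reasons = [f"{kind} content"]
    ext = os.path.splitext(filename)[1].lower()
    if ext not in OFFICE_EXTENSIONS:
        reasons.append(f"disguised by extension {ext or '(none)'}")
    if has_macro_hint(data, kind):
        reasons.append("VBA project present")
    return ("block", "; ".join(reasons))


def make_zip(members):
    """Build an in-memory zip from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample inputs (not real documents).
SAMPLES = {
    "report.xxx": OLE2_MAGIC + b"\x00" * 504 + VBA_STREAM,
    "notes.doc": b"plain text that merely carries a .doc name\n",
    "invoice.dat": make_zip({"[Content_Types].xml": b"<Types/>",
                             "word/document.xml": b"<document/>",
                             "word/vbaProject.bin": b"\x00"}),
    "photos.zip": make_zip({"a.jpg": b"\xff\xd8\xff"}),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, screen(name, body))
```

The renamed .DOC is caught on its header bytes, while a text file that is only named .doc passes.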

2006 Mar 29 [ Wed ]

Surprising bug in MS Access

My girlfriend is doing a MS Access course, and asked me to help her to set up a form for an employees table. I looked at the printed version of the form, which showed a mugshot of the current employee, and looked at the instructions she had noted down from the teacher on how to set up that (image) object on the form.

"Hmm, don't really understand this." She said "oh, the teacher said don't worry about that bit."

Well, she wanted me to address her current problems – things like she didn't understand that the "retirement date" object on the form needed to be an unbound text object whose control source was the birth date field of the data table, rather than being a separate field in the table. And then I got sidetracked because the version of the date-calculating function that she had noted down from the class assumed that a year was exactly 365.25 days.

But I came back to that image field. There was definitely something funny about it. It turns out that this is a well-known issue: www.jamiessoftware.tk [http://www.jamiessoftware.tk/articles/handlingimages.html]

The above link is quite good but does not give you the full picture. In particular it does not apologize for the misinformation in Access's own help files. It also does not give you a full sense of how many webpages you can find relating to this which give misinformation or lack the full story.

Microsoft has several pages relating to this issue. This one is probably the most helpful: support.microsoft.com [http://support.microsoft.com/kb/q210100/#EJADAAA]

Here is my summation of what I discovered:

1. Access allows you to put image files into the database as an OLE object, but it seems to actually store them as uncompressed .BMPs. When I started experimenting with this I was using fullsize 2 MP .jpgs. I have since stopped using the OLE object technique, but my tiny database file – with only six records – is still over 20 MB. I suppose I need to compact it somehow, but I haven't checked that out yet. So as the first link suggests, it's really impractical. (Incidentally, it occurs to me that even a few *static* images could really bloat up a database.)

2. Even when I used the OLE object technique, I *still* wasn't able to display images on the form (except static images of course). I don't know why. Some references on the web say that you need to install Microsoft Picture Editor to make sure Access can find an OLE server for your graphics file, but my system already has umpteen apps registered to handle .jpgs. I tried changing the registered app to various things including IE, and it still wouldn't work.

3. Anyway, I wanted to specify the image file by storing the path and filename in a text field. It turns out that you need to put code in both the form itself and a module in the database. (As described in the Microsoft link above.) This was not hard to do by cutting-and-pasting, but the fieldnames and tablenames are hard-coded for the example, so you would need to duplicate it for every image field in your database. (I think – actually, I really don't understand what the code is doing.)

4. Even then, it only worked if your filespec included the *full* path to the file – eg something like "L:\data\msaccess\imgtest\pics\danny-small.jpg" This contradicted the help file, which specifically suggested that a path relative to the location of the database file would work. Eg, if the database file was "L:\data\msaccess\imgtest\test01.mdb" then your filespec could be "pics\danny-small.jpg". I thought this really sucked – it would make it very hard to move the database file around. Eventually, I realized that the following *does* work: "imgtest\pics\danny-small.jpg"

5. I almost forgot the first way I made it work. The MS documentation refers to "data access pages" and for a long time I assumed this was some sort of generic term for "forms". However, in microsoftspeak it refers to a specific kind of database object which you can create. It is like a form, but can be accessed by Internet Explorer. I don't know exactly how it's supposed to work if you have multiple clients; presumably the form actually tells IE to use the client's locally installed copy of Access to access (aargh) the Access file on a simple fileserver. Anyhow, it works for displaying images, with no need to add code.

6. I don't remember the details, but Access did not seem to automatically resize an image to fit the control size you set on the form. I think maybe the docs are wrong. I needed to resample all of my images to make sure they fit in the pixel area allocated on the form.

7. The "Northwind" sample database somehow manages to make images work without using the sample code. On the other hand, they are very low-resolution images. Additionally, they are only used to illustrate product *categories*, which if you think about it is pointless – the database does *not* have images of the products themselves, probably because then it would need to be about 500 MB.

All in all, I thought this behavior was incredibly buggy and kludgy. I would have thought that handling images was not rocket science.

Also, it makes me wonder whether *all* the documentation produced for software is produced based on its *specs* and never tested against actual behavior.

Also, I would like to point out that Microsoft appears to have a policy of taking over a common term whether it has a generic or specific meaning and redefining it. For instance, "Word". More interestingly "domain", which has quite different senses on the Internet and in connection with Microsoft server setup, even though (obviously) you are usually discussing situations where either sense might be intended.

Likewise, here, "data access pages". It makes me feel less irritated about Unix naming conventions. When you encounter a name like "snort" you don't know what it means, but you *do* know it's a name and you need to look it up.

Finally, I suspect that my girlfriend's teacher never got images to work on his form at all.

2006 Mar 02 [ Thu ]

Fun reinstalling Windows 2000

I ran out of space on my hard drive and figured I should reinstall Windows – maybe that would fix the problem with the scanner.

I ran into several problems though.

One big one appears to be overheating. (I say "appears to be" because the error pattern in the LEDs on this machine never matches the manual.) Presumably during the install the setup software doesn't handle the powersaving stuff, runs the CPU at max, and causes overheating within a few minutes. Still, I've managed to do it before... but now I come to think of it, that was probably in an airconditioned room.

Still, the *irritating* thing was being unable to copy the files from the setup folder on the CD, boot and then just run everything from hd. I was stymied in several ways:

1. I had put the setup files on the NTFS partition. But my "Ultimate Boot CD" needs to load a memory manager to load NTFS support... and it crashed on my laptop hardware.

2. I tried copying the files to a DOS partition. This would have worked, if Windows 2000 Setup could run under DOS. D'oh!

3. I tried running Bart PE, which could see and write to the NTFS partition just fine... but Windows 2000 Setup refused to run an install on a machine running a later version of Windows. D'oh! (If I remember rightly Bart PE has to be used with XP – you can't make it boot W2K.)

Oh well. Back to the Windows CD and SP4... overheats again... aargh...

2005 Nov 04 [ Fri ]

Installing a second copy of Windows 2000 W2K

I recently bought a scanner. I made the salesman connect it up, install the software and run it first, but when I got it home it wouldn't work with my laptop.

I tried downloading a newer version of the driver (amazingly hard to find, btw) but that didn't help. I thought I might have to install XP, but when I happened to try another drive – which also had W2K SP4 – it installed and ran OK. Still, I didn't want to have to swap drives every time I needed the scanner.

After stewing over this, I realized I had been meaning to try installing multiple copies of Windows for a long time, and this was an excuse.

It turns out to be easy, if you have a spare partition. I had a Linux install that had developed bitrot, so I sacrificed that. It had installed some sort of boot loader, which interestingly the second install of Windows did not replace.

All you have to do is run the regular Windows install; I copied the Windows disk, and SP4, to the hard drive first, and started the install from there under the original copy of Windows. The only issue is that the prompt to allow you to create a second copy is rather hard to see – I don't know what happens if you miss it; it probably gaily trashes your original install without asking.

When I had finished the install, rebooting brings up a menu with two options – both named exactly the same! If I were doing it again I would rename the original operating system first. You can do this by manually editing the c:\boot.ini file (you have to change the permissions first; before doing *that*, note down what they are so you can put them back the same way later).

I then installed the "recovery console", which puts a second, limited bootable OS for emergency repair in the original volume.

I wanted to eliminate the now pointless Linux bootloader. When I checked the web, many references suggested using "fdisk /mbr" under DOS, but it turns out this will trash the "volume bytes", a new field in the MBR. Instead, you have to boot to the recovery console and run the "fixmbr" command. (There is also a "fixboot" command, which I did not run: I do not understand the difference.)

For real emergencies, these things have their limitations. For instance, the boot code (which loads ntldr) evidently checks the boot.ini before actually booting. That means that if some major problem has trashed the original boot volume, the boot process can never reach the functional second volume. On the other hand, if you use a Knoppix boot CD for recovery, it does mean you have a pristine copy of Windows' own driver code which can be used by Knoppix to read and write to the NTFS partition using "captive-ntfs".

I am not clear what the security issues are here. MS info makes some remark about needing to know the *original* administrator password, ie the one entered at install time, not the current one if different. This seems to mean that MS is trying to defend the data in the original partition. It certainly suggests you should make a double special note of that password. I can't remember if I actually had to *enter* that password though.

It recently occurred to me that having multiple copies of Windows probably makes it a lot easier to set up your machine for family members, while keeping the user interface for them pristine. I've found that when I install software in my own account, it typically puts a bunch of icons and Start menu items in all the other accounts, even though I don't want other family members to even know about these new apps. This can't happen if their accounts are in a completely separate copy of Windows. (On the other hand, make sure they can't read files in the other copy of Windows!)

Here's some more reasons for doing this, from Slashdot: yro.slashdot.org [http://yro.slashdot.org/comments.pl?sid=167226&cid=13945728]

Incidentally, I've found that accessing certain files, or even seeing that they're there, sometimes needs you to use the "System" account – you can't access them as Administrator, although you *can* make yourself effectively the System user.

Anyhow, my scanner now works.

If anyone's thinking of trying this, they should Google some of the terms I used above. Also, note that there are many extra considerations if you are also trying to boot W98, Linux etc.

Many major computer manufacturers do not provide a kosher copy of Windows, but only a "restore" disk which can only be used to completely reformat and rewrite the disk to original factory condition. Apparently this kind of disk may check first to see if the MBR has been rewritten, and refuse to continue! Here's how one guy got around the problem on his Dell: forum.us.dell.com [http://forum.us.dell.com/supportforums/board/message?board.id=si_sysperf&message.id=16811]

2005 Oct 25 [ Tue ]

Sysinternals Windows test utilities have new features; also reskit info

A few years ago, when malware and trojans for IE had just come out, I was using the free (as in beer) utilities from Sysinternals quite frequently to track down and repair infestations.

Then special-purpose malware detectors started to show up, and I got lazy and stopped using the general-purpose utilities like Sysinternals.

They do lots of fundamental things, like showing you how many pieces of code get loaded at startup – actually, it shows a lot more than Spybot does. But also things like which process or user is holding a file open (damn, Microsoft should do that).

Most of their utilities are available in free and for-money versions. The for-money versions tend to do things like work across networks. (To use most of them at all, you need to have administrator privileges.)

One reason I stopped bothering to include them on utility disks was that you needed to download different versions for different Windows versions. I was just too lazy to slog through the download for all the versions just because I *might* need them, but on the other hand I figured the one time I'd need them on a foreign machine it'd be running the version I hadn't downloaded for.

I just went to download them again and Sysinternals has set up their utilities differently. Now they all contain all the code needed for *all* the versions of Windows (if it can work at all), and the utility has a loader which uncompresses what's needed to the disk on the fly.

The downside of this is they refuse to run from CD. (Hm; I wonder if they leave the uncompressed versions on disk so you could copy those too; hmm.)

Anyway, if you're a sysadmin you should go get them.

I would tell you the price to buy the full versions, but I couldn't even find out the price of the heavily-featured "Administrator's Pak". But to give you some idea, they're currently offering a free iPod nano. http://www.sysinternals.com

Be aware that you need to enter a lengthy code every time you need to boot with the Emergency Recovery Disk. (Also, I have a feeling you may need to know the original administrator password of the system you're trying to probe.)

Incidentally, if you're interested in the utilities, you should take the time to read "Mark's blog" too. He does the utilities. He also wrote the book "Windows Internals". www.sysinternals.com [http://www.sysinternals.com/Blog/]

You should also have Microsoft's Resource Kit utilities. For some reason the XP resource kit is a free download; however *some* of the W2k resource kit utils (which *I* need) can be downloaded: www.microsoft.com [http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en]

This is a 12 MB download that runs on XP and Server 2003. This page also leads to the Administration Tools Pack, which seems to be something different but is about the same size. (As you can tell I haven't downloaded either as I don't run XP... but I probably should... download them I mean.) The following site says the "Adminpak" is "on the installation CD-ROM and on any Windows 2000 Server that was already installed, in the %systemroot%\system32 folder": www.petri.co.il [http://www.petri.co.il/download_w2k_adminpak.htm]

Good intro to the Resource Kit utils, and some others: www.petri.co.il [http://www.petri.co.il/download_free_reskit_tools.htm]

From there I found this link to a Microsoft ftp site which has all the W2000 utils (presumably) that are available for free download, probably easier than trying to point-and-click on the webpage version: ftp://ftp.microsoft.com/reskit/win2000/

Incidentally, one of them is the "now" utility which just prints the current date and time. This would almost be useful except this is an example of the format:

Tue Oct 25 21:17:15 2005

How could you make it more difficult to use??

The following site appears to allow you to download *any* of the W2k resource kit tools, but I'm a little wary – why hasn't MS gone after them? www.dynawell.com [http://www.dynawell.com/support/ResKit/win2k.asp]

2005 Mar 14 [ Mon ]

Creating a CD from which you can install Cygwin

Cygwin is an ingenious free software package which provides you with a Unix-style prompt running under Windows. I have commented on it before: www.panix.com [http://www.panix.com/~dannyw/weblog/Computers/Opsystems/Windows/cygwin01.html]

I downloaded and installed it a couple of years ago, but I never got rsync for it, which is what I mainly want Cygwin for now, as in the following Slashdot posting: ask.slashdot.org [http://ask.slashdot.org/comments.pl?sid=142044&cid=11911068] and I'm concerned that if I try to get rsync for it now it won't be compatible with my ancient Cygwin.

Irritatingly, the default install procedure is to download a small setup.exe file, then run it: this installs the packages which you select (out of umpteen) on *your* system, but there is no obvious way to transfer that installation to another system.

It turns out that what you are supposed to do is set up a "mirror". This procedure is well explained here: www.iocc.com [http://www.iocc.com/~joshua/cygwin/] except that it is unclear to me whether some of the code really works under Cygwin or whether you are expected to have a Linux client handy. This issue is probably irrelevant to most of the propellerheads who install Cygwin, but I want to get an internet cafe proprietor to download it *for* me. Incidentally, I recently bought a CD of open-source Windows software which promised "Cygwin" on the list of contents, and discovered that what it had was only the small setup.exe file – you still needed to download everything else yourself! Aargh.

Actually, what I will probably wind up doing is lugging my laptop in to the internet cafe. Groan.

Cygwin's own overview of the install process: www.cygwin.com [http://www.cygwin.com/cygwin-ug-net/setup-net.html] I suppose I need the "download from internet" option. I was trying to find whether they have different versions for XP and 2000, but failed.

2005 Feb 19 [ Sat ]

Yet another Slashdot Spyware discussion

it.slashdot.org [http://it.slashdot.org/article.pl?sid=05/02/18/1920244]

Microsoft has announced the possibility of impossible-to-fix rootkits which actively defend themselves against security software.

Someone mentioned BartPE: www.nu2.nu [http://www.nu2.nu/pebuilder/] which I really should check out (downloads are tough in PP).

Another couple of posters like VMWare, although I do not see why the base OS is really invulnerable to infection (although maybe VMWare allows you to use Linux as the base OS.)

One problem about recovering from rootkits which I did not see referred to in the discussion above is that any reinstallation is going to presumably be just as vulnerable *again*. Really (unless you are getting paid to do this as a service!) you need to diagnose *why* the original system was vulnerable, and fix that immediately after you restore it (and make a new secure image).

2005 Feb 06 [ Sun ]

Info on security patches for Windows

I have never run the automatic update feature on any machine I have administered. As well as the danger that an official patch will just break the machine, it bothers me that you are thereby giving MS total rights to dial into your machine at any time and do anything they like. I have every reason to believe that any assurances they make are worthless.

The following page is an interesting read and gives a lot of background info on the update process in general, plus info on slipstreaming updates onto your own hacked-up Windows install CD (so that if you're responsible for multiple workstations you can reload one in a single pass instead of multiple reboots and tedious downloads). www.vorck.com [http://www.vorck.com/wu.html]

2005 Jan 27 [ Thu ]

Become a "Microsoft Partner" and get many cheap licences

In part of a discussion on Slashdot about MS plans to stop providing security updates to people with pirated software, someone described the Microsoft Partner program:

Re:For those who have RTFA issues... (Score:5, Informative) by jht (5006) on Wednesday January 26, @10:56AM (#11480619) (jturiel.blogspot.com [http://jturiel.blogspot.com/] | Last Journal: Thursday September 18, @11:01PM) it.slashdot.org [http://it.slashdot.org/comments.pl?sid=137347&cid=11480619]

Let me give full props to the "get the Action Pack" idea. I'm a legit user of it (I run a small consulting/training company), but even if you freelance there's no real reason you can't use it.

Here's the requirements for subscribing to the Action Pack, and what you get for your money:

Requirement - register as Microsoft Partner. Basic membership is free, and qualifies you for both the Action Pack and for discounts on add-on services (like MSDN).

In the box you get:

XP (all versions including Media Edition) - 10 licenses

2003 Server, 2003 Server Web Edition, 2003 Server SBE - 1 each

Office Pro - 10 licenses

Virtual PC (Windows) - 10 licenses

Exchange Server - 1 license

Plus you get Visio, Project, System Builder Edition discs and licenses, service packs on CD plus slipstreamed install discs, selling materials, and all sorts of other server/client software.

The cost of the Action Pack is $299 per year - but I just got offered a renewal for $199 (which I immediately took). It was a no-brainer. They send you quarterly updates and occasional goodies as well.

The link to the Partner Program is https://partner.microsoft.com/partner [microsoft.com] - from there you can register and order it if you wanted to. For all the (usually justified) bashing Microsoft gets here, they do make it very easy and inexpensive for IT people to get into their product line. And that's part of the reason they still dominate the universe

I've been wondering whether *any* of the schools in Phnom Penh teaching Windows software have legitimate licences. This program sounds like it would be quite useful for a small school – I'm guessing that there are licence restrictions that make it (theoretically) not usable for a company which does not resell MS products and services (but too lazy to follow the link right now).

I guess MS may have special deals for schools too.

Of course, it would be even better if MS did not deliberately decide to provide insecure services in Windows.

2005 Jan 22 [ Sat ]

Fixing spyware infestations using standard Windows tools

Although I like the confident way the antivirus/trojan programs assure you they have removed an infestation which they recognize, it's nice to have a procedure for using standard Windows tools. I wonder if the following is sufficient?

Re:Makes no sense (Score:4, Informative) by einhverfr (238914) on Friday January 21, @11:21PM (#11438898) it.slashdot.org [http://it.slashdot.org/comments.pl?sid=136894&cid=11438898] (www.metatrontech.com [http://www.metatrontech.com/] | Last Journal: Wednesday July 28, @04:41PM)

First, I have never found any spyware problem that I could not resolve in approx 2 hrs or so. It is relatively simple. If Adaware and/or Spybot fail to detect and remove the infection, you have a few options. I do as follows:

2) Delete all browser helper objects. I usually leave Java installed unless it too seems infected (can happen).

3) Run msconfig. Select diagnostic boot. Then reboot into normal mode.

4) Now comes the fun. Open MSConfig and look at the registry entries and startup items. I use Google to identify what they do and note any suspicious items.

5) Just for protection, I create a restore point so I don't remove something I shouldn't and get into trouble. Then I use msconfig to select normal startup. When it asks if I want to reboot, I say "reboot later"

6) I go through the run keys (under HKCU and HKLM). I delete suspicious values. Same with the startup folder. I also review the drivers for anything strange and backup/delete as needed (I have seen drivers which I believed were involved in spyware).

7) Suggest to my customer (if it seems like a good idea) that we discuss migrating to Linux if they have continuing issues.

Reboot to test. Make note of anything that comes back. Reboot in safe mode if necessary to remove those values.

Granted this doesn't remove all the spyware programs, but it does disable their startup. By troubleshooting a problem for days and not being able to solve it, the author of the article has demonstrated that he doesn't really understand the Windows boot process or how to really troubleshoot it. Yes, I only run Linux, but I can troubleshoot Windows with the best.

On the other hand, I wonder whether the poster has had to deal with the really *nasty* ones like coolsearch. It's occurred to me, for instance, that a nasty trojan could look for a legitimate entry in the startup list, and install a stub with the same path that runs its nasty code and then the original code. Looking at the filenames in the list you have no way to recognize that the same pathname you've been used to seeing since you installed the system is now evil.

Maybe I'm just feeling doomy because my machine was hit by a virus yesterday. Fortunately Spybot detected its attempt to set a startup registry key, and all it appeared to do was load a copy of itself into c:\winnt. I ran Grisoft AV which detected it and said it removed it, so presumably it's OK. (Worryingly, although I naturally told Spybot not to allow the registry change, there *was* a registry entry, which I had to remove manually. Hmmm. I wish there were some sample "benign" viruses/trojans available that you could use to verify the operation of your security sw.)

The virus came in via my usb key, which I used to transfer files from a couple of service shops yesterday. (I need to let them know that at least one of them is infected.) Embarrassingly, it seems to have been able to execute by the simple ruse of having the icon of a folder. When I saw a folder whose name I didn't recognize on the usb key, my natural reaction was "wtf? what's in there?" and then I *double-clicked on it*. Even though it had a .exe extension – I was vaguely thinking "well it's gotta be a folder anyway..." Groan.
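The stub-at-the-same-path worry raised above is why reviewing startup names by eye is not enough: a baseline of content hashes for each autorun target shows when a familiar path now holds different code. This is an added example, not part of the original post or the quoted Slashdot procedure; the function names and the demo entries are assumptions, and on a real machine the entries would be read from the HKCU and HKLM Run keys.

```python
import hashlib
import os
import tempfile


def target_of(command):
    """Extract the executable path from a Run-key command line.

    Handles the quoted form ("C:\\dir with spaces\\app.exe" /arg) and the
    simple unquoted form (C:\\dir\\app.exe /arg). Unquoted paths that
    contain spaces are ambiguous and are not resolved here.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(None, 1)[0] if command else ""


def sha256_of(path):
    """Hash a file in chunks; None means the target is missing or unreadable."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as handle:
            for chunk in iter(lambda: handle.read(65536), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()


def snapshot(entries):
    """entries maps Run value name -> command line; returns name -> (path, hash)."""
    snap = {}
    for name, command in entries.items():
        path = target_of(command)
        snap[name] = (path, sha256_of(path))
    return snap


def compare(baseline, current):
    """Report what changed between two snapshots, sorted by entry name."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            findings.append((name, "new entry"))
        elif new is None:
            findings.append((name, "entry removed"))
        elif old[0].lower() != new[0].lower():
            findings.append((name, "path changed"))
        elif old[1] != new[1]:
            findings.append((name, "same path, different content"))
    return findings


def demo():
    """Constructed scenario: one target is overwritten in place, one entry is added."""
    with tempfile.TemporaryDirectory() as root:
        updater = os.path.join(root, "updater.exe")
        tray = os.path.join(root, "tray.exe")
        for path, body in ((updater, b"original updater"), (tray, b"original tray")):
            with open(path, "wb") as handle:
                handle.write(body)
        entries = {"Updater": f'"{updater}" /background', "Tray": f'"{tray}"'}
        baseline = snapshot(entries)

        # Same name, same path, different bytes: invisible in a list of paths.
        with open(updater, "wb") as handle:
            handle.write(b"different bytes under the familiar name")
        entries["Helper"] = '"' + os.path.join(root, "helper.exe") + '"'
        return compare(baseline, snapshot(entries))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The baseline has to be taken while the machine is known to be clean and stored somewhere the machine itself cannot rewrite.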

2005 Jan 05 [ Wed ]

Setting up a Windows system to run IE as a restricted user

Microsoft Windows has many features for locking down user rights, and supposedly some of these features can be helpful for preventing browser hijackers from installing software in your computer.

The following Slashdot posting looks useful:

Re:Ironic methinks. (Score:4, Insightful) by dioscaido (541037) on Monday January 03, @09:38PM (#11250769) it.slashdot.org [http://it.slashdot.org/comments.pl?sid=134808&cid=11250769]

Have you been missing the stream of patches coming from MS? How are they not dealing with the primary issues?

Even so, please tell me which pieces of spyware exploit legitimate security holes? The "security hole" they exploit is that users run as admin. Hardly a bug in the OS, just a horrifically misguided ease of use 'feature' in the installer. Easily fixed. I've never gotten infected with spyware while running as a Limited user, and neither has my Mom, who has a penchant for running little apps she finds on the web. In the cases where they are malicious, she just gets a protection fault and knows to happily move along to the next little animation.

www.techproblemsolver.com [http://www.techproblemsolver.com/limited.html] www.dotnetdevs.com [http://www.dotnetdevs.com/articles/RunningAsNonAdmin.aspx] blogs.msdn.com [http://blogs.msdn.com/aaron_margosis/] www.pluralsight.com [http://www.pluralsight.com/keith/book/html/howto_runasnonadmin.html] support.microsoft.com [http://support.microsoft.com/default.aspx?scid=kb;en-us;305780]

For the handful that did take advantage of some buffer overflow, please point out those vulnerabilities that remain unpatched through Windows Update.

The tone of it sounds like a Microsoft employee astroturfing, but I suppose I should still be aware of all this stuff. I imagine a lot of companies would rather pay people to do this than install thin clients running X Windows connected to Linux desktops...

The "primary issue" which the poster scornfully refers to is actually – as the other posts in the thread to which his posting belongs made clear – Microsoft's design decisions to make it easy to install software with full privileges to do anything on the machine – ie, Active X – as opposed to Sun/Java's "sandbox" approach in which many potentially hazardous operations are forbidden. Although Java has had plenty of weaknesses, they were not *designed in*!

It's difficult to make IE more secure without disabling WINDOWS Update (hmm... maybe they hired a trojan developer):

SP2 still enables AX by default (Score:5, Interesting) by steve_l (109732) on Tuesday January 04, @05:51AM (#11252345) (iseran.com [http://iseran.com/Steve/]) it.slashdot.org [http://it.slashdot.org/comments.pl?sid=134808&cid=11252345]

on a clean SP2 build (that is the MSDN WinXP+SP2 all in one install), Prompted ActiveX download is still enabled for the internet zone.

If you turn that off, windows update stops working, as http[s]:*.microsoft.com is in that zone.

I don't call that locking down the browser. To secure IE (even if you only use it for windows update)

1. disable AX download in internet zone

2. edit trusted zone site security to medium. Like you ever need a 'run anything, unprompted' zone.

3. add https:*.microsoft.com and http:*.microsoft.com to the trust zone

4. uncheck the 'require https in trusted zone' switch

the aim is to redefine "trusted" from "total access" to "prompted download active X controls", which is a serious enough undertaking that I don't want to enable it broadly. Only MS sites and spyware vendors seem to use it, after all.

2004 Oct 10 [ Sun ]

Free software for making MSI installer files

An .msi file includes an application and a great deal of info about how to install it. The (MS) software which then carries out the install thus knows how to do all kinds of clever stuff related to the install. The system can also be used for non-executable installs so that for instance a new copy of the employee handbook can be rolled out to umpteen users more efficiently.

Here's a link to a freely-downloadable .msi utility package: www.labyrinth.net.au [http://www.labyrinth.net.au/~dbareis/makemsi.htm]

He also has the "msidiff" tool which apparently can be used to view the contents of an .msi file. Hmmm. I think I'll try that: sometimes I've been stymied by an .msi file that produces some kind of stupid error message like "drive PRN: does not exist".

Does Microsoft lie under oath?

The online columnist I. Cringely has a nice story on a current legal case between Microsoft and a tiny company called Burst.com. Burst.com, as part of the "discovery" stage of the lawsuit, requested all relevant emails. They are now alleging not only that Microsoft failed to provide all relevant emails, but that Microsoft has a consistent policy of lying in their responses to discovery, by simply stating that the principals in the case at Microsoft were not the actual principals, but rather some nebulous lawyer.

Cringely includes links to the documents involved, which I did not follow because I am old and tired. Anyway, it had occurred to me before that there had to be *something* strange about the email discovery process, because it doesn't usually uncover documents that are more than embarrassing. The fact that Microsoft's trick is as simple and blatant as to lie about which employees were involved makes me wonder whether lawyers are really all that smart.

www.pbs.org [http://www.pbs.org/cringely/pulpit/pulpit20041007.html]

2004 Sep 09 [ Thu ]

The rationale for Windows NTFS "alternate data streams"

I've posted about these before: www.panix.com [http://www.panix.com/~dannyw/weblog/Computers/Opsystems/Windows/nfsaltdata01.html] www.panix.com [http://www.panix.com/~dannyw/weblog/Computers/Opsystems/Windows/nfsaltdata02.html]

Today I saw a posting in a Slashdot discussion about the old Cairo project at Microsoft, which suggested that the ADS feature was intended to be part of a set of new file-system features:

Document-centered work was the proposed user paradigm, where structured documents contained nested opaque data from many different applications, and so applications wouldn't need or want to know the difference between a top-level document or a sub-part of a document.

slashdot.org [http://slashdot.org/comments.pl?sid=121101&cid=10197767]

Of course, I'm much too paranoid to believe that's the *only* reason.

2004 Aug 24 [ Tue ]

More on Windows NT "Alternate Data Streams"

I've mentioned these before: www.panix.com [http://www.panix.com/~dannyw/weblog/Computers/Opsystems/Windows/nfsaltdata01.html]

Basically, the NTFS allows you to associate, in effect, invisible files with a normal visible file. I just ran across this page with an interesting explanation: www.alcpress.com [http://www.alcpress.com/articles/ads.html]

(Note that the filename has "ads" in it; I wonder how many ad filters silently discard it?)

It suggests that MS IIS is vulnerable to a hack; you can view the contents of any ASP file (not its output) by using a URL like this: www.microsoft.com [http://www.microsoft.com/default.asp::$DATA]

...Hmmm; it produces "The system cannot find the file specified."

I tried – somewhat at random – another .asp site, which just resulted in the normal page. I figure this bug has now been fixed. Or else these webservers are keeping their files on a non-NTFS filesystem (quite likely).
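A log check for the request form described above, added here as an example and not taken from the linked article or from this weblog: it decodes each request path (including double percent-encoding) and reports any path segment that uses NTFS stream syntax. The log layout, the function names and the sample lines are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample records in an assumed, simplified layout:
# date time client-ip method uri-stem status
SAMPLE_LOG = """\
2004-08-24 10:01:02 192.0.2.10 GET /default.asp 200
2004-08-24 10:01:09 192.0.2.10 GET /default.asp::$DATA 404
2004-08-24 10:02:41 198.51.100.7 GET /login.asp%3A%3A%24DATA 404
2004-08-24 10:03:15 198.51.100.7 GET /reports/q3.asp%253a%253a$data 404
2004-08-24 10:04:00 203.0.113.5 GET /images/logo.gif 200
2004-08-24 10:05:30 203.0.113.5 GET /notes.txt:hidden 404
"""


def fully_decode(path, max_rounds=5):
    """Percent-decode repeatedly so %3A and %253A both end up as ':'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_segment(segment):
    """Return None for an ordinary name, else the kind of stream reference.

    NTFS stream syntax is name:stream:$TYPE. An empty stream name with type
    $DATA is the file's own contents, which is the form in the URL above.
    """
    parts = segment.split(":")
    if len(parts) == 1:
        return None
    stream = parts[1]
    stream_type = parts[2] if len(parts) > 2 else "$DATA"  # type is optional
    if stream == "" and stream_type.upper() == "$DATA":
        return "default-data-stream"
    return "named-or-other-stream"


def find_stream_requests(log_text):
    """Return (client_ip, decoded_path, kind) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # not a record in the assumed layout
        client, uri = fields[2], fields[4]
        # Treat backslashes as path separators before splitting into segments.
        path = fully_decode(uri).replace("\\", "/")
        for segment in path.split("/"):
            kind = classify_segment(segment)
            if kind:
                findings.append((client, path, kind))
                break  # one finding per request is enough
    return findings


if __name__ == "__main__":
    for client, path, kind in find_stream_requests(SAMPLE_LOG):
        print(f"{client}  {kind:22}  {path}")
```

A colon has no ordinary use inside a URL path segment on a Windows web server, so rejecting such requests outright is a reasonable policy as well as a detection rule.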

2004 Aug 19 [ Thu ]

Windows 2000/XP "Private Character Editor" PCE

I ran into this inside the Windows 2000 Help file. Basically, you start it with Start – Run – "eudcedit"

It's a utility provided with all installs of 2000/XP which allows you to create your own characters. Unfortunately it does not seem to allow you to copy that character into an arbitrary font: only into a special font called "Arial Private Characters". But that might still be quite handy. And at least you can copy in any character from any font to use as a reference.

I don't really understand how to *type* using the special font, because all the new characters seem to start at "U+E000". I would have to look at the Unicode docs again (aaargh). Instead, you have to use the "Character Map" utility to select each character.

More info: www.klippert.com [http://www.klippert.com/TCC/Blog/RULand/2004/02/19.html]

Tiny mention of PCE along with several other interesting utils: www.netdesk.com [http://www.netdesk.com/CourseInfo/Articles/ITProfessionals/XPTips2.htm]

2004 Aug 17 [ Tue ]

"Slipstreaming" (again) -- integrating service packs into a Windows install

I've written about this before: www.panix.com [http://www.panix.com/~dannyw/weblog/Computers/Opsystems/Windows/slipstream01.html]

Here's a Slashdot discussion where someone suggests that slipstreaming still works for XP SP2: ask.slashdot.org [http://ask.slashdot.org/article.pl?sid=04/08/12/1932246]

Cygwin -- free software package to provide Unix utilities under Windows

Sometimes people need to use a Windows machine – for instance, to develop Windows software – but they miss the Unix utilities they're used to like rsync.

I think I've mentioned Cygwin before, but I didn't provide a link: www.cygwin.com [http://www.cygwin.com/]

I'm referring to Cygwin now because I just read a thread on Slashdot: ask.slashdot.org [http://ask.slashdot.org/article.pl?sid=04/08/12/1932246] which is OK as an overview of uses and drawbacks. As you might expect, scripts which spawn processes – which is quite efficient in Linux – work very slowly in Windows.

A great advantage is that Cygwin comes with XWindows. For Windows people who don't know, XWindows is the Unix graphical interface standard. You can easily use it to display programs that need a graphical interface on your *local* box, even though the programs themselves are running on a box *without XWindows* – eg, a production server which has been stripped down to run only essential processes. And XWindows is quite efficient – years ago I remember using it to run Netscape on a remote server and display on my local box, via a 33.6 modem link, and it was about as fast reading websites as doing it locally!

I installed Cygwin a while back and I can't remember what the issues were but I can concur with the Slashdot poster who found it squirrelly. Also, when I finally got to a command prompt I couldn't figure out what my current directory was under Windows – Cygwin presents its own version of the file structure. Eventually I realized I could just save a file with a certain name and then search for that file from Windows. I might have figured that out earlier if I hadn't assumed the location would be somewhere obvious.

Incidentally, I wouldn't necessarily recommend Cygwin if you're starting from scratch and you just want to write some utilities. It's simpler to install ActiveState Perl for Windows. Cygwin is for when you really want Unix utilities like rsync and expect. Btw, you can compile new code under Cygwin, too.

2004 Aug 16 [ Mon ]

Windows "access control lists" compared with Unix permissions

I've always felt, as a Unix supporter, that the Unix permissions system – mostly read write and execute for user group and world – was pretty wimpy compared with the ACL system in Windows. In Windows, you have far more options. You can define many different access rights for *multiple* users and groups. In particular, it's quite easy to set up a directory so that people can *cooperate* on files, which is clumsy in Unix (although a user, if he belongs to certain groups, can switch groups, at any one time he only is handled as belonging to a certain group; likewise a file or directory only has one group).

It has recently occurred to me however that even in Windows, when people *really* need to cooperate on files they use either a sort of manual "librarian" system – where anyone who wants to make changes sends them to a "keeper of the flame" for that file – or a full version control system (usually only done in military, engineering or programming environments).

The reasons are:

1. Windows system administrators are too lazy to set ACL systems up properly in the beginning, and once the office has set up its own procedures (usually involving umpteen copies of huge files floating around in email) they don't want to learn a new procedure (it's tough enough just getting them to save documents on the network at all)

2. If files are important enough to cooperate on they need to be administered with some sort of security, rollback and logging features which are not provided by the basic ACL system

3. Microsoft Word contains a rather wimpy but usable change tracking system which makes it easy for "librarians" to identify proposed changes

I have actually never seen a workplace in which ACLs were really set up (of course I played with the feature myself, but you need to get the users to play along, which never happened). I never played with VMS on a real multiuser system, but I'll bet something like ACLs was routinely implemented on VMS systems, though.

2004 Aug 11 [ Wed ]

Interesting audio software utilities

As usual, the Bangkok Post's Database section today had some interesting links. One of them was for a small, free download of an audio editing program with interesting features, eg play at same speed with different pitch, or play at different pitch with same speed:

www.nch.com.au [http://www.nch.com.au/wavepad/index.html]

As well as Wavepad, the same site has many other interesting audio utilities, including one for conference applications which continuously records the output from multiple mic channels and sends it across the network. Another app handles producing music-on-hold, mixing in various short messages, just like big companies do. Full list:

www.nch.com.au [http://www.nch.com.au/action/index.html]

I haven't tried Wavepad yet. I'm mainly interested in using it in internet cafes which have no sound editor at all.

Incidentally, I really like this guy's site layout. As far as I can judge from the html, it's all manual, but he has a .css file that really works well. The only fiddly thing it does is automagically feed in a background graphic to his lists, and the graphic is tastefully minimal. I have to say it looks a lot cleaner than mine, both in terms of the output webpage and in the source; but Blosxom installs without using any .css and as a result my output pages are full of repeated, messy parameters in the html, which I have not bothered to eliminate now that I am (basically) using css.

2004 Aug 08 [ Sun ]

Good discussion of Windows spyware and its removal on Slashdot

yro.slashdot.org [http://yro.slashdot.org/yro/04/08/07/132248.shtml]

The discussion was prompted by a very good article in which someone set up a PC without protection against spyware and logged, and analyzed, the intrusion techniques used by various websites:

isc.sans.org [http://isc.sans.org/diary.php?date=2004-07-23&isc=00ee9070d060393ec1a20ebfef2b48b7]

It's chilling.

It's just amazing that the government allows malware websites to get away with this sort of thing, or it would be amazing if you thought the government is on your side.

It's like the situation with spam:

I-CAN-SPAM Act Flawed By Design (Score:5, Insightful) by Ken McE (599217) on Saturday August 07, @02:41PM (#9909459) yro.slashdot.org [http://yro.slashdot.org/comments.pl?sid=117150&cid=9909459]

If you take a look at the actual bill ~ thomas.loc.gov [http://thomas.loc.gov/cgi-bin/query/z?c108:S.877:]

and spend some time to boil off all the legalese, you will see that the bill is not intended to prevent spamming. That was used as a sales point, but is not supported anywhere in the text. The bill is written obscurely enough that ordinary people cannot read or understand it. I assume that is by design.

Some of the main things it does do:

It destroys all existing state and local level anti-spam laws. Some of them were actually becoming effective, so they had to go.

It removes any legal right of action from 99.99% of the population. The only entities who can bring action under it are ISPs and a few governmental agencies.

If these ISPs/Agencies want to bring suit they must do so in a federal court, not state, local, or small claims. If you don't have $10,000 (US) that you can throw away to make a point, there is no reason to go there. You cannot represent yourself and even normal attorneys are not all qualified to go there.

The few federal agencies that can apply the law, such as state attorney generals, tend to already be fully occupied with things like rape, murder, grand theft, and chasing down workers in the drug and terrorism industries.

If you come up to them looking for help, they have to decide whether to look into a few annoying emails, or go out and catch passing speeders and arsonists and burglars. Because they only see 1/10,000,000 of any given spam run, it will look like nothing more than a misdemeanor. It will usually look like it is not even in their jurisdiction. Guess who wins?

Small ISPs are unlikely to have the money to pursue cases under this law. Some of the major ISPs have gone after a dozen or so spammers. Even if they win every case, twelve or so prosecutions a year is not a noticeable deterrent for the remaining hundred thousand or so spammers.

The net effect is that this bill ought to be called the I-CAN-SPAM act, as this would represent it accurately.

Once you figure out that the aim of the government is to take your money and kill you, everything starts making sense.

2004 Aug 07 [ Sat ]

Using ntbackup in a batch file

I saw this comment as part of a discussion on doing backups of an NT system. As well as being useful as a reference for ntbackup syntax, it includes a lot of good ideas for creating filenames based on date and time – something that makes my tongue protrude from the corner of my mouth, even in Unix.

Automating NTBackup is half the battle. Example... (Score:2) by jakedata (585566) on Friday August 06, @09:53AM (#9898563) ask.slashdot.org [http://ask.slashdot.org/comments.pl?sid=116794&cid=9898563]

Making NTBackup operate at the command line can be tricky. You can use the backup wizard to create the bkf file for Exchange, and then specify it from the command line.

Here is an example .bat file I use for naming and managing backups without the use of any external utilities. It is pure batch language on Windows 2000.

Move the files to Linux any way you want.


-begin backup.bat-

rem Make room by deleting oldest files, leaving four newest
for /F "skip=4" %%A in ('dir s:\backup\*email.bkf /o-d /b') do del s:\backup\%%A
for /F "skip=4" %%A in ('dir s:\backup\*system.bkf /o-d /b') do del s:\backup\%%A

rem Back up the C drive
C:\WINNT\system32\ntbackup.exe backup systemstate c: /M normal /F s:\backup\system.bkf

rem Grab the date and time, strip out extra spaces and illegal characters, insert dashes and rename latest backup file
FOR /F "tokens=2,3* delims=/ " %%i in ('date /t') do FOR /F "tokens=1,2 delims=: " %%l in ('time /t') do FOR /F "tokens=1-5 " %%n in ('@echo %%i %%j %%k%%l %%m') do rename s:\backup\system.bkf %%n-%%o-%%p-%%q-%%r-system.bkf

rem Back up the Exchange database
C:\WINNT\system32\ntbackup.exe backup "@C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\exchange.bks" /a /v:no /r:no /rs:no /hc:off /m normal /j "exchange" /l:s /f "s:\backup\email.bkf"

rem Grab the date and time, strip out extra spaces and illegal characters, insert dashes and rename latest backup file
FOR /F "tokens=2,3* delims=/ " %%i in ('date /t') do FOR /F "tokens=1,2 delims=: " %%l in ('time /t') do FOR /F "tokens=1-5 " %%n in ('@echo %%i %%j %%k%%l %%m') do rename s:\backup\email.bkf %%n-%%o-%%p-%%q-%%r-email.bkf

Microsoft adds insane feature to firewall in XP SP2

A Slashdot posting linked to the following story in PC Magazine: www.pcmag.com [http://www.pcmag.com/article2/0,1759,1631256,00.asp]

Microsoft has included a programmatic interface for Windows Firewall that allows an application to do things like set FirewallEnabled to FALSE, add itself to the list of AuthorizedApplications, or change the configuration of GloballyOpenPorts. Our concern here is that a malicious application could turn off Windows Firewall or, more likely, mark itself as an authorized application. Corporate administrators can disable some or all local configurations, which will prevent programs from making changes; but ultimately, Microsoft maintains, individuals still have to be smart about what apps they run. Even the best deadbolt won't protect your house once you've let the bad guys in.

I can only imagine the programmer intended the feature for use only by Microsoft apps (the secret phone-home stuff) and accidentally let it leak into the published feature set.

PC Magazine tries to invent a rationale: "be smart about what apps they run". But the reason why we have an outgoing firewall at all is because *smart* people *don't* trust the apps they run. For instance, Creative is notorious for installing intrusive phone-home modules, and the only way to detect that is by tracking down firewall messages. And of course there have been innumerable security flaws which allow modules to be installed without the user's knowledge and informed consent.

Problems with Windows XP SP2?

Apparently, Microsoft has just released Service Pack 2 for Windows XP. People with installations of XP that use non-kosher keys are worried that if they try to install SP2 it will detect the bad key and break Windows, as sometimes happened with SP1. Allegedly Microsoft decided that SP2 will work on any machine that worked with SP1, but maybe not.

Incidentally, some relatively legal installations of Windows have used shady keys. I myself have installed Windows on a corporate network where every machine had its own fully kosher Windows CD, but we used a hacked install disc; rather than unseal all the Windows packages (and try to keep everything straight), we just re-used a single key. (That was with Windows 98; Windows NT and later have various problems with that on a network. It's possible to get around them; Microsoft even have a webpage on how to handle such issues with image installs etc.)

In an excellent posting on Slashdot someone gave links to ways around this problem:

Re:So (Score:5, Informative) by wfberg (24378) on Friday August 06, @08:42PM (#9905290) it.slashdot.org [http://it.slashdot.org/comments.pl?sid=117069&cid=9905290] (huizen.dds.nl [http://huizen.dds.nl/~wfberg/])

According to that msfn.org site, Microsoft has now announced that SP2 will install on all but the PCs that were also blocked from SP1.

So, if SP1 will install, so will SP2.

In the interest of preventing other people from getting their computers hacked into to form a botnet and DDOS the planet, check out how to change the CD key labmice.techtarget.com [http://labmice.techtarget.com/windowsxp/articles/changeID.htm] and a list of CD keys opensourcerules.esmartdesign.com [http://opensourcerules.esmartdesign.com/xpkey.htm].

In the techtarget link, the following technique was suggested:

To change the product ID


Log in as the local Administrator
Click Start > Run > and type in Regedit
Browse to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\wpaevents
In the right pane, right-click OOBETimer, and then click Modify
Change at least one digit of this value to deactivate Windows
Click OK and close regedit
Click Start > Run and type in: "%systemroot%\system32\oobe\msoobe.exe /a"
Click Yes, I want to telephone a customer service representative to activate Windows, and then click Next
Click Change Product Key (at the bottom)
Enter your valid Corporate Product Key
Press Update and close the window. If you are returned to the previous window, click Remind me later
Restart your computer

The reason I'm posting it here is because of that interesting trick of writing a value to "OOBETimer" to "deactivate Windows". Is that a general trick?? Could you use it to easily edit system files? Hmmm.

2004 Aug 01 [ Sun ]

How to remove files from Windows

Recent versions of Windows have included "protection" for files installed with Windows. This even includes the handful of games that are included with any Windows install. The result of this "protection" is that even if you succeed in deleting them, Windows will put them back later! In the midst of a Slashdot discussion about a manager who was caught playing Solitaire all day, there was a very useful posting about how to positively delete or deny access to such files:

Re:YOU CALL THAT (Score:5, Interesting) by nachoboy (107025) on Sunday August 01, @02:18AM (#9856515) yro.slashdot.org [http://yro.slashdot.org/comments.pl?sid=116452&cid=9856515]

He's trying to uninstall a game on a business-oriented operating system. That should be one command, tops.

You want one command? Done. Run this as a local admin:

RunDll32.exe advpack.dll,LaunchINFSection %systemroot%\INF\games.inf,SolitaireUninstall

Or perhaps you'd like to nuke all the games at once? You could of course run the Uninstall section for each game. But since we're so fixed on the "one command" notion, we'll need a file c:\nogames.txt with the following contents (disregard the spaces added by slashcode):

[Components]
freecell=Off
hearts=Off
minesweeper=Off
pinball=Off
solitaire=Off
spider=Off
zonegames=Off 

Once we have that, run this command to blow away all the games at once. (Add /q to hide all UI during the uninstall process.)

sysocmgr.exe /i:%systemroot%\inf\sysoc.inf /u:c:\nogames.txt

Or just deny permissions to the binary in question:

cacls %systemroot%\system32\sol.exe /e /d Users

Software restriction policies can also be easily set by a domain administrator for groups of users or computers.

Just because YOU don't know how to administer a Windows network doesn't mean it's not possible.

I have taken the liberty of removing what appeared to me to be Slashdot's inserted spaces. I've included the link to the original article if necessary.

2004 Jul 06 [ Tue ]

How to delete the Administrator account in Windows

Here's a link to a readable (although of course pretty technical) page about removing the administrator account (actually, removing it from the administrators group, which is effectively the same).

I liked it because it seems fairly clear about Windows security functions, which have always seemed clear as mud to me.

www.kuro5hin.org [http://www.kuro5hin.org/story/2004/7/4/7570/05276]

Responses: 2
Name/Blog: Joe
URL: mailto:sleepy703@yahoo.com
Title:
Comment/Excerpt: Wow, the author uses a CMD console. I wonder why he/she didn't just use "regedit" in the Run option of the Start Menu. Anyway, sounds like a fun (destructive) project for computers at work rendered rather useless thanks to MIS disabling everything under the Administrative account.
Name/Blog: The Boss
URL: http://www.panix.com/~dannyw/weblog/
Title: Joe asks why use console
Comment/Excerpt: I haven't tried this process, but in the article he says he wants a way to use the built-in System account, and apparently this cmd window is part of that. Maybe if you tried doing this while logged in as administrator, but effectively disabling that account, bad things happen.
2004 Jun 23 [ Wed ]

Unnecessary services in Windows XP

A "service" is a piece of software which has been installed so that it always starts running as soon as the machine starts up, and runs continuously in the background, probably without you being aware of it unless you check for it.

Microsoft lately has been adding more and more of these damned services, most of which seem unnecessary and a security risk. Here's a link to an article listing services which it suggests you can remove: www.winnetmag.com [http://www.winnetmag.com/Windows/Article/ArticleID/40722/Windows_40722.html] Read the entire article: apparently some of the suggestions are controversial, if only to the extent that MS deprecates them.

Windows and .NET magazine is pretty good if you need to administer Windows. The above page also has a link to what seems to be a pretty good set of articles, eg this one about "svchost.exe": www.winnetmag.com [http://www.winnetmag.com/Windows/Article/ArticleID/40722/Windows_40722.html] which is one of their 20 most viewed: www.winnetmag.com [http://www.winnetmag.com/Index.cfm?Action=TopViewed]

I hate svchost.exe because it allows a malicious process to run with the svchost.exe label. Like almost all MS's design decisions, it gives maximum flexibility to the developer and maximum insecurity to the user.
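An added example (not from the article linked above or from Microsoft) of a check for the name-level part of this problem: it flags processes called svchost.exe that run from outside %systemroot%\system32, and look-alike names. The process list is constructed, the function names are hypothetical, and the check says nothing about which services a genuine svchost.exe is hosting.

```python
import ntpath  # Windows path rules, usable on any platform

GENUINE_NAME = "svchost.exe"

# Constructed sample: (pid, full image path) pairs as a process lister
# might report them. None of these come from a real machine.
SAMPLE_PROCESSES = [
    (812, r"C:\WINDOWS\system32\svchost.exe"),
    (1044, r"c:\windows\System32\SVCHOST.EXE"),
    (1320, r"C:\WINDOWS\svchost.exe"),
    (1588, r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe"),
    (1712, r"C:\WINDOWS\system32\scvhost.exe"),
    (1900, r"C:\WINDOWS\system32\spoolsv.exe"),
    (2024, r"C:\WINDOWS\system32\..\system32\svchost.exe"),
]


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_processes(processes, system_root=r"C:\WINDOWS"):
    """Return (pid, image_path, reason) for each suspicious process.

    system_root is an assumption the caller supplies, e.g. C:\\WINNT on
    Windows 2000 and C:\\WINDOWS on XP.
    """
    expected_dir = ntpath.normcase(
        ntpath.normpath(ntpath.join(system_root, "system32")))
    findings = []
    for pid, image_path in processes:
        # Collapse ".." and fold case so equivalent paths compare equal.
        norm = ntpath.normcase(ntpath.normpath(image_path))
        directory, name = ntpath.split(norm)
        if name == GENUINE_NAME:
            if directory != expected_dir:
                findings.append((pid, image_path, "svchost.exe outside system32"))
        elif edit_distance(name, GENUINE_NAME) <= 2:
            findings.append((pid, image_path, "look-alike name"))
    return findings


if __name__ == "__main__":
    for pid, path, reason in check_processes(SAMPLE_PROCESSES):
        print(f"{pid:5}  {reason:30}  {path}")
```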

2004 Jun 21 [ Mon ]

How to avoid getting infested *while* you're installing Windows

Although Microsoft seems to have put more effort into security with XP than previous versions, it still has many shortcomings.

In particular:

1. Microsoft advises you to leave the firewall disabled while you install the (essential) security updates. (For some reason, new computers are still being shipped without current updates – you're lucky to get XP SP1.)

2. The firewall does not load before the network interface, so there is a span of many seconds *every time it boots* during which the machine is on the network without any firewall. There is a documented case of a machine getting infected within *six* seconds.

The whole Slashdot discussion is worth reading: ask.slashdot.org [http://ask.slashdot.org/askslashdot/04/06/21/0024208.shtml]

Some good ideas in the discussion:

1. Windows Update seems to work even if you *do* enable the firewall

2. An external (hardware) firewall/router – often built into your cable or DSL interface, or as inexpensive as USD 30 – should be sufficient to protect the machine while you download security updates. (You need to take many more precautions before you then start using Internet Exploder, however.)

3. There's a downloadable utility that seems to handle patches more conveniently than Microsoft's built-in options. It works for 2000, XP and 2003: www.autopatcher.com [http://www.autopatcher.com/]

4. There's also a downloadable utility XPCREATE which makes it easy to put together a *prepatched* Windows XP CD: greenmachine.msfnhosting.com [http://greenmachine.msfnhosting.com/XPCREATE/]

Another Slashdot discussion about the lessons of the Blaster worm: developers.slashdot.org [http://developers.slashdot.org/developers/04/06/21/0142206.shtml] reminded me that a system administrator has several additional worries:

1. People with *laptops* are not necessarily going to get patched when all of the internal systems are. They may show up *weeks* after the original panic with an infested system that they plug right into the unprotected side of the firewall.

2. Likewise, VPN links – often provided to laptop users, or anyone else who needs to dial in – act as a major hole in the network for worms to enter through.

So if your anti-worm solution depends on an external firewall, your internal network is still vulnerable.

A few months ago I wondered if there was some sort of multiport firewall which would protect all of the workstations from *each other*. Ie, the firewall rules for each workstation port could be extremely simple, so that the hardware would be relatively inexpensive, perhaps along the lines of a managed hub. Hmm, maybe that *is* a feature on some managed hubs?

...Hmmm, there's actually a reference to something like that in the above Slashdot article:

Re:VPN's aren't perfect pipes (Score:5, Interesting) by HermanAB (661181) on Monday June 21, @12:31AM (#9481588) developers.slashdot.org [http://developers.slashdot.org/comments.pl?sid=111749&cid=9481588]

> "my new rule is no PC talks to anything else but its samba, proxy or email server"

Good quality routers, eg. HP2524 can be configured for 'port to port security'. So it is actually very easy to configure a system to prevent PCs from blabbing to each other.

If the PCs can only see the servers and the servers are all Linux or Mac boxen, then the system is remarkably robust.

Here's an overview of the HP 2524 (not really a router) (USD 1309 for 24 ports): www.hp.com [http://www.hp.com/rnd/products/switches/switch2524-2512/overview.htm]

It sounds like what the Slashdot poster was referring to is called "port security".

Unfortunately I can't find a definition of what "port security" really means. Apparently the Linksys EF24G2M also has "port security" but perhaps not with identical features: ftp://ftp.linksys.com/datasheet/ef24g2mds.pdf

The following data sheet talks about "port security", but seems to use that term to refer to blocking devices with unapproved MAC addresses. The kind of feature I want they seem to define as a "Multi-Layer Access Control List": www.dlink.de [http://www.dlink.de/binaries/misc_binaries/DGS-3224TGR.pdf]

The search term "*port to* port" security only returned 9 hits. The most interesting one was a blurb about a system Unisys installed in hotels to provide Internet access to guests: www.unisys.com [http://www.unisys.com/services/clients/unisys_a_starwood__hotels_a_resorts.htm] It's not very technical but it is relatively readable.

Here's another gizmo whose datasheet talks about access control lists (ACLs), as well as "layer 3 filtering": www.foundrynet.com [http://www.foundrynet.com/products/l23wiringcloset/stackableDatasheet.html] ...Hmm, maybe that *does* make them a router.

All in all, it looks like you'd have to actually play with one of these boxes to figure out what they can really do.

2004 Jun 16 [ Wed ]

Another improved Windows text editor

As usual, the Bangkok Post had a couple of interesting links today.

Wanda Sloan describes a text editor she likes: free, small, has some html features, does columns (the other day I couldn't figure out how to make Word 2000 do columns), undo/redo and goto line number: www.xtort.net [http://www.xtort.net/xtort/subpad.php]

I've downloaded it but I haven't tried it yet.

Btw, the creator seems to like Borland's Delphi programming languages and has a lot of links for it: www.xtort.net [http://www.xtort.net/xdelphi/xdelphi.php]

Don't try to recover an NT4 disk on an XP system

The following Slashdot post says it could be disastrous. I haven't tried doing what it talks about, but I probably would have if an NT4 disk died. So I don't know if it's true or not, but maybe "a stitch in time saves nine".

Re:What's the maximum partition size in WinXP/Win2 (Score:4, Informative) by dameron (307970) on Monday June 14, @06:21PM (#9424276) slashdot.org [http://slashdot.org/comments.pl?sid=111054&cid=9424276]

> I think XP has a newer version, and 2k can't use it, but could be wrong..

You are correct, and if you put an NT disk in an XP machine (say to do data recovery) the XP machine will -automatically and without asking- convert your NT disk to its version of NTFS, rendering it unbootable.

-dameron

Btw, I've read something similar to this *even if the boot system and the recovery drive are the same version of Windows*. Apparently XP writes some sort of volume ID to a hard disk when it first connects to it, and that will prevent it booting when the recovery disk is put back in its own hardware. I don't have a link to this phenomenon, but I think I read about it in Windows 2000 magazine.

2004 Jun 06 [ Sun ]

The Windows 2000 Resource Kit tools

I noticed a link in Slashdot to the Server 2003 resource kit tools being a free download from MS. I thought "hmm, that's funny, last time I tried I couldn't download those." It turns out that for some reason MS provides a free download for the 2003 Resource Kit, but not for Windows 2000 (still).

On the other hand, for some unfathomable reason, MS does allow you to download each tool in the Resource Kit individually: www.microsoft.com [http://www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp]

I happened to particularly notice "inuse.exe": www.microsoft.com [http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/inuse-o.asp]

Inuse.exe: File-In-Use Replace Utility

Last Updated: 11/04/1999 - Performs on-the-fly replacement of files currently in use by the operating system

That might get around some of those "Cannot delete file – file is currently in use by another process" messages.

Another nifty MS utility, though intended for XP users rather than 2000, allows you to change the "volume licensing product key" on an installed system instead of having to reinstall: support.microsoft.com [http://support.microsoft.com/default.aspx?scid=kb;en-us;328874]

The basic trick looks like you might adapt it for W2K, though.

The blasted capslock key

The first keyboards I used with a control key had it in what I now feel to be the obviously right place, ie next to "A". I was astounded when the PC went over to having the capslock key in that position, and hiding the control key away where only your left pinky can reach it. Worse, the effect of the capslock key is usually to make you retype a lot of text, at least for us non-touch-typers.

A recent discussion on Slashdot suggests a conspiracy theory: Microsoft wanted to make existing word processors harder to use, so they decided to make the control key harder to reach. The link is to the entire discussion:

ask.slashdot.org [http://ask.slashdot.org/askslashdot/04/06/05/2326217.shtml]

I've collected various utilities to flip the effect of the capslock and ctrl keys, but I wound up not using them much: I tend to work on a smorgasbord of different systems, most of which may be used by other people, and the effort of remembering which layout to use at any time (eg on a dual-booting machine) is significant. However, the above Slashdot discussion included the following tip which is worth repeating:

Re:Yes (Score:5, Informative) by falzer (224563) on Saturday June 05, @07:36PM (#9346972)

Here's how I made capslock an extra control in Windows 2000/XP.

Go to this path in the registry editor: HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Keyboard Layout

In that registry path, add a new binary value, like so:

Name: Scancode Map
Type: REG_BINARY
Data:
00 00 00 00 00 00 00 00
02 00 00 00 1D 00 3A 00
00 00 00 00

This required a reboot to take effect (for me, anyway).

I haven't tried this yet.
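To see what the quoted bytes actually say before putting them in the registry, here is an added Python example (not part of the original post or the Slashdot comment) that decodes a Scancode Map value: two zero header DWORDs, an entry count that includes the terminator, then one DWORD per remap. The `NAMES` table and the function names are assumptions made for this illustration.

```python
import struct

# Constructed name table covering only the scancodes used in this example.
NAMES = {0x0000: "(disabled)", 0x001D: "Left Ctrl", 0x003A: "Caps Lock",
         0xE01D: "Right Ctrl"}

# The data bytes exactly as quoted in the comment above.
POSTED = """00 00 00 00 00 00 00 00
02 00 00 00 1D 00 3A 00
00 00 00 00"""

def parse_hex(text):
    """Turn space/newline separated hex bytes into a bytes object."""
    return bytes.fromhex("".join(text.split()))

def decode_scancode_map(blob):
    """Return [(physical_key, sent_as), ...]; raise ValueError if malformed."""
    if len(blob) < 16 or len(blob) % 4:
        raise ValueError("value too short or not a whole number of DWORDs")
    version, flags, count = struct.unpack_from("<III", blob, 0)
    if version or flags:
        raise ValueError("version and flags DWORDs must both be zero")
    if len(blob) != 12 + 4 * count:
        raise ValueError("entry count does not match the data length")
    entries = struct.unpack_from("<%dI" % count, blob, 12)
    if entries[-1] != 0:
        raise ValueError("missing null terminator entry")
    # Low word = scancode that gets sent, high word = key physically pressed.
    return [(e >> 16, e & 0xFFFF) for e in entries[:-1]]

def encode_scancode_map(mappings):
    """Build the REG_BINARY data for [(physical_key, sent_as), ...]."""
    body = b"".join(struct.pack("<HH", sent, key) for key, sent in mappings)
    return struct.pack("<III", 0, 0, len(mappings) + 1) + body + b"\x00" * 4

def describe(blob):
    """Human-readable audit lines for each remapped key."""
    name = lambda code: NAMES.get(code, "scancode 0x%04X" % code)
    return ["%s -> %s" % (name(k), name(s)) for k, s in decode_scancode_map(blob)]

if __name__ == "__main__":
    for line in describe(parse_hex(POSTED)):
        print(line)
```

Because the value lives under HKEY_LOCAL_MACHINE it applies to every user of the machine, so the same decoder is handy for checking a shared box for remaps nobody remembers setting.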

Another issue is the escape key. I mostly use the "vi" editor, which requires you to use the esc key frequently. The escape key should be where the tilde/tick key is, as it is on the "Happy Hacking" keyboard: shop.store.yahoo.com [http://shop.store.yahoo.com/pfuca-store/]

2004 May 18 [ Tue ]

How to download to disk *all* current patches for your Windows operating system

As part of a very good Slashdot discussion on dealing with various infestations of Windows machines: slashdot.org [http://slashdot.org/articles/04/05/17/0640235.shtml]

someone suggested the following:

Downloading all "Windows Updates" is possible (Score:5, Informative) by comcn (194756) on Monday May 17, @05:45PM slashdot.org [http://slashdot.org/comments.pl?sid=107840&cid=9177559]

I had this issue just the other day. I found out that Microsoft provide a "hidden" option on Windows Update to allow downloading all patches for a certain operating system.

The following URL describes how to do it: support.microsoft.com [http://support.microsoft.com/default.aspx?scid=kb;en-us;323166]

Basically, go to Windows Update, click on "Personalize Windows Update", and then turn on "Display the link to the Windows Update Catalog", and save. You then go back to the main page, where you can access the windows update catalog and download to disk all current patches for a particular OS automatically.

When I found that I was very pleased.

I think there is software to automatically install it all from disk, too, but I haven't had time to look for that, yet.

When I tried this in an internet cafe it didn't seem to work, but I haven't used Windows Update much. Maybe it only really works on W2K, despite his reference to "for a certain operating system".

In particular, when I tried to go to the Windows Update site as recommended, it gave me some sort of error msg about how I had to run this as the administrator. Their instructions for getting to "run as" in W2K didn't work. It may also be that you need to eliminate all your security settings in IE to allow Windows Update to scan and rape your system.

Maybe it works for default installs of XP.

2004 May 04 [ Tue ]

Alternate Data Streams in Windows NT/2000/XP NTFS

The NT file system, still used in Windows 2000 and XP, has an interesting and underdocumented feature called "alternate data streams". This allows you to associate an "alternate data stream" – effectively an invisible file – with an existing regular file. Support for the feature is halfhearted and inconsistent.

Here is an excellent explanation: patriot.net [http://patriot.net/~carvdawg/docs/dark_side.html]

It makes the point that this feature seems designed for malicious use, so (my conclusion) it is probably part of Microsoft's backdoor code.
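As an added example (not from the original post or the linked article), the Python below picks alternate data streams out of a directory listing and shows why they are "invisible": the size listed for the host file does not include the stream. It assumes the `file:stream:$DATA` lines printed by `dir /R` on later Windows versions in US date format; the sample listing, file names and the `EXPECTED` allow-list are constructed for this illustration.

```python
import re

# Constructed sample of `dir /R` output; file and stream names are made up.
SAMPLE = """
 Directory of C:\\work

05/04/2004  10:12 AM                42 notes.txt
                                    26 notes.txt:Zone.Identifier:$DATA
05/04/2004  10:15 AM             1,024 report.doc
                                 7,680 report.doc:extra.bin:$DATA
05/04/2004  10:20 AM               310 readme.txt
               3 File(s)          1,376 bytes
"""

# Ordinary entry: date, time, size, name (directories show <DIR>, not a size).
FILE_LINE = re.compile(r"^\d\d/\d\d/\d{4}\s+\d\d:\d\d [AP]M\s+([\d,]+)\s+(.+?)\s*$")
# Stream entry has no date column: "<size> <file>:<stream>:$DATA".
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+([^:]+):([^:]+):\$DATA\s*$")

# Stream names treated as expected (assumption; adjust for the environment).
EXPECTED = {"Zone.Identifier"}

def to_int(text):
    return int(text.replace(",", ""))

def list_streams(listing):
    """Return [(file, stream, stream_bytes, listed_file_bytes), ...]."""
    listed = {}
    found = []
    for line in listing.splitlines():
        m = FILE_LINE.match(line)
        if m:
            listed[m.group(2)] = to_int(m.group(1))
            continue
        m = STREAM_LINE.match(line)
        if m:
            name = m.group(2)
            found.append((name, m.group(3), to_int(m.group(1)), listed.get(name)))
    return found

def unexpected_streams(listing, expected=EXPECTED):
    """Streams whose name is not on the allow-list, for manual review."""
    return [s for s in list_streams(listing) if s[1] not in expected]

if __name__ == "__main__":
    for name, stream, size, visible in unexpected_streams(SAMPLE):
        print("%s has stream %r: %d bytes hidden behind %s listed"
              % (name, stream, size, visible))
```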

How to fix Internet Explorer starting up with only title bar

I recently encountered a machine at the internet cafe where every time you tried to open a site in IE, it would come up showing only the title bar. Clicking full-screen would make it show over the full screen, but then you couldn't resize it. Clicking the minimize button sent it to the bottom toolbar, but clicking on it again opened it just as the title bar again.

I tried various things and put up with it fuming.

Today I realized I had sat down at the same machine, and decided to fix the blasted thing.

After some Googling, I figured it out.

The basic reason is that under some circumstances IE will remember the window settings it *thinks* you want and keeps presenting new windows with the same setting.

How to fix it: if you're in IE, exit out of it and make sure you've closed all IE windows. Now start IE again. It will bring up the home page, whatever that is – "about:blank", www.yahoo.com, whatever – in the default it *thinks* you want – but in this case, it shows *only* the title bar of your homepage.

Move the mouse and hover over a *corner* of that title bar. You will see the diagonal arrows appear, and be able to resize the homepage window to something sensible. Now click File – Close to exit IE. IE will then remember the window setting, and when you reopen IE it will come back showing the home page, and every other window, with that setting.

Btw, this title-only problem happens to be obvious, but the basic process is why your startup window keeps changing apparently for no reason. (I don't know if "File – Close" is essential to causing new window settings to be made – maybe alt-F4 will trigger the same problem.)

Need I add that I consider this feature of IE to be a poor design?

2004 May 02 [ Sun ]

Setting registry key permissions to prevent trojan installs

Typically trojans which manage to sneak past your defences while you're browsing try to install themselves into your registry.

In the following Slashdot discussion: slashdot.org [http://slashdot.org/articles/04/05/01/1618224.shtml] several people made interesting assertions which I haven't investigated yet. Note that these suggestions may not work under non-NT-type systems.

Re:Mutex Trapping (Score:5, Informative) by Anonymous Coward on Saturday May 01, @01:49PM (#9028427)

You can set permissions in the registry per key.

Make it impossible to write to HKLM/software/microsoft/windows/currentversion/run

Re:Mutex Trapping (Score:5, Informative) by stef0x77 (529972) on Saturday May 01, @01:57PM (#9028496) (slashdot.org [http://slashdot.org/])

Use regedt32.exe (which is an older incarnation of regedit), go to the key in question, choose Security | Permissions ... from the menu etc...

Re:Mutex Trappi