Danny's Weblog
Computers/Opsystems
This folder contains articles which are computer-related but only
are relevant for a single operating system, eg Windows software,
or Mac display issues. There are individual folders for each operating
system.
I have used Access 2003 quite a bit, but I've never used Access 2007, so I thought I should probably grab a book on it. I saw "Access 2007 for Starters" (in the Missing Manual series from Pogue Press / O'Reilly) in the library, and read through it. Despite many grumbles (below), it's well-written and worth buying. The only real grumble about the book itself is that it is intended as a companion to "Access 2007: The Missing Manual", which contains a lot of extra information on programming etc, but also explanations of GUI procedures which one might have expected to find in the "starter guide" version.
Below is a list of notes which I made in order by page location in that book, which mainly address issues where the GUI is unclear or misleading, plus the differences between Access 2003 and Access 2007. I made the notes to have a fast reminder in case I need to start using Access 2007 quickly. But first I want to address the most important thing I learned from the book, which in my opinion is a real gotcha for anyone learning Access.
I assume that most people reading this are already somewhat familiar with Access. One of the nice features is that you have not only a GUI for setting up relationships between tables, but also a GUI for defining a "lookup" field in a table, so that the user can fill in that field by picking from another table.
What I had never realized was that the latter feature only works if the source and destination tables do not already have a relationship. The book states this on page 188:
Access is a bit quirky when it comes to lookups. It expects you to add the lookup, and *then* the relationship. (In fact, when you set up a lookup that uses a table, Access creates a relationship *automatically*.)
If you *do* have an existing relationship, you need to *delete* it before setting up a lookup. This seems to be true for 2003 as well, and explains why I occasionally had baffling problems setting up a lookup in the past. Is there anyone who can think of a logical reason why this restriction is necessary?
Here's a link to my previous posting about MS Access 2003:
www.panix.com
[http://www.panix.com/~dannyw/weblog/Computers/Opsystems/Windows/msaccess01.html]
Here is a nice simple webpage which lists new features in Access 2007:
www.wiseowl.co.uk
[http://www.wiseowl.co.uk/ms-training-version/access-2007-training.htm]
Note that most Access info is either not free or is from MS, so finding info on bugs or shortcomings is tough. The following link may help.
www.allenbrowne.com
[http://www.allenbrowne.com/Access2007.html]
One standard technique the book does not mention is splitting up a database into two separate Access files: the main (large) data tables, and the forms, queries, menus and VBA code. This makes it much easier to provide updates, or multiple versions using the same live data. However, I noticed in checking the procedures in the book using Access 2003, that when I set up the main data file to use a lookup from a child table to a parent, when I subsequently accessed the child table from the external database file the field showed as the bare ID numbers, instead of as the lookup. Perhaps the full version of the book goes into this issue.
Notes on "Missing manual" book by page
1. p 006 I particularly wanted to pick up simple starter stuff about the new "ribbon" GUI for Office 2007 apps, so I don't apologize very much for noting this absurdly newbie tip: Access does not show the ribbon until you create a database.
2. p 027 You can download the "Access Developer's Toolkit" from MS to allow you to customize the Getting Started page. I don't remember such a thing for Access 2003.
3. p 033 One of the weaknesses of the book is that it is not well organized for people who are familiar with, or need to interoperate with, earlier versions of Access. For instance, this page describes how you can save from Access 2007 in formats compatible with older versions, but does not detail what new features are incompatible with those older formats.
4. p 042 I'm sure these keystrokes were the same in 2003, but I was happy to find them here: use F2 to enter edit mode in a cell, and ctrl-" (ctrl-double-quotes) to copy to a field from the previous record.
5. p 044 You can go to Access Options to set a database to automatically compact on close. (I am ashamed to say I usually forget to compact Access databases, eg when I was messing around with image files in a previous posting.)
6. p 048 Both Access 2003 and 2007 have multiple, clunky, hard-to-read security warnings when you open a database. This page makes the point that going with what appears to be the safer option in 2007 will screw up action queries, of which more below.
7. p 056 You can create a shortcut from the desktop to a table by dragging the table's icon to a blank space on the desktop. I haven't checked to see if you can do the same thing for a query or whatever.
8. p 067 The attachment data type is new. It basically provides the image data type I was grumbling about in my previous Access posting, but can also be used to embed other filetypes, eg Word files. (But there doesn't seem to be any way to do anything useful with the contents of the file, eg getting the creator name of the Word file.)
9. p 071 You can open a "zoom box" to edit a cell – eg a memo field – with shift-F2.
10. p 079 The author seems to think that "2008-23-2" is the "international year-month-day standard". I imagine he means "2008-02-23". It would have been nice if he had been more explicit than "always works": eg, does it work in expressions like filters?
11. p 084 You can edit hyperlinks (add a caption) either by r-click and Hyperlink - Edit hyperlink, or by the shortcut ctrl-K.
12. p 084 Here's an example of a new feature – attachments – which may or may not work if you choose an older database file format.
13. p 099 The book strongly urges you to use an arbitrary (system-generated) ID field as the primary key, instead of figuring out which real (natural) data fields can be used as the primary key. I have gotten the impression from examples created by Microsoft that this is what MS really intends, although I have not seen them explicitly recommending it. For once, I am with MS on this one. See "surrogate key" on Wikipedia:
en.wikipedia.org
[http://en.wikipedia.org/wiki/Surrogate_key]
14. p 103 I like the new feature of alternating row formats on datasheets.
15. p 113 "If you edit values in a sorted column, then Access doesn't reapply the sort." This is an example of the sort of really fundamental information which I think should be in an introductory section of the book: for instance, it's not obvious to me that Access *does* re-sort if you close and re-open the table (or indeed what behavior is desirable).
16. p 118 The "filter by selection" feature can filter by *part of* a field simply by selecting just that part. That would not have been obvious to me without the book.
17. p 133 The book wisely adds a note about another unexpected behavior: you can enter a record with a *required field* that's set to *blank* simply by entering a space: Access allows this because it sees "something" in the field, but then happily truncates the field to blank (zero characters) when it stores it! You can set "allow zero length" to "no" to prevent this.
18. p 138 This should have been obvious to me, but was not till I read the book. If you want to prevent duplicates in a field, you can set the "indexed" property of the field in Design View to "yes [no duplicates]".
Similarly, you can create an index with a combination of fields, and then prevent duplicates of that *combination* of fields. You may want to set "Ignore nulls" to "yes".
19. p 147 Here it describes how to add a user-defined mask to the mask list, but on p 144 it says you need to buy the *full* book to get this info.
20. p 151 The following is a valid range expression: "Between 0 And 100", ie both "Between" and "And" are keywords.
21. p 156 If you want to set a validation rule for *multiple* fields, that is considered a property of the table, so you do it by going to the property sheet of the table, not of the component fields. If necessary, you can set up multiple rules by using the And and Or operators using a single validation-rule box.
22. p 162 This is the location of half of the info about lookups that I emphasized above.
23. p 179 When you have created a relationship diagram, Access asks you if you want to save it. It is really asking about saving the *diagram* itself. The *relationships* remain in the database whether you save the diagram or not.
24. p 186 At least in Access 2007, if you are viewing a parent table as a datasheet, you can just click the little "plus" box at the left of a record to view its child records. If more than one table is linked to the record, Access lets you pick the table. I can't remember ever knowing that, but maybe I just figured it out from the GUI when I needed it.
23. p 188 This is the location of the rest of the info above about lookups.
24. p 189 You add a lookup by the following procedure
-1. Delete any existing relationships between the tables
-2. Open the child table
-3. Select the field for which you want to provide a lookup to a parent table
-4. In "data type", choose "lookup wizard".
You can then follow the GUI to complete the setup. However, note that in most cases you need to select two fields: the ID field which actually links the tables, plus a human-readable field so that the user can make a meaningful choice. The default setting at the lookup setup window is to not display the ID field, which is usually what you want. For instance, usually the user wants to pick a company name, not the company ID number.
25. p 192 When you first create a lookup, the lookup is not *enforced*; the user can still enter data not present in the lookup. However, you can enforce the lookup by going to the relationship GUI, r-clicking on the relationship line, and enabling "enforce referential integrity".
26. p 193 Similarly to sorts (above), if you add a record to a parent table while the child table is open, you need to refresh the lookup to use the new record in the child table. In Access 2007, you do this by choosing Home - Records - Refresh all.
27. p 203 It is not obvious how to print out a relationship diagram. In 2007, you can do this by clicking Relationship tools - Design - Tools - Relationship report.
28. p 219 The default formatting for query fields (eg backgrounds, fonts) comes from the datasheet setup for the underlying table.
29. p 237 To get an outer join, you first create a relationship in the usual way (ie producing an inner join), and then convert it by r-clicking the relationship line. (I think I knew that before, but I can't remember actually doing it.)
30. p 260 This is where the book explains in detail what happens if you did the wrong thing faced with those security warnings when you opened the database. The result is you can't run any code or action queries, but the only message you see is "the action or event has been blocked by Disabled Mode".
31. p 289 In order to export a report to eg Word, you need to do a Print Preview: the required option is part of that mode.
32. p 296 You can't change the formatting of the report unless you're in *layout* mode. (I don't remember knowing this before, but I may have just figured it out from the GUI.)
33. p 308 When you create a form to edit a parent table that's linked to child tables, Access automatically provides a two-part form which allows you to edit the child tables.
34. p 323 In filter-by-form mode, there is no button on the GUI which applies the form. Instead, you have to r-click on an unused area of the form and choose Apply.
35. p 325 If you want to re-use a form filter, you can do Sort & filter - Advanced - Save as query. You can then load the query back in any form which uses the same fields.
36. p 342-346 To connect to an MS SQL Server or MySQL server, click the External data tab, click the More button in the Import section (on the left), then pick ODBC. Then choose "create linked table".
I installed Ubuntu for the first time a few months ago. I have installed many versions of Linux, but for a long time I had been using Windows for most things, and Linux (mostly Damn Small Linux) basically for security in internet cafes.
A Linux distribution naturally consists mainly of applications, most of which are the same for different distributions. In this post I will try to address issues which are mainly Ubuntu-related.
1. The main reason I picked Ubuntu was that I had the impression that the majority of Linux apps were available for Ubuntu as binaries. That's also why I installed 7.1, not 8.04 which had already been issued at that time: the apps were already ported and debugged to 7.1.
2. Indeed, I have generally been pleased with installing apps under Ubuntu. The system is easy and fast, with few bugs. I mostly (lazily) used the Synaptic GUI, but occasionally used apt-get when a webpage specified a command-line.
3. I am not quite so happy with the update process. I personally hate any app – including the update app – if it insists on running at startup and hogging the machine till it completes. OK, it wasn't tough to go in and change the setup so that it doesn't run until manually triggered, but actually what I would have preferred is an automatic reminder, plus – even better – a setup which ran the update at very low priority.
4. An even *worse* point about various processes like the update process was that they *completely took over the interface*. I was unable to run the GUI system tools to even find out what was happening. I was also unable to swap out of X Windows and open a console – at least after I had previously tried to alt-tab. I think this is quite serious: how can it *possibly* happen? I have always hated the way MS Windows takes many seconds to respond to a ctrl-alt-del, but this was way worse. Perhaps Red Hat etc are no better.
5. Actually, I was surprised that ctrl-alt-del does not bring up an interface which allows you to kill an amok process. I would think the most urgent need for an unmaskable interrupt is exactly that: things like logging out are just shortcuts.
6. The system does have multiple language support, but it is not that easy to find, and since there are multiple approaches what info there is seems a little muddled. I was able to set up multiple foreign-language keyboards, but it turns out the interface only allows a maximum of four, which doesn't seem to be documented. You will need to install something to indicate the current keyboard state separately: search for "Gnome indicator applet".
7. I was quite surprised that the internal hard drive was reported as SCSI. The drive hardware is certainly IDE. I haven't seen any other reports of this.
8. The initial install (and operation with the live CD) showed several strange little video problems. For instance, the command bar was initially above the area that the mouse could get to. After some guesswork it seems to work quite reliably now, but I don't really know what I did to fix things.
9. My Motorola V360 works about the same under Linux as Windows – ie the software is full of bugs.
10. For fun I installed "desktop drapes", a utility for automatically switching your desktop background at startup. This turned out to have serious bugs and I have now completely deleted it, mainly because it needs Mono, which I am ideologically opposed to: I don't want anything running MS .NET code on my machine. The only other thing needing Mono was some sort of photo sorting utility which I also deleted.
Also, it turned out that the Mono process was the *worst* offender as far as taking over the machine was concerned.
11. I have still not found a way to avoid the chocolate-colored background that covers the screen at startup. It clashes with my desktop colors and I cannot imagine anyone actually preferring it. (The "splash" screen is something else, which only appears for a second or two on my machine.)
12. Overall I think I might have preferred the KDE desktop. A lot of features seem more mature in KDE, like support for sshfs URLs in the file browser.
13. I found it surprisingly tough to install new fonts, at least by following the docs.
14. I was surprised that the firewall was not running initially. This should be part of the setup.
15. For simple backups you may want to check out grsync. There does not seem to be any backup utility in the default setup.
16. The location where apps get installed, both in the filesystem and in the screen menu, is inconsistent. Some apps do not get a link in the menu system at all. Perhaps this info is stored somewhere by Synaptic: it was quite irritating to have to check it manually.
17. Firefox would occasionally cause heavy, uninterruptible disk activity – initially I assumed Firefox was the culprit in all such cases. Actually, increasing the size of the cache to 250 MB seems to have fixed it.
18. Setting up to use the Medibuntu depository (for non-open-source drivers) was surprisingly clumsy and poorly-documented. Also, it didn't appear to work after I installed it, but now seems to be working by magic.
19. I have not been able to make my wifi card work, although it is returning info about the local wireless networks (four or five are visible from my location). It may be something strange about trying to run with both a wifi and a hardwired connection. Certainly the user interface for doing so is full of peculiar bugs.
20. I looked all over for how to set the default handler for files by extension. It turns out that Ubuntu provides a utility for setting a default multimedia handler etc – System - Preferences - Preferred applications. However, it doesn't go by file extension. You set that in your file browser, ie Nautilus in my (standard) case. I suppose that makes sense, but it took me a long time to think of it.
Btw, the problem I was trying to fix was .swfs. Totem had been set to handle them by default, but it couldn't open any .swf I tried. Gnash, on the other hand, works quite well.
21. I was unable to install VMWare, and found a bug report that said it had something to do with having the machine offline during the install. I would have thought that should be the normal procedure.
22. Generally, I have been disappointed with the default Ubuntu setups with respect to security. For instance, the default Firefox setup provided with 7.1 leaves all functions enabled. On the other hand, the default Adblock Plus setup seems designed to actively mislead.
I noticed while reading the following Slashdot discussion:
ask.slashdot.org
[http://ask.slashdot.org/askslashdot/06/12/15/0144253.shtml]
that the default behavior of Windows in opening
files is not what it appears to be.
You would think that Windows goes by the extension, and if
it doesn't recognize the extension it asks the user to
select an app. But what actually happens before that is
Windows somehow checks whether it's openable by Word, and
if it is Windows opens it in Word.
I just tested this by renaming a .DOC file .XXX and Word
opened it without a qualm.
The significance of this is that if you are a system
administrator and you have been filtering MS Office files
because of the danger of macro viruses etc, you actually
need to filter *any* extension.
Presumably the reason for this was to support Word Perfect
users who were used to naming their files with arbitrary
extensions. But surely the person who did this must have
realized it was horrible for security, right? It's an
example of the bad things that can happen when the company
that makes the OS also makes the app.
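An added example, not part of the original post: one way to filter Office documents by content instead of by extension, as the post argues an administrator must. It recognises the OLE2 compound-file container used by .DOC files and lists its stream names; the function names, the blocked-extension list and the sample file made by build_sample_ole2 are constructed for illustration.

```python
import os
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound file signature
MAXREGSECT = 0xFFFFFFFA                          # highest real sector number
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
BLOCKED_EXTENSIONS = {".doc", ".dot", ".xls", ".ppt"}   # assumed policy list
MACRO_NAMES = {"Macros", "VBA", "_VBA_PROJECT"}  # where Word keeps VBA projects


def blocked_by_extension(filename):
    """The filter the post says is insufficient: it trusts the file name."""
    return os.path.splitext(filename)[1].lower() in BLOCKED_EXTENSIONS


def ole2_entry_names(data):
    """Names of all storages and streams in an OLE2 file, or None if not OLE2.

    Simplification: only the 109 FAT sector numbers held in the header are
    used, which covers files up to roughly 7 MB with 512-byte sectors.
    """
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return None
    (sector_shift,) = struct.unpack_from("<H", data, 30)
    if sector_shift not in (9, 12):
        return []                    # signature present, header malformed
    size = 1 << sector_shift
    (first_dir,) = struct.unpack_from("<I", data, 48)

    def sector(n):
        start = (n + 1) * size       # sector 0 follows the header
        return data[start:start + size]

    fat = []                         # maps a sector to the next one in its chain
    for n in struct.unpack_from("<109I", data, 76):
        if n > MAXREGSECT or len(sector(n)) != size:
            break
        fat.extend(struct.unpack("<%dI" % (size // 4), sector(n)))

    names, seen, s = [], set(), first_dir
    while s <= MAXREGSECT and s not in seen:     # follow the directory chain
        seen.add(s)
        chunk = sector(s)
        for off in range(0, len(chunk) - 127, 128):   # 128-byte entries
            name_len, obj_type = struct.unpack_from("<HB", chunk, off + 64)
            if obj_type in (1, 2, 5) and 2 <= name_len <= 64:
                raw = chunk[off:off + name_len - 2]   # drop UTF-16 terminator
                names.append(raw.decode("utf-16-le", "replace"))
        s = fat[s] if s < len(fat) else ENDOFCHAIN
    return names


def classify(data):
    """Classify by content only; the file name is never consulted."""
    names = ole2_entry_names(data)
    if names is None:
        return "not-ole2"
    if "WordDocument" in names:
        return "word+macros" if MACRO_NAMES & set(names) else "word"
    return "ole2-other"


def blocked_by_content(data):
    """Fail closed: any OLE2 container is blocked, even a malformed one."""
    return classify(data) != "not-ole2"


def build_sample_ole2(entries):
    """Constructed sample: header, one FAT sector, one directory sector."""
    header = bytearray(512)
    header[:8] = OLE2_MAGIC
    # minor version, major version, byte order, sector shift, mini sector shift
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<I", header, 44, 1)            # one FAT sector
    struct.pack_into("<I", header, 48, 1)            # directory is sector 1
    struct.pack_into("<I", header, 56, 4096)         # mini stream cutoff
    struct.pack_into("<I", header, 60, ENDOFCHAIN)   # no mini FAT
    struct.pack_into("<I", header, 68, ENDOFCHAIN)   # no DIFAT sectors
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = bytearray(512)
    for i, (name, obj_type) in enumerate(entries[:4]):
        raw = name.encode("utf-16-le") + b"\0\0"
        directory[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<HB", directory, i * 128 + 64, len(raw), obj_type)
    return bytes(header) + fat + bytes(directory)


if __name__ == "__main__":
    sample = build_sample_ole2([("Root Entry", 5), ("WordDocument", 2),
                                ("Macros", 1), ("1Table", 2)])
    # A Word document renamed to .XXX, as in the test described in the post.
    print("extension filter blocks report.xxx:", blocked_by_extension("report.xxx"))
    print("content filter blocks it:", blocked_by_content(sample), classify(sample))
```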
A few days ago an article showed up by mistake on my log. I had
written it years ago but found that the content wasn't correct
before I posted it, so I put it aside by the expedient of
changing the filedate to a date unimaginably far in the future.
That happened to be this September 27th. The blogging software
obediently started displaying it.
I didn't notice for a while and when I did I wasn't sure if I
should erase it or publicly disavow it as I am doing now;
eventually I came down on the side of not rewriting history
(for the sake of my two faithful readers – hi, Seymour and
Piotr!).
The article:
www.panix.com
[http://www.panix.com/~dannyw/weblog/Computers/Opsystems/Linux/jobs01.html]
Incidentally, I still haven't really figured out the problem.
I tried sending a msg to panix help, who didn't know either.
However, the workaround is to use the "screen" utility, which
has a built-in command to reattach to broken sessions. Do
"man screen".
Some tasks in Unix are relatively easy: "You want to just read a text file?
Sure! Just do man less!!". (You think "less? Less?? wtf?".)
Other tasks are less easy to find. In particular, certain aspects of the shell
are hard to find because they are documented under the shell rather than
as a separate utility. Also, even if you have a hint about what function or
keyword they are related to, it is very difficult to search the gigantic
man file for your shell because the name of the function tends to be short
or common.
This is I guess my "mea culpa" for not finding the answer to the following
problem: if you lose the connection to a login session and the server
retains a suspended version of the task you were running (ie the editor,
mail client, etc) how do you reattach to it?
Here's the answer, at least for the cshell. First you probably want to
examine the list of suspended jobs in order to be sure which one you
want:
jobs -l
Then you can restart it with fg:
fg %job
Restart a suspended vi with "%vi" or "%?string" to specify a job containing "string"
My girlfriend is doing a MS Access course, and asked me to help her
to set up a form for an employees table. I looked at the printed
version of the form, which showed a mugshot of the current employee,
and looked at the instructions she had noted down from the teacher
on how to set up that (image) object on the form.
"Hmm, don't really understand this." She said "oh, the teacher said
don't worry about that bit."
Well, she wanted me to address her current problems – things like
she didn't understand that the "retirement date" object on the
form needed to be an unbound text object whose control source was
the birth date field of the data table, rather than being a
separate field in the table. And then I got sidetracked because
the version of the date-calculating function that she had noted
down from the class assumed that a year was exactly 365.25 days.
But I came back to that image field. There was definitely something
funny about it. It turns out that this is a well-known issue:
www.jamiessoftware.tk
[http://www.jamiessoftware.tk/articles/handlingimages.html]
The above link is quite good but does not give you the full picture.
In particular it does not apologize for the misinformation in Access's
own help files. It also does not give you a full sense of how many
webpages you can find relating to this which give misinformation
or lack the full story.
Microsoft has several pages relating to this issue. This one is
probably the most helpful:
support.microsoft.com
[http://support.microsoft.com/kb/q210100/#EJADAAA]
Here is my summation of what I discovered:
1. Access allows you to put image files into the database as an
OLE object, but it seems to actually store them as uncompressed
.BMPs. When I started experimenting with this I was using
fullsize 2 MP .jpgs. I have since stopped using the OLE object
technique, but my tiny database file – with only six records
– is still over 20 MB. I suppose I need to compact it somehow,
but I haven't checked that out yet. So as the first link
suggests, it's really impractical. (Incidentally, it occurs
to me that even a few *static* images could really bloat
up a database.)
2. Even when I used the OLE object technique, I *still* wasn't
able to display images on the form (except static images of
course). I don't know why. Some references on the web say that
you need to install Microsoft Picture Editor to make sure Access
can find an OLE server for your graphics file, but my system
already has umpteen apps registered to handle .jpgs. I tried
changing the registered app to various things including IE,
and it still wouldn't work.
3. Anyway, I wanted to specify the image file by storing the
path and filename in a text field. It turns out that you
need to put code in both the form itself and a module in the database.
(As described in the Microsoft link above.)
This was not hard to do by cutting-and-pasting, but the fieldnames
and tablenames are hard-coded for the example, so you would need
to duplicate it for every image field in your database. (I think
– actually, I really don't understand what the code is doing.)
4. Even then, it only worked if your filespec included the *full*
path to the file – eg something like
"L:\data\msaccess\imgtest\pics\danny-small.jpg"
This contradicted the help file, which specifically suggested that
a path relative to the location of the database file would
work. Eg, if the database file was
"L:\data\msaccess\imgtest\test01.mdb"
then your filespec could be "pics\danny-small.jpg".
I thought this really sucked – it would make it very hard to move
the database file around. Eventually, I realized that the
following *does* work: "imgtest\pics\danny-small.jpg"
5. I almost forgot the first way I made it work. The MS
documentation refers to "data access pages" and for a long time
I assumed this was some sort of generic term for "forms".
However, in microsoftspeak it refers to a specific kind of
database object which you can create. It is like a form, but
can be accessed by Internet Explorer. I don't know exactly
how it's supposed to work if you have multiple clients;
presumably the form actually tells IE to use the client's
locally installed copy of Access to access (aargh) the
Access file on a simple fileserver. Anyhow, it works
for displaying images, with no need to add code.
6. I don't remember the details, but Access did not seem to
automatically resize an image to fit the control size
you set on the form. I think maybe the docs are wrong.
I needed to resample all of my images to make sure they
fit in the pixel area allocated on the form.
7. The "Northwind" sample database somehow manages to
make images work without using the sample code. On the
other hand, they are very low-resolution images.
Additionally, they are only used to illustrate product
*categories*, which if you think about it is
pointless – the database does *not* have images of the
products themselves, probably because then it would need to be
about 500 MB.
All in all, I thought this behavior was incredibly buggy and
kludgy. I would have thought that handling images was not
rocket science.
Also, it makes me wonder whether *all* the documentation
produced for software is produced based on its *specs*
and never tested against actual behavior.
Also, I would like to point out that Microsoft appears to
have a policy of taking over a common term whether it has
a generic or specific meaning and redefining it. For
instance, "Word". More interestingly "domain", which has
quite different senses on the Internet and in connection
with Microsoft server setup, even though (obviously) you
are usually discussing situations where either sense might
be intended.
Likewise, here, "data access pages". It makes me feel less
irritated about Unix naming conventions. When you
encounter a name like "snort" you don't know what it means,
but you *do* know it's a name and you need to look it
up.
Finally, I suspect that my girlfriend's teacher never
got images to work on his form at all.
I ran out of space on my hard drive and figured I should reinstall Windows –
maybe that would fix the problem with the scanner.
I ran into several problems though.
One big one appears to be overheating. (I say "appears to be" because
the error pattern in the LEDs on this machine never matches the manual.)
Presumably during the install the setup software doesn't handle the
powersaving stuff, runs the CPU at max, and causes overheating within a
few minutes. Still, I've managed to do it before... but now I come to
think of it, that was probably in an airconditioned room.
Still, the *irritating* thing was being unable to copy the files from the
setup folder on the CD, boot and then just run everything from hd. I was
stymied in several ways:
1. I had put the setup files on the NTFS partition. But my "Ultimate Boot
CD" needs to load a memory manager to load NTFS support... and it crashed on
my laptop hardware.
2. I tried copying the files to a DOS partition. This would have worked,
if Windows 2000 Setup could run under DOS. D'oh!
3. I tried running Bart PE, which could see and write to the NTFS partition
just fine... but Windows 2000 Setup refused to run an install on a machine
running a later version of Windows. D'oh! (If I remember rightly Bart PE
has to be used with XP – you can't make it boot W2K.)
Oh well. Back to the Windows CD and SP4... overheats again... aargh...
I recently bought a scanner. I made the salesman connect it up,
install the software and run it first, but when I got it home
it wouldn't work with my laptop.
I tried downloading a newer version of the driver (amazingly hard to find,
btw) but that didn't help. I thought I might have to install XP, but
when I happened to try another drive – which also had W2K SP4 –
it installed and ran OK. Still, I didn't want to have to swap drives
every time I needed the scanner.
After stewing over this, I realized I had been meaning to try
installing multiple copies of Windows for a long time, and this
was an excuse.
It turns out to be easy, if you have a spare partition. I had a
Linux install that had developed bitrot, so I sacrificed that.
It had installed some sort of boot loader, which interestingly
the second install of Windows did not replace.
All you have to do is run the regular Windows install; I copied the
Windows disk, and SP4, to the hard drive first, and started the
install from there under the original copy of Windows. The only
issue is that the prompt to allow you to create a second copy
is rather hard to see – I don't know what happens if you miss
it; it probably gaily trashes your original install without
asking.
When I had finished the install, rebooting brings up a menu with
two options – both named exactly the same! If I were doing it
again I would rename the original operating system first. You
can do this by manually editing the c:\boot.ini file (you have
to change the permissions first; before doing *that*, note down
what they are so you can put them back the same way later).
I then installed the "recovery console", which puts a second,
limited bootable OS for emergency repair in the original
volume.
I wanted to eliminate the now pointless Linux bootloader. When
I checked the web, many references suggested using
"fdisk /mbr" under DOS, but it turns out this will trash
the "volume bytes", a new field in the MBR. Instead, you
have to boot to the recovery console and run the "fixmbr"
command. (There is also a "fixboot" command, which I did
not run: I do not understand the difference.)
For real emergencies, these things have their limitations.
For instance, the boot code (which loads ntldr) evidently checks the
boot.ini before actually booting. That means that if some
major problem has trashed the original boot volume, the
boot process can never reach the functional second volume.
On the other hand, if you use a Knoppix boot CD for recovery,
it does mean you have a pristine copy of Windows' own
driver code which can be used by Knoppix to read and
write to the NTFS partition using "captive-ntfs".
I am not clear what the security issues are here. MS info
makes some remark about needing to know the *original*
administrator password, ie the one entered at install
time, not the current one if different. This seems to mean
that MS is trying to defend the data in the original partition.
It certainly suggests you should make a double special
note of that password. I can't remember if I actually had to *enter*
that password though.
It recently occurred to me that having multiple copies
of Windows probably makes it a lot easier to set up
your machine for family members, while keeping the
user interface for them pristine. I've found that
when I install software in my own account, it typically
puts a bunch of icons and Start menu items in all the
other accounts, even though I don't want other family
members to even know about these new apps. This can't
happen if their accounts are in a completely separate
copy of Windows. (On the other hand, make sure they
can't read files in the other copy of Windows!)
Here's some more reasons for doing this, from Slashdot:
yro.slashdot.org
[http://yro.slashdot.org/comments.pl?sid=167226&cid=13945728]
Incidentally, I've found that accessing certain files, or even
seeing that they're there, sometimes needs you to use
the "System" account – you can't access them as Administrator,
although you *can* make yourself effectively the System
user.
Anyhow, my scanner now works.
If anyone's thinking of trying this, they should Google
some of the terms I used above. Also, note that there
are many extra considerations if you are also trying to
boot W98, Linux etc.
Many major computer manufacturers do not provide a kosher
copy of Windows, but only a "restore" disk which can only
be used to completely reformat and rewrite the disk to
original factory condition. Apparently this kind of disk
may check first to see if the MBR has been rewritten,
and refuse to continue! Here's how one guy got around the
problem on his Dell:
forum.us.dell.com
[http://forum.us.dell.com/supportforums/board/message?board.id=si_sysperf&message.id=16811]
A few years ago, when malware and trojans for IE had just come out, I was using
the free (as in beer) utilities from Sysinternals quite frequently to
track down and repair infestations.
Then special-purpose malware detectors started to show up, and I got
lazy and stopped using the general-purpose utilities like Sysinternals.
They do lots of fundamental things, like showing you how many pieces of
code get loaded at startup – actually, it shows a lot more than
Spybot does. But also things like which process or user is holding a file
open (damn, Microsoft should do that).
Most of their utilities are available in free and for-money versions.
The for-money versions tend to do things like work across networks.
(To use most of them at all, you need to have administrator privileges.)
One reason I stopped bothering to include them on utility disks was that
you needed to download different versions for different Windows versions.
I was just too lazy to slog through the download for all the versions
just because I *might* need them, but on the other hand I figured the
one time I'd need them on a foreign machine it'd be running the version
I hadn't downloaded for.
I just went to download them again and Sysinternals has set up their
utilities differently. Now they all contain all the code needed for
*all* the versions of Windows (if it can work at all), and the
utility has a loader which uncompresses what's needed to the disk on
the fly.
The downside of this is they refuse to run from CD. (Hm; I wonder if
they leave the uncompressed versions on disk so you could copy those
too; hmm.)
Anyway, if you're a sysadmin you should go get them.
I would tell you the price to buy the full versions, but I couldn't
even find out the price of the heavily-featured "Administrator's Pak".
But to give you some idea, they're currently offering a free iPod
nano.
http://www.sysinternals.com
Be aware that you need to enter a lengthy code every time you need
to boot with the Emergency Recovery Disk. (Also, I have a feeling
you may need to know the original administrator password of the
system you're trying to probe.)
Incidentally, if you're interested in the utilities, you should take
the time to read "Mark's blog" too. He does the utilities. He also
wrote the book "Windows Internals".
www.sysinternals.com
[http://www.sysinternals.com/Blog/]
You should also have Microsoft's Resource Kit utilities. For some
reason the XP resource kit is a free download; however *some* of
the W2k resource kit utils (which *I* need) can be downloaded:
www.microsoft.com
[http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en]
This is a 12 MB download that runs on XP and Server 2003. This page
also leads to the Administration Tools Pack, which seems to be something
different but is about the same size. (As you can tell I haven't
downloaded either as I don't run XP... but I probably should... download
them I mean.) The following site says the "Adminpak" is
"on the installation CD-ROM and on any Windows 2000 Server that was
already installed, in the %systemroot%\system32 folder":
www.petri.co.il
[http://www.petri.co.il/download_w2k_adminpak.htm]
Good intro to the Resource Kit utils, and some others:
www.petri.co.il
[http://www.petri.co.il/download_free_reskit_tools.htm]
From there I found this link to a Microsoft ftp site which has all
the W2000 utils (presumably) that are available for free download,
probably easier than trying to point-and-click on the webpage version:
ftp://ftp.microsoft.com/reskit/win2000/
Incidentally, one of them is the "now" utility which just prints the
current date and time. This would almost be useful except this is an
example of the format:
Tue Oct 25 21:17:15 2005
How could you make it more difficult to use??
The following site appears to allow you to download *any* of the W2k
resource kit tools, but I'm a little wary – why hasn't MS gone after them?
www.dynawell.com
[http://www.dynawell.com/support/ResKit/win2k.asp]
Cygwin is an ingenious free software package which provides
you with a Unix-style prompt running under Windows. I
have commented on it before:
www.panix.com
[http://www.panix.com/~dannyw/weblog/Computers/Opsystems/Windows/cygwin01.html]
I downloaded and installed it a couple of years ago, but I never
got rsync for it, which is what I mainly want Cygwin for now,
as in the following Slashdot posting:
ask.slashdot.org
[http://ask.slashdot.org/comments.pl?sid=142044&cid=11911068]
and I'm concerned that if I try to get rsync for it now it
won't be compatible with my ancient Cygwin.
Irritatingly, the default install procedure is to download
a small setup.exe file, then run it: this installs the
packages which you select (out of umpteen) on *your* system,
but there is no obvious way to transfer that installation to another
system.
It turns out that what you are supposed to do is set up a
"mirror". This procedure is well explained here:
www.iocc.com
[http://www.iocc.com/~joshua/cygwin/]
except that it is unclear to me whether some of the code really
works under Cygwin or whether you are expected to have a Linux
client handy. This issue is probably irrelevant to most of the
propellerheads who install Cygwin, but I want to get an internet cafe
proprietor to download it *for* me. Incidentally, I recently bought
a CD of open-source Windows software which promised "Cygwin" on
the list of contents, and discovered that what it had was only the
small setup.exe file – you still needed to download everything else
yourself! Aargh.
Actually, what I will probably wind up doing is lugging my laptop
in to the internet cafe. Groan.
Cygwin's own overview of the install process:
www.cygwin.com
[http://www.cygwin.com/cygwin-ug-net/setup-net.html]
I suppose I need the "download from internet" option. I was trying
to find whether they have different versions for XP and 2000, but
failed.
it.slashdot.org
[http://it.slashdot.org/article.pl?sid=05/02/18/1920244]
Microsoft has announced the possibility of impossible-to-fix rootkits
which actively defend themselves against security software.
Someone mentioned BartPE:
www.nu2.nu
[http://www.nu2.nu/pebuilder/]
which I really should check out (downloads are tough in PP).
Another couple of posters like VMWare, although I do not see why the
base OS is really invulnerable to infection (although maybe VMWare allows
you to use Linux as the base OS.)
One problem about recovering from rootkits which I did not see referred
to in the discussion above is that any reinstallation is going to
presumably be just as vulnerable *again*. Really (unless you are getting
paid to do this as a service!) you need to diagnose *why* the original
system was vulnerable, and fix that immediately after you restore it
(and make a new secure image).
I have never run the automatic update feature on any machine I have
administered. As well as the danger that an official patch will just
break the machine, it bothers me that you are thereby giving
MS total rights to dial into your machine at any time and do anything
they like. I have every reason to believe that any assurances they
make are worthless.
The following page is an interesting read and gives a lot of
background info on the update process in general, plus info
on slipstreaming updates onto your own hacked-up Windows install
CD (so that if you're responsible for multiple workstations
you can reload one in a single pass instead of multiple reboots
and tedious downloads).
www.vorck.com
[http://www.vorck.com/wu.html]
In part of a discussion on Slashdot about MS plans to stop providing
security updates to people with pirated software, someone described
the Microsoft Partner program:
Re:For those who have RTFA issues... (Score:5, Informative)
by jht (5006) on Wednesday January 26, @10:56AM (#11480619)
(jturiel.blogspot.com
[http://jturiel.blogspot.com/] | Last Journal: Thursday September 18, @11:01PM)
it.slashdot.org
[http://it.slashdot.org/comments.pl?sid=137347&cid=11480619]
Let me give full props to the "get the Action Pack" idea. I'm a legit user of it (I run a small consulting/training company), but even if you freelance there's no real reason you can't use it.
Here's the requirements for subscribing to the Action Pack, and what you get for your money:
Requirement - register as Microsoft Partner. Basic membership is free, and qualifies you for both the Action Pack and for discounts on add-on services (like MSDN).
In the box you get:
XP (all versions including Media Edition) - 10 licenses
2003 Server, 2003 Server Web Edition, 2003 Server SBE - 1 each
Office Pro - 10 licenses
Virtual PC (Windows) - 10 licenses
Exchange Server - 1 license
Plus you get Visio, Project, System Builder Edition discs and licenses, service packs on CD plus slipstreamed install discs, selling materials, and all sorts of other server/client software.
The cost of the Action Pack is $299 per year - but I just got offered a renewal for $199 (which I immediately took). It was a no-brainer. They send you quarterly updates and occasional goodies as well.
The link to the Partner Program is https://partner.microsoft.com/partner [microsoft.com] - from there you can register and order it if you wanted to. For all the (usually justified) bashing Microsoft gets here, they do make it very easy and inexpensive for IT people to get into their product line. And that's part of the reason they still dominate the universe
I've been wondering whether *any* of the schools in Phnom Penh teaching
Windows software have legitimate licences. This program sounds like it
would be quite useful for a small school – I'm guessing that there are
licence restrictions that make it (theoretically) not usable for a
company which does not resell MS products and services (but too lazy
to follow the link right now).
I guess MS may have special deals for schools too.
Of course, it would be even better if MS did not deliberately decide
to provide insecure services in Windows.
Although I like the confident way the antivirus/trojan programs assure you they
have removed an infestation which they recognize, it's nice to have
a procedure for using standard Windows tools. I wonder if the
following is sufficient?
Re:Makes no sense (Score:4, Informative)
by einhverfr (238914) on Friday January 21, @11:21PM
(#11438898)
it.slashdot.org
[http://it.slashdot.org/comments.pl?sid=136894&cid=11438898]
(www.metatrontech.com
[http://www.metatrontech.com/] | Last Journal: Wednesday July 28, @04:41PM)
First, I have never found any spyware problem that I could not resolve in
approx 2 hrs or so. It is relatively simple. If Adaware and/or Spybot
fail to detect and remove the infection, you have a few options. I
do as follows:
2) Delete all browser helper objects. I usually leave Java installed unless
it too seems infected (can happen).
3) Run msconfig. Select diagnostic boot. Then reboot into normal mode.
4) Now comes the fun. Open MSConfig and look at the registry entries and
startup items. I use Google to identify what they do and note any
suspicious items.
5) Just for protection, I create a restore point so I don't remove
something I shouldn't and get into trouble. Then I use msconfig to
select normal startup. When it asks if I want to reboot, I say
"reboot later"
6) I go through the run keys (under HKCU and HKLM). I delete
suspicious values. Same with the startup folder. I also review the
drivers for anything strange and backup/delete as needed (I have seen
drivers which I believed were involved in spyware).
7) Suggest to my customer (if it seems like a good idea) that we
discuss migrating to Linux if they have continuing issues.
Reboot to test. Make note of anything that comes back. Reboot in
safe mode if necessary to remove those values.
Granted this doesn't remove all the spyware programs, but it does
disable their startup. By troubleshooting a problem for days and
not being able to solve it, the author of the article has
demonstrated that he doesn't really understand the Windows boot
process or how to really troubleshoot it. Yes, I only run Linux,
but I can troubleshoot Windows with the best.
On the other hand, I wonder whether the poster has had to deal with the
really *nasty* ones like coolsearch. It's occurred to me, for instance,
that a nasty trojan could look for a legitimate entry in the startup
list, and install a stub with the same path that runs its nasty code
and then the original code. Looking at the filenames in the list you
have no way to recognize that the same pathname you've been used
to seeing since you installed the system is now evil.
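One way to catch the same-pathname stub described above is to record a hash of every startup program while the machine is known to be clean and compare against it later. The following is an added example, not code from the quoted poster or from any tool mentioned here; the script name, entry names and the demo files are assumptions constructed for illustration.

```python
import hashlib
import json
import os
import re
import sys
import tempfile

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# A quoted path, or an unquoted path ending in a common executable extension.
_EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.(?:exe|com|bat|cmd|scr)))(?:\s|$)', re.I)


def exe_from_command(command):
    """Heuristic: pull the program path out of a startup command line."""
    m = _EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else command.strip()


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(entries):
    """Map {entry name: command line} to {entry name: [path, sha256 or None]}."""
    snap = {}
    for name, command in entries.items():
        path = exe_from_command(command)
        snap[name] = [path, sha256_of(path) if os.path.isfile(path) else None]
    return snap


def compare(baseline, current):
    """Return (kind, entry name, path) tuples for every difference."""
    findings = []
    for name, (path, digest) in sorted(current.items()):
        if name not in baseline:
            findings.append(("new-entry", name, path))
        elif path != baseline[name][0]:
            findings.append(("path-changed", name, path))
        elif digest != baseline[name][1]:
            # Same entry, same pathname, different bytes: invisible in msconfig.
            findings.append(("content-changed", name, path))
    for name in sorted(set(baseline) - set(current)):
        findings.append(("removed-entry", name, baseline[name][0]))
    return findings


def read_run_keys():
    """Windows only: collect the Run values under HKLM and HKCU."""
    import winreg
    entries = {}
    for hive, label in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"),
                        (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _ = winreg.EnumValue(key, i)
                    entries[label + "\\" + name] = os.path.expandvars(str(data))
        except OSError:
            pass  # key absent or unreadable for this user
    return entries


def demo():
    """Constructed scenario: a startup program is replaced in place by a stub."""
    with tempfile.TemporaryDirectory() as d:
        tray = os.path.join(d, "tray.exe")
        with open(tray, "wb") as fh:
            fh.write(b"MZ original tray program (constructed sample)")
        entries = {"HKLM\\TrayApp": '"%s" /min' % tray}
        baseline = snapshot(entries)
        with open(tray, "wb") as fh:
            fh.write(b"MZ stub that chains to the original (constructed sample)")
        entries["HKCU\\Updater"] = os.path.join(d, "upd.exe")
        return compare(baseline, snapshot(entries))


if __name__ == "__main__":
    # Windows usage (script name is arbitrary): python startup_baseline.py baseline.json
    # The first run records the baseline; later runs compare against it.
    if sys.platform == "win32" and len(sys.argv) == 2:
        current = snapshot(read_run_keys())
        if os.path.exists(sys.argv[1]):
            with open(sys.argv[1]) as fh:
                results = compare(json.load(fh), current)
        else:
            with open(sys.argv[1], "w") as fh:
                json.dump(current, fh, indent=2)
            results = []
    else:
        results = demo()
    for finding in results:
        print(finding)
```

A legitimate software update also changes the hash, so a "content-changed" finding is a prompt to check the file, not proof of infection. Keep the baseline file somewhere the machine cannot overwrite it, such as a write-protected disk.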
Maybe I'm just feeling doomy because my machine was hit by a virus
yesterday. Fortunately Spybot detected its attempt to set a startup
registry key, and all it appeared to do was load a copy of itself
into c:\winnt. I ran Grisoft AV which detected it and said it removed
it, so presumably it's OK. (Worryingly, although I naturally told
Spybot not to allow the registry change, there *was* a registry
entry, which I had to remove manually. Hmmm. I wish there were some
sample "benign" viruses/trojans available that you could use to
verify the operation of your security sw.)
The virus came in via my usb key, which I used to transfer files
from a couple of service shops yesterday. (I need to let them know that
at least one of them is infected.) Embarrassingly, it seems to have
been able to execute by the simple ruse of having the icon of a
folder. When I saw a folder whose name I didn't recognize on the
usb key, my natural reaction was "wtf? what's in there?" and then
I *double-clicked on it*. Even though it had a .exe extension –
I was vaguely thinking "well it's gotta be a folder anyway..."
Groan.
Microsoft Windows has many features for locking down user rights,
and supposedly some of these features can be helpful for preventing
browser hijackers from installing software in your computer.
The following Slashdot posting looks useful:
Re:Ironic methinks. (Score:4, Insightful)
by dioscaido (541037) on Monday January 03, @09:38PM (#11250769)
it.slashdot.org
[http://it.slashdot.org/comments.pl?sid=134808&cid=11250769]
Have you been missing the stream of patches coming from MS? How are they not dealing with the primary issues?
Even so, please tell me which pieces of spyware exploit legitimate security holes? The "security hole" they exploit is that users run as admin. Hardly a bug in the OS, just a horrifically misguided ease of use 'feature' in the installer. Easily fixed. I've never gotten infected with spyware while running as a Limited user, and neither has my Mom, who has a penchant for running little apps she finds on the web. In the cases where they are malicious, she just gets a protection fault and knows to happily move along to the next little animation.
www.techproblemsolver.com
[http://www.techproblemsolver.com/limited.html]
www.dotnetdevs.com
[http://www.dotnetdevs.com/articles/RunningAsNonAdmin.aspx]
blogs.msdn.com
[http://blogs.msdn.com/aaron_margosis/]
www.pluralsight.com
[http://www.pluralsight.com/keith/book/html/howto_runasnonadmin.html]
support.microsoft.com
[http://support.microsoft.com/default.aspx?scid=kb;en-us;305780]
For the handful that did take advantage of some buffer overflow, please point out those vulnerabilities that remain unpatched through Windows Update.
The tone of it sounds like a Microsoft employee astroturfing, but
I suppose I should still be aware of all this stuff. I imagine
a lot of companies would rather pay people to do this than install
thin clients running X Windows connected to Linux desktops...
The "primary issue" which the poster scornfully refers to is actually
– as the other posts in the thread to which his posting belongs
made clear – Microsoft's design decisions to make it easy to install
software with full privileges to do anything on the machine – ie,
Active X – as opposed to Sun/Java's "sandbox" approach in which many
potentially hazardous operations are forbidden. Although Java has had
plenty of weaknesses, they were not *designed in*!
It's difficult to make IE more secure without disabling WINDOWS Update
(hmm... maybe they hired a trojan developer):
SP2 still enables AX by default (Score:5, Interesting)
by steve_l (109732) on Tuesday January 04, @05:51AM (#11252345)
(iseran.com
[http://iseran.com/Steve/])
it.slashdot.org
[http://it.slashdot.org/comments.pl?sid=134808&cid=11252345]
on a clean SP2 build (that is the MSDN WinXP+SP2 all in one install), Prompted ActiveX download is still enabled for the internet zone.
If you turn that off, windows update stops working, as http[s]:*.microsoft.com is in that zone.
I don't call that locking down the browser. To secure IE (even if you only use it for windows update)
1. disable AX download in internet zone
2. edit trusted zone site security to medium. Like you ever need a 'run anything, unprompted' zone.
3. add https:*.microsoft.com and http:*.microsoft.com to the trust zone
4. uncheck the 'require https in trusted zone' switch
the aim is to redefine "trusted" from "total access" to "prompted download active X controls", which is a serious enough undertaking that I don't want to enable it broadly. Only MS sites and spyware vendors seem to use it, after all.
It seems from the following Slashdot suggestion that some companies
frown on using Knoppix: the poster details a trick for making the
CD appear to contain only innocuous media files when read under DOS:
My favourite hack... (Score:2)
by m50d (797211) on Wednesday November 17, @02:38PM (#10845061)
books.slashdot.org
[http://books.slashdot.org/comments.pl?sid=129900&cid=10845061]
Knoppix-STD is only ~460 mb, which leaves 240 mb you can use to your advantage. Put some "normal" files in there - I use a set of mp3s and play them on my mp3 cd player, alternatively some "work"-type files or a set of ebooks. Then create the iso with mkisofs -r -J -hide-joliet KNOPPIX (and -hide-joliet index.html etc. if you leave those files in there) Now you have a bootable cd full of security tools which, when viewed on a windows pc, looks completely innocuous.
The "hide-joliet" thing means "leave the directory information for
Linux/Knoppix, but write no directory info that Windows can
understand". Regrettably the "mkisofs" program runs only under Linux,
as far as I know. On the other hand, if you have a Knoppix disk...
The above posting was from a discussion of a new book about Knoppix:
books.slashdot.org
[http://books.slashdot.org/books/04/11/16/1835224.shtml]
You often hear that Linux can run well on older machines, but the
big-name Linux distributions actually need fairly close to current
specs. What do you do if you have an older computer?
Well, someone has apparently done the work for you: try Vector
Linux:
linux.slashdot.org
[http://linux.slashdot.org/article.pl?sid=04/10/30/1726254]
The above discussion mentions many other interesting ideas re Linux
installs. For instance "debootstrap":
Sure - there is a script, called debootstrap, that will take a debian mirror and the set you want (stable, testing, etc), and install a minimal debian system in a directory of your choice.
An .msi file includes an application and a great deal of info about how
to install it. The (MS) software which then carries out the install
thus knows how to do all kinds of clever stuff related to the install.
The system can also be used for non-executable installs so that for
instance a new copy of the employee handbook can be rolled out to umpteen
users more efficiently.
Here's a link to a freely-downloadable .msi utility package:
www.labyrinth.net.au
[http://www.labyrinth.net.au/~dbareis/makemsi.htm]
He also has the "msidiff" tool which apparently can be used to view
the contents of an .msi file. Hmmm. I think I'll try that: sometimes
I've been stymied by an .msi file that produces some kind of stupid
error message like "drive PRN: does not exist".
The online columnist I. Cringely has a nice story on a current legal
case between Microsoft and a tiny company called Burst.com. Burst.com,
as part of the "discovery" stage of the lawsuit, requested all relevant
emails. They are now alleging not only that Microsoft failed to
provide all relevant emails, but that Microsoft has a consistent
policy of lying in their responses to discovery, by simply stating
that the principals in the case at Microsoft were not the actual
principals, but rather some nebulous lawyer.
Cringely includes links to the documents involved, which I did not
follow because I am old and tired. Anyway, it had occurred to me
before that there had to be *something* strange about the email
discovery process, because it doesn't usually uncover documents
that are more than embarrassing. The fact that Microsoft's trick is
as simple and blatant as to lie about which employees were involved
makes me wonder whether lawyers are really all that smart.
www.pbs.org
[http://www.pbs.org/cringely/pulpit/pulpit20041007.html]
From Slashdot:
slashdot.org
[http://slashdot.org/article.pl?sid=04/07/03/1923255]
The idea here is to save money etc relative to a diskless workstation
approach. You're limited by the number of video cards you can
stuff in the motherboard, obviously.
Slashdot gave me a link to this site:
www.c3sl.ufpr.br
[http://www.c3sl.ufpr.br/fourhead/index-en.php]
which would appear to know what they're talking about, although it's
not clear to me why it would be so complex: I would have thought that
this is the sort of thing that standard X installations could handle
with just a little reconfiguration.
I'm attracted by the idea of saving space and power relative to diskless
workstations. I'm currently thinking of setting up say four to six student
workstations this way.
A dissenting voice:
slashdot.org
[http://slashdot.org/comments.pl?sid=113365&cid=9602517]
OTOH, he can find NCD network terminals (used) for 10 USD each. I wish I could.
I've posted about these before:
www.panix.com
[http://www.panix.com/~dannyw/weblog/Computers/Opsystems/Windows/nfsaltdata01.html]
www.panix.com
[http://www.panix.com/~dannyw/weblog/Computers/Opsystems/Windows/nfsaltdata02.html]
Today I saw a posting in a Slashdot discussion about the old Cairo
project at Microsoft, which suggested that the ADS feature was
intended to be part of a set of new file-system features:
Document-centered work was the proposed user paradigm, where structured documents contained nested opaque data from many different applications, and so applications wouldn't need or want to know the difference between a top-level document or a sub-part of a document.
slashdot.org
[http://slashdot.org/comments.pl?sid=121101&cid=10197767]
Of course, I'm much too paranoid to believe that's the *only* reason.
I've mentioned these before:
www.panix.com
[http://www.panix.com/~dannyw/weblog/Computers/Opsystems/Windows/nfsaltdata01.html]
Basically, the NTFS allows you to associate, in effect, invisible
files with a normal visible file. I just ran across this page with
an interesting explanation:
www.alcpress.com
[http://www.alcpress.com/articles/ads.html]
(Note that the filename has "ads" in it; I wonder how many ad filters
silently discard it?)
It suggests that MS IIS is vulnerable to a hack; you can view the
contents of any ASP file (not its output) by using a URL like
this:
www.microsoft.com
[http://www.microsoft.com/default.asp::$DATA]
...Hmmm; it produces "The system cannot find the file specified."
I tried – somewhat at random – another .asp site, which just
resulted in the normal page. I figure this bug has now been fixed. Or
else these webservers are keeping their files on a non-NTFS
filesystem (quite likely).
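If you run a web server that serves files from NTFS, you can check your own access logs for requests that use this stream syntax, including percent-encoded forms. The following is an added example, not taken from the article linked above; the log lines are constructed samples in common log format using documentation addresses, and the rule "any colon in a decoded path segment" is an assumption that suits servers mapping URLs straight onto NTFS paths.

```python
import re
from urllib.parse import unquote

# Request field of a common/combined-format access log line.
_REQ_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Leading scheme://host[:port] of an absolute-form request target.
_ORIGIN_RE = re.compile(r'^[a-z][a-z0-9+.-]*://[^/]*', re.I)


def fully_decode(text, max_rounds=3):
    """Undo repeated percent-encoding (%253A -> %3A -> :)."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def stream_segment(target):
    """Return the path segment that names an NTFS stream, or None."""
    path = _ORIGIN_RE.sub("", target)
    path = path.split("?", 1)[0].split("#", 1)[0]   # colons in a query are fine
    path = fully_decode(path).replace("\\", "/")
    for segment in path.split("/"):
        # "name::$DATA" and "name:stream" both contain a colon in the segment.
        if ":" in segment:
            return segment
    return None


def scan_log(lines):
    """Return (line number, offending segment, outcome) for each suspect request."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = _REQ_RE.search(line)
        if not m:
            continue
        segment = stream_segment(m.group("target"))
        if segment is not None:
            # A 2xx answer means the server returned something for the stream name.
            outcome = "served" if m.group("status").startswith("2") else "refused"
            hits.append((lineno, segment, outcome))
    return hits


# Constructed sample log lines.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Oct/2005:21:17:15 +0000] "GET /default.asp HTTP/1.1" 200 5120',
    '198.51.100.7 - - [25/Oct/2005:21:17:40 +0000] "GET /default.asp::$DATA HTTP/1.1" 404 310',
    '198.51.100.7 - - [25/Oct/2005:21:17:44 +0000] "GET /login.asp%3A%3A%24data HTTP/1.1" 200 2048',
    '198.51.100.7 - - [25/Oct/2005:21:17:49 +0000] "GET /inc/db.asp%253a%253a%2524DATA HTTP/1.1" 404 310',
    '192.0.2.10 - - [25/Oct/2005:21:18:02 +0000] "GET /search.asp?time=12:30 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Any "served" hit is the one to look at first, since that response may have contained script source instead of script output.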
I ran into this inside the Windows 2000 Help file. Basically, you start
it with Start – Run – "eudcedit"
It's a utility provided with all installs of 2000/XP which allows you
to create your own characters. Unfortunately it does not seem to
allow you to copy that character into an arbitrary font: only into a
special font called "Arial Private Characters". But that might still be
quite handy. And at least you can copy in any character from any font to use
as a reference.
I don't really understand how to *type* using the special font, because
all the new characters seem to start at "U+E000". I would have to look
at the Unicode docs again (aaargh). Instead, you have to use the "Character
Map" utility to select each character.
More info:
www.klippert.com
[http://www.klippert.com/TCC/Blog/RULand/2004/02/19.html]
Tiny mention of PCE along with several other interesting utils:
www.netdesk.com
[http://www.netdesk.com/CourseInfo/Articles/ITProfessionals/XPTips2.htm]
I've written about this before:
www.panix.com
[http://www.panix.com/~dannyw/weblog/Computers/Opsystems/Windows/slipstream01.html]
Here's a Slashdot discussion where someone suggests that slipstreaming
still works for XP SP2:
ask.slashdot.org
[http://ask.slashdot.org/article.pl?sid=04/08/12/1932246]
Sometimes people need to use a Windows machine – for instance, to
develop Windows software – but they miss the Unix utilities they're
used to like rsync.
I think I've mentioned Cygwin before, but I didn't provide a link:
www.cygwin.com
[http://www.cygwin.com/]
I'm referring to Cygwin now because I just read a thread on Slashdot:
ask.slashdot.org
[http://ask.slashdot.org/article.pl?sid=04/08/12/1932246]
which is OK as an overview of uses and drawbacks. As you might expect,
scripts which spawn processes – which is quite efficient in Linux –
work very slowly in Windows.
A great advantage is that Cygwin comes with XWindows. For Windows people
who don't know, XWindows is the Unix graphical interface standard. You
can easily use it to display programs that need a graphical interface
on your *local* box, even though the programs themselves are running
on a box *without XWindows* – eg, a production server which has been
stripped down to run only essential processes. And XWindows is quite efficient
– years ago I remember using it to run Netscape on a remote server and
display on my local box, via a 33.6 modem link, and it was about as fast reading
websites as doing it locally!
I installed Cygwin a while back and I can't remember what the issues were
but I can concur with the Slashdot poster who found it squirrelly. Also,
when I finally got to a command prompt I couldn't figure out what my
current directory was under Windows – Cygwin presents its own version
of the file structure. Eventually I realized I could just save a file
with a certain name and then search for that file from Windows. I might have
figured that out earlier if I hadn't assumed the location would be somewhere
obvious.
Incidentally, I wouldn't necessarily recommend Cygwin if you're starting
from scratch and you just want to write some utilities. It's simpler to install
ActiveState Perl for Windows. Cygwin is when you really want Unix utilities
like rsync and expect. Btw, you can compile new code under Cygwin, too.
In a recent Slashdot discussion on VoIP, someone said it was
easy to set up an encrypted VoIP link in Linux:
nc -l -p 7001 >/dev/dsp &
ssh -R 7000:`hostname`:7001 $1@$2 "cat /dev/dsp|nc localhost 7000"
Yes, that's just two lines of code. The "nc" program is a general-purpose
utility for setting up IP ports; "/dev/dsp" means the Linux machine's
sound system. "ssh" handles the encryption.
(Those appear to be *backticks* around "hostname": I think he means
"the backticks run the hostname program to return your own IP
address", not "fill in the name of your host between these here
single quotes".)
His original posting:
yro.slashdot.org
[http://yro.slashdot.org/comments.pl?sid=118072&cid=9977051]
Another poster made the point that when IP6 is implemented we
can all have our own IP numbers and we won't need centralized
directory services (which can be filtered and blocked).
I've always felt, as a Unix supporter, that the Unix permissions
system – mostly read write and execute for user group and world
– was pretty wimpy compared with the ACL system in Windows. In
Windows, you have far more options. You can define many different
access rights for *multiple* users and groups. In particular, it's
quite easy to set up a directory so that people can *cooperate*
on files, which is clumsy in Unix (although a user, if he belongs to
certain groups, can switch groups, at any one time he only is
handled as belonging to a certain group; likewise a file or directory only
has one group).
It has recently occurred to me however that even in Windows, when people
*really* need to cooperate on files they use either a sort of manual "librarian"
system – where anyone who wants to make changes sends them to a "keeper
of the flame" for that file – or a full version control system
(usually only done in military, engineering or programming environments).
The reasons are:
1. Windows system administrators are too lazy to set ACL systems up properly
in the beginning, and once the office has set up its own procedures (usually
involving umpteen copies of huge files floating around in email) they
don't want to learn a new procedure (it's tough enough just getting them
to save documents on the network at all)
2. If files are important enough to cooperate on they need to be
administered with some sort of security, rollback and logging
features which are not provided by the basic ACL system
3. Microsoft Word contains a rather wimpy but usable change tracking
system which makes it easy for "librarians" to identify proposed
changes
I have actually never seen a workplace in which ACLs were really set
up (of course I played with the feature myself, but you need to get
the users to play along, which never happened). I never played with VMS
on a real multiuser system, but I'll bet something like ACLs was
routinely implemented on VMS systems, though.
As usual, the Bangkok Post's Database section today had some
interesting links. One of them was for a small, free download
of an audio editing program with interesting features, eg
play at same speed with different pitch, or play at different
pitch with same speed:
www.nch.com.au
[http://www.nch.com.au/wavepad/index.html]
As well as Wavepad, the same site has many other interesting
audio utilities, including one for conference applications
which continuously records the output from multiple mic
channels and sends it across the network. Another app
handles producing music-on-hold, mixing in various short
messages, just like big companies do. Full list:
www.nch.com.au
[http://www.nch.com.au/action/index.html]
I haven't tried Wavepad yet. I'm mainly interested in using it in
internet cafes which have no sound editor at all.
Incidentally, I really like this guy's site layout. As far
as I can judge from the html, it's all manual, but he has a
.css file that really works well. The only fiddly thing it
does is automagically feed in a background graphic to his
lists, and the graphic is tastefully minimal. I have to say
it looks a lot cleaner than mine, both in terms of the output
webpage and in the source; but Blosxom installs without using any
.css and as a result my output pages are full of repeated,
messy parameters in the html, which I have not bothered to
eliminate now that I am (basically) using css.
yro.slashdot.org
[http://yro.slashdot.org/yro/04/08/07/132248.shtml]
The discussion was prompted by a very good article in which someone
set up a PC without protection against spyware and logged, and analyzed,
the intrusion techniques used by various websites:
isc.sans.org
[http://isc.sans.org/diary.php?date=2004-07-23&isc=00ee9070d060393ec1a20ebfef2b48b7]
It's chilling.
It's just amazing that the government allows malware websites to get away
with this sort of thing, or it would be amazing if you thought the
government is on your side.
It's like the situation with spam:
I-CAN-SPAM Act Flawed By Design (Score:5, Insightful)
by Ken McE (599217) on Saturday August 07, @02:41PM (#9909459)
yro.slashdot.org
[http://yro.slashdot.org/comments.pl?sid=117150&cid=9909459]
If you take a look at the actual bill ~
thomas.loc.gov
[http://thomas.loc.gov/cgi-bin/query/z?c108:S.877:]
and spend some time to boil off all the legalese, you will see that the bill is not intended to prevent spamming. That was used as a sales point, but is not supported anywhere in the text. The bill is written obscurely enough that ordinary people cannot read or understand it. I assume that is by design.
Some of the main things it does do:
It destroys all existing state and local level anti-spam laws. Some of them were actually becoming effective, so they had to go.
It removes any legal right of action from 99.99% of the population. The only entities who can bring action under it are ISPs and a few governmental agencies.
If these ISPs/Agencies want to bring suit they must do so in a federal court, not state, local, or small claims. If you don't have $10,000 (US) that you can throw away to make a point, there is no reason to go there. You cannot represent yourself and even normal attorneys are not all qualified to go there.
The few federal agencies that can apply the law, such as state attorney generals, tend to already be fully occupied with things like rape, murder, grand theft, and chasing down workers in the drug and terrorism industries.
If you come up to them looking for help, they have to decide whether to look into a few annoying emails, or go out and catch passing speeders and arsonists and burglars. Because they only see 1/10,000,000 of any given spam run, it will look like nothing more than a misdemeanor. It will usually look like it is not even in their jurisdiction. Guess who wins?
Small ISPs are unlikely to have the money to pursue cases under this law. Some of the major ISPs have gone after a dozen or so spammers. Even if they win every case, twelve or so prosecutions a year is not a noticeable deterrent for the remaining hundred thousand or so spammers.
The net effect is that this bill ought to be called the I-CAN-SPAM act, as this would represent it accurately.
Once you figure out that the aim of the government is to take your money
and kill you, everything starts making sense.
I saw this comment as part of a discussion on doing backups of an NT
system. As well as being useful as a reference for ntbackup syntax,
it includes a lot of good ideas for creating filenames based on date
and time – something that makes my tongue protrude from the corner of
my mouth, even in Unix.
Automating NTBackup is half the battle. Example... (Score:2)
by jakedata (585566) on Friday August 06, @09:53AM (#9898563)
ask.slashdot.org
[http://ask.slashdot.org/comments.pl?sid=116794&cid=9898563]
Making NTBackup operate at the command line can be tricky. You can use the backup wizard to create the bkf file for Exchange, and then specify it from the command line.
Here is an example .bat file I use for naming and managing backups without the use of any external utilities. It is pure batch language on Windows 2000.
Move the files to Linux any way you want.
-begin backup.bat-
rem Make room by deleting oldest files, leaving four newest
for /F "skip=4" %%A in ('dir s:\backup\*email.bkf /o-d /b') do del s:\backup\%%A
for /F "skip=4" %%A in ('dir s:\backup\*system.bkf /o-d /b') do del s:\backup\%%A
rem Back up the C drive
C:\WINNT\system32\ntbackup.exe backup systemstate c: /M normal /F s:\backup\system.bkf
rem Grab the date and time, strip out extra spaces and illegal characters, insert dashes and rename latest backup file
FOR /F "tokens=2,3* delims=/ " %%i in ('date /t') do FOR /F "tokens=1,2 delims=: " %%l in ('time /t') do FOR /F "tokens=1-5 " %%n in ('@echo %%i %%j %%k%%l %%m') do rename s:\backup\system.bkf %%n-%%o-%%p-%%q-%%r-system.bkf
rem Back up the Exchange database
C:\WINNT\system32\ntbackup.exe backup "@C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\exchange.bks" /a /v:no /r:no /rs:no /hc:off /m normal /j "exchange" /l:s /f "s:\backup\email.bkf"
rem Grab the date and time, strip out extra spaces and illegal characters, insert dashes and rename latest backup file
FOR /F "tokens=2,3* delims=/ " %%i in ('date /t') do FOR /F "tokens=1,2 delims=: " %%l in ('time /t') do FOR /F "tokens=1-5 " %%n in ('@echo %%i %%j %%k%%l %%m') do rename s:\backup\email.bkf %%n-%%o-%%p-%%q-%%r-email.bkf
A Slashdot posting linked to the following story in PC Magazine:
www.pcmag.com
[http://www.pcmag.com/article2/0,1759,1631256,00.asp]
Microsoft has included a programmatic interface for Windows Firewall that allows an application to do things like set FirewallEnabled to FALSE, add itself to the list of AuthorizedApplications, or change the configuration of GloballyOpenPorts. Our concern here is that a malicious application could turn off Windows Firewall or, more likely, mark itself as an authorized application. Corporate administrators can disable some or all local configurations, which will prevent programs from making changes; but ultimately, Microsoft maintains, individuals still have to be smart about what apps they run. Even the best deadbolt won't protect your house once you've let the bad guys in.
I can only imagine the programmer intended the feature for use only by Microsoft
apps (the secret phone-home stuff) and accidentally let it leak into the
published feature set.
PC Magazine tries to invent a rationale: "be smart about what apps they run".
But the reason why we have an outgoing firewall at all is because
*smart* people *don't* trust the apps they run. For instance, Creative
is notorious for installing intrusive phone-home modules, and the only way
to detect that is by tracking down firewall messages. And of course
there have been innumerable security flaws which allow modules to
be installed without the user's knowledge and informed consent.
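A read-only audit of the three settings the PC Magazine piece names (FirewallEnabled, AuthorizedApplications, GloballyOpenPorts), added here as an example and not code from the article or from Microsoft. It reads them through the legacy HNetCfg.FwMgr COM interface; the function name Get-FirewallExceptionAudit and the trusted-directory list are assumptions to adapt to your own machines.

```powershell
# Added example: list what the Windows Firewall COM interface currently
# reports, and mark entries an administrator should look at.
# Assumption: $TrustedRoots is a site-specific list of install locations.
function Get-FirewallExceptionAudit {
    param(
        [string[]]$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\")
    )

    $mgr       = New-Object -ComObject HNetCfg.FwMgr
    $fwProfile = $mgr.LocalPolicy.CurrentProfile

    # A firewall that has been switched off is the first thing to report.
    [pscustomobject]@{
        Kind   = 'Setting'; Name = 'FirewallEnabled'
        Detail = [string]$fwProfile.FirewallEnabled
        Review = -not $fwProfile.FirewallEnabled
    }

    # Programs on the authorized list: flag enabled entries whose image
    # lives outside the trusted directories or no longer exists on disk.
    foreach ($app in $fwProfile.AuthorizedApplications) {
        $path    = [Environment]::ExpandEnvironmentVariables($app.ProcessImageFileName)
        $trusted = $false
        foreach ($root in $TrustedRoots) {
            if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
        }
        [pscustomobject]@{
            Kind   = 'AuthorizedApplication'; Name = $app.Name
            Detail = $path
            Review = $app.Enabled -and (-not $trusted -or -not (Test-Path -LiteralPath $path))
        }
    }

    # Globally open ports: flag enabled ports that are not built-in entries.
    foreach ($port in $fwProfile.GloballyOpenPorts) {
        $proto = if ($port.Protocol -eq 6) { 'TCP' } else { 'UDP' }   # 6 = TCP, 17 = UDP
        [pscustomobject]@{
            Kind   = 'OpenPort'; Name = $port.Name
            Detail = "$proto/$($port.Port)"
            Review = $port.Enabled -and -not $port.BuiltIn
        }
    }
}

Get-FirewallExceptionAudit | Sort-Object Review -Descending | Format-Table -AutoSize
```

Saving the output and comparing it against a known-good baseline shows entries that appeared without an administrator adding them, which is the case the article is concerned about.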
Apparently, Microsoft has just released Service Pack 2 for Windows XP.
People with installations of XP that use non-kosher keys are worried
that if they try to install SP2 it will detect the bad key and break
Windows, as sometimes happened with SP1. Allegedly Microsoft decided
that SP2 will work on any machine that worked with SP1, but maybe not.
Incidentally, some relatively legal installations of Windows have used
shady keys. I myself have installed Windows on a corporate network
where every machine had its own fully kosher Windows CD, but we used
a hacked install disc; rather than unseal all the Windows packages (and
try to keep everything straight), we just re-used a single key. (That
was with Windows 98; Windows NT and later have various problems with
that on a network. It's possible to get around them; Microsoft even have
a webpage on how to handle such issues with image installs etc.)
In an excellent posting on Slashdot someone gave links to ways around
this problem:
Re:So (Score:5, Informative)
by wfberg (24378) on Friday August 06, @08:42PM (#9905290)
it.slashdot.org
[http://it.slashdot.org/comments.pl?sid=117069&cid=9905290]
(huizen.dds.nl
[http://huizen.dds.nl/~wfberg/])
According to that msfn.org site, Microsoft has now announced that SP2 will install on all but the PCs that were also blocked from SP1.
So, if SP1 will install, so will SP2.
In the interest of preventing other people from getting their computers hacked into to form a botnet and DDOS the planet, check out how to change the CD key labmice.techtarget.com
[http://labmice.techtarget.com/windowsxp/articles/changeID.htm] and a list of CD keys opensourcerules.esmartdesign.com
[http://opensourcerules.esmartdesign.com/xpkey.htm] .
In the techtarget link, the following technique was suggested:
To change the product ID
Log in as the local Administrator
Click Start > Run > and type in Regedit
Browse to \
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\wpaevents
In the right pane, right-click OOBETimer, and then click Modify
Change at least one digit of this value to deactivate Windows
Click OK and close r