Category Archives: Security

Windows Shared Computer Toolkit

Microsoft has available the Shared Computer Toolkit for Windows XP. Mostly designed to protect computers that are used by the public, it provides a higher level of security, such as restricting some users further from fiddling with system settings.

I wonder if it gets around some of the issues of most users not running as Administrator. I still haven’t found a satisfactory way of running MS Train Simulator except as Admin.

It also has something called Windows Disk Protection, which means any changes to the disk are lost on the next reboot. Could be handy. Of course, a less-than-scrupulous person might use it for wiping out expiring Shareware needed only sporadically. But a more legitimate use would be for trying beta software, to ensure your machine was in a pristine state afterwards.

Hurricane Rita

I’ve been notified by my web ISP that Hurricane Rita is approaching Houston. Why does this matter? Because geekrant.org (and a number of other sites I run) are sitting on a server in a data centre in Houston. I’ve been encouraged to take backups of important content, which I’ll be doing. It’s a reminder that regular backups are an essential precaution.

If the site goes down in the next day or two, you’ll know why. Best wishes to those in the affected areas.

Slow SSL on Fedora

So, I’ve been using Fedora Core 3 (I really must upgrade to 4) and I’ve noticed that SSL – ie HTTPS – is really slow. Logging into eBay took something like a half hour. I consulted someone who uses FC3 as their primary operating system and his suggestion was to disable the firewall. “but…” I protested. The response was simple: “Stop being such a pussy. You’ve got a firewall in your modem.” And I do.

So I did – Applications | System Settings | Security Level got me to firewall configuration, one option of which was “forgetaboudit”. A reboot of the iptables (iptables is the linux firewall: very sophisticated, very powerful, very fragile, requires a detailed understanding of IP protocols to use correctly) later – either by a command line entry (simple – just enter service iptables restart) or a system reboot (easy to remember, but takes a fair old time – FC boot time is longer than XP’s) and the firewall’s behaviour was changed. Then secure logins went just as fast as straight HTTP, and it was clear that the Red Hat Firewall was the culprit.

Hours of searching the web revealed a suggestion for a change to the configuration file, which I went to implement in a restarted firewall – and it was already there. So, to make Firefox – or any other web browser – do fast SSL when it was going slow – you need to disable, then re-enable the firewall. You can do that by picking Applications | System Settings | Security Level from the menu, disabling the firewall, opening a terminal window and entering service iptables restart, and repeating the process but enabling the firewall this time (ensure you have web turned on).

In FC3 the default firewall install doesn’t like HTTPS. And I thought Windows was freaky. I understand the FC4 doesn’t do this crazy shit.

Win2K SP4 and a bit

For those of you still using it (I certainly am on one of my machines) Windows 2000 SP four-and-a-bit is out. I’m not totally convinced they couldn’t have just slapped an SP5 together, but oh well, there you go.

Dead USB port

So, in building the broadband access machine I’ve found a gift computer (twice as powerful as anything else I owned) that was ‘not working’. After loading XP onto and futzing with it for a while, I figured out that doing anything with the USB port locked up the computer… after a while. I tested the theory by running up a memory/CPU intensive game and letting it run for a few hours. It was happy until I transfered some files off the USB stick. Fault identified. If I want to transfer stuff off the machine, I’ll need to get a USB card, or hook up a network. And I think I’ll do the later.

With fault identification complete, I hooked up the broadband modem (Netcomm NB5) via the ethernet connection (given the USB connection wasn’t going to be working on this machine). Entered the IP of the modem into the browser, and got the modem’s login screen. Everything was good, and I shut down all access other than web via port 80 using the modem’s built-in firewall. Connection to the ISP was established, proxies entered into Firefox (not IE – CERT says there are no secure versions), and Google was available. Connectivity proven.

The web browsing machine got Fedora Core 3 loaded on (a simple process), and the proxy setup was repeated with the same results. FC3 comes with a pre-release version of Firefox, so I loaded up the CD with the .gz for 1.0.4 and loaded that onto the desktop. Then I spent a couple of hours figuring out that I needed to be root to install the browser, and where to install it. Having done that, I still haven’t got it as the default browser – that’s still the prerelease Firefox. But I can run up 1.0.4 from the command line, so at least it’s available, and adBlocker is installed, so well and good.

I figure that I’m going to lock the modem down to a single IP address it’s going to talk to, the FC3 machine. Anything else that wants data from the net is going to have to transfer it from the FC3 machine and won’t be exposed to the big bad internet, because I’m not ready to migrate our entire PC collection over to Linux just yet.

Which means I need to buy a switch.

YahooGroups getting paranoid

I use YahooGroups a fair bit. Is it my imagination, or is YG asking for way too much authentication of my logon? Increasingly it seems to show me the old logon screen (logon name/password) even though I keep turning on the option to remember me (and yes, my cookies are enabled).

Old-style Yahoo sign-in

…then straight after that it will ask me again, with a captcha displayed as well.

New-style Yahoo sign-in

In fact, trying to edit my account password today, I got the old, the new, then I changed my password (which involved re-entering the original password and the new one twice), then got the old and new sign-in screens again. Too much!

Letting non-Admin users see the calendar

Some time ago I ranted about the Windows date/time control (double-click on the clock) not being accessible to mere (non-Admin) users on Win2K. This is an issue because a lot of people use it as a calendar to check dates, even if they have no intention of changing the date/time setting.

Raymond Chen writes that to use it in that way causes all kinds of havoc on older versions of Windows, and points us to an article which explains how to let non-Power/Admin users see the calendar. (It’s on a blog which I may have to read in more detail, about running Windows with non-Admin rights.)

Just a user on Windows

This topic has come up in discussions at work and at home and elsewhere recently: You shouldn’t need to be Administrator to run software. This has one of the primary failings of Windows over the years, and something which Linux and Apple and others have led the way.

The guidelines for applications go into some detail on this*. Most of it comes down to your application working out where it should be writing files and settings (and it’s only a single API call to find out) and using those locations. Not rocket science.

Yet it lives on… even while Microsoft is encouraging people not to routinely run as Administrator, far too many Windows applications (even those provided by Microsoft) continue to assume the user has permissions to write anywhere on the disk.

This article, for instance, lists a couple of dozen recent Microsoft games that have to be run as Administrator to work (and misinforms about the Runas command, to boot. Hint: you need to specify the user as /user:X, not just /X).

Unfortunately, the one I’m trying to get working, Train Simulator, is resistant to this solution, and won’t work even if you give all users full access to its own directory and to its entries under HKey_LocalMachine in the registry. Grrrrrr.

From the sounds of it, the coming versions of Windows (Longhorn) and IE and other applications will be better at this, with default users having few system privileges. And not before time.

*WTF did they make it an EXE download, with a compressed Word document inside? Could they make it any LESS friendly for non-Wintel users to read? How’s about using HTML fellas, or at least PDF?

Prank

So, that shiny new computer I’ve been given and my propensity to save power have combined with boyish enthusiasm with a practical joke to create a very embarrassing situation for the two other contractors I work with.

I normally leave my box locked overnight, shutting it down on a weekend. So a discovery of a week ago had to wait until Monday to play out.

My new computer has a temperature sensitive main case fan that’s ducted – at higher temperatures the fan is cranked up to increase the airflow over the water cooled CPU heatsink. There’s a BIOS setting to set the idle fan speed; the default value is almost imperceptable, the highest is a roaring not dissimilar to a jet taking off (mainly because of the ducting and air being forced through the heatsink – all the turbulance is very noisy) and certainly seems to move a lot of air. Apparently the other guys here discovered this setting, and thought it would be a great idea to crank up the idle fan speed to “stupidly high” while I was away.

When I powered up the box, and the roaring fan started, I immediately went to Dean, the guy who did the swap-over to the new box. Having a CPU cut out because of overheating is not cool; I imagined that the heatsink might have come off somehow. He couldn’t imagine what was going on, and did note that the air wasn’t hot. Opening it up revealled everything in its place.

At this point the pranksters saw that this could escalate well beyond a prank and intervened with an explanation. Whilst I wasn’t put out, other people put the pranksters in their place. So, kids, be careful with those pranks. They could blowback on you (oh, I hadn’t intended that pun!).

Firefox critical vulnerability

With Firefox trumpeting itself as “Safer, faster, better” it’s fashionable to think of the product as being inherently safer than its opposition (primarily IE). It’s not. Mozilla has acknowledged a major vulnerability in Firefox, and with no fix available, is saying that the workaround is to switch off Javascript, and disable software installation.

Switching off Javascript renders a large chunk of the web unusable. Yeah, you can manually turn it back on for sites you trust… but who has the time to do that? And among the general non-geek populace, who has the knowledge to do it?

Of course, the likelihood of actually falling victim to this problem is pretty small. But if you’re tempted to switch back to IE, make sure it’s securely set up. One option is to use a security lockdown registry hack.

Meanwhile the neato Tiger Dashboard widgets facility that Andy’s been talking about appears to have its weaknesses too. Whoops.

Okay, so maybe I shouldn’t be so critical, especially since the stuff I code isn’t necessarily miraculously vulnerability-free. But then, I’m not coding browsers installed on millions of desktops.

Is it CG, or is it real?

A quiz for you: look at the pictures and guess which is computer generated and which is a photo.

I got 8 out of 10.

Or if that’s not amusing enough, check this for a funny story about a guy goading a l33t ha><0r into attacking his machine… “yes exactly that’s it: 127.0.0.1 I’m waiting for you great attack”

Firefox 1.0.1

Firefox 1.0.1 is out, and fixes a bunch of security vulnerabilities.

BUT before you go and download it, be ware: apparently there’ll be trouble if you install it over 1.0 and earlier versions. Be sure to read the release notes first.