Welcome!

Hello! I'm Defron and this is my blog.

Data Privacy Day: Passwords

Part One in a five-part exposé for Data Privacy Day

Data Privacy Day: Smartphones

Part two in a five-part exposé for Data Privacy Day

Data Privacy Day: Web Browsing

Part three in a five-part exposé for Data Privacy Day

Thursday, June 20, 2013

Proper Computer Infection Triage

It's been a looong time since the last time I've cleaned up an infection. I do my best to keep it from happening on my computers that run Windows as well as those I manage. Of course eventually something gets through. Yesterday (my day off since I work Saturdays), I got a call from the office about a computer acting weird. It turned out it was the System Care Antivirus rogue software. According to file timestamps, infection occured around 1:34 PM. I was notified approximately 10 minutes later.

Like a stroke, I believe that fast action is important, and the mnemonic FAST still applies, albeit a bit differently, as it relates to triage instead of identification:
  • F[ull stop]: Once you think you're infected, don't do anything with the computer.
  • A[lert (me)]: I need to know ASAP
  • S[hutodown]: I'll do it if I'm there. Otherwise Get that computer turned off asap (usually a hard poweroff. I'd rather have a single PC damaged than risk malware spread over the LAN)
  • T[ime]: This one stays the same. Time is important. The longer a virus has to act, the more extensive the damage, and the less likely infection removal will be the right course of action. Files may be irreversibly damaged without a reinstall and you just never know.
As hinted  in that last one: I'm a strong believer in disk imaging. Clonzilla is awesome; RedoBackup is great for those who want a GUI. Haven't gotten around to messing with FOG, but it's definitely a project that interests me (and of course Windows 7 and 8 can create an image natively as well as some Server-side ways via Windows Server). I don't usually deal with viruses, because it takes more time to clean up the mess than it does to restore an image. This time was an exception. The EHR software we use at work had been upgraded, along with some other programs on that particular computer. I hadn't imaged it since these upgrades (my bad). It would have taken longer to install those programs (as with some of them, all other clients need to be exited before a new client can be added) than it would have taken to clean it since triage had been followed. Had triage not been followed, I probably wouldn't have tried. Triage really makes that big of a difference in my opinion.

So now to explain FAST.

F -- Full Stop

Many infections start out as a simple file that was able to execute itself in the %AppData% area of your computer. It doesn't have much permissions yet and damage is usually not that bad. It will then try to trick you into giving it more power by clicking on something. By stopping everything and not touching anything, you can in many cases stop the virus in its tracks. This wasn't the case this time. It looks like the virus used an exploit in Adobe Flash Player to infect a bit worse -- more on this later.

A -- Alert (me)

If you aren't computer savvy, now is the time to get help. In the case of my office, I'm the one alerted. The sooner the problem is brought to the attention of others, the more easily it will be resolved. If you are at work, please note this: you will not be able to keep an infection a secret. Eventually it will come out. All you are doing is putting your coworker's computers, and the business at risk. Tell someone and tell them fast. I am quite proud how well it was handled. The person whose computer was infected told the office manager, who promptly instructed her to call me, just like it should have been done. It was beautifully handled.

S -- Shutdown

This one goes along with Full Stop. If the computer has been truly compromised (which the alerted person should be able to tell), then it's time to power that bad boy off. Some malware will try to stop this. Solution: Hit the switch on the power cord. A hard power off is much better than other computers getting infected. I instructed the coworker to turn off the PC and it stayed off until I got there. She was given a laptop to work on in the mean time.

T -- Time

Time is of the essence in an infection. Just like in a real medical emergency, triage is designed to quickly ascertain the severity of the problem. The longer it takes to triage, the more at risk the bad cases are. In the case of a computer infection, the longer it takes to get a PC squared away the worse it is going to be and the less likely cleanup will be at restoring a PC to its former glory.

I have two time counters: The first one is time from infection until the end of triage. I give this 30 minutes. If more than 30 minutes have passed and the PC is still being actively used, most likely that infection is going to be in every nook and cranny of the PC, maybe even jumping across the network. The second time is cleanup time. This one is 60 minutes. If no progress on cleaning up the infection has been made in one hour, it's probably time to wipe and start from scratch. Infection cleaning is a race against the clock in every aspect. The longer you spend cleaning, the more appealing the wipe-and-reinstall method will be. I find one hour to be a good compromise. If I've made good progress and everything seems in order by then, I'll continue cleaning up the infection. If I haven't even come close to getting it under control then it's time t wipe and reinstall.

My Case

As mentioned, this was my first cleanup in a long time. My first cleanup in years in fact. It was quite pleasant. Or at least as pleasant as a cleanup can be. I contribute most of this to the triage method described above. None of the network shares were infected and the PC is back up-and-running.

The infection appears to have been due to an outdated Flash Player install. I don't know how that happened. It should have been updated, but wasn't. The user had visited a website (the website in question seems to have been compromised. It doesn't appear to have been a malware website) and then wham, the popup of System Care started sceaming its alerts at her. She did the best next move by telling the office manager. The office manager than told her to call me. I got the call. I told her to shut down and she got a laptop. I arrived the next day and started cracking.

First, it was taken out and brought back to my office room. It was disconnected from the network and booted up into safe mode. I had done my research beforehand and quickly deleted the files and removed the registry entry related to the malware via the command prompt. Total time? A few minutes (spent more time getting the PC to my room than deleting these files). All was looking good so far, so I booted into Windows normally, expecting the worst. I booted in to windows and it wasn't bad. I was able to launch things and it wasn't a problem. First I launched the antivirus software (Vipre Business). Lookie there! It had caught two files. It may not have been a full success, but it did catch part of the malware and was probably why it was so easy for me to delete it manually with no problem (along with the blitzkrieg tactics in my removal methods). So now it was time to get some better malware scanning software and get the AV up to date.

Before I did that, I noticed that there was an Action Center alert. Apparently the malware had disabled Windows Security Center Service. I went into services to try and re-enable it when I saw it didn't exist. Uh-oh. Looks like the malware did more than I initially thought. Most likely it deleted a few registry values, causing the service to disappear. Knowing that, I decided to gamble on a System Restore. I consider System Restores a gamble because many malware programs will infect them, so when you restore them, you just end up restoring the malware too. I thought "if this doesn't work, I won't have wasted much time and I'll just wipe and reinstall" that way I don't waste much time. I chose a restore point a bit older in hopes that an older restore point would lower the chances since this malware had all of about 20 minutes before I deleted its core files and registry entries.

It was successful! Security Center and firewall and everything were all back after the system restore, and still no traces of the malware! So now I needed Internet access.

Even though I had done some cleanup and everything was looking good, I'm far too paranoid to just plug this computer into the LAN after it's been infected. It won't get LAN access until I've given it a clean bill of health. So what to do? I don't have a secondary Internet connection to use. This is where my Quarantine LAN comes into play. Using a DD-WRT router and some iptables rules, I made it so the desktop could connect to the Internet, but not to any computer on the LAN. Using a different subnet for the quarantine router and blocking the DHCP pool of the servers outside of it, I guaranteed that this computer couldn't infect my LAN even if it was filled with the nastiest of nasty malware (which is wasn't at this point). So then I went on and installed some more antimalware stuff and updated all the cleanup tools to the latest definitions and versions. CCleaner took care of any temporary files, with me cleaning up some it missed manually. the antimalware software was humming along, removing traces in cached and temporary files every now and then. It was the log in Vipre that informed me that it seems Adobe Flash Player related. The computer this entire time hasn't been exhibiting any infected signs: everything was running fine and nothing weird was going on. After a few runs with the various scanners, things were coming up clean. HijackThis logs were clean of anything worrying too. I put the PC back and that was it.

I ended up spending a few hours due to me being cautious. Rebooting, rescanning, scanning with all sorts of things. It eats a lot of time, but I wanted to be confident in my clean bill of health before I put it back in place. During the time I was also running scans on the network shares and other computers just to be safe.

In the end, it was a pretty successful cleanup story. And for the future? Well, I might implement Click-to-Play for flash content now.

Monday, April 1, 2013

World Backup Day

No April Fooling here.

World Backup Day was yesterday. It's a little-known holiday, in fact it only came into being in 2011. It's got a pretty catchy slogan of "Don't be an April Fool. Backup your files. Check your restores." I'm a firm believer in backups. It's practically an art and not one most people understand. There are many things some people consider backups but aren't at all. A backup has to satisfy certain qualifiers to be considered a true, blue backup:
  • A backup is not a Mirror. Mirrors copy file corruption and don't version files. Human error is always the biggest source of data loss in my experience, and a mirror doesn't protect from the human factor
  • RAID is not a backup. This goes with #1. Things like RAID1 (which is mirroring) and pairity-based RAIDs are sometimes thought of to be a backup. They are not. RAID was designed to increase performance or availability. It doesn't protect your files beyond that needed to do one of those two things.
  • A backup is versioned. That is to say, the data in a backup represents files as they were some time in the past. A good backup has many versions of the same file from you to choose where to restore. A system that keeps only one version of a file is the weakest kind, but still has one important distinction over mirroring: changes to original files don't instantaneously replicate to the backup. This allows for a restoration Windows to correct from human error.
  • A backup is verified. An unverified backup is nothing more than a hope. You hope the data in the backup is good. You hope the data in the backup is what you need. Until you verify those facts (which can only truly be done by doing a test restore) you never know if your backup is actually working as you intend it to. This point is so important that it's in the slogan for World Backup Day. It's also the most overlooked aspect of a backup.
Those are the key aspects of a true backup. Besides that, a backup should be automated (human error is the greatest problem, and it's so easy to postpone backing up). A backup should generate feedback/reports. Exception reporting is when the backup software tells you that something went wrong and is the most common type of feedback from backup software. Software may also come with statistical/general/informative reporting where it'll tell you that everything is going fine. What's good about that is it means if you don't get that report than you know that something is wrong (so wrong that it's affecting the reporting feature).

Going further down the path to backup enlightenment is that backups should be stored on different mediums and securely stored in different locations. When you have this, you have backup nirvana. Power surge fries your hard drives? You've got tape/cold storage backups to restore from. Your house burns down? You're data's still safe. The more distant the better. Cloud backup services have made off-site backups an achievable possibility for the average person. Tape's not really a viable solution for your average person, but flash storage, optical media (DVDs, BDs), and cold storage (unplugged hard drive) all are. The problem with two of those three is that you can't automate it on the same level. Flash storage, too, is still expensive. I also consider cloud storage a storage medium.

Security of backups is the most important thing when dealing with off-site backups. Encryption is the most obvious way to do it. Any good cloud backup solution will encrypt your files. The best will give you options on how to encrypt. Of course good ol' sneakernet of an encrypted hard drive (maybe with TrueCrypt) is also a viable off-site secure backup strategy.

Of course you don't need to do all this at once. Backups can be improved over time. The whole idea behind World Backup Day is to get people started and moving in the right direction.


Backup Software

I consider backup software to be like Operating Systems: they all suck, so it's a matter of picking the one that sucks least for your purposes. Try out different programs and see which ones work best for you. IMO, the best backup software I've used has had a client-server relationship like BackupPC (been meaning to try out Bacula). It works well for my purposes, but obviously not ideal for others. Below are some free backup programs to try out and get started with:

Windows:

Windows is what most people use. Unfortunately it's the one whose free backup software I've found most lacking. There are some gems I've enjoyed from time to time though:
  • File History (Windows 8): File History is the one great feature of Windows 8 IMO and I truly think it is amazing. Unfortunately I'm not crazy about the rest of Windows 8 on the desktop paradigm and I doubt many of the users of Windows 8 use File History.
  • Windows Backup and Restore (Windows Vista/7): The predecessor of File History. It offers a lot of nice features including the ability to do a full system image. It's pretty efficient and I've never had it goof up, but setup is a bit clunky (Which is where File History really improved on) and depending on the version you have, you can be quite limited in backup destinations. Windows 7 Home Premium lacks network backups, for example.
  • Cobian Backup: Cobian Backup offers a lot of neat features and a pretty good scheduler. The main problem is the lack of an integrated restore feature makes continuous incremental backups quite painful. Instead it's best to do sets of incremental backups, say keeping 9 sets of 10-day incrementals (keeping 90 days worth).
  • FreeFileSync: Yes, mirrors aren't backups, but FreeFileSync is unique among file synchronization tools in that it offers the ability to keep files deleted/changed and moving them to a different  timestamped directory, creating a basic file versioning system. It's no-frills which will undoubtedly appeal to those after a simple (feature-wise) solution.

Mac OS X:

Anyone read this use  Mac OS X? I personally don't and so the only Mac OS X-only backup program I'm aware of is Time Machine, which is an included utility. It's quite nice for local backups. If you don't want to buy an expensive time capsule, you can use FreeNas for networked backups.

Linux:

Linux has backup software galore. rsnapshot, rdiff-backup, a million others, and many different GUIs. Here are some GUI backup programs for Linux:
  • Back In Time: Based on some no longer maintained backup programs and inspired by Time Machine, it is a very nice backup program.
  • LuckyBackup: A very feature-rich backup program offering GUI options for many advanced features not commonly found in a GUI. NOTE: technically it's cross platform, but I don't consider it to be stable enough to trust it with data and list it as cross-platform.
  • fwbackups: Designed to be simple, it largely succeeds. Doesn't have the bells and whistles others offer, but it gets the job done. NOTE: technically it's cross platform, but it doesn't play nice with UAC on Windows.

Cross-Platform:

There are some great cross-platform backup programs out there. I'll note that many require java to run. Here are my top three:
  • Areca Backup: A very advanced backup program. It offers many settings to satisfy anyone. This comes with a steep learning curve and a desire for experimentation to uncover them all, though.
  • CrashPlan: A friendly backup program. The free version is ad-supported. It offers the unique ability to back up to a friend's computer over the Internet without an involved setup. This is a very nice feature for people untrusting of the cloud The subscription version also offers a cloud backup option. The Windows version doesn't require Java, Linux and Mac OS X version does.
  • JBackPack: Java-based GUI for rdiff-backup and encorporates EncFS functionality for file encryption.
Finally there are cloud-based backup programs. I won't go into detail here since I don't have any experience with them besides CrashPlan. I chose CrashPlan because it's cross-platform and so far I've enjoyed it. I don't trust my super-private files to it (it has nice regex filtering) and it gives a weekly report of the backup. I've heard good things about BackBlaze, but it doesn't support Linux which is a no-go for me (I list these two in particular because 1. I use CrashPlan and 2. both are supporters of World Backup Day). Others are probably good too. I will say DO NOT USE CARBONITE. They seriously throttle your speed. That kind of practice is deceitful and hurtful to customers and such practices should not be acceptable. Also note that other online storage and sync platforms like Dropbox and Google Drive really aren't backup solutions, but they may suit your purposes fine so long as you realize they aren't really catering to the backup market.

Thursday, March 7, 2013

Oracle iSQL*Plus Overview

This post is a bit different from my usual ones. It's specifically aimed at classmates in one of my classes I'm taking right now where we are learning Oracle Database. I found out the school has an iSQL*Plus web access license and it's publicly accessible (so you can use it from home), so anyone can use it any time.

iSQL*Plus is a web interface to SQL*Plus. Pretty much everything will work in iSQL*Plus that will work in SQL*Plus, but not quite everything.

Login and Use

 Logging in to iSQL*Plus is similar to logging in to SQL*Plus, except you use your web browser. You'll navigate to the iSQL*Plus web server and enter your username, password and connect identifier (if applicable, for the school iSQL*Plus server it is). It works with any browser. I've used it in the latest releases of Chrome, Firefox, and Opera with no problem. The login screen looks like this:


Once you've logged in, you'll be presented with a nice web interface. Here's me executing a simple command:



 As you noticed, by default it'll display the output as standard HTML of your commands below the enter field. Also by default it'll paginate the output, so you only see a number of lines at a time, 24 by default. This can be changed in preferences, but first on the main workplace UI:

Your SQL Commands stay in the box until you clear it by either manually deleting it or using the "Clear" button.

The "Execute" button executes all the commands in your textbox, by default showing the output below.

The "Load Script" button will take you to a page where you can browse for a *.sql file to upload. After you've located it, press the "load" button and it'll put the contents of the file in the text box. It's kinda pointless since you can just copy and paste the contents faster most of the time.

The "Save Script" button will auto-generate a file called "myscript.sql" and present a download prompt, which is pretty nifty.

The "Cancel" button will terminate any running commands, useful if your commands are being unresponsive.

You may notice a "History" tab on the top-right corner. This will store a history of your last few executions of commands. You can then reload them, which is useful if you accidentally hit the "clear" button. Do note: the History is cleared upon logout.

Preferences

 Preferences are where you can change various default settings. Most notably are:

In Interface Configuration:
  1. The amount of scripts to save in "History" from the current session (by default 10).
  2. The default size of the script input text box (pointless in modern browsers that let you expand it yourself)
  3. Whether to display the output below the text box or generate a downloadable html file (this is the closest equivalent to spooling, which isn't available in the iSQL*Plus interface)
  4. Option to have everything display on one page or multiple pages (and set the number of lines per page)
In Script Formatting:
  1. Option to have line numbers (kinda nifty)
  2. Option to display commands in the output by default (equivalent to running SET ECHO ON at the top of every execution)
There are many other options too. Here's Oracle's page on iSQL*Plus preferences and the equivalent SET commands

Differences Between iSQL*Plus and SQL*Plus

Most things in SQL*Plus will also work in iSQL*Plus, as I've noted. One notable exception is spooling. If you try to spool you'll see this:
spool on 
SP2-0850: Command "spool" is not available in iSQL*Plus 
Any other command that can't be run will similarly kick up an error like that and the rest of your script will execute properly. Spooling doesn't work because, obviously, you cannot set a save location on the server from your web browser. that'd be a security nightmare! The closest equivalent is to have the output generate an isqlplus.html file instead of displaying the command results below the text box.

By far, my favorite feature is that you can edit multiple lines very easily in iSQL*Plus and recall history. It's much nicer in that respect than SQL*Plus is. Likewise, the commands don't disappear after execution, so if you made a small mistake, it's easy to fix and re-execute. Very nice.

The other nice thing is any user can set preferences for many set commands, which can save you time.

The main downside is that there are no TNS alias, so your connect identifier has to be the full, proper connect identifier normally contained in the TNS.ora file

You should also be careful of something: iSQL*Plus doesn't care if you don't end SQL commands with a semicolon. If you plan on using this elsewhere or submitting it, you'll need to make sure you include them, as otherwise it may not work for someone else.

One thing to note is that iSQL*Plus has a pretty aggressive timeout/auto-logoff setting. So if you just leave it open for some time, you'll probably be forceably be logged out, so do make note of that.

Wrap-Up

Well, that's pretty much all there is to iSQL*Plus. Just make sure to log out. It's a great way to practice your SQL off-campus.


Saturday, March 2, 2013

Expanding C: Partition on Win2k3 and Remote GParted

As I mentioned in my last post, the C: partition on the Windows server at work had become completely full. I immediately did some temporary stopgaps to hold her over until I could properly repartition her. Today was that day.

Repartitioning modern Windows (Server 2008+, Vista+) is no problem, as you can do it with the included disk management utility. XP and Server 2003(R2) are different, as the disk management utility isn't nearly as capable. This server is a Windows Server 2003R2, so I had to use a third-party utility. For home users, the EaseUS Partition Manager family is pretty good. For a corporate server, though, it's $160. I wasn't approved for spending that (For good reason, the server is slated for replacement in a year or so, so the money would have been wasted in the long-run), so had to go with free options.

I ended up going with two different tools: one for shrinking the data partition and one for expanding the system partition. I used GParted to shrink the data partition and ExtPart to expand the C: drive. The reason being that Windows doesn't really like GParted and sometimes it'll require a repair action from the Windows disk when messing with the C: partition. I didn't want to deal with that and ExtPart is a small, simple, free utility for extending a partition (hence the name) from within Windows.

The day started at 8:40 am. I fired up CloneZilla and cloned the hard drive. If there was a power outage or some other freak accident during the repartitioning, I could then simply restore the image in a short time. I always recommend imaging your system before repartitioning for this reason. There are lots of disk cloning tools, I like CloneZilla. I tried doing this the day before, but the version of CloneZilla I had didn't work with my server's RAID card (a SAS 6/iR). I brought a freshly burned copy of the latest CloneZilla release and it recognized my drive just fine. This ran until 12:35 pm.

Next it was partitioning time. I inserted the GParted Live CD and got busy. Unfortunately Dell thought it was a good idea to make the data partition an extended partition. This means I'd have to do an extra action: First shrink the data partition and then shrink the extended partition it resides in. This means it'll take more time. I figured it to be done by 2:30 pm originally, but this would make it take longer. I figured it'd be done by 5:30 pm (it ended up beating my expectations by finishing at just shy of 4:50 pm). I didn't want to stay at work until 5:30 pm, time to get remote access to the GParted Live CD.

This actually proved pretty easy. First I configured the network, which GParted Live includes a nice desktop shortcut to do. Next I opened up a terminal. GParted Live is based on Debian so I did a sudo apt-get update && sudo apt-get x11vnc... This didn't work. Turns out GParted comments out the repos from sources.list. So I did a sudo nano /etc/apt/sources.list and un-commented the repos.

So now to install and run x11vnc:
user@debian:~$ sudo apt-get update && sudo apt-get install x11vnc
user@debian:~$ x11vnc -forever -display :0
The installation pulled a few packages besides x11vnc: libvncserver0, libxssl, openssl, tcl, tcl8.5, tk, tk8.5, and x11vnc-data. It only ended up taking 11.2 MB of more space, so no big deal, my server has plenty of RAM.

The forever flag tells x11vnc server to remain running after a client disconnects. Without that, as soon as you disconnect the first time, x11vnc will stop running. I planned on connecting a few times so I could do periodic check-ins on how GParted is progressing. The display :0 flag tells x11vnc to show the current session instead of creating a new one. It would be useless to VNC in to check on GParted's progress if I was given a new session. I also didn't want to risk x11vnc disconnecting and me being SOL, so I also decided to enable ssh on GParted. This is simple.

First, we need to set a password and configure hosts.allow so I can ssh in. This is done with sudo passwd user to create a password for the user 'user'. Without this you'd have to allow for passwordless login for ssh, which would require more configuration. Easier to create a simple password. Next you need to edit hosts.allow by doing nano /etc/hosts.allow. Add sshd subnetblock. (don't for get the period!) to the end. In my case it was sshd 192.168.1. that I needed to add. Now I just restarted networking and started ssh

sudo /etc/init.d/networking restart && /etc/init.d/ssh start

End result? I drove home at 3:00 pm and started checking on it. I use LogMeIn to remote into the office and then fired up TightVNC to check on GParted

 And then a bit later I saw:

Success! Done! Well, with the GParted part. I drove to the office to finish it up, since GParted will hang after ejecting the CD, and the server itself hangs on a setup in the preboot environment due to an alert I cannot disable.

Upon Reboot, Windows did a consistency check on the data partition, no biggie. I then rebooted again and was almost done. Now I need to expand the C:\ drive with ExtPart
C:\Documents and Settings\Administrator>cd C:\Dell\ExtPart
C:\Dell\ExtPart>extpart c: 15325
That's the default directory ExtPart creates when "installed" (it's a self-extracting archive when you download it). As far as the extpart syntax: it's simple. You specify the drive letter and then the amount you want to expand it in megabytes. In my case, that's c: and 15325. The end result? 26.9 GiB C: partition and 16.4 GiB of free space. I call that a rousing success for an honest day's work.

Tuesday, February 26, 2013

Inconsiderate Behavior

I thought today was going to be a good day: completely over the flu I had caught, night class was canceled, and my work load wasn't large (despite taking the majority of last week off)... I was mistaken.

When I check my work email I see the usual day-to-day emails, but one caught my eye. It was from my Spiceworks install and the title read "C: has less than 5% remaining on [one of the work servers]"... heart sank. Goodbye care free day, hello hellish day full of trying to figure out what's going on.

I turn to the server (running Windows Server 2003R2). I've always been well aware of the storage problems of the C:\ partition on this. This wasn't the first time the C:\ had filled up, in fact. Back when I first started working, it filled up due to an out of control program producing a five-mile long error log. The system, like most in the office, predate me. It was bought through a "value-added" retailer. The VAR decided it was a good idea to partition C:\ to only have 12 GiB of free space. I probably should have done something about it back then, but it being a Windows Server 2003 server, there's no integrated option to shrink one partition and expand the other. Budget was, as always, $0 and uptime was considered critical, so I freed up 4 GiB of space and called it a day. Of that, last week (some 3 years later) I had 2 GiB free space remaining. The server didn't ever really get any new software installed beyond security updates and I ran her lean and mean to reduce the chances of some log file going crazy. As I saw it, the remaining 2 GiB of free space would last me to this summer, where I planned to finally shrink the D:\ partition and expand the C:\ partition. It won't make it to then due to some inconsiderate behavior of an outsider.

A company, which will remain nameless for now, decided it was OK for them to do an automatic update of their software without telling me. Not only did they not tell me, they didn't announce it at all ahead of time, even on their website. The software also doesn't have the option to disable automatic updates and the fact that it can do automatic updates isn't even a listed feature. The software in question uses Microsoft SQL Server for the backend. Why? I dunno. I guess they thought that was a good idea (I disagree with that conclusion); it didn't use a SQL backend two revisions ago. Part of the upgrade included a forced upgrade to MS SQL Server 2008 (We were on MS SQL Server 2005)... That might be acceptable if I lived in an ideal world where I had each server only do a single role, but I don't because I don't have that kind of budget, working for a small business. The server in question was an archive server for patient records, and that functionality also used MS SQL Server. The update also required .NET Framework 4.0, which I had no need for up to then, so I didn't have it installed (free space being a premium, after all).

None of this would have been a problem, had I been given prior notice  of the update. If I was told ahead of time that this update was coming, I could have done something about it, and there would be no issue. Instead due to the company's inconsiderateness, I find myself with... 85 MB of free space on the C:\ partition.The .NET Framework update was also still running and complaining about a lack of free space (obviously). I had to cancel that.Next step is getting me some breathing room and call the company up. They give me the usual company blah about it, don't even apologize for not telling me about the upgrade beforehand. Told me they couldn't revert the upgrade so my only option was to clear up the space myself or uninstall the software.

Uninstalling it is very tempting, but I'll need to get my boss's approval before I can do that. In the mean time, I have a good feeling that the software is hosed and useless. The services related to it wouldn't start up, so I disabled them, crippling the software to dead status anyway, so at least it's not a further threat. I scavenged for free space and was able to get back to a bit over 800 MB. At least now it won't fail over from a single hiccup. That'll buy me the time to defrag the other partition (which is running smoothly so far, but since it was an archive server, still has a ways to go), shrinking it, and expanding the C:\ partition. If my boss doesn't approve some money spending, that'll mean downtime as I boot off GParted to shrink. I'll expand the C:\ partition with extpart from Dell so Windows get too grouchy.

A number of factors lead to the current situation, but the one thing that definitely shouldn't have been the case and would have made the world of difference is if I was told about this major upgrade beforehand so I could prepare for it.

At least Spiceworks is doing its job properly.

Thursday, February 14, 2013

Blog Status Update

It's been about a week and a half since my last blog post, so I thought I'd fill everyone in on what's going on. I knew this would happen eventually, but was hoping I'd have been able to post a bit more before it does.

I'm juggling school, work, this blog, and a few other projects right now. At the beginning of the semester it wasn't an issue, as school work wasn't very demanding. Now, though, school work is requiring more and more of my time. I'm a straight-A student and would like to maintain that, as such I need to focus on my studying and so had to cut back on my blogging. On top of that I got sick and am going back and forth to the dentist, taking up even more of my free time. Oh, and my first midterms are the next two weeks.

I definitely won't be able to continue a post a day like I did for that little bit, but I am going to try to do one or two posts a week. I have plenty I'd like to post about, but it's too time consuming to do so right now. In the immediate future, though, this blog is going to be running at a lower priority than I'd otherwise put it at. It's school, work, one of my other projects, and then this blog. Hopefully in two week's time, I will be able to pick up the pace again, though. Until then, I might be able to accomplish one a week, we'll see.

I'm still getting my feel for blogging, too, so it's definitely not worked out in my schedule. In the mean time we'll just see how this all goes.

Sunday, February 3, 2013

Wake-on-LAN

Wake-on-LAN is one of those technologies that I love, and one I think doesn't get enough attention. I guess it's a bit geeky still.

The actual technology is a hard to understand if you've never done any networking, but basically it works on layer-2 (MAC addresses) only. It sends the magic packet to everyone (broadcast), but only the intended device says "Oh, that's for me" and turns on the PC it's attached to. I always found it funny that it's called a magic packet. The "magic" part was fitting before I had a better grasp on networking, but, incidentally, now that I do understand networking better, the "packet" part makes less sense (since it uses layer-2 Ethernet frames, not IP packets). You can read up more about the technical side over at Wikipedia.

Wake-on-LAN Setup

In order to implement Wake-on-LAN you need to meet a few requirements:
  1. You need to use a wired (Ethernet) connection. There is a Wireless implementation known as WoWLAN, but it doesn't have much market penetration and even more requirements than WoL.
  2. Your BIOS/UEFI needs to support Wake-on-LAN (not all do)
  3. Your NIC needs to support Wake-on-LAN (not all do)
  4. Your OS needs to support Wake-on-LAN so you can manage it (AFAIK, all modern ones do)
To this day I regret the fact that I didn't consider support for WoL when building my current PC. I will never again build a PC that doesn't support Wake-on-LAN. MeetGadget allows you to sort by motherboards with this feature supported. Don't make my mistake in buying a motherboard that doesn't support it if you love WoL, as you will regret it.

BIOS implementation varies from one system to another. It's usually under power settings and something along the lines of "LAN wake-up" "Power on LAN" or something along those lines. Sometimes Wake on PCI and the like can be used, but those are usually for if using an separate PCI device (like a PCI NIC) to send a wake-up command.

If you don't find one of those options in your BIOS, your BIOS probably doesn't support the feature. It sometimes becomes available in a later version of your BIOS, but not usually.

Your NIC either will or will not support it. There's not much you have to do here. Really all you can do is verify it support Wake-on-LAN, which is done most easily by checking the documentation for your NIC.

On the Software/OS side, you'll need to tell the device it's ok to respond to Wake-on-LAN (and thereby allow your PC to turn on). I once was beating my head for hours because I thought I had configured this, but hadn't and the PC was refusing to turn on.

On Windows this is done by launching

devmgmt.msc

Then select "Network adapters" and right-click on the NIC you are using. Select Properties


Click on the advanced tab. The options may be different depending on your NIC, but for Realtek NICs, the option is usually called "Shutdown Wake-On-Lan". Make sure that is enabled. You should also make sure "Wake on Magic Packet" is enabled. Other names I've seen are "Network Wake-up" "Wake on Magic Packet" and other variations along those lines.


Now head over the the Power Management tab and make sure "Allow this device to wake the computer" is checked. Optionally check the box below it about allowing only magic packets to wake it up (otherwise the device may respond to any ethernet frame directed at it instead of particularly to magic packets).


On linux, you'll use a tool called ethtool, here's Debian's official documentation of it.

On Mac OS X, at least on Snow Leopard, it was:

System Preferences -> Energy Savor panel and make sure "Wake for network access” is selected.

Sending WoL Packets

Now that the system is all set up, you'll probably want to do all sorts of cool stuff with it. While WoL itself is layer-2, most tools that send the packet will operate on Layer-3 and 4 (usually using UDP packets to encapsulate the magic packet).

wakeonlan is a command-line Linux tool that I use (it's also available for Mac OS X via Macports). You should be able to pull it from you repos. The majority of wired computers at my work support Wake-on-LAN due to my concentrated efforts in making sure they do. I often do remote work at night on the computers, doing this and that. I just ssh in, turn on all the PCs with wakeonlan, and then control them through various methods, primarily ssh-tunneled RDP (as most are Windows 7/XP Pro computers). I like to imagine the look on someone's face if they were in the office and all of a sudden all the computers around them started powering up.

Two Windows tools are MC-WOL, which is a command-line tool. I like to script WoL sends, so command-line tools like this one and wakeonlan for Linux are useful to me. If you want a GUI, though, there is WOL - Magic Packet Sender.

You can send WoL packets from DD-WRT/Tomato and the like too. From the webGUI and command line. More importantly, you can set it up so incoming packets will automatically cause the router to send a WoL packet to your device. Very useful for sending WoL when outside your LAN. You can then turn your PC on from anywhere with an Internet connection

iPhones can send Wake-On-LAN via Mocha WOL. Unfortuantely Apple in their infinite "wisdom" doesn't allow for this to be automated on certain external events.

Android has two big options PcAutoWaker and Wol Wake on Lan Wan.

PcAutoWaker will allow for your phone to automatically send a magic packet on connecting to a wireless network. Imagine this if you would: You just pulled into your drive way, and by the time you get in the house your PC is already fully booted up. Now that is a beautiful thing to me.

Wol Wake on Lan Wan isn't as cool out of the box, but has some useful features: you can set up widgets for your devices to make sending magic packets easier, and even better: it can be incorporated in Tasker/Locale very easily. This allows for one very interesting thing: Sending WoL packets when your alarm goes off in the morning (note: I don't know if Locale has a similar event trigger). Imagine if you will, your alarm goes off. You're groggy and either hit snooze or turn it off and start getting up. In either case, by the time you reach your PC, it's already booted up. Ah, how wonderful.

That's why I love Wake-on-LAN: it allows for two things I love: saving power (leave PCs off and just turn them on remotely when you need them) and automation (I don't turn on my PCs, they're automatically turned on based on my actions). It's a beautiful thing, it's a simple thing, and it makes my life easier and more environmentally friendly. What could you possibly not like?

Saturday, February 2, 2013

Locking Down wifi on Windows without Active Directory

This is a cool trick I've learned recently, and it doesn't seem easily found through Google (but if you know of netsh, you may be able to discover it).

Windows management is best done through group policy, or at least most easily done through it. In fact, you can blacklist/whitelist wifi networks via group policy for Windows Vista+. The problem is that it's only available via AD group policy, not local group policy. At work I don't have Active Directory (but am hoping to by the end of the year), so I can't use this. Still, I'd like to block wifi networks on our wifi-enabled Windows computers. My desire for this came from the fact that someone in the office thought it'd be all right to take a laptop without permission for the purpose of working on public wifi during lunch. As a rule,  laptops shouldn't be just taken without properly being checked out, but sometimes people just think something not-ok is OK. Luckily the person didn't end up using the laptop on who-knows-what public wifi network, but it was a close call and made me look into this.

I found out it was possible with a couple of ye olde netsh commands. I'll show them off on my crappy laptop with a dead battery that I never use because I hate laptops (maybe I'll go into that another time). Before firing them off on my laptop, Windows saw these wireless networks:


Donnerschlag is my wireless network, so let's make it so that's the only option for this laptop to connect to. Open up the command prompt as administrator:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\windows\system32>netsh wlan add filter permission=denyall networktype=adhoc
Followed by:
C:\windows\system32>netsh wlan add filter permission=denyall networktype=infrastructure
That will block all wireless connections, let's see what Windows says:


Looking good, but now I need to add my whitelisted connections:
C:\windows\system32>netsh wlan add filter permission=allow ssid=Donnerschlag networktype=infrastructure
Aaaaand now:


Success! Here's some other useful netsh commands for wireless networks:

Show current filters:
netsh wlan show filters
Which returns something like:
Allow list on the system (group policy)
---------------------------------------
    

Allow list on the system (user)
-------------------------------
    SSID: "Donnerschlag", Type: Infrastructure

Block list on the system (group policy)
---------------------------------------
    

Block list on the system (user)
-------------------------------
    SSID: "", Type: Adhoc
    SSID: "", Type: Infrastructure
You may want to blacklist just certain wireless networks, this is done by setting the ssid as appropriate and permission to block
netsh wlan add filter permission=block ssid=somewifinetwork networktype=infrastructure
There's also the ever-important delete filter command. syntax after netsh wlan delete filter needs to match the same syntax you used to add that filter.

TechNet Library for Netsh wlan

Friday, February 1, 2013

Colors, Coding, and Consoles!

Who doesn't like alliteration? After sharing how I got prettify the way I wanted, I thought I'd share some of my other color and font schemes schemes.

Fonts:

When it comes to writing code and consoles, nothing beats monospace fonts in my book. When you're staring at code, a good monospace font can make all the difference. There are a few monospace fonts I love:

  • DejaVu Sans Mono (Download) is by far my favorite monospace font that I've ever used and my current font scheme for Console2, Windows CMD (when possible and where Console2 not installed), Notepad++, Linux terminals, and PuTTy. The only two things I'm not overly thrilled about DejaVu Sans Mono is the @ sign and i. I'd rather have the ones from Monaco.

  • DejaVu Sans Mono has two sister fonts: Menlo and Bitstream Vera Sans Mono. I only recently found out about Menlo (while setting up Prettify.js -- see my last article) because it's Mac OS X-only. There is a derivative font of it called Meslo that you can get from GitHub. I've not used it personally. Bitstream Vera doesn't have the same character support of DejaVu Sans Mono, just an FYI. To see a comparison between DejaVu Sans Mono and Menlo, go here

  • Monaco is a really nice font and I envy the @ sign and lowercase i from it. Overall I prefer DejaVu Sans Mono, though. It's a good all-around monospace font.

  • Anonymous Pro is an upgraded version of Monaco that takes better advantage of ClearType, for those who like it. I keep meaning to give this font a real run-down, but haven't yet. It looks really promising, though.

  • Consolas was the first awesome monospace font Windows has shipped. The one problem is that it absolutely has to have ClearType/subpixel rendering to be useable, as without it, the font looks like crap. Be aware of that if you don't like ClearType on while coding.

  • Inconsolata is a font based on Consolas. It does a better job at handling being displayed without ClearType/Subpixel rendering, but the @ sign is worse in my book, and it still doesn't do a great job.

  • Crystal is another really nice monospace font. I, as with Anonymous Pro, just haven't given it a proper chance.

  • Droid Sans Mono is a font from Google created for Android. It's actually a really nice all-around font and I really like it except for one thing: the 0 and O are hard to distinguish since the 0 doesn't have a slash or a dot in the center. If it wasn't for that one thing, I think it'd replace DejaVu Sans Mono as my font of choice. If that doesn't bother you, I highly recommend this font.

Coding:

I do almost all my coding in Notepad++ or in a commandline text editor over SSH. Since I'll include my SSH color schemes in the console section, I will only bother with NotePad++ here.

I personally use a slightly modified version of Obsidian, which is a theme included by default.

First I, naturally changed the font to DejaVu Sans Mono. This is done by going settings-> Style Configurator


I made two changes to the coloring. I manually edited the xml file for the font and changed all instances of fgColor="E0E2E4" to fgColor="BBBBBB". It's a big pain to do this through the style customizor, and much faster to use Notepad++'s "Replace All" functionality after opening up obsidian.xml. The other is I changed the background color to be a bit darker. This can be done in the Style Configurator. Just change the background color to RGB 45,45,45 (#2d2d2d, but you can't use hex). and make sure to check "Enable global background color" (see above). The end result is:

Which I think is very nice. I recently found out about Tomorrow Night Eighties (which I use on here for prettify.js) and Tomorrow Night exists for Notepad++. I've been thinking about modifying it to look like eighties and using it instead of Obsidian, but haven't done so yet.

Consoles

Windows command prompt offers basic changing options.

To change the color right-click the top and select properties, then go to the "Colors" tab.

As you can see, I use a background color of RGB 32,32,32. I use a text color of RGB 187,187,187. The popup text is what you see if you press F7 with the command prompt open. It's the old-school way of pulling up your command history. I never use this, so I never bothered coloring it.

For the font, I use DejaVu Sans Mono as the font when possible. Changing the font to the likes of DejaVu Sans Mono in the native cmd on windows requires a registry edit. Here are some instructions. Note: You don't need to reboot. A simple log-out is sufficient. On Windows 7, you don't even need to do that: just close all open command prompts and when you open a new one, the option to use DejaVu will be available. Reg:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont]
"000"="DejaVu Sans Mono"

I find that the font cannot be changed if you have certain nonunicode language settings. That was the case to me (Japanese is my nonunicode language).

   

An alternative wrapper for the windows CMD is Console2. I actually recommend Console2 over CMD anyway as it offers many more nice features liked tabbed terminals, can also run powershell, and better resizing and copy/pasting. You can download it from SourceForge, just make sure to download the 64-bit if you use 64-bit Windows. Once again, I use RGB 32,32,32 for the background color and RGB 187,187,187 for the text color and DejaVu Sans Mono for the font. You change the font and font color on Edit->Settings->Appearance. The background color under Edit->Settings->Tabs->Background. I also use the xterm cursor with RGB 164,240,79 as the color.

 Finally there is putty. Putty is a bit of a pain to configure color-wise, because it uses the registry instead of a simple config file.

Anyway, my configuration is as follows (Note: don't forget to save the configuration after making the changes!):

Font = DejaVu Sans Mono , Font size: 10px.
Default Foreground = 187,187,187
Default Bold Foreground = 163,163,163
Default Background = 32,32,32
Default Bold Background = 85,85,85
Cursor Text = 32,32,32
Cursor Colour = 147,199,99
ANSI Black = 28,28,28
ANSI Black Bold = 85,85,85
ANSI Red = 215,85,90
ANSI Red Bold = 223,117,125
ANSI Green = 115,185,115
ANSI Green Bold = 147,199,99
ANSI Yellow = 251,194,0
ANSI Yellow Bold = 225,222,89
ANSI Blue = 103,140,177
ANSI Blue Bold = 124,168,211
ANSI Magenta = 188,122,188
ANSI Magenta Bold = 187,134,223
ANSI Cyan = 91,205,215
ANSI Cyan Bold = 64,150,236
ANSI White = 187,187,187
ANSI White Bold = 215,215,215

End result? It's not perfect, but near close in my book (some of the colors are a bit closer than I'd like, and Cyan is still a bit of a pain):



All in all, I'm pretty happy with my colors and fonts. It makes prolonged use of the console and long coding sessions much more pleasant than the default settings, IMO.

Thursday, January 31, 2013

Prettify.js Perfection and Decade-Old Bugs

I'm a bit of a perfectionist, as many people who know me will tell you, so naturally I wanted to get prettify.js working exactly the way I want it to. It ended up being a bit more work than I predicted, but a lot of fun.

I already documented my experience with getting overflow working properly in Opera, here's the full documentation on my prettify.js implementation:

Adding it to blogger is simple, it's just a few lines inserted in the header:
<link href='http://google-code-prettify.googlecode.com/svn/trunk/src/prettify.css' rel='stylesheet' type='text/css'/>
<script language='javascript' src='http://google-code-prettify.googlecode.com/svn/trunk/src/prettify.js' type='text/javascript'/>
<script language='javascript' src='http://google-code-prettify.googlecode.com/svn/trunk/src/lang-css.js' type='text/javascript'/>
<script type='text/javascript'>
    document.addEventListener('DOMContentLoaded',function() {
        prettyPrint();
    });
</script>

I wanted alternating line colors, which is simple enough: just add the class linenums to the pre tag and prettify throws the code in an ordered list. Prettify by default only numbers every 5th line, which I wasn't all that thrilled about, so I customized it by overwriting the prettify CSS on my blog. Blogger doesn't allow uploading a css file, so it's all inline in the header, which kinda sucks from a management perspective, but it could be worse. I also wanted to add a line between the numbers and the code to better separate them, that too was simple.

One thing that was a bit tricky was getting alternating line colors to play nice with my overflow. I did quite a bit of Googling before I found out the answer on StackOverflow. Apparently the problem has to do with ordered lists being block elements. Making them display:inline-block took care of it.

Below is my CSS for prettify:
#main-wrapper pre {
    overflow-wrap: normal;
    word-wrap: normal;
    overflow: auto;
    max-height: 800px;
}
ol.linenums {
    display:inline-block !important;
    margin-right: 0px;
}
ol.linenums li {
    border-left: 1px solid #a0e66a;
    padding-left: 5px;
    padding-right: 5px;
}
ol.linenums li.L0, ol.linenums li.L1, ol.linenums li.L2, ol.linenums li.L3, ol.linenums  li.L5, ol.linenums li.L6, ol.linenums li.L7, ol.linenums li.L8 {
    list-style-type: decimal;
}
Finally I wanted to add an option for people to remove the line numbers if they don't like them via a toggle, which was a simple javascript implementaiton:
<script type='text/javascript'>
    //<![CDATA[
        function toggle_visibility() {
            'use strict';
            var list, count;
            list = document.querySelectorAll('ol.linenums');
            count = 0;
            while(count < list.length) {
                if(list[count].style.paddingLeft === '0px') {
                    list[count].style.paddingLeft = '40px';
                } else {
                    list[count].style.paddingLeft = '0px';
                }
                count += 1;
            }
            return;
        }
    //]]>
</script>
With that, I'm pretty happy. I try to always do vanilla javascript instead of using jQuery. Not that there is anything wrong with jQuery: I just prefer to have my code work with as few dependencies as possible. Just call the javascript function with a <a href="#" onclick="toggle_visibility();return false;">Toggle Line Numbers</a> and it's all done.

After that I went around just checking everything out. I copied the script from Firefox into notepad and was dismayed to see that all the white space didn't copy over! Apparently there is a decade-old bug in Firefox where it won't copy whitespace in certain instances even when rendered in the browser. One such instance appears to be ordered lists inside a pre tag. I didn't know that before, though it would explain why PasteBin doesn't do a simple pre tag of an ordered list (it's quite complicated, you should take a look at their page source some time). I never knew this before. Opera does it fine and always has since me using it. I decided to see how other browsers handled it. Chrome did fine with whitespace too; I had no problem copying my script perfectly in Chrome. Then I tried Internet Explorer... Oh man, it was bad. It pasted the entire thing as one giant line. You see, I'm using the pre tag to the fullest: I'm not bothering to declare line breaks in html, since pre tags will honor them natively. Internet Explorer isn't just too stupid to copy whitespace in pre tags, it's too stupid to even copy newlines!

I found it quite entertaining and educating. I do hope that Firefox bug is fixed soon. I couldn't imagine using Firefox as my daily driver with that bug. IE? Talk about a nightmare. Anyone who stumbles upon this looking for an implementation of prettify.js on Blogger, I hope you found it helpful.

EDIT: As you may have noticed, I actually changed my mind after posting this. I'm now using a different theme for prettify.js: Tomorrow Night Eighties (adding "DejaVu Sans Mono", "Bitstream Vera Sans Mono" as fallback fonts for a more uniform cross-platform rendering). My reason for doing this? The whiteness of non linenums prettyprint is far too harsh. At the same time, I don't like how bad that bug about white-space copying in Firefox ended up being. I don't want to penalize Firefox users, so I found a theme that's not so harsh on the eyes (IMO). You should now be able to copy the code posted on here in Firefox with white-space intact. I'll leave the notes about the old way of doing things up here in case it is useful to anyone else.

Wednesday, January 30, 2013

Doing things the hard way and overflow-wrap

Last night I posted a script for GIMP. Naturally, I'd want syntax highlighting and no word wrapping, so I used the pre tag along with prettify. Posted it and was quite happy. Then I check it in Opera and I find the text had wrapped. I couldn't figure out why, I know pre should keep text from wrapping and Opera doesn't wrap other pre tags. I thought I was going insane! I spent an hour looking into it, but just couldn't figure it out. Everywhere else using overflow: auto, Opera would properly add the scroll wheel and not wrap pres. I couldn't find anything in my CSS that would be causing pre to wrap. Even explicitly told it to treat the content like pre, and it still wrapped.

Finally I took a look at the computed stylesheet thanks to Opera Dragonfly. I really should have done this from the beginning. I don't know why I didn't. I found a CSS property I've never heard of before: overflow-wrap. It was set to break-word. I had never heard of it before. I'm no web designer, so there's plenty of CSS I'm unfamiliar with. Naturally I Googled it and found it's a new tag to replace word-wrap (word wrap remains for legacy reasons) I still don't know where it came from; I'll look into that later today if I get the chance. In the end I spent about an hour looking for something that would have been much easier to find if I went about it the right way, and it was a simple fix: all I had to do was put overflow: normal; to my css and it all worked properly.

Why all this effort for Opera? Well, Opera is my browser of choice, so I naturally want my blog to work perfectly in it. I test my site in Opera and Firefox. I'll probably install Chrome to make sure it works fine in there too, but for now just Opera and Firefox. IE I don't bother with, but last night I took a look at it and it too was wrapping because of overflow-wrap. It makes me wonder why Firefox wasn't wrapping due to overflow-wrap. I wonder if Firefox is doing some things different with CSS3...

Anyway, in conclusion, it's amazing how simple something is when you look at what actually is being done and use logic :P Though I'm still having a bit of trouble getting alternating line colors to work with prettyprint when using scroll overflow.

Tuesday, January 29, 2013

GIMP Script: Save as PNG

At my office, we have a few really cool fundus cameras. Well, I think they're cool anyway. Before I got there, they used to use CF cards to transfer photos from the Nidek NM200D (our fundus cameras) to a computer. This was not without problems: sometimes files wouldn't save right, the cameras produced really huge uncompressed tiffs, so not much could be stored, and a few other problems. The NM200D is supposed to be capable of transferring files via USB. Unfortunately, the software designed for it was really bad and unfriendly -- I could never actually get it to work. The drivers seemed fine, though. They are standard TWAIN drivers (but it still called itself a camera...), so I went to find a good solution that would meet my budgetary requirements ($0). There were a few contenders, but I settled on GIMP because it was open source (which I do so love) and would allow the doctors to import photos in quick succession while naming each individually.

We started out with GIMP 2.6. As you may know, GIMP 2.8 changed the way it handles saving by only allowing you to save in the native xcf format. For all other formats you have to export. That's not something that would fly well with the doctors. It's made worse by the fact that exporting to an image file without saving leads to a "scary" warning about unsaved content. There was no real reason to upgrade anyway, so I stayed on 2.6 and worked on other things.

Fast forward to today. I'm in the planning stages of upgrading the computers the fundus machines are connected to, as it's finally time to finish the Windows 7 migration at the office. The cameras actually seem to work great with Windows 7; I was afraid they may not play so kindly with it (though it does have to be 32-bit Windows 7). They actually work better judging from testing so far, as with XP they would only work with USB 1.1 (or fake USB 1.1 by disabling the 2.0 drivers causing Windows to fallback on legacy 1.1 support), but with 7 they seem to work fine with native 2.0. Naturally with an upgrade I'll want to use the latest software like GIMP 2.8, so I looked for solutions to the export problem. I found this "Save as JPG" script. For fundus photos, though, I'd rather have it saved in lossless PNG. I'd also like basic overwrite protection to keep the doctors from accidentally overwriting other fundus photos. A little bit of reading on some GIMP and pygtk documentation (never written a plugin for GIMP or used pygtk), and I had what I wanted: provide basic options for saving as PNG and offer overwrite protection when saving newly created files. Below is the code:

PasteBin
#!/usr/bin/env python

# save_as_png.py
# Provides a simple menu option to save as PNG with
# basic save options and overwrite warning for newly created files.
# Tested in GIMP 2.8.2 on Windows 7 (64 and 32-bit)
# Contact: Kevin Thomer (Defron) | http://blog.defron.org/
# Provided free and as-is under GPL v2.
#
# Based off of:

# save_as_jpg.py
# version 1.0 [gimphelp.org]
# last modified/tested by Paul Sherman
# 12/20/2012 on GIMP-2.8
#
# ==== Original Information ====================================================
# Save or export the current image -- do the right thing whether it's
# XCF (save) or any other format (export). This will mark the image clean,
# so GIMP won't warn you when you exit.
# Warning: this does not show a lot of extra dialogs, etc. or warn you
# if you're about to overwrite something! Use with caution.

# Copyright 2012 by Akkana Peck, http://www.shallowsky.com/software/
# You may use and distribute this plug-in under the terms of the GPL v2
# or, at your option, any later GPL version.
# ========================================================

from gimpfu import *
import gtk
import os, sys
import collections

def python_export_clean(img, drawable, interlace, background, compression) :
    filename = img.filename
    #These typecasts isn't really necessary in Python, just a habit of mine
    bg = int(background)
    interlacing = int(interlace)
# fullpath = pdb.gimp_image_get_uri(img)
# pdb.gimp_message(filename)

    if not filename :
        chooser = gtk.FileChooserDialog(
            title=None,action=gtk.FILE_CHOOSER_ACTION_SAVE,
            buttons=(gtk.STOCK_CANCEL,gtk.RESPONSE_CANCEL,gtk.STOCK_SAVE,gtk.RESPONSE_OK)
            )
        # save folder will be desktop
        save_dir = os.path.join(os.path.expanduser('~'), 'Desktop')
            
        chooser.set_current_folder(save_dir)
        chooser.set_current_name("UNTITLED.png")
        chooser.set_do_overwrite_confirmation(True)
        
        filter = gtk.FileFilter()
        filter.set_name("Save as png")
        filter.add_pattern("*.png")
        chooser.add_filter(filter) 
        
        response = chooser.run()
        if response != gtk.RESPONSE_OK:
            return
        filename = chooser.get_filename()
        img.filename = filename
        chooser.destroy()
    
        pdb.file_png_save(img, drawable, filename, filename, interlacing, compression, bg, 0, 0, 1, 1)
        pdb.gimp_image_clean_all(img)  
            
        
    else:
        base = os.path.splitext(filename)[0]
        newname = base + ".png"

        pdb.gimp_edit_copy(img.active_drawable)
        image2 = pdb.gimp_edit_paste_as_new()
        pdb.file_png_save(image2, drawable, newname, newname, interlacing, compression, bg, 0, 0, 1, 1)
        pdb.gimp_image_delete(image2)  
        pdb.gimp_image_clean_all(img)


register(
        "python_fu_save_as_png",
        "Save the image as a PNG file, set interlacing & saving bg color\n\nFor more options and a proper file overwrite protected dialog, \nuse the FILE > EXPORT menu item when saving as a PNG.\n\n",
        "",
        "Kevin Thomer (Defron)",
        "GPL",
        "2013",
        "Save as PNG",
        "*",
        [
            (PF_IMAGE, "image", "Input image", None),
            (PF_DRAWABLE, "drawable", "Input drawable", None),
            (PF_TOGGLE, "interlace", "Interlacing (Adam7)", 0),
            (PF_TOGGLE, "background", "Save background color", 1),
            (PF_SLIDER, "Compression", "Set the PNG Compression Level", 9, (0, 9, 1) )
        ],
        [],
        python_export_clean,
        menu = "<Image>/File/Save/"
)

main()

It only has basic options, but that actually works out better for the doctors (simpler). It also has one more added benefit: before, the doctors would occasionally accidentally save fundus images as GIMP xcf files; with the new method it'll always be PNG. A real win-win.

One thing to note: this will only export the current layer, it doesn't flatten the image or anything. It's not really a problem in my case since the images are imported one at a time and saved separately, so I didn't bother looking into merging or flattening.

Monday, January 28, 2013

OpenVPN Server on Windows

UPDATE: Every once and a while someone will reach out to me about this and ask about if I have any plans to update it. I no longer use Windows as my primary OS (switched to Linux) and no longer use OpenVPN either. The below guide may have issues, especially on Windows 10, which I don't use.

OpenVPN is a wonderful VPN system, but it's not so simple to set up on Windows. When I first created this how-to, there wasn't a real cohesive and precise instruction set on how to get an OpenVPN server working on Windows where Windows clients could have all traffic go through the VPN (the alternative is where only directed traffic goes through the VPN: Split tunneling). I prefer all my traffic going through a VPN when connected, less likely for information to leak out.

NOTES:
 1. Throughout this guide I will use two words: over and over again: server and client1. Feel free to modify these, but be sure to modify them EVERYWHERE they are repeated. To help you out I bolded and italicized them everywhere you should change them (except in the config files, they need to be changed in those as well)

 2. Everywhere you see quotation marks, it is to signify what you should type (which would be the stuff inside the quotation marks), DO NOT TYPE THE QUOATATION MARKS UNLESS OTHERWISE SPECIFIED!

 3. I know this seems long, but it really isn't, I just broke everything down into as basic of steps as I could and explain everything as thoroughly as I can. In the end, it pays off, you have a secure multi-client VPN offering that definitely beats PPTP in terms of security and robustness.

 4. A relatively common practice with OpenVPN is to configure it to use TCP port 443, as this is the port normally associated with HTTPS, so even the most most draconian of firewalls won't block it. I don't cover this, instead cover OpenVPN using the default port of 1194 UDP. Changing it is simple, just edit the server and client configuration files to use proto tcp and port 443. Make sure to also change your forwarded port and firewall rules to match as well.

 5. This guide uses the 192.168.137.0/24 block for the OpenVPN network. This is the default for Internet Connection Sharing (a needed utility to get Internet through OpenVPN on Windows) for Windows 7, which is why I chose it (it should also be the default for Windows Vista, though I cannot test this) On Windows XP, ICS uses 192.168.0.0/24 by default, which isn't very useful for a VPN (as it's a popular subnet and would lead to conflicts in various situations). If you wish to change the subnet for OpenVPN, you must change it in the config file for the server as well as for ICS. This can be done through a registry setting. In HKLM\System\CurrentControlSet\services\SharedAccess\Parameters you will need to change ScopeAddress and ScopeAddressBackup to the first IP address in the range you wish to use. I am not certain if Windows XP can change it or not, but it's worth a shot. Here is a registry file of the 192.168.137.1 ICS configuration, change the network numbers and run it to change to a different subnet (or do it manually). You can also find it on PasteBin.

 6. You will also need to know your public IP address or set up a Dynamic DNS service. This can be done by visiting http://www.whatismyip.com/ on your server. Better is to set up no-ip on your server and use their free dynamic dns service (as it'll work even if your home IP changes). You will need to do this for PPTP VPN servers and SSH servers. I will mention this again when we get to the client configuration file.

Pre-Install

This guide assumes two things: You've properly set up a static IP for the will-be server and you have configured any firewall on the will-be server correctly. I will do a quick run-down of how to do this on Windows Vista/7 with Windows Firewall (which are the same in this matter).


Windows Firewall setup:
  1. run wf.msc
  2. Click Inbound rules on the left panel, and on the right panel click "New Rule..."
  3. Select Port for the rule type and click next. Image of steps 2-3 
  4. Select UDP and enter in port 1194 and click next
  5. Select Allow the connection and click next
  6. Select which networks to allow the rule, to be safe, allow for all and click next
  7. Name the rule "openvpn in" (without quotes) and click finish.

Install Process

  1. Download OpenVPN onto the will-be OpenVPN server and run the installer (as administrator if you are using Windows Vista/7)
  2. . When you get to the "Install Location" part of the setup, I highly recommend installing it to C:\OpenVPN rather than the default install path. Especially on Vista/7 as this will save you headaches. Proceed to finish the install
  3. Navigate to the installation folder (C:\OpenVPN if you followed my advice), then enter the config folder (C:\OpenVPN\config).
  4. Here, create a file server.ovpn. It should look like this:  http://pastebin.com/wU0MeHKL

    About the server.ovpn configuration file:

    You can modify the port number to any number you want, just remember what you set it to. Same for proto (short for protocol) you can change that to tcp, just remember you did so (udp will give you better performance, but may be blocked on some draconian networks)

    Line 5 is one that may need changing. First, you need to keep "server" as server (it's a configuration line dictating the VPN server IP range). Later on we'll enable Internet Connection Sharing and you may need to change 192.168.137.0 to match any IP address being forced on you by Internet Connection Sharing (for me this was 192.168.137.0/24 but it may be different for you) I'll remind you of this when we get to Server Configuration.

    You need to specify the DNS servers, I chose OpenDNS as it makes it easy to test if the tunnel is being used without running something like Wireshark (which is nice), but any DNS server will do.
  5. Open up the command line (As administrator on Vista/7)
  6. type "cd C:\OpenVPN\easy-rsa" (without quotes, everywhere you see quotes from now on, it's to signify what you should type) and hit enter
  7. type "init-config" and hit enter
  8. navigate to C:\OpenVPN\easy-rsa in explorer if you haven't already. find the vars.bat file, right-click it and edit it
  9. Edits to make to vars.bat:

    Mandatory: change HOME path from "%programfiles%\OpenVPN\easy-rsa" to "C:\OpenVPN\easy-rsa" (if you don't do this you will get an error complaining about unable to write random state)

    You also need to fill (found near the bottom of the file):

    set KEY_COUNTRY=
    set KEY_PROVINCE=
    set KEY_CITY=
    set KEY_ORG=
    set KEY_EMAIL=

    Technically, any value will do, including the default ones, but I suggest filling them in with your information

    You also need to set KEY_NAME and KEY_OU . I usually set name to my name and OU to VPNers just because it's simple.

    -------- DO NOT CHANGE KEY_CN, IT NEEDS TO BE CONFIGURED ON A PER-RUN BASIS ----------
  10. Save vars.bat and return to the command line (reopen it as administrator and navigate back to C:\OpenVPN\easy-rsa if you closed it)
  11. type "vars" and hit enter
  12. type "clean-all" and hit enter (it's normal for this to kick up an error, it just means the folder "keys" didn't exist before it was ran)
  13. type "build-ca" and hit enter. This will start the creation process for the ca.crt file. You will be prompted for various things. The default values are fine until you get to COMMON NAME
  14. WHEN YOU GET TO Common Name enter in "server"
  15. "build-key-server server"
  16. Leave the password blank unless you want to read OpenVPN documentation. same for company name
  17. answer "y" to signing and committing to the certificates.
  18. type "build-dh" and hit enter
  19. copy ca.crt, server.crt, server.key, and dh1024.pem from the keys folder in easy-rsa to C:\OpenVPN\config
  20.  type "build-key client1" and hit enter
  21. WHEN YOU GET TO Common Name enter in "client1"
  22. Leave the password blank unless you want to read OpenVPN documentation. same for company name
  23. answer "y" to signing and committing to the certificates.
  24. Install OpenVPN on the client computer EXACTLY the same as on the server (ok, it doesn't really need to be exactly the same, I'm just too lazy to tell you what you do and don't need)
  25. copy ca.crt, client1.crt, and client1.key from the server's keys folder to the client computer's OpenVPN config folder (C:\OpenVPN\config if you installed it like I said)
  26. in the config folder on the client, you will need to create a client1.ovpn file. It should look like this:  http://pastebin.com/42ekkJtL
About the client configuration file:

You need to use the same protocol as you specified on the server configuration file.

On line 5, for remote, you need to specify the PUBLIC IP address of the server OR the DNS entry for it. Refer to Note #6 for this information. After the ip address or DNS listing, specify the port. This needs to be the same port as in the server configuration file.

Almost done! Just have some configuration left on the server to go.

Server Configuration

  1. On the server open up services (run services.msc). Find OpenVPN, right-click it and go to properties. Set it to automatic and start it.
  2.  Still on the server in services, find Routing and Remote Access (shorthand: RRAS). Set it to automatic and start it. NOTE: At least in a couple of my goes with this, enabling RRAS made my network indicator in the notifications tray signify I had no connection -- I Still had a connection despite being told otherwise. It only happened on a few of my computers, so it may or may not happen to you (if it does, see if you can access any website. If you can there's no problem)
  3. You will need to modify a registry entry, so open up regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. In there change IPEnableRouter to 1 (defualt is 0).
    IPEnableRouter.reg file download | PasteBin
  4. You may need to reboot before the registry change takes effect
  5. Still on the server, go Control Panel->Network and Sharing Center and click on "Change Adapter Settings"
  6. If you use my config it is necessary to change the TAP name (as the default name is random). Right-click the adapter that says TAP-Win32(or WIN-64) Adapter and select "Rename". Rename it to "MyTap".
  7. Right-click the newly-named MyTap and go to properties. Uncheck IPv6 if it's available (Vista/7 + some XP computers with it configured).

    Now we go onto Internet Connection Sharing (ICS) configuration. You may wish to review Note #5 as it covers some details on how to use a different subnet, as well as the "Some Things Very Important To Note" section for possible issues. A reminder is my guide assumes you are using 192.168.137.0/24, which is not the case on Windows XP. Edit as appropriate.
  8. This part is not necessary if you have checked the registry entry for ICS and made sure it is correct for your needs, but is a useful way to double-check as you'll get a warning popup. While still having the MyTap Properties open, Select IPv4 and click properties. Give it a static IP of 192.168.137.1 with a 255.255.255.0 subnet mask.
  9. Right-click your LAN adapter (the one you gave a static IP in step zero) and go to Properties. Go to the sharing tab (advanced on Windows XP) and check "Allow other computers to connect through this computer's Internet Connection"
  10. If there is a drop-down list you can select from, select MyTap. If not, don't worry: that just means you have no other adapters to share with other than MyTap. Image of Steps 9+10
  11. Uncheck the lower box titled "Allow other network users to control or disable the shared Internet Connection" if it is checked.
  12. Click OK. If you did optional step 8 for Server Configuration, you'll get a popup that says something about how MyTap will be set to 192.168.137.1. If yours said a different IP address, you will need to modify server.ovpn to use that subnet (same first 3 sets of numbers, last one a zero) and restart the OpenVPN service, alternatively you can set the ICS network range in your registry. Run this registry file to use the guide's 192.168.137.1 (Pastebin) or configure it manually using regedit and navigating to HKLM\System\CurrentControlSet\services\SharedAccess\Parameters and editing ScopeAddress and ScopeAddressBackup to use the desired IP address range (you specify the first IP address in the range). You can check to make sure that the IP address for MyTap is correct by running ipconfig /all in the command line and making sure it matches that in your server.ovpn config file.
Now you just need to port forward for OpenVPN so you can access it over the Internet.

Client Configuration

  1. Still on the client, go Control Panel->Network and Sharing Center and click on "Change Adapter Settings"
  2.  If you use my config it is necessary to change the TAP name (as the default name is random). Right-click the adapter that says TAP-Win32(or WIN-64) Adapter and select "Rename". Rename it to "MyTap".
  3. You can try out OpenVPN now on your LAN to make sure all is working. Just change your client1.ovpn to connect to your server's LAN ip address (NOT the address you set for MyTAP on the server, but the static IP you set for the LAN adapter).
  4. Launch OpenVPN GUI (as Administrator on Vista/7). A tray Icon should appear for OpenVPN (a little red-monitored computer with a globe). Right-click it and select "Connect"
  5. A window like this will appear. After a few seconds to a minute, you should hopefully connect and be assigned an IP address. To verify traffic is going through the tunnel, assuming you used OpenDNS, you can test it simply using an OpenDNS check.
I know it's been a lot of work, but it's worth it. You now have a secure basic VPN setup More robust than Microsoft's default PPTP offering as well as allowing multiple clients. You can improve the security by looking into ta.key, maxclients, client filtering, choosing the cipher, and password authentication. You'll need to go elsewhere to learn how to do these, or I may cover them in a future post. Finally, there are a few things you should know

Some Things Very Important To Note

  • If you have issues with resolving DNS, uncomment register-dns from the client file.
  • On some networks with a short dhcp timeout, your client may have issues with getting a new address lease due to OpenVPN sending the request through the VPN. Disconnecting from OpenVPN and running "ipconfig /release" followed by "ipconfig /renew" in the command prompt will solve the issue (until it times out again).
  • Internet Connection Sharing (ICS) is a tricky one, but I've gotten it mostly figured out through the SharedAccess registry options. You can read up on configuring ICS here. On Windows XP it uses 192.168.0.1 by default and I've yet to verify if that can be changed.
  • Strictly speaking, the subnetting you are giving your OpenVPN server may not be absolutely correct. This doesn't matter for a handful (3) clients, but it may stop you from having too many clients. This appears to either be related to the version of Windows used, related to the NIC used, or related to whether the NIC used is a wireless NIC and cannot be changed. You should get subnet mask of 255.255.255.0, but may get less (lowest I got was 255.255.255.252 -- 3 clients + the server would max that out). When the OpenVPN client should pull the correct information when it connects, so as long as you don't exceed the limit, it's not an issue. Slightly related is the below:
  • I don't know if this was because my virtual machine is crashy, but I noticed that the MyTap adapter would randomly change to using APIPA (Automatic Private IP-Adressing) and therefore having the 169.254.0.0/16 block. It's simple enough to fix. NOTE: This happens when RRAS runs into an issue and the DHCP server fails, to fix this issue, follow the below 3 steps:
First, disable sharing on the LAN adapter.

Second, reset the MyTap to use a static IPv4 address (IP and default gateway the same, in my case 192.168.137.1).

Third, re-enable sharing on the LAN adapter for MyTap.
  • I suggest disabling sleep/hibernation on the server (I mean, if the server isn't online when you need to connect, it's kinda useless) anyway. And whenever you reboot for updates, just check to make sure the MyTap properly has the first IP address in the block your OpenVPN server gives.
  • I've yet to find a way to get the OpenVPN network to be identified by anything less than a Public Network on Windows 7. It doesn't make much of a big deal unless you want to access network shares on the OpenVPN server (which may not be possible since Windows may block sharing since it's a public network). NOTE: This is due to OpenVPN's network not having a default gateway. Some steps on potential workarounds can be found on the Internet.