Welcome!

Hello! I'm Defron and this is my blog.

Tuesday, February 26, 2013

Inconsiderate Behavior

I thought today was going to be a good day: completely over the flu I had caught, night class was canceled, and my work load wasn't large (despite taking the majority of last week off)... I was mistaken.

When I checked my work email I saw the usual day-to-day emails, but one caught my eye. It was from my Spiceworks install and the title read "C: has less than 5% remaining on [one of the work servers]"... my heart sank. Goodbye carefree day, hello hellish day full of trying to figure out what's going on.

I turn to the server (running Windows Server 2003 R2). I've always been well aware of the storage problems of the C:\ partition on this one. This wasn't the first time the C:\ had filled up, in fact. Back when I first started working, it filled up due to an out-of-control program producing a five-mile-long error log. The system, like most in the office, predates me. It was bought through a "value-added" retailer. The VAR decided it was a good idea to partition C:\ to only have 12 GiB of free space. I probably should have done something about it back then, but it being a Windows Server 2003 server, there's no integrated option to shrink one partition and expand the other. Budget was, as always, $0 and uptime was considered critical, so I freed up 4 GiB of space and called it a day. Of that, last week (some 3 years later) I had 2 GiB of free space remaining. The server didn't ever really get any new software installed beyond security updates, and I ran her lean and mean to reduce the chances of some log file going crazy. As I saw it, the remaining 2 GiB of free space would last me to this summer, when I planned to finally shrink the D:\ partition and expand the C:\ partition. It won't make it to then due to some inconsiderate behavior of an outsider.

A company, which will remain nameless for now, decided it was OK for them to do an automatic update of their software without telling me. Not only did they not tell me, they didn't announce it at all ahead of time, even on their website. The software also doesn't have the option to disable automatic updates, and the fact that it can do automatic updates isn't even a listed feature. The software in question uses Microsoft SQL Server for the backend. Why? I dunno. I guess they thought that was a good idea (I disagree with that conclusion); it didn't use a SQL backend two revisions ago. Part of the upgrade included a forced upgrade to MS SQL Server 2008 (we were on MS SQL Server 2005)... That might be acceptable if I lived in an ideal world where each server only had a single role, but I don't, because working for a small business I don't have that kind of budget. The server in question was an archive server for patient records, and that functionality also used MS SQL Server. The update also required .NET Framework 4.0, which I had no need for up to then, so I didn't have it installed (free space being at a premium, after all).

None of this would have been a problem had I been given prior notice of the update. If I had been told ahead of time that this update was coming, I could have done something about it, and there would be no issue. Instead, due to the company's inconsiderateness, I find myself with... 85 MB of free space on the C:\ partition. The .NET Framework update was also still running and complaining about a lack of free space (obviously). I had to cancel that. Next step was getting myself some breathing room and calling the company up. They gave me the usual company blah about it and didn't even apologize for not telling me about the upgrade beforehand. They told me they couldn't revert the upgrade, so my only option was to clear up the space myself or uninstall the software.

Uninstalling it is very tempting, but I'll need to get my boss's approval before I can do that. In the meantime, I have a good feeling that the software is hosed and useless. The services related to it wouldn't start up, so I disabled them, crippling the software to dead status anyway, so at least it's not a further threat. I scavenged for free space and was able to get back to a bit over 800 MB. At least now it won't fall over from a single hiccup. That'll buy me the time to defrag the other partition (which is running smoothly so far, but since it was an archive server, still has a ways to go), shrink it, and expand the C:\ partition. If my boss doesn't approve some spending, that'll mean downtime as I boot off GParted to shrink. I'll expand the C:\ partition with extpart from Dell so Windows doesn't get too grouchy.

A number of factors led to the current situation, but the one thing that definitely shouldn't have been the case, and would have made a world of difference, is that I wasn't told about this major upgrade beforehand so I could prepare for it.

At least Spiceworks is doing its job properly.

Thursday, February 14, 2013

Blog Status Update

It's been about a week and a half since my last blog post, so I thought I'd fill everyone in on what's going on. I knew this would happen eventually, but was hoping I'd have been able to post a bit more before it does.

I'm juggling school, work, this blog, and a few other projects right now. At the beginning of the semester it wasn't an issue, as school work wasn't very demanding. Now, though, school work is requiring more and more of my time. I'm a straight-A student and would like to maintain that, as such I need to focus on my studying and so had to cut back on my blogging. On top of that I got sick and am going back and forth to the dentist, taking up even more of my free time. Oh, and my first midterms are the next two weeks.

I definitely won't be able to continue a post a day like I did for that little bit, but I am going to try to do one or two posts a week. I have plenty I'd like to post about, but it's too time consuming to do so right now. In the immediate future, though, this blog is going to be running at a lower priority than I'd otherwise put it at. It's school, work, one of my other projects, and then this blog. Hopefully in two weeks' time I will be able to pick up the pace again. Until then, I might be able to accomplish one a week; we'll see.

I'm still getting my feel for blogging, too, so I definitely haven't worked it into my schedule yet. In the meantime we'll just see how this all goes.

Sunday, February 3, 2013

Wake-on-LAN

Wake-on-LAN is one of those technologies that I love, and one I think doesn't get enough attention. I guess it's a bit geeky still.

The actual technology is hard to understand if you've never done any networking, but basically it works on layer 2 (MAC addresses) only. The magic packet is sent to everyone (broadcast), but only the intended device says "Oh, that's for me" and turns on the PC it's attached to. I always found it funny that it's called a magic packet. The "magic" part was fitting before I had a better grasp on networking, but, incidentally, now that I do understand networking better, the "packet" part makes less sense (since it uses layer-2 Ethernet frames, not IP packets). You can read up more about the technical side over at Wikipedia.

Wake-on-LAN Setup

In order to implement Wake-on-LAN you need to meet a few requirements:
  1. You need to use a wired (Ethernet) connection. There is a wireless implementation known as WoWLAN, but it doesn't have much market penetration and has even more requirements than WoL.
  2. Your BIOS/UEFI needs to support Wake-on-LAN (not all do)
  3. Your NIC needs to support Wake-on-LAN (not all do)
  4. Your OS needs to support Wake-on-LAN so you can manage it (AFAIK, all modern ones do)
To this day I regret the fact that I didn't consider support for WoL when building my current PC. I will never again build a PC that doesn't support Wake-on-LAN. MeetGadget allows you to sort by motherboards with this feature supported. Don't make my mistake in buying a motherboard that doesn't support it if you love WoL, as you will regret it.

BIOS implementation varies from one system to another. It's usually under the power settings, named something along the lines of "LAN wake-up" or "Power on LAN". Sometimes "Wake on PCI" and the like can be used, but those are usually for when a separate PCI device (like a PCI NIC) sends the wake-up command.

If you don't find one of those options in your BIOS, your BIOS probably doesn't support the feature. It sometimes becomes available in a later version of your BIOS, but not usually.

Your NIC either will or will not support it. There's not much you have to do here. Really all you can do is verify that it supports Wake-on-LAN, which is done most easily by checking the documentation for your NIC.

On the Software/OS side, you'll need to tell the device it's ok to respond to Wake-on-LAN (and thereby allow your PC to turn on). I once was beating my head for hours because I thought I had configured this, but hadn't and the PC was refusing to turn on.

On Windows this is done by launching

devmgmt.msc

Then expand "Network adapters", right-click on the NIC you are using, and select Properties.


Click on the Advanced tab. The options may differ depending on your NIC, but for Realtek NICs the option is usually called "Shutdown Wake-On-Lan". Make sure that is enabled. You should also make sure "Wake on Magic Packet" is enabled. Other names I've seen are "Network Wake-up", "Wake on Magic Packet", and other variations along those lines.


Now head over to the Power Management tab and make sure "Allow this device to wake the computer" is checked. Optionally check the box below it about allowing only magic packets to wake it up (otherwise the device may respond to any Ethernet frame directed at it instead of only to magic packets).


On Linux, you'll use a tool called ethtool; here's Debian's official documentation of it.

On Mac OS X, at least on Snow Leopard, it was:

System Preferences -> Energy Saver panel, and make sure "Wake for network access" is selected.

Sending WoL Packets

Now that the system is all set up, you'll probably want to do all sorts of cool stuff with it. While WoL itself is layer-2, most tools that send the packet will operate on Layer-3 and 4 (usually using UDP packets to encapsulate the magic packet).
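To make the "magic packet" concrete, here is an added Python example (assumed file name wol.py; it is not code from this post or from the wakeonlan tool). It builds the packet exactly as described above (six 0xFF bytes followed by the target MAC repeated 16 times), broadcasts it over UDP the way wakeonlan does, and, looking at it from the receiving side, recognises a magic packet inside a captured UDP payload. That last check is the test a NIC applies to incoming frames, and it is also the shape a detection rule takes if you want to know which hosts on your LAN are being woken and by whom, which matters because a plain magic packet carries no authentication: anyone who can reach the broadcast domain (or the router forwarding trick described below) can send one. The MAC address and payloads used in the test are constructed.

```python
import re
import socket
import sys

WOL_PORT = 9                 # UDP "discard" port; 7 is the other common choice
SYNC_STREAM = b"\xff" * 6    # the six 0xFF bytes that open every magic packet


def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return 6 raw bytes."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % text)
    return bytes.fromhex(digits)


def format_mac(raw):
    """Render 6 raw bytes as lower-case colon-separated hex."""
    return ":".join("%02x" % b for b in raw)


def build_magic_packet(mac):
    """Magic packet body: 6 x 0xFF followed by the target MAC repeated 16 times (102 bytes)."""
    return SYNC_STREAM + parse_mac(mac) * 16


def find_magic_packet(payload):
    """Return the target MAC if a well-formed magic packet appears anywhere in payload,
    else None. The sync stream may sit at any offset, and a 6-byte SecureOn password
    or other trailing data may follow the 16 MAC repetitions."""
    start = payload.find(SYNC_STREAM)
    while start != -1:
        body = payload[start + 6:start + 6 + 96]
        if len(body) == 96 and body == body[:6] * 16:
            return format_mac(body[:6])
        start = payload.find(SYNC_STREAM, start + 1)
    return None


def send_magic_packet(mac, broadcast="255.255.255.255", port=WOL_PORT):
    """Broadcast the packet over UDP the way wakeonlan does; returns the byte count sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    # usage: python wol.py 00:11:22:33:44:55 [broadcast address]
    target = sys.argv[1]
    bcast = sys.argv[2] if len(sys.argv) > 2 else "255.255.255.255"
    print("sent %d bytes for %s" % (send_magic_packet(target, bcast), target))
```

Because the broadcast is at layer 3, the sending host has to be on the same subnet as the sleeping machine (or use the subnet's directed broadcast address); that is exactly the gap the router-side forwarding below fills.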

wakeonlan is a command-line Linux tool that I use (it's also available for Mac OS X via MacPorts). You should be able to pull it from your repos. The majority of wired computers at my work support Wake-on-LAN due to my concentrated efforts in making sure they do. I often do remote work at night on the computers, doing this and that. I just ssh in, turn on all the PCs with wakeonlan, and then control them through various methods, primarily ssh-tunneled RDP (as most are Windows 7/XP Pro computers). I like to imagine the look on someone's face if they were in the office and all of a sudden all the computers around them started powering up.

There are two Windows tools worth mentioning. MC-WOL is a command-line tool. I like to script WoL sends, so command-line tools like this one and wakeonlan for Linux are useful to me. If you want a GUI, though, there is WOL - Magic Packet Sender.

You can send WoL packets from DD-WRT/Tomato and the like too, from the web GUI and the command line. More importantly, you can set it up so that incoming packets automatically cause the router to send a WoL packet to your device. Very useful for sending WoL when outside your LAN: you can then turn your PC on from anywhere with an Internet connection.

iPhones can send Wake-on-LAN via Mocha WOL. Unfortunately Apple, in their infinite "wisdom", doesn't allow this to be automated on certain external events.

Android has two big options: PcAutoWaker and Wol Wake on Lan Wan.

PcAutoWaker will allow your phone to automatically send a magic packet on connecting to a wireless network. Imagine this, if you would: you just pulled into your driveway, and by the time you get in the house your PC is already fully booted up. Now that is a beautiful thing to me.

Wol Wake on Lan Wan isn't as cool out of the box, but has some useful features: you can set up widgets for your devices to make sending magic packets easier, and even better: it can be incorporated in Tasker/Locale very easily. This allows for one very interesting thing: Sending WoL packets when your alarm goes off in the morning (note: I don't know if Locale has a similar event trigger). Imagine if you will, your alarm goes off. You're groggy and either hit snooze or turn it off and start getting up. In either case, by the time you reach your PC, it's already booted up. Ah, how wonderful.

That's why I love Wake-on-LAN: it allows for two things I love: saving power (leave PCs off and just turn them on remotely when you need them) and automation (I don't turn on my PCs, they're automatically turned on based on my actions). It's a beautiful thing, it's a simple thing, and it makes my life easier and more environmentally friendly. What could you possibly not like?

Saturday, February 2, 2013

Locking Down Wifi on Windows without Active Directory

This is a cool trick I've learned recently, and it doesn't seem easily found through Google (but if you know of netsh, you may be able to discover it).

Windows management is best done through group policy, or at least most easily done through it. In fact, you can blacklist/whitelist wifi networks via group policy for Windows Vista+. The problem is that it's only available via AD group policy, not local group policy. At work I don't have Active Directory (but am hoping to by the end of the year), so I can't use this. Still, I'd like to block wifi networks on our wifi-enabled Windows computers. My desire for this came from the fact that someone in the office thought it'd be all right to take a laptop without permission for the purpose of working on public wifi during lunch. As a rule, laptops shouldn't just be taken without properly being checked out, but sometimes people think something not-OK is OK. Luckily the person didn't end up using the laptop on who-knows-what public wifi network, but it was a close call and made me look into this.

I found out it was possible with a couple of ye olde netsh commands. I'll show them off on my crappy laptop with a dead battery that I never use because I hate laptops (maybe I'll go into that another time). Before firing them off on my laptop, Windows saw these wireless networks:


Donnerschlag is my wireless network, so let's make it so that's the only option for this laptop to connect to. Open up the command prompt as administrator:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\windows\system32>netsh wlan add filter permission=denyall networktype=adhoc
Followed by:
C:\windows\system32>netsh wlan add filter permission=denyall networktype=infrastructure
That will block all wireless connections; let's see what Windows says:


Looking good, but now I need to add my whitelisted connections:
C:\windows\system32>netsh wlan add filter permission=allow ssid=Donnerschlag networktype=infrastructure
Aaaaand now:


Success! Here are some other useful netsh commands for wireless networks:

Show current filters:
netsh wlan show filters
Which returns something like:
Allow list on the system (group policy)
---------------------------------------
    

Allow list on the system (user)
-------------------------------
    SSID: "Donnerschlag", Type: Infrastructure

Block list on the system (group policy)
---------------------------------------
    

Block list on the system (user)
-------------------------------
    SSID: "", Type: Adhoc
    SSID: "", Type: Infrastructure
You may want to blacklist just certain wireless networks instead. This is done by setting the ssid as appropriate and the permission to block:
netsh wlan add filter permission=block ssid=somewifinetwork networktype=infrastructure
There's also the ever-important delete filter command. The syntax after netsh wlan delete filter needs to match the syntax you used to add that filter.
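Since netsh prints the filter list in the fixed layout shown above, it is straightforward to check from a script whether the whitelist is actually in place on a given laptop (from a login script or an inventory pass, for instance, while there is no AD to enforce it). The following is an added Python example, not code from this post and not part of netsh: it parses that listing, reports anything that deviates from "denyall plus exactly these SSIDs", and builds the same three netsh commands as argv lists. SAMPLE_SHOW_FILTERS is copied from the listing above so the parser can be exercised offline; SSIDs are assumed to contain no spaces, and current_filters() obviously only works on Windows from an elevated prompt.

```python
import re
import subprocess

# Constructed sample: the 'netsh wlan show filters' output from this post,
# embedded so the parser and the check can run without a Windows machine.
SAMPLE_SHOW_FILTERS = """\
Allow list on the system (group policy)
---------------------------------------
    

Allow list on the system (user)
-------------------------------
    SSID: "Donnerschlag", Type: Infrastructure

Block list on the system (group policy)
---------------------------------------
    

Block list on the system (user)
-------------------------------
    SSID: "", Type: Adhoc
    SSID: "", Type: Infrastructure
"""

SECTION_RE = re.compile(r"^(Allow|Block) list on the system \((group policy|user)\)\s*$")
ENTRY_RE = re.compile(r'^\s*SSID: "(.*)", Type: (\w+)\s*$')


def parse_show_filters(text):
    """Map (list, scope) -> [(ssid, type), ...]. An empty SSID is how netsh
    displays a denyall filter for that network type."""
    filters = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            filters[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            filters[current].append((m.group(1), m.group(2)))
    return filters


def check_lockdown(filters, allowed_ssids):
    """Return a list of findings; an empty list means the whitelist policy is in effect.
    Group-policy and user-level filters both count, since either one applies."""
    findings = []
    blocked = filters.get(("Block", "user"), []) + filters.get(("Block", "group policy"), [])
    for net_type in ("Infrastructure", "Adhoc"):
        if ("", net_type) not in blocked:
            findings.append("no denyall filter for %s networks" % net_type.lower())
    allowed = filters.get(("Allow", "user"), []) + filters.get(("Allow", "group policy"), [])
    present = {ssid for ssid, _ in allowed}
    for ssid in sorted(set(allowed_ssids) - present):
        findings.append("expected SSID %r is not on the allow list" % ssid)
    for ssid in sorted(present - set(allowed_ssids)):
        findings.append("unexpected SSID %r is on the allow list" % ssid)
    return findings


def lockdown_commands(allowed_ssids):
    """The netsh commands from this post as argv lists: deny everything, then allow each SSID."""
    cmds = [["netsh", "wlan", "add", "filter", "permission=denyall", "networktype=adhoc"],
            ["netsh", "wlan", "add", "filter", "permission=denyall", "networktype=infrastructure"]]
    for ssid in allowed_ssids:
        cmds.append(["netsh", "wlan", "add", "filter", "permission=allow",
                     "ssid=%s" % ssid, "networktype=infrastructure"])
    return cmds


def current_filters():
    """Run 'netsh wlan show filters' on this machine (Windows, elevated) and parse it."""
    out = subprocess.run(["netsh", "wlan", "show", "filters"],
                         capture_output=True, text=True, check=True).stdout
    return parse_show_filters(out)


if __name__ == "__main__":
    for problem in check_lockdown(current_filters(), {"Donnerschlag"}):
        print(problem)
```

Running the script on a machine where someone removed the denyall filters, or added their own SSID to the allow list, prints one line per deviation and nothing when the policy matches, which makes it easy to feed into whatever monitoring you already have (Spiceworks, in my case).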

TechNet Library for Netsh wlan

Friday, February 1, 2013

Colors, Coding, and Consoles!

Who doesn't like alliteration? After sharing how I got prettify working the way I wanted, I thought I'd share some of my other color and font schemes.

Fonts:

When it comes to writing code and consoles, nothing beats monospace fonts in my book. When you're staring at code, a good monospace font can make all the difference. There are a few monospace fonts I love:

  • DejaVu Sans Mono (Download) is by far my favorite monospace font that I've ever used and my current font for Console2, Windows CMD (when possible and where Console2 is not installed), Notepad++, Linux terminals, and PuTTY. The only two things I'm not overly thrilled about in DejaVu Sans Mono are the @ sign and the i. I'd rather have the ones from Monaco.

  • DejaVu Sans Mono has two sister fonts: Menlo and Bitstream Vera Sans Mono. I only recently found out about Menlo (while setting up Prettify.js -- see my last article) because it's Mac OS X-only. There is a derivative font of it called Meslo that you can get from GitHub. I've not used it personally. Bitstream Vera doesn't have the same character support of DejaVu Sans Mono, just an FYI. To see a comparison between DejaVu Sans Mono and Menlo, go here

  • Monaco is a really nice font and I envy the @ sign and lowercase i from it. Overall I prefer DejaVu Sans Mono, though. It's a good all-around monospace font.

  • Anonymous Pro is an upgraded version of Monaco that takes better advantage of ClearType, for those who like it. I keep meaning to give this font a real run-down, but haven't yet. It looks really promising, though.

  • Consolas was the first awesome monospace font Windows has shipped. The one problem is that it absolutely has to have ClearType/subpixel rendering to be usable, as without it the font looks like crap. Be aware of that if you don't like having ClearType on while coding.

  • Inconsolata is a font based on Consolas. It does a better job at handling being displayed without ClearType/Subpixel rendering, but the @ sign is worse in my book, and it still doesn't do a great job.

  • Crystal is another really nice monospace font. I, as with Anonymous Pro, just haven't given it a proper chance.

  • Droid Sans Mono is a font from Google created for Android. It's actually a really nice all-around font and I really like it except for one thing: the 0 and O are hard to distinguish since the 0 doesn't have a slash or a dot in the center. If it wasn't for that one thing, I think it'd replace DejaVu Sans Mono as my font of choice. If that doesn't bother you, I highly recommend this font.

Coding:

I do almost all my coding in Notepad++ or in a command-line text editor over SSH. Since I'll include my SSH color schemes in the console section, I will only bother with Notepad++ here.

I personally use a slightly modified version of Obsidian, which is a theme included by default.

First, naturally, I changed the font to DejaVu Sans Mono. This is done by going to Settings -> Style Configurator.


I made two changes to the coloring. I manually edited the theme's XML file and changed all instances of fgColor="E0E2E4" to fgColor="BBBBBB". It's a big pain to do this through the Style Configurator, and much faster to use Notepad++'s "Replace All" functionality after opening up obsidian.xml. The other change is that I made the background color a bit darker. This can be done in the Style Configurator: just change the background color to RGB 45,45,45 (#2d2d2d, but you can't enter hex) and make sure to check "Enable global background color" (see above). The end result is:

Which I think is very nice. I recently found out about Tomorrow Night Eighties (which I use on here for prettify.js) and Tomorrow Night exists for Notepad++. I've been thinking about modifying it to look like eighties and using it instead of Obsidian, but haven't done so yet.

Consoles

The Windows command prompt offers basic customization options.

To change the colors, right-click the title bar and select Properties, then go to the "Colors" tab.

As you can see, I use a background color of RGB 32,32,32. I use a text color of RGB 187,187,187. The popup text is what you see if you press F7 with the command prompt open. It's the old-school way of pulling up your command history. I never use this, so I never bothered coloring it.

For the font, I use DejaVu Sans Mono when possible. Changing the font to the likes of DejaVu Sans Mono in the native cmd on Windows requires a registry edit. Here are some instructions. Note: you don't need to reboot; a simple log-out is sufficient. On Windows 7, you don't even need to do that: just close all open command prompts, and when you open a new one the option to use DejaVu will be available. The registry entry:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont]
"000"="DejaVu Sans Mono"

I find that the font cannot be changed if you have certain non-Unicode language settings. That was the case for me (Japanese is my non-Unicode language).

   

An alternative wrapper for the Windows CMD is Console2. I actually recommend Console2 over CMD anyway, as it offers many more nice features like tabbed terminals, better resizing and copy/pasting, and it can also run PowerShell. You can download it from SourceForge; just make sure to download the 64-bit build if you use 64-bit Windows. Once again, I use RGB 32,32,32 for the background color, RGB 187,187,187 for the text color, and DejaVu Sans Mono for the font. You change the font and font color under Edit -> Settings -> Appearance, and the background color under Edit -> Settings -> Tabs -> Background. I also use the xterm cursor with RGB 164,240,79 as the color.

Finally there is PuTTY. PuTTY is a bit of a pain to configure color-wise, because it uses the registry instead of a simple config file.

Anyway, my configuration is as follows (Note: don't forget to save the configuration after making the changes!):

Font = DejaVu Sans Mono, Font size: 10px.
Default Foreground = 187,187,187
Default Bold Foreground = 163,163,163
Default Background = 32,32,32
Default Bold Background = 85,85,85
Cursor Text = 32,32,32
Cursor Colour = 147,199,99
ANSI Black = 28,28,28
ANSI Black Bold = 85,85,85
ANSI Red = 215,85,90
ANSI Red Bold = 223,117,125
ANSI Green = 115,185,115
ANSI Green Bold = 147,199,99
ANSI Yellow = 251,194,0
ANSI Yellow Bold = 225,222,89
ANSI Blue = 103,140,177
ANSI Blue Bold = 124,168,211
ANSI Magenta = 188,122,188
ANSI Magenta Bold = 187,134,223
ANSI Cyan = 91,205,215
ANSI Cyan Bold = 64,150,236
ANSI White = 187,187,187
ANSI White Bold = 215,215,215

End result? It's not perfect, but very close in my book (some of the colors are a bit closer to each other than I'd like, and Cyan is still a bit of a pain):



All in all, I'm pretty happy with my colors and fonts. It makes prolonged use of the console and long coding sessions much more pleasant than the default settings, IMO.

Thursday, January 31, 2013

Prettify.js Perfection and Decade-Old Bugs

I'm a bit of a perfectionist, as many people who know me will tell you, so naturally I wanted to get prettify.js working exactly the way I want it to. It ended up being a bit more work than I predicted, but a lot of fun.

I already documented my experience with getting overflow working properly in Opera; here's the full documentation on my prettify.js implementation:

Adding it to Blogger is simple; it's just a few lines inserted in the header:
<link href='http://google-code-prettify.googlecode.com/svn/trunk/src/prettify.css' rel='stylesheet' type='text/css'/>
<script language='javascript' src='http://google-code-prettify.googlecode.com/svn/trunk/src/prettify.js' type='text/javascript'/>
<script language='javascript' src='http://google-code-prettify.googlecode.com/svn/trunk/src/lang-css.js' type='text/javascript'/>
<script type='text/javascript'>
    document.addEventListener('DOMContentLoaded',function() {
        prettyPrint();
    });
</script>

I wanted alternating line colors, which is simple enough: just add the class linenums to the pre tag and prettify throws the code in an ordered list. Prettify by default only numbers every 5th line, which I wasn't all that thrilled about, so I customized it by overwriting the prettify CSS on my blog. Blogger doesn't allow uploading a css file, so it's all inline in the header, which kinda sucks from a management perspective, but it could be worse. I also wanted to add a line between the numbers and the code to better separate them, that too was simple.

One thing that was a bit tricky was getting alternating line colors to play nice with my overflow. I did quite a bit of Googling before I found out the answer on StackOverflow. Apparently the problem has to do with ordered lists being block elements. Making them display:inline-block took care of it.

Below is my CSS for prettify:
#main-wrapper pre {
    overflow-wrap: normal;
    word-wrap: normal;
    overflow: auto;
    max-height: 800px;
}
ol.linenums {
    display:inline-block !important;
    margin-right: 0px;
}
ol.linenums li {
    border-left: 1px solid #a0e66a;
    padding-left: 5px;
    padding-right: 5px;
}
ol.linenums li.L0, ol.linenums li.L1, ol.linenums li.L2, ol.linenums li.L3, ol.linenums li.L5, ol.linenums li.L6, ol.linenums li.L7, ol.linenums li.L8 {
    list-style-type: decimal;
}
Finally I wanted to add an option for people to remove the line numbers via a toggle if they don't like them, which was a simple JavaScript implementation:
<script type='text/javascript'>
    //<![CDATA[
        function toggle_visibility() {
            'use strict';
            var list, count;
            list = document.querySelectorAll('ol.linenums');
            count = 0;
            while(count < list.length) {
                if(list[count].style.paddingLeft === '0px') {
                    list[count].style.paddingLeft = '40px';
                } else {
                    list[count].style.paddingLeft = '0px';
                }
                count += 1;
            }
            return;
        }
    //]]>
</script>
With that, I'm pretty happy. I try to always do vanilla javascript instead of using jQuery. Not that there is anything wrong with jQuery: I just prefer to have my code work with as few dependencies as possible. Just call the javascript function with a <a href="#" onclick="toggle_visibility();return false;">Toggle Line Numbers</a> and it's all done.

After that I went around just checking everything out. I copied the script from Firefox into Notepad and was dismayed to see that all the whitespace didn't copy over! Apparently there is a decade-old bug in Firefox where it won't copy whitespace in certain instances even when it is rendered in the browser. One such instance appears to be ordered lists inside a pre tag. I didn't know that before, though it would explain why PasteBin doesn't do a simple pre tag of an ordered list (it's quite complicated; you should take a look at their page source some time). Opera does it fine and always has since I started using it. I decided to see how other browsers handled it. Chrome did fine with whitespace too; I had no problem copying my script perfectly in Chrome. Then I tried Internet Explorer... Oh man, it was bad. It pasted the entire thing as one giant line. You see, I'm using the pre tag to the fullest: I'm not bothering to declare line breaks in HTML, since pre tags will honor them natively. Internet Explorer isn't just too stupid to copy whitespace in pre tags, it's too stupid to even copy newlines!

I found it quite entertaining and educational. I do hope that Firefox bug is fixed soon. I couldn't imagine using Firefox as my daily driver with that bug. IE? Talk about a nightmare. Anyone who stumbles upon this looking for an implementation of prettify.js on Blogger, I hope you found it helpful.

EDIT: As you may have noticed, I actually changed my mind after posting this. I'm now using a different theme for prettify.js: Tomorrow Night Eighties (adding "DejaVu Sans Mono" and "Bitstream Vera Sans Mono" as fallback fonts for a more uniform cross-platform rendering). My reason for doing this? The whiteness of non-linenums prettyprint is far too harsh. At the same time, I don't like how bad that bug about whitespace copying in Firefox ended up being. I don't want to penalize Firefox users, so I found a theme that's not so harsh on the eyes (IMO). You should now be able to copy the code posted on here in Firefox with whitespace intact. I'll leave the notes about the old way of doing things up here in case they are useful to anyone else.

Wednesday, January 30, 2013

Doing things the hard way and overflow-wrap

Last night I posted a script for GIMP. Naturally, I'd want syntax highlighting and no word wrapping, so I used the pre tag along with prettify. I posted it and was quite happy. Then I checked it in Opera and found the text had wrapped. I couldn't figure out why; I know pre should keep text from wrapping, and Opera doesn't wrap other pre tags. I thought I was going insane! I spent an hour looking into it, but just couldn't figure it out. Everywhere else using overflow: auto, Opera would properly add the scrollbar and not wrap pres. I couldn't find anything in my CSS that would be causing pre to wrap. I even explicitly told it to treat the content like pre, and it still wrapped.

Finally I took a look at the computed stylesheet thanks to Opera Dragonfly. I really should have done this from the beginning. I don't know why I didn't. I found a CSS property I'd never heard of before: overflow-wrap. It was set to break-word. I'm no web designer, so there's plenty of CSS I'm unfamiliar with. Naturally I Googled it and found it's a new property that replaces word-wrap (word-wrap remains for legacy reasons). I still don't know where it came from; I'll look into that later today if I get the chance. In the end I spent about an hour looking for something that would have been much easier to find if I had gone about it the right way, and it was a simple fix: all I had to do was put overflow-wrap: normal; in my CSS and it all worked properly.

Why all this effort for Opera? Well, Opera is my browser of choice, so I naturally want my blog to work perfectly in it. I test my site in Opera and Firefox. I'll probably install Chrome to make sure it works fine in there too, but for now just Opera and Firefox. IE I don't bother with, but last night I took a look at it and it too was wrapping because of overflow-wrap. It makes me wonder why Firefox wasn't wrapping due to overflow-wrap. I wonder if Firefox is doing some things different with CSS3...

Anyway, in conclusion, it's amazing how simple something is when you look at what actually is being done and use logic :P Though I'm still having a bit of trouble getting alternating line colors to work with prettyprint when using scroll overflow.

Tuesday, January 29, 2013

GIMP Script: Save as PNG

At my office, we have a few really cool fundus cameras. Well, I think they're cool anyway. Before I got there, they used to use CF cards to transfer photos from the Nidek NM200D (our fundus cameras) to a computer. This was not without problems: sometimes files wouldn't save right, the cameras produced really huge uncompressed tiffs, so not much could be stored, and a few other problems. The NM200D is supposed to be capable of transferring files via USB. Unfortunately, the software designed for it was really bad and unfriendly -- I could never actually get it to work. The drivers seemed fine, though. They are standard TWAIN drivers (but it still called itself a camera...), so I went to find a good solution that would meet my budgetary requirements ($0). There were a few contenders, but I settled on GIMP because it was open source (which I do so love) and would allow the doctors to import photos in quick succession while naming each individually.

We started out with GIMP 2.6. As you may know, GIMP 2.8 changed the way it handles saving: Save only writes the native XCF format, and for every other format you have to Export. That's not something that would fly well with the doctors. It's made worse by the fact that exporting to an image file without saving leads to a "scary" warning about unsaved content. There was no real reason to upgrade anyway, so I stayed on 2.6 and worked on other things.

Fast forward to today. I'm in the planning stages of upgrading the computers the fundus machines are connected to, as it's finally time to finish the Windows 7 migration at the office. The cameras actually seem to work great with Windows 7; I was afraid they might not play so kindly with it (though it does have to be 32-bit Windows 7). Judging from testing so far they actually work better: with XP they would only work with USB 1.1 (or fake USB 1.1 by disabling the 2.0 drivers, causing Windows to fall back on legacy 1.1 support), but with 7 they seem to work fine with native 2.0. Naturally with an upgrade I'll want to use the latest software like GIMP 2.8, so I looked for solutions to the export problem. I found this "Save as JPG" script. For fundus photos, though, I'd rather have them saved in lossless PNG. I'd also like basic overwrite protection to keep the doctors from accidentally overwriting other fundus photos. A little bit of reading of some GIMP and PyGTK documentation (I had never written a plugin for GIMP or used PyGTK), and I had what I wanted: basic options for saving as PNG, plus overwrite protection when saving newly created files. Below is the code:

PasteBin
#!/usr/bin/env python

# save_as_png.py
# Provides a simple menu option to save as PNG with
# basic save options and overwrite warning for newly created files.
# Tested in GIMP 2.8.2 on Windows 7 (64 and 32-bit)
# Contact: Kevin Thomer (Defron) | http://blog.defron.org/
# Provided free and as-is under GPL v2.
#
# Based off of:
#
# save_as_jpg.py
# version 1.0 [gimphelp.org]
# last modified/tested by Paul Sherman
# 12/20/2012 on GIMP-2.8
#
# ==== Original Information ====================================================
# Save or export the current image -- do the right thing whether it's
# XCF (save) or any other format (export). This will mark the image clean,
# so GIMP won't warn you when you exit.
# Warning: this does not show a lot of extra dialogs, etc. or warn you
# if you're about to overwrite something! Use with caution.
#
# Copyright 2012 by Akkana Peck, http://www.shallowsky.com/software/
# You may use and distribute this plug-in under the terms of the GPL v2
# or, at your option, any later GPL version.
# ========================================================

from gimpfu import *
import gtk
import os


def python_export_clean(img, drawable, interlace, background, compression):
    filename = img.filename
    # These typecasts aren't really necessary in Python, just a habit of mine
    bg = int(background)
    interlacing = int(interlace)
    # fullpath = pdb.gimp_image_get_uri(img)
    # pdb.gimp_message(filename)

    if not filename:
        # Newly created image (e.g. just imported from the camera): ask for a
        # name, and let GTK's own overwrite confirmation guard existing files.
        chooser = gtk.FileChooserDialog(
            title=None, action=gtk.FILE_CHOOSER_ACTION_SAVE,
            buttons=(gtk.STOCK_CANCEL, gtk.RESPONSE_CANCEL,
                     gtk.STOCK_SAVE, gtk.RESPONSE_OK)
            )
        # save folder will be desktop
        save_dir = os.path.join(os.path.expanduser('~'), 'Desktop')
        chooser.set_current_folder(save_dir)
        chooser.set_current_name("UNTITLED.png")
        chooser.set_do_overwrite_confirmation(True)

        png_filter = gtk.FileFilter()
        png_filter.set_name("Save as png")
        png_filter.add_pattern("*.png")
        chooser.add_filter(png_filter)

        response = chooser.run()
        if response != gtk.RESPONSE_OK:
            # user cancelled: close the dialog and leave the image untouched
            chooser.destroy()
            return
        filename = chooser.get_filename()
        chooser.destroy()
        img.filename = filename

        # file_png_save(image, drawable, filename, raw_filename, interlace,
        #               compression, bkgd, gama, offs, phys, time)
        pdb.file_png_save(img, drawable, filename, filename,
                          interlacing, compression, bg, 0, 0, 1, 1)
        pdb.gimp_image_clean_all(img)

    else:
        # Image already has a name: write <name>.png beside it. The active
        # drawable is exported through a temporary copy so the open image
        # is never altered; no overwrite prompt is shown in this branch.
        base = os.path.splitext(filename)[0]
        newname = base + ".png"

        pdb.gimp_edit_copy(img.active_drawable)
        image2 = pdb.gimp_edit_paste_as_new()
        pdb.file_png_save(image2, image2.active_drawable, newname, newname,
                          interlacing, compression, bg, 0, 0, 1, 1)
        pdb.gimp_image_delete(image2)
        pdb.gimp_image_clean_all(img)


register(
        "python_fu_save_as_png",
        "Save the image as a PNG file, set interlacing & saving bg color\n\nFor more options and a proper file overwrite protected dialog, \nuse the FILE > EXPORT menu item when saving as a PNG.\n\n",
        "",
        "Kevin Thomer (Defron)",
        "GPL",
        "2013",
        "Save as PNG",
        "*",
        [
            (PF_IMAGE, "image", "Input image", None),
            (PF_DRAWABLE, "drawable", "Input drawable", None),
            (PF_TOGGLE, "interlace", "Interlacing (Adam7)", 0),
            (PF_TOGGLE, "background", "Save background color", 1),
            (PF_SLIDER, "compression", "Set the PNG Compression Level", 9, (0, 9, 1))
        ],
        [],
        python_export_clean,
        menu = "<Image>/File/Save/"
)

main()

It only has basic options, but that actually works out better for the doctors (simpler). It has one more benefit: before, the doctors would occasionally save fundus images as GIMP XCF files by accident; with the new method it'll always be PNG. A real win-win.

One thing to note: this will only export the current layer, it doesn't flatten the image or anything. It's not really a problem in my case since the images are imported one at a time and saved separately, so I didn't bother looking into merging or flattening.

Monday, January 28, 2013

OpenVPN Server on Windows

UPDATE: Every once in a while someone reaches out to me about this and asks if I have any plans to update it. I no longer use Windows as my primary OS (I switched to Linux) and no longer use OpenVPN either. The guide below may have issues, especially on Windows 10, which I don't use.

OpenVPN is a wonderful VPN system, but it's not so simple to set up on Windows. When I first created this how-to, there wasn't a cohesive and precise set of instructions on how to get an OpenVPN server working on Windows such that Windows clients could have all their traffic go through the VPN (the alternative, split tunneling, is where only directed traffic goes through the VPN). I prefer all my traffic going through the VPN when connected; there's less chance of information leaking out.

NOTES:
 1. Throughout this guide I will use two words over and over again: server and client1. Feel free to modify these, but be sure to modify them EVERYWHERE they are repeated. To help you out I bolded and italicized them everywhere you should change them (except in the config files; they need to be changed in those as well).

 2. Everywhere you see quotation marks, it is to signify what you should type (the stuff inside the quotation marks). DO NOT TYPE THE QUOTATION MARKS UNLESS OTHERWISE SPECIFIED!

 3. I know this seems long, but it really isn't; I just broke everything down into the most basic steps I could and explained everything as thoroughly as I can. In the end it pays off: you have a secure multi-client VPN that definitely beats PPTP in terms of security and robustness.

 4. A relatively common practice with OpenVPN is to configure it to use TCP port 443, as this is the port normally associated with HTTPS, so even the most draconian of firewalls won't block it. I don't cover this; instead I cover OpenVPN using the default port of 1194 UDP. Changing it is simple: just edit the server and client configuration files to use proto tcp and port 443. Make sure to change your forwarded port and firewall rules to match as well.

 5. This guide uses the 192.168.137.0/24 block for the OpenVPN network. This is the default for Internet Connection Sharing (a utility needed to get Internet through OpenVPN on Windows) on Windows 7, which is why I chose it (it should also be the default for Windows Vista, though I cannot test this). On Windows XP, ICS uses 192.168.0.0/24 by default, which isn't very useful for a VPN (it's a popular subnet and would lead to conflicts in various situations). If you wish to change the subnet for OpenVPN, you must change it in the config file for the server as well as for ICS. This can be done through a registry setting: in HKLM\System\CurrentControlSet\services\SharedAccess\Parameters you will need to change ScopeAddress and ScopeAddressBackup to the first IP address in the range you wish to use. I am not certain whether Windows XP can change it or not, but it's worth a shot. Here is a registry file of the 192.168.137.1 ICS configuration; change the network numbers and run it to change to a different subnet (or do it manually). You can also find it on PasteBin.

 6. You will also need to know your public IP address or set up a Dynamic DNS service. You can find your public IP by visiting http://www.whatismyip.com/ from your server. Better is to set up no-ip on your server and use their free dynamic DNS service (it'll work even if your home IP changes). The same is needed for PPTP VPN servers and SSH servers. I will mention this again when we get to the client configuration file.

Pre-Install

This guide assumes two things: You've properly set up a static IP for the will-be server and you have configured any firewall on the will-be server correctly. I will do a quick run-down of how to do this on Windows Vista/7 with Windows Firewall (which are the same in this matter).


Windows Firewall setup:
  1. run wf.msc
  2. Click Inbound rules on the left panel, and on the right panel click "New Rule..."
  3. Select Port for the rule type and click next. Image of steps 2-3 
  4. Select UDP and enter in port 1194 and click next
  5. Select Allow the connection and click next
  6. Select which networks to allow the rule, to be safe, allow for all and click next
  7. Name the rule "openvpn in" (without quotes) and click finish.

Install Process

  1. Download OpenVPN onto the will-be OpenVPN server and run the installer (as administrator if you are using Windows Vista/7)
  2. When you get to the "Install Location" part of the setup, I highly recommend installing it to C:\OpenVPN rather than the default install path, especially on Vista/7, as this will save you headaches. Proceed to finish the install.
  3. Navigate to the installation folder (C:\OpenVPN if you followed my advice), then enter the config folder (C:\OpenVPN\config).
  4. Here, create a file server.ovpn. It should look like this:  http://pastebin.com/wU0MeHKL

    About the server.ovpn configuration file:

    You can modify the port number to any number you want, just remember what you set it to. Same for proto (short for protocol) you can change that to tcp, just remember you did so (udp will give you better performance, but may be blocked on some draconian networks)

    Line 5 is one that may need changing. First, you need to keep "server" as server (it's a configuration directive dictating the VPN server IP range). Later on we'll enable Internet Connection Sharing, and you may need to change 192.168.137.0 to match the IP range forced on you by Internet Connection Sharing (for me this was 192.168.137.0/24, but it may be different for you). I'll remind you of this when we get to Server Configuration.

    You need to specify the DNS servers. I chose OpenDNS as it makes it easy to test whether the tunnel is being used without running something like Wireshark (which is nice), but any DNS server will do.
  5. Open up the command line (As administrator on Vista/7)
  6. type "cd C:\OpenVPN\easy-rsa" (without quotes, everywhere you see quotes from now on, it's to signify what you should type) and hit enter
  7. type "init-config" and hit enter
  8. navigate to C:\OpenVPN\easy-rsa in explorer if you haven't already. find the vars.bat file, right-click it and edit it
  9. Edits to make to vars.bat:

    Mandatory: change HOME path from "%programfiles%\OpenVPN\easy-rsa" to "C:\OpenVPN\easy-rsa" (if you don't do this you will get an error complaining about unable to write random state)

    You also need to fill (found near the bottom of the file):

    set KEY_COUNTRY=
    set KEY_PROVINCE=
    set KEY_CITY=
    set KEY_ORG=
    set KEY_EMAIL=

    Technically, any value will do, including the default ones, but I suggest filling them in with your information.

    You also need to set KEY_NAME and KEY_OU. I usually set name to my name and OU to VPNers just because it's simple.

    -------- DO NOT CHANGE KEY_CN, IT NEEDS TO BE CONFIGURED ON A PER-RUN BASIS ----------
  10. Save vars.bat and return to the command line (reopen it as administrator and navigate back to C:\OpenVPN\easy-rsa if you closed it)
  11. type "vars" and hit enter
  12. type "clean-all" and hit enter (it's normal for this to kick up an error; it just means the folder "keys" didn't exist before it was run)
  13. type "build-ca" and hit enter. This will start the creation process for the ca.crt file. You will be prompted for various things. The default values are fine until you get to COMMON NAME
  14. WHEN YOU GET TO Common Name enter in "server"
  15. type "build-key-server server" and hit enter
  16. Leave the password blank unless you want to read the OpenVPN documentation. Same for company name.
  17. answer "y" to signing and committing to the certificates.
  18. type "build-dh" and hit enter
  19. copy ca.crt, server.crt, server.key, and dh1024.pem from the keys folder in easy-rsa to C:\OpenVPN\config
  20. type "build-key client1" and hit enter
  21. WHEN YOU GET TO Common Name enter in "client1"
  22. Leave the password blank unless you want to read the OpenVPN documentation. Same for company name.
  23. answer "y" to signing and committing to the certificates.
  24. Install OpenVPN on the client computer EXACTLY the same as on the server (ok, it doesn't really need to be exactly the same, I'm just too lazy to tell you what you do and don't need)
  25. copy ca.crt, client1.crt, and client1.key from the server's keys folder to the client computer's OpenVPN config folder (C:\OpenVPN\config if you installed it like I said)
  26. in the config folder on the client, you will need to create a client1.ovpn file. It should look like this:  http://pastebin.com/42ekkJtL
About the client configuration file:

You need to use the same protocol as you specified on the server configuration file.

On line 5, for remote, you need to specify the PUBLIC IP address of the server OR the DNS entry for it. Refer to Note #6 for this information. After the ip address or DNS listing, specify the port. This needs to be the same port as in the server configuration file.

Almost done! Just have some configuration left on the server to go.

Server Configuration

  1. On the server open up services (run services.msc). Find OpenVPN, right-click it and go to properties. Set it to automatic and start it.
  2. Still on the server in services, find Routing and Remote Access (shorthand: RRAS). Set it to automatic and start it. NOTE: In at least a couple of my goes with this, enabling RRAS made the network indicator in the notification tray signify I had no connection; I still had a connection despite being told otherwise. It only happened on a few of my computers, so it may or may not happen to you (if it does, see if you can access any website; if you can, there's no problem).
  3. You will need to modify a registry entry, so open up regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. In there change IPEnableRouter to 1 (default is 0).
    IPEnableRouter.reg file download | PasteBin
  4. You may need to reboot before the registry change takes effect
  5. Still on the server, go Control Panel->Network and Sharing Center and click on "Change Adapter Settings"
  6. If you use my config it is necessary to change the TAP name (as the default name is random). Right-click the adapter that says TAP-Win32 (or WIN-64) Adapter and select "Rename". Rename it to "MyTap".
  7. Right-click the newly-named MyTap and go to properties. Uncheck IPv6 if it's available (Vista/7 + some XP computers with it configured).

    Now we go onto Internet Connection Sharing (ICS) configuration. You may wish to review Note #5 as it covers some details on how to use a different subnet, as well as the "Some Things Very Important To Note" section for possible issues. A reminder is my guide assumes you are using 192.168.137.0/24, which is not the case on Windows XP. Edit as appropriate.
  8. This part is not necessary if you have checked the registry entry for ICS and made sure it is correct for your needs, but is a useful way to double-check as you'll get a warning popup. While still having the MyTap Properties open, Select IPv4 and click properties. Give it a static IP of 192.168.137.1 with a 255.255.255.0 subnet mask.
  9. Right-click your LAN adapter (the one you gave a static IP in step zero) and go to Properties. Go to the sharing tab (advanced on Windows XP) and check "Allow other computers to connect through this computer's Internet Connection"
  10. If there is a drop-down list you can select from, select MyTap. If not, don't worry: that just means you have no other adapters to share with other than MyTap. Image of Steps 9+10
  11. Uncheck the lower box titled "Allow other network users to control or disable the shared Internet Connection" if it is checked.
  12. Click OK. If you did optional step 8 for Server Configuration, you'll get a popup that says something about how MyTap will be set to 192.168.137.1. If yours said a different IP address, you will need to modify server.ovpn to use that subnet (same first 3 sets of numbers, last one a zero) and restart the OpenVPN service, alternatively you can set the ICS network range in your registry. Run this registry file to use the guide's 192.168.137.1 (Pastebin) or configure it manually using regedit and navigating to HKLM\System\CurrentControlSet\services\SharedAccess\Parameters and editing ScopeAddress and ScopeAddressBackup to use the desired IP address range (you specify the first IP address in the range). You can check to make sure that the IP address for MyTap is correct by running ipconfig /all in the command line and making sure it matches that in your server.ovpn config file.
Now you just need to port forward for OpenVPN so you can access it over the Internet.

Client Configuration

  1. Still on the client, go Control Panel->Network and Sharing Center and click on "Change Adapter Settings"
  2. If you use my config it is necessary to change the TAP name (as the default name is random). Right-click the adapter that says TAP-Win32 (or WIN-64) Adapter and select "Rename". Rename it to "MyTap".
  3. You can try out OpenVPN now on your LAN to make sure all is working. Just change your client1.ovpn to connect to your server's LAN IP address (NOT the address you set for MyTap on the server, but the static IP you set for the LAN adapter).
  4. Launch OpenVPN GUI (as Administrator on Vista/7). A tray Icon should appear for OpenVPN (a little red-monitored computer with a globe). Right-click it and select "Connect"
  5. A window like this will appear. After a few seconds to a minute, you should hopefully connect and be assigned an IP address. To verify traffic is going through the tunnel, assuming you used OpenDNS, you can test it simply using an OpenDNS check.
I know it's been a lot of work, but it's worth it. You now have a secure basic VPN setup, more robust than Microsoft's default PPTP offering and able to serve multiple clients. You can improve the security further by looking into ta.key, maxclients, client filtering, choosing the cipher, and password authentication. You'll need to go elsewhere to learn how to do these, or I may cover them in a future post. Finally, there are a few things you should know.
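The guide's actual config files live on the PasteBin links above, so here is an added example (my own code, not the guide's file and not anything from the OpenVPN project) that audits a server.ovpn for the two things that most often go wrong with this setup: the server line disagreeing with the ICS ScopeAddress (Note #5 and Server Configuration step 12), and the hardening items mentioned just above (ta.key, max-clients, client filtering, a chosen cipher) being absent. The GUIDE_SERVER_OVPN text is constructed to match the values the guide describes (UDP 1194, the 192.168.137.0/24 tunnel, OpenDNS pushed to clients, all traffic redirected); the dev tap / dev-node MyTap lines, the HARDENED_SERVER_OVPN additions and all function names are my assumptions. The script only reads text, so it runs without OpenVPN installed.

```python
# Added example: audit a server.ovpn against this guide's settings.
# Not the guide's own config or OpenVPN project code.
import ipaddress
import shlex

# Constructed sample in the shape the guide describes (assumed, not the
# author's PasteBin file; dev tap / dev-node MyTap are my assumptions).
GUIDE_SERVER_OVPN = """\
port 1194
proto udp
dev tap
dev-node MyTap
server 192.168.137.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
persist-key
persist-tun
verb 3
"""

# The same file plus the extras the post points at for improving security.
HARDENED_SERVER_OVPN = GUIDE_SERVER_OVPN + """\
tls-auth ta.key 0
cipher AES-256-CBC
max-clients 3
client-config-dir ccd
ccd-exclusive
"""

# Directive the hardened config should carry -> why its absence is reported.
HARDENING = {
    "tls-auth": "no tls-auth (ta.key): the control channel accepts packets from anyone",
    "cipher": "no cipher line: whatever the build's default cipher is gets used",
    "max-clients": "no max-clients: no cap on simultaneous clients",
    "client-config-dir": "no client-config-dir: no per-client filtering",
}


def parse_ovpn(text):
    """Map directive -> list of argument lists. Repeated directives such as
    push keep every occurrence; lines starting with # or ; are comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)          # honours the quotes around push args
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def audit_server_config(text, ics_scope_address="192.168.137.1"):
    """Return (code, message) findings; an empty list means nothing to report.
    ics_scope_address is ScopeAddress from the SharedAccess\\Parameters key,
    i.e. the address ICS hands MyTap (Server Configuration step 12)."""
    d = parse_ovpn(text)
    findings = []

    server = d.get("server")
    if not server:
        findings.append(("server", "no server line, so no tunnel address range"))
    else:
        net, mask = server[0][:2]
        tunnel = ipaddress.ip_network("%s/%s" % (net, mask), strict=False)
        scope = ipaddress.ip_address(ics_scope_address)
        # OpenVPN keeps the first host of the range for the server side, and
        # that must be the address ICS assigns, or clients cannot reach it.
        if scope != tunnel[1]:
            findings.append(("ics-scope",
                             "ICS scope %s is not the first host of %s; fix "
                             "server.ovpn or ScopeAddress" % (scope, tunnel)))

    pushes = [args[0] for args in d.get("push", []) if args]
    if not any(p.startswith("redirect-gateway") for p in pushes):
        findings.append(("redirect-gateway",
                         "no push redirect-gateway: clients will split-tunnel"))
    if not any(p.startswith("dhcp-option DNS") for p in pushes):
        findings.append(("dns", "no DNS pushed: lookups leave the tunnel"))

    for directive, why in HARDENING.items():
        if directive not in d:
            findings.append((directive, why))
    return findings


if __name__ == "__main__":
    for name, cfg in (("guide", GUIDE_SERVER_OVPN), ("hardened", HARDENED_SERVER_OVPN)):
        print(name)
        for code, msg in audit_server_config(cfg):
            print("  [%s] %s" % (code, msg))
```

Run it with Python 3 from a command prompt; to check your own file, pass open("C:\\OpenVPN\\config\\server.ovpn").read() to audit_server_config along with the ScopeAddress you set in the registry. The guide's own config reports only the four hardening items, which is the expected state right after following the steps; a mismatched scope address is the finding that explains clients connecting but getting no Internet.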

Some Things Very Important To Note

  • If you have issues with resolving DNS, uncomment register-dns from the client file.
  • On some networks with a short dhcp timeout, your client may have issues with getting a new address lease due to OpenVPN sending the request through the VPN. Disconnecting from OpenVPN and running "ipconfig /release" followed by "ipconfig /renew" in the command prompt will solve the issue (until it times out again).
  • Internet Connection Sharing (ICS) is a tricky one, but I've gotten it mostly figured out through the SharedAccess registry options. You can read up on configuring ICS here. On Windows XP it uses 192.168.0.1 by default and I've yet to verify if that can be changed.
  • Strictly speaking, the subnet mask your OpenVPN server is given may not be absolutely correct. This doesn't matter for a handful (3) of clients, but it may stop you from having more. This appears to be related either to the version of Windows used, to the NIC used, or to whether the NIC is a wireless NIC, and it cannot be changed. You should get a subnet mask of 255.255.255.0, but may get less (the lowest I got was 255.255.255.252; 3 clients + the server would max that out). The OpenVPN client should pull the correct information when it connects, so as long as you don't exceed the limit it's not an issue. Slightly related is the item below:
  • I don't know if this was because my virtual machine is crashy, but I noticed that the MyTap adapter would randomly change to using APIPA (Automatic Private IP Addressing) and therefore get an address in the 169.254.0.0/16 block. It's simple enough to fix. NOTE: This happens when RRAS runs into an issue and its DHCP server fails. To fix this issue, follow the 3 steps below:
First, disable sharing on the LAN adapter.

Second, reset the MyTap to use a static IPv4 address (IP and default gateway the same, in my case 192.168.137.1).

Third, re-enable sharing on the LAN adapter for MyTap.
  • I suggest disabling sleep/hibernation on the server anyway (I mean, if the server isn't online when you need to connect, it's kinda useless). And whenever you reboot for updates, just check to make sure MyTap still has the first IP address in the block your OpenVPN server gives out.
  • I've yet to find a way to get the OpenVPN network to be identified by anything less than a Public Network on Windows 7. It doesn't make much of a big deal unless you want to access network shares on the OpenVPN server (which may not be possible since Windows may block sharing since it's a public network). NOTE: This is due to OpenVPN's network not having a default gateway. Some steps on potential workarounds can be found on the Internet.

Sunday, January 27, 2013

Data Privacy Day Prep Part 5: Network Security

Data Privacy Day is one of my favorite holidays and falls on this upcoming Monday. Every year, in the days leading up to it, I like to talk about it and publish reminders. I normally post this on the Bethesda forums, where I'm quite active, but now that I have a blog, why not also add it here? Here's part 5; it's about Network Security. It's long, so maybe read it in chunks. It'll always be here for you to refer to later :P

The goal of Data Privacy Day is to make people more informed about their data and privacy. I hope you find some of this information useful and put it into action. Security and privacy are constantly evolving items, and what cuts it today may not in the future, but this should be a good springboard to boost your security and privacy for Data Privacy Day and the years to come. As always, the level of security you need will differ from others, so you need to figure out what level is good for your needs. Some things, though, are universally applicable to all, such as a good password system. Another thing to remember is that even if you follow the best of security practices, it may not be enough to stay safe if a company who has poor security practices gets hacked (and after the summer of 2011 hacks and the ones that followed in 2012, I think we are all familiar with that).

An important definition:
  •  Man-in-the-Middle attack: Any attack wherein someone intercepts data you send to and receive from someone else by acting as a relay ("in the middle"). This can be done in numerous ways (ARP and DNS poisoning being two common methods, though many others exist), but the end effect is the same: your information and communication are compromised. Your passwords can be stolen and your sessions hijacked. This threat is an increasingly common problem on wireless networks, and can even affect mobile telecommunication networks (the current going rate is around $500 plus enough know-how, FYI).
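The ARP poisoning mentioned in that definition is something you can watch for from your own machine. As an added example (my code, not part of the original post), the script below compares two snapshots of the Windows arp -a table, one taken on a network you trust and one taken later, and reports the two usual signs of poisoning: the gateway's MAC address changing, and a single MAC answering for several IP addresses. The snapshots, addresses and MACs are constructed for the example and the function names are mine.

```python
# Added example: spot ARP poisoning by comparing `arp -a` snapshots.
# Sample data below is constructed; addresses and MACs are made up.
import re

# Trusted baseline, recorded on the network when nothing was wrong.
BASELINE_ARP = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-ff     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Later snapshot: the gateway now resolves to a different MAC, and that MAC
# also claims 192.168.1.30, the classic shape of a relay in the middle.
POISONED_ARP = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           de-ad-be-ef-00-01     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.30          de-ad-be-ef-00-01     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One table row: dotted IPv4, dash-separated MAC, entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE)


def parse_arp_table(text):
    """Map IP -> MAC (lower-case) from text in the shape `arp -a` prints."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def is_group_mac(mac):
    """Multicast and broadcast MACs have the low bit of the first octet set;
    several IPs legitimately share them, so they are never flagged."""
    return int(mac[:2], 16) & 1 == 1


def detect_arp_spoofing(baseline_text, current_text, gateway_ip):
    """Return (code, message) findings; empty means the table looks clean."""
    baseline = parse_arp_table(baseline_text)
    current = parse_arp_table(current_text)
    findings = []

    then, now = baseline.get(gateway_ip), current.get(gateway_ip)
    if then and now and then != now:
        findings.append(("gateway-mac-changed",
                         "%s moved from %s to %s" % (gateway_ip, then, now)))

    by_mac = {}
    for ip, mac in current.items():
        if not is_group_mac(mac):
            by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("mac-claims-multiple-ips",
                             "%s answers for %s" % (mac, ", ".join(sorted(ips)))))
    return findings


if __name__ == "__main__":
    for code, msg in detect_arp_spoofing(BASELINE_ARP, POISONED_ARP, "192.168.1.1"):
        print("[%s] %s" % (code, msg))
```

On a real machine, feed it the saved output of arp -a from a day you trusted the network and a fresh run. Treat the second check as a hint rather than proof: a router that holds several addresses, or a laptop hosting virtual machines behind NAT, will legitimately show one MAC with multiple IPs. The gateway check is the stronger signal, and on an open network the practical defense is the one the VPN guide above gives: tunnel everything so a relay on the LAN sees only encrypted traffic.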

Networks

Your local network is an important point of security. A properly set up one will allow easy sharing and collaboration while simultaneously keeping out those who would intrude on it from the outside. This section will cover your local network, your local computer, and how to protect your computer and privacy when on public networks.

Your Wired Network

For a wired network, you don't have as much to worry about. Make sure not to use the DMZ your router allows: it's a black hole for security and offers nothing over properly forwarded ports. Any forwarded port should have a distinct purpose; otherwise don't forward it. Disable remote/WAN administration (it might be buried in there somewhere). Keep the router updated with any new firmware releases (better yet, use custom firmware like DD-WRT, OpenWRT, or Tomato), as they patch various security flaws. Next you should change the username/password for logging into your router. Finally, make sure your router's firewall is enabled; it's one of the nicest features they have. While not necessary, disabling UPnP can add a little more security by closing any unpatched vulnerabilities it may have and keeping rogue software from dynamically forwarding ports. Being careful is simpler and more friendly, though.

Your Wireless Network

Wireless networks are another thing. On top of all the above, you NEED to be using WPA2 with AES. Nothing else is secure!!!! Well, nothing you can reasonably implement, at least. This checklist is pretty good; the only two things I disagree with are using MAC filtering and disabling SSID broadcasting. If someone knows how to crack a WEP key, they can easily find out how to spoof a MAC address or uncover an invisible network. Both also come with significant disadvantages while offering no real security. As mentioned in that checklist, make your WPA2 key very complex. You don't need to worry about forgetting it: write it down and stick it to your router. If someone is in your house, your WPA2 password isn't going to keep them out of your network. If you want to be secure with your WPA2 key, consider using the same password strategies mentioned in the passwords section.

 But what about your WEP-only devices? I've not tried it yet myself, but here is a guide on how to set up a virtual wireless network for your WEP devices. Other options are to set up a wireless access point with WEP for when you want to use your DS/other WEP-only devices, and just unplug the WAP when not using it. Everything else will be on your normal WPA2 connection.

 A very new development in attacking WPA/WPA2 networks is to ignore trying to break the WPA/WPA2 encryption and instead have the router hand over the password. A common feature included in many modern routers is Wi-Fi Protected Setup (WPS). Unfortunately, this is a weakness, as it is a simple (generally hardcoded) PIN that is very easy to brute-force. Lifehacker did a full rundown of this attack vector and the primary tool used to abuse it (Reaver), which I suggest you read so you can stop it from happening to you. A redditor created a wonderful spreadsheet of many common household routers, whether they are vulnerable to Reaver, and whether you can disable WPS on them (some routers cannot have the feature disabled even if there is an option on the web interface to do so). One way to immunize yourself against this attack is to flash a custom firmware on the router, such as DD-WRT. Many custom firmwares do not support WPS, which nullifies this vulnerability.

Your Computer (localhost)

Your computer can leak information out of your local network if you are not careful. The browser section covered many of the most common leaks, but if your computer is infected with a keylogger or other malware, data may be leaked and all of your network security can be bypassed. Likewise, on an open network, someone may try to break into your computer over the network. There are a few things you can do to mitigate these risks:

 Keep your Operating System updated. It's easy to fall into the cycle of not getting the latest updates for your OS. These often patch security holes that can be exploited. Along the same lines, keep your software updated, especially major programs and anything that uses the Internet. Along these lines is NOT using an unsupported OS. Windows Vista Home and Ultimate editions reach end of support this year in April, so upgrade before then or it'll only be a matter of time before an unpatched hole allows for unassisted malware installation on your computer due to running an unsupported OS.

 Just as important as keeping your OS updated is keeping your software updated. Key programs that should be kept updated are your antivirus/antimalware/firewall solutions, your web browser of choice, your PDF viewer, Java (if installed), Microsoft Office (if installed; it can be updated through Windows Update), and your media player.

 Use a password! Windows passwords are trivial to overwrite if someone has access to your PC (which is where encryption comes in), but they are VERY useful in keeping other, unwanted people on the network out of your shared folders. You should also, of course, disable shared folders on public wifi networks.

 Install a firewall. Your router has one, but on open networks like the ones your laptop may often connect to, your router's firewall won't be any help. With Windows Vista/7, the built-in firewall is pretty good (and can be improved with Windows7FirewallControl, which works with Vista/XP as well). The best free one is Comodo's Firewall. Its Defense+ feature is also a basic HIPS (Host-based Intrusion Prevention System) that will stop rogue programs from doing naughty things. This does an excellent job of keeping keyloggers, trojans, and worms from sending data out from your computer (keyloggers can also be effectively nullified with the use of a password manager such as KeePass or LastPass). Lately Comodo has been getting bloated; a good HIPS-based alternative is PrivateFirewall.

 Keep your antivirus/antimalware/antispyware solutions up to date and scan as you feel needed. Whether you run a full-fledged real-time antivirus + antimalware solution, or a free antivirus and something to occasionally scan with like Malwarebytes, it's better to have it on your system now and not need it than to need it and not have it. Some malware makes it near-impossible to install antimalware programs and/or update them successfully, so being able to scan right away after you think you've been compromised is a very nice thing. The next-best thing is to shut down your computer immediately and use a live rescue CD like the one Kaspersky offers (there are tons of them). Antivirus/antimalware/antispyware, whether proactive or reactive, should always be considered your last line of defense.

 Disable file sharing when you don't need it. This is of particular importance when on public wifi. In Windows 7 this is done simply by going Control Panel > Network and Sharing Center > Change Advanced Sharing Settings (left panel item). Expand the Public profile. Turn off Network Discovery (not really necessary, as it doesn't offer any real security), turn off File and Printer Sharing, and turn off Public Folder Sharing. Save the changes and exit. Next, disable your administrative shares. Disabling shares you don't need is important for those "oops" moments when you connect to a network and accidentally make it a home or work network instead of a public one.

Shared and Public Computers

Shared and public computers are of particular risk. With shared computers, it's possible someone else using it has unwittingly installed some privacy-invading software or may try to snoop through your files. On public computers you never know if there's a keylogger or some other malicious activity going on. It's best to minimize your risks on these computers. With shared computers, you should verify that other user accounts cannot access your data by checking folder permissions and making sure other accounts don't have read (or execute) access. Another thing you can do is set up email alerts for whenever someone logs in to your computer. It may be handy if you think someone is snooping around. I personally prefer blat for sending emails from the command line on Windows, though sendemail is fine too. SendEmail is also available for Mac OS X and Linux, and the instructions given there will mostly apply, but you'll need to create a shell script to run them on those platforms and set it to run at start-up. An alternative program for Linux and Mac OS X is ssmtp, which I find a bit simpler than sendemail. Here are some instructions on ssmtp's basic setup and some Mac OS X instructions.

 Public computers are especially scary because there's so much unknown about them. The best bet is to reboot into Linux if possible. It's not always possible with public computers, but when it is, it'll provide you the best option. A privacy- and security-minded Linux distro is Tails. Of course, booting into Linux isn't always possible on public PCs (being able to do it is actually a really bad sign), so instead you may have to make do with some portable apps. I'd recommend avoiding passwords when possible, and otherwise using only accounts with two-factor authentication. Definitely use a portable version of your web browser of choice, all tricked out with your favorite privacy plugins. Only save stuff to the USB stick and only run stuff from it. Pretend every program on the computer is a poisonous snake trying to eat your mouse (pointer). Besides that, there isn't much you can do besides following some good practices.

Foreign (public) Wireless Networks

Foreign, public wireless networks are a war zone, especially the open ones. Ones properly protected and configured with 802.1x (aka WPA2 Enterprise) can be safe networks, but assume that any 802.1x network is poorly configured, that multiple people have the same key you do, and that they can see your traffic. Man-in-the-Middle attacks happen with increasing frequency, and the skill required to initiate them is at an all-time low (it can be done with just a smartphone). There are two primary technologies you can use to secure your roaming on such networks: SSH Tunnels and Virtual Private Networks (VPNs).

 NOTES:

 1. For all server installs, you will need to know the public IP of your server. You can find it by visiting http://www.whatismyip.com/ on your server. Better is to set up no-ip on your server (the computer running SSH or your VPN) and use their free dynamic DNS service (it'll work even if your home IP changes). No-ip is so simple it hardly warrants directions, but no-ip provides them for a simple setup anyway. You will need to do this for PPTP VPN servers and SSH servers.

 2. You will also need to set a static IP for your server. This is simple enough:

Static IP - Mac OS X

Static IP - Linux (various)

Static IP - Windows XP/Vista/7

 3. A simple tool to use to see if an ARP poisoning attack is happening on the public wifi is DecaffeinatID. It keeps track of the default gateway MAC address and will alert you if it changes.
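Here is an added example, not from the original post, of a DecaffeinatID-style check written for Linux: it learns the default gateway's MAC from the ARP (neighbour) table and reports any later change. The `ip` tool from iproute2 is assumed, and the state-file path, polling interval and sample neighbour lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a DecaffeinatID-style watch that
# records the default gateway's MAC and alerts when it changes. Assumes Linux
# iproute2 (`ip`); the state-file path and the polling interval are my choices.
STATE="${STATE:-$HOME/.gateway-mac}"
INTERVAL="${INTERVAL:-10}"

# Pull the MAC for gateway IP $1 out of `ip neigh` output read from stdin.
# Constructed sample line: "192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE"
gateway_mac_from_neigh() {
    awk -v gw="$1" '$1 == gw { for (i = 1; i < NF; i++) if ($i == "lladdr") { print tolower($(i+1)); exit } }'
}

# Decide what the new sighting means. $1 = gateway IP, $2 = MAC seen now,
# $3 = MAC recorded earlier (empty on first run). Returns 2 on a change,
# 1 when the gateway is not in the neighbour table at all.
check_gateway_mac() {
    gw="$1"; now="$2"; recorded="$3"
    [ -n "$now" ] || return 1
    if [ -z "$recorded" ]; then
        echo "baseline: $gw is at $now"        # take the baseline on a network you trust
        return 0
    fi
    if [ "$recorded" != "$now" ]; then
        echo "ALERT: $gw changed from $recorded to $now (possible ARP poisoning)"
        return 2
    fi
    return 0
}

# Poll loop: learn the gateway once, then compare on every tick.
# A router reboot or AP failover can also change the MAC, so treat an alert
# as "stop and check", not proof of an attack.
watch_gateway() {
    gw=$(ip route show default | awk '/default/ { print $3; exit }')
    [ -n "$gw" ] || { echo "no default gateway" >&2; return 1; }
    while :; do
        ping -c 1 -W 1 "$gw" >/dev/null 2>&1   # keep the neighbour entry fresh
        now=$(ip neigh | gateway_mac_from_neigh "$gw")
        recorded=$(cat "$STATE" 2>/dev/null)
        check_gateway_mac "$gw" "$now" "$recorded"; rc=$?
        [ "$rc" -eq 0 ] && [ -z "$recorded" ] && printf '%s\n' "$now" >"$STATE"
        [ "$rc" -eq 2 ] && logger -t gwwatch "gateway MAC changed: $recorded -> $now"
        sleep "$INTERVAL"
    done
}
```

Run `watch_gateway` once at home to record the baseline, then leave it running in a terminal while on public wifi.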

SSH Tunnels

An SSH tunnel, when properly configured, is a simple yet effective way to protect your web browsing (and select other traffic) while on public wifi, and it is relatively simple to set up. Setting up an SSH server is simple on Mac OS X and Linux; on Windows it is simple after installing a program. Your tunnel will be a SOCKS proxy, and Firefox with QuickProxy makes switching to that proxy simple, securing your web browsing traffic (I recommend Firefox because of QuickProxy, and also because Firefox can be configured to send DNS requests through the tunnel, something I've yet to find out how to do in Opera or Chrome).

 NOTE: You may wish to get email alerts whenever someone logs in via SSH to your server. It's simple to do. These instructions apply to OpenSSH, so they should work for both Linux (assuming OpenSSH is your SSH server) and Mac OS X. If you use my recommended program of BitVise for Windows, you'll have an option to run a program after successful logins, so you'd just create a batch file that uses either sendemail or blat to send the email.
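As an added example that is not part of the original post, here is a small /etc/ssh/sshrc that sends the login alert described here (and in the shared-computer section above) through ssmtp; OpenSSH runs this file on every successful login. The recipient address, the mailer path and the dry-run switch are my assumptions.

```shell
#!/bin/sh
# Assumed deployment (not from the original post): save as /etc/ssh/sshrc, mode 0644.
# OpenSSH's sshd runs /etc/ssh/sshrc with /bin/sh after every successful login,
# with SSH_CONNECTION set to "client_ip client_port server_ip server_port".
# A user's own ~/.ssh/rc takes precedence over this file, so also set
# "PermitUserRC no" in sshd_config so a logged-in account cannot suppress the alert.

ALERT_TO="${ALERT_TO:-admin@example.com}"   # placeholder recipient
MAILER="${MAILER:-/usr/sbin/ssmtp}"          # ssmtp, as on this page; any sendmail-style MTA works

# Build the full alert mail (headers + body) from the login context.
# $1 = login name, $2 = SSH_CONNECTION value
ssh_alert_message() {
    user="$1"
    client_ip=$(printf '%s' "$2" | cut -d' ' -f1)
    client_port=$(printf '%s' "$2" | cut -d' ' -f2)
    host=$(uname -n)
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf 'To: %s\n' "$ALERT_TO"
    printf 'Subject: SSH login: %s@%s from %s\n\n' "$user" "$host" "$client_ip"
    printf 'User:   %s\nFrom:   %s port %s\nTime:   %s\n' "$user" "$client_ip" "$client_port" "$stamp"
}

# Hand the message to the MTA. Nothing may be written to the session's stdout,
# and sshrc must never read the session's stdin (sshd uses it for the X11 cookie),
# so the mailer only sees the pipe and its output goes to /dev/null.
send_ssh_alert() {
    ssh_alert_message "$USER" "$SSH_CONNECTION" \
        | "$MAILER" "$ALERT_TO" >/dev/null 2>&1 \
        || logger -t sshrc "login alert mail to $ALERT_TO failed"
}

# Only fire when sshd actually invoked us (SSH_CONNECTION set); never during tests.
if [ -n "$SSH_CONNECTION" ] && [ "${SSHRC_DRY_RUN:-0}" = 0 ]; then
    send_ssh_alert
fi
```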

 First, you need access to an SSH server to log into and create the tunnel. This computer needs to be located at home and always on.

 Mac OS X: Enable Remote Login for Mac OS X

 You will then need to forward port 22 from your Mac on your router so you can access SSH while on the go. Locate your router on PortForward and follow the instructions for SSH.

 Linux: Simply install OpenSSH (or your SSH server of choice). Your distro's documentation should have sufficient instructions on how to activate key-based authentication and disable keyboard authentication. It won't be any different from the instructions for Mac OS X if you use OpenSSH. Then likewise forward port 22 from your Linux PC on your router so you can access SSH while on the go. Locate your router on PortForward and follow the instructions for SSH.

 Windows: Windows lacks a built-in SSH server, though there is a very good free (for personal use) SSH Server provided by BitVise. It offers very fine-grained controls, public key authentication, virtual users, jailing, and everything else you could want in an SSH server. If you have any questions, feel free to ask me as I'm very familiar with BitVise's SSH server. Don't forget to forward your port, though.
 
 I HIGHLY suggest setting up key-based authentication for SSH to prevent brute-force attacks on your SSH server. Then just disable keyboard authentication. (The instructions are for PuTTY as it's fairly cross-platform and allows me to post a single set of instructions. Feel free to use any client you wish, though.)

Now that your server is configured, it's time to configure your client (probably your laptop). I will do my instructions through PuTTY (for simplicity once again), so download and install PuTTY. On Mac OS X, you will need to use MacPorts to get PuTTY.

 Launch PuTTY. Type the dynamic DNS name (or IP address) into the Hostname/IP box. It looks like this.

 Under Connection > SSH, select Tunnels. Enter 7070 as the port (technically any port will do; I just always use 7070 because it's easy for me to remember), set it as Dynamic and Auto. Click the Add button. It looks like this.

 It isn't absolutely necessary, but I highly suggest saving this configuration, which requires going back to the session panel. Enter some title in the "saved sessions" box (like sockstunnel) and hit Save. Now in the future you will just have to select sockstunnel and click load.

 Now click the Open button. A window that looks like a command prompt will open up and ask for your username, so enter it. If using keyboard authentication, enter your password. If using key-based authentication with a passphrase, enter your passphrase (the earlier linked howtoforge guide for key-based logins with PuTTY explained how to load a key into PuTTY). Leave this window open.

 Now we configure Firefox. Download QuickProxy as this makes things simpler (you'll be able to switch to your proxy with the click of a button).

 In Firefox go to Tools > Options. Go to Advanced. In Advanced, go to the Network tab. Under "Connections" click the Settings button. Select "Manual Proxy Settings". Enter a SOCKS Host of 127.0.0.1 and a port of 7070. It should look like this. Change back to "No Proxy" and OK out of all open windows.

 One more thing needs to be changed: go to about:config. Enter in socks as your filter. Change network.proxy.socks_remote_dns to true. Should look like this.

 Now Firefox can be switched to use the proxy (while logged into the SSH server in PuTTY) by just hitting the QuickProxy button.

 When you're done using your SSH tunnel, disable the proxy by once again clicking the QuickProxy button, and type "logout" ("exit" if it's a BitVise server running on Windows) into the PuTTY terminal window to end the session.
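For readers who would rather script the tunnel than click through PuTTY, here is an added example (not from the original post) that does the same thing with OpenSSH's own client: it opens the dynamic SOCKS forward on port 7070, refuses password logins and changed host keys, and checks that traffic and DNS really go through the tunnel. The host name, user, pid file and IP-echo URL are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): the command-line equivalent of the
# PuTTY "Dynamic" tunnel above, plus a check that traffic really goes through it.
# Host name, user, port, pid file and the IP-echo URL are placeholders.
SSH_HOST="${SSH_HOST:-myhome.example.com}"   # your no-ip name or public IP
SSH_USER="${SSH_USER:-alice}"
SOCKS_PORT="${SOCKS_PORT:-7070}"              # same port as in the PuTTY and Firefox steps
PIDFILE="${PIDFILE:-$HOME/.socks-tunnel.pid}"
IPECHO_URL="${IPECHO_URL:-https://ipecho.example.com/}"  # any page that returns your public IP

# Compose the ssh command line; prints it on stdout, returns 1 for a bad port.
socks_tunnel_cmd() {
    port="$1"; user="$2"; host="$3"
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1
    printf 'ssh -N -D 127.0.0.1:%s' "$port"           # -N: no remote shell; SOCKS on loopback only
    printf ' -o ExitOnForwardFailure=yes'              # die loudly if the port is already taken
    printf ' -o ServerAliveInterval=30 -o ServerAliveCountMax=3'  # drop dead tunnels fast
    printf ' -o PasswordAuthentication=no'             # keys only, as the post recommends
    printf ' -o StrictHostKeyChecking=yes'             # known host key (saved at home) or nothing
    printf ' %s@%s\n' "$user" "$host"
}

start_socks_tunnel() {
    cmd=$(socks_tunnel_cmd "$SOCKS_PORT" "$SSH_USER" "$SSH_HOST") || { echo "bad port: $SOCKS_PORT" >&2; return 1; }
    $cmd &                      # unquoted on purpose: the string is split into arguments
    echo "$!" >"$PIDFILE"
}

# Compare the public IP seen directly with the one seen via the proxy.
# --socks5-hostname makes curl resolve names through the tunnel, like
# network.proxy.socks_remote_dns in Firefox; plain --socks5 would leak DNS.
tunnel_in_use() {
    direct=$(curl -s --max-time 10 "$IPECHO_URL") || return 1
    via=$(curl -s --max-time 10 --socks5-hostname "127.0.0.1:$SOCKS_PORT" "$IPECHO_URL") || return 1
    [ -n "$via" ] && [ "$via" != "$direct" ]
}

stop_socks_tunnel() {
    [ -f "$PIDFILE" ] && kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}
```

After `start_socks_tunnel`, point Firefox at 127.0.0.1:7070 exactly as in the steps above; `tunnel_in_use` should then report success only while the tunnel is up.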
 
PPTP VPN

 Windows has a basic VPN built in that uses the Point-to-Point Tunneling Protocol. It is limited in that you can only have one remote connection, it uses your Windows password (so it must be strong), and it won't work when the CLIENT is behind old or improperly configured routers. From a security standpoint, PPTP has been broken and can be cracked by someone proficient with the right tools, but from an average user's standpoint, people getting their MitM on are going after easy fish; short of someone coming after you in particular, PPTP should be sufficiently secure. Also in its favor: it's simple to set up.

 Server configuration:

 NOTE: Both guides also include information on port forwarding for PPTP, which involves forwarding TCP 1723 and enabling PPTP Passthrough. This second part is important because PPTP uses a non-TCP/UDP protocol: GRE. You may have to look around a bit to find where PPTP Passthrough is on your router (GRE is also the reason why PPTP won't work when the client is behind some old routers, as they drop the GRE packets before they leave the network).

 1. PPTP Server on Windows XP

 2. PPTP Server on Windows 7 (Vista is almost identical)

 Client configuration:

 3. PPTP client on Windows XP

 4. PPTP client on Windows 7 (Vista is almost identical)

 5. PPTP client on Mac OS X

 6. PPTP client on Linux (GNOME)

Always test that your PPTP VPN tunnel is being used as the default gateway. This is the default behavior for Windows clients.

Hamachi VPN with Privoxy and ProXPN Free

Finally, the last option is to use Hamachi VPN and Privoxy. It's a cross-platform solution and Lifehacker has a write-up on how to do it here.

 A managed, simple, free VPN service is ProXPN Free. Note that you are using their service, so they are your exit point. To me, this is less ideal as you do not control the exit point. Also, you have to use their [proprietary] VPN implementation, as the free service does not include PPTP access. Their free service VPN implementation is incompatible with all other VPN clients I know of. Still, for simplicity it wins hands-down and it will protect you from Man-in-the-Middle Attacks on public wifi.

 That's all for this section. By following some of these tips, your public wifi browsing is now secured, and you have much less to worry about.