Jimiz.net – Jim Becher on the web

I was reading my daily RSS feeds and came across this headline.

“More than 10% of all PCs worldwide now on Windows 7″. (http://windowsteamblog.com/blogs/windows7/archive/2010/04/22/more-than-10-of-all-pcs-worldwide-now-on-windows-7.aspx)

It stood out and made me interested. That is pretty amazing, since Windows 7 has only been out for a few months. Considering the volume of users that have a PC that is huge number and to get to 10% this quick is just outstanding. I have been lucky enough to use 7 for quite a while at home, but still use XP at the office.

I am continually amazed at how people upgrade and update their home PC’s. Not many of the people I know who are not technical would even be able to tell you how to upgrade their OS. In fact, most of the people I end up helping with their tech problems just purchase a new PC rather than upgrade the OS.

I wonder how many of the sales are tied to a new PC? I would even love to know what the numbers were of people upgrading from XP or Vista?

Here are some great basic money mistakes. If you are in any way questioning these items please email me so I can explain. I am not a financial planner or even a consultant (I work in IT). However, if you don’t understand why these are bad, I am offering to take the time to explain them and answer questions.

Here is the original link from USAToday (http://www.usatoday.com/money/perfi/basics/2010-04-19-personalfinance19_ST_N.htm?csp=usat.me)

1. Raiding your 401(k)
2. Walking out on a mortgage (Please understand the major financial issue behind this)
3. Ignoring the card balance (Dave Ramsey)
4. Debt-wipeout scams (don’t be a sucker)
5. Co-signing a loan (Stay away)
6. Payday loans
7. Reverse mortgages
8. Trying to stiff Uncle Sam (it is not worth it)

These are some pretty simple mistakes to avoid, some are done because people are under stress to pay things or get out of a bad situation. Just please remember how important it is to understand the financial decisions you make

As a follow up to my original post of watching some kid at a coffee shop sniff the wireless network for passwords, I am doing a wi-fi security series.

In this post I will show wi-fi users how easy it is to gather information from other computers and users by just sniffing the network. I first must explain what “sniffing the network” means. In the simplest form it is just listening and capturing the information that is sent across the network this information is in network packets. This can be done on a wireless or wired network. Network sniffers come in all different flavors and types. I prefer Eathereal, this is because it works on linux and Windows. These tools are used to troubleshoot and also diagnose issues on networks and applications. They can also be used to ease drop or snoop on others, which is what I plan on explaining in this post.

So you may ask, what can a person “sniffing the network” find? Well for starters, it is really easy to gather usernames and passwords. Especially from POP email accounts. Most people who use email have an email client, such as (outlook, outlook express, thunderbird, or some other branded client like AOL or earthlink) Most of these clients user POP3 to communicate with the server to read your email. This all happens when you hit the Send/Receive email button. These clients that use POP3 may send your username, password, and messages in clear text. By default these programs as set to be easy to use and do not have the security features that are available turned on. So what does this mean? Well let’s look at a typical transaction from a user who is checking his or her mail. The open up Thunderbird (my email client of choice) at a coffee shop and hit send/receive while using the free wi-fi.

When they do they are sending information unsecured over that network, which happens to be a wi-fi network. Other users, which use the wi-fi also, have the abilty to overhear or sniff your information. The image below shows an Ethereal capture of my fake user called jvandenbon.

As you can see from the image, the username jvandenbon is sending his password of Alice623001 to his mail server. This happens each time he hits send and receive. Not only is the username and password readable, but so is the email. Below is a screen capture of an email I sent to that user. You can see from the capture that I read the email then deleted it.

Here is the actual information from that email inside ethereal:

Received: from ?192.168.1.107? ( [22.131.13.51])
by mx.gmail.com with ESMTP id j4sm126467nzd.2005.11.22.19.09.50;
Tue, 22 Nov 2005 19:09:50 -0800 (PST)
Message-ID: <4383DD50.9050706@jimiz.net>
Date: Tue, 22 Nov 2005 22:09:04 -0500
User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)
X-Accept-Language: en-us, en
MIME-Version: 1.0

So as you can see a default email client and POP3 account is not very secure. You are basically sending your userinformation and password for all to see if they know how. What is scary, is when you actually do sniff a network the amount of email usernames and passwords are actually sent. The day that I caught that kid at the coffee shop I saw about 10 username flying over the network.

At this point some people may be saying why do I care, it is just an email account? Well ask yourself, a few questions. Do you use that password for anything else, like your online bank site, or bill pay, or paypal, or even your gas or electric site? Do you use that email for any other accounts like paypal, ebay, or your bank site. Could someone use your email and password to ask your bank to reset your online bank password? These are all just food for thought.

Others are probably reading this and saying that the users should know how to secure their email account properly and use SSL / TLS over POP. I plan on helping people do that in my next post.

To keep this part 1 section going, let’s discuss what other information your machine may be telling people about you. So far we have seen that email; usernames, passwords, and messages can be viewed. Now I will show how online web email accounts can also be viewed. Though not as easy, online or web mail can also be seen over the network. This is only true when it is not used under SSL (https). Below is a picture of what a typical web mail login looks like. You can see the username jvandenbon and his password being sent over the network.

All the information I have talked about so far is from a user’s computer being sent out. This means you are initiating traffic, checking email, browsing web sites. But, what about your computer, does it answer questions about you when asked? It amazed me when I did a quick scan of the coffee shop wi-fi the other week. I saw 3 laptops that had network shares available on them. That means I was able to copy files off that machine.
The user turned on network sharing without any security. In my next post I will discuss methods of protection against intruding eyes.

As always, leave me feedback. Both good and bad.

Well I have finally decided to make the actual move from AT&T to Cingular. It is not that I am uhappy with AT&T wireless. It is just that they are no longer around. They are cingular.

One issue I am having is that I have a family plan. I did not have one with AT&T but with cingular they label my plan as a family plan. So I am unable to upgrade online. Which happens to be the only way to upgrade to get the phone I desire.

So about 50 min of calls today and a few people who could not have confused me more.. I am now in waiting for a phone that I don’t know which number it belongs to. But, I am calm. You see if I am able to get the phone I want for the price they advertise it for, then I will be happy.

Yesterday I completed my first marathon. On Oct 9th I ran the Chicago Marathon in 4 hours and 27 min. That is near a 10 min mile. I did not know what to expect going into this race. I figured it would be interesting, and I was right.

The day was perfect, 40 degrees in the morning and near 60 and sunny at the finish. I now know why they call Chicago the “Windy City.” I knew there would be 40 thousand people there but I did not know how they would effect me when I was running. I spend the first 10 miles just trying to get out of the way of people. Mostly passing runners and dodging people who just decided to start walking. You see, with that many people you had people around you at all times. At most times during the race if I stuck my arms out to my side I would have touched someone.

I realize know some of my mistakes. First, I will make sure that I get in with a pace team that is a bit faster. I would have liked to be in the 4 hour range or less. We ran with the 4:30 pace team (we go to the start a bit late to move up to the 4 range). What I found is that we ended up passing almost everyone around us, and not having too many people pass us.

Second, I would probably run a bit harder in the beginning and then rest in the middle. I did not really get tired until mile 24. Let me tell you that the last 2 miles were hard.

I ran the race with my sister-in-law and brother-in-law, Rodney and Alyssa. We all finished together.

It was one great adventure that I recommend everyone trying.

I have finally realized how much I use Instant Messaging. It is not a matter that I did not consider IM a viable means of communication, but rather the fact of how often I use it as a means of communication. Since switching jobs recently I have been able to consolidate my email, contact list, and useful files. The one thing that was left was IM. I use AIM, MSN, Yahoo, and Google Talk. It was when google talk was released that I realized how many programs I had to just do IM. I have all these IM accounts because of the diverse people I communicate with. Most of my friends are on MSN, and most a lot of business associates are on AIM and Yahoo.

To make all this easier for me and to consolidate and simplify (I seem to be doing this a lot lately) I moved to using Trillian Pro 3.1. I have used trillian before but that was the basic version. The pro version (cost me 25 bucks) and so far seems to be worth it. One of the major things I did not like about Trillian in the past was the interface. The pro version allows you to try different skins. I am using a minimal skin to let me get the most screen real estate. The reason I chose Trillian was that it was compatible with almost any IM protocol. One nice feature is the ability to use it as an RSS reader. I am still playing with all the settings but it is nice to get a full view of all IM people online and also a quick look at your Email for each IM account.

So in closing, I give it 4 our of 5 stars.

You often hear about security and web services. How they need to be more secure and how they can pass unsecured information. Well, I recently had an issue with a client that felt they were exposing too much information with the web service provided. This web service allows for products to be returned based on some search criteria. Unfortunately the web service was located in the root of the main web site so the asmx file was available by going to (http://www.someurl.com/somefile.asmx). The client felt that the web service gave too much info out.

We had a few methods to resolve this issue. One was to move the web service to another virtual folder and only allow the specific ip address to access that location. This did not seem to be the logical choice for us because we had multiple applications obtaining information from this location. We would have to find and adjust all the linking applications. So we started to look at the asmx file.

After some googling we really did not find too much info on how to secure the asmx file. Because in it’s true sense it is meant to explain / expose the methods of the web service. In one of the searches we were able to find some information on how the asmx file was built and displayed on the server. Specifically how the can be changed to show the order of the methods.

Using this information we set out to modify the asmx file to not show information about the web service methods. To do this we needed to modify the DefaultWsdlHelperGenerator.aspx file. This file is located in %SYSTEMROOT%\microsoft.net\framework\v1.1.4322\Config

In this file it allows for description and display of all exposed methods on page load. By modifying the SHOWingMethodList function and replacing the list of methods with some text or links back to the site we effectively removed any information the asmx file displayed. The ShowingMethodList had a repeater listing, we removed the repeater and added some text and a url.

We also removed the header information that had the standard documentation and put some text in it’s place.

In the end we had a functional asmx web service page that only displayed the text we wanted. It was not the ideal way of securing a web service, but in our situation it was useful.

We have just launched a new site at work today. www.omnova.com. The interesting part of this launch is the use of a new server application called Macromedia Flex. You can get to the application part of this site by going to www.omnova.com/designcenter. The Flex application allows for a rich internet user interface to be generated through remote data access points.

We had many issues getting this application to work in specific environments. Many of these issues were based on both the types of browsers and how they render css or div tags, and also firewall / permissions.

The site utilizes a few technologies. ASPX, Flex, and Macromedia Contribute.

You can read more about the issues here at one of our developers blogs (http://www.merhl.com/webdevblog/index.php?itemid=26)

Well Adam Curry finaly released the castblaster beta. You can download it here (http://www.castblaster.com/forums/viewtopic.php?t=5)

One thing I noticed about this beta is that they are asking for $50 bucks for a license key. I’m not against purchasing software but, paying for a beta is a bit over the edge. I understand that castblaster may be worth it but I can’t possibly think we would pay for this.

If you are like me you probably use firefox or have used firefox. It is a great alternative to IE for web browsing. One of the nice features of firefox is the ability to code extensions or plugins for the browser. I user some very frequently. Here is a quick list of extensions that I use:

1. Web Developer – this has all kinds of tools for those of us who develope web sites. It allows you to outline tables, style sheets, get form info, header info and anything else you have needed.
2. ForecastFox – This puts your weather information in browser frame window. This is great for just a quick view of the weather.
3. ConQuery – allows for contextual searching on a web page
4. GotFlash - Extensions that allow for multimedia information in pages.

I have attempted to write my own extension. I did the default “hello world” extension but never figured out what I wanted to do. If you have any ideas drop me an email.

It seems to me that there are a ton of IE tool bars out there. And every program you install tries to add another. I understand the functionality of a toolbar and how useful they can be, but come on. How many do we need. So I started thinking of what I use. And wanted to see what others thought. I personally use IE about 80% of the time at work (firewall issues) and about 100% of the time at home. I have found that the same tool bars frequently do not cross browsers. I recently found one that does. That is what got me thinking about this topic. So let me review what I use.

Ranked in the order with the most value
1. Google Toolbar - This is one that should be used by everyone with IE. It has popup blockers built in. Search from the menu bar. What else can you ask for. If you use firefox it is called the GOOGLE bar.
2. Netcraft toolbar – This toolbar keeps you from phising sites, allows you to search a sites rank and hosting provider. This is a very useful toolbar for those in the hosting business or webdevelopment business.

Well these two are the main ones I use. At one time I used the yahoo toolbar but found it very cumbersum.

next time I will discuss firefox extensions.

I have been asked on numerous occasions to help a client find a way to transfer files securely. The first thing a client will mention is just the use of FTP. I then have to explain how ftp sends both the username and password in clear text. I often demonstrate how easy it is to sniff the username and password by using ethereal and my local ftp server. Once someone sees this they tend to stop using ftp. One problem with this little conversation is the lack of secure ftp servers out on the market. I have used about 4 different ones, and finally settled on one that meets both the reliability and demands I have. Secureftp3 from globalscape (www.globalscape.com), the makers of the cute ftp program is my current choice.
It allows for the use of all secure ftp protocols (ssh, ssl over ftp, ssl passive, etc..) . One other key factor is that you can integrate into Active Directory. This is a feature that many ftp servers really lack. A drawback to this program is not necessarily due to the selection of the globalscape product but all secure ftp servers. They tend to require the use of their own ftp client. While the client is typically inexpensive, purchasing a client for all users can get very pricy. So I have made the decision to only use one standard ftp client (Filezilla) , it works with all secure ftp servers and also any version of ssh. The key reason was the price. Filezilla is free, you can download both the app and the source over at sourceforge. It has all the features, of any client I have seen and also has some extra ones.

Well I finally got my podcast up and running. I have made a few in the past, but now I have a format and an agenda. Yes, that is right an agenda. You may be asking, what is your agenda? Well, it is to keep the kind people of Grand Rapids, Michigan up to date with technology, local pubs, local music and where to enjoy our town. Especially if you are part of the local area or visiting. So take a listen and subscribe DGR_5_12_05

If you want to subscribe to the podcast in an application like ipodder.org or another podcast reader. You can grab my RSS feed (http://jimiz.net/blog/wp-rss2.php) and paste it into your program

Show Notes – DGR-2005-05-12

It looks like one of my favorite PodCasts is going to be available on Sat radio. Adam Curry is working with Sirius radio to deliver a Podcast channel – You can read the news release here . Or visit Sirius Radio for more info and a free 3 day trial.

I was playing with getting Sat Radio for a while. I just could not move on what device to purchase and also go for the Monthly fee. The ideal situation would be the USB XM radio they made last year. But they stopped making that one. I am in my car for about a total of 8 min. That is how long it takes me to get to work. So Sat radio in the car would not be an excuse. I have a friend who purchased the Portable XM radio and ended up taking it back. It did not have very good reception.

I have been a huge gmail fan since I got my first account. Now that gmail is up to 2 gigs of space how can you resist. I have been thinking of ways to utilize my gmail account other than an aggregator for thoughts, files, and other email accounts. I finally decided to try and use the system for email relaying. I have posted earlier my gadget setup, but I had not found a great way to get company email. Now, by utilizing my gmail account, I am able to pickup my email via wap, on my cell phone.

To do this I found two systems that would possibly work. One is a hosted service called
Gmail Wireless – http://www.gmailwireless.com/. The other is an application called
Gmail-mobile – http://sourceforge.net/projects/gmail-mobile/.

The first, Gmail Wireless is a site that you enter in your Gmail info and then access that site for your mail and information. The one thing I did not like about this solution, is that you have to enter your information into an unknown system. Not that I don’t trust the gmailwireless.com group, it is just I did not like that idea.

I finally decided to use the second option, Gmail-mobile. Gmail-mobile is a php application, that you install on your server with libgmail – http://libgmail.sourceforge.net/.

You can access it here http://www.jimiz.net/gmail. I can now forward email from the office to my gmail account and access via this wap enabled link. I did have this all wrapped in an ssl, but there seem to be issues with ssl and some versions of wap.

During my searching I found a few other interesting gmail links.

GMAIL API – http://johnvey.com/features/gmailapi/
Gmail-Lite – http://gmail-lite.sourceforge.net/