Jimiz.net – Jim Becher on the web

Lifehacker (lifehacker.com) is a productivity site that I frequent. Every year the put out a list of free applications for windows and call it the Lifehacker Pack 2010. The most recent list is out.

Lifehacker Pack 2010

This is a great list of applications that any windows user should use. From burning cd’s / Dvd’s to tools to re-install your computer software. Over the years I have found that I automatically use most of these tools. Happy Installing.

I mainly develop inside of a virtual server / application. In the last year I have been using Virtualbox instead of Virtual PC. I have a base image that I use as a testing machine. It is a base Windows XP image. I recently discovered that I could save some disk space by using a few commands to shrink / compact the vdi file.

To do this you will need to install a small application Nullfile (http://www.feyrer.de/g4u/nullfile-1.02.exe) This allows the empty disk space / unused data bytes to be filled with zero-bytes. You can read more about this at (feyrer.de/g4u/)

Once you have the file copy it to your Virtual Image. Run a disk defrag on your Virtual box system. After running a few defrags, you now need to just run the nullfile.exe. You only need to doubleclick the .exe.

Once the file is done, shut down your virtual image.
Open a command prompt and navigate to the directory where your vdi file is located. Mine is c:\vpc

Once in that directory we will be running the vboxmanage utility. On my Windows 7 pc it is located at C:\Program Files\Sun\VirtualBox\VBoxManage.exe

Here is the command we will be using modifyhd -compact

“C:\Program Files\Sun\VirtualBox\VBoxManage.exe” modifyhd -compact “c:\vpc\BaseXP.vdi”

Once this was completed my virtual image went from 4.3Gig to 2.7Gig.

Have fun with this utility. I was able to shrink my typical Windows 2008 server image to a much smaller size.

I was reading the notes from the CES conference and saw the tag wireless usb. I did not think much about it. Because I thought they were talking about usb wireless cards (which have been around for a bit). I just saw this post (wireless usb) on digg.com and now realize what they were talking about. It is the ability to access your usb peripherals through a wireless connection. Now this is very cool. I have actually thought about this feature before. I typically have a few items attached to my computer through usb. It would be great to be able to access these items when using my laptop as well. For example, I take my portable usb drive everywhere; I use it for backup and music storage. With wireless usb I would be able to keep it connected to a central place when at home. You could also use this for printers, and things like the griffen Radio Shark (my favorite).

I will be purchasing this when it is available.

Well I got some flack the other day about not posting to my blog. I will have to make up for that in the next few days. So get ready for some more strange, rude, and possibly informative posts.

I am working with a client that deals in Film and has a business model around film community. I just read a great blog post on how theaters make their money. It was very interesting to me and I thought I would share with the rest of you. http://arstechnica.com/news.ars/post/20060105-5905.html

As a follow up to my original post of watching some kid at a coffee shop sniff the wireless network for passwords, I am doing a wi-fi security series.

In this post I will show wi-fi users how easy it is to gather information from other computers and users by just sniffing the network. I first must explain what “sniffing the network” means. In the simplest form it is just listening and capturing the information that is sent across the network this information is in network packets. This can be done on a wireless or wired network. Network sniffers come in all different flavors and types. I prefer Eathereal, this is because it works on linux and Windows. These tools are used to troubleshoot and also diagnose issues on networks and applications. They can also be used to ease drop or snoop on others, which is what I plan on explaining in this post.

So you may ask, what can a person “sniffing the network” find? Well for starters, it is really easy to gather usernames and passwords. Especially from POP email accounts. Most people who use email have an email client, such as (outlook, outlook express, thunderbird, or some other branded client like AOL or earthlink) Most of these clients user POP3 to communicate with the server to read your email. This all happens when you hit the Send/Receive email button. These clients that use POP3 may send your username, password, and messages in clear text. By default these programs as set to be easy to use and do not have the security features that are available turned on. So what does this mean? Well let’s look at a typical transaction from a user who is checking his or her mail. The open up Thunderbird (my email client of choice) at a coffee shop and hit send/receive while using the free wi-fi.

When they do they are sending information unsecured over that network, which happens to be a wi-fi network. Other users, which use the wi-fi also, have the abilty to overhear or sniff your information. The image below shows an Ethereal capture of my fake user called jvandenbon.

As you can see from the image, the username jvandenbon is sending his password of Alice623001 to his mail server. This happens each time he hits send and receive. Not only is the username and password readable, but so is the email. Below is a screen capture of an email I sent to that user. You can see from the capture that I read the email then deleted it.

Here is the actual information from that email inside ethereal:

Received: from ?192.168.1.107? ( [22.131.13.51])
by mx.gmail.com with ESMTP id j4sm126467nzd.2005.11.22.19.09.50;
Tue, 22 Nov 2005 19:09:50 -0800 (PST)
Message-ID: <4383DD50.9050706@jimiz.net>
Date: Tue, 22 Nov 2005 22:09:04 -0500
User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)
X-Accept-Language: en-us, en
MIME-Version: 1.0

So as you can see a default email client and POP3 account is not very secure. You are basically sending your userinformation and password for all to see if they know how. What is scary, is when you actually do sniff a network the amount of email usernames and passwords are actually sent. The day that I caught that kid at the coffee shop I saw about 10 username flying over the network.

At this point some people may be saying why do I care, it is just an email account? Well ask yourself, a few questions. Do you use that password for anything else, like your online bank site, or bill pay, or paypal, or even your gas or electric site? Do you use that email for any other accounts like paypal, ebay, or your bank site. Could someone use your email and password to ask your bank to reset your online bank password? These are all just food for thought.

Others are probably reading this and saying that the users should know how to secure their email account properly and use SSL / TLS over POP. I plan on helping people do that in my next post.

To keep this part 1 section going, let’s discuss what other information your machine may be telling people about you. So far we have seen that email; usernames, passwords, and messages can be viewed. Now I will show how online web email accounts can also be viewed. Though not as easy, online or web mail can also be seen over the network. This is only true when it is not used under SSL (https). Below is a picture of what a typical web mail login looks like. You can see the username jvandenbon and his password being sent over the network.

All the information I have talked about so far is from a user’s computer being sent out. This means you are initiating traffic, checking email, browsing web sites. But, what about your computer, does it answer questions about you when asked? It amazed me when I did a quick scan of the coffee shop wi-fi the other week. I saw 3 laptops that had network shares available on them. That means I was able to copy files off that machine.
The user turned on network sharing without any security. In my next post I will discuss methods of protection against intruding eyes.

As always, leave me feedback. Both good and bad.

My last blog post last week on Network Intrusion has generated a lot of traffic and emails. It was interesting to know that people actually read what I post. A lot of people responded in emails asking to know some more information on wireless security. I think this is due to the popularity of wi-fi, both in our municipalities and in hotspots such as coffee shops. I is amazing to see where wi-fi is available. You can catch a hotspot anywhere in our little town of Grand Rapids. If you are interested in finding a HotSpot near you head on over to grwifi.net, James has a great site that allows users to rate and discuss wi-fi hot spots.

Since my last post I have been thinking of ways to respond to the emails and feedback I have received. I think it may be best to do a 2 part series on wireless security. The first part will be to show what kind of information your laptop our application is sharing on the wireless network. I will just briefly walk through some typical situations where you may be sharing more information then you know about. In part one; I will discuss the common applications that may share information. I will also discuss the tools used to gather that information, to show how easy it is for someone to steal.

The second part of the series, I plan on discussing and showing methods to help prevent unknowingly sharing information to others. This will include software applications and techniques for securing your applications and systems.

It is amazing to me how many people are unaware of what their computer or applications do on the network. In reality your computer is very chatty, it likes to send information and it is up to the user to help secure and limit the amount of information that is sent. In the next few blog posts, I hope to show people what they can do to secure, encrypt, and defend when using their computers.

To keep everyone up to date from my last post. I did go back to the wi-fi hotspot and did not see the kid their sniffing the wireless network. But, if I do see him I plan on confronting him head on. I have not seen a clear argument that Sniffing a network is illegal yet, and plan on doing more research. It feels like it is illegal, but in a sense it is not much different than listening to people talk in a room.

Network Intrusion / Invasion

I typically stop at a local coffee shop to get some caffeine and use their wi-fi network to check email and surf the web. I am gathering this is not unlike most people out there in the business world. I tend to visit places that offer wi-fi because of their ease of use. But the other day I saw some thing that upset me. The story I am about to tell is not anything new, but rather just an eye opener for me.

As I was standing in line for coffee I noticed a fellow wi-fi user in the corner and happened to glance at his laptop. Being a tech geek I noticed he was running linux (you may ask how?), well I noticed etherape running and ethereal. These are both tools I use often. Especially when trouble shooting applications or networks.

At first I did not think anything about it. Then as I was firing up my laptop, I started to think why someone would be using ethereal and etherape here? Then it hit me. This guy was grabbing network traffic on the wireless network and sniffing, probably for passwords and usernames. At this point I came up with a plan. I looked around at the other 10 or so people on their computers and realized that they were unknowingly giving their information away. Usernames and passwords were floating in plain text all over that coffee shop. The girl next to me was on yahoo mail, the guy on my right had outlook express open. I figured that the kid had at least 10 or so usernames and passwords by now, and I was angry.

To see if my mind was just crazy or corrupt I decided to test my theory that he was sniffing usernames and passwords. I first ssh’ed into my box and created a new email account. I created a username called jvandenbon. I figured since I am in a Dutch area that a dutch username made sense. I created a password of Alice6232001, hopefully a real enough password. Then I hoped into my inbox using mutt and forwarded some of my spam emails into the jvandenbon user account. So now I had a real account that had some mail in it.

I then fired up ethereal and then thunderbird. First I took a quick capture of what was on the network, and as I suspected there were lots of POP accounts being used which show Username and PASS in clear text. I opened Thunderbird and checked my mail, I use SSL / TLS when I connect to my mail server so I was not worried about this kid grabbing my info. But I had to make sure that I was safe so I watched my traffic and sure enough it was encrypted with TLS. I closed ethereal, and created a new account in thunderbird using the above jvanderbon account name and told it to use POP as the means of communication. Again, I opened ethereal and then did a send receive to watch my fake username and password be sent across the wire. I then wrote an email and deleted some others to create traffic. I closed Thunderbird and waited. I set a string filter for Alice623001 in ethereal and watched. Sure enough in a few min later(about 10) I saw my fake username and password being sent over the wireless lan. I captured the kids source address.

This kid was trying to access my fake account. By this point I was angry. I got to thinking about what kind of stuff I could do to him. I easily could have kicked his ass; however I am not sure that it would have helped. All these people had been cheated of their info and privacy. That is when I started to think about legal options. I don’t even know if it is illegal to sniff a public network. I have never even thought about it. I did a quick google search and did not find much. I guess you can kind of relate this to yelling across the room to a friend with your username and password. Whoever happens to be in the room has access to that information. The analogy does not sit well with me. I would like to think that people can be safe or feel safe even when their trusted programs (outlook, outlookexpress, thunderbird, and hotmail) send their information in plain text over the network.

Right now I am just angry. If I do see this kid again, I plan on approaching him and asking what he plans on doing with all the usernames and passwords he stole. I can only guess he is going to just mess around. But, what happens when he comes across a guy who happens to have admin rights on a system and sends his username and password over the line. I realize this is a gray area of the law, but what about people privacy. I am not a malicious person by any means. I have sniffed networks in the past to gather information to help me learn how to protect them. But when I watched this kid and the speed of which he attempted to open my POP account, I am a bit worried. He must have had a program that would just take a username, password, and mail server and check validation.

I guess I am now asking the community what they think of this event. Do you know if you are secure? Do you go to a coffee shop and check mail via POP and send your info? Do you use ftp at the coffee shop to update your web site or worse; your corporate web site? I would love some feed back on what people think. Just think, if someone got your email password? Does it match your bank account password or your paypal password? These are the questions on my mind. And how can I do something against this punk kid. Should I just walk over and kick his ass or should I call the police? And if I call the police, what do I say?

I was reading my Information Week magazine and ran across an article regarding Large Databases “Big Honkin’ Databases” was in the Sept 19th magazine (article here). It is a quick glimpse into some of the largest databases. I have seen a 1.2 Terabyte database in action and seen the amount of work necessary to keep that database functioning. I cannot imagine the amount of work that would go into a 100.4 terabyte database like the one Yahoo uses. I thought it was interesting that they mention the platform the DB’s are on but not the actual DB Software. Of the ten in the list they show UNIX for 7, Linux for 2, and Windows for 1. I would have to guess that anything on the UNIX platform is really running DB2. However I could be wrong. I would love more stats on these huge databases. For example, they mention that the Yahoo DB gets 1 billion SQL statements per hour. I would even like to see the hardware and staff necessary to keep these things alive.
After looking at the article a bit more I found that more statistical data can be found by the company that did the survey (wintercorp). You can find the DB vendor and hardware vendor by reading the full survey (Full Survey). It also included if the db is federated or centeralized.

I have finally realized how much I use Instant Messaging. It is not a matter that I did not consider IM a viable means of communication, but rather the fact of how often I use it as a means of communication. Since switching jobs recently I have been able to consolidate my email, contact list, and useful files. The one thing that was left was IM. I use AIM, MSN, Yahoo, and Google Talk. It was when google talk was released that I realized how many programs I had to just do IM. I have all these IM accounts because of the diverse people I communicate with. Most of my friends are on MSN, and most a lot of business associates are on AIM and Yahoo.

To make all this easier for me and to consolidate and simplify (I seem to be doing this a lot lately) I moved to using Trillian Pro 3.1. I have used trillian before but that was the basic version. The pro version (cost me 25 bucks) and so far seems to be worth it. One of the major things I did not like about Trillian in the past was the interface. The pro version allows you to try different skins. I am using a minimal skin to let me get the most screen real estate. The reason I chose Trillian was that it was compatible with almost any IM protocol. One nice feature is the ability to use it as an RSS reader. I am still playing with all the settings but it is nice to get a full view of all IM people online and also a quick look at your Email for each IM account.

So in closing, I give it 4 our of 5 stars.

((REVISED – TOO MANY SPELLING ERRORS))) – it may have been too late to post

Ok I have switched jobs and currently I am using a Dell Latitude D800. People who know me, know that I do not have much respect for the Dell laptops. There are a few reasons for this. 1. They don’t make them. 2. Why call them laptops when they are the size of my Commodore 64. 3. If you can’t make a mobile computer mobile, then don’t (just don’t)

Number 3 is where the Computer Input discussion comes in. If you have read my earlier post (Track Back) You know my feelings on people who have a mobile computer and carry a mouse to use with it. Why can’t they just use the input devices on the computer to work. Well this logic I have carried for years, is now making sense to me. The reason people carry a mouse to use with their Notebooks is because notebook vendors make a crappy (that is a nice word for what I would call the pointing device’s on this Dell) touchpad or trackpoint.

The Dell I have is equipped with both the pointing stick (track point) and a touch pad. They both suck. Lets start with the pointing stick. First of all, it does not move very fluid at all. You have to push very hard to move the pointer (And yes I have adjusted every setting for the thing) Second, the location of the buttons when you use the trackpoint are horrible. They are not only in a bad spot (too close to the space key) but they are crappy to push. You see they are flush with the keys so if you happen to choose the touchpad they would not get in your way. From years of working on a ThinkPad I can see why people use a mouse when using this dell. The track point is not even worth trying to use. My hands are already telling me that Carpal tunnel is on the way. Not to mention that the button normally takes 2 tries to single click (it feels like you have to press with all your might to make it click)

Now let’s move to the touch pad. So with the pointing stick sucking as much as it does on the Dell (I still have an IBM thinkpad and it is heaven to the fingers and clicking thumb), I decided to give that a try. And the results are still the same. Why bother. You have to move your fingers from the keys, you have to move both hands to either click or drag something.

Why does this have to be so hard. Are laptop vendors in bed with the mouse vendors? Why do we settle for this? I am finally that guy. I go to work and connect a mouse to my laptop. Shame on Dell for doing this to me. Shame on me for putting up with a computer that claims to be a portable and yet ties me to a desk and a cord……

You often hear about security and web services. How they need to be more secure and how they can pass unsecured information. Well, I recently had an issue with a client that felt they were exposing too much information with the web service provided. This web service allows for products to be returned based on some search criteria. Unfortunately the web service was located in the root of the main web site so the asmx file was available by going to (http://www.someurl.com/somefile.asmx). The client felt that the web service gave too much info out.

We had a few methods to resolve this issue. One was to move the web service to another virtual folder and only allow the specific ip address to access that location. This did not seem to be the logical choice for us because we had multiple applications obtaining information from this location. We would have to find and adjust all the linking applications. So we started to look at the asmx file.

After some googling we really did not find too much info on how to secure the asmx file. Because in it’s true sense it is meant to explain / expose the methods of the web service. In one of the searches we were able to find some information on how the asmx file was built and displayed on the server. Specifically how the can be changed to show the order of the methods.

Using this information we set out to modify the asmx file to not show information about the web service methods. To do this we needed to modify the DefaultWsdlHelperGenerator.aspx file. This file is located in %SYSTEMROOT%\microsoft.net\framework\v1.1.4322\Config

In this file it allows for description and display of all exposed methods on page load. By modifying the SHOWingMethodList function and replacing the list of methods with some text or links back to the site we effectively removed any information the asmx file displayed. The ShowingMethodList had a repeater listing, we removed the repeater and added some text and a url.

We also removed the header information that had the standard documentation and put some text in it’s place.

In the end we had a functional asmx web service page that only displayed the text we wanted. It was not the ideal way of securing a web service, but in our situation it was useful.

Well take all the above items and mix them up and you have what I have been up to. I have been coding a lot more lately, trying to get a new version of iisreporter out and also working on some custom dev software for a friend.

Work has been very stressful. We have a lot going on and a few upcoming deadlines. Visit the site soon and I will have to link out to our newest launch next week.

Running. Well this week I have been a bit lax on running. Since my 14/15 miler last weekend I have played 2 soccer games. One on Sunday right after the long run and the other on Tuesday. So I decided to take Monday and Wed off from running. Tonight, I was really tired and ready to go to sleep, but decided to go for a run with my sister-inlaw and brother-inlaw. I put in a nice 4.5 miler.

It’s funny that I can say 4 miles is a short run. I can remember the day of never going over 4 miles.

Well I have been extremely busy at work, so my posts have been a bit out of sync. I would like to get another pod cast out. I have a lot of material. I keep an ongoing journal of things I want to research, test, and write about. I can use a lot of that information to fill both a podcast and a blog.

To keep my mind off work, I have been running more. This is also in preperation for my marathon. It is interesting to see that 40,000 runners will go through a marathon with me. Wow.

This week I have been able to see and test a lot of new programs.
1. google earth (earth.google.com) Essentially it is keyhole (a program google purchased) on crack. They added all the great features of google maps to this sat image program. If you have not tried it, go download. It’s free.
2. Google Video player. I had heard about this earlier this month from some blog site. Google released a VLC (video Lan client) that is called the google video player. It is pretty good. I have used the vlc client before (also had some issues with the vls – video lan server.. but that is a different story) . If you have not tried this software you should give it a whirl. I use it to stream DVD’s at work to people who may want to watch.
3. Itunes new release – it has a podcasting manager in it. I have downloaded and installed but have not tried the new feature. Looks nice and easy to use like most apple applications.
4. AJAX support in .net 2.0. I read a story on slashdot about upcoming client side javascript (AJAX) being built into 2.0 framework.