Tag Archives: Huddled Masses

Trying to restart blogging …

Ok, so it’s been awhile since I blogged faithfully. I got really busy leading up to the Scripting Games, and then I got even busier afterward … and then I just got distracted. In fact, I have about 9 “drafts” posts queued up in WordPress that I started and never finished, so what I probably need to do to get myself going again is to stop trying to make every post into the complete documentation of … whatever I was writing about.

So, in the spirit of “spit it out”, I’m going to just leave this post at that, and just add I’ve been working on PowerBoots, PoshConsole, PoshCode … some OAuth code for authenticating and posting to FriendFeed (which just got bought by Facebook, so maybe my code will work there some day), and some more voice-recognition stuff … posts on all of these are coming soon.

This entry was posted in Huddled and tagged Huddled Masses, News, Personal on by Joel 'Jaykul' Bennett.

WordPress, Comments, Caching, and annoyances

This is just a short note to explain why I turned off IntenseDebate: it just seems to use way too much memory on my server — I had to increase the memory available to my blog twice, and was still having issues.

Quite frankly, I don’t feel like I was getting anything out of using Intense Debate other than the ability for users to get notified automatically when I reply to their comments, and to get that minor feature I had to give them all my comments, and render the comments in javascript, and … yeah, well, I’m going to do without for now, and we’ll see what happens.

This entry was posted in Huddled and tagged Comment, Disqus, Huddled Masses, IntenseDebate, Rants, WordPress on by Joel 'Jaykul' Bennett.

Vista setuid – How to elevate without prompting

Ever since Vista came out, users have been trying to find ways to avoid the “Elevation Prompt” when running things which require administrative access. There are lots of obvious solutions, but I’ve found one that’s not so obvious, and I’ve found an easy way to use it with PowerShell. First though, an explanation of what this is, and some of the “obvious” solutions.

UAC overview (feel free to skip this)

User Account Control (UAC) is a mechanism in Vista which finally brings Windows into the world of restricted user accounts that OS X and Unix/Linux have been in for years. Essentially it’s a mechanism which protects certain areas of the operating system from being changed (or even accessed) by users who don’t have administration rights. You can disable UAC completely, but it’s highly unrecommended — it’s basically like making all of your users into “root” level administrators, and it’s obviously overkill if all you want is for your administrator accounts to get prompted less.

There are several things you can do to leave the UAC mechanism in place while reducing the annoyance for users: they are all present as settings in the Local Security Policy snap-in (secpol.msc), which controls the behavior of UAC and its elevation prompt. You can choose to require explicit login for everyone (a good idea for the family computer if you all share a single account) or to simply “Prompt for consent” for certain administrators, or even to “Elevate without prompting”, which is basically like having all your administrators running as root (this is a logical idea only if you don’t normally log in as an administrator: it lets you have no prompting when you’re running as an administrator). Finally, you can tweak the behavior of the elevation prompt by disabling the “secure desktop”; this doesn’t get rid of the prompts, it just makes them a little less disruptive.

So far, this is all very much like a Mac or Linux system: with the exception that unlike OS X and Linux, Vista doesn’t just run the apps and let them fail with cryptic errors if they need administrative rights: it detects the attempt to access things which require administrative privileges and proactively prompts you to elevate them. Of course, there is another difference: most Windows apps aren’t written with this in mind: they insist on installing into the global “Program Files” folder instead of into the per-user apps folder (C:\Users\Name\AppData\Local\Apps\), and on accessing the registry, etc. This will change with time, but there will always be apps which need administrative access to install, and some which are actually for administering your system and will therefore always require administrative rights.

What about SetUID?

The problem is that the one thing Linux and OS X have that seems missing in Vista is the “setuid” feature: this allows you to specify that specific application always run with the rights of a specific user. The idea is that you control access to the specific file, but you set it to run as an administrator. This way “any” user who can access the app can run it without needing to have access to an administrator account. It allows you to give users access to some administration tools without giving them access to all of them.

It turns out that Vista has a feature like this hidden in the Task Scheduler. It’s not quite the same as setuid, you can’t use it to allow users to run interactive applications as other users, but it will allow you as a member of the administrator group to create tasks that run with “Highest Privileges” (that is: “Elevated”, or “as administrator”) without needing to deal with the elevation prompt each time. This solution is ideal for those tasks which you use repeatedly and which always require admin rights — but probably shouldn’t be used if non-administrators might use your account, and it can be scripted using PowerShell.
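Because tasks registered this way run elevated with no prompt, it helps to know which ones exist on a machine and whether anyone other than an administrator can change the program they start. The following is an added example, not code from the original post: it uses the Task Scheduler COM interface (Schedule.Service) to list tasks set to run with highest privileges and checks each program file's ACL. The function names Get-ElevatedTask and Test-WritableByNonAdmin are made up for this illustration, and the trusted-account list (SYSTEM, Administrators, TrustedInstaller) is an assumption you may want to extend.

```powershell
# Added example (not from the original post). Function names are illustrative.
function Get-ElevatedTask {
    $service = New-Object -ComObject Schedule.Service
    $service.Connect()                                   # local machine
    $folders = New-Object System.Collections.Queue
    $folders.Enqueue($service.GetFolder('\'))
    while ($folders.Count -gt 0) {
        $folder = $folders.Dequeue()
        foreach ($sub in $folder.GetFolders(0)) { $folders.Enqueue($sub) }
        foreach ($task in $folder.GetTasks(1)) {         # 1 = include hidden tasks
            $def = $task.Definition
            if ($def.Principal.RunLevel -ne 1) { continue }   # 1 = highest privileges
            foreach ($action in $def.Actions) {
                if ($action.Type -ne 0) { continue }          # 0 = run a program
                New-Object PSObject -Property @{
                    Task    = $task.Path
                    RunAs   = $def.Principal.UserId
                    Program = [Environment]::ExpandEnvironmentVariables($action.Path).Trim('"')
                }
            }
        }
    }
}

function Test-WritableByNonAdmin([string]$Path) {
    # $null means "could not check" (bare file name or missing file)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    # SYSTEM, BUILTIN\Administrators, TrustedInstaller
    $trusted = 'S-1-5-18', 'S-1-5-32-544',
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    $write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $rule.IdentityReference.Value -and
            ($rule.FileSystemRights -band $write)) { return $true }
    }
    return $false
}

Get-ElevatedTask | Select-Object Task, RunAs, Program,
    @{ Name = 'WritableByNonAdmin'; Expression = { Test-WritableByNonAdmin $_.Program } }
```

Run it from an elevated session to see every task; a task that starts a script interpreter also needs the script named in its arguments checked the same way.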

This entry was posted in Huddled and tagged elevation, Huddled Masses, PowerShell, setuid, sudo, suid, Vista on by Joel 'Jaykul' Bennett.

Three Cheers for Novell!

Well, it’s finally over. SCO v. Novell has been decided, and the court has concluded that Novell is the owner of the UNIX and UnixWare Copyrights, and that SCO is obligated to recognize Novell’s waiver of SCO’s claims against IBM and Sequent. So that’s pretty much a wrap, I’d say.

Even Groklaw actually passed on thanks to Novell on behalf of the entire FOSS community “for being willing to see this through.” Do you suppose this will make up for the fiasco with the Microsoft agreements?

This entry was posted in Huddled and tagged Huddled Masses on by Joel 'Jaykul' Bennett.

Windows UAC – Is that your final answer?

So I was kind of bored today …
And it’s been a long time since I posted anything …

I’ve been hard at work … among other things I’ve made lots of progress on PoshConsole, and I’ve been playing with PowerShell a lot. If anyone knows anyone using Vista who still has UAC turned on, do them a favor:

1) Download a wav of Regis saying “Is that your final answer?”
2) Put it on their computer somewhere
3) Open up PowerShell (to the folder where you put the wav) and run this command:


Set-ItemProperty -path HKCU:\AppEvents\Schemes\Apps\.Default\WindowsUAC\.Current\ -name "(default)" $(Resolve-Path "FinalAnswer.wav")
 

Obviously you can do that in the “Sound” control panel too, it’s the last event under the “Windows” app, labelled “Windows User Account Control” ... now whenever Windows asks for permission to run something, they’ll get a bit of a chuckle out of it. Makes it more bearable.

This entry was posted in Huddled and tagged Huddled Masses on by Joel 'Jaykul' Bennett.

Hype Machine in Full Gear

Symantec’s 11th Internet Security Threat Report, released this week, discusses security and vulnerability issues from the last six months of 2006 and according to enterprise IT planet “Microsoft Windows had the fewest number of patches and the shortest average patch development time … Red Hat Linux ranks second, OS X third, and Solaris dead last.”

This comes on the heels of this post by Microsoft strategy director for security technology, Jeff Jones, which shows Vista doing substantially better in its first three months than any other OS.

Don’t buy the hype.

Of the three months that Jeff Jones is comparing, Windows Vista has only been publicly available for one month — the first two months are the time it was available only on enterprise MSDN subscriptions. Although I was running it during that time, the scarcity of drivers and software that worked in Vista during that pre-public release made it very clear that this was not really a “launched” OS.

But back to the new report from Symantec — presumably no friend of Microsoft’s, and with a vested interest in making Windows sound frighteningly vulnerable. The new report ranks Microsoft first in their security chart, and that’s what the Enterprise IT article is touting.

However, despite having the “fewest number of patches and the shortest average patch development time” — patching vulnerabilities on average in three weeks — Microsoft Windows had 12 severe or high-priority vulnerabilities out of 39 total. Basically, 1/3 of the vulnerabilities discovered in Windows were considered high priority — even though on average Symantec only rated four percent of all vulnerabilities as high priority.

Although Mac OS X was ranked third according to the article, it had only 3 more vulnerabilities than Windows, and although on average they took nearly three times as long to respond, perhaps they can afford to take their time, since OS X had only one high priority vulnerability. Red Hat —which they ranked second based on their response time— had a whopping 208 vulnerabilities, but it still only had 2 that were considered high severity. All in all, it’s hard to justify ranking by patch time.

More interestingly…

To me, the most interesting thing in the report wasn’t mentioned in the article linked above: the United States not only has the highest number of bot command-and-control computers (40% of the worldwide total) but also accounted for more malicious activity than any other country (nearly 1/3 of all tracked activity), more spam email hosts, and more phishing hosts… in second place, China only accounted for 1/3 as much “malicious activity” as the US. Forget your notion that hackers are Eastern European malcontents: the United States accounts for 19 percent of the world’s Internet users, and 30% of malicious activity.

Another interesting point: worms are down from 75 to only 52 percent of the volume of malicious code … replaced by Trojans, which are up from 23 to 45% of the top malicious code threats. When it comes to actual infections, Trojans measure 60% while traditional “viruses” account for only 5% of all infections!

By the way, at what point do other countries start accusing the US of being a hotbed of international computer crime and demanding that we crack down on this stuff?

This entry was posted in Huddled and tagged Huddled Masses on by Joel 'Jaykul' Bennett.

Huddled Columns

I’ve created a variation on the Plain Masses theme, based on the idea of having lots of extra columns on the front page. I got the basic idea from the International Herald Tribune site — they use tables to achieve the effect, and obviously have strict control over what shows up where.

I’ve been trying to decide if I want to make the “main” story a special one, like the latest article in a specific category, but since I don’t usually post even daily, never mind multiple times a day, it doesn’t seem useful to me to have that main article be the “lead story” ...

The next three most recent articles have their “excerpt” displayed in the second column (actually the number of stories in that column is easy to adjust, the variable is right at the top of the index.php file). The third column shows just headlines in a list for the remaining stories on your front page.

The catch to using this theme is that you have to think about things a little more. I had to turn my front page count up to 15 articles to make the third column look right, and I have to write my excerpts more carefully, and use the WordPress more feature carefully, making sure to put enough content on the front page to keep the layout straight. In case you’re not familiar with it, that’s the tag which breaks your post into front-page and full-article sections, and the point is that you need to have enough content on the front page for it to work.

I also integrated LiveSearch into this theme, so if you grab the theme download, be aware of that. I was careful enough that it should work without any problems, but if it doesn’t, or you just don’t want it, you can disable it by simply removing all three of the livesearch files …

On my server, the livesearch seems to be a bit slow, I haven’t looked into why yet, the fact is, it works, and in the worst case it still works “the old way”.

If you want to try it out, I’m giving away the theme … as always, please feel free to modify it before you use it. It’s in 7-Zip format, so if you haven’t upgraded yet, you may want to get a better archiver.

This entry was posted in Huddled and tagged Huddled Masses, Site, Themes, WordPress on by Joel 'Jaykul' Bennett.

Google Patent Search. Verdict: Awesome!

For the first time in a long time, I’m actually excited about a new Google service: Google Patent Search covers the entire collection of patents made available by the USPTO from the 1790s through the middle of 2006.

If you’ve ever done patent research, you’re going to be really impressed by this thing, I promise. They are hosting their own copies of the full text (where available) and all of the images, and presenting them in a slick AJAX viewer, so not only will you not get redirected to a slower government server to see the patent, there’s finally a way to view patent diagrams without downloading some obscure tiff-viewer!

The only real downside is that they don’t include patent applications, or even U.S. patents issued in the last few months (they’re working on it) ... and of course, they don’t include international patents either (yet?).

This entry was posted in Huddled and tagged Huddled Masses on by Joel 'Jaykul' Bennett.

Wikia says: Forget Free … we’ll PAY you

Wikipedia founder Jimmy Wales announced that his for-profit company, Wikia Inc., is ready to give away not just MediaWiki (the software which runs Wikipedia) but also the hosting you need to run it. And even further, if you run what they consider to be a popular website, you can even have the advertising revenue from your wiki.

The only catch is that they appear to be sort of forcing the GNU FDL on you, which could cause problems for people who would prefer some other license (like a Creative Commons license, perhaps?) and although Memory Alpha was able to get a different deal, one doubts that anyone else would — Memory Alpha is a 7-Million hits per month site which brings in some serious ad revenue.

At any rate, Wikia’s OpenServing service will be giving away hosting in a MediaWiki derivative in exchange for links back to Wikia. Not just that, but according to this article on eWeek they are hoping to become a sort of unified hosting based on open source website software such as WordPress and Drupal. In fact, they’re open to suggestions, so if you are a web software developer and have some other open source software you’re willing to help them install and maintain on their servers … they want to hear from you.

This entry was posted in Huddled and tagged Huddled Masses, Internet, News, Software, WebHosting, WordPress on by Joel 'Jaykul' Bennett.

Joel’s Daily Links 12/05/2006

Krugle

  • An elegant search engine for coders: finds code that Google doesn’t (yet) because it indexes sourceforge (among others). - post by jaykul

Mobility Project – Simple Secure Communication.

  • Mobility Email is basically Thunderbird + GPG + Enigmail, with a secure launcher so you can run it from a USB stick without leaving any traces behind … it provides a nice email app with OpenPGP built in, in a slick wrapper that provides good privacy and protection
     - post by jaykul

The Mobility Email client is a powerful Free (as in Freedom) Software email client that supports IMAP, POP and SMTP email. It features OpenPGP and S/MIME encryption, webmail support, and integrates seamlessly with the MobilityEmail.net service.

The Mobility Email client will work from any location on a computer or USB device. With no installation or configuration it allows you to access your email and contacts on multiple machines. Most importantly, no personal data is left behind once the application is closed.

    This entry was posted in Huddled and tagged Huddled Masses on by Joel 'Jaykul' Bennett.