
Blocking Flash Cookies (and Improved Security with Gnash)

A couple of months ago, I wrote about some simple tests that showed the lack of privacy in Chrome’s Incognito mode and Firefox’s Private Browsing. Both browsers boast a privacy setting that will not save any of your surfing activity on your computer. That is, any activity that doesn’t produce a Flash cookie. Most Flash websites that I’ve been to save cookies on your computer, regardless of the browser’s privacy options.

A recent episode of FLOSS featured Rob Savoye talking about his Open Source port of Flash, Gnash. On Rob’s Blog, I found an excellent post on how to block Flash cookies on your computer. Here are the steps to block Flash cookies:

1. Browse to Adobe Flash Player Settings Manager.
2. Click on “Global Storage Settings Panel” in the left navigation menu.
3. Uncheck “Allow Third Party Flash Content to store data on your computer”.

According to Rob’s post, you shouldn’t mess with the other Privacy options in here.

An interesting side note to this post is Gnash itself. Gnash is a completely Open Source and free project aimed at being a replacement for Adobe’s proprietary Flash player. Gnash can run standalone Flash files, as well as act as a browser plugin. Perhaps the most attractive reason to switch to Gnash is that, according to Rob, Gnash rarely suffers from the same security holes as Adobe’s Flash, as these holes tend to be due to Adobe’s implementation of Flash and not the format. Gnash works on almost all platforms, including Windows, Mac, and Linux, as well as plenty of other more obscure architectures. Gnash also performs significantly better than Adobe’s Flash in terms of CPU processing. There even exists a port of Gnash for Android!

Firefox and Chrome Private Browsing Not So Private

Recently, Chad Tilbury posted a blog article on Flash Cookie Forensics. If you didn’t already know, Adobe Flash stores cookies (actually called LSOs) on your computer that act more or less like regular HTTP cookies, except they never expire. This got me thinking about the built-in private browsing settings found in the current versions of Firefox (3.5.2) and Chrome (2.0). Both of these browsers have an easy-to-use private browsing setting that blocks histories, HTTP cookies, form data, etc. In Firefox, private browsing is called “Private Browsing”, and Chrome has “Incognito” mode. After reading this article, I began wondering just how private Firefox’s and Chrome’s privacy settings were when it comes to Flash cookies. A couple of simple tests showed me that there isn’t much privacy at all.

The tests were simple: locate the storage of Flash cookies (as demonstrated in Chad Tilbury’s article), and see if cookies are being saved while browsing in Firefox’s Private Browsing mode, and in Google Chrome’s Incognito mode. Here is a screenshot of the Flash cookies stored on my computer before I began internet surfing in Firefox:

Firefox Private Browsing Before Surfing the Net


And here is a screenshot of the stored Flash cookies after I surfed to hulu.com in Firefox Private Browsing mode:

Firefox Private Browsing after Surfing to Hulu


As you can see, even when using Firefox Private Browsing, Flash cookies are saved to the computer. Let’s see how well Google Chrome’s Incognito mode does. Here is a before screenshot, with Chrome cracked open in Incognito mode and ready to surf:

Google Chrome in Incognito Before Surfing


After surfing to hulu.com in Chrome Incognito, the Flash cookie was clearly stored on my computer:

Google Chrome Incognito after Surfing to Hulu


The problem really shouldn’t be a surprise based on how Flash cookies work, and I am not reporting anything new. It might not really be the browsers’ fault. Flash cookies aren’t handled by Chrome or Firefox, and thus the browser has no way to block them (as far as I understand it). Still, the private browsing features in Chrome and Firefox give a completely false sense of privacy and security. One might make the argument that both browsers should be able to build in protection against Flash cookies. As Chad mentions in his article, Firefox has an add-on called BetterPrivacy that can manage Flash cookies, and NoScript blocks Flash completely, so if an add-on can do it, why can’t it be built into the browser? By the way, as far as I can tell, there isn’t a similar add-on for Chrome.
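The before/after comparison above can be scripted instead of read off screenshots. The following is an added example, not code from the original post: it records every .sol file under a directory and reports what a browsing session added or changed. The function names and the temporary directory standing in for the Flash Player store are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile


def snapshot_lsos(root):
    """Map each .sol file under root (relative path) to (size, sha256)."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".sol"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            found[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return found


def diff_snapshots(before, after):
    """Return the LSOs that appeared, disappeared or changed content."""
    both = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in both if before[p] != after[p]),
    }


def demo():
    """Constructed data: a temp directory plays the role of the LSO store.

    On a real Windows profile the store is commonly found under
    %APPDATA%\\Macromedia\\Flash Player\\#SharedObjects.
    """
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "PROFILEID", "example.invalid")
        os.makedirs(site)
        with open(os.path.join(site, "settings.sol"), "wb") as fh:
            fh.write(b"constructed-lso-1")
        before = snapshot_lsos(root)

        # Simulate what a private-mode session leaves behind: one new LSO
        # from a newly visited site and one existing LSO rewritten.
        new_site = os.path.join(root, "PROFILEID", "video.example.invalid")
        os.makedirs(new_site)
        with open(os.path.join(new_site, "player.sol"), "wb") as fh:
            fh.write(b"constructed-lso-2")
        with open(os.path.join(site, "settings.sol"), "wb") as fh:
            fh.write(b"constructed-lso-1-updated")

        return diff_snapshots(before, snapshot_lsos(root))


if __name__ == "__main__":
    print(demo())
```

To repeat the test from the post, call snapshot_lsos() on the real store before opening the private window and again after closing it; any entry under "added" or "changed" was written despite private mode.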

(This article is dedicated to my friend, John.)

Update: For a follow-up on how to block Flash cookies, and a better implementation of Flash called Gnash, see my article Blocking Flash Cookies (and Improved Security with Gnash).

How to Install and Fix Stumbler Plus Crashes on an iPhone (Jailbroken)

Google seems to have a lot of older forum discussions about how to get Stumbler Plus to work on the iPhone. Most of these discussions revolve around an old upgrade that resulted in a crashing state for this app. However, I have found that new installations of Stumbler Plus from Cydia also crash, and the fixes described in a lot of the Google results don’t solve the problem.

Before you can do this, your phone must be jailbroken, and you need to have OpenSSH up and running. If you are using Windows, you will need a command-line SSH client like PuTTY and pscp.exe. Remember to turn off OpenSSH on your iPhone after this is done: there is no need to leave the service running, and anyone can scan your phone and find the service running on it.

To install Stumbler Plus on a jailbroken iPhone, first install it from Cydia. The app will crash as soon as it is launched. Follow these instructions to get it working properly. If you are using Windows and have downloaded pscp.exe, use pscp.exe where these instructions say to use “scp” to copy the Stumbler package to your phone. Use PuTTY to ssh into your phone to complete the rest of the steps from the Stumbler website. If you are not comfortable using PuTTY, you can also use the MobileTerminal application from Cydia directly on your phone.

My Twitter

Follow me on Twitter: http://twitter.com/Dantheman_13

Naming Computers in LANDesk Upgrade

Late last year I wrote an article on how to rename computers before an image is applied during LANDesk’s OSD process (read this article first if you haven’t already). Here at CSN, we PXE boot our faculty/staff computers into LANDesk’s specially configured WinPE, which launches a GUI menu of OSD tasks. These OSD tasks can be anything really, but that is a story for another article. My previous article about injecting the computer name into the Sysprep.inf file used a VBScript. I have since then upgraded to an AutoIt script that gives us more options.

PC Rename

First, let me give a brief explanation of our environment. We have a parent domain, and a child domain for students. We have four LANDesk agent configurations: one for labs and classrooms, one for office computers, one for laptops, and one for computers that don’t reside on our network. The LANDesk agent gets installed during the GUIRunOnce section of Sysprep. So, I upgraded our OSD task to prompt the technician to select which domain to join (or none), and which LANDesk agent to install. Here is the script. I won’t go through line by line like I did for the VBScript; you’ll just have to visit the AutoIt documentation website to look up some of the functions. Re-read my previous article on how I did the VBScript. The AutoIt script follows the exact same logic, but expands the idea to add more options.

#include <GUIConstantsEx.au3>

GUICreate("PC Rename", 250, 310) ; Create the GUI Window
GUICtrlCreateLabel("Enter the computer name:", 30, 10) ; Create a label
$computername = GUICtrlCreateInput("", 30, 30, 190, 20) ; Create the textbox
GUICtrlSetLimit(-1, 15) ; Limit the computer name to 15 characters
GUICtrlCreateGroup("Domain to join", 30, 60, 190, 90) ; Create the join domain "group" that surrounds the radio buttons
$optCSN = GUICtrlCreateRadio("CSN", 40, 80, 100, 20) ; Create the radio button to join the CSN domain
GUICtrlSetState(-1, $GUI_CHECKED) ; Set the CSN radio button as checked by default
$optSTUDENT = GUICtrlCreateRadio("STUDENT", 40, 100, 100, 20) ; Create the radio button to join the STUDENT domain
$optNONE = GUICtrlCreateRadio("Do not join a domain", 40, 120, 150, 20); Create the radio button to not join a domain
GUICtrlCreateGroup("", -99, -99, 1, 1)  ;close group

GUICtrlCreateGroup("LANDesk Agent", 30, 150, 190, 110) ; Create the agent "group" that surrounds the radio buttons
$optStaff = GUICtrlCreateRadio("Standard Staff/Faculty", 40, 170, 150, 20) ; Create the radio button to install the Faculty Staff agent
GUICtrlSetState(-1, $GUI_CHECKED) ; Set the Faculty Staff agent radio button as checked by default
$optDeepfreeze = GUICtrlCreateRadio("Deep Freeze Required", 40, 190, 170, 20) ; Create the radio button to install the Lab Classroom agent
$optLaptop = GUICtrlCreateRadio("Laptop/Roaming", 40, 210, 150, 20); Create the radio button to install the Roaming Laptop agent
$optRural = GUICtrlCreateRadio("Rural Site", 40, 230, 150, 20); Create the radio button to install the Rural Site agent
GUICtrlCreateGroup("", -99, -99, 1, 1)  ;close group

$okbutton = GUICtrlCreateButton("OK", 100, 270, 60)	; Create the OK button
GUISetState(@SW_SHOW) ; Show the GUI

$f = FileOpen("x:\LDClient\insertname.bat", 2) ; Create the insertname.bat file

While 1 ; infinite loop that waits for the GUI to receive a message
  $msg = GUIGetMsg() ; get any user input

  Select
    Case $msg = $okbutton ; if the Ok button is pressed, check the options that the user selected
		If GUICtrlRead($computername) = "" Then ; if blank computer name, use the LANDesk inventory computer name for the name.
			FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf COMPUTERNAME=%Computer - Device Name%")
		Else ; else use the user input for the computer name
			FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf COMPUTERNAME=" & GUICtrlRead($computername))
		EndIf
		Select ; Choose the domain to join or not join a domain
			Case GUICtrlRead($optCSN) = $GUI_CHECKED ; Join CSN domain
				FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf DOMAIN=CSN")
				FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf NOWG=")
				FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf WG=;")
			Case GUICtrlRead($optSTUDENT) = $GUI_CHECKED ; Join STUDENT domain
				FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf DOMAIN=STUDENT")
				FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf NOWG=")
				FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf WG=;")
			Case GUICtrlRead($optNONE) = $GUI_CHECKED ; Join WORKGROUP and no domain
				FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf NOWG=;")
				FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf WG=")
		EndSelect
		Select ; Choose the agent to install
			Case GUICtrlRead($optStaff) = $GUI_CHECKED ; Install the Staff faculty agent
				FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf AGENT=instfacst.bat")
			Case GUICtrlRead($optDeepfreeze) = $GUI_CHECKED ; Install the Lab Classroom agent
				FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf AGENT=instlabcl.bat")
				MsgBox(64, "Deep Freeze Reminder", "1.  Remember to run a scheduled Deep Freeze task for this computer in LANDesk Console after imaging is complete." & @CRLF & "2.  Set the System BIOS to auto power on every day at 11:00 pm.")
			Case GUICtrlRead($optLaptop) = $GUI_CHECKED ; Install the Laptop Roaming agent
				FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf AGENT=instlaptop.bat")
			Case GUICtrlRead($optRural) = $GUI_CHECKED ; Install the Rural agent
				FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf AGENT=instrural.bat")
		EndSelect
		ExitLoop
	Case $msg = $GUI_EVENT_CLOSE ; if the GUI is closed, the default is to name the computer using the LANDesk inventory, and not join a domain.
		FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf COMPUTERNAME=%Computer - Device Name%")
		FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf NOWG=;") ; the token in sysprep.inf is %NOWG%; a semicolon comments out JoinDomain
		FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf WG=")
		FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf AGENT=instfacst.bat")
		ExitLoop
  EndSelect
WEnd

FileClose($f) ; Close insertname.bat explicitly rather than relying on script exit

AutoIt scripts can easily be converted into an executable using AutoIt’s “Compile Script to .exe” tool.

I guess I also owe an explanation of how tokreplw.exe works. You can probably get this file by downloading the trial version of LANDesk Management Suite. This command takes two inputs: a file and a pair of tokens. The file is the target file to search for token replacement. The token syntax is VARIABLE=VALUE, where VARIABLE appears in your target file as %VARIABLE%, and the value is whatever you decide. For example, let’s examine one line in the prename.au3 script, line 35:

FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf DOMAIN=CSN")

To avoid confusion with the AutoIt portion of the code, we’ll reduce this to the tokreplw command itself:

tokreplw c:\sysprep\sysprep.inf DOMAIN=CSN

So, the “c:\sysprep\sysprep.inf” file is targeted. Within this file, an occurrence of the variable %DOMAIN% will be replaced with the value of CSN, which is the name of our parent domain. If we crack open our sysprep.inf file (do an Advanced Edit in LANDesk Console), we have this:

[Identification]
%NOWG%JoinDomain=%DOMAIN%
DomainAdmin=csn\BadBoy
DomainAdminPassword=LeeroyJenkins
%WG%JoinWorkgroup=WORKGROUP

You can see the %DOMAIN% variable here. You will also notice several other variables as well. I use tokreplw to manipulate the sysprep.inf file dynamically, depending on what the technician chooses. If the tech selects to join a domain then %NOWG% becomes blank, and %DOMAIN% becomes the name of one of our two domains. The %WG% variable becomes a semicolon, which comments out the JoinWorkgroup line. If the tech does not select to join a domain, then %NOWG% becomes a semicolon, which comments out the JoinDomain line, and %WG% becomes blank. This configures the sysprep.inf file to join the computer to a workgroup instead.
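The substitution logic described above can be checked offline before an image is deployed. This is an added example, not part of the original script or of LANDesk: tokreplw() below is a Python model of the behaviour as this article describes it, and the name allow-list, the helper names and the "mistyped" case are assumptions. It renders the token lines of the [Identification] section for each choice, reports tokens left unreplaced on lines that are not commented out, and rejects technician-typed computer names that would be unsafe to paste into a batch-file line.

```python
import re

# Token lines from the article's sysprep.inf [Identification] section.
TEMPLATE = (
    "[Identification]\n"
    "%NOWG%JoinDomain=%DOMAIN%\n"
    "%WG%JoinWorkgroup=WORKGROUP\n"
)

# Assumed allow-list for technician-typed names: NetBIOS-safe, 1-15 chars.
SAFE_NAME = re.compile(r"[A-Za-z0-9-]{1,15}")


def computername_arg(name):
    """Build the COMPUTERNAME token, refusing anything cmd.exe could interpret."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("unsafe computer name: %r" % name)
    return "COMPUTERNAME=" + name


def tokreplw(text, arg):
    """Model of one tokreplw call: replace %VARIABLE% with VALUE."""
    variable, value = arg.split("=", 1)
    return text.replace("%" + variable + "%", value)


def render(template, args):
    """Apply a sequence of VARIABLE=VALUE arguments, one call per argument."""
    for arg in args:
        template = tokreplw(template, arg)
    return template


def active_lines(text):
    """Lines setup will act on: skip blanks, [section] headers and ';' comments."""
    return [ln for ln in text.splitlines()
            if ln and not ln.startswith((";", "["))]


def leftover_tokens(text):
    """Token names still unreplaced on active (non-comment) lines."""
    return [tok for ln in active_lines(text)
            for tok in re.findall(r"%([A-Za-z]+)%", ln)]


JOIN_CSN = ["DOMAIN=CSN", "NOWG=", "WG=;"]   # technician picks the CSN domain
WORKGROUP = ["NOWG=;", "WG="]                # technician picks no domain
MISTYPED = ["NONE=;", "WG="]                 # constructed failure: NONE is not a token

if __name__ == "__main__":
    for label, args in (("domain", JOIN_CSN),
                        ("workgroup", WORKGROUP),
                        ("mistyped", MISTYPED)):
        out = render(TEMPLATE, args)
        print(label, active_lines(out), leftover_tokens(out))
```

A non-empty result from leftover_tokens() means the generated batch file would leave a literal %TOKEN% on a live line of sysprep.inf, which is worth catching before the image is applied.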

Feel free to ask any questions about the script, and I will do my best to answer them.

Google Voice on the iPhone

You can currently get an invite for Google Voice. The invitation came right away for me. The only problem is Apple rejected the Google Voice app for iPhones. Of course, this isn’t a big deal for people who have jailbroken phones. With Cydia installed, you can download GV Mobile, and make phone calls through your Google Voice account.

So what is Google Voice, and why would you want one? Let me tell you right now that this thing is cool once you grasp how it works and see it in real time! GV works like this: Google gives you an account and a phone number. In your Google Voice account, you enter your cell phone number, home number, and/or work number. When someone calls your Google voice number, it forwards the phone call to all of your listed phone numbers! You can even specify which numbers ring based on who the caller is. If you have more than one phone, this really allows you to consolidate your phone numbers into one number. I am sure that if you spend any time thinking about the possibilities for this application, you can realize that the uses for this could be huge! For example, you can give your home or cell number to agencies or businesses, while keeping your Google Voice phone number private for friends and family. The main concept to remember here is that your Google Voice number isn’t tied to a phone or device, it is tied to you.

GV also has a lot of neat features, particularly related to voicemail. You can have different greetings for different callers or groups of callers based on your Google Contacts. You can listen to voicemail on the Google Voice webpage. Voicemail is transcribed into text, both when you receive it on your phone (at least for the iPhone), and when you check it on the web. You can forward voicemail recordings to email, or even embed them on websites. GV can record phone call conversations, and listen to a voicemail message as it is being recorded. If you decide to take the call, you can do that too (provided the caller doesn’t hang up of course). Here is the list of things GV can do with links to short videos on how they work.

The one last thing that impressed me, and really sold me on Google Voice, is the international rates. This alone is a good reason to have Google Voice. I occasionally have the need to call Australia, which is only $0.03 a minute. Compare that to my cell phone provider’s international rate, which is $3.50 per minute for the same phone call. I just couldn’t pass that up.

Unfortunately, Google Voice is only available in the USA. There are plans to add it in other countries though. I highly advise folks to go to the GV website and apply for an invitation. If you have a Google or Gmail account, use that if you can. I don’t know if it makes a difference, but I signed up using my Gmail account which I have had for a few years now, and got my invitation instantly. Good luck!

Internet Communities Making Revolutionary Changes

I’ve recently discovered an interesting phenomenon creeping up on the net. Well, political grassroots movements are not new to the internet at all. Every organization out there has a website, some using technology with varying levels of effectiveness. Politicians are using the net to communicate their platforms. Online communities have been around for a long time, from the early days of Usenet, to web bulletin boards, and now Web 2.0 sites like Youtube, Facebook, and Twitter. One impressive grassroots Youtube movement in particular has caught my eye as a movement that has stood out with a rather amazing and recent success story.

A couple of months ago, I watched an interesting vlog on Youtube from AtheneWins. As an ex-WoW player, I’ve watched Athene videos before, particularly for their humor. The rather large following that Athene videos have created apparently led to a spin-off by the amateur filmmakers of the AtheneWins videos, I Power. I Power’s focus was self-improvement, and, more to the point of this article, politics. I Power has taken a particular stance on supporting Net Neutrality in Europe.

I had known about Net Neutrality before, but this was the first that I heard about it being considered in European Parliament. As a US citizen, I suddenly became increasingly interested in Net Neutrality. If laws could be passed in Europe that allow ISPs or governments to restrict what their users can view on the internet, why couldn’t it happen in the US?

Inspiration happened when I Power posted an “emergency” video on Youtube that encouraged Europeans to contact their Parliament, and support Net Neutrality. The video got 40,000 hits. As a skeptical, somewhat apathetic American, I had to wonder just how this would affect the European Parliament’s decision on whether or not to allow ISPs to control the content of the internet as it’s delivered to their customers.

A few days later, I Power posted this follow-up video announcing a victory in protecting Net Neutrality. Apparently, European Parliament members received so many letters, emails, and phone calls that they realized just how important Net Neutrality is to the internet as we know it today, and refused to allow ISPs the ability to control what content their users could view. I couldn’t believe it!

This is a very real example of how online communities are making their voices heard, and making a difference. You always hear about how the “world is being changed by technology”, and the “internet is a huge part of change”. From politicians using Youtube and Twitter to spread their campaign message, to the leaked Iran protest videos (which Iran’s government has tried to suppress by blocking direct access to Youtube), these are more than just buzzwords. The success of I Power stands out as one of the most impressive examples of how everyday people can use technology to make their voices heard, and when voices are heard by politicians (in democratic countries), change can become a reality.

A Windows SSH Client with Tabs

I’ve decided to upload my SSH client code, written in C# for Windows, to Sourceforge. This is very unfinished, buggy, and probably not well written. There is no installer yet. I need to update the telnet code since the library I am using (and had to hack to include some basic telnet negotiation code) has been updated. I am not sure how much of the telnet code I need to change, but the library looks like it has been improved quite a bit. The site manager portion of the code is also very unfinished, and I would like to finish that as well before making an installer for this program.

Here’s the code

iPhone with Exchange and Google Calendar

I finally broke down and got myself an iPhone. I must say that my initial reaction to the phone was partial excitement, and partial disappointment. You see, I’ve never owned a Smart Phone before. I had high expectations for these devices. I knew there were limitations, such as only being able to run one app at a time on iPhones, and no Flash Player. However, I was still willing to give this device a try.

One of the things that aggravated me was the lack of information on how to set up two separate Calendars on the iPhone. Apparently, the iPhone can only recently do this. I finally found the technical information I was looking for on how the iPhone Calendar/Mail apps actually work on Stephen Foskett’s Blog.

You see, I, like many, use Exchange Server 2008 for work, but I also needed a separate personal Calendar, particularly for reminding me about personal appointments. I had a Google account that would be perfect for this if I could get it to sync onto my iPhone. Google now has an ActiveSync application, which will sync your Google email, Contacts, and Calendar. However, there was one problem. If you read Foskett’s blog, you’ll learn that you can only have one ActiveSync (Exchange) account on your iPhone at a time. Now, the iPhone can easily add multiple Mailboxes without a problem. I added my Gmail account as a new email account on my iPhone, along with my existing Exchange account, and both accounts were kept separate. However, this only added my Google email, and not my Google Calendar.

As of now, I am still left without a solution to this.

Well, there is a solution, but it involves jailbreaking your iPhone using “redsn0w” for 3G and 3GS iPhones. After this is accomplished, an application called NemusSync can be installed using Cydia that will create a second, separate Calendar on your iPhone. You then launch the NemusSync app, and manually sync your Google Calendar. Too bad this isn’t built into the iPhone!

Message to Mythic

Below is a post I made on the VN boards in regards to what players want in regards to keeps in Warhammer Online:

Everyone knows that there is currently no incentive to defend a keep or BO right now, other than trying to cap a zone. However, capping a zone is such an involved, and seemingly random thing that this currently does not qualify as an incentive in my opinion. People play this game to RvR, but they also play the game to advance and experience the end game. Put simply, advancement is made by capping zones. The oRvR experience and the VP system are deeply interconnected within the player experience, and I think that this interconnectedness needs to be exploited by Mythic to produce a potentially awesome gaming experience.

We need incentive to defend keeps, and I think that incentive should be focused on the VP system. Such a solution could also solve another problem with Warhammer: the VP system currently does not appeal to players. This system in its current, seemingly obscure and random form, is just not tangible to us. Right now, the only realistic way to cap a zone is to win scenarios. When enough VP’s are accumulated from winning scenarios, we quickly take the keeps and hope we have enough VP’s to cap when we are done. This “rush” to take keeps in a zone does not create keep defense. There is also currently no reason to defend a keep unless you are really close to capping a zone from winning scenarios. So, Mythic should shift the focus from scenario wins, to success in oRvR to solve both problems in one blow. The system of static VP’s from keeps and maybe BO’s has to go.

Here are a couple of ideas that could be applied, perhaps with some modifications (the VP system is very complex, and I am far from understanding its complexities). Neither of the two ideas are original, but within this context they could work to help make this game really great:

Idea #1: If a keep is captured by a realm, and/or possibly only when claimed by a guild, it will slowly trickle in VP’s for that realm. When a keep is taken back by the enemy realm, those VP’s are lost, including the accumulated VP’s (or maybe VP decay would take care of this, but only after a certain amount of time has passed.). So, if a realm can hold a zone for a reasonable time length (maybe 2 days for example), then it should have a higher chance of capping the zone, depending on how well the realm is doing in scenarios. Winning scenarios would still be a factor, but less of one.

Idea #2: Instead of Idea #1, capturing all of the keeps and/or BO’s could result in VP decay being halted. Currently, VP decay is set in place to balance against a sweep of (perhaps lucky) scenario wins, which is good in theory, but from experience it can also be very demoralizing when you’ve worked with your entire realm to cap a zone, and there just aren’t enough quick, back-to-back scenario wins to do it. Perhaps the VP decay system itself needs to be redone, but in the meantime this idea would give a realm incentive to defend taken keeps/BO’s if defending will help cap the zone.

These are not the only ideas that could work. The important thing that I would like to communicate to Mythic as a player who loves this game, but wants it to improve is that they should use the inherited interest of players to cap a zone and advance the game, to increase keep defense and game play in oRvR. This is what the player base wants, and I think Mythic could easily give it to us. Being successful in oRvR should lead to being successful in pushing or defending zones.

Thank you,
BB