
Firefox and Chrome Private Browsing Not So Private

Recently, Chad Tilbury posted a blog article on Flash Cookie Forensics. If you didn’t already know, Adobe Flash stores cookies (actually called LSOs) on your computer that act more or less like regular HTTP cookies, except they never expire. This got me thinking about the built-in private browsing settings found in the current versions of Firefox (3.5.2) and Chrome (2.0). Both of these browsers have an easy-to-use private browsing setting that blocks history, HTTP cookies, form data, etc. In Firefox, private browsing is called “Private Browsing”, and Chrome has “Incognito” mode. After reading this article, I began wondering just how private Firefox’s and Chrome’s privacy settings were when it comes to Flash cookies. A couple of simple tests showed me that there isn’t much privacy at all.

The tests were simple: locate the storage of Flash cookies (as demonstrated in Chad Tilbury’s article), and see if cookies are being saved while browsing in Firefox’s Private Browsing mode, and in Google Chrome’s Incognito mode. Here is a screenshot of the Flash cookies stored on my computer before I began internet surfing in Firefox:

Firefox Private Browsing Before Surfing the Net

And here is a screenshot of the stored Flash cookies after I surfed to hulu.com in Firefox Private Browsing mode:

Firefox Private Browsing after Surfing to Hulu

As you can see, even when using Firefox Private Browsing, Flash cookies are saved to the computer. Let’s see how well Google Chrome’s Incognito mode does. Here is a before screenshot, with Chrome cracked open in Incognito mode and ready to surf:

Google Chrome in Incognito Before Surfing

After surfing to hulu.com in Chrome Incognito, the Flash cookie was clearly stored on my computer:

Google Chrome Incognito after Surfing to Hulu

The problem really shouldn’t be a surprise based on how Flash cookies work, and I am not reporting anything new. It might not really be the browsers’ fault: Flash cookies aren’t handled by Chrome or Firefox, and thus the browser has no way to block them (as far as I understand it). Still, the private browsing features in Chrome and Firefox give a completely false sense of privacy and security. One might make the argument that both browsers should be able to build in protection against Flash cookies. As Chad mentions in his article, Firefox has an add-on called BetterPrivacy that can manage Flash cookies, and NoScript blocks Flash completely, so if an add-on can do it, why can’t it be built into the browser? By the way, as far as I can tell, there isn’t a similar add-on for Chrome.

(This article is dedicated to my friend, John.)

Update: For a follow-up on how to block Flash cookies, and a better implementation of Flash called Gnash, see my article Blocking Flash Cookies (and Improved Security with Gnash).

Naming Computers in LANDesk Upgrade

Late last year I wrote an article on how to rename computers before an image is applied during LANDesk’s OSD process (read this article first if you haven’t already). Here at CSN, we PXE boot our faculty/staff computers into LANDesk’s specially configured WinPE, which launches a GUI menu of OSD tasks. These OSD tasks can be anything really, but that is a story for another article. My previous article about injecting the computer name into the Sysprep.inf file used a VBScript. I have since upgraded to an AutoIt script that gives us more options.

PC Rename

First, let me give a brief explanation of our environment. We have a parent domain, and a child domain for students. We have four LANDesk agent configurations: one for labs and classrooms, one for office computers, one for laptops, and one for computers that don’t reside on our network. The LANDesk agent gets installed during the GUIRunOnce section of Sysprep. So, I upgraded our OSD task to prompt the technician to select which domain to join (or none), and which LANDesk agent to install. Here is the script. I won’t go through line by line like I did for the VBScript; you’ll just have to visit the AutoIt documentation website to look up some of the functions. Re-read my previous article on how I did the VBScript. The AutoIt script follows the exact same logic, but expands the idea to add more options.

#include <GUIConstantsEx.au3>

GUICreate("PC Rename", 250, 310) ; Create the GUI window
GUICtrlCreateLabel("Enter the computer name:", 30, 10) ; Create a label
$computername = GUICtrlCreateInput("", 30, 30, 190, 20) ; Create the textbox
GUICtrlSetLimit(-1, 15) ; Limit the computer name to 15 characters (the NetBIOS name limit)
GUICtrlCreateGroup("Domain to join", 30, 60, 190, 90) ; Create the join domain "group" that surrounds the radio buttons
$optCSN = GUICtrlCreateRadio("CSN", 40, 80, 100, 20) ; Create the radio button to join the CSN domain
GUICtrlSetState(-1, $GUI_CHECKED) ; Set the CSN radio button as checked by default
$optSTUDENT = GUICtrlCreateRadio("STUDENT", 40, 100, 100, 20) ; Create the radio button to join the STUDENT domain
$optNONE = GUICtrlCreateRadio("Do not join a domain", 40, 120, 150, 20) ; Create the radio button to not join a domain
GUICtrlCreateGroup("", -99, -99, 1, 1) ; Close the group

GUICtrlCreateGroup("LANDesk Agent", 30, 150, 190, 110) ; Create the agent "group" that surrounds the radio buttons
$optStaff = GUICtrlCreateRadio("Standard Staff/Faculty", 40, 170, 150, 20) ; Create the radio button to install the Faculty/Staff agent
GUICtrlSetState(-1, $GUI_CHECKED) ; Set the Faculty/Staff agent radio button as checked by default
$optDeepfreeze = GUICtrlCreateRadio("Deep Freeze Required", 40, 190, 170, 20) ; Create the radio button to install the Lab/Classroom agent
$optLaptop = GUICtrlCreateRadio("Laptop/Roaming", 40, 210, 150, 20) ; Create the radio button to install the Roaming Laptop agent
$optRural = GUICtrlCreateRadio("Rural Site", 40, 230, 150, 20) ; Create the radio button to install the Rural Site agent
GUICtrlCreateGroup("", -99, -99, 1, 1) ; Close the group

$okbutton = GUICtrlCreateButton("OK", 100, 270, 60) ; Create the OK button
GUISetState(@SW_SHOW) ; Show the GUI

$f = FileOpen("x:\LDClient\insertname.bat", 2) ; Create (overwrite) the insertname.bat file

While 1 ; Infinite loop that waits for the GUI to receive a message
    $msg = GUIGetMsg() ; Get any user input

    Select
        Case $msg = $okbutton ; If the OK button is pressed, check the options that the user selected
            If GUICtrlRead($computername) = "" Then ; If the computer name is blank, use the LANDesk inventory computer name
                FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf COMPUTERNAME=%Computer - Device Name%")
            Else ; Otherwise use the user input for the computer name
                FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf COMPUTERNAME=" & GUICtrlRead($computername))
            EndIf
            Select ; Choose the domain to join, or no domain at all
                Case GUICtrlRead($optCSN) = $GUI_CHECKED ; Join the CSN domain
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf DOMAIN=CSN")
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf NOWG=")
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf WG=;")
                Case GUICtrlRead($optSTUDENT) = $GUI_CHECKED ; Join the STUDENT domain
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf DOMAIN=STUDENT")
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf NOWG=")
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf WG=;")
                Case GUICtrlRead($optNONE) = $GUI_CHECKED ; Join WORKGROUP and no domain
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf NOWG=;")
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf WG=")
            EndSelect
            Select ; Choose the agent to install
                Case GUICtrlRead($optStaff) = $GUI_CHECKED ; Install the Staff/Faculty agent
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf AGENT=instfacst.bat")
                Case GUICtrlRead($optDeepfreeze) = $GUI_CHECKED ; Install the Lab/Classroom agent
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf AGENT=instlabcl.bat")
                    MsgBox(64, "Deep Freeze Reminder", "1.  Remember to run a scheduled Deep Freeze task for this computer in LANDesk Console after imaging is complete." & @CRLF & "2.  Set the System BIOS to auto power on every day at 11:00 pm.")
                Case GUICtrlRead($optLaptop) = $GUI_CHECKED ; Install the Laptop/Roaming agent
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf AGENT=instlaptop.bat")
                Case GUICtrlRead($optRural) = $GUI_CHECKED ; Install the Rural agent
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf AGENT=instrural.bat")
            EndSelect
            ExitLoop
        Case $msg = $GUI_EVENT_CLOSE ; If the GUI is closed, the default is to name the computer using the LANDesk inventory, not join a domain, and install the Staff/Faculty agent
            FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf COMPUTERNAME=%Computer - Device Name%")
            FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf NOWG=;") ; NOWG is the token sysprep.inf actually uses to comment out JoinDomain
            FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf WG=")
            FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf AGENT=instfacst.bat")
            ExitLoop
    EndSelect
WEnd

FileClose($f) ; Flush and close insertname.bat before the OSD script runs it

AutoIt scripts can easily be converted into an executable using AutoIt’s “Compile Script to .exe” tool.

I guess I also owe an explanation of how tokreplw.exe works. You can probably get this file by downloading the trial version of LANDesk Management Suite. This command takes two inputs: a file and a token pair. The file is obvious: it is the target file to search for token replacement. The token syntax is VARIABLE=VALUE, where VARIABLE appears in your target file as %VARIABLE%, and the value is whatever you decide. For example, let’s examine one line in the prename.au3 script, line 35:

FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf DOMAIN=CSN")

To avoid confusing it with the AutoIt portion of the code, we’ll strip this down to the bare tokreplw command:

tokreplw c:\sysprep\sysprep.inf DOMAIN=CSN

So, the “c:\sysprep\sysprep.inf” file is targeted. Within this file, an occurrence of the variable %DOMAIN% will be replaced with the value of CSN, which is the name of our parent domain. If we crack open our sysprep.inf file (do an Advanced Edit in LANDesk Console), we have this:

[Identification]
%NOWG%JoinDomain=%DOMAIN%
DomainAdmin=csn\BadBoy
DomainAdminPassword=LeeroyJenkins
%WG%JoinWorkgroup=WORKGROUP

You can see the %DOMAIN% variable here. You will also notice several other variables as well. I use tokreplw to manipulate the sysprep.inf file dynamically, depending on what the technician chooses. If the tech selects to join a domain then %NOWG% becomes blank, and %DOMAIN% becomes the name of one of our two domains. The %WG% variable becomes a semicolon, which comments out the JoinWorkgroup line. If the tech does not select to join a domain, then %NOWG% becomes a semicolon, which comments out the JoinDomain line, and %WG% becomes blank. This configures the sysprep.inf file to join the computer to a workgroup instead.
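The token substitution described above, as an added Python emulation that is not part of this post or of LANDesk’s tokreplw: it applies VARIABLE=VALUE tokens to a constructed copy of the [Identification] block, builds the NOWG/WG/DOMAIN lines the way the PC Rename script does for the domain and workgroup cases, and checks that no %TOKEN% is left on an active line. The account and password are placeholders; in the real file the domain-join password sits in cleartext.

```python
"""Constructed emulation of tokreplw-style token replacement on sysprep.inf.
Not LANDesk's tool: it only mimics the VARIABLE=VALUE -> %VARIABLE% behaviour
the post describes, so the domain/workgroup switching can be checked offline."""
import re
from typing import List, Optional

# Constructed copy of the [Identification] block from the post. The account and
# password are placeholders; a real sysprep.inf holds the join password in
# cleartext, so the rendered file should not outlive mini-setup.
SYSPREP_TEMPLATE = (
    "[Identification]\n"
    "%NOWG%JoinDomain=%DOMAIN%\n"
    "DomainAdmin=csn\\<JOIN_ACCOUNT>\n"
    "DomainAdminPassword=<JOIN_PASSWORD>\n"
    "%WG%JoinWorkgroup=WORKGROUP\n"
)

INF = r"c:\sysprep\sysprep.inf"
# Matches %NOWG% as well as names with spaces such as %Computer - Device Name%
TOKEN_RE = re.compile(r"%([A-Za-z][A-Za-z0-9 _-]*)%")


def tokreplw(text: str, token: str) -> str:
    """Apply one VARIABLE=VALUE token: every %VARIABLE% becomes VALUE ("" and ";" are valid values)."""
    name, sep, value = token.partition("=")
    if not sep or not name:
        raise ValueError(f"token must be VARIABLE=VALUE, got {token!r}")
    return text.replace(f"%{name}%", value)


def apply_batch(text: str, batch_lines: List[str]) -> str:
    """Run the 'tokreplw <file> VARIABLE=VALUE' lines of an insertname.bat against text."""
    for line in batch_lines:
        parts = line.split(maxsplit=2)  # keeps spaces inside the token value intact
        if len(parts) == 3 and parts[0].lower() == "tokreplw":
            text = tokreplw(text, parts[2])
    return text


def domain_lines(domain: Optional[str]) -> List[str]:
    """The domain/workgroup lines the PC Rename script writes: a domain join blanks
    NOWG and comments out JoinWorkgroup; no domain does the opposite."""
    if domain is None:
        return [f"tokreplw {INF} NOWG=;", f"tokreplw {INF} WG="]
    return [f"tokreplw {INF} DOMAIN={domain}", f"tokreplw {INF} NOWG=", f"tokreplw {INF} WG=;"]


def unresolved_tokens(text: str) -> List[str]:
    """Names of %TOKEN% placeholders left on active (non-';') lines. Anything listed
    here would reach Sysprep literally, e.g. because a token name was mistyped."""
    found: List[str] = []
    for line in text.splitlines():
        if line.lstrip().startswith(";"):
            continue  # commented-out lines are ignored by Sysprep, so leftovers there are harmless
        found.extend(TOKEN_RE.findall(line))
    return found


def render(domain: Optional[str]) -> str:
    """Render the [Identification] block for a chosen domain (None means workgroup only)."""
    return apply_batch(SYSPREP_TEMPLATE, domain_lines(domain))


if __name__ == "__main__":
    for choice in ("CSN", "STUDENT", None):
        out = render(choice)
        print(out, "unresolved:", unresolved_tokens(out), "\n")
    # A mistyped token name leaves %NOWG% (and the %DOMAIN% behind it) on an active line.
    typo = apply_batch(SYSPREP_TEMPLATE, [f"tokreplw {INF} NO_WG=;", f"tokreplw {INF} WG="])
    print("typo leaves:", unresolved_tokens(typo))
```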

Feel free to ask any questions about the script, and I will do my best to answer them.

A Windows SSH Client with Tabs

I’ve decided to upload my SSH client code, written in C# for Windows, to Sourceforge. This is very unfinished, buggy, and probably not well written. There is no installer yet. I need to update the telnet code since the library I am using (and had to hack to include some basic telnet negotiation code) has been updated. I am not sure how much of the telnet code I need to change, but the library looks like it has been improved quite a bit. The site manager portion of the code is also very unfinished, and I would like to finish that as well before making an installer for this program.

Here’s the code

iPhone with Exchange and Google Calendar

I finally broke down and got myself an iPhone. I must say that my initial reaction to the phone was partial excitement, and partial disappointment. You see, I’ve never owned a Smart Phone before. I had high expectations for these devices. I knew there were limitations, such as only being able to run one app at a time on iPhones, and no Flash Player. However, I was still willing to give this device a try.

One of the things that aggravated me was the lack of information on how to set up two separate Calendars on the iPhone. Apparently, the iPhone can only recently do this. I finally found the technical information I was looking for on how the iPhone Calendar/Mail apps actually work on Stephen Foskett’s Blog.

You see, I, like many, use Exchange Server 2008 for work, but I also needed a separate personal Calendar, particularly for reminding me about personal appointments. I had a Google account that would be perfect for this if I could get it to sync onto my iPhone. Google now has an ActiveSync application, which will sync your Google email, Contacts, and Calendar. However, there was one problem. If you read Foskett’s blog, you’ll learn that you can only have one ActiveSync (Exchange) account on your iPhone at a time. Now, the iPhone can easily add multiple Mailboxes without a problem. I added my Gmail account as a new email account on my iPhone, along with my existing Exchange account, and both accounts were kept separate. However, this only added my Google email, and not my Google Calendar.

As of now, I am still left without a solution to this.

Well, there is a solution, but it involves jailbreaking your iPhone using “redsn0w” for 3G and 3GS iPhones. After this is accomplished, an application called NemusSync can be installed using Cydia that will create a second, separate Calendar on your iPhone. You then launch the NemusSync app, and manually sync your Google Calendar. Too bad this isn’t built into the iPhone!

Message to Mythic

Below is a post I made on the VN boards about what players want from keeps in Warhammer Online:

Everyone knows that there is currently no incentive to defend a keep or BO right now, other than trying to cap a zone. However, capping a zone is such an involved, and seemingly random thing that this currently does not qualify as an incentive in my opinion. People play this game to RvR, but they also play the game to advance and experience the end game. Put simply, advancement is made by capping zones. The oRvR experience and the VP system are deeply interconnected within the player experience, and I think that this interconnectedness needs to be exploited by Mythic to produce a potentially awesome gaming experience.

We need incentive to defend keeps, and I think that incentive should be focused on the VP system. Such a solution could also solve another problem with Warhammer: the VP system currently does not appeal to players. This system in its current, seemingly obscure and random form, is just not tangible to us. Right now, the only realistic way to cap a zone is to win scenarios. When enough VP’s are accumulated from winning scenarios, we quickly take the keeps and hope we have enough VP’s to cap when we are done. This “rush” to take keeps in a zone does not create keep defense. There is also currently no reason to defend a keep unless you are really close to capping a zone from winning scenarios. So, Mythic should shift the focus from scenario wins, to success in oRvR to solve both problems in one blow. The system of static VP’s from keeps and maybe BO’s has to go.

Here are a couple of ideas that could be applied, perhaps with some modifications (the VP system is very complex, and I am far from understanding its complexities). Neither of the two ideas are original, but within this context they could work to help make this game really great:

Idea #1: If a keep is captured by a realm, and/or possibly only when claimed by a guild, it will slowly trickle in VP’s for that realm. When a keep is taken back by the enemy realm, those VP’s are lost, including the accumulated VP’s (or maybe VP decay would take care of this, but only after a certain amount of time has passed.). So, if a realm can hold a zone for a reasonable time length (maybe 2 days for example), then it should have a higher chance of capping the zone, depending on how well the realm is doing in scenarios. Winning scenarios would still be a factor, but less of one.

Idea #2: Instead of Idea #1, capturing all of the keeps and/or BO’s could result in VP decay being halted. Currently, VP decay is set in place to balance against a sweep of (perhaps lucky) scenario wins, which is good in theory, but from experience it can also be very demoralizing when you’ve worked with your entire realm to cap a zone, and there just aren’t enough quick, back-to-back scenario wins to do it. Perhaps the VP decay system itself needs to be redone, but in the meantime this idea would give a realm incentive to defend taken keeps/BO’s if defending will help cap the zone.

These are not the only ideas that could work. The important thing that I would like to communicate to Mythic, as a player who loves this game but wants it to improve, is that they should use the inherent interest of players to cap a zone and advance the game, to increase keep defense and game play in oRvR. This is what the player base wants, and I think Mythic could easily give it to us. Being successful in oRvR should lead to being successful in pushing or defending zones.

Thank you,
BB

Naming Computers and LANDesk OSD

LANDesk puts out a technical paper on how to accomplish Hardware Independent Imaging with its Management Suite.  If you don’t know what HII is, basically it is the process of creating a single image or imaging task that will work regardless of your hardware.  LANDesk’s tools plus Sysprep create a very easy to maintain HII imaging solution.  However, I wanted to add a little piece of my own to this mix.

We have a newly implemented naming convention here at CSN.  This was very thoroughly thought out by many people, but more or less the naming convention identifies a computer’s location, and its asset tag number.  With the documentation on HII that LANDesk provides, a computer must be named properly in the LANDesk database, or named after the imaging task has finished.  Since our computers move from one location to another quite often, and renaming computers in the LANDesk database is not easy, I created a way for technicians to name the computer before the imaging process begins.  Once named, the computer images, and reboots into Sysprep where it joins the domain and installs all of its device drivers.  Wonderful!

Now, if you are not familiar with LANDesk, a lot of this won’t make sense.  Basically, LANDesk OSD scripts are a text file which you can alter to your liking much like any other scripting method.  Now, to get started with adding dynamic renaming to the script, I enter the following command into the LANDesk OSD script in the part just before the imaging command is executed:

REMEXEC259=sdclient /f /o /dest="X:\ldclient\pcname.vbs" /p="http://server/PC_Rename/pcname.vbs", STATUS

SDCLIENT.EXE is the swiss army knife utility of LANDesk.  It does lots of stuff.  Here it just copies a file from an HTTP share onto the WinPE environment.  I then add another line right underneath the one I just created that will execute the pcname.vbs script that was just copied from a server:

REMEXEC260=cscript x:\ldclient\pcname.vbs

So, let’s take a look at the contents of the pcname.vbs file.  Keep in mind that I do have a programming educational background, but I’ve never done any vbscripting before this, so the script may not be the most elegant vbscript around:

Dim getName
Dim objFSO
Dim f

' Prompt the technician for the computer name; Cancel or an empty entry returns ""
getName = InputBox("What is the computer's name? Press Cancel to rename and rejoin the Domain later.")

' Create (overwriting any existing copy) the batch file that the OSD script runs later
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set f = objFSO.CreateTextFile("x:\LDClient\insertname.bat", True)
If getName <> "" Then
    ' Use the name the technician typed
    f.WriteLine "tokreplw c:\sysprep\sysprep.inf COMPUTERNAME=" & getName
Else
    ' Fall back to the name LANDesk has in its inventory database
    f.WriteLine "tokreplw c:\sysprep\sysprep.inf COMPUTERNAME=%Computer - Device Name%"
End If
f.Close

So, here is a rough explanation of this VBScript.  First, an input box is called, which prompts the technician to input the computer’s name.  Whatever the user enters is returned to the variable “getName”.  A batch file is created that will get executed by the LANDesk OSD script later, “insertname.bat”.  If the user enters something, then the batch file is created with a single tokreplw command containing the text as an argument to the tokreplw command.  If the user does not enter anything, or presses cancel, then the batch file gets created with the original naming command that LANDesk put into the script originally.  I’ll go into tokreplw in a later post.

I mentioned that LANDesk creates its own naming command. Let me expand on that. By default, LANDesk attempts to find the name of the computer in the LANDesk database and name the computer for us.  The line that LANDesk puts into the OSD script when you initially create the OSD task in the LANDesk Management Suite Console looks like this (note that when you create a LANDesk OSD script, you do not see the actual text of the script. Instead, the LANDesk administrator uses a GUI wizard to create the OSD script. The OSD script can be opened in a text editor by selecting the OSD task and selecting “Advanced Edit”):

REMEXEC29=tokreplw C:\sysprep\sysprep.inf COMPUTERNAME=%Computer - Device Name%

Looks very similar to the contents of our batch file, doesn’t it?  We simply remove the command for REMEXEC29, and replace it with the execution of our batch file:

REMEXEC29=cmd /c x:\ldclient\insertname.bat

Instead of the computer getting the name that LANDesk thinks it should have, the technician can specify the name that the computer actually needs to have.  Since our computers move around a lot, their names change a lot.  This is convenient for our environment.

Well, that is all for now.  If I get a moment or two, I will try to pump out a post about the mysterious tokreplw program. 🙂

IT Gets You Down Sometimes, But It Comes With the Job

Just because one’s job location moves to a less busy, smaller location, doesn’t mean that life is simple.  Take today for example.  I started the day off with a high school teacher who couldn’t connect her digital camera via firewire to her student’s computers.  Easy fix, right?  Unfortunately not.  I worked on this for two hours before the teacher had to lock up the cameras for the day.  No drivers for the firewire cards, and no drivers for the camera available.  Just some bad software that doesn’t appear to work.  I have to go back tomorrow afternoon to work on this one.  Next, I take my lunch, then we have a mandatory meeting where a bunch of “new rules” are put into place.  This happens whenever the higher ups hear about anything that happens in the real world.  I don’t blame my manager for any of these “new rules”, it just comes with the job.

Then I attempt to contact three or four customers to close out some easy work tickets.  But it’s already past 4:00, and apparently no one stays until 5:00.  So I can’t get a hold of these people, and these easy tickets continue sitting in my queue.  Ok, moving on.  I have a very nice CAD instructor, with some influence and a reputation, whose CAD installation isn’t quite perfect.  He likes things perfect.  But he is a nice guy, so I’m not stressing this one.  It just sucks that CAD doesn’t seem to work on any image I find, and so I’ll have to spend two days rebuilding it.  Oh yeah, and he mentions that he wants CAD, Solid Works, Revit, and the rest of the boys installed on his office computer (along with the latest and greatest Visual Studio 2008).  So, we’ll just bump this up to a four day project.  Not a biggy, comes with the job.

So, I go about the rest of my night, while it is quiet and slow, trying to learn how to build software packages with Symantec’s Wise Package Builder.  Great looking piece of software compared to the trash package builder that LANDesk sold us.  I’m getting a lot of pressure from our management to build a package deployment solution for labs and classrooms, and move away from our Ghost imaging solution.  If I want tools that work, it’s up to me to research them, evaluate them, and argue that the money we’re spending amidst state-wide budget cuts is worth it.  God, do I hope it’s worth it.

Oh, but I forgot, the boss just told me that I have to uninstall Everdream’s EDMS on every computer in our network as soon as possible.  It’s been out there for a couple of years, and no one has used it.  Suddenly, this is an urgent project.  Mind you, there is no documentation on this stuff.  The installer doesn’t work with the /uninstall switch, and there is no other install media or MSI available for me.  No one is still around who knows anything about it except the smart guy that moved into Server Services (then again, I think he is the only one that knew anything about it from the beginning).  So, I email him and call it good for now.

Back to Wise.  While building a package for Firefox, using some great video tutorials from AppDeploy.com, I get interrupted by lab assistants who are new and can’t fix the buggiest software that has ever been spawned (GenevaLogic’s Vision), only to find out that by the time I get up from my desk, walk over to the classroom, and ask the instructor if she needs any help with this bastard of a software program, that no, she didn’t need any help.

I peacefully go back to my desk and continue working on building my first Wise MSI package, which doesn’t work.  I guess I shouldn’t have multitasked and built those last few Kiosk OSD scripts in LANDesk while also building this software package.  The damned thing does not capture the Firefox profile in the Application Data folder which I manually copied to the Default User’s profile.  By the time I fiddle with this and try a few far reaches only to find that my technique has no logical reasoning behind it, my head is pounding and my stomach is wrenching from old coffee at the school cafe. I spend the rest of my night, all fifteen minutes, making sure that the kids (I mean lab assistants) are not burning candles on the front desk, or pissing off that aforementioned CAD instructor with overzealous yet inexperienced technical assistance.  I gather my things, and with my frustration-caused throbbing headache, head home only to sleep and come back the next day.

All in all, IT work isn’t that bad, as long as you have an outlet, and you can succeed every now and then.  Politics, customers, technology that doesn’t work worth a shit, are all made up for when you get to be a part of something larger, or at least work on something interesting.  I mentioned that I am responsible for creating a new system of doing things at our college.  This is frustrating at times, like tonight when things don’t work, but when they do work I go home feeling like I’ve done the world some good (or at least my community).  There is a kind of rush about figuring things out, and making IT work.  Maybe tomorrow I will make some IT work, and feel good about what I’ve accomplished.  Sometimes, this also comes with the job.