More fun with Norton Antivirus!

August 19th, 2008

Wow, another article about something I hate.

The situation: 16 brand-spanking new Dell Optiplex PCs running Vista in a new training lab. Customer had bought multi-user packs of Norton Antivirus (over my objections and warnings).

Shortly after build, two of them cease all network operations. No domain login. No access to shared folders. The things won’t even get an IP address whether wired or WLAN.  The network appears as “connected” and tries to get a DHCP address but eventually fails. Assigning a static IP makes me feel better but does no good either.

I booted from a Knoppix linux CD and was able to get the machines back on the network. So it’s not a hardware problem.

Norton Antivirus was disabled; there was an activation problem because we were re-using license keys from the machines we were replacing. The Symantec Network Security Intermediate Filter Driver was disabled and uninstalled…all firewall and AV services were stopped and disabled.

I re-imaged the boxes with a known working copy. Things were fine for about 2 days, then same problem again.

I walked away for a few minutes (the customer thought I was getting my really big hammer) and thought. “What’s the single most common cause of ANY computer problem?”

I uninstalled Norton Antivirus from the computers.

“Please select the network type….” and all is well in the world.

I have no qualms with Norton AV shutting itself down because of an invalid key. I knew this was a problem we’d have to go through Symantec support for, and that we’d be unprotected until we got through that. I didn’t expect Symantec to shut down my network because of an AV product licensing issue. This customer didn’t even purchase Internet Security, firewall, or any of the advanced Internet-protecting stuff, this was JUST NAV.

This was just wrong. This package should have just stopped working and had no right to disable my network.

eset nod32 is the way to go, people. No more Symantec crap.

Quickbooks on linux (well, sort of)

August 18th, 2008

There’s ONE piece of the puzzle that’s keeping lots of small-to-medium businesses tied to Windows Operating Systems. Ironically, it’s also a market leader that Microsoft themselves have been unable to counter at all.

Quickbooks.

It’s well-known by now that some older versions of Quickbooks will run under some versions of wine and CrossoverOffice…sometimes. Not supported. Nor stable.

There are several promising linux-based accounting packages out there, like Appgen’s MyBooks, xTuple’s PostBooks, and the SMB-Ledger project. I’m not going to go into the pros and cons of these solutions, but suffice to say that none of these have the stability, versatility, and universal acceptance of Quickbooks. A small business owner can talk to any bookkeeping services, accountant, bank, etc, and be assured that they “speak” Quickbooks.

So….we can either wait for Intuit to realize that they could easily own the linux SMB accounting market if they released something, even if it was only supported on FC or Ubuntu… or wait for one of the linux-native solutions to mature…

…or we can start doing something now.

Here’s the plan:

-Keep a Windows machine to run Quickbooks.

-Install seamlessrdpshell on the Windows machine. Look here for the files: http://www.cendio.com/files/thinlinc/seamlessrdp/seamlessrdp.zip
Install these files on the Windows machine to a simple location like C:\seamlessrdp\

-Install rdesktop 1.5 or later on your linux machine

-Add an icon to the desktop of your linux machine to execute

rdesktop -A -s "c:\seamlessrdp\seamlessrdpshell.exe C:\Program Files\Quickbooks\QBW.exe" <windows-host>

You CAN use options like -u gregc -p K00lDood$ but I’m not comfortable running it that way myself.

Look here for more info about SeamlessRDP! http://www.cendio.com/seamlessrdp/

Legalities, licensing, etc.

It would be really nifty to run ONE Windows XP machine as an RDP terminal server to connect all of your company’s linux boxes for Quickbooks. There’s a registry hack that is supposed to allow up to three simultaneous connections, and there are several commercial products (XP Unlimited, Terminal Server Pro, to name a few) that do this very nicely. Given my non-lawyer read of the Windows XP EULA found here http://download.microsoft.com/documents/useterms/Windows%20XP_Professional_English_9e8a2f82-c320-4301-869f-839a853868a1.pdf
I see contradictory language regarding remote desktop or remote execution usage. The “safe way” appears to be pretty simple, though. Buy a retail copy of Windows XP for each concurrent terminal connection. That way, even IF Microsoft audits you and finds out you’re running Windows XP, you have at least made a show of good faith that you’re trying to comply with the licensing requirements.

This advice is based only on interpretations of Windows EULAs from Microsoft licensing “experts,” and the common sense that says…if you own the correct number of licenses then you can use them in ways that Microsoft doesn’t explicitly grant or deny. I’m not a lawyer and if you’re really concerned about this beyond my “do the right thing and buy the right # of Windows” thinking then please contact a lawyer to discuss this.

I’d be interested in hearing how this concept works out for people. Please register and post a comment if you find this useful, or if there’s something I need to explain further.

-Greg C

Norton + Quickbooks + SBS = Hours of extra work!

August 9th, 2008

I had an “interesting” experience this week, where I moved a client from an existing peer-to-peer network to a shiny new SBS03 setup. The user profile migration went well, the e-mail copy-over went fine and didn’t take that long to do manually for 6 users…

…then I got the old Quickbooks file off their old “server” and tried running QB. They are running Enterprise 8, which had been upgraded from QBE 7 a few months ago, which has been upgraded on a regular basis since Quickbooks Pro ‘97.

Some of the desktop PCs sat at “Starting Quickbooks…….” for a long time. Some also came up with a Windows Installer window that wouldn’t go away.

There’s a known issue listed on the Quickbooks support site (“Clicking the QuickBooks icon displays the Microsoft Windows Installer message and QuickBooks does not start”): http://support.quickbooks.intuit.com/support/Pages/KnowledgeBaseArticle/1004428

Which is all well and good. I start working away to do a repair reinstall of Quickbooks. No good. Move on to Part 3, Uninstall the “Quickbooks Product Listing Service.” Easy enough…..Hey, it’s asking for an .msi file that I can’t find (QBPLSInstaller.msi). Try with the QBE8 CD…still no good.

Turns out Quickbooks Product Listing Service is on the QBE7 CD. Fortunately the client is a pack-rat who didn’t throw away the older Quickbooks disks. Pop the Enterprise 7 CD in, Add/Remove Programs, Quickbooks Product Listing Service, reboot.

Some of the machines started working OK at this point, others needed a Repair installation of QBE8.

One machine didn’t even like a repair install of ent 8. I went through and tried the reboot.bat file in the Quickbooks directory, like shown here: http://msmvps.com/blogs/bradley/archive/2008/05/21/if-you-act-fast-the-laptop-may-still-be-in-one-piece.aspx

I ended up uninstalling everything Quickbooks…scouring the registry by hand to remove anything with the word “Intuit” or “Quickb” (took about 45 mins) and rebooted.

After the restart I was finally able to get Quickbooks EE 8 running again.

Crap list:

  • Symantec. There’s no reason why Norton’s uninstall should touch anything to do with Quickbooks.
  • Intuit. I removed BY HAND several hundred registry entries and files that were obviously Quickbooks-related. Why couldn’t the Quickbooks uninstaller wipe them out?
  • Me. I should have moved them off Norton AV LONG ago.

That’s why we schedule extra time for these things.

Passwords, passwords, passwords!

July 31st, 2008

The “why” is simple: the computer needs to know who you are.

Back in the day, our computers took us on faith. My TI-99 and my Amiga took for granted that if I was sitting in front of my computer that I had every right to be there and do whatever I wanted. I didn’t store credit card numbers, personal details, or do online banking on my computers back then. There was no network…you either sat in front of the computer….or you did something else.

This started to change with Windows 2000 and Windows XP. While lots of small businesses are still running on a random collection of desktop PCs, there are more and more of us using networks and sharing stuff between computers.

Even if you’re not running a server, think of the “stuff” on your computer today. Quickbooks, MS Office Accounting…letters or other documents with your personal financial info? Do you have credit card numbers saved anywhere? Bank web site passwords?

What’s to keep your kids, your cleaning staff, your disgruntled ex-employee, or some Romanian hacker from taking this stuff?

It’s important for your computer to know who you are.

The easiest and most popular way is with a username and password. If you can type a username and a password that matches what’s on file, then the computer decides that you are that user, with full rights and privileges. Other ways include fingerprint readers, “smart cards,” and USB “keys.”

We all know from the movies that bad guys sit in dark rooms with gazillions of screens, furiously banging away at keyboards and using super-secret magic to hack into computer systems. Well, okay. How do bad guys really break passwords?

* Guessing. Most small business users I’ve seen use the same passwords: kids’ names, pets’ names, important dates, etc. People who know you can guess these very easily. People with access to your personal info can usually guess these too. Remember that friends and colleagues may “go off the deep end” and turn against you.
* Brute Force. These are automatic attacks that are done over the network. Hackers have lists of thousands of words and write scripts to try millions of usernames and passwords. It doesn’t matter that this takes a long time, because the nasty guys run the same attacks against a couple thousand addresses at a time. Even a 1% “hit rate” gives a dozen machines to play with. There are several other topics here like “rainbow tables” but suffice to say they’re all automated techniques that don’t require a large degree of skill….but do require network or physical access to the machine.
* Social engineering. Nasty guy (or girl) calls up and says they’re from Verizon, Comcast, your bank, etc….and they need your username and password to “test” or “verify” your account.
* Shoulder Surfing. If you’re a slow typist, someone can watch you type and figure out which keys you’re hitting with surprising accuracy.
* Keylogging and other malware. Some of the “crapware” (spyware/viruses/malware etc) out there will install a new program that sends EVERY KEYSTROKE YOU TYPE to a file. Comb through this for a few minutes and you’re bound to find some good passwords!

Protecting yourself

* If you don’t have a password on every computer you use, set one up after reading the rest of this piece.
* Don’t share passwords. If someone else needs access to your files, sites, or any of your stuff, set up sharing and a different, also-protected account for their stuff.
* Don’t give your password or username to anyone you don’t know and trust. Just because they say they work for your bank’s “fraud prevention unit” doesn’t mean they do.
* Run updated Anti-virus, anti-spyware, and personal firewall software on your PC.

* Have a separate computer at home for Internet and games. Don’t treat your work computer like a toy. Don’t treat your work-from-home computer like a toy.
* Know and understand your responsibilities. If you handle credit cards, social security numbers, or medical details, remember that it’s ultimately your responsibility to make sure that info is protected properly. Understand your HIPAA and PCI/DSS responsibilities.

How do I come up with good passwords? We want something that’s 8 characters long, includes numbers, letters, and symbols (if allowed), and does not contain any common words or numbers.

  • Use a “pass phrase.” Most versions of Windows allow you to use a very long password….like “Every third Sunday my 14 kids have Ice Cream!” It’s too long for a casual observer to remember, too strange for you to forget, and long enough that an automated cracker will have a hard time with it.
  • Pick a song. Take the first letter of each word of the song and use that. Mix in a number, capital letter, or symbol where appropriate. For example….Stairway to Heaven gives us:
T1lwsatgig&sbastH!

That’s 18 characters of very strong, random un-crackable-ness.

  • I use a password manager. I really like (and use) RoboForm. RF has a built-in password generator, so I remember my RoboForm password and IT fills in the others for me when needed. You still need a very strong password for RF itself, though.

A common misconception: Substituting numbers for letters doesn’t do much except for slowing down casual guessers. You would think that p@$$w0rD would be MUCH more secure than password. It’s not. The “brute force” lists already contain nearly all substitutions of common words. It’s trivial for the program to say “If you’re trying safe, try $afe, S@fe, saf3, and all other combinations.”
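The substitution point can be checked mechanically when choosing or vetting a password. The Python sketch below is an added example, not part of the original post: it undoes common character swaps and compares the result against a word list. The word list, substitution table and function names are constructed for illustration; a real check would load a large dictionary or breached-password list.

```python
# Constructed sample of common base words (assumption for this example).
COMMON_WORDS = ["password", "safe", "letmein", "dragon", "monkey"]

# Characters commonly swapped in for letters. "1" can stand for "i" or "l".
SUBSTITUTIONS = {
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "3": "e", "1": "il", "!": "i", "7": "t", "+": "t",
}


def matches(word, chunk):
    """True if chunk is word with zero or more letter substitutions applied."""
    return len(word) == len(chunk) and all(
        c == w or w in SUBSTITUTIONS.get(c, "")
        for c, w in zip(chunk, word)
    )


def disguised_word(password):
    """Return the common word hiding behind the password, or None.

    Trailing digits and symbols (a year, a "!") are ignored, because
    appending them is as predictable as the substitutions themselves.
    Comparing position by position avoids generating every variant.
    """
    lowered = password.lower()
    for word in COMMON_WORDS:
        head, tail = lowered[:len(word)], lowered[len(word):]
        if matches(word, head) and not any(ch.isalpha() for ch in tail):
            return word
    return None


if __name__ == "__main__":
    samples = [
        "p@$$w0rD", "$afe", "S@fe", "saf3", "P@ssw0rd2008!",
        "Every third Sunday my 14 kids have Ice Cream!",
        "T1lwsatgig&sbastH!",
    ]
    for pw in samples:
        hit = disguised_word(pw)
        verdict = f"weak: disguised '{hit}'" if hit else "no dictionary match"
        print(f"{pw!r:50} {verdict}")
```
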

I welcome your feedback and any suggestions you have for future topics!

-Greg C

Ashamed.

July 30th, 2008

(blog in progress, last edit 9:43a 7/30…will go back and add links later)

TOWN CUTS OFF NOSE TO SPITE FACE.
Selectmen, teachers, librarians, drivers “taught lesson.” Escalating fuel, energy, and insurance costs not to affect town budget. Town to join “elite” ranks of library-free towns.

Wow, the headline writes itself. But I’m getting ahead of myself. 

“When I see what they’ve done to this place that was home,
shame is all that I feel” -Jeff Lynne, The Way Life’s Meant to Be

I used to think that there was something special about the little town where I grew up, and moved back to after college. I know the roads, live with second and third generations of town families, and my kids go to school with some of their kids. There’s a nice sense of continuity, and living next door to my parents, across the street from our neighbors’ kids, has been wonderful.

One of my most bitter memories of growing up was related to the schools. In the late 80s and early 90s a bunch of townspeople got together, calling themselves “concerned citizens” who wanted to limit the size and spending of town government and “save” everybody from the most nasty, evil, gluttonous monsters of all: teachers.

So the town budget got cut, the school budget got cut, and ostensibly people had more money in their pockets. What happened to my high school?

  • about 20 teachers were cut. With not enough teachers left to advise clubs and coach teams, what do you think 14-18 year olds in the middle-o-friggin-nowhere ended up doing?
  • The best teachers didn’t get cut, they left for better districts. In a “low-priority” school district the teachers can figure out that there’s little future and questionable security. Between my sophomore and senior years of high school, TEN of my favorite teachers left for better jobs. QRSD lost many of its best people during those few years.
  • We ended up re-using paper that wasn’t completely filled…handing back worksheets that we otherwise would have kept, didn’t have extra copies of anything.
  • Art and music classes were run occasionally as the budget permitted.
  • Many of our “mid-stream” classes swelled to 38-40 students.
  • Most field trips cut, and we started paying user fees for sports and most activities.

Back to today. In the past couple months there have been two votes in town. The Selectboard offered up a “one stop” budget vote (See Proposition 2-1/2 override) which would provide for a tax increase of a few hundred bucks a year to maintain consistent levels of service compared with last year. This vote was narrowly defeated, by a 52% - 48% vote. The most common complaint I heard at the time was that the override was “too big a pill to swallow” and they would have preferred the ability to vote yes/no on the different parts of the budget (separating schools, library, highway, human services, etc).

I had heard about some hard feelings with the idea of a “re-vote,” with folks whose minds were already made up asking, “How many times do we need to vote NO?” and promising to “teach the selectboard a lesson.”

Because it’s “my town,” nearly half the population are households with children, and I like to believe that the right thing will happen, I figured the vote might be close again but that at least the library and public safety funding would pass.

Such a vote was held yesterday. The angry mob of Hubbardston voted overwhelmingly to reject all eight articles of funding. The fallout:

  • The school district will cut at least 10 additional teachers going into next year. I’m sure 20 more will leave on their own for better jobs.
  • The highway department will cut 1-2 workers and the winter fuel budget is decreased from last year. There’s $150,000 in matching funds for road repair that the town is leaving “on the table” by not approving this.
  • The library is cut to below the director’s salary. I’m not sure what the remaining money is for, but no personnel = no library. No library, in Massachusetts, means that we won’t be allowed to check items out of other towns’ libraries either. Only residents with certified libraries are allowed to borrow. Certification takes ONE YEAR to lose and 3-4 years to get back.
  • Police and fire are cut severely. When my son first started having seizures, we called 911 a few times and had EMT’s here inside of 2 minutes. The ambulance (with full Advanced Life Support) was here within 4 minutes. Without a local dispatcher, cutting the number of police officers available, and moving to single-coverage ’round the clock sure does save money.
  • We begin another downward spiral of cutting the budget during a recession. The town won’t have money to help people at the very time they need it most. Last time it took 8-9 years for the town to start recovering and getting things “back to normal.”
  • We’re going to have another generation of jaded, fed-up youth that are going to cause trouble and get out of town as soon as they can. The town has shown that we don’t value education, and don’t value having anything positive for them to do.

Looking at the town budget, I don’t see the huge “waste” that folks are complaining about. To sum it up: If my energy, fuel, transportation, and insurance costs have doubled in the past two years, what magic does the town have to possibly make this work? 

The sad irony is that the “angry mob” voters who decided these questions were trying to “teach the selectboard a lesson.” They were railing against a town government that was trying to “force” a spending plan down their throats, using the library and other essential services as “pawns.”

When they voted NO they played that exact game. They made themselves the pawns. They’ll blame the school, the selectboard, the highway department, and “gluttonous” school department, because that’s easier and much more fun than looking in the mirror.

What’s wrong with democracy? The modern voter has three concerns:

  • lowering my taxes
  • lowering my taxes
  • not in my backyard

Maybe Alexander Hamilton was right. Maybe we shouldn’t trust the masses with our collective future.