Category Archives: Security

How to use a Netgear Nighthawk R7000 with Vodafone NZ fibre

After Chorus connects your fibre optical router to the wifi modem that Vodafone provides, and ensures it’s working, you can switch to using your own, better Nighthawk modem this way:

  1. Detach the red plug from Vodafone’s modem and plug it into the Internet port on the Nighthawk
  2. Follow the instructions in your Nighthawk manual for connecting power, etc.
  3. In a browser, visit routerlogin.net (This is an address that the Nighthawk interprets as referring to itself; it’s not a machine on the Internet, so it will work if the modem is on but you don’t have an Internet connection yet.)
    1. If you can’t connect, follow the instructions about using an Ethernet cable to connect your computer to the Nighthawk
    2. The default login is admin with password password. But if you have house-sitters, you probably want to change this. I recommend using LastPass to keep track of passwords.
    3. If prompted whether to use the Netgear Genie software or a wizard to connect to the Internet, answer yes.
  4. In Genie:
    1. To connect to the Internet:
      1. Select: Advanced / VLAN-Bridge settings / Enable VLAN / Enable VLAN tag / VLAN ID = 10 / click Apply
      2. Note that if you ever use a paperclip to press the recessed reset button, you will need to do the step above to reconnect.
      3. I got this tip from https://community.vodafone.co.nz/t5/Broadband-services/Trying-to-connect-a-new-router-to-the-ONT/td-p/183755
    2. To change the wifi name or password:
      1. Select: Advanced / Setup / Wireless setup / 2.4GHz name ssid = NETWORK NAME YOU WANT / security = wpa2-psk / password = PASSWORD YOU WANT. Then do the same for 5GHz but add something like -5G to the name. Click Apply to restart router.
      2. Note that this changes the name of your wifi as it appears on your computer and for any of your guests. It doesn’t change the name and password that you use to access the modem’s settings. If you’ll have a house-sitter that you want to prevent from changing modem settings, follow the steps below.
    3. To change the password for modem settings:
      1. Select: Advanced / Administration / Set Password
      2. Enter password as Old Password
      3. Use LastPass to generate and record a New Password. I recommend saving this to a folder in LastPass that you’ve shared with any other household members that might need to access settings.
      4. NetGear recently advised against using the Enable Password Recovery checkbox for security reasons. If you do lose your password, press the recessed Reset button and redo all of the steps on this page.
      5. Click Apply
      6. When prompted to login again, enter admin as the user and get the password out of LastPass
    4. To set the clock to NZ (which is necessary if you’re going to use a schedule below, but probably not important otherwise):
      1. Select: Advanced / Security / Schedule / Timezone = NZ GMT+12. Adjust for DST = on. Click Apply to restart router.
    5. To turn wifi on and off according to a schedule:
      1. Select: Advanced / Advanced setup / Wireless settings / Wireless advanced settings for 2.4GHz / Turn off by schedule = on / Add new period / start=11pm end=7am daily / click Apply. Then do the same for 5GHz. Click Apply to restart router.
      2. You might need to set “Turn off by schedule = on” again for both bands after updating the schedules.
    6. Log out of Genie and close the browser tab it was in.
  5. Disconnect any Ethernet cable.

How to set up Android tablets for offline Amazon video and browser-whitelisted parental control

These instructions are for Android 4.4 on two Lenovo TAB 2 tablets bought in the US. I’m also using a 32 GB microSDHC card for each so we can download more.

Aims

  • Allow videos that were bought for watching on Amazon’s website to be watchable while offline (e.g. on a plane)
    • Caveat: There is no option in this app to password-protect all sections other than Downloads in order to keep children from watching trailers and such. There are parental controls that can be enabled, and we did, but this leaves the choice of what’s appropriate to Amazon’s editors.
  • Allow children to access websites that we choose and no others
    • Caveat: We installed an app named Kiosk Browser to do this, but it’s not perfect. It is mostly designed to be the only app that non-admin users of the tablet can use, whereas we also want to allow access to Amazon Video. Also, if you use the hardware power button while Kiosk Browser is running, which should be a normal thing to do, then after startup Android will prompt for which launcher app you want to use, instead of remembering that you don’t want it to be Kiosk Browser (so that your kids can get to Amazon Video easily).
    • We just learned of Android Chrome’s support for Supervised Users, and this might be a better solution
  • Disable access to all installed apps, including Settings and Play Store, except for Amazon Video, a browser, and maybe Skype for calling relatives
    • Caveat: As of the end of 2015, neither Android Settings nor the Android Play Store offer a way to set a password for access to them specifically, and I could not find any app that I would trust to do this. So this aim isn’t solved yet.
  • Prevent anyone but us parents from changing any of these settings

Steps for offline Amazon Video

  1. Create a Google account to be used only for the children’s apps.
  2. Enable two-factor auth on that Google account, which should help prevent your child from installing anything. To be sure you can get the codes while on a flight, install the Authy app on your phone and use it to scan the QR code shown when you enable two-factor auth.
  3. On each tablet, go into Google Play app and login.
  4. We have a tablet for each child, so to identify the devices, we bought color-coded cases and renamed each device to match: in the Play Store on a desktop browser, go to Gear button > Android Device Manager > Pencil button and add the case color to the name.
  5. In the tablet Android Settings, disable location services so Google and perhaps others cannot track your child
  6. Disable loud sounds https://forums.lenovo.com/t5/Lenovo-Android-based-Tablets/Start-up-sound-idea-s6000/m-p/1298239#M13520
  7. Make the SD card the default storage medium so you can download more: Android Settings > Storage > SD Card.
  8. Uninstall or disable as many apps as you can except the Play Store and Android Settings (and maybe Skype for calling relatives)
  9. (Necessary only for non-Amazon Fire devices) Using your tablet’s browser, go to https://www.amazon.com/appstore_android_app which will download the Amazon App Store app for Android. Use it to install both Amazon For Tablets app and Amazon Video app (exactly as spelled here, not Instant Video).
  10. If the Amazon Video app shows “We’re unable to show this content. Please try again later.”: I see this while outside the US, so I installed the Android app of my VPN service https://play.google.com/store/apps/details?id=com.privateinternetaccess.android&hl=en and then, while connected through it, did Android Settings > Apps > Amazon Video > Clear Data.
  11. Logout of Amazon For Tablets, then log back in. Visit ‘Your Orders’ and confirm that it shows actual orders you’ve made — before logout it may show Recently Viewed Items, which indicates it’s confused. You should still be on VPN.
  12. Start Amazon Video and verify your video library is accessible through the menu. Download all your purchases that you want while offline.
  13. After downloading, we could view all the downloads without the vpn and without any network connection at all.
  14. Set Amazon Video app’s parental controls http://www.amazon.com/gp/help/customer/display.html?nodeId=201423060

Setting up a browser that enforces a whitelist

  1. Using a laptop browser logged into the same Google account as the tablet’s Play Store, install the Pro version of https://play.google.com/store/apps/details?id=com.procoit.kioskbrowser. I chose it because it’s a browser app that has a URL whitelist and is based in a country I trust (UK).
  2. Signup for free trial of the remote management service at https://www.kbremote.net/Home/Start Then in the app go to Settings > Remote Management > Login/Signup > Login and use the same userId and password. In a few minutes, logging into the site will show the device.
  3. Setup which urls should be allowed https://kioskbrowser.userecho.com/topic/908050-profiles/
  4. To make one device’s profile slightly different from others (e.g. different default url), use Profile Overrides https://kioskbrowser.userecho.com/topic/847081-profile-overrides/
    Sign up for a Kiosk Browser forum account at https://kioskbrowser.userecho.com/

Working all this out took me a day and half, so I hope sharing it here saves some other parents some time to prep for their travel!


Why Palm’s webOS is the future of Android (and desktop computing)

Do you connect these dots in the same way I do?

  1. The current practice in OSs and browsers of asking the user at install time whether to proceed with the install, as a way of avoiding security threats, just doesn’t work. Users do not have the right kind of information at that time to decide.
  2. The threat of compromised systems and data loss is severe enough that consumer and enterprise OSs will have to be designed in a different way to manage installation risks. The widespread acceptance of smartphone apps indicates that smartphones will need such protection, too.
  3. Google’s NativeClient project is a good way of handling the risk because it provides a sandbox, and it’s better than alternatives like Java and Flash because it allows apps to run faster (because the apps are compiled natively rather than into bytecode).
  4. Palm’s webOS for its new smartphones has a very similar design to NativeClient (and since NativeClient is open source, could be built on top of it, for all I know). Specifically, webOS’ plugin development kit (PDK) will allow apps written in C and C++, two languages which by themselves allow altering memory contents almost anywhere in RAM and are thus open to abuse by malicious app coders, but the PDK will sandbox apps, apparently in much the same way that NativeClient does. WebOS’ other interface, the Mojo SDK, allows apps written in Javascript to access data on the phone in much the same way that NativeClient’s browser plugin design would allow.
  5. Thus, webOS seems to provide a glimpse into what smartphone and desktop OSs will be like in coming years, if they deal with security threats in the inspired way detailed in the NativeClient design.

And there’s another force pushing Google’s Android smartphone OS in the same direction as webOS:

  1. Google always seems to prefer keeping its apps as platform-agnostic as it can by leveraging browsers when it can. The exceptions are Google Earth, GTalk, etc which must be installed either for performance reasons or to gain access to “hooks” in the OS that browsers can’t offer.
  2. Google’s apps for Android are Java-based (i.e., not browser-based) for apparently no strong reason. In fact, it seems that if Google had had Palm’s insights about how a web-oriented OS could be made back when Android was being designed, then Android would be very much like webOS so that Google wouldn’t have to split its app-building competence and resources across so many platforms (of course, the iPhone and Blackberry platforms would still make their own demands). Google’s efforts to build ChromeOS is another strong bit of evidence of its desire that there be fewer platforms and that they resemble browsers more.
  3. Eric Schmidt has said that Android and ChromeOS will eventually merge. I’m not sure if he came to this conclusion before or after learning about the design of Palm’s webOS, but webOS seems like a good hint of what such a merge would result in.

Am I pulling too hard on thin threads, or does this paint the same strong picture for you that Palm’s webOS really is a glimpse of the future? It sure is a fun way for me to stretch my thinking about what smartphones can do and be.

If this is an accurate prediction, then two consequences come to mind:

  1. The current unspoken practice of web engineers looking into the Javascript source of their competitors, learning new tricks, and helping the craft of web engineering to improve will suffer because companies will want to shift their presentation and business logic out of Javascript and into compiled native code for greater performance and out of a misguided attempt to protect their intellectual property.
  2. Having Google compete in the same idea space will help inspire both toward even better ideas. Of course, Google won’t buy Palm (why would it need to?), and it’s unlikely that having similar platform designs will affect the market share of either of them. As long as Palm can capture a significant share of the growing global demand for smartphones, it should be able to survive. And it’s likely to always have an advantage over Android in the beauty of its UI, given the DNA of the two companies.

UPDATE: Google released an “NDK” for Android way back in June 2009, which sounds like webOS’ planned PDK and also sounds like it was built on NativeClient. So, my prediction above that webOS is the future of Android has things a bit turned around.

Also, although the NDK seems to have a very similar design to NativeClient, and might have been built on NaCl, I’m somewhat doubtful because NaCl relies heavily on a feature known as “segmented memory” in the 386 chip architecture, and I wonder if that same feature is present in mobile CPUs such as ARM.

UPDATE: Other devs are worried that we might lose the ability to view html source and thus lose one of the primary learning and innovation paths for web app devs.


    Going portable as an alternative to using a remote desktop

    This tip is intended for people like me who:

    • Often need to work outside the office but don’t want to carry a laptop
    • Happen not to use any Linux or Mac machines, just Windows
    • Can’t use Windows’ Remote Desktop Connection app. (Perhaps your IT dept won’t open the port in their firewall; but if the problem is just that you’re using a Home version of Windows, you could switch to a Business version or upgrade to an Ultimate version.)
    • Can’t use the similar VNC app because your client computer has User Account Control turned on and you want to keep it that way for security reasons.
    • Or, your IT dept won’t give you admin privileges on your machine, so you can’t install apps at will
    • If you use SVN, then either your SVN repo has a publicly-accessible IP address, or you can access it via VPN. (That is, if you need to use SVN but it’s kept behind a firewall, then these instructions won’t help you access it…you’re stuck working non-portably.)

    The next best alternative I’ve found is to use a thumbdrive to keep your documents and applications (plus application state such as licenses, passwords, bookmarks, files currently being edited, email and contacts, etc).

    If all the desktops you’ll use the usb drive with are XP, then you could put MojoPac on the usb; it emulates an OS and provides a desktop view of your usb that runs as a window in XP. It’s not clear if there will ever be a version that works with Vista or Windows 7.

    Encryption

    Before copying any files to your thumbdrive, or installing any portable apps, consider whether you’d be hurt if the thumbdrive were lost or stolen and someone got access to its contents. If that’s at all important to you, there are four options:

    • If you expect to have admin rights on any computer you might use, then you could install TrueCrypt on your thumbdrive and also create a TrueCrypt file container there.
    • If you don’t expect to have admin rights, but can convince your IT dept to install TrueCrypt for you, then check out the instructions in the next paragraph.
    • Or, if you won’t need more than 1G of space encrypted on your thumbdrive, you can try Rohos Mini Drive. (I haven’t)
    • Otherwise, you need to use Remora, where you will have to manually unencrypt each file you would want to use, then manually re-encrypt it after saving. (I haven’t tried this either)

    If you can go with TrueCrypt, then install it on your harddrive. Use it to encrypt the thumbdrive. You can configure the encryption so you are prompted for the password as soon as you plug in the thumbdrive anywhere; then, you will be able to access files and run apps from the drive as though it weren’t encrypted, but all your edits and adds will be encrypted. (Things will run slower due to the on-the-fly encryption, although perhaps not noticeably so.) You might want to encrypt only a folder of documents, but I opted to encrypt everything because apps like Thunderbird store one’s data (e.g. all one’s email, if you have opted to keep local copies) in generally unpredictable places. After installing TrueCrypt, do this (basically following TrueCrypt’s beginner tutorial):

    1. Do the following from a machine where you have admin privileges
    2. Start the TrueCrypt application from your desktop
    3. Click the Create Volume button
    4. Select “Create an encrypted file container”. (I tried “Encrypt a non-system partition/drive”, but when I plugged the drive into another machine where TrueCrypt wasn’t installed, I was prompted to format the usb drive.)
    5. Select “Standard TrueCrypt volume”
    6. Click “Select file”
    7. In the file selector popup, select your thumbdrive in the left pane, and for “File name:” provide a name for your container. Mine is “TrueCryptContainer”, but the paranoid might want to use “junk”. Then hit Save.
    8. In the Encryption Options view, just hit Next.
    9. When prompted for file size, use the full capacity available (e.g., 3680 MB for a “4GB” usb drive). Then Next.
    10. Choose a good password. Next.
    11. For Volume Format, set Filesystem to NTFS (or, if you can’t get admin privileges anywhere, choose FAT). Move your mouse around over the window several times to generate a good random seed for the encryption algorithm. Then click Format.
    12. When formatting’s done, close that dialog window.
    13. Back in the main TrueCrypt dialog, the one showing a list of unused drive letters, choose a letter you want your new container mapped to.
    14. Click the “Select File” button and choose the container file you just created.
    15. Click the “Mount” button. You’ll be prompted for the password you assigned. Sometimes this doesn’t work for me and I have to cancel and then hit Mount again before it works.
    16. Once it works, you’ll see your container file listed alongside the drive letter you chose in TrueCrypt’s main dialog. And the drive letter should appear in Windows Explorer under “My Computer” along with your other drives. You should be able to open from and save to this encrypted container using any application’s File Open and File Save commands.
    17. Be sure to use the Dismount button before trying “safely remove hardware” and before removing the thumb drive.

    Sync with desktop or server/cloud

    After encryption, this is probably your highest priority. You can try a portable application like Toucan, but I think it’s not full-featured enough. For example, one needs to type or paste in paths when defining items to skip, instead of selecting them through a browse button. And my rules for skipping items were ignored anyway. Instead, rather than using a portable app to do the syncing, you probably just need to sync to one primary desktop, and Microsoft’s SyncToy running from that desktop works well. I configured it to sync docs/projects and apps separately, and I set my desktop-to-cloud sync service Mozy to sync just the docs/projects from the desktop (because I want double protection for things I can’t just reinstall and reconfigure). As a further step, I use Windows Task Scheduler (see “Help | Learn how to schedule SyncToy” within SyncToy) to kick off these SyncToy tasks near the end of every workday. Setting SyncToy to run at the end of a workday assumes your backup desktop is your work desktop; to sync to a desktop at home, you probably want the trigger event to be the insertion of your usb drive. Task Scheduler doesn’t natively support “mounting of usb drive” as a trigger, but you can buy MyTrigger for US$24, which enables Task Scheduler to launch SyncToy for such an event.

    Default programs

    Once you start reading email from Thunderbird on your thumbdrive, when you click links in messages you’d want them to open with the browser also on your thumbdrive (especially if you might bookmark the link or enter a password). This doesn’t happen automatically; instead, you’ll get whatever app has been set as the default handler of the kind of file you want to open (where “kind” is determined by the file’s extension, the part after the dot). There is no good solution in XP or Vista to this general problem of wanting to set usb-hosted apps as default handlers (but Windows 7 appears to support it). However, just for the case of handling urls when they appear in apps other than the browser, one can make a desktop-hosted Firefox the default handler and then use the Foxmarks extension in that installation and all one’s other Firefox installs (including the portable one), since the extension syncs bookmarks and passwords across machines. (However, there does not appear to be any Firefox extension that syncs one’s open tabs, aka session.)

    Auto-start when inserting drive

    Many people like certain apps on their drive to launch as soon as it’s plugged in. PStart is a portable application with a small window (aka “panel”) where one can list other apps hosted on the same drive, and set some of them to launch when the drive is mounted. To make this work, however, one needs to configure each desktop OS to “autoplay” usb drives whenever they are inserted. XP and Windows 7 will prompt you if you want this done when you plug in your first usb drive, but Vista requires extra work:

    1. Open your run box (Start | Run) and type regedit and click OK.
    2. Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.
    3. You should see a key called NoDriveTypeAutoRun (see picture below). Double click it and set the Value Data to 91 (hexadecimal).
    4. Restart your computer and it should be fixed.

    Now install PStart to your usb drive.

    Once it’s installed, open its panel and go to Setup | Create autorun file. Select the drive letter that’s mapped to your TrueCrypt container. (You might want to tweak the autorun.inf file even further.)

    You can also tell PStart to launch any programs listed in its panel when PStart launches. To do so:

    1. Right-click on the item in the panel (or add it by right-clicking in an empty part of the panel and selecting “Add file”)
    2. In the dialog that appears, click the Advanced tab
    3. In this tab, set Autorun to “on startup”

    Reminder to take your drive when you log-off

    This is useful, but the Quiet version requires that you log-off instead of using Safely Remove Hardware.

    Force apps to release thumbdrive

    If you often have the problem of Safely Remove Hardware failing to dismount the drive, you might consider this workaround. However, there seems a pretty fair chance of data loss. (If you use PStart, the culprit might be that in Settings you don’t have “when closed” set to “exit application”.)

    I’ve heard that Windows 7 will actually tell you what application is holding onto the drive (but not what file it’s using).

    Reward if returned

    You probably want to create a text file at the root level of your drive called REWARD IF RETURNED.txt providing your email address, and make sure the file remains unencrypted. Or, you may want to make the name of the drive your email address or phone number.

    Mozilla Firefox browser

    I prefer Google’s Chrome browser, and there is a portable version (steps available below) but I haven’t found any way to export bookmarks once one starts using the portable version; that’s a critical flaw, because when I’ve installed updated portable versions, I’ve had to lose any bookmarks accumulated since I first started using the portable version. So, I’m using portable Firefox instead. (Update: I’m using Foxmarks because portable Firefox is slow, particularly when scrolling.) For portable Firefox, I recommend the following addons:

    • Xmarks – Keep your bookmarks in sync across machines and drives
    • Download Statusbar – I find it annoying that FF uses a popup to acknowledge every download attempt, and the designers of this addon felt the same
    • Undo Closed Tabs Button – If you were too quick to close a tab and want it back, this feature will help you
    • Tabs Open Relative – When you right-click to open a link in a new tab, it should appear right next to your current tab, not way down at the right. This feature fixes that.
    • Firebug – Useful for designing/debugging web pages
    • Zotero – Useful for managing a library of e-documents, such as you may have on your usb drive

    And if you really want to use portable Google Chrome, here’s how:

    1. The portable version is available from a German developer, and you’ll have to get a translation of his blog page (plus the download link) from Lifehacker.
    2. To copy over your default tabs and settings, (for Vista) copy the contents of C:\Users\yourname\AppData\Local\Google\Chrome\User Data\Default to Portable_Google_Chrome_0.2.149.30\Profil
    3. Migrating bookmarks from desktop Chrome to portable Chrome takes several steps
      1. Download and install Mark Clouden’s chrome bookmark exporter
      2. Run it and hit the Export Bookmarks button. Make sure it refers to the chrome installation on your harddrive rather than the one on your thumbdrive.
      3. We’re going to use Firefox to import the bookmarks, so we can tell Chrome on your thumbdrive to import bookmarks from it. So run an instance of Firefox where you don’t mind emptying all existing bookmarks first.
      4. In Firefox’s menu bar, go to Bookmarks | Organize Bookmarks, and delete all bookmarks in the Bookmarks Toolbar and Bookmarks Menu.
      5. Click the Import and Backup button at the top. Choose Import HTML.
      6. Select “From an HTML file”, then select the bookmarks.html file you created with Clouden’s exporter.
      7. It may take awhile to import; wait for the bookmarks you expect to appear. Then quit Firefox.
      8. Start Chrome from your thumbdrive, then go to (Wrench icon in upper right) | Import bookmarks & settings.
      9. Set From to Firefox and click Import.
      10. You’ll find your bookmarks if you click “Other bookmarks” in the upper right, and then “Imported from Firefox”. You can drag items out of “Bookmarks bar” in this view right onto Chrome’s bookmarks bar. And you can drag the other bookmarks and folders onto “Other bookmarks” itself, and then right-click on empty folders to delete them.
    4. You may want to change the default download location under (Wrench icon in upper right) | Options | Minor Tweaks
    5. You may also want to tell Chrome to reopen the same pages when you restart it. Go to (Wrench icon) | Options | Basics | Startup | Restore the pages that were open last

    Notepad++ text editor

    PortableApps.com has a portable version of this very powerful and popular text editor. I recommend renaming the .exe file and all other folders and files that contain “++” to “NotepadPPPortable” because some sync/backup tools like Toucan have a problem with +’s in filenames.

    Mozilla Thunderbird email client

    PortableApps.com has a portable version of this email client and address book application. But there’s no way to connect to your office Exchange server unless they’ve enabled IMAP or POP support. (But if you have a mobile phone running Windows Mobile, its email client does support Exchange.) Also, I recommend adding the following extensions:

    AntiVirus

    PortableApps.com offers the ClamWin antivirus checker. Note that this is only useful when you suspect there is a problem, probably in a specific file. It is not a schedulable scanner. You would probably use it only after disconnecting your thumbdrive from a computer you have borrowed.

    WinAmp media player

    Just copy C:\Program Files\Winamp to your thumbdrive. But disable Winamp Agent, or it will prevent unmounting the thumbdrive.

    Unzip / file compression

    I used to use the version of 7-zip available from PortableApps.com, but I find its UI very nonintuitive and am now very happy with IZArc, which has a portable version.

    OpenOffice for docs, drawings, spreadsheets

    PortableApps.com offers OpenOffice. OO’s doc writer is a great replacement for MSWord, and its drawing app is far better than Visio in my opinion.

    PDF-XChange viewer

    This PDF viewer is free, portable, and supports highlighting, comments, and typewriter features. The typewriter is great for filling out forms.

    I’m providing a link for the PDFXChange download, because the creator’s web site is so poorly designed and confusing. But the software itself is really good, and I bought a license for the extra features.

    Application launcher

    Launchy is a very popular choice, and its online PDF help file explains how to run it in portable mode. An alternative that bundles encryption and autorun scheduling is GeekMenu.

    Skype messenger and internet phone

    I haven’t tried it portably, but here’s a tip.

    Eclipse IDE

    (A programming environment for Java, C, and other languages like Prolog)

    These instructions are adapted from a forum post on PortableApps.com:

    1. If you’re going to use SVN as source control, make sure your SVN repository has a publicly-accessible IP address, or that you can access it via VPN.
    2. Run all updates in the Installed Software tab.
    3. Select Core SVNKit Library under http://eclipse.svnkit.com/1.2.x/Revision Graph, Subclipse
    4. Select SVNKit Adapter under http://subclipse.tigris.org/update_1.4.x
    5. Disable SVNKit library version 1.2.1.5297
    6. Once you launch Eclipse and select a workspace, the full filepath to that workspace, including drive letter, will be saved to eclipse\configuration\.settings\org.eclipse.ui.ide.prefs. Because the drive letter assigned to the thumbdrive can differ across machines (and even across uses of the same machine), you probably want to edit this file so that the final line has no drive letter. For example, mine is RECENT_WORKSPACES=\Projects\EclipseWorkspace
    7. Eclipse seems to change eclipse.ini each time it runs by updating the ‘-vm’ value, and for me it puts an absolute path there including drive letter. So you may want to make eclipse.ini read-only to avoid this bug.

    Unfortunately if you are a Prolog coder wanting to use Eclipse, there is no way to work truly portably. There is just one version of Prolog that runs in Eclipse that I know of, Amzi (which works very well), but it depends on environment variables in your OS and there is no way to provide these vars via an Amzi config file (yet). However, if Amzi is installed on your desktop, then an Eclipse running from your usb drive will be able to support Prolog. I have only tried this when I’ve installed Amzi on both the desktop and in the Eclipse on my usb. Here’s how:

    1. Go to the Amzi Logic Server download page and scroll down to section “3. Existing Amzi! and/or Eclipse Users”. Follow that.
    2. When prompted for a Destination Folder, be sure you select a folder on your thumbdrive (I selected “F:\Apps\AmziProlog”).
    3. When that’s done, you can enable Prolog support in Eclipse by following Amzi’s install instructions in the section on Existing Eclipse Users.
    4. After restarting Eclipse, go to Windows | Open Perspective | Other | Prolog.
    5. Then do the same to open the Debug perspective.

    Task manager / Todo list

    I’m not quite obsessive enough yet to need a multi-level task manager, but ToDoList offers that capability and can run portably.

    Wishlist

    • An app that monitored the health of the usb drive and warned me when it’s time to copy its contents to a new drive. (I already try to auto-sync the drive to my laptop at home whenever I remember/have time to plug it in, and that laptop auto-syncs in turn with Mozy.)
    • A desktop-hosted antivirus that scanned any usb inserted before allowing it to autoplay. This may just require me to hunt more; I currently use Kaspersky, which seems to work very well, but it’s not clear if it does this and their tech support has ignored my questions about it.

    Avoid cross-site scripting vulnerabilities

    “Cross-site scripting” (aka XSRF = cross-site request forgery) is an evil practice where someone tries to trick your site into sending sensitive info, such as user logins, to their own site. A typical method is to “inject” script into your pages so that the user’s browser will render the script as though it came from you. The script might then send the user’s cookies to the hacker’s site, so they can append them to their own requests; that makes it very difficult for your server to tell that the requests aren’t coming from the real user, and thereby allows the hacker to damage the account.

    A typical trick is to put an unbalanced quote before some evil script into a form, such as:

    ' <script>document.location="document.cookie"</script>

    The bet is that, if you take this submission and paste the value into your response HTML to confirm what was typed in, you will wrap the input value in the same kind of quote. The embedded quote then breaks the HTML at that point, and the hacker’s <script> would be executed as though it were part of your intended markup.

    One way to avoid such vulnerabilities is to “sanitize” everything you paste into your pages that wasn’t created directly by you. For example, anything from the request or from a data-layer whose data is created by some user (such as email or contact names) should be sanitized before sending it out as part of a response.

    You’ll want one sanitizing method that accepts HTML and alters it such that control over fonts, colors, etc. is preserved. You might also want a stricter method that escapes markup or strips it completely. The former is useful when sanitizing HTML-formatted email messages, and the latter for sanitizing names, addresses, filenames, etc., where you do not want to allow any idiosyncratic styling.

    Writing a good sanitizer is hard. If I come across a good open-source one, I’ll post about it. AntiSamy seems like a great solution, and is open.
