Tuesday, January 27, 2009

Safely store your passwords (Windows; some support for Mac and Linux)

The KeePass application is one of the better options for safely storing password (and account) information on a Windows computer.  There is also some support for Mac and Linux, but I have not tried these versions.

For programs that use encryption, "open source" distribution becomes a serious consideration.  Only through examination of the source code, and with the ability to independently build the application from that source code, can the user (or expert, on behalf of the user) easily determine that the program is safe and does what it described as doing.

Here's the URL:

http://keepass.info/

A new way to blog

During the course of writing my entry on Abiword's Vi mode, I became rather frustrated with the way the Blogger built-in / online editor managed the configuration file "code" examples.  First, I needed to experiment to identify an HTML entity that would wrap the entries without being changed by Blogger.  Then, I found that whenever I previewed the entry and returned to editing, Blogger would remove one leading space from each line of those entries.  Even when I used the HTML entity for a non-breaking space, Blogger would not respect the indentation; it converted those to regular spaces and removed a leading space from each line.

I'd looked into alternative post editing clients previously, but I'd not managed to sort through the detail, spread around in various locations, to make a choice.  I returned to the task today, and I identified four candidates.  Although it was not initially at the top of my list.

Scribefire is being used to write this post.  User feedback and "looking around" convinced me that it was good enough and also that it does not pose any immediate security risk.  (To be more proactively certain of safety, I changed my Google/Blogger password before beginning to use it.)  A major reason for starting with it is that it is a Firefox extension.  The installation was therefore much less involved.

The other candidates are below.  I may comment on them in the future, as I try them.
  • Windows Live Writer -- I know, I know.  But it really does get favorable comments online.  I am considering a portable installation, which would be a bit more involved (not a lot).
  • Zoundry Raven.  It appears to be pretty full featured, although this now dated comment describes it as not being as full featured as Windows Live Writer.
  • w.bloggar.  It appears to be a bit further behind, was last updated at the end of 2007, and has a preference for Internet Explorer (version 4.03 supports IE) over Firefox (stuck on version 4.02).  However, it seems to have a good spirit.  It is also what the Zoundry Raven folks describe using before they developed their own product.
The candidates I chose are all available as free / donation products (although one should keep in mind that Microsoft has a habit of "taking things away").  For starters, until I am more comfortable with blogging, I'm not ready to spend $30 - $50 on a commercial product.  I found most of them before finding this summary listing that identifies a number of such free products.

Blogger itself has a list of complimentary software.  However, it appears to be rather outdated and not maintained.

Thursday, January 22, 2009

Ditto: Use a clipboard manager to hold and search prior copies

I get very frustrated with manual, repetitive processes that slow my actual work progress (the process isn't the goal) while making me behave like a robot.  One such process is the assembling of multiple pieces of information.  Windows has a "clipboard" that you can copy to and paste from, but it only holds one item at a time.  If you have several items to copy, this leads to repeated context switching as you grab one item, move to where you want to paste it, switch back for the next item... ad naseum.  Further, if you want to locate an item you copied some time previously, you have to return to the source (or the pasted location) and manually relocate it.

A little used but -- amongst its users -- wildly popular type of utility application is the clipboard manager.  What these do, in essence, is record their own record of each Copy or Cut action for future reference.  You can copy several items in succession, then move to a target document and paste them in one after another, recall each item quickly from the clipboard manager's memory.  Typically, the clipboard manager will have a hotkey combination to quickly pull it up and an interface that facilitates its rapid use.

Although I haven't used it, I understand that one of the most popular commercial clipboard managers is ClipMate.  However, for my use I have found the open source manager Ditto to meet my needs admirably.

Ditto can be run only as needed, or set to start up with Windows.  It can be installed or run as a portable application.  When activated, it records every Copy or Cut action to an internal database.  That database is implemented in SQLite, a very highly regarded lightweight database.  This means that Ditto can hold and search several hundred records very rapidly.

To extract the record of a previous Copy or Cut action from Ditto, you type the hotkey combination to invoke Ditto -- by default, this is Control-` (control plus the backtick key that typically appears above the Tab key on U.S. keyboards).  Ditto produces a list of previous Copy's and Cut's.  The first ten items are associated with a digit; you can immediately select one by just typing that digit.  You can also scroll through the list with mouse or keyboard, and double click or press the Enter key to select the desired item.  For formatted text items, you can obtain a plain text version (with the formatting stripped) by pressing Shift-Enter instead of Enter.

One thing that makes Ditto very powerful is its integrated search.  After invoking Ditto, if you start typing, focus moves to the search box and the listed contents are immediate reduced to those items containing, in their title or in the clip contents itself (when the two differ), the search term.  If your search term begins with a number, press Tab first to manually shift focus from the list to the search box.

In practice, this means that if you remember a portion of an item that you copied some days ago, typing in that portion will likely expose that copy almost immediately and with minimal effort.  The search function also works with wildcards, so that e.g. a search term of "http*" will list all the URL's that you've copied.

Ditto is very configurable.  You can specify the maximum number of clips it will retain, or the number of days to retain unused clips, or a maximum database size.   Hotkeys are configurable.  You can even share clips over a network connection, although I've never tried that.

Ditto appears now to know at least something about Copy actions that other applications flag as containing passwords.  Where this protocol is observed, Ditto will ignore such Copy actions, keeping those passwords from ending up exposed in its database.  This is a real comfort when working with a password manager such as KeePass.

However, as the user you do bear responsibility for remembering that you have a clipboard manager active and that clips can end up in the manager that you do do not want others to see.  You should make sure that Ditto respects the privacy of passwords if you copy them from a password manager.   Ditto can also be temporarily disconnected from the clipboard while you copy sensitive items, so that those items don't end up in its database.

As a precaution, I recommend scanning the full contents of the Ditto list/database occasionally, especially when you are first starting to use it, to make sure that no risky nor embarrassing items have been captures.  If they have, you can selectively delete those items with a click or a keystroke.

It addition to retaining Copy and Cut clips, Ditto can serve quite conveniently as a means of rapidly accessing commonly used items.  Individual items can be flagged so that they are never deleted.  You can then rapidly pull them up with a hotkey or the search facility, either for reference or for pasting.  If you have an address you type commonly, or a salutation, or a few phone numbers that you are constantly looking up, you can put them in Ditto where they are just a keystroke or a few away.  And they don't clutter up your screen or your desk with notes.

Ditto can rapidly become one of your most often used utilities.  And while I've found it very stable, it is possible for the database to become corrupted.  You may wish to add it to your backup routine, to ensure that you don't lose all those items at your fingertips.

Ditto supports a number of clipboard formats, but not all.  When an item is copied or cut to the clipboard, it is identified as having a certain format.  Actually, many applications simultaneously place multiple format versions of a copy onto the clipboard, from which the pasting application can chose.  You may find some formats that Ditto does not support; however, for most everyday copying, it works just fine.

Some copies do not place the contents onto the clipboard; instead, they place a reference.  Then the pasting application can use the reference to directly request a copy of the data from the application being copied from.  These references may not work when Ditto is used as an intermediary.  Again, this is not too common in the Windows world, but once in a while you may come across it.

When you copy or move files using the clipboard, Ditto does not retain copies of those files.  Instead, it gains text records describing the these actions.

With regard to clipboard formats, I'm no expert, but the above paragraphs reflect my understanding of some situations in which Ditto may not perform as expected.

Finally, Ditto is a pop-up application.  It occasionally has a bit of trouble with application focus.  In particular, sometimes double clicking a list item or pressing Enter will not trigger the Ditto window to close.  The item will be selected and moved to the top of the list, meaning it has been placed on the Windows clipboard.  In these cases, you can get the Ditto window to disappear by pressing the Escape key (Esc).  You can then proceed to paste as expected.

If you open Ditto and then decide you don't wish to make a selection, either click outside its window or press Escape.

There are more features and tricks, but that should be enough to get you started and to avoid the most obvious points of confusion.

Thoroughly disabling AutoRun

Prescript: You should definitely back up the registry before attempting manual changes, such as the one described below. For two reasons: 1) In case your editing is not valid and hinders or cripples your machine; 2) In case you want to undo your changes in the future.

For the latter, you may not want to reapply the registry backup, particularly if some time has passed; you would lose all the subsequent registry changes. But you, or a professional, can use the back up as a reference when selectively removing registry changes.

----------

From an email I sent to a family member. Useful information.

The Windows AutoRun feature -- which automatically runs programs (desired or not) when you insert removable media, whether CD, DVD, USB drive, or similar -- is apparently difficult to disable thoroughly, from a conceptual perspective. This article describes how to do so. You have to decide whether you want to; however, for myself, I find the risk and/or annoyance outweighs the AutoRun convenience. For example, one time I inserted a music CD, to suddenly find the computer grinding away. Apparently, the CD had copy protection software that was trying to install itself. I'd forgotten to hold down the shift key while inserting, which is supposed to disable AutoRun on a case by case basis (this article doesn't discuss the Shift key feature, or whether it works in all cases; probably not, given that it describes how AutoRun can fire up not just on insert, but when you open something, even a directory, on the removable media).

If you have AutoRun disabled, you can always open up autorun.inf on the removable media to see what it would have run, e.g. what the set up program is on an installation disk.

----

http://www.windowssecrets.com/2007/11/08/02-One-quick-trick-prevents-Autorun-attacks


Top Story, November 8, 2007
One quick trick prevents AutoRun attacks

By Scott Dunn

Monday, January 19, 2009

Vi (and Emacs) key bindings in the Abiword word processor

As a long time occasional user of the programmer's editor, Vi, I have found its modal nature (you edit using two (actually, three) modes: command mode and input mode) very convenient, once I become (re)accommodated to it. I wondered whether any word processors supported a Vi-compatible input mode.

Some googling revealed that the open source word processor, Abiword, has a limited Vi input mode. However, the instructions for enabling it were not clear; I found partial information on several websites, and I also found several comments from frustrated users who could not get the instructions to work for them.

To enable the Vi input mode, one needs to edit their AbiWord installation's file "AbiWord.Profile". However, the exact editing that will work is quite particular. In experimenting, it is apparent to me that AbiWord.Profile is rewritten each time AbiWord exits. Edits to the file that do not fit AbiWord's expectations are not written out when this rewriting occurs. In one set of comments, users indicated that when they deleted AbiWord.Profile, causing AbiWord to generate a fresh copy upon startup, their edits and the desired effects of those edits then worked as expected and persisted. I've not tried doing this, yet, and so cannot speak to it.

I did manage to get the Vi input mode working for myself. I am using Windows XP. Under XP, the file "AbiWord.Profile" is located under "\Documents and Settings\[user id]\AbiSuite" where [user id] is the name of the Windows XP account that you are using.

Within AbiWord.Profile, make the following changes:

Leave the element "Select" alone; don't change it. It will look more or less like this:


<Select
scheme="_custom_"
autosaveprefs="1"
useenvlocale="1"
/>


Note that if you attempt to comment out element "Select" (to leave it in the file for future reference) while entering your own version of the element, the commented out version will be removed when AbiWord next rewrites the file.

Next, in the element "Scheme" as shown below:


<Scheme
name="_custom_"
ZoomPercentage="144"
/>


Add the attribute KeyBindingsCycle="1". The revised element will look like this:

<Scheme
name="_custom_"
ZoomPercentage="144"
KeyBindingsCycle="1"
/>


Save the file. When you next run AbiWord, the key "F12" will cycle between the three available input modes: "default", "viEdit", and "emacs". If you exit AbiWord while in "viEdit" or "emacs" modes, AbiWord.Profile will be rewritten to include the mode you were in at the time you exited. For example, if you exit while in viEdit, element "Scheme" will be updated to include attribute KeyBindings="viEdit", like so:

<Scheme
name="_custom_"
KeyBindings="viEdit"
ZoomPercentage="144"
KeyBindingsCycle="1"
/>
This information is current for AbiWord version 2.6.6 for Windows XP (installation file "abiword-setup-2.6.6.exe").

Here are some of the resources I referenced while figuring this out:

http://linuxmafia.com/faq/Apps/abiword-vi-mode.html

http://www.jukie.net/~bart/blog/tag/vi

http://www.abiword.org/mailinglists/abiword-user/2003/Mar/0023.html

http://www.abisource.com/wiki/FaqEditorBindings

http://www.abisource.com/wiki/KeyBindings

http://www.abisource.com/support/faq/

Thursday, January 8, 2009

Free Security Software, Part 1

I hesitate to start this post, because there is potentially so much detail involved.  Further, I'm not an expert.  However, in taking care of myself as well as answering some questions for family and a friend or two, I've accumulated some useful knowledge and resources.

You need security software.  No, it's not perfect, and it can slow your machine down somewhat.   Nonetheless, it provides some much needed protection.  News articles I've seen that reference recent security studies, state that an unprotected Windows computer that is connected to a broadband Internet connection becomes infected on average in under 10 minutes.

A straight-forward and reliable option is to purchase security software from one of the major vendors, e.g. McAfee or Norton.  These products work well, are fairly straightforward to use, and update themselves with minimal maintenance required from the user.

There are times though when an alternative may be desired or needed.  You may be entitled to software as part of your broadband Internet service.  You may have difficulty with the license fees.  Or you may resent the way the commercial products are difficult to uninstall and try to pump you for license renewal fees, upgrades, and the like in aggressive fashion.

Whatever the case, I myself have found myself needing alternatives, and I've had a number of people ask for the same information.  Here's a brief summary of what I've encountered.


"Free" and Easy Peasy

Do you have broadband Internet at home?  Is it from a major provider, e.g. Comcast, AT&T, or similar?  Very likely, your broadband subscription includes a subscription to a security software package from one of the major vendors.  Although I'm not using it at the moment, as a Comcast subscriber I'm eligible for a subscription to... McAfee, I think it was, the last time I checked.  My parents are now on AT&T, and I just helped them install an AT&T-provided McAfee security suite.  If you have a different provider, check.  The packages offered seem to be from quality brands, and you've already paid for it.

For the AT&T-provided McAfee, installation involved first visiting the Yahoo partner website and signing on with the AT&T account credentials.  You then need to navigate to a downloads area, where their is an option to download the security software.  When the option is chosen, the web site presents you with a license code to be used when installing the software.   After noting the code, you can proceed to download the installation package.

After it downloads, you run the downloaded installer.  It prompts for the license code; once the code is entered, installation proceeds.

Once the security software is installed, it will automatically download updates on a scheduled basis.


Caveats

Sometimes there is trouble during the installation process.  The problem I read most about is that of conflicts between different brands of security software.  For example, I already had security software installed when I tried to add the Avast product to the mix -- sometimes particular products will co-exist without problem.  After Avast installed and I rebooted, my computer locked up and refused to complete booting.  I was able to use Windows "Safe Mode" to undo this, but a typical user might become stuck and this point with a non-functioning machine.

In general, it's best not to combine products of the same type from different vendors.  If you already have a product installed, and you are going to switch to whatever your Internet service provider (ISP) offers, it's best to uninstall the old product before installing the new one.

Keep in mind that once you uninstall the old product, you may have no active protection.  So, if possible it is best to first download the new product.  Then physically disconnect your machine from the Internet.  Uninstall the old security software, then run the installation program for the new software.  Once the new software is in place and running, reconnect your machine to the Internet.

Be careful of products that only download a "front end" installer but then need an active Internet connection during installation in order to download the rest of the product.  If you have one of these, you can't disconnect your Internet connection.  Try to uninstall the old product and install the new product quickly, leaving yourself exposed for as little time as possible.

As soon as the new security software is installed and you are again connected to the Internet, run the software's update feature.  There will likely be numerous updates for it that were created after the date when the installer was generated.

Once  the security software is updated, it's a good idea to run a full scan to make sure that your system is clean.


Free, but more work

If you don't have access to a commercial package, you can assemble a security suite out of free (for non-commercial use) products.  Some offer a complete suite; others serve only one or two functions and need to be combined with other products in order to build up more comprehensive protection.

Personally, I'm using Comodo's Firewall Pro for my software firewall:


For anti-virus and anti-spyware, I've been using AVG versions 7.5 .  Note that this version of AVG anti-spyware has reached its formal end-of-life.  The current version, 8.0, combines the two products into a single product.  The free version does not offer all of the features of the paid versions; in particular, it provides less pro-active scanning.  If you know what you are doing and are careful, this may be sufficient.  There is still some pro-active scanning, and you can always manually initiate a system scan.


When I had particular concern about making sure my system is clean from spyware, I added the "free" version of Spyware Doctor that is available via Google's software bundling service, Google Pack.  There are actually two free versions of Spyware Doctor.  The version from the Spyware Doctor site will scan but not remove threats.  The version from Google Pack will not pro-actively scan, for example when you download a file.  But it will do a manually-initiated system scan just fine, and it is capable of removing any threats that it finds.

Be careful about allowing Google Pack to install other software.  You can limit it to only installing the portions of the "Pack" that you want.  Pack seems to be very aggressive about taking control of the things that it installs.  I'd recommend limiting it to just Spyware Doctor.


PC Tools, the company that makes Spyware Doctor, also offers a "more modern" scanning program that attempts to identify threats based on their ongoing behavior rather than just a signature identified by a scan.  That tool, ThreatFire, also has a free edition available directly from PC Tools.  If used, it should be used in conjunction with a regular anti-spyware scanner and not by itself.  It's better at identifying ongoing malicious behavior, but its traditional scanning capabilities are too limited to be solely relied upon.


Finally, when Spyware Doctor was complaining about a file that AVG had no problem with, I located and added AntiMalwareBytes to the mix.  It was described online as being one of the few products that was fully effective against the problem that Spyware Doctor thought I had.  Further, it was described as being able to deal successfully with a number of threats that other security software packages failed against.



There are other high quality free products, but I have less familiarity with them.  Two in particular that I see mentioned consistently are Avira and Avast.




There are a number of resources for researching this software product category.  I've listed some at the bottom of this entry.


TANSTAAFL (No Free Lunch)

TANSTAAFL is the acronym for "There ain't no such thing as a free lunch."  The phrase was popularized particularly in Robert Heinlein's science fiction classic The Moon Is a Harsh Mistress.

The "free" products still require development and support.  They are free "for non-commercial use".  Typically, the company involved also sells commercial subscriptions and lives partly from this.  But if their income is not sufficient, the product will decline and they may go out of business.  If you use one of these products regularly, you should consider purchasing a license to support its continued development and support.

Further, in doing so, you allow the product to continue to be available to those who cannot afford or obtain a license.  Since the Internet is one big intersection, this benefits you and others indirectly by ensuring that more of the machines that you interact with, or that interact with the sites you use and rely on, are clean from infection.  With malware thus limited, the system works better for everyone.

If you purchase a license, you do want to be sure you are accessing the legitimate website for the company/product involved, and that the transaction is secure.  That topic is outside the scope of this blog entry, but I wanted to caution those unfamiliar with web purchases against making them when they are not sure it's safe.


Resources






Let the data dump begin

Over both the short and the long term, I've been providing advice to friends as well as accumulating a store of knowledge for my own use.  Recently, I've experienced an uptick in requests for my advice.  I've also found myself wishing for a better record of some of the items I've previously encountered.  Enter this blog.

As an opening, I'll mention that in order to be able to edit the blog concurrently while also maintaining my normal browsing habits, I downloaded and installed Google's new browser, Chrome.  In particular, Google does not allow a user to access more than one Google account simultaneously from within a traditional browser.  I view this as a shortcoming of their offer.  Running a second browser gets around this, as it maintains a second, independent set of data and credentials.  Further, with Chrome, each tab has its own process.  I believe this allows Chrome to access more than one Google account at a time, as the data and credentials are separate for the separate tab processes.

The Chrome installation and behavior, however, I found disappointing.  At the start, rather than downloading the entire installation package, I was limited to downloading an on-line installer.  Running the installer, I found that it proceeds by installing the Google Updater.  Something I'd acquired in the past via Google Pack and blocked from loading on boot when it kept annoying me including with its resource consumption.

Perhaps most concerning, though, was to encounter all the warnings from my software firewall and security package, alerting me to just now deeply and pervasively Chrome was apparently hooking itself into my system.  Most software installations, including both Firefox and Opera, do not produce such warnings.  Perhaps it is simply that Chrome is not yet part of the security software's database of recognized software, but the details looked more pervasive.