December 7, 2013
See bottom of post, for the TLDR problem/solution:
I have been using XFCE for some time now and overall really enjoy it. I switched to XFCE after giving Gnome 3 a go when it first came out and have been using it since. It has gotten a lot better since then too.
For instance immediately after switching, one of the only things I missed from Gnome2 was tabbed file browsing. Thunar, the default file manager for XFCE, got that awhile ago and has generally been improving a lot.
Another change to XFCE is the way it remembers your desktop settings, windows, and programs when you log out. I admittedly have not researched this as much as I should, but anecdotally I noticed some changes to how this works when I upgraded to a newer version of XFCE recently. I also noticed that there seems to have been a change in the way that XFCE deals with multiple monitors, as after upgrading, certain programs started using the entire width of two monitors when initially drawing their windows, rather than using a single monitor as they had in the past.
Onto the problem: After getting a new monitor that supported a higher resolution (1920×1080) and updating my xorg.conf, my resolution would get reset to my old resolution (1680×1050) as soon as I logged back in to XFCE.
I use Nvidia drivers, as I have found them to offer a bit better performance and support for a multi-monitor setup, not to mention being generally quite easy to configure. It’s been a while since I tried using it, but the built-in display manager for XFCE has not been well suited to using multiple monitors in the past, while nvidia-settings provides a nice, easy-to-use GUI for arranging and setting up displays.
I tried several different things with my xorg.conf and nvidia-settings, including removing it altogether, as well as a variety of different configurations. However, no matter what I had in my xorg.conf, as soon as I logged in the resolution was reset to the old resolution. It seemed like XFCE was ignoring my xorg.conf settings or overriding them.
I was fairly confident that the xorg.conf was correct, so I began looking elsewhere. I grepped my ~/.config folder for my old resolution and did in fact find the old resolution listed in: xfce4/xfconf/xfce-perchannel-xml/displays.xml.
I tried changing it there to the new resolution, however it still reverted back to the old one. Finally, after being a bit fed up and fairly confident that the saved settings/sessions were to blame, I moved my config folder to a backup: mv ~/.config ~/.config_back
This unfortunately has the side effect of clearing all (or most) of your saved XFCE settings, but as soon as I did that, it started using the new resolution. I have in the past done some messing with xrandr settings in order to get multi-monitors working better, so it is possible this is my own doing, but there was definitely some XFCE setting in my config that was reverting the resolution.
This is something that I should learn more about and rtfm a bit, but sometimes killing it with fire works and is the easiest/quickest solution…
Problem: After getting a new monitor, the resolution specified in xorg.conf was ignored when logging in to XFCE. Instead, each time I logged in, it reverted to the old resolution.
Bad Solution: This is probably not the best way to address the problem. However, moving ~/.config to ~/.config_back cleared out whatever XFCE setting was overriding my xorg.conf and let me use the new resolution.
Caution: Again, this isn’t a good solution, but it worked. If you do the above, it WILL delete all of your XFCE settings, like panels! A better solution would be to learn why/where the setting that maintains the old resolution is kept and change it!
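One way to answer the "where is that setting kept" question without moving all of ~/.config, as an added example that is not code from the original post: it walks the xfconf per-channel XML files (the directory that holds the displays.xml mentioned above) and reports every property still holding the old resolution. The sample XML, the output name DVI-I-1 and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample in the xfconf per-channel XML layout; the output name
# and values are invented for illustration.
SAMPLE_DISPLAYS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<channel name="displays" version="1.0">
  <property name="Default" type="empty">
    <property name="DVI-I-1" type="string" value="Old Monitor">
      <property name="Active" type="bool" value="true"/>
      <property name="Resolution" type="string" value="1680x1050"/>
      <property name="RefreshRate" type="double" value="60.000000"/>
    </property>
  </property>
</channel>
"""


def find_values(xml_data, wanted):
    """Return (channel, property path) pairs whose value equals `wanted`."""
    root = ET.fromstring(xml_data)
    channel = root.get("name", "?")
    hits = []

    def walk(node, path):
        # Properties nest, so build the full path the way xfconf names it.
        for prop in node.findall("property"):
            here = f"{path}/{prop.get('name', '')}"
            if prop.get("value") == wanted:
                hits.append((channel, here))
            walk(prop, here)

    walk(root, "")
    return hits


def scan_config(config_dir, wanted):
    """Scan every per-channel file under config_dir; map file name -> hits."""
    base = Path(config_dir) / "xfce4" / "xfconf" / "xfce-perchannel-xml"
    results = {}
    for xml_file in sorted(base.glob("*.xml")):
        try:
            hits = find_values(xml_file.read_bytes(), wanted)
        except ET.ParseError:
            continue  # not well-formed XML; nothing to report
        if hits:
            results[xml_file.name] = hits
    return results


if __name__ == "__main__":
    print(find_values(SAMPLE_DISPLAYS_XML, "1680x1050"))
    for name, hits in scan_config(Path.home() / ".config", "1680x1050").items():
        print(name, hits)
```

The reported channel and property path are the arguments that `xfconf-query -c <channel> -p <path>` takes to read that one setting.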
November 22, 2013
Recently, I ran into a weird issue with a 1G iPad and had to figure out a work-around to install apps on it.
One of my clients inherited an old first generation iPad from a friend. Before he gave it to him, it was wiped and factory restored.
After setting it up, when attempting to install certain apps, like Google Maps, Google Chrome, or Netflix, he got the following message: This application requires iOS 6.0 or later. You must update to iOS 6.0 in order to download and use this application.
Of course, the last version of iOS that was supported on this iPad was 5.1.1 and their suggestion is not possible.
After talking to a friend that has an old iPad and doing some reading, it seemed like most people would get a prompt to download the last compatible version of the app. However, even after wiping it again via iTunes and making sure everything was set up, it still wouldn’t let us install old apps.
However, after a bit of playing around, I figured out a workaround that let us install both Netflix and Google Chrome on the app.
When installing an app on a first generation iPad, a warning stating ‘This application requires iOS 6.0 or later.’ is shown and installation is blocked.
- Install iTunes on a computer and sync the iPad
- Install desired apps via iTunes onto the iPad
- Wait until the apps finish downloading, then unplug the iPad
- The apps will attempt to install, but will hang on the iPad
- Delete the apps from the iPad
- On the iPad, go into the App Store and re-install the app
- You will now be prompted to install the last compatible version of the app
This worked for both Netflix and Chrome; however, Google Maps, which we did NOT install via iTunes first, still gave the upgrade needed error.
Why does this work?
I can only guess, but it seems like at some point Apple changed their policy on old devices and started allowing people to install older versions of software on their devices. I found a reddit thread from 2 months ago that discussed the change.
However, we were using a brand new iCloud/iTunes account, which had never installed any apps.
So, presumably, Apple only allows you to install compatible versions of Apps you already own. When I asked my friend, he had no issue installing any app, including Google Maps, which was not already on his 1G iPad. However, he had installed it before on other devices. By installing it first via iTunes, even though it doesn’t actually work, Apple will then allow you to install an older version…
October 24, 2013
Some time yesterday, Google’s Safe Browsing service detected malware on PHP’s main site, php.net. As a result, if you visit it right now in a browser that uses Google’s Safe Browsing list, like Chrome or Firefox, you will get a warning message, and when viewing it in Google SERPs, you will see the ‘This site may harm your computer’ warning.
I use PHP a great deal and think that a lot of the dislike/feelings people have against the language are misplaced, but I do see the humor in the warning message showing up when you search for ‘php.’
Were PHP’s Servers Compromised?
Rasmus, as well as a few others involved with PHP, have stated on Twitter and in a Google Groups thread that the file in question, ‘userprefs.js,’ was not compromised. In a tweet from this morning, Rasmus said ‘They [Google] point to a js code injection which was deliberate’.
I checked a number of PHP mirrors and while I did find two different versions of userprefs.js, neither was the obfuscated version.
Will update this post with some more later, as it becomes available.
Update 2013-10-24 13:00: As of now, the warning message is no longer appearing when doing a Google search, and visiting the site doesn’t result in a warning, so it appears that php.net has been removed from the Safe Browsing list. Haven’t seen an update from Rasmus or others with any more details yet.
Update 2013-10-24 17:00: An update has been posted to PHP’s News Section confirming that they were compromised. They state that an rsync job was reverting changes being made to userprefs.js, presumably because the local server was compromised. An initial code review has been performed and they don’t think the PHP source was compromised, but they are working on a more thorough review and post mortem.
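The mirror comparison described above can be made systematic. This added example (not from the original post or from PHP's own tooling) groups copies of one static file by SHA-256 and runs simple obfuscation heuristics on each distinct version, since two versions differing is not by itself evidence of tampering. Mirror names, file bodies and thresholds are constructed assumptions, not the real userprefs.js or the injected script.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample data: mirror names and file bodies are invented.
CLEAN = "function setPref(k, v) {\n  document.cookie = k + '=' + v;\n}\n"
COPIES = {
    "mirror-a.example": CLEAN,
    "mirror-b.example": CLEAN,
    "mirror-c.example": CLEAN.replace("+ v;", "+ v + ';path=/';"),
    "mirror-d.example": CLEAN + "eval(unescape('" + "%41" * 400 + "'));\n",
}

DYNAMIC_CALLS = re.compile(r"\b(eval|unescape|fromCharCode)\s*\(")
ENCODED_BYTE = re.compile(r"%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}")


def obfuscation_signals(text):
    """Return human-readable reasons a script body looks obfuscated."""
    signals = []
    if any(len(line) > 1000 for line in text.splitlines()):
        signals.append("very long line")
    calls = sorted(set(DYNAMIC_CALLS.findall(text)))
    if calls:
        signals.append("dynamic code calls: " + ", ".join(calls))
    encoded = sum(len(m) for m in ENCODED_BYTE.findall(text))
    if text and encoded / len(text) > 0.3:
        signals.append("mostly encoded bytes")
    return signals


def triage(copies):
    """Group mirrors by file hash and attach signals to each distinct version."""
    groups = defaultdict(list)
    for mirror, body in copies.items():
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        groups[digest].append(mirror)
    report = []
    for digest, mirrors in groups.items():
        report.append({
            "sha256": digest,
            "mirrors": sorted(mirrors),
            "signals": obfuscation_signals(copies[mirrors[0]]),
        })
    # Largest group first: the majority version is the likely baseline.
    report.sort(key=lambda r: (-len(r["mirrors"]), r["sha256"]))
    return report


if __name__ == "__main__":
    for row in triage(COPIES):
        print(row["sha256"][:12], row["mirrors"], row["signals"] or "no signals")
```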
July 6, 2013
I am, in many ways, rather frugal and I like to get as much use out of things that I buy as possible. To that end, I think it is safe to say I got my money’s worth out of this pair of New Balance 574s.
I am not sure exactly when I bought them, but I think they are at least 6 years old, probably older. I bought them on sale, 2 for one, with a similar pair of gray 574s, the M574N2. Now, these are described as retro and classics, but I think back then it was just the good old New Balance 574.
I still have the M574N2, it was the slicker all leather(?) style, without the cloth net on the toes.
The M574N2 regularly gave me blisters when I walked in them, primarily around the heel, so I let them get torn up, wearing them as outside/work shoes and retired them several years ago. I kept them for emergencies, as other than staining and a bit of damage under the heel, they aren’t in terrible shape. However, due to comfort issues I haven’t worn that pair of New Balances in years.
The other pair, the M574BGS, on the other hand, has been one of the best and most comfortable shoes I have owned. I can’t even begin to contemplate how many miles I have put on those, but it is a lot.
The picture at right shows the difference in tread between a replacement pair I bought a few months ago. The comparison shot really doesn’t do justice to the difference between the treads, but gives a pretty good idea.
Since that picture was taken, I ended up wearing the old pair as outside shoes for several more months and the heels have pretty much deteriorated to the point I can see through them. Due to the imbalance when I walk, which has finally gotten to be uncomfortable, I probably won’t wear them much for any extended period of time. I have since ordered a new pair.
To be fair, I did kind of baby this pair initially, only wearing it infrequently until the first gray pair was too dirty. However, they have been my main shoes for a number of years now and up until only a few months ago, my daily shoe.
So, it is with a bit of sadness, I officially retire this pair and anxiously await my new one!
Probably the only downside to the New Balance 574 is that they seem to attract burning ash from fires. Both the original pair of 574s and the new one I bought a few months ago ended up with a small burn spot from a bit of ash the first time I wore them at an outdoor fire. I suppose it is like denting your car the first time though, after that you can relax a bit. However, I plan on keeping the pair I just ordered well out of harm’s way for as long as possible.
March 11, 2013
Update 2013-08-06: Since writing this article, Lowe’s has updated the documentation on the Loweslink website. See my response to the Loweslink Documentation Changes
Each time I do, I am utterly amazed at how amazingly reckless the LowesLink service is and the state that it leaves a user’s computer in. In regard to computer security, anyone who uses LowesLink, even more so if they actually follow the published instructions, has opened a gaping hole in their computer’s security.
For those who are not familiar with it, LowesLink is a web portal that makes invoicing and receiving payments from Lowe’s easier. It has, in my experience, mostly been used by independent contractors, but I would imagine it is also heavily used on the corporate side of things too.
The Main Issues Are as Follows:
1) LowesLink discourages people from using a modern browser, stating a requirement of Internet Explorer 7 or 8. They tell IE9 users to downgrade.
2) LowesLink requires people to use the generally insecure Java web browser plugin.
3) The LowesLink website tells users to download an old version of Java from 2010 – 2011: jre-6u20 (2010) – jre-6u27 (2011).
4) LowesLink, through their published documentation and support staff, tells users NOT to update Java and instructs users to disable updates of Java.
5) The LowesLink website, while using HTTPS, loads content insecurely. This results in a warning when visiting their page.
Why this is bad:
All of the above is a great way to ensure that their users are running an insecure and vulnerable system. It effectively creates the perfect storm of bad advice and insecure software.
The Java Browser plugin is ridiculously insecure by itself, not even taking into account that their website instructs people to install a 2+ year old version.
It would probably be quicker to point out the days over the last 3 years when there hasn’t been an unpatched Java browser vulnerability being actively exploited in the wild. Consistently, Java is top of the list of insecure software that results in computer infections, along with Flash and Adobe Reader.
As a result, telling your users to install a version from 2010-2011 and then disable updates is amazingly reckless and irresponsible.
What makes it even worse is, at least in part, the instructions published on their website are incorrect. Not only is it possible to run it with the latest version of Java 6, but also IE9!
Also, telling users not to update Java is insane. Java 6 has already been updated 3 times in 2013, with fixes for around 60 security issues. If you follow their instructions, you would never get these updates unless they were performed manually, which most users are not going to do.
Even the US Government has come out stating that Java should be disabled in the browser, as it represents such a serious threat to security. And that is the most recent version! Not the version Lowe’s wants you to install!
Loading Mixed Content from a Secure URL
As any web-dev with even a bit of experience can tell you, if you are going to use HTTPS, then you should load ALL resources over HTTPS.
However, Lowe’s not only fails to do this, but because the user is required to use Internet Explorer, they will see an unintuitive warning each time they visit.
Browsers handle insecure content differently. By default, IE displays a warning about the insecure content on each visit to the page. The question is phrased a little awkwardly: if you care about security you really should hit yes, rather than no. Hitting yes, which is what most people instinctively do when they encounter a popup, tells IE to only load the secure content.
However, in this case, if you want LowesLink to work and display properly, you would probably need to hit no, which tells IE to load both insecure and secure content.
Fix Your Documentation
Aside from just being horrible advice, the published documentation is actually incorrect.
I have been able to get LowesLink to work using a current version of Java 6 and using Internet Explorer 9. So, I know it works, while still less than optimal.
If Lowe’s isn’t prepared to invest in fixing this mess, at least spend some resources making sure it works on a modern browser stack!
Why I am Writing This
This is one of those posts that I almost write each time I encounter LowesLink, as it is just such overwhelmingly bad advice. Whenever possible, I end up urging the user to use Firefox or Chrome and then ONLY use Internet Explorer for LowesLink, in an effort to reduce the risk of infection.
I am writing in the hopes that Lowe’s will, as their support assures me each time I call, work to update this system. However, they have been saying that for years and their system has been reducing the security of their users for just as long.
Lowes: Clean Up Your Act!
LowesLink is a disservice to all Lowe’s Users and those who support them. The LowesLink System, especially if you follow their published instructions, by design results in a computer that is vulnerable to infection.
This choice makes Lowe’s Contractors, Vendors, and Employees a very easy group to target and the low hanging fruit of the corporate world.
For years, support has been apologizing and saying they are working on something better, but here it is 2013 and they are still telling users to install a 2 version of Java from 2011 and disable automatic updates.
Further, this isn’t just some Java applet color picker we are talking about. This is a system used for invoicing, bidding, and a ton of other really important and likely sensitive tasks. I understand it costs money to update, but I can’t even wrap my head around the multitude of bad choices that has brought us to this point.
Even my aunts and uncles are tech savvy enough to pick up on all the Java related news, but apparently Lowe’s can’t or won’t invest the money to protect their users. Instead, they simply leave their users’ computers open to infection!
Update 2013-08-06: The Loweslink Documentation has been updated since this post was created. See top of this article for more info.
March 5, 2013
Over the years, I have learned a lot about computers, not just in regards to fixing computers, but also troubleshooting, the right types of questions to ask, how to walk people through simple repairs over the phone, and also how different people use computers. One lesson that it took me some time to learn is that you can’t always set up other people’s computers like your own.
I would classify myself as a power user and have been for some time. I became the computer guy for my friends and family pretty early on and was often called to set up a computer for the first time or figure out why something wasn’t working. Back then, I would lock down their internet browser, tweak security settings, and generally set up the computer just like mine. However, most folks aren’t power users and this often had the effect of making their life more difficult or meaning that they would see a warning due to a security setting and just click through it. It took me a while to figure out that while this type of computer use was preferable for me, most people don’t want or need that type of experience.
Eventually though it clicked, and while I still take great care setting up people’s computers, I now try to do it from the perspective of a normal non-technical user, rather than a power user.
The Case of the Locked Down Router
I ran into a great example of this today, while dropping off a laptop.
The client had been having problems getting their work computer to connect to the network. Their laptop and iPad worked fine, but just not their work computer. So, they asked me to take a look at it while I was over there.
The network was saved with the wrong security settings, WEP instead of WPA, so I deleted the saved network profile and re-added it. It worked right away.
However, I have found that it is always a good idea to restart the computer after making these types of changes (or any changes really), to make sure it still works on reboot. And, sure enough, as soon as I rebooted I could no longer connect to the network. So, I logged into the router to see what was going on.
After a few minutes of playing, I discovered that it was set up to only allow 2 DHCP leases at a time. As a result, unless they manually set an IP address in their network adapter, it would only ever be possible to connect two devices to their router.
In retrospect, me being able to connect right away made sense. I had their personal laptop long enough for its lease to expire, so when I came back to their house and started the work computer, it filled the second slot that their personal laptop would normally have taken.
I set it to a higher limit and problem solved, they were able to connect with multiple devices.
During the work, we talked for a bit and I discovered that the person who set up their router was a friend who works in networking.
In addition to limiting the number of DHCP leases, he also made a few other changes, like setting the SSID to not be broadcast, which were geared at locking down the router. While this is similar to how I would set up a personal network, with a limited number of DHCP leases, MAC filter, reduced subnet, etc., setting up a non-power user’s network like this isn’t generally a good idea, as they would never have thought to check the DHCP limit and didn’t know how to reset their router.
So, I think this ends up being a great example of why you should try to put yourself in the shoes of the user when setting up a computer (or network), rather than approaching it how you would a personal system.