First, some background on DNS; feel free to skip this paragraph if you know what it is . “Domain Name System” is a distributed system for translating web addresses (Google.com) to IP addresses (64.233.187.99). You type “Google.com” into your browser, the browser (through the computer) sends that address to the DNS, the DNS looks up the address and retrieves the corresponding IP, the DNS sends that IP to your computer, and, finally, the browser can use that IP to contact the appropriate website’s server to fetch the content. Each domain has at least one “authoritative” DNS server, which holds the master information for that domain. Other servers in the DNS system contact the authoritative server, and cache the IP address in their own tables. This way, if an authoritative server goes down, less-reliable-yet-still-useful results can be obtained from secondary servers. (This is the way I understand it, please correct me if I’m wrong). OK, moving on.

I was doing some domain name management on FreeDNS a few days ago, when, seemingly out of nowhere, I was getting “error loading page” for that site. I tried a few other sites to make sure my internet wasn’t down; I could access Google, but not eBay, with the same situation for a number of other sites. Very strange. Having recently been educating myself about DNS (that happens when you start looking into the details of dynamic DNS ), I immediately assumed that my ISP’s (AT&T’s) DNS servers were on the fritz. Which, to my knowledge, has never happened before.

So, naturally, I went straight to google with a query: “att dns servers broke”. Not the best grammar in the world, but it worked . Nothing especially recent popped up under Web results, so I checked out the Blog results, and found this: Your DNS Server is Broken, and Can’t Be Fixed. Naturally, that site was one of the sites that my working DNS server(s) couldn’t find, so I had to call up a google cached version. ‘Twas a scary article.

Basically, there is an inherent flaw in the very design of the DNS system. This flaw allows malicious entities with knowledge of this flaw to poison the DNS cache. This means that they can update the system’s cache to point a domain name at their IP address, which, in theory, could be a perfect copy of the original website. This would allow them to redirect major bank websites, for example, to their perfect copies designed to steal your account information. And you, of course, would never know the difference, because the URL bar still says “mybank.com”.

Fortunately, the discoverer of the flaw, Dan Kaminsky of Doxpara.com, was a security researcher. And, fortunately, he kept this monumental news quiet and got together with some other security guys and programmers, as well as some of the big names in technology, to work up a workaround. The flaw isn’t fixable, but we can make it harder to exploit.

After reading this article, which didn’t exactly answer my first question (”Are AT&T’s DNS servers down, broken, or worse?”), I headed to the news search. The most recent article there was on Forbes.com: Hackable Broadband Left Unpatched. This article, besides describing the flaw, detailed some major ISPs who hadn’t updated their servers as of the day the article was published. To my disdain, AT&T was among them. This may explain the DNS hiccups, though, if implementing this workaround to the main servers is at all a major undertaking.

While sooner is better, the major ISPs (or, really, anyone who runs a DNS server) have until August 6th to update their systems. That’s when Kaminsky will be discussing all the gritty details of the exploit in his talk at the Black Hat Briefings. In other words? DNS D-Day for anyone who hasn’t patched up yet.

Do you have a wireless notebook with Samba shares that contain copyrighted materials? For example, your music collection? But you only want to share it with your Xbox Media Center while you’re on the home network — sharing anywhere else could result in copyright infringement. It’s a hassle to disable your shares every time you go somewhere, eh?

Well, I’ve written a script which monitors your wireless connection and, should you hop on the wrong network, shuts down your Samba service. When you get back on your home network, it restarts the service. Isn’t automation wonderful?

Alright, so maybe I have a little too much free time. Whatever. Download the script, try it out, leave your comments here or through email, and enjoy. Distribute it yourself if you feel like it, but leave the bylines intact. Oh, and the script does need sudo/root privileges, so you should probably put it in /etc/init.d or similar.

1) DBAN

If the hard drive is of no use to you, you don’t plan on letting others have it, and you don’t trust the Geek Squad to destroy it for you, here are a couple more, rather more fun, alternatives

2) Industrial Shredder

3) DIY Boot ‘n’ Nuke

But it’s so limiting!

You have to login as admin to install software, to install new hardware devices, to setup new internet connections (mostly referring to VPNs, here) — even to install those bulky Windows Updates!

How do I deal with it?

With much exasperation, to be assured, but windows comes with tools to “make it easier”. The main tool I use is “runas“. This is a command line tool that takes a variety of options, and lets you run a program as a different user (including admin users). The catches: 1) you almost exclusively have to use it on executable files, and 2) you have to know the other user’s password. Which isn’t a problem if both user and admin accounts are yours. Also useful, right-clicking an executable file (and a few other file types) offers a “Run as…” option, which is similar but a bit more limited than the runas command line tool.

I use the runas command combined with shortcuts in my quicklaunch menus to launch Windows Explorer, Regedit, and Control Panel under my admin account. This allows me fairly convenient access to these things, though I still have to type my password, which delays access. But it’s better than nothing.

To set these shortcuts up, you will need the “Secondary Logon” service to be running (the runas commands rely on this service). The Quicklaunch directory can usually be found at C:\Documents and Settings\{user}\Application Data\Microsoft\Internet Explorer\Quick Launch , where {user} is the name of whichever account you will be using. Alternatively, you can right-click on an empty spot on your quicklaunch toolbar (best is between the last icon and the drop-down arrow that shows the rest of the shortcuts) and click the “Open Folder” option, upon which Explorer will present you with the mentioned directory.

Now, on to exactly which shortcuts I use. In all of the following, {admin} will refer to the name of the admin account you will be logging in under (not your normal user account). When you see (or don’t see) the “/env” and “/noprofile” switches for the runas program, they are optional for the most part:

Windows Explorer: Create a new shortcut in your quicklaunch folder and point it to

C:\WINDOWS\system32\runas.exe /env /user:{admin} "explorer.exe /e,\"%USERPROFILE%\Desktop\""

This will open a new Explorer window open to the current user’s Desktop folder. You can also replace %USERPROFILE%\Desktop with another folder, or, to have My Computer selected, with ::{20D04FE0-3AEA-1069-A2D8-08002B30309D}. The escaped quotes (\”) are necessary. For your reference, I’ve listed some other system folders that you may find convenient to have shortcuts (runas-admin or otherwise) to.

Control Panel: Create a shortcut to

C:\WINDOWS\system32\runas.exe /env /user:Root "explorer.exe /e,\"::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\""

Again, you have to omit the /noprofile switch for it to work.

Registry Editor: Create a shortcut to

C:\WINDOWS\system32\runas.exe /env /noprofile /user:Root regedit

(If you don’t understand the following paragraph, you may not even need this shortcut)
The problem with using regedit through this method is that HKEY_CURRENT_USER is the admin user. You can still edit other users’ accounts by finding their tree under the HKEY_USERS key. If I’m not mistaken (and on this point I very well could be), the trees (under HKEY_USERS) referring to actual users have long strings of numbers separated by dashes, the last number group being 100x (where x is a decimal [possibly hex] number).

Services, Device Manager, Event Viewer, and the like
This part gets a little trickier. To pull up the system services, for example, under an admin account, I would normally use Start > Run…, then type “services.msc” and click OK. This works under limited accounts, but you can’t start/stop/edit services. And, for some reason, you can’t use runas with services.msc; it just won’t work. There are two workarounds: 1) find the .msc or whatever file that refers to the administrative tool you want to use under the C:\Windows or C:\Windows\System32 folders, right-click, choose “Run as…”, and enter your credentials, or 2) Use the Start > Run… option to run

runas /user:{admin} mmc

then, in the resulting window, File > Add/Remove Snap-in… > Add… and select/add whichever tools you want to work with. Not pretty, not easy, but it’s there if you need it.

So, there you go. A few tools (derived from one tool) that I use to tweak my system as a Limited User. Hope you found it helpful, and feel free to ask questions or make suggestions (or boast of whatever tools you use) in the comments!

Also, as promised, some additional system folders:

• My Computer: ::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
• Recycle Bin: ::{645FF040-5081-101B-9F08-00AA002F954E}
• Desktop: ::{00021400-0000-0000-C000-000000000046}
• Printers: ::{2227A280-3AEA-1069-A2DE-08002B30309D}
• Dial-up networking: ::{A4D92740-67CD-11CF-96F2-00AA00A11DD9}
• Fonts: ::{BD84B380-8CA2-1069-AB1D-08000948F534}
• Internet Explorer: ::{871C5380-42A0-1069-A2EA-08002B30309D}
• Microsoft Outlook: ::{00020D75-0000-0000-C000-000000000046}
• Network Neighborhood: ::{208D2C60-3AEA-1069-A2D7-08002B30309D}
• Inbox: ::{00020D76-0000-0000-C000-000000000046}
• Subscriptions: ::{F5175861-2688-11d0-9C5E-00AA00A45957}
• URL History Folder: ::{FF393560-C2A7-11CF-BFF4-444553540000}
• Briefcase: ::{85BBD920-42A0-1069-A2E4-08002B30309D}
• Internet Cache Folder: ::{7BD29E00-76C1-11CF-9DD0-00A0C9034933}
• ActiveX Cache Folder: ::{88C6C381-2E85-11D0-94DE-444553540000}
• Control Panel: ::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}

These were taken from the documentation file for KKMenu 2.8, whose author says:
“Please note, that I have taken the list above from the Aqua-Soft discussions (thanks to hydrostereo and fireball) and I have never tested if all of the items do really work. Please e-mail me in case of any inconveniences to: <email removed>.”

By default, any Windows XP user accounts that you create are given administrator privileges. Many people leave it this way (and some just use the built-in administrator account), allowing them to install software, modify settings, and otherwise tweak their system as their whims lead them to. Unfortunately, this also gives administrator privileges to ill-intentioned applications, malicious programs, and viruses.

Operating under a Limited User account can limit the damage that an accidentally downloaded virus is able to do. Limited User accounts have limited access to the windows registry, read-only access to select system folders (C:\windows, C:\Program Files, and probably others), and non-use access to several system tools (disk defrag, scandisk, add/remove programs, add hardware, and most tools in the Control Panel). Under such lockdown conditions, viruses and bad programs can’t really do much, which is good.

If you need to install a program…well, you can’t, but your admin account can, and you can access that account’s privileges either through the runas command or through switching to your admin account. Or, if you’re wanting to run an executable program (whose filename ends with .exe), there’s the RunAs context menu option.

If you’re thinking, “Yikes…so, you basically can’t do anything?” then you’d be partially correct. Unless you go through your admin account, you can’t install programs, uninstall programs, or do anything short of web-browsing and document-editing. Which may be all you need, depending on your circumstances. If you need regular access to locked-down resources, but still want the added security of a Limited User account, you can do as I have and make two accounts on your machine, one for (limited) everyday use and one for admin use. And check out my post, Surviving a Windows XP Limited User account, on making this situation livable

As there are plenty of step-by-step guides on how to setup a new user account, I’ll let Microsoft themselves guide you through the process.

But those little storage devices can store more than documents. Duh.

I’m working on getting a business running where I basically come to your computer and clean it. Take out the trash, clean up the spyware, spank the viruses, polish the CPU. Kinda like Geek Squad. Anyway. In this business there are a few essential programs that I will be using, but it’ll get very old very quickly if I have to download each and every one to my client’s computer to run it. Not to mention it’ll take more of their disk space, which is NOT a good thing. One alternative is to lug my laptop around to each person, setup a local file sharing network (somehow) and work on their drive from my comp.

No, thank you.

My solution: portable apps on a 1-gig flash drive. There are LOTS of programs that work from a flash drive, many of them free.

However, in choosing programs for your flash drive, you have to keep a few things in mind.

Size: Programs, along with all their add-on dll files and lengthy EULAs, can take up a good chunk of drive space. And with flash drives, you are limited to the drive’s capacity. So, obviously enough, the smaller the better.

Storage methods: How does the app store information? Most programs use files, but way too many programs use the Windows Registry. This is a BIG no-no for portable apps. On one hand your registry settings won’t be available on another person’s computer, and on the other hand you don’t want to inadvertently edit your client’s registry. As such, you want to make sure any program you bring won’t make registry changes.

Relative path support: Life on a flash drive means never knowing what drive letter you’ll be assigned. Therefore your programs have to be able to cope with changing letters, and they can’t be using absolute paths.

So here’s what my life-on-a-stick currently looks like:

Dock: With many programs come many directories. My file structure is pretty deep. As such, I don’t want to go hunting for my apps with my client’s Windows Explorer. So I downloaded RKLauncher. Yes, you could probably go with another dock program, or even a floating menu app, but I prefer RKL because 1) it’s a dock, and I like docks, 2) it supports both ObjectDock and Yz Dock docklets (don’t worry if that didn’t make sense), 3) it’s a standalone executable, 4) it supports relative paths, meaning it can find my programs even when my flash drive’s letter changes, and 5) it’s FREE!!! Free is very important to me.
Total size of RKLauncher + Dock Icons for all my apps + the following docklet: 3.24MB

Menu Docklet: When traveling, you can’t be sure what resolution the computer you visit will be working with, and you don’t often want to mess with the settings (if you can). As such, your traveling dock will ideally be as small as possible. Enter the menu docklet, KKMenu. It’s not really a docklet anymore, it’s a standalone executable, but as such it should work with any dock that supports shortcuts. The download includes a DOC subfolder with a file help.html that gives a rundown of how to use the program, along with a couple of menu skins. In my installation, I’ve deleted the DOC folder all but one skin (one INI file and one PNG file), and all extraneous files (everything in the root docklet folder other than kkmenu.exe and kkmenueditor.exe). My RKLauncher has 4 links to KKMenu, one for each category Internet, Utilities, Security, and Office. Put together with the two links to local copies of Windows Explorer and Task Manager, it’s a very small dock.

Internet

Internet Browsing: Yes, chances are any computer I walk up to these days will have high-speed internet connected to a browser of the owner’s choice — but I’m not the owner, and their choice may not be mine. I prefer FireFox (along with my choice of skins and extensions), so I downloaded FireFox Portable. The owner has even kindly put up instructions for copying your current FireFox settings for use under the portable version. Must-have extensions I take with me include DownThemAll!, SearchBar Autosizer, Cooliris, and PDF Download for use with Foxit Reader (more later), but it doesn’t yet support relative paths
Of course, since space is limited, you want to set some settings that prevent FFP from using more than it absolutely needs. Mainly this means turning off cookies, disk cache, and history.
Total file size of FFP, extensions, and one theme: 26.4MB
Edit: I talked with the author of PDF Download, and we managed to get relative paths working ^_^ In order to do this, open the PDFD options. Under the “General”, select “Open PDF”. Under the “PDF Opening” tab, select “Use this viewer:”. In the text field to the right, put the relative path to your PDF reader executable, starting at the directory where FFP starts. This method uses a lot of “dot-dot” directory specifications (”../”, meaning “one directory up”), but it is also set-and-forget; once you find the right path, you don’t have to modify it again (unless you’re switching PDF viewers).

Email: While it’s true that most email services have a web interface, I prefer a program that brings all my accounts to the same place. Enter ThunderBird Portable. Along with the Webmail Extension, it can bring just about any account type to the desktop. And, of course, you’ll have to explore the settings to reduce disk writing to a bare minimum.
Total size of TBP and two extensions: 27.6MB

Utilities

Advanced Text Editing: A good program that works like Notepad and has a little extra kick is Notepad++, but for flash drives go with Notepad++ Portable.
Total size: 2.25MB

File Compression: Let’s face it: the ZIP compression format stinks. For all the other formats, the best program out there is 7-Zip, with a portable version. Supports almost every compression format out there.
Total size: 2.08MB

SSH Client: My college career involves a lot of work on Linux computers through SSH clients. All I did here was copy over the SshClient.exe file from my local SSH installation, and it seems to work fine.
Total size: 3.07MB
There is also a portable PuTTY, if that’s your app of choice.

Lightweight PDF Viewer: Down with bulky Adobe Reader, long live Foxit Reader! Download and extract the ZIP file from Foxit’s site, and you have a standalone, lightweight PDF viewer!
Total size: 3.85MB

Other utilities: I have a few other small programs that might come in handy. These are Process Explorer (a bulked-up Task Manager), TightVNC Viewer (viewer executable only, along with a personalized build of UltraVNC Single Click, though I haven’t tried the combo yet), FolderSize, and a small program that creates a System Restore Point (edits the registry, yes, but in this case you want it to ).
Total size of all four apps: 4.91MB

Security

Antivirus: My app of choice for antivirus is actually AVG Free, but I haven’t yet figured out how to run it from a flash drive. Until then, I will use ClamWin Portable.

Antispyware/malware: At the moment, my spyware apps include only files copied over from local installations of Ad-Aware SE and Spybot SD. I have NOT tested these for registry modification yet, however!

Office
My portable office suite is OpenOffice.org Portable. Unfortunately, the installation program doesn’t let you choose which parts to install, and there’s really not much you can remove to save space. I’ve managed to slim my install down to 76MB total, but it’s still bigger than I like, when I’ll only occasionally use Writer and Calc.
Total size: 76MB slimmed, 181MB full install

Last, but not least, I have two files on the root of my flash drive: an autorun.inf and an rklauncher.bat. The autorun.inf is setup to automatically run RKLauncher (setup with some help from lazycoder.com). The rklauncher.bat file is essentially a shortcut in the case that autorun doesn’t autorun. With flash drives (and, therefore, changing drive letters), file shortcuts don’t work, so simple windows batch scripts have to be used instead (setup with a template found on a fatwallet.com post — be sure to use relative paths!).

Altogether, my 1GB flash drive shows 225MB used space, 747MB free space. Plenty of free space for any documents or relatively small downloads I may want to grab

Other sites for portable apps:
portableapps.com has a wide range of programs specifically built to be run from a flash drive.
That fatwallet.com post also has an exhaustive list of programs that can run from your flash drive.