Dave's Blog - My personal views on computing (and occasionally other topics)

About me

Send me a message

This web page:   http://webpages.mcgill.ca/staff/group3/dedwar1/web/blog.htm

Links:     MUSIC/SP     Sim390 ESA/390 mainframe emulator

(c) Copyright Dave Edwards, 2005, 2006

Nov 1, 2006: Free Geocities web hosting - Data upload corruption problem

I use Yahoo's Geocities free web hosting service for some of my web sites, and, generally, it's a good service - it's stable, has been around for several years and does not seem to be about to disappear (as so many free web hosts do), and the ads are not too intrusive. It's not bad for a small to medium size web site without high traffic and without the need for scripting or a database. The total file space limit is 15 MB, the individual file size limit is 5 MB, and the bandwidth (transfer) limit is 3 GB per month (there are also rumors of a 4 MB bandwidth limit per hour).

Since my web pages are fairly simple, I like to create my HTML (.htm) and text (.txt) files manually using a text editor, then upload them to the web host (Geocities). The free Geocities service does not allow FTP upload, but provides a File Manager with a web-based (HTTP) upload that is easy to use and lets you upload 1 to 5 files at a time from your local machine to the host. The File Manager also lets you edit text files on the host, rename files, create subdirectories, etc. Most types of files can be uploaded, including .htm, .txt, .gif, .jpg, and .zip. However, .exe files are not allowed, and .bin files are sometimes corrupted during upload, so avoid those types. If you are providing .exe files for your web site visitors, it's best to package them into a .zip file (by WinZip or equivalent) anyway.

So far so good. The "fly in the ointment" is an annoying data corruption problem that occurs for .htm and .txt files (and perhaps some other file types too) during upload by Geocities's File Manager. Initially, you may not even notice it. But later, when browsing your web site, you may see what seem to be typo or spelling errors at various places in your text. If you check your local files (the master copies on your own machine), you find that they are correct. Somehow the upload process has introduced the errors!

The typical error is that, in some lines of the source file (the .htm or .txt file), there is an extra character in column 44. The extra character is a repeat of the character in column 43. For example, a line:

This is a sample text line to illustrate the Geocities bug.

may be uploaded as:

This is a sample text line to illustrate thhe Geocities bug.

As far as I can tell, the errors occur at random places, and a large file may have several dozen errors. The best way to fix them is to edit the file on the host, using the Geocities File Manager. Uploading the file again is no good, since it just introduces different errors. To make sure you have corrected all the errors, use your web browser to fetch each file from the host to your local machine, then use a compare tool to compare it with the original file. For .htm files, you can use the "View source" feature of the browser, or right-click on the link and use "Save Target As...". For .txt files, use the latter method. Also, for .htm files, after getting a local copy, you must edit it to remove the ad text that Geocities added, before comparing. Of course, all this takes a lot of time. To fetch all the host files, try the free wget utility - search for "wget" on Google.

This Geocities data corruption problem has existed for at least 2 years, and I have seen it in several web pages on Geocities, not just in my own pages. For example, do a Google search for "thhe" or "fiile" or similar words, restricting the search to the domain geocities.com. I have reported the problem to Geocities, but they failed to explain it or even acknowledge it as a legitimate problem. The standard response seems to be "switch to the non-free version, which allows upload via FTP" or similar. It makes me wonder whether it may even be intentional (?).

While on the subject of free web hosting, a useful survey site is www.free-webhosts.com. An alternative to a web site is a discussion group - for example http://groups.yahoo.com is free and lets you create a discussion group that allows members to post messages, download files, etc. As far as I can tell, the upload bug does not occur with Yahoo Groups, and the space and bandwidth limits are a bit less restrictive.

Apr 12, 2006: Security notes: Cross Site Scripting (XSS)

Keeping a system secure, even a relatively simple one, is a never-ending struggle. Here's an example of what I mean. I try to keep up to date on computer security issues, but a few days ago, by pure chance, I came across a web page that mentioned a vulnerability called "Cross Site Scripting" (XSS), and the author advised all systems people to be aware of its dangers. I vaguely remembered the term, but did not know anything about it. So I read the article on Wikipedia (an excellent article, by the way) and realized how very insidious and dangerous it is.

XSS is fairly simple in concept (but not immediately obvious). It involves a web browser, some JavaScript, and usually a little "social engineering" -- such as getting the victim to visit a web site that the attacker has prepared, and click on an innocent-looking link or button there. Nothing complicated like crafting a buffer overflow. But the results can be quite serious -- theft of the victim's web cookies and other credentials, and, in some cases, the ability of the attacker to run arbitrary JavaScript code on the victim's machine in the context of the "Local intranet" zone, which often has a lot more privileges that the normal "Internet" zone. In MS Internet Explorer, see Tools / Internet Options / Security. In the worst case, this could do very bad things to your computer.

The crucial vulnerability for the victim is to be running a web server with a CGI program that gets some input from a web page (a web form) and returns it as-is in the HTML response page that the CGI generates. (In case you don't know, a CGI - Common Gateway Interface - program is a back-end program that runs on the web server machine and processes the data from an HTML form.) The data may be something as innocent-looking as a user name entered into a text box on a web page. Almost all CGI programs handle this type of data. The problem is that the attacker can place HTML tags, including entire JavaScript coding sections, into the data. (Think of this as "HTML Injection", similar in concept to the well-know security problem of SQL Injection for databases.) If the CGI program is not careful to remove or disable such tags, the browser software will happily execute the script code, without the victim being aware. In some cases, the script runs in the context of the local machine, with much fewer restrictions than normal script code in web pages. A firewall is no protection. The script code can do nasty things like send your web cookies to the attacker, snoop at other web browser pages you have open, and perhaps even install a virus on your machine or use your machine to attack other machines on your local network.

All CGI programs must guard against an XSS attack by "escaping" the 3 HTML control characters < > & in any input data before putting it out as part of the generated response page. These characters should be replaced by the HTML character entities &lt; &gt; &amp; respectively. This tells the browser to display them as before, but not to interpret the data as HTML tags. Therefore the injected JavaScript code becomes just data and is not executed. Of course, this takes more programming effort, and often CGI programmers forget to do it, or don't know about the XSS problem. This is an example of the general rule, which can not be repeated too often: "All user input is evil, or potentially evil, and the programmer must thoroughly check it and sanitize it."

After some reflection, I realized that my system had some XSS vulnerabilities in it, and I spent a few interesting days searching for and fixing all the problems (at least, I hope I found them all). I was somewhat surprised that a problem as serious as XSS was not more widely publicized. For example, the fascinating book "Hacking Exposed" (mine is the 3rd edition, which dates from around 2001) does not even mention it -- perhaps later editions do.

Maybe some developers tend to ignore issues like XSS because they involve some "social engineering" -- getting the victim to visit a particular web site, for example. But, if you think about it, it's very easy to do. Send the person email containing a link, or host a web page with the bad link included in a list of legitimate links, or even set up a web page with lots of text that your victim is likely to search for and wait a few days for Google to index it. Curiosity defeats caution! The possibilities are limited only by your imagination. And modern browsers make it easy to disguise links and buttons as something else.

Aug 25, 2005: EXIF - Data tags hidden in your digital photos

I wonder how many people realize that the photo files created by their digital cameras contain hidden data tags that reveal the make and model of the camera, the exact date and time the photo was taken, and perhaps even the serial number of the camera. This info could be used to identify the person who took the photo, and therefore could be considered to be an invasion of privacy.

Virtually all modern digital cameras store this information as data tags inside the JPEG file for the photo, using a specification called EXIF. The EXIF format is expandable and customizable, giving each camera manufacturer great freedom in what data is stored and the format in which it is stored. The manufacturers rarely publish the full description of the tags they store. This makes it possible to hide (or at least obscure) the user-identifying tags, such as camera serial number.

Admittedly, the EXIF tags contain much useful information, including the various camera settings that were in effect when the photo was taken. There is even a "thumbnail" (reduced size) version of the photo, stored as an EXIF field within the JPEG file. All these tags can add several kilobytes to the size of the file.

There are several photo utility programs that can display the EXIF tags, including the free program Photo Studio from www.stuffware.co.uk. See also www.exif.org. Some of these can remove all the tags, and, less commonly, modify them. An easy way to remove all the EXIF tags is to open the JPEG file in MS Paint (which is included in Windows) then use File / Save As to save the file as a .jpg file under a different name.

So, if you are concerned about personal privacy, you should remove the EXIF tags (or at least edit them) from any digital photos that you make available on the Internet via web pages, email, etc.

Aug 21, 2005: Most useful computer gadget: the USB memory drive

These tiny devices plug into a USB slot on your computer and appear to your computer as a read/write hard disk drive. For example, in Windows 2000 and XP, they appear as a new drive letter in "My Computer". Capacity ranges from 128 megabytes to 1 GB (1024 megabytes). For comparison, one CD holds 700 megabytes. They are inexpensive, small enough to fit in a shirt pocket, and quite rugged. I heard a story of one surviving a trip through a washing machine. Most support the USB 2.0 standard, which gives a very high data transfer speed (similar to the speed of a real hard drive). They are also automatically compatible with the USB 1.1 standard (slower but still quite fast) found on older computers. You don't have to restart your computer when you plug or unplug the USB drive. They DO work on Windows 98, but installation is more difficult since you have to provide the driver software.

They have a multitude of uses. Use them instead of a diskette drive. Use them to transfer files between machines. Use them to keep backup copies of important files (at least until you have time to copy the files to a CD).

Note: Some MP3 music players can also act like a USB memory drive.

Aug 21, 2005: High gasoline prices - Stop whining!

Where I live in Montreal, gasoline is about $1.10/liter. A few months ago it was $0.80 or $0.90/liter. That is certainly a dramatic increase. It is mostly a result of high world demand and tight supply, but the oil companies (and the government via high taxes on gasoline) are making enormous profits, and many would argue that they are taking unfair advantage of the situation. In their defense, it can be said that they ARE a business, and they DO need lots of cash to invest in exploration and new sources of supply such as the Alberta tars sands.

Many people complain passionately about the high prices. But let's put things in perspective. If a car is driven 20,000 kilometers per year and gets 10 km/liter, that's 2,000 liters of gasoline per year. An increase of $0.25/liter amounts to an extra $500/year, or about only $40/month. Many people spend a lot more than that for cell phone charges!

Also, people forget that, as oil company stocks rise, the values of the mutual funds in our pension plans also rise. Oil company activity generates more jobs. Higher tax revenues give the government more money for research and development (I hope!) and for other areas such as health care, education, and deficit reduction.

So, what can the average person do?

(1) Drive less. Take the bus or subway when possible. Combine small trips into one when you can. Keep your car well maintained. Check the tire pressure regularly.

(2) Buy shares in two or three large, stable oil companies. If you invest, say, $10,000 and the stock prices increase 10% in a year (increases for Canadian companies so far in 2005 have been much more than that), you will make $1,000. Tip: Buy stocks rather than mutual funds; use an on-line discount broker, such as Bank of Montreal's InvestorLine, rather than a stock broker.

(3) The next time you buy a car, consider something more efficient. How many people really need a big, gas-guzzling SUV (Sport Utility Vehicle)?

Aug 19, 2005: Annoyances with Windows Update

I run Windows 2000 Professional on my primary PC connected to the Internet, and of course it's vital to keep it updated with the latest security patches from Microsoft. For this, I run Windows Update manually on a regular basis - at least every couple of weeks. My problem is that I have other Win 2000 machines (not connected to the Internet) that I also want to keep up to date, and I use a dial-up modem for my Internet connection, which makes downloading megabyte updates very slow. I really don't want to download a particular update more than once. Another important consideration is that, if I need to reinstall Windows, either on a new machine or after a disk crash, say, on my current machine, it would be very nice not to have to download all the (many!) updates again, which could take several hours.

Microsoft has a solution for this, which it calls "Windows Update Catalog", but it is somewhat cumbersome to use. Basically, it lets you search for and download selected updates as executable (.exe) files; you apply an update by executing its .exe file; you can keep the files for later use, and transfer them to another machine to apply them there. Great concept! But Microsoft does not really publicize this feature much (it seems to want everyone to set Win Update to run automatically on each machine), and the whole procedure is a bit messy and not entirely obvious, as you can see from the following description of the steps needed.

(1) Do a regular Windows Update, for example from the Start menu, to see what fixes are available for your machine, but do not download or apply them. Just take a note of the fix numbers (usually KBnnnnnn) that you need.

(2) From the Win Update screen, open "Windows Update Catalog". Originally, you had to configure (one-time) Win Update in order to even see the option for Win Upd Cat in the left-hand menu. Now, starting Aug/2005, there is a new version of Win Update (it took me over 1/2 hour to download and install it - groan!); you must click on "Use administrator options", then click on the "Windows Update Catalog" link in the section "Update multiple operating systems". Next, click on "Find updates for MS Windows..."

(3) Click on the button to show the "Advanced search options", which are crucial to let you select the type of updates (normally I only want "Critical Updates and Service Packs") and select only recent updates.

(4) Select the operating system. There is a "gotcha" here, that I found out about only by experimenting. I have to select "Windows 2000 SP4" (my machine has Service Pack 4 applied), not "Windows 2000 Professional SP4", even though my machine is Win 2000 Prof. Otherwise, for some strange reason, you won't find all the updates you want. It seems that, maybe, the Win 2000 Prof SP4 selection only has items specific to Prof, whereas the more general selection has ones for all Win 2000 (including Server versions).

(5) Select by date posted. Unfortunately you can't enter an exact date, to get all items posted since that date. You can only specify options such as "Past 2 weeks", "Past month", etc. I usually select "Past month". Also select the type(s) of updates.

(6) Click on the Search button. You will be surprised at the large number of updates found. For example, I recently needed only 6 critical updates (according to the normal Windows Update), but the search found about 25. Go though the list, and select only the ones whose numbers you noted in step (1) above. Sometimes this takes quite a bit of "reading between the lines".

(7) Enter a directory location on your hard disk where you want the updates to be stored. NOTE: you must create the directory ahead of time. Example: c:\Win2000_updates\WinUpdatn, where n is a sequential number. Start the download. Unfortunately, if, like me, you run a firewall (I use ZoneAlarm) or have the normal browser security settings enabled, you must monitor the download in order to reply to various security screens that pop up from time to time. The whole process is quite time consuming. [The last time I did this, for some strange reason, the progress window did not show any progress, and stayed open even after the downloads had apparently finished; I had to close the window manually.] NOTE: the resulting directory structure has many levels (typical MS overkill!), and this may cause problems if you try to copy it to a CD for safe-keeping; some CD formats have a limit of 7 or 8 directory levels.

(8) At this point, you can now disconnect from the Internet if you wish. To actually apply the updates, navigate down the directory structure to the individual .exe file for each update, and execute it. You must go through a tedious dialog (license agreement, etc.) for each one; specify that you do not want to restart Windows at this time. When all have been applied, restart Windows.

(9) As a recommended final step, reconnect to the Internet and run the normal Windows Update, to verify that there are no critical updates that you missed.

The whole process is long, tedious, and "quirky", which does not encourage me to do it as often as I should. What I would really like from Microsoft is: (a) A simple option in the normal Windows Update that would let me download and keep the applicable .exe files. (b) A much simpler directory structure - just the .exe files and perhaps a descriptive .txt file for each, all in one directory. (c) A script or something that I could use to execute all the .exe files, in unattended mode (no prompts).

While I'm on this topic, why does MS need to update products like IE browser and Outlook Express so often, with each update being several megabytes? They should be organized into smaller components, so that each update could replace only a few components, and therefore be much smaller in size. Also, how about an easy way to download a Windows Service Pack (e.g. Win 2000 SP4), as a file that I can keep and reuse. I know it's possible now, but it takes a lot of research to figure it out. Again, it seems that MS does not really want the average user to do such things, even though they are crucial to re-installing or re-building a Windows system.

Aug 17, 2005: Thoughts on the Zotob worm and security

Recently there has been a lot of excitement about the Zotob worm, which attacks (mostly) Windows 2000 systems, via the Plug and Play interface. Here is what I have been able to distill from all the info and hype.

Windows 2000 systems are vulnerable because the attack sends a malformed Plug and Play request to port number 445 (and perhaps other port numbers). The machine just has to be visible on the Internet. The owner does not have to be doing anything.

More recent systems such as Windows XP apparently are not vulnerable because either a username/password is needed or because the affected TCP/IP ports are normally blocked. However, if the Win XP machine is on the same local network as an infected Win 2000 machine, it may also be vulnerable, perhaps because the Win 2000 machine knows a username/password, or because the Win XP firewall does not block access from the local network.

In any case, a properly configured firewall (such as the free ZoneAlarm, which is an excellent product by the way) should protect any machine from the worm, provided there are no machines on the local network that are infected and are allowed through the firewall.

To be safe, you should apply the Microsoft patch (KB899588, about 504K in size), and download and run MS's current Malicious Software Removal Tool (KB890830, about 622K), which detects this and other infections and attempts to remove them. When I tried to run the tool from MS's web page it failed; I had to download it and run it manually.

It's interesting that antivirus products did not protect against the worm, since there is a delay of several days before the antivirus vendors can update their products after the worm starts attacking. By then it's too late. That's the big problem with antivirus products. And that's why a firewall (conservatively configured) is your best defense at all times. Second in importance, in my opinion, is keeping up-to-date with Windows patches. An antivirus product is third in importance (and it's questionable whether it's even worth running one).