Juxtaposition, the Blog

Virtual PC -> VMware breaks mouse

2010-02-15T18:58:01Z

I had this intermittent problem with my mouse in a VM until I realized it had been converted from a Virtual PC image long ago. That still left some mouse driver hooks that were breaking the VMWare mouse driver. Thank goodness for keyboard shortcuts and thank goodness I still know them... The fix is here:

mouse stopped working correctly after VMware tools were installed - Page 2 - Petri.co.il forums by Daniel Petri

Facebook broken in Firefox? Brought to you by the letter "s"

2010-01-20T08:27:51Z

Actually, the lack of a letter "s".

I hadn't noticed that Firefox had opened facebook up without SSL, but sure enough, the tip from this thread got everything working correctly (now have Older Posts back and the bottom toolbar). Sheesh.

Problems in Facebook page when using Firefox 3.5.1

NutritionData: Know what you eat

2010-01-03T19:46:12Z

Excellent way to get data on just about anything and good graphs to visualize the balance of nutrients to fat.

Nutrition Facts and Analysis for Seeds, flaxseed

Reigning in Credit Card companies begins February 13, 2010

2009-12-24T07:25:02Z

Bank of America nicely summarized some of the major changes coming due tot he Credit Card Accountability and Disclosure (CARD) Act. In short, your credit card company can't be so much of a money-grubbing bastard anymore. Although there are so many avenues not closed by this act, they actually still can be pretty evil. For example, there is no regulation preventing credit card companies from charging whatever they want for interest rates.

Here's some of the good stuff that should have been in place already were it not for a congress that is in bed with the financial sector:

APRs can only be raised if you do not make at least the minimum payment within 60 days of your payment due date. Previously, they would jack it up probably the next day after your payment was due.
If your APR was raised due to missing a payment for > 60 days, your APR can be returned to the original rate if you pay your bill for the next 6 months by the due date.
45 days notice required for increasing your APR for any arbitrary reason.
Amounts you pay over the minimum payment apply to the highest APR balances first. Without this legislation, they would just apply it to whatever they wanted that maximized their profit and minimized your wallet. Because they are mostly still evil, they are going to still apply the amount due to the lowest APR balance first.
Payment due dates will always fall on the same date each month. You will also get at least 25 days from the statement closing date for your payment due date. I'm guessing that they changed your dates in the past to make you more likely to miss your payment so this is a nice catch.
Paying more than your minimum amount due will actually reduce your interest costs because of changes in how finance charges (that B of A now says will be all called "interest charges") are calculated.
Payment cutoff times are changing from just one timezone (e.g. Eastern) to be the actual timezone of the facility to where you mail your payments. This helps you because a payment received on the Tuesday it is due, but after 5pm eastern, was actually counted as "late" prior to this law. Unbelievable.
Cash advance checks they mail to you will all have printed expiration dates and will not be honored after that date. Sounds like a good security measure to me. I hate that they send checks about every month; waiting for someone to steal them from my mail.
So long as you pay at least the minimum amount due by the due date, your APR for existing balances will not be affected.
In addition to your payment grace period (where you can carry a balance but not pay interest), if you have paid in full previously but on one statement do not pay in full (thus leaving a balance on your card), portions of your "Purchase balance" (I'm interpreting this to be stuff you just bought on your card this billing cycle) are eligible for an extended interest-free period. Thus, you do not get dinged right away for finance charges on your entire card balance. That was the really annoying thing. If you had $1000 on your card, and missed a payment by even one day, you would get assessed a finance charge on -- not just the amount on your bill, but the total amount you owed on your card -- even stuff in the grace period. So, you had no way of reliably knowing what you might have to pay. This sounds like it's a game-changer for that practice.

But beware that you will be seeing some "novel" attempts by the card companies to return to excessive profitability at your expense at some time soon. They are poring over the legislation to find the loopholes.

New study suggests exposure to microbes as kids is healthy

2009-12-11T06:47:26Z

Best to have a kid get a cold here or there to reduce the chance of higher inflammation as adults and protect them from cardiovascular diseases. We were just talking about this...

Everyday germs in childhood may prevent diseases in adulthood

The "Alternative" medicine trash heap

2009-11-30T07:22:36Z

I think it is a horrible waste that the US spends so much money to fund the National Center for Complementary and Alternative Medicine (NCCAM) which investigates non-scientific modalities, many of which have no prior plausibility so would not normally even qualify for scientific investigation. I prefer the term Supplements and Complementary and Alternative Medicine for the category of woo because it has a better acronym (SCAM) -- thanks to Mark Crislip for that.

However, one good thing is that they have tested out many of the common "remedies" and supplements that many Americans take and have succeeded in disproving them. The trash heap now contains at least:

Other non-remedies to add to the list are:

Vitamin C

"Probiotics"
Antioxidants They may actually harm systems that depend on free radicals

Oh, and Airborne is chock full of a bunch of woo and is not going to be effective so don't give those thieves any of your money. Also, Airborne contains 100% of your RDA of Vitamin A, but if you take up to the maximum recommended "dose" of Airborne (every 3 hours, or 8 times/day) you will get 8 times the RDA of Vitamin A. And excess vitamins can be harmful as a new study shows specifically with Vitamin A.

And if you thought that Zicam was safe, watch out. It can cause a complete loss of smell and taste. So although it _may_ have a modest affect for the common cold, I don't think that the risk may outweigh the benefits.

Also, if any substance has a pharmacological effect on the human body, then _it is a drug_ And you should tell your doctor when you are taking these things because they can have drug interaction effects just like any prescription drug. Some can be very dangerous to not tell your doctor about. And as with any drug, they can have side effects.

Daily nasal irrigation may encourage sinus infections

2009-11-30T06:32:51Z

A brand new study out shows that using sinus rinsing as a prophylactic may actually have the opposite effect of increasing your rate of sinus infections. Significantly. As much as 50-60+ % more sinus infections.

They did not test efficacy of using sinus irrigation when you actually have a cold or sinus infection so until hard data is out there, it may still be okay.

Long-Term Neti Pot Use May Backfire

iPhone worm: warning to rooted android users

2009-11-23T00:26:41Z

As I recently wrote about the security issues with rooting your android phone. Fortunately, this should spark some discussion about how to securely jailbreak or root your phone.

BBC NEWS | Technology | Worm attack bites at Apple iPhone

Securely rooting your HTC Hero

2009-11-12T05:06:04Z

The best guide I found for reliably getting root access to your android HTC Hero device is here: How To: Root Your CDMA HTC Hero (Sprint/Verizon) | The Unlockr

However, as a security guy, I notice that none of the guides discuss anything about the implications of the process from a security perspective, so I will add a bit of extra tips and observations and explain how it works.

By default, Android devices run applications as low privileged user accounts on the underlying Linux operating system. If you have the application RoboTop installed, you can actually see the users that each process runs as. For example, the robotop process and its child 'top' processes all run as 'app_60'.

This is a good secure-by-default design for the operating system, however there are some things that you must do as root to have enough rights at the OS level to complete your task. For my case, I needed to be able to clean the /data/boot-cache directory to work around an annoying defect on the HTC Hero that was preventing application upgrades from persisting across a reboot. Some applications (SSH server, I believe) also need to run as root.

But, Google does not provide any means for getting root access as an end user. But the community has come up with all kinds of ways to get around this on various devices. If you have physical access to a device, it is generally pretty easy to gain full access to it _somehow_. In the case of the Hero, it essentially involves:

1. Running a Linux kernel exploit that allows you to run arbitrary programs as root. Discouragingly, the program to do this is a binary with no source code. But it is claimed to be based on this kernel bug: Sprint Hero HAS BEEN ROOTED@! - Android Forums
2. Using the exploit to launch a shell as root.
3. Using the root shell to create a setuid root shell so that you can gain root anytime in the future without the exploit.

However, there are some serious security implications of doing this:

1. The procedures don't tell you to delete /data/local/asroot2, so you end up leaving a program that can run arbitrary code as root on your system in a known location
2. The procedures have you create a setuid root shell as /system/bin/su. However, this allows anyone or any application to run arbitrary code on your phone as the highest privilege user using a binary at a known location.

So, you may have root but you have absolutely no way to control it. And applications that require root now expect to find a setuid root shell in /system/bin/su to gain root. Any application can now do anything it wants, including replace parts of your operating system for whatever nefarious purpose (malicious, wireless worm, extortion, annoyance, etc.)

But, all is not lost. You can get control back with the Superuser application. I've read through the design and it sounds on the face of it to be a reasonable approach: My Brain Hurts: Fixing the "setuid su" security hole on Modified Android RC30 Instructions on installing it and download of the files (source code is available as well): http://www.koushikdutta.com/2008/11/update-to-superuser.html

The install.bat file did not work for me though. I got a permission denied trying to write a file as a non-root user into /sysadmin/bin. Actually, the low user privileges cannot write to many places on the filesystem. Instead of copying the bin/su file directly, I copied it to /data/local/tmp and then _as root_ on the phone, I copied it into /sysadmin/bin and changed the permissions.

The next step is to first run the Superuser application on the phone so that it can replace the files and set the permissions properly to implement the protection.

After you do this, you will now get a visible request each time an application tries to execute /system/bin/su. You got control and auditing back.

Oh, and what you also need to remember to do is delete /data/local/asroot2. You don't need it anymore and it only makes your system vulnerable to keep it around. If you ever needed it again, you can copy it back.

Gmail suppresses copies of mailman posts to yourself

2009-11-05T19:13:08Z

FYI. Kind of annoying since I have to look in my mail logs to double-check if a critical message actually went out.

I use Gmail-Googlemail, but I can't tell if any of my messages have been posted to the list - Documentation - Confluence

Colorpulse: Carl Sagan ft. Stephen Hawking "A Glorious Dawn"

2009-10-31T06:41:39Z

This was played at the end of Reasonable Doubts podcast e55 and I loved it. Had to find the high-fidelity version. I think I might have my new ringtone...every call will be awe-inspiring.

Very cool trance mix with wonderful clips from Sagan and Hawking masterfully woven in.

Colorpulse: Youtube goodies

Flash app to find Flickr photo set IDs

2009-10-21T06:03:15Z

Very cool and handy. I use it for drupal's Flickr plugin.

idFindr - Find your Flickr userids, groupids, photosetids

My first GreaseMonkey script now available

2009-10-21T06:00:03Z

I just posted a greasemonkey script I wrote months back that I use all the time to make managing my Chase accounts just a bit easier. I cleaned it up a bit and added some missing comments. I decided later to switch to jQuery by referring to a remotely-hosted copy on chase.com so eventually I'll simplify things and rewrite what I can in jQuery instead but it works great!

Chase OFX downloader for Greasemonkey

Script Summary:
Automates chase.com OFX file downloads for every eligible account. One click to download all available OFX files one after the other instead of manually. Also adds useful features not present in the site, such as remembering the date you last downloaded

If like me you think that the chase online transaction download form could use a little help, you might enjoy this script.

1. It provides a button on every page that allows you to quickly go right to the download transactions page. Otherwise, you have to hunt around for this page.
2. On the download transactions page, it:
a) Automatically persists the last transaction download date and then reloads it next time you come back so that you don't have to remember the date you need to start downloading from.
b) Automatically sets the end date for transaction downloads to the current date.
c) Remembers the OFX file type you selected and reloads it automatically next time.
d) Most importantly, provides a "Download All OFX" button that you can use to download available OFX transactions from every account in the drop-down list. Multiple download windows will appear that you can click on one at a time and the transactions will then be opened in the application associated.

Free west seattle wi-fi

2009-09-27T01:55:34Z

Finally got a secondary wi-fi setup at home for guests, iPhone users, and neighbors who need to borrow it. Like Bruce Schneier, I just think it's the neighborly thing to do. Until now, I couldn't allow it because my main wi-fi needs encryption to keep interlopers off my LAN. But, the secondary wi-fi is in a DMZ so all that is accessible is the Internet.

SSID: hellohansenview

Enjoy!

* Hansen View is the official name of my neighborhood.

Curious if anyone else out there vends open wi-fi for the interloper?

I've borrowed some neighbor's open linksys many a time to get info on the Internet when my DSL is down. But these days, most are encrypted, which makes me sad.

Obama does not go far enough with financial regulation

2009-09-25T05:55:31Z

I work for a company that is 'too big to fail' and that is a scary prospect. Here's another thing on the list that I don't agree with Obama about. I like him a great deal, but don't think he's as progressive as he was billed...

Hopefully congress can see through this and will pass some decent legislation regarding overhauling the so-called PATRIOT act and other things that Obama has not taken a very strong stand on.

Volcker: Obama Plans Maintain 'Too Big To Fail'

A top White House economic adviser says the Obama administration's proposed overhaul of financial rules preserves the policy of "too big to fail," and could lead to future bailouts.

Former Federal Reserve Chairman Paul Volcker said Thursday that by designating some companies as critical to the broader financial system, the plans create an expectation that those firms enjoy government backing in tough times. That implies those financial companies "will be sheltered by access to a federal safety net," he said.