Software

Steve Gibson on Truecrypt

Dave Farquhar security, Software ,

Dan Bowman sent me this link to Steve Gibson’s analysis of Truecrypt, a suddenly dear departed piece of full disk encryption software.

The important thing to remember right now is that we still don’t know what’s going on.

Johns Hopkins cryptography professor Matthew Green is heading up an effort to audit the Truecrypt code. Last month he said the code could be of higher quality, but at that point he hadn’t found anything truly horrible in there either.

That said, his analysis of the cryptography itself is phase 2. Cryptography is notoriously difficult to do–even when cryptography is your specialty, you can get it wrong.

So it’s premature to declare Truecrypt 7.1 as the greatest piece of software ever written. Green did find some flaws that need to be fixed. As far as we know, right now Truecrypt is better than nothing, but the most important part of Green’s work isn’t finished yet. Green has said he is going to finish his audit of the code. He probably won’t find perfection. He may find a fatal flaw that makes it all come crashing down. More likely, he’ll find something in between. But until those findings come out, it’s all speculation.

Truecrypt’s license allowed someone else to come along, take the existing code, act on Green’s findings, and make it better. It’s called Veracrypt. But going open source doesn’t guarantee people will work on it.

Gibson’s page on Truecrypt is a good reference page, but his cheerleading is premature. Gibson is a talented software developer in his own right, but cryptography isn’t his specialty. At the company where I work, we use Truecrypt for some things, and until we know otherwise we are going to continue to use it, but we haven’t made any final decisions on it yet.

Update: Here’s an analysis by Mark Piper, a penetration tester by trade, who explains the history and the issues today.

The ultimate command-line ZIP utility

Dave Farquhar Software, Windows ,

I accidentally find Ken Silverman’s utility page from time to time and can never find it again when I want it, so if you need the ultimate command-line ZIP utility (KZIP), or the ultimate PNG optimizer (PNGOUT), to squeeze just as many bytes as possible out of your recompressed archives or your images while maintaining 100% compatibility, save this link. You’ll thank me later when you need it badly, like when you’re e-mailing an archive and it’s a few dozen bytes larger than your e-mail system allows.

Also check out his clever ZIPMIX utility.

What makes his approach to ZIP archiving special is that he emphasizes file size over speed. His software is built to take a few extra seconds to save a few bytes, if it’s possible to do so. Mainstream Zip/Unzip programs will still decompress his archives just fine; they just won’t match it for compression ratio most of the time. And in the rare event that they do, his ZIPMIX utility will take advantage of that. Just zip up the same files with both programs, then run ZIPMIX on the two archives. So Ken Silverman’s utilities win even when he loses.

I first noticed this phenomenon when using Info-Zip, when I found its -9 option produced smaller archives than PKzip’s -max option. The first thing I did was make sure PKzip could uncompress the Info-Zip archive I’d created. It did, so I never used PKzip to create an archive again. And every once in a while I find another tool that does better than the last best one I found. Right now Ken Silverman’s utilities are it.

I have an unusual appreciation of smaller archives. That’s because I’m old enough to have downloaded files over a 300-baud modem (but also young enough to remember having done so). Ken Silverman practices a lost art, and maybe there aren’t a lot of people left who appreciate that, but I still do.

When Linux is easier than Windows

Dave Farquhar Software , , , , , ,

A few months ago I bought a Gigabyte GA-Z77M-D3H to learn computer forensics on, because at the time I thought that was the direction my career was going. I dropped it into a neglected Compaq case and installed Linux on it, since most of the free forensics tools run on Linux. The current version of Debian loaded effortlessly and ran nicely, as you would expect on a dual-core CPU with 16 gigs of RAM.

Then my career went another direction. Today I analyze Windows threats and vulnerabilities for a living. That’s a better match for my experience and the pay is the same, so I’m perfectly fine with that. But my mind turned to that hotrod computer in the basement. I suppose I could still use it to learn forensics, but I probably won’t, so why not see how Windows runs on it and bring it upstairs? Read more

So I’m not the only one ditching Microsoft Office

Dave Farquhar Software , , , ,

Rick Broida wrote a fairly harsh piece on Cnet about why he’s ditching Microsoft Office. Our reasons differ, and while I agree with all of his reasons he may not agree with all of mine. That’s OK.

I stuck with Office 2003 because its user interface is familiar and makes sense. By using the program, you learn the keyboard shortcuts from the menu and can graduate from casual user to power user relatively quickly. That went away in Office 2007, so I never moved on. Office 2003 was the best version Microsoft ever made, but it loses security updates next month, so it’s the end of the road.

Fortunately, Libre Office has a traditional user interface and most of the same keyboard shortcuts. If you don’t use mail merge, it’s a capable replacement, and it’s free and actively maintained. It’s not as fast as Office 2003 was, but neither is anything Microsoft has made since.

Now, in corporate environments, with a recent version of Office and Sharepoint you can do some really nifty things, like automatically building Powerpoint presentations from Excel spreadsheets created by different people. You could probably approximate the same thing with other software, but what I saw a Sharepoint-literate colleague build this week with MS Office was very impressive.

But I don’t need that at home, and I don’t want to pay $100 per year for the rest of my life to use a program that I tolerate at best, so I’ll save my money and move to Libre Office.

Giving Libre Office another look

Dave Farquhar Software , ,

With the end-of-life of Office 2003 rapidly approaching, I’m having to look at alternatives. Even after five years, I find the Office ribbon demeaning and productivity-killing, so Microsoft’s newer products are out. With Libre Office, the price is right ($0), so I’m giving it a long look.

Read more

Merge CSV files from a command prompt

Dave Farquhar Office, Software ,

I had a bunch of CSV files I needed to merge. I don’t spend half an hour loading all of them into Excel and doing a bunch of copying and pasting. Here’s how I merge CSV files from a command prompt.

Read more

How to increase the capacity of a Log Logic appliance by 45%

Dave Farquhar security, Software , ,

My 9-5 gig revolves primarily around Tibco LogLogic (I’ll write it as Log Logic going forward, as I write in English, not C++), which is a centralized logging product. The appliances collect logs from a variety of dissimilar systems and present you with a unified, web-based interface to search them. When something goes wrong, having all of the logs in one place is invaluable for figuring it out.

That value comes at a price. I don’t know exactly what these appliances cost, but generally speaking, $100,000 is a good starting point for an estimate. So what if I told you that you could store 45% more data on these expensive appliances, and increase their performance very modestly (2-5 percent) in the process? Read on.

Read more

Excel won’t scroll down or otherwise? Try this

Dave Farquhar Office, Software ,
Excel won’t scroll down or otherwise? Try this

I regularly work with Excel spreadsheets with tens of thousands of rows, correlated. Or hundreds of thousands of rows of raw data. Working with gigabytes of data taught me a lot. Including things it wasn’t supposed to, like what to do when Excel won’t scroll down or otherwise with the keyboard, or Excel mouse scroll isn’t working.

Large, complex Excel sheets are pretty fragile. Among other things, the largest of the sheets will stop scrolling. The scrollbar on the right scrolls, but the display doesn’t move. The mouse wheel scrolls, but again, the screen doesn’t move. And the arrow keys don’t work either. I can’t scroll down, I can’t scroll right, or do anything useful with the data because I can’t see the whole worksheet. In this blog post, I cover two ways to solve the problem when Excel won’t scroll.

Read more

Libre Office and Open Office both grow up a bit–together

Dave Farquhar Software , , , , ,

Both Libre Office and Open Office released new versions this week, and the changelog indicates a good amount of shared code between the two, at least in this go-round. The animosity between the two—Libre Office is a fork of Open Office, dating to before the time Oracle spun the project off to Apache—may thus be overstated. Read more

No, this doesn’t mean Ubuntu and Linux are giving up

Dave Farquhar Hardware, Software , , , , , , , , , , , , , , , , , , , ,

This week, Mark Shuttleworth closed the longstanding Ubuntu bug #1, which simply read, “Microsoft has majority market share.” Because Microsoft didn’t lose its market share lead to Ubuntu, or Red Hat, or some other conventional Linux distribution, some people, including John C. Dvorak, are interpreting this as some kind of surrender.

I don’t see it as surrender at all. Microsoft’s dominant position, which seemed invincible in 2004 when Shuttleworth opened that bug, is slipping away. They still dominate PCs, but PCs as we know it are a shrinking part of the overall computing landscape, and the growth is all happening elsewhere.

I have (or at least had) a reputation as a Microsoft hater. That’s a vast oversimplification. I’m not anti-Microsoft. I’m pro-competition. I’m also pro-Amiga, and I’ll go to my grave maintaining that the death of Amiga set the industry back 20 years. I have Windows and Linux boxes at home, my wife has (believe it or not) an Ipad, and at work I’m more comfortable administering Linux than Windows right now, which seems a bit strange, especially considering it’s a Red Hat derivative and I haven’t touched Red Hat in what seems like 400 years.

What Shuttleworth is acknowledging is that we have something other than a duopoly again, for the first time in more than 20 years, and the industry is innovating and interesting again. Read more