If you use Truecrypt, migrate to Veracrypt

I’m playing catch-up with this one, but if you’ve been relying on the quasi-open source Truecrypt encryption solution, you need to migrate to Veracrypt as quickly as possible.

For some reason, it doesn’t seem to be common knowledge that Veracrypt is derived from Truecrypt and is, for all intents and purposes, the successor to Truecrypt.
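An inventory is the first step of any migration, and TrueCrypt containers are awkward to inventory because they carry no signature: even the volume header is ciphertext. The following script is an added example, not code from the original post or from either project. It applies the usual forensic heuristics for spotting such containers (a size that is a multiple of 512 bytes, a minimum size taken here as an assumption, near-maximal Shannon entropy in the first 64 KiB, and no signature of a known compressed or media format) and, run without arguments, builds its own constructed sample files to show the tests in action. Any other encrypted or random, sector-aligned data matches too, so the output is a list of leads to confirm by attempting to mount them.

```python
"""Heuristic hunt for TrueCrypt/VeraCrypt containers on a filesystem.

Added example, not code from the original post or from either project.
A TrueCrypt-style volume has no magic bytes, so the only usable signals
are statistical: sector alignment, a plausible minimum size, high entropy,
and the absence of any known file signature. Hits are leads, not proof.
"""
import math
import os
import tempfile
from pathlib import Path
from typing import List

SECTOR = 512
MIN_SIZE = 19 * 1024        # assumption: smallest container worth considering
SAMPLE = 64 * 1024          # bytes read from the start of each file
ENTROPY_THRESHOLD = 7.9     # bits per byte; 64 KiB of random data scores ~7.997

# Signatures of formats that are high-entropy but identifiable (constructed, not exhaustive).
KNOWN_MAGIC = (
    b"PK\x03\x04",              # zip, docx, jar
    b"\x1f\x8b",                # gzip
    b"7z\xbc\xaf\x27\x1c",      # 7-zip
    b"Rar!\x1a\x07",            # rar
    b"BZh",                     # bzip2
    b"\x89PNG",                 # png
    b"\xff\xd8\xff",            # jpeg
    b"%PDF",                    # pdf
    b"OggS",                    # ogg
    b"fLaC",                    # flac
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_like_container(path: Path) -> bool:
    """Apply the size, alignment, signature and entropy tests to one file."""
    try:
        size = path.stat().st_size
    except OSError:
        return False
    if size < MIN_SIZE or size % SECTOR != 0:
        return False
    with path.open("rb") as fh:
        head = fh.read(SAMPLE)
    if head.startswith(KNOWN_MAGIC):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def find_candidates(root: Path) -> List[Path]:
    """Walk root (skipping symlinks) and return the sorted candidate paths."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            if looks_like_container(p):
                hits.append(p)
    return sorted(hits)


def demo() -> List[str]:
    """Build a constructed sample tree in a temp dir and return the flagged file names."""
    root = Path(tempfile.mkdtemp(prefix="tchunt-"))
    (root / "vault.dat").write_bytes(os.urandom(1024 * 1024))              # aligned, random: hit
    (root / "notes.txt").write_bytes(b"Quarterly report draft.\n" * 4096)  # aligned, low entropy
    (root / "archive.zip").write_bytes(b"PK\x03\x04" + os.urandom(1024 * 1024 - 4))  # known magic
    (root / "odd.bin").write_bytes(os.urandom(1024 * 1024 + 1))            # not sector aligned
    (root / "tiny.bin").write_bytes(os.urandom(4096))                      # below minimum size
    return [p.name for p in find_candidates(root)]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for hit in find_candidates(Path(sys.argv[1])):
            print(hit)
    else:
        print("demo on constructed files:", demo())
```

Pass a directory as the only argument to scan it; with no argument the script runs the constructed demo, which flags only vault.dat. Lower ENTROPY_THRESHOLD or MIN_SIZE if you suspect small or partially written containers, at the cost of more false positives.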

The problem with open source, especially security

Security-minded open source software has taken a beating in the last year, as numerous projects have had holes exposed or, in the case of Truecrypt, got audited heavily. This fanned the flames of the old debate over whether open or closed source software is more secure.

This past week I heard a plausible theory about the state of open source security: It’s all about the money.

Upgrading an HP Mini 110 to Linux Mint 17

Over the Labor Day weekend I decided to upgrade my HP Mini 110 netbook to Linux Mint 17. The Mini 110 can handle Windows 7, but Linux Mint doesn’t cost any money and I figure a Linux box is more useful to me than yet another Windows box. There are some things I do that are easier to accomplish in Linux than in Windows. Plus, I’m curious how my two young sons will react to Linux.

Linux Mint, if you’re not familiar with it, is an Ubuntu derivative that includes a lot of consumer-friendly features, like bundling drivers, codecs and other common software that aren’t completely open source. It’s not a Linux distribution for the Free Software purist, but having options is one of the nice things about Linux in 2014.

Linux Mint includes a lot of useful software, so once you get it installed, you’re up and running with a useful computer with minimal effort.

Steve Gibson on Truecrypt

Dan Bowman sent me this link to Steve Gibson’s analysis of Truecrypt, a suddenly dear departed piece of full disk encryption software.

The important thing to remember right now is that we still don’t know what’s going on.

Johns Hopkins cryptography professor Matthew Green is heading up an effort to audit the Truecrypt code. Last month he said the code could be of higher quality, but at that point he hadn’t found anything truly horrible in there either.

That said, his analysis of the cryptography itself is phase 2. Cryptography is notoriously difficult to do–even when cryptography is your specialty, you can get it wrong.

So it’s premature to declare Truecrypt 7.1 as the greatest piece of software ever written. Green did find some flaws that need to be fixed. As far as we know, right now Truecrypt is better than nothing, but the most important part of Green’s work isn’t finished yet. Green has said he is going to finish his audit of the code. He probably won’t find perfection. He may find a fatal flaw that makes it all come crashing down. More likely, he’ll find something in between. But until those findings come out, it’s all speculation.

Truecrypt’s license allowed someone else to come along, take the existing code, act on Green’s findings, and make it better. It’s called Veracrypt. But going open source doesn’t guarantee people will work on it.

Gibson’s page on Truecrypt is a good reference page, but his cheerleading is premature. Gibson is a talented software developer in his own right, but cryptography isn’t his specialty. At the company where I work, we use Truecrypt for some things, and until we know otherwise we are going to continue to use it, but we haven’t made any final decisions on it yet.

Update: Here’s an analysis by Mark Piper, a penetration tester by trade, who explains the history and the issues today.

Libre Office and Open Office both grow up a bit–together

Both Libre Office and Open Office released new versions this week, and the changelog indicates a good amount of shared code between the two, at least in this go-round. The animosity between the two—Libre Office is a fork of Open Office, dating to before the time Oracle spun the project off to Apache—may thus be overstated.

Thanks for the misinformation, Disney

In one of its throwaway kids’ sitcoms, Disney insinuates that open source software contains spyware and that using it is a ‘rookie mistake’.

Open source software rarely contains viruses or spyware. Since it’s open for examination, changes to the code that have any funny business in them tend to be rejected, at least in projects where people actually review what goes in. For that matter, code with unintended bad consequences tends to either be rejected or quickly changed.

HP open-sourcing Web OS is a gutsy move

HP announced this week that it’s not going to sell Web OS–the operating system it bought the remnants of Palm to get–and plans to open-source the platform, as well as re-introduce tablets based on it sometime in the distant future.

The move isn’t guaranteed to work, but I think it’s a shrewd move.

Better upgrade advice

PC Magazine has a feature about inexpensive PC upgrades. There’s some good advice there, but some questionable advice too. Since I really did write the book on free and inexpensive upgrades, I’ll present my own advice (but I’ll skip the pretty pictures).

Hard drives

The best upgrade they didn’t mention is replacing the hard drive. I’ve been squeezing extra life out of old systems for years by taking out the aging drives and replacing them with something newer and faster. The trick is figuring out whether the drive is the old-style parallel ATA (with a 40- or 80-conductor cable) or newer SATA. If you can afford it, it makes sense to upgrade to a SATA controller so you can use a more modern drive. Newer drives are almost always faster than older drives if only because the density of the data keeps increasing. If a drive stores twice as much data in the same linear space as an old one, it (roughly) means it can read sequential data twice as fast, assuming the disk spins at the same speed (and it may spin faster). You can go all the way up to the 10,000 RPM Western Digital Raptor drives if you want, but even putting a mid-range drive in an old PC will speed it up.

Some people will point out that a new drive may be able to deliver data at a faster rate than an old controller in an old PC can handle. I don’t see that as a problem. There’s no drive on the market that can keep a 133 MB/sec bus saturated 100% of the time, and the old drive certainly isn’t. Even if your older, slower bus is the limiting factor some of the time, you’re still getting the benefit of a newer drive’s faster seek times and faster average data transfers.

While replacing a hard drive can bust an entire $125 upgrade budget in and of itself, it’s still something I recommend doing. Unless your system is really short on memory or you’re heavily into gaming, the hard drive is the best bang for your upgrade buck.

Memory

The other point I disagree with most strongly is the memory. There’s very little reason anymore to run a system with less than 1 GB of RAM. As a system becomes more obsolete, memory prices go up instead of down, so it makes sense to just install a ton of memory when you’re upgrading it anyway. If you need it later, it will probably cost more.

The caveat here is that it makes very little sense to install 4 GB of RAM on 32-bit Windows. A 32-bit system has a 4 GB address space, and part of that space just below the 4 GB mark is reserved for memory-mapped devices (the video card and other PCI devices), so any RAM sitting behind those addresses is unreachable. If you install 4 GB of RAM, you really get more like 3.2 or 3.5 GB of usable memory unless you’re running 64-bit Windows. I don’t recommend going 64-bit yet. When it works, it works well. Unfortunately there’s no way to know if you’ll have good drivers for everything in your system until you try it. I wouldn’t go 64-bit until some popular software that requires (or at least takes really good advantage of) 64 bit arrives. The next version of Photoshop will help, but I think the thing that will really drive 64-bit is when id software releases a game that needs it. Until then, hardware makers will treat 64-bit Windows as an afterthought.

I usually put 2 GB of RAM in a system if it’ll take that much. If you do a lot of graphics or video work, more is better of course. For routine use, 2 GB is more than adequate, yet affordable. If a system won’t take 2 GB, then it makes sense to install as much as it will take, whether that’s 1 GB or 512 MB. If a system won’t take 512 MB, then it’s old enough that it makes sense to start talking replacement.

Outright replacement

Speaking of that, outright replacement can be a very practical option, especially if a system is getting up in years. My primary system is a 5-year-old office PC. Take a 2-ish GHz P4 or equivalent (current market value: $75-$125), load it up with 2 GB of RAM and a moderately fast hard drive, and you’ll have a better-built system than any $399 budget PC on the market. It will probably run as fast or faster, and it will cost less.

I have two PCs at the office: a 3 GHz Pentium D, and a 2.6 GHz Core Duo. Both have 2 GB of RAM. They theoretically encode MP3s faster than my home PC and would make better gaming PCs than my home PC (ahem), but for the things I do–namely, web browsing, spreadsheets, word processing, e-mail, and the occasional non-3D game–I can’t tell much difference between them. The System Idle Process gets the overwhelming majority of the CPU time on all of them.

Other upgrades

The other things discussed in the article can be worthwhile, but faster network cards won’t help your Internet speed. If you routinely copy huge files between multiple PCs, they help a lot, but how many people really do that on a regular basis?

Fast DVD burners are nice and they’re inexpensive, but if you needed one, you’d know it. If you don’t know what you’d do with one, skip it. Or if you have an older one that you use occasionally, you probably won’t use a faster one any more often.

For $60 you can get a decently fast hard drive, and that will do a lot more for overall system performance than either a network card or DVD burner upgrade.

The video card is a sensible upgrade under two circumstances: If you’re using the integrated video on your motherboard, or if you play 3D games and they feel jerky. If neither of those describes you, skip the video card upgrade.

Free upgrades

The article describes CHKDSK as a “low level defrag.” That’s not what CHKDSK does–it checks your drive for errors and tries to fix them. If your drives are formatted NTFS (and they probably are), routinely running CHKDSK isn’t going to do much for you. If you run CHKDSK routinely and it actually says it’s done something when it finishes, you have bigger problems and what you really need is a new hard drive.

If you want to defragment optimally, download JK-Defrag. It’s free and open source, and not only does a better job than the utility that comes with Windows, but it does a better job than most of the for-pay utilities too.

The first time you run it, I recommend running it from the command line, exactly like this: JkDefrag.exe -a 7 -d 2 -q c:. After that, just run it without any options, about once a month or two. (Running more often than that doesn’t do much good–in fact, the people who defragment their drives once a day or once a week seem to have more problems.) Run it with the options about once a year. Depending on what condition your system is in, the difference in performance after running it ranges from noticeable to stunning.

Replace your Antivirus software with this freebie and regain your performance

Antivirus software is the worst culprit in PC slowdowns. I am not alone in this belief. I don’t suggest going without (not completely) but it’s certainly possible to save lots of money, eliminate subscriptions, eliminate most of the overhead, and still practice (relatively) safe computing while running Windows.

Use Clamwin, the Windows version of ClamAV, and don’t engage in risky behavior (more on that later). Clamwin is free, GPL software, meaning you never have to pay for or renew it. It lacks a realtime scanner, which is the main resource hog for PCs. This may leave you vulnerable to infections, but think about where the majority of infections come from: e-mail, downloads, and drive-by installations. Clamwin comes with hooks into Outlook to scan e-mail attachments for you, and Clamglue is a plugin for Firefox that automatically scans all downloaded files. Of course you’re using Firefox, right? Using a browser other than Internet Explorer is the most effective single step against drive-by installations, though not a complete one: any browser and its plugins can have exploitable bugs, so keep whichever browser you use patched. I don’t use IE on my personal PCs for anything other than running Windows Update.

Realtime protection made lots of sense when the main distribution point for viruses was infected floppies, but those days are long gone. This approach covers the routes modern viruses usually take without making your multi-gigahertz computer run like a Pentium-75. The trade-off to understand is that anything that reaches the disk some other way (a USB stick, a network share, a file dropped by an exploit) runs unchecked until the next scheduled scan.

I do suggest periodically scanning your system, something that even antivirus packages with realtime protection do. It makes you wonder how much confidence they have in that resource-hogging realtime protection, doesn’t it? Weekly scans are usually adequate; daily scans are better if you suspect some users of your computer engage in risky behavior.

Risky computer behavior

The last virus that ever hit any computer I was using was LoveLetter, which was way back in May 2000. The only reason I got that one was because I had a client who got infected and she just happened to have me in her address book. I don’t know the last time I got a virus before that.

It’s not because I’m lucky, it’s because I’m careful. There are lots of things I don’t do with my computers.

I stay off filesharing networks. Not everything on your favorite MP3-sharing site is what it claims to be, and there are people who believe that if you’re downloading music without paying them for it, they are entirely justified in doing anything they want to you, such as infecting you with a computer virus.

I don’t open e-mail attachments from strangers, or unexpected e-mail attachments from people I know. For that matter, if I don’t recognize the sender of an e-mail message, I probably won’t open it at all, attachment or no attachment.
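The attachment rule above can be turned into a mechanical check. The script below is an added example, not code from the original post; it parses a message with the standard library’s email package and flags attachments by filename: an executable or script extension, a double extension like LOVE-LETTER-FOR-YOU.TXT.vbs (Explorer hides known extensions by default, so the victim sees a text file), whitespace padding that pushes the real extension out of view, and the Unicode right-to-left override character that reverses the displayed name. The sample message is constructed for this example, modelled on LoveLetter’s subject and body text, and the extension lists are assumptions rather than an exhaustive catalogue.

```python
"""Flag risky e-mail attachments by name before anyone double-clicks them.

Added example, not from the original post. Parses an RFC 822 message with the
standard library and reports attachments whose filename uses an executable or
deceptive extension. The extension lists are assumptions, not exhaustive.
"""
from email import policy
from email.parser import BytesParser
from typing import List, Tuple

# Extensions Windows runs directly or hands to a script host (assumed list).
EXECUTABLE_EXT = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "cpl", "lnk", "reg",
}
# Extensions a user expects to be harmless documents or media (assumed list).
BENIGN_LOOKING = {"txt", "jpg", "jpeg", "gif", "png", "pdf", "doc", "xls", "mp3"}
RLO = "\u202e"  # right-to-left override: reverses how the rest of the name is displayed

# Constructed sample, modelled on the LoveLetter worm's subject and body text.
SAMPLE_MESSAGE = b"""From: someone@example.invalid
To: you@example.invalid
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
--b1
Content-Type: text/plain; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Transfer-Encoding: base64

TXNnQm94ICJoaSIK
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""


def assess_filename(name: str) -> List[str]:
    """Return the reasons a filename looks dangerous; an empty list means nothing found."""
    reasons: List[str] = []
    if RLO in name:
        reasons.append("right-to-left override character reverses the displayed name")
    if "  " in name:
        reasons.append("whitespace padding pushes the real extension out of view")
    parts = name.strip().lower().split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable extension .{ext}")
        if len(parts) >= 3 and parts[-2] in BENIGN_LOOKING:
            reasons.append(
                f"double extension .{parts[-2]}.{ext}; Explorer shows it as "
                f".{parts[-2]} when known extensions are hidden"
            )
    return reasons


def scan_message(raw: bytes) -> List[Tuple[str, List[str]]]:
    """Parse a raw message and return (filename, reasons) for each risky attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = assess_filename(name)
        # A part declared as text but named like a program is lying about one or the other.
        if reasons and part.get_content_type().startswith("text/"):
            reasons.append(f"declared {part.get_content_type()} but named like a program")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for filename, why in scan_message(SAMPLE_MESSAGE):
        print(filename)
        for reason in why:
            print("  -", reason)
```

Run as-is it reports only the .vbs attachment; invoice.pdf passes. Feed it a saved .eml file by reading the bytes and passing them to scan_message. Naming rules catch the old tricks; they say nothing about what a correctly named document contains, so they complement a scanner rather than replace it.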

I don’t run Internet Explorer if I can possibly avoid it. Internet Explorer’s tight integration into the operating system makes it far too easy for people to run software on your computer if you so much as visit a web page. Google tries to identify web pages that might be trying to do this, but a safer option is to use a different web browser that doesn’t understand ActiveX and doesn’t have ties into your underlying operating system.

I don’t install a lot of software downloaded from the Internet. A good rule is not to install any “free” software whatsoever unless it’s licensed under the GNU GPL or another similar open-source license. If you don’t know what that means, learn. Open source means the computer code behind the program is freely available and outside programmers can examine it. If a program distributed that way does anything malicious, someone is likely to figure it out, provided people actually read the code and the copy you install was built from that code; the license makes that scrutiny possible but doesn’t guarantee it. If I’m going to download and install something that isn’t open source, I only do so when somebody I trust (be it a trusted colleague, a magazine columnist, etc.) recommends it.

I don’t rely on software firewalls. I have a separate cable/DSL router that acts as a firewall and sits between my computers and the Internet. So when the random virus comes around looking for a computer to infect, it hits the router, which drops unsolicited inbound connections and can’t run the worm itself (it doesn’t run Windows and doesn’t have an Intel or AMD processor inside), so the potential infection just bounces right off.

Use a web-based e-mail service instead of a program like Outlook or Outlook Express if you can. If you use something like Yahoo Mail or Hotmail, that company’s servers scan your incoming and outgoing e-mail for viruses, so if someone sends a virus to your Yahoo account, you won’t get it. Does your ISP scan your e-mail for you? If you don’t know, you probably should consider getting your e-mail from someone else. Your antivirus should catch it, of course, but it never hurts to have someone else looking out for you too.

If you avoid these practices, you can join me in throwing out your commercial, for-pay antivirus software and reclaim a lot of computer performance too.

Why small business is better than big business

Technophilosopher Paul Graham (whose essay on Bayesian filtering spurred the development of one of the more popular methods for blocking spam) has some thoughts on what companies ought to learn from open source and blogging.

I really liked this quote: [Those who] run Windows on servers ought to be prepared to explain what they know about servers that Google and Yahoo don’t know. I know Google and Yahoo are a whole lot smarter than anyone I’ve worked for who runs on Windows.

But the most poignant bit for me was this: People work a lot harder on things they like.

I believe this is why successful small businesses are successful. Millionaire owners of small businesses often work very long hours–possibly 10 or even 14 hours a day. But many of them probably don’t realize they’re working those long hours because they enjoy it.

I’ve noticed this with my wife when I work with her. She doesn’t keep track of the hours she works because she doesn’t care. And at the end of my workday when I come home, we might spend most of the evening working, but at the end of the evening, we’re no more tired than we would have been if we’d spent the evening sitting on the couch watching TV.

As I watch the rise and fall of companies in the computer industry, I see this same pattern. Why can’t Microsoft sustain the growth of its early years? There are lots of reasons, but in the very early days when Bill Gates and Paul Allen actually spent time writing code alongside their employees, everyone worked excruciatingly long hours, but they did it out of choice. Microsoft is notorious for trying to force those kinds of hours out of its workers today (the novel Microserfs details this in general). Could the reason every Microsoft operating system released in the last 15 years has been delayed be because they’re just a labor, rather than a labor of love?

I think that has a lot to do with it.

And I think this is the reason why I’m not a fan of big business and never have been. Don’t get me wrong; I’m no fan of big government or big labor either. Big anything is out of touch and can’t help but focus more on self-preservation than on the things it’s doing and why those things are interesting and important. I can’t necessarily tell you why any given thing is interesting or important but I can tell you without even seeing it that it isn’t because of the amount of money it can make.
