August 13th, 2007 at 1:08 am
On Saturday (OK, it was after midnight, so technically it was Sunday — but I tend to count time before I sleep as one day, time after I wake up in the morning as the next day — since I stay up past midnight often enough this just makes it easier) I discovered a service called PassPack. The basic premise is this: Create an account, store all your passwords in it, log back in as-needed to retrieve them. “But wait!” you might say, “that’s stupid, why trust a random website to secure your passwords, just run one of the countless free Windows apps to store your info, and a lot of them will even automatically log you in via your web browser to websites.” Normally, I’d agree with you. But PassPack is doing things a bit differently.
PassPack gives you a free account (did I mention it was free?). You create a user ID, a passphrase, and a Packing Key, all distinct. PassPack creates an encrypted container using your Packing Key, which is encrypted on your web browser using JavaScript and standards-based encryption. Only this encrypted “bundle,” without your Packing Key, is then stored on the PassPack servers. Want a password? Log in, enter your Packing Key if it’s timed out (5 minutes by default, up to 15 minutes), find the relevant account alphabetically, by tag, or search (all very Web 2.0 and AJAXy-smooth), and click it to…reveal your login name and a scrambled-looking (unreadable) password field. Click in this field and use the Ctrl+C keyboard shortcut to copy the password, and paste it into the site in question (URL also saved as an option to make it easy). This means the password never appears on the screen, it’s just stored directly in your clipboard, and you don’t have to retype it.
So you can copy and paste the password, so what? Well, they also have an auto-login bookmarklet you can save in your browser. Save the URL of the login page along with the password at PassPack, and then just click the Open and Login link within PassPack to open the website in a new window. Then, click the “PassPack It!” bookmarklet you previously set up. If the site has been “trained” before (even by another user), it fills in the username and password fields and clicks Login to get you into the site! If it’s not been trained for this site, you are walked through a very simple process of clicking the bookmarklet, clicking the username field, then the password field, then the Login button to train the system. So far out of about twenty sites, only two have had issues and not been trained successfully (a Plesk 7.5 dedicated server control panel and the ZoHo group of sites, including the Church IT Podcast Wiki, were the malfunctioning sites, which have been reported to PassPack); these can still have their login information memorized like any other account, on- or off-line, they just won’t auto-login with the bookmarklet.
The folks at PassPack have implemented a few other nice features besides the slick and speedy interface and somewhat novel readable-only-by-you encryption scheme:
- They have a nice anti-phishing setup in place to prevent your PassPack credentials from being phished easily.
- If you keep the site open, it functions offline and can be saved to their server the next time you connect (it also auto-saves if you don’t disable this option).
- One-time keys are available for you to print out and carry with you. If using a public internet terminal, log in to PassPack with one of these one-time-use keys, and copy-and-paste the scrambled password you need. Then you never have to type a usable password into the insecure computer (for PassPack or the target site).
- Export and Import of your data, in unencrypted format, if you wish to switch between other password-saving applications that also give you access to your data in text format.
- Backup and Restore of your encrypted data, so you have a copy on your computer in addition to on their server (you choose whether the backup will use your regular Packing Key or a unique one).
- They will generate a unique password for you to use when registering a new account somewhere, which they will of course remember for you.
You may be wondering where this Packing Key thingy comes from. (I can hear you now, “David, this thing is awesome, sign me up, but what the heck is a Packing Key anyway?!”) PassPack has some of the best help I’ve ever read, which is even available contextually when you click Help within the site. They handily have an answer about Packing Keys and why they’re so handy. They do a much better job of explaining that and just about everything else about the service than I could, given that they wrote it and I’ve just used it for a day. But I’ve found it to be exciting, apparently secure, well-designed, and actually fun.
It should go without saying that besides the great interface, being able to access your passwords from any web browser very easily, along with the off-site storage, is probably the single biggest benefit to using PassPack over a Windows utility. Even the auto-login bookmarklet is cross-platform, cross-browser code and is a simple JavaScript bookmark — no need to install a Firefox Extension, IE Add-In, or any other code running on your machine outside of JavaScript.
I do see one potential downside: their Terms of Service contain several limitations (yes I read it! Well, the parts they highlighted at least…):
- You are not allowed to store information about financial accounts (banks, etc.), although this may be legal CYA considering I don’t know how they could possibly enforce this given they don’t have access to your data.
- If you don’t log in at least once every six months, your account is “inactive” and they delete everything.
- You only get 32k of storage per account (they estimate 75-100 entries’ worth), with no upgrades available yet. Accounts active before August 1st (missed it by less than two weeks, darn!) got 128k of storage (150-200 estimated entries).
I’m sure PassPack intends on offering upgraded service with more storage at some point, but those three conditions may limit my use of their service, and possibly yours. I know I have 23 entries already saved, and I’ve barely scratched the surface with the quantity of online accounts I maintain. It’s at least worth a shot in my opinion. If you like the concept and want an alternative, Clipperz is worth a look, it’s also free and PassPack even has a comparison of their two services. It doesn’t do the anti-phishing stuff like PassPack but it does have many other similar features, which I have not tested extensively. They also do not prohibit the storage of financial details and actually provide a template to hold credit card and bank account information. They also keep the data from leaving your browser unless it’s encrypted so they have no access when it’s on their servers.
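The storage model this post describes (the Packing Key stays in the browser and the server holds only the encrypted bundle) can be sketched as follows. This is an added example, not PassPack's or Clipperz's code: PBKDF2 and AES-256-GCM stand in for the unspecified "standards-based encryption", every name and sample value is hypothetical, and it uses Node's built-in crypto module so it runs offline.

```javascript
// Added illustration of host-proof storage; not PassPack's or Clipperz's code.
// Assumptions: PBKDF2-SHA256, AES-256-GCM, and all names and sample values.
const nodeCrypto = require('node:crypto');
const KDF_ITERATIONS = 100000; // constructed work factor

// Client: stretch the Packing Key into a 256-bit AES key.
function deriveKey(packingKey, salt) {
  return nodeCrypto.pbkdf2Sync(packingKey, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Client: encrypt the entry list into the bundle that is uploaded.
function packBundle(entries, packingKey) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every save
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(packingKey, salt), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    body: body.toString('base64'),
  };
}

// Client: decrypt a bundle; null means wrong Packing Key or a modified bundle.
function unpackBundle(bundle, packingKey) {
  try {
    const key = deriveKey(packingKey, Buffer.from(bundle.salt, 'base64'));
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(bundle.iv, 'base64'));
    decipher.setAuthTag(Buffer.from(bundle.tag, 'base64'));
    const plain = Buffer.concat([decipher.update(Buffer.from(bundle.body, 'base64')), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null; // authentication failed: wrong key or altered data
  }
}

// Server stand-in: it only ever receives and returns the serialized bundle.
const serverStore = new Map();
const serverSave = (userId, bundle) => serverStore.set(userId, JSON.stringify(bundle));
const serverLoad = (userId) => JSON.parse(serverStore.get(userId));

// Constructed sample data.
const PACKING_KEY = 'constructed packing key, never sent';
const SAMPLE_ENTRIES = [
  { site: 'https://mail.example.test/login', user: 'david', password: 'constructed-Sample-pw-1' },
];

function demo() {
  serverSave('user-1', packBundle(SAMPLE_ENTRIES, PACKING_KEY));
  const tampered = serverLoad('user-1');
  const raw = Buffer.from(tampered.body, 'base64');
  raw[0] ^= 0x01; // simulate a bundle altered while stored
  tampered.body = raw.toString('base64');
  return {
    serverSeesPassword: serverStore.get('user-1').includes('constructed-Sample-pw-1'),
    rightKey: unpackBundle(serverLoad('user-1'), PACKING_KEY),
    wrongKey: unpackBundle(serverLoad('user-1'), 'some other key'),
    tampered: unpackBundle(tampered, PACKING_KEY),
  };
}

console.log(demo());
```

In a browser the same steps map onto the Web Crypto API. The model still relies on the page's JavaScript being the code you expect, since that script is what handles the Packing Key.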
August 9th, 2007 at 2:57 pm
Monday and Tuesday this week we hosted one of Integrity’s Seminars4Worship conferences at Lakeview, which was well-attended and from all accounts was an even bigger success than the last time we hosted them. This time we had free wireless internet, which was well-used, and there was only once when people had some connectivity issues which I believe were related to the firewall and/or cable modem and were easily fixed (good old power cycle!).
After all the people early in the week, we now are in the midst of General Council for the Assemblies of God, being held in Indianapolis this year. We’re a bit too small to hold the thousands of attendees at Lakeview, so it’s actually pretty quiet both at Lakeview and at the District Office this week, for some odd reason :-) As an outreach set up to coincide with General Council, Convoy of Hope is going to distribute tons of food to the community on Saturday. Lakeview has hosted two events in the past (Day of Blessings and Day of Blessings 2) with Convoy of Hope where we distributed food to thousands right from our parking lot, and it looks like this outreach is going to be even bigger: bigger venue, multiple churches, lots of people.
That’s the long and short of it. Lots of people at the beginning of the week, very few around the end of the week. And some posts on web hosting coming soon, because I’ve taken on a project (well, several related projects) that mean more work and more fun!
August 5th, 2007 at 10:34 am
Why can I not search my feeds in Google Reader? I’ve noticed over the past several weeks, every time I think “now where in my feeds did I last see x?” I can’t just pull up Reader and ask. Ironically enough, before I started this post, I decided to see what others were saying about this, so I searched Google. Lots of good stuff, but nothing along the lines of “it will be built in soon” which is what I really wanted to hear. There do appear to be some workarounds:
Poor Man’s Google Reader Search appears to have a solution that lets you search a public label or an individual feed, but that’s not what I was looking for.
Google Reader Gears Search has a way to search Google Reader using the Google Gears offline post database if you are set up to use Reader offline with Gears, but again this requires a browser add-in. The creator of this option actually talked to Chris Wetherell, the Google Reader creator, about why there was no search, but he doesn’t articulate the answer with any level of detail.
Google Groups has a thread about Google Reader search, which basically asks the same question I do, but provides no answers. Martin Porcheron comments back in May that Google Reader has updated their CSS (Cascading Style Sheets) to include hints of search capabilities, but those haven’t yet materialized. This seems to be the most promising reference that Google is indeed working to make this happen.
The most promising current solution that I’ve found came via a Lifehacker entry about a Google Operating System post: How to Add Search to Google Reader. It requires using Google Co-op and Greasemonkey (there’s another browser add-on to install still!), but it is probably the one I’m going to try for now. You also must export your feeds list and re-import it at the Co-Op site every time you update your subscriptions. Why is it so hard for Google to integrate their own two services, anyway?! I suppose I’ll have to live with the workaround for now, but I still think it’s strange for a company so focused on search to eschew it in such a widely used product. And there’s even an updated Greasemonkey script that will display your search results right within Google Reader. So you (and I) can fake it ’til they make it!
August 4th, 2007 at 11:57 am
I must admit I was a bit surprised by this on one hand, and not at all surprised on the other. When you understand how virtualization works, it’s easy to think “wow, that creates a nice black box, nothing could ever get out of there automatically to the host computer, or even know the host exists!” Then you realize that because of the specific hardware VMware or other virtualization software uses, there are several ways for a program to discover that it’s running on a virtual machine (I won’t go into detail on these, I haven’t done much research but I’m sure Google has…). Then, if you know anything about computer security, you realize that if it’s on a computer, connected to a network, there’s probably a way to get in if you have enough time, knowledge and resources, because computers are complex and new attacks pop up every day. Why should VMware be any different?
To the (sparse) details already: PaulDotCom has an article discussing a program that runs on a VMware virtual machine, and in about a minute crashes the machine and then runs a program on the host machine. Whether this was an ESX Server or a VMware Server install is not clear, and neither are most of the other details. It does seem that running VMware Tools on the virtual server might be the attack vector and you would be safe if not running them, but again, the details are sketchy. Cutaway also has some commentary on the new security hole. Originally via Martin McKeay’s blog.
July 31st, 2007 at 12:57 pm
Pastor Nathan LaGrange is the Worship Leader at Lakeview Church, and he’s also the former college-age pastor. He’s also an all-around awesome guy, and the pastor who married my wife and me almost two years ago! I guess if I had to play a hypothetical “favorite pastor” game (not that I would generally recommend that), I’d probably pick him. Anyway, my lengthy introduction finally brings me to my point: he’s blogging! He started late last week, but I figured I’d wait to announce it until I had a chance to get all the cool FeedBurner redirects and other plugins tweaked correctly on his WordPress blog :-) It’s called Follow The Lion (it was called Get Absorbed but the name has been changed), and I have it on good authority that he’s contemplating adding a podcast as well when his fingers start to get tired. This guy’s insightful as he–, um, all get out, and you have my strong personal recommendation to take a look and give him the reader boost encouragement to keep posting, and also put all the statistics plugins I set up for him to good use! Just don’t expect any IT stuff — his spiritual-relational posts should balance out my technology posts pretty well.
July 31st, 2007 at 7:30 am
This is a long one (about 1800 words), so I’m giving you a table of contents, and breaking it up so it’s not all on the front page (the first post where I’ve done so, and I’ve had some other long ones!).
Overview
Our new youth facility now has a four-computer internet café. I’ve already written twice about my plans and research leading up to implementation, specifically about computer lockdown software. A couple of weeks ago, I mentioned briefly that we had changed course and decided to use Microsoft Windows SteadyState as our lockdown software of choice, mainly due to the price (free!).
We (Dutch volunteer Jeroen and I) were physically installing the computers/monitors/etc. in the youth lobby area when I thought, “hey, Microsoft just released some updated lockdown software, let’s try it out.” We hadn’t yet purchased the Fortres Grand software, although I had it approved. So I downloaded SteadyState, installed it, and messed around for a few minutes. It was so easy, even my mom could do it! Well, okay, I’ve been teaching her computers for a while and I might still have to walk her through this one over the phone, but I have no doubt she’d make it work :-) The installation went smoothly, the lockdown options (we wanted pretty much the tightest lockdown possible) were easy to select, and the hard disk protection (which discards changes on reboot) was easy to enable and control from within the main SteadyState console. I haven’t had experience with Microsoft’s old Shared Computer Toolkit, but from what I understand it was more difficult to combine all the options together into one functional system, and they appear to have fixed all of this in SteadyState.
Lockdown Features
In the SteadyState console, there are three items under Global Computer Settings: Set Computer Restrictions, Schedule Software Updates, and Protect the Hard Disk. The Set Computer Restrictions option lets you change things such as whether to display the last username in the logon screen, prevent users from writing to USB drives, turn the Welcome Screen on and off, and other miscellaneous things that affect the whole computer, not just particular user(s). I turned most of these on. I’m not writing this with access to the computers I set up, so I’m going from memory on this (and everything else) but if you have any questions about specifics please leave a comment!
You can create or import users/profiles that SteadyState can then manage with a selection of lockdown options going from low to high security, but at each level it just selects a more restricted subset of the detailed options and lets you customize away. This is similar to the functionality of the Fortres 101 software. All we tested was the highest security possible, locking down almost everything and only allowing the Mozilla Firefox executable to run. However, we did have to allow command prompt access to get the Firefox auto-restart trick below to work, although with the GUI and keyboard shortcuts this locked down, no one should be able to access the command line except through the batch file the Firefox shortcut links to for this trick to work.
Testing the lockdown settings to find the right mix can be a bit tricky because you must save the settings, log out, log in as the limited user, test, log out, and log back on to the administrative account again. It’s tedious, but once you have what you want, you can duplicate the settings more easily on other systems. The Export/Import Profile function works, but it imports a default user profile with the lockdown settings. Be careful with this, because it means you must wait until after you import a user into SteadyState from an exported profile before logging in and doing any customization to their desktop (display options, Start Menu positioning, etc.) as any customization you’ve done will be deleted if you import a user over top of your existing user! Found this out the hard way — once :-)
July 24th, 2007 at 11:45 pm
The install and test was a success! Four Meraki Mini access points are up and running at the campgrounds, providing internet access through the satellite connection (which was the weak link during our testing, being slow or down most of the time, but it was working better before we arrived so we have higher hopes). We even made it back to Lakeview before 5 pm, which was our goal!
There’s not even that much to tell. The setup was the easiest part: unpack, plug in to power. Place near window for best signal. Plug internet line into the one next to the satellite modem. And that part had been done for us! We primarily tested the existing network using VisiWave to document signal strength, and moved the fourth access point around to various locations to make sure when we order four more, they will cover what we want them to (they will). The VisiWave mapping was the most time-consuming part of the trip (besides waiting for the slow/disconnected internet), but I haven’t had time to pull useful reports out of that data yet.
The Meraki Dashboard is the truly novel and useful tool. You can place your nodes on a map, view how they are interconnected, monitor bandwidth usage and speeds by node and by user, block or whitelist users, set up a splash page, security, and quite a few other nice tweaks that I wouldn’t have thought of but make perfect sense when you see them!
I took a couple of screenshots of the node map overview, using standard and satellite maps:

If you hold your mouse over a node (in the real Dashboard, not these pictures of course! But you knew that…), the route to the internet turns green (one of the gray lines between nodes in the standard map), and some external text shows some additional status information. The number on a node is the number of users in the last 24 hours. These pictures just scratch the surface of the control interface, which is well thought out and feature rich. But that’s all I have time for, so you’ll have to grab some of your own Minis and mess around!
Oh yeah…sorry for the joke in the title. I do love my bad puns…
UPDATE: On Feb. 21st, 2012, after a new comment and response below, I wrote a post that’s a bit of a followup to this one, over at my current (though still infrequently-updated) blog: Ubiquity UniFi vs. Open Mesh.
July 24th, 2007 at 8:49 am
Today I’m going up to the Assemblies of God Indiana District campgrounds with volunteer Jeroen to install and test some mesh networking made by Meraki. They just got a satellite internet connection (their only affordable option due to location) last week and need to populate the internet access to several locations on the campgrounds, probably using seven or eight Meraki Mini devices. One of them connects to the internet connection, the others are placed within range of the first one, or just within range of any of the others (up to three hops away I believe), extending internet access to the entire coverage area!
If they had a second internet connection, “injecting” another point of internet access would be an option, and the network would automatically send traffic to the best internet access point. Thus, the mesh part of mesh networking. I’ve been wanting to try the Meraki products for a while, so I’m excited! More details to come when we’re done!
The trip to the campgrounds is about two hours each way, so we’ll only have three or four hours of actual set up and testing time.
July 20th, 2007 at 8:23 am
I really like gadgets, electronic toys, and technology. Sorry, I mean, um, tools. Yeah, tools. Anyway — what a shock, right? Coming from a Church IT guy? Well, I see plenty of cool stuff, I have some of it, and I look forward to an occasional new toy when I can afford it. But I haven’t seen the Perfect Computer. Until now. So I’m going to break with regularly scheduled programming (wow, what a cliché, especially for someone who doesn’t have any!) and tell you about it.
The HTC Shift is a UMPC. It has:
- An 800 MHz Intel processor (A110)
- Intel 945GU Express graphics
- 7-inch widescreen touch display
- Slide-out QWERTY keyboard suitable for touch-typing
- Vista Business OS
- Media Player 11
- Tri-Band UMTS/HSDPA and Quad-Band GSM/GPRS/EDGE
- WiFi and Bluetooth 2.0
- Trackpad, fingerprint reader, camera
- VGA output to a real monitor if you want/need it
So basically, wrap a very respectable laptop and cell phone in a fit-in-a-large-pocket package, give it every kind of connectivity you could ever ask for (WiFi to cell phone), with a few extra gadgets thrown in for good measure.
Not much else to say. It’s not even available in the US yet. You can Google around and find plenty of more information. Now, pardon me while I go get my drool mop…
July 18th, 2007 at 8:44 am
Over the past two days I noticed that my FeedBurner subscribers dropped by close to half! I thought maybe I was Egypt and people were on an exodus from my blog! Nope, it was me…on Sunday I turned off the feed redirection plugin (that sends all subscribers to my WordPress feed to FeedBurner’s feed) to troubleshoot an issue where FeedBurner wasn’t updating my feed because it wasn’t validating. (Turns out a plugin had put a bad character in the feed somewhere.) Then, I promptly forgot to re-activate the redirection! Apparently half my subscribers are using my site feed :-)
I apologize if you were affected by this (it may have done something like cause all my recent posts to reload in your feed reader, but I’m not sure exactly). It has been fixed and everyone should be using the FeedBurner feed again now, directly or indirectly.
Just a teaser; upcoming posts might be on things like: Windows SteadyState, Meraki Mini mesh networking, using WordPress as a CMS. All of these I still need to write; some I’m done with and can write about, and others I’m either working on or will be in the next week. Just have to find the time to document!