Tuesday, September 15, 2009

How to make your IVANS Medicare Submissions Less Painful

FISS, IVANS, whatever you call it, Medicare submissions don't seem to go as well as we would hope.  Slow often doesn't begin to describe the process.  It seems like the PasyDES (also known as Passport IP) just won't work.  It won't connect.  It hangs.  It . . . doesn't work.

First up, if you haven't already, get a VPN account and use the VPN connection  - see my previous post on this subject.  Alright, everyone's using the VPN?  Great - next, check that you have the latest AT&T Global Network Client.  OK, now that you're ducks are in a row, let's figure out which servers actually work.


  1. Connect to AT&T and wait for Passport IP to open.  
  2. Hit Escape and abort the connection attempt.
  3. Go to Start -> Run -> and type cmd and click OK.  A command prompt will open.
  4. Now ping the 1st Chicago server by typing ping 204.146.91.80 and then pressing enter.
  5. Do you get a reply, or does it time out?  If it times out, you can try the next IP.  If it replies, congrats, you have a working server  - make a note of it and keep on trying until you get a second one.
Here are the server IP ranges:


Chicago: 204.146.91.80 - .88
Los Angeles: 204.146.91.148 - .154
New York: 204.146.91.50 - .58

Don't give up until you have two of them!  Enter your two addresses into the Connection Setup window, and enjoy a connection that works!  If it begins to behave badly, you can repeat the process and find another working server.  Happy submitting!
Update 26-Aug-10
Ivans is doing away with the Passport IP system and is instead opting for a system called Lime.  They've used Blue Zone for a while, and the users have really liked it, so Ivans has repackaged Blue Zone in a Web interface and is calling it Lime - you may already be able to use it.
Connect with your AT&T Global Client (Ivans Connect), open you web browser then visit https://limecportal.ivans.com.  When prompted input your user ID and password - if it proceeds you know you have it.  If it doesn't work, call Ivans (or even better go to their Support Chat) and get a new contract.

Friday, September 11, 2009

Internet Usage by Residents in Long Term Care

As our ever more technically inclined population are aging they are bringing their technical skill set and favorite leisure activities with them into the long-term care facilities.  Among these is a desire to use a computer and access the Internet.

The Internet has proven to be a valuable link for nursing home residents and their families.  Phone calls and visits in the day room are increasingly replaced by emails and online chats.  Boredom is combatted and lives enriched by allowing residents to while away the hours pursuing information about their favorite hobbies, reading the news, or just playing games.

What could possibly go wrong?  A Q&A with myself on this subject:


Could a staff members or visitor use a resident's computer to steal their identity or otherwise negatively influence them?

This is a big issue.  Many of us save our usernames and passwords to our favorite online haunts in our browser, allowing us to enter them conveniently without the hassle of authenticating each time.  However, if it isn't the computers' owner accessing the site we have a situation where someone has successfully masqueraded as the computers' owner.  The potential exists for an unauthorized individual to acquire personal and financial information about the resident, or to even manipulate the resident's banking and finances.
Residents who own their own computer should be encouraged to password protect their computer.  Furthermore they should be encouraged to lock their computer with a password if they will be leaving it unattended.


What level of service must we offer? Can we ethically prioritize our own Internet traffic over the residents'?

I believe that a minimal commitment of hardware and resources to resident Internet access is all that is necessary.  What is more necessary is keeping the business and healthcare functions going at full-speed - not only is this good business, but it is necessary for the staff to be as efficient as possible.
This situation is avoidable if a second Internet connection is established solely for use by residents - an expensive option.  What is more affordable, and certainly keeps the business and medical data more secure, is setting up a second network that is logically separate from the facility's business/medical network.  If you are using an IPCop you would set up your wired business network in the Green Zone and your wireless resident network in the Blue Zone.


Is it ethical, maybe required, to filter or monitor resident Internet usage?

It depends.  One good argument against filtering and monitoring is that we're dealing with free-willed adults.  So long as the equipment and time is theirs they should be allowed to do as they please so long as it doesn't do any harm.
But there is a lot of harm that we may prevent by filtering and monitoring access.  Many facility administrators have felt that the Internet access restrictions that apply to the staff should, in large part, be applied to the residents with a couple of notable exceptions:  online chat and social networking.
Blocking access to shopping, gambling, and potentially dangerous sites serving up viruses and spyware are certainly desirable.  Many are in long-term care because they don't have all of their mental faculties - they could drain their life savings if they could shop or gamble online and never realize what they've done.


How prevalent will pornography be?

Probably not very.
I'm certain that we will need to address the social and biological interests of our more amorous residents, as well as the well-being of our staff - the orientation of a resident's computer monitor will be very important.  So long as the equipment and time are theirs they should be allowed to do as they please so long as it doesn't do any harm.
I've heard of many residents possessing and viewing a personal store of pornography, and in one case a female resident has regularly provided pornographic DVD's for group viewing by her male peers.  The staff did not feel that this resulted in a sexually charged atmosphere or any undesirable public behavior.  These are adults with the vices and desires common to most of us.
That said, it is still up to the facility administrator.  I've had almost every one that I work with say that they did not feel comfortable allowing access to pornography using the facilities computer network.  If they want pornography they'll have to get it elsewhere.

Will our staff be expected to provide technical support the residents' computers?

Absolutely not!  In fact it should be actively discouraged.  All interaction between staff and the residents' computer equipment should be discouraged.  There are so many problems that can arise from good-intentioned assistance with a minor technical issue that the mind boggles.  The door to potential ill feelings and financial headaches opens wide if there is a problem and it is blamed on the facility staff.  So: Aide Frances helps Mrs. Cardigan install a new game; congratulations Aide Frances, you are now the proud owner of every problem that computer will ever have going forward.  Mrs. Cardigan knows that she didn't do anything to it, it must be what you've done.
Residents must seek help from family or paid technical staff from outside of the organization.  We can't get involved - there's too much risk.


Are there potential income opportunities for the facility, such as a setup fee or monthly fees?

I've wondered at this long and hard and think that it's not a bad idea.  The facility is investing in the well-being of its residents.  That investment should pay off.
While additional fees may not be appropriate, it is a feature that will appeal to many residents and will help to fill beds.


What liabilities can this incur? What happens if a resident has equipment that is damaged or stolen?

I'm certain it will matter if the damage is from a staff member, another resident, visitor, or act of God.  I'm afraid that every issue could be blamed on the facility staff.  It's just the nature of computer users to look for an issue beyond themselves as the cause of their problems.
A comprehensive set of policies will be needed to avoid these pitfalls.  Residents that bring computers should be informed that the facility is in no way liable for their computer or the information that it contains.  Period.  Stick to this line, it will be all that you have.
The facility staff need to make sure to keep themselves from becoming liable - a housekeeper who drops a laptop while cleaning a room is in a bad position indeed.
And what about when another resident breaks the computer?  Facility administrators will need to be prepared for this eventuality.  If you figure out a good answer to this one, drop me a line!

What if the residents computer is used for criminal activity?

The facility and the residents both would be best served by devoting every reasonable resource to exposing the criminal, the extent of the crime, and prosecuting the offender to the fullest extent of the law.  Whether a resident is guilty of using their computer for criminal hacking or possessing child pornography, or another person had used a resident computer to perpetrate a crime or fraud, society's best interests are served by involving law enforcement and seeing that justice is served.  Just try to keep it away from the press - no nursing home needs bad publicity, the press is already out to get them.

What about wireless networks – won't the homes and businesses adjoining the facility may be able to join open networks?

The operative word here is Open.  Basic WEP or WPA encryption is enough to keep all but the most skilled and determined attackers away.  Sure it's inconvenient, but security is never convenient.  Your wireless password should be an open secret - shared with anyone who asks.  This makes it convenient for residents and visitors to use the valuable and convenient service that you are offering.  Since you're keeping the resident's network separate from the business network there will be little gained from attacking the wireless residents network.

What about resident computers provided by the facility in the common areas?

Computers in common areas of the nursing homes will need special treatment so as to avoid issues of ownership, suitability for a particular use, appropriate usage, resident tolerance of frustration, time sharing, software installation, spyware, adware, viruses, etc.  Be sure to use a technology such as Microsoft Steady State to prevent as much headache as possible.  Even better, ditch Windows and use a Linux LiveCD like Hospitality Machine

Trouble with URLFilter Addon for IPCop (Like, it quit working!)

So a customer called me with a complaint about being blocked from legitimate sites, saying simply that a critical banking web site had been blocked.  However, there are several ways that one is "blocked" from a web site:  a simple issue of old web links or bookmarks, adware in your local computer, network congestion, an active block by your IPCop's URLFilter Addon, or OpenDNS blocking due to restricted content.  Each of these gives an error message that is unique to its condition (with the exception of adware, it's meant to be misleading) - unfortuantely this person couldn't remember the content or color of the block message.  I suggested they take a photo of the block message with their cell phone and text it to me the next time this happens.  Windows does NOT make sending screenshots as easy as it should be.

So another person at the customers' site calls and says that there is no filtering on the system.  Wow, two people from the same site with opposite problems?  What a puzzle!

While I can't exactly figure out person 1's issue, person 2's issue was that the URLFilter just did not work.  It had failed open - allowing access to everything that OpenDNS didn't block.  The Advanced Proxy was still working as it was still dutifully logging web site visits - you'll know the AdvProxy has quit and it's just NAT if you have logging turned on but nothing is being logged.

I tried stopping and restarting the URLFilter, the AdvProxy, then the whole IPCop, but it still didn't work.  I tried reinstalling the URLFilter over itself so as not to lose my settings and blacklists - no luck.  I had to uninstall the URLFilter, reboot the IPCop, the reinstall the URLFilter to make it start working.  I had copied all of the settings into textedit, so I was able to put everything right back into place with the exception of the blacklist.

An interesting note:  removing and reinstalling the URLFilter component periodically may do some desireable housekeeping:  it arranged my blocked sites categories alphabetically (they were a mess prior to that), it seemed to drop some categories that I didn't use anyway, and it seemed to improve the browsing speed.

Monday, August 31, 2009

Dell Inspiron 1545 with Vista x64 Spontaneously Reboots

I'm not sure which I dislike more, Microsoft, or Dell.  The two together are an unholy union that literally keep me up at night.  Todays headache comes courtesy of them both.  The Inspiron laptop would reboot every 20-30 mintes for no good reason, and it didn't matter if it was idle, in a screensaver, or busy with an update.  After rounding up all the usual suspects (all drivers updated, 3rd party software removed, updated the BIOS, removed the antivirus, installed all OS updates, ran Dell's hardware diagnostics) I decided to call Dell. 

After a half-hour of Hell because I didn't know that the customer had acquired the laptops at Best Buy (one of Dell's support reps suggested I could only get help from the reseller) a support rep took pity on me and suggested I do a system restore to two weeks prior.  I tried that, with no dice.  She then suggested that the issue is due to some incompatible updates from Microsoft.  That's right, the updates that are supposed to make our computers safer and more stable were crashing this one out.  The support rep further suggested that I turn off automatic updates.  Fat chance, I told her, then I politely asked if she knew which updates in particular were causing the mischief.  After a relatively brief hold, she gladly informed me that the issue was caused by the following updates and suggested that if I remove them my computer would operate trouble-free.
  • KB973839
  • KB970653
  • KB972036
  • KB973874
I've removed the required updates, rebooted, ran MS Update, hid the offending updates, and have operated the computer for the past hour without incident.  I think she may have given me the correct answer - she did great, but Dell is still not on my list of recommended vendors.

Friday, August 28, 2009

IPCop Firewall 2.0 - Coming Soon to a Network Perimeter Near You!

IPCop 2.0 will be here soon - I just downloaded and installeda beta version of IPCop 2.0 - IPCop 1.9.7 on a Virtual Box on my Macbook Pro. I don't know why, but they're playing it pretty close to the vest. There is virtually no mention of 2.0 on the IPCop.org web site unless you click on the Road Map link - which lays out 2.0's intended features. From the looks of 1.9, it's coming along rather nicely. I'll review the highlights and show you some screenshots.


/edit 11-Apr-2011
It seems a heroic few have soldiered on and are slowly moving toward what will be IPCop Version 2.0.  Despite the fact that there hasn't been a new stable version in quite some time, the IPCop version 2.0 is still under development - a new test version 1.9.19 has been released - you can find the test versions at http://sourceforge.net/projects/ipcop/files/IPCop%20Test%20Versions/.  Looking at their timeline it would seem that documentation is half finished, and many features are at 80% and 90%.  It seems that traffic shaping has not begun implementation, don't even think about using a dial-up modem (my Granddad still uses one - no kidding!)

If you've never heard of IPCop I'll give you a quick rundown: it's a Linux distro that you load into a crappy old PC - they've tested it on a 486 with 64MB of RAM, and it worked at a reasonable speed! You replace your network firewall with this baby and you gain all the power and flexibility of a Microsoft ISA Server (without the hassles and expense) or a Cisco PIX Firewall (again, without the hassles and expense!). Believe me, this thing is easy and fun. For install instructions and tutorial (version 1.4.x at this time, but easily applied to 1.9.x, or even 2.0 once it arrives) check out this Instructables Article.



I spent some time looking for documentation prior to installing the Beta, and found nothing but complaints about install problems or enigmatic questions wondering when 2.0 will be available. Wonder no more: the Beta is available now, you can test it out to your hearts content. In fact, I encourage it - the more people that download the software and try it out, the more feedback will be given to the developers, and the odds are that a few people who install it will know a thing or two about development and make some serious contributions.

Why haven't I contributed? I have! I'm spreading the word! The developers get a golf-clap: by downloading the software you show interest, and no one wants to develop software that no one is interested i. I'd contribute more if I knew how to code and script - I know code and script, but I'm a total script-kiddy: I understand the fundamentals and can manipulate the system once it's made. It's like knowing how to drive, fine-tune, and even fix an automobile, but ask me to fabricate a new piece or improve on the existing engineering and I'll have to pass. I'm confined to standing on the shoulders of giants.


IPCop v2.0 is a development of v1.4, but incorporates some significant improvements.


    • Linux kernel 2.6.27
    • New hardware support, including Cobalt, sparc and PPC platforms.
    • New installer, which allows you to install to flash or hard drives, and to select interface cards and assign them to particular networks.
    • Access to all web interface pages is now password protected.
    • The port for https secure connections has been changed to 8443.
    • Redirection from ports 81 and 445 will not work.
    • A New Look User Interface, which includes:


    • A new Scheduler Page, on the System Menu, where you can program various events.
    • More pages on the Status Menu including new pages for System Info, Traffic Accounting, and IPTables, as well as an overhauled page for Connections.  The entire Firewall Menu has been overhauled, and the Pinholes and Port Forwarding are now controlled by Firewall Rules. (This feature set rocks - the port forwarding worked great in 1.4.x, but the "pinholes" made no sense to me.)
    • An updated Proxy Page, now with advanced control features. (The "Advanced Control Features" are Marco Sonderman's AdvProxy addon for IPCop 1.4.x rolled into the new distro so you no longer have to install it separately. Thanks, Marco!)
    • There's a simplified DHCP Server Page. And underneath, dnsmasq has replaced dhcpd as the DHCP server.
    • The Time Server Page has also been simplified, as IPCop now uses ntpd fully.
    • OpenVPN has been added to IPCop, as an alternative to IPsec. (Whither Zerina? I'm guessing Zerina was rolled into this distro, too. Bravo! At the time of writing the Zerina site was down, here is the Google Cached Page Link)
      On the flipside, snort Intrusion Detection System has been dropped from IPCop v2.0, to become an Addon. (I didn't use this - the Sourcefire rules update was an onerous burden, there were too many false positives, and it's strictly reactive - great forensic evidence after the crime is committed but hardly a way to prevent the crime in the first place!)
      All in all, I'd say that these are milestone improvements - the install time is drastically reduced by rolling two of my favorite addons into the distro, multiple interfaces with separate IP's may be set up in each zone (2 Red's, one on the Fiber Line, one on the DSL backup?) making this a much more flexible system. I'm glad I stocked up on extra Ethernet adapters!

      Oh, and a word to the wise: This is a BETA, don't use it for a production system, use it for testing and development. The manual is certainly less than complete, and I'm certain that many features are half-baked, so you'll experience some headaches if you stake you business on 1.9.x.

      Sunday, August 16, 2009

      Small Business Server 2003 Service Pack 2 Stupidity


      I kept getting the error "Setup could not verify the integrity of the file Update.inf. Make sure the Cryptographic service is running on this computer," when I tried to apply SBS 2003 SP2. I stopped and started the cryptographic service. I read every Microsoft KB and followed every step. I ran DJ-Lizard's Dial-a-Fix - an excellent tool for repairing a variety of windows problems by automating the deletion of some pesky files as well as unregistering and reregistering some pesky DLL's - and still had no luck.

      Reading Experts Exchange (well worth the subscription price) another individual had the same problem, ran through the same troubleshooting steps, and had no success until he realized that he hadn't applied SBS 2003 SP1. I checked my server, and sure enough, I hadn't applied SP1. The Stupid Server service packs aren't cumulative? Windows deskop OS SP's are, so I naturally assumed that server service packs would be, too.

      Saturday, August 15, 2009

      Let's Waste Some More Time!

      A lot has changed since my last post about wasting time (not this one, that one!) - users decided that downloading and installing a dedicated application to run Internet television is NOT on their to-do list. Web-based video sites have instead opted to follow a format most similar to YouTube. I like the application-based model because it didn't feel like YouTube, which lets you browse videos much as you would browse Ebay.

      Admittedly the new online television sites don't look exactly like YouTube, but I dislike browsing video content inside of a browser window. The full-screen Babelgum and Joost clients had their own personalities which were expressed through various eye candy like slick menu effects, and Joost's fade-to-a-dot like an old-school TV was just awesome - it reinforced the fact that it was TV.

      Now that I've got my pitiful whining out of the way, lets look at our FREE online television viewing options:


      For the sake of completeness I've included the 800 pound gorilla. You know it, you love it. There's nothing that can't be found here - from the inane to the insane. It works in every browser on every platform (OK, that's a bit of a stretch, there's some geek reading this in
      Lynx running under Linux on his Atari 2600 who can't). It features low-quality and high-quality modes, fullscreen viewing, and if you have a slow connection you can pause it and let it queue up some more data for a better viewing experience. It's owned by Google. What more can I say? Go watch something stupid.


      The not-quite 800 pound Gorilla but having 800 pound gorilla backing (Fox, WB, and Comedy Central to name just a few) has many, perhaps too many, TV episodes online for your viewing pleasure. And it's legal - unlike Youtube, which is regularly asked to pull copyrighted content by the content's owners. The content owners have given their precious shows over to Hulu (when they haven't Hulu gladly links to a content-providers site on which you may watch your show), which places a single 20 or 30 second ad at the points where television viewers would endure a few minutes. Even with less ads, they're making a fortune because the advertisers are willing to pay for ads that they know will be seen - it's pinpoint accuracy advertising, unlike the shotgun of over-the-air TV.

      Hulu has classics like AirWolf and V, and fresh content like The Daily Show (a day late). An added bonus: Movies. They're not terribly recent, and the content is changed up regularly, so if you missed The Fifth Element when it was on Hulu a few months ago you're out of luck.

      OK, on to the geeky stuff: you will need a fat Internet connection to enjoy Hulu thoroughly - the video is usually very high quality. Many hotel networks don't fit the bill. Neither does dial-up. Users with a slow connection can pause the show and let it queue up - it has a handy queue meter when you pause it - for smoother viewing.


      I thoroughly enjoyed their stand-alone client's visual effects. Kudos to Joost for managing to bring some of that visual style to their site. It seems that the corporate television overlords have seen fit to keep their eggs in different baskets (I won't name names, but one rhymes with Schmomedy Schmentral). Ads are placed at the beginning of the show and at appropriate places throughout the show, much like Hulu. There is a lot of classic cartoon content - like GI Joe, He-Man, and Transformers - great stuff, I rushed home after school for these! Newer content from Nickelodeon can also be found here. Also, I'm delighted with the PBS channel, educating and entertaining at the same time!

      I'm not thrilled with the layout and navigation of their site - it's clunky, wasting lots of space and hiding the impressive depth and breadth of available content. The video quality is excellent, it queues when you pause it, and you'll enjoy it more with a good fast Internet connection.


      The European answer to Hulu and Joost, Bebelgum has an excellent easily customized interface that invites you to search deeper. And deep is what you get here - independent films and Britain's BBC as well as a plethora of documentary films. My favorite documentary? Red Files.

      The site is supported by video ads that play at the beginning of the video. Then, during the video, to my irritation, static ad content slides out in a translucent bar, which is closed by clicking the X in the top-right corner. Video quality is excellent. I like this site due to the sheer uniqueness of the content, all of which is professionally generated.


      This one is pretty iffy. It's a web site that pairs with an application (spyware risk, anyone?) that streams live TV and radio stations from mostly non-American sources - like the BBC and Al-Jazeera. Remember how I was delighted with the video services that required a player to view the content? Well these guys got it wrong. The clunky player only plays the video or audio half the time due to the fact that users may add content that then becomes unavailable even though LiveStation shows it as available. I think that what they're doing with their client is aggregating the streaming content from a "partner" entity's web site. I'd save the effort and just go to the web site of the entity you want to watch - you'll likely not suffer as much disappointment. Quality is wildly variable. The player app is available for almost every OS and platform, from Windows and Linux to Mac (Intel and PPC!).


      Miro is a horse of a different color. First up you have to download and install it. It is RSS for video. You tell it which "channels" you like, and whenever you run the app it checks those feeds for fresh content, which it will then download for your offline viewing pleasure (the bar doesn't have Wifi? Pshaw, I'm still entertained!). That's right, it saves the movie files right to your hard drive, from which you can copy them into your favorite mobile device and watch them on the go, or you can just watch them in Miro. Miro is NOT for those seeking instant gratification as it must download the entire video before it plays it. Miro seems to be the only video app that plays HD content, so if you hook your computer to your TV and play the videos your in for a real treat. My favorite channels include NASAcast and Monty Python.


      This one has potential, but in its current form it's too hit and miss, too low quality, and too difficult to navigate to be used by most people. Unless you're an expatriate from Asia, Europe, or the Middle East who's missing the TV from home, you will likely be disappointed by this service. It's similar to LiveStation (see above) in that it attempts to aggregate several sites' streaming content into one searchable, useable place. It won't work unless you download their proprietary plugin (I wonder if its' loaded with spyware?), and the video quality is poor. However, I'm going to periodically check back on this one because I can see the potential - the web site has a visual appeal a la Joost.

      Wednesday, August 12, 2009

      Firefox: No Longer King of the Browser Hill?

      After nearly seven years of telling Windows users to "Get Firefox!" I've finally stopped - Internet Explorer 8 is faster, just as secure, and has an excellent feature set. I'm not just whistling Dixie here - I deal with hundreds of Windows computers across 5 states. I see users of Firefox with spyware and extra browser bars just as often as I see IE users with those sorts of junkware. IE 8 adheres more closely to web standards and displays web pages the way the author intended. Firefox does - usually. Have you ever connected to Outlook Web Access with Firefox? It sucks. I won't explain why, I'll just wait while you try it.

      OK, next up, IE 8 is just plain faster than Firefox 3.5. Take a Pentium 3 with 256MB of RAM and Windows XP, install IE 8 and Firefox 3.5 (go on, I'll wait, this will take a while . . .) then surf the web. IE 8 is faster, and it is most noticeable on older computers.
      Also, Google Chrome is cool too. It's fast, displays web pages well, but it works the same as Firefox if you hit Outlook Web Access. On the up side it's new enough that it's a tiny target for malware.

      OK, now for my Mac followers: Quit with the Firefox and try Safari. The latest updates have made it super fast, and its interface reminds me of a cross between Firefox and Google Chrome. The Top Sites feature is great eye candy, check the picture at the right.
      Best of all, Flash (Shockwave) games work better in Safari. A good example is the Star Wars Clone Wars game my son plays on Cartoon Network. It loads much, much faster on Safari, then actually works. Lets see Firefox do that!

      Saturday, August 08, 2009

      E-Mailed Virus Warnings

      I never thought I would have to make this blog post, but events over the past couple of weeks have forced my hand.

      Please: NEVER, EVER FORWARD E-MAILED WARNINGS OF VIRUSES

      True virus warnings will not come from the guy that sends you silly emails. They won't even come from your accountant. They will come from the news - yes, that's right, watching the TV news or listening to the news on the radio you will hear stories of impending computer virus doom. Nimda, Melissa, and Conficker all made the 10 O'Clock news. They were worth worrying about.

      E-mailed missives of impending doom often come from someone we trust, contain bogusness similar to "I checked with the executives at Symantec and they confirmed that this is for real," and "it will 'burn' your hard drive, making it unreadable and destroying all of your data," and are complete and utter wastes of time.

      There are some idiots out there who create things like this then laugh at the chaos it creates. Please don't be their patsy! Don't kid yourself, forwarding these things is almost as bad as spreading a real virus in that they waste time and resources. Resources that have been spent assuring people that this warning is a hoax and that we do not need to prepare for this disastrous worm or virus or whatever. My phone rang for two days. My inbox filled up. My patience wore thin.

      Your computer guy has better things to do than assure you that this is a hoax.

      Tuesday, August 04, 2009

      Windows XP/Server NTBackup Script

      WARNING
      If technical content gives you a headache SKIP THIS POST. I make a lot of assumptions about the technical savvy and familiarity of the user with the command line and DOS batch files.
      I've played this one pretty close to the vest, but it's time for the world to behold the glory that is . . . My Windows NTBackup Script. This baby will back up your registry, your Exchange data, Sharepoint, user documents, and, provided you use the proper net stop commands, your databases can all be backed up. Familiarity with your database server also helps - often there is a command to dump the data from the database into a separate set of files that can be backed up while the database is still running.

      This script is for backup to an external hard drive - in this case the i:\ drive. It's specific to many of my health care servers, but is easily modified to work almost anywhere - just delete the references to SharePoint, MySql, ProgressiveSQL, etc.

      You will need to create the following directories on your external hard drive:




      \backups
      \backups-shortterm
      \backups-longterm
      \backups-delete


      You will also need to create %windir%\backups\data\sysstate.bks and%windir%\backups\data\userdata.bks by opening up NTBackup, making the selections for your system state and user data, and saving them into the necessary files name and placed appropriately.

      Lastly you will need to install Blat in your c:\windows\system32.


      REM @echo off

      REM ***Set Variables***
      Set DateCode=%date:~-4%%date:~4,2%%date:~7,2%.%time:~0,2%%time:~3,2%%time:~6,2%
      set sharepointbackuplocation=d:\sharepoint\backup
      set blat=c:\windows\system32\blat.exe
      set relayserver=mail.charter.net
      set yoursite=http://server
      set emailsub=SharePointBackupReport
      set templog=d:\backupscripts\spbackup.txt
      set sharepointfile=Backup.bak
      set to=desireduser@yourdomain.com
      set who=sbackup@yourdomain.com
      set
      reply=noreply@yourdomain.com

      echo System Backup Script v1.1 by J Hoeft >> %templog%

      REM ***Lock Sharepoint as readonly, create backup, unlock***
      echo Backing up Sharepoin" >> %templog%
      "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\BIN\Stsadm.exe" -o setsitelock -url %yoursite% -lock readonly
      "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\BIN\Stsadm.exe" -o backup -overwrite -url %yoursite% -backupmethod full -filename %sharepointbackuplocation%\%sharepointfile% >>%templog%
      "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\BIN\Stsadm.exe" -o setsitelock -url %yoursite% -lock none
      dir %sharepointbackuplocation% >> %templog%


      REM ***shutdown Progressive SQL for ECS backup***
      echo Stopping Progress SQL >> %templog%
      \\server\keane\dlc\bin\pccmd.exe proservice stop >>%templog%


      REM ***delete previous ECS backup***
      del /q d:\AmericanData\EcsBackUp\dbar
      del /q d:\AmericanData\EcsBackUp\dbarforms
      del /q d:\AmericanData\EcsBackUp\dbdoc
      del /q d:\AmericanData\EcsBackUp\dbhistory
      del /q d:\AmericanData\EcsBackUp\dbmds
      del /q d:\AmericanData\EcsBackUp\dbparadox
      del /q d:\AmericanData\EcsBackUp\dbpicklist
      del /q d:\AmericanData\EcsBackUp\dbreport
      del /q d:\AmericanData\EcsBackUp\mysql

      REM ***create new backup files***
      d:
      cd \
      cd AmericanData
      cd mysql
      cd bin
      mysqladmin flush-tables
      mysqladmin flush-tables

      copy d:\AmericanData\mysql\data\dbar d:\AmericanData\EcsBackUp\dbar
      copy d:\AmericanData\mysql\data\dbarforms d:\AmericanData\EcsBackUp\dbarforms
      copy d:\AmericanData\mysql\data\dbdoc d:\AmericanData\EcsBackUp\dbdoc
      copy d:\AmericanData\mysql\data\dbhistory d:\AmericanData\EcsBackUp\dbhistory
      copy d:\AmericanData\mysql\data\dbmds d:\AmericanData\EcsBackUp\dbmds
      copy d:\AmericanData\mysql\data\dbparadox d:\AmericanData\EcsBackUp\dbparadox
      copy d:\AmericanData\mysql\data\dbpicklist d:\AmericanData\EcsBackUp\dbpicklist
      copy d:\AmericanData\mysql\data\dbreport d:\AmericanData\EcsBackUp\dbreport
      copy d:\AmericanData\mysql\data\mysql d:\AmericanData\EcsBackUp\mysql

      REM ***Start Progressive SQL***
      echo Starting Progress SQL >> %templog%
      \\server\keane\dlc\bin\pccmd.exe proservice start >>%templog%

      REM ***Do System State Backup***
      ntbackup backup "@%windir%\backups\data\sysstate.bks" /j "System State Backup" /f "i:\backups\SysState-%datecode%.bkf" /d "System State" /v:yes /r:no /l:s /m normal /rs:no /hc:off

      REM ***Do User Data Backup***
      ntbackup backup "@%windir%\backups\data\userdata.bks" /j "User Data" /f "i:\backups\UserData-%datecode%.bkf" /d "Full - User Data" /v:yes /r:no /l:s /m normal /rs:no /hc:off


      REM ***Cleanup backup files weekly***
      If /i "%date:~0,3%" == "Sun" (
      Echo Weekly backup file considation performed.>>%templog%
      move i:\backups-longterm\*.* i:\backups-delete
      move i:\backups-shortterm\*.* i:\backups-longterm
      move i:\backups\*.* i:\backups-shortterm
      del /q i:\backups-delete\*.*
      )

      REM *Email backup results*
      dir i:\backups >>%templog%
      %blat% "%templog%" -t %to% -s "%emailsub%" -i %who% -f "%reply%" -q -server "%relayserver%"

      REM ***Delete Temp Log***
      del /q %templog%

      I found out how to print the NTBackup Log!  (From WindowsITPro.com, thanks, guys!)


      Create a .bat file called PrtBakLog.bat that contains the following:



      @echo off
      setlocal
      if {%1}=={} @echo Syntax PrintDevice (\\Server\Printer)
      set device=%1
      set prt=N
      for /f "Tokens=*" %%i in ('dir /o-d /b "%userprofile%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\backup*.log"') do call :print %%i
      endlocal
      goto :EOF
      :print
      if not "%prt%" EQU "N" goto :EOF
      set prt=Y
      print /D:%device% "%userprofile%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\%1"
      Insert Call PrtBkLog \\Server\Printer In the backup batch file, and you're going - you can even leave out the lame e-mailed reports!


      Friday, July 17, 2009

      Windows 7 Available on New Computers!

      Or more accurately, free upgrade to Windows 7 once it becomes available. I've even seen this made available to users who purchase computers with an XP Downgrade.

      What's so cool about Windows 7?
      • It's faster than Vista. If your computer runs Vista, this will make it run faster. If you use a computer that is more than three years old it will be sluggish if you upgrade it from XP.
      • It will run your old programs. That popular time and attendance application that hasn't been updated since 1994? Worked fine from Windows 3.1 to to Windows 95, NT4 to 2000 to XP, then POW, it won't work on Vista. The camera view zooms out. Snow falls silently. Crouched at the edge of the bamboo is . . . XPM. XPM is XP Mode, and it is here to help you. I haven't tried it out yet, but as a fan of Microsoft VirtualPC, I'm willing to believe the hype.
      • The cool effects are actually useful and make sense in their various contexts. You're just gonna have to trust me on this one.
      • It's easier to support - my job will be much easier with the new Problem Steps Recorder, which allows the user to record a video of what is going on in their computer, add comments to it, then save it to a file that can be emailed to the support tech. Rock on for thinking about me, Micro$oft!
      What sucks about it?
      • It's an incremental upgrade, not a radical rethink (despite what Microsoft says about it) - it's like Windows ME was an upgrade of Windows 98, but this time it won't suck. As bad. We hope.
      • It looks like Vista. You know how caterpillars have distinctive colors to let birds know that they taste bad and might be poisonous? The bird eats a pretty caterpillar, gets sick, and remembers what they look like so they don't do that again. Humans can be like that bird - I cringe at the Vista interface not because it's a bad interface but because Vista sucked.

      Monday, July 13, 2009

      Sysco TraySys Network Configuration

      Dietary Managers across the Midwest, and likely across the country, use a handy program called TraySys to manage their residents' dietary needs and to print tray cards to insure that these needs are accurately met.

      Most facilities have one computer in the Dietary department, and it will likely stay that way. However, some facilities have multiple dietary users - say a Dietary Manager and a Dietitian. Both need access to TraySys, and it's mighty convenient to have it in a server for both users to use.

      However, the documentation and support for a network environment are virtually non-existant. Sorry, Sysco, but someone dropped the support ball on this one. I was told by telephone support to RTFM (Read The Fine Manual). The manual said nothing about network support.

      Through trial and error I figured it out:
      1. You must install the software locally on each computer
      2. Create a share on the server that is accessible to both users and map it as a network drive (I chose T: because it stands for TraySys)
      3. Run TraySys on each computer, one at a time and do the following:
      4. Click Tools -> Network Configuration
      5. Fill in or browse for the new mapped drive you created
      6. Check "Use Data Server"
      7. ONLY if you have already been using TraySys locally should you click the Copy Data to Server button, and ONLY on the 1st computer - if you do it from subsequent computers the data will be overwritten with blank data.
      8. Click Connect to Server and wait for a success message.

      Saturday, July 11, 2009

      Free Antivirus Roundup - Summer 2009

      A lot has changed since my last post about Antivirus products - editions have been thoroughly updated and spyware has become a bigger threat than viruses.

      Avast, a one-time favorite of mine (for its excellent protection) had stopped being free for home use for a short time, so I stopped using it. It is back, and freely available at http://www.avast.com/eng/download-avast-home.html for home and non-commercial use. Registration is compulsory if you plan on using it for more than 60 days, but accurate registration information I'm sure is optional. Avast is known for being light-weight with regard to system resource consumption. I hate the Avast user interface.

      What you get:
      • Anti-Virus
      • Anti-Spyware
      • Anti-Rootkit
      • Resident Shield
      • P2P and IM Shield
      • Network Shield
      • Web Shield
      • E-Mail Scanning
      • Virus Vault
      • Scheduled Scans
      • Supports 64-bit Windows
      • Integrated Virus Cleaner
      What's crippled unless you get the pro version:
      • Web Script Blocker
      • Automatic Updates
      • Push Updates
      • Command-Line Scanner


      AVG Free has been a solid option, and there is no requirement for registration. However it periodically nags you about being a cheapskate and informs you of the many benefits of paying for your antivirus.

      The new user interface for Version 8+ isn't as intimidating as previous versions, but it still sucks. Burying options behind a bunch of vague icons and menu items is no way for a product to make friends and influence people. Aside from the lousy interface I've been unimpressed with the frequency of reboots the paid product has required in order to complete updates. Come on, guys, servers can't be rebooted every week!

      On the plus side, the resident application has a small system footprint (except when it's scanning) and does a great job of detecting and removing viruses and spyware. In a business environment AVG brings a lot of bang for your buck - great centralized deployment, reporting and management.

      What you get:
      • Anti-Virus
      • Anti-Spyware
      • Resident Shield
      • Automatic Updates
      • Scheduled Scans
      • Link Scanner Surfing and Search Shields (real-time malicious link and site blocking)
      • Virus Vault
      • Supports 64-bit Windows
      • Integrated Virus Cleaner
      What's crippled unless you get the pro version:
      • P2P and IM Shield
      • Anti-Rootkit
      • E-Mail Scanning


      Avira Antivir Personal has also been a solid choice if you can tolerate the periodic nag trying to get you to fork over 50 Euros - tres costly! The minimalist user interface and tiny system footprint make this an ideal antivirus for older systems. Its detection capabilities border on supernatural.

      What you get:
      • Anti-Virus
      • Anti-Spyware
      • Anti-Rootkit
      • Automatic Updates
      • Scheduled Scans
      • Integrated Virus Cleaner
      • Supports 64-bit Windows
      What's crippled unless you get the pro version:
      • Web Shield
      • E-Mail Scanning

      Panda Cloud Antivirus, currently in beta, is the newest kid on the Anti-virus block, and so far I'm thinking its the coolest! Minimalist user interface has no ambiguity. Real-time protection extends to the Internet - I tried downloading the Eicar test files and was prevented from doing so before they even reached the desktop.

      Oh yeah, it's FREE as in beer! There is no pro version, this is the whole enchilada. I'm imagining that Panda isn't doing this altruistically - they've been an underdog Anti-virus provider for some time, so a free offering like this will get the attention of IT pros who will then be interested in the full editions with management features and such.

      There is no option to schedule scans, but the real-time protection scheme might well remove the requirement for slow-ass scheduled scans. I don't know if it integrates with e-mail or not.

      What you get:
      • Anti-Virus
      • Anti-Spyware
      • Resident Shield
      • Automatic Updates
      • Integrated Virus Cleaner
      What's crippled unless you get the pro version:
      • NOTHING!

      Microsoft Security Essentials is in a closed beta. However, it will soon be freely available to all once the beta is over. Minimal configuration options and a Spartan interface make it easy to use and understand. It will likely be an excellent option for personal antivirus as it has a small system footprint yet is highly effective at detecting threats in real-time. It doesn't integrate with e-mail products.

      What you get:
      • Anti-Virus
      • Anti-Spyware
      • Resident Shield
      • Automatic Updates
      • Scheduled Scans
      • Integrated Virus Cleaner
      What's crippled unless you get the pro version:
      • NOTHING!

      ClamWin is the only Open Source Anti-virus offering for Windows. It has a simple user interface and reliably detects all manner of malware. It has no real-time protection, it has no web protection, and doesn't integrate with e-mail products. It is by far the most basic of Windows Anti-virus systems.

      However this simplicity can be seen as a strength:

      Tiny system footprint makes it ideal for low-power computers. Even while scanning the file system for viruses on a low-end system you will still be able to use the computer at a reasonable speed.

      What you get:
      • Anti-Virus
      • Anti-Spyware
      • Automatic Updates
      • Scheduled Scans
      • Integrated Virus Cleaner
      What's crippled unless you get the pro version:
      • NOTHING!

      Tuesday, July 07, 2009

      FTP Applications and Squid Proxy (AdvProxy for IPCop)

      I'm having a lot of trouble with Windows applications that transfer files to and from Internet-based servers via FTP or that tunnel FTP over HTTP. I know I'm in trouble with a Windows file transfer app if it has proxy settings - even if I configure them with the correct proxy info (despite the fact that its a transparent proxy it will gladly accept traffic at port 800) they still fall flat.

      Passive FTP from a Windows command prompt works great. Active mode transfers fail, which I can understand as they represent a security threat (open Port 20). I also understand Squid squashing tunneling over HTTP as this is a great way to hide malicious or undesirable traffic, but I'm not sure why applications that seem to use straight Passive FTP fail when the AdvProxy is enabled even though I can use a command-prompt ftp.

      I guess I need to look at the traffic with Wireshark (my favorite packet capture and analysis tool) and see what's really happening.

      I'm also going to add the kernel module ip_nat_ftp to an IPCop on a network experiencing this problem - the command is modprobe ip_nat_ftp.

      If someone reading this has more insight, please share!

      Monday, July 06, 2009

      Pitney Bowes Postage Meter and Squid Proxy

      The software that comes from Pitney Bowes for loading postage into your meter doesn't work behind an IPCop running the Squid proxy - doesn't matter if its in Transparent Mode or not. I added ports and protocols, tried several options, and still no dice. It worked only when the proxy was turned off, which then makes the IPCop handle all traffic with IPTables which acts as a state-aware NAT box.

      So this Geekspeek is meaningless - how do you use a Pitney Bowes postage meter when you are using an IPCop on your network?

      1. Open the IPCop web administration page.
      2. Go to Services -> Proxy (or Advanced Proxy).
      3. Uncheck "Enabled on Green."
      4. Scroll to the bottom and click "Save and Restart." - Don't close your web browser!
      5. Run your Postal Meter program and load your meter with cash.
      6. Go back to your browser and check "Enabled on Green."
      7. Scroll to the bottom and click "Save and Restart."

      Thursday, July 02, 2009

      Converting from HMDS to ANRMS

      If you are having problems getting on AT&T and getting the error message that your User ID needs changed you will need to follow these steps to change the ID in the dialer.
      1. First, click on the icon that connects you to the AT&T dialer. The big green connect will appear.
      2. On the left hand side of screen you will see a settings tab, click it.
      3. The next thing you will see is show or set up wizard..click that. This will get you into where you need to be.
      4. Click next screen and when you do you will see your old ID. Change this to ANRMS and then click out rest of wizard to finish.
      5. Your password has been RESET - your password will be the same as your User ID. So if your User ID is h@1a2b3c, your password will be h@1a2b3c. You will be prompted to change it after you have signed in.
      If you tried to transmit without following these directions, your account is locked out. If you're locked out, Contact MDS/OASIS helpdesk at (800) 905-2069 or send an email to mdcn.mco@palmettogba.com and ask for a password reset. It will be reset to your User ID within 24 hours. Please give them the full 24 hours as they take a while to reset your password and you'll be wasting your time trying to connect.

      Thanks, Tracy!

      You can find the latest AT&T Global network client at https://www.qtso.com/mdcn.html

      Tuesday, June 23, 2009

      Microsoft Security Essentials - Beta

      In what I perceive as another apology from M$ for making such bloated code with so many features that the inconvenience for users is only rivaled by the convenience for hackers, Micro$oft has announced that 75,000 lucky souls in the US, Israel, and Brazil (sorry, little Kim Jong Un, no Beta for you!) will get to try it out this replacement for the pitiful Windows Defender. Windows Defender seemed so promising, but just sucked, hassled me about VNC, and sucked some more.

      Of course I dashed right over to http://www.microsoft.com/security_essentials/, signed up, was approved, and downloaded the Beta for myself and a friend (she has an Windows7 x64 system, but doesn't know it yet) and installed it. It ran a scan. It found . . . nothing. Not totally unexpected as all I ever do with my XP machine is test software and run Quickbooks. It's not even really a machine - it's running in in a Virtual Box under Mac OS X Leopard. However, I'll rest a bit easier knowing that my current Antivirus - ClamWin has some backup should I ever step in a website I shouldn't have. Call me a glutton for punishment.

      **UPDATE 6-Jul-09 The Beta has closed - if you don't have it already you have to wait for the final release.

      Monday, June 22, 2009

      HP Total Care Backup Manager - First Impression: Total Crap

      A friend brought an HP laptop to me. It came with Vista Home Premium, and it would not boot up. It would always stick at the black screen with a cursor that precedes the login screen. No amount of system checkpoint recovery, chkdsk, and replacing the registry files with a base copy did no good. Even the venerable SpinRite (which is completely worth the $80 or so I spent for it - I keep on hoping for a SpinRite 7!) I went for HP's tools as a last resort.

      I decided that, prior to attempting to boot Knoppix and move the customer's desired data onto a temporary medium I would see if there was a repair option. Alas, there was not, but there was a handy backup featue that promised to back up all of the data, classified into images, documents, multimedia, and the like. Beautiful!

      I proceeded to attach the requested USB storage - an 8GB Lexar stick, which the backup app didn't even deign to recognize. I attached an external 3.5" hdd and the Next button cheerfully lit up. I eagerly pressed it, and, to my horror, it scoured the whole local hdd and proceeded to archive every inane image, document, .wav file, .txt file, countless .png's and .jpg's from numerous crapware HTML documents that came with the computer. The backup took 10 hours.

      The reinstall of Vista took considerably less time than that, and, after removing of the crapware the system came with (njdsakfdsaNortonSystemProtectfndjaskf, oops, sneezed), I proceeded to point the system at the external hard drive, run the restore application, and let 'er rip! Well, it's been an hour and a half, and it still shows 0% complete.

      A brief search on Google brought numerous complaints of this with no answers to be found. Great - I'll let it set until morning and see what happens.

      Meanwhile, I'm contemplating the merits of installing the Windows 7 RC and giving it back to them, or, even more daring, loading it with Ubuntu!

      Do any of you have thoughts on this? Please let me know, I'm sure the data restore will finish in a day or two! Way to go, HP, Awesome Backup App, GREAT JOB.

      ***

      It's morning and I see that the Restore Manager got it's act together - 12 hours later and it's 24%through it's restore. This speaks very poorly of the efficiency of the code that HP is using to backup and restore info. It should be much quicker as it's coming from a USB 2.0 external HDD. Come on, HP, ntbackup works better than this!

      ***

      Wow, 15 hours later all 30GB or so of data has been restored. If your HP Backup Manager seems like it's doing nothing, give it a day or so, it'll get its act together.

      Tuesday, June 09, 2009

      1 out of 5 my IPCops Behaved Very Oddly Since Sunday NIght

      I run somewhere around 25 IPCops in my organization, and one at home. Five of them, including my personal unit, exhibited an odd behavior. On Monday morning Four customers called and said that their Internet did not work. I checked their systems and the IPCop was up and running, VPN's were on. HTTPS worked, but not HTTP. I could ping remote hosts by hostname or IP with no issues from desktops in the Green Zone. Rebooting the IPCop fixed the issue in 3 cases. The fourth case that day I fixed it by unchecking Enabled and Transparent under the Advanced Proxy, save/restart, tested HTTP worked, reenabled the Advanced Proxy and Transparent settings, save/restart, and tested - HTTP worked. This morning my personal unit exhibited the same behavior - rebooting did not fix it, but clearing the Advanced Proxy and Transparent check boxes, save/restart, then re-enabling them, save/restart, and it works.

      Since this happened on 1/5 of my boxes during the same time period, and all boxes are on independant public IP's from disparate carriers, I suspect that this was either caused by some function of date and time, by some type of port scanning/probing from the outside, or by a malformed (or maligned) http communication that breaks Squid.

      Wednesday, June 03, 2009

      Will Oracle kill OpenOffice.org?

      I just finished reading this article on the Register, and I'm almost ready to cry. Oracle acquired Sun. Sun was the main developer of OpenOffice.org, with help from IBM, Novell, and a host of other organizations trying to break the M$ stranglehold on office productivity suites. Oracle is asking OpenOffice.org developers to develop for their new, proprietary platform JavaFX. Think Microsoft Java, but the goose's sauce apparently doesn't apply to the gander!

      In 1998 Sun sued M$ over licensing violations, saying that M$ shouldn't be allowed to change the Java systems and code so that they run better on Windows, but ONLY on Windows. Now it appears that Oracle may be trying to corner OpenOffice.org so that it runs best ONLY on JavaFX, their propreitary system that you would have to BUY.

      I'd rather lose Oracle than lose OpenOffice.org. I don't directly use or recommend any Oracle products, and I'm willing to bet you don't either. Indirectly you use their products in most any financial or business transaction, but don't let that worry you. It's inevitable - if you boycotted anything that was connected to Oracle you might want to look up the Kaczynski family and see if they have a cabin for sale.

      I'm just sayin . . .