Category Archives: Software

Microsoft Word Does Regex

Who knew, or even suspected?  Microsoft Word does regex!, via Joho the Blog.

Of course, most people who understood that are probably wondering why anyone who speaks regex well enough to want to use it in searches in Word would be using MS Word rather than Open Office or LaTeX….


“Mozillazine Servers Down” Message

Can’t find any servers to help you

The mozillazine servers seem to be on strike. The systems team is negotiating…

Please try again later

[this used to be the "drupal.org error"]

via Mozillazine Servers Down.

Of course, in a few years, when our servers reach sentience, and then become our robot overlords, this may not seem so funny.

(I was trying to find out how to get Helvetica as a font on Mozilla, and learning that it may be a very bad idea because of this buggish behavior.)


Dropbox Is Much Less Private Than I Thought

Slight Paranoia has the story. It seems Dropbox tries to avoid storing duplicate files, and thus checks (probably via a hash comparison) to see if any OTHER user has uploaded the same file. And there’s the rub:

As Ashkan Soltani was able to test in just a few minutes, it is possible to determine if any given file is already stored by one or more Dropbox users, simply by observing the amount of data transferred between your own computer and Dropbox’s servers. If the file isn’t already stored by Dropbox, the entire file will be uploaded. If Dropbox has the file already, just a few kb of communication will occur.

While this doesn’t tell you which other users have uploaded this file, presumably Dropbox can figure it out. I doubt they’d do it if asked by a random user, but when presented with a court order, they could be forced to.

What this means, is that from the comfort of their desks, law enforcement agencies or copyright trolls can upload contraband files to Dropbox, watch the amount of bandwidth consumed, and then obtain a court order if the amount of data transferred is smaller than the size of the file.

Last year, the New York Attorney General announced that Facebook, MySpace and IsoHunt had agreed to start comparing every image uploaded by a user to an AG supplied database of more than 8000 hashes of child pornography. It is easy to imagine a similar database of hashes for pirated movies and songs, ebooks stripped of DRM, or leaked US government diplomatic cables.

via slight paranoia: How Dropbox sacrifices user privacy for cost savings.

Ungood. Not actually something that I think has a large chance of impacting my life, but it’s bracing to discover that Dropbox has easy access to cleartext of my files and has such a large security hole. I was misled by their description of how they encrypted things. The description is being corrected as a result of this discovery, but I’d rather they fixed the problem, thank you very much.
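The leak described in the quoted passage can be reproduced in a toy model. This is an added example, not code from the post or from Dropbox: the `DedupStore` class, the SHA-256 hash check and the byte counts are assumptions chosen to show why deduplicating across all accounts exposes file presence, while deduplicating only within one account does not.

```python
import hashlib

class DedupStore:
    """Toy storage service (constructed model, not Dropbox's real protocol)."""

    def __init__(self, scope):
        self.scope = scope   # "global": dedup across all users; "per_user": within one account
        self.blobs = {}      # dedup key -> stored bytes

    def upload(self, user, data):
        """Store `data` for `user`; return how many bytes the client had to send."""
        digest = hashlib.sha256(data).hexdigest()
        key = digest if self.scope == "global" else (user, digest)
        if key in self.blobs:
            return len(digest)            # server already has it: only the hash is sent
        self.blobs[key] = data
        return len(digest) + len(data)    # hash plus the full file body

def presence_leaks(scope):
    """Return (leak for a file another user stored, leak for a file nobody stored).

    A leak means the observer sent fewer bytes than the file contains,
    which is the signal described in the quoted text.
    """
    store = DedupStore(scope)
    stored = b"A" * 4096      # constructed sample: a file alice has uploaded
    unstored = b"B" * 4096    # constructed sample: a file no one has uploaded
    store.upload("alice", stored)
    results = []
    for probe in (stored, unstored):
        sent = store.upload("observer", probe)
        results.append(sent < len(probe))
    return tuple(results)

if __name__ == "__main__":
    print("global dedup  :", presence_leaks("global"))    # presence of alice's file is visible
    print("per-user dedup:", presence_leaks("per_user"))  # nothing to observe
```

Scoping deduplication to a single account removes the signal at the price of the storage savings that cross-user deduplication was meant to provide.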


Waiting for Scrapbook+

All of the really important Firefox extensions I rely on daily have been updated to be compatible with Firefox 4 — except one: Scrapbook+, the infernally useful web page saving tool (no webrot fears here). The Scrapbook Plus Add-ons Page hasn’t been updated since August 2010, and is silent on the subject other than for some plaintive user requests. Some people say that they’ve downgraded to plain old Scrapbook, which has been updated, but there is also a prominent user report there of lost data that doesn’t make me feel all warm and fuzzy.

So I emailed the developer of Scrapbook+ to ask if an update might be in the works, and lo and behold, inside of ten minutes comes the answer, yes, one is in the works. Some days the Internet is great.

So I guess I’ll hold off on that Firefox 4 upgrade just a bit longer. I just hope the Scrapbook+ update gets here before Firefox 5, which allegedly has a mid-2011 release date.

The other extension I rely on that is not FF4 compliant is Autocopy. Normally I’d override that problem with MR-Tech Toolkit, but it looks as if that isn’t compatible either…


Dropbox ‘Insecure By Design’

Here’s the problem: the config.db file is completely portable and is *not* tied to the system in any way. This means that if you gain access to a person’s config.db file (or just the host_id), you gain complete access to the person’s Dropbox until such time that the person removes the host from the list of linked devices via the Dropbox web interface. Taking the config.db file, copying it onto another system (you may need to modify the dropbox_path, to a valid path), and then starting the Dropbox client immediately joins that system into the synchronization group without notifying the authorized user, prompting for credentials, or even getting added to the list of linked devices within your Dropbox account (even though the new system has a completely different name) – this appears to be by design. Additionally, the host_id is still valid even after the user changes their Dropbox password (thus a standard remediation step of changing credentials does not resolve this issue).

Dropbox authentication: insecure by design via Slashdot.

This is a somewhat big deal, especially for anyone using Dropbox file sync on a mobile device that could be easily borrowed for a minute. It will become a very big deal if someone writes a virus that takes advantage of it.

I love Dropbox. I don’t use it on anything mobile other than my laptop, which I do keep a close eye on. I encrypt files with anything good on them before I put them in the Dropbox. I think all my machines are pretty well hardened against viruses. And this still makes me unhappy.
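The two properties the quoted report complains about, a host_id that works from any system and that survives a password change, can be set beside a stricter server-side policy. This is an added sketch, not Dropbox's code: `SyncServer`, the `fingerprint` argument and the revoke-on-reset rule are assumptions made for illustration.

```python
import secrets

class SyncServer:
    """Toy model of linked-device tokens (constructed; not Dropbox's implementation)."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.tokens = {}   # host_id -> (user, device fingerprint recorded at link time)

    def link_device(self, user, fingerprint):
        host_id = secrets.token_hex(16)
        self.tokens[host_id] = (user, fingerprint)
        return host_id

    def authorize(self, host_id, fingerprint):
        entry = self.tokens.get(host_id)
        if entry is None:
            return False
        # Assumption: the fingerprint is derived from something that is not stored
        # next to host_id in the portable config file (e.g. an OS keystore secret).
        if self.hardened and entry[1] != fingerprint:
            return False   # token presented from a system it was not issued to
        return True

    def change_password(self, user):
        # Hardened policy: a credential reset revokes every device token for the user,
        # so changing the password is an effective remediation step.
        if self.hardened:
            self.tokens = {h: e for h, e in self.tokens.items() if e[0] != user}

def copied_token_outcomes(hardened):
    """Return (token accepted from another machine, token accepted after password change)."""
    server = SyncServer(hardened)
    host_id = server.link_device("alice", "laptop-A")
    elsewhere = server.authorize(host_id, "machine-B")
    server.change_password("alice")
    after_reset = server.authorize(host_id, "laptop-A")
    return elsewhere, after_reset

if __name__ == "__main__":
    print("behaviour described in the report:", copied_token_outcomes(hardened=False))
    print("device-bound, revoked on reset   :", copied_token_outcomes(hardened=True))
```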


Deja Vu All Over Again: Windows Crash

It’s been a remarkably long time since Windows crashed on me. I was actually getting to think that XP was stable. And even thinking that going to Win 7 might be tolerable.

Well, it’s back to the bad old days. This evening I fired up the scanner connected to my main desktop machine, and everything froze. I tried to do a software reboot but it wouldn’t even do that. So I did a hardware reboot.

Only, Windows wouldn’t start right. A little box popped up saying that it could not load my profile and I should contact my administrator. There was a countdown and an “OK” box. But I clicked “OK”. And just got another message about my user profile being damaged. So I contacted my administrator. Which would be me. We had a very nice discussion about the problem, and decided to try rebooting again.

But that didn’t work any better than the first time.

I was eventually able to enter safe mode (after using another computer to remind myself that it’s the oh-so-intuitive F8 key you have to push). Once there I was able to go back to the most recent restore point (after consulting help files to be reminded where it is hidden), two days ago. Suggestively, this restore point was made just before I installed the latest Win XP patches, numbers KB2494047, KB2479943, KB2481109, KB2508979 and KB890830. Post hoc, propter hoc?

So on the one hand, this is not a nice way for software to fail. On the other hand, I was able to get things seeming back to normal in about an hour. After the rollback, my virus checking files were out of date — one of them by several weeks, which is most peculiar. That took a very long time to download and install. Otherwise most everything else seemed to be working except that my Firefox profile got trashed, and I even lost my theme — but not, it seems, my plugins.

Crashes got a whole lot less scary ever since I started putting all my working documents on Dropbox. Having copies of all my work on several other machines means that the most I would lose even if my disk went is the day’s time it would take to reinstall and reconfigure all the software.
