Adobe Creative Suite 6 Installs Very Slowly

March 1, 2013

[Update 2014-01-10: the same issue occurs with Adobe Creative Cloud and the Creative Cloud Packager (CCP).  In this case the outbound attempts are on both port 80 and port 443, so you'll need two rules, one for each port.]

Here’s the scenario: when using AAMEE (the “Adobe Application Manager Enterprise Edition”) to install Adobe Creative Suite 6 on a machine [1] on an isolated LAN (i.e., a machine with no direct connection to the internet) it takes a very long time to install.  A very, very long time.  During most of this time CPU and disk activity are minimal.

It turns out that the installer is trying to contact various web sites on the internet, including crl.verisign.net, presumably to check whether any of the certificates that signed the files on the install media have been revoked.  When an attempt times out the installer continues anyway (the revocation check fails soft), but it makes many such attempts, and each one sits through the full connection timeout before the next can proceed.

The workaround I recommend is to add an outbound Windows Firewall rule blocking web traffic.  With the rule in place Windows rejects each connection attempt immediately instead of letting it wait for a timeout, and the installer moves on.  You can do this from an administrative command prompt like this (split for readability):

netsh advfirewall firewall add rule name="block www" dir=out 
    action=block protocol=tcp remoteport=80

To remove the rule later, this is the command:

netsh advfirewall firewall delete rule name="block www"
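The two netsh commands above, wrapped up so the rules cannot be left behind by accident.  This is an added example, not code from the original post: it blocks outbound TCP 80 and 443 (the 2014 note says Creative Cloud needs both), runs the installer, and removes the rules again even if the installer fails.  Rule names are kept free of spaces so they pass from PowerShell to netsh without quoting trouble.  The installer path in the usage line is an assumption; point it at your own AAMEE package.  Run from an elevated PowerShell prompt.

```powershell
# Added example; not part of the original post.  Blocks outbound web traffic
# for the duration of an install and always cleans up afterwards.

$Ports = 80, 443   # 80 for CS6; 443 as well for Creative Cloud / CCP

function Get-BlockRuleName([int]$Port) { "BlockWWW-$Port" }

function Add-WebBlockRules {
    foreach ($port in $Ports) {
        $name = Get-BlockRuleName $port
        netsh advfirewall firewall add rule name=$name dir=out action=block protocol=tcp remoteport=$port | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh could not add the rule for port $port" }
    }
}

function Remove-WebBlockRules {
    foreach ($port in $Ports) {
        $name = Get-BlockRuleName $port
        netsh advfirewall firewall delete rule name=$name | Out-Null
    }
}

function Test-WebBlockRules {
    # netsh exits non-zero ("No rules match the specified criteria.") when a
    # named rule does not exist, so this returns $true only if both are present.
    foreach ($port in $Ports) {
        $name = Get-BlockRuleName $port
        netsh advfirewall firewall show rule name=$name | Out-Null
        if ($LASTEXITCODE -ne 0) { return $false }
    }
    return $true
}

function Install-WithWebBlocked {
    param(
        [Parameter(Mandatory)][string]$InstallerPath,
        [string[]]$ArgumentList = @()
    )
    Add-WebBlockRules
    try {
        if (-not (Test-WebBlockRules)) { throw 'firewall rules did not apply' }
        $sp = @{ FilePath = $InstallerPath; Wait = $true; PassThru = $true }
        if ($ArgumentList.Count -gt 0) { $sp.ArgumentList = $ArgumentList }
        $p = Start-Process @sp
        return $p.ExitCode
    }
    finally {
        # Without this, ordinary web access stays blocked after the install.
        Remove-WebBlockRules
    }
}

# Usage (assumed path and switch):
# Install-WithWebBlocked -InstallerPath 'D:\AAMEE\Build\setup.exe' -ArgumentList '--silent'
```

Two things worth knowing before using it.  The rules are machine-wide while they exist; on an isolated LAN that costs nothing, but on a connected machine anything else that needs the web during the install will fail just as quickly (if the installer is a single executable you can narrow the rule with program=).  And the rule does not weaken the signature check beyond what the timeout already does: with no path to the CRL server the revocation status is unknown either way, and the rule simply makes that known immediately rather than after a timeout.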

So how much time does this save?  Well, on one of our new machines, the installer takes 30 minutes if the firewall rule is in place.  Without it, it takes five hours.

I’ll be raising this with Adobe and perhaps, if we’re lucky, the next version won’t be quite so vigorous in its efforts to check the digital signatures.  In the meantime, you may find this approach useful.

[1] The same problem may exist when using the regular installer; I haven’t checked.

Forcing Windows to identify a special-purpose network

February 3, 2013

One problem that comes up moderately frequently when dealing with Windows servers is that the Network Location Awareness service (NLA) doesn’t allow you to assign a particular adapter to a particular network.  On ordinary networks NLA seems to do a reasonable job, but typically it can’t cope with special-purpose networks such as SANs or point-to-point links; these are all lumped together as the “Unidentified Network” which by default is contained in the Public network profile.

Why is this a problem?  Because the Windows Firewall is configured on a per-profile basis.  That’s fine if Windows Firewall doesn’t interfere with whatever you’re doing on the special-purpose network.  Unfortunately, sometimes it does.

If you search the internet, you’ll find a number of scripts which change which network profile the “Unidentified Network” is put into.  You can also do this with group policy.  This means you can make unidentified networks Private, and turn Windows Firewall off (or set relaxed rules) for Private networks.  Is this a solution?  Not really, because it doesn’t just affect your special-purpose network, it affects every unidentified network from now on.  So if, for any reason, NLA ever fails to identify the network associated with your primary internet connection, your firewall will go down.  I’m not happy about that.

I’ve found a possible workaround.  IMPORTANT: I haven’t tested this thoroughly, and at the moment I’m not planning to use it on my production server (or at least only if every other option fails).  I’ve only tried it on Windows 2012 although I suspect it will work on older versions as well.  It is entirely possible that it only works for certain ethernet drivers.  Try this only at your own risk and please take proper and adequate precautions.

In addition to adapter settings such as the DNS prefix, NLA uses the default gateway’s MAC address to uniquely identify the network.  Special-purpose networks don’t generally have a default gateway; if yours does, you probably don’t have this problem in the first place!  The idea is to create a fictitious default gateway, with suitable parameters, and the trick is that you have to give the fictitious gateway the same ethernet address as the local network adapter on the special-purpose network in question.  If you give it a make-believe ethernet address, it won’t work; you could instead give it the address of another machine on the same network, but then it won’t work if that machine is ever off-line.

(If your special network is a point-to-point link, you might instead prefer to specify the actual IP address at the other end of the link as the default gateway, if you don’t mind that NLA will see it as a new network if the ethernet address ever changes.)

So, for example: when I use get-netadapter in PowerShell I see the following results:

PS C:\Users\Administrator> get-netadapter

Name                      InterfaceDescription                    ifIndex Status       MacAddress             LinkSpeed
----                      --------------------                    ------- ------       ----------             ---------
Ethernet 2                Broadcom BCM5709C NetXtreme II Gi...#42      13 Disconnected 00-10-18-EC-7F-84          0 bps
SAN 2                     Broadcom BCM5716C NetXtreme II Gi...#41      15 Up           08-9E-01-39-53-AB         1 Gbps
SAN 1                     Broadcom BCM5709C NetXtreme II Gi...#43      12 Up           00-10-18-EC-7F-86         1 Gbps
UoW                       Broadcom BCM5716C NetXtreme II Gi...#40      14 Up           08-9E-01-39-53-AA         1 Gbps

In order to assign a specific network to the third adapter listed ("SAN 1", interface index 12, MAC address 00-10-18-EC-7F-86) I would use the following commands:

new-netroute 0.0.0.0/0 -interfaceindex 12 -nexthop 192.0.2.1 -publish no -routemetric 9999
new-netneighbor 192.0.2.1 -interfaceindex 12 -linklayeraddress 001018ec7f86 -state permanent

The first command adds a default route, i.e., a default gateway, on the interface.  I chose IP address 192.0.2.1 because it is in a block reserved for documentation (RFC 5737, TEST-NET-1) and will never be assigned to a real device; I suggest you do the same.  We don't want this route to be published, and we set the metric to 9999 so that it will never be preferred.  (Windows uses the default gateway with the lowest metric.)

The second command gives the fictitious IP address an ethernet address; as discussed above, we use the same ethernet address as the adapter we're assigning it to.  Note that the ethernet address must be entered in a different format from the one in which it is displayed: just remove the hyphens.  We make the mapping permanent.  (You can use the remove-netneighbor command if you want to remove it later.)
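The same two commands, automated for a named adapter.  This is an added example and not code from the original post: it reads the adapter's own MAC address from Get-NetAdapter, strips the hyphens as New-NetNeighbor expects, refuses to touch an adapter that already has a default route, and installs the high-metric route plus the permanent neighbour entry.  It assumes the documentation address 192.0.2.1 and the adapter name "SAN 1" from the listing above; change them to suit.  The caveats in the post still apply: try it on a test machine first.

```powershell
# Added example; not part of the original post.  Gives a gateway-less adapter
# a fictitious default gateway so that NLA can identify its network.

$FakeGateway = '192.0.2.1'   # RFC 5737 TEST-NET-1, never assigned to a real host

function Set-FakeGateway {
    param(
        [Parameter(Mandatory)][string]$AdapterName,
        [string]$Gateway = $FakeGateway
    )

    $adapter = Get-NetAdapter -Name $AdapterName -ErrorAction Stop
    if ($adapter.Status -ne 'Up') {
        throw "Adapter '$AdapterName' is not up; NLA will not classify it until it is."
    }

    # An adapter that already has a default route has a real gateway, and NLA
    # should already be able to identify that network.  Leave it alone.
    $existing = Get-NetRoute -InterfaceIndex $adapter.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    if ($existing) {
        throw "Adapter '$AdapterName' already has a default route via $($existing.NextHop)."
    }

    # Get-NetAdapter shows 00-10-18-EC-7F-86; New-NetNeighbor wants 001018EC7F86.
    $mac = $adapter.MacAddress -replace '-', ''

    New-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceIndex $adapter.ifIndex `
        -NextHop $Gateway -Publish No -RouteMetric 9999 | Out-Null
    New-NetNeighbor -IPAddress $Gateway -InterfaceIndex $adapter.ifIndex `
        -LinkLayerAddress $mac -State Permanent | Out-Null

    # Return what was actually installed so the caller can check the metric.
    Get-NetRoute -InterfaceIndex $adapter.ifIndex -DestinationPrefix '0.0.0.0/0'
}

function Remove-FakeGateway {
    param(
        [Parameter(Mandatory)][string]$AdapterName,
        [string]$Gateway = $FakeGateway
    )
    $adapter = Get-NetAdapter -Name $AdapterName -ErrorAction Stop
    Remove-NetNeighbor -IPAddress $Gateway -InterfaceIndex $adapter.ifIndex `
        -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceIndex $adapter.ifIndex `
        -NextHop $Gateway -Confirm:$false -ErrorAction SilentlyContinue
}

# Usage (adapter name taken from the Get-NetAdapter listing above):
# Set-FakeGateway -AdapterName 'SAN 1'
# Get-NetConnectionProfile -InterfaceAlias 'SAN 1'   # what NLA now calls the network
# Remove-FakeGateway -AdapterName 'SAN 1'
```

One consequence to keep in mind: if the real default route on your primary adapter ever disappears, the fictitious one becomes the only default route, and internet-bound packets are then handed to the adapter's own MAC address and dropped rather than failing immediately with "network unreachable".  That is a different failure mode, not a security hole, but it is worth knowing about when troubleshooting.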

I hope this is helpful.  If you do try it, please let me know how it goes.

Fictitious Charges Don’t Cause Torque: Mansuripur’s Paradox

February 3, 2013

There’s been some talk lately about Mansuripur’s Paradox, e.g., see Slashdot.

For those not interested in the fine detail, there’s a very simple explanation as to why there isn’t any real paradox involved.  I’m not sure whether the debate is significant for electrical engineers; it may well be true, as Mansuripur suggests, that the Einstein-Laub equations are more appropriate than the Lorentz law for the purposes of electrical engineering.  (I have no opinion on that question.)  What should be pointed out, though, is that from a fundamental physics point of view there’s really nothing at all to see here.  (I believe that Mansuripur understands this [1], but I’m not at all sure that the journalists do!)

Let’s start with a quote from one of the articles (it looks like the paper is a bit more subtle, but the upshot might be [2] the same): “Now imagine how things look from a “moving frame of reference” in which the charge and magnet both glide by at a steady speed. Thanks to the weird effects of relativity, the magnet appears to have more positive charge on one side and more negative charge on the other.”

Now, it’s true that there’s an electric field, and for some purposes it may be convenient to imagine that this is due to charges on either side of the magnet. But these charges are fictitious. They aren’t really there, as can be easily shown by observing that charge is a scalar, and hence the charge distribution in the magnet cannot be dependent on the frame of reference. Since they aren’t there, it’s hardly surprising that the external electric field doesn’t apply a force to them.

So, basically, a fiction that happens to be convenient in electrical engineering is incompatible with relativity; or, if you prefer, in order to make fictitious charges compatible with relativity you also have to either have fictitious angular momentum, or modify the Lorentz force law.  As far as fundamental physics is concerned, this is not a paradox.

Update:

[1] I may be wrong about this; see comments to my question on Stack Exchange.

[2] The comments and linked question also suggest that I might have misunderstood the source of the supposed torque in the original paper.  There’s still nothing indicating any evidence of a real paradox.  I’ll update again if I learn anything new.

Is POLi safe?

December 28, 2012

Short answer: No.

Long answer: Hell, no.

BNZ (link here) and ASB (link here) have both recently reported that POLi have been spoofing their respective internet banking sites in order to process payments, meaning that banking passwords, any other applicable authentication information, and private banking information have been passing through POLi’s servers when POLi is used.

The banks have warned customers not to use POLi, although BNZ seems to be sending some mixed messages.

Looking at POLi’s terms and conditions there are some major warning signs.  The disclaimer of liability is probably unavoidable (though still not acceptable IMO; see below) but terms like “You will not monitor or alter the execution of POLi™ using tools external to POLi™” are neither.  They want us to trust that their software is safe to use, but they don’t want anyone to check on what it’s actually doing?  Yeah, right.

The POLi client is basically, from what I can gather, a special-purpose web browser.  While that limits exposure to security bugs, it doesn’t eliminate it, so it is also worrying that I can’t find any security bug reports either on major third party sites such as Secunia or on POLi’s own web site.  There should be at least the occasional report that “someone found a bug and we’ve fixed it” and the absence of these suggests that it really hasn’t had enough attention from the white hats.  The alternative is that POLi have figured out a way to write software without bugs; that’s basically the Holy Grail of modern computing, and if they had the secret of perfect software they’d all be fabulously wealthy and retired on private Hawaiian islands by now!

The real killer, though, is POLi’s own response to these claims (PDF).  Most importantly, the part where they deny that “POLi is spoofing/mirroring the ASB website” and claim that, instead, “POLi is providing a pass through service whereby the bank sites are accessed via our secure servers.”

Uh, hello?  Those two sentences mean the exact same thing.

POLi say they aren’t capturing customers’ authentication or other private information.  Well, good for them.  But they could.  Their software allows them to do it.  (It pretty much has to; otherwise there would be no way for the merchant to know they had been paid.)  That means it also allows anyone who manages to hack into their servers to do it.  This article on ZDNet lists some of the companies whose secure systems were breached this year: Symantec, Amazon.com-owned Zappos, Stratfor, Global Payments, LinkedIn, Yahoo – even the Chinese Government, for heaven’s sake.  Are POLi really so arrogant in the light of all this that they think their security is impenetrable?

Well, of course, they probably don’t think that.  They just want us to.

They also offer to let the banks audit the software.  Kind of pointless, really; since the software allows POLi’s servers to spoof the banking sites (oh, sorry, “provide a pass through service”) it has failed any credible audit in advance.  Any audit of the servers themselves would be good only on the day it was performed, at best.

I’m also amused by POLi’s claim on their web site (link here) that “Your confidential information is not disclosed to any third party, including us!” which I can only assume is based on a creative definition of the word “us” which excludes their servers.  True enough, the information probably doesn’t leave their secure servers and is probably deleted as soon as the transaction is complete, but that doesn’t mean that it isn’t being “disclosed” to “us” – not by any reasonable definition of those two words, at any rate.

They also say that “POLi checks the bank website’s SSL certificate and thumbprints to always ensure you are talking directly to your bank.”  So which is it, exactly?  Directly to your bank like the FAQ says or via a pass-through service like the announcement says?  These are mutually exclusive possibilities, so it has to be one or the other, and either way I’m not exactly filled with confidence.

Besides, in practical terms it doesn’t matter how good POLi’s security is.  Yours isn’t [1] because today’s consumer operating systems are still based on old designs which did not have security in mind.  If your computer becomes infected a hacker could easily modify the POLi client to behave maliciously.

Of course, said hacker could also modify your web browser to behave maliciously.  The difference is that if that happens, BNZ, at least, will cover your losses.  It isn’t clear that they will if POLi is involved, and POLi definitely won’t.

Until and unless your bank makes a public statement that they will cover POLi-related losses, don’t use it.  Just don’t.  Uninstall the client if you have it installed.  Ask your merchant to provide an alternative, or, if applicable, choose a different merchant. For example, both Ascent and Mighty Ape NZ [2] accept internet banking payments without needing any special client software, although granted you then have to wait for the payment to go through before they will ship the goods.

A small price to pay, I think.

Harry.

[1] To minimize your risks, make sure you use a standard user account (not an admin account) for your everyday activities, and use a different standard user account for your internet banking (and nothing else).  Better still, get a live DVD (a DVD which you can boot to, containing a simple operating system) and use that for internet banking.  This doesn’t change anything I’ve written here.  Both of these approaches are much better than nothing, but neither is foolproof.

[2] I have no association with either company except as a satisfied customer.

Safe Computing: Another Case of Too Many Moving Parts

May 15, 2012

So, one of this month’s Windows XP updates, KB2686509, has a problem.  Long story short, in order to fix a security problem, Microsoft had to make the rules more strict for software that installs custom keyboard layouts.  If I’ve understood correctly, most software already does it the recommended way, but if you have software installed that is incompatible with the new rules the update will refuse to install.  You may be able to fix the problem yourself, or you may have to contact your software vendor.

That isn’t actually the interesting part.  The update will also refuse to install if you’ve remapped a key, for reasons that aren’t entirely clear.

Thought for today: If God wanted us to remap keys, he’d have given us a control panel.

Nah, too easy an answer.  People have reasons for wanting to remap keys, and the process is, or at least was, documented.  If Microsoft are going to make it that easy, of course people are going to do it, and it shouldn’t cause strange problems years later.

No, this is another case of too many moving parts.  We need to be able to configure this sort of thing, sure, but it needs to be done in a controlled way, so that issues can be avoided, or at least properly identified.  Of course, none of the suggestions in my previous post would have addressed this issue, so the question becomes: what should the ideal operating system do to deal with this sort of situation?

I think the solution [1] is to associate changes to the registry (or rather, its equivalent) with the application (or component) that made those changes.  This would probably be implemented by keeping a collection of registry settings for each application; a query for a particular setting would return the default value only if no application had made any changes.  As a bonus, you’d know when two applications or components were in conflict, although to be honest I’m not sure what you’d do about it.

(This doesn’t mean that you couldn’t make ad-hoc changes; in this context, an “application” could be a single text file, not much different from a Windows .reg file except that it would have to include a name to go in the list of installed software.  The registry editor could build these for you.)

Anyway, if Windows worked like that, KB2686509 wouldn’t have had to, metaphorically speaking, shrug its shoulders at you.  It would know which application had configured the setting it was upset about and could say something like, “I can’t install because I am incompatible with the installed program, Freddy’s Keyboard Mapper.  Please contact the vendor for an upgrade, or uninstall that program and try again.”

I think that would have upset fewer people.

Harry.

[1] By solution, I mean a way for a hypothetical new operating system to avoid running into this sort of trouble.  It would not be feasible to modify Windows to work in this way.

Political Slogans

November 16, 2011

Some context for overseas readers: the Green Party has suffered some embarrassment recently after it was revealed that Green Party members, including the partner of the co-leaders’ executive assistant, were involved in vandalizing around 700 National Party billboards by adding satirical “slogans” such as “because the rich deserve more” and “drill it! mine it! sell it!”

Both childish and unethical, of course, but I thought the “slogans” themselves were kind of amusing.  So, along the same lines…

VOTE FOR THE GREENS because …

… trees are people too

… the economy isn’t going to ruin itself!

… you hated your science teacher, right?

VOTE FOR LABOUR because …

… New Zealand needs more debt

… we did OK last time, right?  Right?

VOTE FOR MANA because …

… Pakeha should just bugger off

… there are too many white <expletive deleted> in Parliament

… the Greens aren’t crazy enough

VOTE FOR ACT because …

… Maori should just bugger off

… National isn’t crazy enough

VOTE FOR NEW ZEALAND FIRST because …

… we made MMP what it is today!

VOTE FOR THE PIRATE PARTY because …

… have we got the coolest name, or what?

 

The United Nations and Palestine – A Missed Opportunity?

November 9, 2011

I’m sure everyone is aware that Palestine has applied for full member status in the United Nations.  At present, to the best of my understanding, this seems unlikely to happen.  Under current circumstances, it probably wouldn’t be helpful if it did.  But I can’t help wonder whether the UN is missing an opportunity here.

What if they were to offer full membership subject to the condition that the Palestinians accept a UN-negotiated treaty with Israel?  Negotiations between Israel and the Palestinians have been unproductive, but negotiations between the UN and Israel need not be.  (Of course, the UN would first have to accept that the Green Line is not a particularly useful starting point, which might be politically unpalatable to many member nations.)

Any such treaty would be significantly more favorable to Israel than the Palestinian negotiators have ever been willing to consider.  They probably wouldn’t get East Jerusalem, and Israel wouldn’t be accepting the return of any refugees.  Even so, it would be a difficult offer to turn down when the prize is United Nations recognition of a Palestinian State.

Would this have worked?  Maybe not – but I don’t suppose we’ll ever know for sure.  I think it would have been worth a try.

Stallman on Jobs

October 11, 2011

I’ve just read this article about a blog entry Richard Stallman recently posted on the subject of Steve Jobs’ sad death.  Leaving aside Mr. Stallman’s social gaffe, I just have one thing to add, on the subject of Mr. Jobs’ so-called “malign influence” on computing:

Pot.  Kettle.  Black.

Preventing executables from requiring UAC elevation

September 23, 2011

I’ve just found this great tip over at Stack Overflow.

In Windows Vista and later, an application’s manifest can declare that it requires UAC elevation (requestedExecutionLevel="requireAdministrator").  If you try to run it as a non-administrator, you get asked for an administrator username and password, and if you don’t provide them the application doesn’t start.  That’s all very well, but some developers set this flag when it isn’t really needed (I’m looking at you, beepa) which locks out all non-administrators.

This isn’t usually a big problem on a home machine, because you probably have an administrator account even if you don’t use it for everyday activities.  In a teaching lab, however, as in many other contexts, it’s fatal; the students don’t know the administrator password (or at least I devoutly hope they don’t!) and obviously we’re not going to tell them what it is.

It turns out that this is as simple as setting an environment variable.  Set __COMPAT_LAYER to RunAsInvoker, and Windows will ignore the requestedExecutionLevel in the application manifest and run the program with the invoking user’s own token.  You could set this globally via group policy, or write a simple wrapper program around specific applications that need it.  (Of course, the application doesn’t gain any privileges this way; if it really does require administrator privilege it may fail in strange and unexpected ways, so take care.)
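The "simple wrapper" option, as an added example that is not code from the original post or from the Stack Overflow answer it cites.  It starts one application with __COMPAT_LAYER=RunAsInvoker in that process's environment only, so the setting does not leak to every other program the way a group-policy or session-wide $env: setting would.  The application path in the usage line is an assumption.

```powershell
# Added example; not part of the original post.  Launches a single executable
# with the RunAsInvoker compatibility layer scoped to that child process.

function Start-AsInvoker {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string[]]$ArgumentList = @(),
        [switch]$Wait
    )

    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) {
        throw "Executable not found: $FilePath"
    }

    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName = $FilePath
    # Minimal quoting: wrap arguments that contain whitespace.  Arguments with
    # embedded double quotes need more care than this.
    $psi.Arguments = ($ArgumentList | ForEach-Object {
        if ($_ -match '\s') { '"' + $_ + '"' } else { $_ }
    }) -join ' '
    $psi.WorkingDirectory = Split-Path -Parent $FilePath
    # UseShellExecute must be off to edit the child's environment.  With it off,
    # a requireAdministrator manifest would normally make CreateProcess fail with
    # error 740 (ERROR_ELEVATION_REQUIRED); the layer set below is what avoids that.
    $psi.UseShellExecute = $false

    # Append to any layer already requested for this session rather than overwriting it.
    $existing = $psi.EnvironmentVariables['__COMPAT_LAYER']
    $layer = if ($existing) { "$existing RunAsInvoker" } else { 'RunAsInvoker' }
    $psi.EnvironmentVariables['__COMPAT_LAYER'] = $layer

    $proc = [System.Diagnostics.Process]::Start($psi)
    if ($Wait) {
        $proc.WaitForExit()
        return $proc.ExitCode
    }
    return $proc
}

# Usage (assumed path):
# Start-AsInvoker -FilePath 'C:\Program Files (x86)\SomeVendor\tool.exe' -Wait
```

The child still runs with the invoker's token, exactly as the post says.  One subtlety worth checking when an application misbehaves under this wrapper: because the program has a manifest, UAC file and registry virtualization is disabled for it, so a write to Program Files or HKLM fails with access denied rather than being quietly redirected to the user's VirtualStore.  That is usually the "strange and unexpected" failure the post warns about.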

Hope this helps – and Norbert, if you’re reading this, thank you.  Knowing about this is going to come in very handy.

United Airlines replaces flight manuals with iPads

August 25, 2011

See this article from the New Zealand Herald.

Flight manual on an iPad

(Original picture courtesy Evan-Amos, Wikimedia Commons.)
