Workarounds and solutions to various tech related issues encountered from day to day. Plus, a little of this and a little of that on the side for variety.

Monday, October 29, 2007

OS X: Various

Well, looks like Leopard did end up pre-releasing a couple of days early via the usual channels. This final build (9a581) has performed much more solidly for me than the last one I tried (9a559). I decided to go ahead and do a clean install though, just to start off on the right foot. Time Machine has been running regularly and has already filled up the space I partitioned on the external hard drive for backups. Certainly nothing revolutionary here- looks like Windows System Restore to me with a pretty make-over.

On another note, I bought an Apple TV used for $200 and am pretty happy. Again, nothing revolutionary as I've run a modded Xbox with XBMC for years until recently. Needed to get back into the game so went the Apple TV route this time. It's sleek for sure...hard drive is a little small so I'll be upgrading that. The modification process to get Divx and Xvid playback going was pretty straightforward:

1. Disassemble and remove HD.
2. Mount hard drive in external 2.5" USB enclosure
3. Copy over a NON LEOPARD (Tiger or lower only!) copy of the "sshd" binary to the "OS Boot" partition on the Apple TV hard drive.
4. Make sure file permissions are set to execute for sshd.
5. Return drive to Apple TV and boot it up.
6. Copy over some various codecs.

It's no XBMC but I was tired of burning Divx to disc for playback on the DVD player and it's nearly as much of a pain to set the laptop up for TV-out.


Wednesday, October 17, 2007

iPhone SDK in February '08

Apple must've taken the hint from consumers: we want third party apps on the iPhone. Either that or they noticed that regardless of their efforts to block users out of their own devices with firmware updates, the open source community will prevail. This article on Apple's site straight from Steve Jobs came to my attention on digg today:

"Let me just say it: We want native third party applications on the iPhone, and we plan to have an SDK in developers’ hands in February. We are excited about creating a vibrant third party developer community around the iPhone and enabling hundreds of new applications for our users."

Source: apple.com


Tuesday, October 16, 2007

OS X: hdiutil tips

For one reason or another, I find myself needing to convert a .dmg file to .iso for use in Windows. A quick "hdiutil" command can handle this:

hdiutil convert filename.dmg -format UDTO -o filename.iso


Another handy use for hdiutil is creating encrypted .dmg files:

hdiutil create -encryption -stdinpass -srcfolder ImageName filename.dmg


OS X: Leopard Countdown

The Apple site has posted the countdown to Leopard. It would be nice if Pirate's Bay had their own countdown as well.

An interesting page on Apple's site details all 300+ new features of Leopard. Personally, I ran into stability issues with 9a559 so I'm hoping THAT wasn't the version they declared Gold Master. Guess we'll see.


Thursday, October 11, 2007

OS X: Fresh Format Checklist

With Windows, I found myself reformatting and reinstalling things quite regularly- about once every 2 months or so. I just felt "cleaner" and it certainly helped boost performance. While OS X is MUCH more stable and reinstalling Tiger is more uncommon, I still have found the need (by my own fault) to reinstall Tiger 3 or 4 times since the purchase of my MacBook Pro about a month or so ago. So, I'm throwing this checklist up for my own personal reference. I'll check here in the event of a reinstall and make sure I've remembered everything.

1. Backup data - This step should be a no-brainer and shouldn't require much as I'm trying to keep everything important on either iDisk or the external HD.

2. Record Any Program Specific Settings - Make a note of any custom configured settings in any programs that might need to be saved (e.g. FTP site directory).

3. Boot from OS X Disk

4. Deselect Unnecessary Options - Primarily MS Office Trial and iWorks but also all the foreign language crap. I speak one language, and that's Uh-muuur-uhhh-kun.

5. Install takes right at 26 minutes on my machine

6. Run Software Update

7. Configure OS Settings - Mouse/trackpad speed, energy settings, screen saver, view options, dock icons/size, etc.

8. Install 3rd Party Applications - This is the biggest step. My applications are as follows: nobootupsoundsprefPane, NeoOffice, Thunderbird, divx codecs, VLC, BBedit, CoRD, Transmission, Adium, Marine Aquarium SS, Cisco VPN Client, iGetter, Split and Concat, Firefox and associated addons (FoxyProxy, Adblock, StumbleUpon, delicious buttons), Visual Hub, Parallels, Boot Camp, Quicksilver, iStat widget, digg widget, Onyx, RemoteBuddy, Stuffit, Xee

9. Configure 3rd Party Applications

10. Restore Data - Copy back any external media like movies or mp3's


OS X: Force a Disk to Unmount

My external hard drive was "player hating" on me so I had to force unmount it. I'm placing the terminal command here for my own future reference:

diskutil unmountDisk force /Volumes/disk_name


OS X: AOI (Application of Interest) Knox





I was looking to find some sort of secure solution for encrypting the contents of an external drive such as a thumb drive or hard drive. On Windows I liked to use Cryptainer but they don't have a Mac solution. Everywhere I turned people suggested using the built-in encrypted dmg file creator of OS X's Disk Utility. I finally gave in and decided to go this route but for some reason had constant trouble doing it through DU. So, I stumbled upon (quite literally) a great front-end for this process called Knox. The program is quick, stable, and simple. I create password encrypted disk images that I can mount and store my files safely in. The nice thing is, even after the trial expires (which BTW, is not crippled in any way, only timed at 30 days) I can still mount and access the .dmg files on any Mac machine...brilliant! Definitely one of my top 10 apps.


OS X: Secure Browsing Through ssh and SOCKS Proxy

I don't like snoops. And I don't like people controlling and/or monitoring me. So, I searched around online to come up with a solution for safe and secure web browsing from unsafe connections such as an open wifi zone at a cafe or an airport or even a supposed "secure" connection elsewhere. I have played around in the past with an ssh server for Windows called WinSSHD by the company Bitvise and found it to work very well. In those days I simply used PuTTY as my client. Now that I've primarily gone the way of the Mac, I can do this through the terminal and built-in ssh client.

After setting up WinSSHD as my ssh server at home on my Windows XP machine, I can create a secure SOCKS5 tunnel with the following terminal command:

ssh -ND 3300 myhomeipaddress.com

This will stay up and running until I kill or break out of the process. Now it's just a matter of configuring any web based app to use a SOCKS proxy and give it the address of "localhost" and port 3300. NOTE: It's important to also make sure your DNS traffic flows through this tunnel as well, otherwise whoever/wherever will still see where you are going. I found FoxyProxy to make this really easy for me in Firefox.


OS X: Terminal Command to Display Screen Saver as Wallpaper

Since I'm new to Mac and OS X, I'm going to make a few posts here and there to serve as references for commands and the such that I might have a hard time remembering. Here's the first. This terminal command lets you use your screensaver as your desktop wallpaper. I use it with SerenScreen's Marine Aquarium found here. The command:

/System/Library/Frameworks/ScreenSaver.framework/Versions/A/Resources/ScreenSaverEngine.app/Contents/MacOS/ScreenSaverEngine -background &


As you know, the ampersand backgrounds the process. Run "ps" to find its process number and "kill" it if you need to.


Changing the LogonPrompt Text

When users sit down to our lab machines, they're usually already logged in and ready to go. When they're not, they have to go through the ole' three finger salute and login. Well, there's usually the question of "What's the username and password for the lab computers?". To optimistically try and circumvent this incessant question we have the LogonPrompt defined to display text of the username and password for these public PCs. There's no security risk here as the account info is supposed to be known by anyone who wants to sit down and use the machine. In the event that the password changes for the accounts, I have this reg add command ready to go (copied and pasted into a batch file containing a line for each machine):

REG ADD \\machine_name"\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LogonPrompt /d "Logon as 'wks01' With Password 'Public01'" /f

Works like a charm. Now, how to program the users to actually READ this info?


Using Content Advisor

We had quite a bit of trouble with people using YouTube and MySpace etc. in the lab. We needed a quick and dirty way to block access without investing in third party web filtering. See, we don't control the domain these machines are located on so any group policy implementation is out of the question. If our labs existed on their own subdomain and we had access to the DC every entry on this blog would be entirely different....different as in the Systems staff's jobs would be much easier. For this task we revised the LOCAL group policy on one machine to block access to facebook, youtube, and myspace. We then extracted the corresponding registry entries to be imported on other machines. The registry entry is entirely too long to post here. Yes, I know there are easy ways to bypass this but it provides an additional layer of deterrence that's better than free rein.


Remote Shutdown/Restart

I'm throwing this in here as a quick reference for myself, as I can never remember the syntax of "shutdown":

shutdown -m \\machine_name -r -f -t 05


Where -r signifies a restart, not a shutdown, and -f forces with a -t delay of 05 seconds.


Remote Add Print Port/Set Default Printer

Our machines in the labs are all configured to print to a GoPrint server in the large lab. Sometimes, the large lab, where the GoPrint servers are physically located, will be occupied. In this case, we have to enable printing to a small HP LaserJet 5 in the small lab so users can still print. The first time we set this up, I needed to add the printer to each of the 15 machines in the small lab. Yet another opportunity for command line fun. Here is what I came up with.

First I had to setup the port on each machine using a snippet of vbscript found in Windows:

cscript prnport.vbs -s machine_name -a -r TCPIP -h xxx.xxx.xxx.xxx -o raw -n 9100

Where xxx.xxx.xxx.xxx is the IP address of the printer and machine_name is the name of the remote machine. The -s switch specifies the remote machine name. The -a switch specifies that we're creating a standard TCP/IP port. Switch -r specifies the name of the port, in this case simply TCPIP. IP address is set via the -h switch and the port type of RAW is configured with -o. Finally, -n sets the port used by Windows Standard Port Monitor (SPM) which is 9100 by default.

Now that the port was created on the machine of interest, I needed to add the actual printer instance. For this I used the built-in DLL "printui.dll" as such:

rundll32 printui.dll,PrintUIEntry /c\\machine_name /if /b "HP LaserJet 5" /f%windir%\inf\ntprint.inf /r "TCPIP" /m "HP LaserJet 5" /Y


This added a printer called HP LaserJet 5 to port TCPIP on the remote machine, installing drivers for an HP LaserJet 5 from the standard Windows ntprint.inf driver catalog, and set it as default printer.

Yay done.


Remote Enable RDP

By default Windows XP installs with remote desktop functionality disabled as a "security precaution". I needed to enable RDP on the machines in the lab, without going through the hassle of check boxes and right-clicks. Here is the command line to do so remotely (running command line as administrator as usual):

REG ADD \\machine_name"\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

I think I threw this into a batch file copying and pasting once for each machine. I probably could have set something up where the machine name was a variable and incremented itself in a while loop...but not all of our machine names are consistent. Yay done.


Internet Explorer 7 "runonce" Annoyance

Internet Explorer 7 has been out for some time now. However, computing services here on campus has just now decided to push the update out to all of our machines. We have about 45 or so machines and maybe half so far have the update. The problem is, upon first run IE7 displays the "Customization" runonce screen as opposed to the set homepage. Our users don't want to bother with this so Systems was tasked with globally removing this annoyance.

The first thing I did was track down the registry entries that were responsible for setting whether or not the runonce page would display. Turns out there are two entries that affect this:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"RunOnceHasShown" = 0
"RunOnceComplete" = 0


Normally, this would be an easy fix-- set both entries to DWORD value 1 and be done. However, there are 45 machines to deal with here, and they're all remote. When remotely editing the registry, HKEY_CURRENT_USER is not available so the settings can't be edited directly. Ugh- snag #1.

I dug a little deeper on the google and found that HKEY_USERS can be used just as effectively provided I know the SID of the username currently logged into the machines (our machines are logged onto the domain as only one username). Ok, so how do I convert the username to the SID? Enter getsid.exe. Getsid uses the following syntax to compare the SIDs of two user accounts:

getsid \\server1 account \\server2 account

The primary application here is that you would run getsid to compare the SID's of accounts on a primary and a backup DC. To reveal the SID of a single account just feed the same info in as \\server1 and \\server2. Included as part of Windows XP SP2 Support Tools, download can be found here.

Great! But I wanna make this a little more fluid since I'm going to be doing this in quantity. A little more digging yielded this batch file from a post on Windows IT Pro magazine site. It's a nifty snippet of code that, when fed the \\machinename account will store the SID in variable %sid% that can further be fed into other batch files etc. Perfect. The batch also only requires you enter the machine name/account once...even better.

So, now I've got my SID, I want to automate as best as I can the registry changes. I just threw this together. It's hard coded and ugly but it works for my purpose. I called it ie7reg.bat and the contents are as follows:

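@echo off
rem %name% (target machine) and %sid% (that user's SID) are set by the modified usersid.bat.

rem Each variable holds the remainder of one "reg add" command line.
set runonce="\HKU\%sid%\Software\Microsoft\Internet Explorer\Main" /v RunOnceComplete /t REG_DWORD /d 1 /f
set phish="\HKU\%sid%\Software\Microsoft\Internet Explorer\PhishingFilter" /v Enabled /t REG_DWORD /d 1 /f
set runshown="\HKU\%sid%\Software\Microsoft\Internet Explorer\Main" /v RunOnceHasShown /t REG_DWORD /d 1 /f

rem Write the three values into the logged-on user's hive on the remote machine.
reg add %name%%runonce%
reg add %name%%phish%
reg add %name%%runshown%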


The %name% variable is being supplied from a slightly modified usersid.bat so I only have to enter the machine name the one time-- when running usersid. Also notice I slipped a registry edit in there to go ahead and turn on the PhishingFilter of IE7 per our policy here.

And that's it. If all goes well the reg add command reports successful-- if not I know there's more than likely a connectivity issue with the target machine. Yay done.
