Mental models related work

A group at Princeton has a nice list of related work from people who are critical of the use of mental models as a research method.

Software updates research

I just published a paper entitled “Betrayed By Updates: How Negative Experiences Affect Future Security” (pdf) on the reasons people avoid software updates.

Free books on R

Excellent list of free ebooks on the R language and statistical analysis.

http://www.r-statistics.com/2009/10/free-statistics-e-books-for-download/

Using Windows Installer (WIX) to schedule a task as the system user

Goal: use WIX to schedule a task via the task scheduler. The task must run every 30 minutes after the computer starts, and it must also run as the SYSTEM user.

Answer:

<Product Id="*" 
  Name="FooBar" 
  Language="1033" 
  Version="1.0.0.0" Manufacturer="Foo" 
  UpgradeCode="GID">
<Package Id="*" 
  InstallerVersion="200" 
  Compressed="yes" 
  InstallScope="perMachine" 
  InstallPrivileges="elevated"/>
     

<InstallExecuteSequence>
      <Custom Action="CreateScheduledTask" After="InstallFiles">
        NOT Installed
      </Custom>
</InstallExecuteSequence>

<CustomAction Id="CreateScheduledTask" 
    Return="check" 
    Impersonate="no" 
    Execute="deferred"
    Directory="TARGETDIR" 
    ExeCommand="&quot;[SystemFolder]SCHTASKS.EXE&quot; /CREATE /SC MINUTE /MO 20 /TN &quot;Foobar&quot;  /TR &quot;&quot;[INSTALLFOLDER]\Foobar.exe&quot;&quot; /RU &quot;NT Authority\System&quot; /RP /RL HIGHEST" />
</Product>

Explanation:

To schedule a task you need to create a custom action which calls the command line version of the Windows Task Scheduler (schtasks.exe). In the example above the task is being scheduled to run every 20 minutes starting from when the computer boots (/SC MINUTE /MO 20).

The tricky part is making the new scheduled task run as the SYSTEM user with the highest permissions possible (/RU "NT Authority\System" /RP /RL HIGHEST). To do this the installer itself must run with elevated privileges AND the CustomAction must run with elevated privileges. To run the installer with elevated privileges I added InstallPrivileges="elevated" to the Package element. To run the CustomAction with elevated privileges I added Impersonate="no" and Execute="deferred" to the CustomAction element. Aaron Stebner explains why deferring the action is necessary. Also note that the use of '&quot;' instead of '"' is a feature of WIX and not an error in web formatting.

This solution works, but it is limited by the number of parameters schtasks will take in. This prevents you from doing things like disabling the AC Power requirement. Here is an explanation of how to do that.

Getting rid of the black boxes

Another issue is that a command prompt pops up briefly making the install look messy. To solve the issue you have to use a Quiet Execution Custom Action.

<Product Id="*" 
  Name="FooBar" 
  Language="1033" 
  Version="1.0.0.0" Manufacturer="Foo" 
  UpgradeCode="GID">
<Package Id="*" 
  InstallerVersion="200" 
  Compressed="yes" 
  InstallScope="perMachine" 
  InstallPrivileges="elevated"/>
     

<InstallExecuteSequence>
      <Custom Action="CreateScheduledTask" After="InstallFiles">
        NOT Installed
      </Custom>
      <Custom Action="CreateScheduledTaskId" After="CostFinalize">
        NOT Installed
      </Custom>
</InstallExecuteSequence>

<CustomAction Id="CreateScheduledTaskId" 
    Property="CreateScheduledTask"
    Execute="immediate"
    Value="&quot;[SystemFolder]SCHTASKS.EXE&quot; /CREATE /SC MINUTE /MO 20 /TN &quot;Foobar&quot; /TR &quot;&quot;[INSTALLFOLDER]\Foobar.exe&quot;&quot; /RU &quot;NT Authority\System&quot; /RP /RL HIGHEST" />

<CustomAction Id="CreateScheduledTask" 
    Return="check" 
    Impersonate="no" 
    Execute="deferred"
    BinaryKey="WixCA"
    DllEntry="CAQuietExec" />
</Product>
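Because the task above runs Foobar.exe as SYSTEM at the highest run level, anyone who can write to that file or its folder can run code as SYSTEM. The following PowerShell check is an added example, not part of the original post; it assumes the task name "Foobar" from the snippet and an elevated prompt. The trusted-SID list and the function name Get-UntrustedWriter are choices made for this illustration.

```powershell
# Added example, not the post's code. 'Foobar' is the task name from the WiX snippet.
# Run from an elevated prompt after the installer has created the task.
$trustedSids = @(
    'S-1-5-18',      # LocalSystem
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Rights that let a principal replace or re-permission the file, plus the
# generic write/all bits (0x40000000, 0x10000000) that some ACEs carry.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Hypothetical helper: returns Allow ACEs granting write-type access to untrusted SIDs.
function Get-UntrustedWriter {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $writeMask) -ne 0 -and
            ([int]$_.PropagationFlags -band $inheritOnly) -eq 0 -and   # skip inherit-only ACEs
            $trustedSids -notcontains $_.IdentityReference.Value
        }
}

$task = Get-ScheduledTask -TaskName 'Foobar' -ErrorAction Stop
# The battery setting is reported because schtasks.exe switches cannot change it.
'RunAs={0} RunLevel={1} DisallowStartIfOnBatteries={2}' -f `
    $task.Principal.UserId, $task.Principal.RunLevel, $task.Settings.DisallowStartIfOnBatteries

foreach ($action in $task.Actions) {
    if (-not $action.Execute) { continue }   # not an "run a program" action
    $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
    if (-not (Test-Path -LiteralPath $exe)) { "NOT FOUND: $exe"; continue }
    # A writable parent folder allows the binary to be swapped, so check both.
    foreach ($target in $exe, (Split-Path -Parent $exe)) {
        foreach ($ace in Get-UntrustedWriter -Path $target) {
            'WRITABLE by {0}: {1} ({2})' -f $ace.IdentityReference.Value, $target, $ace.FileSystemRights
        }
    }
}
```

No WRITABLE lines means only SYSTEM, Administrators and TrustedInstaller can modify what the task executes. Any other SID listed is a reason to install into a machine-wide protected folder instead.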

 

US map of effective states based on US Dollar movement

http://www.fastcoexist.com/1681677/a-new-map-of-the-us-created-by-how-our-dollar-bills-move#1

Theoretical physicist Dirk Brockmann used the dollar bill tracking site Where’s George to see how money moves, and create new state boundaries based on our economies. The darker the blue lines, the less likely it is a dollar bill will have crossed it.

Syria turning off the internet

Nice article by CloudFlare with a video of Syria turning off the internet for the country.

CDNet on how Egypt did the same thing.

Publicly available datasets

I teach a class on Processing, which is a simplified version of Java designed to enable people to easily create graphics. My class focuses on data visualization. Below is my list of publicly available data sets which I encourage my students to use in their visualizations.

IMDB

IMDB is a website that maintains a list of movies, actors, actresses, and information about them. They offer a set of downloadable information sets. The sets can be a bit challenging to parse though, so there also exist some Perl parsing scripts.

Other

StackOverflow has a list of publicly available data sets.

End user education

Schneier has an interesting article on his blog about end user education.

Sony utility disables UAC

Sony Hotkeys Utilities (SOAOTH-606A0000-0042.exe) disables User Account Control (UAC) on my Windows 7 machine.

After re-installing Windows 7 on my Sony laptop I wanted to make my hotkeys (like volume) work again so I installed the Hotkeys utility by Sony. A few weeks later I got suspicious when several programs I opened had “Administrator:” in the title when I hadn’t approved any UAC. I checked my logs and the last program to ask for privilege elevation was the Hotkey utility.

I re-enabled UAC dialogs and re-booted the machine. I re-downloaded the utility from Sony, installed it, and was asked to approve a UAC dialog (so UAC was definitely enabled). Sony software asked that I reboot the machine to “finish installation.” Immediately after the Sony dialog appeared, a balloon in the bottom right appeared with the following text: “You must restart your computer to turn off User Account Control.” Sony’s software was the only thing running and I hadn’t opened any User Account Control settings since restarting the computer.

[Image: Sony_post_install]

[Image: Sony_post_install_zoomed]

I let the software reboot the computer. After the reboot Sony software continued to install itself. I opened the User Account Control settings panel and verified that UAC was disabled.

[Image: Sony_post_reboot]

Sony’s software finished installing itself, theoretically requiring UAC to do so, and asked to reboot a second time. I allowed it to reboot the machine and after the second reboot I pulled up the UAC settings again to verify that they were still disabled. As can be seen below, the settings stayed with UAC disabled after two reboots.

[Image: Sony_post_reboot2]

Turning off UAC dialogs without user notification is a very dangerous thing to do. My computer spent several weeks in a state where any program that wanted to install could just do so without my approval. My programs were running with “Administrator” in the title because they were running with Administrator privileges (I manually verified this for PowerShell). No well-behaved software should ever change security settings on a computer without notifying the user.

A couple of limitations to consider

  • This is one personal computer; it is possible that the Sony utility is reacting badly with my computer’s setup.
  • I tried the above steps three separate times; this is repeatable (at least on my machine).
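A silent change like the one described above can be caught by checking the UAC policy values in the registry, for example from a logon script. The PowerShell below is an added example, not part of the original post; the post does not say which value the Sony utility changed, so the check covers the three standard UAC policy values, and the function name Get-UacFinding is hypothetical.

```powershell
# Added example, not the post's code. Reads the standard UAC policy values.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Hypothetical helper: takes an object or hashtable carrying the policy values
# and returns one line per weakened setting. Missing values are not flagged.
function Get-UacFinding {
    param([Parameter(Mandatory)]$Policy)
    $findings = @()
    if ($Policy.EnableLUA -eq 0) {
        $findings += 'EnableLUA=0: UAC is off; admin logons get a full admin token'
    }
    if ($Policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: admins are elevated without a prompt'
    }
    if ($Policy.PromptOnSecureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: prompts are not shown on the secure desktop'
    }
    $findings
}

# Constructed sample of a machine where UAC has been switched off.
$sample = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
'Constructed sample:'
Get-UacFinding -Policy $sample

# Live machine.
'This machine:'
$live = Get-UacFinding -Policy (Get-ItemProperty -Path $uacKey)
if ($live) { $live } else { 'No weakened UAC settings found' }

# Is this session already running with a full administrator token?
# With UAC on, a normally launched shell reports False here.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
'Current session elevated: {0}' -f $isAdmin
```

A change to EnableLUA only takes effect after a reboot, so running the check before and after installing software shows whether an installer touched these settings.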

 

Graph of attacks in real time

A map of the world showing the source of attacks and statistics about past attack rates.

http://www.sicherheitstacho.eu/