Not wanting to spend big bucks on server equipment (which consumes server-level power, btw), but also not wanting to use “junker” equipment just because it’s available, I re-cycled a very sweet e-machine 663mhz PIII system.  It’s always been a solid machine, and was just too slow to use as a workstation. It ran on a very miserly 120w power supply, so I new it wouldn’t sip much power (compared to other “former development machine” systems in my boneyard).  But I didn’t want to string together any more 100GB “black friday specials” - it’s time to go big. So I bought a pair of Seagate 750GB drives from geeks.com for $125 each, and a cheap sata raid card. 

While I awaited delivery on the discs, I started playing around with prototypes.  FreeNAS was first. It seemed nice, but there wasn’t any user-level security.  It’s just one big happy share.  So much for keeping the kids out of my development stuff.  But the install was easy - boot from the CD, it stores the config data on a flash drive. Nice.

OpenFiler seemed promising, but I couldn’t get the security to work. It requires an LDAP server, and I couldn’t get the included one to work. Looking at their forums, nobody else can either!  Bah.  Security was so good I couldn’t use it.

NasLite looked easy, but again, no security.

Back to FreeNAS.  Voila!  All I needed to do was use “old school” unix-level permissions. You can’t do it all from the web gui (which is very nice, btw), but once you set up the groups and users, you can then go into the console (or SSH) and use chmod and chgrp to assign ownership.  The permissions then applied to what you could or couldn’t do through the samba share with a windows client.  So “Carolyn” could see directories available to teh “family” group, and she could write to the “carolyn” directory, but not the “alex” directory.  Yes, this would work!

The hardware arrived.  I quickly set about to building a proper server.  The e-machine case and power supply were inadequate for multiple disk drives, so I transplanted the motherboard into a generic tower case with a 300w power supply, installed the RAID card, drives, etc..   Long story short: I spent a lot of time getting mirroring to work.  Much like navigating to/from the “lost” island, you have to follow a particular course, without deviation. 

There is apparently a problem with the IOFlex card, Seagate SATA drives, and FreeBSD (FreeNAS is based on FreeBSD Unix).  At least according to comments on NewEgg.  I didn’t expect to need any sort of driver, as I wanted to mirror the two 750 drives and have FreeNAS see it as one drive.  But FreeNAS saw it as two drives.  So I tried mounting one and figured I’d let the hardware sync it to the other.  Bad idea. It actually crashed FreeNAS so hard that it forgot the network config and reset the web password to some unknown… I had to start over.   Long story short (again), I decided to switch to another card - the ROSEWILL RC-212, which I had bought to use as a “lifeboat” for migrating XP/Vista installations to new motherboards.  Voila - this card made a mirror array (you do it by pressing TAB during the BIOS boot-up) that presented itself to FreeNAS as a distinct volume - “ar0″.  The physical discs show up too in FreeNAS, but if I ignore them and just use the “ar0″, I get hardware mirroring.

Now for the critical parts - I wasted a lot of time because I picked the wrong options when setting up the discs, usually ending up in the “error - retry” when trying to mount.  Here’s the magic formula, in my case:

1. Hardware RAID - set in bios (I used Raid1 - mirroring two identical Seagate 750GB SATA drives)
2. Add the “ar0″ disk (raid array), ignore the actual physical drives in the list.  Don’t pick any pre-formatting options.
3. Format the disk - choose “UFS (GPT and Soft Updates)”.  Do not pick “software raid”.  It will take a few minues, and fill the screen with long numbers.  That’s good.
4. Mount the disk - choose “EFI GPT” as the type.  Here is where I fouled up earlier, by picking “UFS”.  It had to be “EFI GPT”, then it worked. Bingo!  I called it Data750.

Great!  Now I activated SSH and SAMBA (shared \mnt\Data750 as share name “Data”).  Since I’ve got unix-level control over permissoins, I decided to just use one SAMBA share.  Different users get to do different things, according to the group and family membership.  So everyone mounts the network drive as \\nas1\Data and their userid/password (which windows will happily remember for you, after challenging you one time) determines what they can do.

I set up (in FreeNAS web panel) users and groups:

• groups: thornsoft, family
• users: chris, brenda, carolyn, alex, matt, ripley

Chris and Brenda are members of both groups.  We put the dog in there (ripley) for use by visiting relatives who may need to get/put pictures, etc..

Here’s the directory structure:

drwxrwxr-x  23 chris  thornsoft  512 Mar 28 15:34 www
drwxrwxr-x  11 chris  family     512 Mar 28 15:15 pub
drwxrwx—   2 chris  thornsoft  512 Mar 28 14:39 dev
drwxrwx—   2 chris  thornsoft  512 Mar 28 14:39 prod

Notice that everyone can see the “pub” and “www” directories, but only the “thornsoft” members (chris and brenda) can even SEE the dev and prod directories.  Within “pub” are folders such as video, music, pictures, etc.., along with “home”. The “home” directory looks like this:

drwxr-x—  2 ripley   family  512 Mar 28 15:15 ripley
drwxr-x—  2 matt     family  512 Mar 28 15:15 matt
drwxr-x—  2 carolyn  family  512 Mar 28 15:15 carolyn
drwxr-x—  2 alex     family  512 Mar 28 15:15 alex
drwxr-x—  2 brenda   family  512 Mar 28 15:15 brenda
drwxr-x—  2 chris    family  512 Mar 28 15:15 chris

Here, you’ll see that I’ve set the group ownership to “family”, and each user owns his/her own directory.  This should prevent any family member from deleting/modifying anyone else’s files.  I could (probably will) make a shared folder in there, with rwx permissions for the family group.  But the family group DOES also have rwx access to the other folders within the “pub” directory (music, pictures, etc..)

So how to do this?  From the FreeNAS console (or an SSH session), navigate to /mnt/Data750 and issue commands such as:

• mkdir pub
• chgrp family pub
• chown chris pub
• chmod 755 pub

Then I went down into “pub” and created other directories, all with “family” group ownership. For the individual user directories, I assigned the user ownership with “chown”.   For the important directories (dev and prod), I assigned the group to “thornsoft”. 

As I write this, I’m syncing the directories from the XP server using SaltyBrine’s FolderClone.  Once it’s done, I’ll start transitioning over to the new server.  Yay!

Other misc notes…. 

FreeNAS can be installed onto a hard disk, compact flash card (with IDE reader) or can run from CD if you have a USB flash drive for it to store its config data.  I’d like to use the CF option, but don’ thave the right kind of IDE interface for it, so I’m using the CD with config on USB. Works great, and you can hand-edit the file on another PC if you want. I “cloned” our account info that way, which was quicker than using the web interface.  This is also how you back it up.  Interestingly, it stores the passwords there as clear text.

• ex:  echo “hello, world!” | clip
• ex: dir | clip
• ex: clip < readme.txt

Again, this is available on Vista.  If you are using older versions of Windows, you can use our Dos2Clip program, which will do the same thing, but only with one line.  You can get it here, and it’s free to use.

1) Copy something benign - just highlight any harmless text from any program, press Ctrl+C, and you’ve just overwritten the clipboard with that benign word. 

2) Press the PrintScreen key - this puts a bitmap onto the clipboard, overwriting whatever was there previously.  Web sites can’t paste an image, and if a co-worker is sitting at your desktop, they can see what’s on your screen anyway.  You CAN paste the image into an image editor such as Microsoft Paint, but unless you’ve got sensitive or “naughty” stuff on the screen, this is probably the quickest way.

If your goal is to save memory, use option #1.  Any program that claims to “clear your clipboard, thereby saving memory) is going to use more memory than whatever little thing you’re copying to overwrite what was there.

This tip brought to you by the people who make ClipMate!

So I went to CompUSA, looking for another board/CPU combo. Since the old board was Pentium-D, I wanted something more efficient (and quieter/cooler), so I picked up a brand-name MoBo, an AMD X2 CPU, and some nice Corsair DDR2 RAM. I made the mistake of not looking for the Vista certification on the MoBo. More on that later…

I had expected to swap components, and hopefully let Vista find the new drivers when it booted. After all, we’ve had the “hardware abstraction layer” (HAL) since NT 3.5, right?  So I threw my faith in HAL, Plug-n-Play, Plug-n-PRAY, etc.. Sure enough, immediate blue-screen, followed by endless reboot/BSOD/reboot cycle.

If you’ve found this in google, you know what that’s all about. I’ll make the long story short - I was unsuccessful in booting from my Vista HD. Vista was unsuccessful in “repairing” the old installation. I ended up re-installing Vista (twice, because MSFT sends me “upgrade” disks because I’m in the “Action Pack” program). Grrrrr. I needed a better way.  Next time, I vowed to do better.

Well, that MoBo turned out to be a sweet Linux or XP board, but it wasn’t Vista certified, and I was experiencing daily lockups. No BSOD, just a freeze, requiring a power-off. I tried BIOS updates, new drivers, etc.. No good. My retailer (CompUSA) is going out of business (should have used NewEgg!!) and wasn’t interested in getting it back. I wasn’t interested in spending hours on hold with the MFG to RMA it and get an identical (non-working-on-Vista) board. So for $79, I found a nice Gigabyte board on NewEgg.

This time, I found a write-up that talked about removing drivers on the old board, prior to shutting down. This makes the board “driver agnostic”.  Long story short, it didn’t work. I think my PnP loaded the old drivers anyway, before I could shut down the machine.

The Lifeboat 

Looking for another solution, I found a comment on Lockergnome that talked about a “lifeboat” disk adaptor card.  Hmmmm…   Basically, you install a cheap IDE/SATA card into the machine before the MoBo swap. Let Vista (should work on XP too) load the drivers. At this point, Vista has drivers to run that card, no matter what chipset the MoBo has.  Then swap the MoBo, and plug your HD (Temporarily) into the new card. Load Windows, let PnP detect the new hardware, load drivers, etc.. Now you can reboot and switch back to the MoBo IDE/SATA ports, and remove the “lifeboat” card.  It sounded great, so I thought I’d give it a try!

I purchased a cheap IDE/SATA card (PCI interface) from NewEgg. For $20, I got this:

http://www.newegg.com/Product/Product.aspx?Item=N82E16816132009

It’s got both IDE and SATA ports, and runs on Vista. Great. 

Next, I installed it into my PC, running the old Motherboard.  Vista asked for drivers, I gave it the CD that came with the board.

Then I shut down and swapped the motherboard, and transplanted the Rosewill board from the old motherboard onto the new one.  This time, I connected the SATA drive to the Rosewill card. I probably should have connected the IDE cable for the DVD drive, as that would have saved a reboot later on.  But I left it disconnected.

Now I powered on and Vista loaded!  No BSOD. It came up with generic drivers, and did its PnP thing and loaded drivers that worked with the Motherboard. Here is where it may have been good to have the DVD plugged into the Rosewill card, to get a better set of drivers from the Gigabyte CD. No harm though, the Windows drivers worked.

Now I shut down, removed the rosewill card, and connected the IDE and SATA to the MoBo. Upon power-up, Vista loaded again, and I was able to update drivers from the Gigabyte CD.

Conclusion 

It worked great!  The Rosewill card now sits on the shelf, for future emergencies.  I will use it to “innoculate” all other (non-laptop) PCs in the house, so that I can upgrade failed motherboards in the future. In case of failure, they’ll already have the Rosewill drivers, and can be simply upgraded with new motherboards/CPU.  You don’t always get to do any “prep”, especially when the hardware just dies. So I’m going to prepare all of my systems so that they’re ready, in case they need a swap.

Apparently, Apple has “invented” some sort of killer technology for the iPhone, that lets you select something, “copy” it to an internal memory buffer, and then “paste” it somewhere else.  They’re calling it the ClipBoard ™.  What next, they’ll claim to have invented phones too?  Maybe the color Yellow?

Of course, we expect that it will pale in comparision to ClipMate, the first ClipBoard EXTENDER, written way back in 1991.  Ironically, inspired by the lameness of the Mac clipboard.  Read about it here.

This blog post describes the security setting in IE7 that warns you, and tells how you can turn it off (I don’t recommend turning it off….)
http://www.mydigitallife.info/2006/09/25/disable-allow-this-webpage-to-access-your-clipboard-pop-up-warning-message-in-ie7/

Technically, it’s pretty simple. A single line of javascript on the page can read your clipboard (unless IE is set to block it).

This article describes how the javascript trick is done:
http://www.arstdesign.com/articles/clipboardexploit.html

This blog post also describes how it’s done, and has a sample link, if you’d like to see this in action, or just to test if you’re protected or not:
http://harriyott.com/2005/01/javascript-clipboard-control.aspx

As for ClipMate (our product), the vulnerability doesn’t go any further than what’s on the clipboard (the currently selected clip). Such scripts have no capability to dig into ClipMate’s database or force it to give up other clips.

Update: (Dec 7, 2007) Now it looks like an e-mail trojan is exploiting this. I suspect that it can only work if you used web-based e-mail such as squirrelmail, yahoo, gmail, etc.. If you are opening your (web-based) e-mail and your browser asks permission to use the clipboard,  DON’T!  Here’s a link to the discussion about that:
http://www.windowsbbs.com/showthread.php?t=69461

 Vista Pain In The Neck Rule #1: If you modify or create a program in the “program files” directory, or a program does it for you, Vista will play tricks on you.

This includes: 

1. Editing a file yourself, even if you have administrator privleges
2. Any program that writes a data file to the program files directory (unless it’s an installer).
3. Any program that writes configuration or .ini files to the program files directory (unless that program was launched by an installer).

Here’s what I did:

I had modified a file myself, using Notepad or EmEdit (both are excellent text editors), in c:\program files\ClipMate7\Languages.  The file was called “english.lng”.  This was to test some changes for an upcoming maintenance release.  The modified file contained a version string 7.2.05.165, so I could easily check it within the program, to see if the translation was up-to-date.

A few days later (today), I installed my shiny new version 7.2.06.166.  Guess what?  English.lng contained the 7.2.05.165 version. 

I re-checked the installer and build scripts and directories. Everything was fine. As far as I could see, 7.2.06.166 was making it into the installer.  I uninstalled, rebooted, re-installed, and still had the old file.

Then I remembered the whole UAC thing, and how Vista makes some sort of “shadow” copy.  That’s what happens when Vista asks for special permission to continue with the “file save” or delete.  Yes, yes, yes indeed.  I found the old file lurking in:
C:\Users\Chris\AppData\Local\VirtualStore\Program Files\ClipMate7\Language\English.lng

I deleted it, and everything was fine. 

How did this happen? 

I was assuming that the installer would be able to clean up any such problems, but apparently, while the special UAC privlege for installers only allows them to install/delete files in the program files directory, it does NOT have provisions for reconciling newly-installed files with older files that are lurking in the VirtualStore directory.  Even though the installer supplied a new version of english.lng, Vista showed me the old one.

Lessons Learned To Date:

1. If a program file needs to write important data to its own directory, install it somewhere else. I have set up D:\Apps, for this purpose.
2. If you are backing up a program that seems to store its data in its own directory, and you didn’t follow #1 above, don’t count on the backup actually having the right files.
3. If you install a program and it offers to “run program now”?  Don’t. Just let the installer quit, and then run the program yourself. Otherwise you’ll run the risk of the program running with elevated privleges, and creating data and configuration files that cannot be updated later.
4. And today’s lesson: If you edit anything in the Program Files directory, you’re asking for trouble.  Be sure to check the VirtualStore cache.
5. The Virtual Store resides in: C:\Users\<userid>\AppData\Local\VirtualStore\Program Files\ClipMate7\Language\English.lng

References and helpful links:

• Vista and User Virtualization
• What is UAC? (And how to turn off those annoying prompts!)

Tags: uac, user account control, vista

Office 2007:

• Doesn’t seem to be a problem. I haven’t seen a clipboard come up, when performing multiple copies. 

Office 2003: See these articles:

• http://malektips.com/word_2003_0025.html
• http://www.annoyances.org/exec/forum/winxp/1187382118

Office2000:

• From Microsoft: “As you copy items, the Office Clipboard automatically appears on your desktop. You can close it if you do not want it to appear automatically. After closing the toolbar three times, you are prompted to permanently close it. If you permanently close the clipboard, to redisplay it, on the View menu, click Toolbars and then click Clipboard.”
• This information is from the Microsoft Support Knowledge Base, Article: Q221190 : Using the Office 2000 Clipboard
  There is yet another way, if you want to edit the registry.  The information is in a related Knowledge Base article: Q207438 OFF2000: Preventing the Office Clipboard Toolbar from Appearing
• Here are two registry scripts that will turn off, or on, the Office2000 clipboard by adjusting the value that is mentioned in the above MS Knowledge Base article:  
  Turning it off: office2000clipboardoff.reg
  And back on again:office2000clipboardon.reg
  Just click on either of the above links above, download and run the file to update the registry. You’ll be prompted with an “are you sure” dialog, and then the registry is updated.  If you want to see what they’re doing first, just download to your hard disk and open with a text editor such as Notepad.

• Note: This registry patch won’t work in Office XP

OfficeXP Clipboard:

• OfficeXP has a clipboard that will interfere with certain ClipMate operations like PowrePaste.  Disabling it is easy.  Start WinWord, and you’ll see the “task pane” at the side of the screen.  Within the task pane, you’ll see the clipboard appear if you copy two items in a row.  Now you can turn it off for good.  Select the “Options” menu, and turn off the “Show Automatically” and “Collect without showing” options.  There is a screenshot to show this.  When you re-start WinWord, the clipboard won’t re-appear.  If you need to bring it back, you can do so via the menu at the top of the “task pane”.

• Alternately, if you see the OfficeXP clipboard icon showing in the Windows System Tray (next to the clock), you can right-click on it and select “stop collecting”.

Related Links:

•  Annoyances.Org has a page on disabling the Office Clipboard in both Office2000 and XP.

How To Fix The Photoshop Clipboard (Sept 5, 2007)

It was an interesting read for me, confirming some things I’ve suspected.  I’ve always assumed that Photoshop keeps its own, separate clipboard for internal copy/paste (just call it a “hunch”, after years of support questions…)  But it seems that you can get into a bind where Photoshop doesn’t update its internal clipboard when the external one changes. The user copies something from somewhere, and pastes it into Photoshop.. and gets something that he copied WITHIN Photoshop, half an hour ago.   Of course, users hate that.

Developers never seem to learn: don’t try to be too cute with the clipboard. When the user wants to paste, go and get the clipboard contents and paste it. Don’t try to monitor the clipboard to see if you like it, or if it has newer data than your internal buffer. If the user wants to paste, just paste from the clipboard. Smoke and mirror tricks will always end badly, when you try to account for anyting and everything that could be happening to the clipboard.

Of course, this is likely due to blind faith in the clipboard notification process.  It probably worked great in the lab though! 

As I played launched on Vista, I heard a “pop” from ClipMate. Sure enough, GoogleEarth had inserted itself into the clipboard viewer chain. Why, oh why, must every progam feel that they need to know about anything that the user copies to the clipboard? IMO, GoogleEarth has no business inserting itself into the clipboard viewer chain.  Hopefully, they will stop doing this.

This brings up another question: why does ClipMate ”pop” when GoogleEarth (or any other program) inserts itself into the clipboard viewer chain?  The short answer is that the new Vista-style clipboard notification fires whenever a new program inserts itself into the legacy clipboard viewer chain. The long answer will likely be the basis for another article…