Defensive Computing

I just got a Lenovo S10 Netbook computer and couldn't have been more enthusiastic about kicking the tires. As I've written before, I think Netbooks will be very big, and this was to be my first.

So this posting should have been a first look. I should be offering my opinion on whether the keyboard is too small, what it's like to use Windows XP on such a small screen, and how hot the thing gets. But I didn't get that far.

After a delay in getting the machine the box arrived all beat up. Not unusual, of course, but computers are normally so well packaged that it doesn't matter. Not this time.

My first impression was that the box had been opened in transit; two sides weren't sealed at all. As you can see below, a golf ball easily fit in the open sides of the box.

The golf ball points up three problems:

• Something could have fallen out or been purposely removed during shipping.
• The cardboard was thin, closer to a manila envelope than something protective.
• It didn't appear that the box had been vandalized, rather two sides were never sealed in the first place.

In a nutshell, the contents were not well protected in transit.

As I examined the box and turned it over, stuff was rattling inside. I've had more than my fair share of computers mailed to me, and never before did a box arrive with stuff rattling around inside.

I removed the 4-inch strip of tape that held the outside box closed and found the computer and a white box inside as shown below.

The white interior box was the source of the rattling. As you can see in the picture below, the battery and the AC adapter are together in the box and neither was covered. There was a plastic bag in the box, but it wasn't wrapped around anything.

That Lenovo would ship a battery in a plastic bag without cushioning is, to me, poor judgment--a corner that should not have been cut. That Lenovo would ship the battery without the plastic bag actually covering the thing is poor quality control.

Am I overreacting? After all, it's a $400 laptop. Perhaps, but lithium-ion batteries are a well-known fire hazard. In normal use I'm sure they are safe, but one mistake that you can make with a lithium-ion battery is banging it. According to PC Pitstop:

There are numerous conditions where these fires can occur in real life. Faulty battery packs (driving the recalls), faulty protection circuits inside the PC, exposure to excessive heat, and blunt force are some of the major ways that this could happen to you.

Shipping an unprotected, unwrapped battery right next to a hard object is risking "blunt force."

The Department of Transportation no longer allows lithium-ion batteries in checked baggage when flying. As for carry-on bags they say that "you may still carry any number of some types of lithium batteries, such as the ones used in cell phones and most laptop computers, provided you take measures to protect terminals." Why the different policies for checked vs. carry-on bags? "In the passenger compartment, flight crews can better monitor safety conditions to prevent an incident, and can access fire extinguishers, if an incident does happen."

To further illustrate the danger, the Department of Transportation offers these suggestions for flying with a loose lithium-ion battery:

• Place tape across the battery's contacts to isolate terminals. Isolating terminals prevents short-circuiting.
• If original packaging is not available, effectively insulate battery terminals by isolating spare batteries from contact with other batteries and metal. Place each battery in its own protective case, plastic bag, or package. Do not permit a loose battery to come in contact with metal objects, such as coins, keys, or jewelry.
• Take steps to prevent crushing, puncturing, or putting a high degree of pressure on the battery, as this can cause an internal short-circuit, resulting in overheating.

As for the S10 itself, I never removed the plastic covering the computer. It's going back.

As I was deciding whether to keep the computer or not, Lenovo e-mailed a receipt for the purchase. The receipt arrived a couple days after the computer arrived, and eight days after the initial order. There was a link in the e-mail message (www.lenovo.com/products/us/returns) for how to return a purchase, but it's broken. Instead of the return policy, the link results in "There were no items matching your search." This is on top of the shipping delay because UPS said there was no label on the box.

Lenovo ThinkPads have an excellent reputation, but an IdeaPad is not a ThinkPad. The S10, in particular, is a whole new product category, one for which there is no pre-existing reputation. So things boil down to confidence and Lenovo did not inspire confidence.

My next hassle is trying to convince Lenovo not to charge me the $60 restocking fee. If you're thinking of buying a Lenovo computer, be aware that machines sold on their Web site are subject to a 15 percent restocking fee. You may be better off at a local retailer with a more liberal return policy.

Update: Unboxing other Netbooks

• The Dell Mini 9 comes wrapped in heavy cardboard and seems to have the battery already inserted.
• The battery for the MSI Wind U90 ships in plastic bubble-wrap. The computer itself comes in box inside another box.
• The Acer Aspire One battery is wrapped in plastic and seems cushioned by cardboard to keep it from moving in transit (2 minutes, 10 seconds into video).
• Laptop magazine got a very early copy of the Lenovo S10 and unboxed it on video. First point they made was that it might not be the final retail boxing. Still, their battery, like mine, shipped naked.
• Brand Linder at Liliputing did an unboxing video of the Asus Eee PC 100H. It shipped as a box within a box and the battery was protected by plastic bubble-wrap.

See a summary of all my Defensive Computing postings.

Twice this year I ordered a computer directly from Lenovo and they shipped it via UPS. Both shipments got screwed up.

Back in January I wrote about how UPS lost my computer. That machine, a desktop, was supposedly delivered to the wrong address. Lenovo built and sent a replacement computer and a few days after the replacement computer arrived, and roughly a month after the first one was shipped, the first machine magically showed up.

On October 8th Lenovo shipped me a new S10 Netbook (see The Lenovo S10 Netbook is here, count me in. On the 9th, I checked the delivery status with UPS only to find that the tracking number didn't exist.

The next day, when the UPS tracking number still wasn't in the system, I called Lenovo. They couldn't explain what happened and queued my query to another group with a promise to call back in a couple days.

By the 13th, UPS knew about package.

My package "experienced an exception". The address label was missing or illegible. That's a first for me.

Lenovo called on the 13th to say that the package had no label and they would have a new estimated delivery date tomorrow.
Update: The computer arrived before the new delivery date estimate.

Making a poor situation worse was that three out of the four times I spoke to someone from Lenovo on the telephone, I couldn't hear the person due to background noise as loud as Fenway Park in the World Series. That, combined with the accents of the Lenovo employees, meant that every sentence had to be repeated.

Of course, you can also communicate with Lenovo by email, except that an email about this wasn't responded to for 3.5 days.

UPS seems to be the only shipper used by Lenovo.

Update October 20, 2008. This did not end well.

See a summary of all my Defensive Computing postings.

Things aren't going well at Ford Motors.

The automaker just reported that September sales were down 34.6 percent compared with the same month a year ago. For the first half of 2008, Ford posted net losses of $8.6 billion.

Ford blames a weak economy and a tight lending market. But there may be another factor at work--unhappy customers.

In August, I rented a Ford Fusion from Hertz. When I saw a Microsoft logo under the dashboard, I suspected trouble ahead. Sure enough, it seems that poor design choices, so common in the computing world, have migrated to Ford cars.

When it comes to automobiles, I'm a newbie. While I can get from point A to point B, I wouldn't know a carburetor if it sat next to me on the subway. But how much do you need to know about cars to play the radio?

After listening to the radio a bit, something drove me to hit the phone button. Why? I don't know. There were two cell phones in the car, but the phone section of the radio wanted something from me that I didn't have. It was asking all sorts of questions that I didn't know the answer to. So, I gave up and turned the radio off.

But, it didn't go off.

I pushed more buttons, and more, and more. Nothing turned off the radio; in fact, nothing would get it to play AM or FM or satellite radio. I could put a CD in the dashboard, but couldn't get it to play. The radio insisted on answers to the phone questions and without them it wouldn't do anything else.

So, I called Hertz.

The person at Hertz had never dealt with a radio that refused to turn off before. He went to search for the user guide (car people call it an owners manual) and called back. We got nowhere. He suggested turning off the car (rebooting to a techie), but I was in the middle of a crowded highway on a long trip so that wasn't an option. Then the Hertz rep was nice enough to call a Ford dealer and call back.

The final answer? Push and hold the radio's phone button for about 5 or 10 seconds. That turns off the radio. Being a techie, I had tried pushing in the power button on the radio and holding it for 10 seconds, but didn't think to try it with other buttons too.

The nonfunctional radio was all the more annoying because I couldn't play my MP3 player through the car stereo.

The last car I rented, a Toyota, had an input jack in the dashboard. With the right wire, it was a simple thing to plug one end into the dashboard and the other end into the headphone jack on the MP3 player. I was a happy camper in Toyota-land.

The Ford Fusion user guide said the car could do the same thing and had a picture of where the input jack was. But the picture looked nothing like the dashboard. It didn't look anything like any part of the car. I searched every inch of the dashboard and the entire front half of the car. No stereo input jack.

The third strike was the rearview mirror. The interior of the car slopes up in the back. Thus, anyone looking in the rearview mirror can barely see an elephant standing behind the car.

Next time I rent a car, no Fords.

(Credit: CNET Networks )

Robert X. Cringely writes a technology blog for PBS, which I've read for a long time. In his August 29th posting, What Did You Say?, he discusses his unpleasant experiences as a new iPhone owner/user.

I have no iPhone experience, so I can't judge his opinions. However, Cringely's blog is always thoughtful and, to me, he is a very credible source. Plus, he has an excellent perspective owning two iPhones, a Samsung AT&T phone and having just switched from two other cellphone companies to AT&T.

In a nutshell, he says that the iPhone makes a miserable telephone.

The posting is long but only the first five paragraphs address the iPhone. For more about the iPhone, see CNET coverage.

See a summary of all my Defensive Computing postings.

Slate recently published a great article Take That, Stupid Printer! How to fight back against the lying, infuriating, evil ink-and-toner cabal by Farhad Manjoo. The title is a bit meaner than the article, which makes for interesting reading.

If you own a Brother HL-2040 printer, the article is especially relevant. The author suspected that the printer was lying about being out of toner and he figured out how to lie back to it, making it think there was a new cartridge. Sure enough the printer had lots of toner left, as Mr. Manjoo puts it "At least eight months have passed. I've printed hundreds of pages since, and the text still hasn't begun to fade."

Brother is not the only company wringing profits out of way-too-early warnings out being out of ink/toner. The good news, according to the article is that "... instructions for fooling different laser printers into thinking you've installed a new cartridge are easy to come by ... If you're at all skilled at searching the Web, you can probably find out how to do it .... Just Google some combination of your printer's model number and the words toner, override, cheap, and perhaps lying bastards."

My HP LaserJet 1320 is well-mannered; it warns when it thinks the toner is running low, but doesn't do anything other than warn. And, it's reasonably accurate, giving me time to order a new cartridge before it really runs out of toner. Apparently, I'm lucky.

Or, it may be that the more expensive the printer is up-front, the less the manufacturer feels the need to play tricks with the ink/toner. If that appeals to you, see Kodak's consumer printers aim to chop ink costs.

See a summary of all my Defensive Computing postings.

What are they thinking at Mozilla? How could they devote time and effort to eye candy like new icons and drastically reworking the address bar when Firefox so often fails at printing.

How did printing get pushed to the bottom of the priority list?

I read lots of Web pages in hard copy and from the get-go (version 0.8 or so) Firefox has underperformed when it comes to printing Web pages. That issue and the slow start-up time are two constant annoyances endured by devoted Firefox users. It's been quite awhile now, and I think it's time that Mozilla get around to making Firefox the equal of Internet Explorer in terms of printing Web pages.

This page deserves special mention: SSLVPN Vulnerabilities - Client Certificates offer a superior defense over OTP devices.

In Firefox 2, not one word of the article prints. Not a single word. Print preview shows one mostly blank page.

In Firefox 3, the first page is the same as Firefox 2, page 2 has the article and page 3 has some links from the page footer. But, the article is about 7 or so pages and page 2 has only the first page. In other words, Firefox 3 can't print the vast majority of the article.

Firefox is Lucy Ricardo. For those of you who recall I Love Lucy, I'm Ricky. I love my wife, Lucy, but sometimes she just does the craziest things.

Maybe it's time for Ricky to go to the Opera. Version 9.5 of the Opera browser, running on Windows XP, prints the entire article, although it also feels the need to start with an appetizer of an empty first page. Internet Explorer 7 prints the entire article perfectly, no blank first page.

Update August 20, 2008: A commenter below noted that Safari can print the article in question, I haven't tried this. The person didn't say however if it was Safari on the Mac or on Windows. I only tried Firefox on Windows XP, another commenter below said that Firefox 3 on a Mac printed this page fine. Firefox version 2 had an optional toolbar button to report web sites that didn't display well in the browser (the button looked like a spider web). Version 3 of Firefox eliminated this button, so problems like this can no longer be reported to Mozilla.

See a summary of all my Defensive Computing postings.

Following with the theme of my recent posting, Some companies you can trust, and some you can't, I ran across a blog posting from Alan Shimel of StillSecure (More frustrations with web infrastructure) that details how GoDaddy and Typepad let him down in his time of greatest need. Mr. Shimel was the victim of a cyber crime - his blog and domain were stolen out from under him.

GoDaddy

The first indication of trouble came to Mr. Shimel as an email message from GoDaddy stating that his domain was switched from a locked* to an unlocked status, a change that he didn't initiate. This started a long dialog with GoDaddy which led Mr. Shimel to refer to them as "the hackers best friend."

I find stories like this unusually illuminating. Anyone reviewing a service, such as the domain registration that GoDaddy offers, can easily cite the features and costs and kick the tires. But, the true test of a company comes in your hour of greatest need and for a domain owner, that hour is when your domain has been stolen out from under you. In this case, GoDaddy did not perform well.

I have a number of domains registered with GoDaddy and have recommended them in the past. Their prices can't be beat and my few interactions with tech support were reasonably handled. My biggest gripe was their busy and always confusing website. In light of this story though, it's hard to recommend GoDaddy going forward.

directNIC

My favorite registrar (and I've used my fair share) is directNIC. This opinion was cemented in an hour of great need. I had been a steady customer when they screwed up a transaction and transferred a domain away from a client. This was not a case of malicious hacking, the circumstances of the domain registration transfer were extremely unusual, and one that their computer systems had probably never seen before.

The initial response from tech support, was disappointing to say the least. I used other words to describe it at the time. That was out of character, my previous interactions with directnIC tech support were handled very well.

As I noted previously, it's not the problem that I remember, it's how the problem is dealt with. In this case, I was able to reach a higher authority at directNIC and get things straightened out. At one point, they even called me to verify that all was well and they admitted the first response was not up to par.

Typepad

Mr. Shimel's blog posting also details his experience trying to get Typepad to restore a stolen blog and restore postings the bad guys had deleted. It didn't go well. If your blog is very important to you, you may want to host it with a company that offers telephone based support. Typepad does not.

Update August 20, 2008: Mr. Shimel also had poor experiences dealing with Yahoo trying to reclaim his email account. See Why Google is now my homepage instead of Yahoo.

Update August 20, 2008: Someone claiming to be Anil Dash, a Vice President at the company behind Typepad, Six Apart, left a long comment below. I'm trying to verify that it really was Mr. Dash...

*A locked domain can't be transferred to another registrar. It has nothing to do with the state of a web site or email. Locking a domain is a standard security procedure, but it may not be the default status when you register a new domain. If you control any domains, you may want to verify with the registrar that they are locked.

See a summary of all my Defensive Computing postings.

As is so often the case with networking problems, the firewall was source of the Verizon DSL problem I wrote about recently.

I had experienced problems making outbound connections at two Verizon DSL business customers and was told by another Verizon DSL customer that they too had a similar problem.

The problem first came up when trying to use NetMeeting from a Verizon DSL customer to remotely control a computer. Despite there being no firewall on the receiving computer NetMeeting still couldn't make a connection. Even a simple ping of the target computer failed.

I suspected Verizon was the source of the problem when, a few days later, from another Verizon DSL customer, Real VNC failed to connect to a computer (another remote control attempt). Again, a ping of the target computer failed, but so too, did pings of websites such as yahoo.com, cnet.com and cbs.com that normally respond to pings (not all websites do).

When Verizon tech support and press relations made it clear that they don't block outgoing traffic, the problem had to be with the configuration of their modem/router.

In a standard consumer grade router, the firewall has a simple task: block all unsolicited incoming traffic. It doesn't try to govern outgoing traffic at all. Thus, any connection to the Internet that starts from a computer on the LAN is allowed. This is similar to the way the Windows XP firewall works, except that the XP firewall is likely to have some pre-defined holes in it.

The firewall in the Verizon Westell 7500 router/modem is a bit more ambitious, it tries to also exert control over outgoing connections that originate from the LAN. In some circumstances this is a good thing, but it caused me problems.

The actions of firewalls are easily quantified. They control a TCP/IP networking concept; a port. Ports are assigned numbers ranging from zero up to roughly 65,000. Some port numbers are reserved for specific types of traffic, others can be used by any networking software for any purpose. For example, you requested this web page using port 80. When you request a secure web page you are using port 443.

To see this for yourself, try to go to www.cnet.com:80 (the colon 80 may not show in your web browser status line when hovering over this link, but it is in the link). Everything works fine, the colon 80 is explicitly stating that port 80 should be used. Normally, the port number is implied when using the HTTP protocol. If you use any port number other than 80, you'll get an error message from your browser rather than the CNET home page.

Each port is either:
-- inbound or outbound
-- used by TCP or UDP or both (low level protocols)
-- open, closed or stealthed (stealth is the best)

That's it. Everything a firewall is doing can be quantified with rules about ports that are allowed and ports that blocked.

The Verizon DSL problems that I experienced stemmed from their using vague words to describe the functioning of the firewall. Nothing about the actions of the firewall in the Westell 7500 is explained in terms of ports. Thus, no one is sure exactly what the firewall is doing (I spoke to tech support twice).

When you configure the firewall in the Westell 7500, you get the choices shown below (full size image).

Take, for example, the "Minimum Security (Low)" setting which "allows all traffic except for known attacks". Is it allowing everything coming in or everything going out or both? And, what is a known attack? Firewalls control ports, not attacks. A given piece of malicious software may use one port number to phone home this week and a new variant can use a different port number next week.

Then it says "your modem is visible by other computers on the Internet". First off, the Westell 7500 is not just a modem, if it were, this posting wouldn't exist. Then, it's not clear if this means that no incoming ports are blocked or if it just means that the 7500 will respond to pings.

The bottom line is that these words have no meaning. Think of it as a gas station with pumps labeled "best", "medium" and "worst" without the octane rating.

In my case, the term "Typical Security (Medium)" tripped me up. That's what one modem was set to when I couldn't do ping or traceroute or Real VNC remote control. Lowering the setting to "Minimum Security (Low)" fixed the immediate problem.

What's the difference, in terms of ports being blocked, between Medium and Low? Even Verizon doesn't know.

In a scenario very reminiscent of WiFi routers shipping with encryption disabled, Verizon normally uses the "low" and "none" firewall settings. "Typical Security (Medium)" is not, according to tech support, typical. They rely on security software on the computers of their customers.

Shields Up!

A great service for testing ports is Shields Up! from Steve Gibson at grc.com. It too, pointed out how vague the firewall security description is.

With the Westell 7500 set to "MaxiumSecurity (High)" Shields Up! reported that the FTP port (21) was closed rather than stealthed. This is not maximum security. The boring, ordinary, years-old, dusty Belkin router that sits between me and the Internet as I write this, is, according to Shields Up!, fully stealthing all the common ports.

During a recent installation of a new Verizon business DSL line, the customer was not given a choice as to the equipment Verizon would provide. Later, tech support said they do offer dumb modems, presumably without firewalls. That may be the better way to go in terms of Defensive Computing as it lets you chose a router with better documentation.

See a summary of all my Defensive Computing postings.

Recently, someone at a small business with a Verizon DSL Internet connection couldn't connect to my computer with NetMeeting. I've done this often enough to know that NetMeeting wasn't the problem, so I asked them to ping my computer - and it failed (timed out).

The TCP/IP ping command is a network debugging tool available on any operating system with TCP/IP (which is just about every operating system). It sends a simple command to the target computer which answers with a small amount of data. As the name implies, ping is just a tap on the shoulder to see if the networking is working between two computers on a TCP/IP network. Because pings are so simple, any problem is a networking problem.

In this case, the ping should not have failed. The target computer was one of mine and it was naked on the Internet, without a firewall protecting it. It seemed that Verizon was blocking it at the source, but I couldn't be sure.

A few days later, while working at another small business with a Verizon DSL connection, I couldn't establish a remote control connection using Real VNC. This was a bit more complicated, as it involved port forwarding on the target router and poking a hole in the firewall on the target computer. But here too, my first step in debugging was a ping of the target public IP address - and it failed. The target was a router under my control and it was configured to respond to public pings. Again, it seemed like Verizon was blocking the ping at the source.

To be sure, I tried a more advanced network debugging tool, traceroute. Long story short, traceroute proved that Verizon was blocking things. The trace was able to get from my computer on the LAN to the Verizon Westell 7500 modem/router that connected the LAN to the outside world, but could not get any farther.

A third test provided strike three. Someone I know with a Verizon DSL account, when told about this problem, also tried to ping some public websites and couldn't. The box used in this case was a Westell Wirespeed C90.

Verizon DSL is blocking outgoing ping, traceroute, NetMeeting, Real VNC and probably more.

This is bad. The blocking of outbound remote control software was a real problem to the first businesses as it prevented me from helping them with another problem.

Update August 5, 2008: Pings to websites don't always work. This has nothing to do with an ISP, rather it is an attribute of the website, or more specifically, the routers fronting the site. A website may simply choose not to respond to pings. The examples in this posting do respond to pings. Many consumer grade routers have a configuration option governing whether they respond to pings. However, even if a website opts to not respond to pings, a traceroute (in Windows the command is tracert) should at least show that the request got out to the Internet and bounced around a bit before failing. This was not the case with Verizon DSL.

Update August 5, 2008: I spoke to Verizon tech support and the technician said this is not by design. In fact, the person said they had never had a complaint that a DSL customer couldn't do something as simple as pinging yahoo.com. If this is true, the problem must lie in the configuration of the Westell modem/router. To be continued.

Update August 7, 2008: Verizon's press relations office made it clear they do not block traffic. And, it seems they don't - at least not on purpose. The problem has been resolved with one of the three customers, the issue was with the firewall in the router. More to come soon...

Update August 11, 2008: To see how this played out, see Verizon DSL traffic blocking explained

See a summary of all my Defensive Computing postings.