Protect Yourself - Restrict Your Privileges

One of the advantages of having your own computer is all the things that you can do with it. From surfing the web, and holding instant audio / video conferences with friends and family, to paying your bills and maintaining data used in your various hobbies, your computer lets you do marvelous things.

Unfortunately, what your computer can do, the bad guys can use, if you don't stop them. Would you want unknown persons having access to lists of your bank accounts? Would you want unknown persons having the ability to create files and folders on your system, without you knowing about them? How about if somebody were to encrypt the contents of your system, and provide the ability for YOU to use what's on YOUR computer, only after you pay them?

Back when the web was just getting started, a browser (like Internet Explorer) was used to display text documents, that used hypertext to reference other documents. Then somebody added the ability to display pictures. Every web page needs at least a picture or two - look at the upper right portion of this window - do you see the MVP logo? That's a picture (and one that I'm pretty proud of too). Click on the logo, and you can see my picture too.

Unfortunately, with every ability given to your browser, comes the ability of the bad guys to use that ability against you.

Are you using Internet Explorer right now? Download one of the absolutely neatest utilities that you can get for Windows NT based (NT, 2000, 2003, XP) operating systems. Process Explorer will tell you 100 times as many details as the native Windows Task Manager will. Process Explorer is free, and does not require any installation process - just drop it into an available folder. Please don't drop it into the root of C:, or anywhere into the C:\Windows structure - create a folder for it, such as "C:\Utilities", or "C:\Program Files\Process Explorer".

Now Process Explorer, and other utilities like it, is provided to us by SysInternals and Mark Russinovich, the guy who caught Sony with their pants down. You can trust anything from SysInternals (my professional opinion anyway). And you can trust anything else that I tell you about - really. I don't recommend any products - free or otherwise - that I don't use myself. But please don't indiscriminately download software from the web.

So, did you just download Process Explorer? Did you do that using Internet Explorer? If so, you used a scripting program known as ActiveX. That window, like a small Windows Explorer, that popped up asking you where to put the file being downloaded is written in ActiveX. A lot of small programs (we call them applets generally) are written in ActiveX. Unfortunately, the mini-Explorer applet, like most ActiveX scripts, can be used by you locally, or thru your browser.

What happens if you surf to Hackerz-R-Us, and download one of the games there? Do it using Internet Explorer, and you may find yourself Owned. An ActiveX script that has system level capabilities, and can be called from your browser, has enormous potential to do you harm.

Having said that, it would NOT be in your interest, even if you could, to delete the ActiveX libraries. Nor can you even remove ActiveX totally from Internet Explorer. Windows Update, which you absolutely better use regularly, depends upon ActiveX to update your system.

Short of something stupid, you can do several things.



Use The Browser As A Restricted User
Knowing that Internet Explorer would be essential to your using Windows, Microsoft built into it the ability for you to designate some websites (such as WindowsUpdate) as absolutely trustworthy, and others (such as Hackerz-R-Us) as absolutely untrustworthy. And you can disable ActiveX, and other dangerous browser features, for untrusted websites.

One of the best known security experts on the web, Eric Howes, explains how to do this, and provides a regularly updated database of known dangerous websites.

Don't Surf To Dangerous Websites
Right. Don't go there. Stay away from http://www.hackerzrus.org! Unfortunately, this may not be an effective strategy. A DNS hijack, whether local (using your Hosts file), or networked (using your DNS server), could redirect traffic for windowsupdate.microsoft.com to www.hackerzrus.org.
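A local Hosts file hijack of the kind described above can be spotted by auditing the file. The following is an added example, not part of the original post; the watched-domain list and the sample file contents are constructed for illustration, and on Windows XP the file itself is normally %SystemRoot%\system32\drivers\etc\hosts.

```python
import ipaddress

# Assumption: domains whose name resolution should never be overridden locally.
WATCHED = ("microsoft.com", "windowsupdate.com")

# Constructed sample Hosts file contents (not taken from a real system).
SAMPLE_HOSTS = """\
127.0.0.1      localhost
127.0.0.1      ads.example            # blocklist-style entry, harmless
203.0.113.7    windowsupdate.microsoft.com
198.51.100.9   fileserver.example  fs  # static mapping with an alias
not-an-ip      broken.example
"""


def parse_hosts(text):
    """Yield (line_number, address, hostname) for every valid mapping."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue                            # blank or comment-only line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first column is not an address
        for name in fields[1:]:                 # one address may carry aliases
            yield lineno, addr, name.lower().rstrip(".")


def audit_hosts(text, watched=WATCHED):
    """Return findings as (line, hostname, address, reason) tuples."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched):
            # Any local override of a watched name is suspect, even 127.0.0.1,
            # because it either redirects the traffic or silently blocks it.
            findings.append((lineno, name, str(addr), "watched domain overridden"))
        elif not (addr.is_loopback or addr.is_unspecified):
            # Loopback and 0.0.0.0 entries only block a name; anything else
            # sends the name to another machine and should be one you added.
            findings.append((lineno, name, str(addr), "maps to another machine"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

This only covers the local half of the problem; a hijack at the DNS server leaves the Hosts file untouched.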

Use The Computer As A Restricted User
How often do you install software? Most useful software requires you to close all open applications, and / or forces you to restart the system after installing. If you're like me, you install once / day, or once / week.

So why should you log in to your computer as an administrator routinely? If you do all of your web surfing as a non-administrator, and you accidentally (yeah right) surf to http://www.hackerzrus.org, don't run any scripts there. View the pictures, and read the text, just don't run any of their programs.

But what if you surf to a malicious website, but one with a benevolent name? How about http://www.sys1nternals.com?

One of the best ways to protect yourself is to NOT use Internet Explorer, by policy, except when doing Windows Updates. When you're surfing the web, sign in as a user, and a user with non-administrative privilege.

Aaron Margosis, a Microsoft security expert, has a very dynamic blog discussing the pros and cons of running with limited privilege. And Derek Melber, of WindowsSecurity, has Using Dual Accounts for Administrators.

Sys1nternals

This could be a website with malicious content. You never know.

As I say separately, in my professional opinion, you can trust anything provided by http://www.sysinternals.com. SysInternals has been providing powerful, and free, system utilities for years. But, as you become well known, you need to watch out for imitators. I would not be surprised to hear, one day, of the bad guys registering domain Sys1nternals, and providing malware to anybody surfing to http://www.sys1nternals.com.

So be careful, and anytime you see a web site address, check it carefully for intentional misspellings like this.
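Checking an address for intentional misspellings can be automated for the handful of sites you depend on. The following is an added example, not part of the original post; the trusted list, the table of confusable characters and the function names are assumptions chosen for illustration, and the domain is taken naively as the last two labels of the host name.

```python
from urllib.parse import urlsplit

# Assumption: a short list of domains the reader actually relies on.
TRUSTED = ("sysinternals.com", "microsoft.com")

# Characters that are easily mistaken for one another map to one symbol.
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "|": "l",
                            "0": "o", "5": "s", "3": "e"})


def skeleton(name):
    """Collapse look-alike characters so an imitation compares equal."""
    name = name.lower().replace("rn", "m").replace("vv", "w")
    return name.translate(CONFUSABLE)


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(url):
    """Return ('trusted', d), ('lookalike', imitated_domain) or ('unknown', None)."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    domain = ".".join(host.rstrip(".").split(".")[-2:])   # naive: last two labels
    if domain in TRUSTED:
        return ("trusted", domain)
    for good in TRUSTED:
        # Distance 0 means only look-alike characters differ; distance 1 also
        # catches a single dropped, added or changed letter.
        if edit_distance(skeleton(domain), skeleton(good)) <= 1:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for url in ("http://www.sysinternals.com", "http://www.sys1nternals.com",
                "http://www.hackerzrus.org"):
        print(url, classify(url))
```

An "unknown" result says nothing about whether a site is safe; it only means the name does not imitate one on the trusted list.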


Lost Ability To Create New Network Connections

When you use the Windows XP System Restore, you have to remember not to restore to a state preserved before a major system update. You can cause major problems, if you try a scenario like:


  1. Upgrade XP to SP2.
  2. Attempt System Restore to a point before the SP2 upgrade.

One of the known consequences of the above scenario is loss of functionality in the New Network Connections wizard. You might observe any of these symptoms:

  • One or more of the selections in the New Connection Wizard may be grayed out (unavailable).
  • The Network Connections folder may be empty.
  • You may receive an error like

    Cannot load Remote Access Connection Manager. Error 711.


When this happens, the only valid recovery is to reapply SP2. After that, you will have to rerun Windows Update, and reapply all upgrades applicable after that procedure.

But what if this isn't the case? What if SP2 wasn't recently applied, or if a system restore to a point before the SP2 upgrade wasn't done? There is one thing you can check. The Remote Access Auto Connection Manager, and Remote Access Connection Manager, services must both be running. If you have this problem, check the Services Wizard, and make sure that those services, and all those that they depend upon, are running (Started and Automatic).

For more information, see these Microsoft articles.

Virtual Memory and The Thing King

Are you somewhat confused by virtual systems? Do you understand them but have a hard time explaining how they work? Then the following explanation, developed by Jeff Berryman, a Systems Programmer at the University of British Columbia (UBC) Computer Center, and originally published in the UBC Computer Center Newsletter, may help.

THE PAGING GAME
Rules


  1. Each player gets several million things.
  2. Things are kept in crates that hold 2048 things each. Things in the same crate are called crate-mates.
  3. Crates are stored either in the workshop or warehouse. The workshop is almost always too small to hold all the crates.
  4. There is only one workshop but there may be several warehouses. Everybody shares them.
  5. Each thing has its own thing number.
  6. What you do with a thing is to zark it. Everybody takes turns zarking.
  7. You can only zark your things, not anybody else's.
  8. Things can only be zarked when they are in the workshop.
  9. Only the Thing King knows whether a thing is in the workshop or in a warehouse.
  10. The longer a thing goes without being zarked, the grubbier it is said to become.
  11. The way you get things is to ask the Thing King. He only gives out things in multiples of eight. This is to keep the royal overhead down.
  12. The way you zark a thing is to give its thing number. If you give the number of a thing that happens to be in a workshop it gets zarked right away. If it is in a warehouse, the Thing King packs the crate containing your thing back into the workshop. If there is no room in the workshop, he first finds the grubbiest crate in the workshop, whether it be yours or somebody else's, and packs it off with all its crate-mates to a warehouse. In its place he puts the crate containing your thing. Your thing then gets zarked and you never knew that it wasn't in the workshop all along.
  13. Each player's stock of things have the same numbers as everybody else's. The Thing King always knows who owns what thing and whose turn it is, so you can't ever accidentally zark somebody else's thing even if it has the same number as one of yours. (VS/2)

Notes

  1. Traditionally, the Thing King sits at a large, segmented table and is attended to by pages (the so-called "table pages") whose job it is to help the king remember where all the things are and who they belong to.
  2. One consequence of Rule 13 is that everybody's thing numbers will be similar from game to game, regardless of the number of players.
  3. The Thing King has a few things of his own, some of which move back and forth between workshop and warehouse just like anybody else's, but some of which are just too heavy to move out of the workshop.
  4. With the given set of rules, oft-zarked things tend to get kept mostly in the workshop while little-zarked things stay mostly in a warehouse. This is efficient stock control.
  5. Sometimes even the warehouses get full. The Thing King then has to start piling things on the dump out back. This makes the game slower because it takes a long time to get things off the dump when they are needed in the workshop. A forthcoming change in the rules will allow the Thing King to select the grubbiest things in the warehouses and send them to the dump in his spare time, thus keeping the warehouses from getting too full. This means that the most infrequently-zarked things will end up in the dump so the Thing King won't have to get things from the dump so often. This should speed up the game when there are a lot of players and the warehouses are getting full. (Not applicable to VS/1)

LONG LIVE THE THING KING

---------------------------------------------------
Dr. Michael R. Williams
Editor-in-Chief, Annals of the History of Computing
Department of Computer Science
University of Calgary
Calgary, Alberta
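
The rules above describe demand paging with least-recently-used replacement: a crate is a page, the workshop is physical memory, a warehouse is the paging file, and the grubbiest crate is the least recently used page. The sketch below is an added example, not part of Berryman's text; the class, the function names and the sequence of moves are invented for illustration.

```python
from collections import OrderedDict

CRATE_SIZE = 2048   # Rule 2: things per crate (the page size)


class ThingKing:
    def __init__(self, workshop_crates):
        self.capacity = workshop_crates   # crates that fit in the workshop
        self.workshop = OrderedDict()     # resident crates, grubbiest first
        self.fetches = 0                  # crates brought in from a warehouse
        self.evicted = []                 # crates packed off, in order

    def zark(self, player, thing_number):
        # Rule 13: the same thing number is a different thing for each player,
        # so a crate is identified by its owner as well as its number.
        crate = (player, thing_number // CRATE_SIZE)
        if crate in self.workshop:
            self.workshop.move_to_end(crate)   # just zarked: least grubby now
            return "zarked"
        # Rule 12: the thing is in a warehouse, so its crate must be fetched.
        self.fetches += 1
        if len(self.workshop) >= self.capacity:
            grubbiest, _ = self.workshop.popitem(last=False)
            self.evicted.append(grubbiest)     # whoever owns it, out it goes
        self.workshop[crate] = True
        return "fetched, then zarked"


def play(moves, workshop_crates=2):
    """Run a list of (player, thing_number) moves through one Thing King."""
    king = ThingKing(workshop_crates)
    outcomes = [king.zark(player, number) for player, number in moves]
    return outcomes, king.fetches, king.evicted


# Constructed moves: two players, a workshop with room for two crates.
MOVES = [("alice", 0), ("alice", 2047), ("bob", 0),
         ("alice", 5), ("bob", 4096), ("bob", 0)]

if __name__ == "__main__":
    outcomes, fetches, evicted = play(MOVES)
    for move, outcome in zip(MOVES, outcomes):
        print(move, outcome)
    print("fetches:", fetches, "evicted:", evicted)
```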

Don't Lose Sight Of The Mission

This army officer didn't, but you have to read the whole letter.


Gentlemen,

Whilst marching from Portugal to a position which commands the approach to Madrid and the French forces, my officers have been diligently complying with your requests which have been sent by H.M. ship from London to Lisbon and thence by dispatch to our headquarters.

We have enumerated our saddles, bridles, tents and tent poles, and all manner of sundry items for which His Majesty's Government holds me accountable. I have dispatched reports on the character, wit, and spleen of every officer. Each item and every farthing has been accounted for, with two regrettable exceptions for which I beg your indulgence.

Unfortunately the sum of one shilling and ninepence remains unaccounted for in one infantry battalion's petty cash and there has been a hideous confusion as to the number of jars of raspberry jam issued to one cavalry regiment during a sandstorm in western Spain. This reprehensible carelessness may be related to the pressure of circumstance, since we are at war with France, a fact which may come as a bit of a surprise to you gentlemen in Whitehall.

This brings me to my present purpose, which is to request elucidation of my instructions from His Majesty's Government so that I may better understand why I am dragging an army over these barren plains. I construe that perforce it must be one of two alternative duties, as given below. I shall pursue either one with the best of my ability, but I cannot do both:

  1. To train an army of uniformed British clerks in Spain for the benefit of the accountants and copy-boys in London or perchance:
  2. To see to it that the forces of Napoleon are driven out of Spain.

-- Duke of Wellington, to the British Foreign Office,
London, 1812

Windows XP - Which Edition Should I Choose?

The choice of whether to choose Windows XP Home or Professional, or any other edition, or any similar edition of Windows Vista, varies - and not always strictly according to network environment, or to intended use. Many small businesses can get by quite well with XP Home, yet many professionals wouldn't have anything less than XP Pro in their home LAN.

Based on help requests, I'd guess that the most relevant distinctions, between the various editions of XP are:

  • Choice of file sharing. A computer running XP Home will only use Simple File Sharing.
  • Domain membership. A computer running XP Home cannot join a domain.
  • Number of simultaneous incoming connections. XP Home limits you to 5 simultaneous incoming connections, while XP Pro will limit you to 10.
  • Remote access to the desktop. XP Pro provides Remote Desktop, which integrates tightly into the Windows structure. For XP Home, and for other operating systems, you will need VNC, or a similar product.
  • Remote access to the operating system. A computer running XP or Vista Home can't be managed remotely, nor can its problems be diagnosed remotely.
  • Token based access. A computer running XP Pro will use token based access. You'll authenticate once (possibly automatically) to a server, the client will setup a token, and use that token in the future. With XP Home, you'll authenticate each time that you create a connection to a server.


As always, Your Mileage May Vary.

NOTE: There is a third, odd member of the Windows XP trio. XP Media Center Edition has the XP Pro kernel. The early versions of MCE had all of the functionality of XP Pro, plus the multimedia capabilities. Starting with the 2005 version, XP MCE (KB887212) lost the ability to join a domain, though it still has many other components of XP Pro.

If you have a computer with either XP Home or XP MCE 2005, and you need it to access domain resources, please read File Sharing Under Windows XP - Windows XP In A Domain.

If you want to make a detailed comparison, and look at other decision making possibilities, you may want to read additional articles:


Identify Your Edition Of Windows XP
  • Right click on My Computer.
  • Select Properties.
  • On the General tab, look under System:. If you have Windows XP, it will say either:
    • XP Home.
    • XP Media Center (which has the file sharing abilities of XP Professional).
    • XP Professional.
    • XP Tablet (which has the file sharing abilities of XP Professional).
    • XP Professional x64.



Irregularities In Individual Share Accessibility

When I talk about strategies for diagnosing network problems, one of the principles that I recommend is Relational Pattern Analysis. Look for computers that have the same problem, and other computers that don't. When you have problems that can't be solved easily, when you use one of my troubleshooting guides like Irregularities In Workgroup Visibility, the larger your network, the better. You need computers that don't have the problem, and computers that do, so you can identify the common thread between each set of computers, and then identify the problem itself.

Sometimes, though, your problem may be more complex. Instead of all shared folders on your server being invisible or inaccessible, maybe some are accessible, but others aren't. Maybe only some are even visible. Now what do you do?

Visibility, and accessibility, of individual shared files and folders are controlled by Access Control Lists, or ACLs. The RestrictNullSessAccess setting can affect access to individual shares, if your server is authenticating with the Guest account.

The easiest way for your shares to differ in visibility is to have improperly differing ACLs. The easiest way to resolve this is to identify, and correct, the differences between the ACLs.

With Windows 2000, and Windows XP Pro, the solution here is simple. Edit the ACLs. You can do this the obvious (but more time consuming) way, by using the GUI in Windows Explorer. Or you can do this the less obvious, but more efficient and scriptable, way of using CACLS. Both procedures are discussed in Server Access Authorisation techniques.

With Windows XP Home, you can't use the GUI in Windows Explorer. Windows XP Home, and Simple File Sharing, set all permissions the same (supposedly). They don't give you any way of changing any permissions, short of global settings where you identify each share, and allow (or disallow) network users to change the contents. With XP Home (or with XP Pro, if you prefer), you may use alternate Server Access Authorisation techniques.

But, having identified the above possibilities, and carefully read and followed all instructions, sometimes you still can't get things working just right. There are known problems which can't be solved by simple ACL editing.

If you want to provide a secure computer, one of the recommendations is to keep the operating system updated, religiously. Microsoft issues monthly operating system updates, with patches of varying criticality. In most cases, it is beneficial to apply all critical patches. In some cases, like yours, it isn't.

In this case, patch KB885250, as referenced in bulletin MS05-011, has been recently identified as the culprit in odd file sharing scenarios. The Microsoft article (KB895900) You cannot save a file from your Windows XP-based or Windows 2000-based computer..., and a subsequent article (KB896427) After you install security update 885250, both describe the symptoms of this problem. Patch 885250 can cause, and has been known to cause, file sharing symptoms of varying complexity:

  • "Error = 5", aka "Access denied".
  • "Error = 58", aka "Bad network response".
  • Access to some folders, but not to others.
  • Apparently empty folders, when you know there are files in there.
  • "File not found".


In your case, there are 2 possible solutions:

The Static Route Table

Every networking device that uses or passes Internet Protocol traffic, and operates at OSI Layer 3 and above, uses a static route table. A static route table defines the networks, the destinations on those networks, and how the destinations can be reached.

To get the static route table for immediate examination, simply type "route print" into a command window.

If you want the data so it is easily compared between computers, you need to export the data into a text file.


  • Type "route print >c:\route.txt" (less the "") into a command window.
  • Then,

    • Type "notepad c:\route.txt" (less the "") into the same command window, for immediate examination.
    • Or, copy file c:\route.txt to another computer, for comparative examination.


Once you have the static route data in front of you, check out Joe Davies' Understanding the IP Routing Table for details on how to interpret it, and to modify it.
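
Comparing two exported route.txt files by eye is tedious, because each computer's own address appears in most rows. The following is an added example, not part of the original post: it reduces each export to its default gateway and directly attached subnets and reports where two computers disagree. The sample tables are constructed in the Windows XP "route print" layout, and the function names are chosen for illustration.

```python
import ipaddress

# Constructed "route print" excerpts (not captured from real computers).
ROUTES_PC1 = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.100   192.168.1.100      20
    192.168.1.100  255.255.255.255        127.0.0.1       127.0.0.1      20
        224.0.0.0        240.0.0.0    192.168.1.100   192.168.1.100      20
Default Gateway:       192.168.1.1
"""
# Constructed second computer that ended up on a different subnet.
ROUTES_PC2 = ROUTES_PC1.replace("192.168.1.", "192.168.0.")


def parse_routes(text):
    """Return the IPv4 route rows as (network, gateway, interface, metric)."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                      # headers, separators, blank lines
        try:
            net = ipaddress.ip_network("%s/%s" % (fields[0], fields[1]),
                                       strict=False)
            iface = ipaddress.ip_address(fields[3])
            metric = int(fields[4])
        except ValueError:
            continue                      # five words, but not a route row
        rows.append((net, fields[2], str(iface), metric))
    return rows


def summarize(text):
    """Keep only what should match on every computer of one LAN."""
    gateways, subnets = set(), set()
    for net, gateway, iface, _metric in parse_routes(text):
        if net.prefixlen == 0:
            gateways.add(gateway)         # 0.0.0.0 / 0.0.0.0 is the default route
        elif (gateway in (iface, "On-link")   # later Windows prints "On-link"
              and net.prefixlen < 32
              and not net.is_loopback and not net.is_multicast):
            subnets.add(str(net))         # a directly attached subnet
    return {"default_gateways": gateways, "local_subnets": subnets}


def compare(text_a, text_b):
    """Return {item: (values_a, values_b)} for every item that differs."""
    a, b = summarize(text_a), summarize(text_b)
    return {key: (sorted(a[key]), sorted(b[key]))
            for key in a if a[key] != b[key]}


if __name__ == "__main__":
    for item, (first, second) in compare(ROUTES_PC1, ROUTES_PC2).items():
        print("%s: %s versus %s" % (item, first, second))
```

To use it on real exports, read each computer's c:\route.txt into a string and pass the two strings to compare().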

Setting Up A WiFi LAN

Are you new to networking, or have you setup a few networks in the past? Networking looks really complicated (it can look that way), but it's basically just hooking up a few wires, and praying real well.

Setting up an Ethernet LAN is pretty simple, but it contains one annoying detail. With a wired LAN, unless the computer and router are right next to each other, you have to figure out how to locate the Ethernet cable that connects them. With a wired LAN, you have cables everywhere.

A WiFi LAN lets you remove the cables. With more work in the beginning, you're freer in the end. Without a simple physical cable, which you can see and touch, you have to setup a wireless connection, that you can't see or touch. But know, and understand, the limitations of WiFi.



Make It Easy For Yourself - Design The Installation Properly
Purchase The Right Equipment. You can setup a WiFi network without using a router / WiFi access point - this is called ad-hoc WiFi. But setting up an ad-hoc WiFi network is more complicated, and less secure, than an infrastructure (router / WAP based) network.

Plan The Installation
Read The Manual. Having carefully selected your WiFi Access Point / Router, and your WiFi Client Adapters, you hopefully spent some time acquainting yourself with their features. Now, spend some time perusing the guides and instruction manuals. Doing so is a good investment of your time.

Test As You Go. If this is the first time you've setup WiFi equipment, you may benefit from testing as you setup. Having 2 computers is a very good idea:
  1. Connect one by Ethernet to the AP, and use it to make changes in the AP settings.
  2. Connect a second by WiFi, and use it to test the changes to the AP.
Having 1 computer, doing dual duty, can be done; but having 2 computers is a lot less stressful.

Stage The Installation. Setting up a WiFi LAN can be pretty stressful - it's 3 or 4 times as complicated as setting up an Ethernet LAN. If you plan, and setup in stages, you can reduce your stress level significantly.

Setup The Access Point / Router
You still need an Ethernet cable when you setup the access point / router. Whenever you make configuration changes to a router (wired or wireless), the router may have to restart itself. When that happens, you will lose connectivity. Reestablishing connectivity with a wired connection is bad enough; reestablishing a wireless connection in some cases (if, for instance, you get the WPA key wrong) will be impossible. Always connect by Ethernet, if not absolutely impossible, when making changes.

Even though you may have bought the router that afternoon, it may have been sitting in the store for a while, and the vendor may have issued firmware updates for it since it was shipped from the factory. Check with the vendor, and see if any firmware updates are available.

  • Setup your computer as a DHCP client.
  • Install an Access Point / NAT router, and give it power.
  • Connect an Ethernet cable to the router, and to your computer.
  • Power your computer up.
  • Connect your computer to the router thru your browser.
  • Install any available firmware updates to the router.
  • Make all the necessary IP and WiFi settings to the router.


NOTE: Most access points and routers, wired or wireless, will come with installation guides and configuration utilities, and some will offer to install software on your computer. If you plan your installation properly, no additional software should be necessary. Your Windows system has a browser, and that should be all the software that you need to connect to your access point or router. Don't install unnecessary software.

The changes to a WiFi access point / router include Internet Protocol settings (like a wired NAT router), and WiFi settings. WiFi settings include:

  • Connectivity settings.

    • Channel. You need a channel with no other devices within range, to get maximum bandwidth.

      • You can choose from any channel number 1 - 11 (in the USA). To minimise interference, and maximise satisfaction between WiFi neighbours, we choose between 3 non-overlapping channels 1, 6, and 11.



        Non Overlapping Channels: Bottom ("1"), Middle ("6"), Top ("11")


      • With 802.11g-super, there is no channel choice. If a channel number is displayed, it will be "6", and be unselectable.
      • If there is any other network within range, using any channel which your router may use, you won't get maximum bandwidth. You will have to share the channel with your neighbor.

    • Interoperability. What standard will you use - 802.11b, 802.11b/g, 802.11g, or the newest (and currently not complete) 802.11n?

      • With 802.11b, you'll get a maximum bandwidth of 11M (half duplex).
      • With 802.11b/g (having a combination of 802.11b and 802.11g devices on your LAN), you will get between 11M and 54M (probably substantially less than 54M though). (Again, half duplex).
      • Only with 802.11g will you have a prayer of getting a full 54M (and that's with no 802.11b networks anywhere visible). (And still, half duplex).
      • If you have 2 802.11Super-G devices, from the same vendor, and no other WiFi devices are within range, you might be able to get 108M.
      • If you get 802.11n equipment, and have no other networks within range, you might get 108M or higher. This simply can't be objectively predicted, for any location, though.



  • Security settings.

    • Authentication. How will the wireless clients identify themselves to the router?
    • Encryption. How will the wireless clients keep your communications, between themselves and the router, private?
    • Logging. How will YOU know what is happening on your WiFi LAN?
    • Visibility. Hiding the SSID will not help you, and may hurt network performance. Setup a unique, yet not personally identifying SSID. If you have multiple APs, use the same SSID on each AP, to enable roaming by the clients.
    • The issue of Security is covered, in detail, in my article Setting Up A WiFi LAN? Please Protect Yourself!. Please note the above details.



Setup The Clients
Having made the necessary changes, you are free to turn the radio portion of the router on, and to setup the wireless clients. If your main computer also has a WiFi adapter, you can now remove the Ethernet cable between that computer and the router (but keep the cable handy for any future changes that you may make).

Setting up a wired LAN is simple - you connect the cables, things you can see and touch. With WiFi, you have the access point(s) out there - but you can't see or touch them. With WiFi, you setup the WiFi Client, which is a program provided by several vendors. Depending upon your setup, you may have any or all of these clients.

  • The computer manufacturer.
  • The WiFi adapter manufacturer.
  • Microsoft.
  • NetStumbler.

Before you install the WiFi adapter on your computer, check with the vendor, and see if any driver updates are available. This may include an update to the vendor's WiFi client.

Your access point can have only one WiFi Client managing it; having more than one Client active can cause conflicts. Conflicts can cause erratic performance, loss of connectivity, even the WiFi adapter may turn itself off. Know the possibilities, and only run one WiFi Manager at a time. If you choose to use the native Windows product - Wireless Zero Config aka WZC, consider applying the Wi-Fi Protected Access 2 / WPS IE (updated January 2007) update.

Each WiFi Client will present you with a list of visible access points. You choose, by signal strength, channels, and name, with which access points you wish to associate. The access points that you choose become your Preferred Access Points. The WiFi Client may periodically scan the spectrum for the strongest access point, and connect your computer to that access point. Note that this behaviour may be subject to SSID Visibility.

Any access points that you do not choose are still available for your use. Your WiFi Client probably has a selection to this effect - "Automatically connect to non-preferred networks", for instance, is a selection with the Windows Wireless Zero-Config Client. Make sure that this selection is not enabled automatically. You do not want your client to connect to your neighbor's WLAN unexpectedly.

Some Clients also let you prioritise the preferred access points - so you make a list, then you order the list, from top (most preferred) to bottom (least preferred). Your client will then automatically connect you, at any time, to the more preferred access point that is available.

With any access point of interest, if it uses any authentication or encryption, you will have to enter the appropriate information. Your client will create a profile for that access point, and keep that profile available for the future. When you remove an access point from your preferred list, you will delete the profile. You will then have to re enter the profile information later.

Without the correct profile information, you cannot connect to the network provided by the access point. If your client tells you that you are connected (however strong the signal), but you have no IP configuration, check the profile. If in doubt, delete and re enter the profile.

Whenever you setup a WiFi client profile, make sure that you select the appropriate authentication options. Selecting 802.1x authentication, without the complete infrastructure, will cause problems.

When you setup the WiFi client, you'll be using the setup wizard provided by the vendor (or Microsoft). Understanding the above issues, and reading the instruction manual or guide for the WiFi equipment, is essential. See, for instance, Windows Cable Guy Windows XP Wireless Auto Configuration.

Tune The Wireless Setup
Having done the Initial Setup, and having Secured your WiFi LAN, you may want to tune the physical setup. Maximum bandwidth is based upon maximum signal strength. There are a few things that you can do, when installing the equipment, that will prevent you from getting maximum signal strength.

Having completed all of the above tasks, enjoy the freedom.


Hidden Uninstall Wizards In Windows XP and 2000

Occasionally, you may need to remove an application from Windows, like Windows Messenger. Windows Messenger does come with an uninstall wizard, but the wizard is not normally accessible thru the Add / Remove Programs applet. First, you have to make the wizard visible.


  • Open folder "C:\Windows\inf", using Windows Explorer.
  • Locate and open file "sysoc.inf", using Notepad or another text editor. If "sysoc.inf" isn't visible, you'll need to configure Windows Explorer.

    • Select Tools - Folder Options.
    • On the View tab, under Advanced settings, enable "Show hidden files and folders".

  • With sysoc.inf open in Notepad, look for (in this example) "msmsgs".

    msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7

  • Change the substring ",hide," to ",,".

    msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,,7

  • Save the file, and close Notepad.
  • Restart Add / Remove Programs, and the previously hidden applet should be visible.

Now, just start the wizard. Soon, no more Windows Messenger.

Interactive Problem Resolution and Thread Length

When I work on a networking problem in person, I can generally ask the owner / primary user of the computer a few questions. Based upon the answers received (or not), and having the computers involved in front of me, I can frequently do some investigative testing, and arrive at a diagnosis.

When I work on a problem remotely, the diagnosis generally takes longer. Then, I must ask the Original Poster (OP) to perform simple tasks for me. Generally, even then, with results from the investigative processes made available to me in real time (as the diagnosis is being performed), I can ask for additional investigative tasks; with enough patience and persistence (from both of us), a diagnosis is not impossible.

When I work on a problem asynchronously and remotely, as is the general case when advising in online forums, this problem becomes a bit more challenging. Latency becomes a factor, as do distractions from other helpers. The longer the investigative process takes, the greater the chance that another helper will contribute an alternate diagnosis, which sometimes contradicts or interferes with the investigation at hand.


  • Factors affecting me.

    • Distractions by other tasks, including $payjob.
    • Ignorance of the situation being investigated (which generally decreases, as the investigation continues).
    • Ignorance of the subject involved (I try not to let this become a factor, by trying to focus on subjects which I have experience in).
    • Latency between posts. The longer I have to wait, after posting advice, for the OP to respond, the less I remember about the situation. This leads to longer time for me to respond to subsequent posts by the OP, leading, in turn, to decreased attention by the OP.

  • Factors affecting the second party - i.e. the owner of the computer, or the Original Poster (OP).

    • Distractions by other helpers.
    • Distractions by other tasks, including $payjob.
    • Ignorance of my methodical diagnostic procedures.
    • Ignorance of the situation being investigated (which generally decreases, as the investigation continues).
    • Ignorance of the subject involved.

  • Factors affecting any third parties - i.e. additional helpers.

    • Distractions by other tasks, including $payjob.
    • Ignorance of my methodical diagnostic procedures.
    • Ignorance of the situation being investigated.
    • Ignorance of the subject involved.



Are you a fan of American baseball? Have you ever watched American baseball? It's more than a bunch of guys hitting a ball around, and another bunch of guys trying to keep the first bunch from hitting the ball too much. There's a lot of strategy there.

Have you ever watched the Infield players (defense team) preventing an Infield Hit? The batter hits the ball to the shortstop (or other infield player, such as pitcher, second baseman, or third baseman), who grabs it, tosses it to the first baseman, and the batter is out. Simple - no strategy - just do the best you can to get the batter out.

Wrong. I was once on a corporate softball team, and the manager of the team arranged for an ex-pro baseball player (retired) to give us a small bit of strategic instruction. Just that small procedure - batter to shortstop to first base - is a quadratic equation carried out in real life. Watch sometime.

The shortstop and first baseman act as a single, coordinated unit, and maximise the time allowed them, before the batter gets to first base. How many times have you seen that the batter hits the ball, the shortstop fields it, and gets it to the first baseman when the batter is merely a third of the way to first base? Not that many times, I'd bet.

  • If the batter hits the ball really hard, the shortstop may have to really scramble to even stop the ball. When he gets up, he has to really hurry to get the ball to first base, where the batter is almost there.

    Since the shortstop is taking a while to get the ball to first base, and since he will possibly not be in exact control (he's scrambling, remember), the first baseman is covering first base at a stretch, with his toe on the bag, and moving in an arc around the bag, from the home plate side, to the outfield side. This gives the shortstop a 10 foot target to aim for (watch the first baseman stretch sometimes, he can get a good 5 feet stretch from his toe to his glove).

    As the shortstop throws the ball, in a hurry and from an uncomfortable position, the first baseman notes whether he is throwing straight towards first base, or to its infield or outfield side, and moves in the stretch arc accordingly. Shortstop throws ball, first baseman moves quickly to position himself, catches the ball, batter out.

  • OK, let's say the batter hits the ball really hard, and the shortstop is properly positioned, to grab the ball without even moving. His positioning, before the ball was hit, is not random; but we leave that for another discussion.

    The shortstop now has the ball in his hand, and he's standing and ready to throw the ball. Does he throw it to the first baseman immediately? No, because he's waiting for the first baseman to get into position. He'll probably toss it into his glove, and grab it again to get a really good grip for throwing.

    While the shortstop is positioning the ball for an accurate and hard throw, the first baseman is getting into position. The shortstop throws the ball like a bullet, right to the first baseman, and the batter is out.

  • Now for the third possibility. The batter hits the ball really weakly, so it just rolls. The shortstop charges towards the ball, and grabs it farther infield. He'll probably charge it to the right of its path, so when he gets it in his hand, he'll be facing the first baseman. Again, he's positioned just right, and in control.

    This time, he has less time to throw (he had to charge towards the ball, and the batter is running). Since he charged towards the ball, and at an advantageous angle, he comes up with the ball ready to throw immediately, maybe even from a bare handed grab. The first baseman, having already gotten into position, is waiting. The shortstop throws the ball, the first baseman catches it, and the batter is out.


So I know you're asking yourself "So what the heck does this have to do with network problem resolution?".

Well, I'm like the shortstop. Or maybe the first baseman, or a combination.

  • If the ball comes quickly (as in a problem report from the OP, with lots of good detail), I have a good chance of giving a quick snappy (mysterious) answer as to what to do about the problem.
  • If the ball comes slowly (as in the OP posts simply "My computers don't network"), I take my time, and ask a few questions, to try and get to know the OP, and the network. This looks like nothing useful to the other helpers. So the longer I take in my diagnostic procedure, the more chance that another helper may come up with alternate advice, or sometimes a quick fix. The alternate advice may, or may not, resolve the problem.

    1. If the alternate advice resolves the problem, it may be a solution that I did not anticipate. In that case, I have just learned something, and I may include it in one of my diagnosis and troubleshooting articles.
    2. If the alternate advice resolves the problem, it may be a solution that I did anticipate, and may have been mentioned in one of the many articles that I ask for the OP to Please Read. But the second helper, in a shotgun approach, or instinctively, may offer the solution without any diagnosis. Oh well, that happens.
    3. If the alternate advice does not resolve the problem, it may create complications that make it harder to fix the problem. So I have to watch carefully what the other helpers are suggesting, and if they come up with a procedure that may be a problem, I have to convince the OP to avoid that advice.
    4. If I come up with lots of advice, or articles to Please Read, the OP has lots to do. If I provide too much advice in the beginning, I may waste the OP's time, and his eyes may glaze over and he will ignore my advice. If I don't provide enough advice, the other helpers, again, may get involved.
    5. If I take my time, and ask just the right questions, I can lead the OP thru the problem diagnosis, and he / she can diagnose, and correct, the problem on her / his own, or from reading my articles, and maybe learn a bit from all the reading.

    Either way, getting the problem diagnosed and resolved is like getting the batter out. Sometimes it happens, other times it doesn't. And sometimes, the shortstop throws past the first baseman, and the batter ends up on second base, or farther.

    But out or safe, there is a strategy in there. You just have to know that it's there, and play with it.

Hoya

It was election time and a politician decided to go out to the local reservation and try to get the Native American vote. They were all assembled in the Council Hall to hear the speech. The politician had worked up to his finale, and the crowd was getting more and more excited. "I promise better education opportunities for Native Americans!"

The crowd went wild, shouting "hoya! hoya!" The politician was a bit puzzled by the native word, but was encouraged by their enthusiasm. "I promise gambling reforms to allow a Casino on the Reservation!"

"hoya! hoya!" cried the crowd, stomping their feet.

"I promise more social reforms and job opportunities for Native Americans!" The crowd reached a frenzied pitch shouting "hoya! hoya! hoya!"

After the speech, the Politician was touring the Reservation, and saw a tremendous herd of cattle. Since he was raised on a ranch, and knew a bit about cattle, he asked the Chief if he could get closer to take a look at the cattle.

"Sure," the Chief said, "but be careful not to step in the hoya."

Congratulations

You found what you need. Help Me To Help You.

Make Your Wireless Computer Connect Only To Your Network

WiFi networking is designed like the Internet - lossy. That is, it's expected to fail, and designed with recovery mechanisms built in. Your WiFi signal is lossy.

The signal emitted by your WiFi router is very weak, intended to allow coverage distances measured in feet - not miles, as with a broadcast radio or TV station. WiFi, as with radio and TV, radiates in a spherical pattern. Very few business or residential properties are spherical. Locating a WiFi access point on your property, to provide coverage to all of your property, is not a simple task.

If you carry your WiFi equipped laptop around your house enough, eventually you will find a dead spot - somewhere with no signal, or not enough signal to provide enough bandwidth. You can do several things to work around this problem.


  • Move the laptop, to find a better signal.
  • Relocate the existing WiFi router or WiFi Access Point (WAP), to give a better signal where it's needed.
  • Install a second (or third) WAP, connected as the first, to your LAN.

Say you like the third solution better, and now you have 2 WAPs. If you put both WAPs on different channels (so they don't cause interference to each other), and assign them the same SSID, you'll be free to move around, and the laptop will automatically connect to whichever WAP is stronger, at any location. That's called roaming - it's a lossy solution, and it works well (within the limits of channel saturation).

However, there's a catch here. Whether you have a WiFi LAN with 1 WAP, 2 WAPs, or a dozen, if you don't set up your WiFi LAN properly, your laptop could just as easily connect to your neighbor's WiFi LAN. That could have various consequences.
  • You could end up with a connection thru a different ISP, with no access to services from your ISP.
  • You could end up on a different LAN, with no access to your other computers.
  • You could be arrested for leeching WiFi (stated to be illegal in some jurisdictions).


If you set up your WiFi LAN properly, this won't be a problem, whether you have only one WAP, or a dozen.

  1. First, set up the APs. If you have more than one AP, use the same SSID, and security settings, to allow roaming by the clients.

    1. Give your SSID a unique value, but don't use your name, phone number, or address.
    2. Enable the SSID beacon on each of your access points.

  2. Next, set up each client.

    1. Designate your SSID as the only Preferred SSID.
    2. Disable the option to "Automatically connect to non-preferred networks".


Having done all of this, and with a carefully set up, and properly secured, WiFi LAN, enjoy the freedom.