IBM Thinkpad External USB Keyboard with Trackpoint on Windows 8

Do you have one of the amazing original IBM Thinkpad USB Trackpoint keyboards (Model: SK-8835, P/N: 02R0400) but can't get it to work under Windows 8? After lots of trial and error, I found the right driver set that does the trick.

Works

The only driver set that works is:

  • Think/Travel USB Keyboard with UltraNav TrackPoint/TouchPad driver for Windows Vista
  • v2kyb03us17.exe
  • 9.1.2.0 14
  • Mar 2007

You can find the download from one of these locations

Once you have downloaded v2kyb03us17.exe:

  1. Run the downloaded file to extract the contents
  2. Do NOT run the first setup.exe
  3. Go to: C:\swtools\drivers\KYB\v2kyb03us17\WinWDF\
  4. Go to your platform (64 or 32 bit)
  5. Run that setup.exe

Do NOT work

These drivers all had a better Google page rank, but did not work at all for me:

King Schmendricks

A Schmendricks poppy seed bagel with chive cream cheese

Yes this is a $3 bagel, and yes it is really good.

Schmendricks is a pop-up bagel shop here in SF that is making all the headlines. Their press page links to most of the coverage from the media. Serious Eats also posted a more in-depth series on their beginnings.

Beware that the bagel half-life is definitely in effect here. As Serious Eats found out when they tried to do head-to-head taste tests in NYC, a bagel will lose most of its awesomeness 30 minutes after it's come out of the oven:

Our conclusion? A bagel's half-life, untoasted and unadorned, is no more than half an hour. It was far less than any of us had thought, but after more than thirty minutes, we saw a rapid decline in texture, crust, and even taste. Brooklyn Bagel's initial victory? Simply a matter of freshness.

I've tasted Schmendricks bagels at 10, 25, 40, and 90 minutes after they've come out of the oven and absolutely agree that after the half hour mark they take a turn for the ordinary. So my advice is this: eat a Schmendricks bagel while it's still hot and you'll swear you've just had a real bagel for the first time; eat one after it's cooled and you'll wonder why you didn't spend that $3 at Tartine Bakery instead.

93% of top passwords appear in LinkedIn leak

LinkedIn launched itself back into the limelight with yesterday's massive user account security breach. Over 6 million unsalted SHA-1 password hashes were posted online, triggering an orgy of consternation, smugness, and schadenfreude across the geek boards. It was barely a year and a half ago that LinkedIn was in the press because of leaked password issues (not their fault)--one would have thought that they would have spent a little time auditing their security procedures. Now Last.fm is reporting their own leak just 24 hours later.

I downloaded the hashes and did find my LinkedIn password hash in the dump, though apparently uncracked. You can check yours over at LastPass or LeakedIn.org. Luckily I have unique passwords for all my logins so the damage was minimal. The damage to LinkedIn's reputation though, is not so contained:

  • LinkedIn had (or still has) a security hole that allowed someone to gain access to their user account database
  • LinkedIn's use of unsalted SHA-1 hashing is gross negligence at best
  • LinkedIn's public incident response was pathetic: 2 tweets and 2 blog posts (2 more tweets simply linking to the blog posts)

Luckily LinkedIn search currently shows 480,153 profile matches for "Director of Security". Maybe they might want to start cold calling some of them.

The File

The file that I was able to download off of the torrent sites is a single column dump of SHA-1 hashes that looks like:

00000fac2ec84586f9f5221a05c0e9acc3d2e670
0000022c7caab3ac515777b611af73afc3d2ee50
deb46f052152cfed79e3b96f51e52b82c3d2ee8e
00000dc7cc04ea056cc8162a4cbd65aec3d2f0eb
00000a2c4f4b579fc778e4910518a48ec3d2f111
b3344eaec4585720ca23b338e58449e4c3d2f628
674db9e37ace89b77401fa2bfe456144c3d2f708
37b5b1edf4f84a85d79d04d75fd8f8a1c3d2fbde
00000e56fae33ab04c81e727bf24bedbc3d2fc5a
0000058918701830b2cca174758f7af4c3d30432

The consensus is that all of the hashes that start with 00000 were artificially masked and have already been cracked. This is supported by the fact that the hashes of well-known common passwords, such as the string password:

5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

are not in the file, but their masked counterparts:

000001e4c9b93f3f0682250b6cf8331b7ee68fd8

are in the file. Initial reports said that 6.5 million hashes were released, but the file that I downloaded was slightly different:

  • Filename: SHA1.txt
  • Total count: 6,143,150
  • Masked hash count: 3,521,180

So about 57% of the passwords are assumed to have been cracked. I was curious as to what percentage of the most common passwords were present in this dump, as a proxy for gauging the password choices for a supposedly more professional population. A quick search led me to security guy Mark Burnett, who maintains a list of the top 10,000 most used passwords across the internet. He admits to some skew caused by a significant amount of sourcing from adult websites, but I don't think it really matters.

I dumped all the hashes into a Redis instance, produced a list of SHA-1 hashes from Mark's list, and looked for matches on both full and masked hash variants. Here's what I found:

  • 7,142 of the most common passwords were present
  • 546 of the most common passwords were not present
  • 2,312 of the most common passwords were too short for LinkedIn's 6 character minimum

I've posted my final CSV of the top 10,000 passwords with SHA-1 hashes and their status in the LinkedIn dump. What does it all say? Well, adjusted for the minimum password length:

93% of the eligible subset of the 10,000 most common passwords were found in the LinkedIn password leak.

Unfortunately, the leaked hashes were only uniques and did not contain any frequency information so I wasn't able to match it to the distribution that Mark reports. Still, this reaffirms that the vast majority of people don't concern themselves with password security. Stop the madness! Generate site-specific passwords and manage them using LastPass. Sign up for two-factor authentication on Google.

How to block SMS text message spam on Verizon


Are you getting SMS text message spam from 5-digit numbers? These are messages that Verizon complicitly sends to you via their "Premium Messaging" service. The good news is that Verizon allows you to block all of these via their website. The bad news is that there are still plenty of SMS spammers that don't route through Verizon's officially sanctioned spam channels and just robo-spam.

  1. Log in to My Verizon
  2. Go to the "Verizon Safeguards" page
  3. Go to the "Service Blocks" page
  4. Check both boxes for "Block Premium Messaging" and "Block Premium Animated Messaging"

(Screenshot: Verizon Safeguards SMS service block options)

Verizon explains "premium messaging" on its FAQ page:

What is Premium Messaging?

Premium Messaging is an option to purchase or subscribe to messaging programs, provided by third party content providers, for premium charges (e.g., charges that are in addition to standard messaging charges). The premium charges for subscriptions recur monthly, while the premium charges for purchases occur only once. Many programs offer both one-time purchases and recurring subscriptions. These programs are initiated through special numbers, which are four, five or six-digit numbers, known as Short Codes.

Examples of Premium Messaging programs are:

  • Interactive voting during TV shows
  • Purchases of content, such as ringtones, wallpaper or screensavers
  • Weather alerts, sports score alerts, daily jokes, horoscopes, etc.
  • Trivia subscriptions
  • Subscriptions that enable the download of a certain amount of content each month, such as the ability to download 10 ringtones or wallpapers per month

Not surprisingly, in 2011 Verizon settled a class action suit where customers were unwittingly signed up for recurring billing for various bullshit services:

Verizon Wireless has learned that some customers may have signed up and been charged for certain third party premium text messaging services based on advertising that did not meet Verizon Wireless’ standards for the disclosure of pricing and subscription information. These charges were for content associated with a company known variously as Cylon, Jawa and/or Eye Level Holdings (although these names may not have appeared on the content or on your bill).

-- www.premiumsmsrefunds.com

Read more about the implementation side of premium messaging at Verizon's developer site, and from the perspective of Sumotext, a SMS short code provider.

Comparison of Slicehost vs. Linode VPS Performance

I had been hosting this site on a 256MB VPS from Slicehost for just over 2 years in their Dallas datacenter. Overall, it was a great service (and a much needed upgrade from Dreamhost), with only 3 unscheduled reboots over those years. However, my weekly monitoring reports from Browsermob never hit 100% uptime across their global servers. A typical report looked like this:
Slicehost (Dallas) VPS weekly uptime

  Location           Response Time   Checks   Failures   Availability
  Amsterdam          5.94 secs       192      26         86.5%
  Dallas, TX         1.04 secs       166      0          100%
  Dublin, Ireland    2.28 secs       140      0          100%
  New York City      6.01 secs       196      33         83.2%
  SF Bay Area, CA    1.3 secs        163      0          100%
  Singapore          3.83 secs       170      0          100%
  Washington, DC     1.1 secs        174      0          100%

Over 4 months of monitoring, between 1 and 3 locations would fail to reach 100% availability each week. Out of curiosity, I wanted to see if any other VPS service could do any better. I signed up for a Linode 512 plan and ported over this site, which had the following relevant configuration:

  • CentOS 5.3
  • Apache 2.2
  • MySQL 5
  • WordPress 2.1

The change in the Browsermob profile was immediate. The first full week of running on Linode in their Fremont datacenter looked like this:

Linode (Fremont) VPS weekly uptime

  Location           Response Time   Checks   Failures   Availability
  Amsterdam          2.06 secs       84       0          100%
  Dallas, TX         1.05 secs       84       0          100%
  Dublin, Ireland    1.9 secs        83       0          100%
  New York City      1.27 secs       84       0          100%
  SF Bay Area, CA    672 ms          84       0          100%
  Singapore          2.37 secs       84       0          100%
  Tokyo              1.58 secs       83       0          100%
  Washington, DC     1.15 secs       84       0          100%

(The drop in number of checks is due to a drop in the daily allowance for free Browsermob accounts, in addition to an increase of one new location in Tokyo.)

Diving into the data some more, I found that the range of response times across the globe was also substantially improved. The response time chart in my profile showed a clear improvement at the time of the switch on July 4:

(Chart: global response times before and after the switch)

  Metric                       Slicehost   Linode   % improvement
  Average response time (ms)   1889        1513     19.91%
  Response time stdev          1161        638.7    44.95%
  Coefficient of variation     0.6141      0.4221   31.26%

So, for the same price ($20/month), Linode was able to deliver almost 20% improvement in average global response time along with a much tighter standard deviation.

At the time that I switched, the 256 Slicehost plan cost the same as the 512 Linode plan. Slicehost has since changed their pricing to almost match Linode.

Canon 5D loose mirror replacement

I was hiking up in Yosemite when at the top of North Dome the mirror in my Canon 5D came unglued and started bouncing around in my camera! I took it to a local camera shop, who quoted a $350 repair (which involved replacing the entire mirror housing), but luckily a bit of interneting yielded the following service notice from Canon's astoundingly-difficult-to-bookmark support site:

Service Notice: EOS 5D: Main Mirror Detachment

Thank you for using Canon products.

We have discovered that, in rare instances, the main mirror of some EOS 5D Digital SLR cameras may detach due to deterioration in the strength of the adhesive. Accordingly, we would like to convey the details and our service policy concerning this phenomenon.

We offer our sincerest apologies to those customers who have been inconvenienced by this issue. Canon always strives to provide the highest quality products to our customers and we will spare no effort in our quality management to make sure our customers can use our products with confidence. We hope our efforts will earn your understanding.

Phenomenon: The main mirror of the camera detaches and images cannot be viewed through the viewfinder.

Affected products: EOS 5D Digital SLR cameras whose main mirror has detached.

User Support: We will repair and reinforce the mirror portion of the affected products free of charge. If you own one of the affected products, please contact our Customer Support Center.

We appreciate your patience, and we offer our sincerest apologies to the customers using these products who have been inconvenienced by this issue.

This information is for residents of the United States and Puerto Rico only. If you do not reside in the USA or Puerto Rico, please contact the Canon Customer Support Center in your region.

Contact Information for Inquiries
Customer Support Center
1-866-422-2965 (toll free)
8:00 a.m. - Midnight, EST (M-F)
10:00 a.m. - 8:00 p.m., EST (Sat.)
Email: carecenter@cits.canon.com

The Canon customer support rep was far more friendly than their website. The timeline went like this:
  • August 6: Canon sent over a UPS ground shipping label to the closest repair facility in Irvine, CA
  • August 11: I shipped out my 5D body
  • August 18: Canon sent an email confirming that they had inspected the camera and would be starting repairs
  • August 22: Canon sent an email confirming that the repair was finished and a Fedex tracking number
So within 2 weeks, I got my camera back, freshly cleaned and sporting a reinforced mirror mount (highlighted in green below), totally free of charge:

(Photo: Canon 5D reinforced main mirror assembly)

The best page in the universe

According to Google, I am the second-most popular "purveyor of [insert genre here]" in the world, bested only by the purveyor of the world's finest teas, Upton Tea Import. Being second in this list is lamentable, but under the circumstances not a terrible position considering that I have a better rank than the leading purveyor of fine needlework and supplies, and the purveyor of EarthBalls and Giant Globes. Gloating aside, how the moniker "purveyor of" came into being merits some discussion. C.M. recently asked,

You use the line "purveyor of fine words." Before commandeering this line, did you look into its etymology? For example, what is correct "fine purveyor of..." or "purveyor of fine..."? Oddly, there is not much online by way of a discussion. There are of course several instances of people using the phrases both ways. I did come across a book about the history of purveyance and it talked about "fine purveyors" as those who procured better cuts of meat or poultry, as opposed to the "coarse purveyors." However, these days, everyone claims to be a "purveyor of fine something". I just wonder if they are interchangeable or if one is more correct than the other. For obvious reasons, you seemed like a good person to ask, being a self-titled "purveyor of fine words" and all.

Well, I chose the tagline 'purveyor of fine words' as a response to the typical self-deprecating blog name that is so common these days -- ones that mix and match words like 'rambling', 'thoughts', 'random', 'drivel', 'brain farts'. I subscribe to one blog that is titled, "Continuing Intermittent Incoherency", which sounds like the author picked up some kind of Mad-Lib for blog names for inspiration. "Randomised nonsense" and "The Solipsistic Sayings of a Random Infidel" also seem to have been derived from the same template.

Perhaps these titles are a byproduct of today's disclaimer-ridden society, where consumers are too moronic to realize that a cup of coffee contains scalding hot liquid, or that a pack of peanuts "may contain nuts", or that power tool enthusiasts should not "attempt to stop a chainsaw with [their] hand". In the online world, this warning zealotry translates into prefacing statements with redundant acronyms like FWIW or IMHO, which authors use to ostensibly indemnify themselves against criticism. "IMHO, you're nothing but a fucktard and the best part of you ran down the crack of your momma's ass", becomes a quaint jest I suppose. In order to buck this trend, I opted to go big instead and inflate myself to gourmet proportions, and thus I promoted myself to a purveyor of fine words.

In response to C.M.'s question, I don't have any more insight into the etymology of the phrase, as mine merely parodies Dean & Deluca's tag line of "Purveyors of Fine Foods and Kitchenware". I would say that "purveyors of fine..." is much more prevalent than "fine purveyors..." insofar as it's difficult to explain the difference between a "purveyor" and a "fine purveyor" (maybe the purveyor is very attractive?), whereas the difference between "food" and "fine food" immediately conjures up contrasting images of corn dogs and Iranian caviar.

IE does not bubble form <select> element onchange events

When developing dynamically generated forms, you often want to attach a single event handler to the main form object, and have that handle the events generated by the form elements, thus saving you the trouble of constantly attaching event handlers to newly generated elements. However, IE 6 and 7 do not bubble the onchange event beyond the originating select element, meaning that you have to explicitly attach an onchange handler to every select you generate. All other current browsers bubble the event properly.

Here is a test form for checking if your browser registers the onchange event beyond the firing select element. Changing the select options should trigger an alert dialog box.

  • onchange listener attached to parent <div> node
  • onchange listener attached to parent <form> node
  • onchange listener attached to actual <select> node
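One way to handle both cases from a single call, as an added example that is not code from the original post: on browsers that bubble the change event, one delegated listener on the form covers every current and future select; on browsers that only offer attachEvent (the IE 6/7 case described above), the handler is attached to each select directly and the returned bind() must be called for every select generated afterwards. The form and select objects are assumed to be ordinary DOM nodes; the mode names and the bind/boundCount helpers are this example's own.

```javascript
// Delegated "change" handling for dynamically generated forms. Modern browsers
// bubble the event from a <select> up to the form; IE 6/7 do not, so there the
// handler is attached to each select, and newly generated selects need bind().
function attachSelectChangeHandler(form, handler) {
  if (typeof form.addEventListener === "function") {
    // Bubbling browsers: a single listener on the form sees every select.
    form.addEventListener("change", function (event) {
      var target = event.target || event.srcElement;
      if (target && target.tagName && target.tagName.toUpperCase() === "SELECT") {
        handler(target);
      }
    }, false);
    return {
      mode: "delegated",
      bind: function () {},             // nothing to do: delegation covers new selects
      boundCount: function () { return 0; }
    };
  }

  // Legacy IE path (attachEvent only): the event never leaves the select, so
  // every select, including ones generated later, needs its own handler.
  var bound = [];
  function bind(select) {
    if (select.__changeBound) return;   // idempotent, safe to call on rebinds
    select.__changeBound = true;
    select.attachEvent("onchange", function () { handler(select); });
    bound.push(select);
  }
  var selects = form.getElementsByTagName("select");
  for (var i = 0; i < selects.length; i++) bind(selects[i]);
  return {
    mode: "direct",
    bind: bind,
    boundCount: function () { return bound.length; }
  };
}
```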

Concise Adblock Filter Set Explained

Adblock is the single most useful Firefox plugin available today. Just like watching sitcoms with automatic commercial-skip, adblock's banner ad suppression system elicits a smug sense of satisfaction even after browsing through your 10,000th ad-free web page. However, a huge barrier to adoption seems to be the lack of a default filter set, so when you first install adblock, nothing happens.

The main issue is that adblock does not have any intelligence as to the content that is included with a webpage; it is just a generic regex-based filter system, so it is only as effective as the filters that you provide. There are plenty of pre-made lists available but they tend to be overly-aggressive in what is suppressed, resulting in occasional broken pages and/or pages that dead-end because adblock has removed the "Next" button. The most dangerous public set seems to be the EasyList, which has a 360+ item block list. Evidence that the creators know of its greedy nature is their inclusion of a 20+ item whitelist to manually compensate for what was initially blocked. Even more unstable is the EasyElement list that searches through the DOM to remove suspected elements directly from the main document -- a list of 570+ substrings to search for.

Instead of using such a large, reactive list of simple and site-specific string matches that tries to suppress 100% of ads, I posit that you only need 2 adblock filters to eliminate 70-80% of ads, and still be confident that legitimate content isn't being flagged as a false positive. By getting into the heads of HTML writers, we can pick out the most common patterns used to include ads and create regex patterns to suppress the ads.

  1. /(\b|_)ad(x|s?)(\b|_)/
    This regex looks for any element that contains the string 'ad', 'ads', or 'adx' surrounded by a word boundary, because the vast majority of web sites partition their ads into a single directory or serve them through a single script. The word boundary check is crucial to this filter because just searching for the characters 'ad' is ineffective. Instead, the word boundary restriction means that adblock will suppress elements that contain strings like 'ads.server.com' or 'www.server.com/ads/' or 'server.com/ad_server.php', but not 'adobe.com' or 'server.com/adjustment'.
  2. /ad.*\d+[xX]\d+/
    This regex exploits the common technique of ad designers to use the image dimensions in their element name, e.g., "server.com/newads.php?location=top&size=468x80". Like the previous rule, we don't just exclude any element that has dimensions, but qualify that by searching for the string 'ad' as well.

At this point, your browsing experience will be significantly improved, but you can bump up your block rate to about 80-90% with a few more simple substring matches. There are many well known ad providers that exist solely to deliver ads, so we can consolidate those in composite filter rules:

  1. /a(2\.yimg|dserv|dvert|tdmt|twola)/
    This rule collects all the ad serving systems that start with 'a': Yahoo, Atlas, AOLTimeWarner, and generic ad serving systems.
  2. /b(anners|logads)/ and falkag.net
    These pick up anything labeled with 'banner', the 'blogads' network, or Falk AdSolutions.
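The full filter set from both lists above as a small evaluator, added here as an example and not part of the original post, run over constructed sample URLs (hypothetical hosts) so you can see which rule catches what and which legitimate paths pass through. The filter names are this example's own; "falkag.net" is kept as the plain substring match the post lists rather than a regex.

```javascript
// Filters in the order the post introduces them: the two general regexes
// first, then the composite network rules and the falkag.net substring.
const FILTERS = [
  { name: "ad-directory",    test: (u) => /(\b|_)ad(x|s?)(\b|_)/.test(u) },
  { name: "ad-dimensions",   test: (u) => /ad.*\d+[xX]\d+/.test(u) },
  { name: "a-networks",      test: (u) => /a(2\.yimg|dserv|dvert|tdmt|twola)/.test(u) },
  { name: "banners-blogads", test: (u) => /b(anners|logads)/.test(u) },
  { name: "falkag",          test: (u) => u.indexOf("falkag.net") !== -1 },
];

// Return the name of the first filter that matches, or null if the URL is clean.
function matchFilter(url) {
  for (const f of FILTERS) {
    if (f.test(url)) return f.name;
  }
  return null;
}

// Constructed sample URLs: the post's own examples plus a few legitimate-looking
// paths. Note that rule 2 has no word boundary around 'ad', so a path such as
// /uploads/photo_800x600.jpg is blocked by it; that is a false positive worth
// knowing about before you rely on the dimension rule.
const SAMPLE_URLS = [
  "http://ads.server.com/x.js",                                 // rule 1
  "http://www.server.com/ads/top.gif",                          // rule 1
  "http://server.com/ad_server.php",                            // rule 1 via '_'
  "http://server.com/newads.php?location=top&size=468x80",      // rule 2
  "http://adserver.example.net/show",                           // rule 3 ('adserv')
  "http://example.com/banners/top.gif",                         // rule 4
  "http://rotator.falkag.net/x",                                // substring
  "http://www.adobe.com/products/flash",                        // clean
  "http://server.com/adjustment",                               // clean
  "http://example.com/uploads/photo_800x600.jpg",               // false positive, rule 2
];

// Classify every sample, pairing each URL with the filter that blocks it (or null).
function classifyAll(urls) {
  return urls.map((url) => ({ url, blockedBy: matchFilter(url) }));
}
```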

Realistically, reducing the ad load by 90% should be more than sufficient for anyone. Chasing that last 10% -- and whitelisting the collateral damage -- will always be a losing battle. Your time is better used reading the content that is on the page you requested in the first place.

Positions filled

Effective immediately, I have a new title at work — actually 6 new titles...

  • Internets Strategerist
  • Sr. Tube Developer
  • The Decider
  • Guapo
  • Scrabblista
  • Assistant to the Regional Manager

Bonus points if you can match all the cards with their respective references:

  • The Office
  • Senator Ted Stevens
  • G.W. Bush & Will Ferrell
  • Victor's Taqueria
  • G.W. Bush
  • My desk at work