
I Hate Linux

Monday, March 12, 2018

Laptop power states can lead to paranoia

A few weeks ago I had a spooky event from which there were important learnings, and since nothing bad happened, it is the sort of thing I can happily share rather than hang my head in shame.

Background

For ages I've made my main home desktop machine (whichever that happens to be) accessible via Remote Desktop. Even when sitting on the couch on a laptop, I am most likely controlling the desktop as it has all of my tools, apps, etc... as well as plenty of storage and RAM.

This also comes in handy when at work so I can maintain separate browser environments in case I want to search/view something I don't want showing up in official logs (i.e., I don't want to worry the security/HR people if I happen to look up the specs of a particular firearm at work, nor do I want to be accused of being a shill for this or that on a web forum based on an ownership lookup of the IP range I am on at the office).

WTF?

A few weeks ago I was working on some things physically at my desktop when I got logged out, being told that *someone else* was connecting remotely.

Was my Microsoft Account password compromised? How? It's rather complex and very carefully used. It's never even been written down on paper or to an instance of Notepad.

I was able to log in locally quickly, yanked the network cable and started the fun process of changing all critical passwords, taking a backup image of the hard drive, then going to bed... it was late.

Some cursory examinations of my router and Windows logs told me a disturbing story... that I was seeing connection attempts to the default Remote Desktop port every 3-5 seconds, for as far back as the log had memory... and from places all over the world.

The day after

Upon getting to work, I mentioned the event to my lead and the head of the networking team, as the day before they had wondered if I had uploaded an unusual amount of data from my work machine (which I didn't believe I did). Fearing the incidents might be related, I figured I should ask them to look into their network logs on their end.

It turns out their firewall views inbound & outbound traffic oddly, so someone in our subnet downloading a fair number of large MacOS updates tripped some data-exfiltration warnings.

Breathing a bit of a sigh of relief, back at home I installed a new hard drive with a fresh install of Windows in case something on the old had been compromised.

Feeling confident that I had contained whatever damage could have been done, I enabled Remote Desktop again, but on a non-obvious port and got back to my life...

Until...

A week and a half later while sitting at my desktop... it happened again!

You could argue that without 2FA on my Microsoft Account, it was bound to happen eventually (previously not enabled due to issues with Xbox)... but to have it happen again, so soon with a completely new password, 2FA enabled (not that it matters for desktop RDP) and on a random port? Who the hell did I piss off to get popped like this so quick?

Again, I yanked the network cable, turned off the PC and went to bed... not having the energy to deal with the issue at the time.

What if...?

The next morning, I had a theory... what if some other device of mine was legitimately logging in? I went looking first at my personal laptop and found it was in fact awake at the same time as the previous night's event... exactly 3 hours after my last use.

Hmmmm.

That night I tested the theory: I opened up my laptop, connected to the desktop via RDP, closed the lid, and made my way down to my desktop a couple of hours later, making sure I was sitting there when, sure enough, I got logged out.

As it turns out, after 3 hours of being asleep, my laptop will boot to a full power state for a moment to go into a full hibernation mode. During this time, the RDP app re-asserts itself and will kick a local user out from whatever it is logged into... even though waking the laptop during this window will see the RDP application asking for a password to connect to the remote session.

Benefits & learnings

On the plus side... the event gave me an excuse to upgrade the size of the SSD in my desktop, buy a few fresh sets of underwear, and some major takeaways:

1. I never should have had the default port exposed,
2. Two-factor authentication should be supported out of the box on the client (though Duo can be used for free to do so), alas Microsoft has abandoned the home desktop user,
3. I need to be more diligent about watching failed logons, no matter how confident I am that a good password isn't going to get compromised.
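
The third takeaway, and the question of which device reconnected, can both be answered from the Windows Security log: event 4625 records each failed logon with its source address, and event 4778 records a session reconnect with the client's name and address. The following is an added example, not code from the original post; the sample records, the `LAPTOP` client name, the addresses and the `HOME_LAN` subnet are constructed, and the input is assumed to be Security-log records exported as XML and wrapped in an `<Events>` root.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: the home subnet


def _rec(event_id, when, **data):
    """Build one constructed record in the Windows event XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f"<EventData>{fields}</EventData></Event>")


# Constructed sample: four failed logons from two outside hosts, one reconnect.
SAMPLE = "<Events>" + "".join([
    _rec(4625, "2018-01-10T03:10:01Z", TargetUserName="administrator",
         LogonType="3", IpAddress="203.0.113.7"),
    _rec(4625, "2018-01-10T03:10:05Z", TargetUserName="admin",
         LogonType="3", IpAddress="203.0.113.7"),
    _rec(4625, "2018-01-10T03:10:09Z", TargetUserName="user",
         LogonType="10", IpAddress="203.0.113.7"),
    _rec(4625, "2018-01-10T03:11:40Z", TargetUserName="administrator",
         LogonType="3", IpAddress="198.51.100.23"),
    _rec(4778, "2018-01-10T23:02:17Z", AccountName="owner",
         ClientName="LAPTOP", ClientAddress="192.168.1.50"),
]) + "</Events>"


def parse(xml_text):
    """Yield (event_id, timestamp, {field: value}) for each exported record."""
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        yield eid, when, data


def failed_logons_by_source(xml_text):
    """Count 4625 failures per source address (network and RDP logon types)."""
    hits = Counter()
    for eid, _, d in parse(xml_text):
        if eid == 4625 and d.get("LogonType") in ("3", "10"):
            hits[d.get("IpAddress", "-")] += 1
    return hits


def session_reconnects(xml_text):
    """List 4778 reconnects and say whether the client sits on the home LAN."""
    out = []
    for eid, when, d in parse(xml_text):
        if eid != 4778:
            continue
        addr = d.get("ClientAddress", "")
        try:
            on_lan = ipaddress.ip_address(addr) in HOME_LAN
        except ValueError:  # field can be empty or non-numeric
            on_lan = False
        out.append({"time": when, "account": d.get("AccountName"),
                    "client": d.get("ClientName"), "address": addr,
                    "on_lan": on_lan})
    return out


if __name__ == "__main__":
    for src, n in failed_logons_by_source(SAMPLE).most_common():
        print(f"{n:4d} failed logons from {src}")
    for r in session_reconnects(SAMPLE):
        where = "home LAN" if r["on_lan"] else "OUTSIDE home LAN"
        print(f'{r["time"]} reconnect by {r["client"]} ({r["address"]}, {where})')
```

A reconnect whose client name and address belong to a known device on the home subnet points to the situation described above rather than to a stolen password.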


Monday, May 01, 2017

Revealing the prediction, and an ominous warning

Tomorrow Microsoft is expected to announce a Chromebook competitor running a stripped down version of Windows to target the education market. Even though I will probably buy one of them, the effort will ultimately fail. Before we look too far into the future and its possible success, let's look a bit to the past.

Two years ago I sent a set of predictions to a well-placed former co-worker within the larger Windows group in an email titled "A (hashed) prediction of the future (expires end of 2016)" which included the hashes mentioned in this post.

The prediction in question said:

Windows 10 Mobile bombs. Windows 10 for PCs continues to languish much like 8.x but at more affordable device price points. Terry is forced out by end of 2016.

Windows 10 Mobile/Phone has in fact bombed, so much so that Microsoft has more or less given up on first party devices for the time being, and will soon even be selling Android based devices at the Microsoft Store. Heck, even I, a long time Windows Phone die-hard was eventually forced to switch not six weeks ago (though I'd been trying to since December unsuccessfully).

Windows 10 has languished. While vastly better than Windows 8 in most ways, even with the free (and at times) forced upgrades, it is ultimately competing with previous versions of itself (like Windows 7 which works just fine for most still using it), none of which drives revenue for the company, nor inspires passion from most users who use or buy PCs/tablets/phones.

With regards to Terry (Myerson) being forced out... I wake up every day flabbergasted that this has not happened yet.

Admittedly, he has a difficult job. Aside from trying to make Windows Phone great again, he was ultimately responsible for de-Sinofsky-izing Windows... the first he utterly failed at, the second... remains an ongoing process.

At the end of the day, there is the issue of "why is Windows important?" and the answer really is "it's not anymore", but more on that for another time.

I am occasionally accused of having an ego, true or not, I am now going to say perhaps the most egotistical things I've ever said:

I tried to stop this. I could have made it better. I could have saved so many of the jobs already lost and the ones to come. I wasn't allowed to.

I talk a lot, I listen a lot, but I also play some cards very close to my chest. While it doesn't always work out for me, it doesn't detract from how painfully often I am right about too many things which most didn't see or believe coming.

Just call me Cassandra.

Saturday, March 25, 2017

One less Windows Phone user

I've had a long & tortured history with phones. Long being on Verizon my options were limited, one day I marched into an AT&T store, ready to buy an iPhone provided I could port my South Dakota number. At the time they couldn't. I tried a few different Windows Mobile devices during this time, which did the job for what I needed it for at Microsoft, but it wasn't great. I even bought an Android device, which I returned less than 24 hours after I'd purchased it due to some major issues.

By the time the iPhone came to Verizon, I was eagerly awaiting a Windows Phone to finally show up, which it did on May 26th, 2011, where I was 13th in line at the Verizon store in the Microsoft Commons, many hours before the store was to open. Since then I've gone through many Windows Phones as a local and enthusiastic user (1x HTC Trophy, 2x HTC 8X, 2x Lumia Icon, 4x Lumia 735, 1x Lumia 950 XL).

Yesterday, 9 years to the day after I started at Microsoft (though I am there no longer), I did something I didn't think I'd do. I switched to an Android device, the Google Pixel XL.

As much as I loved Windows Phone, it simply doesn't get the love it needs, both from Microsoft and from 3rd parties.

There was always an 'app gap' with regards to trying to convince companies to bring their apps/services to Windows Phone given its low market share, something many attributed to the lack of apps.

The issue was not just app related, but technical. Windows Phone has long had issues with getting sufficient love within Microsoft. Over the years I was a passionate user & developer, both of which often led to discoveries of issues, many of which were fixed, some not. I even found/yelled about a couple of recall class bugs in the product (thankfully just prior to going to the escrow period).

For me, most of what I needed to do I could do from my phone. Phone/SMS, email/calendar, web, podcasts… and with a couple of apps like Facebook & Twitter rounded out most of the rest. For those things I couldn't do, I'd either write my own app or two, or simply go without.

As an aside, one of these weeks/months I'll reveal the answer to my previous prediction about this and other subjects, but that for another time.

Given my rather unique perspective, I thought it would be good to write a few words about my experience thus far in making such a switch.

Out of box experience

I'd often heard it reported that one of the reasons many gave up on Windows Phone was that they simply couldn't figure out how it worked. Having come from devices with very regular design metaphors I'd come to expect, it was rather difficult switching to something else.

Example: While Windows Phone & Android both have back buttons on the bottom left side of the screen, on Windows Phone one holds the back button to show the currently open apps. On Android, you press the right most button, which is a square.

Similarly, I've long been used to using the bottom part of the screen (which provides easier touching in my experience) for accessing settings of a particular app, this is just the opposite in Android, where even the address bar in the web browser is at the top.

Winner: Draw

Multiple email/calendar sources

Like many, I've got a Microsoft Account which is mostly used for signing into Microsoft properties. My email is hosted by Office 365. My YouTubing & Blogging is done with a Gmail address, and my wife (now) has an iPhone so she stores all of her calendar info to iCloud.

On my Lumia 950 XL, I could access all and have a semi coherent picture of all of my email accounts & shared calendars.

On my Pixel XL, the default mail client struggled to make sense of my Office 365, though after multiple tries it eventually worked. Unfortunately, it seems without purchasing an app (or writing my own), I won't be able to access my wife's calendar.

Winner: Microsoft

Support

During my struggle to figure out how to set up my O365 email, I noticed in settings there was an option to receive 24/7 phone based support.

Wow!

While they weren't able to solve my issue as the 18th time was the charm, the fact they not only have support reps on hand was surprising. The fact that they had the ability to reach out and request screen sharing was shocking.

Winner: Google

Charging

I hate cables. Just because I've got oodles attached to my TV/DVR/game consoles/network switch/router/desktop PC/etc, or cables on both sides of the couch for Surface Pro 3's, a MacBook, or an iPhone doesn't mean I like them.

Ever since the release of the HTC 8X in November 2012, I've been rocking the wireless charging train. On my desk at work, next to my bed, next to my couch, and next to my home office are wireless chargers that allow me to plop down my compatible device and charge it while not in use. Heck, I even have one of these speakers in my home office.

The only time I would rely on a physical cable, was when I was in the car (given I had to plug my phone in for audio out, another cable wasn't so bad) or when I was doing on device debugging.

I am a sad panda that only the Samsung devices support it, though given their fire issues and very less than stock Android builds, I'm not willing to carry such a device.

Winner: Microsoft

App selection

Recently I pointed out to a friend who pays me on a monthly basis that there is a way to pay via PayPal which doesn't incur fees. He asked why I don't use Venmo or Google Wallet. The answer was simple, the first doesn't exist on my platform of choice, and the second wasn't quite relevant as YouTube is the only area I really sign into Google services for.

Looking around in the app store, seeing all of the major companies (take just fast food I noticed today) who felt compelled to build... something is remarkable.

Given the number of payment & messaging apps out there today, it is quite clear how PayPal & Skype somehow missed the boat.

Winner: Google

App security

Depending on the circles you are in, you may hear Android referred to as Windows 3.1, 95, 98 or even 2000. Operating systems which were pretty good for their time, but horribly insecure in certain circumstances.

Ultimately, the user is in control and is responsible for the security of their device. Not just what apps run on it, but what permissions they are granted. The ease at which apps are able to ask for permission for access to this or that resource (Does my podcast app really need access to my photos & contacts?) is frankly, frightening.

Assuming no user action allows a seemingly innocent app to do malicious things, the degree of protection offered by the underlying platform is important. iOS has been excellent at this, as has Windows Phone. Android, alright. The whole reason I opted for the Pixel was that as a first party phone from Google, it was the most likely to receive regular security updates. There still needs to be sufficient safeguards against such malicious apps running rogue to prevent badness, something Android historically has lacked.

Winner: Microsoft

Bio-metric sign in

I do not like/trust bio-metric sign in options. They are easy to fool, and they are even easier to be used against you. Nothing stops law enforcement or a small child from forcing a device owner to touch their finger to a bio-metric sensor against their will and allowing their adversary into their device. I've personally seen one of these happen, and the hacker squealed in glee upon achieving their goal.

During the brief time I was using the Iris scanner on my 950 XL, I found it not only to be slow (not unlike a Kinect attached to a Windows 10 PC), but it actually hurt my eyes. Anytime I'd use it, day or night, bright or dark in the area, I would feel a… haze over my eyes for several minutes afterwards. 

Winner: Google

Over the last day my wife has often asked me if I was happy with my new phone, I was less than enthusiastic, much to her disappointment. While we all like something like a phone to be interchangeable with any other, the reality is there is a high degree of buy in associated with each particular ecosystem which makes moving rather difficult. Windows Phone is dead, RIP, and as much as I wish I could stay on it, the reasons to stay are decreasing day by day. In time I expect I'll grow to understand & appreciate my new phone, until then, at times I feel like a mule with a spinning wheel, "No one knows how he got it, and danged if he knows how to use it!"

Only time will tell how I get on with my new phone, if I stick with this ecosystem or jump ship to another, but for now, it is an interesting learning experience being one of the last to make this particular jump.

Thursday, July 21, 2016

A (hashed) prediction of the future (expires end of 2016)

The following is an email I sent to a co-worker back on 4/6/2015 who was at the time a rather senior person in the Windows org.

As we approach the end of the window I gave myself for this prediction, I wanted to re-post it in a more public place so if/when it comes true I can more publicly say "I told you so" and "you should have listened" (though not just to him).

I wish to make a prediction of the future (well I made it a couple of weeks ago, but wanted to send it now that you were back so it was less likely to get swept up in a post vacation mailbox purge of unread mail)... though because of the nature of the prediction (which most would dismiss outright) its clear text cannot be revealed at present. Instead I present the following hashes for later verification (by end of 2016 I figure):

length 159
MD5
D7BEA2AB0317D11D134738B402D86A6D
SHA1
B376DAB38017A4FA5D86F9B329B02903C99FC380
SHA256
776778DE7F37658204F9C7B874588F69720629B06BB9E7ECB11120D4F1E0AAF3
SHA384
A0AB8EA0FB78449A3B024DE0ABD0CE338F8A72E46B436D70C04B9D1223176B8A
B28325861E379ED8FC10310045F7024C
SHA512
DF8C51B44B233293650DFC6D3C9F55DDC7780863C6F2FFFFF646011011D4D225
5C596C8AE0F2184B62E93D03FF5B2DC0A5CA174E096575853529C3D17CCDC641

A little long of text perhaps, but it’s long because it’s actually a three-parter (I opted to leave out the far more drastic 4th prediction).

For note the following hashes come from the code specified at http://blogs.msdn.com/b/oldnewthing/archive/2006/05/23/604743.aspx

If this prediction does come true, I’ll share the clear text behind the following hashes for the related explanation/castigation:

length 607
MD5
B78B5BF35C09409EC72B80C006B85974
SHA1
46D34F29221BD28AB28B09E2A741F21FEE2989EE
SHA256
396121627F06DBD2593CF5014519419A37C6A572466732375E24525A472EBFCF
SHA384
4DC75B9BD3F74A39238864DCBB4DC750119202F76265D6BF1E88474422CC13F1
B29E9D29692D81FEB02205B6B7F89634
SHA512
1983C57036531176D36EB3578334DB918001EEA6B6E3EDA1E73564ACB3737CD4
E04D1773D718EE63E7954BDF9832069FD08C122D5157E2B7D60FCC6E86AB7F10

Only time will tell.
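
Checking a later reveal against a commitment laid out like the ones in the email (a length plus MD5, SHA1, SHA256, SHA384 and SHA512 digests) depends on the exact bytes that were hashed, so the same sentence has to be tried in each encoding and line-ending form a saved file could have. The following is an added example, not code from the original post or from the linked article; it assumes the published length is a byte count, and the sample sentence and its commitment are constructed.

```python
import hashlib

ALGOS = ("md5", "sha1", "sha256", "sha384", "sha512")


def commit(data: bytes) -> dict:
    """Length in bytes (assumed meaning) plus five uppercase hex digests."""
    c = {"length": len(data)}
    for algo in ALGOS:
        c[algo] = hashlib.new(algo, data).hexdigest().upper()
    return c


def candidate_encodings(text: str):
    """Yield (label, bytes) for the ways one sentence can sit in a file."""
    for nl_label, nl in (("no newline", ""), ("LF", "\n"), ("CRLF", "\r\n")):
        body = text + nl
        yield f"utf-8, {nl_label}", body.encode("utf-8")
        yield f"utf-8 with BOM, {nl_label}", body.encode("utf-8-sig")
        yield f"utf-16-le, {nl_label}", body.encode("utf-16-le")
        yield (f"utf-16-le with BOM, {nl_label}",
               b"\xff\xfe" + body.encode("utf-16-le"))


def normalise(commitment: dict) -> dict:
    """Join digests that were wrapped across lines and upper-case them."""
    out = {}
    for key, value in commitment.items():
        if key == "length":
            out[key] = int(value)
        else:
            out[key.lower()] = "".join(str(value).split()).upper()
    return out


def verify_reveal(text: str, commitment: dict):
    """Return the label of the byte form matching every published value."""
    want = normalise(commitment)
    for label, data in candidate_encodings(text):
        if "length" in want and len(data) != want["length"]:
            continue  # cheap filter before hashing
        got = commit(data)
        if all(got[k] == v for k, v in want.items()):
            return label
    return None


# Constructed sample: a sentence saved as UTF-16LE with BOM and a CRLF ending.
SAMPLE_TEXT = "Constructed sample prediction: it will rain."
SAMPLE_COMMITMENT = commit(b"\xff\xfe" + (SAMPLE_TEXT + "\r\n").encode("utf-16-le"))

if __name__ == "__main__":
    print(verify_reveal(SAMPLE_TEXT, SAMPLE_COMMITMENT))
    print(verify_reveal(SAMPLE_TEXT.replace("rain", "snow"), SAMPLE_COMMITMENT))
```

Because the digests are unsalted and the length is published, anyone can test guesses in exactly this way, so a short, guessable sentence is not hidden by such a commitment.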

Wednesday, September 23, 2009

I knew I heard it before...

For the second time this evening I saw the following commercial:

Both times the tone was very similar to something I'd read several times before... then I remembered the quote:

"The John Galt Plan," Wesley Mouch was saying, "will reconcile all conflicts. It will protect the property of the rich and give a greater share to the poor. It will cut down the burden of your taxes and provide you with more government benefits. It will lower prices and raise wages. It will give more freedom to the individual and strengthen the bonds of collective obligations. It will combine the efficiency of free enterprise with the generosity of a planned economy." - Ayn Rand, Atlas Shrugged, p1124

This is by no means the first time I've heard words from this Administration or its supporters that could just as easily have been spoken by the looters or moochers in Atlas Shrugged... and somehow I doubt it will be the last.


Thursday, September 03, 2009

"Wild" Bill Janklow Sues Dell?!?!?

I've got another political post in the queue... but I had to post this first after hearing about it while chatting with tdaxp on the phone this afternoon while waiting for the ferry.

Former South Dakota Governor, Congressman (at large) and convicted manslaughter(-er?) Bill Janklow has recently decided to sue Dell over some tech support issues.

While I voted against him every chance I could (granted only once)... watching the following video I am reminded of part of why I voted against him when I lived there and why I was so anti-him the rest of the time.

While I agree with him in principle with regards to his case... his presentation and... rather whiny/nasal attitude... doesn't instill much sympathy in me, watch for yourself:

Don't get me wrong... he did some good things for the state... reintroduction of the death penalty, massive wiring of the schools (K-12 and higher ed), helping to bring various banks into the state (most notably Citibank), reduce the damages required to make a crime a felony ($500 IIRC), not to mention serving as a joke for citizens and former residents well beyond his time in office.

Granted... I am semi-biased in all of this because I had a couple of email arguments with him when I was a student in the state (yes.. that is the sort of State that South Dakota is and that was the sort of Governor Bill Janklow was (I really wish I still had those emails))... hell, I even got to shake his hand once and ask him a question regarding state law (~3-4 weeks into my freshman year of college no less).

Of course he did top it all off with a big ole middle finger to the state of South Dakota (after his conviction and subsequent joke of a sentence (100 days for a man's life)) when he agreed to represent the Mayo Clinic (in Minnesota) against the DM&E railroad expansion in the area (of the Clinic specifically)... a campaign that was eventually joined by Tom Daschle (a man who also had a reason to be angry with South Dakota (we did after all run him out of office the same way that Harry Reid will be in 2010)).

</RANT>

On an unrelated note... oh how I hate you Kelo... I always refused to watch you simply because of your labeling of the area as "Keloland" rather than something more generally acceptable as "Sioux Empire"... and that despite the fact that my aunt used to work for you as an on air personality!

</RANT4Real>

... what can I say? South Dakota is a rocking place and I miss it greatly... and a place I expect to see this fall and taunt (and hopefully take home) some deer within.

Sunday, August 02, 2009

Brendan’s Brilliant Idea #247225 – Do it yourself DLNA

While I was apparently one of three people in the world who liked Vista... I absolutely love Windows 7 and one of its killer features from where I sit is the Play To feature in Windows Media Player 12... which allows you (as an extreme) to request that one device in your home (PC, Xbox 360, other DLNA supporting media renderer) play content that exists on a second device (say a Windows Home Server running TwonkyMedia Server)... all while being controlled from a third (another PC, laptop or even cell phone).

So let's say you want to have a dedicated device in your living room, bedroom, office or other place where you want to stream audio to via this mechanism... your options are not cheap.

Building a standalone, barebones networked PC is one option. Spending $1200 on a premium receiver is another.

What about lower priced consumer level devices?

Sonos will sell you a device for ~$350. For ~$250, Linksys would love to talk to you.

Both though are still too expensive… in fact my maximum price for such a device would be <$100... which shouldn’t be too difficult considering Apple has been selling their AirPort Express product for the last 5 years for just $99 and can often be had on eBay for under $50.

But it doesn’t support DLNA does it?

There’s the brilliant idea... why not make it?!?!

Rather than try to hack the firmware... why not write a wrapper service that speaks the (sadly) proprietary (but reverse engineered) Remote Audio Access Protocol (RAOP) to the device and pretends to be a DLNA Digital Media Player to the rest of the home and other devices?

No doubt the AirPort Express isn’t the only device that could be used by such a system.

Take older Roku devices which were controllable from either a front panel or from custom software running on the PC... a similar wrapper could be built for it utilizing the Roku Control Protocol (PDF warning).

Remember Linksys? They have a far less expensive network audio player (the WMB54G retails for ~$90 and requires custom software to control)... though as far as I can tell the way it is controlled is as yet unknown.

The AudioTron is another possible target.

So in the end... a need exists for a bit of software that pretends to be a DLNA media renderer to the controller/user... and passes along control requests via device specific add-ins to the various kinds of proprietary devices in the home. Simply run and configure this bridging service on a device like a Windows Home Server (where most of the media should already be) and you have an always available setup for streaming your music throughout the home and from any DLNA compatible device to far less expensive ones.

Brilliant, eh?
