Tuesday, November 29, 2011

Active scripting and SSL certificates in IE

When using Internet Explorer 8 or 9, setting security for the Internet Zone to High, or otherwise disabling active scripting in the Internet security zone, breaks your ability to accept invalid (including self-signed) SSL certificates.  You see the warning page, but clicking accept results in an IE error.

Internet Explorer uses a local DLL (ieframe.dll) to present warning dialogs to the user. For example, when the user visits a website which presents an invalid SSL certificate, the warning dialog (res://ieframe.dll/invalidcert.htm?SSLError=33554432) is shown and the user is asked whether or not to accept and continue.

When FEATURE_LOCALMACHINE_LOCKDOWN (http://technet.microsoft.com/en-us/library/cc782928(WS.10).aspx) is enabled, which it is by default, ieframe.dll is placed into the Internet Zone. This can be verified by visiting a warning dialog and checking the zone in the page Properties.

This also subjects the warning dialog to any security restrictions placed on the Internet Zone. In cases where the Internet Zone security is raised to High, active scripting is disabled. The SSL warning dialog uses active scripting when the user clicks the link to accept the invalid certificate. The end result is that IE produces an error to the effect of "Internet Explorer cannot display the webpage" when the user tries to accept a certificate.

The workaround is to add a mapping which places ieframe.dll in a zone which permits active scripting.  On a single machine, simply add res://ieframe.dll to Trusted Sites.

You may notice that Internet Explorer interprets this URL strangely in the zone map.  It will show up as "about:internet" in the site list.  You can also view the registry result under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains.

Finally, putting res://ieframe.dll directly into a GPO for the site to zone mapping is not interpreted correctly.  To reproduce this setting via GPO, then, one must zone map "about:internet" as the site in question. This will add the corresponding setting to the registry, and res://ieframe.dll will function again, even with active scripting disabled in the Internet Zone.

Sunday, November 6, 2011

Dealing with Fungus Gnats in Houseplants

Fungus gnats are annoying little creatures that like to live in the moist potting soil used for house plants.  While not particularly dangerous, once they've taken hold in a pot or two, they can be a real nuisance to get rid of.


These gnats are tiny flying insects which resemble fruit flies or other gnats.  Being airborne, they can enter the house through open windows and doors, but are also extremely common in bagged potting soil used for new plants.  They thrive in wet soil and tend to appear in the largest quantities after watering.


Having dealt with the gnat menace successfully in the past, here is my experience in dealing with the issue.


Unsuccessful
Yellow Sticky Cards - The gnats land on these and get stuck.  It kills some of them, sure, but the coverage is not sufficient to exterminate them, and you're just forced to stare at the bodies.


Insecticide - Commercial insecticides will definitely kill the gnats that come in contact with it.  Unfortunately many of the products available are toxic to people or animals and may not be the best things to spray heavily around the house.  Furthermore, it may take a number of successive applications to be successful.  Even if you kill one batch of gnats, the spray may wear off before the next generation hatches.


Successful
I had my best success using a larvicide called Mosquito Bits.  This product is designed to be spread in water where mosquitoes breed.  By killing the mosquito larvae, their life cycle is interrupted.  As it happens, it works well on the moisture-breeding fungus gnats too.


Be sure to use non-chlorinated, lukewarm water.  Distilled jugs from a store, a rain barrel, or just neutralized tap water all work.  The larvicide itself needs to make it into the soil intact to be most effective.


Fill each gallon jug with 2-3 spoonfuls of mosquito bits 15-30 minutes prior to watering.  Allowing the bits to soak gives them time to activate and distribute into solution.


To keep things simple, have an extra empty gallon jug handy.  Once the bits have had time to disperse, use a funnel and sieve to strain the bulk of the bits out and discard.  Now, simply water the plants as normal.


Keep in mind that larvicide kills the larvae, not the adults.  You will need to tolerate them for a few more weeks while the existing gnats get old and die.  Patience is the key, and you should see the numbers dwindle with each watering.


Sand
The gnats need access to the soil to reproduce.  I've also had luck spreading a thick layer of sand across the potted plants, forming a barrier between the air and the soil.  This may help frustrate the gnats, but also changes the aesthetics and soil composition.  May be worth trying in cases of heavy infestation.


Watering
Soil should generally be allowed to dry out between waterings.  Although all plants have different needs, you should realize that constantly wet soil will both breed fungus and attract gnats.


Prevention
Gnats love to hitch a ride into the house on fresh potting soil.  They infect it while it's still in the bag (or earlier), and the larvae sit and wait for you to pot a plant and provide the water they need to hatch.  You can head the nuisance off at the pass by sterilizing any fresh potting soil immediately upon first use.


Heat - You can literally bake the fresh soil to kill off organisms living within it.  I suggest a Google search to determine the necessary time and temperature to use.  I've tried this, and although it seems to work well, it may smell up the house.


Larvicide - I use the Mosquito Bits larvicide for the first several waterings of all new plants.  Any larvae will be destroyed before they grow up to reproduce.


Good Luck!

Tuesday, February 22, 2011

Updating HP Printer Firmware from Linux

HP LaserJet printers provide a number of ways to update the system firmware, some of which are easier or more effective than others.  My favorite method so far: use curl to upload the new firmware via FTP.

First, download the firmware file from HP's support website. Then, just push it to the printer...

curl -T ./hp_firmware_file.rfu ftp://myprinter.mydomain

Can be scripted to run in batches too. :)
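A batch version of the upload above, as an added example that is not part of the original post. It assumes you have a SHA-256 digest for the .rfu file from a source you trust and a text file with one printer host per line; the function names and the DRY_RUN switch are made up for illustration.

```shell
#!/bin/sh
# Added example: push one firmware file to many printers, but only after the
# file's digest has been checked. Digest and host list are supplied by you.

# Return 0 only if the file's SHA-256 matches the expected hex digest.
verify_firmware() {
    file=$1; expected=$2
    [ -r "$file" ] || return 2
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Upload to every host in the list (blank lines and '#' comments skipped).
# With DRY_RUN=1 the curl command is printed instead of executed.
push_firmware_batch() {
    file=$1; expected=$2; hosts=$3
    if ! verify_firmware "$file" "$expected"; then
        echo "digest mismatch, nothing uploaded: $file" >&2
        return 1
    fi
    failed=0
    while IFS= read -r host; do
        case $host in ''|'#'*) continue ;; esac
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "curl -T $file ftp://$host"
        elif ! curl --fail --silent --show-error --connect-timeout 10 \
                    -T "$file" "ftp://$host" </dev/null; then
            echo "upload failed: $host" >&2
            failed=$((failed + 1))
        fi
    done < "$hosts"
    [ "$failed" -eq 0 ]
}

# Usage: ./push_fw.sh hp_firmware_file.rfu <expected-sha256> printers.txt
if [ $# -eq 3 ]; then
    push_firmware_batch "$@"
fi
```

Run it once with DRY_RUN=1 to confirm the host list before letting it touch real printers.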

Monday, February 14, 2011

PDF Printing and Cups

Cups servers can be used to handle print jobs from all the major operating systems.  When a new print job arrives, it is either handled as 'raw' or as one of a number of mime file types.

A raw job (often sent from Windows) is pre-processed into the final printer-hardware-ready binary stream.  Cups doesn't touch raw jobs; it just forwards them on to the end device.

When a non-raw job comes in, Cups knows it will have to do some processing before the file is ready to print.  Printer hardware is only capable of handling certain file types (often PostScript or PCL), so if the file to be printed is not in these types, filters must be applied.  Cups includes a number of filters to turn files into printer-ready PostScript.  Supported types include image files, text, PostScript, PDF, and others.  A good description of the process is available here: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/CUPS-printing.html

Most of the time this works fairly well.  Unfortunately, Cups makes some naive assumptions about its filters which will backfire on occasion.  As of this posting, Cups 1.4 may use the pdftops application from Poppler to handle PDF to PS conversion.  (This is how Debian and Ubuntu handle things at the moment.)  Cups will hand the incoming PDF file off to the pdftops filter, expecting to get PostScript back in return.  The catch: some files may take up to several hours to finish processing!

Cups runs its print queues in a FIFO style.  If you run a multi-user print server, and one user submits a PDF that spends 2-3 hours in pdftops, everyone else's jobs will back up in the printer queue.  This makes users sad :(  and printer admins angry >:-|

Ideally, Poppler should fix and improve pdftops to the point where it no longer takes more than a few seconds to process any file.  Unfortunately, this is hard work, complicated by the fact that a lot of people's print jobs are considered confidential.  Being an angry admin, I need a more immediate solution.

It turns out, pdftops uses two backends: Splash and Cairo.  Cairo is a very well known graphics library used in a number of high profile applications.  Splash is much less well known, and as far as I can tell, there is very little if any documentation for it.  It doesn't even show up in a search of the Poppler Wiki.

After some time tracking down an offending PDF and profiling the bejesus out of it, I found that almost all of the processing delay was incurred by various components of Splash, and regrettably, it appears to have been in multiple, unrelated portions of the code, rather than one easily addressed bug.  As soon as Poppler was compiled without support for Splash (--disable-splash-output), a PDF that previously took 3 hours to process was down to a couple seconds.  Talk about an improvement!

One of the Poppler developers mentioned that Splash was used to rasterize PDF elements which are not natively supported by PostScript.  Turning this feature off may result in mangling the appearance of some printed files, so disable it at your own risk.  But if you find your print queues being frequently tied up by unruly pdftops processes, it's definitely worth a try.
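One way to track down the offending PDFs and to compare a Poppler build with and without Splash, as an added example that is not part of the original post: run pdftops over a directory of saved jobs under a time budget and report which files exceed it. The function names and the PDFTOPS override variable are made up for illustration; timeout is the coreutils command.

```shell
#!/bin/sh
# Added example: classify PDFs by whether pdftops finishes inside a budget.
# PDFTOPS is a hypothetical override so a different build can be timed,
# e.g. PDFTOPS=/opt/poppler-nosplash/bin/pdftops (placeholder path).

# Exit 0 if the file converts within $1 seconds; 124 means it was cut off.
convert_within() {
    limit=$1; pdf=$2
    timeout "$limit" "${PDFTOPS:-pdftops}" "$pdf" /dev/null >/dev/null 2>&1
}

# Print one line per *.pdf in directory $2: OK, SLOW or ERROR plus the path.
classify_pdfs() {
    limit=$1; dir=$2
    for pdf in "$dir"/*.pdf; do
        [ -f "$pdf" ] || continue
        rc=0
        convert_within "$limit" "$pdf" || rc=$?
        case $rc in
            0)   echo "OK    $pdf" ;;
            124) echo "SLOW  $pdf" ;;
            *)   echo "ERROR $pdf (exit $rc)" ;;
        esac
    done
}

# Usage: ./classify_pdfs.sh 60 /path/to/saved/jobs
if [ $# -eq 2 ]; then
    classify_pdfs "$@"
fi
```

Running the same directory through both builds shows which jobs Splash was holding up and which files start to fail or change once it is disabled.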