Category Archives: Life, the universe, and everything…

Standing for the OWASP Board

I have formally submitted my name to be in the Board Elections 2014.
I am standing for:
  • Reforming the Board. We need to improve the independence, ethics and dispute resolution processes. I will be a root and branches reformer to encourage the Board to make a couple of the positions available to truly independent directors. I will be encouraging all current Board and future Board members to undertake an Institute of Company Directors course to understand their duties, and the way they integrate with the Foundation they are responsible for.
  • Inclusion. I want OWASP to adopt one of the many fabulous inclusion policies for our community and our conferences. Everywhere you look, such as Reddit or Slashdot, it’s all too easy for the odd bad apple to come in and ruin a working community or local group with unnecessary drama. We need to make sure our policies and standards are inclusive of all who want to participate, regardless of merit or standing; but this has an important caveat – not at any price. We need to make sure we are an open and safe community for all of humanity, those from outside the USA, regardless of gender, sexuality, religion, politics, ethnic background, and all the other ones I’ve missed.
  • Projects. We must broaden our church to be truly inclusive of modern web applications, web services, cloud, system, embedded and mobile. I propose the Board create a process for RedBook style short intensive workshops of 1-2 weeks where projects can ask for funding to move their project to completion or a much higher state of quality. This should be backed by industry participation, ensuring our core deliverables are actually useful to developers and architects. The days of funding anyone but the content creators must end. We need to be famous for our developer centric projects, and these projects should be immediately useful to developers and their teams.
  • Standards. We need to be the trusted advisor to PCI, NIST, and ISO. This is not an easy path to take, but if we are not at the table, we become irrelevant. Additionally, we have an opportunity to take our flagship standards products (Application Security Verification Standard and Proactive Controls) and plug a market hole for easily applicable advice to developers. Developers don’t read ISO 27034, they don’t read PCI DSS. They should be reading and using our materials.
  • Education. We need to create university-level courses (100, 200, 300) with the help of a university educator. I propose that we ask a range of universities to come to AppSec USA and start the process of formulating a curriculum, which once completed will become the default standard university curriculum for application security.
I know there are excellent candidates already. I encourage you to ask them their positions on reforming the Board, Projects, Standards, and Education. With your vote, you get to choose the future of OWASP. I want to bring us back to our core mission of being relevant to developers, the literal standard bearer for all application developers, and the thought leader for the next generation of contributors and supporters.
I will expand on these points in future blog posts over the next week or so, as well as providing links to assist you in voting early.

So your Twitter has been hacked. Now what?

So I’m getting a lot of Twitter spam with links to install bad crap on my computer.

More than just occasionally, these DM’s are sent by folks in the infosec field. They should know better than to click unknown links without taking precautions.

So what do you need to do?

Simple. Follow these basic NIST approved rules:

Contain – find out how many of your computers are infected. If you don’t know how to do this, assume they’re all suspect, and ask your family’s tech support. I know you all know the geek in the family, as it’s often me.

Eradicate – Clean up the mess. Sometimes, you can just use anti-virus to clean it up, other times, you need to take drastic action, such as a complete re-install. As I run a Mac household with a single Windows box (the wife’s), I’m moderately safe as I have very good operational security skills. If you’re running Windows, it’s time for Windows 8, or if you don’t like Windows 8, Windows 7 with IE 10.

Recover – If you need to re-install, you had backups, right? Restore them. Get everything back the way you like it.

  • Use the latest operating system. Windows XP has six months left on the clock. Upgrade to Windows 7 or 8. MacOS X 10.8 is a good upgrade if you’re still stuck on an older version. There is no reason not to upgrade. On Linux or your favorite alternative OS, there is zero reason not to use the latest LTS or latest released version. I make sure I live within my home directory, and have a list of packages I like to install on every new Linux install, so I’m productive in Linux about 20-30 minutes after installation.
  • Patch all your systems with all of the latest patches. If you’re not good with this, enable automatic updates so it just happens for you automatically. You may need to reboot occasionally, so do so if your computer is asking you to do that. On Windows 8, it only takes 20 or so seconds. On MacOS X, it even remembers which apps and documents were open.
  • Use a safer browser. Use IE 10. Use the latest Firefox. Use the latest Chrome. Don’t use older browsers or you will get owned.
  • On a trusted device, preferably one that has been completely re-installed, it’s time to change ALL of your passwords as they are ALL compromised unless proven otherwise. I use a password manager. I like KeePass X, 1Password, and a few others. None of my accounts shares a password with any other account, and they’re all ridiculously strong. 
  • Protect your password manager. Make sure you have practiced backing up and restoring your password file. I’ve got it sprinkled around in a few trusted places so that I can recover my life if something bad was to happen to any single or even a few devices.
  • Backups. I know, right? It’s always fun until all your data and life is gone. Backup, backup, backup! There are great tools out there – Time Capsule for Mac, Rebit for Windows, rsync for Unix types.

Learn and improve. It’s important to make sure that your Twitter feed remains your Twitter feed and in fact, all of your other accounts, too.

I never use real data for questions and answers, such as my mother’s maiden name as that’s a public record, or my birth date, which like everyone else, I celebrate once per year and thus you could work it out if you met me even randomly at the right time of the year. These are shared knowledge questions, and thus an attacker can use that to bypass Twitter, Google’s and Facebook’s security settings. I either make it up or just insert a random value. For something low security like a newspaper login or similar, I don’t track these random values as I have my password manager to keep track of the actual password. For high value sites, I will record the random value to “What’s your favorite sports team”. It’s always fun reading out 25 characters of gibberish to a call centre in a developing country.

Last word

I might make a detailed assessment of the DM spam I’m getting, but honestly, it’s so amateur hour I can’t really be bothered. There is no “advanced” persistent threat here – these guys are really “why try harder?” when folks don’t undertake even the most basic of self protection.

Lastly – “don’t click shit“. If you don’t know the person or the URL seems hinky, don’t click it.

That goes double for infosec pros. You know better, or you will just after you click the link in Incognito / private mode. Instead, why not fire up that vulnerable but isolated XP throw away VM with a MITM proxy and do it properly if you really insist on getting pwned. If you don’t have time for that, don’t click shit.

El Reg and the troubling case of climate denialism

This post is a last resort as I’ve had two comments rejected by the moderators at The Register, one of my favorite IT news websites.

Lewis Page is a regular contributor to the Register. For whatever reason, around 50% of his total output there is (willful mis-) reporting on various papers and research on climate science. Considering he (and for what it’s worth, myself) is not a climatologist, it’s very frustrating to see the “science” category tag on these articles. It wouldn’t be so bad if it was marked Opinion or Editorial, and that he wasn’t deliberately misrepresenting the observed facts, papers, research and scientists’ own words, but that he gives no truck at all to anything that doesn’t fit into his worldview.

Just to be utterly clear – among scientists who are trained in climatology, there is no doubt that we are in a rapidly changing world. Basically the question hasn’t been “if” there’s climate change for about 15-20 years, but “what does it mean to be on this planet in 10-20-50-100 years”. It’s up to us and the politicians to decide “what to do about it”. Even if climate change is not as bad as predicted (which actually, it’s worse than has been predicted), the actions we must take now are good for us and the planet:

  • less air pollution == longer, healthier lives
  • less water pollution == longer, healthier lives
  • lower energy bills == more money for other things
  • less wasteful consumption of a finite non-renewable resource == richer, more economically healthy future and longer production of things we can’t economically make without oil, like certain materials and medicines and so on

There is literally no downside to acting to curb emissions, but there’s a lot on the line if we don’t do something. Personally, I don’t think an ETS is the correct path as it’s a cheap way for the government to earn money and seen to be doing something – anything at all, but as it’s a derivative market, which has a colorful history of abuse (such as in Germany, where too many credits were issued undermining the market, and California, where traders essentially create artificial spikes in price to maximise profits and create artificial blackouts), but despite this, we must move on to the phase of our industrial planet.

I call on the Register to provide the scientific consensus view. Here’s my rejected comment in full.

It’s my long and fervent wish that the Register would stop publishing these opinion pieces, as I rather enjoy the “call a spade a f$&#ing spade” approach to almost all the other articles, reviews and IT news, which is rather let down by Mr Page’s long standing and regular missives on this topic.

In my opinion, these articles are not “science”, nor are they reasonable journalism, where the authors of the paper might be asked for a comment or an interview to get their side first hand. Mr Page can still have his opinion, but at least pay us the respect of writing about the researchers, paper or presentation in an unbiased way to allow us to compare Mr Page’s opinion with what they really wrote, demonstrated, observed or said.

At least pay us the respect of providing balanced coverage either by providing mainstream climate science coverage in the science category along with Mr Page’s opinion pieces and coverage, or by adding in right of reply, interviews and accurate coverage of what was actually written in the papers and research.

Curation

I have taken the step of finally splitting the cut-n-paste import from my blog at Advogato into the days they actually occurred. All that content was here previously, but in some cases bunched together over many thousands of lines in single massive multi-month postings.

Some early permalinks are gone, but that’s okay, you can search for the content. The content I’m talking about dates back more than ten years.

Installing Fedora 18 (RTM) to VMWare Fusion 5 or VMWare Workstation 9

I always live in hope that just one day, the folks over at Fedora will actually have a pain free VMWare installation. Not to be. Here’s how to do it with the minimal gnashing of teeth.

Bugs that get you before anything else

On VMWare Fusion 5, currently Fedora 18 x86_64 Live DVD’s graphical installer will boot and then gets stuck at a blue GUI screen if you have 3D acceleration turned on (which is the default if you choose Linux / Fedora 64 bit).

  • Virtual Machine -> Settings -> Display -> disable 3D acceleration.

We’ll come back to this after the installation of VMWare Tools.

Installing Fedora 18 in VMWare Fusion / VMWare Workstation 8

The installation is pretty straight forward … as long as you can see it.

The only non-default choice I’d like you to change is to set your standard user up to be in the administrators group (it’s a checkbox during installation). Being in the administrators group allows sudo to run. If you don’t want to do this, drop sudo from the beginning of all of the commands below, and use “su -” to get a root shell instead. 

The new graphical installer still has a few bugs:

  • Non-fatal – On the text error message screen (Control-Alt-F2) there’s an error message from grub2 (still!) about grub2 file not found /boot/grub2/locale/en.mo.gz. This will not prevent installation, so just ignore it for now (which the Fedora folks have for a couple of releases!). Go back to the live desktop screen by using Control-Alt-F1
  • PITA – Try not to move the installer window offscreen as it’s difficult to finish the installation if even a little off screen. If you get stuck, press tab until you hit the “Next” button – or just reboot and start again
Update Fedora 18

Once you have Fedora installed, login and open a terminal window (Activities -> type in “Terminal”)

sudo yum update
sudo reboot
sudo yum install kernel-devel kernel-headers gcc make
sudo reboot

Fix missing kernel headers

At least for now, VMware Tools 9.2.2 build-893683 will moan about a path not found error for the kernel headers. Let’s go ahead and fix that for you:

sudo cp /usr/include/linux/version.h /lib/modules/`uname -r`/build/include/linux/

NB: The backtick (`) executes the command “uname -r” to make the above work no matter what your kernel version is.

NB: Some highly ranked and well meaning instructions want you to install the x86_64 or PAE versions of kernel devel or kernel headers when trying to locate the correct header files. This is not necessary for the x86_64 kernel on Fedora 18, which I am assuming you’re using as nearly everything released by AMD or Intel for the last six years is 64 bit capable. Those instructions might be relevant to your interests if you are using the 32 bit i686 version or PAE version of Fedora 18.

Mount VMWare Tools

Make sure you have the latest updates installed in VMWare before proceeding!

  • Virtual Machine -> Install VMWare Tools

Fedora 18 mounts removable media in a per-user specific location (/run/media/<username>/<volume name>), so you need to know your username and the volume name.

Build VMWare Tools

Click on Activities, and type Terminal

tar zxf /run/media/`whoami`/VMware\ Tools/VMw*.tar.gz
cd vmware-tools-distrib
sudo ./vmware-install.pl

Make sure everything compiled okay, and if so, restart:

sudo reboot

NB: The backtick (`) executes the command “whoami” to make the above work no matter what your username is.
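
As a preflight for the update, header fix and build steps above, this added example (not part of the original post or of VMware's installer) checks that the build tree for the running kernel exists, that version.h is where the installer looks for it, and that the Tools tarball is mounted. The function names and the ROOT, KVER and USER parameters are assumptions, there only so the check can run against a constructed directory tree.

```sh
#!/bin/sh
# Added example: preflight for building VMware Tools on Fedora 18.
# ROOT (filesystem prefix), KVER (kernel release) and USER are hypothetical
# parameters; with no arguments the functions inspect the live system.

# vmtools_preflight [ROOT] [KVER]
# Return codes:
#   0  version.h is already in the kernel build tree
#   1  no build tree for this kernel (kernel-devel missing, or it was
#      installed for a newer kernel than the one currently running)
#   2  build tree exists, version.h is only under /usr/include (copy it)
#   3  version.h is missing everywhere (kernel-headers not installed)
vmtools_preflight() {
    vp_root=${1:-}
    vp_kver=${2:-$(uname -r)}
    vp_build="$vp_root/lib/modules/$vp_kver/build"
    vp_src="$vp_root/usr/include/linux/version.h"

    if [ ! -d "$vp_build/include/linux" ]; then
        echo "no kernel build tree at $vp_build"
        echo "install kernel-devel, then reboot so the running kernel matches it"
        return 1
    fi
    if [ -f "$vp_build/include/linux/version.h" ]; then
        echo "ok: version.h present for $vp_kver"
        return 0
    fi
    if [ -f "$vp_src" ]; then
        echo "fix: sudo cp $vp_src $vp_build/include/linux/"
        return 2
    fi
    echo "version.h not found; install kernel-headers first"
    return 3
}

# find_tools_tarball [ROOT] [USER]
# Prints the path of the mounted VMware Tools tarball and returns 0,
# or returns 1 if the volume is not mounted for that user.
find_tools_tarball() {
    ft_dir="${1:-}/run/media/${2:-$(whoami)}/VMware Tools"
    for ft_file in "$ft_dir"/VMw*.tar.gz; do
        # An unmatched glob stays literal, so test that the file exists.
        if [ -f "$ft_file" ]; then
            printf '%s\n' "$ft_file"
            return 0
        fi
    done
    return 1
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--check" ]; then
    vmtools_preflight && find_tools_tarball
fi
```

A return code of 1 right after "yum update" usually means the second reboot was skipped, so kernel-devel belongs to a newer kernel than the one still running.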

No 3D Acceleration oh noes!1!! Install Cinnamon or Mate

Now, all the normal VMWare Tools will work. Unfortunately, after all the faffing about, I didn’t manage working 3D acceleration. I ended up installing something a bit lighter than Gnome 3.6, which requires hardware 3D acceleration.

  • Activities -> Software -> Packages -> Cinnamon for a more modern desktop appearance or 
  • Activities -> Software -> Packages -> MATE for old school Gnome 2 desktop appearance
  • Apply 
  • Logout 
  • From the session pull down, change across to Cinnamon or Mate and log back in
When VMWare updates Tools to support Fedora 18 or vice versa, I’d still suggest Cinnamon over Gnome 3.6. Gnome 3.6 sucks way less than earlier Gnome 3.x releases, but that’s no great compliment. YMMV and you may really like Gnome 3.6, but without 3D support, it’s going to be painful.

PTV iPhone app – worst public transport app ever, or just pure evil?

I take the train between Marshall and Southern Cross Station, a terminus station with 14 or 15 platforms and hundreds of V/Line country, suburban and bus services daily. I had an app that worked (the old MetLink app). That wasn’t stellar, but it worked well enough that I didn’t need to get a paper timetable.

So imagine my continuing frustration that the most basic of use cases just doesn’t work in the complete re-write of the new app:

I cannot find my station when standing on the station platform (!) using location search or by searching for the station in the default “Trains” mode the app comes in from the AppStore.

It cannot find the terminus of all V/Line services – Southern Cross Station. I’m serious. In “Train” mode, you cannot search for V/Line services or stations. In “V/Line” mode, Southern Cross is not even a station (!!). You cannot find it by clicking on “Find my location” icon whilst in the station (!), and you cannot choose it from the map, and you cannot search for it. Epic fail of all epic fails. It’s like the PTV app designers chose not to walk the 40 m from their office block to the biggest and busiest station in all of Victoria and test it out.

Modality. It’s nearly impossible to work out you can change the mode of transport you’re looking up by clicking the word “Trains” at the bottom of the screen. I am catching a “train”, but not the default type of “train”. Who knew? The thought that there are multiple types of trains obviously never occurred to PTV’s UX designers. There’s no button shape or indicator, it’s just in a button bar by itself, which usually means that there are no other choices.

Honestly, PTV need to test their apps:

  • You should be able to find all the services within 500 m of where you are standing. Just list them all and let the filter function narrow things down in one or two keytaps.
  • You should be able to find ANY station or service or transport mode via text search. It’s just not that hard. There should be no difference between a regional bus, a metropolitan tram, an intercity V/Line service, or a station or bus stop. List ‘em all, and let the filter work its magic in a few keystrokes.
  • Get rid of modes. I don’t think of modes and I use at least two every day. Free up that wasted screen real estate and replace it with a search function that works across all modes, and services.
  • You should be able to view a line’s entire timetable with no more than two or three clicks. Timetables -> scroll to the timetable or tap in enough to narrow things down -> voila. It’s not rocket science. Allow it to be a favorite.
  • Planning a multi-mode trip is not rocket science. This is just not possible with the current PTV app.
  • The old app had notifications for the services / lines you were interested in. Please bring it back. This feature may actually be in the PTV app – I simply don’t know because I have not been able to find my station or the station at which I get off.

This app is terrible. It must be withdrawn.

Resurrecting the wife’s laptop – Asus hates you and you and you

At Christmas last year, I bought a new laptop for the wife, an Asus K52DR with 4 GB of RAM and 500 GB hard drive. I quote from then:

[...Asus should...] supply a real copy of Windows 7 installation media, so you can clean install the OS easily instead of wasting hours and hours and hours getting rid of the circusware. Asking folks to sit there for 2.5 hours to create 45 cents worth of DVDs is morally repugnant and evil.

Although I stand behind every word I said above, I’m begrudgingly glad I spent the extra 2.5 hours creating those DVDs as I’m restoring her computer to factory default after she killed the previous HD by cooking it in the bedding. Obviously, not Asus’ fault, but what happens after replacing the HD is most certainly Asus’ fault. This Asus will be our last PC – my life is just too precious to donate to absurd and evil corporate practices.

When I bought the Asus, it took me about three days to get the PC to a default-ish Windows installation, Office 2010, and iTunes with just enough drivers to run “advanced” technical devices like the display or the wireless network. Don’t get me started on the number of reboots or gigabytes of patches required. Copying Tanya’s data, migrating her PST and recovering her calendar was simple by comparison.

I am dreading wasting yet another two to most likely three days of my personal life YET AGAIN to weed out all the circusware from the factory default build. Asus must start providing a fast circusware free method of complete restoration like Apple do. The time I’m going to spend over the next few nights, and probably the next weekend, is like a working week away from my family. Completely unacceptable.

I tried restoring the repair partition I dd’d off, but due to the new 750 GB drive having different sized clusters and alignment than the old 500 GB drive, I struggled to create a bootable recovery partition without spending yet more time than it would take to restore using the DVDs. So I’m using the restore DVDs.

I still don’t have a Time Machine work-a-like that can back up Tanya’s data. This is a serious issue as hers is the most likely computer to die. [...]

And die it did. I tried Windows 7 Backup for months on and off after buying a new 2TB external HD, but as per usual being a Microsoft product, it doesn’t actually work. So too late, I found Rebit, which is just like Time Machine … but expensive. I’ll be trying that after restoring Tanya’s data. Luckily, I was able to get her most if not all of her data off under Linux all the while the HD was making very high pitched death screams. It’s dead now – all the sparing sectors are spared and the computer wedges hard if you try to do anything with it in read / write mode.

My newish MacBook Air 11.6″ is significantly faster and cheaper than this Asus, and more so every time I have to fix it up. Once I had recovered Tanya’s data to my 2TB dumping ground on my Mac, she was up and running with one of our AppleTV’s in about two minutes.

Tanya’s next computer will be a Mac when this one dies. I will not tolerate the loss of any more of my life to Asus insistence on circusware in the default build, and cheapening out by not providing real installation media, or Microsoft’s insistence on a recovery CD and crappy end user experience.

I stand by my recommendation:

Score so far: 2/5. Do not recommend. PCs are only cheaper if your time is worthless. I just don’t get it.

 

I’m going to reduce the rating to 1/5, and the 1 is only due to the surprisingly resilient Seagate 500 GB drive that survived just long enough to get nearly all of Tanya’s data off it.

RIP Meebles 1997-2011. Best cat ever

Some blog entries are easy to write. Not this one.

Meebles is no more. In the end, it was peaceful, but his last days must have been hell. At least he had chicken (and lots of it) last night.

I first met Meebles in early 1998 when I was looking for a companion to Greebo. I went to the Lost Dog’s Home, and picked the most feisty cat there. After 14 years, I know now why his original slaves put him up for adoption again, but I didn’t mind the random attacks, the aloof distance he preferred, and his general bat craziness. It was part of his charm, and it’s the reason I picked him. He had 3 days to go before what I had to do today would have been done to a six month young cat back then.

All in all, I got the best of the bargain for all 14 years. He was steadfast in his loyalty. You had to earn that loyalty, something dog owners will never and don’t understand, but once you had it, he was a part of your life.

 

Meebles watching over me

I miss him already. Catchya round buddy.

Time for something new

As many of you have probably noticed by now, my larger than life frame is not at AusCERT 2011. This is a shame as it is sounding like one of the best AusCERTs in the history of AusCERT. There’s a couple of reasons for my absence - flu and the strange case of the disappearing job.

My services at Pure Hacking are no longer required, and so I need to get on with the job of getting on with the next phase of my life – and that means finding a great job that allows everyone to win.

There are a couple of options on the table as I write this. But the most intriguing to me right now is to be the advanced gun for hire for consultancies with schedule overload. If you think your consultancy could use me in that fashion even a few times a year, I definitely want to hear from you. If I can make alliances with even a few of you, this could work for us all. This would allow me to work for anyone in the world from my lab here, and would allow consultancies all over the world to plug their scheduling nightmare with one of the best web app sec minds* out there period.

I have a strong preference for remote telecommuting jobs as I live in a regional city. This doesn’t mean that a full time job in Melbourne is out of the question, but I will be upfront about my need for flexibility (i.e. allow me to work on the train and a day a week at home), or full time remote working from Geelong. Being 2011, full time or partial telecommuting should not be a difficult decision today.

I know I have a small but loyal readership in this blog, so if you know someone who knows someone, I’m available. I only have a short window before I have to make a decision, so if you’re able to pick me up, I definitely want to hear from you – vanderaj @ greebo . net.

* Just in case you didn’t know, I was the Project Leader and primary author of the OWASP Developer Guide 2.0, OWASP Top 10 2007 (the one in PCI DSS), and ESAPI for PHP, and I helped set the exam for the SANS GSSP (Java).

New laptop – Asus K52DR-EX143V

Much earlier this year, the Minister of War and Finance’s (hi Tanya!) old Dell augured in and bought the farm. First, Tanya spilt Milo (granulated malt) grains on the keyboard and this got under the key caps, causing the keys to stick. I tried cleaning it a couple of times, but many keys were never very good after even a solid cleaning. Then I spilt soup into the keyboard. In trying to take it apart and wash off the soup, I managed to break the little ribbon connector holder to the trackpad, and the keyboard didn’t appreciate being taken apart again, and I couldn’t get about six or so keys back on. Despite this, the laptop “worked” with an external keyboard for months. Finally, Mackenzie stomped all over our bed and the laptop, breaking the power cord connector near the screen. This last one did it – couldn’t get any more charge into it.

So I gave Tanya my maxxed out late 2006 17″ MacBook Pro. We were free of the evil, monstrous Windows beast and I was happy even though I was down a computer. Unfortunately, Tanya doesn’t like MacOS, not even after six months. Color me shocked, but there you go.

So for Christmas, I bought her a new Asus K52DR-EX143V from MSY. This unit has a 4 core AMD processor, 4 GB of RAM, 1 GB of dedicated VRAM and ATI HD5470M display chipset, 500 GB of disk, and BluRay / DVD-RW combo drive. Sounds sweet.

Opening the packaging wasn’t too bad (there are videos all over YouTube if you’re an unboxing freak), but then the stark differences between Mac and PC packaging start to set in.

  • There’s quite a lot of papers and odds and ends in the box. With the Mac, you get a simple, small Getting Started booklet and a sticker.
  • The Asus power brick is fairly large, but the cables are pretty short – about 1 m in total length. The end is a traditional plug that is of similar design that caused the demise of the previous Dell. You may need to take an extension cord with you on site if you travel with this model as the cable is pretty short. The Mac has a small power brick with integrated cable organizer, with long cords (about 2 m total) with a MagSafe connector. There’s no doubt in my mind that Tanya’s Dell would have survived if it had a Magsafe connector.
  • However, there’s no recovery DVD (urgh) or installation media. With the Mac, you get a single MacOS X DVD that allows you unlimited re-installs.
  • Stickers randomly cover about 45% of the Asus palm rest. Luckily, they came off fairly easily in about five minutes and a sharp knife. There was some residual stickiness from one of the stickers which I’m still yet to get completely off. There’s no stickers on a Mac.
  • There are a lot of shipping protective stickers on the Asus, such as around the bezel, on the web cam, and so on. Some of it is actually quite hard to remove such as on the hinges. There’s only a small piece of soft foam between the keyboard and the keyboard in the last two Macs I had.

Turning on the Asus requires installing the battery, and plugging the power cord in. Immediately, differences between Windows 7 OEM and MacOS X start to stand out. For a start, the Asus is by any standards a fast computer, but it took over a minute to get to the first registration screen asking for personalization and registration details. I was working and online in two minutes out of the box on my Macbook Pro 13″ in 2009.

Windows 7 starts in about a minute, but there’s so much circusware and trial software installed that I spent the next fourteen hours:

  • Decoding and removing all unnecessary crap off the machine. This is still not complete, but I’m much happier now. The Asus now boots in about 45 seconds
  • Removing the stupid “data” disk partition – for some reason there’s a 116 GB system partition (far too big), and a 329 GB data partition (far too small). Removing the data partition solves both issues. To fix it on yours, assuming there’s no data on the data partition, start the disk partitioner (diskpart.exe):
select disk 0
list partition
rem check the partition numbers listed above first - see note below
select partition 3
delete partition
select partition 2
extend
exit

* the data partition was 3 on my system - YMMV and do not delete your system partition!

  • Upgrading Adobe Reader 9 to X
  • Upgrading Flash to be as secure as it'll ever be (which is not very)
  • Installing the 78 patches for Windows, requiring just over a gigabyte of bandwidth, several attempts and reboots
  • Installing decent firewall, anti-virus and anti-spyware - not needed on a Mac (yet)
  • Installing Microsoft Office 2010. There's a trial copy of Office 2010 Starter edition already installed, but that also has all the installation bits for all editions. So I bought the Product Key Card of Home and Business edition and chose "Activate key" to turn Starter edition into Home and Business. However, it failed to install the first time, so I tried again after a reboot and that worked. On the Mac, you just drag MS Office from the install DVD to your Applications folder. The Mac install is far faster and just works. Of course, once installed, there were Office 2010 patches to install.
  • There's no installation media or recovery DVDs, so I broke out my DVD-R supply, and after 2.5 hours (seriously!) it burnt five recovery DVDs with hilarious Chinglish prompts such as "Predictably, burning will take five DVDs to create a recovery DVD". You can't make that crap up. Of course, using the recovery DVDs will blow away all Tanya's data and return the circus ware, but ... it had to be done. The Mac has a full OS DVD and thus doesn't lose any user data, and in many cases keeps your applications and settings working too.
  • I'm currently installing iTunes and migrating data across. This would take time no matter if it's a PC or a Mac, so I'm going to give it a free pass at the moment.
  • I'm still trying to set up Outlook 2010 and her Windows Mobile 6.1 phone. This should be a no brainer, but ... Windows 7 doesn't seem to like Windows Mobile 6.1.
  • I still don't have a Time Machine work-a-like that can back up Tanya's data. This is a serious issue as hers is the most likely computer to die. Suggestions welcome.

Using the laptop

As it's only the second day of having the laptop, I've not done any real work on it yet. PCs are unproductive like that. I'm still yet to find out if it can run videos in iTunes full screen on our TVs, which the Macs do in their sleep. Tanya's previous Dell used to have serious lag time between video and sound and the fans were on full time, requiring extra volume. I'm hoping that this computer is at least as able as a four year old Macbook Pro.

Problems so far

I don't know if this is just me, or known problems with Asus laptops, but I've found that connecting the VGA adapter to a 24" screen at 1920x1080 @ 32 bpp produces a wobbily and shimmering display that flickers a great deal. I would get eye strain after a few minutes if I had to use this as my primary display. So I tried a HDMI cable, but that produced a pink / purple display centered in the middle of the screen. I don't know if this means I have a broken laptop yet, or if this is how crappy all PCs are. I hope it's not broken, as I've invested so much time in getting to where I am at the moment.

Conclusion

In short, the machine is very fast at some things, except that booting and running Office seem a bit tardy. The external display connectors don't seem to be working properly. At least, it found my Bluetooth mouse and used it without any additional issues.

As a Mac user, I cannot understand why PC manufacturers don't take that little bit of extra time and make sure their product works out of the box with minimal fussing. The circusware was very annoying. That should go, as should the sticker vandalism. The patching was annoying but necessary. It shouldn't require multiple reboots. Someone should test the installation of Office 2010 with a product key card before creating the image. A slightly longer power cable would really help and is not that expensive. And supply a real copy of Windows 7 installation media, so you can clean install the OS easily instead of wasting hours and hours and hours getting rid of the circusware. Asking folks to sit there for 2.5 hours to create 45 cents worth of DVDs is morally repugnant and evil.

Although in terms of raw speed, the equivalent Mac is about twice as expensive as what I've spent on the Asus, the reality is that my two year old Mac boots up faster, starts Office 2010 faster in emulation than this thing, and has a better screen and a longer battery life. The price of a Mac with my Mac's performance is $1499, only a few hundred more. If the display ports are broken, I'll have to do all of this again with a replacement unit next week. Argh!

Score so far: 2/5. Do not recommend. PCs are only cheaper if your time is worthless. I just don't get it.