A Two Weeks With Windows 8

I have forced myself to use Windows 8 at home for the previous two weeks. And the best way to describe them would be as a tablet OS.

The best example of tablet-centric behavior is seen if you search for “Computer”. You will get the familiar “Computer” icon, which you might want to right-click (in order to get the context menu). If you do this, the context menu will appear, but at the bottom of the screen. So you need to take your cursor all the way down the screen. Pointless. And it is annoying that you cannot use the keyboard to do that at all. Pressing the context-menu key brings up the menu for the text box and not for the currently selected item. You first need to use the arrow keys to go up/down and only then can you use the keyboard properly. Unpolished, to say the least.

Search, which worked perfectly in both Windows Vista and Windows 7, is lacking. You cannot search for Printers, Devices, Programs… all those items that resided in the start menu are not easily accessible by search. Yes, you can go and CLICK on Settings below, but that is a solution oriented more toward tablets and guys using a mouse. If you want the keyboard you can get it with Win+W (very logical indeed) but at the cost of time for switching. It gets even worse when you are not sure where something is.

Windows SmartScreen technology helps to annoy the user further. It checks each file downloaded over the Internet and, if not enough users have downloaded that application through Internet Explorer, it will force you to jump through hoops to run it.

As far as networking goes, Windows Vista/7 hid everything behind one more click than is really necessary. However, if you had a network connected, that network was shown in the notification area (aka tray). In Windows 8 it shows the state of whatever adapter it wants. Chance will have it that it is not the adapter that you are currently using. So you can have an icon with an exclamation point while your network works perfectly. To show it you need to click on the icon with the warning.

Those were the things that I hated the most during regular work, but they weren’t the only ones. I think that almost every single feature of Windows 8 was unfinished and it was very obvious. I understand that it is not fair to compare a beta (or consumer preview) of Windows 8 with the finalized product that is Windows 7. However, I remember the Windows 7 beta. I had no reservations about starting to use it immediately. There were virtually no downsides to it. Comparing the two betas, it feels like Windows 8 was rushed…

The single excellent thing about Windows 8 is their ability to boot off USB. And it is fortunate that they do, since I am erasing them from my hard drive.

Cheap Bastards

Illustration

It is very sad to see illegal downloads driving Sony Music so poor that they cannot afford to have a proper SSL certificate. It is either that or the team creating these pages just didn’t give a damn.

Well, at least they do offer SSL…

Force HTTPS for WordPress Login Page

If you do have an SSL certificate on your domain, it would be a shame not to use it for the WordPress login. Since WordPress sends passwords as plain text, it would be a great thing if we were redirected to the HTTPS version for every login (even if we forget to specify it).

The solution lies in adding a few lines to your .htaccess file:

# mod_rewrite has to be switched on for the rule below to be evaluated
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^wordpress/wp-(login\.php|admin/)(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

This code checks whether we are going to the login or admin pages. If we are and HTTPS is not the protocol in use, it simply redirects the request to the same URL over HTTPS.

P.S. This example was taken from my pages, where I have WordPress installed in a sub-directory named wordpress. If you have it installed in some other directory, adjust accordingly.

P.P.S. Do not forget to set FORCE_SSL_LOGIN and FORCE_SSL_ADMIN also.

WordPress and Plain-text Password

If you ever did a network capture of your WordPress login procedure, you would have noticed that the password is sent as plain text:

POST /wordpress/wp-login.php HTTP/1.1
  log=admin&pwd=mysuperpass&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.example.com%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_status%3Ddraft%26post_type%3Dpost&testcookie=1

Anyone who can watch traffic on your network can see it as clear as day. Worse still, if you traverse some proxy server (as in most companies), your password might get dumped into a log file. Whoever has access to those log files has access to your password. Do you really trust your network admin that much?

The proper way to sort this out would be to use SSL. That way the connection is encrypted end-to-end and the whole plain-text issue just goes away. Unfortunately, SSL certificates usually cost some money.

A cheaper solution would be to tunnel all your traffic through SSH to a trusted network (e.g. your system at home). While this would alleviate the threat when you are connecting from e.g. a hotel, it still means that your plain text is traveling to the server unencrypted. However, in the case of an SSH tunnel from home, you can count (or can you?) on your provider not keeping such a detailed log.

The last thing that you might do is to force WordPress to use the CHAP protocol. That way the password is still visible, but only in hashed form. Brute-force attacks will be possible, but at least the attacker has something to do. And, if the password was selected carefully, it might require months and even years of computing. The only way I found to do this is by installing the Chap Secure Login plugin.

Upon activating this plugin you should log out and log in again (that will fail). And then log out and log in again (in my case this was still sending plain text). Only upon the third logout/login will the plugin start working properly. Snooping on the system again, you will see something like:

POST /wordpress/wp-login.php HTTP/1.1
  log=admin&pwd=0a1dbb73659c24dd237ec254022af7daef410404665cc7f4be22b69e1e2b1845&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.example.com%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_status%3Ddraft%26post_type%3Dpost&testcookie=1

This looks much better.
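As an added example (not part of the original post and not the plugin's code), the Python sketch below audits captured wp-login.php POST bodies like the two shown above: it tells a clear-text `pwd` value from a 64-hex-character digest and redacts the field before the body is written to a proxy or application log. The function names and the shortened sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Constructed sample bodies, modelled on the two captures shown in this post
# (redirect_to omitted for brevity).
PLAIN_BODY = "log=admin&pwd=mysuperpass&wp-submit=Log+In&testcookie=1"
HASHED_BODY = ("log=admin&pwd=0a1dbb73659c24dd237ec254022af7da"
               "ef410404665cc7f4be22b69e1e2b1845&wp-submit=Log+In&testcookie=1")

# 64 lowercase hex characters, the shape of the pwd value in the second capture.
# Heuristic: a real password that happens to look like this is misclassified.
HEX_DIGEST = re.compile(r"^[0-9a-f]{64}$")


def classify_pwd(body):
    """Return 'absent', 'digest' or 'plaintext' for the pwd field of a form body."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    if "pwd" not in fields:
        return "absent"
    return "digest" if HEX_DIGEST.match(fields["pwd"]) else "plaintext"


def redact(body):
    """Replace the pwd value so the body can be stored in a log."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, "REDACTED" if k == "pwd" else v) for k, v in pairs])


def audit(scheme, path, body):
    """Flag a wp-login POST whose password is readable on the wire."""
    kind = classify_pwd(body)
    exposed = (scheme == "http"
               and path.endswith("/wp-login.php")
               and kind == "plaintext")
    return {"pwd": kind, "exposed": exposed, "loggable": redact(body)}


if __name__ == "__main__":
    for scheme, body in (("http", PLAIN_BODY), ("http", HASHED_BODY),
                         ("https", PLAIN_BODY)):
        print(scheme, audit(scheme, "/wordpress/wp-login.php", body))
```

A `digest` result over plain HTTP is not flagged as exposed, but as the post notes, the hashed value can still be brute-forced by whoever captures it.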

[2014-10-29: I had this plugin fail with Suffusion. After its (manual) removal I was unable to log on anymore. Solution was to remove cookies.]

SQL Server 2012

If you happen to be an MSDN subscriber, there is a new treat for you. SQL Server 2012 is available for download.

For those as cheap as me, there is SQL Server 2012 Express. For some reason it is still listed as beta, but I expect to see the RTM version soon enough.

The biggest feature in my book would be LocalDB. At first glance it would be the same thing as SQL Server Compact. However, if you dig a bit deeper, you will see that it has a few subtle differences.

For me LocalDB is the missing link that brings SQL Server data and TSQL without the need for a full-blown SQL Server install. Compared to Compact, it is bigger and not as easily distributed. On the other hand, an upgrade between LocalDB and full SQL Server should be a breeze. This one goes on my system immediately. Check more details.

Yes, there are other changes, but I will leave each one of you to pick a favorite.