Tuesday, March 30, 2010

The Good, The Bad and The Ugly of NTFS Alternate Data Streams

The Good
When NTFS was introduced for the Windows NT platform, one of the features that was added was 'alternate data streams' (ADS). It was added specifically to give Mac users an equivalent of 'forks', so they could keep the 'data fork' and 'resource fork' of their files when using NTFS as a network data share.

A file stream is essentially metadata added to a file that doesn't interfere with the contents of the file. One way to see this data is to look at the 'Summary' tab of a file.

But as you can see, the comments section in particular can be quite lengthy. Note that not all file streams appear here; others may be included. Also, the space used by file streams is not counted when calculating the file size, so adding more data to an ADS does not change the size reported by the OS.

This method is also used in other ways. Icon files are associated with the URL shortcut files for IE as a file stream, and the blocking of downloaded files from execution is handled through ADS. Microsoft provides a tool to let you find files that have streams attached to them. You can read about it here: http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx

The Bad and The Ugly
This method can be used to make both text and binary files difficult to find. It's even possible to use the command shell to make an executable file (such as notepad) an ADS for a pre-existing executable (such as the calculator application), rename the executable and run it! This sample screenshot shows what happens when notepad.exe is added as an ADS called 'runtime.exe' to the calc.exe file and is executed. In this case, the notepad executable is being run from the runtime.exe ADS for the calc.exe.

Fortunately, you see the shenanigans when looking at the task manager. Also, all of these activities require someone with sufficient permissions. This means that your system would already have to be compromised for this to happen.
Also, this information is only accessible on NTFS file systems and is not included when sending files over the network (unless it's to / from an NTFS file share).
Hopefully, this will shed some light on the inner workings of the file system and explain some behavior you may have seen.
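
As an added example (not part of the original post), here is one way to audit a directory for the streams described above using PowerShell's built-in `-Stream` parameter, and to flag any stream whose content begins with the 'MZ' marker of a Windows executable. The function name `Find-AlternateStream`, the `ads-demo` folder and the sample streams are constructed for illustration; the demo also compares the file size the OS reports before and after streams are attached.

```powershell
# Added example: audit a tree for NTFS alternate data streams (PowerShell 3.0+, NTFS volume).
function Find-AlternateStream {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    # Byte reads: -Encoding Byte (Windows PowerShell) became -AsByteStream in PowerShell 6+.
    $byteArgs = @{ Encoding = 'Byte' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $byteArgs = @{ AsByteStream = $true } }

    foreach ($file in Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue) {
        # ':$DATA' is the unnamed main stream, i.e. the normal file contents; skip it.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            # The first two bytes of a Windows executable are 'MZ' (0x4D 0x5A).
            $head = @(Get-Content -LiteralPath $file.FullName -Stream $s.Stream -TotalCount 2 @byteArgs)
            [pscustomobject]@{
                File        = $file.FullName
                Stream      = $s.Stream
                Length      = $s.Length
                LooksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            }
        }
    }
}

# --- Constructed demo data: plain text only, nothing executable ---
$dir  = Join-Path $env:TEMP 'ads-demo'
$path = Join-Path $dir 'report.txt'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -LiteralPath $path -Value 'visible contents'
$before = (Get-Item -LiteralPath $path).Length

# Attach two named streams: 4 KB of filler, and text that merely starts with 'MZ'.
Set-Content -LiteralPath $path -Stream 'notes' -Value ('x' * 4096)
Set-Content -LiteralPath $path -Stream 'runtime.exe' -Value 'MZ constructed marker text'
$after = (Get-Item -LiteralPath $path).Length

# Compare the size the OS reports for the file before and after the streams were added.
"Reported size before / after adding streams: $before / $after"

# Report every named stream under the demo folder and whether it begins with the MZ marker.
Find-AlternateStream -Path $dir | Format-Table -AutoSize

Remove-Item -LiteralPath $dir -Recurse -Force
```

On a real system, expect benign results as well, such as the `Zone.Identifier` stream that Windows attaches to downloaded files; a stream flagged `LooksLikePE` is the case worth a closer look.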

Monday, March 29, 2010

Practical Software Test Automation Course - Oklahoma City, May 13 & 14, 2010

We are fortunate to have Randy Rice local to our area and are happy to announce that we are helping to sponsor his Practical Software Test Automation Course. Registration and course information can be found here.


Even if you are not in the Oklahoma City area, this course is sure to be useful to anyone getting started with (or trying to recover from) their automation efforts.

On his site, you will find online training as well. Have a look around and see if other courses meet your needs as well.

Understanding Computers from 'first principles'

While researching information on computer security, I ran across the Security Now! podcasts (http://www.grc.com/securitynow.htm).

Among the podcasts is a series of discussions that provides insight into how computers work at a fundamental (and somewhat technical) level.

Here are the podcasts that I found particularly interesting:
Basic Architecture of computers from the 1950s

Machine Language


Stacks, Registers and Recursion

Hardware Interrupts

These are the low-bandwidth MP3s; there are high-bandwidth versions, as well as notes and supplementary materials.

Wednesday, March 17, 2010

Meeting Announcement- Evening Meeting 4:30pm-6pm Thursday, March 25th

- We're moving to evenings to accommodate your busy work schedule!

Time and Location

We will be meeting at the FIS/Metavante offices at 1200 Sovereign Row. The meeting is from 4:30pm to 6pm.

Free parking is available!


Robert Watkins will discuss how FIS approached performance testing for one commercial server product and the process to provide performance testing utilities to customers.


  • From I-40, take Meridian South
  • Turn Left at Will Rogers Parkway
  • Turn Left at Sovereign Row
  • The FIS/Metavante offices are on the right just before the curve in the road.

Wednesday, March 03, 2010

Tuesday, March 02, 2010

Charles Babbage's connection to the Luddites

Charles Babbage is well known for his Difference Engine and lesser known for his Analytical Engine. When Luigi Menabrea (future prime minister of Italy and engineer) translated his notes of Babbage's lectures into French, Babbage asked a long-time friend, Ada Lovelace, to translate those notes to English. That was in 1842. Ada's father was Lord Byron, the poet and Parliamentarian. In 1815, one of his first speeches to the House of Lords was in defense of the Luddites.

Monday, March 01, 2010

The Rule of 1000 Decisions (as a tie into myth-busters)

A couple 'prior-lives' ago, I worked with a CIO at a mid-sized bank who gave me quite a bit of encouragement and opportunity. There were several things I remember from working with him.

The first was his success criteria for the project to bring in the bank's website in-house. 'Just make it suck less'. I believe we did that in spades. The basic design was functional enough to last about five years before they outgrew that architecture. Quite a feat for a site that was developed in 2001.

The second was his 'Rule of 1000 Decisions'. Essentially, this rule starts with the premise that everyone makes mistakes and, generally, everyone makes more good decisions than bad decisions. The caveat is that those who don't may not last long. Suppose that for every 1000 decisions you make, you have 900 good decisions, 50 bad decisions and 50 great decisions. If you start to avoid making decisions to avoid the bad ones, you are missing out on more good and great decisions that you could be making. The point is that you need to keep making decisions and accept the fallout as well as the praise for those decisions.

The tie into myth busters is this discussion on the importance of failures, even massive failures.