Thursday, July 13, 2017

Defend Your Backups Against Ransomware

My people have no tradition of proofreading.  —Ken White

Bob Brown

One of the newer (and nastier) tricks of The Bad Guys™ is a class of software known as ransomware.  It scrambles all the useful files on every disk it can find, including network and cloud drives, then puts up a message asking you to pay for the key that will unscramble your data.  You pay in Bitcoin, which is anonymous.  The amount is often a couple hundred bucks, which is enough to sting even if you manage your money well.  Finally, these people are thieves; there's no guarantee that you'll get a decryption key for your $$$.

So, how do we defend against such extortion?

Back Up Your Computer!

The first defense against all kinds of computer trouble is a good backup process.  "Good" means it's automated, so you won't forget to do it regularly.  Good also means you've tested that you can restore files from the backup media.

Backups are a subject for their own Bitmonger article, so for now let me just say that if you're not backing up your computer, you're waving in the wind.

Protecting the Backups

One of the nasty things about ransomware is that it encrypts all the drives it can find.  If you carefully back up to a USB drive, as I do, and you leave the drive attached to your computer, the backup drive is exposed in the case of ransomware.

Before I retired, I kept a USB backup drive in my office and another at home.  I made backups of my laptop at both locations on a regular schedule, so there was always an "off site" backup not connected to my laptop, and so protected from ransomware.   Now that I'm retired, I can't do that.  I still use two backup drives.  After all, one could fail.  However, they're both at home.  (The lack of an off-site backup means I'm exposed to risk of fire or theft, too.)

To keep my (and your) backup drives safe from ransomware, they need to be physically disconnected from the computer except when a backup operation is scheduled, and they should never both be connected at the same time.  You can accomplish that by unplugging the USB cable.  If your drive has a power switch, just turning the drive off works, too.  In my case, both options are somewhat fiddly operations in hard-to-reach places.

I'd really like to have an A-0-B switch switch for USB that connects drive A, drive B, or neither to the computer, and that will not allow both drives to be online at the same time.  I couldn't find one, but I did find a hub with push buttons that will allow one to connect or disconnect any of four devices with the push of a button.  I have to push two buttons to swap drives – connect A and disconnect B, or vice versa – but I've put the hub in a convenient location so I can swap drives with minimal fooling around.

If you're looking for a similar device, be sure you get one that's USB 3.0 compatible.  Otherwise, you will probably sacrifice speed, and speed is important when making backups.

 I've found several USB A-B switches, but they're all designed to share one peripheral among two computers, and not the other way around.

"Safely Remove" USB Drives

In earlier times, Windows did "lazy writes" by default.  That is, Windows waited until the CPU was briefly idle to actually write data to the disk.  In that case, just disconnecting such a disk could result in a corrupt file system because there may have been incomplete disk writes.  For current versions of Windows, "quick removal," which does not cache writes, is the default. You can find the details and info on how to check your own computer here at PC World.

So, if you use Windows, you can just push the button to disconnect a drive without having to fiddle with safely removing it.

Even so, there is value in logically removing your backup drive as soon as a backup is complete.  Although it's possible to detect and reconnect a drive that's attached but offline, I know of no ransomware that does that... yet.  Also, taking the drive offline immediately can prevent certain "Oops!" accidents.  If you run your backups manually, you can just push the button, but running backups manually is poor practice because we skip doing it.

If your backup is run from a batch file, or has a way to call a batch file when the backup ends, there is free software that will take the drive offline for you.  Two such programs are RemoveDrive and USBDiskEjector.  Consider using one of these, and if you do use one of them, consider making a donation to the author.

About Backing Up to the "Cloud"

There is no cloud.  There's only a bunch of computers you don't own run by a bunch of people you don't know.   It's more complicated than that, of course, and the various cloud services run some pretty slick software.  Down at the bottom, though, you are trusting someone else with your data.  Anything you store "in the cloud" should be encrypted, and you should never store the only copy of something "in the cloud."  (For a cautionary tale, read the sad story of MegaUpload.)

One of the things that makes cloud storage so convenient is that you can often treat a "cloud drive" like any other disk drive.  Sadly, that means ransomware can likely find and obscure your cloud backups just like everything else.  The lesson is that you should not depend on "cloud drives" to defend against ransomware.

Some vendors of cloud backup services have taken steps to protect against ransomware, but the ordinary "cloud drive" does not offer such protection. 

Copyright © 2017 by Bob Brown

Creative Commons License
Defend Your Backups Against Ransomware by Bob Brown is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Saturday, February 27, 2016

Avoid the Wretched Spammers at MailChimp

I've had the same email address for a long time, so it's gotten passed around.  It's also short, so people who think they're inventing an email address often hit on mine.  I get a lot of spam.

About half of it comes from MailChimp.  The people at MailChimp will tell you, "we help our customers comply with spam laws and best practices."  It's not true.  They're spammers.

To understand that, we first need to define spam.  I like the definition from  Spam is unsolicited bulk email.  Bulk email is OK; I subscribe to several mailing lists.  They send bulk email, and I get it because I want it.  Unsolicited email is OK... in fact, it's even normal.  An old friend recently sent me email inviting me to lunch.  Great!  It was unsolicited, but I was happy to get it.

It's Spam, Jim!

Email is spam when it is both bulk and unsolicited.  In the case of bulk mail, "unsolicited" means "the recipient has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent."  Those words are from Spamhaus, and I couldn't say it any better.  It's about consent.  "Verifiably granted" means what is sometimes called the double-opt-in.  The emailer sends you a message that says, in effect, "Thank you for signing up for our stuff.  Click here to validate your email address."  That is verifiable.  That is what MailChimp doesn't do.

Don't Get Tarred with MailChimp's Reputation

If you are thinking of email marketing and you're thinking of hiring help, be careful not to get tarred with the reputation of a spammer.  If people get spam from you, they'll naturally and correctly think you're sleazy.  That's what will happen if you hire MailChimp.  They send from several domain names, and every time I find one, I block it on my home email server.  That mail "bounces;" it gets rejected without being delivered at all.

I also have an email address with one of the big, public email providers.  I haven't figured out how to block entire domains there, but I do block the individual spammers, one by one.  Their future messages get received and go into my spam folder.  The sender paid MailChimp to send that message, but I never saw it.  Don't let that happen to you!

"Just Unsubscribe"


I feel no obligation to "unsubscribe" from anything to which I didn't subscribe in the first place.  In fact, I see a great advantage in not unsubscribing.  It makes the sender's email campaign that much more expensive because the sender pays for those messages that go into my spam folder.  Don't let that happen to you.  I feel no obligation to make spamming cheaper or more cost effective.  Besides, unsubscribing just confirms that the email address works.

Be Like Me

When you get spam, block the sending domain entirely.  If you can't block the domain, block the specific sender.  Only unsubscribe if you cannot block domain or sender.  Spam works because it's cheap.  Help make it more expensive.  And never, ever, buy anything from a spammer.  Read what Spamhaus says about unsubscribing.  Remember, it's spam if it's both bulk and unsolicited.

Sunday, December 7, 2014

About PGP Signatures

My people have no tradition of proofreading.  —Ken White

I started attaching PGP digital signatures to my work email a few months ago.  That's kind-of an appropriate thing for me to do since I'm a teacher of computer security.  For many people, that signature is just a mysterious hunk of garbled letters either appended to the email message or sent as an attachment.  Such a signature looks like this:

Version: GnuPG v2.0.22 (MingW32)


Ewww... that's ugly! But why?

A PGP Digital Signature Authenticates the Message

When people get email, they naturally assume that the name on the From: line is the sender of the message, especially if it's someone they know and with whom they communicate frequently.  Unhappily, that doesn't have to be true; it is trivially easy to forge a sender's identity in email.  The PGP digital signature provides strong evidence that the message is actually from the purported sender and that it hasn't been tampered with in transit.

How Does it Work?

The PGP digital signature depends on two cryptographic technologies, cryptographic hash functions and public key cryptography.   A cryptographic hash function produces a "fingerprint" for a message.  The text of the message is input to a computer program that computes the hash code, called a "digest."  Every possible message probably has a unique digest, and even a tiny change in the message would change the computed digest dramatically.  Why is it called "hash?"  Look at the example above!

Public key cryptography uses two keys called public and private.  The public key is widely available, often published a key server like the MIT key server.  If you know someone's email address and they have a PGP key pair, you can probably find their public key easily.  A very useful feature of PGP  keys is that they are cryptographic inverses of one another.  If you encrypt a message using my public key, it can only be decrypted with my private key.  If I've carefully kept my private key, um, private, only I will be able to decrypt the message.  It works the other way, too.  If I encrypt a message using my private key, which only I have, anyone can get my public key and decrypt the message, but I'm the only one who could have encrypted it because only I have the private key.  So, a message encrypted with my private key is digitally signed.

My email program generates a PGP signature by first computing a cryptographic hash digest from the message, then by encrypting the digest using my private key.  The recipient can use my public key to decrypt the digest.  If the rest of the process works, the message could only have come from me because only I have the corresponding private key.  The recipient then computes a new digest from the message using the same cryptographic hash algorithm.  The newly-computed digest is compared to the decrypted digest.  If they're the same, the decryption worked and the message hasn't been tampered with because tampering would have caused the newly-computed digest to be different.

I wrote that a valid PGP signature "provides strong evidence that the message is actually from the purported sender and that is hasn't been tampered with in transit."  How strong?  The main consideration is whether the sender has kept his private key truly private.  Anyone with a copy of my private key can sign a message that will appear to come from me.  You also have to trust that neither the cryptographic hash algorithm nor the public key algorithm has a flaw that can be exploited.  Modern cryptographic algorithms are strong enough to make the cryptographic safety of PGP signatures a good bet.

What is PGP, Anyway?

PGP stands for "Pretty Good Privacy," invented by Phil Zimmerman to allow exchange of secure (confidential) and authenticated messages.  Zimmerman's original PGP ran into patent problems and Zimmerman himself was the subject of a long criminal investigation for "exporting munitions," namely cryptographic algorithms.  (The FBI, CIA, NSA, TSA, DHS, DoJ and every other three-letter agency known to man hate encryption because it makes dragnet surveillance and casual snooping very difficult.  With that said, I cannot emphasize too strongly that, in the United States, there is nothing illegal about using encryption. )

I'm actually using Gnu Privacy Guard, or GPG, an open source implementation of the OpenPGP standard, along with the Enigmail plugin for the Thunderbird email program.

What About Snooping?

A digital signature doesn't do anything to protect the confidentiality of a message.  To do that, one must encrypt the message itself.  It's easy to do, and if you start sending me encrypted email, I'll be sure my replies are encrypted.  That way, even the NSA won't know what kind of pizza we're planning to have.  See the articles below for instructions.

Want to Know More?

I've written a series of three articles on using and understanding encryption:
There's also plenty of information in the links above. Knock your socks off!

Too Long; Didn't Read

The XKCD comic, which everyone who does anything with technology ought to read, explains PGP digital signatures this way.

You have to actually validate the digital signature, not just check that it's present to be certain.  But really, if the signature is there, odds are good that it will validate, and if you have any doubts, you can validate and be sure.  How?  See Using Encrypted Email.

Copyright © 2014 by Bob Brown

Creative Commons License
About PGP Signatures by Bob Brown is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Wednesday, August 27, 2014

A Note on Card Safety

My people have no tradition of proofreading.  —Ken White

There's been a lot in the news lately about malicious software invading stores' computer systems and stealing credit and debit card numbers.  A couple of people have asked me about how to be safe using credit and debit cards.  I wrote a big long piece about that.  After I read it, I decided it was mostly useless.  It can be boiled down to three rules:
  • Use your credit card sparingly,
  • Use your debit card almost not at all, and,
  • Check your accounts frequently.
Using your cards sparingly minimizes attack opportunity.  It is true that big, national organizations like Target and Neiman-Marcus have been compromised but it is also true that smaller organizations are often easier targets for the bad guys.  Each time you use that card, you potentially expose it to theft.  If you use a card for fast food or sundry purchases a dozen times a week, you've potentially exposed it a dozen times a week.  It really won't hurt you to carry some cash and make those small purchases with cash.  If you're worried about getting mugged, ask yourself how often that has happened and set the amount of cash accordingly.  If you're worried about losing your wallet, remember where you keep those credit cards!

I carry about a hundred dollars and pay for nearly every small purchase with cash.

If you decide to use a card, and you have a choice, use a credit card, not a debit card.  If you use a credit card and become the victim of fraud, it's the card company's money that's tied up.  If you use a debit card, it's your money that is gone.  A $5,000 fraud on a credit card is bad because you'll have to wrangle with the card company about whether you have to pay that fraudulent charge.  A $5,000 fraud on your debit card is much worse because it's your money, not theirs, that's been stolen.  You will probably eventually get most of it back, but while you are dealing with your bank, that money is not available to do things like buy food or pay your mortgage.

I use my debit card in exactly two places: my bank's teller machine and a store that gives me a discount for debit but not credit.  So, those are my only two potential exposures to fraud.

Speaking of teller machines, there's a threat other than malicious software.  It's the "skimmer," a device that attaches to a teller machine or credit card reader like those on gas pumps.  The card gets read twice, once by the skimmer and once by the real device.  So, your transaction works, but the bad guys now have the numbers, too.  You guard against skimmers by using the same teller machines, gas pumps, etc. as often as possible and noticing what they look like.  If something looks funny when you visit, go elsewhere and then check with your bank.

If your card number is used for fraud, the sooner it's reported, the sooner it can be stopped.  Early detection lets you limit the damage.  These days, we can check our accounts on line in seconds.  You should check every account at least weekly, and your debit card account daily.  (If you have so many cards that would be hard, you have too many cards!)

Reduce opportunity for fraud by minimizing your use of cards and reduce your personal exposure by using credit cards, not debit cards.If fraud occurs, find it early by checking your statements regularly.

Copyright © 2014 by Bob Brown

Creative Commons License
A Note on Card Safety by Bob Brown is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Monday, June 23, 2014

Hack Your WiFi Password? Easy!

My people have no tradition of proofreading.  —Ken White

Using free WiFi?  Here's something to watch for: If you have a wireless router, you know you can set it up to broadcast any name you want. (Mine is "emorycottage.")

If you have service from AT&T or Comcast you know they're promoting their free WiFi hotspots like crazy.

Well, the Bad Guys have discovered this, and place wireless routers that broadcast names of "attwifi" or "xfinitywifi" in likely places. If your phone is set up to associate with such a hotspot automagically, it will connect to the evil hotspot.  If the attackers spoof a login screen, you could transmit your AT&T or Comcast password to the operators of the evil hotspot.  Even if there's no login, you're on a network you think you can trust, but you can't.

What to do? Don't allow your gear to connect automatically. Consider where you are if your gear asks for permission to connect, and never, ever use your carrier's WiFi password for anything else. Especially not for your email account, because if the Bad Guys can take over your email, they can probably reset your passwords for other accounts... like your bank.

Copyright © 2014 by Bob Brown

Creative Commons License
Hack Your WiFi Password?  Easy! by Bob Brown is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Tuesday, May 6, 2014

The IBM Model M Keyboard and Modern Computers

My people have no tradition of proofreading.  —Ken White

I love my IBM Model M "clicky" keyboard.  It has pounded out everything I've written for a quarter-century, including a master's thesis, a doctoral dissertation, thousands of reports, budgets, email messages, and even a small book.  What's so great about it?  The click!  There's a nice, satisfying click sound at the instant the key makes contact.  There's good tactile feedback, too.  You can feel when the key has made contact.  You don't have to bottom out each key press, and that means less effort when typing.  The letters are molded into the key caps, not painted on; the keys on my keyboard look as good today as they did a quarter-century ago.
Have I made you want one?  You can buy a brand-new Model M keyboard, made from the original IBM design, and even using the original IBM molds.  They're made by Unicomp in Lexington, Kentucky, USA using the original IBM equipment.  There's one specifically for Mac computers, too. They cost $80 to $120 plus shipping.

Not convinced that you should pay a hundred bucks for a keyboard?  It will make your life and work easier, and it'll last forever.  Computers may come and computers may go, but your Model M keyboard will go on and on.  Read what NPR's Martin Kaste has to say about it.

Using an Older Model M

If you're lucky, as I am, you have an original Model M keyboard.  You also have a problem; the keyboard has a PS/2 type plug, and modern computers do not have PS/2 sockets!  (New Model Ms from Unicomp come with a USB interface.)

You will need a PS/2 Keyboard To USB Adapter.  Cheaply made "bulge in the cable" adapters do not work.  Use the link to get the right thing.  (Disclosure:  Amazon pays me a few cents if you buy using the link.  I'm almost up to a dollar a month in commissions.)  You will probably also need a short USB extension cable because the adapter is too fat to plug directly into many USB sockets.  Plug directly into the computer or into a powered USB hub; an unpowered hub will not work because of the power requirements of the keyboard.

Cleaning up that Model M, and USB Conversion

If you're like me, after a couple of decades enough glop has dropped into your keyboard to be truly disgusting.  The nice people at Unicomp will clean and thoroughly test your keyboard for $30 plus shipping.  Email them at for an RMA number.  When you have the RMA number, order a Class 1 keyboard repair and ship your keyboard off to them.  (They can do more extensive repairs in the unlikely event that you have a non-working keyboard, but it might be better just to buy a new one from them.)

For a little extra, Unicomp will make the USB conversion for you.  If you're going to send your keyboard in for cleanup, order the USB conversion, too.  That's far better, and possibly less expensive, than using an adapter.  (It was $10 when I had mine done; that's less than the price of the adapter.  Check with Unicomp for the current price.)

Converting the Keyboard to USB Yourself

Some people, handy with soldering irons, have installed the USB adapter inside the keyboard case.  The idea is attractive to me because the adapter hanging from a cable on my laptop dock is un-aesthetic.  I haven't tried it, but it might not be hard to do.  A little time with Google should find some help.

But really, just get Unicomp to do it for you.  They're the professionals.

Copyright © 2014 by Bob Brown

Creative Commons License
The IBM Model M Keyboard and Modern Computers by Bob Brown is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Friday, April 18, 2014

Virtualizing Windows XP

My people have no tradition of proofreading.  —Ken White

Well... this is revolting.  A slip of a finger erased a multi-page post.  I have tried to re-create it, but this is not the original post.

You followed my advice in The Four Choices of the Windows XPocalypse and you have a shiny new computer with a shiny new operating system.  It might be Windows 7, but it's more likely Windows 8.1.  It might even be Linux or MacOS.  Now you find out that one or more of your Windows XP applications won't run under your new operating system, and you really need it.  What to do?  What to do?

Well, you could haul out your old computer when you need it, and if it's a laptop, that might even be practical.  What you really want is all your stuff on one machine, where you can use it when you want to.

Windows 7's Virtual XP Mode

Windows 7 includes a virtual XP mode that will let you run your XP programs under Windows 7.  You will have to reinstall your XP applications and any files they might need.

There is no XP mode in Windows 8, nor in Linux or MacOS, so it's not a long-term solution, and may not even work for you now.  Even if you have Windows 7 and your install media, your Windows XP setup may be so complex that replicating it under Windows 7 isn't practical.

Virtualizing Windows XP

A "virtual machine" is a software package that simulates actual computer hardware.  For helping XP live on, the virtual  machine software runs on your new computer, and Windows XP runs on the virtual machine.   There is software that's free for personal use that'll do this.  The exception is MacOS, where you will need a $60 software package.

You will need your Windows XP computer, with it's disk intact.  You'll also need an external hard disk at least as big as the Windows XP disk and virtualization software, which is free for most personal applications.  You may also need a new license and product key for Windows XP.  There's more on that below.

Creating the Windows XP Virtual Image

 If you bought your Windows XP computer with XP pre-installed, please read About the Windows XP Product Key below before you start this process.  If you're not sure whether your XP system has one of those OEM keys, you can try this process and See What Happens™.  The worst that can happen is that you'll have to do it again after you change the product key.

You make a virtual machine from your running Windows XP computer  by running the VMWare vCenter Standalone Converter.  It's free from VMWare, but you have to register to get it.  The longer XP goes unpatched, the more dangerous it is to connect it to the Internet.  I downloaded the converter (and all the other software I used for this project) using my new system and moved it over with a flash drive.

Install the vCenter Converter on your running XP system and run it.  Direct the output to your external disk, which should be empty.  (If it's not, format it.  Use the "quick format" option.)  This will take several hours – mine took about four – so best to plan to run it over night.

When the converter has finished, shut XP down, move the external drive to your new system, and go to Running Your Virtual Machine below.

About the Windows XP Product Key

Microsoft sold licenses for Windows XP to computer manufacturers at a steep discount. The catch is that the license is "locked" to the specific configuration of your XP computer. Such a license is called an OEM (original equipment manufacturer) license, and it will not run under a virtual machine.  If you try it, you'll get an "activation required" screen during the startup process of the virtual machine.

There is no way I know of to get past the activation screen.  Putting in a new product key doesn't work, and calling the phone number on the screen connects you to a robot with no sympathy for your plight.  You have to change the product key before you virtualize the XP system.

Getting a New Product Key: You will (probably) need a product key that matches the version of XP you have.  So, if you have XP Home Edition, you'll need an XP Home product key; if you have XP Professional, you'll need an XP Pro product key.  There are two kinds of licenses and product keys that will work, retail licenses and volume licenses.  If you ever bought, but did not use, a copy of Windows XP, you own a retail license, and the package will have the product key you need.  If you can find it.  Retail licenses for XP are for sale on eBay at prices ranging from $20 to over $100.  Expect prices to go up as these become rarer.

You may be able to talk the I.T. people where you work into giving you a product key for a volume license of XP.  (Remember, though, the VMWare software is free only for personal use; if you're doing this for work, you'll need VMWare licenses.) Educational licenses for XP are not locked to particular hardware, so you can use an education license if you have one.

I am told that one can find product keys that will work through searching the web.  I haven't tried that.  You shouldn't, either, because it's probably illegal.  (In the words of the late Jay Rosenberg, I have been politic and you have been warned.)

Cloning the XP System:  This step is optional.  Because I am conservative and risk-averse, I used the free edition of Macrium Reflect to make a clone of my XP system disk.  I booted from the cloned disk and changed the product key there.  My thinking was that if I somehow rendered the working disk unbootable, I'd still have the original.  That step took several hours and turned out not to be necessary for me.  (Although the free edition will do everything you need to do for this step, the folks at Macrium Software have done everyone a service by making it available.  Consider buying the licensed edition if you can afford it.)

Changing the Product Key: To change the product key of a running XP system, you will need the Windows XP Product Key Tool, still available (so far) from Microsoft.  Download it, run it, and type in the new product key.  You will probably have to reboot your computer, but it either will not need activation, or will activate over the Internet without trouble.  (If it doesn't, you'll be glad you made that clone disk!)

Once your XP system has a retail or volume license product key, you can return to Creating the Windows XP Virtual Image.

Running Your Virtual Machine

You use the free VMWare Player to run your virtual machine on Windows or Linux.   For MacOS, you will need VMWare Fusion, which costs $60.  There's a free 30-day trial of VMWare Fusion, so you can be sure this works for you before you put your money down.  Download and install the correct virtual machine software for your computer.

Connect the disk with the XP virtual machine image on it and double-click the dot-vmx file; Windows XP will start and run in your virtual machine!  (If you get the dreaded "activation required" screen, you will need a different product key.  See About the Windows XP Product Key above.  As far as I know, there's no way to get past the activation screen.  You will need to rebuild the virtual machine image with a retail or volume license product key.)

After you have Windows XP running, you will want to install the VMWare tools into the virtual machine.   There will be a button below the virtual machine screen that will start the process for you.  It takes two or three minutes.

You also need to read what Byron Brewer has to say about very slow shutdowns of VMWare virtual machines. I added the four-line change suggested by Brewer directly to the dot-vmx file by editing it with Notepad.

Use "msconfig" and "Add/Remove Programs" to get rid of things that start automatically.  They will make opening your virtual machine very slow, and may engage in unwanted Internet access.

It is an increasingly bad idea to use your XP virtual machine for anything having to do with Internet access.  Most especially you should not use Internet Explorer.  XP is limited to IE 8, and web browsers are a primary vector for malicious software.  Also avoid Flash, Java, and Acrobat in web browsers.  Best advice: No Internet access from that virtual machine.  You might even want to delete IE 8, Flash, Java, and Acrobat.

If all you do is look at stuff on your virtual machine, you probably don't need to worry about the virtual disk, except to back it up from time to time.  If you are writing to the disk as well as reading, you will want to read what VMWare has to say about compacting virtual disks.  Make a backup before you compact.

Copyright © 2014 by Bob Brown

Creative Commons License
Virtualizing Windows XP by Bob Brown is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.