Basic Cable for the Internet
Friday, February 18, 2005
  The Top Exchange client/server support issues
Of course, for us 7 of the top ten support issues are DNS.

But here's MS' list.
 
  Apple releases Common Criteria Tools 1.0
Interesting stuff, albeit of interest mostly to gov types who have severe security concerns. You get asked about this stuff (Common Criteria, trusted systems, the Rainbow series) in the CISSP exam, and if you work outside of the government you never see it again. I mean, let's face it, the average company has trouble getting all of its applications to use complex passwords that don't cross the network in cleartext, let alone having development code--that has been analyzed for covert channels--be delivered by a secured agent to a trusted facility. And of course, none of your developers have access to production systems, right?

Summary: specific versions of Mac OS X, with the Common Criteria tools installed, on specific hardware platforms, have been certified to reach a well-defined level of security. It all sounds very qualified, and it is: compared to the results you used to get from Orange Book evaluation, it's all very specific to certain aspects of certain systems. But that was the very problem with Orange Book: the levels it provided were too broad and generic. Common Criteria solves a lot of those issues.

The TOEs (the "targets of evaluation" in CC-speak) are Apple Mac OS X v10.3.6 and Apple Mac OS X Server v10.3.6, and they got an assurance level of EAL3, specific to... ah, read the details. The assurance level means nothing out of context, and you really need to read the report to get that context. A really good explanation of what the assurance levels refer to is here.

If you have or are studying for your security certification and have never actually read one of these reports, take a look at this one (see the "Validation Report") here. It gives you a pretty good idea of what some of the measurement criteria are and how the systems are analyzed. Neat "real world" implementation of what, for most people, is usually just referred to in theory.

Link
 
  2 things
Two things Blogger doesn't currently do:

- trackbacks
- RSS syndication (in the free version, at least)

It does Atom, this is true, but I want RSS. I WANT RSS!

Any suggestions? Preferably someone who will let me test out their service for a month before I have to start paying? I'm extraordinarily picky about new tools.
 
Wednesday, February 16, 2005
  Groupware BAD, Users GOOD
My favorite quote:
If you want to do something that's going to change the world, build software that people want to use instead of software that managers want to buy.

An interesting insight (from someone who was there) on the *other* reason Netscape went down the tubes, and why groupware (with Business Process Management, Workflow and all of the other buzzw.... ZZZZZZZZZ) is never interesting to anyone outside of a corporation.

OK, here's my other favorite quote:
Your "use case" should be, there's a 22 year old college student living in the dorms. How will this software get him laid?
Heh.

I would half-heartedly defend Exchange as groupware if it weren't so terrible at doing everything it tries. Did you know that in Exchange 2000 if you send out a meeting invitation and someone forwards it back to you, you suddenly lose control of that meeting? You're just another invitee, and can no longer manage the meeting BECAUSE YOU DON'T OWN IT ANY MORE.

It's pretty common for people in my company to forward an invitation on to someone else they think would benefit from the meeting, and also copy the meeting originator to let them know that there's someone else attending. And it ruins the meeting, every single time. Now the originator needs to send out a new meeting invitation, telling all the invitees to delete the old meeting notice manually, and accept the new one.

It does something similar when you accidentally invite yourself to a meeting. There are some other things going on here, too... if the invitee is editing the invite at the time, for example, or if there are Blackberries involved. Anyway.

Link to jwz's ranty rant
 
Tuesday, February 15, 2005
  SHA-1 broken
Yipes! This is a pretty major result.

Background refresh: SHA-1 is the most popular crypto hash function. A hash function takes a certain amount of data (a string) and calculates a fixed size "digest" (a number) of the data. The algorithm that creates the digest must have the following characteristics:

SHA-1 is used for email digital signatures, web connection encryption, pretty much everything that uses a digest to uniquely identify a message. So for example, if I want to digitally sign an email, the process of doing so first creates a "digest" of the message. I then encrypt the digest (not the message) with my private key (which only I know), and attach it to the email. If you want to confirm that I was the person who "signed" the message, you take my public key (which everyone knows) and use that to decrypt the digest. Then you perform the same digest creation on your machine on the content of the message: if the digest you created matches the one I sent you encrypted, then there is no way someone else could have sent it unless they somehow got hold of my private key.

This is of course why private keys should remain exactly that: private.

End background refresh.

What the current paper means is that they have significantly reduced the complexity of a brute-force attack, which could result in someone changing a small part of a text in such a way that the digests still equate. There is still a lot of heavy lifting under the covers to do that, and it's not like someone could publish a toolkit tomorrow with these results and let you change that signed email order for a million widgets at $1 apiece into an offer to give you ten free iPods, but it's a very troubling result.
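The sign-then-verify flow described above, as an added example that is not part of the original post: it uses Go's standard library with an RSA key generated on the spot and a constructed order message, and shows why the verifier only ever compares digests, so a one-character change to the message fails verification unless the two digests collide.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"fmt"
)

// Digest computes the fixed-size SHA-1 digest of a message: the "digest" the
// post describes. Only the digest, never the message itself, gets signed.
func Digest(msg []byte) []byte {
	sum := sha1.Sum(msg)
	return sum[:]
}

// Sign hashes the message and signs the digest with the private key, which
// only the signer holds.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, Digest(msg))
}

// Verify recomputes the digest of the received message and checks it against
// the digest recovered from the signature with the public key. This is the
// step a collision undermines: any second message with the same SHA-1 digest
// would pass here under the original signature.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, Digest(msg), sig) == nil
}

// Demo runs the exchange on a constructed order email (sample input, not
// from the post) and reports whether the genuine message verifies and
// whether a tampered copy, presented with the original signature, is rejected.
func Demo() (genuineOK bool, tamperedOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	order := []byte("Please ship one million widgets at $1 apiece.")
	sig, err := Sign(priv, order)
	if err != nil {
		return false, false, err
	}
	genuineOK = Verify(&priv.PublicKey, order, sig)

	// A one-character change yields a completely different digest, so the old
	// signature no longer matches (absent a collision on the digest).
	forged := []byte("Please ship one million widgets at $0 apiece.")
	tamperedOK = Verify(&priv.PublicKey, forged, sig)
	return genuineOK, tamperedOK, nil
}

func main() {
	genuine, tampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v, tampered verifies: %v\n", genuine, tampered)
	fmt.Printf("SHA-1 of the order: %x\n", Digest([]byte("Please ship one million widgets at $1 apiece.")))
}
```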

Link
 
  IE7? IE7!
Announcement note at Scoble's blog

Out probably by the fall, *assuming* a short beta. Although I can't believe there'll be a short beta of something like IE: a better guess (ITHBO*) is second quarter next year before we see an actual released product.

UPDATE: XP SP2 only, apparently.

At the same time, with this type of product, launched mainly for security reasons (and other than finally implementing tabs, why else?), a common attitude to have is "why wait? Worst case scenario you are usually no worse off than if you didn't have it..." The perfect example of this is the Beta AntiSpyware product from MS. Yes, it's beta, and from MS of all companies, but I use it, and I tell others to use it. It's also the case with mediocre (but free, and included) implementations

However, there is a downside to this: a false sense of security. If you find yourself clicking on dubious links *more* or taking more chances because you think you're protected, then you're potentially worse off if the beta doesn't cover you where you think it does.

So my recommendation (in the AntiSpyware specific case) is to use it, but don't lower your shields and don't stop surfing responsibly and carefully. In other words, install it, but act like you haven't. On IE7, I'll reserve my judgement: if the beta provides enough protection benefits to overcome the inherent risk of running beta code, then yes, I'll recommend it.

Wasn't it just a couple of weeks ago that MS said "no how, no way!" on a new IE before Longhorn? In fact, wasn't it the case that there wasn't even an IE team until recently?

(*) In This Humble Blogger's Opinion
 
  UPDATE: SmartWater
Hmmm... based on comments posted (by SmartWater employees, no less) in Bruce Schneier's blog, some more thoughts.

It's entirely possible that I may have been confusing two or even three products. In my defense, I was going off the information in the Wired article and the main product page of the SmartWater web site, which do not state that the SmartWater product dries/hardens to a point where it will not come off the property in question. The references to "water" and "liquid" would imply the contrary (especially given the existence of a product that is a spray and does *not* harden), but that might just be a marketing or labeling issue.

The Wired article noted above (which I should have referenced in my previous post, my apologies) doesn't even mention the Index Solutions product (which is the spray-at-intrusion stuff) by name, instead naming only the Tracer/Instant products. However, I think my problem with the article is that it (in my opinion) implies that you can get the benefits of the Index Solution (close to guaranteed conviction and jail time for the unequivocally identified perp) with the Tracer/Instant products. The Index Solution product isn't even mentioned by name, and yet many of the quotes ("It's practically impossible for a criminal to remove; it stays on skin and clothing for months", "Now, if a suspect caught with a stolen VCR turns green, they can't claim they got it from some bloke down the pub") are actually clearly referring to Index Solution, not the Tracer/Instant products that are the ones mentioned by name.

As another example of potentially misleading data, whether intentional or not, the statement in the article that:

"Word on the criminal grapevine, say police, is that anyone stealing from a coded home is likely to leave the crime scene having pilfered an indelible binary sequence that will lead only to jail time; it's not worth the risk."

seems confusing in the context of the above: the concept of "indelible binary sequence" is true only of the Tracer or Instant products since the spray (Index Solution product) is not "indelible": difficult to remove, yes, but not indelible. And yet the quote claims the benefits ("lead only to jail time") really only applicable to the spray technology, which is not mentioned by name.

I would also state that comments left in Mr. Schneier's blog have made it clear that others are confused by the same issues as well. Again, I make no claim that this confusion is an intended or unintended result, and I am perfectly willing to provide the benefit of the doubt.

Whether it is feasible to have all homeowners install a system that sprays intruders and thus provides all these benefits depends on cost: is it more or less expensive than a similar alarm/notification system, the stickers for which also serve as a significant deterrent? I can't see a spray system being any less expensive, and I can imagine it costing significantly more (just based on the cost of sensors, directional nozzles and pressurized containers of fluid located at the right entry points, vs. just sensors and a wire to a central point).

As Mr. Schneier always mentions, it's an equation that takes into account incremental reduction of risk vs. incremental increase in cost, where cost *includes* the price but also has to take into account other effects: on privacy, freedom, anonymity, etc. I suspect homeowners will go with whatever will get them "sufficient" deterrence and protection for a reasonable "cost".

The Wired article mentions SmartWater being given away for free in certain areas, but I had assumed that is the Tracer/Instant product, and not the intruder-marking spray setup. I don't disagree with the concept of this suite of products potentially reducing crime where implemented: I am questioning the cost equation.
 
  SmartWater again: more info, still the same questions
I referenced this particular product in a post below, and I still don't get it.

It's a "clear liquid" that contains unique identifiers, that part I get, but what I don't get comes from this quote from the CEO of the company that made the stuff:


"It was born out of my frustration at arresting villains you knew full well had stolen property, but not being able to prove it," he said.

"Just catching someone with hot goods, or a police officer's gut belief a suspect is guilty, are not enough to secure a conviction -- so we turned to science."
How it's supposed to do anything BUT prove that the goods are hot, and hopefully return them to the owner, is something I'm not clear on yet, any more than a serial number registered to an owner would do the same. Yes, the SmartWater may be harder to remove than a S/N sticker, but all you're proving is that the person in question came in contact with the object in question: it doesn't prove anything more than just catching them with the hot goods in their possession. It may be the case that they are claiming that the deterrent factor plus the tracking identification are the real benefits, but they're sure obfuscating with quotes like the above, which seem to imply that this product is the direct (not indirect) solution to the problem of catching someone with hot goods and not being able to secure a conviction.

Eh, who am I kidding: it's all advertising, and I'm complaining that it's not 100% revelatory. Might as well complain that the sun is releasing photons.

The other part that's not clear from the article is: if this SmartWater (or Tracer) works, and everyone starts using it, isn't it reasonable to assume that you--the innocent person with friends who happen to own stuff valuable enough to be tagged--will end up covered with the stuff? Just by going over to their house and brushing up against their belongings, touching their stereo, riding their car? And if this stuff stays on for months (as they claim), you're tagged with these chemicals or "microscopic particles" for just as long. There's no contextual information on how or when or why you came into contact with the articles in question.

Think about it this way, too: yes, the person who stole your stuff now has chemicals on him/her that reference your ownership. However, so does everyone in the evidence room, the police officers who came in contact with it while trying to preserve the chain of evidence, your ex-girlfriend, the stranger who took the picture of you standing in front of the World's Largest Ball of Twine with your chemically-tagged camera...

I like the idea of unique, registerable identifiers that I can put on my stuff. I don't like the idea of tagging everyone who touches my stuff (regardless of intentions or permission), any more than I would like the other side of this particular coin: tagging every individual with chemicals that would slough off onto everything they touch.

Here are some more great ideas if you get hold of this stuff:


 
Monday, February 14, 2005
  Blackberry Connect in final beta for the Treo 650
I had a Palm back in the I, II and III era. Never used it much. But man, I hear nothing but TiVo-level love from Treo users.

It's been a good couple of weeks: the Treo and the new iPaqs running Blackberry or Good (respectively)... finally, phone, PIM and email all in one, ergonomically efficient device. I've been waiting for that combination for a while.

Don't know whether the Treo will be doing wireless contact or to-do list synchronization. It's one of the things I lost when I first got my 7100, and I really missed it. Just got it back last week after an update. It's hard to really maintain to-do lists when they're not automatically sync-ed, since you want to be able to update them (according to GTD standards) as soon as possible.

Of course, working from home means it didn't affect me *that* much. I'm never more than a minute or two away from updating To-Do lists. Blessing and a curse, obviously... I haven't left the house in a week, which is contributing to a bit of cabin fever. But that's a different post.

I think I would probably (given unlimited choice) go with whichever device allowed me to store the most MP3s with no DRM. However, my Catch-22 is that we have a Blackberry server in-house, not Good; we support the iPaq, but not the Palm. I guess I could probably convince the company that I'd support the Palm myself, but that doesn't mean they'd buy me one.

So anyway, some screenshots of BBerry on Treo on the link below, as long as they last.

Link
 
Friday, February 11, 2005
  Only the JUST survive
JUST is an acronym for "Just an Unnecessary Sub-Task", the distractions to the real work you should be doing, as I discussed a couple of posts down.

I can't start working on this white paper until I get some coffee. Let's go prep the Barista... hey, you know, I haven't cleaned this thing out in a while, might as well do it while I'm here.

The funny thing is, I thought about the acronym JUST as I was cleaning the Barista, and rather than finishing that task I interrupted it to come here and post this blog entry.

Sometimes I have days composed entirely of JUSTs.
 
  Paper Things
I just noticed that my two favorite songs right now are "Paper Airplane" by Rosie Thomas (from the "In between" EP) and "Paper Wings" by Gillian Welch/David Rawlings (the version I have is from a live concert in Hickory, NC).

Not a big fan of the "Paper Moon" movie, but I like the Ella Fitzgerald version of the song.
 
  Pseudo-ADD
Boy, that's a perfect name for it. And it's the latest in computer-related maladies we should all throw our hands up and fret about.

This article in the NY Times discusses how computers offer infinite distraction capability, both overt (the "ding" of a new instant message) and subtle (the constant need to check and re-check your email). I'm a victim of this, I admit: too many times when I'm stuck on a task or a phrase or a problem, I find it too easy to flip over to another program on my computer and check up on other things. An RSS feed to refresh, an inbox to clean... some of these "distractions" are actually valuable tasks in themselves: my "Sent" folder is a mess, and I desperately need to sort it out, but I find it's my default thing to do when I don't want to attack what should be my primary task.

When I'm really into the flow of writing a program or a document or fixing a problem, it's impossible to tear me away. Hours fly by and I forget to eat or sleep, and I'm insanely productive, nothing distracts me. The problem is that it's *very* hard to get into that groove: once you're in, you're in, but achieving Groove Nirvana is a process that can be derailed easily. A head poking in the door to ask a simple question, a phone call, an email, all have the tendency to throw off the concentration focus spiral (and that is really what it feels like, too: I'm spiraling in on a task, and the more I spiral in, the further away the rest of the world falls).

Even right now, I'm writing this blog article instead of cleaning up my Sent folder, which is the task I actually set aside time in my Calendar for. Recursive distraction!

The distractive nature of email is worsened by the fact that I can't really turn it off. The "flow" improvers may tell you to shut off Outlook, but I have a Blackberry that is expected to be on at all times. Even if I exit all my email programs (I usually have about 3 running at any given time), I still get the buzz at my hip from the damn Blackberry, and I just *know* there's an email waiting to be read. That can throw me off my spiral in no time flat.

I believe the task of allowing computers to recognize this type of cognitive flow and somehow only chime up when you're open for interruption is a pipe dream, though. It varies so much across individuals, and the fact that I'm typing away furiously doesn't mean I'm flowing. I may look like I'm hard at work and shouldn't be interrupted, but I may just be cleaning out my Sent folder. And when I'm reading a web page and thus interacting little with the computer, it doesn't mean I'm idle.

No matter what my Instant Messenger icon says. On any of my 3 IM clients. Which is another problem.
 
Thursday, February 10, 2005
  Relief vs. Root Cause Analysis
A response to a discussion at JeremyK's excellent MS weblog: Link

This is a question that rarely comes up for your typical firefighter: relief (put out the fire!) goes before root cause analysis (it was a pan of grease on the stove). Much easier prioritization decision!

It's a balance, just like you have a balance when deciding whether to take all your servers down right now to apply the latest series of security patches. Is the risk of a self-inflicted denial of service higher than the risk of lost sales while I reboot? If so, you might want to consider patching over the weekend. Is the risk of an exploit and associated losses higher than the risk of possible lost sales? Then bring'em down, cowboy.

The balance in this case is based on, amongst other things:

A- how much the analysis time is costing in lost productivity or business opportunity while the problem is ongoing, vs. how quickly I could apply relief and reduce that cost
B- how much longer it will take to perform further analysis, before I can determine root cause
C- how soon the problem will reappear if I just apply relief. If I reboot tonight and the problem goes away for two years, I'll be much more willing to select "relief" than a scenario where I'll be called back in an hour.
D- the level of confidence I have in my answers to the above questions. Also, the level of confidence I have that the Relief I will be applying will actually work.
E- the value of the data lost when I apply relief. If logs are critical to resolving the root cause, and I will lose them completely by applying relief, I'm less willing to do so. If I can apply relief and still work on RCA, that's more palatable.
F- SLAs. If my company gets financial penalties on downtime per incident, my incentive to search for root cause may be diminished. If I get penalties on cumulative downtime, I may want to resolve the problem for good, in which case I want root cause.
G- closely related to the above: how loudly is the client shouting in my ear?
H- how long I've been working on the problem with no forward movement. I'm more willing to provide relief and throw in the towel on RCA if I've been trying to fix the problem for 48 hours and I don't feel I've made progress. If I feel the solution is "just around the corner" I'm more willing to continue analysis.
I- how much sleep I've had in the past 48 hours, and whether the coffee in the breakroom is any good.

The last one is not completely in jest. Root Cause analysis often requires a sharp, focused, alert! mind that is in tune with the environment and can detect minute anomalies or variations from the norm. Rebooting takes one binary brain cell and an index finger.

All of the factors above are balanced in the equation:

X = lim_{H -> F} ((A / I^2) * (B - G/D) + C)

Plus a constant, of course. As X trends to 1, I'll be more willing to just go to Starbucks rather than drink any more of that overwarmed pot sludge.

-dp.
 
  Anti-AntiSpyware
MS AntiSpyware under attack

A Trojan that tries to disable the MS/Giant AntiSpyware beta before installing further crapola. As long as it just installs at first as a regular, reasonably safe-looking and -acting program, *then* disables the AS, and *then* starts installing itself in the startup registry entries and all the other stuff typical spyware does, it should be successful.

It's nothing new, of course: there have been things like viruses that try to disable the A/V detection programs for years. It's all part of the natural evolution/cold war escalation of malware/anti-malware.

You see, Jimmy, when the Internet loves a computer very, very much, it puts a little "seed" called a "malware app" in its tummy. That seed sprouts and grows up in about four milliseconds in the computer's tummy, and then the computer starts sending all of its secret, precious information back to the Internet to show how much it loves it. You know, like credit cards, bank account information, passwords.

And then nine months later, the user realizes that they have a brand new case of identity theft!

 
  Bruce Schneier and the Magic Water
It sounds like the Harry Potter series took a turn towards water sports, but it's actually security guru Bruce Schneier's take on Smart Water, a product you paint on your stuff to identify it as yours.

I think the best (unintended) use of this technology is to buy a ton of it and then dump it into a reservoir or large body of water: either way, it gets into the system (through regular water distribution channels, or evaporation and subsequent rain), and then you can claim the entire city as your own.

You say you washed your clothes this morning? Them clothes is mine now.

Link
 
Wednesday, February 09, 2005
  MS05-012: Yes, Exchange is definitely vulnerable
Partially incomprehensible links to follow.

Link 1 to MSDN

"Install the patches. Get others to do the same. This is an important OS fix for Exchange systems." - David Lemson, Microsoft.

Thanks to the MS Exchange Blog

-d
 
  Secure your email on Mac OS X
Good lord, this is a good link. All of this information is available elsewhere, of course, but this is a great place to read up on the whys and hows of using SSH to retrieve your email a bit more securely.

A lot of the comments criticize not just saying "turn on SSL for IMAP or POP", but there are a LOT of major ISPs who don't offer that functionality (*cough*Earthlink*cough*).

Read it even if you don't have a Mac.
 
  Carly's out at HP...
...but she still gets her $21 *million* dollars.

Here's my prayer for the day: may all my projects fail so well.

Link
 
  How late it was, how late...
It's too late for me to be posting, so I'll just finish this here.
 
  Oy, what a week.
Anyone who works in security or Windows system administration is having a crappy week, thanks to MS and Symantec. If you do, then you know what I'm talking about. If you don't, you'll be no more confused by this post than by anything else in this blog, so read on anyway. Maybe we'll both learn something, and by "both" I mean "you"!

So after careful analysis (read: drinking *not* to the point of incapacitation), here's our take on the MS vulnerabilities and patches made available this week: note that there are 12 patches announced, but they cover more than that number of vulnerabilities in MS' software. MS has a tendency to combine vulnerability fixes into patches, in part because 12 is the lower number of the two.

"We've only had one patch released this year!"

Yes, but it covered 158 vulnerabilities and was 7 terabytes in size, requires all workstations and servers to be rebooted two and a half billion times (give or take one), and your own distribution software gives us conflicting reports on whether the installation was successful or not.

"Only *one* patch!"

Let me clarify the below: it's my opinion that ALL Windows-based systems that face the Internet should have *ALL* applicable patches installed ASAP. Whether you need to patch internal-only facing servers depends on how much you trust your users, which is something only you can gauge, you precocious little monkey.

05-004 – ASP.NET Path Validation: Requires a site using authentication and ASP.NET, allows an attacker to bypass authentication. If you have an Internet-facing server that hosts ASP.NET-based services, patch now. If you have non-Internet-facing servers and you trust your users, patch a little later.

05-005 – Office XP Code Execution: Permits code execution, requires user interaction, executes with user’s privileges. Eh. Patch as soon as you can test a little, but send a reminder to your users not to click on random crap. Stop laughing.

05-006 – SharePoint XSS: Permits cross-site-scripting, requires attacker to have an authenticated logon to the SharePoint site, permits code execution with privileges of user tricked into executing code (requires interaction to execute script). Not so terrible, but see Internet-facing disclaimer above. Test and patch in the next scheduled downtime.

05-007 – Windows Information Disclosure: Affects XP only, permits attacker to list user account names using an open shared resource, requires Computer Browser Service. This adds one more to the list of one kabillion ways you can find out the names of user accounts on a system. Forget it, install when you can. No self-respecting hacker is going to use this one, when there are far simpler ways to get the info.

05-008 – Windows Shell Code Execution: Permits code execution through flaw in drag-and-drop routines, executes with user privileges, requires user interaction. Stop laughing and tell your users not to visit porn sites at work. It's not an escalation of privileges issue, so not too bad.

05-009 – PNG Processing Vulnerability: Affects Windows/MSN Messenger and Windows Media Player only, requires user interaction (opening file), executes with user privileges, requires attacker to be on user’s contact list (MSN Messenger) or that user is receiving .NET alerts (Windows Messenger). We still don't know why WMP would be opening PNG files, but there you go. This one has the potential to be a nasty worm on IM... I would patch soon, but don't take your users down over it. Sometimes the denial-of-service you apply to yourself when patching *too* enthusiastically is not worth the potential risk. Remember, you're supporting a business that has work to do.

05-010 – License Logging Service: Affects servers only, permits code execution from remote attacker through flaw in license logging service, service disabled by default on 2003, service requires authentication on 2000SP3+ & 2003. Forget this one: disable the service, you don't need it. Didn't you learn that in Security 101? Disable all unused services. First thing on the agenda. Just make sure you're legal on your licenses without MS peering over your shoulder. You can do that, right? We're all adults here?

05-011 – Server Message Block (SMB) Code Execution: Affects all Windows versions, flaw in SMB permits potential remote attack through targeted or broadcast packets or through user-interactive vector (e.g. SMB URL or HTML coding). Oy. Oy. Oy. Nasty one. Patch now, there's a worm on this one coming out this weekend. No, I won't give you the code, I'm not writing it.

05-012 – OLE/COM Code Execution: Affects Windows (all)/Exchange/Office, permits privilege escalation (to Admin), requires attacker is logged on locally. We set this one as a critical patch for Exchange servers, a moderate one for everything else. Even though we're not terribly convinced that Exchange is that vulnerable, we can't find any proof.

05-013 – DHTML ActiveX Code Execution: Affects all Windows versions, requires user interaction (click on link), executes with user privileges. Yeah, ActiveX. So it's an IE vuln, basically. WHAT DID I JUST TELL YOU PEOPLE ABOUT THE PORN SURFING?!

05-014 – Cumulative IE Security Update: Affects IE 5.01/5.5/6.0, 4 vulnerabilities included, all vulnerabilities are either spoofing/phishing or code execution with user privileges requiring user interaction. Just install all of the IE-based ones pretty soon, at the same time. You know your users won't listen, especially when you shout at them like that. Do we have to send you to sensitivity training again?

05-015 – Hyperlink Object Library Flaw: Affects all Windows versions, requires user interaction (click on link), executes with user privileges. I love this one. It doesn't require a bad guy to host malware on a website, the flaw is triggered just because the link itself is formed in a way MS didn't expect. Don't click on that URL! Why, because it might take me someplace nasty? No, because the URL ITSELF is the code. THE URL ITSELF IS THE CODE! SOYLENT MICROSOFT IS CODE!

Re-release 04-035 (SMTP DNS Lookup Vulnerability) to incorporate fix for additional vector. Oooh, missed this one, didn't you? It's not a NEW vulnerability, no: that would make our pretty number go up! Only 12, remember? But you thought you were safe, and now you're NOT! As far as I can tell, if you don't configure your Exchange servers to do reverse DNS lookup on incoming SMTP messages, this shouldn't affect you. If you do, then patch it, and ignore the mitigation step that says you should enable only authenticated users: who forces authenticated users on their incoming SMTP? People who get no email, that's who!

Now go patch. You know you don't want to. But for the spam-spewing-zombie-hating love of God, you MUST. It's for the good of the Internet, like flossing.
 
Tuesday, February 08, 2005
  MS buys Sybari
Interesting stuff. We use Sybari at work for Exchange and have been considering for SharePoint. It's become a pretty good product after a few hiccups at the outset with Exchange 2000, mostly because of its close integration with the database. That provides speed, at the occasional expense of stability.

It was thanks to Sybari that our troubleshooting steps for anything Exchange/AD related became:

1) Check to make sure DNS is working
2) Check DNS again, just in case
3) Turn off AV to see if that fixes it
4) Did you check DNS? Are you sure you know what you were looking for, and could recognize when something looked awry?

We had a handful of issues with engine updates and AV def updates that led to very high utilization on Exchange servers, but the last one was probably a year ago. All in all, a good product.

 
Friday, February 04, 2005
  ..and then, and then
...and then one day you wake next to someone
who has become a stranger
Except that the contours of your life seem
to be the same as his
a mirror match
And the pauses in your conversation
where you had gotten used to being interrupted
once so annoying, now just empty spaces
so you turn over and drape an arm
around the sleeping stranger
and begin to re-acquaint yourself with him
 
Thursday, February 03, 2005
  Randomness in a bagel
My wife called to ask what kind of sandwich I wanted from the bagel shop. I told her to get me something she thought I wouldn't like.

I wish I could live my entire life with that sentiment as one of the founding principles. Try something you think you don't like, and you'll (at worst) learn something.

Technically, "at worst" you'll be heaving semi-digested chunks of kimchee straight into the garbage disposal, but that's not my point.
 
  Blackberry and iPaq... together?
OMFG! GIMME GIMME GIMME!

I've been waiting for this for soooooooo long. The Blackberry 7100t (which I currently have) is almost like having a non-functional mockup one of these: it looks like it should run all the other apps, but it doesn't. Everyone who sees my 7100t thinks it's a Windows CE-type device, but it's not, and that annoys me because I think it should be one as well.

Stupid 7100t. I didn't hate you nearly as much before I saw this link.

(yeah, OK, it's not really the Blackberry software. But close enough.)
 
Wednesday, February 02, 2005
  Tools for the Relative Support Techs
As an IT person (guru, my ultra-sensitive ego whispers while it jabs me in the kidneys with a soldering iron), I have to deal with computer support for my family. Parents. Thanks to the many supposed "vacation" days I've spent poring over logs and removing virii and spyware, I now have a little recurring fantasy of an evil adware developer waking one morning to find the severed purple head of a gorilla in his bed: "Bonzi Buddy! NOOOOOOOOOO!"

I love this kind of tool: not just because it's free (which helps), but because it does one core thing, and does it well. Sometimes you need to clean out the major muck just to get a parental unit's system in a usable state in order for the real troubleshooting to begin.

And by the way, ISPs that merrily hand out broadband access to obviously clueless users without even an attempt to educate them on security should be shot in the head, along with all the extremists.

ZoneAlarm is free. Anyone can pick up a Linksys box that will at least give you a NAT and a firewall to hide behind (yes, yes, I know, it's not perfect. You prefer nothing?) for under $30 these days. You're charging me $45 a month for this service, I can't imagine amortizing the cost of a NetGear router/firewall/NAT device over the course of the years I'll be on this system will add more than a couple of pennies to the total. You do it already with the cable modem.

Heck, doesn't it cost you more in support calls when the PC is infested with spyware and the user calls your tech support to complain that the Internet is slow? Doesn't it cost you more to upgrade the SMTP servers to handle all the spam (and rejection emails) those users are spewing?

Sorry, didn't mean to interrupt your studious avoidance of reality, there, Mr. ISP. Please carry on. Everyone else, go get a hardware or software firewall. Better yet, get both. Also, a spyware/adware removal tool; if you can get one that prevents scumware installation to begin with, even better. The Microsoft one will do, even if it's beta.

You already have anti-virus, of course. But here's a little secret: if you're smart about when you open attachments and where you travel to on the net in your daily troll for porn, it'll never trigger. I've had anti-virus for years, and the only thing in its logs are the times I run the EICAR test file against it, to make sure it's still working like I think it should. If I had HTML views turned on in email, I might have a different story, but I don't, so I don't.

And if you are reading this post using Internet Explorer, you're probably already infected. Get your filthy browser off my blog, you damn dirty purple ape! Go get Firefox before you hurt yourself or someone you love.
 
  A little on what I do...
I work for my computers, like everyone will in the future.

My specialty is making stuff talk to each other. You can slap two Windows servers onto the network and odds are they'll be chatting back and forth in no time, but try and make that Windows 2003 server talk to the Novell server that's trying to download SQL data from a Linux box that's using an older version of NIS to authenticate... oy. Oh, and the client wants single sign-on too.

There's the vey.

Did I mention the client wants to be able to print the results of this SQL query to an LPR printer? From his ancient Mac that's running OS 7, and that they can't upgrade because it's running an add-on card from a company that went out of business 5 years ago?
 
  Avoiding otherwise certain death and mayhem.
Thank $DEITY for the Starbucks Barista.
 
  Working from home
I've been working from home for a couple of months now. Not working for myself, you understand, but working for my corporate masters from a remote location.

Very remote. Almost 2000 miles, if you can believe the Mapquest directions. However, those directions include a detour through Tierra del Fuego for some reason, so it may be a handful less than that.

All in all it's been working well; it allows me a lot more time to spend with my family (son of 3, wife of unaging beauty) and for cooking. The occasional shot of a naked butt (the child's) shooting past in the background of video conferences, stuff like that.

There are tools that improve the life of a permanent telecommuter. I'll be talking about them at some point. There are things that make life harder, and trying to work with multiple computers (some PC/Win, some Mac OS X) when most of your data is remote is one of them. Right now I'm synchronizing data down on a regular basis, but that makes for some interesting juggles.

Case in point: Citrix. A marvelous tool, and one that allows me to do many things as if I were sitting on the network 2,000 miles (give or take) away. I'd like to give the impression to my co-workers (and bosses) that I'm really not far away, and Citrix lets me do that to some level, but... it doesn't do NetMeeting worth a damn, and drag/drop, copy/paste from local to non-local apps is twitchy at best. It works so well that the places it doesn't are more annoying than they should be.

I use Citrix mostly for Outlook, even though I have Outlook 2003 installed locally as well. But since we have a limit on mailbox sizes, I have to go through and archive mail off every so often. This I do on Citrix, since my PST files are up on the file/print network share (most of my synchronization is currently one-way, down from the network to local).

As I'm writing about this, I'm thinking of a million different things to try in order to fix these issues, but almost all of them require me to take time away from what I should really be doing and testing, tweaking, trying out configurations. I have an appalling tendency to spend a lot more time working on the environment than working on the task at hand; it's the equivalent of a developer endlessly tweaking the IDE rather than coding. So I'll just put this on the backburner with the million other things crowding that part of the stove.

More later.
 
Location: Minneapolis, Minnesota, United States