• Why Won’t Dell Stop Sucking?!

    For some reason people keep buying Dells.

    I remember a couple of years ago all the small form factor OptiPlexes I had suffered from a bad capacitor on the motherboard.  Eventually all of them just died.

    My whole team at work has the same model workstation, and the PSU went on each of them, one by one.

    I have a service tag – the “serial number” unique to each computer – and type it into their site looking for drivers.  You would think, since this tag is unique, that they could look up your computer and give you your network card driver, your video driver, etc.  NO!  Instead they give you the choice to download every driver for every chipset that was ever used on that model.  Why do I have this service tag?!  Why don’t I just type in the model?!  It’s the same results!

    After all that, people still buy these pieces of crap.  They never even question why that is.

  • Freaking Winter!

    When you see a day in the forecast that has a predicted high of 0 degrees F, it’s time to move.

  • Conn. Teacher Cleared of Felony Endangerment in Pop-Up Case

    The case against Connecticut substitute teacher Julie Amero has finally come to a close.  Prosecutors dropped the felony charges against her, but the agreement called for a guilty plea to a misdemeanor charge of disorderly conduct and surrender of her state teaching credential.  Amero had previously been convicted of endangering minors and faced 40 years in prison.  Prosecutors alleged that in 2004 she had surfed to dubious websites that displayed pornographic pop-ups on a computer in the classroom; when security specialists caught wind of the case, they pushed to examine the computer in question and found that the school district had inadequate anti-malware protection on that computer and the pop-ups were not Amero’s fault.

    This is easily one of the most frustrating InfoSec stories of recent years.  In case you are unaware, some poor substitute teacher in Connecticut was using a computer in a classroom when a flood of pornographic pop-ups (induced by malware) came on the screen.  She found herself in court facing child endangerment charges and up to 40 years in prison.

    This highlights how scary our legal system can get.  If you have no idea what a case is about, do not try to render a verdict.  Defer it to another judge or a jury, or call in some experts.  For God’s sake, don’t sentence someone for not doing anything wrong.

  • Diebold Accidentally Leaks Results Of 2008 Election Early

    It would be funny if it weren’t so damn plausible. :)



  • SSH on a Non Standard Port

    I recently posted a comment on FOSSwire.com in response to other comments condemning the author for suggesting that moving SSH to a port other than 22 was “security through obscurity” and a worthless security measure.

    I have argued this topic many times with many different people and felt that the comment bears repeating for my downgrade.org audience.

    — snip —

    Gah! I have heard that argument over and over again about changing ssh to a non-standard port.

    “security through obscurity is no security at all” Says the broken record.

    I believe heavily in security metrics because numbers are awfully hard to argue with.

    In a university environment, a machine with SSH on port 22 in my DMZ received an average of ~100 invalid login attempts per day (averaged over the course of 2 months).

    This same machine in the same DMZ running SSH on port 51234 received an average of zero… no, not an average of zero… just zero.

    This effectively eliminates all scripted attacks, worms, Trojans, bots and most uninitiated real attackers.

    In fact if you run it on a very high port — say 51234 — most people won’t even find it with a port scanner.

    One would have to explicitly define the port range, as the default ranges of most port scanners quit far before 51234.

    At that rate, scanning ports 1-51234 would take an insane amount of time per host, and most attackers scan huge blocks of hosts.

    At that point hopefully an IDS/IPS would pick up the port scan and make the whole thing moot.

    Seriously. It’s not a foolproof security measure and I certainly wouldn’t use it as the only means of protecting SSH, but it’s an effective layer. And those same people that are so quick to spew out the “security through obscurity” cliché are also the same that are quick to pull out the “layered security” one.

    — snip —
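    The metric the comment above relies on (invalid login attempts per day, with quiet days counted as zeros rather than left out) is easy to compute from sshd’s own log. The following is an added example, not part of the original comment or post: it parses OpenSSH “Failed password” lines from a constructed auth-log sample, zero-fills every day in the window, and reports the per-day average and the noisiest source addresses. The hostnames, addresses and year are assumptions.

```python
"""Count failed SSH logins per day from sshd auth-log lines.

Added example, not from the original post. The log lines below are
constructed to mimic OpenSSH's "Failed password" messages; the year is
assumed because syslog timestamps do not carry one.
"""
import re
from collections import Counter
from datetime import date, timedelta

# OpenSSH logs "Failed password for invalid user X from IP port N ssh2" for
# unknown accounts and "Failed password for X from IP port N ssh2" for known
# ones. The "port" in the line is the client's source port, not sshd's.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_failures(lines, year):
    """Yield (date, user, ip) for every failed-login line; skip everything else."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield date(year, MONTHS[m["mon"]], int(m["day"])), m["user"], m["ip"]


def failures_per_day(lines, year, start, end):
    """Return {date: count} for every day in [start, end], zero-filled.
    Zero-filling matters: a quiet day is a data point, not a missing one."""
    counts = Counter(d for d, _, _ in parse_failures(lines, year))
    days = (end - start).days + 1
    return {start + timedelta(i): counts.get(start + timedelta(i), 0)
            for i in range(days)}


def daily_average(per_day):
    """Mean attempts per day over the whole window, zeros included."""
    return sum(per_day.values()) / len(per_day)


def top_sources(lines, year, n=3):
    """Source addresses responsible for the most failed logins."""
    return Counter(ip for _, _, ip in parse_failures(lines, year)).most_common(n)


# Constructed sample (assumed host "dmz1", documentation-range addresses):
# three noisy days, then two days with nothing at all.
SAMPLE_LOG = """\
Mar  1 03:14:07 dmz1 sshd[4120]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  1 03:14:09 dmz1 sshd[4120]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Mar  1 07:02:55 dmz1 sshd[4188]: Failed password for root from 203.0.113.9 port 40022 ssh2
Mar  2 11:41:13 dmz1 sshd[4301]: Failed password for invalid user oracle from 198.51.100.7 port 52001 ssh2
Mar  2 11:41:20 dmz1 sshd[4301]: Accepted publickey for alice from 192.0.2.10 port 50010 ssh2
Mar  3 00:00:01 dmz1 sshd[4402]: Failed password for invalid user test from 203.0.113.9 port 40100 ssh2
""".splitlines()


def example_window():
    """Per-day counts for the sample over an assumed five-day window."""
    return failures_per_day(SAMPLE_LOG, 2008, date(2008, 3, 1), date(2008, 3, 5))


if __name__ == "__main__":
    window = example_window()
    for d, n in window.items():
        print(d, n)
    print("average/day:", daily_average(window))
    print("top sources:", top_sources(SAMPLE_LOG, 2008))
```

    Run the same script over a window before and after changing the `Port` directive in `sshd_config` and you have the before/after numbers the argument rests on; the `top_sources` output also tells you whether the remaining attempts are scripted sweeps from a few hosts or something more targeted.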

  • Vista makes CNET’s “Top Ten Terrible Tech Products”

    For those of you wondering why I haven’t beaten up Vista yet… I have. I ran it from mid-beta to early release and had a very well written and thought out evaluation of its security and usability features. It was quite negative. I wrote the entire article in Notepad on my Vista machine.

    One day I went to open the file to add finishing touches and proof it, and the file had disappeared. I know how silly and impossible this sounds. But it’s true. I have never seen anything like it under any operating system.

    That pretty much cinched it for me. I downgraded back to XP and impatiently awaited the arrival of my new Mac.

    That being said, I laughed aloud as I read the CNET article. It contained many lines that I couldn’t help but agree with, such as…

    Any operating system that provokes a campaign for its predecessor’s reintroduction deserves to be classed as terrible technology. Any operating system that quietly has a downgrade-to-previous-edition option introduced for PC makers deserves to be classed as terrible technology. Any operating system that takes six years of development but is instantly hated by hordes of PC professionals and enthusiasts deserves to be classed as terrible technology.

    It’s suffering from painfully slow adoption by users and corporations alike, for good reason. I often hear the argument “All new operating systems have slow corporate adoption rates”; however, compared to 2000 and XP, as well as to planned adoption surveys… it’s dismal.

    Conversely, adoption rates of Linux and OS X on the desktop are way up. Microsoft may finally be losing its foothold of absolute dominance and, as any industry can prove, real competition makes for better products all around.

  • I Give Up.

    ‘I give up’ is not a phrase you will hear from me all that often. But I just can’t take any more. Novell has me at my wits’ end. I can’t believe people use this with any sort of reliability.

    Throughout my months of toying with it I have had issues and stumbling blocks with each and every component. Some servers require many, many components to work effectively.

    Here’s a brief run down of just a couple of the annoyances:

    Updates and patches come rapid fire (about two per day) and often leave the system broken. I have had them cause dependency issues each time I have applied them. They do crazy stuff, from switching which physical network card eth0-2 are assigned to, to outright breaking NSS. In fact, every update I have run broke NSS. You just can’t have that in a production environment. Technically you could script an auto-updater; however, per Novell support, “Automating the updates might have its own risks [...] because of that, rug doesn’t have a --force option the way RPM does.”

    Things that should be done by installers must be done manually. A great example of this is having to manually enable remote administration of a GroupWise server. For example, you need to share out /usr/local/gw using Samba. But first you have to install and configure Samba. That’s essentially all the docs say on the subject: ‘install samba’. Not ‘Download package X, install it using command Y, tweak this directive in X.conf, and so on’. So I installed Samba from source. After struggling to get it integrated into eDirectory, I discovered Novell-Samba. Who knew? They just said ‘Install samba’.

    The install process for the OS and packages drives me insane! The OES CD set consists of 10 CDs. During the initial install you are asked to supply almost all 10 CDs in varying order, and you have to re-insert a number of them multiple times. It also asks for the SUSE Core 2 CD 2 and 3, which end up being SUSE Linux Enterprise Server disks 3 and 4. I figured that out purely out of desperation, by feeding it random CDs.

    The documentation is lacking. It assumes that all Novell customers are intimately familiar with Novell terminology and technology (see previously mentioned GroupWise/samba example).

    GroupWise acts as an open relay by default and no settings changes will help that. Users hate the GroupWise client, and the Outlook plug-in makes Outlook buggy and slow. The cross-platform GroupWise client (Linux and Mac) is really bad. The only way to remedy this is to purchase an expensive third-party app.

    I purchased the only (at the time) official Novell Press book for Open Enterprise, entitled “Open Enterprise Server, Administrator’s Handbook, SUSE Linux Edition”. Being the only official book, I assumed it would be comprehensive and cover anything and everything relating to OES. What I found was that it is entirely based on a pre-release version of OES, and a large number of important things have changed since it was published. In fact, a couple of things the book tells you to do regarding updates will break an otherwise happy server.

    Overall I would just like Novell to hammer all these things out, test thoroughly and make the docs useful. Don’t assume everyone using the product is a 15-year Novell NetWare veteran.

  • Microsoft offers Apple security advice?

    Fresh after the article from security firm Sophos entitled “Sophos recommends Macs for security”, a member of Microsoft’s security team blasts Apple for not having a “security czar” and not communicating with users about security vulnerabilities.

    By contrast, he points to Microsoft as a prime example of how to respond to threats, providing well-documented communications and prescriptive “how-to” guidance with alerts that are delivered through email, RSS and deployment tools.

    This whole paragraph is absolutely laughable. Let’s flash back for a second to Microsoft security bulletin 912840 and my rant regarding it. And now let’s re-read that happy little Microsoft FUD. Something doesn’t add up, does it?

    If that isn’t enough to convince you, let’s look at yet another reason why no software vendor should ever adopt Microsoft’s security practices. Two words: Patch Tuesday. Holy God is that a bad model. No matter how bad a vulnerability is, they will sit on the patch (leaving everyone exposed) until the next Patch Tuesday. Just because it’s more convenient for admins.

    I, as an admin, would much rather patch frequently than sit on my hands while blatantly exposed to a threat.

    Once they work these things out, then (maybe) they can blast other software vendors. Until that time though, they should sit back, shut up and stop making themselves look foolish.

  • GroupWise Open Relay Crap

    I started testing my GroupWise 7 server and found that I received a bounce-back while trying to send to domains that block mail from servers listed in the ORDB (Open Relay DataBase).

    Upon receiving this, one Saturday, I sent out a quick email scolding my tech who set up the GWIA (GroupWise Internet Agent) and drove into work to fix it. I pulled up the area in ConsoleOne that contains the relay information and found a check in the box that reads “disable open relay”. Hmmm, you can’t get much clearer than that.

    I quickly whipped up a web app that would attempt to relay mail off the server. No luck. So I went into my office and submitted the IP to ordb.org again for a re-scan.

    I was assuming that it was scanned while it was initially being set up, and that they had caught it in an open relay state.

    A while later I received an email stating that it is still blocked by ORDB, because they still think it’s an open relay.

    Puzzled, I hit the ordb.org FAQ and came up with this…

    My Novell GroupWise is not an open relay!

    We’re sorry to say that it is. We are aware that GroupWise does not filter until after receiving the mail, but our test-method requires that at least one of our probes be delivered to its final destination before addition to the database occurs. Your server will not be added to the database just because it accepts the probe for later processing. Please see the section on securing your open relay for information on the latest patches for GroupWise. Additionally, please refer to this link for information about claims that ORDB’s way of testing is flawed, when testing GroupWise and friends.
    Additionally, a user has provided information that at least Groupwise6 (and possibly Groupwise5.x as well) may be vulnerable to various relaying exploits unless sufficiently patched. The patch you need to download is called fgwia63a.exe, and is so far only provided as a beta quality patch by Novell.

    So, that wasn’t very helpful. I am running GroupWise 7, so that fits the “at least Groupwise6” requirement, and I am running it on SUSE Linux Enterprise Server, so it’s safe to say that an .exe patch isn’t going to work.

    I could ask Novell about it, but support requests cost $500/, purchased in minimum quantities of 5.

    On a number of forums I heard talk of a mysterious patch, but was unable to find any mention of it on the Novell download site. I also read that Novell acknowledges that it’s a stupid way to handle relay attempts and that it would be fixed in GW6. Well, I’m on 7 and it’s not fixed.

    The best way I came up with to fix this is to use an incoming/outgoing relay host, something free like Exim or Postfix. This also gives you a place to run antivirus and antispam. Set up GroupWise to accept incoming mail from this host and to force all outgoing mail through it.
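    The ORDB FAQ quoted above draws the distinction that matters here: a relay decision made at RCPT TO (the probe is refused and nothing is ever stored) versus a server that accepts everything and filters after the fact, which is only as safe as that later filter. The block below is an added example and is not GroupWise code, the ORDB probe, or part of the original post; it models both behaviours over the envelope part of an SMTP session. The local domains, the trusted network and the banner hostname are assumptions.

```python
"""Where the relay decision is made: at RCPT TO, or after the mail is accepted.

Added example, not GroupWise code and not the ORDB probe. It models the two
behaviours the ORDB FAQ contrasts: one server refuses a non-local recipient
from an untrusted client at RCPT TO (nothing is ever queued), the other
answers 250 to everything and sorts it out after DATA, so it is only as
safe as that later filter. Domains, networks and hostnames are assumed.
"""
import ipaddress

LOCAL_DOMAINS = {"example.com", "mail.example.com"}      # assumed local domains
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]    # assumed internal LAN
RCPT_OK = "250 2.1.5 OK"
RELAY_DENIED = "554 5.7.1 Relay access denied"


def is_trusted(client_ip):
    """True when the connecting client sits on a network allowed to relay."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETS)


def domain_of(address):
    """Domain part of 'user@host' or '<user@host>', lowercased for comparison."""
    return address.strip("<>").rpartition("@")[2].lower()


def may_relay(client_ip, rcpt_to):
    """Relay only when the recipient is local or the client is internal."""
    return domain_of(rcpt_to) in LOCAL_DOMAINS or is_trusted(client_ip)


def probe_session(client_ip, mail_from, rcpt_to, reject_at_rcpt=True):
    """Envelope exchange for one message.

    Returns (transcript, queued): transcript is a list of (side, line) with
    "C" for client and "S" for server; queued says whether the server will
    actually deliver the message.
    """
    t = [("S", "220 mx.example.com ESMTP"),
         ("C", "EHLO probe.invalid"),
         ("S", "250 mx.example.com"),
         ("C", f"MAIL FROM:<{mail_from}>"),
         ("S", "250 2.1.0 OK"),
         ("C", f"RCPT TO:<{rcpt_to}>")]
    allowed = may_relay(client_ip, rcpt_to)
    if reject_at_rcpt and not allowed:
        t.append(("S", RELAY_DENIED))       # probe stops here; nothing is stored
        return t, False
    t += [("S", RCPT_OK),
          ("C", "DATA"),
          ("S", "354 End data with <CR><LF>.<CR><LF>"),
          ("C", "."),
          ("S", "250 2.0.0 Queued")]
    # Accept-then-filter: the client always sees "Queued". Whether the message
    # goes anywhere depends entirely on the post-acceptance filter agreeing.
    return t, allowed


if __name__ == "__main__":
    for mode in (True, False):
        t, queued = probe_session("198.51.100.7", "probe@ordb.invalid",
                                  "probe@ordb.invalid", reject_at_rcpt=mode)
        print(f"reject_at_rcpt={mode} queued={queued}")
        for side, line in t:
            print(" ", side, line)
```

    The reject-at-RCPT path is what a front-end relay host such as Postfix or Exim gives you: an outside client asking for an outside recipient gets a 5xx before any message body is accepted, so a listing test has nothing to deliver. The accept-then-filter path is what the FAQ describes, and it is why putting a relay host in front of the server is the fix rather than another checkbox.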

    Or you can do what I did: purchase a Barracuda 300 from Barracuda Networks and use the same configuration as above.

    My Barracuda has gone through its initial testing very well, and I’m quite fond of the web interface.

    But it’s also very sad that GroupWise forces admins to do something like this. It’s almost as if they intentionally included this inadequacy in the hope that you will have no choice but to go to one of their channel partners for a fix… and spend more money.

  • Lenovo Banned by U.S. State Department

    In one of the least thought out and dumbest moves made by our government in recent weeks… Assistant Secretary of State Richard Griffin said the department would alter its procurement process to ensure no Lenovo PCs are allowed inside secured U.S. networks.

    This is dumb for a number of reasons.

    1. Any software backdoor or ‘phone home’ keylogger would be wiped out when the machine is re-imaged. If they don’t re-image machines that come from hardware vendors, then the brand is the least of our worries.

    2. Any hardware spying mechanism that remained after imaging would still need a way to ‘phone home’ to China for them to obtain the data. Any ‘secured U.S. network’ should have egress firewalling. So ‘phone home’ attempts would not only be blocked but also logged, providing REAL evidence that we should be concerned.
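    Point 2 only works if someone actually turns the egress-deny log into evidence. The block below is an added example, not part of the original post: it parses constructed netfilter-style LOG lines (an assumed `EGRESS-DROP` log prefix, invented hostnames and documentation-range addresses), groups denies by internal source and blocked destination, and pulls out hosts that keep retrying the same destination, which is the beaconing pattern a ‘phone home’ would produce.

```python
"""Turn egress-deny firewall logs into evidence of 'phone home' attempts.

Added example, not from the original post. The log lines are constructed in
the netfilter LOG format with an assumed "EGRESS-DROP" prefix; hostnames and
addresses are invented.
"""
import re
from collections import defaultdict

KV_RE = re.compile(r"(\w+)=(\S*)")
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) kernel: EGRESS-DROP ")


def parse_egress_denies(lines):
    """Yield one dict per EGRESS-DROP line: timestamp, host, src, dst, proto, dpt.
    Lines with any other log prefix (accepts, other chains) are ignored."""
    for line in lines:
        head = TS_RE.match(line)
        if not head:
            continue
        fields = dict(KV_RE.findall(line[head.end():]))
        yield {"ts": head.group(1), "host": head.group(2),
               "src": fields.get("SRC"), "dst": fields.get("DST"),
               "proto": fields.get("PROTO"), "dpt": fields.get("DPT")}


def summarize(lines):
    """Group denies by (src, dst, proto, dpt) with a count and first/last seen."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ev in parse_egress_denies(lines):
        entry = summary[(ev["src"], ev["dst"], ev["proto"], ev["dpt"])]
        entry["count"] += 1
        entry["first"] = entry["first"] or ev["ts"]
        entry["last"] = ev["ts"]
    return dict(summary)


def persistent_callers(lines, min_attempts=3):
    """Internal hosts that keep retrying the same blocked destination, most
    persistent first. This is the list worth escalating, not the raw log."""
    hits = [(key, v["count"]) for key, v in summarize(lines).items()
            if v["count"] >= min_attempts]
    return sorted(hits, key=lambda kv: -kv[1])


# Constructed sample: one workstation retrying the same outside address every
# five minutes, one stray DNS query, and an accepted flow that must be ignored.
SAMPLE_LOG = """\
Jun 12 10:01:02 gw1 kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.30.17 DST=203.0.113.45 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=50432 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 10:06:02 gw1 kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.30.17 DST=203.0.113.45 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=50433 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 10:11:02 gw1 kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.30.17 DST=203.0.113.45 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=50434 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 10:12:40 gw1 kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.30.22 DST=198.51.100.8 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=UDP SPT=41000 DPT=53 LEN=56
Jun 12 10:13:00 gw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.30.22 DST=192.0.2.1 PROTO=TCP DPT=80
""".splitlines()


if __name__ == "__main__":
    for key, v in summarize(SAMPLE_LOG).items():
        print(key, v)
    print("persistent:", persistent_callers(SAMPLE_LOG))
```

    The regular spacing of the first three entries (same source, same destination, same port, five minutes apart) is exactly the kind of detail that a deny rule without logging throws away; with logging, the summary is the evidence.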

    I believe this just boils down to yet another case of someone uninformed and uneducated making big decisions that they are not qualified to make. Either that or it’s a more sinister attempt to curb the amount of Chinese goods purchased by the U.S. Neither case wins our government any more brownie points.
