October 2004 Archives

Migrations

The server out at Shannon-point has been replaced with a NW6.5 server on new hardware. I used the Migration Wizard to complete this migration, and as before I am really impressed with this tool. Back in the NW4.11 days I got the task of migrating a server to new hardware. In those days, pre-PKI, this was doable... if you worked at it. I've lost the TID, but I do remember that the TID itself had 93 steps to follow to ensure the migration of identity worked as planned.

Then I got to do the same thing (on the same server, no less) in NW5.1. By then Novell had released their first Migration Wizard tool, and wow. They automated all of the scut-work, and all you had to do was click things and rotate a few floppies when it came time for the NICI migration.

The NW6.5 version of it doesn't even have the floppy migration bit anymore. I had to be sure I had the right license-files in place so the users could connect once the identity was migrated, but it worked very well.

MRTG & tracking disk-space on NetWare

The MRTG tool is one that I've had a lot of experience with at my old job, and we use it here. MRTG & NetWare is something that has had some coverage already. The most notable of that is that the changelog for MRTG includes certain very interesting entries:
Changes 2.10.15, 2004-08-08
---------------------------
From: NormW
* patches for netware support

Changes 2.10.14
---------------
From: Norm
* make mrtg work on netware

My latest work with it is to take a perl script I've been using for ages to do disk-space monitoring of Netware and drop the data into a database, and tweak the script so it can be used by MRTG's external-script target syntax. Since the main problem to solve is how to extract and translate the data, and I already had solved that problem, it didn't take long to rejigger how the output is delivered.

I even have an example!

Not much data in there yet since I haven't had it running all that long. But it uses SNMP to extract data and graph it. The script can be told to report either free-space or used-space. It is my experience that managers are much more interested in the "how much resource do we have left" question than the "how much resource are we using" question, since "have left" can be used in planning, while "in use now" is already paid for.
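To show the shape of such a target, here is an added example (not the post's Perl script) that turns volume-space figures into the four lines MRTG expects from an external script. It assumes the volumes appear as HOST-RESOURCES-MIB hrStorage rows, as printed by snmpwalk; whether a given NetWare SNMP agent exposes that MIB is an assumption, and the walk below is constructed sample data.

```python
#!/usr/bin/env python3
"""MRTG external-script target for volume space (example, not the original script).

MRTG's  Target[name]: `command`  syntax wants four lines on stdout:
  1: first value (graphed as "in")   2: second value (graphed as "out")
  3: uptime string                   4: target name
Pair it with  Options[name]: gauge  since bytes free/used is a level, not a rate.
"""
import re
import subprocess
import sys

# Constructed sample shaped like `snmpwalk -v2c -c public HOST hrStorageTable`.
# hrStorageSize/Used are counted in hrStorageAllocationUnits-sized blocks.
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrStorageDescr.1 = STRING: SYS:
HOST-RESOURCES-MIB::hrStorageDescr.2 = STRING: DATA:
HOST-RESOURCES-MIB::hrStorageAllocationUnits.1 = INTEGER: 4096 Bytes
HOST-RESOURCES-MIB::hrStorageAllocationUnits.2 = INTEGER: 65536 Bytes
HOST-RESOURCES-MIB::hrStorageSize.1 = INTEGER: 1048576
HOST-RESOURCES-MIB::hrStorageSize.2 = INTEGER: 3276800
HOST-RESOURCES-MIB::hrStorageUsed.1 = INTEGER: 786432
HOST-RESOURCES-MIB::hrStorageUsed.2 = INTEGER: 1638400
"""

ROW_RE = re.compile(r"hrStorage(Descr|AllocationUnits|Size|Used)\.(\d+) = \w+: (\S+)")
FIELDS = {"AllocationUnits": "units", "Size": "size", "Used": "used"}


def parse_walk(text):
    """Group hrStorage rows by table index: {idx: {descr, units, size, used}}."""
    rows = {}
    for field, idx, val in ROW_RE.findall(text):
        row = rows.setdefault(idx, {})
        if field == "Descr":
            row["descr"] = val
        else:
            row[FIELDS[field]] = int(val)
    return rows


def volume_bytes(rows, volume):
    """Return (total_bytes, used_bytes) for a volume named like 'DATA:'."""
    for row in rows.values():
        if row.get("descr") == volume:
            return row["size"] * row["units"], row["used"] * row["units"]
    raise KeyError(f"volume {volume!r} not present in walk")


def mrtg_lines(rows, volume, mode="free"):
    """Build the four MRTG output lines; mode is 'free' or 'used'."""
    if mode not in ("free", "used"):
        raise ValueError("mode must be 'free' or 'used'")
    total, used = volume_bytes(rows, volume)
    value = total - used if mode == "free" else used
    # Same number on both lines so the in/out plots coincide on the graph.
    return [str(value), str(value), "unknown", f"{volume} {mode}"]


def main(argv):
    # Usage: vol_space.py HOST VOLUME [free|used]; with no HOST, use the sample.
    if len(argv) >= 3:
        walk = subprocess.run(["snmpwalk", "-v2c", "-c", "public", argv[1], "hrStorageTable"],
                              capture_output=True, text=True, check=True).stdout
        volume, mode = argv[2], (argv[3] if len(argv) > 3 else "free")
    else:
        walk, volume, mode = SAMPLE_WALK, "DATA:", "free"
    print("\n".join(mrtg_lines(parse_walk(walk), volume, mode)))


if __name__ == "__main__":
    main(sys.argv)
```

Run with no arguments to see the sample output; with a host, volume and mode it calls snmpwalk (community string assumed to be "public").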

McAfee & Novell

So here I was, trying to make myself a NW6SP5 build. I get it all built, I patch the server, the server reports all modules I installed in the patch installed as I expected. All is great! Except...

Novell NetWare 6
Support Pack Revision 04
(C) Copyright 1983-2003 Novell Inc. All Rights Reserved. Patent Pending.
Server Version 5.60.04 December 12, 2003
Novell eDirectory Version 8.7.3.2 SMP
NDS Version 10551.13 May 26, 2004


Wha? I check NWCONFIG and it shows the service-pack is installed alright. Then I get a thought. I check the date-stamp of SERVER.EXE. It most definitely was not 5/27/2004. I check the CD I burned, and it isn't there. I check my directory that I built the CD from, and it isn't there.

Grumbling, I expand the patch again from the source-file and it isn't there. Watching the unpack I see a possible error and see that "server.exe" had some error associated with it. Curious, I go to a cmd-prompt and manually attempt to extract the file (nw6sp5e -e \nw6sp5e\startup\server.exe for the curious) and get an "Access denied" error on extraction. This, unfortunately, looks familiar.

So I disable my virus-scanner, VirusScan Enterprise 8.0i, and try again. Comes right out. I turn the scanner back on, recreate the CD-project and get told that someone is using SERVER.EXE and it can't be added to the project. Sensing the pattern again, I turn off the scanner, put SERVER.EXE back in the project, burn the new CD, and turn the scanner back ON again.

I then patch server #2 and it comes up like it should.

Novell NetWare 6
Support Pack Revision 05
(C) Copyright 1983-2003 Novell Inc. All Rights Reserved. Patent Pending.
Server Version 5.60.05 May 27, 2004
Novell eDirectory Version 8.7.3.2 SMP
NDS Version 10551.13 May 26, 2004


Right, then. That's all good. I then manually copy SERVER.EXE to the server I patched yesterday and get it rebooted. Now it also comes up with the correct SP-revision.

It seems that McAfee VirusScan Enterprise 8.0i thinks server.exe is some form of malware from the name. This will need noting, as I routinely expand service-packs on my local machine.

NW6SP5

I just had what looks to be my first successful attempt at creating a SP build with patches slipstreamed in. One of the cluster servers is now at NW6SP5 and that's where printing is located. My hope is that this will minimize one of the annoyances we've been experiencing of late.

Specifically, one of the print-agents will throw a message of the sort:

"Life sucks. I'm stopping this agent for no reason"

Which works just like a circuit-breaker. The status still shows on, but it doesn't do anything. To get the printer-agent working again, you need to stop the agent then restart it. At which point things start processing again. This behavior could be the result of using post-SP5 NDPS modules (needed for PCounter to work right) with an SP4 machine. Hard to prove, so that's what I'm about to do.

Exchange features

Today we finally solved a mystery that had been plaguing us since we started moving some accounts from the old Exch2000 to the new Exch2003 servers. Suddenly some users were no longer able to "Send as" other users, even when they had full rights to the other user's box. This was sub-optimal.

I won't go into the troubleshooting steps because it's embarrassing. But what we discovered is that in order to "send as" without having "on behalf of" show up in the From line, you need to grant the relevant group the "Send As" right in object-security. The Exchange rights have no bearing here at all, which is what threw us.

I can understand why this is the case. It is my experience that the higher up in an organization you get, the less direct interaction you have with your own mail and calendar. There is a 'people filter' in place to prioritize what you need to even notice. In order to facilitate that, groupware provides the ability to allow other users into your mailbox. No biggie. What is also needed is that even if they have 'full' rights to everything, they can't send mail AS you and thereby steal your identity. This is why there is a separate right for this feature.

For things like group mailboxes (e.g. "alumni", or "NewStudents") this is something we needed to know, since we do that far more often than the executive kind. Now we'll get to see how many of our 'group' accounts have been using "send as" all along.

Stating the obvious

To quote:
With a malware storm always on the horizon, you'd expect AV vendors to have among the best customer support programs. The last thing you'd expect is having to wait an eternity on an 800-number listening to Burt Bacharach melodies only to tell your problems to a call center operator with a checklist of questions and stock responses.

Information Security, October 2004, p26
"HAH!" I say from personal experience. If the problem can't be dug out of either the public knowledge-base, or the internal-only knowledge base, you are screwed. Exceedingly few vendors provide GOOD information in their public knowledge-bases. Generally speaking helpdesk techs are not that hot when it comes to wing-it troubleshooting. If they are hot, they get promoted to level 2.

But that's exactly what Information Security found disturbingly often in our review of leading AV vendors' customer support.

And they seem to agree. The article goes on to enumerate their findings. I won't go into detail, but it is a nice article describing some of the short-comings of the AV-industry customer support.

October Info Security ad-counts

I got my "information security" mag today. To continue the thing I started in August and continued in September, here are this month's numbers.

                              FUD   We-Are-Nifty   Hard-made-easy   Regulatory
Security Service Management    0         1               4              1*
Widgets                        7         0              12*             0
Training                       0         0               3              0
In-house                       2         1               2              0
Total Ads                     33

* = ad on back-cover or behind-front-page

What I can see from this is that widgets are continuing their move from FUD as a prime motivator and towards ease. Also, some observer bias is probably present in the distinction between "Security Service Management" and "Widget". A lot of widgets provide "integrated solutions", which is almost the same terminology the Sec. Svc providers use, only they manage the widgets they deploy in your network.

I'm glad of the move. FUD is not a motivator to the audience of this particular publication, we already know the risk. We don't need the fear of hackers thrown at us from yet another source. We already get that from our management.

DHCP on Netware

I was told to investigate moving our DHCP services from the current Microsoft system and into our Netware cluster. It turns out that DHCP is really easy to set up in a cluster.

Unfortunately, in order for DHCP to actually work it requires a replica containing the DHCP-objects on the local server. Since this is a cluster, that'd be on all DHCP-configured servers. And since cluster-nodes do good yoyo imitations, we're leery of doing that. Because of this, we may keep DHCP in MS or perhaps think about putting it on our Replica boxes. We'll see.

Classwork

It would seem that myweb.students is being used in a class:

140.160.106.34 - - [14/Oct/2004:15:55:09 -0700] "GET /~usrname/cs101 HTTP/1.1" 404 303

Complete with click-on instructions. There are a couple of other accesses that have real usernames and not just a placeholder. But the "CS101" sort of gives this away as a beginners guide to making web-pages. I'm glad they're using it, I just wish I knew about it yesterday. We had some 'fun' between 3-4pm yesterday that took myweb.students out of whack for about an hour.

An observation -- not mine

"The problem with being IS and saying "we don't have time/resources to do this" is that people will do it anyway.

Pretend, for a moment, that the database and server resources you should be using is the I94 bridge over the Mississippi - many lanes, fast speed limit, well monitored and patrolled. A truckload of widgets goes across easily and smoothly, usually.

Now, take away the truck & the bridge, but they still want to move the widgets. They'll take what they can find "Oh, hey, there's this cable across the river in front of the dam no one is using - if we train a hundred monkeys to carry a widget each and put them in relays running up and down the river bank carrying widgets across for us, we can do the whole project w/o needing any IS funding. Cool!"

The problems now are:
1) Dead monkeys and widgets blocking the hydroelectric intake.
2) Barge captains running into the lock doors because they got distracted by BoBo.
3) Riverbank erosion and plant damage from widget laden monkeys
4) Large monkey breeding farms smell bad
5) We've already upgraded from small monkeys to large (Gorilla), monkeys are still not as good as trucks for carrying widgets"
-One Windswept Rose

Drag-n-Drop for e-mail

Earlier this month, AnandTech ran a review of OS-X from the point-of-view of an avid PC user. It was a very interesting read, and I recommend it. OS-X has some very nice features that blow past the stereotypes of MacOS and put it squarely in the running for Modern OS.

One of the things that caught my attention is application integration. It seems you can drag any icon into your current application and it'll import it automatically. Or attach it to your e-mail. Or move any image from the browser to whatever. Neat stuff.

This morning I had a bit of an "ah-hah!" moment. I was attempting to move a Word document into an e-mail and it wasn't working the way I had expected it to. You see, GroupWise has a rather nifty feature in it that is very OS-Xy. You take the application icon on your title-bar (the far-left picture that identifies the app you are in) and drag it into your e-mail. It'll then attach that document into your e-mail. Very slick, and was what I was attempting to do with Word/Outlook. Didn't work. GroupWise has had this feature since at least the GW5.5 era, possibly earlier.

Neat stuff.

That was strange

I've been banging on our student printing infrastructure for a few days now trying to get a handle on the kinks we've been experiencing. While I was doing this yesterday I came across an oddity.

On one printer-pool, we had 10 jobs queued up. One of the printers was having paper-jams all day, so the other printer was having to handle the load. I look at the printer in question and I get:

COPY 40 OF 50

Dur? I check the queue itself to see what, pray, that could be. I find a job sized about 5.2MB, with 5 pages. Quick math tells me that should result in 250 pages, and would really explain why there was a backup in the queue. Such jobs should never hit the printer since we set our PCounter to drop jobs with more than 50 pages in 'em. Unfortunately, the job clears before I can grab the spool-file. PCounter records exactly 1 page as printed. One?? HOW!

Since the PCounter log recorded the URL of the PDF involved I knew the original document to use. So I headed to that particular computer lab early this morning and grabbed the same workstation to see if I could reproduce this fun feature. No go. No matter what permutation of driver and driver-settings, the NDPS queue correctly identifies how many pages are emerging. The only thing I can think of is that it was set to print four-up, duplex for the first eight pages of the document. That would create a spool file about the right size. But the copy 40 of 50 thing still throws me. That sort of thing IN GENERAL is supposed to be frowned upon. Also unfortunately, the PCounter logs for that printer before this job went through show no obvious big stuff.

So either someone has figured out a way to print off way too many jobs and defeat our accounting, or the status reported was really old somehow. Most odd.

That was weird

I received a phone call from a survey firm just after tonight's debate. I picked up the phone fully expecting it to be someone calling me on some variation of "what'd you think?" The survey itself focused on my computer habits at work.

The weird part came at the end. They asked if I would be willing to verify my answers by having them mail me a floppy disk, run that disk on my computer at work, and mail it back. You can thank me for not actually saying, "SOD OFF" at the idea, but I thought it real hard. I mentioned that I would NOT be willing to do so, and the reason for it is that I manage sensitive information on my work PC and such a thing is not permitted. Did I mention they offered me $20 for my efforts? My alarm bells would be ringing louder if I didn't hear several similar conversations going on behind my interviewer in similarly Indian-accented English.

In hindsight, I'm trying to figure out what the survey was about. I have to think back to that survey several months ago where X% of people would fork over their work password for a Snickers bar. The information they gathered consisted of:
  • Basic demographic information such as age, number of adults in the home, that sort of thing
  • Information relating to my work-place demographics, such as
    • How many employees work for it?
    • How many employees work at my site?
    • Industry of my work
    • Name of workplace [I declined to answer]
    • My job title [declined]
  • Information relating to my work-place technology usage, such as
    • Office products in use
    • Type of computers (apple/pc)
    • Type of computers (desktop/laptop)
  • Information relating to my specific technology usage at work, such as
    • How many machines I use for personal computing (I didn't count servers, even though some of those consoles fit the standard they set)
    • What kind of machine I have on my desk
    • What types of activities I do at work relating to technology (use internet? use e-mail? use IM? Do personal finance? that sort of thing)
  • Some questions regarding usage of technology at home
  • What types of insurance I carry(?)
  • My job function, with a lot of IT titles and one lone non-IT title [also declined]
So what, pray, was THAT all about? One theory I have is that someone is doing a study. They got computer savvy and possibly risk-taking behavior out of their little survey. Perhaps it was a feasibility study by a big research firm looking into the acceptability of mailing out floppies to survey respondents and seeing what the response was. The fact that IT titles were their main thrust in the 'job function' section set alarm bells off for me too.

Most strange.

More fear-mongering

I saw this morning in a national weekly magazine an ad that made me shake my head. It featured text, "virus that erases your hard-drive", in amongst the rest of the ad. And the ad had lots of yellow in it. Just so you know.

Stuff like this makes me twitch. I realize that readers of this particular magazine aren't as sophisticated with regards to viri as readers of Information Security are, but still. Some things just grate no matter what they are. Like the violation of the Space Is Big principle in movies.

Computer viruses follow, unsurprisingly, epidemiological trends when it comes to 'lethality'. To take a real world example, let's look at syphilis. When syphilis was first introduced into the human population it was much more lethal than the form we know of today. One of the ways it changed was to lengthen its incubation (i.e. prime infectious time) and reduce the percentage of death amongst people who contract it. In the beginning, the lethality rate was 100%. These days the survival rate of untreated syphilis is pretty high. This is because killing your host is not a good survival strategy for viruses; if you are going to kill them off, at least make the incubation time long enough to infect lots of others (AIDS) or be infectious enough that anyone that comes within so far of the dead body is likely to be infected too (Ebola).

Computer viruses follow these trends too. Successful viruses do not nuke (format the hard-drive of) their hosts, they lay dormant and spew copies of themselves. Some do perform data modification on the infected host, but these are relatively rare. Worms such as Nimda and Slammer had their own ways of causing annoyance; Slammer clogged networks, Nimda replaced image files with copies of itself. The last well known, wide spread format-your-hard-drive virus was back in the days when floppy-disks were a prime infection vector for viruses. I.e. the dark ages.

The idea behind them was simple. Release a bug that infects by boot-sector (or .exe/.com infector). Time-bomb it so that if the system-date is a specific date, the payload delivers and Bad Things Happen. There were scares from these, but I personally haven't heard of any wide-spread damage from them. Like I said, virus-writing in those days was pretty primitive.

That kind of thing is a lot harder to get away with these days. As worms such as Nimda and Slammer have proven, mass propagation as fast as possible is a very good way of defeating the Antivirus-vendor definition cycle. With pressures like that, the AV companies are getting better and better at identifying infectious material and deploying countermeasures pretty quickly. If the theoretical virus-writer writes a timebombed payload that includes "format c:", the AV community will know about the virus as soon as it gets widely spread enough, and the AV community will reverse-engineer it to find out what it does. Said virus-writer has to be very sure of his infection vector working well enough to get enough hosts infected before the major vendors get definitions out that clean up the bug. Too long, and only the badly managed systems (home users typically, these days) will get nailed by it. Too short, and critical mass wouldn't have been reached and the virus kills itself off.

A far more effective campaign, in my opinion, would be to put the fear into the reader that their PC might be part of the SPAM problem. It is proven that some viri turn infected hosts into spam-relay stations. And heck, everyone hates spam. And it'd cause my teeth not to grind as much.

WebDav, Windows, and Office

NetStorage has a WebDav tie-in. This is nifty. We like it.

It's not working. And today, I figured out WHY. Now to get on the horn to people who can fix it.

It seems that when you set up a 'network place' to https://whatever/ the first connection to the server is via SSL. As it should be. Go to any of the subfolders after you connect, and suddenly the connection reverts to http. Since we turned off insecure access to our NetStorage servers, this gives an error-code.

It also seems that OfficeXP is the culprit. At least, that's what they say in the newsgroups. We're trying to verify the problem, and if it proves out we'll be contacting our Microsoft Support.

Volcanoes

Up here we have volcanoes. You may have heard that Mount Saint Helens has been active of late. Anyone who has been listening to the news has already heard comparisons to the 1980 event that covered almost all of Washington state in at least some ash. Paranoids are pointing out that the current activity looks a lot like the activity the mountain had in early 1980. The US Geological Survey points out that such an event is vanishingly unlikely to happen again; there isn't as much mountain left to blow up.

And my coworker pointed out that Mt. Baker blew steam this morning. Mount Baker is our local volcano. The information about it can be found here. It has been blowing steam for several years now, though not anywhere near the scale that Helens has. We like it this way, since it shows that pressure isn't building inside the mountain.

Volcanic ash is tricky stuff. It is fine and mineral-based, so it gets into everything. Should we get anything up here, we might end up with gummed up air intakes for our HVAC and thus compromise our computer-room. Not so good. But if something that big happens again, we'll have bigger problems for a while.

Some links:
Live web-cast (windows media)
Local paper covering it closely
Current USGS statement

Myweb-students stats

Current Time: Tuesday, 05-Oct-2004 11:11:52 PDT
Restart Time: Wednesday, 22-Sep-2004 10:09:23 PDT
Parent Server Generation: 3
Server uptime: 13 days 1 hour 2 minutes 28 seconds
Total accesses: 21832 - Total Traffic: 5.6 GB
.0194 requests/sec - 5.2 kB/second - 268.4 kB/request


All in all, not that busy so far.