April 2006 Archives

High-tech mad-libs

From this morning's ISC Diary:
cat /usr/home/tliston/diaryheader.html > diary.html
echo "$1 has discovered a vulnerability in Internet Explorer," >> diary.html
echo "which can be exploited by $2 to compromise a user's system." >> diary.html
echo "The vulnerability is caused by an error in $3 " >> diary.html
echo "that can be exploited to $4, by tricking a user into visiting" >> diary.html
echo " a malicious web site. Successful exploitation allows $5." >> diary.html
cat /usr/home/tliston/diaryfooter.html >> diary.html
mv diary.html /www/htdocs

tommy: tom$: ./ie_dujour.sh
MATTHEW MURPHY has discovered a vulnerability in Internet Explorer, which can be exploited by EVIL HACKERS to compromise a user's system. The vulnerability is caused by an error in A RACE CONDITION IN THE DISPLAY AND PROCESSING OF SECURITY DIALOGS RELATING TO THE INSTALLATION/EXECUTION OF ACTIVEX CONTROLS that can be exploited to CONVINCE A USER TO INSTALL A MALICIOUS ACTIVEX COMPONENT, by tricking a user into visiting a malicious website. Successful exploitation allows THE ABILITY TO EXECUTE ARBITRARY CODE ON THE TARGET MACHINE.
This IS getting silly. But still. High-tech mad-libs!


MORE pointless stats!

I haven't done an inventory on the Student user-volumes in a while, so I ran a report just now. This is one of three volumes, but statistically it should be good.

  • Total files were around 920,000 files.
  • Top file-type by bytes were PPT files (~42GB).
  • Top file-type by count were DOC files (~18GB).
  • WMA files were the #8 top consumer of space (~8GB), MP3 the #9 (~7.2GB).
  • 77% of files were modified less than 2 years ago.
  • 51% of files were modified less than 1 year ago.
A theoretical HSM solution that archives on modified-date rather than accessed-date wouldn't buy us all that much. I'm not looking at Last Access date since in this modern era of Google Desktop and all the Macintosh Spotlight clones, it is pointless.

Now compare the data from the Faculty/Staff Shared volume:
  • Total files were around 1,800,000 files.
  • Top file-type by bytes were DOC files (125GB).
  • Top file-type by count were also DOC files.
  • WMA/WMF/MP3 don't even show up in the top 20.
  • 37% of files were modified less than 2 years ago.
  • 19% of files were modified less than 1 year ago.
Now HERE we could use a last-modified HSM solution. With 840GB (ish) of data on the volume, we could get some serious savings.
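
The same kind of inventory as an added example, not the reporting tool used for the numbers above: a Python function that tallies a directory tree by extension and by modified-date age, which are the figures a last-modified HSM policy would be sized from. The function name `inventory`, the result keys and the 365-day year are assumptions of this example.

```python
import os
import stat
import sys
import time
from collections import Counter

YEAR = 365 * 24 * 3600  # assumption: a "year" is 365 days

def inventory(root, now=None):
    """Tally regular files under root by extension and by modified-date age."""
    now = time.time() if now is None else now
    by_bytes, by_count = Counter(), Counter()
    total = under_1y = under_2y = archivable = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            try:
                st = os.lstat(os.path.join(dirpath, name))
            except OSError:
                continue  # vanished or unreadable mid-walk
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            ext = os.path.splitext(name)[1].lower() or "(none)"
            by_bytes[ext] += st.st_size
            by_count[ext] += 1
            total += 1
            age = now - st.st_mtime
            if age < YEAR:
                under_1y += 1
            if age < 2 * YEAR:
                under_2y += 1
            else:
                archivable += st.st_size  # not modified for 2+ years
    def pct(n):
        return round(100 * n / total) if total else 0
    return {
        "total_files": total,
        "top_by_bytes": by_bytes.most_common(1)[0] if total else None,
        "top_by_count": by_count.most_common(1)[0] if total else None,
        "pct_modified_under_1y": pct(under_1y),
        "pct_modified_under_2y": pct(under_2y),
        "archivable_bytes": archivable,
    }

if __name__ == "__main__":
    # Usage: python inventory.py /path/to/volume
    for key, value in inventory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{key}: {value}")
```

Using lstat and counting only regular files keeps symlinks from being followed or double-counted during the walk.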


Firing firefox

Today Firefox has pissed me off one too many times. I'm switching to SeaMonkey here at work. Why the switch?
  • Cookie handling in Firefox broke some sites I use regularly. None of them work-related, but private browsing happened often enough it just drove the aggravation level up too high.
  • The URL-bar drop-down sort in Firefox was unusable. I've blogged about this before. Firefox sorts it by added-date, where all other browsers I've used sort it by most-recently-accessed. This had the side effect of making the semi-permanent entries on that list appear at the bottom. And the most frequent things I hit in the drop-down list are at the bottom, entailing long scrolling. Bad design.
  • Cookie exception-handling in SeaMonkey is superior. Firefox's exception handling was clunky. You had to be in 'alert' mode for each cookie to do it on the fly, or pry into the Settings to set your exception. In SeaMonkey (and Mozilla before it) Tools -> Cookie Manager -> selection to set your exception. Much nicer.
Things are a little different, such as no "open in tabs" function for bookmark folders, but still workable. And I'm not as peeved! Always a bonus.



It has been out there for a bit, but I haven't gotten around to trying it until today. But there is a new OpenSSH for NetWare on the Forge site. This is the thing that includes a shared-key method, but it also includes significant bug-fixes from the OpenSSH included in NW65SP4 and SP5. And so far, I believe it. Also, the log files have more data in them which will make troubleshooting future problems easier.


Back from vacation

I spent the last week and a half out of town. Family stuff. Things held up just fine in my absence, and some nice things got done. Like migrating a few more servers to the remote datacenter. Good stuff.

And this morning I'm adding more disks to the SAN. Getting things re-leveled will probably take until tomorrow, though. Then I get to add space to one of the User directory volumes which desperately needs it.

Opinion: The Future of Novell

Novell is facing a problem right now. The market has several demands that they are having trouble meeting.

  • Server Consolidation. Every manager desires fewer servers since fewer servers mean reduced costs.
  • General Purpose Computing. A side-effect of the first point, servers need to be able to multi-task.
  • Reducing the number of operating systems being supported. A form of 'consolidation' but for OS instead of hardware servers.

NetWare fails two of the three conditions. As a file-and-print server, NetWare allows consolidation to a very high level. As a general purpose computer, it is an iffy web-server and is a challenging environment to develop applications for. As for reducing the number of OSes used, NetWare is a speciality OS with delusions of application-serverness. Therefore Novell needs to revamp NetWare to meet market demands.

As one BrainShare attendee said he heard from a Novell employee, NetWare 8 and NetWare 9 were scheduled to have the same features Linux has today. Novell made the hard choice to not try and shim a complex thread model, memory protection, process separation, and robust virtual memory into NetWare and instead try to shim NetWare-quality file-and-print serving into Linux. Technically, it was the easier of the two tasks. And rather than have a market-competitive OS in 5-7 years, they could have one in 2-4. That attempt is Open Enterprise Server - Linux.

OES-Linux file-and-print serving is not quite at the level NetWare is today in terms of stability. It is there for performance; and as I showed, it already exceeds NetWare performance. Stability has improved markedly from First-Customer-Ship, to SP1, to SP2. Version 2 next year will bring even more stability improvements. With OES-Linux being able to support 64-bit computing and NetWare not able to, even more performance gains can be had.

In my opinion, sometime in the next 12-18 months OES-Linux file-and-print serving will surpass OES-NW in both stability and performance.

OES-Linux already turns in faster NCP performance than NetWare does. This is due to two reasons. First, when they ported the NCP code over to Linux they dropped all reference to IPX. Second, during the port they dropped all the deprecated NCP calls. These two improvements provided enough of a speed boost for NCP-on-Linux to outperform NCP-on-NetWare, the native platform. What's more, NCP-on-Linux stands up to just as much concurrent usage as NCP-on-NetWare does; a very critical thing in the WWU environment where the WUF servers frequently have >5000 connections on them.

Now for the bad news.

Unfortunately, Novell has clearly and unambiguously signaled to long-time NetWare shops that the platform they know and love is dead. To further the misfortune, the alternative (OES-Linux) isn't quite there yet in terms of stability. IT managers are facing a migration event, and as I predicted a majority of them are going with the default choice, Windows. To fight this Novell is trying to demonstrate that moving to OES-Linux is mostly painless as a way to stop the flight.

Unfortunately for Novell, once a shop is considering a migration, market bias forces that shop to justify why they are NOT going with a Windows environment (see migration threshold). To make the leap from NetWare (a.k.a. OES-NW) to Linux (a.k.a. OES-Linux) IT Managers have to have solid reasons why they are going with Linux instead of Windows. IT Managers who don't have a clear vision will end up on Windows by default, no matter what Novell (or their IT techs) do or say.

Financially, Novell is in good shape (1st Qtr 2006). They have very little debt, and have a lot of cash. This is a good place to be when faced with losing quite a bit of OS revenue, which they will. Combined, GroupWise and Identity Management products provide about as much income as their OS revenue which combines both NetWare and Linux sources. Foreign income is greater than US income, which is good since SUSE is the #1 Linux distribution in both China and Europe.

By taking the course they have with NetWare, they're going to face some punishing quarters for the next two years as a majority of the former NetWare shops jump ship to Windows. Offsetting that loss will be an increase in Linux sales, but I do not expect that to fully replace the lost NetWare income for several years. Novell has chosen a few punishing quarters over the slow leak they would have had otherwise had they continued to prop up NetWare.

If OES-Linux really were as stable and fast as OES-NW, we wouldn't be facing this problem. But that 12-18 month lead to get there will kill NetWare license renewals. Novell will still be around in 10 years, I have no fear of that. I also have no fear of Novell dropping OES-Linux anytime in the next 5 years. The one thing that may survive to eventually be incorporated into the greater Linux world is the NSS file-system and its rich trustee system. Other than that, NCP-shops will very likely be scarce on the ground in 2011. They'll all be running whatever version of Samba is around in 2011, which by then will be robust enough to do what NCP can do right now.



I found where we're getting the buggy Workstation values! The MST file that associates with the ZenAgent MSI is, for some reason, hard-setting a workstation name and ID. I'm not sure how that MST file is generated, so I'm not sure if this is a bug in the MST creation process or a misconfiguration by the person who generated it.

The client push this morning caused that object I talked about earlier to re-create and all new installs were busily registering against that object. So I renamed the object, and that seems to be forcing new registration requests to generate new objects instead. Which is what I want.

Now to see if we can get that MST file re-jiggered to remove those two values.


A threshold

This morning about 8:32am, we passed a threshold. More Workstations have been imported than we have users in our .users.wwu. context. That number represents faculty/staff workstations and lab-machines, which is why it is over the user count. Having 18676 student accounts, though, means we have large computer labs ;)

That WINS trick REALLY worked.


A neat trick

We have a problem. We need to get workstations imported into eDir. Unfortunately, we have 135 subdomains on our main DNS server, and several organizations here at WWU also manage DNS servers. That means we'd have to get 'zenwsimport' into all of them. Not gonna happen.

The HOSTS hack works to a point... but these days spyware scanners will alert the user to edits to the HOSTS file. So we can't do it quietly. Ergo, not gonna happen without a fight.

So along comes WINS. Most (but far from all) of our workstations point to the central WINS servers. It is a feature of Windows name-resolution that a WINS lookup is involved if DNS turns up nothing. So hopefully, we'll get more registrations now.


Impressions of BrainShare


Bert made a post about his impressions of BrainShare 2006. It is a good read, and I encourage you to go take a look. He and I went to BrainShare for at least one similar reason, to see if Novell had pulled off the switch away from NetWare and onto Linux et al. As such, I think Novell pulled it off. Bert thinks so too.

In my case I went to BrainShare to find out the future of Novell, as well as answer some technical questions we had. It was good, and I continued to meet more and more interesting Novell people (including Bert). It was, eh, unfortunate that my management heard the opposite message I heard at BrainShare. Happily, that situation is not yet unrecoverable.


OS and Browser statistics

I have a bit over a year of logs stashed away in our system. So I'm comparing March 2005 vs March 2006.

| [Student MyWeb] | March o' 05 | March o' 06 |
|---|---|---|
| Most requested page: | ~stazelj2/revolutionary | /~kenagym/videos/SKATE%20at%20woodinville.WMV |
| Hits for most-requested | 1128 | 9191 |
| Top Referral | http://forums.somethingawful.com/showthread.php | http://search.yahoo.com/video/view |
| Top Search Engine | search.msn.com | search.yahoo.com |
| #1 OS | Windows (63%) | Unreported (54%) |
| #2 OS | Unreported (30%) | Windows (43%) |
| #3 OS | Mac (6%) | Mac (4%) |
| #1 Browser | IE (46%) | Mozilla Compatible Agent (42%) |
| #2 Browser | Mozilla (20%) | IE (34%) |
| #3 Browser | Mozilla Compatible Agent (13%) | Mozilla (9%) |

From this it is clear to me that the majority of traffic the Student MyWeb server serves is that skating video. I'm not sure what "Mozilla Compatible Agent" is, but it is generating a lot of sessions. Time to see what doing the sort on 'Bytes' instead gives us:

| [Bytes] | 2005 | 2006 |
|---|---|---|
| #1 OS | Windows (47GB/53%) | Windows (115GB/54%) |
| #2 OS | Unknown (37GB/42%) | Unknown (87GB/41%) |
| #3 OS | Mac (4GB/5%) | Mac (12GB/5%) |
| #1 Browser | IE (39GB/44%) | IE (91GB/42%) |
| #2 Browser | NSPlayer (22GB/25%) | NSPlayer (59GB/27%) |
| #3 Browser | contype (11GB/11%) | Mozilla (26GB/12%) |

So when looking at bytes transferred, there isn't a lot of movement in either OS or Browser used. NSPlayer constitutes a large percentage of the data being served, which makes sense since media files are huge. Safari was under 4% in either case. Honestly, I did figure that Macs would make for a larger percentage of the total than they did.

Now for a look at the FacStaff side. No skating video over there, so it should provide some interesting data.

| [FacStaff MyWeb] | March o' 05 | March o' 06 |
|---|---|---|
| Most requested page: | /~riedesg/sysadmin1138/atom.xml | ~riedesg/sysadmin1138/atom.xml |
| Hits for most-requested | 5211 | 11043 |
| Top Referral | www.google.com/search | www.google.com/search |
| Top Search Engine | www.google.com/ | www.google.com/ |
| #1 OS | Windows (3.63GB/75%) | Windows (22GB/78%) |
| #2 OS | Unknown (1GB/20%) | Unknown (5GB/18%) |
| #3 OS | Mac (.2GB/5%) | Mac (1GB/4%) |
| #1 Browser | IE (3.3GB/68%) | IE (18GB/63%) |
| #2 Browser | Mozilla (.32GB/7%) | Mozilla (4GB/15%) |
| #3 Browser | msnbot (.21GB/4%) | Mozilla Compatible Agent (1GB/4%) |

Not too surprisingly, the top hit is still the RSS file for this blog. It is very clear from this data that MyWeb-FacStaff is used a lot less than it is on the Student side. About an eighth as much, as it happens.

The OS/browser breakdown on the FacStaff side is also interesting. Clearly fewer media players are hitting the server, so we get a more 'pure' sample. Macs constitute about 5% of traffic either way. It is also clear that Macs aren't all using Safari. Linux is on the chart, and in both cases scores about .2% of the total traffic.


Who knew?

Apparently the Libraries have their own account domain that I didn't even know existed. We learned this because they asked our help in finding and setting up a single-sign-on solution, like the one we have everywhere else on campus. Makes sense, SSO is good stuff.

Back at the founding of our fine institution the Library made it a policy to extend borrowing privs to members of the community. I understand this is somewhat unusual at places of higher education, but there we are. Once the electronic age hit, they had to give these community borrowers a presence in the system.

How that was done was to allocate a block of "W numbers" in Banner, and let Libraries handle it. Community person comes in, signs up, and gets allocated a W-number. How the libraries handle the allocation, I don't know. What I do know is that to use most systems over there you have to use your W-number (in essence the number our HR system uses in the place of a name) and PIN (actually a number). Oh. so. secure.

Anyway. So here we have this identity source that our 'authoritative' identity system has no data on beyond "allocated to libraries". Libraries do not, we think, populate back identity data to our central store (Banner). So how are we going to knit things together? This is going to take some debate.
