blog.scottlowe.org

The weblog of an IT pro specializing in virtualization, storage, and servers

Archive for October, 2005

OpenBSD 3.8

October 28th, 2005 by slowe

It’s hard to believe that I’ve been posting articles here for this long, but it’s time for another release of OpenBSD.  As I’ve mentioned here before, I do use OpenBSD for a few purposes on my network, and I’m confident that OpenBSD 3.8, due November 1, will find its way onto the network as well.  (It’s fairly likely it will quickly replace OpenBSD 3.7.)

You know you are a true geek when you start measuring time in OpenBSD releases (“I’ve had this for over 8 OpenBSD releases!”)

As usual, the OpenBSD web site has more information on ordering CD-ROMs or T-shirts to help support the project.

If you like using Unix-like operating systems (like Linux), then you should try OpenBSD.

Category: Unix | Comments Off

Shelob (or Ungoliant)

October 28th, 2005 by slowe

This story about the University of Indianapolis and their home-grown system for quarantining PCs infected by spyware or viruses is really interesting.  Named Shelob (and soon to be renamed Ungoliant to prevent a conflict with another open source project), this system really works.  Today.  How is it, then, that a group of IT staffers at a university can come up with a system for network access control, but multi-million dollar companies like Cisco and Microsoft can’t?  I could say that this is a testament to the value of open source software, upon which the solution is built, but that seems fairly obvious.


Category: Security, Networking | Comments Off

I Want One!

October 19th, 2005 by slowe

The new Sun “Galaxy” x64 servers (the Sun Fire X4100 and Sun Fire X4200) are wicked cool.  Hot-swappable 2.5” Serial Attached SCSI (SAS) drives…dual-core AMD Opteron CPUs…quad built-in Gigabit Ethernet ports…it’s enough to make me want one.  Even better, they run Windows, Linux, or Solaris (all fully supported by Sun, too).  It’s almost like having your cake and eating it, too.


Category: General | Comments Off

Technology Convergence

October 19th, 2005 by slowe

It’s about time.  I’ve been waiting for someone to take revolutionary (in my opinion, at least) technologies such as virtualization, blade servers (or any alternative server form factors), and thin-client access and combine them.  And that’s exactly what IBM, VMware, and Citrix are doing, as discussed here.

Leveraging their individual strengths (IBM’s hardware, VMware’s virtualization, and Citrix’s access technologies), the group is rolling out a hosted client infrastructure that will compete directly with so-called “blade PCs” (from companies such as ClearCube) and traditional thin clients (from companies such as Wyse and Neoware).  The nice thing about this solution is that it works equally well with full PCs and thin client devices.

This is good stuff.  IBM’s blade servers are well-respected, and IBM’s integration of their blades with technologies from Cisco Systems (such as their Cisco Systems Intelligent Gigabit Ethernet Switch Module for the IBM eServer BladeCenter, more information available here) gives them a leg up on the competitors.  As for virtualization…well, VMware invented the market, and while Microsoft may be offering a virtualization product of its own they have a long way to go to catch up.  VMware’s latest version of ESX Server offers much-improved resource utilization and scheduling functionality, particularly when used in combination with the latest version of VirtualCenter.  Likewise, Citrix pioneered multi-user Windows and the ICA protocol, and they continue to innovate in recent versions of Presentation Manager.

Combining these technologies to create a dynamic environment where users are seamlessly connected to virtual servers hosted on and across multiple blade servers is a natural evolution for each of these technologies.  (I would guess that I don’t need to point out how full circle this brings enterprise computing environments.)


Category: Networking, Interoperability | Comments Off

Protecting Against OpenSSL SSLv2 Flaw

October 18th, 2005 by slowe

The recent flaw in OpenSSL (versions prior to 0.9.7h and 0.9.8a) highlights the fact that SSL is not a security panacea.  (You can get more information about this flaw from the link above, from this eWeek article, or from this Netcraft post.)

Disabling the SSL v2 protocol entirely is another way to protect against this flaw.  Since OpenSSL is a set of libraries that other applications use to add SSL/TLS functionality, though, that configuration occurs within the specific applications, not within OpenSSL itself.  Here’s how to protect Apache by disabling SSL v2.

To disable SSL v2 support within Apache 2.0 with mod_ssl, use the following directive in the Apache configuration:

SSLProtocol +All -SSLv2

This enables SSLv3 and TLSv1, but disables SSLv2. (Also see this Apache httpd documentation.)
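To see exactly what a given SSLProtocol line leaves enabled, here is a small evaluator, added as an example; it is not code from the original post or from the Apache project. It applies the rules mod_ssl's parser uses for this directive (a bare token replaces the set, a "+" prefix adds, a "-" prefix removes, names are matched case-insensitively, and "all" means SSLv2, SSLv3 and TLSv1 in Apache 2.0) to the last SSLProtocol line found in a flat config fragment, and reports whether SSLv2 survives. The config fragments are constructed; per-VirtualHost scoping is not modelled.

```python
"""Evaluate Apache 2.0 mod_ssl SSLProtocol directives and report whether
SSLv2 is still enabled.  Added example, not from the original post; the
config fragments at the bottom are constructed for illustration."""

import re

# Protocol tokens mod_ssl 2.0 understands; "all" expands to every one of them.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")
# mod_ssl 2.0 behaves as "SSLProtocol all" when the directive is absent.
DEFAULT = frozenset(PROTOCOLS)


class SSLProtocolError(ValueError):
    """Raised for a token mod_ssl would reject at startup."""


def evaluate_sslprotocol(args):
    """Apply one SSLProtocol argument list using mod_ssl's rules:
    '+tok' adds, '-tok' removes, a bare token replaces the whole set,
    and token names are case-insensitive."""
    enabled = set()
    for word in args.split():
        action = ""
        if word[0] in "+-":
            action, word = word[0], word[1:]
        key = word.lower()
        if key == "all":
            chosen = set(PROTOCOLS)
        else:
            chosen = {p for p in PROTOCOLS if p.lower() == key}
            if not chosen:
                raise SSLProtocolError(f"unknown protocol token: {word!r}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen
    return frozenset(enabled)


# Matches an uncommented SSLProtocol line; a leading '#' keeps it from matching.
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def enabled_protocols(config_text):
    """Protocol set left enabled by the last SSLProtocol line in a fragment
    (a later directive in the same scope overrides an earlier one)."""
    matches = DIRECTIVE.findall(config_text)
    if not matches:
        return DEFAULT
    return evaluate_sslprotocol(matches[-1])


def sslv2_enabled(config_text):
    return "SSLv2" in enabled_protocols(config_text)


# Constructed fragments: the permissive default and the post's fix.
WEAK_CONFIG = "SSLEngine on\nSSLProtocol all\n"
FIXED_CONFIG = "SSLEngine on\nSSLProtocol +All -SSLv2\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG),
                       ("no directive", "SSLEngine on\n")):
        print(f"{name:12s} enabled={sorted(enabled_protocols(text))} "
              f"sslv2={sslv2_enabled(text)}")
```

One detail the evaluator makes visible: a line consisting only of "-SSLv2" leaves nothing enabled under these rules, because subtraction starts from an empty set, which is why the directive above pairs "+All" with "-SSLv2". The script only reads configuration; after restarting httpd, confirm the running server refuses SSLv2 as well (an OpenSSL build of that era could attempt an SSLv2-only handshake with "openssl s_client -ssl2 -connect host:443").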

I searched for but couldn’t find a similar workaround for Postfix.  The smtpd_tls_cipherlist and smtp_tls_cipherlist directives allow you to specify the supported ciphers and refer you to the OpenSSL documentation.  However, the OpenSSL documentation didn’t seem to indicate a clear way of disabling only SSL v2.  There did appear to be some discussion of adding this functionality in Postfix 2.3.  If anyone knows of the particular keywords to specify with the smtpd_tls_cipherlist and smtp_tls_cipherlist commands for Postfix (or knows of any other way to disable SSL v2 support in Postfix), please let me know.


Category: Security | Comments Off

Bluetooth Interfering with GPRS on my Treo 650

October 8th, 2005 by slowe

Some time ago, I noticed while using my Treo 650 that I could not perform a HotSync operation via Bluetooth while I had a GPRS connection active.  As if that wasn’t enough, I’ve discovered what appears to be a further incompatibility between these two wireless technologies.

It appears as if anytime I use Bluetooth on the Treo 650 for anything other than communicating with my wireless headset (a Motorola HS850), I am unable to establish a GPRS connection.  I get an error (the exact text varies) whenever I try to establish the GPRS connection.

I’ve reviewed all the various settings on the Treo, but I don’t see anything that needs to be changed to fix this.  This is terribly irritating, since I’d really like to be able to wirelessly HotSync my Treo to my PowerBook while I am away from the office without having to give up my data access via GPRS.


Category: Networking | Comments Off

Just in Case

October 8th, 2005 by slowe

I’ve mentioned the bug discussed in KB905809 several times in this blog.  In reading those posts (or reading the KB article), you’ve probably seen that you can use the SC.EXE command to set the security descriptors on the Service Control Manager to fix the bug.  What happens, though, if you mess up the SC.EXE command?

It turns out that this very thing happened recently.  A systems administrator copied the required SC.EXE command line from a Word document, thinking it was safer to copy and paste than try to type the command line directly.  As it turns out, the copied text from Word had a carriage return in it, and this caused the command line to terminate early (before all the security descriptors were applied).  In fact, what happened is that all of the “Write” permissions were removed.

If you run “sc sdshow scmanager” on a system running Windows Server 2003 SP1, you’ll get this:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

(Side note:  The first section is the problem area, as this is what grants permission to the Authenticated Users group. In the fix described in KB905809, this section changes to grant Authenticated Users more permissions.)

In this particular situation, all of the “Write” permissions—everything after the “(A;;CCLCRPRC;;;SU)” section—were accidentally removed.  So, when the administrator realized what had happened and went back to try to fix it, the system kicked back an “Access Denied” error message, because the permissions had been removed.  With no permission to change the permissions, what could be done?

Fortunately, we found a fix.  This URL describes a Registry key that someone else had concocted trying to fix this very problem.  In my discussions with Microsoft Product Support services, they analyzed this Registry hack and determined that the end result was the same as the SC.EXE command.  By importing this Registry fix, we were able to restore the permissions that had been inadvertently removed.  We then used SC again (with “sdshow scmanager”) to verify that the permissions were as they needed to be.

We are fortunate that this Registry fix solved the problem.  Had the Registry fix not worked, we most likely would have had to rebuild the server in question—not a pleasant thought given that we had several hundred users already migrated over to that server.
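A pre-flight check would have caught this before the command ran. The following script is an added example, not code from the original post or from Microsoft: it parses the SDDL syntax that sc sdshow prints and sc sdset accepts, rejects a string that still carries a line break (the copy-and-paste problem described above), and reports whether the DACL still grants anyone WRITE_DAC, the right needed to change the descriptor again. The inputs are constructed: the SP1 default quoted above, the truncated remainder a line break would leave behind, and a pasted string with the break still in it.

```python
"""Pre-flight check for an SDDL string before it is passed to `sc sdset`.
Added example, not code from the original post.  Parses the SDDL syntax
used by `sc sdshow`/`sc sdset`, rejects strings containing line breaks,
and reports whether the DACL still lets anyone rewrite the descriptor."""

import re

# SDDL access-right abbreviations (Windows access-mask bits).  On the Service
# Control Manager the low bits mean: CC=connect, DC=create service,
# LC=enumerate, SW=lock, RP=query lock status, WP=modify boot config.
RIGHTS = {
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "KA": 0x000F003F, "FA": 0x001F01FF,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
WRITE_DAC = RIGHTS["WD"]      # the right needed to change the DACL itself
GENERIC_ALL = RIGHTS["GA"]

# A D: or S: section is optional ACL flags followed by zero or more "(...)" ACEs.
SECTION_RE = re.compile(r"^([A-Z]*)((?:\([^()]*\))*)$")
ACE_RE = re.compile(r"\(([^()]*)\)")


def parse_rights(token):
    """Decode an SDDL rights field: a hex mask or concatenated two-letter codes."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    if len(token) % 2:
        raise ValueError(f"malformed rights field {token!r}")
    mask = 0
    for i in range(0, len(token), 2):
        code = token[i:i + 2]
        if code not in RIGHTS:
            raise ValueError(f"unknown right {code!r} in {token!r}")
        mask |= RIGHTS[code]
    return mask


def parse_sddl(sddl):
    """Return {'dacl': [ACEs], 'sacl': [ACEs]}; raise ValueError on malformed input."""
    if "\r" in sddl or "\n" in sddl:
        raise ValueError("SDDL contains a line break; the sc command line would be cut short")
    parts = re.split(r"([OGDS]):", sddl.strip())
    if parts[0] != "":
        raise ValueError(f"unexpected text before first section: {parts[0]!r}")
    acls = {"dacl": [], "sacl": []}
    for marker, body in zip(parts[1::2], parts[2::2]):
        if marker in ("O", "G"):
            continue                      # owner/group SIDs are not needed here
        m = SECTION_RE.match(body)
        if not m:
            raise ValueError(f"malformed {marker}: section {body!r}")
        key = "dacl" if marker == "D" else "sacl"
        for ace_text in ACE_RE.findall(m.group(2)):
            fields = ace_text.split(";")
            if len(fields) != 6:
                raise ValueError(f"ACE {ace_text!r} does not have 6 fields")
            ace_type, flags, rights, _obj, _inh, trustee = fields
            acls[key].append({"type": ace_type, "flags": flags,
                              "mask": parse_rights(rights), "trustee": trustee})
    return acls


def check_scm_descriptor(sddl):
    """List the problems a cautious admin wants to see before running sc sdset."""
    try:
        sd = parse_sddl(sddl)
    except ValueError as err:
        return [str(err)]
    problems = []
    rewriters = [ace["trustee"] for ace in sd["dacl"]
                 if ace["type"] == "A" and ace["mask"] & (WRITE_DAC | GENERIC_ALL)]
    if not rewriters:
        problems.append("no allow ACE grants WRITE_DAC; a further sc sdset would be refused")
    if not sd["sacl"]:
        problems.append("no SACL section; the audit entries are missing")
    return problems


# Constructed inputs: the SP1 default quoted in the post, the truncated
# remainder a line break leaves behind, and a pasted string still carrying it.
DEFAULT_SP1 = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
               "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
TRUNCATED = "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
PASTED = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)\r\n"
          "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)")

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_SP1), ("truncated", TRUNCATED), ("pasted", PASTED)):
        print(name, "->", check_scm_descriptor(text) or ["ok"])
```

Run the check against the exact string you are about to pass on the command line; the truncated input reproduces the state described above, where no remaining ACE carries WRITE_DAC, and the pasted input is rejected outright before anything reaches sc.exe.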

What can we learn from this situation?  Here are my thoughts:

  1. Always type your commands by hand, instead of copying and pasting.
  2. Take appropriate precautions.  In large-scale production environments, pull a hot-plug hard drive from the RAID array first.  If things go south, shut the server down and reboot from the pristine drive.
  3. When running a command like this, pray.

The real question, in my mind, is this:  why isn’t Microsoft going to fix this bug?  We may never know the answer to that question.


Category: Microsoft | Comments Off

An Interesting Viewpoint

October 6th, 2005 by slowe

I don’t know that I necessarily agree with his viewpoint, but in “A fake freedom”, the question is raised:  Do we really own our data?

Are the pictures uploaded to Flickr still yours?  What about the bookmarks you’ve posted on del.icio.us?  Or the weblog entries on a free weblog service such as Blogger?  You think so?  Says who?

Truly paranoid people could be worried that these services might maintain copies of their information, even after the user has requested that they be deleted.  Of course, if you are really worried about copies of stuff, you may want to think about the Google cache…

At the very least, it would probably be a good idea to keep copies of this kind of information somewhere other than these “free” services.  Otherwise, you just never know when a site may suddenly go dark, so to speak, for any number of reasons.


Category: General | Comments Off

Open Source on Mac OS X

October 6th, 2005 by slowe

Most people automatically equate “open source” with Linux or Apache.  But there’s more to open source than that.  There are a wide variety of open source projects that are also targeted at (gasp) Microsoft Windows and Mac OS X.

Being a Mac user myself, I was particularly interested in this article recently posted at NewsForge.  Some of the projects listed there were new to me; for example, I had never heard of or used Vienna.  Given that I don’t like brushed metal interfaces (can’t stand them) and that I already use a commercial RSS reader, Vienna won’t do me much good.

Many of the projects listed there, though, I was familiar with and actually using currently.  For example, Adium X is my default IM client (I use it to stay connected to MSN, AIM, and Google Talk), Cyberduck is my FTP/SFTP client, and Growl helps keep me informed about what is happening with all the various applications I have running.  I’ve never used Seashore, but I’ll probably have a look at it soon (I’ve been looking for a good image editor).

This link (also referenced in the NewsForge article) lists an even larger variety of open source Mac applications.  Again, some I recognize (and use), a lot that I don’t.  If you are a Mac user, I encourage you to take another look at some of the many high-quality open source projects available.

Category: Macintosh | Comments Off

Moving Back to Desktop Manager

October 4th, 2005 by slowe

Over the last few days or so, I have been experimenting with Virtue, a virtual desktop application.  I’ve used various virtual desktop applications since switching to Mac OS X (see this blog posting).  After getting used to the lack of a desktop pager, I was really beginning to like Virtue and its functionality, even though it seemed as though the Virtue project had slowed and/or stopped development.  Finally, after searching around for some way of re-instating the “Run Application” feature in Desktop Manager, I found that Virtue was incompatible with Mac OS X 10.4, aka “Tiger.”  Since I’ve been researching the possibility of an upgrade to Tiger, I decided I’d better switch back to an application that was supposed to run under Tiger (which, based on what I’ve been able to find, Desktop Manager does).

It’s a real shame, too.  Virtue has a great feature set (I love the idea of the “primitives,” which are text and/or colors that can be applied to individual desktops).  I didn’t use the per-desktop wallpaper functionality or the per-desktop icons, but I know a few people whose desktop-centric filing system would have really loved those features.

If I were a programmer, I’d probably pick up the code myself and run with it.  But I’m not, so there you go.

Category: Macintosh | No Comments »