blog.scottlowe.org

The weblog of an IT pro specializing in virtualization, storage, and servers

Archive for February, 2006

Staying Open

February 25th, 2006 by slowe

You might think, given my technological tendencies, that this post has something to do with industry standards, free/open source software, or similar.  Not exactly.  It’s about keeping an open mind—just not in the way that you might think.

I was driving to my church earlier tonight for a little get together we were having for the younger kids in our church.  I help serve on the team of people that coordinate and conduct these events, and I have some younger kids that would be participating, so naturally I needed to be there.  As I was driving, I was listening to Steven Curtis Chapman’s All Things New CD and the song “What Now” came on.

If you’ve never heard the song, the basic gist is that God can appear to us in many forms.  In one instance, God is appearing as a little orphan girl; in another, as a homeless boy.  In each of these cases, God is asking the question:  “You wanted to find Me, so here I am.  What now?”

Indeed, what now?  How many times have we asked God to lead us in the direction He would have us to go, only for us to go the direction we wanted?  How many times have we asked God to show us how we can show the love of Jesus to the world, only to fail Him at the first test?  The song really reminded me of the need for me—for all Christians—to keep our eyes and our minds open to God.  We need to stay open, open to the leading of the Lord, open to the possibilities that God has in store for us.

Easy to say, hard to do, I know.  And later in the evening, the Lord put me to the test.  As I was walking into the church after dropping my daughter off at home, a gentleman in an older pickup truck stops me in the parking lot.  He claims to be new to the area, and says that his family is stranded with a broken down car.  He needs money to get their car towed.

“Oh, Scott,” I hear you saying.  “Surely you didn’t give him any money, did you?  You know he’s using that money for drugs or alcohol!”

No, I don’t know that.  What if that were us?  What if we were the ones that were $15 short of being able to tow our cars home and get our family home safely?  Wouldn’t you want someone to help you?  The way I see it, if this gentleman feels the need to con people out of money through treachery and deceit, he’ll answer to the Lord for that.  But if this man really did need some help and I don’t help him, I’ll answer to the Lord for not helping him.  So I helped him, and I wished for God to bless him, and I’m going to trust the Lord to honor my faithfulness.

So, I urge you, if you are a Christian, to keep your mind open to the leading of the Lord.  Stay open to opportunities where you can show the love of Jesus to the world, and keep in mind that those opportunities may not appear the way you expect them to appear.

Category: Personal | Comments Off

Mac Users Must Be Careful Too

February 21st, 2006 by slowe

After all the hubbub around the new Mac malware subsided, it turned out that Mac users shared something with their Windows-using counterparts:  they have to be careful, too.

The extensive coverage of the Mac malware showed that, in the end, the security vulnerability is really more of a user issue than anything else.  For more information, see this coverage from ONLamp.com (part of O’Reilly) or this vulnerability from Secunia.

For years, Windows users have been preached at not to open executable files, not to open untrusted file attachments, etc.  Mac users, living in their smug little world, didn’t have to worry about that.  “Mac OS X is immune to viruses,” everyone would say.

Hardly.  (Yes, for the record, I am a Mac user, and I love my PowerBook and Mac OS X.)  While I do believe that the core architecture of Mac OS X does lend itself to be generally more secure than Windows, that does NOT mean that Macs are immune.  It just means that Mac users need to pay a little more attention to what they are doing, and they need to learn the same lessons that Windows users have had to learn.  What lessons are those?  Don’t open executable attachments.  Don’t open or download untrusted files.  Don’t assume that just because a file says it’s a picture it’s actually a picture.

I will say that Apple must assume a portion of the blame here.  First, the whole resource fork/extension mess that the Finder uses to determine how to open an application is partly at fault here.  Otherwise, it wouldn’t be possible to create an executable file that presented itself as a JPG or an MP3.  Apple needs to resolve that, somehow, as things move forward.  Second, Safari should have had the “Open safe files after downloading” option turned off by default, rather than the opposite.  And, finally, Apple needs to make sure that Mac OS X relies on something other than the “shebang” line to identify files as a shell script.

In the meantime, just use the features already present in your Mac web browser (both Safari and Camino have options for not opening “safe” files after downloading) and don’t blindly trust that files are indeed what they claim to be.  It may be a new lesson for most Mac users, but it’s an important one for all of us to learn.

Category: Macintosh | Comments Off

What I Want To Do When I Grow Up

February 21st, 2006 by slowe

As some of you may already know, I’ve been wrestling with an important career decision for quite a while now.  In thinking about this decision, I’ve had to take an honest look at what I really want to do.  What brings me the most satisfaction in my career?  In other words, what do I want to do when I grow up?

In looking back at the work that I’ve done for the last few years, I can tell you the projects, the customers, the tasks that have been most satisfying for me.  The worldwide Active Directory migration that I helped design and install—that was a good one.  I enjoyed the huge Cisco network installation I did a few years ago, at the height of the dot-com boom, for a startup.  I led a POP3/SMTP-to-Exchange migration a couple of years ago that was fun as well.  What does each of these things have in common?  They’re projects.

“Well, duh, Scott!  Of course they’re projects!” you say.

Yes, but a project has a defined start and a defined end.  (At least, a good project does.)  A project has a defined set of goals that must be attained in order to be considered complete.  Projects don’t go on endlessly, and projects typically don’t end up being the same thing over and over again.  (Yes, I know we all have stories about projects that do go on endlessly, but I think we all can say that those are the exception and not the norm.)

In addition, each of these projects is notable for another reason:  they forced me to expand my knowledge, they challenged my current skill set and drove me into new territory.  I love to learn—I’m constantly seeking out new technologies, new products, new integration techniques to pick up some new piece of knowledge that I didn’t have before.  Each of the projects that sticks out in my memory was a challenging project, one that led me to a new level of knowledge or to a new skill altogether.

I have known for quite some time that my personality is more of a “builder” personality.  I like to build things.  I like to create networks, and build servers, and craft e-mail systems, and assemble complex clusters.  That’s just how I am.  I’ve had customers offer to hire me (which is flattering, of course), but I know that I wouldn’t be satisfied because eventually the building would stop.  And when the building stopped, I’d be bored.  I’m a builder.

So as I’ve taken a deep hard look at where my career is right now, and what I’m doing right now, I find that I’m not building very much.  Instead, I’m maintaining.  I’m maintaining backup systems, or e-mail servers, or desktop workstations, or laptops, or whatever.  But I’m not building, I’m not involved in any projects, and I’m not really being challenged.

If my greatest satisfaction comes from building, from being involved in projects that challenge my skills and drive me to learn new things and expand what I already know, then isn’t that where I should be?  If I can meet my family’s needs (financially and otherwise) doing that, shouldn’t I be doing that?  Or is there something more that I am missing?

Category: Personal | Comments Off

A Pair of Asterisk Articles

February 20th, 2006 by slowe

There’s been a bit of an Asterisk convergence recently, or at least for me.  I’ve come across a couple of articles that share one thing in common:  the open source Asterisk VoIP PBX software.  From wireless routers to virtual machines, Asterisk is making some noise.

First, there was this article from Nerd Vittles about a prebuilt Asterisk@Home virtual machine (intended to be used with the free VMware Player, but conceivably also usable with the upcoming free VMware Server) available from vmwarez.com.  For all of us who’ve thought about experimenting with Asterisk, now we have no more excuses.  With a prebuilt VM that has already taken the tedium from building an Asterisk PBX, now all we have to do is load it up and start tinkering.  (Nerd Vittles also has a great article on the setup of Asterisk@Home 2.5.)

(Note:  Asterisk@Home is a project that combines Asterisk with the base operating system—CentOS 4.2—and a number of associated applications for easy installation and deployment.)

Then, I find this article from NewsForge about Asterisk@Home running on OpenWrt.  OpenWrt is a Linux distribution designed for wireless routers; specifically, the Linksys WRT54 series.  It’s cool enough being able to load a full Linux distribution onto a wireless router, but it’s even cooler being able to turn that wireless router into an open source VoIP PBX as well.  What will they think of next?

Category: Networking | Comments Off

Apple Virtualization Drawing Near

February 20th, 2006 by slowe

Remember me pining for virtualization on Apple’s new Intel-based Macs?  That day has drawn much, much closer with the release of Universal binaries of Q, a Mac OS X port of QEMU.

It’s still an “unstable” build, but with Universal binaries available for Q, we now have the option of running x86 operating systems on an x86-based Apple with Mac OS X as the host.  Sweet!  This will probably be one of the very first things I try once I get my hands on a new MacBook Pro; unfortunately, my budget being what it is (i.e., too limited for a new MacBook Pro right now), that will have to wait.  But that’s OK, as it will give the excellent Q project more time to mature and develop.

Category: Macintosh, Virtualization | Comments Off

Details on Transparent RDP Tunneling

February 19th, 2006 by slowe

Quite a long time ago, I posted two short articles on transparent RDP tunneling (read more here and here).  To be honest, I had forgotten that I hadn’t posted more complete details on how exactly I went about making it work.  So, to rectify that problem, here are the full details.

First, some background.  I have a number of customers whose servers I manage remotely via Remote Desktop.  Remote Desktop (or Terminal Services, if running in Application Server mode), as you may be aware, uses Microsoft’s RDP as the protocol.  Not comfortable using RDP across the Internet, I always encrypted RDP using SSL (typically via Stunnel), but this proved unwieldy as the number of servers increased.  I needed a way that I could use any ordinary RDP client from within my office and transparently tunnel that RDP traffic inside SSL.

(Aside:  This became unwieldy because of the number of client-side definitions I had to create on my Mac OS X laptop using SSL Enabler.  After a while, it became difficult to remember which local port corresponded with each remote server.)

So, using OpenBSD (then version 3.7, now version 3.8), I first added some additional IP addresses to the le1 interface by modifying the /etc/hostname.le1 file like so:

inet 192.168.100.1 255.255.0.0
alias 192.168.100.2
alias 192.168.100.3

Using ping, I verified that the new IP addresses were responding, then proceeded to configure Stunnel to accept unencrypted connections and forward them to another host as encrypted connections.  The Stunnel configuration looked something like this:

client = yes
[ms-wbt-server]
accept  = 192.168.100.2:3389
connect = 172.16.100.100:54321

I also had to add the “ms-wbt-server” to the /etc/services file with the appropriate port numbers (3389).

On the other end of the tunnel, Stunnel was set up in reverse—it was configured to receive an encrypted connection on port 54321 (for example) and forward that as an unencrypted connection to the standard RDP port (3389).  The Stunnel configuration looked something like this:

CApath = c:\winnt\system32\stunnel
cert = c:\winnt\system32\stunnel\stunnel.pem
client = no
service = SSLTunnel
[ms-wbt-server-s]
accept = 54321
connect = 3389

Again, the “ms-wbt-server-s” (for “secure”) had to be added to the services file (on Windows boxes typically located in “C:\winnt\system32\drivers\etc”).  Then I registered Stunnel to run as a service (I believe the command-line was “stunnel -s <config file name>” or similar).  Upon starting the service, I verified that we now had a listening port using “netstat -an”.

When all looked good, I configured any firewalls to pass the appropriate traffic and tested the connection.  Done!  I was now able to connect to one of the internal IP addresses on the OpenBSD server using a standard, unencrypted RDP connection.  That connection was then encrypted in SSL and forwarded across the Internet to a waiting Stunnel instance, where it was decrypted and handed off to the RDP listener.

With a few modifications, this approach could easily be used to create application-specific VPNs between multiple locations within the same organization, or between different organizations.
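
The two Stunnel configurations shown above wrap RDP in SSL but set no "verify" option, so neither end checks the other's certificate.  The following is an added example, not part of the original post:  a small Python audit that flags Stunnel services lacking peer verification.  The hardened client configuration, its file paths, and the function names are constructed for illustration.

```python
# Added example: flag stunnel services that do not authenticate their peer.
# The "as posted" configs mirror the ones in the post.
CLIENT_AS_POSTED = """
client = yes
[ms-wbt-server]
accept  = 192.168.100.2:3389
connect = 172.16.100.100:54321
"""

SERVER_AS_POSTED = r"""
CApath = c:\winnt\system32\stunnel
cert = c:\winnt\system32\stunnel\stunnel.pem
client = no
service = SSLTunnel
[ms-wbt-server-s]
accept = 54321
connect = 3389
"""

# Constructed: the same client tunnel, now requiring a certificate chained to
# a known CA. The file path is a placeholder, not taken from the post.
CLIENT_HARDENED = """
client = yes
CAfile = /etc/stunnel/tunnel-ca.pem
verify = 2
[ms-wbt-server]
accept  = 192.168.100.2:3389
connect = 172.16.100.100:54321
"""


def parse_stunnel(text):
    """Split config text into (global options, {service name: options})."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":            # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        key, sep, value = line.partition("=")
        if sep:                                    # option names stored lower-cased
            target = global_opts if current is None else current
            target[key.strip().lower()] = value.strip()
    return global_opts, services


def audit(text):
    """Return (service, role, problem) for each service lacking peer verification."""
    global_opts, services = parse_stunnel(text)
    findings = []
    for name, opts in services.items():
        eff = {**global_opts, **opts}              # service options override global ones
        role = "client" if eff.get("client", "no").lower() == "yes" else "server"
        level = int(eff.get("verify", "0"))        # absent means no verification
        if level < 2:
            findings.append((name, role, "peer certificate not required (verify < 2)"))
        elif "cafile" not in eff and "capath" not in eff:
            findings.append((name, role, "verify set but no CAfile/CApath to check against"))
    return findings


if __name__ == "__main__":
    for label, cfg in [("client as posted", CLIENT_AS_POSTED),
                       ("server as posted", SERVER_AS_POSTED),
                       ("client hardened", CLIENT_HARDENED)]:
        print(label, "->", audit(cfg) or "ok")
```

On the server side, the same "verify = 2" plus a CAfile makes Stunnel demand a client certificate before it hands the connection to port 3389.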

Category: Networking, Interoperability | Comments Off

Information Overload

February 16th, 2006 by slowe

My customers rely on me to have the information they need.  As a result, I have to stay on top of lots of information:  new product releases, security patches, mergers, product interoperability—and that’s just the beginning.  I’m trying to use technology to help with the information overload, but is it really helping?

Let’s take RSS, for example.  I currently subscribe to 25 different feeds from a variety of news sources and weblogs.  I use a filing system in my newsreader (here’s a shameless plug for PulpFiction) so that articles from the various feeds get placed into a “Articles to Read”, “Articles to E-Mail”, etc.  I’m pretty good about trying to keep the Inbox in PulpFiction empty, but now I’ve got 35 articles in my “Articles to Read” folder and 8 links to follow from a del.icio.us feed (I have a person in my office who researches stuff on the Internet for me, adds what she finds to her del.icio.us bookmark list, then feeds it to me via RSS).

And that’s just RSS.  What about e-mail?  I’m subscribed to so many newsletters and automatic notification services that I get upwards of a dozen or more messages every day.  Since I don’t have time to read all of these, I forward them to a newsgroup hosted on an internal server so that I can go back and review them later.

And speaking of newsgroups, how in the world do I have time to keep up with a dozen or so core newsgroups?  My Usenet reader, Unison (another shameless plug), doesn’t yet support offline reading, so I have to read everything online.

Between newsgroups, e-mail, RSS, and “ordinary” web sites, I’m getting so much information I can’t adequately process it all.  And I can’t devote more time to it, because then what about my family?  Staying informed is important, but it’s my role as a father that is most important (easy to say, hard to practice!).

So what about all of you?  What tricks, techniques, tips do you have for coping with all the information being force-fed into our brains?

Category: General | Comments Off

OS/2 Lives On!

February 16th, 2006 by slowe

NewsForge ran this article about FOSS (free and open source software) for OS/2.  It was a real eye-opener; I hadn’t even considered the possibility that the kind of grassroots support that has driven the support and development of operating systems such as Linux and the BSDs (OpenBSD, FreeBSD, and NetBSD) might also work for OS/2.

I used to run OS/2, years ago, on one of my very earliest computers.  I said then, and I’ll say again today, that OS/2 was light-years ahead of anything else available at the time.  Sadly, it’s not always the best technology that wins, and let’s just say that Microsoft has always been good at marketing.  (I think both IBM and Novell have seen the strength of Microsoft’s marketing muscle.)  The object-oriented WorkPlace Shell was everything that Windows had always wanted to be but never quite made it.  And virtual DOS machines—the ability to boot multiple, distinct DOS versions in separate, isolated environments hinted at the virtualization trend that is now taking everything by storm.  Of course, this was years and years before VMware ever came into existence (but not before IBM was doing virtualization on the mainframe; see this article for examples).

Alas, OS/2 never got the treatment it rightfully deserved.  Languishing from a dearth of native applications, plagued by hardware compatibility issues, bungled by horrible marketing and support from IBM, and going up against the Microsoft juggernaut that was Windows 95, it hardly stood a chance.  But it’s nice to see how die-hard OS/2 fans are continuing to support the operating system even now.

Category: General | Comments Off

Mac OS X Malware Uncovered

February 16th, 2006 by slowe

After having just written about predictions concerning Mac OS X malware (viruses, spyware, trojan horses, worms, etc.), news of a Mac OS X virus comes in from MacNN.  Is the prediction coming true?

Sophos has a detailed analysis of the malware; Intego has also posted a question and answer regarding the new threat.  In addition, McAfee has updated their virus library as well.  Security firms are in disagreement whether this is a virus or a trojan horse; some say it should be classified as a virus since it attempts to spread via iChat and trojan horses aren’t self-replicating.  Such cut-and-dry definitions rarely fit reality.  Personally, based on the analysis that I’ve seen, it doesn’t look or act like a trojan horse.  I’d classify it as a virus.

How does one protect oneself against this threat?  Well, Mac users, you take a page from your Windows-using friends:  Don’t blindly assume that all files are safe and can be trusted.  In other words, don’t double-click stuff you don’t know is safe!  This particular malware spreads via a .tgz file, which when uncompressed appears as a graphic file.  It is, however, a compiled executable.  I would imagine that it is probably possible, then, to right-click on this file and see a “Show Package Contents” menu item, which is a dead giveaway that this is anything but a simple graphics file.  Of course, the anti-virus companies have updated their virus signatures to protect against this particular threat; refer to your particular vendor (if you use anti-virus software) for updates.

For network administrators or other technically savvy users, I’d recommend blocking .tgz files via e-mail.  There’s no evidence that this malware spreads via e-mail, and I’m not aware of any vulnerabilities that would allow this virus to replicate via e-mail, but better to be safe than sorry.  Now that this has happened, crackers will move quickly (in my opinion) to make this more potent and more dependable (it doesn’t really work right now).
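
A content check for the disguise described above, as an added example that is not part of the original post:  it reads the first bytes of each file inside a .tgz, without extracting anything to disk, and reports members whose name claims a picture or audio file but whose content starts like a Mach-O binary or a shebang script.  The archive, file names, and function names are constructed for illustration.

```python
import io
import tarfile

MEDIA_EXTS = (".jpg", ".jpeg", ".gif", ".png", ".mp3")

# First four bytes of Mach-O executables, in both byte orders.
EXEC_MAGIC = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary",
}


def classify(head):
    """Name the executable type suggested by a file's leading bytes, or None."""
    if head[:2] == b"#!":
        return "script (shebang line)"
    return EXEC_MAGIC.get(head[:4])


def scan_tgz(data):
    """Return [(member, type)] for media-named members with executable content."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            kind = classify(tar.extractfile(member).read(4))
            if kind and member.name.lower().endswith(MEDIA_EXTS):
                hits.append((member.name, kind))
    return hits


def build_sample():
    """Constructed test archive; the bodies are headers only, not real programs."""
    members = [
        ("photo1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),  # genuine JPEG signature
        ("photo2.jpg", b"\xfe\xed\xfa\xce" + b"\x00" * 16),  # Mach-O magic, .jpg name
        ("song.mp3", b"#!/bin/sh\n"),                         # shell script, .mp3 name
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in members:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind in scan_tgz(build_sample()):
        print(f"{name}: looks like {kind}")
```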

I’m not aware of any products or software to protect IM sessions.  It may be prudent to configure Camino, Safari, Firefox, or your other browser of choice not to automatically open certain file types.  In Camino, this is done by unchecking the “Open downloaded files” in the Preferences.  Honestly, I couldn’t tell you where to do the same thing in Safari or Firefox; I rarely use those products.

To Mac users:  This is NOT the end of the world.  It’s just the evolution of our favorite platform.  It was bound to happen sooner or later.

To Linux users:  Get ready.  Your day is coming, too, if Linux continues to gain popularity.

To Windows users:  Better get your jibes in while you can.  By the way, did I mention that Microsoft just patched 7 security flaws in Windows and Internet Explorer, including two that allowed remote code execution?

Category: Security, Macintosh | Comments Off

The Year of the OS X Exploit

February 16th, 2006 by slowe

UPDATE:  A problem with the original title and the resulting URL for this posting caused some problems, so I reposted with a better title and a clean URL.  Sorry!

The security advantages—real or perceived—of Mac OS X have been tossed around by many, including some so-called security experts.  Some say that Mac OS X is only more secure because it is less common and therefore less tempting to a cracker.  Others say that Mac OS X’s underlying Unix architecture makes it inherently more secure, regardless of popularity.  This SecurityFocus article on a hacked Apple PowerBook seems to give credence to the former instead of the latter.

According to reports, a security researcher’s “hardened” Apple PowerBook was compromised at a recent hacking conference.  It is believed that an unknown exploit allowed the compromise to take place.  However, forensic analysis conducted afterward could not show any trace of a compromise or intrusion.  Fact, or fiction?  It’s anybody’s guess at this point, but the rumors are flying that this is “the year of the OS X exploit.”

I’m not so sure I believe that, but I also don’t believe that it’s impossible, either.  I do believe that as Mac OS X gains in popularity, crackers will begin to target the platform more heavily than they are right now.  At the same time, I also believe that Mac OS X is inherently more secure than Windows, due in large part to two factors:

  • Mac OS X’s underlying Unix architecture
  • Lack of driving need for “backward compatibility”

The Mac’s greatest vulnerability is, strangely enough, its ease of use.  Many users, unaware of the dangers of untrusted binaries and lured into complacency by the slick user interface, won’t think twice about authenticating with administrative credentials when prompted to do so.  But who’s to know what’s really going on under the hood?  And from a consumer’s perspective, who cares what’s going on under the hood?  (When’s the last time you looked under the hood of your car?)

It’s almost certain that Mac OS X will come under greater scrutiny in the coming months.  It’s not quite so certain that a widely-exploitable flaw will be uncovered, nor is it certain that built-in Mac OS X security features won’t be able to quickly mitigate such a flaw.  As with all aspects governing security, the best approach is to remain vigilant.

(Meanwhile, don’t even get me started about how Mac OS X on x86 will be less secure than Mac OS X on PowerPC.)

Category: Macintosh | 1 Comment »