March 2006

Virtual Security

As I make my push deeper into VMware ESX Server and VirtualCenter, I’m hoping to get a chance to try out Reflex VSA as well.  Reflex VSA is, according to the vendor, a virtual security product (emphasis mine).

The excellent virtualization.info blog tipped me off to the press release announcing Reflex VSA.  The idea here is to provide security services—such as firewalling, intrusion detection/prevention, and threat detection—within the virtual networking environment created by ESX Server.  This would make it possible, for example, to create firewalls between different virtual switches within a single ESX Server host machine.  The picture on the product information page for Reflex VSA really says it better than words can describe.

Is this type of product really needed?  I don’t know—that’s a valid question.  Once I get ESX Server up and running at the office, I plan to request a trial copy of Reflex VSA and see what it really does and how it really works.  I’ll post more information here once it’s available.

Synergies

This article on application delivery (written by Brian Madden) got me thinking about synergies between technologies.  The article was intended to be a discussion about the various technologies and architectures for delivering applications to users, but what struck me more was the idea of complementary technologies offering more together than they could individually.

In this particular instance, the article mentions a couple of technologies that can create some real synergies when used together.  For example, the article mentions “application streaming,” via a product such as what Softricity offers.  It looks to be a very nice product (I have no personal experience), but could it be better when used with another technology?  What about combining it with Citrix, as is mentioned in the article?  In that case, you have Softricity streaming the application to the Citrix server, the Citrix server performing the execution and sending the display down to the client.  The advantage?  Easier management of applications into servers running Citrix Presentation Server, as well as isolation of applications on the Citrix servers.  In this case, both products involved—Citrix Presentation Server and Softricity SoftGrid—are very good products, but used together we get more than we would have individually.  (Again, this idea is not mine, it was mentioned in the linked article above.)

So what other kinds of synergies can we identify?  Is it worthwhile to try to identify these synergies?  Very much so, in my opinion.  If we, as IT professionals, can identify where specific technologies or products can be combined together to create something that is more than just the sum of the components, then we’ve managed to add real value for our customers.

I’m going to make it a point over the next few weeks to actively seek out these synergies, to try to find new ways of combining products, services, and technologies.  If you have any ideas you’d like to share with me, feel free to e-mail me or leave a comment.

Rebuilding My RSS Subscriptions

For a variety of reasons, I am in the process of rebuilding my list of RSS subscriptions.  OK, so I forgot to export my list to an OPML file before I installed Tiger.  This gives me the opportunity to weed out some RSS subscriptions that weren’t very helpful (not for me, anyway—that’s not to say they aren’t helpful to others) and add some new ones, as well as focus on certain areas I know I’ll be working with a great deal.

For example, my new company has already told me they’d like for me to focus on virtualization (especially VMware) and Citrix.  So, I’m adding some RSS feeds that target those technology areas.  I had several virtualization-related feeds already, but I’ve only managed to locate one really good Citrix-related feed so far, and that’s from Brian Madden’s outstanding site (the feed can be found here).  (I highly recommend his work, including his books—I use his Citrix MetaFrame XP Advanced Technical Design Guide fairly regularly.)  Already I’ve found a couple of good articles that I intend to review in more detail over the next few days (don’t be too surprised if links to them show up here).

On the flip side, I’ve removed some feeds that were just generating noise.  Novell Cool Solutions (feed here), while useful to Novell experts (which I’m not) and those tasked with supporting Novell networks (which I don’t), just isn’t helpful to me.  Likewise, I weeded out a couple of redundant Mac OS X feeds and a couple of Microsoft Exchange feeds.  Some of the feeds that got removed from my list of regular feed subscriptions will be moved into del.icio.us as bookmarks in the event I need to refer to them later.

Finally, the Tiger upgrade has also afforded me the opportunity to review my choice of RSS aggregator.  I had been using PulpFiction, but that application has been languishing since the sale of Freshly Squeezed Software to a new owner (although I saw rumors that development was going to pick back up soon—I certainly hope so).  I really wanted some improved integration with new Tiger features, such as Spotlight and Automator, and evaluated a number of applications.  I’ve finally settled on NetNewsWire, which I’m going to run for a while to see how it fits into my workflow (and take full advantage of the trial period).  It doesn’t have Spotlight support (yet), but it does support Automator and AppleScript, and I’m beginning to like how some of its features work.  It’s rather different than PulpFiction (not better or worse, just different).

Problems with 802.1Q

I stumbled across a forum on Apple’s web site this morning (referred to me in turn by Derrick Story’s request for MacBook Pro feedback) that makes me glad I’m not yet able to afford a MacBook Pro.

According to the forum, there is a bug in the Ethernet driver in the Intel version of Mac OS X 10.4 that causes excessive packet loss on networks that employ 802.1Q.  802.1Q, in case you aren’t already familiar with it, is an Ethernet networking standard used in networks that employ multiple VLANs.  Apparently, the Ethernet driver on the Intel-based Macs is incorrectly processing packets as 802.1Q packets when they really aren’t.  This causes excessive packet loss and network connections that are pretty much unusable.

I guess I’ll have to wait for the second generation of Intel-based Mac laptops.  That’s OK, as it gives me plenty of time to get my money’s worth from my current PowerBook G4.

New Apple Security Update

Apple released another security update today, Security Update 2006-002, that addresses the security flaw that was unsuccessfully plugged with Security Update 2006-001.

Per Apple’s description of the update, the update provides “additional checks” to prevent malicious file types from being opened automatically.  In addition, the update addresses a few other security flaws in CoreTypes, Mail, apache_mod_php, and rsync.  Full details are in the article linked above.

And while we’re on the topic of security updates, Microsoft is expected to release one critical security update for Microsoft Office and one important security update for Microsoft Windows tomorrow on “patch Tuesday.”  More information is available from Microsoft’s web site, but is subject to change until the final security bulletin is released.

Vista on Intel-Based Macs

Apparently, there are some rather heated arguments occurring in certain circles about the inability to boot Microsoft Windows Vista on the new Intel-based Macs (as a side note, I seriously do not like the term “Mactel,” so I’ll instead be referring to them as “Intel-based Macs”).  While I can see both sides of the debate, I personally feel that holding Apple to blame for not being able to run Windows is a bit of a stretch.

I reviewed portions of a rather lengthy thread in the comp.sys.mac.system Usenet newsgroup regarding this issue, and it basically comes down to the fact that (according to reports) Vista will only support EFI (Extensible Firmware Image) on 64-bit platforms.  Of course, the new MacBook Pro and iMac use EFI, but these are 32-bit platforms.  As a result, Vista won’t boot.  Also according to reports, adding BIOS support (to allow non-EFI-aware operating systems to run) is as simple as adding a module to EFI to emulate BIOS.  So, a number of people are holding Apple to blame for failing to load the BIOS emulation module in EFI on the Intel-based Macs, saying that it intentionally prevented Windows Vista from booting on the new Macs.

Well, I suppose you could put it that way.  Then again, Apple did say that they weren’t going to do anything to make sure that Windows ran on the new Intel-based Macs, nor were they going to support it on their hardware.  Is Apple intentionally preventing Vista from running on their hardware, or are they just doing what they said?

As to the argument that Apple is missing potential sales by not making the Intel-based Macs capable of booting Windows Vista, I can’t say that I agree with that one.  Yes, it might be possible to increase value for Apple shareholders by spending extra time and effort to make their hardware more compatible with Windows.  But why burden down your hardware with legacy technology that your own core products don’t really need?  Mac OS X doesn’t need BIOS support, so why add BIOS support to Mac hardware?  On the chance that you might gain marketshare via that small percentage of people who want to dual-boot Windows Vista?

If Apple really wants to increase marketshare, the fastest, best, and cheapest option (in my opinion) involves promoting virtualization and emulation.  No, these aren’t conflicting directions.  First, support virtualization by promoting open source and commercial virtualization products, such as VMware, Q, and others.  (I’ve mentioned the use of virtualization to drive marketshare before.)  Second, support emulation of the Windows API via such projects as WINE and Darwine, which allow Windows applications to run on non-Windows operating systems.  Think about it:  If the only reason you want to boot Windows on your new Intel-based Mac is for a couple of applications that don’t have Macintosh equivalents, why install an entire OS?

My Tiger Upgrade

I’ve posted a couple of other entries about stuff related to the Tiger upgrade (like my discovery of continued development of the Virtue virtual desktop application and weirdness with Spotlight), but hadn’t yet actually discussed the upgrade itself, and everything that was involved.  So here are the sordid details.

When I upgraded from Jaguar to Panther, I performed an “Archive and Install” to get as clean a system as possible without having to reinstall all my applications and such (most of which, at the time, had come bundled with the PowerBook when I bought it).  That worked well enough, but this time around I had some other changes I wanted to make, so I felt like an “Erase and Install” was the best approach.

So, not without some trepidation, I proceeded to back up all my data—mail messages, documents, bookmarks, music, pictures, etc.—to an external Firewire hard drive.  Then, paranoid creature that I am, I made a manual copy of a few of the items as well (just in case).  I double-checked and triple-checked to make sure I had gotten all the stuff I needed.  I verified that I had licenses for software I had purchased.  Finally, once I was reasonably satisfied that I had all the backups I needed, I inserted the Tiger DVD and rebooted the laptop.

The installation of Tiger was pretty painless, as it wasn’t until after I had it running and had started installing applications that I started running into odd things:

  • RDC Menu:  This freeware app lets me run multiple instances of Microsoft’s Remote Desktop Connection for the Mac—a feat that Windows users take for granted.  Under Panther, the Dock icon for this application had worked perfectly; under Tiger, it doesn’t work at all.  I finally managed to get it working from the menu bar, but I’m not terribly thrilled with it there.
  • SSL Enabler:  This GUI front-end to the Stunnel utility won’t work unless you first create the “/usr/local/sbin” directory.  Otherwise, the Stunnel program doesn’t get copied correctly and nothing works.

So far, it’s only been these few issues, along with the Spotlight problem described separately, and everything else has been working reasonably well.

Of course, I did have to reinstall all my applications, recreate some of my preferences, and such, but I prefer that knowing that I have a clean installation of Tiger that is unencumbered by any problems caused by my Panther installation.

Overall, I’m glad I upgraded.  I do find myself liking Spotlight, and using Spotlight, and I’m looking forward to working more with Automator.  This will also now open the door to test some additional applications that require Tiger or higher in order to run.

Spotlight Weirdness

One of the key features in Tiger that I was looking forward to was Spotlight.  I know, I know—lots of users have complained about Spotlight’s background indexing and its impact on performance, and there’s a lot of chatter on various forums and in the newsgroups about disabling Spotlight.  I, on the other hand, was interested in having all my stuff indexed by Spotlight so that I could take advantage of the indexes (indices?) in native Mac applications such as Mail (via Smart Mailboxes), Finder (via Smart Folders), Address Book (via Smart Groups), so on and so forth.

However, Spotlight was exhibiting some strange weirdness.  I don’t know if it was related to Spotlight having already built the index prior to applications being installed, or if it was due to the fact that some of the Spotlight importers weren’t being “picked up” by Spotlight.  In either case, the search results weren’t quite right.

So, in true geek fashion, I set out to find out why.  My first stop?  The terminal, to trot out some Unix commands that manipulate Spotlight.  First, I looked up some information on mdutil, and found that I can reset the Spotlight index using this command:

mdutil -E "path/to/volume"

I didn’t want Spotlight indexing my external Firewire hard drive or my iPod, so I added them as exclusions using the Spotlight preference pane in System Preferences, then issued the following commands:

mdutil -E /Volumes/Maxtor
mdutil -E /Volumes/iPod
mdutil -E /

This reset the Spotlight index.  However, I still wasn’t convinced that all was well.  I turned next to mdimport, another Unix command, and found that you can force Spotlight to tell you which importers were installed and recognized.  Using “mdimport -L”, I found that only the importers found in /System/Library/Spotlight or in an application bundle were actually being recognized.  However, there were some importers found in /Library/Spotlight that were not being recognized.  I copied one of these importers over to /System/Library/Spotlight, and “mdimport -L” showed it as being recognized.  I copied the remaining importers over.  Another problem resolved—now all the importers were being recognized.

However, these importers hadn’t been used when the index was being rebuilt, and now I needed a way to tell Spotlight to update itself with these new importers.  Another look at the man page for mdimport showed another switch that would be useful.  So I ran these commands to fix the problem:

mdimport -r "path/to/importer"

I gave Spotlight a little bit of time to update itself, then issued a quick Spotlight query for some text I knew would be buried inside a Microsoft Office document.  The results included the document(s) I expected, which told me that things appeared to be working much better.

The only thing not working (not yet, anyway) was the del.icio.us Spotlight Importer (to search del.icio.us bookmarks via Spotlight).  Still need to work on that one a bit.

A New Life for Virtue

My favorite Mac OS X virtual desktop manager, Virtue, has found new life with a new owner.  After stalled development, Virtue is progressing on, now with full Tiger compatibility and soon to have a Universal binary so that Intel-based Mac owners can use it as well.

I wrote about virtual desktop managers on Mac OS X a while back; at that time, I was using a program called Desktop Manager and was experimenting with Virtue.  The more I used Virtue, the more I grew to like it, and was very disappointed to learn that the project had apparently been abandoned and was not undergoing further development.  Of particular concern was the fact that it had not been updated for reliable operation under “Tiger,” the latest Mac OS X version, and I was (at the time) preparing for an upgrade to Tiger.

I have since upgraded to Tiger (I’ll post a blog entry about that soon), and was preparing to go back to Desktop Manager—which did work under Tiger—when I came across an obscure comment in a blog entry that indicated a new version of Virtue had been released.  Really?  I rushed over to the Virtue SourceForge site, but sadly…no changes.  A more comprehensive Google search turned up Tony Arnold’s weblog, where development of Virtue continues.  Hurray!

After a quick download, install, and tweak of the preferences, I’m once again back up and running with Virtue after my Tiger upgrade.  If you’re running Tiger and looking for a good virtual desktop application, look no further.

Mac OS Security Flaw Persists

The extremely critical security vulnerability released by Secunia a couple of weeks ago was apparently not fixed with the security update released by Apple last week.  According to researchers, it is still possible to disguise an executable as a picture or other type of document.

Security experts were cited by ZDNet UK saying that the underlying problem still existed:

But Apple failed to address a key part of the problem, the fix should be at a lower, operating system level, experts said. It is now still possible for hackers to construct a file that appears to be a safe file type, such as an image or movie, but is actually an application, they said.

As a result, it is still possible to disguise a file as an innocent type while the file is actually executable.  This kind of security problem can be compared to Windows’ double-extension problem, which led to such wonderful exploits as the Melissa virus.
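
A defender's check for the mismatch described above, as an added example that is not part of the original post and is not Apple's fix: it compares what a file name claims with the file's leading bytes, flagging image or movie names that hold runnable content as well as the double-extension pattern.  The extension lists, sample file names and sample bytes are constructed for illustration.

```python
import os
import tempfile

# Constructed policy lists for this example; tune them for a real environment.
SAFE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mov", ".mp4"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".bat", ".vbs", ".sh", ".command"}
# Leading bytes of content the operating system can run directly.
EXEC_MAGIC = {
    b"#!": "interpreter script",
    b"\xfe\xed\xfa\xce": "Mach-O binary",
    b"\xce\xfa\xed\xfe": "Mach-O binary",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary or Java class",
    b"\x7fELF": "ELF binary",
    b"MZ": "Windows executable",
}


def audit_file(path):
    """Compare what a file name claims with what the file contains."""
    findings = []
    parts = os.path.basename(path).lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    # Double extension: a document-looking name that ends in a runnable type.
    if len(parts) > 2 and ext in EXEC_EXTS and "." + parts[-2] in SAFE_EXTS:
        findings.append("double extension: ." + parts[-2] + ext)
    with open(path, "rb") as fh:
        head = fh.read(8)
    label = next((l for m, l in EXEC_MAGIC.items() if head.startswith(m)), None)
    # Name says image or movie, content says program.
    if ext in SAFE_EXTS and label:
        findings.append("content mismatch: " + ext + " holds " + label)
    return findings


def scan(directory):
    """Audit every regular file in a directory; return {name: findings}."""
    paths = (os.path.join(directory, n) for n in sorted(os.listdir(directory)))
    report = {os.path.basename(p): audit_file(p) for p in paths if os.path.isfile(p)}
    return {name: found for name, found in report.items() if found}


def build_samples(directory):
    """Write constructed, harmless sample files for the demonstration."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",     # genuine JPEG header
        "kitten.jpg": b"#!/bin/sh\necho constructed sample\n",  # script, image name
        "clip.mov": b"\xfe\xed\xfa\xce" + b"\x00" * 12,         # Mach-O magic, movie name
        "invoice.jpg.exe": b"MZ" + b"\x00" * 14,                # double extension
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        for name, found in scan(tmp).items():
            print(name, "->", "; ".join(found))
```

A name-versus-content check like this only covers files whose type shows in their first bytes; it says nothing about how the operating system decides which application opens a file.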

I’ll say again what I’ve said before:  No operating system is immune to these kinds of security problems.  I’m very confident that regardless of operating system—Windows, Mac OS X, or Linux—any unsuspecting user can be tricked into executing untrusted code.  In the end, it all comes down to educating the users.  Unfortunately, Mac users have been so indoctrinated that the Macintosh is immune to viruses and security problems that the user base is now facing an uphill climb.  In that regard, at least, Windows users have a plus.  (I suspect that as more and more non-technically savvy users start using Linux that the same problem will crop up there as well.)
