 Wednesday, May 12, 2004

Finally, someone has the right answer to how to clean a compromised system. So, you didn’t patch the system and it got hacked. What to do?

Click here to find out.

Is it the one correct answer - If you have already been compromised? Three cheers for Jesper M. Johansson, Ph.D., CISSP, MCSE, MCP+I, Security Program Manager at Microsoft for pointing this out. Maybe.

However, it should be noted (as was done to me by a security professional whom I respect greatly) that there are many options other than and in addition to patching available to prevent system compromise. Here's what my colleague said in email:

“I can't believe they actually published that!  While instilling fear and hopelessness it has no redeeming value and makes MS look bad (by implying a 'justification' for the pain of the patch process).  There are other alternatives to cleaning systems and validating what has been altered besides reformatting.  Things like Tripwire, regular audits, etc. etc. etc.  The real decision is what is it worth to not have to reformat?  Also you don't need any of the MS patches to prevent a system from being compromised.”

All valid points. I agree on one level or another with everyone here: Prevention and planning are worth a ton of cure. But when you have been compromised at the system level (i.e. did not plan and prevent), you're assuming a fairly large risk if you continue to use the compromised system.



IT Security | Tech
Wednesday, May 12, 2004 11:59:49 AM (Pacific Daylight Time, UTC-07:00)

Office 2003, SharePoint, etc. Things you never knew or might not otherwise find:

MSFT tool to remove hidden history and collab data from Office documents - A couple of months ago Microsoft released a nifty tool that will permanently remove hidden and collaboration data, such as change tracking and comments, from Word 2003/XP, Excel 2003/XP, and PowerPoint 2003/XP files. When you distribute an Office document electronically, the document might contain information that you do not want to share publicly, such as information you’ve designated as “hidden” or information that allows you to collaborate on writing and editing the document with others. Before you email that doc to your customer or partner, or post it to a web site, run this tool and clean things up.

A couple of quick ways to stay up-to-date on SharePoint resources and information - Check out these resources if you're interested in SharePoint Portal or WSS 2003 - good stuff to be found:

I'll post a more complete OPML file sometime soon.



Office 2003 | SharePoint | Tech
Wednesday, May 12, 2004 9:08:25 AM (Pacific Daylight Time, UTC-07:00)
 Monday, May 10, 2004

Earlier I posted my first audio blog entry. This is just a quick note about how to set up audioblog.com to post directly to dasBlog...

It's really pretty simple: I used the Blogger-API capability of dasBlog (you'll need to turn it on in your config) and directed audioblog.com to publish my blog entries using the Movable Type option. You could specify XML-RPC, but if you do you won't get the headlines properly translated into dasBlog, so Movable Type is the one that works best. Very cool that dasBlog allows you to post this way, and even more cool that audioblog.com appears to properly emulate Movable Type when posting. When I tried to use another audio blogging service (AudBlog), it didn't play well with the Blogger API - But audioblog.com works like a charm.



AudioBlogging | Blogging
Monday, May 10, 2004 10:34:47 PM (Pacific Daylight Time, UTC-07:00)

Teaching is tough. Making things like the speed of light tangible is not easy. Making it interesting is even harder.

Robert H. Stauffer understands how to teach high school students.



Random Stuff
Monday, May 10, 2004 9:41:18 PM (Pacific Daylight Time, UTC-07:00)

Three cheers for audioblog.com - I signed up to test their new service last night, and today I got an email with my new account info. Within 5 minutes I'd posted my first test audio blog entry. Their service is smooth, it works (other services out there are glitchy at best in my recent experience), and it's very well designed. Quite cool. Just imagine what you can do with this kind of service. From any computer or phone you can post audio blog messages in real time. You can record up to an hour at a shot, and if you want to go longer than that, you can chain multiple recordings together into a play-list. Wow - this is great!

Update: Looks like they went live today! $4.95 a month for unlimited recording and up to 1GB of audio data transfer a month - very nice. See their Service Features page for more info.

Also check out the interview with the creator of audioblog.com, Eric Rice at ITConversations.



AudioBlogging | Blogging | Tech
Monday, May 10, 2004 8:31:07 PM (Pacific Daylight Time, UTC-07:00)
 Sunday, May 09, 2004

UPDATED: Apparently, someone misspoke, and Microsoft has corrected earlier reports - see eWeek's coverage of the change in the story.

Sorry guys, all you software thieves out there will not be able to install SP2 after all (unless this all changes again). From a business and antipiracy perspective, I agree with not allowing it to install. From a security perspective, I was looking forward to seeing what impact (if any) the loosening of the reins might have.

But I don't think Microsoft has a responsibility to provide anything to people who steal software.

It's a change of direction for Microsoft, but apparently they will allow SP2 for Windows XP to be installed on pirated copies of the OS when the service pack is released later this year. This was not the case with SP1, which has protections in it that keep people with pirated copies of Windows XP from installing it successfully.

"It was a tough choice, but we finally decided that even if someone has pirated copy of Windows, it is more important to keep him safe than it is to be concerned about the revenue issue," he added. He admitted, however, that it is more than altruism that helped Microsoft come to this decision. "Having these unsecured users means bigger worm and virus outbreaks - which also impacts the Internet and consequently, our legitimate users as well."

 - Microsoft group product manager Barry Goffe

Considering the potential positive impact of SP2 on the computing world, this is probably a good idea. After all, keeping users from spreading viruses and becoming launching platforms for hackers is an important part of securing the Internet and - in a broad sense - the Windows OS.



IT Security | Tech
Sunday, May 09, 2004 10:20:10 PM (Pacific Daylight Time, UTC-07:00)

There are a number of technological leaps I have not yet made, many of which are pretty commonplace nowadays. Most who know me look at me as one of those guys who's always first to acquire and use new technology, but in some cases that's just not true.

Here are a few facts about me and technology adoption, and where I see myself in the near future with regard to each:

  • I don't own an MP3 player - In fact, I never have. Sure I've listened to MP3s on my computer before (but not nearly as much as everyone else I know). I have not jumped on the MP3 wagon yet. I do digital media for sure - I've run Windows Media servers at work for a few years now, I have a hacked TiVo at home and have even put together my own PVR before, and I've used a Pocket PC and Smartphone in the past (both of which can play MP3s with Mobile Windows Media Player), but never have I actually owned an MP3 player. My boss once told me about how he uses audible.com, which is a cool service where you can download electronic books and stuff. That may be what eventually gets me to buy one. We'll see. iPods are looking pretty cool to me.
  • I don't yet do IP telephony - This is an area I was exploring earlier today, and it's what got me thinking about the things I have not yet bought into. I was researching Vonage phone service and features, after I started playing with the idea of audio blogging (Maybe you can see the connection, I know it's a stretch, but that's how I got from virtual-there to virtual-here, so to speak). This is something I am seriously considering trying out. Vonage not only now allows you to have an IP phone bridge device for your normal phone to plug into, they also support installing and using a software phone on the laptop (or whatever computer you like). I like the idea of being able to travel and have my phone ring on my laptop when I am logged in. They also have some cool voice mail features, including delivery of voice mails as email attachments and the ability to access your voice mail on the web. Now, how cool is that?
  • Picture/Audio/Video Blogging - I know this is not exactly something that everyone's doing, but when it comes to my list of things I think I should have done by now, this is definitely on it. I've wanted to do picture blogging for some time, but I don't have a camera phone (I use a blackberry phone since that's what really meets my hectic needs and work-style). The idea of being able to record an audio blog entry, however, is pretty cool to me - and if I could combine a camera-phone image with called-in audio recording and post them together, well that would be really cool. I'm definitely looking into this. Not sure what practical use it has, but it sounds like fun to me. Oh, and it has to work with dasBlog, which has a number of interfaces for getting remotely submitted blog entries created. For audio blogging on the road, I am looking at AudioBlog.com (Looks awesome and just went into closed beta release - I've applied) and AudBlog.com (which I have already tried, and while it's kind of cool, it just doesn't seem to work too well for my needs - and it's a bit limited in terms of what you get for the buck). Fun stuff, coming soon I hope.
  • Windows XP Media Center PC - I have been saying I want to get a Media Center PC for quite a while now, but still have not done so. With the new possibilities created by Microsoft's planned releases of new networked/connected Media Center “extender” devices, the level of desire has been continually increasing on my part. I need to buy a new computer for home anyhow (mine's pretty much dead), but I guess my only fear is that before too long some new OS and the accompanying mega-hardware requirements will replace what's on the market now. I dunno - I'll have to keep thinking about this one.


Blogging | Tech | Windows Media Technology
Sunday, May 09, 2004 5:26:14 PM (Pacific Daylight Time, UTC-07:00)

Apparently now is the beginning of a prime period during which we'll be able to best see the International Space Station as it races across the sky. If you haven't ever taken the time to step out and watch the sky to see this before, you should do so - Realizing that there are people up there on that thing is really pretty mind-boggling when you think about what it takes to make something like the space station happen and work.

SPACE.COM: During the next couple of weeks, North Americans will have many opportunities to see the International Space Station, due chiefly to a seasonal circumstance. From now through the beginning of July, nights are shortest and the time that a satellite in a low-Earth-orbit (like the space station) can remain illuminated by the Sun can extend throughout the night, a situation that can never be attained during other times of the year.

You can find out when you can see the station at any of several web sites, including:

Here are a few links to SkyWatch data for cities people who know me are likely to be in. If yours is not listed, check out the full city list.



Random Stuff
Sunday, May 09, 2004 11:49:26 AM (Pacific Daylight Time, UTC-07:00)

We interrupt this serious blogging effort to bring you something completely irrelevant.

You know it had to happen. Remember the Star Wars Kid? Of course you do. Seen Kill Bill? Of course you have. Maybe you even bought the t-shirt. Well, here you go:

http://content.collegehumor.com/media/movies/killbill.wmv

Enjoy.



Humor | Random Stuff
Sunday, May 09, 2004 1:34:11 AM (Pacific Daylight Time, UTC-07:00)

German police arrested the 18-year-old author of the Sasser virus. Apparently he also confessed to authoring other viruses, including NetSky.

Which is good. But not amazing. For the most part, the bad guys eventually get caught.

What amazes me is the fact that so many companies and government agencies were actually shut down by the Sasser worm. A friend of mine who works for a government agency called me tonight to tell me that last week the city, county and related agencies where he works were shut down by the worm.

My response: “WHAT?!?!?!!?!?” The departments that were shut down in my friend's account of the situation included public safety departments and a fire/police dispatch center among others... No small potatoes when you consider how critical it is that things just need to work. Maybe someone needs to lose his or her job.

Good vs. Bad, or “Dude, that's pretty extreme.”

I'm serious - this one was so easy to avoid, there's simply no excuse for having a problem. I can think of only one reason any company or agency would be affected, and come to think of it, it's a problem rampant the world over.

Sadly, some IT professionals aren't - well - they're just not very professional.

So, here's an important message for companies and agencies employing lazy IT staff: If they don't prevent the outbreaks, they're not doing their jobs. The mark of a good IT crew is not that they respond to a virus outbreak and make everyone feel good that they're able to disinfect computers and (hopefully) go to tape backups to restore ruined data. The good IT crew is not the one that tells you it will take two to three days to recover, and then “delivers” in one day.

So what, then, makes for a good IT crew? And how do you know if you have one? It's very simple: While everyone else is freaking out about viruses and other threats, your company is still operating and you're not really too concerned, because your company just doesn't ever have many network security issues. Besides, if there was going to be a problem, you would have heard about it from the IT crew by now. In other words, things just work, problems are prevented, work doesn't stop, and you don't have to worry. That's what a good IT crew does for you.

An Ounce of Prevention Is Worth Big $$$

Believe it or not, I'm not supposed to be an exterminator. My job is to make sure the virus outbreak never happens in the first place, and the people who work in my department share in that responsibility. Ultimately, I am the one responsible (and held accountable) for network and data integrity when it comes to viruses and intrusions, but we all take a significant amount of pride in making sure problems never get a chance to occur.

What many may not realize is that it's actually pretty easy to do. In fact, it's a lot less work to prevent the problems than it is to react to them after they occur. Keeping a problem from happening is akin to preventing a cancer from ever growing; You can be so much more confident, and if the ability to prevent is there, it's simply negligent to assume the reactive posture. The removal of a cancer is painful, time consuming and expensive. Worse yet, you almost always have to wonder if you got it all, if it will ever resurface, and what the result will be when it does.

To be perfectly clear about where I'm going with this: I believe that organizations need to adopt a zero-tolerance policy toward avoidable downtime. Virus outbreaks should be very few, very far between, and extremely isolated in scope. If a virus infects an entire network, something is not being done correctly. If data is lost and can't be recovered, there's simply no excuse.

Kick Me If You Like, But I Know I'm Right

Some who work in the IT field will read this and be upset with me. Am I really telling people like my boss to fire their employees if they can't prevent the problems from happening?

Yes, in a manner of speaking I am. After all, if I can't (or rather “won't,” since pretty much anyone can) protect the company from internal and external threats, I am not doing my job and my boss needs to find someone who can (and will). While there are occasional threats that cannot be prevented, he knows that those are so rare that he'll know when the exception to the rule occurs.

IT professionals around the world, regardless of the organization's size or business, should hold themselves to this standard. If you're an employer, you're responsible for maintaining or hiring people who meet the standard.

We no longer live in a world where the guy your neighbor knows who “works in computers” is sufficient for a professional IT job. Even the interns I hire require a special skill and work ethic that's hard to find. High standards make for quality work and results, and I think that's the way it should be. To expect less in this day and age is to neglect the needs of the real world of IT.

It's Bigger Than Just Your Organization

By the way - when the people responsible to do the prevention at your organizations fail in their duties, who do you think those failures impact? It's not just your employees and customers. The nature of the Internet is that your failure will almost certainly impact many organizations outside of your own. That's what virus writers count on, that the poorly-designed and -managed networks of the world won't be proactively managed, and that employers who don't know the difference won't do anything about it.

If you're the employer and you can't for the life of you determine whether your IT employees know how to do their jobs, here's your best clue: They probably don't. It's one of those things where you know if they're doing their jobs. How? It's a dangerous world we work in; If they are not educating you and keeping you aware, they're not doing their jobs.

For the Record - Bad Employers Are Part of the Problem

Before I finish, I should say that I realize the world is not black-and-white, that there are many aspects of operational IT work that can put a very good and responsible IT professional in a position where he or she is doomed to fail. There are times when, despite the best efforts of the individual, the budget or company priorities actually prevent you from doing good security. I only see two options for you there: One is to make them aware, change the outlook and attitude, and failing that the second option is to find a place to work that will leverage your skills and fits your priorities.

Line In The Sand

So, here's the challenge: I think that anyone responsible for day-to-day IT security who walks away from these words upset that I'd adopt this position probably needs to take a look at why they're upset. Seems to me if one does one's job, there's nothing there to be upset about.

Anyhow, that's what I think. It's a little more black and white in writing than in real-world practice, but I've read and re-read my words, and I'm good with them. This started out to be a short post about the 18-year-old kid who wrote a computer worm. It ended up becoming a bit of a rant about what really matters to my employer. Catching this kid doesn't mean fewer viruses and worms - We still have a job to do, and it's just getting more and more complicated as time goes on.

And since all good blog entries should include a question, tell me: What do you think? Click the comments link and talk back if you're so inclined. I could be wrong, you know. ;-)



IT Security | Tech
Sunday, May 09, 2004 1:13:40 AM (Pacific Daylight Time, UTC-07:00)
 Saturday, May 08, 2004

I decided today to look for cool stuff and tie up a few loose ends from the past week. Nothing big - Just a few things that will probably change the way you work or live in the future that I thought you might like to know about, if you don't already. Not that I really know how they all work, I just find them very, very interesting:

How to Bundle Active Directory Application Mode with Your Directory-enabled Application - Microsoft created ADAM to let developers use Active Directory as a dedicated LDAP service. Someone was asking me what I know about it, and how to ship ADAM with his application. This article talks about how to bundle the ADAM setup as part of your app's setup. ADAM is cool. This makes it cooler. It may not change the way you live, but the potential is there to change the way people like me work.

Mono Beta 1 has been released - What the heck is it? No, you won't end up in bed for weeks wishing you could just die. Think of it this way: Write C# code and run it on Windows or Unix. This is big. It's a .NET framework for Unix, and when you think about it, the possibilities are - well - pretty interesting. Interoperability, here we come. It's worth noting that Microsoft released the whole .NET thing to the community to do this kind of thing. And for those who wonder why anyone should care, the abstraction layer of the .NET framework allows you to write and deploy much more secure (read: managed) code. That matters. That's probably not a great explanation, but someone else can chime in and comment if they want. :-)

Keyhole is Super-Cool and Addictive - I ran across Keyhole a month or two or more ago, but forgot to blog about it. I don't know why, I mean this company has only mapped out the entire earth - more than seven terabytes of map images are on their system. I think the first time I saw their technology and started looking for it was when the news shows started doing these fancy fly-over maps of Iraq to show their audiences where certain cities, battles or whatever were happening. In the future, this kind of tool will be commonplace. Imagine tying this capability into a GPS-enabled application and speaking instructions to your car, then having it show you, step-by-step and in 3D detail, to your destination. Or dream up your own uses and ideas.

Well, during an excellent presentation about Longhorn by Chris Sells the other day where I work, he showed some forward-looking stuff that reminded me of the coolness of this new application. When Longhorn arrives and we get its amazing 3D graphics system, we'll no doubt see some amazing new things taking advantage of applications like this one. At any rate, no need to wait for Longhorn to see what this can do. Anyone with eyes and brain (and hopefully broadband) should truly enjoy themselves on this site today. Oh, and if you happen to have an nVidia graphics card, be sure to check out Keyhole NV and see Mars. A free trial account is available, and it's worth the download if you have a computer that's less than three years old (older than that might be too slow).

Longhorn - The Next Version of Windows - As mentioned above, Chris Sells, who works for Microsoft and speaks regularly about Longhorn, the way-cool next version of Microsoft's operating system, spoke at Corillian (my place of work) the other day. Chris is a great speaker and he convinced me about the one necessary assumption upon which Microsoft appears to be betting the company: Longhorn will be to Windows XP as Windows 95 was to Windows 3.1. They want people to flock out to get Longhorn the same way they did with Windows 95. They'll spend more in marketing the next version of Windows than they've ever spent marketing any other product, ever.

Now, if you were around for the debut of Windows 95, you know what I mean and how big a deal this statement is. For those of you who are too young to remember, but are old enough now to be interested (yes, I am speaking to you Scott), well hold on tight - The ride's about to begin. The world of computing as we know it will (once again) change dramatically.

Want to see where things are heading? Check out these concept videos that show some of the new capabilities that will reach our homes and offices one day soon. They're geared toward business solutions, but show a lot of the new features and make you think about the possibilities. Note that one of the videos (the commercial real estate one) leverages the Keyhole world imagery application and data mentioned earlier - in combination with mapping applications like MapPoint. Neat stuff.



Tech
Saturday, May 08, 2004 7:10:22 PM (Pacific Daylight Time, UTC-07:00)
 Thursday, May 06, 2004

Two of my coworkers, Scott and Patrick, have been musing about what it means to be a coder. Or a geek. Or whatever. I'm not a coder (to be sure). But many people do consider me to be a geek. So at least in certain circles, they're not really the same.

Anyhow, Patrick had an interesting comment about his son. He mentioned that he has taken to calling himself “geek, son of geek.” Heheheh that's cool. He also mentioned his son's a little miffed that they don't have a t-shirt that says that.

Have no fear, my friends. Your fears and miffed-ness are silenced by my own personal form of geekdom.



Random Stuff
Thursday, May 06, 2004 12:15:34 PM (Pacific Daylight Time, UTC-07:00)
 Tuesday, May 04, 2004

And the list of nifty OneNote SP1 Pre-Release information (and the coolness factor) just keeps on growing…

Andrew May, of the OneNote dev team, today posts a pre-release article that will be published in its final form whenever the final version of OneNote SP1 is released. I’ve started playing with some of the command line switches described in the article.

Whether or not OneNote is running at the time, you can use the command line switches to start up some type of OneNote functionality. Whether it’s starting or joining a shared, network-based note-taking session, opening a OneNote page and automatically starting to record video or audio (or passing a command to stop a recording in progress), importing content, or any one of several other functions, the new ability to script and remote start OneNote in a variety of ways is something that many will find useful and powerful.

Already a few ideas are running around in my little head – Shared note-taking sessions that are always available, programmatically starting new sessions or creating new notebooks and pages based on variable input from any one of a number of sources… Custom name the notebook and session, start sharing it, import content from some source or the clipboard, and start collaborating... The sky’s the limit!

By the way: If you're a developer or technical implementer of OneNote, Andrew May's blog is a required read. Great stuff there. If you're an IT decision maker, don't miss Chris Pratley's blog. Read and learn.



OneNote | Tech
Tuesday, May 04, 2004 7:40:49 PM (Pacific Daylight Time, UTC-07:00)

It's faster, it's fixed up, it's super cool and stuff.

Omar says dasBlog v1.6.4121.0 has been posted to the GotDotNet workspace (note - takes forever to load, be patient). So you can download it, install it, use it, and enjoy it. There's nifty easy installers for the whole thing, ZIPs with just the upgrade files, packaged source code - you choose how and what you want to do. Instructions are here.

I upgraded last night, and the site runs faster and there's some cool fixes as well as new/improved functionality. For complete info about the changes, see the release notes.

Now all I have to do is get around to translating my blog entries from my old LiveJournal from back in the day to dasBlog. In my spare time. :-P

If you run it, get it. If you don't and you're looking to start a blog of your own, this is the stuff. Need a place to host yours? Email me, maybe I can help.



Blogging | Tech
Tuesday, May 04, 2004 8:56:41 AM (Pacific Daylight Time, UTC-07:00)
 Friday, April 30, 2004

Forgive the randomness... Can't resist posting:

http://subservientchicken.com/

Burger King is - well - weird. :-)



Humor | Random Stuff
Friday, April 30, 2004 8:23:54 PM (Pacific Daylight Time, UTC-07:00)