Monday, 30 January 2006

Virtual Servers - gotta love 'em, gotta hate 'em.

If you ever have to support a large number of dev and test servers in your IT environment and have found yourself frustrated with the administrative and technical overhead, a virtual machine architecture might be for you. It's all the rage these days, but (trust me on this one, I should know) there are lots of ways to de-optimize (read: screw up) a virtual machine/server environment. To make it work effectively, there are a few things you need to know and do to make your environment hum like a well-oiled (virtual) machine.

The problem is, until recently there has been relatively little prescriptive architecture for using virtual environments for specific test environments. In the case of Microsoft Virtual Server, there is now a reference architecture and detailed documentation that you can take advantage of by just downloading the documents:

Windows Server System Reference Architecture Virtual Environments for Development and Test (WSSRA-VE) can help large organizations and enterprises create environments for development and testing that emulate their own production environments. The guidance describes the architectural blueprint, planning considerations, deployment practices, and operational considerations for creating and supporting a virtualized instantiation of the Windows Server System Reference Architecture. It leverages the power of Virtual Server 2005 and automated deployment and configuration tools to minimize the physical infrastructure and logistical overhead necessary to deploy emulations of various data center services.

Like WSSRA itself, the WSSRA-VE is intended to aid users in their own effort to model their operational environment and condense it to a scale that can be representative of the infrastructure integration challenges facing developers and testers of distributed, message-based applications and IT services, and still be inexpensive and relatively economical to build and use throughout a large-scale IT organization.



Add/Read: Comments [0]
Tech
Monday, 30 January 2006 19:18:19 (Pacific Standard Time, UTC-08:00)
#  Trackback

I had a layover at the Denver International Airport for several hours today, so I called my mom, who lives over near Boulder. She jumped in the car and drove over to the airport for coffee and lunch.

The Pur la France chicken pot pie in the main terminal upper level is highly recommended. And so are those deals where they announce they have over-booked and will give a round trip ticket to anyone who will volunteer to take the next flight. I got lunch with my mom, a free round trip ticket, first class seat for no extra charge on the next flight, and on top of that I am able to work right now in the airport during business hours instead of being on an airplane during the time that counts. So I was able to test a very cool new demo version of one of our security software products and test market it to my mom. She provides good feedback.

I sent her a Logitech Quickcam Pro the other day so we can do video instant messaging and calls with Live Messenger v8, and I was showing her how to use the notebook camera I bought for my end of the connection. That's her right there, snapshot taken with my notebook Logitech cam (which is a great little camera).

Well, off to North Carolina... Then back home to Portland.



Personal Stories | Random Stuff
Monday, 30 January 2006 11:25:01 (Pacific Standard Time, UTC-08:00)

Security training - especially good, quality training - can be hard to come by without traveling somewhere and paying some hefty class fees. That's why my eyes opened wide when I found the Carnegie Mellon University/CERT Virtual Training Environment, which has a whole slew of great documents, tutorials and other resources that can enable anyone to learn a whole lot about computer, network and application security and forensics.

The Virtual Training Environment (VTE) is a Web-based knowledge library for Information Assurance, computer forensics and incident response, and other IT-related topics. VTE is produced by the Software Engineering Institute at Carnegie Mellon University.

What specifically is available? The VTE houses four types of training materials:

  • Documents: Whitepapers, handbooks, instruction guides, and other written material related to one or more IT topics such as information assurance, computer forensics, or incident response.
  • Demos: Demos are narrated recordings of instructor’s desktops. They enable users to watch and listen as an instructor describes the activities he or she is performing on a particular machine or piece of software.
  • Lectures/Modules: Modules are actual class instruction that has been video captured and transcribed. Modules are synchronized to a PowerPoint slideshow. Users can navigate through the module using the slide title or using VCR-like controls.
  • Labs: Labs are hands-on training exercises in IT-related topics using virtual machines. Each Lab has an accompanying walkthrough document and can be reserved and ‘taken’ using the browser.

All of the materials except the labs are available to the public, without having to sign up or anything. The hands-on labs are available only to organizations that have a relationship set up with CERT. There's no obvious information on the site that indicates how to establish that relationship, but I did a Google search and found a brief announcement on the Carnegie Mellon University site indicating that emailing the VTE support email address (which is available on the VTE site link, below) is the way to find out more.

Access the CERT VTE at: http://vte.cert.org/



Monday, 30 January 2006 10:00:07 (Pacific Standard Time, UTC-08:00)
 Sunday, 29 January 2006

The Microsoft Download Center has a new audio podcast available (MP3 and WMA formats are listed) titled "How Microsoft IT Implements Encryption Using SQL Server 2005."

Podcasts appear to be a new thing there (the first one was posted on January 19th), although I am not sure the technical name of "podcast" is accurate in this case, since I don't find an RSS subscription feed anywhere that points to the files, and that's kind of half of what makes it a podcast. If anyone can find an RSS feed for these, please let me know.

But at any rate, there's some good content there. If you're an IT pro looking for some good drive time geek out audio, click here to search for podcasts on Microsoft Downloads. I'm grabbing "Podcasts: How Microsoft Information Security Protects Critical Information Assets" for my flight to North Carolina on Monday. Between that and the Battlestar Galactica season one video, I think I'll have plenty of content to keep me busy between powerpoint deck edits.

(via Chris Pirillo)



AudioBlogging | IT Security | Tech
Sunday, 29 January 2006 22:34:47 (Pacific Standard Time, UTC-08:00)

Dude. You think Robert Hamburger's the bomb? (You're right if you do, by the way)

Well then you MUST check out the Ask a Ninja video podcast blog thingie.

"You've got questions. Ninja's got answers."

Go here, don't delay: http://askaninja.blogspot.com/

Hahah. Sweet, super sweet. You can also subscribe to the video podcast in iTunes.



Humor | Random Stuff
Sunday, 29 January 2006 00:04:11 (Pacific Standard Time, UTC-08:00)
 Saturday, 28 January 2006

CNN has an article that covers the 25 worst words you can use in your resume. Why are they so bad? In a nutshell, because:

a) everyone uses them, so there's no originality, and
b) they don't really mean anything

Seriously. Read the article and then do something about it. I've looked at a couple hundred resumes in the past month or so and this article is spot on. Good advice that needs to be read by all.

Resumes are (or, rather should be) about standing out from the crowd on the merits and saying something real, so take the time to do it well. That's what the potential employer is looking for.

Oh, and never be your own resume editor. Always rely on a hard-core, ruthless and smart copy editor to point out your flaws. And if that makes you uncomfortable, find a therapist or trusted friend to help you with that character problem and you'll not only get over that hump, you'll also probably interview better.



Random Stuff
Saturday, 28 January 2006 21:49:17 (Pacific Standard Time, UTC-08:00)

If you're a geek and you don't know what Gnomedex is, you're truly missing out on something amazing. It's an annual conference, spawned from the brain of Chris Pirillo, and it's an event where a whole slew of the ultimate geeks and even some nerds gather and talk about all kinds of cool stuff. For example, last year IE7 was demo'ed for the first time at Gnomedex, where the IE team announced and showed off RSS integration in the browser and Longhorn/Vista OS. And many, many other interesting presentations were made. But most importantly, the people you meet are awesome.

There are 300 seats in the main hall. 100 are already sold. If you're going (or think you might be), act now! If you know a true geek and want to give him or her a great gift, a Gnomedex ticket and a trip up to Seattle is a terrific thing to do for someone.

Be there and be square. Word.



Geek Out | GnomeDex | Random Stuff
Saturday, 28 January 2006 21:25:51 (Pacific Standard Time, UTC-08:00)

I've been a South Park fan ever since it came out. Who woulda' thunk these cartoons would become such a phenomenon. I laugh my ass off every time I watch it.

I have to say that at $1.99 an episode, it's a bit pricey - maybe buying the DVD sets online (you can find some good deals if you look) might work better for some people. But for the convenience factor, and in terms of iTunes store's expansion into the video content arena, this is cool.

South Park on the iTunes Music Store - click here to open in iTunes

Comedy Central and Apple just added South Park, Drawn Together (never really watched that one) and Best of Comedy Central Standup to the iTunes store.



Humor | Random Stuff
Saturday, 28 January 2006 13:38:13 (Pacific Standard Time, UTC-08:00)

Published just this month, an important whitepaper is now available that provides authoritative information about applying the "don't run as admin" concept in the real world.

Should you care? Yes. Absolutely. Why? Because running as an administrator or high-privileged user opens the door to malicious software ruling your world by potentially damaging your computer and data, compromising confidential information, and harming your company's reputation and business relationships. Put simply, you should do it because it's now possible, because with Windows Vista it will be enabled in terrific ways that reduce the pain, and just because it makes obvious good sense.

Users will download and install software they're not supposed to. Policies don't solve technology problems; rather, they guide solutions to people problems. Users will take CDs they bought with a major record label on the sleeve and stick them in their CD-ROM drives, whether or not they are supposed to, and we've all learned recently that you cannot trust major record labels to produce safe, appropriate software. Users will surf to web sites and (regardless of how much education and prevention you do, and how many times you tell them never to click on that stupid thing that says their computer might be infected) they'll click and download and even install software that wreaks havoc, logs keystrokes or does any one of a thousand other bad things.

People and process changes and preventions are important - don't get me wrong. We need to educate and provide standards, and we still need to hold people accountable for behavior. But that does not remove from us the responsibility to make proper and correct technology decisions when it comes to operation and implementation security. Period.

People, process and technology - it's a combination of all three of these, in careful balance, that makes a true security ecosystem work.

But making changes like this is, honestly, something that most business and technology people avoid, because they're afraid they won't be able to operate that way. Or they're afraid someone will complain. Sorry guys, not a good enough reason, not anymore.

So... What's the problem we're trying to solve? From the paper:

"A significant factor that increases the risks from malicious software is the tendency to give users administrative rights on their client computers. When a user or administrator logs on with administrative rights, any programs that they run, such as browsers, e-mail clients, and instant messaging programs, also have administrative rights. If these programs activate malicious software, that malicious software can install itself, manipulate services such as antivirus programs, and even hide from the operating system. Users can run malicious software unintentionally and unknowingly, for example, by visiting a compromised Web site or by clicking a link in an e-mail message."

The least-privileged user model belongs to a layered, defense-in-depth style of security. We cannot rely on any one layer to solve all our malware problems, but the fact is this: if all computer users already ran with least-privileged accounts, malware incidents (spyware, adware, etc.) would be significantly fewer. In the real world we are stuck needing to make a change; for the future, we will do well to remember how taking the easier route early in a technology phase can come back to bite us later.

"A defense-in-depth strategy, with overlapping layers of security, is the best way to counter these threats, and the least-privileged user account (LUA) approach is an important part of that defensive strategy. The LUA approach ensures that users follow the principle of least privilege and always log on with limited user accounts. This strategy also aims to limit the use of administrative credentials to administrators, and then only for administrative tasks.

"The LUA approach can significantly mitigate the risks from malicious software and accidental incorrect configuration. However, because the LUA approach requires organizations to plan, test, and support limited access configurations, this approach can generate significant costs and challenges. These costs can include redevelopment of custom programs, changes to operational procedures, and deployment of additional tools."

Small and large organizations (of all types) are faced with this problem. While it's not the end of the world, it's often not a trivial task to change to a least-privileged computing model if you're already deployed in a mode where all users are administrators. This is common in software companies and other places where people have liberal privileges in order to provide ultimate flexibility in their development and design work.

I should also note that in Windows Vista, the next version of Windows, there are significant improvements in the operating system that will make it completely feasible to apply a least-privilege user model to every single computer, while affording users the ability to install software and make appropriate configuration changes in a controlled and safer environment. In my opinion, any shop that deploys Vista when it's available and does not take advantage of this security capability is negligent (and there will be many companies where that will happen, just watch). Find out more about Windows Vista User Account Control (UAC) at the Microsoft Technet site pages that cover the subject, and be sure to read and subscribe to the UAC Team Blog.

I highly recommend this whitepaper. It cuts to the chase and explains things in a clear and concise way, while addressing real world concerns and providing links and references to third-party tools and information. If you run a network or a dev shop, or if you're in any way responsible for secure computing, this is a paper you need to get familiar with.

Description and summary of the whitepaper from the Microsoft download page:

This 100-level technical white paper provides information on the principle of least privilege and describes how to apply it to user accounts on Windows XP. The paper covers the following topics:

  • Risks associated with administrative privileges
  • Definition of the principle of least privilege
  • Definition of the least-privileged user account (LUA) approach
  • Benefits of the LUA approach
  • Risk, security, usability, and cost tradeoffs
  • Implementing the LUA approach
  • Future developments

This paper also describes at a high-level the issues that affect implementation of the LUA approach and provides useful links to other online resources that explain these concepts in more detail.
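As an added example (this is not code from the whitepaper or from this post), here is a PowerShell script a practitioner might use to measure how far a machine is from the LUA model: it reports whether the current session carries an administrator token and lists the members of the local Administrators group, flagging anything outside an approved list. It assumes Windows PowerShell 3.0 or later and uses the ADSI WinNT provider so that it runs without extra modules; the approved account names are placeholders to replace with your own.

```powershell
# Added example, not from the whitepaper or the original post.
# Assumptions: Windows PowerShell 3.0+; the approved-account list below is a
# placeholder that must be replaced with the accounts your organization allows
# in the local Administrators group.

# Does this session run with an administrator token? Everything launched from
# it (browsers, mail clients, installers) inherits the same rights.
function Test-RunningAsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Enumerate the local Administrators group through the ADSI WinNT provider,
# which is available on every supported Windows version without extra modules.
function Get-LocalAdministrators {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $name = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
        $path = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
        # AdsPath looks like WinNT://DOMAIN/user, WinNT://COMPUTER/user or
        # WinNT://DOMAIN/COMPUTER/user; the component before the name is the source.
        $parts  = ($path -replace '^WinNT://', '') -split '/'
        $source = $parts[-2]
        [pscustomobject]@{ Account = "$source\$name"; AdsPath = $path }
    }
}

# Flag every member that is not on the approved list. The defaults are
# hypothetical placeholders.
function Find-UnapprovedAdmins {
    param(
        [string[]]$Approved = @("$env:COMPUTERNAME\Administrator", 'CORP\Domain Admins')
    )
    Get-LocalAdministrators | Where-Object { $Approved -notcontains $_.Account }
}

if (Test-RunningAsAdmin) {
    Write-Warning 'This shell has administrative rights; everything launched from it inherits them.'
}
Find-UnapprovedAdmins | Format-Table -AutoSize
```

Run it from the account a user normally logs on with: if the warning fires, that user is not running as a limited user, whatever the policy says. For one-off administrative tasks from a limited account, the built-in `runas /user:COMPUTER\Administrator "mmc.exe compmgmt.msc"` starts only that one program with administrative rights instead of the whole session.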



IT Security | Safe Computing | Tech
Saturday, 28 January 2006 09:51:48 (Pacific Standard Time, UTC-08:00)
 Thursday, 26 January 2006

Omar Shahine sent me a message inviting me to sign up for Live Contacts this evening. It's a service that ties together your Messenger address list, Hotmail/Live Mail contact lists, and MSN Spaces profile info (all, of course, associated with your Passport identity), and lets you subscribe to someone else's contact info. Once subscribed, any time someone on your Live Contacts list changes their contact info, it changes in your list. So, it's always connected and up to date.

Plus, you can choose how much of your personal and business contact info to share (granularly), and with whom to share it.

Start by logging into your Spaces profile (mine's here, not used much to date) and then you can share your contact info with others. Choose "Edit Profile" on your space page, and scroll down to the "Contact Information" section - that's where you can specify how and with whom to share your info. It'll always be up to date in other people's Messenger and Hotmail/Live Mail apps.



Tech
Thursday, 26 January 2006 22:41:33 (Pacific Standard Time, UTC-08:00)

Microsoft Security VP Mike Nash answers a stack of questions posed by Slashdot readers. The Q&A is pretty good. Nash provides substantial answers to some fairly pointed questions. One thing is clear, both in the answers and in my own experience: Security is hard - if in no other way, then from the standpoint of overcoming the many cultural and technical hurdles.

Nash covers a broad range of important topics and addresses many, many issues. Click on over to read it, but here are a couple of very brief excerpts:

On code security and secure code review processes:

"Two or three years ago, we had a vulnerability in Windows Media Player where an attacker could send out a piece of media content with a malformed copyright field and because of a flaw in the code that parsed the copyright, the attacker could over run a buffer and run arbitrary code on the machine. So the question was, should the developer of the Windows Media Player have thought about that kind of attack and take steps to prevent it? Remember, we want the people writing the Media Player to make the world's best media player. The answer has to be YES! While you could have a tiger team work around the organization reviewing all of the code in every product that we ship, that doesn't scale. You could never have enough dedicated security expertise; if they made changes they might break something since they really couldn't understand the details of the code they are making more secure. This works for final reviews, but final review needs to be like the guard rails on the side of the road -- they are a great last resort, but we need better drivers! So we trained everyone. Key thing here is that we also learn new things over time (better tools, new threat vectors, and new scenarios) so the training has to be continuously updated."

And on the cultural challenges of prioritizing security:

"Culture is a huge issue as well. Microsoft is a company that is very focused on technology, very focused on business, and very focused on the competition. Getting groups to put security high in their list of priorities was a super hard thing to change at Microsoft. Four years ago, I used to have to have frequent conversations with teams who would tell me that they couldn't go through the security review process because they had competitive pressures or had made a commitment to partners to ship at a certain time. Today, generally, people get it. It's now clear to us that security is a competitive and business priority. While I still see escalations from people who want exceptions, the numbers are pretty low. A big change from four years ago is that when I say no, I get great support from above me in the organization."

If you're even tangentially involved in security for your organization, and especially if you're a technology company, this Q&A is definitely worth the read.



IT Security | Safe Computing | Tech
Thursday, 26 January 2006 20:50:06 (Pacific Standard Time, UTC-08:00)

I've received a number of requests for Windows Live Mail invitations recently, due to my recent post offering up Windows Live Messenger account invitations. I don't have any Live Mail invites, but I'd suggest you sign up here and see what happens. At least one person to whom I suggested this signed up today and received his invitation today, as well:

(Windows Live Mail is the new version of Hotmail, currently in beta test mode and available only by invitation, which you can sign up for at the above addresses)



Tech
Thursday, 26 January 2006 18:04:04 (Pacific Standard Time, UTC-08:00)

From Mark Harrison's weblog:

All Windows SharePoint Services customers are entitled to an extended free trial of Antigen for SharePoint. This trial version will be active through June 30, 2006.

To download, simply go to
www.sybari.com/wss and fill out the form.

Antigen for SharePoint allows Windows SharePoint Services users to collaborate without the risk of uploading or downloading infected documents or inappropriate content.

The simple and honest fact is that many people who have deployed WSS or SPS don't run any anti-virus software on their SharePoint implementations, and that's a huge mistake. Running plain-ol' AV on the server's file system is exactly the wrong thing to do, because all the SharePoint documents are stored in the SQL Server database where regular file-scanning AV can't see them. And besides that, running real-time AV scans of a SQL database file (which is constantly changing) is a supreme resource and performance killer if there ever was one, which is why SQL data and log files are normally excluded from real-time scanning in the first place. What you need is a scanner that hooks into SharePoint itself and checks documents as they are uploaded and downloaded.

I've worked with Sybari's Antigen products on both SharePoint and Exchange for several years. In my book, it's the best thing in AV-Land since sliced bread. So check it out.



IT Security | SharePoint | Tech
Thursday, 26 January 2006 00:41:07 (Pacific Standard Time, UTC-08:00)
 Monday, 23 January 2006

Life, work and everything else is pretty crazy these days. I'm tentatively scheduled for some major surgery on my lower back in February, and my day (and evening) job is hectic and quite challenging in many ways (but I'm not complaining). Add everything else that happens in life into the mix, well... Recently it's been just a bit overwhelming at times.

I've traveled more than usual lately. One of the things I found made it more bearable (besides wearing my rigid back brace on airplanes - thank goodness for that stupid thing) is the new iPod video model I recently picked up. I discovered Battlestar Galactica, the revived show that everyone and their brother has apparently seen and raves about. Now I can see why they rave. I used to watch the original series when I was a kid - it was the greatest show on TV for a period of time, at least in my book. So, I purchased the pilot mini-series of the new, modern version via iTunes a couple weeks ago and watched it on my flights to Philly and Pittsburgh. What a great show. Definitely made a couple long flights much more sane. I downloaded the first season of the show the other night and will start watching that soon.

Some of you know I've had back problems for some time. I now have back surgery set for February 15th in Seattle. There are some tests that I have to get done before then, too (bone scan, labs, etc.). From what the doc says, I guess I will be relatively out of it for a while - at least a few weeks. It's quite an intimidating prospect, actually: I have never had major surgery before, so I am more than just a little nervous, even though the doc is terrific and has tons of experience. More on that later, maybe when the day gets closer. Afterward it will certainly make for an interesting and geeky bionic-man kind of tale, assuming all works out and the surgery actually happens. First things first.

Have you ever had major surgery? Care to share your experience? Mine will be an anterior (read: from the front) approach to the lumbar spine (at L5-S1), where they'll remove the disc and then do their handiwork. Not too common, but maybe there's someone else out there who's been through that sort of thing. If so, let me know.



Kineflex Artificial Disc Surgery | Personal Stories | Random Stuff
Monday, 23 January 2006 18:30:48 (Pacific Standard Time, UTC-08:00)
 Saturday, 21 January 2006

The mind can really play tricks with what the eye sees. This short video is a great example of a really cool optical illusion.

Update: Reader Rocco points out the Grand Illusions Web site, where you can download a PDF file that contains the pattern to cut out and fold, along with instructions. Very cool! Print it on your color printer and amaze the kids!

The site has a number of other cool optical illusions worth checking out, as well.

Know of any others? Drop a line!

(via Digg)



Random Stuff
Saturday, 21 January 2006 14:45:28 (Pacific Standard Time, UTC-08:00)
 Wednesday, 18 January 2006

I'm in Pittsburgh, after spending the day with some cyber-forensics folk and seeing first-hand how law enforcement, business and academia are working together and actually sharing real information with each other to fight cyber crime. It's really very cool, a lot like taking community policing to the online world and its players. And the best part is, it's a community that works. Lots of creative thinking going on there. Like a candy store for a forensics geek.

It's also similar in ways to the success of business blogging, actually. Why do I mention that? Robert Scoble and Shel Israel are out and about these days promoting the launch of their new book, called Naked Conversations, and I noticed one similarity between community policing and corporate blogging: The desire and success in getting the real faces and personalities of important people who would otherwise be inaccessible out into the community - the movers and shakers of the make-something-happen variety. In a community policing model, we expose individual law enforcement officers, business workers and citizens from the community to each other in a collaborative communication environment, allowing each member to own a part of the problem and solution. The corporate/business blogging model can do effectively the same thing - opening up the hidden world of the big, bad business machine, breaking down the traditional corporate walls, making it individual and human and allowing the customer to take some participative ownership in how things happen.

Anyhow, Robert's in Pittsburgh today, too, and it's his birthday (Happy birthday, dude). He was here to speak at the university and to do some book promotion. We met up for a quick breakfast this morning and I grabbed a copy of his book from the Barnes and Noble store to read on the way home tonight. So far it looks pretty cool, fun to read and it appears to cover the bases quite well. Recommended.

Oh, and since every entry requires a tangent topic: There's free WiFi in the Pittsburgh airport, just like Portland. And Pittsburgh's a cool city - lots of old buildings and bridges. It's been a while since I was here last, I'd forgotten what it was like.



Random Stuff
Wednesday, 18 January 2006 13:43:18 (Pacific Standard Time, UTC-08:00)
 Sunday, 15 January 2006

As tends to happen from time to time, some sudden attention on the 'net (starting with the Security Fix blog at the Washington Post) has been paid in the last couple of days to what has been misleadingly described in some places as a "flaw" in Windows wireless networking. In reality, that's not quite the case. The potential problem (which some might argue is actually a feature) is an understood, as-designed consequence of the spec governing dynamic configuration of IPv4 link-local addresses (RFC 3927; see section 5). The authors of the spec even noted the potential risk and discussed the importance of taking it into account in design and deployment:

"The use of IPv4 Link-Local Addresses may open a network host to new attacks.  In particular, a host that previously did not have an IP address, and no IP stack running, was not susceptible to IP-based attacks.  By configuring a working address, the host may now be vulnerable to IP-based attacks." (read the spec)

Unfortunately, some have stated incorrectly that this represents an unknown or recently-discovered security hole or flaw. That's just not the case. This is, however, something that people should be aware of if they use or manage portable computers with wireless networking cards.

The problem is that Windows remembers the last wireless network name (SSID) you successfully connected to and, when the card can't find that network, keeps advertising the same SSID in ad-hoc mode while the adapter holds a link-local address from the 169.254.0.0/16 range that RFC 3927 defines. Someone within radio range who knows this can bring up an ad-hoc network with the same name, take an address in that same predictable block, and try to connect to your computer. Yeah, it's technical, but it's not too hard to protect yourself.

The first thing you should already have in place - and if you don't, you need to take care of this now - is a firewall to protect access to and from your computer. It's amazing how many problems can be mostly or completely mitigated with a decent and properly configured firewall. If you block incoming traffic with the firewall, then access to the wireless adapter is nowhere near as big of a deal.

On the technical side, there are a couple things that can be done to resolve the specific issue at hand. The most logical (and second most technical) step is to configure the network adapter in Windows to only allow infrastructure connections (to access points), and not Ad-Hoc connections (to other wireless cards in peer-to-peer mode). This can be done individually (on a specific computer by the user or administrator) or in a more automated fashion across a security domain (see below).

On a Windows computer, you can also get all geeked out (this is the more technical step) and disable Automatic Private IP Addressing (APIPA), the feature that assigns a 169.254.x.x address when no DHCP server answers. See this page for details on disabling it if interested, but use it at your own risk: it involves editing the registry. It's this common and predictable address space that could let someone else try to snoop into your computer if you had none of the other standard protections, like firewalls and directory security, in place.

An even better option - where available - is to have your Windows Domain administrators control the setting for any group of computers managed by the domain's Group Policy. To do this, navigate in the Group Policy editor to:

Computer Configuration > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies

You'll notice there's nothing listed in that section by default - that's because you have to create your own policy if you want to take advantage of the features available. To do so, right-click in the empty space and choose to create a new wireless policy. You'll give it a friendly name and the wizard will walk you through the steps required to set up your new policy. On the properties page (see below), you'll note an option is available to specify the network types to which you want to allow access. You can choose "Access point (infrastructure) networks only." Note that selecting this forces every computer to which the policy is applied to use access point networks only (so wireless peer-to-peer networking without an access point - which is exactly the issue we're trying to mitigate - will no longer work).

[Screenshot: properties page of the new wireless network policy]

Some companies use these settings to ensure that the only wireless networks their business computers access are pre-approved ones, but that means a tradeoff between security and convenience, and road warriors often want and need to use public access points for any number of reasons. How deeply and widely you apply the policies is a business decision - just be sure to consider all the potential business effects and consequences.

Note again that fixing a problem in just one place or in just one layer is most certainly not the right way to solve problems like this. Rather, taking a defense-in-depth approach, where you block access at as many layers as possible, is the way to approach network security issues.

For example, let's go back to enabling the software firewall on your computer - whether it be the Windows Firewall that is part of Windows XP SP2, or a third-party firewall from a company like Symantec or others. This is another critical layer. Having a properly configured firewall in place helps ensure access to your computer is protected, even if the wireless connection is "open." Layering protections helps keep problems out, and also gives you a way to temporarily relax any one of the protections when needed in order to accomplish a specific task, without leaving the machine wide open.
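As an added example (not code from the original post), here is a PowerShell script that audits each of the layers described above on a single Windows laptop and, with -Remediate, applies the two that are plain machine-local settings: it reads the Windows Firewall state from the FirewallPolicy registry keys, reads and optionally clears IPAutoconfigurationEnabled (the APIPA switch documented in Microsoft KB220874) on every interface, and on Windows Vista or later adds a netsh wlan filter that denies all ad-hoc networks. The script name and the assumption that these registry locations apply to XP SP2 and later are mine; the netsh wlan context does not exist on XP, so there the ad-hoc restriction has to come from the policy UI shown above.

```powershell
# Audit-WirelessLayers.ps1  (added example, not code from the original post)
# Usage, from an elevated prompt:
#   .\Audit-WirelessLayers.ps1              # report only
#   .\Audit-WirelessLayers.ps1 -Remediate   # also disable APIPA and deny ad-hoc SSIDs
# Assumptions: registry locations are the documented ones for Windows XP SP2 and
# later (IPAutoconfigurationEnabled per KB220874; SharedAccess\...\FirewallPolicy
# profile keys for Windows Firewall). 'netsh wlan' exists only on Vista and later.
[CmdletBinding()]
param(
    [switch]$Remediate   # disable APIPA on every interface and deny ad-hoc networks
)

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$fwPol = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Read a REG_DWORD, returning $Default when the value (or its key) does not exist.
function Get-DwordOrDefault {
    param([string]$Path, [string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

# Layer 1: host firewall. EnableFirewall=1 under a profile key means the firewall
# is on for that profile; a missing value means the default, which is on.
Write-Host '== Windows Firewall =='
foreach ($fwProfile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $key = Join-Path $fwPol $fwProfile
    if (Test-Path $key) {
        $enabled = Get-DwordOrDefault -Path $key -Name 'EnableFirewall' -Default 1
        Write-Host ('{0,-16} EnableFirewall={1}' -f $fwProfile, $enabled)
        if ($enabled -ne 1) { Write-Warning "$fwProfile firewall is OFF" }
    }
}

# Layer 2: APIPA, the 169.254.0.0/16 self-assignment used when no DHCP server
# answers. A per-interface value overrides the global one for that adapter.
Write-Host '== APIPA (IPAutoconfigurationEnabled) =='
$globalApipa = Get-DwordOrDefault -Path $tcpip -Name 'IPAutoconfigurationEnabled' -Default 1
Write-Host "Global default: $globalApipa"
Get-ChildItem -Path "$tcpip\Interfaces" | ForEach-Object {
    $guid = $_.PSChildName
    $val  = Get-DwordOrDefault -Path $_.PSPath -Name 'IPAutoconfigurationEnabled' -Default $globalApipa
    Write-Host ('{0} IPAutoconfigurationEnabled={1}' -f $guid, $val)
    if ($Remediate -and $val -ne 0) {
        Set-ItemProperty -Path $_.PSPath -Name 'IPAutoconfigurationEnabled' -Value 0 -Type DWord
        Write-Host "  -> APIPA disabled on $guid (effective after the adapter renews or a reboot)"
    }
}

# Layer 3: ad-hoc wireless. On Vista and later a wlan filter that denies every
# ad-hoc network is the machine-local equivalent of the Group Policy setting.
Write-Host '== Ad-hoc wireless =='
$filters = & netsh wlan show filters 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Host 'netsh wlan is not available on this OS (Windows XP); use the wireless policy UI instead.'
} else {
    $filters | ForEach-Object { Write-Host "  $_" }
    if ($Remediate) {
        & netsh wlan add filter permission=denyall networktype=adhoc | Out-Null
        Write-Host '  -> deny-all filter for ad-hoc networks added'
    }
}
```

Run it once without -Remediate and read the output before changing anything: a domain-joined machine that already receives the wireless policy from Group Policy will show that in the filter list, and disabling APIPA on a machine that genuinely relies on link-local addressing will break that use.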



IT Security | Safe Computing | Tech
Sunday, 15 January 2006 12:35:14 (Pacific Standard Time, UTC-08:00)

People are certainly interesting, especially when given the ability and opportunity to say whatever's on their minds uninterrupted. Whether they should or not. Of course, "should" is a relative term, determined by both listener and speaker. And they won't always agree.

Brad Fitzpatrick - of LiveJournal fame - has created a continuous stream of public Internet audio blog posts recorded by LiveJournal users. I think I'll call it Brad's People Aggregator. It's colorful, random, strange and interesting. Sometimes funny, sometimes just crude. And you never know what you'll hear (good, bad or otherwise).

NOTE that the language and content of the audio posts is almost guaranteed to contain loud, crude, vulgar language.

People dial in to a number that allows them to post to their LiveJournal accounts. It's apparent that elevators and airports bring out interesting behavior in people. Now, I'm not so sure recording an audio post about your marijuana growing operation is really all that great an idea - but whatever. Also not convinced that talking about the court date you just had and how you have to go to the mental health office for your appointment is a great idea, but again, whatever... It's certainly an honest and unique slice of the real world, and that means real people (along with their collective reasoning, language, intelligence and behavior).

I suppose it's a great way to discuss and complain about stuff, but in a way where no one is there to tell you why you're SO FREAKIN' WRONG. Heh. Hmmm, there's probably some serious psychology to be done there - Something about how our interconnected world actually makes us more isolated even though everyone is so "close."

Here's the link...

Enjoy.



AudioBlogging | Random Stuff
Sunday, 15 January 2006 09:11:09 (Pacific Standard Time, UTC-08:00)

Saturday, 14 January 2006

I laughed out loud for some reason when I read some of Trevin's comments from his trip to the Consumer Electronics Show earlier this month, where he listed a number of not-so-hot items from the super-mega-tradeshow of the gadget industry.

One of the more amusing categories in his post is "Weirdest celebrity coupling: Snoop Dogg and Donny Osmond."

XM had Snoop Dogg appear, then about 30 mins (later) they had Donny Osmond.  They had to have met at some point -- wtf did they talk about? 
 
Snoop Dogg: "Hey Don-dogg, what's the shizzle?"
Donny: "What?"
Snoop Dogg: "Fo sho"
Donny: "What?"
Snoop Dogg: "Peace out dogg"
Donny: "What?"
Heh!
 
Check out Trevin's "Oddest and Worst of CES 2006" list here, and be sure to also read his "Best of CES 2006" list. That way you'll be sure to walk away well-balanced.


Humor | Random Stuff
Saturday, 14 January 2006 15:41:00 (Pacific Standard Time, UTC-08:00)

Friday, 13 January 2006

Humor
Friday, 13 January 2006 21:54:22 (Pacific Standard Time, UTC-08:00)

Thursday, 12 January 2006

From CBC in Canada comes a hilarious video from Rick Mercer's show - The Mercer Report - demonstrating the latest in apparel for the Blackberry user. Should be mandated by OSHA in all high-tech office settings:

Check out the Blackberry Helmet Video at:

http://www.cbc.ca/mercerreport/videos/blackberry.wvx

(note - in non-USA style, there's some slightly-blurred-out nudity in this, so if you can't handle it, don't click - but hey, the video is funny)



Humor | Mobile | Tech
Thursday, 12 January 2006 23:34:57 (Pacific Standard Time, UTC-08:00)

Tuesday, 10 January 2006

I broke down last week and bought an iPod. I got the 60GB model (5G iPod Video, black) and it's a pretty cool device. Not without its quirks, but cool for sure. I like it, and I'll be adding some of the available (expensive) accessories as soon as I figure out which of the zillion accessory manufacturers actually makes something worth buying. Talk about a zoo...

iTunes is all hooked up (pretty cool app dontcha know), a few podcasts are subscribed (small list below for people who are interested) and a couple movies have been loaded. Great video conversion information and help can be found here, by the way. I've only bought one song on iTunes so far, and that will probably change but I think it says something that after having this thing for a week I've used it primarily to load some video for traveling and to subscribe to syndicated content (audio and video podcasts).

I really, really wish - every time I look at an apple product package - that they would at least tell me what is included and what's not. I know, I know... I could just ask any random human being on the street what came with their iPod and the zoo of accessories they own, since I am like the last person in the world to buy one of these things, but seriously - no compact wall charger? Leaving out the iPod dock is crazy enough, but I figured there would at least be an AC-outlet-to-USB thing in there.

One thing I learned early on: When it says "do not disconnect" on the screen, regardless of the fact that the message stays there for-freakin-ever, it's best not to disconnect it. If you do, and your iPod starts an endless cycle of reboot, power up, power off, flash the display, reboot, power up, power off, flash the... Yeah, anyhow the iPod updater has a "Restore" option that nukes the iPod, reformats the hard drive and installs all the software from scratch. Works wonders.

Oh and another thing - I can only sync this $400 device to one computer? Seriously? Ok, so I can hook up to a second computer and as long as I don't choose auto-sync, I can manually move files to the iPod. But this is not so good: Mac and Windows synced iPods are not compatible? Jeez, there's something worth spending some serious dev time on. Using the iPod updater to reformat the thing so I can use it on the Mac mini doesn't solve any problems, it creates them. And there's no way I'm buying Apple computers just to work with the iPod.

Oh, and copy-protection and all that RIAA crap aside, iTunes is a service, and it should flow from computer to computer with the authenticated user's settings and content, and I should be able to sync to the iPod anywhere I am logged in. In other words, some content everywhere, and associate the device with my user account, not my computer.

Anyhow, in the accessories department, it's pretty clear I need an iPod dock. I'll have to break down and ask my friends if it comes with a USB cable, or if I have to purchase that separately, too. I won't be shelling out the $20 for Apple's video cable so I can play content on my TV or projector - I think I'll just use one of the almost-exactly-the-same cables I already have lying around the house and just mix up the plugs as described at the Mac Dev Center site:

  • Plug the red RCA plug into your TV's yellow RCA jack.
  • Plug the yellow RCA plug into your TV's white RCA jack.
  • Plug the white RCA plug into your TV's red RCA jack.

Pure. Freakin. Genius. If it works.

But don't get me wrong here. I'm complaining a bit about the proprietary, non-standard and closed nature of the Apple way of business, but this is a terrific piece of hardware, as the marketplace has clearly proven. Audio quality is great. The user experience is simple, flows and just works. But you already know that.

I stopped by a couple of stores the other night between appointments and checked out the plethora of radio-transmitter accessories. I spend a lot of time driving (two hours of commute time daily), so having something that does a good job of transmitting relatively high quality audio to my FM car radio would be nice. On the higher end of the car-audio purchasing spectrum (about $200), the Harman Kardon Drive+Play looks really cool. Not sure if it's video iPod compatible, but I have emailed them to ask. The Monster iCruze also looks nice and it is confirmed to work with the iPod Video models, but I need to make sure my car stereo is compatible - and it's on sale in a huge way as of the time of this writing: $99 for a complete kit. A FAQ page is here.

Oh, and (sidebar comment here) you gotta check out the videos on this page at the HK Drive+Play site - especially the "Title and Registration" one. Heheh...

Below are the few podcasts to which I've subscribed so far. Now that I am coming back to podcasts (my first round with them was more geeky in nature than practical, which is my approach nowadays) the number of shows I am interested in subscribing to is relatively small. I'm pickier. You'll note these all tend to be either professionally produced shows or well-produced indie ones, and that the only common denominator is that they're relevant and matter to me. And none of them are podcasters talking about podcasting. Thank goodness we moved past that phase.

Note: The iTunes interface makes it pretty much impossible for me to figure out where the real home pages are for these podcasts, so it's hard to link you to them, sorry. If someone knows a trick, please tell me (hey Apple - seems like easy access to a phobos.apple.com subscription link plus a standardized "home site" URL in the iTunes XML and UI would be a nice thing to do for sharing subscription links?).

  • Diggnation (video and audio podcasts) - these guys sit around and discuss what's hot on Digg.com
  • Ebert & Roeper - movie reviews from the top critics, weekly audio from the broadcast television show
  • Engadget podcast - ultimate gadget geek site and podcast show (but their RSS feed is broken and iTunes is out of date, ugh)
  • Major Nelson Radio - podcast from inside the world of the XBOX and XBOX Live!
  • NASACast video - this Week at NASA video podcast - just a cool, short video update on what's happening at the space agency
  • Security Now! podcast - consumer-focused security audio show - we really need more security-focused podcasts
  • Superman Returns, Bryan Singer's Journal - The director of Superman Returns video-blogs lots of interesting stuff in the process of the creation of Superman Returns, which is set to hit theaters this year. Professionally produced video shows (I don't think Bryan is shooting any of these, but hey...)


Random Stuff | Tech
Tuesday, 10 January 2006 10:15:04 (Pacific Standard Time, UTC-08:00)

Sunday, 08 January 2006

If you happen to have an HP ScanJet 4C lying around, check out this page and see if you can get it to play classical music for ya. Apparently there's a not-so-well-known command that plays "Für Elise" using the ScanJet's motor. Cool.

Video of the scanner music is here (it's been removed from the original site)

(props to Dave M for the link)



Geek Out | Random Stuff
Sunday, 08 January 2006 18:54:25 (Pacific Standard Time, UTC-08:00)

Saturday, 07 January 2006

The beauty of this fancy new clothing line for the discerning sarcastic person is that those who understand what it says will laugh, while those who don't understand... Well - let's just say some things are perfectly self-defining.

I used to be a cop. I can't tell you the number of times the phonetic alphabet was used to contract colorful descriptions of situations, usually as a quick final status update on a radio call. Like "Tom-Ocean-Tom-David," which is short for Too Old To Drive using the non-military version of the phonetic alphabet. Probably more than you wanted to know, but you get the idea. The point is that there are some things you can't say out loud, and there are other things you can get away with. And hey, don't take any of this too seriously - there really are people who are too old to drive, after all, but it's all relative.

Anyhow...

Oh yeah, and when they say "there are no stupid questions," we all know what a huge lie that is. Hence these t-shirts.

So... For your dry-humored, geeky enjoyment - the Whiskey-Tango-Foxtrot shirts. Please wear appropriately. And remember the first rule of holding others accountable: give them the ticket or give them the lecture, but never do both. Adding insult to injury is uncool. Analogize that and apply it to your own world. You'll go far. Whatever that means.

Ah, the t-shirts. Yeah. Click the images to go to the product pages:

[Images: the two WTF t-shirts]



Humor | Random Stuff
Saturday, 07 January 2006 13:46:32 (Pacific Standard Time, UTC-08:00)

Friday, 06 January 2006

I just went to do a quick Google search and noticed a new line on the page with a link, under the infamous "I'm Feeling Lucky" button:

New! Download the essentials to make your PC just work: Google Pack

One package, several pieces of cool and useful software. And a catchy name. You get a slew of established titles - check them out at http://pack.google.com/

I'm not completely sure I want Google monitoring and updating my software for me, and I'd recommend you take advantage of the "Add or Remove Software" link on the page so you can avoid stuff you don't need (a.k.a. "bloat") and the Real Player (a.k.a. "Evil"). Or whatever you like. Here's what you can package together:

  • Adobe Reader 7
  • Ad-Aware SE Personal
  • GalleryPlayer HD Images
  • Google Desktop
  • Google Earth
  • Google Pack Screensaver
  • Google Picasa Photo Organizer/Editor
  • Google Talk
  • Google Toolbar for Internet Explorer
  • Google Video player
  • Mozilla Firefox with Google Toolbar
  • Norton AntiVirus 2005 Special Edition
  • RealPlayer
  • Trillian


Random Stuff | Tech
Friday, 06 January 2006 22:15:43 (Pacific Standard Time, UTC-08:00)

I have exactly four invitations available [Note: ALL INVITATIONS HAVE BEEN TAKEN - I WILL UPDATE THIS POST WHEN MORE ARE AVAILABLE] for people who would like to get and use the beta of Windows Live Messenger (that's the new name for MSN Messenger v8.0 - it's part of the whole Live family of app services that Microsoft's rolling out).

If you haven't seen it, it's a lot like MSN Messenger combined with the look and feel of an ice cream cone (I mean that in a nice way), with a whole slew of new and enhanced features/functionality - like a UI revamp, a new thing called sharing folders and Internet voice calling.

So, anyhow, the invitations - it's first come, first served. Once they're gone, they're gone - and I only have four left. Please send me an email to make your request (email is greg-at-greghughes.net), and be sure to indicate which email address you want me to send the invitation to. It would be nice if you would also tell me who you are and a little about yourself. You know, that whole community thing.

If you want to find out more about Live Messenger, check out the team's blog here.



Geek Out | Tech
Friday, 06 January 2006 12:54:17 (Pacific Standard Time, UTC-08:00)

Thursday, 05 January 2006

After something like two and a half years of blogging, another calendar year comes to an end. Here's a list of some of my favorites from 2005. A bit belated, since we're already five days into the new year, but what the heck. Why do this? Because I can, of course.

Here are 12 of my favorites - chosen from the 754 blog entries for 2005. And typically not-too-tech-related, I just noticed:



Blogging | Random Stuff
Thursday, 05 January 2006 21:26:37 (Pacific Standard Time, UTC-08:00)

Scott and Chris reminded me that there's a nifty feature in dasBlog that lets me put all the headlines from this weblog for 2005 on one page in a calendar-like view. So, here ya go:

Every single post from the year, listed in a chronological calendar view. All 754 of them. Wow, now that's scary.



Blogging | Random Stuff
Thursday, 05 January 2006 21:08:20 (Pacific Standard Time, UTC-08:00)

A patch for the truly nasty WMF vulnerability on all affected versions of Windows has just been pushed out by Microsoft in an out-of-band release, ahead of the normal monthly cycle. It is described in Security Bulletin MS06-001 (the update itself is KB912919, which is what to look for when verifying that a machine is patched). It's available for your WSUS server and from Microsoft Update, or you can get it by downloading it from the links on the security bulletin web page.

This update resolves a newly-discovered, public vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. Note: This vulnerability is currently being exploited and was previously discussed by Microsoft in Microsoft Security Advisory 912840. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This is a huge one - super critical, as there are many exploits in the wild that are actively taking advantage of this vulnerability. UPDATE NOW!



IT Security | Safe Computing | Tech
Thursday, 05 January 2006 14:01:32 (Pacific Standard Time, UTC-08:00)

On January 12th at 9:00 am Pacific time my boss, Jim Maloney, will be presenting along with George Tubin, a senior analyst at Tower Group, on the topic of preventing fraud in the online banking world. They'll discuss the threats, ways to protect customers, and some tools and processes that can help get the job done. It's a hot topic in the marketplace, and I think many people will find this web cast interesting from a security perspective, regardless of whether or not you work at a financial institution.

There's been a lot of talk and movement in this space in the past few months, after the FFIEC (the Federal Financial Institutions Examination Council, an interagency body made up of several federal agencies responsible for setting banking standards) issued new guidance to banks and other financial institutions saying that something needs to be done to further protect online banking accounts, and that it needs to be done sooner rather than later. The emphasis of the guidance is on a defense-in-depth, layered security approach. Jim and George will be specifically addressing that guidance in the web cast.

You can sign up for the web cast here (uses LiveMeeting). A press release that announces the event is available here.



IT Security | Tech
Thursday, 05 January 2006 07:40:35 (Pacific Standard Time, UTC-08:00)