Archive for category Security

Dear Columbia, you need a java update

So, the winter season is upon us and so are the updates. Yep, I’ve found another one. Was shopping for a new winter jacket the other day in the Columbia store, and what did I come across? You guessed it, another kiosk infraction (and it’s running XP – yuck)!

DSCN2129

Let’s take a closer look at that there kiosk:

DSCN2126

Hmm, how about a bit closer?

DSCN2128

Yep, Java Update Available. Yet another reason why automatic updates are a bad idea (especially on kiosks).


Dear SeaTac, I upgraded your kiosk for you

So the other day I flew in to SeaTac thinking, wow, I haven’t seen any blue screens or problems recently (ok, I did see a few but didn’t have my camera), when BANG. At that moment, walking to catch the bus (yes I take the bus to and from the airport), I came across a kiosk and it had a dialogue box up. Most of the time when I come across a kiosk with a dialogue box it is usually stating it needs a reboot, however this one, strangely enough, wanted to upgrade…something I don’t think should/is/was supposed to be a consumer task. At any rate, here is the kiosk:

DSCF1361

and the close up of the kiosk:

DSCF1360

so, I went ahead and clicked update for the version update for SeaTac. Not sure if you’re now out of EULA or your license allows you upgrades to LogMeIn or not, but hey, you gave me the chance/option to upgrade and as we all know, the newer the better and with software always use the latest and greatest, right?!


Why Yahoo! never made it too far

Disclaimer: I am not a programmer. I did a bit of programming in college and I “dabble” occasionally. I by no means consider myself hard core but the following might assume I think I am.

We all know the hype of IE9 right? It’s the latest and greatest out of the halls of Redmond. They’re suggesting for all of us to upgrade and try it out and see for ourselves it’s the best thing since sliced bread. OK, I took the plunge, I upgraded just like many others will – in order to try it out as well as try to be ahead of the IT curve, in such a case I get asked any questions.

Today, I took my browser to Yahoo! Answers because Bing told me it would have the answer to the question I was looking for. I got there and Yahoo! told me IE9 wasn’t a new enough browser and I should upgrade:

yahoo-answers-upgrade-ie

What’s even more comical is when I click on the Upgrade Now link, in lieu of taking me anywhere it takes me to a page that says:

yahoo faux paux 2

Yep, that’s right. IE8 isn’t available for my system. So, three learning experiences we need to teach Yahoo! in order to get them up to speed:

1. When testing for browser compatibility your programmers might want to use $browser >= $version and not just hard code specific versions

2. P.S. I’m running Windows 7 which runs IE 8 fine although you don’t seem to think so

3. IE8 is not ONLY available for XP, Vista and Server 2008. It comes bundled with Windows 7 which makes it available for that OS too (see number 2 above).
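The point in item 1, as an added example that is not from the original post: a compatibility check that only accepts an explicit list of versions rejects a newer browser (the IE9 on Windows 7 case above), while a minimum-version comparison does not. The User-Agent strings below are constructed samples; `ieMajorVersion` and the two check functions are names chosen for this example.

```javascript
// Added example (not from the original post): a hard-coded list of
// "supported" browser versions breaks as soon as a newer release ships;
// a minimum-version comparison (the post's "$browser >= $version") does not.

// Parse the major IE version from a User-Agent string; returns null when
// the string is not an MSIE UA. Trident-only (IE11) tokens are out of scope.
function ieMajorVersion(userAgent) {
  const m = /MSIE (\d+)\./.exec(userAgent);
  return m ? parseInt(m[1], 10) : null;
}

// Buggy check of the kind the post describes: only versions explicitly
// listed count as "new enough", so IE9 is reported as "too old".
const SUPPORTED_IE = new Set([6, 7, 8]);
function isSupportedHardcoded(userAgent) {
  const v = ieMajorVersion(userAgent);
  return v !== null && SUPPORTED_IE.has(v);
}

// Corrected check: compare against a minimum, so any newer release passes.
const MIN_IE = 6;
function isSupportedMinimum(userAgent) {
  const v = ieMajorVersion(userAgent);
  return v !== null && v >= MIN_IE;
}

// Constructed sample UA strings: IE9 on Windows 7 (the post's case),
// IE8 on XP, and IE5.5 as a genuinely old release.
const SAMPLE_UAS = {
  ie9win7: "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
  ie8xp:   "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
  ie55:    "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
};

// Run both checks on one UA so the difference is visible side by side.
function report(userAgent) {
  return {
    hardcoded: isSupportedHardcoded(userAgent),
    minimum: isSupportedMinimum(userAgent),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, ua] of Object.entries(SAMPLE_UAS)) {
    console.log(name, report(ua));
  }
}
```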


Vegas – The home of XP, DameWare, Messy Desktops, Java, Intel video cards and Sound

I love airports.  What else to do with your free time besides scout out all of the things that shouldn’t be done in public :)  I’ve been to Seattle, Gatwick, Southampton and now let’s take a look at what we can find in Vegas…

DSCF0885 (768x1024) DSCF0888 (1024x768) DSCF0889 (1024x768)

What does the departures board say?  It says I’m running Windows XP and looking closer at the board doing the adverts next to it tells me:

  • They run a Java-based DOS client (DDC Java – version 1.6 even)
  • They use DameWare to remote control their devices (anyone want to sniff port 6129?)
  • They haven’t done too much with the desktop for 14 days as the clean desktop wizard is appearing
  • They have sound on their kiosk machines (why?)
  • They are using the Intel graphics chipset

Come on guys, I wouldn’t want to go gambling in your city with your IT staff…They’re showing their hands making it easy for the opponents to gauge them!


Data Protection…Bah, Who Cares Really

So, on my way to Las Vegas en route to the MVP Summit 2010 and where do I get to travel via?  Of course, my favourite airport London Gatwick :)  Just a note, it’s nigh on impossible for me to “avoid” Gatwick, so every time I get to fly through Gatwick I ensure to keep a look out for interesting things.  If you’re a frequent reader in the past you surely know about their difficulties with the Windows XP monitors and you’ve probably read about my thoughts on the MyMemory automated vending machines (Story1, Story2, Story3).  Well, good news, today all of the monitors I passed were working and the prices in the MyMemory machine were better than before and competitive with Dixons (who now seem to operate two shops in the South Departures Lounge).  However what was worrying was what I came across upstairs.

For those of you who haven’t had the experience of travelling through Gatwick lately, over the past 18-24 months Gatwick has gone through various transformations, one of them being moving the primary security channel from the ground floor to the upstairs just outside the main restaurant.  Supposedly there are more security machines and they can get passengers through more effectively and efficiently.  Personally, I don’t believe it, and in my personal experiences, I’m waiting longer upstairs, but hey ho.  What scared me today though was the sign I came across as part of Gatwick’s further transformations.

Upstairs, after clearing the security channel there was a set of scaffolding to what looked like roof access.  Being the curious type, I approached it and lo and behold, exposed to the outside world – the names and telephone numbers of all of the parties involved in the works on transforming Gatwick.  No, not internal telephone extensions, rather their mobile numbers.  Yep, fully exposed to the public:

gatwick numbers

Now, I know usually you can get information if you work hard at trying to unearth it or uncover it, but hey, here it is open to Joe Public and no strings attached.  You’d like to think that they’d put this sheet behind the door where people who were working on the project – those who would need these numbers – would have secure access to, but nah, let’s throw data protection to the wind and make it visible for everyone.

N.B. For protection of those innocent I’ve blacked out the last two digits of everyone’s mobile, but should you want them, book a flight via Gatwick and as soon as you’re through the security channel, presto, they’re yours for having :)

So, food for thought, if you ever do any contracting work at Gatwick or do work for BAA, I’d ask them their idea of data protection as your mobile number, should you be anyone involved in the project at a level of any significance, will be visible to all.  Thanks again Gatwick and BAA for making my delay all the more interesting by yet again giving me another story to write about your airport :)


What kind of security might your car tell everyone about you?

In 2006 as a valentine’s day present, the UK put in to effect an initiative called Chip and Pin.  What it meant was that you no longer signed for card purchases at the till, rather you entered a four digit code – the same four digit code you enter when withdrawing money from a cash point (ATM).  According to the marketing people:

Chip and PIN is the new, more secure way to pay with credit or debit cards in the UK.

What it actually meant is that anyone who gets your PIN can then purchase stuff as you. No longer needing to practice your signature.

Now, here’s the twist.  There are places that use Chip and Pin who have number plates that are only digits…Here’s an example:

normal number plate

What does that number plate say?  Well it says 35949 and underneath it, Silverline Cars.  Ok, so we know this Alfa Romeo came from Silverline Cars.  No big deal.  However, what if you were to have your number plate personalised or have a four digit number plate? (it’s the “in” thing to have a smaller number as it’s easier to remember)

four digit number

No problem, again we can see this one came from a place called Doyle Motors Honda…Now, here’s where security comes in to play.  Walking down the road the other day I came across the following:

security number plate

I’ve blurred out part of the number, but the biggest concern is what is below the number.  If you click on the photo it gets larger.  I’ve blurred it out, but what it is – the person has not only personalised their number plate, but they’ve gone to the extent of telling you who they are…Why the concern?  Information is ubiquitous today.  Those four digits plus the person’s name gives me loads of information on who they are (and maybe even their pin number), not to mention, there’s probably an online telephone directory (p.s. there is), which now lets me know where that person lives (and yes this person was in the public directory)…

All from their number plate.  Next time you think of having something personalised about yourself and you’re going to make it publicly available, think what it might say about you or even what information it might just be putting in the wrong hands…


Get On ‘Yer Bike (Trike) Google

get on your bike google

As if they aren’t in the news enough already for upsetting China and blaming Microsoft for a zero-day flaw in IE:

<soapbox>

By the way Google, I quote from the MSRC:

Based on our comprehensive monitoring of the threat landscape, we continue to see only limited attacks. To date, the only successful attacks that we are aware of have been against Internet Explorer 6.

We continue to recommend that customers update to Internet Explorer 8 to benefit from the improved security protection it offers.

And, albeit that the successful attacks are only confirmed against IE6, they’re still going to patch it, and they’ll even talk about it:

Please join us Thursday, January 21 at 1:00 p.m. PST for a public webcast where we will present information on the bulletin and take customer questions. Registration information:

Date: Thursday Jan 21
Time: 1:00 p.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032440627

And interestingly enough Google, in your own blog post Thursday May 14, 2009 you state:

We work hard to keep our users safe and secure when using our applications, and we believe that making sure users have the latest software available using automatic updates is a key component of that.

Guess what, Microsoft suggests that and does that too, and if you were updated (similar to your suggestions above), you’d have IE 8 which is safer than Chrome and this attack wouldn’t have been such a big marketing hoorah for you, but at any rate, I digress…

</soapbox>

Google have a bloke on a push bike riding around the UK taking imagery of the National and Historic landmarks…Quite an interesting contraption and if you’re interested more in imagery of this bloke on his pusher, visit the BBC’s In-Pictures review.

If you’re interested in the aforementioned rant about Internet Explorer, I ask you…Which version of IE are you running?  If you’re not running IE 8, why?  Do you not take your car in for service and make sure it’s “up to date”? When you go for an MOT each year to ensure you’re “safe” on the roads, do you not have to do what they suggest to make your car roadworthy?

Microsoft Update is your MOT and your service call all in one…Best of all, it’s free of charge :)


Firefox Fans Skew the Statistics with Funny Math

There are various articles floating around the Internet right now about how Firefox has overtaken IE as the most popular browser in the world…  Let’s have a look at Mike Albee’s Article from the LA Business Tech Examiner

Ok, let’s take a look at the graph referenced in the article:

firefox-beats-ie

A quick analysis of it does show, yes Firefox 3.5 is more popular than Internet Explorer 7, however is IE 7 the only browser Microsoft has and is IE 7 representative of what you call “Internet Explorer”?  No, by no means.  IE is IE6, IE7 and IE8.  Oh one other thing before we get in to the nitty gritty of the stats. The comment about Firefox:

Each new version built upon the project’s original goals of speed, security, and reliability.

So, why is it then that they have to patch it for security holes more frequently than IE?  Here’s a good article describing this:

Report: Firefox Security Superiority a Myth

Interesting thing, it’s a linux based article too, so no bias either.

Anyways back to the numbers, I think it’s interesting how you got to the conclusion that Firefox “trounced” (article headline) IE, because if we add up everything – StatCounter, the same people providing the aforementioned graphs, give us the real result:

real-browser-stats

…and in case you think I’m making this up, here is a URL for you to visit:

http://gs.statcounter.com/#browser-ww-monthly-200811-200912-bar

Looks to me like IE still has a demanding stronghold on the market – in fact if my math proves me right – I think that 60% (about what IE has) is DOUBLE 30% (what Firefox has)….

What’s next?  Linux being more popular than Windows (95)? 😉


InformationWeek and Virtualisation – Take it with a grain of salt

DISCLAIMER: Yes, I’m a Microsoft MVP, MCT, MCITP, CCNA and hold various other certifications, however when I write articles I will take the view that there might be a better technology out there than Microsoft, but I will ensure I write articles with the proper facts being portrayed and not try to put a “media” spin on things.

OK, now that’s over, let’s look at what has got me revving.  A bloke called Elias Khnaser has written an article for Information Week entitled “9 Reasons Enterprises Shouldn’t Switch to Hyper-V”.  He didn’t put a disclaimer at the top, but Elias works for a company called Artemis Technology and if you go to their “Partner” page, Artemis is a VMware Enterprise Partner and they consider this one of their “Spotlights” compared to their Microsoft Gold Partner status which is just listed as a valued partner.  (UPDATE: since writing this article, the logo has changed to include their areas of expertise and has been fixed, however at the time of writing the logo was “warped” and furthermore if you moused over it, the description about the partner was set to “information to come”, whereas all of the other valued partners seemed to have descriptions).

Anyways, let’s look at the article…

1. Breadth of OS Support….:

Hyper-V, however, supports only Windows and SuSE Linux

Hmm:

http://www.microsoft.com/windowsserver2008/en/us/hyperv-supported-guest-os.aspx

Microsoft support more than just Windows OS’s and SUSE.  Here’s another page I’d like to steer Elias to:

http://boincstats.com/stats/host_os_stats.php?pr=bo&st=0

OK, so it’s a piece of software, but what does it say? Yep, that says of the top 15 OS’s 12 are Microsoft’s, so why support such a breadth of OS’s if there’s no need to…Anyways, I digress.  Let’s carry on:

2. Memory Management

In this article it goes in to Memory management and talks about how Microsoft just say throw more memory at the situation whereas he states VMware can overcommit and utilise more memory…Interesting, in contrast to this article:

Performance Tuning Best Practices for ESX Server 3

That white paper clearly states:

Avoid frequent memory reclamation.  Make sure the host has more physical memory than the total amount of memory that will be used by ESX plus the sum of the working set sizes that will be used by all the virtual machines running at any one time.  (Note: ESX does, however, allow some memory overcommitment without impacting performance by using the memory management mechanisms described in “Resource Management Best Practices” on page 12 [of this document].

key word of course is *some*, yet everyone knows you never overcommit memory in a production environment (thanks to my friend Mitch Garvis for the heads up on this one – A Brief Discussion of Security with Regard to Resource Over-Commitment in VMware)

3. Security

Well, don’t get me started on this one as VMware has a kernel infrastructure that means if you inject one malicious driver into the Hypervisor layer it can (and will) affect EVERY VM you have.  Hyper-V does it differently.  Here’s a reference for the differences:

http://4sysops.com/archives/the-difference-between-the-microsofts-hyper-v-and-the-vmwares-esx-hypervisor/

Biggest difference is microkernelised hypervisors versus monolithic hypervisors.

4. Live Migration

Well, let’s look at this one.  In order to do it with VMware, it’s not as straightforward (oh wait, it’s not mentioned in this review of *one* paragraph) as it seems either.

5. Priority Restart

Seems as though the spin on this paragraph is going down the clustered route not a priority restart route.  He mentions Exchange, IIS, SQL all of which, you don’t want a VM infrastructure to *move*.  You want them highly available via clustering, not a VM management utility or tool…

6. Fault Tolerance

Not sure where this one is heading, but again it seems like he’s letting VMware control the applications, something any good system administrator (see third party software and reliability).

7. Hot Adds

All I need to say is CSV and I don’t mean comma separated values.

8. Third Party Vendor Support

Please list some…Furthermore, I’d ask why (and 9 is maturity) if VMware is so much better, do they need third party products to make their product good?  Hyper-V has SCVMM R2 and that’s all you need, period.

9. Maturity

Sure Hyper-V hasn’t been around long, but you have to admit, it’s gaining ground on VMware at a very fast pace now that the R2 version is out and the “kinks” have begun to be ironed out…

Moral is, it seems this story has a load of FUD in it and that proper research wasn’t done in order to make it impartial.  Next time an article like this is written, maybe it should be prefaced with the caveat the author is a VMware addict or seems to be trying to have it out for Microsoft Hyper-V, for whatever reason that might be.
