Scott’s Blog

I just had a user call me to complain that he was getting the same email over and over and had received over a thousand over night. The message is a legitimate message from an actual employee of one of our business partners. The sender sent the message last night, and we have received it about once every minute since then. I just looked at our spam firewall, and it is showing me that the sender’s SMTP server is connecting to it every minute or so and sending another copy of the message. I blocked the sender’s email address at the spam firewall, so at least my user won’t get anymore. We’re getting in touch with the sender to let them know their mail system is malfunctioning. Hopefully they’ll be able to stop it. Since I set the firewall to block the sender’s mail address a little while ago, the firewall has blocked 22 copies of the message.

It’s very weird, and I’ve never seen it happen before. According to my logs, the sender used Microsoft Outlook, Build 10.0.6626, and there a Postfix server in the sender’s outgoing mail path, but there’s no real indication of where the source of the problem is. Fun and games.

Yesterday I wrote an article about using Syslog-NG as a centralized loghost on SUSE Linux, and how to configure SUSE Linux machines to log to the loghost. I emailed it to Novel Cool Solutions last night. This morning, this article showed up in my news aggregator, posted on Linux Today, about using Syslog-NG as a centralized log host on Debian. Due to the approximately one-week turnaround on CoolSolutions, my article will be published after this one, which will end up making mine seem like somewhat of a rip-off. Dang it!

Caveat: I don’t use Windows on my desktop machines, and haven’t since 2003, and I work mostly with Linux and NetWare on the server side, with some Solaris and Windows servers thrown into the mix.

I am constantly perplexed with people who love Windows. It costs a lot of money. It is riddled with viruses and spyware. Normal people can’t maintain it and to keep it stable you have to reinstall it every six months. It doesn’t come with anything useful out of the box, and by the time you have everything you need (an office suite, photo manager, PDF reader and writer, proper web browser (with plugins), mp3 player, CD burner, personal organizer, email program, flash player, quicktime player, proper text editor, C compiler and other developer tools, etc. etc., you’ve spent another $1,000, and downloaded a gigabyte or two of stuff (plus wasted hours of time). Don’t forget that you need to install 500 patches and reboot after each one. Also, don’t forget about the constant virus scanner updates, disk defragging, adware scanning, and all that nonsense. But, I digress (I guess I’d better assign this post to the “Rant” category).

Anyways, one of the big problems with Windows is that it is so insecure and vulnerable to security exploits. Many people think that this is because it is developed in a closed source model. While I think that closed development prevents a lot of opportunity for bug-finding and security-hole fixing, I think one of the other major reasons Windows is so vulnerable is that Microsoft is forced by the market to maintain backwards compatibility with ancient software. If Microsoft does something that breaks compatibility of existing applications, but increases the security of the platform, they get raked over the coals. They walk a fine line between keeping everything as secure as they can (which isn’t very) and preventing the applications of thier customers from breaking. For example, the new Vista feature of using less privileged users without administrator privileges will fail, because many applications don’t work properly unless the users running them have administrator privileges, and users will rebel if they are continuously asked for permission by an application that needs administrator privileges. This causes all kinds of security issues. I won’t talk about how Microsoft got into that conundrum, as that isn’t the point of this post.

The point of this post is that I think that the commoditization of virtualization in modern hardware and software is an opportunity for Microsoft to drastically improve security in Windows version Vista + 1, without breaking compatibility with older applications that require older insecure APIs and features in the operating system. After the prolonged ranting above, the conclusion is fairly short. Microsoft could re-architect the version of Windows that comes after Vista to have a hardened secure core, with tightly secured APIs, with concepts like Least User Privilege, and all the modern thinking that has been done about secure operating systems. This core could drop all legacy compatibility completely. New Windows applications could be written around this new secure core, and Windows would be much better off going forward. At the same time, Microsoft could implement a sort-of sandboxed compatibility layer (or layers) for applications that were written for older versions of Windows, using virtualization. A Windows desktop could have it’s secure core running with non-legacy applications, and one or more virtual machines, that were logically isolated from the core, running the old less-secure Win32 APIs that would allow older applications to run. The applications could be isolated from the core and from each other, preventing a security compromise in an old application from compromising the whole system. This approach would give Microsoft’s customers time to migrate to the new more secure Windows architecture at their own pace, while still being able to maintain legacy applications, and have the benefits of a more secure environment.

Most of this isn’t a new idea. Apple produced a compatibility layer called Rosetta when they came out with OSX, to allow older Macintosh applications to work. Unfortunately from everything I’ve read, that compatibility layer was very slow. The new part of this idea is to use virtualization to provide a fully functional virtual machine to run the compatibility layer in. This would have the effect of drastically improving the performance of the compatibility layer, as opposed to writing it as a dynamic old-API-to-new-API translator, like Apple’s Rosetta. It would also simplify the isolation of the compatibility layer from the secure core. Also, if Microsoft uses virtual machines to host the compatibility layer, then the compatibility layer is already written. It’s called Windows Vista. They would just have to strip out unneeded parts, so that it just provided the facilities necessary to run legacy apps, and away they could go.

This is my million dollar idea of the day.

I have a Blackberry 7250 from Telus as my phone and PIM device. I got it for free via a promo at Brainshare last year, but I haven’t been using it because I had a perfectly good Motorola phone, and a Palm Zire 71, which I was happy with so the Blackberry with it’s higher monthly data fees seemed unnecessary.

In the mean time, I got an iPod, which had me carrying three devices, and my old phone died, and then my Zire 71 died. I decided to activate the Blackberry on my account and use that as my phone and PIM.

I had that working fine, and got mail working on it and so forth, but since I’m a Linux user I haven’t been able to connect to my PC to back up the settings in the Blackberry. I use VMware Server for all kinds of stuff so I decided to use that to run a Windows 2000 virtual machine, and connect it to my Blackberry to enable me to upgrade the Blackberry firmware and back up the handheld.

I’m running OpenSUSE 10.1 as my Desktop OS, and I have a Windows 2000 workstation VM already built, so I downloaded the Blackberry desktop software into the VM and installed it. Then I connected the Blackberry to the host, and clicked the VM / Removable Devices / USB menu to tell VMware to connect the Blackberry to the VM. The menu showed Empty, instead of the expected Blackberry Device.

I then went searching and found this knowledgebase article in the VMware Technology Network Knowledgebase, which explains that you need to have the usbfs filesystem mounted, which SUSE Linux doesn’t do automatically. A quick su followed by mount -t usbfs none /proc/bus/usb got that mounted. I then rebooted my VM, and the Blackberry device appeared on the USB menu.

I connected the Blackberry device to the VM, and the Blackberry desktop application started up and I was away. I updated its firmware, backed up its contents, and it all worked flawlessly.

Our 2006 Techshare, the 3-day network administrator training session we do every year, has successfully concluded. Of particular interest were the vendor presentations of Lenovo and HP on business workstation manageability. It is uncanny how similar their offerings are, but I think the Lenovo manageablity stuff might fit better with our Novell Zenworks solution. I also far prefer Lenovo Thinkpad keyboards. I was never unhappy while I had an HP laptop, but once I got my first Thinkpad I found out what I was missing. Keyboards are all-important to touch-typists, and I prefer a standard layout that is the same on all laptops, and as similar as possible to a full-size keyboard. HP doesn’t come close to Lenovo in that respect.

Anyways, everybody learned something and some people learned a lot. We also took the opportunity to do some training on our Polycom video conferencing stuff, and we sent Nancy from Lethbridge back to the Lethbridge office with a full Polycom sytem all preconfigured and ready to go.

James and I brought the Bladecenter to the colocation last night. We set it up in the staging area for the night for a burn-in period. This morning we installed it in our rack, obtaining the usual forearm and hand cat-scratch injuries you always get when manoevering heavy sharp-edged server chassis. This afternoon we have reconfigured the 9 servers and 8 virtual machines and the management infrastructure pieces to the new addressing scheme for the colocation, and now I just have to reboot the Windows virtual machines for Vision a half a dozen more times or so and we’ll be done. It went pretty well.

After weeks of negotiations and months of construction delays, our hosting provider has finally installed 220 VAC power into our rack space where we colocate some of our IT services. With that finally ready, we can move the IBM Bladecenter that I’ve been working with for the past several months into the colocation site, along with it’s multi-terabyte IBM SAN. It’s the first step in production deployment for three critical services for us: Our new financial management system, our GroupWise 7 SP1 upgrade, and our second off-site backup system.

We’ve been preparing for ages, and it’s going to be nice to finally get the system installed in its new home. I’m particularly looking forward to being able to start the GroupWise 7 upgrade. That will be a big undertaking, and we’re doing comprehensive user training at the same time that we roll out the GW 7 client to our users. GroupWise 7 has some nice features that will make managing GroupWise easier for us and avoid another space incident, plus a lot of great improvements in the client that will really help our users be more productive.

I went to Friday night’s The Who concert at Rexall Place. All I can say is, it was awesome. I almost missed the boat when the tickets went on sale, and didn’t have time to find someone else willing to pop for a $100 CDN ticket, so I went by myself. My buddy Reagan went with a friend of his, and I saw him there, but we were far apart, with me in the 11th row at Pete Townshend’s side of the stage, and him in the 12th row on the floor. We IMed each other a few times during the show on our smartphones, but never managed to hook up through the crowds.

Photo from the Winnipeg Sun
Anyways, the show was amazing and it was almost surreal to see Pete Townshend and Roger Daltrey in person. They have so much stage presence that they seem larger than life. I’m really mostly speechless about how it felt to hear things like “My Generation”, “Behind Blue Eyes”, “I Can’t Explain” and “Eminence Front” performed live by The Who. It is definitely something I’ll never forget. I don’t expect to see those guys back in Edmonton, so I’m very happy I went.

Pete had his share of problems during the concert, mostly with guitars. He used a plethora of guitars to make his signature sounds during the performance, changing to a new instrument almost every song. For some reason, several times his guitar would not work properly, causing him some consternation and holding up the performance. This was mentioned in the various news articles I saw in the Edmonton papers the next day. The thing they didn’t mention was that Pete also seemed to get a big shock from his microphone a couple of times, causing him to jump back suddenly. After the second shock, which occured after their intermission break, he even sat down on a stool that he had used on stage during “A Man in a Purple Dress” and looked a little dazed. The show went on and Pete was a consummate performer regardless, and I can only reiterate: Awesome!

That’s right, our beautiful girl Emily is 10 already. It’s hard to believe for me. It seems only a couple of years ago when she was a little toddler, but on the other hand, I look at photos of her when she was small and I barely recognize her. Now, she’s got legs as long as her mom, and Jenn has about two more years before she’ll be looking up into her daughter’s eyes.

In other news, I’ve been a parent for 10 years! Whoa.

We’re coming up on the ninth annual Techshare at work, where we haul in all our IT people from our subsidiaries, give them too much coffee, subject them to early winter in Edmonton, and spend three days training them and sharing ideas on our IT infrastructure. I hosted the first one a long time ago in 1997, and we’ve done one every year since. This is the third one we’ve done since I started this blog, but I haven’t really written much about Techshare before.

We usually try to get one or two of our main vendors in here to do a session specific to our hardware, and we do sessions on network administration, workstation management, application deployment, equipment purchasing, troubleshooting and stuff like that. We also take the opportunity to let our office people know what’s coming down the pike for new IT initiatives too. It’s usually pretty interesting and entertaining, and it gives everybody a chance to socialize and get to know each other, which helps when they are all trying to deal with the same kinds of problems all the time.

This year Denys, our Edmonton office network guy and training whiz is preparing most of the agenda for Techshare. I just had an IM conversation with him about what I am supposed to be talking about this year, which prompted this blog entry. I was going to post it here too, but thought better of it, as it contained some off colour humour (grin).