I just had a user call me to complain that he was getting the same email over and over and had received over a thousand over night. The message is a legitimate message from an actual employee of one of our business partners. The sender sent the message last night, and we have received it about once every minute since then. I just looked at our spam firewall, and it is showing me that the sender’s SMTP server is connecting to it every minute or so and sending another copy of the message. I blocked the sender’s email address at the spam firewall, so at least my user won’t get anymore. We’re getting in touch with the sender to let them know their mail system is malfunctioning. Hopefully they’ll be able to stop it. Since I set the firewall to block the sender’s mail address a little while ago, the firewall has blocked 22 copies of the message.
It’s very weird, and I’ve never seen it happen before. According to my logs, the sender used Microsoft Outlook, Build 10.0.6626, and there a Postfix server in the sender’s outgoing mail path, but there’s no real indication of where the source of the problem is. Fun and games.
Yesterday I wrote an article about using Syslog-NG as a centralized loghost on SUSE Linux, and how to configure SUSE Linux machines to log to the loghost. I emailed it to Novel Cool Solutions last night. This morning, this article showed up in my news aggregator, posted on Linux Today, about using Syslog-NG as a centralized log host on Debian. Due to the approximately one-week turnaround on CoolSolutions, my article will be published after this one, which will end up making mine seem like somewhat of a rip-off. Dang it!
Caveat: I don’t use Windows on my desktop machines, and haven’t since 2003, and I work mostly with Linux and NetWare on the server side, with some Solaris and Windows servers thrown into the mix.
I am constantly perplexed with people who love Windows. It costs a lot of money. It is riddled with viruses and spyware. Normal people can’t maintain it and to keep it stable you have to reinstall it every six months. It doesn’t come with anything useful out of the box, and by the time you have everything you need (an office suite, photo manager, PDF reader and writer, proper web browser (with plugins), mp3 player, CD burner, personal organizer, email program, flash player, quicktime player, proper text editor, C compiler and other developer tools, etc. etc., you’ve spent another $1,000, and downloaded a gigabyte or two of stuff (plus wasted hours of time). Don’t forget that you need to install 500 patches and reboot after each one. Also, don’t forget about the constant virus scanner updates, disk defragging, adware scanning, and all that nonsense. But, I digress (I guess I’d better assign this post to the “Rant” category).
Anyways, one of the big problems with Windows is that it is so insecure and vulnerable to security exploits. Many people think that this is because it is developed in a closed source model. While I think that closed development prevents a lot of opportunity for bug-finding and security-hole fixing, I think one of the other major reasons Windows is so vulnerable is that Microsoft is forced by the market to maintain backwards compatibility with ancient software. If Microsoft does something that breaks compatibility of existing applications, but increases the security of the platform, they get raked over the coals. They walk a fine line between keeping everything as secure as they can (which isn’t very) and preventing the applications of thier customers from breaking. For example, the new Vista feature of using less privileged users without administrator privileges will fail, because many applications don’t work properly unless the users running them have administrator privileges, and users will rebel if they are continuously asked for permission by an application that needs administrator privileges. This causes all kinds of security issues. I won’t talk about how Microsoft got into that conundrum, as that isn’t the point of this post.
The point of this post is that I think that the commoditization of virtualization in modern hardware and software is an opportunity for Microsoft to drastically improve security in Windows version Vista + 1, without breaking compatibility with older applications that require older insecure APIs and features in the operating system. After the prolonged ranting above, the conclusion is fairly short. Microsoft could re-architect the version of Windows that comes after Vista to have a hardened secure core, with tightly secured APIs, with concepts like Least User Privilege, and all the modern thinking that has been done about secure operating systems. This core could drop all legacy compatibility completely. New Windows applications could be written around this new secure core, and Windows would be much better off going forward. At the same time, Microsoft could implement a sort-of sandboxed compatibility layer (or layers) for applications that were written for older versions of Windows, using virtualization. A Windows desktop could have it’s secure core running with non-legacy applications, and one or more virtual machines, that were logically isolated from the core, running the old less-secure Win32 APIs that would allow older applications to run. The applications could be isolated from the core and from each other, preventing a security compromise in an old application from compromising the whole system. This approach would give Microsoft’s customers time to migrate to the new more secure Windows architecture at their own pace, while still being able to maintain legacy applications, and have the benefits of a more secure environment.
Most of this isn’t a new idea. Apple produced a compatibility layer called Rosetta when they came out with OSX, to allow older Macintosh applications to work. Unfortunately from everything I’ve read, that compatibility layer was very slow. The new part of this idea is to use virtualization to provide a fully functional virtual machine to run the compatibility layer in. This would have the effect of drastically improving the performance of the compatibility layer, as opposed to writing it as a dynamic old-API-to-new-API translator, like Apple’s Rosetta. It would also simplify the isolation of the compatibility layer from the secure core. Also, if Microsoft uses virtual machines to host the compatibility layer, then the compatibility layer is already written. It’s called Windows Vista. They would just have to strip out unneeded parts, so that it just provided the facilities necessary to run legacy apps, and away they could go.
This is my million dollar idea of the day.
I have a Blackberry 7250 from Telus as my phone and PIM device. I got it for free via a promo at Brainshare last year, but I haven’t been using it because I had a perfectly good Motorola phone, and a Palm Zire 71, which I was happy with so the Blackberry with it’s higher monthly data fees seemed unnecessary.
In the mean time, I got an iPod, which had me carrying three devices, and my old phone died, and then my Zire 71 died. I decided to activate the Blackberry on my account and use that as my phone and PIM.
I had that working fine, and got mail working on it and so forth, but since I’m a Linux user I haven’t been able to connect to my PC to back up the settings in the Blackberry. I use VMware Server for all kinds of stuff so I decided to use that to run a Windows 2000 virtual machine, and connect it to my Blackberry to enable me to upgrade the Blackberry firmware and back up the handheld.
I’m running OpenSUSE 10.1 as my Desktop OS, and I have a Windows 2000 workstation VM already built, so I downloaded the Blackberry desktop software into the VM and installed it. Then I connected the Blackberry to the host, and clicked the VM / Removable Devices / USB menu to tell VMware to connect the Blackberry to the VM. The menu showed Empty, instead of the expected Blackberry Device.
I then went searching and found this knowledgebase article in the VMware Technology Network Knowledgebase, which explains that you need to have the usbfs filesystem mounted, which SUSE Linux doesn’t do automatically. A quick su followed by mount -t usbfs none /proc/bus/usb got that mounted. I then rebooted my VM, and the Blackberry device appeared on the USB menu.
I connected the Blackberry device to the VM, and the Blackberry desktop application started up and I was away. I updated its firmware, backed up its contents, and it all worked flawlessly.
Our 2006 Techshare, the 3-day network administrator training session we do every year, has successfully concluded. Of particular interest were the vendor presentations of Lenovo and HP on business workstation manageability. It is uncanny how similar their offerings are, but I think the Lenovo manageablity stuff might fit better with our Novell Zenworks solution. I also far prefer Lenovo Thinkpad keyboards. I was never unhappy while I had an HP laptop, but once I got my first Thinkpad I found out what I was missing. Keyboards are all-important to touch-typists, and I prefer a standard layout that is the same on all laptops, and as similar as possible to a full-size keyboard. HP doesn’t come close to Lenovo in that respect.
Anyways, everybody learned something and some people learned a lot. We also took the opportunity to do some training on our Polycom video conferencing stuff, and we sent Nancy from Lethbridge back to the Lethbridge office with a full Polycom sytem all preconfigured and ready to go.
James and I brought the Bladecenter to the colocation last night. We set it up in the staging area for the night for a burn-in period. This morning we installed it in our rack, obtaining the usual forearm and hand cat-scratch injuries you always get when manoevering heavy sharp-edged server chassis. This afternoon we have reconfigured the 9 servers and 8 virtual machines and the management infrastructure pieces to the new addressing scheme for the colocation, and now I just have to reboot the Windows virtual machines for Vision a half a dozen more times or so and we’ll be done. It went pretty well.
After weeks of negotiations and months of construction delays, our hosting provider has finally installed 220 VAC power into our rack space where we colocate some of our IT services. With that finally ready, we can move the IBM Bladecenter that I’ve been working with for the past several months into the colocation site, along with it’s multi-terabyte IBM SAN. It’s the first step in production deployment for three critical services for us: Our new financial management system, our GroupWise 7 SP1 upgrade, and our second off-site backup system.
We’ve been preparing for ages, and it’s going to be nice to finally get the system installed in its new home. I’m particularly looking forward to being able to start the GroupWise 7 upgrade. That will be a big undertaking, and we’re doing comprehensive user training at the same time that we roll out the GW 7 client to our users. GroupWise 7 has some nice features that will make managing GroupWise easier for us and avoid another space incident, plus a lot of great improvements in the client that will really help our users be more productive.