What to do when a Microsoft patch won’t install

Every once in a while, when you push patches for a living, you come across a time when a Microsoft patch won’t install. This is one of those times, and here’s what I did to fix it.

So, Microsoft KB947742, an old .NET 1.1 fix, refused to install on one of the servers at work. When I ran the executable, all it did was pop up the window showing the Windows Installer switches or parameters. Searching Google turned up a number of people having the problem, but no solutions that worked, although reinstalling the .NET 1.1 Framework and the latest version of the Windows Installer are always good ideas when you run into weird problems. .NET 1.1 is extremely fragile anyway, and reinstalling it along with all applicable hotfixes has worked for me in the past to resolve weird issues, such as permissions issues showing up in the security log. Or .NET applications just suddenly not running anymore, even though they ran just fine yesterday.

I tried everything I could think of and finally stumbled on a solution. I have absolutely no idea why this works. First, I opened a command line, changed into the directory where I had stored the patch, and I ran the following command:

NDP1.1sp1-kb947742-x86.exe /extract .\947742

This extracts the update to a directory called 947742. Inside that directory, I found a single file, named NDP1.1sp1-kb947742-x86.msp. When I double-clicked on the file from Windows Explorer, it installed.

I’ve applied this patch on more than 100 servers and I recall only having the problem on one of them. And, oddly, all other .NET patches and for that matter all other recent Microsoft updates apply to this machine just fine.

I suppose the same fix could work on other Windows updates that supply only a window full of switches instead of installing, or other weird installation issues. It’s worth a shot if nothing else works and you can’t (or would rather not) open a support case with Microsoft.

This is a strange case. If you’re running WSUS or (better yet) Shavlik Netchk and a patch refuses to install, try logging in, downloading and running the offending patch manually and note any error messages. Maybe, just maybe, this fix will help you. Or better yet, maybe the patch will tell you what you need to fix, but don’t count on it.

When absurdity strikes, try extracting the patch and poking around inside, like I did in this case.

How to secure your wi-fi router

It’s not enough to know what to look for in a router. I wanted to get some solid advice on wi-fi network security. Who better to give that advice than someone who built an airplane that hacks wi-fi? So I talked to WhiteQueen at http://rabbit-hole.org, the co-builder of a wi-fi hacking airplane that made waves at Defcon.

Hacker stereotypes aside, WhiteQueen was very forthcoming. He’s a white hat, and I found him eager to share what he knows.

Tagged!

I’ve only wanted tags for about 10 years. Tags are little keywords you can use to help categorize blog posts. And the first blog I ever saw use them used them liberally. You’d read a post, and at the bottom, there were links to similar posts.

I found a way to make WordPress automatically tag all 1800+ posts here. Many of the tags are nonsensical, but they seem to work. I’m finding all sorts of related content all of a sudden. Which makes sense, seeing as I tend to write about maybe 20 different things over and over. Due to the many migrations I’ve made with this blog, much of my content was never categorized, let alone anything else. Now it’s all cross-referenced. Finding related content is easy. Depending on the age of the related content, it’s not always enlightening, but often it is.

So I hope you like it. I know I do. Suddenly it’s far, far easier for me to find stuff on my own blog. And I wrote all this stuff. If I didn’t know it was all there, then how will anyone else?

Blocking malware at the operating system level

In recent months I’ve been recommending that everyone run Adblock Plus with the malware domains subscription, to get extra protection beyond what your antivirus/antispyware suite can give. Given a choice between detecting and blocking bad stuff, or not downloading it at all, it’s much better to not download it at all.

There are some downsides to this. Adblock Plus uses a fair bit of memory. It’s tolerable on my desktop PC with 2 GB of RAM, but less so on my netbook with 1 GB of RAM. And if you have to use a browser that doesn’t have a compatible version of Adblock Plus available, you’re unprotected.

The solution is to block at the operating system level, using the hosts file.

Here’s a script that does it, with instructions.
http://www.ericphelps.com/scripting/samples/Hosts/index.htm

But I know of one malware site list that his script doesn’t use: http://www.malwaredomainlist.com/hostslist/hosts.txt.
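
A downloaded hosts-format list should not be appended to the hosts file as-is, because any line in it can map a name to an arbitrary address. The sketch below is an added example (not from this post or the linked script) that keeps only sink-address entries with valid hostnames and writes them into a marked block so a rerun replaces the old entries; the marker strings and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the linked script.
# Marker strings and function names are assumptions made for this sketch.
BEGIN_MARK='# BEGIN malware-blocklist'
END_MARK='# END malware-blocklist'

# sanitize_hosts: read a hosts-format list on stdin, print safe block entries.
sanitize_hosts() {
    tr -d '\r' | awk '
    {
        sub(/#.*/, "")                       # drop comments
        if (NF < 2) next
        # Accept only entries that point at a sink address. Anything else
        # would redirect the name instead of blocking it.
        if ($1 != "127.0.0.1" && $1 != "0.0.0.0") next
        for (i = 2; i <= NF; i++) {
            h = tolower($i)
            # Never override names the local machine depends on.
            if (h == "localhost" || h == "localhost.localdomain") continue
            # Require a syntactically valid, dotted hostname.
            if (length(h) > 253) continue
            if (h !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) continue
            if (!(h in seen)) { seen[h] = 1; print "0.0.0.0 " h }
        }
    }'
}

# merge_blocklist HOSTS_FILE LIST_FILE: print the new hosts content to stdout.
# Lines outside the marked block are kept; the block itself is regenerated.
merge_blocklist() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip' "$1"
    echo "$BEGIN_MARK"
    sanitize_hosts < "$2"
    echo "$END_MARK"
}

# Demo on constructed input; nothing here touches the real hosts file.
demo_dir=$(mktemp -d)
printf '127.0.0.1 localhost\n' > "$demo_dir/hosts"
cat > "$demo_dir/list" <<'EOF'
# constructed sample list
127.0.0.1  localhost
127.0.0.1  bad.example.test
203.0.113.7  bank.example.test
0.0.0.0  BAD.example.test  second.example.test  # duplicate plus a new name
127.0.0.1  not_a_host!
EOF
merge_blocklist "$demo_dir/hosts" "$demo_dir/list"
```

Review the output before copying it over the real hosts file, and keep a backup of the original.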

How I changed servers midstream

When upgrading this site, I replaced the underlying hardware as well. The old server was just a dead end in too many regards to be worth upgrading in place, and besides, being able to run new and old side by side for a time is helpful.

This type of maneuver is routine work for a professional sysadmin. But it’s been at least two years since I’ve done a similar maneuver at all, and at least five years since I did it with Linux.

When I built the new machine, I gave it a unique IP address. Turnkey Linux makes getting an operational LAMP stack trivial, and depending on what you want to run on that stack, you may even be able to get that installed for you too.

Unfortunately for me, the Geeklog migration tool doesn’t seem to work with WordPress 3.0.1. So I had to get WordPress running on my old hardware in order to migrate. I chose WordPress 2.0.11 because the 2.0 branch appeared to be the current branch when Justdave wrote his migration tool, and 2.0.11 ran without complaint on the dated versions of PHP and MySQL that were on my old server.

After importing the content, I used mysqldump to export my databases. Specifically:

mysqldump --opt -u [mysql username] -p [database name, probably wordpress] > wordpress.sql

I should have gzipped the file, but I didn’t.

gzip wordpress.sql

I then connected to the old server via FTP and transferred the file. Use your favorite file transfer method; I happened to have FTP set up for my internal network.

Uncompress the file if you compressed it:

gunzip wordpress.sql.gz

Then restore the file:

mysql -u [mysql username] -p [database name] < wordpress.sql

Or, if the database already exists, like in my case:

mysqlimport -u [uname] -p [database name] wordpress.sql

Then I connected to the webserver via my web browser. WordPress 3.0.1 saw the WordPress 2.0.11 database and informed me that it needed to be upgraded. So I let it do its thing, and a few minutes later, I had a functioning WordPress site with 10 years’ worth of legacy entries.
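
A dump that was cut short or damaged in transfer can still import part of the way and leave a half-populated database. As an added example (not from the original post), the functions below record a SHA-256 checksum beside the compressed dump on the old server and check it, the gzip stream and mysqldump's closing comment on the new server before the restore; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are assumptions.
# Needs sha256sum (GNU coreutils), gzip, tail and grep.

# seal_dump FILE.gz : run on the old server after gzip.
# Writes FILE.gz.sha256 next to the dump, using a relative name so the
# checksum file still verifies after both files are copied elsewhere.
seal_dump() {
    ( cd "$(dirname "$1")" && b=$(basename "$1") && sha256sum "$b" > "$b.sha256" )
}

# verify_dump FILE.gz : run on the new server before restoring.
# Returns 0 if usable, 1 missing or empty, 2 checksum mismatch or no
# checksum file, 3 damaged gzip stream, 4 dump ended before mysqldump finished.
verify_dump() {
    f=$1
    [ -s "$f" ] || return 1
    ( cd "$(dirname "$f")" && sha256sum -c "$(basename "$f").sha256" >/dev/null 2>&1 ) || return 2
    gzip -t "$f" 2>/dev/null || return 3
    # mysqldump writes "-- Dump completed" as its last comment line unless
    # comments are disabled, so its absence means a partial dump.
    gzip -dc "$f" | tail -n 5 | grep -q '^-- Dump completed' || return 4
    return 0
}

# Demo with a constructed dump (not real data).
d=$(mktemp -d)
printf '%s\n' 'DROP TABLE IF EXISTS `wp_posts`;' 'CREATE TABLE `wp_posts` (ID int);' \
    '-- Dump completed on 2010-10-06 12:00:00' > "$d/wordpress.sql"
gzip "$d/wordpress.sql"
seal_dump "$d/wordpress.sql.gz"
if verify_dump "$d/wordpress.sql.gz"; then
    echo "dump verified; safe to gunzip and restore"
fi
```

The checksum catches corruption such as a truncated or mangled transfer; it does not authenticate the file against someone who can alter both the dump and the checksum.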

I messed around with it for a while. Finally, I decided to go live. And at this point, I should have physically moved the new server into its permanent home. I didn’t do that, so now when I decide to move the server, I’m going to have some downtime.

To flip the IP addresses, you need to know where your Linux box stores its IP address. Debian and Ubuntu both store it in /etc/network/interfaces. As far as I can tell, Red Hat and derivatives like CentOS store it in /etc/sysconfig/network-scripts/ifcfg-eth0, but I haven’t used Red Hat or a derivative in a long time, perhaps 2003.

If worst comes to worst, try something like this to determine where it’s stored:

grep -r [ip address] /etc/

I edited the appropriate file on both boxes, changing the IP address while leaving all of the other parameters unchanged.

I then issued the command ifdown eth0 on both machines.

On my new production server, I then issued the command ifup eth0. Depending on the Linux distribution, it might also be necessary to re-issue a default route command. I didn’t have to do that.

Depending on how much Linux/Unix cred you have at stake, you could just do it the Windows way and reboot the box. Or both of them.

Once I was satisfied everything was working, I powered down the old server and celebrated.

Weekly roundup: 6 Oct 2010

I used to do a weekly roundup every so often, just doing short takes on stuff that interested me as I found it. I haven’t done that in years; I thought I’d give it a whirl again. I don’t know how often I’ll do it, but it was fun.

Ars Technica says Intel’s neutral stance on Atom in servers is a mistake. Absolutely. A dual-core Atom gives plenty of power for infrastructure servers like Active Directory DCs, print servers, and other similar roles. Atoms could even handle many web server tasks.

Xeons are appropriate for database servers and application servers, but throwing them at everything is severe overkill. A lot of server tasks are more disk-bound or network-bound than CPU-bound.

I worked in a datacenter facility for several years that was literally at half capacity, physically. But they didn’t have enough power or cooling capacity to add much more to it.

The only way anything can be added there is to take something away first. Right-sizing servers is the only way to fix that. If they would yank a Xeon, they’d be able to replace it with several Atom-based servers and get a net gain in functionality per square foot and BTU.

Virtualization, a la VMware, is an option, but one isn’t necessarily a drop-in replacement for the other.

Or, of course, Intel can sit back and wait for ARM to come in and save the day. ARM provides even more functionality per watt. And even though ARM doesn’t run Windows, it does run Linux, and Samba has reached the point where it can stand in for an Active Directory domain controller.

Is there a market out there for a domain controller that fits in a package the size of a CD/DVD drive and consumes less than 20 watts? I’m sure there is. And if Intel doesn’t want to deliver it, ARM and its partners can.

There may be some resistance to ARM, since some decision makers are nervous of things they haven’t heard of, but it should be possible to overcome that. Maybe you haven’t heard of ARM, but guess what? Do you have a smartphone? It has an ARM CPU in it. That PDA you carried before you had a smartphone? It had an ARM CPU in it. It’s entirely possible that your consumer-grade network switch at home has one in it too. Not your router, though. That’s probably MIPS-based. (MIPS is another one of those scary RISC CPU architectures.)

Put a solid operating system on an ARM CPU, and it can run with anything. I have ARM devices that only reboot when the power goes out. If it weren’t for tornado and thunderstorm season causing the power to hiccup, those devices could run for years without a reboot or power-down.

And speaking of ARM, I have seen the future.

Pogoplug is an ARM-based appliance for sharing files. You plug it in, plug USB drives into it, and share files on your home network and the Internet with it. At least, that’s how it’s marketed. But you can hack it into a general purpose Linux box.

Inside, there’s a 1.2 GHz ARM CPU, 256 MB of RAM, and another 256 MB of flash memory. Not a supercomputer, but that’s enough power to be useful. And it’s tiny, silent, and sips power. You can plug it in, stash it somewhere, and it’ll never remind you that it’s there.

I’ve actually considered picking up a Pogoplug or two (they go on sale for $45 occasionally, and the slightly less powerful Seagate Dockstar is available for about $30 when you can find them) to run this web site on. Considering how surprisingly well WordPress runs on a 450 MHz Pentium II with 128 MB of RAM (don’t ask me how I know), I think a Pogoplug could handle the workload.

What stops me? I can build an Atom-based PC for less than $150, depending on what I put in it, and run Turnkey Linux on it. Under a worst-case scenario, Turnkey Linux installs in 15 minutes, and it doesn’t take me any longer than that to drop a motherboard and hard drive into a case. So I can knock together an Atom-based webserver in 30 minutes, which is a lot less time than it would take me to get the LAMP stack running on an ARM system.

But if I had more time than money, I’d be all over this.

A device similar to this with an operating LAMP stack on it ready to go is probably too much to ask for. A ready-to-go image running the LAMP stack, similar in form to the DD-WRT or Tomato packages that people use to soup up their routers, might not be. I think it’s a good idea but it isn’t something I have time to head up.

I don’t think I’ve mentioned Turnkey Linux before. I’ve played with it a little, and I’m dead serious that it installs in 15 minutes or less. Installing off a USB flash drive, it might very well install in five.

And it’ll run pretty happily on any PC manufactured this century. More recent is better, of course, but the base requirements are so modest they aren’t worth mentioning.

I’ve built dozens of Linux servers, but this is fantastic. Spend a few minutes downloading an image, copying it onto installation media, and chances are the installation process will take less time than all of that does.

It’s based on Ubuntu LTS, and comes in literally 38 flavors, with more to come after the next refresh is done.

They haven’t built their collection based on the current version of Ubuntu LTS yet because they’ve been distracted with building a backup service. But that’s OK. Ubuntu 8.04.3 still has a little life left in it, and you can either do a distribution upgrade after the initial install, or build a new appliance when the new version comes out and move the data over.

And if Ubuntu isn’t your thing, or you really want 10.04 and you want it now, or worse yet, Linux isn’t your thing, there’s always Bitnami (bitnami.org).

Linux appliances took a little while to get here, but they’re here now, and they work.

What to look for in a router

I revisit the topic of what to look for in a router every six or seven years. As important as it always was, I think it’s even more important today, as there are a number of underpowered routers on the market and it’s best to avoid them.

This post originated in 2010. I revised it for 2017 needs, and by the time I was done, I’m not sure much of my 2010 text was left. But that’s OK.

Working for Canonical doesn’t make you pro-Free Software?

Stuart Langridge works for Canonical. Canonical produces Ubuntu, a popular Linux distribution. Apparently, this means he favors proprietary software in some people’s minds.

Yes, this is the same Ubuntu Linux you can download freely. You can make copies of it and sell them, legally. You can modify it, if you have the ability and inclination. Just setting the record straight.

Canonical does what it has to do to get Linux working well on your computer. And it succeeds rather nicely. If a computer can run Windows XP or newer, it can run Ubuntu, and installing Ubuntu will be easier than installing Windows in many cases. The computer this website runs on was built on a variant of Ubuntu, and it literally took longer to burn the CD than it took to run the installation. It blew my mind.

This is a case of software being like religion.

I am Lutheran. Almost militantly so, to the annoyance of some people who know me. I break from the traditional Lutheran camp in two regards: favoring music in the service that was written during my lifetime, and not being uptight enough about doctrine. I take the concept of grace alone, faith alone very seriously, and to an outsider, that plus the Lutheran definition of grace–God’s riches at Christ’s expense–is enough to make you Lutheran. That’s good enough for me. Some vocal Lutherans expect you to be able to recite precisely what makes John Calvin a heretic. I neither know nor care about that. I read the Bible, in its entirety, and concluded that Calvin puts certain responsibilities on you, a human being, that Luther puts on God. Since I believe that God is more reliable than me, I concluded that the Lutheran view is safer. I believe that ought to be enough.

The big question is whether I care if I’m Lutheran enough for some people. And the answer is no, I do not. I just ignore the rants about heresy that I see on Facebook, or better yet, stay off Facebook for long stretches at a time, and go about my business.

I guess that’s easier said than done in the Free Software community. There are a lot more witch hunters in that group. I suppose the people who can’t write working code try to make up for it by concentrating on ideology, or something like that. I do know it’s a whole lot easier to crusade for ideology than to write code.

The silent majority of people just want a system that works. They don’t want to hunt down drivers and compile them, or spend hours editing configuration files. I can’t tell you how many e-mail messages I received over the years from people who tried the most popular Linux distribution of the time, ran into difficulty, and gave up. (It’s one reason my e-mail address isn’t on this site anywhere anymore.) Even if the problem was something I could answer relatively easily, they just gave up and installed Windows instead. In their minds, if Dave Farquhar knows how to make that work, then whoever made that particular Linux distribution ought to make it work automatically. And they have a point.

So if Ubuntu installs a driver or some other low-level code that isn’t completely Richard Stallman-approved, the majority of people really don’t care. They’re happy it works. If their freedoms are infringed upon, they don’t know it.

I’ve said before that I could re-train my mother to use Linux. In fact, she could probably get all of her work done in Linux and emacs, and I’m sure John the Baptist Richard Stallman would be absolutely thrilled. But it would take her several years to learn the nuances of emacs, and some of her job duties would take much longer. Perhaps she wouldn’t mind occasionally spending hours to do something that can be accomplished in minutes using a more specialized, albeit proprietary, tool. In the end, when she’s a master of emacs, I’ll be able to tell her that she’s free. And she’ll tell me, “It wasn’t worth it.” Or, if she’s feeling a little more reasonable, she’ll throw something at me.

It’s easier said than done. But perhaps when the witch hunters come knocking, it would help to ask them if they had anything better to do?

After all, he could be a total sell-out like me. In my job, I’ve recommended Linux-based solutions when appropriate, but I spend the overwhelming majority of my time supporting things that run on Windows. Perhaps they would prefer he do that.

But I wouldn’t. I really like the work Canonical is doing.

And we have safely arrived in the 21st century.

It wasn’t the smoothest of transitions, but it went a whole lot better than it could have. I’ve moved the venerable Silicon Underground, with its nearly 1,800 posts spanning a little over a decade, to WordPress 3.0.1.

This blog’s been pretty stale for a long time. Some of that is due to the software. Some of it’s my fault. Blogging software has really advanced a lot in the last few years, and the software I’ve been using since 2004 was a bit behind the curve even then. In its defense, in 2004 nothing could do everything I wanted, and the system I chose was one of the few that required login and authentication, which I desperately needed in order to stop spam. But then registration broke, and I didn’t fix it, which meant only longtime readers could comment.

For commenting, we’re going back to username and e-mail address with optional URL, and with some spam analysis tools hopefully filtering out the spam. Users are moderated until their second comment, which will help take care of the trolls. Comments containing multiple hyperlinks automatically go to moderation. And comments will be closed after some period of time, probably 14 days. Discussions usually go downhill as time goes on.

Will I post more now that it’s easier? Probably.

Modern blogs can interact with one another; mine was always an island. Now I can trackback and pingback like everyone else, which will probably prove useful.

I’m sure I’ll be making changes for a while, but this is a big improvement.

I’d like to thank Steve D. and Rich P. (you know who you are) for their help with the migration. It only took me what, three years to go through with it? Four? And then it ended up taking about two hours of real work, if that, spread out over the course of a couple of weeks.