What is Winshock?

So the other day I got blindsided with a question at work: What are we doing about Winshock. Winshock, I asked? I had to go look it up, and I found that’s what they dubbed what I’ve been calling MS14-066, the vulnerability in Schannel, which is Microsoft’s implementation of SSL/TLS for Windows.

Based on that, I’d argue it has more in common with Heartbleed than Shellshock, but I guess “Winshock” is catchier than “Winbleed.”

Then the lead of another team asked me to brief his team on Winshock. I actually managed to anticipate all but three of the questions they asked, too, which was better than I expected. Some of what I shared with them is probably worth sharing further.

Read more

Why you need to guard your Backup Exec servers

If you have a Windows domain, there’s a fairly good chance you have Backup Exec servers, because you probably want to take backups. Because you need them. (As a security guy, I no longer care how you get backups; just that you’re getting them somehow.) Backup Exec is a popular solution for that. But there’s a problem.

A security problem, that is. The quality of Backup Exec as a product hasn’t been my problem since 2005. The problem I have with it now is that Backup Exec stores its passwords in a database. The passwords are encrypted, but it’s possible to decrypt the backup copy, if you’re determined enough.

Read more

Using antivirus to deliver a virus

A coworker tipped me off the other day to how it’s possible to use a certain major-brand antivirus to infect a computer. “I didn’t have admin rights,” I overheard him explaining, “So I got them with [redacted] antivirus.”

My head spun around violently. “You did what?

“Google ‘confused deputy persistence,'” he deadbeated. “It’s the first result.” Then he went back to explaining the problem at hand. Read more

ARM exec says: $100 tablets are the key to mass adoption

This week, ARM said what several people seem to have figured out: The key to mass adoption for smartphones and tablets is the $100 price point.

It may happen this year. It’s not hard to find a decently fast $80 Android tablet, but you’ll have to put up with a sub-optimal screen to get it–800×480.
Read more

Microsoft getting into the backup business?

I take issue with this Register story, which says Veritas has a better name in the storage arena than Microsoft.

Enron has a better name in the storage arena than Veritas. Ditto BALCO and FEMA and Michael Jackson and Martha Stewart.

So Microsoft wants to get into the backup business? Good.I gave three of the best years of my life to the shrink-wrapped stool sample that is Backup Exec. I believed, wrongly, that the Constitution protects sysadmins like me from that piece of software in the clause that mentions cruel and unusual punishment.

After that last job put me out with Thursday night’s garbage, one question I always asked on job interviews was what they used for tape backups. Had anyone said Backup Exec, I would have walked out of the room immediately.

Nobody did. That was good. There are still some smart people in the world. My confidence in humanity was somewhat restored.

Microsoft’s offering will no doubt have problems, but when batch files and Zip drives are more reliable than your competition, who cares? Backup software is one area that desperately needs some competition. Microsoft entering with its usual less-than-mediocre offering will force everyone else with their less-than-mediocre offerings to either improve or die, because Microsoft’s offering will be cheaper, and there will be people who will assume that Microsoft’s offering will work better with Windows because nobody knows Windows better than Microsoft. (In this case, that assumption might actually be true.)

What’s wrong with Backup Exec? Ask your friendly neighborhood Veritas sales rep what they’ve done about these issues:

If a Backup Exec job backing up to disk contains both disk and system state data and it’s the second job to run on a given night, it will fail just as certainly as the sun coming up the next morning. Unless they finally managed to fix that bug, but I doubt it. I sure reported it enough times.

Remote backups happening over second-tier switches (D-Link, Linksys, Netgear, and other brands you find in consumer electronics stores) usually fail. Not every time. But more than half the time.

Those are just the problems I remember clearly. There were others. I remember the Oracle agent liked to die a horrible death for weeks at a time. I’d do everything Veritas support told me to do and it’d make no difference. Eventually it’d right itself and inexplicably run fine for a few months.

Maybe competition will fix what support contracts wouldn’t. And if it doesn’t, maybe Backup Exec will die.

And if Backup Exec must die, I want to be part of that execution squad. Remember that scene in Office Space with the laser printer and the baseball bat?

I never thought I’d say this, but now I’m saying it.

Welcome, Microsoft.

Fixing Backup Exec with Hisecweb installed

If you run your web servers on Windows under IIS, you’d better install the Hisecweb security template unless you want to find yourself hosting a warez site.

But Hisecweb breaks Backup Exec. So what do you do when upgrading to Apache and Linux isn’t a solution?The problem is that Hisecweb makes the system state (shadow copy components in Windows 2003) and SQL server not show up in the selection list. Not only does it not show up in the selection list, Backup Exec cannot find the resources. So backups fail, and if you have to restore from them, you won’t have the registry or a number of system files, which vastly reduces the value of your backup.

The solution is to tell Backup Exec not to use null sessions on those components, which seem to be one of the many things disabled by Hisecweb. On the server being backed up, go into Services and disable your Backup Exec Remote Agent. Now, fire up Regedit. Navigate to HKLM\Software\Veritas\Backup Exec\Engine\NTFS and locate the key called Restrict Anonymous Support. Set this value to 1. Close the registry editor and restart the Backup Exec Remote Agent service.

SQL Server and the system state or shadow copy components should now show up in the selection list for the server you just changed.

This registry hack can also fix visibility problems when the two machines are on different sides of a firewall.

Moral Dilemma

I saw the following in one of my Backup Exec failure logs (directory names changed slightly to protect the client’s name, and me):

Directory F:\ITWEB\Flash Stuff\Welcome Page Animations was not found, or could not be accessed.
None of the files or subdirectories contained within will be backed up.

Hmm. Flash animations.I’m torn. My duty to the client who is paying me, of course, is to fix the problem so the file is backed up.

But they’re blinky, annoying Flash animations. Flash, of course, is the third worst thing to ever happen to the Internet, behind popups and spam. OK, it’s the fourth worst thing. I’ll put it behind spam. But I’ll even put it ahead of Microsoft Internet Exploiter.

So an opportunity to snuff out some blinky Flash animations that have been foisted on the world is a great temptation.

Or am I the only one who feels this way about Flash?

Incidentally, I turn off animated GIFs too–I find a Web without animated GIFs and Flash is a much more pleasant place. I don’t know if that makes me boring and extremist or what.

I’ve been messing around with Backup Exec 10

Veritas is trying mightily to unseat Microsoft as my least-favorite software company. I do believe Backup Exec to be the worst piece of software of any kind on the market. In fact, babysitting Backup Exec is the reason I haven’t been around much.

I’m looking to version 10 for some relief (and the much-needed 1.0 quality that Microsoft usually delivers around version 3–when Veritas will deliver it probably is an interesting Calculus problem).The downside to version 10: I’m told there’s no more Windows NT 4.0 support. Can’t back ’em up. I haven’t actually tried installing the remote agent on an NT4 box to see if it’s unsupported as in we-won’t-help-when-it-breaks or unsupported as in no-can-do. Smart businesses hocked their NT4 servers a couple of years ago. I won’t say anything else, except that not every business is smart.

More downside: If a tape fills up and you can’t change it because the server is offsite and/or behind locked doors that require approval from 14 middle managers and a note from your mother to get to, under some circumstances Backup Exec 10 will hang indefinitely while cancelling the job. Version 9 had the same problem. Bouncing the services will usually relieve the hang, but sometimes you have to reboot.

It’s tempting to put Backup Exec and your tape drive on your biggest file server to get faster backups. But trust me, if you put it on a server that’s dedicated to backups–its day job can be as a domain controller or some other task that’s shared by multiple, redundant mahcines–you’ll thank yourself. It’s very nice to be able to reboot your Backup Exec server without giving your seven bosses something else besides the cover sheet on your TPS reports to grumble about.

If you must put Backup Exec on your file server, set up DFS and mirror the file shares to another server. It doesn’t have to be anything fancy–just something that can prop things up while the server’s rebooting. And run Windows 2003, because it boots fast.

The upside: I can make Backup Exec 9.1 die every time by creating a direct-to-tape job and running it concurrently with a disk-to-disk-to-tape job. The tape portion of the second job will bomb every time. Veritas technical support tells me that bug was fixed in 9.1SP1. It wasn’t. But it’s fixed in 10.

There are some other features in 10, like synthetic backups, that promise to speed backups along. That would be very nice. It would also be nice if it would be reliable.

I’m not going to put it in production yet–when I first deployed 9, it fixed a lot of problems but it made a whole bunch of new ones–but maybe, just maybe, Backup Exec 10 will do what it’s supposed to do well enough that I can work something close to regular hours again.

Otherwise I’ll look forward to Backup Exec 11 and hope that it features more changes than just a new Symantec black-and-gold color scheme and wizards featuring Peter Norton. We’ll see.

How to connect a Commodore 64 to a television

How to connect a Commodore 64 to a television

It is less than obvious how to connect a Commodore 64 to a television, especially a modern television, and it’s even more difficult if your C-64 didn’t come with the cables or the manual.

There are, as it turns out, several ways to do it. The C-64 and 128 have an RCA jack on the back that matches the RCA jacks on most televisions, whether LCD or CRT. Confusingly, this isn’t the key. If you just plug a cable from the RCA jack into the RCA input on a TV, you won’t get a display.

Read more

WordPress Appliance - Powered by TurnKey Linux