Thursday, August 31, 2006

Dapper on Dell Precision M65

I'm typing this using the Ubuntu Dapper LiveCD on a Dell Precision M65.

I'm not intending to install Ubuntu on it because it is for someone else.

Quick report: the wired connection works out of the box. Wireless is present but doesn't seem to register as a wireless connection; the system calls it an eth1 device, and network-manager (nm-applet) doesn't see it.

Here is the lspci output:
0000:00:00.0 Host bridge: Intel Corporation Mobile Memory Controller Hub (rev 03)
0000:00:01.0 PCI bridge: Intel Corporation Mobile PCI Express Graphics Port (rev 03)
0000:00:1b.0 0403: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller (rev 01)
0000:00:1c.0 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 1 (rev 01)
0000:00:1c.1 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 2 (rev 01)
0000:00:1c.2 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 3 (rev 01)
0000:00:1c.3 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 4 (rev 01)
0000:00:1d.0 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #1 (rev 01)
0000:00:1d.1 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #2 (rev 01)
0000:00:1d.2 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #3 (rev 01)
0000:00:1d.3 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #4 (rev 01)
0000:00:1d.7 USB Controller: Intel Corporation 82801G (ICH7 Family) USB2 EHCI Controller (rev 01)
0000:00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev e1)
0000:00:1f.0 ISA bridge: Intel Corporation 82801GBM (ICH7-M) LPC Interface Bridge (rev 01)
0000:00:1f.2 IDE interface: Intel Corporation 82801GBM/GHM (ICH7 Family) Serial ATA Storage Controllers cc=IDE (rev 01)
0000:00:1f.3 SMBus: Intel Corporation 82801G (ICH7 Family) SMBus Controller (rev 01)
0000:01:00.0 VGA compatible controller: nVidia Corporation: Unknown device 01dc (rev a1)
0000:03:01.0 CardBus bridge: O2 Micro, Inc.: Unknown device 7135 (rev 21)
0000:03:01.4 FireWire (IEEE 1394): O2 Micro, Inc.: Unknown device 00f7 (rev 02)
0000:09:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5752 Gigabit Ethernet PCI Express (rev 02)
0000:0c:00.0 Network controller: Intel Corporation: Unknown device 4222 (rev 02)

This is the device I think is the wireless card (lspci -vv):

0000:0c:00.0 Network controller: Intel Corporation: Unknown device 4222 (rev 02)
        Subsystem: Intel Corporation: Unknown device 1020
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR+ FastB2B-
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR-
Latency: 0, Cache Line Size: 0x10 (64 bytes)
Interrupt: pin A routed to IRQ 177
Region 0: Memory at dcfff000 (32-bit, non-prefetchable) [size=4K]
Capabilities: <available only to root>
I'm not going to spend much time on this, but I will try to use fw-cutter to see if I need to download some firmware, although the bcm43xx driver isn't loaded.

Here is what we purchased, using Dell's SKU numbers:

System Summary

Service Tag: 2J9XNB1
System Type: Dell Precision WorkStation M65
Ship Date: 8/26/2006
Dell IBU: Americas

Quantity  Part #  Part Description
1         U9625   PROCESSOR, 80539, YONAH, T2400, 1.83, C0
1         DF771   CORD, POWER, 125, 1M, C7, 2P, DUAL, UNITED STATES
1         DF266   ASSEMBLY, ADAPTER, ALTERNATING CURRENT, 90W, MOBILE 2007, LEAD FREE, LITEON
1         UT879   KIT, SOFTWARE, OVERPACK, WXPPSP2, COMPACT DISKETTE W/DOCUMENTATION, ENGLAND/ENGLISH
1         RD530   CARD (CIRCUIT), WIRELESS, LEAD FREE, INTERNAL, BLUETOOTH, 350
1         UC004   HARD DRIVE, 60G, 9.5, 7.2K, Serial ATA, HITACHI GLOBAL STORAGE TECHNOLOGIES, MORAGA PLUS
1         RG240   KIT, SOFTWARE, MCAFEE, 7, COMPACT DISK DRIVE, ENGLAND/ENGLISH
1         NC293   CARD (CIRCUIT), NETWORK, MINICARD, 3945ULD, DELL AMERICAS ORGANIZATION
1         FD161   LIQUID CRYSTAL DISPLAY, 15.4WSXGA+, VIDEO ELEC. STDS. ASSOC., SAMSUNG
1         GF120   ASSEMBLY, CABLE, COAXIAL, LIQUID CRYSTAL DISPLAY, 15.4, BREWSTER/COLOMBO
1         NF964   BRACKET, SUPPORT, RIGHT, METAL, LIQUID CRYSTAL DISPLAY, BREWSTER/COLOMBO
1         NF965   BRACKET, SUPPORT, LIGHT, METAL, LIQUID CRYSTAL DISPLAY, BREWSTER/COLOMBO
1         UC172   KEYBOARD, 87, UNITED STATES, ENGLAND/ENGLISH, DUAL POINTING, BLACK
2         Y9525   DUAL IN-LINE MEMORY MODULE, 512MB, 667, 64X64, 8K, 200
1         JF155   ASSEMBLY, PALMREST, TOUCHPAD, STANDARD, BREWSTER/COLOMBO
1         M8281   KIT, SOFTWARE, OFFICE, 2K3, READYWARE RETAIL, STANDARD, ENGLAND/ENGLISH
1         YC102   ASSEMBLY, DVD+/-RW, 8X, IDE (INTEGRATED DRIVE ELECTRONICS), D MODULES
1         NG763   CASE, CARRYING, NYLON, LARGE, NOTEBOOK, JSL GROUP
1         WH304   KIT, DOCUMENTATION ON FLOPPY DISK, SOFTWARE, POWERDVD, 5.7
1         JF242   ASSEMBLY, BASE (ASSEMBLY OR GROUP), DISCRETE, 256, BREWSTER/COLOMBO
1         YD623   BATTERY, PRIMARY, 85W, 9C, LITHIUM, SIMPLO

Yonah CPU-Z

It looks like the laptop is using Intel's ipw3945 driver.  Everything looks like it is working but network-manager doesn't seem to like it.

Monday, August 28, 2006

Remotely Adding Remote Desktop Windows 2003

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001

Enable Terminal Services on W2K (command line)

Sunday, August 27, 2006

Remote Access to Linux from Cell Phone

I've been playing with midpssh for a while. My first experience was when I had T-Mobile's $5 wap service. Unfortunately, port 22 was blocked (and it runs at 9600 baud).

Now I have been issued a Blackberry from work. Internet service costs $20 a month from Verizon wireless. T-mobile required the $20 service when purchasing a Blackberry. The service is much faster but I haven't read what speed that translates into.

Anyways, you probably want to know how to get ssh access to your linux machine through your cell phone. Go to http://xk72.com/wap to download MidpSSH to your phone. There is a special Blackberry version near the bottom.

The big trick is to set your terminal to linux; otherwise it defaults to vt320 with only ASCII characters.

I've also set MidpSSH to use public keys (very secure if used correctly). Just copy the public key (a menu option once public key settings are enabled) and add a line "ssh-rsa {public key}" to ~/auth_keys. Reference man auth_keys to verify; I'm doing all this from memory.

Friday, August 25, 2006

Intel Duo Core 2 - My personal observations

Intel® Core™2 Duo



I needed to purchase a Radiology 2 medical monitor setup for a doctor that would live 9 months out of the year in Florida and be an integral tele-radiologist for our hospital. I work for the doctor side of our community hospital and as such, we don't normally purchase radiology workstations. I was given the specs for a current machine and asked to replicate it.



Since I knew that the Intel Duo Core 2's just became available July 27th (Thanks to DLtv, Cranky Geeks, and Twit), I wanted to see if I could save money using the more efficient processor.



All I can say is, Wow! You can look at a number of sites with benchmarks, but if you are like me you usually take them with a grain of salt. I'm not in the business of benchmarking systems, let alone processors. I knew from Anandtech and Tom's Hardware Guide that the speed improvements were significant, but until I compared the processor to our systems I didn't really care :)  TG Daily has a fantastic article and graph that compares price versus power between Intel and AMD since the 8/18/2006 price drop.



When I received the Precision 390 with a Duo2 processor, I eagerly opened the box and sat in front of the machine, quickly realizing I had nothing to throw at the processor except ripping CDs to MP3 or OGG files. In comes OpenMark: a quick search on sourceforge.org showed a seemingly strong contender (see note below). I don't pretend to do this for a living; this was just the best way I could compare two systems.



Below you can see 3 CPUs. The first one is my normal workstation, a P4 with hyperthreading, which only seems to help when ripping MP3s. The second is a 2-Xeon-processor Radiology workstation that I needed to duplicate. The third is the Intel Duo Core 2. Note the differences in Voltage and the Multiplier (I'll talk about the Multiplier later).







Benchmarks



Okay, if you are still with me, here are the results from the OpenMark standard tests, with all defaults selected. I did turn off services on the older machines because I tested the Duo Core 2 with the Dell Windows default OS. My workstation had a webserver and other crap.





Okay, what can we learn from this?  Well, first of all the AMD comparison doesn't really belong.  I include it here because I have been coveting an AMD chip for a long time.  At work we buy all PCs through Dell and Dell hasn't offered an AMD line until recently.  However, I didn't perform the test so I don't know what type of hardware they were testing and how they performed the test.  I got the results in the downloaded OpenMark package.



On the other three, I performed each test as equally as I could and feel pretty confident that the performance can be compared.  Since I turned off some services on the Intel P4 and the Xeon system, they may have had a slight advantage.  But my process was pretty much the same:



  1. copy the zip file from a machine,
  2. unzip it,
  3. run the Official Run with all defaults,
  4. wait for the 3 iterations to complete.


From these tests, the Intel Duo Core 2 is at least twice the speed of the Xeon system. I didn't purchase the Xeon system, but I had the service tag and could look up the specs, which is what I used to determine the power I needed for a Radiology workstation.



I differed from the specs (from memory) on the precision model number (the same model did not offer the new processors), the processor, and the video card and possibly the hard drive.



I'll try finishing this later...I'm getting drastically different values from OpenMark using the same computer/ configuration.

Tuesday, August 22, 2006

Picture of the Linux Kernel

The Linux Kernel Map


Google should support something like this using their mapping software:

RadRails and Subversion

Integrating Subversion and RadRails

I just spent some time figuring out how to integrate RadRails and Subversion, and thought I'd share a tidbit in the hope it saves others time. I installed Subversion, created a repository under C:/repository, created a project called edu20 using svnadmin, and then started the lightweight subversion server by typing:

svnserve -d --listen-port 3690 -r repository

From RadRails, I selected Window > Show View > Other > SVN > SVN Repository, which then displays an SVN window at the bottom of the screen. Then I clicked the + button, which allows you to enter the URL of an SVN repository. The trouble is, it wasn't obvious what this URL should look like. After googling for information and some trial and error, I discovered the magic incantation is:

svn://localhost/edu20/trunk

In other words, the protocol is svn, the next part is the host name, and the last part is the path from the repository root to the trunk of the project. I hope this helps someone! Graham Glass, etc., August 17, 2006. [Conversation]



Integrating Subversion and RadRails | Technology4Teachers.com: Google Cache


Monday, August 21, 2006

Defrag Linux? Surely you jest

OneAndOneIs2 - Why doesn't Linux need defragmenting?


After my first run into Linux (3 years ago), I started looking for a defrag tool.  I was using a lot of space for video and iso images and I was sure that my drive needed to be defragmented.



Lo and behold, I found article after article insisting that Linux didn't need to be defragmented, and that the OS would constantly monitor the drive for fragmentation. Well, I heard that Windows 2000 and Windows XP did that too, and it does work the same.

Sunday, August 20, 2006

Mongrel is Terrific

First, I needed motivation to switch - “the why.” And the why is simple: speed. Mongrel and mod_proxy often have far better performance than a FastCGI setup (although this may depend from setup to setup, application to application). As better performance means less overhead, I was on board for learning what this was all about. Mongrel also has other advantages; most importantly, it is easier to debug problems (as discussed in the web-as-pipe essay). As I found out, it has only a marginal learning curve.

acts_as_pipe :web



Do yourself a favor and use gem to install mongrel, cd to the root of your rails project and run 'mongrel_rails start'. After another strong article and my own experience, Mongrel makes getting Rails projects up really easy and it is faster for the dynamic portions (i.e. the hard stuff). If you combine Mongrel with a proxy layer from Apache, Lighttpd (wait for the next mod_proxy release), or Pound (specific proxy layer) for the static content, you have a solid solution.

First Attempt at Mongrel on Ubuntu

Re: [ANN] Mongrel 0.3.13.3 -- Ruby Licensed Release

First problem: you need to install make and gcc. 'sudo aptitude install make gcc' is necessary for a gem install of mongrel. It looks like mongrel is compiled from C to assist with speed.



If you don't have make installed, you won't see any errors during the mongrel install until you try running it within a rails project.



/usr/lib/ruby/gems/1.8/gems/mongrel-0.3.13.3/lib/mongrel.rb:666:in `register': undefined method `resolve' for nil:Mongrel::URIClassifier (NoMethodError)

So I installed make and gcc and reinstalled mongrel through 'sudo gem install mongrel'.

Running Regedit with System Rights

At a command prompt:



        at 16:31 /interactive regedt32.exe



This will - after 1 minute - open regedt32.exe with SYSTEM rights!!! (yes there is something _more_ powerful than an Administrator in Windows). And automagically - the keys can be violently deleted.



SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System




Friday, August 18, 2006

Using Linux in a Microsoft World

Open Networks - Denver Linux Networking Part 1

Open Networks - Denver Linux Networking Part 2

I also work for a Microsoft/Dell shop. I am one of 4 network/system administrators managing 530 desktops and around 20 Windows 2003 servers. I have been using Linux (Debian and recently Ubuntu) for about 3 years.



Since I had control over my machine, I installed a second hard drive and attempted to install Linux without touching the Windows drive.  It was possible if I had Linux as the primary drive, but Windows doesn't work if it believes it is not on the primary drive.  I had to use grub to trick Windows into thinking it was the primary drive.  It is much easier to allow Linux to modify the boot sector on the Windows drive because you can always run fixmbr.exe from an old Win98 boot disk to revert.



You can authenticate on a Windows domain without joining the computer to Active Directory.



smbclient '\\computername\share' -U username -W domain    # ftp-like client; quote the UNC path so the shell keeps the backslashes

smb://username@computername/share                           # for Gnome Nautilus; smb.conf needs the domain listed to resolve to the default domain



Kerberos is even better but I never figured out how to get Gnome's Nautilus to work with Kerberos without joining the computer to the domain.



After I got XGL working with Ubuntu Dapper, I went Linux full time for a week. XGL sounds like just fluff, but I found it to be very useful for my dual monitor workstation.



Just note, when I joined my computer to the domain, it showed up in the AD find box as a Domain Controller and in the properties box as a workstation or server. I don't have rights to join a Linux computer as a domain controller, so this field must be a reporting error.

Inspection of Apache with Nikto

Security Testing your Apache Configuration with Nikto | HowtoForge - Linux Howtos and Tutorials


Sunday, August 13, 2006

Windows Updates: Crazy

PatchAholic...The WSUS Blog! : Troubleshooting Error 0x80072efd



Yesterday while I was heading to work I was reading Slashdot Mobile (fantastic WAP site) and noticed the worm concerns.  From 9am on Friday until 2am Saturday morning, myself and 2 other network administrators were updating servers and desktop computers.



The servers were straightforward: apply patch and reboot. The desktop computers forced us to pull the trigger on our WSUS strategy early. I had already created a test group and approved all the updates to a small group of 4 users. We were having problems with it, and I knew we were having speed issues. Frantically, I moved our WSUS server from a WMSDE service to a frontend/backend SQL server solution.



Today I was able to force an update of the critical patch KB921883 at a set time. As long as the clients had checked in to WSUS before that time, I could change our normal behavior of updating at 9am.



I found out that a group of workstations were not updating. From this event log and the link above, I can determine that I need to make sure that in the "computer's Local Area Network (LAN) settings, the automatically detect settings check box is NOT selected".



Event Type:    Error
Event Source:    Service Control Manager
Event Category:    None
Event ID:    7001
Date:        8/11/2006
Time:        10:01:56 PM
User:        N/A
Computer:    HFA9304
Description:
The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.






Here is the meat-and-potatoes of what I think our problem is. My first tests with 'proxycfg -p  proxyserver:80 wsusfrontend' didn't help, but I think this is the right track. I will next check to see if the winhttppxy service is disabled on these workstations.



OK, I solved it!!!! On our ISA 2000 (Proxy) Server, since we use WPAD for Automatic Detection through DNS and DHCP, I had to go into the Client Configuration > Web Browser settings and turn on the Bypass Proxy for Local Servers under the Direct Access tab. I never thought about this because I didn't actually realize those particular settings are what actually "write" the wpad.dat file that Automatic IE clients get.

And, I found this by finally finding an article that states that WinHTTP clients, which Automatic Updates is if you are not actually manually going out to the Windows Update website, do not use IE settings, including the IE exceptions list, to access the Windows Update site. So, if you manually open IE and go to the Windows Update site, you are using all IE settings. BUT, if you use any kind of automatic scheduling for Windows Updates, to where you are not manually going out to the website, it uses WinHTTP (which is the proxycfg tool), which either goes directly out there or through the automatically detect settings, or the wpad.dat or proxy script if you are using that.

After figuring that out and doing some narrowing down, I found (as others had said in the past, it just didn't make total sense) that since our client PC's use the Automatically Detect config of the wpad.dat through DNS and/or DHCP, then I needed to focus there. After making some changes, and testing, I have all my client PC's now popping up in there. YES!!!!! Case closed.

I am going to award the points to Netman66 because 1) he tried hard to help me and narrow things down and 2) he taught me something else about GPO's that I didn't quite know, in that you should disable the settings first and not "not configure" them in order to reverse the settings. Thanks for everything.

Windows Server 2003: WSUS - 0x8024401B Error (Proxy Authentication)




Saturday, August 12, 2006

Cool Links from TWIT

Workfriendly.net: a browser that uses https to encrypt all internet traffic and makes the browser look like a Word document, with the bold button and stuff.

Network Neutrality test. Google could incorporate this into their toolbar.

Ben Kinski dox site. Computer World article.

Thursday, August 10, 2006

Rails back on my mind

Thoughts on Ruby on Rails - Ian Clarke's blog

Rails is very much on my mind after hearing about the huge hole in the application. If you made the right call, you could wipe out data. I can't help but be disappointed that rails didn't have a security process before such a big problem.



Rails 1.1.6, backports, and full disclosure

Riding Rails: Rails 1.1.6, backports, and full disclosure



Read this fantastic comment by planetmcd. I wish I could just link to it on a blog. I've taken liberty with the formatting, but all wording is from this commenter.



# planetmcd on 10 Aug 18:46:

DHH et al., First, I hope you get some much deserved rest today. Thanks for the hard work and the disclosure. Let me layout what I believe to be the source of frustration for many posters over the last day.



With a security breach there are 3 discrete tasks.



1) plug the hole,
2) assess the damage if there has actually been a breach,
3) take steps to correct the damage.



As a framework developer, all you can do is work on Step 1. And assuming things are smoothed out, your job is done and in quick fashion to boot.



For the people using your framework, steps 2 and 3 are equally if not more important to be handled in a timely fashion. Think compromised bank accounts or credit cards. The sooner clients know about this, the sooner they can protect themselves, and the sooner they will get over their anger.



By issuing a dire warning and then not revealing the problem, developers had no way to judge whether they should shut down their app, do nothing, or put in place other security measures. And they had no means to judge whether the fix actually worked or not.



I do sympathize that hiding the attack vector to reduce detection by lower-level crackers, while you and the team feverishly worked on a solution, might have been the most logical approach from the framework standpoint, but it was a tough position for some members of the community. And while you’ve primarily created a framework, you’ve also created a community.



Let me also say that I regret that many who disagreed with your decision expressed that disagreement in an immature fashion. How people state a point can diminish the validity of that point, and I hope that is not the case here. Some posters on both sides should really take some time and think about what they say before they hit send. This isn’t a black and white issue, and treating it as such reflects poorly on the posters and the community.



Thanks for your effort (in this case and in general), handling the situation with aplomb, and taking proactive measures for future security issues.



Riding Rails: Rails 1.1.6, backports, and full disclosure




My only addition to planetmcd is a possible solution. The biggest concern with disclosing the vulnerability was that big sites that have used rails (odeo, second life's map, off the top of my head) needed to have that full disclosure. Actually, any Internet-facing website needs this information, but as soon as the public knows about it, then anybody can type the right url into a browser and delete parts of databases.



Stream of consciousness, such as it is

I believe the only solution for this type of disclosure is a fee-based support model. I can't think of any other way to let the good people know and keep the bad people from knowing. If DHH offered a security support model that companies could pay for to get quicker, more direct information, then you could mitigate some of the risk of full disclosure.



Of course, it would only take one person to bring that information to the press, or the bad guys could even subscribe to the security support contract.



Create a security support contract that costs $300 to get "trusted" by the core development team. In the contract, you could bind users to huge fines for disclosure, which would prevent users from going to the press publicly. Then you only have the untrustable good guys and bad guys.



Maybe there is no easy way.  Previously, I had thought that all the money transactions could be replaced by trusted GPG keys, but I'm not sure.  If there was only a way to encrypt a message that would show who opened the message.  Naw, you could always circumvent the process by cutting the decrypted information out of the message.  Unless there was always a block that would decrypt with the other parts of the message that could identify who had decrypted the message.



=====GPG Decrypted Message====
ajdflkj029384oiuweu0293480980                 <- This is a short asymmetrically encrypted hash

Here is the decrypted text.

)@#(LKJFDLSJF#@IOUKJFSLDFJO#WIE
=====end of Message===========



The blocks (hashes) could always be different depending on whose public key opened the message. Really what you would have here is a signed message encrypted within a signed message. The block could originally be something that only the sender can create. When a user strips off the encryption with their key, the block doesn't get decrypted because it was never encrypted to that user's key. In effect, the block gets changed in a way only the recipient could have changed it. I don't know if there is any way that you could use the recipient's public key to determine who decrypted it. Maybe if the sender used the key they encrypted the block with, they would get something that you could compare to other public keys.



I think this could almost work, especially if you required recipients to send a copy of the decrypted text as an acknowledgment (not that you can force anybody to do anything, but if you don't receive their acknowledgment then you could talk to them).



It's more like a signature within a signature.
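An added illustration of the "block only the sender can create" idea from the paragraphs above; it is not the post's own code, and it leaves GPG's encryption layer out entirely. It assumes the sender holds a secret key (constructed here), that the block is an HMAC over the recipient's name and a digest of the text, and that recipients' names and the text are constructed samples. Each recipient gets a copy with a different block, so a leaked copy matches exactly one recipient, and the same check serves the acknowledgment idea; it also shows the limitation the post notes: once the block is stripped, nothing can be traced.

```python
"""Per-recipient tagged copies: a leaked plaintext can be matched back to
the recipient whose copy it was, as long as the block survives."""
import hashlib
import hmac

# Framing lines mirror the sketch in the post.
BLOCK_START = "=====GPG Decrypted Message===="
BLOCK_END = "=====end of Message==========="

# Constructed sample data (not from the post).
SAMPLE_KEY = b"constructed-sender-secret-key"
SAMPLE_RECIPIENTS = ["alice@example.com", "bob@example.com"]
SAMPLE_TEXT = "Here is the decrypted text.\nSecond line of the advisory."


def message_digest(text: str) -> str:
    """Binds a block to one specific text, so it cannot be moved to another."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def make_block(sender_key: bytes, recipient: str, text: str) -> str:
    """The identifying block: only a holder of sender_key can produce it,
    and it differs for every recipient of the same text."""
    data = f"{recipient}\n{message_digest(text)}".encode("utf-8")
    return hmac.new(sender_key, data, hashlib.sha256).hexdigest()


def build_copy(sender_key: bytes, recipient: str, text: str) -> str:
    """One recipient's copy: framing, block, then the text."""
    block = make_block(sender_key, recipient, text)
    return "\n".join([BLOCK_START, block, text, BLOCK_END])


def parse_copy(copy: str):
    """Split a copy into (block, text); None if the framing or block is gone."""
    lines = copy.split("\n")
    if len(lines) < 4 or lines[0] != BLOCK_START or lines[-1] != BLOCK_END:
        return None
    return lines[1], "\n".join(lines[2:-1])


def trace_leak(sender_key: bytes, recipients, leaked: str):
    """Return the recipient whose copy the leaked text came from, or None
    when the block is missing, moved onto other text, or matches nobody."""
    parsed = parse_copy(leaked)
    if parsed is None:
        return None
    block, text = parsed
    for recipient in recipients:
        expected = make_block(sender_key, recipient, text)
        if hmac.compare_digest(block.encode("utf-8"), expected.encode("utf-8")):
            return recipient
    return None


def acknowledged(sender_key: bytes, recipient: str, ack: str) -> bool:
    """The acknowledgment idea: a returned copy counts only if it carries
    the block that was issued to that particular recipient."""
    return trace_leak(sender_key, [recipient], ack) == recipient


if __name__ == "__main__":
    copies = {r: build_copy(SAMPLE_KEY, r, SAMPLE_TEXT) for r in SAMPLE_RECIPIENTS}
    print("leaked copy traced to:", trace_leak(SAMPLE_KEY, SAMPLE_RECIPIENTS, copies["bob@example.com"]))
    print("block stripped, traced to:", trace_leak(SAMPLE_KEY, SAMPLE_RECIPIENTS, SAMPLE_TEXT))
```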

RIS 2003 Documentation

I will need to document our RIS server environment and I don't want to forget about these websites.

http://web.mit.edu/ist/topics/windows/server/winmitedu/whatsRIS.htm

http://bink.nu/Forums/ShowPost.aspx?PostID=1684

I really felt I had to copy the text from un4given1. I didn't like the format on the webpage and I was concerned that the information may be lost. I don't have a way to contact un4given1 but I give this person full credit for this post.





I have been working with RIS for almost 2 years now and I consider myself somewhat of a seasoned pro, so I would be more than happy to help anyone who has questions. I figured I would get this section off to a good start, so kick back and relax and get ready for a really long thread.

I will start with a page that I am working on...

-----------------------------------------------------
Introduction to RIS

There are many ways to deploy Operating Systems. Manual CD installs, image-based installations, network unattended installs and CD unattended installs are amongst a few of them. Each offering positives and negatives for their use. One other option is Remote Installation services, or RIS for short.

Lets first talk about Manual CD installation. It is obvious why this installation method is the least preferred. Such an installation requires constant user interaction. This is valuable time wasted especially when you have a need for a large volume of PCs.

Image-based installations offer a good amount of positives. With image based installations such as Ghost or DriveImage you can build a PC and configure it will all of your software. You then create the image and burn it to disk. The negatives of this would be that you would have to recreate an image and re-burn it to disk each time you needed to make a change. There is also a good amount of administration that needs to be done with image-based installations, such as using a utility to change the SID and computer name. One other negative point is that an image may only work with one hardware configuration.

Some imaging software does give you options to run “mini-setup” programs but since I am not all too familiar with image-based installations I can not comment on such programs.

CD unattended installations give you all of the options that a manual CD installation offers but allow you to create an answer file which holds the answers to all of the questions the setup wizards ask. You can automate the installation of software through using a cmdlines.txt file and the GuiRunOnce options in the answer file, but you are limited to the size of a CD minus how much Windows takes up. A negative point would be that, as with image-based installations, you have to recreate a CD each time you want to add or remove an item.

Network installations offer the same positives and negatives as CD unattended installations with the exception of size limitations and the need to burn the information to a CD.

Remote Installation Services allows you to do everything that all of the other methods offer and much more. RIS allows you to install an operating system without any interaction and install programs through the use of the same methods as a CD or network based unattended installation. RIS also allows you to add a computer to a domain without having to save your password information into the answer file. RIS can be updated without recreating the image. There really aren’t any disadvantages to using RIS.

Remote Installation Services can be used many ways. You can create images using RIPrep, which in my opinion is an unpreferred method since it must be recreated each time you make a change. You can use a base image and through cmdlines.txt, GuiRunOnce, and batch scripting you can accomplish almost anything. This is the method that I will focus on.

Prerequisites for Remote Installation Services

Remote Installation Services is only available on Windows 2000 Server and Windows 2003 Server. It cannot be installed on the same drive or partition that Windows is installed on. The drive must be formatted with the NTFS file system and must have enough space to hold at least one full image of Windows 2000 or Windows XP. I recommend that you have at least 3 gigabytes; this way you accommodate for a working image, a test image and space for any software you may want to include.

Remote Installation Services also requires other available services. These services can be run locally on the RIS server or as part of your network domain. These services include Active Directory, DHCP (Dynamic Host Configuration Protocol), and DNS (Domain Name Service).

Installing Remote Installation Services

Before you will be able to use RIS you will need to install the necessary components. The following instructions will show you how to install Remote Installation Services.

1. Log into the Windows 2000/2003 Server you would like to use for your Remote Installation Services as an administrator.
2. For Windows Server 2000: click Start, Settings, and Control Panel.
For Windows Server 2003: click Start, Control Panel, Add/Remove Programs then skip to step 4.
3. Double-click on Add/Remove Programs.
4. Double-click on Add/Remove Windows Components.
5. Select Remote Installation Services and click Next.
6. Insert your Windows Server 2000 or 2003 CD into your CD drive.
7. Click Finish to exit the Windows Components wizard.
8. When you are prompted to restart your server click Yes.

Configuring Remote Installation Services

The steps you followed minutes ago installed the necessary service, but without an image and other changes you will be unable to use RIS. So, here we go.

1. Click Start, Run, enter RISetup.exe and click Open.
2. You will be prompted with the Remote Installation Services Setup Wizard dialogue box. Click Next to continue.
3. You will be prompted for the drive and directory where you would like RIS to install its files. Enter the drive and directory you would like to use, keeping in mind that you may not use the system drive, and click Next.
4. In the next dialogue box you will be prompted with the options of Respond to clients requesting service and Do not respond to unknown client computers. My recommendation is to choose the first option. You can control who is allowed to use the services through permissions and delegated control. If you choose the second option a PC must be pre-staged within Active Directory in order to connect to the RIS server. Pre-staging PCs requires you to enter a GUID from each PC into Active Directory and give it a computer name. Unless you are running another network based PXE (Pre-eXecution boot Environment) you should have no need to use the second option. Make your selection and click Next.
5. You will be prompted for the location of your Windows 2000 or Windows XP installation files. Contrary to information on Microsoft’s site stating that RIS works only with Windows 2000, it also works with Windows XP, and now in Windows Server 2003 support for Server operating systems has been included. Insert your Windows 2000 or Windows XP CD into the drive. Enter the location of the CD and click Next.

IMPORTANT: Please be aware of licensing when creating an image. An image should be created with an enterprise edition of Windows 2000 or XP. A retail or OEM installation disk may work with other retail or OEM installation license keys but you should be careful not to include the license key in the answer file. Unfortunately this will require a manual step, but it is always necessary to maintain license compliance with Microsoft. I can not be held responsible for abuse of the aforementioned choices.
6. You will now be prompted to enter the name of the directory in which you will want to save these installation files. You can name the directory anything you wish but you should not use spaces. I recommend, as it is recommended by Microsoft as well, that you name the directory in a method such as “win2000.pro” or you can take it one step further and use names such as “w2k.sp4.production” or “wxp.sp1.test”. Depending on how many images you create you will find that it’s important to have a good naming scheme for the images. Enter the name of the directory you wish to use and click Next.
7. You will be prompted to enter a description of the image you are creating. This description will be shown during the RIS setup screens on the client PC when the image is highlighted. Be as vague or as detailed as you would like. Click Next to continue.
8. You will be prompted now with a dialogue box showing all of the choices you made. Click Finish to accept these options and continue.
9. You will have to wait while RIS completes its tasks and creates the image by copying the complete contents of the CD to its drive. This can take awhile. When it is finished click Done.

Authorizing Remote Installation Services in Active Directory

Well, you probably thought you were just about done. You were wrong. Before you can use the images you just created you have to authorize RIS in Active Directory. The following changes must be made as a domain administrator of the root domain that the RIS server will be servicing. They can be made from the DHCP server or using the snap-ins on any other server, or available by installing the administrator tool package located on your Windows 2000 or Windows XP CD as “adminpak.msi”. It is not necessary to complete these next steps if your DHCP server is also your RIS server.

1. Click Start, Programs, Administrative Tools and then DHCP.
2. Right click on DHCP in the top left of the window.
3. Select Manage Authorized Servers.
4. Click Authorize.
5. Enter the DNS or IP address of your RIS server and click OK.
6. Click Yes to verify that the DNS or IP address you entered is correct.

The changes you have just now made enable RIS to respond to client PCs that request its service.

User Permissions in Active Directory

In order for users to use RIS to install an operating system they must have the rights necessary to use RIS. These rights would include the ability to join a computer to the domain. If you will not be joining the PC to your domain you may skip the following steps.

1. Click Start, Programs, Administrative Tools and then Active Directory Users and Computers.
2. Right click on the domain name at the top left and select Delegate Control.
3. The Delegation of Control Wizard will begin. Click Next to continue.
4. Click Add.
5. Enter the name or group name you wish to delegate control to and click OK.
6. Click Next.
7. Select the radio box Delegate the following common tasks and then select Join a computer to the domain.
8. Click Next.
9. Click Finish to exit the wizard.

At this point you are now able to use RIS. The image you created earlier will be the only image available at this time and until you have edited the answer file it will act in the same manner as a CD install.
--------------------------------------------

Now... that is just the setup of a RIS server... I could tell you how to use it but I think it's more important to configure it first, so I will take some time to show you my method for that...

--------------------------------------------

First I start by creating an $OEM$ directory in the image directory, adjacent to the i386 directory. In this I create three directories, $1, $$, and SOFTWARE. Within the $1 directory I create a directory called FILES. Within that directory I create a directory for hotfixes, with each of the 4 types of hotfixes having its own directory (1,2,3,4). I will explain the different types a little later. Then I throw in directories for programs I want to install during the build, such as acrobat reader and shockwave/flash player. Throw anything into the $$ directory that you want to include in your %windir% and you can even create sub directories. I then create a SOFTWARE directory into which any software that is installed during the cmdlines.txt is copied. So the directory structure will look a bit like this..

i386
$OEM$
-$1
--files
---hotfixes
----1
----2
----3
----4
---acroread
---swfp
-$$
-SOFTWARE

Now, you ask, "What do I do now?"

Well, all of those directories are useless without the files necessary so here we go..

In the $OEM$ directory you want to create a file called CMDLINES.TXT. The format in the file will be something like this...

------------
[commands]
".\software\ieak\ie6setup.exe /q:a /r:n"
------------

That would install your internet explorer administration kit during the 13 minute mark in GUI setup mode for Windows XP. You can add any other commands that you would like.

For the example above you would need to copy the IEAK files to the IEAK directory under the SOFTWARE directory.

The $1 directory will be the root of the C drive (RIS does not allow you to do much with formatting and partitioning). In this directory you want to create a command script file that you will launch from the [GuiRunOnce] in the SIF file. So, let's assume that you want to install Service Pack 1 when the system starts for the first time. You would copy the SP1 file to the $OEM$\$1\files\SP1 directory. You would then create a CMD file to launch this... like this...

-----------
@echo off
echo Installing Service Pack 1
REM The switches must sit outside the quoted path; if they are inside the quotes,
REM start looks for a program literally named "wxpsp1a.exe -u -z -q" and fails.
start "" /wait "c:\files\SP1\wxpsp1a.exe" -u -z -q
echo -completed
shutdown -r -t 10 -f -c "The system is restarting"
-----------

But what I usually do in this case is add an item that will write to the RunOnce regkey for when the PC restarts again, so that I can kick off hotfixes... You can do that by adding this item before the shutdown command...

-----------
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v hotfixes /t REG_SZ /d "c:\files\hotfixes.cmd"
-----------

What is HOTFIXES.CMD, you ask? It's a script to run all of your current hotfixes... and here it is...

-----------
@echo off
TITLE Hotfix Installation Script - by Donald Freeman
REM Builds a second script, hotfixinst.cmd, with one "start /wait" line per hotfix
REM (using the switches for each of the four hotfix types), then runs it and reboots.
REM Remove any hotfixinst.cmd left from an earlier run so lines are not appended twice.
if exist c:\hotfixes\hotfixinst.cmd del c:\hotfixes\hotfixinst.cmd
echo Collecting list of current hotfixes...
echo @echo off>>c:\hotfixes\hotfixinst.cmd
echo echo Please wait while current hotfixes are being installed. This may take awhile!!!>>c:\hotfixes\hotfixinst.cmd

REM "delims=" keeps file names containing spaces in one piece.
REM Type 1: XP rollup package          Type 2: /q /r:n packages
REM Type 3: -u -n -z packages          Type 4: MDAC-style packages
for /f "delims=" %%i IN ('dir c:\hotfixes\1 /b') Do @echo start "" /wait c:\hotfixes\1\%%i /passive /norestart>>c:\hotfixes\hotfixinst.cmd
for /f "delims=" %%i IN ('dir c:\hotfixes\2 /b') Do @echo start "" /wait c:\hotfixes\2\%%i /q /r:n>>c:\hotfixes\hotfixinst.cmd
for /f "delims=" %%i IN ('dir c:\hotfixes\3 /b') Do @echo start "" /wait c:\hotfixes\3\%%i -u -n -z>>c:\hotfixes\hotfixinst.cmd
for /f "delims=" %%i IN ('dir c:\hotfixes\4 /b') Do @echo start "" /wait c:\hotfixes\4\%%i /C:"dahotfix.exe /q /n" /q>>c:\hotfixes\hotfixinst.cmd

echo echo - Completed>>c:\hotfixes\hotfixinst.cmd
echo - Completed
echo.
CALL c:\hotfixes\hotfixinst.cmd
shutdown.exe -r -t 15 -f -c "PC must reboot to make changes. This is part of the unattended installation. Please do not disturb."
:end
------------

Now, for the explanation of the different hotfix types...

type 1 is only used by the new XP rollup package. Its unattended switches are "/passive /norestart". This will allow you to view the install progress and it will be unattended.

type 2 is used by many packages and uses the switches "/q /r:n". This will also allow you to view its progress and allow for unattended install.

type 3 is used by many packages as well and uses the switches "-u -n -z". This will allow for all of the same as the above two.

type 4 is used by packages such as MDAC and others and uses the switches "/C:"dahotfix.exe /q /n" /q". Same as the above...

Place the correct hotfixes in the correct directories (you can determine a hotfix's switches by typing hotfix_name /? in a command window, where hotfix_name is the name of the hotfix). You will learn to know the difference after you have done it a couple of times.

The above will make your PC reboot once again. You can continue to write items to the RunOnce key and reboot the PC as many times as you would like (my build has 4 reboots, but that's just me...)
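As an added example (my own script, not from un4given1's post), here is a variant of HOTFIXES.CMD that installs each package directly with the switches for its type instead of generating a second script, writes every package's exit code to a log, and reboots only when nothing failed, so you can see afterwards which hotfixes actually applied. The log path c:\hotfixes\hotfix.log, the *.exe filter, and treating exit code 3010 (success, reboot required) as success are this example's assumptions.

```batch
@echo off
setlocal EnableDelayedExpansion
REM Added example, not from the original post. Installs every package in the
REM four type directories from the post (c:\hotfixes\1 .. c:\hotfixes\4) with
REM the switches for that type, records each exit code, and reboots only if
REM nothing failed. Log path and the *.exe filter are this example's choices.
set "LOG=c:\hotfixes\hotfix.log"
set FAILED=0

REM Switch table, one entry per hotfix type as described above.
set "SW1=/passive /norestart"
set "SW2=/q /r:n"
set "SW3=-u -n -z"
set "SW4=/C:"dahotfix.exe /q /n" /q"

echo ==== Hotfix run started %DATE% %TIME% ====>>"%LOG%"
for %%t in (1 2 3 4) do (
    if exist c:\hotfixes\%%t\*.exe (
        for /f "delims=" %%f in ('dir /b c:\hotfixes\%%t\*.exe') do (
            call :install %%t "c:\hotfixes\%%t\%%f"
        )
    )
)
echo ==== Hotfix run finished, %FAILED% failed ====>>"%LOG%"
if %FAILED% GTR 0 (
    echo %FAILED% hotfixes failed, see %LOG% - not rebooting automatically.
    exit /b 1
)
shutdown.exe -r -t 15 -f -c "PC must reboot to apply hotfixes. This is part of the unattended installation. Please do not disturb."
exit /b 0

:install
REM %1 = hotfix type (1-4), %2 = full path of the package
set "HFTYPE=%~1"
set "PKG=%~2"
set SWITCHES=!SW%HFTYPE%!
echo Installing type %HFTYPE%: %PKG%
start "" /wait "%PKG%" %SWITCHES%
set RC=%ERRORLEVEL%
REM 0 = success, 3010 = success but a reboot is required; anything else counts as a failure
if "%RC%"=="0" (
    set STATUS=ok
) else if "%RC%"=="3010" (
    set STATUS=ok-reboot-required
) else (
    set STATUS=FAILED
    set /a FAILED+=1
)
echo %DATE% %TIME% type=%HFTYPE% rc=%RC% %STATUS% %PKG%>>"%LOG%"
goto :eof
```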

OK now... what about the programs such as acrobat reader and flash player? Well, I drop the EXEs into their corresponding directories and create a CMD file in the $OEM$\files\ directory that includes the unattended switches for that file... such as this...

----------
@echo off
echo Installing Acrobat Reader 5.1...
start "" /wait c:\files\acroread\setup.exe
reg add "HKLM\Software\Adobe\Acrobat Reader\5.0\AdobeViewer" /v EULA /t REG_DWORD /d 00000001
echo - Completed
echo.
----------

The "reg add" key accepts the license agreement.

Well, in order for you to install this you have to call it at some point, right? You can decide the point and just call the following file, which will scan the directory for files in it and launch each of them in alphabetical order (I usually put numbers at the beginning of the files to control order.. if your hotfixes file is part of this directory it will call it, and you can do away with the call script I spoke of earlier and input this following script instead)

----------
for /f %%g IN ('dir c:\files\*.cmd /b') Do @echo CALL c:\files\%%g>>c:\RISinstalls.cmd
CALL c:\RISinstalls.cmd
----------

This will gather the names of the files in the c:\files directory and launch each.

Ok, so it's always a good idea to clean all of the files off when you are done, so you would need to add a script to delete any temporary files and directories you have. That's easily accomplished using the RD /q /s command.

OK.. I know that this is spotty and some things may be missing, but it is getting late so I am going to conclude this addition. Please let me know if you have any questions, comments or suggestions!

Later!

Digg It! Ubuntu in the News

TV interview with Mark 'Ubuntu' Shuttleworth - Google Video
http://digg.com/linux_unix/TV_interview_with_Mark_Ubuntu_Shuttleworth


Skype Protocol

Paralipsis » Blog Archive » Blocking Skype Using Squid

The best information about how to get better Skype connections is a paper on how to block it.

[PDF link to paper]


Wednesday, August 9, 2006

New Linux Podcast

Linux Action Show
http://Linuxactionshow.com

Mobile Blogging -- MoBlog

Use http://m.wordpress.com: log in and start posting to your wordpress.com blog.

This interface is fantastic. I'm writing this on a Blackberry 7250 or thereabouts.

I've been emailing my Gmail account to store my notes and comments about podcasts I'm listening to. I started using vox.com to have a more public record of thoughts but flock doesn't work on vox.com.

Now I'm hooked on wordpress.com

My only concern was that it took a google search from my BB to hear about it. I'm pretty sure that there are other features I know nothing about. I did once find the help area on wordpress but it looked better for referencing rather than give me neat ideas about the possibilities of blogging.

Maybe there should be a learn.wordpress.com or something else entirely.

Medical Software Problems

Here is an interesting discussion about some problems with Medical Software. Unfortunately, this just begins to scratch the surface. I have been using and managing medical software for 5 years and I am amazed at how poorly a vendor can treat a customer once the contract is signed.



Some doctors who use Dr. Notes' electronic medical records software say they have been denied access to the program and their patients' medical records because they refused to pay increased technical support fees.

Multiple doctors cut off from records by Dr. Notes - South Florida Business Journal:



Fortunately, the situation isn’t entirely bleak. New online communities are developing to build and market free software solutions. LinuxMedNews is a regularly updated online forum for discussing industry news. GPLMedicine is a similar site maintained by Fred Trotter, project manager for the Free software ClearHealth management system. A project by Canada’s McMaster University, OSCAR, became the first IT system certified by OntarioMD.



Although these don’t have the name recognition among the medical community of commercial ventures such as Dr. Notes, they’re available for testing and implementation—free of charge and usage restrictions—today.



If you are a doctor or other healthcare provider, you owe it to yourself and your patients to take a look at these forums and applications. At the worst, you’ll find them uninteresting and unuseful. However, you could also find ways to protect your patients’ and your own best interests—all while saving money.



Your data or your life | Free Software Magazine



The Problem

Too many unique software packages and too few dollars for development.

If you look at it, the real value that a medical facility gives is the doctor's expertise. Sure, there are lots of tools that a doctor needs to be effective, but a doctor can still make good decisions without the fanciest equipment in the world. If you believe as I do, then everything else is just an expense to maximize the doctor's dollar. That means that there is less money to spend on software. At a conference a keynote speaker told us that medical facilities spend the lowest per revenue dollar on IT (IIRC 5% for medical and 10% for banking).



Medical facilities need multiple software packages to do very specialized and unique processes even for similar departments. For example, we use one software package to schedule radiology (Radiology Information System), one system to schedule clinic visits, and another to schedule patients that stay overnight. The reason a hospital needs 3 systems is because each system is better at managing its department than a general scheduler. I haven't even covered the transcription department, the billing department, and the medical records department. I'm sure I'm missing some but you should get the idea.



When a medical facility shops for vendors, usually they are lucky to find 2 competitors in a marketplace. Sure, there may be many small boxed software packages, but usually you find one very strong industry leader and a weak second place competitor. The vendor that you pick may be the best in the industry, but since the other one is still using an abacus for calculations, the medical facility feels over a barrel.



The main thing I wanted to say was the medical field needs to start embracing open standards and open source software. It is too expensive for medical facilities to ignore. Medical facilities are also very keen on working with their competitors. We don't have a problem sharing information between other sites as long as they are not across the street stealing patients.



I believe that if HL7 had a BSD style license for their standard and maintained slow backwards compatibility, interfaces between applications would drop to under $1,000 from the $10,000 we see today. I'm usually a GPL guy, but for something as low level as HL7 you probably need the proprietary software guys and the open source software guys to come up with a standard together.


Wednesday, August 2, 2006

McAfee Reference

http://www.chm.bris.ac.uk/pc/tech/ePO_notes.php

Look into dsquery
dsquery * ou=chem,dc=ads,dc=bris,dc=ac,dc=uk -scope subtree -attr cn -filter "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows*))"
to see if I can use this to do multiple queries on our domain.