Outlook, HTML, Plain Text and Replies

admin on Apr 16th 2008

I currently use Microsoft Outlook 2007 at work. On the whole, it’s ok, but sometimes I do find it frustrating. The problem I’m having at the moment is when I try to reply to an email and I want to make inline comments.

Now it appears that Outlook replies in whatever format the original email was sent in. That’s fine if the original email was plain text. Then each line in the original email will be indented and prefixed with the “>” character. I can just add my comments where I want:

Plain Text Reply

However, if the original email was sent in HTML, then my reply will be in HTML. The problem with that is that it’s less obvious where my comments are:

HTML Reply

I can convert the reply to plain text. But that’s even worse as I don’t get the indenting:

HTML Converted To Plaintext Reply

It shouldn’t be this hard. It’s just not good enough.


Group Policy Connection / Proxy Settings Tattoos Windows

admin on Mar 31st 2008

Group Policy allows Windows administrators to centrally control many settings on a workstation. Generally speaking, it’s a good thing.

Group Policy works by updating the registry. It normally does this by setting the appropriate value under one of the following four keys:

HKEY_LOCAL_MACHINE\Software\Policies
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

When the policy is removed, the corresponding values are also removed. When the user runs an application that uses group policies, the application should look under the appropriate key above for the policies.

Group Policy can also write directly to the registry. This is common for security settings, or where an application isn’t policy aware (and so won’t look for its settings under the Policies registry keys above). However, when writing outside the Policies keys, the changes are permanent - the settings won’t be removed if the policy is removed. This is called “tattooing”. More information on tattooing can be found in the excellent FAQ at gpoguy.com.

Now, Internet Explorer proxy settings can be configured using Group Policy. This is good as it means that an enterprise can easily configure all its hosts with the appropriate proxy settings. Unfortunately, these settings are tattooed. Why is this unfortunate? Because, when a user leaves the network, the proxy settings still apply. So, if a user takes their laptop home, to a client, to a hotel, etc. and then attempts to browse the Internet they’ll have a problem. They will need to manually disable the proxy.
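One way to check a laptop for the leftover proxy settings described above, as an added example that is not part of the original post: it reads the per-user Internet Explorer proxy values and reports whether their key sits under one of the four Policies keys listed earlier. The function names are hypothetical, and the Internet Settings key path and value names are assumptions, since the post does not give them.

```powershell
# Added example, not from the original post.
# The four Policies keys listed above; values written here go away with the policy.
$PolicyRoots = @(
    'HKLM:\Software\Policies',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\Software\Policies',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
)

function Test-UnderPolicyKey {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($root in $PolicyRoots) {
        # Match the root itself or any of its subkeys, ignoring case.
        if ($Path -eq $root -or
            $Path.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-ProxySettingReport {
    # Assumption: the standard per-user Internet Explorer connection settings key.
    $ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $names = 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL'

    $settings = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
    if ($null -eq $settings) { return }   # key missing: nothing to report

    foreach ($name in $names) {
        $prop = $settings.PSObject.Properties[$name]
        if ($null -eq $prop) { continue } # value not set on this machine
        [pscustomobject]@{
            Key                        = $ieKey
            Value                      = $name
            Data                       = $prop.Value
            # Outside the Policies keys means removing the policy leaves it behind.
            PersistsAfterPolicyRemoval = -not (Test-UnderPolicyKey -Path $ieKey)
        }
    }
}

Get-ProxySettingReport | Format-Table -AutoSize
```

A value reported with `PersistsAfterPolicyRemoval` set to True was not necessarily written by Group Policy; it only shows that the setting will survive the policy being removed.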

Why did Microsoft decide to tattoo these settings? I don’t know, but it’s just not good enough.


Rant on “Secure Invites”, Malware and Security

admin on Mar 17th 2008

Yesterday my brother rang me to say that he was having a problem with his computer (a Toshiba laptop running Windows Vista). He’d been browsing the Internet and clicked yes when asked to install some software so he could view some files. Next thing he knows, Internet Explorer is taking him to some website called secureinvites.com and telling him that he’s got a Trojan installed (at least that bit is right) and to buy their security software.

Basically, Secure Invites is a browser hijacker or rogue security software that’s trying to sell rogue anti-spyware software.

While I was helping my brother, he asked why people can get away with this sort of thing. I told him the Internet is like the Wild West. But that’s no excuse. Companies shouldn’t be able to get away with this sort of thing. To me it appears to be fraud. Now, in Australia, there’s no doubt that this would be illegal under the deceptive and misleading conduct provisions of the Trade Practices Act. I don’t know where the parent company for Secure Invites resides but I have no doubt that the people behind it should be in gaol.

I searched the Internet for utilities that would remove Secure Invites. My search on Microsoft didn’t find anything (which is just not good enough). Google turned up a number of results. However, all of them were for domains I wasn’t familiar with. How could I know if a utility was legitimate or more malware? In the end I used SmitFraudFix. It had been listed on a couple of sites and I seemed to recall using it before. I sent my brother the instructions from this page and talked him through it.

We didn’t do the first step however - I asked my brother to back up his files before he did anything. His response - “How do I do that?” When I asked him if he had an external drive, things got a bit vague. In the end it became a case of trusting the removal software and hoping for the best.

So, what’s not good enough:

  • This software exists at all
  • The people who wrote it and make money from it aren’t being prosecuted
  • Windows didn’t protect my brother from this type of software
  • Anti-virus software didn’t protect my brother either
  • A search of Microsoft’s website didn’t help us
  • There was no way for us to verify the bona fides of those sites on the Internet offering a removal tool
  • It shouldn’t be so hard for your average computer illiterate user to back up their files

What’s the solution? I don’t know. But I don’t think it’s user education. Security awareness training has its place in limited situations (e.g. tips on creating secure passwords in combination with systems that will only accept complex passwords), but it’s not practical to educate everyone. Even if we sent every user on a security awareness course, it still wouldn’t work. Some people would still be fooled by a social engineering attack like Secure Invites.

Let’s explore the Wild West metaphor I used with my brother. Back in the Wild West, there were plenty of conmen selling snake oil to the gullible. You might say we’re now smarter and don’t buy snake oil. But we do, it’s just that now it’s made out of crystals or just plain water.

So, back to my question, what’s the solution? Well I don’t think there’s a silver bullet. We could deputise a posse to hunt down, torture and string up the malware writers. Of course that might be a little unrealistic (and unethical - cruelty to animals isn’t acceptable).

Perhaps better anti-virus software will help - but based on the industry’s past efforts I think that’s unlikely. Could better designed and built operating systems help? Perhaps it’s an issue that can only be addressed by law enforcement agencies and regulatory authorities.

Who knows? All I know is that it’s just not good enough.


Insufficient System Resources and Trend Micro OfficeScan

admin on Feb 11th 2008

If you are running Trend Micro OfficeScan with Virus Scan Engine 8.550.1001 you might see errors such as “Insufficient system resources exist to complete the requested service” or “The server was unable to allocate from the system paged pool because the pool was empty.” If you run Poolmon you will see the Vmem tag using around 80 to 100MB of the pool. Basically, this is Trend consuming a large portion of your paged pool:

Trend in Poolmon

In Sysinternals’ Process Explorer you see that most of your paged memory is in use:

Kernel Memory with Trend

If you unload Trend OfficeScan most of your Kernel’s paged memory is freed:

Kernel Memory without Trend

Basically, it seems that OfficeScan is trying to load its entire pattern file in memory. Unfortunately this file is around 100MB, which doesn’t leave much of the default 160MB paged pool for the rest of the system. This problem has been around since at least the end of October when this version of the engine was released. Trend Micro have known about it since at least the middle of December. They have published a workaround (see Trend Micro’s Solution ID on the problem) that increases the size of the pool. However, this only delays the onset of the problem.

More information can be found in this thread at the SysInternals forums.

It’s now almost the middle of February and Trend Micro still haven’t released an update fixing this problem. When are they going to fix it? Personally, I think anti-virus can at times be as bad as the viruses.

It’s just not good enough!


Windows XP and the Classic Start Menu

admin on Jan 28th 2008

By default the Start menu in Windows XP looks quite different to Windows 2000. I quite like the new menu - I find it increases my productivity. However, some people prefer the old style Start menu. Nothing wrong with that - Windows XP has an option to change to the “Classic Start menu”.

Now, to reduce training costs (or because the management in IT don’t like change), some organisations want to make the Classic Start menu the default. Again, nothing wrong with that. The problem is that the normal way of doing this is to set the Explorer option NoSimpleStartMenu via the registry or Group Policy (where it’s called “Force classic Start Menu”). Unfortunately, when you set this entry you don’t just make the classic the default, you also disable the new “Simple Start menu” so no-one can use it.

Now I get given my new PC at work. I log in and see the classic Start menu. I then go to change it to the new simple Start menu and I can’t because that option isn’t available anymore. Not happy Jan.

I mean didn’t someone at Microsoft think that perhaps there should be an option to set the classic Start menu as the default but allow users to choose the simple Start menu if they wanted? Would that be such a revolutionary idea?

It’s just not good enough!


Packeteer PacketShaper, securing interfaces and the MGMT port

admin on Jan 28th 2008

Some organisations choose to use a Packeteer PacketShaper on their Internet link. This gives them some rudimentary reporting and the ability to shape their Internet traffic*. When doing this it’s important that the box is secured. One of the steps in securing a PacketShaper is to not allow management access over the outside interface (called securing the interface). Some models also have a MGMT interface. So, why not connect the MGMT interface to the local network and then disable all management access to the Inside and Outside ports? That should allow us to manage the device internally while keeping it safe from all the script kiddies.

Unfortunately, no. To quote the page Specify Security Settings in Packeteer’s PacketGuide:

“Enable/disable access to the unit over the inside and/or outside interfaces (for example, ping, Telnet, or web access). The MGMT port (available on certain models) is considered an outside port. Therefore, securing the outside interface will secure the MGMT port as well.”

Now, some might call me stupid (and may do), but for the life of me I cannot think of any reason why the MGMT port should be linked to the Outside interface. I can think of a reason why it shouldn’t - so I can secure the Outside interface and use the MGMT port to manage the device.

What I can’t figure out is why Packeteer decided to do it the way they did.

It’s just not good enough!

* Shaping traffic like streaming video down to less than 1Kbps is popular. It means that IT can hold their hand on their heart and swear to all things holy that they aren’t blocking such traffic - while making such applications unusable.


IBM Remote Supervisor Engine II firmware

admin on Jan 21st 2008

I have seen this several times. You buy a new IBM server (perhaps an xSeries 3650) and connect to the Remote Supervisor Adapter. After logging in you get the error:

The firmware on this ASM does not include functionality to support this server. You can update its firmware on the next page. Click “OK” to continue. 

See the screen shot below for an example:

IBM RSA II Firmware Error

How hard can it be to ship a server with a working RSA adapter? I mean all they have to do is make sure it has the appropriate firmware.

It’s just not good enough!


Regional Settings in Windows XP

admin on Dec 29th 2007

Why is it that when I select my location as Australia during a Windows XP install, the installer sets my default language to US English? I mean, wouldn’t you think that just because I’m in Australia I might want to default to Australian English?

It’s just not good enough!
