Not Good Enough

Ah, criticising Microsoft is a bit like picking on the disabled kid.

Anyway, one of the issues we have with Windows is when a user accidentally moves a directory.  How do you accidentally move a directory you ask. By moving your mouse across the screen. Sometimes, for one reason or another, as you drag the mouse the left button gets held down and suddenly you’ve moved a directory. If it’s a small directory the user may not even be aware that they’ve done it – and sometime later we get asked to restore the “missing” directory.

This has happened often enough that I’ve been asked to modify permissions on directories so that users can’t do it. The problem is I can’t – the permissions on the directories are fine. The users concerned are supposed to be able to do what they do.

Really this isn’t a security issue, it’s a usability issue. If Microsoft had provided an option in Windows so that the user would be asked to confirm a move then we would all be happy. Unfortunately, they haven’t.

You might be thinking “so what – it’s the user’s fault, they should have been more careful”. However, it’s easy to do. Browse to your favourite search engine and enter Windows Explorer move confirm and you’ll see that plenty of other people have the same problem.

So, Microsoft, why haven’t you fixed this issue? It shouldn’t be hard – you only need to provide a tick box under the Folder Options menu and then, if it’s ticked, ask the user to confirm a drag and drop move. One of your gun Windows programmers could probably knock it up over lunch.

It’s just not good enough!

I’m big on virtualisation. I think it’s the way of the future, especially from a DR perspective. The combination of VMware ESX and SAN replication means that the downtime due to the loss of a data centre can be minimised. Virtualisation potentially makes DR a lot easier. As a matter of fact, I think it’s worth virtualising everything, even if you only run one virtual server per physical server. VMware ESXi is now free so it doesn’t even have to cost anything to do it. In my mind it makes a compelling argument.

The only fly in the ointment is the problem of those products that won’t work without a licence server. Some products require a USB or parallel port dongle. They obviously can’t be virtualised.

However, licence servers that don’t require dongles (e.g. FlexLM based) are prime candidates for virtualisation. We can virtualise these servers and know that if we have to fail over to our backup data centre everything will still work.

Intergraph now require a licence server if we want to use their SmartPlant Materials (formerly called Marian) product. Thta’s fine, it’s their product. Unfortunately, they won’t allow us to virtualise the licence server. To my mind, this means that Intergraph are saying that they don’t care about us or our business.

It’s just not good enough!

We have an IBM Blade Center with two Management Modules, two Nortel Ethernet switches and two Brocade Fibre Channel switches.

The Management modules are used to provide the I/O Modules (the Ethernet and Fibre Channel switches) with basic network configuration (IP address, etc.). The rest of the configuration of the I/O Modules is done directly on the modules themselves (i.e. via telnet or a web browser and Java).

We have had an issue with the Blade Center where after an outage the external ports on the I/O Modules come up disabled. I had to connect to each of the modules and enable to external ports. Now, the first time this happened I assumed that some twit (me) had forgotten to save the configuration of the I/O Modules. So, of course I made extra sure that I saved the configuration.

The next outage we had the same thing happened. The external ports where disabled. However, it was obvious that the configuration had been saved because all the other settings (VLANs, etc.) were correct.

Later I discovered by accident that there’s a setting in the Management Module that overrides the I/O Modules. This setting is tucked away in the Admin/Power/Restart screen when all other configuration is access via the Configuration screen (or by connecting to the modules directly). And it seems that this setting defaults to disabled (although I can’t confirm that):

I/O Modules Advanced Setup

Now, I can perhaps think of a reason for allowing the Management Module to override the I/O Modules (maybe – if you want to disable all external I/O to a particular module, although we can do that by connecting to the modules themselves, the place where we would normally configure them). But why default to disabled? And if we enable the ports on the I/O modules themselves, shouldn’t the above setting also change to enabled?

It’s just not good enough!

Ah IBM. Their Remote Supervisor Adapter II allows for the creation of up to 12 login ids. The problem is, when you create a password it doesn’t tell you if the password is too long. From trial and error, it seems that the maximum password length is 15 characters. I’ve looked at the source code of the page and I can see that the password field is restricted to that many characters (perhaps I should have saved myself a lot of trail and error testing by looking at the source first):

RSA II Password Length - HTML Code

Now 15 characters isn’t that bad (plenty of systems allow only 8 and it seems one UK bank only allows six). The problem is that it lets you think you have created a password with more than 15 characters – but it only stores the first 15 characters. So, if you set your password to a123456789012345 you can’t login using that password (however, you can login using a12345678901234). Imagine the consequences if this is the only log in account, and you don’t realise the 15 character limit.

Surely it couldn’t have been that hard for the programmer creating the page to have done a basic check and popped up an error message if the password is too long. After all a message does appear if the password doesn’t contain both alphabetic and non alphabetic characters:

RSA II Password Error

So, if they can pop up an error when the password isn’t complex then why can’t they pop up an error when the password is too long.

It’s just not good enough!

In virtually every application I use, including Lotus Notes, Control-F brings up the Find dialogue. This seems to be the default behaviour for Windows applications. There is an exception though – Microsoft Outlook. In Outlook 2007, Control-F is the keyboard shortcut to forward a message. So, Microsoft has broken their own UI standard. Why? They didn’t need to, they already have a keyboard shortcut for forwarding – Alt-W.

Unfortunately, it appears that the User Interface Hall of Shame isn’t being maintained any more. Otherwise this would rate a mention.

It’s just not good enough!

You just gone out and spent all your money on a fleet of Packeteer iShapers (or PacketShapers and iShared) and want to use them to optimise your network. So, you plan to run cram as much TCP traffic down your WDC tunnel as possible to make the most of your expensive bandwidth. Of course, some traffic is more important than others, so you also plan to prioritise some of your traffic that’s going through the tunnel. It’s a great plan. Unfortunately, it’s a plan that won’t work.

The Packeteer PacketShapers (or the Inline plane in the iShapers) uses WCCP to redirect traffic destined to go through the WDC or WAFS tunnels. It does this before the traffic passes through its inspection and classification engine. That’s fair enough – you don’t want to be needlessly shaping traffic before it reaches the tunnel or you wouldn’t gain any benefits from the WDC cache.

The problem is that once the data has entered the WDC or WAFS tunnel, the PacketShaper (or the Inline plane) thinks it’s just WDC or WAFS traffic. It can’t classify it any further. So you can’t tell whether its the Payroll Department trying to use Oracle to get everyone paid, BITS updating an SMS repository or someone skiving off in Facebook. That means you can’t prioritise one over the other. The whole reason for buying a PacketShaper has just gone out the window. You would actually have been better off using the PacketShaper with a caching device from one of Packeteers competitors (Cisco, Citrix, Riverbed, etc.).

It’s just not good enough!

You could dedicate a whole site to the problems with this product. However, lets start with just one.

The iShaper is basically a melding of the Packeteer PacketShaper and the Packeteer iShared (a product Packteer acquired through their takeover of Tacit Networks). It consists of two planes – the Inline plane which offers the traditional features of the PacketShaper (QoS and not very good reporting) and the Advanced Services plane which runs Windows and offers WAFS and TCP caching (WDC). On paper this device looks a million dollars. The idea is that you can deploy it to a branch office and have it provide the features of a Windows server (Active Directory, DNS, DHCP, printing) together with WAFS, WDC and your traditional PacketShaper QoS. The PacketShaper part (the Inline plane) does a WCCP redirection to the Advanced Services plane of the traffic that needs to go via the WAFS or WDC tunnels. Note that these devices are pretty expensive – depending on your discounts, a mid range server from a tier one vendor is probably cheaper.

One of the problems with this device is that it doesn’t come with any form of built in remote management of the hardware. If you go out and buy a mid range HP Proliant or IBM xServer you’ll have the option of iLO or RSA to provide remote management of power and a remote console. The remote consoles might be slow because they use a Java client and the tracking of the mice might be poor, but at least you can do it. So, if Windows locks up and RDP doesn’t respond, and the server’s in another country, you can try to fix it.

Not so with the iShaper. They have nothing like iLO or RSA (or DRAC in the case of Dells). If RDP doesn’t work you’re stuffed. If the Advanced Services plane stops responding to the network (and that does happen) you’re stuffed.

Because the Inline plane is basically a separate machine it will still respond. You can still
log on and you can use the reset command. However, you can only reset the Inline plane, not the Advanced Services plane. So, you’re still stuffed.

Packeteer now sells an external IP KVM you can use to access the console. Unfortunately, this device only went on sale some considerable time after the release of the iShaper – and it’s not integrated. Nor does it do anything about the power. If Windows were to have a BSOD you would still be stuffed! This does assume that you can get to the KVM. Sometimes a misbehaving iShaper does strange things to the traffic passing through it – like blocking most of it.

My advice, avoid the iShaper. It’s just not good enough!

I currently use Microsoft Outlook 2007 at work. On the whole, it’s ok, but sometimes I do find it frustrating. The problem I’m having at the moment is when I try to reply to an email and I want to make inline comments.

Now it appears that Outlook replies in what ever format the original email was sent in. That’s fine if the original email was plain text. Then each line in the original email will be indented and prefixed with the “>” character. I can just add my comments where I want:

However, if the original email was sent in HTML, then my reply will be in HTML. The problem with that is that it’s less obvious where my comments are:

I can convert the reply to plain text. But that’s even worse as I don’t get the indenting:

It shouldn’t be this hard. It’s just not good enough.

Group Policy allows Windows administrators to centrally control many settings on a workstation. Generally speaking, it’s a good thing.

Group Policy works by updating the registry. It normally does this by setting the appropriate value under one of the following four keys:

HKEY_LOCAL_MACHINE\Software\Policies
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

When the policy is removed, the corresponding values are also removed. When the user runs an application that uses group policies, the application should look under the appropriate key above for the policies.

Group Policy can also write directly to the registry. This is common for security settings, or where an application isn’t policy aware (and so won’t look for its settings under the Policies registry keys above). However, when writing outside the Policies keys, the changes are permanent – the settings won’t be removed if the policy is removed. This is called “tattooing”. More information on tattooing can be found in the excellent FAQ at gpoguy.com.

Now, Internet Explorer proxy settings can be configured using Group Policy. This is good as it means that an enterprise can easily configure all its hosts with the appropriate proxy settings. Unfortunately, these settings are tattooed. Why is this unfortunate. Because, when a user leaves the network, the proxy settings still apply. So, if a user takes their laptop home, to a client, to a hotel, etc. and then attempts to browse the Internet they’ll have a problem. They will need to manually disable the proxy.

Why did Microsoft decide to tattoo these settings? I don’t know, but it’s just not good enough.

Yesterday my brother rang me to say that he was having a problem with his computer (a Toshiba laptop running Windows Vista). He’d been browsing the Internet and clicked yes when asked to install some software so he could view some files. Next think he knows, Internet Explorer is taking him to some website called secureinvites.com and telling him that he’s got a Trojan installed (at least that bit is right) and to buy their security software.

Basically, Secure Invites is a browser hijacker or rogue security software that’s trying to sell rogue anti-spyware software.

While I was helping my brother, he asked why people can get away with this sort of thing. I told him the Internet is like the Wild West. But that’s no excuse. Companies shouldn’t be able to get away with this sort of thing. To me it appears to be fraud. Now, in Australia, there’s no doubt that this would be illegal under the deceptive and misleading conduct provisions of the Trace Practices Act. I don’t know where the parent company for Secure Invites reside but I have no doubt that the people behind it should be in gaol.

I searched the Internet for utilities that would remove Secure Invites. My search on Microsoft didn’t find anything (which is just not good enough). Google turned up a number of results. However, all of them where for domains I wasn’t familiar with. How could I know if a utility was legitimate or more malware? In the end I used SmithfraudFix. It had been listed on a couple of sites and I seemed to recall using it before. I sent my brother the instructions from this page and talked him through it.

We didn’t do the first step however – I asked my brother to back up his files before he did anything. His response – “How do I do that?” When I asked him if he had an external drive, things got a bit vague. In the end it became a case of trusting the removal software and hoping for the best.

So, what’s not good enough:

• This software exists at all
• The people who wrote it and make money from it aren’t being prosecuted
• Windows didn’t protect my brother from this type of software
• Anti-virus software didn’t protect my brother either
• A search of Microsoft’s website didn’t help us
• There was no way for us to verify the bona fides of those sites on the Internet offering a removal tool
• It shouldn’t be so hard for your average computer illiterate user to back up their files

What’s the solution? I don’t know. But I don’t think it’s user education. Security awareness training has its place in limited situations (e.g. tips on creating secure passwords in combination with systems that will only accept complex passwords), but it’s not practical to educate everyone. Even if we sent every user on a security awareness course, it still wouldn’t work. Some people would still be fooled by a social engineering attack like Secure Invites.

Let’s explore the Wild West metaphor I used with my brother. Back in the Wild West, there were plenty of conmen selling snake oil to the gullible. You might say we’re now smarter and don’t buy snake oil. But we do, it’s just that now it’s made out of crystals or just plain water.

So, back to my question, what’s the solution? Well I don’t think there’s a silver bullet. We could deputise a posse to hunt down, torture and string up the malware writers. Of course that might be a little unrealistic (and unethical – cruelty to animals isn’t acceptable).

Perhaps better anti-virus software will help – but based on the industry’s past efforts I think that’s unlikely. Could better designed and built operating systems help? Perhaps it’s an issue that can only be addressed by law enforcement agencies and regulatory authorities.

Who knows? All I know is that it’s just not good enough.