Andrew Healey’s Blog

This weekend, I finally received my first Nigerian scam e-mail. In actuality, this is probably not the first but it is the first one to make it through the e-mail filters. I have to admit, I have felt a little left out over the past few years. I always heard about these e-mails but I never received one. Here is the text from the message:

Subject: PLEASE I NEED YOUR ASSISTANCE
From: clementmattins
Sincere Greeting,
I’m Mr. Clement Mattins from bank of Africa. firstly,accept my apologies ,am the personal accountant to Dr. Ravindra F. Shah who died with his wife Mrs. Manjula Parikh-Shah in a plane crash on 1st Oct. 2003 on their way to Boston. i came across ($8,500.000.00USD) in his balance with our Bank (B.O.A), then i want you to provide an account where this money will be transfer into for both of us, If you are willing to assist me, therefore you should contact me immediately you receive this E-mail for more detail, Regards Mr Clement Mattins Telephone: +226 78 31 77 67

After looking around the net, it became obvious that this is a 419 scam. A few ideas came to mind. Should I play along and screw with the scammer? Should I report this to some official government agency?

In the end, I decided to just let it go. I tried forwarding the message to the secret service’s 419 scam e-mail address but it just bounced. It just pisses me off that people fall for these scams. It also worries me that in the current economic climate, more and more people will fall for these scams. The public at large is aware of this type of generic scam. However, these scammers have adapted their methods and are becoming more clever.

Nothing made this more clear than Dateline NBC’s episode on, what they call, Work-from-home scams. The sad part is that these scams are originating in the same place as the scam e-mail I received. I guess these people will always find a way to make a quick buck.

I have been asked by several small businesses and individuals regarding services like those offered by Carbonite, Mozy and iDrive.  I’ve always had a bad feeling about the idea.  Recently though, I thought a little harder about the reasons why I could never store all my data online. Of course, online backup systems are infinitely more valuable than no backup solution at all. As some readers have pointed out, online backup services have saved a lot of butts. At the same time, there are some factors that make online backups less attractive to the “old fashioned way” of backing up data.  There are three main factors that I feel give standard backups an upper hand.

1. Storage is cheap.
2. Your data is only as safe as your password.
3. When stored online, your data is no longer yours.

While these factors are why I do not recommend online backups, I want to take a moment to discuss when online backups do make sense.

Disclaimer: When Online Backups Make Sense

As a reader pointed out, many people setup a backup process but the process gets in their way of doing it properly. Either their backups fail to run regularly or they stop rotating the media because the process is cumbersome.  If this is the case, backup your data online.

Also, please understand that this is only meant to explain why I do no recommend online backup services as a regular practice.  It does not mean there is no place for it.  There are many reputable online services out there.  The vast majority of them encrypt the connections end-to-end and store the data in encrypted form.  But that is something you should ask or check before just signing up for the service and dumping your data on their servers.

For each of the weaknesses I discuss, there are measures that can be taken to protect your data, even if stored online.  Most technically savvy people know how to operate online and protect their data and identity.  But all too often, I find people and small businesses operating online in an insecure fashion.  They may be required by their insurance company to have offsite backups.  They see online backups as a panacea without understanding the potential risks they face by not fully understanding the importance of protecting their data.

One other point regarding offline backups.  If you store your data on a hard drive that is stored in the back seat of your car or in your gym bag, just save yourself the hassle and use an online service.  By now, most of us have heard the stories about the IT guy at the hospital whose car was broken into and all the hospital’s data was compromised.  Or, the VA worker whose laptop was stolen with patient records.  The same thing can (and will) happen to you if you do not treat your offline backups with care.

Disks Are Cheap

The other day I was spec’ing out a brick-and-mortar backup solution for a small business.  I was surprised to find a 1TB external hard drive for only $90.  I realize that in a few years from now, that 1TB drive will not be enough storage.  File sizes grow.  However, as history has shown, a comparable storage medium will be available at that time for a similar price.

Online storage solutions exist because they offer strategy, software and storage for ~$50/year.  The price point and ease of use is attractive.  It is why the services are popular.  When you add the fact that to do your own backups you need (probably) two 1TB external drives, software and some knowledge of your computer, these solutions become even more attractive.  It is the same reason people use Gmail or Yahoo! for their e-mail.  Sure, they could buy a domain name, setup postfix and roundcube and have control over their e-mail services.  But why?  Especially when it is free to use Yahoo! or Gmail.

The real reason against online backups is in my two points below.  However, the cost and expertise needed to do it on your own is minimal.  If you do it on your own, you first have to assume that you probably replace your computer every 5 years.  Over that period, an online service would cost roughly $250 over that time.

To do this on your own, you probably want to start out with two 1TB disks.  The software needed is free.  You can use Windows Backup or an Open Source solution like Areca.  The time needed to learn how to properly backup your data and to manage the backups is the wildcard.  It depends on how much you value your data (if you’ve ever lost everything, your probably realize it is worth a lot; or maybe not).  The resources are available on the internet.  You just have to find a solution that works for you.

My solution.  I use two 1TB disks along with Areca to backup all my data to the disk.  I always store one of the hard drives in a locked, fireproof safe and the other at an external location I can trust.

Your Data, Your Password

If you are like most people, you use the same password for your online banking as you do your e-mail and your e-bay account.  It is a fact that people repetitiously use their passwords.  Although there is a positive trend in password strength, as was evident in the recent presidential race, there are ways to get around strong passwords.  For example, Sarah Palin’s e-mail account was compromised and all her e-mail accessed during the campaign.  Not because she used a weak password.  Instead, it was because the security questions used to reset her password were setup using easy to guess answers.  What is your mother’s maiden name?  What high school did you attend?  As social networking and the semantic web become more prevalent, the answers to these questions become easier to find.  And what about that computer support forum you posed a question on?  Well, you had to setup an annoying username and password.  You also supplied your e-mail address.  Odds are, you used the same password for that account as you did your e-mail account.  You trust the people that setup that forum without even knowing them.  You also trusted their ability to secure the data you submitted.  What if somebody were to compromise their database?  They now have access to your e-mail and any other online services you use that utilize that same password.  Thanks for playing, come again…

It is a fact that this activity goes on every day.  In my own testing, I was able to find forum after forum, website after website that were setup by lazy administrators and were vulnerable to these same attacks.  Now you are talking about client lists, confidential contracts, business relationships, personal information, tax information, etc.  All of that is vulnerable to these attacks when you store your data online.  The web is not a nice place for the complacent.

Your Data != Your Data

The 10 Immutable Laws of Security.  While they tend to talk about your computer explicitly, they are really talking about the security of the data on your computer.  If you don’t care about the data on your computer, then they don’t apply.  But, if you are like most, you value the safety of the data on your computer.

When you talk about backups, you are talking about storing all your data in a different place and medium than “your computer”.  I still tell people and small business that a security deposit box is tested and trusted; use it!  I tell them this because it is a trusted storage place and has been so for decades, if not years.  Online storage is a new medium that has only recently reached mainstream.

To store all your data online, you must trust all the individuals that handle your data.  You trust the geek squad or your neighborhood geek to fix your computer.  You know where they work.  You know where they live.  Yet, people have no idea where their data goes when they use one of these online services beyond what is posted on a web page.  Is your data handled by foreign nationals?  Are the employees at the corporation happy?  (We’ve all heard of rogue admins.)  How well do you know all those that have access to your data?  When you let somebody into your home, whether as a friend or contractor, you analyze the situation and give them a certain level of trust.  Do you do the same when you select an online service to upload everything you have stored on your computer?

You should ask yourself all these questions before selecting any backup solution, online or offline.  Most online services will offer some level of encryption.  You need to know what that means and do your homework to ensure you data is transferred in a secure manner and stored in a secure fashion.  Again, this goes for both offline and online backups.

Conclusions

The technology is neat.  The fact that we now have enough bandwidth to copy the entirety of hard drives up to the cloud is not something to scoff at.  My biggest concern is that the vast majority of people do not realize the repercussions of storing their data in the cloud.  If you put serious thought into the decision to do this and you still feel confortable, then go for it.  I, for one, will continue to backup my data to a disk I can touch and hold with my own hands.  Now get off my lawn!

Update 2009.04.16: At the request of a commenter, I added a couple lines to the script that will dump the output to a text file in the root of the C: drive. I also corrected a couple errors in the script.

I was tasked to get a dump of all the users in our Schema Admins, Enterprise Admins and Domain Admins for our Forest. I started thinking about it and realized a couple things. Two of the three groups reside at the forest root while the Domain Admins group exists for every domain in the forest. This meant I would need to enumerate every domain and depending on the domain, enumerate either all three groups or just one.

My thinking was overly complex and I realized this halfway through writing a new script. Using the power of LDAP, I can use a logical “or” (|) statement. When run against a domain, it would always return “Domain Admins” since it will always exist in an AD domain. When it is run against the forest root domain, it would also return the “Enterprise Admins” group and “Schema Admins” group. Here is the LDAP query:

(&(objectCategory=group)(|((name=Enterprise Admins*)(name=Domain Admins*)(name=Schema Admins*))))

At this point, all I need to do is this:

1. Enumerate all domains in the forest
2. Loop through each domain
3. Execute LDAP query against each domain
4. Loop through LDAP query results
5. Dump membership of each group

The script below does just that. I hope some find it useful. There is no configuration necessary. You should be able to just run it from your environment as no domain references (or really anything) is hard coded. The only thing you may want to add to or remove from is the LDAP filter. Cheers!

'==========================================================================
' VBScript Source File
' NAME: Active Directory Admin Audit
' AUTHOR: Andrew J Healey
' DATE  : 2009.04.16
' COMMENT: This script will check all the domains within a forest
'		and report all the members of the following groups: Schema
'		Admins, Enterprise Admins and Domain Admins. See notes to
'		expand on the groups.
'==========================================================================

'Define Constants
Const adUseClient = 3
Const ForWriting = 2
 
'Set the path and filename for the dump of sensitive users
'  Folder must exist!
fileTemp = "C:\AD Admin Audit.txt"
 
'Create tmp file and report file
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTempFile = objFSO.OpenTextFile(fileTemp, ForWriting, True)
 
'Query RootDSE and return array with all AD domains in forest
Set adoComm = CreateObject("ADODB.Command")
Set adoConn = CreateObject("ADODB.Connection")
adoConn.Provider = "ADsDSOObject"
adoConn.cursorLocation = adUseClient
adoConn.Open "Active Directory Provider"
adoComm.ActiveConnection = adoConn
 
Set objRootDSE = GetObject("LDAP://RootDSE")
strBase   =  "<GC://" & objRootDSE.Get("rootDomainNamingContext") & ">;"
strFilter = "(objectcategory=domainDNS);" 
strAttrs  = "distinguishedName;"
strScope  = "subtree"
 
strQuery = strBase & strFilter & strAttrs & strScope
adoComm.CommandText = strQuery
adoComm.Properties("Page Size") = 50
adoComm.Properties("Timeout") = 30
adoComm.Properties("Cache Results") = False
 
Set adoRS = adoComm.Execute
 
'Start Loop
Do Until adoRS.EOF
	'Parse ad search results to create well formed DNS domain
	strDomain = Replace(adoRS.Fields(0).Value,"DC=","")
	strDomain = Replace(strDomain,",",".")
	Call GrpAll(strDomain)
	adoRS.MoveNext
Loop
adoRS.Close
adoConn.Close
wscript.quit
 
Function GrpAll(x)
	'To search for more groups, edit the "strFilter" line. It uses a simple
	' LDAP or (|) so multiple groups can be added. It uses ADO record sets
	' to loop so it doesn't have to find all of them, just one. Every domain
	' will contain at least the Domain Admins group.
	Set adoCommand = CreateObject("ADODB.Command")
	Set adoConnection = CreateObject("ADODB.Connection")
	adoConnection.Provider = "ADsDSOObject"
	adoConnection.cursorLocation = adUseClient
	adoConnection.Open "Active Directory Provider"
	adoCommand.ActiveConnection = adoConnection
 
	strBase   = "<LDAP://" & x & ">;"
	strFilter = "(&(objectCategory=group)(|((name=Enterprise Admins*)" & _
				"(name=Domain Admins*)(name=Schema Admins*))));"
	strAttrs  = "name,member;"
	strScope  = "subtree"
 
	strQuery = strBase & strFilter & strAttrs & strScope
	adoCommand.CommandText = strQuery
	adoCommand.Properties("Page Size") = 5000
	adoCommand.Properties("Timeout") = 30
	adoCommand.Properties("Cache Results") = False
 
	Set adoRecordset = adoCommand.Execute
 
	objTempFile.WriteLine "Group report for domain: " & x
 
	adoRecordset.MoveFirst
 
	Do Until adoRecordset.EOF
	    objTempFile.WriteLine vbTab & adoRecordset.Fields(0).Value
		For Each strMember in adoRecordset.Fields(1).Value
			objTempFile.WriteLine vbTab & vbTab & strMember
		Next
	    adoRecordset.MoveNext
	Loop
 
	adoRecordset.Close
	adoConnection.Close
End Function

The difficult part with managing SNMP via Group Policy is that SNMP is not installed by default. The first step is to install SNMP on all the machines you want to monitor via SNMP. This can be managed a couple ways. The simplest method that I have used is the one Zenoss recommends. If you only have a couple of machines to install SNMP on, it may be easier just to go into the Add/Remove Programs –> Add/Remove Windows Components –> Management and Monitoring Tools –> Simple Network Monitoring Protocol.

Once SNMP is setup, you need to create a custom ADM template to manage the SNMP settings via Group Policy. This sounds more difficult that it really is. The bonus is that once you see it done a time or two, you really start to understand the power in home made ADM templates. I would checkout the mailing list at ActiveDir.org and the information available on petri.co.il. Both of these resources are invaluable for getting things done in Windows and Active Directory.

If you just want to manually control the SNMP settings, just go: Start –> Run –> Services.msc. Select the SNMP service, right click and select Properties and click on the security tab. All your communities can be managed through that tab.

Unfortunately, MS didn’t make SNMP as easy to implement in Windows as *nix environments have. However, setting it up on Windows is a good experience and all the work will pay off in spades once it is complete.

As for monitoring packages, check out Zenoss and Zabbix. I’m all for the open source, service support model of software development and these two have proven it is a viable means of running a productive and profitable software development business.

Here is a little script I put together for one of our developers here at Aerojet. Feel free to use, abuse, change, tweak, fix, etc.

Here is a zip file of the script: list-all-attributes.zip

'*  Script name:   List All Attributes.vbs
'*  Created on:    01/28/2009
'*  Author:        Andrew J Healey
'*  Purpose:       Exports all attributes from the user object type within
'*                 the Active Directory schema.
'*  Usage:         cscript /nologo "list all attributes.vbs" > Attributes.csv
'*  History:       Andrew J Healey 01/28/2009
'*                  - Created script
'
Option Explicit
 
'Declarations
Dim objUserClass : Set objUserClass = GetObject("LDAP://schema/user")
Dim objSchemaClass : Set objSchemaClass = GetObject(objUserClass.Parent)
 
wscript.echo chr(34) & "Mandatory" & chr(34) & "," & _
			 chr(34) & "Name" & chr(34) & "," & _
			 chr(34) & "Syntax" & chr(34) & "," & _
			 chr(34) & "Single/Multi Valued" & chr(34)
 
Call GetAttributes(objUserClass.MandatoryProperties,objSchemaClass,True)
Call GetAttributes(objUserClass.OptionalProperties,objSchemaClass,False)
 
Private Sub GetAttributes(x,y,z)
	Dim strAttribute
 
	'Loop through all attributes
	For Each strAttribute in x
		Dim strOut : strOut = ""
 
		'Compares whether the attribute is mandatory or optional
		'Prints whether mandatory/optional and name of attribute
		If z = True then
			strOut = strOut & chr(34) & "Yes" & chr(34) & "," & _
							  chr(34) & strAttribute & chr(34) & ","
		Else
			strOut = strOut & chr(34) & "No" & chr(34) & "," & _
							  chr(34) & strAttribute & chr(34) & ","
		End If
 
		'Get the attributes syntax: i.e. Integer, String, NumericString, etc.
		Dim objAttribute : Set objAttribute = y.GetObject("Property",  strAttribute)
		strOut = strOut & chr(34) & objAttribute.Syntax & chr(34) & ","
 
		'Determines whether column holds multi or single values
		If objAttribute.MultiValued Then
			strOut = strOut & chr(34) & "Multi" & chr(34)
		Else
			strOut = strOut & chr(34) & "Single" & chr(34)
		End If
 
		'Print string to screen. Each line its own CSV.
		wscript.echo strOut
		strOut = Empty
	Next
	Set objAttribute = Nothing
	strAttribute = Empty
End Sub

So, I found a way to download, burn and install Fedora. This normally wouldn’t be a big deal but I’m roaming house to house until Rose and I find somewhere to live. I survived Iraq with Fedora 8 and I really wanted to try out the latest. I really enjoyed 8. It was stable and served me well on my journey.

But, being the geek I am, I couldn’t resist but install the latest and greatest. And, two days later, I have no regrets. I can honestly say that this is the best distribution I have tried. I used Ubuntu 8.10 as soon as I got home to see what had changed on the Debian front. I wasn’t all that impressed. While it operated smooth, it was missing a few bits which I really wanted. It was lacking the latest OpenOffice.org, Mono and Eclipse and it excluded the Empathy IM package which I wanted to try. It also didn’t have a ready-to-go NetBeans installation in its repositories.

There is really nothing much to say about the installation of F10. The installation was smooth and easy. Everything just worked. When it first booted, I noticed an immediate difference. Not only did the boot process look different, it also booted a lot faster than F8. This is due to the inclusion of Plymouth as a replacement for RHGB. I wasn’t sure why it looked so plain though. It was just a black screen with a progress bar across the bottom. After some searching, I found that adding “vga=0×318″ would allow a more graphical boot screen at 1024×768 with 16M colors. After the change and a subsequent reboot, it looked more like one would expect.

I would have to say that the folks working on NetworkManager have done an outstanding job. I didn’t my Kyocera KPC650 Verizon card with me during installation. However, it didn’t matter. I just plugged it in while working from the desktop and NetworkManager detected it and I was able to connect in seconds. This was much smoother than using wvdial or any of the other older methods. It is also considerably better than Windows approach.

After adding all my bits, I found that I didn’t need to reference any documentation to get my system 100%. It just was. Everything was there and working. I did add the RPMFusion repos to yum but this is as simple as clicking on the download on their site. Viola, libdvdcss, gstreamer-ugly, et. al. were all there and ready.

I do have one complaint with Gnome. The default image viewer application is just too simple. It doesn’t offer any photo touch up tools or anything. I really wish the folks at Gnome would begin pushing gThumb as the default. It is fast, lightweight and simple enough to use as the default. Yet, it offers those that want to crop or adjust color the tools necessary to get the job done.

In conclusion, I would recommend F10 to just about anybody. It is as stable as any release I have ever tried. It is also as bleeding edge as they come. Those two rarely come hand in hand. It’s nice to see they got it right with Fedora 10.

A really interesting post was placed on the Royal Pingdom blog that compared average load time and up time of operating system websites. The author took measurements from October 17th through November 17th. He used 16 Linux distributions, Apple.com and Microsoft.com. While his results were interesting, I felt a correlation between page size and load time should be included. I asked the author about this and he responded, “from a user perspective it doesn’t really matter what size the web page is. All that matters is how they experience the load time.”

I created the chart below based off his data and a current size snapshot of the same web pages. I used a Firefox add-on called lori or Line-of-request info to measure the complete size of the page including images and anything stored in cache.

The following two charts show the actual size of each page including scripts, images and html and their speed to load in KBps based on the data from Pingdom.

OS Vendor Website Speed (KBps)

OS Vendor Page Sizes (KB)

Conclusions

• Most popular, well funded operating systems have main pages which, regardless of size, have ample bandwidth
• If all linux sites are combined, the average speed is 130.35KBps. The median speed is 70.84KBps.
• I’m not sure if the Suse Enterprise site load time was measured correctly. It measures in at a whopping 388KB! However, its load time averaged 591ms giving it amazing results. I am wondering if the flash heavy website wasn’t being measured correctly in Pingdom’s tests.
• There seems to be a direct correlation between the funding, bandwidth and bloat of the website. I guess if you have all the bandwidth you could ever want, file size doesn’t matter. Unless you want to be nice to those of us with SLOW INTERNET!
• It is interesting to point out that even those with the slowest transfer speeds will still usually beat out the loading of the bloated pages from a users perspective. This is ultimately what really matters as pointed out by Pingdom.
• PC Linux OS could really do themselves a favor and get rid of some bloat!
• Apple and Ubuntu seem to be the most balanced between size, bandwidth and load times.

So, as most of those who know could have guessed, I’ve become the computer fix-it guy over here. Between our firewalls, proxies and lack of reliable phones, troubleshooting is made difficult. The past week, I have had to fix four computers. That makes nine complete format and OS reinstalls. Of those, all nine had Windows Vista installed. I’m not a Vista guru but it seems to me that Vista was rushed to market. In every case, the only resort available was to upgrade them to XP. I say upgrade because the stability and performance after moving them to XP was remarkable. Every Marine was glad to have the reboots snappy and system stable. Most of them just figured the slowness of their computers was due to the laptop and not due to the bloated operating system Microsoft released.

Only one of them I was able to salvage. I found a nice little hack to reset any users password using Linux and some intuitive programming. This is definitely one of those “must have”’s for the toolbox. The funny thing was, once I restored the Marine’s password, he asked if I could put XP on his laptop just because Vista was so annoying, bloated and slow.

I was also reading a story on how RedHat plans to capitalize on Microsoft’s release of Vista and the slowdown in the economy. I guess both of these type of events have, historically, led to the adoption of alternative software and operating systems. I really hope so. It would be nice to see some more competition out there. Mac has made a nice stand recently with their products. I guess we will see.

For me, I look forward to the late November release of Fedora 10. I’m going to be building up a new computer based on the “Ultimate Budget Box” on Ars Technica’s website. Sub-$500 isn’t bad for a full system with speakers, LCD monitor, keyboard, mouse, etc. Plus, it only pulls 90 watts which will help with the electricity bill.

Anyway, I guess this is all wishful thinking.