Also, if you use the OperatingSystemVersion attribute, you will find that Server 2008 R2 shares version “6.1 (7600)”.  So, the best way to find Windows 7 only, is to search for “Windows 7*” with the wildcard character against the OperatingSystem attribute.  That will ensure all Windows 7 versions are returned and will exclude Server 2008 R2 from your results.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

#Get Domain List
$objForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$DomainList = @($objForest.Domains | Select-Object Name)
$Domains = $DomainList | foreach {$_.Name}
 
 
#Act on each domain
foreach($Domain in ($Domains))
{
	Write-Host "Checking $Domain" -fore red
	$ADsPath = [ADSI]"LDAP://$Domain"
	$objSearcher = New-Object System.DirectoryServices.DirectorySearcher($ADsPath)
	$objSearcher.Filter = "(&(objectCategory=Computer)(operatingSystem=Windows 7*))"
	$objSearcher.SearchScope = "Subtree"
 
	$colResults = $objSearcher.FindAll()
 
	foreach ($objResult in $colResults)
	{
		$Computer = $objResult.GetDirectoryEntry()
		$Computer.DistinguishedName
	}
}

By following the steps below, you will be able to create a new policy and manage the filter lists and actions. The goal here will be to put all these pieces together into a nice tidy package that is fully automated.

The policy you create in this tutorial will not be applied to the system until you “Assign” the policy in Step 6. As long as the policy is not assigned, you can safely edit, add, remove, etc. rules and sets to the policy without affecting the system. Note: double and triple check your sets to ensure you do not block legitimate traffic before assigning the policy.

To begin this tutorial, open the command prompt. If you don’t know how, you probably shouldn’t be doing this. All commands meant to be typed are in italics.

Step 1: Create IP Security Policy

netsh ipsec static add policy description=”This policy blocks all traffic to hosts/nets associated with it.”

Step 2: Create an IP Filter List

netsh ipsec static add filterlist description=”This filter list contains hosts and networks known to host malware, criminal activity, etc.”

Step 3: Create IP Filters and Associate them with the Filter List (Repeat this step until all hosts you wish to block have been entered)

Single IP (10.254.254.254/32)

netsh ipsec static add filter filterlist=”Bad Hosts” srcaddr=10.254.254.254 dstaddr=any description=”John Smith. 12/31/2015. Brute force logon attempts to: SERVER01″

Subnet (10.254.254.0/24)

netsh ipsec static add filter filterlist=”Bad Hosts” srcaddr=10.254.254.0 dstaddr=any srcmask=24 description=”John Smith. 12/31/2015. Brute force logon attempts to: SERVER01″

Network Range (10.254.254.2-10)

netsh ipsec static add filter filterlist=”Bad Hosts” srcaddr=10.254.254.2-10.254.254.15 dstaddr=any description=”John Smith. 12/31/2015. Brute force logon attempts to: SERVER01″

Step 4: Create a Filter Action

netsh ipsec static add filteraction description=”This action blocks all traffic.” action=block

Step 5: Create Policy Rule to apply Filter Action to Filter List

netsh ipsec static add rule policy=”Blocked Traffic” filterlist=”Bad Hosts” filteraction=”Block All Traffic” activate=yes

Step 6: Assigning (and un-assigning) the Policy

This step will apply all the settings you have created up to this point. Double and triple check that you did not enter a valid host or network or it will be blocked. If fact, if you have any doubts in your mind, do not do this step until another person (who knows what they are doing) looks over your work too! Note: This is one place MS will not give you a little “are you sure you want to do this” type of warning. As soon as you assign the policy, it is done.

Assign

netsh ipsec static set policy name=”Blocked Traffic” assign=yes

Un-assign

netsh ipsec static set policy assign=no

By following the steps below, you will be able to create a new policy and manage the filter lists and actions. In part three, I will explain how this can be done from the command line for all you CLI warriors. This tutorial should be accurate for: Windows XP, Vista, 7 and Server 2003, 2008, 2008R2 (possibly even 2000)

The policy you create in this tutorial will not be applied to the system until you “Assign” the policy in Step 6. As long as the policy is not assigned, you can safely edit, add, remove, etc. rules and sets to the policy without affecting the system. Note: double and triple check your sets to ensure you do not block legitimate traffic before assigning the policy.

To begin this tutorial, open the Local Security Policy by:

• Control Panel → Administrative Tools → Local Security Policy
• Start → Run → secpol.msc

Step 1: Create IP Security Policy

1. Right click “IP Security Policies on Local Computer”
2. Select “Create IP Security Policy…”
3. IP Security Policy Wizard
   • Welcome Screen → Next
   • IP Security Policy Name → Give a descriptive name and description → Next
   • Requests for Secure Communication → Do Not Check “Activate the default response rule” → Next
   • Wizard Completion → Do Not Check “Edit Properties” → Finish

Step 2: Create an IP Filter List

1. Double click your new policy (or, right click and select properties)
2. On the Rules Tab → Uncheck “Use Add Wizard” → Click “Add…”
3. Create an IP Filter List
   • On the “IP Filter List” Tab → Click “Add…”
   • In the “IP Filter List” Window → Enter a descriptive name and description → Uncheck “Use Add Wizard” → Click “Add…”

Step 3: Create IP Filters and Associate them with the Filter List (Repeat this step until all hosts you wish to block have been entered)

1. Address Tab
   • Change Source Address to → “A specific IP Address or Subnet”
   • Enter the IP Address and/or subnet in the text box (Use CIDR syntax for defining subnets (e.g. 10.10.10.0/24)
   • Check “Mirrored”
2. Protocol Tab → Ensure protocol type is set to “Any”
3. Description Tab → Enter a description. It is typically useful to identify the creator of the rule, why it was added and a date/time when the rule was created.
4. Click “OK”
5. Repeat step 3 until all the hosts/networks you wish to block are entered. Once completed, press “OK”.

Step 4: Create a Filter Action

1. On the “Filter Action” Tab → Uncheck “Use Add Wizard” → Click “Add…”
2. On the “Security Methods” Tab → Select the “Block” radio button (All other options on this tab will become greyed out)
3. On the “General” Tab → Enter a descriptive name and description → Press “OK”

Step 5: Create Policy Rule to apply Filter Action to Filter List

1. On the “Filter Action” Tab, ensure the new filter action you created is selected.
2. On the “IP Filter List” Tab, ensure the new filter list you created is selected.
3. Press “OK”
4. On the new policy properties window, ensure the new list and action are enabled.
5. Press “OK”

Step 6: Assigning (and un-assigning) the Policy

This step will apply all the settings you have created up to this point. Double and triple check that you did not enter a valid host or network or it will be blocked. If fact, if you have any doubts in your mind, do not do this step until another person (who knows what they are doing) looks over your work too! Note: This is one place MS will not give you a little “are you sure you want to do this” type of warning. As soon as you assign the policy, it is done.

1. Right click your new policy → Select “Assign” → Done (It really is that easy)
   • To un-assign, just do the same thing except select “Un-assign” instead.

In part 3, I will cover how to do all this directly from the command line.

While troubleshooting some issues on an OWA Front-End server, I went over to the security log to see if the authentication attempts were getting past this box. The problem I found was the log was so full of failed logon attempts it was difficult to filter out what I was looking for. In a twelve hour period, there were thousands of 529 events in the security log. Now, I know this is nothing new, but I found a few patterns. I manually exported the log to a CSV, parsed out all the source ip addresses and opened it up in Excel. What I found was that 98.7% of failed logon attempts were made by just four different ip addresses.  (I recommend using MaxMind’s GeoIP Address Locator for help in determining where the source addresses are located.)

The easy fix is to setup an IPSec policy to block all traffic coming from those addresses.  And I did just that.  There are many different methods to blocking bad hosts.  And, anybody who has dealt with this knows, they will come back.  Just from different addresses.

One other piece I was able to get from this is that there are several of our users whom have fat fingered their passwords within ActiveSync (or they just have it setup wrong).  And then there are those users who have forgotten their domain, e-mail address, username, etc.

This is step one in my project to automate the blocking of bad hosts.  My goal is to build an automated method for blocking hosts with a high percentage of bad logon attempts within n hours.  And, even if I can’t get it 100% automated, this first whack at it took my bad logon attempts from 800 per hour to 25 per hour; nearly a 97% improvement!  And, a lot less crap to sift through when troubleshooting real issues.

So, my first goal is to automate a method of extracting the data I want from the event log.  (The script can be found below.)  The most important piece of data is the source ip address.  However, the other pieces of data I decided to extract could be helpful in determining the legitimacy of the logon failure.

To get the data, simply download the script and run “cscript /nologo get-bad-hosts.vbs > bad-hosts.csv” (w/o the quotes).  You can then open the file in Excel, do a quick pivot-table and identify the source addresses with the most hits.  At that point, you can add the host (or address block) to an ipsec policy to block all traffic from that address.

In my next post, I’ll explain the details in setting up a quick ipsec policy to block the bad guys.  Cheers!

'==========================================================================
' VBScript Source File
' NAME: get-bad-hosts.vbs
' AUTHOR: Andrew J Healey
' WEB: http://halfloaded.com/
' DATE  : Dec 21 2009
' COMMENT: This script will return data in csv format for use in determining
'	hack, lockout or bad logon attempts
' PROCESS: 1) query event log for event id 529; 2) parse data to return
'	useful data; 3) output to screen
' USAGE: cscript /nologo get-bad-hosts.vbs c:\bad-hosts.csv
'==========================================================================
 
Option Explicit
On Error Resume Next
 
Dim strComputer, objWMIService, colLoggedEvents
Dim objEvent, objRegEx, colMatches, strMatch
Dim strUserName, strWorkstation, strIPAddress, strDomain
 
'Change to name of computer to query remote machine
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
 
'Event 529 in the security log are "Failure Audit" for a "Logon/Logoff"
Set colLoggedEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '529'")
 
'Write header to screen
wscript.echo chr(34) & "User Name" & chr(34) & "," & _
			 chr(34) & "Workstation" & chr(34) & "," & _
			 chr(34) & "Source IP" & chr(34) & "," & _
			 chr(34) & "Windows Domain" & chr(34) & "," & _
			 chr(34) & "Date/Time" & chr(34)
 
'Loop through all events matching criteria above: 529 in sec log
For Each objEvent in colLoggedEvents
	'Use regex to parse any ip addresses from event
	' if no address found, goto next record
	Set objRegEx = CreateObject("VBScript.RegExp")
	objRegEx.Global = True
	objRegEx.IgnoreCase = True
 
	'Will return the line of the user name that was used
	objRegEx.Pattern = "(\tUser Name:.*\n)"
	Set colMatches = objRegEx.Execute(objEvent.Message)
	For Each strMatch in colMatches
	   strUserName = strMatch.Value
	Next
 
	'Will return the line of the workstation name that was used
	objRegEx.Pattern = "(\tWorkstation Name:.*\n)"
	Set colMatches = objRegEx.Execute(objEvent.Message)
	For Each strMatch in colMatches
	   strWorkstation = strMatch.Value
	Next
 
	'Will return the line of the source ip address
	objRegEx.Pattern = "(\tSource Network Address:.*\n)"
	Set colMatches = objRegEx.Execute(objEvent.Message)
	For Each strMatch in colMatches
	   strIPAddress = strMatch.Value
	Next
 
	'Will return the line of the domain that was used
	objRegEx.Pattern = "\tDomain:(.*\n)"
	Set colMatches = objRegEx.Execute(objEvent.Message)
	For Each strMatch in colMatches
	   strDomain = strMatch.Value
	Next
 
	'Output clean csv line for easy reading in spreadsheet program
	wscript.echo chr(34) & GetCleanText(strUserName) & chr(34) & "," & _
				 chr(34) & GetCleanText(strWorkstation) & chr(34) & "," & _
				 chr(34) & GetCleanText(strIpAddress) & chr(34) & "," & _
				 chr(34) & GetCleanText(strDomain) & chr(34) & "," & _
				 chr(34) & WMIDateStringToDate(objEvent.TimeWritten) & chr(34)
Next
 
Private Function GetCleanText(byVal strText)
	'This will cleanup the text and return only necessary data
	' I'm sure there is a better way to do this :)
	dim tmp,txt
	tmp = Split(strText,":")
	txt = tmp(1)
	txt = Replace(txt,vbTab,"")
	txt = Replace(txt,vbCrLf,"")
	txt = Trim(txt)
	GetCleanText = txt
End Function
 
Private Function WMIDateStringToDate(byVal dtmEventDate)
	'Borrowed from the "Hey, Scripting Guy! BLOG"
	' --> Search: WMIDateStringToDate
    WMIDateStringToDate = CDate(Mid(dtmEventDate, 5, 2) & "/" & _
        Mid(dtmEventDate, 7, 2) & "/" & Left(dtmEventDate, 4) _
            & " " & Mid (dtmEventDate, 9, 2) & ":" & _
                Mid(dtmEventDate, 11, 2) & ":" & Mid(dtmEventDate, _
                    13, 2))
End Function

So, my buddy (and former co-worker) called me yesterday for some help with a script he put together.  His script checked the local profile in Outlook for any PST files that were stored locally.  If it found any, it would them move them to the users home space.  We tried and tried to get the script to work properly but it never seemed to work 100%.  Being that he is a good friend and this would be useful at work, I decided to take the work he had put in and get the thing working.

Here is what the script does:

1. Checks to see if the computer is a laptop.  If it is, the user probably uses Outlook offline and/or over VPN so moving the PST to a network share will be detrimental to the user’s experience.  If you don’t care, just comment out lines 17-21.
2. Checks to see if Outlook is installed and can be launched properly.  If it can not, no sense in continuing the script.  It will exit.
3. Checks to see that the target (network) directory exists and is writable.  If it does not exist or is not writable, the script will exit.
4. Enumerates all the local stores and returns all the PST files.
5. Check to see if the PST files are stored on local drives.  It will exclude drives that are mapped network drives and/or removable media.
6. Check if a file already exists in the target directory with the same name.  If one does, it will not copy the file over. (I may update the script to move and rename the file to ensure all local PSTs are moved.
7. Removes all Personal Folders from Outlook that matched criteria.
8. Moves actual PST files to network share (Outlook will close to release the file lock on the PST file).
9. Adds all the Personal Folders back to Outlook.

I have tested this on Windows XP w/ Office 2007 and Office 2003.  I am interested in hearing if this works or not in your environment.  I hope you find this useful.

'==========================================================================
' VBScript Source File
' NAME: move-pst-to-network
' AUTHOR: Andrew J Healey & Nate Stevenson
' WEB: http://halfloaded.com/
' DATE  : 2010.14.2009
' COMMENT: This script will move any mapped PST files that are located on
'	local disks to a network share.
' PROCESS: 1) determine if laptop; 2) determine if outlook installed
'	3) determine local drives; 4) check for local pst's; 5) move pst's
'	to network; 6) remap pst files
'==========================================================================
 
Option Explicit
 
'Determine if a laptop (remove if you don't care)
If IsLaptop() = True Then
	wscript.echo "Computer is a laptop or the chassis could not be determined."
	wscript.echo "Exiting."
	wscript.quit
End If
 
'Determine if outlook is installed
If IsOutlookInstalled() = False Then
	wscript.echo "Could not launch Outlook."
	wscript.echo "Exiting."
	wscript.quit
End If
 
'Get user name
Dim WshNetwork : Set WshNetwork = WScript.CreateObject("WScript.Network")
Dim user : user = lcase(WshNetwork.UserName)
Set WshNetwork = Nothing
 
Dim strNetworkPath
'=========================================================================
' Configuration Section
strNetworkPath = "\\servername\homes\" & user & "\"
' End Configuration Section
'=========================================================================
'Fix network path if forgot to include trailing slash...
If Not Right(strNetworkPath,1) = "\" Then strNetworkPath = strNetworkPath & "\"
 
'Determine if network path is writable
If IsPathWritable(strNetworkPath) = False Then
	wscript.echo "Remote path is not writable."
	wscript.echo "Exiting."
	wscript.quit
End If
 
'Instatiate objects
Dim objOutlook, objNS, objFSO, objFolder
Set objOutlook = CreateObject("Outlook.Application")
Set objNS = objOutlook.GetNamespace("MAPI")
Set objFSO = CreateObject("Scripting.FileSystemObject")
 
'Sort through all stores in outlook and add all local pst
' paths into an array. Then remove the store from outlook.
Dim pstFiles
Dim count : count = -1
Dim arrPaths()
For Each objFolder In objNS.Folders
	If GetPSTPath(objFolder.StoreID) <> "" Then
		pstFiles = GetPSTPath(objFolder.StoreID)
		If IsStoredLocal(pstFiles) = True Then
			If objFSO.FileExists(strNetworkPath & Mid(pstFiles,InStrRev(pstFiles,"\") + 1)) = True Then
				wscript.echo "A pst file already exists with the same name." & vbCrLf & _
						vbTab & "Source: " & pstPath & vbCrLf & _
						vbTab & "Target: " & strNetworkPath & Mid(pstPath,InStrRev(pstPath,"\") + 1)
			Else
				count = count + 1
				ReDim Preserve arrPaths(count)
				arrPaths(count) = pstFiles
				objOutlook.Session.RemoveStore objFolder
			End If
		End If
	End If
Next
 
objOutlook.Session.Logoff
objOutlook.Quit
Set objOutlook = Nothing
Set objNS = Nothing
 
if count < 0 then
	wscript.echo "No local PST Files Found."
	wscript.quit
End If
 
'If local PST files were found, move them to the new location
' Echo output if the file already exists
Dim pstPath
For Each pstPath in arrPaths
	On Error Resume Next
		objFSO.MoveFile pstPath, strNetworkPath
		If Err.Number <> 0 Then
			wscript.sleep 5000
			objFSO.MoveFile pstPath, strNetworkPath
		End If
	Err.Clear
	On Error GoTo 0
Next
Set objFSO = Nothing
 
'Re-open outlook
Set objOutlook = CreateObject("Outlook.Application")
Set objNS = objOutlook.GetNamespace("MAPI")
 
'Re-map Outlook folders
For Each pstPath in arrPaths
	objNS.AddStore strNetworkPath & Mid(pstPath,InStrRev(pstPath,"\") + 1)
Next
 
objOutlook.Session.Logoff
objOutlook.Quit
Set objOutlook = Nothing
Set objNS = Nothing
wscript.echo "Done."
wscript.quit
 
Private Function GetPSTPath(byVal input)
	'Will return the path of all PST files
	' Took Function from: http://www.vistax64.com/vb-script/
	Dim i, strSubString, strPath
	For i = 1 To Len(input) Step 2
		strSubString = Mid(input,i,2)
		If Not strSubString = "00" Then
			strPath = strPath & ChrW("&H" & strSubString)
		End If
	Next
 
	Select Case True
		Case InStr(strPath,":\") > 0
			GetPSTPath = Mid(strPath,InStr(strPath,":\")-1)
		Case InStr(strPath,"\\") > 0
			GetPSTPath = Mid(strPath,InStr(strPath,"\\"))
	End Select
End Function
 
Private Function IsLaptop()
	'Determine if the computer is a mobile machine
	On Error Resume Next
		'Instantiate objects
		Dim objWMIService, colChassis, objChassis, strChassisType
		Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
		Set colChassis = objWMIService.ExecQuery("Select * from Win32_SystemEnclosure")
 
		'Check chassis type
		'http://msdn.microsoft.com/en-us/library/aa394474%28VS.85%29.aspx
		For Each objChassis in colChassis
			For  Each strChassisType in objChassis.ChassisTypes
				If (strChassisType >= 8 And strChassisType <=12) Or (strChassisType = 14) Then
					IsLaptop = True
					Exit For
				Else
					IsLaptop = False
				End If
			Next
		Next
	If Err.Number <> 0 Then IsLaptop = False
	On Error GoTo 0
	Set colChassis = Nothing
	Set objWMIService = Nothing
	objChassis = Null
End Function 
 
Private Function IsOutlookInstalled()
	'Function will return false if unable to launch outlook
	' This adds some overhead but it is ultimately the best
	' way to truly determine if script will function properly.
	On Error Resume Next
		Set objOutlook = CreateObject("Outlook.Application")
		If Err.Number <> 0 Then
			IsOutlookInstalled = False
			Exit Function
		End If
	On Error GoTo 0
	IsOutlookInstalled = True
	objOutlook.Session.Logoff
	objOutlook.Quit
	Set objOutlook = Nothing
End Function
 
Private Function IsPathWritable(byVal strPath)
	'Check to make sure the path is writable. If it is not, no
	' need to continue processing.
	On Error Resume Next
		Set objFSO = CreateObject("Scripting.FileSystemObject")
		Dim min : min = 1
		Dim max : max = 1000
		Dim rand : rand = Int((max - min + 1) * Rnd + min)
		Dim fullFileName : fullFileName = strPath & "temporary-" & rand & ".txt"
		Dim objFile : Set objFile = objFSO.CreateTextFile(fullFileName, True)
		objFile.WriteLine("Test file creation of " & fullFileName)
		objFile.Close
		If objFSO.FileExists(fullFileName) Then
			IsPathWritable = True
			objFSO.DeleteFile(fullFileName)
		Else
			IsPathWritable = False
		End If
	If Err.Number <> 0 Then IsPathWritable = False
	On Error GoTo 0
	Set objFile = Nothing
	Set objFSO = Nothing
	rand = Null
	max = Null
	min = Null
	fullFileName = Null
End Function
 
Private Function IsStoredLocal(ByVal fullFileName)
	'Check if the PST is stored locally or on a mapped or removable drive
	On Error Resume Next
		Dim objDisk, objWMIService, colDisks
		Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
		Set colDisks = objWMIService.ExecQuery("SELECT * FROM Win32_LogicalDisk")
		For Each objDisk in colDisks
			If objDisk.DriveType = 3 Then
				If InStr(fullFileName,objDisk.DeviceID) > 0 Then
					IsStoredLocal = True
					Exit For
				Else
					IsStoredLocal = False
				End If
			End If
		Next
	If Err.Number <> 0 Then IsLocalDrive = False
	On Error GoTo 0
End Function

NOOO!!!! Not my O!

Okay, okay.  I know you are expecting another brain-dead response to Go_gle’s recent doodle.  However, I am sick of it and I want to debunk several of the pages that say they have solved the mystery.  Here are a few interesting events:

1. Go_gle posted “1.12.12 25.15.21.18 15 1.18.5 2.5.12.15.14.7 20.15 21.19″ on its Twitter Page.  It is a straight alpha-numeric transliteration meaning, A=1, B=2, etc and making it stand for: “All Your O Are Belong To Us”.
2. The Go_gle logo file has been renamed with a missing O.  The actual file path is: http://www.google.com/logos/go_gle.gif
3. The UFO is abducting the O.  The filename and the twitter post confirm there is something special about the O or about it going missing.
4. Gogle according to the urban dictionary: a group of people awkwardly waiting for something to happen; usually unfamiliar with each other; a pre-icebreaker group
5. Go_gle has gone to great lengths to make this work in many countries.  However, not all have had their logo’s changed.  For instance, the Spain (although Spanish speaking Latin American countries have) and India Go_gle Search pages have not been changed.
   1. Russian Go_gle Page.  Search Term: необъяснимые явления
   2. Germany Go_gle Page.  Search Term: Rätselhaftes Phänomen
   3. Mexico Go_gle Page.  Search Term: fenómenos inexplicables
   4. Netherlands Go_gle Page. Search Term: onverklaarbare verschijning
   5. Hungary Go_gle Page. Search Term: megmagyarázhatatlan rejtélyek
   6. Italy Go_gle Page. Search Term: misteri inspiegabili
6. As the 6th of September comes to countries, Go_gle is pulling the logo.  So, there is something specific with the 5th.

Here are some of the rumors that people are spreading.  Of course, I have no proof… Only common sense.

• Reference to UFO Festival in Exeter, NH — Nope.  Why would Go_gle change the logo all across the world?  It is out of character for Go_gle to link to such an obscure search phrase.  Also, the Exeter incident happened in the weeks leading up to Sept 3rd, 1965.
• Reference to Voyager I (Sept 5, 1977) — Nope.  Although probably the most relevant space/UFO event relating to Sept 5th, Go_gle would probably just use the search phrase: Voyager Spacecraft.
• Maiden return landing of Space Shuttle Discovery (Sept 5, 1984) — Nope.  Once again, when Go_gle marks important events for mankind, they are more specific with their search phrase.
• Japan’s New Prime Minister’s Wife Visits Venus — Nope.  I really doubt Go_gle wants to make a statement that could be viewed as politically motivated or could look like Go_gle is poking fun at a foreign dignitary.  It just doesn’t make sense for Go_gle to do this.  Plus, the Japan Go_gle Search Page doesn’t show the logo.
• British Release of “District 9” — Nope.  Doesn’t really make sense.  The rest of the world has been able to watch “District 9″ for a couple weeks.  And again, the logo has been changed across the world.
• NEW: Star Trek Anniversary — Nope.  Examiner.com has a story that explains it might be related to Star Trek’s first airing.  Of course, that was on Sept 8th, 1966, not the 5th.  And, as one commenter pointed out, they would have used a logo of the Enterprise if that was the case.  Silly people…
• NEW: unexplained -scam- phenomenon.org — Nope.  It sure didn’t take long for a scam to show up.  Idea!  Go_gle creates mystery on intertubes pointing to “unexplained phenomenon”…  Buy domain name unexplainedphenomenon dot org…  Put up picture of egg with light beams coming out… profit!!!  Clever, annoying, and I’m sure some “believers” will fall for it…  Sad state of affairs…
• NEW: Zero Wing 20 year anniversary — Nope.  The Telegraph claims, and is wrong, that this solves the mystery.  The Telegraph points to this wikipedia article.  However, if you look at the revision history, the date “September 5th, 1989″ was added only yesterday.  Silly newspapers.  You think they would stop trusting everything they read on Wikipedia w/o a little research.  Wikipedia Zero Wing Articles: Before 9/5/2009; On/After 9/5/2009.

Any other ridiculous, nefarious schemes floating around the interwebs?  If so, let me know.  I’m sure their flaws will be just as easy to point out.  Most likely, this is one of two things: Something related to an internal event at Go_gle or a way to build hype regarding a new product.  Of course, my speculation is just as unfounded as the other yahoos out there…

The Good Ole' Days

Due to some unforeseen issues with our 2003 R2 print server, I decided it was about time to build up a new print server.  The old print server was built up by another person and it was never very stable so this was a good time to start with a clean slate.

Our old server was a Dell Poweredge with a 32-bit proc.  This time, we are going to use our new VMWare ESX environment to stand up a 2008 Server in 64-bit.

Everything went well until I got to our Dell Printers.  I added the 64-bit drivers and setup the printer.  All was well.  I went to the sharing tab in the printer properties to add x86 (32-bit) support.  I checked the box and got an error:

Install Components from Windows Media
Please provide path to Windows media (x86 processor).
Type the path where the file is located and click OK.

After searching around, I came across this page on Technet. At the very bottom, I found the solution. Basically, here are the steps involved:

1. From a 32-bit OS (I used 32-bit XP Pro)
2. Browse to: \\%servername%\Printers and Faxes
3. Right click the printer you want to add 32-bit support to and select properties
4. It will tell you the 32-bit drivers are not installed and ask for the installation disk. Browse to the 32-bit drivers and hit okay.  If you say No, you will not be able to complete the steps below.
5. Once the printer’s properties are displayed, select the Sharing tab and click “Additional Drivers”
6. Check x86 and press OK
7. Browse to the 32-bit drivers and it will copy the 32-bit drivers from the local folder to \\%servername%\print%\W32X86

After getting past this hurtle, I ran across it again. Except this time, the Dell drivers were updated enough that I received a decent message:

The selected driver must be installed remotely from an x86 computer using Type 3 (User mode) drivers.

If you receive that message, it is basically telling you to follow the steps I outlined above. It’s a bummer MS couldn’t have included the sub-system to support the required backward compatibility often necessary in the enterprise. At least the workaround is simple enough.

Subject: PLEASE I NEED YOUR ASSISTANCE
From: clementmattins
Sincere Greeting,
I’m Mr. Clement Mattins from bank of Africa. firstly,accept my apologies ,am the personal accountant to Dr. Ravindra F. Shah who died with his wife Mrs. Manjula Parikh-Shah in a plane crash on 1st Oct. 2003 on their way to Boston. i came across ($8,500.000.00USD) in his balance with our Bank (B.O.A), then i want you to provide an account where this money will be transfer into for both of us, If you are willing to assist me, therefore you should contact me immediately you receive this E-mail for more detail, Regards Mr Clement Mattins Telephone: +226 78 31 77 67

After looking around the net, it became obvious that this is a 419 scam. A few ideas came to mind. Should I play along and screw with the scammer? Should I report this to some official government agency?

In the end, I decided to just let it go. I tried forwarding the message to the secret service’s 419 scam e-mail address but it just bounced. It just pisses me off that people fall for these scams. It also worries me that in the current economic climate, more and more people will fall for these scams. The public at large is aware of this type of generic scam. However, these scammers have adapted their methods and are becoming more clever.

Nothing made this more clear than Dateline NBC’s episode on, what they call, Work-from-home scams. The sad part is that these scams are originating in the same place as the scam e-mail I received. I guess these people will always find a way to make a quick buck.

The Good

Sprint Cellular Broadband Card: God Bless NetworkManager.  No reboot.  No installation.  I just plugged it into my running machine and it worked like a champ.  In fact, I’m using it now since my broadcom wireless card isn’t working.

Performance: This thing rocks.  It is probably because the drastic changes going from a single-core, 32-bit proc to dual-core 64-bit.  But, this thing is snappy!

Ext4: First major distro using this as default.  Congrats Fedora Team!

The Mediocre

Gnash/swfdec: I wish these two would just join forces and develop a kick ass, open-source flash player.  I decided to go with swfdec.  64-bit, mozilla-plugin. Adobe can kiss my ass.

PackageKit: This software just annoys me.  I understand its purpose but yumex is and always has been a better solution.  I guess I am a bit biased though since I am not a beginner.

The Ugly

Installation: The installer can’t seem to figure out how to eject the DVD and pukes at the end.

Wallpaper/Background: It is just ugly.  Now, I couldn’t design anything nicer but all I wanted to do was change the desktop background and never see it again.

Firefox: Firefox is great.  However, I am a habitual text highlighter.  The entire system locks up when I drag text a little bit on accident from within Firefox.

Broadcom/Nvidia: Can’t really blame this on Fedora but these drivers are still an issue.  I can’t get either of them to work.

Conclusion

What can I say?  I heart Fedora.  This seems to be the least stable beta release I have tried yet but I think it is because they are pushing the envelope.  I like to see it too.  Fedora is consistently trying new things and experimenting.  It is good for the community and OSS movement.

1. Storage is cheap.
2. Your data is only as safe as your password.
3. When stored online, your data is no longer yours.

While these factors are why I do not recommend online backups, I want to take a moment to discuss when online backups do make sense.

Disclaimer: When Online Backups Make Sense

As a reader pointed out, many people setup a backup process but the process gets in their way of doing it properly. Either their backups fail to run regularly or they stop rotating the media because the process is cumbersome.  If this is the case, backup your data online.

Also, please understand that this is only meant to explain why I do no recommend online backup services as a regular practice.  It does not mean there is no place for it.  There are many reputable online services out there.  The vast majority of them encrypt the connections end-to-end and store the data in encrypted form.  But that is something you should ask or check before just signing up for the service and dumping your data on their servers.

For each of the weaknesses I discuss, there are measures that can be taken to protect your data, even if stored online.  Most technically savvy people know how to operate online and protect their data and identity.  But all too often, I find people and small businesses operating online in an insecure fashion.  They may be required by their insurance company to have offsite backups.  They see online backups as a panacea without understanding the potential risks they face by not fully understanding the importance of protecting their data.

One other point regarding offline backups.  If you store your data on a hard drive that is stored in the back seat of your car or in your gym bag, just save yourself the hassle and use an online service.  By now, most of us have heard the stories about the IT guy at the hospital whose car was broken into and all the hospital’s data was compromised.  Or, the VA worker whose laptop was stolen with patient records.  The same thing can (and will) happen to you if you do not treat your offline backups with care.

Disks Are Cheap

The other day I was spec’ing out a brick-and-mortar backup solution for a small business.  I was surprised to find a 1TB external hard drive for only $90.  I realize that in a few years from now, that 1TB drive will not be enough storage.  File sizes grow.  However, as history has shown, a comparable storage medium will be available at that time for a similar price.

Online storage solutions exist because they offer strategy, software and storage for ~$50/year.  The price point and ease of use is attractive.  It is why the services are popular.  When you add the fact that to do your own backups you need (probably) two 1TB external drives, software and some knowledge of your computer, these solutions become even more attractive.  It is the same reason people use Gmail or Yahoo! for their e-mail.  Sure, they could buy a domain name, setup postfix and roundcube and have control over their e-mail services.  But why?  Especially when it is free to use Yahoo! or Gmail.

The real reason against online backups is in my two points below.  However, the cost and expertise needed to do it on your own is minimal.  If you do it on your own, you first have to assume that you probably replace your computer every 5 years.  Over that period, an online service would cost roughly $250 over that time.

To do this on your own, you probably want to start out with two 1TB disks.  The software needed is free.  You can use Windows Backup or an Open Source solution like Areca.  The time needed to learn how to properly backup your data and to manage the backups is the wildcard.  It depends on how much you value your data (if you’ve ever lost everything, your probably realize it is worth a lot; or maybe not).  The resources are available on the internet.  You just have to find a solution that works for you.

My solution.  I use two 1TB disks along with Areca to backup all my data to the disk.  I always store one of the hard drives in a locked, fireproof safe and the other at an external location I can trust.

Your Data, Your Password

If you are like most people, you use the same password for your online banking as you do your e-mail and your e-bay account.  It is a fact that people repetitiously use their passwords.  Although there is a positive trend in password strength, as was evident in the recent presidential race, there are ways to get around strong passwords.  For example, Sarah Palin’s e-mail account was compromised and all her e-mail accessed during the campaign.  Not because she used a weak password.  Instead, it was because the security questions used to reset her password were setup using easy to guess answers.  What is your mother’s maiden name?  What high school did you attend?  As social networking and the semantic web become more prevalent, the answers to these questions become easier to find.  And what about that computer support forum you posed a question on?  Well, you had to setup an annoying username and password.  You also supplied your e-mail address.  Odds are, you used the same password for that account as you did your e-mail account.  You trust the people that setup that forum without even knowing them.  You also trusted their ability to secure the data you submitted.  What if somebody were to compromise their database?  They now have access to your e-mail and any other online services you use that utilize that same password.  Thanks for playing, come again…

It is a fact that this activity goes on every day.  In my own testing, I was able to find forum after forum, website after website that were setup by lazy administrators and were vulnerable to these same attacks.  Now you are talking about client lists, confidential contracts, business relationships, personal information, tax information, etc.  All of that is vulnerable to these attacks when you store your data online.  The web is not a nice place for the complacent.

Your Data != Your Data

The 10 Immutable Laws of Security.  While they tend to talk about your computer explicitly, they are really talking about the security of the data on your computer.  If you don’t care about the data on your computer, then they don’t apply.  But, if you are like most, you value the safety of the data on your computer.

When you talk about backups, you are talking about storing all your data in a different place and medium than “your computer”.  I still tell people and small business that a security deposit box is tested and trusted; use it!  I tell them this because it is a trusted storage place and has been so for decades, if not years.  Online storage is a new medium that has only recently reached mainstream.

To store all your data online, you must trust all the individuals that handle your data.  You trust the geek squad or your neighborhood geek to fix your computer.  You know where they work.  You know where they live.  Yet, people have no idea where their data goes when they use one of these online services beyond what is posted on a web page.  Is your data handled by foreign nationals?  Are the employees at the corporation happy?  (We’ve all heard of rogue admins.)  How well do you know all those that have access to your data?  When you let somebody into your home, whether as a friend or contractor, you analyze the situation and give them a certain level of trust.  Do you do the same when you select an online service to upload everything you have stored on your computer?

You should ask yourself all these questions before selecting any backup solution, online or offline.  Most online services will offer some level of encryption.  You need to know what that means and do your homework to ensure you data is transferred in a secure manner and stored in a secure fashion.  Again, this goes for both offline and online backups.

Conclusions

The technology is neat.  The fact that we now have enough bandwidth to copy the entirety of hard drives up to the cloud is not something to scoff at.  My biggest concern is that the vast majority of people do not realize the repercussions of storing their data in the cloud.  If you put serious thought into the decision to do this and you still feel confortable, then go for it.  I, for one, will continue to backup my data to a disk I can touch and hold with my own hands.  Now get off my lawn!