Monday 27 July 2009

Windows 7

Like a lot of people, we’ve been keeping an eye on the information coming out about the next version of Windows. We received a copy of the RC 1 candidate for Windows 7 on Monday (thanks Georgina) – we have a PC with a copy of Vista Business Ultimate that we use for testing purposes (a Dell Optiplex 210 with a dual core 1.8 GHz and 1 GB ram), so thought we would partition the disk and do a dual boot so that we could do a direct comparison.

The installation went quite well – some of the usual types of screens for the initial installation, but not as many as we would normally see for older OS. The actual process start to finish was a little over 40 minutes. We didn’t join the PC to the domain although we left it plugged in and it picked up on the required settings, so we were able to activate it straight away. We then joined it to the domain a couple of days later - no hassles at all.

I’ve also run another copy on a second machine – an HP dx2450 with a dual core 2.3 and 2 GB RAM. This one installed in just over 25 minutes. Again, it was a very straight forward installation, with only a few screens to configure and absolutely no issues at all.

Initial reaction to it was that it does look a lot like Vista – same screens, same gadget bar etc. However, within a few minutes, it was noticeable that it was faster that the equivalent Vista installation probably about 40 – 50% faster. The Start button, Taskbar items and other shortcuts all seem to work much quicker as well – no delays between clicking the button and the app starting to open, which was a bit of a major gripe with the Vista installation.

We added our AV product (Nod32 by Eset) – it worked straight away, without any issues at all. We then added our automatic patching tool (Shavlik) – as it’s an RC product, we didn’t expect it to work. However, it did actually pick up on the OS, although there were no patches for it at this stage. The second PC was left as a stand alone system and AVG free (8.5) was installed as the AV product. The PC was connected to the Internet to allow it to run the automated patching – again very quick, very straight forward.

At this stage, we are still testing different apps on the machines – our ERP software, some CAD software, and various applications which we use. Not one of them has had an issue with running – the UAC threw up its warnings, but I don’t consider that a problem as that is exactly what it should do.

We’ve left the test machines in an office for people to check out – so far only a few have taken the time to do this. However, of those that have used it, not one has said that they don’t like it. All comments have been very positive and it seems that a number of people are now very keen to get the product for themselves and we may well consider installing it early next year with our next hardware refresh. All in all, it seems that Windows 7 is just what the doctor ordered.

Wednesday 15 July 2009

Security 101

I don’t pretend to be a security guru, but over the last few years I have had some specialist training in this area. I’ve also read a number of books on various security topics and have developed a bit of an interest in the subject. As a result, I tend to look at things a bit differently now – and sometime what I see really gets me wound up.

This morning, I received a telephone call from someone that said he worked for the credit card fraud section of one of the main UK banks. Our company does have an account with them (we actually use several banks) and we get company credit cards through this particular bank. These are used for a number of things – minor expenses, making travel arrangements, increasingly to buy things on-line. It makes life easier, and the credit control staff in our accounts department can track the charges much more easily than though petty cash arrangements.

The person that phoned explained that he wanted to query a particular payment – not a problem. But then he said that he needed to go through some security checks to make sure that I am the right person to talk to. He asked for the card number, my date of birth, account password plus some other items – effectively everything that a crook would be able to use to pretend to be me. At that point I refused point blank – he has phoned me, and I have no way of knowing if he is in fact anything to do with the bank.

I tried to explain this to him – but clearly he was reading from a script and couldn’t deviate from the process. So I insisted that I wouldn’t discuss anything further and hung up. I then phoned their helpline (the number was on the back of the card) and was put into an automated system. Eventually, I got through a nice young lady who explained that she couldn’t put me through to that department; they only work via outgoing calls and will not accept an incoming calls “for security reasons”.

As it happens, she was able to check the required details and I was able to confirm that the transaction was OK. But I have to say that there is something fundamentally wrong with the way that this bank are working. I tried to get put through to someone to discuss this – they refused point blank. In fact it appears that the only way I can register my concerns is in writing – a letter is going to go off to them tonight and I’ll update this blog to let you know what they say.

To indicate why I’m so uptight about this, I should explain that a while ago a I bought a copy of the book “The art of deception” by Kevin Mitnick. I was a bit ambivalent about this to begin with, as I don’t think it is right to reward someone for bad behaviour; but I wanted to understand how he achieved the various expolits that he got away with. Although some of the descriptions of his activities are now out of date or only relate to things in the US, the majority of the principles are actually very relevant today.

In the book, he described how he managed to obtain information by talking to several people, using one piece of information obtained from one person to persuade someone else to reveal another and so on until he got just what he needed. In this way, he gained access to a lot of really sensitive information, and if he had wanted could have caused a lot of trouble. What is so disturbing is how easy he found it all.

In my case, I refused to pass over the information and then took steps to verify the person was who he said he was – but it appears that the bank don’t want to work that way and in fact try to prevent a fairly sensible set of precautions. Worse they are propagating a method of verification that is open to abuse, and it is likely that if the average person sees that the bank do it a specific way, they will assume it is OK and not question someone else that telephones them, potentially leaving them open for a security breach.

Social engineering is a fact not a theory – and that is why so many people still fall victim to scams and the quantity and quality of spam we get is testament to the amount of money that is involved, and the number of people that regularly fall prey to these crooks. The risks are well known and I would expect those people that are involved in areas of security to understand this. If they don’t follow good procedure, how are the rest of us going to enforce it at our level?

Friday 3 July 2009

Hot, hot, hot...

I booked to take a week off of work last week – no plans to go anywhere, but just wanted a bit of a break. It was a glorious week, with lots of sun, but not too hot, and I managed to catch up on some outstanding jobs at home, such as painting the windows. I also had the chance to sit around and just relax with a glass of wine or two….

So back to work on Monday this week. I thought that I would get an early start as there are a number of projects on the go and I wanted to get a few things out of the way. When I arrived, there was note on the door – the inventory clerk had had problems getting on the system, so had left a note for us to investigate.

When I checked the server room, everything was off and the room was absolutely boiling – we normally run at around 22-24 degrees C as we find that’s a nice temperature to work in, the servers are OK with that and it uses less power to cool the place down. I quickly checked and everything had shut down including the air conditioner which wouldn’t even re-start.

I looked at the UPS and that was showing power going in, but nothing coming out. I looked but couldn’t see a problem so grabbed a couple of power extension leads from our office and ran them around so that we could get a couple of systems running. Priority number 1 was the DHCP / DNS server so that we could get network services and that was the first one running. Next one was email – no problem there, it started up fairly quickly. But with the room so hot, I had to find a way to get some air movement. Even with all the windows and doors open, the room was still close to 40 degrees.

I pinched some fans from the HR office as a quickfix, and after about 20 minutes the maintenance manager came in. He did a quick check on the air con unit and discovered that the power breaker in the mains supply in the factory had tripped out – he reset this, but when the unit started up, it wasn’t cooling anything down. He contacted the service company who sent an engineer down later.

With the rest of my staff in, we started moving a couple of the servers – we have small backup room at the other end of the building so were able to put a couple of them down there as a temporary measure. By about 9:00 am we had most of the system running so that people could get on with the daily work.

When the engineer from the aircon company turned up, he identified that the compressor had failed and needed to be replaced. It took a couple of days to get this, only for him to then discover that anpother part had failed causing all the refridgerant gas to leak out. This is what caused the aircon to fail – and as a result everything over heated.

We checked the UPS settings as it is supposed to send an alert for various events, and it turned out that every event was ticked except the one for temperature. Doh! Basically the device had gone up to 60 degrees C and then just shut everything down. In addition, a switch on the device had tripped preventing any outgoing power.

So now we are almost back to what passes for normal – we have to make time to come in one Saturday to put everything back in place as it takes longer to build a rack up than it does to strip it down. But the aircon is cooling away nicely and hopefully, now we’ve ticked the box, it will warn us of any similar event in future.