3473 posts • joined 31 May 2010
Re: Oh Canada...
Several islands (such as Denman Island) exist in teh gulf between Vancouver Island and the City of Vancouver.
Re: Oh Canada...
Bloody robin broke my window just the other day. Didn't survive the impact, poor bugger.
Many people's minds
Contemplate the “average” citizen. Now please bear in mind that – by definition – 50% of the human race is below average.
How other people choose to spend their hard-earned is up to them. If they choose to read my articles or pay my consulting fee, I’ll give them opinions on what products might meet their needs. But fuck no; I’m not paying a subscription fee for Microsoft Office. Office 2003 and LibreOffice have both been doing a bang up job for me so far.
If you have a particular need for the latest, greatest Microsoft Office…then by all means, pay the man his shilling. If you believe that “free must be bad,” then by all means, buy whichever product makes you feel you have the best item. If you believe that corner cases of formatting issues when importing files into older versions of Office/LibreOffice justify the cost, Microsoft is a-waiting. Even if you just feel that it is prudent, proper, and “what a good IT person does” to “use the same industry standard as ‘everyone else (or at least those with a brain, defined as those who choose the same industry standards as you do)’” hey, go hard.
This is the beauty of marketplace diversity. It is the benefit that we see from having even the barest fraction of competition in this market. An increasing number of people are perfectly happy with iWork. I’m perfectly happy with LibreOffice…
…and for this one household, Microsoft’s rent seeking can kiss my shiny, metal ASCII.
Oh look, everyone, it's Richto! Here to tell you that anything that doesn't put more money into Microsoft's coffers is inevitably bad! Of course, he hasn't the foggiest clue in hell what he's talking about - as usual - but he'll not let that stop him, will he? Charging valiantly onto the battlefield of a dead thread, Richto bravely explodes his heart upon heart upon any possibility of usefulness from a company that isn't Microsoft. Well, charging bravely between the hours of 9 and 5, Monday to Friday.
That said, yes Richto, Group Policy is indeed automation software. It is both configuration deployment and software deployment automation software. In fact, it is some of the most sophisticated configuration deployment software developed ever developed. It is why Microsoft slaughtered Novell at the turn of the millennium.
You are correct in that System Center Operations Manager provides [i]even more[/i] automation possibilities than Group Policy…but not by much. OpsMan mostly provides Agentful Monitoring and some integration with WSUS. Orchestrator extends even more configuration capabilities, and System Center Virtual Machine Manager would be required to fill our the rest of what Puppet can do.
That said, Puppet can indeed match GPOs, GPPs, SCOM, SCO, and SCVMM damned near feature-for-feature on the configuration automation front (not absolutely, no product is perfect,) while offering things that none of them can otherwise offer. Critical functionality that Microsoft’s offerings lack. Namely: cross platform support. Single-pane-of-glass configuration for multiple operating systems (and cloud services) where settings are the same. (Set NTP servers across all OSes from one place? De nada.)
Puppet is about automating configuration deployment. Which is pretty much [i]exactly[/i] what group policy was designed for. The fact that to meet Puppet’s full extent you need not one, but [i]three[/i] add on software packages from Microsoft - [i]and CALs[/i] – is the strongest advertisement for Puppet in a Microsoft shop there is.
But please do respond to this comment with alacrity. I do very much look forward to your very well researched, detailed and through analysis of exactly which elements of configuration automation that Puppet is missing, which Microsoft provides through their products. I am especially eager for you to explain – in detail – how those configuration items justify per-seat cost delta between all the MS CALs you’ll have to buy when compared to Puppet’s cost.
I’ll give you bonus points if you can do it without bringing systems monitoring into the conversation. Because we really don’t need to get into a catfight about “what Puppet can monitor versus what SCOM can monitor.” Real-time monitoring isn’t Puppet’s target, but it sure is making a heck of a lot of inroads into both monitoring [i]and[/i] configuration simulation.
Specifically, the integration work that has been done to tie it to Nagios has been extraordinary. And Nagios ****ing flattens SCOM for monitoring. Of course, if you hate Nagios, Puppet also has been made to work well with both Zenoss and icinga.
So please, Richto, if there are flaws in Puppet’s configuration automation as compared to Microsoft’s (very expensive) offerins, [i]do tell[/i]. I will be very happy to point the community at your response so they can promptly resolve the minor gaps in feature coverage.
Also, can you point me in the direction of Microsoft’s offerings which provide configuration automation for Linux, OSX, OpenStack, GCloud and EC2?
Answers on a postcard,
Re: The plural of box...
Exactly how old are you? It's an honest question, because you are either young enough to never have used a modem where you had to put the phone on the modem to get it to work, or you never paid any attention to the history of the craft which this website reports on.
To wit: boxen contain blinkenlights. Use that newfangled tubular interwebnets to do a Google and discover the 411 on the wiki. (Did I get that right?)
Now get off my goddamned lawn.
Re: Cool man, real cool
@tom38: correct! In fact, even Earth is too small to prevent losing its atmosphere to space. The issue is timeframes. Mars on its own, were we to give it an earth-normal atmosphere, would be able to hold onto it for over 100,000 years before humans started to need pressure suits again. Mars + Ceres is apparently closer to 1,000,000 years. Long enough - I'd hope - for us to find an alternate solution.
It is life after all that renews our atmosphere. There is every reason to believe that it would be able to do the same on Mars. Remember, like Earth, Mars is mostly oxygen. Like Earth, it's all trapped up in the rocks.
Re: Cool man, real cool
Terraforming Mars isn't all that hard. Strap a set of great big engines to Ceres and crash the thing into the south pole. Ceres + polar deposits have enough volatiles that - combined - there should be a reasonable atmosphere. The impact - while it would leave an interesting crater - shouldn't shatter the planet, nor blow the flimsy extant atmosphere off. So yes, you'd have half the planet being molten for a few hundred years to deal with, but that's a relatively minor issue. (It should also help offset the cooling wrought by the dust kicked up, making the thicker atmosphere a net gain.)
This shouldn’t actually be all that big a deal to accomplish. You need a set of holy-shit nuclear power plants on Ceres, an automated mining facility that extracts non-volatile (rock/mineral) mass from the planet for use as propellant (don’t waste your volatiles!) and a set of big-ass ion engines.
You vaporise the mass, ionise it and huck it out the engine at a significant fraction of c. This is a simple impulse engine/hall thruster/VASMIR design. It doesn’t provide a huge amount of thrust – well, okay, with nukes powering the thing, the thrust will be insane, but so is the dwarf planet we’re trying to move – but it will be a constant thrust. That is how we get new horizons out to Pluto in short time frames, or move Dawn out to go check on the dwarf planet under discussion.
You’ll need some RCS thruster quads (probably chemical) for steering, but here you can probably afford to burn some volatiles in order to provide the moderate amount of reaction mass you need.
So, a trillion dollars or so, about 250 years to move the dwarf and another 250 before Mars is tectonically stable enough to think about colonising and *bam*, whole other planet to work with.
Converting the atmosphere into the right oxy/nitro mix, that’s a whole other issue. Still, the ability to walk around outside with no pressure suit, nor cold-weather gear would be a huge thing. Wearing a small oxygen mask is a minor inconvienience.
Re: Apple's Success
Where did I say that Samsung's stuff was anything other than mediocre? I said I preferred their design elements. Not that they were fundamentally "better."
You leap staunchly to defence without realising that I am not attempting to vilify Apple in any way. I am not impugning their honour. I do not hold a grudge against Apple, nor am recommending against them. I am simply objectively determining their place in the market and giving them props where props are due, without attaching unwarranted significance to other aspects of their business.
Do not presume for a second that "preferring A to B" or "what I use" is an indication of what I believe is "best." Far – far – more details go into a purchase decision than what someone thinks is "best." This is true not simply for me, but for anyone. Price, availability, a balance of the values of various features…the mix and the match result in different choices for everyone; and not everyone even has the same options.
So please don’t waste time attacking me; especially if you cannot check your emotions at the door. Instead, I think that you would benefit from reading this paper.
If that seems like too much work, Ars Technica has a great writeup on it here.
I feel compelled to reiterate how this series of comments does nothing but reinforce the point I was trying to make in the article: buying into hype, marketing, "the controlled message," "what’s popular" or "what everyone else is doing" is not a good plan for people who can’t afford to take risks. Instead I advocate research.
Gather evidence, learn some science; especially the science related to our own psychology and group dynamics. Learn to separate the pre-canned, carefully manicured world we are fed by people who do know that very science – and your own tribal instincts – from reality.
Sometimes "what everyone does" is done for good reason; it is the most efficient possible way. Other times, it is because billions of dollars and lots of time from very smart people has gone into creating an industry that merely believes it is the best way.
Consider if you will the Cisco-trained nerd. Indoctrinated for 10+ years in all things Cisco. He is approached by a small business of 50 seats. This business has crunched the numbers as hard as they can and they know that they can only afford to spend $50,000 to upgrade their entire IT infrastructure. It must last 6 years. They have zero wiggle room on this; this is all the money they can possibly get together.
The Cisco nerd – and I have seen this happen many times in my life, involving many different Cisco nerds – will adamantly demand that the company spend $25000 on switches and routers. "If you can’t afford to do things properly, you shouldn’t be in business" is the claim. Chats come out. TCO and long term this and that are mentioned. Huge effort goes in to convincing this business the absolutely must have Cisco because Cisco is the best, and nothing but the best is acceptable. Anything except the exacting deployments outlined in best practice whitepapers is akin to sacrilege.
The CEO of the company turns to me and says "is what he says true? Should I close up my company tomorrow?" I browse to the local computer shop on my phone, pull up some off-the shelf servers, 48-port DLink switches, some SME NAS gear with "meh" replication, VMware licences, MS licenses and backup software licences. I factor in the cost of bandwidth over the 6 year lifespan of the project and some offsite storage in a datacenter I run. I manage to do it for $40,000, including spare parts.
The Cisco nerd explodes with rage. Everything I just described goes against a lifetime of his teaching. He sprays emotion everywhere, verbally assaulting me; even coming within a hair’s breath on more than one occasion of physically assaulting me. For doing math; but not doing it according to the whitepapers in which he has invested his sense of self worth. By rejecting the ideas – and the companies – that he had incorporated into his "tribe" I was not only "insulting" those ideas and products, I was insulting him.
This is my point. It is the point of this article, and ultimately the point of the comment thread we’re engaged in. You have demonstrated in inability to separate emotion and self image from a brand. Apple isn’t what it appears to be at first glance, and it certainly isn’t what its most ardent followers make it out to be. Neither are Microsoft, Cisco, VMware, Oracle or pretty much anyone else you can name.
If you are ever satisfied you know 100% "how things are," then you have stopped seeking evidence and started believing. You have resorted to faith. I get the distinct impression from our little tête-à-tête here that you are willing and capable of resorting to faith. I’m not. So we are never going to resolve this; no more so than any other religious (or political) binary dichotomy will ever be resolved.
I suggest we call it a truce and move on. You have decided that you can label me. In doing so you have associated heaps of extraneous baggage attached to that label with me; most of it without cause. There is thus no room for debate. This thread will simply end up with more of me defending myself against things I never said. Things which instead are associated with the label you have chosen to apply to me.
I’d ask that instead of clicking "reply" and venting your emotions into your poor keyboard (what did it ever do to you?) that you instead click the links I provided you.
Thanks for your time, and have a good day.
Re: Apple's Success
Well, Mark65, we'll have to agree to disagree here. Design is in the eye of the beholder. Personally, I buy Samsung, HTC and Asus because I prefer their design to that of Apple. I prefer the keyboard layouts on non-Apple PCs and a number of other design elements that prevent me from buying Apple. It is in fact Apple's design that means I only own products made by them which were given to me. I am not alone.
The thing is, there is lots of evidence to back up my position: design is a personal item, not a universal one. Apple have a different design. It is not universally liked…not even liked by the majority of consumers, according to most deep dives into the matter. In fact, a significant minority of individuals who own Apple products dislike the design quite a bit, but buy them for other reasons. (Simplicity being the largest factor.)
So I reject your idea that “design” is critical. It was a selling point to hipsters back when Macs were the 3% of desktop PCs and made nothing else. When they started hitting the consumer electronics market, other factors became far bigger reasons to buy. The hipsters still bang on about design aesthetic, but they are the minority of people who buy Apple products now.
The whole article I wrote; analysing as much data as possible to inform your decisions rather than relying on “gut feel,” “personal experience,” “what seems right” or “what you read in X” is pretty much cemented by this debate. My analysis of Apple and its success in the market comes from having read survey after survey, analysis after analysis and innumerable interviews with people from Apple and other companies involved in the process of selling into the CE market. I have poured over the evidence brought forth in the various trials and tried very hard to build an understanding of what shifts this stuff that is based on the real world, not simply who is loudest on the internet.
The hardcore fanbois have always been design hipsters. But they really, honestly and truly are a nearly irrelevant minority of Apple’s customer base. If you actually delve into the numbers, you’ll find the overwhelming majority of Apple’s customer base are 40 and 50 somethings with little-to-no understanding of technology, nor any desire to ever learn. They bought into the marketing hoopla of “just works” and “ease of use.” Ironic, given that many of the cited use cases they present would actually make RIM or WinPhone the better choice!
Marketing. Apple are good at it; quite possible the best at it. This whole debate – in which you wield arguments unsubstantiated by data, but which Apple’s marketing machine would dearly love everyone to believe – is aught but further proof.
Re: Apple's Success
The article discussed Apple's relevance as pertains to the enterprise. It's relevance regarding infiltration and disruption of business IT, from SMEs to large enterprises. I won't dispute that Apple's approach really shook up the CE market. In fact, I'd go so far as to say they levelled the CE market and started rebuilding it from scratch.
Again however, as I see it, their success relies on marketing. Now, in my definition of marketing I do lump in “quality assurance testing;” this is because almost nobody does any form of QA whatsoever in IT anymore. So engaging in QA (as opposed to selling your customers beta products as RTM) is a marketing thing. It’s a differentiator you’re actively choosing in order to make you different from the rest of the competition that cut all those corners.
Apple’s feature/functionality/SKU/etc restriction is also just marketing. As you pointed out, a certain segment of the population can handle choice. This is especially true in the consumer electronics market where people want appliances, not general purpose computers. Again; identify the market, create a mediocre product with limited choices, QA the shit out of those few functions, and then control the message so viciously that you convince an entire generation this is the greatest thing ever.
Knowing what to release and when is marketing. It is studies and focus groups. It’s testing and research, research, research It’s some intuition, but mostly the hard work of real brass tacks marketing which is – I’ll say this again so you get it - market research. Apple has the best of the best in this field working for them. They are the true innovators.
So your arguments don’t alter my stance any. Apple is a consumer electronics appliance provider that doesn’t actually innovate. Instead, they achieve success by limiting options – thus also limiting the potential for business penetration and disruption – and through excellent marketing.
Apple repackage other people’s ideas in a shiny package with a slick video and a clean store. Kudos to them. But it is still just marketing. Marketing par excellence, unmatched by anyone for nearly 100 years, but still marketing.
Re: Apple's Success
So your argument is exactly what I said? Apple excel at marketing: knowing when to introduce a product to the market and when the technology is not there yet?
You seem to be arguing that Apple do something "special" with their gear. I see zero evidence of that. They simply choose not to release products until the technology has advanced to the point that the product which can be released meets their standards of excellence.
The iPod, iPhone and iPad did not appear from a vacuum. There is a clear line of technological progression – in design, battery life, form factor, and UIs – from across the entire IT industry leading to the development of each device. These devices were not revolutionary, they were evolutionary.
The success of Apple is that they didn’t sit around and release version after version of not-quite-working crap. They certainly built them in the lab – the Samsung case showed us the real world evidence of that – but these products never saw the light of day in the market. Apple didn’t invent awesome with a pixie wand and Steve Jobs’ tears. They begged, borrowed and stole ideas from everyone else, mixed with a few evolutionary ideas of their own and then threw the design out because it wasn’t ready yet and came back and tried again a few years later. They repeated this process until Jobs was satisfied in the end user experience.
Funnily enough, everyone else (well, except RIM,) started coming out with similar stuff right around the same time. Again; there is lots of clear evidence of evolution towards current mobile tech inside various companies. They did exactly what Apple did: they begged, borrowed and stole ideas from everyone else, then mixed with a dash of homegrown evolution.
The difference is that these other companies took any prototype they could knock together and went to market with it. They released failure after failure. (Well, except Fujitsu. P1510D and subsequent devices rocked the socks off everyone who had them, but the cost of the tech was too high for a very long time.)
Remember that a lot of the very innovations you tout – such as the mere ability to have “applications” as opposed to HTML “apps” – on your iThing were initially verboten. Even with Apple’s magnificent execution and Jobs’ genius, they launched without native apps, cloud sync and most of the “services” which would eventually make the consumer electronics appliances that Apple sells so compelling.
But Apple still isn’t redefining the enterprise market here. Nothing they do is revolutionary. Their success is that of execution and marketing, not R&D. Indeed; they are quite happy with this arrangement. Everyone else in the world – in a desperate, but blind attempt to be Apple – spends billions on R&D. Apple then simply takes the ideas – licensing or buying out if they have to, stealing or “changing just enough” if they can – and grinds them like a WoW player until they’ve QAed all the userland bugs out.
I don’t believe you analysis of Apple is objective. You don’t seem to understand their business model at all. I wouldn’t feel bad about that; many people running multi-billion-dollar companies haven’t obtained clue either!
But the lack of revolutionary ideas is why Apple isn’t a disruptive force in the enterprise.
Again, however, that’s a whole other article…
I am not sure I understand the meat of your issue here. My "sysadmin blog" is indeed an opinion column. That is the purpose of this particular corner of the internet; I am paid to write ~1 opinion article/wk. Yes, The Register pays me to drive page views. Welcome to how tech rags make money.
I also pitch ideas to the features editor to write more lengthy features. I try to make these focus on practical advice for solving a problem, or (at the very least) doing a far more "deep dive" look at it than I can in a "sysadmin blog" where I am asked to restrict myself to ~500 words. (Something I can only get away with going significantly over on a periodic basis.)
Commissions also creep up from time to time. A vendor will pay me to write X number articles on Y topic, and I am generally given more length to work with…or I can at least turn the whole thing into a set of back-to-backs. Here I can introduce new technologies, or offer solutions to the various problems that I have discussed in my sysadmin blogs.
It is important to remember however that I don’t simply get to “write whatever I want.” I do have to write within the boundary conditions I am given. I have been asked to write for other websites (such as Petri.co.il) where I will indeed be providing step-by-step instruction on how to solve various problems; for example “how to disable Java in every major browser on every major operating system.”
That is exactly the sort of article that will help many other sysadmins over time, but does not get the “big page views.” (Or even much in the way of interest from most people.) There are places and times for different types of writing.
Additionally, writing is not my day job. I “do something about” the crappy parts of IT every day. In some cases, it is solving the day-to-day problems of my individual clients. In others it is advising clients on IT purchasing, datacenter design and strategic direction. In still other cases I am serving as analyst or consultant to various technology companies (thankfully of increasing importance) helping them identify areas of focus, improvement and even methods of targeting the SME market that I have spent my career focused on.
If you have a problem with someone pointing out the negative parts of IT, please do a search on the website and find an article by “Drew Cullen.” Email the editor and discuss your concerns with him. If you feel my writing lacks value in some way, is an inefficient use of resources and/or manpower or you otherwise have a suggestion on how to improve things, he’s the man to talk to.
I feel that the job of a sysadmin blogger is indeed to complain. It is to point out the flaws and faults of various products, companies and so forth so that we can collectively analyse them and prepare to deal with them. The Register has a small army of people who republish press releases and discuss the news of the day. There are all sorts of people here whose job it is to put a positive spin on things.
My job as I see it is to raise the alarm where the alarm needs be raised. Systems administrators have a hard enough time reading the entrails as it is. Having someone cut through the crap and talk about the various elephants loitering silently in the building is something that I have been repeatedly told is helpful, requested and required.
I will take your comments into consideration. However, as the viewpoint expressed in your comments appears to be the minority of what hits my inbox, I cannot honestly say that I expect to change my approach to my weekly column any time soon. So I have taken the time to provide you with possible routes to solution. It would thus be only fitting for you to stop complaining and start solving problems. Complaining, sadly, is all I hear from you.
Re: Apple doesnt effect the landscape?
Oh, I'm aware of this. A lot of the "BYOD is inevitable" stuff? I wrote it. There's more in the hopper. But right now, today, Apple's real world effect on the business computing landscape is negligible. The provide "default untrusted endpoints" that you either treat as a thin client or a limited-functionality device to be targeted by mobile device management software. These devices are supplements to the primary enterprise computing environments; nice to haves, but not "make or break."
This can - and will - change. I've customers on the bleeding edge of this revolution. That said, even in the SME space, Apple as anything other than an expensive document viewer/rdp client is still nearly nil. Even when and where it is used by "creatives," this mostly occurs in a vacuum. Content produced locally on the Mac, pushed to a central repository. True enterprise integration on the levels you see with Microsoft is almost unheard of.
Right now, today, Apple makes CE equipment. Isolated, disposable, replaceable; interchangeable with any other device that does the same task. Apple devices are appliances, not ecosystems. Apple has gone to great pains to preserve that.
And the articles on how that will affect us all...well...that's for the future!
Re: Apple's Success
Apple's products are nothing particularly special. They never have been. Apple turns “compute” into “appliance,” but they are far from the only ones to do so. They are not even the best at doing so for most products they have offered over time.
What they are is fantastic at marketing. More to the point, they were led by a marketing genius who knew when a new product was ready for market, and when “it wasn’t quite there yet.” Remember that the iPad sat on the drawing board for ages before release; there were variants of it before the first iPhones protypes were born!
No, the genius was pure marketing. Knowing that releasing the iPad would do more harm than good if the tech couldn’t A, B, C or [one of D or E]. Controlling the message, spin, hype…it’s an important part of that. Reading the market, pre-seeding the market and then executing that market you so carefully prepared…that is the execution excellence that separates this particular appliance company from all others.
Apple has never succeeded on the strength of their technology; nothing about their technology was ever all that special to begin with. They succeeded because they know when and how to release their technology to achieve maximum effect. That’s the beauty of Apple, and it’s something that everyone else is having a miserable time reproducing.
Re: Nothing I can do about windows
RHEL or GTFO.
Re: "have no idea what the initial vector was"
I feel pretty confident in my call that it's Java. See here: http://forums.theregister.co.uk/post/1533763 . It isn't a 100% slam dunk, but it's damned close.
They generally are capable of PXE boot, but not configured for it. So you have to go into the BIOS and set it up; something that isn't going to happen when your phone call happens as the office is emptying and you get a "please just make this go away over the weekend, bye." :/
Re: "appearance and disappearance of some malicious Java archive files"
MSE flagged them as malicious, and this was logged. I had an app trawling writes to standard windows events at the time making a second copy, so it caught them being flagged as such. By the time I looked at the computer (about 15 minutes later) the Jars were gone, along with most of MSE, Avast, the Windows logs, browser history and so forth.
So these jars showed up, MSE caught them as bad, but wasn't able to kill them. The rest you know. The following is what was seen:
Java/CVE-2011-3544.gen![insert a letter here]
Exploit:Java/CVE-2012-4681[insert letter here]
Exploit:Win32/Java (no qualifier?!?)
Now, CVE-2011-3544 and CVE-2012-1723 should not have affected a fully patched copy of Java. CVE-2012-4681 is just new enough that I can believe it might have been exploited if the user had “patched but not rebooted” or some such. Install logs for this system say that Java was up to date (Java 6u35).
What’s curious is seeing these together within a second of one another followed by the system going crazy. MSE lagged detection of CVE-2012-4681 by a day…so my working hypothesis is that the user went to a site that took a shotgun approach to Java exploits, at least one of which worked. (There may even have been more exploits to come; it is entirely possible that the payload went off before all the detections had been completed.)
The payload that worked nommed all the evidence, except for my little logger which caught the mentions of the files that shouldn’t have actually been an issue. Now, you can flog me all you want for the one stupid thing I actually did during this exercise, but I think making the call that “this crawled in through Java” is backed by reasonable evidence.
What I should have done was immediately image the system at a block level and get the image to Symantec/Kaspersky/etc with alacrity. Assuming the malware didn’t dban the blocks where it was stored, someone could have lifted the thing off of the recently deleted blocks and we might know more about it. Sadly, I got the call pre-coffee and simply set about trying to kill the thing. By the time I realised that I might actually be dealing with something totally unknown, it was too late; I’d made so many system changes that imaging the thing was likely pointless.
So this is why I say that Java is the most likely candidate. Nothing else was untowards on this system. It looks to me like someone out there has an updated Blacole toolkit with some terrifyingly new exploits in hand and is using it with abandon. That said, I am not a security expert. I do not work for Symantec, Kaspersky or any of these other firms. I can only look at the evidence I have and say “well, this looks like the attack vector, this looks like the end result, here’s how you nuke the buggers.”
I can only hope that by laying out a “how to kill it” in my post, someone is helped. If along the way a little bit of awareness is raised about the fact that Java in the browser is bad for us all, so much the better.
Frankly, I don't think Java needs to be singled out as "the only bad thing to run in your browser." I think that any extensions in a browser need to be vetted for necessity. That includes Flash, Silverlight, .net, various toolbars and more. Shrinking the attack surface is always a good idea.
In the case of Java, I have a particular hate on because of the frequency and severity of exploits, combined with the abysmal response from Oracle regarding patches. This gets combined with the sheer unavoidability of the product and the versioning issues that can and do crop up in real world use. It makes me ornery. Doubly so when the issues I described in my post – and the subsequent comments – occur.
So if I hath insulted the almighty JVM, please accept my apologies. It sure looks to me like it is at fault here. I can’t even blame the user for this one, and that bothers the hell out of me.
Re: 
Every time I try to run anything that my affect a system configuration, Windows asks for administrator's credentials. The user is not a member of "Administrator" or "Power Users," only "Users." This is verified by taking the time to trace all the domain memberships, how they interact, and what privileges those security groups have on the local computer. The user itself does not have specific permissions on the local machine. Everything I can see points to the user account not having any administrative privileges on the local PC whatsoever.
I do not rule out the possibility that someone may have tweaked some obscure setting in the registry of the local computer before I took over administration of this system that somehow allowed this to occur despite the fact that the user appears in every other way to be unprivileged. Without going over the registry with a fine toothed comb, I cannot possibly know for sure. I do know that no extant GPOs exist that cause any such weirdness. The system is also an off-the-shelf HP consumer-targeted system; there is always the possibility that it simply shipped with a bizarre/obscure registry tweak that nobody is aware of.
That said, I have done the legwork on this. I wouldn’t be posting an article claiming that the thing crawled in through Java without being pretty damned sure that this is exactly what happened. I also don’t claim that it exploited the latest discussed vulnerability; I have absolutely no idea which vulnerability it exploited; for all I know it exploited a vulnerability that is a true zero-day and completely unknown outside the blackhat community.
I have determined that the browser in use at the time was Internet Explorer 9. I have gone over the IE9 settings; unless the malware in question changed the settings post-infection, it is entirely default. That should not allow Java, Flash or anything else to break out of a sandbox in usermode; and yet, it happened.
Look, as far as I can tell, this system is an off-the-shelf HP client system from about 2 years ago. It was attached to a domain run by an administrator that was pretty damned “by the book.” The GPOs and other configurations are pretty clear. WSUS automatically clears critical, security and definition updates for immediate install, and the user was diligent about keeping Java, Flash, etc up to date. Nobody played around with anything obscure because it simply was never required in this environment. It is as close to “off the shelf” as you can get for an SME install.
That’s what’s so scary about all of this. I would like to be able to write a “well damn it Jim, such and such happened because users are stupid” article. They get nods and smiles and sympathy from the readers instead of vicious personal attacks from a pool of internet piranhas.
Indeed, I have one such client that got slapped by their own stupidity on the same weekend. Nothing up to date, everything unmaintained, didn’t listen to my “disable java in your browser now” cries, and they run every user as local administrators. They got predictably pwned, but that’s not exactly interesting. (I like the billable hours, though!)
No, the guys that did it “by the book” and then got run over by something that crawled in through the internet are interesting. The CFO in question is a pretty honest guy; I asked him if he used a USB key, CD or anything in recent memory and no, he had not. I’ve checked every other vector I can think of, and nothing presents itself. So either something crawled in through Java and then broke out, or I.E. itself has a truly abominable zero day.
If I.E. has a zero day, the self-immolating Jars make no sense; why would Java anything be used as an intermediary there? Creating malware that requires something like Java be installed narrows your target availability unless Java itself is part of the vulnerability package you are exploiting to get the toehold into the system. This looks and smells like a Java vulnerability being exploited, probably in combination with something else. (http://arstechnica.com/security/2012/08/microsoft-defense-bypassed-in-2-weeks/ ???)
This is the first time I’ve seen a malware attack on a system that is reasonably properly defended. There is no obvious way this could have or should have occurred. If anyone has a better explanation I’m all ears on this; but I’ve spent an entire long weekend looking for obvious vulnerabilities in configuration and found none so far.
Re: Mr Pott, I tip my hat to you.
Two things: 1) I don't get physical access to the system for another couple of days. 2) I write a sysadmin blog, and my readers are important to me. If I can figure out how to kill the damn thing, maybe I can help someone stuck in a bad situation. If it helps just one guy stuck on the wrong end of a Teamviewer session, it's worth my Friday. :)
Re: @Trevor: even Microsoft Security Essentials can find and kill most variants
Fucked if I know. MSE seems "as good as the rest." Every malware vendor has gaps in coverage. I like Avast and MSE because they don't don't seem to stpe on eachother's toes, so they can coexist. I prefer using multiple overlapping scanners on high-importance machines. Otherwise...prayer?
Nothing offers complete coverage. So we need to be ready with the re-install. Personally, I periodically run one-shot "second opinion" scanners such as housecall, even when they aren't resident. I don't trust any one scanner to find malware, so I throw the kitchen sink at things and hope it works.
Re: privilege escalation?!
I wish I had a definative answer for you. I am 98% certain the initial attack was delivered through java in the browser to a non-administrative user. Then what? What does it execute? Is it using a java-native escalation, or some other exploit? How the hell did that bit of fail break out of its sandbox?
Then it ate itself. To me, this is the biggest indication that there was an unknown zero-day being used. The author of that malware did not want to initial payload to be examined by security companies. There are holes in the logs; I only even know that Jars appeared and dissapeared because I had a completely separate app on debug for a completely different reason. (Trying to debug something inovlving Office 365.) It caught the logs thrown by MSE before it was anhiliated (and all of it's logs, browser history etc) with it.
Something crawled in through Java. Then it ate itself, the anti-virus packages, the logs and installed new friends. The user was not running as admin. So I don't really care if it used a native flaw in Java to escalate privs enough to do that, or if it cascaded other flaws once the userspace code had been delivered. Java was the initial vecotr, and windows cracked like an egg after that.
Re: "have no idea what the initial vector was"
The user was not runnign as admin. Their antivirus was up to date. Their browsers were up to date. Their browser extentions were minimalistic. Jars showed up and then dissapeared; shortly thereafter the system was pwned.
If you have a different attack vector for that, I am all ears.
Re: ...for those running as root
sudo passwd root
Enter a pssword
Now you can log in to the GUI. What's so hard about that?
Re: ...for those running as root
Set a root password. Then you can log into the GUI as root.
Re: @ Trevor_Pott
If you are calling me a Linux fanboy, I'm going to ask you to back that statement up with some sort of evidence. For the record, these are the following things I am a "fanboy" of (in rough order):
1) My wife, close friends and selected coworkers.
2) Ninite.com (Just. Frakking. Works.)
3) Cyanogenmod (My phone. MINE.)
4) A significant chunk of The Register's writers, current and departed (I miss Sarah.)
5) Ars Technica's Nobel Intent (Science, bitches!)
6) Evidence-based legislation (Science, bitches!)
7) Mars Rovers (Science, bitches!)
8) Intel networking (Just. Frakking. Works.)
9) Jose Barreto (Awesome guy working for Microsoft's storage team.)
10) Classic Shell (I want my goddamned up button back!)
My definition of "fanboy" means I give those individuals, people, products and concepts on this list "the benefit of the doubt." It means I will accept at face value what is presented. I will trust what they have to say without the need for significant deep dives; this trust has been earned over time.
By nature however, I am a cynical person. I do the research, I question everything. So if you are suggesting that "Linux is the most compromised X on the planet" and that "anyone who believes otherwise is a Linux fanboy," I am going to call you on it. That goes against every scrap of evidence I have; prove your accusation.
Linux is not the most compromised webserver, despite being the most dominant. Various web APPLICATIONS (frequently, but not exclusively run on Linux) are vulnerable as hell...but these web apps lead to compromise on Windows as well as Linux. The actual underlying technology is significantly less assailable than the competition; shocking considering the many issues surrounding Linux governance and implementation.
So...prove it. Prove that Windows is "more secure" for the same tasks running the same apps. Especially when both are properly configured and hardened for a production environment. Prove also that those who disagree are "Linux fanboys," instead of people who have different - possibly more accurate - information than you are working from.
...you can prove that, can't you?
Re: The only use for java these days
Disables fine in Chrome and Firefox. Even when "disabled" in IE, the thing still can be called. How that works, well...comments, Microsoft? I'd love to hear the explanation.
Re: ...for those running as root
Do you have any idea how many Ubuntu users I catch runnign as root? It gives me a sad.
Given the complex web of how things are run in Windows, who knows what happened to allow infection? The user running this was not an administrator on the local PC. How then did this get the kinds of privs nessecary to install a rootkit? Browser glitch? Did it pop up a "run escalated" box? (Users says no, but...they're a user...)
I have no idea how something crawling through Java could install a rootkit on a non-administrative user. And yet, it did. So is this something that uses multiple vulnerabilities in multiple products, or is there a whole new zero-day at work here that we just don't know about?
I'm open to thoughts on this.
Re: even Microsoft Security Essentials can find and kill most variants
Try it in practice. You'll sing a different tune. MSE cannot kill a single rootkit under active development. It can eliminate very old rootkits. Anything actively maintained will go through MSE like a hot knife through butter. It won't even see them, let alone be able to defang them.
FFS man, don't come in here and spread propaganda; we're actually trying to help people cope with real world issues here. This is not the time or the place for you pro Microsoft crap; especially when so much of it is half truths wrapped in outright lies. The lack of context in everything you’ve ever written in the comments section of The Register is appalling.
Please astroturf elsewhere.
Re: Lets not just blame java here
Richto; who is paying you and how much? The amount of utterly bullshit FUD you spread about Linux is amazing. Honestly though, which company foots the bill? I'm really curious.
Re: even Microsoft Security Essentials can find and kill most variants
Oh? Do tell. It is an actively versioned bit of malware, so it is a moving target for everyone. But in my experience, is MSE can kill it, it isn't all that relevant. MSE cannot however kill rootkits like Zeroaccess. They are a threat.
Sirefef will be isolated by and contained by MSE unless we're talking about the very latest greatest variant. It won't get a chance to download buddies. Unfortunately, whatever the primary vector was murdered MSE before installing Sirefef.
Nope. I blame Java for lettine the bastard in the door and giving it escalted privs on an account not running as administrator. The facr that once in, the sattelite infections played merry hob with a Windows system is just par for the course. Protect the edges if you know that the center is soft and chewy. Nothing I can do about windows; but I can uninstall the inefection vector...Java.
Re: The only use for java these days
Um...what? OSX is actively under attack using these vulns...as is Ubuntu for those running as root...
How many PCs do you know of that you buy at the local electronics store come preconfigured for PXE boot? Not a large enterprise; systems are not configured for image-based dissemination. Main office has only 11 people! Everything is on the other end of wet-noodle VPN. Nah; these folks use Best-Buy specials and the previous admin left such a mess that two months later I'm still picking up pieces.
At this point, it wouldn't be an "image" either. It would be a clean install. And there is a lot of CFO-only software to get off that thing...
The user was not a member of the administrators group on the local PC; unless one of the infections in question altered permissions post-infection...
Re: What we have here is a serious lack of comprehension...
Up to date Java...that's the thing...
Re: 12 steps
If only it were that simple, and the people who pay money for things didn't have say in their own environments...eh?
Re: At least there's the day rate.
This is the first thing in years I've seen simply waltz right on by MSE. It was actually Avast that caught the initial one. (Befor it was crippled, and MSE annihilated.)
Re: Why blame Java at all?
I can know the attack vector without knowing the name of the attacker. I don't have a clue what the initial Bad Thing was. I do know they were malicious. Jar files that set off the alarms. The browsers were up to date. No flash was installed. Moments after detection, the jars dissapeared. So did Microsoft Security Essentials, Avast and a large chunk of all thee browser histories. It looked to me like someone using a java exploit that didn't want a security researcher decompiling the attack vector.
I crawled all over the thing for three days. I was hoping for an awesome new browser zero day. Alas, "Java is still broken" is not much of a story. But I was able to get the "this is how you fix it" info out to people, in case they got hit. That was really my goal.
Not all of us are so lucky as to have full imaging gear and pre-vetted application stacks. This is a new client of mine; small, most IT descisions still taken directly by CEO, call for help as they need it. Remote cleaning was a priority. If it happened to me, it might happen to someone else in a similar position; worth the time then to write up.
Agreed; that's a next-week project; for when I have physical access. For right now, this works over Teamviewer, and everything I can throw at it comes back clean.
Systems administrator = digital janator.
Server = Digital Sewer.
I can see it.
Mine's the one with the disks full of El Reg comments.
Re: Mostly agree
"Write once, run anywhere" can indeed work. Assuming your programmers are hot shit and either A) restrict themselves to a very limited subset of the language or B) "Write once, debug everywhere."
It is possible to achieve the holy zen of “write once, run anywhere.” It is however enough work that you’re better of being a monk on a mountain for 40+ years. It’s more satisfying and less effort.
Reading comprehension fail.
"Hating or loving a logical construction such as a programming language is irrational, illogical and otherwise nonsensical. As a human being with an emotional reaction to the world around me, it is increasingly unavoidable."
"It is possible to code Java applications that are excellent. The ubiquity of the language as a primary educational tool has unfortunately made these the exception rather than the rule. So I hate Java; not because there's anything inherently wrong with the language, but because of a decade's worth of people who still haven't figured out how to use it as designed."
Like so many others, you have completely failed to actually read the article. I explicitly state that technology is a logical construct for which it is irrational to "hate." I also explicitly state that java [i]can[/i] be used for good. I also – the article is right there, go read for yourself – explicitly state that my negative reaction to java is an irrational emotional reaction brought about by the totality of the extended universe of issues that surround it.
The article is not about “how terrible Java is.” Java is a tool. The article is about how “horrible abuse of this tool by our entire industry has meant that it is a significantly larger frustration – and even liability, from a security perspective! – than the marginal benefits it provides.
Bonus points for skimming through so fast that you assume the only Java I ever coded was the crap I had to do in my first year of university. The anecdote explains why I left university seeking something better. Is followed up immediately thereafter by a description of how that was a bad plan and I ended up developing applications anyways. Those applications include Java, which I am still forced to use to this day.
Perhaps you need to detach your personal sense of self worth form the language you program in. There is no need for a tribal reaction; criticism of Java) or the wider Java ecosystem) is not criticism of you. If the sub editor’s title, or the opening sentence of the article [i]which is immediately followed by an open admission of trolling commenttards for fun[/i] sets you up emotionally to skim through an article with a blinding rage, there are problems. If you skim so you can quickly get to the comments section and core dump some hatred, there are all sorts of questions about how you define yourself personally and professionally that need to be asked.
If you cannot acknowledge the issues surrounding your choice of language, why should anyone trust you as a developer? You need to know about – and acknowledge – the problems before you can adapt to and overcome them. Tribalism regarding technology is an indication of inadequate understanding of the role of that technology.
Re: Thank you for this.
The problem isn't the hammer. The problem is that we told an entire generation "all you need is a hammer" and they actually believed it. Now ****ing everything has hammer marks where other tools should have gone, and nothing quite works the way it should.
Re: Goodbye mouse button
My experience with the client in question says that right clicking on nearly every element in the UI works just fine.
- The land of Milk and Sammy: Free music app touted by Samsung
- The long war on 'DRAM price fixing' is over: Claim YOUR spoils now (It's worth a few beers)
- Privacy warriors lob sueball at Facebook buyout of WhatsApp
- Dell thuds down low-cost lap workstation for
cheapfrugal creatives or engineers
- 20 Freescale staff on vanished Malaysia Airlines flight MH370