Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Mar 26, 2001 (Vol. 6, #20 - Issue #255)
MS Digital Certificates Compromised
This issue of W2Knews contains:
- EDITORS CORNER
- TECH BRIEFING
- Need To Explain The Difference Between A Hub And A Switch?
- Tech Briefing Bonus: "Be Nice To Nerds"
- NT/2000 RELATED NEWS
- WARNING - Microsoft Digital Certificates Compromised
- W2K Datacenter will run on IBM's new 64-way Intel Box
- New WinXP file system breaks disk utilities. Again. Oops
- NT/2000 THIRD PARTY NEWS
- Run Exchange? Need to Audit All Content? Here's How:
- Best Selling Software In Sunbelt Online Shop?
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- 40% off all Windows 2000 Books for W2Knews Subscribers
Register now to receive Chapter I of "The Definitive Guide to
Windows 2000 and Exchange 2000 Migration" -- a FREE eBook
brought to you by NetIQ and Realtimepublishers.com. Get
hands-on field experience as industry experts tackle Windows
2000 and Exchange 2000 in a single book. You'll get migration
techniques, strategies, and example scenarios on deploying a
Microsoft Windows 2000 & Exchange Server 2000 network.
Visit NetIQ for more information.
If you only read the article about the MS Digital Certificates problem,
this (free) issue will have paid for itself a few times over! ;-)
There is a lot happening again, so I'll keep this column short.
And oh, if you see your machine contacting your ISP when reading the
HTML version, that is just to fetch the graphics. We keep these out
of the newsletter to keep the size down to a minimum. The work on
getting your profile done is making headway. Soon you'll be able
to receive this newsletter in *all* (Monday and Thursday) html OR
*all* (Monday and Thursday) txt.
(email me with feedback: [email protected])
SPONSOR: WIN NT = HACKER TARGET #1
Ever had the feeling of ACUTE PANIC that a hacker has invaded your
network? Plug NT/2000's over 1,000 holes before they plug you. You _have_
to protect your LAN _before_ it gets attacked. STAT comes with a responsive
web-update service and a dedicated Pro SWAT team that helps you to hunt
down and kill security holes. Built by anti-hackers for DOD sites.
Download a demo copy before you become a statistic.
Visit WIN NT = HACKER TARGET #1 for more information.
Need To Explain The Difference Between A Hub And A Switch?
(This was a recent thread on the NTSYSADMIN Forum, one of the Sunbelt
sponsored communities at http://www.sunbelt-software.com/community.cfm)
Some of us techies see the need for hardware that our bosses do not.
That translates into sessions where you are trying to explain why
this new device will do so much better than the old one. It gets
esoteric quickly and goes over their heads. And you wait forever
for the approval. Users continue to complain. Below are some links
that will help you explain the difference.
First, conceptually, what IS the difference? Once we used simple 10
Mbps hubs to manage our networks, and they offered quite an improvement
over shared peer-to-peer connections. Now we have dual 10/100 speed
hubs that offer dual speed data transfers for under 100 dollars. But
they are passive and have no built-in intelligence.
Switches, by contrast, segment traffic between nodes from the rest of
the LAN by isolating the individual data streams to specific paths,
which should not affect the rest of the network nodes. Hubs do not
manage any of this traffic, and this causes collisions, which
greatly impede traffic efficiency on the LAN. Switches have
improved performance speeds, enough to convince most IT managers and
network administrators that switches are the product of choice in
their next upgrade purchase.
If you want to SEE the difference, check out this link first:
Some other explanations:
Tech Briefing Bonus: "Be Nice To Nerds"
The 11 rules below are rumored to be coming from Bill Gates who
supposedly dished them out at a recent high school speech. I think
this is very likely 'urban legend' but the item is fun and has a lot
to it so I'm including it as a bonus item this issue. [grin]
The comment that went with the rules was as follows. "He talks about
how feel-good, politically correct teaching has created a full
generation of kids with no concept of reality and how this concept
sets them up for failure in the real world. To give them a taste of
what it's really like out there, he allegedly came up with these rules."
- RULE 1
Life is not fair - get used to it.
- RULE 2
The world won't care about your self-esteem. The world will expect
you to accomplish something BEFORE you feel good about yourself.
- RULE 3
You will NOT make 50 thousand dollars a year right out of high school.
You won't be a vice president with a car phone, until you earn both.
- RULE 4
If you think your teacher is tough, wait till you get a boss. He
doesn't have tenure.
- RULE 5
Flipping burgers is not beneath your dignity. Your grandparents had
a different word for burger flipping - they called it opportunity.
- RULE 6
If you mess up, it's not your parents' fault, so don't whine about
your mistakes, learn from them.
- RULE 7
Before you were born, your parents weren't as boring as they are now.
They got that way from paying your bills, cleaning your clothes and
listening to you talk about how cool you are. So before you save
the rain forest from the parasites of your parents' generation, try
delousing the closet in your own room.
- RULE 8
Your school may have done away with winners and losers, but life has
not. In some schools they have abolished failing grades and they'll
give you as many times as you want to get the right answer. This
doesn't bear the slightest resemblance to ANYTHING in real life.
- RULE 9
Life is not divided into semesters. You don't get summers off and
very few employers are interested in helping you find yourself. Do
that on your own time.
- RULE 10
Television is NOT real life. In real life people actually have to
leave the coffee shop and go to jobs.
- RULE 11
Be nice to nerds. Chances are you'll end up working for one. ;-)
NT/2000 RELATED NEWS
WARNING - Microsoft Digital Certificates Compromised
Someone posing as being from Microsoft has gotten hold of a pair of
digital certificates. This is ugly. Why? These can actually be used
to make someone believe they are downloading genuine Microsoft code
while in reality they might install a malignant piece of code. The
alert that MS sent out regarding this warns that the problem covers
all the existing versions of Windows. Not good.
Let me quote Russ Cooper, Surgeon General of TruSecure Corporation and
NTBugtraq Editor: "Verisign has royally screwed up. Verisign managed
to issue a Class 3 Digital Certificate, a Certificate which is used for
code-signing of things like ActiveX controls, Macros, applications,
etc... to someone who purported to be from Microsoft Corporation."
The black hat seems to have used some social engineering to pull the
wool over Verisign's eyes.
When your box gets presented with a digital certificate, it shows
you a prompt that explains how these certificates work and asks you
to trust it. Now, if you get presented with a Microsoft cert, either
via HTML or email, you have to check the date! If it has a date of
Jan 30 or Jan 31, 2001, you cannot trust it, so do not download
the presented code. No real MS certs were issued on these dates.
The bogus Cert will NOT be trusted automatically by your system, so
that is positive. But the fact you need to check the date (which users
very likely will not do) is definitely the liability here. Microsoft
is working on a solution but that is not here yet. I think you should
plan to patch all the systems you are managing in the next few weeks.
It's also not clear who the Black Hats are that pulled this off, so
we do not know what nastiness to expect: a virus, worm, trojans, your
hard disk trashed or other exploits.
Quite a few people in Microsoft are actually pretty pissed off. They
stated there has to be some kind of revocation mechanism in place to
correct this kind of thing. But it ain't working right at the moment,
as the URL for the CRL (Certificate Revocation List) is not filled
out in the certificates. You may need to install a CRL on every box
yourself, or get code from MS that makes Explorer look at the MS CRL.
I'll let you know more when I know more.
Microsoft Knowledge Base articles Q293817 and Q293819 also appeared.
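
The date check and the missing CRL URL described in this article, as an added example (not code from the newsletter or from Microsoft). It triages certificate metadata records; the record layout (name, subject_cn, not_before, crl_urls) and the choice to test the date both as written and in UTC are assumptions of the example.

```python
from datetime import date, datetime, timezone

# From the article: the bogus certificates name Microsoft Corporation
# and are dated Jan 30 or Jan 31, 2001.
SUSPECT_SUBJECT = "microsoft corporation"
SUSPECT_DATES = {date(2001, 1, 30), date(2001, 1, 31)}

def triage(cert):
    """Return (verdict, reasons) for one certificate metadata record."""
    issued = datetime.fromisoformat(cert["not_before"])
    if issued.tzinfo is None:
        issued = issued.replace(tzinfo=timezone.utc)  # X.509 validity is UTC
    # A trust dialog may show local time, so test the date both as
    # written and normalized to UTC; a hit on either counts.
    shown = {issued.date(), issued.astimezone(timezone.utc).date()}
    is_ms = cert["subject_cn"].strip().lower() == SUSPECT_SUBJECT
    bogus = is_ms and bool(shown & SUSPECT_DATES)

    reasons = []
    if bogus:
        reasons.append("Microsoft certificate dated Jan 30/31, 2001")
    if not cert.get("crl_urls"):
        # No CRL URL in the certificate: revocation cannot be looked up
        # automatically, which is the gap the article describes.
        reasons.append("no CRL URL, revocation not checkable")
    verdict = "reject" if bogus else ("review" if reasons else "ok")
    return verdict, reasons

def scan(records):
    """Map each record's name to its verdict."""
    return {r["name"]: triage(r)[0] for r in records}

# Constructed sample records (hypothetical field names and values).
SAMPLE = [
    {"name": "a", "subject_cn": "Microsoft Corporation",
     "not_before": "2001-01-30T00:00:00+00:00", "crl_urls": []},
    {"name": "b", "subject_cn": " MICROSOFT CORPORATION ",
     "not_before": "2001-01-29T20:00:00-08:00",
     "crl_urls": ["http://crl.example.test/cs.crl"]},
    {"name": "c", "subject_cn": "Microsoft Corporation",
     "not_before": "2000-12-05T00:00:00+00:00", "crl_urls": []},
    {"name": "d", "subject_cn": "Example Software Ltd",
     "not_before": "2001-01-31T00:00:00+00:00",
     "crl_urls": ["http://crl.example.test/cs.crl"]},
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE).items():
        print(name, verdict)
```

Record "b" is rejected because its issue time falls on Jan 30 once converted to UTC, and record "c" is only marked for review because it lacks a CRL URL but does not carry a suspect date.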
W2K Datacenter will run on IBM's new 64-way Intel Box
Dang, this is getting interesting! IBM's going after the high-end Intel
environment. That means at the moment mainly the Unisys ES7000 Series.
Gang, we're getting into the big time now. IBM's new 64-CPU box is called
the eServer x430. It's got Intel's latest and expensive 900MHz Xeons as
its brains, and IBM's mainframe technology at its basis.
Big Blue also created a few smaller versions of this Intel based family.
There are 8-way and 4-way systems coming, and a cluster as well. They
took four of their 8-way x370 systems and clustered them together in a
32-node array that runs W2K DC, SQL2K and was pretty darn fast on the
SQL transactions. They claim to be faster than Compaq, which held the
record up to now, and also say they're doing better than NEC's fastest
boxes. We're going to get to play with some pretty cool hardware in
New WinXP file system breaks disk utilities. Again. Oops
The Register in the UK usually has some good industry rumors and scoops.
I went there and found one that is worth looking over. It boils down
to the fact that WXP will tweak its file system, and that means that
some utilities may stop working. An example would be Partition Magic.
Third party utilities vendors need to be alert, and you may need to
upgrade your fave disk tools when you move to WXP. Again.
THIRD PARTY NEWS
Run Exchange? Need to Audit All Content? Here's How:
The brand new Cameo V2.0 Content Auditing for environments using
Exchange is a pretty useful solution if company management has decided
to audit email. There is a variety of reasons why companies decide to
do this, one of which is prevention of sexual harassment. The questions
they are asking themselves are:
The new Features for Cameo 2.0 are interesting:
- How can you be sure that your e-mail system is being used the way
it was intended?
- What are the employees saying in their e-mail?
- What are they spending their time reading?
- Are we taking steps to manage our e-mail content?
- Who is sending or receiving the newest e-mail viruses?
One of the good things I like about CAMEO 2.0 is that it requires no
additional servers or hardware and can be run from any workstation
(Windows NT/2000). CAMEO doesn't install into or on your Exchange servers,
so it's 100% safe and can be set up and running in minutes! Even the
smallest network can easily afford CAMEO 2.0. Cameo silently, discreetly,
and continuously audits e-mail content moving in and out of your
- Scan Internet e-mail. Matched messages are allowed to pass, but are
copied to any address for review. (Send it to HR so you do not
have to be seen as the 'Net Nazi' yourself.)
- Scan internal e-mail. Over 70% of a typical company's e-mail is
internal. Only CAMEO (and CAMEO SMTP - available soon) check it.
- Take direct control over e-mail already delivered. Search through any
or all mailboxes looking for messages that match content you specify.
Matched messages can be deleted (without user knowledge) or copied
- Enormous search capability. Over 200 words or phrases can be defined
and searched for simultaneously.
- Flexible reporting options. Every message match can be forwarded to
a unique individual for review and action.
- Selective scanning option, now you can select a distribution list
of recipients that are to be excluded from message scanning.
Check the new Version 2.0 out at:
- to ensure it meets company policies;
- to check that confidential information isn't being leaked;
- to review incoming e-mail and automatically route the message
based upon content;
- to help ensure that personnel policies are being followed;
- to catch email viruses,
- to catch spam messages, and a lot more.
Best Selling Software In Sunbelt Online Shop?
You might wonder what it was in the year 2000. The piece of software
that did best was U-Promote! What does it do? With this tool you can
promote your NT Server into an NT Domain Controller. U-Promote is the
only software utility that can promote your NT server to an NT Domain
Controller (PDC or BDC) without re-installing the operating system.
With U-Promote you can:
- Change a standalone NT server to a Primary Domain Controller (PDC).
- Change a Primary Domain Controller to a standalone NT server.
- Change a standalone NT server to a Backup Domain Controller (BDC).
- Change a Backup Domain Controller to a standalone NT server.
Don't make the wrong choice!
When you installed Windows NT Server, you were asked if you wanted to
create a domain controller (DC). Your choice was permanent. If you
declined, you could never create one later (Q193219).
U-Promote is available exclusively from the Sunbelt Software OnLineShop
You can download it in less than a minute. ONLINESHOP PURCHASE: When
you purchase U-Promote from our OnLineShop, an email with your activation
key will be sent to you, usually within an hour, but no later than the
next business day. If you require an immediate key upon purchasing,
please call us at 800-336-3166 (Mon-Fri, 9-6 EST) and have your order
number ready. Or write to [email protected]
What is a Domain Controller?
A domain controller puts all of your passwords in a central database.
When a user logs on to a desktop PC, it consults the domain controller
to verify your password. A small organization starts with a workgroup,
a collection of machines that can share files and a printer. A domain
is a larger collection of computers where access to files and printers
is controlled by the domain controller. A domain has exactly one
primary domain controller and one or more backup domain controllers.
Don't get bitten.
Only U-Promote can rescue you from a difficult dilemma: You need a
DC but you already installed Windows NT Server without it. What do you
do? Do you waste days of downtime while you re-install everything, or
do you spend thousands of dollars on another computer?
Upgrade NT Workstation.
Suppose you decide you need a domain controller but all you have are
workstations. You purchase the Windows NT Server upgrade CD-ROM.
Oops, you have a problem. The NT setup upgrade procedure will not let
you create a DC from a workstation upgrade. The solution is to use
U-Promote. Here is how:
Insert the Windows NT Server CD-ROM and run WINNT32.EXE. Select your
current NT Workstation directory as the installation directory. When
prompted, select Upgrade. Select the NT services you want to install
(IIS, RAS, etc.). When finished, immediately apply the latest NT service
pack. Run U-Promote to promote the newly created server to a domain
controller. Get it at:
This Week's Links We Like. Tips, Hints And Fun Stuff
Kyocera's SmartPhone (with Palm built in) is indeed a hit. Told ya so.
The Seattle Robotics Society's got a cool site. Search on Tortilla-Board!
Desktop Engineer's Junk Drawer has some good and useful pointers:
PRODUCT OF THE WEEK
40% off all Windows 2000 Books for W2Knews Subscribers
Syngress Publishing is offering 40% off all Windows 2000 and related
books to subscribers of SunBelt's W2Knews newsletter. You'll find books
covering Active Directory, SQL 2000, Exchange 2000 Server, Network
Services, and more. Also, for a limited time you can get copies of
their Windows 2000 Configuration Wizards and Deploying Windows 2000
with Support Tools - an $80 value - for only $15.95.
All books come with a FREE 1-YEAR Upgrade plan that provides you with
two technology whitepapers, Ask the Author query forms, and downloadable
HTML ebooks for your laptop. Check them out at: