Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Mar 26, 2001 (Vol. 6, #20 - Issue #255)
MS Digital Certificates Compromised
  This issue of W2Knews™ contains:
    • Need To Explain The Difference Between A Hub And A Switch?
    • Tech Briefing Bonus: "Be Nice To Nerds"
    • WARNING - Microsoft Digital Certificates Compromised
    • W2K Datacenter will run on IBM's new 64-way Intel Box
    • New WinXP file system breaks disk utilities. Again. Oops
    • Run Exchange? Need to Audit All Content? Here's How:
    • Best Selling Software In Sunbelt Online Shop?
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
    • 40% off all Windows 2000 Books for W2Knews Subscribers
Register now to receive Chapter I of "The Definitive Guide to
Windows 2000 and Exchange 2000 Migration" -- a FREE eBook
brought to you by NetIQ and Realtimepublishers.com. Get
hands-on field experience as industry experts tackle Windows
2000 and Exchange 2000 in a single book. You'll get migration
techniques, strategies, and example scenarios on deploying
Microsoft Windows 2000 & Exchange Server 2000 network.
Visit NetIQ for more information.
Hi NT/W2K-ers,

If you only read the article about the MS Digital Certificates problem, this (free) issue will have paid for itself a few times over! ;-) There is a lot happening again, so I'll keep this column short.

And oh, if you see your machine contacting your ISP when reading the HTML version, that is just to fetch the graphics. We keep these out of the newsletter to keep the size down to a minimum. The work on getting your profile done is making headway. Soon you'll be able to receive this newsletter in *all* (Monday and Thursday) html OR *all* (Monday and Thursday) txt.

Warm regards,
Stu Sjouwerman
(email me with feedback: [email protected])

Ever had the feeling of ACUTE PANIC that a hacker has invaded your
Plug NT/2000's over 1,000 holes before they plug you. You _have_
to protect your LAN _before_ it gets attacked. STAT comes with a responsive
web-update service and a dedicated Pro SWAT team that helps you to hunt
down and kill security holes. Built by anti-hackers for DOD sites.
Download a demo copy before you become a statistic.

Visit WIN NT = HACKER TARGET #1 for more information.

Need To Explain The Difference Between A Hub And A Switch?

(This was a recent thread on the NTSYSADMIN Forum, one of the Sunbelt sponsored communities at http://www.sunbelt-software.com/community.cfm)

Some of us techies see the need for hardware that our bosses do not. That translates into sessions where you are trying to explain why this new device will do so much better than the old one. It gets esoteric quickly and goes over their heads. And you wait forever for the approval. Users continue to complain. Below are some links that will help you explain the difference.

First, conceptually, what IS the difference? Once we used simple 10 Mbs hubs to manage our networks, and they offered quite an improvement over shared peer-to-peer connections. Now we have dual 10/100 speed hubs that offer dual speed data transfers for under 100 dollars. But they are passive and have no built-in intelligence.

Switches, on the contrary, segment traffic between nodes from the rest of the LAN by isolating the individual data streams to specific paths, so that traffic should not affect the rest of the network nodes. Hubs do not manage any of this traffic, and this causes collisions, which greatly impede traffic efficiency on the LAN. Switches have improved performance speeds, enough to convince most IT managers and network administrators that switches are the product of choice in their next upgrade purchase.

If you want to SEE the difference, check out this link first:

Some other explanations:

Tech Briefing Bonus: "Be Nice To Nerds"

The 11 rules below are rumored to be coming from Bill Gates who supposedly dished them out at a recent high school speech. I think this is very likely 'urban legend' but the item is fun and has a lot to it so I'm including it as a bonus item this issue. [grin]

The comment that went with the rules was as follows. "He talks about how feel-good, politically correct teaching has created a full generation of kids with no concept of reality and how this concept sets them up for failure in the real world. To give them a taste of what it's really like out there, he allegedly came up with these rules."

  • RULE 1
    Life is not fair - get used to it.
  • RULE 2
    The world won't care about your self-esteem. The world will expect you to accomplish something BEFORE you feel good about yourself.
  • RULE 3
    You will NOT make 50 thousand dollars a year right out of high school. You won't be a vice president with a car phone, until you earn both.
  • RULE 4
    If you think your teacher is tough, wait till you get a boss. He doesn't have tenure.
  • RULE 5
    Flipping burgers is not beneath your dignity. Your grandparents had a different word for burger flipping - they called it opportunity.
  • RULE 6
    If you mess up, it's not your parents' fault, so don't whine about your mistakes, learn from them.
  • RULE 7
    Before you were born, your parents weren't as boring as they are now. They got that way from paying your bills, cleaning your clothes and listening to you talk about how cool you are. So before you save the rain forest from the parasites of your parents' generation, try delousing the closet in your own room.
  • RULE 8
    Your school may have done away with winners and losers, but life has not. In some schools they have abolished failing grades and they'll give you as many times as you want to get the right answer. This doesn't bear the slightest resemblance to ANYTHING in real life.
  • RULE 9
    Life is not divided into semesters. You don't get summers off and very few employers are interested in helping you find yourself. Do that on your own time.
  • RULE 10
    Television is NOT real life. In real life people actually have to leave the coffee shop and go to jobs.
  • RULE 11
    Be nice to nerds. Chances are you'll end up working for one. ;-)

WARNING - Microsoft Digital Certificates Compromised

Someone posing as being from Microsoft has gotten hold of a pair of digital certificates. This is ugly. Why? These can actually be used to make someone believe they are downloading genuine Microsoft code while in reality they might install a malignant piece of code. The alert that MS sent out regarding this warns that the problem covers all the existing versions of Windows. Not good.

Let me quote Russ Cooper, Surgeon General of TruSecure Corporation and NTBugtraq Editor: "Verisign has royally screwed up. Verisign managed to issue a Class 3 Digital Certificate, a Certificate which is used for code-signing of things like ActiveX controls, Macros, applications, etc... to someone who purported to be from Microsoft Corporation." The black hat seems to have used some social engineering to pull the wool over Verisign's eyes.

A digital certificate, when your box gets presented with one, shows you a prompt that explains how these certificates work, and asks you to trust it. Now, if you get presented with a Microsoft cert, either via HTML or email, you have to check the date! If it has a date of Jan 30 or Jan 31, 2001, you cannot trust it, so do not download the presented code. No real MS certs were issued on these dates.

The bogus cert will NOT be trusted automatically by your system, so that is positive. But the fact that you need to check the date (which users very likely will not do) is definitely the liability here. Microsoft is working on a solution but that is not here yet. I think you should plan to patch all the systems you are managing in the next few weeks. It's also not clear who the Black Hats are that pulled this off, so we do not know what nastiness to expect: a virus, worm, trojans, your hard disk trashed or other exploits.

Quite a few people in Microsoft are actually pretty pissed off. They stated there has to be some kind of revocation mechanism in place to correct this kind of thing. But it ain't working right at the moment, as the URL for the CRL (Certificate Revocation List) is not filled out in the certificates. You may need to install a CRL on every box yourself, or get code from MS that makes Explorer look at the MS CRL. I'll let you know more when I know more.

Microsoft Knowledge Base articles Q293817 and Q293819 also appeared.
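
The date check described above can be run across files on disk instead of relying on users to read the prompt. This is an added example, not part of the original newsletter and not Microsoft's fix: it reads each file's Authenticode signer certificate with PowerShell, flags Microsoft-named certificates dated Jan 30 or Jan 31, 2001, and reports whether the certificate carries a CRL URL. The scan path, the file extensions and the subject match on "Microsoft Corporation" are assumptions.

```powershell
# Added example: audit signed files for signer certificates that match the
# article's description of the bogus Microsoft certificates.
param(
    # Assumed scan location; point it at wherever downloaded code lands.
    [string]$Path = "$env:USERPROFILE\Downloads"
)

# Dates as stated in the article above.
$suspectDates = @([datetime]'2001-01-30', [datetime]'2001-01-31')

# OID of the X.509 "CRL Distribution Points" extension. When it is absent,
# the certificate gives the client no URL from which to fetch a CRL.
$cdpOid = '2.5.29.31'

Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.ocx, *.cab, *.msi `
    -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) { return }          # unsigned file, nothing to check

    # Assumption: the signer names itself "Microsoft Corporation" in the subject.
    if ($cert.Subject -notmatch 'CN=Microsoft Corporation') { return }

    # NotBefore is the "valid from" date shown in the certificate prompt.
    $suspect = $suspectDates -contains $cert.NotBefore.Date
    $hasCrl  = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid })
    $verdict = if ($suspect) { 'DO NOT TRUST' } else { 'date not suspect' }

    [pscustomobject]@{
        File       = $_.FullName
        Issuer     = $cert.Issuer
        ValidFrom  = $cert.NotBefore
        Thumbprint = $cert.Thumbprint
        HasCrlUrl  = $hasCrl
        SigStatus  = $sig.Status
        Verdict    = $verdict
    }
} | Sort-Object Verdict, File
```

A `SigStatus` of `Valid` on a row marked `DO NOT TRUST` is exactly the case the article warns about: the signature verifies, but the certificate itself should never have been issued.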

W2K Datacenter will run on IBM's new 64-way Intel Box

Dang, this is getting interesting! IBM's going after the high-end Intel environment. That means at the moment mainly the Unisys ES7000 Series. Gang, we're getting into the big time now. IBM's new 64-CPU box is called the eServer x430. It's got Intel's latest and expensive 900MHz Xeons as its brains, and IBM's mainframe technology at its basis.

Big Blue also created a few smaller versions of this Intel based family. There are 8-way and 4-way systems coming, and a cluster as well. They took four of their 8-way x370 systems and clustered them together in a 32-node array that runs W2K DC, SQL2K and was pretty darn fast on the SQL transactions. They claim to be faster than Compaq, which held the record up to now, and also say they're doing better than NEC's fastest boxes. We're going to get to play with some pretty cool hardware in the future.

New WinXP file system breaks disk utilities. Again. Oops

The Register in the UK usually has some good industry rumors and scoops. I went there and found one that is worth looking over. It boils down to the fact that WXP will tweak its file system, and that means that some utilities may stop working. An example would be Partition Magic. Third party utilities vendors need to be alert, and you may need to upgrade your fave disk tools when you move to WXP. Again.


Run Exchange? Need to Audit All Content? Here's How:

The brand new Cameo V2.0 Content Auditing for environments using Exchange is a pretty useful solution if company management has decided to audit email. There is a variety of reasons why companies decide to do this, one of which is prevention of sexual harassment. The questions they are asking themselves are:

  • How can you be sure that your e-mail system is being used the way it was intended?
  • What are the employees saying in their e-mail?
  • What are they spending their time reading?
  • Are we taking steps to manage our e-mail content?
  • Who is sending or receiving the newest e-mail viruses?
The new Features for Cameo 2.0 are interesting:
  • Scan Internet e-mail. Matched messages are allowed to pass, but are copied to any address for review. (Send it to HR so you do not have to be seen as the 'Net Nazi' yourself.)
  • Scan internal e-mail. Over 70% of a typical company's e-mail is internal. Only CAMEO (and CAMEO SMTP - available soon) check it.
  • Take direct control over e-mail already delivered. Search through any or all mailboxes looking for messages that match content you specify. Matched messages can be deleted (without user knowledge) or copied for review.
  • Enormous search capability. Over 200 words or phrases can be defined and searched for simultaneously.
  • Flexible reporting options. Every message match can be forwarded to a unique individual for review and action.
  • Selective scanning option, now you can select a distribution list of recipients that are to be excluded from message scanning.
One of the things I like about CAMEO 2.0 is that it requires no additional servers or hardware and can be run from any workstation (Windows NT/2000). CAMEO doesn't install into or on your Exchange servers, so it's 100% safe and can be set up and running in minutes! Even the smallest network can easily afford CAMEO 2.0. Cameo silently, discreetly, and continuously audits e-mail content moving in and out of your organization:
  • to ensure it meets company policies;
  • to check that confidential information isn't being leaked;
  • to review incoming e-mail and automatically route the message based upon content;
  • to help ensure that personnel policies are being followed;
  • to catch email viruses,
  • to catch spam messages, and a lot more.
Check the new Version 2.0 out at:

Best Selling Software In Sunbelt Online Shop?

You might wonder what it was in the year 2000. The piece of software that did best was U-Promote! What does it do? With this tool you can promote your NT Server into an NT Domain Controller. U-Promote is the only software utility that can promote your NT server to an NT Domain Controller (PDC or BDC) without re-installing the operating system.

With U-Promote you can:

  • Change a standalone NT server to a Primary Domain Controller (PDC).
  • Change a Primary Domain Controller to a standalone NT server.
  • Change a standalone NT server to a Backup Domain Controller (BDC).
  • Change a Backup Domain Controller to a standalone NT server.
Don't make the wrong choice!

When you installed Windows NT Server, you were asked if you wanted to create a domain controller (DC). Your choice was permanent. If you declined, you could never create one later (Q193219).

U-Promote is available exclusively from the Sunbelt Software OnLineShop. You can download it in less than a minute. ONLINESHOP PURCHASE: When you purchase U-Promote from our OnLineShop, an email with your activation key will be sent to you, usually within an hour, but no later than the next business day. If you require an immediate key upon purchasing, please call us at 800-336-3166 (Mon-Fri, 9-6 EST) and have your order number ready. Or write to [email protected]

What is a Domain Controller?
A domain controller puts all of your passwords in a central database. When a user logs on to a desktop PC, the PC consults the domain controller to verify the user's password. A small organization starts with a workgroup, a collection of machines that can share files and a printer. A domain is a larger collection of computers where access to files and printers is controlled by the domain controller. A domain has exactly one primary domain controller and one or more backup domain controllers.

Don't get bitten.
Only U-Promote can rescue you from a difficult dilemma: You need a DC but you already installed Windows NT Server without it. What do you do? Do you waste days of downtime while you re-install everything, or do you spend thousands of dollars on another computer?

Upgrade NT Workstation.
Suppose you decide you need a domain controller but all you have are workstations. You purchase the Windows NT Server upgrade CD-ROM. Oops, you have a problem. The NT setup upgrade procedure will not let you create a DC from a workstation upgrade. The solution is to use U-Promote. Here is how:

  • Insert the Windows NT Server CD-ROM and run WINNT32.EXE.
  • Select your current NT Workstation directory as the installation directory.
  • When prompted, select Upgrade.
  • Select the NT services you want to install (IIS, RAS, etc.).
  • When finished, immediately apply the latest NT service pack.
  • Run U-Promote to promote the newly created server to a domain controller.

Get it at:


This Week's Links We Like. Tips, Hints And Fun Stuff

  • Kyocera's SmartPhone (with Palm built in) is indeed a hit. Told ya so.
  • The Seattle Robotics Society's got a cool site. Search on Tortilla-Board!
  • Desktop Engineer's Junk Drawer has some good and useful pointers:

    40% off all Windows 2000 Books for W2Knews Subscribers

    Syngress Publishing is offering 40% off all Windows 2000 and related books to subscribers of SunBelt's W2Knews newsletter. You'll find books covering Active Directory, SQL 2000, Exchange 2000 Server, Network Services, and more. Also, for a limited time you can get copies of their Windows 2000 Configuration Wizards and Deploying Windows 2000 with Support Tools - an $80 value - for only $15.95.

    All books come with a FREE 1-YEAR Upgrade plan that provides you with two technology whitepapers, Ask the Author query forms, and downloadable HTML ebooks for your laptop. Check them out at: