Vol. 19, #17 - April 28, 2014 - Issue #977
Heartbleed: Victory or Failure for Open Source?
- Editor's Corner
- From the Mailbag
- Heartbleed: Victory or Failure for Open Source?
- Tip of the Week: Troubleshooting iSCSI target discovery
- Recommended for Learning
- Microsoft Virtual Academy
- Quote of the Week
- Admin Toolbox
- Admin Tools We Think You Shouldn't Be Without
- Events Calendar
- Asia Pacific
- Webcast Calendar
- Register for Webcasts
- Tech Briefing
- Windows Server
- Windows PowerShell
- Windows Server News
- Cloud overspending highlights capacity planning need
- Using folder redirection to store user data
- The advantages and limitations of Hyper-V Recovery Manager
- Five Mac tips for Windows desktop admins
- WServerNews FAVE Links
- Skydiver Films Meteorite Nearly Hitting His Parachute
- Lamborghini Murcielago Roadster - Pamplona Bull Run -Top Gear
- World's Largest Aircraft - Antonov 225
- Postmodern Jukebox - Ellie Goulding - 'Burn'
- WServerNews - Product of the Week
- Real-Time Monitoring for Exchange Health from SolarWinds®
- SAVE THIS NEWSLETTER so you can refer back to it later for helpful tips, tools and resources!
- FORWARD THIS NEWSLETTER to a colleague who you think might find it useful!
- SEND YOUR FEEDBACK to [email protected] if you have any comments or suggestions!
This week's newsletter is all about the Heartbleed vulnerability and whether it represents failure or victory as far as Open Source software is concerned.
While infosec stuff like Heartbleed is a little too technical to find its way into a comic like Dilbert, our old mainstay xkcd isn't afraid to tackle it and has done so in the following two webcomics:
Don't forget to read the mouseover text for these two comics...
From the Mailbag
Here's a bit more reader feedback concerning our recent issues Does the IT Profession need to be Regulated? (Issue #973) and Reader Feedback: Does the IT Profession Need to be Regulated? (Issue #975):
Patrick who works in the US Federal Government sector said:
I read the entire article and was struck by the absence of something that I would consider a solution that was not discussed. That being that "All software needs to meet specific standards and requires testing to prove that that happens." Test the code, not the person. Have coding standards just like a "UL" approved sticker. If it doesn't meet the standard, it doesn't get sold, bought, or put in production.
Another reader named Bobby said:
When you get companies like Microsoft, Oracle, IBM etc. to remove the "non-liability" clauses from their licensing and product labels, then I'll be all for it.
I asked him to explain further and he replied:
Look at any software product licensing or legal clauses on boxes of software and you will see "is not held responsible" etc.; essentially the companies are side-stepping being held responsible for the OS rebooting and causing damage or injury, or for the software having bugs that caused something to go wrong, even if the bug was the fault of the supplying company, etc.
How can I take responsibility for integrating a Microsoft product, for example, into a mission-critical application when the supplier side-steps all responsibility for it being reliable? Generally, this is handled by redundancy and dependence on more solid-state devices in the real world, external to the I.T. function, but not in all cases. If an application or OS fails due to some "unknown" memory leak, who really should be blamed?
In the Tip of the Week section of Reader Feedback: Does the IT Profession Need to be Regulated? (Issue #975) I explained how you can configure Outlook views to show which folder an email message is in when you browse your search results. A reader named Bernie responded as follows:
Hi Mitch, great article, as I've struggled to locate which folder an email was in after getting the Outlook search results!
One request though: is it possible to show the full folder path to the found email? I use nested subfolders to organize my Outlook emails, and the tip results in only showing the final folder, not the whole subfolder path. Now that would be really helpful!
I haven't found a way of doing this--can any readers out there help?
Finally, a reader named Vladislav from Russia sent us the following feedback concerning our issue titled Restoring a Windows Phone (Issue #974):
It definitely exists -- the restoring function, but…
- It does not restore the start screen.
- You should remember all your hundreds of passwords.
- The SMS messages are restored in some unusual way, so the message texts are preserved, but the chats are not.
- Some programs refuse to install (I think because of some updates).
- You lack the PDFs list, because it is saved in some hidden place on your phone, and in general most downloaded data for programs (for example, offline maps for Nokia HERE Maps, the list of radio stations, and many, many more that do not fit in the Procrustean bed of Documents-Photos-Videos).
Many, many more problems are ahead…
That's very helpful feedback, but I wonder if the restore capabilities on other phone platforms like iOS and Android have similar limitations?
Now on to the main topic of this issue...
Heartbleed: Victory or Failure for Open Source?
There's been a lot of news lately about the OpenSSL (a.k.a. "Heartbleed") vulnerability. Most of the coverage by big media has been inaccurate to varying degrees. For example, some news outlets have said that when the vulnerability is exploited it leaves no trace behind of what happened. This is obviously ridiculous--exploitation may not log anything in the system or web server logs, but inspecting intrusion detection system (IDS) and firewall packet logs can help you identify whether sensitive data may have been copied from your servers.
What interests me, however, is whether the discovery and patching of this vulnerability represents a victory or a loss for Open Source vs. proprietary security software. What brought this to mind was what the German software developer whose coding oversight created the vulnerability said, as quoted in the Sydney Morning Herald:
"The benefit of open source software is that anyone can review the code in the first place. The more people look at it, the better, especially with a software like OpenSSL."
An article on eWeek suggests that the Open Source paradigm might be the underlying cause of this catastrophe:
"And that idea of an open, free software development environment in which an entire community of programmers work together to create software everyone needs is part of the problem in this case. It's a problem because it assumes that there will be a large community of developers, all of whom check the code over time, looking for errors. But in the real world, the open-source software is developed and then released into production, and because there are so few people in the community who understand it, very little checking happens."
The same article however also suggests a solution to this Open Source dilemma:
"But rather than use the Heartbleed bug as a reason to indict open source as being unreliable, what really needs to happen is to use this as a wakeup call. All of those companies—from Yahoo to Dropbox—that used OpenSSL without doing anything to help create and improve the product are paying for that neglect now. Once they spend millions to fix the problem, perhaps they can spend a few thousand more to help fund development of this critical security library."
When this issue was discussed on Soylent News it received some interesting responses:
"So there's not always lots of eyes looking at open source code. That's not necessarily a weakness though. It's more like failing to take advantage of a strength."
"If OpenSSL were closed source, chances are it would have taken much longer for the bug to become public, if it ever did. This bug was found by a code audit which could be conducted openly and fairly precisely because the code is open source."
But I question this kind of almost blind mistrust of closed source development, especially when it comes to Microsoft. I have great respect for the company as it exists today with regard to its concern for ensuring the security of its products. My friend and fellow fit IT pro Yuri Diogenes has just published links to some official statements from Microsoft concerning the "Heartbleed" vulnerability and their products/services on Microsoft's Curah! site here:
And by the way be sure to check out Yuri's before and after photos of an IT pro who has lost 100 lbs of excess weight:
I'll also be reaching the five year milestone of my own fitness transformation this Fall and will update IT pro readers of this newsletter who are struggling with their own weight problems to show you what is possible if you set your mind to it.
Anyways, back to Heartbleed. Does the discovery of this vulnerability vindicate the Open Source development paradigm and put the last nail in the coffin for trusting closed source? Or are companies actually better off trusting proprietary security solutions like Schannel, the SSL/TLS security package built into the Microsoft Windows platform?
But there's more to reflect on. Regardless of your position on the above issue, it may be irrelevant for several reasons. First, even if your public-facing web application uses IIS and is therefore not vulnerable to Heartbleed, it's possible or even very likely that users access your site via a load balancer or reverse proxy that's running OpenSSL and is thus vulnerable to the attack, yikes! Read more here:
Even worse, OpenSSL on the client side is also vulnerable to this problem:
I don't think this Reverse Heartbleed attack has gotten much exposure in the mainstream tech media, so maybe start spreading the word.
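To make the earlier point about IDS and packet logs concrete, here is an added example written for this column (it is not code from the newsletter, from OpenSSL, or from any IDS product) that applies two checks to captured TLS records. The first is the bounds check from RFC 6520 that OpenSSL omitted: a heartbeat's declared payload_length must fit inside the record with at least 16 bytes of padding. That field is only readable where the heartbeat body is in the clear (before encryption starts, or in a decrypted capture). The second check uses nothing but the record length in the 5-byte TLS record header, which TLS 1.0 through 1.2 never encrypt, and flags a heartbeat record far larger than any legitimate one; the 256-byte threshold is an assumption for this example. Because both checks look at heartbeat requests and responses alike, the same scan covers the "Reverse Heartbleed" case, where the abnormal heartbeat comes from the server to a client. The captures below are constructed byte strings, not real traffic.

```python
import struct

TLS_HEARTBEAT = 24               # TLS record content type for heartbeat messages (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2   # HeartbeatMessageType values
MIN_PADDING = 16                 # RFC 6520 requires at least 16 bytes of padding
MAX_SANE_RECORD = 256            # assumption for this example: legitimate heartbeats are tiny


def parse_tls_records(data):
    """Split one direction of a captured TLS byte stream into
    (content_type, version, body) tuples. TLS 1.0-1.2 record headers are
    5 bytes and sent in the clear. A truncated trailing record is dropped."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, version, body))
        off += 5 + length
    return records


def heartbeat_length_violation(body):
    """Inspect a plaintext heartbeat body and return (kind, claimed, allowed).
    'claimed' is the payload_length field; 'allowed' is the most the record can
    legitimately carry once the 3-byte heartbeat header and minimum padding are
    removed. Verifying claimed <= allowed is the check OpenSSL omitted."""
    if len(body) < 3:
        return "malformed", None, 0
    hb_type, claimed = struct.unpack("!BH", body[:3])
    kind = {HB_REQUEST: "request", HB_RESPONSE: "response"}.get(hb_type, "unknown")
    allowed = max(len(body) - 3 - MIN_PADDING, 0)
    return kind, claimed, allowed


def scan(stream, direction="client->server"):
    """Apply both heartbeat checks to one direction of a stream; returns alert strings."""
    alerts = []
    for ctype, _version, body in parse_tls_records(stream):
        if ctype != TLS_HEARTBEAT:
            continue
        # Check 1: declared payload_length vs. what the record actually contains.
        # Only meaningful where the body is readable (pre-encryption or decrypted).
        kind, claimed, allowed = heartbeat_length_violation(body)
        if claimed is None or claimed > allowed:
            alerts.append(f"{direction}: heartbeat {kind} claims payload_length={claimed}, "
                          f"record can only hold {allowed}")
        # Check 2: record size alone. Works on encrypted sessions too, because the
        # record length in the header is never encrypted in TLS 1.0-1.2.
        if len(body) > MAX_SANE_RECORD:
            alerts.append(f"{direction}: heartbeat record of {len(body)} bytes "
                          f"(legitimate heartbeats are a few dozen bytes)")
    return alerts


# ---- constructed sample captures for this example (not real traffic) ----
def tls_record(ctype, body, version=0x0301):
    return struct.pack("!BHH", ctype, version, len(body)) + body


def heartbeat(hb_type, claimed, payload, padding=b"\x00" * MIN_PADDING):
    return struct.pack("!BH", hb_type, claimed) + payload + padding


BENIGN = (tls_record(23, b"GET / HTTP/1.1\r\n")                  # application data, ignored
          + tls_record(TLS_HEARTBEAT, heartbeat(HB_REQUEST, 4, b"ping")))
# Declares 16 KB of payload but carries one byte: the length mismatch check 1 catches.
OVERSIZED_REQUEST = tls_record(TLS_HEARTBEAT, heartbeat(HB_REQUEST, 0x4000, b"x"))
# A well-formed but 16 KB heartbeat response: internally consistent, so only check 2 fires.
LEAKY_RESPONSE = tls_record(TLS_HEARTBEAT, heartbeat(HB_RESPONSE, 0x4000, b"x" * 0x4000))

if __name__ == "__main__":
    for name, stream, direction in [("benign", BENIGN, "client->server"),
                                    ("oversized request", OVERSIZED_REQUEST, "client->server"),
                                    ("16 KB response", LEAKY_RESPONSE, "server->client")]:
        print(name, "->", scan(stream, direction) or "no alerts")
```

In practice you would feed `scan` the reassembled TCP payload of each direction of a connection separately. The 16 KB response case is the one to watch for on already-encrypted sessions: its payload_length field is consistent with its record length, so the mismatch check cannot see anything, and only the abnormal record size gives it away.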
Send us feedback
What's your position on the questions raised by our editorial? Let us know at [email protected]
The following tip is excerpted from my book Training Guide: Installing and Configuring Windows Server 2012 from Microsoft Press:
If your attempt to discover an iSCSI target fails, it is usually for one of the following reasons:
- The wrong target portal IP address or DNS name was configured on the initiator.
- The wrong IQN for the initiator was assigned when the target was created.
- There are problems with network connectivity between the initiator and target computers.
Troubleshooting the first issue is straightforward. To see if the second issue is the cause of the problem, try assigning IQN* as the target, which allows any initiator to connect to it. And, of course, you can troubleshoot the third issue using standard network troubleshooting procedures.
GOT TIPS you'd like to share with other readers? Email us at [email protected]
This week we've got some popular hacking titles for you to check out (but put on your white hat first):
The Basics of Hacking and Penetration Testing, Second Edition: Ethical Hacking and Penetration Testing Made Easy
Hacking Exposed 7: Network Security Secrets & Solutions
Hacking For Dummies
Social Engineering: The Art of Human Hacking
The Hacker Playbook: Practical Guide To Penetration Testing
The Browser Hacker's Handbook
Microsoft Virtual Academy
A quick announcement from the Microsoft Virtual Academy:
May 1: SQL Server in Azure Virtual Machines: Developer Jump Start
SQL Server developers, attend this free, live online Jump Start and learn how to build and deploy apps running SQL Server in Azure Virtual Machines. And find out how to move existing on-premises databases and applications to the cloud as-is. You'll see lots of demos featuring migration tools and a sample app that utilizes both Azure Virtual Machines and Azure Cloud Services. If you're a DBA or solution architect with some SQL Server experience and you want to know more about Azure, this session is also for you! Register here:
Quote of the Week
"I'm certainly the last person to give advice on, well, anything." --George Clooney
Note to subscribers: If for some reason you don’t receive your weekly issue of this newsletter, please notify us at [email protected] and we’ll try to troubleshoot things from our end.
Admin Tools We Think You Shouldn't Be Without
SolarWinds Free Exchange Monitor delivers insight into Exchange services, mail queue sizes, & server health. Easily keep a vigilant eye on Exchange health so this mission-critical app never fails you!
Veeam Backup Free Edition is the must-have tool for VMware and Hyper-V. Use Veeam Backup Free Edition for as long as you like. Download now!
The Drobo S is an external RAID enclosure that supports eSATA:
The New Trent iCarrier 12000mAh battery pack can be charged using a standard USB charger:
SANOXY Micro USB OTG to USB 2.0 Adapter is great for connecting peripheral devices to your tablet or smartphone:
TechEd North America on May 12-15, 2014 in Houston, Texas
Microsoft Worldwide Partner Conference (WPC 2014) in July, 2014 in Washington, D.C.
Microsoft SQL Server PASS Summit 2014 on November 4-7, 2014 in Seattle, Washington
European SharePoint Conference on May 5-8, 2014 in Barcelona, Spain
TechEd Europe on October 27-31, 2014 in Barcelona, Spain
TechEd New Zealand on September 9-12, 2014 in Auckland, New Zealand
Add your event
PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 95,000 subscribers about? Contact [email protected]
Register for Webcasts
Add your Webcast
PLANNING A WEBCAST you'd like to tell our subscribers about? Contact [email protected]
Securing Active Directory with PowerShell (WindowSecurity.com)
Is There Still Life Left in Forefront Threat Management Gateway (TMG) 2010 (ISAserver.com)
Windows Server Tips: Analyzing Possible Storage Savings Via The Deduplication Evaluation Tool (CanITPro)
Tracking NTLM Authentication Delays And Failures In Both Windows Server 2008 SP2 And Windows Server 2008 R2 (Jorge's Quest for Knowledge)
Introducing Windows PowerShell Desired State Configuration (CanITPro)
Beyond Zip - How to store 183 GB of VMs in a 16 GB file using PowerShell (Deployment Research)
Automate Live VM Export (The Lonely Administrator)
What You Need to Know About Software Defined Networking in Hyper-V (Part 1) (VirtualizationAdmin.com)
Cloud overspending highlights capacity planning need
In the age of cloud, smart cloud capacity planning has been used infrequently and often unsuccessfully, costing more than just money. Find out why effective capacity planning is essential for your company and get an exclusive insider look at tools used for overcoming potential obstacles.
Using folder redirection to store user data
A big challenge for virtual desktop admins is storing user data in a way that is easy to manage. Both folder redirection and profile redirection help with storing user data in VDI shops, but one option is significantly more efficient than the other. Uncover the key differences between the two and learn how to easily store your user data.
The advantages and limitations of Hyper-V Recovery Manager
Windows Azure Hyper-V Recovery Manager offers key disaster recovery benefits, but many IT pros are steering clear of it due to its current pricing, complexity, and distinct limitations. Read on for a clear breakdown of Hyper-V Recovery Manager's pros and cons to see if this cloud service option may, in fact, be right for your needs.
Five Mac tips for Windows desktop admins
The growing presence of Macs in the workplace is causing a major increase in both service tickets and headaches for desktop support techs that have been used to working only with Windows machines. Fortunately, this article from SearchEnterpriseDesktop.com reveals five invaluable Mac tips to help desktop admins straddle two OSes.
This Week's Links We Like. Tips, Hints And Fun Stuff
GOT FUN VIDEOS or other fun links to suggest you'd like to recommend? Email us at [email protected]
Skydiver Films Meteorite Nearly Hitting His Parachute
This is the first time in history that a meteorite has been filmed in the air during dark flight - after it has burned out.
Lamborghini Murcielago Roadster - Pamplona Bull Run -Top Gear
After surviving the famous stampeding bulls in Pamplona, Spain, Richard Hammond finds his next thrill in the Lamborghini Murcielago Roadster.
World's Largest Aircraft - Antonov 225
The amazing 6-jet-engined Antonov 225 takes off at Manchester Airport.
Postmodern Jukebox - Ellie Goulding - 'Burn'
Postmodern Jukebox takes pop music back in time with their 1960s doo wop girl group style remake of Ellie Goulding's hit single 'Burn'.