Vol. 19, #17 - April 28, 2014 - Issue #977


Heartbleed: Victory or Failure for Open Source?

  1. Editor's Corner
    • From the Mailbag
    • Heartbleed: Victory or Failure for Open Source?
    • Tip of the Week: Troubleshooting iSCSI target discovery
    • Recommended for Learning
    • Microsoft Virtual Academy
    • Quote of the Week
  2. Admin Toolbox
    • Admin Tools We Think You Shouldn't Be Without
  3. Events Calendar
    • Americas
    • Europe
    • Asia Pacific
  4. Webcast Calendar
    • Register for Webcasts
  5. Tech Briefing
    • Security
    • Windows Server
    • Windows PowerShell
    • Hyper-V
  6. Windows Server News
    • Cloud overspending highlights capacity planning need
    • Using folder redirection to store user data
    • The advantages and limitations of Hyper-V Recovery Manager
    • Five Mac tips for Windows desktop admins
  7. WServerNews FAVE Links
    • Skydiver Films Meteorite Nearly Hitting His Parachute
    • Lamborghini Murcielago Roadster - Pamplona Bull Run -Top Gear
    • World's Largest Aircraft - Antonov 225
    • Postmodern Jukebox - Ellie Goulding - 'Burn'
  8. WServerNews - Product of the Week
    • Real-Time Monitoring for Exchange Health from SolarWinds®

 

Real-Time Monitoring for Exchange Health from SolarWinds®

Email and calendaring services that Microsoft® Exchange Server provides are critical when it comes to your business. With SolarWinds Free Exchange Monitor, you can easily keep a vigilant eye on Exchange health – and for free! This tool delivers continuous monitoring to deliver real-time insight into Exchange services, mail queue sizes, and host server health. Quickly identify and troubleshoot Exchange server problems, preventing email delays and calendaring issues. Spot growing mail queues that can indicate bigger issues, like transport failures, Internet connection failures, and virus activity. Leverage out-of-the-box settings based on best practices to start monitoring Exchange immediately.

Download the Free Exchange Monitor Tool Today!

 

Editor's Corner

This week's newsletter is all about the Heartbleed vulnerability and whether it represents failure or victory as far as Open Source software is concerned.

While infosec stuff like Heartbleed is a little too technical to find its way into a comic like Dilbert, our old mainstay xkcd isn't afraid to tackle it and has done so in the following two webcomics:

http://www.wservernews.com/go/1398330147058

http://www.wservernews.com/go/1398330149683

Don't forget to read the mouseover text for these two comics...

From the Mailbag

Here's a bit more reader feedback concerning our recent issues Does the IT Profession need to be Regulated? (Issue #973) and Reader Feedback: Does the IT Profession Need to be Regulated? (Issue #975):

Patrick who works in the US Federal Government sector said:

I read the entire article and was struck by the absence of something that I would consider a solution that was not discussed. That being that "All software needs to meet specific standards and requires testing to prove that that happens." Test the code, not the person. Have coding standards just like a "UL" approved sticker. If it doesn't meet the standard it doesn't get sold, bought, or put in production.

Another reader named Bobby said:

When you get companies like Microsoft, Oracle, IBM etc. to remove the "non-liability" clauses from their licensing and product labels, then I'll be all for it.

I asked him to explain further and he replied:

Look at any software product licensing or legal clauses on boxes of software and you will see "is not held responsible" etc., essentially the companies side-stepping being held responsible for the OS rebooting causing damage or injury, or the software having bugs that caused something to go wrong even if the bug was the fault of the supplying company, etc.

How can I take responsibility for integrating a Microsoft product, for example, into a mission critical application when the supplier side-steps all responsibility for it being reliable? Generally, this is handled by redundancy and dependence on more solid state devices in the real world external to the I.T. function, but not in all cases. If an application or OS fails due to some "unknown" memory leak, who really should be blamed?

In the Tip of the Week section of Reader Feedback: Does the IT Profession Need to be Regulated? (Issue #975) I explained how you can configure Outlook views to show which folder an email message is in when you browse your search results. A reader named Bernie responded as follows:

Hi Mitch, great article, as I've struggled to locate which folder an email was in after getting the Outlook search results!

One request though, is it possible to show the full folder path to the found email? I use nested subfolders to organize my outlook emails and the tip results in only showing the final folder not the whole subfolder path. Now that would be really helpful!

I haven't found a way of doing this--can any readers out there help?

Finally, a reader named Vladislav from Russia sent us the following feedback concerning our issue titled Restoring a Windows Phone (Issue #974):

It definitely exists -- the restoring function, but…

Many-many more problems are ahead…

That's very helpful feedback, but I wonder if the restore capabilities on other phone platforms like iOS and Android have similar limitations?

Now on to the main topic of this issue...

Heartbleed: Victory or Failure for Open Source?

There's been a lot of news lately about the OpenSSL (a.k.a. "Heartbleed") vulnerability. Most of the coverage by big media has been inaccurate to varying degrees. For example, some news outlets have said that when the vulnerability is exploited it leaves no trace of what happened. That's obviously ridiculous: exploitation may not log anything in the system or web server logs, but inspecting intrusion detection system (IDS) and firewall packet logs can help you identify whether sensitive data may have been copied from your servers.
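One way to act on that point, as an added example that is not from the newsletter or from the OpenSSL project: a small Python checker modelled on the length check that public IDS signatures and the OpenSSL fix apply, flagging any TLS heartbeat record whose declared payload length cannot fit in the record. The record layout follows RFC 6520; the sample records are constructed for this example.

```python
"""Flag malformed TLS heartbeat records of the kind associated with Heartbleed (CVE-2014-0160)."""
import struct

TLS_HEARTBEAT = 24            # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16           # RFC 6520 requires at least 16 bytes of random padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, fragment); None if truncated."""
    if len(data) < 5:
        return None
    ctype, version, length = struct.unpack("!BHH", data[:5])
    frag = data[5:5 + length]
    if len(frag) != length:
        return None
    return ctype, version, frag


def classify_heartbeat(record: bytes) -> str:
    """Return 'truncated', 'not-heartbeat', 'ok' or 'malformed' for a single TLS record.

    A heartbeat is malformed when the payload_length it declares cannot fit in the
    record fragment once the 3-byte heartbeat header and the mandatory 16 bytes of
    padding are accounted for. An unpatched OpenSSL trusted that field and copied
    that many bytes back from memory; a patched one discards the message silently.
    """
    parsed = parse_tls_record(record)
    if parsed is None:
        return "truncated"
    ctype, _version, frag = parsed
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    if len(frag) < 3:
        return "malformed"
    hb_type, payload_len = struct.unpack("!BH", frag[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"
    if 1 + 2 + payload_len + HB_MIN_PADDING > len(frag):
        return "malformed"
    return "ok"


def scan_records(records) -> list:
    """Run classify_heartbeat over a list of captured records; return indexes flagged malformed."""
    return [i for i, rec in enumerate(records) if classify_heartbeat(rec) == "malformed"]


# Constructed sample traffic (TLS 1.1 records, 23-byte heartbeat fragments):
#  0: benign heartbeat request, declares 4 bytes of payload and carries "ping" + 16 bytes padding
#  1: same record but declaring 256 bytes of payload it does not carry
#  2: an application-data record (type 23) that the detector must ignore
SAMPLE_RECORDS = [
    b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04" + b"ping" + b"\x00" * 16,
    b"\x18\x03\x02\x00\x17" + b"\x01\x01\x00" + b"ping" + b"\x00" * 16,
    b"\x17\x03\x02\x00\x05" + b"hello",
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, classify_heartbeat(rec))
    print("flagged:", scan_records(SAMPLE_RECORDS))
```

The same check can be run over heartbeat records extracted from a packet capture; a flagged record tells you that a probe arrived, not whether the server that received it was patched.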

What interests me, however, is whether the discovery and patching of this vulnerability represents a victory or a loss for Open Source versus proprietary security software. What brought this to mind was a remark by the German software developer whose coding oversight created the vulnerability, as quoted in the Sydney Morning Herald:

"The benefit of open source software is that anyone can review the code in the first place. The more people look at it, the better, especially with a software like OpenSSL."
http://www.wservernews.com/go/1398330213027

An article on eWeek suggests that the Open Source paradigm might be the underlying cause of this catastrophe:

"And that idea of an open, free software development environment in which an entire community of programmers work together to create software everyone needs is part of the problem in this case. It's a problem because it assumes that there will be a large community of developers, all of whom check the code over time, looking for errors. But in the real world, the open-source software is developed and then released into production, and because there are so few people in the community who understand it, very little checking happens."
http://www.wservernews.com/go/1398330217558

The same article however also suggests a solution to this Open Source dilemma:

"But rather than use the Heartbleed bug as a reason to indict open source as being unreliable, what really needs to happen is to use this as a wakeup call. All of those companies—from Yahoo to Dropbox—that used OpenSSL without doing anything to help create and improve the product are paying for that neglect now. Once they spend millions to fix the problem, perhaps they can spend a few thousand more to help fund development of this critical security library."

When this issue was discussed on Soylent News it received some interesting responses:

"So there's not always lots of eyes looking at open source code. That's not necessarily a weakness though. It's more like failing to take advantage of a strength."

"If OpenSSL were closed source, chances are it would have taken much longer for the bug to become public, if it ever did. This bug was found by a code audit which could be conducted openly and fairly precisely because the code is open source."
http://www.wservernews.com/go/1398330222480

But I question this kind of almost blind mistrust of closed source development, especially when it comes to Microsoft. I have great respect for the company as it exists today with regard to its concern for ensuring the security of its products. My friend and fellow fit IT pro Yuri Diogenes has just published links to some official statements from Microsoft concerning the "Heartbleed" vulnerability and their products/services on Microsoft's Curah! site here:
http://www.wservernews.com/go/1398330227152

[aside]

And by the way be sure to check out Yuri's before and after photos of an IT pro who has lost 100 lbs of excess weight:
http://www.wservernews.com/go/1398330306917

I'll also be reaching the five year milestone of my own fitness transformation this Fall and will update IT pro readers of this newsletter who are struggling with their own weight problems to show you what is possible if you set your mind to it.

[/aside]

Anyway, back to Heartbleed. Does the discovery of this vulnerability vindicate the Open Source development paradigm and put the last nail in the coffin for trusting closed source? Or are companies actually better off trusting proprietary security solutions like Schannel, the SSL/TLS security package built into the Microsoft Windows platform?

But there's more to reflect on. Regardless of your position on the above issue, it may be irrelevant for several reasons. First, even if your public-facing web application uses IIS and is therefore not vulnerable to Heartbleed, it's possible or even very likely that users reach your site through a load balancer or reverse proxy that's running OpenSSL and is thus vulnerable to the attack. Yikes! Read more here:
http://www.wservernews.com/go/1398330317230

Even worse, OpenSSL on the client side is also vulnerable to this problem:
http://www.wservernews.com/go/1398330323464

I don't think this Reverse Heartbleed attack has gotten much exposure in the mainstream tech media, so maybe start spreading the word.

Send us feedback

What's your position on the questions raised by our editorial? Let us know at [email protected]

Tip of the Week: Troubleshooting iSCSI target discovery

The following tip is excerpted from my book Training Guide: Installing and Configuring Windows Server 2012 from Microsoft Press:
http://www.wservernews.com/go/1398330331089

If your attempt to discover an iSCSI target fails, it is usually for one of the following reasons:

Troubleshooting the first issue is straightforward. To see if the second issue is the cause of the problem, try assigning IQN* as the target, which allows any initiator to connect to it. And, of course, you can troubleshoot the third issue using standard network troubleshooting procedures.

GOT TIPS you'd like to share with other readers? Email us at [email protected]

Recommended for Learning

This week we've got some popular hacking titles for you to check out (but put on your white hat first):

The Basics of Hacking and Penetration Testing, Second Edition: Ethical Hacking and Penetration Testing Made Easy
http://www.wservernews.com/go/1398330337370

Hacking Exposed 7: Network Security Secrets & Solutions
http://www.wservernews.com/go/1398330341714

Hacking For Dummies
http://www.wservernews.com/go/1398330346073

Social Engineering: The Art of Human Hacking
http://www.wservernews.com/go/1398330351886

The Hacker Playbook: Practical Guide To Penetration Testing
http://www.wservernews.com/go/1398330613542

The Browser Hacker's Handbook
http://www.wservernews.com/go/1398330617105

Microsoft Virtual Academy

A quick announcement from the Microsoft Virtual Academy:

May 1: SQL Server in Azure Virtual Machines: Developer Jump Start

SQL Server developers, attend this free, live online Jump Start and learn how to build and deploy apps running SQL Server in Azure Virtual Machines. And find out how to move existing on-premises databases and applications to the cloud as-is. You'll see lots of demos featuring migration tools and a sample app that utilizes both Azure Virtual Machines and Azure Cloud Services. If you're a DBA or solution architect with some SQL Server experience and you want to know more about Azure, this session is also for you! Register here:
http://www.wservernews.com/go/1398330621605

Quote of the Week

"I'm certainly the last person to give advice on, well, anything." --George Clooney

Note to subscribers: If for some reason you don’t receive your weekly issue of this newsletter, please notify us at [email protected] and we’ll try to troubleshoot things from our end.

 

Admin Toolbox

Admin Tools We Think You Shouldn't Be Without

SolarWinds Free Exchange Monitor delivers insight into Exchange services, mail queue sizes, & server health. Easily keep a vigilant eye on Exchange health so this mission-critical app never fails you! 
http://www.wservernews.com/go/1398332796448

Veeam Backup Free Edition is the must-have tool for VMware and Hyper-V. Use Veeam Backup Free Edition for as long as you like. Download now!
http://www.wservernews.com/go/1398332799355

The Drobo S is an external RAID enclosure that supports eSATA:
http://www.wservernews.com/go/1398332804652

The New Trent iCarrier 12000mAh battery pack can be charged using a standard USB charger:
http://www.wservernews.com/go/1398332809589

SANOXY Micro USB OTG to USB 2.0 Adapter is great for connecting peripheral devices to your tablet or smartphone:
http://www.wservernews.com/go/1398332826855


Events Calendar

Americas

TechEd North America on May 12-15, 2014 in Houston, Texas
http://www.wservernews.com/go/1398330627886

Microsoft Worldwide Partner Conference (WPC 2014) in July, 2014 in Washington, D.C.
http://www.wservernews.com/go/1398330629527

Microsoft SQL Server PASS Summit 2014 on November 4-7, 2014 in Seattle, Washington
http://www.wservernews.com/go/1398330631261

Europe

European SharePoint Conference on May 5-8, 2014 in Barcelona, Spain
http://www.wservernews.com/go/1398330633027

TechEd Europe on October 27-31, 2014 in Barcelona, Spain
http://www.wservernews.com/go/1398330634870

Asia Pacific

TechEd New Zealand on September 9-12, 2014 in Auckland, New Zealand
http://www.wservernews.com/go/1398330637011

Add your event

PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 95,000 subscribers about? Contact [email protected]

 

Webcast Calendar

Register for Webcasts

Add your Webcast

PLANNING A WEBCAST you'd like to tell our subscribers about? Contact [email protected]

 

Tech Briefing

Security

Securing Active Directory with PowerShell (WindowSecurity.com)
http://www.wservernews.com/go/1398330651027

Is There Still Life Left in Forefront Threat Management Gateway (TMG) 2010 (ISAserver.com)
http://www.wservernews.com/go/1398330663136

 

Windows Server

Windows Server Tips: Analyzing Possible Storage Savings Via The Deduplication Evaluation Tool (CanITPro)
http://www.wservernews.com/go/1398330667948

Tracking NTLM Authentication Delays And Failures In Both Windows Server 2008 SP2 And Windows Server 2008 R2 (Jorge's Quest for Knowledge)
http://www.wservernews.com/go/1398330671902

 

Windows PowerShell

Introducing Windows PowerShell Desired State Configuration (CanITPro)
http://www.wservernews.com/go/1398330675886

Beyond Zip - How to store 183 GB of VMs in a 16 GB file using PowerShell (Deployment Research)
http://www.wservernews.com/go/1398330679230

 

Hyper-V

Automate Live VM Export (The Lonely Administrator)
http://www.wservernews.com/go/1398330683886

What You Need to Know About Software Defined Networking in Hyper-V (Part 1) (VirtualizationAdmin.com)
http://www.wservernews.com/go/1398330688058


Windows Server News

Cloud overspending highlights capacity planning need

In the age of cloud, smart cloud capacity planning has been used infrequently and often unsuccessfully, costing more than just money. Find out why effective capacity planning is essential for your company and get an exclusive insider look at tools used for overcoming potential obstacles.
http://www.wservernews.com/go/1398330692214

Using folder redirection to store user data

A big challenge for virtual desktop admins is storing user data in a way that is easy to manage. Both folder redirection and profile redirection help with storing user data in VDI shops, but one option is significantly more efficient than the other. Uncover the key differences between the two and learn how to easily store your user data.
http://www.wservernews.com/go/1398330695761

The advantages and limitations of Hyper-V Recovery Manager

Windows Azure Hyper-V Recovery Manager offers key disaster recovery benefits, but many IT pros are steering clear of it due to its current pricing, complexity, and distinct limitations. Read on for a clear breakdown of Hyper-V Recovery Manager's pros and cons to see if this cloud service option may, in fact, be right for your needs.
http://www.wservernews.com/go/1398330699667

Five Mac tips for Windows desktop admins

The growing presence of Macs in the workplace is causing a major increase in both service tickets and headaches for desktop support techs that have been used to working only with Windows machines. Fortunately, this article from SearchEnterpriseDesktop.com reveals five invaluable Mac tips to help desktop admins straddle two OSes.
http://www.wservernews.com/go/1398330703652


WServerNews FAVE Links

This Week's Links We Like. Tips, Hints And Fun Stuff

GOT FUN VIDEOS or other fun links to suggest you'd like to recommend? Email us at [email protected]


Skydiver Films Meteorite Nearly Hitting His Parachute

This is the first time in history that a meteorite has been filmed in the air during dark flight - after it has burned out.
http://www.wservernews.com/go/1398330709198

Lamborghini Murcielago Roadster - Pamplona Bull Run -Top Gear

After surviving the famous stampeding bulls in Pamplona, Spain, Richard Hammond finds his next thrill in the Lamborghini Murcielago Roadster.
http://www.wservernews.com/go/1398330715058

World's Largest Aircraft - Antonov 225

The amazing 6-jet-engined Antonov 225 takes off at Manchester Airport.
http://www.wservernews.com/go/1398330719027

Postmodern Jukebox - Ellie Goulding - 'Burn'

Postmodern Jukebox takes pop music back in time with their 1960s doo wop girl group style remake of Ellie Goulding's hit single 'Burn'.
http://www.wservernews.com/go/1398330722933


 

WServerNews - Product of the Week


 

WServerNews - Editors

Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit from Microsoft Press and has published hundreds of articles for IT pros. Mitch is also a seven-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com

Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid is also Head of Research for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.