Tim Long

Forever in Electric Dreams
The life and times of a Small Business Server MVP and all-round technology enthusiast. Tim is founder of TiGra Networks, a company based in South Wales UK specialising in small business IT. This blog is aimed at Microsoft Small Business Specialists, IT professionals, Astronomers and anyone interested in science and technology.
Asterisk Security Vulnerability

Asterisk trixbox

Actually this is not a vulnerability in the product itself, but if you use Asterisk or one of its derivatives such as TrixBox, you should review your SIP and IAX secrets to make sure they are not the same as your extension numbers. As reported by Kerry Garrison on his blog:

There are some new scripts out in the wild that are attacking Asterisk-based systems. These scripts attempt to authenticate to your SIP extensions. If you have configured your extensions with the secret being the same as the extension number and you have SIP or IAX2 exposed to the internet, then your system is vulnerable.

It seems that setting the SIP secret to the same value as the extension number (as shown here in the screen shot taken from TrixBox CE) is a fairly common practice, which makes internet-facing deployments an easy target for these scripts. If you’re in this position, you should immediately review your SIP secrets and set them all to strong passwords – note that terminals and soft phones will need to be reconfigured to use the new passwords, but this will not affect voicemail pass codes.
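As an added example (not part of the original post, nor Kerry Garrison's code), this Python audit reads configuration in Asterisk's `sip.conf`/`iax.conf` syntax and flags extensions whose secret equals the extension number. It goes slightly beyond the post by also flagging secrets that contain the extension, all-digit or short secrets, and registering devices with no secret at all; the sample configuration, the `MIN_LENGTH` value and the function names are assumptions.

```python
import re

# Constructed sample in Asterisk sip.conf / iax.conf syntax (not from a real system).
SAMPLE_CONF = r"""
[general]
bindport=5060

[201]
type=friend
secret=201          ; same as the extension number
host=dynamic

[202]
type=friend
secret = 2020
host=dynamic

[203]
type=friend
secret=tK9vR2mqLz8Xw4bN
host=dynamic

[204]
type=friend
host=dynamic
"""

MIN_LENGTH = 12  # assumed local policy, not an Asterisk requirement
SECTION_RE = re.compile(r"^\[([^\]]+)\]")
COMMENT_RE = re.compile(r"(?<!\\);")  # ';' starts a comment unless escaped as '\;'


def parse_peers(text):
    """Return {section_name: {option: value}} for every section except [general].

    Template inheritance such as [201](base) is not resolved; only options
    written directly in the section are seen.
    """
    peers, current = {}, None
    for raw in text.splitlines():
        line = COMMENT_RE.split(raw, maxsplit=1)[0].replace("\\;", ";").strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            name = match.group(1).strip()
            current = None if name.lower() == "general" else peers.setdefault(name, {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            # Asterisk accepts both 'key=value' and 'key => value'.
            current[key.strip().lower()] = value.lstrip(">").strip()
    return peers


def audit(text):
    """Return a sorted list of (extension, reason) for weak or missing secrets."""
    findings = []
    for ext, opts in parse_peers(text).items():
        secret = opts.get("secret")
        if secret is None:
            # A device that registers (host=dynamic) with no secret or md5secret.
            if "md5secret" not in opts and opts.get("host") == "dynamic":
                findings.append((ext, "no secret set"))
        elif secret == ext:
            findings.append((ext, "secret equals extension number"))
        elif ext in secret or secret.isdigit():
            findings.append((ext, "secret contains the extension or is all digits"))
        elif len(secret) < MIN_LENGTH:
            findings.append((ext, "secret shorter than policy minimum"))
    return sorted(findings)


if __name__ == "__main__":
    for ext, reason in audit(SAMPLE_CONF):
        print(f"extension {ext}: {reason}")
```
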

Security Arms Race Escalating?

A possible glimpse of things to come from Amy Babinchak on her Small Business Tech Notes blog highlights a new type of attack using x.509 certificates that is on the increase in the USA. Amy speculates that the bad guys are beginning to escalate the security arms race by leveraging some of the technologies (like SSL) that are supposed to keep us secure:

if the secure website you've gone to turns out to not be so secure there could be bad stuff coming through that tunnel and there's no way to detect it until it's too late. I think that we're going to start to see an uptick on this type of attack.

Amy’s point, of course, is that encryption technology that stops bad guys peeking at your information also stops your firewall, antivirus scanner and internet security tools from examining it too. If the bad guy can get you to install his x.509 certificate, then he can encrypt his attack on your computer, sidestepping your application layer firewall.

Small Business Tech Notes: Warning: Bank Fraud

I'm Twittering

Inspired by Richard Tubb’s remarks, I’m Twittering. You can follow me at http://twitter.com/Tim_Long. If you know me and you’re twittering then I want to follow you. Please drop me a PM or comment here and I’ll add you. I’m not sure about twitter, it’s one of those things that I can’t really see the point of yet – but I thought that about blogging when I first started. Often, it’s hard to see the benefits of something unless you’re actually using it. Lots of people that I know in business are doing it but I’m always reminded of “The Emperor's New Clothes”. So I’m going to give it a try for a while and see how it works out. I wonder if I’ll end up being that little boy in the crowd shouting “The Emperor is naked!”

Are You Deploying Windows Vista?

 I'm curious how many Microsoft Partners are/are not deploying Windows Vista. I've started a discussion thread at the SBSC group on LinkedIn. If you're not already a member of that group, please take this opportunity to join if you are SBSC qualified.

The Matrix Runs on Windows

I saw this spoof video referenced on a mailing list, I just love it. Some of the gags are a bit obvious, but the immortal Clippy makes a comeback appearance.

WESS Discounted Upgrades and Migrations with Solutions Pathway

Licensing for Windows Essential Server Solutions either just got easier, or more complicated. I can’t really decide which, so I’ll leave that decision to you…

Get a Discount on Windows Essential Server Solutions Upgrades & Migrations with Solutions Pathway

Help your customers easily upgrade or migrate from their existing solutions to meet changing business needs. Solutions Pathway, exclusively for Windows Essential Server Solutions, provides tiered savings that enable you to develop new revenue streams when you help customers cost-effectively upgrade or migrate from existing solutions to the latest Windows Essential Server Solutions offerings. Leverage your customers’ existing investments—and help them make the transition to the latest Windows Essential Server Solutions offerings today. Small Business Specialists and Networking Infrastructure Solutions partners receive an additional 10% discount

Don’t Forward Virus Warnings

Virus warnings are almost always hoaxes. Even if they’re not, forwarding the warning to your friends and colleagues can do more harm than good. My simple advice is this: press delete.

Virus warnings and hoaxes are one particular flavour of chain email. For in-depth information on why you should never forward chain email, see my article from January 2008.

Delivering super-fast broadband in the UK

This publication is available on the Ofcom web site and is in the form of an Interactive Executive Summary where you can leave comments. There are actually very few comments on the document at present, I have started adding mine today.

We (IT Professionals) are the people who know best what our businesses and those of our customers need from a next generation broadband network. If we don’t make our views known, then the interests of the likes of BT will prevail, and if history is anything to go by, the corporate agenda is not necessarily in the interests of broadband users.

I encourage you to review this document, it will not take too long and if we all try to make constructive comments, we could yet have an influence on next generation broadband. Let’s make a difference, or at least make it hard for Ofcom to claim they didn’t know what we wanted.

Delivering super-fast broadband in the UK - Interactive Executive Summary

Is DSL Meeting Subscribers Needs?

I spent a fair chunk of today with Peter Gradwell and some of his colleagues from Gradwell.com. They were celebrating the company’s 10th anniversary and were kind enough to invite some of their customers to lunch in Cardiff Bay. We chose Gradwell.com as our preferred supplier of digital trunks for our digital telephony solution, partly because we’ve found their support and technical know-how to be first rate. One of the subjects that came up in conversation (and there were many) was the state of the UK broadband industry, which I personally find to be woeful with a few notable exceptions. TiGra Networks has recently switched to Be Unlimited (an O2 offshoot) to get a quality of service that could handle our VoIP traffic, our previous ISP was hopelessly inadequate and VoIP was just not reliable. It turns out that Gradwell has now launched its own Local Loop Unbundling (LLU) DSL service, which I am assured can be configured with Quality of Service to prioritise voice traffic, making it an ideal companion for one of Gradwell’s digital trunks or centrex services.

Coincidentally, I was just reading a copy of Comms Business that someone had left in the office and there is an article titled DSL - Breaking Free by Ian Thomas of Cable & Wireless. Ian says:

Networks and commercial arrangements architected around the delivery of email and best-efforts browsing are floundering in the face of new, high bandwidth ‘over-the-top’ services such as [BBC] IPlayer, hosted CRM and VoIP services.

These services crash the economics of over-subscribed networks by forcing ISPs to pay more to BT than they make per subscriber, and highlight to subscribers that the way these networks are managed is not to their benefit. Businesses and consumers are seeking alternative ways of getting the services they need and use.

I concur, and I’ve voted with my feet. I’ve ranted in the past that I feel ISPs are missing the point of broadband, especially where businesses are concerned, weighting so heavily in favour of downstream bandwidth and crippling upstream bandwidth. The Internet is no longer just about email and web. In the new era of Software + Services it is about distributed computing – witness the launch of Windows Azure this week. It is about businesses connecting their digital telephony up to their ITSP, publishing web sites, sharing and synchronising data with geographically dispersed virtual teams, working from home with remote access connections, pushing email to mobile devices, all of which require upstream bandwidth. The UK broadband market is ripe for a shakeup. Today’s best hope is the LLU providers like Gradwell, Be Unlimited and Cable & Wireless, but even so we still see the emphasis on downstream traffic. I would like to see more focus and much better pricing on SDSL and equivalent services.

Windows Azure announced at PDC 2008

Ray Ozzie delivered the keynote speech at PDC 2008 a few moments ago. He spoke about a number of interesting topics.

Challenges of Virtualization & Distributed Systems

Ray suggested that business continuity is a challenge not easily addressed by small and medium enterprises. The only real way to mitigate disasters such as earthquake, fire and flood is to have more than one data centre, geographically distant. This has its own challenges of redundancy and data synchronization.

Microsoft has years of indirect experience in cloud computing, running services like Live Messenger, Hotmail, online help systems and Office Live.

Introducing Windows Azure

A new tier of architecture at the global scale. Windows Azure is the foundation bedrock for building scalable online applications and cloud based services. Personally, I thought “Windows Cloud” was a better name, but Microsoft has never been good at making product names. Ray described three tiers of technology. Tier 1 is the experience tier and is all about the individual. Tier 2 roughly corresponds to the enterprise and encompasses systems for provisioning, managing and computing at the enterprise scale. Tier 3 is the external tier and is at the scale of the web.

Windows Azure is not something we will install on our own servers. It is a service in the cloud. As you can see from the screen clipping, Azure will include Live Services, .NET Services, SQL Services, SharePoint Services and Dynamics CRM Service.

Operating Systems for The Cloud

Amitabh Srivastava describes how Windows Azure provides a layer of abstraction from the details of global distributed computing. For example, how do you upgrade your application or the underlying OS without degrading performance or going offline? Windows Azure manages problems like these. At the heart is a ‘Fabric Controller’ which views the entire data centre as a pool of resources and maintains the health of services. Windows Azure provides managed services, not just managed servers.

An Azure application consists of two things: the code to implement the service, plus an XML file describing the architecture of the service or application. The Azure Fabric Controller operates on this XML file to provision and manage deployment and maintenance to ensure high availability of the service.

Developer Experience

Code, run and test on your local desktop PC using familiar tools.

Steve Marx demonstrated building and deploying a Hello World application using ASP.Net and Visual Studio 2008. He built a minimalist web page that simply displayed a text label. All standard stuff.

The project is then published (using the familiar techniques) but this brings up the Azure Development Portal page. The configuration file and code are uploaded to http://hellocloud.cloudapp.net/ and you can see it running there.

We then get a demo of a service called http://bluehoo.com/ which is live today on Azure. It was shown how easy it is to scale up the number of live nodes, the presenter turned up the gas from 2 to 20 instances with just a couple of clicks. The BlueHoo demo will be downloadable from midday (PST) today from http://m.bluehoo.com/

Services Architecture

Bob Muglia, pictured left, describing some of the details of the Azure services architecture. He described how Azure includes ‘scale out’ services, such as the Windows Workflow Foundation that span from on-premise systems out into the cloud environment. Available today is a set of data services built on SQL Server, over time this will be enhanced to give access to more SQL features.

Next, we see a demo of how Azure makes it possible to orchestrate a product recall spanning multiple enterprises. This was somewhat contrived but did demonstrate a workflow being initiated locally then moving out into the cloud and into partners’ systems.

Bob demonstrated an application running a SQL query against SQL Services running in the cloud. Unfortunately this was done by putting a SQL query into a string then sending the query string out to the server. This would have been far more convincing had Bob been able to use LINQ (Language Integrated Query) and it is to be hoped that Windows Azure is able to support all the innovations introduced in C# 3.0 and .Net 3.5 SP1.

There was a demo of CRM Online, the salient point was that the authentication was federated to the on-premise Active Directory so there was no need for a separate login to the cloud service. The presenter showed how we can hit the CRM web service to extract data into Office then publish that up to SharePoint services. Nothing earth shattering, I am doing all this today, except that this stuff all runs on Microsoft servers. This stuff has huge potential, but somehow it fails to inspire. Honestly, I was getting very bored at this point. A lot was said but talk is cheap. The proof of the pudding will be in the eating. Microsoft has invested in several mammoth data centres around the globe (one of which is in Ireland) so I’m sure we are going to see a lot more of Windows Azure. I’m just not effervescing yet.

Whose Fault is it?

Let me start with a disclaimer: I neither love nor hate Linux. I sell a product that uses it, but wish I didn't have to. I read a blog called the Linux Hater’s Blog and, while I don’t completely approve of the language and style, I think the author cuts to the quick and his posts make interesting reading.

Today I saw a post titled Linux Hater's Blog: Mini-Rant that ended in the following paragraph:

If you upgrade your version of Windows and an application breaks, it's Microsoft's fault. If you upgrade your version of OS X and your application breaks, it's the ISV's fault. If you upgrade your version of Linux and your application breaks, well, that's your own damn fault.

I find resonance in that sentiment and it is typical of the way this blog cuts through the FUD and gets to the heart of the matter.

Windows "Cloud" is Coming...

I was fortunate to attend a Microsoft event in London today on the topic of Software plus Services, at which the keynote speaker was none other than Microsoft CEO Mr. Steve Ballmer. He was not what I expected - I was pleasantly surprised. He comes across as genuine but direct and to the point, humorous and personable. If you know David Overton, you will recognise the style.

A couple of interesting things came up during the sessions, the first of which is what Steve (I get the impression he would not mind me referring to him in the familiar) referred to as Windows "Cloud" (this is not the real product name). A product announcement is due in 4 weeks' time at the Professional Developers Conference (PDC) so I'll be watching that with interest. Windows Cloud - it is hinted - will be all about providing cloud computing infrastructure, so it is easy to write applications that run on the desktop, on mobile devices and in the web browser. It will provide essentials (such as storage), infrastructure (such as authentication, identity, data services and so on) and some pre-built services. This is certainly an interesting concept, if a little unsettling for those such as I, who have just embarked on a hosting venture (LiveCRM.biz).

Something that came up in the Q&A session that seemed to take Steve genuinely by surprise was a question about something called "Midori". Steve was taken aback that this supposedly secret product was on partners' radar, but actually it is documented on Wikipedia, so I wonder if this might have actually been a carefully engineered "leak". Steve described it as a Microsoft Research incubation that was exploring new operating system technology that thought about things like security with a clean slate (in other words, how would things be done if Microsoft could throw away Windows and start anew, in today's insecure highly-connected environment). The Wikipedia notes describe Midori as "a managed code operating system developed secretly by Microsoft. It has been reported[1][2] to be a possible commercial successor to the Singularity operating system, a research project started in 2003 to build a highly-dependable operating system in which the kernel, device drivers, and applications are all written in managed code".

Finally, Steve is quite happy to give out his email address and says he will reply personally. When asked how many emails he receives each day, he replied "about 75". He had to repeat that figure several times to quell the murmurs of incredulity from the audience, but he went on to explain: "People don't like to waste your time". He added that once all the spam was removed, he actually didn't get all that many emails. He said he expected to receive perhaps two as a result of giving out his address today (to a room full of several hundred people). Thinking about it, I have myself been tempted to email Mr. Ballmer on a few occasions but have in the end decided not to, on the grounds that it wasn't important enough.

All in all, I was quite impressed with Steve Ballmer, which took me a little by surprise. Most of the material out there on the web paints him in a fairly negative light and I guess I had been taken in by that. It was also nice to catch up with Claire Barclay (head of partner marketing), Tim Kimber (Office Live supremo), our SBS PALs, Vijay and Gareth and Andrew from SBS-WoE. I want to mention the ladies and gentlemen of the Microsoft UK Events team - some of whom I am getting to know quite well - who always do a very professional job and are a credit to Microsoft.

Beta is the new Product Release

I lost my cool a little bit today, when someone on the MVP programme emailed me and asked me to try Internet Explorer 8 beta 2. They said I could try to join the beta program, no guarantee I would be accepted, but they wanted to offer me the opportunity to try. Gee, thanks. Here is my reply in full:

I’m afraid that IE8 beta 2 is well past engineering and is now already a marketing exercise. That’s too late for my involvement. I have already tried and failed to get onto the beta programme. Which is a shame, because I have had a truly miserable experience with IE8 beta 2. I could have provided valuable feedback.

I should have been able to air my concerns through the MVP Early Warning System – but IE8 issues are explicitly excluded by policy on the EWS home page.

My vision for the MVP Early Warning System was so that MVPs – the industry experts that Microsoft itself recognises – would not have to compete with the masses to get their technical feedback heard. However, Microsoft’s vision is somewhat different. As MVPs, we should not have to compete to get onto beta programmes. Microsoft should be actively seeking us out and enticing us onto beta programmes. In fact, we should be involved long before it gets to beta stage. Microsoft has politicised the beta to the point where it is no longer about engineering, but marketing. These days, beta is already too late.

Microsoft home page www.microsoft.com

Yes that’s right, everyone who goes to the Microsoft home page is being encouraged to download IE8 beta 2. You see that? “Now available”. Oh, by the way, it’s a beta. Oh, but don’t bother to try and report any bugs, the beta is closed. That, my friend, is not a beta. IT IS A PRODUCT RELEASE. And now, NOW, you invite MVPs to join the beta?

If only you knew the problems I have had with IE8. I hope Microsoft is taking on extra support staff! Oh but wait, they don’t have to do they, because betas are not supported. That’s right. Try IE8 today! Knock yourself out. Break your system but don’t come running to us for support.

Running Out of Drive Space in Windows Vista?

Here’s a handy hard drive cleanup tip for you that is applicable only if you have installed Windows Vista Service Pack 1 update. On my system, I used WinDirStat to see where all my hard drive space was going and discovered that my %SystemRoot%\WinSxS folder was over 15 Gb. In this screen shot taken from WinDirStat, you can see the WinSxS folder circled in red and the block of files it contains arrowed and outlined with a white border (click the image for a full size version). WinDirStat is a great utility for visualising this sort of thing and you can instantly see that the WinSxS folder is a significant chunk of the drive space. That red area in the top left hand corner is my music collection, also around 15Gb of data. The two large green blocks towards the bottom right are the Windows swap file and the hibernation file.

It turns out that this folder – the Windows Side by Side assembly cache – is critical to the operation of Windows, so you definitely cannot wade in there with impunity. However, if you have upgraded to Windows Vista Service Pack 1 then the WinSxS folder is likely to contain both the RTM versions _and_ the SP1 versions of all the system files. SP1 contains a utility called vsp1cln.exe that makes SP1 permanent (i.e. cannot be uninstalled) and cleans out the old executables. You can find the vsp1cln.exe file by clicking start and typing it into the search box.

Running vsp1cln.exe took under a minute and saved more than 3Gb. This might be enough to dig you out of a tight spot for a while and uninstalling unused programs can potentially reduce the size of WinSxS even further. However, with hard drives cheaper than they have ever been, maybe now is the time to buy that upgrade.

Stupid Email Disclaimers

Email disclaimers are one of my pet hates. They are, on the whole, rather ill considered. Here’s a fairly typical one that I received today in a marketing email:

This Email any attachment may contain information which is confidential.  If you are not the addressee, any disclosure, reproduction, distribution, or other dissemination or use of this communication is strictly prohibited.  If you have received this transmission in error, please notify the sender immediately and then delete this email.  E-mail transmissions cannot be guaranteed to be secure or error free, as information could be intercepted, corrupted, lost destroyed, arrive late or incomplete, or contain viruses.  The sender, therefore, does not accept liability for any viruses, or errors or omissions in the content of this message, which arise as a result of e-mail transmission.  Please ensure that you have adequate virus protection before you open or detach any documents from this transmission

Aside from the grammatical errors, let’s pick this apart.

  • May contain information which is confidential. Does it or doesn’t it? Who decides? Am I to take it upon myself to decide whether the information is confidential?
  • If you are not the addressee… Surely, if I received the email, then by definition I am the addressee? Unless they mean original addressee – which in this case I was not (the email had been forwarded from a third party). Considering the fact that it was a marketing message designed to get me to do something as a result of receiving it, the disclaimer then prohibits me from acting on the contents of the message. So the message is either a tautology or completely self defeating.
  • If you have received this transmission in error… How would I know? What constitutes an error?
  • Please notify the sender immediately… But that would require disclosure, dissemination and use of the communication.
  • Then delete this email… But what if my email system archives all messages for auditing purposes? Am I then required to delete the message from all systems in addition to my own inbox? Who pays for the expense of that?
  • E-mail transmissions cannot be guaranteed to be secure or error free… Well actually that’s not strictly true. Emails can be encrypted and digitally signed and can have delivery and read receipts requested. I take the point though. Plain text email is not secure. But just because one organisation doesn’t know how to do secure email, doesn’t mean it can’t be done.
  • The sender, therefore, does not accept liability for any viruses, or errors or omissions in the content of this message, which arise as a result of e-mail transmission. I suspect it is very unlikely that any of these conditions would arise as a result of email transmission. It is far more likely that such errors arise as a result of human error. In some cases, for example virus infection, the email transmission arises as a result of the error, not the other way around. So again, this attempted limitation of liability is hopelessly inadequate.
  • Please ensure that you have adequate virus protection… Well, that’s best practice but a little presumptuous of the sender. “If I send you a virus, it’s your own fault for not having adequate protection”. Hmmm.

I’m not even convinced that a disclaimer delivered after-the-fact is even valid in any legal sense. In other words, how can I be bound by terms and conditions that I haven’t agreed to? I only get to see the disclaimer after I’ve read the email, which may or may not have been intended for me, may or may not be confidential and may or may not contain malware or errors. Is this starting to look silly enough yet? If not, visit the Stupid Email Disclaimers website for more examples and further discussion about why they are stupid.

To drive a final nail into the validity of these stupid darned email disclaimers, TiGra Networks has published an email policy. It reads like this:

TiGra Networks Email Policy

In response to the growing trend of ridiculous disclaimers and terms and conditions attached by some companies to their outgoing email, TiGra Networks has instigated this email policy for all mail being delivered to our email domains. If your organisation uses email disclaimers, please visit this web site for a discussion of the futility of email disclaimers:

http://www.goldmark.org/jeff/stupid-disclaimers/

This policy covers all domains owned and/or operated by TiGra Networks, including (but not limited to) the following:

  • tigranetworks.co.uk
  • long-family.com
  • speechclarity.co.uk
  • orientaliadesigns.com
  • mapug-astronomy.net
Policy Statement
  1. All content delivered to any email domain owned and/or operated by TiGra Networks becomes the property of TiGra Networks. TiGra Networks may dispose of such content in any way it chooses, including disclosing, forwarding, copying, publishing, archiving or destroying.
  2. TiGra Networks hereby explicitly declines agreement to any terms, conditions, non-disclosure notices or other stipulations contained in any electronic correspondence, unless it has agreed to them in writing in advance of the content delivery. TiGra Networks holds that such terms and conditions delivered after-the-fact are unfair contract terms and shall not be bound by them.
  3. By sending email to any domain owned and/or operated by TiGra Networks, you indicate your acceptance of our email policy. If you do not agree with our policy, do not send us email.
Timothy P. Long, B.Sc.
Business Owner and Technology Consultant
TiGra Networks
26 July 2005