____________________________PLAY BLUBRRY PROMO____________________________

____________________________PLAY ANN____________________________

____________________________PLAY OPENING MUSIC____________________________

[Keith] Welcome to the Mind Of Root. I'm Keith Albright

[Rich] and I'm Rich Niemeier.

[Steve] and I'm Steve Murawski.

[Keith] This is Episode 63 recorded on August 19th, 2008.


Chit-Chat - What's going on with you?

[Steve]

[Rich]

[Keith]


Housekeeping Items

[Rich]

[Steve]

  • Tonight we are joined by Steve Friedl of UnixWiz.net. Steve has a great write-up of the DNS vulnerability found by Dan Kaminsky and is going to walk us through what the issue really is and what the patches are doing for our security.

[Keith]


____________________________PLAY TPN PROMO____________________________

____________________________PLAY ACOAP PROMO____________________________

Steve's Topics

  • DNS Vulnerability Explanation
-Steve Friedl

In October 2003 he was named a Microsoft MVP (Most Valuable Professional) for "Windows Servers - Security" for his work in the DSL Reports Security Forum. This award was renewed in 2004, 2005, 2006, and again for 2007.

Internet Infrastructure & Security

full-time internet connection at my home office since 1994
responsible for setting up customer routers and firewalls
currently manage around a dozen customer networks, firewalls, and internet servers.

Specific areas of practice:

DNS Configuration and Hosting
Sendmail Configuration
Internet Security

Applications

UNIX fax
Computer Facsimile
UDP Client/Server Protocol
Credit Card Authorization Multiplexor
Modem-based File Transfer Communications

Databases / Data Conversion

used SQL databases since 1984
Unify, Informix, Sybase, C-ISAM, mySQL, MS-SQL, Interbase/Firebird and IBM's DB2

C/C++ and UNIX/Win32 Systems Programming

using UNIX since January 1981 and programming in C since the summer of that year.
used nearly every UNIX machine ever made save for a Cray, and have ported to something like 50 platforms over my career.
"Portability" is my middle name.
extensive experience with the Win32 platform, particularly under Windows NT.
as comfortable with OS-level work on NT as I am in UNIX.
Embedded Development

Training / Technical Writing

teach week-long classes in C and UNIX programming to such companies as IBM, BellSouth, Goldman Sachs, plus an Efficiency, Portability and Maintainability class at AT&T Bell Laboratories in Holmdel, New Jersey

He was also a volunteer English as a Second Language (ESL) instructor for many years

He has been a technical reviewer on dozens of books, some with more involvement than others.

-Interview Questions
-How realistic is this threat (for the average tech-savvy user and small to medium environment)?
-Are firewall vendors responding to this threat, to allow the maximum use of random query ports?
-What would you recommend users and smaller environments do to respond to this threat?
-Will IPv6 help with this issue or does DNS need to be rethought (long term)?
-[KEITH] Does a split DNS scenario offer some additional protection? My DNS is split between internal and external. External has recursion disabled and only serves the zone for publicly accessible hosts.
-[KEITH] Firewall and router vendors have been pulled into this because their products can undo the positive effects of DNS source port randomization if their appliance (through PAT or NAT) uses a narrower range. Are there any other techniques that can be applied until your network vendor releases a fix? One-to-one IP NAT, etc.
-UPDATE
-Steve Friedl - I commented that SonicWall hadn't appeared to have fixed this, but it seems that they have. 8 days after I opened a support ticket with them, I got a response pointing to a setting that was *not obvious* (VoIP -> Consistent NAT). Who looks in VoIP for DNS security fixes?
  • Live Mesh
-Live Mesh is an offering from Microsoft that is supposed to allow you to coordinate all your devices. Currently it is in CTP (community technology preview) status, meaning there are probably lots of changes to come.
-Part of the idea is that your home, work, and mobile devices will all be part of the Mesh... Personally, I like the idea, but from an administrative point of view, is that a good public service that Microsoft is pitching? Am I going to have to support a mesh network where people have installed software on their Mesh (the API should be released at PDC, a developer conference this fall, I think) and are going to have or want access to this at work? Part of the target network would be mobile devices, so they will want to access it from their Windows Mobile devices too.
-As people move their lives "into the cloud", it is going to be harder and harder to restrain the use of these resources, unless more draconian measures are introduced. Have you considered how you are going to handle these situations? I'm trying to figure out my response.
  • Exchange 2003 Management from Vista
-Now, that didn't take long.. :(
-Since I don't have the luxury of jumping to Exchange 2007 right away, I'm glad I can still use my management tools from Vista.
  • Microsoft Updates Licensing on 41 Server Applications - Re: Virtualization
-Microsoft is updating its software licensing terms for 41 server applications, including Microsoft SQL Server 2008 Enterprise edition, Microsoft Exchange Server 2007 Service Pack 1 Standard and Enterprise editions, Microsoft Dynamics CRM 4.0 Enterprise and Professional editions, Microsoft Office SharePoint Server 2007, and Microsoft System Center products. With the new terms, the company is waiving its previous 90-day reassignment rule, allowing customers to reassign licenses from one server to another within a server farm as frequently as needed. For many customers, the change will reduce the number of licenses they need to support their IT systems, increase agility, and simplify the tracking of application instances or processors because customers now can count licenses by server farm instead of by server.
-It's nice that they are reviewing and making the licensing more Virtualization friendly, since they are pushing Hyper-V. :)
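Following up on the question in the DNS segment above about appliances whose PAT/NAT undoes source port randomization: an added example, not from the show or from Steve Friedl's write-up, of how a defender can judge from the query source ports seen on the outside of a NAT whether the randomization survived. The three port samples are constructed; in practice they would come from a packet capture on the outside interface while the resolver is busy.

```python
import math
import random

# Constructed samples (assumption: not real captures) of UDP source ports seen
# outside a NAT while a resolver sends queries.
# 1) Resolver randomization passed through untouched.
RANDOMIZED = random.Random(7).sample(range(1024, 65536), 200)
# 2) A PAT that hands each new flow the next free port: a sequential run.
SEQUENTIAL_PAT = list(range(1025, 1225))
# 3) A NAT that squeezes every flow into a 64-port pool.
_rng = random.Random(3)
NARROW_POOL = [_rng.randrange(49152, 49216) for _ in range(200)]


def port_stats(ports):
    """Summarize how hard the observed source ports are to guess."""
    distinct = len(set(ports))
    span = max(ports) - min(ports) + 1
    steps = [b - a for a, b in zip(ports, ports[1:])]
    sequential = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
    return {
        "distinct": distinct,
        "span": span,
        "sequential_fraction": sequential,
        # Bits of work the port alone adds for a spoofer: log2 of the space the
        # ports are actually drawn from, not the nominal 64K.
        "port_bits": math.log2(span),
    }


def classify(ports, min_bits=12.0, max_sequential=0.1):
    """Label a sample as 'randomized', 'narrow' or 'sequential'."""
    s = port_stats(ports)
    if s["sequential_fraction"] > max_sequential:
        return "sequential"  # next port is predictable from the last one
    if s["port_bits"] < min_bits:
        return "narrow"      # pool too small to add meaningful entropy
    return "randomized"


if __name__ == "__main__":
    for name, sample in [("randomized", RANDOMIZED),
                         ("sequential PAT", SEQUENTIAL_PAT),
                         ("narrow pool", NARROW_POOL)]:
        print(name, classify(sample), port_stats(sample))
```

Only the "randomized" verdict means the appliance preserved what the resolver patch added; the other two are the cases the question above is about.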

Rich's Topics


Keith's Topics

  • Corrupted Winsock
-Working on a laptop for a friend. Not sure how, but the whole network setup got corrupted. I deleted the network adapter and let it refind it, but that didn't even work.
-I found a couple MS articles on rebuilding the TCP/IP stack and the entire Winsock. Running the TCP/IP rebuild didn't work, so I went to the Winsock and it resolved the problem.
-The articles give you both the easy and the full manual way to rebuild. Easiest is issuing a NETSH command. Manual is ripping registry keys.
  • Ultimate Boot CD problem
-A summer intern needed some help building new PCs for him and his father. I offered the UBCD disk I built recently with SATA support since he wanted to image his old drive and lay it down on the new one.
-So, I give him a fresh copy and it won't boot. He brings it in and I can boot it on any PC or laptop I have.
-He brings in the box and sure enough, it won't boot. We originally suspected BIOS boot order, etc., but nothing works. I popped in my older version (Rich built) and it boots fine.
-I realized the newer version has a boot menu that allows you to boot to different scenarios (DOS boot, Darik's Boot & Nuke utility, etc.) and it must not be compatible. I built a new copy without the MultiBoot/BCDW plugin and it boots fine. I would think a new DVD drive would mean better support rather than not supporting the process.

____________________________PLAY SWEEPER____________________________

Listener Feedback

From listener....Petri Lopia who posted a comment on the blog regarding Episode 61

Has anybody got that VMware ESXi server to really work? I downloaded it and installed it but it doesn't let me create any virtual machines.

It just keeps saying this when I try to start my virtual machine:

This product has expired. Be sure that your host machine's date and time are set correctly. There is a more recent version available at the VMware Web site: "http://www.vmware.com/info?id=4".

[KEITH] We had a couple back and forth comments on this until I found that it was the day of the ESX software bug related to the licensing date.


____________________________PLAY SWEEPER____________________________

Website Picks

Rich - http://

Steve - http://

Keith - http://sharkbait.computerworld.com/ Great forum for funny end user anecdotes and the Shark Tank area picks on our brethren in the IT field as well.


Last Call

Anyone....Anyone....Buehler.....Buehler....


Closing

All right, well that is it for the show. For listener feedback, you can email us at Feedback [at] mindofroot.com or post a comment on the main site at mindofroot.com. If you use iTunes, you could write a review. If you just want to show us you're listening, drop a pin on the Frappr map...there's a link on the show site.

Lastly, you can drop any show ideas or topic requests on the wiki. There is a link to the wiki on the main show site. If you would like to participate in the show; either through an interview, a segment contribution, or any other way, please let us know. We are also a member of the Techpodcast and the Blubrry networks. Check out some other great shows by going to Techpodcast.com and Blubrry.com....That's Blubrry without the E's

Thanks everyone.