____________________________PLAY BLUBRRY PROMO____________________________

____________________________PLAY ANN____________________________

____________________________PLAY OPENING MUSIC____________________________

[Keith] Welcome to the Mind Of Root - where we cover all layers of the protocol stack. I'm Keith Albright

[Rich] and I'm Rich Niemeier.

[Steve] and I'm Steve Murawski.

[Keith] This is Episode 65 recorded on Tuesday September 2nd, 2008.


Chit-Chat - What's going on with you?

[Steve]

  • Got my new monitor today. I've been battling with a couple of old CRTs that occasionally would blank out or reset themselves, so I ordered a new monitor from Dell two weeks ago. Good and bad experiences - Bad - took forever for them to ship it. I wanted it for the holiday weekend and it was listed as in stock, but they did not ship it for a week. I contacted customer service to get the shipping method changed, but by the time they changed the shipping method, it had been shipped out. Good - They were going to give me a $50 coupon, I held out for a $75 credit, so my 24" monitor only cost about $200. Woo hoo!

[Rich]

[Keith]

  • Summer colds stink

Housekeeping Items

[Rich]

[Steve]

[Keith]

  • Philly Tech Guys - 3PM Saturday September 6th, 2008. I think we will be live on UStream, either under Mike Tech Show or Philly Tech Guys - still working out some details.

____________________________PLAY TPN PROMO____________________________

____________________________PLAY FORCE FIELD PROMO____________________________

Steve's Topics

  • Google Chrome [STEVE]
-New beta browser from Google
-Fast, some neat features, but needs some work before it can be my standard browser.
-Cool Features like Stats for Nerds and Incognito Mode, built in task manager, integrated search bar
  • Comcast Sets Usage Limits for Residential Customers [KEITH]
-Starting October 1st, 2008, Comcast ISP subscribers will have a defined 250GB/month usage cap. (That is both up and down, people.)
-One month of overages results in a warning. Two months (within six month period) results in termination of service for one year.
-I'm hoping they will have a little usage chart on the bill (like utilities). First time I go over (if I do), I'll start shopping around.

-Link: http://www.informationweek.com/news/internet/reporting/showArticle.jhtml;jsessionid=W0GEBBFJ1HRBIQSNDLRSKH0CJUNN2JVN?articleID=210201500

  • BGP Vulnerability [STEVE]
-Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency (NSA). The tactic exploits the Internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.
-The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper's network. Anyone with a BGP router (ISPs, large corporations, or anyone with space at a carrier hotel) could intercept data headed to a target IP address or group of addresses.
-"It's a huge issue. It's at least as big an issue as the DNS issue, if not bigger," said Peiter "Mudge" Zatko, a computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the Internet in 30 minutes using a similar BGP attack.
-The attack is called an IP hijack and, on its face, it is not new. In the past, however, known IP hijacks have created outages, which, because they were so obvious, were quickly noticed and fixed. This is what occurred earlier this year when Pakistan Telecom inadvertently hijacked YouTube traffic from around the world. The traffic hit a dead-end in Pakistan, so it was apparent to everyone trying to visit YouTube that something was amiss.
-Pilosov's innovation is to forward the intercepted data silently to the actual destination, so that no outage occurs. Ordinarily, this should not work -- the data would boomerang back to the eavesdropper. Pilosov and Kapela, though, use a method called AS path prepending that causes a select number of BGP routers to reject their deceptive advertisement. They then use these ASes to forward the stolen data to its rightful recipients. "Everyone ... has assumed until now that you have to break something for a hijack to be useful," Kapela said. "But what we showed here is that you don't have to break anything. And if nothing breaks, who notices?"
  • USB stick that can capture cell phone data [RICH]
-
  • Bi-Directional VPN through Juniper SSG140 [KEITH]
-One of the production managers wanted access to the production control systems in the shop. He's done access before via dial-up, but we wanted to move to a VPN-based access for better speed.
-It's a UNIX based system and he runs the control software via X-Windows. I set up the VPN and could access the host via telnet, but I couldn't launch the X session.
-I had forgotten how X works and that the remote workstation is actually the server. So, the UNIX box actually connects to the remote workstation without a traditional network initiation. So, given this was a uni-directional VPN, the client could not connect back to the server.
-At first I thought it just needed a static IP assigned when coming in and I used a DIP (Dynamic IP) pool on the production network interface. It worked and I had a static known IP, but still no traffic coming back.
-I had to create a bi-directional VPN which is easy when using XAuth on the Juniper. You simply create an IP Pool and assign it to that VPN (or even to the entire XAuth setup) and it uses that pool to assign the IP to the incoming VPN client. You also enable the Virtual Adapter on the NetScreen remote IPSEC client software so that it pulls that IP Pool address to the client.
-Lastly, your IP Pool needs to be addresses OUTSIDE of any other addressing used on the device, i.e. not in the subnets of the locally connected networks. I originally used IPs in the subnet of the production network not realizing it would ARP locally and not send them to the gateway. Using a remote subnet for the pool means the host has to send to the defined or default gateway to reach that subnet.
-WinSplit Revolution is a small utility which allows you to easily organize your open windows by tiling, resizing and positioning them to make the best use of your desktop real estate.
-Now that I have a bigger single monitor, I want to make the most of the screen real-estate. I've tried using this on several machines and it works pretty well. Small footprint too.
-While I agree with the writer's concepts in general, I think tying too strong of an analogy to Electricians falls apart.
-His analogy holds on the need for mentorship, apprenticeship levels for skills and certifications.
-Unless you believe, like Nicholas Carr, that IT doesn't matter and is becoming a commodity, there are too many variations on systems to be as uniform as the National Electric Code can be.
-I think we have standards like ITIL and CoBIT, but they will take time to be adopted. SOX and HIPAA are the beginnings of what the NEC started at. Auditors are the new building inspectors.
-However, small companies need to be dynamic and flexible to stay competitive. If we as technology leaders saddle a company with too much IT structure, we cease to be valuable and become that commodity.
-Context plays a role as well. He speaks of us applying our individual standards, but some of this is needed. Example - Service Accounts - My old company wanted them all at the domain level. Understood from a management and control level. I had some apps at remote locations without a DC. I created service accounts at the server level since I could not guarantee contacting a DC for auth and it was a business critical service. This goes against a standard I agreed with but was necessary for business continuity.
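A defender-side check in the spirit of the BGP segment above (an added example, not from the show or from the researchers it discusses): given a constructed baseline of which origin AS should announce each prefix, it flags announcements whose origin differs and more-specific prefixes the baseline does not know about, since the silent variant described can carry a plausible prepended path ending in the real origin. All prefixes and AS numbers are hypothetical documentation values.

```python
import ipaddress

# Constructed baseline of prefixes this network cares about and the origin AS
# that legitimately announces each one (hypothetical values, not real routes).
EXPECTED_ORIGIN = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/23"): 64501,
}

def origin_as(as_path):
    """In a BGP AS_PATH the rightmost ASN is the origin (prepends repeat ASNs)."""
    return as_path[-1]

def check_update(prefix, as_path):
    """Return a list of findings for one observed announcement.

    Two hijack shapes are checked: the monitored prefix itself announced by
    a different origin, and a more-specific of a monitored prefix appearing
    that the baseline does not list. The second check deliberately ignores
    the origin, because a forged announcement can carry a plausible path
    ending in the real origin and still pull traffic toward the announcer.
    """
    net = ipaddress.ip_network(prefix)
    origin = origin_as(as_path)
    findings = []
    for known, expected in EXPECTED_ORIGIN.items():
        if net == known and origin != expected:
            findings.append(f"origin mismatch for {net}: saw AS{origin}, expected AS{expected}")
        elif net != known and net.subnet_of(known) and net not in EXPECTED_ORIGIN:
            findings.append(f"unexpected more-specific {net} of {known} via path {as_path}")
    return findings

def scan(updates):
    """Run check_update over (prefix, as_path) pairs and collect all findings."""
    return [f for prefix, path in updates for f in check_update(prefix, path)]

# Constructed sample feed: one legitimate route, one origin hijack, and one
# more-specific announcement whose path has been prepended to look genuine.
SAMPLE_UPDATES = [
    ("203.0.113.0/24", [64510, 64500]),
    ("198.51.100.0/23", [64510, 64666]),
    ("203.0.113.0/25", [64520, 64510, 64500]),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_UPDATES):
        print(finding)
```

In practice the baseline would come from your own announcements and the updates from a looking glass or route collector feed rather than the inline list.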

____________________________PLAY SWEEPER____________________________

Listener Feedback

From listener....Brian

I was listening to podcast 64 and heard about your Exchange 2007 problem. I had a very similar problem with one of my clients who ran Exchange 2007. However, not only did the system attendant not start but neither would the information store. They would be fine when I manually started them, but after a power failure or other restart of the server, they would not start.

I wanted to warn about Microsoft's fix for this. I followed the same article as you and decided to do the proposed registry fix for the dependencies. I first made a backup of the registry. After I made my fix and rebooted NONE of the Exchange services would start. After tinkering around, I restored the backup copy of the registry and rebooted. Once it came back up still NONE of the services would start. After panicking for several minutes and editing the registry for about an hour, I was about to get right back to where I started, wasting all that time. What I found that actually fixed the problem is here:

Link: http://technet.microsoft.com/en-us/library/bb738153.aspx

I hope this helps in some way. Love the show!

[KEITH] The article Brian links to details how to change the logging level for a particular service or function within Exchange 2007. Not sure what you found when you set the logging level higher, but I would be interested. I used this for the OALGenerator function and found a distribution group did not have a correct SMTP address defined.

From Listener....Julian who originally wrote in about the high-pitch whine on our recordings

Yes, the "whine" is still there, BUT at a much reduced level so that I can only hear it during the silent parts between speaking. This podcast was much better to listen to (not related to content)... Thanks.


Website Picks

Rich - http://

Steve - http://smallestdotnet.com Visit it in IE and it can tell you how big a download it would be to get the latest version. Many people are under the impression that the .NET Framework is a huge download, but in many cases it is not. This site can tell you the options.

Keith - http://www.geekoftheday.com/geek-jokes/ I love the old Unix command line ones to get the system to respond with the punch-line.


Last Call

Anyone....Anyone....Buehler.....Buehler....


Closing

All right, well that is it for the show. For listener feedback, you can email us at Feedback [at] mindofroot.com or post a comment on the main site at mindofroot.com. If you use iTunes, you could write a review. If you just want to show us you're listening, drop a pin on the Frappr map...there's a link on the show site.

Lastly, you can drop any show ideas or topic requests on the wiki. There is a link to the wiki on the main show site. If you would like to participate in the show; either through an interview, a segment contribution, or any other way, please let us know. We are also a member of the Techpodcast and the Blubrry networks. Check out some other great shows by going to Techpodcast.com and Blubrry.com....That's Blubrry without the E's

Thanks everyone.