May 2004 Archives

MSG381

Just landed in Cincinnati and checked my evals: 7.72. Comments were mostly favorable; a few "not technical enough" and one angry "Microsoft does too support our products" from a VERITAS product manager. However, that means that John humbled me decisively (his Word session racked up an 8.21!) In fact, I was just below the average score for messaging sessions this year. I've got to do better next time.

Update: with 108 evaluations out of a total of 522 attendees, my final score was 7.78. Since the overall for messaging sessions was 7.85, I'm still a little under the curve.

Random TechEd observations

  • This year, the speaker shirts were color-coded so that MS employees and speakers had different colors. This is great, since it makes it much easier for attendees to find FTEs to bother question.
  • A request from all those born and raised in the Southern tradition of good manners: please do not use, talk on, or answer your cell phone while you are in the bathroom. Thank you.
  • The service at Dick's Last Resort is as bad as it's claimed. Unfortunately, the food is worse than reported.
  • The speaker shirt is the first shirt I've ever owned with Spandex in it. It will, God willing, be the only shirt I ever own with Spandex.
  • The San Diego airport has free WiFi service. I can get a signal sitting in my seat (6C) with the boarding door open, but it's intermittent and doesn't allow me to actually log on.

TechEd day 2 wrapup

First thing yesterday, John and I met for breakfast at Cafe 222, where I had some excellent pancakes. The food at the San Diego convention center is pretty good, but it's always nice to take a break from the HUGE CROWDS of people for which TechEd is justly famous, so we did.

I did a session and a half in the "Meet the Technologist" area yesterday, where I continued to be impressed with the level of questions we got. Lots of high-end, thoughtful technical questions, with very few of the howlers or RTFMs common in years past. The cabana idea has worked well, except when Navy SH-60s fly past outside.

Yesterday was my first spin through the exhibit hall. I got to meet with some folks from Quest/Aelita; they have an impressive line of management products that oddly doesn't seem to be well known. The Authentica folks have an interesting product that can do digital rights management protection at the email gateway and via a web service-- very cool stuff. I'll write more about that when I have time to dig into it more.

Interestingly, the two overwhelming giveaway items this year were Xboxes and iPods. Some group of companies was giving away a MINI Cooper, which is kind of neat (although not as cool as the Mercedes SLK that was given away at TechTarget's Enterprise Messaging Decisions show :)

Also on the show floor, I finally met John Osborn, executive editor at O'Reilly. We had a great discussion about Office development and books (which we extended later at the O'Reilly author party once JohnP got there). I'm hopeful that we'll be able to turn some of the cool content we did for the Fabrikam project into a book, or two, to help build up our Office dev branding.

In a few minutes, I'm heading back over to Cafe 222 for another stack of pancakes, then it's time to present MSG381 and fly to Cincinnati to rendezvous with my family. In the meantime, let it be known that JohnP's Word dev session yesterday is holding steady at an excellent 8.09/9.00 rating, which is going to be tough for me to beat. However, the folks I linked to last week are still ruling: Steve Riley's sessions have three of the top 10 slots, including an incredible 8.81! Go Steve!

Threat modeling tool released

Microsoft has released a nifty automated tool for building threat modeling documents for applications you develop.

It organizes relevant data points, such as entry points, assets, trust levels, data flow diagrams, threats, threat trees, and vulnerabilities into an easy-to-use tree-based view. The tool saves the document as XML, and will export to HTML and MHT using the included XSLTs, or a custom transform supplied by the user.
This might seem to have low relevance for Exchange, but if you take a look at what's in these documents, you'll get a good jump start on understanding how to build a threat model for your network and deployed messaging applications (yes, even if you're using something besides Exchange).

Caller-ID and SPF converge?

I saw an interesting post by Meng Weng Wong, inventor of the SPF anti-spam mechanism: apparently Microsoft and Wong are working together to converge Caller-ID for Email and SPF. This can only help, as both standards have technical merit but neither provides a complete solution. There's a good overview of what this convergence means in this slideshow.

TechEd Day 1 wrapup

I flew out to San Diego yesterday and got to the convention center about 45 minutes before my first session, a troubleshooting panel with Chris Nelson (from Microsoft's IT group), Karl Robinson of HP, and the legendary Paul Bowden. It was fun to share the stage with three knowledgeable people, and we got some good audience questions.

Next, I had a book signing, at which I sold three whole copies of my book. It was fun nonetheless; I got to spend some time chatting with the legendary Charlie Russel, with whom I've worked but who I've never met, Paul Cayley of the MS UNIX migration team, and Eldon Nelson from Microsoft Press. After that, it was off to the "Meet the Technologist" area (aka "Ask the Experts"). The place was mobbed! Erik Ashby was drawing a steady line of folks asking 5.5 migration questions, and there were lots of miscellaneous troubleshooting questions.

John and I got together for a short visit (wherein I learned that his first session outscored mine by about 0.5-- significant on a 1.0-9.0 scale!) before I headed out to the MVP dinner organized by KC Lemson at the Zocalo Grill. I had the good fortune to sit with Andy and Kim Webb, Andy David, Scott Schnoll, David Sapery, and Sue Hill (all MVPs, save Sue, who works on the Exchange User Education team), and there were a ton of other MVPs (including Sue Mosher, Diane Poremsky [at least it looked like her from the back], and Chris Scharff of MessageOne). The product team was well-represented: KC and David Lemson, Ed Wu, Nicole Bonilla, and a few others were there. As a bonus, I finally got to meet Brandon Hoff, the MVP lead for Exchange; he and I have missed each other several times in Redmond, so it was good to finally shake his hand. The food was quite good, and the company was great. (Thanks, KC, for setting it up!)

Today I'm back in the Ask the Experts area for a while, but I should be able to actually attend some sessions-- more on that later.

Very cool news: the Exchange Intelligent Message Filter is out, and it's available at no cost to all Exchange 2003 customers. Microsoft had previously said they would only offer it to SA customers, which generated a lot of discontent. I'm glad to see them reversing their stance. Get the IMF here, and be sure to read the deployment guide. (Oh yeah-- Exchange 2003 SP1 is out, too).

Very cool: Evan Dodds of Microsoft has a blog about (drum roll) Exchange clustering. You should only go there if you want actual factual technical information, though; you'll have to go somewhere else for $spin.

So, Evan, here's a clustering question: can I force all outbound SMTP traffic on a cluster to originate from the IP address of the cluster instead of one of the physical nodes therein?

First review posted

Happily, there's finally a review of Secure Messaging online at the Windows IT Library. My thanks to David Sengupta. (Now, if only Amazon would start posting the reviews that I know are queued up there...)

John Welch is posting a long review of the entire Office 2004 suite. It's not done yet, but the first part-- which, conveniently, covers Entourage in depth-- is ready now.

Loose Lips (Berlinski)

How could I resist any book that had the seal of the CIA with a pair of hot-red lips superimposed? Claire Berlinski's Loose Lips is the story of Selena Keller, a Sanskrit scholar who-- failing to find a real job-- ends up as a CIA case officer. Berlinski makes Selena likable and engaging enough, and the dialogue is pleasing, but the book just sort of meanders along until the end. Speaking of which: the end is terribly ambiguous, and leaves no sense of completion. I don't know if Berlinski did it on purpose or not, but I was unsatisfied by the loose ends she left flapping in the breeze. Not a bad library read; just don't expect Vince Flynn or Barry Eisler.

The gauntlet is down

At the 2002 MEC, John and I were both presenting multiple sessions, and we had a little friendly competition to see who did better. (I honestly don't remember the results; I just remember how psyched he was at successfully evading the wrath of the demo gods.) This year, he has a crushing four sessions, all deeply technical (BPR310 is "Office Developer: Programming XML Solutions", BPR311 is "Office Developer: Programming Word XML Solutions", BPRC14 is "Building High Performance InfoPath Solutions"), while I have but one (MSG381, "Designing a High Availability Exchange 2003 Solution"), so I have somewhat of an advantage. Both of us have some hard work to do to catch the top guns from last year's TechEd, though.

Architect Road Rally

This sounds cool: a get-together for developers at the San Diego Automotive Museum. The big draw: remote-control racing, with trophies. I won't be there, since it's before I arrive, but I definitely think John should go.

Sigh...

Ed's at it again. Rather than waste my time with a long rebuttal, let me just say this: I generally prefer to spend my time explaining technical things that help people understand Exchange better rather than pointing out shortcomings in competing products. I could go on at length about what's wrong with Notes and Domino, but why bother? So, it bothers me when Ed takes an explanatory technical article and twists it around in an attempt to make his competitive point, but hey, he's preaching to a choir of Notes admins, so I shouldn't be surprised. Well, OK, just one rebuttal point: since the column was on geoclustering, I didn't mention the many software replication products [e.g. DoubleTake] that are being used to provide geographically distributed DR without geoclustering; I also didn't mention ballpark hot dogs, '57 Chevrolet Bel Air coupes, or lots of other things that don't relate to geoclustering. Ed's guilty of claiming that there's no other way to solve the problem, which isn't what I said. These replication products have their own limitations, as does Domino replication, but they're not germane to a column on geoclustering, so I didn't mention them. Update: edited to fix a typo and to turn comments back on. Ecto sometimes randomly changes the "allow comments" and "format line breaks" flags between posts, and I don't always catch it.

I've been using Office 2004 for Mac OS X for the last six months or so. It's awesome. Don't take my word for it; go get the 30-day "test drive" version and see for yourself.

I thought LDSSingles.com was a niche site, but if you scroll down the right side of this page, Google is currently serving up an ad for MarineCorpsSingles.com. So, all you single people out there... remember, our motto is Semper fidelis, or "always faithful".

Attention, Kate, KC, and Dori. Google is sponsoring a panel on non-traditional ways for women to enter the computer science field:


The Anita Borg Institute for Women and Technology and Google are pleased to co-sponsor an all-star female panel on education options for entering and re-entering Computer Science and IT on Wednesday, June 2 at 6:00pm at Google's headquarters in Mountain View, CA. Attendance is free but space is limited and you must pre-register. One of the many myths about the computer industry is that you must be young to enter the field. To the contrary, many highly successful women and men study Computer Science when well past traditional college age. Several innovative programs exist in the Bay Area for older students, with or without a diploma, who wish to study Computer Science.

Update: Well, it didn't take long for Dori to point out what's wrong with this picture.

Great M200 tip

Omar Shahine (who just moved to Hotmail, woo hoo!) posted a great tip for the Toshiba M200: tell Windows that you're using a 120 dot-per-inch screen. It works great, although the ugly resampled icons in the QuickLaunch bar take a little getting used to.

Closed comments on old entries

It's fun to see people asking for help cracking Yahoo passwords, but enough's enough. I've closed comments on that article. (Side note: I seemed to get more than my fair share of people with Indian names asking for cracking services... odd.)

I'm starting a topic for Entourage 2004 troubleshooting issues and FAQs, since I'm getting several dozen hits a day from Google on "Entourage 2004" and "Entourage 2004 Exchange". First, remember that there's an active Microsoft presence in the Entourage newsgroup, where some of this material is drawn from.
  • If you're using Exchange 5.5, you can't use Entourage 2004 in Exchange mode. Exchange mode requires WebDAV, which is only supported by Exchange 2000 and Exchange 2003. You can still use IMAP for mail, but you won't be able to sync calendar and contact data with the server.
  • If you don't know what server name to put into the "Public folder server" field, try the name of your Outlook Web Access server with "/public/" on the end of it.
  • If your OWA requires you to use https:// to get to it, you'll need to check the "DAV service requires secure connection (SSL)" checkbox on the Advanced tab of the Exchange account properties dialog.
  • Entourage 2004 can act as a delegate, but you have to use Outlook for Windows to set up delegate access. I plan to write an article explaining how to do this (in my spare time... bwahahaha).
  • If you send a meeting invitation from Outlook, and it arrives as an .ics file in Entourage, the "Accept" and "Decline" buttons may not appear. This is because of a bug in Outlook, and the Entourage team knows about it already.
  • Only the basic Contacts and Calendar folders are supported-- Entourage doesn't allow you to create subfolders of those folders, or to put contacts and calendar items in other folders elsewhere.
  • You can't adjust server-side settings (including the "out of office" state or server-based rules) from Entourage; you'll need to use Outlook or OWA.
If there's a specific question you want answered, feel free to leave a comment here and I'll try to help you.

XboxFriends

This is a very cool little applet: it shows you which of your Xbox Live friends are online at any given time, and it can optionally alert you when someone's playing a particular game. Now I can find out the best times to, er, take a break. Yeah, that's the ticket. (Additionally, it uses the .NET Framework, so maybe that'll be enough to get the author some Scoble-style link-lovin'). Note that it still has a few minor bugs, but it's still quite cool.

20 tips for securing Outlook

The fine folks over at SearchExchange (in collaboration with MS Press) have excerpted chapter 13 from Secure Messaging with Microsoft Exchange Server 2003-- that just happens to be the Outlook security chapter. Their excerpt, "20 Tips on Securing Outlook in 20 Minutes", is well worth reading. It includes information on how to set up Outlook to use Windows Rights Management (including info on how to create your own RM templates), as well as information on controlling S/MIME through GPO templates, and how to set up and use RPC-over-HTTPs. If you like the chapter, buy the whole thing!

Everything old is new again

I used to have some old scripts on the website for my Exchange 5.5 book. I took the pages for the book down some time ago, but I still occasionally get queries for the scripts. Without further ado, then, here they are (note that I don't guarantee that they work with any particular configuration; use them at your own risk):

It's all WRC racing. I saw that RalliSport Challenge 2 was getting buzz in a variety of places (including here). OXM rated it a 9.0, so I decided to pick it up. So far, I'm very impressed: the single-player mode is extremely well executed, with a co-driver who tells you what's coming up on road rally sections and brilliant graphics. (side note: the word "stunning" is often overused when it comes to Xbox game graphics, but I can fairly say that it applies here-- the terrain and lighting effects are the best I've ever seen. Driving at night in the snow is an extremely tense experience). The kids and I had a great time racing Saturday night, even though driving a rally car is much more difficult than most of the cars in PGR2. I haven't had a chance to try racing on Xbox Live yet, but that's on my agenda for the week.

Yeah, baby!

Woo hoo! Burt Rutan does it again: 'SpaceShipOne' becomes first privately funded vehicle to break through earth's atmosphere. It's about time. My money's on him to win the X Prize. Private spaceflight can't possibly come soon enough to suit me.

Off to Dayton

Today I'm headed for the world's largest geek fest: the Dayton Hamvention. Hopefully radio lust won't get the better of me...

Hugo nominees announced

This year's Hugo Award nominees have been announced. This page lists them, with links to full-text versions of most of the novellas, novelettes, and short stories. As a bonus, there are several links to lists of other recommended reading.

Update: Fixed a bad link to the story page. Thanks, Phil.

My kind of guy

Special Forces master sergeant. Doctor and combat medic. Linguist. And, of course… Georgia Tech graduate. Meet Captain Dan Godbee, USA.

Dennis posted a link to an AP story in which some random yahoo claims that the soldiers accused in the Abu Ghraib torture cases reflect "a broad lack of moral values in the culture at large". Leaving aside the issue of relativism, what he should be saying is simple: "Our soldiers knew that what they were doing was wrong, but they chose to do it anyway."

You'd have to be retarded (and I mean that literally) not to pick up on the Geneva Convention instruction given in Army and Marine Corps boot camp. I don't know about the USAF and Navy, but I assume there's similar instruction there. Back in '86, those of us in the tender care of the 1st Recruit Training Battalion at Parris Island got a thorough drilling in the Law of Land Warfare, which covers what is and isn't permissible in actual combat. Guess what? Torture isn't on the "OK" list. The soldiers implicated in the Abu Ghraib torture cases may not have been schooled in the fine points of Geneva Convention requirements for the care of military prisoners, which are more detailed and quite different than the Law of Land Warfare.

I'm prepared to concede that they weren't; that they should have been, and that the fact that they were not is an indictment of those given the responsibility of supervising and training the troops who run the prison. However, I'm with Stryker on this one:


Let me say it clearly for anyone who may be morally befuddled by such things as "right" and "wrong": You don't follow illegal orders. In fact, you have a moral and professional obligation to refuse an illegal order. That's what these Nevada soldiers did:
"There was one incident when we were asked to keep detainees awake, to wake them up with metal drums. We said, `Absolutely not.' I stopped them from doing it," said Armstrong, a 37-year-old child protective services worker from Las Vegas.

She said no. Read the rest of that article to see how real soldiers conduct themselves.

There is no excuse or justification for what these troops did, and they are a stain on the military. Once the investigation concludes, I expect that those found guilty will be punished. One related question: why are the enlisted troops already being court-martialed, while the officers seem to be skating? They're not skating, as this post explains clearly. This one also points out that there are several investigations underway, including one to identify how the Taguba report got loose before the senior DoD structure obtained it.

Security Tuesday: MS04-015

It's Security Tuesday again. This month, we get MS04-015, which covers a vuln in Help and Support Center on XP SP1 and Windows 2003 RTM (32- and 64-bit versions), and updates to MS04-014 (pretty much everyone) and MS01-052 (NT4.0 TSE SP6 and Windows 2000 SP2). Happy patching!

A revised version of House Bill 1640 by Rep. Derrick Shepherd, D-Marrero, would mandate three eight-hour days of community service for anyone who publicly wears clothing that intentionally exposes undergarments, or any portion of his or her pubic hair, cleft of the buttocks or genitals.

Fortunately, the ACLU, the governor, and at least one state lawmaker understand that this problem is best addressed at home. Now, if they'd ban public wearing of bicycle shorts, I could get behind that.

Remember the giblets

Long-time Exchange developer Larry Osterman had a great blog entry today titled "Remember the Giblets". An excerpt:

“Giblets” are the pieces of software that you include in your product that you don’t always remember.  Like zlib, or LHA, or MSXML, or the C runtime library. Whenever you ship code, you need to consider what your response strategy is when a security hole occurs in your giblets.  Do you even have a strategy?  Are you monitoring all the security mailing lists (bugtraq, ntbugtraq) daily?  Are you signed up for security announcements from the creator of your giblets?  Are you prepared to offer a security update for your product when a problem is found in one of your giblets?  How do your customers know what giblets your application includes?

As administrators, how much do you know about the giblets on your servers? Are you paying attention to them, or only to the big chunks (like Exchange or SQL Server)?

Compliance and S/MIME

In the comments to a previous post, Clement Kent asks a set of good questions about how to combine compliance requirements with encryption. The bottom line: if you have DCAR (discovery, compliance, archive and recovery) requirements, you have to be very careful with message encryption. You have two basic alternatives:


  • Archive the encrypted messages, then make sure that you preserve the key material so you can decrypt them later. This is really, really complicated, since you have to keep the certificates and private keys and CRLs around for however long your DCAR window is. The problem with this approach is that the DCAR system can't index the messages, so you won't have a good way to tell whether those messages are in scope when you do a DCAR query. It's hard enough for most organizations to deploy a PKI in the first place, much less guarantee that they'll be able to retrieve Joe CEO's certificate six or seven years from now.
  • Add the archive system as a recipient on all encrypted messages. The problem with this approach is that it doesn't work out of the box; you'll need to write your own tools. You could accomplish this via a client-side add-in that adds the archive agent as a recipient to any message that's encrypted, or you could use an event sink that would reject (or quarantine/flag for human attention) any encrypted message that the archiving agent couldn't read. As a bonus (mis)feature, this approach creates a very valuable target-- get the key to the archive account, and you can read all the sooper-secret encrypted traffic.

The US Defense Department chose option 2. Consider the situation where Alice and Bob, both CIA analysts, need to communicate securely. Alice is in Langley, and Bob is in Baghdad. If the CIA mail system allows direct encrypted mail between them, there's no way for the CIA itself to inspect the message contents. They work around this by using option 2, and also by allowing the mail to travel around Langley and Baghdad unencrypted, but using a server-to-server superencryption like that described in the Open Group's S/MIME Gateway Profile.

It's less clear how you'd preserve DCAR capability with messages protected by Outlook's IRM features. For messages sent to large groups (like, say, "all employees"), it's a simple matter to add the archiver to the group; then you just have to ensure that you keep the IRM system up and running for the required length of time. For messages sent to individuals, you're back to the requirement of writing code to either add the archiving account or to reject the message, but the code has to be smarter because IRM messages lack the easily-recognized S/MIME headers (not to mention that an ordinary message might have an IRM-protected attachment.. but we won't go there for now).
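The check behind option 2 above (hold any encrypted message the archive agent can't read), as an added example that is not code from this blog or from Exchange: Python stands in for the event sink, and the names `gate`, `recipient_ids`, the issuer name and the serial numbers are all hypothetical. It assumes definite-length DER and recipients identified by issuer and serial number, and it fails closed on anything it can't parse.

```python
import base64
from email import message_from_string

ENVELOPED_OID = bytes.fromhex("2a864886f70d010703")   # 1.2.840.113549.1.7.3

def read_tlv(buf, pos):
    """Decode one definite-length DER element; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits count the length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length (BER) is not handled")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into (tag, value, full_encoding) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, nxt = read_tlv(value, pos)
        out.append((tag, val, value[pos:nxt]))
        pos = nxt
    return out

def recipient_ids(der):
    """Return [(issuer_name_der, serial)] for each KeyTransRecipientInfo."""
    tag, content_info, _ = read_tlv(der, 0)
    oid, wrapper = children(content_info)[:2]
    if tag != 0x30 or oid[1] != ENVELOPED_OID or wrapper[0] != 0xA0:
        raise ValueError("not CMS EnvelopedData")
    _, enveloped, _ = read_tlv(wrapper[1], 0)
    rset = next((v for t, v, _ in children(enveloped) if t == 0x31), None)
    if rset is None:
        raise ValueError("no recipientInfos")
    ids = []
    for t, v, _ in children(rset):
        if t != 0x30:                       # key-agreement/KEK recipients: never matched
            continue
        rid = children(v)[1]
        if rid[0] != 0x30:                  # subjectKeyIdentifier form: never matched
            continue
        issuer, serial = children(rid[1])
        ids.append((issuer[2], int.from_bytes(serial[1], "big", signed=True)))
    return ids

def gate(raw, archive_issuer, archive_serial):
    """Return 'deliver' or 'quarantine' for one RFC 822 message."""
    msg = message_from_string(raw)
    if msg.get_content_type() not in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return "deliver"                    # not an S/MIME blob; the archive can index it
    try:
        ids = recipient_ids(msg.get_payload(decode=True) or b"")
    except (ValueError, IndexError):
        return "quarantine"                 # unreadable or signed-only blob: held for review
    return "deliver" if (archive_issuer, archive_serial) in ids else "quarantine"

# ---- constructed sample data below (no real certificates, keys or mail) ----
def tlv(tag, *parts):
    body = b"".join(parts)
    n = len(body)
    nbytes = (n.bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + size + body

def oid_tlv(hexstr):
    return tlv(0x06, bytes.fromhex(hexstr))

ISSUER = tlv(0x30, tlv(0x31, tlv(0x30, oid_tlv("550403"), tlv(0x13, b"Example Issuing CA"))))
BOB_SERIAL, ARCHIVE_SERIAL = 0x1001, 0x0A01   # hypothetical certificate serials

def ktri(serial):
    return tlv(0x30, tlv(0x02, b"\x00"),
               tlv(0x30, ISSUER, tlv(0x02, serial.to_bytes(2, "big"))),
               tlv(0x30, oid_tlv("2a864886f70d010101"), tlv(0x05)),   # rsaEncryption
               tlv(0x04, bytes(16)))                                  # dummy wrapped key

def sample_der(serials):
    eci = tlv(0x30, oid_tlv("2a864886f70d010701"),
              tlv(0x30, oid_tlv("2a864886f70d0307"), tlv(0x04, bytes(8))),
              tlv(0x80, bytes(24)))                                   # dummy ciphertext
    env = tlv(0x30, tlv(0x02, b"\x00"), tlv(0x31, *map(ktri, serials)), eci)
    return tlv(0x30, tlv(0x06, ENVELOPED_OID), tlv(0xA0, env))

def sample_message(serials, truncate=None):
    der = sample_der(serials)[:truncate]
    return ("From: alice@example.com\nTo: bob@example.com\nMIME-Version: 1.0\n"
            "Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n"
            "Content-Transfer-Encoding: base64\n\n" + base64.encodebytes(der).decode())

if __name__ == "__main__":
    for serials in ([BOB_SERIAL, ARCHIVE_SERIAL], [BOB_SERIAL]):
        print(serials, "->", gate(sample_message(serials), ISSUER, ARCHIVE_SERIAL))
```

The gate only proves the archive key is listed as a recipient; it can't tell whether the wrapped key is valid, so the archive agent should still attempt decryption on ingest.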

Off to EMD

I'm speaking today at Enterprise Messaging Decisions 2004. This is actually my first day trip in a while. When I lived in Huntsville, it was possible to fly out at 0530 or 0630, change planes in Atlanta, and make it to pretty much anywhere by noon-- enough time for a meeting or presentation-- and then get home again around 11pm. In Toledo, that's just not happening because of Delta's flight schedule ex Cincinnati. So, since EMD is in Chicago, I'm going to drive-- should be fun. Here's the slide deck.

Sasser on the loose

There's a new Windows worm: W32.sasser. It exploits a vulnerability in the Local Security Authority (LSASS.exe) service; the vuln was fixed by the MS04-011 patch. The original MS bulletin and patch were issued on 4/13, and the MS alert on Sasser was released on 5/1, so you can see the gap between patch and exploit is getting shorter. I'm sure all of you out there have already patched your systems, but tell a friend: install patches when they're released.

Anecdote: on Saturday, 5/1, Delta Airlines had a little dispatch problem that resulted in all their flights out of Atlanta being grounded for almost seven hours. The problem appears to have been with the airport computers used to calculate weight and balance according to FAA specs. One passenger on an affected flight reports that the flight crew attributed the delay to the "Mayday virus". I wonder what the real cause was?

Update: this WSJ article's last paragraph mentions Delta, Goldman Sachs, and JP Morgan Chase as companies affected; it also says that a Delta spokesman wouldn't say whether Sasser was to blame.

MSG381 TechEd deck posted

Well, it's only two weeks late, but hey, who's counting? (Besides the speaker manager at Microsoft, of course!) The first draft of my deck for MSG381, Designing High-Availability Exchange Solutions, is now available here. If you're coming to TechEd, the session is Thursday at 8:30-- stop by and say hello!

Update: Andy Webb was kind enough to point out a bad link, which is now fixed.

Reader Remek Kocz says:


First of all, thanks for writing Secure Messaging. I've been doing a lot of research on Exchange 2K security recently, and your book pretty much filled in all the gaps. The reason I'm writing you is that I have not been able to find an answer to what I thought was a simple question (Usenet wasn't much help, surprisingly). I've been tasked to secure our OWA servers w/SSL, and the issue of certificates came up. Is it possible to obtain a cert from a trusted authority like Verisign and then issue self-issued certificates with a path back to the Verisign one? Being a school district, albeit a large one, we need to look out for every dollar, so I wondered if it would be possible to combine the self-issuing CA & a commercial one. A pure self-issuing CA is not feasible for us, since many people travel without laptops, and there is no way of knowing how they'll access the OWA servers.

This is a classic case for use of a subordinate CA: you want to create a CA that issues certs to end entities (in this case, your OWA servers; it might equally be used to issue certs to users), and you want that CA's cert to be issued by a well-known commercial CA. You might think that Verisign, Thawte, and other commercial certificate vendors would provide this as a service, but as far as I can tell, they don't. Why? Their preference is for you to use them as an issuer, offloading all CA work to them (and, incidentally, paying a per-certificate, per-year fee!) For the specific case you have in mind, Verisign offers their managed PKI service: they issue the certs, and you manage the issuance and revocation process via a web-based admin tool…but you don't run your own CA. Section 3.1.1 of Verisign's certification practices statement talks about the process of registering as a non-Verisign sub CA, but I can't find where you actually do that on their web site. I'll post more details if I can find a better answer.

Update: BeTrusted's OmniRoot service does exactly what you want. Thanks to David Cross for the tip.

Bring back the draft?

From today's New York Times, an editorial by William Broyles. His closing paragraph:


If this war is truly worth fighting, then the burdens of doing so should fall on all Americans. If you support this war, but assume that Pat Tillman and Other People's Children should fight it, then you are worse than a hypocrite. If it's not worth your family fighting it, then it's not worth it, period. The draft is the truest test of public support for the administration's handling of the war, which is perhaps why the administration is so dead set against bringing it back.

I've long supported the idea of bringing back some form of compulsory service. It's proved to work well in a wide range of cultural and social environments, and it provides a powerful counterbalance to exactly the kind of problem we're having now: the people calling the shots don't have any personal stake in the way the military is used. However, I think Broyles is too quick to dismiss the difference in quality between an all-volunteer force (where presumably everyone there wants to be there) and a force of conscripts. There's no question that a volunteer force tends to build up a more experienced core of non-commissioned officers, which (as any officer will tell you) is the real backbone of the armed forces. Without that core, it's not clear that the US military would be able to maintain the same level of professionalism and discipline. It's also an open question whether a mixed force of volunteers and conscripts would suffer from the same kinds of friction we've been seeing between regular and reserve/National Guard units. Interestingly, one benefit to come from the wars in Afghanistan and Iraq is that regular units are getting to see that reserve and NG units are just as prepared and capable, in most cases, as their regular counterparts.

Fire suppression

It doesn't matter how secure your server is if it's on fire. The other Scoble has two good posts that describe the current state of the art in fire-suppression systems: here and here. This is actually something I talk about in Chapter 5 (physical & operational security), even though most of us are stuck with whatever physical plant is already in the building. Interestingly, one commenter mentioned pre-action sprinkler systems, which use water but which aren't activated without both heat and smoke alarms. (And hey, the inert suppression gas of choice is Inergen, not "Innergen".)

Thomas speaks

Tonight we had the four missionaries over for dinner. The discussion turned to one of the young women in our ward-- she's very attractive. I told Arlene that she cleaned up nicely, whereupon Thomas shouted out "But you cook even better than you clean, Mom!" Hilarity ensued.

About this Archive

This page is an archive of entries from May 2004 listed from newest to oldest.
