<strong>Bitspitter</strong><br /><br />A 'Bitspitter' is networking jargon for a Repeater - a device which extends the reach of a network by reconstructing a weak signal and sending it farther down the wire at full power.<br /><br /><strong>DirectNIC</strong> (2005-09-03)<br /><br /><a href="http://www.directNIC.com" target="_blank">DirectNIC</a> has been my registrar of choice for years; all of my current domains are registered with them, and several of our clients use them as well.<br /><br />DirectNIC's offices are in the <a href="http://maps.google.com/maps?q=650+Poydras+Street,+New+Orleans,+LA+70130&spn=0.020453,0.035306&t=e&hl=en" target="_blank">heart of New Orleans</a>, down the street from the Superdome. They have remained online and almost completely operational through Katrina and its aftermath (apart from their free web hosting service, restored today) due to the almost literally heroic efforts of their data center staff.<br /><br />DirectNIC's Crisis Manager, Michael Barnett, has been updating <a href="http://mgno.com/" target="_blank">his blog</a> during the disaster, including photos and a webcam feed.<br /><br />If you want a reliable hosting company, these folks have certainly proven that they'll do <i>whatever it takes</i> to keep their data center online.<br /><br /><strong>Why is my PIX PDM Broken?</strong> (2005-05-29)<br /><br />If you manage a Cisco PIX firewall, you may have recently run into a problem accessing the PDM (PIX Device Manager) browser-based management interface. 
Cisco's PDM is a Java-based tool for managing your firewall; there are a handful of things that can't be done via its graphical interface, but for the most part, many users will seldom have any reason to use anything else for configuration and management. The VPN wizard, in particular, is vastly easier to use than the dozen or so lines of arcane commands required to implement the same thing from the command line.<br /><br />A couple of my clients recently had issues accessing the PDM from Windows XP and Server 2003. After authenticating successfully in both the browser and the Java window, they were presented with an empty window instead of the PDM - and a message in the status bar claiming <code>java.security.AccessControlException: access denied</code>.<br /><br />Both clients concluded - not unreasonably - that there was some kind of authentication problem with the PIX, and that they were locked out.<br /><br />In fact, the problem was not with the PIX, but with Java itself. Sun's most recent updates to the JRE (Java Runtime Environment) made <a href="http://archives.java.sun.com/cgi-bin/wa?A2=ind0404&L=java-security&F=&S=&P=4012" target="_blank">changes to the behavior allowed for signed code</a> - and caused consternation for developers and end users by breaking quite a few applets.<br /><br />Installing the "release 8" update for the <a href="http://java.sun.com/j2se/1.4.2/download.html" target="_blank">1.4.2 plugin</a>, or the "release 2" update for the <a href="http://java.sun.com/j2se/1.5.0/download.jsp" target="_blank">1.5.0 plugin</a> prevented access to the PDM - and no adjustment to the security settings in Internet Explorer or Firefox could fix the issue (both Windows and Linux platforms suffer from this problem.) 
Applets which behaved like the PDM - launching code which performs security-restricted functions from an HTML button - were now 'broken by design' under the new stricter security model.<br /><br />Those who had upgraded their Java plugin from an earlier (working) release could uninstall the latest version, and once again access the PDM. But for a new workstation or server, the latest load of Java was broken 'out of the box,' and there wasn't anything to go back to. And unless the affected user tried a Google search on the full status bar error message, there were very few clues on the nature of the problem - or the fix.<br /><br />There is, in fact, a <a href="http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_field_notice09186a008046c805.shtml" target="_blank">Cisco Field Notice,</a> dated May 16th, on this issue - but unless you perform a very specific Google search, you'll probably miss it.<br /><blockquote><span style="font-style:italic;">I almost never use a vendor's own search tool to explore a support knowledge base. Microsoft's Knowledge Base, in particular, was long notorious for the obscurity of the keywords assigned to articles. More than once, I couldn't re-locate a KB (or Q article, if you're old skool) that I </span>knew <span style="font-style:italic;">was there, which was immensely frustrating. I finally started using site-specific Google searches: specifying a search by <a href="http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=site%3Amicrosoft.com+server+2003+dns+firewall" target="_blank">site:microsoft.com server 2003 dns firewall</a> allowed me to find information that eluded the built-in tool. Microsoft, by the way, claims to have made significant improvements to the way their site search engine works. Is it better? 
I don't know - they trained me not to use it by returning poor results for years.</span> Google is my friend.</blockquote><br />Cisco <span style="font-style:italic;">does </span>offer a <a href="http://www.cisco.com/pcgi-bin/Support/FieldNoticeTool/field-notice" target="_blank">product alert service</a> which will e-mail you notices like this one when they are published, but you have to have an account with Cisco CCO - which generally means, if you're an end user, that you're carrying a SMARTnet service contract on at least one piece of Cisco equipment.<br /><br />Those who <span style="font-style:italic;">don't </span>have a SMARTnet contract on their PIX not only probably missed the alert, but also cannot implement the official fix, which is a downloadable update - 3.0(3) or 4.1(2) - to the PDM. The workaround is to uninstall the latest copy of the JRE, and download and install <a href="http://javashoplm.sun.com/ECom/docs/Welcome.jsp?StoreId=22&PartDetailId=jdk-1.5.0_01-oth-JPR&SiteId=JSC&TransactionId=noreg" target="_blank">release 1</a> of the Java 1.5.0 plugin.<br /><br />And, perhaps, consider springing for a SMARTnet contract on at least <span style="font-style:italic;">one </span>of your Cisco products. 
It doesn't take many of these kinds of headaches for it to pay for itself.<br /><br /><strong>Outlook's Compelling Autocomplete Illusion</strong> (2005-05-28)<br /><br />Working with someone who had been issued a brand-new laptop last week made me consider something interesting about Microsoft Outlook - the <span style="font-style:italic;">autocomplete</span> feature works so unobtrusively, and so well, that most users believe that it's doing something that it isn't - and <span style="font-style:italic;">can't</span>.<br /><br />Autocomplete kicks in when you begin typing in the <span style="font-style:italic;">To:, Cc:,</span> or <span style="font-style:italic;">Bcc:</span> fields of a message. The first character of a name or e-mail address pops up a menu of matching recipients; additional typed characters can <span style="font-style:italic;">disambiguate </span>the list to a single entry (as soon as you've typed enough to distinguish it from all the other names and addresses.) An essentially identical feature fills out commonly used form fields in most web browsers.<br /><br />It works well, and saves time and typing - especially for those of us whose number of e-mails sent per day exceeds our word-per-minute typing speed!<br /><br />I've found that most users - including some very computer-savvy people - think that Outlook actually searches their address book in real time as they type. It doesn't. Instead, the first time you type in an address or name, it's added to Outlook's <span style="font-style:italic;">Nickname </span>file. Outlook searches the file each time you begin typing an address, and creates a menu of suggestions from all the matching entries. 
For those who have been using Outlook for a long time, there are often so many entries that Outlook <span style="font-style:italic;">appears </span>to be searching their entire address book, and the users don't realize (or remember) that an address doesn't autocomplete until it's been used the first time.<br /><br /><strong><span style="color:#993399;">The rude awakening</span></strong> generally comes after an upgrade, or a move to a new computer. If the user's Windows profile doesn't follow them to the new computer, they'll complain that Outlook is 'broken' - because it isn't filling in all their addresses anymore. An explanation of how the feature <span style="font-style:italic;">really </span>works - and the implication that they'll have to use each address again before it will autocomplete for them - is generally <span style="font-style:italic;">not </span>well received.<br /><br /><strong><span style="color:#993399;">"WHY CAN'T IT WORK LIKE THAT?"</span></strong><br /><br />The autocomplete feature is useful because it is near instantaneous - if it took so long to pop up suggestions that it slowed down our typing, it would cease to be a feature, and become an <a href="http://www.annoyances.org/" target="_blank">annoyance</a>.<br /><br />That's why it can't really search your address book in real time. I have a few hundred entries in my <span style="font-style:italic;">Contacts </span>list; my wife easily has three times as many as I do. A reasonably fast computer, with plenty of RAM, could probably deal with my list. I doubt that it could do an acceptable job with my wife's list - unless it cached the entire list in RAM. But not everyone has a 'reasonably fast' computer - and so a significant number of Microsoft's customers would experience performance issues.<br /><br />And consider another class of Microsoft's customers - exceptionally large enterprises like <a href="http://www.boeing.com" target="_blank">Boeing</a>. 
Boeing has somewhere around 160,000 users on a Microsoft Exchange-based e-mail system. Imagine each user's copy of Outlook crunching through close to 200,000 possible recipients and aliases, across the network, all day long. Not only would this make the autocomplete process as slow as molasses, but it would also increase the load on the network, and <span style="font-style:italic;">really </span>increase the load on the domain controllers.<br /><br /><strong><span style="color:#993399;">The good news is</span></strong> that, with a little planning, you can move the Nickname file to a new computer. In Outlook 97, 98, and 2000, it was a <a href="http://support.microsoft.com/?kbid=245421" target="_blank">.nick</a> file; in Outlook 2002 and later, it's <a href="http://office.microsoft.com/en-us/assistance/HA011394511033.aspx" target="_blank">.NK2</a>. Ensuring that these files get backed up, and are moved to the user's new computer, will prevent irritated users with 'broken' copies of Outlook.<br /><br /><strong><span style="color:#993399;">SOMETIMES YOU WANT IT TO GO AWAY</span></strong><br /><br />On the other hand, after an e-mail migration changes the format of most or all of the addresses in an organization, or if someone moves to a new company but retains their laptop, most or all of the autocomplete entries can become invalid. 
You can <a href="http://office.microsoft.com/en-us/assistance/HA011240661033.aspx" target="_blank">reset the autocomplete cache</a> (by renaming the file) to remove all the entries; the <a href="http://www.microsoft.com/technet/prodtechnol/exchange/guides/Ex2k3DepGuide/ccf25373-2255-42ff-b16c-871a62cd6f4b.mspx" target="_blank">Exchange Profile Update Tool</a> (<a href="http://www.microsoft.com/downloads/details.aspx?familyid=e0f616c6-8fa4-4768-a3ed-cc09aef7b60a&displaylang=en" target="_blank">Exprofre.exe</a>) can do this on a wholesale basis if you are migrating hundreds or thousands of users.<br /><br />It is also possible to <a href="http://support.microsoft.com/?kbid=242074" target="_blank">remove individual stale or corrupted entries</a> for Outlook 97, 98, and 2000, using the <a href="http://download.microsoft.com/download/outlook2000/utility/9/w9xnt4/en-us/nickname.exe" target="_blank">nickname.exe</a> and <a href="http://download.microsoft.com/download/outlook2000/utility/2000/win98/en-us/ol2knick.exe" target="_blank">ol2knick.exe</a> tools. I'm unaware of a similar tool for Outlook 2002 and later - if you are, I'd love to hear about it.<br /><br /><strong>More AutoLink Outrage!</strong> (2005-03-10)<br /><br /><a href="http://ptech.wsj.com/archive.html" target="_blank">Walt Mossberg</a> at the Wall Street Journal <a href="http://ptech.wsj.com/archive/ptech-20050310.html" target="_blank">doesn't like the AutoLink feature</a> of Google's new <a href="http://toolbar.google.com/T3/index" target="_blank">toolbar</a>, either.<br /><br />And his article bears more than a passing resemblance to Scott Granneman's <a href="http://www.securityfocus.com/columnists/304" target="_blank">column.</a> Almost as if one of them is paraphrasing the other. 
Or they're both getting their ideas from <a href="http://blog.searchenginewatch.com/blog/050225-104317" target="_blank">someone else</a>. Hmmm.<br /><br />Again, what the outrage comes down to (even in some posts on <a href="http://forums.fark.com/cgi/fark/comments.pl?IDLink=1395327" target="_blank">Fark!</a>) is that web pages that these folks either design, or write content for, might somehow acquire links to somewhere else. Like a competitor.<br /><br />Never mind that the links appear because the reader <em>asked for them</em>. They're still clinging to the idea that they have the right to control what you and I can do with their content <em>after</em> it's been downloaded to our own computers.<br /><br />The arguments all seem to boil down to this:<br /><br />First, if Google gets away with this, then Microsoft, or someone else, will bring back <a href="http://www.alistapart.com/articles/smarttags/" target="_blank">Smart Tags</a>, which will rewrite pages automatically, without any user intervention at all, and we'll all slide down a slippery slope where web publishers won't have any control of their content at all...<br /><blockquote><em>If the principle behind AutoLink were to take hold, there would be nothing to stop Microsoft from adding a feature to Internet Explorer that would replace the ads on a Google search-results page with ads sold by Microsoft's MSN service.</em></blockquote>And second, and this is the important part, the average web user (that's you and me, folks) is too stupid to figure out what's going on. They won't know where the links came from. And apparently, we'll just click on any old link and follow it.<br /><blockquote><em>I take a back seat to nobody in favoring user convenience, but, as with most things in life, every principle must be balanced against others. In this case, that balancing principle is the right of Web publishers to control the content and appearance of their own sites. 
Users wouldn't benefit if the Web became a sea of uncertainty, where anybody could alter every Web page.</em></blockquote>Let's look at what seems to be the favorite scenario, here - I'll be on someone's web site, which is designed to sell me products and/or services, and AutoLink, SmartTags, EvilSneakyLinkTags, or what have you, will display links to competitors. <em>The horror!</em><br /><br />Just how do they suppose I arrived at this hypothetical web site in the first place?<br /><br />I'll tell you how I would have gotten there - either the company was known to me, and I am specifically interested in their products, services, or content (<a href="http://www.apple.com" target="_blank">Apple</a>, <a href="http://www.sunfire.com" target="_blank">Sunfire</a>, <a href="http://www.ebay.com" target="_blank">eBay</a>, <a href="http://www.slashdot.org" target="_blank">Slashdot</a>) - in which case, <em>I'm already where I want to be,</em> and I'm not interested in following links elsewhere...<br /><br /><em>Or,</em> I arrived there by following a link from a <em>search engine!</em> (In my case, almost certainly Google.) I've <em>already seen</em> ads and links to competitors! The Web - especially if you're shopping for commodity items - makes comparison shopping quick, easy, and reasonably foolproof. With <a href="http://froogle.google.com/" target="_blank">Froogle</a>, <a href="http://www.pricewatch.com/" target="_blank">Pricewatch</a>, <a href="http://www.mysimon.com/" target="_blank">MySimon</a>, and similar sites, I can rapidly determine who has the item I want in stock, and the cost. When I'm purchasing a book, I'll <em>always</em> search for the ISBN on <a href="http://www.barnesandnoble.com/" target="_blank">B&N</a>, <a href="http://www.amazon.com" target="_blank">Amazon</a>, <a href="http://www.bookpool.com/" target="_blank">Bookpool</a>, <a href="http://half.ebay.com" target="_blank">Half.com</a> - you'd be an idiot not to, when it's so quick and easy. 
It's faster than driving to even <em>one</em> store.<br /><br />So I'm just flabbergasted by the idea that all these various pundits think that a tool that adds links to a web page is going to destroy Web commerce as we know it. Here's a hint for you e-commerce merchants out there - if your e-commerce site depends upon your customers being ignorant of your competition, you are <em>doomed.</em> <br /><br /><em>(Here's an idea - why don't you add links to your competitors yourself? If you don't have lower prices, better customer service, faster shipping, a better selection, an easier-to-use site, unique items, or more than one of these things, why would anyone choose to buy from you? Have some </em>chutzpah<em> - your customers </em>will<em> comparison shop; tell them you know they're smart enough to do it, and tell them why they'll discover that you're the best choice. If you can't tell them that, then as far as I am concerned, your business model consists of attracting ignorant customers, and ripping them off.)</em><br /><br />Google's AutoLink simply makes it easier for me to perform certain actions that I already do. If Google happens to make some money while providing this service, good for them! A service like AutoLink is only a threat if you believe that the majority of your audience is too stupid to comparison shop.<br /><br />AutoLink is, after all, in beta - like <a href="http://news.google.com" target="_blank">Google News</a>. Google just added customizability to the Google News page - why wouldn't they do the same for AutoLink?<br /><br />Here's what I foresee: you'll be able to add your own preferences for maps, booksellers, etc. to AutoLink, and you'll be able to choose which ones you'd like to follow. There will be one or more sponsored links, but they'll be clearly and unobtrusively differentiated from your custom links - much like sponsored links already are on Google's search pages. 
Google's business model is based solidly on a foundation of providing useful and powerful services to the Web <em>user.</em> Why would this be any different?<br /><br />What about the slippery slope - first AutoLink, then the next thing you know, Internet Explorer is rewriting everything? It won't happen, and the reason is right in the last sentence in Walt Mossberg's article: <em>"Users wouldn't benefit if the Web became a sea of uncertainty, where anybody could alter every Web page."</em><br /><br /><em>Users wouldn't benefit.</em><br /><br />Do you know what users do when they stop seeing something as a benefit? <em><span style="font-weight:bold;">They stop using it.</span></em> Whether it's the Google Toolbar, Internet Explorer, or AOL - when something makes the user experience worse, the users leave. The "slippery slope" is self-correcting, because as soon as a tool, or site, or service stops serving the user (read that as <em>customer,</em> e-commerce types) they'll turn you into road kill as they run to the competition.<br /><br /><strong><span style="color:#993399;">THE REAL SLIPPERY SLOPE</span></strong><br /><br />Mossberg, Granneman, <a href="http://blog.searchenginewatch.com/blog/050225-104317" target="_blank">Danny Sullivan</a>, and the rest are filled with righteous indignation, anger, and <em>fear</em> that someone might be able to alter their web pages - that they will lose control of <em>their</em> content. Walt Mossberg claims to <em>"take a back seat to nobody in favoring user convenience,"</em> but then turns around in the very next sentence and claims that there is a <em>"right of Web publishers to control the content and appearance of their own sites."</em><br /><br />I agree with that - but I also happen to believe that that right <em>stops</em> when the content enters <em>my</em> computer. At that point, I should be able to view it, augment it, and annotate it in any way that I wish. 
I can't figure out what makes these folks enthusiastic about controlling what I can do on my own computer! <em>That's</em> the slippery slope!<br /><br />Wouldn't it be unreasonable for me to prevent you from translating my blog articles to another language? Or from resizing the type to make it easier to read? Or resizing the window? Or to prevent you from having your computer read the article to you, because you're visually impaired? What if the things that I do to prevent copying and pasting, or reformatting the page, or to prevent AutoLink from working, also happen to prevent translation, or accessibility for the visually impaired? Is that just too bad? Is it all about <em>me?</em><br /><br />Apparently Danny Sullivan <a href="http://blog.searchenginewatch.com/blog/050225-104317#myusers" target="_blank">thinks so</a>:<br /><blockquote><em>They may be Google's users, but they are also my users as a publisher as well. If my visitors are upset that my site prevents them from using Google AutoLink, they can tell and lobby me directly. I don't need Google deciding for me what my users want on my web site.</em></blockquote>Did you get that? They're <em>his</em> users - and if he wants to screw up their experience, that's their problem. They'll just have to complain about it.<br /><br />Well, no, actually - they're not <em>your</em> users, Danny. You don't own them. Which means they can also simply stop coming to your site, if you prevent them from doing what they want. It's colossal arrogance, and bad business, to believe otherwise.<br /><br />If you try to control "your" users, and restrict what they can save, or link to, or enhance, or translate, you might discover that they aren't <em>your</em> users any more. 
Ask the RIAA.<br /><br /><strong>Google Autolink and Hypocrisy</strong> (2005-03-09)<br /><br />Scott Granneman has published a <a href="http://www.securityfocus.com/columnists/224" target="_blank">couple</a> of <a href="http://www.securityfocus.com/columnists/304" target="_blank">articles</a> on <a href="http://www.securityfocus.com/" target="_blank">Security Focus</a> regarding <a href="http://www.google.com" target="_blank">Google</a>; a great search engine can also serve as a great <a href="http://johnny.ihackstuff.com/index.php?module=prodreviews" target="_blank">exploit and hacking engine</a>, if you put some thought into it (or you know where to look.)<br /><br />I recommend giving them a read - although I take exception to a couple of things in the latest column. As a kind of lead-in to his assertion that Google's post-IPO <a href="http://investor.google.com/conduct.html" target="_blank">motto</a> is now, <em>"Don't be evil ... mostly. Kinda. Pretty much. Maybe,"</em> he brings up the old red herring that Google's cookie isn't set to expire <a href="http://www.google-watch.org/cgi-bin/cookie.htm" target="_blank">until 2038</a>. (I couldn't care less. If it bothers you, clear your cookies from time to time. And replace your tin foil hat, while you're at it.)<br /><br />But what's really bugging Scott is a new feature in the <a href="http://toolbar.google.com/T3/index" target="_blank">Google Toolbar 3.0 beta</a> called AutoLink.<br /><blockquote><em>The AutoLink feature adds links to the page you're viewing if it recognizes certain types of information on the page. For example, the online review of a great new restaurant has the business address but no map. You could go to a map site and type in the restaurant's street, city, and ZIP code -- but why bother? 
Clicking the Toolbar's AutoLink button will automatically link you to a map. AutoLink also recognizes package shipping numbers, car VIN numbers, and book ISBN numbers.</em> (from <a href="http://www.google.com/support/toolbar/bin/static.py?page=features.html" target="_blank">Google Toolbar Help</a>)</blockquote>Sounds pretty useful, right? The Google Toolbar already rocks - though I'd be more excited about the new features myself if there was an official version for <a href="http://www.mozilla.org" target="_blank">Mozilla Firefox</a>, which has been my primary browser for a couple of months now. There <em>is</em> an <em>unofficial</em> version for Firefox - the <a href="https://addons.update.mozilla.org/extensions/moreinfo.php?application=firefox&version=1.0&os=Windows&category=Search%20Tools&numpg=10&id=33" target="_blank">Googlebar</a> extension. Couldn't live without it.<br /><br />The problem, as Scott sees it, is that the hyperlinks that appear in his columns are as much a part of the article as anything else:<br /><blockquote><em>I work hard in these columns to pick interesting, informative links that back up my statements, provide detail where I must be terse, or entertain with a sarcastic comment on my text. It's as much part of my writing as the words I use. In fact, in 2005, I would go so far as to say that for any writer using the web as a platform, links are in fact part of his or her writing.</em></blockquote>Fair enough, I guess - I try to fill my blog articles with useful, relevant links as well. 
But the AutoLink feature will put links on our pages that we didn't add ourselves - that's what it's <em>designed</em> to do, after all.<br /><blockquote><em>When Google changes the links on this web page, Google changes my writing, without any input from me, and </em><span style="font-weight:bold;">for commercial gain that certainly doesn't benefit me,</span><em> or SecurityFocus, the publisher of my columns.</em></blockquote>Ahh - now we come to the real issue. Someone might be making money from his column, and it isn't him.<br /><br />But is that really what's going on? It seems to me that you could also say that it's Google providing a service - the toolbar, after all, doesn't care what page you're on - and any potential revenue stream from that service is, legitimately, going to Google.<br /><blockquote><em>If I was an online bookstore, the fact that my ISBNs turned into links to a competitor like Amazon would make my blood boil. In essence, Google - and selected partner companies - benefit commercially from my work, and I see nothing for it. Alternately, on my web site, I provide a lot of stuff under a Creative Commons license, but AutoLink ignores it and commercializes things I do not wish commercialized.</em></blockquote><em>Almost.</em> The logic is soooo seductive. But hold on just a minute here:<br /><blockquote><em>...I'm an enormous, grateful fan of the <a href="https://addons.update.mozilla.org/extensions/moreinfo.php?application=firefox&version=1.0&os=Windows&id=10" target="_blank">Adblock extension</a>, which allows me to remove advertisements and other annoyances from web sites.<br /><br />[...]<br /><br />I've been thinking about it, and I'm going to keep Adblock for now, since its operation is completely dependent upon my actions - nothing gets blocked unless I explicitly enter a URL to block - and since I'm removing annoyances, not augmenting content. In between Adblock, which seems OK to me, and AutoLink, which isn't, is BetterSearch. 
BetterSearch does change the Google results page, but it's not changing the original content. Instead, it clearly adds an enhancement. However, this does beg the question: at what point does enhancement cross the line? Frankly, it's a notion that's still up for debate, and I'm interested in your take.</em></blockquote>Well, then - here's my take. AutoLink doesn't do its magic unless the user explicitly clicks the button in the toolbar - that is, it works only when, and <em>because</em>, the user <em>wants it to.</em> It also doesn't alter any existing links; it only adds new ones.<br /><br />To be fair, Scott points out both of these things in his column. But then he goes on to say<br /><blockquote><em>...once AutoLink is pressed, the viewer will not be able to tell which links are put there by the page's author and which are put there by AutoLink. Granted, holding your mouse over the link and waiting for a tooltip to open will indicate that the link comes from Google, but I'm not sure how many users are going to do that. In fact, given the state of most web users' knowledge, I have serious doubts that they'd even understand what the tooltip's text meant in the first place.</em></blockquote>Let me get this straight - the readers of <em>his column</em>, which has an emphasis on computer security and privacy, are apparently too dumb to figure out which links are his originals, and which ones were added by AutoLink, <em>even though they had to press a button to get the additional links?</em><br /><br />And it's fine for him to view content which is intended to be supported by advertising revenue while deliberately blocking the ads, but it's not okay for me to use a tool to add content to his page that's beneficial to me?<br /><br />I think Mr. 
Granneman has been infected by the same idea about <em>Digital Rights Management</em> (DRM) that the RIAA has been trying to enforce - the idea that a creator of a work should have some control about how that work is used by the consumer.<br /><br />It's something like an author complaining that I should not be allowed to highlight passages in her book, or write notes in the margin - after all, if she'd thought those things were needed, she would have added them herself. And besides, the pen and marker companies are making money because I'm marking up <em>her</em> book!<br /><br />Well, it's not her book. It's her <em>work;</em> her content. It's <em>my</em> book, and I can mark it up as I wish. I can bend the corners, draw a mustache on the author's portrait on the flyleaf, and make the table of contents into paper boats - I don't care what the author wants. This is my own personal copy of the book, and what I do with it doesn't affect anyone else's copy. It's all about <em>me.</em><br /><br />Are you with me so far? When you or I view a web page, the content may have come from the web server, but the data has been copied to our computers. It's in RAM, and possibly on the hard disk as well. It's <em>our own personal copy.</em> If I <em>choose</em> to mark it up for my own convenience, that's my business - not the author's. Don't try to tell me what I may or may not do on my own computer.<br /><br />Scott even cheerfully points out that there's <a href="http://www.threadwatch.org/node/1562" target="_blank">code</a> that web sites can use to disable AutoLink. Gee, thanks for enhancing my user experience. I'm sure he'll be just as enthusiastic when the advertisers write code which gets around his adblocker.<br /><br />So, who is the hypocrite here? Google? 
I don't think so.<br /><br /><strong>Analyst-shmanalyst!</strong> (2005-01-25)<br /><br />I followed a link on <a href="http://news.google.com/" target="_blank">Google News</a> this afternoon, and immediately thought of PJ's recent <a href="http://www.groklaw.net/article.php?story=20050119041239356" target="_blank">rant about analysts</a> on her <a href="http://www.groklaw.net/" target="_blank">Groklaw</a> site:
<br /><blockquote><span style="font-style:italic;">I have decided what I want to be when I grow up. I want to be a tech analyst.<br>
<br />No, don't bother to try to talk me out of it. My mind is made up. It's the only job I have ever heard of where you can have huge gaps in your knowledge, get random but truly vital facts utterly wrong, say the opposite of what is observably true, and nobody sues you. They don't even fire you. They don't even notice. No one says a word. In fact, they actually pay you good money, and the next time they want to know something, they forget you got it all wrong the last time and ask you for your opinion all over again.<br>
<br />Being a fortune teller might be just as easy. In fact, I met one once, by chance, and she confided in me what she did for a living and confessed, just between us girls, that she just made stuff up. But I think analysts get paid more, and I believe they get retirement benefits too. And of course it's steadier work.</span></blockquote>
<br />The target of PJ's rant was <a href="http://www.yankeegroup.com/" target="_blank">Yankee Group</a> analyst Laura DiDio.<br>
<br />I discovered today that I've got a similar opinion of fellow Yankee Group analyst Mike Goodman.<br>
<br />A blurb on <span style="font-style:italic;">CIO Today</span> entitled <a href="http://www.cio-today.com/story.xhtml?story_title=ITunes-Dominance-in-Peril&story_id=29972" target="_blank">"ITunes Dominance in Peril"</a> suggests that - even though Apple has sold over 250 million songs through the iTunes service since its launch, is now selling <a href="http://seattlepi.nwsource.com/business/209191_itunes25.html" target="_blank">over a million songs per day</a>, and is responsible for <a href="http://www.npd.com/dynamic/releases/press_041013.html" target="_blank">70% of online music sales</a> - its "days of...overwhelming dominance may be numbered."<br>
<br />And why might that be? According to Mike, it's because they have "shown no interest in the up-and-coming subscription business model for online music."<br>
<br /><strong><span style="color:#993399;">EXPLAIN THAT AGAIN?</span></strong><br>
<br />The <span style="font-style:italic;">'subscription model'</span> is what is used by the current incarnation of <a href="http://www.napster.com" target="_blank">Napster</a>: your music is tied to one to three PCs (it's <span style="font-style:italic;">"portable"</span> if you happen to have a laptop), you can't burn CDs or transfer music to a portable player, and if you stop making your subscription payments, all 'your' music goes <span style="font-style:italic;">poof</span>. <span style="font-style:italic;">Bye!</span><br>
<br />You can, of course, <span style="font-style:italic;">pay extra</span> to have permanent copies of your music. Thanks, but that's what I wanted in the first place.<br>
<br />Mr. Goodman is excited about the 'Janus' digital rights management technology in Microsoft's newest version of Windows Media Player - which enables <span style="font-style:italic;">'tethered downloads,</span>' so that music services can "tie individual downloads to a monthly subscription." (I'm sure Microsoft picked <span style="font-style:italic;">'Janus'</span> to evoke the Roman god of doorways and openings - but the fact that he is depicted as literally being two-faced lends an unintentional ironic overtone to the technology.)
<br /><blockquote><span style="font-style:italic;">"Apple certainly has the option of jumping onto the tethered download bandwagon, Goodman noted. But it has given no indication of doing so. That decision may cost it a drop in the sales of its immensely popular iPod music players from an 80-90 percent market share down to 50-60 percent, Goodman predicted."</span></blockquote>
<br />Sorry, but I can't follow your logic, Mike.<br>
<br />First of all, let's talk about being <span style="font-style:italic;">tethered</span>. Do you want to be tethered? I don't. If I've purchased music, I want to be able to play it on my stereo, in my portable music player, and on my computer. I want to be able to burn CDs for my cars. And most importantly, I sure as heck don't want it all to <span style="font-style:italic;">expire</span>.<br>
<br />What happens, for example, to all the playlists and music you're 'leasing' from Napster if they get <a href="http://www.fmqb.com/Article.asp?id=61699" target="_blank">sued into oblivion</a> again? I'll tell you - the same thing that happened to all the <span style="font-style:italic;">DIVX</span> discs that people bought from Circuit City when they <a href="http://www.amateurhometheater.com/Miscellaneous/divx-death.htm" target="_blank">finally pulled the plug</a>. They will become inaccessible and worthless.<br>
<br />I am absolutely <span style="font-style:italic;">astounded</span> at the industry pundits who have forgotten the <a href="http://www.fool.com/portfolios/rulemaker/1999/rulemaker990621.htm" target="_blank">lesson of DIVX</a>:
<br /><blockquote><span style="font-style:italic;">Building a product with artificial limitations that are intended to allow you to charge the same consumer over and over for same product, and expecting it to compete against services that <span style="font-weight:bold;">don't</span>, is a <span style="font-weight:bold;">stupid idea.</span></span></blockquote>
<br />There is <span style="font-style:italic;">nothing </span>about being <span style="font-style:italic;">tethered </span>that serves the consumer. <span style="font-style:italic;">"You can fool some of the people some of the time,"</span> but in the long run, it's doomed to fail. I sure can't see any compelling reason to choose a service with tethering over iTunes.<br>
<br />And for the life of me, I can't see how tethering technology will impact iPod sales at all. Where is the <span style="font-style:italic;">advantage to the consumer</span> in using a tethered format? If I have to pay extra to download my subscribed tracks from my tethered service to my portable player, then I'm spending <span style="font-style:italic;">more </span>than I would have if I had simply bought them from iTunes in the first place.<br>
<br />If all I'm after is personalized streaming radio, I can get that <span style="font-style:italic;">for free</span> from <a href="http://www.last.fm/" target="_blank">Last.fm</a>. (Although they'd <a href="http://www.last.fm/donate.php" target="_blank">appreciate a donation</a>.)<br>
<br />And if the selling point <span style="font-style:italic;">is </span>that it's <span style="font-style:italic;">cheaper</span> - well, Apple hasn't been selling <a href="http://www.themacobserver.com/stockwatch/2004/10/13.1.shtml" target="_blank">truckloads of iPods</a> on cost anyway.<br>
<br />And like it or not, it's still pretty darned easy to download endless gigabytes of MP3s without paying for them at all. I can't tell you how - or <span style="font-style:italic;">if </span>- the music industry will solve that one, but I can tell you that it's <span style="font-style:italic;">not </span>going to be by expecting consumers to adopt a format which is specifically designed to artificially limit their choices.<br>
<br />So, why does Mike Goodman claim that a new DRM scheme is going to topple Apple's dominance? Well, if I were being cynical like Groklaw's PJ, I'd claim that it's because the tech analysts have stumbled into an incredible racket, where they can say damned near anything they want, even if it is entirely devoid of logic, and still make big bucks and get published in USA Today.<br>
<br />If I were being cynical like <span style="font-style:italic;">me</span>, on the other hand, I'd say that it's because tech analysts, by and large, don't get paid to accurately predict the future.<br>
<br /><strong><span style="color:#993399;">They get paid to tell industry executives what they want to hear</span></strong> - and to provide excuses for those same executives when their mind-bogglingly stupid marketing decisions go down in flames. If you're sufficiently devoid of scruples, it <span style="font-style:italic;">is </span>a heck of a racket.<br /><br /><strong>Last.fm</strong> (2005-01-24)<br /><br />A recent <a href="http://slashdot.org/comments.pl?sid=136440&cid=11395530" target="_blank">Slashdot post</a> reminded me of <a href="http://launch.yahoo.com/" target="_blank">LAUNCHcast</a> - and introduced me to <a href="http://www.last.fm/" target="_blank">Last.fm.</a><br>
<br />Back when my wife Phaedra first discovered Launch.com (I'm guessing it was in 1999) we both thought it was exactly the sort of innovative and flat-out <em>cool</em> thing that the Internet <em>should</em> be all about.<br>
<br />LAUNCHcast used a Flash-based interface to play streaming 'Internet radio.' In and of itself, this wasn't all that impressive. The audio stream wasn't very high-fidelity, in particular.<br>
<br />But the collaborative environment was the killer feature. You could rate songs, on a ten-point scale from <em>'never play again'</em> to <em>'favorite'</em>. The LAUNCH system would gradually learn your music preferences, and tune your streaming radio to play more of your highly rated songs. But it would <em>also</em> let you find other users with similar listening preferences, and <em>subscribe</em> to their stations - adding their choices to your own, and allowing you to discover new (or old!) music. You could also add your friends - allowing them to influence your station as well.<br>
<br />Suddenly, I was discovering and enjoying new music like I did back in high school and college. <span style="font-style:italic;">Yeah baby!</span><br>
<br /><span style="font-style:italic;">Let me pause for a moment to point something out: I'm 38 years old. I went to high school and college in the '80s. I grew up listening to Led Zeppelin, The Who, Yes, Genesis, Emerson Lake & Palmer, ELO - and got the full effect of 80s post-punk synth-pop new-wave hair-metal right in the middle of my teen-angst years. Peter Gabriel, Eurythmics, New Order, Prince, The Cars, U2, Ozzy, Def Leppard - bring em on! And MTV played music videos! Lots of 'em!<br>
<br />WMMS in Cleveland was a highly influential and eclectic station, and we could listen to it all day. (Now it's just <a href="http://www.fujichia.com/billboards/6a.html" target="_blank">one more Clearchannel station.</a>)<br>
<br />We also had our own <a href="http://www.wkhr.org/history.html" target="_blank">high school radio station</a> - which is today, two decades later, basically devoid of meaningful student participation - despite the fact that it's still located on the high school campus. Shame on you, Kenston High!<br>
<br />Radio today is homogenized, soulless, and gutless - and it's not for me. It certainly isn't something I can use to discover new music!<br></span>
<br />So Phaedra and I each spent a lot of time listening to LAUNCHcast, evangelizing it to our friends, and tweaking our stations. I had close to five thousand songs rated in my profile - making me a 'fanatic.'<br>
<br />But it was too good to last.<br>
<br /><strong><span style="color:#993399;">ENTER THE RIAA</span></strong><br>
<br />Because you could choose to listen to just your own LAUNCHcast station (without any other influencing stations) and choose to play only highly rated songs, it was possible to construct a LAUNCHcast station which would play a given song at a predictable time. Never mind that no one in their right mind would actually <span style="font-style:italic;">want</span> to go through the trouble to do it - remember, this wasn't high quality audio, and Napster was providing a readily available method for copying specific songs, if that was what you wanted - all the RIAA cared about was that you <span style="font-style:italic;">could.</span><br>
<br />The RIAA <a href="http://www.afterdawn.com/news/archive/2077.cfm" target="_blank">sued LAUNCH</a> in May of 2001 because the service was <span style="font-style:italic;">too interactive,</span> and, they claimed, violated the level of licensing that LAUNCH had negotiated. This was my first clue that the RIAA <span style="font-style:italic;">didn't get it.</span> I could understand the outrage over Napster, but LAUNCHcast radio was a <span style="font-style:italic;">licensed</span> service which had <span style="font-style:italic;">substantially</span> increased my music purchases (you could buy a song or album on LAUNCH by clicking on the <span style="font-style:italic;">Now Playing</span> image) - I was actively buying music after almost a decade of commercial-radio-influenced apathy. I didn't see any reason that wouldn't continue.<br>
<br />That is, until the RIAA <span style="font-style:italic;">shut them down.</span> Passionate e-mails to Hilary Rosen (then the president of the RIAA) went unanswered.<br>
<br /><strong><span style="color:#993399;">LAUNCH re-emerged</span></strong> after being purchased by Yahoo! But in order to use the new service, you had to <span style="font-style:italic;">create a new account!</span> All the hours of rating music, artists, and albums by the old LAUNCH fanatics were <span style="font-style:italic;">gone.</span> Your friends were <span style="font-style:italic;">gone.</span> And Yahoo! filled my station with ads, and then encouraged me to buy a subscription to get rid of 'em again. There was also a limit on how many songs I could skip without a paid subscription. Phaedra bought one. I said <span style="font-style:italic;">"Screw 'em."</span><br>
<br /><span style="font-style:italic;">(I learned, from <a href="http://slashdot.org/comments.pl?sid=136440&cid=11405874" target="_blank">another Slashdot poster</a>, that the same sort of thing had happened when LAUNCH was started from the ashes of Firefly.com. Microsoft bought Firefly to acquire the technology which would become Passport, and then <a href="http://www.wired.com/news/culture/0,1284,21243,00.html" target="_blank">let Firefly die.</a> None of the ratings database that the old members had painstakingly created survived. What a missed opportunity for Microsoft!)</span><br>
<br /><strong><span style="color:#993399;">THIRD VERSE, SAME AS THE FIRST?</span></strong><br>
<br />So now there's <a href="http://www.last.fm" target="_blank">Last.fm.</a> It's essentially the same idea as the old Firefly and LAUNCH services - you rate streaming music, the system learns your tastes, and once you've rated enough music, you acquire <span style="font-style:italic;">neighbors</span> who influence your <span style="font-style:italic;">profile station.</span><br>
<br />It's still officially in beta, and there are a number of issues. (As I write this, a banner at the top of the <a href="http://www.last.fm" target="_blank">home page</a> reads: <span style="font-style:italic;">"Radio recommendation service restarting. You may experience 'random radio' for a while..."</span>) There aren't that many users yet, so you might not find a good match in the beginning. (Before you have your own profile, you can search for other stations by entering up to three artists. I entered <span style="font-style:italic;">Peter Gabriel,</span> <span style="font-style:italic;">Annie Lennox,</span> and <span style="font-style:italic;">The Prodigy.</span> There were no matches. Uh-oh.) There's quite a bit of available music, but you might find that some of your favorite songs, albums or artists aren't available yet. Response to the 'Skip' button is slow, and the current track doesn't always update promptly - or at all. It might take a day or two of dedicated listening and rating before you have your own profile radio.<br>
<br />So, does it suck? No, it <span style="font-style:italic;">rocks!</span> LAUNCH had a lot of the same problems, and I put up with them because, ultimately, it still <span style="font-style:italic;">worked.</span> Last.fm <span style="font-style:italic;">works.</span><br>
<br /><strong><span style="color:#993399;">Audioscrobbler</span></strong><br>
<br />What helps make Last.fm better is a family of plug-ins called <a href="http://www.audioscrobbler.com" target="_blank">Audioscrobbler</a>. Rather than the occasionally flaky Flash-based LAUNCH control panel, Audioscrobbler plugs into your favorite media player - WinAmp, iTunes, XMMS - and there are versions for Windows, Mac OS, UNIX & Linux, and even Amiga! And not only does Audioscrobbler record your preferences when you're listening to Last.fm, but it also rates songs while you're listening to your own collection. <span style="font-style:italic;">Cool!</span><br>
<br />I'm using iTunes, largely because my wife has been actively importing our CD collection into iTunes on our old G4 Mac - making our music library accessible from any of the computers in the house. (She's been making compilation CDs for the car, but I think she's also planning ahead for her inevitable iPod purchase.)<br>
<br />I hope Last.fm avoids the fate of Firefly and LAUNCHcast. I'm loving it so far. If you sign up, <a href="http://www.last.fm/user/throughthewire" target="_blank">give my station a listen.</a><br /><br /><strong>Who's Responsible for Your Domain Name?</strong> (2005-01-23)<br /><br />How much value do you attach to your domain name? Many companies seem to treat theirs as if it is only worth the $20 or so they might have spent to register it in the first place.<br>
<br /><em>"Now wait a minute,"</em> you might be saying, <em>"we know that it's an extremely valuable business asset."</em> I'm sure you do. So who's responsible for it?<br>
<br /><strong><span style="color:#993399;">Hint:</span></strong> <em>"My ISP handles all that stuff"</em> is a <em>bad</em> answer.<br>
<br />Two years ago, I got a frantic call from one of my clients - a small insurance firm. They weren't getting any e-mail. A brief investigation soon revealed why - their domain had expired.<br>
<br />Typically, when your domain is in danger of expiring, your registrar will send you numerous e-mails, and probably a letter or two. After all, if your domain expires, they won't collect your renewal fee.<br>
<br />In this case, however, the domain had originally been registered by their previous consultant, and his e-mail address was associated with all the contact information for the domain. He had subsequently shut down his business - so e-mails to him went nowhere. The insurance company had also moved to a new office - so the physical address associated with the registration was wrong. The phone and fax numbers had changed. Even the credit card that had been used to pay for the registration had been cancelled. There had simply been no way for the registrar to contact my client - and no one at the client had realized the need to update the information. They are not a technology company - that's the sort of thing they relied on their 'computer guy' to handle. When their previous consultant left, the domain registration had 'fallen off the radar.'<br>
<br /><strong><span style="color:#993399;">The lesson I learned</span></strong> was that I could never assume that a new client had <em>anyone</em> who was responsible for their domain, and my 'best practices' for new clients now includes a domain audit.<br>
<br /><strong><span style="color:#993399;">Among the things that I recommend:</span></strong><br>
<br /><ul><li>Domain registrations include several contacts: at a minimum, there will be an <em>Administrative contact</em> and a <em>Technical contact</em>. It is not uncommon to have a <em>Billing contact</em> as well, and there may also be a separate <em>Registrant</em> for the domain. All the contacts <em>should not be the same person!</em> At a minimum, the Administrative contact and Technical contact should be different, and at least one of them should have a contact e-mail address that is not in the registered domain. (If the domain is offline, or there are transfer issues, it may not be possible to reliably send e-mail to addresses within that domain.)</li>
<br /><li>Your company's network documentation file or binder (you <em>do</em> have one, right?) should list the registrar, the contact information, and the expiration date for the domain. A specific individual should be responsible for domain renewal, and should have a reminder (whether it's an Outlook appointment, a reminder in their contact manager, or a physical 'tickle' file) to renew the domain before it expires. Do not rely on the registrar to contact you. They <em>should,</em> but if something can go wrong, it will. The same responsible person should update the records at the registrar if your company's phone number or address changes. Some pretty substantial companies, who should know better, have failed to renew their domains in time - with embarrassing or amusing results, depending on your point of view.</li>
<br /><li>Find out whether your registrar will allow you to lock your domain records (most will; many will have already done it for you) in order to prevent unauthorized transfers or changes to your records.</li>
<br /><li>Your documentation should also list the public DNS servers responsible for your domain (which might also be maintained by the registrar, or by your ISP, by a third party, or by your company itself - depending on the nature of your business, and the extent of your Internet presence.)</li>
<br /><li>The first entry in a DNS zone file is the SOA, or <em>Start of Authority</em> record, and it includes the e-mail address of the 'responsible' administrator for the domain. Make sure that this is a valid address (at a company where I just completed an e-mail migration, it wasn't) and that the mailbox associated with that address is monitored. This is often a <em>postmaster,</em> <em>hostmaster,</em> or <em>root</em> address, so that it doesn't need to be updated, even if the person who holds that role in the organization changes.</li>
<br /><li>Keep a copy of the DNS zone file itself, including the names and IP addresses of web servers and mail servers. If you ever have to reconstruct a DNS record from nothing (for example, after a botched transfer to a new ISP or DNS hosting company) this can mean the difference between getting back on the Internet in minutes or hours, rather than days.</li>
<br /><li>And if you're moving from one ISP to another, or changing registrars, have the process managed by a consultant or engineer who understands how DNS works - and who has successfully run migrations for other organizations. Ask for references.<br>
<br />Done correctly, a move shouldn't even be noticeable. But a botched move can result in a domain effectively vanishing from the Internet, and due to the nature of the DNS caching process, it may be impossible to completely correct for 24 hours or more. One former client - against my advice - chose to allow their new ISP to manage the move from their old one. Twice.<br>
<br />Each time, they dropped off the Internet for more than a day. And when all of your revenue is generated from your web site, discovering that your home page now says "Future home of..." is cause for panic.<br>
<br />Partly as a result of their experiences, I now avoid telling an organization's old ISP <em>anything</em> about a move until <em>everything</em> - web site, e-mail, DNS records - is up and running at the new one.</li></ul>
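The checklist above, turned into a script you can run against your own documentation. This is an added example, not anything from the post; the record layout, the check names and both sample registrations are my own constructions (every domain, person and date in them is made up). The SOA conversion is the one non-obvious piece: in a zone file the administrator's address is written with the @ replaced by a dot.

```python
from dataclasses import dataclass, field
from datetime import date

# Role mailboxes the post recommends for the SOA contact, so the address
# survives staff changes.
ROLE_MAILBOXES = {"hostmaster", "postmaster", "root"}
AUDIT_DATE = date(2005, 1, 23)  # "today" for the sample runs below

@dataclass
class Contact:
    name: str
    email: str

@dataclass
class DomainRecord:
    domain: str
    expires: date
    locked: bool                  # registrar lock against transfers and record changes
    contacts: dict                # role ("registrant", "admin", "tech", "billing") -> Contact
    soa_rname: str                # RNAME field of the zone's SOA, e.g. "hostmaster.example.test."
    nameservers: list = field(default_factory=list)

def soa_rname_to_email(rname: str) -> str:
    """Turn an SOA RNAME into a mailbox. RFC 1035 writes the address with the
    '@' replaced by a dot, so the FIRST unescaped dot is the '@'; a dot inside
    the local part (john.smith) is escaped as '\\.'."""
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):  # escaped character: keep it literally
            local.append(rname[i + 1])
            i += 2
            continue
        if ch == ".":
            return "".join(local) + "@" + rname[i + 1:].rstrip(".")
        local.append(ch)
        i += 1
    return "".join(local)  # no dot at all: not a usable mailbox

def mail_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")

def audit(rec: DomainRecord, today: date, warn_days: int = 60) -> list:
    """Run the checklist from the post and return the findings (empty = pass)."""
    findings = []
    admin, tech = rec.contacts.get("admin"), rec.contacts.get("tech")
    if admin is None or tech is None:
        findings.append("administrative and technical contacts must both be set")
    elif admin.email.lower() == tech.email.lower():
        findings.append("administrative and technical contacts are the same person")
    domain = rec.domain.lower()
    if all(mail_domain(c.email) == domain for c in rec.contacts.values()):
        findings.append("no contact has an e-mail address outside " + domain)
    days_left = (rec.expires - today).days
    if days_left < 0:
        findings.append(f"domain EXPIRED {-days_left} days ago")
    elif days_left <= warn_days:
        findings.append(f"domain expires in {days_left} days")
    if not rec.locked:
        findings.append("registrar lock is not enabled")
    if len(rec.nameservers) < 2:
        findings.append("fewer than two public DNS servers listed")
    soa_mail = soa_rname_to_email(rec.soa_rname)
    if "@" not in soa_mail:
        findings.append(f"SOA RNAME {rec.soa_rname!r} is not a valid mailbox")
    elif soa_mail.split("@")[0] not in ROLE_MAILBOXES:
        findings.append(f"SOA contact {soa_mail} is a personal mailbox; prefer a role address")
    return findings

# Constructed records (all names, domains and dates are made up). NEGLECTED is
# modelled on the insurance firm above: the departed consultant is every contact.
NEGLECTED = DomainRecord(
    domain="example-insurance.test", expires=date(2005, 1, 10), locked=False,
    contacts={r: Contact("Old Consultant", "consultant@example-consulting.test")
              for r in ("registrant", "admin", "tech")},
    soa_rname="consultant.example-consulting.test.",
    nameservers=["ns1.example-isp.test"],
)
WELL_KEPT = DomainRecord(
    domain="example-insurance.test", expires=date(2006, 3, 1), locked=True,
    contacts={"admin": Contact("Office Manager", "manager@example-insurance.test"),
              "tech": Contact("Current Consultant", "dns@example-consulting.test"),
              "billing": Contact("Bookkeeper", "books@example-insurance.test")},
    soa_rname="hostmaster.example-insurance.test.",
    nameservers=["ns1.example-isp.test", "ns2.example-isp.test"],
)

if __name__ == "__main__":
    for label, rec in (("neglected", NEGLECTED), ("well kept", WELL_KEPT)):
        print(f"{label}: {rec.domain}")
        for finding in audit(rec, AUDIT_DATE) or ["no findings"]:
            print("  -", finding)
```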
<br /><strong><span style="color:#993399;">WHERE DO YOU START?</span></strong><br>
<br />If no one seems to know who your registrar is, you should be able to look it up using the <a href="http://www.whois.sc/" target="_blank"><em>WHOIS</em> tool</a> at Whois Source. (Any registrar will have a WHOIS tool; I like this one because it will also display the former registration records for recently expired domains.) You can verify your records, and the expiration date of your registration.<br>
<br />James Ponder has written a <a href="http://www.squish.net/dnscheck/" target="_blank">fantastic online tool</a> for all kinds of DNS diagnostics; you can use it to verify your SOA, MX and A records, and perform general troubleshooting on name resolution for your domain.<br>
<br />If you're curious about the inner workings of DNS, <a href="http://www.oreilly.com/catalog/dns4/" target="_blank">DNS and Bind</a> by Paul Albitz and Cricket Liu is generally considered to be <em>the</em> reference. You should have a decent grasp of networking in general - and the TCP/IP protocol suite in particular - before you dive in.<br>
<br /><strong><span style="color:#993399;">Make sure someone's responsible for your domain name now,</span></strong> instead of after someone asks, <em>"Where did our web site go?"</em><br /><br /><strong>MSN Search Thinks I'm an Authority</strong> (2004-11-05)<br /><br />I recently began tracking 'hits' to my site, using a <a href="http://www.extreme-dm.com/tracking/?reg" target="_blank">free tracker from extremetracking.com.</a>
<br />
<br />It's nice to know that I actually <em>have </em>traffic (thanks!) and I'm not just writing for the crickets.
<br />
<br />One of the things that the tracker shows is <em>referrers </em>- that is, whether a visitor clicked on a link on another web page to get to mine. And all of the referrer results so far have been from <a href="http://search.msn.com" target="_blank">search.msn.com</a> - people searching for <em>passthison</em>, <em>preexploit</em>, <em>spyware</em> and <em>virus</em> are being directed to my "<a href="http://bitspitter.blogspot.com/2004/09/dont-click-that.html" target="_blank">Don't Click That!</a>" post from last month.
<br />
<br />Searching for <a href="http://search.msn.com/results.aspx?FORM=MSNH&q=preexploit%20virus" target="_blank"><em>preexploit </em>and <em>virus</em></a>, in fact, currently returns this site as the <em>only </em>result.
<br />
<br /><strong><span style="color:#993399;">If you came here from a search engine,</span></strong> please post a comment to let me know whether you found what you were looking for. Or send me e-mail - maybe I can help you out.
<br /><strong>Did You Send That Virus?</strong> (2004-10-31)<br /><br />If you've recently gotten a notification that you sent a virus to someone in email - you probably haven't.
<br />
<br />I regularly run into people who are convinced that they <em>must</em> have a virus - even though their own antivirus software indicates that their machine is clean - because they keep getting email that claims they've sent a virus to someone else. In fact, they're being needlessly annoyed (and panicked) by email administrators who have not adjusted the behavior of their antivirus software to match the behavior of today's viruses and worms.
<br />
<br />At one time, it was reasonable and helpful to send a message back to the sender's address when a virus was found in email - so that the sending user had some idea that all was not right with their machine, and could take steps to clean it up.
<br />
<br />But many of today's viruses and worms <em>propagate</em> (spread) by using <em>spoofed</em> email addresses, and chances are good that the apparent sender's [From:] address has nothing to do with the infected machine.
<br />
<br /><em>(A computer </em>virus <em>makes copies of itself when a user performs an action - such as launching a program, or opening a file. It may have a relatively harmless or extremely malicious payload, or no payload at all. A</em> worm <em>is able to make copies on its own, and spread from computer to computer with no user interaction. A</em> trojan <em>is harmful software which the user is tricked into installing, but does not make copies of itself.)</em>
<br />
<br /><strong><span style="color:#993399;">HOW DOES SPOOFING WORK?</span></strong>
<br />
<br />Both <em>Simple Mail Transport Protocol</em> [SMTP] and the <em>Internet Protocol</em> [IP, or TCP/IP] it runs on are vulnerable to spoofing. Both are designed to route messages to a destination address, even under less than ideal conditions - but in the innocence of the Internet's early years, security was not a design concern, and so neither protocol normally does anything to verify the <em>sender's</em> address.
<br />
<br />It's not unlike a postcard - you can make up anything you like as the return address, and the card will still be delivered. You might be able to convince your victim that they are inexplicably being deluged with postcards from <a href="http://www.weirdal.com/" target="_blank">Weird Al Yankovic</a>, unless they notice the cards are postmarked Camden, New Jersey - not Hollywood, California.
<br />
<br />But on a postcard, the postmark is easy to see, and easy to understand. With email, the equivalent of a postmark is the SMTP headers, which are generally hidden from the user, and not so easy to interpret. (Selecting <em>Properties</em> from the <em>File</em> menu in Outlook Express, and then selecting the <em>Details</em> tab, will display the headers. In Outlook, viewing the message Options will show the headers. In <a href="http://gmail.google.com/gmail/help/about.html" target="_blank">Gmail</a>, select <em>more options </em>and then <em>show original</em>. If you'd like a Gmail account, I probably have an invite for you.)
<br />
<br />SMTP headers look like this:
<br />
<br /><blockquote>Delivered-To: charles.cook@gmail.com
<br />Received: by 10.38.96.67 with SMTP id t67cs379rnb;
<br />Fri, 10 Sep 2004 09:12:27 -0700 (PDT)
<br />Received: by 10.38.11.80 with SMTP id 80mr991326rnk;
<br />Fri, 10 Sep 2004 09:12:26 -0700 (PDT)
<br />Return-Path: <blogdex-verify@media.mit.edu>
<br />Received: from aleve.media.mit.edu ([18.85.2.171])
<br />by mx.gmail.com with ESMTP id 61si136445rnb;
<br />Fri, 10 Sep 2004 09:12:26 -0700 (PDT)
<br />Received-SPF: none
<br />Received: from localhost.localdomain (epicenter.media.mit.edu [18.85.45.85])
<br />by aleve.media.mit.edu (8.9.3p3/8.9.3/+ALEVE) with ESMTP id MAA31517
<br />for <charles.cook@gmail.com>; Fri, 10 Sep 2004 12:12:26 -0400 (EDT)
<br />Date: Fri, 10 Sep 2004 12:12:26 -0400 (EDT)
<br />Message-Id: <200409101612.maa31517@aleve.media.mit.edu>
<br />From: blogdex-verify@media.mit.edu
<br />To: charles.cook@gmail.com
<br />Subject: blogdex verification for http://bitspitter.blogspot.com</blockquote>
<br />The important bits are the 'Received:' entries, including the IP addresses. Even these can be forged - but they can't <em>all</em> be forged, and an expert will be able to identify spoofed and/or forged email, and the point where it <em>really</em> entered the mail stream.
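Walking the Received: chain in code, as an added example (not the post's own): it parses the headers quoted above, plus a constructed forged sample of the kind the worms described later in the post produce, and reports where each message really entered the mail stream. The function names, the regular expressions and the "does the From: domain match the first relay" check are my own; the forged sample's hosts and addresses are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header block copied from the post above. SMTP continuation lines are indented
# here, as they are on the wire, so the standard library parser can unfold them.
LEGIT_HEADERS = """\
Delivered-To: charles.cook@gmail.com
Received: by 10.38.96.67 with SMTP id t67cs379rnb;
        Fri, 10 Sep 2004 09:12:27 -0700 (PDT)
Received: by 10.38.11.80 with SMTP id 80mr991326rnk;
        Fri, 10 Sep 2004 09:12:26 -0700 (PDT)
Return-Path: <blogdex-verify@media.mit.edu>
Received: from aleve.media.mit.edu ([18.85.2.171])
        by mx.gmail.com with ESMTP id 61si136445rnb;
        Fri, 10 Sep 2004 09:12:26 -0700 (PDT)
Received-SPF: none
Received: from localhost.localdomain (epicenter.media.mit.edu [18.85.45.85])
        by aleve.media.mit.edu (8.9.3p3/8.9.3/+ALEVE) with ESMTP id MAA31517
        for <charles.cook@gmail.com>; Fri, 10 Sep 2004 12:12:26 -0400 (EDT)
Date: Fri, 10 Sep 2004 12:12:26 -0400 (EDT)
Message-Id: <200409101612.maa31517@aleve.media.mit.edu>
From: blogdex-verify@media.mit.edu
To: charles.cook@gmail.com
Subject: blogdex verification for http://bitspitter.blogspot.com

"""

# Constructed sample of the worm pattern: From: names a real contact, but the
# machine that handed the message in is somewhere else entirely. Hosts and
# addresses are made up (203.0.113.0/24 is reserved for documentation).
FORGED_HEADERS = """\
Return-Path: <sally@example-friend.test>
Received: from mx.example-friend.test (unknown [203.0.113.77])
        by mail.example-recipient.test with SMTP id c0ffee; Sat, 30 Oct 2004 22:10:01 -0500
From: sally@example-friend.test
To: jane@example-recipient.test
Subject: re: your document

"""

HOP_RE = re.compile(r"(?:from\s+(?P<helo>\S+)(?:\s+\((?P<seen>[^)]*)\))?\s+)?by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(msg):
    """Return the hops oldest-first. Each relay prepends its own Received:
    line, so the LAST header in the message is the first server to accept it
    and the only record of the machine the message actually came from."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(raw.split())            # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:                                # unrecognised format: keep it visible
            hops.append({"raw": text})
            continue
        ip = IP_RE.search(text[m.start():m.start("by")])
        hops.append({
            "helo": m.group("helo"),             # name the sender *claimed* (HELO); forgeable
            "seen": m.group("seen") or "",       # what the receiving server itself observed
            "ip": ip.group(1) if ip else None,   # observed peer address, if recorded
            "by": m.group("by"),                 # the server that wrote this line
        })
    return hops

def origin(msg):
    """Compare the two forgeable sender claims with the earliest trace record."""
    hops = parse_received(msg)
    first = hops[0] if hops else {}
    return {
        "header_from": parseaddr(msg.get("From", ""))[1],           # what the user sees
        "envelope_from": parseaddr(msg.get("Return-Path", ""))[1],  # SMTP MAIL FROM; also forgeable
        "first_hop_ip": first.get("ip"),
        "first_hop_claimed": first.get("helo"),
        "first_hop_seen": first.get("seen"),
        "first_relay": first.get("by", ""),
    }

def sender_consistent_with_path(msg):
    """Does the From: domain belong to the server that first accepted the
    message? A mismatch is the usual mark of a forged sender, not proof of one:
    legitimate mail sent through a third-party relay mismatches too."""
    o = origin(msg)
    dom = o["header_from"].rsplit("@", 1)[-1].lower()
    relay = o["first_relay"].lower()
    return bool(dom) and (relay == dom or relay.endswith("." + dom))

LEGIT = message_from_string(LEGIT_HEADERS)
FORGED = message_from_string(FORGED_HEADERS)

if __name__ == "__main__":
    for label, msg in (("post's sample", LEGIT), ("constructed forgery", FORGED)):
        print(label, origin(msg), "consistent:", sender_consistent_with_path(msg))
```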
<br />
<br />But the vast majority of email users are <em>not</em> experts, and will never look at their headers, or be able to interpret what they would see.
<br />
<br />And it doesn't take sophisticated hacker tools to send a spoofed email. Outlook Express works just fine. Simply lie to the configuration wizard about your name and email address. You won't be able to <em>receive</em> email for the spoofed address; you can only send it - but that's all we're trying to do.
<br />
<br /><em>Spoofing works because the only address that must be correct is the recipient address. The sender's address can be forged and the email will still be delivered.</em>
<br />
<br /><strong><span style="color:#993399;">WHAT DOES ALL THIS HAVE TO DO WITH WORMS AND VIRUSES?</span></strong>
<br />
<br />In 1999, the Melissa virus was the first to harvest email addresses from the victim's own computer. It sent copies of itself to up to 50 addresses it found in the Outlook address book. Because it appeared to be from someone they knew, many people were fooled into opening the email and infected attachment, and Melissa spread faster than any previously known virus.
<br />
<br />After the 'success' of Melissa, more address-harvesting worms and viruses followed, including "Anna Kournikova," Sircam, Nimda, Klez, and Bugbear - all of which achieved widespread and rapid infection rates.
<br />
<br />But all of them used the email address of the infected victim, making it possible to identify the sender, and (hopefully) get them to clean up their machine. Antivirus software automatically sent infection notices back to the sender's address.
<br />
<br />This January, the MyDoom (or Novarg) worm took the next logical step in deception, and used the addresses it harvested from the infected machine as spoofed senders, as well as targets. Sally's infected computer now sent email <em>to </em>Jane <em>from </em>Bob, and identifying the actual source became essentially impossible for the vast majority of computer users. It worked - MyDoom spread faster than any previous worm, sending more than 100 million emails in the first 36 hours of infection, and infecting more than one million computers. The Sasser worm and Bagle variants followed, also using forged sender addresses.
<br />
<br />Today, only an expert has much of a chance to identify the actual source of an infected email. Notifying the 'sender,' either with an automated response from an antivirus program, or by reply email, is at best useless, and often worse.
<br />
<br /><strong><span style="color:#993399;">I recently had to intervene</span></strong> on behalf of a client who was being accused of repeatedly sending viruses to someone she didn't know. The virus turned out to be Bagle.Z, which, of course, spoofs the sender's address.
<br />
<br />The tone of the emails began with:
<br /><blockquote>I'm going to ask you one more time to quit sending me viruses and to take me off of your email list. If this does not happen and I get one more email from you, I am going to contact your internet provider and have them take care of you.</blockquote>
<br />And got progressively angrier, with an obscenity or two:
<br /><blockquote>This is a quarantine report from my internet service. Do you see your name under the forbidden attachment report? Now are you going to try to tell me that you have never sent me anything???????
<br />Sorry, these reports don't lie. You obviously have something wrong with your computer such as a virus that you are unaware of. All I know is that I am getting sick and tired of you sending me this shit. Get something done with your computer or if you don't know what you are doing, quit using the damn thing.</blockquote>
<br />It took both an email from me, explaining what was happening (and spoofed to appear to be <em>from</em> the hothead in question as a proof-of-concept) <em>and </em>an email from <em>their own ISP </em>to finally provide this person with a clue.
<br />
<br /><strong><span style="color:#993399;">If you receive a notification</span></strong> (or an accusation!) that you sent someone a virus, you should simply delete it. And if your antivirus software automatically sends notifications as replies to infected email, consider turning that feature off. It is, unfortunately, no longer helpful.
<br />
<br />Run antivirus software, keep it up to date, and keep your operating system and software updated. The folks in your address book will appreciate it.
<br />bitspitterhttp://www.blogger.com/profile/14808524441658851666noreply@blogger.com0tag:blogger.com,1999:blog-8221207.post-1099193115418162272004-10-30T22:03:00.000-05:002004-10-30T22:25:15.416-05:00Don't Click That! UpdateThe Federal Trade Commission <a href="http://news.zdnet.com/2100-1009_22-5403438.html?tag=nl" target="_blank">has filed suit against</a> Sanford Wallace, the star of last month's sordid little tale of spyware, hijacked browsers and pop-up hell.
<br />
<br />And U.S. District Court Judge Joseph DiClerico Jr. <a href="http://techrepublic.com.com/5100-22_11-5426734.html" target="_blank">granted a temporary restraining order</a> - ruling that Wallace and his businesses must refrain from exploiting Internet security vulnerabilities.
<br />
<br />Now that's what I'm talkin' 'bout!
<br />
<br />bitspitterhttp://www.blogger.com/profile/14808524441658851666noreply@blogger.com0tag:blogger.com,1999:blog-8221207.post-1094850275241650032004-09-10T16:03:00.000-05:002004-09-11T00:05:39.316-05:00Is That a Real Virus Alert?Something that I have to consider from time to time - both in my role as a consultant, and as a trainer - is whether or not I'm assuming something is 'common knowledge' for my students or clients, when it isn't. Experts often forget what a beginner, or just a non-expert, doesn't know. I was reminded of this during a phone conversation with a client last week.
<br />
<br />I was a bit confused at first (and so was she) because her screen had both a spyware popup, made to look like a Windows alert - claiming <em>"You have been infected with spyware!"</em> (no kidding) - <em>and</em> a genuine alert from her antivirus software (because the spyware had just attempted to install a trojan.)
<br />
<br />It struck me that one of the reasons that the fake spyware alerts are effective at fooling the average computer user is that they may not be sure what a genuine alert from their antivirus software looks like! Especially in a business environment, the end user may not have installed the software themselves, and quite possibly couldn't tell you which software is installed - or where to find the controls.
<br />
<br /><strong><span style="color:#993399;">HOW DO YOU GENERATE A VIRUS WARNING</span></strong> without actually loading a virus on the computer? By using a file that the antivirus software vendors have generally agreed to treat as a virus, even though it isn't. The folks at <a href="http://www.eicar.org" target="_blank">EICAR</a> <em>(European Institute for Computer Anti-Virus Research)</em> have a <a href="http://www.eicar.org/anti_virus_test_file.htm" target="_blank">collection of files</a> available to test your software. Try it yourself, and if you support a network, use it to educate your users!
<br />
<br /><em>(I know the EICAR test file is detected by </em><a href="http://www.trendmicro.com/vinfo/" target="_blank"><em>Trend</em></a><em>, </em><a href="http://securityresponse.symantec.com/" target="_blank"><em>Symantec</em></a><em>, </em><a href="http://us.mcafee.com/virusInfo/" target="_blank"><em>McAfee</em></a><em>, </em><a href="http://www.pandasoftware.com/virus_info/" target="_blank"><em>Panda</em></a><em>, and </em><a href="http://www.viruslist.com/eng/index.html" target="_blank"><em>Kaspersky</em></a><em> antivirus software. If your software doesn't detect the file as a virus, you might want to verify that your 'real time protection' is active. You </em>do<em> have antivirus software, don't you?)</em>
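<br />Here is an added example (my own script, not from EICAR or the original post) that does the 'try it yourself' step in code: it writes the published 68-byte EICAR test string to a file, waits briefly, and reports whether real-time protection refused the write, removed the file, or left it alone. The file name eicar.com and the temporary directory are my choices, not part of the standard.

```python
import os
import tempfile
import time

# The published EICAR standard test string (68 printable ASCII bytes). Raw string
# because it contains a backslash.
EICAR_TEST_STRING = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_bytes():
    """File content exactly as the standard specifies: the 68-byte string and nothing else."""
    data = EICAR_TEST_STRING.encode("ascii")
    if len(data) != 68:
        raise ValueError("EICAR string has been altered; scanners will not recognize it")
    return data


def run_eicar_test(directory=None, filename="eicar.com", wait_seconds=2.0):
    """Write the test file and report what the resident antivirus did about it.

    With real-time protection active, one of three things should happen: the
    write is refused, the file is quarantined or deleted within a moment, or its
    contents are replaced; in each case the product shows its own alert, which is
    the genuine warning worth showing users. Returns a dict describing the outcome."""
    directory = directory or tempfile.mkdtemp(prefix="eicar-demo-")
    path = os.path.join(directory, filename)
    result = {"path": path, "written": False, "intercepted": False, "detail": ""}
    try:
        with open(path, "wb") as fh:
            fh.write(eicar_bytes())
        result["written"] = True
    except OSError as exc:                       # scanner refused the write outright
        result["intercepted"], result["detail"] = True, f"write blocked: {exc}"
        return result
    time.sleep(wait_seconds)                     # give an on-access scanner time to react
    try:
        with open(path, "rb") as fh:
            on_disk = fh.read()
    except OSError as exc:                       # quarantined, deleted or locked
        result["intercepted"], result["detail"] = True, f"file gone or locked: {exc}"
        return result
    if on_disk == eicar_bytes():
        result["detail"] = "file untouched: no real-time scanner reacted"
    else:
        result["intercepted"], result["detail"] = True, "file contents were altered"
    return result


def cleanup(result):
    """Remove the test file if the scanner left it, so it does not trip a later scheduled scan."""
    try:
        os.remove(result["path"])
    except OSError:
        pass


if __name__ == "__main__":
    outcome = run_eicar_test()
    print(outcome["detail"], "->", outcome["path"])
    cleanup(outcome)
```

<br />If the script reports the file untouched, real-time protection is either off or not scanning that folder; that is exactly the case the italic note above tells you to check.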
<br />
<br /><em><strong><span style="color:#993399;">Don't make the mistake of thinking someone's an idiot for clicking on a spyware popup if you've never showed them what a real virus warning looks like.</span></strong></em>
<br />
<br />Training <em>matters.</em>
<br />
<br />bitspitterhttp://www.blogger.com/profile/14808524441658851666noreply@blogger.com0tag:blogger.com,1999:blog-8221207.post-1094747745105193862004-09-09T11:29:00.000-05:002004-09-12T11:50:04.230-05:00Don't Click That!I recently had to clean up a client computer that was infected with spyware. Or if you prefer, malware. I like <em>crapware</em>, personally.
<br />
<br />As this problem has mushroomed, and many of the web sites and programs involved have started behaving - for all practical purposes - just like computer viruses, I have been amazed that:
<br />
<br /><ul><li>No one has brought a class-action lawsuit against the proprietors of these web sites - or their sponsors.</li>
<br /><li>Most popular anti-virus programs have, until very recently, refused to identify and remove the software and browser modifications, resulting in a new class of spyware removal products such as <a href="http://www.safer-networking.org/en/index.html" target="_blank">Spybot Search & Destroy</a>, <a href="http://www.lavasoftusa.com/" target="_blank">Ad-Aware</a>, and <a href="http://www.pestpatrol.com/" target="_blank">PestPatrol</a> (which was recently purchased by <a href="http://www.ca.com" target="_blank">CA</a>, and so will probably show up in the next version of their <a href="http://www3.ca.com/Solutions/Product.asp?ID=156" target="_blank">eTrust</a> anti-virus software.)</li></ul>On the infected computer, the user's home page had been set to <span style="font-family:courier new;">www.passthison.con/r4/?s43</span>.
<br />
<br /><em>(Many of the URLs in this post are not clickable, and have been slightly mangled as well. If you feel compelled to fix the links and open them, I strongly recommend that you don't open them in Internet Explorer on Windows - unless you are </em>very<em> confident in your popup blocker, your antivirus software, and your spyware removal software - and are also sure that your </em><a href="http://windowsupdate.microsoft.com" target="_blank"><em>Windows service pack and security updates</em></a><em> are absolutely current. Don't blame me if you fill your computer up with crap!)
<br /></em>
<br />The 'Passthison' web site apparently used to pass itself off as <em>"A collection of the greatest fun sites to pass on to your friends."</em> It was featured on the BBC's <a href="http://www.bbc.co.uk/essex/website_day/f.shtml" target="_blank">Essex Web Site of the Day</a>, and on quite a few 'Cool Links' and 'My Favorites' web pages.
<br />
<br />A quick <a href="http://www.google.com/search?q=%22www.passthison.com%22" target="_blank">Google search</a>, however, also turned up several 'Passthison' removal tools and spyware discussions. There was apparently once even a Microsoft knowledge base "Q" article - <em>Q309313 PassThisOn.com Home Page Unexpectedly Appears When You Start Your Computer</em> - but it has since been removed.
<br />
<br />The 'Passthison' site also features in a 'browser hijacking' <a href="http://www.cdt.org/privacy/20040210cdt.pdf" target="_blank">complaint</a> filed with the FTC by the <a href="http://www.cdt.org/" target="_blank">CDT</a>. <em>(Good!)</em>
<br />
<br />And it turns out that the person behind 'Passthison' is none other than <a href="http://www.annonline.com/interviews/970522/biography.html" target="_blank">Sanford Wallace</a>, the allegedly 'reformed' Spam King, who has also been involved in <a href="http://news.com.com/2100-1023-203430.html?legacy=cnet" target="_blank">some</a> <a href="http://www.netlitigation.com/netlitigation/cases/compucase.htm" target="_blank">litigation</a>.
<br />
<br />The current home page at <span style="font-family:courier new;">www.passthison.con</span> is just a text file, which reads:
<br />
<br /><blockquote><em>"Due to new laws being enacted and controversy surrounding our business model, we have voluntarily decided to implement the cease of all current business practices by the end of June 2004."</em></blockquote>Uh-huh. But if you load the page (from the same site) that had hijacked my client's browser, it will:
<br />
<br /><ul><li>Open three popup ads from <span style="font-family:courier new;">adserver.con</span> - with no toolbar, location bar, status bar, or close box. Nice.</li>
<br /><li>Open a popup ad for Secret Keeper software, which promises it <em>"will allow you to protect your privacy, clear your history, and block unethical websites from changing your homepage or spying on you with cookies."</em> Do you suppose it will block the unethical website which changed your homepage to pop up this ad? I don't think so. No toolbar or close box on this one, either.</li>
<br /><li>Open a page titled <em>'preexploit.htm'</em> from a server at <span style="font-family:courier new;">209.50.251.182</span>. Pre-exploit, get it? Subtle, they aren't. They also aren't kidding, because the page in question will attempt to exploit a flaw with Internet Explorer's handling of <em>iframes</em>, web archives and help files. Have a look in the <a href="http://209.50.251.182/new-exploit5/" target="_blank">directory</a> - just don't click on anything! If they do manage to exploit your browser, they'll go on to inject trojan software and other assorted garbage onto your PC - at which point, your computer is under the control of the spammers, not you.</li></ul><em>(While I was researching the exploit, I ran across an article titled </em><a href="http://isc.sans.org/diary.php?date=2004-07-23" target="_blank"><em>"Follow the Bouncing Malware"</em></a><em> on </em><a href="http://www.sans.org/rr/" target="_blank"><em>SANS</em></a><em> - one of the best general Internet security sites. The author, </em><a href="http://www.labreatechnologies.com/about.htm" target="_blank"><em>Tom Liston</em></a><em>, attempts to determine how an unpatched Windows XP Home computer could be compromised, and ends up discovering the</em> exact same exploit <em>on the</em> exact same web server <em>- and follows the ugly results farther than I did.)
<br /></em>
<br />But wait - there's more! There are also several popup ads from <span style="font-family:courier new;">www.lovemynet.con</span>, including one which features a schmaltzy <em>"Friends Are Like Angels"</em> poem, and encourages you to <em>"Click HERE or click on the angel to send this special page to the people you want watched over..."</em>
<br />
<br />More like people you want <em>taken over</em>! Guess where that link will take you? Not-so-reformed Spam King Sanford Wallace's <span style="font-family:courier new;">smartbotpro.not</span>, where he'll be happy to harvest your and your friends' email addresses to use himself and sell to other spammers, and generate a few more popup ads, too.
<br />
<br />As a final insult, the page generates one more popup, positions it <em>way</em> off the screen so that it's effectively invisible, and continues to generate more popups from that! If you <em>can</em> see the window, it claims:
<br />
<br /><blockquote><em>"If your computer will NOT hide this big white window, you may have spyware on your system which is interfering with your ability to control hidden windows. Spyware also sends you unsolicited advertising, slows down your computer and could capture private information like credit card numbers and social security numbers, etc.
<br />
<br />I recommend that you install a "spyware removal" program so you can rid your computer of these parasites."</em></blockquote><em>(You almost have to admire the audacity. Perhaps this fellow will run for office the next time he 'quits' the spamming business.)
<br /></em>
<br />It then recommends <span style="font-family:courier new;">www.spydeleter.con</span> as a source for effective spyware removal. It wouldn't surprise me if it <em>does</em> clean out all the other spyware - so that your machine can be completely controlled by <em>theirs</em>. I've seen trojan programs do the same thing.
<br />
<br /><strong><span style="color:#993399;">SO WHAT'S THE SOLUTION?</span></strong> There isn't a simple one. If you lock down Internet Explorer in 'paranoid mode,' with scripting and other advanced features completely disabled, you'll be able to avoid a lot of these issues - but you'll also discover that quite a few popular web sites won't work properly. Several industry pundits have <a href="http://zdnet.com.com/2100-1105_2-5250697.html?tag=nl" target="_blank">begun</a> <a href="http://slate.msn.com/id/2103152/" target="_blank">recommending</a> <a href="http://www.mozilla.org/" target="_blank">Firefox</a> as an alternative browser, and it does have a lot to recommend it - but it's not free of security issues either, and like it or not, most popular web sites are formatted to work best with Internet Explorer.
<br />
<br /><strong><span style="color:#993399;">Keep as current as possible with Windows updates.</span></strong>
<br />Even if you're completely up to date, you may still be vulnerable, but you will certainly be vulnerable if you don't apply the updates. This is probably the single most important thing you can do.
<br />
<br /><strong><span style="color:#993399;">Install an Antivirus program, and make sure that its updates are working.</span></strong>
<br />Some block spyware as well - I've seen good results from <a href="http://us.mcafee.com/root/package.asp?pkgid=100" target="_blank">McAfee VirusScan</a>, and Trend's PC-Cillin 2005 is in <a href="https://trendmicro1.rsc03.net/servlet/website/ResponseForm?mktEw99UV_8LmH_cNgTX_yLn.40hkt_LQmLkgHsTU" target="_blank">beta test</a> until September 30th - you might be able to participate.
<br />
<br /><strong><span style="color:#993399;">If your Antivirus program does not also block spyware, then use an anti-spyware program.</span></strong>
<br />And make sure that it is updated regularly, as well.
<br />
<br /><strong><span style="color:#993399;">Don't send people 'cute' e-cards from unfamiliar sites.</span></strong>
<br />If it isn't Hallmark, or American Greetings, or anyone you've heard of, don't hand them your and your friends' email addresses, no matter how cute the little bunnies and angels are. If you have a friend or office mate who sends these things on a weekly basis, encourage them to stop. And to have their machine examined. And maybe their head, too.
<br />bitspitterhttp://www.blogger.com/profile/14808524441658851666noreply@blogger.com4tag:blogger.com,1999:blog-8221207.post-1094536138177570992004-09-06T23:41:00.000-05:002004-09-08T17:49:43.140-05:00Cheap Switches and Broadcast StormsOne of the continually amazing and wonderful things about computer technology is the continuing trend toward <em>smaller, faster, cheaper.</em>
<br />
<br />For example, when Kalpana (which was purchased by Cisco in 1994) introduced the first Ethernet switches in 1990, they were huge - about the size of a PC - which, to be fair, was also true of the Cisco routers they would challenge at the core of the LAN.
<br />
<br />They were slow - half-duplex 10 Megabit Ethernet - although again, this was the best available at the time.
<br />
<br />And the first seven-port model retailed for $10,500, or $1,500 per Ethernet port - still cheaper than a router, which might be three times that cost.
<br />
<br /><em>[These figures come from </em><a href="http://www.networkcomputing.com/"><em>Network Computing</em></a><em> magazine, which ranked the Kalpana EtherSwitch as the 5th </em><a href="http://www.networkcomputing.com/1119/1119f1products_5.html"><em>"Most Important Product of the Decade"</em></a><em> in October of 2000.]</em>
<br />
<br />Today, I can purchase a D-Link, Linksys, or Netgear eight-port full-duplex 100 Megabit switch for about $40, and can just about put it in my pocket. I don't even have to go to a computer store - Office Depot has Ethernet switches. So does Wal-Mart. They'll probably be in the check-out lane at Kroger soon, next to the batteries and gum.
<br />
<br /><em>(I can also purchase an original Kalpana EtherSwitch on eBay right now for $15, plus shipping, if I really want one.)
<br /></em>
<br />The cheap switches are meant for home networks and small offices, but I see lots of them on, under, and behind the desktops at larger businesses. The reasons are fairly simple - offices (and cubicles) which may have started with one occupant now hold two; the desktop PCs are now often joined by a laptop, and occasionally a networked printer (and a VoIP telephone is next!) - and when a new cable run to the wiring closet or server room might cost $50-$150 and require an expensive core switch upgrade (because all the ports are full!) it seems like a no-brainer to throw a $40 switch into each office.
<br />
<br />And it generally <em>is </em>a good solution, but there is a potential problem, which one of my clients recently found out the hard way.
<br />
<br />The small, cheap switches are <em>unmanaged</em>, which appeals to their target market. There's nothing to figure out - you plug them in and they work. But since they lack the capability for management, they also lack features which might require configuration, such as <em>Spanning Tree Protocol</em> - which we'll return to in a moment.
<br />
<br />
<br /><strong><span style="color:#993399;">I GOT A CALL</span></strong> after lunchtime on a Friday, from a colleague's cell phone - asking if I knew a store in town that was likely to have a couple of 24-port switches in stock. The client's switches - a pair of Cisco Catalyst 2900s - were 'going crazy.' No one could connect to anything; the port status lights were all blinking rapidly, and even after turning the switches off, the problem came right back after just a couple of minutes of operation.
<br />
<br />I thought it was highly unlikely that both switches had malfunctioned at the same time, and in any case I wanted to see what was happening (I had originally installed the switches myself) so I told him to skip the store and pick me up, and I grabbed a couple of Catalyst switches from my lab.
<br />
<br />Sure enough, the switches were blinking like crazy, but a quick look at the settings and status didn't indicate anything obviously wrong. In the interest of getting the client's network back online while we did forensics on the switches, we plugged in the spares from my lab and moved about forty patch cables from the old switches to mine.
<br />
<br />The problem cleared up, everyone started getting back to work - and then <em>my </em>switches went crazy. Since the status lights indicated constant traffic on every port, I figured that <em>any </em>port might give me some clue as to what was going on. Using Microsoft Network Monitor on one of the servers, I captured network traffic for several seconds.
<br />
<br />I found hundreds of frames, all from the same MAC address, each a NetBIOS broadcast request for a Master Browser. A Windows client was attempting to build a list of network resources. But Windows clients don't normally broadcast hundreds of NetBIOS requests per second. And I had trouble believing that any of the client machines could even continuously transmit at the rate I was observing.
<br />
<br />I queried the switches to determine the source port for that MAC address (the Catalyst switches <em>are </em>managed) and we tracked the source to a computer in shipping, which was connected to a small switch. We disconnected the computer, and the network settled down. I thought perhaps it had a malfunctioning network card; less likely but still possible was a virus or other malware (especially since this machine had recently been configured by FedEx.)
<br />
<br />And then the network went down again.
<br />
<br />A quick check back at the Catalysts showed that yes, it was the same problem, and the traffic was still originating from the same port. We had another look at the switch, and found that there were <em>five</em> patch cables, even though we had only found <em>three</em> computers in shipping. We followed one cable behind a bench, and shelves, and a stack of boxes, and then back to a different port on the same small switch! <em>Aha!</em> We unplugged the cable, and the problems went away - this time for good.
<br />
<br />What my client had been experiencing was a classic <em>broadcast storm</em>, which occurs when an Ethernet network has been configured with a loop.
<br />
<br />Data is sent through an Ethernet network in small packages called <em>frames</em>, which, much like a letter, have a destination address, a source address, and a payload, or data. The addresses are <em>media access control</em>, or MAC addresses, and are unique to each <em>network interface card</em>, or NIC.
<br />
<br />Switches use the source addresses to determine the location of each computer, printer, and other network device on the network. Frames with a specific source address will only enter one port (plug) on the switch. Once a switch has mapped a MAC address to a specific port, then frames with that address as the destination address will only be sent to that port.
<br />
<br /><em>(This is what distinguishes a switch from a hub. Hubs do not build a map of MAC addresses, and simply send an incoming signal out of every other port.)
<br /></em>
<br />But frames sometimes have a <em>broadcast address</em> as the destination - which is a special address intended for <em>every</em> NIC. Computers use this address when a message must be sent to all other computers - or when the destination MAC address is unknown.
<br />
<br /><em>(Consider a license plate number, which uniquely identifies a car. If you see a parked car with its lights left on, you might have the license number announced over the intercom. Everyone will hear the announcement (broadcast) but only the owner of the car needs to take action. Everyone else will ignore the announcement once they realize that the number isn't theirs.)
<br /></em>
<br />Because a broadcast frame is meant for every computer, a switch will send the frame out of every port (except for the port where it entered the switch.)
<br />
<br />But if there is a loop in the network, a broadcast frame leaving one switch port will enter through another, and the switch will once again send that same frame out of every port except the one it entered. In the case of my client, the loop was on a single switch. When any of the computers on that switch sent a broadcast, the switch would send the frame out of both looped ports - and almost instantaneously, it would appear <em>inbound</em> on the same two ports after going around the loop. The switch would once again send the frames out of every other port, <em>including the other port in the loop</em>, and the switch would become a perpetual-motion frame generator, constructing new broadcast frames as fast as it could process them.
<br />
<br />And since one of the ports on the switch led to the rest of the network, the whole network was flooded with an endless stream of broadcast frames. There was essentially no room left on the wire for any other machine to talk, so the network came to a standstill.<a href="#footnote1">*</a><a name="asterisk1"></a>
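<br />The following Python model is an added example, not the author's, of the switch behaviour just described: a learning switch with eight ports, a PC on port 1, an uplink to the rest of the network on port 8, and a single patch cable looped from port 4 back into port 5 (the port numbers and the MAC address are constructed). One broadcast is injected and frames are processed in rounds. Without the loop the broadcast is flooded once and the switch goes quiet; with the loop a fresh copy lands on the uplink every round, the frames never stop circulating, and the source MAC keeps flapping between the two looped ports, which is the symptom the managed Catalysts' MAC tables exposed.

```python
from collections import Counter, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Model of an unmanaged switch: learn the source MAC on the ingress port,
    send known unicast to one port, flood broadcast and unknown unicast to all others."""

    def __init__(self, port_count):
        self.ports = list(range(1, port_count + 1))
        self.mac_table = {}      # MAC -> port it was last seen on
        self.mac_flaps = 0       # times a known MAC showed up on a different port

    def forward(self, src, dst, in_port):
        if src in self.mac_table and self.mac_table[src] != in_port:
            self.mac_flaps += 1
        self.mac_table[src] = in_port
        if dst == BROADCAST or dst not in self.mac_table:
            return [p for p in self.ports if p != in_port]   # flood, never back out the ingress port
        out = self.mac_table[dst]
        return [] if out == in_port else [out]


def simulate_broadcast(loop_cable=None, rounds=100, pc_port=1, uplink=8):
    """Inject one broadcast from a PC and process frames round by round.
    loop_cable is an (a, b) pair of ports on the same switch joined by a patch
    cable: a frame sent out one end immediately re-enters at the other."""
    sw = LearningSwitch(8)
    other_end = {}
    if loop_cable:
        a, b = loop_cable
        other_end[a], other_end[b] = b, a
    pc_mac = "00:0c:29:aa:bb:cc"        # constructed sample address
    pending = deque([(pc_mac, BROADCAST, pc_port)])
    capture = []                         # what a sniffer on the uplink would see
    for _ in range(rounds):
        if not pending:
            break                        # nothing left to forward: the network is quiet
        src, dst, in_port = pending.popleft()
        for out in sw.forward(src, dst, in_port):
            if out == uplink:
                capture.append((src, dst))
            if out in other_end:         # around the loop and straight back in
                pending.append((src, dst, other_end[out]))
    return {
        "uplink_copies": len(capture),
        "still_circulating": len(pending),
        "mac_flaps": sw.mac_flaps,
        "capture": capture,
    }


def top_talker(capture):
    """Busiest source MAC in a capture: the same question the post answered with Network Monitor."""
    if not capture:
        return None
    mac, count = Counter(src for src, _ in capture).most_common(1)[0]
    return mac, count


if __name__ == "__main__":
    for label, loop in (("no loop", None), ("ports 4 and 5 looped", (4, 5))):
        r = simulate_broadcast(loop_cable=loop, rounds=100)
        print(f"{label}: {r['uplink_copies']} copies on the uplink, "
              f"{r['still_circulating']} still circulating, {r['mac_flaps']} MAC flaps")
    print("top talker:", top_talker(simulate_broadcast((4, 5))["capture"]))
```

<br />One broadcast on the looped switch produces a copy on the uplink in every one of the 100 simulated rounds and leaves two frames still in flight, so the count only stops when the cable is pulled. A real switch runs these rounds at wire speed, which is why the uplink and everything behind it was saturated within seconds.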
<br />
<br />
<br /><strong><span style="color:#993399;">SPANNING TREE PROTOCOL</span></strong> is designed to prevent loops in a switched network. All the interconnected switches in a network select one switch as a <em>root bridge</em> - based on the MAC address of the switch, and the switch's <em>bridge priority number</em>.
<br />
<br /><em>(The bridge priority needs to be adjustable - the bridge with the lowest priority will become the root. Otherwise the root bridge would be determined just by the MAC addresses, which would be something like choosing a leader based on who had the lowest Social Security number. This is why only managed switches typically implement spanning tree.)</em>
<br />
<br />All the switches then determine which of their ports (based on link speed and 'hops') has the lowest cost path to the root bridge. The switches do this by sending <em>bridge protocol data units</em>, or BPDUs, from each port - containing their own priority number, their current root bridge, and their lowest cost path to the root bridge. While each switch begins with itself as root, it will learn from the incoming BPDUs, until all the switches <em>converge</em> on a single choice for the root bridge, and have determined their own lowest cost path to that root.
<br />
<br />If a switch determines that there is more than one path to the root, it will disable (<em>block</em>) the higher cost ports. If two or more ports have the same cost, then the port with the lowest number will be the <em>active</em> port, and the others will be blocked. <em>Blocking</em> ports will never transmit any frames, but will still listen to incoming BPDUs, in order to respond to changes in the network.
<br />
<br />In this way, spanning tree is able to detect loops in the network, and shut down one of the looped ports. For a simple loop, such as the one at my client, the switch will notice that the incoming BPDUs have <em>its own</em> MAC address, and will disable the higher-numbered port.
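<br />As an added example (mine, not the author's or any vendor's code), this Python model carries the election just described through for three switches in a triangle plus the single-switch loop from the story. It is deliberately simplified: BPDUs are exchanged in lock-step rounds with no timers or listening/learning states, every link costs 19 (the classic IEEE cost for a 100 Megabit link), and the switch names, priorities and MAC addresses are constructed. The lowest (priority, MAC) pair wins the root election, each other switch keeps its lowest-cost port toward the root, the lower bridge id wins each shared link, and on the looped switch the BPDU arriving from its own lower-numbered port causes the higher-numbered port to block.

```python
def bridge_id(priority, mac):
    return (priority, mac)       # lowest tuple wins: priority first, MAC breaks ties


class Bridge:
    def __init__(self, priority, mac):
        self.id = bridge_id(priority, mac)
        self.link_cost = {}      # port -> cost of the link on that port
        self.heard = {}          # port -> best BPDU received this round
        self.state = {}          # port -> "forwarding" | "blocking"
        self.root, self.root_cost, self.root_port = self.id, 0, None

    def add_port(self, port, cost=19):     # 19: classic STP cost of a 100 Mbit link
        self.link_cost[port] = cost
        self.state[port] = "forwarding"

    def receive(self, port, bpdu):
        if port not in self.heard or bpdu < self.heard[port]:
            self.heard[port] = bpdu

    def bpdu(self, port):
        # what a designated port advertises: (root id, cost to root, own id, port)
        return (self.root, self.root_cost, self.id, port)

    def recompute(self):
        # root path vector (root id, cost to root, sender id, sender port, own port); lowest wins
        best = (self.id, 0, self.id, 0, 0)
        for port, (root, cost, sender, sender_port) in self.heard.items():
            candidate = (root, cost + self.link_cost[port], sender, sender_port, port)
            if candidate < best:
                best = candidate
        self.root, self.root_cost = best[0], best[1]
        self.root_port = None if self.root == self.id else best[4]
        for port in self.link_cost:
            if port == self.root_port:
                self.state[port] = "forwarding"
                continue
            mine = (self.root, self.root_cost, self.id, port)
            heard = self.heard.get(port)
            # designated (forwarding) unless a better BPDU arrived on this link. A BPDU
            # carrying our own id from a lower-numbered port means the cable is looped
            # back to ourselves, so the higher-numbered end loses and blocks.
            self.state[port] = "forwarding" if heard is None or mine < heard else "blocking"
        self.heard = {}          # BPDUs are re-learned every round (real STP ages them out)


def run_stp(bridges, links, rounds=10):
    """Exchange BPDUs in lock-step rounds: only designated ports send, root and
    blocking ports just listen. Returns each bridge's final port states."""
    for _ in range(rounds):
        for b in bridges.values():
            b.recompute()
        for (name_a, port_a), (name_b, port_b) in links:
            a, b = bridges[name_a], bridges[name_b]
            if a.state[port_a] == "forwarding" and port_a != a.root_port:
                b.receive(port_b, a.bpdu(port_a))
            if b.state[port_b] == "forwarding" and port_b != b.root_port:
                a.receive(port_a, b.bpdu(port_b))
    return {name: dict(b.state) for name, b in bridges.items()}


def build_demo():
    """Three switches in a triangle (constructed names and MACs). 'core' has the
    lowest priority and should win the root election; 'shipping' has a patch
    cable plugged from its port 4 straight back into its own port 5."""
    bridges = {
        "core": Bridge(4096, "00:00:00:00:00:0a"),
        "sales": Bridge(32768, "00:00:00:00:00:0b"),
        "shipping": Bridge(32768, "00:00:00:00:00:0c"),
    }
    links = [
        (("core", 1), ("sales", 1)),
        (("core", 2), ("shipping", 1)),
        (("sales", 2), ("shipping", 2)),
        (("shipping", 4), ("shipping", 5)),    # the loop
    ]
    for (na, pa), (nb, pb) in links:
        bridges[na].add_port(pa)
        bridges[nb].add_port(pb)
    return bridges, links


if __name__ == "__main__":
    bridges, links = build_demo()
    for name, ports in run_stp(bridges, links).items():
        print(name, "root" if bridges[name].root_port is None else f"root port {bridges[name].root_port}", ports)
```

<br />After a few rounds every switch agrees that core is the root, sales wins the sales/shipping link because its bridge id is lower so shipping blocks port 2 (the redundant path in the triangle), and shipping blocks port 5, the higher-numbered end of its own loop, while port 4 keeps forwarding. Pull either blocked port's cable and nothing changes; pull a forwarding one and the next rounds re-converge onto the spare path.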
<br />
<br />
<br /><strong><span style="color:#993399;">OF COURSE, THERE'S ALWAYS A CATCH.</span></strong> Spanning tree can take 30 seconds to converge after any change, which means that it might be 30 seconds before any new computer plugged into the network begins working. If the computer is configured to get an IP address automatically using DHCP, it may give up in those 30 seconds - and not try again for five minutes. In the meantime, of course, the computer won't be able to use the network, and a non-technical user might reasonably conclude that something's broken. Cheap, consumer-oriented switches are designed to start working as soon as a new device is plugged in, which means no spanning tree.
<br />
<br />And managed switches naturally are more expensive - sometimes by several hundred dollars over unmanaged versions. Many manufacturers don't offer managed switches with fewer than twelve or even 24 ports.
<br />
<br />
<br /><strong><span style="color:#993399;">IF YOU'RE GOING TO HAVE THESE THINGS</span></strong> on your network, you need to make sure that all your users understand that loops are big trouble. In the case of my client, an employee had made an effort to clean up the shipping area, and when they discovered an unplugged network cable, intended for temporary use by laptops, they chose to 'clean it up' by plugging it into the switch - right next to its other end! Ouch. The LAN network was unusable for most of that Friday, idling more than a dozen salespeople in that office, and even more in Austin and Dallas who connect via VPNs. The direct cost in consulting fees to diagnose the problem was substantial, but the cost in lost sales and lost employee productivity was much greater. You can be sure that the management had a long talk with the person responsible.
<br />
<br />Once a network reaches a certain size (and degree of complexity) you should implement a policy that no employee is allowed to plug <em>anything</em> into the network without the approval of the network support personnel. This can, of course, occasionally inconvenience an employee - or a visitor with a laptop - but when an innocent mistake can potentially bring down the entire network, the consequences are too great to ignore.
<br />
<br />Other common problems are wireless access points - which can provide a path into the core of your network, bypassing your firewall - and laptops running Windows XP with both a wireless and Ethernet adapter. It's not uncommon for XP with multiple adapters to be configured for <em>bridging</em>, which means that, yup - it's implementing spanning tree, and can cause interesting behavior by forcing the network to re-converge when it's plugged in. It's a <em>bad thing</em> when a visitor's laptop becomes the root bridge.
<br />
<br /><em><strong><span style="color:#993399;">Know what's plugged in to your network, and only allow authorized people to make changes.</span></strong>
<br /></em>
<br /><a href="#asterisk1">*</a><a name="footnote1"></a> My more technically aware readers will have observed that normally, plugging a cable back into the same switch (or another switch) will not cause a problem unless the cable is wired as a <em>crossover cable</em>. But because the cheap switches are designed to be consumer-friendly, they will 'helpfully' <em>automatically</em> change to crossover mode!
<br />
<br /><em>"Each port on the DSS-5+ supports automatic MDI/MDIX detection providing true 'plug and play' capability without the need for confusing crossover cables or crossover ports."</em>
<br />
<br />- from the <a href="http://www.dlink.com/products/?pid=69">product description</a> on a 5-port D-Link switch
<br />
<br />
<br />- bitspitter
<br />
<br /><strong>Welcome!</strong> (posted 2004-09-06)
<br /><span style="font-family:trebuchet ms;">"Arguments, agreements, advice, answers,</span>
<br /><span style="font-family:trebuchet ms;">Articulate announcements</span>
<br /><span style="font-family:trebuchet ms;">It's only talk"</span>
<br />
<br /><span style="font-family:trebuchet ms;"><em>Elephant Talk</em>, </span><a href="http://www.king-crimson.com/"><span style="font-family:trebuchet ms;">King Crimson</span></a>
<br />
<br /><span style="font-family:trebuchet ms;">Welcome students, clients and colleagues; friends and visitors! I intend this blog to be a resource for networking technology and general computer topics, plus whatever else happens to occur to me as it evolves.</span>
<br />
<br /><span style="font-family:trebuchet ms;">I work as a computer consultant, concentrating on Microsoft Exchange, Active Directory design and migrations; Cisco switching, routing, firewall and VPN infrastructure; and security for small and medium-sized networks. I also deliver training on Microsoft and Cisco technology.</span>
<br />
<br /><span style="font-family:trebuchet ms;">I hope you find something that captures your interest - if only for a moment!</span>
<br />
<br />- bitspitter