Hello,
It is only matter of a couple of hours here in Brussels. Yesterday they said on the Belgian news that worldwide the atomic clocks will be stopped for one second at midnight since the earth is slowing down.
So before you jump up and shout Happy New Year take a second for yourself. You've deserved it :).
Happy New Year folks!
Wednesday, December 31, 2008
Tuesday, December 9, 2008
Netstumbling WiFi APs
A couples of evenings ago at I had to drive through a nicely populated area just outside Brussels. I wanted to see for my self what my build-in WiFi could find. I used netstumbler to see what was in the air.
I've found 1228 WiFi connections of which were 349 wide open with no form of protection. I looked at netstumbler and it picked up more signals each time I approached the center of a town. It is probably correct to say that there are more chances to find concentrations of networks in towncenters but I have to tell you as well that you drive slower so the laptop had more time to pickup signals.
In the 1228 WiFi connections there were 8 peer-to-peer connections of only 1 had a form of protection. There were 2 hpsetup, this is usually an SSID for an HP printer. One other peer-to-peer was also a printer according to the SSID.
The majority of connections were either 11 Mbps or 54 Mbps. (The maximum my card does is 54 Mbps). The brands I encountered were 3Com, Apple, bbox2 (Belgacom), Belkin, D-link, Hercules, Philips, Linksys, Mobistar, Netgear, Sagem, Thomson, Sweex, Topcom, US Robotics, ZyXel, Nokia.
I've found 1228 WiFi connections of which were 349 wide open with no form of protection. I looked at netstumbler and it picked up more signals each time I approached the center of a town. It is probably correct to say that there are more chances to find concentrations of networks in towncenters but I have to tell you as well that you drive slower so the laptop had more time to pickup signals.
In the 1228 WiFi connections there were 8 peer-to-peer connections of only 1 had a form of protection. There were 2 hpsetup, this is usually an SSID for an HP printer. One other peer-to-peer was also a printer according to the SSID.
The majority of connections were either 11 Mbps or 54 Mbps. (The maximum my card does is 54 Mbps). The brands I encountered were 3Com, Apple, bbox2 (Belgacom), Belkin, D-link, Hercules, Philips, Linksys, Mobistar, Netgear, Sagem, Thomson, Sweex, Topcom, US Robotics, ZyXel, Nokia.
Wednesday, December 3, 2008
Lessons learned ... clustering SQL 2005 on a Windows 2008 (x64) cluster
Last couple of days have been verry stressful. I've just finished a clustered install of SQL2005 on a Win2008. I'll be talking in this post about the issues i had.
The first problem I had was getting to know Win2008. I know according to Microsoft that everything has improved but the challenge for us professionals is to keep up with the fact that some things don't have the same name or are completely on a different location. So I lost quite some valuable time on calling around asking a Windows system engineer with the questions "where can I find ..." and "How do I do ...". Yes, I felt like a complete idiot.
First I had to set up the MSDTC cluster resource, in Win2008 there is a wizard for that. I used it and it worked fine.
Then I had to add my clustered disks ... formatting took like eternity. No I 'm kidding but it took a while and was very impatient to go on.
Once all that was done I organised the cluster resources and started the SQL Server install. It went as planned. I ticked the box to tell it was a cluster install and continued on my quest.
The first error message I got was this one
It is actually the full-text search service that is down and it is simply solved by installing SQL 2005 SP2. After clicking ok I ran into a next error.
It is stupid but I needed to install Visual Studio 2005 SP1 (I only found x86) to solve this one. I think this happens because the SQL Server Managament Studio is written in 32-bit and I was working on x64. I know in Windows 2003 this is no issue but appearently on Windows 2008 it becomes one.
After fixing this I installed SQL 2005 SP2 and that has a problem on its own. I noticed that I was not able to make maintenance plans. I got these nice screenshots:
This is what happend: for some reason, don't ask me why it seems that the resource database had trouble to update in SP2. SP2 appearently changed some things ...
If you run in to this, you can verify the version of your resource databases with this query:
When I ran that query It answered me 9.00.1399 which is the RTM version (RTM is how it is shipped the first day your version is sold). Okay, that was usefull info but how to solve this was a mystery to me. I crused around on the information high way and found out that all it took wat to manually run the queries that are located in the "sysdbupg" script. This script can be found in "C:\Program Files\Microsoft SQL Server\MSSQL\Install". I ran it and got the maintenance plans back.
The last issue i had was an issue with database mail. Luckely for me there are nice people who blog and at Jean-Pierre Paradis' Blog I found what I was looking for. I got an activation failure.
I just copied Jean-Pierre's solution and it worked. I repeat it here if for some reason you would not be able to get to his blog.
First create the text file DataBaseMail90.exe.config in the \MSSQL\Binn folder of your SQL Instance (ex: \Program Files\Microsoft SQL Server\MSSQL.1\MSSQLSERVER\MSSQL\Binn). with the following content :
Next thing to do is to load this in SSMS:
Then I replaced this stored procedure:
with this one
Start the procedure with the follwing SQL command :
Finally that was the last issue I had. Thanks to everybody who helped me, like always in our business it is a matter of looking at a problem with as many as possible.
The first problem I had was getting to know Win2008. I know according to Microsoft that everything has improved but the challenge for us professionals is to keep up with the fact that some things don't have the same name or are completely on a different location. So I lost quite some valuable time on calling around asking a Windows system engineer with the questions "where can I find ..." and "How do I do ...". Yes, I felt like a complete idiot.
First I had to set up the MSDTC cluster resource, in Win2008 there is a wizard for that. I used it and it worked fine.
Then I had to add my clustered disks ... formatting took like eternity. No I 'm kidding but it took a while and was very impatient to go on.
Once all that was done I organised the cluster resources and started the SQL Server install. It went as planned. I ticked the box to tell it was a cluster install and continued on my quest.
The first error message I got was this one
It is actually the full-text search service that is down and it is simply solved by installing SQL 2005 SP2. After clicking ok I ran into a next error.
It is stupid but I needed to install Visual Studio 2005 SP1 (I only found x86) to solve this one. I think this happens because the SQL Server Managament Studio is written in 32-bit and I was working on x64. I know in Windows 2003 this is no issue but appearently on Windows 2008 it becomes one.
After fixing this I installed SQL 2005 SP2 and that has a problem on its own. I noticed that I was not able to make maintenance plans. I got these nice screenshots:
This is what happend: for some reason, don't ask me why it seems that the resource database had trouble to update in SP2. SP2 appearently changed some things ...
If you run in to this, you can verify the version of your resource databases with this query:
SELECT SERVERPROPERTY('ResourceVersion');
When I ran that query It answered me 9.00.1399 which is the RTM version (RTM is how it is shipped the first day your version is sold). Okay, that was usefull info but how to solve this was a mystery to me. I crused around on the information high way and found out that all it took wat to manually run the queries that are located in the "sysdbupg" script. This script can be found in "C:\Program Files\Microsoft SQL Server\
The last issue i had was an issue with database mail. Luckely for me there are nice people who blog and at Jean-Pierre Paradis' Blog I found what I was looking for. I got an activation failure.
I just copied Jean-Pierre's solution and it worked. I repeat it here if for some reason you would not be able to get to his blog.
First create the text file DataBaseMail90.exe.config in the \MSSQL\Binn folder of your SQL Instance (ex: \Program Files\Microsoft SQL Server\MSSQL.1\MSSQLSERVER\MSSQL\Binn). with the following content :
USE msdb;
GO
INSERT INTO [msdb].[dbo].[sysmail_configuration]
(
[paramname]
,[paramvalue]
,[description]
)
VALUES
(
N'ReadFromConfigurationFile'
,N'1'
,N'Send mail from mail server in configuration file'
);
GO
INSERT INTO [msdb].[dbo].[sysmail_configuration]
(
[paramname]
,[paramvalue]
,[description]
)
VALUES
(
N'ReadFromConfigurationFile'
,N'1'
,N'Send mail from mail server in configuration file'
);
Then I replaced this stored procedure:
USE [msdb]
GO
/****** Object: StoredProcedure [dbo].[sp_sysmail_activate] Script Date: 12/01/2008 15:41:40 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER OFF
GO
-- sp_sysmail_activate : Starts the DatabaseMail process if it isn't already running
--
ALTER PROCEDURE [dbo].[sp_sysmail_activate]
AS
BEGIN
DECLARE @mailDbName sysname
DECLARE @mailDbId INT
DECLARE @mailEngineLifeMin INT
DECLARE @loggingLevel nvarchar(256)
DECLARE @loggingLevelInt int
DECLARE @parameter_value nvarchar(256)
DECLARE @localmessage nvarchar(max)
DECLARE @rc INT
EXEC @rc = msdb.dbo.sysmail_help_configure_value_sp @parameter_name = N'DatabaseMailExeMinimumLifeTime',
@parameter_value = @parameter_value OUTPUT
IF(@rc <> 0)
RETURN (1)
--ConvertToInt will return the default if @parameter_value is null or config value can't be converted
--Setting max exe lifetime is 1 week (604800 secs). Can't see a reason for it to ever run longer that this
SET @mailEngineLifeMin = dbo.ConvertToInt(@parameter_value, 604800, 600)
--Try and get the optional logging level for the DatabaseMail process
EXEC msdb.dbo.sysmail_help_configure_value_sp @parameter_name = N'LoggingLevel',
@parameter_value = @loggingLevel OUTPUT
--Convert logging level into string value for passing into XP
SET @loggingLevelInt = dbo.ConvertToInt(@loggingLevel, 3, 2)
IF @loggingLevelInt = 1
SET @loggingLevel = 'Normal'
ELSE IF @loggingLevelInt = 3
SET @loggingLevel = 'Verbose'
ELSE -- default
SET @loggingLevel = 'Extended'
SET @mailDbName = DB_NAME()
SET @mailDbId = DB_ID()
EXEC @rc = master..xp_sysmail_activate @mailDbId, @mailDbName, @mailEngineLifeMin, @loggingLevel
IF(@rc <> 0)
BEGIN
SET @localmessage = FORMATMESSAGE(14637)
exec msdb.dbo.sysmail_logmailevent_sp @event_type=3, @description=@localmessage
END
ELSE
BEGIN
SET @localmessage = FORMATMESSAGE(14638)
exec msdb.dbo.sysmail_logmailevent_sp @event_type=0, @description=@localmessage
END
RETURN @rc
END
GO
/****** Object: StoredProcedure [dbo].[sp_sysmail_activate] Script Date: 12/01/2008 15:41:40 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER OFF
GO
-- sp_sysmail_activate : Starts the DatabaseMail process if it isn't already running
--
ALTER PROCEDURE [dbo].[sp_sysmail_activate]
AS
BEGIN
DECLARE @mailDbName sysname
DECLARE @mailDbId INT
DECLARE @mailEngineLifeMin INT
DECLARE @loggingLevel nvarchar(256)
DECLARE @loggingLevelInt int
DECLARE @parameter_value nvarchar(256)
DECLARE @localmessage nvarchar(max)
DECLARE @rc INT
EXEC @rc = msdb.dbo.sysmail_help_configure_value_sp @parameter_name = N'DatabaseMailExeMinimumLifeTime',
@parameter_value = @parameter_value OUTPUT
IF(@rc <> 0)
RETURN (1)
--ConvertToInt will return the default if @parameter_value is null or config value can't be converted
--Setting max exe lifetime is 1 week (604800 secs). Can't see a reason for it to ever run longer that this
SET @mailEngineLifeMin = dbo.ConvertToInt(@parameter_value, 604800, 600)
--Try and get the optional logging level for the DatabaseMail process
EXEC msdb.dbo.sysmail_help_configure_value_sp @parameter_name = N'LoggingLevel',
@parameter_value = @loggingLevel OUTPUT
--Convert logging level into string value for passing into XP
SET @loggingLevelInt = dbo.ConvertToInt(@loggingLevel, 3, 2)
IF @loggingLevelInt = 1
SET @loggingLevel = 'Normal'
ELSE IF @loggingLevelInt = 3
SET @loggingLevel = 'Verbose'
ELSE -- default
SET @loggingLevel = 'Extended'
SET @mailDbName = DB_NAME()
SET @mailDbId = DB_ID()
EXEC @rc = master..xp_sysmail_activate @mailDbId, @mailDbName, @mailEngineLifeMin, @loggingLevel
IF(@rc <> 0)
BEGIN
SET @localmessage = FORMATMESSAGE(14637)
exec msdb.dbo.sysmail_logmailevent_sp @event_type=3, @description=@localmessage
END
ELSE
BEGIN
SET @localmessage = FORMATMESSAGE(14638)
exec msdb.dbo.sysmail_logmailevent_sp @event_type=0, @description=@localmessage
END
RETURN @rc
END
with this one
USE [msdb]
GO
/****** Object: StoredProcedure [dbo].[sp_sysmail_activate] Script Date: 08/13/2008 11:59:49 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
-- sp_sysmail_activate : Starts the DatabaseMail process if it isn't already running
--
ALTER PROCEDURE [dbo].[sp_sysmail_activate]
AS
BEGIN
DECLARE @mailDbName sysname
DECLARE @mailDbId INT
DECLARE @mailEngineLifeMin INT
DECLARE @loggingLevel nvarchar(256)
DECLARE @loggingLevelInt int
DECLARE @parameter_value nvarchar(256)
DECLARE @localmessage nvarchar(max)
DECLARE @readFromConfigFile INT
DECLARE @rc INT
SET NOCOUNT ON
EXEC sp_executesql @statement = N'RECEIVE TOP(0) * FROM msdb.dbo.ExternalMailQueue'
EXEC @rc = msdb.dbo.sysmail_help_configure_value_sp @parameter_name = N'DatabaseMailExeMinimumLifeTime',
@parameter_value = @parameter_value OUTPUT
IF(@rc <> 0)
RETURN (1)
--ConvertToInt will return the default if @parameter_value is null or config value can't be converted
--Setting max exe lifetime is 1 week (604800 secs). Can't see a reason for it to ever run longer that this
SET @mailEngineLifeMin = dbo.ConvertToInt(@parameter_value, 604800, 600)
EXEC msdb.dbo.sysmail_help_configure_value_sp @parameter_name = N'ReadFromConfigurationFile',
@parameter_value = @parameter_value OUTPUT
--Try to read the optional read from configuration file:
SET @readFromConfigFile = dbo.ConvertToInt(@parameter_value, 1, 0)
--Try and get the optional logging level for the DatabaseMail process
EXEC msdb.dbo.sysmail_help_configure_value_sp @parameter_name = N'LoggingLevel',
@parameter_value = @loggingLevel OUTPUT
--Convert logging level into string value for passing into XP
SET @loggingLevelInt = dbo.ConvertToInt(@loggingLevel, 3, 2)
IF @loggingLevelInt = 1
SET @loggingLevel = 'Normal'
ELSE IF @loggingLevelInt = 3
SET @loggingLevel = 'Verbose'
ELSE -- default
SET @loggingLevel = 'Extended'
SET @mailDbName = DB_NAME()
SET @mailDbId = DB_ID()
EXEC @rc = master..xp_sysmail_activate @mailDbId, @mailDbName, @readFromConfigFile,
@mailEngineLifeMin, @loggingLevel
IF(@rc <> 0)
BEGIN
SET @localmessage = FORMATMESSAGE(14637)
exec msdb.dbo.sysmail_logmailevent_sp @event_type=3, @description=@localmessage
END
ELSE
BEGIN
SET @localmessage = FORMATMESSAGE(14638)
exec msdb.dbo.sysmail_logmailevent_sp @event_type=0, @description=@localmessage
END
RETURN @rc
END
Start the procedure with the follwing SQL command :
EXEC msdb.dbo.sysmail_start_sp;
Finally that was the last issue I had. Thanks to everybody who helped me, like always in our business it is a matter of looking at a problem with as many as possible.
Saturday, November 29, 2008
Mounting usb-drives with a NTFS lock on it.
Everybody has come across it, your in a hurry and unplug the usb drive before Windows releases the disk. This is how to solve it when you have a linux (or a bootable linux cd) machine.
First you make a directory on which you will mount the disk. For people new to linux this is just a simple directory to which you will attach the disk.
Open yourself a shell prompt and type the following:
mkdir ~/mydisk
This will make your directory in your home directory.
The type the following:
mount -t ntfs-3g /dev/sdg1 ~/mydisk -o force
This will mount the disk presented at the device /dev/sdg1 and attach it to the folder ~/mydisk. For people new to linux I recommend to do some further reading about devices.
My system answers me with :
$LogFile indicates unclean shutdown (0, 0)
WARNING: Forced mount, reset $LogFile.
And I find the disk mounted under ~/mydisk
First you make a directory on which you will mount the disk. For people new to linux this is just a simple directory to which you will attach the disk.
Open yourself a shell prompt and type the following:
mkdir ~/mydisk
This will make your directory in your home directory.
The type the following:
mount -t ntfs-3g /dev/sdg1 ~/mydisk -o force
This will mount the disk presented at the device /dev/sdg1 and attach it to the folder ~/mydisk. For people new to linux I recommend to do some further reading about devices.
My system answers me with :
$LogFile indicates unclean shutdown (0, 0)
WARNING: Forced mount, reset $LogFile.
And I find the disk mounted under ~/mydisk
FOSDEM 2009 and HAR2009
I want to tell you about 2 upcoming events: fosdem and HAR2009.
Fosdem is according to their website a free and non-commercial event organized by the community, for the community. Its goal is to provide Free and Open Source developers a place to meet. (http://www.fosdem.org/2009/). Fosdem will take place the 7th and 8th of February 2009 in Brussels. There are every year people comming from all over the world. One of the things I like is the open idea. If you want to talk to somebody and exchange ideas, you just walk up to that person and start a conversation. If you go back to the previous years you'll see that they managed to get some important speakers in the open source community.
HAR is totally something else. HAR's website is http://har2009.org/. It is an international technology & security conference. It will take place in August 2009 from the 13th till 16th near Vierhouten, NL. It is something like Rock Wechter but for people who are into technology and security.
I plan to go to fosdem to a couple of talks and I would like to go to HAR if it is possible.
Fosdem is according to their website a free and non-commercial event organized by the community, for the community. Its goal is to provide Free and Open Source developers a place to meet. (http://www.fosdem.org/2009/). Fosdem will take place the 7th and 8th of February 2009 in Brussels. There are every year people comming from all over the world. One of the things I like is the open idea. If you want to talk to somebody and exchange ideas, you just walk up to that person and start a conversation. If you go back to the previous years you'll see that they managed to get some important speakers in the open source community.
HAR is totally something else. HAR's website is http://har2009.org/. It is an international technology & security conference. It will take place in August 2009 from the 13th till 16th near Vierhouten, NL. It is something like Rock Wechter but for people who are into technology and security.
I plan to go to fosdem to a couple of talks and I would like to go to HAR if it is possible.
Enter at own risk ... don't go eat there!
This week when I went to a customer with my colleague and we went out for lunch. Since we were in the Matongé area (a part of Brussels where a lot of African people live) we went to an exotic restaurant.
The name of the place is KAZI Surprise and it is located at the Chaussée de Wavre 46 in 1050 Brussels. We asked what the day special was it was goat with saka-saka or tilapia (fish) with fried bananas. We ordered the fish.
The fish had an odd tasted, clearly it was not fresh. Everybody knows that all fresh fish has a taste that is distinguishable from the not so fresh one.
Luckely in the hours that followed the experience my colleague and me didn't get the signs of food poison (although our stomachs were making some noises). I spoke to a doctor that evening and he told me that you would see the effect of food poisoning within the 4 hours.
I filed a complaint at the Federal Agency for Food Safety.
So my dear blog readers, don't go out to eat there.
The name of the place is KAZI Surprise and it is located at the Chaussée de Wavre 46 in 1050 Brussels. We asked what the day special was it was goat with saka-saka or tilapia (fish) with fried bananas. We ordered the fish.
The fish had an odd tasted, clearly it was not fresh. Everybody knows that all fresh fish has a taste that is distinguishable from the not so fresh one.
Luckely in the hours that followed the experience my colleague and me didn't get the signs of food poison (although our stomachs were making some noises). I spoke to a doctor that evening and he told me that you would see the effect of food poisoning within the 4 hours.
I filed a complaint at the Federal Agency for Food Safety.
So my dear blog readers, don't go out to eat there.
Database mirroring on SQL 2005 SP2
Howdy folks,
This week I went together with a colleague to a customer where there were some troubles with the database mirroring on SQL 2005. It a high available mirror and the problem was it didn't work 100% of the time. Some times something like a split brain occurs. The database is recovering as well on the mirror as on the principal.
The thing we noticed was in the mirroring monitor that the server who had the principal role didn't have a successful connection to the witness server.
First thing we checked was the network. The situation goes as follows. The servers are in workgroup mode and there is a dedicated Gigabit connection between those server to sent the transactions to both servers. All servers were also defined in the host file so even when the DNS goes down it should work.
After crusing down the Internet I found a post in a forum of somebody with the same problem. The problem was solved for this guy by rebooting the system. So we restarted the SQL service of the witness server and it worked.
So that needed some further investigation. We created a new database, made it mirror and the same scenario ... no witness on the principal, only for that database. We restarted the SQL service on the witness and it worked :-)
Then we did the ultimate test, we stopped the endpoint on the server for which the server was mirror for the databases in production and principal for our test database. (So there was no impact for production). First time we tested it, everything went fine and the test database failed over (and we wrote a record in it). The second time we tried it, it failed and a split brain like situation occured. Okay, there was no problem to bring the test database online and since it is in sync mode no transaction could have been written to one side and not to the other.
The odd thing is that the production server had to be turned off that evening and the automatic fail over worked without any problems.
So some further investigations will be required. Currently we are thinking in the direction of cummulative updates. When we find it I'll make a post about it.
This week I went together with a colleague to a customer where there were some troubles with the database mirroring on SQL 2005. It a high available mirror and the problem was it didn't work 100% of the time. Some times something like a split brain occurs. The database is recovering as well on the mirror as on the principal.
The thing we noticed was in the mirroring monitor that the server who had the principal role didn't have a successful connection to the witness server.
First thing we checked was the network. The situation goes as follows. The servers are in workgroup mode and there is a dedicated Gigabit connection between those server to sent the transactions to both servers. All servers were also defined in the host file so even when the DNS goes down it should work.
After crusing down the Internet I found a post in a forum of somebody with the same problem. The problem was solved for this guy by rebooting the system. So we restarted the SQL service of the witness server and it worked.
So that needed some further investigation. We created a new database, made it mirror and the same scenario ... no witness on the principal, only for that database. We restarted the SQL service on the witness and it worked :-)
Then we did the ultimate test, we stopped the endpoint on the server for which the server was mirror for the databases in production and principal for our test database. (So there was no impact for production). First time we tested it, everything went fine and the test database failed over (and we wrote a record in it). The second time we tried it, it failed and a split brain like situation occured. Okay, there was no problem to bring the test database online and since it is in sync mode no transaction could have been written to one side and not to the other.
The odd thing is that the production server had to be turned off that evening and the automatic fail over worked without any problems.
So some further investigations will be required. Currently we are thinking in the direction of cummulative updates. When we find it I'll make a post about it.
Monday, November 24, 2008
Converting a disk from FAT32 to NTFS
Today I had to convert my external disk form FAT32 to NTFS. I was confronted with the problem that an ISO file was 9GB and FAT32 couldn't handle that.
Convert is a tool that is part of your Windows OS.
Here is the syntax to convert the disk:
>convert diskletter: /fs:NTFS [enter]
After starting the convert tool you'll have to enter the disk label and the conversion starts. First it checks the disk for errors and than the actual conversion starts.
Friday, October 31, 2008
A usefull trick used at our customers
Everybody in IT knows it CLI is your friend :)
A little trick used at our customers to get a CLI with sufficient rights is:
runas /user:username@domain /netonly cmd
This gives you your little box executed with the rights of that user in that domain.
A little trick used at our customers to get a CLI with sufficient rights is:
runas /user:username@domain /netonly cmd
This gives you your little box executed with the rights of that user in that domain.
Friday, October 24, 2008
OWASP
The 23th of October I went to a OWASP meeting. If you're thinking about going to one, don't hesitate it is worth your time.
The first talk was "Building a tool for Security consultants: A story of a customized source code scanner" by Dinis Cruz. Even when you are not immediately going to audit code, it is worth to go and listen to Dinis. Although I just program for me, I still like to do it secure and the ideas I picked up are surely going to help me doing so.
The second talk was "Logging: not just a good idea" by Eddy Vanlerberghe. I didn't know what to expect from this talk and it wasn't the greatest presentation ever but it was ok. The fact is that we have to think about our logs, the way we store them and do the exercise to correlate logs of different systems to present as proof in a court of law. It is not so easy since you have to prove that your logs are genuine before you can use them and then there is the correlation.
If you're intrested in OWASP presentations you can go to the website www.owasp.tv there you can find up to 40 hours of presentations.
Wednesday, October 22, 2008
Doing some research
Howdy,
It has been a while since my last post but i have been busy. I've found a SQL injection vulnerabilty in a product and I am researching it. It is quite a major problem when you inject it returns login, password, server.
I will post more details later but now I have to contact the vendor.
It has been a while since my last post but i have been busy. I've found a SQL injection vulnerabilty in a product and I am researching it. It is quite a major problem when you inject it returns login, password, server.
I will post more details later but now I have to contact the vendor.
Tuesday, September 9, 2008
2nd Tuesday of the month @ microsoft
Howdy,
It is the second Tuesday of the month so a new series of patches have been released. I'll guess I'll be testing this one tomorrow:
http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx
Since the rating is critical I'll guess we'll see some nice exploits for it.
It is the second Tuesday of the month so a new series of patches have been released. I'll guess I'll be testing this one tomorrow:
http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx
Since the rating is critical I'll guess we'll see some nice exploits for it.
An interesting phone call
Yesterday was an interesting day I had a teleconference with two gentlemen who gave me a rather interesting insight in the inner workings of a big ISP who is hosting the website of one of our customers that I'll be auditing in the near future.
These two man wanted to talk to me about what my colleague and I will be testing for our customer. Since my colleague is on holiday I answered what I'll be doing on the servers and for the network part I answered that I was not the person to speak to.
They have apparently an issue with the fact that we would login as administrator on to the network appliances to check the configuration. Since it is not my call to make we agreed that they would send us some print outs and it is up to my colleague to decide if it is possible to do audit work on this. I personally think it is not acceptable since we are an independent party and have to obtain the information by our selves.
There is a second problem with this. The ISP is prepared to send me, a stranger they have never met, information about their firewalls and such by e-mail. Yes, this is something that will be in the end report to our customer, it is my due dilligence.
Just to see how far they go in the management of our customers environment I asked if they kept logs for each time they tested the clustered loadbalancers. Apparently they only tested their cluster once before it was put into production. They monitor it and have a spare ready in case one goes down. I asked them if they didn't test it on regular basis to see if it functions correctly but this was not necessary according to them since it is monitored in case it goes down.
It is for me the same problem as the guy who makes his back ups but never does a test on regular basis to see if they are any good.
These two man wanted to talk to me about what my colleague and I will be testing for our customer. Since my colleague is on holiday I answered what I'll be doing on the servers and for the network part I answered that I was not the person to speak to.
They have apparently an issue with the fact that we would login as administrator on to the network appliances to check the configuration. Since it is not my call to make we agreed that they would send us some print outs and it is up to my colleague to decide if it is possible to do audit work on this. I personally think it is not acceptable since we are an independent party and have to obtain the information by our selves.
There is a second problem with this. The ISP is prepared to send me, a stranger they have never met, information about their firewalls and such by e-mail. Yes, this is something that will be in the end report to our customer, it is my due dilligence.
Just to see how far they go in the management of our customers environment I asked if they kept logs for each time they tested the clustered loadbalancers. Apparently they only tested their cluster once before it was put into production. They monitor it and have a spare ready in case one goes down. I asked them if they didn't test it on regular basis to see if it functions correctly but this was not necessary according to them since it is monitored in case it goes down.
It is for me the same problem as the guy who makes his back ups but never does a test on regular basis to see if they are any good.
Tuesday, August 26, 2008
It is a small world (no not the Disney kind)
Dolmen is a large company and today christophe vandeplas because we will be working on a project together. Check out his blog, it has some fine reading material on it :).
Interesting case - part 2
In my previous post I told you about the medical institute having problems. Yesterday their server has crashed again. One could wonder why some of us consider this a good thing, well a problem that repeats it self has a better chance to be solved than one that occurs only once.
I was out of office so my colleague got the dump file and the output was exactly the same. Then we compared the cause and the configuration (sorry to stay vague but I think it is bad practice to name customers and their configuration on my blog) and it seems that Windows has only 2 GB and everything else was dedicated to SQL.
It is fine to dedicate a whole lot of memory to your database server process but the OS has got to breath too.
One of the other problems is that they have only one server and every database in the institute is on it and they expect it to be high available. I proposed that they contacted their sales contact and he would come by with a specialized sales since databases that are high available and the rest is strictly useless.
I was out of office so my colleague got the dump file and the output was exactly the same. Then we compared the cause and the configuration (sorry to stay vague but I think it is bad practice to name customers and their configuration on my blog) and it seems that Windows has only 2 GB and everything else was dedicated to SQL.
It is fine to dedicate a whole lot of memory to your database server process but the OS has got to breath too.
One of the other problems is that they have only one server and every database in the institute is on it and they expect it to be high available. I proposed that they contacted their sales contact and he would come by with a specialized sales since databases that are high available and the rest is strictly useless.
Tuesday, August 19, 2008
Interesting case
Today I had to be in a medical instituate where there has been a server crash a week ago and now I had to look at the server.
The SQL server has produced a minidump so a post about the SQL minidump will be in the near future on this blog :).
There are a huge amount of errors, i'll have to analyse them and will write about something about them as well.
The third topic i'll have to do some research on is windows 2003 (64-bit) paging, since their crash there is a huge amount of paging.
The SQL server has produced a minidump so a post about the SQL minidump will be in the near future on this blog :).
There are a huge amount of errors, i'll have to analyse them and will write about something about them as well.
The third topic i'll have to do some research on is windows 2003 (64-bit) paging, since their crash there is a huge amount of paging.
Thursday, August 7, 2008
A night at an ISP
Recently I've spent the night at one of Belgium's bigger Internet service providers. The ISP had had some trouble with their databases last December and I had to implement database mirroring.
In the beginning of July I had created a test database for their IT people so they could play with it. And now, the time had come to implement it for all their databases as a test to adapt their programming and make it fail-over aware.
There were some specifics as the mirror had to be synchronous and encrypted and it had to be the same port on each server.
So here are my findings:
The mirror wizard doesn't use the full qualified network name for the principal server so at the end it proposes to start mirroring but it fails because you have to manually adapt the principal server.
The only thing that was a real problem was 1 database. For some reason it failed time after time and the error message was that it was unable to connect to the witness or mirror server.
The cause was one app that writes constantly in the database and since it took about 15 minutes to move the backup and restore it with no recovery on the witness it was not possible to create the mirror.
To work around this I made the full backup, restored it with no recovery and then I made the transactional backup. I had the permission to take the database offline once I made the transaction log backup had finished and restored it on the mirror . Once I had put the database back online the mirroring was no problem at all.
We ran some tests and everything went fine. The only thing my customer still has to do is create maintenance plans on the mirror (for some weird reason you can't mirror those) and alter his apps.
At the break of rush hour we all went home for some sleep :).
An update: 10 days later and something went wrong, for some reason one database went suspect on the principal.
In the beginning of July I had created a test database for their IT people so they could play with it. And now, the time had come to implement it for all their databases as a test to adapt their programming and make it fail-over aware.
There were some specifics as the mirror had to be synchronous and encrypted and it had to be the same port on each server.
So here are my findings:
- Use 2005 SP2, it figures but I prefer to mention it ;)
- You need the database to be in full recovery mode
- Watch out for the auto close option, it runs the fun
- You need a full backup and a transaction log backup
The mirror wizard doesn't use the full qualified network name for the principal server so at the end it proposes to start mirroring but it fails because you have to manually adapt the principal server.
The only thing that was a real problem was 1 database. For some reason it failed time after time and the error message was that it was unable to connect to the witness or mirror server.
The cause was one app that writes constantly in the database and since it took about 15 minutes to move the backup and restore it with no recovery on the witness it was not possible to create the mirror.
To work around this I made the full backup, restored it with no recovery and then I made the transactional backup. I had the permission to take the database offline once I made the transaction log backup had finished and restored it on the mirror . Once I had put the database back online the mirroring was no problem at all.
We ran some tests and everything went fine. The only thing my customer still has to do is create maintenance plans on the mirror (for some weird reason you can't mirror those) and alter his apps.
At the break of rush hour we all went home for some sleep :).
An update: 10 days later and something went wrong, for some reason one database went suspect on the principal.
Sunday, August 3, 2008
Disable 8.3 short-name generation
One of the things that is still a remainder of the past is the 8.3 short-name. You know it can be a pain to access somethings in program files. Well you can have solve this by editing the registry.
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
add the dword value NtfsDisable8dot3NameCreation and set the value to 1.
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
add the dword value NtfsDisable8dot3NameCreation and set the value to 1.
Disable updating last access update
If for some reason you don't need the NTFS file system to keep track of when a file was last accessed you can disable this with a registry key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
Add dword value NtfsDisableLastAccessUpdate and set the value to 1. This works when you have rebooted your system.
From a security standpoint it might be a bad idea to do this since it will make it impossible to tell you if someone did or did not access a file.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
Add dword value NtfsDisableLastAccessUpdate and set the value to 1. This works when you have rebooted your system.
From a security standpoint it might be a bad idea to do this since it will make it impossible to tell you if someone did or did not access a file.
Where is that procedure?
Last week after the power outage at the medical facility where I was doing a project I noticed that one phrase came back often "Where is that procedure?".
Apparently there were 2 problems, all procedures were word documents saved on a file server but the network was down and after the network was back it seemed quite a struggle to find the correct procedure.
In a previous job I organized a 24/7 IT-standby team to give support. I started out just like this customer but realized quite fast that managing a document library wasn't going to do the trick. I tried to identify what I wanted and what the problems were with the document library.
I wanted a system that was easy to maintain and where everybody of the IT team (15 people) could add the necessary info since gathering the information was dull and usually was the information nearly outdated when a document was "ready". One of the conserns was of course that the system should be accessible only to the IT department and that even when the network and servers in the server room failed the data was accessible.
The solution was simple, I took 1 ordinary desktop and putted a wamp server on it with a mediawiki. The wiki access was restricted and if the system went down, you just had to go and sit at that particular computer.
It was not the best system and it would probably have been better to use a wiki on a stick of a xampp since these can be used on a USB dongle but I wasn't aware of those solutions at the time.
The point is, that people should give thought to the documentation and not just ask documentation for the sake of have a document. Another thing is test that documentation because you can have a procedure and a company who does it for you but in the end you are responsable for your systems.
Apparently there were 2 problems, all procedures were word documents saved on a file server but the network was down and after the network was back it seemed quite a struggle to find the correct procedure.
In a previous job I organized a 24/7 IT-standby team to give support. I started out just like this customer but realized quite fast that managing a document library wasn't going to do the trick. I tried to identify what I wanted and what the problems were with the document library.
I wanted a system that was easy to maintain and where everybody of the IT team (15 people) could add the necessary info since gathering the information was dull and usually was the information nearly outdated when a document was "ready". One of the conserns was of course that the system should be accessible only to the IT department and that even when the network and servers in the server room failed the data was accessible.
The solution was simple, I took 1 ordinary desktop and putted a wamp server on it with a mediawiki. The wiki access was restricted and if the system went down, you just had to go and sit at that particular computer.
It was not the best system and it would probably have been better to use a wiki on a stick of a xampp since these can be used on a USB dongle but I wasn't aware of those solutions at the time.
The point is, that people should give thought to the documentation and not just ask documentation for the sake of have a document. Another thing is test that documentation because you can have a procedure and a company who does it for you but in the end you are responsable for your systems.
Business and procedures
Last week I was working in a public medical facilty and there was a power outage at 11:20 AM. This gave some interesting insights. There was no recovery plan so it was stressy for the IT departement of the hospital.
Some backup power system powered the computers but the network was down. The server room should have had 2 backup systems (the emergency room's and the hospital's) according to one of their IT guys but once the network was back I saw that all VM's were restarting and the ESX cluster had been down during the outage because the network connections were down.
They were lucky and lost no data but it is frightening that something like causes panic since it is quite obvious that these things will happen even in 2008 in Belgium.
I have written some technical procedures, like backup and restore, for their SQL Server but when it all comes down to it the basic needs are not fullfiled and I know by experience that this is the case in many companies.
May be some questions should be asked like What are business critical systems?" and do the proper risk management for each asset in the organisation.
Some backup power system powered the computers but the network was down. The server room should have had 2 backup systems (the emergency room's and the hospital's) according to one of their IT guys but once the network was back I saw that all VM's were restarting and the ESX cluster had been down during the outage because the network connections were down.
They were lucky and lost no data but it is frightening that something like causes panic since it is quite obvious that these things will happen even in 2008 in Belgium.
I have written some technical procedures, like backup and restore, for their SQL Server but when it all comes down to it the basic needs are not fullfiled and I know by experience that this is the case in many companies.
May be some questions should be asked like What are business critical systems?" and do the proper risk management for each asset in the organisation.
Historic data
One of the things I notice over and over again is that many applications clutter databases with historic data. It is actually no that hard for a programmer to make a maintenance plan as a part of his application.
Lets consider a real life situation. Most organizations have accountants and they generate quite some data year after year. Today were in 2008 and honestly, I still haven't figured out why the data of 2005 should be on the system. It is valuable to the organization and law demands to keep it but why keep it on a production system?
Lets consider a real life situation. Most organizations have accountants and they generate quite some data year after year. Today were in 2008 and honestly, I still haven't figured out why the data of 2005 should be on the system. It is valuable to the organization and law demands to keep it but why keep it on a production system?
Sunday, July 20, 2008
To consolidate something ... not the same thing in every language
My native tongue is Dutch and I am fluent in French too. Lately I noticed something funny. Some people make a quite odd translation to Dutch of the verb consolidate.
The first time I heard it I thought that I was mistaking but it was repeated a couple of times during the conversation. Just to be sure I looked on Wikipedia where it is explained as the act of merging many things into one. So in the context of virtualization this would make sense.
If we have a look at the explanation that the Dutch dictionary VanDale gives we see as result "bestendigen" which means to continue, to remain in force.
So as you can tell not quite the same thing. I did some more research and noticed that google translate makes the same mistake.
The first time I heard it I thought that I was mistaking but it was repeated a couple of times during the conversation. Just to be sure I looked on Wikipedia where it is explained as the act of merging many things into one. So in the context of virtualization this would make sense.
If we have a look at the explanation that the Dutch dictionary VanDale gives we see as result "bestendigen" which means to continue, to remain in force.
So as you can tell not quite the same thing. I did some more research and noticed that google translate makes the same mistake.
Saturday, July 12, 2008
cp- i and mv -i are not so interactive
I've build a DHCP-server today on a VM using Ubuntu 8.04 just to play around with. As part of the exercise is hardening the system I found some odd behaviour.
To protect me from my own mistakes I thought it would be nice to alias the commands rm, mv, and cp and each time ask for interaction. This is when I noticed that the commands mv -i and cp -i actually ignore the -i. I've tested it with --interactive but the same here. There is no problem for rm.
I've reported the bug at launchpad and it is now known as Bug 247973.
To protect me from my own mistakes I thought it would be nice to alias the commands rm, mv, and cp and each time ask for interaction. This is when I noticed that the commands mv -i and cp -i actually ignore the -i. I've tested it with --interactive but the same here. There is no problem for rm.
I've reported the bug at launchpad and it is now known as Bug 247973.
Friday, July 11, 2008
First post
Hello and let me welcome you to my blog. Here you'll find a little intro about me.
Who is Erik Vanderhasselt?
I am a Belgian IT guy, born in 1981 and my fascination with computers started really to take off when I got my first and broke it in 48 hours ... the good old days :).
What do I do and where?
Currently I work for a Belgian IT company called Dolmen Computer Applications where I work as a system engineer DBA on MS SQL. My job consists of either doing projects or solving problems at our customers.
What can you find on this blog?
I'd like to talk about pretty much anything that comes to mind. Mostly IT related I am into more things than just MS SQL as you'll find out. Other interests are martial arts, cooking and so much more.
Most people ask my 1 question and that is why I like open source work on Ubuntu machines and work with MS SQL server for a living. Let me answer that for you. I enjoy working with open source and a database is just a database. The basic idea is just the same on Oracle, MS SQL, MySQL ... you want to store data and how it is done is facinating on each platform. It just happens that this job opportunity presented itself when I was looking for a new job.
Who is my targeted public?
Well I know that there are hundreds of blogs out there specialised in some topic and this is something I want to avoid. So my public are people who are into technology and like to exchange ideas.
Who is Erik Vanderhasselt?
I am a Belgian IT guy, born in 1981 and my fascination with computers started really to take off when I got my first and broke it in 48 hours ... the good old days :).
What do I do and where?
Currently I work for a Belgian IT company called Dolmen Computer Applications where I work as a system engineer DBA on MS SQL. My job consists of either doing projects or solving problems at our customers.
What can you find on this blog?
I'd like to talk about pretty much anything that comes to mind. Mostly IT related I am into more things than just MS SQL as you'll find out. Other interests are martial arts, cooking and so much more.
Most people ask my 1 question and that is why I like open source work on Ubuntu machines and work with MS SQL server for a living. Let me answer that for you. I enjoy working with open source and a database is just a database. The basic idea is just the same on Oracle, MS SQL, MySQL ... you want to store data and how it is done is facinating on each platform. It just happens that this job opportunity presented itself when I was looking for a new job.
Who is my targeted public?
Well I know that there are hundreds of blogs out there specialised in some topic and this is something I want to avoid. So my public are people who are into technology and like to exchange ideas.
Subscribe to:
Posts (Atom)