Wednesday, November 7, 2007

Firefox 2.0.0.9 - Have they Tamed the Animal?

I have written a couple of times about Firefox 2.0+ issues mostly regarding memory usage and memory leaks. Recently Mozilla released 2.0.0.9 which is intended to primarily be a stability (not security this time) release. Well, I am pleased to say that after about a week of use, the memory leak problem seems to have been resolved.
Thank You Mozilla!

In addition, I have determined that one of the extensions I was using was a big memory hog. The extension was ANSWERS 2.2.27.
It would use nearly 100 MB of RAM upon Firefox startup. I expect that they were using some sort of memory-resident database of common words. Well, it was not worth the 100 MB to me, so goodbye, Answers 2.2.27.

Now without Answers and with the resolved Firefox memory leaks, I am happy to report that Firefox is back to the "lean mean browsing machine" that I once loved.

Monday, September 17, 2007

Microsoft Forces Stealth Updates Even without Automatic Updates On

Here is another one from the "Microsoft is smarter than you are" file.

Microsoft was recently exposed for pushing out updates to your computer even if you don't have Automatic Updates turned on. Their position is that they need to continue to update the Windows Update Service components in order to notify you of updates and "maintain the quality of the service".

This presents a huge trust issue for many, especially IT support personnel, myself included. The reasons that Microsoft has announced on this issue are somewhat valid, but still cause a trust issue. If they are doing this unilaterally with some components, what keeps them from updating other components that they choose to update at will? The fact that Microsoft tried to do this behind the scenes is quite alarming.

Partnering with BIG BROTHER

There are many that are totally outraged by this Microsoft trust issue. My take on it is that you knew what you were getting into when purchasing and choosing to run Microsoft products, so deal with it. If you don't trust Microsoft to write your OS and write patches for your OS, then go play with someone else's OS. Granted, there are not many choices that most corporate average desktop users can deal with, and with that, many IT support personnel are stuck with Microsoft desktops. If Microsoft screws this up and some compromised code gets pushed out to your desktops, yes, it will hurt and screw you up for a few days, but think about the pain you would endure to attempt to convert those desktop users to Ubuntu, or any other Unix-like environment. Ultimately, Microsoft would be at fault for leaving the back door open.

For more detail on the MS stealth updates:

http://blogs.technet.com/mu/archive/2007/09/13/how-windows-update-keeps-itself-up-to-date.aspx

http://windowssecrets.com/comp/070913/#story1

Wednesday, August 15, 2007

Does Qwest still do Cold-Potato Routing?

This is somewhat of a rhetorical question, but I do question it. Qwest has always (AFAIK) advertised and bragged about this feature with their DIA services.

First, some may be wondering, what the heck is Cold-Potato Routing? The best explanation may be that it is the opposite of Hot-Potato routing, in which an ISP hands off its packets to a peer or downstream ISP as soon as possible to get them off of its system. So, in Cold-Potato routing, the well-intentioned ISP holds onto the traffic and hauls it across a geographic region as far as possible before handing it over to the downstream provider. This provides the best end-to-end quality of service for the ISP's customers, assuming the ISP has the backbone to handle it.

The reason I question whether Qwest is still providing Cold-Potato routing is that if I trace routes from my Los Angeles based POP (Qwest provided) to my co-lo in Chicago, IL, the traffic gets handed off in Los Angeles to Level3.net. Level3 then hauls it across the country to its Chicago facility. Now, I know that Qwest has a big OC-192 backbone direct from their Burbank, CA TeraPOP to their Chicago, IL TeraPOP. So, what the heck? Can anyone shine some light on this issue?
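The traceroute comparison described above can be scripted so the handoff point is reported rather than eyeballed. The following is an added example, not code from the post: it parses a constructed traceroute (documentation IP ranges, made-up hostnames under the qwest.net and level3.net domains the post names) and reports the first hop where the path leaves the origin carrier for another known carrier. The city hint simply takes the leading letters of the first hostname label, which assumes the carrier uses airport-style city codes in its router names; that naming is an assumption, not something the post states.

```python
import re

# Constructed traceroute output shaped like the Los Angeles -> Chicago path in the post.
# Documentation IPs and invented hostnames; this is NOT a real capture.
SAMPLE_TRACEROUTE = """\
traceroute to colo.example.net (203.0.113.7), 30 hops max
 1  gw.office.example.net (192.0.2.1)  0.9 ms  0.8 ms  0.9 ms
 2  lax-edge-01.example.qwest.net (192.0.2.10)  3.1 ms  3.0 ms  3.2 ms
 3  lax-core-01.example.qwest.net (192.0.2.11)  4.2 ms  4.0 ms  4.1 ms
 4  lax-peer-01.example.level3.net (198.51.100.5)  5.3 ms  5.1 ms  5.2 ms
 5  * * *
 6  chi-core-01.example.level3.net (198.51.100.9)  58.7 ms  58.9 ms  58.6 ms
 7  colo.example.net (203.0.113.7)  59.4 ms  59.2 ms  59.3 ms
"""

# Hostname suffix -> carrier that operates the router. Extend as needed for your paths.
PROVIDERS = {"qwest.net": "Qwest", "level3.net": "Level3"}

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*")


def provider_of(hostname):
    """Map a router hostname to a carrier name using the suffix table, else None."""
    host = hostname.lower()
    for suffix, name in PROVIDERS.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def city_hint(hostname):
    """Heuristic (assumption): leading letters of the first label, e.g. 'lax' from 'lax-peer-01'."""
    m = re.match(r"[a-z]+", hostname.split(".")[0].lower())
    return m.group(0) if m else None


def parse_traceroute(text):
    """Return a list of (hop_number, hostname or None, provider or None); '* * *' hops keep None."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hop, host = int(m.group(1)), m.group(2)
            hops.append((hop, host, provider_of(host)))
            continue
        t = TIMEOUT_RE.match(line)
        if t:
            hops.append((int(t.group(1)), None, None))
    return hops


def find_handoff(hops, origin):
    """First hop where traffic leaves `origin`'s network for another known carrier.

    Returns (hop_number, hostname, new_provider), or None if the path never leaves `origin`.
    Unresolved hops (None provider) are skipped rather than treated as a handoff.
    """
    seen_origin = False
    for hop, host, prov in hops:
        if prov == origin:
            seen_origin = True
        elif seen_origin and prov is not None:
            return (hop, host, prov)
    return None


def summarize(text, origin):
    """Report where the origin carrier hands the traffic off, with a city hint for each end."""
    hops = parse_traceroute(text)
    origin_hops = [h for h in hops if h[2] == origin]
    handoff = find_handoff(hops, origin)
    return {
        "origin_entry_city": city_hint(origin_hops[0][1]) if origin_hops else None,
        "origin_exit_city": city_hint(origin_hops[-1][1]) if origin_hops else None,
        "handoff": handoff,
        "handoff_city": city_hint(handoff[1]) if handoff else None,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_TRACEROUTE, "Qwest"))
```

If the origin carrier really were doing cold-potato routing to Chicago, you would expect `origin_exit_city` to differ from `origin_entry_city`; in the constructed path above both are the same metro, which is the pattern the post complains about.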

Firefox memory leak revisited

I recently wrote about Firefox 2 becoming a pig, meaning that it consumes huge amounts of memory and slows down. This of course is a memory leak, as expected. During the course of researching the problem I have discovered a couple of things that are short-term workarounds.
  1. Restart Firefox every day. It consumes memory over time (NSS!), so by restarting it, the memory will be released.
  2. Uninstall any add-ons (extensions) that you don't use.
  3. Uninstall extra themes.
  4. Run Firefox in Safe Mode.
  5. Keep unused browser tabs closed.
I found this list of known problematic extensions that you should check out to make sure you are not running them:
http://kb.mozillazine.org/Problematic_extensions

There are claims that the extensions (especially the problematic ones) are causing the memory leaks. However, I only run about 4 lightweight extensions that I keep updated and only the default Firefox theme, and I still have the memory leak problem. In fact, today Firefox on my desktop is consuming over 163 MB after restarting it about 18 hours ago. Guess it's about time for another restart.

Come On Mozilla Foundation! Get this fixed or I fear that many will resort back to IE. Oh the guilt...

Thursday, August 9, 2007

Check Your Network Switch Speed Negotiation

In dealing with a recent bandwidth issue, we discovered that it was a speed negotiation issue between a Cisco 3845 router and a Cisco PIX Firewall. You would think that these two interfaces would do a better job of speed negotiation. There were no errors recorded on either side, but we experienced horrible throughput... like 500 kbps. The issue was resolved by setting both sides to AUTO and resetting the interfaces.

I have had many issues in the past with Cisco interfaces to other manufacturers' interfaces (Netgear and Linksys to name a couple). They don't auto-negotiate well, so I have learned to fix the Cisco interface to the max speed of the other side. But, in the case of Cisco to Cisco, it seems that AUTO is the best choice... at least in this case.

The moral of the story is that when troubleshooting bandwidth issues, always check your speed settings on interfaces... even when no errors are recorded.

Wednesday, July 25, 2007

Rotate Your Spare UPS Batteries

If you keep spare UPS batteries on the shelf, make sure you rotate them into your running UPS unit every month or so to keep them fresh and charged.
I am mostly speaking of data center level user-replaceable UPS batteries like an APC Symmetra or similar. Keeping spare batteries is a good idea for replacement of a failed battery and for extra runtime when the lights do go out. In the case of extra runtime being needed, you can keep extra batteries on the shelf and swap them in if your runtime gets low due to a power outage and you don't have a generator on standby. Just make sure you rotate them into the unit every month or so. The approximate shelf life of a Symmetra battery is 6 months. After that, they are considered dead or at least of reduced efficiency.

Another UPS battery tip is to date stamp the battery when you buy it. This will help control the shelf life as well as overall life as the life expectancy of one of these is usually about 2 years.

Friday, July 20, 2007

TrendMicro OfficeScan Upgrade

Kudos to Trend Micro for providing a very seamless upgrade from OfficeScan/ServerProtect 7.3 to 8.0. To my surprise, it was as simple as validating the new license key, downloading version 8, and installing it on our central TrendMicro AV server. Our AV server then seamlessly and quickly pushed out the client updates without user interruption. In addition, there are some nice features in the new version that we can take advantage of.

I was anticipating a nightmare of uninstalling clients and re-installing (similar to the nightmare Symantec caused us a couple of years ago... arrrggg, curse you Symantec!), but it was actually very pleasant.

Thanks to Trend Micro!

Monday, July 16, 2007

Beware of Black Market Network Hardware

Black Market Network Equipment? Oh yes, and something to watch out for.
It only recently came to my attention that this even existed. There is a growing problem of counterfeit, imitation, fake and the like of Cisco and other high-end network equipment. It was when recently shopping around for a couple of Cisco boxes that I was made aware of this problem through a couple of trusted used network hardware resellers.

There is an organization called UNEDA that has taken the lead on bringing attention to the problem using an alliance of more than 300 of the top used network equipment dealers worldwide. Check them out and be aware!

Wednesday, July 11, 2007

Working in IT Hazardous to your Health?

Most would say no, and for the most part, IT work is a pretty safe profession. But, what about the IT guy or girl that sits in one place with their hands on the keyboard most of the day? Or, the IT person that lifts servers or desktop computers often? Are you plagued with shoulder pain, headaches and backaches? Here are a few tips to keep your body pain free (or at least, less pain):
  • Keep your chair adjusted properly. In time most chairs will move out of adjustment through daily use. Check it on a regular basis.
  • Get up and Move! Walk to lunch, walk around the building or up a few flights of stairs during your break time.
  • Use a phone headset. If you spend a reasonable amount of time on the phone, get a headset instead of straining your shoulder and neck.
  • Use the buddy system for lifting and moving equipment. Don't try to be the hero by racking up equipment by yourself. You also run the risk of dropping a very expensive piece of equipment... that would not be good!
  • Don't strain your eyes. Adjust your monitors and wear the proper eye correction.
For me, I suffer from frequent neck strain and headaches when I don't pay attention to these details.

Take Care.

Tuesday, July 10, 2007

M$ Patch Tuesday Overview Report

SANS released a very useful "July 'Black Tuesday' overview" report. I don't know if they do this for every patch release Tuesday, but it is a nice report and I suggest you check it out at:
http://isc.sans.org/diary.html?storyid=3120&rss

They have columns for level of importance for Servers and Desktops (ISC rating) which is a nice feature. I like getting the second opinion from SANS!

Monday, July 9, 2007

Company eMail Privacy

Company email Privacy? Not so much.

When it comes to sending email from your employers company email address, there is no such thing as privacy. Company email users need to be reminded of this. It should start with an Acceptable Use Policy (AUP) that is signed upon employment and then employees need to be reminded of this through training or occasional memos.

Many people do not understand that any email communication via a company email account is company property. These messages are typically stored in a long-term archive and can be recalled by court order in a legal case. It could be a lawsuit with a client, a competitor, an employment matter, sexual harassment, etc. Any email that is even remotely related to the case can be presented as evidence. As a result, employees need to be trained to think about every email message that they compose.

These policies and this training often fall into the hands of your IT department... we get to be the bad guys... again! It's no wonder that they hate us.

Wednesday, June 27, 2007

Beware of Fake Microsoft Patch

The spam will have a subject of:
Microsoft Security Bulletin MS07-0065 - Critical Update

The body claims to have a patch for a zero day vulnerability, but contains malware.

For more detail, please see this SANS alert:
http://isc.sans.org/diary.html?storyid=3054&rss

A real, legitimate Microsoft Security Bulletin will be a PGP Signed text message.
Tuesday, June 26, 2007

Busy with SAS70

I have not kept up with this blog for the last week or so because I am very busy with SAS70 security auditors. If you want to know what this SAS70 thing is all about, drop me a comment. Now, back to the hot seat =)

Tuesday, June 19, 2007

Firefox 2.0 becoming a PIG ?

Recently Firefox 2.0 (I am on 2.0.0.4 to be exact) seems to either have a memory leak or is simply becoming a resource hog. It is currently using over 200 MB of memory with just three tabs open. Also, it seems that in time the auto complete features of both the address box and the search box use more and more CPU and become slower and slower. I get the old typing-one-character-at-a-time response in these boxes.

I mention the slower over time because I will leave Firefox open for days because I have network monitor tools running in a couple of tabs. If I restart Firefox it will start back up using about 36mb of memory with my initial two tabs open. Looks like a mem leak to me! I guess the short term fix is to restart Firefox daily.

Also, as a side note... I had used Fasterfox a few weeks ago, and with Fasterfox it seemed to chew up memory much faster and performance degraded within hours. So much for Fasterfox. I uninstalled Fasterfox to get back to original Firefox (Slowerfox ???) and now it is back to taking a couple of days to slow to a crawl.

Anyone have more info or a fix for this out there?

Monday, June 18, 2007

.hk TLD attack warning

I came into the office today and noticed a flood of email with subject lines like:

[name] sent you a [domain].hk! Greeting

Inside, the message invites you to view a greeting card within 30 days. The linked URL contains malicious code that attempts to exploit Internet Explorer vulnerabilities among other Windows vulnerabilities.

Email server administrators should take action immediately to filter and kill these messages.

See more here from SANS:
http://isc.sans.org/diary.html?storyid=2985
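Both this .hk greeting-card wave and the fake "MS07-0065" bulletin spam from the June 27 post can be caught by simple mail-gateway rules built from what the posts describe: real Microsoft bulletin identifiers use a three-digit sequence (MSyy-nnn), real bulletins arrive as PGP-signed text, and the greeting-card lure has a fixed subject template. The following is an added example written for this page, not code from the posts or from SANS. The sample subjects and bodies are constructed; the PGP check only looks for the clearsign markers, it does not validate the signature.

```python
import re

# Constructed sample subjects modelled on the two campaigns described in the posts.
SAMPLE_SUBJECTS = [
    "Microsoft Security Bulletin MS07-0065 - Critical Update",  # fake: four-digit sequence
    "Microsoft Security Bulletin MS07-034 - Critical",          # well-formed identifier
    "John sent you a example.hk! Greeting",                     # .hk greeting-card lure
    "Quarterly report attached",                                # benign
]

# Legitimate bulletin identifiers: MS + two-digit year + '-' + three-digit sequence.
VALID_BULLETIN = re.compile(r"MS\d{2}-\d{3}")
# Anything that *looks like* a bulletin identifier, whatever the digit count.
ANY_BULLETIN = re.compile(r"\bMS\d{2}-\d+\b")
# "[name] sent you a [domain].hk! Greeting" subject template from the post.
HK_GREETING = re.compile(r"sent you a \S+\.hk!\s*Greeting", re.IGNORECASE)

PGP_SIGNED_START = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIG_START = "-----BEGIN PGP SIGNATURE-----"


def classify_subject(subject):
    """Return the names of the subject-line rules that fire (empty list = clean)."""
    hits = []
    ids = ANY_BULLETIN.findall(subject)
    # An identifier like MS07-0065 matches ANY_BULLETIN but not the strict form.
    if ids and not all(VALID_BULLETIN.fullmatch(i) for i in ids):
        hits.append("malformed-ms-bulletin-id")
    if HK_GREETING.search(subject):
        hits.append("hk-greeting-card-lure")
    return hits


def has_pgp_signature_block(body):
    """Structural check only: are both clearsign markers present?

    Verifying the signature needs the publisher's public key and a PGP
    implementation; that step is outside this example.
    """
    return PGP_SIGNED_START in body and PGP_SIG_START in body


def triage(subject, body=""):
    """Combine subject rules with the 'bulletins are PGP-signed text' expectation."""
    hits = classify_subject(subject)
    if ANY_BULLETIN.search(subject) and not has_pgp_signature_block(body):
        hits.append("bulletin-without-pgp-signature")
    return hits


def scan(messages):
    """messages: iterable of (subject, body). Returns {subject: [rule names]} for hits only."""
    report = {}
    for subject, body in messages:
        hits = triage(subject, body)
        if hits:
            report[subject] = hits
    return report


if __name__ == "__main__":
    for subj, rules in scan((s, "") for s in SAMPLE_SUBJECTS).items():
        print(f"{subj!r}: {', '.join(rules)}")
```

A message that trips `bulletin-without-pgp-signature` alone is not necessarily malicious (a colleague forwarding a bulletin, for instance), so treat that rule as a quarantine-for-review signal and the other two as block rules.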

Tuesday, June 12, 2007

APC MX5000 Battery Acid

In the past, we have had several battery acid spills from the old APC Matrix 5000 Smartcell XR battery units. These units essentially use automotive type batteries in the XR cabinet that are sealed and set on their side. If one of these batteries fails, they often overheat and will leak acid from the sealed caps. In fact, we have had a couple that blew the caps out and created a serious spill.

The best way to prevent a serious acid spill is to check these units at least once per day for excess heat. A quick check can be done by simply running your hand over the front of each unit to detect any rise in temperature. The temperature rise is quite obvious compared to the "normal" room temp. It is important to disconnect an overheating battery as soon as possible to prevent an acid spill. The bad battery LED indicator on the front of these units is pretty much useless, as it does not detect most of the battery problems, so don't rely on it.

If you detect heat, do the following:
  1. Unplug the input and output cables from the back of the unit to take it off line from the main electronics, thereby removing the load.
  2. Do not open the front cover until the unit temperature returns to room temp.
  3. Replace all 4 batteries - Replacement battery set - APC Part# RBC14 which costs around $500.
If one of your battery units has started leaking, do the same procedure, except make sure that you use eye and hand protection when removing the old batteries.

If you open the front cover of a unit with a suspected bad battery, you can identify which of the four batteries is bad by its bulging sides and/or leakage from the caps on the connector side.

So if you detect a battery acid smell in your data center, check those old XR battery units!

Monday, June 11, 2007

Vista Trials - Legacy Hardware

I set out to see what Vista would do if attempted to install on an old(er) generic "white box" machine. You might say Why? it's just going to fail. Yes, I expect it to fail but how would it fail and how well (or bad) would Vista handle it?

Time to hit the computer lab.

So I took an older machine (see specs below) to the computer lab, slapped a DVD drive in it and booted the Vista DVD. To make a long story short, it actually installed but failed to start up. The most amusing thing was that there was the old Blue Screen Of Death during startup that flashed over the screen so fast that I could not read it, but it was certainly there. So much for Vista doing away with the old BSOD!
End of short story...

The BSOD caused it to crash and force a reboot; then upon booting from the DVD again I was presented with the "Vista failed to start, what do you want to do" screen with the repair installation option. I tried the repair and of course was presented with the same BSOD reboot "feature".
Next I removed all PCI cards and replaced the AGP graphics card with another and tried again. The net result was that I tried a number of formats and re-installs with an empty PCI bus, three different graphics cards and replacement RAM, and had the same result every time. This leads me to believe that it simply did not like something on the motherboard. My bet would be the chipset, but who knows?

Machine specs:
Motherboard: ABIT-TH7
Processor: Intel P4 1.7 GHz
RAM: 2 x 512 MB RAMBUS (also tried a 2 x 256 MB set)
HDD: IBM 60 GB IDE
DVDROM: Sony
Graphic: Nvidia AGP, ATI AGP, S7 chip PCI

Moral of the story... don't waste your time with Vista on old retired hardware.

If someone has had success with Vista on legacy hardware, I'd like to hear your story here.

Thursday, June 7, 2007

Killer Command Line Tips Part 1

I am going to throw out a series of my favorite Windows Command Line shortcuts and tips.
Part 1 - Navigating directories.

One of the most clumsy aspects of using the Windows command line is traversing the file system directories. Here are a few tips to save some keystrokes and time.

1) Use directory name masking. Did you know that you can use * as a mask in the CD command?
Example: cd \brainstrain
This can be shortened to cd \br*
The typed out portion must be unique or it will change to the first directory name that matches the mask.

2) When you CD to a long directory name with spaces in it where you would quote the name like "program files" you can leave out the last quote.
Example: cd "\program files"
can be shortened to cd "\program files
and... using tip 1 and 2, you can do this
cd "\prog*

3) You can drag and drop a folder from Explorer into a CMD window. Windows will paste in the full directory path including quotes. Once the path is in the CMD window, change focus to the CMD window, hit HOME to get to the beginning of the cmd line, then type cd /d (with insert on), then hit enter.
Note: the /d option of the cd command is only required if you included the drive letter in the path AND the drive is different than the current drive.

4) Use the "Open Command Window Here" power toy found here:
http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

This is the XP version that also works in Windows 2000 (afaik). With this power toy, you simply right click on a folder name in Explorer, then click Open Command Window Here. A new CMD window will be opened with the folder being the current directory.

5) Use environment variables. The following changes to the temp directory:
cd %temp%
or, change to the user profile directory:
cd %userprofile%


Note - Don't use the masking methods in batch files because as directories are added or changed, the mask may not change to the directory name you would expect. Always spell everything out in full in batch files.

These methods work in Windows 2000 and later operating systems (however... not tested with Vista).

Enjoy!

Look for more Killer Command Line Tips in the near future.

Monday, June 4, 2007

IIS 5.0 authentication bypass exploit

A recently discovered (Dec 2006) IIS 5.0 exploit raises the bar for you to secure your web servers.

Actually, the most interesting aspect to this issue is that Microsoft has not released a patch to correct the exploit, but instead is showing the world how the exploit works and using it as a scare tactic to get you to upgrade to IIS6 (Windows 2003 server). Check this out:
http://support.microsoft.com/kb/328832

IMHO, this is yet another shameless cheap shot by Microsoft to push you into an upgrade. They actually show you how to use the exploit but offer no solution except to strongly recommend upgrading.

The cheap fix for those running IIS5 is to use URLSCAN and make sure you are blocking the .htw extension.
.htw is the webhits extension which is not widely used so unless you have a specific need for it, block it by running the IIS LockDown Tool and make sure you enable URLScan during install. I believe that .htw is blocked in most template installs but you should check the urlscan.ini after install to make sure.

For more info on the exploit, see the SANS alert here:
http://isc.sans.org/diary.html?storyid=2915&rss
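The post's advice to "check the urlscan.ini after install" can be turned into a repeatable audit. The following is an added example for this page, not code from the post or from Microsoft's URLScan: it parses a constructed urlscan.ini fragment (the real file is an INI with one extension per line under [AllowExtensions] and [DenyExtensions], and an Options entry UseAllowExtensions that selects which list is enforced) and reports whether a request for .htw would still get through. The sample configuration text is constructed for the example; the section and option names are URLScan's own, but the values shown are not from any real install.

```python
import configparser

# Constructed urlscan.ini fragment in the real file's layout (values are made up).
SAMPLE_URLSCAN_INI = """
; URLScan configuration - constructed sample, not a real install
[Options]
UseAllowExtensions=0
NormalizeUrlBeforeScan=1

[AllowExtensions]
.htm
.html
.asp

[DenyExtensions]
.exe
.bat
.htw
.ida
"""


def parse_urlscan(text):
    """Parse urlscan.ini text. Extension lists are bare lines, so allow_no_value is required."""
    cp = configparser.ConfigParser(
        allow_no_value=True,      # ".htw" lines have no '=value'
        delimiters=("=",),        # only '=' separates options in this file
        interpolation=None,       # never treat '%' specially in a config we are auditing
        strict=False,             # tolerate an extension listed twice
    )
    cp.read_string(text)
    return cp


def listed_extensions(cp, section):
    """Set of lower-cased extensions in a section, empty if the section is absent."""
    return set(cp[section].keys()) if cp.has_section(section) else set()


def extension_blocked(cp, ext):
    """Would URLScan reject a request for a file with this extension?

    UseAllowExtensions=1 -> only [AllowExtensions] entries pass (allow-list mode).
    UseAllowExtensions=0 -> only [DenyExtensions] entries are rejected (deny-list mode).
    """
    ext = ext.lower()
    use_allow = cp.get("Options", "UseAllowExtensions", fallback="0").strip() == "1"
    if use_allow:
        return ext not in listed_extensions(cp, "AllowExtensions")
    return ext in listed_extensions(cp, "DenyExtensions")


def audit(cp, must_block=(".htw",)):
    """Return the extensions from `must_block` that this configuration would still serve."""
    return [e for e in must_block if not extension_blocked(cp, e)]


if __name__ == "__main__":
    cfg = parse_urlscan(SAMPLE_URLSCAN_INI)
    gaps = audit(cfg)
    print("OK: .htw is blocked" if not gaps else f"WARNING: not blocked: {gaps}")
```

Run `audit()` against the urlscan.ini actually deployed on each IIS 5 host; an empty result means the Webhits extension the post is concerned about would be rejected before reaching the ISAPI filter. Allow-list mode (UseAllowExtensions=1) is the stronger posture because anything not explicitly listed, .htw included, is refused.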

Friday, June 1, 2007

Knowledge Base Alertz Notification

For those of you that need to keep up on Microsoft bug fixes (read security issues!) the task can be a real pain in your backside... to say the least.

To help ease the pain there is a service by Scott Cate at www.kbalertz.com
This free service will send you daily email alerts when a new KB article is posted for each KB area that you select.
Check it out, and Thank You Scott for creating this service!

YouTube Virgin

YouTube Virgin no more.

Just published my first YouTube video and I must say that I am somewhat hooked.
Found a great tutorial for making great looking YouTube videos here:
http://www.squidoo.com/youtuberight

The process was of course time consuming but these days, even the free tools do a good job, even for a media dummy like me as I have always been more of a data guy. One thing that I didn't realize is that Microsoft actually has a nice free encoder that did a nice job. Windows Media Encoder WME:
http://www.microsoft.com/windows/windowsmedia/forpros/encoder/default.mspx

Check out my first video here:
http://www.youtube.com/watch?v=0cIVsi0iYi8

Thursday, May 31, 2007

FBL Hell

If you are in the business of parsing and processing email Feed Back Loop (FBL) messages, you may want to read this about the AOL proposed standardized format.
http://postmaster-us.info.aol.com/fbl/arfinfo.html

I guess this is good news in the way that hopefully a standard will emerge, but I'm not sure that AOL's proposal is best. My main problem with it is that they intend to redact the email address. That just further complicates the process of flagging the account in your database (time to re-examine the X-Header drawing board). I mean, they are ONLY sending these FBL messages back to a whitelisted sender, so what is the paranoia about an email address or screen name getting hijacked?

Wednesday, May 30, 2007

Buy your new Dell at Wal-Mart ?

A recent announcement that Dell will be selling its consumer-based PC products through Wal-Mart is an interesting move... and IMHO, very risky. How can they maintain that they are high-end and at the same time sell through the low-end retailer?

Dean to Dell... are you sure about this?

What's next? Will I be buying a Dell PowerEdge at Home Depot or Lowes? And would I go to the "Information Desk" for support?

Some would argue that Dell is already low-end and they belong in Wal-Mart.

What do you think?

Friday, May 25, 2007

Tip - Terminal Service session reconnect problem

TS Server Admins -

If your users have problems in reconnecting to a Terminal Service session after a connection drop or intentional disconnect, try the following support article:
http://support.microsoft.com/kb/216783/en-us

What this does is add a value to the registry that changes the KeepAlive behavior. It stops the keep-alive function after 1 minute so that the session will transition into a disconnected state. Once in the disconnected state, the session can be reconnected by the user. Without this value, the session may remain in an active state (depending on how the disconnect occurred) and therefore the user cannot reconnect to it. Instead, the user may get a new session.

Wednesday, May 23, 2007

Blank Password more Secure than Weak Password

This is a new one on me, but according to Microsoft, on Windows XP (and I assume Vista) the use of a blank password on a user account is more secure than the use of a weak password... like "1234" or "aabb". Why? Because if a user account is created without a password, then that account cannot be accessed remotely. I have not tested this, but I have to assume that they set a local security policy that blocks remote access if the account does not have a password.

Sounds like it's time for a lab test on this one.

Tuesday, May 22, 2007

TrendMicro OfficeScan Attack

Arrived at my office desktop this morning to find that TrendMicro OfficeScan has decided that my Radmin Viewer software is malware and has quarantined it. Fortunately, it was the older version 2.2 viewer that I don't use anymore, so no real harm done... to me. Now we will see how many help desk calls we get from those that were using the old version... thanks for a bad day, TrendMicro! Come on Trend... this is a commercially sold product that has not been widely abused. At least give me a warning about this before sending it to the dungeon. This is one reason (of many) that we decided to walk away from Symantec CE version 10.

Monday, May 21, 2007

Take a Walk - In your Data Center

Every Data Center manager should assign an on-site staff member to walk the data center daily to check for problems. This IT guy should be checking for things like:
  • Those pesky flashing amber lights on RAID subsystems and in host machines
  • The environment - high temp, hot spots, humidity
  • Audible alarms
  • UPS systems - move your hand over battery units to sense heat that may indicate a failing or overheating battery
  • Listen for noisy fans or hard drives that may indicate an impending failure
This proactive approach to Data Center management can help to head off disaster.

Linksys Router Firmware Upgrade - Determine Version

For my first Tech Tip I thought I would help demystify the old Linksys router version problem. The trouble is that you must know the correct version number of your router in order to download and install the correct firmware upgrade. For the most part, there is no issue... just look at the serial number / model number sticker usually found on the bottom of the box (sometimes the side) and the version will be listed after the model number. For example "Model No WRT54G v2.2".

But what if the version is not listed? In that case it is simply v1.0 even though it is not listed (and most of the version 1.0 units are not).

What about just installing the later version firmware even though it is not for my v1.0 router... Don't do it. You will most likely turn it into a paper weight... and not a very good one at that. I know because I have done it.

Hope this helps someone out there!

Pop of the Starter's Gun

The race has begun. Blogging is a new venture for me, one that I hope to be able to keep up with. I am one of a somewhat reticent nature, so this will challenge me.

Preamble

My goal here is to make a daily post of "tales from the IT world"... sometimes the dark side of IT, sometimes a helpful tip, sometimes a rant or rage about something (look out Micro$oft). Since I spend about 50 hours of every week in the IT trenches, there must be something to post on a regular basis... right?

I'll keep you posted !