The Bit Bucket

This blog has moved

noreply@blogger.com (Gary Williams) — Thu, 11 Mar 2010 11:04:00 +0000

This blog is now located at http://gdwnet.blogspot.com/.
You will be automatically redirected in 30 seconds, or you may click here.

For feed subscribers, please update your feed subscriptions to
http://gdwnet.blogspot.com/feeds/posts/default.

Catching up

noreply@blogger.com (Gary Williams) — Mon, 01 Feb 2010 13:01:00 +0000

I've been a bit remiss in not updating my blog for several months. A few combinations of a sudden urgent project, the wife having knee surgery and a flood at home all conspired to steal a lot of my time and then, of course, the inevitable run up to Christmas with all the fun and games of Christmas shopping in the snow.

I have been thinking about what to do with the blog, should I continue it? should I change it or should I just close it? I'm not playing with enough new technology to bring anything wonderful and astounding to the site and my time is ever more limited but I'd like to keep the blog going with a few war stories and other things.

Thoughts?

Upcoming Week

noreply@blogger.com (Gary Williams) — Mon, 28 Sep 2009 07:10:00 +0000

I already know it's going to be one of "those" weeks, but then I guess it always is, there is always something that turns a nice quiet, productive week into a nightmare. This week hasn't even started properly yet and it already has the feel of problems.

Put simply, this week is going to be all about shuffling data from one location to another, the sheer joys of being taken over and having to comply with another companies standards. It doesn't help that our permissions are a total disgrace. If you think of the standard rules of users into groups and assign the groups permissions.. well, we haven't done that. we don't even come close so permissions changes are proving to be a stumbling block.

We also have a subsidiary company that has been bought out by another company. Data transfer to the new location is proving to be another interesting experience, I cannot, for the life of me, understand why people cannot get organised and actually work out before hand what it is they need and so this is leading to a lot of last minute requests... situation normal I suppose.

Add this to the fact that Netapp have discovered another bug in their firmware this time and this bug is a good one. It seems that only on the 3070 cluster the bug will result in a reboot of the filer leading to a panic. Nice. I had this happen to one of the filers in Cambridge and now it seems that the only way to fix it is by being onsite with a laptop and a serial cable....

More updates coming soon and I'm thinking of changing this blog into more of a war stories blog with the occasional bit of technical information rather than leaving it a few months between updates.

TaskCoach

noreply@blogger.com (Gary Williams) — Tue, 07 Jul 2009 11:01:00 +0000

There are a lot of little tools out there which can allegedly help you get more organised, better with time management, etc, etc. Personally I find most of the tools are more awkward to use and so consume time that is better spent on actually do the stuff that needs doing.

However, I did find TaskCoach which is a simple enough .exe file that I can around on USB stick, any task that needs doing I stick into there. It's possible to organise by category and to set deadlines on. It's short of a few features I would like, for example, no software seems to get the idea of chained-tasks, that is where one task has to be completed before another starts so as soon as you flag the first task as complete the second appears.
TaskCoach does have quite a powerful category system for organising items into different groupings and I'm using this to organise work tasks by week number. This is a very useful way of seeing what I've got on for the week and what can be deferred to a later week.

All in all it's a lovely little tool. Now, all I need is a checklist tool.....

Why change control can be a Bad Idea

noreply@blogger.com (Gary Williams) — Sun, 05 Jul 2009 20:28:00 +0000

I'm sure that many people have had to endure the torture that is a change control process. In short, change control is a process whereby changes to a system have to be approved by a change control panel.
Generally, the panel is a group of people who probably don't know about the system and/or don't much care about it so you have to be quite vocal in why and change might be needed.
The actual ideal behind change control is to moderate changes to a system in such a way that should a system fail or have problems it should be possible to use the change control tool to work out what recent changes had been applied and undo those changes or research/test to see if those changes could be the root cause the issue. Sounds ideal doesn't it? In reality it never works that way.

In the long run a change control tool can actually do more damage that it's designed to prevent. How come?

Let's say that you have a website which has a fairly minor bug. Let's say that you know that the change control process will take two weeks to follow it's winding path and that you will need to invest about four hours to write and represent what is, at best, a 20 minute change.

What do you do?

Do you spend the time and fix the bug or do you forget about it and press on with the several hundred other things that's on your list?

Let's say you pick the second option (and I don't blame you if you do because I've done that) and several months later that small issue could explode to be a big issue.

And that's why change control systems need to be as flexible as possible otherwise what appear to be minor changes will be quietly shelved and in the long run that can lead to a major incident.

I'll provide some suitably altered real world examples in a future article.

Marriage!

noreply@blogger.com (Gary Williams) — Sat, 04 Jul 2009 11:01:00 +0000

It's certainly been a busy previous six months. Not only the company take over but I got married last week.

The amount of work required for a wedding reminds me of one of those projects with an unmissible deadline except in this case the deadline really is unmissible!! Once a date is set, that's it. Full steam ahead until the big day and wow, what a day. For me, the big day was June 29th and it was too hot. Mind you, we had some lovely photos taken down by the river and then off for the honeymoon in Paris.

Now that I'm back at home things feel like they are calming down but I'm sure the next major piece of work isn't far away.... why do I have the feeling that my wife wants to have most of the rooms redecorated......!

Anyway, here is to you Krys.

Software is not a panacea - Part 2

noreply@blogger.com (Gary Williams) — Wed, 10 Jun 2009 11:01:00 +0000

In the previous article I raised the fictional scenario of a company wanting to automate a timesheet submission process. In this article I'd like to touch on some of the project processes that would be used by the majority of companies.

Generally, most companies will start off with the sensible process of evaluating existing software packages, looking at what's out there and maybe even seeing what other companies use. After a period of time a sensible company will come to the conclusion that there is no one piece of software that fits their requirements and so their requirements must change as well as some processes. This is a key point as every company likes to think that they are unique and so around that uniqueness certain process have appeared so when it comes to upgrade or computerise those processes they are reluctant to change them.

However, back here in the real world most companies will do one of three things, they will

Abandon the idea
Buy the commercial package closet to their requirements and get it customised
Hire a developer to write a bespoke piece of software

Of the above three options the first is the best and safest but at this point many companies make another fundamental mistake. They never document the issues found or the reason for the project to be abandoned. This means that often someone else will reopen the project 6 to 12 months later, reinvestigate options and then select option 2 or 3.

Option 2 is an interesting one, surely there can't be much wrong with making some customisations could there?
Well, it depends. If the software is designed to allow those customisations then go ahead. However, may companies will want to alter certain business logic (e.g. maybe three people would have to approve a timesheet and the system, by design, only allows a maximum of two.
Quite often a company will purchase development skills and get the codebase changed to support what they require. This causes a problem when upgrades are required or if a security hole is discovered as often the customised verison will break when patches for the mainline system are applied if it's even possible to apply them at all.
Now the company ends up in a situation where they like and want the features in the next version but are tied to an old version due to the customisations, often they will have to face the choice of staying with the customised version, migrating to the new version or paying out to get the customisations in the new version.

Option 3 opens up all sorts of interesting possibilities for problems and complications to occur but I'll save that one for another blog

Software is not a panacea - Part 1

noreply@blogger.com (Gary Williams) — Tue, 24 Mar 2009 12:01:00 +0000

There have been many times where I've come across situations where people have this mistaken belief that software will fix all their ills. Surely, anyone with a few years experience know that software is merely a tool designed to fix a problem the way the programmer/designer intended it to be fixed and not the way that you expect it to be fixed.

There is often a huge disparity in the way a company wants a problem to be fixed compared to the way the software actually fixes it and this leaves the company with three options, namely:
a. Change the processes to fit the software.
or
b. Change the software to fit the process.
or
c. Write their own software.

Let's take the classical scenario of a time recording and billing application. Let's say that company X records time on paper sheets which then get passed to finance to generate the bills and send out to the clients. Let's say that the company bills on 15 minute intervals based on a client code.

Obviously, the above scenario is crying out for some sort of automation, the amount of time and money that can be saved with an online tool means it's worth investing in the hardware and IT departments time to get such a system installed.

In the next article I'll take a closer look at the process many companies follow for such a project.

Gameforge supports theft

noreply@blogger.com (Gary Williams) — Thu, 26 Feb 2009 12:01:00 +0000

Up until a few days ago I played ogame. This is a browser based online game where thousounds of people interact to steal and trade resources. It was the sort of game that you could spend 10-20 minutes on throughout the course of a day and provided a welcome respite from work.
My finacee also played it for similar reasons. She played for almost a year and I did for 2 and a half years.

That is, until the other day. Because I was helping out my financee (which is within the rules) and because she was on the same IP address (also within the rules) when the resources arrived (against the rules) we both got banned until 2036. Now, I'm not disputing the ban. We both violated one small part of the terms and conditions. The penalities for that are a permanent ban which seems a little draconian but that's how it is.

So, Ban in place I decided to ask for my money back as I've got 8 months left to run on the account only to be told to go away.

So, bewary of online games especially of places like gameforge who will happily take your money and then ban you for an infraction.

This to me is theft - a bought for service is not being provided, they won't transfer the subscription to another account and they won't refund me.

So, thanks to Gameforge I'll not be trusting any MMO ever again.

Company Takeover

noreply@blogger.com (Gary Williams) — Sat, 14 Feb 2009 12:02:00 +0000

The company where I work has just been taken over by a much larger organisation. I'm not going to say where I work for now as enough has been plastered over the technical press but I'll have a few things to say on the matter much later on.

It's an interesting time for both good and bad reasons. Obviously the economic problems have hit both companies hard so the usual bans on travel and overtime have come into force. This presents a problem for us IT Department types who have been given a lot of work to do around the integration and are going to have to take time off in lieu for it. At the end of the year I think they will have many staff out as they will have leave that they will have to take. Hell, they will probably buy it off us!!

The current plan is to re-ip all the devices as the company that has taken us over use the same IP range as we do and this is right on the back of recently relocating them all to new data centres do yet more out of hours work and then fixing things that break.

The Chinese have a curse "May you live in interesting times" and for the next few months those times sure will be interesting....

Busy Project Time (2).........

noreply@blogger.com (Gary Williams) — Thu, 15 Jan 2009 12:01:00 +0000

So, It's January 2009 and not much has changed, it's still busy project time. Unsurprisingly the server migration which absolutely, totally HAD to be completed by the end of December 2008 wasn't. How the project manager expected 79 servers and a lot of filer data to be moved in less than three months was beyond me but as with so many projects here the project managers are under the thumb from higher ups to deliver so often the way they do this is to pass on only good news to the higher ups whilst pressurising the staff to do the job no matter the cost...

Still, as the company is being taken over there is hope that this will change. Time will tell. With a little luck I'll be back blogging my normal nonsense very soon.

Busy Project Time.........

noreply@blogger.com (Gary Williams) — Fri, 17 Oct 2008 11:01:00 +0000

Just when you think it's all going to be quiet and maybe it will be a good time to get those niggling little tasks out of the way and to be able to sit down and write some decent blog articles someone comes up with the idea of decommissioning a server room to save on power. So now I'm involved in a project that requires the relocation of about 4TB of data to another filer, including updating and moving the servers that use the filer data....

Yes, it's going to be a busy few months.

And a project manager just asked me if I needed any help installing IIS...... Sometimes I'd rather be doing anything else than working in IT.

Some DNS Tips

noreply@blogger.com (Gary Williams) — Mon, 15 Sep 2008 11:01:00 +0000

Several times in just the past week I've had to deal with DNS entries that have made things a touch more painful than they should have been so I thought it might be time for me to jot down a few notes on how DNS should be configured to save IS people's sanity!

First up the DNS servers themselves. You should always have a primary and secondary which generally, speaking are two different DNS servers at your ISP's location. If two are not available you should consider switching ISP's. Personally, I use three. Two from my ISP and one from OpenDNS. This way, should the ISP change for any reason and/or should access be denied to the ISP's DNS servers I've got a third, totally separate service available to me.

Next up, A records. These should always point to the IP address of the server in question and they should always use the hostname of the server. Sure, this can lead to some unfriendly names but it's really handy to know the proper hostname of the server. If you want to use something 'pretty' then use CNames. When you create the A record make sure the PTR record is also created in the reverse look up zone. This way, when you are trying to work out what physical server a CName is all you have to do is a reverse lookup against the IP address.

MX Records should also have two internal/DMZ based mail servers which they can deliver to and a third at the ISP which can retry delivery to your internal servers at a later date.

These are simple tips and they (or variants of them) can be found as best practice advice for standard DNS configurations.

Understanding your environment

noreply@blogger.com (Gary Williams) — Mon, 08 Sep 2008 11:01:00 +0000

A practical demonstration of why understanding your environment is vital occurred a few evenings ago when some NetApp filer\domino work went wrong. A little bit of background first, domino data is stored on a NetApp filer which is shared using nfs. This is mounted by the domino server and it all (most of the time) works.

For some reason this particular server running Domino (let's call him Bob) was showing high i/o stats, although the server itself was responding fine. The filer (Nutkins) wasn't reporting any problems but it was deemed that Nutkins had to be at fault. There are a lot of connections to Nutkins after all and in fairness the mount point is living in an aggregate that is unbalanced in terms of i/o profile so the decision was made to create a new aggregate decided for Bob. Simple enough to do. For those not filer aware an aggregate is a collection of physical disks. In giving Bob his own aggregate it dedicated 8 spindles to the Domino data. More than enough to remove any i/o bottleneck.

Now, Nutkins itself has a very cool piece of technology called snapmirror. A snapmirror was duly setup and Nutkins began copying the data to its new home.

So, the big evening arrives. The paperwork is signed (in blood, naturally). The changes authorised, the servers poised....... A hush descends and the commands to stop Domino are typed into Bob......... and Domino promptly hangs.

Red flag 1 - when a manager says "oh, it always does that. Just issue kill -9 and everything will be fine, well except that a few databses might be corrupt" it's probably time to start worrying. However, the final snapmirror is initiated and the last 140mb of changes are copied (in 22 seconds no less, not even enough time to get a cup of tea). The snapmirror is then quiesed and broken. This makes the destination for the snapmirror writable. Over to the unix admin and a few key clicks later the export is mounted and Bob was started.........
Or not. Seems that a small fact was missed. Bob not only has data stored on Nutkins but also has a local directory for crash dump logs.

Red-flag 2 - when Bob's admin doesn't know the configuration of Bob's setup it is probably time to start panicking. Anyway, a tappety-tap of the keyboard and the directory is created. Oh, lets stop and start Bob hoping red flag 1 doesn't pop up. Mr. Unix issues the command and on the screen "server shutdown. Bob_stop not found". Ok, so did it shut down or not? Ps -ef | grep lotus and nope, nothing running. Red flag 1 avoided! So, start Bob and..... Nothing. Not happy. Hmmm. Time to fail back, something isn't understood\not working.. So Mr. Unix does his stuff and...... No Bob. Seems red flag 1 corrupted the data then the final snapmirror copied corrupt data. Also seems that the shutdown script has at least one bug in it which causes a loop to fail when the script is executed.

Anyway, to cut a long story short we backed out and made the change a few days later. There are several lessons learnt here mostly revolving around documentation, standarisation and knowing your environment. I'll leave it as an excercise to the reader to work out the rest!

AD Find

noreply@blogger.com (Gary Williams) — Thu, 21 Aug 2008 11:01:00 +0000

AD Find is the second of the two tools I managed to find in the same week. This little tool weighs in at just 700K for the download and about 2mb for the actual file. This tool does exactly what it says, it finds things in Active Directory. The clever part about it is it's possible to say exactly what you want to get back and the format it should be in.
As an example, a few weeks back I had the issue with Bindview not liking non-ASCII characters.

Now, the version of Bindview that's being used where I work is a very old NT4 only aware application which means it will update the SAMAccountName attribute but not the display name.

This isn't a problem as there is a workflow from an HR application which deals with all of that, all bindivew should be doing is delegated group permissions (and yes, I know it's much easier in AD but thats a war story for another time).

Anyway, I was curious to know how many SAMAccountNames didn't match up with display names so I used ADFind to display the CN, Samaccountname, mail, firstname and lastname fields in a CSV format which could then be processed by a filer in Excel. Much quicker than messing around with the native Active Directory tools.

AD Explorer from Sysinternals

noreply@blogger.com (Gary Williams) — Thu, 21 Aug 2008 11:01:00 +0000

Sometimes it's possible to stumble upon a tool and wonder just how you would have gotten a task accomplished without it. Last week I had the good fortune to stumble upon two such applications right at the time when I needed them most. I did consider buying a lottery ticket that evening!

The first one is AD Explorer and it's from sysinternals and it's exactly what it says, a explorer tool for Active Directory. It allows viewing, searching and editing of the AD in ways that are far superior to Active Directory Users and Computers. I suspect the only thing that AD users and computers can do (or do better) that this tool cannot are password changes, logon hour restrictions and limiting logon ID's to specific computers.

One very nice feature this tool has is the ability to take a snapshot of an Active Directory and compare it to another snapshot. Doing this shows just how many changes occur in the AD in just a few days. It's also a great way to see how many differences accumulate between your production and test active directory environments.

Overall this is a fantastic tool and one I'll be using when the MS technotes require delving into some obscure key via ADSIEdit. I'll also be using it in place of tools like Softerras LDAP browser unless I need to something LDAP specfic.

Why Total Cost of Ownership is a fallacy

noreply@blogger.com (Gary Williams) — Fri, 01 Aug 2008 11:01:00 +0000

If I have one more potential supplier try and sell me something on the lie that it will "reduce TCO" I will not only scream but I will beat them to death with a CAT 5 cable.

Total Cost of Ownership (TCO) is one of those almost unmeasurable values that seems to have pride of place in the salespersons portfolio. How do they KNOW a new system (with it's associated equipment, licensing and training costs) will work out cheaper than the old one?
The idea is that newer systems have better support so rather than training someone in an older system and maybe having to buy in more expensive skills more legacy systems it works out cheaper to upgrade or replace with the latest model.

I don't disagree that for some systems which are truly legacy such the old DOS or OS/2 application may well work out cheaper in the long run but the one thing that will truly reduce TCO?

Understand your systems.

Take time to test and document the fixes.

Use your call logging system as a knowledge base.

These three tips alone will truly reduce TCO.

VMWare course

noreply@blogger.com (Gary Williams) — Tue, 15 Jul 2008 11:01:00 +0000

For much of this week I'm on a VMWare course for the second half of my VMWare training. This part of the course is titled Deploy, Secure and Analyse. The course itself is to prepare me for a server consolidation project that the company I work for is kicking off.
The project invovles several VMWare clusters, a Hitachi SAN and blades. Lots of flashing lights and new technology to ~~break~~ support.

Legacy Systems and a very handy SQL comparrison Tool

noreply@blogger.com (Gary Williams) — Sun, 13 Jul 2008 15:16:00 +0000

On Friday, I had the "pleasure" of having to get a legacy system up and running.
This system was originally introduced to allow users in the business to manage group membership for projects they had ownership of. The idea was that it would cut down user calls to the service desk by about 10% and allow the project managers themselves to get a speedier turn around for new starters.
Sounds fine in theory and in the world of NT4 it wasn't a problem. Move on to the world of Active Directory and things are a little different. The legacy system (Bindview v4.6) has been superceded about 5 times over but we can't just install the latest version. Trust me on this, the latest version is fine but there are many design decisions and compromises as well as several rejections for upgrading the system from a few years back that have all combined to lead to the current problem.

The actual problem was an interesting one. The system was complaining whenever anyone tried to edit a group. A restore of the back end SQL database fixed the problem until the next domain sync occurred when the database would corrupt itself again.

Obviously, the sync was pulling something from the domain that it didn't like.
For the first attempt at a fix I fired up SQL Trace which records every single SQL statement that goes to a selected database. The neat thing about Trace is that it's possible to point the trace results to a SQL database itself and then filter it to get rid of stuff you know isn't going to help - such as SQL agent tasks and so on.
Trace left me with a multi-variable SQL script spanning over 4,000 lines and quite difficult to read or even test so I decided that the next best thing was to restore the working database to new a database name and then find a tool to compare every object on the bindview user table to see what was different between the restore and the one that synced with the domain and promptly broke.

AdeptSQL was the third tool I tried and whilst it has a very simplistic point and click interface it's incredibly powerful for comparing two SQL databases. Once the comparison is done you get two side-by-side windows which represent the two databases. Changes are highlighted by colour - Red for deletions, Blue for new and black for no changes.
This left me with a 2,000 list of changes, deletions and amendments in the database.
AdeptSQL also lets you filter things out and by using these features I eventually tracked the problem down to the description field of two user accounts.
These accounts had spurious characters in them which Bindview being rather old and totally ASCII prompt fell over on. Removing these and waiting for a resync solved the problem.

Whilst AdeptSQL helped me solve that particular problem there is still the problem of this legacy system updating Active Directory whilst not being active directory aware which leads to some other fun and games with the display name versus the SAMAccount name but more on that in a later article.

Build your own NAS

noreply@blogger.com (Gary Williams) — Mon, 30 Jun 2008 11:01:00 +0000

Things have really moved on in terms of storage. Not so long ago the largest hard drive you could buy for a home PC was a 200GB IDE. Today, 1TB SATA hard drives are available for less than £100 from my favourite hardware website AUT Direct.

I'll admit that I couldn't resist for long and as I've got a tower PC with 6 IDE hard disks in which are not doing anything at present it was just too much of a lure and I've ordered up 4 1TB disks.
The plan is to replace four of the IDE disks with these 1TB SATA drives and I've bought the necessary SATA drive bays to making swapping them out easier if needed.

As the motherboard is quite old I also purchased two SATA cards which will be able to handle the SATA disks.

The tower also has two IDE disks on an IDE expansion card. This was originally for the OS but I'm going to pull that
and put one of the SATA cards in it's place. The IDE disks are small (either 10 or 20GB) which I'm going to bin and replace with two 250GB IDE disks.

In total the box will have about 4.5TB raw storage capability. I need to configure the 4 SATA drives as RAID 5 in case of a failure. I also want to configure the two 250GB IDE's as RAID1 for the same reason but testing in in VMWare showed it wasn't quite that easy.

The operating system of choice will be OpenFiler. This OS supports all sorts of storage options including CIFS, NFS and iSCSI. It's free and actually supports more than some hardware solutions such as the Buaffalo terrastation I recently bought!

Even so, When finished and configured with the RAID arrays the box should be able to support an impressive 3.2 or so TB or usable storage.

A fun little project......!

Issues upgrading Domain Schema to 2003

noreply@blogger.com (Gary Williams) — Sun, 29 Jun 2008 11:01:00 +0000

So I'm probably a little behind in upgrading my home networks domain schema to support Windows 2003 but better late than never!
The process itself was smooth enough once I'd corrected some problems on the machine but the upgrade logs were not the most helpful troubleshooting aid I've come across.
One particular error had me stumped for a few days:

"Error code: 0x57 Error message: The parameter is incorrect.."

No indication of which parameter it was but as it occurred when checking security descriptors and many blog articles refer to missing security ACL's on GPO's I had a look at those and sure enough, Enterprise admins was missing some rights so I fixed those up and....... the same problem. At this point I'd admit to a lot of head scratching. The event logs didn't shed much light until I realised that the security event logs were not accessible. Sure enough, somehow the ACL's on the security event logs had lost all their rights. Resetting these and then rebooting allowed the process to complete perfectly.

ITIL Overview Training

noreply@blogger.com (Gary Williams) — Fri, 20 Jun 2008 09:23:00 +0000

The company I'm currently working at have decided that ITIL is the way forward. Yes, after several years of different ideas, options, tests and other madness they want to adopt the official ITIL framework over a period of 6-7 months.

Now, whilst I think that ITIL is a good idea and yes, I am something of a convert to the whole ITIL structure I think that the nature of the user/customer base here is simply one that won't tolerate the ITIL way of doing things because it will require them to become more proactive and less reactive. I really do believe that many IT departments are products of the greater company in which they find themselves. Have a company that's reactive and unstructured then your IT department will be as well because it fits in to the business model.

Still, the training was interesting if a little dry and I picked up a few things on Problem Management and Root Cause Analysis. Something I'm very interested in because of the way it deals with problems and provides permanent documented fixes. This is something I'll go into in more detail in a later blog.

As for ITIL here, well.... I really do hope it works but I can see it being a somewhat half-hearted implementation unless the business are prepared to be a little more structured.

The final thing I'll say on ITIL is that it's a nice framework with a focus on how IT should be run but it doesn't address any sort of approach for bringing it into the business. I know that ITIL practitioners will say that this is because each business is different but it would be nice to read some success stories and find out just how they implemented ITIL and what order they implemented it.

Posting update

noreply@blogger.com (Gary Williams) — Mon, 09 Jun 2008 11:01:00 +0000

Yes I know I've not posted for a bit. No excuses and I promise I will try to be good for here on in!

Lot's of changes at work and enough material to fill the blog every day for a year but I do need to actually get on with writing some of it down!

One article a week from here on in. Not a new years resolution but a start of summer resolution.

InfoSec 2008

noreply@blogger.com (Gary Williams) — Mon, 28 Apr 2008 11:01:00 +0000

Well, After some false starts involving problems with London Undergrounds District Line I made it to Olympia and to Infosec 2008. The event itself is a good one for picking up the latest trends in security and seeing a few demo's of various products and as always there was some good stuff to see there.

For example, Sophos have come on in leaps and bounds and I was most impressed with their new AV console. It can also do NAP (where a machine is quarantined until it means a specific criteria for patches and AV).

The Sophos solution also has a web based applet which can be deployed to guest machines (i.e. visitors). The classic here was the sales guy who was demonstrating it was telling me just how clean the solution was "It uninstall's without a trace so we don't change a THING on the users machine" he extolled. Hmm. But if it doesn't met the policy then the remediation servers will be the only ones the user can see. This allows the user to update AV definitions and patches. Now, if we can't touch a visitors machine then what's the point? It's a nice technology but worthless for that reason.
Guest machines should be in an isolated vlan with only net access. They should not only be isolated from the production network but from each other as well.

The Microsoft seminar was superficial but I did learn a few things about their NAT offering in Windows Server 2008 and it does look useful. Certainly on the "to test" list.

Overall, I came away from Infosec slightly underwhelmed. There didn't seem to be any new technologies or ideas that made me feel "yes, I like this. This is a good way forward". The last time I had that feeling was with Splunk and I still think that about the product. I do wonder if security is falling into something of a rut just waiting for the next big attack.......

nLite Automated builds

noreply@blogger.com (Gary Williams) — Mon, 14 Apr 2008 11:01:00 +0000

I'm a big fan of unattended builds and I've been using them for over five years now. The process of creating an unattended build can be somewhat hit and miss so using something like VMWare to test the final build is often an essential.

nLite has been around for a while but the last time I used it I found that the resultant build could be flaky and often just not work.
These issues seems to have been fixed with current version as it's remarkably easy to create a custom build and to add service packs, drivers and patches.

Overall I'm very impressed with the tool and at price tag which is free I really cannot complain!