If you tell enough stories, perhaps the moral will show up.

2009-10-11

Superstition

Strange email a few days ago -- a casual note from one of the Exchange admins asking me to approve enabling a batch of accounts. Rather than just refuse it out of hand, I took a look at the list -- to find a mixed bag of service accounts and shared mailboxes.

For why? Well it appeared that they had been having difficulty archiving some boxes and noticed that the affected accounts were all disabled. Proof of a good reason? No. Plenty of other boxes are disabled -- our leavers process depends on archiving the boxes of disabled users, and shared box accounts are permanently disabled by policy.

I don't know how this will turn out, but it won't be fixed by the enable flag. I don't care, as the lesson I want to draw is a little different. Superstition in IT is one of the greatest impediments to security rectification.

If I had let that request go -- after all, what do I know about Exchange? and even if I was right, they might have learned something -- if I had followed a cautious "support the admins where you can" rule, a new superstitious belief would have been created. "If there's an archive problem, make sure the mailbox is enabled". And those boxes would never be disabled again -- after all, who goes looking for trouble? And we would have acquired a vast new list of unmanaged accounts for no purpose at all.

When I started, my first rectification was to get rid of the shared domain admin account. It was easy enough to issue DAs to colleagues who needed them, but the next stage, removing the shared account, was much harder. It was protected by superstition. Apparently, all sorts of stuff would break if I canned it or changed the password, it had been tried once and bad things happened, though nobody could remember what.

Now, that risk was real, given the usage of the account, but I knew the possibilities. It wasn't the replication account, it wasn't used to build images, and there were no services running under it (that one took a script to prove). So after a good deal of fruitless argument, I just did it -- our change control was weaker then. Nothing broke then and I suspect that what broke in the past was co-incidence.

The point is that people who are out of their depth, even just a few inches, will clutch at the first turd that comes bobbing by, and once clutched, they'll never let it go. It's not a moral fault, it's a feature of human psychology, and no doubt in the wild it has survival value.

In Windows security, most people are just slightly out of their depth, even though it's pretty simple (apart from ACL inheritance, obviously.) Even though they could reach the truth with just a little effort, they don't. Instead they seize whatever comes first -- co-incidence or just wrong observation -- and their survivalist mind starts building superstition. It's my job to knock it down and I do. I don't like pretending to be authoritative, even though I took the training. But in a case like this, it's the only way forward. I declined the request, explained my reason as far as I could without accusing the team of crass irrationality, and left it at that. We'll see.

2009-10-09

Bang per Buck

This is interesting. It's not a surprise that Iran wants to make a deal with a foreign oil major. No. The shock is the claim that a totally DIY nuclear programme, in the face of embargoes and secrecy, is cheaper than building out domestic oil production. That can't be good news.

Fairies

I'm doing up a flat in the evenings, and there's enough work that I can't see an end to it. This morning I found myself peeping through the kitchen door on the off-chance that brownies had re-decorated or at least washed the greasy walls during the night. They hadn't.

2009-10-02

Whiteout

The drought has parched the fields for months, and now the full moon light bleaches them bone white.

Fantasy Programming

I work at the command line, and I've never found a better place to do stuff in bulk. But since I've been dealing with dynamic networks of hundreds of PCs I've found that there's a tool missing from the utility set.

Windows is good for remote management -- better than people realise, but there's one thing it needs -- a decent network enumerator. What's that? It automates a task which crops up time and again -- running a command against a list of all the machines in a domain, or on a network, or subsets of those lists. I want to be able to type enumerate --domain MYDOMAIN.LOCAL --exclude "/(DC.*)|(PRNT.*)/" /cmd "mycommand %%Name%% %%Timestamp%%". I think that's fairly clear: I want to enumerate the domain MYDOMAIN, exclude the DCs and those pesky HP print servers, and then, for each machine, run the command mycommand with the name of the machine and a timestamp on its command line.

I know that would be useful because I actually coded "enumerate" in Perl, and I use it a lot. But doing stuff in Perl has a limited future and I don't think there's really a pressing need to make it an editable script: the function seems rounded and complete -- not something that'll need continuous extension. So, as a first step to a .Net executable, here is my specification for the enumerate utility:


enumerate

 Enumeration settings
 All these settings can be combined and repeated to build up a list of hosts.
 Each entry is expanded into FQDN and IP and de-duped on both, with the last entry taking precedence.
 [--domain DN] Add all members of domain DN to the list.
 [--IP N/L|IP1-IP2] Add all ip addresses in the specified subnet
      (omit network and BC) or the specified range to the list
 [--list H[, H]*] Add all the H's (names or IP addresses) to the list
 [--flist "path"] Add all the hosts in the text file at "path" 
      (one per line, leading "\\" optional, blank lines allowed, anything after white space on a line is comment)
 Logging settings
 [--job name] Log all diagnostics to the file called TS_run_name and all command output to the file TS_out_name.

 Command Settings
 [--cmd "string" [--[no]ping] [--[no]browse] [--omit "regexp"] [--directory "path"] [--concurrent nnn]]
 Run the specified string in a cmd shell, for each enumerated target.
 Multiple --cmds are allowed.

 --directory : cd to "path" before running -- default is "."
 --[no]ping : ping the host -- don't run if no response. Default is --ping
 --[no]browse : attempt to Windows browse the host -- don't run if no response. Default: --nobrowse
 --omit : don't run if the enumerated name or IP matches the given regexp (no //). Default: --omit ""
 --concurrent nnn : Run no more than nnn instances of this --cmd setting concurrently. Default: --concurrent 1

 "string" is the command to run. Default is "echo %%Host%% %%IP%% %%TS%%"

 Variables in the command string are expanded:
 %%Host%% -- The enumerated FQDN or IP address if it can't be resolved
 %%IP%%   -- IP address -- skip if a name can't be resolved
 Times -- all suitable for use in file names:
 %%Date%% -- The date the run started in ISO yyyy-mm-dd format
 %%Time%% -- The time the run started as hh-mm-ss
 %%TS%%   -- Now as yyyymmddhhmmsscc
Now that's a utility.
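To show the target-list half of that specification actually working, here is an added example in Python. It is not the author's Perl "enumerate" and not a .Net build of it; it sketches --flist parsing, --IP subnet and range expansion (network and broadcast dropped), combining settings with last-entry precedence, --omit, and the %%Var%% expansion rules, against a constructed host file. Domain enumeration, ping and browse checks, and the cmd shell invocation are left out, and the resolver is a placeholder (literal IPs resolve to themselves, names do not), so %%IP%% skipping can be seen without a network.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample --flist contents (not a real host list); follows the spec:
# one host per line, leading \\ optional, blank lines allowed, comment after white space.
SAMPLE_FLIST = r"""
\\DC01.MYDOMAIN.LOCAL
ws001.mydomain.local   finance desk
PRNT-HP-3              hallway printer

10.0.0.200  spare address, pinned for a test
"""


def parse_flist(text):
    """--flist: first field of each non-blank line is the host; strip a leading \\\\."""
    hosts = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        host = fields[0]
        if host.startswith("\\\\"):
            host = host[2:]
        hosts.append(host)
    return hosts


def expand_ip(spec):
    """--IP N/L omits the network and broadcast addresses; IP1-IP2 is inclusive."""
    if "/" in spec:
        return [str(a) for a in ipaddress.ip_network(spec, strict=False).hosts()]
    lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    return [str(ipaddress.ip_address(n)) for n in range(int(lo), int(hi) + 1)]


def build_targets(*entry_lists):
    """Settings combine and repeat; de-dupe so the last entry takes precedence.
    Assumption: with no resolver we de-dupe on the literal name or IP only,
    not on both FQDN and IP as the spec asks."""
    ordered = {}
    for entries in entry_lists:
        for h in entries:
            key = h.lower()
            ordered.pop(key, None)  # drop the earlier copy so the later one wins
            ordered[key] = h
    return list(ordered.values())


def apply_omit(targets, pattern):
    """--omit "regexp" (no surrounding //): skip a target whose name or IP matches."""
    if not pattern:
        return list(targets)
    rx = re.compile(pattern, re.IGNORECASE)
    return [t for t in targets if not rx.search(t)]


def default_resolve(target):
    """Placeholder resolver: a literal IP resolves to itself, a name to None.
    A real build would call socket.gethostbyname here."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        return None


def expand_command(template, host, ip, started, now=None):
    """Expand %%Host%%, %%IP%%, %%Date%%, %%Time%% and %%TS%% as the spec defines them.
    Returns None when the template needs %%IP%% and the name did not resolve."""
    now = now or datetime.now()
    if ip is None and "%%IP%%" in template:
        return None
    values = {
        "Host": host,
        "IP": ip,
        "Date": started.strftime("%Y-%m-%d"),  # run start, yyyy-mm-dd
        "Time": started.strftime("%H-%M-%S"),  # run start, hh-mm-ss
        "TS": now.strftime("%Y%m%d%H%M%S") + "%02d" % (now.microsecond // 10000),
    }
    return re.sub(r"%%(\w+)%%", lambda m: values.get(m.group(1), m.group(0)), template)


def plan_run(targets, template, started, resolve=default_resolve, now=None):
    """(host, command) pairs for each target; ping/browse and execution are omitted."""
    plan = []
    for host in targets:
        cmd = expand_command(template, host, resolve(host), started, now)
        if cmd is not None:
            plan.append((host, cmd))
    return plan


def demo():
    """Deterministic run over the constructed inputs (fixed clock so it is testable)."""
    started = datetime(2009, 10, 2, 8, 5, 9)
    now = datetime(2009, 10, 2, 8, 5, 9, 450000)
    targets = apply_omit(
        build_targets(parse_flist(SAMPLE_FLIST), expand_ip("10.0.0.200-10.0.0.203")),
        r"(DC.*)|(PRNT.*)",
    )
    return plan_run(targets, "echo %%Host%% %%IP%% %%TS%%", started, now=now)


if __name__ == "__main__":
    for host, cmd in demo():
        print(host, "->", cmd)
```

Note that --omit as specified is an unanchored match, so "DC.*" would also drop a host called PRODC01; anchoring the pattern is the caller's job, as it is in the Perl original's regexp.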

2009-10-01

Spam Counter - 2009 September: 818

More phishing than usual.

2009-09-27

Secrecy

If you want to conceal your plan for a mass redundancy day, it's probably best not to book out every meeting room in the place all day....

2009-09-18

Wrong Impression

I was very taken by this picture from the front page of the LogMeIn site.


On the site it's animated: we have the shady character in an upstairs room hacking away at an unattended machine in an empty office.

That can't really be the impression they want to give, can it? Is that what they're selling?

2009-09-13

Not Idle; Moral!

In a month or so, every adult who works as an employee or volunteer with children or other vulnerable groups has to be registered with the Independent Safeguarding Authority. This is an extension to the current criminal record check, because the assessment is continuous. What that means is that if a rumour or suggestion falls into the hands of a police force, government agency or local authority at some future time, the registration can be withdrawn at that point, and the employer/organiser warned off, unattributably, under pain of a £5,000 fine.

The Home Office are saying that there will be more than ten million names on the list, dispensing information from hundreds of sources to hundreds of thousands of users, and the records will be up-to-date and truthful. Since the aim is so laudable, and the consequences of screw-ups so dire to innocent and guilty alike, we must wish them "good luck with that".

I'm not against this sort of thing overall. The test is always to move away from the emotive area of child protection and see how we feel then. If you apply for a bank job, is it good that your proposed employer is able to learn about your convictions for swindling or your creditors' arrangement before they give you the safe keys? Yes, it is. Society is mobile and people do use that to hide. But this scheme fails for me, on top of its basic impracticality, because its boundaries are just too wide -- essentially, if the criteria for inclusion are fair and worthwhile there's no good reason why it shouldn't be applied to parents or at least step-parents, and that takes it into political and moral absurdity.

But I do have a slight problem. You see, the papers are full of warnings that volunteers -- the sports organisers and the reading assistants and millions of other helpful people -- will be deterred by the unpleasant thought of being on a list where they are graded and assessed for the risk they present to children. And this is a colourable view: the rules of the Standards Board certainly reduced the number of upright citizens willing to serve as parish councillors, and certainly I reckon I would much rather be judged on whether I had declared all my financial affairs than have some civil servant noting that my late marriage was a marker of sexual irregularity and a risk factor for proneness to abuse children.

On principle (like I say, it's a bad scheme, see?) I won't be registering, and that means I won't be volunteering, and will have to decline requests that I do so. But I am also aware of a slight hint of relief as I make that choice. Essentially, because of my strict moral standards, I can't do PTFA stuff; I can't do carpools, I can't mentor, I can't help with reading. All these things which I didn't do before, because I was a bad person, I'm now not doing because it's important to make a stand against idiot completists in the civil service. Result!

I'm not doing anything this evening: Fancy a swift half in the Angel? See you there.

2009-09-12

Wireshark is OK, But a Bit Heavy

For sheer absence of dicking around, nothing beats tcpdump(1) which ought to be in your Linux install. I had to find out what systems were still using the old time server, which, happily, was an ancient Slackware and, consequently, a Proper Operating System.

tcpdump -c 10000 port 123 > clockies

gathers the first 10,000 NTP packets, and, in another terminal session

gawk '/[0-9] 10/{print $2}' clockies | sort | uniq

gives you a list of the IPs (and you don't have to wait for the first one to finish.) Run wc(1) at the end of the second pipeline from time to time, while the first is still running, and you can see if any new IPs are cropping up.

What I like is the query language: for NTP packets there's just no more intuitive way of writing the search than "port 123"
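One caveat worth keeping beside that pipeline: the `[0-9] 10` pattern relies on the source address following the timestamp directly, which is how older tcpdump prints it (and on the clients living in 10.x). Current tcpdump inserts the word IP between the two, and resolves names unless you pass -n, so the same gawk would find nothing. Here is an added example, in Python rather than gawk and not from the post, that pulls the client list out of a constructed capture in both line formats and counts packets per client, so you can also see which are chatty.

```python
import re
from collections import Counter

# Constructed sample tcpdump output, not real traffic. The first two lines imitate
# the older format (no "IP" keyword, port shown by service name); the last three
# imitate a modern "tcpdump -n port 123" run. Addresses are made up.
SAMPLE_CAPTURE = """\
09:41:02.118273 10.1.4.22.ntp > 10.1.0.5.ntp: v3 client strat 0 poll 6 prec -6
09:41:02.119001 10.1.0.5.ntp > 10.1.4.22.ntp: v3 server strat 2 poll 6 prec -20
09:41:03.550114 IP 10.1.7.91.123 > 10.1.0.5.123: NTPv4, Client, length 48
09:41:03.550801 IP 10.1.0.5.123 > 10.1.7.91.123: NTPv4, Server, length 48
09:41:05.002219 IP 10.1.4.22.123 > 10.1.0.5.123: NTPv3, Client, length 48
"""

# timestamp, optional "IP", source addr.port, ">", destination addr.port, ":"
LINE_RE = re.compile(
    r"^\S+\s+(?:IP\s+)?(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\w+):"
)


def ntp_clients(capture_text, server_ip):
    """Count packets per source IP sent to server_ip's NTP port (123 or "ntp"),
    ignoring the server's own replies and any line that does not parse."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["dst"] != server_ip or m["dport"] not in ("123", "ntp"):
            continue
        counts[m["src"]] += 1
    return counts


if __name__ == "__main__":
    # Equivalent of the gawk | sort | uniq stage, plus a hit count per client.
    for ip, n in sorted(ntp_clients(SAMPLE_CAPTURE, "10.1.0.5").items()):
        print(ip, n)
```

Feed it the "clockies" file instead of SAMPLE_CAPTURE and re-run while tcpdump is still collecting; a growing key count is the same signal the author gets from wc(1).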

SetACL for Command-Line Permissioning

SetACL looks like a saucy little alternative to approaches I've taken here before:
  • Unlike CACLS it uses a simple permission language -- no SDDL
  • Unlike CACLS and chmod(1) it works on services, registry keys, shares and printers
  • Unlike SubInACL it's not mental
I think I need to get familiar with this.....

2009-08-30

Spam Counter - 2009 August: 967

Very evenly mixed bunch. I liked "Stimulate her grotto better"

Media Studies

The more mad son has an email account so he can be subscribed to things. To keep on top of any problems, I have it set to forward copies of anything he receives.

Today his Youtube account got its first subscriber (thanks for that, 344). I was so surprised that I took a look at his home page and one of them is getting decent viewing numbers -- in the hundreds. There's no huge skill in what he does, but he does make lovely explicit titles, and I guess they come up well in the searches.

But here we have a boy, autistic as they come, having more success -- much more success -- publishing free content than a lot of other people. Me for example.

2009-08-04

Mental Health Warning

You never learn anything good about yourself when you read other people's diaries or emails. But we routinely ask managers to look at leavers' emails to ensure nothing gets missed. I think we'll carry on doing that, but it looks like we need to start each permission with a mental health warning.

This week a manager reading a leaver's email found a disobliging reference to herself from another member of her team. Sort of understandable as there was no subject line so she couldn't avoid reading it, but perplexingly she's straight off to HR on the fifth floor.

It's perplexing because if I discovered that my team thought I was a CNUT -- their spelling -- I don't think I'd be going to HR, not as the first stop anyway. I'd be keeping it dead tight, so that being disliked as a manager didn't count against me next review time... and spend the time finding ways to punish the cunt.

2009-08-01

Spam Counter - 2009 July: 1010

Penis 60%
Acai 10%
Watches 5%
Other 15%