Turing Test commenting

Some recent comments on my posts which, sadly, will defeat their advertising purposes by not being attributed:

“I wish to voice my gratitude for your generosity for those individuals that have the need for help on your topic. Your special dedication to getting the message along had become surprisingly powerful and have constantly enabled ladies much like me to reach their objectives. Your entire useful tips and hints denotes this much to me and especially to my peers. Thanks a lot; from each one of us.”

“Thanks so much for giving everyone remarkably marvellous opportunity to read from this site. It can be so lovely and also packed with amusement for me personally and my office peers to visit your blog the equivalent of three times a week to read the fresh issues you have got. Not to mention, we are usually astounded with your surprising guidelines you serve. Some 3 facts on this page are certainly the most suitable we’ve had.”

“Great information to share and hope it will be very helpful in future. For handling higher level of corruption & typical issues i took help of: <link redacted>

“Hey there awesome blog site!! Person .. Stunning .. Remarkable .. I will take a note of your website and make nourishes additionally…I am happy to find a great deal of valuable information in the actual post, we require figure out much more approaches to this particular regard, appreciate your discussing. . . . . .”

“This is finding a extra very subjective, but I significantly choose the Zune Market place. The particular user interface can be vibrant, features much more sparkle, and a few great characteristics similar to Mixview’ that allow you to quickly observe connected photos, songs, or another users associated with what you’re playing. Simply clicking one particular may focus on in which merchandise, and yet another list of “neighbors” should come in to see, enabling you to understand around looking at by similar musicians, tracks, or perhaps users. While we’re talking about people, the Zune “Social” can also be extreme fun, enabling you to find other individuals using shared tastes and achieving buddies using them. Then you definitely may tune in to any playlist made depending on an amalgamation of the your pals are generally listening to, and this is pleasant. Individuals interested in personal privacy is going to be relieved to know you are able to stop the open public through discovering your personal tuning in practices if you consequently choose.”

 

“Sources a great astonishingly common occasion could possibly be wholesale jerseys from china, in general energetic surroundings favorable simply is not appropriate, your reason could be nicely, Ensure that your current networks additionally limits fixed during the entire little bit of lazio jersey”

Posted in Uncategorized | Leave a comment

Mobiles re-revisited

It was July 2012 when I last reported on the University’s mobile users so it seems like a good time to see what’s changed.

So, last summer we had 11,461 ActiveSync devices which connected to the Nexus service. Today that figure has more than doubled, to 24,492. But that’s not necessarily 24,492 different people: the number with more than one ActiveSync device has rocketed too. That figure has gone from 3,031 to 11,151.

Yet another factor to bear in mind is that not all of these devices are mobile ones  – Windows Mail uses ActiveSync but is a feature of Windows 8’s touch interface, widely known as TIFKAM.

As before I’ve not recorded devices which have fewer than twenty users.

Device Number % of total
Android 7623 31.1%
BlackBerry 37 0.2%
iPad 4162 17.0%
iPhone 11049 45.1%
iPod 587 2.4%
Nokia Email 74 0.3%
Palm 20 0.1%
Playbook 48 0.2%
Windows Mail 342 1.4%
Windows Phone 429 1.7%

That means that nearly a quarter of Nexus users are making regular connections via ActiveSync devices. Apple still dominate but Android is also a significant force. The graph below shows the change over time.

usage

Windows Phone shows the largest percentage increase over the last two years, but behind that impressive growth figure is the rather more down-to-Earth one that they only represent 1.7% of the total. Who knows, another year and Windows Phone could overtake the iPod!

Interestingly BlackBerry’s Playbook has leaped from ten devices last year to 48 today. But the tiny number of BlackBerry phones (even if I were to add those 360 BlackBerries using our BlackBerry Enterprise Server – not listed here) shows that their technology is very much in fourth place behind Windows Phone, Android and Apple.

I will finish off with a few final items which caught my eye – Palm lost two users over the last year and are now in a precarious position, just barely scraping onto the table by maintaining twenty active users.

I’d also like to say a big ‘hello’ to the two people who’ve bought Surface RT tablets in the last year. Maybe they’re the same two people who gave up their Palm devices?  🙂

Posted in Uncategorized | Leave a comment

Mail merging

 

This isn’t something I’ve had to do for quite a while so, mostly for my own reference, here are some of the more common pitfalls after you’ve done the mail-merging legwork.

MAPI32.DLL

If you have the Exchange admin tools installed this DLL gets replaced. It’s usually found in c:\WINDOWS\SYSTEM32. But if you place a copy of the correct MAPI32.DLL file version into the same folder as Outlook (usually C:\Program Files\Microsoft Office\Office<version number>) Outlook will find that one first.

This eliminates the nasty MAPI error messages and still allows your admin tools to work.

Security Settings 

At the final hurdle, just as your mail merge is ready to go, you get the ‘Do you want to allow this?’ message. This is then followed by a succession of ‘allow/deny’ dialogue boxes – one per message  – which can get a bit wearing if you’re emailing hundreds of people…

  The fix (if you don’t want to resort to third-party software, such as ‘ClickYes’) is to install the Office 2007 group policy template from Microsoft.  Having downloaded that, launch the group policy editor MMC snap-in. Under ‘User Configuration’ select ‘Administrative Templates’. Right-click, select ‘Add/Remove templates’ and browse to the Outlook ADM file (ADM\en-us\OUTLK12.ADM).

You now have additional settings for Outlook 2007. Under ‘Security’ change ‘Programmatic Access Security’ to ‘enabled’ with ‘Never warn me about suspicious activity’ selected. Don’t forget to reset this afterwards!

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Posted in Uncategorized | Leave a comment

“Stop, thief! My data is on that…”

We were recently contacted by one of the university’s departments to discuss their concerns about client-side data security. Their worry was that confidential material from their users’ mailboxes would be cached in Outlook’s offline store. This represented a possible data vulnerability in the event that a computer were to be stolen. The department had proposed, as a solution, that Outlook’s caching should be disabled. Users would work online, minimal confidential data would be stored on the hard disk and all would be well…

Now it is true that the locally cached copy of a user’s email  represents a possible target for the malicious. But tackling a perceived data vulnerability issue via Outlook’s offline store is to overlook countless other areas of equal or greater concern. From my team’s perspective a large number of Outlook clients failing to use caching represents higher server load. These users would have poorer Outlook performance and lose offline access to their email when away from a network.

Disabling Outlook’s caching is not a great idea for performance, server or client. It also doesn’t really address the data vulnerability issue anyway. Even if we were able to force the whole university to use Outlook on their desktops1 there is still a vast array of users’ own devices to which data might be transferred.

If you have content that needs to be secured, my experience is that the end-user represents the weakest part of any security environment: servers are very likely to be fully patched, in a secure datacentre, audited, monitored and protected by strong security policies with ‘least privilege’ access. End users, on the other hand, tend to resent and resist security, only complying where it is impossible to avoid or where non-compliance has sanctions attached.

There are countless security options available but by far the most powerful is to require a strong password: naturally the university does this already. But in a form of arms race the end user can respond to this with software which caches this password for them.  The best solutions to the problem are, in my view, ones that are unavoidable by users. Avoiding any additional user inconvenience at the same time is a bonus. However finding that kind of solution needs a more detailed understanding of the problem.

In the case of our department’s query, a bit of probing eventually revealed that the concern related solely to the possible theft of a departmental computer.  The aim was to provide a security enhancement that should ensure that a casual thief would be unable to recover content from a stolen machine’s hard drive.

Preventing Outlook from duplicating mailbox content locally does, sort of, achieve that aim but overlooks the very real possibility that users may still be putting classified material onto their local computers. Saved attachments, PST files, and MSG files represent just a few of the email-related possibilities. But confidential data doesn’t just move around via email. Plugging one possible route doesn’t affect others.

The ideal situation would therefore seem to be something that doesn’t require user interaction or effort yet secures whatever data our users might care to store on their computer’s hard disk. Fortunately technology comes to the rescue – most of the university’s current crop of desktops have a TPM chip which offers a very simple way to secure hard disks. A brief foray into the BIOS might be needed to activate TPM functions but then Windows can do the remaining heavy lifting. The Enterprise / Ultimate versions of Vista, Windows 7 and Windows 8 all include Bitlocker. This is a hard drive encryption technology that doesn’t generally require any user interaction – they may not even be aware of it.

Bitlocker’s decryption key is held within the computer’s TPM module so, as long as the TPM chip sees unmodified boot files, the operating system will power up normally. From that point onwards of course we do still have to depend on the user having sensible security settings. It is therefore while a computer is turned off that Bitlocker offers a reasonable defence against data loss. It would be foolish to deny that routes still exist to attempt data theft, but those routes need someone who is both highly technical and extremely determined. TPM’s vulnerability relies on a cold-boot attack, extracting the decryption key from the memory of a recently-shut down machine. This is hardly something a casual thief is likely to undertake. Password phishing  probably represents less effort for greater gain…

In the case of computers without a TPM chip, Bitlocker will require the user to supply a USB key or provide a PIN in order to power on. Although this represents a hassle for the regular user, and lacks the transparency of TPM’s approach, it can be even more secure: it makes cold-boot attacks from a really determined hacker that little bit harder.

In my view Bitlocker represents one of those features that, if it’s available to you, you should use it. It’s not perfect by any means but, with a TPM-enabled computer, is completely transparent to the end user. It offers full disk encryption that will make most, if not all, data theft uneconomic.

1 Good luck with that idea.

Posted in Uncategorized | Leave a comment

Kies, Samsung firmware and bricks

 

I recently opened up Samsung’s Kies software, to synchronise some of the content that doesn’t get updated over the air, and was given a popup notification of a new firmware version. Having done similar upgrades through Kies before I didn’t think twice: new equals shiny equals better, right?

To cut a long story short, this time the update didn’t work. My phone was stuck in limbo and Kies couldn’t get the process to finish. My only hope seemed to be ’emergency firmware recovery’ via a recovery code that Kies presented to me. But even this option didn’t resurrect my slumbering Galaxy S2.

Rather than assume my half-upgraded phone was now a brick I considered my options.  Even if Kies can’t do the upgrade it can at least download the correct firmware for you.  I found that Kies downloads its firmware updates into the TEMP folder. The file’s name is in the format ‘tmp<4 hexadecimal characters>.tmp.

You have to be quick to find it though. Kies decompresses the file into a folder called ‘tmp <4 hexadecimal characters> .tmp.zipfolder’  and almost immediately afterwards begins the firmware upgrading process. Once it gets to 100% these files are removed sharpish – grab a copy while you can! Putting ‘%TEMP%’ into the ‘run’ dialogue box makes this easier to find.

Since Kies couldn’t do the job I finally resorted to the rooter’s favourite: Odin. This little program, armed with the firmware I’d grabbed from Kies’ temp folder, was thankfully able to bring my phone back to life.

As a further bonus, and unlike those who go down the rooting process proper, Kies will still happily talk to my phone for synchronisation and backups. One final point to note – the recovery didn’t work until I had tried using a different USB cable (I switched from my no-name eBay purchase to an official Samsung one) and also plugged straight into a USB port, rather than via a powered hub.

Hopefully this may help someone else who finds themselves stuck in a similar position.

 

 

 

Posted in Uncategorized | 5 Comments

BlackBerry Enterprise server versions

Mostly for my own reference here’s how the BlackBerry bundle numbers you see in ‘Add/Remove programs’ correspond to the various maintenance releases and hotfixes:

Updated 13th April 2014

Version Bundle
5.0 223
5.0 MR1 236
5.0 MR2 244
5.0 MR3 255
5.0 MR4 267
5.0.1 (Service Pack 1) 70
5.0.1 MR1 82
5.0.1 MR2 117
5.0.1 MR3 139
5.0.2 (Service Pack 2) 36
5.0.2 MR1 51
5.0.2 MR2 96
5.0.2 MR3 119
5.0.2 MR4 133
5.0.2 MR5 146
5.0.3 (Service Pack 3) 33
5.0.3 33
5.0.3 MR1 41
5.0.3 MR2 53
5.0.3 MR3 93
5.0.3 MR4 107
5.0.3 MR5 143
5.0.3 MR6 163
5.0.3 MR7 227
5.0.3 MR8 256
5.0.4 (Service Pack 4) 38
5.0.4 MR1 52
5.0.4 MR2 70
5.0.4 MR3 86
5.0.4 MR4 100
5.0.4 MR5 116
5.0.4 MR6 128
5.0.4 MR7 160

Service Pack 4 Maintenance Release 7 is dated 9th April 2014. The minimum requirement to install this remains the same: the server must be running at least v 5.0.4 (bundle 38).

Posted in Uncategorized | Leave a comment

iOS6 devices hijack ownership of an Exchange meeting

It has been brought to our attention that Apple devices which have been upgraded to iOS6 may encounter an issue when responding to meeting requests in Exchange. The behaviour has been described as ‘meeting hijacking’ and seems to relate to situations where a user opens a meeting request in Outlook but takes action on it from iOS6.

The effect is that, under certain circumstances, taking action on a meeting request (such as accepting a meeting) has the unfortunate side-effect of simultaneously taking ownership of that meeting. Under those circumstances the meeting updates, cancellations and confirmations would be directed to the new owner rather than the original organiser of that meeting.

Both Apple and Microsoft are reported to be investigating this problem and, at the time of writing, the advice is to contact Apple for an update.

Microsoft have documented this issue here: http://support.microsoft.com/kb/2768774.
The Apple discussion forums discuss it here: https://discussions.apple.com/thread/4368289?tstart=30

This issue appears to be confined to those devices which run iOS6 AND have been configured to connect to Exchange using ActiveSync. If you use a different protocol (such as IMAP4 or POP3), you have a non-Apple device, or you’ve not upgraded your iDevice to iOS6 you should be unaffected.

UPDATES:

The Exchange Team Blog reports on the issue here: http://blogs.technet.com/b/exchange/archive/2012/10/23/ios6-devices-erroneously-take-ownership-of-meetings.aspx

Michael Rose’s blog also documents this behaviour as an even longer-running issue. His article describes a user who reproduced the problem:

At some point, the iOS device syncs the calendar via ActiveSync and suddenly becomes confused about who the owner of the meeting should be (the organizer, in Exchange-speak). The iPhone decides that its owner should become the organizer, since it has no idea who the real owner is, and syncs this property change back to the Exchange server. Exchange 2007 now has a disconnected copy of the meeting with a different owner. Exchange is agnostic about this.
Now the iPhone owner declines the meeting for whatever reason. Exchange automatically generates a cancellation or decline notice and sends it out to everyone since the disconnected copy of the meeting has a different owner. This results in mass confusion and sometimes will delete the meeting from the other calendars.
We verified this problem against iOS 4, 5 and 6 with Exchange 2007 and 2010. In Exchange 2010, Microsoft introduced a “calendar repair agent” that is supposed to detect this problem and resolve it. This calendar repair agent is a daily timer job. Microsoft did release patches on Exchange 2007 SP2 and up to correct some of the issues that are similar to this, but this particular problem was never resolved.

It seems that blame can be applied to both parties in this. Michael’s user’s analysis suggests that:

 Apple’s manipulation of the organizer field is against the ActiveSync specification. However, ActiveSync will not stop iOS from doing this regardless of the fact that it is “against the specification.” ActiveSync will happily accept the change and write the properties from the mobile device even if the ActiveSync spec says that Exchange explicitly should not do this.

Based on this it reads to me that blame should be apportioned in both directions:

  •  Apple: wrote code that attempts to do something it shouldn’t.
  • Microsoft: wrote code that accepts a change that it shouldn’t.

Now we just need one of them to take ownership and fix the issue.

 

Posted in Uncategorized | Leave a comment

Exchange 2010 SP2 Rollup 4 doesn’t like a wildcard in your ‘Accepted Domains’

We have identified a curious issue with Exchange 2010 when SP2 Rollup 4 is applied. Here’s what happened, in a nutshell, on our servers:

 Users who have ‘Full Access’ permissions over a secondary mailbox lose the ability to open that secondary mailbox via OWA.

The problem was clearly directly attributable to the rollup and we confirmed this: prior to SP2 RU4 it works; after the update is applied it no longer works. Removing rollup 4 restored the functionality and stopped the error (‘System.ArgumentNullException’) from being returned.

Initially we were confused both by this behaviour and also that it didn’t apparently seem to be a widespread issue. Had we found a problem that was unique to our installation? After our diagnostics had drawn a blank we naturally escalated our report of the problem. A bit of email to-ing and fro-ing eventually led to confirmation that Microsoft can reproduce the error we’re experiencing – but only under a certain very specific condition. This seems to be the explanation for why the issue isn’t widespread – our installation differs in one crucial respect from the majority of others out there. This problem is caused by a revision, introduced in SP2 RU4, which changes the server’s behaviour when trying to access secondary mailboxes from within OWA.  Here is what we’ve been told:

“When there is an additional mailbox that is being accessed through OWA, we perform a search for the same and return it back based on the permissions on the mailbox. The way this search is being performed has changed starting E14 SP2 RU4.

In Exchange 14 SP2 RU3 and previous versions, we just did an un-scoped search. So in a large organization and in a hybrid setup (cloud + On Premise), the search results could be ambiguous. There was a change in this logic introduced starting Exchange 14 SP2 RU4. We now do a scoped search, using the scope of the Primary SMTP Domain of the additional mailbox. We go ahead and search for an Organization ID for this domain in the OrgID Cache that is built. This Cache is built based upon the list of domains in the “Accepted Domain List”. When this domain entry is not in the “Accepted Domain List”, the cache would return a null organization id, resulting in the System.ArgumentNullException. We need to also note here that the cache is built upon the actual domain name, and not a wild card. So a domain entry in the Accepted Domain List, similar to “*.something.com” does not mean that we will have all the domains under something.com in the cache. We will need to add all the domains explicitly in the Accepted Domain List. The cache will be formed based on this list, so that we need not iterate the accepted domain list frequently.”

The university, by virtue of its many departments, divisions and colleges has a great many domain names – 208 at the current count* – and this list changes regularly. To avoid the maintenance overhead of altering the Accepted Domain List we have long since used a wildcard entry for the ox.ac.uk domain. It seems that we therefore fall foul of this new scoped search functionality as a consequence of our wildcard. At the moment the ‘fix’ seems to be to remove the wildcard entry and instead add an entry for every accepted domain.

*Some way off the limit.

Posted in Uncategorized | Leave a comment

Unintelligent Intelligent Provisioning

This month brings us some new hardware which will shortly become our new Threat Management Gateway array. The new servers are all HP’s  Proliant DL380p (Gen8).

The process for setting up new HP servers has recently been updated. They’ve recently integrated their set-up process internally to the server: instead of booting from a SmartStart CD there now is a built-in ‘Intelligent Provisioning’ boot option instead. In fact a Gen8 server refuses to boot from a Smartstart CD any more.

This new Intelligent Provisioning  feature is accessed by pressing F10 at the crucial moment at startup.  For six of our new servers this option was both quick and superbly simple – IP’s options start with a quick config to specify performance options, the ability to update system software as part of the deployment and of course to configure the disks using the Array Configuration Utility (ACU). When accessed via iLO it also allows an ISO file to be presented as virtual media for the installation, so this was my preferred route to do a deployment.

All was well for the first batch of new servers – the array was set to be customised at this first stage, so the ACU launches, lets you configure the disks and then resumes the installation. However this process wasn’t quite so seamless for the last two servers. These two were due to become our new SQL mirror and, initially, all seemed comfortingly familiar.

However beneath these three familiar options the ‘continue’ button had disappeared. And almost immediately an error message appeared on screen:

“There are no physical disks attached – you will need to attach a supported drive to continue”

Now I knew that these disks were there. I’d seen them. And this same error was appearing on two different servers which were installed in two different datacentres. Neither had anything more connected to them at this stage than a power feed and a single network cable for the iLO connection – not even so much as a keyboard and screen. But paranoia had started to set in. It didn’t take long for my diagnostic approach to reach the point where I was thinking about removing the cover from the server to check internal cables and re-seat hot-swappable drives.

But prior to that a quick review of this error on the net seemed to be in order. Search engines weren’t very forthcoming, usually all seemingly directed at one or more variants of the same PDF (it suggests that the issue relates to an SD card or an unsupported drive being connected). Neither of these applied in our case.

The fix is surprisingly straightforward however. Rather than request an array configuration as part of the intelligent provisioning process, instead launch the ACU separately. Configure the disks as you wish in advance, and then return to Intelligent Provisioning afterwards. This step seems to bypass whatever disk-hiding glitch was present in the system and setup then resumes as advertised.

Posted in Uncategorized | 2 Comments

Mobiles revisited

It’s been some time since I last wrote about Nexus’ mobile users so here’s some nice fresh statistics to see what has changed:

  •  11,461 ActiveSync devices
  • 78% have connected in the last three calendar months.
  • 61%  have made a connection today.
  • 3,031 users have more than one ActiveSync device

 

Effectively we have just under a quarter of our users making regular connections via ActiveSync devices. Although Apple have the, er, Lion‘s share and are showing a healthy increase, the gong for greatest percentage increase goes elsewhere: the number of Samsung devices has more than tripled. About half of them are the Galaxy S2 and 43 people are using the Galaxy S3.

 It’s also worth noting that the Windows Phone is now starting to appear in respectable numbers and is also showing healthy growth.

And finally, a few other numbers that caught my eye:

  • Motorola (33 devices)
  • LG  (10 devices)
  • Research In Motion’s Playbook (10 devices)
  • Palm (22 devices)
Posted in Uncategorized | Leave a comment