Monthly Archives: December 2008


Turn on the new year with your Zune

Zune.net:
http://forums.zune.net/412486/ShowPost.aspx


Early this morning we were alerted by our customers that there was a widespread issue affecting our 2006 model Zune 30GB devices (a large number of which are still actively being used).  The technical team jumped on the problem immediately and isolated the issue: a bug in the internal clock driver related to the way the device handles a leap year.  The issue should be resolved over the next 24 hours as the time change moves to January 1, 2009.   We expect the internal clock on the Zune 30GB devices will automatically reset tomorrow (noon, GMT). By tomorrow you should allow the battery to fully run out of power before the unit can restart successfully, then simply ensure that your device is recharged, then turn it back on.  If you’re a Zune Pass subscriber, you may need to sync your device with your PC to refresh the rights to the subscription content you have downloaded to your device.


I’m not even going to ask what it means if you are traveling and don’t have access to the PC where your Zune normally syncs.

Your Zune and my Zune should be fine tomorrow

http://www.msnbc.msn.com/id/28449091/wid/11915829?GT1=40006


Microsoft also said that “the issue should be resolved over the next 24 hours as the time change moves to Jan. 1, 2009.”


Temporary glitch in the matrix is all.

New ways

New ways of doing the same old things are sometimes hard to get a handle on.  Sharing out printers in the 2k8 era is like that.  Since the server is 64-bit, when you attach a 32-bit workstation, the native driver isn’t 32-bit but 64-bit. 


One of the ways you can deploy printers is a utility called pushprinters.exe.  But there’s a problem where the 32-bit version isn’t on the box.  You can either build the 32-bit version of Pushprinters.exe or grab it from the link talked about here http://www.activedir.org/ListArchives/tabid/55/forumid/1/postid/32125/view/topic/Default.aspx


Like Philip said put it on a usb flash drive — http://blog.mpecsinc.ca/2008/11/x86-pushprinterconnectionsexe-must-for.html


Chad has some posts about things that are different as well… http://msmvps.com/blogs/cgross/archive/2008/12/16/the-death-of-ifmember.aspx and http://msmvps.com/blogs/cgross/archive/2008/12/16/installing-group-policy-preferences-client-side-extensions.aspx



This was just not your time for a vacation was it?

Jamison got hit first with the black screen of death of Vista during his vacation.  Now he’s got two little ones with 30-gig Zunes that he’s not looking forward to turning on to see if they work for his two kids on the plane ride back.  Ugh.  That could be a long plane ride for him.


Major Nelson’s twitter feed (1) says the following:



The team is working now to isolate the issue and get it addressed. Keep an eye on http://www.zune.net/en-US/support for an update. (about 1 hour ago from web, http://twitter.com/majornelson/status/1088297066)


Hang loose and stay tuned to that bat channel.


(1) Okay so when it’s a business emergency or an event with announcements that’s when twitter makes some sense, but the rest of the time if you want to know what I’m doing right NOW(2), we have an attention deficit problem on our hands.  California on 1/1 has even banned text messaging during driving due to the hazard it causes. 


(2) On a train to LA to spend New Year’s with Friends.

Y2k9 bug

As one comment on the post says… all 6 Zune users impacted…


Yup dead as a doornail.


http://gizmodo.com/5121311/reports-30gb-zunes-failing-everywhere-all-at-once


Status:

Customers with 30gb Zune devices may experience issues when booting their Zune hardware.  We’re aware of the problem and are working to correct it.  Sorry for the inconvenience, and thanks for your patience!

Self signed certs better?

Indy has a comment that self signed certs are now “more secure” than third party ones.


http://msmvps.com/blogs/bradley/archive/2008/12/30/the-sky-is-only-partially-falling-today.aspx#comments


I disagree.  Why?  Because we’re training our end users to blindly click on certificates.  So are you going to sit down with folks and tell them to go ahead and examine each time they use a self signed cert?  I don’t think you will, but that’s what we’ll need to ask someone.  Can they trust the certificate chain all the way back?  Can you train them on what to look for in bad certificates?  Granted our best mitigation is to train users to be more paranoid and not blindly click in general.


“Most attacks will probably still use bad certificates and ask the user to click ‘ok’ to accept the bad certificate.”


http://isc.sans.org/diary.html?storyid=5590



Can we just chuck them out the door?

So in reading this blog post http://blogs.technet.com/swi/archive/2008/12/30/information-regarding-md5-collisions-problem.aspx before this one http://blogs.technet.com/msrc/archive/2008/12/30/information-on-microsoft-security-advisory-961509.aspx one got the impression that all MD5 based certificates are bad and should be chucked out the window.


Cool we can do that, open up that MMC snap in and TAKE THAT you potentially rogue certs!


1. Add the Certificates snap-in to the Microsoft Management Console.

a. Click the Start button, click Run, type mmc, and click OK.
b. Click the File menu, and select Add/Remove Snap-in.
c. Click the Add button, then select the Certificates snap-in and click Add
d. Select Computer Account and click Next
e. Click Finish.
f. Click Close.
g. Click OK.

2. Expand Certificates (Local Computer).
3. Expand Trusted Root Certification Authorities.
4. Click on Certificates.
5. Backup and then delete trusted root certificates that you are not using in your environment.


So we can use this process to also look at EVERY root cert in our trusted store and chuck out the door any cert that is based on MD5 right?



But hang on, not so fast.  Some of those certificates are Microsoft ones and in fact, per “Trusted root certificates that are required by Windows Server 2008, by Windows Vista, by Windows Server 2003, by Windows XP, and by Windows 2000” (http://support.microsoft.com/default.aspx?scid=kb;EN-US;293781), there are a couple of key certificates that one shouldn’t export and delete even though they are MD5 based:



That one, in fact, happens to be an MD5 based cert.



But what does that mean?



For this particular certificate it means that any new certificates signed by Microsoft with an MD5 hash would be suspect, but they don’t sign today’s certificates with MD5 anymore.

It means that the attack is still very much in the theoretical, not the actual sky-is-falling, realm.  It still means that we do need to train people to not blindly click on certificate errors.  And if you don’t understand the full impact, ask smarter people than you, like I did, to explain it in more detail.



The Sky is only partially falling today


So for everyone concerned, the sky is only partially falling today.  If you’ve been reading the security news, you’ve probably seen the links to


http://www.win.tue.nl/hashclash/rogue-ca/ and to http://www.phreedom.org/research/rogue-ca/md5-collisions-1.0.ppt and to http://www.microsoft.com/technet/security/advisory/961509.mspx and to http://blogs.technet.com/msrc/archive/2008/12/30/information-on-microsoft-security-advisory-961509.aspx and finally to http://blogs.technet.com/swi/archive/2008/12/30/information-regarding-md5-collisions-problem.aspx


So what are the best mitigations?  Firstly, normal GoDaddy certs are indeed based on SHA-1 and not MD5.



Next, train folks to stop at bad or broken SSL certs.  Yes, that means buying third party certs for your SBS boxes and not using self signed.


On a related note, one of my pet peeves (and one of Darryl Roberts’) is when you install an update to the root certificates on your server and then it throws off an Event 36885 Schannel error in your event logs.  The ‘fix’ is to tell you to remove those certificates you don’t need.  Okay..but…. which ones?  There are 219 of ‘em, which ones do I not need?



Interestingly enough, certs number 5 and 6 in that view are based on MD5, and given that I live in Fresno, not France, methinks I’ll back those up and export them out since they are based on MD5 anyway.
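Rather than reading through 219 roots in the MMC view to find the MD5 ones, here is an added PowerShell example (not from the original post and not Microsoft’s code) that does the same job as the snap-in procedure above: it counts the Local Computer Trusted Root store, backs up every root whose signature algorithm is MD5 as a .cer file, and removes one only when the $removeAfterBackup switch is deliberately set. The backup folder path is a constructed value; the Cert: drive and the X509Store calls are standard PowerShell/.NET.

```powershell
# Added example, not code from the original post or from Microsoft.
# Counts the Local Computer Trusted Root store (a very long list is what
# feeds Schannel event 36885), backs up each MD5-signed root, and removes
# it only if asked. Assumes PowerShell 2.0+ on Vista/2008 or later, run
# from an elevated prompt.
$backupDir         = 'C:\CertBackup'   # constructed path for this example
$removeAfterBackup = $false            # flip to $true only after reviewing the list

$roots = @(Get-ChildItem 'Cert:\LocalMachine\Root')
Write-Output ("Trusted roots in the store: {0}" -f $roots.Count)

# SignatureAlgorithm.FriendlyName reads e.g. 'md5RSA', 'sha1RSA' or 'sha256RSA'.
$md5Roots = @($roots | Where-Object { $_.SignatureAlgorithm.FriendlyName -like 'md5*' })
Write-Output ("Roots signed with MD5: {0}" -f $md5Roots.Count)

if ($md5Roots.Count -gt 0 -and -not (Test-Path $backupDir)) {
    New-Item -ItemType Directory -Path $backupDir | Out-Null
}

foreach ($cert in $md5Roots) {
    # Export the public certificate (DER .cer) so it can be re-imported
    # later through the MMC snap-in or certutil if something breaks.
    $file  = Join-Path $backupDir ($cert.Thumbprint + '.cer')
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($file, $bytes)
    Write-Output ("{0} | expires {1:yyyy-MM-dd} | backed up to {2}" -f $cert.Subject, $cert.NotAfter, $file)

    # A root is trusted because it sits in this store, not because its own
    # self-signature verifies, so an MD5 self-signature by itself does not
    # make the root forgeable; the rogue-CA risk comes from a CA that still
    # issues MD5-signed certificates. Check KB 293781 before removing
    # anything Windows itself needs.
    if ($removeAfterBackup) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        $store.Remove($cert)
        $store.Close()
        Write-Output ("Removed {0}" -f $cert.Thumbprint)
    }
}
```

Run it once with the switch left at $false to get the inventory and the backups, then decide per certificate whether it is safe to remove.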


But if you are seeing the Schannel issue…


Windows Event ID 36885 from Schannel:
http://www.eventid.net/display.asp?eventid=36885&eventno=8846&source=Schannel&phase=1


Darryl reported that this hotfix (which isn’t just for IAS servers but any server) will allow that repository to increase as it should to hold the proper root certs.


Clients cannot make connections if you require client certificates on a Web site or if you use IAS in Windows Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;933430

Hey! He knew what I was talking about!

Microsoft SMB Community Blog : Part numbers for the SBS SA benefits media kits you need from my earlier post:
http://blogs.msdn.com/mssmallbiz/archive/2008/12/09/9188009.aspx
Microsoft SMB Community Blog : How do we get the SBS Software Assurance benefits such as: Outlook 2007, Entourage 2008, ISA 2006 + additional Windows Server 2003, and Office SharePoint Designer 2007 now that SBS 2008 is out?:
http://blogs.msdn.com/mssmallbiz/archive/2008/12/05/9180289.aspx


I called 866-324-7110.  The person on the other end of the line knew what I was talking about.  Hooray!  So far so good in the saga of obtaining Software assurance benefits.


I’ll keep you posted when I get the SA media of 2k3/Outlook/SharePoint Designer/ISA 2006.

It’s really December, not June

Downloadable documentation for Windows Small Business Server 2008:
http://technet.microsoft.com/en-us/library/cc707659.aspx


Regardless of what the dates say on the page…


The downloadable migration documents are actually December not June documents.


http://technet.microsoft.com/en-us/library/cc707659.aspx



Ensure you download them from there and disregard the “June” updated date.