Monthly Archives: May 2009

Holodeck a la Google

El desarrollo de la computación ha sido impresionante, desde la mitad del siglo pasado. Mucho de su avance se debió, en aquellos años, a la inversión en investigación de EE.UU. durante la guerra fría. Uno de los ámbitos donde hubo mucha investigación fue en la simulación gráfica. Recuerdo las primeros pasos de Sutherland y cía, en la creación de escenarios en tres dimensiones.

Hoy, la investigación también debe tener un componente gubernamental, pero veo más iniciativa privada. Cualquier avance puede llegar hoy a un mercado global, y eso permite que la investigación y desarrollo “se financie” con la expectativa de recupero de la inversión.

Una de las empresas con mayor compromiso con la investigación es Google. Y en el evento Google I/O (donde también presentó Wave, que merecería un post aparte), mostró a su aparato a la Holodeck de Star Trek, pueden ver fotos en

Google Holodeck: StreetView In 360 Degrees


Bueno, no será todavía como el de la Enterprise, pero algo es algo.

Pero es impresionante cómo algoritmos, hardware, software han ido avanzando, desde aquellas primeras pantallas con escenas de “alambre” en 3D, a estos resultados. Parece que es sólo cuestión de potencia de cálculo el alcanzar mejores resultados.

Bueno, un enlace de postre, para los que les gusta la ciencia ficción:

Where I Write – Main Page

Nos leemos!

Angel “Java” Lopez

One person’s bsod does not mean that all of us will get bsod’s

While I’m a person who recommends that you don’t have to be first to install a Service pack, lately I’ve seen a little bit of a disturbing trend where someone will get a bad install or a BSOD and they will roll back to pre service pack without doing more investigation.

First some rules when it comes to the worse case scenerio of a BSOD.  That to me is not necessarily the worse thing you can happen to your system.  Worst case is that the system doesn’t boot and provides no clues at all.  A BSOD with a dump file left on the box means that you can debug what freaked out the system.  A BSOD on one system doesn’t mean that you’ll get a BSOD on another system.

BSOD’s 99.999999999% of the time are a third party driver.  Firing up the debugger and running it more often than not will point you in the right direction of what needs to be tracked down.

Do take a backup.

Do plan.

Do consider a Service pack a time that you need to also update the bios on the server, the nic drivers and in general look over the other “stuff” of a server that may need updating.

Don’t willy nilly install it without planning.  But one person’s story of a bad or failed install may not be indicative of the experience you have.  Not all servers are alike.  Not all systems have the same drivers.

So a story about one person’s incident may not be signs of across the board issues.

Microsoft URL Rewrite Module 1.1 For IIS 7 To The Rescue

We are migrating the PontoNetPT community from an old .TEXT version to the latest Community Server (CS).

Because PontoNetPT has nearly 200 blogs with I don’t know how any posts, commentaries, trackbacks, etc., we are using the Community Server REST API.

The problem with using this API is that it doesn’t create the folder that CS can be configured to create with a default.aspx file for each blog created using it’s web site administration.

The importance of this folder and file is for IIS to be able to handle the requests http://<your community>/blogs/<your blog> or http://<your community>/blogs/<your blog>/ as if was a request to http://<your community>/blogs/<your blog>/default.aspx.

Fortunately, we are running on Windows 2008 and IIS 7 and all it took was to install the Microsoft URL Rewrite Module 1.1 For IIS 7 and configure it:

        <rule name="Add Default.aspx to blog root URLs" stopProcessing="false">
          <match url="^blogs/([^/]*)(/?)$" />
          <action type="Rewrite" url="blogs/{R:1}/Default.aspx" />

More on optimization, HTTP 304s etc. – a solution?

In my last post Optimization, BLOB caching and HTTP 304s, I did a fairly lengthy walk-through on an issue I’d experienced with SharePoint publishing sites. A few people commented, mainly saying they’d noticed the same thing, but there have been further developments and findings I wanted to share!

Quick recap

Under certain circumstances some files in SharePoint are always re-requested by the browser despite being present in the browser cache (“Temporary internet files”). Specifically this is observed for files stored in the Style Library and Master Page Gallery, for anonymous users. Although SharePoint responds with a HTTP 304 to say the cached file can indeed be used (as opposed to sending the file itself again), we effectively have an unnecessary round-trip to the server for each file – and there could be many such files when all the page’s images/CSS/JS files are considered. This extra network traffic can have a tangible impact on site performance, and this is magnified if the user is geographically far away from the server.

A solution?

Waldek and I have been tossing a few development matters around recently over e-mail, and he was curious enough to investigate this issue for himself. After reproducing it and playing around for some time, Waldek discovered that flushing the disk-based cache seems to cause a change in behaviour – or in layman’s terms, fixes everything. To be more specific, we’re assuming it’s a flush of the BLOB cache which is having the affect – in both Waldek’s test and my subsequent validation, the object cache was also flushed as well:


After the OK button is hit on this page, the problem seems to go away completely, so now when the page is accessed now for the first time as an anonymous user, the correct ‘max-age’ header is added to the files (as per the BLOB cache declaration in web.config) – contrast the ‘max-age=86400’ header on the Style Library files with what I documented in my last post:


This means that on subsequent requests, the Style Library files are served directly from the browser cache with no 304 round-trip:


This is great news, as it means the issue I described is essentially a non-issue, and there is therefore no performance penalty for storing files in the publishing Style Library.

So what gives?

I’m now wondering if this is just a ‘gotcha’ with BLOB caching and publishing sites. I know other people have run into the original issue due to the comments on my previous post, and interestingly enough one poster said they use reverse proxy techniques specifically to deal with this issue. Could it really be that everybody who sees this behaviour just didn’t flush the BLOB cache somewhere along the way, when it’s actually a required step? Or is the testing that Waldek and I did flawed in some way? Or indeed, was my initial investigation flawed despite the fact others reported the same issue?

I am interested to hear from you on this – if you can reproduce the problem I’ve described with a publishing site you’ve developed, does flushing the BLOB cache solve it for you as described here? Leave a comment and let us know!

Good work Waldek :-)

[OpsMgr] DB Grooming – How it works

I came across this post on Steve Rachui's Manageability blog – ConfigMgr/OpsMgr : “ A while back I wrote up a blog post on how grooming works for the OpsMgr DB and the warehouse…(read more

Phishers Try MSN Worms to steal credentials

At the University of Alabama at Birmingham our Computer Forensics students are working on a large number of spam and phishing related projects. One of those includes tracking the Fast Flux nodes related to various botnets. As I was meeting with one of the students this week to talk about a particular phishing botnet we noticed that the hosts were doing something that seemed to be related to MSN.

In this particular botnet, computers take turns hosting the phishing websites for various banks. For instance at the end of this week, the botnet was hosting phishing sites like these:

or these:

or these:

or these:

The phishers are still doing that, of course, but as we were exploring the IP addresses being used by the botnet for hosting these phishing sites (more than 250 of them since Thursday afternoon), we found some domains that didn’t fit this pattern.

First we checked out the WHOIS information . . .

Registered May 15, 2009 at XIN NET Technologies . . .

Using the nameserver NS1.MY-CHEERFUL-DNS.COM

And oh, look! Our old friend Pan Wei Wei!

Organization : Pan Wei wei
Name : Pan Wei wei
Address : BaoChun Rd. 27, No. 3, 1F, Apt. 1903
City : Bejing
Province/State : Beijing
Country : CN
Postal Code : 100176

Pan Wei Wei has been involved with this particular botnet since at least October, as others have noticed as well. For instance, see Dancho Danchev’s blog entry from December. Dancho follows the popular trend of wrongly calling this the “Rock Phisher”, but that’s a common misperception, and he certainly ACTS like the Rock phisher. We prefer the term “Rock-Like”, but that’s not the point here. Dancho and many others have good evidence on this guy.

Pan Wei Wei used to prefer his gmail address – or – but apparently he no longer uses those.

After Googling around a bit and checking the UAB Spam Data Mine, we find that this domain is not being used in spammed email, but is rather being used in an MSN message worm.

Messages are received such as:

damn, saw naked pics of yours or maybe the one in pic is similar to you …. crazy lol


phewww +o( unbelivable, is that you??? who ever is it…is really similar to you lol …

The criminal needs to update his graphics on this one. What’s supposed to happen here is that a graphic is displayed from one of several random ImageShack locations. Above the image are the words:

Click on the image to download the party pictures gallery…
(Click Open or Run when prompted.)

Clicking on the image will actually run this file:

Which causes you to download this file:


File size: 31745 bytes
MD5 : fa0e304fa4c11a89a2345e009ecebf1c

The detection of this file as a virus is actually quite high. 34 out of 40 anti-virus tools now detect this malware, including Microsoft who labels the malware

Microsoft 1.4701 2009.06.01 VirTool:Win32/Obfuscator.FI

Virus Total Analysis here

The next interesting looking website was

A WhoIs check confirms that this domain was also created by Pan Wei Wei, although this is more recent – with a created date of May 28, 2009. It also uses the nameserver NS1.MY-CHEERFUL-DNS.COM (and NS2, NS3, NS4).

This one is a much clearer phishing attempt. Here we are asked right at the beginning to provide our MSN userid and password in order to view the 35 pictures in our Private Gallery.

Userids and passwords are checked immediately. If you provide fake data, you get “invalid login! please try again…”

If you provide real data, someone will need to tell me what it does, because I don’t have an MSN account that I would like to share with the criminals.

It was interesting to me that although they chose to host this site on a botnet, where each computer on the botnet is a potential host to help them anonymize the source, they chose to hard code an IP address of their stylesheets and javascript programs:

There are two domain names associated with that IP address:


I wonder if those might be similar scams?

Given that they were also both registered by Pan Wei Wei using XIN NET TECHNOLOGY as the registrar, I feel that it might be a safe bet. was registered March 15, 2009. was registered April 24, 2009.

The last interesting domain we are seeing on this botnet is:

Registered May 26, 2009 by Pan Wei Wei on XIN NET TECHNOLOGY using Name Servers NS1.MY-CHEERFUL-DNS.COM (and NS2, NS3, NS4)

We found a post about this one from Steve Swift at on a Vista Forum.

Steve had received a new email from Haris_Sheikh, which he knew because he had a link sent to him from an offline colleague:

You have received (1) new email from haris_sheikh.

Clicking on the link gave him a “System Notice” that read like this:

Your Live Account is about to get expired. For further details please visit,

If you’ve been a victim of any of these type of frauds, you may have bigger problems than you know. We’ve seen hotmail and accounts used to try to scam the friends who send you email (see our blog article on Traveler Scams.)

For some of them, changing your password might help —

For other support on your hotmail or emails you can visit:

To report possible fraud on your account, you can usethis reporting form.

For others, you probably have malware running on your computer which is being used to send spam and steal your passwords!

Notes from the Seattle SBS build day

Listening to the gang in Seattle at the SBS build day and found a “I didn’t know that” tidbit in Tyler’s slide deck:

If you use group policy preferences to map drives AND the vista workstations are local admins still, the mapped drives won’t ‘take’ unless you put in this registry key.  This key, aka the enable linked connections (that Chad’s blogged about as well) will only impact you when your Vista’s are local admins.

Create EnableLinkedConnections DWORD registry key:
HK_LMSoftwareMicrosoftWindowsCurrent VersionPoliciesSystemEnableLinkedConnections = 1

Drive Mapping via Group Policy Preferences not working for Vista clients – Aimless Ramblings from a Blithering Lunatic . . .:

Some other key take aways that I talked about:

Tattoo this blog post to your forehead:
The Official SBS Blog : SBS 2008 Migrations from SBS 2003 – Keys to Success:

Don’t install a patch that needs WGA UNTIL you’ve put the proper key in the box:
MPECS Inc. Blog: Ack! SBS 2008 Not Genuine!:

Philip’s Checklist:
MPECS Inc. Blog: SBS 2008 Setup Checklist V1.2.0:

This not fixed in Win2k3 sp2:
The Official SBS Blog : Cannot resolve names in certain top level domains like

This is included in Win2k8 sp2 so if you install SP2 you’ll get this needed fix
New AFD connections fail when software that uses TDI drivers is installed on a Windows Server 2008 or Windows Vista SP1 system that is running on a computer that has multiple processors:;en-us;961775


Unable to publish test results from Visual Studio to TFS

Error message similar to:

username@servername (mailto:username@servername) 2008-10-13 2:21:50          0.28 MB            10/13/2008 3:19:14 PM    Failed    Access to the path ‘\DropFolderBuildname_20080723.3TestResultsfd8883e0-2153-44c6-8671-6d6db460c4a8uesrname 2008-10-13 _02_21.trx’ is denied.

Cause: Permission issue

A Workaround can be found in the KB article 958726.

What are Test Name, Test Id, and Test Path used for?

If you create a work item out of a test result like this…

Rightclick test result > Create Work Item

… the three test fields get populated by Visual Studio:

Test Name, Test Id and Test Path point to the originating test

Read all details here:

Re. Windows FAQ (the previous article)

If you didn’t like what I said, or you think that I was nitpicking, consider this. Many PC users have been running XP since it was introduced. I know that there was some resistance at first because it looked different and stuff had been moved about, BUT everything ‘Windows’ was there. A five year active life is a long time for an operating system, long enough for users to get stuck in a rut, perhaps.

When Vista came along, it should have taken all that XP was and run ahead with it. Vista was everything that XP was and more; more security, more features, more stuff moved around, more problems. Hardware incompatibility was not the most prominent of the problems. Bulk and crippling performance topped the list. In actual fact, Vista performance is nothing like as bad as it was, what with the patches and fixes which have filtered through Windows Update, but the bulk and some of the glitches remain.

PC users will have had a further two years of XP up to the point where Windows 7 is released, and first impressions are going to count. The five points I stated are what XP users are first NOT going to see. Many are going to think ‘uh oh, Vista Mk 2’ and reel back quickly.

Windows 7 will have its big opening day very soon and access to the lot is fast, but where are the doors which will let users in? Presently, the only way in is through a small window.

Recent Comments