Tuesday, June 30, 2009

VMWare Server 2 on Gentoo

The ebuild for VMWare Server 2 is (finally) in the main portage tree on Gentoo. I've been running app-emulation/vmware-server-2.0.1.156745 via the layman overlay for several months now without issues, but I'm happy to see this going more mainstream on my Linux distro of choice. The new version is app-emulation/vmware-server-2.0.1.156745-r1. The changelog seems to indicate that if you didn't have the latest via layman, you would have seen this package a couple of weeks ago.

This package is (of course) still masked, so to get this package you have to have app-emulation/vmware-server and app-emulation/vmware-modules in your /etc/portage/package.keywords file (like so, or with the appropriate arch tag):

app-emulation/vmware-server
app-emulation/vmware-modules

The upgrade was relatively painless via:

emerge -Du world

However, I did an (as instructed, but possibly cargo-cult) run of:

/opt/vmware/server/bin/vmware-config.pl

immediately after the install. I don't know if it was needed. But because I had not stopped the vmware services prior to the upgrade, I could not successfully stop them now, and had to reboot in order to successfully run vmware-config.pl.
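As an added example (not from the original post), here is a POSIX shell script that performs the steps above in the order that would have avoided the reboot: add the two package.keywords entries idempotently, stop the VMware service before emerging, then run vmware-config.pl. The init script name /etc/init.d/vmware and the overridable KEYWORDS_FILE variable are assumptions, not something the post states.

```shell
#!/bin/sh
# Added example: upgrade vmware-server on Gentoo without the reboot the post
# needed. Assumes the Gentoo init script is /etc/init.d/vmware (assumption) and
# lets the keywords file be overridden so the helpers can be exercised on a
# scratch file.
KEYWORDS_FILE="${KEYWORDS_FILE:-/etc/portage/package.keywords}"

# has_keyword FILE ATOM: true if some line's first field is ATOM, so an entry
# that already carries an arch tag ("app-emulation/vmware-server ~amd64") counts.
has_keyword() {
    [ -f "$1" ] && awk -v a="$2" '$1 == a { found = 1 } END { exit !found }' "$1"
}

# count_keyword FILE ATOM: number of lines whose first field is ATOM (0 if the
# file is missing); used to confirm ensure_keyword never duplicates an entry.
count_keyword() {
    [ -f "$1" ] || { echo 0; return; }
    awk -v a="$2" '$1 == a { n++ } END { print n + 0 }' "$1"
}

# ensure_keyword FILE ATOM: append ATOM (no arch tag, as in the post) unless an
# entry for that atom is already present.
ensure_keyword() {
    if ! has_keyword "$1" "$2"; then
        printf '%s\n' "$2" >> "$1"
    fi
}

# upgrade_vmware: unmask both atoms, stop the running service first (skipping
# this is what forced the reboot), pull in the -r1 ebuild, then reconfigure.
upgrade_vmware() {
    ensure_keyword "$KEYWORDS_FILE" app-emulation/vmware-server
    ensure_keyword "$KEYWORDS_FILE" app-emulation/vmware-modules
    /etc/init.d/vmware stop || return 1      # assumed init script name
    emerge -Du world || return 1
    /opt/vmware/server/bin/vmware-config.pl
}

# Only perform the real upgrade when explicitly asked: ./upgrade-vmware.sh run
case "${1:-}" in
    run) upgrade_vmware ;;
esac
```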

If you still want to run the version via layman, or want to stay on the bleeding edge when the next version comes out, I worked from the directions here and here.

Tuesday, June 23, 2009

Résumé Mistakes

When applying for a job in IT/IS or really anywhere technical, don't lie or exaggerate on your résumé. Skilled people will find out and you will likely not get the job. Or worse, you will get a job that you are not qualified to do and from which you may ultimately get fired, thereby ruining your career, your reputation, and possibly your life.

Quite frankly, it's better to underplay your skills and impress people than to exaggerate and disappoint.

My favourite memory of this is a long stream of candidates answering job postings which specified "experience with Unix and Linux systems" in the required skills. If you are going to put "extensive experience with Unix and Linux" on your résumé, then you should, at the very, very least, be able to name at least one Unix variant.

And "uhhhh..... Red Hat?" doesn't count.

Principle of Least Astonishment - Fail

I've been thinking a lot about design lately. Mostly because I'm entering the design phase of my thesis and I've been reviewing the better chapters of Richardson & Ruby's "RESTful Web Services" and other material. But beyond web services, I've been thinking about "good design" and "bad design" as general principles. I really appreciate it when I encounter a system or service (in the real world or online) and I can come away with a sense that I have just experienced the benefits of good design. Just as strongly, encountering poorly designed systems really leaves a sour taste in my mouth.

I won't do business with a company that has what I consider to be a poorly designed or poorly implemented web presence. Just my choice. I'd prefer to support good design by directing my business to organizations that, at the very least, share my aesthetic for design principles. I realize this is often a subjective evaluation and I'm not apologizing for it. But I think certain aspects of design can be widely recognized as very poor, outside of any aesthetic tastes.

The example I have in mind is the system at my local library. Now don't get me wrong, I love my local library and have a tremendous respect for libraries in general. But across my city, the library has rolled out a self service checkout system which badly violates the principle of least astonishment. I'm a pretty tech savvy person. I love to figure out new systems. But I end up misstepping every time I try to check out library materials. And I'm not the only one. As far as I have seen, everyone stumbles with this system because it combines familiar interfaces with unfamiliar uses.

The system works like this: there is a bar code reader, a touch screen interface, and a glass plate. The expected use case appears to be: scan the card in the bar code reader, then touch the screen to confirm that the card read was correct, place items on the glass plate where they are identified "magically" (magnetic strip?), confirm the items are correct, once all the items are scanned confirm that you are done, your "receipt" prints out and you leave. Sounds good, right?

Well, it doesn't quite work out. This system is actually replacing another self serve system that was entirely bar code driven. I don't know why they ditched the other system. It worked fine, as far as I could see, and all library materials, including new materials already have a library issued bar code sticker. People are familiar with bar code readers, everyone in the western world has had a lifetime of barcode training by watching items be scanned in at the checkout, and by now most people have experienced self serve checkouts where you scan your own. So what's the first thing that everyone does when checking out books? They hold them up to the bar code reader! When that doesn't work, they try to swipe the barcode over the glass plate and place it aside, which results in the item appearing then disappearing from the confirmation touchscreen.

So what happens? People are generally capable of figuring this out and they learn, right? Nope. Doesn't seem to happen for two reasons: 1) Inevitably the helpful librarians who have been hovering inches away now swoop in and do it for you, oblivious to all protests and completely negating the value of self service checkout; and, 2) Weak technology. The scan plate is touchy, too many items on it and it gets confused - four items is okay, five sometimes, but a sixth item inevitably causes it to decide that only three are on the plate and all must be removed and the process restarted. The bar code reader requires that the library card be placed on the desk for it to work; the natural behaviour of holding it up to the reader fails. And the touch screen is unclear about where to press and when and how many times (in fact, it requires an unprompted, second press of "No" at the end of the process for it to ever conclude the session).

At the end of the day, it's not a big deal. No one dies. Everyone gets their items. People will eventually adjust and the technology can be upgraded to remediate some of the touchiness at the cost of only a few hundred thousand dollars more spending in a city with multi-billion dollar deficits. But it irks me. And I think it illustrates something that all designers should take as a lesson: understand the expectations of your users and work with them. It will be to your benefit and theirs.

Wednesday, June 17, 2009

2010, the year of Vista?

Sigh. I guess I should make good on my stated intent to write about things that annoy me and/or interesting technology, or failing that technology that annoys me. So on that note I've got something to say about Windows Vista. Yes, I am aware that it is no longer 2007 and no one cares about Vista anymore. Windows 7 is in RC with a slated RTM date of late October 2009. Vista is old news for everyone, except me.

When Vista came out I took one look at UAC, read a few articles about how slow it was, and swore never to use the OS. I figuratively pulled the blankie of corporate hardware and licensing over my head. At the time I had an employer supplied Thinkpad running XP that no one had ever got around to putting on the domain and a pretty kick-ass corporate desktop running Gentoo x64. I was happy with what I had and all I knew about Vista was that I didn't like it.

That was then. Now I'm on my own without the luxury of someone else paying for volume license keys. I had to buy my own laptop and live with the available OEM options. Sure, I could drop the MSFT products and run Linux; I have no problem with Linux on the desktop and for the most part I can live without MS Office. I could do that, but can I afford to? I'm running my own business; I can't afford to have technology problems which might interfere with my ability to work. Specifically, I need to be able to run IDA. I asked around and was warned I'd spend more time fighting with WINE than reversing, and I can't afford to fiddle with settings and hope it works. Forage Security's second computer will run Gentoo, but for better or for worse I'm now a Vista x64 Business Edition user. And you know what? It's not that bad.

I'm running SP2, UAC is enabled, aside from the perplexing and pointless relabeling of familiar control panel items, the experience (no pun intended) is much like that of XP, only smoother. Maybe it's the visual effects. Only problem so far has been that SSLTunnel doesn't seem to be supported on x64 and I don't have the expertise (or the time) to port the driver files. Oh well.

If you're still reading, you may be wondering if all this rambling about Vista being "not that bad" has a point. It actually does. I was at my bank the other day and couldn't help but notice that all the tellers' machines were running Windows 2000. Fine and dandy for them, I'm sure, but last time I checked extended support for Windows 2000 is expected to cease July 13, 2010. That means just over a year from now there will be no more publicly available security patches and it's way past time to retire those boxes.

Nevertheless, a large enterprise can afford and may choose to pay for continued support even after the end of generally available extended support. But let's face it, the end is nigh for one of the most popular operating systems in history. Now, if you're a "for-real" cyber criminal and you are sitting on a remotely exploitable buffer overflow in Windows 2000, what do you do? Exploit it now and see it patched within a couple of months? Probably. MS08-067 showed that even when the patch is available, hundreds of thousands of systems can still be compromised. But maybe you'll wait until July 14, 2010, knowing that most of the people still running 2K at that time will never see a patch. I guess you'd do whatever seemed the most profitable, I don't know which way that is.

On the other side, if you're running the IT department of a Fortune 500 company, and you've (hopefully, finally) just finished migrating all your NT4 hosts to Server 2003 and are now faced with the costly prospect of an even larger migration of Server and Desktop 2000 hosts... what do you do? Well, look at the timing, it's obvious that this has occurred to MSFT too. Windows 7 promises to improve on the lessons learned with Vista, but there is not going to be a Windows 7 Server; instead we'll get Windows Server 2008 R2 at about the same time Windows 7 hits the streets. All of this before 2K expires.

But is it soon enough? By now, IT departments have learned to wait for SP1. And quite frankly, 9 months isn't long enough for a major organization to adopt a new desktop operating system. Those with a lot of foresight are already testing their applications with the release candidate and training their users. Those that haven't started yet will probably take a long hard look at the matured Vista SP2 offering for their desktops.

Welcome to the Forage Security Blog

So... I'm blogging. And not only am I blogging, I'm blogging from the international departures lounge of LaGuardia airport in NY, NY whilst awaiting my now-delayed-by-more-than-an-hour flight home from my first ever business trip. How exciting. So what if I'm about eight years late to the blogging party? At the pace at which I'm adopting social media technologies you can expect my Twitter feed to launch sometime in 2015 and my Facebook page sometime after the sun has burnt down to a cold dark cinder.

Technically this isn't my "first" ever blog post, but it is TEH FIRST POST!!! (sorry - had to) on this site, the Forage Security blog. I intend to use this blog to talk about things I'm working on and rant about whatever is getting under my skin today. Maybe it'll be therapeutic. What sort of things do I work on? Well, as the title might have suggested to you, this blog will largely be about IT security. I've spent the last three and a third years as a researcher for a major North American vulnerability and configuration management company. That's where I did what little previous blogging I have done. It wasn't much. Forage Security is my new gig. I'm trying to go it alone as an independent security researcher and security consultant, wish me luck - I'll need it.

IT Security is a big field and there are enough interesting things going on in the space to keep a lot of bloggers busy, but it's not the only work I do. I'm also a student in the process of wrapping up my Master's "integration project" (hereafter referred to as "my thesis"). So you can expect this blog to touch on a number of specific topics, including Programming Techniques, Software Engineering, Semantic Web Technologies, Ontologies, Python, Django, RESTful architecture, Virtualization, Gentoo Linux, and whatever else happens to pop into my head on any given day.

Well, my flight seems to finally be boarding, so I'll wrap this up.... or not. Apparently this is a game, where the closer it gets to boarding time, the further back the actual boarding time will be pushed. The latest round featured me getting to T -3 minutes, before the flight was pushed back another hour and a half.

BTW there are flies and ants all over the place in LaGuardia's Terminal B; it's unpleasant.

Sigh.... got within 10 minutes of departure time and they bumped it back another 15. Finally made it out of there more than three hours late.