Ok, the title might sound a little bit cryptic… let me explain.
A few weeks ago I was listening to a podcast that I enjoy called Surface Smiths (www.surfacesmiths.com). It was Episode 11, and the product they were reviewing was called the Microsoft Surface Pro 3 – 4 In 1 USB 3.0 Adapter from Juiced Systems. They had a contest, and all you needed to do to enter was retweet something. I did, and I found out a few days later that I won. I was happy, but I forgot about it… life just gets in the way sometimes.
Life can be rather amusing sometimes… Just Friday I was lamenting that I was going away for a few days, and I would only have my Surface Pro 3 with its single USB port because I was not bringing a docking station with me. And then when I got home, what was in my mailbox, but a package containing the prize – a 4-in-1 adapter that is custom fitted to the Surface Pro 3. It has two USB 3.0 ports, an SD Card reader (Great because I take a lot of pictures), and a Micro-SD Card reader (Great to transfer files to and from my HP Pro Tablet 408 which I use for videos).
The best part of it all is that it does not interfere with any of the other ports on my device. This was something I was worried about, because the USB port and the Mini-Display Port are so close to each other. While that means nothing to me on a short trip like this one, when I go to Japan later in the month it will be crucial.
So I got to my hotel room in Ottawa Monday afternoon, and I was really excited about the new add-on to my Laptop Kit. However the excitement had little to do with the USB ports… Seldom do I travel with a bunch of USB devices when I am only gone for a few days. Not only did I spend the weekend in Montreal taking pictures, but Sunday night was also the Super Moon Eclipse. So I got some great pictures, and I was thrilled that rather than having to transfer them onto a USB key from another computer, I could just plug my SanDisk SD Card into my Surface directly using the new Juiced Systems adapter!
The device retails for $29.50, so it was not a major prize… but it was one worth having for sure!
Just so that you can all see what gets me so excited, here are a few of my pictures from Sunday. If you think getting close up to butterflies is easy, or that shooting a Lunar Eclipse is simple, I challenge you to show me what you can do!
Butterflies on Mount Royal
Butterflies on Mount Royal
Ducks on the Pond in Beaver Lake, Mount Royal
St. Joseph’s Oratory, from Beaver Lake, Mount Royal
Minute 62 of the Lunar Eclipse (10:23pm) from Westmount Lookout
(Note: All pictures taken with a Nikon D5200 camera with a 70-300mm VR lens. Night time pictures also used a Nikon SpeedLight SB-700 flash)
A few weeks ago I wrote about how I started using a password vault. Some of my keener observers noted that I did not mention which one I chose, and that was not an oversight. I am not an expert in the technology, and unlike many of the products and solutions I have reviewed over the years, usability is not the primary factor in selecting a password vault, and I am not qualified to evaluate how well any of them secure your passwords. However with regard to usability, I would like to talk about some changes I have made in how I work, and how it has affected me.
1) Completely Randomized Passwords
Over the course of my time in IT I have heard myriad complaints from users who did not like having to remember complex passwords, and liked even less having to change them every so often. I gave them a lot of advice on how to choose, remember, and cycle their passwords, but no matter how hard I tried, yellow sticky-notes (yes, they come in other colours too) remain the biggest enemy of IT security.
I have used a lot of different passwords over the past fifteen years, but it is rare that I forget one. Why? Because there are probably a dozen ‘series’ of passwords that I have used at any given point. I won’t give any of them away (there is probably some obscure site that I have not logged into in a decade that still has my account with one of these old passwords, and somebody would figure it out). But let’s make up an obscure and completely fictitious password that I could have used:
Four Score and Seven Years Ago, Our Fathers…
The opening words of the Gettysburg Address. It is easy enough to remember… nine words. If I were to take the first letter of each word, and change numbers and booleans into their characters, we would have 4S&7yaof. Upper case, lower case, numbers, and characters. More than eight characters. I just created a password that would pass almost every minimum password requirement algorithm. I would then use that as a password for a dozen sites and applications. Of course, some algorithms insist on starting with a letter, so Fs&7yaof would be similar but completely different. We’re happy.
As I have mentioned before, I maintain a text file of most of the sites I have credentials for, and every few months I go through them all and change my passwords. It takes time and effort, but I have done it. Fortunately, I have always had pretty simple passwords (for me) to remember… because I knew the context. Password Hint? GETTYSBURG.
Now that I am using the password vault, it has a tool that helps me to create long, complex, random passwords that would be completely impossible for someone like me to memorize. However I wouldn’t have to memorize them, because the vault app enters it for me when I need it. So:
Hello1 = BAD
Passw0rd = BAD
Fs&7yaof = Good
L9Gya$(aWPl47+~R2t7*^1> = EXCELLENT!
With passwords like these (and a management app that helps me create, remember, and every few months change them), combined with the fact that every site has a completely different, nearly impossible to remember password, I can sleep better at night knowing that my identity is secure.
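As an added illustration that is not part of the original post, the PowerShell below scores the four passwords above by the brute-force keyspace their length and character classes imply (a generous upper bound, since a password built from a famous quotation is far easier to guess than its character mix suggests), and generates a vault-style random password that satisfies the composition rules mentioned above: mixed case, a digit, a symbol, and a leading letter. Get-KeyspaceBits and New-VaultStylePassword are names chosen for this example.

```powershell
# Added example (not from the original post): keyspace scoring for the post's
# four passwords, plus a vault-style generator for the composition rules above.

function Get-KeyspaceBits {
    param([Parameter(Mandatory)][string]$Password)
    # Alphabet an attacker must search if they only knew which character
    # classes appear. This is an upper bound: 'Fs&7yaof' derives from a famous
    # phrase, so its real guessing cost is far below what the number suggests.
    $alphabet = 0
    if ($Password -cmatch '[a-z]')        { $alphabet += 26 }
    if ($Password -cmatch '[A-Z]')        { $alphabet += 26 }
    if ($Password -match  '[0-9]')        { $alphabet += 10 }
    if ($Password -match  '[^A-Za-z0-9]') { $alphabet += 32 }  # printable ASCII symbols, space excluded
    [math]::Round($Password.Length * [math]::Log($alphabet, 2), 1)
}

function New-VaultStylePassword {
    param([ValidateRange(8, 128)][int]$Length = 23)
    $lower  = 'abcdefghijklmnopqrstuvwxyz'
    $upper  = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    $digit  = '0123456789'
    $symbol = '!"#$%&''()*+,-./:;<=>?@[\]^_`{|}~'
    $all    = $lower + $upper + $digit + $symbol          # 94 printable characters
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()

    # Unbiased pick from a character set: draw 4 random bytes and reject values
    # in the top partial range so that "% length" does not favour low indices.
    $pick = {
        param([string]$set)
        $bytes = New-Object byte[] 4
        $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$set.Length)
        do {
            $rng.GetBytes($bytes)
            $n = [BitConverter]::ToUInt32($bytes, 0)
        } while ($n -ge $limit)
        $set[$n % $set.Length]
    }

    do {
        # First character from letters only (the "must start with a letter" rule).
        $chars  = @(& $pick ($lower + $upper))
        $chars += 1..($Length - 1) | ForEach-Object { & $pick $all }
        $candidate = -join $chars
        # Retry until every class is present; at 23 characters this almost
        # always succeeds on the first attempt.
    } while ($candidate -cnotmatch '[a-z]' -or $candidate -cnotmatch '[A-Z]' -or
             $candidate -notmatch '[0-9]' -or $candidate -notmatch '[^A-Za-z0-9]')
    $candidate
}

# The post's four examples, weakest to strongest, then a fresh vault-style one.
foreach ($pw in 'Hello1', 'Passw0rd', 'Fs&7yaof', 'L9Gya$(aWPl47+~R2t7*^1>') {
    '{0,-25} {1,6} bits' -f $pw, (Get-KeyspaceBits $pw)
}
$generated = New-VaultStylePassword
'{0,-25} {1,6} bits (freshly generated)' -f $generated, (Get-KeyspaceBits $generated)
```

Fs&7yaof scores about 52 bits and the 23-character vault password about 151 bits; the gap, not the character mix, is what the vault buys you.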
The problem is: how am I securing the password vault? Well, that has a couple of answers. Two factor authentication for sure, but that would be different on my phone and on my computer.
2) Multi-Factor Authentication
When I am accessing the vault on my computer, I have to enter my password, and then two-factor authenticate using my Yubikey. On my iPhone I have to a) log on to the phone using either a password or a fingerprint, and b) log in to the application using a different password. It is not ideal, but it is better than nothing… and for my needs, it is just fine.
There are some sites that I use (such as WordPress for my blog) that interact with applications and support Multi-Factor Authentication (MFA). The process for these sites is a bit different:
1) The password vault application (or WordPress) generates a ridiculously long and complex password, and stores it in the vault.
2) The site allows me to create ‘application passwords’ which are for individual applications (and different installations of the same application), which the applications can store.
3) The WordPress app is installed on my phone. When I try to authenticate using either the web or an application, WordPress sends a code to the app on my phone, which asks me if I tried to log on (and from where). I can either Accept, which will allow the logon to proceed, or Reject, which will block the logon.
Other sites, such as Microsoft ID protected sites, allow me to either remember my password, have my password vault application enter the un-rememberable password for me, or have the site generate a one-time code that it sends to my phone by SMS message, so that I can log on with that code.
A few sites and applications, which include my corporate VPN and my health insurance website (not to mention my password vault application), allow me to authenticate using a token, a device that I plug into my computer and then press a button. The device then sends a code to the computer, and authenticates. I will not go into the back-end of this, but it is quite secure from what I understand… as long as it doesn’t get stolen. Of course, for most of the sites that I use it for the Yubikey only works when used in conjunction with a password.
I hope by now I am beyond the ‘forgetting my cell phone’ syndrome… after all, I have been carrying one for the better part of two decades, and knowing that the replacement value of my phone is nearly $1,000 I do my best to have it on me at all times. But what about the Yubikey? I am relatively new to carrying it around, and it is absolutely tiny… about the size of my thumbnail. I have it attached to a little charm that I was given at a bar in Shinagawa (Tokyo). The two combined might weigh a few grams… and I am extremely hopeful that it is more durable than it looks. However here’s the thing… I carry a lot of things in my pockets, and because of that I will, on occasion, take things out that do not have to be there… including on the weekends my card access key for the office, and yes – my Yubikey. Only, there are days (and not a few of them) when I forget my key card at home… and as such, I will often also forget my Yubikey. Fortunately my company still has a secondary VPN that I can use, and as for other sites that require it… well, let’s just say that most of them are not required for me to perform my job.
Oh wait… my password vault requires it. So I had better hope that during the course of my day without my Yubikey I don’t need to access too many sites, because while I can get the passwords off my phone, typing in passwords that look like this: L9Gya$(aWPl47+~R2t7*^1> can be a pain.
4) When all else fails…
I actually had to do this more often when I was using my old password methodology than my new one. Most sites have those helpful ‘Forgot my password’ buttons that will, after asking you a couple of questions, send you a link to reset your password. I used it a lot before, but admit that the only time I used it recently was with my health insurance company… where the password hint was useless, and the ‘Forgot my password’ button told me to call so that they could delete my account and then I could recreate it. Thanks, I’ll wait until I pick my Yubikey up off the night stand.
I wasn’t entirely sure what to expect, but I was hoping the transition to the password vault (and scores of completely different and un-rememberable passwords) would not be too painful. I was not disappointed. I did have to log on to some sites and manually change the passwords, but for others the vault’s app did it for me. I haven’t been locked out of anywhere (YET), and to the best of my knowledge nobody has logged on anywhere as me because they have compromised my data.
The Multi-Factor Authentication (MFA) is great as long as I have my devices with me… and my phone’s battery isn’t dead. Fortunately some of the sites that use it have alternate methods (e-mail me a code?), and fortunately my phone is usually pretty well charged; otherwise I bring a portable charger with me.
Does this new methodology benefit me? Let’s be honest… the world has changed. Twenty years ago I was afraid someone would steal my house keys and would then break into my house and steal my stuff. Today with alarms and cameras that threat is nearly obsolete, but the threat of losing our data and banking information and credibility to hackers is very real, and being able to take steps to prevent it… well, it’s a small price to pay.
On Yom Kippur (the Jewish Day of Atonement) we ask the Lord’s forgiveness for all of our transgressions against Him over the past year. However, the ten days leading up to it (the Days of Awe) are a time when we ask forgiveness of our fellow man (and woman) for all of our transgressions against them (again, over the past year).
In March I had an epiphany. It was the greatest realization, and the most horrible, that I have ever come to. I discovered that most of what I had previously thought was right and acceptable – mostly with regard to behaviours and attitudes – was actually not. I had been brought up a certain way, so how can that be wrong? How can what I learned at my mother’s knee really be so completely anathema to acceptable behaviour? After all, it had worked for her, hadn’t it?
I remember in Torah class, a hundred years ago, learning the Ten Commandments. If you look at the Ten Commandments in any artistic rendering (and as they are described in the Torah) there are two tablets with five commandments each. The first tablet lists our duties toward G-d, and the second tablet lists our duties to people. So why is it that the Fifth Commandment (Honour thy father and thy mother) falls to the first tablet? It is because our parents gave us life; they created us in G-d’s image, and so we must honour them as we honour our Lord.
It will come as no surprise to anyone who met me later in life that as a youngster I was argumentative and questioned everything. Our teachers drilled into us that these Ten Commandments were never to be broken, and to do so would be a terrible sin. So I remember asking one of my Torah teachers at the time ‘what if your parent asks you to do something that breaks one of the other commandments? How can we honour them (and respect that commandment) while violating another of the commandments?’
Ahhh, my teacher said. ‘There is a difference between honour and obey. If your parent tells you to do something wrong, you are actually honouring them by disobeying them. By being right in G-d’s eyes you are bringing honour to them because they raised a good person.’
I don’t know why of all of the Torah lessons I slept through I remembered that one, but it stuck with me.
Of the myriad times I dishonoured and disrespected and disobeyed my parents over the years, this year I did so in a way that was in keeping with the Fifth Commandment. I realized that so many of the things I have done over the years, all of the ways I have mistreated people (family, friends, colleagues, and strangers), all of the terrible things I have said to so many, were just wrong. There were so many people over the years whom I wronged, and it never occurred to me until the last few months that I owed them an apology. I needed to ask their forgiveness before I could ask G-d for His… and I never did, unless it was clear to me at the time to be in my best interests.
The list is daunting; I cannot even begin to think of how many people there have been. Of course, it is also clear to me that in not changing my behaviour twenty years ago I hurt many people a little, but the person I damaged the most was myself. I do not know if I can or will ever forgive myself, but as with all of the others I have hurt, I do ask forgiveness of myself.
Of course, there are a few people that have come to mind over the past few months, and I have reached out to some of them and asked their forgiveness. I will not name anyone here, but there are some people I wish I could reach out to, and some people I have probably forgotten, but would still apologize to given the opportunity. I wish I could apologize to everyone personally, face to face. I wish I could tell them all – no, show them all – that I have changed. Even though it would be too late in many cases to repair the relationships, I wish I could show those people that I have changed, and am working at making even more positive changes.
On this, the eve of Yom Kippur 5776, I would like to ask everyone their forgiveness if I have wronged them. For those who think that this is a half-hearted attempt – doing it in a blog – I will point out that I am opening myself up emotionally to tens of thousands of people, many of whom I have never slighted. I do so because I am truly sorry for who I used to be, and how I used to behave.
לשנה טובה, וגמרו חתימה טובה
Happy New Year to you; may you be inscribed in the Book of Life!
This morning I decided to upgrade my iPhone to iOS 9.0. To be fair, I decided to do it overnight while I was asleep, but the phone seemed to sense this, and decided to keep me company when I slept, and only started to upgrade when I woke up and wanted to use it.
I haven’t done a lot of exploring yet, but I did find a great new application. It is called Find iPhone. It seems to be an application to help you find your lost iPhone… from your iPhone.
I ran it… and sure enough, after asking for permission to access my location services, it showed me where I was.
Of course, that is not all that the application does; from what I can tell, it allows you to play a sound to help you to find the iPhone that is in your hand, it will put the phone into Lost Mode (I don’t even want to speculate what that does), Erase Phone, or yes, it will even give you driving directions… to where you are.
Somebody got paid to develop this.
Don’t get me wrong… I understand all of the functionality, and the benefits of being able to track and lock and remotely wipe your phone. All of these are extremely good ideas. What I would like to know is who thought it was a good idea to develop a local client for this?
One of the benefits of virtualization is that you can segregate your SQL Servers from your other workloads. Why? Because if you don’t, Microsoft SQL Server will hoard every last bit of resources on your machine, leaving scant crumbs for other workloads.
Seriously… when you start the Microsoft SQL Server you will immediately see your memory usage jump through… or more accurately, to the roof. That is because SQL Server is actually designed to take up all of your system’s memory. Actually that is not entirely true… out of the box, Microsoft SQL Server is designed to take up 2TB of RAM, which in all likelihood is a lot more memory than your computer actually has.
So assuming you have been listening to me for all of these years, you are not installing anything else on the same computer as your SQL Server. You are also making sure that the virtual machine that your SQL Server is installed on (remember I told you to make sure to virtualize all of your workloads?) has its memory capped (Hyper-V sets the default Maximum RAM to 64GB). You are doing everything right… so why is SQL performing slowly?
It’s simple really… Your computer does not have 2TB of RAM to give SQL Server… and if it did have 2TB of RAM, the operating system (remember Windows?) still needs some of that. So the fact that SQL wants more than it can have can make it a little… grumpy. Imagine a cranky child throwing a tantrum because he can’t have dessert or whatever.
Fortunately there is an easy fix to this one (unlike the cranky child). What we are going to do is limit the amount of RAM that SQL actually thinks it wants… and when it has everything that it wants, it will stop misbehaving.
1) Determine how much RAM the server on which SQL Server is installed has.
2) Open Microsoft SQL Server Management Studio with administrative credentials.
3) Connect to the database. (If you have multiple SQL databases on the same server, see the note below.)
4) In the navigation pane right-click on the actual SQL Server (the topmost item) and click Properties.
5) In the Server Properties page navigate to Memory
6) Figure out how much 90% of your server’s RAM would be (in megabytes). Use the following equation:
1 GB: 1024 MB × 0.90 = 921.6 MB
8 GB: 1024 MB × 8 = 8192 MB; 8192 MB × 0.90 ≈ 7373 MB
7) In the Maximum server memory (in MB) field type that number, then click OK.
Note: The math we are using here allocates 90% of the total RAM to the SQL Server. In the event that you have multiple SQL Server databases running on the same box, you will have to do a bit of calculating to determine how much each database should use… and that can be a challenge.
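As an added example that is not part of the original post, the PowerShell below carries out steps 1, 6 and 7 from a prompt on the SQL Server host: it reads the machine’s RAM, applies the 90% rule (split evenly if more than one engine shares the box), and writes the same setting the Memory page in Management Studio writes, via sp_configure. It assumes the SqlServer (or legacy SQLPS) module for Invoke-Sqlcmd and a Windows login with sysadmin rights; $Instance and $InstancesOnHost are placeholders for your environment.

```powershell
# Added example (not from the original post): steps 1, 6 and 7 above, scripted.
param(
    [string]$Instance        = 'localhost',  # placeholder, e.g. 'SQL01\INSTANCE1'
    [double]$Fraction        = 0.90,         # the post's 90% rule of thumb
    [int]   $InstancesOnHost = 1             # engines sharing this box; the 90% is split evenly
)

# Step 1: read the RAM the (virtual) machine really has, from inside the guest.
# With Hyper-V dynamic memory this is the current allocation, not the maximum.
$totalBytes = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
$totalMB    = [math]::Floor($totalBytes / 1MB)

# Step 6: 90% of that, in megabytes (8192 MB -> 7373 MB, as in the post),
# divided among the instances on this host.
$maxServerMemoryMB = [math]::Round($totalMB * $Fraction / $InstancesOnHost)
Write-Host ("Host RAM {0} MB -> max server memory {1} MB for {2}" -f $totalMB, $maxServerMemoryMB, $Instance)

# Step 7: 'max server memory (MB)' is an advanced option, so expose it first.
# It is a dynamic setting: RECONFIGURE applies it without a service restart.
$query = @"
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'max server memory (MB)', $maxServerMemoryMB;
RECONFIGURE;
-- Read it back: run_value is what the engine is using right now.
EXEC sp_configure 'max server memory (MB)';
"@

Invoke-Sqlcmd -ServerInstance $Instance -Query $query |
    Format-Table name, config_value, run_value -AutoSize
```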
If you only have the one database engine on your box, you should immediately notice marked improvements. This breathing room does not mean that it is now time to pour more workloads onto the server… only that your SQL Server should be running a little better!
Last week without paying attention I scheduled this article to publish Monday morning, not realizing that in North America we would be celebrating Labour Day. Almost none of my readers were in the office, and many (including myself) were relaxing by a beach somewhere. As I expect the article was largely overlooked in lieu of late mornings and lazy afternoons, I decided to re-schedule it for this slot. Enjoy the article! -MDG
You have a job that gives you a computer. Maybe it’s even a laptop that they let you take home with you. It is probably better than the old computer that you’ve been using… and maybe there isn’t even a policy at work about using your corporate computer for reasonable personal use. Cool, right? You can let your old computer at home gather dust and use the company’s computer for everything.
This is a really bad idea.
If you work for a company like any of the ones that I have managed then you have worked with some pretty scrupulous (i.e.: HONEST) IT Professionals. However like every other profession, there are a lot of bad apples out there. Here is a scenario that I hope will haunt you… or at least scare you into segregating your personal computer tasks from your corporate laptop.
In my last article (Passwords: Beware) I wrote about some of the dangers of passwords, and especially of using catch-all passwords… in other words, the same password for many sites. Here’s how an unscrupulous IT admin can make all of that irrelevant.
You get your shiny new laptop from work. You use it for business… but you also use it to pay your bills, do on-line banking, connect to Facebook, and any of a thousand other tasks you do during the course of a normal week.
‘Don’t worry… your computer is secured with an Active Directory password which we forced you to make complex, and we cannot see your password or log in as you. Of course, we could change your password… but you would know that pretty quickly the next time you tried to log on to your system and your password didn’t work.’
In most cases this statement is true… and let’s assume for the time being that it is absolute (whether it is or not).
Times are tough all over, and you have not been selling as well as you were expected to. You are dreading that call into the boss’ office, but as you are preparing to leave the office on Friday you get the call. ‘Please come see me for a minute.’ You lock your computer (as you have always been taught), and walk over to his office.
Of course, s/he might tell you to finish out the month, but usually this conversation officially ends your employ. You go back to your desk to clear out your personal belongings, but if you do try to log in to your computer you will discover that your account has been locked out.
What happens next?
An honest IT Admin will back up your data, then wipe your profile and prepare the computer to be given to your replacement.
A dishonest IT Admin will change your password to something that he or she knows. He will log on as you (and remember, he doesn’t have to sit at your old desk out in the open to do this – he can do it quietly from the comfort of his cubicle). He will install a password recovery software (maybe the one he used to help you when you forgot your e-mail password last month). In seconds he will have a list of every website that you have visited, your username, and your password.
It won’t take long for him to order a new credit card in your name… and maybe buy some goodies on eBay with your PayPal account. I don’t know what else he might do, I am not that kind of guy. But I have met people who were… and they scared me straight.
So what happens now?
Any website that is business-related won’t matter… once you have left the company they have a right to whatever data you would glean from them anyways. If the IT Admin does anything on those sites with your credentials it will be easy to prove – ‘Hey, I was let go at 3:45pm on Friday the 13th, and that malicious post was written from my corporate laptop on Tuesday the 17th… four days after the laptop was taken from me.’
Anything that’s personal… well my friend, you should not have been using your business laptop to do your eBay shopping, or your on-line banking. You could file a criminal complaint and you might get your money back… but by the time the cops come to investigate (and they will almost certainly never do that) the dishonest but not stupid IT Admin will have wiped the laptop clean and there will be no record of wrongdoing.
So what do I do?
Once you are in the position you are already too late; what you need to do is separate business from pleasure at the very beginning. If you are already using your company computer for personal use then a) stop now, and b) from a personal computer change all of your on-line passwords now.
But would he really…?
I don’t know your IT Admin… Maybe he’s a good guy (or a good girl) who would never do anything like this. But why put yourself at risk? Take the temptation away from him or her and just don’t use your corporate computer for personal activities.
…Or you can take the risk, and then find out how frustrating it is to have to cancel credit cards and swear affidavits that the offending transactions were not yours, in the faint hope that your bank will reverse the charges.
Anyone who has taken a basic networking course will understand that UNC (Universal Naming Convention) paths are one of the common ways we in IT access file shares across our local networks. They will usually look like this: \\oak-mgt-01\Sharename. Of course, you can see all of the shares on a particular server by just entering the servername (\\oak-mgt-01). Once upon a time Windows Explorer would show you that path in the address bar, but in this era of simplification of everything (i.e.: Dumbing it down) it makes it prettier by showing > Network > oak-mgt-01 > Sharename. This changes nothing, it is the same under the hood.
Users are not the only ones who use these UNC paths. In fact, it is our servers and applications that use them far more frequently than we do, because under the hood that is what they use to connect to any network resource.
But what happens when UNC paths stop working?
A client called me recently to tell me that none of their UNC paths were working, and because of it their production applications were down. I checked, and sure enough a particular server could access the Internet just fine, and it could ping every internal resource it wanted, but when you tried to navigate to any UNC path, the result was a very unfriendly and generic one:
Not only was it not working, it was not even giving me a descriptive error code. I started down a troubleshooting rabbit hole that would haunt me for hours before I found the solution.
The first thing that we confirmed is that while we were pretty sure that this was a networking issue, it was contained within the specific server. How did we determine this? We discovered that we got the same result when we tried to navigate to \\localhost. Localhost is that trusty loopback adapter that exists in every network device, and is the equivalent of \\127.0.0.1… which of course we tried as well. Because we know that Localhost lives within the server, we knew that it was not an external issue.
Before we went out to the Internet for other ideas, we tried all of the obvious things. We changed the NIC, we verified DNS, WINS, and even NetBIOS over TCP/IP. We reset the network connection (netsh int ip reset c:\resetlog.txt). Nothing doing.
We went out to the Internet and followed the advice of several people who had been in our spot before. We uninstalled and then reinstalled several networking components. We deleted phantom devices, we ran network reset tools. No joy.
When I came across Rick Strahl’s Web Log I thought I was close… he had experienced exactly the same symptoms, and in his article UNC Drive Mapping Failures: Network name cannot be found I was hopeful that when I re-ordered the Network Provider Order in the registry (HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order) I would be home free. Unfortunately I was wrong… but I was in the right place.
When Rick’s solution didn’t work, I was disheartened. I was about to close it out and look at the next ‘solution’ on-line. My instinct however told me to look again… to look closer.
There was a typo… but you have to really know what you are looking at to see it. In fact, even if you really know what you are looking at, it is easy enough to miss. Take a look… do you see it? Look closer… The entry LanmanWorkstation is right there, clear as day, right?
Nobody would blame you for not noticing that there is an S at the end of the string… because S is so common at the end of words – it just makes them plural, right? Well, computers – and especially the Windows Registry – do not know English grammar; they know binary… and the difference between LanmanWorkstation and LanmanWorkstations is the difference between working… and not working.
When I made the change it was instant – no reboot was required, the server application started working immediately. A big sigh of relief permeated the office.
The server in question is one that several people were working on when it stopped working, and nobody is entirely sure how it happened… was it human error, or did a rogue process cause it? We will look in our logs and figure that out later. For the moment though, our UNC paths are back, and my client is back at work.
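As an added example that is not part of the original post, the PowerShell below checks for exactly this class of defect: every name in the ProviderOrder value under the Order key named above must be a service that registers a network provider DLL (HKLM\SYSTEM\CurrentControlSet\Services\<name>\NetworkProvider\ProviderPath), so a misspelled entry such as LanmanWorkstations shows up as unresolved instead of having to be spotted by eye. Test-NetworkProviderOrder is a name chosen for this example; it reads the live registry unless you hand it a string copied from another machine.

```powershell
# Added example (not from the original post): audit the Network Provider Order
# for names that do not resolve to an installed provider.
function Test-NetworkProviderOrder {
    [CmdletBinding()]
    param(
        # Comma-separated provider list; defaults to this machine's live value so
        # the same function can vet a string copied from another host.
        [string]$ProviderOrder
    )

    $orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
    if (-not $ProviderOrder) {
        $ProviderOrder = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder
    }

    $names = $ProviderOrder -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($name in $names) {
        # Each provider is a service whose NetworkProvider subkey names the DLL
        # that mpr.dll loads for it; a typo in the order has no such service.
        $svcKey     = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
        $registered = Test-Path -Path $svcKey
        $path       = $null
        if ($registered) {
            $path = (Get-ItemProperty -Path $svcKey -Name ProviderPath -ErrorAction SilentlyContinue).ProviderPath
        }
        [pscustomobject]@{
            Provider     = $name
            Registered   = $registered
            ProviderPath = $path
            # ProviderPath normally uses %SystemRoot%; expand before testing.
            DllPresent   = if ($path) { Test-Path -Path ([Environment]::ExpandEnvironmentVariables($path)) } else { $false }
        }
    }
}

$report = Test-NetworkProviderOrder
$report | Format-Table -AutoSize

# Anything unresolved is either a typo (fix the spelling, as in this post) or a
# provider that was removed without cleaning up the order. An entry whose DLL
# path you do not recognise deserves a closer look before you "fix" it.
$bad = $report | Where-Object { -not $_.Registered -or -not $_.DllPresent }
if ($bad) {
    Write-Warning ("Unresolved provider entries: {0}. Correct them in {1} (and in the sibling HwOrder key)." -f
        ($bad.Provider -join ', '), 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order')
}
if ('LanmanWorkstation' -notin $report.Provider) {
    Write-Warning 'LanmanWorkstation is absent from the order; UNC paths to SMB shares will fail until it is restored.'
}
```

Run it from an elevated prompt; the change takes effect without a reboot, as the post found, so the report can be re-run immediately after correcting the value.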