Thursday, October 22, 2009

Why you should upgrade to Windows 7

I usually don't recommend everyone immediately upgrade to a new version of anything. I'm firmly in the "wait for others to find the bugs" camp. I like to run the latest myself but for paying customers if it ain't broke why fix it. I don't recommend they upgrade until version 1.1 or possibly with a hardware change. I'm changing this position for Windows 7. It's not that different from Vista. Vista's now at Service Pack 2 and is very stable. For whatever reason many people are still running XP. The security benefits of Windows 7 compared to XP far outweigh any cons about upgrading. The Internet is worse than the wild west was. Surfing the net with XP is like showing up at the OK Corral naked with a water pistol. It doesn't matter what you do, you're probably going to lose. When you do lose you will become a zombie bothering the local townies until they finally put you out of your misery. Windows 7 puts you in the game. You've got as good of a chance as the bad guys. For this reason alone Windows 7 is worth upgrading for. All the fancy UI, networking, media enhancements, etc, are just gravy. Security is the number one reason to upgrade. Heck, even the Linux and Mac crowd should be urging the Windows crowd to upgrade. The Internet will be a much better place when XP is forgotten.

Wednesday, October 21, 2009

Walking in the Rain Revisited

A while back I wrote a blog post comparing computer security to walking in the rain. This morning it was raining pretty hard during my morning walk. It wasn't raining quite as hard as when I wrote the previous post but west coasters know what "raining pretty hard" means. For the rest of you, it was raining as hard as you'll probably ever experience unless you live in a rain forest. For some reason I decided not to use the same gear as in the blog post. I had the Halti jacket and Tilley hat on. I didn't take an umbrella, wear gloves, or wear rain pants. I ignored my own advice from this blog post about security being a marathon where we can never relax. In half a block my pants were soaked through. A few minutes later my hands were cold. I had to cut my usual walk in half because I was getting cold and wet. Computer security is similar. Use the appropriate tools. Don't take shortcuts. Never relax or get complacent.

Monday, October 19, 2009

Experimenting with IPv6 – Part 1

IPv6 is coming. We'll all have to learn how to deal with it. With this in mind I've set out to educate myself about IPv6. I learn better by doing than by reading. I like to read enough that I have a very basic understanding of the subject then play. After playing with it I generally find I need to do some more reading or possibly even take some courses. With IPv6 I'm at the playing stage. I decided to set up a Server 2008 R2 virtual machine as a test bed for IPv6. I needed a second domain controller on my SBS 2003 network so I made it a DC and a DNS server. It's probably not the best idea to use a DC for an IPv6 experiment but I figured I may as well go whole hog and learn by making mistakes.

The reason for the DNS server is so once I figure out IPv6 it can answer IPv6 queries from the workstations. Plus it's a DC which implies a DNS server. This is the first place I ran into a problem. There is a bug in the 2008 R2 DNS server implementation. It wasn't resolving some queries. NSlookup microsoft.com worked but nslookup www.microsoft.com didn't. It was very perplexing and took a lot of Bing-fu and Google-fu to fix. The fix is here in Scott Forsyth's Blog. It appears it's a combination of some DNS servers not returning EDNS results properly and the way Server 2008 R2 DNS deals with that.

The server was now set up as a DC and a DNS server. To play with IPv6 I needed to set up a tunnel. My ISP doesn't support IPv6 and neither does my router. I decided to activate a free IPv6 tunnel at tunnelbroker.net. This was relatively straightforward. I was happily testing IPv6 over the tunnel thinking that was too easy. I was right, it was too easy. I decided to run a port scan of the IPv6 tunnel. Imagine my surprise to find out that as far as the Windows firewall was concerned the tunnel was part of the local network. I had just put a DC on the Internet with no firewall. Not good to say the least. I quickly disabled the tunnel. I spent the next several hours Googling and Binging to no avail. So far I haven't found any way to block incoming ports on the IP6Tunnel interface while leaving ports open for the local network. I'm stuck for now. I need to use the Windows firewall because the tunnel by definition bypasses the firewall in my router. I'm sure there's a way but until I find it no IPv6 for me. Once I get past this setback I'll continue this blog series.

Update

It looks like the only way to do this is to add a second NIC for the IPv6 tunnel. I should be able to set the firewall profile for the second NIC to Public which would solve the problem. I don't want the headaches caused by a multi-homed domain controller. I'd probably need to set up a VLAN as well, which my router doesn't support. The project is temporarily on hold while I rethink things.
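
An added example, not part of the original post: one way to audit the exposure described above is to list the enabled inbound allow rules that are active in the profile the tunnel interface landed in and that accept any remote address. The sample text is constructed in the key/value layout printed by `netsh advfirewall firewall show rule name=all`; the rule names and the choice of the Domain profile are assumptions.

```python
# Added example: which inbound allow rules become reachable when a tunnel
# interface is treated as part of a trusted profile? SAMPLE is constructed.
SAMPLE = """\
Rule Name:                            DNS (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
RemoteIP:                             Any
LocalPort:                            53
Action:                               Allow

Rule Name:                            LDAP (TCP-In)
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
RemoteIP:                             Any
LocalPort:                            389
Action:                               Allow

Rule Name:                            Remote Desktop (TCP-In)
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
RemoteIP:                             LocalSubnet
LocalPort:                            3389
Action:                               Allow
"""

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank line or dashed separator
        if key.strip() == "Rule Name":
            rules.append({})  # a new rule block starts here
        if rules:
            rules[-1][key.strip()] = value.strip()
    return rules

def exposed_rules(rules, profile):
    hits = []
    for r in rules:
        active = profile.lower() in r.get("Profiles", "").lower().split(",")
        if (active and r.get("Enabled") == "Yes" and r.get("Direction") == "In"
                and r.get("Action") == "Allow" and r.get("RemoteIP") == "Any"):
            hits.append((r["Rule Name"], r.get("LocalPort")))  # no remote scope
    return hits

print(exposed_rules(parse_rules(SAMPLE), "Domain"))
```

The rule scoped to LocalSubnet is not reported, while the two rules that accept any remote address are the ones a tunnel in the same profile would expose.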


Wednesday, October 14, 2009

Windows 7 vs. Fedora 11 - Part 2

Well the experiment to only run Linux while on a road trip was a partial failure. I had to boot into Windows to get some work done that involved email and Exchange. I can't seem to wean myself from Exchange. I thought I had Evolution working but it keeps locking up on me. I've always had problems with Evolution but I had high hopes for the current version and Fedora 11. It works flawlessly while directly connected to my Exchange 2003 server. Working remotely is another story altogether. It works sporadically. There will be long pauses of up to five minutes where it seems to be locked up then suddenly it's working fine for a few minutes. Eventually it will lock up completely. I switched to using OWA (Outlook Web Access) instead. The OWA experience with Firefox is not the best. OWA in Exchange 2003 really needs IE with ActiveX to be productive. I've tested Exchange 2007 and it has a much better OWA experience with a non-IE client. I'll be updating my Exchange server to 2007 in the near future. Hopefully the combination of OWA, Exchange 2007, and Firefox in Fedora 11 will be more productive.

My other problem is my Blackberry. I haven't found a way to sync the BB and Exchange in Linux. I could set up a Blackberry Enterprise Server. This will sync Exchange and the BB over the cellular carrier in real time. It would cost me more money. I'd have to upgrade my wireless plan from BIS to BES. I'd also be running another server. Even virtualized it seems like overkill.

Other than the Exchange problems the experiment has been a success. VPN and RDP access to the networks I manage hasn't been a problem. I've received some Excel attachments that Open Office had no problems with. I received some .PDF files that weren't a problem. So far I have to say I prefer Windows 7 over Fedora 11 but it has nothing to do with the OS. It's all about the applications and it seems as long as I'm married to Exchange I'll be running Windows.

Tuesday, October 13, 2009

Windows 7 vs. Fedora 11 - Part 1

I'm leaving this morning for a three day trip to Ottawa for a CIRA board meeting. I depend on my Blackberry and my laptop to run my business while I'm on the road. I'm going to do an experiment this trip. I'm going to run Fedora 11 exclusively on my laptop. I've always had a multi-boot setup on the laptop of Windows Desktop, Windows Server, and Linux. The current setup is Windows 7 Ultimate, Server 2008 R2, and Fedora 11. I've set the default boot to Fedora 11 and hope to keep it that way for the next three days. I've tried this in the past with various distros of Ubuntu and OpenSuse. Neither worked out. For some reason I always had to boot into Windows sometime during the road trip. It was usually something to do with Exchange or my Blackberry. I rely on my Blackberry and Exchange to manage my time, email, and basically my business. I'll try to keep this blog up to date with my experiences and at the end I'll post the results.

Thursday, August 13, 2009

Facts vs. Beliefs

Last night I was on my deck watching the Perseid meteor shower. I started wondering what our ancestors must have thought about events like this. I was thinking that they must have had all sorts of weird superstitious beliefs about omens and such. Lying there watching the sky gave me lots of time to think. The more I thought about it I started wondering what someone several thousand years in the future would think about my beliefs regarding the meteor shower. To me they are facts that I know. I am sure that to our ancestors their beliefs were also facts that they knew with absolute certainty. This means that my facts may in fact be only a belief and not really a fact. In the future they may think that our current beliefs about space, meteor showers, etc. are quaint, superstitious beliefs because they have discovered some new facts.

What does all this have to do with computers? Many people have beliefs regarding computers that they see as facts. One example of this is the fact that OS X is more secure than Windows. An alternate fact, just as wrong, would be that Windows 7 is more secure than OS X. My belief about this fact is that you can't measure how secure an OS is so the question is moot. My point is we all have many beliefs about computers. Many of these beliefs, which currently are thought of as facts, will probably change over time. Don't get too comfortable with the facts.

Tuesday, July 7, 2009

Windows 7, Vista, and the Blogosphere

Windows 7 is about to hit the RTM milestone any day now. I've been playing with it since the public beta release last fall. I like it. As soon as it hits RTM I plan to install it on both my laptop and desktop. I'll only run Vista in virtual machines for testing. That said I can't believe all the hyperbole about Windows 7. Yes, it has some nice new features but come on people it's really not that different from Vista. The vast echo chamber of the blogosphere which dissed Vista is praising Windows 7 like it's the second coming. I've been trying to analyse why.

Resistance to change and resistance to admitting you may be wrong is my best guess. Vista was a huge change from XP. I was in on the beta testing of Vista quite early. It was still called Longhorn. I knew immediately there was going to be a lot of resistance. It was actually reasonably secure and forced users and programmers into a better security model. Anyone remotely interested in security knows that increased security always means increased inconvenience. How often did we hear new Vista users saying things like "I'm the administrator dammit. I can look after my security myself." Well you know what? 99.9% of us can't. If you're running XP it's probably impossible. Amongst other things I enjoy figuring out how malware works. I don't make much money at it but I remove malware for customers when I have time. I do this so I can see real world infections and figure out how the malware works. I see malware all the time on the computers of network administrators and highly sophisticated users. You want to know why this is? It's because they run an insecure OS as administrator all the time. The programs they use expect to have administrator rights. The services and drivers running in the background have carte blanche to do whatever they want. XP is a security nightmare people became used to. There was no way to fix it thus Vista came into being. Vista while mitigating a lot of the problems forced everyone to change their habits in a way that wasn't convenient. More importantly it took a while to figure out these changes. It took even longer for a moderately competent geek to figure out new ways to bend the OS to their will. Couple this with the fact that Vista required significantly more hardware than XP and it was a recipe for disaster. This caused much angst and bad press in the blogosphere. This angst was endlessly echoed until it was the "truth" that Vista was flawed. Once this "truth" was out there it was impossible for any blogger to argue against it. 
There is still no better way to get click throughs than by writing a blog that disses Vista and links to other blogs as proof. Many of the bloggers and experts over time learned that this "truth" wasn't really true. They were afraid to say anything for fear of admitting they'd been wrong. Along comes Windows 7. It has a few cool new features. The UI has been tweaked a bit. It's been highly optimized to appear faster to the user. Most people now have hardware capable of running Vista. Windows 7 runs great on this hardware. More importantly all the bloggers and moderately competent geeks can get up to speed very quickly as they already climbed the learning curve with Vista and it's not Vista. They don't have to admit they were wrong in order to say they like it. It's a recipe for good press in the blogosphere.

Don't get me wrong. I really like Windows 7. Some of the new features are really cool. The new taskbar is a huge improvement. Aero peek has become indispensable. The UI really is more intuitive most of the time. There are a few things I don't like. The libraries feature is a great idea that isn't fully implemented. It has tremendous potential but as it is implemented in Windows 7 it doesn't work for me. The Homegroup networking feature is a security problem. It makes it very hard to share one folder in your profile. If you share a folder in your profile the whole \USERS tree is automatically shared. I had a good discussion about this with someone from Microsoft and in the end we agreed to disagree. He said the default ACLs and Access Based Enumeration locked down the folders well enough for home use. I felt they didn't, especially for a very small business many of which run the Home version of Windows.

So what's my conclusion? I'm somewhat grumpy about the fact that Vista will go down in history as Windows Me the second. The blogosphere is praising Windows 7 which will cause a lot of people to finally move away from XP. That's a very good thing. The Internet will be a better place.