Friday, July 18, 2014

Netgear ReadyNAS 516 is Not Ready for Enterprise Networks

I've been saddled with one of these dreaded things with a gun pointed to my head.  Nothing can be worse.

In any event, if you were to unbox and connect a Netgear ReadyNAS to your corporate network, and said ReadyNAS came from the factory with OS Version 6.0.8, and said network had a firewall that didn't allow any and every HTTP request to flow through it unfettered, you would have the same odd experience I had.

You would log in with the default admin credentials, and be prompted to run through a wizard.  You could cancel out of it or complete the steps - wouldn't matter.  Either way, when the wizard exits, you would get a continual 'flashing' or cycling webpage.  It would flash between a hint of the admin console, a box saying "Connection Lost", and the splash screen for the device.  You would never be able to click on anything with any success.  You could restore the OS, restore to factory defaults, and basically end up in the same death spiral.

If however you looked at said firewall to see what traffic, if any, was hitting it from the IP used by the ReadyNAS, you'd see lots of HTTP requests going to subdomains of and, and even the stray IPv4 address.  You might try to open them one at a time a la "whack-a-mole", or you would just allow all traffic from that IP address - like I did - which works.

Thanks bags, Netgear, for again making the lives of IT professionals everywhere just a little more gruesome and unbearable.

Tuesday, April 29, 2014

On the Tail Wagging the Dog

I saw an article in Tech Republic today that rubbed me the wrong way.  I probably should have ignored it, but it comes up so often, I had to capture my thoughts.

The article was entitled "IT self-sabotage: Don't be your own worst enemy".  By itself, that sounds like it may be valuable, but the article took less time to write than it did to read, and rehashed the same nonsense that has become pervasive in corporate America.  Namely, there's no value in enterprise IT, so don't fight consumerization.

I could not disagree more with this mindset.  It's nothing more than salve for the souls of the inadequate.  The difference between a company with a strong IT leader who maintains their principles and doesn't succumb to every trend for which he has no immediate answer and a company willing to flop around like a water hose at full blast going wherever the flow takes it may not be immediately evident from the outside, but it will be startlingly clear to anyone who has been in both types of shops.

Who is supposed to benefit from this article?  Who is the audience?  Certainly no-one in the enterprise space with a management role would be so obtuse as to adopt hardline stances absent any other mitigating factors;  surely no-one is so facile and ill-equipped as to believe for a moment that the role of corporate/enterprise IT is to let the tail continually wag the dog, which is clearly what this article advises.  Rubbish.

IT has a unique perspective in many companies, in that it sees the broadest possible picture.  IT recognizes benefits of standardization and architecture that extend beyond the interests of individual business units, who themselves are often unaware of and/or unsympathetic to the fact that those interests can be in conflict with one another.  Deferring to the needs of the business as a policy means abdicating the important job of managing risk and ensuring that the entire organization runs smoothly and cost-effectively.  It's ridiculous to dismiss that in favor of myopic trends such as 'consumerization', or in the name of being more friendly.  Just because you can do something, it doesn't mean that you should.  Consumerization, for example, is a trend born of a combination of overzealous, unqualified para-technicians masquerading as executives, and the eagerness of the technology sector to profit from them by legitimizing an otherwise (and historically) illegitimate tactic.  The herd mentality on full display in all of its resplendent glory...all the while, nobody has remembered to ask whether any of this stuff A) solves a real problem, and B) helps us generate more revenue, operate more profitably, and reduce (not simply rename) our risk.

In my experience, if a company runs into an IT department which says "no" too often, it's because the company isn't asking the right questions - meaning that they aren't applying careful, critical thought to the decisions facing them, or even willfully ignoring the obvious, underlying problems which seldom if ever have anything to do with technology.  IT might not (and should not) have all the answers about how to run a business, but they will certainly know when the business is about to dig themselves an enormous hole.  If IT doesn't speak up (and say "no"), they aren't doing their job.

To write up an article with insipid 'suggestions' such as these is of no more value than talking to someone for two minutes in a coffee shop line about their philosophy for enterprise architecture.  There is so much assumed, so much not considered, that it hardly makes sense to waste the time publishing it.

Wednesday, June 27, 2012

On The Big Switch

There is a school of thought, being echoed by no less a technology behemoth than Microsoft, that maintaining your own IT infrastructure will one day be as antiquated as maintaining your own power generation capability.  In the past, they remind us, companies had to generate their own power - until reliable utility power generated centrally for broad use came to be.  Suddenly it was no longer cost effective to make your own power.  The problem comes from the leap of irrationality they make in drawing an analogy between that step in our industrial evolution and the current practice of a company maintaining their own IT infrastructure, which they claim leads inevitably towards a cloud model.

On the surface, and only on the surface, this might counterbalance the fear of the "new" some folks might have.  People didn't trust utility power at first, but they eventually learned that it was great and the cost savings were worth the risk.  As it applies to utility power, certainly this is a sound argument.

Two things to keep in mind though.

1) Electricity is fungible; data isn't.

2) Companies still have backup power systems for when (not if) the utility fails.

The cost of maintaining redundant power is pretty reasonable.  And in some cases, the cost of maintaining redundant data systems is reasonable.  There are certainly use cases for cloud computing, but technology leaders are still exactly right to be critical of those who argue everything can, should, and will eventually be "in the cloud".  If they end up being right, it will be by accident and will probably not look anything like they imagine it today.  For now, outside those few "low business impact" use cases representing the lowest hanging fruit, the opinion of this technologist is that SaaS / Cloud / Web Hosted solutions struggle to do significantly more than exchange one set of problems for another.  Not that there's anything wrong with that.

Monday, December 12, 2011

How Confused SysAdmins Are Rendering SPF Useless

The idea behind Sender Policy Framework (SPF) is to eliminate the possibility for spammers to send messages which appear to come from a given company or entity, even though nobody at that entity sent it.

SMTP allows for this kind of impersonation because, by itself, nothing in SMTP ever checks to see that you are who you say you are in the FROM line.  Remember that SMTP has been around longer than most system administrators and was built in a time when everyone on the internet knew everyone else by first name.  "Trust" was never a design principle for the internet, and we've been dealing with the fallout ever since.  The bottom line is that, as far as SMTP goes, you are who you say you are because you say so.  If only it were that easy in real life.

Enter the Sender Policy Framework.  SPF is implemented by both senders (as a DNS entry, saying "mail from me is going to come from the following addresses only"), and receivers (by checking the IP address of the sender connecting to your system against the list of valid addresses for the domain they say they are at).  Simple.

The problem is this - if you don't implement SPF properly at both ends, it ends up causing more problems than it solves.  Confused system administrators are likely to get this wrong, and are likely to be even more confused when you explain to them why they got it wrong and how to fix it.  It's happening more and more often, and it's a pain.

The bane of a mail administrator's existence is the false positive - that is, a message which is legitimate, but that got blocked or bounced erroneously by the cocktail of email protection mechanisms they employ.

If as a receiver, you are not properly evaluating SPF for incoming messages, you are creating a problem for your users and the people trying to communicate with them by creating false positives in droves.

Worse yet, if your default action when you think there's an SPF issue is to bounce the message, you eliminate any chance that a human being can spot the problem and bring it to your attention.

Such is the case with tons of Barracuda anti-spam appliance users, who are responsible for a rash of "550 Rejecting for Sender Policy Framework" replies reaching support desks around the world.

A proper implementation of SPF will evaluate the IP address of the connecting system against the list of allowed IP addresses for that sender's domain based on their DNS record for SPF.  No more, no less.  In the case of the Barracuda, their devices are erroneously evaluating not just the IP address of the connecting system, but the IP addresses of every hop along the way.  It is as if they inherently assume that even if the connecting system is in the SPF list, it is an open relay and is being abused by a spammer.

We've seen screenshots of Barracuda administrative consoles, and for messages they blocked as false positives due to "Sender Policy Framework", the details reveal that an IP address of a server involved early in the relay was NOT in the SPF record for that domain - even though the server establishing the connection to the endpoint WAS in the SPF record for that domain.  If you use a smarthost configuration, whereby your public-facing mail server always relays to a service "in the cloud" for anti-virus scanning, etc, you are very likely having this problem or will soon.  Postini is a good example of this type of setup, but there are others.
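To make the difference concrete, here is an added example (not code from the original post or from any vendor) of a minimal, offline SPF evaluator that contrasts the correct receiver check, judging only the connecting IP, with the every-hop check the post attributes to the Barracuda appliances. The SPF record, addresses, hostnames and Received headers are constructed samples for the hypothetical domain example.com; a real receiver fetches the record over DNS and also resolves a/mx/include mechanisms.

```python
"""Added example, not code from the original post: a minimal offline SPF
evaluator that contrasts the correct receiver check (connecting IP only)
with the every-hop check the post attributes to Barracuda appliances.
The SPF record, addresses and Received headers are constructed samples
for the hypothetical domain example.com."""
import ipaddress
import re

# Constructed policy: mail for example.com is allowed from the public MX
# (203.0.113.10) and from the smarthost provider's range (198.51.100.0/24).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, ip):
    """Evaluate one IP against a v=spf1 record and return the SPF result.

    Only ip4, ip6 and all are implemented so that this runs without DNS;
    a real evaluator also resolves a/mx/include (RFC 7208).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"          # no usable policy published
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # DNS-based mechanisms are out of scope here
    return "neutral"            # nothing matched and no 'all' term


def check_connecting_ip(domain, connecting_ip):
    """Correct receiver behaviour: judge only the host that connected to us."""
    return evaluate_spf(SPF_RECORDS[domain], connecting_ip)


RECEIVED_IP = re.compile(r"^Received:[^\n]*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M)


def check_every_hop(domain, connecting_ip, headers):
    """The behaviour the post describes: also judge every earlier Received
    hop and reject if any of them falls outside the sender's record.
    Returns (verdict, {ip: result}) so the offending hop is visible."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)   # join folded header lines
    hops = [connecting_ip] + RECEIVED_IP.findall(unfolded)
    results = {ip: evaluate_spf(SPF_RECORDS[domain], ip) for ip in hops}
    verdict = "fail" if "fail" in results.values() else "pass"
    return verdict, results


# Constructed headers as seen by the final receiver: an internal desktop
# (10.0.0.5) handed the message to the public MX, which relayed it through
# the smarthost (198.51.100.25), the host that actually connected to us.
SAMPLE_HEADERS = """\
Received: from mx.example.com (mx.example.com [203.0.113.10])
        by smarthost.example.net with ESMTPS; Mon, 12 Dec 2011 09:00:00 -0500
Received: from desktop.corp.example.com (desktop.corp.example.com [10.0.0.5])
        by mx.example.com with ESMTP; Mon, 12 Dec 2011 08:59:58 -0500
From: someone@example.com
Subject: quarterly numbers
"""
CONNECTING_IP = "198.51.100.25"


def demo():
    """Same message, two verdicts: the correct check passes it, the
    every-hop check fails it because the internal desktop's private
    address is (correctly) absent from the public SPF record."""
    correct = check_connecting_ip("example.com", CONNECTING_IP)
    broken, hops = check_every_hop("example.com", CONNECTING_IP, SAMPLE_HEADERS)
    return correct, broken, hops
```

Running demo() returns "pass" for the connecting-IP check and "fail" for the every-hop check, with 10.0.0.5 flagged as the hop that is not in the record, exactly the false positive described above.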

So both sides are using SPF, and both think that problems with SPF "violations" are the other one's fault.  How do you tell who is right?  Well, if you've already validated your record against an SPF query tool, a good source of arbitration is for a sender to send a message to Port25's SPF check service.  They'll send you a return message with full details about whether your message complies with SPF properly and if they'd have delivered it.  Ours, for example, does comply with SPF properly.  And largely, we have no issues, but lately we've seen a rise in bounced messages due to reported SPF problems, and in actual fact, they have all (every single one) come from Barracuda appliance owners.

Plainly, if you are so dim-witted as to put a Barracuda anti-spam appliance in place, little if any of this is making any sense.  And that's the problem.  What you're trying to do is admirable - cut down on spam.  What you're really doing isn't - you're blocking legitimate email because you don't understand how this stuff works.  Stop it.  If you have a Barracuda, turn off SPF checking.  It's broken, and you're eating up a lot of our time chasing issues that aren't in our sphere of influence.  If you are unwilling to turn it off, see if you can adjust the default behavior for SPF violations to be something other than BOUNCE. Amateurs.

Wednesday, November 16, 2011

You Can Toucha The Mango

I've used enough iOS devices to know them inside and out.  Simple, clean, no frills - much like Windows for Workgroups 3.1.  It doesn't do a heck of a lot other than let you launch apps, and the apps don't really do much outside of their sandboxes.

Same with Android, with the exception of being able to tweak it to look and behave how you'd like.  You can't really cover up the fact that it's little more than a platform for launching apps.  The cases and screens may change, but at the end of the day, they appear to me no different than iPhones or iPads.

Both iOS and Android are essentially software showcases.  They provide developers a nifty, powerful, portable stage to do their thing and a solid commerce mechanism to help them get paid.  They're giant digital flea markets (or malls if you will) with everything you need from anyone who makes it, in one convenient spot.  The iOS mall is very exclusive, and the Android mall is kind of like the run down joint in the bad end of town where the owner doesn't seem to know or care what happens as long as he gets his cut.

Color me uninspired.  The Apple fanbois and Google fandroids can argue about which app launcher / flea market is better than the other.  It's like arguing the difference between off-white and eggshell.

Enter (of all people) Microsoft.  Yes, the same Microsoft who only ever accidentally trips over an extremely successful product.  The same Microsoft with a total lack of coherence, consistency, or a compelling vision for how their products should improve people's lives.  Slowly, it appears, they have been coming to grips with the world in which Apple and Google would see us live.

The living room is kind of where it all started.  The XBOX 360 platform has been extremely popular, for all the right reasons.  It works well.  It looks dynamite.  It's cheap.  It's great with media.  It has access to streaming content.  It's audiophile and home theater enthusiast-friendly.  It's small.  It's WiFi.  The games are compelling.  The multiplayer Live experience is impressive.  You don't need to be a rocket scientist to work it.  Everyone has one.  People continue to trust Microsoft to get it right, whether or not they realize it.  A console from two or three years ago will still hang with the latest games, no issues.  Brilliant.  New stuff like Kinect works with any XBOX 360, no matter how old.  Brilliant!  Executives across the nation have ditched their Harley helmets for copies of Halo and Modern Warfare.  It's cool to be a gamer...finally.

In another part of Redmond, another group of people appeared to have been told "find a spot in the mobile market where nobody else dares go, and own it."  The result is impressive.  Very impressive.  Even if nobody knows it yet, it's fantastic.

Windows Phone 7 was the best mobile user interface of any device ever, period.  And it was flawed in some significant ways.  There were lots of things you couldn't do with it that you should have been able to do, but at its core, WP7 was a completely different approach to smartphones.  Revolutionary, really.  Yes, there were some sandboxes, but the difference was that there were also cool Habitrail tunnels connecting them, and very smart hamsters trained to run back and forth.

For example, on WP7, a contact becomes an incredibly powerful thing.  The phone almost magically combines everything you know about a person from every source you feed it - Exchange, GMail, LinkedIn, Facebook, etc, so that a person is represented in one "object".  You don't need to download a bunch of apps to do it - it just knows, out of the box, that you're probably on several of those services.

Because of this, any action related to a contact is available just about everywhere.  You can write on their Facebook wall, send them a tweet, a text message, an email, call them, pull up a map of where they work - all in one place.  And you get to do it in what must be the best implementation of graphic arts ever employed in a user interface.  It looks great, and it works phenomenally well.

Common bits of information are recognized everywhere.  An address, for example - whether it be part of a contact, or your current location (the GPS is freakishly fast and the street address resolution feature is freakishly accurate) - is understood as an address.  When you tap on an address, what should happen?  A map should appear.  What might people want to see in addition to a dot on a map?  How about a list of nearby restaurants and things to do?  What information should show up if you tap on one of those links?  Everything.  Phone number, hours, reviews from popular websites, who has checked in there on Facebook, spoken turn-by-turn driving or walking directions, etc.  Everything of interest, that you would most likely want to do or know about a place or a person, has been captured and gorgeously integrated in an incredibly simple interface.  Two taps simple.

The dependency on tethering to a computer appears to be somewhat diminished, but you will need Zune on PC (or the Mac plugin thingy) to do some things.  The good news for PC folks is that the latest Zune is also beautifully designed and simple to use.  Microsoft is doing some absolutely remarkable things in terms of user interface.  It just works.  Hardly a row/column table to be found anywhere.  There are definitely feature issues in Zune, but someone else can dive into that.  I'm just happy (actually, ecstatic) that Microsoft is demonstrating a capability approaching mastery of the user interface and that the penny has dropped for them in terms of making deep, meaningful interoperability of their various products and platforms a priority.  SharePoint, Lync, Office, Exchange, Windows 7, Server, and now Windows Phone.  They are all connected. No, really connected.

I am now using the Samsung Focus S.  Yes, there are still gaps I'd like to see addressed, but the Mango release has done an amazing job of addressing the most common issues people doing an evaluation would run into.  You have to dig at least a little bit to uncover the dead bodies now, whereas before you had to step over them.  If I had no interest in connecting to corporate email or no concerns about managing them, I would never use another phone.  The app marketplace is not on-par in terms of absolute quantity, but what is there is of high quality and the selection is broad enough to facilitate more time wasting and work-from-Starbucks activities than you can probably justify with a straight face.

For the first time in as long as I can remember, I love my phone.

Friday, November 11, 2011

Froyo Snackins

It took careful explanation by a "fandroid" over lunch one day to understand Froyo, Gingerbread, and Ice Cream Sandwich.  Are they even trying?  Is there a dartboard somewhere in Google headquarters with a dessert menu stapled to it?

If you struggle like me with all the TOMS shoe-wearing meme-ery going on around the Android camp, you'll be happy to know that each subsequent "major" version of an Android operating system gets a new name, and each new name starts with the next letter in the alphabet.  Froyo begat Gingerbread, which begat Ice Cream Sandwich (F-G-I).

Given that, the next Android OS name will begin with a "J", the one after that a "K", and so on.  Which got me to thinking...if I were to be as dopey as possible, what names would I come up with for future Android releases?

The following is the fruit of that labor.

  • J - tough call, but either Jelly Roll or Jujube
  • K - should be Key Lime Pie, but with these people you might well get Kaiserschmarrn
  • L - Ladyfinger?  Maybe, but that ruins tiramisu later.  I'm going with Lemon Bar
  • M - Mincemeat Pie.  Yes, going for stupid intentionally.  Tough to out-stupid "Froyo".
  • N - They like cold stuff don't they.  Neapolitan Sundae?
  • O - would ABSOLUTELY HAVE TO BE Oreo Cookie, but if that would cost them a cent, you'll get Orange Sherbet and like it.
  • P - Peanut Butter Fudge
  • Q - um, let's hope the next great thing is out by then.

Happy Friday.

Thursday, October 06, 2011

On the Passing of Steve Jobs

On the day after the passing of Steve Jobs, it's popular to say what an incredible innovator and pitchman and pioneer he was.  And he was all of those things.  It's also popular to say that his legacy, in the form of Apple Computer, puts him into a league of his own in terms of accomplishments in affecting the technology industry, and society at large.  His importance as an American businessperson cannot be overstated.

Looking ahead though, it's not difficult to harbor grave fears for the long-term future of Apple.  That company lived and died with Steve Jobs, and the truth of that is evidenced by the financial performance and market capitalization of Apple during his periods of tenure versus its performance in his absence.

What made Apple remarkable was Steve Jobs.  That's easy to say but perhaps harder to understand.  Jobs had an unyielding sense of what made a product great, and an almost pathological inability to tolerate anything which fell short of his standards.  He set the bar at Apple, and continued to raise it higher and higher over time.  He was uninterested by bureaucracy, deadlines, investor expectations, or anything else that would result in Apple delivering a less-than-perfect product.  Was he always right?  No.  But, any deficiency in an Apple product - especially a new one - could never be blamed on an attitude of "just push it out now, we'll fix it in the next version."  That is the singular quality of Steve Jobs which, paired with his remarkable ability to envision technology operating in such a way as to be compelling to huge swaths of people, resulted in Apple becoming the largest, most valuable company in the world.  Steve Jobs was bigger than everything other than God, and there's a good likelihood that even God uses an iPad.

And now that's gone.  There's no-one left at Apple who made the name for themselves that Jobs did - there couldn't be.  What does that mean?  Can they really maintain that level of inspiration among Apple employees, and that fierce dedication to quality above all else?  Can they really continue to fan the flames of true innovation indefinitely, as Jobs had, or are we in for a long future of repackaged/reshuffled products in the catalog as it appears today?

To me, this more than anything, will be his legacy.  A leader has many obligations and duties, and one of them is succession.  Has Jobs adequately instilled a sustainable culture at Apple, and has he done a good job at surrounding himself with people who can seamlessly carry on his vision and prepare the next generation of leadership, indefinitely?  Has he really built an Infinite Loop in Cupertino?  Only time will tell.

In the mean time, we will mourn the passing of a technology icon - a man without whom the world as we know it would be a lot worse.  Rest in peace, Steve.

Thursday, September 01, 2011

They Live

Ever since finding out about Google Cloud Print embedded into the Chrome browser, I feel like I'm living in a Sci Fi movie. I've discovered a nefarious secret plot, and nobody else is onto it yet. When you search for information on it, you see nothing but happy people who think it's cool but probably haven't used it.

I tried to use it, and it scares the hell out of me.

Our firewall and proxy servers are pretty well bolted down. They don't allow any traffic we don't explicitly name, and we blacklist a ton of URL's above and beyond what the filtering software blocks. Google Chrome's Cloud Print just works, right out of the chute, in ways that are difficult to track down exactly.

From a firewall standpoint, we were able to shut it off entirely, but through the proxy, it's a far trickier operation. The conversation essentially goes from client to directly. It hops to SSL pretty much right away, meaning you have no idea what's going on from a packet capture standpoint. It's all on port 443, and it just works. Google can see behind your firewalls and into your enterprise, using Chrome as a spy agent.

I am not a fan of that for a lot of reasons that should be obvious. I'm even less of a fan of the fact that I cannot cleanly and easily lock down that capability. The options I have are draconian and will definitely result in an internal shit-storm.

Apparently "do no evil" is an increasingly subjective and malleable standard for the Google juggernaut, because this is pretty damned evil.

Monday, July 11, 2011

Everyone's a Cloud Expert

In case anyone wonders why discussions of Cloud Computing are met with such broad skepticism and cynicism, I submit to you Exhibit "B" in the case against the cloud. (Exhibit "A", of course, is the question of "what happens if you, the service provider, end up being terrible?")

This example demonstrates how tenuous a grasp even those selling and advocating cloud technologies seem to have on the concept. They end up prattling on ad nauseam with a collection of garbled nothing-speak that causes the eyes to roll back in one's head.

"Why Cloud Computing Must Evolve" - wait, what? It has barely been born, yet you talk about it as if it were a foregone certainty.

The adoption of cloud computing — with businesses running a significant portion of their applications in the cloud — is on the verge of becoming ubiquitous. This marked increase in the use of the Internet for accessing computing resources will necessitate an evolution in the cloud computing network, which will include accessing public and private data.

"On the verge of becoming ubiquitous." Really! Eddie's in the space-time continuum, you say?

The rest of the article is a thinly-veiled effort to drum up interest in the author's company, and as an advertising piece goes, it is pretty lackluster. It seems to me that those who will be successful in marketing their product, will be able to do so in simple terms anyone could easily understand.

Thursday, April 28, 2011

That Took Long Enough

It's tough to imagine that it's been eight years since Novell appointed the single least effective C-level officer in the history of modern business, John Dragoon, as its head of marketing. Today, at last, and perhaps far too late, they are free of him.

It's interesting that the chief marketing officer of a (formerly) great technology company like Novell could go 6 months without updating his blog, after having done so fairly regularly at least in the beginning. This speaks to his utter failure to move the needle even the slightest bit despite having all the time in the world and a canyon full of cash to spend.

Novell's best marketers have always been its customers. That is a sad truth, because its customers have no business being the primary marketing vehicle. It was as if Novell was content with the status quo. Rely on a fickle and often under-equipped channel to deploy and maintain increasingly complicated products (a model that should have disappeared with the emergence of NetWare 4 and NDS, since hardly anyone understood what was happening until they attended expensive training); and allow the people who know and use the products - customers - to sell the advantages over Microsoft.

At the time, Microsoft's data-center (ha!) offering was incredibly weak. No-one who did an objective and thorough evaluation of Novell vs. Microsoft for file & print services would have bothered with Microsoft until roughly 2003, at which point it was becoming clear Microsoft was doing a better job of integrating all their stuff, courting developers, and (ding ding ding) marketing - than Novell. Eight years on, John Dragoon's complete and miserable failure is evident. Novell is almost a distant memory, and even the most loyal key Novell employees and customers have jumped into Microsoft's warm waters. And guess what, it's really nowhere near as bad as we had been making it out all of those years. Not now it isn't.

Dragoon is far from alone in taking the blame for Novell's inexplicable failure to dominate the enterprise IT microcomputer landscape. The board of directors has installed one feckless leader after another, and none of them seem to understand the value of what they have. Sure, they're good business people and have a lot of relationships, blah blah blah, none of that matters (or mattered, more appropriately) as we can plainly see.

But John Dragoon had a real chance to make a difference and stem the tide. He had the enthusiasm of a lot of passionate people to build upon, all of whom were begging and pleading for Novell to do a better job selling the story into the board room rather than relying on grass-roots, organic growth to occur in every customer's IT shop. The most we got out of him was some magazine ads that looked foreign to even Novell employees. Nobody had any idea what they were selling. It looked like buzzwords in search of problems. In many, many ways, Novell continually missed the mark.

It is sad to see what was a company of such bright people doing such amazing things become a wilted husk of its former self. I am glad to see Dragoon gone, but I know it's too late for it to make any difference. It's hard to know where Novell should go now, but I think we have enough data to know with certainty that this path leads nowhere for them.