The heartbleed vulnerability

Heartbleed is a major online security vulnerability in a widely used, open-source encryption library named OpenSSL. The OpenSSL library is found in nearly 70% of all webservers on the internet as well as in many other software products. The vulnerability allows any attacker to compromise the private encryption key of the webserver. It also allows any attacker to remotely read pieces of data directly out of the server's memory. These are both extremely serious flaws. The fix requires IT staff to first update the OpenSSL library, then replace the SSL certificate with a new one. This is both time consuming and costly. If you are running any Linux-based webserver, particularly any on the public internet, you need to immediately check the version of OpenSSL and remediate if required.

Note that this vulnerability does not exist on a standard Windows web server running IIS.

The most recent release of VMware ESXi, version 5.5, is affected by the bug and there is no patch currently available. Standard security practice is to segment the management IP addresses from the rest of your network to prevent a malicious user from compromising your vSphere host. If you are running 5.5 and you have not segmented the management network, do so immediately. This is the only workaround available as of April 10th, 2014 at 10:15AM Central.
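One way to do the "check the version of OpenSSL" step from the shell, added here as an example that is not part of the original post and not from the OpenSSL project. It assumes a POSIX sh and an openssl binary on the PATH. The affected range it encodes (1.0.1 through 1.0.1f and 1.0.2-beta1 vulnerable, 1.0.1g and later fixed, the 0.9.8 and 1.0.0 branches never carrying the heartbeat code) comes from the CVE-2014-0160 advisory linked below. The function names heartbleed_status and check_local_openssl are my own.

```shell
#!/bin/sh
# Added example (not from the original post): classify an OpenSSL version
# string against the CVE-2014-0160 (Heartbleed) affected range, then apply
# it to the library installed on this host.
#
# Caveat: Debian, Ubuntu and Red Hat backport security fixes without
# changing the version letter, so "1.0.1e" can be a patched build. Treat
# "vulnerable" from the version string as "needs confirmation" and check
# the package changelog or the build date (openssl version -b) before
# deciding the host is actually exposed.

heartbleed_status() {
    ver="$1"
    case "$ver" in
        1.0.1)         echo vulnerable ;;   # bare 1.0.1 (March 2012)
        1.0.1[a-f]*)   echo vulnerable ;;   # 1.0.1a .. 1.0.1f, incl. "-fips" builds
        1.0.2-beta1*)  echo vulnerable ;;   # the one 1.0.2 pre-release with the bug
        1.0.1[g-z]*)   echo fixed ;;        # 1.0.1g (7 Apr 2014) and later letters
        1.0.2*|1.1.*|3.*) echo fixed ;;     # branches released after the fix
        0.9.*|1.0.0*)  echo unaffected ;;   # heartbeat extension never present
        *)             echo unknown ;;
    esac
}

check_local_openssl() {
    # "openssl version" prints e.g. "OpenSSL 1.0.1e 11 Feb 2013"; field 2 is the version.
    v=$(openssl version 2>/dev/null | awk '{print $2}')
    if [ -z "$v" ]; then
        echo "openssl binary not found on PATH"
        return 2
    fi
    status=$(heartbleed_status "$v")
    echo "installed OpenSSL $v: $status"
    # Non-zero exit makes this usable from a config-management or cron check.
    [ "$status" = fixed ] || [ "$status" = unaffected ]
}

# Usage: sh heartbleed_check.sh --local
if [ "${1-}" = "--local" ]; then
    check_local_openssl
fi
```

Run it with --local on each Linux host; a non-zero exit means the version string is in the affected range or could not be classified. Remember that a patched library is only half of the fix described above: any process that loaded the old library must be restarted, and the certificate still has to be reissued because the private key may already have been read out of memory.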

Technical details on the bug can be found here:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Here are official releases from various vendors on this vulnerability:

VMware - http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2076225

Cisco - http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

Juniper - http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10623

Citrix - http://support.citrix.com/article/CTX140605

Fortinet - http://www.fortiguard.com/advisory/FG-IR-14-011/

Barracuda - No official statement found, although I have verbal confirmation that multiple Barracuda products are vulnerable. A patch already exists for the Message Archiver product.

Palo Alto Networks - http://researchcenter.paloaltonetworks.com/2014/04/palo-alto-networks-addresses-heartbleed-vulnerability-cve-2014-0160/

VMware recertification

VMware just announced a new recertification policy for the VCP. A VCP certification expires 2 years after it is achieved. You can recertify by taking any VCP or VCAP exam.

Part of VMware’s justification for this change is “Recertification is widely recognized in the IT industry and beyond as an important element of continuing professional growth.” While I do agree with this statement in general, I don’t believe this decision makes much sense for several reasons:

  • Other vendors – Cisco and Microsoft as two examples – expire after 3 years, not 2 years. Two years is unnecessarily short. It's also particularly onerous given the VMware course requirement for VCP certification. It's hard enough to remain current with all of the vendors' recertification policies at 3 years.

  • Other vendors – again, Cisco and Microsoft as examples – have no version number tied to their certifications. You are simply "MCSE" or "CCNA". With VMware, you are "VCP3", "VCP4", or "VCP5". The certifications naturally age themselves out. A VCP3 is essentially worthless at this point. The VCP4 is old, and the VCP5 is current. An expiration policy doesn't need to be in place for this to remain true.

  • The timing of this implementation is not ideal. VMware likes to announce releases around VMworld, so we're looking at August 2014 for 6.0. Most VMware technologists will be interested in keeping certifications with the current major release, so demand for the VCP6 will be high. Will the certification department release 6 in time for everybody to test before expiration? It's really a waste of my time and money to force me to recertify on 5 when 6 is right around the corner.

  • The expiration policy makes no sense in light of the policy on VCAPs and VCPs. Currently, any VCP makes you eligible to take a VCAP in any of the three tracks, and achieving the VCAP in a track automatically gives you a VCP in the same track. This is a significant timesaver for those of us who are heavily invested in VMware – skip the entry level exam and go straight to the advanced exam. VCAP exam development is obviously even slower than VCP exam development. I have doubts that the VCAPs will come out quickly enough to meet the March 2015 deadline.

  • Adam Eckerle commented in his blog post: "I also think it is important to point out that I think it encourages individuals to not only keep their skills up to date but also to branch out. If your VCP-DCV is going to expire why not take a look at sitting the VCP-DT or Cloud, or IaaS exams? If you don't use the Horizon products or vCloud Suite as part of your job that can be difficult." I agree that in some cases, this might encourage you to pursue a certification in a separate track. Before I had the desktop certifications, I might have considered accelerating exam preparation to prepare for this recertification date. However, I already own 4 of 6 VCAPs. Even as a consultant I have no use for vCloud; there's just not enough demand from our customers to build a practice area around it. There's currently no business benefit in pursuing the Cloud track.

It’s VMware’s program and they can do as they please, but I hope they consider 3 years instead of 2 for recertification.

Christian Mohn's blog has a fairly lively discussion going on, and Vladan Seget also has some thoughts and comments.

SQL Server imports, multiple columns with the same name

I needed to set up a recurring import of CSV data into SQL Server using BIDS (Business Intelligence Development Studio). The source data contained multiple columns with the same name. SQL Server does not like this situation – it errors out with "There is more than one data source column with the name 'First Name'". One option is to change the column names manually in the source data, but that's not a very good solution for a recurring import.

After a little searching I found that you can rename the source columns when you set up your data source. Change each offending name one time when you set up the import, then the error disappears.

[Screenshot: changing a column name on import]

Samsung S4 turns on when fully charged

This has been slowly driving me insane since I got my S4. I charge my phone overnight on my nightstand. When it is fully charged, the screen turns on and stays on, bathing the room with enough light to summon Batman. I finally found a solution buried in an Android forum.

First, find the Developer options in your settings.

[Screenshot: Developer options]

If you do not have Developer options, tap on “About Phone”.

[Screenshot: About phone]

To enable developer mode, tap on the Build number 7 times. Seriously, you have to tap on it 7 times. You’ll get a message that tells you that you are now a developer.

Now go into the Developer options screen and uncheck "Stay awake". With this setting unchecked, the phone won't wake up and neither will you.

[Screenshot: disabling Stay awake]

Zoning a SAN – The Danger Zone

Updated January 6, 2014

Per @StevePantol's comment below, I won a free signed copy of his and @ChrisWahl's Networking for VMware Administrators, due out at the end of March!

Original Post: January 1, 2014
On New Year’s Eve, @ChrisWahl tweeted:

[Screenshot: @ChrisWahl's Danger Zone tweet]
@StevePantol responded with:

[Screenshot: @StevePantol's reply about lyrics]

Challenge accepted. I officially submit my SAN-themed Danger Zone parody lyrics. To refresh your memory, here is a link to the actual lyrics.

Setting up the switches
Nexus or an MDS
Cables are all ready
One task left before you go

Building fibre channel zones
Adding hosts into the zones

Typin’ world wide names
Lost up in a sea of hex
Thanks for FCNS
Without it you’d be truly vexed

Building fibre channel zones
You will start
Adding hosts into the zones

You’ll never get the port online
Until you bind it to the vfc
You’ll have to keep up with the fight
Until the VSAN membership is right

Hoping to see flogi
Praying to be done and free
The longer that it takes
The greater the insanity

Building fibre channel zones
You finished
Adding hosts into the zones

My CCNA Data Center certification experience

Today, I passed the Cisco 640-916 DCICT exam, achieving the CCNA Datacenter certification. This was my third attempt. I failed my first attempt by 4%. I failed my second attempt by 1% and wrote about my less-than-stellar customer service experience with Pearson Vue in this post.

I primarily studied with Anthony Sequeira's CBTNuggets series - if you have some hands-on experience with basic Nexus configuration tasks, his videos are enough to pass the exam with one caveat. The exam developers at Cisco have taken a step backward in exam quality compared to the CCNA Route & Switch. Most Cisco exams don't expect you to memorize pages of technical specifications, but that's not the case with this exam. It's almost as if they hired a few Microsoft exam developers and had them write Microsoft-style "Under which menu option would you find X feature" questions. Then they mixed those nonsense questions in with the typically straightforward Cisco questions. The result is an annoyingly blended exam that bounces between fair questioning on concepts and worthless memorization. Unfortunately, the straightforward questions aren't enough to balance out the straight memorization.

While using somebody else’s braindump is against the rules, using your own exam experience is not. If you do happen to fail, my suggestion is to write down all of the areas you were confused by immediately – don’t even wait for the drive home, do it in the parking lot of the testing center. You can then take this extremely valuable information home with you and focus your study. Doing this made me understand exactly what pieces I had to memorize and resulted in a pass.

Cloudy, with a chance of software…

When you work in IT, and particularly when you work in consulting, people are into the next big thing. If you're not working on the next big thing, you feel like you're missing something critical.

The buzzword du jour for the last few years has been 'cloud'. Put it out in the cloud, the cloud makes business more agile, the cloud saves money, etc. The cloud has its place, but you have tradeoffs. You have no control over the environment. You have to continually pay for licensing – in the cloud, you own nothing. You don't even own the data – legalities aside, the data is sitting on equipment that you don't own. The cloud provider could go offline at any point, leaving you high and dry. I don't really think that Amazon will go out of business soon – but what happens if it did? Backups, obviously, but now you have to look at how to back up and recover your cloud environment.

In the past, if you bought Exchange 2007, you owned it. If your cash flow meant you couldn’t afford Exchange 2010 when it came out, then you kept running 2007. In the new cloud world, you’re bound to a monthly or annual subscription. A cash flow problem means your business stops. I don’t object to looking for cloud solutions to many business problems, but people seem to be rushing to the cloud without considering all of the ramifications.

Death Certificates for Exam Cancellation – Another Reason to Loathe Pearson Vue

ADDITIONAL UPDATE 10/28/2013

VMware uses Pearson Vue for all of their certification exams. I have had several interactions with VMware’s certification personnel due to my participation in the VMware Beta exam process. I forwarded this blog post to Randy Becraft, Senior Program Manager, VMware Certification Team. After discussion with the Vue program manager assigned to VMware, Randy provided me with the following bullet points:

  • Pearson VUE delivers thousands of exams to hundreds of clients each month. Theirs is a business that has to have policies that apply to the large volume of candidates.
  • Some test centers have very high volume. Cancellations—particularly at the last minute—cost the test center revenue.
  • Historically enough candidates cancelled so many tests the same day that Pearson VUE had to implement a policy to provide a “buffer” from that business risk, hence the 24-hour cancellation policy.
  • When a cancellation must occur within the 24-hour period for a legitimate reason such as a death in the family, some form of documentation is required to ensure the cancellation privilege is not abused. In the case of a death in the family the policy does not specifically require a death certificate, though that is what was communicated in Patrick’s specific case. For instance, a newspaper death notice is acceptable.

UPDATE 10/28/2013

During my April encounter with Vue, I spoke with a customer service manager. I called him last week and left a voicemail asking for a call back.

The staff running @PearsonVue's Twitter account saw a flurry of retweets of this blog post. I received a DM this morning saying that I'd be contacted by one of the Vue staffers.

The customer service manager who got my voicemail just sent me an email. I did not explain my situation in the voicemail; I assume that the social media staff at Vue forwarded the Twitter activity to him. The email says:

Hi Patrick,

I got your VM this morning. Sorry I was in training last Thursday and Friday and missed your call.

While it absolutely is policy to need some sort of documentation to waive the reschedule policy for a death in the family, I booked you for a new exam for end of November as a customer service gesture. You can go online, call our call center or give me a call to reschedule to a date/time that works better for you. I am very sorry for your loss. Please let me know if you have any questions or if there is anything else I can do for you.

Although I'm pleased that the manager did what I believe to be the right thing, I have to think it's primarily because of the bad publicity on Twitter. Another victory for social media.

Original post 10/26/2013

I failed my first attempt at the Cisco 640-916 DCICT exam by 4%. I studied in the evenings for a few weeks afterward, prepping for the retake. I worked a maintenance window for a client on the evening of October 23rd, finishing around 10PM. I was scheduled at the same client on the 24th, but that was a backup date in case the 23rd had problems. With no work left to do, I decided to book the exam for 1:30PM on the 24th. This would give me the morning to try cramming useless factoids into my brain.

I was unaware that just as I was booking the exam, a family member was dying. It was a hospice situation; his passing was expected, but the speed with which it happened was not.

I got the call at 7AM.

I notified work. They didn’t ask for a death certificate. I cancelled my son’s appointments. They didn’t ask for a death certificate.

Then I called Pearson Vue. The cancellation policy requires 24-hour notice, an absurdity on its face because I booked the exam inside the cancellation window – 15 1/2 hours before the scheduled time. This policy means I couldn't have cancelled the appointment ten seconds after making it. I booked it at an exam center with literally dozens of exam slots open – I didn't take the final slot available on the 24th and prevent somebody else from testing on that day.

The Vue person demanded a death certificate. I won’t repeat exactly what I said in reply – I suppose the best way to put it is that I ‘impolitely declined’. Vue said there was nothing else that could be done and my exam fee would be forfeited. I hung up.

My wife and I planned to drive up to another family member’s house, which happened to be close to the testing center. At some point I began stewing over what had happened and decided if I forfeited the exam fee, Vue was somehow winning – beating me, stealing the exam fee. I can’t say the logic was sound, but that’s how my mind was operating at the time. I popped out and sat the exam for the second time. I failed by 10 points out of 1,000.

Since 2009, I have sat 21 exam sessions at Pearson Vue at a total cost of $5,000. I haven't canceled any sessions, although I've had an exam canceled due to Vue's gross incompetence. I think it's reasonable to give me the benefit of the doubt that a family member did indeed pass away. I would think that even the questionably skilled techs at Vue could design a way to track same-day cancellations. It could be a single field on a form; one column in a database; even just an entry in the comment field. Perhaps Vue could consider dropping the policy altogether. Are there really that many people cancelling appointments on the same day? People spend countless hours preparing for these exams; I highly doubt that there is a flood of same-day cancellations other than true emergency situations.

I wish I could say that I was going to avoid a Vue testing center from now on, but that’s obviously not going to happen due to my career requirements.

Fixing artifacts in an RDP session

Most Windows admins spend quite a bit of time in RDP windows. I can't imagine how many RDP sessions I've used since I started in IT 15 years ago, but it's conservatively more than 10,000 (4 times a day x 5 days per week x 49 weeks a year x 15 years).

In all of that time and all of those sessions, never once have I come across these artifacts in my RDP session:

[Screenshot: artifacts in the RDP session]

It took me quite some time in Google to find the answer, and I ended up finding an obscure post mentioning something about bitmap caching. I disabled bitmap caching on my RDP session and the problem disappeared.

[Screenshot: disabling persistent bitmap caching]

The persistent bitmap caching feature prevents the RDP client from re-downloading the same bitmap, saving bandwidth and improving the user experience. I don't know what particular set of configurations caused this to happen, but now I know how to get around it.

My Cisco 640-911 (DCICN) exam experience

I passed the Cisco 640-911 exam today on my second attempt. I failed the first attempt with an 809/1000 – passing was 818. I’ve failed other exams by razor-thin margins before, like the VCAP4-DCA and VCP5-DT exams by 2%, but this is the first time I’ve ever failed by less than 1%.

The 911 exam is the first of two exams required for the CCNA Data Center certification and is roughly analogous to the ICND1 exam for the CCNA. However, unlike the regular CCNA, you don't have multiple options for taking the exam. For the CCNA you can take the ICND1 and ICND2, or the single CCNA exam. There is no such option for the CCNA Data Center; you must sit both the 911 and 916 exams.

I was a bit disappointed by some of the questions. Nexus is supposed to be a next-generation platform, yet I was tested on legacy tech that isn’t at all relevant to the Nexus or even any modern data center. I added some fairly blunt comments during the exam and I hope the questions that I flagged are considered for removal.

I used Todd Lammle's CCNA Data Center study guide for this exam. If you take the time to work through the entire book, working all of the examples and practice questions, you will pass the exam. I was a bit overconfident the first time, assuming I could easily pass this exam by simply skimming the material – it brought me close, but not close enough. The second time I made sure to slowly go through the entire book, and it paid off with a pass, and I even got 100% on some of the exam sections!