[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] December 2008 - Posts - THE OFFICIAL BLOG OF THE SBS "DIVA"


Zune.net:
http://forums.zune.net/412486/ShowPost.aspx

Early this morning we were alerted by our customers that there was a widespread issue affecting our 2006 model Zune 30GB devices (a large number of which are still actively being used).  The technical team jumped on the problem immediately and isolated the issue: a bug in the internal clock driver related to the way the device handles a leap year.  The issue should be resolved over the next 24 hours as the time change moves to January 1, 2009.   We expect the internal clock on the Zune 30GB devices will automatically reset tomorrow (noon, GMT). By tomorrow you should allow the battery to fully run out of power before the unit can restart successfully then simply ensure that your device is recharged, then turn it back on.  If you’re a Zune Pass subscriber, you may need to sync your device with your PC to refresh the rights to the subscription content you have downloaded to your device.

I'm not even going to ask what it means if you are traveling and don't have access to the PC where your Zune normally syncs.

Posted Wed, Dec 31 2008 16:18 by bradley | 1 comment(s)

http://www.msnbc.msn.com/id/28449091/wid/11915829?GT1=40006

Microsoft also said that “the issue should be resolved over the next 24 hours as the time change moves to Jan. 1, 2009.”

Temporary glitch in the matrix is all.

Posted Wed, Dec 31 2008 15:39 by bradley | with no comments

New ways of doing the same old things are sometimes hard to get a handle on.  Sharing out printers in the 2k8 era is like that.  Since the server is 64bit, when you attach a 32 bit workstation, the native driver isn't 32bit but 64 bit.

One of the ways you can deploy printers is a utility called pushprinters.exe.  But there's a problem where the 32bit version isn't on the box.  You can either build the 32bit version of Pushprinters.exe or grab it from the link talked about here http://www.activedir.org/ListArchives/tabid/55/forumid/1/postid/32125/view/topic/Default.aspx

Like Philip said, put it on a USB flash drive -- http://blog.mpecsinc.ca/2008/11/x86-pushprinterconnectionsexe-must-for.html

Chad has some posts about things that are different as well... http://msmvps.com/blogs/cgross/archive/2008/12/16/the-death-of-ifmember.aspx and http://msmvps.com/blogs/cgross/archive/2008/12/16/installing-group-policy-preferences-client-side-extensions.aspx

 

Jamison got first hit with the black screen of death of Vista during his vacation.  Now he's got two little ones with 30 gig Zunes, and he's not looking forward to turning them on and seeing if they work for his two kids for the plane ride back.  Ugh.  That could be a long plane ride for him.

Major Nelson's twitter feed (1) says the following:


The team is working now to isolate the issue and get it addressed. Keep an eye on http://www.zune.net/en-US/support for an update. (about 1 hour ago, from web: http://twitter.com/majornelson/status/1088297066)

Hang loose and stay tuned to that bat channel.

(1) Okay so when it's a business emergency or an event with announcements that's when twitter makes some sense, but the rest of the time if you want to know what I'm doing right NOW(2), we have an attention deficit problem on our hands.  California on 1/1 has even banned text messaging during driving due to the hazard it causes. 

(2) On a train to LA to spend New Year's with Friends.

Posted Wed, Dec 31 2008 10:15 by bradley | 2 comment(s)

As one comment on the post says... all 6 Zune users impacted...

Yup dead as a doornail.

http://gizmodo.com/5121311/reports-30gb-zunes-failing-everywhere-all-at-once

Status:

Customers with 30gb Zune devices may experience issues when booting their Zune hardware.  We’re aware of the problem and are working to correct it.  Sorry for the inconvenience, and thanks for your patience!

Posted Wed, Dec 31 2008 8:36 by bradley | 3 comment(s)

Indy has a comment that self signed certs are now "more secure" than third party ones.

http://msmvps.com/blogs/bradley/archive/2008/12/30/the-sky-is-only-partially-falling-today.aspx#comments

I disagree.  Why?  Because we're training our end users to blindly click on certificates.  So are you going to sit down with folks and tell them to go ahead and examine each time they use a self signed cert?  I don't think you will, but that's what we'll need to ask someone.  Can they trust the certificate chain all the way back?  Can you train them on what to look for for bad certificates?  Granted our best mitigation is to train users to be more paranoid and not blindly click in general.

"Most attacks will probably still use bad certificates and ask the user to click "ok" to accept the bad certificate."

http://isc.sans.org/diary.html?storyid=5590

 

So in reading this blog post http://blogs.technet.com/swi/archive/2008/12/30/information-regarding-md5-collisions-problem.aspx before this one http://blogs.technet.com/msrc/archive/2008/12/30/information-on-microsoft-security-advisory-961509.aspx one got the impression that all MD5 based certificates are bad and should be chucked out the window.

Cool we can do that, open up that MMC snap in and TAKE THAT you potentially rogue certs!

1. Add the Certificates snap-in to the Microsoft Management Console.

a. Click the Start button, click Run, type mmc, and click OK.
b. Click the File menu, and select Add\Remove Snap-in.
c. Click the Add button, then select the Certificates snap-in and click Add
d. Select Computer Account and click Next
e. Click Finish.
f. Click Close.
g. Click OK.

2. Expand Certificates (Local Computer).
3. Expand Trusted Root Certification Authorities.
4. Click on Certificates.
5. Backup and then delete trusted root certificates that you are not using in your environment.

So we can use this process to also look at EVERY root cert in our trusted store and chuck out the door any cert that is based on MD5 right?

But hang on, not so fast.  Some of those certificates are Microsoft ones, and in fact, per "Trusted root certificates that are required by Windows Server 2008, by Windows Vista, by Windows Server 2003, by Windows XP, and by Windows 2000" (http://support.microsoft.com/default.aspx?scid=kb;EN-US;293781), there are a couple of key certificates that one shouldn't export and delete even though they are MD5 based:

That one, in fact, happens to be an MD5 based cert.

But what does that mean?

For this particular certificate it means that any new certificates signed by Microsoft with an MD5 hash would be suspect, but they don't sign today's certificates with MD5 anymore.

It means that the attack is still very much in the theoretical, not the actual "sky is falling", realm.  It still means that we do need to train people to not blindly click on certificate errors.  And if you don't understand the full impact, ask smarter people than you, like I did, to explain it in better detail.
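
The by-hand review of the trusted root store described above can be scripted. This is an added example, not from the original post: it assumes Windows PowerShell 3.0 or later, the variable names and backup folder are illustrative, and it only lists and backs up MD5-signed roots without deleting anything.

```powershell
# Added example: inventory the machine-wide Trusted Root store by signature
# algorithm and back up the MD5-signed entries. Nothing is removed.

# Assumption: the backup folder is arbitrary; point it wherever suits you.
$BackupDir = Join-Path $env:TEMP 'root-cert-backup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# OID for md5WithRSAEncryption. Matching on the OID is more reliable than
# matching the friendly name, which can vary by OS language.
$Md5RsaOid = '1.2.840.113549.1.1.4'

# Same store the MMC steps open: Certificates (Local Computer) >
# Trusted Root Certification Authorities.
$roots = @(Get-ChildItem -Path Cert:\LocalMachine\Root)

# One row per root certificate.
$report = foreach ($cert in $roots) {
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Algorithm  = $cert.SignatureAlgorithm.FriendlyName
        IsMd5      = ($cert.SignatureAlgorithm.Value -eq $Md5RsaOid)
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt (Get-Date))
    }
}

# Back up every MD5-signed root as a DER-encoded .cer file named by thumbprint,
# so the "backup" half of "backup and then delete" is done before any decision.
$md5Certs = @($roots | Where-Object { $_.SignatureAlgorithm.Value -eq $Md5RsaOid })
foreach ($cert in $md5Certs) {
    $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $path = Join-Path $BackupDir ("{0}.cer" -f $cert.Thumbprint)
    [System.IO.File]::WriteAllBytes($path, $der)
}

# Summary: how many roots use each signature algorithm.
$report |
    Group-Object -Property Algorithm |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Count, Name -AutoSize

# Detail: the MD5-signed roots. A root's own signature is a self-signature;
# as the post notes, the exposure is in certificates a CA signs with MD5.
# Check this list against the required-roots KB article linked in the post
# before removing anything.
$report |
    Where-Object { $_.IsMd5 } |
    Sort-Object -Property Subject |
    Format-Table -Property Subject, Thumbprint, SelfSigned, NotAfter, Expired -AutoSize

"{0} of {1} trusted roots are MD5-signed; backups written to {2}" -f `
    $md5Certs.Count, $roots.Count, $BackupDir
```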

 

Posted Tue, Dec 30 2008 17:37 by bradley | with no comments

So for everyone concerned, the sky is only partially falling today.  If you've been reading the security news, you've probably seen the links to

http://www.win.tue.nl/hashclash/rogue-ca/ and to http://www.phreedom.org/research/rogue-ca/md5-collisions-1.0.ppt and to http://www.microsoft.com/technet/security/advisory/961509.mspx and to http://blogs.technet.com/msrc/archive/2008/12/30/information-on-microsoft-security-advisory-961509.aspx and finally to http://blogs.technet.com/swi/archive/2008/12/30/information-regarding-md5-collisions-problem.aspx

So what are the best mitigations?  Firstly, normal GoDaddy certs are indeed based on SHA1 and not MD5.

Next, train folks to stop at bad or broken SSL certs.  Yes that means buying third party certs for your SBS boxes and not using self signed.

On a related note, one of my pet peeves (and one of Darryl Roberts') is when you install an update to the root certificates on your server and then it throws off an Event 36885 Schannel error in your event logs.  The 'fix' is to tell you to remove those certificates you don't need.  Okay..but.... which ones?  There are 219 of 'em, which ones do I not need?

Interestingly enough, certs number 5 and 6 in that view are based on MD5, and given that I live in Fresno, not France, methinks I'll back those up and export them out since they are based on MD5 anyway.

But if you are seeing the Schannel issue...

Windows Event ID 36885 from Schannel:
http://www.eventid.net/display.asp?eventid=36885&eventno=8846&source=Schannel&phase=1

Darryl reported that this hotfix (which isn't just for IAS servers but any server) will allow that repository to increase as it should to hold the proper root certs.

Clients cannot make connections if you require client certificates on a Web site or if you use IAS in Windows Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;933430

Microsoft SMB Community Blog : Part numbers for the SBS SA benefits media kits you need from my earlier post:
http://blogs.msdn.com/mssmallbiz/archive/2008/12/09/9188009.aspx
Microsoft SMB Community Blog : How do we get the SBS Software Assurance benefits such as: Outlook 2007, Entourage 2008, ISA 2006 + additional Windows Server 2003, and Office SharePoint Designer 2007 now that SBS 2008 is out?:
http://blogs.msdn.com/mssmallbiz/archive/2008/12/05/9180289.aspx

I called 866-324-7110.  The person on the other end of the line knew what I was talking about.  Hooray!  So far so good in the saga of obtaining Software Assurance benefits.

I'll keep you posted when I get the SA media of 2k3/Outlook/SharePoint Designer/ISA 2006.

Posted Tue, Dec 30 2008 12:20 by bradley | 1 comment(s)

Downloadable documentation for Windows Small Business Server 2008:
http://technet.microsoft.com/en-us/library/cc707659.aspx

Regardless of what the dates say on the page...

The downloadable migration documents are actually December not June documents.

http://technet.microsoft.com/en-us/library/cc707659.aspx

Ensure you download them from there and disregard the "June" updated date.

Mac owners are supposed to be buzz loving, cutting edge, technology loving folks, right?

HP MediaSmart Home Server may get some competition from Apple | 9 to 5 Mac:
http://www.9to5mac.com/apple-home-server

So when a Mac web site talks about how the Home Media Server now supports Macs as a backup-able client as well as integrating iTunes, and the discussion turns to hosted models, notice on that post how many technology loving, cutting edge Mac users are saying "I don't trust the cloud for my data".

So here's a question that's been bugging me about all of this cloud computing stuff.  Okay so I'll be the first to admit that I don't do "best practices" when it comes to separation of networks and duties and all that.  I don't have my databases restricted from the Internet, I don't have workstations that also deal with SSNs separated out either.  But while "they are out to get me", they aren't out specifically to get me.  I'll be nailed by stupidity as much as I will be for insecurity. 

Fast forward to when yours, mine, and ours is on the web on one set of data centers, won't that be a site that is extremely targeted by every Tom, and Harry hacker?  Why try to build malware to go after desktops and capture information when one can put their sights on the Perot Data Centers in Plano, Texas (which is where some of my vendors host their servers)?  There's another fundamental sticky question that everyone is glossing over a bit (in my opinion).  The risk of the data all plopped down in one spot (or one distributed spot held by a vendor).

I'm speaking not as a techno geek head here but as a person tasked with making business decisions about my clients' very sensitive (and regulated) data.  I'm seeing that many small businesses are careful with their data.  To the point of paranoia and want assurances.

So when all of our vendor is housed in Data Centers in Plano Texas, or in Northwest Washington, or in containers in Chicago, they are behind banks of known IP addresses right?  And they can't be entirely restricted from access since I need to get to that data myself.  So there still needs to be access, data transmitting across lines,

So my question that I don't know the answer to is about risk:  When the data is there all in one spot, can they, with all of their best practices, provide enough safeguards that my small pot of data has by being lesser of an economic target?  I've also been in situations where I've seen data centers not have transmissions to them protected via SSL.  With one particular vendor this has occurred twice.  Neither time did this vendor give me appropriate guidance as to whether I needed to disclose this to the impacted clients and I had to investigate on my own.  Do I have the right to inspect their external security audits?  Should my clients have the ability to ask me sticky questions as well?

It's in a vendor's best interests to manage a security incident, let's be honest about that.  Will this fundamental issue of clients' rights of disclosure only get addressed via regulation?

Needless to say, it will be interesting as we go forward, fasten your seat belts!

Science and technology march forward - CNN.com:
http://www.cnn.com/2008/TECH/12/26/yir.scitech/index.html

Some of the comments regarding twitter have been interesting to read.

"Twitter tells us what we are doing right NOW".  Is it really important that I know what you are doing right NOW?  I think I need a life if I'm that into you that I need to know what you are doing every waking moment.  Or better yet, you need to be concerned that I'm stalking you and want to know what you are doing.  I really don't want to know what you are doing every moment especially if it includes parts of your life that shouldn't be public. 

"But companies use it to track users interactions with their products"  And that's exactly where I think it makes the least amount of sense.  It's a one to one support model in 140 characters or less.  Support has to be scalable.  It also has to be findable.  Right now if you want to keep an eye on potentially trending items in the tech support world there are....

  • Partner managed newsgroups - some are 1 day turn around, others are 8 hour turnaround, others are 4 hour turnaround.  (There's like at least 4 forums for each product, or so it seems like)
  • Public newsgroups (where today the web interface is messed up).
  • Blogs
  • Third party forums
  • Web sites
  • and yes Twitter and tweetscans where you can set up an email alert to topics -- http://www.tweetscan.com/index.php?s=sbs+2008

And when in the tweetscan there is a person doing a tweet that needs help from resources that are only in a support channel, tweeting about it is not the most efficient way of getting support.  It's a one rant to hopefully someone will read it and reach out channel.  That doesn't scale.  It can get missed in all of the tons of areas that companies need to keep their eyes on.  So I'd argue that as a user of the service, your better resources for support are elsewhere.

Does it make sense from a business microblogging standpoint?    Arguably, the existing corporate blog can be adjusted to have similar results.

All I'm saying is that don't jump on the bandwagon just because the buzz brigade out of San Jose thinks it's cool.  They've thought a lot of products have been cool in the past and have gone on to the next cool thing.  As with any platform of communication, whether corporate or personal, does it make sense for you and your audience?  If it doesn't, don't do "it" just because someone else is.  What is your existing audience or your intended audience's mode of communication?  Does it make sense FOR YOU.

And finally, at the end of the day Twitter needs to find a business viability plan, otherwise it will not be long for this business world.  Technology for technology's sake only works for a while, and then if it's not making the bottom line, investors don't care if it's cool, they want their investment back.

The dirty truth about technology is that supposedly "cool" technology doesn't always win.  It's the stuff that the beancounters in the budget department approve of.  What pays the bills is what's important.

Posted Mon, Dec 29 2008 12:13 by bradley | 2 comment(s)

Welcome to Microsoft Discussion Groups:
http://www.microsoft.com/communities/newsgroups/en-us/

To anyone trying to post to the 2k3 newsgroups today, I have to apologize.  The web interface is totally and utterly messed up to the point that when you click on any discussion group in there you get a Service temporarily unavailable:

So I'd recommend that for today that you not rely on the web interface and use the old, clunky, everyone obviously hates it because everyone keeps pronouncing it dead, NNTP.

news://msnews.microsoft.com/microsoft.public.windows.server.sbs

It's working.

The web isn't.

Posted Mon, Dec 29 2008 12:04 by bradley | 2 comment(s)

Windows Event ID 5038 from Microsoft-Windows-Security-Auditing:
http://www.eventid.net/display.asp?eventid=5038&eventno=8922&source=Microsoft-Windows-Security-Auditing&phase=1

Translation ... ignore it.  Supposed to be fixed in the next OS.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/11/2008 10:51:18 PM
Event ID:      5038
Task Category: System Integrity
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      BITZIEVISTA.Kikibitzrtm.local
Description:
Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys 
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>5038</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12290</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2008-12-12T06:51:18.487Z" />
    <EventRecordID>9103</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="64" />
    <Channel>Security</Channel>
    <Computer>BITZIEVISTA.Kikibitzrtm.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">\Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys</Data>
  </EventData>
</Event>

Posted Sun, Dec 28 2008 23:19 by bradley | with no comments

Apple Just Killed Microsoft:
http://www.fool.com/investing/general/2008/12/23/apple-just-killed-microsoft.aspx
The World's Most Influential Companies - BusinessWeek:
http://www.businessweek.com/magazine/content/08_51/b4113043336126.htm
The World's Most Influential Companies: The Influencers - BusinessWeek:
http://images.businessweek.com/ss/08/12/1211_most_influential/index.htm

Seriously.  Is Microsoft so irrelevant to the world?  I'm going to bet that about 90% of you are reading this blog from a Windows platform.  And I'm going to bet that regardless of whether you use Chrome, Safari, or Firefox it's installed on a Windows machine.  And I'm going to guess that it will take a while for this promise of cloud computing where it doesn't matter what platform one uses to come to pass.  Google's Chrome in fact is trying to ensure that you use their Chrome browser for their gmail apps.  But in all of this irrelevant talk one needs to ensure that we're not in an echo chamber of our own making.

I challenge us all not to get wrapped up in the hype.  Don't get caught up in the hype that Windows 7 will solve all the problems of Windows Vista.  Don't get caught up in the hype of cloud computing without doing due diligence.  Don't get caught up in the hype that your clients will magically trust the cloud for housing all of their data.

Make decisions that make sense for business reasons, not for hype.

Posted Sun, Dec 28 2008 21:43 by bradley | 6 comment(s)

That Windows 7 bootleg is a ticking time bomb | Ed Bott’s Microsoft Report | ZDNet.com:
http://blogs.zdnet.com/Bott/?p=618

If you have the PDC build 6801 you do get the IE patch offered up to you.

But in general, don't run betas on production systems (this is a VMware build).

Notice there's more explanation of what security patch is going to be installed?

 

Posted Sun, Dec 28 2008 21:34 by bradley | with no comments

So for the past week I've been unable to update my Mac to 10.5.6 version.  I guess I should look at the bright side that it doesn't tell me to contact my System administrator (ME) to fix it and I wouldn't have a clue.

http://www.pcmag.com/article2/0,2817,2337151,00.asp

PCMag and the Apple discussion boards are a bit messy, and it looks like maybe this is one update to be glad that it's not working.

Apple - Support - Discussions - Installation and Setup:
http://discussions.apple.com/forum.jspa?forumID=1219&start=45

However, based on this, it looks like a reinstall of the OS is in my future.  Ugh.

Apple - Support - Discussions - 10.5.6 unknown installer error ...:
http://discussions.apple.com/thread.jspa?messageID=8644170&#8644170

QuickStart Intelligence, Microsoft Gold Certified Partner and Small Business Specialist, is happy to announce an exclusive opportunity for Microsoft Partners to learn how to Implement and Administer Microsoft Small Business Server 2008 for only $95!

A savings of over $2700 off the regular retail price!

 

This five-day deep-dive training course is being offered on January 12th at QuickStart Intelligence’s San Francisco, Irvine, and Los Angeles offices.
This course was designed specifically for consultants, system integrators, and IT professionals that serve small and medium-sized businesses and want to leverage Microsoft Small Business Server 2008.

 

Partners will learn how to:

·       Install Microsoft Windows Small Business Server 2008.

·       Migrate to Microsoft Windows Small Business Server 2008.

·       Configure Windows Small Business Server 2008 using the Windows Small Business Server 2008 Console.

·       Manage users and groups in Windows Small Business Server 2008.

·       Manage messaging and collaboration in Windows Small Business Server 2008.

·       Manage and monitor Windows Small Business Server 2008.

·       Secure a Windows Small Business Server 2008 network.

·       Expand a Windows Small Business Server 2008 network.

 

Seating is limited, and available on a first come first serve basis.

To learn more visit: http://www.quickstart.com/courses/course.aspx?cat=Server&type=18&course=6445&cid=156

Posted Sat, Dec 27 2008 23:15 by bradley | with no comments

Now that I've just said I don't 'get' Twitter, there are times that Twitter, or a short broadcast platform, may make sense.  It often is showcased by a vendor, not by an individual.

Dell on Twitter : Follow Us:
http://www.dell.com/twitter

Dell has an entire launching pad for their blogs and twitter feeds.

Does it make sense for everyone to embrace web 2.0 for their customer base? 

Six Web 2.0 Tips for Managed Service Providers | MSPmentor:
http://www.mspmentor.net/2008/12/26/six-web-20-and-blog-tips-for-managed-service-providers/

Maybe, maybe not.

Posted Sat, Dec 27 2008 21:38 by bradley | with no comments

http://www.cnn.com/2008/TECH/12/26/yir.scitech/index.html

Twitter is one of those things I still don't get.  Yet here it is top technology of the year.

But is it leading to a world full of short attention span adults that only read 140 characters worth of words before they go off to the next topic? 

140 characters is not much time to develop deep thoughts. 
