Tag Archive for Microsoft

| May 12, 2017
Comments Off on Whose Time Is It?

Whose Time Is It?

Whose Time Is It?What time is it? If you looked at the lower right corner of your Windows PC screen, you know what time it is. That is good enough for most people, but followers of the Bach Seat want to know more. How does Microsoft know that time it is? Microsoft and everybody else uses Internet Engineering Task Force (IETF) RFC 7822 standard protocol called Network Time Protocol (NTP).

Network Time Protocol (NTP)

Network Time Protocol (NTP)NTP is one of the oldest Internet protocols still in use. NTP was designed by UMich alum David Mills at the University of Delaware. NTP can maintain time to within tens of milliseconds over the public Internet, and better than one-millisecond accuracy on a LAN. Like many other things in the network world, NTP is set up as a hierarchy. At the top of the tree are “Atomic Clocks” (Stratum 0). Corporations, governments, and the military run atomic clocks.

USNO NTP ServersAtomic clocks are high-precision timekeeping devices that use the element cesium, which has a frequency of 9,192,631,770 Hertz. That means it “oscillates” a little over nine billion times a second. Knowing the oscillation frequency and then measuring it in a device creates an incredibly accurate timekeeping mechanism. Atomic clocks generate a very accurate interrupt and timestamp on a connected Stratum 1 computer. Stratum 0 devices are also known as reference clocks. The other stratum levels are:

1 – These are computers attached to stratum 0 devices. Stratum 1 servers are also called “primary time-servers”.

2 – These are computers that synchronize over a network with stratum 1 servers. Stratum 2 computers may also peer with other stratum 2 computers to offer more stable and robust time for all devices in the peer group.

3 computers synchronize with stratum 2 servers. They use the same rules as stratum 2, and can themselves act as servers for stratum 4 computers, and so on.

First gen time serverOnce synchronized, with a stratum 1, 2, or 3 server, the client updates the clock about once every 10 minutes, usually requiring only a single message exchange. The NTP process uses User Datagram Protocol port 123. The NTP timestamp message is 64-bits and consists of a 32-bit part for seconds and a 32-bit part for the fractional second. 64-bits gives NTP a time scale of 232 seconds (136 years) and a theoretical resolution of 232 seconds (233 picoseconds). NTP uses an epoch of January 1, 1900, so the first rollover will be on February 7, 2036.

Microsoft Windows Time Service

Microsoft (MSFT) has a mixed history of complying with NTP. All Microsoft Windows versions since Windows 2000 include the Windows Time service (“W32Time”) which was originally implemented to support the Kerberos version 5 authentication protocol. It required time to be within 5 minutes of the correct value to prevent replay attacks. The NTP version in Windows 2000 and XP violates several aspects of the NTP standard. Beginning with Windows Server 2003 and Vista, MSFT’s NTP was reliable to 2 seconds. Windows Server 2016 can now support 1ms time accuracy.

In 2014 a new NTP client, ntimed, was started. As of May 2017, no official release was done yet, but ntimed can synchronize clocks reliably under Debian and FreeBSD, but has not been ported to Windows or Apple (AAPL) macOS.

Accurate time across a network is important for many reasons; discrepancies of even fractions of a second can cause problems. For example:

  • Distributed procedures depend on coordinated times to make sure proper sequences are followed.
  • Authentication protocols and other security mechanisms depend on consistent timekeeping across the network.
  • File-system updates carried out by a number of computers depend on synchronized clock times.
  • Network acceleration and network management systems also rely on the accuracy of timestamps to measure performance and troubleshoot problems.
  • Each individual blockchain includes a timestamp representing the approximate time the block was created.

NTP vulnerabilities

NTP has known vulnerabilities. The protocol can be exploited and used in distributed denial of service (DDoS) attacks for two reasons: First, it will reply to a packet with a spoofed source IP address; second, at least one of its built-in commands will send a long reply to a short request.

Ion-trap time sourceMore vulnerabilities were recently discovered in NTP. SearchSecurity.com reports that security researcher Magnus Stubman discovered the vulnerability and, instead of going public, took the mature route and privately informed the community of his findings. Mr. Stubman wrote that the vulnerability he discovered could allow unauthenticated users to crash NTPF with a single malformed UDP packet, which will cause a null point dereference. The article explains this means that an attacker could be able to craft a special UDP packet that targets NTP, resulting in an exception bypass that can crash the process. A patch to remediate specific vulnerability — named NTP 4.2.8p9  — was released by the Network Time Foundation Project.

This is a Windows-only vulnerability at this time. The author urges anyone running the NTP daemon on a Windows system to patch it as soon as possible. This particular DoS attack against NTP could incapacitate a time-server and cause havoc in the network. The easiest fix is to apply the NTP patch the article states.

rb-
NTP is important to your network and patching and protecting it should be a priority. The threat to your environment is real. If NTP is not patched, an attacker could take advantage of the chaos created by this vulnerability to hide their tracks since timestamps on files and in logs won’t match.

Way back in the day, when I was a network administrator, I inherited a network where a directory services container was frozen. Seems that time had never been properly set up on the server holding the replica and as time passed, the server time drifted away from network time and at some point, we could not make changes or force a replica update. That meant a late-night call to professional services to kill the locked objects and then apply DSRepair –xkz (I think) and then re-install a R/O replica.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , ,
| April 15, 2017
Comments Off on Open a New Galaxy Crack with a Pix

Open a New Galaxy Crack with a Pix

Open a New Galaxy Crack with a PixFollowers of the Bach Seat know biometrics have a limited value in replacing passwords. Despite the technical flaws another round of biometric hype is running across the intertubes. The latest round of biometric hype is coming from Samsung (005930). In the hope to revive their brand, they are on the verge of releasing the Galaxy S8. The Samsung Galaxy S8 includes the ability to use facial recognition software to unlock your brand new phone. CNet says that this idea “sounds awesome.”

Samsung Galaxy S8However, this awesome will lower the bar for your security. CNet reports that the video blogger MarcianoTech demonstrated a pre-release version of the Galaxy S8 is seen being unlocked using just a photo (at the 1:09 mark). To their credit Samsung has acknowledged that the Face Unlock feature is more for convenience than for security, and it cannot be used for mobile payments. Weak facial recognition software is a convenience for the user, it could also be very convenient for others, too.

The troubles with Face Unlock date back to 2011 when SlashGear reported that Google admitted the security system can be fooled by a picture of you and not the real thing. CNet reports that a Carnegie Mellon University spin-off in Pittsburgh, PittPatt, developed  that Face Unlock which was later acquired by Google (GOOG).

photographs are stored in facial recognition databasesJust to make Face Unlock and similar facial recognition systems more dangerous, the Guardian reports during recent testimony before congress the FBI admitted that they store about half of all adult Americans’ photographs in a facial recognition databases that can be accessed by the FBI. About 80% of photos in the FBI’s network are non-criminal entries, including driver’s licenses pictures from 18 states including Michigan (pdf) and passports.

The FBI first launched its advanced biometric database, Next Generation Identification, in 2010, augmenting the old fingerprint database with further capabilities including facial recognition. The bureau did not tell the public about its newfound capabilities nor did it publish a privacy impact assessment, required by law, for five years.

Unlike with the collection of fingerprints and DNA, which is done following an arrest, photos of innocent civilians are being collected proactively. The FBI made arrangements with 18 different states to gain access to their databases of driver’s license photos.States allowing FBI to search driver license pictures

 

I’m frankly appalled,” said Paul Mitchell, a congressman for Michigan. “I wasn’t informed when my driver’s license was renewed my photograph was going to be in a repository that could be searched by law enforcement across the country.” So anyone with a photo of you, or maybe even just access to your Facebook photos, could potentially access your phone.

rb-

There are two important reasons why biometrics don’t work, and why the old-fashioned password is still a better option: a person’s biometrics can’t be kept secret and they can’t be revoked.

There's no real way to conceal your eyes, face or fingerprints from the worldPeople expose their biometrics everywhere – they leave fingerprints behind at bars and restaurants, their faces and eyes are captured in photos and film, etc. There’s no real way to conceal your eyes, face, or fingerprints from the world. As far back as 2002, research led by Japanese cryptographer Tsutomu Matsumoto. Matsumoto and his team used clear gelatin to make artificial fingers that they then used to fool fingerprint scanners. The gelatin-based finger was successful in fooling all 11 devices tested. I wrote about spoofing fingerprints in 2016.

However, it’s the second problem with biometrics that is the really big one: once a person’s biometrics have been compromised, they will always be compromised. Since a person can’t change their fingerprint or whatever biometric is being relied upon, it’s ‘once owned, forever owned.’ That is biometrics’ major failing and the one that will be hardest to overcome.

Part of the reason is that it’s silly to only have 10 possible passwords your whole life (20, if you count toes) but unlike a password, once a biometric is compromised, it is permanent. Today, if your Twitter account gets hacked, you just change the password – but if you are using a biometric, you will be stuck with that hacked password for the rest of your life.

With the release of Windows 10, Microsoft (MSFT) stepped up their biometrics game. CNet reports that with the recent improvements in Windows 10 biometric security includes facial recognition software. Besides facial recognition, Windows Hello also supports fingerprint and iris recognition to secure your PC. For facial recognition though, Microsoft has partnered with chipmaker Intel (INTC) for its RealSense 3D camera tech to get the job done. RealSense uses depth-sensing infrared cameras to track the location and positions of objects, which Microsoft then uses to scan a person’s face or iris before unlocking the device in question.

To further push the biometrics agenda, more than 200 companies including Microsoft, Lenovo, Alibaba, and MasterCard have already come together to form a partnership known as the FIDO (Fast Identity Online) Alliance. Founded in 2013, FIDO was set up to address issues such as a worldwide adoption of standards for authentication processes over the Web to help reduce reliance on passwords.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , ,
| March 11, 2017
Comments Off on Who Rules the Internet?

Who Rules the Internet?

Who Rules the Internet?

Singapore-based ISP Vodien published an infographic that lists the 100 highest-ranking websites in the U.S. by traffic, according to website analytics company Alexa. There are over 1.1 billion websites on the Internet, but the majority of all traffic actually goes to a very small number of firms. Seven companies control 30% of the top 100 websites and the related web traffic.

InternetNot surprisingly Alphabet controls the most popular sites on the web, Google and YouTube. Surprisingly, Microsoft controls the most sites in the top 100. Redmond controls seven of the top web properties including recently purchased LinkedIn, Bing, and Microsoft.com. For a long time, MSFT’s online efforts were a disaster. That seems to have changed with Azure, but I still hate Bing. According to the Vodien infographic Alphabet controls four of the most popular sites.

The Visual Capitalist points out that Google.com gets an astounding 28 billion visits per month. The next closest is also a Google-owned property, YouTube, which brings in 20.5 billion visits.

Facebook (FB) controls two of the most popular websites; Facebook (#3) and Instagram (#13).

Jeff Bezo’s firm Amazon (AMZN) directs four popular websites;

The infographic says Verizon (VZ) now controls the Huffington Post (#49) and AOL (#59) and will control Yahoo (#5) and Tumlr (#12) if the deal closes in 2017 Q2.

Reddit.com comes in at #7 and Reddituploads.com is #61.

Online retailer eBay comes in as the #8 website.

POTUS favorite Twitter (TWTR) is the 9th ranked website and t.co is #25.

Video streamer Netflix comes in ranked #10 by Vodien.

Microsoft (MSFT) controls 7 of the top 100 websites with recently purchased LinkedIn at #11, Live.com #14. so-so search engine Bing is #17, followed by Office.com (#23), Microsoft Online Services (#24), MSN (#37), and Microsoft.com (#41).


Vodien lists the 100 highest ranking websites

rb-

The consolidation of all of this web traffic is troubling. The current administration is going to allow online firms to sell all the personal information they collect to the government, data aggregators or anybody else to make a buck.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , ,
| March 4, 2017
Comments Off on How Much Code Does It Take?

How Much Code Does It Take?

How Much Code Does It Take?David McCandless from Information is Beautiful tries to answer the question of how many millions of lines of code does it take to? For reference, the Visual Capitalist calculates that a million lines of code (MLOC), if printed, would be about 18,000 pages of text. That’s 14x the length of Leo Tolstoy’s War and Peace. The total lines of code to run systems vary widely as Mr. McCandless shows in the infographic.

  • Stack of paperIt took less than a million lines of code to run the NASA Space Shuttle.
    • The Mars Rover Curiosity takes less than 5 million lines of code to run.
    • The latest version of the Firefox web browser includes just under 10 million lines of code.
    General Motors’ (GM) Chevy Volt requires just over 10 million lines of code.
    Microsoft (MSFT) Office 2008 for the Apple (AAPL) Mac consists of over 35 million lines of code.
    • And it took 50 million lines of code to bring us Microsoft Vista.
    • Finally, all Google (GOOG) services combine for a whopping 2 billion lines – that means it would take 36 million pages to “print out” all of the code behind all Google services. That would be a stack of paper 2.2 miles high!

Information is Beautiful Infographic
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , ,
| January 26, 2017
Comments Off on Avaya Goes Chapter 11

Avaya Goes Chapter 11

-Updated- 03-07-17 As predicted Avaya spun off its networking business. The lucky winner is Extreme. The presser from Extreme is here.

Avaya Goes Chapter 11In one of the worst-kept secrets in tech, Avaya has finally declared bankruptcy. The Santa Clara, CA-based communications company filed for chapter 11 protection on January 19th, 2017 in the U.S. Bankruptcy Court for the Southern District of New York. Reports are that Avaya faced an end of January deadline to reach agreements with creditors to address its $6.3 billion debt or potentially default.

Avaya logoThe company’s presser announcing the bankruptcy characterizes the decision to seek Chapter 11 as a necessary re-do on deals made a decade ago. The company was spun off from Lucent, a former AT&T unit, in 2000. Avaya went private in 2007 when private equity firms Silver Lake Partners and the Texas Pacific Group took over the firm for $8.2 billion. Avaya was set up as a leveraged buyout – loaded with debt. At the time the new owners said going private would help Avaya to accelerate product development. In 2009 Avaya scooped up the remnants of Nortel for $900m.

The Nortel acquisition added Ethernet switching and VoIP to Avaya’s portfolio. While the move added needed hardware to the Avaya portfolio the rest of the tech world started the shift towards software-as-a-service and the cloud. Avaya was not able to digest Nortel while taking on Cisco, Microsoft, and the cloud at the same time.

$6.3 billion debtAvaya was both late with VoIP and Unified Communications. Neither Microsoft nor Cisco were competitors in the TDM/PBX era. Cisco joined the race with VoIP and Microsoft then came along with Unified Communications. Both have tremendous enterprise penetration and brand recognition.

The pressure forced Avaya to consider selling its crown jewel, its contact center products to Genesys in 2016, in the hope it would raise some cash. When the deal with Genesys fell through, Avaya decided to file for bankruptcy. Avaya CEO Kevin Kennedy said in a statement, “…chapter 11 is the best path forward at this time.

In order to keep the lights on during the reorganization, the company has secured a $725 million loan underwritten by Citibank.

As part of its debt load, Avaya owes its pensioners $1.7 billion in unfunded pension liabilities. According to NoJitter Avaya will honor it obligations to maintain and continue the pension (as did GM in its reorganization).

Chapter 11 only impacts Avaya’s United States operations. In the rest of the world, the company is moving to assure customers and stakeholders that it’s business as usual.

Rb-
My experience is that the Avaya IP Office product is way over-priced, even in a bid environment. Why would anyone buy an Avaya Ethernet switch or access point when you can get a Cisco or an HP?

So what is to become of Avaya? One likely outcome is that all of the business units will be sold off to satisfy the creditors. The only thing left of Avaya will be a service organization to care for the huge installed base of orphaned Nortel and Avaya systems.

I know people are already getting calls from Cisco about replacing Avaya.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , ,
« Older Entries   Recent Entries »