The Great Password Debate – Where we disagree about password resets and failures (Part 3)

September 20, 2017 at 3:30 pm | Posted in cybersecurity, Knowledge, Technical Tips

This post is part three of our reaction to new recommendations in the National Institute of Standards and Technology’s Digital Identity Guidelines (NIST Special Publication 800-63), Appendix A – Strength of Memorized Secrets. You can check out Part 2 here.

In the Great Password debate that has been generated by the latest NIST guidelines, we (the trainers and experts on the Transcender team) find we agree with some recommendations and disagree with others. In our previous post, Josh discussed the way password complexity has been found less secure than longer passwords made up of simple words. In this post, we (Robin Abernathy, Ann Lang, and Troy McMillan) want to discuss NIST’s new guidelines for password resets (password age) and responding to password failure/account lockout (failed authentication).

Among the otherwise sound advice in the Digital Identity Guidelines (NIST SP 800-63B), we did pick out three points that cause us some consternation:

  • Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator. (Section 5.1.1.2)
  • Unless otherwise specified in the description of a given authenticator, the verifier SHALL limit consecutive failed authentication attempts on a single account to no more than 100. (Section 5.2.2)
  • When the subscriber successfully authenticates, the verifier SHOULD disregard any previous failed attempts for that user from the same IP address. (Section 5.2.2)

Love it a long time, or leave it every 30-60 days?

How many of you out there work for a company that requires you to change your password at a regular interval, usually every 60 or 90 days? Bullet point 1 states that this is no longer necessary.

Troy says: I disagree with this recommendation. I contend that changing the password at regular intervals DOES increase security because it shortens the amount of time it is available for disclosure. The logic behind this new NIST rule is based on a failure of how people implement it, not a failure of the concept of password age. In other words, the concept fails because the users do not use unique or secure passwords. They usually choose a new password that’s similar to the previous passwords with a few character changes. This issue would be resolved with proper security awareness training and policy enforcement. Also, there are solutions out there that can prevent users from creating a password that is too close to a previous password. So while we understand what NIST is trying to do with this change, I personally don’t agree with it.

Ann says: I disagree somewhat. The theory is that if you’re ALSO making people choose much longer, easier-to-remember character strings for passwords, like IlikebigpasswordsandIcannotlie! Twoyears beforeI changeit lala hooray!, then you still have the advantage of the password being much, much harder to crack or guess from a mathematical standpoint. After reading through their breakdown of Authenticator Assurance Levels (AAL), I’d be okay following their password age recommendations for any site that’s operating at AAL2 or above.

(For what it’s worth, Microsoft’s 2016 Password Guidance for IT Administrators both counsels you to lose the mandatory periodic password reset, AND to educate users on choosing appropriate passwords and banning commonly used passwords.)

The Great Password Debate (Part 2): Longer, Simpler Passwords Are the New Black

September 8, 2017 at 4:03 pm | Posted in cybersecurity, Knowledge, Technical Tips | 4 Comments

This post is part two of our reaction to new recommendations in the National Institute of Standards and Technology’s Digital Identity Guidelines (NIST Special Publication 800-63), Appendix A – Strength of Memorized Secrets. You can check out Part 1 here.

Which of the following two passwords is more secure?

p@$w0RdCh34Tr#
ILikeSimplePasswordsICanRememberAndUseNotComplex

The first password is 14 characters long, well over the recommended minimum of 8 characters. It also meets many, if not all, of the common password complexity requirements: it contains multiple special characters like @ and $, numbers like 3 and 4, and mixes uppercase and lowercase letters in for good measure. It does not contain a username or any repeated characters. At the Password Meter, I get the following rating:

[Screenshot: Password Meter rating for the first password]

The second password is a lot longer (over 3x), clocking in at 48 characters. If you think that is crazy long, section 5.1.1.2 of the new NIST 800-63B Special Publication suggests passwords of at least 64 characters! But this password is pretty awful when it comes to complexity: it has no special characters or numbers, and it contains easy-to-read dictionary words. So you’d expect a really low score from the Password Meter.

But you’d be wrong:

[Screenshot: Password Meter rating for the second password]

What is going on? In a nutshell, according to the latest research, password size matters more than character complexity, even if the password strings together easy-to-read words. This is a harsh truth, to be sure, and the reason why requires a quick trip back to mathematical set theory and the world of bike lock combinations.


Ransomware! What is it, and what can I do about it? (Part 1 of 2)

April 4, 2017 at 3:08 pm | Posted in cybersecurity, Knowledge, Technical Tips | 1 Comment

Ransomware! What can I do about it?

We live in dangerous times. Your cranky grandfather was right: they are out to get you – but who are “they,” and what the heck are we talking about? Ransomware, of course. It’s out there, and it’s coming for you.

Mobsters extort money from people. You may be a fan of mobster movies or the Sopranos on HBO, but it’s only fun to watch mobsters at work when you’re not the one getting the shakedown. I don’t know Tony Soprano, and besides, I like Joe Pesci’s character in Lethal Weapon III better than his characters in Casino or Goodfellas. Extortion could be coming to a PC, Mac, or even Linux box near you in the form of ransomware.


It’s fun to watch these guys on TV. It’s not so fun to be a victim in your own home.

First I’ll go over the basics of how ransomware works. I’ll explain the most common mistake you may be making – even if you’re an IT professional – that might leave you a victim of a drive-by drive-locking. And, of course, I’ll tell you the best ways to prepare to fight ransomware.

In my follow-up post I’ll go over some specific strategies to harden your e-mail and firewall against malware attacks and share a recommended reading list for infosec news.

How the shake-down starts

You can be extorted on the Internet without being infected with ransomware. Hijacking someone’s social media account (like Instagram), changing their login, and then demanding payment for the user credentials is extortion, but it isn’t ransomware.

Ransomware is a type of malware that infects your computer and encrypts your files or blocks access to your own data. The ransomware displays a message stating that the attacker will unlock your files for a price, and that payment should be rendered through a nominally untraceable electronic currency, such as Bitcoin or MoneyPak. It usually gives you a time limit and threatens to permanently destroy your data if you don’t pay before the deadline.

For home users, that price is usually set between $150-300 USD or Euros. For business victims, the demand might start at $500 – or it could be $10,000 and escalate from there.

How did the ransomware get there?

The malware that carries the encrypting payload is loaded on your computer in a number of ways. The malware could have come from a downloaded file or from a browser hijack. The malware could be hidden in another program. Any web site that hosts third-party ads, like recipe blogs and your favorite vintage car forum, can be a huge vector for malware no matter how innocent the site itself is; just visiting the site or clicking an ad by accident can expose you to a silent malware download.

No operating system is immune (not even mobile phones or home appliances). Ransomware can affect PCs running any operating system and Macs. Yes, I said Macs. A ransomware called KeRanger was found in BitTorrent client software designed to install on the Apple OS X operating system. The KeRanger malware will encrypt files on your computer and try to encrypt Time Machine backup files to prevent you from recovering the data from a backup. The KeRanger malware attackers want $400 for the private key.

[Note: If you frequent Bittorrent sites, you know they have pirated files for download from shady servers. Don’t be surprised when you lie down with dogs and get up with fleas.]

What happens when the ransomware activates?

A majority of active ransomware uses a variation of Cryptolocker. Once the malware is loaded on your computer, it first contacts a central server on the Internet. That server creates a unique encryption key pair: the public key is kept on the local computer, and the private key used for decryption is kept on the attacker’s central server. Once the public key and private key are created, the malware will begin encrypting files locally on your computer and any mapped drives.

The attacker has the private key and will sell it to you to use to decrypt your files. If you have ransomware on your computer, you will get a pop-up that instructs you to pay money via Bitcoin, MoneyPak, or something similar.

[Image: CryptoLocker]

When ransomware is an offer you can’t refuse

Ransomware is common because it’s cheap to implement (for the attackers) and hugely effective. Steve Perry of Journey once sang the wheel in the sky keeps on rolling. Well, when it stops rolling, everybody raises hell. If your business has an outage, the data has to be restored. Money never sleeps; your network has to hum along 24 hours a day. The Internet is like Waffle House: it never closes. (I can go on and on in this vein. Don’t try me.) In short, your customer expects that you will never be closed and that your (and their) data will always be there. Ransomware that locks your data up has kneecapped you right in the business income.

Many business victims would rather just pay the ransom and get access restored. The logic goes that it’s better to pay rather than to lose an unknown amount of revenue from the downtime they’ll incur while trying to root out the infection and restore systems.

Unfortunately, this is EXACTLY why ransomware continues to flourish, and exactly the wrong response to an attack.

Whatever you do, if at all possible: DON’T. PAY. THE. RANSOM. There are two very important reasons why this is a bad idea:

  1. You are dealing with criminals. There is no guarantee you’ll even get the private key to unlock your files.
  2. If you pay, you only encourage this crime to continue.

However, it’s easy for me to lecture you on this. I didn’t have my laptop full of all my kids’ photos, my graduate thesis, the last video of my late wife, or some other valuable data extorted from me. I can honestly say that if I was in that situation, I don’t know whether I would pay to get that data back.

The #1 mistake that leaves you vulnerable to ransomware

Pirating movies. Frequenting shady websites. Buying a “smart” refrigerator and letting it connect to your home wireless router without changing the default settings. Failing to keep your anti-virus programs updated. All of these are bad ideas, but they’re not the #1 mistake that makes you most likely to shell out the (bit)coin and retrieve your data.

Sure, our goal should be to never get infected with ransomware. But given the speed at which these attacks evolve, it’s not realistic to assume that our firewalls and anti-virus software will be 100% effective. The best offense is always a good defense; with ransomware, the best defense is a secure recent backup.

Threats only work if you’re afraid of the consequences. With a secure external backup, you can wipe your system and walk away from the demands.

After all, if you have a full image of your system and a secure external copy of your data, you can risk losing a few days’ worth of files while you wipe and reimage your system to remove the malware. You could use a snapshot to restore your system, or clean your machine and restore your data.

Unfortunately, home users (and many small businesses) rely on cloud-connected file servers like OneDrive and Dropbox to back up the physical copies stored on our hard drive. Or we never keep a local copy of our files, assuming that our cloud providers have better intrusion security than we could provide for ourselves.

Rest assured: backing up to the cloud won’t protect your data. Malware like Cryptolocker can encrypt files on mapped drives and external drives. This definitely means your Dropbox, OneDrive, Google Drive or cloud service that is mapped to your machine can also be infected and your cloud-based files can be encrypted just like your local ones.

You should treat the personal data on your laptop or desktop, company data on your company’s laptop, or data on your company’s devices just like the data on corporate servers and schedule regular backups. Furthermore, you need to back up to external drives.

You should have your drives backed up to an external drive on a regular basis or use a backup service that does not use an assigned drive. Why does it have to be an external drive? Variations of Cryptolocker can check for shadow files on your computer and disable or delete them.

How often you perform backups will determine how much you lose.

In our next post…

In my next post I’ll share a few ways to harden your OS, firewall, email, and end users – even your grandma – against some common ransomware entry points. I’ll also suggest ways to handle the dreaded “friends and family support call.”

Until next time,

George Monsalvatge


2016: Held Ransom

April 11, 2016 at 4:29 pm | Posted in EC-Council, Technical Tips

It was predicted late last year that 2016 would be the year for ransomware. Thus far, the prediction is proving right; only four months into 2016, the Locky ransomware has managed to spread itself over 114 countries (displaying its demands in a dazzling array of 24 languages). The Hollywood Presbyterian Medical Center paid $17,000 in bitcoins after having their computer systems seized in February 2016, while hospitals in Kentucky and Maryland report similar attacks.

In case you’ve been in that doomsday bunker a bit too long, ransomware is malicious software that blocks access to your own data, usually by encryption that targets a local computer. Data stays locked away until you pay a tidy sum of money to the hacker (or, more commonly, to the hacking organization). The malware usually contains a ticking bomb that will format the entire hard drive if you don’t pay by a deadline (or post the data for everyone to see, just as extra motivation). The data kidnappers may call themselves hackers or vigilantes, or even pretend to be a federal agency, but their demand is always the same: pay us for your data — or else!

Worse, with automated viruses like Cryptolocker, Cryptowall and TeslaCrypt, hackers don’t have to go through the extra effort of targeting big fish like CEOs of Fortune 500 companies. Any end user could be bilked for hundreds of dollars. And, through the economies of scale, hackers rake in millions per campaign. While current year damages won’t be tallied for a while, the FBI estimates the CryptoWall variant pulled in over $18 million from 2014 to 2015 alone.


“Shame if something happened to that hard drive…”

End users are not the only targets; nor are Windows users. Major sites like the New York Times, BBC, AOL and NFL had their advertising networks compromised by malvertising, where a malicious ad hijacked users’ browsers and redirected them to install a crypto-virus via the Angler toolkit (another argument for using adblockers?). And the once near-invincible Mac OS has been revealed as the target of the KeRanger malware – the first ransomware Mac users have ever had to contend with.

In this climate, is it any surprise then that a prominent security certification vendor like EC-Council was a recent target? Read more for the details.


Take-Home Certification Exams: Adventures in Online Proctoring

February 18, 2016 at 4:35 pm | Posted in Proctors, Study hints, Technical Tips

So, you’ve spent months studying for the latest certification. You’re ready to schedule the exam and proudly showcase your new knowledge and skills. Until recently, your only option was to take the exam at an approved testing center. [Editor’s note: the following opinion does not represent the corporate viewpoint of Kaplan, Transcender, Graham Holdings, or any sane person, Josh. ~A.L.] Most test centers are a cross between a corporate cubicle farm and prison camp. Sure, there are people there, but people in their worst possible moments: bleary-eyed, nerve-wracked, and way too over-caffeinated. [Editor’s note: This would explain those horrible ID photos on my score reports. ~A.L.]

If you don’t live near a corporate testing hub, you might dread the half-day of commuting time, lost productivity, or even the need for an overnight hotel stay. (In a major hub like Atlanta, there are testing centers galore, but we have to fight bumper-to-bumper traffic to get there.) You may be too busy with your day job to get the time off, or you might want enough time to fit in a last-minute cram session. You may experience test anxiety that negatively affects your performance, especially when testing in an impersonal, sterile environment.

Enter online proctoring.

Message not recommended. Online proctors might not appreciate the humor.

The glorious promise of an online proctored exam is the ability to take a certification exam wherever you are at the time of your choice, without travel or stressful interactions. And except for a few caveats, the dream is reality. But you need to really consider those caveats. The whirlwind home-alone experience isn’t for everyone!

Josh’s Excellent Proctored-Exam-At-Home Adventure

First: equipment. You need a decent PC with a camera and microphone and high-speed Internet bandwidth. Every online proctor will have a pre-flight checklist that will verify your hardware is up to snuff. Don’t wait until minutes before taking the exam to ensure your equipment will pass. Run the check as soon as possible, and leave yourself time to borrow, purchase, or overnight yourself any missing components.

Next: scheduling. You read that right – even though you have more flexibility than a testing center’s hours, including the ability to take your exam late at night or very early in the morning, a live proctor still has to be present on the other end of the connection to observe you take the exam. For this reason, some time slots may be unavailable – the proctor might already have too many test takers to keep track of. (Or maybe they actually sleep.)

Finally: location. From my personal experience, you need to find a room or an enclosed space in a room that will be quiet and isolated (where no one can hear you scream). This is actually required to prevent accusations of cheating, so close all of your windows and make sure no one is in the same room with you. If you don’t have access to a private room in your home, check your local public library – most have study rooms that can be reserved for periods of up to two hours. Other options would be a hotel conference room or an unused cubicle or office in your workplace.

If you’re testing in your own home, secure any pets away from the exam area and make sure that children won’t enter the area. I chose my dining room (finally getting some use out of it!), because I would have at least three walls around me. I locked up my cats for the duration, especially after my first unsuccessful attempt when my cat Norio attempted to lie across my hands during the exam (the proctor had to pick himself off the floor laughing, but was gracious enough to allow me to continue). I also silenced my cellphone and let everyone, especially my wife, know that I would be completely unavailable and unresponsive for the duration.

No pet time for you – I have a test to take!

Additional considerations for at-home online examinations

Here are a few other tips I’ve learned from online proctored experiences:

  • Do not install any updates or new software on the same day as your exam appointment. Murphy’s law in action here. I’ve had to cancel at least one exam after installing an update to Visual Studio on the machine I was using for the exam. It took over an hour, and finished installing just in time for the proctor to tell me that my test time was up.
  • If you’re using a laptop, make sure you’re plugged into a power source. Especially if you have some ridiculous 42-inch super AMOLED screens which will run dry after 5 minutes of operation.

This thing is for an online test, not a gaming rig!

  • Empty your pockets of everything (and make sure you wear pants, too). Some test centers require this and will make you display your empty pockets to the camera. And you’ll have to spin around (so you may want to hold off on the antihistamines for a bit).
  • Clean up the table or desk where you are testing. You can’t have any loose papers or computer equipment lying around. You’ll have to pick up your laptop (or attached camera) and rotate it around the work space to demonstrate that no cheating materials are nearby, so make sure there’s nothing embarrassing lying around.
  • You cannot have bags, purses, boxes, or any other items on the floor next to your chair.
  • You must take off all bracelets and watches. This I forget all of the time, but the proctor won’t. Save yourself some testing time and do this beforehand.
  • Make sure you can roll up long sleeves to display that you don’t have notes written on your skin.
  • Do not bring any food, drinks or gum into the test environment. It’s not allowed. Well, at least don’t open your mouth too wide or smack too loud.
  • Be nice to your proctor. It’s at their discretion if and when you get bathroom breaks!

If you have wearable medical devices (such as insulin pumps or medical alert bracelets) that should not be removed, or if your personal beliefs don’t allow you to comply with certain regulations (such as displaying bare arms), be sure to ask the vendor to specify IN WRITING whether exemptions are allowed in general, and to approve yours in particular, to avoid disappointment at test time.

“You keep using that word – I do not think it means what you think it means”

Different vendors have different terminology. When you’re searching for an exam you can take from home, be sure you’re searching for online proctored exams. For example, Oracle refers to exams taken online as “non-proctored” and exams taken in person at Oracle University testing centers as “proctored.” Here is more information on online proctored exams with Oracle.

Sold! Where do I sign up?

Due to security considerations, not every vendor offers an online exam experience. Project Management Institute, for example, only allows people to sit the PMP exam at approved testing centers.

At this time of writing, Cisco allows certain of its exams to be scheduled through Pearson Vue for an at-home exam experience.

EC Council, for popular security certifications like CEH, delivers their exams through ProctorU.

CompTIA’s online exam program is called the Anywhere Proctored program, but the available information seems to be geared toward test providers, not test takers. At this time of writing, I could not definitively find a CompTIA exam that could be taken online outside of a boot camp or other training course.

Microsoft has a robust online proctored exam environment, called “online proctored exam delivery.” You can read their full list of policies here.

According to Pearson Vue, VMware offers all VCA exams in a 24/7 online format. There is a full FAQ available.

Online proctoring exam service PeopleCert offers online proctored exams for a variety of vendors, including ITIL®, PRINCE2®, MSP®, P3O®, MoV®, DevOps, Lean IT, Lean Six Sigma, ACCESSIBILITY PASS and ISO.

However you choose to take your exam, as always, we wish you good luck and happy testing!

~Josh aka codeguru

Windows 10 Review, Part 3 – The house that Jack built

July 10, 2015 at 3:13 pm | Posted in Microsoft, Technical Tips, Vendor news

As with many trilogies, the exciting bits of my Windows 10 review happened in the middle (A Tale of Two OSes and It was the best of times, it was the worst of times). Although this chapter doesn’t have as many plot holes as my previous posts, or the multiple endings you’d find in a movie like The Return of the King, it’ll probably be more important to your productive life with Windows. Helm, warp one – engage!

Touch, Notifications and General Task Management

Material Design, anyone?

After initial pokes at providing a touchscreen UI as far back as Windows XP, Microsoft has delivered a mature, functional touch technology in Windows 10. Finally, the OS feels highly responsive, easy to navigate, and most importantly, stable. The taskbar is slightly taller than in Windows 8, to accommodate the tips of chubby man-size fingers like mine. The Aero interface snaps a window into full-screen or half-screen with minimal hair-pulling. And the process of dragging icons around the screen isn’t as choppy as it was in Windows 8 and 8.1.

The news is not 100% good, though. Microsoft left a few issues hanging around. In my test runs, the on-screen keyboard didn’t pop up every time I needed it to. And trying to highlight text with my finger is still reminiscent of playing a microscopic version of Pac-Man™. Overall, the touch technology earns a solid grade of B.

Microsoft has also brought some new features to the table. There is now a notification area for messages and common settings that you can launch from your task bar (even if I can’t get any notifications to show up).

Nothing to see here?

The OS includes support for multiple desktops, reminiscent of Linux and Apple OS, so that you can spread your windows across virtual space more easily.

Too many chefs… I mean, desktops.

They even threw in a task manager that is less concerned about switching between programs than it is with graphing the overall health of your running system.

Yup, need to get some more memory!

Release Details

Thanks to a leak from AMD, I can report that we’re expecting this new OS to hit the market by July 2015—just in time for the back-to-school sales! It’s confirmed that you can get the upgrade for free if you’re running Windows 7 or later (but only for the year following Windows 10’s release to market).

In conclusion, I think you’ll definitely want to install this new OS, especially if you need your touchscreen device to be as productive as a desktop, but you don’t have to take my word for it!

Oracle Redaction in the 12c Database: Advanced security for regulatory compliance

May 8, 2015 at 3:56 pm | Posted in Oracle, Technical Tips

Oracle Redaction in the 12c database is part of the Oracle Advanced Security package. It can be used as a standalone feature, or together with other components of Advanced Security. Oracle redaction allows you to set up policies so that when column data is retrieved, it can be masked or hidden from the person performing the query. It can affect all or part of the data in a column and the data can be any of the more common datatypes that Oracle supports. Redaction allows you to comply with industry regulations such as the Payment Card Industry Data Security Standard as well as the Sarbanes-Oxley Act.

You’ve probably already seen this feature at work when you receive documents from the government or your bank with key data partially hidden, such as social security numbers and credit card numbers. Social security numbers are commonly masked to allow only the last 4 digits to be read, appearing as ***-**-1234. Salary is another column that is commonly redacted in reports.

The key to using redaction is the Oracle-supplied package DBMS_REDACT and the procedures and functions contained within it. The procedure DBMS_REDACT.ADD_POLICY allows you to set up a policy on a column of a table or view. For example, view the following statement:

BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'bob',
    object_name   => 'employee',
    column_name   => 'salary',
    policy_name   => 'protect salary in bobs employee table',
    enable        => TRUE);
END;
/

This statement will create a new policy with the given name on the salary column of the employee table in the schema called bob. Note that all the arguments of this procedure are IN, and that the arguments shown are all VARCHAR2 with the exception of enable, which is BOOLEAN. This policy will be enabled as soon as it’s created, and it will apply to all users except SYS and any other user who happens to have the system privilege called EXEMPT_REDACTION_POLICY. Further, it will redact the entire salary column and use a 0 as the default masking character, since the datatype of the salary column is number.

All of these defaults can be changed to create complex rules with the logic encapsulated in the policy. For example, you may want the policy to apply only to users who have a particular role or who are logged in at a particular time. You also might want the salary to be displayed as a series of $ signs instead of a zero, and if you were performing redaction on social security number, you may only want to redact part of the column so that the last 4 digits are still visible. This procedure has additional arguments that allow you to do all of these things and more. You can even redact a number column such as salary so that the column appears as a random number rather than the true value or a 0. I’m hard pressed to think of a business example where you might want to use this feature, so if you have a good example, PLEASE reply to this blog and let me know in the comments!
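The partial and conditional redaction described above, as an added example that is not code from the original post. It assumes a hypothetical table bob.employee with an ssn column of type VARCHAR2 formatted nnn-nn-nnnn and a salary column of type NUMBER, and a hypothetical database user named HR_ADMIN who should see the real values; because Oracle allows only one redaction policy per table, the salary column is added to the same policy with DBMS_REDACT.ALTER_POLICY, and the data dictionary views at the end let you audit which columns are actually covered.

```sql
-- Added example: assumes table bob.employee(ssn VARCHAR2(11), salary NUMBER)
-- and an HR_ADMIN user (hypothetical names, not from the original post).

-- 1. Partial redaction of the SSN so only the last four digits remain visible.
--    function_parameters = 'input format, output format, mask char, first, last':
--    V = a character to keep, F = a formatting character; positions 1-5 of the
--    nine V characters are masked, which yields ***-**-nnnn for 123-45-6789.
--    The expression makes the policy apply to every session except HR_ADMIN.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'bob',
    object_name         => 'employee',
    column_name         => 'ssn',
    policy_name         => 'redact_employee_pii',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5',
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''HR_ADMIN''',
    enable              => TRUE);
END;
/

-- 2. A table can carry only one redaction policy, so the salary column is
--    added to the existing policy rather than created as a second one.
--    FULL redaction of a NUMBER column returns 0 by default.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'bob',
    object_name   => 'employee',
    policy_name   => 'redact_employee_pii',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'salary',
    function_type => DBMS_REDACT.FULL);
END;
/

-- 3. Check from a non-exempt session (one that is not HR_ADMIN, does not own
--    the EXEMPT_REDACTION_POLICY privilege and is not SYS): the SSN shows as
--    ***-**-nnnn and the salary as 0. Run the same query as HR_ADMIN to confirm
--    that the expression lets the real values through.
SELECT ssn, salary
FROM   bob.employee
WHERE  ROWNUM <= 5;

-- 4. Audit what is in force: the policy, its expression, and every column it
--    covers with the redaction type applied to each.
SELECT object_owner, object_name, policy_name, expression, enable
FROM   redaction_policies;

SELECT object_owner, object_name, column_name, function_type, function_parameters
FROM   redaction_columns
ORDER  BY object_name, column_name;
```

Redaction does not change what is stored or what a user with direct access to the datafiles or backups can read, so it complements, rather than replaces, access control and encryption at rest.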

Redaction should apply to read-only situations, since you don’t want a user to update a column in a row without being able to see the old value in the column, or even the new value for that matter.

As far as SQL statement processing is concerned, the redaction is the very last thing that occurs. In the past you may have said to yourself that the last thing done in a SELECT statement is to sort the returned rows if the ORDER BY clause is part of the query. Now we have one more potential step that might be performed on the returned rows after the sort: namely, the redaction.

This post just scrapes the surface of everything you can do with this tool. My hope is that I’ve been able to stir your interest in this topic if you have applications where redaction is appropriate. More information about redaction can be found in Chapter 9 of the Oracle 12c Advanced Security Guide. Click this link if you’d like to become more familiar with this tool: http://docs.oracle.com/database/121/ASOAG/redaction_features.htm#ASOAG601

Thanks,

Bob, the OrclTestGuy

Windows 10 Review, Part 2 – It was the best of times, it was the worst of times

March 25, 2015 at 3:20 pm | Posted in Microsoft, Technical Tips, Vendor news | 1 Comment

After my introductory foray into Windows 10, I was ready to get down to brass tacks and really discover what Microsoft’s new OS was all about. When, suddenly, this happened:

[Image: app_error_message]

You can’t always get what you want… but if you try, sometimes you might find that you don’t have to re-install. Well, actually that doesn’t really work for Windows, especially with a Technical Preview. But maybe this is a good starting point to discuss how Windows will treat this kind of error, from Windows 8 going forward.

Refreshing Your PC

Windows 10 comes with the fairly painless re-install option introduced in Windows 8, called refresh. Refreshing your PC leaves all of your files and personal settings alone, but reinstalls Windows Store apps for you. Bully for you if you have any of those applications, but more than likely you’ll need to re-install any legacy applications by hand, e.g. the ones that every business user works in. So don’t go throwing away those InstallShield downloads and installer DVDs. But, hey, it’s better than having to reinstall everything, right? Certainly it’s a quick enough procedure if it fixes the problem.

In this case, though, it didn’t fix the problem. Okay, so now I had some investigation to do. Nurse, scalpel, STAT!

Reinstallation

Yeah, so surgery didn’t go so well. Good news is I have updated to the latest build (9926). Bad news is my first patient didn’t make it, but, you can’t make an omelette without breaking a few eggs. So, after three hours of alternating between Candy Crush and Trivia Crack, I’m back on the review beat… Oh, did I plug our great mobile app time-waster yet? Who knows? You might learn something.

Okay, skip the ad — let’s break into the hyped stuff first.

Start Menu 2.0

Fair is foul, and foul is fair. It’s not the same compact program listing you remember. Gentlemen, they rebuilt him; they had the technology. That’s right, meet the new Start Menu. Granted, you don’t have to dive into full-screen unless you’re in tablet mode.

Here's the Start Menu!

On the left is your old Programs listing, with fewer functions than the Windows 7 edition, but thankfully more simplistic. If you can’t find the application or document you want, then try clicking on the All apps link. Once here, it helps to know the name of the app you’re searching, because you’re staring at a phonebook-like listing. Reminds me of scrolling through Windows Phone contacts. Or you can get cozy with Cortana (see more about that below) to avoid hunting and pecking every time you need to open something new.

Another note about the lovely new Windows 10 Start Screen: each application displays as a tile and supports live updates, so that you can keep up with the latest Facebook flame war and your cousin’s selfies. If that’s a distraction, then you can move the tiles around, group them, and set them in one of four sizes – small, medium, wide, or large. Not a whole lot of custom options, but hey, at least it’s simple to use.

Browser

Internet Explorer 11 comes pre-packaged with two different browser platforms: Edge and Compatibility. Eventually, this will make its way into two completely different browser applications – Spartan and Trident. Spartan will be the experimental, lightning-fast HTML5 engine, while Trident will be the old, reliable browser with the compatibility to handle older web pages with ActiveX, Silverlight, and other retired or soon-to-be-shelved technology.

When in automatic mode, I experienced no lag loading web pages with multimedia, and scrolling and touch-to-zoom seemed responsive and snappy. So I went ahead and ran a quick HTML5 benchmark to get some objective measures … and was quickly disappointed.

[Image: Windows 10 IE 11 Edge Peacekeeper Rating]

According to the Peacekeeper universal browser test, IE 11 running with Edge scored a measly 406, and only 388 with Compatibility enabled. That’s lower than an iPhone 4s scores, and trust me, that stock browser is sluggish by anybody’s standards! To test whether it was the fault of Windows 10 or Internet Explorer, I installed Google Chrome as a control. Chrome scored a whopping 616. Let’s hope that the new IE only gets better as we move towards the general release.

Cortana

So, after the limited success of voice activation on the Xbox, the folks at Microsoft brought the voice recognition application Cortana (named after the AI in the Halo franchise) over to the desktop/tablet. She knows your name (after you type it in) and keeps you in the know with the latest news. I tried making friends with Cortana. You should too. But approach with caution. Go ahead and ask her what the weather is today and where Washington, DC is located and you’ll be pleased. But if you ask, “How far am I away from Washington DC?”, she may stop talking to you and instead launch the Bing website. Although, when I asked, “How long would it take for me to get to Washington DC?”, she took a minute or two, and then returned a detailed answer. Of course had I followed her directions I would have ended up in the state of Washington and not the District. D’oh!

Hello, Cortana.

That said, this is early going for Microsoft’s voice recognition system. But I have no doubt it will rise to the standards of Google’s Speech and Apple’s Siri by general release.

Look out for the third and final installment of my Windows 10 Review – What Lies Beneath!

Until then,

Josh Hester aka codeguru

Windows 10 Review, Part 1 – A Tale of Two OSes

March 5, 2015 at 5:15 pm | Posted in Microsoft, Technical Tips, Vendor news | 2 Comments

2011. It was the best of times, it was the worst of times. Well, actually, it was a bummer of a year. Not only did a famous pop star say her final, “no, no, no,” but R.E.M. called it quits and Charlie “Tiger Blood” Sheen got booted off of prime time TV. More seriously, there were several devastating natural disasters—namely the earthquake-tsunami that led to the Fukushima nuclear meltdown and the slew of tornadoes that ripped through Joplin, Missouri.

Perhaps that grim recap puts me in the mindset to review the spectacle that was Windows 8. Rather than screen capping or demoing any of the fledgling OS’s features, Microsoft chose to talk about ARM support at CES. This pushed anticipation into a fever pitch, culminating into the first pre-release later that year. The result was a strange hybrid—one part traditional Windows and another part this thing called Metro, later amended to the Modern UI in 8.1.

Some reviewers would describe it less charitably: more like an OS with schizophrenia, similar to Dr. Jekyll and Mr. Hyde, than a cohesive user experience. By the time of its public release, all of its laudable features—such as Microsoft account integration, improved task manager features, and built-in virtual drive mounting—fell away. It all boiled down to that awkward Metro UI for many Windows users and businesses. Oh, and let’s not forget Start-Gate!

So, in my review series on Windows 10 (Technical Preview Build 9841), I plan to start from a baseline of Windows 7 before Microsoft’s misadventures into the Modern UI. If Microsoft itself wants to move right from Windows 8.1 to Windows 10, then I too will go ahead and skip any unneeded Windows 8 comparisons. After all, most of you never upgraded to Windows 8 or 8.1 anyway.

The Hype

Two of the features I was most interested in previewing were the Spartan browser with its lightning-fast Edge engine and the streamlined Office suite. I’d also heard the churning rumors regarding the return of the Start menu, and was curious to see whether this was another Microsoft game.

The Setup

To properly evaluate the Windows 10 preview release from a touch standpoint, I installed it on the Asus VivoTab Smart with a Bluetooth keyboard. It came with a dual core Atom processor, 2GB of RAM, 64GB storage, and Windows 8 pre-installed, which I later upgraded to Windows 8.1. For this preview, I went ahead and did a clean install of Windows 10. The process was relatively painless, but coming from Windows 7, you’ll probably be a bit confused. Since Windows 8, Microsoft is pushing for an OS that’s not just your co-worker, but also wants to be your friend.

[Image: win8-hi]

MIA

Sadly, the Spartan browser and the updated Office suite were not included in the build I installed. Next to the Cortana voice assistant, these are two of the more highly anticipated features, so I’ll review them individually once they come out in a future build.

But good news about that Start Menu… it’s back!


Well, sort of back… more about that in my next post.

Until next time,

Joshua Hester

Reader writes: Where can server admins find good PowerShell training?

November 10, 2014 at 12:48 pm | Posted in Microsoft, Study hints, study tips, Technical Tips | 1 Comment

Editor’s Note: Regarding PowerShell and Passing the Microsoft 70-410 exam: one trainer’s perspective (Part 2), reader Jeremy Brown recently commented: “I feel there should be more sections in training materials dedicated to recapping PS… there is a disparity between expected knowledge and printed material…” Blog post guest author Scott Winger attempts to find some workable solutions.

For those of us who aren’t yet PowerShell Masters, Jeremy’s point is painfully sharp when one considers code snippets such as this one from SANS.org’s Cyber Defense & Cybersecurity blog:

[[[[[[[[[
# A filter runs its body once for each object that arrives on the pipeline ($_).
# extract-text returns the text matched by the given regular expression; when the
# pattern has capture groups it returns the groups' text instead of the whole match.
filter extract-text ($RegularExpression)
{
 select-string -inputobject $_ -pattern $regularexpression -allmatches |
 select-object -expandproperty matches |
 foreach {
  # No capture groups: return the whole match, if it is non-empty
  if ($_.groups.count -le 1) { if ($_.value){ $_.value } }
  else
  {
   # Group 0 is the whole match, so return only the numbered groups 1..n
   $submatches = select-object -input $_ -expandproperty groups
   $submatches[1..($submatches.count - 1)] | foreach { if ($_.value){ $_.value } }
  }
 }
}
# For every service: query its configuration with sc.exe, pull out the binary path
# and the account it runs as, and attach both as new properties on the service object.
Get-Service | ForEach `
{
 $sctxt = sc.exe qc $_.name
 $Path = $sctxt | extract-text -reg 'BINARY_PATH_NAME\W+\:[\W\"]+([^\"]+)'
 $Identity = $sctxt | extract-text -reg 'SERVICE_START_NAME\W+\:[\W\"]+([^\"]+)'
 Add-Member -InputObject $_ -NotePropertyName "Path" -NotePropertyValue $Path
 Add-Member -InputObject $_ -NotePropertyName "Identity" -NotePropertyValue $Identity
 $_   # emit the augmented service object to the next pipeline stage
} | format-list Name,DisplayName,Identity,Path
]]]]]]]]]

In this post, I’ll explain how you can teach yourself to analyze and create arbitrarily complex scripts, i.e., how to teach yourself to master PowerShell. But before starting, I want to share a little-known droll fact: there’s an annual contest to see who can deliberately write the most impossibly abstruse code:

http://www.ioccc.org

Although this contest is for programs written in C, I’ve included it to show that countless others have wrestled with code that’s far too complex.
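The SANS snippet above is really two jobs, a regular-expression helper and a per-service loop, and it reads much more easily once they are pulled apart and named. The following is an added example, not code from this post or from SANS, that performs the same audit (which account each service runs as, and which binary it starts) as separate functions. The function names Get-CaptureGroup, Get-ServiceRunContext and Get-ServiceRunContextFromSc are chosen for this example, and it assumes Windows with PowerShell 3.0 or later (Get-CimInstance and the -NoteProperty parameters of Add-Member appeared in 3.0).

```powershell
# Added example (not from the post or SANS): the service-audit snippet rewritten
# as named steps so that each piece can be run and inspected on its own.
# Assumes Windows with PowerShell 3.0 or later.

function Get-CaptureGroup {
    # Step 1: the regex helper. Returns the first capture group of every match,
    # which is what the original extract-text filter does for one-group patterns.
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)] [string] $Text,
        [Parameter(Mandatory = $true)] [string] $Pattern
    )
    process {
        $matched = Select-String -InputObject $Text -Pattern $Pattern -AllMatches
        if ($matched) {
            foreach ($m in $matched.Matches) {
                if ($m.Groups.Count -gt 1 -and $m.Groups[1].Value) { $m.Groups[1].Value }
            }
        }
    }
}

function Get-ServiceRunContext {
    # Step 2: the same two facts the original pulls out of "sc.exe qc", taken
    # from Win32_Service, which exposes both as properties (no text parsing).
    [CmdletBinding()]
    param([string] $Name = '*')
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like $Name } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                Identity    = $_.StartName   # account the service runs as
                Path        = $_.PathName    # command line of the service binary
            }
        }
}

function Get-ServiceRunContextFromSc {
    # Step 3: the text-parsing route, kept for comparison with the original.
    # "sc.exe qc" prints lines such as
    #   BINARY_PATH_NAME   : "C:\Program Files\Example\svc.exe" -run
    # The pattern skips an optional opening quote and stops at a closing quote
    # or end of line, so an unquoted path is captured together with its arguments.
    param([Parameter(Mandatory = $true)] [string] $Name)
    $text = (sc.exe qc $Name) -join "`n"
    [pscustomobject]@{
        Name     = $Name
        Identity = $text | Get-CaptureGroup -Pattern 'SERVICE_START_NAME\s*:\s*"?([^"\r\n]+)'
        Path     = $text | Get-CaptureGroup -Pattern 'BINARY_PATH_NAME\s*:\s*"?([^"\r\n]+)'
    }
}

# Usage: list services that do not run as LocalSystem, with their binaries.
Get-ServiceRunContext |
    Where-Object { $_.Identity -ne 'LocalSystem' } |
    Format-List Name, DisplayName, Identity, Path
```

Running the three functions separately (try `Get-ServiceRunContextFromSc -Name Spooler` next to `Get-ServiceRunContext -Name Spooler`) shows exactly what each half of the original one-liner contributes, which is the kind of decomposition the rest of this post asks you to practise.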

First, a few words in praise of PowerShell

Jeffrey Snover, Parser, Syntax, Major Domo, Rom-Com.

At this moment you should be thinking:

[[[[[[[[
Rom-Com…

What?!

Good Golly man! … Is that a typo or are you drunk?
]]]]]]]]

Let’s take a look at these words a little more closely and then you can decide whether or not I need a 12-step program (or at least an editor) before blogging for a hapless audience.

Jeffrey Snover:
He’s the guy who invented PowerShell. And, to give you an idea how important PowerShell is to your 70-410 endeavor, he’s also the Lead Architect for Windows Server 2012. So at this moment, you should be thinking, [[Holy SYNTAX DIAGRAM, Batman! If I’m gonna master Server 2012, I’d better learn PowerShell!]] This is absolutely true because, thanks to the vision of Mr. Snover, Server 2012 can be controlled, customized, queried, and tuned by over 2,400 PowerShell cmdlets.

Parser:
Precious few IT pros even know what a parser is, let alone recognize its quiet-yet-vital role in their success. But IT masters know parsers well. Whether you’re doing PowerShell, NSLookups, DiskPart.exe, or CMD.exe … heck, even when you’re clicking the mouse, it’s the parser that’s your Major Domo. It’s the parser that captures, interprets, and carries out your every syntactically correct command. So get to know PowerShell’s parser via the suggestions I’ve provided in the section below. And, then, practice, practice, practice.

Syntax:
Every language, spoken, written, mathematical, or musical, has a set of rules that its speakers have to know. And the rules for a language’s constructs are called its syntax. In the case of PowerShell, although at first you might be dazzled by its syntactical complexities, the mother of all PowerShell syntax diagrams fits on four printed pages. And this brings us to Rom-Com. You and PowerShell can do great things together. But, unlike two people in a cheesy romantic comedy who fall in love without speaking the same language, you and PowerShell won’t even get started if you don’t learn its syntax. So print and master the few pages of the PowerShell about_Command_Syntax file mentioned below.

Second, a curated list of resources and study tactics

Whenever one endeavors to learn a new programming language, a trip to the armory is a good first step, because you need learning resources.

Enter and explore the doorway to the Learning PowerShell Arsenal:
http://www.reddit.com/r/sysadmin/comments/2c2x22/best_place_to_learn_powershell/

Download the about_Command_Syntax document from Microsoft’s official PowerShell Syntax Authority. And I recommend that you keep it handy and refer to it often. (Here’s the link: http://technet.microsoft.com/en-us/library/hh847867.aspx)

Sign up for and become active on the Hey Scripting Guy PowerShell forum. Those of us who’ve been around long enough to remember the coveted, expensive, and hard-to-get IBM Red Books are astonished that this era’s IT experts are so helpful by tradition — and for free. Here’s the Hey Scripting Guy link: http://blogs.technet.com/b/heyscriptingguy/

Head over to YouTube and root out the many excellent PowerShell videos, such as this one from TechEd North America 2014:
https://www.youtube.com/watch?v=SSJot1ycM70

Study complex PowerShell code on your breaks and before bed.

And now for the big guns:  Buy Don Jones’ and Jeffery Hicks’ Learn Windows PowerShell 3 in a Month of Lunches. Lunch is optional, but the labs are not: do them as you work through each chapter.

[Editor’s note: I’m amending Scott’s post to second the reader’s recommendation of Windows PowerShell Best Practices by Hey Scripting Guy writer Ed Wilson, highlighted in a comment below.]

Third, the call to action

Fire up PowerShell and start with some “get” statements so you’ll do no harm. Then take your first baby steps using some simple “set” statements.

Then, start building your own custom library of scriptlets with commonly used categories, such as:

\Enumerating\ActiveDirectory,
\Enumerating\FileSystem,
\Parsing\TextFiles,
\Parsing\Strings,
\Parsing\TableData,
\Parsing\ObjectData,
\Writing\[same folders as parsing]
etc.

Proceed apace to Advanced Analytical PowerShelling:

Predict the results/output of PowerShell code that’s a step or two or even way beyond your current abilities. Then run the script and compare your guesstimates to the results. Of course, for this type of practice, a computing sandbox in which you can unleash total annihilation is a must.

Correspond with experts by seeking out and participating in PowerShell special use case blogs, such as those at SANS Security and elsewhere:
http://cyber-defense.sans.org/blog/category/powershell

Look into the relationship PowerShell has with .NET and how you can use PowerShell underneath the graphical world of C#.

Take PowerShell to new unconquered worlds via Desired State Configuration Tool, Puppet Forge, and PowerCLI.

And here are some thoughts and words for those who would be PowerShell Mystics:

Study the notion of an Abstract Syntax Tree; diagram pieces of its underlying data structure on paper. Then celebrate as you come to understand how PowerShell’s Tab Completion feature works.

Study rudimentary Data Structures: Arrays, B-Trees, Heaps, Linked Lists, etc., because it’s the data structures that lie at the heart of all programming. Understanding underlying data structures is also, often, the key to troubleshooting complex IT problems.
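Two of the suggestions above, analyzing scripts you did not write and studying the Abstract Syntax Tree, meet in PowerShell’s own parser, which you can call directly. The following is an added example, not code from this post, that parses a script into its AST and lists every command the script would call, without executing it. The sample script is constructed for the example (a cut-down version of the SANS-style snippet), the function name Get-ScriptCommand is chosen here, and it assumes PowerShell 3.0 or later, where the System.Management.Automation.Language.Parser class exists.

```powershell
# Added example (not code from the post): parse a script into its Abstract Syntax
# Tree (AST) and list every command it invokes, without running it.
# Assumes PowerShell 3.0 or later, where the Parser class used below exists.

# Constructed sample input: a cut-down SANS-style snippet. It is only a string
# here and is never executed.
$sampleScript = @'
Get-Service | ForEach {
    $cfg = sc.exe qc $_.Name
    Add-Member -InputObject $_ -NotePropertyName Path -NotePropertyValue $cfg
    $_
} | format-list Name, Path
'@

function Get-ScriptCommand {
    # Returns one object per command invocation found anywhere in $Script,
    # including those nested inside script blocks and pipelines.
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)] [string] $Script)

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $Script, [ref] $tokens, [ref] $errors)
    if ($errors.Count -gt 0) {
        $messages = ($errors | ForEach-Object { $_.Message }) -join '; '
        throw "Parse errors: $messages"
    }

    # FindAll walks every node of the tree; the predicate keeps CommandAst nodes.
    # The second argument ($true) descends into nested script blocks as well.
    $ast.FindAll({ param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true) |
        ForEach-Object {
            $name = $_.GetCommandName()   # $null when the command name is itself an expression
            $info = $null
            if ($name) {
                $info = Get-Command $name -ErrorAction SilentlyContinue | Select-Object -First 1
            }
            # Aliases such as "ForEach" resolve to their definition (ForEach-Object);
            # anything not installed on this machine stays unresolved.
            $resolved = $null
            if ($info) {
                $resolved = if ($info.CommandType -eq 'Alias') { $info.Definition } else { $info.Name }
            }
            [pscustomobject]@{
                Line     = $_.Extent.StartLineNumber
                Command  = $name
                Resolved = $resolved
                Text     = $_.Extent.Text
            }
        }
}

# Usage: which commands would this script call, and what do the aliases expand to?
Get-ScriptCommand -Script $sampleScript | Format-Table Line, Command, Resolved -AutoSize
```

The same tree is what Tab Completion consults: [System.Management.Automation.CommandCompletion]::CompleteInput parses the text typed so far and uses the node under the cursor to decide whether to offer a command name, a parameter, or a file path. Swap the CommandAst filter for VariableExpressionAst or ParameterAst and the same FindAll call gives you every variable or parameter a script touches, which is a quick way to size up an unfamiliar script before you run it.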

If you’ve got comments I’d like to hear ’em.

And good luck with your 70-410,

Scott

P.S. If you’ve been wondering, [What’s up with the square brackets?] Well, speaking of parsers, I had the good fortune of taking a Programming Languages and Compilers course at one of the world’s greatest Computer Science universities. And when one writes a parser to carry out specific commands, one quickly absorbs the nature and value of brackets, braces, and parentheses. So the brackets are this scrivener’s habit and they are what they seem: a simple delimiter for emphasis.

Editor’s note: today’s guest post was written by IT instructor Scott Winger. Scott is a computing technologist at the University of Wisconsin in Madison and a technical editor for VMware Press. He also teaches continuing education classes in IT for Madison College.
