From paul.suh at ps-enable.com Tue Mar 13 22:15:24 2007
From: paul.suh at ps-enable.com (Paul Suh)
Date: Tue Mar 13 22:15:36 2007
Subject: [Newsletter] Network World, The Canard of the Single-Source Argument, and More
Message-ID: <7710AD6C-A595-41F5-86B2-7A04E3DFC678@ps-enable.com>

Folks,

Network World Magazine
----------------------------------

Hey, I got quoted in Network World magazine. :-)

The title of the article is "Mac OS being infused with the tools of the corporate IT trade, but can it catch on?" The gist of the article is that the Mac is ready, but a lot of IT shops haven't properly evaluated it yet. I got the last tagline as well, "'I guess I still don't see Mac having crossed the awareness gap,' says ps Enable's Suh. 'It has started to seep into IT consciousness, but there is still a lot of prejudice out there, with some saying Mac is not ready for prime time. Until that awareness gap is closed, then everything else is secondary.'"

The Canard of the Single-Source Argument
-----------------------------------------------------------

> canard
> 1 an unfounded rumor or story : the old canard that LA is a
> cultural wasteland.
> ...
> ORIGIN mid 19th cent.: from French, literally "duck," also "hoax,"
> from Old French caner "to quack."

Now that the Mac is being seriously considered by enterprise customers, the old single-source canard has been raised by a few "analysts" (most of whom as far as I can tell have never analyzed anything, instead just spewing the words of others). It runs something like this:

"Since the Mac is produced only by Apple, if you don't like Apple or Apple treats you badly or you don't like the price, you can't go somewhere else for your systems. On the Windows platform, you can go to HP or Dell or IBM and get compatible equipment if your current vendor treats you badly."

Bull. What a load of. Complete nonsense. Sewage best dealt with by flushing down the toilet. Why?
There are two parts that need to be addressed: the part that is common across the various vendors and the part that is specific to each vendor.

First, the part that is common to each vendor -- Windows. If there is some part of Windows that you don't like, you have two choices. One is to buy into an open source solution such as Linux or FreeBSD, which has its own costs. The other is to switch to the Mac. If Windows is a problem then switching from IBM to Dell is not going to solve anything. Not technical issues and not license pricing issues either. Any license pricing that you can get from one you can get from the other, since it is all dictated by Microsoft anyway.

Second, the part that is specific to each vendor -- the hardware and the hardware support. The single source canard has a hidden assumption -- that you can replace *all* of a disliked vendor's hardware at once. Not going to happen. Never. Not at the enterprise scale, anyway. Different chipsets have different driver requirements. The lights-out management systems are just a little bit different between vendors, and between different models from the same vendor. Stuff *will* get stomped on or stop working in the face of system updates or service packs or security patches. Once that happens you're going to have to fix up your deployment images and in-place systems. To do this, you will need to continue to deal with the old company's support. Only now, since you're no longer buying any new hardware from them, you're at the back of the line as far as their account reps are concerned. Lotsa luck, chief.

So, any time that someone raises the, "but if I buy from Apple I'm stuck with a single source" argument, ask them what considerations exist when they want to switch to a different vendor with non-Apple equipment.

Subscribing to This Newsletter
-----------------------------------------

I've updated my website so that you can subscribe to this newsletter from the website.
I put a link on the front page and also at the top of the newsletter page. If you have friends or colleagues who want to sign up as well, please have them go to:

Again, please let me know if you like the articles or have a topic that you would like me to cover.

Macs on a Train
----------------------

You've heard of Snakes on a Plane, right? Well how about Macs on a Train? I took Amtrak up to New York City a couple of weeks ago, and on the way back I noticed that every single open laptop in my car (which was about 3/4 full) was a Mac! Even in the other cars, there were at least one or two Macs among the Windows laptops that people were using. And, it wasn't just students or leisure travelers -- the people using the Macs were dressed in business suits, not jeans.

Defeating Hardware Rootkit Detection
---------------------------------------------------

Be afraid. Be very afraid. This is a really neat trick to defeat PCI- or FireWire-based RAM snapshot utilities by hacking the RAM controller on the motherboard. It just goes to show that you absolutely cannot check the security on a computer system while it is running. My hat is off to Ms. Rutkowska for this very excellent hack. It's worth going through her presentation slides from the link at the bottom of the article.

--Paul

Paul Suh
http://www.ps-enable.com/
paul.suh@ps-enable.com
(240) 672-4212
From paul.suh at ps-enable.com Wed Mar 28 00:00:54 2007
From: paul.suh at ps-enable.com (Paul Suh)
Date: Wed Mar 28 00:01:16 2007
Subject: [Newsletter] One Year Ago, Daylight Savings Time II, Personal Firewall, The Lighter Side
Message-ID: <7D9539FB-C894-40BB-AE16-3B4BE463DA5E@ps-enable.com>

Folks,

One Year Ago
-------------------

A year ago on March 13, I left Apple and started ps Enable, Inc. Thanks to everyone who's helped me along the way. :-D

Pass It On
--------------

If you like this newsletter, please forward it to any colleagues who might be interested. They can sign up for their own copies at: .

Daylight Savings Time II
---------------------------------

Now that we've finished taking care to move our clocks forward three weeks early, we should also beware of systems that spring forward again on the old date. I had to move the clock for my old VCR forward manually, because the automatic DST function can't be updated. In another week or so it will spring ahead another hour, and I will need to move it back an hour when that happens. There may be any number of embedded systems like this in your organization that you had to "spring forward" manually; only now you're going to have to "spring them back" manually again. Oh, and don't forget these same systems come October and November.

Personal Firewall
------------------------

Q: What should you do with the personal firewall on Mac OS X?

A: Turn it off and leave it off.

Say WHAT?!?!

The personal firewall isn't actually protecting you against anything, since it's linked to the various sharing services. Anyway, firewalling at the endpoints (the client or the server) is not very useful -- proper firewalling happens at the router. First, let's look at how the personal firewall works in detail, then let's look at the consequences.
Since the Sharing prefs pane services are integrated with the firewall, what happens in the four possible states?

1) Firewall off, service off --> port closed
2) Firewall on, service off --> port closed
3) Firewall off, service on --> port open
4) Firewall on, service on --> port open

Notice anything? The state of the port depends only on the state of the service, not the state of the firewall. Thus, the firewall has NO effect on the state of the ports. The firewall does have a marginal effect in that it may slow down an attacker's port scan if you turn on stealth mode, but in practical terms that has little effect. Most scans are done by automated tools that don't really care how long it takes.

Now, what are the consequences? In a low-threat environment, by turning on the firewall you interfere with services like Bonjour-based iTunes and iPhoto sharing, SubEthaEdit, etc. In a high-threat environment, what the heck are you doing with those services running, anyway?

The personal firewall is a feel-good, marketing-driven measure that can be safely turned off on Mac OS X, which ships with all TCP ports closed by default (although UDP 5353 is open for Bonjour). On Windows you need a personal firewall on every single machine, since there is no way to turn off the System or RPC services, and NetBIOS is generally on. Thus, TCP ports 135, 139 and 445 and UDP ports 137, 138, and 139 are always open unless they are blocked by a firewall.

I have long suggested (and yes, it is filed in Radar) that there should be an option to have the firewall restrict connections to those coming from just the local subnet, with an option to allow connections from anywhere. This would allow people to share files with someone locally without opening themselves up to the full Internet. Configuring the firewall this way would have a significant effect in slowing the spread of a zero-day exploit since the malware would face difficulties propagating itself beyond the local subnet.
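If the port state is decided by the service and not by the firewall, the check worth automating is which sockets are actually listening, compared against the baseline the newsletter gives (all TCP closed, only UDP 5353 open for Bonjour). The Python below is an added example, not code from the newsletter; it assumes the BSD/macOS `netstat -an` column layout, and the netstat text it parses is a constructed sample rather than output from a real machine.

```python
from typing import List, Set, Tuple

# Baseline stated in the newsletter: every TCP port closed, only UDP 5353 (Bonjour) open.
BASELINE: Set[Tuple[str, int]] = {("udp", 5353)}

# Constructed sample in the BSD/macOS `netstat -an` layout (not captured from a real host).
# The local address column ends in ".<port>"; TCP rows carry a state, UDP rows do not.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  192.168.1.20.52113     203.0.113.5.443        ESTABLISHED
udp4       0      0  *.5353                 *.*
udp4       0      0  *.137                  *.*
"""

def listening_sockets(netstat_text: str) -> Set[Tuple[str, int, str]]:
    """(proto, port, bind_host) for every socket that accepts inbound traffic.
    TCP counts only in LISTEN state (ESTABLISHED is a client connection, not an
    open port); UDP has no state, so every bound UDP socket counts."""
    found: Set[Tuple[str, int, str]] = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].startswith(("tcp", "udp")):
            continue  # banner, column header, or unix-domain socket rows
        proto = cols[0][:3]
        host, _, port = cols[3].rpartition(".")
        if not port.isdigit():
            continue
        if proto == "tcp" and (len(cols) < 6 or cols[5] != "LISTEN"):
            continue
        found.add((proto, int(port), host))
    return found

def unexpected_listeners(netstat_text: str, baseline: Set[Tuple[str, int]] = BASELINE,
                         ignore_loopback: bool = True) -> List[Tuple[str, int, str]]:
    """Network-reachable sockets that the baseline does not account for."""
    deviations = []
    for proto, port, host in sorted(listening_sockets(netstat_text)):
        if ignore_loopback and host in ("127.0.0.1", "::1"):
            continue  # loopback-only bind: not reachable from other hosts
        if (proto, port) not in baseline:
            deviations.append((proto, port, host))
    return deviations

if __name__ == "__main__":
    for proto, port, host in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"{proto}/{port} bound to {host}: not in baseline, check the Sharing pane")
```

On the sample, the AFP listener on TCP 548 and the NetBIOS name service on UDP 137 are reported, while the loopback-only CUPS port and the outbound ESTABLISHED connection are not.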
The Lighter Side
----------------------

I ran across some pretty funny IT stories on ComputerWorld's website, in the Sharkbait section. Read a few if you need a short break.

--Paul