Sunday, January 21, 2018

Windows 10 Rant

I haven't had a good rant in a long time. And it's not that I dislike Windows 10. And it's not that I don't like Windows 10 upgrading (different than updating) regularly.

Remember back in a previous post I enumerated the various versions of Windows 10. There have been more since then and a commitment (threat) from Microsoft for 2 per year.

In that post I noted 2 issues with the Anniversary Update (1607). They have continued with the Creators Update (1703).

I'll try to recap the things to look out for as Microsoft leads us down this trail.

Microsoft will silently remove drivers and software that they think aren't compatible with the new version of Windows. I have had my video drivers removed twice, including the non-driver program used to update the drivers. Most recently they removed my VNC service. Microsoft admitted to the EU that they remove third-party antivirus in certain conditions. I understand why in some cases these actions are necessary, but please don't do them SILENTLY.

Microsoft has twice reset password-protected network sharing. I don't see that that has anything to do with a new version of Windows.

Microsoft has turned off System Restore. You find this missing at the worst possible time when you need to fall back to a known good state. You can turn it back on but still...


Sunday, January 14, 2018

One More Log on the Fire

If you're a regular reader you'll know that I'm a proponent of using Windows Defender as my anti-virus. While that it's free is a big factor for me, that it doesn't introduce new vulnerabilities into Windows is even bigger.

I've discussed that here, here and here.

In Microsoft's announcement of their patches for Meltdown and Spectre they included the following:

"Note: Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key:"

Read that again.

If your anti-virus vendor doesn't set a new registry key you will NEVER get another security update.

Now, certainly mainstream anti-virus vendors quickly complied.

But what that means is that mainstream anti-virus vendors have been using non-public kernel calls.

Don't do that.

Further, if you don't run any anti-virus you must manually set that registry key or you will NEVER get another security update.

"In cases where customers can't install or run antivirus software, Microsoft recommends manually setting the registry key as described below in order to receive the January 2018 security updates."

There's a pertinent blog post here.

Sunday, January 07, 2018

The World Revolves Around Memphis

Chrome 63 is forcing all domains ending in .dev to be redirected to HTTPS via a preloaded HTTP Strict Transport Security (HSTS) header. This may impact organizations that have been using the .dev TLD privately for their own development teams.
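How a preloaded TLD entry catches every internal http:// URL under .dev, as an added example (not from the original post and not Chrome's code). The list entries, field names and hostnames are constructed for illustration.

```javascript
// Constructed miniature of a browser's HSTS preload list. The post only says
// that .dev is preloaded; the second entry is a hypothetical contrast case.
const PRELOAD = [
  { name: "dev", includeSubdomains: true },
  { name: "intranet.example", includeSubdomains: false },
];

// True if `host` is covered by an entry in the preload list.
function isPreloaded(host, list = PRELOAD) {
  const h = host.toLowerCase().replace(/\.$/, ""); // normalise case and trailing dot
  // HSTS is defined for host names; IP literals are never matched.
  if (/^\d+(\.\d+){3}$/.test(h) || h.startsWith("[")) return false;
  const labels = h.split(".");
  // Walk from the full name towards the TLD: wiki.corp.dev -> corp.dev -> dev.
  for (let i = 0; i < labels.length; i++) {
    const entry = list.find((e) => e.name === labels.slice(i).join("."));
    // An exact match always applies; a parent match needs includeSubdomains.
    if (entry && (i === 0 || entry.includeSubdomains)) return true;
  }
  return false;
}

// The rewrite applied before any request leaves the browser, so no
// plain-HTTP connection to the internal server is ever attempted.
function upgradeUrl(input, list = PRELOAD) {
  const url = new URL(input);
  if (url.protocol !== "http:" || !isPreloaded(url.hostname, list)) return url.href;
  url.protocol = "https:"; // an explicit non-default port is kept as-is
  return url.href;
}

// Constructed internal URLs of the kind a private .dev zone would serve.
for (const u of [
  "http://wiki.corp.dev/page?id=1",
  "http://build.dev:8080/",
  "http://wiki.intranet.example/",
  "http://10.0.0.5/",
]) {
  console.log(u, "->", upgradeUrl(u));
}
```

Because HSTS also removes the click-through on certificate errors, an internal host under a preloaded TLD needs a certificate the browser already trusts, not just a listener on 443.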

Now most of us don't have to worry about that but it reminded me of a situation I had encountered at a former company.

My company had acquired another company. They were using an address space for their internal TCP/IP network that was routable but didn't belong to them. Obviously they weren't connected to the Internet.

They also had an internal DNS server that used their company's initials as a TLD. Needless to say, they weren't the owner of the TLD.

Yeah, it took us a while to integrate them into our network.

But that was just the start.

As we were upgrading SAP worldwide we changed the GUI to use DNS rather than a hard-coded IP address. Then we pushed that change worldwide.

Then the SAP Basis team changed the target of the DNS name and watched for fallout.

Europe failed and was quickly addressed by updating our European DNS server.

But oddly, seemingly random US facilities were also failing.

We finally discerned that these were all facilities of the former company.

The on-site LAN admins determined that the locations' PCs had their DNS pointing to the former company's servers. Obviously they hadn't been updated.

When I reached out to management at the former company he responded that "You act like the world revolves around Memphis."

My response was "When it comes to DNS, it does."

Those were the good old days.