Asus and Log4j

Surely you've heard of the Log4j vulnerability by now.

A recent podcast led me to investigate whether my Asus RT-AC68R was vulnerable. I've got a lot of Asus equipment.

I went to Asus' site and found their summary of "Affected Products & Services".

Nice.

Keepass Revisited

The end of the year gets me to reminiscing. One issue that came to mind recently is Keepass. These posts cover all the mechanics. I have migrated from Dropbox to OneDrive for storage. While I casually use Google Chrome's password store, my serious encrypted store is Keepass.

It's flexibility lets me store notes.

I also use Keepass to save names and addresses.

I had been using a 16GB Transcend thumb drive for the last several years. Last week, when I tried to update Keepass, I got a message that the drive was write-protected. I could still read it. After an hour or so of playing with it I realized it was just worn out.

As I keep it on my keyring, I needed a small but sturdy replacement. I found this 32GB Kingston DataTraveler.

It works great for Keepass.

Happy New Year 2022

The start of a new year is a good time to review a few things and make sure everything is right. Here's my list of things I think you should check once a year.

Some of the steps may be a little out of date but I think you can find your way around. If not, leave me a comment and I'll help.

PayPal Preapproved Payments
Offline Backup
Certificate Store
Router Configuration
Windows Defender and Windows Defender Offline
Controlled Folder Access
System Restore

You'll sleep better.

Wyze Cam Plus Person Detection

As I've mentioned previously, I'm a big fan of Wyze products.

Initially, the Wyze cameras had on-camera person detection but a dispute with Xnor.ai forced Wyze to remove this.

This seemed like a bad thing but it has been good.

Wyze introduced a paid service called Cam Plus. It's cheap ($1.25 per month per camera) and from time to time, they offer deals. I got an annual package for 5 cameras for $49.99.

In addition to person detection, Cam Plus offers package detection, vehicle detection, and pet detection. It also removes the 5 minute "cool down" period and has unlimited video length.

You can see how this looks in the following event log.

From the bottom to the top, you can see my neighbor pull into my driveway, walk to the front door, carry the package around to the back porch, return to his car, and drive off.

Just FYI, for my last purchase, I got the Wyze Cam v3 ($33.59) and a Samsung 32GB MicroSD card ($8.55).

Windows 10 21H2 Enablement Package

Windows 10 November 2021 Update, a.k.a. 21H2, doesn't have many new features, especially for the home user.

• Adding WPA3 H2E standards support for enhanced Wi-Fi security
• Windows Hello for Business introduces a new deployment method called cloud trust to support simplified passwordless deployments and achieve a deploy-to-run state within a few minutes
• GPU compute support in the Windows Subsystem for Linux (WSL) and Azure IoT Edge for Linux on Windows (EFLOW) deployments for machine learning and other compute intensive workflows

It hasn't shown up on ANY of my PCs so far. I always try to test new things so you don't have to. 21H2 is no exception.

Like 21H1, I found a link to download the enablement package. And like 21H1, when I clicked on that link, nothing happened. I had to right click and choose "Copy link address" and then paste that link into another browser tab.

Worked fine.

I Can Print Again

This story starts with PrintNightmare. That's a long and arduous journey that isn't over.

But one of the side effects is that Microsoft's attempts to fix PrintNightmare has impacted Windows printing for months.

Printing to a direct connected printer hasn't been a problem (yet) but printing to a "server" connected printer has been impacted.

At my house, I have a Windows 10 Pro computer with a USB attached color laser printer. Each of my other PCs have this printer mapped across the network.

This has worked perfectly for YEARS - until August 2021's Patch Tuesday.

Then my PCs couldn't print to the shared printer.

But Microsoft couldn't let this situation persist, could they?

I waited until September's Patch Tuesday but I still couldn't print.

I took to Google and found a Registry hack that got me printing again.

Then after October's Patch Tuesday I couldn't print again.

But Microsoft couldn't let this situation persist, could they?

I waited until November's Patch Tuesday but I still couldn't print.

Again, I took to Google and found a Registry hack that got me printing again.

This time the workaround was in Bleeping Computer. grumpyoldadmin posted the following Registry hack from Microsoft for the November Patch Tuesday "fix."

Windows Registry Editor Version 5.00




[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides] "713073804"=dword:00000000 

And that worked. There're specific hacks for the various versions of Windows 10. But if you read grumpyoldadmin's post, he notes that Microsoft also informed him that this change will need to be backed out once the December "fix" is released.

At this point, I'll take what I can get.

PS. Phil_Psdp commented:

For M$ to come up with entries to disable specific "features" in these updates certainly implies a deeper knowledge of the consequences than they are admitting

Aaarg!

Unbelievable

I've published previously about Microsoft letting certificates expire on Teams and Exchange. I even offered Microsoft some advice:

Maybe they should have put a reminder on their Outlook calendar.

I guess, like Facebook, Microsoft doesn't read my blog.

It happened again.

Microsoft warns Windows 11 features are failing due to its expired certificate

Microsoft has started warning Windows 11 users that certain features in the operating system are failing to load due to an expired certificate. The certificate expired on October 31st, and Microsoft warns that some Windows 11 users aren’t able to open apps like the Snipping Tool, touch keyboard, or emoji panel.

Besides being unbelievable that this keeps happening is that "certain features" of Windows 11 are dependent on Internet-based certificates.

Why in the world would tools like the Snipping Tool and touch keyboard depend on Internet certificates?

And I love their mitigation advice (archive.is):

To mitigate the issue with Snipping Tool, use the Print Screen key on your keyboard and paste the screenshot into your document. You can also paste it into Paint to select and copy the section you want.

Doh.

Nuclear Ransomware 3.0

I follow a lot of material from KnowBe4. They provide really good training for enterprises covering social engineering attacks.

Hopefully, I'm personally beyond that risk. At least I passed all the KnowBe4 classes I just took.

Recently KnowBe4's Roger Grimes posted an article on "Nuclear Ransomware 3.0."

We all know what ransomware started out doing.

He described Nuclear Ransomware 2.0 as "Quintuple Extortion."

The five elements were:

• Stealing Intellectual Property/Data
• Stealing Every Credential It Can - Business, Employee, Personal, Customer
• Threatening Victim’s Employees and Customers
• Using Stolen Data to Spear Phish Partners and Customers
• Publicly Shaming Victims

Those are bad enough.

Then he went on to suggest what Nuclear Ransomware 3.0 would consist of:

• Selling exfiltrated data
• Selling exfiltrated stolen credentials
• Selling initial access
• Stealing money from bank and stock accounts
• Personal extortion against individuals
• Hacking for hire
• Selling lead lists from stolen customer data
• Business email compromise scams
• Installing adware
• Launching DDoS attacks
• Crypto mining
• Creating rentable botnets
• Sending spam emails
• Resource renting
• Acting as proxy sites for other attacks
• Anything else they can think of to generate revenue

Yikes!

And some of these are already emerging. If you haven't heard of Initial Access Brokers (IABs), read this.

Top 5 Cyber Threats

Trend Micro shared a study in July 2021 on Cyber Risk Index.

There's a lot of comparison of risks across geographic regions, e.g. North America, Latin/South Americas, Europe, Asia-Pacific.

North America had the highest risk when Trend Micro compared regions' preparedness to the threat index.

While there's a lot to worry about there, to me the actionable topics are what Trend Micro called the "Top 5 Cyber Threats".

North America

1. Phishing and social engineering
2. Clickjacking
3. Ransomware
4. Man-in-the-middle attack
5. Fileless attack

Make that your "to do" list.

8 Inches vs 12 Inches

Ok, get your minds out of the gutter. I'm talking about silicon wafers.

We've all heard about car and truck production being impacted by chip shortages.

Why? I could have never guessed.

It turns out that automotive chips are fabricated on 200mm (8 in.) silicon wafers. Current wafer technology is 300mm (12 in.).

The use of chips in automobiles is booming so demand for 200mm wafers is increasing.

But the manufacturers of the wafer production technology are focusing on 300mm wafers.

This has caused a crunch in manufacturing of 200mm wafers.

As one headline from December (2020) read, "8-inch wafer capacity is in short supply to unimaginable levels", with the article stating "wafer production capacity is so tight that customers' demand for production capacity has reached a panic level." And that from mid 2021 "to the second half of 2022, the logic and DRAM markets will be out of stock."

ExtremeTech reported:

200mm was supposed to fade away as 300mm came online, and that worked from 2007 - 2014, ... 200mm capacity has gotten difficult to book. Large foundries like TSMC have been slow to add new 200mm capacity ...

Even the IEEE weighed in:

Despite the auto industry's desperation, there's no great rush to build new 200-mm fabs.

So, maybe the automotive industry could just move to 300mm wafers.

For automotive products from specification to PPAP would be more like 24 to 36 months, again depending on the complexity.

There's not going to be a quick fix.

Here's the only good news I've found around this:

Stop-start technology will be gone for now from non-diesel versions of Cadillac Escalade; Chevy Tahoe, Suburban, and Silverado; plus GMC Sierra and Yukon.

Plan Z

Facebook had a bad day recently. And the next day wasn't too good either.

I've posted a couple of times (here and here) about my "Plan Z."

I've also posted several times (here, here, and here) about WFH risks.

Apparently Facebook doesn't read my blog.

Somebody at Facebook made a mistake. People make mistakes. That will happen.

What happened (or rather what didn't happen) next is the issue.

The Daily Mail had a good recap of the series of problems.

But the repair was delayed, according a purported insider, because of 'lower staffing in data centers due to pandemic measures', ...

There's the "WFH risk." And no Plan A.

Kieron Harding, an IT Infrastructure Engineer at GRC International Group, told DailyMail.com: 'The nature of the problem meant Facebook would have needed network engineers to physically access their BGP routers - and due to the pandemic, some of the data centers quite possibly don't have an engineer based on site, or someone who could have immediately started to work on the problem.'

"Facebook would have needed network engineers to physically access their BGP routers," Facebook didn't have a Plan B.

... the misconfiguration of the BGP also affected Facebook's physical door access systems

Facebook didn't have a Plan C.

You have to have a plan all the way down to Plan Z.

Be prepared.

Microsegmentation Discovery

In my previous post on Microsegmentation, my closing comment was:

Labeling of assets is critical along with a comprehensive understanding of the applications relationships and dependencies.

In HP Enterprise's article on microsegmentation they said:

The smaller the segments, the more likely that security policies and controls can break normal interactions. So it's crucial to first get a lay of the land through a robust discovery process that uncovers what devices and applications are running on the network and then maps their data and traffic flows.

At a recent lunch with a network architect, he related how they had bought and implemented all the hardware for microsegmentation. But nobody would step up to the "robust discovery process" necessary. The microsegmentation capabilities of the equipment were never implemented. Eventually their hardware's capacity was exceeded and they were replaced.

What a shame.

Make sure that your microsegmentation project has not only the financial capital but the political capital to succeed.

Everyone Gets a Rootkit

Now that I have your attention with that clickbait headline ...

There's been a recent flurry of articles about a longstanding Microsoft Windows capability called "Windows Platform Binary Table" (WPBT).

Introduced with Windows 8, here's an excerpt of Microsoft's description (docx):

This paper describes a mechanism for a platform, via the boot firmware, to publish a binary to Windows for execution.  The mechanism leverages a boot firmware component to publish a binary in physical memory described to Windows using a fixed ACPI table.

"via the boot firmware" is the significant part.

Microsoft goes on:

The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a "clean" configuration. WPBT allows the Windows image on disk to be modified at boot time.

Yikes!

Remember my advice to "Reload Windows on Your New PCs?" That might not be enough.

Principally, WPBT is there for hardware manufacturers to install their own firmware drivers before Windows loads.

But remember Murphy's Law: If anything can go wrong, it will.

As far back as 2015 there have been vulnerabilities related to WPBT. Here's (archive.is) Lenovo's story.

This popped up again this week in a report (archive.is) from eclypsium.

How-To Geek has the process (archive.is) on how to check your PC:

... open the C:\Windows\system32 directory and look for a file named wpbbin.exe. ... If it’s not present, your PC manufacturer hasn’t used WPBT to automatically run software on your PC.

My ThinkPad and Asus desktop were clean.

YMMV

WFH Issues

WFH is a new acronym  for "Work From Home." I've blogged about my concerns before here and here.

Recently I came across a white paper from HP's Wolf Security group. Remember that they sell "endpoint security."

According to our HP Wolf Security Blurred Lines and Blindspots report, 23% of office workers globally expect to predominantly work from home post-pandemic, with an additional 16% expecting to split their time equally between home and the office. This will have far-reaching consequences for organizations across all economies.

This change is here to stay. That's really scary from a security perspective.

Here is a summary of their findings.

OFFICE WORKER REBELLIONS

Apathy

• 39% of office workers surveyed aged 18-24 were unsure of the existing data security policies in place at their work
• 36% of office workers surveyed had been given training on how to protect their home network
• 54% of office workers surveyed aged 18-24 were more worried about deadlines than exposing the business to a data breach

Frustration

• 48% of office workers surveyed aged 18-24 thought security policies are a hindrance
• 37% of office workers surveyed said security policies and technologies are too restrictive
• 48% of office workers surveyed said security measures result in a lot of wasted time

Circumvention

• 31% of office workers surveyed aged 18-24 had tried to circumvent security

We have a lot of work to do.

There's another section on IT Team Rejections. I'll let you read that at your leisure.

Mobile LTE Coverage Map

I recently came across an interesting article posted by the Federal Communications Commission (FCC).

It contains a map that shows the 4G LTE mobile coverage areas of the nation’s four largest mobile wireless carriers: AT&T Mobility, T-Mobile, UScellular, and Verizon.

It states that the coverage map was created using data submitted voluntarily by the four mobile carriers and depicts the coverage a customer can expect to receive when outdoors and stationary.

I am an AT&T wireless customer and have always found that cellular coverage varies significantly in the Memphis metro area.

This tool supports that experience on AT&T but I am skeptical of the other carriers' reporting.

Here is an example of LTE data in a neighborhood in Memphis that is not friendly to cellular towers.

AT&T

T-Mobile

Verizon

Who do you believe?

For reference, here's a map of cell tower locations.

AntennaSearch.com

Microsegmentation

Years ago, a co-worker and I had a discussion about architecting our Unix systems as if each one was at risk from the network, even the LAN. His thinking was that you would never know where the threat was coming from so you should not trust anyone except those connections you made deliberately.

He was so far ahead of everyone else. And ahead of the technology available then.

Now we have Software Defined Networking (SDN). Usually SDN is applied to Wide Area Networks (WANs). SDNs warrant a whole series of posts on their own.

What is now nascent is Microsegmentation.

https://www.paloaltonetworks.com/cyberpedia/what-is-microsegmentation

This excerpt from eSecurity Planet nails my co-worker's vision.

The Problem With Traditional Security Techniques

More traditional security tools, such as firewalls, VPNs and network access control (NAC), have their limits because they focus primarily on securing the network perimeter. Security teams historically assumed the biggest threats were attacking from outside the network. But that approach overlooked insider threats - and the damage that hackers could do when they eventually got inside the network.

SDN provides the underlying technology that wasn't available years ago.

But that allows you to worry about the next layer. What traffic do you allow between systems? Now you need to get to Layer 7 granularity.

Gardicore has a good article that lays out the benefits (and challenges) of microsegmentation.

Benefits of Microsegmentation

Lateral Movement Security

Reduce Attack Surface

Secure Critical Applications

Then an organization has to consider the methods.

Microsegmentation by environment

Creating regulatory boundaries

Microsegmentation by application type

Microsegmentation by tier

The steps for an implementation effort are:

Identify what needs to be segmented

Tackle short-term goals

Deal with long term goals

Repeat

Labeling of assets is critical along with a comprehensive understanding of the applications relationships and dependencies.

I'll cover more of microsegmentation in future posts.

Chrome Incognito

Google recently came out on the short end of a $5 billion class-action lawsuit concerning Chrome's Incognito mode.

Apparently as a result of that lawsuit, Google is being more obvious about what Incognito means.

I thought it would be worth sharing. Here is the new splash screen for Incognito mode.

What Incognito does
After closing all Incognito tabs, Chrome clears:
• Your browsing activity from this device
• Your search history from this device
• Information entered in forms

What Incognito doesn't do
Incognito does not make you invisible online:
• Sites know when you visit them
• Employers or schools can track browsing activity
• Internet service providers may monitor web traffic

One subtlety in the first section is that Chrome doesn't take any clearing action until after you close all Incognito tabs. What this means is that if you visit a site that only allows limited visits from a non-subscriber, the cookie that tracks your visit isn't deleted until you close all Incognito tabs. Specifically, if you have Facebook open in an Incognito window and then visit a paywalled site, the count of you visiting the paywalled site will remain until you close the Facebook Incognito window.

It's probably a good time to revisit How to Sandbox Facebook.

If You’re Going to Use the Cloud

... for Pete's sake, please use its strengths.

You know I have mixed opinions on the "cloud" depending on the size and capability of your organization.

An example of leveraging the cloud's strengths is in a recent article I saw from KnowBe4 entitled "Can the Microsoft 365 Platform Be Trusted to Stop Security Breaches?"

KnowBe4 referenced an article from Hornetsecurity entitled "1 of every 4 companies suffered at least one email security breach, Hornetsecurity survey finds." (Don't click on that just yet.)

Realizing that everybody has an agenda, let's look at these articles.

KnowBe4 calls out the following findings:

• 33% of organizations are not using Microsoft’s multi-factor authentication (MFA)
• Of those using MFA, 55% of organizations are not using Conditional Access which scrutinizes connection requests beyond just providing credentials and additional authentication factors
• Only 43% leverage Microsoft’s data loss prevention policies to keep data from leaving the organization
• 68% of organizations expect Microsoft to keep email safe from threats

This is my point. If you're going to use a cloud solution such as Microsoft 365, leverage its capabilities. Even if they are premium services, they're probably NOT services you could deliver yourself.

KnowBe4's recommendation: Have your "Users ... undergo continual Security Awareness Training."

By the way, that's KnowBe4's business model - training users. And that's a good thing.

Now, before you click on Hornetsecurity's link, get ready for a pretty aggressive privacy policy.

That almost scared me off. But just click on "Cookie-Details" and slide everything to "Off".

In addition to the points that KnowBe4 raised from Hornetsecurity's study, Hornetsecurity has one more finding: "An impressive 82% of all our respondents who use third-party email security solutions reported no breaches."

I'll bet you can guess what Hornetsecurity sells.

Regardless of the various agendas, the Hornetsecurity study is solid and the findings valuable. Take them into consideration for your Microsoft 365 implementation.

And consider the value-add capabilities of any cloud solution you implement.

Three Problems with Two Factor Authentication

One of the podcasts I listen to regularly is the SANS Internet Storm Center's "StormCast."

In addition to their podcasts, they have "diary" posts. Recently one of their contributors posted "Three Problems with Two Factor Authentication."

They actually listed 3 issues and "other gotchas."

Their list was:

0 - Usability

1 - Resetting the 2nd Factor

2 - Using a Token to Reset a Password

Now, being an engineer, I wasn't surprised by them beginning their count at "0."

But then they enumerated their "other gotchas."

4 - Other Gotchas

Where'd "3" go?

Very much worth the read!

You Say Tomato, I Say Tomato

Does this irritate you as much as it does me?

It kept popping up on various web sites and you had to close it.

Here's how to eliminate this pop-up.

Go to https://myaccount.google.com/permissions and scroll down.

Set "Google Account sign-in prompts" to OFF.

It's that easy.

Then I came across this article: Google has somehow made website sign-ins even easier

Tomato, tomato.

Follow the Wire

I'll start by conceding that the problem I'll be discussing was MINE, not Xfinity's.

But we didn't know that for a long time.

Recently my 2 year contract with Xfinity lapsed and my bill jumped $50 per month. I called to renegotiate.

They responded with a new plan that had the same TV channels and bumped the Internet speed from 200Mbps to 800Mbps. While I didn't NEED that speed increase, faster is always better.

So after a couple of days, I tried a speedtest.

Hmmm. 250Mbps. What's up with that?

So I looked at my modem, a CISCO DPC3008. While it is DOCSIS 3.0, it only has 8 download channels. This limits it to 340Mbps.

Maybe that was the problem. Not.

But it was time for a new modem anyway so I got an Arris SB6190. It was still DOCSIS 3.0 but had 32 download channels for 1.4Gbps.

Maybe that would fix it. Not.

So I called Xfinity for support. I got a representative in Honduras who was very thorough. His thinking was that there was a cap still in place somewhere but he couldn't see it. So he dispatched a technician.

The technician showed up. His diagnosis was that I had a bad coupling on the coax going into the modem. Not.

I was still at 250Mbps.

I placed another service call. This time the technician didn't even show up. He just called.

He said that I needed a different bootfile. His attempts at downloading a new one didn't work. He said that was because I needed a DOCSIS 3.1 modem.

The SB6190 was listed on Xfinity's modem page for 800Mbps. But I bought a Netgear CM2000 to satisfy him.

No change.

And that's the end of the Xfinity lack of support story. Hours and hours of my time. Several hours of Internet down time while replacing/testing hardware. Hundreds of dollars spent. Two technicians dispatched neither of whom was capable of diagnosing a problem.

So I decided to take the advice I gave to one of my Unix admins when he was troubleshooting a dial-out modem on an HP 9000.

FOLLOW THE WIRE.

I took a laptop with a gigabit Ethernet port and plugged it directly into the Netgear CM2000.

Bingo! I got 650Mbps.

Then I plugged that laptop into the LAN port on my router.

250Mps.

That pointed directly at my Asus RT-AC68R router.

As Pogo said, "We have met the enemy, and he is us."

So off to Google I went.

What I FINALLY found was that the RT-AC68R defaults to using the CPU to perform NAT acceleration. But the RT-AC68R has dedicated hardware that it can use. When I dug down into the settings and switched "NAT Acceleration" to "Auto", all was well!

The download speed jumped to 950Mbps!

The switch point where you should use the dedicated hardware is 150-200Mbps so I hadn't stumbled on it earlier.

Then I switched back to the Arris SB6190 and returned the Netgear CM2000. I still got 850Mbps.

Lessons learned: 1) Fast home Internet is a challenge and 2) Xfinity is no help.

There Is No Cloud

I post fairly regularly about the "cloud." I have mixed opinions depending on the size and capability of your organization.

But recently I was following a story of Google changing their desktop Drive solution, AGAIN.

As frustrating as that will be to Google Drive users, that's not the story I want to tell.

Often the comments on a tech story are as interesting and valuable as the story itself and this was no exception.

lglethal posted:

It's just another reminder that The Cloud is just someone else's computer. And if they decide to change the rules around using their computer, then you either have to suck it up and accept it, or to try and pull back in all your data yourself. Neither of which is usually an easy or pleasant experience...

Good advice.

Turns out, there's even a t-shirt for this!

Get yours now!

I'm STUNed

My router (Asus RT-AC68R) has a nice traffic monitor screen. I check it regularly. One day I noticed that an iPhone had a large amount of traffic attributed to STUN.

Off I went to figure out what STUN was.

It turns out that STUN stands for Session Traversal Utilities for NAT. Interestingly, STUN messages are sent in the lower overhead User Datagram Protocol (UDP) packets, not Transmission Control Protocol (TCP).

Still, what on the iPhone was using STUN?

Facetime.

Here's Apple's chart of port usage that calls out STUN.

Check off that we've learned something today.

Nearby Share

One iOS feature that I really like is AirDrop. A recent article (archive.is) in Winaero explained a similar Windows 10 feature called Nearby Share.

Nearby Share in Windows 10 allows transferring files between files within the same network. It is a great and somewhat underrated feature that will let you ditch third-party sharing apps and slow USB thumb drives. Being integrated into the OS, Nearby Share ensures the best compatibility with almost any Windows 10 device.

I would add that it is pretty much unknown, even by a geek like me.

You need relatively recent version of Windows 10, e.g. 1803 or later. You also need Bluetooth enabled and having the 2 PCs on the same Wi-Fi network increases the speed of transfer.

To use Nearby Share, on both systems go to Settings > System > Shared Experiences and turn on Nearby Sharing.

To share a file, right click on a file in Windows Explorer and chose "Share".

You'll get a dialog showing the receiving system. Click on it.

You'll get this notification on the sending system.

On the receiving system, you'll get this notification.

Nice!

Application Layer Gateways - Part III

In Part II, I discussed how certain applications are allowed to "tweak" the router so that traffic to different incoming ports is allowed.

This post is the final part of this discussion (at least for now).

Again, I will reference Steve Gibson's Security Now podcast, this time episode 804.

In this episode, Steve describes how a NAT slipstreaming attack allows a remote attacker to trick the NAT into creating NAT traversal mappings to ANY device on the internal network,

This isn't good.

Armis discovered that routers' Application Layer Gateways (ALGs) have even more issues.

WebRTC TURN (Traversal Using Relay around NAT) connections can be established by browsers over TCP to any destination port. The browsers restricted-ports list was not consulted by this logic, and was therefore bypassed.

These TURN connections are used by H.323, a VoIP protocol similar to SIP.

So what to do? I repeat the recommendation at the end of Part II. In your router, turn off as many of the ALG passthroughs that you can.

Good luck if you're using H.323.

Windows 10 21H1 Enablement Package

I wrote about how I had forced the upgrade to Windows 10 21H1 in a previous post. I did it the hard way and suffered the consequences. That post described the cleanup I had to do.

Well, I came across another laptop that hadn't/wouldn't upgrade to 21H1. I didn't want to take the hard way again.

If a PC automatically offers 21H1, the installation is QUICK. So I set out to find how to force that laptop to upgrade in the same manner as if it were automatically offered.

And I found it.

It seems that 21H1's functions were actually delivered in previous months cumulative updates. The "Feature Upgrade" that is automatically offered just flips some registry switches and reboots.

That "Feature Upgrade" is simply KB5000736, an enablement package. This enablement package is only available for devices running versions 20H2 and 2004.

If you have a device that isn't offering 21H1, just download KB5000736 (64-bit) and run it. Incidentally, when I clicked on that link, nothing happened. I had to right click and choose "Copy link address" and then paste that link into another browser tab.

Enjoy!

Happy 40th Birthday 8086

June 8, 2021 was the 40th anniversary of the Intel 8086 microprocessor chip. Today it's usually called the x86 chip.

https://commons.wikimedia.org/wiki/File:Ic-photo-Intel--D8086--%288086-CPU%29.png

Here's an article on its history.

I worked in IT during those 40 years and have a few thoughts.

In the 1990s, there were several competing architectures in the enterprise realm. I especially recall DEC's Alpha and Sun's SPARC. The less said about IBM's PowerPC the better. It took me some Googling to even remember what HP's processor was. And nobody remembers Intel's Itanium. HP went all in on Itanium and look where that got them.

But these architectures locked an organization into a specific vendor. We went through a huge and expensive migration of our SAP systems from PowerPC to SPARC.

During that effort, my architect and I pushed the vendors to propose a mixed environment, i.e. proprietary processors for database servers and commodity processors (x86) for application servers.

None of the vendors would play. We ended up going with SPARC, but in the end, the battle was lost to Intel's x86 architecture.

Ironically, this success wasn't attributable to Intel but AMD.

One of the advantages that SPARC brought us was the ability to move to 64-bit architecture for our database servers. That made orders of magnitude improvements in our I/O response times.

At that time, Intel didn't support 64-bit on x86.

AMD came along and implemented a 64-bit architecture on top of Intel's x86 code. That is known as x64 and has conquered the world.

Intel played catch-up and eventually implemented x64 and, as they say, "The rest is history."

But the fat lady hasn't sung yet.

Exchange in the Tank

This article came up in my feed recently:

Microsoft Exchange admin portal blocked by expired SSL certificate (archive.is)

This noted that the Microsoft Exchange admin portal was down after Microsoft forgot to renew the SSL certificate for the website.

That sounded familiar to me so I went back and searched my blog.

Bingo!

Teams in the Tank

In that case Microsoft tweeted:

We've determined that an authentication certificate has expired causing users to have issues using the service.

As Yogi Berra said:

It's déjà vu all over again.

Apparently Microsoft didn't take my advice:

Maybe they should have put a reminder on their Outlook calendar. 

Windows.old

I know I'm not your normal user. I try things so you don't have to.

Recently I forced the installation of Windows 10 21H1 on my ThinkPad. To do this, I downloaded the Windows Update Assistant and ran it.

Don't try this at home.

Unlike the upgrade from the Windows Update app, this process does a FULL Windows 10 update.

But it all went well. It took a long time unlike using the Windows Update app but worked fine.

Then a week later, I was poking around in my C: drive. (You do this, don't you?)

I found several folders that I wasn't expecting:

$GetCurrent - 4.23 GB

Windows10Upgrade - 3.62 GB

Windows.old - 25.6 GB (that's not a typo)

Those weren't really a problem on my HD but still that's over 33GB of space.

Surely Windows 10 would clean those up. Some of them are supposed to be cleaned up 30 10 days after the upgrade. That period had not lapsed.

Windows 10 has a Storage Sense feature that has an option to "Delete previous versions of Windows".

I ran that and it reported that it cleaned up 17.4 GB by deleting Windows.old. That's a nice start.

Now you ask why did it only clean up 17.4 GB if Windows File Explorer said that Windows.old was 25.6 GB? Read this until your head hurts.

Windows 10 Forums said that uninstalling the Windows Update Assistant will delete the Windows10Upgrade folder. I uninstalled the Windows Update Assistant and the Windows10Upgrade folder was gone.

How-To Geek said that the $GetCurrent folder can be deleted but should be deleted automatically. After 10 days, its size was only 181 KB.

Microsoft Aggressive Updates

In several of Microsoft's recent updates, e.g. Windows 10 21H1 update, when the system reboots the user is presented with aggressive fullscreen dialogs.

Here is what I saw on one of my systems and how I recommend that you respond.

"Your device needs to connect to a few more Microsoft services ..."

No, it doesn't "need" to connect. Ignore everything and click on "Continue".

"Use recommended browser settings"

No. Click on "Don't update your browser settings" and then click on "Apply Settings".

"Sign in with Microsoft"

Again, no. Click on "Cancel".

Give it up, Microsoft.

Saleforce's Circular Dependency

I follow cloud vendors' outages. Broadly, I believe that cloud vendors can deliver higher availability than most SMBs can do themselves. Enterprises are a different discussion.

But I always get a kick of looking at various cloud vendors post mortem reports (archive.is).

Recently Salesforce had a DNS outage. Like other vendors, e.g. Microsoft, the Salesforce outage even took down their status page!

And look at the spin they tried to put on it.

"We're not blaming one employee," said Chief Availability Officer Darryn Dieken.

And then they threw him under the bus.

"For whatever reason that we don't understand, the employee decided to do a global deployment," Dieken went on.

They don't understand?

But wait, there's more...

"In this case," he went on, "we found a circular dependency where the tool that we use to get into production had a dependency on the DNS servers being active."

 

If you're going to run a cloud service, you've GOT to design to avoid these kinds of problems.

Amazon Photos

Sorry, but this is just a rant. I'm an Amazon Prime user. I have several Amazon Echos. On the Echos, I have the display set to play a slideshow of photos from Amazon Photos.

That has been working fine until 05/11/21. The Echo Show 5 started only displaying the weather, no photos. I poked around in the settings and confirmed that I had the display set to show my photos, the weather, and upcoming calendar events.

Amazon has a tacky habit of silently turning on other features but this time that hadn't happened. So I navigated to re-select the Amazon Photos album to use as a slideshow.

I got a screen that prompted me to sign up for Amazon Photos. But, I already had that capability with Amazon Prime.

I went to my Echo Show 8 HD. It was showing the slideshow. Just for fun, I navigated to re-select the Amazon Photos album to use as a slideshow.

BINGO, I got a screen that prompted me to sign up for Amazon Photos in spite of the slideshow working just fine.

Ok, so I went an logged into the web interface of Amazon Photos. Every time I tried to access an album I got a message that there had been an error and I should try again later.

By then, I was really confused. My next 2 routes were to 1) factory reset my Echo Show 5 or 2) call Amazon for support. Neither seemed particularly likely to resolve the problem.

So I ignored it for a couple of days.

Then on 05/13/21 I got an e-mail from Amazon saying:

Putting that ANYWHERE earlier would have been very valuable to me.

Reload Windows on Your New PCs

Now, Dell is not my favorite PC vendor. It probably has something to do with the smoke that came out of my coworker's office as her new Dell laptop burned up.

But I'm not going to jump on Dell in this post. You can do whatever you want.

This post is about what you should do as soon as you buy a new PC.

But first, I will mention what cranked me up on this.

Since 2009, Dell has been distributing "nice" utilities on all of its PCs that updated their firmware. These packages were variously called Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, or Dell Platform Tags.

The problem is that these packages installed Dell's DBUtil.

In December 2020, SentinelOne notified Dell of five vulnerabilities in this utility.

DARKReading described it:

The bugs give adversaries a way to bypass security products, wipe a hard drive, or install a malicious driver on a domain controller. "The attacker is effectively the system administrator."

What I don't want to do is suggest that this is exclusive to Dell. Lenovo has had similar issues on its products.

So, what should you do?

Format and reload Windows on ANY PC you get before you do ANYTHING with it. Get the bits from Microsoft here. Don't worry. Windows Update will install all the drivers that you need. You'll save significant disk space and won't have any bloat-ware the vendor installed.

You can thank me later.