A Case of Mistaken Identity

It appears as though the carefully crafted hierarchy of trust that we’ve built in public key encryption is in danger of unraveling like a cheap suit.  Thanks to DigiNotar, the heretofor unknown registrar for the government of the Netherlands, we’ve got ourselves another fake certificate floating around out there.  This time, they generated a certificate for google.com (yes, the whole domain) back on July 19th.  According to DigiNotar, their certification authority (CA) infrastructure was breached and used to generate the false certificate.  Based on some defaced websites on DigiNotar’s site, there are strong rumors that a foreign government attempted to use the certificate as the catalyst in a man-in-the-middle (MITM) interception attack that would allow nefarious things like GMail to be snooped or search results to be cataloged.

Most security conscious users are already doing the smart thing.  They are removing DigiNotar from their trust lists even as Microsoft, Mozilla, and Google remove the rogue certificate.  I’m in the camp of completely removing DigiNotar from my list of trusted CAs.  I’ve also done the same with Comodo after their little issue with rogue certificate problems a few months ago.  To me, once a CA starts issuing false certificates, they have effectively erased any kind of trust they might have once built up.  Even worse, by admitting that it was a security breach and not an honest mistake on the part of a careless employee or an admin with a grudge they have moved from the realm of carelessness and into the ocean of stupidity.  If the CAs that sign our most trusted pieces of information that identify trustworthy organizations can be so easily compromised, how are we to trust the information we are presented?  Granted, this kind of MITM does require a chokepoint, such as a country with only one or two regulated Internet terminus points.  The risk of something similar happening in a country like the US or the UK is reduced due to our infrastructure, but it’s still something that could cause problems should a certificate like this be issued and then installed by a large ISP.

At Cisco Live, the 15,000 attendees hammered the Interop block providing Internet access to the point where the BGP peerings started freaking out.  Some of our traffic was getting rerouted to Japan.  A few noticed the strange google.co.jp pages popping up but thought nothing of them.  That same mentality causes people to click through certificates without much thought to where they were issued from or whether or not they should be trusted.  Now, compound that with a trusted provider not causing a certificate warning and you’ve got a recipe for disaster.

I think we need to take a hard look at all of these trusted CAs that are issuing certificates like I hand out candy at Halloween.  Someone needs to provide real oversight and not just allow anyone to start signing identities.  If you get caught issuing bad certificates, you should be shut down until you can prove you have implemented strict security measures somewhere other than on paper.  If not, you get shut down and all your certificates get invalidated permanently.  It would suck mightily, especially for a CA that signs government certificates.  However, faced with the alternative, I think a little bit of trouble in rooting out the bad CAs is worth not having to face what could happen.

Tom’s Take

If you haven’t already, rip DigiNotar out of your trusted certificate list.  Just search for your particular OS and there are lots of instructions.  Update your browser, as all the major players have already removed the rogue certificate.  Show DigiNotar that the price of being compromised is high.  Maybe a few people protesting like this is equal to a bucket of water missing from the Pacific Ocean, but the more people that remove that trusted certificate, the bigger the message that can be sent to all these “trusted” companies that they had better keep the keys to their kingdom safe and sound.  The alternative is a situation that doesn’t sit well with me at all.

Sight Beyond Sight – 4 Months of LASIK

I had my last major checkup after my LASIK procedure (detailed here) this week.  For the past four months, I’ve been enjoying the benefits of having amazing vision without the need to wear contact lenses or glasses.  I now have 20/16 vision in my left and right eyes, and when I use both eyes I have 20/12 vision.  Since the majority of the healing process has now occurred, I’m fairly certain this this will be my stable vision for a good long while.

Continuing on from my previous post, I can honestly say that the experience was the best thing I’ve ever done.  My worries about night halos were pretty much over-hyped.  I’d heard from many people that bright lights at night had a kind of halo effect that caused driving to be difficult with all the headlights.  I found that while there was indeed a halo around things like street lights or car headlights, it wasn’t nearly as pronounced as I had been led to believe and was quite tolerable.  Now, four months later, even those small halos are practically non-existent.  This is pretty much what I expected, since the halos are usually just artifacts of the incisions made during the procedure and as the eyes heal the halos vanish.

The other side effect that I have is increased light sensitivity.  Imagine walking outside on a day where the sun is shining so brightly that it hurts your eyes to have them open more than just a small amount.  That’s what going outside on bright days feels like to me.  When a flashbulb or bright light gets shined in my eyes, the after effects seem to last a bit longer than they did before.  It’s not that it’s any different that what a normal person might feel in those situations, it’s just a little more pronounced.  I’ve managed to fix the sunlight issue by investing in a nice pair of polarized sunglasses.  Before, I wore sunglasses only to drive.  Now I feel like I need to wear them most of the time when I’m outside in the sunlight.  As for flashbulbs, I think that’s only going to be a real problem when I become a celebrity blogger and TMZ starts following me around with cameras.

Tom’s Take

The big question is: Would you do it again?  Yes, yes, a thousand times yes.  I recommend that anyone capable of getting the procedure done should investigate it.  My wife is going to get it done before the year is out.  My friends are all asking about it and I recommend it without reservation.  Unless you have a medical reason to avoid it, or you just like the look of “brainy specs”, the benefits of no longer needing glasses or contacts far outweighs anything that you could consider a downside.

I don’t rub my eyes nearly as much as I used to.  Before, when I felt my eyes start watering, I had to grab a napkin and blot them, lest my contact pop out or become dislodged.  Now, I just let my eyes water and I find that they aren’t nearly as irritated as they once were.  That might also be due to the notion that I no longer have a hunk of plastic sitting on top of them.  The highest praise that I can give to my LASIK procedure is that I sometimes forget that I had it done.  I just feels natural to me now to not have to worry about changing contacts or tracking down glasses.  If you are thinking about it, don’t hesitate to go out and get more information.  Ask your eye doctor about their opinion of your local options.  And don’t hesitate to get a second opinion.  Your sight will thank you.

One More Thing…Now What?

Unless you’ve been living under a rock for the last 13 hours or so, you’ve probably heard that Steve Jobs has stepped down as CEO of Apple.  He has asked to move to the position of Chairman of the Board, and he’s requested that current Chief Operating Officer Tim Cook step into the CEO seat.  This isn’t much of a change, as Cook has been acting in the role since January of this year, when Jobs stepped aside due to medical reasons related to his battle with pancreatic cancer.  One can only assume that if he is resigning today and completely stepping back that this medical battle isn’t going as well as he might have hoped and that he will need to devote time and energy to his healing process that would otherwise be distracted running the largest company of all time.

This announcement happened when it did for a good reason.  Apple is rumored to be on the verge of announcing the iPhone 5.  In fact, I expect to see the confirmation of an event happening in mid-September sometime late next week, after news of Steve’s resignation calms down.  Had Jobs waited to announce his resignation between the pre-event release and the actual event, it would have overshadowed the launch of what will likely become the most successful phone in the history of the company.  People are salivating over the prospect of a new iPhone, and the fact that it wasn’t announced at WWDC this year is whipping the fanboys into a frenzy.  Stepping down now allows all the retrospectives and analysis to happen ahead of the new product launch, while not casting an iCloud on it (see what I did there?).

Tim Cook will be scrutinized at this event like no time in his past.  Sure, he’s launched products before in place of Captain Turtleneck, but this time he isn’t just a temp filling in for the man.  Now, he *IS* the man and the leader of the Cult of Steve.  If he comes across as confident and reassured, people will be happy and content.  If he feels nervous or ill-suited for his role at the head of Apple, both he and the stock price won’t last long.  Much has been written about what will happen to Apple after Steve’s departure, due to the effect his strong personality has on the direction of Apple’s business.  Much like Oracle and Larry Ellison, Steve Jobs drives his company through force of will.  His aesthetic ideas become design mantras.  If he thinks something needs to be jettisoned for the greater good, out it goes.  Cook may not be the man to do all that.  He may just be a steward that shepherds the last of Steve’s designs out the door before taking a bow himself.  I’ve always said that in football, you never want to be the coach that follows a legend.  Here, I’m thinking that Tim Cook may not want to be the CEO that follows an even bigger legend.

I think the Jobs Design Philosophy is still ingrained enough at Apple that the next generation or two of products will still be wild sellers.  The iPhone 5, iPad3, and rumored redesigns of 15″ MacBook Airs and the like will still bear enough of the imprint of the former CEO to keep the company riding high for some time to come.  Much like a football coach that takes over for a legend that has recruited the best players and goes on to win a championship with that talent, the hangover effect of Jobs will last for a while.  The worrisome thing is what happens after Generation+2.  Will the design wizards be able to continue the success?  Will the company have enough fortitude to make crazy decisions now to pay off later, like that whole silly notion of a tablet device.  Taking risks got Apple where it is today, but only because Steve Jobs was a risk-taker.  If that mentality hasn’t been cultivated among those left in the company, we could find ourselves quickly repeating history when it comes to Apple and their slice of the market.

Tom’s Take

I’m sorry to see Steve Jobs go.  Yes, I’ve poked fun at Macs before, but truthfully I’m starting to come around a little.  I think now the important thing is for Jobs to take all the time he needs to stay healthy and impart some wisdom from time to time at Apple.  I think that Tim Cook will do a wonderful job keeping things afloat for the time being, but he needs to be very careful in continuing the innovation and risk taking that has made Apple a serious contender in the personal computer market.  If Apple become complacent, there’s a long spiral to fall down before hitting bottom again.  Only this time, the man with the turtleneck isn’t going to be waiting to swoop in out of the cold and pick them back up again.  Who knows?  Maybe Woz is just biding his time to make a triumphant return…

Touch-and-Go Pad

By now, you’ve probably heard that HP has decided to axe the TouchPad tablet and mull the future of WebOS as a licensed operating system.  You’ve probably also seen the fire sale that retailers have put on to rid themselves of their mountains of overstocked TouchPads.  I’ve been watching with great interest to see where this leads.

WebOS isn’t bad by any stretch of the imagination.  I’ve used a TouchPad briefly and I was fairly impressed.  The basics for a great OS are all there, and the metaphors for things like killing running applications made a little more sense to me than they did in iOS, which is by and large the predominant table OS today (and the most often copied for that matter).  I wasn’t all that thrilled about the hardware, though.  It felt a bit like one of my daughter’s Fisher Price toys.  Plastic, somewhat chunky, and a fingerprint magnet.  WebOS felt okay on the hardware, and from what I’ve heard it positively screams on some newer hardware comparable to that found in the iPad or the Galaxy Tab 10.1.

I think WebOS as an alternative to Android will be very helpful in the long run of recovering HP’s investment.  Google’s recent acquisition of Motorola is probably making companies like HTC and Samsung a little wary, despite what the press releases might say.  Samsung has done a lot with Android in the tablet space, presenting a viable alternative to Apple, or at least as viable as you can get going against that 800-pound gorilla.  They’ll be on the good side of Google for a while to come.  HTC sells a lot on handsets and has already shown that they’re willing to go with the horse that gives them the best chance in the race.  Whether that is Windows Mobile, Android, or someone else depends on which way the wind is blowing on that particular day.  If HP can position WebOS attractively to HTC and get them to start loading it on one or two phone models, it might help give HTC some leverage in their negotiations with other vendors.  Plus, HP can show that the TouchPad was a fluke from the sales perspective and get some nice numbers behind device adoption.  I’m sure that was part of the idea behind the announcement that HP would start preloading WebOS on its PCs and printers (which is probably not going to happen now that HP is shopping their PC business to potential buyers).  More numbers mean better terms for licensing contracts and better fluff to put into marketing releases.

As for the TouchPad itself, I think it’s going to have a life beyond HP.  Due to the large number of them that have been snapped up by savvy buyers, there is a whole ecosystem out there just waiting to be tapped.  There’s already a port of Ubuntu.  XDA has a bounty of $500 for the first Android port to run on it.  With so many devices floating around out there and little to no support from the original manufacturer, firmware hackers are going to have a field day creating new OS loads and shoehorning them into the TouchPad.  I don’t think it’s ever going to be enough to unseat the current table champ, but you have to admit that if the TouchPad was even close to being a competitor to the iPad, the fact that it now costs 1/5th of Fruit Company Tablet is a very enticing offer.  I doubt my mom or my grandmother is going to run out and snap one up, but someone like me that has no qualms about loading unsupported software might decide to take a chance on it.  If nothing else, it might just make a good picture frame.

Tom’s Take

Products have a lifecycle.  That’s why we aren’t still buying last year’s widgets.  Technology especially seems to have a much shorter lifecycle than anything else, with the possible exception of milk.  HP bet big on the TouchPad, but like most of today’s new television shows, when it wasn’t a hit out of the gate it got cancelled in favor of something else.  Maybe the combination of WebOS on this particular hardware wasn’t the optimal device.  We might see WebOS on printers and pop machines in the next 5 years, who knows?  The hardware from the TouchPad itself is going to live on in the hands of people that like building things from nothing keeping dead products breathing for just a little longer.  I’d love to see what a TouchPad running Backtrack 5 would be like.  With all those shiny new clearanced TouchPads floating around out there, I doubt I’m going to have to wait very long.

Missing CUCM Configuration Files

Oy.  There’s always one trouble ticket that gives you difficulty and makes you want to throw things around the room.  When you solve it, you yell and dance down the hallway proclaiming how smart you are to have gotten it fixed.  Folks, let me introduce you to that issue.

A Cisco Unified Communications Manager Business Edition (CUCMBE) server started exhibiting strange behavior.  No phones registered and no web GUI.  Not the first time that this has happened, so I’ll just log in via SSH and reboot the server.  When it came back up, nothing.  Same thing.  When I poke around in the CLI, I find out the SSH services are started, but that’s about it.  When I try to start the Tomcat service, which is required for the web GUI, I get an error about the Service Manager not being started.  No problem, I’ll just start that one:

admin:utils service start Service Manager
Aborting servM startup due to invalid configuration files

Oh crap.

Uh, restore from backup?  Hah!  No backup here.  Boot off the recovery CD and check the disk with FSCK (which looks a lot like a curse word I was uttering at this point)?  Fixed a couple of file issues, but still no dice on the services.  No backup partition, as this server had never been upgraded.

Just great.  What now?

Well, if you’re impatient like me when you’re waiting on support engineers to get back with you and you know you’re probably going to have to reload anyway, you can try some crazy things on the off chance they might work.  I mean, what’s the worst that can happen, right?

WARNING!!!!!

The things I’m about to discuss are totally unsupported by Cisco.  I also am not going to support them.  It worked for me this time, but it could have very easily screwed things up.  Don’t come to me and tell me you did this and now you need to reformat and you want me to help you.

Okay, that being said, there are a multitude of ways to gain root access to your CUCM server.  Again, none of them are supported, so don’t do them if you are the least bit squeemish.  The first thing you should read is the great guide at blindhog.net about gaining root access on CUCM 5.x/6.x.  It’s a very handy way to show you that the underlying system in CUCM is actually RedHat Enterprise Linux.  Since I didn’t have a Linux boot disk handy, I instead stumbled across this post which talks about jailbreaking CUCM.  I didn’t have to go all the way through it, but it is a fascinating read nonetheless.

1.  Download PuTTY, PuTTYgen, and PSFTP from HERE.  The instructions at the above link use these files and you should too.

2.  Log into CUCM CLI via SSH as the administrator user.

3.  Type in “file dump sftpdetails ../.ssh/id_dsa” at the CLI.  You’re going to get a dump of the SSH private key for the sftpuser account.  Copy this information to a text file and save it somewhere on your system.

4.  You need to convert this SSH private key from OpenSSH to PuTTY’s SSH format using PuTTYgen.  Import the Private Key file and save it somewhere like c:\temp.  Be sure to save it with the .ppk extension.

5.  Launch PSFTP with this command string:

psftp -2 -i c:\TEMP\id.ppk sftpuser@cucm.example.com

The file location should be where you saved the private key and the user@server should reflect your server’s IP or hostname.  Be sure to type in sftpuser@<your server address here>.

6.  If you’ve logged into the server before and saved the RSA fingerprint, you may get a warning here about the key your using.  Just say “yes” and keep going.

7.  Voila!  You’ve logged into the system as the sftpuser account and you can now download files from the Linux file system or copy files to it.  In the above link, this is where you would jailbreak the system.  For my particular example, we won’t have to go quite that far.

8.  In my troubleshooting case, I changed directories to “/usr/local/platform/conf/” which is where the configuration files live.  I noticed that “server.conf” was missing, but there was a “server.conf.bak” in the same directory.  I typed in “mv server.conf.bak server.conf” since I couldn’t copy the file.  Then I tried to start the Service Manager service again from a SSH CLI session.

SUCCESS!!!

Tom’s Take

I do stupid things all the time.  Like voiding warranties, which is what my little procedure above will do to your CUCM system if you try it.  I was desperate and impatient and it paid off for me this time.  I also have experience on the Linux CLI so I’m not afraid to do things there, even knowing that the outcome for a little slipup could crater my system.  Don’t do what I do unless you know what you’re doing or you aren’t afraid to reload.

That being said, a little Internet searching followed by some practical application can save your bacon in a time of emergency.  Just remember that the Disaster Recovery Tool (DiRT) is there for a reason. Use it wisely and use it often and you shouldn’t find yourself needing to jailbreak your CUCM server anytime soon.

The Ultimate Cisco Live Attendee

The results are in, and the Ultimate Cisco Live Attendee…isn’t me.  Bummer.  Congrats to Carole Warner Reece from Chesapeake NetCraftsmen for taking home the gold!

In all honesty, I never really figured I was going to win anyway.  There are people that have been going to Cisco Live since it began.  People that are way more involved in tons of aspects that I’ve never even seen.  And yet, I was named a semi-finalist along with my good friend Jeff Fry.  Jeff was a no-brainer because he did some great PR work with Cisco Live leading up to the event.  He was even a recommended read for all the first-time attendees this year.  You can’t knock the guy for being that popular.

I probably wouldn’t have entered the contest if it hadn’t been for the awesome time I had hanging out with all my friends.  Yes, crazy things happened.  Yes, I brought some of them on myself.  However, it all added up to make a great event and give me lots of interesting fodder for my submission video.  All of those things happened to me this year.  Except for my wife threatening to leave due to my overwhelming desire to collect t-shirts (that happens every year).

Here’s my submission video in all its glory direct from Cisco’s Youtube account.  For the record, I did record it on my Cius.

SIP Trunking – Review

When I first got started working with Voice-over-IP (VoIP), I was excited about all the possibilities of making calls over the Internet and moving away from my old reliance on Ma Bell.  However, the reality of my continued dependence on the good old phone company is an ever-present reminder that sometimes technology needs to mature a little before I can make bigger leaps.  That’s why the idea behind SIP trunking has me excited.  It brings back a little bit of that hopeful magic from my early days of VoIP possibilities.  Thanks to Christina Hattingh, Darryl Sladden, and ATM Zakaria Swapan and the good folks over at Cisco Press, I got my feet wet with SIP Trunking:

This is the “pound cake” of Cisco Press books.  It’s only about 300 pages and a bit on the thin size, but it’s a very dense read.  Part 1 covers the differences between traditional Time-Division Multiplexing (TDM) trunking and SIP trunking.  There is discussion of the cost and benefit of moving to a hybrid model or even to a pure SIP environment.  This is a good part to focus on if you aren’t familiar with SIP trunking in general or you are trying to convince your decision makers to give it a try.

Part 2 is all about planning.  One hundred plus pages of modeling and design and checklists.  An engineer’s dream.  You are going to spend a lot of time in here dissecting the cutover strategies and the list of questions that you need to ask your provider before delving into the SIP-infested waters.  In fact, I would recommend this book for Chapter 9 alone, the checklist chapter.  It goes into great detail about all the questions you need to ask your provider, along with a description of each question and why the answer would be so important to you.

Part 3 is the deployment guide.  No Cisco Press book is complete without some code examples, and Chapter 10 has them in spades.  One thing I did like about their examples of AT&T and Verizon configuration is that they are appropriately annotated with notes to be sure you understand why a particular setting was configured.  I want to see more of this in the networking-focused Cisco Press books, not just the planning ones.  There are also case studies to help you make decisions and a chapter on the future of Unified Communications.  This one’s kind of dubious, though, as most of the time the predictions either end up looking hilariously obvious in hindsight or wide of the mark.  You can’t fault the authors for wanting to put a little bit of vision in at the end of this read, though.

Tom’s Take

If you want to learn a little more about SIP trunking or you are planning to put one in in the next 6-8 months, grab a copy of this book.  Have a cup of coffee before you jump into it, as the material could be a little dry if you aren’t focused on the task at hand.  Make sure to dog-ear the first page of Chapter 9, as you’ll find yourself coming back here more and more as you start implementing your SIP trunk.

Disclaimer

This book was provided to me as a perk at Cisco Live for being a NetVet.  I chose this book from a list of the available titles and it was provided to me at no charge above the cost of the conference.  Cisco Press did not ask for nor did I promise any kind of consideration in the above review.  The thoughts and opinions expressed above represent my true and honest opinion of the material.