The First 90 Days of an Operating System

People who know me know that I often complain about Microsoft systems because of the constant vulnerabilities they seem to have. "patch Tuesday" is always an interesting time for me, as it typically provides a lot of work. But I read a recent article that outlined the vulnerabilities that occurred within the first 90 days of the life of various operating systems. It was funny to see that of all the operating systems discussed in the article that Red Hat Enterprise Linux 4 Workstation Reduced actually led the way with the most vulnerabilities in the first 90 days. Also mentioned were Ubuntu Linux, Novell SLED 10, and MAC OSX 10.4, all of which had more vulnerabilities than both Windows XP and Windows Vista combined.

It appears that 1) Windows Vista has made great strides in plugging security weaknesses, and that 2) The Linux folks need to reassess their stance on just how much more secure Linux is than Windows. A thought from someone who tests and deploys patches on Windows systems from month to month: I still see a lot of work to be done, but this article really makes us security professionals step back and realize that security vigilance is important, no matter what OS you are working with.

I guess what I am trying to say here is that there is a lot of stereotypical information about where the problems are. As I mentioned in a previous article: Microsoft is really not the problem. The problem is in that people get so wrapped around the axle on making assumptions about that which they are familiar with. For example, the Linux people will swear that Linux is flawless, and the Novell people will feel likewise. Much vigilance gets lost regarding educating users, and just keeping up on the day to day maintenance of the systems you do have. Educate your users, keep your systems patched, and at the end of the day, you Windows users will have an environment that is every bit as safe as that which the Linux folks claim to enjoy.

Article Link: http://www.csoonline.com/pdf/Vista_Vuln_Report.pdf

Daylight Saving Time 2007 - What Does it Mean to the IT Community?

Watch the news in the coming weeks - you are likely to see at least a few articles and reports of expressed concern over the new daylight saving time date change which takes place in 2007. In case you are not aware, daylight saving time (DST) has changed to March 11 this year instead of the first weekend in April as has been previously observed. This change was caused by the enactment of the Energy Policy Act of 2005, which President George W. Bush signed on August 8, 2005.

Initially, my inclination is to think that it is no big deal; I’ll just have to set my clock ahead a few weeks earlier is all. You would think that an event like this would simply come and go, we would set our clocks, VCRs, and computers, then life would be good. But when you think about it, you realize that with our current level of technology dependence, we rely on computers and cell phones for everything these days. Meeting schedules in our computer calendar programs, certain database events, when an online bill payment transaction is posted, even what time we can call on our cell phones to get the off-peak calling cost breaks, are all tied very closely to the time on our automated systems. Computer, network, and other system time accuracies are more critical than you might think.

There is a considerable amount of buzz about the DST issue in the patch management discussion groups on the Internet right now, so this must be a somewhat serious issue for the IT community. Today, for example, I think I received on the order of 50 or so emails on the DST patch (for computers) issue alone. Believe it or not, your computer is not the only thing that will be affected by the change. It is possible that network devices (such as routers and phone system components), PDA's, cell phones, and the like will also be affected. Some are equating this to a Y2K kind of event - on a much, much smaller scale, of course, but significant nonetheless. One article I read from Gartner suggested that companies form project teams to deal with this, and even have people on call and present to watch time changes to make sure the event goes smoothly, and that all systems are operating normally.

Although it will indeed be on a much smaller scale, here are some possible consequences of the DST change that people in the IT world (and consumers as well) are concerned about:

• Bank transaction times - people worried about payments not being credited properly.
• Cell phone time syncs - people being charged for peak minute usage when they are really in a non-peak time (i.e. after 9:00pm).
• People in organizations where their computer and/or Internet access has access time restrictions, may not be able to log in and do their work - could that be someone you have to do business with?
• eBay and other online auction ending times being affected.
• Missed deadlines for time sensitive things - those folks who like to submit things online at the last minute might end up an hour late?
• Incorrect departure and arrival times for airlines or other transportation.
• There is not a patch for Windows 2000 and Windows NT servers – if you are still on these platforms, the patching process is going to be manual.
• Networking equipment (certain routers) may experience issues when the new DST time change occurs, and again when the previously recognized DST date occurs.
  Applications that rely on Java Runtime Environment rules for time will report time incorrectly from March 11 – April 2 2007, and from October 29 – November 4, 2007.
• Java Applications return incorrect time after using Microsoft timezone.exe tool to update Windows (IBM Article: http://www-1.ibm.com/support/docview.wss?rs=3068&context=SSNVBF&uid=swg21250503)
• Known DST bug in Palm Treo 700w devices: http://mytreo.net/archives/2006/04/treo-700w-daylight-savings-time-change-bug.html
  

There are a lot more possible outcomes being discussed. No need to freak out though – I just wanted you to be aware that if things seem a little strange when trying to conduct business on March 12 - now you know what might be causing problems.Kind of scary in a funny sort of way (or is that funny in a scary sort of way), but one of the network administrators in the patch management group I participate in had the following to say:

-----------------------------------------------------------------------

Just had a conversation with Verizon Wireless about DST and the Treos weare using. Very funny if a little scary.

According to the Tech I spoke with and the email I got all the Treo users need to do is turn off their Treo and turn it back on after the time change.

However they both said something to the affect of "You don't need to worry about that until April" (emphasis mine)

Apparently Verizon has not yet heard of the new DST changes.

---------------------------------------------------------------------

The patch to change your computer is available now on Windows Updates, but it is an optional software patch, so you won't get it automatically (yet). You have to visit the Windows Update site, select “Custom” instead of ”Express,” and select the Optional, Software series of patches. Be sure to install any Active-X controls when prompted to do so.

(click image to see full size view)

Next, look for the KB928388 patch as shown in the image below.

(click image to see full size view)

As of this writing, I am waiting to find out if Microsoft will make this Windows patch a critical update. Keep in mind, however, that if you are running systems with Windows 2000 or prior, a patch will not be available at all – you have to manually make the change in the registry settings and elsewhere that define when DST is changed on the computers. Either that or turn off DST altogether on those systems, and make the time change manually twice a year. If they do indeed move this up to critical, then those of you who have Windows Updates set to automatic download/automatic install will get it - well - automatically. They better do it soon, though - there is only one more "Patch Tuesday" (February 13, 2007 before the DST change in March. The March “Patch Tuesday” occurs the week following the Sunday that DST changes.

All in all, it is important not to panic. Watch the news, get the patch, and pay close attention to things that you do that require time synchronization to take place. Visit your cell phone company’s web site to find out what implications the DST event will cause for you.

Some sources you might find interesting:

• About.Com Article: http://geography.about.com/cs/daylightsavings/a/dst.htm
• CNet Article: http://news.com.com/Daylight+saving+change+could+confuse+gadgets/2100-1041_3-5823792.html
• EdgeBlog Article: http://www.edgeblog.net/2007/daylight-saving-time-the-year-2007-problem/
• Microsoft: http://support.microsoft.com/kb/914387

Addendums:

This article will change as new updated information is received. Check back often.

Windows to Release New Operating System - Are You Ready?

In the very near future, Microsoft will release their newest version of the Windows Operating System. The release of Windows Vista is due to reach the public around January of 2007. Of course, those of you who know me know that I can't look at anything new in the computer world without scrutinizing its security, support, and maintainability aspects. So, I wanted to take this opportunity to show you what Vista looks like, but also give you an idea of some of the enhanced security and maintenance features as well. This newest release of Windows represents the most radical change in the look and feel of Windows since the jump from Windows 3.x to Windows 95 over eleven years ago. From a security and stability aspect, this new version promises to be more robust. And for those of you who only care about the "eye candy" features and have grown bored with the way Windows XP looks, you too will have some new vivid graphics and gadgets (literally) to keep you happy.

A Word About Hardware:

If you truly want to take advantage of Windows Vista's new graphics and user interface features, you are going to need a fairly hefty computer. If you are buying a new computer, look for the "Windows Vista Capable" logo on the front. You are going to need a fast CPU (dual core would be nice), lots of RAM (1 GB minimum), and lots of video RAM (128 MB minimum). These minimums are mine, not necessarily Microsoft's, by the way. The computer will run fine with Vista on a typical machine these days (3GHz CPU, 512 MB Ram, etc), but many of the graphics features will not work. The user interface (UI) in Vista is code named "Aero," and if you have the more robust system, you can take advantage of a host of new features commonly referred to as "Aero Glass" features. The interesting thing here is that Vista will tailor its performance and feature sets to the hardware it detects in your computer. Better have a DVD drive. So far, I have only seen the ability to obtain installation media on DVD - it is a fairly huge package. I am not certain at this time if Microsoft plans on releasing the installation media on CD as well as DVD. DVD drives are cheap - you will need one anyway.

For my tests and the screen shots you will see in the full article, I am running Windows Vista Ultimate Release Candidate 1 (RC1) on a 2.93 GHz Intel CPU, 1GB of RAM, and an NVIDIA GeForce FX 5500 video card with 256 MB of video memory. The final release version may have slightly different features and screen appearances than those seen below. RC1 is drastically more stable than Beta 2 was, and has a slightly different look and feel than Beta 2. If this is any indication, then there will be some slight enhancements and bug fixes in the final release versions.

The Vista Upgrade Path:

Vista will be available in several different versions (six versions to be exact) for home and for business. There will be a version that has more multimedia features, and versions that have more business and networking features. Windows Vista Ultimate (the version I will show you here) will have it all. If you are running an older version of Windows, you are out of luck - there will not be an upgrade path for you - you will have to install from scratch. If you are still running one of these older operating systems, you probably need a new computer anyway. You will need to be running Windows XP Home or Professional to be able to perform a direct upgrade, all others will require a clean install. Note: If you are already running Vista Beta 2 or RC1, you may have to do a clean install. In my testing, I was not able to upgrade from Beta 2 to RC1 without failure. Clean installs will always give a better, more stable installation anyway.

You may want to wait a bit before rushing right out and buying/installing the upgrade, however. Make sure all of your applications will work properly with Vista. Your antivirus software may or may not work with Vista. Remember - Vista is a drastically different operating system - so viruses that affect previous versions of Windows do not affect Vista. For that very reason, many antivirus applications would not even install on my test box because they would not run on Vista. One great feature is that your Windows Security Center will tell you if you are missing an antivirus application, and will give you a web link to antivirus applications. In my tests, I found a great deal of difficulty just finding an antivirus program that would install - but as I mentioned above, Vista will take you to the site of a compatible application.

If you use other types of maintenance programs, such as Diskkeeper for defragmenting your drives, those programs probably won't work either. This article from Microsoft will give you a pretty good step-by-step process and list of issues to consider when upgrading to Vista. According to one eWeek article, the best way to go is to not do an upgrade but back up all your stuff and do a clean installation. Application compatibility is a more complex issue with Vista, but Vista offers compatibility wizards to help you make an assessment.

A Final Word:

If you want to upgrade to Windows Vista, make sure you have a fairly powerful computer, and go out and do some research so that you know all of the requirements and pit falls. Once you are satisfied that you want to make the leap to the new O.S., go out and buy yourself a good video card and a wide-screen monitor. Vista takes good advantage of the new wide-screen monitor formats. Quite honestly, you will be fairly disappointed if you try to look at Vista on your old 15" CRT or even one of the smaller LCD monitors. I tried it initially on a 1024 x 768 resolution monitor, and was left wanting for more. You will needs lots of RAM and a hefty video card to be able to use all of the aero glass features. If you are buying a new computer anyway, research a 64-bit machine and make the leap to one of the Windows Vista 64-bit editions. As Vista is making its appearance, so are the powerful 64-bit machines. I think we will be finding that future applications will cater to the 64-bit systems and operating systems.

Read full article with more screenshots...