After the recent Pwn2Own contest, Microsoft product manager Peter LePage spoke out about the two “features” that were completely sidestepped to hack a Windows 7 system. He stated:

Just days after a pair of researchers outwitted major Windows 7 defenses to exploit Internet Explorer (IE) and Firefox, Microsoft said the measures AREN’T MEANT to “prevent every attack forever.”

Pete LePage, a product manager with IE’s developer division, stood up for DEP (data execution) and ASLR (address space layout randomization), the security features that two hackers sidestepped to win $10,000 each at the high-profile Pwn2Own hacking contest last Wednesday.

via Microsoft defends Windows 7 security after Pwn2Own hacks.

I find these comments from Mr. LePage a bit misguided, and very suspect. How can a security “feature” be sidestepped so easily? Two minutes? I can’t wait until we get the details of the attack/exploit so that we can really see how this was done.


Cisco wireless LAN vulnerability could open ‘back door’ – Network World.

Ok, really? Come on, you must be bluffing. People ask me all the time why I don’t pursue a Cisco certification path in my career. Here is why. This is the company that has foisted such slogans as:

  • “Changing the way we work, live, play, and learn.” (1996)
  • “The Worldwide Leader in Networking for the Internet”(1997-2002)
  • “Empowering the Internet generation.” (1998-2002)
  • “The fastest way to increase your Internet Quotient.” (1999-2001)
  • “This is the Power of the Network. now.” (2003)
  • “Discover a new world of Productivity.” (2003)
  • “The Network Works. No Excuses.” (????)
  • “Data Center 3.0” (????)
  • “Welcome to the Human Network” (????)
  • “The Network is the Platform” (????)
  • “The Self-Healing Network” (????)

I mean really. John Chambers should be PISSED. This is the kind of engineering I expect from a “has-been” company, or a really STUPID startup. However, had Cisco embraced the “hacker community” instead of shunning it, perhaps Cisco’s technical expertise and prowess would still be employed at Cisco, instead of at Juniper Networks, Check Point, Microsoft, and others.

I’ve been saying this for years, but perhaps now is the clearest time for someone at Cisco to listen. Get back to your core competency: routing. Everything else you try to do is a distraction. Come on, do you really think that I’m going to build a data center with Cisco blade servers? (Who? Cisco? Servers? What?) Pluuuheeese. Stop trying to do everything, and do ONE THING RIGHT.

I refuse to believe that Cisco didn’t know about the above vulnerability when they purchased the product (we all know that Cisco doesn’t invent stuff anymore, unless it’s trying to patent someone else’s fix for a broken protocol). Really, I’m sure that a cost-benefit analysis was done on the vulnerability, and it wasn’t “important” enough to fix at the time that they purchased, re-badged, and shipped out the “new” lightweight access points.

Any idiot with half a brain who has spent more than 30 minutes working on wireless networks knows that you don’t send anything in the clear that you don’t want subverted. So really, Cisco, how did this happen?

How about you reach out to the information security industry (the same one that you claim to belong to) and ask for help? There are many researchers who would be willing to help you, as long as you’ll sign a waiver never to sue…

Finally, I’m happy to be working on my Juniper certifications. They aren’t perfect either, but at least they don’t sue researchers to stop them releasing vulnerabilities that they refuse to fix. Oh, and they have a much faster platform.

That’s my 2¢, YMMV.

(Note, the comments above represent my personal opinion, and in no way are related to any positions I may have held in the past, present or with future companies. These opinions are mine, and mine alone, and are not representative of any company, service, system, software, hardware, automobile, table, chair, any person (dead or alive), or anything. If you want to try to sue someone, please sue yourself.)


Of all the crazy things…

April 8th, 2009

Ok, this one is a winner… bear with it, it’s pretty long. But, let me set the stage first…

- A friend of mine owns a company reselling HP products
- I do his IT support after hours
- HP sent him (unsolicited) an HP Mini-Note 2133 with SUSE Linux Enterprise Desktop 10, for surpassing a sales target

Ok… now given that, he asked me to set it up, so that when he’s out traveling next week he can show off HP’s nice little netbook. Sounds great so far…

So, I set up the netbook, create his user account on the box, set up Evolution, and prepare to perform system updates, to ensure I have the best security posture on the system for his upcoming travel.

Here’s where it gets interesting. While adding the Novell repositories to the update manager, I was presented with a screen requesting my HP Software Key. So, I dig through the product box, all the CDs, and all over the system (external and internal). So, I go for the call to HP.

Well… the first three calls I make get me to the wrong queue, every time, even though I tell the system that I’m calling for technical support on an HP Mini-Note 2133 netbook. I first end up in the Commercial Laptop queue; they transfer me to a different group, where I receive a “Please enter the extension you’re trying to dial” message, and I hold for 3 minutes, only to have an agent ask me what I’m holding for. He tells me that I’m in the wrong queue, and transfers me back to the Laptop queue (that’s 30 mins). I explain my situation to the Laptop queue again, and they transfer me to the “mini notebook” group. After holding for 18 mins, I get someone in the Netbook group!!! Woohoo…

Only to be told that I’m in the WINDOWS netbook queue, and have to be transferred again. So, I hold for another 15 mins, and actually get to the Linux, 2133, HP Mini-Note queue.

Ok. So, I go through the 9 rings of hell, and I get to the right queue. I’m expecting some solution to the issue. After all, I’ve got the serial number of the unit, explained that the company is a reseller, and how the unit was received. It’s just a matter of someone telling me the associated software license key.

Nope. That’s not going to happen. You see, I’m told, by not one but THREE different HP Support people, that I need to have a Software Subscription or “HP Carepaq” for the unit. Ok, so I ask them for the part number, so it can be added to the unit.

I’m told that if the Carepaq isn’t ordered with the unit, you (get this!) CANNOT purchase one for the unit after the fact.

I’m stunned. So, I repeat back to the people who have told me this, “If I understand you correctly, you’re telling me that I cannot purchase a software support contract with HP for the Novell SLED 10 software that shipped on a Netbook that was ‘gifted’ to my reseller friend?”

They all validated that you CANNOT purchase this after the fact… only with the original order.

Now, as someone with a “little” bit of sales experience: if this is true, then HP is going to tank like GM. I was ready to purchase the software support/Carepaq, and frantically tried to find out what is necessary so that an HP reseller could show off their product.

I felt like I was standing in the middle of a store, with a wad of $100 bills, waving wildly over my head, screaming for someone to help me… and getting NO response. Hello HP? Can this even be true? Does anyone know if I can get the upgrades for SLED 10/SLED 11 on the HP Mini-Note 2133 with 4 GB SSD? Is it true I can’t PURCHASE a software upgrade license?

So, I gave the netbook to my friend, set up for his out-of-town trip, and informed him that if we cannot get the software upgrade/license from HP, I’ll simply wipe it and load EasyPeasy. After all, I KNOW that will update without any issues.

Oh, and on the bottom of the unit, by its serial number, there’s a label that states “1 year warranty”, and during one of my discussions with strangers in a foreign land, I was told that the warranty expires this July. The unit was received only 3 weeks ago. I guess the 2133s aren’t selling that well, as this one’s been on a bench somewhere for three quarters of a year.

If anyone can help, please let me know… if not, I’ll keep you posted on the installation of Ubuntu.

(Oh, and now I REALLY love my Asus Eee PC.)


© 2008-2010 dc0de’s notes... & dc0de.com All Rights Reserved