Showing posts with label windows. Show all posts

Friday, September 11, 2015

Getting OpenID Connect, Microsoft Accounts and Azure AD working with mod_auth_openidc

I've been very busy lately working on lots of very geeky things.  I've been doing quite a bit of work with Hans Zandbelt's Apache mod_auth_openidc, getting it to work with various and sundry OpenID Connect providers, or OPs.  In this post, I'll describe the steps I used to get the new preview version of Microsoft's consolidated OpenID Connect implementation working for single sign-on (SSO).

I won't go into how to configure OpenID Connect in detail; this post assumes you either have a basic mod_auth_openidc deployment or know how to set one up.

The first thing you need to do is to register your app at https://apps.dev.microsoft.com.

Use the "Application ID" for your client_id in the mod_auth_openidc configuration, then click on "Generate New Password" and save this off to use as your client_secret.

If you want the nitty gritty of Microsoft's implementation, have a look at: https://azure.microsoft.com/en-us/documentation/articles/active-directory-appmodel-v2-overview/

Everything should be configured per the normal mod_auth_openidc documentation.  I'm using the OIDCMetaDataDir directive so that I can specify multiple OpenID Connect providers, as described in the README file for mod_auth_openidc.

If you want to see the configuration directives that map to the Apache conf file, look in the auth_openidc.conf file in the source tree.

There are three files in a metadata setup for each OP: xxx.provider, xxx.conf and xxx.client.

The contents of the .provider file can be gleaned from the following URL:

https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

The Microsoft documentation is incorrect: it gives .well-known/configuration, which returns a 404 error.

Now here's where the secret sauce comes in.  Name your xxx.provider, .conf and .client files as follows, with the following contents:

login.microsoftonline.com%2F%7Btenantid%7D%2Fv2.0.client

{
        "client_id" : "app/client id from apps.dev.microsoft.com",
        "client_secret" : "generated password from apps.dev.microsoft.com"
}

login.microsoftonline.com%2F%7Btenantid%7D%2Fv2.0.conf

{
        "scope" : "openid",
        "response_type" : "id_token",
        "response_mode" : "form_post"
}

login.microsoftonline.com%2F%7Btenantid%7D%2Fv2.0.provider

Now restart your Apache server.  Load a protected URL on that server so that you get the discovery page that shows links to your configured OPs.  You should see one for login.microsoftonline.com%2F%7Btenantid%7D%2Fv2.0.

Click on the link from your discovery page and log in with a Microsoft Online account.

At this point your web server will throw an error.  If everything else is configured correctly, your Apache error log should show something like the following:

oidc_proto_validate_jwt: requested issuer (login.microsoftonline.com/{tenantid}/v2.0/) does not match received "iss" value in id_token (login.microsoftonline.com/xxxxyyyyzzzz/v2.0)

The problem is that {tenantid} is a placeholder and will not work for authentication. xxxxyyyyzzzz above should be your valid tenant id. This appears to be a bug or missing documentation on Microsoft's part.  To finish making this work, do the following:

  1. Edit login.microsoftonline.com%2F%7Btenantid%7D%2Fv2.0.provider and change login.microsoftonline.com/{tenantid}/v2.0/ to be login.microsoftonline.com/xxxxyyyyzzzz/v2.0
  2. Now change the names of your meta files to be:

    login.microsoftonline.com%2Fxxxxyyyyzzzz%2Fv2.0.client
    login.microsoftonline.com%2Fxxxxyyyyzzzz%2Fv2.0.conf
    login.microsoftonline.com%2Fxxxxyyyyzzzz%2Fv2.0.

Now the big caveat to all of this is that this is a preview version, and is not meant for production.  Microsoft may make changes to the above and break any implementation you might care to deploy, according to the Microsoft documentation.  That being said, the above seems to work great for logging in to your web app using Microsoft as an OP and mod_auth_openidc as the Relying Party (RP).
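The procedure above, as an added example that is not part of the post or of mod_auth_openidc: a helper that derives the percent-encoded metadata file names from an issuer, reproduces the issuer check behind the oidc_proto_validate_jwt error while {tenantid} is still a placeholder, and writes the three files once the real tenant id is in place. The discovery document is a constructed stand-in for the one at the .well-known URL, and the tenant id, client id and password are placeholders.

```python
"""Lay out OIDCMetaDataDir files for the Microsoft v2.0 OP and diagnose the
issuer mismatch described in the post. Added example, not project code."""
import json
import os
import tempfile
from urllib.parse import quote, urlparse

TENANT_PLACEHOLDER = "{tenantid}"

# Constructed stand-in for the document served at
# https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration.
# Only the fields needed here are included; the issuer keeps the trailing slash
# that the post's log line shows.
SAMPLE_DISCOVERY = {
    "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0/",
    "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
}


def strip_scheme(issuer: str) -> str:
    """Drop the scheme from an issuer URL; keep host, path and any trailing
    slash so that the differences in the post's log line stay visible."""
    parsed = urlparse(issuer)
    return parsed.netloc + parsed.path


def metadata_basename(issuer: str) -> str:
    """Base name of the metadata files for an issuer: scheme and trailing slash
    dropped, everything else percent-encoded, e.g.
    https://login.microsoftonline.com/{tenantid}/v2.0/ ->
    login.microsoftonline.com%2F%7Btenantid%7D%2Fv2.0"""
    return quote(strip_scheme(issuer).rstrip("/"), safe="")


def diagnose_issuer(configured_issuer: str, received_iss: str) -> list:
    """Compare the issuer from the .provider file with the "iss" claim of an
    id_token, the comparison behind the oidc_proto_validate_jwt error.
    Returns a list of problems; an empty list means the two match."""
    want = strip_scheme(configured_issuer)
    got = strip_scheme(received_iss)
    if want == got:
        return []
    problems = [f'requested issuer ({want}) does not match received "iss" value ({got})']
    if TENANT_PLACEHOLDER in want:
        problems.append(f"configured issuer still contains {TENANT_PLACEHOLDER}; "
                        "replace it with the tenant id seen in the received iss")
    if want.endswith("/") != got.endswith("/"):
        problems.append("trailing slash differs between configured issuer and received iss")
    return problems


def fix_tenant(discovery: dict, tenant_id: str) -> dict:
    """Apply the post's fix: put the real tenant id into the issuer and drop
    the trailing slash. Other fields are copied unchanged."""
    fixed = dict(discovery)
    fixed["issuer"] = discovery["issuer"].replace(TENANT_PLACEHOLDER, tenant_id).rstrip("/")
    return fixed


def write_metadata(metadata_dir: str, discovery: dict, client_id: str,
                   client_secret: str) -> list:
    """Write the .provider, .conf and .client files for one OP and return
    their paths. Refuses a provider whose issuer still carries the
    placeholder, since every id_token from it would fail the issuer check."""
    if TENANT_PLACEHOLDER in discovery["issuer"]:
        raise ValueError(f"issuer {discovery['issuer']} still contains {TENANT_PLACEHOLDER}")
    base = os.path.join(metadata_dir, metadata_basename(discovery["issuer"]))
    files = {
        base + ".provider": discovery,
        base + ".conf": {"scope": "openid", "response_type": "id_token",
                         "response_mode": "form_post"},
        base + ".client": {"client_id": client_id, "client_secret": client_secret},
    }
    os.makedirs(metadata_dir, exist_ok=True)
    for path, body in files.items():
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(body, fh, indent=2)
    # the .client file holds the secret: owner read/write only
    os.chmod(base + ".client", 0o600)
    return sorted(files)


def demo(tenant_id: str = "xxxxyyyyzzzz", metadata_dir: str = None) -> list:
    """Run the whole procedure against the constructed discovery document and
    return the base names of the files written (temp dir when none is given)."""
    metadata_dir = metadata_dir or tempfile.mkdtemp(prefix="oidc-meta-")
    fixed = fix_tenant(SAMPLE_DISCOVERY, tenant_id)
    paths = write_metadata(metadata_dir, fixed,
                           "app/client id from apps.dev.microsoft.com (placeholder)",
                           "generated password from apps.dev.microsoft.com (placeholder)")
    return [os.path.basename(p) for p in paths]


if __name__ == "__main__":
    # Before the fix: the same three complaints the post's log line implies.
    for problem in diagnose_issuer(SAMPLE_DISCOVERY["issuer"],
                                   "https://login.microsoftonline.com/xxxxyyyyzzzz/v2.0"):
        print(problem)
    print(demo())
```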

Wednesday, October 10, 2012

How to Generate a Public Key With ssh

Useful ssh tricks

I don't like to let people log in to sensitive servers with passwords.  I generally disable this feature on servers I maintain.  I will explain.  ssh is used for many things.  I use the openssh flavor of ssh, but there are many other flavors.  For Windows, Putty is a popular ssh client.

There are many things that you can do with ssh besides just establish a login session on a remote server.  scp and sftp are programs that allow you to connect to a server and copy files securely.  When you use plain old ftp to copy files, you are sending your passwords across the Internet in clear text, bad, mmkay.

One of the more useful things about a good ssh client is that it takes advantage of the features of a good ssh server (sshd).  A good ssh client will allow you to do tunneling.  An example would be using ssh to connect securely into a Virtual Private Network, then using the tunnel created to secure a Windows Remote Desktop connection between the client and another machine on the VPN. A good ssh client can be used by other programs to connect to the ssh server, as in the case of svn, where you can use svn+ssh://yourhost/yourrepo instead of just svn://yourhost/yourrepo, which will also use the same ssh client.

There are lots of cool things you can do with ssh, but it all depends on getting the username and password set up properly so that authorized user (A), we'll call him "Joe", can get into the server and copy files, check out things with subversion and tunnel remote desktop connections.  In a default kind of setup, you would create a user account on the server for Joe, then assign Joe a password.  Joe would then connect to the server, it would ask for his password, and he would enter it.  That's all good, unless someone else has Joe's password.

Brute Force and Dictionary Attacks

When you use only usernames and passwords to protect your server, you are vulnerable to these types of attacks.  This type of attack involves attacker (X), we'll call him "Snidely", gaining access to your system by trying as many passwords as he can until one lets him in.  Snidely doesn't have to type these passwords in; he can just get passwords from the dictionary, or from a cracker library, and have an automated program keep trying until one works.   Your only protection against this type of attack, when you are using passwords, is to assign a "Login Limit".  This causes the account to be locked after a pre-defined number of unsuccessful login attempts, and shuts Snidely's little game down.

Public and Private Keys

Lucky for us, there is an even more secure method, Public/Private key exchange.  First I should explain what a public and private key is.  If Joe wants to send user (B), we'll call her "Sally", a secret message, Sally can receive this message secretly by generating a public and private key.  Sally generates her public and private key, then she gives her public key to Joe.  Joe then writes the message and locks it up with Sally's public key.  Once the message is locked with Sally's public key, only Sally, with her private key, can unlock it.  For an added level of security, Sally was smart, and she also locked up her private key with a password, known only to Sally, when she generated the "Key Pair".

How to generate ssh  Public/Private Keys

Now let's say that Joe is the system administrator, and Sally wants in to the server.  What needs to happen is Sally first needs to generate a public/private key pair.  If Sally has openssh, either in Cygwin (under Windows), or openssh in Linux/Mac OS X, the ssh-keygen utility can be used as follows:

$ ssh-keygen -t dsa

If you do not add the "-t dsa" part, it will generate an rsa key.  Either will work, but I like DSA as RSA keys are not exportable outside the US, DSA keys are.  Also, the default length of the key is 1024.  The length of the key determines how secure the key is: the longer the key, the more secure it is.  Theoretically nothing is "secure"; when you talk about key lengths and whether or not a key is secure, you get into the whole argument about whether there is enough computing power available to Snidely so that he can easily crack your key and gain access.  The longer the key, the more computing power Snidely will have to use to crack the key.  You can also specify a longer key (up to 2048) if you use type RSA with "-t rsa".

After you hit enter, it will prompt you for where you want to store your files, it will look something like:

Generating public/private dsa key pair.
Enter file in which to save the key (/home/scott/.ssh/id_dsa):

You can enter a different filename, but I usually press enter, as the default is usually sufficient.  After you hit enter here, you will be prompted for a password.  This is important: you can choose to have no password (not recommended), or you can pick a password that locks up use of your private key.   As explained before, a secret message locked up with this public key will only be able to be read by using the private key.  Anyone in possession of the private key can decrypt Sally's secret messages.  Any time you use this private key you will have to re-type this password.  This is important to note because when Sally tries to connect to the server, after Joe has installed her public key there, Sally will enter the same password she used to lock up her private key, NOT a password that is stored on the server.

Enter passphrase (empty for no passphrase):

After Sally has entered her passphrase, she will be prompted again:

Enter same passphrase again:

Then a nice little message with some additional randomart will display:

Your identification has been saved in /home/scott/.ssh/id_dsa
Your public key has been saved in /home/scott/.ssh/id_dsa.pub
The key fingerprint is:
66:27:fc:27:8e:1d:43:ab:25:2b:3c:b7:8f:7b:16:69

If you look inside the id_dsa.pub file, you will see your public key.  It will look something like:

ssh-dss AAAAB3NzaC1kc3MAAACBAO2A0f//TUz1cx/23vRk7kfqEt81pQz6s0qbbjBaKPAn1eIbe7xHVogZNPdVhqWBMJ4xAWH5Fldayy4tJp5oDY0QqxsBVEvx81PUkmTD3cWMtysTaKqS6jjSNrGimRvL+xZf2jt4FvN1LQhFfeKI0Q1+MkoJ8GWD7ggmWC4/2GWhAAAAFQCJ2DgZMyN6AUTt+rW9Me2TZf4JhQAAAIAy2ehqfts19c+SNqKiIpII8kFI/u8N1tjKAV9sw2BDC5aJinqcoGGFXCI8J43ni4g/GPu+vAxWi2MPiGbw6MFnFvQRWdOPAjM5FJFU3mKqM3Vhk+29Qr25x/0cdDKh7hSPcmRRPTPTHwVEZwTErp8hG8JqFRlc0iSx/kMmLL6HCAAAAIEAiXy69U6zdYQitJfIMrc6dG61l/R7Rs+7Z9zsGpW5MmgyMMzAXU3gKO+0NEpUv9lMyDOqEYwEviU/0lyeesFmIl0T1/c/TOTtlgqpv9S5KAparVfkVXL3U4Gq7tNyzeGncbOd5u1tYdLh8dKgLPMtgmoHNzw+5m/Mc70TpVwLzZA= scott@monstro

All Sally needs to do is to e-mail the above text to Joe, and he'll know what to do.

What's a Joe to do? - Installing the public key on the server.

Now for Joe's part: he needs to take Sally's key, and assuming the /etc/ssh/ssh_client file has things in the standard place, home directories are in the standard place, and Sally's username is "sally", Joe will put the above key (without any line feeds or carriage returns) into:

/home/sally/.ssh/authorized_keys2

or

/home/sally/.ssh/authorized_keys

(Depending on how old your server installation is.  NOTE: I've seen both filenames needed in certain instances)

It is important that the ".ssh" directory in /home/sally be readable and writable only by Sally.  In addition, the authorized_keys file can only be readable and writable by Sally.  Just to be sure, you can run the following commands as root.

$ sudo chmod 700 /home/sally/.ssh
$ sudo chown sally /home/sally/.ssh

$ sudo chmod 600 /home/sally/.ssh/authorized_keys2
$ sudo chown sally /home/sally/.ssh/authorized_keys2

If you leave out the above and the permissions are not correct, then Sally will not be able to log in, and Joe's authorized_keys file will be ignored.
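A check Joe can run after installing the key, as an added example that is not part of the post: it verifies the 700/600 modes and ownership described above, and that every line of authorized_keys (or authorized_keys2) is a whole key, since a key pasted with line breaks or carriage returns is the other common reason the file gets ignored. It assumes a Linux server with GNU or busybox stat -c.

```bash
#!/bin/sh
# check_ssh_key_setup HOME_DIR USER
# Verifies what Joe is told to set up above: HOME_DIR/.ssh mode 700 and
# authorized_keys (or authorized_keys2) mode 600, both owned by USER, and
# every key line intact (one line, no carriage return, known key type).
# Prints each problem found; returns 0 only when there are none.
check_ssh_key_setup() {
    home_dir=$1
    user=$2
    ssh_dir="$home_dir/.ssh"
    problems=0
    cr=$(printf '\r')

    if [ ! -d "$ssh_dir" ]; then
        echo "$ssh_dir does not exist"
        return 1
    fi
    check_mode_owner "$ssh_dir" 700 "$user" || problems=$((problems + 1))

    found=0
    for keyfile in "$ssh_dir/authorized_keys" "$ssh_dir/authorized_keys2"; do
        [ -f "$keyfile" ] || continue
        found=1
        check_mode_owner "$keyfile" 600 "$user" || problems=$((problems + 1))
        lineno=0
        # "|| [ -n "$line" ]" also handles a last line with no trailing newline
        while IFS= read -r line || [ -n "$line" ]; do
            lineno=$((lineno + 1))
            case "$line" in
                ''|'#'*) continue ;;
            esac
            case "$line" in
                *"$cr"*)
                    echo "$keyfile:$lineno: carriage return found (key pasted from Windows or e-mail?)"
                    problems=$((problems + 1)) ;;
            esac
            case "$line" in
                'ssh-dss '*|'ssh-rsa '*) ;;
                *)
                    echo "$keyfile:$lineno: line does not start with a key type; key probably split across lines"
                    problems=$((problems + 1)) ;;
            esac
        done < "$keyfile"
    done
    if [ "$found" -eq 0 ]; then
        echo "no authorized_keys or authorized_keys2 in $ssh_dir"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# check_mode_owner PATH WANTED_MODE WANTED_USER: report and fail on mismatch,
# printing the chmod/chown that would fix it.
check_mode_owner() {
    mode=$(stat -c '%a' "$1")
    owner=$(stat -c '%U' "$1")
    ok=0
    if [ "$mode" != "$2" ]; then
        echo "$1: mode is $mode, want $2 (chmod $2 $1)"
        ok=1
    fi
    if [ "$owner" != "$3" ]; then
        echo "$1: owned by $owner, want $3 (chown $3 $1)"
        ok=1
    fi
    return $ok
}
```

Run it as `check_ssh_key_setup /home/sally sally` after the chmod/chown commands above; it exits non-zero and prints what to fix if anything is off.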

How the ssh Authentication Handshake Works

I like this story, because it's the same way that Friend or Foe identification works in fighter aircraft.  So Sally wants to connect to the server.  Joe has done his part as administrator, put Sally's public key into her authorized_keys2 file and updated permissions on said files using chmod and chown.  Sally can now use the command

$ ssh sally@joeserver.com

What happens next is that the ssh server generates some random data.  It then uses Sally's public key, put on the server by Joe earlier, to lock up that random data.  It then sends the data to Sally.  Sally is prompted for a password, and she puts in the password she used to lock up her private key when she generated the keypair.  Sally then unlocks the random data sent by the server and sends it back, unlocked.  The server compares the unlocked version with its pre-locked version and if they match, the server lets Sally in.

I get asked about the above quite a bit, and there is always consternation from the users when they have to generate keys, but it's a necessary evil.  Security, or convenience, pick one :)


Tuesday, November 9, 2010

Aren't you ready for Linux Yet?

"A Classic Drive By Attack" is what this article says.

So Microsoft Outlook has another bug that allows machines to be infected and taken over without the users clicking on an attachment or anything.

Plus many other security holes, in Office, and other security holes that have to be patched manually. I always hear much gnashing of teeth and wailing over the high cost of hiring the staff to administer Linux or Unix boxes, but once you install a Linux box, and once it's configured and running, administration is minimal.

I used to fix the Windoze boxes of family and friends when they got infected with a virus or malware, or crippled by spyware. Not anymore, now when someone brings me an infected box, I give them two options. Let me install Linux, or take it to someone else. So far nobody has turned me down. And of the 10 friends/family I have installed Linux for over the last two years, none of them have had a single virus or blue screen of death or other system issue. I also haven't received a single phone call about how does this work or that work, or this broke or that broke.

This has been typical of the Windoze environment ever since Windoze for Workgroups when they added networking and allowed the rest of the world in. I just don't get why people continue to buy the marketing hype of Redmond and continue to throw money at this swiss cheese platform.

And if you haven't worked with Windoze 2008 Server yet, let me tell you, you are in for big administration headaches and backwards compatibility issues. In order to try to fill the holes in their swiss cheese, so many security "features" have been added, it pretty much rewrites the book on configuration of security on one of these machines. Things like authentication and networked filesystems and file permissions are very much fubar'd and require a whole new level of expertise to configure and maintain.

So to close, I'll relate a story. A friend of mine asks me about why their machines are running so slow in their office. This friend tells me they are going to buy new machines because everything is so slow now. I tell them, they probably have some kind of virus or malware, or something slowing the machines down and they don't need new hardware.

I speak with the business owner, and she tells me that everything runs great, it's just the slow machines. She also tells me Windoze is fine for their office (she forgets the compatibility issues they had last month where people couldn't read each other's documents).

The next day, this same business owner is reading e-mail and all of a sudden, a picture of a woman lacking clothing, doing the spread eagle, appears on her screen. Needless to say, I went by their office and ran malware and anti-virus scans on all the machines in the office. Turns out only one of the machines wasn't infected with multiple viruses.

The moral to the story here is get off of the Redmond crack. Take the needle out and put something in your business that isn't prone to getting attacked every month from some new threat. It's great that there are security patches available, but before there is a patch, someone has to find the bug, and by the time you get the patch, it's already probably too late. Kinda like the old saying of "Closing the barn door after the horse is already gone".

Thursday, June 24, 2010

Conficker - Still paying for the mistakes of the past

I've been specializing in Analytics lately and I use Linux on all my desktop machines, so I haven't really paying that much attention to the Windoze arena other than the nicely manicured, maintained by a team of overseas engineers Windoze machines. I was reading this article from The Atlantic the other day, and I think the time has finally come to migrate off of Redmond Swiss Cheese once and for all.

The Conficker worm is one MF, for sure. The problem is this. You don't have to get infected by it directly. If there's a machine that's on the same network you're on, and it has the Conficker worm. That machine will actively attack your machine. It will try new security holes, and it will even try password cracks to try and guess your passwords.

First detected back in 2008, this thing has just gotten bigger and badder ever since. Sure there are patches, and apparently only some unreleased Beta of Windows 7 was vulnerable, but most of the other releases before it were at one point vulnerable.

So let's say that you have one of these Windows systems and you are installing it fresh. It's probably vulnerable out of the box and will need an update. Well guess what, you have to connect to the Internet, to get the patch to close the hole. If you are on a network and there are machines that are infected, they will be actively attacking your machine. It's a race against time to see if you can patch your system before the nasties get in.

I just don't get it. I'm talking with my significant other's employer; they seem to be having the same problems every network with Windows has: things work, then don't work, machines get infected with viruses and other nasty stuff, compatibility issues with older versions, and when I tell them they need to get off Windows and onto Macs or Linux, they say "Well, Windows has been working fine for us". When in fact they have all of the problems I just described. It's funny how people's computers can run slow, crash and have all kinds of other issues that keep them from working and things are "working fine for us". The very next day, this same person I had the conversation with has the nastiest picture she has ever seen, spread eagle on her screen with the message "Watch Me Masturbate!". I think they're ready for Linux now :)

Friday, April 16, 2010

Windows vs. Linux the candy bar analogy

So I was trying to explain to my significant other, this morning, about why, having worked with both *nix systems and Windows systems, I dislike working with the OS from Redmond so much. Do I have something personal against Bill Gates? I mean come on man what's the deal yo? I really should like Windows; many of the things I do take much longer in Windows than just about any other OS, so there are more billable hours to be had. As an ethical consultant though, I really do want what's best for the customer. Also, billable hours where the customer is in a panic because they are trying to recover important files that were lost because of some weakness in their operating system is not a fun call. I kind of summed up my dilemma in an analogy that went something like this.

It would be like being a great chef, able to create any dish that tasted like anything in the world. But all people wanted to order from you, or have you prepare, were deep fried candy bars. They taste yummy to the customers, but the problem is, the customers keep keeling over dead. But it doesn't stop there, because you fed them the candy bar in the first place, you have to round up the Pope, the Local Witch Doctor and a guy from India named Bob to have a lengthy ceremony, where small animals are sacrificed to resurrect the now lifeless customer.

The customer is alive again, but missing some fingers off of their left hand. Not to worry though, "Give me another candy bar!" the customer cries, "I'll pay anything, I love it! And besides, it's what everyone is eating, I get a side of deep fried candy bar with almost every meal I order from any restaurant, why not? Oh and do I get a discount on you sewing my spare fingers back on?"

So I send the Pope, the Witch Doctor and Bob home with a healthy donation to the church, a goat and a support contract, or did I send the goat to the Pope? Well, regardless, the very next thing the customer does is order another deep fried candy bar. I say to the customer, "Look man, if you eat that you will just die again, and I'll have to call the Pope and things will get ugly, but you know, I can make you something that will taste just like that other candy bar, it will have the chocolate, the nougat, the caramel, everything the other candy bar has, and it won't kill you, except it's totally magical and organic, made by little elves in a far away land with chocolate rivers and houses made out of gingerbread, at least that's what I might as well be saying when I start to talk to the customer about the advantages of Open Source and the protected memory architecture of a *nix system vs. other operating systems that don't have these nifty features, not to mention the savings in time and money in maintenance, performance, downtime, etc.

You just can't beat a LAMP system (Linux, Apache, Mysql, PHP) for small to medium sized deployments. I just set up a small store owner with Ubuntu and Zoneminder on an 8 year old PC that would no longer run Windows, and now it's a low cost security camera server replacement for her 3 Axis Video cams in her store. Whenever my friends or family come to me with their Windows machines infected, again, I have just started to wipe them and put Ubuntu on them. If they want to keep their Windows, fine, but I'm not going to try to unravel their messes anymore. Oh and if you want to know what kind of new computer to buy, get a blue one :p

If you've got the dough, nothing will give you that low end torque like a Solaris RISC box running a well tuned Oracle database, oh baby! I put in a Sun box at a large deployment to process credit cards on the Internet a few years back, and it's still running without a reboot, chugging away. The Windows server that was processing credit cards for only a few local machines had to be rebooted every night or the machine would hang, requiring someone to go down to the server room and hit the reset button in the middle of the day while cash registers were pumping and plastic was sliding. The problem was because of a poorly written application, but therein lies the big difference between most *nix systems and Windows based systems. In *nix land, it's much more difficult to write a program that will completely hang or crash the machine. Because of protected memory, which I won't go into detail about in this article, it makes it harder for a regular user to run a program that will cause the system and other users grief; it also makes it harder for viruses and other malicious programs to do extensive damage should they happen to get in.

All that being said, maybe one day, people will start to use an Operating system that is crafted by tiny elves in a far away magical land and forsake the evil king who rules from atop his green mountain of cash, with his armies of briefcase wielding stormtroopers, but then again, to quote a phrase "and maybe monkeys will fly out of my butt". Until then though, I guess I'll just shut up, put a few bills from the mountain in my pocket and go home :p

Thursday, April 8, 2010

Star Trek Online, How to get it working in Linux (Ubuntu)

OK I haven't posted in awhile, but this will be my geekiest post to date. Not only do I talk about Star Trek, I talk about a Star Trek game, not only is it a game, it's an online game, a massively multi-player, online game (MMO). Now if that weren't geeky enough, at the end of this post I'm going to provide links that will allow you to install Star Trek Online under Linux. So if you are not already having spasms of geek joy just thinking about playing your geeky game about your geeky TV show with other geeks on the Internet on the geekiest (and most user friendly, ahem!) operating system on the planet, then read on.

I've really been enjoying this game, it's very cool to get my Kling-On :p. So far PvP as a Klingon is the best part of the game. There's a mission called "A Good Day To Die" where the object is to be killed 50 times in PvP. The only drawback with PvP'ing is that PvP is the primary way for a Klingon to level, Federation types have all types of missions they can run to level up and get good loot. It also means Federation types are soft and squishy. They don't PvP much, whereas the Klingons pretty much have to PvP to level or get any good loot. The alternative for Klingons is to grind exploration missions. I think once more content is added for Klingons, they will become less the PvP elite that they are now and it will balance out a bit. Still though, Klingon vs. Federation at the moment is pretty much a game of burn down the noob, hehe.

So on with how to get this sucker installed on Linux (Ubuntu Hardy Heron w/ upgrades was what I installed on). First I tried to install this under VMWare. Even with the latest release and much gnashing of teeth, no go. Next I tried VirtualBox. I really liked VirtualBox and I think I will move to it for my personal use of things like GotoMeeting, etc., things I have to run that I have to have Windoze for. Anyway, VirtualBox had a problem, even though I had read people had gotten it to work. For those who reported it to work, it worked very slowly.

In comes Wine, yeah Wine. The difference between Wine and VMWare or VirtualBox, is that VMWare and VirtualBox, at their base are hardware emulators. They emulate a virtual piece of hardware, that any operating system can be installed on. Wine on the other hand is an API that interfaces Windows applications to the Linux OS. It's more of a bridge than an emulator. That being said. I found this nifty YouTube Video where this clever chap shows step by step how to install it.

The application he's using is PlayOnLinux, which helps you install your Windoze games on Linux. It can be downloaded from http://www.playonlinux.com

You'll also want to install the PlayOnLinux plugin POL Helper (Also in the video)

Instructions for that can be found in the following thread:

http://www.playonlinux.com/en/topic-2415-Plugin_POL_Helper.html

So my friends, sit back, relax, and geek out!

Saturday, December 1, 2007

Seamless Mouse and Keyboard Switching on Windows and Linux

This is by far one of the handiest utilities I've seen for a computer in many years.

It's called Synergy. And what it does is this: let's say you have two computers, a laptop and a desktop. Your laptop is on the left, desktop on the right. When you start up Synergy you can move your mouse to the left side of your desktop screen and it shows up on the right side of the laptop screen. You can also use your keyboard input, and you can do this with several computers. What it means is you can use one keyboard and mouse to seamlessly control several computers.

It works on both Linux and Windows and is interoperable so you could have 2 windows, 2 linux or a windows and a linux or any combination of up to 5 computers (center, top, bottom, left and right). It's very easy to set up, I've been using it frequently for the last couple of days and it seems to work beautifully.

You can get this baby at http://synergy2.sourceforge.net/

Bye bye desk full of keyboards and mice, Yeah!!!

Saturday, November 24, 2007

Vista Again? Not so In Business

I haven't been doing a lot of travelling over the past couple of months, but that's fine with me. It's not so much fun to go places these days, with security, surly airline staff and the like. I read a story recently about a guy who was threatened with arrest when he tried to get some love for the laptop that he says airport security broke.

So I was reading about Vista again *smirk*. Their new service pack one that's supposed to have some performance improvements, really doesn't. It's really kind of funny. I do quite a bit of work with large companies, and not a single one has Vista installed. Most of them run XP on the desktop and Windows 2000 or Windows 2003 in the server room. It's not just because there are hardware costs associated, i.e. need more hardware, it's because of the risk of upgrading. These IT departments have been burned before by compatibility issues and server downtime, they're going on the "If it's not broke don't fix it" methodology, which, in my opinion, is not a bad one.

It's sad to see, but in the Windows shops, the IT staff is constantly in an uproar about something. This failing, that breaking, etc. I've seen places where system failures were so frequent, they set up rooms of people that just watch the systems waiting for them to fail. When I go into a *nix shop (that's Unix/Linux for the uninitiated), although there are system failures, user support, etc., there isn't the "Oh my god we've got a huge problem" feeling in the air. The engineers are engaged in creating and designing instead of plugging holes.

As a consultant I have a love hate relationship with Windows. It always takes me longer to do things with Windows than with any other OS I have worked with. It's good when you are charging by the hour, but bad whenever you are trying to get something done for yourself.
Things like copying files from one machine to another, or just downloading something from the Internet, almost always take me longer on a Windows machine. Most people see Windows on a desktop and it doesn't do all that bad of a job there, if you aren't too concerned about security. I see Windows on huge pieces of hardware dealing with large amounts of data. It's always fun to try to copy a large file across the network: after it prepares to copy for 20 or 30 minutes, it will start to copy, get part of the way through and die a horrible death. To be fair, this type of scenario is usually caused by some 3rd party piece of resident anti-virus software that corporations are forced to install if they want any semblance of security on their Windows servers.
I'll get off of my soap box again, but I will refer you to an article written by Juergen Haas which goes into some of the more technical details of making the choice between Windows vs. Unix.

Monday, November 12, 2007

Team Fortress 2, Good FPS Fun

In my off time, I enjoy playing a game or two. Single players are OK, but when it comes to pure gaming satisfaction, multi-player games are the stuff. When you play against a computer there is always some pattern, that when figured out, enables easy wins. When playing against a human opponent, you never know what they'll do. It makes for a richer gaming experience, In my opinion, and there is a small visceral satisfaction in knowing there's someone on the other end of that missile you just fired going, "Dammit, he just shot me!".

I've been a big fan of the EA Battlefield series for some time and have been liking Battlefield 2142, but just found a new FPS (First Person Shooter) that has great gameplay, an abundance of servers and terrific player vs. player action. It's one of the only video games that plays just like its trailers. With a lot of games you watch the trailers and get excited about it, then the game itself comes nowhere close to the hype of the trailer. With Team Fortress 2, the game plays like the trailer. You don't just blow people up, you blow the hell out of them. When using a flamethrower you don't just set people on fire, you burn them down!

I'm including a couple screenshots from some recent gameplay and be sure to check out the site at The Orange Box Site

These are shots of a couple of guys that got their just rewards after filling me full of lead. The game gives you the opportunity to take a screen shot of the avatar of the person that just killed you. Here are a couple

Wednesday, September 26, 2007

Windoze Vista? Are you nuts?

Do you like having to upgrade your hardware, add memory, etc.? Do you like having the applications and drivers that you have used for years no longer work? If you're a sucker for punishment, then I guess Vista is the Operating System for you. I have heard many war stories from people I know who have installed Vista: this no longer works, or my machine runs like a dog now.

As this person says in this video, Vista is not a new and improved OS, it's just a different OS. There is nothing I have seen to date that makes me want to again pony up the Microsoft Tax to upgrade my machines. If you want my advice, stick with XP until you are dragged kicking and screaming to Vista. It's been the same story from DOS to Windows 3.1 to Windows 3.11 to Windows 95 to Windows 98 to Windows XP to Vista: every subsequent release adds more unneeded features and more bloat, and always requires more hardware horsepower to run. Add to that the fact that some of the applications you currently run will no longer fully work, and I have to ask, "What are you people thinking?"

Saturday, August 4, 2007

Fix Disconnect Problems on Battlefield 2142

For those of you that don't know, Battlefield 2142 is one of my favorite FPS (First Person Shooter) games. It's a multi-player futuristic shoot-em-up that is the third generation of the original Battlefield 1942. If you like FPS games at all, this is one of the top-of-the-line games.
Although the game has worked flawlessly for me, a couple of different people have reported problems with being randomly disconnected from games, both with and without messages from Punkbuster.

These things have worked for some people; if you are having problems with disconnects when you play BF2142, try these links first.

For Punkbuster Kicks

For Disconnects

If that doesn't work, you can try uninstalling Windows update KB917422: go to Add/Remove Programs in Control Panel, check the "Show updates" box, and remove KB917422. Do so at your own risk.

See you on the Battlefield

Monday, July 30, 2007

Get rid of the annoying beeping when playing games on Windows XP

My machine recently started beeping when pressing multiple keys on the keyboard.

As I understand it, the Windows keyboard buffer is filling up and it's giving me a system beep sound. My games function properly, I just get this annoying beep when I try to hold a key or a key combination down.

I saw some solutions like trying to increase the buffer size in the registry, but the one I opted for was to go to Control Panel -> System -> Hardware -> Device Manager.

Then select View -> Show Hidden Devices.

Then, under non-plug and play devices, right-click on Beep and choose Disable.

After you reboot, the beep is gone!!

Thursday, April 5, 2007

Microsoft, Deceptive? Say it ain't so! *smirk*

I just read this article titled:

Microsoft Sued Over Deceptive 'Vista-Capable' Sticker

Microsoft, Deceptive? Go figure. When are you people going to wake up?

So here is this company. They screw you around for years, forcing you to spend lots of time and money to upgrade, patch for viruses, recover from system crashes; the list goes on. But instead of looking at an alternative, like a Mac or Linux, you still give the company your money, you still use their product because you are too F*ing lazy to seek an alternative, and then you sue them for doing what they have a long history of doing. Not to mention the fact that they have some of the deepest corporate pockets in the world and an army of lawyers that take on countries on a regular basis.

I just installed a new server. It does e-mail via the Postfix server and Courier IMAP, it serves up the family website and the website for my consulting engagements, and it also serves as the print and file server for the other computers in the house. It does all of this with a decrepit 350 MHz Pentium II, 256 MB of RAM and a 4 GB hard disk. If you want the new Vista in the recommended configuration, you'll need 100 times the processing power, 8 times the RAM and twice the hard drive space. This, my friends, is the beauty of Linux. All the taste of Windows, but half the bloat.

Wednesday, April 4, 2007

Micro$oft vs. Anything Else

You know, I have nothing personal against Bill. As a matter of fact, I kind of admire his geek-made-good story. The software made by his company, however, is another story.

As a consultant I guess I should like Micro$oft, because any given IT task I have to do usually takes twice as long (and usually requires the purchase of additional expensive software) to accomplish as it does under any other operating system. Pick one: Solaris, Mac OS, any Linux flavor, HP-UX, AIX, DEC Ultrix, QNX, to name a few.

What the advent of Windows in the server world has done is to breed a generation of MCSEs that can regurgitate the requisite points and clicks needed to configure a Windows operating system, but they do not understand the underlying concepts of what their network and hardware are trying to do, so they build bloated applications and flooded networks. To be fair, there are MCSEs out there that know their stuff, but the majority I've run into know about Windows; ask them an architecture question and they'll start pulling answers out of their arse.

Let's talk about Vista for a moment. They did this to us with Windows 95, Windows 98, Windows XP and on up the line. Each successive operating system has been more bloated than the last, and each upgrade has forced the customer to buy bigger, faster hardware just to equal the performance of their old operating system/hardware combination. In addition to that, the new operating system is 64-bit, but most of the applications and drivers are still 32-bit, which means you'll have to run those suckers under a 32-bit emulator, which will give you yet another performance hit. I just don't get it. Let's see, I'm going to cause myself days of untold pain and suffering so I can upgrade to something that runs slower and is less stable than what I currently have? Ya right..

The architecture, hmmm... Well, I can sum that up with two words: "Protected Memory". All of the other operating systems I mentioned above, Unix and Unix work-alikes, have something called protected memory. The operating system itself, i.e. the video drivers, disk drivers, passwords, logins, etc., all lives in what's called protected memory. Your applications, like your spreadsheets, web browsers and e-mail programs, all run in what's called "User Memory". This is also sometimes referred to as kernel space and user space. The concept here is that while your applications run merrily away, they can only access the core of your system, or "Protected Memory", through very well-defined APIs (Application Programming Interfaces).

In the Windows world everything runs in the same space. In other words, once you're in, you're in. This is what makes Windows more prone to viruses than other operating systems that utilize the concept of "Protected Memory". On Windows, any program you install can access parts of the operating system that it's usually not a good idea for programs to access. Things you run on your user desktop can re-install drivers, write directly to the hard disk and update your system registry, where all your important system configuration information is stored. Once you're into a Windows system it's a fairly simple matter to infect it with something nasty.

In the "Protected Memory" world, once someone gets in, they are into that application, i.e. a mail server or a web server. The difference here is that just because they have broken into one application still doesn't mean they can get at your system. Once someone is into your system they then have to try to break into protected memory, which in a lot of cases just can't be done. "Protected Memory" not only helps protect machines from getting completely compromised by hackers, it also keeps poorly written applications from crashing or locking up your machine.
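The kernel space/user space split described above can be seen from an ordinary program. This is an added example, not code from the original post: it asks for one byte from its own stack buffer, from an address in the kernel half of a 64-bit Linux address space (a constructed example constant, not a real kernel symbol), and from a page whose protection is toggled through mprotect(), and reports which reads the OS permitted.

```c
#define _GNU_SOURCE 1
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Try to read one byte at addr: 1 if it worked, 0 if the CPU/kernel refused
 * with SIGSEGV or SIGBUS (without the handler the process would simply die). */
int can_read(const volatile unsigned char *addr) {
    struct sigaction sa = {0}, old_segv, old_bus;
    sa.sa_handler = on_fault; sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile int ok = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        unsigned char b = *addr; (void)b;   /* faults if this is not our memory */
        ok = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return ok;
}

/* User memory: a buffer owned by this process reads fine (expect 1). */
int user_buffer_readable(void) {
    unsigned char buf[16] = {0};
    return can_read(buf);
}

/* Kernel half of the address space (assumes a 64-bit Linux layout; the constant
 * is a constructed example address, not a real kernel symbol). Expect 0. */
int kernel_address_readable(void) {
    return can_read((const volatile unsigned char *)(uintptr_t)0xffffffff80000000ULL);
}

/* Protection is per page and is changed only through a defined API: a
 * PROT_NONE page faults until mprotect() opens it. Returns 1 if both hold. */
int protected_page_demo(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, len, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    int before = can_read(page);                        /* expect 0 */
    if (mprotect(page, len, PROT_READ) != 0) return -1;
    int after = can_read(page);                         /* expect 1 */
    munmap(page, len);
    return before == 0 && after == 1;
}
```

The kernel read is refused before a single byte comes back, which is the whole point: user code gets at that memory only by asking the kernel through a system call.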

Let's talk about that time thing. I said up above that it takes twice as long to get things done, and here's why. First, point and click, point and click. A half hour later you've navigated to the places you needed to go and updated your configurations the way you wanted them. In a *nix system there are certainly graphical config programs if pointing and clicking is your thing, but on the back end, instead of a cryptic "Registry" where everything is stored in multiple levels in text and hex, there's a directory with text files (usually /etc) where all your application configuration is stored. There's usually only one or two files per application and everything is in there, usually with comments telling you what each configuration parameter is for. It makes configuration of systems and applications nice, simple and less prone to failure.

I've always found, in the IT business, that it is always best to have options. If you have a hammer in your toolbox, you can only drive nails. If you have a hammer and a screwdriver in your toolbox, you can drive screws and nails. The point being that the more tools you have, the more problems you can solve. Next time you are out looking for a new server or a new set of desktops, think about a Unix or Linux solution. If you have the basic needs of most businesses, i.e. e-mail, web, database, word processing, graphics, then a good Unix or Linux distro may be the ticket. It will cost you less up front, has commercially available support, won't get viruses and will keep people from installing a lot of extra chat programs and the like on your nice new desktops or servers.

My current favorites are Ubuntu Desktop and Ubuntu Server. I've only had the server running about a week; setup was text based, which is OK, but it took a bit, being new to the system, to get it configured how I wanted it. It was, however, very easy to get a Postfix mail server with SpamAssassin and a Courier IMAP with SSL running. I've still got to get my Apache and MySQL set up the way I want them. I'll let you know more about how I like it after I've had it running for a bit.

For video games, well, it's just Windows. The same thing that makes Windows suck at being a desktop is what makes it great for playing a video game. In an operating system there is something called a scheduler that divides up the single or multiple CPUs to work on any given process at any given time. In Windows the scheduler tends to like to dedicate all of your CPU power to just one process at a time for long periods of time. This is why sometimes when you run Windows and start a big print job, all the other applications either lock up or run very slowly. In *nix, the schedulers tend to divide the CPU time up a bit more evenly (although you can adjust certain processes to hog all the CPU if you like; it's generally called a "nice" value). In Windows, if you start a heavy duty game, it will dedicate all of your CPU power to a single game process (although multiple CPUs and multi-core CPUs tend to be a bit under-utilized in Windows as compared to most *nix systems).

I could go on about this for days, and I think I will, but for now, I've got to get back to the consulting biz..

Safe Travels,
GT