Archive for March, 2005

Advanced Bash-Scripting Guide

Monday, March 28th, 2005

An in-depth exploration of the art of shell scripting
By: Mendel Cooper

Interesting article on MS Security

Thursday, March 24th, 2005

Security Insights MS Security Architect

By Richard Bejtlich

XSS (Cross Site Scripting) Cheatsheet

Thursday, March 24th, 2005

XSS (Cross Site Scripting) Cheatsheet: Esp: for filter evasion - by RSnake

This is going to come in handy during my pen test of our web site.

IIS 6 Performance Paper

Thursday, March 24th, 2005

IIS 6 Performance Paper - Worth the read

By Brett ‘brett’ Hill on IISFAQ Front Page

Papers from Microsoft are often hit and miss. Some are stellar and some are overbroad overviews filled with marketing jargon. This one, however, is well worth the read. Here’s an excerpt from Web and Application Server Infrastructure - Performance and Scalability:

COM General

With the new IIS 6.0 architecture, it is important to question some of the existing guidelines where COM is concerned. A major consideration is that, before Windows Server 2003, COM application components were configured (by default) to run out-of-process from the caller. The default for COM applications is for them to run as Server Applications, executing in a DLLHost.exe process called into from the object instantiate, or over DCOM.

The performance downside of doing this for every method call is that there are extra threads running on the system, and every call to a method must be marshaled across process boundaries. This is not noticeable on a small implementation with low request/transaction rates, but on a high volume, large multiprocessor, this kind of overhead can greatly decrease the overall scalability of the system.

Therefore, on Windows Server 2003, it is best to change the default configuration for a COM Server Application to Library Application to aid scalability of the calling per use of that application.

SystemImager

Thursday, March 24th, 2005

Creating Images Of Your Linux System - SystemImager

This is a nice app I want to look at for deploying images of linux servers and desktops.

Note to Microsoft Developers

Thursday, March 24th, 2005

<Soap Box> The entire world is not using Microsoft technologies to develop. So PLEASE do NOT embed non-standard code into web standard code. For example, do not embed C# into an XSLT. XSLTs are meant to be platform agnostic. That is what makes XML and its supporting technologies so valuable. What if someone wants to use the XSLT in, say, Java or some other language? </Soap Box>

How to Set Up a Jabber Server

Thursday, March 24th, 2005

How to Set Up a Jabber Server LG #112 by Suramya Tomar
This is a great article to help us complete our internal Jabber Server.

The holy grail of cables

Thursday, March 24th, 2005

the 5-in-1 network admin’s cable
ethernet / crossover / modem / null modem / Cisco console

This is something I have wished I had for years.

Kudos to Mike Ossmann and at the same time checkout the pure sweetness that is Make Magazine. I really need a subscription.

Syncing the Treo 650 with Bluetooth | Linux Journal

Thursday, March 24th, 2005

Syncing the Treo 650 with Bluetooth | Linux Journal
By Dovid Kopel on Thu, 2005-03-24 00:00.
The new Treo smartphone is GNU/Linux compatible and comes with Bluetooth connectivity - here’s how you can set it up for your network.

Sharp Zaurus Linux

Friday, March 18th, 2005

Pocket Workstation - Debian on Handhelds

Using an Embedded Gateway Server to Remotely Pilot a Model Plane

Wednesday, March 16th, 2005

by Telly Cooper (Sep. 12, 2003)

This whitepaper from Intrinsyc describes how engineers at IBM’s Pervasive Computing Advanced Technology Laboratory created an embedded Linux based intelligent, high-level remote control system for a model airplane as a way to showcase Gateway Server technology.

Evolution

Wednesday, March 16th, 2005

So I am back to using Evolution as my primary email app in Ubuntu Hoary. I still love Thunderbird, but since I am trying to get contacts and calendars synced with my Treo 650, Thunderbird is not the best solution. I found today a good article on filtering mail with Evolution.

Recommended Mailbox Size Limits

Tuesday, March 15th, 2005

By The Exchange Team

Many times I’ve been asked to give a guideline on how large a mailbox can be before performance degrades, or on the recommended size for a mailbox. Unfortunately, this question is like asking “How many cookies are enough?” There may be a lot of implied information, but the question itself is vague. For example, I personally think there are never enough cookies, while my brother won’t eat more than one. Nonetheless, I have been asked to forge ahead, declaring my assumptions, and stating my conclusions.

First, there are no inherent size limits on individual mailboxes. The main factors that limit mailbox size, practically speaking, are available disk space, backup and restore times, Service Level Agreements, and Outlook performance. By Outlook performance I’m referring to the latencies experienced by the end user. In this blog, I’ll just talk about the limitation due to Outlook performance.

It’s item count, not size, that matters

First, it’s not the size of the mailbox that impacts performance - it is the number of items in the folder or folders that are being accessed on the server. In particular, performance is largely influenced by the number of items in the most commonly used folders: Calendar, Contacts, Inbox, and Sent Item folder.

Having a large number of items in a folder will mean that operations in that folder will take longer. Operations that depend on the number of items in the folder include adding a new column to the view, sorting on a new column, finds and searches. Many Outlook plug-ins do sorts or searches as they are running, and these requests may overlap with other Outlook MAPI requests, resulting in a poor user experience.

If you are running in Cached-Mode, (the default mode for Outlook 2003), then client performance can be an issue. One thing you should do is keep your OST files (the local data cache) free of fragments. There is a nice little tool called CONTIG on sysinternals.com for this purpose (http://www.sysinternals.com/ntw2k/freeware/contig.shtml).

All user pain is subjective

Setting a limit depends somewhat on your users’ tolerance for pain. Are they comfortable with slow Outlook operations, or do they expect a snappy response? How much wait are your users willing to tolerate? The number of items in these key folders has a large impact on the delays for many common actions, and this is one factor that the user can control. Publishing guidelines for your users may help them control their own experience.

Not all users are created equal

In addition to the number of items in the key folders, there are other factors that impact the Outlook experience, such as the number of other MAPI applications or Outlook plug-ins running on the user’s machine. All MAPI requests contend for attention in mapi32.dll; if you have a lot of plug-ins making requests, Outlook will run slower. Furthermore, the complexity of the action will have an impact. For example, marking all items in a folder as read is going to take a lot longer than marking one item. Other actions that inherently may take a long time include getting free-busy information for a lot of users on a meeting request, or doing a search across multiple folders. If your users are frequently doing complex actions, have lots of plug-ins, or have high use of the contacts and calendar folder, you may want to recommend that they limit the number of items in their critical path folders.

Not all servers are created equal

If you’re running on really old hardware, you may experience poor performance at a lower number of items than if you’re running on the latest-and-greatest. This is a big area and I’m just not going to go into this any further here… Ok, I lied; I have to add one more thing: disk latencies. For optimal user experience, make sure disk latencies are small (e.g., 20 ms or less), even during peak server usage (see my earlier disk blogs).

Here’s an example to show how disk latency can add up. When getting a view, the requests for the data are done in individual, serialized requests from the disk, not bulk operations. So for example, if a plug-in is getting a view of 1000 items, then the Exchange store will probably make about 200 separate requests for data (assuming about 5 messages are retrieved per request). At 20 ms, that’s a guaranteed 4 second delay just from the disk subsystem alone! Imagine if your disk latency were 50 ms or 100 ms. To make matters worse, if you have multiple plug-ins making similar requests, you may find that your Outlook client is frequently blocked. Help yourself (and the other users) by keeping disk I/O latency low.

The Bottom Line:

I usually recommend no more than about 2500 - 5000 messages in any of the critical path folders. The critical path folders are the Calendar, Contacts, Inbox, and Sent Item folder. Ideally, keep the Inbox, Contacts and Calendar to 1000 or less. Other folders, particularly custom folders created by the user, can handle having larger numbers of items without having a broad impact on the user experience (20,000 items in my “Cookie Recipes” folder? No problem - except when I need to find that recipe from last Christmas!).

If getting word out to the users to reduce folder item counts is impractical, administrators have another option. Administrators can use the Mailbox Manager tool to control the size of critical mailbox folders. Unfortunately, Mailbox Manager does not evaluate the mailboxes based on message count within a folder; instead it processes messages by age and/or size of message. Regardless, if your organization allows the use of it, it can help prevent mail folders - and user frustration - from getting out of control.

- Nicole Allen

Batch File goodness

Friday, March 11th, 2005

I spent the last two days automating processes that co-workers had been doing on a manual basis for a LONG time. One thing that I needed was to rename a file with the current date. Bring in Google and, bam, I found this.

ren test.txt test%date:~4,2%-%date:~7,2%-%date:~10%.txt

Now I have it handy in case I ever need it again. Credit goes to FishMonger on http://www.computing.net/dos/wwwboard/forum/14569.html
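As an added example (not from the post or the computing.net thread), here is the same rename wrapped in a small batch script. The substring offsets in the one-liner assume the US default short-date layout "ddd MM/DD/YYYY" (for example "Fri 03/11/2005"), so the script checks that layout before stamping and refuses to overwrite an existing file; the file name argument is whatever you pass as %1.

```batch
@echo off
setlocal
REM Added example, not from the original post or FishMonger's thread.
REM The offsets 4,2 / 7,2 / 10 only match the US default short date
REM "ddd MM/DD/YYYY" (e.g. "Fri 03/11/2005"); other locales put the
REM fields elsewhere, so verify the layout before renaming anything.
set "src=%~1"
if "%src%"=="" (
    echo usage: %~nx0 file
    exit /b 1
)
if not exist "%src%" (
    echo no such file: "%src%"
    exit /b 1
)
set "d=%date%"
REM Positions 6 and 9 must be the "/" separators of MM/DD/YYYY.
if not "%d:~6,1%"=="/" goto badformat
if not "%d:~9,1%"=="/" goto badformat
set "stamp=%d:~4,2%-%d:~7,2%-%d:~10%"
REM %~n1 is the base name, %~x1 the extension, %~dpn1 adds drive+path.
set "dst=%~dpn1-%stamp%%~x1"
if exist "%dst%" (
    echo refusing to overwrite existing "%dst%"
    exit /b 1
)
REM ren takes a bare file name as its target, so no path on the second arg.
ren "%src%" "%~n1-%stamp%%~x1"
echo renamed "%src%" to "%dst%"
exit /b 0

:badformat
echo unexpected %%date%% layout "%d%" - adjust the offsets for this locale
exit /b 1
```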

IT Observer - An IT Manager’s Insight into Securing Removable Media

Friday, March 11th, 2005

Article on Securing removable media
Author: Magnus Ahlberg, Managing Director of Pointsec Mobile Technologies

Speech-Activated Password Resets

Friday, March 11th, 2005

This is a clever idea.

By schneier

We know that people forget their passwords all the time, and I’ve already written about how secret questions as a backup password are a bad idea. Here’s a system where a voiceprint acts as a backup password. It’s a biometric password, which makes it good. Presumably the system prompts the user as to what to say, so the user can’t forget his voice password. And it’s hard to hack. (Yes, it’s possible to hack. But so is the password.)

But the real beauty of this system is that it doesn’t require a customer support person to deal with the user. I’ve seen statistics showing that 25% of all help desk calls are by people who forget their password, they cost something like $20 a call, and they take an average of 10 minutes. A system like this provides good security and saves money.

Build your own PBX

Sunday, March 6th, 2005

Kerry Garrison - Building your own PBX
Building Your Own PBX with Asterisk
Kerry Garrison
What would it mean to you to have your own full-featured PBX system at your home or small office? What would it mean to you if you could build an entire PBX system (minus the phones) on hardware you probably have laying around, AND that it can probably also save you money on your phone bill? Sounds too hard to believe, doesn’t it? But using old hardware and some open source software, you really can build a commercial quality phone system that would normally cost thousands of dollars.

The Hardware
As I mentioned in the opening, we are going to build our PBX system from equipment that we have laying around the house. After cannibalizing three spare systems, what was left was a PII 450, 386mb RAM, 12gb HD, 48x CDROM drive, and an Intel Pro 10/100 network card. This is all you “need” to get going as long as you are going to get VOIP dial tone service from a company like BroadVoice (more on this later). If you want to use regular analog phone lines you will need a modem card. Not every card will work properly; however, the most recommended card is the Digium Wildcard X100P FXO card, which can be purchased brand new on eBay for $6.95 each. So far, total out of pocket expense for the card plus shipping: $12.90.

Sowing the Seeds of Open Source Advocacy

Friday, March 4th, 2005

By Jono Bacon

03/03/2005

From the article

The Importance of the Message

Within the open source community, advocacy is as critical as contributing source code, patches, or documentation. Although advocacy is not a technical contribution, it is critically important to spread the message of open source to other people in a language that is cohesive to their context. It is easy to preach to the converted when advocating open source to people at Linux user groups and trade shows, but standing in front of a board of executives who care little about computers–let alone a facet of computers, such as open source–is quite a challenge.

Review: NetLib Encryptionizer for Microsoft SQL Server/MSDE

Friday, March 4th, 2005

Here is a review of a SQL encryption tool that I could use for work

File Synchronization with Unison

Thursday, March 3rd, 2005

By Erik Inge Bolso on Tue, 2005-03-01 00:00.

Keeping directories in sync on multiple machines can be difficult. Running Unison is one way to make the task easier.

Unison is a file-synchronization tool that runs on Linux, UNIX and Microsoft Windows. Those of you who’ve used IBM Lotus Notes or Intellisync Mobile Suite probably have an idea of what synchronization is good for, as compared to one-way mirroring options such as rsync. You might have mirrored a company document directory to your laptop, for example, and then modified a document or two. Other people might have modified other documents in the same directory by the time you get back. With rsync, you’d need to reconcile the differences between the two directories manually or risk overwriting someone’s changes. Unison can sort out what has changed where, propagate the changed files and even merge different changes to the same file if you tell it how.

Full article