Open Heart Surgery

2011/10/06 § Leave a comment

Mark Russinovich, of Sysinternals’ fame, tweeted a link to this rather in-depth (and I’m not kidding) article about Frank Boldewin’s extirpation of malware on a friend’s computer.

To get to that level requires a deep understanding of the Windows OS innards and reminds me of Nietzsche’s famous quote about abysses. Nevertheless, it got me thinking: of the Systems Administrators I know, which one of us (I include myself) would have been able to tackle such a dye-in-the-wool malware infection? Let’s try none.

At this level, it’s rather simpler to throw one A/V after the other at the problem and hope this fixes it, all the while exhibiting a large measure of faith that the issue had indeed been resolved. Barring this, there’s the always elegant “nuke and pave” method for fixing problems with which Windows administrators are quite familiar.

A short hike from this philosophical position leads to the question of whether this is a Good Thing™. Should I, as a systems administrator of one of the world’s most widely used Operating Systems, be able to routinely handle the kinds of issues met and defeated by the hero in the aforementioned article? Further, bearing in mind that the scenario encountered is nothing esoteric and in fact, is an everyday occurrence in many Windows “shops” nationwide. Yet, only a very small number of admins could perform all of the tasks in the manner outlined.

I haven’t decided on answer. Requiring all systems administrators to understand their OS to this depth may be asking for too much from someone who’s not an OS developer. Then again, why not? Why should sysadmins be able to handle what is gradually becoming an everyday issue for users without blindly resorting to sometimes expensive third-party “solutions” or destroying the OS and data in performing an OS reinstallation?

I try to imagine what a UNIX administrator would do with this kind of scenario? Would the average UNIX admin be able to dive that deep and not drown? Are these kinds of scenarios commong in that arena? I don’t remember as it’s been quite a while.

Whatever the case, this is indeed heart surgery and if I were allowed to abuse the analogy a bit, a surgeon is no ordinary doctor. To perform that kind of work requires extensive schooling and experience, something 99% of MDs don’t have, and perhaps don’t want. The parallels begin to fray though, when you consider that if the occurrence of heart surgery was as common as malware infection is in Windows, perhaps anyone who called themselves a doctor would indeed be required to perform heart surgery.

What do you think?

Hood Work

2011/09/29 § Leave a comment

It usually starts with your telephone ringing. Some disgruntled user is complaining they’ve been “having problems for a very long time.” If you’re an old hand at this, you know what to expect next: it’s very likely the user’s only noticed the problem recently, but their rationalization hamster is working that wheel.

Nevertheless, you take a deep sigh, reconfigure your frame of mind and get ready to evaluate their “problem.” If you’re lucky, it’s something simple. If you’re not, it’s resolution is going to entail a flight cross-country, several meetings with sour-faced people, and maybe a donkey ride or two. If you’re really unlucky, it’s your mom calling.

Whatever the case, you’re doing yourself a great disservice if you don’t go ‘under the hood,’ by which I mean, if you’ll pardon the lumbering metaphor: network sniffers. If you go to a mechanic because you’re like me, a total car noob and complain about the engine’s performance or whatnot, it’s usually the first step that the guy or gal will pop your hood to “take a look” while dollar signs rotate into view in their eyes.

Point is, that hood’s coming up and things get fixed and that’s how you should approach your work. Almost no one uses their computer disconnected from anything so if the problem falls into the category of slow access to some remote resource, one of the first stops on the troubleshooting trail is whipping out the network sniffer.

I’ve been a Windows sysadmin for quite a while. In that small insignificant corner of the the computing universe, there are two pieces of (free) software that should be part of your kit:

Wireshark is the ne plus ultra of the free network monitoring and analysis packages. There are a few others, but I don’t care. You have these two, and you’re fine.

If you’re a big spender, shot-caller, well then your chariot awaits good sir: WildPackets OmniPeek (and I’m not giving you a link to it, big boy. You can do your own searching. Maybe if you buy me a copy …)

And learn how to use them. Laura Chappelle’s written some excellent stuff. And I’ll let you in on a secret: if you apply for a job at my company and you tell me you can analyze TCP/IP packets, you’ll jump to the top of my list immediately. Almost no one in the Windows world knows how to perform this rudimentary task. It’s a sure in, so take the time to take a look under the hood.

Where Am I?

You are currently browsing the Security category at /var/log.