The ‘Service level Agreement’

Sadly I don’t have a ‘Service level Agreement’ with anyone. The reason being my business model is so crazy diverse it’s nearly impossible to encompass. Quite literally I seem to support everything 24/7/365 and if I can’t support it I’ll find you someone that can. If nothing ever breaks in your office/company I consider that darn near perfect, I want all my clients to NOT have problems. I really don’t like the companies that thrive on IT misery by billing a fortune for constantly fixing ‘something’ but never any ‘smooth sailing’.

I know that sounds a little weird but IT infrastructure is now printers, cabling, servers (real & virtual), cloud, phones, watches, tablets, copiers, routers, WiFi, email, VPN, RDP and that doesn’t even cover security systems, cameras, cars (yup.. I’ve clients that get Email/Teams/Zoom in their car). A few of my 3 & 4 letter agency clients have me doing towers, encryption, forensics and the occasional ‘white hack’. I can’t fix your fridge remotely but if it needs to connect to the internet to order your milk for the morning coffee, that’s part of my job if you say it is.

Thus.. I will pretty much do anything and everything to the best of my ability as soon as I possibly can or find you someone that will/can. All this for $100/hour (honestly I really need to revisit my rates.. it hasn’t changed in nearly 10 years when gas was $0.80/liter) plus one-way travel time (no mileage) if I’m not already planning on being in your area.

How’s that for a ‘Service Agreement’?

My TEDx Talk

On Saturday April 14, 2018 I presented at the TEDx in Chilliwack, BC.  I applied last year, had an audition in January (was accepted as a presenter) then got on stage Saturday.

I had no IDEA how much work it would be.  Writing a script for a talk, less than 18 minutes that would explain Blockchain, the Cloud, our loss of privacy and give people options to create meaningful change.  Then memorize it, edit, re-edit, re-memorize and on the presentation night being more scared than anything I’ve done while fire fighting.  I got the 1st two lines out and then my tongue became wet leather, a stumble or three but I managed to get it together and, I think, present an acceptable talk.

By the end of April it’ll be on the TED/TEDx site among a thousand other talks and I’m hoping it’ll be of some interest.  When it’s ready I’ll post up a new link to the video and some pictures (which are also being worked on).

SharePoint 2016 (it’s evil but it’s awesome)

This is one of those programs you don’t even know you need until you have it.  Then you wonder how the heck you functioned without it.  You can ‘do the cloud’ or make your own fully controlled on-site system.

Explaining SharePoint is difficult but, trust me on this, you should at least look at it to see if it’s the ‘missing link’ of your information system.  Microsoft SharePoint.

Microsoft offers $20/month/user for SharePoint with Office, OneDrive, Exchange and the works.  Problem is they own you and your data, something most business owners in Canada either can’t (because of government contracts) or won’t do.  I’m on the ‘no cloud’ side because one twit with a backhoe can end your business in 10 minutes unless you diligently make backups.

If you have a Server 2016 & Exchange 2016 (the type I usually put into clients) you don’t need any hardware (see Your New Server), just a really complicated install.  If you already use SharePoint the upgrade from 2010 is nightmarish (but doable) and from 2013 it’s a walk in the park.

So why don’t you have one?  Well it’s the $7000 software plus $100/user (ball park figures Microsoft changes things from time to time).  Which is more than the licensing cost of your Server, Exchange and all those CALs you needed to get it happy.  You’ll need an SQL server as well (additional cost).

Maybe in this one case, the cloud will work for you (at least cost wise).

‘Hey Microsoft just called me’

Uhmm.. no they didn’t.  First off Microsoft isn’t going to call you, or really any other software company (try phoning their tech support and see how long it takes, imagine them actually phoning people proactively to solve problems).

The solution:  Don’t get rattled and don’t trust anyone (not webpages or people you don’t know).

This applies to those pop-up webpages you can’t close (often with loud messages playing).. “Call this number you are infected, owing taxes, under arrest, piracy, being investigated for terrorism.”  You often see the terms FBI, RCMP, CIA, CRA and other scary federal agency letters, seals and the like.  Just as often you see spelling mistakes and poorly phrased English.

Here’s a quick list of things to watch for in the ‘Tech Support Phone Scam’; I’ll cover the ‘Webpage scam’ further down:

  • Clue #1: THEY called YOU
  • Clue #2: The Caller ID says ‘Microsoft’, ‘Tech Support’, or something techie sounding
  • Clue #3: They have a thick foreign accent and some ‘normal’ sounding name
  • Clue #4: They claim your computer is doing ‘something’ (spam, virus, hacking)
  • Clue #5: They ask you to open the Windows Event Log Viewer
  • Clue #6: They ask you to go to a Website and install a Tool (Ammyy, TeamViewer, LogMeIn Rescue, and GoToMyPC)

As long as you don’t let them in (via the remote control programs) they can’t do anything but swear at you.  If you do let them in they’ll likely run for SYSKEY and now you have to pay a ransom to get your files back.  Couple hundred to a few thousand dollars with no guarantee you get your files back.

The annoying WebPage with plenty of threats and you can’t close it:

  • Clue #1: You can’t close the page
  • Clue #2: It’s usually playing some loud recorded voice telling you how you are in serious trouble (virus, taxes, police etc..)
  • Clue #3: You have a convenient phone number to call to get this all fixed ASAP

If you call you are now in the ‘Tech Support Phone Scam’ at Clue #3 and they will quickly need you to allow them remote access (Clue #6).  To get rid of the page you can reboot or in your Taskbar (that bar on the bottom usually) RIGHT click on your browser and select ‘Close All’.

Variations of these scams include:

  • A relative needs money for bail in some foreign country, usually they got this information from your relative’s Facebook page.
  • CRA/IRS is coming to take your house (foreclose), sometimes they want you to send Bitcoins (digital currency) to some address.
  • Some crazy distant relative left you a pile of money but you need to pay for the ‘processing’ so they can mail you some massive cheque from Namibia or something.

If you want to help stop these people, tell others and especially our less digitally knowledgeable relatives (usually older and retired).  If you really want to help perhaps take a few lessons from 419 Eater (a site that helps fight back).

Your New Server

It’s probably that time again.  You knew it was coming but that old 2008R2 has been running well or at least it was until recently.

So what to do now that 2008R2 is done and if you knew me you had an SBS2011 (with Exchange & SharePoint as well as 2008R2 server).  The good news is the hardware is probably cheaper for more CPU/RAM/Storage/Speed, the bad news is Microsoft isn’t going to let you off easy on the software costs (hard to beat $900 for SBS).

Migrations are not easy and being your system is probably 5+ years of clutter with leftover accounts, email, and more; a fresh start would probably help.  So here is what you’ll need and what it’ll take to get there:

  • New server box (i7 Hex Core, 64GB RAM, 2x SSD and 2x HDD, 2x Backup USB drives & extra NetCard)  All totaled it’ll probably be about $2500-3000.
  • MS Server 2016, we’ll use the VM licenses to get more mileage from this $1000 base software.  You will have CAL costs per user ($100/user)
  • Exchange 2016 is another $1500 plus $150/user.  You only need this if you want local Exchange which you probably do.. if you cloud mail count on $10/month/user for anything better than crap.  Even at 5 users the ROI is 4 years.
  • 1x SSL domain wildcard @ $150/year
  • The last part is the sheer work involved.  This will usually take me 30-50 hours on just a single machine with VMs running Exchange and all the data transfer and setup (as well as migrating your workstations).  The good part is larger and more complicated doesn’t increase labour much, even triple server boxes and a dozen VMs with 35 workstations will still be less than 100 hours.

All in for your single box Server & Exchange for 5 users for under $10000, Each additional user is $250 (2x CALs).  The amount of data can affect the time required, plan a weekend at the office while it’s migrated.  Come Monday everyone has a new profile with their old data still there, email migrated, toys installed and very little to complain about.  This would be a great time to retire the old tired workstations as well or possibly just wipe and reinstall.

I know, you see $10,000 and nearly have an involuntary bowel movement.  Think about it though, the cheapest POS new car is double that, heck your copier is likely that much.  Your business could survive without a vehicle (you can rent one) but turn off the network and see how it all turns out.

Ball’s in your court, upgrade before the old beast dies and it’s smooth sailing.  Wait too long and it fails and it’ll cost a bunch more and be a much more painful upgrade with significant down time (no one keeps servers in stock, these are custom computers).  I can work miracles, sometimes even resurrecting the dead server.. but not every time, so keep the 5 year replacement idea firmly in your thoughts (moving parts wear out).

Send me a message if you want more details.

SBS 2011 goes bye-bye

Alas Microsoft is in the process of ending the 2008R2 server and Exchange 2010 from regular support and updates (limited support until 2020 but only critical security patches).  This means all those companies that have one of these awesome beasties will need an upgrade in 2017 or 2018 (or risk some serious problems).

So what’s the plan?  The plan is heading to 2016 and opening your wallet.  There is no more cheap ride on SBS (it’s dead) so you need 2 servers and to purchase a full Exchange.  At this point the best in-house option is a powerful CPU & loads of memory and run the Exchange on a VM.  It’ll cost about $4000 in software/licensing alone for 10 users including the base Server software.

If that makes you cringe you can host the Exchange with a partner of mine (HostedBizz) and get a Canada-only cloud at $10/month/user and I will still keep it running normally.  Unlimited mailbox size and good old Exchange so your phone will be happy and no SSL for you to mess with (saves $100/year).

If you need a quote on the hardware for this I’ll get you something current but you’re looking at an i7 hex-core with 32GB RAM, 2x SSD and 2x 2TB HDD.  Some cheap extra bits will help (like a network card for the VMs and some new 4TB USB backup drives).  The server is ‘cheap’, it’s the software that’ll hurt this time.  I have UNIX alternatives (like Zentyal) but the maintenance will eat your savings.

For the accountants out there the cloud services offer a better tax advantage @ $10/month/user; the on-premises solution of Exchange 2016 will be $1500 & $150/user and about a 5 year lifespan, making the ROI an easy calculation (remember software has a smaller/longer write off spread over time but is cheaper in real $).

Call/Email me if you have questions

‘BadTunnel’ a gateway to hell

Microsoft has a bounty program, which pays if you find a bug and explain why it’s a bug (or exploit).  They pay up to $50,000 USD for the information.  Yang Yu, founder of Tencent’s Xuanwu Lab, has made previous successful bounty claims as well but this one is a whopper.  It affects every version of Windows back to Windows 95 (no patches coming for those old OS either).

The flaw, which he’s called BadTunnel, exposes local area networks to cross-network NetBIOS Name Service spoofing. An attacker can remotely attack a firewall- or NAT-protected LAN and steal network traffic or spoof a network print or file server.

“In combination with other system mechanisms, it can hijack the network traffic, and even run any program,” Yang said.  The flaw was addressed recently by Microsoft in security bulletin MS16-077 and in CVE-2016-3213.

“To successfully implement a BadTunnel attack, [you] just need the victim to open a URL (with Internet Explorer or Edge), or open a file (an Office document), or plug in a USB memory stick,” Yang said. “[You] even may not need the victim to do anything when the victim is a web server.”

The key is the apparent predictability of a NetBIOS Name Service transaction ID, which an attacker can abuse by getting the victim to visit a URL hosting an exploit or open an exploited document. The victim’s machine will trust the attacker and they will be able to hijack traffic or force the victim to visit malicious sites.

Windows admins are advised to patch at once, or block UDP port 137.
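One way to apply the "block UDP port 137" advice on a single Windows machine, as an added example that is not part of the original post: it reports which adapters have NetBIOS over TCP/IP available, then creates Windows Firewall block rules for UDP 137 in both directions. The rule name and the `$remoteScope` value are assumptions made for this example.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt on Windows 8 / Server 2012 or newer, where the NetSecurity cmdlets exist.
$ruleName    = 'Block NetBIOS Name Service UDP 137'  # display name made up for this example
$remoteScope = 'Any'  # assumption: 'Any' also stops NetBIOS name lookups on the LAN

# 1. Show which adapters still have NetBIOS over TCP/IP available.
#    TcpipNetbiosOptions: 0 = use the DHCP setting, 1 = enabled, 2 = disabled.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, @{ Name = 'NetBIOS'; Expression = {
        switch ($_.TcpipNetbiosOptions) {
            0 { 'DHCP default' }
            1 { 'Enabled' }
            2 { 'Disabled' }
            default { 'Unknown' }
        }
    } } | Format-Table -AutoSize

# 2. Create one block rule per direction, unless it is already there.
#    Outbound traffic is matched on the remote port, inbound on the local port.
$rules = @(
    @{ Direction = 'Outbound'; RemotePort = 137 }
    @{ Direction = 'Inbound';  LocalPort  = 137 }
)
foreach ($rule in $rules) {
    $name = "$ruleName ($($rule.Direction))"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Output "Already present: $name"
        continue
    }
    New-NetFirewallRule @rule -DisplayName $name -Protocol UDP -Action Block `
        -Profile Any -RemoteAddress $remoteScope | Out-Null
    Write-Output "Created: $name"
}

# 3. Confirm the rules are enabled and set to Block.
Get-NetFirewallRule -DisplayName "$ruleName*" |
    Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize
```

If devices on the LAN still rely on NetBIOS names, put the block on the router or perimeter firewall instead, or narrow `$remoteScope` to the address ranges outside your network.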

Ransomware – the ‘new’ virus type

Locky encrypts your data using AES encryption and then demands .5 bitcoins to decrypt your files.  Though the ransomware sounds like one named by my kids, there is nothing childish about it.  It targets a large number of file extensions and even more importantly, encrypts data on unmapped network shares.  If you don’t have a backup your data is gone, unless you pay and hope the payment isn’t yet another scam.

Those of you with a server are pretty safe.  Backups, Shadow Copies and the like but stand-alone computers are at risk.  The virus (usually run as a script or macro from an email attachment) will disable your shadow copy (removing backups) and sometimes hunt the backups down, wiping them out.

So far I’ve seen 5 infections of this virus and only 1 had data loss (that client at least remembers me specifically telling them.. “Seriously, you really need a backup of some type, you know, just in case”).  Each infection differed in the targeted files.  Sometimes it was MS Office files, image files or PDFs but there is no limit to what it COULD encrypt.. it just happened to have a priority before we stopped it.

Why didn’t the anti-virus get it?  Because the user ran it, not as a virus but a function with their security and authorization.  It’s much trickier to limit what the user can do to a file (like saving & deleting) than to limit access to the same file.  It sounds like a fine point but the micro-management required means you need a server, and if you had one this virus is only an inconvenient event, not a source of data loss.

The real victims are home users and ‘server less’ environments.  The most recent off-line backup could be the only fall back.

So if you see a .locky file on your machine, reboot.. NOW!  Pull the power cord if you need to; it’s only in memory (usually) and that stops the encryption process.  If you are on a network you can look at the file properties of the newly created ‘How to fix’ file in the same directory (could be a few names but you’ll know it when you see it) and under the Details of the file properties it’ll tell you the user/system infected (the one that created the new file).  Reboot that machine ASAP.
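The same owner check done across a whole share at once, as an added example that is not part of the original post: it finds every folder holding .locky files, picks out the non-encrypted files created in those folders around the time encryption started (the likely ‘How to fix’ notes) and lists who owns them. The share path and the 30-minute window are assumptions for this example; no note file name is hard-coded because the names vary.

```powershell
# Added example (not from the original post). Run on the file server from an
# elevated PowerShell prompt. Both values below are assumptions; adjust them.
$share         = 'D:\Shares'   # placeholder path to the shared data
$windowMinutes = 30            # how close to the first .locky file a note must be

# Every encrypted file under the share, matched on the .locky extension only.
$locked = @(Get-ChildItem -LiteralPath $share -Recurse -File -Filter '*.locky' `
                -ErrorAction SilentlyContinue)

if ($locked.Count -eq 0) {
    Write-Output "No .locky files found under $share"
} else {
    $report = foreach ($folder in ($locked | Group-Object DirectoryName)) {
        # Time the first encrypted file in this folder was written.
        $first = ($folder.Group | Sort-Object LastWriteTime |
                  Select-Object -First 1).LastWriteTime

        # Non-encrypted files created in the same folder near that time are
        # the candidates for the ransom note dropped by the infected account.
        Get-ChildItem -LiteralPath $folder.Name -File -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Extension -ne '.locky' -and
                [math]::Abs(($_.CreationTime - $first).TotalMinutes) -le $windowMinutes
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder  = $folder.Name
                    File    = $_.Name
                    Created = $_.CreationTime
                    # Owner is the account that created the file. Files made by
                    # an administrator may show BUILTIN\Administrators instead.
                    Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
                }
            }
    }

    # Timeline of candidate notes, then a count per owner: the account at the
    # top of the second list is the first machine/user to reboot and isolate.
    $report | Sort-Object Created | Format-Table -AutoSize
    $report | Group-Object Owner | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
}
```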

Google can offer you some help recovering, so can Malwarebytes.org (in finding any viral leftovers).  Your server and backups are your best hope, failing those a few bitcoins and some trust in the makers of the virus are all you might have left.

Backup often, trust no email attachments.

SBS is dead, but not forgotten.

Microsoft officially ended the Small Business Server (aka SBS) to the chagrin of many smaller companies wanting in-house control of their data at a reasonable cost.  With this move the cost of having an in-house solution for email & data went up by $3000 or more.  I’ll explain the changes and how you can make a new SBS that will at least do the same job as before.

SBS was unique in that it allowed the Domain Control & Exchange to co-exist on the same server, normally this didn’t work.. Exchange doesn’t like being on a DC.  The new method means every company needs 2 servers in their office or to move email to the Cloud, and as we know in Canada that’s not going to work (unless you have no email from the government or government contracts which REQUIRE your mail & server be in the country).

The new solution is a computer powerful enough to run 2 servers, one normally and the 2nd virtually.  Windows Server Essentials 2012 will be the base machine and another copy of Server 2012 Standard runs as a VM (but not a DC) and there resides the Exchange server.  Many other changes are also needed and the setup is much longer and of course the server more complicated.  Instead of the $900 + licenses (past 5) on SBS you now have $500 for Essentials (up to 25 users), $1000 for Standard but also $900 Exchange & $110/user.

Of course setting up 2 servers takes longer (even if one is virtual), the hardware is more expensive and you need a few extra parts (like a VM drive for Exchange).  All in all an in-house system went from about $6000 (hardware, software & labour) to about $10,000.  You can no longer buy SBS 2011 but for those with a copy you could keep it running on new hardware for at least a few more years (after all SBS 2003 just ended its life).

HeartBleed & Microsoft

The Heartbleed vulnerability in OpenSSL has received a significant amount of attention; worry naught, it won’t get you unless you have Apache on your Windows server. Microsoft services were not impacted by the OpenSSL vulnerability and the Windows implementation of SSL/TLS was also not impacted.

Rest assured that default configurations of Windows do not include OpenSSL, and are not impacted by this vulnerability.   Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.