Open XML documents driving me insane on the Mac

A few weeks back, I wrote about how smart Office 2003 had been in detecting my need for an Office 2007 document converter and opening it for me. If only I could say the same for Office 2004 on the Mac. I’m all too familiar with Microsoft product groups working independently but the MacBU has excelled (excuse the pun) in its inability to ship a working document converter for the Open XML document formats more than seven months after the release of Office 2007 on Windows.

To make matters worse, Office 2008 for Mac (which uses the new file formats) is a closed beta so I can’t use that to convert/open the files.

Ironically, there are various reports of using an alternative office suite like OpenOffice or NeoOffice to open the files! Hmm… not such a smart business move for Microsoft then…

My Digital Life has information on the various options for working with Open XML in Office 2004 for Mac. Mac Mojo (the Mac Office team blog) has information about a beta converter for Word documents (only).

The Microsoft-Novell alliance – good, bad or ugly?

A few weeks back, I attended a Novell webcast about last year’s Novell-Microsoft collaboration agreement. Although that particular event was for partners, I’ve since found that the same presentation is available to a wider audience so I’m not breaching any NDAs by writing a bit more here about what this is all about.

We live in a heterogeneous world; most of the world’s data centres run a combination of mainframe operating systems, Unix, Windows and Linux. As commodity server hardware takes hold, many organisations previously running Unix-derived operating systems are starting to look at Linux (what Novell doesn’t say is that many won’t consider running Linux because of concerns about the supportability of open source software). Clearly a move from Unix to Linux is easier than a move to Windows, so (according to Novell), Microsoft has taken the pragmatic approach and partnered with Novell, who claim that SUSE Enterprise Linux is more prevalent in data centres than Red Hat – the number one Linux distribution (I’m sure that Microsoft would argue that Windows Server 2003 and 2008 include better integration with and application support for Unix-like operating systems).

The Novell-Microsoft collaboration agreement focuses on three technology areas:

  • Virtualisation – virtualisation is a hot topic and the various competing technologies each take a different approach. Novell and Microsoft consider their solutions (with interoperability options for Xen and Windows Server Virtualisation) to give the best in performance, support, interoperability, cost and management (I’d say that’s not yet true, but may soon become closer to the truth with Windows Server Virtualization). Novell are quick to point out that Red Hat now include Xen (since Red Hat Enterprise Linux 5) but only support their own operating system in a virtual environment whereas Novell will support Red Hat, SUSE and Windows (NT/2000/2003) guests.
  • Heterogeneous systems management – today’s server management products are a minefield of standard-based and proprietary software. Under the Novell-Microsoft collaboration deal, the two companies will co-sponsor and contribute to a number of open source WS-Management products. They will also improve federation between Microsoft Active Directory and Novell eDirectory with WS-Federation and WS-Security.
  • Document format capability – Novell describes Microsoft as having a “healthy market share” (I’d call that an understatement – others might consider Microsoft’s dominance of the Office productivity application market to be unhealthy). Novell considers the open document format (ODF) to be growing in support (if not from Microsoft) and projects that it will soon become the standard for governments. Under the agreement, Microsoft and Novell will co-operate to make it easier for customers to use either or both of the Open XML and ODF formats.

Under the terms of the arrangement, Microsoft has purchased vouchers that may be exchanged for copies of SUSE Enterprise Linux and will issue them to customers who are looking at Linux in a cross-licensing arrangement that indemnifies SUSE Enterprise Linux users from patent infringement claims – as discussed in episode 93 of the Security Now podcast (transcript) – in return, Novell hopes to become the Enterprise Linux of choice and has issued a similar covenant to indemnify Microsoft customers against claims on their patents.

Remember that this information has come from Novell – not Microsoft – and there is a lot of fear, uncertainty and doubt (FUD) circulating at present about Microsoft’s true motives for a Microsoft-Linux alliance (including rumours of open source software’s wide infringement on Microsoft’s software patents).

As an infrastructure architect working for a systems integrator, my personal view is that anything that leads to interoperability improvements is a bonus. I’m not sure that’s what we have here – the Microsoft-Novell relationship seems (to me) to be more about marketing than anything substantive (although they have announced a joint technical roadmap) but we’ll see how this works out – it has certainly got the Linux movement up in arms as Microsoft has announced further partnerships with some less significant distributions (including Xandros and Linspire) and consumer electronics giants who use Linux in their products (notably Samsung and LG).

It will be interesting to see how Ubuntu reacts over time (Ubuntu founder Mark Shuttleworth’s latest reaction is neither hostile nor approving, although he did earlier incite OpenSUSE developers to defect to Ubuntu) and he can now be quoted as saying:

“We have declined to discuss any agreement with Microsoft under the threat of unspecified patent infringements.”

[Mark Shuttleworth, founder of the Ubuntu project]

I’m certainly not expecting a Microsoft deal from the number one Linux distribution:

“We believe…

It was inevitable. The best technology has been acknowledged.

The relentless march of open source is shaking up the industry by freeing customers from proprietary lock-in and lack of choice.

[…]

We will not compromise.”

[Red Hat statement on the Microsoft Novell announcement]

There’s more from Red Hat’s Mark Webbink and ars technica has a good review of why he is ever-so-slightly misguided in his assertion that:

“These guys made noise. Larry Ellison had the effect he wanted to have, and our stock price went down. But let’s see where we all are a year from now. We will still be standing. We still believe that we will be the dominant player in the Linux market because, by that time, there won’t be any other Linux players. We will have succeeded once again.”

[Enterprise Linux News – Red Hat: We will be here in one year, Novell will not.]

Whilst I’ve not spoken to anybody at Microsoft on this particular topic, it does strike me that Microsoft employees are, by and large, either extremely defensive, or a touch arrogant, when open source software is mentioned (to be fair, so are representatives of many companies if you ask them to talk about the competition). Maybe Microsoft can help make a better Linux (as the Linspire agreement suggests) but will they? Well, for one example, they rejected my feature request for Linux client support in Windows Home Server; and one Microsoft employee had a good point when we were discussing my desire to see (ideally not DRM at all, but more realistically) a single cross-platform standards-based DRM solution – “would [Linux users] accept a solution from Microsoft?” (to which I would append “, Apple or any other closed source vendor?”) – probably not.

Further information

Microsoft Interoperability.
Novell/Microsoft more interop.
Novell and Microsoft collaborate – customers win.

Is a picture worth a thousand words?

ars technica has a visual timeline of the Novell-Microsoft controversy, including this gem of an illustration for Novell’s apparent business strategy.

Novell’s new business strategy (from ars technica)

Quick tip for Mac users to recover a forgotten password

If you’re anything like me, then you have hundreds of security credentials to use at many websites. Best practice dictates that you should use a different password at each one but sometimes that’s just not practical – and, unless you write it down, sometimes you just forget what the password is.

I’m not sure how Windows and Linux applications store passwords, etc. (I suspect they use a variety of methods) but Mac applications tend to use the Mac OS X keychain feature – the equivalent of writing down all your passwords and storing them in one (secured) database.

If credentials are stored in the keychain, you don’t normally need to use them again as the application (e.g. a web browser) reads the keychain as required but users can come unstuck if they need those credentials to log in from a different computer. Luckily, it is possible to find out what the password is for a particular application or website (as stored in the keychain). Simply open the Keychain Access utility, open the appropriate item, select the show password checkbox, supply the keychain password when prompted and click the allow once button – at this point the password should become visible in clear text.

Password visible in the Mac OS X Keychain access utility

Low cost SSL certificates from Go Daddy

I have a number of web services running at home, some of which are SSL secured; however, they are only used by me (and a few select friends and colleagues) so, in theory, I could generate certificates by creating my own public key infrastructure (PKI) and add my certificate authority (CA) to the Trusted Root Certificate Authorities store. The trouble is that I’m lazy, and a CA is just another infrastructure service to run (it really is a bit geeky to have as many computers as I do), so I use a public certificate instead.

Because I don’t require the highest levels of validation, I don’t need an expensive certificate from a class 1 CA like Verisign, so last year I used a free certificate from Ascertia. No matter how hard I tried, I couldn’t complete the certification path or get clients to trust the Ascertia root certificate, but last night Scotty McLeod mentioned low-cost certificates from Go Daddy and, crucially, Go Daddy is one of the trusted CAs in most web browsers (certainly recent versions of Internet Explorer, Firefox and Safari).

Of course, there are other (more expensive) options available from Go Daddy and other CAs for longer certificate life, multiple top level domains, domain wildcards or higher levels of validation (hence trust) etc. but for $19.99, I bought a 12 month SSL certificate that will work with both servername.markwilson.co.uk and www.servername.markwilson.co.uk.
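The certificate described above covers exactly two names, whereas a wildcard costs more and behaves differently. The following is an added example, not code from the post or from Go Daddy: it implements the name check a TLS client performs against a certificate, using the dictionary layout that Python’s ssl.getpeercert() returns, and contrasts a two-name certificate with a wildcard one. Both certificate dictionaries are constructed for illustration (the hostnames are the ones the post mentions, but the certificate data is not the author’s real certificate).

```python
# Added example: hostname matching against certificate names, following the
# rules in RFC 6125 (subjectAltName wins over the CN; a wildcard only replaces
# the whole leftmost label). Certificate dicts are constructed, not real.

# Constructed peer certificate in the layout ssl.SSLSocket.getpeercert() uses:
# a two-name certificate like the one the post describes.
CERT = {
    "subject": ((("commonName", "servername.markwilson.co.uk"),),),
    "subjectAltName": (
        ("DNS", "servername.markwilson.co.uk"),
        ("DNS", "www.servername.markwilson.co.uk"),
    ),
}

# Constructed wildcard certificate for comparison (the pricier option).
WILDCARD_CERT = {
    "subject": ((("commonName", "*.markwilson.co.uk"),),),
    "subjectAltName": (("DNS", "*.markwilson.co.uk"),),
}


def _dns_match(pattern, hostname):
    """Match one DNS-ID from the certificate against the requested hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard must be the entire leftmost label, must not sit directly
    # under a public suffix (so require at least two labels after it), and
    # matches exactly one label: *.example.com never matches a.b.example.com.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names the certificate is valid for: DNS SANs if present, else the CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def hostname_covered(cert, hostname):
    """True when the certificate is valid for the given hostname."""
    return any(_dns_match(name, hostname) for name in cert_names(cert))


if __name__ == "__main__":
    for host in ("servername.markwilson.co.uk", "www.servername.markwilson.co.uk",
                 "mail.markwilson.co.uk", "markwilson.co.uk"):
        print(f"{host:36} two-name: {hostname_covered(CERT, host)!s:5} "
              f"wildcard: {hostname_covered(WILDCARD_CERT, host)}")
```

The point worth noticing is that neither certificate covers everything: the two-name certificate is useless for any third host, and the wildcard does not cover the bare domain or anything two labels deep, so the “www.servername” form needs its own entry either way.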

SSL certificate from Go Daddy



Implementing SenderID Framework records for my e-mail server

I recently read Craig Spiezle and Alexander Nikolayev’s TechNet Magazine article about the SenderID Framework (SIDF) – one of the available schemes to validate mail servers in the fight to reduce unsolicited commercial e-mail (UCE), more commonly known as spam.

SIDF is similar to the Sender Policy Framework (SPF) in that it uses specially-formatted TXT records in DNS (called SPF records) to detail the mail exchange (MX) servers that SMTP e-mail may originate from for a given domain, and any other domain names that may be used.

I’d decided some time ago to implement an SPF record for my domains but my hosting service provider at the time did not support the use of TXT records. Since I moved to ascomi a few months back that’s not been an issue and last night I finally requested that the changes were made.

There are a variety of tools online to help create SPF records, but the first problem I had was the need to decide whether to use OpenSPF, SenderID, or an alternative (such as DomainKeys). In the end, I decided to go with SenderID – largely because the Microsoft SenderID website helped me create an SPF record which supported both the SenderID Mail From method (identical to the SPF method) and the SenderID Purportedly Responsible Address (PRA) header method. Finally, to validate that my record was correct, I sent an e-mail to check-auth@verifier.port25.com and used the Email Service Provider Coalition verification tools – Microsoft also publishes a short implementation guide for SIDF which is worth a read.

The differences between SPF formats are discussed on the OpenSPF site too (and OpenSPF also has tools to help create the necessary records) but the OpenSPF guys seem to be more interested in saying why SenderID violates the standards and shouldn’t really be called SPF (I call that the “not invented here” syndrome) than in actually helping people work out how to stop spam.

It’s also worth pointing out that my SPF record will not directly affect the volume of spam that I receive; it will, however, help others who perform SPF lookups to determine if mail that appears to come from one of my domains really originated from a server which I authorised. Even then, they may elect to retain the message, or they may drop it – that’s no different to today but as more and more SPF records are published, the volume of spam on the Internet should drop considerably as all messages are effectively authenticated as having passed through an authorised MX for the stated domain name.
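To show what a receiving server actually does with the published record, here is an added example that is not from this post or from the Microsoft/OpenSPF tools: a small evaluator for the common mechanisms (ip4, ip6, a, mx, include and all, with the +, -, ~ and ? qualifiers) in the check_host style of RFC 4408, with a scope argument that prefers a SenderID spf2.0 record naming that scope (mfrom or pra) and falls back to v=spf1. It runs against a constructed in-memory zone rather than live DNS, so the domains (reserved .test names) and addresses (RFC 5737 documentation ranges) are hypothetical; ptr, exists, macros and CIDR suffixes on a/mx are deliberately left out.

```python
# Added example: minimal SPF / SenderID record evaluation against constructed
# zone data. Everything in ZONE is hypothetical; no DNS queries are made.
import ipaddress

ZONE = {
    "example.test": {
        "TXT": [
            "v=spf1 mx ip4:203.0.113.0/24 include:mailer.test -all",
            "spf2.0/pra mx -all",            # SenderID record for the PRA scope only
        ],
        "MX": ["mail.example.test"],
        "A": ["198.51.100.10"],
    },
    "mail.example.test": {"A": ["198.51.100.25"]},
    "mailer.test": {"TXT": ["v=spf1 ip4:192.0.2.0/28 ~all"]},
    "nospf.test": {"A": ["198.51.100.99"]},   # publishes no record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns the records of one type for a name."""
    return ZONE.get(name.lower(), {}).get(rtype, [])


def find_record(domain, scope):
    """Choose the policy record for a scope: an spf2.0/... record that lists the
    scope wins, otherwise exactly one v=spf1 record (SenderID's mfrom fallback).
    None means no usable record (zero, or several, v=spf1 records)."""
    txts = lookup(domain, "TXT")
    for txt in txts:
        head = txt.split()[0].lower()
        if head.startswith("spf2.0/") and scope in head[len("spf2.0/"):].split(","):
            return txt
    v1 = [t for t in txts if t.split()[0].lower() == "v=spf1"]
    return v1[0] if len(v1) == 1 else None


def check_host(ip, domain, scope="mfrom", depth=0):
    """Result for a connecting client `ip` that claims to send for `domain`:
    pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                       # RFC 4408 limits recursive lookups
        return "permerror"
    record = find_record(domain, scope)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # skip the version/scope token
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # membership test is False across address families
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(addr) in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            # include only matches when the referenced policy returns pass
            matched = check_host(ip, arg, scope, depth + 1) == "pass"
        else:                            # ptr, exists, macros: not implemented
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                     # ran off the end without an "all" term


if __name__ == "__main__":
    for client in ("198.51.100.25", "203.0.113.77", "192.0.2.5", "198.51.100.10"):
        print(client, "mfrom:", check_host(client, "example.test"),
              "pra:", check_host(client, "example.test", scope="pra"))
    print("no record:", check_host("198.51.100.99", "nospf.test"))
```

Note the softfail from mailer.test does not propagate through include: only a pass counts, so 198.51.100.10 (the domain’s own A record, which the record never lists) ends at -all and fails, which is exactly the kind of mistake the port25 verifier mentioned above catches before real mail is affected.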

Using snapshots as insurance for product demonstrations

I spent this evening at Microsoft UK, attending the inaugural Windows Server UK user group meeting. There weren’t many of us there but there was a lot of information passed around as Scotty McLeod from Perot Systems and Austin Osuide from EDS gave presentations on Windows Server 2008, Read Only Domain Controllers and Terminal Services Gateway Servers.

Based on his ability to retain technical information, it strikes me that Scotty has a brain the size of a planet and Austin quite simply oozes enthusiasm (he knows his stuff too!). I intend to blog some more about the topics that were covered; however I did want to mention Austin’s technique for ensuring that his demo could complete, regardless of anything going wrong (although there wasn’t much he could do about the Microsoft Campus security closedown at 10pm). When preparing his demo, with a number of virtual machines running on VMware Workstation, Austin had also taken snapshots at key points so that he could revert to a basic system and walk through the process, or jump to any point in the demo with a partially or fully completed configuration.

Some people pray to the demo gods but it seems to me that this technical approach may be more reliable!

A look forward to Windows Server 2008

This evening, I’m planning to be at the inaugural Windows Server UK user group meeting, prompting me to write up my notes from the Windows Server 2008 Technical Overview event held at Microsoft UK last month and presented by Andy Malone from Quality Training. I’ve already given my (negative, but hopefully constructive) feedback to Microsoft on this event (so I won’t dwell here on why I thought it was so bad – although the presenter seems to think that it went rather well…) but I did at least manage to glean some information about the latest Windows Server release. What follows picks out some of the highlights.

Formerly codenamed Longhorn Server, Windows Server 2008 shares a common code base with Windows Vista and, not surprisingly, Microsoft is touting it as the most secure and highest quality version of Windows ever produced.

The first change is setup, which now has three distinct phases:

  • Setup (product installation).
  • Server welcome (initial configuration) – except in upgrades.
  • Role configuration and management.

Whilst looking at deployment, it’s worth mentioning that remote installation services (RIS) has been replaced by Windows Deployment Services (actually, this is also available with Windows Server 2003 SP2) which, unlike ADS, supports client and server operating systems as well as multicast deployment.

Windows Server 2008 also pulls much of the administration into one console – Server Manager (which made me smile, casting my mind back to the old Windows NT Server Manager console). There are some new component concepts to get around – components are now known as roles and features but more significant is Windows Server Core, an installation option consisting of a subset of executable files and libraries, providing a small footprint for a much reduced attack surface. Offering a number of server roles, Server Core provides core functionality in either a standalone (e.g. headless) scenario or as part of a larger Windows Server infrastructure. There are no GUI tools for Server Core – management is via command line tools (local and remote), terminal services (remote) or Microsoft Management Console (MMC) snap-ins (remote). Server core is an installation-time choice (there is no option to convert to a standard installation later) and Server Core will not support application installations (such as SQL Server, Exchange Server, etc.) but I can see it being very useful for running core infrastructure (AD, DNS, DHCP, etc.) servers in a secure fashion.

Other security features (some of which are already present in Windows Vista) include support for the trusted platform module, BitLocker drive encryption, a redesigned TCP/IP stack with native support for IPv6 (alongside IPv4), the updated Windows firewall, new Group Policy settings and Windows Service hardening whereby services run in their own address space and a number of layers are used to separate the kernel, service, administration, user and low-rights program layers. Windows Server 2008 will also (finally) see Microsoft introduce network access protection (NAP).

Some network features are being removed from Windows Server: the file replication service (FRS) is replaced by remote differential compression (RDC); bandwidth allocation protocol (BAP) is out, as is X.25 support, serial line interface protocol (SLIP) support, and services for Macintosh (SFM); there are also a number of changes to routing and remote access with the removal of open shortest path first (OSPF), the basic firewall and static IP filter APIs.

Terminal Services gains new functionality too – including a version 6 of the remote desktop protocol (RDP) and:

  • Terminal Service Gateway – providing RDP over HTTPS support for remote access to corporate applications.
  • Terminal Service Remote Programs – centralised management of line of business applications on a roaming basis, integrated with Terminal Service Web Access.
  • Single sign-on for managed clients.

At least in the beta product, Active Directory sees a number of name changes – some of which make sense and others which seem to be intended just to cause confusion:

Old name                                    New name
Active Directory                            Active Directory Domain Services
Active Directory Application Mode (ADAM)    Active Directory Lightweight Directory
Windows Rights Management                   Active Directory Rights Management
Windows Certificate Services                Active Directory Certificate Services
Identity Integration Feature Pack           Active Directory Metadirectory

(I fully expect at least some of these to change again before product release!)

There are some Active Directory goodies too:

  • Backup domain controllers (BDCs) are back! Except that now they are called read-only domain controllers (with unidirectional replication, offering credential caching whilst increasing the physical security of remote domain controllers, e.g. in branch offices).
  • dcpromo.exe now supports Server Core (i.e. it will run in command line mode), uses the logged on credentials for promotion and allows the seed method to be chosen (e.g. populate from a specific server offering Active Directory domain services), enables site selection (with automatic detection), provides automatic DNS configuration (for resolvers and delegation), and allows role selection for DNS (on by default), global catalog (on by default) and read-only domain controllers.
  • Active Directory can be restarted without rebooting (e.g. to run ntdsutil.exe with the server online, just stopping and restarting Active Directory services).
  • An attribute editor is available in the Active Directory Users and Computers snap-in with advanced features enabled, avoiding the need to use the ADSIedit support tool.

Of course, Internet Information Services (IIS) gets an overhaul and the new IIS version 7 features a much-improved (MMC v3) administrative interface (as well as application and architectural enhancements). Windows Server 2008 also gains improved Unix interoperability features with authentication integration, Unix scripting and application migration tools, support for both 32 and 64-bit applications and extensions to the AD schema to support UNIX-related attributes (using LDAP as a NIS service – see RFC 2307). Clustering is also improved with a new MMC v3 management interface, enhanced infrastructure (e.g. support for geographically dispersed clusters and for GUID partition table disks in cluster storage) and improved security.

Before I wrap up, I’ll mention that there is a lot of misinformation circulating around Windows Server Virtualization (WSV). WSV is not part of Windows Server 2008 but it has been announced that it will ship as a separate product within 180 days of Windows Server 2008. Some features were recently cut from the initial release (Microsoft prefers to use the term postponed) and may make it into a future service pack or other update.

As one might guess from the name Windows Server 2008, the product looks set to be released late in 2007. Looking further out at the Windows Server roadmap, we can expect a 64-bit only “release 2” in late 2009 and the next major release in 2011. It looks to me as if there’s a lot of good features in Windows Server 2008 – watch this space to learn more just as fast as I do!