1Fit Fitness (Madison)

Over the summer, I was looking for a gym. Since I hadn’t been a member of a gym in probably 20 years, I wasn’t really sure what criteria I should use to pick one, but I liked Brian’s review strategy of testing gyms before signing up, so I started with the gym that was closest to my house: 1Fit Fitness on County Line Road in Madison. I met with Chuck, the owner, and got a quick tour. First, a word about Chuck, who is a retired Army officer and super nice guy. He and his staff keep the gym clean and neat, which was apparent when I walked in the door. The gym is divided into two large areas: on the left, there are dumbbells (12.5-100 lbs), a Smith machine, a squat rack, and a couple of benches. On the right, there’s an incline bench, a big combo cable machine, a rack for doing pull-ups and dips, a variety of selectorized machines, and half-a-dozen assorted pieces of cardio gear. Each side has at least one TV, and the left side has a counter area with a small fridge with drinks for sale. The decor is extremely basic, although there are plenty of mirrors, which always bugs me a little bit. However, there are none of the typical meathead trappings: no diamond plate or posters of gigantic ripped dudes.

I signed up for their family plan, which is about $40/month for me plus two kids. For that price, I get unlimited, 24/7 use of the gym. It is rarely busy; I’ve never seen more than 4 other people there, and most of the time when I go I’m by myself. If you want a social gym, this probably isn’t the best choice. The place is staffed in the afternoons, Monday through Saturday— while “afternoon” sounds vague, I chose it because the actual hours seem to start anywhere between noon and 4pm and end at 6pm. I’ve seen the owner in a few times outside that time, but that’s unpredictable. However, since your key fob gets you 24/7 access, unless you need company, staffing hours are pretty much irrelevant.

There are a variety of classes offered, and several personal trainers who work out of the gym, but I don’t have anything to say about them because I haven’t used them.

Cons? Sure, a few. The gym doesn’t have some equipment that I wish it did: there’s no leg press machine, no trap bars, and only one curl bar (which is broken). This isn’t a huge deal, but it does point out the drawback of using a small locally-owned gym; at least in this case, Chuck can’t afford to invest the same kind of money as the big-box gyms. However, the ease of access makes up for that in my opinion; I love having a nearby gym that I can go to whenever I want, and I prefer supporting the locals. It might be easier to sign up for a chain such as Anytime Fitness so that I have better gym access when I travel, but for now I’ve had good luck finding gyms in each city where I travel.

In the meantime, I’m toying with the idea of adding a second membership at Workout Anytime or Planet Fitness just up the road; $10/month or so would get me some equipment I don’t currently have access to, plus better gym access when I travel. However, when I start triathlon training in the spring, I’ll want access to a pool, which means I’ll probably be stuck with switching to a bigger gym (or the local Y), so I’ll probably wait.

Bottom line: 1Fit is a solid gym and I’m happy with the value I get for the cost. I recommend it.

140608 update: 1Fit closed in March 2014 and has been replaced by an IronTribe location.


Filed under Fitness, Reviews

On piston aircraft engines, part 1

If you’ve noticed, car manufacturers often brag on the technology or fuel efficiency of their engines. If you recognize phrases like “fuel-injected,” “variable valve timing,” “double overhead cam,” or “turbocharged,” then the automotive industry’s marketing has succeeded— even if you don’t know what those things are you probably think of them as desirable.

Now forget most of that. The basic design of most aircraft piston engines is stuck solidly in the 1930s.

Take, for example, the 1975 Cessna 182P I often fly, N1298M. Its engine is a Continental O-470-U variant. No electronic ignition. No fuel injection. It weighs 390 pounds, makes 230 horsepower, and costs about $21,000 to overhaul (more if you replace your timed-out engine with a remanufactured or factory-new one).

Yep, that’s right. The engine in that airplane costs as much as many cars do, and yet from an efficiency perspective it’s terrible— 470 cubic inches to make only 230 horsepower! (In fairness, the O-470 is capable of more; in the 182 it’s derated to 230hp). By comparison, the Nissan Altima— hardly a supercar— has a 213 cubic-inch engine (well, 3.5L, really) that makes 270hp and can be completely replaced for about five grand. Now, in fairness, the Nissan engine is a much newer design. Maybe a better comparison is the engine from a 1975 Corvette, which made 205hp from 350 cubic inches and weighed about 325lbs. I won’t hazard a guess at the original cost, but overhauling a small-block 350 would cost maybe $1500 in parts today.

Behold the mighty O-470

Newer aircraft of course have somewhat more modern engines. For example, a 2012 Cessna 182 (identical in performance to the 1975 model I normally fly) uses a Lycoming IO-540-AB1A5 engine that still makes 230hp, but features fuel injection and a somewhat more modern design than the O-470. An overhaul for this engine will run you about $24K, while a brand-new one lists for just under $77K. (In 2013, Cessna stopped selling the piston 182 and moved to a new diesel engine, a topic I’ll have more to say about in part 2.) Another example: the Cirrus SR22G5, the latest version of the best-selling piston single, runs a fuel-injected Continental IO-550N that, apart from being fuel-injected, is still just as noisy, heavy, inefficient, and expensive as its predecessors.

Besides the expense, these engines require much more management than you might think. In flight, whether your engine is fuel-injected or carbureted, you have to adjust the fuel-air mixture as you change altitude. You must also monitor the cylinder head temperatures (CHTs), and in some aircraft you have to adjust cowl flaps or other cooling devices. When was the last time you had to do that in your car? You don’t; in pretty much every car built since the late 1970s, a computer takes care of adjusting spark timing, mixture, and a number of other parameters to get the best performance or economy from the engine. All you do is press the accelerator. In a piston airplane, that’s a different story (something I’ll also talk more about in part 2).

The reasons for this sad state are many and complex, but the biggest two are easy to describe succinctly: reliability and cost.

Despite the fact that these engines use ancient technology, they are superbly reliable because their basic design is so mature. Engine and airframe manufacturers have 50+ years of data about their behavior, and when the possible consequences of an engine failure escalate from “pull over and call a tow truck” to “fall screaming out of the sky and die in a fireball,” you can see why that reliability is so desirable.

Cost is a multifaceted factor. First, it is exceptionally expensive to certify anything for aviation use. The FAA has a demanding and complex set of rules (known as “part 23”), backed by a fairly arbitrary process, for certifying things such as engines, propellers, and avionics. It’s prohibitively expensive for most new entrants to get a new engine and airframe combination certified. Manufacturers such as Cessna and Piper have little incentive to spend millions of dollars certifying new engine designs for their 50+-year-old airframe designs. Second, these engines are produced in very low volumes by modern manufacturing standards. In a really, really good year, Lycoming or Continental might sell a number of new engines measured in the low thousands (perhaps more, but it’s certainly fewer than 10K units/year). In that volume, it’s hard to see much improvement from scale, and given that these engines are largely hand-built, this is unlikely to change.

I haven’t touched on another drawback, one which really requires its own post: piston engines normally run on leaded fuel. This has several related consequences: economic (it’s more expensive because it’s a lower-volume product), environmental (duh), political (various satraps in California have tried several times to ban or legislate leaded aviation fuel out of existence), and technical. Some engines, such as the ones for the 182, can be made to run on ordinary auto gas (known as mogas), but higher-compression engines in larger airplanes need the lead to prevent pre-detonation, so we’re stuck with it for now.

Like the weather, the state of engine tech in general aviation is often discussed but there is little individual pilots and owners can do about it. Manufacturers, though, have a variety of tricks up their sleeve, which I’ll discuss in part 2.


Filed under aviation

Thursday trivia #105

Welcome, 2014! So far my year’s off to a great start; I ran a race at midnight New Year’s Eve; I have some idea of what my major 2014 goals are, and I now have a pet again. I hope you’ll join me in welcoming Pancake the cat to the blog. I promise not to be one of those tiresome people who regales unwilling audiences with tales of their pet’s accomplishments and behavior, but I must say the boys and I are excited to have a family pet again.


  • I bit the bullet and signed up for an accelerated IFR ground school with Aviation Ground Schools. Why them in particular? They had a schedule that fit my needs, they got good reviews, and then they had a one-day sale. Expect a full report once I attend the seminar next month.
  • The hardest thing I ever had to do as a business owner was fire people. Firing people in your personal life can be just as difficult, but sometimes it’s necessary.
  • After nearly six months I am finally feeling settled into the house: everything is unpacked, there are doormats, pictures are hung, and so on. I celebrated New Year’s Day by replacing the fill mechanisms in all 3 toilets. (Cue the “you know you’re a homeowner when…” jokes)
  • I’m excited to start the next round of group training with Roman and Mike Vacanti. Here’s to crazy gainzzzz.


Filed under Musings

Office 365 token disclosure flaw: patch your desktops now

Happy New Year! To start the year off right, let’s talk about security. More to the point, let’s talk about Office 365 security.

One of the ways I often talk about Office 365 to customers is this: any time you move to a hosted service, you’re placing a bet that your hosting provider can do something better or cheaper than you do. Maybe they’ll deliver better uptime than you can afford to provide, or they’ll offer global reach, or some feature or function that you don’t currently have. As with any other bet, you have to carefully evaluate the odds and your counterparty (the person offering the bet). One of the big arguments in favor of Office 365 has been its security: Microsoft has invested a huge amount of money in physical and logical security for Office 365. Tie this in with the huge investment (several billion dollars and counting) brought about by Trustworthy Computing and you can see why Microsoft is eager to tout the security of their products: they have made huge strides over the last ten years. (Sadly, many other vendors are still as bad as they were back in 2005… let that thought sink in for a few minutes.)

In December, Microsoft released a patch, MS13-104, which every organization using Office 365 should immediately deploy. Microsoft rated this bulletin as “important” using their severity scale. While I understand that the “critical” severity is usually reserved for flaws that could allow remote code execution, I think this is just as bad because it allows an attacker to silently steal every document you have in a SharePoint Online document library.

Wow.

Keep this tab open, then open a new tab and use it to start figuring out how to patch your clients ASAP if you’re using SharePoint Online. Then you can come back.

I won’t repeat the excellent analysis performed by Adallom Security, the folks who reported the flaw to Microsoft in May 2013. That’s right: they reported in May 2013, and the patch was issued in December 2013. That’s a minimum of 7 months of days-of-risk, which is bad enough without considering how long this flaw was being exploited before Adallom found it. However, I do want to make a couple of additional points.

First, they wrote their post before the recent spate of disclosures surrounding the NSA’s Targeted Access Operations (TAO) team and their catalog of exploits. There is of course no evidence that NSA developed or was using this particular exploit, but this is exactly the kind of silent, virtually undetectable attack that is the specialty of nation-states. The fact that Adallom’s customer is a large, high-profile enterprise is potentially bad news for Office 365 sales efforts, given that those customers are already a little leery of cloud services because of a perceived lack of security controls.

Second, this exploit apparently doesn’t work against Exchange Online or Lync Online, but that hasn’t been proven conclusively. Don’t hold off patching Office 2013 just because you aren’t using SharePoint Online.

Third, it seems to me that this kind of flaw is the natural consequence of breaking new ground. Seamlessly tying together on-premises and cloud services through a complex desktop suite is something that no other software company has even attempted: the major Office 365 competitors, such as Box.net and Google, don’t offer traditional desktop productivity apps, preferring instead to run inside the browser, where the design patterns and potential vulnerabilities of authentication are much better understood. So I don’t think of this as sloppiness necessarily on Microsoft’s part: sometimes in complex systems, people make mistakes. 210+ days-of-risk makes me a little nervous though.

My overall takeaway: if you have truly sensitive data that you want to protect, putting it in the cloud is not necessarily any more risky than keeping it on-premises. That may seem counterintuitive, but an entity that is determined to get your data has many potential avenues of attack, and my experience tells me that the vast majority of sites have a number of local vulnerabilities (such as poor patching practices, poor intrusion detection, or inattention to basic security practices) that put them at higher risk than a relatively esoteric, hard-to-exploit flaw like this one. If you don’t believe me, just look at the number of sites hit by Cryptolocker and various banking-related Trojans. Put another way, you don’t need to worry about defending yourself against NSA if you can’t even manage to defend yourself against script kiddies.

Now go forth and patch!


Filed under Office 365, UC&C

2014: my major goals

I am a big believer in the SMART system for goals: any time you make a goal, it should be specific, measurable, attainable, relevant, and time-bound. The counterpart to that is another “A” that’s missing: accountable. Both academic research and practical experience show that accountability helps make it easier to achieve those goals. I’ve seen this principle in action throughout my professional and personal life so I wanted to set out some of my 2014 goals here as a means of making myself accountable for progressing towards them. So, in no particular order, here are some of the things I plan to accomplish by the end of 2014.

On a professional level, my SMART goals revolve around specific things I need to do at work, including getting my MCSE certification, producing a certain set of internal IP documents, and a few other things that are related to our internal processes. They’re not necessarily things I can discuss in depth here. However, in my professional-but-not-at-Dell role as an MVP and author, I’m planning on doing at least one book in 2014. I have discussions underway with a couple of publishers and my agent about possible topics.

On the skills front, I will complete my instrument and commercial ratings in 2014. I will do this by continuing to train and fly with my instructors, setting a regular schedule to fly so I can maintain proficiency, and learning as much as I can about every aspect of IFR operations. Once I get the ratings, I will fly with them regularly to remain proficient. My target is to fly at least 120 hours of pilot-in-command time in 2014, with more if my schedule and budget allow.

From the health, fitness, and activity department: I want to train for and complete a sprint triathlon (probably this one). I will do this by taking advantage of Fleet Feet’s training programs and continuing my weightlifting and exercise regimen. I’m doing another increment of the Fitocracy group coaching program from January through April, when triathlon training season starts. (I’ve also signed up for several 5K races spread throughout the first quarter of the year.) I also want to continue to maintain a healthy body weight and appearance. I will do this by continuing to lift weights and track what I eat to ensure that I’m getting the right mix of macronutrients to support my activity level and goals. (Obligatory numbers: bench my bodyweight of 185, deadlift 300, and squat 275. I have no idea whether these are reasonable numbers or not since I am not used to setting goal weights, but I’ll stick with them for the time being.)

To help support those goals, I’ll continue to learn to cook new things. This is a squishy, non-SMART goal because I don’t have (or want) specific targets for learning to cook N new dishes.

Turning to the personal: I want to be more generous with my charitable giving of both money and time. I have some ideas about how to do this, and be accountable for it, but I’m still puzzling through what I think will work best. More on that another time, perhaps. The rest of the personal goals I have are, well, personal, and mostly non-SMART, so I’m leaving them out as well.

Expect a progress post each quarter so we can see how I’m doing on the specific things I’ve listed here. That’s the “accountable” part, y’know.


Filed under Friends & Family, Musings

Office 365 beta exams: a few thoughts

Last week I took the beta versions of the two MCSA exams for Office 365: 71-346 is Managing Office 365 Identities and Requirements and 71-347 is Enabling Office 365 Services. I thought it might be useful to write up a few NDA-safe notes on the exams and the topics they cover. Keep in mind that the questions on the beta exam are there because they’re being tested; the objective domains (ODs), or areas of knowledge being tested, won’t change but the specific questions probably will as the beta identifies “bad” questions (those that everyone gets right or everyone gets wrong are immediately suspect!). The Microsoft exam development process is really complicated; to summarize, by the time the exams hit beta, the knowledge areas to be tested are set in stone but the questions themselves can be modified, or thrown out, based on beta exam feedback.

First, be forewarned that there are no formal study materials for these exams. I hear that Office 365 Admin Inside Out from MS Press is decent, but haven’t read it yet. Be prepared to do a lot of binging to look up specific things that you want to know how to do.

Second, the absolute best way to prepare for the exam is to sign up for a trial Office 365 E3/E4 tenant and make sure that you know how to do everything mentioned in the exam objectives in both PowerShell and the GUI. This is baloney, and it has been a hot topic of debate in the MVP community. IMHO there is little value in asking an examinee to show that they know how to do something in PS which is trivial to do in the GUI, especially if it’s a one-time task like setting up Azure RMS. Nonetheless, that’s the requirement.

For 346, specific things you should probably know include:

  • How to add a new tenant, from scratch. This includes choosing a region (and what effect that has), setting the domain purpose, and confirming domain ownership.
  • How to configure DNS records and firewall settings: SRV, CNAME, and MX records, what they point to, etc.
  • How to design ADFS: how to size it, when to use SQL Server instead of WID, and so on. Note that actually doing HA or DR with ADFS is not one of the topics listed in the OD, but you’ll need to know how to do it anyway. The ADFS 2.0 documentation content map is very helpful here.
  • How to administer (parts of) ADFS, including installing it (prerequisites too) on both Windows 2008 and 2012 (but not R2), controlling filtering, and managing dirsync. I have heard that there are questions in the pool that cover ADFS 3.0 but don’t know if that’s true.
  • How you’d conduct a pilot, including how to use connected accounts and mail forwarding.
  • What the different administrative roles in 365 are for and what they can do, including how to manage delegated admins.
  • How to provision / license users through the 365 Admin Center.
  • Basic account management through PowerShell: creating users, modifying their properties, licensing them, etc. Nothing too exotic; I expect most Exchange and Lync admins can do these types of things now without difficulty.
  • How to provision, enable, and administer AD RMS, a surprisingly cool technology that Brian Reid has written about at length already.
  • What the mail flow/message hygiene reports are and what you can do with them.
  • How to do daily admin tasks: checking service health, using the RSS feeds, opening service tickets, etc.
  • Troubleshooting using the Remote Connectivity Analyzer and MOSDAL.

347 is a little more of a mixed bag because it contains both admin-level material similar to ODs in 346 plus a smorgasbord of other stuff. The most important thing to know here: you must know how to do stuff with SharePoint Online. Out of the 53 questions on my beta exam, 12 of them (22.6%) were related to SPO. Given that about 0.5% of my actual knowledge relates to SPO, that was a problem. I don’t use it, and I haven’t worked on the SPO-related parts of any deployments for Dell customers, so I was unprepared. Don’t be like me. Be prepared to demonstrate that you know:

  • All about Click-to-Run, including how it differs from MSI installations, how you customize what gets installed, how the installs themselves work, etc.
  • All about Office Telemetry. Never heard of it? Neither had I. Its inclusion in these exams seems a bit odd, since I suspect you’d see people running it before deploying Office 2013 on-prem too. It’s been a while since I was directly involved in the world of desktop deployment, though, so maybe everyone but me knows about it.
  • How to manage SPO site collections, including how to share and unshare them, set quotas, etc.
  • How to provision (including how to license) Excel and Visio Services.
  • How to manage proxy, reply-to/default addresses, resource mailboxes, external contacts, and groups in Exchange— standard stuff for working Exchange admins.
  • How to work with archiving policies on both Exchange and Lync, including integration with Exchange 2013’s in-place hold mechanism.
  • How to set up Lync settings for external access, including visibility of presence and per-user access to PIC.

Again, you need to know how to do these things in both PowerShell and the GUI, despite the fact that many of the tasks in the ODs will be things you do once (or maybe quarterly, at most).

Should you take the beta exams? It depends, I guess. They cost the same as the “real” exam, and they’re subject to the same “Second Shot” MS program that grants you one retake of a failed exam. So you could sign up and take the beta now for $150, then take the real exam for free if you don’t pass. Based on the state of the exam questions I saw, and the lack of structured training materials, I don’t recommend that you rush to take the exam, though; the real version goes live on 17 February. Until then, your time would probably be better spent setting up a scratch tenant that you can play with, then running through the list of ODs to make sure that you know how to do the things on the list.

I’d be interested in hearing from people who took the exam to see how well you think the exam actually matches up with what Office 365 admins and designers need to know in the real world.


Filed under Office 365, UC&C

MEC and Lync Conference 2014 session list (partly) released

The fine folks in charge of organizing the Microsoft Exchange Conference have released a partial list of the sessions that will be on offer, as well as a list of speakers (oddly enough, the speakers are in alphabetical order by first name… ooops). There are some surprises in the mix, and I expect a few more once the full list of sessions is released in the near future.

First, there’s clearly a heavy emphasis on panel-style discussions: there are no fewer than 8 “Experts Unplugged” sessions featuring product managers from the Exchange team. I’m moderating the UM panel session, which should be a good opportunity for people to have their in-depth UM questions answered by the PMs who own the features in UM. In addition, the support team has a session called “Experts Unplugged: Exchange Top Issues – What are they and does anyone care or listen?” that I can almost guarantee will be worth your time. Amir, Jennifer, Scott, Shawn, Tim, and Nino did a very similar panel at the MVP summit and it was extremely informative— plus they’re a fun bunch to talk to. I expect the other panels to be of equal quality, and the fact that there’s one per track is a good sign that the Exchange team is interested in getting two-way feedback from the community.

Second, there’s a nice mix of topics covered: a number of sessions promise to compare or contrast the on-premises and service environments (I’m particularly looking forward to “Engineers vs Mechanics”), and there seems to be a balance between architectural-focused sessions that explain design principles and sessions focused more narrowly on how to administer, manage, or use features such as RBAC (presented by Bhargav Shukla, who taught RBAC for the late lamented MCM program) and archiving. This balance between explaining why features work a particular way and how to use them was a hallmark of MEC last year, and I’m pleased to see it continuing in the sessions this year.

There are a couple of sessions whose abstracts are missing or incomplete. For example, the “Enterprise Social” session promises to “discuss Social experiences in the MSFT suite beyond e-mail.” I’d bet $5 that this is a code phrase for “talking about Yammer,” but we’ll see. As we get closer to MEC, expect to see more detailed abstracts, as well as additional sessions.

Turning abruptly to Microsoft’s other major unified communications conference: I’m speaking for the first time at Lync Conference (which lacks a catchy acronym so far: I suggest “LyC”, pronounced “like”). The session list is worth a careful review; I don’t know if there are more sessions forthcoming, but the ones that are there focus much more heavily on on-premises topics than the MEC sessions do, and there’s an entire track titled “Business Value” dedicated to helping attendees identify areas where Lync can add value to their environments and then squeeze that value out as rapidly as possible. There is also a “Lync Online” track shown in the track selection pulldown but it shows no sessions right now— I’m sure they’ll appear in the near future. It looks like the content for the developer-focused track will be super technical; it will be interesting to see how the level of detail in those sessions compares to the developer-track session at MEC. I get the sense that there will be more admins-who-are-interested-in-development at MEC and more developers-who-write-code-every-day at LyC, but I could be wrong.

My Lync Conference session is a 300-level look at integration between Exchange 2013 and Lync 2013. It’s nicely complemented by Jens Trier Rasmussen’s 400-level session on the same topic; we’ll be working together to coordinate topics. The Lync Conference also features sessions presented by sponsors; Dell (or, more precisely, Michael Przytula, my boss) will be presenting one. I’ll have more to say about its contents when we get closer to showtime.

I’m looking forward to both shows— meeting with the community is always really energizing, and both shows have a great session lineup. If you haven’t already registered for one or both, you should strongly consider it while early registration is still ongoing. What you learn in a single session can easily save you (or make you) enough money to make the entire trip worthwhile, and the social and community benefits of attending are icing on the cake. See you there!


Filed under General Stuff, UC&C

The instrument written exam

As described in FAR 61.65, the FAA requires three categories of things to earn an instrument rating: you have to meet the experience requirements (which includes things like being proficient in English and convincing your instructor to sign you off), you have to pass the practical test, and you have to pass the written exam. I haven’t had much opportunity to fly with my instructor lately, so I’ve been focusing on studying for the written exam, which covers weather, IFR procedures, regulations, how to read IFR charts, and all sorts of other goodies.

[Image: a portion of the IFR low chart surrounding David Wayne Hooks Airport]

The picture above shows a portion of the IFR low chart surrounding David Wayne Hooks Airport in Houston. Yes, the FAA really expects you to know what all that stuff means! Every little symbol and text block has its own particular meaning: minimum en-route altitudes, crossing restrictions, distances, and lots of other things are all encoded into the symbology, and there is a completely different visual language used for diagramming instrument approaches. That’s a shorthand way of saying that there’s a lot of bookwork required to be ready for the test. I’ve been using the Sporty’s IFR course, which is pretty good, along with their test-prep app. I’m re-reading Taylor’s Instrument Flying and working my way through a couple of other books I have. Finally, I am considering taking one of the weekend accelerated ground schools offered by companies such as Aviation Seminars and Rick Yandle, but that requires at least one full weekend of time, plus several hundred dollars— money and time I could be using to fly instead.

Now, time to hit the books again…


Filed under aviation

Android 4.4/KitKat Exchange ActiveSync problems; fixed in 4.4.1?

Apple’s iOS has gotten a deservedly bad reputation for its Exchange ActiveSync implementation. But, to their credit, things seem to be fairly stable with the latest iOS 7.0.4 update. On the other hand, Google seems to have largely gotten a free pass on the quality of its EAS implementation; in fact, for quite some time Android didn’t include EAS functionality, although some individual vendors did. The latest release, 4.4 (or “KitKat”, a particularly nasty type of candy, at least in the US), includes EAS as part of the core OS, but it appears to have some bugs, including at least one that I am still trying to get a good understanding of.

First, there appears to be a problem with client certificate authentication, i.e. it doesn’t work. To Google’s credit, they maintain a public bug-tracking system where everyone can see the bug report and status, at least of this particular bug. Imagine a world where Microsoft and Apple were similarly transparent about bugs in their major products… OK, back to reality; Google of course doesn’t do the same for their proprietary products, just for open-source efforts such as Android. On the other hand, this kind of public reporting lets people show their ignorance; check out this thread, where a couple of engineers for a competing product show that they haven’t read the protocol specs in detail (hint: see this discussion of WindowSize to spot the flaw in their argument).

Anyway, Tony pointed out this particular problem to the Exchange community just before Thanksgiving. Recently I was contacted by a customer who was seeing another widespread KitKat issue: devices persistently pounding the server with EAS Sync commands, over and over and over and… well, you get the idea. Although I haven’t seen a clear cause identified, Google claims to have fixed this problem in the 4.4.1 update (see the reply by Ersher on page 24 of this thread), so the question becomes whether all the users claiming to be affected by this bug have upgraded.

Actually, the question becomes at what point Exchange administrators begin to proactively block new mobile device OS releases! While I’m not quite ready to declare a fatwa on all new device releases, it is beginning to look as though organizations with diverse BYOD populations might be well served to establish some kind of criteria for staging support of new releases. Apple, Microsoft, and Google all offer developer access to new OS releases, often months in advance, so one possibility is to establish a pool of test devices for new OS releases— something which many sites already do with new desktop OS releases. The logistics of working out such a program might be challenging, but I think the effort might be well worth it if it prevents unpleasant surprises caused by device-side EAS misbehavior.

There’s another, perhaps less palatable, option on the horizon. Now that we have OWA for Devices (known colloquially as Mobile OWA, or MOWA, within Microsoft), if you were so inclined you could block all iOS device access and require your users to use MOWA. Since there’s no MOWA version for Android yet (and there may never be; Microsoft hasn’t given any hints), this wouldn’t be a comprehensive solution, and it would likely aggravate users to a high degree… but as improvements in MOWA performance and capability roll out, it might become a more viable option.

(side note: speaking of aggravation, it’s amazing how aggravated Google’s customers get when they don’t receive an official answer from Google in the time frame they expect. At least Google gives official answers in their support forums, something you are unlikely to see happen much in the support fora offered for iOS and Windows Phone!)

One thing I’d like to see emerge is something akin to collaborative spam filtering— when I report a message as spam to my filtering service, that message is filtered for other subscribers too. It seems like BoxTone or another company might be able to offer a subscription service to customers that gives them early alerts to wide-scale problems reported by other customers, such as regional outages in a carrier network or a pattern of sync misbehavior for a specific device family. I know I’d be happy to pay money for a service that would give me early warning of apparent problems with new device software releases— what about you?


Filed under UC&C

Microsoft, encryption, and Office 365

So the gloves are starting to come off: Microsoft general counsel Brad Smith wrote a long blog post this morning discussing how Microsoft plans to protect its customers’ data from unlawful interception by “unauthorized government access”. He never specifically mentions NSA, GCHQ, et al, but clearly the Five Eyes partners are who he’s talking about. Many other news outlets have dissected Smith’s post in detail, so I wanted to focus on a couple of lesser-known aspects.

First is that Microsoft is promising to use perfect forward secrecy (PFS) when it encrypts communications links. Most link-encryption protocols, including IPsec and SSL, use a key exchange algorithm known as Diffie-Hellman to allow the two endpoints to agree on a temporary session key by using their longer-term private/public key pairs. The session key is usually renegotiated for each conversation. If Eve the eavesdropper or Mallet the man-in-the-middle intercepts the communications, they may be able to decrypt it if they can guess or obtain the session key. Without PFS, an attacker who can intercept and record a communication stream now and can later guess or obtain the private key of either endpoint can decrypt the stream. Think of this like finding a message in a bottle written in an unknown language, then next year seeing Rosetta Stone begin to offer a course in the language. PFS protects an encrypted communication stream now from future attack by changing the way the session keys are generated and shared: the long-term keys no longer determine the session key, so obtaining them later doesn’t unlock old recordings. Twitter, Google, and a number of other cloud companies have already deployed PFS (Google, in fact, started in 2011) so it is great to see Microsoft joining in this trend. (A topic for another day: under what conditions can on-premises Exchange and Lync use PFS? Paging Mark Smith…)
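To make the difference concrete, here is an added toy model (my own illustration, not code from Microsoft or any real protocol library) of the two key-agreement styles. It assumes a toy 127-bit group and omits the signatures a real PFS handshake would use to authenticate the ephemeral values; the point it shows is that a recording plus a later-leaked long-term private key reproduces the session key only in the non-PFS exchange.

```python
import hashlib
import secrets

# Toy DH group for illustration only: a Mersenne prime, NOT a standardized group.
P = (1 << 127) - 1
G = 5


def keypair():
    """Return (private, public) where public = G^private mod P."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def kdf(shared_secret):
    """Derive a short session key from the raw DH shared secret."""
    return hashlib.sha256(str(shared_secret).encode()).hexdigest()[:32]


# Long-term keys: what an adversary might obtain next year by compromise or compulsion.
SERVER_PRIV, SERVER_PUB = keypair()
CLIENT_PRIV, CLIENT_PUB = keypair()


def handshake_static():
    """No PFS: the session key comes straight from the two long-term key pairs."""
    client_key = kdf(pow(SERVER_PUB, CLIENT_PRIV, P))
    server_key = kdf(pow(CLIENT_PUB, SERVER_PRIV, P))
    recording = {"client_pub": CLIENT_PUB, "server_pub": SERVER_PUB}  # what Eve captures
    return recording, client_key, server_key


def handshake_ephemeral():
    """PFS: fresh one-time DH values per conversation. The long-term keys would only
    sign gx/gy to authenticate them (signature omitted in this toy); they never
    enter the key derivation."""
    x, gx = keypair()
    y, gy = keypair()
    client_key = kdf(pow(gy, x, P))
    server_key = kdf(pow(gx, y, P))
    recording = {"client_pub": CLIENT_PUB, "server_pub": SERVER_PUB, "gx": gx, "gy": gy}
    del x, y  # ephemeral secrets are erased once the session key exists
    return recording, client_key, server_key


def eve_recovers(recording, leaked_server_priv):
    """Eve replays her recording against a later-obtained long-term private key.
    Returns the session key she derives; it is correct only in the non-PFS case."""
    if "gx" not in recording:
        # Static exchange: server_priv plus the recorded client public value
        # reproduces exactly the secret both endpoints computed.
        return kdf(pow(recording["client_pub"], leaked_server_priv, P))
    # Ephemeral exchange: the leaked key never entered the key derivation, so the
    # best Eve can do is combine it with gx, which yields an unrelated value.
    # Recovering the real key would need the discarded x or y (a discrete log).
    return kdf(pow(recording["gx"], leaked_server_priv, P))
```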

Second is that Microsoft is acknowledging that they use data-at-rest encryption, and will be using it more often. Probably more than any other vendor, Microsoft is responsible for democratizing disk encryption by including BitLocker in Windows Vista and its successors, then steadily improving it. (Yes, I know that TrueCrypt and PGP predated BitLocker, but their installed bases are tiny by comparison.) Back in 2011 I wrote about some of the tradeoffs in using BitLocker with Exchange, and I suspected that Microsoft was using BitLocker in their Office 365 data centers, a suspicion that was confirmed recently during a presentation by some of the Office 365 engineering team and, now, by Smith’s post. Having said that, data-at-rest encryption isn’t that wonderful in the context of Office 365 because the risk of an attacker (or even an insider) stealing data by stealing/copying physical disks from an Office 365 data center is already low. There are many layers of physical and procedural security that help keep this risk low, so encrypting the stored data on disk is of relatively low value compared to encrypting the links over which that data travels.

The third aspect is actually something that’s missing from Smith’s post, expressed as one word: Skype. Outlook.com, Office 365, SkyDrive, and Azure are all mentioned specifically as targets for improved encryption, but nothing about Skype? That seems like a telling omission, especially given Microsoft’s lack of prior transparency about interception of Skype communications. Given the PR benefits that the company undoubtedly expects from announcing how they’re going to strengthen security, the fact that Smith was silent on Skype indicates, at least to suspicious folks like me, that for now they aren’t making any changes. Perhaps the newly-announced transparency centers will provide neutral third parties an opportunity to inspect the Skype source code to verify its integrity.

Finally, keep in mind that nothing discussed in Smith’s post addresses targeted operations where the attacker (or government agency, take your pick) mounts man-in-the-middle attacks (QUANTUM/FOXACID) or infiltrates malware onto a specific target’s computer. That’s not necessarily a problem that Microsoft can solve on its own.


Filed under Office 365, UC&C

Thursday trivia #104

  • Last week I had a fantastic visit to Louisiana for Thanksgiving, bracketed by perfect flying weather. It was great to see my mom, grandmother, uncles, and cousins.
  • Next week I’m headed to Dell World in Austin, where I’ll get to meet my boss for the first time, help run some nifty hands-on labs, and see a number of family members and long-time friends. I’m also looking forward to Elon Musk’s keynote.
  • It amazes me that PayPal continues to prosper with as many problems as their back-end systems have. For example, my account contains ship-to addresses going back at least four years and there’s no way to remove them except by calling support. Ooops.
  • This article about what it was really like to fly commercially in the 1950s was fascinating. I know that I am much happier with the navigation and communications technology available to modern pilots than I would have been using the 1950s equivalents. 
  • My friend Glenn posted a photo to Facebook of one of Amazon’s new drones labeled “Amazon drones: Skeet Shooting With Prizes”. Yep.


Filed under Friends & Family, General Stuff

Exchange 2013 Cumulative Update 3 released

I thought it might be fun to write an annotated version of the Exchange team blog post announcing the availability of CU3 for Exchange Server 2013. So here goes…

The Exchange team is announcing today the availability of our most recent quarterly servicing update to Exchange Server 2013. Cumulative Update 3 for Exchange Server 2013 and updated UM Language Packs are now available on the Microsoft Download Center. Cumulative Update 3 includes fixes for customer reported issues, minor product enhancements and previously released security bulletins. A complete list of customer reported issues resolved in Exchange Server 2013 Cumulative Update 3 can be found in Knowledge Base Article KB2892464.

Translation: “We’re getting the hang of this cumulative update model. Notice that we gave you a list of bug fixes in this release, just like y’all asked for last time, although we’re not saying that this is a comprehensive list of every bug fixed in the CU.”

We would like to call attention to an important fix in Exchange Server 2013 Cumulative Update 3 which impacts customers who rely upon Backup and Recovery mechanisms to protect Exchange data. Cumulative Update 3 includes a fix for an issue which may randomly prevent a backup dataset taken from Exchange Server 2013 from restoring correctly. Customers who rely on Backup and Recovery in their day-to-day operations are encouraged to deploy Cumulative Update 3 and initiate backups of their data to ensure that data contained in backups may be restored correctly. More information on this fix is available in KB2888315.

Translation: “Backups are sooooo 2005. Why are you even doing them instead of using Exchange native data protection? DAGs and JBOD, baby. Just make sure you have at least 3 database copies. But if you are, well, take another backup right quick to make sure you can restore later.” [ Note that I am manfully resisting the urge to ask how this issue slipped through testing. –PR]

In addition to the customer reported fixes in Cumulative Update 3, the following new enhancements and improvements to existing functionality have also been added for Exchange Server 2013 customers:

  • Usability improvements when adding members to new and existing groups in the Exchange Administration Console
  • Online RMS available for use by non-cloud based Exchange deployments
  • Improved admin audit log experience
  • Windows 8.1/IE11 no longer require the use of OWA Light

Translation: “Who doesn’t like new features? We promised to deliver new features on-premises, and we did, so yay us! However, notice how we avoided saying ‘on-premises’, using the clumsy ‘non-cloud based’ term instead.”

More information on these topics can be found in our What’s New in Exchange Server 2013, Release Notes and product documentation available on TechNet. Cumulative Update 3 includes Exchange related updates to Active Directory schema and configuration. For information on extending schema and configuring the active directory please review the appropriate TechNet documentation. Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings.

Translation: “Because we love you and want you to be happy, we’ve included a schema update to keep your Active Directory looking shiny and fresh. Remember, we can push schema updates in CUs now. Sorry if this means your organizational change control process means you have to delay installing the CU for months while you wait for the change to be assessed and approved.”

Our next update for Exchange Server 2013, Cumulative Update 4, will be released as Exchange Server 2013 Service Pack 1. Customers who are accustomed to deploying Cumulative Updates should consider Service Pack 1 to be equivalent to Cumulative Update 4 and deploy as normal.

Translation: “CU4 will be so awesome that it’s really a service pack, if you like service packs, but if you don’t, then it’s not. Because every CU can include both features and fixes now, we have lots of flexibility to choose when to deploy features. Part of the reason we changed the servicing model was to get people away from the ‘wait for SP1’ attitude, so if SP1 is really just CU4, that helps show there’s no reason to wait.”

Reminder: Customers in hybrid deployments where Exchange is deployed in-house and in the cloud, or who are using Exchange Online Archiving with their in-house Exchange deployment are required to maintain currency on Cumulative Update releases.

Translation: “Surprise! Since you can’t control what release your Office 365 tenant is running, if you’re in hybrid mode (or want to be), you now must commit to remaining on the current CU. If that’s a problem because of schema changes, well, good luck with that. I suppose if enough people complain we might start pre-announcing which CUs will contain schema changes so you can plan ahead.”

Overall, I’m looking forward to seeing CU3 be widely deployed. It seems to be a stable and solid release based on my experience with it. The new features will be welcome, and I am heartened to see the team continuing to hit their release cadence.


Filed under UC&C

MVP Summit wrap-up

I’ve just returned from the 2013 edition of the mostly-annual Microsoft Most Valuable Professional (MVP) Summit. I say “mostly-annual” because Microsoft normally holds a Summit about every 12 months. The previous event was only 9 months ago, but for various logistical and product lifecycle-related reasons, they decided to return to the tradition of holding the event towards the end of the calendar year.

This year’s Summit was probably the best that I’ve attended in terms of both logistics and engagement from the product groups, at least for the sessions I attended. The transportation, housing, and events all ran very smoothly, with few delays and plenty of the delicious oversized cookies usually served in the afternoons. The product group mixer, which is an opportunity for each group of MVPs to mingle with various folks from their product teams, was nicely organized and well attended. I met a few Exchange MVPs I didn’t already know (such as Germany’s Norbert Klenner, Ratish Nair from India, and Damian Scoles from the US, a first-year MVP) and was able to spend time with many that I have known for a while, including Michael van Horenbeeck (whom Tony had previously christened “Michael van Hybrid”), Jeff Guillet, Michel de Rooij, Jason Sherry, my Santiago homeboy Jorge Patricio Diaz Guzman, Magnus Björk (now known as “Magnus Availability” after asking one too many questions about Managed Availability), J. Peter Bruzzese (who for some reason doesn’t yet have a snappy nickname; I am thinking that maybe “Mailbox Pete” would fit?), Siegfried Weber, Serkan Varoglu, and too many others to list.

The session content was generally excellent. Overall, the Exchange team did a solid job of both telling us about upcoming changes and improvements and asking for our feedback. There is a lot of exciting stuff coming in the recently-announced Service Pack 1, and from both the formal and informal discussions it seems clear that the product group has a clear vision of where they want to invest effort— product quality being one of the key investment areas— as they deliver new capabilities. Many of the sessions were held in a panel format that allowed full and frank discussion between MVPs— always an opinionated bunch— and the people responsible for designing and building Exchange.

Although the content was all 100% NDA, I think it will probably be OK with the NDA police if I close by saying that Navin Chand and the rest of the Exchange team have some exceptionally cool things planned for MEC that they will be talking about in the not too distant future. If you haven’t already registered I would give very serious consideration to doing so. Navin told me that there are more than 180 session slots available during MEC— compare this to fewer than 40 session slots allocated to Lync and Exchange together at a typical TechEd and you can see just how much more material will be available at MEC. What kind of material? Well, the Lync Conference team announced their session selections this week, and their conference is in February. If one were to extrapolate, one might assume that MEC will be announcing their sessions in January-ish given that the event is in April, so I think we’ll be finding out relatively soon. (Note that I don’t know the real dates, even under NDA, so this is just a SWAG).  

My thanks to all the people at “big Microsoft” and in the Exchange and Lync product groups who worked to get content together for this year’s Summit. They set a very high bar for future events.


Filed under General Stuff

Thursday trivia #103

  • This was a big week! I spent the first part of the week in Redmond for the annual Microsoft MVP Summit. It was amazing— great content (all under NDA, at least for now) and a wonderful chance to catch up with my MVP peers. While there, I found out that my session proposal for the 2014 Lync Conference was accepted, so I’ll be presenting to an audience from what Jeff Guillet has started calling the “Skype Pro” community.
  • I’m also going to be working in the hands-on labs at Dell World. No word yet on whether I’ll get to take Michael and Elon Musk out for BBQ but it will be neat to catch up with family, friends, and coworkers in Austin.
  • Just bought John Ewing’s Concise Guide to IFR. I’m looking forward to reading it. I haven’t spent as much time studying for my instrument written as I need to, so I grabbed the Sporty’s Study Buddy app as well.
  • I sold my Surface Pro because I had planned to take advantage of an MVP discount on the Surface Pro 2 that Microsoft was going to offer at the Summit… then they withdrew the offer. I can’t decide if I want to buy a Surface Pro 2 or a Dell Venue 11 Pro; they seem similar in specs in most respects. The original Surface Pro was a great device for me but if I can get an employee discount on the Venue 11 Pro that might tip the balance in its favor. (I also like that the Surface line is starting to grow an ecosystem of accessories, too.)
  • Weather permitting, I’ll be flying to Louisiana for Thanksgiving, probably with a side trip to Texas. Have airplane, will travel…
  • This is very well said: weightlifting gives you the serenity of the iron. I certainly find that when I am lifting or running (not as much for cycling, meaning I’m probably not doing it with enough intensity) that it clears my mind wonderfully well.


Filed under General Stuff

Exchange 2013 SP1 coming in early 2014

Microsoft today announced that Service Pack 1 for Exchange 2013 is coming in “early 2014”. The announcement has a few interesting nuances:

  • The Edge Server role is coming back. Not by popular demand, as far as I can tell; I presume this is being introduced to pacify a few large, noisy customers who are using Edge, because I haven’t seen any signs that customers are demanding it. I would not expect to see significant feature improvements or investments in this role, either in SP1 or going forward.
  • S/MIME for OWA support is coming. This has been known for some time; as yet we don’t know the specific details of which browsers will be supported.
  • SP1 will require a schema update. I will have more to say about this in the very near future.

Interestingly, SP1 is essentially CU4: it is applied in the same way as other CUs, and if you skip SP1 and install CU5 later on, you’ll get all the fixes and features included in SP1. The Lync team is doing the same thing with their CUs; the old rule that only service packs could include new features is dead and buried.


Filed under UC&C