Saturday, May 10. 2008
Posted by the_angry_angel
in Geek, Mindless Hatred, Multimedia, Personal at
17:31
Comments (0)
Trackbacks (0)
Iron Man and why cinemas suck
First off let me say that I've tried not to give too much away, but I fear that I may've. If you're still to see Iron Man, then I'd recommend not reading this post after the 3rd paragraph.
So, I finally got the opportunity to see Iron Man last night. Myself and Tom headed to see it at the 20:30 showing in Longwell Green, Bristol. The Vue cinema there tends to be a little less crowded, easier to park at and has nicer seats than the Odeon in Bath. We got there a little later than I had hoped (which was entirely my fault), and ended up at seats near the front. This wasn't too bad though, as my neck wasn't completely knackered by the end of the showing.
So the movie started, eventually, and a few minutes in it stopped. Lights up, adverts on. Now I appreciate that everyone can have technical problems, but over the last few times I've been to the cinema something like this has happened. In my opinion this is exactly why digital distribution is going to have to lead the way. The other issue is of course the age-old desire to pause the film to drain the python. About half way through I really, really needed the loo and didn't want to leave. At the end of the film there was a horrendous queue and I just didn't want to wait, so we went home. The Vue employee was giving out tickets to see Iron Man again for free, but I decided not to take one and barged my way through. The thing that most annoyed me was the simple fact that I had to barge my way through. There was no provision for those of us who wanted to bypass this ridiculous offer of appeasement. Even funnier was the fact that the British public clearly didn't know what they were queuing for.
This kind of ruined the cinema experience for me, and thus I felt it had slightly diminished the film. Now don't get me wrong, Iron Man is an awesome film. It is undoubtedly the best comic conversion I've seen to date, which clearly demonstrates that having Marvel directly behind it is a good thing. The film is funny, entertaining and I wasn't wishing that it would hurry up at any point. I've only read a few of the Iron Man comics in the past, but I do remember the cartoon from my youth which I felt was good fun, although a little wet. In comparison to this I found that the Stark from the film was much more real and his change of character portrayed perfectly by Robert Downey Jr. I think Gwyneth made a perfect (not to mention "hwat") Ms Potts. My only concern with the film was that I felt parts of it were cut a little short and maybe could've been expanded on a little. The film is clearly setting the scene for a sequel (if this wasn't the case then possibly they've made a cock up there).
I'd really, really recommend seeing this film when you can. It's certainly one I'll be buying on DVD, and maybe the film that finally motivates me to buy an HD-DVD or Blu-ray device. Seriously, go and see it. Even if you're not aware of the Iron Man story, or if you're not a hardcore comic fan, you'll love it and won't really be missing out on much, except maybe the S.H.I.E.L.D. references.
Friday, May 9. 2008
Posted by the_angry_angel
in Daily HTF, Geek, LUsers, Windows, Work at
19:27
Comments (0)
Trackbacks (0)
Print margins off in Outlook 2003, when using a custom font
We had a bit of a weird one come in today. A customer, using a specific custom font, had found that HTML emails using this font would have the right-hand side of the text missing when printed, effectively cutting off part of the email. Forwarding the email to yourself would fix the issue; since a forwarded email is indented, I pretty quickly figured it was down to margins.
Now I was aware before this that the IE engine is used to print documents from Outlook, but what I wasn't aware of was that the print/page settings in IE affect the print too. Turns out that the margins under File > Page Setup in IE need to match the ones in Outlook to reliably get everything output right (in some cases). If it's not already been set, IE will default to 0.75 inches, which in the UK comes out at 19.05 mm, whereas Outlook appears to default to 13 mm (it's actually shown in cm in the Outlook GUI, oddly - nothing like consistency gents!).
Glad as I was that this resolved the issue for them, I wasn't happy about the prospect of telling the users to manually change these settings. I'm very much a believer that users should use the system and not be bothered by stupid things like this (plus I like playing sysadmin god and making stuff just happen, then telling the users it's "just magic"). Thankfully the settings are sensibly stored in the registry (and rather handily documented in KB236777), meaning that it was possible for us to distribute the fixed settings to our client's users via a quick registry import in the logon script (I chose to use HKCU rather than HKLM for various reasons, but it is possible to apply it per computer rather than per user). It would've been very much possible to also take care of this by creating an ADM(x) file and distributing it via GPO, however I chose to do it via the logon script for two reasons:
- Someone looking at the script in question can see my reference, in a comment, to the call ID
- It was just much quicker using a reg import \\path\to\file.reg
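For anyone who would rather script the same fix than hand-craft a .reg file, here is an added PowerShell example (mine, not the .reg file from the post, which isn't reproduced here) that a logon script could call. The key path is the one KB236777 documents; the 13 mm figure, the value format (REG_SZ, inches to six decimals, which is what IE writes when you change the margins in its own Page Setup dialog) and the function names are assumptions for the example, so compare them against a box where you've set the margins by hand before rolling it out.

```powershell
# Added example: push IE's print margins (which Outlook 2003 uses to print HTML mail)
# into HKCU so they match Outlook's own page setup. Key path per KB236777; value format
# (REG_SZ, inches, six decimals) and the 13 mm default are assumptions - verify first.

function Convert-MmToInchString {
    param([Parameter(Mandatory=$true)][double]$Millimetres)
    # IE stores margins as strings in inches, e.g. "0.750000" for its 0.75 in default.
    return ('{0:F6}' -f ($Millimetres / 25.4))
}

function Set-IePrintMargins {
    param(
        [double]$Millimetres = 13,   # Outlook's GUI shows 1.3 cm; match it here
        [string]$Key = 'HKCU:\Software\Microsoft\Internet Explorer\PageSetup'
    )
    # The key may not exist until Page Setup has been opened once on that profile.
    if (-not (Test-Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    $inches = Convert-MmToInchString -Millimetres $Millimetres
    foreach ($name in 'margin_top', 'margin_bottom', 'margin_left', 'margin_right') {
        Set-ItemProperty -Path $Key -Name $name -Value $inches -Type String
    }
    # Read the values back so the logon script's output shows what actually landed.
    Get-ItemProperty -Path $Key |
        Select-Object margin_top, margin_bottom, margin_left, margin_right
}

# Usage from a per-user logon script (HKCU, as in the post):
Set-IePrintMargins -Millimetres 13

# Equivalent .reg file, if you'd rather keep the post's `reg import \\path\to\file.reg`
# approach (13 mm / 25.4 = 0.511811 in):
#   Windows Registry Editor Version 5.00
#
#   [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup]
#   "margin_top"="0.511811"
#   "margin_bottom"="0.511811"
#   "margin_left"="0.511811"
#   "margin_right"="0.511811"
```

Because it writes to HKCU it has to run in the user's own logon context; the per-machine variant the post mentions would write the same values under HKLM and is not shown here.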
Thursday, May 8. 2008
[Not really] booting from USB in MS Virtual Server
Many virtualisation suites for the desktop won't let you reliably boot from physical disks, if at all. VirtualBox and VMware spring to mind instantly. I also only use these on the laptop, rather than my desktop, so I started fiddling about 15 minutes ago to see if I can get what I want done with MS Virtual Server 2005 R2 SP1 (MSVSR2SP1).
Turns out it's actually quite easily done, although at the end of the day I wasn't strictly booting from the USB device itself, but from an image of it, which can also be achieved with almost all other packages.
- Create a Linked Disk in the MSVSR2SP1 web console. You need to make sure that you've not got the device mounted (i.e. no drive letter - remove it from under the Disk Management MMC in the usual way).
- Next, inspect the VHD you've just created, then select Convert to dynamic disk.
- Wait a few minutes and you're done. You can then link this to any VM you want.
My goal? To test the customised bootable USB pendrive I've been carrying around. Turns out integrating DBAN and your regular bootable Linux pendrive is actually quite easy if you're using syslinux (much easier than I imagined). Now I just need to learn more about squashfs and getting what I want in it.
Tuesday, May 6. 2008
Programmer or serial killer?
I tend not to like posting this sort of stuff, as it's usually a bit of spam, however this one might appeal to some people. Via the SBS Diva, I present Programming Language Inventor or Serial Killer. My score was 7/10.
Monday, May 5. 2008
Thunderbird default sort order
My first regular usage of an email client was in the early days of webmail and whatever ran on the RM Network at school originally (which obviously sucked, as I can't remember what it was exactly). Unfortunately this has meant that I've grown up living with new emails going at the top. Even more unfortunately, the Thunderbird packagers/developers clearly come from an earlier age where new emails go at the bottom of the view.
This weekend I had to setup another instance of Thunderbird and the thought of changing them to "the right way" just got on my tits. Luckily I discovered that like most other XUL applications, you can change this by either editing the config file directly or by using the config editor built into Preferences > Advanced, then Config Editor.
In my case the setting I was after was hidden away as mailnews.default_sort_order. The default is 1, which is ascending; 2 is descending, and 0 is no sort.
If you're interested in changing the default sort column then the following page entitled nsMsgViewSortType from XULplanet might be of use to you. Despite the fact that many of the pages are labeled as inaccurate this one seems to be OK from a brief test and play.
On a side note, it's certainly nice to see more on XULplanet than there was the last time I played at XULrunner, and even more interesting to see that it's now being migrated into the Mozilla Developer Center. I guess it'll be getting more lovin' there.
Tuesday, April 22. 2008
In Bath? Not disabling your Bluetooth when you don't need it? You may have been under surveillance..
I was going to go with "technologically raped", but that's a bit sensationalist. Granted I'm probably going a bit over the top, but it looks like some researchers from the University of Bath, my home town, were let loose with various bluetooth tools and equipment. The aim of their research was to do some basic modelling and proof of concept work - mapping interactions, using bluetooth.
Astonishingly they captured 10,000 unique devices (supposedly) over 6 months, from various locations, including "the pub", which appears unnamed. Now whilst I usually disable my Bluetooth when I'm not using it (one, because the battery life on my K800i is slowly going the way of the electron fairies, and two because I don't want stuff like this happening, or my phone being subjected to anything that it shouldn't), it makes me wonder if the people who were being tracked were informed. Granted it's interesting work nonetheless, although the fact that they used a pub strikes me as a good excuse for other activities; "Err... yes we're in the pub. But don't worry, it's all in the name of science!"
However this could serve as a practical wake up call for those who object to lack of privacy but aren't technologically aware.
Monday, April 21. 2008
Automagically configuring Wyse thin clients running "blazer"
It's probably no secret to some people who read this that I do a fair bit of work with terminal servers and thin clients (dumb, low-power machines that connect to a terminal or Citrix server). However, most deployments I've been involved with at work are relatively small; our largest recently went up to a load-balanced set of 5 Windows Terminal Servers, a few weekends ago.
In the past we've always manually configured the thin clients, as they've always been rolled out over a long period, typically in very small quantities (no more than one or two), slowly replacing aging computers. However, this project is effectively a new cluster of terminal servers (as we were replacing some aging hardware, it was decided that it would be a good opportunity to do things properly). Personally I didn't really like the prospect of going to each one in the building and manually fixing the config, or using a CNAME in the local DNS, as many probably need firmware updating and altering in other ways to bring them in line with the rest.
In the past I knew that the Wyse S10s (which is the model we've mostly got deployed with this client) were administratively configurable (by this I mean en masse from a single point, à la group policy), but I had never really gone hunting for some decent docs until three or four weeks ago.
I stumbled across freewysemonkeys.com, an absolute gold mine of documentation for anything Wyse thin client related without having to wade through all the other "user guides" from Wyse themselves. Whilst the docs weren't always 100% accurate for our model they did give me enough of a leg up to get everything we needed working perfectly on all but the oldest S10's (unfortunately getting a firmware update from Wyse currently requires a support contract, according to their site).
A few days prior to this project I had tested it on another, much smaller client, as I was on-site virtualising part of their systems, and it worked awesomely well. Based on the configuration we will now be able to tell if a thin client has a proper network connection by simply asking what colour the background of the thin client is, set up various remote connections, wallpapers and icons, automatically reflash the firmware if there's a newer version available, etc., all of which is picked up from some basic DHCP scope options and an FTP server.
There are other solutions for the various thin clients out there, so if you're still manually configuring stuff by hand before shipping out to a customer, I recommend investigating for your chosen make and model, no matter how small your deployment is. It'll make your life as an administrator, and the life of your users, much easier.
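To make the "DHCP scope options plus an FTP server" part concrete, here is an added PowerShell example of the server side of such a rollout. It is my illustration, not the configuration from the post or from freewysemonkeys.com: the option codes (161 for the file server, 162 for the root path) and the wnos.ini keys are what WTOS/"blazer" firmware reads as far as I know, but the DHCP server name, scope, FTP host and path, the background colour and the terminal server hostname are all made up, and you should check every key against the INI reference for your firmware before using it. One caveat worth keeping in mind: nothing on this path is authenticated, so whoever can answer DHCP on that segment or write to the FTP root decides which server every thin client connects to; keep the FTP share read-only for clients and writeable only by admins.

```powershell
# Added example: the DHCP and FTP side of a zero-touch Wyse WTOS ("blazer") rollout.
# Option codes 161/162 and the wnos.ini keys are as I understand WTOS reads them;
# every address, name, path and colour below is invented for the example.

$DhcpServer = '\\dhcp01'        # assumed: Windows DHCP server hosting the thin-client scope
$Scope      = '192.168.10.0'    # assumed: thin-client subnet
$FtpHost    = '192.168.10.5'    # assumed: FTP server the clients fetch config and firmware from
$FtpRoot    = 'D:\wyse'         # assumed: local folder that the FTP server publishes as its root

# 1. Define the two options once on the server (harmless if they already exist),
#    then hand them out on the scope. WTOS reads 161 as the file server and
#    162 as the path below the FTP root where it expects a wnos/ folder.
netsh dhcp server $DhcpServer add optiondef 161 WyseFileServer STRING 0 comment=WTOS_file_server
netsh dhcp server $DhcpServer add optiondef 162 WyseRootPath   STRING 0 comment=WTOS_root_path
netsh dhcp server $DhcpServer scope $Scope set optionvalue 161 STRING $FtpHost
netsh dhcp server $DhcpServer scope $Scope set optionvalue 162 STRING /

# 2. Lay out the FTP root: wnos/wnos.ini is what every client fetches at boot;
#    a newer firmware image dropped in the same folder is picked up when AutoLoad=1.
New-Item -ItemType Directory -Path "$FtpRoot\wnos" -Force | Out-Null

# 3. Global wnos.ini. DeskColor doubles as the "did it get its config?" indicator
#    the post describes: a client still showing the factory default colour never
#    reached the FTP server. Privilege=None stops users poking at the local setup.
@'
; wnos.ini - served over FTP, applied to every WTOS client on the scope (keys assumed)
Privilege=None
AutoLoad=1
DeskColor="0 64 128"
SignOn=no
Connect=RDP Host=ts-cluster.example.internal Description="Desktop" AutoConnect=yes Reconnect=yes
'@ | Set-Content -Path "$FtpRoot\wnos\wnos.ini" -Encoding ASCII

# 4. Sanity check what the scope now hands out before rebooting a client.
netsh dhcp server $DhcpServer scope $Scope show optionvalue
```

Run it on the DHCP server (or anywhere netsh can reach it) as a DHCP administrator; after that, a thin client rebooted on the scope should come up with the configured background colour and the RDP connection already defined, and any client still on the default colour is the one to go and look at.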
Thursday, April 17. 2008
Posted by the_angry_angel
in Geek, LUsers, Mindless Hatred, Personal, Windows, Work at
23:57
Comment (1)
Trackbacks (0)
Never doubt yourself
One of the users for the client that I mentioned in my last post works from home a fair bit, using a site-to-site IPSec tunnel that was set up a number of weeks ago, and a MacBook Pro running Leopard. As the rest of this client's network is Windows based we hadn't really considered restricting the Mac at all. After all, this user is relatively clued up.. Or so I thought.
Tuesday we were told that the user was unable to access various resources on the LAN in the office. This was very odd, as we could talk to the only other device on her subnet, her IP hard phone, without any problems. Even stranger, her IP hard phone was working. We took her through the usual tests and everything seemed to be OK. I then incorrectly assumed that something had happened as part of the upgrade. The problem was this just didn't make sense: if something had happened, her IP phone wouldn't work either. The lack of another machine at the tunnel end really hampered testing.
After much faffing and testing we came to the conclusion that it was truly just her MacBook Pro. Further investigation revealed that PeerGuardian for OS X had been installed, which by default blocks almost all traffic. The moral is: if something stops working, even if you know that you've changed something recently and you knew what you were doing, don't waste too much time trying to figure out what you've done. Take a break and find out if it's someone else's fault first. If it still doesn't make sense then it probably is something you've caused.
I guess it's a week of thoughts rather than technical stuff.
Monday, April 14. 2008
Best laid plans gang aft agley
No matter how much you prepare, no matter how much work you put in beforehand, no matter what you do you cannot always have everything covered. This weekend myself, Dave and Chris were on-site performing an upgrade for a customer (several server upgrades, some new hardware, some switching of roles, upgrade to Exchange 2007 from Exchange 2003, replication of Exchange using SCR, file replication using DFS, implementation of a load balanced terminal server cluster, etc.). It was quite significant to say the least. Luckily we had done a lot of prep work beforehand so that we didn't have to do as much; Everything from new OU structure to new group policies for software deployment, to the virtual servers already being built and ready to be added to the domain.
Sadly several things bit us in the arse; Several GPO settings aren't accessible from a 2008 server that were available on a 2003 server (I'm specifically thinking the 2003 R2 Printer Deployment - no matter what we did existing settings wouldn't actually show up), an older server we wanted to use as the virtual server host was playing up when we moved the virtual servers to it, which resulted in a complete change of plan, the virtual domain controller idea was binned at the main office end, and the idea of using a small virtualised 2008 server for the print server wasn't 100% successful thanks to an older Toshiba Studio 311C that we had forgotten about, and some barcode printers. The ISA 2004 to 2006 upgrade went like a dream, however (don't ask).
Despite this, when users came in this morning we had few problems - some issues with some of the accountancy software, some issues with printers not being set as the default (which their invoice/despatch note formatting software uses), and weirdly some users picking up old policies that just wouldn't die until the profile was binned (thank you File and Settings Transfer, you did save me some time there). When you consider that there was almost no reasonable chance of going back to how things were originally in a reasonable time-frame, and that the margin for error was obviously so small, it's impressive just how well things went despite the changes in the original plan.
It also goes to show that even if you have to bin several days of preparation and planning, that work still pays off regardless. Constant testing with users throughout, at each suitable stage, is key, no matter how much of a pain in the arse it is. Our plans for smaller customers tend to be a bit thin on the ground, but this is usually because it's the same old routine over and over again. Whilst this means we know what we're doing, it does mean that we could get a bit complacent; having a new, more interesting, larger project like this certainly reminded me a lot about the importance of a good plan, good prep work, and being paranoid (to a certain extent).
Thursday, April 3. 2008
MS ISA Server 2004 to Draytek Vigor 2800 IPSec Tunnel
A few weeks ago I had to setup my first IPSec tunnel between ISA 2004 and a non-Windows device, in this case a Draytek Vigor 2800, to create a site-to-site VPN. I had a few things that I hit on the Draytek which stumped me for a little bit (although probably could've been resolved much more quickly had I been more familiar with a Draytek Vigor I fear).
First thing I did was to head into the ISA console and setup an IPSec tunnel, using almost all of the defaults (this is important as the settings for the Draytek must match the ISA/Windows defaults). If you're not familiar with ISA, then the process is roughly as follows;
The Vigor then needs to be configured, to match the ISA server;
You should now be good to go, and your Vigor and ISA box will negotiate and encrypt all traffic that travels between the 2 subnets, as it should. To check on the Vigor you can head to connection management and check out whether or not the tunnel is currently up, and that it's encrypted.
There are various reasons for opting for an IPSec tunnel, however the major one is that it's one of the easier tunnels that can be created, and are secure. You could of course opt for a site-to-site PPTP, or L2TP/IPSec, VPN. However these come with their own complications and security issues.
If the Vigor 2800 is anything to go by, I'd say that the Draytek routers are a nice bit of kit which work well for SOHO deployments, although there are a number of things in the GUI which really started to cheese me off after a while. There's no denying that they're not as flexible as other solutions, but they're no where near as simple as other routers which you could use. I'm still not entirely convinced that they're the perfect solution, although Chris has fallen in love with them, but at the end of the day for this sort of job you're rarely going to be touching them once they're up and working, so the cost savings over an equivilent Cisco box may pay off at the end of the day.
First thing I did was to head into the ISA console and set up an IPSec tunnel, using almost all of the defaults (this is important, as the settings on the Draytek must match the ISA/Windows defaults). If you're not familiar with ISA, the process is roughly as follows:
- Under VPN and then Remote Sites, hit "Add a remote site network" under Tasks.
- Select IPSec tunnel, bung in the external IP of the Draytek for the "Remote VPN gateway IP address" and select the external IP for the local gateway (what you'd probably refer to as the end points if you were doing this in anything else). Add the authentication (either PSK or certificate; in this example I'll use a PSK, although you might want to think about using a certificate once you've tested it with a PSK), add the remote address subnet and then pretty much follow the defaults.
- Apply this and then head to Configuration > Networks, Network Rules. Create a new Network Rule from our internal subnet into the remote network, set to route, not NAT.
- Apply this, then head to the Firewall Policy and create a couple of rules to allow the traffic we wanted the remote subnet and the internal one to send and receive. Apply again and you're done.
The Vigor then needs to be configured to match the ISA server:
- Head to VPN and Remote Access > Remote Access Control, and enable the IPSec VPN Service (this is what had caught me out; somehow I'd managed to miss this completely!).
- Under IPSec General Setup, untick Medium (AH) and tick all the items next to High (ESP).
- Next go to VPN and Remote Access > LAN to LAN. Select the first free profile (probably 1) and set it up as follows:
- Common Settings: set the Profile Name to anything you like, it's just a name; I used the same name that I gave the network in ISA. Tick "Enable this profile" and select both for Call Direction.
- Dial-Out Settings: select IPSec tunnel, set the "Server IP/Host Name for VPN" to the external IP of your ISA server (or whatever you selected in your IPSec tunnel setup in ISA). Set the IKE Pre-Shared Key to the same as in ISA, or if you used a certificate set the Digital Signature. Under IPSec Security Method set "High (ESP) 3DES with Authentication". Click Advanced to open a new window, check "Main mode", set the IKE phase 1 proposal to 3DES_SHA1_G2, the IKE phase 2 proposal to 3DES_SHA1/DES_MD5, the IKE phase 1 key lifetime to 28800, the IKE phase 2 key lifetime to 3600, enable PFS and click OK.
- TCP/IP Network Settings: set the WAN IP and the Remote Gateway IP to 0.0.0.0. Set the Remote Network IP to your internal subnet host address, and the Remote Network Mask to your internal subnet mask (by internal I mean the subnet protected by ISA). Disable RIP (unless you want to use it), and set the NAT operation to Private IP. We didn't need to set this as the default route, but that's obviously your own design decision.
You should now be good to go, and your Vigor and ISA box will negotiate and encrypt all traffic that travels between the 2 subnets, as it should. To check on the Vigor you can head to Connection Management and see whether or not the tunnel is currently up, and that it's encrypted.
There are various reasons for opting for an IPSec tunnel, however the major one is that it's one of the easier tunnels that can be created, and it is secure. You could of course opt for a site-to-site PPTP or L2TP/IPSec VPN. However, these come with their own complications and security issues.
If the Vigor 2800 is anything to go by, I'd say that the Draytek routers are a nice bit of kit which work well for SOHO deployments, although there are a number of things in the GUI which really started to cheese me off after a while. There's no denying that they're not as flexible as other solutions, but they're nowhere near as simple as other routers which you could use. I'm still not entirely convinced that they're the perfect solution, although Chris has fallen in love with them, but for this sort of job you're rarely going to be touching them once they're up and working, so the cost savings over an equivalent Cisco box may pay off at the end of the day.
Monday, March 24. 2008
Alternative sensors to aid intrusion detection
Lenny Zeltser wrote a few days ago, on the ISC handlers diary, about alternative sensors to aid intrusion detection on mobile devices, based on research by Grant Jacoby. Without wanting to ruin the content of the article (and it is worth at least a quick read over), it certainly made me think about just what could also be used in small-medium scale deployments and infrastructures; the number of physical entry attempts to a shared remote site/rack, for instance.
Monday, March 17. 2008
Group policy "Restricted Groups"
Restricted Groups is a part of the GPO Computer Configuration tree that I'd never used until today, primarily because I'd never looked into what it does exactly, and partially because it has a misleading name (in my mind) and I assumed that it did something else.
What this feature allows you to do is configure membership of groups within Active Directory or in the local groups of domain computers. It's also available in the local security policy (naturally), so you can also use it on a standalone machine (although I'd imagine that in this situation it would be rather less useful).
Why do I now consider this setting important? Because it allows you to set up a GPO for an OU to allow users to be a member of a given local group, such as the Remote Desktop Users, for instance. This first example is useful to me as I didn't want users to be a member of the AD Remote Desktop Users group and have RDP access all over the network by default. This allows me to add a group of users to the local RDU group, and now set up a Terminal Server entirely automatically once it's been added to the correct OU.
The second example is forcing membership to the local administrators group. This is useful in stopping fiddlers (who "require" local administrator rights on laptops) from removing Domain Admins, or other groups and users, from the local admin group. Whilst I've only ever been locked out of a user's laptop once because of this, I'd rather not go through that again.
Another benefit of using the setting is that it will automatically remove any local user accounts that should not be a member of the local admins group. I'm sure you can imagine why this is useful!
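To see what the setting would actually change on a given box, here is an added PowerShell audit script (my own example, not from the post): it reads the local Administrators group through the WinNT ADSI provider, compares it with the membership list you intend to enforce, and reports which members a Restricted Groups policy would strip (local accounts flagged separately) and which it would put back. The group names in $Expected are constructed placeholders.

```powershell
# Added example: audit a machine's local Administrators membership against the
# list a Restricted Groups policy is meant to enforce. Uses the WinNT ADSI
# provider so it works on Server 2003/2008-era hosts without newer cmdlets.
# $Expected holds constructed placeholder names; substitute your own groups.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$GroupName    = 'Administrators',
    [string[]]$Expected   = @('Administrator', 'Domain Admins', 'Laptop Admins')  # hypothetical
)

function Get-LocalGroupMembership {
    param([string]$Computer, [string]$Group)
    $adsiGroup = [ADSI]"WinNT://$Computer/$Group,group"
    # Invoke('Members') returns COM objects; read Name and ADsPath off each one
    @($adsiGroup.psbase.Invoke('Members')) | ForEach-Object {
        $name = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath is WinNT://DOMAIN/Name for domain principals and
        # WinNT://COMPUTER/Name for accounts local to the machine
        $source = (($path -replace '^WinNT://', '') -split '/')[0]
        New-Object PSObject -Property @{
            Name    = $name
            Source  = $source
            IsLocal = ($source -ieq $Computer)
        }
    }
}

$members = @(Get-LocalGroupMembership -Computer $ComputerName -Group $GroupName)
$actual  = @($members | ForEach-Object { $_.Name })

# Members the policy would remove: anything not on the enforced list...
$extra = @($members | Where-Object { $Expected -notcontains $_.Name })
# ...and members it would put back if someone had deleted them.
$missing = @($Expected | Where-Object { $actual -notcontains $_ })

Write-Host "Local $GroupName on $ComputerName has $($members.Count) member(s)"
foreach ($m in $extra) {
    $kind = if ($m.IsLocal) { 'local account' } else { 'domain principal' }
    Write-Host "  WOULD REMOVE: $($m.Source)\$($m.Name) ($kind)"
}
foreach ($name in $missing) {
    Write-Host "  WOULD ADD:    $name"
}
if ($extra.Count -eq 0 -and $missing.Count -eq 0) {
    Write-Host "  Membership already matches the Restricted Groups list"
}
```

Run it against a machine before linking the GPO to confirm the list you are about to enforce is the one you mean; whatever it reports as WOULD REMOVE is exactly what the policy will take out on the next refresh.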
Sunday, March 16. 2008
Posted by the_angry_angel in Gaming, Geek, Multimedia, Personal, Windows at 18:22
Comments (0)
Trackbacks (0)
Revisiting virtual worlds
It's no secret that I enjoy PC gaming, and several MMOs are part of this. However, keeping more than one on the go is pretty difficult as anyone will tell you, which is why I tend to only play one at once. This week I decided to go back to 2 worlds that I've barely set foot in for over a year: Second Life and EVE: Online.
I'll start with Second Life, for the good of my health. I never "got" it to start off with, so I was a little apprehensive of going back. Sadly it seems that things have not changed. It's still laggy, filled with people buying cocks, nipples and sexual movements. I was unable to find any reasonable non-mature locations, except for the zones owned by Sun, IBM, Microsoft, etc., which were in fact pretty much abandoned.
I like the idea behind Second Life; the idea that you can do whatever you want and build whatever you want is something I thought would be awesome in the early 2000's, yet it just doesn't seem to have really carried off well. Perhaps the total lack of an end goal has caused this.
EVE: Online, on the other hand, was my first proper MMO, which is almost always the one you fall in love with. I love the fact that it's in space, I love that it's huge, I love that it's unsharded and I love that you almost always come across other people in both popular and "unpopular" areas. There's also the part of me that wishes I were in the future and that I could be that hard captain just trying to get by without submitting to a Corporation. I also believe that humanity should be exploring the stars more than we are now. There was an article a few weeks ago about a one-way, solo trip to Mars - I'd seriously do that in a heartbeat provided I had some sort of stable network connection back to home. However, that's another discussion, so let's get back on topic.
There's no denying that EVE is bite-the-back-of-your-hand gorgeous. It was gorgeous in 2002-2003 when I was playing the final set of betas on a crappy Radeon 7200 or Geforce 4200Ti, and it was improved upon by 2005. It's even more so now, with the improved hardware and the time that they've clearly put into the game from GUI to environment to ships, as well as getting it to run on the major 3 platforms (Windows, Linux and Mac OSX) in some way, shape or form.
Yet despite this I just don't seem to be getting the same satisfaction. Maybe it's purely because it's now been nearly 2 whole years since I last played and it's simply going to take more time to get back into it, because, let's face facts, it's a little more complex than WoW or TF2. But somehow I'm left wondering. I've got a month of game time, which I'm going to use to try and get back into stuff, so I'll soon see.
Sadly there are a few things about EVE that have not changed. Perhaps it was simply my timing (I rejoined as a new patch was deployed), but the lag in certain systems still exists, along with chat lag and a proliferation of gankers in certain systems. You can see that CCP have really tried to improve things, but it just looks like they've succeeded in moving the issue from one location to another; in the time I've been away you can see that the old choke points are now simply a few jumps out.
As part of my reorientation I jumped in a shuttle (the smallest, fastest ship (by default)) to do some sightseeing. I hit the usual points including EVE Gate, City of God, several of the ruins, and so on. In doing so I was surprised to see that certain marks I've left on the universe are still there, including an anchored Sec-Can at EVE gate, which is still pretty far out.
This really made me appreciate what a battle CCP really have, and just how difficult maintaining their infrastructure must be. I really do have a renewed, great respect for this company.
Thursday, March 6. 2008
MS Windows Server 2008 & multiple RDP connections per user
At work it's sometimes useful to allow multiple connections to a server, from the same user account, so that we can get more done at once, or to help out each other.
By default on Windows 2008 server you can't do this. Simple fix: Start up gpedit.msc, go to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Connections\, find "Restrict each user to a single session" and disable. If you're on a domain and want to apply it to multiple machines, you obviously need to make it a domain policy.
Bullshit back story applied, just for Chris!
P.S. I win.
Friday, February 29. 2008
Why I love comic books, cartoons and comic-film conversions
There are quite a few simple reasons for this:
- It takes me back to my childhood (or the last time I read said comic)
- There's that hero fantasy angle and living through the comic/film
- The gadgets
- The inevitable women (in some story lines)
I'm sure that there are others, but they're just not springing to mind immediately. Why am I on this tack today? Well that's easy; another Ironman trailer was launched a few days ago and I've just seen it. It. Looks. Awesome.
Around summer last year we saw one of the first teasers for Ironman launched and it looked good then, so it seems that things are well on course. From what I've seen, first-time director (according to IMDB) Jon Favreau is doing a fantastic job.
However, I do hope that it's a long film, because it looks like they're cramming a fair bit of the Ironman evolution into the film, and there's Stark's change of perspective. I love the fact that he's an arrogant bastard - that's absolutely fucking spot on - I just hope that they don't send it too far into the "I've now got a conscience" direction.
What with this and the Dark Knight shortly afterwards, it's looking to be a really good summer cinema experience!