Monday, June 17, 2019

How to change the resume posted on LinkedIn


After having updated my resume recently, I wanted to replace the file which is available on my LinkedIn profile. I clicked on every option on my profile page but could not find an option to see the existing resume file or upload a new one.

This resume file is the one which gets sent to the recruiter when you apply for jobs on LinkedIn using the Easy Apply button on the job posting. 

After spending a very frustrating 30 odd minutes, I realized that the only way to access this was by applying for a position using the Easy Apply option. The Easy Apply option opens a small window which allows you to select the resume files which you have uploaded. This page also gives you an option to delete the existing file and upload a new one. At the bottom of this page, there is a link for "Application Settings" which also gives you the option to manage the resume file stored on your profile. 

The URL of this page is https://www.linkedin.com/jobs/application-settings/. So you can also reach it directly by visiting that URL while you are logged into LinkedIn.

Hope this information helps other job seekers update their resume file stored with their profile.

Friday, July 11, 2014

Exchange 2013- ECP & OWA Returns Blank Page


After the Exchange 2013 installation I rebooted the server and tried to access the ECP. The Forms Based Authentication page came up, and after I typed the username and password the page redirected to “/owa/auth.owa” and returned a blank page. All three URLs below returned the same blank page.

https://ServerFQDN/ecp/?ExchClientVer=15
https://ServerFQDN/ecp
https://ServerFQDN/owa

The System Event Log had the below error registered.

Event ID: 15021
Event Source: HttpEvent
Description: An error occurred while using SSL configuration for endpoint x.x.x.x:443. The error status code is contained within the returned data.

After reading a few posts online, I suspected it to be an issue with the SSL certificate bound to the website in IIS.
I ran the netsh command below and dumped the output to a temp file.

netsh http show sslcert > D:\Temp\SSL.txt

There were 5 binding sections, 3 of them for HTTPS/443, each associated with a certificate hash. To make sure that the right certificate was bound to each listener I had to get the thumbprint of the correct certificate.
I fired up mmc, added the Certificates snap-in for the computer account and navigated to the Personal certificate store. I obtained the thumbprint of the certificate which was ‘Issued To’ the computer name and had the friendly name “Microsoft Exchange”. Then I compared that thumbprint against the “Certificate Hash” entry of each SSL certificate binding.

IP:port          : 0.0.0.0:443
Certificate Hash : 6g241621555492d473411160e41fae768d489f1x
Application ID   : {3dc4e181-f14b-4a21-b011-59fc669b0419}

IP:port          : 127.0.0.1:443
Certificate Hash : 6g241621555492d473411160e41fae768d489f1x
Application ID   : {3dc4e181-f14b-4a21-b011-59fc669b0419}

IP:port          : 111.111.111.111:443
Certificate Hash : b5765b22035b7f50f260d86fcc5646c85cf3e68a
Application ID   : {3dc4e181-f14b-4a21-b011-59fc669b0419}

The last section had a different thumbprint, which could be the reason for the issue. So I had to remove this binding and re-associate the endpoint with the right certificate. I ran the command below.

netsh http delete sslcert ipport=111.111.111.111:443

Then ran the command to add the right hash.

netsh http add sslcert ipport=111.111.111.111:443 certhash=6g241621555492d473411160e41fae768d489f1x appid={3dc4e181-f14b-4a21-b011-59fc669b0419}

Restarted IIS, and the 15021 error was gone.
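The comparison above was done by hand between an mmc window and a text file. The PowerShell script below is an added example (it is not from the original post) that does the same check repeatably: it reads the thumbprint of the "Microsoft Exchange" certificate from the computer's Personal store, parses the output of `netsh http show sslcert`, flags every :443 binding whose hash differs, and with `-Fix` runs the same delete/add sequence the post used, keeping the application ID already present on the binding. It assumes English netsh output and exactly one certificate with that friendly name; real thumbprints are 40 hexadecimal characters, so the hash values quoted above are placeholders.

```powershell
# Added example: audit (and optionally repair) HTTP.sys SSL bindings against the
# "Microsoft Exchange" certificate in Cert:\LocalMachine\My. Run elevated.
param([switch]$Fix)

$exchCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'Microsoft Exchange' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $exchCert) { throw "No certificate with friendly name 'Microsoft Exchange' in Cert:\LocalMachine\My" }
$expected = $exchCert.Thumbprint.ToLower()
Write-Host "Expected certificate hash: $expected ($($exchCert.Subject))"

# Parse the 'IP:port / Certificate Hash / Application ID' triples out of netsh
# (assumes the English labels; SNI 'Hostname:port' bindings are ignored).
$bindings = New-Object System.Collections.Generic.List[object]
$cur = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
        $cur = [pscustomobject]@{ IPPort = $matches[1]; Hash = $null; AppId = $null }
        $bindings.Add($cur)
    }
    elseif ($cur -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
        $cur.Hash = $matches[1].ToLower()
    }
    elseif ($cur -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') {
        $cur.AppId = $matches[1]
    }
}

$mismatched = @()
foreach ($b in $bindings) {
    if ($b.IPPort -notmatch ':443$') { continue }          # only the HTTPS listeners
    $state = if ($b.Hash -eq $expected) { 'OK' } else { 'MISMATCH' }
    Write-Host ("{0,-22} {1} {2}" -f $b.IPPort, $b.Hash, $state)
    if ($state -eq 'MISMATCH') { $mismatched += $b }
}

if ($Fix) {
    foreach ($b in $mismatched) {
        # Same delete/add sequence as above, driven by the parsed values and
        # reusing the application ID that was already on the binding.
        & netsh http delete sslcert ipport=$($b.IPPort) | Out-Null
        & netsh http add sslcert ipport=$($b.IPPort) certhash=$expected appid=$($b.AppId) | Out-Null
        Write-Host "Rebound $($b.IPPort) to $expected"
    }
    if ($mismatched.Count -gt 0) { iisreset | Out-Null }
}
```

Run it once without `-Fix` to see the table, then with `-Fix`; afterwards `netsh http show sslcert` should show the same hash on every :443 endpoint and the 15021 events should stop.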

However, the blank page issue still persisted. Further searching took me to KB 2871485, which seemed to make sense. I ran the commands below to obtain the current authentication settings on the OWA and ECP virtual directories. The settings for FBA and Windows Integrated Authentication were as below.

Get-OwaVirtualDirectory -Server ServerName | fl *auth*
Get-EcpVirtualDirectory -Server ServerName | fl *auth*

Name                  : owa (Default Web Site)
WindowsAuthentication : False
FormsAuthentication   : True


I executed the commands below to disable Forms Based Authentication and enable Windows Integrated Authentication on both the OWA and ECP virtual directories.

Set-OwaVirtualDirectory -Identity "ServerName\owa (Default Web Site)" -FormsAuthentication $false -WindowsAuthentication $true


Set-EcpVirtualDirectory -Identity "ServerName\ECP (Default Web Site)" -FormsAuthentication $false -WindowsAuthentication $true


Did an IISReset and Eureka... I was able to access the ECP.
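Changing the authentication method on a client-facing virtual directory is the kind of change you want to be able to undo. The script below is an added example, not part of the original post, for the Exchange Management Shell: it records the forms/Windows authentication settings of every owa and ecp virtual directory on a server before you change anything, and with `-Restore` puts them back. Exchange 2013 publishes an owa and an ecp virtual directory on both the Default Web Site (the client-facing site) and the Exchange Back End site, and both show up in the listing, so check which one an `-Identity` refers to before changing it. `$ServerName` defaults to the local machine and the backup path is a placeholder.

```powershell
# Added example: snapshot and restore OWA/ECP virtual directory authentication
# settings (run in the Exchange Management Shell, as an Exchange administrator).
param(
    [string]$ServerName = $env:COMPUTERNAME,
    [string]$Backup = "$env:TEMP\ExchangeAuth-$ServerName.xml",
    [switch]$Restore
)

function Get-AuthSnapshot {
    # Both the Default Web Site and the Exchange Back End directories are returned.
    @(Get-OwaVirtualDirectory -Server $ServerName) + @(Get-EcpVirtualDirectory -Server $ServerName) |
        Select-Object Identity, Name, FormsAuthentication, WindowsAuthentication, BasicAuthentication
}

if (-not $Restore) {
    $snap = Get-AuthSnapshot
    $snap | Export-Clixml -Path $Backup
    $snap | Format-Table Identity, FormsAuthentication, WindowsAuthentication, BasicAuthentication -AutoSize
    Write-Host "Settings saved to $Backup"
}
else {
    foreach ($v in (Import-Clixml -Path $Backup)) {
        $id = $v.Identity.ToString()          # e.g. "SERVER\owa (Default Web Site)"
        if ($v.Name -like 'owa*') {
            Set-OwaVirtualDirectory -Identity $id -FormsAuthentication $v.FormsAuthentication -WindowsAuthentication $v.WindowsAuthentication
        }
        else {
            Set-EcpVirtualDirectory -Identity $id -FormsAuthentication $v.FormsAuthentication -WindowsAuthentication $v.WindowsAuthentication
        }
        Write-Host "Restored $id"
    }
    iisreset | Out-Null
}
```

Take the snapshot, make the change from the post, test, and if users lose the forms logon page you did not expect to lose, run the script again with `-Restore`.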

Sunday, May 11, 2014

TrueCaller - The Magical App - Or is it.. ?

I have heard a lot of people mention this wonderful app on their smartphones, which displays the name of the person calling even if you do not have it in your contact list. Interestingly enough, last week I heard "an IT geek" at one of the local radio stations suggesting that listeners install this cool app on their smartphones. He went ahead and explained that the app gets the database from the GSM service providers. Well, this is what most of the innocent users of this app believe !! 

No GSM service provider will ever publish a directory of all its subscribers or give anyone else access to tap into its subscriber database. Then how does TrueCaller do what it claims to do with almost 100% accuracy, showing you the name of the person calling, magically?

The magic starts immediately after the app is downloaded to your smartphone and you recite the wedding vows.

"I take you to be my lawfully installed application, my trusted magical wizard from this day forward. In the presence of the internet, android and iOS, I offer all my contact details with their names, location and numbers to you so that you can share it with the rest of the world. I promise to allow you to synchronize my phone book with your servers as long as I have you installed on my smartphone."

This is what you allow the app to do when you agree to the prompts after the install :-

  1. Modify Your Contacts
  2. Read Your Contacts
  3. Read Call Log
  4. Write Call Log

The app uploads a copy of your entire phone book to its servers. This is what it has done with the phone book of its 20 million users. So what they have on their servers is an aggregated phone book database of millions of mobile numbers which are constantly updated with the new contacts that each of its subscribers add to their phone books. 

So when a caller who is not in your contact list calls you, the app looks up its database and shows you the name under which other people have listed that number. It picks the most relevant name based on how often it occurs in the database. So the pretty girl next door might be listed as 'My Honey Bun' in someone's contact list, 'My Ex-2013' in someone else's, and as Ms. First Name Last Name in the phone books of a few of her colleagues. If she were to call your mobile, it would most likely show you Ms. First Name Last Name (maximum occurrence). However, if she called you from a number which she has only shared with her boyfriends (current and ex), the app might list the caller as 'My Honey Bun' !!

As if the phone book data was not enough, TrueCaller has integration with Facebook, Twitter, WhatsApp etc., giving it access to the contact details of your friends on these social platforms as well. 

As the app has access to your call log, it is also able to analyse your call patterns, monthly spend, frequently called friends/associates etc. This information is worth millions to a lot of commercial establishments, which would be able to create and target effective marketing campaigns based on this data. 

Last year TrueCaller was hacked and the database compromised. The hackers managed to download multiple databases from the TrueCaller website. These databases had contact information about millions of phone users including private numbers of a lot of politically and socially important personalities. 

The intention of this post is to educate readers about how the application works and inform them about the potential security risk of having this app installed on their phone. I am sure each one of us has a different perspective on security. However, one should realize that by synchronizing your contact list you are exposing the privacy of your friends and family members. If your contact list has details of people who are socially or politically important, VIPs etc., you might be compromising their security by installing this application on your phone.

Monday, July 1, 2013

Windows Updates Fails with Error 0x8024d007


I was trying to run Windows Update on one of my Windows Server 2003 machines and encountered the 0x8024d007 error. There are numerous posts available online with this error message and multiple solutions provided to solve the issue as well. The description of the issue is as below.

When you run Windows Update from the Start menu, you get a message suggesting that you download and install the latest version of the Windows Update software. When you click the “Update Windows” button on this web page, it starts to download and install the software; the counter runs to 100% and then fails with [Error number: 0x8024D007].

The C:\Windows\WindowsUpdate.log file would register the following error messages.
WU client version 7.4.7600.226
WARNING: Exit code = 0x8024D007
FATAL: InstallUpdatedBinaries failed with error 0x8024d007
FATAL: UpdateClientWorker failed: error 0x8024d007

I will list down the steps which I have followed based on inputs from various posts online. Depending on your case either one or a combination of multiple steps might help solve your problem.
Solution 1: Manually install the Windows Update Agent from the Microsoft site. Once you have downloaded the executable, run it with the /wuforce switch to force it to install over an existing version of the Update Agent (windowsupdateagent30-x86.exe /wuforce).
Solution 2: Re-register the following DLL files. You could put all the lines below into a batch file and run it in one go.
REGSVR32 WUPS2.DLL /S
REGSVR32 WUPS.DLL /S
REGSVR32 WUAUENG.DLL /S
REGSVR32 WUAPI.DLL /S
REGSVR32 MUCLTUI.DLL /S
REGSVR32 WUCLTUI.DLL /S
REGSVR32 WUWEB.DLL /S
REGSVR32 MUWEB.DLL /S
REGSVR32 QMGR.DLL /S
REGSVR32 QMGRPRXY.DLL /S

Solution 3: Rename the SoftwareDistribution folder under the %windir% folder. Please note that this can only be done when the Automatic Updates service is not running. You can run the commands below or do it through the Services.msc console and the Windows Explorer interface.

Net stop wuauserv
Ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
Net start wuauserv



Solution 4: Give permissions on certain registry keys.

Give Full Control to SYSTEM and the local Administrators group on the wuauserv service key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv

Give Full Control to SYSTEM and the local Administrators group on the Svchost key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
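
Solution 4 is described above only in terms of the Regedit permissions dialog. The script below is an added example (not from the original post) that makes the same change from an elevated PowerShell prompt: for each of the two keys it saves the current security descriptor in SDDL form to a file, adds a Full Control allow entry for SYSTEM and Administrators that is inherited by subkeys, writes the ACL back, and prints the resulting entries so you can see the change took. The backup file path is a placeholder.

```powershell
# Added example: grant SYSTEM and Administrators Full Control on the Windows
# Update related registry keys, keeping an SDDL backup for rollback. Run elevated.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
)
$grantees   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$backupFile = Join-Path $env:TEMP 'wu-regacl-backup.txt'

foreach ($key in $keys) {
    $acl = Get-Acl -Path $key

    # One line per key: path<TAB>SDDL. To roll back a key later:
    #   $a = Get-Acl $key; $a.SetSecurityDescriptorSddlForm($sddl); Set-Acl $key $a
    "$key`t$($acl.Sddl)" | Add-Content -Path $backupFile

    foreach ($who in $grantees) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $who,
            [System.Security.AccessControl.RegistryRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)      # adds to, does not replace, the existing entries
    }
    Set-Acl -Path $key -AclObject $acl

    # Verify: show the Allow entries now present for the two grantees.
    (Get-Acl -Path $key).Access |
        Where-Object { $grantees -contains $_.IdentityReference.Value } |
        Select-Object @{n='Key'; e={ $key }}, IdentityReference, RegistryRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
```

Stop the Automatic Updates service (net stop wuauserv) before running it and start it again afterwards, as in Solution 3.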


Solution 5:
None of the steps mentioned above solved the issue in my case and finally I decided to apply the setup security template to the server to reset all the rights and permissions. I am glad I did. As soon as the settings were applied the windows update went and fetched a list of updates which were to be installed on the server.

Applying the Setup Security can again be done thru the MMC console or the CLI. The steps are available here for your reference.

You can also do the above using the secedit command line utility. Syntax and examples are available here.

Once the baseline security was applied, Windows Update happily started downloading updates from the Microsoft site.



Wednesday, June 19, 2013

Reason 442 :Failed to enable Virtual Adapter


I have the Cisco VPN Client version 5.0.03.0390 installed on a fresh, vanilla installation of Windows 8.

The VPN connection fails to get established and the client throws an error complaining that it was unable to enable the Virtual Adapter because it could not open the device. The log window of the client registers the error below :-

Sev=Warning/3 CVPND/0xE340000C. The Client was unable to enable the Virtual Adapter because it could not open the device.


In the network and connections page, there is a "Local Area Connection" entry with "Cisco Systems VPN Adapter" registered as the hardware adapter. 



Now it seems that the DisplayName string value under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA" in the registry has to match the adapter name. However, this value had some extra characters in it (screenshot below). Once these extra characters are deleted and the value is just "Cisco Systems VPN Adapter" (or "Cisco Systems VPN Adapter for 64-bit Windows" on 64-bit editions of Windows 8), the VPN connection works fine.
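The script below is an added example, not from the original post: it reads the CVirtA DisplayName, compares it with the value the adapter name should carry and, if they differ, exports the key for rollback and rewrites the value. The two expected strings are the ones quoted above; the script only chooses between them by OS bitness, and it does not guess at what the extra characters were. Run it from an elevated PowerShell prompt.

```powershell
# Added example: check and correct the Cisco VPN virtual adapter DisplayName.
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\CVirtA'
$regPath  = 'HKLM\SYSTEM\CurrentControlSet\Services\CVirtA'   # reg.exe form of the same key
$expected = if ([Environment]::Is64BitOperatingSystem) {
    'Cisco Systems VPN Adapter for 64-bit Windows'
} else {
    'Cisco Systems VPN Adapter'
}

$current = (Get-ItemProperty -Path $key -Name DisplayName).DisplayName
Write-Host "Current : [$current]"
Write-Host "Expected: [$expected]"

if ($current -ne $expected) {
    # Keep a copy of the whole key so the original value can be restored.
    $backup = Join-Path $env:TEMP 'CVirtA-backup.reg'
    reg export $regPath $backup /y | Out-Null
    Set-ItemProperty -Path $key -Name DisplayName -Value $expected
    Write-Host "DisplayName corrected (backup in $backup). Reboot before retrying the VPN connection."
}
else {
    Write-Host 'DisplayName already matches the adapter name.'
}

# Cross-check against the adapter as Windows sees it in Network Connections.
Get-WmiObject Win32_NetworkAdapter -Filter "Name LIKE 'Cisco Systems VPN Adapter%'" |
    Select-Object Name, NetConnectionID, NetConnectionStatus
```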
 


Lost access to secondary partition after Windows 8 Install ... for a few minutes.


I had to reinstall Windows 8 on my laptop due to some issues with the OS. I had two partitions on the local disk, so I copied all my data and installation source directories on to the secondary partition (E:) and did a fresh install of Windows 8 on to the C: drive.


After the computer rebooted post installation, I could see both drive letters, C: and E:, as they existed before the install. I clicked on the E: drive to get my software source folder and… I heard the loud Windows critical error sound effect, and a red cross with a message on the screen telling me that the drive "E:\ is not accessible" and "Access is denied". I checked the properties of the drive and it said zero bytes used. PANIC PANIC... I thought for a moment that I had lost all the data.




Luckily enough, when I clicked on the Security tab it said that I don’t have permission to view the properties of the object. Ray of hope…. I clicked on Advanced and now it complained about being unable to display the current owner. I took ownership of the drive and assigned my currently logged-in user account full access, OK, OK, Apply. Eureka... there was the familiar message on the drive icon, 90 GB used of 150 GB.

I believe the reason is that the local user account created immediately after install, the one which I used for logging in, isn't part of the local Administrators group. The ACL for the drive only has the SID of the local Administrators group, and hence Windows refused to give access or even let me enumerate the drive contents.
If you do come across this issue, please note that giving access to the local Administrators group wouldn't give the newly created user access to the drive, as by default it’s not part of the local Administrators group. You will have to either add the currently logged-in user to the ACL of the drive, or add yourself to the Administrators group and then log off and log back in to access the drive.
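The same repair from the command line, as an added example that is not part of the original post: save the current ACL of the drive root, take ownership, grant the logged-in user an inheritable Full Control entry, then confirm the drive enumerates. Run it from an elevated prompt. E:\ is the drive from the post; replace it with the partition you lost access to, and keep the backup file on a drive you can still read.

```powershell
# Added example: regain access to a data partition whose ACL only names a group
# the current token is not a member of. Requires an elevated PowerShell prompt.
$drive     = 'E:\'
$user      = "$env:USERDOMAIN\$env:USERNAME"
$aclBackup = Join-Path $env:TEMP 'E-drive-acl-backup.txt'

# 1. Save the existing ACL of the root. (Not recursive: the root entry is what
#    blocks enumeration, and /T on a large drive takes a long time.)
#    Restore later with: icacls E:\ /restore $aclBackup
icacls $drive /save $aclBackup

# 2. Take ownership of the root so its ACL can be read and changed at all.
#    /A assigns ownership to the Administrators group instead of the current user.
takeown /F $drive /A

# 3. Grant the current account Full Control, inherited by subfolders (CI) and files (OI).
icacls $drive /grant "${user}:(OI)(CI)F"

# 4. Confirm the new entry is present and the drive now enumerates.
icacls $drive
Get-ChildItem -Path $drive -Force | Select-Object -First 5 Name, Length, LastWriteTime
```

Adding the explicit entry for your own account is what makes the difference here: as the post notes, an entry for the Administrators group alone does not help an account that is not a member of it.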


You might get an error about the recycle bin on the secondary drive being corrupted. You can just empty the bin and, if required, delete the $RECYCLE.BIN folder from the root of the drive.



Saturday, August 25, 2012

Don’t want to make Apple richer by 99 USD?


You already own the latest 4X smart TV, an Xbox 360, a PlayStation, an impressive AV receiver with an equally impressive set of speakers and one or more iOS devices. Now the audiophile in you has a desire to play the music collection on your iOS device wirelessly to your 5.1 or a 7.2 AV receiver and enjoy it thru the carefully placed speakers all around your living room.

The only solution which seems to give you the result requires a minimum investment of 99 USD: you would need to get an Apple TV, unless of course you can convince yourself to replace your existing AV receiver with a new one which has built-in AirPlay support, like the Denon AVR-1912 or Pioneer VSX-1021-K, both of which would set you back by at least 500 USD.

If you did convince yourself, I doubt you were successful in convincing your wife. If you weren’t and you are still looking at alternatives, read on...

Bluetooth Devices

You could get yourself a Bluetooth device like the Belkin F8Z492TTP Bluetooth Music Receiver or the Logitech Wireless Speaker Adapter for Bluetooth Audio Devices. These devices can be connected to the audio input of your AV receiver. Once you have successfully paired your iPhone with one of these Bluetooth devices, the device is listed as an AirPlay output in the Music application on your iPhone/iPad. This lets you stream the music from your Apple device over Bluetooth to the AV receiver and enjoy it through the speakers connected to the receiver. These Bluetooth devices are available on Amazon for less than 40 USD. However, as you are aware, the distance between two paired Bluetooth devices has to be less than 20 feet for reliable playback.

iOS Application

If you are still feeling tightfisted and don’t want to spend even 40 dollars, you could still get the functionality by spending just 1.99 USD, only if you happen to already own a DLNA device or even an Xbox. FullBlast available on the App store is the poor man’s airplay alternative. It is as of now the only application which lets you control music playback directly when streaming to an Xbox or PS3. Except for a small delay in response when streaming to an Xbox the application works pretty well. The steps to configure the app and get it working are available on the Apple website.

Apple TV

Well you might be wondering why the Apple TV costs 99 USD when a 1.99 USD application can stream music over the wireless. The Apple TV does much more than just let you stream music over your wireless network. It can play music, movies, videos and photos from your apple device to your TV. It can also play movies and TV shows from Netflix and Hulu Plus, browse videos from YouTube and Vimeo and much more (not available in certain countries). It can mirror your iPad screen on your TV as well.

Did I just give you enough reasons to convince yourself to dig into your pocket and pull out a 100 dollar bill for the Apple TV?  
 

Feel Lucky, Wonderful, Trendy, Playful, Stellar, Hungry etc. with Google.

Google has replaced the decade old “I am feeling lucky” button on the Google home page with a button which changes text when you hover over it to “I am feeling wonderful”, “I am feeling hungry” etc. Each of these adjectives gives you a different search result.

The very familiar “I'm feeling lucky” button, since its introduction, would skip the search results and take your browser straight to the first result. This feature was made redundant after Google learnt to peep into your mind and predict what you were thinking with the Google Instant feature a couple of years ago. Google Instant starts displaying results as soon as you have entered the first letter and keeps updating them as you type the rest of your query.
If you are keen on trying this new feature, you will have to go to the google.com website, as this feature is not available on the regional Google pages like google.ae or google.co.in. To force your browser to stick to the google.com page and not redirect you to the regional page, type http://www.google.com/ncr in the address bar. Now if you hover the mouse over the “I'm feeling lucky” button it changes to one of the new variants of the button. Each of the new adjectives delivers a different result, which in most cases comes from a different Google application or project.

The "I'm feeling hungry" button displays a list of restaurants close to your location. If you have used http://www.google.com/ncr the results will not be accurate, as you have asked Google to ignore your location and use the .com website.
The "I'm feeling trendy" button shows you the hot searches on Google relevant to your location.

"I'm feeling artistic" takes you to the Google Art Project. The page doesn’t like the fact that you are using IE and suggests you use Google Chrome.
"I'm feeling wonderful" takes you to the World Wonders Project.

"I'm feeling puzzled" takes you to the "A Google a Day" website.
And so on… If you are feeling adventurous fire up your browser and try this new Google feature.




Monday, July 16, 2012

BlackBerry smartphone displays Error message “507” when upgrading BlackBerry Device Software to Version 7.1.x.

I got hold of version 7.1 for the BlackBerry 9900 after a few hours of effort on Google. Tempted to upgrade to the latest OS, I decided to take the risk of bricking my device.
I will list down the steps I followed to upgrade my device.

- Ran the executable (85_9900_7.1_b1333_*.exe) on my Windows 7 laptop. It installed the software and the update.

- Connected my device to the Desktop Manager and tried upgrading the device, but the Desktop Manager couldn’t find any upgrade for my device. This, I assume, was because the update was not for my carrier.

- Deleted the “Vendor.xml” file in “C:\Program Files\Common Files\Research In Motion\AppLoader” and then ran Loader.exe. It came up with the OS 7.1 upgrade options. A couple of clicks and the device upgrade started.

- The “Load JVM and System State” phase seemed to take quite a while. It finally threw an error about not being able to communicate with my device. When I checked the device, it had error message 507 displayed and suggested that I visit www.blackberry.com/507. The page didn’t exist on the RIM website when I checked.

- There were a few posts which suggested that I would have to reload the OS to the last version I had, using KB03621.

- Another KB on the RIM site seemed to have an explanation for this error. It seems that the power management options on the laptop turn off the USB port when it senses no activity on the port. The post further suggested that one disable the power management and reload the OS using the App Loader. Details are available in KB11320.

- Call me lucky: I just unplugged the USB cable from my laptop and plugged it back in. It made that pleasant “dong” sound announcing that it had found a device on the USB port. Then I clicked Retry on the App Loader and the upgrade continued like a charm. The device is running 7.1.0.402 (133) after the upgrade.

- I think it would not be necessary to reload the OS, as the App Loader picks up the installation from that state.

- It took another 15 minutes for the upgrade process to complete and another 5 minutes for the device to restore the backup it had taken before the upgrade. Then it proceeded to do the device activation on my BES and popped the “Activation Complete” message.

The device certainly seems to be faster with the new OS. The new features which come with this release include:-

Blackberry Tags using NFC.  You can invite a contact to BBM using Blackberry Tags. The devices have to be aligned back to back for the devices to communicate using NFC. Blackberry Tags can also be used to share contacts, media and files thru a simple touch between the devices.

There is a new “Battery Saving Mode” available which will reduce power usage when the battery power drops below the specified threshold.

There is a new Media Server option also available. Other UPnP devices connected to the same Wi-Fi network can stream media content from the BlackBerry device. DLNA devices are currently not supported.

I couldn’t find the Hotspot feature on my device. It might not have been included in the build I have.

Wi-Fi Calls can be made using the carrier’s Wi-Fi calling service (UMA-lite or GAN-lite), if available. My carrier doesn’t provide this service and hence couldn’t try it.

To sum up the 7.1.xx release is not a major release and the features added are not very impressive. Look forward to some remarkable features in the next release.


Monday, May 7, 2012

Win2008 R2 SP1: The Remote Desktop Services service terminated unexpectedly. Error 7031.


After I joined a Windows 2008 R2 SP1 machine to the domain and rebooted, a remote desktop session would connect, display "applying group policy settings" and then terminate. When you tried to connect again it would throw an error as if Remote Desktop Services were not enabled.
I logged into the server using iLO and noticed that the Remote Desktop Services service was in a stopped state. I checked the System log and found error 7031 with the description “The Remote Desktop Services service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.”

I started the service and tried logging in again, and the issue repeated. However, I was able to log in as a local administrator after the service was started. It was only crashing when the login was attempted with a domain account.
I spent some time troubleshooting and finally hit on KB 2667402, which explained the reason for this behavior: a security update that leaves the wrong version of the Rdpcorekmts.dll file in place. The explanation is as below.
"After you install security update 2667402 on a computer that is running Windows 7 or Windows Server 2008 R2, and then you install Service Pack 1 (SP1) for Windows 7 or Windows Server 2008 R2, the binary version of Rdpcorekmts.dll is 6.1.7600.16952 and not 6.1.7601.17767. In this scenario, you may be unable to create a remote desktop session to control the Windows 7 or Windows Server 2008 R2-based computer. "

I uninstalled KB 2667402 and rebooted; the ghost vanished and it let me connect over remote desktop. I was tempted to reinstall the KB and see the result, but didn’t. As per the article, reinstalling the KB should resolve the issue.
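Before removing a security update it is worth confirming that the machine is actually in the state the KB describes. The script below is an added example (not from the original post) that checks the three facts the KB text hinges on: the file version of Rdpcorekmts.dll against the two builds quoted above, whether the OS is at SP1, and whether KB2667402 is installed. It also pulls the recent 7031 events for the service so the crash described in the post can be confirmed. It assumes an elevated PowerShell prompt on the affected server.

```powershell
# Added example: confirm the KB 2667402 / SP1 Rdpcorekmts.dll version mismatch.
$dll = Join-Path $env:windir 'System32\rdpcorekmts.dll'
$ver = (Get-Item $dll).VersionInfo.FileVersion
$sp1 = [Environment]::OSVersion.Version.Build -eq 7601   # 7601 = Windows 7 / 2008 R2 SP1
$kb  = Get-HotFix -Id KB2667402 -ErrorAction SilentlyContinue

Write-Host "Rdpcorekmts.dll version : $ver"
Write-Host "SP1 (build 7601)        : $sp1"
Write-Host "KB2667402 installed     : $([bool]$kb)"

# The KB's bad case: SP1 present, update present, but the DLL still carries the
# pre-SP1 (7600) build instead of 6.1.7601.17767.
if ($sp1 -and $kb -and $ver -like '6.1.7600.*') {
    Write-Host 'State matches KB 2667402. To remove the update (reboot afterwards):'
    Write-Host '    wusa.exe /uninstall /kb:2667402'
}
elseif ($ver -like '6.1.7601.*') {
    Write-Host 'DLL already at the SP1 build; look elsewhere for the crash cause.'
}

# Corroborate with the service crash events from the System log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7031 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Remote Desktop Services*' } |
    Select-Object TimeCreated, Message
```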

Monday, July 4, 2011

Making Gmail as beautiful as it is powerful

Google has released a sneak preview of what the new Gmail interface is going to look like. The Gmail official blog mentions that they want to make Gmail as beautiful as it is powerful. Gmail users who are eager to try the new look and feel can apply the themes made available by the Google team. These themes are available at the end of the theme list and are called "Preview" and "Preview (Dense)".

I have tried these new themes and for sure the interface looks light and much cleaner. I am sure the people gadget with a presence indicator, has been there on the right pane for quite a while, but I only noticed it after I applied this new theme. I would not call this new interface/look more beautiful, but certainly it does remove the cluttered look of the existing interface.
The Gmail calendar has also been enhanced. You can try the new look by selecting "Try the new look" from options when on the calendar page. Few functions like quick add, icons for print and refresh have replaced the text which was there earlier.
Google has mentioned that the new features would be rolled out in the coming months. It would be safe to assume that there would be a lot of integration between Gmail and Google+. An integrated email feature within Facebook would have been really nice!  It would be interesting to see how Google ties all its products together and gives a single interface to their services. A communication hub with email, calendar, contacts, presence, instant messaging, voice chat, video chat, maps, photo sharing, social networking and a search function across all these.

I am sure Google will have more information about you than your girlfriend..



Saturday, August 21, 2010

Blackberry Ban- The Stalemate Continues.


There have been reports stating that RIM has given in to the demands of the Saudi government and placed a local RIM server which would allow the security agencies to snoop on the conversations happening over BBM/PIN2PIN. This was easy to achieve considering that there is only a single encryption key involved and that the key was easily available.

It would be interesting to know how the demands of other governments would be met by RIM. The Indian government has been demanding access to the emails being sent using BlackBerry Enterprise Servers. The UAE government has concerns about the emails being sent out of the country.

The BES architecture uses multiple keys which are dynamically generated and managed between the device and the BES server. Let us see what happens when Alice sends an email to Bob, who is a BlackBerry user in the same organization.

1. Alice sends an email message to Bob’s email address using her desktop email client.
2. The email server receives the email and delivers it to Bob’s mailbox.
3. The BES server receives the email from the mail server, to be delivered to Bob’s BB device.
4. The BES server compresses and encrypts the message using message keys.
5. The message key is encrypted using the device transport key.
6. The encrypted message and the encrypted message key are sent to the device through the RIM relay servers.
7. The message is delivered over the air (OTA) to the BlackBerry device through the wireless connectivity provided by the ISP.
8. The device decrypts the message key with the device transport key.
9. The device applies the message key to the encrypted message and displays it to Bob.
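
The following is an added example, not from the original post and not RIM's code: a simplified model of steps 4 to 9 in PowerShell, using the .NET AES classes. The message is encrypted with a fresh per-message key, that key is wrapped with the device transport key, and only a holder of the transport key can unwrap it; an interceptor holding the two blobs that cross the relay and the ISP gets nothing. Assumptions: AES-256-CBC stands in for RIM's AES/Triple DES, the transport key is simply generated at "activation" rather than negotiated with ECMQV, compression is omitted, and a single message key is used per message. The message text is constructed for the example.

```powershell
# Added example: message key wrapped by a device transport key (BES-style envelope).
function New-RandomBytes([int]$Count) {
    $bytes = New-Object byte[] $Count
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    return $bytes
}

function Protect-Bytes([byte[]]$Key, [byte[]]$Plain) {
    $aes = [System.Security.Cryptography.Aes]::Create()   # CBC + PKCS7 by default
    $aes.Key = $Key
    $aes.GenerateIV()
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    return [byte[]]($aes.IV + $ct)                         # IV travels in front of the ciphertext
}

function Unprotect-Bytes([byte[]]$Key, [byte[]]$Blob) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = [byte[]]$Blob[0..15]
    return $aes.CreateDecryptor().TransformFinalBlock($Blob, 16, $Blob.Length - 16)
}

# Activation: BES and device end up sharing a device transport key (here: random,
# where the real system derives it with ECMQV from long-term keys).
$deviceTransportKey = New-RandomBytes 32

# --- BES side (steps 4 and 5) ---
$messageKey    = New-RandomBytes 32
$plaintext     = [Text.Encoding]::UTF8.GetBytes('Bob, the meeting moved to 3pm.')   # constructed
$encMessage    = Protect-Bytes -Key $messageKey -Plain $plaintext
$wrappedMsgKey = Protect-Bytes -Key $deviceTransportKey -Plain $messageKey

# --- What the relay and the ISP carry (steps 6 and 7): two opaque blobs ---
$onTheWire = @{ Message = $encMessage; WrappedKey = $wrappedMsgKey }

# --- Device side (steps 8 and 9) ---
$recoveredKey = Unprotect-Bytes -Key $deviceTransportKey -Blob $onTheWire.WrappedKey
$decoded = [Text.Encoding]::UTF8.GetString((Unprotect-Bytes -Key $recoveredKey -Blob $onTheWire.Message))
"Device reads: $decoded"

# --- Interceptor with the wire data but without the transport key ---
# A wrong key almost always fails the padding check; the rare case that does not
# still yields bytes that differ from the real message key.
$leaked = $null
try { $leaked = Unprotect-Bytes -Key (New-RandomBytes 32) -Blob $onTheWire.WrappedKey } catch { }
if ($leaked -and (($leaked -join ',') -eq ($messageKey -join ','))) {
    'Interceptor recovered the message key (should never happen)'
} else {
    'Interceptor cannot recover the message key without the device transport key'
}
```

Two things the model leaves out matter in practice: there is no integrity protection (CBC ciphertext is malleable, so a real design needs a MAC or an authenticated mode), and the security of the whole envelope collapses to the secrecy of the transport key, which is exactly why that key is what the governments in the post are asking for.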


    So it’s the device transport keys which the governments are expecting RIM to provide them so that they could intercept and decrypt the emails passing thru their ISP networks.

    So how is this Device Transport Key generated and maintained? The following details are from security documentation published by RIM.

    “The BlackBerry® Enterprise Server and BlackBerry device negotiate to select the strongest algorithm that they both support (either AES or Triple DES) and use that algorithm to generate a device transport key during an over the air activation of the device.”

    “By default, the BlackBerry® Enterprise Server and BlackBerry device generate subsequent device transport keys every 30 days. The BlackBerry Enterprise Server and BlackBerry device generate the device transport key using existing long-term public keys and the ECMQV key exchange algorithm to negotiate a device transport key. This method is designed so that a potentially malicious user is unable to calculate the device transport key. The BlackBerry Enterprise Server and BlackBerry device discard the key pair after they generate the device transport key.”

    RIM seems to have made sure with this architecture that there is no way a third party (including itself) will ever get access to the device transport keys.

    So there is a device transport key unique to every device and it changes every 30 days.  In a country with a million blackberry users even if half of them were BES enabled, the ISP would require quite a large infrastructure to hold and manage these keys and probably a super computer to apply the corresponding device transport keys to decrypt the message keys and then apply the message keys to the encrypted message and then decrypt and store them.  All this to intercept communication between terrorists!!   As mentioned in my previous post, after all the media attention and the government demands for interception the Osama’s and Obama’s would never use a blackberry to do any serious communication.

    The question remains on how RIM would get hold of these keys. It has to either alter the device configuration to send the device transport keys to a local server, or it has to modify the BES Server architecture to upload the device transport keys to the local server in the country. Both of which are difficult to achieve as it involves a software upgrade either on millions of devices or on thousands of servers.

    What every government is demanding is a copy of the device transport key of every device connected to a BES Server in the country. Let's say that I work in India and my company's BlackBerry server is in Timbuktu. The Indian government would not have the keys to see my communication!! Wouldn't this be the typical case for a terrorist? Assuming that the typical terrorist is a foreigner, he would be using a BlackBerry device supported by an ISP of another country for which my local government doesn't have keys. I wonder how many terrorists have a registered office and a datacenter to host a BlackBerry Enterprise Server!

    If the RIM documentation about the architecture is to be believed, there is no foolproof technical solution to address the concerns of these government entities. It's hard to believe that the RIM technical team hasn't been able to communicate the same to the government agencies and close the issue. So how will the stalemate end? Will BlackBerry be banned in these countries, or will it be a face-saving exercise of placing a local server in every country which would just display lines of encrypted text on its screens? If that is the case, RIM will add another product line to its portfolio: Face Saving Relay Servers in different colors. The countries will get to choose from a Red, Orange or a BLACK BOX.

    Friday, August 20, 2010

    Osama & Obama have lost trust in their Blackberry Devices



    As mentioned in my previous article, BlackBerry Messenger uses the same encryption key on all devices. This would mean that if one could intercept a PIN message sent to another device, it could be decrypted and read.

    RIM does give its customers an option to replace the default encryption key on the devices with a company-specific key. This would limit BBM communication to company devices only, which share the same key. It should also be noted that only the message body is encrypted and not the header, which still carries the source and destination device PIN identifiers in clear text.

    BlackBerry Messenger communication is a PIN-to-PIN (device to device) message which passes only through the RIM Relay Servers. The BES Server and the local ISP are not party to this communication, and this is where the concerns raised by many national security bodies come from. They have no way of intercepting BlackBerry Messenger communication. The solution these governments have demanded is a local RIM Relay server through which all PIN-to-PIN communication should flow, so that they could intercept and decrypt it on demand or even in real time.

    It is easy to comprehend here that once the messages are routed through a local proxy server, the global encryption key could be used to decrypt the message and make the content available to the local security agencies. What I fail to understand is this: as the devices were already communicating with the RIM relay using the internet connectivity provided by the local ISP, why couldn't the ISP transparently proxy/mirror all communication to the RIM Server and use the global encryption key to decrypt it themselves? What action was required by RIM to enable the local ISP to get access to these messages? There are no encryption keys which RIM needs to provide for doing this, as the key is already available on every BlackBerry device.

    The solution seems quite simple to implement, but given that RIM operates in 175 countries, with most governments having expressed their concerns on this issue, would RIM be forced to run individual servers in each of these countries? Who would own and operate these servers? Where would these servers be placed physically? In countries where multiple ISPs provide BlackBerry services, would a separate server have to be placed at each ISP's datacenter? So is this really a practical solution?

    It is difficult to understand why this issue was given so much exposure and media attention. Was the concern only the way the data was routed, or was it the encryption technology being used, or was it the unfortunate combination unique to RIM's implementation which has put BlackBerrys in this turmoil?

    I doubt that any terrorist who is seriously concerned about secure communication will ever use a BlackBerry device after having read all these articles about how RIM has struck deals with different governments. Are there more reasons why these countries are demanding a local server? Are there more demands which are not known to the media? The shroud of secrecy around this issue certainly makes one curious about what is actually transpiring between RIM and the different government entities!

    In fact, the conflicting statements made by RIM make even the diehard CrackBerry user lose trust in the device and in the secure architecture which they have been preaching all these years. According to RIM, the whole solution is so secure that no one, not even RIM, could intercept the messages flowing through their servers. If that is the truth, then what is it that they are negotiating with the different governments? I am sure they are not considering changing the underlying architecture on which it operates.

    I am sure both Osama and Obama would seriously consider sending any confidential message using their BlackBerry devices. Yes, they certainly would continue to use Facebook on BlackBerry :)

    Thursday, July 29, 2010

    Product: Windows Server Update Services 3.0 SP2 -- Removal failed.

    WSUS wouldn't let me uninstall it; the removal would just fail and write "Product: Windows Server Update Services 3.0 SP2 -- Removal failed." to the Application Event Log.

    A lot of people seem to have posted this issue, but none of the forums had a proper resolution for it. There were a few analyses of the causes of the issue available, though. Some believed that it was a problem with the ACL on the SQL/Windows Internal Database installation directory and suggested that the database be uninstalled manually by running "msiexec /x {CEB5780F-1A70-44A9-850F-DE6C4F6AA8FB} callerid=ocsetup.exe" on the command prompt. It didn't work for me, though.

    Another analysis of the issue was that WSUS was installed with Windows Internal Database and somehow the registry was missing this information. The trick suggested was to modify the value of "wYukonInstalled" from 1 to 0 in the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup] registry location, and then choose to leave the database in place in the uninstallation options. This worked, and I was able to uninstall WSUS. The Windows Internal Database can then be deleted from its default installation path, "C:\WINDOWS\SYSMSI\SSEE".

    Tuesday, June 1, 2010

    Myth - BBM is Secure

    I felt secure communicating on BBM... till some time back!!
    It was probably the fact that BBM messages do not travel over the internet that was making me feel 'secure' about it, or was it the fact that BBM only works on BlackBerry devices and my belief that BlackBerry devices are secure by design? Not sure... but somehow I thought it was the safest IM app available.

    I fired up my browser and landed on Google. I couldn't find many articles about the security of messages communicated over BBM. I couldn't even find any notes on the BBM architecture. I will just summarize what I was able to understand from many different pages.

    BlackBerry Messenger is a skin on top of the basic PIN-to-PIN messaging which has been on these devices for a long time. A "PIN" is a hardware address, similar to a MAC address, and is unique to every BlackBerry device. A "PIN" however is neither an authentication password nor a user identifier. It is the method by which the BlackBerry device is identified to the RIM relay for the purpose of finding the device within the global wireless service providers' networks.

    Alice sends a message to Bob. The target address for this message would be the PIN of Bob's BlackBerry device. The message is received by her service provider, which sends the message to the RIM Relay Server. The RIM relay identifies Bob's BlackBerry device by its PIN and forwards the message directly to Bob's wireless service provider. These messages do not travel through the internet or the BlackBerry Enterprise Server and hence are faster than email communication. This is ideal for communication in emergencies, or when your email server/BES etc. are not functional. I am sure this raises questions about compliance, auditing, content security etc. These messages bypass all the onion skins of security and land on the devices directly. Unless specifically configured on the BES through an IT Policy, these messages are not logged on the BES. This has prompted certain enterprises to disable PIN-to-PIN messages on their corporate BB devices.

    Now, one would assume that since RIM has been serious about security, they would have made the transmission secure by encrypting it. Well, they did! All PIN-to-PIN messages are encrypted with Triple DES. Excellent!! Not exactly: all RIM devices are loaded with a common (shared) peer-to-peer encryption key which is used for encrypting the PIN-to-PIN messages. This means that every BlackBerry device can decrypt any PIN message it receives, because every BlackBerry device stores the same peer-to-peer encryption key. RIM advises users in one of its security guides to "consider PIN messages as scrambled, not encrypted". It would mean that if I were to sniff the traffic coming to your device, I could potentially decrypt the PIN messages and see them. The probability of such a threat actually materializing is very low, but it is technically possible.
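    To make the difference between this shared peer-to-peer key and the per-device transport keys described in the BES post above concrete, here is an added example (my own illustration, not RIM's code or protocol): it models a PIN-to-PIN message under one key present on every handset beside a BES-style message whose fresh message key is wrapped with the recipient's unique transport key. The cipher is an HMAC-derived keystream standing in for Triple DES/AES, the transport key is random rather than ECMQV-derived, and the key value, PINs and message text are constructed placeholders.

```python
import hashlib
import hmac
import os

def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with an HMAC-SHA256 keystream in counter mode.
    Real handsets use Triple DES or AES; this keeps the script standard-library only."""
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed placeholder for the peer-to-peer key every handset carries (not RIM's value).
GLOBAL_P2P_KEY = b"constructed-key-present-on-every-device"

class Device:
    def __init__(self, pin: str):
        self.pin = pin                        # permanent hardware identifier, sent in clear
        self.p2p_key = GLOBAL_P2P_KEY         # identical on every device
        self.transport_key = os.urandom(32)   # per device; random stand-in for the ECMQV-derived key BES rotates every 30 days

def send_pin_message(src: Device, dst_pin: str, text: bytes) -> dict:
    """PIN-to-PIN: source and destination PINs travel in clear, body under the shared key."""
    nonce = os.urandom(8)
    return {"src": src.pin, "dst": dst_pin, "nonce": nonce,
            "body": xor_keystream(src.p2p_key, nonce, text)}

def read_pin_message(reader: Device, msg: dict) -> bytes:
    """Any handset holding the shared key can do this, addressee or not."""
    return xor_keystream(reader.p2p_key, msg["nonce"], msg["body"])

def send_bes_message(recipient_transport_key: bytes, text: bytes) -> dict:
    """BES model: a fresh message key per message, wrapped with the recipient's transport key."""
    message_key, n_key, n_body = os.urandom(32), os.urandom(8), os.urandom(8)
    return {"nonce_key": n_key, "wrapped_key": xor_keystream(recipient_transport_key, n_key, message_key),
            "nonce_body": n_body, "body": xor_keystream(message_key, n_body, text)}

def read_bes_message(reader: Device, msg: dict) -> bytes:
    """Only the device holding the matching transport key recovers the message key."""
    message_key = xor_keystream(reader.transport_key, msg["nonce_key"], msg["wrapped_key"])
    return xor_keystream(message_key, msg["nonce_body"], msg["body"])

if __name__ == "__main__":
    alice, bob, eve = Device("2A0B1C2D"), Device("3E4F5A6B"), Device("7C8D9E0F")  # constructed PINs
    pin_msg = send_pin_message(alice, bob.pin, b"meet at 9")
    print("Eve reads Alice's PIN message:", read_pin_message(eve, pin_msg))   # plaintext: shared key
    bes_msg = send_bes_message(bob.transport_key, b"meet at 9")
    print("Bob reads BES message:", read_bes_message(bob, bes_msg))            # plaintext
    print("Eve reads BES message:", read_bes_message(eve, bes_msg))            # garbage: wrong transport key
```

    A third handset recovers the PIN message because it holds the same key as the addressee, while the BES-style message only yields garbage to it, which is exactly the "scrambled, not encrypted" distinction RIM's guide draws.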

    As I mentioned earlier, the PIN is a number burnt onto the device and is permanent. This highlights another potential vulnerability. Bob's device is wiped and assigned to Dave. The device would still retain the same PIN and will continue to receive PIN messages addressed to that PIN. Alice would be unaware of the fact that her messages intended for Bob are being delivered to Dave.

    Let us consider another situation. Chuck steals Bob's device. Chuck could then impersonate Bob and elicit information from Alice. Alice would think that she is communicating with Bob and unsuspectingly share information. She is in fact communicating with the PIN of Bob's device, which is now with Chuck.

    If a PIN can be spoofed, it could be another potential threat to the security of messages exchanged using P2P. I was not able to find any information on how to do it. The forums seem to suggest that it's not possible.

    Lesson learnt:

    Be careful when sharing sensitive information over BBM/PIN messages because:
    • PIN-to-PIN messages are encrypted using an encryption key which is accessible to everyone.
    • The messages you send go to an address which is tied to a device and not a person.
    • Big Boss might be watching. If PIN-to-PIN messages are configured to be logged on the BES server, all BBM/PIN messages would be logged in clear-text log files on the BES Server.
    I still love my BlackBerry :)