01/04/07
I have come across another issue with CCA: It is not localized.
The CCA client can be instructed to check file versions and dates, e.g., for anti-virus software. However, it seems that the CCA client assumes that files are in the "Program Files" directory. In non-English versions, that directory has different names, though.
A Cisco representative has stated (on a CCA support mailing list): "We wont support checks/rules etc on non-english version of XP today."
I find that quite strange, given that Cisco markets CCA mainly (or only) to universities, and universities have a large body of foreign students who often bring their non-English software with them.
Yet another thing that should have been a negative when doing due diligence before the decision to purchase CCA. But Resnet apparently was determined to waste a large amount of money on CCA no matter what...
01/03/07
On the security mailing lists Bugtraq and Full Disclosure, Cisco has posted another security advisory regarding CCA.
This one is related to the management of CCA. What distinguishes this issue from the CCA client installation problems is that a successful exploit would result in the attacker being able to take over all client machines.
This shows once again that having a mono-culture system like CCA for security purposes is a bad thing (as I and others have repeatedly told Resnet.) Attacks on the single point of failure, the management system, break the whole system. A well-designed security system has multiple layers so that breaks at one layer do not result in a complete meltdown.
Update:
In response to the security advisory, one person posted this on the Full Disclosure list:
So, I read this to mean, the snapshot files are still downloadable without authentication, still have easily guessable names, and still contain sensitive information that can aid in an attack (what sensitive information?), but now the attacker has password hashes against which he has to do a three hour offline brute force, or perhaps a twenty second rainbow table lookup, rather than getting the plaintext straight off.
In other words, the security hole isn't fixed, it is just slightly obscured. Any marginally alive cracker can still get in.
Update 2:
The more mainstream tech news is now reporting on this vulnerability as well. CNET News has it on their front page.
12/19/06
Last week, I took a good look at the 2nd Gen iPod Shuffle at the local Apple store. That thing is so small, it is unbelievable.
So, I decided to buy it. 79 bucks is still affordable. I didn't order it through the Apple store, though, since I wanted the one-line engraving. So, off to the Apple website...
I got it today, and it indeed is probably the coolest MP3 player around. Small is beautiful 
This makes it my third iPod, after the 1st and 2nd generation Nano. I have put Rockbox on the 1st gen Nano recently (the 2nd gen Nano has a different processor, so Rockbox doesn't run on it at this point) and I am playing with that.
Resnet sent out an announcement for network upgrades. That was in the making for some time, and is long overdue, since the old equipment and cabling only allowed 10MB speeds.
They are upgrading to 100MB. I personally would have liked a Gigabit network (some of my computers have gigabit network cards), but I can't really complain. 100MB is still a huge improvement over the current state.
So much for the good news.
Of course, they could not resist trying to misrepresent the past...
Part of the announcement reads:
The new switches will increase port speeds from 10Mbps to 100Mbps as well as provide better QoS (Quality of Service). They also offer security features such as DHCP snooping that will prevent rogue DHCP servers that have plagued our network over the past several years.
The "rogue DHCP servers" that Resnet complains about were all of their own making. Resnet itself provided bogus installation instructions that resulted in routers exposing their internal DHCP servers to the network.
Maybe that's Resnet's modus vivendi: Create the problem in the first place, and then claim huge improvements when they finally see the light.
Reminds me of shopping outlets who raise the prices and then advertise huge discounts...
11/27/06
Here is yet another instance where the CCA client agent doesn't quite work:
A lot of people and organizations who want to avoid having to apply Windows Service Packs or hotfixes manually to new Windows installations turn to slipstreaming Windows. This is a Microsoft-supported way to integrate service packs and other fixes into the core OS on a CD. For a description, see, e.g., Paul Thurrott's page about Slipstreaming.
To quote:
For end users, slipstreaming can also be useful. For example, you can copy the installation directory from your XP CD-ROM to the hard drive, slipstream the XP SP2 files into that installation directory, and [sic]than write it back to a recordable CD, giving you a bootable copy of the XP setup disk that includes SP2 right out of the box (so to speak). That's the process we're going to examine here. And slipstreaming isn't limited to service packs, either: You can also slipstream in various product updates, including hot-fixes.
I have used this method since XP SP1 to create Windows installation CDs that contain SP1 and SP2 already.
The problem the CCA client has with this method is that it doesn't detect that the service packs and hotfixes are already installed. It checks the registry, and slipstreaming obviously can't create registry entries indicating that SP2 and hotfixes are installed, and requires the user to download and install all this again.
So, once again, we have a broken product (CCA) that foils doing the good thing (slipstreaming Windows with service packs and hotfixes already applied.)
Yet another reason why CCA should be abolished.
