Windows | ShocKNetworK Blog

Why I’m Rolling Back Security Patch 16.5.1 (c) on iPhone

I seldom roll back patches. Especially security patches. I work in security. It’s essential to stay up-to-date with the latest security patches to protect our devices from potential threats. However, sometimes these patches can inadvertently introduce new issues, affecting the overall user experience. In this blog post, we’ll explore the reasons behind the decision to roll back the security patch 16.5.1 (c) on the iPhone, focusing on the specific issues it caused: the breakdown of Bluetooth texting with Microsoft Windows phone link and Tesla’s voice texting functionality.

The Importance of Security Patches:

Before we delve into the reasons for rolling back the security patch, let’s acknowledge the significance of timely updates. Security patches play a crucial role in safeguarding our devices against potential vulnerabilities, malware, and other cyber threats. They are essential for maintaining a secure and stable environment for users.

The Problematic Patch:

While patch 16.5.1 (c) aimed to improve the security of iPhones, it unintentionally disrupted certain functionalities, leading to frustration for many users. Two of the prominent issues experienced were the inability to use Microsoft Windows phone link for texting and a failure of voice texting in Tesla vehicles.

Bluetooth Texting with Microsoft Windows Phone Link:
Many iPhone users rely on Bluetooth connectivity to stay connected while on the move. The Microsoft Windows phone link provides seamless integration between iPhones and Windows PCs, allowing users to send and receive text messages directly from their computers. However, after applying security patch 16.5.1 (c), users noticed that this feature ceased to function as expected.

Rolling back the patch is essential to restore this valuable functionality, enabling users to stay productive and connected regardless of the device they are using.

Texting with Voice from Tesla Vehicles:
Voice-activated features have become increasingly popular in modern vehicles, enhancing convenience and safety while driving. Tesla’s voice texting functionality enabled iPhone users to send and receive texts hands-free, contributing to a safer driving experience. Unfortunately, after applying the security patch, this feature stopped working in Tesla vehicles.

With safety being a top priority, it’s crucial to resolve this issue promptly. By rolling back the patch, iPhone users can once again enjoy the convenience and safety of voice texting in their Tesla vehicles.

The Decision to Roll Back:

The decision to roll back the security patch was not taken lightly, considering the importance of maintaining a secure device. However, the issues faced by users with Bluetooth texting and voice texting in Tesla vehicles were significant enough to warrant action. The lack of these essential functionalities could hinder productivity, communication, and safety, potentially outweighing the security benefits of the patch.

Apple’s Commitment to Users:

As a tech giant, Apple is known for its dedication to providing a seamless user experience. In light of the reported issues, it is reasonable to expect that Apple will address the problems promptly and release a revised security patch that addresses the concerns without compromising on security.

Conclusion:

Staying on top of security updates is crucial in today’s digital landscape, but sometimes unforeseen issues can arise. The decision to roll back the security patch 16.5.1 (c) on the iPhone, which caused Bluetooth texting problems with Microsoft Windows phone link and disabled Tesla’s voice texting functionality, aims to prioritize user convenience and safety. Apple’s commitment to its users should lead to a swift resolution of the problems faced, ensuring a harmonious balance between security and seamless connectivity in future updates.

Troubleshooting a Mysterious Networking Issue in Windows 11 (NOT!)

Networking issues can be frustrating and time-consuming to troubleshoot. This was just one of my many experiences troubleshooting an interesting network issue that took me a while to solve.

The Problem: One day, I noticed that my computer’s network connection was acting up. The network interface card (NIC) was sending packets just fine, but it was receiving very few packets, and eventually, it would stop receiving packets altogether. At first, I suspected that the issue happened after I installed the Insider Preview of Windows 11, so I reset Windows. I updated the Realtek NIC driver to the latest version, hoping that it might help. The problem persisted.

The Troubleshooting: Next, I decided to reinstall Windows 11 from scratch, thinking that it might fix the issue. The problem still persisted even after the fresh install. Now I knew that the issue was likely to be hardware.

I boot into Linux from a USB drive. To my surprise, the issue persisted even in Linux. This ruled out any software or driver issues with Windows.

The Solution: I started to suspect that the issue might be with my Wi-Fi access point. I have a TP-Link Deco 6E mesh Wi-Fi system, and one of the access points acts as the main router. I decided to swap the problematic access point with another one, and to my relief, the issue disappeared instantly. My NIC was now sending and receiving packets normally, and I was back online.

Conclusion: Networking issues can be tricky to troubleshoot, and it’s easy to get lost in a sea of software and driver issues. Sometimes, the problem might not even be with your computer at all, but with your network equipment. If you’re experiencing a similar networking issue, try ruling out all software and driver issues first, and then focus on your network equipment. Hopefully, my experience will save you some time and frustration.

Loading up Active Directory with lots of groups

Loading up Active Directory with lots of groups can be a tedious task, but it can be made easier by following some steps. I recently had to do this to test a product to make sure that it can handle a large amount of data. I started with a list of job titles. Found that those titles were not enough groups and so ended up using a list of animals as the groups input to provide the script to automate the process of creating groups in Active Directory.

First, let’s assume that you already have Active Directory set up and that you have the necessary permissions to create groups. We will use the ldif template provided in the question to create groups in Active Directory.

Here is the step-by-step process to load up Active Directory with lots of groups:

Prepare the list of groups: In our example, the list of animals is provided in the question. You can create your own list of groups based on your requirements.
Create an ldif file: Use the ldif template provided in the question to create an ldif file that contains the group details. Make sure to replace {groupname} in the template with the actual name of the group.
Run a for loop: To automate the process of creating groups, we can use a while loop that reads the list of groups and creates the groups in Active Directory using the ldif file. Here’s an example script:

#!/bin/bash

# Read the list of groups from a file
while read -r group; do
  # Replace {groupname} in the ldif file with the actual group name
  sed "s/{groupname}/$group/" group.ldif >> temp.ldif
  # Create the group in Active Directory using ldapadd command
  ldapadd -x -D "CN=Administrator,CN=Users,DC=mydomain,DC=com" -w password -f temp.ldif
done < groups.txt

In the above script, replace the following:

group.ldif with the name of the ldif file that you created in step 2.
groups.txt with the name of the file that contains the list of groups.
CN=Administrator,CN=Users,DC=mydomain,DC=com with the actual Distinguished Name (DN) of the user account that you want to use to create the groups.
password with the password for the user account.

Run the script: Save the script to a file (e.g., create-groups.sh) and make it executable using the command chmod +x create-groups.sh. Then run the script using the command ./create-groups.sh.

That’s it! The script will create all the groups in the list and add them to Active Directory. You can modify the ldif template and the script as per your requirements to create groups with different attributes and properties.

Install .NET 2.0 in Windows 10

What!? Why would you want to do that!? A friend of mine recently brought a computer to me for him to install some old software on. This happened to be some custom software that was written and required .NET 2.0. I tried installing the software and it wouldn’t install because it .NET 2.0 was required and if you go to Microsoft’s website, it looks like the only version you could get is .NET 4.8 and it already came with the OS that his laptop came with! What gives!?

I managed to find this command only that allowed me to continue the install:

DISM /Online /NoRestart /Enable-Feature:NetFx3

Turns out there are tons of YouTube videos and other posts about how to install it. I just didn’t think to look. You could actually just go to the control panel and install it from there as well.

Anyway, hope this post can save you some time!

Spinning up a bunch of virtual desktops in Amazon WorkSpaces (videos)

This was a pretty fun project that I had gotten so I figured I would share the experience. There are multiple use cases for virtual desktops. In our case, it’s ephemeral – only need them for a few days for a class so that all students can share the same experience without the need for anything but a web browser. They can probably get a better experience with the PCoIP client, but it could be against some company policies. Most companies will allow HTTPs out, so we figured this would be the easiest way.

The way Amazon WorkSpaces works is that each desktop is assigned to a single user and the users sit in the directory service. The service I’m using is the Simple AD (Samba 4) as I had no need for a huge directory. To create the users, we will just need a UID (sAMAccountName in AD) and a password if using the API to create the desktops. If using the Amazon portal to create the desktops, you’ll need the first and last name and an email address as well. You can easily import a CSV file with this information, but for the sake of simplicity, I just use a generic account name and numbers.

After creating the directory and starting up a single desktop, I went to the “Programs” in the Control Panel and “Turn Windows Features on and off” and “Features” to install the “AD DS and AD LDS Tools”. More information on the RSAT tools is available here: https://wiki.samba.org/index.php/Installing_RSAT

Here’s a short video on how to do it:

Once the RSAT tools are installed, the “dsadd” command will be available to add users. This is the script I’m using that asks for the users and then creates the users:

echo off
set /p users=Number of users to create:
echo "Creating %users% students"
set count=0
:createusers
    set /a count+=1
    echo creating student%count%
    dsadd user "cn=student%count%,cn=users,dc=corp,dc=amazonworkspaces,dc=com" -samid student%count% -pwd Student%count%
    if "%count%"=="%users%" goto done
    goto createusers
:done

The script will create users with the username student# with passwords Student# – the capital “S” is just for password complexity.

After creating the users, we can go and create the desktops. To do this, I used awscli. On a Mac or Linux system, it can be easily installed running “easy_install awscli”. After installation, there will be a config and credentials file that should be configured in the .aws directory in your home directory. Once that’s set, you can check to see what workspaces you have by running “aws workspaces describe-workspaces” – that gives you an idea of what your workspaces look like. The minimal template I’m using for workspaces looks like this:

{
 "Workspaces" : [
 {
   "DirectoryId" : "d-9267258c77",
   "UserName" : "%username%",
   "WorkspaceProperties": {
   "RunningMode": "AUTO_STOP"
 },
   "BundleId" : "wsb-gw81fmq2p"
 }
 ]
}

The DirectoryId is the directory service where the users are housed, I’ll be replacing the %username% with student#, and I added RunningMode just to save on costs – they’ll automatically suspend after an hour of idling. It takes about 90s to spin back up if they suspend. The BundleId is the VM that you want to provision. This one is the customized one for our classroom.

With the template in place, we’re ready to run the script:

#!/bin/bash

echo "Number of Desktops to Create [20?]"
read desktops
echo $desktops
COUNTER=0
         while [  $COUNTER -lt $desktops ]; do
             let COUNTER=COUNTER+1
             echo Creating Desktop number $COUNTER
        sed "s/%username%/student$COUNTER/g" create-workspaces.json > /tmp/student$COUNTER.json
        aws workspaces create-workspaces --cli-input-json file:///tmp/student$COUNTER.json
         done
echo Created $desktops Desktops.

You can remove the temporary files in /tmp afterwards.

Here’s a short video of the scripts in action.

Have fun with your desktops!

How to use PowerCLI to register or unregister a bunch of templates at a time …

I recently resignatured a datastore that housed all of my templates and ran into an issue with a bunch of datastores that wouldn’t unmount and a slew orphaned templates. To get rid of them, I had to unregister them all and then register them, but had a ton, so I didn’t want to do them one at a time.

Unregistering the VM templates is easy. Just select them all, right click and click “remove from inventory”. The registering part is harder – need to browse the datastore and then right click and add to inventory and give it a name. So, I did it with PowerCLI.

The first thing we want to do is get a list of all of the vmtx files in the datastore that the templates reside in. I do it like this:

$vmtxs = gci vmstore:\$((Get-Datacenter -name "DCpod"))\templates -Recurse -Include *.vmtx | select -exp datastorefullpath
You can list it and you should see something like this:

PowerCLI C:\Program Files\VMware\Infrastructure\vSphere PowerCLI> $vmtxs
[templates] Win8.1_Template/Win8.1_Template.vmtx
[templates] Windows 10 template/Windows 10 template.vmtx
[templates] Win2K8R2_Template_1/Win2K8R2_Template.vmtx
[templates] Ubuntu_Server_Template/Ubuntu_Server_Template.vmtx
[templates] Win2K12R2_Template/Win2K12R2_Template.vmtx
[templates] webservertemplate2/webservertemplate2.vmtx

With the list of files, you can loop through and register them all on a particular host like this:

PowerCLI C:\Program Files\VMware\Infrastructure\vSphere PowerCLI> foreach($vmtx in $vmtxs) { $currentname = ($vmtx -split "/|\.")[1] $vm = new-template -name $currentname -templatefilepath $vmtx -vmhost esxhostname.domain.com }

Lenovo T400 blank screen issue on Windows 10

Someone who owns a very well SEO company came to me with a freshly installed Windows 10 OS on a Lenovo T400 and showed me that he would get a black screen at start up. He would suspend the machine (close the lid), and it would come back to normal. He would reboot, and the same problem would reproduce again.

This didn’t happen when he first installed the OS. Only happened after the OS was installed and Windows update was run. I was suspicious that it might be a driver issue, but Lenovo’s website didn’t show much.

Then looked into the device manager and saw this:

2016-02-01

What’s interesting here is that the laptop actually has 2 video cards. I think it’s for power savings. I took a gamble and disabled the Intel video card. The problem went away!

Update: Booted into the BIOS and under video settings, found that the Lenovo could install a Switchable graphics driver along with their power management software so that it could save power. So, my hunch was correct. So, no need to disable the Intel card. Just boot into the BIOS and set it to discrete or the other one, whatever it is. I just set mine to discrete.

Microsoft PowerShell takes forever to open!

If you’re in a situation where it appears to take forever to open a PowerShell prompt, Internet access might be the problem.

The easiest resolution at this point appears to allow Internet access to the machine. If that is not possible, you can disable the check for the publisher’s certificate revocation. You can do this from Internet Explorer (or Control Panel, Internet Options) by clicking on Tools, Internet Options. Under the Security section of the Advanced tab, uncheck “Check for publisher’s certificate revocation”.

NOTE: These type of security features are in place for a reason. Take caution when considering disabling these.

A relatively easy/inexpensive way to speed up your old desktop or laptop for ~$100

REQUIREMENTS:
Ghost binaries on bootable CD/DVD or USB thumb drive
Windows 7 installation DVD or USB thumb drive

There are several ways to speed up some old computers. Sometimes, they might not even be old – they’re just slow.

My mother’s laptop was crawling. It had a dual-core 2ghz chip, 4gb ram. Why was it slow? I figured, 4gb ram is enough to run Windows 7 – I’m running a bunch of VMs and I only have 5gb ram on the server. So, it had to be i/o. Since I had an old 128gb SSD from a laptop I had before, I put it in. The problem was, the laptop had a 320gb hd. Clonezilla wouldn’t clone it – gave me some issues with partimage. I remember that the old Ghost 2003 would do a bigger to smaller disk. So, I tried that. Ghost gave me other issues. I tried ghost.exe -fdsp because this is Windows 7. Vista changed some things with NTFS or something that made Ghost stop working with the default settings. The first time I tried Ghost, it ran for 90 minutes and ran into a bad sector. 🙁 It failed. So I tried bypassing it. I ran ghost with the -BSC -FRO switches. It then ran into some issue with a big file or something and told me to pass the -NTC- switch. Well, that failed and told me the same thing, so I just decided to abandon the ghost idea and start fresh.

Since I had the idea of upgrading my mom’s hd, I did the same with a couple of other computers, so my process has been repeated. On the other machines, I got 1tb Seagate ssd hybrid desktop drives (sshd) for $80 each. Ghost 2003 or 8.0 both work for Windows 7. The first thing I did was put the SSD in along with the disk I wanted to clone. I booted from one of my old Ghost DVD archives, but on one machine, there was only 2 SATA ports, so I had to figure out a way to build a bootable USB thumb drive. The one I ended up using was UNetbootin – with that, I created a FreeDOS bootable thumb drive and copied the ghost.exe binary there. Since the stupid Ghost DVD archive only had .GHO files on it and I could access the DOS partition, I ended up copying ghost.exe by extracting it from an old Hiren’s Boot CD. With that, I was able to boot from USB. You can copy ghost.exe onto the USB drive, but FreeDOS boots in it’s own jail or something. The ghost.exe actually ends up on b:\. You should be able to then do the clone using ghost.exe -FDSP -BSC -FRO. After a successful clone, since this is Windows 7, we’re not exactly done yet. The disk will not boot – will give
Windows failed to start. A recent hardware or software change might be the cause. To fix the problem:

1.Insert your Windows installation disc and restart your computer.
2.Choose your language settings, and then click “Next.”
3.Click “Repair you computer.” If you do not have this disc, contact your system administrator or computer manufacturer for assistance.

Status: 0xc0000225

Info: The boot selection failed because a required device is inaccessible.

This is an easy fix. Just follow the directions. Boot with the Windows 7 install DVD or USB thumb drive and go to repair and it’s done almost automatically. On one host, it asked to run CHKDSK afterwards. I let it run and everything was dandy as well. But if all else fails you could buy one of the best budget gaming laptops that is guaranteed to run great.

if vCenter Server Heartbeat or Neverfail Heartbeat failover appears to be not working or taking a long time …

The main symptom of this problem would be that the vCenter Server Heartbeat console or Neverfail Management Client console would show that the services had failed over, but if you were to try to ping it, it wouldn’t respond.
Logically, there there are some hypotheses you could come up with:

1) Network packet filter isn’t revealed on the active server, so we can’t connect to it.
2) Something wrong w/ the service.
3) The console is wrong and on the backend, nothing failed over.
…
These would be all wrong.

What we found was that it was an issue with ARP caching on the switches. Because the VM or host abruptly fell off the network, the switches hadn’t expired the ARP entries and that they were stale. You would think that it would be fixed in a minute after the ARP entries expired, but I guess the chain could take a little longer.

Probably the best way to troubleshoot this would be to get on a host on the same network segment and try a ping. If that fails, you could run “arp -a” and check to see if you indeed have the right mac address of the host you want to connect to. If not, you could probably log into the switch to delete the entry or you can create a task to run the command during switchover:

“C:\Program Files\VMware\VMware vCenter Server Heartbeat\R2\bin>nfpktfltr.exe arp”

You should then see the switchover happen without the long delay.