Sunday, February 07, 2016

A Run-in with Cryptolocker

A Little History
Over the years, we've had a fairly good run when it comes to viruses and malware. Much of that I can put down to the fact that we've always used IBM Notes as our mail system and it's less susceptible to hijacking. Of course, Notes only slows down the distribution (and reduces the likelihood of specific mail calls being used). It's not an effective anti-virus solution.

Years ago, I used to run my anti-spam services on the mail server. There were two problems with this approach;

  1. The mail had already reached our systems before the first scan occurred - even if it was just spam, you're now using your bandwidth and your storage.
  2. You're running secondary processes on (or between) your mail server. It needs updates, maintenance etc. 

Anti-Spam was the first service we moved offsite.

For the past few years, we've been using the Symantec.Cloud anti-spam service. This was a very good service when it was a recent acquisition (MessageLabs). Back in those days, the spam used to pass through the filters of many of the major anti-spam vendors. These days, I think that it only runs through the Symantec solution, making it far less valuable. We're finding that more and more spam is slipping through.

Our desktop scanners are Kaspersky. We've spent years on Symantec/Norton (slowed all of our PCs down) and McAfee (never actually caught anything) and Kaspersky has been pretty good overall but it didn't catch this one.

So How did it Start?
In this case, the email that made it into our systems was a variant of the Australia Post cryptolocker email that hit Australia from August last year onwards. This particular email looks very similar to real emails that Australia Post sends out. Our users had been warned about this particular problem three or four months ago but the fact is that if you keep throwing links at an organisation, eventually you're going to get lucky.

The first sign of trouble was when some of our users called the helpdesk saying that their files were encrypted. I was just standing up to go off to lunch but luckily I decided to investigate. This is why you need a responsive helpdesk: the reaction (and recognition of the problem) was time-critical. I immediately ascertained that the files were not .zip files; they were simply normal files renamed with .encrypted -- and there was a whole folder full of them.

I'd been following trends and reading bulletins from AusCERT, so although I didn't know the exact effects of cryptolocker, I immediately suspected it was the problem.

I quickly googled signs of it and discovered that the ransom message was the clue.  I looked for one on the person's computer but couldn't find one. I couldn't see one on the network either. I was just about to start disconnecting all devices from the network (all our PCs go to the servers via a single, easily isolated switch) when a user reported an unusual message.  We'd found the PC with the issue ... and it was a different PC to the one which reported the problem.  We immediately disconnected it from the network and started a local scan on it.

If possible, have a single point somewhere on your network that allows you to easily isolate systems in case there is a problem (this could be an attack, malware or even just a network traffic incident).

Confirming the Problem
I was pretty sure that Cryptolocker was malware, not a virus (meaning that it could wreck files but it couldn't infect) but I needed to be sure. I called one of our suppliers who had knowledge of cryptolocker and he advised me to look for the ransom notes in all the folders. There was an HTML and a txt version called "HELP_TO_DECRYPT_YOUR_FILES.txt" -- though some variants of cryptolocker use different names. They hadn't been there prior to the message but now they were everywhere. If you want to read them, open the text file: there was too much HTML in the other file, and it's too risky.

Looking at the properties of these ransom notes, we were able to confirm that all of them were created by the same user. There was only one problematic PC and it was now disconnected.
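A sweep for the ransom notes and renamed files described above, written here as an added Python example (it is not a tool used in the original incident). It lists the affected folders and uses the oldest artefact timestamp to suggest which backup copy predates the damage; the sample share, the dates and the one-hour safety margin are constructed assumptions.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timedelta

# Artefact names as reported in the post; other variants use different names.
ENCRYPTED_SUFFIX = ".encrypted"
NOTE_STEM = "help_to_decrypt_your_files"  # matches both the .txt and .html note


def scan_share(root):
    """Walk a share and summarise ransom notes and renamed files.

    Returns a dict with:
      folders    - Counter of *.encrypted files per folder
      notes      - sorted paths of the ransom notes found
      first_seen - oldest modification time of any artefact (datetime) or None
    """
    folders, notes, earliest = Counter(), [], None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            is_note = os.path.splitext(lower)[0] == NOTE_STEM
            if not (is_note or lower.endswith(ENCRYPTED_SUFFIX)):
                continue
            path = os.path.join(dirpath, name)
            if is_note:
                notes.append(path)
            else:
                folders[dirpath] += 1
            stamp = os.path.getmtime(path)
            earliest = stamp if earliest is None else min(earliest, stamp)
    first_seen = None if earliest is None else datetime.fromtimestamp(earliest)
    return {"folders": folders, "notes": sorted(notes), "first_seen": first_seen}


def newest_clean_snapshot(snapshot_times, first_seen, margin=timedelta(hours=1)):
    """Newest snapshot taken at least `margin` before the first artefact.

    The first artefact only proves encryption was already running, so the
    margin (an assumed default) backs off further. None if nothing qualifies.
    """
    cutoff = first_seen - margin
    older = [t for t in snapshot_times if t <= cutoff]
    return max(older) if older else None


def demo():
    """Constructed sample: two folders on a share, one of them hit at 09:40."""
    day = datetime(2016, 2, 1)  # constructed date, not the incident's
    hit = day.replace(hour=9, minute=40)
    files = {
        "finance/invoice.doc.encrypted": hit,
        "finance/budget.xls.encrypted": hit + timedelta(minutes=3),
        "finance/HELP_TO_DECRYPT_YOUR_FILES.txt": hit + timedelta(minutes=4),
        "hr/policy.doc": day.replace(hour=8),  # untouched file
    }
    with tempfile.TemporaryDirectory() as share:
        for rel, when in files.items():
            path = os.path.join(share, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.utime(path, (when.timestamp(), when.timestamp()))
        result = scan_share(share)
        snapshots = [day.replace(hour=h) for h in (6, 8, 10)]  # two-hourly copies
        result["restore_from"] = newest_clean_snapshot(snapshots, result["first_seen"])
        result["affected"] = {
            os.path.relpath(folder, share): count
            for folder, count in result["folders"].items()
        }
    return result


if __name__ == "__main__":
    print(demo())
```

File ownership, which is what tied the notes to a single account in this incident, is not covered here because the Python standard library does not expose Windows file owners.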

Cleaning Up
I already knew that the cryptolocker malware uses irreversible encryption, so the choices were either "pay up" or restore.

If you're interested, paying up was about $400 AUD with a timer set to go off in a few hours that would increase the price to $1,400.  They wanted their money in bitcoin.

I know people and companies who have paid up and they have had their files decrypted, so at least these people seem to have some honour.  Of course, if you have a decent backup, then it's safer not to draw attention to yourself.

In our case, we have drive shadowing turned on for our main drives which results in them being copied every two hours. It also makes restoration fairly simple.

The process of recovery was still long, but mainly because I wanted to be careful.

Tips and Problems in Restoration
I'm always telling people never to restore things to the same folders. There are lots of good reasons for this which I won't go into right now. We didn't have enough space to restore all of our data at once, so we did it in chunks. Then we copied each chunk over the top of the good data (without overwriting). This meant that if a file was missing (because it had been renamed to .encrypted), it got restored but if a file was new/unaffected, it wasn't overwritten with an older version.

Part way through the restore process, we discovered that the malware had been triggered about three hours prior and that some files being restored had already been affected. Once we'd finished restoring the 10am files, we repeated the process with a 7am copy (which was definitely prior to the email). That way we made sure that all of the right files were restored.
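The copy-without-overwriting restore described above, including the second pass from an older copy, as an added Python example rather than the commands used in the original incident. Folder names and file contents are constructed, and it assumes that affected files are always renamed with .encrypted, as the post describes.

```python
import os
import shutil
import tempfile

ENCRYPTED_SUFFIX = ".encrypted"
NOTE_STEM = "help_to_decrypt_your_files"  # ransom note name from the post


def is_ransom_artifact(name):
    lower = name.lower()
    return lower.endswith(ENCRYPTED_SUFFIX) or os.path.splitext(lower)[0] == NOTE_STEM


def fill_gaps(snapshot_root, live_root):
    """Copy files that exist in the snapshot but are missing from the live tree.

    Existing live files are never overwritten, and ransom artefacts inside a
    snapshot taken after the trigger are skipped. Returns the restored paths.
    """
    restored = []
    for dirpath, _dirs, files in os.walk(snapshot_root):
        rel_dir = os.path.relpath(dirpath, snapshot_root)
        for name in files:
            if is_ransom_artifact(name):
                continue
            rel = os.path.normpath(os.path.join(rel_dir, name))
            target = os.path.join(live_root, rel)
            if os.path.lexists(target):
                continue  # new or unaffected file: keep the live version
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(os.path.join(dirpath, name), target)
            restored.append(rel.replace(os.sep, "/"))
    return sorted(restored)


def still_missing(live_root):
    """Originals that no snapshot supplied: X.encrypted exists but X does not."""
    missing = []
    for dirpath, _dirs, files in os.walk(live_root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                original = os.path.join(dirpath, name[: -len(ENCRYPTED_SUFFIX)])
                if not os.path.exists(original):
                    rel = os.path.relpath(original, live_root)
                    missing.append(rel.replace(os.sep, "/"))
    return sorted(missing)


def _write_tree(root, files):
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)


def _read(root, rel):
    with open(os.path.join(root, *rel.split("/"))) as fh:
        return fh.read()


def demo():
    """Constructed trees: a damaged live share plus 10am and 7am copies."""
    with tempfile.TemporaryDirectory() as base:
        live = os.path.join(base, "live")
        snap10 = os.path.join(base, "restore_10am")
        snap07 = os.path.join(base, "restore_07am")
        _write_tree(live, {
            "docs/report.doc.encrypted": "ciphertext",
            "docs/budget.xls.encrypted": "ciphertext",
            "docs/draft.doc.encrypted": "ciphertext",   # created after both copies
            "docs/HELP_TO_DECRYPT_YOUR_FILES.txt": "ransom note",
            "docs/notes.txt": "edited after the snapshots",
        })
        _write_tree(snap10, {
            "docs/report.doc": "report as of 10am",
            "docs/budget.xls.encrypted": "ciphertext",  # already hit by 10am
            "docs/HELP_TO_DECRYPT_YOUR_FILES.txt": "ransom note",
            "docs/notes.txt": "older version",
        })
        _write_tree(snap07, {
            "docs/report.doc": "report as of 7am",
            "docs/budget.xls": "budget as of 7am",
            "docs/notes.txt": "older version",
        })
        # Newest copy first, so each file comes from the latest clean version.
        passes = {"10am": fill_gaps(snap10, live), "7am": fill_gaps(snap07, live)}
        return {
            "passes": passes,
            "report": _read(live, "docs/report.doc"),
            "budget": _read(live, "docs/budget.xls"),
            "notes": _read(live, "docs/notes.txt"),
            "still_missing": still_missing(live),
        }


if __name__ == "__main__":
    print(demo())
```

Run `still_missing` before deleting the .encrypted files, because afterwards nothing on the share records which originals no backup copy could supply.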

Getting rid of the Rubbish
The last things we did were;

Del *.encrypted /s 

On each affected drive letter. This removed the encrypted files.  We also did a


It certainly helps to know DOS.

As to the infected PC..., 

  • A complete scan using a current version of Kaspersky took nearly 24 hours and discovered nothing. 
  • The PC has now been wiped. 

Friday, June 05, 2015

Getting Started with IBM Connections - Communities (Creating a Notification System)

With Sametime (Chats) out of the way (See: Part 1 and Part 2) and the initial user setup done too (see here), it's time to start building things and getting users engaged in IBM Connections Cloud.

From what I've seen, it appears that there are two major features to go; Communities and Meetings. For the time being, I want to focus on Communities. 

What is a Community?
A Connections community seems to be a "group or topic around which members gather" in order to share and develop ideas. There are lots of things which could be communities;

  • Your company as a whole.
  • Specific Departments (or Business or Functional Groups)
  • Members of a Particular Project
  • A System (For example, your Invoice System). 
  • An Idea, such as "Business Continuity" 
  • A Hobby (such as a pet club, readers club or a movie watchers club).

Most communities will probably be business-related but if you're having trouble getting people to use Connections, it might be worthwhile providing them with a community they might enjoy participating in. 

Creating a Community
Ideally, before you create a community, you'll have decided what exactly the purpose of the community is.  In this particular example, we need a community to track changes to external companies whose membership we manage.

To get to the communities page, sign into IBM connections and then click "Communities" and "I'm a Member".  This will take you to the communities pages where you will see the communities that you're already a member of.  There's also a button marked "Start a Community"; Click it.  

Showing the Communities that you're a member of
The "Start a Community" Form
Give your community a meaningful name. It's possible to change the name later but it's best to try to get it right from the beginning.

The Access is the most tricky part of the form.
You generally have three options; Restricted, Moderated and Open.

The first question to ask is;
Will anyone outside of my organisation be required to join this community?
(ie: anyone that you haven't purchased a Smartcloud licence for).  If the answer is yes, then you need to choose "Restricted" and everyone who joins the community must be "invited".   You'll probably also want to tick the checkbox marked [x] Allow people from outside my organization to become members of this community.

If the answer is No, then the next question to ask is;
Can anyone in my organisation decide to join this community?
If the answer to that question is yes, then you should choose Open.

If your answers were "No" and "No" to the two questions above, then you should choose "Moderated".

The next part of the form is the community description. You don't need to put a lot of detail here for now because you'll probably find yourself editing this as your community begins to find its role.

The last field is "tags".  These are keywords associated with the community.  The biggest decision to make here is how to represent multiple words which belong together (for example; financial institutions).

If the words are to be treated as a single keyword, they can't contain spaces or commas. It's possible to use a hyphen (eg: financial-institutions) or to simply leave the space out entirely (FinancialInstitutions). Whichever way you choose, try to be consistent across your organisation.

The Icon
Below the fields is a link that reads "Upload a Community Image".  I can't stress the importance of community images enough. These provide an important recognition point for your system.

These icons should be square and ideally larger than they are displayed in other areas of the community. I tried at lower resolutions but they don't look good. A jpg of about 500 x 500 pixels is ideal but 250 x 250 is okay too.

I'm assuming that you've already created an image (I might explain how to do one quickly in another post), so just click Upload a Community Image, then choose your file.

There's also an area where you can select Members.  It's not a bad idea to put yourself in there as an owner to start with.  You can fix the rest up later.  It's best not to go adding others until you've gotten the system to a reasonable state (otherwise they'll start getting all sorts of messages).

In the Access Advanced Features section, you can set the rules for who can email who (email privileges).  More importantly though, you can set the start page of your community to "Status Updates".  If you can't see these options now, don't worry, they'll be there when you come back and edit the community later.

Now that you're done, click Save and your community will be created.

Configuring your Community
Now that you have a community, it's time to configure it a bit. This is a whole new topic in itself, so I'll just do one quick example;

We've decided that we want a calendar and activities as part of this community.
On the top right of the menu bar, click Community Actions and then Change Layout.

Next, click on the Add Apps tab to see a list of the apps you can add. Click the plus on each app that you want to add.

Now, still in the layout view, scroll down to see the body of your community. You'll notice that activities has been added to the very bottom of the list.  If you hover the mouse over the word activities, it will turn into a four arrowed cursor.  When that shows, it means that you can drag the activities dialog all the way to the top of the community so that it gets more easily noticed.

Your changes will be saved automatically.

That's it.

Using your New Community
Now if you post a status update, you should be notified. Your users can subscribe to this community and be notified too.

A Quick note on RSS
You'll notice that there are little fields which say "feed for these entries" against community elements. You can right click on these and copy the link address.  (That's the Chrome wording, it's probably a little different in other browsers).

Next, switch to Lotus Notes and expand the right hand pane and find the Feeds widget.
Click the Square RSS Feed icon with a green plus
A dialog box will appear, paste your URL and then click Go.
Change the feed name to something sensible (because the default one is just silly)
Click Ok.

Your notes client will change to show the feed (and if you've just posted something, it should pop up automatically).

You now have a notification system that your users can subscribe to in order to keep up to date on company changes.

Wednesday, May 20, 2015

Getting Started with IBM Connections Sametime Cloud (Chat) - PART 2

In my last post, I went through the initial setup of Sametime (from Creating a user to getting to a logon in the cloud). I promised that I'd be back with information on getting Sametime (IBM Chat) working on other devices and away from the web browser. 

So, after a slightly longer than expected break (holiday), I'm back. 

Last time, we got to the point where you could access Sametime in the Connections Cloud. As part of this, you should have ended up with;

  • A login name (email address)
  • A password
  • A connections location

Your connections location will probably be a URL something like this.

This is a good URL worth understanding and remembering.

The .ap. bit refers to Asia Pacific, which is the most correct option for Australia at the moment. Yours may be .na. (North America) or .eu. (Europe).

Getting the Relevant EXE Files
Once logged onto IBM Connections Cloud, it's very easy to get the installation files for a local version of IBM Chat (Sametime).

To get to the Install files, click on Apps and then on Downloads and Setup.
There's a section in there called Chat and a link to "View Chat Options".
Clicking this will open a new window containing the relevant links.

Three Types of Chat Client
There are three major types of Chat Client - and all of them have their little idiosyncrasies. 
  1. Stand-Alone Chat
    This runs in your system tray and in my opinion, it's the best option for most people. If you choose this client, then it will pop over anything when there's a message. Of course, not being integrated with Notes means that your notes mails won't be "presence-aware" but since the chat app itself is - and it's usually hovering nearby, it's not a major concern.  In particular, this chat client is good if you often close Notes (to use Webmail instead) or if you find yourself switching Notes IDs often.

    If I'm working from home, I will usually work on both my home PC and my remote work PC. When I'm focussed on my home PC any chats which break on the remote PC won't be seen if I have a screen in front.  That's where having the chat running on my home PC as a standalone client works well.
  2. Embedded in the Notes Client
    This is the option that most people are familiar with. If you're running a recent version of Notes, then you'll already have an embedded sametime client. If configured correctly, it will usually work with the connections cloud but I'd still recommend downloading and installing the latest embedded client as it contains a few "extras".
  3. Mobile Chat
    The mobile client is used on Apple iOS, Android, Blackberry and Windows tablets and phones. It's not downloaded from the "Downloads and Setup" section of connections but from the app stores for your particular device. 

Note that while it's certainly possible to have both the Notes Client AND the standalone version of Sametime on the one machine, they can't both be connected at the same time, so it's counterproductive. Only install one sametime client per machine.

Installing the Stand-Alone and Embedded Clients is simply a matter of downloading the EXE, then closing Notes and running it as Administrator. Agree to the licence and click Next a few times followed by Finish.

The server should be your address and your user name and password are the same as for connections.  You should be prompted at some point for your location and this is worth filling in. The other important thing is to save your chats.  If you don't save your chats then you'll lose context when you move between devices.  I found this out the hard way. 

If you've accidentally chosen not to save your chats, you can change it later, simply click the cog icon in the sametime chat window and choose Preferences.  Then click on Chat History and change it to Automatically Save Chats. 

Where are all my contacts?
Probably the most frequently asked question about Sametime today is "where are all my contacts".  In the past, we could just add the "All staff" group to Sametime and it would pull in everybody but that doesn't work if you're not running a hybrid setup -- because your notes groups aren't accessible to sametime in the cloud. 

You just need to add people as you need them for the time being. On the plus side though, once you've added them on one cloud-enabled device, they show up on others. 

Switching Between Clients
It's a bit of a joke nowadays that IBM changed the name from "Sametime" to IBM Chat because you can't actually be in two clients at the "same time". This is really annoying and Google Talk can do it.... All whining aside though, there are some settings that you really need to look at;

Shut down Sametime in the Cloud
The next time you logon to IBM Connections cloud, sametime will connect and will pass control to the browser. This will drop you out of your embedded or standalone client. Sign out of IBM Chat on the cloud system and deselect the "Automatically Sign me in" box. You can now re-sign in to your embedded or standalone client without worrying that every time you visit IBM Connections cloud, you'll be signed out.

I've noticed that there's a google chrome extension to do that.  I don't know what that's for but you won't need it. Just sign out. 

Apple iOS and Android Clients
The iOS and Android clients for sametime are called IBM Connections Chat. You can find them in the Apple iTunes store or the Google Play Store.  They're easy to install and once installed, you just need your user name, password and IBM connections cloud server. 

The same notes as above apply to them, you should save your chats and set up your location.  You should also be aware that whenever you sign into them, you will be signed out of your other sametime accounts... and you will appear with a mobile device icon next to your status. 

Next Time: With all the sametime stuff out of the way, hopefully next time I can start talking about using IBM Connections Cloud to get work done.

Monday, April 20, 2015

Getting Started with IBM Connections Sametime Cloud (Chat) - PART 1

One of the best reasons to move to the new IBM Connections Cloud is IBM Sametime. 

Until recently, we were using the "free" bundled IBM Sametime 7 offering. This was a useful feature but of course, some of us were spoiled by the chat options available in other software (Google Hangouts particularly). The version 7 feature has not aged well.  

We looked at upgrading the functionality some time ago, only to be told by many people that "the new SameTime is too complex to set up". It also required considerably more investment in hardware and software. Essentially it wasn't going to be economical to use and we had ditched the product. 

The plan was to eventually install a replacement, but in the meantime, we were learning to live without it - after 6 months, our users had stopped complaining.

Then along came the IBM Connections version of Sametime.... and it's good. Very Good. 

Cloud: The Fastest Way to Get up and Running
The fastest way to get up and running with the connections version of Sametime is to get some people to connect in the cloud. To do this;

Essentially, this is the new user account process

  1. Login to your IBM Connections Cloud Page.
  2. In the top Right, click Admin then Manage Organization
  3. Click Add User Account
  4. Provide a First and Last Name, a Language and a Department.
  5. Choose a Role (Generally User is appropriate).
  6. Click Next.
  7. On the Subscriptions tab, choose;
  8. IBM Connections Cloud S2 (under collaboration).
  9. Leave the mail alone unless you're using mail/hybrid settings -- that's a whole other post. 
  10. In the Subscription Add-ons, tick [x] IBM Connections Docs Cloud.
  11. Click Next
  12. Ensure that the email address is correct and then click Finish. 
The system will send your new user an email telling them that they now have an IBM Connections account. There's a clickable link in the email and this will enable them to reset their password. Once they're logged in, they'll automatically be available in Sametime.

Note: it's the web version of SameTime, so it will be "gone" when your users navigate away from the page but that's okay. There's some better sametime options which I'll discuss in part 2. 

You may also find that your sametime system doesn't automatically have the names of everyone in your organisation.  The old version used to. I believe that once you connect your Notes/Domino environment to the cloud as a hybrid environment, you'll have that functionality though at the moment, I can't confirm. 

Adding a Colleague to the Chat
If your new user wants to add a colleague who is also on sametime, then these are the steps to follow;
  1. Click on the Cog (top right)
  2. Choose New Contact
  3. Type part of the name (ie: first or last name only) and press Enter.
  4. Your person's name should appear.
  5. Click on it and then Click Add. 

Next Time
In my next post, I'll go over how to get the Connections-based Sametime working in the Notes client, as a Windows app and on mobiles and tablets.

Tuesday, April 14, 2015

Getting Started with IBM Connections Smartcloud

Last September, when renewing our Notes and Domino Licences, IBM offered us a trade-up to IBM Connections SmartCloud. Essentially, we were presented with two options;

1. 50%  of our licenses upgraded to the full services (S1)
2. 100% of our licenses upgraded to a subset of the services (S2)

I chose the first option, knowing that either way I'd have a struggle on my hands with management when I wanted to take advantage of the full services but also knowing that it's easier to justify getting the other half of the organisation onto the new service than it is to widen services for the whole organisation. 

We're still only half there but I'm very hopeful - it's the first time in years that I've had real confidence in IBM's direction. 

So What is this Connections thing Anyway?
It's weird but IBM seems to have come full circle in the Domino product line. They spent years barking up the wrong tree with ideas like the ill-fated "workplace" which was intended to replace Domino but merely destabilized the entire IBM customer base, the equally ill-fated Symphony, which was designed to replace Microsoft Office and Quickr (which went through a few confusing name changes, looked good and then ultimately died).

That's a pretty short list; there's a lot more which I won't go into. Suffice to say that it takes a tenacious IBM customer to hang on through all of those bad decisions.

I deliberately ignored Connections when it first came out.  It looked like yet another attempt at making a "Lotus killer" - and I'm glad I did ignore it because it's really taken many years to mature.

Connections SmartCloud seems to be a sort of hybrid of the various products which uses Domino and XPages as the "glue" to stick it all together. I was dubious at first but the more I use it, the better it becomes. 

Slowly, Slowly
The key to connections is really to take things slowly until you build up enough understanding to make proper use of the product. In our case, we let our connections licenses sit there idle for about six months before deciding to do something about them (we were very busy with other things).

The key to getting things up and running is to get IBM involved. Right now, connections is a fairly new product and they're trying to gain traction.  They'll be willing to help.

Contact your IBM Business Partner (or if you haven't got one, contact IBM directly) and ask for someone to help explain what connections is to you.  It won't cost you anything and you'll benefit immensely from the experience. 

If you have several servers, you'll find that connections can replace your mail server, your traveler server and your sametime server.  You may also find that it replaces some other services.  Personally, I'd love to use it to replace our file servers but I don't think our organisation is ready for that kind of change... yet.

Start with Sametime
Sametime is probably the easiest way to start with connections -- and the quickest way to see real benefit in your organisation.  All you have to do is create users in connections and then push the passwords out to your people. They'll be able to logon and use Sametime on the PCs, Mobiles and tablets.

In my next post, I'll try to go through the rudiments of Sametime setup.

Thursday, April 09, 2015

Cloud Services and the Business

It wasn't all that long ago that cloud services were frowned upon in business circles but 2015 looks like being the year of cloud adoption. So far, I've personally signed up for three major options,

  • Google Apps for Business
  • Microsoft Office 365
  • IBM Smartcloud Connections

 Of course, there's a few smaller options in there too, like Symantec.Cloud which we use for Anti-Spam and Mail Archiving and Telstra's cloud services which we use in other capacities.

Data Protection
One of the things that has kept businesses well away from the idea of cloud services is belief that the US government has more access to data on cloud servers. In a way, this is true, particularly if those servers reside in the US.

Personally I don't understand why the US Government is considered to be such a threat to legitimate business but rest assured, I've seen the reactions. People clearly don't want their data to be snooped.

The problem is that the details of these laws make it clear that not being a US company or not being on US soil makes very little difference to the privacy of your data.  For a start, any company with any point of presence on US soil is subject to the PATRIOT act and may be required to surrender your data -- even if it was never on a US Server.

Secondly, most countries, Australia included, have reciprocal agreements which essentially mean that the government will willingly turn data over to the US if required. There's not a lot you can do about it.

With that in mind, a cloud service stops being quite so scary. Your data is available no matter which way you look at it. You might as well make sure that you pick a cloud service that satisfies your business needs rather than some imaginary geographical ones.

I'm not nearly close to a choice of the best service - yet.  What I can say is that of the three big ones I've looked at, Google is the easiest and cheapest to sign up and use.  Microsoft's service was by far the most difficult, it took me more than a week to sort out the licensing - and that was with the help of a Business Partner.

IBM so far sits somewhere in the middle, it's very simple to get started but now a month or so later, I'm still trying to get my head around it all. What I can see so far is that there's a lot of potential there and that it seems to integrate well with our existing Domino solutions.  I'll provide more information as I begin to figure it out.

One thing's for sure though. Microsoft is all about the "Office" and "Exchange" brands, Google is wider than simply applications and IBM is about collaboration -- applications take a clear back seat to the collaborative environment as a whole.

Thursday, March 26, 2015

How to Stop Youtube's new AutoPlay feature from Eating all of your Bandwidth...

I've noticed a rather annoying trend recently where youtube starts a countdown to the next video at the end of our current viewing and starts playing it automatically.  Sure, you can click cancel but what happens if you're not there?

What happens if you're watching a video and then you get a phone call and suddenly have to leave your desk.... Don't worry, YouTube will happily continue downloading random streaming videos in the background.  Even better, if you've left home for the day (or work for a weekend) you can expect a nasty bandwidth surprise.

That's why you need to turn this horrible new feature off. 

How to Turn AutoPlay OFF
In your YouTube account, start playing a video, any video.  You should see an AutoPlay option in the top right hand corner. Slide it to the off position.

That's it. It seems to be a setting which is remembered... of course, that's only if you're actually logged into YouTube.  If you're not logged in then you'll probably find yourself having to turn things off every time you restart your browser.

Wednesday, February 18, 2015

Restarting Agent Manager on Domino 9.0.1 may crash your server....

Update: Thanks to everyone who commented to point out that this was fixed.  We were all so focussed on Poodle that we only applied the fixes to the servers that serve HTML.  Turns out that IBM Domino 9.0.1 FIX PACK 3 is a good fix to have on all of your servers. 


Just a fun tidbit we discovered today (fortunately on the test, rather than the production server).

It seems that a bug has been introduced in Domino 9.0.1 which doesn't like having the agent manager restarted.

Specifically, via the commands;




Under normal use, you'd probably have no reason to issue those commands on your server console but if you had a runaway agent or if you were testing/debugging, you might.

Shortly after agent manager loads (in our case, in under 10 seconds), the server will start to report things like;

AMgr: Console command 'LOG.NSF' is unknown
AMgr: Console command 'admin4.NSF' is unknown

The actual name of the database will be different depending upon your system but the problem is the same. The server starts referring to databases like they were console commands.

After a while, the server becomes hard to access and you either need to get to a remote console to shut down Agent Manager or access the server via services and shut down the Domino server (and then reboot).

After a reboot, it all starts working again -- provided that you leave Agent Manager alone. 

Turns out that there has been an APAR for it  (and here) since 17 June 2014 (but it's closed, not sure if that's okay).

Fixing it
Apparently the fix is to "Do not set Log_AgentManager." and "Remove unnecessary MQClose" (thanks IBM, that's really clear).

From what I can gather, this is something to do with the Notes.INI variable;


Which our server didn't even have.  I added this INI variable and set it to 0 (but didn't restart the domino server, so it's not a proper test).  After I restarted the Agent Manager, the problem reoccurred. I tried setting it to 1 and restarting the Agent Manager.... I'm not sure if I just hit good timing but the problem seems to have disappeared.

Really though, best to avoid agent manager commands during office hours on the production servers if you can help it. 

(one final thing... it looks like Thomas Hampel blogged about this last May, so thank you!)

Monday, February 16, 2015

Domino Lives!

I had a very interesting conversation with IBM last week (more on that in later posts) and at one point we discussed the current status and the future of IBM Notes and Domino.  It's a discussion which seems to be largely ignored at the IBM events these days but it's certainly a question that IBM's customers want answered. 

The answer from IBM was quite interesting.

First of all, we were assured that IBM Domino was not dead - far from it. It was alive, kicking and thriving.

It's no longer being considered "sexy" or "new" but is seen as a mature product which does exactly what it needs to do.  IBM made it clear that they didn't intend to over-engineer notes by adding functionality simply so that they could bring a new version to the market.

IBM weren't subtle about it either, pointing the finger at Microsoft Word and asking "how many more features do you need in a word processor"?  It was a good point, well made. After all, how much functionality did "the ruler" add to Microsoft Word - and was it worth the cost of the upgrade? In my experience, it's made a lot of things that I used to do much more difficult.

IBM does not want Notes and Domino to become "bloatware".  In fact, they made it clear that  many of their requests were for smaller clients, for example, to "make the firefox browser-based version of Notes available on iOS". Whether that actually happens is yet to be determined but it's clear that the future is "smaller".

There will be new versions of Notes as new requirements and fixes arise. Domino isn't going away but as it moves past the 25 years mark and loses its sexy good looks, at least it has a plan to keep trim. 

Thursday, January 22, 2015

The Pain of Getting into Microsoft's Corporate Licensing

We've been out of Microsoft's Corporate licensing model for quite a while and it's been good, no, it's been GREAT. 

Whenever I've needed a Microsoft Product, I've wandered down to the local retail outlet and purchased it. Sure, sometimes I've been a little annoyed when it's not in stock and I've had to wait a day or two but on the whole, it's been glorious.

We haven't bothered with maintenance on our Microsoft products because we don't want to upgrade. Not within 3-4 years. Our standards so far have been  

  • Windows NT + Office 97, 
  • then Windows XP + Office 2003 
  • and now Windows 7 + Office 2010.

Because we update so infrequently (and all at once), it's easier to simply purchase new computers once every four years and buy the software at the same time. It's not like you save anything much on the volume licensing -- in fact, it's quite the opposite, buying a new licence every four years is much cheaper than paying maintenance on one for four. Plus you get an extra (old) licence out of the deal. 

The Changing Microsoft Licensing Model
Unfortunately now, the Microsoft world has changed. 

Now they're making their products harder to purchase in retail stores and they're expecting to have them linked to hotmail/exchange accounts. This is all well and good if you've got a consistent set of employees who all have those accounts but if your workforce fluctuates (for example contractors on lots of short projects) then it's quite painful.

I've successfully avoided Microsoft Open Licensing since it was first introduced except for a few small occasions.  All of these were incredibly painful and time-consuming. In one case, we attracted the attention of Microsoft themselves who announced that we had to do an internal IT audit.  We were fully in compliance, in fact, we were considerably over-compliant but I still had to gather every single licence and fill out tons of paperwork.  It was a very costly exercise in terms of staff time and it certainly cooled us off on the whole "working with Microsoft" thing.

I really have to wonder why an organisation like Microsoft has the power to demand audits like that. 

The worst sign-up process in the World.
So, after years of successful avoidance, we now find ourselves in the position of having to do the whole Open Licence thing.  We're using a Microsoft Business Partner so you'd assume that this would smooth things over -- it doesn't.

Here are some of the highlights;

  • I've been waiting four business days for the licensing to come through.
  • The Microsoft site is not compatible with browsers other than Internet Explorer
  • Partway through the process the browser throws an error and tells me that I need an "InPrivate" session -- a decent browser would simply switch to one. 
  • A typical attempt involves me having to sign on at least five times.
  • I keep having to verify codes to protect my account (despite turning it off several times).
  • The Microsoft Volume Licensing Service Center is unintuitive (and useless)
  • The whole process ends with a "Sorry" Error telling me that I have to switch to an InPrivate window even though it's already InPrivate.

I used to complain about the usability of IBM's Passport advantage site but it leaves the Microsoft one for dead. 

An Alternative
On the plus side, since I'm without office at the moment, I've been using Google Drive.  I could have used Libre Office but I didn't want to install anything.  I'm pretty impressed, apart from the amazing signup process (login with your google account which takes 5 minutes to create), the product is free.

I've used it before for home purposes but this is the first time I've thrown real-world work documents from Word, Excel and Powerpoint at it.  I'm very impressed.  It's handled everything I've thrown at it without a hitch and I'm exchanging documents with my colleagues and they haven't noticed a thing.

I really have to question the business wisdom of continuing to use Microsoft products at all but that's a discussion for later - in the meantime, if Microsoft doesn't sort themselves out, at least I have other tools that I can rely upon. 

Friday, January 16, 2015

Why you should get onto Google Play even if you don't have an Android Device

So, you're an Apple person, or a Windows person, and you already have an iTunes or Windows store account. You can get your books, music and movies from their stores. Why would you bother getting a Google Play account?

It's worth it. That's why -- even if you only buy the FREE things. 

Actually, there are four very good reasons;

  • Cross Platform Functionality
  • Downloading to Other Devices
  • Uploading Your Own Materials
  • Free Stuff 

Cross Platform Functionality
If you have iTunes, then for the most part, your music and movies are only available on your apple device(s).   Your iPhone, iPod or iPad, maybe your apple computer and possibly, in some cases, your windows computer.  Essentially, purchases on the apple platform, stay on the apple platform.

This is not the case with Google Play.

Movies, Music and Books from Google Play work in;
  • Android tablets and phones (obviously)
  • Apple iPhones, iPads and iPods (Do a search for Google Play)
  • Windows PCs
  • The Chrome Browser (on any platform)
  • The Linux Platform
  • ChromeOS on ChromeBooks and the ChromeBox
In addition, Google Play Apps will work on;

Downloading to Other Devices
Some of the files from Google play will also play in other devices;

  • Music can be downloaded as DRM Free MP3
    This means that it will play in most modern CD players, can be written to CD using software like Nero or Windows Media Player, will play in VLC and can be uploaded to your iPhone.
  • Books can be downloaded as (usually DRM Free) EPub or PDF. 
    To download, just go to Google Play, click on Books, then My Books.
    Hover the mouse over the top right of any book in your collection and a tiny three-box menu will appear. Click on this and you can download your book to copy to your E-Reader or wherever else you want to take it.

Uploading Your Own Materials
Did you know that you can also upload your own books and music to Google Play?  This means that they become part of your library and you can access them from other locations.   Sure, you can do this in the iTunes world too but the difference there is that although you can copy songs to your phone, they don't become part of your library.  Trust me, the Google model is much better. 

Free Stuff 
Finally, we get to free stuff.  Like most providers today, Google has "songs of the week" and "books of the week" as well as random "free" stuff throughout their library.   There's no real catch other than needing you to have a working Google play account. 

When you buy free stuff, it will expect either a play card with money on your account or a working credit card. It doesn't charge these things but it just likes to know that they are there. 

I'd advise against hooking a credit card up to the account.  It's much better to simply buy a cheap Google play card. 

You should check the front pages of the Books and Music on Google play at least once per week in case something free appears. If it's worth getting it, then just do. You don't need to worry about bandwidth, just "buy it" while it's free, you don't need to download it immediately.

The easiest way to find Free books and free music is to go to the appropriate books or music page and type in the search bar 
  • Free Books
  • Free Music

You'll find that most of the classics are free all of the time but other popular genres are only free for a limited time (so you need to "buy" them as soon as you see them for free). 

Free movies on Google Play are pretty rare but they do happen. Pacific Rim was free for a short while over Christmas 2014. 

Recent Highlights
Free stuff will also vary from one country to another.  Recent highlights include; (check these out because they might still be free) 

    Go get 'em. 

    Monday, December 29, 2014

    A little more on the Poodle (IBM Domino 9.0.1 and the Poodle Vulnerability)

    In my last post, I discussed the steps required to get your Domino 9.0.1 server patched against the poodle bug which exists in both SSL 3.0 and TLS.  At the end of the post, I mentioned that I still had one server which was refusing to apply the patch.

    This is how I got around the problem. 

    The Server that Wouldn't
    After taking the patches all the way back to Fix Pack 1 and slowly patching forward one-by-one with reboots in between, I realised that whatever was affecting my server had been installed for a long time.

    There was no easy way to resolve the problem and obviously I couldn't roll back forever.  I just had to accept the fact that the server would not take the patch and take some more drastic measures.

    Backup First
    Of course, before taking any drastic measures, you should always back up first. Personally, I like to have a proper backup as well as a local copy of the main domino files.  That way I don't have to worry about streaming and tapes.

    I manually took a copy of the D:\Lotus\Domino folder on the server (but not sub-folders) and saved it elsewhere.  Then, being careful to overwrite only obvious program and library files, EXE, DLL plus any other non-data files, I copied the files from a server which was otherwise at the same level (64 bit Domino 9.0.1) but had been successfully patched.

    After the copy, I restarted the server and retested for the poodle problem. Luckily, the file-copy procedure had resolved it.

    Yet again, I'm thankful for the low tech nature of domino and the fact that it doesn't go crazy with registry entries. 

    What if I don't have a working Server?
    So, if you don't have a working poodle-proof server and you're faced with a similar issue to mine, then one of the simplest options is to install a brand new Domino 9.0.1 server and patch it, then try copying the files across.  There's a pretty good chance that it will do the job.

    Wednesday, December 24, 2014

    Taming the Poodle in IBM Domino 9.0.1

    There's been a lot of talk lately about the Poodle Vulnerability and IBM have provided a rather slow and confusing response full of similarly named files across multiple web pages. We've mostly gotten our systems sorted now but as it was a difficult process, I thought I'd share some of the things I've learned.  If nothing else, I'm sure that other people could benefit from the fix lists being in the one place.  Huge thanks to the guys in the IBM Notes groups on LinkedIn who provided most of the best insights here.

    The poodle vulnerability isn't a new thing (it's 15 years old) but recently browser vendors, particularly Mozilla (and soon Google) have issued upgrades which block access to vulnerable sites by default. I guess that means it's time to deal with it. 

    This is what the Firefox error message looks like.

    One more thing.... In case you've already dealt with poodle and you think that your system is safe because Mozilla Firefox is no longer complaining, here's a good test;

    Just enter your server domain in the box (and make sure that you tick the box about NOT showing up on the boards). If you're safe, you'll get an A or a B.  If you're still vulnerable to poodle, you'll get an F.
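    A local way to check the SSL 3.0 half of this on your own server, as an added example that is not from the original post or from IBM: the script sends a bare SSL 3.0 ClientHello and reports whether the server answers with an SSL 3.0 ServerHello or with an alert. The function names and the constructed sample replies are assumptions for illustration, and a clean result says nothing about the TLS variant of the bug.

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"  # protocol version bytes for SSL 3.0
# RSA key-exchange suites (AES-CBC, 3DES-CBC, RC4) from the SSL 3.0 era.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}

# Constructed sample replies (not captured from any real server).
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"
SAMPLE_SERVER_HELLO = b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26\x03\x00" + bytes(36)


def build_client_hello() -> bytes:
    """Return one SSL 3.0 record carrying a minimal ClientHello."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSL3                                      # client_version
        + os.urandom(32)                          # client random
        + b"\x00"                                 # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                             # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) + 3-byte length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 0x16 (handshake) + version + 2-byte length.
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server sent back to the SSL 3.0 hello."""
    if len(data) < 5:
        return "no-answer"
    rec_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if rec_type == 0x15 and len(payload) >= 2:
        # Alert record: level byte, then description byte.
        return "rejected:" + ALERT_NAMES.get(payload[1], str(payload[1]))
    # ServerHello: type (1) + length (3) + server_version (2).
    if rec_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        return "sslv3-accepted" if payload[4:6] == SSL3 else "other-version"
    return "unrecognised"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the hello to host:port and classify whatever comes back."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello())
            while len(data) < 11:                 # enough to see the version
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        pass  # refused, reset or timed out: classify what arrived, if anything
    return classify_response(data)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: sslv3_probe.py <your-server-hostname> [port]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(sys.argv[1], probe(sys.argv[1], port))
```

"sslv3-accepted" means the server still negotiates SSL 3.0 and needs the fixes and INI setting described below; an alert or a dropped connection means SSL 3.0 is refused.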

    Being on the Latest IBM Domino server
    So, the first port of call is to be on the latest IBM server if possible.  That's Release 9.0.1.

    IBM has actually provided fixes for a few other versions of domino, so it's not the end of the world if you're not on the latest, provided that you're on one of these.

    • 9.0.1 Fix Pack 2
    • 9.0
    • 8.5.3 Fix Pack 6
    • 8.5.2 Fix Pack 4
    • 8.5.1 Fix Pack 5

    However, I've heard that the 8.5 releases don't include the full fix (I could be wrong). So, a 9.x release is a better bet.

    Working out what version/patch your Server is
    There are a bunch of different ways to do this but my favourite is to simply fire up the Notes admin client and connect to the server.  You'll see the patch level  in the top left.

    Release 9.0.1FP2HF590 is the first version of Domino (for 64 bit Windows) which is fully patched against Poodle.   If your server has a higher number (eg: 9.0.2 or 9.0.1FP3 or 9.0.1FP2HF700) then you should be fine. If it's a lower number, then you probably have work to do.
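    The rule of thumb above, written out as an added example (not IBM tooling and not code from the original post): it parses release strings in the form the admin client shows and compares them with 9.0.1FP2HF590. The function names and the server names in the sample inventory are made up for illustration.

```python
import re

# First fully patched 64-bit Windows build, according to the post above.
BASELINE = "9.0.1FP2HF590"

# Accepts "Release 9.0.1FP2HF590", "9.0.1 FP3", "9.0.1 Fix Pack 2", "9.0", ...
RELEASE_RE = re.compile(
    r"^\s*(?:Release\s+)?(\d+)\.(\d+)(?:\.(\d+))?"
    r"\s*(?:(?:FP|Fix\s*Pack)\s*(\d+))?"
    r"\s*(?:HF\s*(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_release(text):
    """Return (major, minor, maintenance, fix_pack, hotfix); missing parts are 0."""
    match = RELEASE_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised release string: {text!r}")
    return tuple(int(part) if part else 0 for part in match.groups())


def assess(release, baseline=BASELINE):
    """Apply the post's 'higher number is fine' rule to one release string."""
    parsed, base = parse_release(release), parse_release(baseline)
    if parsed[:3] < base[:3]:
        # 9.0 and 8.5.x are separate code streams with their own fixes,
        # so the 9.0.1 hotfix number cannot be compared against them.
        return "older-stream"
    return "ok" if parsed >= base else "needs-patching"


def audit(inventory):
    """Map each server name to its assessment; bad strings are flagged, not fatal."""
    report = {}
    for server, release in inventory.items():
        try:
            report[server] = assess(release)
        except ValueError:
            report[server] = "unparseable"
    return report


# Constructed inventory: hypothetical server names, release strings as typed
# from the top left of the admin client.
SAMPLE_INVENTORY = {
    "mail01": "Release 9.0.1FP2HF590",
    "mail02": "Release 9.0.1FP2",
    "apps01": "9.0.1 Fix Pack 3",
    "apps02": "8.5.3FP6",
    "trav01": "nine point oh",
}

if __name__ == "__main__":
    for server, status in audit(SAMPLE_INVENTORY).items():
        print(f"{server:8} {status}")
```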

    The patches are actually quite simple to install provided that you download all of them and install them in the right order.  It's best to make folders (and copy them all to an install folder on your server) before starting anything.

    The patches you'll need for a basic unpatched Windows 64 bit Domino 9.0.1 installation are as follows (in this order);

    Domino 9.0.1 Fix Pack 2

    You don't have to install Fix Pack 1 because fix packs are cumulative (they contain the earlier fixes too).

    Interim Fixes 1, 2 and 3

    Unlike the fix packs, interim fixes are not cumulative, you need to install them all and in the exact order.

    • Domino 9.0.1 Fix Pack 2 Interim Fix 1 (This was released twice, so make sure that you have the version from Nov 5, not Nov 3)
    • Domino 9.0.1 Fix Pack 2 Interim Fix 2 (released December 12, 2014)
    • Domino 9.0.1 Fix Pack 2 Interim Fix 3 (released December 19, 2014)

    You should be able to find most of the patches here;

    Once you've got all your patches in the right place, you'll need to find an outage window to shut down your server. It's strongly recommended that you do a backup before proceeding.

    To install the fixes, simply run the EXE files and follow the prompts, they should take only a few minutes each.  It's not always necessary for a server reboot between fixes but I've had variable results trying to cheat, so it's worth the extra time on important production servers.

    Be careful because some of the fixes look like they're done (with graphs sitting at 100% and a thank you message and a close button).  It's not finished until the bar graphs disappear.

    Before you do your final reboot, there's an INI File setting that you need to change.

    The INI File Setting
    Use Notepad to edit your system's Notes.ini file.
    Add a line (pretty much anywhere in the file), which says;


    I'm fairly certain that this overrides the unsupported command;


    So if you see that setting you can probably remove it.
    After this you can reboot your server, do your testing and redo the Qualys test.

    Other Fears and Concerns.
    I've tested this on servers running Traveler, Domino and iNotes.  It seems to work. I haven't tested on the current version of Sametime.

    There's some discussion around suggesting that this affects mail, but I didn't see any impact on mail.

    You don't need to get a new SSL certificate. The old ones should still work with TLS.

    Other things to Consider
    There seems to be a patch for Traveler too, so this is probably worth applying.
    I haven't gotten around to testing that one yet.

    The main problem I found was this message;

    From what I can tell, it's indicating either that you're installing fixes in the wrong order or that Interim Fix 1 is the wrong dated version.

    One time when I received this, I just had to go back to the beginning and install Fixpack 2 and then the hotfixes carefully.  On another server, I can't get past this message (and suspect that a certain amount of uninstalling or rollback will be required).

    Like I said, backup before you do this and best of luck Taming your poodle.

    Friday, November 28, 2014

    IBM Notes: 25 Years and Counting...

    Today marks 25 Years of IBM (Lotus) Notes. It's a pretty impressive lifespan for a product. Sure, Windows has been going 29 years and there are many older systems out there but few I suspect have retained the incredible levels of compatibility that Notes has. Can you still run Windows 1.0, 2.0, 3.0 or even 95 programs on the latest Windows? Sometimes, but not really. Not without emulation. Notes applications however still run fine on the newer notes platforms. 

    What is Notes?
    For so many years, people thought that Notes was email - in fact, they still do today.  I have no idea why they have that impression, after all, IBM/Lotus sold a separate product, CC:Mail for years before finally deciding that Notes handled mail well enough to not require it any more. 

    Nevertheless, Notes always drew comparisons with outlook and lots of companies moved away from Notes mail because it was fashionable (and a safe bet) to use Microsoft and because they figured that the new versions of Outlook did mail better than their Notes (which usually hadn't been upgraded in years). Many of the companies which "moved away" still run conveniently forgotten back-room Notes installations for their applications. Mail is moved but the applications are still there. 

    I mostly blame IBM for this, for failing to answer the simple question - what is notes? 

    Notes is a rapid development and runtime environment with built-in collaboration, security and replication. 

    That's what Notes is. 

    Where to from here?
    I picked the screen shot at the top of this post deliberately to show that the current version of Notes still has the workspace that the original has. I don't use the workspace, I haven't for about a decade. We have our own nice front end. 

    The future of Notes is the web. 

    Most of our in-house applications operate equally well in the Notes client and on the web. At the moment our users are still using the client and our customers use the web. The plan is for the development/admin team to continue using the client and for everyone else to use the web. 

    IBM have a web offering for Notes/Domino apps but the beauty of having your own domino server is that you own your own cloud. Also, if our customer base wants a new system, we can simply and easily develop, test and deploy it, without having to worry about extra runtime requirements. 

    What I want from IBM
    • Clear Messages
      Stop muddying the waters with name changes, Connections, Sametime, WebSphere, Cognos and the web versions of these and all your other products. Make a clear statement of what the product does, why it is different to the other products, how it connects and how it adds real business value. Stop treating Notes like it's a mail product.
    • Rapid Application Development
      Sort out the XPages mess. Yes, they're good but they take the R out of RAD.
    • Mobilize
      We want a compiler that will wrap up basic android, iOS and Windows functionality into APPs that work with a web-based domino server.
    • Be Proactive not Reactive
      The poodle attack vector was uncovered about 18 years ago. IBM was informed (apparently) 5 years ago. We (the customer base) had to fight way too hard to get a fix delivered -- and even then, I haven't installed it yet because I've heard too many horror stories about the installation.
    • Use OpenNTF Wisely
      OpenNTF is a great resource. All of the standard Notes templates should be developed there with the collaboration of the global notes resources. This would allow real users to provide instant feedback and suggestions for mail and calendar improvements. 

    Here's to another 25 years of Notes/Domino - I want to retire before it does.  

    Monday, August 11, 2014

    Using your Operating System Login for IBM Notes can "Poison" your IDs (and how to fix it)

    For years, we've had it easy with Notes. We've had our ID files stored safely on a secure drive and whenever a user moved to a new desktop, we could simply copy their original ID over to their new machine and do most of the setup without them.

    All that changed somewhere between Windows 7, Notes 9 and getting Notes to use the Operating System login. It's a good change, don't get me wrong, and it certainly protects the users' privacy and makes things more secure. Unfortunately it also renders all of our IDs "Poisonous" and now we can't reuse them.

    Instead when opening an ID file on a new client installation, just after agreeing to "copy the file to the Notes data directory", we get messages telling us that Notes cannot open the ID File.   Eventually I tried other ID files only to find the same problem.

    Fixing the Problem
    As it turns out, there's a surprisingly easy fix for this. Simply generate a password protected copy of the ID from the existing installation.

    1. On the working version of the Notes Client for your user that is moving, select File, Security, User Security.
    2. You'll be prompted to enter their Windows Password, get  them to do this and click Ok.
    3. On the User Security screen, click Copy ID...

    4. Choose a location to save your ID.
    5. You will be prompted to enter a password for this new ID

    6. Once your ID is saved, you'll be able to use it on new installations.

    What happens when you don't have an existing installation to pick from?
    So this procedure works very well if you're moving an existing user but what if their hard disk got corrupted and they're forced to move without their ID?

    I haven't tried this method but I've read about it in several forums...

    Apparently you can delete the user from the NAB (using the delete key not the Domino delete user function).
    I've also heard it said that you can do this by updating rather than deleting the NAB Entry.

    Next, create a new user with the same name, same short name and same internet address.
    Make sure that you choose a different mailbox name though or things could get ugly when it gets overwritten.

    Choose to store the ID on disk and complete the registration process.

    Go into the NAB record and change the person's mail file back to the desired location.

    You should now have a working ID.

    One thing to remember though, creating a new ID will allow you to set up a user and access mail but it won't let you get to any encrypted mail. Those are linked more closely with the original ID.

    Monday, June 23, 2014

    Reusing Text in Word 2010 via Bookmarks - Part 2 Getting your formatting right

    In my last post on reusing text via bookmarks in Word, I mentioned that there was a problem with the reused text retaining formatting. 

    Sure, you can reformat the text to look how you want but when you update it, the new text takes on characteristics of the old.  You end up with text that looks like this....

    There's an easy (but not obvious) way to fix this;

    Getting into Reveal Codes Mode on Field
    So, first we need to know exactly what makes our fields tick.  So, click on one of your fields and then press Alt+F9.  The field will change to show the code.

    In my case, the code is;

    {REF Title \h \* MERGEFORMAT }

    This is more or less the default setting (the word title is the name of the bookmark I inserted).  Mergeformat means that the format of the original text is being merged.

    To change this option, simply click on the code and overtype it.
    In this case, we're going to change MERGEFORMAT to CHARFORMAT.

    Once this is done, Press Alt+F9 to turn reveal codes off and then update your field.  (Remember that print preview is probably the fastest way to do this).

    If you apply formatting to your field, it will now update with the rest of the field.

    If you're still having trouble, it's worth remembering that Charformat applies the formatting of the first character (in this case, the R in REF), to the rest of the code.  You might want to reveal codes and then apply formatting directly to the word REF.

    Thursday, June 19, 2014

    How to Reuse Text via Bookmarks in Word 2010 (Update once and have it auto-update throughout the document)

    I guess this is a bit of an oldie but I was surprised how many people didn't know about it. 

    Why would you do this?
    If you find yourself opening old documents and then doing a search and replace to change a name, a date or a version number, then this is the tip for you.  It allows you to write your key information down once and then have it auto-update.

    If you do a lot of contracts or quotes - or basically any kind of document based on a template, then you'll find this very handy.

    Getting Started (Bookmarking the Original Text).
    Open a Word document and type in some useful repeating text;

    Customer Name:  MyCompany Limited

    1. Highlight that text

    2. Select the Insert Tab on the Ribbon.

    3. Click the Bookmark Button

    A dialog box will appear.

    4. Type a name for your bookmark.  
    This can be any name but it should be something that you'll recognise when you see it.

    5. Click Add.

    Inserting the Bookmarked Text
    So, now that you have bookmarked some text, it's time to reuse that text in other places in your document.

    1. Go to a place in your document where you would like to insert the text.

    2. Click on the Tab marked Insert

    3. Click on the button marked Cross-reference.

    4. In the dialog box, set the reference type to Bookmark.

    5. In the big white section, choose the bookmark name that you typed earlier.

    6. Click Insert.

    Note that the dialog box will not close until you click Cancel.  This is actually quite useful behaviour because it means that if you want to reference the company throughout your document, you can just move the cursor to the next place and press Insert again.  When you've finished, click Cancel.

    Updating Text
    So, now you have your original text and the reused text.
    Try changing your original text.
    You can update individual samples of your text by clicking on them and pressing F9 but the best way to update everything in one go is to print preview.  Just Press Ctrl+P and then press ESC.  Your document will be updated.

    There are two drawbacks to this method.

    1. Fields don't update automatically.
    Strangely, this behaviour is by design.  If you find it annoying, you can add a macro to do it for you.  See this article for instructions.

    2. Text inserted this way carries the original source formatting. In my experience this is the more annoying problem. In my next post, I'll show you how to change this.

    For more on bookmarks, including how to add bookmarks from other documents, see this site.

    Wednesday, February 05, 2014

    How to do Bullets and Numbering in IBM Notes

    I forgot the F8 shortcut key today and I looked it up via google. On the way I found a post about colouring text white to hide bullets in notes.  Crazy.  In any case, I wrote these instructions for my people and thought it was worth sharing on the blog;

    How to Do Bullets and Numbering in IBM Notes

    There are lots of cool things you can do with bullets in IBM Notes.

    To turn them on and off, click the bullets or numbering icons on the toolbar

    Getting Spacing in Bullets

    • If you're in the middle of a bulleted or numbered paragraph and you want a few lines to yourself.

      Press Shift+Enter
      This gives you a new line inside the bullet.
    • When you press ENTER again without holding down shift, then your bullets will start again.
    BTW: That trick works in Notes and Word and blogger and nearly every other application I can think of.

    Getting Indentation in Bullets
    If you're wanting to do sub-bullets;

    • For example
      • Just below and indented from the main bullet
      • Like a sub-point.
        • Just press F8
        • If you want yet another level, press F8 again.
        • When you've finished,
        • Simply end the bullets or 
      • Press Shift+F8 to get back.

    In word and blogger, the F8 is simply the tab and shift-tab keys.

    Using Different kinds of Bullets

    • To change your style of bullet, press ALT+ENTER to bring up the properties box.
    • Click on the second tab (it has a paragraph icon on it).
    • The new bullet will take effect immediately. 
    • You don't need to close the box (in fact, it's quite useful when left open).
    • Choose a new bullet type from the list.
    • You can mix and match bullets as you please.

    Re-ordering Bullets
    • To re-order items in a bulleted list,
    • Simply hold down the CTRL key and press the up arrow (to move things up)
    • and hold down the CTRL key and press the down arrow (to move things down)
    • That's it.

    Wednesday, June 12, 2013

    Getting Notes 9 to show Email Addresses as you type

    Until recently, in fact until Notes 9, our Notes clients used to show email addresses as we typed them in but suddenly with IBM Notes 9, it started showing their Job Titles.

    We got a lot of complaints about this and the fix wasn't entirely obvious (to me at least), so that's why I'm documenting it here.

    As you can see, the problem wouldn't be so bad if all of our contacts came from the same company - but they don't. Our contacts come from lots of different companies.

    So, how do we change this?

    In your Notes client, click on File, then Preferences.
    In the left hand panel, click on Contacts.

    On the contacts screen, change the type-ahead option drop-down to display Internet Address (or you could use company name which is quite useful too).

    Click Ok.

    The effect should be immediate, so try starting a new email and typing a first name (then push comma) and see what happens. 

    PS: Big thanks to Daniel Lechner and Sunanda A Patil for pointing this out to me.