Monday, February 9, 2009

Fine-tuning Windows System Cache To Free Memory

Note: If you want the technical part only, go to the end of the post

Boring Intro


Our retail software is built on top of Visual Basic (yuck!), and the main server replicates with 7 other servers that hold sub-databases.

The main server is a quad-core IBM X3400 with 6GB of RAM running Windows Server 2003 Enterprise x64. This is a new system that replaced an old server that crashed a while back. The old server ran on Windows 2000 Server with 4GB of RAM, but the data was stored on a Storage Area Network (SAN).

After moving to the new box, the dude "administrating" it kept restarting it on a daily basis saying that the server was "too slow" and that it didn't have enough memory (!!!). Later on, one of the people at the implementing company said that the server wasn't good.

I could let you live if you said a server that I built is slow, but saying it isn't good ... you just dug your own grave, dude... I sent one angry email to both the administrator and the no-good fella, CCed to my manager, accusing them of meaningless restarts and of claiming that my server isn't good and that it's a hardware fault, without ANY proof.

Of course, because I'm right, none of them replied, but they sneakily purchased extra RAM (2GB) behind my back, which is another big no-no. They didn't install the RAM and were looking for someone (other than me) to do it for them.

Technical Part


It took me 5 minutes to identify the problem: during replication, or at times when many files are open on the server, Windows caches these open files in RAM (the System Cache's responsibility).
According to the Help of Windows Task Manager: the System Cache shows the current physical memory used to map pages of open files.

Of course, Windows being itself, there's no direct way to tweak this properly, and after some search I found a registry key which can balance the usage of the System Cache and free up some RAM.

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters and look for a REG_DWORD value named Size, which can have the following settings:

1 = Minimize Memory Used.
2 = Balance.
3 = Maximize Throughput for File Sharing and Maximize Throughput for Network Applications.

The default, as you might have guessed, is 3. I changed it to 2 but nothing changed until a server restart (typical).

I fired another email saying that I fixed the problem with a registry key, and went there and took the 2GB RAM for another server.

Why didn't this happen to the old server? I'm guessing that the SAN's cache was handling it properly and/or that Windows 2000 Server was configured from the start to be a database host, which the new 2003 box apparently wasn't.

Saturday, February 7, 2009

Export Unicode Data from Lotus Notes NSF Files

A colleague was tasked to rebuild a program that was developed on top of an ancient version of IBM Lotus Notes.

I've been searching with her for programs to export the data from the NSF file that also support Arabic. We didn't know which encoding the NSF was using either. She contacted the authors and companies of many programs and all said that it depends on the computer you're executing the program on. Well, we tested them on computers which already have Arabic installed and everything set properly but still failed to export the data properly.

Eventually, I thought of trying to export the data from the latest Lotus Notes software available (8.5 stable), and it worked! I had to open the view which contained the listed data, then export and make sure I selected UTF-8 or Unicode (no clue what the difference is!).

Lotus Notes 8.5 allows exporting in Comma Separated Value format (CSV), Structured Text, Tabular Format and ASCII. To obtain full information on each record I had to export the data in Structured Text format. CSV only exported the visible data in the current view; if you double-click a record you'd get the rest of the data in the view.

Structured Text for now, unless I find a way to export the full data in CSV. (I'm feeling lazy now that the data is exported in Structured Text already .. it requires some parsing, but it's there!)
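Since the Structured Text export still needs parsing, here is an added Python example (not from the original post) that decodes the exported file, splits it into records and writes every field to CSV. It assumes the layout the Notes Structured Text export is usually described with: one `Field:  value` line per field, wrapped values continued on the following lines, and documents separated by a form feed; it also assumes the "Unicode" export option writes UTF-16 with a byte-order mark while the "UTF-8" option writes UTF-8, so the encoding is picked from the BOM.

```python
import codecs
import csv
import io
import re

# Assumed line shape: "FieldName:  value" (Notes field names may use letters,
# digits, '_' and '$'); assumed inter-document delimiter: a form feed ("\f").
FIELD_RE = re.compile(r"^([A-Za-z_$][\w$]*):\s+(.*)$")

def decode_export(raw: bytes) -> str:
    """Decode the exported bytes, using the BOM to tell UTF-8 from UTF-16."""
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig")
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")  # the codec reads the BOM for byte order
    return raw.decode("utf-8")  # assumption: a BOM-less export is UTF-8

def parse_structured_text(text: str, sep: str = "\f") -> list[dict[str, str]]:
    """Split the export into documents, and each document into its fields."""
    records = []
    for chunk in text.split(sep):
        fields: dict[str, str] = {}
        current = None
        for line in chunk.splitlines():
            match = FIELD_RE.match(line)
            if match:
                current, value = match.groups()
                fields[current] = value.strip()
            elif current is not None and line.strip():
                # Assumed: any other non-empty line continues a wrapped value.
                fields[current] += " " + line.strip()
        if fields:
            records.append(fields)
    return records

def records_to_csv(records: list[dict[str, str]]) -> str:
    """Emit every field of every record, not only the columns of one view."""
    columns = list(dict.fromkeys(name for rec in records for name in rec))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns, restval="")
    writer.writeheader()
    writer.writerows(records)
    return out.getvalue()

# Constructed sample export: two documents, Arabic values, one wrapped field.
SAMPLE = codecs.BOM_UTF8 + (
    "Form:  Customer\nName:  محمد\nCity:  الكويت\nNotes:  first line\n"
    "  second line\n\fForm:  Customer\nName:  سارة\nCity:  Hawalli\n"
).encode("utf-8")
```

Feed `decode_export` the raw bytes of the exported file; fields that only some documents carry come out as empty CSV cells.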

Friday, February 6, 2009

NBK: Sticky-note Security

The National Bank of Kuwait has just introduced a new so-called security measure to its online banking portal: Watani Online.

Previously, you would just put in your card number and Watani Online password and click login, but it seems like some security fanatics thought they should introduce extra steps to ensure the security & safety of clients' accounts.

In my personal opinion, I think it's a bad move and will only introduce inconvenience to both clients and the help desk. Let's take a look at what has been done, and then I'll comment why it's a bad move.

(1) The first step was to select 5 questions out of many, and then provide answers for them.

(2) The second step was to choose a picture and a password phrase which will be displayed as part of the login process.


(3) Then you enter your account password and login (yes you still have to do that).

(4) These are the options available to you upon your creation of the Watani Online Security Key and how you can "manage" it.

So now that you've seen the steps and screens of the security measure, why is this not secure?
  • Answering those questions with true, relevant answers will make them predictable and easy to guess.

  • Answering those questions with answers that are random and have nothing to do with them is good practice; unfortunately, you'll most likely have forgotten them by the time you want to login the next time (end of next month?)

  • Since you'll forget them, you'll write the answers and questions down on some paper, sticky-note, or in your mobile.
    So what good is this? It's no different than writing the account password on a sticky note.

  • After answering a random question correctly, you'll see the 2nd figure that says: If you recognize the picture, click proceed. (And it always shows the correct picture and password phrase!)
    Does this step make any sense to anyone?

  • After jumping two obstacles you come to the final one: Entering your account's password. AT LAST! (Assuming you still remember it after all these questions, pictures and password phrases).

  • One of the management features is to "register" your PC. I read a PDF which NBK has linked me to and it didn't provide any info on how this mechanism works, so I'm assuming it's a simple Cookie.
    Cookies anyone?
    Hotmail users used to be tricked into visiting malicious websites and their accounts were stolen by hijacking their cookies. How is this any different? You could have an up-to-date antivirus, a firewall, all Windows & browser patches & updates, but none of those can stop a well-hidden piece of JavaScript from hijacking your delicious cookie(s).
    If your computer is secure, register it.
    NBK has thrown the ball into the client's court and assumed that clients (point-and-click users) would be able to tell whether their computer is "secure" enough to use that feature, which most people will use anyway because it skips the random question step!

  • The last option provided to "manage" the Security Key is that if you wish to change the questions, call their support line. This is both good and bad.
    Calling the support line would require knowing your pin code and card number, and since you forget a lot, you wrote this down on your sticky-note along with the 5 questions. I'm guessing that if you call, they'd ask you for your civil ID number. But can't they ask for that online, too? Why bother calling the support line? They already ask for parts of the civil ID when adding beneficiaries to transfer money to!

I have contacted NBK through the messaging feature they have in Watani Online and received a dull answer. Below is my message:
Hello,

I have just gone through the WOL Security Key process and I believe that it's completely pointless. But before I continue, I'd like to note that I'm a computer engineer and have a healthy knowledge of security, so I'm not commenting just because I can!

The reason I think it's pointless is that, even though it provides great measurements against brute-force attacks it fails at social engineering attempts and even worse, it fails because people will forget whatever they filled, if they chose to write answers that aren't related to the questions to avoid social engineering hacking attempts!

If your advice to the latter is to write the answers down, then your new "secure" measurement has proved just as secure as a sticky note with my password on it, stuck at my monitor.

I hope you see this as a constructive comment and I hope you find an alternative method to improve the security of your portal, and our accounts.

Thank you

And this is the reply I received:
Dear Mr. XXX,

We appreciate your valuable feedback, and would like to clarify that we have chosen the "WOL Security Key" since it is a proven security solution that has been implemented to ensure a safer online banking experience and protect your personal information.

Thank you for using Watani Online, if you require further assistance please do contact us.<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

Kind regards,

XXX XXX

(yes, including the gibberish part!)

If I'm mistaken, please correct me. If you're like me, inconvenienced by their measure, contact them and complain.

This reminds me of the time I called them to allow Firefox to access their site (restricted to IE only) and said that I circumvented their browser check and it works fine with Firefox, only to be called a malicious hacker, introducing insecure software and not using the secure standard: IE 6. I didn't know whether to laugh or get upset.