So I was browsing my stats the other day and noticed several visitors coming in from citrix.com! Yes, Citrix linked to this blog.
TWICE!!!
Specifically from http://web.citrix.com/blogosphere/index.php?id=88
Look for the "Edgesight for Load Testing Semi-Free" and "Edgesight Licensing Hole" links.
So WTF?
No doubt this is an automated spider that just searches a bunch of blogs for relevent content and posts links to the page. I seriously doubt that Citrix Systems would endorse anything on this site. All that said, I got quite a chuckle at the irony of Citrix linking to articles about hacking their products.
I'm thinking that maybe someone at Citrix should take a glance at that page once in a while.
-CG
Thursday, January 3, 2008
Thursday, December 13, 2007
Edgesight for Loadtesting Semi-Free!
Here's some news. Load testing on Citrix is still a pain in the ass.
Citrix is attempting to round out that chasm of product functionality with a new product called "Edgesight for Load Testing". Actually to say that it's a new product is a fat lie. Like many other products (Edgesight included) Citrix just bought up a company and slapped their logo on their product. So in addition to the name being completely lame, it's also incorrect. This product is in no way related to Edgesight. No doubt future integration is planned, but for now it has about as much to do with Edgesight as notepad does.
According to the press release found here:
"Citrix EdgeSight for Loading Testing 2.5 will be available on June 25, 2007, and suggested retail pricing starts at $7,500. Citrix EdgeSight for NetScaler is available as part of the Citrix NetScaler 8.0 Platinum Edition."
In other words, this shit ain't cheap.
Unless of course you found some way to get a license for some kind of discount.
Recently I took a class on Edgesight 4.5, specifically CTX-1800AI. It's a moderately interesting course, but the cool part is that you get a demo license for Edgesight for Load Testing. So what? Well.. the "demo" license you get is good for 2 years! 2 friggin years! What the hell were these guys thinking?
So why pay 7500 for a product when you can get the same product for around 1200 and some change? Just take the course and conduct a very extensive demo of the product. I think most people would agree that two years is adequate to make a determination as to whether or not you actually want to go forward and pay the full licensing cost.
-CG
Citrix is attempting to round out that chasm of product functionality with a new product called "Edgesight for Load Testing". Actually to say that it's a new product is a fat lie. Like many other products (Edgesight included) Citrix just bought up a company and slapped their logo on their product. So in addition to the name being completely lame, it's also incorrect. This product is in no way related to Edgesight. No doubt future integration is planned, but for now it has about as much to do with Edgesight as notepad does.
According to the press release found here:
"Citrix EdgeSight for Loading Testing 2.5 will be available on June 25, 2007, and suggested retail pricing starts at $7,500. Citrix EdgeSight for NetScaler is available as part of the Citrix NetScaler 8.0 Platinum Edition."
In other words, this shit ain't cheap.
Unless of course you found some way to get a license for some kind of discount.
Recently I took a class on Edgesight 4.5, specifically CTX-1800AI. It's a moderately interesting course, but the cool part is that you get a demo license for Edgesight for Load Testing. So what? Well.. the "demo" license you get is good for 2 years! 2 friggin years! What the hell were these guys thinking?
So why pay 7500 for a product when you can get the same product for around 1200 and some change? Just take the course and conduct a very extensive demo of the product. I think most people would agree that two years is adequate to make a determination as to whether or not you actually want to go forward and pay the full licensing cost.
-CG
Wednesday, October 31, 2007
Edgesight Licensing Hole
Edgesight is a cool product. There's no doubt about it. But why pay for it if you don't have to?
A little history is probably in order..
Edgesight was actually developed by another company called Reflectant. Citrix bought Reflectant as a means to round out their suite of products. Let's face it, Resource Manager is about as useful as loose bowels. Oh sure, it was probably grand back in the days, but it's a dinosaur by modern standards. Hence the need for Citrix to find something to monitor their stuff.
A little known fact is that shortly after acquiring Reflectant, Citrix promptly told most of the other competing vendors (EG Innovations, etc) to go fuck themselves. Citrix is no longer including these vendors in the development process of the Metaframe product suite. Downright bastardly if you ask me, but many of us have seen the big red dot toss its weight around before for no other apparent reason than just to be catty. They refunded their iForum exhibition fees and did a tremendous job in showing their ass.
So anyways, after Citrix purchased reflectant they were in a rush to re-brand the product and get it out there. As is often the case, certain compromises were made with the product conversion for the sake of some deadline. Long story short is that the licensing in 4.0 and 4.2 is not perfect.
It's so imperfect in fact that it is not enforced by the product. Edgesight is licensed by concurrent connection in the same fashion that MPS is. What is supposed to happen is that the product gathers data on the number of users that you are licensed for and then stops once it hits the ceiling. With version 4.0 and 4.2 this doesn't happen. You could be licensed for 10 users and collect data on 10,000. Pretty sweet.
This little bug is fixed in 4.5, which may explain why Citrix is pushing folks so hard to upgrade even though the improvements are somewhat minor in the newer version.
Sometimes the latest and greatest turns out not to be.
-CG
A little history is probably in order..
Edgesight was actually developed by another company called Reflectant. Citrix bought Reflectant as a means to round out their suite of products. Let's face it, Resource Manager is about as useful as loose bowels. Oh sure, it was probably grand back in the days, but it's a dinosaur by modern standards. Hence the need for Citrix to find something to monitor their stuff.
A little known fact is that shortly after acquiring Reflectant, Citrix promptly told most of the other competing vendors (EG Innovations, etc) to go fuck themselves. Citrix is no longer including these vendors in the development process of the Metaframe product suite. Downright bastardly if you ask me, but many of us have seen the big red dot toss its weight around before for no other apparent reason than just to be catty. They refunded their iForum exhibition fees and did a tremendous job in showing their ass.
So anyways, after Citrix purchased reflectant they were in a rush to re-brand the product and get it out there. As is often the case, certain compromises were made with the product conversion for the sake of some deadline. Long story short is that the licensing in 4.0 and 4.2 is not perfect.
It's so imperfect in fact that it is not enforced by the product. Edgesight is licensed by concurrent connection in the same fashion that MPS is. What is supposed to happen is that the product gathers data on the number of users that you are licensed for and then stops once it hits the ceiling. With version 4.0 and 4.2 this doesn't happen. You could be licensed for 10 users and collect data on 10,000. Pretty sweet.
This little bug is fixed in 4.5, which may explain why Citrix is pushing folks so hard to upgrade even though the improvements are somewhat minor in the newer version.
Sometimes the latest and greatest turns out not to be.
-CG
Wednesday, October 17, 2007
Free TS CALs Forever!
I've given you a way to get around the Citrix licensing. It's only fair that I illustrate how to give the finger to Microsoft as well.
You'll note from my last entry, that I'm a little pissed at old Billy Gates. So I got to thinking.. As a Citrix engineer, how can I screw Microsoft? Of course the answer is licensing - the same way MS screws us. It's kinda poetic when you think about it.
There's potentially two ways to do this. Both of them are illegal, so you're on your own if you get caught.
User Mode licensing - TS User licensing with Win2003 is something that most Citrix Engineers don't mess with much. The idea is that you set up user level licensing and then you pay for each user who would be accessing a terminal server in your environment. In reality, it works much differently.
You see user level TS licensing is a new feature with Win2k3 server. Unfortunately, it's half baked. If you log on to a terminal server that's running in user licensing mode, it checks to see if there is a TS Licensing server on the network. That's it. If it finds a license server you're in. Money in the bank. So you can have a TS License server set up with only 1 CAL installed, and thousands of users would still be able to connect as long as your Terminal Servers are using user licensing. Nice huh?
Now if you opt to stay with device cals (the older win2k model that most of us are probably familiar with) the solution is a bit more extensive, but is still within reach.
The device CAL is stored on each workstation in the following registry location
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\Store\
If the device tries to connect and doesn't have an entry there, a CAL is issued.. or if no CALs are available - a *temporary* CAL is issued. The temporary CALs expire in 120 days, which is plenty of time to get your users working. The problem of course is that after 120 days they get an error if there are no legitimate device CALs available.
So the way to get around that is to have a TS Licensing server that has a few device CALs installed, but all of them being in use. In this scenario, workstations that connect without a CAL are issued a temporary one. If the temporary CAL is deleted before it expires, it will get another temporary CAL, and so on.
It's the "and so on.." part that we're most concerned with. If you keep deleting the temporary CAL at login, they get a new one the next time they connect. This can be done over and over.
So a simple line or two in the login script to delete the license store (the registry key above) when users logon is enough to keep your entire enterprise running on temporary CALs.
Now go get busy,
-CG
You'll note from my last entry, that I'm a little pissed at old Billy Gates. So I got to thinking.. As a Citrix engineer, how can I screw Microsoft? Of course the answer is licensing - the same way MS screws us. It's kinda poetic when you think about it.
There's potentially two ways to do this. Both of them are illegal, so you're on your own if you get caught.
User Mode licensing - TS User licensing with Win2003 is something that most Citrix Engineers don't mess with much. The idea is that you set up user level licensing and then you pay for each user who would be accessing a terminal server in your environment. In reality, it works much differently.
You see user level TS licensing is a new feature with Win2k3 server. Unfortunately, it's half baked. If you log on to a terminal server that's running in user licensing mode, it checks to see if there is a TS Licensing server on the network. That's it. If it finds a license server you're in. Money in the bank. So you can have a TS License server set up with only 1 CAL installed, and thousands of users would still be able to connect as long as your Terminal Servers are using user licensing. Nice huh?
Now if you opt to stay with device cals (the older win2k model that most of us are probably familiar with) the solution is a bit more extensive, but is still within reach.
The device CAL is stored on each workstation in the following registry location
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\Store\
If the device tries to connect and doesn't have an entry there, a CAL is issued.. or if no CALs are available - a *temporary* CAL is issued. The temporary CALs expire in 120 days, which is plenty of time to get your users working. The problem of course is that after 120 days they get an error if there are no legitimate device CALs available.
So the way to get around that is to have a TS Licensing server that has a few device CALs installed, but all of them being in use. In this scenario, workstations that connect without a CAL are issued a temporary one. If the temporary CAL is deleted before it expires, it will get another temporary CAL, and so on.
It's the "and so on.." part that we're most concerned with. If you keep deleting the temporary CAL at login, they get a new one the next time they connect. This can be done over and over.
So a simple line or two in the login script to delete the license store (the registry key above) when users logon is enough to keep your entire enterprise running on temporary CALs.
Now go get busy,
-CG
TS License Server and the Chamber of Secrets
So here's the scoop. We're retiring our main TS Licensing server and replacing it with a new box. Sounds simple yes? Yeah not so much.
The basic process is this you get on the phone with the MS Licensing Clearinghouse, which is a boiler room operation somewhere overseas, give them a bunch of numbers, and if the stars line up just right, then they give you a bunch of licenses to install.
So after the myriad of mindless voice prompts:
"Please say the operating system you're caling about"
"Windows 2003"
"It sounded like you said Windows XP. Is this correct?"
"No."
"I'm sorry, please say the name of the operating .."
"Windows 2003"
"It sounded like you said Windows 2003. Is that correct?"
"Yes. Damn this is a pain"
"Are you calling about licensing for terminal server, licensing for.."
"Yes. Terminal Server"
"I'm sorry. Please say your selection again.."
"Terminal server. Terminal Server! Terminal-fucking-server. What the mickey mouse fuck is your problem? None of your other products even sound remotely like the words 'terminal server'. You blind horse fucking toaster.."
"Transferring you to an operator"
"Mother Fucker!"
---Operator picks up---
[in a very thick indian accent] "Halo and tank you fah callind microsoft lichsing. My name is Bill. How can I assist you today?"
"Your name isn't Bill is it?"
"My name is Bill, yes"
"Seriously, what's your name"
[quietly] "It is.. uh.. Prasheid"
"Uh huh.. you guys in Redmond?"
"Redmond?"
"Nevermind."
"Look I need 90 thousand TS device CALs."
"What?" [Noises of the guy shitting a golden and curry scented brick can be faintly heard in the background]
"TS CALs - 90 thousand of em"
"90?"
"Ninety .. Nine.. zero.. thousand. Nine.. Zero.. Zero..Zero.. Zero."
"Hold on"
[Shitty hold music ensues]
"Sir I can't give you that many licenses."
"Our SA agreement should cover that amount.. what's the problem?"
"I'm not allowed to give you 90 thousand licenses"
"But we paid for that many. How am I supposed to get them?"
"You need to call back."
"What?"
"I can only grant 9999 per call"
"So I have to call back 9 more times to get the licenses that we paid for?"
"Yes sir"
"That's bullshit."
"I'm sorry?"
"Nevermind.. alright then.. so let go ahead with it.
"Okay sir.."
"Buttfucker"
----------------------
F-ing rediculous.
The basic process is this you get on the phone with the MS Licensing Clearinghouse, which is a boiler room operation somewhere overseas, give them a bunch of numbers, and if the stars line up just right, then they give you a bunch of licenses to install.
So after the myriad of mindless voice prompts:
"Please say the operating system you're caling about"
"Windows 2003"
"It sounded like you said Windows XP. Is this correct?"
"No."
"I'm sorry, please say the name of the operating .."
"Windows 2003"
"It sounded like you said Windows 2003. Is that correct?"
"Yes. Damn this is a pain"
"Are you calling about licensing for terminal server, licensing for.."
"Yes. Terminal Server"
"I'm sorry. Please say your selection again.."
"Terminal server. Terminal Server! Terminal-fucking-server. What the mickey mouse fuck is your problem? None of your other products even sound remotely like the words 'terminal server'. You blind horse fucking toaster.."
"Transferring you to an operator"
"Mother Fucker!"
---Operator picks up---
[in a very thick indian accent] "Halo and tank you fah callind microsoft lichsing. My name is Bill. How can I assist you today?"
"Your name isn't Bill is it?"
"My name is Bill, yes"
"Seriously, what's your name"
[quietly] "It is.. uh.. Prasheid"
"Uh huh.. you guys in Redmond?"
"Redmond?"
"Nevermind."
"Look I need 90 thousand TS device CALs."
"What?" [Noises of the guy shitting a golden and curry scented brick can be faintly heard in the background]
"TS CALs - 90 thousand of em"
"90?"
"Ninety .. Nine.. zero.. thousand. Nine.. Zero.. Zero..Zero.. Zero."
"Hold on"
[Shitty hold music ensues]
"Sir I can't give you that many licenses."
"Our SA agreement should cover that amount.. what's the problem?"
"I'm not allowed to give you 90 thousand licenses"
"But we paid for that many. How am I supposed to get them?"
"You need to call back."
"What?"
"I can only grant 9999 per call"
"So I have to call back 9 more times to get the licenses that we paid for?"
"Yes sir"
"That's bullshit."
"I'm sorry?"
"Nevermind.. alright then.. so let go ahead with it.
"Okay sir.."
"Buttfucker"
----------------------
F-ing rediculous.
Friday, May 11, 2007
Make Your Own Citrix CALs!
It's all about design.
The licensing model has been vastly improved since the days of XP. It's easier and more secure to manage your Citrix licenses. In fact, there used to be a cool utility called TFLKey.exe that would puke up Citrix licenses all day long, including licenses for unlimited servers and connections. You could even activate your existing cals with it.
Of course, using such a utility violates the license agreement (which I guess you wouldn't really need if you had the tool) and may get you thrown in Jail - which is bad because being Bubba's bitch is never fun.
But if it's an architectural design flaw that is a security hole - and you happen to build your environment in such a way that exposes it.. is it still illegal? You're not exploiting or in violation of licensing - and all your servers are working normally. Or are you just leveraging an aspect of the product's design in an unconventional way? Hmm.
Consider the following:
Let's say your environment consists of:
-10 MPS4 servers
-1 Citrix License Server with 100 CALs installed
-1000 users
In this scenario, we're going to potentially consume 100 Citrix CALs, but we're going to get our 1000 concurrent users up and running.
How the hell do we do that? We're simply going to leverage the 30 day Citrix Licensing grace period. You see, each of those 10 MPS servers keeps its own running tally of how many CALs are available. So with the license server up and running you have a max concurrency of 100 users.
Here's where it gets fun.
Kick off all your users and wait a few minutes. At some point, each server will recognize that there are 100 CALs available.
Shut down your license server.
Now you have entered the 30 day grace period where each server thinks that there are 100 licenses available. And since there's no license server to update as users logon and logoff, each server now has the capability to issue 100 cals.
As long as that license server stays offline (for up to 30 days), you can host all of those 1000 users using only 100 CALs.
Obviously the way around this is to bring it back up every 29 days when no users are online for a little while. Once you verify in the event logs on each server that the grace period has been reset you can take it down again, and drive on for another 29 days.
You've just saved your company 315,000 dollars (assuming 350 bucks per CAL).
Is this legal? I honestly don't know.. I think it might be a gray area that could be argued either way. Chances are that Citrix can pay for better lawyers than you or I, so I don't suggest doing something like this.
Is it ethical? No, but all that aside, from a technical perspective it is a pretty cool hack.
-CG
The licensing model has been vastly improved since the days of XP. It's easier and more secure to manage your Citrix licenses. In fact, there used to be a cool utility called TFLKey.exe that would puke up Citrix licenses all day long, including licenses for unlimited servers and connections. You could even activate your existing cals with it.
Of course, using such a utility violates the license agreement (which I guess you wouldn't really need if you had the tool) and may get you thrown in Jail - which is bad because being Bubba's bitch is never fun.
But if it's an architectural design flaw that is a security hole - and you happen to build your environment in such a way that exposes it.. is it still illegal? You're not exploiting or in violation of licensing - and all your servers are working normally. Or are you just leveraging an aspect of the product's design in an unconventional way? Hmm.
Consider the following:
Let's say your environment consists of:
-10 MPS4 servers
-1 Citrix License Server with 100 CALs installed
-1000 users
In this scenario, we're going to potentially consume 100 Citrix CALs, but we're going to get our 1000 concurrent users up and running.
How the hell do we do that? We're simply going to leverage the 30 day Citrix Licensing grace period. You see, each of those 10 MPS servers keeps its own running tally of how many CALs are available. So with the license server up and running you have a max concurrency of 100 users.
Here's where it gets fun.
Kick off all your users and wait a few minutes. At some point, each server will recognize that there are 100 CALs available.
Shut down your license server.
Now you have entered the 30 day grace period where each server thinks that there are 100 licenses available. And since there's no license server to update as users logon and logoff, each server now has the capability to issue 100 cals.
As long as that license server stays offline (for up to 30 days), you can host all of those 1000 users using only 100 CALs.
Obviously the way around this is to bring it back up every 29 days when no users are online for a little while. Once you verify in the event logs on each server that the grace period has been reset you can take it down again, and drive on for another 29 days.
You've just saved your company 315,000 dollars (assuming 350 bucks per CAL).
Is this legal? I honestly don't know.. I think it might be a gray area that could be argued either way. Chances are that Citrix can pay for better lawyers than you or I, so I don't suggest doing something like this.
Is it ethical? No, but all that aside, from a technical perspective it is a pretty cool hack.
-CG
Thursday, May 10, 2007
Tuesday, May 8, 2007
USB Gets Silly
It was bound to happen sooner or later.
Someone has written a worm that leverages USB drives as a means of propagation. I'm surprised that it took this long.
Think about it. What are thumbdrives used for? I plug it into my computer, copy a file or two, and then you take it and copy the file to your machine. You might as well be having unprotected sex, except with a bunch of little ones and zeros.
Here's the skinny from Sophos. Ha get it? Worm.. skinny? Ha! Nevermind.
------------------------------------------
Security researchers at Sophos are warning of a new Trojan worm virus that is being spread via infected USB device.
According to the security software maker, the W32/SillyFD-AA program, or Silly worm, automatically spreads itself to any USB storage device connected to a PC it has infected, and then passes itself along to any subsequent machines to which the removable thumb drive is inserted.
Once loaded onto a computer, the worm creates a hidden file labeled as "autorun.inf" from which it continues to propagate itself. Among the only discernable affects of the attack is that it changes the title of users' Internet Explorer browsers to read: Hacked by 1BYTE.
The same type of attack could be used to spread far more malicious programs such as spyware or rootkits.
Such attempts to infect via physical interface could become increasingly popular. According to a recent report published by Centennial Software, removable storage drives have actually become the leading cause of security concern for IT administrators, based on a survey the company conducted at a European conference.
------------------------------------------
Personally, if I were a l33t hax0r filled with all that post pubescent angst trying to stick it to the man, fuck the system, and all that - I would be kinda pissed that my worm got named Silly.
-CG
Someone has written a worm that leverages USB drives as a means of propagation. I'm surprised that it took this long.
Think about it. What are thumbdrives used for? I plug it into my computer, copy a file or two, and then you take it and copy the file to your machine. You might as well be having unprotected sex, except with a bunch of little ones and zeros.
Here's the skinny from Sophos. Ha get it? Worm.. skinny? Ha! Nevermind.
------------------------------------------
Security researchers at Sophos are warning of a new Trojan worm virus that is being spread via infected USB device.
According to the security software maker, the W32/SillyFD-AA program, or Silly worm, automatically spreads itself to any USB storage device connected to a PC it has infected, and then passes itself along to any subsequent machines to which the removable thumb drive is inserted.
Once loaded onto a computer, the worm creates a hidden file labeled as "autorun.inf" from which it continues to propagate itself. Among the only discernable affects of the attack is that it changes the title of users' Internet Explorer browsers to read: Hacked by 1BYTE.
The same type of attack could be used to spread far more malicious programs such as spyware or rootkits.
Such attempts to infect via physical interface could become increasingly popular. According to a recent report published by Centennial Software, removable storage drives have actually become the leading cause of security concern for IT administrators, based on a survey the company conducted at a European conference.
------------------------------------------
Personally, if I were a l33t hax0r filled with all that post pubescent angst trying to stick it to the man, fuck the system, and all that - I would be kinda pissed that my worm got named Silly.
-CG
Monday, May 7, 2007
Tuesday, May 1, 2007
Citrix Cutting Edge Update Notifications
One of the great features about the Citrix support website is the ability to subscribe to sections so that you get email notifications when things are added or updated. Of course I subscribe to several sections in the interest of keeping myself in the know and having something to blab about on this site.
I received the following email from this system today which demonstrates the effectiveness of this tool.
---------------------------------------------
You asked to be notified if there were any updates to the document type "Tool " in the Citrix Knowledge Base. The following entry was added or updated on Oct 26, 2006 3:17:38 PM:
ProcessHistory v1.1 for 32-bit and 64-bit platforms
To view this entry, please visit:
http://support.citrix.com/kb/entry.jspa?entryID=11487&categoryID=686
If you wish to remove this watch, visit:
http://support.citrix.com/kb/accountEditWatches!default.jspa
Citrix Technical Support
----------------------------------------------
See what I mean? Cutting edge.. give or take 6 months or so. I expect my updated Winframe 1.7 admin guide any day now.
-CG
I received the following email from this system today which demonstrates the effectiveness of this tool.
---------------------------------------------
You asked to be notified if there were any updates to the document type "Tool " in the Citrix Knowledge Base. The following entry was added or updated on Oct 26, 2006 3:17:38 PM:
ProcessHistory v1.1 for 32-bit and 64-bit platforms
To view this entry, please visit:
http://support.citrix.com/kb/entry.jspa?entryID=11487&categoryID=686
If you wish to remove this watch, visit:
http://support.citrix.com/kb/accountEditWatches!default.jspa
Citrix Technical Support
----------------------------------------------
See what I mean? Cutting edge.. give or take 6 months or so. I expect my updated Winframe 1.7 admin guide any day now.
-CG
Subscribe to:
Posts (Atom)
