TMG Rollup 3 out now; so’s Mod_Security for IIS

TMG SP2 Update Rollup 3

As the ISA Blog mentions, Rollup 3 for TMG Service Pack 2 is now available:

We are happy to announce the availability of Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (SP2). TMG SP2 Rollup 3 is available for download here: Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2

Please see KB Article ID: 2735208 for details of the fixes included in this rollup.

The Build Number for this update is: 7.0.9193.575

Fair number of new fixes included and it looks like a worthwhile update. I’m putting it on my home TMG box tonight. As a reminder, the hotfix rollups are cumulative for a given Service Pack, so if you’re already at Service Pack 2 (and you should be) you just need SP2UR3 if you skipped UR1 or UR2.

Mod_Security for IIS

In other security-related news, mod_security for IIS hit a stable release at 2.7.2, as the SRD blog notes:

We are pleased to announce the release of a stable version of the open source web application firewall module ModSecurity IIS 2.7.2. Since the announcement of availability of the beta version in July 2012, we have been working very hard to bring the quality of the module to meet the enterprise class product requirements. In addition to numerous reliability improvements, we have introduced the following changes since the first beta version was released:

  • optimized performance of request and response body handling
  • added “Include” directive, relative path and wildcard options to the configuration files
  • re-written installer code to avoid .NET Framework dependency and added installation error messages to system event log
  • integrated OWASP Core Rule Set in the MSI installer with IIS-specific configuration
  • fixed about 10 functional bugs reported by ModSecurity IIS users.

Microsoft also recently released a TechNet article entitled "Security Best Practices to Protect Internet Facing Web Servers", which explains in detail the benefits of deploying a WAF module on a web server.

The Technet article referenced above is worth a read if you’re charged with delivering IIS web server security for random applications!


Where’s Waldo?

I’m spending more time editing the MSPFE blog than here at the moment, so if you’re missing my quippy, irreverent style… tough! (But I still love you. Happy Valentine’s day! (No gifts for you this year.))

The Art of the Authentic Cutscene

(Written back in… oh… 2007? But cleaning out old posts after a blog migration. The “zooming through an object” effect still annoys me today…)


I’ve been thinking a lot about cutscenes recently, because I’ve seen a few particularly bad ones.

How do you know a bad cutscene? Because you’re painfully aware that you’re watching something akin to amateur Hi8 footage. Everything seems somehow wrong. In-engine cutscenes are particularly susceptible to breaking the viewer’s suspension of disbelief (or shattering the ‘fourth wall’, I think I heard it called recently). Maybe the camera lens appears to be at waist height. Maybe the camera moves through solid objects. Maybe the movements of the camera are exacting and unyielding, or follow a perfect path, or perhaps the camera has perfect alignment with its subject at all times.

There’s something about a human-operated camera, from the visual language of TV and cinema, that’s almost reassuringly wonky. Not necessarily eye-tracking NYPD Blue wonky, just imprecise and inertial.

Say what you like about Hollywood (er, not in the comments, go elsewhere to do that), but they know how to build and shoot a scene, or an action sequence. It’s rare when watching a movie that you’ll be aware of the technical details that went into the production of a scene, especially the bread-and-butter dialogue sequences in most movies. I haven’t played the game The Movies, but I think I’m going to have to go get a copy after writing this.

With games, I think the fundamental problem is that it’s hard to convince an engine to behave like a movie. Then there’s the secondary problem, which is that if the average developer wanted to coax a game into producing movie-style (or even TV-style, let’s not be elitist here) dialogue or action sequences, they wouldn’t know how to start.

So, what do I think I can suggest that might help cutscene producers in general?

Treat the camera as an actor

I wonder if people in the movie or TV business even realize they’re doing it (they do it so well), but game developers in general need to get better about this:

In your average 3D world, the camera is just a set of parameters that define a view onto a scene. That’s fine – functionally, that’s all you need.

But consider this: in a movie the camera has mass, it obeys the laws of physics, and it arguably has a personality.

Some of the most effective visual effects I can remember in recent times have used the “camera as an actor” technique staggeringly well – Battlestar Galactica and Firefly leap to mind.

On the other hand, one shot in Talladega Nights – while way cool – instantly told me that I was watching an effects shot: the one where the camera seems to zoom down, through the windscreen of Ricky Bobby’s car moving at 200mph, then out through the back of the car. It’s a seamless blend of live action and CGI, and instantly I got to thinking about the shot itself; it ruptured the narrative (well, the racing).

When a camera has no presence, it’s not a camera, and it shatters the illusion.

Windows 8 Launch Week!

My Surface RT is preordered (as is my Mum’s), all my home computers are upgraded… it’s finally *almost* here!

And then! The real madness begins!

That’s pretty much all I had. I’m excited!

On that replacement Exec Laptop scenario with DJOIN

The Volume Licensing website allows Win8 Enterprise to be downloaded to the new laptop, which should go some way to fixing the Enterprise Edition client requirement.

It’s not quite slap-black-amex-down-and-join-domain, but then again that’s generally what you’d want!

If you just attended our AUTeched session, thanks for coming along! Except Chad.

Update: Couple of questions suggest I didn’t communicate this well enough, so to step back and simplify: DJOIN is used for offline Domain Join (since Windows 7), which gets a client thinking “I should contact a DC!” next time it can find one. The WS2012 feature is to combine this with a policy blob which can pre-provision specific Group Policies to that client even while disconnected. Our example was DirectAccess; it could be anything. Next time the client hops onto a corporate-connected network (or invokes DirectAccess), it’ll use regular Group Policy processing to do its magic.

DJOIN with a client TXT file failing with error 0x57 – Incorrect function or parameter is incorrect.

Incorrect function or parameter is incorrect.

Long story short:

DJOIN.EXE is finicky about its text formats. Don’t re-save a domain join blob text file with Notepad – if you can download the file as a file, you’ll be happier.

(Experimenting with Save formats in Notepad is left as an exercise for the reader)

Long again:

I downloaded my domain join blob for DirectAccess offline domain join from a web server I hadn’t configured with a content-disposition of attachment, and Notepad opened the text file as soon as it was clicked – no Save option.

I then re-saved the file from Notepad. Mistake!

Notepad prepended an invisible byte order marker to the file. Which DJOIN.EXE didn’t like at all.

This BOM isn’t visible from Notepad, and FC didn’t find a problem until it was run with the /B switch (binary comparison) over a working and nonworking client.

I grabbed the file using another method, and it worked noicely!
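An added example, not from the original post, that checks a downloaded blob file for the invisible byte order mark described above, decodes the file without it, and reports the offset of the first differing byte against a known-good copy (the comparison FC /B performs). The sample blob bytes are constructed, and the path passed to check_blob is an assumption (whatever file you downloaded).

```python
# Added example, not from the original post: detect a byte order mark (BOM) on a
# text file such as a DJOIN blob, decode the file without it, and report the first
# differing byte against a known-good copy (the check FC /B performs).
from pathlib import Path

# Longest marks first so the UTF-32 LE BOM is not mistaken for UTF-16 LE.
BOMS = (
    (b"\xff\xfe\x00\x00", "utf-32-le"),
    (b"\x00\x00\xfe\xff", "utf-32-be"),
    (b"\xef\xbb\xbf", "utf-8"),
    (b"\xff\xfe", "utf-16-le"),
    (b"\xfe\xff", "utf-16-be"),
)

def detect_bom(data: bytes):
    """Return (codec, bom_length), or (None, 0) when no BOM is present."""
    for bom, codec in BOMS:
        if data.startswith(bom):
            return codec, len(bom)
    return None, 0

def decode_without_bom(data: bytes) -> str:
    """Decode using the codec the BOM implies, dropping the BOM itself.
    Stripping bytes alone is not enough for Notepad's "Unicode" save, which
    also widens every character to UTF-16, so decode properly. A file with no
    BOM is treated as plain ASCII (the blob is base64 text)."""
    codec, length = detect_bom(data)
    return data[length:].decode(codec or "ascii")

def first_difference(good: bytes, suspect: bytes):
    """Offset of the first differing byte, or None when both are identical."""
    for offset, (a, b) in enumerate(zip(good, suspect)):
        if a != b:
            return offset
    return None if len(good) == len(suspect) else min(len(good), len(suspect))

def check_blob(path: str) -> str:
    """Verdict for a blob file on disk (path is whatever you downloaded)."""
    codec, length = detect_bom(Path(path).read_bytes())
    if codec is None:
        return "no BOM found"
    return f"{codec} BOM ({length} bytes) present: re-download or strip it"

if __name__ == "__main__":
    # Constructed sample: a fake base64 blob and a copy Notepad re-saved as UTF-8.
    good = b"QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
    bad = b"\xef\xbb\xbf" + good
    print(detect_bom(bad), first_difference(good, bad), decode_without_bom(bad))
```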

Windows Server 2012: Hyper-V hanging on boot

Breaking it

During the week, I tried a straight upgrade for my Hyper-V box from Windows Server 2008 R2 to Windows Server 2012, and wandered off.

Noticing the Internet hadn’t come back a half hour later (TMG VM), I found my server hung at the new Windows logo. Hung hard: no capslock activity.

Rolled back; cued it up for today.

Long story short, one fresh install later I’d worked out it was only hanging when I added Hyper-V, and was trying to find a solution that didn’t involve buying a new motherboard after 4:30pm on a Friday afternoon!

Solving it

The solution was to: (drumroll please)

Disable USB 3.0 support in the BIOS for my Gigabyte Z68MA-D2H-B3 motherboard. THANK YOU Illho Ye for the post. Now I have my virtual machines and they’re, like, working!

I’d seen other forum mentions of other whizbang processor features (C3-C6 states) causing similar problems, but for me, the problem turned out to be something to do with the USB 3 controller (in Advanced BIOS Features or Integrated Peripherals, I forget which) causing the boot hang. Toggling it back on caused it to hang again, so it doesn’t appear to be just a first-run problem.

Bricking it (not really)

Amusing moment: I’d tried a BIOS update as part of my troubleshooting before finding the winning post, and had that “OHNOIBRICKEDIT!” feeling when the computer didn’t seem to be doing anything immediately afterwards… only it turns out the flash had just changed the Init Display order back to the PCI Express X16 board, rather than the onboard video.

That made me happy! And sheepish.

[Update 2016-11-13] Loads of things have probably changed since my original post (BIOS updates and OS updates…) Just re-enabled USB 3.0 on Windows Server 2016; whatever the initial cause, it’s no longer a problem, and Things Boot Now.

Come to the Windows 8 and Windows Server 2012 Premier Roadshow

Australian Premier Support customers: Join us for an overview of the new stuff in Windows Server 2012 and Windows 8!

This series of events will run for the entire day in each city and showcase 4 sessions of about 90 minutes, on a range of Windows Server 2012 and Windows 8 client topics. All topics will be presented by the best Premier Field Engineers across Australia and New Zealand.

Except they got me for Sydney! I’m covering the new Networking features.

Windows Server 2012 – Networking

Connect from anywhere, more working and less waiting, better network management via cost-aware networking. Sound interesting? This session provides a general overview, including many of the improvements to DirectAccess, BranchCache, and general networking improvements in Windows 8 and Server 2012.

Details and signup:


And if you’re at Tech.Ed 2012 AU, you can catch Darth Chad and me presenting on the enhancements to Windows Server 2012 DirectAccess.


Is it time for you to reset your online identity?

Lots of account hacking activity in the news recently. The Blizzard hack (via RPS) caught my eye because of some of the wording used to describe it:

“Some data was illegally accessed, including a list of email addresses for global users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to accounts.”

Now, I’ve trained my parents never to use the same password on any websites connected with billing information. That’s a no-brainer.

But I’ve always lied on those secondary verifiers because it just seemed like I should. It’s intuitive to me that I’d want to have different verifiers for each website *despite* them offering the same set of questions.

But I wonder if others are as careful? The recently publicized Apple/Amazon combo hack suggests that some combinations might be unavoidable, but that doesn’t mean you can’t take other precautions.

Have you used the same “mother’s maiden name” verification information across websites? Could the compromise of information you supplied to a “throwaway” website lead to compromise of a really important one?

If so, it might be time to go through all the websites you use most frequently, and change the information there. Yes, all of it. Then write down your new lies somewhere you can find them.

Secrets should be shared between you and each website – not between you and every website.

Because until we get to an identity metasystem, where every single website doesn’t rely on independently re-verifying every single detail about your life, anything you share with any website may eventually become public information.

Scary thought.

Jump to closing Curly Brace!

I maintain a few projects with a few spaghetti functions.

It’s really common to see something like:

{
    // And then sixteen pages of text before the closing brace
}

If you click either brace, it highlights its counterpart, which is great when they’re on the same page, but not when they’re many scrolly pages and many brace-pairs apart…

So I wondered if there was a way I could jump between them (16 pages is an awful lot of scrolling)

Yes! Ctrl+] !

Thanks SO!