Tuesday, December 22, 2015

Juniper backdoor discovered

When you buy a firewall you're expecting it to provide some kind of protection, not to give people the keys to your network.

But this is exactly what Juniper pulled off.  'Somebody' put a backdoor in their ScreenOS software in 2012.  ScreenOS was acquired by Juniper when it took over competitor Netscreen in 2004.  

At this moment there are no indications JunOS is affected.  JunOS is another operating system Juniper uses in its devices.

Read the official statement here. 

The backdoor is built into two distinct functionalities: the VPN implementation and the SSH and Telnet daemons.

Juniper has new updates for ScreenOS.  If you are a customer I would really check this out.




Wednesday, December 9, 2015

Current APT threat

This is the harvest of a month of APT detection on our firewall.
Guess it was worth our money, but not entirely...


As you can see in the far right column,  most threats are directed at me (Guy Schellens), which actually makes sense.  An administrator is more likely to have elevated privileges so the damage an infection (eg. cryptolocker) causes is much bigger.  Keep using locked down accounts,  avoid working as an administrator on your computer.
For network admins,  limit the rights of your users to what they really need, so a user who opens one of the files in this list will cause minimal damage.

All the documents contain malicious macrocode which contains an executable. Don't want to find out what Joe or Valerie had in store for me...

Even scarier is the next table.



It contains zero day APTs again targeted at me.  Zero day means this threat was unknown at the moment it was sent to me.  The APT detection sends these files to a service in the cloud, which runs some tests on the suspicious file in a virtual machine.  Note there are APTs which can detect they run in a virtual environment and will not do their evil actions because they suspect being in a lab environment...

You see the file was allowed further into our network, so the files weren't blocked because the examination can take a while... This means I and another colleague  got these files in our mailbox!  The  file invoice_latest_reminder.doc was allowed on 2015-11-10 15:11:34  but was blocked 2 hours later when it was mailed again to me.  By then the firewall manufacturer had put the file signature in their database so all customers are warned for this file.

It is still very, very important to educate end users how to identify these threats, because as you saw, those files are only blocked when the firewall is sure the content is malicious.

Take care guys!

Saturday, November 21, 2015

NetSec 2015 visit

Went to a NetSec 2015, an industry - customer meetup organized by Exclusive Networks in Antwerp (Belgium) and talked to some interesting guys from Palo Alto, Sophos and Fortinet.  The buzzword remains APT (Advanced Persistent Threat). You have to admit it's something every IT manager should be scared of and it demonstrates the necessity of security products.  The industry's response at this moment is to fortify the endpoint security. Every vendor now has some kind of endpoint agent and comes in competition with traditional antivirus/anti malware products.  The session of Palo Alto was a bit of a surprise.  According to analysis every exploits can be categorized into a (combination of) 20-30 like different attack vectors. By analyzing malicious activity in that way, they are able to detect new threats. I was just wondering why the specialized AV companies never came up with this idea.  That's something I'm trying to  find out right now.
Another approach is to analyse log files (Balabit) or network data to recognize patterns to detect anomalies. The vendors are also rolling out support or releasing products for software defined networking.  As everyone keeps an eye on everyone, we can expect this features to make an entry in other vendor's products.

Thursday, November 19, 2015

Veeam Endpoint backup

I tried Veeam Endpoint backup for the first time. It really is a nice product (no, I'm not paid by them).

By default it looks for connected devices.  But naturally, I wanted to store the backup immediately in one of our Veeam repositories.

After creating the right access rights for a user in the repo with Veeam backup and recovery,  connecting to Veeam backup server and a repository on a Windows storage server was as easy as supplying a user name and a password and click two times.

Veeam remains by far the easiest backup product I've worked with.  And the unlimited free (as in beer) Endpoint licenses makes it only better value.

The backupped drives can be exported as virtual disks for VMware or Hyper-V.  Ideal to experiment.  Going to try this in a few days.

Can't wait for the new free backup agent for Linux.


Tuesday, November 17, 2015

SureBackup and CentOS6/Windows 2008R2 virtual machines

I really like SureBackup.  It's a nice feature of Veeam to test your backups in a sandboxed environment.

I ran in some problems though and it took quite some time to make it work...

We still run quite a lot CentOS6 and Windows 2008 R2 virtual machines.
Both OS'es have networking issues after cloning.  This meant I had to change the configuration in a lot of VM's.




If you revert to E1000, look out for this issue if you're not running the latest VMware patches.
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2059053

Virtualization is so simple, eh?


Sunday, November 1, 2015

Brewery Het Anker (Mechelen)

Here are some pictures from two recent visits to brewery het Anker in Mechelen.
Certainly worth a visit!

One entrance of the brewery is in the historic beguinage of Mechelen (an UNESCO world heritage site, worth a vistit too) 


Here we got a talk about the roots of the brewery and the place of beer in the history of Mechelen.  "Gouden Carolus" refers to Charles V (aka Charles Quint).  He was considered the mightiest man of that age. The emperor grew up in Mechelen, visited it often and liked the beer so much he let it transport to Spain.

The rest of the tour focuses more on the brewing process itself.  There's a moment where you can taste the raw ingredients.
  


The guided tour also leads you to the roof,  where you can see these amazing sights of Mechelen





Old beer crates

Container deposit was 11 Belgian franks at that time, ~20 eurocents
 

The brewing process explained...

From 2009 on, het Anker also produces Whisky (Molenberg, Blaasveld).  The first attempt immediately had succes:  they got a silver medal at the International Wine and Spirit Competition in London. In

The big lock is from the Belgian government, to ensure excise duties ...


At the end, a selection of some of their delicious beers awaits you!

A few days before I went to a concert over there 




Saturday, October 10, 2015

Greatest switch - STUBRU

Belgians, before voting for the Greatest switch, please consider following tracks. Thanks!

Push * Universal nation - http://www.discogs.com/Push-Universal-Nation/release/20341

Reflect * Need to feel loved - http://www.discogs.com/Reflekt-Featuring-Delline-Bass-Need-To-Feel-Loved/master/126749

Binary Finary * 1998 - http://www.discogs.com/Binary-Finary-1998-Zapya/master/151598

Drax Ltd * Amphetamine - http://www.discogs.com/Drax-Ltd-II-Amphetamine/release/114056

Emmanuel Top * Acid Phase - http://www.discogs.com/Emmanuel-Top-Acid-Phase/master/99110

Aqua Contact * La Sirena - http://www.discogs.com/Aqua-Contact-La-Sirena/master/2380

Jones & Stephenson * The First Rebirth - http://www.discogs.com/Jones-Stephenson-The-First-Rebirth/release/20340

Jens Lissat * Energy Flow - http://www.discogs.com/Jens-Lissat-Project-Energy-Flow/master/95844

Jens * Loops & Tings Fruit Loops Remix  - http://www.discogs.com/Jens-Loops-Tings-Remixes/release/32131

The Age Of Love (Watch Out For Stella Club Mix) - http://www.discogs.com/Age-Of-Love-The-The-Age-Of-Love-The-Jam-Spoon-Mixes/release/29757

Yves Deruyter * The Rebel - http://www.discogs.com/Yves-Deruyter-The-Rebel/master/105327

LSG * Netherworld - http://www.discogs.com/LSG-Netherworld/release/19560

Three Drives * Greece 2000 - http://www.discogs.com/Three-Drives-Greece-2000/release/57059

Energy 52 * Café Del Mar (Original Three 'N One Edit) - http://www.discogs.com/Energy-52-Caf%C3%A9-Del-Mar-98-Disc-2/release/23397

Humate * Love Stimulation (Lovemix) by Paul van Dyk - http://www.discogs.com/Humate-Love-Stimulation-Curious/release/15777

Robert Armani * Hit Hard - http://www.discogs.com/Robert-Armani-Hit-Hard/master/328381

Metro Dade * The Andor Voyage - http://www.discogs.com/Metro-Dade-The-Andor-Voyage-Lurandi/master/45996

Dr. Phibes * Acid Story - https://www.discogs.com/Dr-Phibes-Acid-Story/master/102521

Castle Trancelott * Indoctrinate - http://www.discogs.com/Castle-Trancelott-Indoctrinate/release/1159088B

BBE * Seven Days And One Week - https://www.discogs.com/BBE-Seven-Days-And-One-Week-Hypnose/master/71652

Nikolai * Ready To Flow - https://www.discogs.com/Nikolai-Ready-To-Flow/release/67192

Commander Tom * Are Am Eye - https://www.discogs.com/Commander-Tom-Are-Am-Eye/release/49499

Sven Vath * L' Esperanza - https://www.discogs.com/Sven-V%C3%A4th-LEsperanza/release/129278

Wednesday, October 7, 2015

TURLA (mis)using satellites to avoid detection

An Achilles' heel in the deployment of an APT is maintaining control over the infected computers after the initial infection.  The "masters" over the malicious system use C&C (command and control) servers for this purpose.  Security firms try to pinpoint these servers so they can be disabled (eg. by DNS sinkholes/black-hole DNS).  This is an ongoing global battle.

Turla is one of the scariest APTs around and researchers from Kaspersky have observed it misuses satellite uplinks to hide the location of the people in charge.

Again, this is spy movie material...

Saturday, October 3, 2015

Choosing the right virtualization technology for the next couple of years

3.5 years ago we chose our currect virtualization stack.  One important issue was replication to another site which was already using equipment from a certain vendor, the other one was it had to be VMware -based.   Send in the pre-sales consultants and after a few meetings we saw where this thing  was going to. We ended up with a configuration that kind of suited our needs. We were very pleased with our Dell server hardware (PowerEdge R710).  But on the storage side, we missed the "flash revolution" and you can read other storage related rants on my blog.

Over the years, we did tweak the system a lot in-house, ditched NetApp backup tools and brought Veeam into the game.  As a result we now backup to cheap Dell boxes, and the process has never been easier.  Dedupe is not handled well in Windows Storage server 2012R2,  but if necessary we'll add a cabinet with cheap SATA disks or attach a tape library.   We also were considering PernixData to spice things up.  

We wanted to use this configuration for the full 5 year term but then new opportunities rose.  We immediately noticed our current solution didn't scale that well.  We're also hitting some of the limitations of the Essentials bundles. We are better informed now but this by no means makes the job of selecting the right infrastructure easier.
Hyper-v and KVM became a lot more mature and then came exciting new "hyper-converged"  technologies like virtual SAN, SimpliVity and Nutanix.

One option we are considering is to combine VMware and the Acropolis hypervisor in one Nutanix cluster, but we're also looking into Flexpod and more traditional setups from Dell and HP.   It has to scale a lot as we expect some serious changes.

So, interesting times ahead...



Wednesday, June 3, 2015

Migration of backup software from NetApp tools to Veeam

We weren't exactly happy with the reporting of VSC, SMVI and Snapvault.  We were also a bit afraid of the black beast of vendor lock-in.  So we chose for what most people consider the market leader for agentless VM backups: Veeam.
If you're in an similar situation I can only recommend to go for a partner which knows both NetApp and Veeam.

We hadn't removed certain scheduled smvi tasks and this gave trouble in combination with Veeam.  A NetApp savvy consultant probably would have noticed this during installation.

Symptoms of the problem: Friday at 22:06,  vCenter suddenly stops the virtual machine which is used both as backup and proxy server.

VMware tries to restart the VM several times but fails to do so because a (virtual disk) appears to be corrupt.  To make things worse, this 'corrupt' virtual disk belongs to another VM...  The VM also refuses to start unless we delete this virtual disk from the configuration (don't physically delete the virtual disk!)

To understand what happened you have to know how a Veeam backups a VM when in virtual appliance mode.  This is taken from the manual:


  • The backup proxy sends a request to the ESX(i) host to locate the necessary VM on the datastore
  • The ESX(i) host locates the VM.
  • Veeam Backup & Replication triggers VMware vSphere to create a VM snapshot.
  • VMware vSphere creates a linked clone VM from the VM snapshot. 
  • Disks of a linked clone VM are hot-added to the backup proxy or helper VM.
  • Veeam Backup & Replication reads data directly from disks attached to the backup proxy or helper VM through the ESX(i) I/O stack. When the backup process is complete, disks are detached from the backup proxy or helper VM.

So the mystery of the virtual disk belonging to another VM is solved.  This is the remnant of a (failed) backup.   But why around 22.00?  Of course this is no coincidence either.  At 22.00 the backup kicks in, but something causes an event which scares VMware so much, it just shuts the server down...

So I'm looking at something that happens around 22.00 to that machine.  Maybe another backup that also uses VSS?  Now NetApp based snapshots are suspect.  Then I notice a smvi script is still scheduled around this time.  We forgot to disable this schedule.  

After deleting these scripts the problem was gone.   





Tuesday, April 21, 2015

Veeam application-aware image processing

We had Veeam installed by a partner today.

It gave us a kickstart as I don't have that much time on my hand these days.  This by no means will hold us back to maximize our investment :-)

The consultant has disabled AAIP (Application Aware Image Processing) because the VM's we need to backup can't be reached by the Veeam software or vCenter over the network.

The documentation states

To create a transactionally consistent backup of a VM running VSS-aware applications (such as Active Directory, Microsoft SQL, Microsoft Exchange, SharePoint) without shutting them down, Veeam Backup & Replication uses application-aware image processing. It is Veeam’s proprietary technology that ensures successful VM recovery, as well as proper recovery of all applications installed on the VM without any data loss. Veeam Backup & Replication does not deploy persistent agents inside VMs. Instead, it uses a runtime coordination process on every VM that is started once the backup operation is launched, and removed as soon as it is finished. This helps avoid agent-related drawbacks such as pre-installing, troubleshooting and updating.

What does this "runtime coordination process" need?  Surely it needs a network connection to Veeam Backup server?

I asked this at the Veeam forum and someone pointed me to this very interesting blog entry of Luca Dell'Oca.

To my amazement this can actually be done even without network access thanks to the VMware VIX API.  You need to give the credentials of the "well-known" .\administrator or domain\administrator or disable UAC.  Perhaps this is not for every production environment but it is really cool technology.  I'm going to play a bit with VIX later on for sure...

Thursday, April 9, 2015

Alexion vs Belgium

I wrote about this story a few weeks ago.  It turns out the Belgian government isn't bowing to the terms of Alexion in this case and wants to negotiate.  Maggie De Block, the minister of public health is a MD herself and states the benefits of the drug (Soliris) aren't proven in the case of Elias.   She invites Alexion to come with a proposition.

Plastic Memories -ep 1

When you watch anime, you can't but notice its formulaic nature.   You have the hyped ones and then you have smaller productions, aimed at some group of fans. And every once in a while you get something original.

Plastic Memories is by no means a small production but somehow stayed under my radar. 
The screenplay was written by Naotaka HAYASHI, one of the writers of Steins;Gate.   Direction of episode #1 was done by Yoshiyuki FUJIWARA, who was involved in Attack On Titan.   Those are two of my favorite shows, so I decided to give it a chance.

Giftia are human like robots who have a limited lifespan .  The story deals with a crew that retrieves giftia when their service time expires.    Giftia are very much like us and after his first few assignments a new employee understands this is actually an tough job. 

In my humble opinion, the overall style of the artwork is too "cute" for the seriousness of the topic.  At the moment it's my only criticism.   Some owners got very attached to their giftia and we understand why.  The episode gets quite emotional in a positive (and for me unexpected) way.  It makes you think of lots of things.  What makes us human?  Can robots be used to take care of elderly people?  Euthanasia, loneliness, ...  

I hope the series can maintain  this quality.  

Wednesday, March 25, 2015

Noteworthy anime

The last episode of Parasyte the maxim aired yesterday and what a ride it was...  And a pretty satisfactory ending.  If you haven't seen this series, it's highy recommended.
Another series that's coming to an end is Death Parade,   which had some really great moments.

In April, Fate/Stay Night: Unlimited blade works starts again.
I'm curious about Seraph of the End, from Wit Studio (you know, the guys from Attack on Titan)

Finally saw When Marnie Was There, the latest Ghibli movie (and the first without involvement of Hayao Miyazaki).  If you liked the bittersweet tone of The Secret World of Arrietty, you're going to like this movie a lot.  Ghibli takes animation to near perfection.  You actually forget you're watching an animated feature.  I was really impressed both animation- and story-wise.

Also following:


Sunday, March 22, 2015

Alexion deal with Belgian government got public

In Belgium there's yet another controversy about Soliris  the trade name of Eculizumab, a drug from the firm Alexion.
Soliris is a orphan drug, effective in the treatment of two rare, life threatening diseases:  PNH (paroxysmal nocturnal hemoglobinuria) and aHUS (atypical hemolytic uremic syndrome).   "Typical" HUS is the result of a e-coli infection and is 10 times more common than the atypical variant, which has genetical causes.

In 2013 the media picked up a sad story:  little Viktor, a 7 year old child, suffering from a rare genetic disease (aHUS) was deprived from a miracle drug which could save his life.  Belgian's health system (considered one of the best in the world)  did not reimburse  a whopping € 234,000/year.  
There were lot's of ethical questions about Alexion's lobbying techniques.  They indirectly manipulated the parents. Even Pharma.be, the trade organisation for pharma companies in Belgium, condemned the practices and got into a legal quarrel with Alexion.
There was a lot of public pressure on  Laurette Onkelinx, then health minister to negotiate a deal.  They came to an agreement but the terms weren't made public.  

In 2014  another aHUS patient, the 15 year old Elias, shared a movie on Facebook explaining his situation.  Because he got a kidney transplantation and a more latent form of aHUS, other terms apply.  

Belgian government has yet again to negotiate with Alexion.  And perhaps not entirely coincidentally  someone has leaked the one page (!!!) agreement from 2013.  It seems Belgium got a poor deal:  a 5% reduction to a non negotiable price.  Sources speak of a blackmailish situation.     

This will be a really tough case for the current health minister Maggie De Block.  Let's hope for Elias sake everything will be ok.

Of course, the traditional not so effective kidney transplants and dialysis also cost a lot to the community.  Pharma companies take a lot of financial risks to develop orphan drugs.  Governments already recognise this and have special legislation for companies doing this research.  

As far as I can lookup, the Soliris patent expires in 2020.     

Tuesday, March 17, 2015

VMware not complying with GPL?

I've always had the utmost respect for VMware.  A true visionary company.

That's why it really saddens me to hear this multi-billion company does not want to comply with the GPL and is sued by Christoph Hellwig, a German kernel hacker.

If you don't like the license, write your own code.  It's not that your licenses come cheap.   Shame on you, VMware!

Read more about this here:

http://sfconservancy.org/news/2015/mar/05/vmware-lawsuit/
https://fsf.org/news/conservancy-and-christoph-hellwig-gpl-enforcement-lawsuit
https://sfconservancy.org/linux-compliance/vmware-lawsuit-faq.html
http://www.theregister.co.uk/2015/03/05/vmware_sued_for_gpl_violation_by_linux_kernel_developer/

Thursday, March 12, 2015

EquationDrug: Kaspersy describes yet another APT

After Turla and Regin, this is yet another very advanced APT with dozens of plug-ins.

https://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/

Thursday, March 5, 2015

Beertasting 5 feb 2015



Olivier, a  colleague of mine organized a beertasting for us (off working hours of course :-) ).
He did a 2y course "biersommelier" so he obviously knows a lot about the subject.

This was his selection:
As I had never tasted Chimay Dorée it was quite interesting.  Most of the other beers are well known but the tasting was aimed at beginners.

Chimay Dorée 

  • Alcohol: 4.8 % ABV
  • origin: Brewery Abby Notre-Dame de Scourmont - Route Charlemagne, 8, 6464 Baileux (CHIMAY)  BELGIUM

Troubadour Blond

  • Alcohol: 6.5 % ABV
  • origin: Brewery The Musketeers BVBA, Tramstraat 8, B-9910 Ursel Belgium

St Feuillien Tripel

  • Alcohol: 8.5 % ABV
  • origin: Brewery St-Feuillien SA , Rue d'Houdeng 20 - 7070 Le Rœulx - Belgium

Gouden Carolus Ambrio

  • Alcohol: 8.0 % ABV
  • origin: Brewery Het Anker,  Guido Gezellelaan 49, B-2800 Mechelen, Belgium

Rochefort 8

  • Alcohol: 9.2  % ABV
  • origin: Abbaye Notre-Dame de Saint-Remy, B-5580 Rochefort

Sint Bernardus ABT 12 

  • alcohol: 10% ABV
  • brewing type: quadrupel, dark
  • origin:  Brewery Sint Bernardus,  Trappistenweg 23, 8978 Watou, Belgium
  • price: € 1.90/ bottle incl deposit (qualidrinks, prices 2 jan 2015)

Did you know every 1000th bottle,  the abbot at the label winks at you? (thanks for the info, Harri)

Wall of shame: Seagate NAS has a nasty unpatched vulnerability - Freak attack


Seagate put extremely old versions of Linux software on their "business NAS" line and refuses (or is incapable) to fix the issue.

People should avoid using this hardware or put the box behind a firewall.

https://beyondbinary.io/advisory/seagate-nas-rce/

We seriously considered buying one of these things last year...

Freak attack
And thanks to the US government we have yet another serious SSL problem....

http://gizmodo.com/freak-attack-a-dangerous-security-flaw-caused-by-us-go-1689331567
All Windows versions are also vulnerable!


Monday, February 9, 2015

the Juniper switch blues

Last year we let some people work on the electricity in our server room.

We shut down our servers and storage arrays.   We just turned off our switches.
Big mistake.  You have to bring down Juniper switches with request system power-off  or you risk corrupt flash disks.  How nice of the people who installed them to mention this (not!)...

So, we had a corrupt flash disk without knowing it for almost a year... :(

We contacted our VAR and the best way to solve this according to them is to reinstall junOS on the device.  

On the positive side,  the switches have an USB port.  You just mount the USB stick with a firmware update and then upgrade from CLI.   The switch runs on FreeBSD by the way

No messing with TFTP or uploads to web user interfaces here... :-)   

The upgrade took > 15 minutes and needs a reboot in the middle of the procedure and one to finalize the upgrade.  Great we have a redundant system :-)


For some reason, the firmware update procedure removes the firmware archive from the stick, annoying if you have to upgrade more switches at once...



Sunday, February 1, 2015

Anime: Jojo's bizarre adventure

In a previous blog post I wrote about me discovering Jojo's bizarre adventure - stardust crusaders.
Despite it's silly title,  it's fun to watch.  

The series follows the Joestar family.  Every other generation someone with special powers is born in the family. It's their job to fight evil.

I think Hirohiko Araki, the mangaka is quite the weird guy.

After watching the previous two series (Phantom Blood and Battle Tendency), I'm more convinced of that fact :-)

Here are some youtube clips to illustrate his weird sense of humor.

WARNING mild spoilers ahead...

In the beginning of Battle Tendency we are introduced to Joseph (JoJo)... He runs in trouble with some corrupt cops...
https://www.youtube.com/watch?v=1aB-LZfxCZs

A frustrated JoJo and a cat... :)
https://www.youtube.com/watch?v=huAE_Dx0zno 

More animal fun...
https://www.youtube.com/watch?v=1cPW0MX79fU

from Stardust Crusaders.
https://www.youtube.com/watch?v=UQ-g0BdpbDM

Friday, January 30, 2015

Visit CentOS Dojo in Brussels

Went to the CentOS dojo in Brussels today with Patrik and Joeri.  This is the second time this event is organized in Brussels, strategically before FOSDEM and the beer night ;-)  

The event was well organized, kudos to the CentOS team, IBM (host) and Redhat.

It was nice to see the progress the CentOS community made. The SIGs (special interest groups) seem to work and I got the feeling this is heading somewhere.

Although "hot" technologies like OpenStack, Ceph, Docker and Atomic Host were presented, to me the award for best presentation should go to "Optimising Xen Deployments for Storage Performance" by Felipe Franciosi.  Well explained!  

I decided to use a lot of proprietary software  in our organization, because for some things OSS alternatives just weren't ready.  But most of the base infrastructure is (and will) remain free software and CentOS is a very important component.  


Nice T-shirt by the way :-)

Friday, January 2, 2015

Xmas beershopping

Went beer shopping this afternoon.


I'm going to organize a blind beer tasting Rochefort 10 - Sint Bernardus 12 - Westvleteren 12 for my beer loving friends. I'm really curious how they will perform :-)

Because a beer tasting with 3 (although very respected) beers is a bit shallow,  I'm going to throw in the Sint Bernardus x-mas, and the La Trappe quadrupel.




Westvleteren 12 


  • alcohol: 10.2% ABV (alcohol by volume)
  • brewing type: quadrupel, dark
  • origin:  Abby Sint Sixtus, Donkerstraat 12, B -8640 Westvleteren (Belgium)
  • price: € 52/crate incl Deposit for empty bottles and crate,  1.76 /bottle, incl. deposit (prices 2 jan 2015)
  • serving temperature according to brewer: between 12° and 16° C

Rochefort 10


  • alcohol: 11.3% ABV
  • brewing type: quadrupel, dark
  • origin:  abby Notre-Dame de Saint-Remy, B-5580 Rochefort (Belgium)
  • serving temperature according to brewer: between 12° and 14° C
  • price: € 2.50/ bottle incl deposit (qualidrinks, prices 2 jan 2015)

La Trappe quadrupel


  • alcohol: 10% ABV
  • brewing type: quadrupel, amber
  • origin: abby Onze Lieve Vrouw van Koningshoeven, Eindhovenseweg 3, 5056 RP Berkel-Enschot (Tilburg, NL)
  • serving temperature according to brewer: between 12° and 14° C
  • price: € 1.75/ bottle incl deposit (qualidrinks, prices 2 jan 2015)

Sint Bernardus ABT 12 


  • alcohol: 10% ABV
  • brewing type: quadrupel, dark
  • origin:  Brewery Sint Bernardus,  Trappistenweg 23, 8978 Watou, Belgium
  • price: € 1.90/ bottle incl deposit (qualidrinks, prices 2 jan 2015)

Sint Bernardus Christmas ale 


  • alcohol: 10% ABV
  • brewing type: quadrupel, dark
  • origin:  Brewery Sint Bernardus,  Trappistenweg 23, 8978 Watou, Belgium
  • price: € 2.10/ bottle incl deposit (qualidrinks, prices 2 jan 2015)


Q: Why "Rochefort 10" while the alcohol percentage is 11.3?  Or why "Westvleteren 12" while the alcohol percentage is 10.2?   
A: Well... "10" and "12" in the name refers to the old Belgian system to measure beer density.  This value was used to determine the taxation.  The wort was measured at 17,5°C, before the fermentation process.   Of course there is a correlation between this density and the alcohol percentage of the beer, but there are other factors in the brewing process.  It was abolished in 1993 and replaced by the plato scale.  Wikipedia has an excellent article.


In a previous post I told you about the very nice Christmas Beer tasting @ het Anker (Mechelen).  
For me, one beer clearly stood out,  St Feuillien Cuvée de Noël (9% ABV) so I couldn't resist ...
I also bought some  St Feuillien bruin (8.5% ABV)  and Brasserie LeFort (Omer Vander Ghinste, 8.5% ABV).   Very interesting beers!

(sorry for the bad quality, took this in my cellar ;-))