What's the fastest supercomputer in the world?

It's probably not what we think it is. The Top 500 list is the most widely publicised ranking of supercomputers, but it apparently misses some of the world's most powerful machines. Here's what Jeff Wierer, currently director of HPC at Microsoft, said in an interview last year:

I don't think there's much financial incentive for private sector firms to get visibility on that website.
For example, if you're a large investment bank, the time required to take down that system and run the benchmarks to get into the top 500 is prohibitive, especially in the current economic climate.
We have a customer running 32,000 servers in a cluster. Running the benchmark on that would make them number one, but as I said there's no financial incentive for them to do that.

There's quite a bit of competition in the HPC space, so Microsoft wouldn't be the only vendor helping to build amazing number crunchers of which the general public has little or no knowledge.


Posted by Slav | with no comments

Offline root CA is an outdated concept

My first experience with PKI was back in 1997. We (Andy Khomenko, currently with Caspio, and I) were developing a business-to-business e-commerce site. We decided to use client certificates for authentication, as the just-released IIS 2.0 on Windows NT 4.0 supported them. There was no Microsoft CA back then, so I wrote a CGI wrapper around SSLeay (now OpenSSL) that managed client requests and the certificate issuance process and kept the relevant logs in a Microsoft SQL Server database. Looking back, the whole setup wasn't very secure, and not only because of the endless vulnerabilities in the technologies we used. But in the end we had a working product built on then leading-edge technology, and we cut our teeth on e-commerce and Internet security.

In the early 2000s I saw an internal PKI evolve from a test facility running off a floppy in someone's desktop into an enterprise service with countless applications depending on it. Along the way the certificate authority key migrated from the floppy to an HSM, a hardware security module. HSMs are amazing devices: they can require multiple people with smart cards to be present for an operation (depending on the policy, even basic tasks like signing a certificate request or a CRL may require several custodians), and they can zeroise their keys if the device is shaken or the temperature changes. The whole idea is to keep private keys more securely than anything on commodity hardware and operating systems allows.

Amazingly, while HSMs have become standard in enterprise environments, design decisions are still made as if the CA keys were stored in the Inetpub folder of a Windows NT 4.0 SP1 system. That is the rationale behind the offline root CA.

In Deploying and Managing PKI inside Microsoft (a must-read), under MS PKI Security Requirements, the Microsoft authors say: "Even though Microsoft internal hierarchy no longer had the previous intermediate CAs, Microsoft IT did not lower any of the existing security controls. The root and the new intermediate CA were offline and never exposed to network traffic, thereby minimizing the chance of a compromise". But hang on: what does "compromise of a CA" actually mean?

There are two common failure scenarios: issuance of certificates to unintended recipients, and loss of control over the CA keys. The first is not mitigated by an offline root: you revoke the certificates and possibly review the process. That has happened to VeriSign and other commercial CAs. The second, total loss of the CA keys, is mitigated by the HSM: even if you own the system connected to the HSM, you can't get the keys out, provided they were generated inside the HSM and marked non-exportable.

One might ask: what if an attacker compromises a system that can connect to the HSM and uses it as a base to exploit a vulnerability in the HSM itself? That assumes the infrastructure is already owned by someone else, who will hardly need to spend time on a research project to find an HSM vulnerability. And the trivial solution is to keep the HSM, not the client system, offline.

Technology evolves. The offline root CA is just one of those obsolete ideas that get labelled "best practice" in the hope that nobody will subject them to critical analysis.

Posted by Slav | with no comments

IPv6: back to basics

Recently I enabled IPv6 on my home network. My ISP, Internode, has supported IPv6 for some time now, and I finally got around to purchasing a new router with IPv6 support. Most of the operating systems I run at home (including Maemo on the Nokia N810) support IPv6 too. Fast forward a few weeks to World IPv6 Day: as it happens, I found a problem with my setup on the very day the whole world was making an effort to prove IPv6's maturity:

C:\Users\spadmin>ping ipv6.google.com
Ping request could not find host ipv6.google.com. Please check the name and try again.

C:\Users\spadmin>nslookup ipv6.google.com
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
        primary name server = 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
        responsible mail addr = (root)
        serial  = 0
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)
Server:  UnKnown
Address:  ::1

Non-authoritative answer:
Name:    ipv6.l.google.com
Address:  2404:6800:4006:802::1010
Aliases:  ipv6.google.com


C:\Users\spadmin>ping 2404:6800:4006:802::1010

Pinging 2404:6800:4006:802::1010 from 2001:44b8:78e1:1320:2d10:241c:5668:2f6a with 32 bytes of data:
Reply from 2404:6800:4006:802::1010: time=53ms
Reply from 2404:6800:4006:802::1010: time=51ms
Reply from 2404:6800:4006:802::1010: time=52ms
Reply from 2404:6800:4006:802::1010: time=53ms

Ping statistics for 2404:6800:4006:802::1010:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 51ms, Maximum = 53ms, Average = 52ms

C:\Users\spadmin>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : ACE
   Primary Dns Suffix  . . . . . . . : example.net
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : example.net

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection
   Physical Address. . . . . . . . . : 00-1C-25-E7-B0-75
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:44b8:78e1:1320:2d10:241c:5668:2f6a(Deprecated)
   Link-local IPv6 Address . . . . . : fe80::2d10:241c:5668:2f6a%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.1.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 192.168.178.254(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::be05:43ff:fea6:127b%10
                                       10.1.1.1
   DHCPv6 IAID . . . . . . . . . . . : 167779365
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-3D-2B-1A-00-1C-25-E7-B0-75
   DNS Servers . . . . . . . . . . . : ::1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled




After disabling and re-enabling the NIC everything works:


C:\Users\spadmin>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : ACE
   Primary Dns Suffix  . . . . . . . : example.net
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : example.net

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection
   Physical Address. . . . . . . . . : 00-1C-25-E7-B0-75
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:44b8:78e1:1320:2d10:241c:5668:2f6a(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2d10:241c:5668:2f6a%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.1.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 192.168.178.254(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::be05:43ff:fea6:127b%10
                                       10.1.1.1
   DHCPv6 IAID . . . . . . . . . . . : 167779365
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-3D-2B-1A-00-1C-25-E7-B0-75
   DNS Servers . . . . . . . . . . . : ::1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Users\spadmin>ping ipv6.google.com

Pinging ipv6.l.google.com [2404:6800:4006:802::1011] from 2001:44b8:78e1:1320:2d10:241c:5668:2f6a with 32 bytes of data:
Reply from 2404:6800:4006:802::1011: time=53ms
Reply from 2404:6800:4006:802::1011: time=51ms
Reply from 2404:6800:4006:802::1011: time=51ms
Reply from 2404:6800:4006:802::1011: time=51ms

Ping statistics for 2404:6800:4006:802::1011:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 51ms, Maximum = 53ms, Average = 51ms


Evidently the IPv6 protocol stack was left semi-functional. I admit I haven't spent a lot of time configuring the network, but for my home the autoconfiguration features of the protocol are sufficient (and I was getting a 10/10 score in the IPv6 test).

So why does the global IPv6 address get deprecated? An Internode engineer thought it was a Windows 7 bug (How to report IPv6 bug to Microsoft - Vista and 7 won't "undeprecate" a prefix), but AVM, the makers of the router I use, apparently released a firmware update that addresses this issue (W7 ignores ICMPv6 Router Advertisements setting an IPv6 prefix from invalid to valid). Details of this issue are also discussed on Whirlpool. I'm on a test firmware that addresses another issue with the router, so I will have to report, wait and see.

I guess my point is this: the protocols are quite robust, but it will take some time to shake out the implementation issues. It's been four years since I posted my view on the IPv6 enterprise. I stand by it.
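
A check for the state described above, added here as an example and not part of the original post: it parses ipconfig /all output and reports, per adapter, whether a Preferred global IPv6 address is present, so the condition where the only global address is Deprecated can be spotted from a script rather than by eye. The sample input is a constructed, shortened copy of the output above, once as captured and once with the address back in the Preferred state; the classification labels and the global-unicast test are my own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the relevant adapter block from the ipconfig /all output above,
# first in the broken state and then as it looked after the NIC was reset.
IPCONFIG_BROKEN = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : ACE

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:44b8:78e1:1320:2d10:241c:5668:2f6a(Deprecated)
   Link-local IPv6 Address . . . . . : fe80::2d10:241c:5668:2f6a%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.1.200(Preferred)
   Default Gateway . . . . . . . . . : fe80::be05:43ff:fea6:127b%10
                                       10.1.1.1
"""
IPCONFIG_FIXED = IPCONFIG_BROKEN.replace("2f6a(Deprecated)", "2f6a(Preferred)")

ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
IPV6_RE = re.compile(
    r"^\s+(?:Temporary |Link-local )?IPv6 Address[ .]*:\s*(\S+?)\((\w+)\)\s*$"
)


def parse_ipv6_addresses(text):
    """Return {adapter: [(IPv6Address, state), ...]} from ipconfig /all output."""
    result = defaultdict(list)
    adapter = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            continue
        m = IPV6_RE.match(line)
        if m and adapter:
            literal, state = m.groups()
            literal = literal.split("%", 1)[0]  # drop the %zone-id suffix
            result[adapter].append((ipaddress.IPv6Address(literal), state))
    return dict(result)


def is_global_unicast(addr):
    # Anything that is not link-local, loopback, unspecified, multicast or a
    # private/special-purpose range is treated as a routable global address.
    return not (addr.is_link_local or addr.is_loopback or addr.is_unspecified
                or addr.is_multicast or addr.is_private)


def ipv6_status(addresses):
    """Classify one adapter's IPv6 addresses (labels are my own):
    'ok'              -> at least one Preferred global address
    'deprecated-only' -> global addresses exist but none is Preferred (the symptom above)
    'link-local-only' -> no global address at all
    """
    globals_ = [(a, s) for a, s in addresses if is_global_unicast(a)]
    if not globals_:
        return "link-local-only"
    if any(s == "Preferred" for _, s in globals_):
        return "ok"
    return "deprecated-only"


def check_host(text):
    return {adapter: ipv6_status(addrs)
            for adapter, addrs in parse_ipv6_addresses(text).items()}


if __name__ == "__main__":
    for label, text in (("before NIC reset", IPCONFIG_BROKEN),
                        ("after NIC reset", IPCONFIG_FIXED)):
        print(label, check_host(text))
```

Run it against the live output of ipconfig /all piped into the script and a "deprecated-only" result for an adapter is the cue to look at the router advertisements rather than at DNS.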

And yes, my home network is on the Internet, without firewalls, gateways or any other masquerading.

UPDATE: Microsoft has recognised irreversible IPv6 address deprecation as a bug in Windows Vista, 7, Server 2008 and 2008 R2 and will release a hotfix. I have the prerelease code and have tested it successfully.

Posted by Slav | with no comments

More ping goodness

Strange problems with the corporate WAN? Welcome to my world. I'm a big enthusiast of ICMP diagnostics with ping (see Let there be ping!), and of traceroute and pathping as well. One particular issue is quickly identifiable with stock-standard ICMP ping. Look at this output, for example:

C:\Users\spadmin>ping -n 25 dc-0001.asia.example.net

Pinging dc-0001.asia.example.net [172.25.7.71] with 32 bytes of data:
Reply from 172.25.7.71: bytes=32 time=38ms TTL=115
Reply from 172.25.7.71: bytes=32 time=20ms TTL=115
Reply from 172.25.7.71: bytes=32 time=42ms TTL=115
Reply from 172.25.7.71: bytes=32 time=48ms TTL=115
Reply from 172.25.7.71: bytes=32 time=124ms TTL=115
Reply from 172.25.7.71: bytes=32 time=33ms TTL=115
Reply from 172.25.7.71: bytes=32 time=80ms TTL=115
Reply from 172.25.7.71: bytes=32 time=31ms TTL=115
Reply from 172.25.7.71: bytes=32 time=33ms TTL=115
Reply from 172.25.7.71: bytes=32 time=32ms TTL=115
Reply from 172.25.7.71: bytes=32 time=20ms TTL=115
Reply from 172.25.7.71: bytes=32 time=22ms TTL=114
Reply from 172.25.7.71: bytes=32 time=20ms TTL=115
Reply from 172.25.7.71: bytes=32 time=21ms TTL=115
Reply from 172.25.7.71: bytes=32 time=22ms TTL=115
Reply from 172.25.7.71: bytes=32 time=23ms TTL=115
Reply from 172.25.7.71: bytes=32 time=26ms TTL=115
Reply from 172.25.7.71: bytes=32 time=25ms TTL=115
Reply from 172.25.7.71: bytes=32 time=21ms TTL=115
Request timed out.
Reply from 172.25.7.71: bytes=32 time=21ms TTL=115
Reply from 172.25.7.71: bytes=32 time=20ms TTL=115
Reply from 172.25.7.71: bytes=32 time=35ms TTL=115
Reply from 172.25.7.71: bytes=32 time=36ms TTL=115
Reply from 172.25.7.71: bytes=32 time=26ms TTL=115

Obviously there is packet loss, which is never a good sign. But another line is out of the ordinary, and it signifies more than a congested link or a faulty cable: the one where the TTL of the reply differs from every other reply (114 instead of 115). The TTL in an echo reply is decremented by each router on the return path, so a different TTL means that this reply traversed one more hop, i.e. took a different route from the other 23 replies. That, in turn, points to a problem with the WAN routing infrastructure. Although IP was designed to survive a full-scale attack on its communication lines, so that route changes are standard behaviour, they should not occur on a normal day on your corporate network.
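
The same check done mechanically, added here as an example and not part of the original post: it parses Windows ping output, counts lost probes, summarises round-trip times and flags every reply whose TTL differs from the majority TTL, which is the "different route" signal described above. The sample is a constructed, shortened copy of the output above that keeps the TTL=114 reply and the timeout. The hop-count estimate assumes the remote host started from one of the common initial TTLs (64, 128 or 255); that is a heuristic of mine, not something the ping output states.

```python
import re
from collections import Counter

# Constructed sample: a shortened copy of the ping output above, keeping the two
# interesting lines (the TTL=114 reply and the "Request timed out").
PING_OUTPUT = """\
Pinging dc-0001.asia.example.net [172.25.7.71] with 32 bytes of data:
Reply from 172.25.7.71: bytes=32 time=38ms TTL=115
Reply from 172.25.7.71: bytes=32 time=20ms TTL=115
Reply from 172.25.7.71: bytes=32 time=124ms TTL=115
Reply from 172.25.7.71: bytes=32 time=22ms TTL=114
Reply from 172.25.7.71: bytes=32 time=21ms TTL=115
Request timed out.
Reply from 172.25.7.71: bytes=32 time=35ms TTL=115
"""

# "time<1ms" appears for sub-millisecond replies, hence [=<].
REPLY_RE = re.compile(r"^Reply from (\S+): bytes=(\d+) time[=<](\d+)ms TTL=(\d+)")
INITIAL_TTLS = (64, 128, 255)  # assumption: Linux/BSD, Windows, Cisco/Solaris defaults


def parse_ping(text):
    """Return the probes in order: {'rtt_ms', 'ttl'} for a reply, None for a timeout."""
    probes = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            probes.append({"rtt_ms": int(m.group(3)), "ttl": int(m.group(4))})
        elif line.startswith("Request timed out"):
            probes.append(None)
    return probes


def hops_from_ttl(ttl):
    """Estimate return-path hops as (assumed initial TTL) - (TTL that arrived),
    using the smallest common initial TTL not below the observed value."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


def analyse(probes):
    replies = [p for p in probes if p is not None]
    ttls = Counter(p["ttl"] for p in replies)
    common_ttl = ttls.most_common(1)[0][0] if ttls else None
    # Replies whose TTL deviates from the majority took a different return path.
    anomalies = [(i + 1, p["ttl"]) for i, p in enumerate(probes)
                 if p is not None and p["ttl"] != common_ttl]
    rtts = [p["rtt_ms"] for p in replies]
    return {
        "sent": len(probes),
        "lost": probes.count(None),
        "common_ttl": common_ttl,
        "hops": hops_from_ttl(common_ttl) if common_ttl is not None else None,
        "ttl_anomalies": anomalies,  # (probe number, TTL)
        "rtt_min": min(rtts) if rtts else None,
        "rtt_max": max(rtts) if rtts else None,
        "rtt_avg": round(sum(rtts) / len(rtts), 1) if rtts else None,
    }


if __name__ == "__main__":
    report = analyse(parse_ping(PING_OUTPUT))
    for key, value in report.items():
        print(f"{key:14} {value}")
```

Feed it the output of ping -n 25 (or a Smokeping-style periodic capture) and a non-empty ttl_anomalies list is worth raising with the WAN team even when the loss figure looks acceptable.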

There's one more thing: check out Smokeping. It's a ping monitor on steroids, something you really need in very dynamic and only partially stable environments. And it's free, as in free beer (and GPL-licensed, so as in speech too).

Posted by Slav | with no comments

Checking server SSL/TLS certificates - any service

With all kinds of services using TLS, and many more wrapped in SSL tunnels like stunnel, the usual approach of inspecting the certificate with a Web browser or a service-specific client doesn't work. This is where OpenSSL comes in handy: its s_client functionality is great for troubleshooting and discovery:

C:\OpenSSL\bin>openssl s_client -connect sip.microsoft.com:5061 -showcerts

CONNECTED(000000E4)
---
Certificate chain
 0 s:/C=US/ST=WA/L=Redmond/O=MS/OU=RTC/CN=sip.microsoft.com
   i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
 1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
   i:/CN=Microsoft Internet Authority
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
 2 s:/CN=Microsoft Internet Authority
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=WA/L=Redmond/O=MS/OU=RTC/CN=sip.microsoft.com
issuer=/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
---
Acceptable client certificate CA names
/CN=MSIT TPM Root
/emailAddress=pkit@microsoft.com/C=US/ST=WA/L=Redmond/O=Microsoft/OU=ITG/CN=Microsoft Corporate Root Authority
/O=Microsoft Corporation/CN=Microsoft Corporate Root CA
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/emailAddress=personal-premium@thawte.com
/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/emailAddress=personal-basic@thawte.com
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Uzleti (Class B) Tanusitvanykiado
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
/C=HU/ST=Hungary/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root
/C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Expressz (Class C) Tanusitvanykiado
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
---
SSL handshake has read 7942 bytes and written 404 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 6622000040A4EDB48846EE407E969CD2D11D8359C05C702EB825524450A47A23
    Session-ID-ctx:
    Master-Key: E08629D601E2F9FD0F773F01C2A5063ADFD766F48A03A003D9FFC89947E303CECEB0C5D1ED0523D93AC933436B875D52
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1292923998
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

This allows fast and easy checking of the SSL/TLS configuration of any service: HTTP, SIP, IMAP, and anything behind an SSL wrapper. For protocols that switch to TLS in-band on their plaintext port rather than using a dedicated TLS port, add -starttls with the protocol name (smtp, pop3, imap, ftp or xmpp). Two things to read carefully in the output above: "Verify return code: 20 (unable to get local issuer certificate)" means s_client had no trust store containing the GTE CyberTrust Global Root, so it has not validated the chain at all; pass the roots with -CAfile or -CApath before trusting the result. And the negotiated RC4-MD5 cipher with a 1024-bit server key is exactly the kind of weak configuration this check is meant to surface. It would be good to have TLS discovery functionality integrated into a tool like nmap.
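
In the meantime, here is a small parser for the s_client transcript, added as an example that is not part of the original post or of OpenSSL: it pulls the certificate chain, the negotiated protocol and cipher, the server key size and the verify return code out of output like the one above and reports the findings a reviewer would raise, including whether each issuer actually matches the next subject in the chain. The sample input is a constructed, shortened copy of the transcript above with the certificate bodies replaced by placeholders and the client-CA list omitted; the weak-cipher pattern, the list of obsolete protocols and the 2048-bit key threshold are my own choices.

```python
import re

# Constructed sample: the relevant lines of the openssl s_client transcript above
# (certificate bodies replaced by placeholders, "Acceptable client certificate CA names" omitted).
S_CLIENT_OUTPUT = """\
CONNECTED(000000E4)
---
Certificate chain
 0 s:/C=US/ST=WA/L=Redmond/O=MS/OU=RTC/CN=sip.microsoft.com
   i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
 1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
   i:/CN=Microsoft Internet Authority
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
 2 s:/CN=Microsoft Internet Authority
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=WA/L=Redmond/O=MS/OU=RTC/CN=sip.microsoft.com
issuer=/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 20 (unable to get local issuer certificate)
"""

# " N s:<subject>" followed by "   i:<issuer>" on the next line.
CHAIN_RE = re.compile(r"^ *(\d+) s:(.*)\n +i:(.*)$", re.M)
WEAK_CIPHER_RE = re.compile(r"(RC4|MD5|DES|NULL|EXP|ADH|AECDH)", re.I)  # my choice
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}                  # my choice


def parse_s_client(text):
    """Extract chain, protocol, cipher, key size and verify result from s_client output."""
    chain = [{"depth": int(d), "subject": s, "issuer": i}
             for d, s, i in CHAIN_RE.findall(text)]

    def grab(pattern, conv=str):
        m = re.search(pattern, text, re.M)
        return conv(m.group(1)) if m else None

    return {
        "chain": chain,
        "pem_count": text.count("-----BEGIN CERTIFICATE-----"),
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)"),
        "key_bits": grab(r"^Server public key is (\d+) bit", int),
        "verify_code": grab(r"Verify return code: (\d+)", int),
        "verify_text": grab(r"Verify return code: \d+ \((.*)\)"),
    }


def assess(info, min_key_bits=2048):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    findings = []
    if info["verify_code"] != 0:
        findings.append(f"chain not verified: code {info['verify_code']} "
                        f"({info['verify_text']}); supply the root with -CAfile/-CApath")
    if info["protocol"] in OLD_PROTOCOLS:
        findings.append(f"obsolete protocol {info['protocol']}")
    if info["cipher"] and WEAK_CIPHER_RE.search(info["cipher"]):
        findings.append(f"weak cipher {info['cipher']}")
    if info["key_bits"] is not None and info["key_bits"] < min_key_bits:
        findings.append(f"server key only {info['key_bits']} bits")
    chain = info["chain"]
    # Each certificate's issuer must be the subject of the next one the server sent.
    for a, b in zip(chain, chain[1:]):
        if a["issuer"] != b["subject"]:
            findings.append(f"chain break between depth {a['depth']} and {b['depth']}")
    if chain and chain[-1]["issuer"] != chain[-1]["subject"]:
        findings.append(f"chain ends at an intermediate; root {chain[-1]['issuer']} "
                        f"must come from the local trust store")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_s_client(S_CLIENT_OUTPUT)):
        print("-", finding)
```

Pipe the real transcript in (openssl s_client -connect host:port -showcerts < /dev/null) and the chain-break and trust-store findings tell you whether a verify failure is the server's fault or your own missing root.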

A toolset note: Win32 OpenSSL is very handy for Windows administrators.

Posted by Slav | with no comments

Open source takes on Active Directory

Coming out of the Red Hat ecosystem is FreeIPA, a self-styled integrated security information management solution. IPA stands for Identity, Policy, Audit. Make no mistake: there is no PaidIPA, and FreeIPA is a take on Active Directory, combining the OS, LDAP and Kerberos and integrating Web and certificate services, as well as other infrastructure services, into one software stack. Detailed features:

Version 1 will focus on

  • Allowing an administrator to quickly install, setup, and administer one or more IPA servers for centralized authentication and user identity management.

Version 2 will focus on

  • Adding DNS and Certificate Authority to the IPA core
  • Allowing an admin to join a machine to an IPA realm
  • Providing kerberos principal and cert to the joined machine
  • Providing service keytabs and service certificates to services
  • Managing the keytabs and certificates once provided
  • Plug-in architecture for IPA extensibility. freeRADIUS as a first plugin.
  • IPA Client code for managing authentication, authorization, caching, connection
  • Policy. Centrally managed sudoers/netgroups, SELinux role based access
  • Audit. Centrally collected audit logs from IPA servers and from IPA clients

I assume there will be an easy way to integrate email and real-time communications systems into IPA.

We have had all of this (bar a mandatory access control system) in Active Directory for a long while now. UNIX and Linux integrate well into AD through Samba and Likewise Open. But an integrated authentication and authorisation subsystem designed specifically for Linux was missing: until now there were only bits and pieces that were hard to integrate. FreeIPA is an attempt to close that gap and create some competition for Active Directory, which is a good thing.


Posted by Slav | 1 comment(s)

When security doesn't work

A few days back, a hater named Umar Farouk Abdulmutallab tried to blow up an airplane and kill the 289 people aboard, and maybe more on the ground. He was stopped by another passenger, Jasper Schuringa, a Dutch film maker.

The US Department of Homeland Security and its Transportation Security Administration quickly issued statements and introduced new security measures. The TSA doesn't really say what those measures are, but various reports and airline Web sites mention things like this:

Air Canada said in a statement that new rules imposed by the Transportation Security Administration limit on-board activities by passengers and crew in U.S. airspace. The airline said that during the final hour of flight passengers must remain seated. They won't be allowed access to carryon baggage or to have any items on their laps.

Flight attendants on some domestic flights are informing passengers of similar rules. Passengers on a flight from New York to Tampa Saturday morning were also told they must remain in their seats and couldn't have items in their laps, including laptops and pillows.

Note this: if the rules had already been in place and the passengers had strictly followed them, Mr. Schuringa would not have been able to subdue the terrorist: he had to leap over a few seat rows to do that. Apparently that is no longer allowed. It doesn't matter that explosives and flammable liquids were not allowed on the plane in the first place and that the TSA failed to enforce that rule. They issue a new ruling that doesn't make sense (the last hour, huh?) and is almost impossible to enforce. It reminds me of the TSA requirement not to congregate on a plane headed for the United States.

This is not security, this is damage control. Happens too often in the government, and in the corporate world as well.

Doing your job is hard but not impossible: analyse why the security measures failed, and correct the problem. If the measures are wrong, try something new. Like, in the case of transportation security, sedating all passengers.

It is okay to acknowledge your errors. But it is the very definition of waste not to, and to keep doing the same thing. Take information security. Firewalls don't work? Implement more firewalls. Intrusion detection systems don't detect intrusions? Rename them intrusion prevention systems, and spend some more. Sound familiar?

Posted by Slav | with no comments

Windows file server performance optimization

Back up the registry first, replace {INTERFACE NUMBER} in the Tcpip key below with the GUID of the interface you want to tune, then merge this into the registry, reboot and enjoy increased performance:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisable8dot3NameCreation"=dword:00000001
"NtfsMemoryUsage"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NumTcbTablePartitions"=dword:00000008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{INTERFACE NUMBER}]
"TcpAckFrequency"=dword:0000000d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"PagedPoolSize"=dword:ffffffff
"LargeSystemCache"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Executive]
"AdditionalDelayedWorkerThreads"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcXdr\Parameters]
"DefaultNumberOfWorkerThreads"=dword:00000040

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NfsSvr\Parameters]
"OptimalReads"=dword:00000001
"RdWrHandleLifeTime"=dword:0000000a
"RdWrNfsReadHandlesLifeTime"=dword:0000000a
"RdWrNfsHandleLifeTime"=dword:0000003c
"RdWrThreadSleepTime"=dword:0000003c
"SecureHandleLevel"=dword:00000000
"NfsHandlesCacheSizeLowWatermark"=dword:003d08ce
"NfsHandlesCacheSizeMax"=dword:003d0900
"NtfsHandlesCacheSizeLowWatermark"=dword:000249be
"NtfsHandlesCacheSizeMax"=dword:000249f0
"FileHandleCacheSizeInMB"=dword:3de00000
"LockFileHandleCacheInMemory"=dword:00000001
"MaxIcbNfsReadHandlesCacheSize"=dword:00001f40


Also check the NTFS log size (chkdsk /L) and increase it to 65536 KB if it isn't already that size. That covers Windows CIFS and NFS and was tested on 32-bit Windows 2003 (I believe W2K8 and 64-bit platforms can be optimised the same way, but I have yet to test that). The settings come from the SPEC file server benchmark results and configuration notes for the HP ProLiant DL585 G2 Storage Server. Two caveats: NtfsDisable8dot3NameCreation only stops short names being generated for new files (existing ones remain), and some legacy installers and 16-bit applications still depend on them, so test that first; and the RpcXdr and NfsSvr keys only apply where Server for NFS is installed.

Check out the other systems and results; there is some interesting information there.

It is a good idea to measure performance before and after changing the system parameters. You don't need to buy the SPEC benchmark to do that; free tools are available. Stay tuned for some details, or search away (if your OS of choice is Windows, use "sqlio" as the search term).

Posted by Slav | with no comments

How not to make decisions

In the past week I had a number of discussions about information security and technology in general. With colleagues, we identified a few common patterns in corporate decision-making, and they are case studies in how decisions should not be made. Here are some examples:

We need mature solutions. Can anybody define maturity when it comes to IT? Is IntranetWare a mature solution for network file and print services? Whenever you hear maturity, business acumen or something like that, reach for your wallet. Fact: early adoption of technology works better in most cases. That's because you get better support from the technology partner, more features, more time before the next upgrade, and staff who feel good because they are working on something new.

Everyone else does it, so it must be good. This is the "best practice" fallacy. Cases in point: do not broadcast the WLAN SSID; VLANs are for security; and multihoming servers (with separate physical connections into different security zones) is a security feature. These myths don't withstand a reality check (e.g. scenario-based threat analysis), but they persist in people's minds and get embedded in assorted standards like PCI, resulting in costlier infrastructures that are more complex to build and support.

We don't really know what we're doing, but let's do it anyway. That is, decisions large and small are made on the basis of uncertainty and lack of knowledge. Cases in point: we don't know what this software update does, so let's have a full system restore as the backout plan; I heard that a virtual machine will have some kind of issue running our application, so please use physical hardware (that one came from a Microsoft engineer, with no details of the issue given despite repeated questions); and we don't know how the database server will perform when the database reaches 4 TB, so let's go Oracle RAC. If you don't know what the software update does, find out by looking inside the installation package. If you have concerns about database performance, create a performance baseline and try to come up with an automated stress test of some sort; the database size by itself doesn't mean much.

Decisions should be made based on knowledge and facts.

Posted by Slav | 1 comment(s)

US Senate: security through (more) bureaucracy

When I first read the news on the Washington Post web site, I thought it was a 1 April joke: Senate Legislation Would Federalize Cybersecurity. April Fools' Day has come and gone, but all the signs are that this is for real: the press releases trumpeting the arrival of the legislation are still there. The bill's summary is available from the US Senate Web site (I cannot find the full text of the proposed legislation yet). The problem definition is typical scaremongering:

This comprehensive legislation addresses our country’s unacceptable vulnerability to massive cyber crime, global cyber espionage, and cyber attacks that could cripple our critical infrastructure. We presently have systems to protect our nation’s secrets and our government networks against cyber espionage, and it is imperative that those cyber defenses keep up with our enemies’ cyber capabilities. However, another great vulnerability our country faces is the threat to our private sector critical infrastructure–banking, utilities, air/rail/auto traffic control, telecommunications–from disruptive cyber attacks that could literally shut down our way of life.

So get ready for a digital Pearl Harbor. The real one, the Conficker worm (another April Fools' event, which some described as exactly that), caused zero noticeable impact.

Coming from professional politicians, the bill unsurprisingly proposes to improve the cybersecurity situation by introducing a colossal new bureaucracy, headed by a US Cybersecurity Fuehrer (or Tzar, or Leader, if you wish). If it becomes law, the government will have control over information security matters in the private sector:

The legislation would require the National Institute of Standards and Technology to establish measureable and auditable cybersecurity standards that would be applicable both to government and the private sector.

Although the press release and the summary specifically mention critical infrastructure controlled by private entities (utilities, banking, transportation, health and telecommunications), apparently the bill's scope is not limited to those. That would dwarf the Sarbanes-Oxley and HIPAA information security rackets and create a massive compliance burden on the economy. Layers upon layers of firewalls, "endpoint security" and "intrusion prevention" technologies, and regular compliance audits may become mandated by law.

The bill would also attempt to place a dollar value on cybersecurity risk. Ironically placed under the "Foster innovation" section, it means this:

The legislation would require the Advisor to provide a report on the feasibility of creating a market for cybersecurity risk management, to include civil liability and government insurance.

Welcome to the cybersecurity cap-and-trade scheme!

This is not the first attempt to create cybersecurity bodies in the government. Think of the DHS and its Cybersecurity Center, the people who brought us this:

Current Threat Level

Yet according to the senators all the efforts have basically failed. Maybe that signifies a problem with the approach? It does. Government-mandated dogma is not a substitute for a pragmatic approach to security threats.

Posted by Slav | with no comments

Compliance is not security

Tim Holman comments on the latest card processing system breach:

Heartland Payment Systems (HPY) on Tuesday disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants:

http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm

I took a moment to see if they were PCI Compliant and they were audited in March 2008 by Trustwave:

http://www.mastercard.com/us/sdp/assets/pdf/Compliant%20Service%20Providers%20-%20January%2015%202009.pdf

QSAs cannot be held liable for customer breaches, but seeing as the compromise occurred only a few months after their final audit, it does bring into question PCI DSS auditing practices and whether or not they're just a 'tick in the box' or actually leave companies with a long-lasting compliance strategy that actually helps merchants/service providers remain compliant.

Yes, they are just a tick in the box. Look at any security certification audit: it is mostly a hands-off process confined to a scope that leaves most windows of opportunity out, and the auditors have no accountability for the ongoing security of the business. Corporate bureaucracies magnify the problem by resisting changes (and real security tests) that originate within the organisation, and by putting most of their trust in assorted audits instead. "Audit remediations" get more focus and resources than the real issues. In too many cases, internal security operations give up on security and become compliance-driven. That is a recipe for trouble.

One might say that something is better than nothing. I reject that notion: it is better to do nothing than to spend time and money on something that results in a worthless certification while security stays poor. HPY is yet more proof.

Posted by Slav | 2 comment(s)

Let's have a security czar?

First, a follow-up to my previous message: it turns out that the investment is to be twice what was initially indicated, resulting in half the jobs, and the jobs will be of all kinds, not green only. Good luck.

Now, there's something of more concern than just hot-air promises: the information security industry is asking Mr. Obama to appoint a security czar. Since all the signs point to more regulation from the nanny state, this might as well become a reality. The report - Securing Cyberspace for the 44th Presidency - is written in typical bureaucratic style. If you have the courage to read it, you'll find a few fascinating ideas. For example, the authors come up with an enabler for online collaboration:

Our proposed management structure would enable a collaborative social network among the offices and functions involved in cyberspace.

I can only recall the previous make-work program for information security people, the Sarbanes-Oxley Act implementation. At huge cost, that resulted in exactly nothing.

Now is the chance to dwarf SarbOx with something bigger and more ridiculous.

Posted by Slav | with no comments

Election day mathematics

Reading the US presidential candidates' final pleas, one sentence in Sen. Obama's The Change We Need piece drew my attention:

I'll invest $15 billion a year over the next decade in renewable energy, creating five million new, green jobs that pay well, can't be outsourced, and can help end our dependence on Middle East oil.

That's right - a $3000 investment will create a well-paying, stable job. However you stretch the plan, this is still bulldust. I wouldn't vote for lies or utopia.

Posted by Slav | with no comments

OLPC solves all security problems, among others

Ivan Krstic's presentation at AusCERT 2007 (PDF) is fascinating reading. Until today I didn't realise that OLPC not only offers a solution to the world's educational woes, but also facilitates system security in a completely new way - that is, it finally eliminates all opportunities for malware to exist.

Except that the way isn't completely new. In his writing Ivan suggests that before the UNIX process model was invented in 1971, computer systems were running explicitly trusted code only:

No conceivable way for untrusted code to “appear” on a machine. You had to physically put it there via tape or punched card. 

My recollection is a little different: punch cards were prepared by one group of people (users) and processed by another (operators), who had little interest in the code they were running. Getting elevated privilege on the mainframe was not only fun, but kind of essential for getting things done - otherwise your program would be allocated miserable resources and you'd have to wait for ages for the output. Some clever JCL jiggery-pokery did help a lot, as did interactive systems supporting terminals.

Ivan reiterates the mantra of users' dumbness by default, suggesting that they be given no choice, for fear the user will degrade the system's security:

To users, security dialogs are a black box where clicking ’Permit’ or ’Allow’ maximizes the likelihood of getting their work done.

The user is the fundamental problem:

We have failed as an industry, and modern desktop security is completely broken as a result. Put differently, it’s about the user, not about TCP/IP, or SSL, or AES, or IPSEC. The user.

Ivan goes on to introduce Bitfrost, a part of the OLPC system software that uses virtualisation to prevent malware from having an impact on the system:

Main idea: run each application in its own virtual machine (really, OS container or zone). Give each program only the permissions it needs. With this approach, viruses and spyware largely “go away”.

Just like Java virtual machines: isolated, and with limited, explicitly given permissions to interact outside of the VM.

Unfortunately, Ivan repeats unsubstantiated legends about malware on personal devices in order to sell his novel concept:

We’ve seen limited for-profit malware on mobile devices. Now there’s universal malware for Symbian. 

No, we haven't seen that - we have only heard about the possibility of its existence - and there is no universal malware for Symbian. In fact, here's the situation with malware on mobile devices:

  • No viruses on Symbian platform;
  • No viruses on Windows Mobile;
  • No viruses on Apple iPhone; and
  • No viruses on BlackBerry.

And no credible reports of serious data theft from those. A pretty good situation, well before the OLPC. I'm hugely optimistic about the upcoming Microsoft Windows XP-based personal devices, too.

And I don't believe that users are dumb to the extent that a few software developers can make security decisions on their behalf.

Posted by Slav | with no comments

Disabling Syskey startup password

So it happened: Windows starts up and asks for a password, and you don't know what it is. Either you forgot it, or you never knew it. This is Syskey in action. What to do?

You can try brute forcing the password. Syskey gives unlimited tries. After the first hundred you'll come to the conclusion that brute forcing is overrated. And there are no reliable tools that will help with brute forcing the Syskey password.

You can forcibly switch Syskey off. The best tool for it is the Offline NT Password & Registry Editor, commonly known as NTPasswd. The bootable Linux-based CD image is just over 3MB, contains many SCSI drivers as well as a read-write NTFS driver, and has an intuitive text menu-based UI. It allows disabling Syskey. But there will be side effects:

  • All locally stored encryption keys will become invalid;
  • You will not be able to connect to Terminal Services - it's using encryption keys for session security;
  • IIS-based services (W3SVC, SMTP and depending Exchange services) will not start - parts of Metabase are encrypted, and the keys aren't available;
  • Any service running not as LocalSystem will not start. You'll need to reset the credentials cache. The easiest way is to set the service to run as LocalSystem, and then change it back to the service account;
  • Same applies to scheduled tasks;
  • All EFS-encrypted data, including that encrypted with the system key, will be permanently lost.

So the system will be severely damaged after it comes back up. Only do this to recover the latest data. If you need more, always back up System State offline. And do not forget to test restoration before an incident happens.

Posted by Slav | 6 comment(s)

Motorola's Ed Zander reinvents SIM

With all the buzz around major US wireless operators opening their networks to devices bought by the users, one may wonder if those businesspeople understand what they're talking about. There's no need to open anything at all in the GSM and 3G (UMTS etc.) worlds. CDMA was trickier, but you could usually talk a support person on the phone into connecting anything, provided you paid your account. So opening up varies from a symbolic act to... a symbolic act. There's no need to reinvent the concept of openness.

Motorola CEO Ed Zander reinvents another concept - SIM, the Subscriber Information Module. Here's what he said in a recent magazine interview:

Eventually, you'll have one SIM card for your mobile devices, and when you plug that card in, it will recognize the device and shut off all your other devices.

Some news for Mr. Zander: this is exactly how SIM always worked.

"Business intelligence" is a category of software packages that helps organisations - and the execs - understand their business. Mr. Zander needs some, or Motorola is in big trouble.


Posted by Slav | with no comments

Wireless network in Canberra's Parliament House

Recently I visited Australia's Parliament House in Canberra. Like the parliaments of many other democratic countries, it is open for public access. Notably, there was no wireless LAN available. Not for long: implementation of a wireless network is forthcoming.

There are many interesting bits and pieces in the information. The focus on security is understandable. I do not expect the implementation to be anything extraordinary - the usual mixture of Cybertrust consultants, DSD analysts and government bureaucrats working on a rather predictable solution (my bet is on a wholesale implementation of Cisco equipment and software, and certificate-based authentication). One thing that draws attention is that the intention is to provide wireless internet access capability to building occupants and visitors to the building such as delegates and invited guests. No public access.

That would be wrong. Australia needs to set an example by providing free-for-all wireless Internet access in the Parliament House. This would be a token of the Labor government's commitment to a broadband future for Australia. We have free parking at the House, why not free Internet?

Technically, providing public Internet access is not too hard, and it will only marginally increase the cost of the project. You create a separate SSID (open access), connect the clients to a separate VLAN, and route that outside of the government's firewall. Traffic shaping optional. Guests never really hit the "internal" network above the physical layer (which, being radio spectrum, is available to anybody anyway). If I'm right and Canberra goes with a Cisco solution, this detailed guide is available.

I have emailed my MP asking for Internet access for the general public. We'll see what comes out of it. Next time I'm going to Canberra I'm taking my laptop loaded with all the wireless tools to check out what the solution is.

Posted by Slav | with no comments

What telephone is more secure?

On the more absurd side of security debates, a new one has emerged: what is more secure - Apple iPhone or Google Android?

Yes, we have yet to see Google's product, but some guys are happy to talk. They happen to be security product vendors and security consultants. For example:

Gphone is open source, which means it can get a good kicking and shoeing, and can be worked on by just about anyone. It's starting out in a better way than the iPhone, which has seen vulnerabilities. However, any new consumer won't be secure when the first product comes out.

This comes from Ben Whitaker, head of security at mobile security development company Masabi. I'm puzzled. We haven't seen anybody who has been impacted by vulnerabilities in the iPhone. The same goes for other mobile platforms that already exist - Symbian, Windows Mobile and BlackBerry. Interestingly: the iPhone runs Mac OS X, with a Darwin core that is a derivative of FreeBSD, open and free as in fish and chips; Windows Mobile is based on Windows CE - you can get the source and modify it; and Linux is Linux. SDKs, APIs and emulators are widely available for all telephone platforms. And users mostly run in a privileged context (as in: root, or can do anything on the system).

But where are the evil hackers? There is more talk of vulnerabilities than there are vulnerabilities, let alone real exposures. New telephone platforms are the proof that security is changing, and the industry has to change from its current focus.

Posted by Slav | 1 comment(s)

Pictures at a VMWare Exhibition

Not really pictures, but a few notes from the recent VMWare Virtualisation Forum - the regional mini-VMWorld. It started with a lot of pictures - trees, water, animals and I think smiling babies. When an event starts with those, expect a lot of marketing dung - and we got plenty in a day. For example, one of the VMWare keynote speakers said that virtualisation is the only way to manage hardware resources efficiently. Or, in the words of BEA's leaflet: Virtualization: Same Servers, More capacity. As if the hypervisor and the OS image per guest take none. Or perhaps this apparent inefficiency is compensated for by the flexibility to allocate more resources, should the need arise. If you cannot effectively manage resources on physical servers, you're likely to waste them in virtual ones. Virtualisation just gives a chance for a fresh start - and some different tools.

VMWare's updated product line includes an OS patching solution that will allow patching systems that are shut down. Virtually shut down, of course. I believe this is the industry's first. My concern is that VMWare is losing focus: they shouldn't really go into patching and software delivery.

Both EMC and Network Appliance were presenting their storage offerings. Virtualisation requires shared storage, and those vendors are ready to sell - at a premium price. One thing they aren't interested in is enterprise storage commoditisation (despite the fact that commoditisation would allow them to enter the mass market). But NetApp mentioned something that is definitely worth noting: good old NFS provides a solid and viable alternative to Fibre Channel- and iSCSI-connected storage. This blog explains why: VMWare over NFS. Suddenly NFS is making a comeback. Enterprise-class virtualisation with commodity and/or open source storage is coming.

Also both storage vendors presented their backup offerings. Two main points: direct-from-storage backups and data de-duplication. Watch the space - backups may finally become reliable and usable!

IBM was touting a new server. While doing that they admitted that the big-iron, multi-CPU approach is much better than using blades. Surprisingly, many people believe that blade servers are the best for virtualisation - in fact, the opposite is true.

Wyse and HP pushed their desktop virtualisation solutions - i.e. thin clients. After so many failures, will thin client solutions succeed? I'm sceptical. Virtual desktops tend to be more expensive than traditional desktops. But the functionality is less crippled this time around - thanks to a full dedicated OS image per client.

Overall, the virtualisation drive is a welcome shakeup of the industry. But promises - and expectations - tend to be overblown.

Posted by Slav | with no comments

Capturing Windows user logon traffic

I don't need to go into many details about the startup process and the importance of analysing it in case of problems. Here's how I do it:

The tools: Wireshark (for tshark), Sysinternals PsTools (for pslist) and the Windows Resource Kit (for the Autoexnt service and sleep).

Install the tools, accepting all defaults (you should always go with defaults unless you have really good reasons not to - and security through obscurity is not one). Follow the Resource Kit documentation to install the Autoexnt service, using the interactive option.

The most important information that is not in the network traffic capture is the process map - the information that allows you to identify which processes are making connections.

I'm using the c:\tmp folder for the captures and other files. This is the autoexnt.cmd file:

@echo off
rem Keep the previous run's capture and log under a different name (skip on first run)
if exist c:\tmp\capture.cap move /Y c:\tmp\capture.cap c:\tmp\captureX.cap
if exist c:\tmp\capturelog.txt move /Y c:\tmp\capturelog.txt c:\tmp\capturelogX.txt
rem Start tshark in its own window; -i is the interface number from "tshark -D"
start "tshark" /D "C:\Program Files\Wireshark" tshark.exe -i 2 -w c:\tmp\capture.cap
:loop
rem Once a second: timestamp, then connection table with PIDs, then process list
cscript //Nologo c:\tmp\now.vbs >> c:\tmp\capturelog.txt
netstat -ano >> c:\tmp\capturelog.txt
pslist >> c:\tmp\capturelog.txt
sleep 1
goto loop

In the tshark command line options, the interface number (the -i option) may be different on your system - use "tshark -D" to list the interfaces on your system. I found that in some cases tshark has visibility of all interfaces on the system whereas the Wireshark GUI doesn't let you choose the right interface. Now.vbs prints the current time with seconds. The whole script is:

WScript.Echo Now

After rebooting the computer and logging the user on, there will be two windows on the screen - cmd.exe and tshark.exe. Close both - you'll find the traffic capture in c:\tmp\capture.cap and the process/connection lists in c:\tmp\capturelog.txt. That's enough information to do the analysis.

The beauty of the approach is that no hubs or switches are involved, and all of it can be done remotely. Evidently, both scripts and the approach can be improved in many ways. Suggestions welcome.
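The process map has to be pulled out of capturelog.txt by hand. The following is an added example (not from the post) of a Python script that does that: it splits the log into the per-second snapshots the loop writes, joins each netstat -ano row to the pslist row with the same PID, and records when each connection was first seen, so it can be lined up against packet timestamps in capture.cap. The log contents are constructed, and the timestamp pattern assumes the en-AU/en-US style output of VBScript's Now.

```python
import re

# Constructed sample of capturelog.txt as written by the autoexnt.cmd loop:
# a now.vbs timestamp, then "netstat -ano" rows, then "pslist" rows, once a second.
# Banner and header lines are mostly omitted for brevity; the parser skips them anyway.
SAMPLE_LOG = """\
1/03/2009 8:15:02 AM
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1045      192.168.1.5:445        ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    640
Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
System                4   8  62  512      0     0:00:02.000     0:00:45.000
lsass               640   9  20  400   3000     0:00:00.200     0:00:41.000
svchost             884   8  10  250   1500     0:00:00.100     0:00:40.000
1/03/2009 8:15:03 AM
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1045      192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.10:1046      192.168.1.20:389       SYN_SENT        640
  UDP    0.0.0.0:500            *:*                                    640
System                4   8  62  512      0     0:00:02.000     0:00:45.000
lsass               640   9  20  400   3000     0:00:00.200     0:00:41.000
svchost             884   8  10  250   1500     0:00:00.100     0:00:40.000
"""

# Assumption: "Now" prints like "1/03/2009 8:15:02 AM"; adjust the pattern for other locales.
TIMESTAMP_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}(?: [AP]M)?$")
PSLIST_RE = re.compile(r"^(\S+)\s+(\d+)\s+\d+\s+\d+\s+\d+")  # name pid pri thd hnd ...

def parse_capturelog(text):
    """Split the log into one snapshot per timestamp: time, netstat rows, pid->name."""
    snapshots, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if TIMESTAMP_RE.match(stripped):
            current = {"time": stripped, "conns": [], "procs": {}}
            snapshots.append(current)
        elif current and stripped.startswith(("TCP ", "UDP ")):
            parts = stripped.split()                      # netstat -ano row
            state = parts[3] if len(parts) == 5 else ""   # UDP rows carry no state
            current["conns"].append((parts[0], parts[1], parts[2], state, int(parts[-1])))
        elif current and (m := PSLIST_RE.match(line)):    # pslist rows start in column 1
            current["procs"][int(m.group(2))] = m.group(1)
    return snapshots

def process_map(snapshots):
    """First sighting of each (proto, local, foreign) with the PID resolved to a process name."""
    first = {}
    for snap in snapshots:
        for proto, local, foreign, state, pid in snap["conns"]:
            key = (proto, local, foreign)
            if key not in first:
                first[key] = {"time": snap["time"], "pid": pid,
                              "process": snap["procs"].get(pid, "unknown"), "state": state}
    return first
```

Feed it the real capturelog.txt and the resulting map tells you, for each socket in the capture, which process opened it and in which second, which is what you match against the packet timestamps.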

Posted by Slav | with no comments