Risque Management

Windows file server performance optimization

Slav — Fri, 24 Apr 2009 06:02:00 GMT

Merge this into the registry, reboot and enjoy increased performance:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisable8dot3NameCreation"=dword:00000001
"NtfsMemoryUsage"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NumTcbTablePartitions"=dword:00000008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{INTERFACE NUMBER}]
"TcpAckFrequency"=dword:0000000d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"PagedPoolSize"=dword:ffffffff
"LargeSystemCache"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Executive]
"AdditionalDelayedWorkerThreads"=dword:00000020
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcXdr\Parameters]
"DefaultNumberOfWorkerThreads"=dword:00000040

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NfsSvr\Parameters]
"OptimalReads"=dword:00000001
"RdWrHandleLifeTime"=dword:0000000a
"RdWrNfsReadHandlesLifeTime"=dword:0000000a
"RdWrNfsHandleLifeTime"=dword:0000003c
"RdWrThreadSleepTime"=dword:0000003c
"SecureHandleLevel"=dword:00000000
"NfsHandlesCacheSizeLowWatermark"=dword:003d08ce
"NfsHandlesCacheSizeMax"=dword:003d0900
"NtfsHandlesCacheSizeLowWatermark"=dword:000249be
"NtfsHandlesCacheSizeMax"=dword:000249f0
"FileHandleCacheSizeInMB"=dword:3de00000
"LockFileHandleCacheInMemory"=dword:00000001
"MaxIcbNfsReadHandlesCacheSize"=dword:00001f40

Also, check the NTFS log size (chkdsk /l) and increase it to 65536 KB in case it isn't already of that size. That covers Windows CIFS and NFS and was tested on 32-bit Windows 2003 (yet I believe W2K8 and 64-bit platforms also can be optimised this way, will test). This comes from the SPEC file server benchmarking results and configuration notes for HP ProLiant DL585 G2 Storage Server.

Check out other systems and results - some interesting information there.

It is a good idea to check the performance before and after changing the system parameters. You don't need to purchase SPEC tests to do that - there are free tools available. Stay tuned for some details, or search away (if your OS of choice is Windows, use "sqlio" as the search criteria).

How not to make decisions

Slav — Mon, 13 Apr 2009 01:39:00 GMT

In the past week, I had a number of discussions about information securtity and technology in general. With colleagues, we identified few common patterns about decision-making in corporate environments - and those are case studies on how decisions shouldn't be made. Here's examples:

We need mature solutions. Can anybody define maturity when it comes to IT? Is Intranetware mature solution for network file and print services? Whenever you hear maturity or business acumen, or something like that, reach out for your wallet. Fact: early adoption of technology works better in most cases. That's because you have better support from the technology partner, more features, more time before upgrade, and staff that feels good because they are working on something new.

Everyone else does it, so it must be good. This is the "best practice" fallacy. Cases in point: do not broadcast WLAN SSID; VLANs are for security; and multihoming servers (and having separate physical connections to different security zones) is a security feature. The myths don't withstand reality check (eg scenario-based threat analysis) but they persist in minds and get embedded in assorted standards like PCI - resulting in costlier infrastructures that are more complex to build and support.

We don't really know what we're doing but let's do it anyway. Tha is, decisions large and small are made based on uncertainty and lack of knowledge. Cases in point: we don't know what this software update is doing so let's have full system restore as the backout plan; I heard that virtual machine will have some kind of issue running our application so please use physical (the last one comes from Microsoft engineer, no details as to the issue given despite repeated questions); and we don't know how the database server will perform when the database size will reach 4TB so let's go Oracle RAC. If you don't know what the software update is doing - find out by looking in the installation package. If you have concerns abouth the database performance - create performance baseline and try to come up with automated stress test of some sort; the database size itself doesn't mean much.

Decisions should be made based on knowledge and facts.

US Senate: security through (more) bureaucracy

Slav — Sat, 04 Apr 2009 23:15:00 GMT

When I first read the news on the Washington Post web site, I thought this is a 1 April joke: Senate Legislation Would Federalize Cybersecurity. The April Fool's day has come and gone but all the signs are to that this is for real: the press releases trumpeting arrival of the legislation are still there. The bill's summary is available from the US Senate Web site (I cannot find the full text of proposed legislation yet). The problem definition is a typical scaremongering:

This comprehensive legislation addresses our country’s unacceptable vulnerability to massive cyber crime, global cyber espionage, and cyber attacks that could cripple our critical infrastructure. We presently have systems to protect our nation’s secrets and our government networks against cyber espionage, and it is imperative that those cyber defenses keep up with our enemies’ cyber capabilities. However, another great vulnerability our country faces is the threat to our private sector critical infrastructure–banking, utilities, air/rail/auto traffic control, telecommunications–from disruptive cyber attacks that could literally shut down our way of life.

So get ready for digital Pearl Harbor. Real one: Conficker virus, another April Fools' event, which some described as just that, caused zero noticeable impact.

Coming from professional politicians, the bill unsurprisingly proposes to improve the cybersecurity situation by introducing colossal new bureaucracy, headed by the US Cybersecurity Fuehrer (or Tzar, or Leader, if you so wish). If it becomes a law then the governemnt will have control over information security matters in private sector:

The legislation would require the National Institute of Standards and Technology to establish measureable and auditable cybersecurity standards that would be applicable both to government and the private sector.

Although the press release and the summary mention specifically critical infrastructure controlled by private entities - utilities, banking, transportation, health and telecommunications - apparently the bill's scope is not limited thereto. That would dwarf Sarbanes-Oxley and HIPAA information security rackets and create massive compliance burden on the economy. Layers upon layers of firewalls, "endpoint security" and "intrusion prevention" technologies, and regular compliance audits may become mandated by the law.

The bill would also attempt to place a dollar value on cybersecurity risk. Ironically placed uder the Foster innovation section, it means this:

The legislation would require the Advisor to provide a report on the feasibility of creating a market for cybersecurity risk management, to include civil liability and government insurance.

Welcome to the cybersecurity cap-and-trade scheme!

This is not the first attempt to create cybersecurity bodies in the government. Think of the DHS and its Cybersecurity Center, the people who brought us this:

Yet according to the senators all the efforts have basically failed. Maybe that signifies a problem with the approach? It does. Government-mandated dogma is not a substitute for a pragmatic approach to security threats.

Compliance is not security

Slav — Mon, 16 Feb 2009 02:50:00 GMT

Tim Holman comments on the latest card processing system breach:

Heartland Payment Systems (HPY) on Tuesday disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants:

http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm

I took a moment to see if they were PCI Compliant and they were audited in March 2008 by Trustwave:

http://www.mastercard.com/us/sdp/assets/pdf/Compliant%20Service%20Providers%20-%20January%2015%202009.pdf

QSAs cannot be held liable for customer breaches, but seeming the compromise occurred only a few months after their final audit it does bring into question PCI DSS auditing practices and whether or not they're just 'tick in the box' or actually leave companies with a long-lasting compliance strategy that actually helps merchants/service providers remain compliant.

Yes, they are just tick in the box. If you look at a security certification audit (any kind thereof), it's mostly hands-off process confined within a scope that leaves most of windows of opportunity out. And the auditors have no accountability for the ongoing business security. Corporate bureaucracies are magnifying the problems by resisting changes (and real security tests) originating from within the organisation, and putting most trust in the assorted audits instead. "Audit remediations" are getting more focus and resources than the real issues. In too many cases, internal security operations give up security and become compliance-driven. That is a recipe for trouble.

One might say that something is better than nothing. I reject that notion: it is better to do nothing than spend time and money on something that results in worthless certification, while security stays poor. HPY is yet another proof.

Let's have a security czar?

Slav — Tue, 09 Dec 2008 03:10:00 GMT

First, a follow-up to my previous message: it turns out that the investment is to be twice as that initially indicated, resulting in half of the jobs, and the jobs will be all kinds thereof, not green only. Good luck.

Now, there's something that is more of concern than just hot air promises: information security industry is asking Mr. Obama to appoint a security czar. Since all the signs are to more regulation from the nanny state, this might as well become a reality. the report - Securing Cyberspace for the 44th Presidency - is written in typical bureaucratic style. If you have a courage to read it, you'll find few fascinating ideas. For example, the authors come up with enabler for online collaboration:

Our proposed management structure would enable a collaborative social network among the offices and functions involved in cyberspace.

I can only remind about the previous make-work program for information security people, the Sarbanes-Oxley Act implementation. At huge cost that resulted in exactly nothing.

Now is the chance to dwarf SarbOx with somethink bigger and more ridiculous.

Election day mathematics

Slav — Tue, 04 Nov 2008 06:01:00 GMT

Reading the US presidential candidates final pleas, one sentence in Sen. Obama's The Change We Need piece drew may attention:

I'll invest $15 billion a year over the next decade in renewable energy, creating five million new, green jobs that pay well, can't be outsourced, and can help end our dependence on Middle East oil.

That's right - a $3000-dollar investment will create a well-paying, stable job. However you stretch the plan, this is still bulldust. I wouldn't vote for lies or utopia.

OLPC solves all security problems, among others

Slav — Sun, 04 May 2008 09:10:00 GMT

Ivan Krstic's presentation at AusCERT 2007 (PDF) is a fascinating reading. Until today I didn't realise that OLPC not only offers a solution to the world's educational woes, but also facilitates system security in a completely new way - that is, finally eliminates all opportunities for malware to exist.

Except that the way isn't completely new. In his writing Ivan suggests that before UNIX process model was invented in 1971, computer systems were running explicitely trusted code only:

No conceivable way for untrusted code to “appear” on a machine. You had to physically put it there via tape or punched card.

My recollection is a little different - punch cards were prepared by one group of people (users), and processed by another (operators) - who have little interest in the code they are running. Getting elevated privilege on the mainframe was not only fun, but kinda essential for getting things done - or your program will be allocated miserable resources and you'll have to wait for ages for the output. Some clever JCL jiggery-pokery did help a lot, so did interactive systems supporting terminals.

Ivan re-iterates the mantra about users' dumbness by default, suggesting not giving any choice for the fear the user will degrade the systems security:

To users, security dialogs are a black box here clicking ’Permit’ or ’Allow’ maximizes the likelihood of getting their work done.

User is the fundamental problem:

We have failed as an industry, and modern desktop security is completely broken as a result. Put differently, it’s about the user, not about TCP/IP, or SSL, or AES, or IPSEC. The user.

Ivan goes on to introduce Bitfrost, a part of the OLPC system software that is using virtualisation to prevent malware from making impact on the system:

Main idea: run each application in its own virtual machine (really, OS container or zone). Give each program only the permissions it needs. With this approach, viruses and spyware argely “go away”.

Just like Java virtual machines. Isolated and with limited, explicitely given permissions to interact outside of the VM.

Unfortunately, Ivan repeats unsibstantiated legends about malware on the personal devices in order to sell his novel concept:

We’ve seen limited for-profit malware on mobile devices. Now there’s universal malware for Symbian.

No, we haven't seen that - only heard about possibility of its existence - and there is no universal malware for Symbian. In fact, here's the situation with malware on mobile devices:

No viruses on Symbian platform;
No viruses on Windows Mobile;
No viruses on Apple iPhone; and
No viruses on BlackBerry.

And no credible reports of serious data theft from those. Pretty good situation, well before the OLPC. I'm hugely optimistic about upcoming Microsft Windows XP-based personal devices, too.

And I don't believe that users are dumb to an extent that few software developers can make security decisions on their behalf.

Disabling Syskey startup password

Slav — Mon, 28 Jan 2008 00:50:00 GMT

So it happened: Windows starts up and asks for a password, and you don't know what that is. Either forgot, or didn't know the password. This is Syskey in action. What to do?

You can try brute forcing the password. Syskey gives unlimited tries. After the first hundred you'll come to the conclusion that brute forcing is overrated. And there are no reliable tools that will help brute forcing Syskey password.

You can forcibly switch Syskey off. The best tool for it is the Offline NT Password & Registry Editor, commonly known as NTPasswd. The bootable Linux-based CD image is just over 3MB, contains many SCSI drivers as read-write NTFS driver, as has intuitive text manu-based UI. It allows disabling Syskey. But there will be side effects:

All locally stored encryption keys will become invalid;
You will not be able to connect to Terminal Services - it's using encryption keys for session security;
IIS-based services (W3SVC, SMTP and depending Exchange services) will not start - parts of Metabase are encrypted, and the keys aren't available;
Any service running not as LocalSystem will not start. You'll need to reset the credentials cache. The easies way is to set the service to run as LocalSystem, and then change again to a service account;
Same applies to scheduled tasks;
All EFS-encrypted data, including that encrypted with the system key, will be permanently lost.

So the system will be severely damaged after it comes back up. Only do this to recover the latest data. If you need more - always back up System state offline. And do not forget test restoration before an incident happens.

Motorola's Ed Zander reinvents SIM

Slav — Mon, 10 Dec 2007 08:09:00 GMT

With all the buzz around major US wireless operators opening their networks to devices bought by the users, one may wonder if those businesspeople understand what they're talking about. There's no need to open anything at all in GSM and 3G (UMTS etc) worlds. CDMA was trickier but you usually could talk support person on the phone into connecting anything, provided you pay accounts. So opening up varies from symbolic act to... symbolic act. There's no need to reinvent the concept of openness.

Motorola CEO Ed Zander reinvents another concept - SIM, the Subscriber Information Module. here's what he said in a recent magazine interview:

Eventually, you'll have one SIM card for your mobile devices, and when you plug that card in, it will recognize the device and shut off all your other devices.

Some news for Mr. Zander: this is exactly how SIM always worked.

"Business intelligence" is category of software packages that helps organisations - and the execs - understand their business. Mr. Zander needs some, or Motorola is in big trouble.

Wireless network in Canberra's Paliament House

Slav — Sat, 01 Dec 2007 07:44:00 GMT

Recently I have visited Australia's Parliament House in Canberra. As parliaments of many other democratic countries, it is open for public access. Notably, there was no wireless LAN available. Not for long - implementation of
wireless network is forthcoming.

There are many interesting bits and pieces in the information. Focus on security is understandable. I do not expect the implementation be anything extraordinary - our usual mixture of Cybertrust consultants, and DSD analysts and government bureaucrats working on rather predictable solution (my bet is on wholesale implementation of Cisco equipment and software, and certificate-based authentication). One thing that draws attention is that the intention is to provide wireless internet access capability to building occupants and visitors to the building such as delegates and invited guests. No public access.

That would be wrong. Australia needs to set example by providing free-for-all wireless Internet access in the Parliament House. This will be a token of Labor government's commitment to the broadband future for Australia. We have free parking at the House, why not free Internet?

Technically, providing public Internet access is not too hard, and it will only marginally increase the cost of the project. You create a separate SSID (open access), connect the clients to a separate VLAN, and route that outside of the government's firewall. Traffic shaping optional. Guests never really hit the "internal" network above the physical layer (which, being radio spectrum, is available to anybody anyway). If I'm right and Canberra goes with Ciso solution, this detailed guide is available.

I have emailed my MP asking for Internet access for general public. We'll see what comes out of it. Next time I'm going to Canberra I'm taking my laptop loaded with all the wireless tools to check out what the solution is.

What telephone is more secure?

Slav — Sat, 10 Nov 2007 05:12:00 GMT

On the more absurd side of security debates, new one has emerged: what is more secure - Apple iPhone or Google Android?

Yes, we have yet to see Google's product, but some guys are happy to talk. They happen to be security product vendors and security consultants. For example:

Gphone is open source, which means it can get a good kicking and shoeing, and can be worked on by just about anyone. It's starting out in a better way than the iPhone, which has seen vulnerabilities. However, any new consumer won't be secure when the first product comes out.

This comes form Ben Whitaker, head of security at mobile security development company Masabi. I'm puzzled. We haven't seen anybody who has been impacted by vulnerabilities in iPhone. Same goes for other mobile platforms that already exist - Symbian, Windows Mobile and BlackBerry. Interestingly: iPhone runs Mac OS X, with Darwin core that is a derivative of FreeBSD, open and free as in fish and chips; Windows Mobile is based on Windows CE - you can get the source and modify it; and Linux is Linux. SDKs, APIs and emulators are widely available for all telephone platforms. And users mostly run in privileged context (as in: root, or can do anything on the systems).

But where are the evil hackers? There is more talk of vulnerabilities than there are vulnerabilities, let alone real exposures. New telephone platforms are the proof that security is changing, and the industry has to change from its current focus.

Pictures at a VMWare Exhibition

Slav — Mon, 29 Oct 2007 02:30:00 GMT

Not really pictures but few notes from recent VMWare Virtualisation Forum - the regional mini-VMWorld. It started with a lot of pictures - trees, water, animals and I think smiling babies.When an event starts with those, expect a lot of marketing dung - and we got plenty in a day. For example, one of the VMWare keynote speakers said that virtualisation is the only way to manage hardware resources efficiently. Or, in BEA's leaflet words: Virtualization: Same Servers, More capacity. As if the hypervisor and the OS image per each guest take none. Or this apparent inefficiency is compensated by flexibility allocating more resources, should the need be. If you cannot effectively manage resources on physical servers, you're likely to waste those in virtual. Virtualisation just gives a chance for a fresh start - and some different tools.

VMWare's updated product line includes a OS patching solution that will allow patching systems that are shut down. Virtually shut down, of course. I believe this is the industry's first. My concern is that VMWare is losing focus: they shouldn't really go into patching and software delivery.

Both EMC and Network Appliance were presenting their storage offerings. Virtualisation requires shared storage, and those vendors are ready to sell - at premium price. One thing they aren't interested in is storage enterprise commoditisation (despite the fact that commoditisation will allow them to enter mass market). But NetApp mentioned something that is definitely worth noting: good old NFS provides solid and viable alternative to Fibre Channel- and iSCSI-conected storage. This blog explains why: VMWare over NFS. Suddenly NFS is making a comeback. Enterprise-class virtualisation with commodity and/or open source storage is coming.

Also both storage vendors presented their backup offerings. Two main points: direct-from-storage backups and data de-duplication. Watch the space - backups may finally become reliable and usable!

IBM was touting new server. While doing that they have admitted that big-iron, multi-CPU approach is much better than using blades. Surprisingly many people believe that blade servers are the best for virtualisation - in fact, the opposite is true.

Wyse and HP pushed their desktop virtualisation solutions - e.g. thin clients. After so many failures, will thin client solutions succeed? I'm sceptical. Virtual desktops tend to be more expensive than traditional desktops. But the functionality is less crippled this time around - thanks to full dedicated OS image per client.

Overall, virtualisation drive is a welcome shakeup of the industry. But promises - and expectations - tend to be overblown.

Capturing Windows user logon traffic

Slav — Fri, 12 Oct 2007 00:36:00 GMT

I don't need to go into many details about the startup process and importance of analysing it in case of problems. Here's how I do it:

The tools:

Wireshark (http://www.wireshark.org/)
PSTools (http://www.microsoft.com/technet/sysinternals/Utilities/PsTools.mspx)
Windows ResourceKit tools (http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd)

Install the tools accepting all defaults (you should always go with defaults unless you have really good reasons not to - and security through obscurity is not one). Follow the Resource kit documentation to install Autoexnt service, use interactive option.

The most important information that is not in the network traffic capture is the process map - the information that allows to identify what processes are making connections.

I'm using c:\tmp folder for the captures and other files. This is the autoexnt.cmd file:

@echo off
move c:\tmp\capture.cap c:\tmp\captureX.cap
move c:\tmp\capturelog.txt c:\tmp\capturelogX.txt
start /D"C:\Program Files\Wireshark\" tshark.exe -i 2 -w c:\tmp\capture.cap
:loop
cscript //Nologo c:\tmp\now.vbs >> c:\tmp\capturelog.txt
netstat -ano >> c:\tmp\capturelog.txt
pslist >> c:\tmp\capturelog.txt
sleep 1
goto loop

In the tshark command line options, the interface number (the -i option) may be different on your system - use "tshark -D" to list interfaces on your system. I found that in some cases tshark has visibility of all interfaces on the system whereas Wireshark GUI doesn't let you choose the right interface. Now.vbs prints current time with seconds. The whole script is:

WScript.Echo Now

After rebooting the computer and the user logon there will be two windows on the screen - cmd.exe and tshark.exe. Close both -you'll find the traffic capture in the c:\tmp\capture.cap and process/connection lists in c:\tmp\capturelog.txt. That's enough information to do analysis.

The beauty of the approach is that no hubs or switches are involved, and all of it can be done remotely. Evidently, both scripts and the approach can be improved in many ways. Suggestions welcome.

More daily hacks

Slav — Wed, 26 Sep 2007 08:39:00 GMT

Getting free access to communication services was always one of the primary hacking activities, still is. The recent proliferation of commercial Wi-Fi hotspot networks made them one of the prime targets. Stealing somebody's access by cloning a MAC address or performing a man-in-the-middle attack are well-known techniques. But if there is nobody in the area whose connection is available for stealing?

Nokia to the resque. In some countries (Australia, Indonesia, maybe more) Nokia teamed up with local operators of Wi-Fi hotspot networks to provide free Wi-Fi Internet access to the owners of Nokia N-Series multimedia devices. In Australia, their partner is Azure. The service is available in many locations in Melbourne CBD and also blankets the fun part of Chapel Street in South Yarra - if you're visiting, don't miss the place.

From a user's perspective, the service is same as with any other commercial hotspot - you find the network, associate to Azure, browse anywhere with your Web browser, and you'll be sent to the provider's captive portal. Then you'll see the difference - a "free access for Nokia N series" pictogram. Click on it, and you're logged on. Can browse Internet and place Internet calls with built-in SIP client.

So where's free access in this scenario? Simply put, the provider's authorisation system (that includes the captive portal and some kind of backend) has no way of knowing that I'm using the N Series. I don't know what kind of basic check is conducted by the server - can't figure anything but the MAC address first octets verification - but the onus is basically on me. The good news is that Nokia's product line is great. It gives Mac OS- and Windows-based telephones tun for the money. Symbian OS interface and applications are great, features that inclide full VoIP support (both standards-based and Skype), full support for secure wireless (including support for PEAPv0 that many Windows-centric corporate networks are using - not available in Windows Mobile yet). Prudly proprietary. Free Wi-Fi is a welcome bonus - and a chance to feel like hacker once more.

Other recent observations include some news about Bill Gates. I think BillG isn't @microsoft.com any longer. I mean, the account. End of the era, beggining of another one. Good luck and thanks to Bill.

Zero-knowledge Intrusion: upcoming 2600 article

Slav — Mon, 17 Sep 2007 09:20:00 GMT

Soon 2600 will publish my article on practical NIDS avoidance. As soon as it comes out, it will be on my Web site.

The magazine is quite an interesting reading - sometimes entertaining, sometimes educating, never boring. I'm glad to contribute.

How to stop Skype using ISA server, and why

Slav — Sat, 25 Aug 2007 07:18:00 GMT

Skype is a good example of how defying open standards can result in a better product. H.323, the first attempt at VoIP standard, failed miserably. SIP stands much better chance but there are numerous issues with SIP operator interconnections and crossing organisational perimeter. Skype doesn't have any of these issues: it doesn't interconnect with third parties, using PSTN as the only interface available; and it supports HTTP proxy for connectivity, effectively eliminating difficulties sending voice/video traffic to external parties.

Of course, Skype is scary (as in: buy a firewall, and may it protect you against Skype). It is the perfect backdoor, can only slow down the exploitation of it, and may protect a 0-day - Desclaux Fabrice of EADS does a decent research only to come to wrong conclusions. What's certain - Skype is a perfect target for hacking.

Some security people hate Skype and want to stop it. rootn0de provides a smart way of doing that (see Blocking Skype Using Squid and OpenBSD). Skype doesn't rely on DNS resolution for contacting its supernodes (because Internet DNS resolution may not be available on semi-isolated networks) - so rootn0de configures Squid proxy to block CONNECT tunneling connections to destinations represented by IP address. You cannot even modify the list of supernodes so that DNS resolution will work - so this is a really good hack. It doesn't require OpenBSD.

What about numerous organisations using Microsoft ISA Server as their Internet connection gateway? The solution is even easier. Configure ISA to require Windows integrated authentication and Skype will not work. Just checked - that's fixed recently in Skype for Windows 3.2 hotfix. Back to square one - no easy solution for ISA. You can be creative with Winsock client, or write custom filter, or channel traffic through Squid (defying the purpose of ISA to an extent). Besides, getting arount restriction to use Windows integrated authentication only can be relatively easily worked around - by modifying the client.

Solution, did I say? No. Trying to block Skype on the Internet access gateway is an example of wrong approach taken because of wrong problem definition. Skype is just a videophone with chat, that can also send files - most of potential Skype users on corporate network have Web access that allows chatting, sending files and placing telephone calls. If you don't want users to run software that you don't approve - don't let them by strictly controlling their operating environment (thin client solutions help here). If you don't want them to share information - don't give access, or protect it (RMS solutions help with this). But don't try to cripple the functionality that is already given to the users - they may as well have business need for it.

VoIP Scaremongers

Slav — Sun, 05 Aug 2007 09:26:00 GMT

DEF CON, an "underground" information security conference (appropriately held in an upscale hotel in the entertainment capital of the US) is on, together with sister Black Hat Briefings, and the fresh crop of FUD is already making it to the business press worldwide. There's nothing like a catchy headline, and Forbes has got one of those: VoIP Vandals. Let's see what it's about:

Security professionals at the Black Hat conference in Las Vegas spent Wednesday outlining the exploitable vulnerabilities in voice over Internet protocol technology, or VoIP. In a series of presentations, they demonstrated ways in which cybercriminals can eavesdrop on VoIP calls, steal data from Internet telephony devices, intercept credit card numbers from VoIP connections and shut connections down altogether.

I wonder if there's something radically new. Some details:

"VoIP is about convergence. The idea is that you save money and resources and time," said Barrie Dempster, a senior security consultant at Next Generation Security Software who made a presentation at the conference. "But convergent systems give you more avenues of attack, more ways in. It's not a secure environment." Because VoIP connects telephone calls via the Internet, it shares the Internet's weaknesses, Dempster argued. Those include vulnerability to denial of service attacks, which overload servers with thousands of simultaneous requests for data, as well as basic hacking tactics like guessing the password of users who fail to change default settings.

Environments become secure if and when we chose to secure them. VoIP set of technologies gives countless ways to achieve integrity and privacy of communications. It's much better in that regard that POTS, the pretty old telephony service it's replacing. And by the way - many people who witnessed major disaster, or attended a sports event, or just tried to call relatives in a developing country on a public holiday, know of limitations of POTS is its susceptability to load-based denial of service. Plus, legacy telephones don't have passwords to speak of, so there's nothing even to guess.

Well Mr. Dempster may have said FUD without substance, but other guys conducted cool demonstrations. They have shown weaknesses resulted in insecure iplementation of MGCP, and lack of touch tone protection in ZRTP, o VoIP protocol invented by Phil Zimmermann of PGP fame. Nice hacks they may be. Pity no one's using the protocols. SIP and proprietary protocols like Skype have won the protocol race.

Of course, Microsoft's embrace of the realtime communications and VoIP is considered no less than upcoming doom:

Eric Winsborrow of Sipera Systems says that the wave of threats has been brought on by VoIP's new popularity in the business world as well as the technology's growing connection to the Internet at large, instead of smaller networks. He also points to plans at Microsoft to introduce VoIP applications into upcoming software as a sign that the technology's security issues are reaching a tipping point.

I don't know where Mr. Winsborrow has spent last several years, but conf.exe is a part of Windows for a long while, and we are long past the tipping poing. There will be no VoIP crash boom bang. It is secure. Mr. Winsborrow and his squad managed to crash a BlackBerry handheld and a D-Link phone by injecting packets into Wi-Fi network (as if you couldn't crash any of those networks entirely with a microwave), and simulated the theft of private data via VoIP from a laptop. I invite them to exploit a setup with Kerberos authentication and SIP signaling secured with TLS. That is common in Microsoft world and is used to interconnect organisations as well as internally.

VoIP scaremongering is pathetic.

Virtually hopeless

Slav — Mon, 30 Jul 2007 08:54:00 GMT

I don't know if that's CIOs, or the press, or both. Recently Byte & Switch, CMP Technology's zine on storage networking, published a chef d'oeuvre on troubles with virtualisation. Some amazing thoughts by the captains of the industry. Take this one:

Time is definitely a major concern of ours," said Jim Steinmark, director of architecture and engineering at Fidelity Investments. "One of the big challenges is the time that it is taking to get people to accept virtualization as a production-ready technology," added the exec, who uses VMware, Citrix, and SoftGrid within his infrastructure. For this reason, Steinmark estimates that it probably takes 40 to 50 percent longer to get an application deployed on virtual machines than it would on physical servers. A complex virtual application shared by a number of different users, he said, could easily take a year to deploy.

The whole idea and practice of virtualisation is to implement an efficient hardware abstraction layer. Applications don't know and don't care if they are running in a virtual machine. Even detecting virtual environment is not a trivial task. How it will increase implementation time at all is beyond me. Any clues? Here's another product of disturbed minds:

Another attendee, George Scangas, lead IT infrastructure analyst at Welch's Foods, warned that developers are often the hardest group to get on board. "A lot of them are from the old school of thinking -- they want to run [applications] on a physical box," he added.

If developers have concerns like that, they are thoroughly unprofessional (Mr. Scangas's colleagues definitely are).You cannot develop application for a box with redundant power supplies and six cooler fans inside. With few exceptions (like device drivers, operating systems and virtual machine hypervisors) applications have requirements like certain operatins system, runtime libraries, disk space and available RAM - nothing that cannot be provided in a virtual environment. And if there's somebody who's hard to get onboard, that is not developers or system administrators.

On giant databases

Slav — Sun, 22 Jul 2007 01:54:00 GMT

Why Wal-Mart, Tesco and other big retailers build giant databases that record every purchase and whatever else their customers are doing? Here's how Peter Dorrington of SAS, a software vendor, puts it:

Not only do firms like Tesco have good operational systems that control their costs, but they understand their customers and can offer particular product mixes which are attractive to certain groups

So this is the big idea. Businesses are sold on the hope of better understanding their customer and therefore finding better ways of taking the business to new levels. In fact, the best they can hope for is running the business efficiently as it is - without transformations. Without data that is not in the database you cannot attract new customers. You don't know how big is your customers' appetite for schinkenspeck until you offer some. And the database will not tell you that it won't be popular in Middle East because it's neither halal nor kosher unless there is appropriate database field, and you ask. And asking the right question is the hardest bit.

Banks are legally obliged to keep all information about their customers' transactions for a long period of time. That information is readily available but it doesn't help developing new products, market expansions and major investments. This is where artificial intelligence can assist. AI is bound for a big comeback.

Meanwhile, we have systems ironically classified as business intelligence and giant databases. They are surrounded by aura of mystery. Here's what Anthony Bianco writes in The Bully of Bentonville, a leftist anti Wal-Mart opus:

From their perch in the Glass center, Information systems technicians monitor the computer-to-computer interplay using software that enables them to anticipate glitches, or "exceptions", as they're known in digitese, and intervene to prevent them from occuring. "We are pretty near real time. We can tell people that they need to go do something and we are within hours, depending on the event", said Linda Dillman, who, as Wal-Mart's chief information officer, runs the Glass Center.

Funny as it is, this description of how Wal-Mart's is running their RetailLink infrastructure also gives indication how distant from reality is the perception of the giant databases.

Virtual infrastructure v Terminal servers

Slav — Sat, 14 Jul 2007 23:42:00 GMT

Virtual infrastructure based on products like Microsoft Virtual Server, VMWare and Xen is the flavour of the month. People are talking about reduced cost of ownership, energy consumption and increased security risks resulting from use of virtualisation - all of which is questionable. But without a doubt virtual infrastructure, especially in the datacenter space, will change the way we do things today. System deployments will take much less time. Recovery procedures will change dramatically. In enterprise space, virtualisation will change networking and storage architecture as well: IP subnets will span multiple physical sites, and storage will become more flexible. I'm doing my reading on iSCSI - IP-connected storage is the way to go.

There are other effects of the emergence of vitualisation. Blade servers won't ever become mainstream solution because of it, and possibly will die off altogether. And there will be a very interesting clash with terminal server solutions - technology space dominated by Citrix Systems, History of terminal servers is interesting: developed as a way of enabling multiuser access to systems, it evolved into bandwidth-saving way of using legacy applications, then to the core of thin client infrastructure (remember Oracle's Network Computer?) and now it's all of the above plus secure remote access mechanism and software distribution application delivery system. Virtual infrastructure hosting any modern OS has all the same features - but approach is different. Some may argue that terminal servers are utilising less resources since htey are using single OS image for all clients - which is probablu true, but becomes less of an advantage as both VM resource management ans sytems' awareness of the virtual infrastructure improves. And terminal servers can become legacy systems themselves.