Dibbler's Net


Thursday, August 28, 2008

OpenSolaris is Growing Up

For the past few months I have been running a dedicated OpenSolaris desktop system on my desk at home. It has two monitors: one screen displays Nagios network status while the other one does generic web browsing and some TWiT Live watching. I had run into an issue with 2008.05 in that it did not want to upgrade nicely to svn_95 due to some MBR boot changes. Now granted, this is a development build so I don’t expect anything to be perfect; however, I am finding myself surprised by more features each day. I am used to the fact that Solaris is a great server OS first and a desktop second (for most users), but this is starting to change for me. This evening I decided to move to svn_95 as part of the pre-2008_11 version. Wanting to avoid my MBR boot issue (which is documented; I just didn’t read the readme first), I went and got the ISO for 2008_11 svn_95 and downloaded it to the Solaris system. After the download I put a blank DVD+R into the drive. First, OpenSolaris saw the blank disk and auto-launched a burning utility; this is new and, I must say, a nice touch. This shows Sun’s move to more of an end-user-friendly desktop. Next I went to the ISO file and right-clicked on it. That gave me a burn-to-disk option, which I used. A small utility popped up, and with one click the DVD was being burned. This was actually an easier process than burning an ISO on Windows. Congratulations to the OpenSolaris team for a job well done and an OS that is quickly becoming a viable end-user option.

D~

Posted by derrick in Blogging, Personal, Unix

Monday, August 11, 2008

Software with License dates (the VMware bug)

From http://www.deploylinux.net/matt/2008/08/all-your-vms-belong-to-us.html

Quoting “As of tomorrow morning, VM’s running on all hosts with ESX 3.5U2 in enterprise configurations will not power on.”

The current thought is that some beta/preview code got left in the application that basically is a nothing-works-past-this-date kind of thing. The workaround fix of setting your system clock back a few days only breaks a few Federal rules if you are in a corporate environment.

Not wanting to just repost someone else’s blog entry, and given the fact that the news is quickly jumping on this story, I wanted to post my personal issues with this problem.

Way back when I was writing software widgets for Web servers, licensing was a big issue. As a coder I wanted to protect my code and make it so that anyone using it really did pay for it. We also needed a way for people to try it. This meant using a registration key with an expiration date. This was really the only choice to allow people to demo something and to help offset some of the easier widget stealing. The problem was that the real version also included this code, so if you bought a full version we gave you a license key that was good till 2032. Now this was many, many years ago, and since then I have drastically changed my thoughts on this area. First, I am generally opposed to any software that requires any call-home function to stay alive and is in any way dependent on licensing every year. I understand that there is more SAS type of licensing and certain subscription-type services like antivirus where yearly costs are part of the model; for the moment I am leaving those out of this thought.

When it comes to actual software, where I have paid full price for the software up front, that software should not have any type of date-based restriction anywhere in the code. If I choose to not pay for maintenance a year from now then I should not receive product updates (security patches yes, new functionality no), but the base product should still continue to work. There are too many documented cases where software expires and then customers are basically strong-armed into paying higher fees just to keep their doors open. Or in some cases the vendor gets sold or goes away and now you have an expensive doorstop. When you are looking to buy that next big software application for your business, make sure that you evaluate licensing in your product criteria and test for date-based kills. Any software that requires this type of licensing should be last on your product selection list. Going back to when I wrote software, we actually found this to be enough of an issue that we changed how we distributed demo software. We moved to a model where we compiled a special demo build that worked for 30 days. But this was a different set of code than what we sold, which had no date restriction code in it at all. In the end it was the only fair way to treat paying customers. Now if only other vendors could start to understand that it’s wrong to extort your customers; this VMware issue is a direct result of that attitude. The only way we can fix this is to start demanding that vendors treat us better.

D~

Posted by derrick in Blogging, Personal, Security

Tuesday, August 05, 2008

“Clear” Program loses data

Via Slashdot to the CBS SF web site: “Security Breached At SFO Due To Stolen Laptop.” So all Clear users have possibly had all their data stolen; however, I doubt this is new.

There are more of these stories every day and I think we are finally seeing critical mass on these. This has been covered by Bruce Schneier in his Crypto-Gram Newsletter for years.

Now for my rant on this, which involves two separate issues on this topic.

Issue 1: I come from the days of mainframes: all the data in a secure location, with dumb clients that validated users before allowing them access to the data. When dealing with these large databases of users, why do they exist in a standalone form on the notebook? Is there a reason for offline access? When you have offline access to this database, how do you as a company audit access to the data and verify data stability? With the proliferation of VPNs, mobile data cards, and really the ability to have networks anywhere, why does this need to be on a standalone machine? This has always been a base rule of security: if you can’t control the physical access to the machine then you have already lost.

Issue 2: The laptop has been stolen, so now people consider that the data is insecure and that places the names at risk. I assert that by admission of the data being on the notebook in the first place, there is already a high probability that the data has already been compromised. Let’s take a logical look at this. If the database exists on the notebook in a standalone form, that means that at a minimum it exists in the form of an Excel spreadsheet, or maybe an Access database with a small GUI frontend, or even possibly a standalone Oracle or MS SQL install that holds the data, but for 33,000 records I really doubt they have gone to that extreme yet. So if the data is an Access database or an Excel spreadsheet, how did it get there? Was it sent by cleartext email to an unknown number of accounts where it can be read or forwarded without issue? Maybe it was sent out to employees on a CD which is then used to install on the notebook, but then is the CD safely destroyed? The point here is that if they feel safe keeping the data in a standalone application on the notebook, then one can assume the data has already been disclosed prior to the notebook being stolen.

In the end this comes down to what FISMA, Sarbanes-Oxley, and every other federal regulation has been trying to establish. There are three critical areas when it comes to data storage. The first is the ability to limit access to allowed users with a need to create, view, modify, or delete. The second is to be able to validate and verify the integrity of the data so you can detect changes that make the data wrong. The third is to audit data: you should know who looked at, changed, added, or deleted data at any time. Currently the easiest way to meet these three is to start with a safe infrastructure that holds the data. A notebook in an office is not a good start and shows a bad corporate stance. If you’re the CIO of Clear then you have a real uphill battle on getting back the trust of not only your current customers but of those future customers, of which I will not be one. I also think it’s about time we stop trusting companies by default and start making companies show us that they are safe before we become customers.

D~

Posted by derrick in Blogging, Personal, Security