Wednesday, 22 April 2009

So, your app is secure because you encrypt passwords?

I continue to be amazed by the haphazard approach many IT product vendors take to security. For work purposes I was recently asked to evaluate an HR package from a vendor that has been around for a fair few years and that you would really expect to be big enough to pay some attention to detail in the area of security. Although I would love to name and shame them, I had to sign an NDA before they would allow the evaluation and therefore cannot reveal their name here.

On receiving the package and a few hefty manuals, I could spot the problem a mile away. The usernames and passwords for all users were contained inside the SQL database (which raised the thorny issue of why it didn't integrate with our AD to begin with), and the program used a fixed username and password with Database Authentication to the SQL Server to query the user table for the username and password stored there.

Architecturally this solution is awful. In order to connect to a table which contains encrypted data, the program has to make a database connection with an unencrypted username and password. Hardly secure, is it? Also, although it was possible to change the default username and password, the tool to do this with was undocumented, which means hardly anybody will bother.

A quick test with Cain and Abel confirmed my suspicions. After configuring the ARP cache poisoning feature in Cain it was possible to capture this database password from a third machine in around 20 seconds. Of course I still could not connect with the client (as this used credentials contained in encrypted form inside the database), but I now had direct access to the database and could look at the raw data, which included salary details, medical history, disciplinary records etc. Good thing this was a test environment with a demo database!

I did of course raise my concerns with the vendor, but they did not appear very concerned by my quite detailed description of the problem. Either they do not care that they have hundreds of insecure installs around the world, or they are well and truly aware of the problem and are choosing to ignore it and hope to improve the architecture in future releases of the product.

It is not only smaller vendors that ignore this problem. One well known industry name allows you to store their configuration details in a database so your entire farm of servers can access the same info. Again, the documentation only talks about using Database Authentication, but at least it does give a warning that this is not suitable for high security environments. Why not include another two pages to explain to users how to switch it to Windows Authentication, or maybe a whole chapter on how to make it completely secure?

If you really have to live with database authentication, it is possible to make it secure. IPSec under Windows is relatively straightforward to enable, and you can disallow connections from any client that is not capable of communicating securely. Microsoft do a nice little KB article that describes this process in detail. Once we put this in place, Cain was rendered ineffective and our data was once again secure.
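An added audit script (not from the post, and not the vendor's tooling) showing what SQL Server itself reports about the two weaknesses above: whether SQL logins are permitted at all, and which current sessions authenticated with a SQL login over a connection SQL Server is not encrypting. Assumes SQL Server 2005 or later and the VIEW SERVER STATE permission.

```sql
-- Added example: audit the authentication mode and the live connections.

-- 1. Is database (SQL) authentication allowed at all?
--    1 = Windows Authentication only, 0 = mixed mode (SQL logins accepted).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Who is connected right now, how did they authenticate, and is the
--    session encrypted at the TDS level?
--    auth_scheme = 'SQL' together with encrypt_option = 'FALSE' is the
--    combination the post describes: a fixed SQL login whose password goes
--    over the wire in a form a sniffer on the segment can recover.
SELECT c.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.client_net_address,
       c.auth_scheme,        -- 'SQL', 'NTLM' or 'KERBEROS'
       c.encrypt_option      -- 'TRUE' only when TDS encryption is in use
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1
ORDER BY c.auth_scheme, c.encrypt_option, s.login_name;
```

IPSec sits below the TDS layer, so encrypt_option stays 'FALSE' even once the IPSec policy from the KB article is in place; confirm that protection separately on the host rather than from this view.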

Essential lesson? Don't assume commercial software vendors value your security as much as you do and do your own research!

Tuesday, 21 April 2009

My Iphone 3G

I love my iPhone!!! There .. I said it. Having been raised in the PC camp, I have always been a staunch defender of the PC and its various platforms (Linux, Windows, Windows Mobile etc) over and above the Apple Mac. Why? My answer is simple .. Pure ignorance. The fact is that it is a great platform to work with, easy and simple, yet you can get into its innards and be as leet as you like. (No, I am not converting and no, I am not being a fan boy either.)

So I found myself succumbing to the wills of Steve Jobs and his second incarnation of the iPhone. The iPhone "3G". I needed a new music player anyway .. and being the lover of "GADGE" that I am (thanks for coining the word Jason Bradbury .. well I heard it from him first), I decided to fork out the stupid monies for the 16GB 3G and subscribe to the £35 a month contract.

So, here I am almost a year on from my purchase. Software version 3 is in sight and guess what .... One of the most exciting things to come out is .. wait for it .. "COPY AND PASTE" .. Yep, you read that correctly. I went to one of my favourite sites, Wikipedia, and pulled an excerpt from the history of copy and paste: "Apple Computer widely popularized the computer-based cut-and-paste paradigm through the Lisa (1981) and Macintosh (1984) operating systems and applications." So in short, Apple, who were one of the originators (28 years ago) of the copy and paste functionality as we know it today, have taken 2 phone revisions and x number of software revisions to implement that functionality in one of their newer devices .. Somehow, they have made it seem like a huge deal, and got all iPhone users excited about it. Hats off to Apple Marketing .. I don't know what else to say except roll on release 4.0 with the revolutionary CUT and paste functionality .. I can't wait :)

Emm

Friday, 17 April 2009

Torrent Trial

It seems that the entertainment industry has even more control over the world than it first seems. The much awaited ruling from the ongoing case of The Pirate Bay has finally been released. It came as a shock to me to hear that the 4 founders have been found guilty. Fredrik Neij, Gottfrid Svartholm Warg, Peter Sunde and Carl Lundström have all been charged with 'promoting other people's infringement of copyright laws.' Does this sound like someone is clutching at straws?

For those who haven't been following the case: four men behind the torrent tracking website The Pirate Bay have been in court for breaking copyright laws. The US Entertainment Industry is trying to claim $15m in damages for the illegal sharing of 20 songs, 9 films, and 4 games. However, The Pirate Bay servers themselves hold none of this data; they merely hold files that point to the locations of the files on users' computers (Google if you don't know about torrents).

If The Pirate Bay 4 are being prosecuted, then why shouldn't they prosecute the people behind Google? You can find the exact same information there. Are they guilty of 'promoting other people's infringement of BlahBlahBlah'?

I'm sure, just by using the power of Google, that you can find some seriously questionable content and yet, as much as I like Google and the services they provide, they are just allowed to carry on as they are.

In my view, it is the fault of the Entertainment Industry for popularising illegal file-sharing in the first place. When given the option of paying £10 for an album or £8 to go to the cinema (without popcorn!), or getting it for free, which one are you going to choose?! The Movie and Music industries have failed to embrace these new technologies.

The major television channels have come up with a solution with the likes of the BBC iPlayer and 4OD, both offering a free option for watching back TV episodes, so why can't the music and film industries come up with something similar? How difficult can it be? Stick a couple of short adverts at the beginning and end of the film and offer it for a cheap price. I know I wouldn't mind paying a couple of quid for an ad supported film, rather than nearly £10 for the DVD.

I am however fairly certain that even with the guys in jail, The Pirate Bay will continue to stay afloat, offering new services like their IPREDator VPN, which at just €5 a month will give you complete anonymity whilst surfing and downloading. Not a bad idea if you ask me!

To read more about the case try The Local or BBC News

Thursday, 16 April 2009

The Digital Home - Curse or shape of things to come?

Over the last few years I have spent many hours on the bleeding edge of Home Entertainment. Starting with my original Higrade Digital Media System (DMS), many evenings were spent effing and blinding at what was obviously a product that was not ready for the mainstream. Through the various versions (Media Center 2002, 2005, Vista and now the various builds of Win7) I have seen the product progress from something very basic to a relatively mature (but still buggy) product that has now become an essential part of our daily lives.

Many less technology savvy people who come round our house are immediately smitten by the slick interface, 10 foot remote control experience and ability to have your entire digital life at your finger tips. With my new rather slick Moneual case, not only does the screen look slick, the unit itself also cuts a rather handsome figure.

Basically, people see it and they want it. However, this also presents me with a bit of a problem because generally I value their friendship and I am not foolish enough to risk it by recommending they invest in a product that will have little or no WAF (Wife Acceptance Factor, for those amongst us who are not techie geeks). Hell hath no fury like a friend's wife who has just missed Grey's Anatomy because MC decided it didn't like the latest MS patch and gave up recording. And if enthusiasts like me don't want to recommend it to their friends, does the product have a future in the mainstream?

However, there is no denying that the digital home is here to stay in some form or another. In fact, MC has only touched the surface on this and the box currently only does a fraction of what it should really do. VCR capabilities are still not up to Tivo standards (pre-emptive recording anybody?), there is little out of the box integration with streaming services and integration with online messaging services (like MSN) existed and then got scrapped between XP and Vista.

In truth, most of the problems are related to the TV tuning services and this is not an easy nut to crack. Different TV standards in different countries, DRM for cable companies and protected content make the whole thing a bit of a pain. To me, though, one thing is clear: the product should have more of an appliance focus than a PC focus. With a Home Media Center the key focus should be on stability, and recording should work 100% of the time, not 99%.

The solution? MS to build an MC appliance with a strong focus on stability. Forget about it also being a PC; nobody wants to browse the internet from 10 feet away. Strip the OS down to the bare bones (with Win7 it is now possible to turn off unwanted features even though they don't really get removed), focus on stability and supporting a wide range of TV standards and file formats, software extender support on a hardware platform that runs quietly, relatively cool and does S3 standby 100% reliably. Throw in an open and extendable development platform and a competitive price point (and MS can afford to be a loss leader) and you have a winning platform.

The prize at the end of the line? The same dominance in the Digital Home arena that MS currently enjoy on the desktop, but to achieve this reliability is key.

For all the slating and swearing I have done at Bill and Steve's expense over the last few years, it is obvious that as far as the digital experience goes, their product is way above anything else in the market in terms of overall coverage. When the time came to replace the previous MC with a new model, Mrs PasstheDutchie was offered the various alternatives like PVRs or Sky+ for her use but decided the new shiny 7MC was what she and the kids wanted to use. Who am I to argue with that? Having said that, if it fails to record the Grand Prix on Sunday, look out for a shiny new Media Center on Gumtree.

Why I'm a Luser...

Moving from Windows to Linux isn't the pain some people might think it is, apparently...

I like to think of myself as an 'early adopter' when it comes to technology. You know the type of person: somebody who buys or obtains a piece of technology or software long before it's properly been tried-and-tested in the real world.

Those of technical savvy around me tend to refer to me as a 'luser'. I always thought that meant I was a Linux User, but apparently it means something somewhat less complimentary.

This boils down mainly to the fact that I procure something, use it incorrectly, then have to beg, plead and wheedle with somebody far cleverer than me in order to get them to fix it, so that I can go ahead and break it again.

Many years ago, when Linux was in its infancy, I convinced our then-SysAdmin, Gavin, to put a version of KDE on to my office laptop. He thought it would be fine – I sold myself pretty well to him about my technical ability – but by the end of the first day of having Linux on my machine he wanted to kill me.

Shortly after that, he removed it from my computer and told me to never, ever, think about using anything other than Windows again.

And I didn't. Until last week, when I managed to convince my pseudo-SysAdmin for the pub, James, to install a version of Ubuntu on my laptop.

Clearly having wiped his memory of the pain I caused Gavin all those years ago, Jimi agreed – but I have to say what a difference it is these days to use Linux!

Firstly, everything seems much easier to get to, and I don't have to keep opening a terminal and typing obscure random commands such as chmod +x or sudo ./ every time I want to get the damned thing to do something.

Instead, I can simply go to Applications and Add/Remove programmes in a Windows-like way to install just what I want. I've even managed to go outside the box and find programmes such as Adobe AIR and install them all perfectly fine. Google's Picasa and even aMSN, a clone of MSN's Live Messenger, have all been installed perfectly easily. (Probably best not to ask me about Google Earth on Linux, however. That seems to have gone like a bit of an abortion.)

And for what I really want, Mozilla Firefox is an excellent web browser, and while OpenOffice's Writer might have the look and feel of an early version of MicroPro's WordStar, it's functional and usable and has all of the everyday features that Microsoft's Word supports.

To top it all off, I've even managed to find a website where I can leave my e-mail address so that somebody can let me know when Google Chrome for Linux is finally available. I'm especially proud of that one.

In fact, the only thing that I haven't been able to get to successfully work since having Ubuntu installed on my laptop is my printer.

Recently, in order to print off some forms I needed for a licensing event for the pub, I found myself having to reboot in to Windows for the first time in days. Unfortunately, Windows doesn't seem all that happy about having some of its gargantuan requirements for disk space taken up by the impertinent Linux OS, and so it ran incredibly slowly. Or maybe it did that anyway and I just didn't notice.

And then, for reasons utterly unfathomable, it threw a wobbly and broke the computer.

And for equally unfathomable reasons, James suddenly seems to not be answering his telephone...

Software deployment

So… after a year-long development cycle my department is about to release its new framework-based CMS.

So… all should be well: the specification was completed (covering the first 8 months of the project), UAT and system testing have been completed, server hardening has been completed and the whole server environment has been instanced. The users are happy (although demanding last minute functional extras, as is expected).

So… why do I always get the paranoia pangs over minutiae that don’t exist and issues that have been long resolved? Lack of direction, or just taking things too personally?

Anyway, it seems fate is on my side as the chosen go-live date has been set for a date while I’m on hols. Will that make it any easier? Probably not. Will I lose sleep? Probably. Will it work? It f***ing better :)

Thursday, 9 April 2009

"Cloud" Computing on our doorstep

So today, I finalised our mail configuration to route all of our mail through Google's Postini mail filtering solution. Overall, the switch went quite well. I changed the MX records for the affected domains and used the Google directory sync tool to upload all the user and group mail addresses to the service.

So task accomplished and job done, right? Well NO .. Now the problems begin... We shall see how things pan out as time goes by, but at least you can't say we are afraid to embrace the growing trend of cloud computing.

Emm

Wednesday, 8 April 2009

OMFG I have found my hierarchical model nirvana

Having just given myself a nose bleed by having to think for longer than 50 seconds on a single topic, I am complete, and that completion has taken the form of using both the Nested Set and Adjacency List models to create a basic tree data structure.

Ok, if anyone reading this is thinking “nice one Patrick, take some long words, string them together and bingo, you have your very own buzzword bingo”, I’ll expand on this.

When I used to have a tree structure it would be a tidy collection of parent/child relationships between nodes, and I would use this in an Adjacency List model.

So…
John is the dad of Anna and Patrick, and Patrick is the dad of Ben:

John[A] has no parent
Anna[B] has parent A
Patrick[C] has parent A
Ben[D] has parent C and is a grandchild of A

John[A]
=Anna[B]
=Patrick[C]
==Ben[D]

So to get from D to A I first need to check who the parent of D is (C), and then who the parent of C is (A). Which is cool: a small bit of recursion and we are done.
But………. What if you are going back 15/20 generations? That much recursion is a lot of work for 20 bits of data.
So instead of the extended game of “who is your dad and what does he do?” we also use the Nested Set model.

Ok, instead of thinking in terms of nodes and lines, we treat them as nested containers. Everyone gets a left and right value, and every element whose left and right fall inside those values is, at some level, a child. (Nose bleed started here.)

---A----
-B---C-
--------D

So A, B and C form a nice little triangle and A, C and D form a nice line (the appearance of both patterns is strongly dependent on formatting ;)

With their lefts and rights, and the step they are on:

Node  Left  Right  Step
A     1     8      1
B     2     3      2
C     4     7      2
D     5     6      3

So

1----1A8----
2-2B3--4C7-
3---------5D6

This means I can pull out the ancestral line of D by checking which other elements have a left and right that enclose 5 (D’s left). If I order that result by left descending, I get the father/child relationships in order, nearest parent first.

If I want to find the siblings of C, I can take the left and right of the parent A and get all elements that are between 1 and 8 but are on the same step as C (2).
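Both queries described above, as an added example that is not from the post: the four-node tree stored both ways (adjacency list and nested set), the recursive walk from D to A, and the nested-set ancestor and sibling lookups. Written as T-SQL for SQL Server 2008 or later (multi-row VALUES and the recursive CTE form are the SQL Server syntax); the table and column names are my own.

```sql
-- Added example: the post's tree, stored as adjacency list AND nested set.
CREATE TABLE family (
    node   CHAR(1)     NOT NULL PRIMARY KEY,
    name   VARCHAR(20) NOT NULL,
    parent CHAR(1)     NULL,       -- adjacency list: who is my dad?
    lft    INT         NOT NULL,   -- nested set: left value
    rgt    INT         NOT NULL,   -- nested set: right value
    step   INT         NOT NULL    -- depth, 1 = root
);

-- The post's values: A 1|8|1, B 2|3|2, C 4|7|2, D 5|6|3
INSERT INTO family (node, name, parent, lft, rgt, step) VALUES
    ('A', 'John',    NULL, 1, 8, 1),
    ('B', 'Anna',    'A',  2, 3, 2),
    ('C', 'Patrick', 'A',  4, 7, 2),
    ('D', 'Ben',     'C',  5, 6, 3);

-- Adjacency list: walking from D back to A costs one recursion per
-- generation (the "who is your dad and what does he do?" game).
WITH ancestors AS (
    SELECT node, name, parent, 0 AS hops FROM family WHERE node = 'D'
    UNION ALL
    SELECT f.node, f.name, f.parent, a.hops + 1
    FROM family AS f JOIN ancestors AS a ON f.node = a.parent
)
SELECT node, name, hops FROM ancestors WHERE hops > 0 ORDER BY hops;

-- Nested set: the same ancestral line in a single range comparison.
-- Every ancestor of D encloses D's left (5): anc.lft < 5 < anc.rgt.
-- Strict inequality keeps D itself out; ordering by lft descending puts
-- the nearest parent first.
SELECT anc.node, anc.name, anc.step
FROM family AS d
JOIN family AS anc ON d.lft > anc.lft AND d.lft < anc.rgt
WHERE d.node = 'D'
ORDER BY anc.lft DESC;

-- Siblings of C, generalised: find C's parent as the ancestor one step
-- up, then take everything inside the parent's left/right range that sits
-- on C's own step, excluding C itself.
SELECT s.node, s.name
FROM family AS c
JOIN family AS p ON c.lft > p.lft AND c.lft < p.rgt AND p.step = c.step - 1
JOIN family AS s ON s.lft BETWEEN p.lft AND p.rgt AND s.step = c.step
WHERE c.node = 'C' AND s.node <> c.node
ORDER BY s.lft;
```

The sibling query does not hard-code the parent A as the post does; it derives the parent from the nested-set values, so it works for any node in the tree.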

Of course for lots of peeps this is all simple year 1 of the computer science degree, but for me it sparked that little giggling light inside my head that appears when I realize I can view data from a completely different view point and make that work for me (the last time was “what?!?! you just loop through the structure and process the elements, rather than doing them each individually????”).

Tuesday, 7 April 2009

Is Hardware coming to a Standstill ?

I recently decided to move my "ailing" 2 year old PC into a smaller chassis in order for me to kick it into life again (it now lives under my coffee table downstairs). The processor is a Q6600 Quad Core and the GFX card is an Nvidia 8800GTX. Both of these main components are older tech by today's standards, yet performance wise they still more than hold their own when compared to what's out at the moment. It got me to thinking...

Whereas in previous years a 2 year gap in hardware specs would present a significant performance difference, the Q6600 is still selling and the technology behind the GFX card hasn't changed to a point of revolutionising its performance.

So is the race finally coming to an end? It has been said for years that PC tech will reach a point whereby it won't get much faster than what it is (unless you are an overclocking liquid cooling nut) and this has certainly become more noticeable in my recent experiences.

Emm

Wednesday, 1 April 2009

Conficker Day 0

So the big day has arrived ... Conficker 1st April "boom" day. (Or to be more apt .. yet another huge hoax??!?!?!) .. I really don't know what to think. Patched all my systems, defences are up to date and I have been actively scanning my network to see if there is any trace of this.

So far, not a peep .. Not even a false positive .. Am I just being overly paranoid or am I just lucky .. I am a big advocate of not subscribing to hoaxes and make a valiant effort to inform the individual of said "end of world virus". It generally doesn't work and sure enough within another few weeks, I receive yet another "OMG read this .. its legit .. its not fake .. honestly guv" mail.

So right now it's a big WTF.