Network security worst practices

I recently came across a company with amazingly poor security practices. Over the course of time, the company was so lax about tracking its laptops that many were either lost or stolen along with sensitive customer data, of course kept unencrypted on the laptops’ hard drives. For many months, the company had no Internet firewall. It didn’t track any network egress traffic and didn’t routinely examine any of its network log files to see what was actually going on across its infrastructure. Routine software updates were ignored, many of which had security implications. And the final coup de grace: it never kept any records of who had administrative access to various critical resources.

None of these things is hard to do. All can be done with technology that was common at least ten years ago, in some cases 20 years ago. All require some diligence, staying on top of things, and having the personnel who are responsible for these tasks actually do them on a routine basis. So what happened? You probably won’t be surprised when I tell you that all of these activities were common IT practice at several US government agencies. We aren’t even talking about government contractors (which also fall down on the security job). These are full-time employees, and at agencies that should know better, such as the SEC or NRC. People that handle sensitive stuff.

As an aside, both agencies are among the top places to work for midsized agencies. The SEC actually has two IT specialist job openings (at least for now) that pay quite well. Sounds like a pretty cushy position to me, since you probably spend your time playing computer games or surfing the web.

And I haven’t even gotten to the latest revelations about Chinese hacking into the database of people who have applied for security clearances, which has been happening over the last year. This gives new meaning to being “red flagged.” Quite literally, and one with five yellow stars on it too.

My story gets worse. I should mention that many users were found with that old bugaboo, using “password” as their access passwords. Really? This is more than embarrassing.

And all jokes aside about going with the lowest bidder or cost overruns on $500 toilet seats. These agencies don’t have to buy anything much to cover the basics.

If a private industry CIO had this sort of security record, they would never work in IT ever again, unless to become a motivational speaker and tell people what not to do. Instead, because they are the Feds, we just shake our heads and wonder what is going on, and some how give them a free pass to mess something else up again. It really boils my blood.

I recently had a friend of mine ask me to serve as a reference for his security clearance renewal interviews. So chances are my name is in the hands of the Chinese somewhere. It was an interesting moment for me: when I met the investigator, he showed me his credentials, and I joked with him that I wouldn’t know if they were legit or not, I didn’t even know the name of the agency that he was supposed to be working for. As my friend explained, they aren’t looking for youthful indiscretions (not that I knew him when he was younger) but things that he hasn’t revealed on his application that can somehow be used to compromise him. Too bad the network administrators already blew it for him and millions of other Americans that are serving their country.

Okay, we lived through Healthcare.gov and all that mess. We made it through some pretty massive screw-ups where our 57 different intelligence agencies couldn’t even share basic threat information, or where innocent people with names that are similar to the bad guys are flagged by the TSA. This takes government tech to a new low.

When we can’t have basic, simple IT security practice that just involves people doing their jobs, that gets my goat. This is not a technology problem, it is a leadership and people problem.

Tom’s Hardware: Bitdefender’s Box not recommended

When Bitdefender announced its Box, a new breed of security hardware, I was intrigued. It sadly over-reaches and isn’t quite ready for prime time, will be useful only in a very limited number of circumstances, and falls far short of being the kind of unique protective appliance that it promised.

It is a very unusual product: basically, it supplies the DHCP addresses in conjunction with your existing home router. But getting that combination to work reliably wasn’t pretty, and took weeks of effort too.

You can read my review in Tom’s Hardware today here.

Top ten most annoying things writers do to their editors

I recently got to see “Authors Anonymous,” a very funny mockumentary movie about a bunch of writers and how their group dynamics change when one of them (played by Kaley Cuoco of Big Bang fame) experiences success. It reminded me of how bad many members of my writing fraternity are when it comes to pitching potential stories to prospective editors. Here are my top ten mistakes you can make.

  • Make incomplete pitches.
    Make it hard for the editor to understand what you are trying to do, why your pitch is important, what your angle or expertise is, or whatever. Put as much information as possible into your pitch.
  • Don’t waste an editor’s time with inane queries.
    Editors are busy people; make each email count. Try to figure out stuff on your own. Silence is golden.
  • Do follow your editor’s instructions.
    Some of my editors have very specific instructions on how to assemble a draft for them: how hotlinks should be represented, whether they like or hate in-line images, or whether they want subheads or suggested Tweet language or whatnot. Try to obey these instructions and keep them straight so you won’t waste their time in this fashion.
  • Don’t look at the website and understand their target audience.
    This one is easy to fix: read and review the site and understand who they expect their readers to be.
  • Don’t know what articles have already been published.
    Make sure what you are pitching hasn’t already been covered on the site.
  • Don’t pitch something that you have already written for some other pub.
    This is a big no-no. Editors want unique content, unless they tell you otherwise.
  • Don’t have any clue on when you can actually finish a draft or hit a self-imposed deadline.
    When you are pitching a story, make sure you have the bandwidth to actually write it and finish it, because usually the next question is going to be when can the editor have it in hand?
  • Do understand the meaning of deadlines in general.
    And respect that deadline too. This isn’t some approximate timeframe. Don’t hold up the rest of the production process because you are late delivering your copy.
  • Don’t submit a story without any accompanying art, suggested Tweets, or other information that the editor requested.
    It isn’t just your text that is important; the other information that supports your story is critical too.
  • Don’t whine about how much time revisions will take you.
    I know some editors are a major pain with serial revisions. Just don’t work for them again if they offend you or tie you up in knots with all sorts of back-and-forth emails. But your goal should be to finish the assignment at least to your standards. Now, I have worked for editors that like to subtract value, or think of themselves as writers, but that will be for another post.

Network World: Centrify tops the group of 7 SSO products

Since we last looked at single sign-on products in 2012, the field has gotten more crowded and more capable. A number of new vendors have come to ply their wares, and a number of old vendors have been acquired or altered their products.

For this round of evaluations, we looked at seven SSO services: Centrify’s Identity Service (the overall winner, whose dashboard is pictured above), Microsoft’s Azure AD Premium, Okta’s Identity and Mobility Management, OneLogin, Ping Identity’s PingOne, SecureAuth’s IdP, and SmartSignin. In addition to these products, we also looked briefly at AVG’s Business SSO. Overall, products have expanded their authentication support, moving towards integrated mobile device management, using more cloud-based solutions, and supporting more apps. You can read the entire text of my review, published today, here.

Learning from my bitcoin mistakes

So you want to get into bitcoin? Don’t do what I did: spend about $60 in banking fees that turned my investment of $150 into $90. I always said my investment strategy is buy high, sell low, but I didn’t think it would happen in a matter of microseconds.

Actually, it took the better part of a week. I first wrote about bitcoin a few weeks ago here and got some great comments, along with a recommendation to read this book by two WSJ reporters that I found very interesting. Then I decided to take the plunge and set things up. I found it wasn’t as easy as, say, PayPal or Square, two apps that I use more or less all the time when I have to move money around.

If you want to enter the bitcoin universe, you need the following:

  • A digital wallet to store your bitcoins. The one that I am using is BitPay’s Checkout, but if you are going to be serious about storing a decent amount of value you probably want to use Copay, which asks for multiple signatories to move money around. Think of this like Square: you set up a transaction and then hand over your phone or tablet to your customer, who sends you money. Instead of the funds taking a day or so to get into your bank account and being charged a 2.75% fee, they arrive in your wallet within a few minutes with almost no fees.
  • An exchange. I set up my account on Bitstamp.net and that took some doing. The exchange is where you can move money from one currency to another or to bitcoins. You probably don’t need to start out with an exchange, but I wanted to have flexibility and also prepare myself for when I could become a day trader (JK). I liked Bitstamp because they had good reviews and handled a variety of currencies, including Euros. We’ll get to that whole experience in a moment.
  • Access to a wire service from your bank to fund your initial account. More on that too.

First there is the exchange. They operate on a know-your-customer basis, meaning they want to see some documents that prove you are who you say you are. That gives me some small measure of comfort. So I had to scan my passport, my utility bill, and so forth. I made the mistake of using my corporate bank account to send them a wire: that held things up for a few days while they wanted to see my corporate bank statement and have me answer a few other questions about why I wanted to use their services. Once we got everything working, they charged me a $7 fee to move my money into their system. Buying or selling bitcoins comes with another small fee of 0.25% per transaction.

Then there was my bank, which proceeded to charge me $45 for an international wire transfer to Europe, where Bitstamp is located. Sigh. That was the easy part, once I decided to accept that fee in the interests of science. The wire transfer takes a few minutes. Normally it would take Bitstamp a few minutes to recognize the transfer, but because I messed up and used my corporate account, it took a few days. Good thing I wasn’t trying to send a lot of cash this way.

As a side note, this outrageous wire fee is one of the reasons that bitcoin is catching fire. The fees are very low to move money around, in some cases almost nothing. But the bad news is that the value of the currency moves up and down very aggressively: at one point one bitcoin was worth $1200; now it is somewhere in the low $200s.

Then it came time to set up BitPay. You first set up an account via the Web, and connect it to your bank account (if you want dollars out) or to your bitcoin account (if you want those out). They have a few other questions to ask you and documents to scan as well to prove who you are. They also have an interesting tier structure. When you first get your account you are set at tier 0, which entitles you to transfer $100 a day. The way they work, you send more documentation and they up your limit. Tier 1 is $1000 a day, and now I am at Tier 2, which is $10,000 a day with an annual limit of $500,000. This is all conducted via the Web, where you upload your scans, then they send you emails telling you that your account has been upgraded. And did I mention, there aren’t any fees? At least not yet.

The final step is to link your BitPay wallet on your phone with your account. On the web, you go to Payment Tools and then the Point of Sale app, where you add a pairing code, similar to how you would pair your phone over Bluetooth. You enter this code on your phone and your account is all set up. To test things I was able to send bitcoins from my exchange to my wallet. It was almost as exciting as sending my first Internet email message through MCIMail. (I know, I get off on some strange stuff.)

Was it all worth it? Certainly not the involuntary wire fee. But in the future I could use one of the bitcoin so-called ATMs that dot the landscape (we have one in St. Louis so far): they only charge about an 8% fee to transfer funds, which is more typical of what my credit card company charges when I buy something abroad. And when one of my clients wants to pay me in bitcoin, I will be ready!

Wag the Dog, online and updated

In one of my favorite movies, Wag the Dog, we declare a fictional war on Albania in an attempt to manipulate a presidential election. While the movie (which was made 18 years ago) posits a ridiculous scenario, it is coming of age in today’s era of ubiquitous Internet and inexpensive video editing and social media aggregation tools.

According to Adrian Chen’s article in the New York Times, a secretive Russian agency has been fabricating various events for both American and Russian audiences using very similar “Wag the Dog” scenarios. Chen finds YouTube videos, fake Twitter accounts by the truckload, and phony websites and other postings that all seem to come from this agency. The effort is so realistic that many people are fooled into thinking its fabricated disasters, conflicts, and other newsworthy events are real, rather than the work of some clever and dedicated troll army.

Call it life imitating art 2.0. What took the prowess of a Hollywood producer (played superbly by Dustin Hoffman) and a studio back lot can now be done with a few clicks of a mouse and the right voice actor narration. Thanks to social media, it is easy to get something as a trending topic that is all a complete fabrication.

Russia seems to excel at truth-bending: witness the made-up details about the crash of MH17 in Ukraine. Whether you believe the plane was targeted by the Russians or the Ukrainians or just an accident, a year later it is still hard to tell.

Back in the real World War II we had squadrons of misinformation groups that didn’t have access to the Internet and personal computers. But they still managed to invent some amazing stories. If you want to read about one of them, try Agent Garbo, which recounts the real life of one spy who managed to trick the Germans into thinking the Allied D-Day landings were happening elsewhere. And it was all done through the sheer force of his personality too.

Is it too much to hope that reporters should be doing this for a living and helping matters? Well, at least some of them now get trained in using tools to verify social media posts. This is a great start but there are still lots of reporters that get duped. It reminds me of my favorite media hoaxster, Joey Skaggs, who has made his living trying to fool the mainstream press over the years. (You can read about some of his exploits here.)

So a lesson from all this is to be more skeptical, I guess. And in Wag the Dog, Hoffman’s character says, “It’s the best work I’ve ever done in my life, because it is so honest.” Truer words were never spoken. Trust, but verify.


Maybe it is time to pick up the phone

I had a phone call last night with my friend from high school. We remarked that we had to schedule the call via an email exchange. This is an actual friend, someone that I have seen from time to time over the many decades since we parted ways from growing up on Long Island. It was nice to hear from him and spend time catching up, something that neither of us have done in a while.

I told him that it was curious how never before in human history do we have so many different communications tools at our disposal but so little actual inter-personal communication that takes place. Every day we email, text, Instagram, Tweet, and send other electronic missives to people that are virtual strangers. Many of my correspondents I have never actually met face to face.

And while I mentioned all these electronic choices, notice that I didn’t list the telephone. It seems to be obsolete. Giving someone a call out of the blue nowadays is usually seen as bringing bad news: a family illness, say. Or something else that is wrong. What happened to those days when we picked up the phone just to chat? It is more likely that when the phone rings, it is some telemarketer who is trying to sell us something. Indeed, while we were talking, my friend’s landline phone rang (naturally we were talking on our cells) with such a call.

As adults, we make “friends” who are not actually friends, develop “followers” composed of people who would not follow us out of a room, and “like” things whether we really like them or not. “Sharing” isn’t really about caring, it is just another button click on a webpage that doesn’t really take much forethought or carry with it any emotional connection. We no longer even have to come up with a good line at a bar to meet someone, thanks to the dating app Tinder. (Not that I would really know much about that, I should hasten to add.) This is progress?

Maybe it is all the fault of email, which got things moving in this direction many years ago, when we could sit in front of our computers and not have to talk to anyone to get our thoughts across. I remember when I started a magazine back in 1990 and we had hooked everyone up via email for the first time. It soon became easier to write something than to get up and walk across the office a few feet. So it began for me, and I am sure many of you also discovered this alternative to face-to-face communications back then.

Or it could be the fault of texting and instant messaging, tools that Gen Y has had almost from birth it seems.

Not that I am saying all e-communication is bad, just that it has taken some of the spontaneity and serendipity out of things.

On the other hand, certainly email and some of the other electronic tools have made it possible to reach a broad audience at a speed and scope that wasn’t ever thought possible. Within a few seconds of sending this newsletter out, many of you will have me at a disadvantage (at least those of you that actually read this). You will know what I am doing, what I am working on, what I am thinking. That is both wonderful and somewhat scary at times, depending on what you say to me when we actually do meet face to face.

And then there is this. As someone who is mostly introverted, all these tools have enabled me to communicate with more people than I have ever thought possible, as I sit here in my office, alone and in front of many screens and keyboards.

I don’t have any real words of wisdom for you. My takeaway is just to sit back for a few moments and think of the friends that you have that are actual friends, with whom you have shared a meal or some important activity over the years. Then pick up the phone and give them a quick call, to let them know that you are thinking about them. See if you can do it without making the arrangements in a text or an email.

Need help organizing your SAN Storage? Look at Datacore’s SANsymphony-V

If you have a lot of data stored on SANs, you might want to take a look at the latest offering from DataCore Software, SANsymphony-V. I have been testing various versions of this product for more than a decade, and my latest video screencast review can be found here. It makes it easier to automatically move data between storage tiers (such as solid-state drives and cloud repositories) and enables continuous data protection with just a single mouse click. There is also the nifty heat map you see above that shows your most-active storage tiers.

A Guided Tour of the SANsymphony-V Software Defined Storage Platform From DataCore Software

DataCore’s storage virtualization software, SANsymphony-V, maximizes the availability, performance and utilization of disks in data centers large and small. Use it to manage on-premises storage or build a cloud storage infrastructure.

We looked at version 9 in June 2012 and version 10 in May 2015.

http://www.datacore.com

Pricing: DataCore-authorized solution providers offer packages starting under $10K for a two-node, high-availability environment.
Requirements: Windows Server 2012 R2

Take a look at another screencast review of DataCore’s software-defined storage solution here.

The post-Snowden era has been a good one for secure email

Two years ago a young man left his girlfriend and home with his laptops and a fantastic story that has changed the world and the way we think about our Internet privacy. I am of course talking about the flight and plight of Ed Snowden and his cache of secret documents about the massive NSA surveillance of electronic communications.

Whether you think Snowden is a patriot or a traitor or somewhere in between, it certainly has been an interesting couple of years in the secure email biz. It is a continued series of ironies, starting with the fact that Snowden had trouble convincing his chosen scribes to make use of encrypted email technology. (He isn’t the only one.) While he ultimately was successful in securing his communications with the press, another irony was how things ended up for him: now he is living in Russia, certainly not one of the most privacy-friendly places in the world. It is also ironic that his Russian residency has enabled his new career as a professional speaker, albeit using various remote video technologies, since he can’t get on a plane because he doesn’t have a passport. (Part of me is envious of this, having to still give speeches the old-fashioned way by getting on planes. But I am glad that I have my passport.)

But the ironies extend beyond Snowden’s life to more important matters. We have evidence that shows how the NSA abused numerous statutes in what they call “bulk metadata collection” of phone calls and emails. And we all now know what metadata means, and what former NSA director Michael Hayden said last year: “We kill people based on metadata.” Certainly, the Snowden effect is quite real, given the current debates in Congress over reauthorizing various legislative means for them to continue these practices.

And the ultimate irony of them all is another Snowden effect: while the NSA revelations have closed down several secure email providers such as Lavabit and Silent Circle, others have taken their place and encrypted email usage is most likely at an all-time high, thanks to the paranoid and prudent among us.

I have spent a lot of time listening to Snowden’s various public discussions, held at SxSW, with John Oliver for his HBO show, and at a recent conference at Princeton where he exchanged words with a New York Times reporter who broke some of the early stories. And while I am not sure where I stand on the traitor/patriot index, Snowden certainly has a lot of interesting things to say. It is clear that he has spent a good portion of his clandestine career preparing for his media close-ups and photo ops. He also has a lot of time on his hands to keep up with current events.

I think Snowden has done more than just about anyone since Phil Zimmermann (the creator of PGP and now involved with DarkMail) to encourage email encryption usage. When Marshall Rose and I wrote a book about corporate email use back in 1998 (cover reproduced above), we said that secure email was “best described as a sucking chest wound.” For most of the last 17 years, secure email was more a curiosity, almost unknown and unused in corporate America. That changed two years ago, and it is catching on in more places.

It is still too difficult to use, as this story in Ars Technica shows when it takes you through how to deploy it on an individual basis. Maybe not a sucking chest wound, but still more than a mere blister, to be sure.

I am interested in hearing more about your own secure email usage, partly motivated by a review that I am writing for Network World comparing several of the more useful business-oriented tools. Having used some of these products for decades, I welcome your own thoughts and will let you know when the review is published, probably later this summer.

And if you want to re-read a semi-serious blog post that I wrote last year where I thanked the NSA for enabling all sorts of activities, here you go.