Is Windows Continuum Worth Your Time?

When I was attending the Citrix Synergy show last week, much was made about the support of the Windows Continuum effort by Microsoft. This puts the Windows 10 functionality on a lot of different and non-traditional IT devices, such as the Surface Hub gigantic TV, Xbox consoles, and Windows Phones. If you look at the linked webpage above, you will see a lot of information about how you can use a Windows Phone as the basis for a new kind of docked workstation that has a real keyboard and screen attached.

When I spoke to Citrix SVP PJ Hough about this, he changed my thinking about Continuum. It isn’t all about the Windows Phone, but about the other stuff that is enabled here. Continuum is really about how you can essentially upgrade these devices to become smarter about their deployment and delivery of Windows apps themselves.

Naturally, Citrix has a vested interest here, because Receiver now supports Windows 10 S installations, which are devices that are part of the Continuum ecosystem. One of the issues for Win10 S is that it is a locked-down OS that only runs the applications delivered from Windows Store. This means if you have legacy Win32 apps on your older desktops, you were out of luck to run them before now. Having Receiver on 10 S gives you the best of both worlds: a more secure desktop that can still run your crusty older apps in a protected workspace.

Citrix Receiver — compatible with Windows 10 S — is built using the Microsoft Universal Windows Platform technology. This was introduced by Microsoft earlier this year and at this link you can find more information on how to build apps and learn from the samples that they have provided. Essentially, what Microsoft is trying to do is create a common core that app developers can use on a variety of other devices, including HoloLens and its Surface line of tablets and TVs.

But the real secret sauce of the universal platform is how it can be distributed using the Windows Store. Microsoft has learned from the Apple Store that app distribution is the real friction for getting apps to actually be used. Universal apps thus come with a built-in marketing bonus.

To make true use of Citrix Receiver, you of course will need XenApp and XenDesktop, running on XenServer or in a cloud-based infrastructure through Citrix Cloud to deliver the complete desktop experience. You can see the video of how this works here:

An update on securing the web browser

When I was at the Citrix Synergy show in Orlando last week, I was interested in tracking down their announcement about their securing web browsing product. I have been interested in secure browsing technology for several years now, mainly because the web browser has been a major infection vector and allows malware to be transported to millions of computers through phishing, man-in-the-middle, SQL injection and countless other attacks. Securing the browsing channel could be a way to stop this madness.

A few years ago, I did a review of several products for Network World, looking at Authentic8 Silo, Spoon’s BrowserStudio, Invincea’s FreeSpace and Spikes AirGap. While the review is outdated, the process that I went through to try to test these products made me realize that securing everyone’s web browsers is a lot harder problem than it first appears.

 

Typically, these products offer one of two approaches: One way is they sandbox, virtualize or otherwise contain the browsing session via several different methods so that any Web pages or online content can’t reach the actual desktop that is being used to surf the Web. A second approach is to replace the usual Internet Explorer, Firefox or Chrome browser software with a specialized browser that is locked down and has limited functionality.

The secure browser might give up surfing speed or not view a more complex website properly. And you still have someone’s regular browser sitting on their PC that could cause trouble. Not to mention that some of these early products did a lousy job at protection.

Citrix has had a secure browser service as part of its Cloud offerings for about a year now. It uses a combination of sandboxing and locking down the browser environment in an interesting way.

While the motivation behind its old and new products is similar, the execution is different, as Brett Waldman in their product marketing department explained to me at the show. The older secure browser (shown here) allows you to secure a specific web app. You set up an instance that ties a specific browser version (such as Chrome or Edge) to a specific app (such as Facebook), and you can add a data center that the browser request will originate from. Once this is done, every time you launch that instance, you will bring up an HTML v5 copy of a browser and be taken to Facebook’s website under just those circumstances. The actual browsing is happening inside Citrix Cloud, not on your local PC. It is a way to lock things down with a specific app. You can think of it as running a stripped-down version of Receiver just for this one app.

But that isn’t good enough and doesn’t handle a lot of situations. What happens if you want more control over your browsing experience that goes beyond specifying a browser type and originating location? Or if you want to run a machine that isolates the browser from the rest of the applications? Or just want to try out a secure browser without loading a lot of Citrix infrastructure? That is where the app layering technology that Unidesk provides comes in handy, and that was what was announced this week with Secure Browsing Essentials, which will be available on the Azure Marketplace. By having layers, you can select exactly which bits and pieces of the browser you want to enable, so if you don’t want Flash or want to block pop-ups or downloads of executable files, you don’t assemble those pieces of code.

Citrix has other “Essentials” products on the Azure Marketplace, which makes it easy for anyone to get started with this technology. PJ Hough, Citrix SVP of Product, said the new Citrix Secure Browser Essentials will be available before the end of the year, with pricing starting at $180 per year (with a three-year subscription for a minimum of 50 subscribed users). Waldman said that this product “gives us a different route to market and to be able to satisfy these other use cases. Because it is on the Marketplace, it can also be more self-service and reach a different kind of buyer, even within an existing Citrix customer.”

How the Okada Manila Luxury Resort Built its Greenfield IT Infrastructure

When you hear about an IT staff that has to build their infrastructure from scratch to support a new business, you think, “That couldn’t be that hard – they had no legacy infrastructure to support. What a dream job.” Well, it wasn’t a piece of cake for the crew at the Okada Manila resort hotel, and in an interview with Dries Scott, the SVP of IT for Okada, I got to see why.

Okada was built on a huge site and is similar to the resort-style properties that can be found in Las Vegas and Macau. It will house 2,300 guest rooms when it is fully built and have 10,000 employees. Scott’s IT department has at least 100 of them full-time — plus contractors — to support 2,000 endpoints and numerous physical and virtual servers placed in two separate datacenters on the property.

Scott actually worked for a few of the Macau resort hotels before coming to Manila, and he wanted to create the ideal IT environment for a five-star luxury hotel. “The biggest decision we had to make was to try to steer clear of having actual desktop PCs as our workstations,” he said to me when he sat down for an interview yesterday. “When you are starting from a clean sheet of paper, you want something that could last 10 to 20 years and want products that could evolve over this time period.” He decided to choose VDI for his endpoints. “I wanted to move away from the usual desktop PC environment, although we ended up having a few of them for our staff. PCs are a pain to manage, because hard drives crash, getting updates and patches distributed isn’t easy, and other issues.” To support their VDI deployment they purchased a variety of products, including XenDesktop, XenApp and NetScaler, HP thin clients and Dell servers.

One of the key enabling technologies is FSLogix Office 365 Container.  “This makes Outlook running on XenApp and XenDesktop able to mount users’ profiles as if they were on a local C: drive, so Windows acts normally and Outlook works like it is running on a regular PC desktop,” he said. This means you get the performance of the virtual workspace but the ease of management too.

Having a VDI solution meant some initial support hurdles. “We had to have a lot of patience with our users, some of whom were using VDI workstations for the first time,” he told me. “I could have taken the easy way out and just bought desktops for everyone, but I knew eventually VDI will pay off and benefit us in the long run.”

One concern Scott had was keeping corporate data secure. Given the market of his resort, he wanted to ensure that customers’ information stayed on the corporate systems; “It is one of our most critical assets,” he said. “Users don’t have the ability to remove any corporate data from the company.” His thin clients locked out USB access, for example, and he also set up appropriate data leak policies too. Through ShareFile, he has other policies for how files can be shared across his staff, and he prevents access to public SaaS repositories, like consumer file-sharing services whenever possible. Finally, he figured out ways to keep data from his construction contractors on his servers. “I didn’t want them to pack up their PCs and leave with my data on them,” he said.


Building a new resort’s IT infrastructure wasn’t as easy as I was assuming, mainly because some IT elements needed to be put in place during the construction phase to support those workers on the job site. This meant erecting temporary buildings and networks and then migrating these resources to the production environment once the hotel was built. “That migration wasn’t easy, but we are just about through that process,” he said. “We have certainly been through a bit of a bumpy road.” One of his recommendations was to use Citrix consulting services in setting up his environment and helping define the appropriate computing architecture. “They can help make everything stable from the beginning and figure out your app and server configurations.”

What helped him pull off this project? Executive buy-in. “Our chairman is an engineer and very much into technology. It was a massive help that he supported our decisions from day one. All he wanted was to implement my vision and he gave me the ability to implement it.”

Blogger in residence at Citrix Synergy conference

This is my second time at the major Citrix annual conference, and I will be posting regularly during and after the show. My first piece can be found here and covers what I heard from a new management team at Citrix. They introduced their vision for the future of Citrix, and the future of work. “Work is no longer a place you go, it is an activity and digital natives expect their workplace to be virtual and follow them wherever they go. They are pushing the boundaries of how they work,” said Citrix CEO Kirill Tatarinov.

My second post is on Windows Continuum. This puts the Windows 10 functionality on a lot of different and non-traditional IT devices, such as the Surface Hub gigantic TV, Xbox consoles, and Windows Phones. If you review the information provided from Microsoft, you might get the wrong idea of how useful this could be for the enterprise, and in my post I discuss what Citrix is doing to embrace and extend this interface.

My next piece is looking at several infosec products that were shown at the show, including solutions from Bitdefender, Kaspersky, IGEL and Veridium. Security has been a big focus at the show and I am glad to see these vendors here supporting Citrix products.

Speaking of security, one of the more important product announcements this week at Synergy was that the Secure Browser Essentials will be available later this year on the Azure Marketplace. This is actually the second secure browsing product that Citrix has announced, and you can read my analysis of how they differ and what are some things to consider if you are looking for such a product.

And here is a story about the Okada Manila Resort that was featured as a semi-finalist for the innovation award at the show. It was built on a huge site and is similar to the resort-style properties that can be found in Las Vegas and Macau. It will house 2,300 guest rooms when it is fully built and have 10,000 employees. Scott’s IT department has at least 100 of them full-time — plus contractors — to support 2,000 endpoints and numerous physical and virtual servers placed in two separate datacenters on the property. I spoke to the IT manager about how he built his infrastructure and some of the hard decisions he had to make. 

At his Synergy keynote, Citrix CEO Kirill Tatarinov mentioned that IT “needs a software defined perimeter (SDP) that helps us manage our mission critical assets and enable people to work the way they want to.” The concept is not a new one, having been around for several years. An SDP replaces the traditional network perimeter — usually thought of as a firewall. I talk about what an SDP is and what Citrix is doing here. 

Finally, this piece is about the Red Bull Racing team and how they are using various Citrix tech to power their infrastructure. Few businesses create a completely different product every couple of weeks, not to mention take their product team on the road and set up a completely new IT system on the fly. Yet, this is what the team at Red Bull Racing do each and every day.

FIR B2B Podcast #72: WannaCry Newsjacking and a tribute to Walt Mossberg

Last week the WannaCry ransomware raged around the world. I go into some of the specifics, and have more on my blog if you want links to the exact operations of the malware and who has been hurt by its attack. There are several great stories from the media about how one British researcher accidentally tripped a kill switch and gave American IT managers a bit of a breather, and how Microsoft has created patches even for Windows XP versions to try to stop its spread. But there are some important lessons for PR pros who want to become newsjackers. Both Paul and I received dozens of emails with insipid quotes and me-too “sky is falling” non-news releases. Instead, the next time one of these events occurs, try to be fresh, be quotable, be unusual, find the story within the story. Don’t just trot out your CEO or expert, but look for something specific that your client can leverage.

Next, we pay homage to Walt Mossberg of the Wall Street Journal. We reference this article in Recode.

Both Paul and I owe Walt a lot in terms of how we approached our own work over our decades in tech, along with how reviews were constructed and how sources were accessed. The Recode article looks at the current crop of mass media tech reviewers and what they owe to the great man himself. We also talk about how reviews have changed over the years and the prominence of Google and the crowdsourced reviews sites. Sadly, vendors today are getting too sensitive about negative reviews, don’t understand that good reviews take money and experience, and think that “placement” is more important than the actual content of the review itself.

Listen to our 21 min. podcast here:

WannaCry ransomware analysis

The WannaCry ransomware worm that plagued many people last week is notable for two reasons: first, it is a worm, meaning it self-propagates. It also uses a special exploit that was first developed by the NSA and then stolen by hackers. It first began on Friday and quickly spread to parts of Europe and Asia, eventually infecting more than 200k computers across more than 100 different countries. It moved quickly, and the weekend saw many IT managers busy trying to protect their networks. One researcher called it a “Frankenstein’s monster of vulnerabilities.”

Most of the victims were using outdated Windows versions such as XP. This map shows real-time tracking of the infected systems, where the bulk of infections hit Russian sites, although Telefónica in Spain was also attacked.

The hardest-hit were numerous hospitals and clinics run by the British National Health Service. Apparently, they had an opportunity to update their systems two years ago but didn’t due to budgets. So far, the best analysis is on The Register.  

WannaCry attack summary and timeline

American sites weren’t infected due to an interesting series of events. A young British security researcher who goes by the Twitter handle MalwareTechBlog discovered by accident a kill switch that stopped its operation. His account of that fortunate happenstance can be found here. Basically, by reverse engineering its code, he found that the malware checks for the existence of a specific domain name (which didn’t exist at the time and which he quickly registered). Once that domain had an operating “sinkhole” website, the malware attacks ended, at least until new variations are created without the kill switch or that check for a different site location. Sadly, the researcher was outed by the British tabloids. No good deed goes unpunished.

The story on payouts

One curious story about WannaCry is the small ransom payouts to date. About 100 people have been recorded paying any ransom, according to the three Bitcoin accounts that were used by criminals. (Yes, Virginia, Bitcoin may be anonymous but you can still track the deposits.) Other Bitcoin addresses could be used, of course, but it is curious that for something so virulent, so little has been paid to date.

Microsoft reaction and mitigation

The malware leverages an exploit that had been previously patched in mid-March by Microsoft and assigned the designation MS17-010. The company also took the unusual step of providing patches for all currently supported Windows versions along with Windows XP, Windows 8 and Windows Server 2003.

Microsoft also recommends disabling SMBv1 and firewalling SMB ports 139 and 445 from the outside Internet. If you haven’t been doing these things, you have a lot of other problems besides WannaCry.
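The two mitigations above can be checked on a single Windows host with built-in cmdlets. The script below is an added example, not from the original post or from Microsoft; the `-Remediate` switch, the helper name `Test-CoversSmbPort` and the rule display name are assumptions made for illustration, and it covers only the host firewall, not a perimeter device.

```powershell
#Requires -RunAsAdministrator
# Added example: audits SMBv1 and inbound SMB exposure on this host.
# Needs the SMB and NetSecurity modules (Windows 8 / Server 2012 or later).
# Pass -Remediate to apply both mitigations instead of only reporting.
param([switch]$Remediate)

function Test-CoversSmbPort {
    # Port filters return strings: '445', ranges such as '135-139',
    # keywords such as 'RPC', or 'Any'. Only explicit ports and ranges
    # are matched here; 'Any' rules should be reviewed separately.
    param([string[]]$LocalPort)
    foreach ($p in $LocalPort) {
        if ($p -match '^(\d+)-(\d+)$') {
            $lo = [int]$Matches[1]
            $hi = [int]$Matches[2]
            foreach ($smbPort in 139, 445) {
                if ($smbPort -ge $lo -and $smbPort -le $hi) { return $true }
            }
        }
        elseif ($p -in '139', '445') {
            return $true
        }
    }
    return $false
}

# 1. Is SMBv1 still offered by the SMB server service?
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
"SMBv1 server protocol enabled: $smb1"

# 2. Which enabled inbound Allow rules admit TCP 139/445 from any address?
$exposed = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    if ($port.Protocol -eq 'TCP' -and
        (Test-CoversSmbPort $port.LocalPort) -and
        ($addr.RemoteAddress -contains 'Any')) {
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Profile   = $rule.Profile
            LocalPort = $port.LocalPort -join ','
        }
    }
}

if ($exposed) {
    'Inbound rules allowing SMB from any remote address:'
    $exposed | Format-Table -AutoSize
}
else {
    'No inbound Allow rule exposes TCP 139/445 to any remote address.'
}

if ($Remediate) {
    # Turn off SMBv1 on the server side.
    if ($smb1) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # Block rules take precedence over Allow rules in Windows Firewall,
    # so this closes SMB on networks classified as Public.
    New-NetFirewallRule -DisplayName 'Block inbound SMB on Public profile (example)' `
        -Direction Inbound -Protocol TCP -LocalPort 139, 445 `
        -Profile Public -Action Block | Out-Null
    'Remediation applied: SMBv1 disabled, inbound TCP 139/445 blocked on Public profile.'
}
```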

Microsoft’s president posted an op/ed blog piece saying “this attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. Users are fighting the problems of the present with tools from the past.” Speaking of the past, they didn’t mention how many people are still running ancient versions of Windows such as XP, but at least should be commended for having patches for these older systems.

Numerous security vendors have posted updates to their endpoint and network protection tools that will catch WannaCry, or at least the last known variant of it. And that is the issue: the hackers are good at morphing malware into something new that can pass by the defensive blocks. One interesting tool is this Python script that will detect and remove DoublePulsar exploits. That was the original NSA hack that creates a backdoor to your system. In the meantime, as I said last week, hope is not a strategy.

Network World: Linksys Velop boosts home network throughput

I take a look at the Linksys Velop Wi-Fi access points. This is the third in my series of reviews for Network World on smart home devices. If you are going to invest in smart home tech, you want a solidly performing wireless network throughout your house. While I had some minor issues, the Velop delivered solid performance and I recommend its use, particularly if you have existing radio dead spots in your home or have to use multiple networks to cover your entire property. You can read the review here. 

Hope is not a strategy

In my day job as editor of the Inside Security email newsletter, I read a lot of infosec stories from various sources: some technical, some legal, some for beginners. But I was struck by reading this piece in Dark Reading this week by this sense of failing purpose, and how IT is at best at parity with our attackers.

The piece is by a security consultant, Mark Hardy. Entitled, 7 Steps to Fighting Ransomware, it does what it says, providing some practical advice for corporate IT managers on how to prepare for the coming attack. Make no mistake: it is coming. All it takes is one person and one careless click and your network is compromised.

Some of Hardy’s suggestions are pretty predictable: make sure your systems are kept up to date on patches. Segment your network to limit the exposed systems that an attacker can easily access. Back up frequently and move the backups offline for further protection. Yeah, yeah, we’ve heard it before. Some corporations actually do these things too.

But one suggestion stopped me in my tracks: Buy some Bitcoin to prepare in advance, in case you have to fork over the ransom on short notice. That was a chilling point to make because it says no matter how carefully you prepare, there is still the off chance that you may have missed something and will need to pay out the ransom.

This is what I mean when I say we are at parity with the bad guys. We are fighting an asymmetric war against them: they have the ability to penetrate our networks and steal our data with a vast array of tools that are only getting better and more finely crafted. There is malware that can operate in memory and hide by using bits and pieces of software already part of your operating system that is very difficult to detect. There is malware that changes its attack signature every second. There is malware that uses flaws in the operating system (such as one that was patched this week by Microsoft, ironically in its malware protection engine program). And there are malware kits that run completely in the cloud, so all it takes is money and a few commands to launch an attack.  So it is inevitable that someday your company will be hit, it is just a matter of when.

Security strategies are forged in the heat of battle when you realize that no matter how many spare copies or protective procedures, something went wrong: your copies are bad, you have mission-critical data lurking on some executive’s laptop that wasn’t part of the backup, or some phisher dangled some bait and succeeded. Game over.

I speak from sad experience. Not over ransomware, but a simple backup error. Many years ago I lost my mailing list server due to a flooded basement. All the content on my server was duplicated elsewhere, offsite, save for one thing: the actual names on my list. A pretty critical piece of information, don’t you think? If that server didn’t come back online (it did), I would be out of business. I didn’t have a spare copy of my list. All it took was a simple command to have that list of names. But somehow I forgot to include that in my workflow. Oops.

Hardy says, “Ransomware is a clear and present danger. Companies can no longer afford to take a wait-and-see attitude. If you’re vulnerable to ransomware and take no precautions to mitigate those vulnerabilities, then the only thing you’re relying upon to prevent an infection is hope — and hope is not a strategy.”  So stop hoping, and start preparing.

Understanding Auschwitz

One of the reasons why we came to Poland in the spring of 2017 was to visit Auschwitz. I have been to Dachau outside of Munich about 12 years ago, but even so was unprepared for this visit. The first hurdle was getting a ticket to the site. The problem: it was the week of Yom HaShoah, and the day we wanted to go was the day when thousands would be participating in the annual March of the Living. Various tour operators were sold out or said the place was closed, so we tried to get tickets for the following days, and they were also all sold out.

There are two ways to visit the place: one is by being part of a group tour, which is what the vast majority of people do. They take you from Krakow (usually), get you a guide that takes you around to the various exhibits and tells stories and answers your questions, and get you back to your hotel. Two of the major tour operators, out of the dozens there are, are http://SeeKrakow.com and https://discovercracow.com.

The other is as an individual. You have to make your own arrangements for the transportation to and from Krakow. There are four public bus companies that run frequent service from the main bus station directly to Auschwitz, and it takes about 90 minutes. There is also a train, but the Auschwitz station is a bit of a walk. We took the bus. If you go this route, you save money (bus tickets are 12-15 zl. each way) and there is no entrance fee. But you have to get there early (say around 9 am), as they sell out quickly of the walk-in tickets. Once you get to Auschwitz, you can sign up for their own tours that the museum offers if you wish, there are a dozen each day in various languages, listed as you enter like an airport departure screen. For some reason, these tours are different than the public tours that the museum has listed on its website. I don’t know why. Also, when you visit you can go to two sites: the original Auschwitz site, where the tickets are required, and Birkenau, where you can literally walk in without any prior arrangement.

Enough of the logistics. You can read this guide here which is very well researched, and offers more pro/con details. I mostly agree with the author’s recommendations. What you should know is that there are so many people walking around that it is easy to leave one tour and join another if you are there on your own. Which is what we did.

One of the guides we met was the patriarch of an Orthodox Jewish family from NYC telling his stories to his grandchildren about his experiences. We stayed with them for a bit, as he has been to the camps numerous times and gives organized tours to Jewish groups quite often. You can check out his website here.

At Dachau, there is some curation and exhibits, but mostly it is restored to what it would look like back during its use. You walk around and get a sense of what life was like back during the war. Everything is pretty much rebuilt, because the German officials in charge of that camp had time and the inclination to destroy most everything before the camp was liberated. I learned at Auschwitz that this was an individual decision: some officials were proud of their work and wanted to leave the place intact. At Auschwitz, much was destroyed. With the neighboring Birkenau camp (which is a couple of miles away), much was left alone.

Even the buildings that were intact after the war are now long gone: they weren’t constructed to last. At Birkenau you got to see the foundations and the remnants of two stone chimneys that remained at each barracks site. One guide told us that these primitive heating systems — essentially a small firebox attached to the chimney — were placed there just for show. They never were lit. People froze in the winter and boiled in the summers. Ironically, like Ozymandias, the stone chimneys remain standing.

Each barracks in the Auschwitz camp has been turned into a different museum exhibit, focusing on the particular national identity of the prisoners and the relief organization that was sponsoring the exhibit: so one hut might contain a memorial to the Dutch Jews, one to the Romanian Gypsies, one to the Poles, and so forth. Each exhibit is curated differently and some are designed simply, others are more elaborate. There is a lot to read, and I imagine that if you are with a group you don’t have much time to spend in each building, plus you spend a lot of time waiting to get in and out of the buildings as the place fills up. None of the buildings is set up in Auschwitz to show its original use: that is the case in Birkenau, where you can see how closely packed the inmates are housed, and how many barracks there are. It would take you probably 20 minutes to walk from one end to the other. If you want to read more from someone who does a better job describing the current state of the camps, check out what my colleague Shelly Palmer wrote in a post he did here in January.

Perhaps the most infamous part of the camps were the crematoria. They have been demolished at Birkenau and have been reduced to a pile of rubble (as you see here), made all the more somber by the thought of what happened there. At Auschwitz (and Dachau) they have been reconstructed, so you have some understanding of what they looked like.

In addition to these reconstructions, the most moving exhibit we saw on our visit was a temporary one about how the crematoria were constructed, from a German engineering firm called Topf and Sons that still is in business today. I never really thought about this in engineering terms, and the problem they were faced with was that the gas chambers could kill more people than the Nazis could dispose of the bodies. These engineers developed higher-capacity crematoria. It was clear from the documents shown in this exhibit how complicit they were in this process and how cooperative they were in designing the ultimate killing machines used at the camps. In this brochure linked to this page above, you can see something interesting: The original engineering plans were unavailable for many years because the archives were purchased from a leading Holocaust denier. When he reviewed the plans, he eventually came around to accept the reality of what happened. Indeed, how anyone can deny that these events of the Holocaust took place is beyond me.

The horrors of the place are made even more so because you are actually there. The crumbling structures make it feel even more intense. Every Israeli school kid goes on a field trip to Auschwitz as part of their education. I think this is a good idea: I wish it was a part of my own education too.

What Schindler represents to us today

Krakow once had a very vibrant Jewish Quarter where tens of thousands of Jews lived before the war. Now there are virtually none, as in many other Polish and European cities. But their presence is very strongly felt: there are numerous synagogues within a few blocks of each other (this one shown here was used by the Nazis as a stable during the war), and remnants of places where they lived and owned businesses. That area of the city isn’t as renovated as other parts, although it does seem to be making a comeback.

My sister and I visited Krakow in the spring of 2017. If you go, you can choose to tour the city independently (which we did) or join one of the numerous tour groups that walk you around the city (which you can easily tag along with). Krakow is the home of Oskar Schindler’s actual metalworking factory, which is now a museum. The factory which was featured so famously in the Spielberg movie is actually across the river from the original Jewish quarter. (BTW, Schindler had a second factory which is also being turned into a museum in what is now the Czech Republic).

If you go to the Krakow Schindler museum, go early especially if you want to see the place and have time to go your own pace. The problem is that the rooms are small, and the crowds large. It is well worth the visit, well curated with lots to read and videos to watch.

Be warned though that most of the place isn’t about Schindler, which I think is a good perspective. Instead, you see the progress of the war through Krakow and how they treated many of the residents subsequently. The exhibits document the original invasion of Krakow by the Nazis in the early part of WWII and how quickly they established control over the city and created the Jewish Ghetto. The number of artifacts from the wartime activities, the photos of both Polish and Germans involved, and street scenes was all overwhelming. I particularly liked the art projects that were created as contemplative spaces, and reminded me of the large Serra sculptures that put you inside of them.

The couple of rooms that documented the life of Schindler are also interesting.  What I learned is how he is a very complex person, that you may not have gotten the first time you read the book or saw the movie. Yes, he saved 1200 Jews and was honored for that later in life, well before the movie came out. (He died in the 1970s.)  But he wasn’t saving Jews just because he had a soft spot for us: he wanted free labor and wanted the profits. Granted, he spent the vast majority of his firm’s profits on bribes to keep his workers alive later on in the war.

He was also an entrepreneur but not a very good one. Almost all of his businesses eventually failed. He was a Nazi spy, joining the German intelligence agencies early on and spying against his fellow Czechs. He was arrested numerous times and barely managed to escape death himself. And he was a rogue, interested in wine, women and having a good time.

But it turns out understanding Schindler is a good entry point to learn more about the wartime era and its complexities. Many people were semi-complicit in terms of outwardly supporting Nazi policies but personally affected by helping to save Jews. Many profited by the wartime business, only to donate vast sums of money to Jewish causes and reparations or philanthropy. It is important to see the shades of gray here.

One tour guide told us that the Spielberg “Schindler’s List” movie (here is an alley that was used in the movie) was a big economic engine that began in the mid-1990s after the movie came out. While it has taken time for this development to get started it can be seen as a lot of construction is happening and the original Jewish Quarter of Krakow now has a solid bar/club scene which is always a sign that the neighborhood is on the way up. At the local flea market, one table was filled with Nazi memorabilia. Not sure if genuine or reproduction, but either way somewhat unsettling.

If Krakow has any downside, it is because it attracts too many tourists and the infrastructure just can’t support the hordes. The vast majority of tourists come there as part of groups and so the big attractions, such as the salt mine, Schindler’s factory and Auschwitz have to cater to them, leaving little opportunity for independent travelers such as Carrie and me to get in and maneuver around them. I guess this is a good problem to have but it means if you want to see these sites you need to plan a lot further ahead than we did.