2966 posts • joined Monday 31st May 2010 16:59 GMT
I don't think that you and I differ too much here. I think you are dead bang on correct about Google; they make "best effort" for continual uptime without going balls-to-the-wall crazy about it. They aren't willing to put themselves out of business trying to obtain the impossible.
But that’s my whole point! If Google – of all companies – can’t maintain “perfect’ uptime without breaking the bank, then no company on earth can either. I hold Google up because Google has entire divisions dedicated to continually refining their high availability technologies. They have “given more back” to the community in terms of high availability technology than any other company in recent times.
People are less forgiving about downtime…but I think mostly they are unforgiving about /unschedualled/ downtime than anything. My ISP will periodically send me an e-mail that says “oh, and BTW, one month from now, on this date, we’re nuking the net for 30 minutes between 03h00 and 03h30 Sunday morning. I’ll get a reminder a few days before the event. Even if I plan to be up that night, I am not upset when it happens, because I was given adequate warning, and they get it done (more or less) within the appropriate timeframe.
So what is “mission critical?” Visa can’t keep their net up all the time, and without Visa’s network the world’s economy might actually collapse. Stock market femtosecond monetary masturbation stations loose millions of dollars for every *minute* of downtime, and they are still not showing “perfect” attendance.
Thus I think “mission critical” is pretty much dead bang on defined by Google: it’s the “best effort” uptime based on what your budget and technology will bear, within the boundaries of what your customers will tolerate. What your budget, technology and customers will bear are completely different not only company by company, but often department by department within the same organisation.
(That said, Google does a spectacularly piss-poor job of scheduling downtime and keeping customers informed. Then again, so do Amazon, Sony, Microsoft, Apple...)
Alternate definitions are of course always welcome!
I have had a few PFYs...
...and I do work side by side with another systems administrator at my day job. His name is Peter Washburn. He is a proper bastard in his own right, and I am proud to say I learn as much from him as he does from me. You couldn't ask for a better sysadmin, in my opinion.
As to the audio quality...recorded skype. Not always the best thing in the world. I was using a proper headset though. Used this: http://www.zalman.com/ENG/product/Product_Read.asp?idx=213
Does come with a proper microphone. Will work on this for next time.
Please do some research on "Remote Desktop Gateway," formerly called "Terminal Services Gateway." I believe that this will suit your needs. As of Server 2008 R2, it works in conjunction with Hyper-V to assign not only terminal services sessions from a pool of terminal servers, but can also serve up Virtual Machines from pools you define.
I have never - honestly, not once in my life - believed something was "better" because it was new. I viciously and vociferously mock people who equate "new" with automatically "better." So I will take your comment in stride and try to do better next time.
As you pointed out, the article really was largely aimed at “reminding folks of some of the more significant developments of the last 15 years.” This article was never really meant to be a standalone: it is part of a series of interrelated articles. It is possible you have not read my previous articles on the topic that do go into far more depth on many of the issues you raised. Here are links:
As to “was there a problem in the first place,” well...yes! The problem is the same as it has always been: how to most efficiently deliver IT services. There isn’t “one true answer” to that problem; cloudy services are just one more tool in the toolbox. Neither innately good nor bad for their recent appearance; cloud computing must be viewed with the same sceptical eye we would use when analysing any technology.
Check these out:
They flesh that bit out better, I feel.
86 articles total. 1 Didn't make it. Of course, this is probably because my editor takes the time to bounce them back when they're bad. Now, when talking about work e-mails that I wish I had editied a little before sending, that's a whole other story...
That is a good question.
It also relates not only to some of my own musings, but some issues I will soon be faced with as a minor cloud provider via my day job. Investigation required; I'll put it on my list!
I'd love to take all the credit...but I really can't. Any skill I have – and the quality of the polished, finished product – exists only because due to the patience and hard work of the excellent individuals who edit my articles.
Also: this article - as well as many others - was written at the pub. I find that writing at home has too many distractions. Writing at work tends to lead to getting interrupted by support calls. Writing at the pub is oddly peaceful. Nobody bothers you, the glass of Diet Coke is never empty...and when you're done you can reward yourself with a beer.
The great thing about writing for a tech magazine is that somewhere in the neighbourhood of 75% of all the research that needs to be done can be done from a tablet at the pub using RDP. For example: taking the time to sign up for various cloud services, create instances on them, play with their management tools, try to break them, etc. So when I head to the pub tonight, I’ll raise a glass for you, sir, and other other readers who enjoy my pub-written research. :D
Closer to $5/GB if you go over your (very low) limits. In some cases as high as $10/GB.
Internet in Canada is ass, and it's only going to get worse under Harper.
Simplecloud but one example. Other projects exist.
As to Spiceworks, if you can't find a plug-in or feature you need...ask! You might be suprised at how helpful both the community and the company can be.
"OTOH, should we push for a single unified API to do "cloud-y" things? Discuss."
"Apropos ticketing systems, find me one that will have true "email integration", meaning I can do bloody everything conceivable with it through email without ever having to touch any other interface."
Spiceworks isn't quite there yet, but it is very close. Spiceworks has an active community who often create plug-ins and extentions to the product bringing functionality the core application doesn't have. Spiceworks themselves are also very open to working with the community to meet feature requests.
Well, let's look at this a little:
First: WEP. WEP is terrible. WEP and WPA both are easily cracked, WPA2 personal being within the "possible but unlikely" range. Had the company in question been secured with WPA2, this game would have been over before it began.
Second: Signed binaries on the router. Had the router's operating system design taken into account the idea that eventually people would find a vulnerability and root the system, they would have implemented a process of signing their binaries. Any change to the binaries (so as to add software for a man-in-the-middle-attack, for example, ) would be rejected as compromised code. It might result in the router bricking itself, but that's better than allowing an attacker to gain a foothold.
Third: HTTPS. While it’s true that with some SSL scenarios, you can pick up the encryption keys (or information passed to the server from the client) if you get there as the session is set up…you certainly can’t decrypt an SSL stream with the processing power available to you on a broadband router. (I have my doubts you could do it in real-time even with a van full of equipment; the wireless bandwidth would be the limitation to attacking SSL with rainbow tables.)
If you can’t pick apart the steam, you can’t inject code. If you can’t inject code, you can’t compromise the browser, root the Mac and install a bunch of lovely world-ending crap. (It was this crap that got browser-injected that eventually scraped the banking passwords.)
There are other cases where encryption saves the day for other breach scenarios, but any of these would have saved the day here. Simple things that – in my mind – the end user should never be responsible for. Setting up strong wireless encryption should be simpler than Bluetooth pairing. For *some* modern routers, it is. Routers should be designed with security in mind; they are lovely targets; manufacturers should be locking them down tight and signing binaries. Lastly…everything everywhere should be SSL forever. We need to stop assuming that the communications channel between our customers and our cloud services are secure. They aren’t. There are so many ways to intercept that stream that we need to consider it a /public/ communications stream and encrypt all interactions.
That’s where that 25% comes in. Cloud providers are afraid of the overhead on their side of the equation if they not only enable SSL, but make it the default. It is where – quite frankly – cloud providers are failing their customers.
Quite a bit of vitriol. Let us examine some of it. FIrst off, full disk encryption (even using trucrypt) can be a much higher CPU hit than 3-4%. Many factors matter here. How fast is your CPU? DO you have a TPM on that system? Drivers and such loaded so that your applications can take advantage of it?
As stated in the article: encryption overheads don't have to be anywhere near the traditional 25% hit. It is however a number frequently brought out by people who believe that encryption is a waste of resources. In the case of this Mac Powerbook G3, full-disk encryption cheerily would be 25% of the CPU. Quite probably more.
Next, I am lacking an understanding of how pervasive encryption became a "mantra." It is true, I believe it should be used in more places than it is...but it is but one tool amongst many. There are plenty of elements of encryption that these businesses can undertake without any real budgetary impact.
The burden of encryption should not belong to end users alone. Cloud services – from gmail and twitter all the way to EC2 and Azure – should not only be offering SSL as a possibility, but redirecting every HTTP request to HTTPS. You should have to choose to use an unencrypted communications protocol – after a warning pops up to tell you the risks – rather than the other way around. The burden here in my opinion is largely on the cloud providers themselves; one they shoulder only very reluctantly, it seems.
Another point of interest: you rightly point out that sticky notes are not a bad thing in and of themselves, physical access is required, and the attacker would have to see them to use them. Simply putting the commonly used passwords on a sheet of paper, placing it inside a folder (that everyone at the workplace knows about) and putting it inside the filing cabinet beside the computer desk is a marked improvement in physical security for very little additional work.
As to the consulting job itself, here is how it played out: Updating the PowerBook’s software – most importantly the WiFi drivers – to be able to use WPA2 was my very first step. Next was simply junking the router and getting something that could support WPA2. After this, I introduced them to Firefox, and lovely plugins like https://www.eff.org/https-everywhere/
I set them up with dropbox and a scheduled task that zipped up their critical 20MB of information every night into an encrypted ball and moved it into the dropbox folder. A second scheduled task prunes backups older than 3 months. All their sites are set up on this now; it has already saved their butts when one of the old powerbooks dropped its disk.
These are cheap solutions, all involving just a little a bit of encryption that – while not the perfect or ideal solution – add a layer of security overtop the impenetrable user apathy that exists at this business. Most importantly, it cost them only one cheap replacement wifi device per site. I didn’t even charge for the three hours of my time.
It should be pointed out that even at that, they were exceptionally reluctant to spend money on IT. This is a company where store managers much update all the accounting spreadsheets, put the numbers into the accounting program, then print out the statements and fax them in to the accountant. Why? The accountant refuses to own a computer and keeps all records by hand on a 30-column ledger.
We can’t ignore that these businesses exist. You state you are a freelancer and speak of advertising and winning business. Well it is for yourself and other freelancers that I feel writing such articles are important. I hope that it is a bit of cold reality to remind all freelancers and consultants “these people are out there.”
Myself, I am not. I end up taking these jobs not because I am a consultant, or because I need/want their money. I do it because I feel a weird sense of duty; an obligation to help the technologically impaired. I have the ability to lend a hand…why wouldn’t I?
So sir, pervasive encryption is not a mantra, nor is it overly burdensome or expensive…except to cloud providers who are not taking full advantage of cryptoprocessors in their infrastructure. It can however – like the airbag mentioned elsewhere in this thread – be an important safety measure when others have failed.
HTTPS doesn't add 25% at the user end, but rather to the cloud provider's end. Google, Oracle, Twitter and others have made mention of this overhead. Specifically, it is used as a reason not to enable HTTPS by default on their services. (Or in some cases, even offer HTTPS at all.) That said, any decent cloud provider would in my mind be designing upcoming systems with this in mind; installing cryptoprocessors and ensuring that they have the ability to offer encryption to their customers as a standard, without a great deal of additional burden on their datacenters.
Sir, I respectfully request you consider the geocentricity of your statements. PCI DSS is not law in Canada. Even if it were, no one would enforce it here. As a small business administrator here in Canada, I have seen this and far, far worse. What I relate is not a tale made up out of thin air. It is a tale based upon what I have seen with my own two eyes.
Seen, because when they found out something was splork (tens of thousands of dollars later,) they called a friend who called a friend who called a friend who referred them to me. You make some large assumptions about people, businesses and the technical capability of both. The majority of people aren’t IT nerds. They really, honestly do only care that it “just work.” They don’t want to – and will stubbornly refuse to – learn more than the bare minimum required to get the task done.
In this case, for all the “just do X, problem solved” comments one could lob…it doesn’t change the fact that A) a great many people don’t know that and B) a largish % of those same people wouldn’t do anything about it (until it bit them in the ass) even if they did.
I don't know why some people read an article like this and come away with "encryption is the only answer; the only solution you need!" I think it’s a tool, an important and useful one that we shouldn’t be working without. I believe it should be on by default. It’s use could prevent some easily-avoidable wetware errors such as the one detailed in the article.
It is by no means foolproof. Tape a clipboard to that airbag and you might well get a chance to watch Darwin in action. Still, if the user doesn’t have to install and configure the airbag on their car, there is a reasonable chance that – barring some world-ending clipboard-esque stupidity – that airbag will be there and functional when it is needed.
An Airbag doesn’t guarantee your survival in case of an accident. If you screw with the design of the airbag through apathy of idiocy you can render it useless. I see encryption the same way; a form of digital airbag. It isn’t guaranteed to save you, but it might just help when the brakes (wetware education, training and corporate procedures) fail.
The difference here is that you don't have to install and configure the airbag yourself. Cars are designed with the idea in mind that the end user down't know how to maintain them. We also have decades of a culture wherein "if you don't understand how to fix your car on your own, bring it to the mechanic on a regular basis."
That culture has yet to spread to computers, as does the idea that they should be simple to use. Worse yet, computers don't come out-of-the-box configured for safety. Nor to several cloud services. That the option for better security exists helps not at all if the end user knows nothing about it.
IT folk love to blame the user. They love to blame the business owner. They like to blame everyone and anyone excepting themselves. Security should be built-in, on by default and easy to understand from the word “go.” In some cases, great strides have been made. In others, even the most basic precautions aren’t followed.
There is still much work to be done; I believe that applies to all sides of the IT problem. Developers, device manufacturers, service providers, sysadmins and yes...even the end user. I don’t believe any link along that chain can reasonably be expected to bear the entire burden alone.
They did. Fortunately, Domain Admins could still turn the proxy settings off for thier user. End users couldn't. You're right though; Windows XP has no wget. If the Domain Admin couldn't change the proxy settings, I would have been Q_Qing into my coffee.
Absolutely no idea. I was a subcontractor. Some dude out of the center of the universe asked me to look at this, as he had no other wetware in my city. He was managing wetware packets all over the country, and I get the feeling we weren't the only country involved in this particular change.
I am not even sure if the fellow that contracted me for the job was directly contracted by the company that owned the network. I got the distinct impression there were /at least/ two layers of contractors above me. Maybe as many as four.
Who installed the thing? Haven’t the foggiest. What I want to know is...why the sweet merciful mother of fnord this all couldn't have been done centrally? The client systems had Teamviewer installed, but the Fortinet box programmed by the follower of Cthulhu was blocking the Teamviewer client from calling home. (How hard is it to whitelist Teamviewer's servers, really?) This sort of thing should have been handelled from a central location, using a remote control app.
I mean, for the love of $deity, these were XP Pro Systems. On a domain! They have RDP capability built into the OS that is controllable via GPO! Why they needed a tech onsite to do a simple rename/readdress/reinstall of an Office ab is absolutely beyond me. Not htat I mind. In theory I'll get paid for this. It just makes me go "hmm..."
Sounds like a corrupt TCP stack. NOt so common anymore, but it does happen.Remove IPv4 *and* IPv6 from all NICs. (Don't forget 1394!) Reboot. Re-add IPv4 and IPv6 to all NICs. Alternately, sometimes Start --> Command --> SFC /SCANNOW will solve it.
I don't actually mind "Powerphones." If I remember after running errands today, I'll plead with Her Wonderful Self and see if she'd be so kind as to set up a Register Reader Poll with a few possibilities. Maybe we the commenters can put the issue to rest once and for all?
USB Host mode
I have had a lot of people email me asking about getting a superphone to use an Ethernet port. (Some have outright accused me of lying; that it can't be done.) There are calls to detail the step-by-step procedure on how to get it done.
I'll be 100% honest with everyone here when I say "I don't remember how I did it." I have been hacking at the thing for so long, I cannot honestly remember which bit of code I slung to get it to work. I can give you a starting point, however. I started this journey here; http://forum.xda-developers.com/showthread.php?t=702742
Here is where you can get the bit of precious that lets you put your desire into USB host mode. This is where you get the ability to attach devices and make the thing run wild. I have a friend with an APad orphan M16. This unit comes with a USB Ethernet dongle that /works/ with its Android. I lifted the drivers from there and with some work got it to work on the Desire. (I required a custom modified USB cable that derived the power from a battery pack.)
The entire project is nowhere near finished and ready. I would not at this time be very interested in attaching my name to it. (El Reg commenttards are notoriously brutal when it comes to any project that isn’t absolutely perfect without any observable flaws. Even then, a dozen or so with start in with the “what’s the point.”) I’m just a sysadmin; not the kind of hardware or software hacker that does really neat things like write Cyanogenmod, cracks a PS3 or creates a one-click jailbreaker for some piece of iTat.
So I politely decline to do the write-up on my efforts; they are at a very early stage…and others within the Android community are much further along. I will leave the interested with some valuable resources that helped me along the way:
I hope that helps some truly interested soul on his path to hardware hacking glory!
@Henry Wertz 1
You get used to it. After seventy some odd articles I've (finally) learned the truth: there's at least one in every comment thread. Some folks are just contrarian. What makes this particular gripe amusing to me is that I never set out to "coin a term" at all. I see a notable difference between smartphones and superphones in terms of the attack risk they represent. As a systems administrator defending my turf, they are two completely different animals.
Other parts of the internets have been calling these new gizmos "superphones," but it's largely been a marketing term. NO attempts to actually define it have taken place. I figured, "what the hell; I lack a better term for this new class of devices." At least I defined what I believed the term represented. I'll be happy to use a different term if anyone can come up with something better.
The issue I think the commenter takes is that he doesn't believe there is a separation between old-school smartphones and modern superphones. We will have to remain at odds on that, as I must respectfully disagree with him.
No, not all boards support CMOS reset. There are several available for the paranoid with the batteries soldered on. Specifically so you can't reset them..
I write about the whole superphone-as-cracking-tool not because I think it’s a theoretical exercise worth mental masturbation. I write about this because I have had seven separate incidents in the past month where I have been legitimately called upon to break into someone’s network/local computer and the only tools I had available were my HTC Desire, a MicroUSB cable and my MicroSD to USB adapter.
I threw the USB-to-Ethernet dohicky in there largely because right after I rooted my phone I putzed about with the USB port going “hmm, what can I make this blinking thing do?” I did get it to use a USB Ethernet NIC…with much effort. I have however not been able to get the bloody thing into promiscuous mode. Yet. I do not doubt for an instant that someone with a Nokia device and way more skill has already gotten light years past me on this.
So the risks of superphones aren’t theoretical for me. I’ve had to actually use them in practice.
For all the jokes about paranoia, there actually are out there creepy dudes who have their systems set up to reboot into an infinite DBAN loop based on either remote commands or unauthorised physical entry. I have actually met folks like that. Security is a balance; like hell I'd go that far at my day job. Working at a bank, however...it would be a serious consideration.
The part that hurts is that the paranoid blokes with the e-security fetish that I know are all sysadmins for post-secondary institutions. Faculty admins largely responsible for the client side and a few scattered local file storage systems. Creepy folk. I worry about the kind of mischief some of the sysadmins working in the office right next door could get up to if they so chose. These folks worry about three-letter agencies.
We’re talking people who with a straight face argue that everyone everywhere should be running line-of-business applications from within hidden partitions inside encrypted files residing on a fully encrypted drive whilst forcing encryption upon all web and email services. Forget passwords; they prefer minimum three-factor authentication using a password, physical token and biometrics. For a professor to update a schedule on a bloody secure intranet! That’s paranoid.
I think they’re way, WAY past supergluing the USB ports shut. ;)
You cannot fight a determined attacker with physical access.
...but you can make the bugger work for it.
We have a backup administrative user. The password for which is written down on a piece of paper and kept in a saftey deposit box at the bank that the senior staff have access to if something Really Bad Happens. I believe it's also where critical things like insurance documents and other things required in case of Emergency are kept.
My personal safety deposit box contains my will, insurance information, etc. as well. (Along with whatever bits of precious I own.) Doesn't everyone do this? Banks are kind of paid to take the "physical security" bits off your hands...
I should also point out that a great many of the attacks against the local system I have been able to come up with using my phone are thwarted by some kinds of disk encryption. It just goes to show that there are a lot of good answers already in existence to the kinds of security problems that people wandering around with phones/laptops/flash drives/etc. can pose to your systems.
However, they only work if you purchase and – critically – actually implement them.
Not all boards support it. Also; it can take a lot longer to get into a system and do this than you might want to expend. Furthermore, you can always pull out a USB stick and reboot a system you were working on in a flash if someone walks down the hall. Try explaining a disassembled PC away. ;)
I think that CMOS resets are still time consuming enough and awkward-looking enough to be dismissed as a possibility in most situations. The number of folks who know how to toss a Linux distro on their pen drive however are growing…
I find it truly terrifying how few people do this. It seems everyone forgets to set the system to “boot from hard drive only” and then password protect the BIOS. Even those few that password protect the BIOS still seem to leave the things configured to boot “CD-ROM, Removable, Disk, Network.”
I am not saying that a phone pwns everything. I am saying that they are now at least as useful as a netbook or most laptops at getting the job done. Proper security will of course minimise or even eliminate the threat...
...but they are a threat. Exactly as much as someone wandering around your office with an uninspected and uncontrolled Laptop would be.
Wonderful bit of security. Pity noone uses it. Would solve a great many attacks. From phones, laptops, you name it!
My Desire cracks WEP just fine.
If you know enough about cars you can baby one along for over a hundred years. Most people don't. If you know enough about comptuers to alter your work methodology when using Windows, you're also perfectly capable of both using operating systems like Linux and digitally cleaning up after yourself.
@ Chris 244
Well, I do drive down to Vancouver once a year. Edmonton --> Prince George --> V-Town --> Cowtown and home again.
Takes a little over a week to do the circut, with only a could of days in V-town and a couple of days in Cowtown to get things done. I do agree however that Edmonton --> Seattle for a big of kit is madness. The fuel alone would be worth more than the gear!
I am not an Apple hater
I simply have requirements Apple refuses to meet. Such as the ability to actually cut down on the number of devices I use. I need to be able to use my tablet as removable storage. I need to be able to carry around more than 64GB of media. (I refuse to cart a laptop with me on vacation for no reason other than to have my library available to sync with iTunes!)
MicroSD cables are /everywhere/. iPad chargers are not. So in short: give me a standard MicroUSB interface, access to the filesystem of my device, and support for removable media, or give me death!
If Apple's iPad 2 has all these things, I'll be the very first person in line. I promise. I'll take pictures.
Yeah, but have you noticed how it's all melting, only to re-freeze tonight? They sent the graders through Beaumaris yesterday, but there's still 15cm of solid black ice on the roads. I've no real yen to see all the snowbanks melt back onto the streets only to add another quarter metre of ice.
Wake me when the snow is not only gone, but the city is significantly less /brown/. As bad as winter is, spring is worse. An entire city covered in sand. Sand and rain and sleet and more sand.
- Apple's spamtastic iBeacon retail alerts launch with Frisco FAIL
- Submerged Navy submarine successfully launches drone from missile tubes
- Cache in the Attic El Reg's contraptions confessional no.2: Tablet PC, CRT screen and more
- Developer unleashes bowel-shaking KILLER APP for Google Glass
- Pix Astroboffins spot HOT, YOUNG GIANT where she doesn't belong