Get secure with Steve Riley

Links to my Windows Connections presentations

Steve Riley — Fri, 13 Nov 2009 00:52:32 +0000

Several of you have asked for copies of my presentations from the autumn 2009 Windows Connections. Because I’m using the online tool Prezi, I don’t have traditional slides to give you. I have, though, shared the presentation files for everyone to see. The links are below.

Thanks again for coming to the talks. And be sure to look for my Windows-related guidance for using Amazon Web Services. I’ll announce here and on the AWS blog when each paper is published.

Posted in Amazon Web Services, presentations, Windows Connections

I’m presenting at CloudCamp Phoenix

Steve Riley — Wed, 21 Oct 2009 17:37:42 +0000

This Saturday, 24 October, CloudCamp is coming to Phoenix. CloudCamp follows a unique format, I’m pretty excited to participate. It starts with several five-minute “lightning talks”; the Phoenix event will have five, and I’ll deliver a rapid overview of cloud security in Amazon Web Services. After the lightning talks is a panel, followed by two breakout “unsessions.” The unsessions are attendee-driven; I’ll focus on general cloud security/compliance and AWS specifics, so come prepared with your toughest questions. Hope to see you there!

CloudCamp information
CloudCamp Phoenix details
Register for CloudCamp Phoenix

Posted in Amazon Web Services, cloud computing, cloud security, CloudCamp

Puget Brass in concert

Steve Riley — Wed, 21 Oct 2009 16:50:14 +0000

Last year I joined a British brass band here in Seattle, called Puget Brass. I’m a long-time French horn player; since British brass bands don’t have French horns, I learned to play the baritone horn. Our first concert of the 2009-2010 season is this weekend. We’re performing a mix of traditional and contemporary pieces. If you’re local to Seattle, or traveling here, and would enjoy some high quality cultural entertainment, I’d love to see you come.

Date — Sunday 25 October
Time — 2:00 PM
Location — Plymouth Congregational Church, 1217 6th Ave (at University St), 98101 (map)

Posted in music, Puget Brass

Payroll attackers add themselves

Steve Riley — Sat, 17 Oct 2009 21:24:57 +0000

As a follow-up to my earlier post recommending a procedure for discovering and removing payroll fraud, I’d like to point out an article in yesterday’s Threat Level:

A payroll-processing firm that was breached by hackers last month is warning customers about a new breach, after some clients noticed phantom employees popping up on their payrolls.

New Jersey-based PayChoice sent a message to customers Thursday indicating that thieves appeared to have stolen customer login IDs and passwords by exploiting a vulnerability in the website feature for changing a password, WashingtonPost.com reports. PayChoice said it disabled the change-password feature until it could fix the vulnerability.

The company discovered the problem after some of its payroll customers noticed bogus employee names being added to their payroll lists, in an attempt to get the companies to pay those “employees” through bank accounts controlled by the fraudsters.
Posted in attacks, malware, phishing, risk

Newly published: Amazon Virtual Private Cloud scenario paper

Steve Riley — Mon, 12 Oct 2009 22:48:42 +0000

One of the coolest new features of AWS is Amazon Virtual Private Cloud. With Amazon VPC you can securely extend your corporate network into the cloud. You can maintain ownership and control of the information, you can provide the IP address range, you can control access and security using your existing tools and products. An IPsec tunnel-mode security association protects the data communications between your network and your Amazon VPC cloud. You can join your Amazon EC2 Windows instances to your domain and manage them with System Center.

I’ve written a paper that describes several scenarios that fit well with Amazon VPC. Please give it a read. And if you’ve not yet tried AWS, perhaps this will give you a few ideas of projects that fit with your IT plans.

Whitepaper: Extend your IT infrastructure with Amazon VPC

Posted in Amazon Web Services, cloud computing, management

Oklahoma lawmakers violate privacy of women

Steve Riley — Sat, 10 Oct 2009 21:22:09 +0000

Absolutely unconscionable. In a blatant play to shame women away from perfectly legal medical procedures, the Oklahoma legislature passed a law that will collect and publish personally identifiable information about each woman who receives an abortion in that state. What’s included:

Date of abortion
County in which abortion performed
Age of mother
Marital status of mother (married, divorced, separated, widowed, or never married)
Race of mother
Years of education of mother (specify highest year completed)
State or foreign country of residence of mother
Total number of previous pregnancies of the mother

Not included is the woman’s name, but given the number of small towns in Oklahoma, deducing her identity will be easy. Also not included is the name of the father. One could surmise this is to conceal the identity of randy state politicians, but that would be…um…correlation without causation, no? (Riiiiiiiiiight.)

I really don’t understand why people continue to vote for politicians who actually think laws like this are good ideas. This law is going to cost taxpayers a quarter of a million dollars every year. What public benefits will the state’s residents receive? Certainly not any increase in public safety. If anything, one potential outcome of the law might be an increase in lynchings — wingnuts might very well locate, harass, even kill anyone they can identify on the list.

Stupid.

There’s an effort to kill the law. Let’s hope it succeeds.

Posted in freedoms, law, privacy, public policy, things that make me angry

Your opinion: external out-of-office replies

Steve Riley — Tue, 06 Oct 2009 05:45:27 +0000

Earlier this evening I sent an email to a list of acquaintances. Along with the expected NDR or two, I received several out-of-office replies. This surprised me: I assumed most people realize sending out-of-office replies beyond their organization creates vulnerabilities. Now I’m curious about how pervasive the practice might be. So, dear reader, please answer this poll about whether you or organization uses external replies and what your opinion is of them:

.
I think they’re dangerous. They frequently offer plenty of information for a bad guy to cause a lot of mayhem. Here’s a sample:

Good day. During 26-31 December 2009 I’m on vacation with my extended family enjoying the sun and triple-bogeying my way to the 19th hole in Cayman Islands. I’ve left my mobile phone at home, too. If you need any assistance, please contact Alice. I’ll answer your emails and calls when I return. –Bob

So what have we learned about Bob?

Bob is far away from home for six days.
Bob and his family departed the day after Christmas, so his house is probably full of brand new loot.
Some of bob’s sibling’s families, and his parents, are also away from home. Their houses are probably full of new presents, too.
Bob’s shiny new smartphone is sitting on his kitchen table, next to the keys for his wife’s attractive new BMW parked in the driveway.
Bob must have a lot of money, why else would he go to the Caymans?
Bob’s a major golf nut, but most likely he’s better at drinking than driving.
Bob probably left his computer on. I’d bet his bank password is “golfgolf.” (Bob must work in sales.)
Bob is a moron.

Now I certainly never let fear motivate decisions of mine, but I’ll admit that external out-of-office messages worry me. Internal replies don’t: it’s reasonable to trust one’s colleagues and internal replies help people understand why your emails are delayed. The risk created by external replies outweighs their usefulness, though. If Bob were smart, he would have individually informed business associates about his short absence so they’d know when to expect pending work to resume. Blasting details about your empty house to anyone who pings your mailbox is just stupid.

Posted in attacks, risk, threats, vulnerabilities

Cloud for the enterprise

Steve Riley — Mon, 05 Oct 2009 21:46:38 +0000

Amazon Web Services is coming to Los Angeles and New York with half-day afternoon events especially for enterprises. I’ll be there, speaking about security and concluding with some remarks on how the cloud is changing delivery of IT services. Click on one of the links below to register. The events are free — hope to see you there!

Los Angeles – Thursday 15 October – Sofitel Hotel, 8555 Beverly Blvd, 90048
New York – Monday 19 October – Marriott Downtown, 85 West St at Albany St, 10006

Reasons to attend

Gain a deeper understanding of Amazon Web Services, including best practices for architecting and securing applications in the cloud
Learn how AWS can help you quickly and cost-efficiently scale IT infrastructure capacity to meet growing business needs without incurring resource costs when demand is low
Hear enterprise customers talk about their experiences and successes with Amazon Web Services

Who should attend

Technology and business stakeholders of enterprise companies, including CTOs, CIOs, VPs, directors, program and product managers, architects, administrators, lead engineers, and IT managers

Agenda

12:30pm – 1:30pm: Doors open; partner and solutions expo
1:30pm – 1:40pm: Opening statements
1:40pm – 2:20pm: AWS overview by Dr. Werner Vogels, Amazon CTO
2:20pm – 3:20pm: Customer presentations and Q&A
10 minute break
3:30pm – 4:00pm: Security in the AWS cloud
4:00pm – 4:40pm: Architecting enterprise applications in the cloud
4:40pm – 5:00pm: Getting started with the AWS cloud
5:00pm – 7:00pm: Networking and cocktail reception

Posted in Amazon Web Services, cloud computing, events

Who’s on your payroll?

Steve Riley — Mon, 05 Oct 2009 00:27:29 +0000

Do you know for certain that everyone on your organization’s payroll is actually employed by your company? Are you sure? Payrolls have long been tempting targets for attackers. It’s where the money is. Anyone with sufficient access to the payroll database could secretly add a buddy or two; probably no one would notice. The buddies kick a bit of their “paychecks” back to the sleazy employee. This could happen to organizations of all sizes — to avoid detection, people scamming small companies keep their payouts low, while those pilfering from large organizations can get away with greater amounts.

A few days ago we learn that payroll processing and software firm PayChoice got attacked:

In a Sept. 28 e-mail sent to customers, PayChoice indicated that the hackers had obtained e-mail addresses as well as login IDs and at least parts of passwords for account holders using the OnlineEmployer.com web site.

The hackers wasted no time in using the information to trick the customers into relinquising the remainder of their passwords. Customers…received targeted phishing e-mails telling them they needed to download a plug-in to continue using the OnlineEmployer web site. The e-mails referenced the customer’s log-in username and part of their password.

The plug-in, however, was actually a password-stealing Trojan [TrojanDownloader:Win32/Bredolab.X]. When customers clicked on a link in the e-mail taking them to a site hosting the plug-in download, the site searched for vulnerabilities to exploit in the user’s browser and other applications that would allow it to install the malicious software onto their machine. The malware exploits the Internet Explorer browser as well as Adobe Flash and Adobe Reader applications.

While not the same as inserting fraudulent entries into the payroll database, it shows that attackers aren’t exactly stupid about picking their victims. Phishing attacks urging victims to download and run malware are nothing new. I’ve told the story many times about how attackers used a similar tactic in 2004 to siphon money out of the online accounts of e-Gold customers:

Win32.Grams was directly spammed to potential victims, in the form of an attachment containing an encoded Visual Basic script with a .vbe extension… When run, the VB script downloads a file from http://onestopgpt.com/media.exe (no longer available), saves it as svhost.exe and executes it.

Because the trojan automates the burden of siphoning money from the accounts and does it from the victim’s own computer, this method of account looting bypasses all authentication methods employed by the banking institutions, and is therefore expected to become very popular – however, due to tagging of certain browser fields, the automated sessions can still be detected by the financial institutions using backend analysis systems (for example, the Corillian Fraud Detection System).

Since the trojan uses the victim’s established SSL session and does not connect out on its own, it can bypass personal and corporate firewalls and evade IDS/IPS devices. Anti-virus engines may detect some trojans, but signature-based solutions will always have a lag time, and will never reach 100% detection. At the time of this writing, only 5 out of 9 virus scanners tested detected the trojan file.

Back to payroll attacks. If you think your organization isn’t vulnerable, think again. A few months ago I received an email from someone whose IT department hired a consultant to investigate potential insider attacks. The writer mentioned the consultant must have been to a seminar of mine, because the first thing he did was recommend a procedure I’ve long advocated: periodically run manual payrolls.

Announce the date in advance so everyone can be ready. On that date make no direct deposits of paychecks. Instead, employees must appear at a designated location in person, with valid employee ID, to claim paper checks. Give yourself a week to complete the process. Any checks remaining in the box have been going to people who no longer — or never did — work for you.

Jesper has frequently recommended this too; a few years ago he got a call from someone who followed the advice and was shocked to see what remained. How much? “Significant,” was all the customer would say. The customer I mentioned above wrote that the consultant discovered excess payments “in the six-figure range.” Multiply that by a few years and you’ve got a seriously expensive scam.

Contact your HR and payroll department this week and arrange for your organization’s manual payroll. I recommend you perform one annually.

Posted in attacks, malware, phishing, risk

Raising the bar: URLZone trojan evades fraud detection

Steve Riley — Fri, 02 Oct 2009 19:32:10 +0000

One of the tools in the good guys’ arsenals is the fact that the bad guys haven’t been very skilled coders. Not anymore: they’re getting very, very good. DarkReading describes how Finjan uncovered URLZone:

URLZone doesn’t just dupe users into giving up their online banking credentials. Instead, it calls back to its command and control server for specific instructions on exactly how much to steal from the victim’s bank account without raising any suspicion, and to which money mule account to send it the money. Then it forges the victim’s on-screen bank statements so the person and bank don’t see the unauthorized transaction.

“The Trojan was smart enough to be able to look at the [victim's] bank balance,” says Yuval Ben-Itzhak, CTO of Finjan. “This is more advanced than other banking Trojans, like Zeus, whose main goal is to get the user to provide his online credentials, credit card numbers, or PINs by inserting different text boxes into the online banking application. Then they use those credentials to log into the bank account.

“But in this attack, everything happens from the victim’s computer. This is more sophisticated than anything we’ve seen in the past.”

The attack begins like most Web-based infections: An unsuspecting user visits an infected Website — either a malicious or rigged legitimate one. The attack is based on the LuckySploit malware toolkit, which exploits things like unpatched Adobe PDF and Flash vulnerabilities in browsers. Its exploits are obfuscated so they’re difficult to detect.

Once the victims are infected with the URLZone Trojan, it sets up the victim’s machine as a bot in the banking botnet, complete with command and control instructions. URLZone ensures the transactions are subtle: “The balance must be positive, and they set a minimum and maximum amount” based on the victim’s balance, Ben-Itzhak says. That ensures the bank’s anti-fraud system doesn’t trigger an alert, he says.

Here’s more evidence that as attackers grow their sophistication, defenses that counter yesterday’s attacks become useless. Would smartcard or token-based two-factor authentication have stopped URLZone? Nope. What about out-of-band transaction authentication, perhaps with mobile phone text messages? If the process were built correctly, yes — more than just an OTP, the banking application might require the phone holder to reply to the SMS with what the transaction amount is expected to be.

People are starting to lose trust in computers and the Internet. While waiting for the bus today one of my fellow riders struck up a conversation about the funky colorful shoes I found in Auckland during TechEd 2008. The conversation turned to what our jobs are, and when I mentioned information security, several folks at the bus stop started peppering me with questions. Conversations continued on the bus for the entire ride. People don’t understand the criminal element, can’t figure out how to determine what’s trustworthy and what isn’t, and generally seem apprehensive about doing anything on the Internet. This is becoming a very difficult problem to solve; rampant disregard for the devastation wrought by identity theft, warrantless government wiretapping, and presidential ruminations about “taking down the Internet” aren’t doing anything to help. I’m not even sure National Cybersecurity Awareness Month will be all that effective.

We have got to redouble our efforts to remove the coolness factor from computer attacks. It’s no longer hacking, folks. Drop that term from your vocabulary. Start talking about attacks conducted by criminals. Don’t idolize notorious bad guys. And demand that officials start requiring accountability. Honestly, there’s nothing you can do to prevent the misuse of your PII; in America, you generally don’t even own your PII. We need strong laws to finally convince the holders of your personal information (read: financial institutions) that prohibit all sales, laws that are backed by massive fines. Right now, it’s cheaper for institutions to deal with breaches than to keep them from happening. The only way to fix this is to change the economics.

Posted in attacks, cybersecurity, identity theft, law, public policy, social engineering

Webinar: securing public cloud infrastructures

Steve Riley — Wed, 30 Sep 2009 17:34:36 +0000

Mark time in your calendars for a cloud security webinar co-presented by Amazon Web Services and enStratus on Wednesday October 7, 2009 at 11:30 AM – 12:15 PM Central Time US.

Sign up today

Public cloud computing has evolved into a mainstream approach for building out components of an IT infrastructure. Cost saving opportunities make the development of a public cloud strategy absolutely critical. Even before taking on pilot projects in the cloud, however, you should have a solid understanding of the security implications and opportunities in public cloud computing. Amazon Web Services and enStratus have teamed up for this webinar detailing how businesses moving into the cloud can understand the security issues in public cloud computing and how to secure a public cloud infrastructure.

Among the most critical components in cloud security is transparency from your cloud providers. AWS has built out an infrastructure and established processes to mitigate common vulnerabilities and offer a safe compute and storage environment. enStratus operates outside of the AWS cloud, watching over its operations, and keeping your authentication and encryption credentials safe outside the cloud while encrypting the data inside the cloud both in transit and at rest.

Steve Riley from AWS and George Reese from enStratus will discuss common cloud security concerns and show you how to take advantage of the security features AWS and enStratus provide you to build a secure public cloud infrastructure.

Key Learnings

How does AWS protect its infrastructure and, by extension, your data?
What can you do with tools like enStratus to further protect your data?
How can you use enStratus to protect your data from third-party subpoenas or subpoenas targeted at AWS?
How can I manage user access to my AWS infrastructure?
What issues impact compliance with various standards/regulations in the AWS cloud?

Speakers

George Reese, O’Reilly cloud computing author and CTO for enStratus, a leading cloud management platform
Steve Riley, Sr. Technical Program Manager for Amazon Web Services

Posted in Amazon Web Services, cloud computing, cloud security, management, webinar/webcast

Will they ban food, water, and air, too?

Steve Riley — Tue, 29 Sep 2009 04:08:56 +0000

In a lapse of common sense, the government of India is seeking to ban Internet telephony until some kind of tracing mechanism can be put in place. “Terrorism” certainly seems to be the popular excuse for eliminating pesky citizen behavior. We’ve seen attempts to ban mobile phones, attempts to ban constitutional law, attempts to subjugate with fear. Will it ever end?

Like similar attempts in other countries, India’s proposition will utterly fail. What is an Internet “phone call,” anyway? A stream of bits between applications on computers. Hm, sounds like every other kind of Internet communication. Attention, government regulators: the distinction between voice and data disappeared in the late 1990s. Banning Internet telephony is as ridiculous as all other attempts to ban ideas. Sure, you can make it difficult for people to download VoIP and messenger applications, but there’s an essentially infinite supply of distribution points for these programs. There’s also an essentially infinite supply of alternate telephony applications: people will just keep cranking out new tools that national proxy servers don’t recognize. Blocking VoIP protocols won’t work, either, because a lot of applications fall back to HTTP, the durable universal protocol. Most of them work over VPNs, too; public VPNs seem to be all over the place these days.

The article mentions that India’s government successfully lobbied RIM to modify its protocols to satisfy certain regulations. Okay. Guess what? The bad guys have done what they always do: changed tactics. They’re probably using iPhones now. Was it really worth all those endless meetings? How many non-terrorist customers might have switched platforms after this?

Banning a thing because bad guys might use it to unleash mayhem prohibits good guys from using the thing, too, even during emergencies. Which only serves to make everyone a bit more insecure.

Posted in censorship, freedoms, privacy, public policy, regulations, speech

RunAs Radio interview

Steve Riley — Mon, 28 Sep 2009 05:22:38 +0000

Recently I was interviewed by Richard Campbell and Greg Hughes of RunAs Radio. We discussed my transition from Microsoft Trustworthy Computing to Amazon Web Services, some points to consider about cloud security, and a bit about desktop virtualization.

Posted in Amazon Web Services, cloud computing, interviews, virtualization

Voodoo security

Steve Riley — Mon, 28 Sep 2009 04:41:05 +0000

Amazingly, even in the 21st century, people still want to cling to ancient beliefs that lack even a whisper of a shadow of evidence. Dowsing rods are back — but this time in the guise of bomb detectors. A few weeks ago NPR had a story on portable bomb detectors the Iraqis are deploying at roadside checkpoints. Turns out they’re completely fake: the units contain no electronics. They serve only one purpose: to allow an officer to search any car he wishes without needing to notice potential criminal behavior. In other words, these “detectors” are actually very handy devices for confirming baseless suspicions or disguising profiling.

While the story does indicate “U.S. military experts suspect it is nothing more than a charade” and “Many U.S. officials say the science is about as sound as searching for groundwater with a stick” and “One American expert in Baghdad compared the machine with a Ouija board,” the story spends more time quoting people who claim the devices actually work. Unfortunately, NPR is demonstrating the increasing trend among many journalistic organizations to soft-pedal the facts. These gadgets are a complete sham, and the author of the story should have said so in no uncertain terms. “Reporting the controversy” is just plain deceptive where there is actually no controversy to report. Where the reporter chickened out, the story’s comments reveal the truth, and also suggest possible real motives behind the use of the devices.

Posted in fake security, things that make me angry

Groovy security in Windows 7

Steve Riley — Fri, 25 Sep 2009 16:58:46 +0000

Get a full dose of great Windows 7 information and advice in the October issue of TechNet Magazine. The entire issue is dedicated to helping you learn about and deploy the newest version of Windows in your organization. Included is my article “Groovy security in Windows 7,” where I discuss my favorite new security features: DirectAccess, BitLocker and BitLocker To Go, AppLocker, and DNSSEC (yes, I’ve changed my thinking about the need for authentication and integrity in DNS), multiple firewall profiles, and the Windows Biometric Framework. Please take a look. I hope you enjoy it, and as always, I welcome your feedback.

Posted in AppLocker, BitLocker, DirectAccess, DNSSEC, publications, TechNet, Windows 7

Predicting the future

Steve Riley — Fri, 25 Sep 2009 13:43:03 +0000

At the Get Your Head in the Cloud seminar at Iowa State University yesterday, I briefly mentioned how the future will bring about certain unavoidable disruptive discontinuities in the way traditional IT carries about its business. I mentioned several books worth reading. Many of you have asked for the list; here it is:

The Cathedral and the Bazaar by Eric S. Raymond
The Wisdom of Crowds by James Surowiecki
We Are Smarter Than Me by Barry Libert, Jon Spector, Don Tapscott
The World Is Flat by Thomas L. Friedman
The Innovator’s Dilemma by Clayton M. Christensen
The Long Tail by Chris Anderson
The Speed of Trust by Stephen M. R. Covey
What Got You Here Won’t Get You There by Marshall Goldsmith
Outsourced (the movie)

Posted in Amazon Web Services, events, the future

I’m speaking at Windows Connections in November

Steve Riley — Mon, 14 Sep 2009 18:30:53 +0000

Windows Connections is one of my favorite events. I’m returning in November, this time in my role as cloud computing evangelist for Amazon Web Services. I’m delivering a keynote and three breakout talks. While the breakouts are in the Windows track, my presentations will cover various aspects of cloud computing, including details on AWS. My keynote is also on cloud computing, it’s vendor-neutral and is designed to help you understand the drivers behind cloud computing. See below for descriptions.

If you’ve never attended a Windows Connections event, I urge you to give one a try. They’re very well run, with plenty of technical depth, relevant topics, and great speakers. Plus Minasi If you’ve attended in the past, please come back — we’ve got all new material, and it will be good to see many of you again. The event runs 9-12 November.

More information

My talks

Fear the cloud no more

Suddenly, it seems, the simple network diagram symbol for the Internet has become a major component for providing infrastructure platforms and service offerings. Unlike the application service provider days of the late 1990s, cloud computing is here to stay. It’s already gained much traction for specialty computing purposes, yet many IT shops remain wary. Moving compute and storage out of your own data center and into someone else’s, mingled among many others, seems daunting at first. Common questions arise around security, manageability, performance, and reliability. Think about it, though–these are the same concerns you’ve always had. Nothing about the cloud requires that you jettison everything you’ve learned during your career. The cloud is a logical next step in the evolution of computing, and when integrated with corporate IT removes much of the burden and allows a business to concentrate on its core functions. Steve Riley will explore common concerns, dispel several myths, and help you learn how your business can benefit from the cloud.

Introduction to the cloud: infrastructure, platform, and software services

There have been many attempts to define and classify cloud computing. And while most providers seek ways to differentiate themselves and offer novel solutions, three general service models have arisen. Roughly following other compute and protocol stacks, the models include infrastructure as a service, platform as a service, and software as a service. Depending on your requirements, you may decide to select providers from one or more of these models. Steve Riley will explore the models and illustrate where the various components of Amazon Web Services fit.

Security and compliance in the cloud

Moving to the cloud raises lots of questions, mostly about security. Providers worthy of your business should answer them clearly and honestly. Amazon Web Services has built an infrastructure and established processes to mitigate common vulnerabilities and offer a safe compute and storage environment. Steve Riley will discuss common cloud security concerns, show how AWS protects its infrstructure from internal and external attack, and explain how you can take advantage of the security features of AWS in your own applications as you extend your enterprise into the cloud.

Managing resources and performance in the cloud

Transitioning your compute processing and data storage to the cloud doesn’t mean you have to give up control. Indeed, many providers are investing in technology and adding features that can help you manage cloud resources using the same tools and procedures you already use in your existing environment. Steve Riley will illustrate capabilities in Amazon Web Services that allow you to monitor resource utilization, to dynamically add or remove resources as demand changes, and to integrate cloud resources as a logical extension of your data center.

Posted in Amazon Web Services, cloud computing, events, speaking, Windows Connections

Fixed the Passgen download

Steve Riley — Wed, 09 Sep 2009 16:44:39 +0000

Several people have alerted me that the Passgen tool in my Box.net site was corrupt. I uploaded a new version this morning, and tested it. All’s good now, please try your download again from the widget to the right of this frame. Sorry for the troubles.

(Jesper wrote Passgen and included it in our book, Protect Your Windows Network. With this tool you can manage machine and user passwords locally and remotely across a domain. Unlike other tools, it doesn’t actually store any passwords; instead, it sets completely random passwords or passwords derived from an identifier plus a pass phrase. Check it out, it’s very handy.)

Posted in my book, passwords

What can you do with Amazon Virtual Private Cloud?

Steve Riley — Tue, 08 Sep 2009 18:35:08 +0000

I hope most of you have seen the news about our newest release, Amazon Virtual Private Cloud. Here’s a brief description:

Amazon Virtual Private Cloud (Amazon VPC) is a secure and seamless bridge between a company’s existing IT infrastructure and the AWS cloud. Amazon VPC enables enterprises to connect their existing infrastructure to a set of isolated AWS compute resources via a Virtual Private Network (VPN) connection, and to extend their existing management capabilities such as security services, firewalls, and intrusion detection systems to include their AWS resources. Amazon VPC integrates today with Amazon EC2, and will integrate with other AWS services in the future. As with all Amazon Web Services, there are no long-term contracts, minimum spend or up-front investments required. With Amazon VPC, you pay only for the resources you use.

Product page

Frequently asked questions

Developer resources

What interests you the most? What kinds of projects and workloads would you consider deploying into Amazon VPC? How can you envision Amazon VPC extending your capabilities? I have some thoughts I’m assembling into a scenario whitepaper, I’m sure there are many more than what I’ve described so far. I’d love to learn what else the bright minds here can come up with. Thanks!

Posted in Amazon Web Services, cloud computing

The influence of public opinion on the Internet

Steve Riley — Tue, 08 Sep 2009 05:58:28 +0000

Recall Green Dam Youth Escort? The Chinese are at it again: ruthlessly trying to censor the Internet. The government is forcing news sites to require commenters to log in using their real names. These orders were secret and immediate, they affect major news portals, and they demand not only real names but national ID numbers and registered mobile phone numbers as well. It’s broken, of course; people have already successfully registered with forged credentials.

You really have to marvel at the complete blockheadedness of it all. The claim is such moves will forge “greater social responsibility” and “civility” among users. I’ve spent a little time on Chinese blogs and news sites, and they are paradigms of civility compared to the vitriolic bloviating you see on some American political and news blogs. So what’s the Politburo really afraid of? One editor summed it up perfectly: “The influence of public opinion on the Internet is still too big.” Read that again and marvel: this claim came not from a government official but from an online news site! Oh wait, perhaps I’m being redundant there. Oops.

Whenever an oppressed group tries to assert its rights, the “harmonious” one party system smacks the group down: Uighurs, Tibetans, students for democracy. Perhaps holding onto land just isn’t enough to seed real change. There’s already been a major backlash against the online identification requirements, perhaps this will stir the Chinese in a way previous government iron-fistedness hasn’t. Remember, too, that the Internet’s design goal of routing around outages has another salvific property: it routes around censorship.

Posted in censorship, public policy

Social engineering with Skype

Steve Riley — Tue, 08 Sep 2009 03:29:32 +0000

Continuing my immersion into the tumultuous world of social networking software, the other day I installed Skype (I’m “stvrly” there if you want to add me). On this damp Sunday night over 11,000,000 people are logged on — Skype seems popular, but I wonder about its long-term viability. Google Voice is free for domestic calls, is free for domestic and international SMS, and has lower international call rates than Skype. Most people already use Live Messenger or Yahoo for IM. So what’s left to differentiate Skype? It should be interesting to see how the developers improve the product now that it’s been freed from its eBay shackles.

Anyway, my kvetching now is this: yesterday I received a message from online.service.usaa12. I have no clue who this person or thing is. Here’s the text:

WINDOWS REQUIRES IMMEDIATE ATTENTION
=============================

ATTENTION ! Security Center has detected malware on your computer !

Affected Software:

Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows Server 2003

Impact of Vulnerability: Remote Code Execution / Virus Infection / Unexpected shutdowns

Recommendation: Users running vulnerable version should install a repair utility immediately

Your system IS affected, download the patch from the address below !
Failure to do so may result in severe computer malfunction.

http://www.scaninfo.org/

For the link to become active, please click on ‘Add to contacts’ skype button or type it in manually into your web browser !

I wonder how many other people received something similar. Consider, though, the characteristics of this message, and its basic irrelevancy to me:

I’m running Windows 7, which is not it the list of infected software
My system obviously can’t be affected, because I’m running an unlisted operating system
My computer is actually free of infections at the moment, so the initial claim is false
I’m instantly suspicious of any note with more than one ! and notes that lack basic grammar skills

I don’t have a sandbox machine at the moment to play with. Anyone else get this, and out of curiosity add the sender to their contacts? At first I thought this might be new, because Google showed only 7 hits. The Whois for www.scaninfo.org lists one Andrej Kazanski. Foraging for him through Google revealed a paltry 208 hits, yet it seems this second-class moron has a bit of history with Skype spam.

I was talking with my mother the other day and she asked about inexpensive laptops. My father is giving her computer and Internet lessons, and she doesn’t like having to go into his home office to use his hulking desktop computer — she wants something of her own that’s a little smaller. I agreed, thinking that learning on a device more personal removes a lot of the intimidation that must be present for novices. Then this Skype spam appears, among all the other daily Internet crap I have to dispose of. Spam wastes the time of all of us. And I worry that, in short order, my mom will grow frustrated with the thieving and scheming that inundates her inbox, and just give up before she really gets started. Sigh. Alan Rasky and Sanford Wallace and the rest of you cretins really suck ass. Your approval rating is worthy of a disease.

Posted in social networking, spam, things that make me angry

Amazon Web Services on Twitter and LinkedIn

Steve Riley — Thu, 03 Sep 2009 22:25:18 +0000

Quick note to let you know that I’m now reading and replying to some of the Amazon Web Services social networking presences. Please join and participate.

@awscloud on Twitter
Amazon Web Services Community Network on LinkedIn

Posted in Amazon Web Services, cloud computing, social networking

Hands off my laptop!

Steve Riley — Mon, 31 Aug 2009 05:03:41 +0000

[Update below]

So I read today that the Obama administration has decided to persist yet another despicable Bush policy: that of allowing suspicionless and warrantless searches of laptops belonging to travelers entering the United States. I am flabbergasted. We elected this man as a repudiation of the terrible damage wrought by his predecessor. Why is he continuing to disappoint?

Another question: why does the DHS seem incapable of realizing that scouring a laptop is not at all like rummaging through someone’s backpack? Here are three blindingly obvious reasons why:

Laptop searches last far longer. The backpack search is complete when the traveler leaves the border. For a typical laptop, the government can make a copy and then search every file at its leisure.
It’s like searching your home. Our laptops contain family photos, medical records, finances, personal diaries, and all the other detailed records of our most personal lives. Having the government rummage through all these files is like searching your home, and that requires a probable cause warrant.
Confidential and privileged information. Many kinds of confidential information are in laptops, including journalists’ notes about an investigative story, trade secrets and other key business information, and many more. Lawyers’ laptops contain attorney-client privileged information, as reinforced by a recent case that says the privilege is lost once the government sees a file during a search.

Read the DHS’s extremely weak logic explaining the reasons for laptop searches and note the multitude of objections in the comments. Seems like everyone except DHS realizes that bad guys will use online file storage. It’s time to dismantle this bloated and ineffective bureaucracy. (Wait, did I just repeat myself? hahaha)

And please, please go sign the Hands Off My Laptop petition as soon as you can. Refuse to be terrorized, people!

[Update 31 August]

%deity% bless the ACLU. They’re raising a ruckus:

The American Civil Liberties Union filed a lawsuit today demanding records about the U.S. Customs and Border Protection (CBP)’s policy of searching travelers’ laptops without suspicion of wrongdoing. The lawsuit was filed under the Freedom of Information Act (FOIA) to learn how CBP’s policy, issued last year, has impacted the civil liberties of travelers during the first year of its implementation. “Traveling with a laptop shouldn’t mean the government gets a free pass to rifle through your personal papers,” said Catherine Crump, staff attorney with the ACLU First Amendment Working Group. “This sort of broad and invasive search is exactly what the Fourth Amendment’s protections against unreasonable searches are designed to prevent.”

Posted in freedoms, law, privacy, public policy, travel

On what planet does the CTIA spend its time?

Steve Riley — Fri, 28 Aug 2009 19:14:46 +0000

Marketwatch has a story today about the FCC’s plans to investigate the wireless phone market. Apparently there’s some worry that innovation and competition is rather lacking in America. Glad to see that someone has finally realized the truth of this! I’ve seen amazing wireless technologies everywhere except here. My friends in Singapore and Korea and Malaysia just laugh at the paleolithic timewarp we seem stuck in.

The wireless industry, of course, disagrees. Their PR mouthpieces claim we have the lowest prices and the most innovation in the world, and they say several independent studies support this assertion. Yeah, which world, dudes? Cringely gives us a glimpse of what’s happening outside yours, why are you so afraid to join?

Go, FCC, go.

Posted in mobility, public policy, regulations, wireless

Interview on RunAs Radio

Steve Riley — Wed, 26 Aug 2009 03:36:29 +0000

This Friday I’ll be on the phone with Richard Campbell of RunAs Radio, recording an interview. We’ll talk about my transition from Microsoft to Amazon Web Services, explore enterprise adoption of cloud computing, and of course discuss recent security events in the news. I welcome suggestions for additional topics, feel free to leave in a comment.

My previous interview with RunAs Radio was at TechEd Europe in Barcelona during November 2007.

Posted in interviews

What about my private bits?

Steve Riley — Tue, 25 Aug 2009 04:07:18 +0000

As I’ve chronicled my migration to and trials of various in-the-cloud services, a number of commenters have asked my thoughts about storing personal or private information online. I don’t have any empirical evidence to support it, but I doubt that those who staff large-scale data centers have the time or inclination to go trolling amok people’s stuff. For one thing, there’s just a whole hell of a lot of noise to sift through. Curiously, there isn’t much of published research on the amount of information humans generate. The Global Information Industry Center at the University of California, San Diego, has been working for several years on a project to measure how much information we create. They were slated to release a report at the end of 2008, but haven’t yet. Their earlier 2003 report is still available, though:

Print, film, magnetic, and optical storage media produced about 5 exabytes* of new information in 2002…. We estimate that the amount of new information stored on paper, film, magnetic, and optical media has about doubled in the last three years…. Information flows through electronic channels — telephone, radio, TV, and the Internet — contained almost 18 exabytes of new information in 2002, three and a half times more than is recorded in storage media.

Let’s use this to calculate possible 2008 results. To simplify the math, let’s assume a linear growth rate (which is certainly not the real case). If stored information went from 2.5 EB in 1999 to 5 EB in 2002, then linear growth says in 2008 we created 10 EB. If we assume a constant 3.5 multiplier (again, probably unrealistic) for information flows, then in 2008 we transmitted 35 EB. So the total volume of data generated in 2008 was 45 exabytes. Given Earth’s 6.7 billion population in 2008, that’s 6 gigabytes per person (remember, we’re counting total flows, not just original generation).

When you think about it for a while you’ll remember that, for the entire history of telecommunications, content has been visible to service providers and storage companies. What worries me more than some voyeuristic sysadmin is pernicious snooping by various authorities driven by some deep-seated fear that somone, someplace, is expressing an impure or unsanctioned thought. Where in the days of voice communications the law was very clear that carriers could not be held responsible for the actions of their subscribers, today’s legislative thinking appears to be taking the opposite direction. This is not a healthy turn, by the way; consider also your rights when you enter the United States with your own personal laptop: none.

Which leads back to the question “what about personal or private information?” My answer: encrypt it all. It matters not where you keep it — in the cloud, on your PC, or printed on paper — find an encryption utility you like, scramble your data, and protect your keys. Authorities can probably compel service providers to turn over data; encrypted blobs will be useless to them. If they really want you, they can get a warrant for data on your own computers; you can make even that useless if you encrypt it with a key you don’t know. Recently randomwire published a recipe for combining Dropbox and TrueCrypt. This looks interesting, and I’ll see if I can repeat the experience with SugarSync.

Boys and girls, you know I’ve been urging everyone to encrypt portable data for years. I think we can all agree that cloud = portable, right? Your responsibility to protect your information doesn’t change because you’re using someone else’s hard drives; in fact, it’s a responsibility you simply can’t ignore.

——–
*Funny bit: WordPress’s dictionary needs updating. It lacks an entry for “exabytes,” offering “exacerbates” as a substitute. Maybe they aren’t so wrong, really!

Posted in cloud computing, encryption, law, privacy, public policy, regulations

I found my nirvana…I think

Steve Riley — Sun, 23 Aug 2009 04:02:02 +0000

So after some deliberation, and lots of time uploading files to my various chosen providers, I decided life only in the clouds wasn’t for me.

Non-reason: I wasn’t worried about losing my stuff. Although it’s true that a lot of service providers end up in the deadpool, the ones I had begun considering showed signs of continued existence. So why did I abandon my approach?

Minor reason: most of these sites have terrible interfaces for content upload and retrieval. Plus, none of them provide easy ways to download or delete groups of files — you can operate on only one file at a time. Most of them lacked any kind of mass tagging feature.

Major reason #1: Even using a single file was cumbersome. I’m working on a PPT and want to insert a picture. It’s simple to insert pictures on my hard drive. It’s a monumental pain to find-select-download-insert pictures from online photo sites. The lack of local storage turned out to be a major annoyance.

Major reason #2: No content indexing! I realized very quickly that not being able to search the contents and filenames of my documents and presentations and images made it nearly impossible to find things quickly.

Therefore I thought instead to investigate sync-to-the-cloud applications. Both Dropbox and SugarSync appeared promising. Ultimately I chose SugarSync because it has better integration with my G1 and I prefer its method for selecting synced folders. (If you decide to give it a try, please use this referral link — we’ll both get increased amounts of free storage.)

After spending a few days reading my RSS feeds delivered via Feed My Inbox, I decided to return to Google Reader. A true RSS reader provides more options for quickly scanning through the many feeds I’m subscribed to. Plus, with Google Reader I can do two things that email-delivered feeds don’t permit: starring items that I might want to read again later and sharing items with other people. I regularly encounter articles that would be interesting to many of you; I’ve added another element to the right side of my blog where you can see a feed roll of the most recent six articles I’ve marked for sharing. I hope you find this useful.

Speaking of blog changes, I’d like to point out a couple other items. I created an account on box.net to store files available for you to download. They’ll appear in the “box” widget in the right side column. There’s a VodPod widget where I’ll link to videos I’ve found. I decided to maintain my Flickr account, mostly for sharing the goofy images I come across to use in presentations; I’ve put a widget in the blog so you can see them too. And I’ve added a Meebo widget, but honestly don’t know whether I’ll use this or continue with the native Live Messenger client. More things to play with, I know.

Posted in cloud computing, my blog, tools

And in other news…let’s check in with the federal government

Steve Riley — Sat, 22 Aug 2009 00:53:23 +0000

Two interesting bits that I saw in today’s SANS NewsBites.

The FTC no longer cowers in the face of corporate bullishness. Back in January the FTC issued a news release that they charged a mortgage broker for not properly stewarding the PII of its customers. Tax returns, mortgage applications, bank statements, photocopies of credit cards and driver licenses, and 230 credit reports were discovered in a dumpster. My favorite part about the news release is its title: “FTC says mortgage broker broke data security laws: dumpster wrong place for consumers’ personal information.” That, my friends, has got to be the coolest news release ever published by the government!

An agency within the USDA has banned all web browsers except for Internet Explorer. The notification memo states:

In keeping with the requirements of the Federal Desktop Core Configuration, all third-party browsers will be removed from customer workstations beginning Tuesday, Aug.18. Internet Explorer is the standard browser and will be maintained. Netscape, Google Chrome and Firefox will be removed.

The article intimates some disagreement over interpretations of FDCC’s requirements. While FDCC isn’t actually so restrictive — it’s concerned more about standardization than the particular standards chosen — you have to agree that fewer configuration variations improves manageability, which in turn improves security. Surely the IE folks consider this one a win.

Posted in policies, privacy, social engineering, standards

Privacy and anonymity vs. identity and responsibility

Steve Riley — Fri, 21 Aug 2009 21:58:02 +0000

[Update below]

Cringley posted today about a federal judge forcing Google to disclose the email and IP address of “soon not to be anonymous blogger” who will likely be sued for whatever his target’s lawyer can scrounge up. Lively debate beginning in the comments about whether this is good or bad, with the inevitable comparison to the Chinese.

It’s probably true that, to maintain some semblance of a civilized society, there ought to be limits to the amount of untruth one person could spread about another. I’d like to see the same vigilance against the talk-radio blowhards and cable TV sabbath gasbags, too. Why should they get a free pass?

Update 27 August

The anonymous blogger has come forward to identify herself. Rosemary Port is suing Google for $15 million.

Posted in censorship, law, public policy, speech

More on my move to the cloud

Steve Riley — Fri, 21 Aug 2009 05:34:24 +0000

Yesterday I wrote about the beginning of migrating myself from the shackles of my hard drive to storing everything in the cloud. You’ve asked some questions that I’ll answer in this new post rather than in comments to the previous post. I’ve already made one change to my choice of providers, as you’ll see in an answer below.

The Dave: Why don’t I host my own domain? Simple — in addition to being cheap, I’m also lazy. I’m looking to do the least amount of maintenance possible. I’m enjoying discovering the myriad online offerings and seeing the different mechanisms and interfaces one can choose from. That said, I did look into Yahoo Small Business. At $5.95/mo for a year, that seems like a real bargain.

AAS: I looked briefly at Feedly, haven’t explored it a lot yet. I’m really enjoying Feed My Inbox.

Melle: I never said I was recommending anything … and as you’ll see below, I’ve already moved some stuff away from Google Docs.

Phil: I like Delicious’s tags and tag groups, plus there’s a decent (if slow) sync app for my G1. The newest Delicious plugin for Firefox works very well for me, too.

Matt: Hmmm, terms of service is on my list of things to research. Some time ago I had made a note to document the current TOS of many of the more popular providers. Now that I’m using some of them, this is definitely a thing to do sooner rather than later.

Mathieu: I wasn’t originally aware that Evernote supported PDF. While that’s certainly an option, I’m actually going to use yet a different service for PDF storage: Adobe’s acrobat.com. For to-do lists and such, Remember The Milk is one choice, 3 Banana Notes is another one. I’m going to try both and see which one integrates better with my G1.

So here’s my (slightly modified) cloud list. It’ll probably change again, of course!

Personal email: Gmail
Personal calendar: Google Calendar
VOIP: Google Voice
RSS feeds
- winning: Feed My Inbox
- losing: Google Reader
Document storage
- Office Live — .pptx and .docx files
- Acrobat.com — .pdf files, personal correspondence
Notes and clippings
- Evernote — web pages, frequently-accessed unstructured information
- to be decided — lists
Image storage
- Picasa — travel photos
- Photobucket — other collected image files
Bookmarks: Delicious
Blog: WordPress

Another advantage that comes from using multiple providers is that by spreading myself around, I get a lot more storage space. Yes, it’s more places to keep track of, but I save all my passwords in my browser (shameful, I know, but show me one person who never does this and I’ll show you someone whose password is “golf”) and created a bookmark bar so that everything’s just a click or two away.

It’s been an interesting experiment. Once I get settled into a routine, I might even delete local copies of everything. That’s kind of the point of the cloud, isn’t it?

Posted in cloud computing

Heartland Payment Systems blamestorming begins

Steve Riley — Wed, 19 Aug 2009 23:48:52 +0000

In January, Heartland Payment Systems announced a data breach that’s turned out to be one of the largest leaks ever — over 130 million records. Earlier this week, CEO Robert Carr crapped all over his PCI DSS auditors, blaming them for his problems:

The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, “You’ve got to be kidding me.” That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can’t reconcile that.

He goes on to say that everything’s better now, since they’ve spent oodles of money on encryption:

We contracted with Voltage Security to use their encryption technology. We have absorbed that cost and the cost of developing an encryption advice. We are not passing that on to customers. We haven’t increased anyone’s pricing. That said, customers who want to go to our new encryption device will have to rent or buy it. It will cost under $500, approximately. The savings they’ll get from not having card numbers in their systems will be worth it. The technology will prevent raw numbers from being transmitted in the clear.

As you can imagine, his remarks were less than well received. Mike Rothman, of Security Incite, wrote a stinging rebuttal:

I say that’s a load of crap. It’s about time organizations suffering from a data breach owned up to the fact that they made a mistake…. This kind of response from Mr. Carr basically proves that organization has learned NOTHING from the data breach, which means inevitably it will happen again.

To be clear, you cannot outsource thinking. You cannot outsource security. An auditor or assessor is only there to substantiate the technical controls implemented to meet a regulation. They are not there to tell an organization whether they are secure or not. They are not there to provide an itemized list of every possible attack vector that could compromise data.

That, my friends, is the responsibility of the internal security team. That’s what they do, and that’s what they get paid for. And in Heartland’s case, that’s what they clearly failed to execute. His security team should have known about the malware used on “300 other companies.” Why is it the auditors responsibility to inform him of that? The auditors are there to determine whether they have met the spirit of the regulation.

I’ve written about this before:

Audits help us ensure that we are following our own policies. Audits measure the current state, compare the results against what the state should be, and show where we are out of compliance. Essentially, audits help us know that we are indeed doing what we say we’re doing.

If there are fundamental flaws in the policy, audits probably won’t uncover that, and we shouldn’t expect them to. In Heartland’s case, the policies themselves were simply bad and poorly executed. If Robert Carr is scrounging for a scapegoat, he should just go look in a mirror.

Posted in audit, compliance, policies, regulations

Moving the blog yet again

Steve Riley — Wed, 19 Aug 2009 21:52:04 +0000

Good Wednesday afternoon (or Thursday morning, for those on the other side of the date line). Since my new job largely revolves around speaking to audiences about cloud computing, I’ve decided that rather than observe from the sidelines I should jump right in and embrace nephology whole-heartedly. So I’m making a number of changes to my traditional ways of publishing information and interacting with online services. Here’s where I’m heading:

Personal email: Gmail
Personal calendar: Google Calendar
VOIP: Google Voice
RSS aggregator: Google Reader
Document storage: Google Docs (lists and format-neutral stuff); Office Live (.pptx and .docx files)
Note-taking and web clippings: Evernote
Image storage: Picasa; Photobucket
Bookmarks: Delicous
Blog: WordPress

What I like about many of these services is the flexibility to choose web-based interfaces or client-side applications to work with online information. I’ve been giving Firefox 3.5.2 and Thunderbird beta 3 pretty rigorous workouts, and like what I’m seeing — especially the huge variety of plugins (warning: some of them are pretty bad, so be careful).

If you look at the list, you might think I’ve sold my soul to the big G. That certainly wasn’t my intention, but alas that’s how things worked out, in some sense because I’m now carrying around a T-Mobile G1 smartphone. For one thing, I’m cheap enough that I wanted to limit my providers to ones that don’t charge. Other attributes of certain services narrowed my choices even further. For example:

I’ve used FeedDemon to aggregate RSS feeds for a while. NewsGator discontinued their own sync service, so now FeedDemon pulls from Google Reader.
- I discovered a service called Feed My Inbox, that delivers daily RSS feeds into your email. I’ve really liked it so far, I might end up ditching FeedDemon and Google Reader. (A similar service, FeedBlitz, has too many ads.)
Google Docs is great for storing lists I might want to refer to on my G1 phone and for collecting PDFs.
Office Live integrates with Office pretty slickly, so Office-formatted docs are going there.
Flickr only allows 200 pics for non-paid accounts, so I didn’t consider them. Photobucket and Picasa each offer only 1 GB of storage; I need more than that, so I’m using both. Photobucket’s max size is 1024×768 or 1 MB, they’ll get all the goofy pics I’ve collected over the years and used in presentations. Picasa has no dimension limits, so they’ll get my photo archives from pictures taken during my travels.
I’m moving the blog to WordPress.com mainly because I wanted to ensure I’m spreading my usage across a variety of services, despite Google Blogger’s greater flexibility — Blogger allows scripting, WordPress prohibits it. But when you think that arbitrary scripting has knocked off MySpace and LiveJournal in the past, maybe WordPress’s approach is the more sensible.

My blog will now be at http://stvrly.wordpress.com — please update your aggregators/bookmarks/favorites accordingly; in a few days I’ll have the MSInfluentials blog issue a 301 permanent redirect to the new URL. All the existing content, including comments, has been copied from MSInfluentials to WordPress.

Included in the new blog are links to:

TechEd videos — recordings of past presentations
TechNet articles — my writings in the magazine
A link to order my venerable book — whose advice is, of course, timeless
A link to the Passgen tool included in the book
Buttons to subscribe to and share blog posts
Twitter and Delicious feeds

Other information for you:

My new email is stvrly @ gmail . com — however, my old Hotmail is now configured to forward everything to Gmail
My Live Messenger will continue to use my steriley @ hotmail . com
My Twitter feed remains the same: http://twitter.com/steveriley
My LinkedIn profile remains the same: http://www.linkedin.com/in/steverileysea
My Delicious bookmark collection is here: http://delicous.com/stvrly
I created a FriendFeed here: http://friendfeed.com/stvrly

Over time, as I become more used to working in the world of no local storage — and the switch from traditional hierarchical folder-based organization to the far more flexible tags/labels constructs — I’ll let you all know how it’s going.

Posted in cloud computing, my blog, next step

My new gig: Amazon Web Services

Steve Riley — Fri, 10 Jul 2009 17:52:37 +0000

On Monday 13 July I start my new position as evangelist and strategist for Amazon Web Services. What is AWS, you ask? I’ll briefly explain.

Unless you’ve spent the last couple years engaged in distant interstellar space travel, you’ve certainly noticed that the momentum behind cloud computing continues to grow. Unlike the application service provider (ASP) days of yore, cloud computing is here to stay: the business models are mature, the technology can support the requirements, and there are clear customer benefits.

Amazon’s cloud computing approach follows the infrastructure as a service (IaaS) model. AWS includes these components:

Elastic Compute Cloud (EC2)—virtual server instances on which you run your choice of operating systems, web servers, and applications
Simple Storage Service (S3)—persistent data object stores accessible through several standard protocols
SimpleDB—web-based data indexing and querying services without complex schemas
Simple Queue Service (SQS)—a message queuing service integrated with EC2 and other AWS services
CloudFront—a content delivery service for data served up from S3 stores close to end users
Elastic MapReduce—a hosted Hadoop framework for processing large amounts of data

My role in AWS will be to help customers of all sizes, from small startups to large enterprises, understand the benefits of IaaS-style cloud computing and how to integrate the various elements into their existing infrastructures; and also to track requirements, concerns, and opportunities so that Amazon’s offerings match the needs of its customers.

We know that many organizations are keen to explore cloud computing, but have reservations particularly about availability, reliability, security, compliance, and manageability. In my role I will concentrate on these issues, plus others. I’m very excited about this new position because it’s a wonderful opportunity to learn some new technologies, develop and communicate new processes, and still allow me to continue direct interaction with customers around the world.

I look forward to seeing many of you soon at an event near you. Next week I’ll follow up with my Amazon contact info.

Posted in Amazon Web Services, cloud computing, next step

Information security = risk management

Steve Riley — Mon, 22 Jun 2009 17:32:02 +0000

My good friend Andreas Wuchner holds the fascinating position of IT Risk Manager at Novartis Pharmaceuticals. Recently he started a new blog, where he collaborates with other authors to create knowledge and raise awareness of good risk management practices and tools.

Just last week he published the first of a series of articles about the impact of data loss—on organizations and on careers. The first article highlights the patchwork of various national regulations and compares some of their differences. Future articles in the series will explore what adequate protection means, how various technologies can help achieve this, and the trend toward holding executives such as CSOs accountable for loss.

I encourage everyone to take a look at Andreas’s work.

Posted in compliance, policies, regulations, risk

For sale: one botnet, 300 million nodes, cheap

Steve Riley — Mon, 15 Jun 2009 23:01:08 +0000

Oh the heels of my previous discussion about vulnerabilities in Green Dam Youth Escort, Secunia reports, via a third party, the discovery of a URL processing overflow vulnerability in the software. They rate it highly critical: it allows a remote attacker to take over a system, there’s no patch, and an exploit is already in the wild.

Furthermore, it appears that Green Dam is far more than just a porn filter—its filter contains a long list of political keywords. And Green Dam’s developers have purloined parts of Solid Oak’s Cybersitter software.

For a nation that’s trying to become a major 21st century world power, this kind of behavior is disturbing.

Posted in attacks, censorship, piracy, public policy, vulnerabilities

Throwing my words back at me

Steve Riley — Mon, 15 Jun 2009 18:11:54 +0000

Have you ever tried feeding something you wrote into an online language translator, then doing it a second time back to your original language? The results can be uproarious. You may recall my writings a couple years ago about the necessity of antivirus software (original and additional). A four-month-old website called “Vista Home” appears to be written by someone who translates English language articles into something else—maybe Mandarin—and then back into English. Why anyone would do this is beyond comprehension. They subjected my antivirus postings to their brutal mutilation and the results are hilarious:

It is the view that Steve Riley of Microsoft safety expert concerns the software that reduce toxin below. “On a few newsgroup of Zhou Qian, a few people ask what kill poisonous software is experts what like most, this is the problem of a curiosity making a person really, on the path that does not cross my safe researcher with me- – no matter be an introduction person, advisory, instructor arrived even after I believe firmly I call oneself the expert, affirm: Also bed of Wei of the Kingdom of Wei of raw meat or fish of 2. rightness Song ” the? that save press and smooth why?

Check for yourself and have a good Monday morning laugh. Click on the photo above for another laughable translation attempt.

Posted in just plain weird

The page STILL cannot be displayed… 0 seeders, 0 leechers

Steve Riley — Thu, 11 Jun 2009 20:22:14 +0000

Well, maybe not zero, but there’s less seeding and leeching in France now. With the support of an industry group, French military police have shut down a BitTorrent tracker and seized their equipment. Regardless of where one stands on the filesharing debate, this news is dreadful. Filesharing is apparently now a serious national security issue for France—serious enough that it deploys a military agency against its own citizens. Western democracies aren’t supposed to do that. It’s unnerving that there’s a new precedent.

And it appears that China’s mandated Internet filtering software, called Green Dam Youth Escort (uh, mmkay), is riddled with flaws (big surprise there). When the software phones home, communications are unencrypted, and probably unauthenticated (the article doesn’t say), which makes it trivial for someone to inject malicious code to take over a machine. Certainly no one would be interested in pwning a 300,000,000 node botnet, right?

The software keeps logs of all activity. Online criticism of the software is being blocked. You know where that will lead. Surely an underground economy of Green Dam Youth Escort vulnerabilities (…ahem…), user behavior profiles, and personal data will soon emerge.

How the software detects p0rn is pure entertainment. It evaluates the amount of flesh tone color in an image; if the amount exceeds some level, the software assumes there’s too many naughty bits for innocent eyes. Photos of pink pigs are blacked out, while photos of dark-skinned people sail right through. The blockage works only if you’re using Internet Explorer on Windows. Other web browsers on Windows, and other operating systems, are unaffected. Hmph. Well, at least someone has finally figured out how keep users away from naked dancing pigs.

Posted in attacks, censorship, piracy, public policy

The page cannot be displayed…639k seeders, 500m leechers

Steve Riley — Wed, 10 Jun 2009 04:18:31 +0000

Things that make you go “hmm” . . .

China is requiring censorship software to be installed on all new PCs starting 1 July. Apparently too many people are learning how to circumvent the Great Firewall.

Australia’s attempt at Internet censorship has consumed AU$44.5 million and really has no way to demonstrate effectiveness.

Meanwhile, Sweden’s Pirate Party won a seat in the European Parliament by capturing 7.1 percent of votes in Sweden.

(Bonus points to anyone who can figure out where the numbers 639,000 and 500,000,000 come from.)

Posted in censorship, piracy, public policy

Changing the economics of spam

Steve Riley — Tue, 09 Jun 2009 23:28:21 +0000

In the past I’ve spoken about what I think is the most effective way to stop spam: change the economics. Who pays for email today? The receiver, of course. Sending email is free, and so long as it remains that way, spam will always be with us. If there were a way to make email not free, spammers would abandon it.

Of course, any system would have to be effectively free for legitimate email, and scale in such a way that it becomes costly only for extremely high volume emailers—the spammers. I’ve often mentioned Microsoft Research’s Penny Black project, which investigated ways to make senders pay. These are examples of proof-of-work systems, which require that the sender perform some amount of work that the receiver can validate. People who send only a few emails a day would never notice the work; someone sending millions of emails would be seriously impeded by the required work, probably enough that they’d give up: the cost is simply too great.

I recently found some additional research on proof-of-work systems, which although not new, made for fascinating reading, and I’d like to share it with you.

To be effective, POW systems need to incorporate good design. Typically, the “cost” in a POW system involves performing some kind of computation to find the solution to a problem. If the function is CPU-bound, then as microprocessors continue to increase in speed, the POW system becomes less of a hindrance; on low-power portable devices, POW systems could create a barrier against legitimate use. Memory-bound functions appear to be a better choice, where the performance variations among hardware aren’t nearly so wide.

Botnets, it would appear, can circumvent all forms of POW systems. But infected zombies will themselves be slowed down by the POW computations, and the owners of the zombies would probably notice (and call you to help clean their machine). The paper “‘Proof-of-work’ proves not to work” by Ben Laurie and Richard Clayton analyzes data gathered from various ISPs to show that a POW cost high enough to deter spammers using botnets would be unbearable for users—exactly the opposite of what we want from POW systems.

The paper “Proof of work can work” by Debin Liu and L. Jean Camp counters the claims in the earlier paper by proposing that POW computations are weighted with a reputation function. They describe two mechanisms: one scores machines using a continuous reputation function that analyzes every email sent; a sending machine gains trust over time unless it begins exhibiting spam behavior, at which point trust is withdrawn. The other (simpler and easier to implement) mechanism scores machines on a step-wise basis and measures the probability of an email being legitimate or spam; a 99% success rate is shown to be possible and effective. Most anti-spam products on the market now use some kind of reputation system, thus adding POW capabilities could push the economics back in the direction we want it to go—no observable cost to ordinary senders and prohibitive costs to spammers.

Although the claims often vary, at times 94% of all email is spam. Most of us don’t see it in our inboxes because spam filtering continues to improve. But that doesn’t mean the problem has gone away—it takes time (which equals money) to deploy and maintain such filters, and those costs are ultimately paid by end-users and companies. My hope is that reputation-enhanced proof-of-work systems will grow in popularity, that a standard will emerge, and that we can end this blasted scourge completely.

Posted in email, research, spam, standards, stuff we need

Side channel attacks

Steve Riley — Mon, 08 Jun 2009 22:07:47 +0000

Side channel attacks circumvent traditional encryption and access control technologies that help to protect information. The May issue of Scientific American magazine has an article describing some interesting attacks. Highlights:

A description of how deconvolution processing can help straighten out images recorded from the reflection of a computer monitor in the user’s eyes. (The same technique is already used by astronomers to remove blur in photographs of galaxies.) There’s a handy chart showing, based on distance from your eyes, the cost of equipment needed for an attacker to read reflections. Someone 57 meters away would need a 51-centimeter telescope, which costs $10,000.
An illustration showing how the unique sounds each letter generates when printed on a dot matrix printer (remember those?) can be run through linguistic analysis that can determine a reasonable letter sequence. Apparently, research on how to do this with ink jet printers is now underway.
A list of how just about everything in your office can be used against you. Your keyboard’s EMF radiation can be picked up by an antenna located 20 meters away behind a wall. A malicious web site could take over your webcam and watch keystrokes as you type. Flat-panel LCD screens are be vulnerable to TEMPEST attacks. The curved surface of a water glass or wall clock offers wide-angle reflections to anyone with a telescope across the street. Whiteboards reflect everything on them.

It’s a fun read, but probably doesn’t require you to make any sudden drastic changes to your existing defensive postures. I’m glad the author (W. Wyat Gibbs) addresses the limitations (proximity, temporal, cost) of these attacks near the end of the article and discusses the few potential targets who might be vulnerable.

(This paper from May 2008 details the setup of a project to gauge the effectiveness of reading computer monitor reflections from a variety of surfaces, including teapots, eyeglasses, spoons, and plastic bottles.)

Posted in attacks, research, side channel

Will the new US “Cybersecurity Coordinator” actually be able to do anything?

Steve Riley — Sat, 30 May 2009 18:36:54 +0000

[Update below]

Some of you have probably read through the numerous blog postings and articles about Obama’s recent speech on cybersecurity. (Can I just complain for a moment that “cybersecurity” is a stupid term?)

If you recall, the government has tried this before: in 2001, President Bush appointed Howard Schmidt as special advisor for cyberspace security. He stayed only for about a year and a half—probably because he didn’t have the necessary power and authority (which equals money in Washington) to accomplish any real reform.

It appears that the new cybersecurity coordinator will be hamstrung by the same limitations. This well-written article by Gene Spafford summarizes the history leading up to the announcement, analyzes probable outcomes, and speculates that the administration might be having trouble finding someone to fill the position precisely because, just like before, it lacks power and authority (that is, it has no budget).

Here’s a thought: perhaps a great start would be for Congress to provide sufficient budget and grant necessary authority for the new cybersecurity coordinator to complete the conversion of every single government computer to NIST’s Federal Desktop Core Configuration. I can’t think of a better example for others to follow.

Update

Richard Bejtlich writes the speech he wishes the President had delivered. This is good stuff; like Richard, I wish he would have included it in his speech. My favorite bits:

Making the federal government an example for others to follow (harkens to my wish for budget and authority to fully implement FDCC as the first example).
Admitting that the varied nature of threats prevents installation of a single “cybersecurity czar.”
Explaining that security always involves tradeoffs (with my favorite example: why no one wears bulletproof vests).
Describing how most security risks are economic externalities with misaligned incentives.

Posted in cybersecurity, public policy

Maybe hardware is cooler than software after all

Steve Riley — Thu, 28 May 2009 01:48:14 +0000

A while back, if you recall, I wrote about the Model 22 HDD Hard Drive Disintegrator (check the link for a pointer to a video of the machine in operation). People seem to love to create complicated hardware devices to solve problems that really aren’t that difficult—I’m convinced it’s for the sheer joy of building something that clanks and grinds.

Random numbers are important for things like gaming and computer security. There are plenty of decent software random number generators around. But some people prefer true throws of actual dice; if this describes you, then you’ll certainly want to investigate the Dice-O-Matic mark II, used for generating dice rolls on a gaming web site:

The inventor writes:

I had a soft target of a machine capable of 200,000 rolls a day, as site traffic is growing. However, any automation project worth doing is worth over doing, and I way overshot the mark. The result is what you see here: a machine that can belch a continuous river of dice down a spiraling ramp, then elevate, photograph, process and upload almost a million and a half rolls to the server a day. I may not get nominated for a Nobel prize, but the deep rumbling vibration you feel more than hear when two rooms away is quite impressive.

It reminds me of the work of artist Arthur Ganson, who creates kinetic sculpture—art that moves. One of his coolest creations is this machine:

Arthur says:

I’m imagining myself as a machine…I would love to be bathed in oil. So this machine does nothing but just bathe itself in oil…for me it’s really about the lusciousness of oil.

TED.com has a video of Arthur and several of his creations. He shows this machine at time point 8:56.

Posted in hardware, tools