* Posts by SecurityPedant

16 posts • joined 9 Nov 2011

Sysadmins: Keep YOUR data away from NSA spooks


Re: No, no, no, no and no - this is NOT a technical problem

Actually, there is a very elegant technical solution to this and cryptography is at its core.

Encrypted data requires keys to decrypt it. Assuming you encrypt your data with a key length and algorithm which isn't easily broken, then you end up with data + keys. You can then store the data in the cloud, but keep the keys local.

Now assuming that the data isn't actually decrypted by an application running in the cloud environment. The only way to decrypt the data is to come to your keystore, get a key, and decrypt it.

Thus if you were to encrypt your data and store it in Dropbox or Skydrive but retain the keys in your own sovereign state. If Microsoft were to get a legal request, they would, as per their own practice, hand over the data. But it would be the encrypted data and the next step is one of the following...

1. The organization requesting attempts to brute force the crypto.

2. The courts now have to come to you to get the keys.

Screw it, says NSA leaker Snowden: I'm applying for asylum in Russia


Re: Wake up and realize this is global.

I don't disagree with you that the approach in the US is a major concern. But a dangerous country? Maybe, but in comparison to what and who? Their practice is more dangerous that Russia? China? Iran?

And I disagree with your empire on its way down. The modern global economy is such that empires are now critically dependent on each other. US economic power and the dollar is still a very powerful entity in the global economy. As is the English financial markets, Europe as a trading entity and China. Russia with its power exports are also intricately woven into the rest of the modern economy. It is harder than ever to predict the rise and fall of the super powers in their current state because they each rely on the others economic status. When the US economy goes down the pan, guess who else struggles? Europe. When Europe and the US struggle, who else feels the heat? China? Russia?

I'm not a US citizen, but I do live there. I don't have any special affinity with the US other than being any regular citizen of the earth. But saying the US is in decline is woefully inaccurate.


Re: Oh it gets better

Oh man, what's crazy is that your post, which is clearly the most stunningly made up bunch of nonsense actually fits in with the other crazy talk on this website!


Wake up and realize this is global.

Snowden is a naughty boy and has upset his employer. He's trying to do the right thing and inform the general populous of what his employer has been up to. But those of you that think this is purely a problem for the US... wake up.

Since the birth of nations, organizations have spied on each other. Information is power and therefore anyone with an interest in their own empire will invest significant effort in getting information, both about its own citizens and it's enemy.

You think the US is alone in this practice? You don't think Russia, the UK, Germany, France, China, Iran, Israel has similar practices? The only big difference here is that the US is fortunate to have a massive amount of the worlds traffic flow across networks and systems owned by companies on US territory. You don't think that if Apple, Microsoft and Google were Russian or Chinese companies that this sort of thing wouldn't happen?

This whole conversation is going to end up with one fact. Everyone is doing covert stuff that is outside of the law. EVERYONE. And it's been happening for hundreds of years. What does that really mean? To your typical Joe, not much. A massive percentage of people in the world are not affected by this. The 99%? The 1%? The people this REALLY impacts, as in actually changing your life, is a tiny percentage. Sure your rights to privacy are violated and yes, that's not a good thing. But wadda ya gonna do? Move to a very remote location in the world, stop using email, quit posting to Facebook. That's your only way to get privacy nirvana.

What about corporations around the world who need to protect data, what do they do? Well they do what they've always done. Slowly increase their ability to monitor, classify and protect data and then evaluate risks of doing so versus the costs. Companies outside the US will be more adverse to using Office 365. So another company somewhere is going to benefit by providing similar capabilities or an alternate approach to the same benefits that reduces the risk (either real or perceived). That will come at a cost, and companies will decide if that cost is worth the risk.

Are Snowden's efforts going to stop the practices of the US and other nations? I doubt it. Imagine if this was about nuclear warfare. Pretend that Snowden had just gone public that the US has thousands of ICBMs hidden all over the US. You don't think Russia is in the same position? We all then realize that the countries who could afford nukes, have them. You think the governments would just get rid of them? We've been trying to go through the process of nuclear disarmament since the 80's and the US STILL has over 7,000 warheads with Russia beating them in the 8,000 region. And this is just about a deterrent. Information warfare is much more important, its essential. The same agencies everyone are now pointing fingers at have the same government mandate that led to the capture of the Enigma which helped end the second world war...

I think this whole discussion Snowden has created is a great thing. We are going to see more and more technological innovation around how we can protect data. Citizens are going to be a little more informed and will do a little more to protect their information and privacy. This is a long road people, we just hit a bump, but the end is not in sight.

Microsoft splurges on single sign ons with Active Directory update


Re: The world turns @SecurityPedant

I'm bored of your lack of informed information. Oracle has not killed OID and OID actually has a significant install base. What's the main directory deployed behind millions of Oracle application (eBusiness Suite) deployments? Yip... OID. Rarely used? Bah. Are you still in college?

Nice move of the goal posts here with OpenDJ :D


Re: The world turns

What a stupid comparison. People choose to deploy and use AD. We don't chose to have horses shit and then eat it.

It's simple. If there was a superior solution to AD to do what AD does. People would be using it. AD is not perfect, it has faults and its initial incarnations had some terrible faults and problems. But to say that it's shit and doesn't work in the real world is a massively incorrect statement.

AD IS the most pervasive directory technology in use today. Fact. You can't dispute this. You also can't say that quality has nothing to do with popularity. Sure AD in NT 4.0 and Server 2000 had some really difficult issues. But eDirectory wasn't perfect either. But they both got better and Microsoft had the massive advantage they had a very popular client which they also developed and could therefore bring capabilities to both client and server that nobody else could so as quickly or as well integrated.

Microsoft had an advantage, either fair or not. They had a wildly successful client OS and they developed a wildly success server infrastructure which had a significant reliance on a directory based technology that helped manage the clients. Now what they are doing in the cloud era is looking at the similarities between the on premise world and the cloud world and building a solution for the cloud.

Is Microsoft trying to get as many customers to move onto its own cloud based directory? Of course they are. Will they leverage their other markets such as Office, Windows and so on? Who wouldn't? Is Microsoft the only company desperately trying to win the "Identity in the cloud" challenge? Nope...

SalesForce, Microsoft, Okta.com, Ping, McAfee, Verizon, Oracle... you name them. Everyone knows that if you can be the main vendor for identities in the cloud, you have a key piece of the future infrastructure for business.

Microsoft with AD became one of, in some instances the only, options for managing identity, devices and authenticating users in companies. It makes only sense they would invest heavily in bringing this to the cloud and finding ways to migrate existing customers over to a newer model.

So many people on this website seem to love to bitch about very specific things without having any real focus of the overall reasons these technologies exist.


Re: The world turns

Indeed, DSEE is an excellent product and was born in the telecoms sector. It was by far the widest used LDAP server. I had many a conversation about DSEE with the Sun guys when they came into Oracle. But you can't compare AD with DSEE, they are very different solutions. AD may have an LDAP interface which supports LDAP queries. But AD does a lot more than DSEE in terms of functionality.

Oracle will find a way to screw up DSEE though. I used to work at Oracle HQ here in the bay area and if you think the engineering genius is going to continue through ODSEE into the future, think again. If you want a massive performance LDAP solution from Oracle, they want customers to buy OID. Why? Because a nice big fat database resides behind it.

You think IBM and Oracle have been the majority of solutions that have taken the place of eDirectory? Wow, now you really are showing your lack of knowledge in the industry. In the last 6 years (when I spent time at both Oracle and Microsoft in front of their biggest customers) I didn't see a single customer moving from eDirectory to IBM or Oracle. At Oracle even their own sales org would recommend to eDirectory customers to use AD.


Re: The world turns

"Yes, its popular but it's still shit."

Ahh there lies the total problem with your point of view and of so many people who comment on technology trends. You really think that AD is shit and yet has gained massive acceptance and popularity from small business to massive enterprise?

eDirectory was a fantastic product, but it had its flaws, as does Microsoft's AD. But if eDirectory was the vast superior solution, how come its use is in massive decline?

I feel you need to take off those worn out glasses and get a fresh set of lenses through which to view the technology world.


Re: Insecure by Design

"There has been zero will to do this on the part of people currently entrusted with control of the Network."

Wow, your post is inaccurate in so many ways and just sounds like the bitter whine of a misunderstood security genius.


Re: AD?

"Especially when AD crumbles under real world authentication requirements."

Indeed. Which is why AD is at the core of nearly every medium to large business for their authentication requirements. I've worked at both Oracle and Microsoft and have worked with many, many large companies that use a variety of directory services. If you think AD crumbles in real world deployments you must be an intern that has yet to work in the "real world".

D-Wave IS QUANTUM, insist USC scientists


Gotta love the register. Hundreds of comments from serfs about how Windows 8 is a failure. yet the comments on this article demonstrate the average intelligence of the register reader.

Me included by the way...

Lights, camera, action: Snowden movie hits the web


Maybe Zynga should be building a Snowden spy game for my iPhone.

Salesforce and Oracle forge partnership to smash rivals


I really don't know where to start with this news. I could write a book... But suffice to say that years and years of Oracle treating customers poorly means that when those customers are given a viable alternative in the cloud, they are going to run from Oracle as fast as possible. Oracle suddenly realizing that it's terrible sales practice might finally bite them in the ass is now going to partner with everyone it can to save face, or more importantly for Larry and Safra, save revenue.

Analysts brawl over 'death' of markup language


Re: Gartner...

Absolutely. Gartner are mostly a paid PR company.

On the XACML subject however, the problem is that trying to externalize authorization is damn hard when SAP/Oracle/IBM WANT their platforms to be the source of policy. It's part of the value of building the massive enterprise ERP platforms. So while XACML fills a need, the need is depressed by the vendor. So either the customers need to force the standard on people or it will never work.

Emergency spacewalk as ISS takes a leak


4) Stop using all forms of computing devices

5) Devolve the human race

6) Start worshipping the sun and sacrifice every first born child

Any other amazingly dumb suggestions?

Prepare for a growth spurt when you virtualise systems

Thumb Up

Make sure your identity management infrastructure is also ready for the increase in demand

While this article talks about the need for mature process around storage and system patching it also highlights the need for a mature identity solution underneath it all. I spend a lot of time talking to people about how they provision accounts in their environment, how they manage access rights to applications and systems. An alarmingly high number of people have a lot of manual process in the creation and management of user accounts and access controls. Scale up the environment and quickly the one guy who is adding new accounts to Active Directory when a new employee joins or is managing group membership can be overwhelmed. This can lead to a reduction in the speed at which users get access and increase the exposure for mistakes when people have access to the wrong systems.


Biting the hand that feeds IT © 1998–2022