
Hitachi ID Systems Blogs

Microsoft in trouble…

August 17th, 2013

It seems that Microsoft can do no right these days.

In the public space, they seem to be an all too eager accomplice with the NSA, violating the privacy of their customers.

In the gaming world, they had dreams of device lock-in and always-on Internet for their next console, but have had to back-pedal due to consumer outrage.

In the operating system space, I recently purchased two PCs and my experience getting each to a working state was telling.

* The first PC was a laptop for my kid. I picked up a used “professional class” Lenovo – same thing I use myself at work on eBay for a few hundred bucks. Add a mail-order SSD and voila- a backpack-friendly notebook for my little girl. So what to install on it? I handed her a USB drive with a recent Ubuntu on it (12.04 LTS) and asked her to install the OS herself. 10 minutes later, and my 13 year old was done: a fully functional machine, with a full suite of apps (including an office suite), which she was starting to personalize. 10 minutes from “that’s a new SSD” to “OK, the machine is ready to be used.” Impressive.

* The second PC was ordered a few weeks later. Also a cheap box – to replace our recently dead home Windows PC. A refurb Asus i7 with lots of RAM, a big HDD and a mid-line video card. Similarly priced to the laptop, also for light domestic duty. So how did this one go? 15 minutes to complete the half-installed OS install procedure. 2 hours to burn backup DVD media. 1 hour to decrapify the OS. Another 1 hour to download useful apps. Several reboots to apply tons of patches and “updates.” Total time to bring this machine to a similarly useful state? About 18 hours elapsed, 3-4 hours of intermittent human attention. Brutal.

Why would consumers put up with this? Microsoft: this is why Apple is eating your lunch! People pay hundreds of dollars to not put up with this. I even happen to think that the Win7 UI is *better* than the MacOS one and comparable to the Ubuntu one, but come on guys – hours of BS just to turn a consumer PC from a thrashing pile of almost-malware to a useful machine? And you pay $50 to $100 for the privilege of suffering that. Wow.

I don’t really know how Microsoft gets themselves out of this mess, either. Their whole commercial model depends on two franchises: Windows and Office. The rest, if I understand it right, is financially immaterial. The Office franchise is at risk from cloud apps (Google) and free apps (LibreOffice). The Windows franchise is under attack by mobile (Android, iOS) and cleaner desktop alternatives (Linux, MacOS). I get that Windows is a more robust enterprise desktop solution, able to be locked down, with central management features, but users, burned once or twice by the consumer experience, will certainly hate it. I also get that Windows is the premiere gaming platform, but are the enterprise and gaming markets enough?

To add insult to injury, I recently installed a trial of Windows 8.1. Wow – that is not a friendly desktop OS. Flaky/crashy with the main app I have Windows for (WebEx) and that whole Start page is definitely as crappy as everyone says. Who needs it? I just want to open a file or launch an app. And get this: the OS wants me to sign in with – not local creds – but creds to Microsoft’s online platform. Can you imagine if *that* credential database got compromised? What enterprise would allow such a dumb idea? What consumers are comfortable with this? Crazy.

If I were a Microsoft shareholder, I’d be up in arms.

XKeyscore

July 31st, 2013

Just read the latest bit from our friend Mr. Snowden:

The Guardian

Interesting slides. Some thoughts:

  • This is an internal training deck, from 2008.
  • It shows full data capture – emails, VPN connections and more — in many countries around the world.
  • Data remains local — it’s not practical to feed all this stuff back to the US. Sensible architecture.
  • Interesting to see which countries are collaborating with the NSA on this kind of snooping and which are not.
  • This is from 2008. Imagine how much more they can do today!
  • Not snooping on US citizens/residents? Yeah, right.
  • Cool to see that Canada (where I live) is not on the list of cooperating states.
  • They claim ability to decrypt VPN traffic. I wonder how that’s done? Is there some secret key leakage/disclosure going on in popular VPN client packages? This may be the most worrying bit in the presentation.
  • They claim 300 terrorists arrested using this platform. If true, and if they have convictions, this would go a long way towards justifying the whole thing. Privacy invasion to support theoretical security is one thing. To support concrete security results is something else again.

Bottom line: if they are actually putting away real terrorists with this stuff (as claimed) and are basically doing pattern match searches (almost certainly true), I’m not sure this is all that bad for my privacy or that of any other “honest citizens” — seems like a reasonable program, on that basis.

Just my $0.02. Let the flame war begin. :-)

– Idan

Floods in Calgary

July 1st, 2013

Normally I write about IT security or identity and access management.

Today I’ll take a break from that and talk about disasters and disaster recovery. Unfortunately, from first hand experience.

As some of you know, Hitachi ID Systems is headquartered in Calgary and we’ve recently had some very serious flooding here. Calgary is a pretty dry place situated at the confluence of two small rivers – the Bow and Elbow. When we get really heavy rains (always in June), it’s not unusual for a few basements to get wet, but what we just experienced is something else entirely. In a city of just over a million people, 100,000 were evacuated from their homes. Water levels in both rivers rose by several meters. Many square kilometers of the city were inundated. The damage is estimated at five billion dollars.

Calgary did not even get the worst of it. There is a nearby town called High River (yes, the irony in that does not escape anyone…) where all 13,000 residents were evacuated and most are still unable to return — some homes there are still completely submerged, about 10 days later.

Dealing with this has been quite the learning experience. It certainly puts into perspective things we see in the news, about Hurricane Sandy that recently hit the East Coast, the Fukushima disaster in Japan, Hurricane Katrina, etc. To be clear, what we suffered here was miniscule in comparison to those disasters – but seeing something like this first hand is certainly eye-opening.

First, the good: the evacuation of 10% of the city’s citizens took place over just 6 hours, in the most calm and orderly fashion imaginable. A laudable combination of responsible, effective government with clear-headed and compliant citizenry. I can just imagine that such an evacuation order, had it taken place in other parts of the world, might not have gone over as well as it did here.

Next, the bad: unimaginable damage throughout the city. Areas that are nowhere near either river and maybe 5m above it got flooded. For safety, power was cut to 20 neighbourhoods and much of it remained off for 5-7 days. Our office lost power for the full 7 days, being situated in one of the worst-hit areas.

Once the water started to recede, something really cool started to happen. Citizens descended on the affected areas by the thousands, to help with clean-up. One day, the mayor called for 600 volunteers at our football stadium. Thousands turned up. The number and energy of volunteers has been so great that the municipality could no longer help orchestrate their efforts, and instead started giving guidelines on what to do and where. Other cool stuff: effective use of social media to keep everyone apprised of road closures, flooding, cleanup processes, power cuts and recovery and more. This is one coordinated city!

We’ve had more than our share of volunteers helping to restore access to our offices too, both employees and contractors responsible for our elevator, electrical system, site security, etc. Thanks everyone!

We’re all very glad of our mayor Nenshi too. While Toronto deals with allegations that its mayor smokes crack with Somali drug dealers in low income housing, and Montreal and Laval have each replaced mayors twice in the past year or so, due to corruption allegations and charges, we have a solid guy working hard, keeping everyone up to date and keeping the recovery moving along smoothly.

So how did we do in maintaining service during this disaster? Our web site, e-mail and other essential services were knocked off-line for about half a day. We brought those up before we could even get back to our building. After about a day and a half, we brought up more services by moving some of our core servers to a co-location site and got all of our Calgary staff to work from home. Everyone was getting in on the disaster recovery, including our hosting data center partner, who got us operational over the weekend.

In short, not too bad. I hope to never have to do this again, but I also know that we learned lots and will undoubtedly do even better next time.

And living through this sure gives me new appreciation for the need for geo-diversity of core services. The software we make does that: for example, our Privileged Access Manager customers routinely deploy servers on different continents and ensure that each server contains a full set of data, so that no single-site disaster would interrupt their access to privileged accounts at other locations. That’s a great sales pitch, but man, it sure feels more concrete when you have to live with the loss of a major data center yourself.

PRISM

June 12th, 2013

The recent disclosure by Edward Snowden about the NSA’s PRISM surveillance system has been quite interesting. It seems certain that they are collecting metadata about all phone calls that pass through US infrastructure (or perhaps even infrastructure of US domiciled telcos that is located elsewhere). There are also claims that they have access to content from major B2C cloud providers such as Facebook, Google, Microsoft and Skype.

First, was anyone seriously surprised? Surely not! The US government is in a siege mind-set and both surveillance and development of a social graph to find accomplices are reasonable approaches (never mind legality) to defend against terrorism.

Why the siege mentality? Because of the ominous terrorist threat! Never mind that the number of people killed or injured in the western world, by terrorism, is statistically indistinguishable from zero and that no government can point to any successful prevention despite billions in spending. The best the US government can point to is a few dead terrorists, thanks to the drone assassination program over Pakistan. And a lot of dead soldiers in Afghanistan and Iraq. Tragic.

So given that wire-tapping without a court order is supposed to be illegal in the US, how might the government justify the legality of this program?

One approach might be to collect all the data, store it, but only analyze any of it with a court order. Another approach might be to run analyses on the social graph, generate reports on interesting sets of people but without identifying who they are and get a secret court to approve display of identity data for the people identified in a report.

Who knows? I am not a lawyer. It’s fun to speculate, though!

So is any of this useful?

As an IT security practitioner, my first instinct is to say “yes” — i.e., it seems plausible that you would find some bad guys this way.

The trouble is, have the US feds found any bad guys? I can’t imagine politicians resisting the urge to brag about the success of this kind of effort if they actually caught someone. They haven’t really done that, so I have to conclude that the program has been a dud. Very much like the video surveillance in London – sounds good on paper, but where is the data to show that it had an impact on crime rates? (hint: there is no such data).

I’m a big believer in “if you can’t measure it, it doesn’t exist” – and extreme surveillance like PRISM or like the London camera system has yielded no measurable value, as far as I can tell.

But what about 9/11 you might ask? It’s a single event, and it could be prevented by better doors on cockpits (done). Seriously – you don’t need a TSA or DHS to prevent it. Even if you include 9/11, in objective terms, terrorism still poses a lower risk than slippery bathtubs (On an average, 370 persons of all ages sustain injuries from bathtub/shower daily in the United States.).

If you accept my thesis that all this anti-terror activity is a huge waste of energy, then what effect does it actually have? Well, if the purported $200,000/year salary for high-school-educated Edward Snowden is any indication, it has an impact on the IT labor market. As does the fact that the NSA and its contractors certainly employ tens of thousands (perhaps hundreds of thousands, collectively) of talented individuals in work that has no economic benefit. This isn’t good for the US economy (diverting labor away from productive work) or for the US federal budget deficit (this isn’t cheap folks!).

Another impact is on cloud computing. While US-domiciled firms may continue to be comfortable moving their corporate infrastructure and apps to the cloud, firms domiciled elsewhere will either not feel comfortable using US-based cloud providers (such as Amazon, Salesforce, etc.) or may even be legally prohibited from doing so (I’ve heard that medical researchers in Canada cannot host their IT on US servers). This means that all the surveillance has the unintended effect of making otherwise world-leading US cloud providers uncompetitive.

Another angle on all this is that it makes US government behaviour uncomfortably similar to Chinese government behaviour. Extensive surveillance? Check! Ability to block content? Check! (the US does this with DNS take-down orders due to claimed IP violations, but still…). Did the moral high ground just make a whooshing noise as it disappeared?

What else could they monitor? Full speech-to-text of voice calls comes to mind. The technology almost certainly exists (I have heard that the Israeli government has had this capability for years). You could use the same legal cover to add this feature.

Why the fancy new data centers in Utah and Maryland? Well, if you collect this kind of voluminous data, you have to store it somewhere. Surely the telcos and cloud B2C web site companies won’t want to spend their own money to store all this data on their servers, in their facilities. Violating customer privacy is one thing. Spending big money to do so is something else again.

The US public seems to be sanguine about all this surveillance. That’s an uncharacteristic trust in government’s good intentions, quite at odds with the recent IRS abuse of power scandal. Nishant Kaushik pointed out something really smart today — Americans would likely respond quite differently if they clued in to the idea that PRISM could probably be used to create a gun owners registry. Imagine the NRA‘s response! LOL.

So is this just a US problem? Well, obviously more repressive regimes like China and Russia do the same thing. I think we should assume, by default, that other Western countries (including my home in Canada) do so too. That’s gotta be the safer assumption.

That’s what comes to mind. Quite a lot. ;-) We certainly live in interesting times!

Why do you need a privileged access management system? Let me count the ways…

May 3rd, 2013

This sort of thing is distressingly common:

networkworld.com

Basically a technical guy – developer/sysadmin – didn’t get promoted, got mad, quit and then spent weeks hacking into his old workplace and causing trouble. Electronic version of old crimes: “break and enter” and “vandalism.”

With a robust system to control privileged access, the amount of damage he managed would have been far reduced…

Want to replace passwords? Try…

April 29th, 2013

Every so often, I run across discussions about the end of passwords, and what will come next. Seems like a popular topic on linkedin discussion forums, of late.

So why is it, really, that we’re still using passwords? We all thought they’d go away years ago, right?

It turns out that every type of credential is some sort of compromise, so let me try to capture all in one place what’s nice and what’s not so nice about every approach (in general – I won’t pick on any products here):

Passwords
Pros:

  • Well understood.
  • Work well on any device that supports text input (which is pretty much any device, right?).
  • Nothing physical to carry, that can be lost or stolen or just left at home.
  • Work both locally on the device (e.g., a key derived from the password decrypts locally stored secrets) and on the network (web forms, Kerberos, etc.).
Cons:

  • Pick a simple password, get hacked.
  • Share your password, get abused.
  • Avoid changing your password, create a comfortable time window for someone to hack you.
  • Easily forgotten, especially if they are strong/hard to guess/changed often.
  • If some app or web site implements them badly (happens often enough!), your password gets compromised along with everyone else’s. If you use the same PW elsewhere, all your accounts are potentially compromised.
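The last con above is worth making concrete. The block below is an added example (not code from the original post or from Hitachi ID) contrasting the “implemented badly” case, an unsalted fast hash, with a salted, deliberately slow KDF (PBKDF2-HMAC-SHA256 from the Python standard library). The user accounts, passwords and attacker wordlist are constructed sample data, and the iteration count is an assumption you would tune to your own servers.

```python
"""Weak vs hardened password storage (added example; not from the original post).

Two things the pros/cons list above warns about, shown on a leaked table:
  * an unsalted fast hash reveals which users share a password and falls
    to a single pass over a wordlist;
  * a per-user salt plus a slow KDF makes every record independent, so a
    breach of one site does not hand over reused passwords elsewhere.
All users, passwords and the wordlist below are constructed sample data.
"""
import hashlib
import hmac
import os

# Constructed sample accounts; 'alice' and 'carol' reuse the same password.
SAMPLE_USERS = {
    "alice": "Summer2013!",
    "bob": "correct horse battery staple",
    "carol": "Summer2013!",
}

# Constructed wordlist an attacker would try against a leaked table.
WORDLIST = ["123456", "password", "Summer2013!", "letmein"]

PBKDF2_ITERATIONS = 100_000  # assumption: tune so one verify costs ~100 ms


def weak_store(password: str) -> str:
    """The 'implemented badly' case: unsalted SHA-1, one fast hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_store(password: str) -> str:
    """Random per-user salt + PBKDF2; record format 'pbkdf2_sha256$iters$salt$hash'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def strong_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def crack_weak_dump(dump: dict) -> dict:
    """Attacker side: one SHA-1 per wordlist entry recovers every matching user at once."""
    table = {weak_store(word): word for word in WORDLIST}
    return {user: table[h] for user, h in dump.items() if h in table}


def duplicate_password_groups(dump: dict) -> list:
    """Attacker side: identical stored values expose shared passwords before any cracking."""
    by_hash = {}
    for user, h in dump.items():
        by_hash.setdefault(h, []).append(user)
    return sorted(users for users in by_hash.values() if len(users) > 1)


def demo() -> dict:
    """Store the sample users both ways and show what a leaked table gives up."""
    weak_dump = {u: weak_store(p) for u, p in SAMPLE_USERS.items()}
    strong_dump = {u: strong_store(p) for u, p in SAMPLE_USERS.items()}
    return {
        "weak_cracked": crack_weak_dump(weak_dump),
        "weak_duplicates": duplicate_password_groups(weak_dump),
        "strong_duplicates": duplicate_password_groups(strong_dump),
        "strong_verify_ok": strong_verify("Summer2013!", strong_dump["alice"]),
        "strong_verify_wrong": strong_verify("summer2013!", strong_dump["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the weak table giving up both reused passwords from a four-word list while the salted records for alice and carol look unrelated; the slow KDF does not stop an attacker who already has one user’s password, it just stops a single breach from cascading into everyone else’s accounts.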
Other kinds of secrets:
  • PINs are just short, numeric passwords.
  • Security questions are the most common.
  • Also images that you remember, or randomly rearranged symbols where you click on your password, etc.
  • Same basic pros/cons as passwords.
  • Some methods lose the compatibility advantage, because the login form of an app has to be altered to work with them.
Biometrics:
Pros:

  • Measures something you are.
  • You can’t forget parts of yourself.
  • Often quite user friendly, and sometimes perceived as “cool.”
Cons:

  • Revocation is impossible.
  • Some technologies not very secure. For example, finger print scans that can be fooled by gummy bears or voice print by audio playback.
  • Other technologies just implemented poorly — looks cool, but under the covers just injects a password anyways.
  • Generally require a special sensor (fingerprint, retina, etc.) — so not compatible with all your devices.
  • If no special sensor required, then there are extra compatibility requirements: face-print verification? Good lighting. Voice print verification? Usually only on the telephone, and may not work if it’s really loud around you.
  • Often does not work when off-line, since the biometric database is on a server somewhere (that you can’t connect to from your airplane seat or car or …).
  • Typically 1% or 2% of users can’t use any given biometric. Amputee? No finger prints for you! Blind? Retina may not work. Used to go diving a lot? Finger vein may not pick up. etc.
  • Most apps are not compatible, so you either have to modify your apps or front-end authentication and then inject passwords (and we’re back to passwords again, but with the illusion of extra security).
One time password devices
  • Most commonly “hard” tokens like RSA SecurID and Vasco. Sometimes “soft” tokens where the special hardware is replaced by software on your phone or PC – which is more convenient but less secure.
Pros:

  • Secure against password replay attacks. Does not assume channel security between the client and server (although a code relayed in real time, e.g. through a phishing page, is still valid until it expires).
  • Compatible – what you type is just a string, so looks a lot like a password, which makes integration with systems and applications relatively easy.
Cons:

  • Expensive per-user hardware (but at least no reader).
  • Some implementations have been spectacularly compromised (RSA token key material was hacked/exfiltrated, compromising 40,000,000 tokens world-wide!).
  • Nuisance for users to carry “one more thing” – which may be left at home, lost or stolen.
  • Only works while connected to the network (the authentication server is most definitely not on your PC), so useless for applications such as PC login, which should work when your laptop is somewhere without WiFi coverage.
Smart cards:
  • Usually a card, but sometimes another physical shape, like a key fob, that carries PKI certificates and possibly other key material. Notably US federal PIV cards and US DoD CAC cards – other implementations are much smaller.
Pros:

  • Can support both physical (i.e., door) and logical (e.g., PC login) access in a single device. Handy.
  • Works in off-line mode (you can sign into your PC while it’s away from any network using a smart card, something you cannot do with OTP and most biometrics).
Cons:

  • Hardware (the card) deployed to each user: costly.
  • Hardware (the reader) deployed to each user: even more costly.
  • Depends on a PKI infrastructure, which is also notoriously expensive and complex.
  • Not compatible with devices that do not have / cannot get a card reader.
Federation:
  • Sign into site A through a trust relationship with site B.
  • Many “standard” protocols such as SAML, WS-Federation and OAuth.
  • Technically, Kerberos looks a lot like federation.
Pros:

  • Convenient. Reduces login burden for users and administrative burden for IT organizations.
Cons:

  • Requires trust between domains. Want to sign into your local newspaper with your Facebook account? The newspaper has to trust Facebook to authenticate you.
  • Does not really make authentication (or passwords even) go away — it just externalizes it from one site to another. This is a good move, but not any kind of replacement / alternate authentication technology.
  • Too many standards – which ones to support?
  • Too many possibilities for who to trust – who do users want to use as an identity provider? Can we trust them?
Combinations:
  • Basically adding passwords or PINs to biometrics, OTP or smart cards.
  • More or less a given for 2 of those 3, since theft of the device (OTP/smart card) is an easy compromise.
  • Since the “extra” factor is a password or PIN, you can assume we aren’t replacing passwords or PINs any time soon.

If you find a security vulnerability and you live in the US … don’t say anything

March 18th, 2013

An interesting court verdict in the US today:

wired.com

Basically a couple of guys who, in 2010, noticed that AT&T was improperly publishing e-mail addresses of customers with iPads and who (a) collected those e-mails and (b) sent the list to the press to point out AT&T’s lapse, got slapped with jail time today.

To be clear: these guys just fetched content from the web which should not have been there. They didn’t “hack” into any system, unless I misread this.

This will doubtless have a chilling effect on security research and on reporting of security problems.

Of course, the bad guys don’t care about such rulings — it just handcuffs (literally in this case) the good guys.

Scary how powerful large corporations have become in the US – it looks like they have influence over both the legislative branch of government and the judiciary.

Date formats

March 3rd, 2013

Just noticed this at xkcd:

I couldn’t have said it better myself. Why do people persist in weird and wacky date formats? What’s the point? Isn’t 2013-03-05 simply better, clearer, shorter, more sortable and basically superior in every conceivable way?

Do different cultures and locales really still need their own, weird, mutually-incomprehensible and obviously-not-as-good-as-ISO date formats? Really?

While we’re on the topic of attacks … awesome gadgets

February 28th, 2013

Seems like security exploits are all the chatter these days. People tend to think of these things as anonymous, remote things, but what about if you can get (briefly) physical access to your adversary’s premises?

This would be a cool device to surreptitiously plug into their AC and wall power:

Very slick. And very dangerous. Funny that nobody talks about these things … is it because only the low-tech, user-must-have-been-duped attacks are press-worthy?

Now China claims US hacks

February 28th, 2013

Sometimes press releases are so dumb that they are funny.

Recently, the security firm Mandiant provided a detailed analysis of systematic, industrial-scale attacks against US and other private interests by a large, government-supported, well funded Chinese military agency. This was a wonderfully interesting read because it was full of evidence, analysis, clear links to a state actor as the aggressor, estimates of the scope and duration of attacks against private sector targets and more. Brilliant stuff.

Obviously, China denied the allegations (and why wouldn’t they?). Of course, none of that detracts from the detailed and convincing evidence, so clearly the Chinese feds are just engaged in mindless damage control and PR. No big deal – that’s the sort of stuff governments do.

Forceful public denials didn’t seem to convince anyone, though, so now they have a new tactic – complain that US hackers are attacking them instead. They claim 144,000 “attacks” per month against a couple of military-related web sites.

Call me crazy, but I’m dubious. First, no evidence was provided, so who knows if the number just came out of some marketing hack’s rear end or represents anything factual?

Second, what constitutes an attack? Our corporate web site is hit by thousands of script kiddie connection attempts daily, presumably hoping to take advantage of a buffer overflow or bug in some software or other, which isn’t even installed on our site. This sort of “attack” traffic is just a normal part of the web traffic for most sites. Should we consider these connections to be “attacks” or just random “probes?” If they come from compromised machines that happen to be in the US, does that mean that “the US is attacking us?” I hardly think so.
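The probe-versus-attack distinction drawn above can be made operational. The block below is an added example (not code from the original post or from Hitachi ID) that parses Apache/nginx combined-format log lines, compares each request against the set of paths a site actually serves, and classifies each source as background probing (asking only for software the site does not run), normal, or hostile requests against real content. The served-path list, the log lines and the “suspicious query” pattern are constructed assumptions for illustration; the source addresses are documentation ranges, not real attackers.

```python
"""Separating scanner probes from attacks in web server logs (added example).

Reads combined-format access log lines and groups sources by what they hit:
requests for software the site does not run are counted as probes, while
hostile-looking requests against paths that do exist are flagged. The served
paths, the sample log and the query pattern are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed: what this hypothetical site really serves.
SERVED_PATHS = {"/", "/products", "/blog", "/contact", "/css/site.css"}

# Constructed heuristic: quote/angle/semicolon characters or SQL keywords in a query.
SUSPICIOUS_QUERY = re.compile(r"['\"<>;]|\b(?:union|select|or)\b\s", re.IGNORECASE)

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
198.51.100.7 - - [28/Feb/2013:09:14:02 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Feb/2013:09:14:03 -0700] "GET /blog HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.42 - - [28/Feb/2013:09:14:10 -0700] "GET /phpMyAdmin/scripts/setup.php HTTP/1.0" 404 221 "-" "ZmEu"
203.0.113.42 - - [28/Feb/2013:09:14:11 -0700] "GET /pma/scripts/setup.php HTTP/1.0" 404 221 "-" "ZmEu"
203.0.113.42 - - [28/Feb/2013:09:14:12 -0700] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 0 "-" "-"
192.0.2.9 - - [28/Feb/2013:09:15:30 -0700] "GET /contact HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.0.2.9 - - [28/Feb/2013:09:15:41 -0700] "POST /contact HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.0.2.9 - - [28/Feb/2013:09:15:45 -0700] "GET /contact?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_LOG.match(line)
    return m.groupdict() if m else None


def classify_request(entry: dict) -> str:
    """'probe' if the target does not exist here, 'suspicious' if it exists and the
    request looks hostile or broke the server, otherwise 'normal'."""
    parts = urlsplit(entry["path"])
    if parts.path not in SERVED_PATHS:
        return "probe"
    if SUSPICIOUS_QUERY.search(unquote(parts.query)) or entry["status"].startswith("5"):
        return "suspicious"
    return "normal"


def classify_sources(log_text: str) -> dict:
    """Per source IP: (class counts, verdict) where verdict is 'attack', 'probe' or 'normal'."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            per_ip[entry["ip"]][classify_request(entry)] += 1

    verdicts = {}
    for ip, raw_counts in per_ip.items():
        counts = dict(raw_counts)
        if counts.get("suspicious", 0):
            verdict = "attack"      # hostile requests against content that exists
        elif counts.get("probe", 0) and not counts.get("normal", 0):
            verdict = "probe"       # only asked for software we do not run
        else:
            verdict = "normal"
        verdicts[ip] = (counts, verdict)
    return verdicts


if __name__ == "__main__":
    for ip, (counts, verdict) in classify_sources(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict:7} {counts}")
```

On the sample, the scanner source that only asks for phpMyAdmin and the like comes out as a probe, which is exactly the class of traffic the paragraph above says should not be counted as an “attack”; only the source that sends a quoted payload at a page that really exists is flagged. Counting probes by source country, as the press release apparently did, tells you where compromised machines live, not who is attacking.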

So clearly the Chinese government’s public relations hacks are behaving like children, as you would expect them to:

  • They don’t seem to know what an “attack” is.
  • They don’t seem to understand the value of “evidence.”
  • They are engaging in a transparent effort to save face, after having been caught with their hand in the cookie jar.
  • They cannot seem to differentiate between “state actors” and “IPs registered in that jurisdiction.”
  • Of course, they have provided no evidence that Mandiant’s report is in any way untrue. Think about it — if that report was wrong, they could just march some reporters from the BBC or CNN or something into the building where the operation is purported to be taking place and show them that there are no hackers here. Easy, case closed, Mandiant would have egg on their face. What? They haven’t done that? Surprise, surprise!

The discussion above is not meant to imply, by the way, that the US military does not engage in “cyber warfare” — just that they are much more sophisticated and effective than this silly press release suggests. Think Stuxnet, not script kiddie. I’m not sure that they target China much either. Probably not enough Chinese-speaking US hackers to do that effectively. I think they are much more concerned with military and nuclear targets in Iran than Chinese commercial interests.