Archive for December, 2012

If not passwords, then what?

Saturday, December 29th, 2012

Interesting read over at

While all the hacks described therein are quite legitimate, and some amusing (e.g., hacking Nuance voice verification by recording someone speaking each digit and replaying on demand), this does raise the question: if not passwords (and two-factor, and voice bio, and SMS/PIN and …) – then what?

That’s the million dollar question. The password-centric ecosystem, along with security questions and password reset mechanisms, is quite fragile, but it’s inexpensive to deploy and operate, accessible from any device and any location, and well understood. Alternatives require changes to user behaviour and expensive infrastructure, and often just create new weaknesses.

It’s easy to say “move on – passwords are not secure enough” but it’s hard to offer a convincing argument for any particular alternative.

Session capture can be creepy … keep it safe

Thursday, December 20th, 2012

One of the features we offer in our Privileged Access Manager product is the ability to record an IT user’s login session to a privileged account. This can come in handy in a variety of circumstances — forensic audit, knowledge sharing, figuring out what was done to cause a breakage, etc.

The problem is that session capture raises some serious privacy concerns. What if I’m the IT user being monitored, and I take a break from my admin duties to do a bit of personal banking? Maybe I do that at lunchtime – perfectly reasonable. The trouble is, my employer now has a video record, keystroke data, etc. of me signing into my bank account. They literally have my bank account number and password in the logs. Talk about unintended consequences! I’m sure they don’t want the data, but it’s very hard to filter it out of the capture data stream.

That’s innocuous, but what if things get really personal? What happens if an admin is called up at 3AM to fix a critical system issue? He gets out of bed, half dressed, opens his laptop, signs on and does what’s required. But session capture can also turn on his webcam – is that the admin’s partner in bed in the background? Have we activated the webcam on a corporate PC or on his personal device? Did we just enable video surveillance of our admin’s residence? The legal and ethical questions get pretty murky, pretty fast.

None of this is to suggest that session capture is an unreasonable feature — merely that it should be applied with great care.

We have been quite careful about this with our own software — we use workflow processes to approve requests to search through recordings, further workflow approvals to approve requests to play back a particular recording, policy engines to decide when session capture should be enabled and what data streams to turn on (full screen, launched window, keystrokes, copy buffer, webcam, etc.) and more. We take the privacy implications of session capture quite seriously.

Given this background, I was shocked when I recently learned that at least one of our competitors includes a feature for real time session surveillance. They literally allow an auditor, with pre-approved but not per-incident access, to watch what an admin does in real time. Wow. Talk about throwing caution to the winds!

Folks – real time surveillance is just plain creepy. Please don’t do it, even if you happen to have a tool with that capability. Instead, consider the power that session monitoring gives you to compromise someone’s privacy, and apply it very VERY conservatively.
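The controls described in this post (a policy engine choosing which streams to capture, separate approvals to search and to play back, and no real-time viewing) sketched as policy functions. This is an added example, not code from the Privileged Access Manager product; the context attributes, stream names and decision rules are assumptions constructed for the illustration.

```python
# Added example: policy-gated session capture. Not Hitachi ID product code;
# the context fields, stream names and rules below are constructed for this
# illustration.
from dataclasses import dataclass

# Capture streams the post lists as separately switchable.
ALL_STREAMS = frozenset({"screen", "launched_window", "keystrokes", "clipboard", "webcam"})


@dataclass(frozen=True)
class SessionContext:
    """Facts a policy engine would know before a privileged login starts."""
    device_owner: str      # "corporate" or "personal" (assumed attribute)
    account_tier: str      # "privileged" or "standard" (assumed attribute)
    off_hours: bool        # login falls outside the admin's working hours


def capture_streams(ctx: SessionContext) -> frozenset:
    """Decide which streams to record, collecting as little as possible.

    Constructed rules:
      * standard accounts are not recorded at all;
      * privileged sessions always get screen and launched-window video;
      * keystrokes and clipboard only on corporate devices, where a personal
        banking session mixed into the capture is less likely;
      * webcam never on a personal device and never off hours, so the 3AM
        call-out from home does not become video of the admin's bedroom.
    """
    if ctx.account_tier != "privileged":
        return frozenset()
    streams = {"screen", "launched_window"}
    if ctx.device_owner == "corporate":
        streams |= {"keystrokes", "clipboard"}
        if not ctx.off_hours:
            streams.add("webcam")
    return frozenset(streams)


def playback_allowed(mode: str, search_approved: bool, recording_approved: bool) -> bool:
    """Gate access to captured data behind per-incident approvals.

    `mode` is "live" or "recorded". Live viewing is refused unconditionally,
    even for an auditor with standing access, because there is no per-incident
    justification that could have been approved. Recorded playback needs both
    the approval to search and a separate approval for the specific recording.
    """
    if mode == "live":
        return False
    return search_approved and recording_approved


if __name__ == "__main__":
    home_callout = SessionContext(device_owner="personal", account_tier="privileged", off_hours=True)
    print(sorted(capture_streams(home_callout)))  # screen and launched window only
    print(playback_allowed("live", True, True))   # False: no real-time surveillance
```

The point of splitting the decision per stream is that the privacy exposure differs by stream: screen video of a root shell is audit data, while keystrokes or a webcam feed on a personal device are exactly the unintended captures the post describes.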

Citrix Receiver on Linux/64-bit

Wednesday, December 19th, 2012

I had the unfortunate experience today of trying to use a Citrix ICA client (“Citrix Receiver”) on a Linux client OS.

What a joke.

The 64-bit client – once you find it through Google (it’s not offered automatically) – is actually a packaged-up 32-bit client. Built using Motif (anyone remember that ancient UI framework from the 1990s?). With a broken installation script, which fails to identify a 64-bit OS. And finally with broken SSL CA certificates, such that when you finally get the thing installed, through hacking scripts, installing dependencies and general screwing around, it refuses to connect to the ICA server.

Citrix should decide whether they seriously want to support Linux. Either release a decent client, built with a modern UI, able to install cleanly on a modern OS, or stop taunting us with their crapware.

My advice to anyone reading this: don’t bother. If you must connect to a Citrix VDI infrastructure, and your PC runs Linux, then fire up a Windows VM and connect from there. While the UI experience of ICA inside Windows VM inside X11 is less than optimal, it at least works. The native client – not so much.