Why we all should care about net neutrality

Many people will see the words, “Net neutrality” and groan about yet more tech gobbledygook and geeks who spend too much time pretending to be Mr. Spock and watching Star Trek re-runs.  Nobody on Main Street cares about net neutrality, right?  Isn’t this all just an arcane concept that never intersects with real people on Main Street?

Well, not so fast.

The real story – behind all the tech jargon – is as old as the first antitrust issue ever to come before the US Government more than 100 years ago.  And it will effect everyone who connects to the Internet, which is pretty much everyone these days.  For people who think tech is only for weenies, think money.  $Billions in money.  And all of it comes from your pocket.

Net neutrality means Internet Service Providers (ISPs) are supposed to treat all Internet traffic equally, end to end.  Every data packet should be treated equally to all other data packets, regardless of source or destination.  ISPs should be neutral carriers and not make judgments about favorable or unfavorable traffic.

Here is the issue.  Without net neutrality, large ISPs will have the legal right to mess with your traffic.  Large players will have monopoly power and will control your access to services you care about.

And what happens when any monopoly player offers its own, competing services?  Forget high tech for a minute.

Let’s say Alice runs a restaurant.  But Bob controls all the streets in town.  If Charlie wants to eat at Alice’s restaurant, Charlie has to travel over Bob’s streets to get there. What happens if Bob’s sister, Doris, opens a restaurant that competes with Alice?  Bob wants to make sure money stays in the family, so Bob sets up toll booths for all travelers on his streets. But people who eat at Doris’s new restaurant get their tolls refunded, courtesy Bob.  Of course, this puts Alice at a competitive disadvantage, so Alice eventually closes.  Before long, Bob controls all the restaurants in town.

Now back to high tech.  Today’s large cable companies offer bundles that include phone service, Internet service, cable TV, and premium services such as movies on demand.  These companies control both distribution and content.  They control many of the streets and some of the restaurants. They want to control all the streets so they can encourage you to eat at their restaurants.

If any single ISP becomes your only choice to connect to the Internet, that ISP controls your access to the services you care about.  ISPs can exercise that control with pricing and surcharge gimmicks, much like the antitrust monopolies of old.  But today’s ISPs also have even more powerful tools.   They can prioritize traffic or play other quality of service games, to treat traffic badly they don’t want to carry.

Today’s familiar services such as Amazon, Netflix, Hulu, Facebook, Google, LinkedIn, and others, at their core, are elaborate websites.  The path from your house or business to those services runs through the Internet.  Without net neutrality, ISPs can grant or deny or regulate or tax access to these services as they see fit.  If an ISP decides it wants to offer, say, retail services, what access policies will it set up for Amazon?  Let’s say you put your business in the cloud, but your ISP offers a competing cloud service.  What quality of service will your ISP give you?

This is not hypothetical.  Comcast, for example, blocks traffic coming from email servers located in home networks.   More ominous, thousands of Netflix users are complaining about bad Netflix movie quality when connected to Comcast.  Comcast counters that it has a right to prioritize traffic as it sees fit because it wants to protect occasional Internet users from heavy downloaders.  Following that line of reasoning, I wonder if Comcast prioritizes its own Movies on Demand service similarly to Netflix, which competes with its own service?

Net neutrality is under constant attack.  If open access to Internet services is important to you – and it should be – then familiarize yourself with the details around net neutrality and make your voice heard.  Your livelihood may depend on it.

(Originally published on my Infrasupport website on Feb. 17, 2014.  I backdated here to match the original posting.)

What is the right way to deal with IT security vulnerability disclosures?

With all the IT security issues in the news lately, suddenly IT security is everyone’s problem.  One natural question behind the headlines is, what is the right way to handle IT security vulnerability disclosures?

Here are some thoughts.

To keep things simple, let’s limit this discussion to three major players.  The real world is more complicated, but this is enough to illustrate the concepts. The first player is Bob, leader of an organization.  Next is Ingrid who discovers a security vulnerability.   And, of course, Trudy, the evil intruder we all love to hate.  Trudy spends most of her waking hours probing the Internet, looking for weaknesses she can exploit and secrets she can steal.

Let’s say Bob’s business operates a website and Ingrid finds a security vulnerability that exposes sensitive information about Bob’s customers.  How should Ingrid proceed?

Here is a blog post I put together a few months ago with an example of what happens when players proceed the wrong way.

This is what should happen.  When Ingrid finds the vulnerability, she realizes Trudy is already trying to exploit the weakness to steal personal information from Bob’s customers.  The race is on to fix the problem before Trudy exploits it for her own evil purposes.  And Trudy has a head start.

Ingrid has an ethical duty to immediately inform Bob about the problem and make Bob aware of the potential consequences.  Bob, always skeptical about gloom and doom warnings, listens to Ingrid because Ingrid makes a coherent and credible presentation about the problem.  Bob heeds the warning, fixes the problem, and quickly informs his customers and takes remedial action.  A newspaper or popular blog eventually publishes the story, giving credit to Ingrid for her dedication.  Evan, an executive from an influential software company, reads the story and offers Ingrid a job as Director of IT Security.   Everyone lives happily ever after, except Trudy, who was denied the opportunity to steal from somebody.

That’s how things should work.  But it doesn’t always happen that way.

Let’s say Ingrid presents the problem to Bob, but Bob ignores the warnings.  Now what?  Trudy is out there.  When Trudy finds Bob’s vulnerability, she will exploit it and steal from Bob’s customers.  Trudy might even drive Bob out of business.  How does Ingrid respond if Bob fails to respond?

Let’s say Bob uses software from a company named, say, Orange Computer, and Ingrid finds a security problem with that software.  Ingrid contacts the right people at Orange, but Orange sits on the problem and does nothing.  Trudy is out there.  If Orange fails to address the problem, Trudy will exploit it.  What does Ingrid do?

Ingrid’s only course of action in this case is to follow a best practice called responsible disclosure.  After trying to warn Bob.  After contacting Orange.   After taking all reasonable steps to inform the right people, and after waiting a reasonable amount of time for a response, and as a last resort, Ingrid has a duty to disclose the problem publicly.  Ingrid must assume Trudy and her friends are already quietly exploiting the problem, and Trudy will hurt too many people if Ingrid fails in her duty.

Ingrid also has a duty to protect herself.  She should document her attempts to contact Bob and the people at Orange Computer as appropriate because when the problem becomes public, it will ignite a firestorm of controversy with Ingrid in the middle.   This will create an opportunity for Ingrid to educate the public and a threat from people who blame the messenger for creating the problem.

Politicians will weigh in with uninformed opinions and instant experts hungry for publicity will offer canned analysis for gullible press outlets hungry for sensational stories.  The noise will be deafening; real information will be scarce.

Amid all the noise, what about customers, the people who use software from Orange Computer and the people who use Bob’s website.  How do they respond?

Customers should do independent homework and look for the real story.  Security vulnerabilities happen all the time.  Is this one just another sensational story or is it real?  What are the prudent steps to protect against it?  What are the plans from Bob and/or Orange Computer to address the problem?  What are the consequences of not addressing the problem?  Customers need to find credible answers to these questions and make informed choices on how to respond.

After the initial disclosure shock wears off, some other questions are appropriate. Who is Ingrid?  What were her motives?  How did she find the problem?  Before the problem went public, what steps did Ingrid take to contact the right people?

That scenario assumes Ingrid discloses the vulnerability responsibly.   What if Ingrid wants to make a name for herself and she discloses the vulnerability without first informing Bob?  In this case, Ingrid is really a bad guy disguised as a good guy and trying to gain notoriety at the expense of Bob’s company.

Bob learns about the problem on the TV news along with the rest of the world and his company phones start ringing a few seconds later as press outlets everywhere look for comments and controversy.   What does Bob do?

Bob faces multiple threats.  He faces a public relations threat from sensational press stories spawned by Ingrid’s improper disclosure.  Bob and his customers also face a material threat from Trudy, quietly exploiting the vulnerability at the expense of  Bob and his customers.

To meet the PR threat, Bob needs to get in front of a runaway public relations train and slow it down.  This is the time for visible leadership and Bob must get in front of the cameras and take charge.  Provide explanations and frequent progress updates, and answer questions honestly and directly to repair credibility with a skeptical public.

Simultaneously and behind the scenes, Bob must also immediately address the actual vulnerability because Trudy wants to steal from Bob’s customers.  This might mean bringing in outside experts, it may even mean temporarily suspending business.   It will cost money.  Probably lots of money.  But if Bob handles this crisis properly, it can also be an opportunity for Bob’s company to come out of it with more trust and more credibility than before.

What if  Bob himself is a bad guy?

In 2005, Mark Russinovich was Ingrid and multibillion dollar Sony Corporation was both Bob and Trudy when Sony compromised thousands of computers around the world by surreptitiously introducing a rootkit when anyone played a Sony BMG music CD on a Windows PC.   A rootkit is illicit software that modifies core system components and is designed to conceal itself from malware countermeasures such as antivirus products.  Bruce Schneir summarized the story here.  Mark Russinovich’s original blog post with details on his great detective work uncovering the problem here.

Russinovich found the problem and reported it publicly in his blog.   This was the right thing to do and Sony eventually paid millions of dollars to settle fines and class action lawsuits.

What if Bob is a government agency and Ingrid discovers a vulnerability or abuse of power?  Now the consequences might be global.  Scenarios like this have spawned long discussions over the generations about ethics and whistle-blowing.  Sometimes, Ingrid is a lonely crusader pursuing justice against powerful forces.  Other times, Ingrid is an egomaniac, pursuing her own interests at the expense of everyone else.  And Trudy is always out there, ready to strike at every opportunity.  Ingrid has a duty to proceed with caution and carefully weigh the consequences of any action.

If you find yourself in a position similar to my hypothetical Ingrid, how do you decide what to do?  Who is harmed, who is helped if you disclose the vulnerability?  And who is harmed, who is helped if you do not disclose it?  If you take action, are you serving justice or your own ego?  Confide in a few people you trust and make your choice based on honest answers to those questions.  Do it responsibly.   Careers and lives may depend on the choices you make.

(First published on my Infrasupport website Feb. 14, 2014.  I backdated here to match the original posting date.)

What should a small business IT security system look like?

Given the recent security breaches all over the news, what would a good Main Street business security solution look like and how much would it cost?  After all, if organizations such as the NSA and large retailers such as Target can’t keep their secrets safe, what chance does Main Street business have?

A pretty good one actually. Keep reading.

First, an assumption. No piece of equipment is hacker proof.  You must assume bad guys want to get inside your devices and use your equipment and your network for their own evil purposes.  They have specs for everything you own and probably know more about the internal workings of your equipment than you’ll ever hope to learn. They’re smart, they’re greedy, they collaborate, and they want what you have.

That’s the nature of the threat.  Here are the pieces to deal with it.

It starts at the firewall.  You need a real firewall with provision for multiple LANs.  A real firewall is a router with multiple segments and some rules to regulate how each segment interacts with the other segments.  Most credible DSL and cable modems can accommodate firewalls behind them if configured properly.  Here is a PDF file you can download with some firewall frequently asked questions.

Your firewall will have at least one public, Internet facing segment.  It might have more public segments if you want multiple Internet feeds from multiple providers so you always have a path out if one feed drops.  Multiple Internet feeds is probably overkill for a business like a Chinese takeout restaurant, unless that restaurant depends on, say, a website to operate hour by hour.

You may choose to have an HA (highly available) firewall system with redundancy at your boundary that can juggle multiple Internet feeds and do automated failover routing in case an Internet feed goes offline.  This may also be overkill for that Chinese food takeout restaurant.  It may not be overkill for a multiple site retail operation that depends on the HQ site always being available.  Start small and scale as the business grows.

It will have a “people” segment where you put your employee computers.  This is where you put in the typical rules you see in most business networks. You’ll want a credible antivirus solution on all your workstations in this segment.  It can also become elaborate. You can put in web filtering appliances to regulate which websites your users visit, for example. If you choose to host your own email or web server(s), you can put in rules to accommodate those, and rules to accommodate spam filtering. This is overkill for small operations and a logical growth path for larger businesses.

If you’re a retailer, your firewall will also need a POS segment for your Point of Sale systems.  A simple POS terminal might interact only with your credit card processors.  Credit card processors all have IP Addresses, so your firewall will have rules to allow anything in the POS network to interact only with those IP Addresses.  The firewall will also have a rule blocking anything between your “people” segment and POS segment.

If your POS network is more sophisticated, those POS systems might need to interact with, say, a database server.  That database server, in turn, may need to access servers in your “people” network.  In this case, carefully construct firewall rules to accommodate this traffic and log attempts at any other traffic.  This is overkill for that Chinese restaurant, but might be essential for a franchise of Chinese restaurants or a sophisticated retailer with, say, a loyalty program.

Maybe you want to offer wifi as a convenience for your customers. This is tricky to do properly because of the nature of wireless and because you don’t want your customer wifi to mingle with your employee wifi in your stores.  Isolate the customer wifi from your employee wifi and all your other segments.  The wifi segment is only a convenience for your customers to get to the Internet.  Nothing crosses the border between the customer wifi into the “people” segment or the POS segment.

And there you have it in a few short paragraphs.  A topology that does a wonderful job of enabling your business, serving your customers, and keeping bad guys out.  Total investment includes a properly built firewall and either a few physical network switches or a smarter switch with VLAN capability.  Budget a cost of about $4k to start. The actual cost might be a little less for small operations, probably more for larger operations.  The antivirus subscriptions and other support subscriptions will also cost some op-ex each year.

(First published on my Infrasupport website on Feb. 8, 2014.  I back-dated here to match the original posting.)

A Left-Handed IT Security Opportunity to Earn Public Trust

The sensational IT security stories just seem to keep coming.  Consider:

  • Researchers at antivirus companies decoded a mysterious computer virus named Stuxnet, apparently authored by our own NSA and the Israelli government, designed to attack Iran’s nuclear equipment.
  • Army Private Bradley Manning (now Chelsea Manning) stole hundreds of thousands of secret communications and videos and sent them to Wikileaks, which published them.
  • Edward Snowden, working as a contractor, stole thousands, maybe millions of documents detailing how the United States gathers intelligence information and fingering pretty much every American IT equipment vendor and large service provider.
  • 40 million credit card and PIN numbers are now up for grabs thanks to malware implanted in Target’s POS systems.  And personal information stolen from other Target databases on 70 million more people are also now up for grabs.
  • Apparently, Target is not the only retailer with a data breach.  News reports of another breach at Neiman Marcus now fill the headlines.  Others are sure to follow.
  • And because of the Snowden revelations, the United States government stands accused of paying and/or coercing a Who’s Who list of American IT equipment vendors and service providers to aid in spying on foreign and American citizens.  One breathtaking claim says the US Government paid $10 million to RSA, a leading IT security company and standard setter, to purposely weaken at least one of its encryption standards.
  • That same United States government effectively forced a Chinese company out of the US market by accusing it of spying for the Chinese government, while at the same time it coerced and enticed American companies to help the US Government in its spying.

TV news reports paint a picture of the NSA as a group of trustworthy professionals gathering all this data to protect an unsuspecting public.  I’m sure top professionals work for the NSA, but if the NSA is so institutionally smart, how did one rogue system administrator steal millions of documents and put the entire United States intelligence gathering capability at risk?  What happened to concepts such as least privilege and levels of accountability?  And why is the Stuxnet virus now in the public domain?  Did the authors really believe it would remain secret as it wormed its way around Iranian computers, looking for targets?

Sensational security stories are not limited to the US Federal Government.  The initial reports on the Target breach came on December 15, 2013.  See this blog post.  On Friday, January 10, 2014, Target disclosed another theft from the same breach involving personal information for 70 million additional people.  Let this sink in for a minute – Target and an army of forensic investigators examined Target’s infrastructure in detail for nearly a month before finding evidence of the additional theft.  How many other similar thefts have gone undetected?

The predictable result of all these revelations?  Erosion of trust, finger pointing, shock, outrage, and hyperbole everywhere.

While government, the courts, and an alphabet soup of secret security agencies and large companies sort all this out, how much of this matters on Main Street and what should businesses and individuals do about it?

The core of all security products and practices depend on trust.  That trust has been violated and that makes this critical on Main Street. Main Street companies can no longer trust their infrastructures are safe from government and criminal eavesdropping because the very products put in place to protect against it are tainted.

Great – we can no longer trust our IT infrastructure products.  What do we do about it?

Consider replacing critical IT infrastructure components with components built using the open source model.  Although this reads like arcane tech jargon, the concept is vital in today’s interconnected and insecure world.  Two general methods exist for building the software we use every day for browsing the Internet, processing transactions, connecting phone calls, and everything else.  These are:

  1. Proprietary
  2. Open

With the proprietary model, one company controls everything about a product.   Microsoft Windows, Microsoft Office, Apple IOS, Cisco routers, and many others use the proprietary model.  The good about the proprietary model is, companies (hopefully) stand behind their products and offer support and accountability.  The bad is, customers are left at the mercy of these companies and nobody knows what’s inside, which provides an opportunity for meddling by government or other bad guys.

With the open source model, one person or organization acts as a maintainer or lead developer of an ongoing project, and members of a world wide community contribute new features, bug fixes, and peer review.  The development process happens in full public view, which means no government agency from any country has an opportunity to introduce secret “back doors.”  Why would armies of thousands of unpaid volunteers do this?  For the same reason I write articles for this blog – for the recognition, which hopefully leads to service revenue.

The major challenge behind open source is, community developed means community supported, which means nobody is accountable when things go wrong.  To meet this challenge, companies such as Red Hat provide commercial support subscriptions for open source products.  My company, Infrasupport, is a Red Hat partner.  This provides the best of both approaches; accountability from the proprietary model and professional peer review from the open source model.

Enlightened IT departments will seize the opportunity from today’s supercharged security climate to secure their organizations’ IT assets using untainted, open source tools.  These organizations will earn back lost trust and the rewards that come with it.  The rest will bury their heads in the sand and hope the problem goes away.  But the problem will not go away.  Sensational stories will keep coming and market power will shift to those organizations with enough guts to take control of their own environments.

(First posted on my Infrasupport website on Jan. 13, 2014.  I backdated here to match the original publication date.)

Target, get on the ball with this data breach

If you shopped at Target between 11/27/2013 and 12/15/2013, congratulations.  Your credit or debit card info is one of around 40 million up for sale in a thriving underground marketplace complete with wholesalers, distributors, retailers, and easy to use websites.  Replace your card right now before bad things happen.

Brian Krebs broke the story in his blog, Krebs on Security, and the public owes Krebs a debt of gratitude.   Here is the original story.   Here is a follow-up post.  Target blew it.  Target should have notified customers and broken the story itself.  But  instead of proactively notifying its customers, Target apparently responded to the Krebs blog, as did the rest of the popular press.

The more onion layers peeled back, the scarier this gets.  Where did that date range between Nov. 27 and Dec. 15 come from?  Apparently, banks buy samples of stolen credit card info from those same underground markets and look for patterns.  The big thing all these cards have in common is – you guessed it – transactions at Target during that time window.   That’s why the press is reporting the date range of 11/27 through 12/15/2013, not because of anything Target found and reported about its systems.

Let this sink in for a minute.   That date range came from looking at samples of cards already stolen and not from any analysis of whatever was penetrated to get the card numbers.  As of Christmas eve, 2013, we still don’t know what specifically was penetrated, which means we don’t know what else is at risk or what steps the public can take to protect itself.  Here is an article with some expert speculation, but it’s only speculation from the outside.

Target claims the vulnerability is now closed and offers reassuring press releases to soothe the general public.  But with no guidance on what was penetrated and what specific steps Target took to close the vulnerability, the press releases so far offer nothing of value.  The public trusted Target before the theft and now 40 million credit card numbers are up for grabs.  Why should the public trust Target now?  What’s different?

If anyone from Target reads this blog post, Crisis Management 101 suggests transparency and disclosure.  The worst thing you can do is hide.  Instead of reacting to events and putting out vague press releases that offer no useful information, get in front of this story and tell the public specifically what happened and what you’re doing about it.  Introduce us to the people working around the clock to plug the gaps.  Show us how hard you’re working to fix the problem.  Convince us that shopping at your stores won’t expose us to identity theft.  Treat this like a crisis, because it really is a crisis.

Are we all in this together, as your press releases promise, or are those just empty PR words?  Smart people who know how transaction systems are supposed to work are watching.

(First published on my Infrasupport website on Dec. 24, 2013.  I back-dated it here to match the original date.)

A long couple of days in the life of an IT professional

This story is one example of many for what the best IT professionals do to keep our skills current.

The story started in April, 2013 when an opportunity to deliver a project based on a software product called RHN Satellite from a company named Red Hat came along. Large companies use RHN Satellite for activities such as automated builds, patch management, auditing, configuration management, and other administration for Red Hat Enterprise Linux servers. Think of an IT shop that needs to roll out dozens or even hundreds of servers and set them all up the same way. Those folks need RHN Satellite.

I knew nothing about RHN Satellite, but I’ve earned a reputation as a quick learner and was confident I could master it.  This would help a customer bring in an important project and make some money for me.  A win for everyone.  So I said yes.  This is what the best IT consultants do; we say yes and we learn quickly.  The job is not for the feint of heart.

There was a training class in Dallas with open seats coming in one week and I quickly signed up. Dallas is more than 900 miles away and I’m too cheap to buy expensive plane tickets, so I drove the 14 hours to the training site, attended the class and learned enough about advanced Red Hat Enterprise Linux system administration to deliver the project.  I also invested in the certification test.  If I’m going to learn the product, I may as well also get some certification credit for it.

Red Hat certifications are unique in the IT industry. While most IT product vendors offer certification tests based on cleverly worded multiple choice questions, Red Hat tests are all lab based.   This means anyone who wants a Red Hat certification must demonstrate knowledge of that system by setting one up in a lab according to test specifications.  The tests are challenging and very few candidates pass on their first attempts, even instructors who teach the courses.

Equipment problems in the Dallas classroom forced Red Hat to reschedule my certification test.  I scheduled mine for July in Chicago and failed miserably.  I improved in Chicago in October, but not enough to pass.

I knew what I did wrong and how to fix it, but the next scheduled test in Chicago was 6 long months away.   Two other test sites had openings on Nov. 22.  One was in Atlanta, the other in Ottawa, Ontario, Canada.  The Atlanta site is 16+ hours away by car, the Ottawa site around 18 hours away.

I decided on the Atlanta site and planned to buy my seat sometime after Nov. 9 to maximize my credit card float.  But the Atlanta seats filled on Nov. 8, leaving Ottawa as the only available Nov. 22 choice.

Ottawa presented a logistical challenge.  Trips from the US to Canada require a passport and mine was expired.  Minneapolis has a passport office and I could renew my expired passport by bringing it in with an updated picture and $220.   But unable to find my expired passport, I had to start from scratch with a birth certificate from Idaho.  To get a copy of my birth certificate, I needed an official copy of another piece of paper documenting my legal name change back in 1978.  That piece of paper was buried in a vault and the only way to get a copy was a trip to the basement of the Hennepin County Government Center in Minneapolis, where the lady behind the counter said she would order it for delivery the next week.  In a miraculous sequence of events, the process accelerated and by Monday, Nov. 18, I stood on the steps of the US Passport office in Minneapolis with a new passport in hand.

Only one logistical challenge remained – sign up for the test in Ottawa.  But now, after spending hundreds of dollars and watching a logistical miracle unfold around my passport, all the seats in Ottawa were full.   I called Red Hat and talked to Lauren with the training group.  Lauren orchestrated another logistical miracle to add an extra seat, and I reserved my seat in Ottawa a few hours later.

Now the real work – prepare for the test, travel to the site, pass the test, and go home.  Air travel cost between Minneapolis and Ottawa started at roughly $1050, confirming my decision to drive.  The test was Friday morning, so I was on the road from Minneapolis by 4:45 AM Central time Thursday.   I arrived at the Stardust Motel on Carling Road in Ottawa at 11:15 PM Eastern time, 17 1/2 hours later.

Canadian customs officers have ultimate power at the border and can deny entry to anyone they want for any reason they want.  My trouble at the Sault St. Marie border crossing started almost immediately as I rolled down my car window and handed a lady in a little booth my passport.

“And what brings you to Canada today?”

“I’m taking a test.”

“How long do you plan to be in the country?”

“Overnight”

“And where is this test?”

“It’s in Ottawa.”  (I think alarm bells started going off her head.)

“Let me get this straight.  You’re driving all the way to Ottawa to take a test, then you’re turning around and going home?”

“Yes, that’s right.”

“You are aware that Canada is a sovereign country, right?”

“Uhm, Ok.” (Not sure where she was going with this.)

“And you know Ottawa is 11 hours from here, right?”

“Well, Google maps tells me it’s about 9 hours, but OK.”

“So why are you taking this test in Ottawa?”

“Because the site in Atlanta was full.”

“What is this test anyway?”

“It’s for advanced Linux system administration.”

“Advanced what?  Why are you traveling to a different country just to take a test?”

“C’mon, What foreign country?  This is Canada. We’re friends. ” (Note to self – Canadian customs agents apparently don’t like appeals to friendship.)

“When was the last time you visited Canada?”

“Uhm, well, I guess it’s been a while.  Why?”

“OK, you need to park right over there and go inside for more questioning.”  (Uh-oh. This can’t be good.)

She directed me to a parking spot where several people in uniforms waited to escort me inside.

One of my escorts asked me what documentation I had to prove I really was going where I said I was going.  Thinking about it, I only had some emails.  I could open them on my tablet so I brought it in with me.  Maybe the emails would satisfy them.  I’ve been to former communist countries with less hassle.

I watched car after car after car easily cross into Canada while I slowly walked inside the building, flanked by uniformed guards as the clock and my upcoming night’s sleep ticked away.  Walking in the building, I saw 5 more people in uniform behind a counter on my right laughing about a video on a computer screen.  They sent me to the farthest counter, where a fat, gruff, balding grey haired man in uniform talked to a group of three people. As I approached the counter, he ordered me to step back and sit down at a table and wait.

“They told me to go to this counter.”

“And now I’m telling you to sit over there and wait.”

“If it’s all the same to you, I’d rather stand and stretch if I have to wait.”

“Suit yourself, I’ll be back after a while.  Don’t come up here until I tell you to.”

And then he left with the three people trailing.  I stretched my legs and back, stiff after 9 hours of driving so far that day, thinking about the 9 additional hours still to come and the clock ticking while I waited on the Canadian government.

The officers watching the comedy video barely looked up.  I asked one if he could take care of whatever it was I needed to take care of and he said no, that guy was the only one who could do it.  My only option – cool my heals and wait.

I needed to pee.

After a few minutes, Mr. Authority returned, motioned me up to his counter and asked me what was going on.  I gave him my passport and then made my next mistake.

“The lady outside hassled me and told me I need to come in here and take care of it.”

Major mistake. And then I made it worse.

“She didn’t hassle you.  You said you’re here for work so she sent you in here. That’s what she’s supposed to do! Do you think we just let anyone in our country who wants to come in?”

Dumbfounded, I said, “I see at least 10 cars out there and they’re all flowing right through.”

“THEY’RE ALL CANADIAN CITIZENS AND THIS IS A SOVEREIGN COUNTRY!  SO HOW ABOUT I DON’T LET YOU IN THEN? YOU JUST CAN TURN AROUND AND GO HOME, HOW DO YOU LIKE THAT?”

I wanted to walk outside and survey the license plates on those cars passing through the border, but a little voice in my head told me to shut up before I got myself into more trouble.  This guy controlled what I needed and I had nothing he wanted.  He had all the power and I had none.  He was the master and I was a dog.  Time to become meek and beg for mercy.

“I wouldn’t like that at all. I’ve been up since 3:30 this morning.  I just want to get where I’m going, take my test and go home.”

“WAIT RIGHT HERE.”

He took my passport and disappeared into a little back room. He came back out a few minutes later.

“Ever been convicted of a crime?”

 I was about to say “speeding tickets”, but my literal answers had already gotten me into trouble.  Speeding isn’t a crime anyway.  So I answered, “No.”

“Ever been denied entry into any country?”

“Not until right now, no.”

“Show me this proof you’re taking some sort of test in Ottawa.”

I showed him one of the Red Hat test confirmation emails and he said, “That doesn’t say it’s in Ottawa. What else ya got?”

“Uhm – well, here, take a look at this email.” I brought up an email thanking Lauren for opening the additional the seat for me.

“I never heard of any company named Red Hat.  What do they do?”

“They’re a software company.”

“Where are they?”

“They’re in North Carolina and they have offices all over the world.”

He looked me over one last time.

“OK, I’m going to let you in. BUT YOU NEED TO WORK ON YOUR ATTITUDE!”

“Thank you.”  (resisting the urge to further express my feelings.)

“Go give this paper to those two standing over there and be on your way.”

“Thank you.”

I still had to pee, but not bad enough to ask anyone here to use a bathroom.  As the uniformed guards escorted me to my car, I asked if any of them wanted to search it.  They said no and I drove away.  Welcome to Canada, eh.

I passed the test.  I’m now a proud holder of a Red Hat Advanced Linux System Administration Certificate of Expertise.

Total cost – $480 for the November test, $480 for the October test, $2800 for the original training and test, about $400 for the passport and required paperwork, 4 trips to the Minneapolis passport office and Hennepin County Government Center, around $1000 for travel costs for the training and test trips, 36 hours behind the wheel for the round trip to Ottawa, $40 per month for upgraded cell phone service in Canada and Mexico, sore legs and back, and a lesson in humility from some Canadian border agents.

Hopefully it was worth it.

(Originally posted on my Infrasupport website in Nov. 2013.  I backdated it here to match the original posting.  At the time of the original posting, my one person company was a Red Hat partner.  I am also now a Red Hat employee.  Everything in this post is my own opinion and may not reflect what anyone at Red Hat thinks.  Life goes on.  That test I worked so hard to pass back in 2013 is now obsolete.)

www.healthcare.gov – A Classic IT Disaster

My family is OK with health insurance coverage for now and I live in Minnesota, which has its own website for navigating the local healthcare marketplace, so I don’t need to deal with the US healthcare.gov website to find health insurance. But I was curious after looking at the news the past several days. I find it amazing that an Internet website generates front page newspaper and breathless TV coverage and I wanted to see what the fuss is all about.

My wife’s sister and her husband live in Indiana, so I wondered how health care coverage would look in their state and county. Navigating the website was straightforward and I found a few sample plans and pricing. The prices looked high, but each page boldly displayed caveats that the prices displayed were probably high and lower prices were most likely available by filling out a real application.

The website also mentioned a worksheet called the Kaiser Family Foundation health insurance cost and savings calculator and provided a helpful link. Answer a few quick questions using this worksheet and the website promised to generate more accurate price estimates.

So I followed the link and came to a page with some helpful explanations. So far so good.

When I clicked Next, presumably to start answering those few quick questions, a popup window with red text and yellow background popped up that said,

Please review your answers on this page,
there was a problem with one or more of
them.

This question is mandatory.

I would love to fix my answers, but this page had no questions.

In less than 5 minutes, I found an obvious programming bug by taking a path through this website that any typical user would follow. Here is a screenshot, [This link is no good – see my Infrasupport blog post about how I recovered from my own IT disaster, here.] reduced in size to 50 percent to capture most of the page. Notice the popup message at the bottom about answering questions, but the page only has explanatory text. There are no questions to answer, but the website will not allow me to navigate away from this page without answering its nonexistent questions.

Now I see what the fuss is all about. If I stumbled across such an obvious bug in less than 5 minutes without even trying, what other bugs are lurking beneath the surface? Current news reports suggest this website is full of bugs, performance issues, and inaccurate information. After my experience, I believe the reports.

The consequences are predictable. Politicians with no IT experience beyond using Facebook and smartphones are screaming, and VIPs across the government with no IT experience are trying to hold other VIPs with no IT experience responsible for this mess.

Where have I seen this before? Perhaps with every big IT project ever conceived since the dawn of big IT projects? Why would any IT veteran be surprised this one has serious problems? This project has all the classic elements: A lofty goal at the beginning, political maneuvering among potential contractors for development money, squabbling constituencies during development, major changes in design and function throughout the process, no time for serious testing to meet a looming deadline, nobody in overall charge of the effort, and a search for scapegoats at the end when the project fails to meet expectations. And in a classic and insulting knee-jerk response, our most senior and clueless Executive Branch officials now promise us they’re bringing in the A-team of “experts” to fix it all.

The stakes are indeed high. By United States federal law, and affirmed by the United States Supreme Court, we Americans are forced alpha testers for a new piece of technology over which we have no control, and if the technology fails, we pay a fine. I see attorneys building entire careers from the lawsuits this debacle will generate.

The quick fix President Obama promises will not happen for many reasons. First, as a few grizzled IT veterans constantly remind me by metaphor, the calendar time for a 9 month pregnancy cannot be reduced by finding 9 people to each work one month. In IT terms, a pregnancy project only achieves its goal if one person does all the required tasks during 9 consecutive calendar months because the output from earlier months provides the input to later months.

Software development is not war and the Obamacare surge metaphor comparing this project with the wars in Iraq and Afghanistan is a load of BS. Adding more programmers does not necessarily improve development time because at some point in any software development project, adding more labor becomes counterproductive. Even if they are “experts”. When the United States Federal government sends in their newly found “experts”, these new people will first climb a learning curve before becoming productive, and will then face the same project dependencies and constituencies as the earlier, presumably less capable team that came before them.

President Obama’s proposal to fix healthcare.gov is like proposing new tires for the car to fix a broken engine. It’s nonsense.

Beyond rookie programming errors such as the one I found, the problems are fundamental. The real fixes will depend on all players cooperating and agreeing to a reasonable set of specifications. No matter how many “experts” our Government brings in, these experts have no power to persuade or coerce all the unrelated parties to work together. Consider:

  • insurance companies with no incentive to cooperate with government contracted software developers,
  • a federal government filled with too many high officials with too many big egos and too many new and brilliant half-baked ideas,
  • millions of users trying to use the system on the front end while developers scramble to fix bugs on the back end,
  • and nobody in overall charge,

and the result is a recipe for continued failure.

Future historians may well declare the new healthcare.gov effort as the biggest, most spectacular failure in the history of IT projects.

(Originally published on my Infrasupport website.  I back-dated here to match the original publication date.)

A new level of malware sophistication

I woke up today around 4 AM when one of our cats jumped on my stomach.  By now, it’s a pounce and jump operation because he knows if I catch him, I’ll throw him across the room and bounce him off a wall.  So he pops up from the floor to the window pane, pounces on my stomach from above my head, then flies off the bed, all in less than one second.  It’s an effective technique to wake me up, not so good to persuade me to feed him.

Some days, I really don’t like cats.

Since I was awake, I staggered out to the other room to do some computer work.  As I sat down in front of this Windows 7 system, I saw a window on the screen that made my blood run cold.  There, right in front of me, was a window telling me this computer had several virus infections and a “click here” button to clean them all up.  I lost count of the number of fake AV systems I’ve cleaned over the years, but this one was right here at home.

Fake AV, or fake antivirus, is a great scam.  Here is how it works:  Vicki the virus author decides she wants to make some illicit money.  So Vicki writes an evil program that pops up a window on a computer screen with an alarming and official looking message about dozens or hundreds of viruses found.   But the whole thing is a lie, designed to entice naïve users into giving up sensitive information.

Vicki will probably craft her program to display a reassuring ”Click here” button with a promise to make it all better.  When the user “clicks here”, her program will probably prompt for a credit card number, with the promise of a $24.95 download to take care of all the problems.  When the user enters the credit card number, the program will send the data back to Vicki, and Vicki can either have a great shopping spree at the credit card holder’s expense, or sell the credit card number in an underground market.

Vicki’s program may also leave behind a key logger or other malicious software designed to track user mouse clicks and keystrokes and send the results back to Vicki.  Vicki can mine this data at her leisure, stealing anything of value she wants.

It’s serious business.  If you “clicked here” for one of these programs, and especially if you gave a credit card number, stop reading this right now, call your credit card company, and cancel the credit card.   Also call your other credit card companies and your bank and sign up for a credit watch service.   Pull your computer off the Internet and have a trusted professional thoroughly clean it.  Don’t mess around with this – identity theft can make your life miserable for the next several years.

But Vicki has a distribution challenge – how does she distribute her evil program to millions of potential victims?  Enter many of today’s popular news, weather, sports, and gaming websites.   These sites make money by selling ads.  When a user visits, say, www.espn.com, that website will also download several banner ads from all over the Internet.   Those ads do not come from ESPN, they come from advertisers who pay ESPN.

So when you visit the ESPN website, you also visit several other advertiser websites who display their ads in areas ESPN assigns.  Any one of these can download programs to your computer for, say, displaying animation, touring the advertiser client products, or displaying a popup window claiming you have dozens of virus infections.   ESPN cannot possibly vet all its potential advertisers and must depend on the advertisers to keep their own websites clean.

I purposely picked on ESPN because ESPN had a well documented incident a few years ago, but all websites that sell third party ads have the same potential issue.  If any one of these ad websites are compromised, and that ad happens to display on your computer, your computer is in danger.  From the users’ point of view, it’s like a game of Russian Roulette.

From Vicki’s point of view, there are hundreds, maybe thousands of these ad websites.  Vicki only needs to find one with poor security so she can inject her program and make it act as an unwitting distribution point.

Vicki no doubt subscribes to an automated underground service that constantly probes these websites, looking for vulnerabilities.  When she finds an eligible candidate, she injects her payload, compromises the website, and sits back and waits for the credit card numbers to flow in.

Vicki’s evil payload eventually found its way to one of my computers when my wife visited an Internet game site the other day.

If you find such a program running on your computer, do not immediately shut down and reboot – this will generally trigger these programs to deliver their evil payload and they will own you after the reboot.  Instead, launch your Task Manager, find the offending process, kill it, find the offending program on your hard drive, delete it, then do a thorough virus scan using a reputable tool.  Or call me and I’ll guide you over the phone.

Curiously, this fake AV program was a little different than most.  This one claimed it was a Norton virus scanner and a quick trip into my Windows Task Manager found a process named nss.exe.  NSS.exe is, in fact, the name of the free Norton Standalone Scanner.  But in this case, it was an evil program pretending to be the real nss.exe.  I killed it and the fake AV window went away.

Next, I searched my hard drive for any file named nss.exe.  I found two occurrences, both in folders with Norton in the name, under C:\Program Files (x86).  Looking at these folders, I found dozens of .DLL, .exe, and other files.  This was definitely not a typical virus scenario.  Most directories containing malware programs have a single, hidden program with a random name.  This one was different – this one went to a lot of trouble to look like a real Norton installation.  The creation date for nss.exe was May 7, 2013.  The creation date for the directories I found were from July 28, 2013 at 5:39 PM.  The time as I write this is around 4:30 AM on July 30, 2013.

This gets even more interesting.   Looking at Control Panel…Programs and Features, I found references to two packages claiming to be Norton virus scan tools.  When I right-clicked and selected the “Remove” option, a new window popped up asking me if I wanted to install the Norton virus removal tool.  I also heard my hard drive rattle a little bit, suggesting to my paranoid mind this virus may have delivered its payload.

Nice try Vicki, but you failed to solve two problems:

  1. I never installed anything from Symantec or Norton on this computer, although it’s possible my wife may have done so.
  2. Even if somebody else installed this stuff without my knowledge, why would a removal option instead prompt me to install something new?

I think, with help from my wife,  I stumbled across a new variation on an old theme.  I’ll bet a zillion dollars, this is a particularly sophisticated fraud.  I think my hypothetical Vicki ripped off the Norton Standalone Virus Scan installation and replaced the main program, nss.exe, with an evil program of the same name.  It probably found its way to a compromised ad website, where my wife inadvertently downloaded it from the free Internet game site she likes to visit.

To be safe, I did a System Restore and restored that system to its state 4 days ago before the last Windows Update, or 2 days before the fake Norton installation.  After a reboot, Control Panel…Programs and Features no longer shows anything claiming to be a Norton product.  I deleted the offending directories and started up a full virus scan in another window using a popular tool named Malwarebytes.  The scan took one hour and 14 minutes to finish and I am pleased to report this desktop is clean.

With hindsight, I probably should have taken some screen shots and quarantined those directories so I could present it all in this blog post.   But, just like most users, this desktop is a tool and I need it up and running.  I didn’t think about documenting it all until after I removed it.

For my non-technical friends, the moral of all this?  Just like with your car, be on the lookout for unusual behavior.   If your car flashes the “Check Engine” light or exhibits unusual behavior, you look into it, right?  If your computer starts to act differently, you should also look into it.  Call me if the problem looks complicated.  You have important data inside that computer and believe me, you do not want criminals across the Internet messing around with your identity.

For my more technical friends, I think the malware arms race just ratcheted up a notch.  This looks like a new level of sophistication.  Watch out for variations on this theme as Vicki’s friends craft other pieces of malware to imitate other free virus scan products.

Vicki found the wrong user to mess with this morning.  Hopefully, you can also stop Vicki and her friends cold when their programs try to invade your computer.  Be vigilant.

(Originally published on my old Infrasupport website and backdated to match the original date here.)

Why “normal” people should care about IT

I did a presales call with a small dentist office a few months ago.  I have some dentist customers, so I’ve come to understand a little bit about how dentist offices operate.  But this office was, well, different.  The “server” was really an old, failing Windows XP PC tucked away in a dusty corner of an unused office.  Other workstations were in similar states of disrepair.  This office had a challenge – the receptionist’s brother maintained all the IT equipment, but he recently moved from Minnesota to Colorado and was no longer available to come onsite and resolve the latest emergency.

I promise – I am not making this up.

Apparently, nobody knew how to boot their “server” and they had to call the brother every morning to get the office up and running.  The process was generally to turn that central PC off and back on again and hope it booted. Once up and running, nobody was to touch it for the rest of the day.  Although PCs in the exam rooms had the ability to store a few patient updates locally, they all depended on this failing central repository to access historical patient data, including X-Ray images.  If that PC died, all the X-Rays and all patient data died with it.

The dentist/business owner said he knew he needed a server and we talked at length about setting one up.  Then I asked my key question:  “What happens if this PC you’re using as a server dies and you can’t access any patient X-Rays?”  His answer left me speechless.  “I don’t need computers to practice dentistry.”  The meeting went downhill after that, and this dentist office never returned another phone call or email.

I use that dentist as an example because, unfortunately, his attitude seems typical of so many business owners and otherwise intelligent executives.  Here is another quick story to drive the point home.  Several years ago, I was in a presales meeting at a bank to talk about IT security.  The banker proudly showed me the shiny new security audit report he undoubtedly paid a small fortune for and asked me to look it over.   I sat across the table from him, looked over the report, and commented it covered the bank’s website pretty well, but where was the section about the bank internal IT operations?  His reply – “Thanks for coming over” and he quickly hustled me out the door.  To this this very day, I don’t know what nerve I touched.  But I have some theories.

I think IT is boring for most “normal” people.  Most people don’t care about what DHCP servers do or the difference between 1 gb and 10 mb.  Some bankers probably never stop to think about the difference between their internal operations and public facing website.  At least one dentist never took the time to think through what would happen if all his patient records disappeared.   And because IT is boring and “technical” and costs money, it must be at best a necessary evil.  For most business decision makers I’ve met, IT is not an asset to be maintained and enhanced, IT is an expense to be minimized.

This is a shame.  Consider:

  • medical and dental clinics, who keep patient data inside a server instead of a large room full of paper files and film X-Rays.
  • transportation companies who can keep images of millions of invoices and other paperwork inside a computer network instead of whole buildings filled with file cabinets
  • email and the world wide web
  • automated airline check-in systems
  • online banking
  • and thousands or maybe millions of other applications we take for granted today.

What would happen if we turned all those off?  Think about a bank branch without access to the central databases.  Think about an airline without the automated ticketing and check-in systems we’ve become used to using.  Think about cutting off access to email and the world wide web.  Think about a dentist trying to run a modern office without access to computers and historical patient data.

If you are a small business owner, here is a challenge.   Turn off your servers and computers for one day and try to run without them.  Observe the chaos that will surely follow.  Try to calculate the lost revenue from all the customer service disasters that will happen.  Try to calculate the increased cost when everyone has to operate manually, with no access to any data.

I dare you to take up these challenges and send me some comments about your experience.  And then, let’s have a conversation about how to protect your critical assets and how you can use IT to at least gain competitive parity and maybe a competitive edge versus your competition.

(I originally published this in my old Infrasupport blog on May 30, 2013.  I back dated it here.)

Computer Whodunit Detective Story – the Conclusion

In part one of our computer detective saga, the story opened with a few users unable to access their emails. Similar to a Hollywood detective story, we followed the clues through several unexpected twists and turns, with each clue answering questions and generating new questions.  Continuing in the style of great whodunit detective mysteries, we eventually uncovered the culprit, a rogue DHCP server.  This changed everything.

And now the conclusion.

DHCP – Dynamic Host Control Protocol – is the reason we can connect our laptops and tablets and smartphones to the Internet.  DHCP servers assign all the attributes our devices need to enable communications.  Think of the Internet as similar to the telephone network, but with one important difference.  In the telephone network, your phone number stays the same no matter where your phone travels. On the Internet, an IP Address defines your device.  But unlike phone numbers, IP Addresses change, depending on where your device is located.  That’s why we need DHCP servers, to assign IP Addresses and other attributes to devices when they attach to an office network or the Internet.

Here is how DHCP works.  When you connect your device to a network, your device sends a broadcast to anyone on the local network who will listen.  It’s essentially a cry for help.  (Help!  Load me with what I need so I can talk to the world.)  The DHCP Server listens to the broadcast and downloads an IP Address and other attributes to the requesting device.  This is called an IP Address lease, and the lease expires after a settable amount of time, called a TTL (Time to Live).  Once the device acquires its IP Address lease, it can interact with the world.

DHCP is a thing of beauty when set up properly and works so well, only a few hard-core IT people think about it anymore.  Except when things go wrong.  And one of the worst things that can go wrong is a rogue DHCP Server wreaking havoc on the network.  When this happens, random devices get the wrong attributes and lose all ability to communicate.  Depending on how long the lease TTLs are set, sometimes the passage of a few hours can cure the problem, or sometimes make it worse.  The problem can “hop” from device to device as leases expire and new leases come online.  Sometimes devices can end up with duplicate IP Addresses that come and go and interfere with communications.  This can be maddening to troubleshoot.

The usual culprit in an office network is a wireless router somebody brought in from home.  This happens all the time as end users decide they want to build their own private wireless networks, but don’t think about the consequences to everyone else as their wireless router hands out home IP Addresses to random devices across the company network.

Obviously, the cure for a rogue DHCP server is to find it and get rid of it.   The challenge is how to find it?

Enter structured cabling.  Essentially, a structured cable plant runs network cables from stations all over the building to a central patch panel in the server room.  Each cable is labeled, preferably with the labels on both ends of the same cable matching.   All buildings should have a structured cabling.  Unfortunately, many don’t.  Fortunately, this one did.  And that proved to be a tremendous aid finding my rogue DHCP server.

Instead of walking the entire building and looking for a device that looked out of place, I set up a laptop near the patch panel and assigned the laptop a hard IP Address to fit the rogue DHCP server scheme.  After warning everyone their network connections may be disrupted briefly, I set up the laptop to continuously ping the rogue DHCP server IP address while I disconnected and reconnected each network cable.

The idea – one of those cables had to lead to the rogue DHCP server.  I would find the cable leading to my rogue DHCP server by watching for pings to stop responding when I disconnected that cable.  Once I found the correct cable, I could walk to the other end of that cable with a hammer and put the rogue DHCP Server on the other end out of its misery.

I eventually found it, chased it to the other end of the cable, and disconnected it.  It turned out, my friend James brought in a wireless router over a weekend to help with some work he needed to do.  He forgot to disconnect it and that was why my users started complaining on Monday morning.

The moral of the story?  These things happen and that’s why good troubleshooting techniques are invaluable.