Mythic Monday – Immortality

Stories about immortality and the quest for it abound in literature.  You have kings trying to live on through their sons.  You have gods that must ritually die and be reborn so that the cycle of nature can continue.  And you have, in a few stories, the few humans that succeed in their quests.

Consider, for example, the Cumaean Sibyl who bartered her virginity to Apollo in exchange for everlasting life (not technically, but despite appearances, this isn’t a mythology blog).  However, she made a bit of an error when she forgot to also ask for everlasting youth, so she kept getting older and older until she eventually faded to nothing but a voice kept in a jar.

This is very similar to the story of Tithonos, who was granted immortality by Eos (via Zeus) but she also forgot to ask for everlasing youth, so he aged past senility and was locked away where he babbled to himself in an empty room.

(Stories from Metamorphoses 14 and the Homeric Hymn to Aphrodite).

What lesson is there here?  Clearly, there’s something for us all to learn about operating system virtualization.

Yeah, you heard me right.  Ovid and Homer* were clearly writing about the modern practice of virtualization.  Specifically, they were concerned about aging operating systems.

* Whether Homer actually wrote the Homeric Hymn to Aphrodite is debatable.

See, virtualization is wonderful, and it’s all the rage right now for some excellent reasons.  It allows you to fully leverage your hardware to capacity.  You can aggregate virtual machines on top of real machines and have them create a robust infrastructure.  If any hardware fails, all the little VMs can even skitter around like cockroaches as they find a working environment in which to live.  In short, we as IT admins have the power to make these machines live forever.  We are truly blessed.

But, as ancient mythology has informed us, with great power comes great responsibility (OK, so that bit is modern mythology).  We have the power to grant immortality to these systems, but we have to consider how we use that power.

After all, what purpose does death serve?  It allows new life to take hold.  It allows unfit life to go away.  From a technical perspective, this means that we have to let systems die to make room for new and more efficient systems to be built.  Also, and a bigger concern, we have to let the ancient systems die before they start to make problems for us.

Imagine for a second, a network that has a mix of Windows 2003, Windows 2000, Windows NT, Windows 98, RedHat Enterprise 3, IRIX, AIX and DOS.  Now, I’m sure you’re thinking “this is ridiculous, such a network doesn’t exist, no one would let that happen”.  Well, this describes the network I was working on a few months ago.  I’ve worked on live production networks in 2008 that used operating systems that were five to ten years old.  I’ve heard tales of systems that were running Windows 3.1, as production machines, into 2009.

Now stop for a minute and think ahead twenty years.  Can you imagine still supporting Windows 2000 in 2029? What about 2049?  We have the ability to grant these systems immortality, people.  It’s going to happen.

Sometime in 2020, you’re going to be working on the GoogleSoftwahoo TeleBlazinger running on Linux kernel 2.6.3492-23 and wondering why your network hypercloud is slow.  After launching numerous tools that allow you to trace network traffic in all four dimensions (five if you can afford the enterprise license), you’ll track the problem to an infected botnet of Windows 2000 systems running a ponzi scheme involving stolen credit card numbers.  You’ll try to refresh them from backup, to discover that they’ve been compromised for the last 19 years, and your backups only go back 15.  And, worst of all, there’s a legacy billing system that requires these machines, so you have to keep them running… forever.

You’ll stop, scratch your head, and think that virtualizing at the operating system level was the stupidest thing that we ever did.  And you know, you’d be right.

What it comes down to is how your organization is structured. If you’re building a virtual infrastructure, making brand new systems and setting hard deprecation dates for these systems, you’ll probably be OK.  However, if you are like many companies, and take the perspective of “just move the physical machines to virtualization and we’ll straighten it all out later”, I’m sorry to break it to you, but later is never going to get here.  There will always be another fire and another resource restriction.

We have think through new technology before we deploy it.  There is a tendency to only look at the benefits and costs in terms of dollars, not in terms of time.  A small gain in the present can be completely reversed and magnified by the flow of time.  Just as inefficiencies add up throughout the weeks and months, security problems tend to grow over time.  The longer you keep legacy systems around, the greater your risk grows.

If you grant immortality to these systems, they will just continue to age, until they will eventually be just another set of voices, hidden somewhere in the back of your network, babbling at your IDS systems pleading to be allowed to die.

Site Review – Flickr

For those that don’t know, you know, those of you have been under a rock for the last few years, Flickr is a photo sharing site.  It has numerous social media features which make it very easy to post your content, add it to groups, discuss it with others, etc.  It supports all types of cameras as well as files from applications like PhotoShop and PaintShop Pro.  They recently added the ability to share movies.

In short, it’s great.  I use it all the time.

But, like all systems, especially in the fancy 2.0 world, there is a risk assessment that you should consider.

Pros:

  • Easy to use
  • Free to low cost
  • Active community with which to interact

Cons:

  • Who owns your content?
  • How can you use other’s content?
  • How can others use your content?
  • How is your content backed up?
  • Are you at risk from social engineering?

Please note that copyright is a complicated thing and well outside of the scope of this blog.  For real questions, please see a lawyer.  However, I’ll be glad to answer my own fake questions, after all, it’s my blog, right?

Who owns your content?

Well, you do, of course.  You made it, it’s yours.  Yahoo even agrees. Oh, wait a minute.  The Terms of Service state:

Yahoo! Inc. (“Yahoo!”) welcomes you. Yahoo! provides the Yahoo! Services (defined below) to you subject to the following Terms of Service (“TOS”), which may be updated by us from time to time without notice to you.

So maybe it would be more accurate to state that “you own your content right now”.  Not exactly ringing with assurance, but it’s the best we can do.

How can you use other’s content?

Oh, this one is easy!  Each photo is marked as “All rights reserved” (meaning you can’t use it) or “Some rights reserved” (meaning, umm, maybe).  Flickr uses the Creative Commons to allow people to license their photos as they wish.  Luckily, they also provide an advanced search so you can find photos that you can use and alter for commercial use.

Of course, there’s nothing preventing a user from posting a photo that you can re-use and then changing the licensing AFTER you’ve used it.  Any idea how you could prove that it used to licensed differently?  I sure don’t know.

Also, what happens if a photo is licensed so that you can use it but the person in the photo never signed a release?  Is it usable?  Can you be sure?

How can others use your content?

OK, this one should be easy, right?  After all, you upload your photos and you set a license and you’re done.  Flickr does all the magic to make sure that people only use your photos the way you want, right?

Well, not exactly.  See, if you license your photo under any of the Creative Commons options, the original image is available to everyone.  In other words, they have to voluntarily agree to abide by the copyright.  If they don’t, you have to deal with that yourself.  Are you able to monitor all the images on the Internet to make sure that yours are being used according to your wishes?  I know that I’m not.

How is your content backed up?

This really isn’t known.  There’s no mention of backups in the terms of service, and there has been at least one high-profile issue involving backups.  In general, they should be safe, but you might want to consider other options.  Or, you know, just keep a copy of whatever you upload to them.

Are you at risk from social engineering?

Finally, once that can be answered definatively.  Yes.  You are always at risk of social engineering. The more interesting question is “How are you at risk from social engineering?”

Flickr allows you to post photos.  Odds are that these photos will be of people you know and places you’ve been.  You can tag these photos by location, put people’s names into them and otherwise release loads of information for the savvy social engineer.  They can take this information and use to develop friend and family graphs and identify themselves to you or one of your friends as someone who seems trustworthy, but isn’t.

Conclusion

Wow, that’s a lot of negatives.  Does that mean that you shouldn’t use Flickr?

Well, that’s a decision that you have to make on your own.  In case it helps you, this is the decision that I made:

I choose to use flickr because I like the community and because I want others to use my photos.  With the exception of people that have not signed a release, all of my photos are tagged under the Creative Commons to allow re-use but only for non-commercial use and if I am credited.  Also, since a great many of my photos are taken at zoos, I allow zoos to use my photos for free, even for commercial use, so long as they ask politely.

In short, I do not make much of a living directly off of my photos (though I’m working on some projects at the moment that may change that).  Rather than expend my energies pursuing and defending misuse, I choose to trust the majority of people to do the right thing.  I do, however, keep the originals on my systems and am prepared to defend my rights, should I become aware of a violation.

I do NOT use anyone else’s photos for a commercial purpose without their permission.  I do not consider accent and illustritive photos in this blog to be commercial use (as I make no money off this site), so I may use someone’s photo here or there.  However, I am very easy to get ahold of, and if anyone asks me to take down one of their photos, I’m easy to work with.

So yeah, it’s not exactly straightforward, but to me, it’s worth the risk.

Small Business Defense – Document Leakage

If my last post raised any questions for you, this post will hopefully answer some of them.  As with many security topics, the issue is complex and this post will NOT give you all the answers.  Hopefully, though, it will help.

The first thing to look at is access.  In order for an attacker to get your data, they have to get on your network and somehow access the documents.  The more places that you keep your documents, the easier this is for an attacker to do.  If you put all your documents in a single place and prevent anyone from saving them anywhere else, you’ll be a bit better off.  (Odds are you won’t be able to keep them off your network, just so you know.)

However, this will also make a nice place for an attacker to target, so you should control this storage location.  At a minimum, you should control access to the document repository by username and password.  If you can, it would be good to split up access levels within the repository so that the documents are grouped by type and only people with the business need to access those documents have the ability to do so.

Do not rely on the built-in password protection of the documents themselves. They can be broken.  (Also, please note, running random software off the Internet is unwise.  It may not work, it may do things other than what you expect, it may give an attacker the very files you are trying to protect.)

If you are somewhat technical or have a technical consultant helping you, you may want to implement an encryption mechanism to protect your documents.  This is highly complex and hard to do right, but it can help more than almost anything else you can do.

Once your documents are all in one place and reasonably protected, stop and think about what to do if someone does access and misuse the document.  Are all of your sensitive documents clearly marked?  Are you certain that the law will protect you if they’re not?  (Sometimes it doesn’t.)  Would marking the documents as “sensitive”, “secret” or “proprietary” just give attackers something to search for?

Hmm, what an interesting problem.

What many companies choose to do is to classify information based on it’s security level. There are different ways to do this, but all of them start with the question “what’s the most important and/or damaging information?”  Once you can group your documents by risk, you stand a chance of protecting them.  Then you can write a document classification policy and start looking at tools to implement it technologically.  These steps are beyond the scope of this post, but your legal and technological contacts can help you with that.

Lastly, I should mention that the easiest data to protect is data that isn’t there anymore.  You might want to read Brett Trout’s post on document retention policies.

Small Business Attack – Type of Data: Office Documents

How many of you use Microsoft Office?  OpenOffice.org?  KOffice?  AbiWord?

I’ll bet you’re all raising your hands right now, right?  We’ll put’em down, you’ll want to hit scroll at some point.

What do you know about these files?  Did you know that many of these files track changes?  In other words, if you redact certain things or change data, that a clever attacker can open the file and revert it to what it used to be?  It happens.

Do you know what kind of data is stored in these documents?  financial dataEmail addresses? Trade secrets? Passwords?

(The above links go to Google searches.  There is no guarantee what Google may find when you search on certain things.  If you access information that you shouldn’t, saying “but it was on Google” may not be a good defense.  Remember rule number one of security is don’t be stupid.)

If someone wanted data from your company, where would they go to get it?  Is there any one thing (say, a spreadsheet perhaps) or location (hmm, shared drive) that might be particularly tempting to an attacker?

If you get a virus or spyware infection on your computer, might the person who wrote it be able to access all the documents that you can access?

How are you protecting your files?

Security lessons from Nature – Genetic Tricks of Parasites

Let’s start this one by utterly ignoring the negative connotations of the word “parasite”.  It is a perfectly valid form of life and has proven to be highly successful in nature.  So, in other words, there’s nothing wrong with being a parasite… you know, if you happen to be one.

This news from from the journal Nature Genetics and is summarized here.  In a nutshell, they’ve found that parasitic life forms tend to have fewer genes than non-parasitic life forms.  Why is this interesting?

Well, it means that creatures that are dependent on other creatures can simply drop the bits of themselves that they don’t need.  However, dropping genes is a lot easier than gaining new ones (usually).  What does this mean to you?

It’s interesting to compare this to business models.  While no company exists in a vacuum, different companies do have differing levels of self-sufficiency.  For example, a full service IT company can do many things themselves.  They may use the products of different companies, but generally speaking, they are dependent on none of them.  If one branch of their business were impacted by a change in the market, they could just focus on another.  This is good, but it does tend to make the company larger and less responsive.

Compare this to companies that only do one thing, but do it very very well.  Let’s take a hosting company as an example.  A hosting company is completely dependent on their bandwidth provider.  Sure, some of them use multiple bandwidth providers, but even in this case, the business model is parasitic (upon a genus or order of businesses, rather than just one species).  So, suppose that something happened to all but one of the sphenodontian businesses.    Our little parasitic business would be forced to work with the one remaining business to survive.

Suddenly, the reduced resource usage that parasitism allows for doesn’t look quite so appealing.

As with many things, it’s all about risk management.  You gain an advantage here, it’s often paired with a disadvantage there.  So, as you look at your business and consider where to make cuts or where to focus on your core competencies, just consider one thing:

How do reductions now reduce my options later?

Other Sites: Business, Photos/Conservation

Get the feed (RSS):



Josh More - Entropologist
Expert in removing chaos from
I.T. and business systems.