
Search Engine canned by CBC

Update(2008-06-20 15:39EDT): A. Alfred Ayache has started a Save CBC’s Search Engine group.

Search Engine is a show on CBC (link is here). I listen to this show quite regularly, and it is a great show. This particular episode featured an interview with Jim Prentice, the minister behind Bill C-61 (Canada's copyright bill).

At the end of the show, Jesse Brown announced that the show has been canceled. He didn’t use those words and tried to put a positive spin on it, but essentially that was the message. Another great show canned by CBC. I don’t know what is up with the CBC management, but some serious housecleaning is needed at the top I think.

Changing Blog Name

When I first set this blog up, it was just to see what blogging was like and whether it was useful. I don't blog for the sake of blogging, but I like the idea of having the things I find interesting or am working on in one place that is easily accessible and that I can go back to and reference if necessary.

Since most of my days (and nights) over the last few years have been dealing with tier 1 service providers around the world and their security, I figured it would mainly be based on those experiences and the security research that I do. I couldn’t think of a good name, so I picked the obvious ‘security’ — not very creative.

The problem with the title 'security' is that the blog is turning out to encompass more than just security. It has technical papers I have written, comments on things that I feel are important such as physical security and privacy concerns, and whatever else I want to write my comments on and track. I considered starting multiple blogs, but I have enough trouble keeping one blog, and often an issue in security starts with a technical paper, grows into a discussion about architecture, and then moves on to politics, law, etc. I want to be able to keep these things together.

With respect to technical security publishing, I am still working out what I can and cannot publish. Given the work we do and our customers, I have to be careful what I write about on the blog. Since I work for a company that relies on research to build products that assist our customers, I have to ensure that I won't expose our systems or our customers' systems in any way. That being said, my goal is to have either my research and articles published here, or at least comments on them and a reference to a publicly available version.

I wrote a blog post the other day and referenced 'Kaizen'. This seems like a good title to me, so I've switched the name of the blog. No big deal, but for anyone wondering why it changed, now you know. If you go to the old URL http://security.michaeldundas.com it will continue to work. That URL now goes to a web server that issues an HTTP 301 (Moved Permanently) response, which tells your browser the site has moved for good and redirects you to the new URL, http://kaizen.michaeldundas.com.

Phun

Completely not security related, but physics related. I've always liked physics and even managed to take a first-year physics course as an option while I was in university. A colleague of mine, Mou Mukherjee, pointed me to software called Phun, a 2-D physics sandbox. A YouTube video showing it being demoed can be seen here. Kind of cool. I'm going to download it and play with it when I get some time.

The network never lies

My title "The network never lies" might seem a little naive. It might be better to say "the network lies the least." That has been my experience to date. At my first real job I was working at a bank taking care of their Internet connections (this is going back 10 years or so). My manager there (probably my best manager, and by far the smartest manager I have had to date if you include technical understanding and abilities as well as political experience) would, time and time again, initially ignore the application logs and errors when solving a problem. He would take a look at them briefly, but if the cause wasn't obvious in the first few minutes, he would pull out the network analyzer. He'd pull back some packets, take a look, and in a few minutes say "there is the problem." Sure enough it was, and often it was completely different from what the error messages in the application or the logs were showing. He said to me one time while working on a problem, "The network never lies."

Now I may also be a bit biased, as my background is networking and I've worked with networks for a long time (SNA, Novell, and IP). Regardless of the type of network, I find the same thing: by simply using Wireshark or another packet analyzer you can save a lot of time solving the problem.

Case in point. A friend of mine has a law office with about 15 employees. Years ago she was in a bind with a really bad consulting firm, and being friends she asked me to assist. I redesigned her network, as well as her applications, security, permissions, etc. Basically the entire network, servers, and applications. The office is completely paperless and has been for about 7 years now. Unfortunately, most legal applications require Microsoft proprietary servers and databases, so although there is some Linux in the environment it is minimal. Recently a new large server was purchased and the environment was to be totally upgraded and placed on the new server. The new environment includes VMware, as well as the latest Microsoft products.

During my holidays, I have been leading the charge to properly get the new system set up, data migrated, backups working, security in place, etc. One of the first steps was to set up a new Active Directory domain controller and have it take over the FSMO roles from the old one. Creating the new domain controller and joining it to the existing Active Directory instance was trivial. Attempting to migrate the FSMO roles, however, caused multiple failures with misleading error messages. These errors led to hours of searching for the error messages on Google and Microsoft support sites, and reading forums on the problems and causes. Most solutions turned out not to work, or addressed something that was not the actual problem. Most of the error messages presented by Microsoft were not even close to what the real problem was. Frustrated, I started Wireshark and captured a trace. Lo and behold, a DNS query for some long weird string was failing. The long string turned out to be a GUID. I entered it manually and presto, the FSMO roles migrated with no issues. Why a GUID? Why not just a server name? No, no, that would be too simple; let's make it complex?!?!
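The failing query above is the kind of thing a packet trace shows you immediately and the application error never does. Active Directory registers two GUID-based names under the `_msdcs` zone: a CNAME `<NTDS Settings objectGUID>._msdcs.<forest root>` for every domain controller, which replication partners (including the FSMO transfer) use to find a DC by identity rather than by host name, and an SRV record `_ldap._tcp.<domain objectGUID>.domains._msdcs.<forest root>`. The script below is an added example, not part of the original post: it takes the tab-separated field dump that `tshark -Y "dns.flags.response == 1" -T fields -e ip.src -e dns.qry.name -e dns.qry.type -e dns.flags.rcode` produces (those are real Wireshark field names), keeps only the responses with a non-zero rcode, and explains which AD record each failed GUID name corresponds to. The four sample lines, the `corp.example` forest name and the GUIDs are constructed for the example.

```python
"""Triage failed DNS lookups from a tshark field dump and explain the
Active Directory _msdcs names that appear as raw GUIDs.

Assumed input (constructed sample below, not a real capture):
  tshark -r trace.pcap -Y "dns.flags.response == 1" -T fields \
      -e ip.src -e dns.qry.name -e dns.qry.type -e dns.flags.rcode
"""
import re

_GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# <NTDS Settings objectGUID>._msdcs.<forest root>: the CNAME every DC
# registers so partners can reach it by GUID (what the FSMO transfer resolves).
DSA_CNAME = re.compile(
    rf"^(?P<guid>{_GUID})\._msdcs\.(?P<forest>\S+?)\.?$", re.I)
# _ldap._tcp.<domain objectGUID>.domains._msdcs.<forest root>: SRV record
# used to locate a DC for a domain by its GUID.
DOMAIN_SRV = re.compile(
    rf"^_ldap\._tcp\.(?P<guid>{_GUID})\.domains\._msdcs\.(?P<forest>\S+?)\.?$", re.I)

RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE = {1: "A", 5: "CNAME", 28: "AAAA", 33: "SRV"}

# Constructed sample: one healthy locator lookup, one ordinary host lookup,
# and two GUID-based lookups answered NXDOMAIN (rcode 3).
SAMPLE = """\
10.0.0.5\t_ldap._tcp.dc._msdcs.corp.example\t33\t0
10.0.0.5\t5f2a9c1e-7b3d-4e8a-9c1d-2f6b8a4e7d10._msdcs.corp.example\t1\t3
10.0.0.5\tolddc.corp.example\t1\t0
10.0.0.5\t_ldap._tcp.3e1d7a90-12ab-4cde-8f01-abcdef123456.domains._msdcs.corp.example\t33\t3
"""


def classify(name: str) -> tuple:
    """Return (kind, hint) describing what a queried name is used for."""
    m = DSA_CNAME.match(name)
    if m:
        return ("dc-guid-cname",
                f"CNAME for the DC whose NTDS Settings objectGUID is {m['guid']} "
                f"in zone _msdcs.{m['forest']}; confirm the record exists and "
                "points at the intended DC host name")
    m = DOMAIN_SRV.match(name)
    if m:
        return ("domain-guid-srv",
                f"SRV locator for the domain with objectGUID {m['guid']} "
                f"in zone _msdcs.{m['forest']}; the DC's netlogon registration "
                "normally creates it")
    if "._msdcs." in name.lower():
        return ("msdcs-other", "other AD locator record")
    return ("plain", "ordinary host lookup")


def parse_line(line: str) -> dict:
    """Split one tshark field line into a record with decoded type and rcode."""
    src, name, qtype, rcode = line.rstrip("\n").split("\t")
    return {"src": src, "name": name,
            "qtype": QTYPE.get(int(qtype), qtype),
            "rcode_num": int(rcode),
            "rcode": RCODE.get(int(rcode), rcode)}


def failed_lookups(text: str) -> list:
    """Return only responses with a non-zero rcode, annotated with classify()."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["rcode_num"] == 0:
            continue
        rec["kind"], rec["hint"] = classify(rec["name"])
        out.append(rec)
    return out


if __name__ == "__main__":
    for r in failed_lookups(SAMPLE):
        print(f"{r['src']} {r['qtype']:5} {r['rcode']:9} {r['name']}")
        print(f"    -> {r['hint']}")
```

The same triage can be done live in Wireshark with the display filter `dns.flags.rcode != 0`; the script simply makes the GUID names self-explanatory so the next step (checking the `_msdcs` zone for that record) is obvious without another round of searching error codes.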

In my line of work, I am constantly told by software engineers things such as "Look at the logs", "What is in the database?", "Why do you need to know that?", "You don't need to see that information", "You don't need tcpdump", and other similar lines. I of course always disagree with them, which I suppose frustrates them. The approach above always seems to work, or at least greatly reduces the time to solve a problem. "Look at the network" is the lesson from years ago that I am reminded of time and time again.

Now maybe I am a bit biased. My background is networking and security. I've always liked networking and my understanding of it is pretty good. I would suggest, however, that applications, subsystems, and kernels need to be smarter about logging errors, especially in the Microsoft world. They should always have the ability to easily turn on a debug mode without having to go into the registry, flip a bit in hex, and reboot, or some other complex sequence of events. And why is everything in the Microsoft world so interdependent? DNS is required for Active Directory, and it has to be Microsoft DNS unless you do a lot of work to use a different DNS server. Microsoft Exchange requires the IIS web server to be running? It's like one big monolithic interdependent system design. I guess I am digressing, and this is a different topic for a later time.

Moral of my story is: The network never lies (for the most part anyway), and Wireshark or a packet analyzer is a good friend when it comes to solving application problems.

Hacking the Emergency 911 system

My wife and my 'non-security' friends think I am too paranoid. According to them, I overreact to simple situations and am too cautious. I'll admit there may be some truth to that, but this is a perfect example of why I respond this way. A family is sound asleep in their home. The husband hears what he thinks is a robber outside. He grabs a kitchen knife and goes out to investigate. He is met by a SWAT team that has surrounded his house. He and his wife are handcuffed. They are released when the police determine that there is no kidnapper holding them at gunpoint in their house. Why did the police think that was the case, you ask? Someone hacked the 911 emergency system and placed a call that appeared to come from that house, saying they had a gun, had already murdered one person, and were going to shoot others.

I don't think the police did anything wrong or overreacted, but it could have gone badly. The husband could have been shot by an officer reacting without thinking, out of inexperience or fear. The simple answer is "well, he should have just called the police and not investigated himself." Although that may be true for this particular circumstance, there could be other circumstances where it is not that simple. Do you call the police as soon as you hear a noise? I don't. I usually grab my kali sticks and go take a look. You can't burden the police with every single issue without checking how serious it is first. If everyone called the police as soon as they heard a suspicious noise or saw suspicious activity, the system would break down and the bad guys would win, because the police would be constantly busy answering false alarms. In my city, if I call the police for a noise that turns out to be nothing, they will actually fine me.

Six months later they finally caught the person who did this. Hopefully I am just being my paranoid self, but I fear this is a small sign of things to come: too many things hooked up by networks and computers, and not enough time, money, and expertise spent on actually securing those systems.

Internet Map

A colleague of mine had a reference to these Internet maps on his blog. I thought it was cool, so I am adding it as well. They use data from the DIMES Project to map the Internet. We were chatting about the sample sizes, as those could seriously skew the graph: if there are only a handful of DIMES participants in Australia, for example, versus many more in Europe, that would obviously affect how the graph looks. Still neat though.

Customer Service

This morning, I went into Starbucks to grab a Cafe Latte before going into work. This is not my normal routine, but I had to get a long-overdue oil change done on my car, and the garage was not open yet.
I ordered a Cafe Latte and a muffin. An issue came up and another employee came over to finish taking my order. I paid. When my drink came, the lady who took my order said "Oh, I'm sorry, I only charged you for a coffee, not a Cafe Latte." I offered to pay the difference, but she said not to worry about it and to have a good day. I was shocked! It was so nice to have a customer service person actually realize that the inconvenience to a customer of having to pay the difference was not worth the actual difference in price between the two items. What I found more pleasing was that the employee was actually 'empowered' to make that decision. Often the employees know this, but nowadays so many front-line employees are forbidden to make any decisions for fear of losing their job or some other punishment. "Don't think. Just follow the procedure!" It made my day. And I'll go back to that Starbucks.

Fridges in Toronto and security threats

A charity organization in Toronto called "The daily bread" placed fridges around the city of Toronto as a way to raise awareness of the less fortunate. The article in TheStar.com talks about the fridges and indicates that "Security personnel weren't impressed" .... umm, so what?

Who are these security personnel? The police, private security companies, CSIS? It doesn't say who they are. Even if the article did say which "security personnel", why do they care? Why is it bad? Why should people not do that? Come on people, let's think for a moment.

If bad people were going to plant a bomb, release toxic gas, or carry out some other awful 'terrorist' plot, do you think they would put fridges out in public, making it obvious that 'something is different'? Or do you think they would do it covertly, keeping it hidden and unremarkable so that no one would notice and the effect would be maximal? How have the terrorist attacks of the last 10 years played out? Obvious or covert? Threats like Operation Alberich, recently foiled in Germany, are the real threats we need to focus on, and smart investigative work by law enforcement is what uncovers them, not running around worrying about fridges. Unfortunately, these real operations take time and, for obvious reasons, are kept out of the public eye until they are close to being over.

How about doing some real investigation, finding out why the fridges were put there and what the point was? How about working with these types of organizations, so that when they decide to do things like this to raise public awareness they could actually give the "security personnel" a heads-up, knowing that the response would more likely be a logical, cooperative discussion than a flat 'No'?

Heck, the fridge doors were even rigged so they wouldn't latch and couldn't be closed, so no one could get trapped inside. I suspect the charity was even going to come back and pick them up, had the fridges not been interpreted as a 'security threat'.

We have to stop playing security to the lowest common denominator. We need some smart people to actually come up with and implement security that makes sense, not security driven by politics or by some business venture.

When off is not really ‘off’

definitions of ‘off’:
1. to a state of discontinuance or suspension [turn off an engine]
2. out of operation or effective existence

This has always bothered me. I turn my television off, yet the red light stays on. I turn 'off' my PDA, but always wonder whether it is really off. If the alarm is set, then when you turn it off it says "turning off till xx time". It can't be 'off', or it would not be able to turn itself back on.

I think that off should be off. I'd even go so far as to make it a legal requirement. When a device is in 'off' mode, then it is truly off: not processing, not checking for updates, off, just as if the battery had been removed. If this is not the case, then don't call it off; call it 'sleeping' or 'in standby' or 'power save'. 'Off' in these cases is wrong and misleading. I've heard the arguments that systems need to keep time, that the TV needs to be on to accept commands from the remote control, and other similar arguments for why it can't truly be 'off'. I'm OK with that. Just don't call it 'off'. It's not off.

The new Apple iPhone, when it is 'off', still syncs your e-mail, as one person found out when they received a $4800.00 bill from AT&T.

http://theinquirer.net/?article=42235

Personal LinkedIn Policy

Recently, I have been getting requests from people I do not know to add them to my LinkedIn profile. Although I am pleased that people are interested in connecting with me, many times I do not know these people. In most of these cases, I expect they do not know me either and have never met me, but are sending out connection requests based on some criteria that my profile matched. I haven't investigated this, and do not intend to.

As a personal policy, I do not add people to my LinkedIn profile whom I have not personally met and worked with. This isn't just meeting at a conference once or twice, or exchanging one or two e-mails. I want to be able to comment on the personality and work of everyone on that list. For me it is not an address book of my contacts (I have a contact manager for that), but rather a subset of contacts: individuals I have worked with on projects or research, or know very well personally.

Please understand, I am not trying to be difficult or unfriendly, but I always want to be able to know the people on my LinkedIn profile with a good degree of confidence and understanding.
