Thursday, May 15, 2014

Thank You Satya Nadella, for Saving the Internet... for a while

A while back, I asked if Satya Nadella was going to reverse MS's decision to stop publishing security patches for XP for free. I didn't get a call or email from Mr. Nadella, and MS did not change their overall plan.

That said, MS decided to release the big Internet Explorer patch and to include XP. This is a particularly big bug and would be devastating to the web if left unpatched.

I am curious how those who are paying millions for XP support feel about the rest of us getting this for free.

Thank you, Satya Nadella, for saving the web. I look forward to the next XP security update. I know you will do the right thing when the next big bug comes.

Friday, February 21, 2014

Tech Job Postings are Funny! Post 1 Amazon.com

I get a lot of recruiters emailing me, and I get job postings in my RSS feeds. Many of these postings are unintentionally funny, some are downright embarrassing, and some just leak a lot of information about a company.

I've decided to start posting some of these with commentary. The one that finally made this decision for me is from Amazon.com. A copy can be found here. I've added bold for emphasis.

The almost certainly illegal and super ageist posting title is what caught my eye: "Systems Engineer - AWS Simple Storage Service (S3) -University Candidate: May 2014 Grads Only".

It was the wonderful non sequitur of the job-experience requirements that really hooked me.

  • Experience running and maintaining a 24x7 Internet-oriented production environment, preferably across multiple data centers, involving (preferably) at least hundreds of machines.
  • Demonstrable expertise around specifying, designing, and/or implementing system health, performance monitoring tools, and software management tools for 24x7 environments.
  • Experience with very large distributed systems such as multi-terabyte storage farms, and/or horizontally scaled request processing fleets.

Sure, there are plenty of 2014 grads with expertise in the book sense, and maybe some even in a more practical sense, but really, how does a grad get to a place where their college and work lives intersect with a large 24x7 operation? Maybe I need to open my mind. Maybe Amazon wants a 12th-year senior who has been working in enterprise architecture while going to school at night? That eliminates the ageism too!!

Sunday, February 9, 2014

Will Satya Nadella Save the Internet on April 8th 2014?

If you have worked for Microsoft, or any huge company, this will be no surprise: Microsoft has many groups working against each other, or at least spending dollars in one department that could save or make millions in another. It’s not easy to align everything in a large company, especially when it has been run by the worst CEO in America for so long. Microsoft is regularly in the news “shutting down botnets” and doing other great pro-bono work to make the web safer. I applaud this!

Yet, in the core operating systems orgs, they have let Windows XP, still the second most used desktop OS, lag behind in security, and will stop issuing patches in April of 2014. There is nothing wrong with XP; even the MS page on its retirement makes it clear that they don’t have to support it, by law, so they won’t. There are no claims that it is not good or safe. I read it as, “There is no money in it for us, so we will spend the resources in a money-making area”. If you add no context, this is a totally rational business decision. I won’t pretend to have all the data on the financial and opportunity costs of patching XP and enhancing it. I have no idea how much money it costs Microsoft to fund the groups that take down botnets. I also don’t know who the users of XP are, but I expect they are those who can’t afford to upgrade. This may be due to the cost of the OS, lack of skills to safely upgrade, or, in the case of businesses, the sheer scale making an upgrade very expensive.

Figure 1 All OSs on the Web

Figure 2 Windows OS Breakdown

Here is what I do know. MS will continue to support Server 2003 until July 2015. XP and Server 2003 are mostly built on the same code base, so patching XP isn’t a complete diversion from their business. If MS stops patching the OS that is nearly 30% of the desktop market, XP will become the most researched and exploited OS on the web in fairly short order. The MS team that is taking down botnets will surely have their hands full then. Maybe MS thinks that the fear of no patches will finally get users to upgrade. In the case of the enterprise, I would think so. In the case of small businesses and individuals, I expect this to be a boon for little IT shops: removing viruses and selling cheap fixes like host-based firewalls, more anti-virus, anti-malware, and Advanced Persistent Controls.

Considering that Microsoft has zero legal or contractual obligations to improve or maintain XP, perhaps they can write off the cost of not turning the internet into an XP-infested, filthy virus zone. OK, intentional hyperbole aside, I vehemently urge Mr. Nadella to throw his predecessor under the bus and take up the cause of keeping XP healthy. This doesn’t just mean patching; it means a few basic enhancements that are needed.

OK, when I say “there is nothing wrong with XP”, I know it doesn’t have Address Space Layout Randomization, User Account Control, or many other benefits of post-XP OSs. Let’s not confuse the “need” for the next best OS with an actual need to get off a dangerous OS. I guess XP will be that OS soon, if Mr. Nadella doesn’t reconsider.

My in-depth focus on security is mainly around applied cryptography and identity management, so I welcome other suggestions in the comments. Below is my wish list for XP enhancements. 

Upgrade schannel. XP does not support Server Name Indication or TLS 1.2 with AES cipher suites. There are some patches for 2003 that add AES cipher suites, but TLS 1.1 and below remain vulnerable to BEAST attacks, as the added cipher suites use CBC mode. Make all these changes part of critical updates, not hotfixes. No one applies hotfixes unless they know about the issue.

Force stronger NTLM settings as part of a Critical Update, rather than simply issuing advisories.  Nobody reads the advisories; they apply patches and cross their fingers.

Saturday, January 11, 2014

Godaddy Asks People NOT TO USE ITS HOSTED EMAIL and May Not Even Use It Themselves

Disclaimer: Godaddy made me angry with a billing issue. This is what caused me to look into the value I get from them. While my language may be angry and inflammatory, the facts are not disputable. I have informed them about their messed-up SMTP TLS, but have not heard back.
Try to send secure mail to Godaddy-hosted addresses and their server will return this message:
Sample server certificate, do not use on production systems!
Maybe they are hosting customers’ mail on non-production systems. For additional irony, they are hosted in the domain secureserver.net.
farmtomarketcreations.com. 3600 IN      MX      0      smtp.secureserver.net.
farmtomarketcreations.com. 3600 IN      MX      10    mailstore1.secureserver.net.
Even more irony!!!! Godaddy doesn’t even use their own hosting for email; they use Microsoft!
godaddy.com.            3600    IN MX      0     godaddy-com.mail.protection.outlook.com.
OK, so this could be that they just use MS’s cloud anti-spam and then relay the spam-free mail into their systems, but I am dubious.
A quick word about SMTP and TLS. It is a great way to keep mail more secure because it does not require an end user to know anything, or even that it is there. It just requires mildly qualified techs to configure their mail servers correctly. TLS, done right, protects the message in transit from one mail system to the next.
Back to the hosting I pay for.  While the MX records do not change for my hosting, the corresponding A records change a bit, and multiple tests against the same IP render different results, in terms of TLS support. It appears they use technologies like global traffic management, round robin DNS, and load balancers, and every host was configured by a different incompetent tech.
Their MX records for both names seem to correspond to the same 4 IPs:
smtp.secureserver.net. 300     IN      A       72.167.238.201
smtp.secureserver.net. 300     IN      A       72.167.238.29
smtp.secureserver.net. 300     IN      A       68.178.213.37
smtp.secureserver.net. 300     IN      A       216.69.186.201
mailstore1.secureserver.net. 300 IN     A       68.178.213.37
mailstore1.secureserver.net. 300 IN     A       216.69.186.201
mailstore1.secureserver.net. 300 IN     A       72.167.238.201
mailstore1.secureserver.net. 300 IN     A       72.167.238.29
Here’s what CheckTLS shows me over a decent number of tests: never a score above 68 and never once a valid SSL certificate. Of 18 tests, two-thirds fail to even allow TLS.

So, let’s look at the hosts that do offer up SSL/TLS certificates. First, they send their root certificate twice, adding to handshake time and size. The root and SSL certs are both 1024-bit. We already covered the clearly stated “Do not use”. The SSL certificate is good for 10 years? At least it is not expired. :-P Crazy… Finally, the subject common name on the SSL certificate doesn’t match any of their server names. I guess they can’t afford certificates… Wait, isn’t Godaddy an SSL cert provider?
Certificate 1 of 3 in chain:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number: 2 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = Sample, Inc.
      organizationalUnitName  = IT Team
      commonName        = CA
    Validity
      Not Before: Nov 18 14:58:26 2010 GMT
      Not After : Nov 15 14:58:26 2020 GMT
    Subject:
      countryName         = US
      organizationName      = Sample, Inc.
      organizationalUnitName  = IT Team
      commonName        = Server
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (1024 bit)
        Modulus:
          00:f3:89:dd:43:f0:ad:84:1a:dd:f1:fd:2c:83:bd:
          ae:01:17:d8:ab:4e:02:f4:7f:85:0a:ec:70:5e:8b:
          19:69:78:6c:61:b8:82:5b:dd:e8:ea:48:23:6b:9f:
          68:80:76:67:34:d3:94:e7:a4:54:38:bb:72:c7:ba:
          da:cc:d6:cb:f8:6b:91:53:f2:be:44:61:9c:a0:64:
          d1:02:e8:df:5b:95:7f:ae:e3:82:d1:e7:2a:96:eb:
          53:9e:17:b3:f5:d9:d1:7a:ca:dd:74:1e:97:3a:44:
          54:5d:02:54:8d:f0:7b:85:39:9f:e9:a3:f3:e7:20:
          14:1d:58:c9:f9:0d:63:fc:d3
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Basic Constraints:
        CA:FALSE
      Netscape Comment:        
        Sample server certificate, do not use on production systems!
      Netscape Cert Type:
        SSL Server
      X509v3 Extended Key Usage:
        TLS Web Server Authentication
      X509v3 Key Usage:
        Digital Signature, Key Encipherment
  Signature Algorithm: sha1WithRSAEncryption
    38:d1:85:a8:51:8c:1b:04:a5:95:39:19:7c:6e:38:f6:e8:ef:
    27:23:40:17:11:ba:bc:7a:0c:be:39:ee:f4:2b:8d:5c:5d:dd:
    c4:ea:54:e1:d9:fd:7c:96:b2:a0:9b:67:cd:f9:06:ed:7e:02:
    8a:96:fd:f6:4d:bf:64:22:17:a5:9b:e3:33:15:7e:fe:a7:30:
    53:21:55:ba:20:c5:a6:19:50:f0:d2:44:e9:a9:1c:5a:37:20:
    cb:26:15:da:73:ba:67:29:f3:1d:f2:69:97:31:26:92:04:f9:
    6a:c3:ec:ff:6a:65:60:ef:78:54:44:7f:81:22:24:aa:e8:cd:
    fa:6b
Certificate 2 of 3 in chain:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      92:69:45:90:f7:aa:ec:38
    Signature Algorithm: sha1WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = Sample, Inc.
      organizationalUnitName  = IT Team
      commonName        = CA
    Validity
      Not Before: Nov 18 14:58:26 2010 GMT
      Not After : Nov 15 14:58:26 2020 GMT
    Subject:
      countryName         = US
      organizationName      = Sample, Inc.
      organizationalUnitName  = IT Team
      commonName        = CA
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (1024 bit)
        Modulus:
          00:b8:ed:8e:6f:80:6c:10:56:21:16:b9:53:a9:00:
          95:b9:60:18:48:76:fd:a2:e4:b9:4c:21:03:d9:17:
          0f:f7:09:ae:31:f6:1b:ee:3f:d9:d6:fe:53:70:84:
          5b:df:63:7b:f4:a2:9d:34:4f:0e:55:33:e6:ee:a7:
          4c:b9:43:0f:70:51:71:bc:ee:50:6c:fd:4e:41:f2:
          4d:cf:9d:9c:94:a4:40:85:e9:27:74:08:78:fc:f6:
          2e:e4:a9:d5:3e:8b:27:a9:ed:52:06:45:a5:76:a4:
          2a:8d:2a:10:e9:31:6d:5a:6a:75:34:10:4c:85:9a:
          5d:4d:43:3a:24:59:95:29:7f
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Basic Constraints:
        CA:TRUE
  Signature Algorithm: sha1WithRSAEncryption
    a0:04:32:10:92:46:dd:bd:e4:c2:71:0a:b2:d5:5c:9c:1c:8c:
    57:fa:3a:17:ed:aa:d9:28:09:f3:79:3b:18:d0:4d:e0:f8:6c:
    96:a4:b0:52:f9:8a:cd:bc:cf:1c:79:2a:6e:97:4a:89:4e:bb:
    f9:9b:0c:4c:e0:fe:a1:0f:53:7d:6b:04:3b:9b:05:1b:b7:37:
    13:ae:9d:02:58:14:7f:cc:d5:be:26:55:4e:02:15:bb:ec:9f:
    7d:b6:5e:fa:ea:c8:88:b1:b6:57:62:69:ba:c2:b1:d2:2f:a7:
    99:24:90:eb:52:a5:58:20:22:83:33:2c:37:64:84:0e:e9:46:
    90:53
Certificate 3 of 3 in chain:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      92:69:45:90:f7:aa:ec:38
    Signature Algorithm: sha1WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = Sample, Inc.
      organizationalUnitName  = IT Team
      commonName        = CA
    Validity
      Not Before: Nov 18 14:58:26 2010 GMT
      Not After : Nov 15 14:58:26 2020 GMT
    Subject:
      countryName         = US
      organizationName      = Sample, Inc.
      organizationalUnitName  = IT Team
      commonName        = CA
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (1024 bit)
        Modulus:
          00:b8:ed:8e:6f:80:6c:10:56:21:16:b9:53:a9:00:
          95:b9:60:18:48:76:fd:a2:e4:b9:4c:21:03:d9:17:
          0f:f7:09:ae:31:f6:1b:ee:3f:d9:d6:fe:53:70:84:
          5b:df:63:7b:f4:a2:9d:34:4f:0e:55:33:e6:ee:a7:
          4c:b9:43:0f:70:51:71:bc:ee:50:6c:fd:4e:41:f2:
          4d:cf:9d:9c:94:a4:40:85:e9:27:74:08:78:fc:f6:
          2e:e4:a9:d5:3e:8b:27:a9:ed:52:06:45:a5:76:a4:
          2a:8d:2a:10:e9:31:6d:5a:6a:75:34:10:4c:85:9a:
          5d:4d:43:3a:24:59:95:29:7f
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Basic Constraints:
        CA:TRUE
  Signature Algorithm: sha1WithRSAEncryption
    a0:04:32:10:92:46:dd:bd:e4:c2:71:0a:b2:d5:5c:9c:1c:8c:
    57:fa:3a:17:ed:aa:d9:28:09:f3:79:3b:18:d0:4d:e0:f8:6c:
    96:a4:b0:52:f9:8a:cd:bc:cf:1c:79:2a:6e:97:4a:89:4e:bb:
    f9:9b:0c:4c:e0:fe:a1:0f:53:7d:6b:04:3b:9b:05:1b:b7:37:
    13:ae:9d:02:58:14:7f:cc:d5:be:26:55:4e:02:15:bb:ec:9f:
    7d:b6:5e:fa:ea:c8:88:b1:b6:57:62:69:ba:c2:b1:d2:2f:a7:
    99:24:90:eb:52:a5:58:20:22:83:33:2c:37:64:84:0e:e9:46:
    90:53
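The checks the post makes by hand against the dump above, as an added example that is not from the original post: a Python 3 script (standard library only) that audits a leaf certificate in the dict layout ssl.SSLSocket.getpeercert() returns, with SAMPLE_LEAF constructed from the "Certificate 1 of 3" values, plus a live STARTTLS probe of an MX host that reproduces the CheckTLS verdict. The function names and the result dict layout are mine; the probe verifies the chain with the default context because getpeercert() returns an empty dict on an unverified connection.

```python
import smtplib
import ssl
import time

# Constructed sample in ssl.SSLSocket.getpeercert() layout, taken from the "Certificate 1 of 3" dump above.
SAMPLE_LEAF = {
    "subject": ((("organizationName", "Sample, Inc."),), (("commonName", "Server"),)),
    "issuer": ((("organizationName", "Sample, Inc."),), (("commonName", "CA"),)),
    "notBefore": "Nov 18 14:58:26 2010 GMT",
    "notAfter": "Nov 15 14:58:26 2020 GMT",
}

def cert_names(cert):
    """Every host name the cert claims: subject CN plus DNS subjectAltName entries."""
    names = {v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    names |= {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    return names

def audit_leaf(cert, expected_host, now=None, max_years=5):
    """Apply the post's manual checks to a peer-cert dict; returns a list of findings."""
    findings = []
    names = cert_names(cert)
    if expected_host.lower() not in names:
        findings.append("name mismatch: cert is for %s, expected %s" % (sorted(names), expected_host))
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after - not_before > max_years * 365.25 * 86400:
        findings.append("validity period longer than %d years" % max_years)
    now = time.time() if now is None else now
    if not not_before <= now <= not_after:
        findings.append("certificate not valid at the time of the check")
    return findings

def probe_starttls(mx_host, port=25, timeout=10):
    """Live check (not run by the tests): does mx_host offer STARTTLS and present a chain that verifies?"""
    result = {"starttls": False, "verified": False, "error": None, "version": None}
    smtp = smtplib.SMTP(mx_host, port, timeout=timeout)
    try:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            result["starttls"] = True
            try:
                # Default context = CERT_REQUIRED plus a hostname check against mx_host.
                smtp.starttls(context=ssl.create_default_context())
                result["verified"], result["version"] = True, smtp.sock.version()
            except ssl.SSLError as exc:  # untrusted issuer, name mismatch, expired ...
                result["error"] = exc.reason or str(exc)
    finally:
        smtp.close()  # skip QUIT: after a failed handshake the plain socket is unusable
    return result
```

Run against SAMPLE_LEAF with expected_host "smtp.secureserver.net", audit_leaf reports exactly the two findings the post lists, the name mismatch and the ten-year validity; probe_starttls("smtp.secureserver.net") is the on-demand equivalent of one CheckTLS test.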