alfweb.com

BYOI (Bring Your Own Identity): Is security a habit or a perception?

First of all, what is BYOI? It is a series I’ve decided to create to “talk” about #identitymanagement, so it is about #security, #governance, #management and many other aspects of the #IAM realm.

A few days ago I was sitting on a bench in one of those mega-hyper shopping centres where you can buy everything you want, and obviously one of the things they offer is free Wi-Fi. Of course it is not an #open one: you first need to register, in this case with your mobile phone number, to obtain the first 2 hours free. Observing the “appealing” Wi-Fi advert, many questions came to my mind:

  • Do you trust this “free” and “public” service, provided by “someone” (the provider) you don’t actually know, without any doubts?
  • Do you share personal information (mobile number, etc.) so easily, based on the simple fact that this provider is suggested by “someone” else you trust (you buy stuff in this place, remember?)?
  • Is the level of security you apply to your data/information based on the perception you have, or on a habit you apply “no matter what or who” you are dealing with?

The last question made me think more and more: is security something tangible, or is it more something related to the subjective perception we have of many aspects, like the sensitivity of the data we own, how we relate to the “outside” world in terms of protection, and so on?

Based on a generalist definition (i.e. Wikipedia) of security:

Security is the degree of protection against danger, damage, loss, and crime. Security as a form of protection are structures and processes that provide or improve security as a condition.

So, based on this definition, one would say that security is a sum of tangible structures and well-defined operations, clear enough to guarantee that everyone has, at least, the right level of information when, for example, requesting 2 hours of free Wi-Fi service from a public provider.

But is it so simple? I’ve already blogged about “the level of trust” we have (here), so I’ll not come back to it now. As I said, I was asking myself whether, when we “talk” about security, it is a perception or a habit. Well, let me take a step back and start my analysis:

On the 24th of April 2012 I tweeted this:

24 April 1824 B.C Troy was attacked by Greeks and their Trojan Horse, it was the first real example of a "virus" attack /cc@mikko

So apparently it is “useless” information, something you retweet just because it’s a funny thing. Let’s set aside, please, whether the information is real, confirmed, based on reality or not, for now…

In the original tweet I even added a link to explain my source (here), and there wasn’t intentionally any kind of “sociological experiment” in that… @mikko was there just ’cause I thought it could be one of the things he likes to tweet.

What happened? Well, hundreds of retweets immediately after his retweet, some negative reactions, some interesting “I’ll explain you why you are wrong” tweets. All normal, but… what is a tweet? It is information NOT confirmed by anybody except the source who tweets it: you trust the source, you share the information.

Do you remember another kind of attack similar to that? Let’s say… I bring you a “gift”, and the person who brings it to you is a trusted source (aka the Trojan Horse).

So the tweet is composed of two “aspects”:

1) the gift: “24 April 1824 B.C Troy was attacked by Greeks and their Trojan Horse, it was the first real example of a "virus" attack”. This is not the Trojan Horse, since it is just the honeypot used to make you accept the real Trojan Horse.

2) the “trojan horse”: @mikko (sorry, but yes, you were my “sociological trojan horse”). This is the real Trojan Horse: nobody could be sure that his retweet was really made by him.

Let’s call things in a different way:

tG: is “the gift”, it’s what the attacker will use to infect you.

tH: is the Trojan Horse, it is the “gift” you present in order to be accepted; in my case a “source of trust”, @mikko.

ToA: is the Time of Attack, which will occur when the value of tG + tH is greater than a defined level (call it loT, “level of Trust”).

So what defines the loT? It is just the assumption of risk you make based on the value you give to the “source”; it is just a subjective evaluation everybody does.

Again we are back to the first question:

Is security a habit or a perception?

Everybody who reposted my original tweet did it based on the information in the tweet itself; they were not subject to the gift or the Trojan Horse, but simply evaluated the information. Security is then a habit (hA).

hA: I behave not because I trust you, but on the basis that I evaluate your potential impact on my “systems”.

Let’s say:

loT = (tG + tH) / hA, where the loT should always tend to zero.

Those who retweeted @mikko were of different types, but mostly they did it because he did it… it is a perception of the risk (pR) where:

pR: is the value from X to 1 you define based on how much you trust the source, where zero is the maximum level of trust.

So your loT is:

loT = (tG + tH) / pR

The attack occurs when the value of ToA is greater than or equal to loT.

So in this case security is a simple perception of the risk and does not consider the security defences; for example, I disable the firewall since I am inside my Org ecosystem.

Now… I was still sitting on the same bench, looking at the teen in front of me busy typing their mobile phone number on the provider’s registration web page, and I thought that we are in 2012 and still there are Greeks and Trojans, and Trojan horses.

It is appealing, it is #open, it is #public, and it should be a habit to remember that the electronic device you are using is still full of sensitive data, and that you are asked to act as the security guy, not simply to trust in his/her capability to protect you.

In the end, are you a Trojan or a Greek?

Me, Myself and I: A view on Identity Management in the Cloud Era–Part III

If you wonder what I wrote in Part I and II, click here (Part I) and here (Part II).

#SexDoll: So here we are finally, defining the #sexdoll. First of all let’s take a classic definition of it, from Wikipedia:

A sex doll (also love doll or blow up doll) is a type of sex toy in the size and shape of a sexual partner

In other words, we may say that a #sexdoll could be defined as something really similar to something else, which may be used to obtain the same level of service (or sort of).

Let me give an example in “our” world:

  1. User Joey C. logs in through the browser to his cloud email service; to do this, Joey C. uses an authentication system based on SAML or, to be more specific:
  2. Joey C. logs into the IdM Service Provider system using SAML. Basically this service is provided by the customer itself and is highly customized; this is due to the fact that the customer uses a standard (SAML) but does not want everybody to be able to log into his system without “explicit permission”.
  3. Joey C. now logs in to a second system, obviously cloud-based; to do so he has two options:
     1. The first is to log in again, as everybody did in the “ancient” years.
     2. The second option is to re-use the previous login credentials to access the second system.
  • Joey C.’s request will, in fact, be redirected to the provider’s IdM SAML authentication system, which will recognize the federated service from a specific organization hostname, presented by, guess who, our SAML protocol and the OAuth login request.
  • The IdM SAML authentication system of the SP will “talk” with Joey C.’s authentication systems and the “magic” will happen.
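To make the federation step above concrete, here is an added example that is not part of the original post and not any vendor’s code: a toy identity provider that issues one signed assertion per service provider, and service providers that accept an assertion only when it was issued for them. The hostnames, the shared secrets and the HMAC-based signature are assumptions standing in for the XML signatures and metadata exchange of a real SAML deployment; the point they show is the one the list makes, namely that “explicit permission” is a per-SP trust relationship, so an assertion minted for the mail service is worthless at the CRM.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed example: one identity provider (IdP) run by "myOrg" and two
# cloud service providers (SPs). The IdP signs each assertion with a secret
# shared with exactly one SP (assumed values, stand-ins for real SAML keys).
IDP_ISSUER = "https://idp.myorg.example"          # assumed hostname
SP_SECRETS = {                                     # assumed per-SP secrets
    "https://mail.cloud.example": b"secret-shared-with-mail-sp",
    "https://crm.cloud.example": b"secret-shared-with-crm-sp",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(subject, audience, now=None, ttl=300):
    """IdP side: sign an assertion that is valid for one SP (the audience) only."""
    now = int(time.time() if now is None else now)
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SP_SECRETS[audience], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_assertion(token, expected_audience, now=None):
    """SP side: return the subject only if signature, issuer, audience and
    validity window all check out; otherwise None (no partial trust)."""
    now = int(time.time() if now is None else now)
    secret = SP_SECRETS.get(expected_audience)
    if secret is None:
        return None
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison so the signature check does not leak timing.
    if not hmac.compare_digest(sig, hmac.new(secret, body, hashlib.sha256).digest()):
        return None
    claims = json.loads(body)
    if not isinstance(claims, dict):
        return None
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != expected_audience:
        return None
    iat, exp = claims.get("iat"), claims.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int) and iat <= now < exp):
        return None
    return claims.get("sub")


def federated_login(subject, services, now=None):
    """Joey's second option: one IdP session, one assertion per federated SP,
    and no password re-entered at any SP."""
    return {sp: issue_assertion(subject, sp, now) for sp in services}


if __name__ == "__main__":
    t0 = 1_700_000_000                             # constructed clock value
    tokens = federated_login("joey.c", list(SP_SECRETS), now=t0)
    for sp, tok in tokens.items():
        print(sp, "->", verify_assertion(tok, sp, now=t0 + 10))
    # The mail assertion is useless at the CRM: audience and key both differ.
    print("replay at crm:", verify_assertion(tokens["https://mail.cloud.example"],
                                              "https://crm.cloud.example", now=t0 + 10))
```

Each SP verifies with its own key and checks `aud` against its own name, so neither a stolen assertion nor a rogue SP gets access to a sibling service; the short validity window limits how long an intercepted assertion can be replayed, which is the “average time of login” concern raised later in the post.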

So… we just said that we combine SAML and OAuth to give federated access to other systems in order to provide SSO to users, or better (and in a more detailed way) as an SP like Force.com put it (click here for a detailed explanation). But if we stop for a moment and think about it, we just defined the #sexdoll.

The sD (#sexdoll) is the act of delegating our identity to a third-party system in order to obtain the same level of service instead of “doing it” as we used to do with a “real” system. I know I’ve played a bit with the words, let me rephrase:

In order to use third-party systems without needing to re-login each time, I need to create a link between “my Org” and the third party’s “Org”; this is called federation. A federation means only that I have to use a system (normally defined by the third party) to identify myself when I ask for services; this is called an Authentication System.

Since I’m lucky enough to live in a world where, at least, third-party systems adopt standards and try to find ways to standardize what they consider an annoying yet “time-wasting” procedure, namely logging into the “new” system every time, we ended up creating #sexdolls that allow us to obtain the service we need in the way we need, or at least the way we signed a deal for… since, as many of you know, a sexdoll is not necessarily a whole, anatomically (or almost) precise body doll, but may be even just a part of it.

SAML and OAuth are our sD, but not only…

sD, in my opinion, should be the combination of other factors that are even more important in our discussion:

Do you remember our question in Part I?

How many of you exist? How many identities do you “use” daily while still continuing to be you?

Me: where Me is your network account that allows you to access your computer every morning when you sit at your office desk.

And we said:

Me(1) to Me(1-n): where the number of Me is directly related to the number of applications, services and systems you access using a different account.

But we ended up saying:

Me = Employee, where Employee is (Person + Business Role)

And the conclusion was the #unicorn, or:

First paradigm, “The audit not auditable”: we said:

Me(Auth) = {Me + Me(1 to n-1)} / Roles

The #sexdoll just told us that we use a fake “Me” to obtain services, and we do not have real control, since we trust the third party so much that we give out our identity without really controlling who may access our data in the third-party environment.

So sD is for sure:

lCf (level of Confidence): where the value assigned is the capability of the customer to obtain an adequate level of information on the third-party environment in order to know who may access what (auditing).

But sD is also:

aT (average Time of Login procedure): where the average time of login in the worst condition should be enough to guarantee that a malicious third party cannot act as ourselves or as the SP in order to intercept our procedure and re-use those data (Man in the Middle attack).

And sD is finally:

uOp (Uniqueness of Procedure): where uOp is, or should be, the capability of the authentication system to be unique to the customer system in order to guarantee the proper level of isolation and control over (even) the third-party system (yes, it is another #unicorn).

So sD is:

sD = (lCf * aT) + uOp

Now, based on what has been said, we have shown that there is no real answer as of today, since the whole formula:

IdM-C (IdM in the Cloud) = {[(Me(Auth) + uC + lDu) * Di] / cEc} * sD

is still based on #unicorns and #sexdolls and, personally, this means we are blindly trusting someone who, in some cases, may have access to our sensitive data.

Cloud or not cloud, it is not acceptable to take the risk of placing information where you are not able to control who may access it at any level.

Me, Myself and I: A view on Identity Management in the Cloud Era–Part II

If you wonder what I wrote in Part I, just click here.

Unicorns: Based on what was said in the previous post, the problems remain the same; let me describe them through the “words” of someone who knows #identitymanagement better than me.

Do you know Kim Cameron’s (bio) 7 laws of identity?

User Control and Consent: Digital identity systems must only reveal information identifying a user with the user’s consent.

Limited Disclosure for Limited Use: The solution which discloses the least identifying information and best limits its use is the most stable, long-term solution.

The Law of Fewest Parties: Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship.

Directed Identity: A universal identity metasystem must support both “omnidirectional” identifiers for use by public entities and “unidirectional” identifiers for private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.

Pluralism of Operators and Technologies: A universal identity metasystem must channel and enable the interworking of multiple identity technologies run by multiple identity providers.

Human Integration:  A unifying identity metasystem must define the human user as a component integrated through protected and unambiguous human-machine communications.

Consistent Experience Across Contexts: A unifying identity metasystem must provide a simple consistent experience while enabling separation of contexts through multiple operators and technologies.

Now, if we relate these laws to the cloud realm, what we have is:

User Control and Consent: Let me quote myself:

“The audit not auditable”: we said:

Me(Auth) = {Me + Me(1 to n-1)} / Roles

where the Roles able to define where I may or may not access are obviously defined by my Organization. But we just said we are “on cloud”; this means that, based on the model I am using (IaaS, PaaS or SaaS), there are many chances that some of the “Roles” are not defined by “myOrg” but by the provider from which I am buying “the service”.

User Control and Consent means that, as a customer, I must know, or at least must be in the position of being able to control, who may access my resources and in which way: public or private, free of charge or under contract, no matter what.

So we may define this as:

uC (User Control and Consent)

where the value we assign to uC is the #openness of control that the service provider grants us in terms of Governance (Audit, Role Based management, etc.).

Please keep the uC in mind.

Limited Disclosure for Limited Use + The Law of Fewest Parties: How do you access data on the cloud or, better, which way do you use to authenticate yourself to the different service providers who offer you access to your data in your/their cloud? Did you catch the nonsense of the question? Yes, I’ve just said that to access something that is yours you have to demonstrate that you are who you say you are.

But it is not only this; let me call this the #sexdoll. I’ll describe this concept in the third part of this post; for now I simply say that we may define:

lDu (Limited Disclosure Use)

where the value you assign to lDu is the capability of your system to allow you access using the most limited disclosure of information.

lDu is a value that varies depending on: the authentication system (homogeneous vs. heterogeneous), the number of authentication systems and their ability to recognize each other (federation vs. isolation).

Directed Identity: Take this example: a vendor offers you a new service that allows you to profile your users and allows them to subscribe themselves to multiple services external to your Organization. So you may, from the same “console”, access data inside and outside the organization. This system is maybe based on OAuth and SAML as its authentication dialect.

I am not saying this system is not secure or not accurate, nor is it my intention to convince you that a solution exists that is better than another (yes, I work for a company that offers an #identitymanagement solution, but I am not here to do marketing or evangelization).

The image below is an extract of the login flow used by Google to authenticate a user through its APIs. This system is aligned to OpenID (I’ll describe it in a moment).

Image: Google login flow

From the public Google documentation (“Google Accounts Authentication and Authorization”, https://developers.google.com/accounts/docs/OAuth2?hl=it-IT#scenarios):

The login sequence starts by redirecting the browser (popup, or full-page if needed) to a Google URL with a set of query string parameters. Google handles selecting the correct session (if the user has previously logged in with multiple identities), accepting and validating the user credentials and one-time-passwords (if the account requires it), obtaining consent to release basic profile information, as well as minting and returning an OAuth access token to your application.

Simple and accurate, limited use of information and the ability to define “who you say you are”, but what if the same system is used in a multi-tenant ecosystem where every tenant uses the same technology but does not recognize the validity of the already logged-in account?
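As an added illustration, which is neither Google’s code nor part of the original post, here is the client side of the redirect step quoted above: building the authorization URL with its query string parameters, and checking what comes back before the application trusts it. The endpoint, client id and redirect URI are placeholders. The `state` parameter, which the quoted paragraph does not mention, is the piece a relying party must get right: it ties the returned code to the browser session that started the login, so a code that arrives without the matching state, or at a URL other than the registered one, is dropped instead of exchanged for a token.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values: placeholders standing in for the real authorization
# endpoint, client id and registered redirect URI of an OAuth 2.0 client.
AUTH_ENDPOINT = "https://accounts.provider.example/o/oauth2/auth"
CLIENT_ID = "placeholder-client-id"
REGISTERED_REDIRECT = "https://app.example/oauth2callback"


def build_authorization_url(session, scope="openid email"):
    """Client side, step 1: mint an unguessable state, remember it in the
    user's session and build the redirect URL with its query string parameters."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REGISTERED_REDIRECT,
        "scope": scope,
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Client side, step 2: return the authorization code only if the browser
    came back to the registered redirect URI carrying the state minted for
    this very session. Anything else returns None and must not be exchanged."""
    parts = urlsplit(callback_url)
    landed_on = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if landed_on != REGISTERED_REDIRECT:
        return None
    query = parse_qs(parts.query)
    expected = session.pop("oauth_state", None)   # one-shot: a replay finds nothing
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        return None
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    if "error" in query:                          # user denied consent, etc.
        return None
    return query.get("code", [None])[0]


if __name__ == "__main__":
    session = {}                                   # stands in for a server-side session
    print("redirect to:", build_authorization_url(session))
    callback = REGISTERED_REDIRECT + "?code=constructed-code&state=" + session["oauth_state"]
    print("code accepted:", handle_callback(session, callback))
    print("replayed callback:", handle_callback(session, callback))
```

The state is popped rather than read, so the same callback cannot be presented twice, and the comparison is constant-time; both are cheap habits that close the “did this response really belong to this login?” gap the post is circling around.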

All of this would be accurate but inefficient; OpenID is an example of a solution that tries to work around this problem.

OpenID: OpenID Connect is a suite of lightweight specifications that provide a framework for identity interactions via RESTful APIs. The simplest deployment of OpenID Connect allows for clients of all types including browser-based, mobile, and javascript clients, to request and receive information about identities and currently authenticated sessions. The specification suite is extensible, allowing participants to optionally also support encryption of identity data, discovery of the OpenID Provider, and advanced session management, including logout.

We may define Di as:

Di: is the value you assign to the efficiency of the authentication system you use, where the value is determined by the capability of the various systems to re-use the information already issued when you did the first login.

The direct consequence of this value defines whether a real Pluralism of Operators and Technologies exists. In other terms we may say that

pOT (Pluralism of Operators and Technologies) is True if Di is > 70% of your Di scale.

Consistent Experience Across Contexts: in association with Human Integration, everything described above must be evaluated against the capability of the system you use to access your data, and the information related to the use of your data, reusing the authentication information but providing an adequate level of separation between identities.

In other words, as administrator of the Organization I must be able to audit the entire stack of technologies, roles and information, no matter if they are on-premises, outsourced or cloud-based; but at the same time, as a provider of services, I must be able to maintain separation of duties between users that have the same roles in “my” Organization but are defined as “subscribers” of different “sub”-Organizations.

cEc: is the value you assign to the capability of your cloud service provider to satisfy this law.

Now, first of all thank you for still being here; second, the unicorn is:

[(Me(Auth) + uC + lDu) * Di] / cEc

where:

Me(Auth) value is between 1 and n-1

uC value is between 1 and 10, where 10 is the most satisfying value

lDu value is between 1 and 10, where 10 is the most satisfying value

cEc value is between 1 and 10, where 1 is the most satisfying value

End of part II

In Part III I’ll discuss the #sexdoll dilemma.

Me, Myself and I: A view on Identity Management in the Cloud Era–Part I

Note from the Author: If you don’t like long posts, stop reading this one now.

Me, Myself and I: a definition of Identity Management

So what is this Identity Management (IdM) thing, and why would I care about it if I am in the process of designing the next fantastic, hyper-technological cloud architecture? (And, just for the record, no matter if we are speaking about hybrid, public or private cloud.) So, why should I care about it? Well, believe it or not, you’ll have to face this IdM thing at some point, and somehow you’ll have to find a way to solve the “problem”. But, first of all, let’s define some basic concepts:

Identity Management: Identity management refers to the representation and recognition of entities in computer networks (Jøsang, Fabre, Hay, Dalziel & Pope, 2005)

Cloud Computing (short version): Cloud Computing refers to both the applications delivered as services over the Internet and the hardware and systems software in the datacenters that provide those services. (Above the Clouds: A Berkeley View of Cloud Computing)

Unicorn: Unicorn is a legendary animal from European folklore that resembles a white horse with a large, pointed, spiraling horn projecting from its forehead, and sometimes a goat’s beard and cloven hooves. (Wikipedia)

Plastic Doll (Sex Doll): In this connection we may refer to fornicatory acts effected with artificial imitations of the human body, or of individual parts of that body. (Wikipedia)

No, I’m not crazy. I know I just wrote a definition of a legendary animal and of a sex toy, but please let me explain my point of view better.

Me: Basically, who am I? This simple question requires drilling down to the real core of the Identity Management dilemma that I am trying to describe here, so please let me rephrase my sentence above:

How many of you exist? How many identities do you “use” daily while still continuing to be you?

The image below is a graphical illustration of a hypothetical you, from the point of view of the “n” Yous that everybody uses daily to access various systems.

Image 1. Identity Management Tree

Let’s say you are who you say you are, so we may define you as:

Me: where Me is your network account that allows you to access your computer every morning when you sit at your office desk.

You, as a person, access the local network and decide, for example, to check email; obviously for you (Me) it is irrelevant whether this system is using your local credentials or others through a specific method of authentication (I’ll discuss this later); what matters to you is just that at the very end of the authentication “trail” you are able to read your email.

Let’s describe the identity you are using to access the corporate service as:

Me(1) to Me(1-n): where the number of Me is directly related to the number of applications, services and systems you access using a different account.

Now, Me is the main account and it represents you as an Employee inside your Firm, so we may speak about You as

Me = Employee, where Employee is (Person + Business Role)

Like everybody here, you have a Business Role inside your Employer Organization, and this Role allows you to access specific data, services and systems. Your Role is related to other Roles and allows you to claim access to other information just because “you are who you say you are”.

Myself: But what exactly is a role? A Role is a definition; it is a way to “describe” the combination of multiple things and adapt it to an organization.

Role samples:

IT Roles: Users, Sys-Admins

Business Roles: Accounts Payable, Accounts Receivable

Business/IT Roles: Auditors, Controllers, Administrators

So if the Role is a way to describe your position in relation to the system you are using, we may say that you, as yourself, have not only multiple Identities but even multiple Roles inside your Employer Organization.

I: Basically you are always who you say you are, but you are also other “yourselves” related to your multiple roles, and every combination of those two definitions allows you to access the various systems of your Employer. Confused? Okay, let’s say that as long as the systems you are trying to connect to recognize your main identity or the multiple Me(1 to n-1) you are using, you probably do not even notice this BIG mess of the multiple “Me”; solutions like Single Sign-On (SSO) express clearly the idea of “I am logged in, why should I care how?”.

But is it enough? Well, if you are still using systems that are all “on-premises”, and so administered by your Employer’s IT staff, with almost “no connection” to other providers, you have almost total control over who accesses your systems, how, when and why.

This means that if an Auditor comes to you (as sysadmin) and asks for a report of who accesses what, you are able to reply in a few seconds (or minutes… or well, if you are over the 2 hours mark, give me a call, I’ve got the solution for you).

The cloud dilemma: I am not going to discuss cloud from a technological point of view, so sit down and relax; my point is: what happens when my multiple Me are “in the cloud”?

First paradigm, “The audit not auditable”: we said:

Me(Auth) = {Me + Me(1 to n-1)} / Roles

where the Roles able to define where I may or may not access are obviously defined by my Organization. But we just said we are “on cloud”; this means that, based on the model I am using (IaaS, PaaS or SaaS), there are many chances that some of the “Roles” are not defined by “myOrg” but by the provider from which I am buying “the service”.

So we may say that my level of control (LoC) is something like:

LoC = vR(myOrg) - vR(prvOrg)

where:

vR(myOrg) is the level of autonomy in managing Roles inside my organization

vR(prvOrg) is the level of control of Roles in the provider organization

If we set the level from 1 to 10, where 1 is the lowest level, and we consider the 3 cloud implementation models, we may assume that:

SaaS model: I do not have access to the Roles at all, since I simply use software as a service; this means that my vR(prvOrg) is probably between 1 and 3. Example: Microsoft Office 365 and the Admin role (limited to the basic management of users).

PaaS model: as above, I have limited control over who may access what; I may perhaps control Roles inside the program if it allows me to create them, but I do not have control over the infrastructure stack. My vR(prvOrg) level is probably between 3 and 5.

IaaS model: I build my infrastructure and so I definitely have more control over it; my level of confidentiality is for sure over 5, but I still have some “black spots” here and there that I cannot control. This does not mean IaaS is better than the SaaS and PaaS models, only that it offers a different angle and better control in terms of risk management.

Yes, I said risk management and not identity management, because this is the unicorn, remember?

We said that “Me” and the “Me(1 to n-1)” are the key point of this post, but I am “working” in a distributed (even geographically) environment called cloud; I access the data from various systems: corporate computers, tablets, phones, kiosks, etc.

Risk management is part of the way I manage me, myself and I.

In a more “academic” definition, what I need in order to mitigate the risk that someone acts like me is:

  • Be able to strongly authenticate in order to validate my multiple identities.
  • Access rights must be checked against the cloud application’s access control policies.
  • All user interactions must be logged to ensure non-repudiation.
  • User accounts must be de-provisioned in a timely manner.
  • Dormant accounts must be identified and removed quickly.
  • Access permissions must be certified on a continuous basis.
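The requirements in that list are checks an identity administrator can actually run against an account export, and running them is what makes the Auditor’s “who accesses what” question answerable. As an added example (not the author’s code and not part of the original post), the script below applies four of them, timely de-provisioning, dormancy, strong authentication and periodic certification, to a constructed identity-store dump; the account records, the HR feed, the certification dates and the 90/180-day thresholds are all made up for the illustration.

```python
from datetime import datetime

# Constructed sample data (not a real export): an identity-store dump with
# last-login dates, the set of identities HR still lists as active, and the
# date each account's access was last certified by its manager.
ACCOUNTS = [
    {"id": "joey.c", "last_login": "2012-05-01", "roles": ["AccountsPayable"], "mfa": True},
    {"id": "m.rossi", "last_login": "2011-11-20", "roles": ["SysAdmin"], "mfa": True},
    {"id": "contractor7", "last_login": "2012-04-30", "roles": ["Auditor"], "mfa": False},
    {"id": "svc-backup", "last_login": "2012-05-02", "roles": ["SysAdmin"], "mfa": True},
]
HR_ACTIVE = {"joey.c", "m.rossi", "svc-backup"}          # contractor7 has left
LAST_CERTIFIED = {
    "joey.c": "2012-03-01",
    "m.rossi": "2012-03-01",
    "svc-backup": "2011-09-01",                           # contractor7: never certified
}


def _days_since(date_text, today):
    return (today - datetime.strptime(date_text, "%Y-%m-%d")).days


def review_accounts(accounts, hr_active, last_certified, today,
                    dormant_days=90, certify_days=180):
    """Return {account_id: [finding, ...]} for accounts that break one of the
    hygiene rules; accounts with no findings are left out of the result."""
    today = datetime.strptime(today, "%Y-%m-%d")
    findings = {}
    for acct in accounts:
        issues = []
        # De-provision in a timely manner: the account outlived its owner's contract.
        if acct["id"] not in hr_active:
            issues.append("deprovision: no longer in HR feed")
        # Dormant accounts: nobody has used this identity for a long time.
        if _days_since(acct["last_login"], today) > dormant_days:
            issues.append(f"dormant: no login for more than {dormant_days} days")
        # Strong authentication: every identity must be MFA-enrolled.
        if not acct["mfa"]:
            issues.append("weak-auth: MFA not enrolled")
        # Continuous certification: access must be re-approved periodically.
        cert = last_certified.get(acct["id"])
        if cert is None or _days_since(cert, today) > certify_days:
            issues.append(f"recertify: access not certified in {certify_days} days")
        if issues:
            findings[acct["id"]] = issues
    return findings


if __name__ == "__main__":
    report = review_accounts(ACCOUNTS, HR_ACTIVE, LAST_CERTIFIED, "2012-05-03")
    for account_id, issues in report.items():
        print(account_id)
        for issue in issues:
            print("  -", issue)
```

The same function runs unchanged whether the export comes from an on-premises directory or from a SaaS provider’s admin API; what changes in the cloud, as the post argues, is whether the provider gives you the last-login and certification data at all.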

So think about your cloud system, think about your cloud provider, the contract you just signed, and think about the Auditor who just walked in and asked for a detailed report on who accesses what.

The Unicorn starts to become more defined, doesn’t it? The first big question is:

How may I audit something that is not auditable by design?

The second question is:

Am I mitigating risk, or do I simply pretend to mitigate the real risk?

End of Part I

In Part II I’ll describe the Unicorn, the efficiency vs. accuracy model and, of course, the plastic doll dilemma.

The rule of trust and how my Twitter account has been hacked

Do you remember those stickers from the 70s, “Shit Happens”? Well, if you combine this with “Idiot, Idiot, Idiot!” you get a clear idea of how I felt when I started to receive messages from my Twitter friends like “hey dude, seems you’ve been hacked”. So, first of all, sorry everybody for the spam, and thanks for the support.

But you know we’re all geeks here, and so the question is “what happened?” Let’s start from the beginning:

I received a tweet similar to this:

“rofl…omg i am laughing so hard at this picture of you someone found http://t.co/ROEGZLR”

Okay, it was obviously a malicious tweet and not even a sophisticated one; let’s say it just missed the sentence “hey dude, I’m an amateur hacking trick, would you click on me?”. And please stop laughing at my stupidity, I see you buddies!!!! Basically the trick was to click on the t.co link, land on a fake Twitter API page which required you to re-login, and then generate an even faker login error.

I’ll not go deep into the code stuff and how this could be done; everybody here can surely figure it out (you do remember the concept of POST and GET in an HTML page, don’t you?).

My point is different, and it is: why did I click on that link?

Point 1:

Trust is based on value similarity, and confidence is based on performance…judging similarity between an observer’s currently active values and the values attributed to others determines social trust. Thus, the basis for trust is a judgment that the person to be trusted would act as the trusting person would. Interpretation of the other’s performance influences confidence.

From: “Test of a Trust and Confidence Model in the Applied Context of Electromagnetic Field (EMF) Risks” – Michael Siegrist, Timothy C. Earle and Heinz Gutscher (http://www.mobile-research.ethz.ch/var/pub_siegrist_pref4.pdf)

Let me explain it with a simple formula:

yT = You trust yourself 10 on a 1 to 10 scale

ylT = Your level of Trust, the number that you consider acceptable to trust someone.

lT = Level of Trust

lC = Level of Confidence: determined on the same scale above and valued on the basis of the “knowledge” you have of the other party. It is a scale from 1 to 10 where 10 is an excellent lC.

lS = Level of Security: the value you give to the other party based on their actual performance when acting toward you (number of days, months, years you have known each other, the way he/she acts toward you, the way he/she acts toward strangers). It is a scale from 1 to 10 where 10 is an excellent lS.

pR = Potential Risk: based on the way the person you just “met” seems or acts, related to your perception of risk. It is a scale from 10 to 1 (where 10 is a high risk).

So when you “meet” a person you attribute to him/her a value like:

lT = (lC + lS) - pR

Now, based on this simple formula, you act differently based on the following formula:

ylT = yT - lT of Y

Where Y is the person we’re facing.

Point 2:

Would you click on a link I’ve just tweeted you? At this point I’m sure you’re still thinking “no dude, you’re the stupid one, remember?” Let me share another great article extract:

In our world of information overload and global connectivity leveraged through the Web and other types of media, social trust (McKnight and Chervany, 1996) between individuals becomes an invaluable and precious good. Hereby, trust exerts an enormous impact on decisions whether to believe or disbelieve information asserted by other peers. Belief should only be accorded to statements from people we deem trustworthy.

From: “Propagation Models for Trust and Distrust in Social Networks” – Cai-Nicolas Ziegler and Georg Lausen (http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=926814)

We have never met, at least most of you; you do not even know my face; on Twitter I have an avatar like many of you, and so, if you met me on the street, you would not be able to recognize me, but most of you trust me.

On the scale at Point 1, I started at 2 or at 5 for most of you, and when I was hacked yesterday that value fell by a couple of points, but now you’re reading this article and for some of you I am climbing the scale again.

Trust is a wave we ride every day: we’re the surfers and our peers are the wave; we simply ride them and act based on how well they let us surf the wave in a confident way. Let me again use an example, this time a visual one, to explain my point of view:

Image: Level of Trust and Confidence

Point 3: We live, all of us, in a globalized world where we are overloaded by information and we “virtually” meet people everyday through social networks, intranet chat systems, conference calls etcetera.. We are, and I am one trust me (LOL), trained and accustomed to live with an high level of security, we got complex password, we change them often and we are always “on alert” in order to not disclosure relevant information’s to others but in this “global-socialized” world we live sometimes we forget the rule at Point 1 and 2 too easily. You’ll say “what? nah not me…” let me do a final example:

Y tweets you a fake tweet.

Y is a friend, colleague or mutual follower.

Y is a well-known person in the Internet realm.

Y always acts in a safe and secure way and follows the “simple rules of security”.

How much would you rate Y in your vlT?

Still unconvinced, uh? Final point:

Y does not live in your country, so obviously Y communicates with you in English or in any other language you use.

Due to the confidence you have with Y, you both often exchange jokes and funny tweets.

Now would you still think I’m stupid, and that you wouldn’t click that fake tweet?

Shit happens, and security does not exist since we’re human and so we’re designed to FAIL.

Is VMware seriously considering entering the backup arena?

I was reading the latest news from VMware and found an interesting entry in the announcement made on the 30th of August; I’ll let you read the full story here, but here is the short version and why I started to think about it.
Let’s start from the beginning: if you read the announcement you’ll see there’s a lot of information in it, VMware View 5, Horizon, and in the middle-low end “Project AppBlast and Octopus”. In that paragraph VMware says:

Project Octopus will leverage data sync technology from VMware Zimbra™ and Mozy™ to enable enterprise-grade collaboration and information/data sharing. Additionally, Project Octopus will offer easy integration with VMware Horizon, VMware View and Project AppBlast to create a secure enterprise cloud service. These two projects promise to dramatically simplify the access and sharing of information across people and mobile devices, contributing to the Connected Enterprise.

Now if you read it straight ahead it seems just another way to “push” people and technology from the “local” to the “cloud” realm but, I wondered, why do they speak about Zimbra and Mozy, and most of all about doing data sync with them, and on top of everything, what the hell is Mozy? I’m sorry, but I’m not one of those smart guys with a VMware shirt who present sessions in Las Vegas, so excuse my lack of knowledge here.
So Mozy can be found here, and from their site they offer, at the moment, two editions, Standard and Pro, of a product that is basically an online data synchronization tool (aka network backup to their datacenter, or if you prefer, backup in the cloud).
From their site:

Traditional backup solutions can be expensive and take weeks to implement, leaving your business vulnerable to revenue and productivity loss.

And

Hard drive crashes, spilled drinks, and accidental file deletion can occur at any time and put your company’s future in jeopardy. In fact, 93% of all companies that suffer significant data loss close down within 5 years!

Wow, one cannot say their marketing isn’t aggressive! (please smile here).
So let’s do a recap: I’m the biggest name, or one of the two, around in the virtualization arena, I am pushing things over and over with server virtualization, desktop virtualization, mobile virtualization, I have a strong and reliable solution for cloud, be it private, public or hybrid, I have acquired a big competitor in the email solutions space (Zimbra), so chances are that I am trying, at some point, to offer an all-in-one solution to my customers, or that I am trying to get stronger not in the enterprise server market share, where I am already doing a good job, but in the SMB market share.
So what am I missing here? Got the servers, got the desktops, I can manage your applications and your mobile phones, what else? Yes, you got my same thought: the backup. VDR is a good solution, as we all know, but it is not comparable when we go down to restoring a single item quickly, even less if we’re talking about emails or attachments. Zimbra has its own data archiving system, but again it is local, or at least it is not as reliable as a real backup solution could be, and it is obviously limited to what Zimbra can handle.
So at the very end I am asking myself again: is VMware preparing itself to enter seriously into the backup arena? If so, will Mozy be only the tip of the solution “iceberg”?

Oh nooo, esxcfg is gone!!!! Well, welcome to esxcli, but nothing is like it seems (not at all, at least)

This morning VMware released ESXi 5 and immediately the vWorld started to talk, try, discuss, post and everything else you could imagine related to vSphere.
One of the tweets I saw, from @XXX, was about the fact that esxcfg was gone with vSphere 5; the post was this:

“I’m quite disappointed esxcfg- cmdlets are gone in #vSphere5 but I hear @alanrenouf has a great table to help the transition”

I simply jumped in my seat wondering whether this was true or not, so I went through the official documentation and found this:

“vSphere 5.0 introduces a new command-line interface (CLI). A challenge long faced by vSphere administrators has been the need to work with many different command-line tools, each with a unique syntax.
In addition, different commands were needed to manage a host locally versus remotely. vSphere 5.0 marks the beginning of efforts by VMware to standardize on a single CLI for both local and remote administration, as well as to help reduce the overall number of CLI tools.”

At least from what I read, this only means that VMware decided to offer a single standard for the administrative commands, but it does not necessarily mean the “old” tools were removed (yet). For another point of view on this, look at this article by Duncan “Thank You Lord he exists and posts blogs” Epping on esxcli in vSphere 5.
Now, to answer, even if indirectly, mr. XXX’s post: esxcfg is still alive and you may use it from the local shell as well as from an SSH session. Of course you now have to consider that the use of esxcfg- is deprecated and, wherever possible, you should use esxcli.
Digging in ESXi 5 under the “/sbin” directory you will find all the old esxcfg commands, which are:

esxcfg-advcfg
esxcfg-ipsec
esxcfg-resgrp
esxcfg-vswitch
esxcfg-dumppart
esxcfg-module
esxcfg-route
esxcfg-fcoe
esxcfg-mpath
esxcfg-scsidevs
esxcfg-hwiscsi
esxcfg-nas
esxcfg-swiscsi
esxcfg-info
esxcfg-nics
esxcfg-vmknic
esxcfg-init
esxcfg-rescan
esxcfg-volume

But in the same place you’ll find the new esxcli as well. Now, I am not going to go through an extensive explanation of the new esxcli commands, I’m sure there will be plenty of bloggers/technicians who will cover the argument in a way I would never be able to, but, just to give some examples:
Let’s see the old way to obtain information like IP address or NIC info (assuming you are working on a local shell or on a remote shell like SSH):

If I work with esxcfg I should write something like this:

esxcfg-vmknic -l

that would give me something like:

Interface  Port Group/DVPort   IP Family IP Address   Netmask         Broadcast       MAC Address       MTU     TSO MSS   Enabled Type
vmk0       Management Network  IPv4      8.0.0.201    255.255.255.0   8.0.0.255       00:0c:29:e6:ca:62 1500    65535     true    STATIC

Or, if I need to be specific about the hardware of the NIC:

esxcfg-nics -l

and would have an output similar to this:

Name    PCI           Driver      Link Speed     Duplex MAC Address       MTU    Description
vmnic0  0000:02:01.00 e1000       Up   1000Mbps  Full   00:0c:29:e6:ca:62 1500   Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)

Now with the new esxcli I simply have to write:

esxcli network ip interface ipv4 get

to obtain a result similar to this:

Name  IPv4 Address  IPv4 Netmask   IPv4 Broadcast  Address Type  DHCP DNS
----  ------------  -------------  --------------  ------------  --------
vmk0   8.0.0.201     255.255.255.0  8.0.0.255        STATIC            false

or

esxcli network ip interface list

and obtain something similar to this:

vmk0
Name: vmk0
MAC Address: 00:0c:29:e6:ca:62
Enabled: true
Portset: vSwitch0
Portgroup: Management Network
VDS Name: N/A
VDS Port: N/A
VDS Connection: -1
MTU: 1500
TSO MSS: 65535
Port ID: 16777219

Quite simple and more powerful, uh?
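During the transition, a script that reads vmkernel addresses from the host has to cope with both listing formats shown above. The POSIX sh below is an added example, not code from the original post or from VMware: it parses the deprecated `esxcfg-vmknic -l` table (where the Port Group column may contain spaces, so fields are counted from the right) and the `esxcli network ip interface ipv4 get` table with the same awk approach, checks that the two views agree, and wraps the call so that esxcli is preferred and esxcfg- is only a fallback. The two sample listings are constructed from the output in the post; the vmk1 row is invented to show multi-row parsing.

```sh
#!/bin/sh
# Added example, not part of the original post: parse the vmkernel interface
# listings of the deprecated "esxcfg-vmknic -l" and of
# "esxcli network ip interface ipv4 get" so an audit script keeps working
# while a host moves from esxcfg- to esxcli.

# Sample outputs, constructed from the listings in the post; vmk1 is an
# invented second interface added to show multi-row parsing.
ESXCFG_VMKNIC_SAMPLE='Interface  Port Group/DVPort   IP Family IP Address   Netmask         Broadcast       MAC Address       MTU     TSO MSS   Enabled Type
vmk0       Management Network  IPv4      8.0.0.201    255.255.255.0   8.0.0.255       00:0c:29:e6:ca:62 1500    65535     true    STATIC
vmk1       vMotion             IPv4      10.0.0.5     255.255.255.0   10.0.0.255      00:0c:29:aa:bb:cc 9000    65535     true    STATIC'

ESXCLI_IPV4_SAMPLE='Name  IPv4 Address  IPv4 Netmask   IPv4 Broadcast  Address Type  DHCP DNS
----  ------------  -------------  --------------  ------------  --------
vmk0  8.0.0.201     255.255.255.0  8.0.0.255       STATIC        false
vmk1  10.0.0.5      255.255.255.0  10.0.0.255      STATIC        false'

# esxcfg-vmknic -l: the Port Group column may contain spaces ("Management
# Network"), so fields are counted from the right: Type is $NF and the IP
# address is $(NF-7). The header (NR == 1), short rows and non-IPv4 rows
# are skipped. Prints "<interface> <ipv4>" per line.
parse_esxcfg_vmknic() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 9 && $(NF-8) == "IPv4" { print $1, $(NF-7) }'
}

# esxcli ... ipv4 get: fixed columns; skip the header and the dashed rule.
parse_esxcli_ipv4() {
    printf '%s\n' "$1" | awk 'NR > 2 && $1 ~ /^vmk[0-9]+$/ { print $1, $2 }'
}

# Returns 0 when both tools report the same interface/address pairs.
vmk_views_agree() {
    [ "$(parse_esxcfg_vmknic "$1")" = "$(parse_esxcli_ipv4 "$2")" ]
}

# On a real ESXi shell: prefer esxcli, fall back to the deprecated tool, and
# fail loudly when neither is present (e.g. when run off-host by mistake).
list_vmk_ipv4() {
    if command -v esxcli >/dev/null 2>&1; then
        parse_esxcli_ipv4 "$(esxcli network ip interface ipv4 get)"
    elif command -v esxcfg-vmknic >/dev/null 2>&1; then
        parse_esxcfg_vmknic "$(esxcfg-vmknic -l)"
    else
        echo "neither esxcli nor esxcfg-vmknic found in PATH" >&2
        return 1
    fi
}

# Offline demonstration against the constructed samples.
parse_esxcfg_vmknic "$ESXCFG_VMKNIC_SAMPLE"
parse_esxcli_ipv4 "$ESXCLI_IPV4_SAMPLE"
```

Counting fields from the right in the esxcfg output matters because a port group name such as “Management Network” shifts every column after it; the esxcli table does not have that problem, which is one practical reason to move scripts over to it.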

So, eager to know more about esxcli? Take a look at this great article from William Lam (again, thanks to Duncan Epping for the link in his article).

For those who instead prefer the “official” documentation, here’s the link (thanks to @GreggRobertson5 for the suggestion).

Oh Mom I think I’ve broken my PC!

From: Windowsboy

To: Mom

Sent: August 24 2011

Dear Mom, it’s been a while since the last time I wrote you; the PC you gave me worked so well till this morning. I swear, Mom, I didn’t use it to visit those perv websites, I am a serious guy, Mom, I do not do such things, and no, Mom, I didn’t pour any liquid substance on the laptop (you pervs, do not immediately think of something weird). The fact is, Mom, that this morning I simply downloaded a fantastic piece of software and decided to install it when, all of a sudden, a warning popped out on the screen that says:

setup cannot open the registry key named Unknown/Component/[Random Numbers].

As a first reaction, Mom, I was surprised by the evil popup, but as you always remind me, “lillone, calm down, back to the basics, think darling, use that micro brain nature gave you…” (and honestly, Mom, I always suspected that in that sentence you want to tell me something about my brain… but I really still don’t have a clue what it is).

So, Mom, I did what you always told me and tried another 1500 times, then downloaded another 320 pieces of software and tried all of them, but the evil popup keeps coming back. I am desperate now, Mom, please help me!

WindowsBoy


From: Mom

To: Windows(Icant’beliveyou’remyson)boy

Sent: August 24 2011

Dear boy,

How many times have I said you should pay more attention when Mom speaks? You make me want not to reply to your mail at all, even when you write me just because you ran into an issue. The so-called evil popup, boy, is related to the fact that the laptop I gave you is no longer in the perfect state it was in; I’ll not go down the road of asking what you do when you’re connected to the Internet at the office, or why, if I dig inside it, I am sure to find more than 30 illegal programs that were mysteriously installed by some(you)one, so here is the explanation and the answer:

This error:

setup cannot open the registry key named Unknown/Component/[Random Numbers].

is only shown when registry keys do not have the right permissions, basically the Administrators group is missing from the ACL; the “Unknown” key is in fact the one in:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\

Obviously, boy, you are logged in as Administrator, right? As it happens, some setups can mess up the registry permissions, and your “fantastic” (I do not want to know the details, please) installer is no exception.

As a first help I would enter the following line in the Command Prompt; it fixes the problem for most people:

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

If it doesn’t work for you as well, follow the second method below.

Download SubInAcl, a command line tool from Microsoft that enables administrators to obtain and set security information on files, registry keys, services, etc. It will install to the Program Files folder; you may copy the SUBINACL.EXE file to the \Windows\System32 folder or leave it where it is. Boy, please remember that if your laptop is 64-bit it will be installed in the “Program Files (x86)” directory, so do not write me back whining that you’re not able to find the exe once installed.

Now create a new Notepad file and paste the following code in it:

subinacl /subkeyreg HKEY_LOCAL_MACHINE /setowner=administrators
subinacl /subkeyreg HKEY_CURRENT_USER /setowner=administrators
subinacl /subkeyreg HKEY_CLASSES_ROOT /setowner=administrators
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
Exit

Save the Notepad file with the name you want, I personally suggest “loveUmom” as the name, and change the extension to cmd or bat, so the complete name becomes “loveUmom.bat”. Run this file as administrator, you’re on Windows, aren’t you boy?
The process will now take several minutes; do NOT close the window, whatever may come up. Once the process is complete, the command line window will automatically close and you can then successfully install your pervy software.
Mom

Changing keyboard settings on a VDR

I was playing a bit with a new VDR and found myself facing a curious little issue. Question: “how do I change the keyboard setting from the standard US to Italian?”

Well, the answer is quite simple: since this VM is a CentOS, just log in and use the system-config-keyboard command… but hey, wait!

First of all, how do I log into the VM? For the Italian readers, to log in to a VDR the “@” symbol is made with SHIFT+2 (and for those who don’t know, the login for the VDR shell is:

username:root

password:vmw@re

Now, once you’re in, all you have to do is type the following:

cd /etc/sysconfig

vi keyboard

type “I”

delete the “us” and type “it”

SHIFT+ç, which gives you “:” (remember you’re still on a US keyboard)

type “wq” then press ENTER

reboot and that’s it.

vSphere Compliance Checker released

Today VMware released the vSphere Compliance Checker; as the help of the tool says, “The Compliance Checker runs an assessment on ESX/ESXi hosts managed by vCenter. The assessment is based on a predefined subset of 26 of the vSphere Security Hardening Guide rules and is run against the first 5 ESX/ESXi hosts found on the target vCenter. The assessment results for each host include the rules, the rule descriptions, and the success or failure of each rule.”

The installation process is definitely simple: all you have to do is go here, download it and launch the setup, and at the end of it all you have to do is launch the tool.

Basically, what will happen is that an assessment is run against your vCenter/vSphere architecture, matching your actual configuration against what the vSphere Security Hardening Guide suggests.

The output produced is a nice web page where you can find what’s “wrong” and what’s “good” in your environment and decide how to proceed.

The tool comes along with another nice tool, “VMware Compliance Checker for PCI”, which (from the VMware website) “Check the compliance of your IT infrastructure against specific standards and best practices that are applicable for the environment. The Compliance Checker for PCI DSS v1.2 is a free, downloadable, fully-functional product for checking compliance of your environment to help you ensure that it remains secure and compliant.”