Category Archives: Security

What is Microsoft doing?

My opinion of Microsoft had been going up and up over the past 12-18 months.  I’d heard good things about Windows mobile and Windows 8.  The decision to make Windows 10 available to everyone (since walked back) was smart.  SQL Server 2012 seemed like a real database.  And, most surprising of all, I had installed Outlook 2016 on my Mac and preferred it to Thunderbird and made it my email client of choice.

But then I had to test Office 2013 for a client (or more precisely the interaction of Office 2013, Oracle’s DIS, and WCC 11.1.1.8).  I found a 60 day trial on Technet and downloaded it to my work laptop (the rarely-used, lead-lined, Dell PoS).  So far so good.

Actually not so fast – even though this is a 64 bit OS apparently my old version of Office 2007 was a 32 bit version – well, of course it was since Windows barely knew 64 bit existed in 2006.  In that case the 64 bit version of Office 2013 won’t install.  OK, that’s weird, since the OS is 64 bit, but OK – back to download the other version.

Install goes reasonably fine, although why you would distribute a downloadable trial version of a suite as an iso image I have no idea. Oh and Windows 7 no longer has the ability to mount disk images, so you need to wade through the sewer of infected freeware to find a solution that doesn’t require burning a goddam disk.

Then I open up Outlook 2013 and it wants me to log in to my personal Microsoft account.  Not going to do that.  But it tells me now that my trial only lasts 4 days not 60 days.  Oh and it has completely destroyed my existing Office 2007 install.

No help or contact possible through Technet.  Online chat is a waste of time as the person has never heard of Technet – tells me to call.  I do and then speak to four different people over the next 90 minutes.  None of them has ever heard of Technet nor do they even attempt to try and solve the issue.  They all seem to be convinced I have tried to steal the software.  One keeps asking me to read the code off the disk that came with the software.

There’s a Twitter account on the Technet page and in the “welcome email”  @MicrosoftTrials.  Posted to that a few times but resounding silence.  No surprise since it’s no longer active.

Uninstall the Office 2013 trial and it nukes my entire Office 2007 install on the way.

Thanks Microsoft and Technet, what a great experience.  Back to the Mac for me.  You are making OpenOffice seem professional – and believe me that’s a hard thing to do.

Monopolists gonna monopolize, I suppose.

Apple “just works”?

Marco started the conversation with his posting questioning whether Apple had lost the plot – an article which he now says he wishes he hadn’t posted.  I can see why he would rethink the language and tone of the piece, but he does raise an important point that the quality of software execution at Apple has been markedly poorer in the last 1-2 years.

I’ve been an Apple user since 1988 and shareholder since 2000.  I sold most of the shares I bought at $15 in late 2000 when the stock split and then hit $100 in 2007; it covered most of the downpayment on my apartment (may have been a poor choice in retrospect, but I needed a place to live).  Historically Apple didn’t release major OS updates very frequently and that frequency of release has accelerated since Lion in 2010.  It’s clear to anyone who pays attention that software quality has been problematic since then and is getting worse.

  • iTunes has major issues that haven’t been addressed for years
  • Yosemite had major functional problems in the initial release, and many serious OS X users have still not upgraded because of this (including me)
  • Apple Mail is outdated, inflexible, and barely functional
  • User security for iCloud is terrible and risks damaging Apple’s reputation altogether.

I could go on.

Five years ago I would have recommended OS X and iOS to friends and relatives because things were simpler and easier to use.  The hardware is higher quality and the integration between devices is still better than the other options, but this is mainly because the other options are so terrible. Microsoft lost the plot with Windows 8 and I almost never see it in the wild. Desktop Linux is still reserved for enthusiasts and is still not an option for most users. I spend too much time in the work day wrestling with Linux and Solaris servers; I don’t need that for a desktop platform.

Apple is still my OS of choice but I worry that they really need to improve their software development and release process.  This probably means slowing major releases to 18 or 24 month intervals, but who would complain about that?

 

Alfresco integration with Salesforce

Back to meat and potatoes – or their vegetarian equivalent in my case.

We are working with a client to deploy Alfresco One as a content and records management platform for their business.  An important requirement is that we be able to integrate with Salesforce as that’s where their contracts are currently stored as attachments and where their workflow exists.  During the scoping process we knew that Alfresco had created a Salesforce integration app that was available on AppExchange.

However, there are some limitations and “gotchas” that are good to know about  when designing a solution around this integration.

  1. The integration is only supported for my.alfresco hybrid cloud integration.  This is driven by Salesforce’s security requirements.  If you have an on-prem or hosted Alfresco installation you will need to synchronize with the cloud extranet.
  2. The integration is really designed to be initiated from the Alfresco end rather than (as in our case) putting attachments from Salesforce into Alfresco.  The developers at Alfresco have been very helpful in giving us guidance on how to work with this, but understanding this “normal flow” would have helped us earlier in the process. Learn from my mistake!
  3. All the content from Salesforce is put into a single “attachments” folder in a single site. However, if the SF record has an account record as parent record it becomes the root for that structure and then each object becomes a child of that folder.  For example: Attachments -> ClientA -> OpportunityZ; Attachments -> ClientB -> CaseY
  4. You can use Alfresco rules to move content around if it makes better sense in your existing organization because nodes are tracked no matter where the files are moved to.
  5. All the content in the SF site will have common security, so you will have to assign security to content.  Again, the integration is built from the PoV that content is initiated in Alfresco, synced to the cloud, and from there to SF. If you are reversing that flow, things become WAY more complex.
  6. The current release of the Alfresco integration app only supports a default set of metadata for Accounts, Opportunities, Contracts, and Cases – these need to be mapped to Alfresco properties. However, we hear that there may be support for custom metadata in the next release.

Overall the integration is great if you are following the use case it was designed to address.  The documentation is good, installation is easy, and the developers have been helpful and responsive to questions. But we may need to look at other ways to extract the existing content and populate our Alfresco repository.  I’m currently looking at Data Loader as a tool to extract existing objects for import into the Alfresco instance.

(Thanks to Jon Chartrand, Jared Ottley, and Greg Melahn for their help in gaining this insight – all mistakes are mine)

Encryption – iOS8, Google, and OSX

When Apple announced that iOS 8 would enable encryption of the on-device files by default, there was a lot of ill-informed outrage by various pundits and law enforcement types around the world.  After Google also announced plans to follow suit in the next release of Android, FBI director, James Comey, described this as allowing “people to place themselves above the law.” Predictably, various politicians, police, and spies complained that it would make their lives somewhat more difficult and trotted out the standard disinformation tactic that only terrorists and paedophiles would need this capability.

The trouble with the argument that only people of bad intent would need to encrypt their phones or computers is that there is clear evidence in recent history of who considers themselves to be “above the law”. Hint: it’s not consumers. Could it be the FBI illegally searching call records for years without warrants? Perhaps the NSA’s illegal surveillance of US citizens? Even the Daily Mail was driven to report that over 25% of searches by UK police were illegal. There are similar stories in Canada, Australia, and New Zealand, not to mention all the countries we were supposed to be better than because their police and government undertook this kind of surveillance.

Not content with state actors breaking the law, we find that companies are also stealing data and information from individuals.  Not Chinese state authorities, but stalwarts like Verizon who were hijacking and tracking all traffic using a “perma-cookie”, LinkedIn illegally slurping users’ email contacts against their express wishes, Google illegally collecting wifi network info, and AT&T illegally copying all internet traffic and passing that traffic to the NSA.

So who are the bad people in this equation? I have to add the various police and security forces of most of the countries in the world to the list of people who will break the law to steal my personal data and files.  Faced with overwhelming evidence of illegal activity going on all around me, I’m currently in the process of encrypting all my external and internal hard drives (using FileVault on OS X).  I’m very happy to see that this is default behavior in the latest Yosemite release of OS X – although I’m holding off upgrading for other reasons.  I will happily embrace two factor authentication wherever offered and encryption of all traffic and stored files as far as practical.

If the police or legal authorities of whichever country I am in at the time wish to follow the laws of that land and swear a warrant for lawful access to my machines, I will respect that process. Until then I’ll be using 256-bit encryption as widely as possible.

As an interesting aside, the RIPA (Regulation of Investigatory Powers) Act  in the UK makes it a criminal offence, punishable by up to two years in prison, to refuse to provide encryption keys to police. Many other countries have similar laws, but the USA appears to be currently upholding the 5th amendment.

Update on Shellshock

Having pooh-poohed much of the overreaction about the “shellshock” bug in bash, I will still be patching my systems.

Apple have released a patch for Mavericks here and it’s probably wise to patch now rather than waiting for it to be pushed in an App Store update.

I still don’t think it’s a big risk for most users, and it’s definitely not a reason to eschew cloud deployments in the future.
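To confirm that a patch has reached every copy of bash on a machine, the following added example (not from the original post or from Apple) probes each binary locally and reports whether it still runs a command that trails a function definition in an environment variable. The candidate paths, the status names and the `probe` variable name are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: local check for bash copies that still run a command placed
# after a function definition in an environment variable. Nothing leaves the host.

MARKER="trailing-command-ran"

# check_bash PATH prints one of: missing, affected, not-affected, unknown
check_bash() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo "missing"
        return 0
    fi
    # env -i gives the child a clean environment holding only the probe variable.
    # An affected bash runs the echo that follows the function body while it
    # imports the variable, before the -c command starts.
    out=$(env -i probe="() { :; }; echo $MARKER" "$bin" -c 'echo startup-done' 2>/dev/null)
    case $out in
        *"$MARKER"*)    echo "affected" ;;
        *startup-done*) echo "not-affected" ;;
        *)              echo "unknown" ;;
    esac
}

# Candidate paths are assumptions: the system shell plus common package-manager
# locations. A vendor patch replaces only the system copy.
scan_bash_copies() {
    for candidate in /bin/bash /bin/sh /usr/bin/bash /usr/local/bin/bash /opt/local/bin/bash; do
        result=$(check_bash "$candidate")
        [ "$result" = "missing" ] && continue
        version=$("$candidate" --version 2>/dev/null | head -n 1)
        printf '%s\t%s\t%s\n' "$candidate" "$result" "${version:-version unknown}"
    done
}

scan_bash_copies
```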

“Shellshock” and various other FUD

I was going to write about what’s new in Alfresco Enterprise 5.0, which was launched at the Alfresco Summit in SF this week.

But then I got distracted by Bash and “shellshock”.  I linked to the Forbes article, but I could have linked to 77,500 other news articles (according to Google at 5pm today) and I guarantee that 77,000 or more of those stories will contain misinformation, confusion, FUD, and general bullshit.

I run a Mac, so as soon as I read the news I knew that OSX contains bash and would therefore be vulnerable.  I’m far from a bash guru, but it’s my shell of choice and I use it on Linux and Solaris as well if I can.

Last night I checked my firewall settings and tightened them up a little by enabling “stealth mode”, deleting rights from a couple of old apps that don’t need connections, and unchecking the “automatically allow…” box.

However, the more I read about the issue, the less I saw it being likely to affect most users.  The bug/exploit/hack requires a remote user or process to execute a script on your server/computer in order to invoke the weakness – which is executing more code than the shell should allow, usually as profile settings.  This is a decent explanation of the issue.

So the average user will be unaffected by this unless she or he has enabled advanced unix services and set up their machine to respond to requests from external servers.  Obviously web servers and other public-facing servers need to respond to such requests, so they are more at risk.  Hopefully most of those systems will be professionally managed (he says with a straight face) and patched quickly and efficiently.  The embedded systems and infrastructure (switches, routers) weaknesses are potentially more difficult to solve and patch, but that’s another topic.

What really annoyed me about the coverage of this (apart from the general cluelessness exhibited by authors writing for many publications in order to incite outrage and fear) was that people who should know better were using this as an argument *against* cloud services.  That’s absurd, since both systems are equally at risk and the chances of cloud infrastructure being professionally and competently managed are (in my experience) higher than locally managed servers.

Two factor security challenges

<Updated> Clarification of specific issues with 2-factor authentication by vendor:

Apple – two factor authentication becomes three factor when Apple disables your password and refuses to re-enable or change it. The Recovery Key then becomes the only factor in single factor auth.

Microsoft – two factor authentication with your MS Account (live? not sure what they brand it as this week) is not supported for Office365 accounts – so you have to generate a new one time application password each time you reboot your computer.

eBay/PayPal – handoff from eBay to PayPal (with 2 factor auth) doesn’t work on iPad. Prompts for password and then redirects prompting for SecureID token.  Does appear to work on Safari for Mac.

Dropbox – does appear to work, but I’m sure I’ll find flaws

Google – do they even have two factor? I don’t use their spying stuff.

 

Those of you who follow me on twitter will know that earlier in the year Apple’s poor excuse for two-factor security and support frustrated me for months (literally) and ended with me losing everything I had ever paid for with that account and having to create another account from scratch.

I’m now finding out that Microsoft has implemented two factor security in a similarly half-assed way.  I just switched to a personal MS365 subscription for Office 2011. Since installing Office 2011 I had been annoyed by the 365 login screen each time I rebooted my computer.  But now I’m using my own account with 2 factor auth, it’s even worse. I get prompted for a login, but my password doesn’t work – I then have to login to account.live.com, authenticate, generate an app password, copy that and then paste it into the prompt screen.  After talking to 9 different MS support people, none of whom even understood the issue, I have to assume it’s working as designed.  Their only advice was to turn off two factor authentication.

Add to that my experience last week where the handoff between eBay and PayPal (also with 2 factor auth) was completely broken on the iPad and my conclusion is that for normal users the overhead and annoyance associated with security is untenable.

We are surrounded by news of security breaches on a daily basis and yet the largest software companies in the world can’t implement two-factor security properly. Password management is a mess because web pages prevent you from copying passwords into the login screens or because apps on your mobile devices forget the password at every update and again don’t support pasting of username and passwords.

I’m a technical person that has been using these systems since the mid 1980s. I understand the importance of password management, secure authentication, etc. and I’ve even experienced the outcome of hacked passwords and lost accounts. But to expect “normal” users to manage these broken and difficult to use tools is ridiculous.  People will just throw up their hands and go back to 1234 or password because trying to do the right thing is too hard and ends up with you locked out of your account.

I’m not sure how this is going to improve.  The burden for these insecure systems is still placed fairly and squarely on the shoulders of people with little to no interest or training in technology. There’s no clear competitive advantage in more secure and easy to use logins because nobody at the companies pays any price for their failures.

  • Two-factor authentication (as it is implemented by almost every tech company) is broken.
  • Username / password is broken.
  • There is no clear alternative currently out there.
  • We will continue to get daily reports of “hacking”, “cracking”, and online theft.