Trading CPU for Money

The deeper I dig into each generation of tools (VS 2005 at the moment) the more I see the trade-off of CPU for developer time.  It used to be that the programmer would go to extremes to maximize the performance of their code, and the tools were written in much the same way.  Over the years this trend has reversed and has really accelerated the other way.  When you hit enter in VS 2005 it does a background compile, which allows it to catch typos and other errors in much the same way that Word does.  This is great if you want to be productive, but I often hear lamentations that performance is being tossed.  When I look at modern CPU power, I have to admit that I think it is high time we made reasonable trade-offs.  I see more and more servers that are barely touching double-digit CPU usage as the march of Moore's law overtakes our consumption of the resulting CPU cycles.

I am not advocating wasting resources, but if I have to write a small application for a simple task then I am all for getting it done in half the time in exchange for it using more memory, or even running 5% slower than it would have if I had written it with older tools.  The truth is that as applications evolve and add features they almost always run slower than they used to, but only if you stick with the same hardware.

For myself I say keep the productivity gains coming in the tools, and as long as it doesn't get capricious, I won't complain.

Sony Outflanks Hackers

For a week or so…

Sony is now providing an update to their PSP game system that adds a web browser, most likely because hackers have been finding ways to enable web browsing on their own.  It is a smart move, but it certainly won't stop users from reverse engineering every single aspect of the system.  What it does for Sony is earn them some goodwill by providing what users would get eventually anyway.

A primary tenet of leadership is to never give an order that won't be obeyed; it just makes you look like an idiot.

It will be interesting to see what Sony’s next move is in this game of cat and mouse.

Code Camp 4

In New England we are holding our fourth Code Camp in late September (24th and 25th) in the Waltham, MA offices of Microsoft.  This is where it all began and the fourth will likely be bigger than those before it.

I wanted to not only remind people of the date, but also tell you about a special meeting that will help us deliver better and better community content by fostering the development of our technical speakers.  The local (and newly formed) MCT User Group is focusing their meetings on helping sharpen technical presentation skills, and their September 1st meeting (6:00 PM, I think, in the Waltham MS office) is dedicated to what can only be called a Code Camp speaker casting call.  We are hoping to educate and recruit the next generation of Code Camp presenters and establish a best practice of actually caring about the quality of local technical presentations.

Hope to see you there if you are interested in being a technical presenter, are already a technical presenter or just like / are good at heckling technical presenters!

Wounded in Iraq

A classmate of mine from West Point, LTC Erik Kurilla, was wounded (shot 3 times it seems) while serving as a combat commander in Iraq.  While I rarely (almost never) bring personal stuff into my blog and as you will see I will weave this a bit toward my favorite subject of security, but I felt I had to say something here.

If you read the write-up, it is pretty amazing to read that, "The Commander of Deuce Four, LTC Erik Kurilla, was shot three times in combat yesterday in front of my eyes. Despite being seriously wounded, LTC Kurilla immediately rejoined the intense and close-quarter fight that ended in hand-to-hand combat. LTC Kurilla continued to direct his men until a medic gave him morphine and the men took him away."  I haven't seen Erik for a while, but he is a stand-up guy who has always been very serious about every mission he gets.  If I am reminded of any lesson here it is that when we get a setback or even a catastrophe, we have to keep our heads and not make it worse.  If you flail, you fail.

Being in the service helped me immensely in dealing with security because it is the same mindset (though the military consequences are much more intense I have to admit).  You have to re-evaluate every time the situation changes and that could be minute by minute.  Erik could easily have just rolled over once he was hit and let someone else direct the battle or do the fighting, but he determined that he was still required and still able (though God knows how) so he made the call. 

My info says that Erik is OK and is already back stateside.  It was not my intention to stir up political debate with this post, but to show the kinds of people I look to for my inspiration when I think about protecting resources.  I believe that the wars we fight are extending, and will extend, into cyberspace faster than most people think.  Ultimately the courage to do the harder right rather than the easier wrong is easiest to find when we are reminded regularly of the immense sacrifices and miraculous bravery of people like Erik Kurilla.  I am proud to know him and regret that I haven't seen him in so many years and didn't get to know him nearly as well as I would have liked while we were at school together.

Erik, get well soon and thanks!

Phishing Exposed

I know there is a lot of information about phishing attacks (attempts to trick users into logging into fake sites with their credentials for things like eBay or PayPal), but I am seeing more and more sophisticated attacks and felt that I had to raise the warning again.  In our company, and at those clients who listen to our advice, it is a general practice to remind the staff of anything important from time to time, such as virus warnings, in case people's guard has fallen or there is a new twist on attack vectors.

In that spirit, when I see a more potent phishing attack I think it is wise to remind people about the hazards.

The message that caught my attention and spawned this post invited me to “Verify your PayPal Account” in the subject.  As I had just messed with PayPal, I was particularly vulnerable, just as an employee whose brother was on vacation would likely succumb to something spoofing him that said, “see the photos” (from an actual client case).  Being very wary of anything online (or otherwise), I examined the actual destination of the link that looked like it would take me to “https//” and noticed that the link actually pointed me to” (URL changed slightly to protect the innocent and not aid the guilty).  At first glance you might not notice that the domain isn’t, but is actually  This could be a very painful mistake for the user who goes to this page and types in their paypal credentials which are likely linked to their credit card.  This is the online equivalent of using a fake cash machine and punching in your PIN for the bad guys to harvest later.

The moral of this story is to be wary even of emails you expect, as the attacker might just be lucky enough to hit you at the time you expect their kind of luring message.  It is a very costly mistake.  In most email clients, such as Outlook, you can see where a link points by holding the mouse cursor over the link without clicking; read the host name in that address all the way to the end, since the real domain is the part just before the first slash, not the familiar name the attacker puts at the front.  A better practice is to open up the browser yourself and type the address of the site, and then you know you are going where you think you are going.
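The check described above (compare the text a link shows with the host it actually points to, and look at the whole host name rather than the familiar part at the front) can be automated.  The following is an added example, not code from the original post; the sample message is constructed for illustration and uses reserved example domains and a TEST-NET address in place of the real attacker's host, and the expected domain "paypal.com" is passed in as the site the message claims to be from.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message for illustration. The attacker's host is a
# reserved example domain / TEST-NET address; nothing here is a real site.
SAMPLE_EMAIL = """
<p>Dear member, please <a href="https://www.paypal.com.account-verify.example/login">
Verify your PayPal Account</a> within 24 hours.</p>
<p>Or go directly to <a href="http://www.paypal.com@203.0.113.7/">https://www.paypal.com/</a>.</p>
<p>Genuine link for comparison: <a href="https://www.paypal.com/">https://www.paypal.com/</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
_HOSTLIKE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#].*)?", re.S)


def real_host(url):
    """Host the browser will actually connect to for this href.

    urlsplit().hostname discards the userinfo part before '@', which is
    exactly the trick 'https://www.paypal.com@evil.example/' relies on.
    """
    return (urlsplit(url).hostname or "").lower()


def registered_domain(host):
    """Last two labels of a host name ('secure.paypal.com' -> 'paypal.com').

    Simplification: IP literals are returned unchanged, and multi-label public
    suffixes such as co.uk are not handled; a real filter would consult the
    Public Suffix List.
    """
    host = host.rstrip(".")
    if _IPV4.fullmatch(host):
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def displayed_host(text):
    """Host the link *text* claims to go to, or '' if the text is not URL-like."""
    m = _HOSTLIKE.fullmatch(text.strip())
    return m.group(1).lower() if m else ""


def check_link(text, href, expected_domain):
    """Return the reasons this link is suspicious; an empty list means it is
    consistent with a genuine link to expected_domain."""
    reasons = []
    parts = urlsplit(href)
    host = real_host(href)
    if not host:
        return ["href has no host (mailto:, javascript:, or relative link)"]
    if "@" in parts.netloc:
        reasons.append("userinfo before '@' disguises the real host %r" % host)
    if registered_domain(host) != expected_domain.lower():
        reasons.append("destination domain is %r, not %r"
                       % (registered_domain(host), expected_domain))
    shown = displayed_host(text)
    if shown and registered_domain(shown) != registered_domain(host):
        reasons.append("link text shows %r but the link goes to %r" % (shown, host))
    if parts.scheme.lower() != "https":
        reasons.append("not https")
    return reasons


def audit(html, expected_domain):
    """Run check_link over every anchor in the message."""
    return [(text, href, check_link(text, href, expected_domain))
            for text, href in extract_links(html)]


if __name__ == "__main__":
    for text, href, reasons in audit(SAMPLE_EMAIL, "paypal.com"):
        print("%-10s %r -> %s" % ("OK" if not reasons else "SUSPICIOUS", text, href))
        for reason in reasons:
            print("           -", reason)
```

The first sample link is the pattern in the message above: the familiar name is only a prefix of a longer host, and the registered domain (the last two labels) is what the browser trusts.  The second shows the "user@host" form, where everything before the "@" is ignored by the browser, so the hover text starts with a reassuring name but the connection goes elsewhere.  The third, a genuine link, produces no findings.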

If you wish to stay up to date on phishing attacks I will do my best to bring up reminders from time to time, but you should also check regularly on Duane Laflotte's blog, as in the process of running our security practice at CriticalSites he tends to see a lot of these.

Shared Hosting Pro and Con

I have started to encounter more and more instances where companies want to get out of the business of hosting websites themselves, and since the price of outsourced web hosting has dropped, the use of shared and dedicated server hosting has accelerated.  There are many security as well as non-security related factors that should go into the decision on which approach is best for your application, and I wanted to summarize them here.

I realize that to many people this is not news, but I am finding all too often that for a large part of the population this is a new insight, so I intend to occasionally provide basic info as well as any advanced data I can on both security and the growing practice of hosting sites with 3rd parties.

A 3rd party hosting company can afford to maintain servers at a fraction of the cost that anyone in any other business can manage.  When you sign up with a web hosting company to put your site on their server you are typically looking at a very low price (under $20 per month and sometimes under $5 per month), and in these cases the web hosting company is not using a dedicated server for your site.  If they were, they would be out of business very soon.  The fact is that in this situation you are signing up for shared hosting, and that means that your website might be one of dozens or even hundreds of other web sites hosted on that same server.  The advantage of this model is, of course, the price.  You could never get a dedicated server for the same money (they typically run over $100 per month for the bare-bones package and can run into the thousands per month depending on the bells and whistles you require).  The disadvantages of shared hosting are, in my opinion, more numerous than the advantages.  On a shared hosting plan you cannot install any software that isn't already part of the package; you might be sharing the same IP address with many other sites, with the server telling the requests apart only by the host name in the request once they arrive; and, most importantly, if someone on the same server as you compromises the server through their web application (in the case of dynamic code) then your site is going to be dragged down too, because nothing stronger than file permissions on a shared operating system separates their code from yours.

This isn't an attempt to completely scare you off of shared hosting solutions, but be warned about the disadvantages before you jump at the price.  I use shared hosting for simple sites that I consider low security; for everything else I go dedicated server all the way.  I see efforts to save money or time as the most common sources of the bad judgment calls that undermine security.



Military Strategy Applied to Security

It is no secret to anyone who knows me or has heard me speak on the subject of security that I learned quite a bit of my way of thinking about computer and Internet security while serving in the military and while attending the United States Military Academy (West Point).  I tend to think of securing a web application as a battle or campaign.  I want to destroy the hacker for daring to cross the line of departure.  As a result I have drawn heavily from the classics of military strategy and wanted to share a couple of titles with you.  I will spare you the references that are wholly obvious, such as Sun Tzu's "The Art of War" and "The Book of Five Rings", while also stepping gingerly around the heavier reads such as Clausewitz's "On War".  I do suggest you read those if they pique your interest, but I think there are two books that should be read by everyone who seeks a deeper understanding.  The first is called "The Defence of Duffer's Drift" and is a great introduction to defensive tactics written in a unique and entertaining style.  A friend of mine pointed me to an online version that I think is the complete text, though if you like it definitely pick up a copy to read regularly.  The other book is called "Lure the Tiger out of the Mountains" and it is a great read about the 36 classic stratagems taken from Chinese history.

Expect some comments about and from these books in the future here on my blog.  Some of you may already know that Duane Laflotte and I are planning to write a book, and our plan is to mimic, to some extent, the format of "The Defence of Duffer's Drift".

Quarantine VPN

Windows Server 2003 Service Pack 1 has a new capability that you might want to look into called Quarantine VPN (Microsoft's formal name for it is Network Access Quarantine Control).

With this technique you can validate that every client that connects to your VPN meets specific requirements (for example, current patches and up-to-date antivirus signatures, whatever your policy dictates) before it actually gets access to network resources; until the check passes, the remote access server holds the client on a restricted quarantine network.  Microsoft has been doing this on their own network for quite a while now, and they have finally given everyone else who uses their products the same capability.

For details on how to implement it, and a more in-depth overview of Quarantine VPN, read this TechNet article.

Change in Blog

As you might have noticed I am reworking my blog (a bit of a face lift and some bug fixes), but I am also changing the URL.  I registered and while I am leaving the blog accessible from the old address, I am changing the redirects, so let me know if it causes trouble.

Let's hope I didn't break anything.

Least Privilege for Network Administrators

The concept of least privilege is applied to developers and software testers all the time to advocate that the application be developed and tested using the lowest privileged account that can get the job done.  For our purposes (network administration), I am referring to using administrative accounts for administration only and regular user accounts for everything else, including word processing, research (aka web browsing) or the ever popular solitaire!

This is about using the proper tool for the job.  If you wanted to trim some leaves from a tree you would be thought a bit odd if you decided to use a chainsaw, especially if the same job could be done easily with a pair of scissors.  Why is this something almost everyone recognizes as inappropriate?  Because the potential for you to do damage is huge!  There are certainly people out there who will be able to perform the task with the excessive firepower and not lose a limb, but why take the risk?  As an administrator, hitting the delete key by accident and inadvertently accepting the confirmation becomes a major problem, as the odds of you having the rights to carry out the delete are much higher than if you were logged in as a normal user.  When you delete a directory on a network share you can't just go to the recycle bin on your client machine to undo the damage.  Administrators even have the ability to change the permissions at the root of a system volume, which will usually render the operating system unusable (and requires a restore or rebuild).  The same logic applies to anything that arrives in your browser or inbox: a piece of malicious code runs with whatever rights the logged-in account has, so it does far more damage under an administrative account than under a user account.  Why would you want to carry these unnecessary risks when they could cost days of downtime?  Claims that it is inconvenient to keep track of two logins are the most common justification.  Now that network operating systems have tools like the Windows "Run As" command, which lets you start a single administrative tool under the administrative account while staying logged in as a normal user, this is a hollow excuse.
See, developers and network professionals aren't that different after all!