April 2011 Archives

I'll be teaching tutorials and maybe more. Watch this space: http://www.picconf.org/

I recently posted my "6-point list of security minimums" for the enterprise. That is, 6 things that may have been "would be nice" in the past but are now absolutely required as far as I'm concerned. Most sites do not do all 6, and I think it is time that such sites got with the program 'cause you are making the rest of us look bad.

I got a number of comments asking if I was serious about malware scanners on all computers.... did I really mean servers too?

Yes.

If the machine is a file server then the files being stored should be scanned. It prevents this server from being the unintentional transmitter of infected files. [As a bonus it is an interesting way to detect which users are not protecting themselves. Notice that a large fraction of the infected files are in a certain person's network home directory? Yeah, better check to see if they've disabled their malware detector.]

Web servers, email servers, and "shell servers" all have the same issue. One of my personal servers is a FreeBSD box that I permit friends to have shell accounts. I recently ran a popular commercial virus scanner on all the files. I found 3 files with viruses: One in my home directory (I had done a backup of a laptop to the server ages ago). Two in the home directory of users that were just as shocked as me. Fixing those infected files prevented those users from passing the malware along.

Server performance won't suffer very much. Modern malware scanners are much better behaved. Operating systems have more efficient hooks to let them do their work. Plus, the better vendors are trying to be the lightest burden on system resources. Competition will help that.

I also run a malware scanner on my personal Mac even though Macs are known to not have a lot of virus problems... at this time. Most of the infected files it has detected are Windows virii which wouldn't harm me but this is worth it because it means I haven't propagated the file to my Windows-using friends.

The problem, however, is that in this era of APT it has become very common to find malware written specifically to seek out a particular person or company. The anti-malware vendors are less likely to discover such junk, and if they do there isn't as much financial incentive for them to publish signatures for such things. However, doing this kind of scanning is still important just like people with strong teeth should still brush their teeth. It is good hygiene.

There are still threats from XSS, weak passwords, social engineering and so on and so on. However not doing these 6 basic things is irresponsible bordering on professional negligence.

If you have an iPhone or Android, download "The Conventionist" and enter code "picc". You'll get the complete schedule for the conference (even if you aren't attending, it is a fun app to play with). Congrats to Matt, William and everyone for putting this together!

I'm almost done with my slides for PICC. I can't wait to see everyone there!

On-line registration is open for another 11 hours. After that, you can register on-site!

LOPSA board elections are upon us. The candidate statements are being published and before I read any of them I want to make this statement of my own:*

It is my experience with volunteer organizations that people that have achieved tangible results are more likely to produce more tangible results. Ideas are a dime a dozen. Everyone has ideas. They pour in from everywhere. Don't worry about electing "idea people"; a group of LOPSA's size only needs 1-2 "vision" people but a lot of "do'ers". Elect people that have a track record of getting things done.

Years ago when I was in college there was a student government election. At the "debate night" the two candidates for president had an interesting exchange. The first candidate listed his vast experience: his list of accomplishments was a list of committees he had served on. The other candidate asked him, "But what have you DONE? What on this campus can you point at and say, 'I did that'? You know how there weren't soda machines in the dorm buildings until last year? That was me. I went door to door in the administration building, got everyone to approve it, helped pick a vendor, and so on. When I walk around campus I can point to those machines and say, 'I did that.' What can you point to?" The other candidate had nothing to point to except the chair he had filled in all those various committee meetings. The soda machine guy won the election. He was the best damn student government president we had in years.

This is not to say that idea people aren't friendly, wonderful people. I'm just saying that as a new-ish organization LOPSA kind of knows what needs to be done: it's the "doing" that is important.

I'm not endorsing anyone. I'm not telling you who to vote for. I'm simply saying that this is my formula. You can consider it open source. You can use it, modify it or even ignore it. Just remember that it was pretty damn nice to have soda machines finally in the dorm buildings.

Tom Limoncelli

• Damn, I read one... kind of by mistake. ..but it won't change my vote.

Someone recently ask me how often an enterprise might expect to be attacked.

Attacks are no longer something that happens now and then, they are constant. An hour without an attack is an hour your network connection was down. This is sometimes known as the "Advanced Persistent Threat". Shortly after APT was declassified someone gave a lecture about it at Usenix LISA. You can watch it here. (Note: I found some of what he revealed to be disturbing).

I think the person meant how often an enterprise might expect a successful attack.

That's an entirely different matter.

Knowing about APT is one thing. What does it mean to you and me? To me it means that the following things are no longer "would be nice" but are required:

1. virus scanners on all machines (even servers)
2. virus scanners must automatically, silently, update. No user confirmation.
3. a way to verify that virus scanners aren't disabled and/or flag any machines that haven't updated in X days.
4. OS patches must be automated and, for critical security fixes, performed without user confirmation. (If you admin Mac OS X, try Munki)
5. email filters (anti-virus, anti-spam) centralized; you can't trust each individual machine to filter on their own. Do it on the server or before it gets to your server.
6. firewalls in front of external servers, not just in front of the enterprise

Lastly, the belief that "I won't be attacked, I don't have anything valuable" has to come to an end (and has been for a while). The fact that you have CPU to exploit or bandwidth to consume is valuable to attackers.

My 6-point list seems long but I bet it isn't long enough. What would you add?

The early bird price for Confernece + training ends on Tuesday April 12th at 11:59 pm. Have you registerd to get the $75 discount?

http://picconf.org

Seating is limited for my new "Advanced Time Management: Team Efficiency" tutorial. Register soon! I won't be teaching this again until December!

[I just learned the early-bird discount deadline was changed. You now have a few more days to get the discount!]

If you live in Silicon Valley it is easy to make technical connections; for the rest of us, regional conferences rule.

I attend many conferences: small and large, invite-only and public, regional and national, vendor-specific and vender-neutral, even some international ones too. My next speaking gig is is LOPSA PICC in New Brunswick New Jersey, which is a small, regional, conference this April 29-30. People there will be from New Jersey, New York, Pennsylvania, Connecticut, Delaware, Massachusetts and more (last year 4 people came all the way from Virginia!).

I love regional conferences.

Community: All conferences have some feeling of "community" but the regional conferences have a special feeling because of the common geography. It's nice to post a technical question on a mailing list and get an answer from 3,000 miles away, but developing a professional relationship with someone from 20 miles away is so much more powerful.

Local Knowledge: Smaller companies depend on local resellers a lot more than big companies. At last year's PICC I saw a lot of people talking about which local vendors were better than others. You can't pay for that kind of frank opinions. (All the meals are included in the registration because we find that if everyone eats together they get more opportunities to network.)

It makes your boss happy: "Conference" sounds like a company-paid vacation; but a regional conference is very inexpensive. In fact the "early bird discount" of PICC is $125, which more than pays for the one night at the hotel. If your boss isn't impressed by the low cost (and yet, all the training is nationally-known people you usually find at national conferences) point out that you'll only miss 1 day of work even though it is a 2-day conference.

So what can you expect at this year's PICC? Well, about 100 people, more than a dozen training sessions, and all the food is included.

Topics range from:

Half-day tutorials: Grokking Python, Non-Obvious Nagios, Advanced Time Management: Team Efficiency, Backups, Archiving, and Life Cycle Management: Riding the Wave of Data Proliferation, Blitzkrieg Branding, Internal documentation for SysAdmins, Over the Edge System Administration, Volume 1, PowerShell Fundamentals, Security Best Practices and Tools for Linux, Using and Migrating to IPv6, Windows Enterprise Security, Workplace Presentations 101 for IT Professionals

Talks and presentations: Effectively Monitoring MySQL, Stack Overflow Infrastructure, Using http Response Time Histories to Detect Problems, Leadership and Troubleshooting from the Trenches, The Path to Senior SysAdmin, Change Management and the IT Infrastructure Library (ITIL), Leveraging an Enormous Technology Community, Thoughts on a University-level Major in System Administration, Continuous Integration via Hudson

Plus an awesome Keynote from DevOps guru and general sysadmin mega-mind, Theo Schlossnagle!

(Oh yeah... This will be the only place I'll be teaching Time Management until December, so sign up before the class fills up!)

I look forward to seeing you there! http://picconf.org

I am rewriting my class "Advanced Time Management: Team Efficiency" class in preparation for teaching it at LOPSA PICC 2011. I need to cut about 30 minutes from it.

If you attended when I taught it at Usenix LISA 10 you may recall that I had to rush at the end and didn't have a lot of time for Q&A. My notes say I need to cut 30 minutes.

If you have thoughts about what to drop, please post a comment below.

Thanks!

1. Today is April Fools day. If you see something fishy, pause and think before you react. It could be a joke. Today is an opportunity to show how good you are at taking a joke.

2. We still have a few copies left of The Complete April Fools RFCs. One big book of all the funny Internet RFCs (as of a few years ago). http://www.rfc-humor.com for more info. Makes a great gift for the geek in your life and is the perfect conversation piece for your office.

Today is the first day of the month. You, no doubt, have received a flood of reminders from mailing list servers about which mailing lists you are on.

This is a good opportunity to unsubscribe from the lists you no longer find useful.

Being able to manage a lot of email is good but getting less email is better.