Big Tin

Big tin: IT infrastructure used by organisations to run their businesses. And other stuff too when I feel like it…

Whom do you trust?

Keeping your data secure is something you need to be constantly aware of. Apart from the army of people out there who actively seek your credit card and other financial and personal details, not to mention the breadcrumbs that accumulate to a substantial loaf of data on social media, it’s too easy to give the stuff away on your own.

It’s really all about trust. We’re not very good at choosing whom we trust, as we tend to trust people we know – or even people we have around us sometimes. As an example, I present a little scenario I encountered yesterday on a train.

The train divides en route, so to get to your destination, you need to be in the right portion of the train. An individual opposite me sat for 45 minutes through seemingly endless announcements – from the guard, the scrolling dot matrix screens, and the irritatingly frequent, automated announcements – all conveying the same information before, during and after the three or four stops before we arrived at the decision point about which bit of the train to be in.

At the station where a decision had to be made, she leaned across and asked if she was in the right portion of the train for her destination.

Why? She would rather trust other passengers than the umpteen announcements. She’s not alone, as I’ve seen this happen countless times.

So it’s all about whom you trust. As passengers, we were trustworthy.

So presumably were the security researchers with clipboards standing at railway stations asking passengers for their company PC’s password in exchange for a cheap biro. They gathered plenty of passwords.

I recently left a USB phone charger in a hotel belonging to a major international chain. They said they would post it back if I sent them a scanned copy of my credit card to cover the postage. That they offered suggests there must be plenty of people willing to take the gamble that their email won’t be read by someone who shouldn’t. Not to mention what happens after the hotel has finished with the data. Can they be sure the email would be securely deleted?

I declined the offer and suggested that this major chain could afford the £7 it would cost to pop it in the post. Still waiting, but not with bated breath. I don’t trust them.

Filed under: data protection, Security, Technology

Solving the ‘too many passwords’ problem

Recent events at Evernote, which was hacked and whose file containing users’ passwords could have been stolen, remind us that, despite the insistence of the IT security industry that passwords offer poor security, that’s what we all continue to use. But there is a way to make remembering passwords easier.

As ever, there’s a trade-off between convenience and security and, it would appear, most of us, especially at the small business and consumer level, don’t want the hassle that stronger security involves. Usually, it involves some form of two-part authentication – something you know and something you have – and the banks have gone furthest in implementing this. You know the drill: give us a number and then tell us something else you know.

I reckon most people can cope with this – even I, with my appalling memory, can handle it.

And then there are the burgeoning numbers of passwords we need to remember for the rest of our lives which, whether we like it or not, we are increasingly being forced to conduct online. And this is my point.

I’ve been accessing online services since 1992, so I’ve used a lot of passwords. To start with, there weren’t that many, and it was easy to remember them. The numbers of services grew and I started using the same or similar passwords for services that fell into the same category.

That’s not great security – so after hunting for a solution, I discovered a free, lightweight password generator which I used for over 10 years – until about three years ago.

What happened? The generator worked fine and produced unique passwords tied to the name of the service, but it had a number of limitations.

First of these was its inability to tune passwords to the requirements of some sites – the ones that demand a specific password length and/or format – so many digits and capitals, and no repetitions, for example.

The second was more serious: it was Windows-only. That was fine at first as I still run mainly Windows, but as mobile devices have become more capable, I now access multiple services on tablets and smartphones too – they don’t run Windows.
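The first limitation above, a generator that cannot be tuned to a site’s rules on length, digits, capitals and repetition, is easy to illustrate. The following is an added example written for this page, not the post’s own generator or KeePass code: a small policy-aware generator in Python built on the standard library’s `secrets` module (OS CSPRNG). The `PasswordPolicy` fields and the sample site rules are constructed assumptions, not any real site’s requirements.

```python
import secrets
import string
from dataclasses import dataclass

# secrets.SystemRandom draws from the OS CSPRNG; never use random.Random for passwords.
rng = secrets.SystemRandom()


@dataclass(frozen=True)
class PasswordPolicy:
    """Per-site rules of the kind the post describes (constructed example fields)."""
    length: int = 16
    min_digits: int = 2
    min_upper: int = 2
    min_symbols: int = 1
    no_repeats: bool = False               # no character may appear twice
    symbols: str = "!@#$%^&*-_=+"


def alphabet_for(policy: PasswordPolicy) -> str:
    return string.ascii_letters + string.digits + policy.symbols


def policy_is_satisfiable(policy: PasswordPolicy) -> bool:
    """A policy can demand more required characters than its length, or more distinct
    characters than the alphabet has when repeats are banned; refuse those up front."""
    required = policy.min_digits + policy.min_upper + policy.min_symbols
    if required > policy.length:
        return False
    if policy.no_repeats:
        if policy.length > len(set(alphabet_for(policy))):
            return False
        if (policy.min_digits > len(string.digits)
                or policy.min_upper > len(string.ascii_uppercase)
                or policy.min_symbols > len(set(policy.symbols))):
            return False
    return True


def violations(password: str, policy: PasswordPolicy) -> list:
    """Return human-readable reasons the password fails the policy (empty list if it passes)."""
    problems = []
    if len(password) != policy.length:
        problems.append(f"length {len(password)} != {policy.length}")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        problems.append("too few digits")
    if sum(c.isupper() for c in password) < policy.min_upper:
        problems.append("too few capitals")
    if sum(c in policy.symbols for c in password) < policy.min_symbols:
        problems.append("too few symbols")
    if policy.no_repeats and len(set(password)) != len(password):
        problems.append("repeated character")
    if not set(password) <= set(alphabet_for(policy)):
        problems.append("disallowed character")
    return problems


def _pick(pool: str, count: int, used: set, no_repeats: bool) -> list:
    """Draw `count` characters from `pool`; without replacement (and avoiding `used`)
    when the policy bans repeated characters."""
    if no_repeats:
        picked = rng.sample([c for c in pool if c not in used], count)
    else:
        picked = [rng.choice(pool) for _ in range(count)]
    used.update(picked)
    return picked


def generate(policy: PasswordPolicy) -> str:
    """Generate a password that satisfies the policy by construction: fill each mandatory
    class first, top up from the full alphabet, then shuffle so positions leak nothing."""
    if not policy_is_satisfiable(policy):
        raise ValueError("policy cannot be satisfied")
    required = policy.min_digits + policy.min_upper + policy.min_symbols
    used: set = set()
    chars = (
        _pick(string.digits, policy.min_digits, used, policy.no_repeats)
        + _pick(string.ascii_uppercase, policy.min_upper, used, policy.no_repeats)
        + _pick(policy.symbols, policy.min_symbols, used, policy.no_repeats)
        + _pick(alphabet_for(policy), policy.length - required, used, policy.no_repeats)
    )
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample rules for two imaginary sites with different demands.
    for site, policy in {
        "relaxed-site": PasswordPolicy(),
        "strict-site": PasswordPolicy(length=12, min_digits=3, min_upper=3,
                                      min_symbols=2, no_repeats=True),
    }.items():
        pw = generate(policy)
        print(site, pw, "violations:", violations(pw, policy))
```

The point a practitioner should take from it is that the policy is checked by `violations` independently of how the password was produced, so the same checker can vet a password typed by hand, one produced by another tool, or one a site rejects; the generator simply builds candidates that are guaranteed to pass it.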

At that point, the answer was clearly a password safe. After some research I lit on KeePass. As the product’s website says: “KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).”

Even better, it’s cross-platform – as well as Windows, there are versions for iOS, Android, MacOS, J2ME, BlackBerry and Windows Phone 7 – and it works. You can drive it using hotkeys so, for example, Ctrl-Alt-K brings up the database containing your passwords, which you can import from pretty much any file format you like. Other hotkeys will auto-type passwords and/or usernames into your web browser, or you can cut and paste them, in which case the software removes them from memory after a short while to enhance security.

There’s a host of other features but it’s a very easy application to set up and to use – you can get into the more advanced stuff when you’re good and ready. For example, Evernote asked all users to reset their passwords following the hack. KeePass generated a new password for Evernote to a security standard I’m happy with, and that was it – no dramas.

So if you ever find that you have too many passwords to remember, take a look at KeePass: free, easy to use, and does the job superbly, in my view.

UPDATE 7 June 2017
Since writing this blog post, I’ve continued to use KeePass and have not changed my positive opinion of it. I’d say, though, that it remains head and shoulders above an oft-touted alternative, LastPass, which is cloud-based. This means that your password and other data are not always under your personal control – and that if the company is hacked (as almost all large targets are likely to be at some point), then your database could be vulnerable.

Far better to stay in full control, using your own resources and two-factor authentication (2FA) to sync the password database: the combination of 2FA and encryption is mighty tough (you can never say impossible but it’s as good as in practical terms) to break.

On the other hand, I’ve stopped using Evernote, having found that Microsoft’s OneNote does it better – and remains free to use.

Filed under: Security

Technology highlights 2013

I’ve been shamefully neglecting this blog recently, yet a lot of interesting new technologies and ideas have come my way. So by way of making amends, here’s a quick round-up of the highlights.

Nivio
This is a company that delivers a virtual desktop service with a difference. Virtual desktops have been a persistent topic of conversation among IT managers for years, yet delivery has always been some way off. Bit like fusion energy only not as explosive.

The problem is that, unless you’re serving desktops to people who do a single task all day, which describes call centre workers but not most people, people expect a certain level of performance and customisation from their desktops. If you’re going to take a desktop computer away from someone who uses it intensively as a tool, you’d better make sure that the replacement technology is just as interactive.

Desktops provided by terminal services have tended to be slow and a bit clunky – and there’s no denying that Nivio’s virtual desktop service, which I’ve tried, isn’t quite as snappy as having 3.4GHz of raw compute power under your fingertips.

On the other hand, there’s a load of upsides. From an IT perspective, you don’t need to provide the frankly huge amounts of bandwidth needed to service multiple desktops. You don’t care what the end user wants to access the service with – so if you’re allowing people to bring and use their own devices at work, this will work with anything that has a browser. I’ve seen a Windows desktop running on an iPhone – scary…

And you don’t need to buy applications. The service provides them all for you from its standard set of over 40 applications – and if you need one the company doesn’t currently offer, they’ll supply it. Nivio also handles data migration, patching, and the back-end hardware.

All you need to do is hand over $35 per month per user.

Quantum
The company best known for its tape backup products launched a new range of tape libraries.

The DXi6800 is, says Quantum’s Stéphane Estevez, three times more scalable than any other such device, allowing you to scale from 13TB to 156TB. Aimed at mid-sized as well as large enterprises, it includes an array of disks that you effectively switch on with the purchase of a new licence. Until then, they’re dormant, not spinning. “We are taking a risk of shipping more disks than the customer is paying for – but we know customer storage is always growing. You unlock the extra storage when you need it,” said Estevez.

It can handle up to 16TB/hour which is, reckons the company, four times faster than EMC’s DD670 – its main competitor – and all data is encrypted and protected by an electronic certificate so you can’t simply swap it into another Quantum library. And the management tools mean that you can manage multiple devices across datacentres.

Storage Fusion
If ever you wanted to know at a deep level how efficient your storage systems are, especially when it comes to virtual machine management, then Storage Fusion reckons it has the answers in the form of its storage analysis software, Storage Fusion Analyze.

I spoke to Peter White, Storage Fusion’s operations director, who reckoned that companies are wasting storage capacity by not over-provisioning enough, and by leaving old snapshots and storage allocated to servers that no longer exist.

“Larger enterprise environments have the most reclaimable storage because they’re uncontrolled,” White said, “while smaller systems are better controlled.”

Because the company’s software has analysed large volumes of storage, White was in a position to talk about trends in storage usage.

For example, most companies have 25% capacity headroom, he said. “Customers need that level of comfort zone. Partners and end users say that the reason is because the purchasing process to get disk from purchase order to installation can take weeks or even months, so there’s a buffer built in. Best practice is around that level but you could go higher.”

You also get what White called system losses, due to formatting inefficiencies and OS storage. “And generally processes are often broken when it comes to decommissioning – without processes, there’s an assumption of infinite supply which leads to infinite demand and a lot of wastage.”

The sister product, Storage Fusion Virtualize “allows us to shine a torch into VMware environments,” White said. “It can see how VM storage is being used and consumed. It offers the same fast analysis, with no agents needed.”

Typical customers include not so much enterprises as systems integrators, service providers and consultants.

“We are complementary to main storage management tools such as those from NetApp and EMC,” White said. “Vendors take a global licence, and end users can buy via our partners – they can buy report packs to run it monthly or quarterly, for example.”

SolidFire
Another product aimed at service providers, SolidFire steps aside from the usual pitch for all solid-state disks (SSD). Yes, solid-state is very fast when compared to spinning media, but the company claims to be offering the ability to deliver a guarantee not just of uptime but of performance.

If you’re a provider of storage services in the cloud, one of your main problems, said the company’s Jay Prassl, is the noisy neighbour, the one tenant in a multi-tenant environment who sucks up all the storage performance with a single database call. This leaves the rest of the provider’s customers suffering from a poor response, leading to trouble tickets and support calls, so adding to the provider’s costs.

The aim, said Prassl, is to help service providers offer guarantees to enterprises they currently cannot offer because the technology hasn’t – until now – allowed it. “The cloud provider’s goal is to compute all the customer’s workload but high-performance loads can’t be deployed in the cloud right now,” he said.

So the company has built SSD technology that, because of the way that data is distributed across multiple solid-state devices – I hesitate to call them disks because they’re not – offers predictable latency.

“Some companies manage this by keeping few people on a single box but it’s a huge problem when you have hundreds or thousands of tenants,” Prassl said. “So service providers can now write a service level agreement (SLA) around performance, and they couldn’t do that before.”

Key to this is the automated way that the system distributes the data around the company’s eponymous storage systems, according to Prassl. It then sets a level of IOPS that a particular volume can achieve, and the service provider can then offer a performance SLA around it. “What we do for every volume is dictate a minimum, maximum and a burst level of performance,” he said. “It’s not a bolt-on but an architecture at the core of our work.”

Filed under: Business, Cloud computing, Data centre, desktops, Enterprise, Product, Product launch, Servers, Storage, Systems management