Archive for the ‘General’ Category

Moonshot SSP

Wednesday, October 12th, 2011 by hartmans

It’s been a while since I’ve written about Moonshot. A lot has gone on; we’ve been too busy doing to be busy blogging. However, there’s something that’s happened recently that’s so cool I had to take a moment to discuss it. Padl Software, the same people (well person) who brought us LDAP support to replace NIS and the first Active Directory clone, has now produced a GSS-EAP Security Service Provider. That’s software that implements the Moonshot protocol and plugs it into the standard Windows security infrastructure. This is neat because it allows you to use GSS-EAP with unmodified Windows applications like Internet Explorer and Outlook/Exchange. Obviously, this will be great for Moonshot. However, I think the positive effects are more far-reaching than that. Luke has demonstrated that we can evolve the Windows security infrastructure without waiting for Microsoft to lead the way. For those of us working in the enterprise security space, that’s huge. We can innovate and bring our innovation to Windows. In terms of getting acceptance in important user communities, getting funding for work, and making a practical difference, that’s a big deal.

This code is still in the early stages. Padl has not decided how the code will be made available. We don’t know if it will be under an open-source license yet. Luke, naturally, wants to get paid for his work. However, if this code does get released under an open-source license, it will be very valuable. That will give all of us who are looking for a starting point for security innovations a starting point for bringing our innovations to Windows. Some in the open-source community will argue that we shouldn’t work on improving Windows: if the open-source platforms have features Windows does not, then it may drive people to open-source. Especially for enterprise infrastructure, it tends not to work that way. You need broad cross-platform support to drive new technology. However, it does mean that we can take control of the evolution of our infrastructure; even for Windows there is no requirement that a single vendor controls what is possible.

V6 Really is that Hard

Tuesday, March 8th, 2011 by hartmans

Sometimes I begin to think that we’ve solved most of the challenges to IPv6 deployment. Then something happens.

This time it was a DAP-1522 access-point. Not a NAT, not a router, just a layer 2 device. A while after deploying the device, I noticed that sometimes mail failed to work. After attempting to debug, I found that the problem was that the device wasn’t getting an IPv6 address. The router appeared to be sending out advertisements. Other machines on the same subnet were working fine.

This laptop had associated with the new access point. The default configuration helpfully includes IGMP snooping. The IGMP snooping detected that no one subscribed to any IPv4 multicast group corresponding to the router advertisements and thus didn’t forward them to the wireless link.

We have a long way to go if layer 2 devices sold today are incompatible with v6 in their default configurations.

Slides for Bar BOF

Thursday, March 25th, 2010 by hartmans

Here is a pointer for slides for tonight’s bar bof. It’s likely that we will only be using the diagram slide. moonshot-ietf77-01

Federated Authentication discussion tonight at 9 PM Pacific

Thursday, March 25th, 2010 by hartmans

The federated authentication bar BOF will be held tonight at 9 PM US Pacific time in the Manhattan room at the IETF 77 meeting. Here is information for participation.

Reading List

Remote Participation

  • Join our audio stream during the session
  • Join our jabber chat room at
  • Join our mailing list

    Open Source Accounting Software

    Wednesday, January 13th, 2010 by hartmans

    I’m developing a huge backlog of things to write about, going back as far as a couple of posts inspired by the Kerberos conference in October. However, those require more effort putting together the post, so I’m going to focus on something more recent.

    Part of running a business—even a small business like Painless Security—is dealing with the administrative work and bookkeeping. The normal solution seems to be Intuit’s QuickBooks. When I set up the company, I looked into that. However, Intuit’s accessibility story starts with “give up,” and goes downhill from there. Apparently, screen reader vendors have offered to work with Intuit to help them, but have been turned down, or at least that’s the strong implication I get from reading blogs from these accessibility vendors. So, I’d definitely rather not give Intuit my money. I’m also looking for a bit more than the minimum in accounting software. Keeping the books in order enough to pay taxes would be easy. However, I want to be able to understand where I’m making money; I want to be able to figure out if the fixed price contracts I enter into end up being good ideas. I want to understand how expensive community projects Painless Security gets involved in like Debian and IETF work are both in terms of direct costs and opportunity costs. I want to understand what sorts of work end up being the most profitable. All of these are fairly typical management questions; solutions to varying degrees are understood. However, it means I’m actually going to use an accounting product more than just to track my invoices and prepare taxes.

    I decided to see what the open source world was like in this space. I started with Ledger SMB. Ledger SMB’s main claim to fame is that it tries to be better than SQL Ledger. Being better than SQL Ledger is definitely a good thing. It “worked” well enough to generate invoices and income statements. It nominally had facilities to track the sort of per-project information I’m looking for, but the facilities are not nearly good enough. Also, there were some issues—things like the fact that total debits didn’t particularly need or tend to sum to total credits got old after a very short while. Also, facilities for correcting mistakes were unfortunate. You could either operate in a mode where you could delete a transaction, or a mode where you reverse transactions. Deleting transactions in practice meant deleting most of a transaction; balances became out of sync and half of the transaction tended to stick around using some interfaces but not other interfaces. Database cleanup was almost always required. In principle, reversals are better. However, there is no facility to indicate that you’re not expecting payment on a reversed invoice. The receivables/payables accounts balance out because of the reversing transaction, but both the reversing and reversed transaction end up becoming overdue. “Hey, can you please send me some anti-money to clean this up?” The code was dreadful; the goal was to have better abstraction than SQL Ledger. Perhaps that was achieved, but man that leaves a lot to desire.

    Now, I’m playing with Open ERP. It wants to grow up some day to be a competitor to SAP R3. In a way that sounds good, although it does mean there’s a high complexity cost. There’s a lot of functionality. There’s reasonably good separation between view and model (and possibly even controller). The code is often clean, although the random blocks of commented out code with no explanation cause me to cringe. Many aspects of the system seem incredibly well designed; you can approach the system through a web client, graphical client, two different RPC mechanisms, XL and Open Office plugins.

    However, there’s this mix of missing stuff and completely broken that causes me to wonder whether I’m going to be sad. First, there appears to be basically no support for the US. All addresses are European format and are hard coded. Each individual report needs to be changed. Recently, I found cases where as best I can tell debits and credits are just reversed. I’ve found a case where backing up the database succeeds but generates a zero length file. I almost lost data through that last one. There’s a complex set of mechanisms to deal with units-of-measure for products—for example, some jobs billed in hours, some are billed in days. However other parts of the code just add quantities.

    Playing around with this I am reminded again that I really enjoy thinking about these sorts of problems. An interesting ERP project could be fun to work on. For example, I bet handling ERP needs for some cloud-centered company would be a lot of fun.

    Also, as part of looking at Open ERP, I’ve more or less developed the necessary scripts to migrate a simple service company from Ledger SMB to Open ERP. There are limitations of course, but if this would be useful to you, drop me a line.

    Ignoring Security makes it Better

    Thursday, January 15th, 2009 by hartmans

    The past few months have been busy, although there hasn’t been a lot of things that it made sense to blog about. I’ve been working on something Kerberos related which I will discuss shortly and a couple of requirement analysis/design projects. It is enjoyable to get back into designing new products; it has been a while since I’ve gotten to focus on that.

    The other day, I was trying to send some financial information to my accountant. I didn’t want to send it unencrypted, so I gave him an HTTPS URI to a website I set up with the information. He ran into trouble downloading the file: it took a long time and was corrupted on receipt. As best I can tell, there is something wrong with his networking or firewall.

    He suggested that I upload the information to a “secure” FTP site. I looked at the FTP server; as best I can tell, it doesn’t support TLS, SSL or any other form of encryption. I think it may be secure in that it is identified by an IP address rather than a hostname and that it is used for sensitive information.

    By this point, we were getting fairly frustrated. His IT staff had spent significant time on the issue at a very busy time of year for accounting firms. I’m a small client. I was investigating the email path between us, wondering if I should just give up on privacy and send the information unencrypted. I noticed that the mail server supported starttls, a mechanism for transporting mail encrypted between two systems. I checked; the email I had been sending to him was actually encrypted. Obviously, there are differences in the security guarantees you get by sending something encrypted between your computer and the next hop with a hop-by-hop protocol like SMTP and those you get with an end-to-end encrypted TLS connection for a website. Of course you also don’t know how information is handled once it is received or how reasonable it is to trust the receiving system. Still, hop-by-hop encrypted email was good enough for my purposes.

    I like this story because it’s one of those cases where security and usability align. By not thinking about security at all, I would have achieved protections that were adequate to my task. It’s great to be reminded that with today’s software that does happen. However, it also illustrates the disconnect between actual security and the perception of security. Had I taken the extra steps of using the FTP site, most people would have viewed that as steps designed to better protect my sensitive information. However, as far as I can tell, it would have had the opposite effect. And, of course, we’re reminded that even when we expect a solution to be usable (like my https website), it may turn out not to be. As security engineers, it is very easy to make assumptions about the usability of our work and hard to get it right without testing.
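One way to check, from a delivered message's `Received` headers, which SMTP hops were carried over TLS, as the post above describes finding out after the fact. This is an added example, not code from the original post: the message and hostnames are constructed samples, and it assumes servers record the RFC 3848 `with ESMTPS`/`ESMTPSA` keywords, which not every server does.

```python
import re
from email import message_from_string

# Constructed sample message; hostnames use reserved example domains.
SAMPLE = """\
Received: from mx.accountant.example (mx.accountant.example [192.0.2.10])
\tby mail.accountant.example with ESMTP id 3; Thu, 15 Jan 2009 10:00:03 -0500
Received: from mail.sender.example (mail.sender.example [198.51.100.7])
\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
\tby mx.accountant.example with ESMTPS id 2; Thu, 15 Jan 2009 10:00:02 -0500
Received: from laptop.sender.example (laptop.sender.example [198.51.100.20])
\tby mail.sender.example with ESMTPSA id 1; Thu, 15 Jan 2009 10:00:01 -0500
From: sender@sender.example
To: accountant@accountant.example
Subject: constructed sample

body
"""

# RFC 3848 "with" protocol types that assert STARTTLS was used on the hop.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
# Match "with" only after "by", so "using TLSv1 with cipher" is not mistaken
# for the protocol clause.
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

def hops(raw_message):
    """Return [(from_host, by_host, protocol, tls)] in delivery order."""
    msg = message_from_string(raw_message)
    result = []
    # Each server prepends its header, so reverse to get sender-first order.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(header)
        if not m:
            result.append((None, None, None, False))  # unparseable: no TLS evidence
            continue
        proto = m.group(3).upper()
        result.append((m.group(1), m.group(2), proto, proto in TLS_PROTOCOLS))
    return result

def weakest_link(raw_message):
    """Hops with no TLS evidence; a hop-by-hop path is only as private as these."""
    return [(f, b) for f, b, _, tls in hops(raw_message) if not tls]

if __name__ == "__main__":
    for f, b, proto, tls in hops(SAMPLE):
        print(f"{f} -> {b}: {proto} ({'TLS' if tls else 'no TLS evidence'})")
```

The headers are written by the relaying servers themselves, so this shows what each hop claims, not a guarantee; the final internal hop in the sample is the kind of unencrypted segment that hop-by-hop encryption leaves outside the sender's view.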

    Painless Security, LLC Formed

    Tuesday, August 5th, 2008 by hartmans

    I’m pleased to announce that I’m now in business: Painless Security, LLC was formed last week. The lack of a company has not kept me from being busy, but having a company makes it much easier to set up agreements. The standard agreement should be on the website in a couple of days.

    Painless Security Consulting–No Longer at MIT

    Wednesday, July 2nd, 2008 by hartmans

    As of April 18, I have left MIT and am working as an independent consultant. Information on my expertise is available.

    Since April I’ve been spending a lot of time with my family. I planned to start setting up Painless Security as a company in mid June and start looking for work around then. However, in late May, I received an offer to work on a project I’ll be discussing shortly. So, the good news is that work started sooner than expected. The bad news is that I have not made as much progress as I had hoped on infrastructure. That project is winding down now, so I am beginning to work on the infrastructure work and on finding more projects. If there are opportunities you think I should take a look at, please drop me a line.

    I’m going to expand the scope of this blog a bit. While I will think about the security implications of whatever I post, I’m going to broaden things a bit from the strict security focus. If you are interested in some of the content here, but find other content not to your taste, drop me a line. I can probably set up tags so you can find only what you’re looking for.

    Currently, I am not funded to participate in the IETF. If projects came along that involved contributing to the IETF, I’d definitely take a serious look. Meanwhile I will stay involved in some IETF activities as a self-funded individual, but my involvement will need to scale back.