Thursday Aug 07, 2008

So what's new?

Previously, I promised to do an update since it had been such a long time between postings. Well, wait no longer. Honestly, the last six months or so were fairly light on security work for me. I have continued to work with customers around the world helping them to apply Sun and partner technologies to their business challenges, but my team has continued to deliver on the Sun Systemic Security vision and we have recently started exploring adaptive security architectures. In fact, Joel was published and featured on the cover of the ISSA Journal for his article titled Adaptive Security and Security Architecture (an abridged version was also posted here). You can follow us on this journey at

So if not security, what have I been up to?

Before answering, when you hear the words "High Performance Computing" or HPC, what is the first picture that pops into your head? Does your mind drift immediately towards the hallowed halls of government and research laboratories? Do you think of Top 500 lists or of supercomputers named Ranger? Do you think about exploring the mysteries of weather patterns, "seeing" back into space and time or even keeping tabs on the behaviors of sub-atomic particles? If so, you are not alone, but that is certainly not all there is to HPC.

Today, there is no shortage of computing problems being tackled using high performance computers, interconnects, storage and data visualization, but we need to widen our views, remove our blinders, and begin to see HPC as it exists everywhere.

  • structural analysis, computational fluid dynamics, crash and safety simulations
  • fraud analysis and detection, anti-money laundering, credit derivatives pricing and hedging
  • reservoir simulation and visualization, seismic processing
  • media rendering and transcoding
  • DNA sequencing, molecular modeling and bio-simulation

Customers employing these processes share common traits. They are all trying to drive better business results, more quickly and efficiently. They have huge data volumes and often short windows in which to derive actionable results. They are trying to reduce their time to market, speed up their ability to make key business decisions and thereby maximize their value to their customers and shareholders. Customers such as these are using IT as a strategic weapon.

Sound cool, right? I thought so! For the last six months or so, I have taken on an additional role of leading a global, virtual team across our Global Systems Engineering organization to focus on these "non-traditional" or "commercial" HPC environments. What is truly fascinating is that this is all just the tip of the iceberg. Wired Magazine noted recently that "The quest for knowledge used to begin with grand theories. Now it begins with massive amounts of data." While perhaps an oversimplification, the idea is dead on. We have collected massive amounts of data and more is collected every day. Just as often new ways are being developed to analyze this data. This is where HPC meets main street. Problems with HPC-like characteristics are all around us and only recently have we been given the (commodity) processing power, storage capacity and network bandwidth to employ HPC-like solutions more broadly from government to industry, from large corporations to small startups, from the data center to the home.

It has been a very cool ride and collectively the GSE HPC Tiger Team (as it is known) delivered remarkable results including millions of dollars in wins, training and education for thousands of people, and the capture of key requirements, use cases and design patterns. With this group solidly running on all cylinders, it is time for me to turn my focus back to security (although HPC will never be rid of me!). In the coming months, you will hear more about our work on adaptive security including some really interesting practical applications you can start trying today. Is that enough of a teaser?

Until next time, take care!


Wednesday Aug 06, 2008

2008 SIA Award: Sun Systemic Security

I was a little hesitant to write about this as I did not want it to come across as self-promotion, but in the end I felt that it was important for me to say something on behalf of my team. In July 2008, my team and I were awarded with one of the highest honors that Sun can bestow on its technical professionals - the Sun Innovation Award (formerly known as the Chairman's Award for Innovation) for our contributions to the Sun Systemic Security framework. Collectively, these achievements enabled Sun to improve its products to better comply with our customers' security policies and requirements, develop new architectures and best practices that solve key customer security challenges, and position Sun as an architectural and security thought leader across industry and government.

For those unfamiliar with this award, here is a brief summary:

Sun's Innovation Award recognizes those individuals and teams who have made a significant contribution to Sun through innovation. Innovation is a starting point for the Sun Strategy and is key to helping differentiate Sun and attract communities to Sun. Product, process, and project innovations have increased Sun's ability to grow, make money, build our communities, enlist champions, and accelerate our business. The purpose is to reinforce and recognize exceptional performance related to a key pillar of Sun's strategy and one of our key values: Innovation.
The award ceremony was on July 16, 2008 at the Sun Leadership Conference held in San Jose, CA. The award was presented to the team by both Greg Papadopoulos and Jonathan Schwartz.

Pictured (left to right): Greg Papadopoulos, Rafat Alvi, Bart Blanquart, Glenn Brunette, Joel Weise, and Jonathan Schwartz

I would like to publicly congratulate my team on winning this award and thank them for all of their hard work, focus, and dedication. Through all of the ups and downs, you never failed to deliver innovative and highly impactful work that has helped customers and partners around the world and teams across this fine company. I could not be more proud of you all. This is a team award and it belongs to each and every one of you, and while we have been able to accomplish quite a lot, I have no doubt there are greater things yet to come. Thank you! Now get back to work! :-)

On behalf of the team, I think that it is important to thank both Jim Baty and Hal Stern for their coaching, leadership, and unwavering support over the years. They have helped to build and sustain an environment where we all can be challenged, where innovation can flourish, and where we can make a difference for Sun and our customers. You have both been invaluable to our success - thank you!

Tuesday Oct 09, 2007

Sun SPARC Enterprise T5x20s: A Security Geek's Point of View

What an exciting day! Today, Sun has officially launched the Sun SPARC Enterprise T5120 and T5220 rack-mount systems along with the Sun Blade T6320 blade server, the first to be designed for the UltraSPARC T2 processor. From the point of view of a security geek, there is a lot to be happy about. The UltraSPARC T2 has support for eight (8) cryptographic processing units, each of which supports ten (10) different cryptographic algorithms and a hardware-based random number generator. Lawrence has done a fantastic job of talking about these capabilities and performance if you are interested. It is simply mind blowing.

So, what else is new? Well, we now have actual servers that can leverage the computing power of these chips. This means that companies can now begin to rethink about how they have deployed cryptography in their environments. In particular, it is now much more practical to deploy cryptographic services more widely across an enterprise environment due to the performance gains achieved by offloading the work to the cryptographic processing units. For example, why not ensure that all of your internal web, directory and mail services are fitted for encryption? (Hint: you should be doing this already, but now you can do it while not sacrificing the performance of your CPUs!) Net-net: strong security + excellent performance + eco-friendly is a win-win for everyone.

In addition to enabling the wider use of cryptographic services, I would also encourage any organization to consider how the performance and power benefits of these systems can be applied to their existing environments and workloads. In particular, when used in concert with Sun's Logical Domains (LDoms) technology, organizations can get the benefits of performance, virtualization and security together in one system. Did I mention that today we are also announcing version 1.0.1 of our LDoms technology? Honglin has all the details. Of particular interest to us security geeks is the support for minimized and hardened logical domains! Combine that with the security isolation capabilities of the LDoms hypervisor, a boat-load of crypto performance, and a rock-solid, secure, and scalable operating system - you just can't go wrong.

Talk about "zero cost security"! Taken as a whole, you get all of the performance (did I mention the 64 threads?), power and virtualization benefits with security just baked into the design! What's not to like? At least from where this security geek is standing, the view is simply unbeatable. See it all for yourself!


Saturday Nov 04, 2006

New Presentations: Sun Systemic Security

Way back in February, I made a posting about Sun Systemic Security. Since it has been a while since that posting, and since I had developed some fresh material for our Customer Engineering Conference, I wanted to do a follow up so that I could share this new material with you.

I have posted two new presentations on the topic of Sun Systemic Security. The first is a general overview that is intended for use in executive settings or to provide a very high level introduction to the material. The second presentation is a deeper dive into architectural security patterns. This second talk was the basis for my presentation at CEC and provides a more in-depth treatment of various security patterns and how they can be instantiated with Sun products and solutions.

What I like about the second presentation is that it demonstrates, in I believe a very compelling way, the security value proposition for Sun by illustrating how Sun can help support customer security and assurance goals at every level of the stack and how using a pattern-based approach, a reinforcing architecture can be constructed (or an existing one adapted) to better embody a variety of security principles such as self-preservation, compartmentalization, least privilege, defense in depth and others.

The Sun Systemic Security program is always growing and evolving and so we are always looking for feedback from our customers and partners. Be sure to let us know what you think!

Take care,


Tuesday Sep 26, 2006

Treo 700p on Nevada

Will wonders never cease? Today, I decided to plug my Treo 700p smart phone into my newly upgraded Solaris laptop. Honestly, I was not sure what would happen as this was the first time that I had tried to connect up a Palm device.

My goal for doing this was simple. I wanted to synchronize my calendar to my phone so that I would have a list of my appointments while I was on the road. I had wanted to use something more direct like SyncML, but that option was not available to me. Oh, well... I have been using Evolution lately to manage my appointments. What is interesting about my configuration is that my calendar is hosted on Sun's EdgeCal service which allows me to easily access and share my calendar from the Internet or within Sun. EdgeCal is basically a Sun Java System Calendar Server environment and I use the JESCS Evolution Connector to access EdgeCal. By the way, this all worked out of the box too!

So, back to today's experiment... Since Evolution already has an ability to synchronize with devices such as Palm Pilots, I decided to give that a try. The process was completely painless. I simply connected up the 700p via a USB port (actually on a USB hub since I am also using a USB keyboard and mouse), provided some basic settings information to Evolution (Pilot Synchronization Dialog) and hit the HotSync button. Evolution was able to not only find my device but also push the calendar information from EdgeCal to my phone in a matter of seconds. Way cool.

What is really nice is that I can also use the pilot-xfer command to also back up your device (to a ZFS partition in my case). You really have to love it when things just work.

Take care,


Monday Sep 04, 2006

Google Hacking: Social Engineering Redux

While looking through some recent postings, I came across this posting by Dumb Little Man. His brief depiction is yet another in a long string of reminders for us all to be more careful about safeguarding our personal information. All too often, people take their (or their company's) privacy for granted and do not concern themselves with who will see the information that they post - that is, until something bad happens. Worse yet is that people often do not understand how the various types of information made available can be used together to create a multiplicative effect - except perhaps in the more publicized identity theft arena.

Each and every day, it is getting easier to find out greater amounts of information on people, places, companies and services. Let's consider extending the thought experiment discussed in the article above. What if an attacker were to use Google Earth to obtain satellite imagery of his target's house? This tool could be used to pinpoint the position of his target relative to other buildings, roads, or other environmental elements (e.g., wooded areas, etc.) The military has long recognized the value of such imaging for planning attacks and now this information is available (certainly at a lower resolution) to anyone, anywhere. Note: I do not want to pick on Google Earth since there are certainly many other ways to get some or all of this information (e.g., purchase paper maps and/or satellite images, personally scout out a location, etc.).

Going further, with your target's name, e-mail address or other personal details, you could use current search engines to discover pictures, movies, personal profiles, business profiles, interests, and even previous postings or affiliations of your target. There is a virtually unlimited number of potential sources depending on the nature of your target and goals. Of course, none of this is new information. Take a quick search for yourself to see what I mean. My point here is that vast amounts of personal information can be gathered today for little to no cost or effort.

Let me give you an example. I know of a family that was looking for pre-schools for their kids. After some research and careful discussion, they narrowed down their selection to a handful of schools. Enter Google. A quick search on one of the schools led the couple to a MySpace page apparently belonging to one of the school's young teachers. Reading through the teacher's public MySpace profile, the couple was horrified to find discussions and endorsements of vampirism, bloodletting and related topics. Remember, this was initially about finding a pre-school for their young children. Needless to say, that single search result caused the entire school to be taken out of consideration. Now, was the person really a teacher at that school? Who knows... but that is not the point. The personal postings of an individual had cost a school a student. One can easily imagine how personal information could be used by school or professional recruiters when examining candidates.

What is interesting to observe is the damage that can be done to individuals or corporations through the malicious posting of false information. Let's say that the person in the above case was not really a teacher but had some kind of grudge against that specific school. Who knows how much business could be lost (even without the school's knowledge) as a result of prospective parents (such as the couple above) coming across that MySpace page. Similarly, think about the damage to one's personal and professional reputation could ensue as a direct result of malicious (or perhaps accidental) postings. In the old days, rumors could often be contained to a single company or perhaps a small town. Moving out of the town could potentially wipe your slate clean. Today however, such information, correct or not, could literally be in the hands of anyone on the planet. There is no way to avoid it.

Beyond individuals, these same techniques can be leveraged to uncover potential corporate targets. For this posting, I just did a quick search of comp.unix.solaris looking for .rhosts and uncovered this posting:

Even though I realize that use of /etc/hosts.equiv and .rhosts are not
very secure, I've thought I could possibly use them in setting up a
number of Solaris workstations in a lab/setup environment before
rolling them out to the desktops

This posting included both an e-mail address of an employee (presumably) as well as a company name. Comments like these made on mailing lists (from internal e-mail addresses) can often be used to determine key points about a target. From this small message, we can assume that the company uses Solaris and that they are using rsh with rhosts authentication. Not overly useful, but it is a start. Spending a little more time, it is not hard to find people asking security questions, talking about audit failures, or divulging information (seemingly harmless) that can provide clues about their security configuration, recent problems, or even how frequently they patch their systems, etc.
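The quoted message concedes that /etc/hosts.equiv and ~/.rhosts are "not very secure", and the first thing a defender wants to know is how widely such files actually grant trust on the hosts that have them. The script below is an added example written for this post, not code from the original; it parses the classic rhosts line format (host [user], with `+` wildcards and `+@netgroup` entries) and ranks each entry by how much trust it extends. The file paths and contents are constructed for the demonstration.

```python
"""Rank the trust granted by rhosts-style files (added example, constructed data)."""
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    line_no: int
    entry: str
    severity: str
    reason: str


def parse_rhosts(text):
    """Yield (line_no, host, user) for each non-blank, non-comment line.

    Classic format: one entry per line, a host name followed by an optional
    user name. '+' is a wildcard, '+@name' refers to a NIS netgroup and a
    leading '-' negates the entry.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        host = parts[0]
        user = parts[1] if len(parts) > 1 else None
        yield line_no, host, user


def audit_rhosts(path, text):
    """Return one Finding per entry that widens trust beyond a single named host/user."""
    findings = []
    for line_no, host, user in parse_rhosts(text):
        entry = host if user is None else f"{host} {user}"
        if host == "+" and user in (None, "+"):
            findings.append(Finding(path, line_no, entry, "critical",
                                    "any host may log in as any matching user without a password"))
        elif host == "+":
            findings.append(Finding(path, line_no, entry, "high",
                                    f"user {user!r} is trusted from any host"))
        elif user == "+":
            findings.append(Finding(path, line_no, entry, "high",
                                    f"any user on {host} is trusted"))
        elif host.startswith("+@") or (user is not None and user.startswith("+@")):
            findings.append(Finding(path, line_no, entry, "medium",
                                    "netgroup trust; the real scope depends on the NIS map"))
        elif not host.startswith("-") and "." not in host:
            findings.append(Finding(path, line_no, entry, "low",
                                    "unqualified host name; trust rests entirely on name resolution"))
    return findings


def worst_severity(findings):
    """Collapse a list of findings to the single most serious severity label."""
    order = ["low", "medium", "high", "critical"]
    return max((f.severity for f in findings), key=order.index, default="none")


# Constructed sample file contents (not taken from any real system).
HOSTS_EQUIV = """# constructed sample /etc/hosts.equiv
labws01
+
+@labhosts
"""

USER_RHOSTS = """# constructed sample ~/.rhosts for a lab account
labws02.example.com glenn
+ root
labws03.example.com +
"""

if __name__ == "__main__":
    for path, text in (("/etc/hosts.equiv", HOSTS_EQUIV),
                       ("/home/glenn/.rhosts", USER_RHOSTS)):
        found = audit_rhosts(path, text)
        print(f"{path}: worst={worst_severity(found)}")
        for f in found:
            print(f"  line {f.line_no}: {f.entry!r:28} [{f.severity}] {f.reason}")
```

Run against real files by reading their contents into `audit_rhosts`; anything rated high or critical is worth replacing with key-based SSH, which the rest of the thread is effectively asking for.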

With the free and for-fee sources of information available today, the possibilities are truly staggering. That said, it is certainly not like this is anything new. The Internet is riddled with postings and pages detailing how to leverage these information sources as means toward various ends. Before Google there was the USENET and before that there were bulletin board systems, etc. The big difference today is that the Internet and its services are ubiquitous and greater numbers of people are sharing more personal information than ever (and this information is being captured by greater numbers of searchable repositories) - making access to such information downright trivial. Hell, for those needing a little help, there is even a book on Google Hacking.

So what is the lesson here? Simply put, you need to be careful. Don't take your privacy for granted. The damage once inflicted can be hard if not impossible to undo.

As a security professional, I want to be able to share information with people, post content and help answer questions, and generally help people better protect themselves. To establish a more personal connection with readers, I have shared a picture on my blog and have even published a LinkedIn profile. I have even occasionally posted on some personal topics. So, where do I draw the line?

Honestly - for me it comes down to a risk management decision. There are some topics that I am comfortable sharing and others that I am not. Weighing the risks and benefits, I try to strike a balance in my postings. Above all, I do my best to safeguard my (and my company's) private information. Further, I try to balance my inherent paranoia with some pragmatism so that we can engage in these virtual discussions from time to time. I for one enjoy them and hope you do too.

Take care,


Saturday Feb 11, 2006

Sun Systemic Security

In advance of the RSA Security Conference, I wanted to give everyone a heads-up regarding the updated Sun BluePrint article and presentation just posted on the Sun Systemic Security Program. Some may remember that I have talked about systemically secure architectures previously. This new content is more comprehensive and includes more specifics about the overall program and several architectural design building blocks and patterns.

You can find even more information on Sun Systemic Security at Sun's Security Homepage.

If you are going to be at the RSA conference, be sure to stop by the Sun booth and look me up!

Take care!


Tuesday Aug 02, 2005

Conflicting Security Messages

No wonder people are generally confused about how to protect themselves on the Internet.

Today, I arrived at the USENIX Security Symposium in Baltimore, MD. You will get the irony of this in just a second. The conference, this year, is being held at the Sheraton Inner Harbor Hotel. As with most hotels, they offer both wireless and wired Internet access through a contracted ISP. Next to the network jack in the hotel room is a small sign that provides details about the Internet service including how best to connect to the ISP's network. One of the most prominent sections is titled "Tips for a Successful Connection". The very first tip on their list is:

Disable any VPN, proxy or firewall software that may be running on your computer.

Riiight... As if.

Unfortunately, many people (despite warnings to the contrary) will follow this advice in an effort to make connecting to the service as simple as possible. Who wants to have a problem and then sit idly by for minutes to hours while the problem is identified and resolved, right? Not to mention - how often will technical support just start with the same task anyway: first disable any VPN, proxy, or firewall software...

The problem here is that by disabling your local firewall software (in particular), you may be putting yourself in direct violation of your company's security policy and generally accepted common sense. The end result is that the consumer (yet again) is put at risk, particularly if they have not taken other precautions to strengthen the security posture of their system (e.g., hardening, patching, etc.). Further, by extension these types of recommendations can serve to put our own companies (and potentially critical infrastructure) at risk by opening opportunities for such systems to be infected or otherwise compromised while employees and consultants are on the road. Systems compromised in this way invariably end up connecting back to corporate networks where the scope and impact of the breach can be multiplied - all because an ISP told you that it would be easier to connect to their network if you disabled your firewall, etc.

Let's take it a step further. This recommendation could be potentially viewed as in conflict with the President's Strategy to Secure Cyberspace. The strategy document clearly says (for example):

Home users and small businesses can help the Nation secure cyberspace by securing their own connections to it. Installing firewall software and updating it regularly, maintaining current antivirus software, and regularly updating operating systems and major applications with security enhancements are actions that individuals and enterprise operators can take to help secure cyberspace. (from Action/Recommendation 3-3)

The real kicker here is that nowhere on the pretty little information card does it instruct the user to re-enable their protections (either while connected or when done using the service). These recommendations could have a long-lasting impact on the end user, especially in cases where the software is not configured to automatically enable itself upon next boot or in cases where the system is simply not rebooted frequently - such as when using suspend / hibernate modes instead.

So, enough ranting for one day... What are your thoughts?

To what degree should ISPs be held liable if their recommendations are followed by consumers trying to access their network, and those consumers are exploited as a direct result of the ISP's recommendations?


Friday Mar 25, 2005

I'm not dead yet!

It has been a very long time since my last post and for that I apologize. I have a good excuse, honest! I was off for most of January with the birth of my second son. Following that, as you can imagine, when I came back I needed to spend a good deal of time unburying myself from e-mail, v-mail and project deliverables. So, now that I am nearly unburied, I can safely proclaim that I am not dead yet!

I wanted to take a few moments to catch you up on a few things that I have been doing over the last two months or so. I will also preview a few things that will be coming up...
  • Upon my return from leave, I presented at the RSA 2005 Security Conference held in San Francisco, CA. I had the honor of presenting on the topic of "Adaptive Security for Dynamic and Consolidated Environments" with Dave Walker and Peter Charpentier. It was quite a blast!

  • I have continued my work as a member of the Unix Benchmark Team for the Center for Internet Security. Most of the recent work has been on the development and refinement of the Solaris 10 Security Benchmark. I have to say that in large part due to the teamwork displayed by that organization, the Solaris 10 Benchmark has come together very quickly and should be ready to release soon.

  • I have also been working on converting some of my Solaris 10 Security blog articles to become Sun BluePrints Cookbooks. The first of such to be converted was the Automating Solaris 10 File Integrity Checks. It was published this month. It looks like at least one more will be published next month. Don't think that this is just a rehash of the blog however. We did actually go in and add new clarifications, examples, and other content! Also, I would like to acknowledge Darren Moffat and Scott Rotondo for their careful technical review of the article. Thank you very much.

  • I have also been working on new material. Hopefully in either the April or May edition of the Sun BluePrints, you will see a new article titled something like Limiting Service Privileges in the Solaris 10 OS. The paper is done, it is just a matter of getting it through the necessary processes.

  • I have been doing a lot of customer briefings on a variety of topics. Most of my briefings are deep dives into Solaris 10 security features and capabilities. In fact, just last week I presented to over 300 customers in both New York, NY and Somerset, NJ on those topics. It is absolutely incredible the things that you can accomplish with Solaris 10 in the security space.

  • I have also been preparing a talk that I will be giving on April 4th at the EDUCAUSE Security Professional's Conference in Washington, DC. The subject of my talk will be "Systemically Secure Architectures". If anyone reading this will be there, please be sure to stop me in the hall and say 'Hi'!

  • I have also been accepted to present at the New York State Cybersecurity Conference. The subject of my talk will be "Lessons from the Trenches: Solaris Security Best Practices". Hope to see you there!

Those are just a few of the things that I have been working on recently - that I can talk about of course. ;-) I hope to do another posting with yet another Solaris 10 Security tip in the very near future.

Also, before signing off, I have to send some kudos to the Solaris Security Toolkit team. Thanks to their hard work and determination, we can now proudly say that the Toolkit has become an official Sun product that is supported under the Solaris Support contract. Great work everyone!

Take care,
