Saturday, May 31, 2008

Google spotlights data center inner workings

From CNet (hat tip to Slashdot)


In each cluster's first year, it's typical that 1,000 individual machine failures will occur; thousands of hard drive failures will occur; one power distribution unit will fail, bringing down 500 to 1,000 machines for about 6 hours; 20 racks will fail, each time causing 40 to 80 machines to vanish from the network; 5 racks will "go wonky," with half their network packets missing in action; and the cluster will have to be rewired once, affecting 5 percent of the machines at any given moment over a 2-day span, Dean said. And there's about a 50 percent chance that the cluster will overheat, taking down most of the servers in less than 5 minutes and taking 1 to 2 days to recover.


This is an example of designing networks to handle failure, but the same thinking applies to almost anything one cares to build. Sadly, too often the driving parameter is cost: the lowest bidder does the building, and the losses incurred over the lifetime of the project are simply absorbed. Most of those costs are hidden in the form of employee overtime, disgruntled customers and 'upgrades.'

This requires a mindset change. Projects must not be designed and built to work, they must be designed and built to not fail.

Israeli AG Says Employer May Not Read Employee eMail Without Consent

From SANS NewsBites Vol. 10 Num. 43

(May 29, 2008)
The Israeli Attorney General has ruled that employers may not read their employees' email without their free and informed consent. Attorney general Menachem Mazuz submitted the opinion to the National Labor Court which was hearing an appeal filed by an employee whose employer had been granted access to email from her personal computer.

Globes Online

Oddly enough I had recent experience with this when an employer placed forwards on the mails of two employees, without their knowledge or consent. The first was an employee who had resigned and was serving his notice period, and the second is an employee that's currently still working for the company.

The first employee found out because his wife wondered why mail she sent to him had bounced. He was confused because he had received the mail. Being one of the system administrators he investigated and discovered the snooping.

The second employee discovered the snooping through a different route.

Aside from the legal issues, one has to question the culture of a company where such incidents occur.

Tuesday, May 27, 2008

The biggest drawing in the world

Artist Erik Nordenankar used a GPS to draw a self-portrait on the planet.

He placed a GPS unit in a suitcase then gave the case and a specific set of instructions to DHL. DHL carried out the instructions.

When the GPS unit was returned, Nordenankar downloaded the GPS data to his computer, and the 110,664 km path taken by the unit inscribed his portrait on a map of the world.

See it at biggestdrawingintheworld.com

UK theme park bans PDAs, mandates family fun time

From ars technica

Alton Towers Resort, an amusement park in the UK, is trying out a ban on PDAs this week. The experiment could become a permanent policy if things go well, becoming part of a social movement designed to draw lines of proper gadget usage in public sands.

With a squad of "PDA police" roaming the park, any adults caught using a qualifying device will be directed to one of five "PDA Drop Off Zones" at which they can "safely" leave their PDAs for the day. The experiment's declaration at Alton Towers' site is low on details as to what measures will be taken to ensure the devices wouldn't be tampered with (it also specifically uses the term "PDA," though we're fairly certain it's just an umbrella term for other devices like smartphones, BlackBerrys, etc.). There's also no word on what repercussions, if any, adults will face if they refuse to make the trip to a PDA Drop Off Zone.


This is more than just asking people to turn off their cell phones, but I like the idea. Maybe some people have to be forced to relax and to spend time with the family.

Thursday, May 15, 2008

Back to My Mac and PhotoBooth Used to Identify Thieves

From SANS NewsBites Vol. 10 Num. 38


(May 10, 2008)
Police were able to track down a pair of thieves after the owner of a stolen laptop computer used the "Back to My Mac" service to gain access to the computer when the thieves used it to surf the Internet, and then took pictures of the suspects using PhotoBooth, standard software on new Apple laptops. One of the woman's roommates recognized one of the men from the photo as a guest at a recent party. The two men were arrested and police recovered two laptops, two flat screen televisions, two iPods, and other electronic and related items.

NY Times
Sydney Morning Herald


It's always heartwarming when victims successfully fight back.

Microsoft Will Release Four Security Bulletins Next Week

From SANS NewsBites Vol. 10 Num. 37


(May 8, 2008)
This month, Microsoft says it will release four security bulletins on patch Tuesday, May 13. Three of the four bulletins have been given severity ratings of critical; the other has been rated important. The patches address flaws in Windows, Word, Publisher and Jet Database Engine. The important bulletin will address flaws in Microsoft's anti-malware products. Two of the four patches will require restarts.

GCN
IDG
Microsoft

[Editor's Note (Cole): It is critical that organizations have an approach to apply patches within 24 hours. I am seeing patch Tues. and exploit Thurs., where attackers will reverse engineer patches and exploit the systems within 48 hours. Timely patching is no longer a recommendation; it is a requirement.]


Exploit Thursday? That is a worrying, if expected, development. Attackers have obviously built some sophisticated tools to quickly reverse engineer patches and then use the knowledge gained to add a new attack vector to their malware. This is far easier than hunting for holes themselves. Very smart.

Sunday, May 11, 2008

The Mac in the Gray Flannel Suit

From BusinessWeek:


Soon after Michele Goins became chief information officer at Juniper Networks (JNPR) in February, she decided to respond to the growing chorus of Mac lovers among the networking company's 6,100 employees. For years, many had used Apple's (AAPL) computers at home and clamored for them in the office as well. So she launched a test, letting 600 Juniper staffers use Macs instead of the standard-issue PCs that run Microsoft's (MSFT) Windows operating system. As long as the extra support costs aren't too high, she plans to open the floodgates. "If we opened it up today, I think 25% of our employees would choose Macs," she says.


I think the 25% estimate is low. People who have changed to Macs are really enjoying the experience. There is the initial honeymoon period where it's more emotional than rational, but that no longer ends in divorce. People are genuinely finding OS X easier to use, stable and pretty.


Millions of consumers are seeing the Mac in a new light. Once an object of devotion for students and artists, the Mac is becoming the first choice of many. Surging demand for the machines led Apple to predict revenues will rise 33% in the second quarter, to $7.2 billion, even in the face of an economic slowdown.


We are seeing this as well. We have just completed a weekend-long deployment of 30 workstations plus an Xserve in a design department. As a result of the process, two people who normally use Windows bought Macs, and an internal support technician on hand to help with IT issues was blown away at the ease of the deployment.


Mac fanboys have been singing Apple's praises for years, of course. But now the call is coming from mainstream users, people who may have started off with an iPod, then bought a Mac at home and no longer want a "Windows-by-day, Mac-by-night" existence. At Sunnyvale (Calif.)-based Juniper, CEO Scott Kriens is one of the people with a new MacBook laptop. "Everybody told me I should get one," he says. "It's not anything to do with negative perceptions about Microsoft. It's just that Macs are cool." IBM (IBM) and Cisco Systems (CSCO) are running similar tests on whether to let Macs into the office. Google (GOOG) has allowed employees pick their machine of choice for years.

Others are sure to follow suit. Mark Slaga, chief information officer of Dimension Data, a large computer services firm based in suburban Johannesburg, says he has received 25 e-mails recently from employees who want permission to use Macs at work. So far he has refused, because he doesn't want to hire people to provide Mac tech support, but "it'll happen someday," he concedes. "Steve Jobs doesn't need a sales force because he already has one: employees like the ones in my company."


If you have not yet tried a Mac, maybe it's time you considered doing so. From the desktop to the server, you will find a product that has a lower TCO than you expected. Macs are more stable, have fewer security and virus issues, enjoy a longer effective life span and they are ready for the Enterprise. Each of these alone would be reason enough to consider a switch to Macs. Put them together, factor in the nervousness associated with Vista and the end-of-life of XP, and I think a serious case can be made for looking in Apple's direction.

Wednesday, May 7, 2008

Nine Memory Sticks Stolen from Hong Kong Hospitals

From SANS NewsBites Vol. 10 Num. 36


(May 5, 2008)
In the last year, nine memory sticks have been stolen from five Hong Kong hospitals. In all, the devices hold personally identifiable information of more than 3,000 patients, including 700 children with developmental problems. Those files also hold patient interviews, assessments, and for some, photographs and identity card numbers. A task force has been set up to investigate the thefts and develop ways to avoid similar data security breaches.

Monsters and Critics
The Standard

[Editor's Note (Schultz): A six month delay in notifying potential victims of identity theft is inexcusable. Until harsh punishments are handed out for such negligence, this kind of thing will continue to occur.]


This is becoming such a common problem that reports are being relegated to the back pages. Stolen or lost storage devices such as memory sticks, phones, portable drives and even laptops can contain critical and/or strategic information. Users in companies are demanding that their information be available to them from wherever they are. This means that payroll spreadsheets get downloaded to cell phones, business plans are saved onto memory sticks or server passwords are kept on iPods.

The IT department will never be able to roll back the tide of convenience that this brings, nor should they try to. What they should do is plan for disaster when devices with critical data are lost, even in the event that the loss is not reported.

Start implementing a policy that ensures that data on mobile devices is secured. Software like TrueCrypt can secure devices under Windows, OS X and Linux. Simultaneously develop a password storage policy to deal with the initial tide of lost or forgotten passwords for encrypted devices. Password management software will help immensely with this task.

Sunday, May 4, 2008

Court Ruling on Electronic Border Searches

From SANS NewsBites Vol. 10 Num. 35

(April 23, 30 & May 1, 2008)
The Association of Corporate Travel Executives (ACTE) is warning members "and all business travelers to limit proprietary information on laptop computers when crossing US borders." ACTE issued the warning after an April 21 federal appeals court decision that "gives customs officials the unfettered authority to examine, copy, and seize traveler's laptops - - without reasonable suspicion." The decision covers a range of electronic devices; in addition to seizing data from laptops, US Customs and Border protection officials can seize data from cell phones, handheld computers, digital cameras and USB drives. The EFF, the American Civil Liberties Union (ACLU), and the Business Travel Coalition have written a letter asking that the House Committee on Homeland Security "consider legislation to prevent abusive search practices by border agents and protect all Americans against suspicionless digital border inspections."


Computerworld
ACTE
The Register

[Editor's Note (Ranum): It's as if someone in the administration mistook his copy of "1984" for a road-map not a novel.
(Schultz): Customs officials' ability to seize any kind of property without reasonable suspicion lamentably once again shows the current level of disregard for individual rights in the United States. Big brother is not only watching; big brother is being totalitarian.
(Honan): A number of organisations outside the US have banned staff from travelling to the US with laptops or other electronic devices.]


It's bad enough that trojans and adware can spy on your every move, or that lost and stolen laptops can expose reams of confidential data, but now the US government also wants in on the action, in the name of the War on Terror.

This is like everything America does. The rest of the world will simply have to accept that that's the way it's going to be. We can hope that US citizens will do something about it, but until then it might be a better idea to give us a call to set up a VPN that you can use to remotely access confidential data directly from your network rather than trying to carry it into the US on a laptop.

It's probably a better idea anyway when one considers the prevalence of laptop theft.

Latest Major Whaling Attack Uses US District Court Subpoena

From SANS Newsbites Vol. 10 Num. 31

(April 16 & 17, 2008)
A spear phishing attack emerged this week targeting high-level executives at US firms. The emails, which include the executives' names and other specific information, appear to be subpoenas from the US District Court in San Diego. The link, which is supposed to be a copy of the subpoena, actually installs malware on the victim's computer that is capable of logging keystrokes and sending the harvested information to the attacker. An additional piece of malware allows the attacker to take remote control of the victim's computer. Phishing attacks that target corporate "big fish" have been referred to as "whaling."


NY Times
The Register
Computerworld
[Editor's Note (Honan): As these "Whaling" attacks are becoming more prevalent, you should ensure you make your senior management aware of this threat. Reviewing their profiles on online business networks and Googling their names is one way of highlighting to them the amount of personal information they are leaking which could be used against them.]


I guess there is a certain amount of satisfaction when 'the bosses' get conned, evidenced by calling this whaling, but the truth remains that social engineering is still the easiest way to penetrate an organisation or a computer. And anyone can fall prey to this attack vector.

This attack is obviously more sophisticated than those that simply fire off thousands of anonymous mailings claiming to be from a bank that you may or may not use. However, in this case, the rewards for a successful attack are also much higher as the targets are likely to have more valuable information on their computers.

It's also an important heads-up. One of the easiest ways to recognize a phishing attack is the generic nature of the mailing. This case is a reminder that a message containing specific information about its target is no reason to assume that it's legitimate. It's now important to also know what information about yourself is publicly available.

And that means that you have a legitimate excuse to indulge in a bit of ego-surfing... go on, Google is your friend.