SOA for E-Government Conference Wrap-up

Posted in SOA by AST on Monday, May 29th, 2006

Last week, I had the opportunity to present at the SOA for E-Government 2006 conference held in McLean, Virginia at the MITRE facility. If you are interested in seeing some of what I talked about, my presentation slides (MS PowerPoint) are available as part of the conference proceedings.

The main focus of my presentation was to try and share some of what we’ve learned in implementing an SOA solution for the Irish Government, and to illustrate that there’s more to SOA than WSDL, XML and dropping in ESB vendor X. It was supposed to be a case study of the requirements and how we’ve addressed them as well as highlighting that some of the decisions made for the Public Services Broker (PSB) were made in 1999 and 2000, when a lot of what people automatically think of when you say SOA didn’t exist yet.

Unfortunately, my presentation ended up being a bit shorter than I’d intended, but I tried to address the highlights. It’s pretty normal at conferences for things to slip from the original schedule as the day progresses, so it wasn’t that big of a deal. However, I hope I was able to convey some of what I wanted to say about technology choices and interoperability in a coherent fashion.

Other than that, it was a really great opportunity to meet many of the people from the SOA Community of Practice (CoP) mailing list and explore in more detail some of the themes we mentioned. I had some great conversations with Rebekah Metz & Joe Chiusano (Booz Allen Hamilton), Mills Davis (Project 10X), Miko Matsumura (Infravio) and, of course, Greg Lomow who also works for BearingPoint. Cory Casanave (Data Access Technologies), Richard Soley (OMG) and I almost had a really interesting conversation about OMG’s Model Driven Architecture (MDA) initiative and how it fits in with SOA. Unfortunately, we ran out of time, so I hope I can have the opportunity to explore this a bit more. At the moment, let’s just say that we’re not in agreement on how the two concepts (SOA & MDA) are related… ;)

The opening keynote from Ron Schmelzer (ZapThink) was pretty on target, and it served to highlight all of the “big picture” issues that were on the table for discussion for the rest of the conference. One thing that really bothered me though was the following general line of thinking:

If I want an SOA, then I need to define some WSDL so I can generate my service implementations which I just deploy into my ESB. – NOT!

One of the things that Rebekah’s presentation on the OASIS SOA Reference Model was trying to do was illustrate that SOA is first and foremost a way of thinking about building systems. After that, you can design your systems using the SOA architectural style (yes, the first paragraph still applies even though the article is talking about buildings and physical structures), and then you might implement that architecture using Web services, JMS, JINI, CORBA, XML/HTTP or something completely different. There are too many automatic assumptions of technology choices when most people mention SOA, leading to some misguided and distracting silliness like “SOA 2.0”. SOA isn’t about technology.

One of the more interesting topics of discussion on the SOA CoP mailing list was trying to come up with definitions and what SOA really means. I agree with a comment Greg made over lunch that what was being discussed was way ahead of our respective employers’ positions and “blessed” views on SOA. Building impressive demos via point-and-click service generation and deployment is all well and good, but it’s having a solid understanding of the underlying architectural paradigm which will allow the resulting system or systems to evolve gracefully in the face of guaranteed change as well as allow you to sleep peacefully at night. Limiting your thinking to SOA = WSDL + SOAP + ESB and Point-to-Point integration is certainly not going to meet either of those requirements.

Speaking of interesting demos, one of the projects presented by Anthony Bradley (Booz Allen Hamilton) on the DCGS-A integrates signals intelligence providers, weather services and some other goodies to plot “interesting” locations via integration with Google Earth’s rich client interface. Apart from the obvious security implications of calling out to Google (it is only a demo/proof of concept; the service offered by NASA is implementing the same service interface) this is a pretty cool, near real-time SOA infrastructure that is going to really make a difference by providing a common infrastructure across the different signal intelligence provider platforms. This presentation as well as other discussions last week which are applying SOA to the US DoD put a lot of stuff around the reliability, quality of service and security of SOA implementations in a different light. E-Government is somewhat different than E-Business, but it’s all a lot different than E-Defense when it comes to implementing those pesky non-functional requirements.

I’m sure there is more stuff that I’m forgetting right now. Dr. Richard Soley (OMG) gave one of his trademark, bigger-than-life keynote presentations to close the conference. I first met Dr. Soley when I was presenting at the Segue Software QUEST ‘99 conference and was doing some interesting stuff with CORBA at Informix. In some ways, he and Marcus Ranum share some personality characteristics: they’re both highly opinionated, very ready to defend/support their position and very intelligent individuals who give witty presentations. I enjoyed the presentation quite a lot, even if we don’t see eye-to-eye on MDA’s role in SOA. Still, I could be wrong–it isn’t like it never happens.

Finally, I’d like to thank Brand Niemann (the SICoP Co-Chair) and Greg Lomow, as co-chairs of the conference, and MITRE for hosting it. I very much appreciated the opportunity to present what I’ve been doing and hope to continue to actively participate in the on-going activities of the SOA CoP. I think that the conference was a success, but I still think there’s lots of work yet to be done by the CoP in defining a strategy for SOA within the US Government. Also, I’d like to apologize to David Webber and Ken Laskey because I didn’t get the opportunity to speak to them in person. Hopefully, I’ll get the chance next time.

Doug & Wendy vs. Your Credit Card Data

Posted in Rants, Security by AST on Tuesday, May 16th, 2006

How many people ever saw the SNL skits featuring Doug & Wendy Whiner? If you never did, then the title won’t make much sense to you. Essentially, the Whiners are a couple that whine about nearly everything. Unfortunately, it’s remarkable how much reality was in those skits.

Having just come back from giving presentations about effective data protection and understanding the fundamental premise of legitimacy or fairness expected implicitly by customers from organizations who store our data, this CNET article scared me to death: “Credit card security rules to get update.”

The article discusses proposed changes to the security requirements for businesses that accept credit card information. Currently, the PCI standard (PDF) developed by both MasterCard and VISA requires the following (from the VISA CISP information page):

  1. Install and maintain a firewall
  2. Do not use vendor-supplied default passwords or other security features
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security

To anyone who has ever built or implemented a security policy, the above should seem to be pretty standard stuff, and it’s pretty fair to the customer in attempting to protect access to their data. However, these quotes from the article indicate that some legacy systems can’t cope with the requirements, so they need to be “relaxed”:

“Today, the requirement is to make all information unreadable wherever it is stored,” Maxwell [director of e-Business and Emerging Technologies at MasterCard] said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.

and

The challenge with encryption is that older payment systems were not built to support the scrambling technology, said Qualys CEO Philippe Courtot. “Encryption is the ultimate measure of security, but the current applications have not been designed with encryption in mind,” Courtot said.

These systems and their delinquent owners are holding your, yes, that’s right, they’re holding your credit card data unencrypted because of flaws in the application. That’s equivalent to the police saying that it was too hard to catch the guy breaking into your car, so you should just keep it in the garage instead where it’s safe.

The Whiners who own the defective applications are whining to Visa and MasterCard–and they’re listening! This is incredible. To be fair to Qualys’ CEO, I’m going to assume that he’s stating that there were complaints rather than his own opinion here.

So, how are these delinquent systems going to keep your data (and your identity) safe from the bad guys? You’ll love this:

Changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. “There will be more-acceptable compensating and mitigating controls,” he said.

Right, so let me get this straight: no encryption; more firewalls. Because, as Marcus Ranum says, firewalls just don’t work, and, well, nobody reads any of these articles anyway:

Granted, this article from ZDNet, “Lose your backup tapes? It could be worse” makes two good points: a) it would take some pretty serious knowledge to get the data off the tapes, and b) the fact that the tapes are missing is going to be pretty obvious. However, what he also points out is that there are even easier ways to get at the data–all you need to do is get to the machine. Since the data isn’t going to need to be encrypted on the machine anymore, once you have access to the machine, you have access to the credit card data. It’s as simple as that.

The silly thing is that encryption isn’t rocket science, and it isn’t hard to design systems to take advantage of encryption techniques to store the information. In the absolute worst case scenario, you just have to pay your database vendor to solve the problem for you, and you don’t even need to change a single line of application source code. I don’t recommend this as the right way to solve the problem, but it is an alternative if all else fails. The latest versions of Oracle actually have some pretty sophisticated mechanisms for compartmentalizing data in the database.
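As an added example (not code from the original post, nor Visa’s or MasterCard’s guidance) of what application-level protection of stored cardholder data looks like, the Go program below seals a PAN with AES-GCM under a key the application holds outside the database, stores only the last four digits in clear, and binds each ciphertext to its own record ID so that a copied blob fails to decrypt on another row. The key, the record ID and the card number are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// StoredCard is the only thing that lands in the database: the last four digits
// in clear (what receipts and support staff need) plus the sealed PAN.
type StoredCard struct {
	Last4      string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: encrypted PAN followed by a 16-byte tag
}

// CardVault holds the data-encryption key. The key is never written next to the
// records, so a copy of the table or of the disk image yields no usable PANs.
type CardVault struct {
	aead cipher.AEAD
}

// NewCardVault builds a vault from a 16-, 24- or 32-byte AES key that the
// application fetches from its key store at start-up (constructed in main here).
func NewCardVault(key []byte) (*CardVault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CardVault{aead: aead}, nil
}

// Seal validates and encrypts a PAN. recordID is passed as associated data, so a
// ciphertext moved onto another customer's row will not decrypt.
func (v *CardVault) Seal(recordID, pan string) (StoredCard, error) {
	digits := strings.ReplaceAll(pan, " ", "")
	if len(digits) < 13 || len(digits) > 19 || strings.Trim(digits, "0123456789") != "" {
		return StoredCard{}, errors.New("PAN must be 13-19 digits")
	}
	nonce := make([]byte, v.aead.NonceSize()) // fresh 96-bit nonce for every record
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	ct := v.aead.Seal(nil, nonce, []byte(digits), []byte(recordID))
	return StoredCard{Last4: digits[len(digits)-4:], Nonce: nonce, Ciphertext: ct}, nil
}

// Open recovers the PAN; it fails on a wrong key, a wrong record ID, or any
// modification of nonce or ciphertext, because GCM authenticates all three.
func (v *CardVault) Open(recordID string, sc StoredCard) (string, error) {
	pt, err := v.aead.Open(nil, sc.Nonce, sc.Ciphertext, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key only
	vault, err := NewCardVault(key)
	if err != nil {
		panic(err)
	}
	rec, err := vault.Seal("cust-42", "4111 1111 1111 1111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: last4=%s ciphertext=%x\n", rec.Last4, rec.Ciphertext)
	pan, err := vault.Open("cust-42", rec)
	fmt.Println("decrypted with key and right record:", pan, err)
	_, err = vault.Open("cust-43", rec) // same blob, wrong row: authentication fails
	fmt.Println("decrypted with wrong record:", err)
}
```

Whoever reads the table or images the machine without the key sees only the last four digits and an opaque blob, which is exactly the property the relaxed requirement gives up.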

The good news is that it’s only currently a proposal, but the bad news is that, due to the Whiners of the world, the proposal is likely to be accepted by MasterCard and Visa. If MasterCard and Visa accept it, they’re really going to lose a lot of points with people, because it proves that they really aren’t as serious about security as they should be, and that with enough pressure, they’ll revisit security controls which some find “inconvenient” or “difficult to implement”. Given that the number of people in IT and especially management who actually understand security is quite low, this is a slippery slope to start down.

InfoSeCon 2006 Wrap-up

Posted in Security by AST on Friday, May 12th, 2006

I originally had grand plans to do a day-by-day summary of the conference, but then I decided that I really didn’t want to touch my computer any more than I had to while I was at the conference (well, that and the fact that the wireless in the hotel didn’t cover my room). As a result, I’m going to lump it all together and just focus on overall impressions and highlights.

Personally, I had a great time at this year’s InfoSeCon conference in Dubrovnik. Last year, I had the opportunity to meet some really well-respected security professionals like David Bianco, Vince Gallo, Richard Neely, Jorge Sebastiao and John Sherwood who were all back for this year’s conference. It was great to see them all again and see what they’ve been up to since last year.

This year, I also had the opportunity to meet and have some really good chats with Ron Collette, Steven Cox, Mike Gentile, Marcus Ranum and Radovan Semancik. The nice thing about InfoSeCon is that because it is a smaller conference, you really have the opportunity to interact and get to know people. I think this is a really valuable experience for both the speakers and the delegates.

Some of the things that really stand out in my memory of this year’s conference are:

Vince Gallo’s presentations on Steganalysis and Intel’s new LaGrande technology

The steg presentation was very interesting because it showed that there really are trends that you can identify from seemingly random image information that can be used to detect messages embedded in binary formats. I’m not giving anything away here because the research and implementations that Vince and his team at Inforenz are doing are based on published work that is freely available.

The LaGrande technology is something that I hadn’t heard about yet, but it is intended to allow you to provide, in Vince’s words, a secure “VPN-like channel” for the execution of code within an untrusted environment [software and hardware] that has important applications for trusted computing.

While the technical content of both presentations was very interesting, some of the stories Vince was telling at dinner really reinforced that we really do need to cultivate more people like Vince in the current technology workforce. He’s been in the business of writing security code and building secure hardware devices for more than 20 years.

What this really means is he’s seen a number of the 6-8 year iterations of ideas and technology come and go, and understands the strengths and weaknesses of technologies and techniques at a level that a lot of “senior and experienced” security professionals and developers just don’t have. It isn’t that there aren’t people like or better than Vince in the world, but they’re few and far between because of the way the industry works–you’re not supposed to have 20 years of experience and still be writing code every day. I mean, come on, what’s wrong with you?

However, if you ever have an opportunity to sit down and talk with these guys, you’ll be doing yourself a great disservice if you don’t take advantage of it. Think about this the next time a vendor or consultant tries to sell you a new security solution. Experience really does matter.

Marcus Ranum’s presentations on general security and firewalls

Of all the things you could say about Marcus, saying he was not someone with strong opinions wouldn’t be one of them. His presentation, “Dude, where’d my firewall go?” was very interesting and highlighted a few things that most people don’t think about:

  • Why today’s firewalls are so fast

    Marcus contrasted the early firewalls that he developed against the firewalls of today. There are a couple of key differences: first, the first generation of firewalls enforced protocol correctness based on the limited number of commands that were actually used by deployed software vs. the number of commands that were actually available.

    With the original firewalls, the vulnerabilities in the software didn’t matter too much because the firewall wouldn’t let unexpected application protocol traffic (often referred to as layer 7 traffic) past them. The device actually understood what was going on on the connection and would drop it if strange things started happening.

    Today’s firewalls don’t understand applications, so they don’t do anything other than relay traffic to a specific back-end application–with all of its vulnerabilities laid bare to the world for exploitation.

    The second reason that today’s firewalls are so fast is they generally don’t do anything useful out of the box. That’s right, the $60K piece of hardware is actually going to do nothing to protect your network until you enable the controls. What’s that about default to no access or something crazy like that? Oh, and when you do start turning on those controls, it will slow down the traffic going through your network. Wow. What a surprise, but, according to Marcus, people don’t find that acceptable so they turn off the protections. Excellent stuff.

  • Why signature-based tools like IDS and virus scanners don’t work

    This point was illustrated with a brilliant story about castle guards and Vikings (Marcus is also a bit of a military historian). The problem is that the tools (firewalls and anti-virus) don’t know about Vikings, they know about Eric the Red.

    Castle guard: “Are you Eric the Red?”
    Canute the Viking: “Nope.”
    Castle guard: “Ok, then. In you go.”

    At which point, Canute the Viking enters the castle and begins his conquest of England, Denmark, Norway and part of Sweden. Are you starting to see the issue here?

    The issue is that the guard needs to know all of the potential attackers on a first-name and by-sight basis. While this is theoretically possible, in practice it will never work because you’re always reactive and there are a lot more potential Vikings in the world than there are of you. Military history shows us that the people who were always on the defensive generally didn’t end up winning the war.
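As an added illustration of the two points above (not code from the talk or from this post), here is a Go sketch of both approaches applied to one line of SMTP traffic: a first-generation style enforcer that admits only the handful of verbs deployed mail clients actually use, with a shape check on each argument, beside a signature filter that only knows verb names from past incident reports. The verb list, the signature list and the sample traffic are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// allowedVerbs is the positive model of a first-generation proxy firewall: the
// verbs deployed clients actually send, each with the shape its argument must
// have. Everything else on the wire is dropped. (Constructed list.)
var allowedVerbs = map[string]*regexp.Regexp{
	"HELO": regexp.MustCompile(`^[A-Za-z0-9.-]{1,255}$`),
	"EHLO": regexp.MustCompile(`^[A-Za-z0-9.-]{1,255}$`),
	"MAIL": regexp.MustCompile(`^FROM:<[^<>\s]{0,256}>$`),
	"RCPT": regexp.MustCompile(`^TO:<[^<>\s]{1,256}>$`),
	"DATA": regexp.MustCompile(`^$`),
	"QUIT": regexp.MustCompile(`^$`),
}

// ProtocolEnforce answers "is this a well-formed command we expect?"; an
// unknown or malformed line is refused by default.
func ProtocolEnforce(line string) bool {
	line = strings.TrimRight(line, "\r\n")
	if len(line) > 512 { // longer than the protocol allows means something is wrong
		return false
	}
	verb, arg, _ := strings.Cut(line, " ")
	shape, known := allowedVerbs[strings.ToUpper(verb)]
	return known && shape.MatchString(strings.TrimSpace(arg))
}

// signatures is the "Eric the Red" list: verbs named in past reports. (Constructed.)
var signatures = []string{"VRFY", "EXPN"}

// SignatureFilter answers "is this one of the attackers we have heard of?";
// anything not on the list is waved through, which is the guard's mistake.
func SignatureFilter(line string) bool {
	verb, _, _ := strings.Cut(strings.TrimRight(line, "\r\n"), " ")
	for _, s := range signatures {
		if strings.EqualFold(verb, s) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed traffic: two ordinary commands, one listed verb, and one
	// valid-but-unexpected verb standing in for Canute.
	for _, line := range []string{
		"MAIL FROM:<alice@example.com>", "RCPT TO:<bob@example.org>",
		"VRFY root", "HELP",
	} {
		fmt.Printf("%-32q protocol=%-5v signature=%v\n",
			line, ProtocolEnforce(line), SignatureFilter(line))
	}
}
```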

I hadn’t gotten the opportunity to meet Marcus in the past, but I had read some of his articles. I have to say that you can’t really form an opinion about Marcus until you meet him in person. I certainly have a different impression of him than I did before the conference. There was no question that he was a smart, funny and irreverent guy who knew his stuff, but he’s also a very interesting and genuine guy who really doesn’t just disagree with things for the sake of disagreeing (despite what you may think from reading some of his work). I have a tremendous amount of respect for Marcus and what he knows–even if I don’t always agree with him (now that I know Marcus, I’m sure he’ll take this in the way that it was intended). :)

Jorge Sebastiao giving me the best intro I could have possibly wanted for a presentation on privacy (flash required)

At the end of Jorge’s presentation on Business Impact Analysis, he played the above flash video about the guy who tries to order a pizza and is refused the one he wants because the pizza order taker has access to his health records and other personal information. I don’t really remember how it fit with his presentation, but I think I’ll have to work it in to mine for the next time I give it. Why is it we’re concerned about access to our personal information again?

The tag-team presentation by Mike Gentile and Ron Collette on security program development

I ended up sitting on the plane next to Mike and his wife on the way to the conference and this was the start of a couple of new friendships with the folks from California. All week long, Mike and Ron were talking about what a rebel each of them was and how many people they deal with see what they’re saying about security as highly controversial. I was looking forward to their presentation, and couldn’t imagine what it was going to be like.

You also need to understand they both are accomplished athletes (Mike played soccer and Ron played American football), so to see them present is a very interesting study in both American culture and teamwork. It wasn’t quite one completing the other’s sentences, but it was a very effective presentation technique. Having spent a lot of time with them this week, I can attest that they’re really just like that, but I can imagine the reaction they might get at Fortune 100 companies, because they’re both really down-to-earth and practical guys focused on results.

The best part was that after their presentation, David Bianco made the comment that he really didn’t see anything controversial in their message at all–it was just sound security practices. David’s comment got resounding nods from most of the other people in the audience. However, the issue here isn’t that Mike and Ron were preaching to the choir, because there was really some good stuff in what they said; instead, the issue is that what they said could be considered controversial at all. It underlines the fact that in any aspect of security, most organizations really have a lot to learn about how to do it properly. While this is good news for security professionals, if you really think about it, it’s pretty terrifying as a customer of these organizations. Mike and Ron are going to be really successful because they know what they’re talking about, they can articulate it in a way people understand, they’re genuine and they care about what they’re doing.

In reality, there were a lot more great things that happened at the conference than these, but I don’t want to end up writing War and Peace. I think that everyone I talked to really enjoyed the conference and thought it was worthwhile.

Finally, I want to thank Stanko & Biljana Cerin for all their hard work in putting the conference together. These are two of the nicest, most genuine and hard working people that I’ve met. They really believe in bringing a high level of quality security material to people in Croatia and the surrounding countries. Not only do they believe it, but they are also qualified security professionals in their own right.

I’m already looking forward to next year’s conference–better go start figuring out what I’m going to talk about…

Travel Time

Posted in Life by AST on Monday, May 1st, 2006

The two of you who regularly read this blog may have noticed that I got kind of quiet lately–as unusual for me as that is. ;) The last few weeks have been pretty manic, but I’m now starting to catch up and return to normal. The good thing is that it’s given me a few brief opportunities to practice with my new Canon EFS 17-85mm IS lens.

[Photo: Chambéry, France in springtime. A picture of rooftops, flowers in bloom and the mountains.]

First off was a trip to Chambéry, France. Sophie and I hadn’t been there since the wedding and we had a few days off for Easter, so we decided that it was a good time to go. It rained a little bit while we were there, but for the most part, it was sunny and beautiful days, lots of food and walks in the mountains. A nice break, even if I did have to spend a part of the time studying for a certification test.

I spent about 2 hours walking around Barberaz which looks down on the city of Chambéry, so I guess, technically, this picture would be better titled “Barberaz in Springtime”. I discovered a few things about my lens, though. It really doesn’t like having both the UV filter and a polarizer on it when it is set to 17mm. You get dark corners from the polarizer. I haven’t tried it without the UV filter to see if that makes a difference, but it was somewhat of a surprise. Either way, with the clouds that were out that day, it didn’t make too much difference, so I ended up not using it for most of the shots.

[Photo: Frankfurt, Germany. A picture of distant skyscrapers from along the river near the Intercontinental Hotel.]

After a short week back in Dublin, it was off to a BearingPoint training course in Frankfurt on Sunday afternoon. I had never been to Germany before, so I was looking forward to the trip; however, I wasn’t really sure what to expect from the training course. My general experience with training courses is that you’re better off buying some sort of book about the subject and spending the time that way. Fortunately, this didn’t hold true in Frankfurt.

The course had several really good aspects. First and foremost, it was great to meet other people from BearingPoint from the Americas and Europe. While the majority of people attending were from Germany, there were representatives from the US, Canada, UK, France, Spain, Finland, Denmark and Russia (I know I’ve forgotten a few, so please don’t get upset). I think the course did pretty well on cultural diversity, and that was also one of the subjects of a session. Knowing the cultural assumptions and grounding that may influence someone is a big help when you need to communicate with them effectively in both business and personal settings. It was actually interesting to see how many of the sweeping generalizations held true as you interacted with the participants. Another topic which was the subject of an entire day was Ken Blanchard’s Situational Leadership II. Ken is the author of the One Minute Manager series of books. I thought the sessions were quite good, but I’ll talk more about SLII in another post.

After the 4 late nights and early mornings of the training session, I was a bit wrecked. In order to unwind and to re-introduce myself to my wife, Sophie and I made some sandwiches and headed off for some hill walking in Glendalough yesterday morning. The weather was supposed to be sunny in the morning, but then start to rain later in the day. It turned out that the forecast was half right–from about 5pm until after midnight, it was steady rain.

[Photo: Glendalough, Ireland. A picture of a waterfall near the old miners’ ruins above the big lake.]

Fortunately for us, we missed the rain. It only started after we got back to the car park. Growing up in the Alps, walking in the mountains is something Sophie enjoys quite a bit. The closest approximation we have in Dublin is the Wicklow mountains, which, if you’ve ever been there, are not exactly the same definition of mountain as in France. We were looking for a half-day walk, so we decided to take the “white” trail this time.

The white trail starts at the bottom of the big, upper lake and goes up one side of the mountain, down around the back of the lake to the old miners village, then makes a circle through the pine forest back down to the bottom of the lake. The view of the valley is pretty impressive from the top, but both of us were chuckling a bit as we were walking along the path (two railroad ties bound together with studs and chicken wire for traction). I don’t think whoever labeled the white trail as “dangerous cliffs; for experienced hikers” has ever spent much time hiking in the Alps. Still, everything is relative. I couldn’t shake the impression of the 4-lane motorway though as we walked along.

Once you get to the top of the upper lake, there really is a lot of water flowing down the mountain. I’ve always liked moving water, and with a slower shutter speed, you can get some nice visual effects that capture the overall impression of the movement. Once we got this far on the trail, it was “waterfall day”, and I ended up taking lots of pictures of the literally hundreds of waterfalls in this part of the park. I like this one the best. It was taken at 1/12th of a second and f/11 at 33mm with ISO100 using the timer. I’m still trying to come to an agreement with my camera. There are a lot more crap pictures than there are good ones, but, it’s just a matter of practice. Hopefully, we’ll have a few more nice days and we’ll be able to make it back for more opportunities.

Next week is InfoSeCon in Dubrovnik, and then I’m back for a week before I head to Washington D.C. to present at the SOA for E-Government conference. Croatia will be a nice trip, and I’m looking forward to returning to DC. It’s been about 4 years since I’ve been there, and I’m sure that it’s changed quite a lot. I expect both trips to give me ample opportunities to tackle my current biggest challenge: indoor photography without a flash and without using ISO1600. I’ll hopefully be able to show you some of the positive results. :)