I was asked a question around the Capital One breach. It seems that, in some areas, fingers are being pointed at Amazon, and they should be held (at least partly) to blame for this. It also seems as if Senator Wyden is also asking Amazon questions around this. There’s also a question around Paige Thompson, the hacker, and her previous relationship as an Amazon employee. If she used any insider knowledge to break into Capital One then this would erode a lot of trust in Amazon’s Web Services, and the public cloud in general.
I was at a conference the other week and the discussion turned to DevSecOps, and the comment of “it should have remained SecDevOps” was made. Now I’m a security guy so I joked that it really should be “SecDevSecOpsSec”, which got a laugh. But I was actually serious because I feel the focus on DevSecOps is causing a lot of other work to be missed. DevSecOps is good… A lot of the focus on DevSecOps is around improving code quality and security without harming the productivity enhancements that DevOps has brought to the table.
Every day we hear of yet another data breach. One common reason is because of password compromise. The problem may be because of successfully phishing; it may be due to password re-use; it may be due to brute force attacks; it may just be weak passwords. So it is now considered best practice to use some form of Multi Factor Authentication. To quickly summarise, MFA is 2-or-more of the following factors:
I have a Friedrich aircon. It’s of the old school. The only intelligent part of it is “eco” mode (turn off the fan when the temperature is cold enough) and a simple timer (“turn on in 9 hours time”). It’s this timer that annoys me; you have to set it every day. A number of days I would go to work, forgetting to set it, and come home to a house in the mid-90F.
My garage door is controlled my a Lynx 455 Plus garage opener This is a pretty traditional opener; a door-bell type button inside the garage to open/close the door and a remote control for wireless access. I wanted to see if I could make this smart-enabled. Now the control side is simple enough; just put a relay in parallel to the button. If the relay closes then the opener will think the button has been pressed.
This post isn’t in my normal theme. I’m gonna describe how I made my home smart. Well, semi-smart. Over the past couple of years I’ve slowly been making my house lights be smart. In many places I’ve used Hue White Bulbs. They’re frequently on sale and can be got for around $10/bulb, which isn’t bad. With the hub they can be controlled by Alexa, or locally by using the API exposed on the hub.
Over the past couple of years I’ve been building out an Alexa skill for my media center. So now I can say things like “Alexa, tell media to play music”. That will turn my receiver on, switch it to the Mac input, and start iTunes playing. Similarly “Alexa, tell media to switch to TiVo”, “Alexa tell media to pause”. The backend code running on the Mac asks the receiver what input is selected (TiVo, Mac, BluRay…) and if on the Mac it works out what application has focus (iTunes, DVD Player, Kodi, …) so when a command such as “pause” is received then it knows how to send the appropriate action.
I get email… What are your thoughts about making a career out of specialising in Unix? It seems like you’ve done quite well… Interesting question… Realise that I started doing this 30 years ago. At that time there was no Windows (Windows 1.0 was around the corner). We had DOS. Networking was mostly serial based; if you were (un)lucky you might have had Banyon Vines or Novell or some other proprietary network stack.
It’s an article of faith that the development process starts in the part of the network set aside for development work. Then the code may go to the QA area for QA testing, UAT area for UAT, production area for production. That statement almost looks like a truism; development work is done in DEV. So a corporate network may be divided along dev/uat/prod lines, with firewalls between them so that development code can’t impact production services.
In a well controlled environment you typically do not want people logging into servers with privileged access (absent of additional external processes, such as a keystroke logged session manager). If you have 5 SAs all logging in as root then how can you audit activity and determine if it was Tom, Dick or Harry that rebooted the server? Similarly you don’t want DBAs directly logging in as oracle; how do you know who dropped the production table?