Saturday, June 29, 2013

The danger of license plate scanning systems and other unauthorized databases

The license plate scanning systems allow you to build databases that are used to draw the path of a vehicle within a geographical area where there is a certain minimum amount of surveillance cameras connected to the system capture / scan / ANPR.

That way, you can achieve extremely valuable metadata, and technological infrastructure necessary to obtain relatively cheap and accessible in Argentina.

The problem is that they are a gray area to regulate: a database that stores information publicly available (tuition, is visible from anyone on the street), but accumulates extremely sensitive metadata: because the State has the information and the ability to associate patent data (owner, model, etc..), usual routes traveled by a vehicle that has given tuition.

In Argentina the gray area occurs in this type of database "derived" is not entirely governed by the law, at most could be legally challenged at some point, if data traffic / travel is reached using as evidence in a trial.

Similarly, this notion is preferably avoided by any means, and tour metadata are mainly used for research and obtaining other evidence of crimes, less controversial and / or with the potential to be challenged legally, but even trigger a public controversy leading to regulate a gray area that today is not regulated.

Examples of possible problems:

Most of these databases use "internal" in the security forces are accessed by operators who are not specialists, and many rigid and strict procedures hardening of access must be followed in order to ensure that access to metadata tracking enrollments remain available only as specifically authorized - and eventually auditable - for this, and not made available to third parties interested eyes, and worse, third parties from which there is no knowledge and no one is going to be audited.

The problem is given in the current databases are immersed in highly connected systems, and a database that few or almost no one is aware is particularly appropriate for unauthorized access, precisely because many users of networks and systems could eventually be connected to the database, have no true idea of ??the importance of being wrong and / or minimal skipping hardening rules.

For example, are classic examples of de-securitization of facilities and secure computer networks include:

- USB ports in the access terminals to the database, where anyone can connect:

* USB Keychain: they may contain trojans built to work in disconnected networks (with "air gap", which do not have any Internet network link) and go riding infrastructure "dropboxes" data (which will keep the stolen information , which will be transferred to key the next time you connect), but directly go installing backdoors that try to connect to the Internet.

* USB devices via 3G or Wifi connectivity: thus, an alleged safe immediately becomes a network connected to the Internet, with the number of potential problems that this entails.

- To allow access to the facility smartphones: hacking possibilities are from few to total in the case of a targeted attack that is using smartphones as "post" to achieve circumvent the "air gap" that keeps the network safe Base disconnected.

- Let there be no surveillance, automatic constant video recording for operators: A security measure extremely simple to use (almost all medium sized supermarkets hereinafter implemented in their collection boxes), if absent, generates deshusada the possibility of invalidating all other measures, for example, an operator simply because if lost or stolen credentials (ideally 2-factor: credenciales-smartcards/contraseña), that way if anyone else - including other authorized operator - used access, there is no way to identify the person who impersonó the operator. etc.


That is, the potential for misuse of databases with sensitive metadata is great, and have no criminal problems - yet - simply because very few people - ordinary citizens and "civilian" unrelated mainly security forces - is to both the potential of these tools in the usual political games, economic, socio-economic, etc..

As "players" sufficiently motivated and well funded require access - legally or illegally - to metadata, we may see the first cases - public - misuse of these databases.

If Argentina is almost a habit which complete records appear - privadísimos and very restricted access - photocopied out of court, it is expected that given the superlative value of the metadata (as opposed to a "simple" file for example), eventually give rise to important interests move toward trying to access them illegally, which effectively will be much easier if people totally ignore the danger and the real value of these databases.

Tuesday, June 18, 2013

XBOX ONE in june
Today we will discuss the microsoft xbox one, the new generation console that comes with microsoft polemics.

Technical characteristics are known, eight cores AMD, AMD Radeon graphics card, 8GB RAM DDR3 and 500GB internal storage. It also has Blu ray reader and is accompanied by kinetic 2 which comes with an upgrade to play in low light.

The completely redesigned, more square, perfectly straight lines, it has gone from a game console into a multimedia center for our home. According to some PS4 is focused on ONE XBOX Gamers and the whole family.

Some of the connection are to be connected to electric power, HDMI, USB 3.0 positions, optical audio, ethernet connection, kinect and an infrared port is not yet known what is its usefulness.

What is the controversy of this console? to start, we will have to connect once every 24 Hs Internet, one of the negatives is that games can not be delivered to more than one person at once. Something is rumored that will have regional limit, ie if you buy a game in Japan may not be used in Europe.

What it is going to allow the sale of second-hand, but only in approved.

Hand in hand with this console will come out some games like dead rising 3 spark project, forza motorsport 5, halo spartan assault.

This console cost Many euros, it is estimated that will be released in November. In this case includes the kinect.

Monday, May 20, 2013

Opensource monitoring rapid testing, the 2013 update of capabilities

It was a busy week so far, I've been re-examining the status of different monitoring solutions based on opensource soft, and since Monday I deployando Nagios, Icinga, Ganglia, Cacti, OpenNMS and Zabbix, and Sensu'm installing now.

 Basically OpenNMS is what worked best out-of-the-box, carrying only a couple of hours the first complete installation + configuration (the 1st. Was the test too), and then with a few clicks, a self-discovery well swept detecting range of my network devices testing. Set thresholds and messaging was a bit more work, another hour of work, reading some documentation rather confusing and confused mails requests for assistance from users and vague answers. Sure, the solution was quite simple and intuitive ... after having operated the first time. Basically it works quite well but is a bit unstable in the sense that additional plugins deployar fast - track apt for example - will not end up always in a completely stable OpenNMS, and can have a service running perfectly for hours after installing plugins, and then the first system reboot, something triggerea boot failure, and error messages are basically the output dump of Java VM, and rarely contain useful information for recovery (the "profile "Response of the forums / lists that aims lot OpenNMS advanced users are very familiar with identifying" parts "of the soft setting to change / fix directly looking JVM dump rather than search / find that information in some documentation).

For example, to install the DHCP monitoring plugin, configure it, and then uninstall it, let the software unable to boot due to lack of binaries to start the service, in this case was lucky and the error message clearly indicated that the failure was because I could not start the DHCP service monitoring, and the solution was simply to return to comment on the service in the corresponding configuration file (and thus the attempt to start it off at the start of OpenNMS).

Cacti was very easy to install, use Cacti is so simple that almost no one bothered to create tutorials on how to add a device and potentially generate (and order), the graphics, but .. "simple" does not imply that it is fully intuitive, and I was a good half hour playing with the GUI to understand the workflow to add devices and generate graphical information, reason deployar basis for Cacti (anyway, apparently, OpenNMS is generating "exactly" the same information, but of course , must navigate several menus to find, in Cacti it has in view after login directly).

Ganglia is always my first choice to gather information and use performance servers, mainly because it installs quickly, requires no more than installing the software server, the soft client, and "hook" in configuration (you have to tell the client soft , the agent on the server ganglia to monitor, what is your - or their - server to accept communications). After installing Ganglia and leave taking information, I began to review the other options and half way to be pretty determined to implement OpenNMS and Cacti, Ganglia already had armed graphic profiles of my testing systems.

A Zabbix installed it in minutes (and a couple of agents as well), and the GUI is very attractive although it is not as intuitive as the OpenNMS (which is not too intuitive either), anyway I placed the capability of self- triggereé rapid discovery and discovery, which failed to capture a single device on the same network range that had loaded two hours earlier in OpenNMS (where the latter soft and perfectly detected my test servers and devices, snmp data included). So I went to the GUI to find documentation without further explanation of the procedure added - "intuitive" - ??devices, hence I find in forums and mailing lists, finding nothing back, I guess it is so easy that anyone bother to write a step-by-step, so I left without configuring Zabbix running for now (to find how to add devices). Similarly, at each stroke of Google I keep finding recommendations that Zabbix is ??"very easy", I guess you refer to the installation, but I have to devote more than the 20 minutes I spent in order to conclude something about the software ( and be able to charge at least a couple of test devices). If it does work, you might have a little utility that OpenNMS inclusive.

Nagios (and Icinga, in my first contact with the soft, I used my expertise in Nagios and I could configure / manage without any issue, so the portability of skills I can confirm) is what I left to prove in the end, it is tempting the desire to produce the software easier and faster set deployar, this does not always mean that the software is reasonably easy to manage on a day to day (well, in the case of Nagios IS easy to manage), and / or that scales very well even in the medium term.

Nagios does not scale at all well in dynamic environments where servers production up and down constantly, and the basic measure of this is to implement nagios to monitor clouds environments, however, if you implement Nagios in virtualized environments, quickly see how your servers only and stable production are constantly monitored, while the other servers that are plucked and off dynamically, even though they are in production, while slowly being left behind Nagios configurations only dedicated to control the servers that are running continuously without downtimes dynamic .

Besides there is the temptation to integrate Nagios + Cacti, Nagios Royal Decrees + Nagios + whatever, a solution that will quickly stop correctly reflect the true performance profile total virtualized environments, of course, unless you choose to handle the architecture so your servers "fixed" in production are always working on certain hypervisors and others, but dynamically torn production / off and of testing (that are created and deleted regularly), are limited to other hypervisors.

Mmm, there is a problem in that precisely the possibility of using idle capacity in hypervisors virtualize is reason in principle, so "limit" the focus of virtualized infrastructure for one (1) software does not have capabilities to "follow "the dynamism of virtual infra take excess capabilities in virtualization solution. Consider for example that the power limitation is dramatically when run on servers virtualized infras complex configurations (which define hierarchies for dynamic off hypervisor VMs under certain performance profiles, for example).

Sure, Nagios can be "adapted" to dynamic scenarios, but those settings will be static (basically you could "play" with schedulear downtimes scheduled downtimes match the estimable that VMs will take off when the servers virtualized infra ), with the result that on one hand we set the virtual infra automatically to fit on the other hand we have to deal with (re) adapt manual / software configuration continuously monitoring for servers.

Almost none of these conclusions is new (see the links monitoring-sucks), or use commercial software is the solution (it has the same limitations to adapt to dynamic infrastructures in general), and not that the same thing happens with the rest software I tried: OpenNMS, Cacti, Ganglia, etc.

I lack Groundwork and HypericHQ test (similar to Zabbix, commercial, but at least opensource or freeware) and see how they behave. I find it funny how the pages of all monitoring software sold say they are the best or something like this:-D> "The World's Largest Monitoring Web Applications"

Tuesday, May 7, 2013

Complete IT solutions and an example with vSphere virtual infrastructure

This article tell you how stole. solutions "complete" are not, and you have to complete them to really fulfill the purpose for which they were designed. There are also comments on the areas of responsibility of third party IT providers and suppliers regarding internal IT organization with its main client (the organization).

Good solutions, but partial
Infrastructure is common to see that when buying an IT solution, the company agrees to perform work, comes to the company / organization, does the work and then leaves. Leaving outstanding guarantees, for a time, under certain conditions, etc..

For example, installing an infrastructure vSphere hypervisors are installed, mount the vCenter server is added to vCenter hypervisors, virtual machines are deploya some - probably not, and ready (up there is the work agreed with the supplier IT service in this example). The customer then takes the baton from there, managing all infrastructure - now virtual. Installing, migrating operating systems from physical to virtual, etc.. etc.

The spot price of infrastructure work and its limits are essential, but the supplier will take over to Infinity any question related to what you installed / configured initially.

Complete IT Solutions
Now, the case of the areas of internal systems in the organization is rather different. Each area internal IT organization is required to sustain the continuity of the infrastructure over time, long-term.

What is very different from commercial IT supplier obligation, however it is common for the internal IT solutions are implemented in an organization "one-time", then they are left "as is" and without taking into prerogative account maintenance and continuous improvement (which is stole. a requirement of the job for internal IT employees in the area by the way).

Following the example of vSphere infrastructure, some steps after the "simple" installation and configuration of vSphere virtual infra could be (more or less in order of strategic importance-technical):

1) Implement automated backup vCenter Configuration (and backend DB)

2) Implement the automated backup ESXi configuration,

3) Deployar (buy stole.) Virtual backup solution (Veem, etc..) To the virtual machines themselves,

4) Implement automated check settings (remove all settings in vSphere, dump a GIT or the like, then go doing it regularly, to have an accurate central record of each configuration change), AKA "configuration management".

5) Implement virtual infrastructure monitoring (several ways)

6) Deployar one vSphere Update Manager (to keep all hypervisors updated / patched),

7) Implement High Availability for vCenter (ie mount another vCenter server, any of the several possible ways),

8) Implement required maintenance automation for vCenter (tip: the DB backend needs attention at times).

9) How to proceed and what to do just from the technical to recover the fall / crash / out of service any component of vSphere virtual infrastructure (including having installed and configured the tools, plans, and that there will be any recovery, have done internships and field tests to know that all policies / procedures / tools actually work as they should).

If you notice, extrapolating the general idea of ??the example, basically any infrastructure needs (plus installation, configuration and start initial production):

- Backup,
- Configuration Management,
- Monitoring and Optimization / Maintenance / Continuous Improvement.
- Add redundancy / additional resilience (as part of the continuous improvement)
- Action plan for disaster recovery.

Without all these details (and several others not mentioned), the solution can "crash" very easily and stop working properly, and with some bad luck also unexpectedly (eg New Year morning, 3 am, call from the owner of the company IT staff, dropping to 3.10 when the personnel using the system will warn that just does not go. "Use Cases" guard clinic, pharmacy guard, security company, polícia, etc.).

* This is a matter of opinion, but to complete more than the TCO of the solution, you could add the forecast / estimate future costs of lifecycle management, for example, by providing a platform migration.

Following the example foresee a possible / eventual migration path VMware vSphere 5.1 (+ ESXi) to Microsoft Hyper-V 2012 + System Center 2012 Virtual Machine Manager.

For example: having to buy a SAN "now":
- Increases the TCO of the solution vSphere, but
- Lower the TCO of the - possible future - Hyper-V 2012 solution, but
- Stole. lowers the TCO of the solution "Virtual Infrastructure"
(Which is what matters to the organization actually), and therefore generates a "migration path" acceptable, and concludes that buy the SAN "be good" :-)

Areas and limited times
Internal IT areas have an area of ??interference and obligations to the IT infrastructure by far much greater than almost any solution "turnkey" that can provide a third party, as even with the best available budget, the scope of interference by an outsourced IT provider always - but always - is limited to certain tasks and obligations, and a range of time - engaged - during which he will respond to the client. And after which, it will no longer have an obligation to respond to the client.

The internal IT area otherwise not limited at all of its obligations to the organization, which must respond by organizational commitment (ie, regardless of who / is are integrating the area as employees / managers), so continuous , and is responsible for completing and correcting any limitations that exist in the infrastructure.

Following the example in the solution which "turnkey" has not provided a backup mechanism for ESXi hypervisors. If the provider does not, it is the duty of the internal IT area complete the solution.

The IT provider's contractual obligation, always has a practical limit: the maximum time hired and how much work can be done during that time. Although and though they usually hire:
- "Solutions",
- "Turnkey solutions",
- "Solutions",

and other good IT vendor jargon, though is "promised" the solutions provided by a third party will never be able to be fully complete, but only will be hired in accordance with (a tasks list contained in the contract) , any additional work, paid or not is at the discretion and goodwill of the third party provider.

Directly ... unless they are permanently contracted to do the work of the internal area IT ... ooops, but the contract also has a maximum, so no, you can not sustain unlimited outsourcing, there will always be that pay more or additional services outsourcing to have an unlimited (so it is very good business indeed.

Monday, April 29, 2013

Start the first mass deployment of Openstack (soft infrastructure services based on free)

Bah, not the first, but the first to be done in a couple of well-known companies (eBay, PayPal), and at the level of several tens of thousands of servers simultaneously.

We started ..
The enterprise-wide success of free software comes primarily from two sources:
- Be technically capable and viable as the soft option owner.- Be Free to use, having no license cost.
Spinning fine on TCOThe TCO (Total Cost of Ownership, TCO) includes several costs more than a license of the software (the administrators pagás will you install / manage the software for example), however given an infrastructure large enough, licenses the cost becomes much larger portion in the TCO than usual in smaller infrastructure.
In companies like PayPal and Ebay, with around 80,000 servers, the cost to pay for soft licenses will necessarily be quite high for the number of servers.
So when there is a - any - Free soft option, technically reliable, companies with large infrastructure - and a couple of important notions of finding a good balance vs. resource investment. yield savings in license purchase - to implement projects quickly start and stop paying licenses, when at that time there is - or would be - essential to.
The news below comments as PayPal and Ebay started a pilot project 10,000 migrating servers from VMware to OpenStack, with the possible idea - if all goes well - 80,000 migrating servers at some point and stop paying licenses for the use of soft virtualization.
As we walk with the TCO over hereIt is important to emphasize something, given the typical TCO, businesses / organizations seek to always have the least amount of IT specialist staff (which themselves on a common minimum, usually a team of 4 to 6 people), and VMware warrants that can manage a large virtual infrastructure - say, 10-50 physical nodes, with 20-100 virtual machines - with minimal staff and for staff fairly reasonable cost (since it is a market standard, many IT professionals have today certain management skills in VMware, and still hiring outside specialists also higher level entails stole. exceptionally high cost, as if it would be - probably - see complex software with few options of consulting).
So not many companies / organizations are even looking to replace their existing time solutions based on VMware (however expensive they are), including something similar can be said of other options already implemented (Hyper-V, Xen, KVM, etc..) .
And for organizations that are looking to leave sometime Vmware (so expensive it is just now), there are other commercial options extremely viable (and very sought after, in my opinion):
- From the technical (skills reused because the notions of configuration / management are similar to those found in Vmware), and- Since the economic (free hypervisors, or included with the operating system license, additional tools available and reasonably priced: centralized managers, some appliance such as antivirus software and virtualized networking, etc..) Highlighted in particular: Windows Server 2012 ( Hyper-V), RHEL and SLES (KVM and Xen), Citrix (Xen).
Close, not yet, but ...In other words, it is a very good sign starting Openstack massive deployments outside of existing, which was limited almost exclusively to cloud providers infrastructure (IASS): Rackspace, HP, etc.. But there is still some time to see OpenStack competing head to head the typical market - in Argentina, for example - with other offers infrastructure virtualization software, such as today when considering a server OS and compared RHEL, SLES, Windows Server, etc..
Sure, the pioneers who have enough on their computers IT skillset to anticipate, will have the potential for much faster approach to implement virtual infrastructure based on free software, with the many benefits that stole. have: not having to budget tens of thousands of U $ S of cost re-licensing in five-year cycles, and that budget to spend on other needs of IT and / or business / organization.

Saturday, April 20, 2013

First, we must understand that a forum is created to obtain opinions on
a particular topic; has a general theme that guides each proposed specific debate. An online forum allows the administrator to define multiple subforums site on a single platform, which act as containers starting discussions users.
Of course, other users can answer and begun in discussions or start a new, as they see fit. Internet forums can be classified into those requiring register to participate and those which can provide anonymously.
In the first type, users choose a nickname, which will associate a password and probably an email to confirm your desire to join the forum. Typically, members have certain advantages, like being able to customize the appearance of the site, posts and profiles.
Some users could obtain privileges in the forum, and then they are called moderators.
These privileges may include the ability to modify messages outside, move or delete discussions, and other mechanisms designed to keep the cordial and friendly (regulations designated by the administrator).
One of the main features of Forums is that we do not know many facts
on the "forum user" (a person who participates in it). Generally, simply enroll providing a nickname (alias, nickname, username) and an e-mail, which, inclusive, may have been created for the sole purpose of participating in a forum and keep total anonymity.
Now we define quite precisely the forum, we are able to understand the
assertion of the title of this section. That is, the passage of the Community Forum Manager Manager.
As a first step, the administrator is circumscribed to this area, while community members, together or separately, may be interacting in other Spanish services without the administrator knows or somehow part. From this point of view, the claim that is made is that the forum can be part of the community, but not the community.
The forums have been very useful before the advent of social networks, and we highlight the advantage they had in terms of management participation and the possibilities of centralization on particular topics. But is it correct to speak in past Forums? Probably the reader to participate in one or more and is in total disagreement with the verb tense used, but it is undeniable that participation has declined markedly, and at the time of creating communities, forums should not be the first alternative that comes to mind to a Community Manager.
Today, we can create our own social network, using free tools
are offered on the Web or other more professional, while not free, are priced
more accessible, such as Ning.
The big difference, then, between a manager and discussion forums Community
Manager is that the former is responsible for that area only, while the CM can be an administrator manage parallel forums and all other areas where you think you are your community ..

Sunday, April 7, 2013

HA, DRS, VMotion and Storage VMotion

We will analyze the most powerful tools VMware infrastructure d.

VMotion is an essential tool in the virtual infrastructure, which basically allows moving a virtual server from one node to another ESXI.
This option is really interesting because, to use, we will have no loss of service connection or drop the move equipment. This is because the file system using the ESXi, called VMFS.

Once you configure your network for VMotion, we do a test migration. Migration can be hot or cold, that is, with the server on or off.

VMotion is essential to create dynamic datacenters and automated. Now you can perform the maintenance of physical hardware if nafectar business continuity in any respect. It is a technology of 2004 or so, meaning that, at the time of writing, is a development of more than 8 years.
To connect the nodes to the storage and use VMotion, you can connect from a SAN (Storage Area Network) fiber, also supports compratibilidad with NAS (Network Attached Storage) and SAN iSCSI storage systems that are economic.
Migration tasks have priorities and can be scheduled to be performed at a certain time of day. Because we could have a problem if you move a virtual server when you have to move for some reason.
Suppose we are performing a configuration task uan NIC in a node, and an administrator puts a virtual server with VMotion destination node that we are fixing. Could lose the service and business continuity. To do this, the console has a view of all the tasks performed in vCenter.