If you tell enough stories, perhaps the moral will show up.

2007-11-22

How policy succeeds, for once

I've been purging out a dying domain. Disabled accounts with a last logon more than three months ago are deleted; enabled accounts with a last logon more than one month ago are disabled with a note in the comment. Do that every week or so. Keep a safe list for genuine service accounts and the domain will be nicely compliant by the time it stops.

The reason I've had to do this myself is a bit sad: the helpdesk, who own all account administration, will go through any distortion to avoid account difficulties. An odd-looking account -- precisely what should be disabled -- won't be touched for fear of breaking something. The policy itself gets re-interpreted to be "disable after ninety days" with no-one able to trace where that decision came from.

It's understandable. The best outcome from good application of the policy is that no-one complains. The likely outcome is senior staff complaining that the helpdesk has broken their account -- and no-one wants to hear that.

So, I've been doing it myself, and that makes everything different. Everyone knows that I break stuff, but everyone also knows that challenging me on what I break can leave them on the wrong side of a clearly distributed policy that they didn't read or understand....

Yes, and in this case I did a blinding job: The account policy allows just two types -- owned, which are subject to the AUP, and service, which have to be on my list. The AUP says that owners are responsible for owned accounts, have to log on more often than once a month, and log off after no more than a week. That was carefully chosen to update the last logon time, and to transfer blame.
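The weekly purge described in this entry, written out as an added PowerShell example (not the author's own script) against the ActiveDirectory module. The safe-list file path is an assumption, and the 30/90-day thresholds simply restate the policy above; run it with -WhatIf first and nothing is touched.

```powershell
# Added example, not the author's script. Assumes the ActiveDirectory module
# and a safe-list file of sAMAccountNames, one per line (path is assumed).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$DisableAfterDays = 30,
    [int]$DeleteAfterDays  = 90,
    [string]$SafeList      = '.\service-accounts.txt'   # assumed path
)
Import-Module ActiveDirectory

$safe = @{}
Get-Content $SafeList | ForEach-Object { $safe[$_.Trim().ToLower()] = $true }

$now = Get-Date
# LastLogonDate is derived from lastLogonTimestamp, which replicates between DCs
# but is only refreshed when the stored value is more than 9-14 days old. That is
# coarse enough for 30/90-day thresholds, and it is why the AUP needs a monthly logon.
$users = Get-ADUser -Filter * -Properties LastLogonDate, whenCreated, Description

foreach ($u in $users) {
    # Genuine service accounts are exempt only if they are on the list.
    if ($safe.ContainsKey($u.SamAccountName.ToLower())) { continue }

    # Never-logged-on accounts have no LastLogonDate; age them from creation instead.
    $last = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }
    $idle = ($now - $last).Days

    if (-not $u.Enabled) {
        # Already disabled and stale for more than three months: delete.
        if ($idle -gt $DeleteAfterDays -and
            $PSCmdlet.ShouldProcess($u.SamAccountName, "Delete (idle $idle days)")) {
            Remove-ADUser -Identity $u -Confirm:$false
        }
    }
    elseif ($idle -gt $DisableAfterDays -and
            $PSCmdlet.ShouldProcess($u.SamAccountName, "Disable (idle $idle days)")) {
        # Leave the reason in the comment so the next pass (and the helpdesk) can see why.
        $note = "Disabled $($now.ToString('yyyy-MM-dd')) by stale-account policy; " +
                "last logon $($last.ToString('yyyy-MM-dd'))."
        Set-ADUser -Identity $u -Description ($note + ' ' + $u.Description).Trim()
        Disable-ADAccount -Identity $u
    }
}
```

An account disabled by one pass is deleted by a later pass once its last logon is more than ninety days old, which is exactly the two-stage lifecycle the entry describes.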

And it works! Hundreds of users deleted, a few tactful explanations, and no trouble at all. This is the root of the security truism that you start with a policy. You can't act without it -- but it has to be a good'un.

2007-11-21

Audits fall with autumn leaves

We've just been visited by one of the many audits to which a regulated firm is subject. We didn't come out as well as I would have hoped, but the point for me was different and more worrying.

These were competent people. They were clear about their wants: Evidence that the controls we publish and claim to adhere to are actually working. And they knew what "working" meant -- that the circle is closed with human escalations and choices on exceptions. So that was good (and a lot of work for us) except for one teeny issue.

"Working" also means that the control environment will actually stop trouble. And these guys had essentially no interest in the technical effect of the controls. If I said "this is a report that shows yesterday's changes to all application admin groups", that was the truth. No test that we have the same reporting on all production DCs. No enquiry about alternative ways to get the privilege. No test that our installations actually adhere to the admin group conventions. If I listed a firewall policy, or handed over the perimeter network diagram, that was it. No enquiry about how often I checked the cable patching....

Now I know that they can't check everything. And I wouldn't want them to.... I know that they're at the wrong end of a crushing knowledge asymmetry. But all the same, it reminds me of the drunk searching for his keys under the lamp post: not because he lost them there, but because the light is so much better.

In the meantime, remember:

  • A big four signature on a statement of controls -- SAS70 or whatever -- means less than you think.
  • Somewhere in the big city, a security guy is neglecting controls that expose trouble in favour of those that'll audit well.

2007-11-16

Choice. I hate it.

I bought a new computer last night. Even though I'm not exactly Mr. Desktop I thought I would be able to make a sensible choice. In fact I was so overwhelmed, I nearly bought nothing.

First: supplier. I've bought from Morgan before and had a slightly patchy experience (but nothing unfair, and nothing that couldn't be resolved with my own skills.) This time I was going to avoid trouble by sticking to brand new stock -- retired from shops after going out of date. I liked the look of the HP media PCs with TV tuners and big plug-in HDs -- they were old enough to be packaged with XP Media Center (I really don't want that "which Vista edition" issue until SP1 -- maybe not then), they were fully loaded with ports and the more expensive models had Intel dual cores, 2GB memory and GeForce 7600 with 256 MB. I didn't want a screen package because the more mad son has a history of headbutting flatscreens to death: CRTs are tougher and I have them already.

So I thought that was pretty cut and dried. But I can't resist a quick visit to Dell.

First impressions are low price -- Dell include VAT, and Morgan exclude it (which I think is a tad dodgy on consumer kit sold retail). Now I know that Dell charge a shameless £50 for delivery but it turns out it's free until the end of the month. Second thing is that XP is back on offer -- it was Vostro-only in September but now the consumer pages have it too. And it's XP Pro which is a big plus.

So into the configurator to be faced with all those tough choices. Many of the base builds lack 2GB and the prices start notching up as I make those tempting choices. Not all models let me configure "no screen" and if I'm having a screen maybe I should get the posh graphics as well.

I finally settle on a bearable heuristic. I'll only get factory fitted upgrades where I haven't upgraded myself successfully in the past.

I end up with PC Duo 6550, 2GB (I've had problems with dodgy 1GB parts), the base graphics (because no-name GeForce 8600 will be cheap and good in a year's time), the base HD (definitely getting NAS....) And a screen, which was too good to give up for £80 and I will put on the PC upstairs to keep the less mad son happy until he gets his laptop.

All that choosing left me emotionally committed to the Dell. I matched it to an HP package from Morgan and found it close (screen to placate LMS with graphics upgrade option in the future vs. no screen, and better but obsolete graphics now; no media centre tuner remote & wireless vs. XP pro and the confidence I wouldn't use that stuff; in stock vs two week delivery ouch) but a few pounds less.

So I bought the Dell. But it wasn't easy.

2007-11-12

Secure Timestamp

I enjoyed watching the moon race past some bright planet a little above the sunrise last week. I guess it was Jupiter -- a bit too far along the ecliptic to be Venus.

Over the weekend, there was a news feature about the Mahdi army in Iraq. At one point the camera zoomed in on the moon to show this conjunction closer than I ever saw it. For me, that dated the report better than any digital means -- no encryption, no secure timestamp -- just very hard to fake.

2007-11-09

Export

Every morning lately, when I've been there to see, a train of twenty or so flatcars each with twelve colossal steel billets heads east, to Ashford and I guess the tunnel. This morning they were behind a class 92. In my mind this question: If the country is so prosperous that the government can offer flexible working hours to every employed parent, how can anyone make money exporting raw steel? Am I that detached from the real world?

2007-11-03

Geek Alert

The shed computer has been on my queue for a very long time. It was running an elderly Kubuntu (6.04?) and I've never found it entirely satisfactory -- Konqueror is not supported in Google Docs, I couldn't get Firefox to install and in fact I couldn't get anything to update or install. Well, I can see which way the world is going, so I wanted to put a current Ubuntu on it, and I've finally done it. It wasn't easy. The PC is a Dell Latitude PIII. It was classy in its day, but I think it has problems, especially with the CD drive. The steps I've had to take to get it installed are these:

  • Switch off the Hot-Switchable Floppy option in the BIOS. I don't even have an FD, but with the switch on, the boot was delayed for tens of minutes negotiating /dev/fd0 errors.
  • Don't even try to boot the live CD into safe video (forcevesa). It would boot, in an hour or two, but it was continuously frobbing the CD and it would be impossible to get to the fourth screen of the installer. And the bars at the top and bottom of Gnome were lost.
  • And I gave up on the live CD. The text mode install CD (select it with the check box on the Ubuntu download page) installed first time. The live CD install failed at random points copying files to the HD. My burn of that image passes the veracity test, and I exchanged HDs, and the problem was still there. But the text installer just works.

And once it's up, it's pretty good. I was notified of 16 updates, all of which applied even though one was for Firefox which was open at the time. I've added MPEG codecs (which I suspect are excluded from the build to preserve its freehood -- Fraunhofer have some MPEG patents) directly from the player, mc (which I have to have) through apt-get, and Penguin Command (which I've missed ever since I tried Suse 7.2) through the Synaptic package manager. It all works. The only real hiccup was the networking -- it needed a few restarts to work -- I think it wasn't playing nicely with DHCP on the firewall. I've tried tuning the display, but the automatic setting seemed best. Sudo works nicely. It's not quite as responsive as W2k but it is all so much better done than I remember -- and I don't miss KDE at all. Best of all -- malware won't run. I can browse on! Oh -- and on the whole, I don't think it's as stable as Windows. The kernel is better (though the scheduler is cruder) and the management GUI and command-line stuff is fine, but in userland many of the third-party apps can silently disappear.