Wednesday, January 31, 2007
So, here I am in lovely Thompson Falls, middle of nowhere, Montana (pop. ~1,500) enjoying the scenery and wildlife. I'm perplexed as to how I can drive through this town and pass three gas stations that all offer gas at a lower price ($1.99/gallon) than what I can get back home in Bellevue, WA (pop. ~120,000). In fact, the highest price in Thompson Falls ($2.11/gallon) is well below the lowest price in Bellevue, WA ($2.41).
What's up with that?
Bruce Schneier wrote an article in Wired Magazine called Secure Passwords Keep you Safer. He concludes his article with the following paragraph that is so true and exactly to my point:
For years, I have said that the easiest way to break a cryptographic product is almost never by breaking the algorithm, that almost invariably there is a programming error that allows you to bypass the mathematics and break the product. A similar thing is going on here. The easiest way to guess a password isn't to guess it at all, but to exploit the inherent insecurity in the underlying operating system.
group policy, Microsoft, passwords, security, Active Directory
Tuesday, January 30, 2007
OK, I've put EuroDisney behind me now. How did I manage to do that? Well, a bunch of us moved down to Paris for the rest of the week to meet with our staff in the Paris office and to host a customer roundtable. The sights, the food and the customer roundtable were totally awesome! About a dozen of us went out for dinner our first night in Paris at Roger la Grenouille. Billy Bosworth ate two orders of profiteroles for dessert - the food was that incredible. What a relief from that EuroDisney slop.
On Friday we hosted a number of customers at the Hôtel de Crillon, which is arguably the best hotel in Paris. It is located on the Place de la Concorde. The hotel's neighbors include the U.S. Embassy directly next door and the Louvre, and it is a stone's throw from the Tour Eiffel, Arc de Triomphe, Notre-Dame, Musée d'Orsay and my personal favorite, the Musée Marmottan. Our meeting room overlooked the Place de la Concorde. We were waited on by butlers all day long and all got to enjoy a wonderful four course lunch with both red and white wine pairings. Our Paris office sure knows how to host customers! In some ways the Crillon reminded me of the Fairmont San Francisco. Why? The charter for the League of Nations - the predecessor to the United Nations - was discussed at the Fairmont. The terms of the armistice of World War I were discussed in the meeting rooms we were in at the Crillon. OK, end of history lesson. What did we learn?
Of course, all the customers in attendance had deployed Active Directory already. An interesting note was that one of the customers had literally just finished his upgrade from NT4! So for folks who think everyone has migrated off of NT4, think again. All of the customers were also great examples of heterogeneity. Not only did they have AD/Windows but each one of them had Unix, Linux, mainframes (RACF) and mid-range AS/400s. You can imagine the problems they have with forgotten passwords...
- One customer had reports showing 60% of their calls were for password resets
- Another customer has an outsourced help desk that charges €10 per call - about $13.50!
- In September, when most employees come back from their summer vacation they average 4,000 calls per week
- At one organization it takes 8-10 hours to get a password reset, so they see a big spike in calls to the helpdesk on Fridays. I wonder why? Apparently employees are deliberately locking themselves out.
I think the other area that we had really interesting discussion around was two-factor authentication. Each one of the customers was using RSA tokens for remote access to their networks. Each one of the customers was very unhappy with both the up-front and annual maintenance costs to maintain those RSA tokens. It leads me to think about a couple of things:
- How sticky are those RSA tokens? Will a customer actually begin to swap those tokens out for lower cost but similar capability tokens from ActivIdentity, Entrust or whomever? Or, do they just use those other vendors as a bargaining chip with RSA to get a better deal on acquisition and on-going maintenance fees? In other words, will they really switch out the RSA tokens?
- What are the migration requirements for switching from one token manufacturer to another? Quest has had a history of building good migration products. Is this an opportunity for us? It wouldn't be if customers didn't actually migrate off of RSA and they simply used the other token vendors as leverage for a better deal with RSA.
So, if your company has RSA tokens let me know how you are handling this issue. Are you migrating to another token? Or, are you simply beating down RSA's pricing? Drop me a line or post a comment.
Saturday, January 27, 2007
If you've been in the IT industry for more than five or so years you probably remember predictions like "This is the year of the PKI". In fact, for a number of years this was the prediction each new year! Again, if you've been in IT for a while you know that the year of the PKI still hasn't come. Well, as evidenced in the picture below you can see that EuroDisney has implemented smart cards for guest room key access.
Mickey, in case you're listening: I'd suggest spending more money on better food - like real eggs - and less on smart card enabled room keys.
Thursday, January 25, 2007
Mickey, what have you done? The picture below illustrates how I feel about EuroDisney: bleak, barren, dull, grey, cold, rainy, weird and freaky. Granted it was January, but who in their right mind would want to go here in January for a vacation? (I was here for our European kick-off event.)
On the second day a friend from Paris called me to ask how I was enjoying France. My response? I'm not in France - I'm in EuroDisney. Surprisingly, he needed no further explanation!
Oh oh, I'm starting to gag again just thinking about it.........
Wednesday, January 24, 2007
Tuesday, January 23, 2007
As I sat flying to Paris on Sunday I was reviewing some of our business plans and came across IDC's analysis of the Identity and Access Management market by vendor for 2003-2005. I don't know why I didn't notice this before but Quest was ranked #18 in a pretty large field. According to IDC our revenue in 2005 was $32.7M. The most interesting aspect of the numbers wasn't our showing at #18 but the fact that Microsoft is #19, BMC is #21, HP is #25 and RedHat is #30.
The comical thing about these numbers is that I spent nearly six years at Microsoft working on building up their presence as an IAM vendor and I end up at a company that until recently barely considered itself part of this market yet is ranked higher than Microsoft. As also noted, we beat out BMC, HP and RedHat, too. Amazing.
Well, I hope with our 2006 results we maintain our impressive position and maybe even move up a rank or two!
Friday, January 19, 2007
Well, I downloaded a program called "ophcrack" last weekend that managed to recover all of the local passwords - seven of them - in just over 5 minutes. My local administrator password on this machine is 9 alphanumeric characters, so I thought it was a bit stronger than 5 minutes of clock time!
This feat was easy to achieve because the LAN Manager hash is basically insecure. LAN Manager hashes are relatively easy to crack with a brute force cryptographic attack. The hashes that are created have the following characteristics:
- The password is padded with null characters until it's exactly 14 characters long
- All lowercase characters in the password are converted to uppercase
- The password is split into two 7 character chunks
- Each chunk is used as a DES key to encrypt a fixed, well-known string
- The two 64-bit results are concatenated into a 128-bit value and that is what gets stored
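To make those five steps concrete, here is an added example (my code, not from the original post) that builds the LAN Manager hash exactly as listed above and then does the arithmetic that explains the 5-minute result: because the halves are independent and case-folded, an attacker only ever faces two 7-character uppercase searches, never one 14-character mixed-case search. Assumptions: the password is ASCII (real LM uses the OEM code page); DES is taken from the third-party pycryptodome package (Crypto.Cipher.DES), and without it only the structural analysis runs; the fixed plaintext "KGS!@#$%" and the value of an all-null half are the documented LM constants.

```python
# Added example (not from the original post): the LAN Manager hash construction
# described above, implemented step by step so the weakness is visible.
# Assumptions: ASCII passwords; DES from pycryptodome (optional here); LM_MAGIC
# and EMPTY_HALF are the documented LM constants.
from typing import Tuple

try:
    from Crypto.Cipher import DES  # pycryptodome; optional for this demo
except ImportError:  # without it, only the structural analysis runs
    DES = None

LM_MAGIC = b"KGS!@#$%"            # fixed 8-byte plaintext each half encrypts
EMPTY_HALF = "aad3b435b51404ee"   # DES_k(LM_MAGIC) for an all-null 7-byte half
PRINTABLE_ASCII = 95              # distinct printable ASCII characters
UPPERCASED_ALPHABET = PRINTABLE_ASCII - 26  # 69 symbols survive case folding


def lm_preprocess(password: str) -> Tuple[bytes, bytes]:
    """Steps 1-3: upper-case, NUL-pad to 14 bytes, split into two 7-byte halves."""
    pw = password.upper().encode("ascii", "replace")[:14]  # LM caps input at 14
    pw = pw.ljust(14, b"\x00")
    return pw[:7], pw[7:]


def des_key_from_7_bytes(half: bytes) -> bytes:
    """Spread the 56 key bits over 8 bytes, 7 bits per byte; the low bit of
    each byte is the DES parity position, which DES ignores."""
    bits = int.from_bytes(half, "big")
    return bytes(((bits >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8))


def lm_hash(password: str):
    """Steps 4-5: encrypt LM_MAGIC under each half and concatenate the two
    64-bit results (16 bytes, shown as 32 hex digits). None if DES is absent."""
    if DES is None:
        return None
    out = b""
    for half in lm_preprocess(password):
        out += DES.new(des_key_from_7_bytes(half), DES.MODE_ECB).encrypt(LM_MAGIC)
    return out.hex()


def lm_effective_work() -> int:
    """Trial encryptions needed to exhaust LM: the halves are attacked
    independently, so the cost is 2 * 69^7, not 69^14."""
    return 2 * UPPERCASED_ALPHABET ** 7


def mixed_case_keyspace(length: int = 14) -> int:
    """Keyspace a 14-character mixed-case password would have if the hash
    actually used all of it at once."""
    return PRINTABLE_ASCII ** length


def weakness_factor() -> int:
    """How many times smaller the LM search is than the full 14-char keyspace."""
    return mixed_case_keyspace() // lm_effective_work()


if __name__ == "__main__":
    # Constructed sample passwords; note the identical halves for the two
    # spellings of "Password1" and the all-null second half for "abc".
    for pw in ("Password1", "PASSWORD1", "abc"):
        a, b = lm_preprocess(pw)
        print(f"{pw!r:14} halves={a!r} {b!r} hash={lm_hash(pw)}")
    print(f"LM work: 2*69^7 = {lm_effective_work():,}")
    print(f"14-char mixed-case keyspace: 95^14 = {mixed_case_keyspace():,}")
    print(f"LM search is about {weakness_factor():,} times smaller")
```

Two things to notice when you run it: any password of 7 characters or fewer produces the constant EMPTY_HALF as its second half, which tells an attacker the length class for free, and "password" and "PASSWORD" hash identically, so the complex-password policy's case requirement buys nothing here. The fix the post recommends is the security option "Network security: Do not store LAN Manager hash value on next password change" (registry value NoLMHash under HKLM\SYSTEM\CurrentControlSet\Control\Lsa); it only takes effect as each user next changes their password, so plan a forced change after enabling it.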
As with anything, the stars have to align for a bad guy to make this work. He has to have access to your machine and he needs to run the cracking program with administrator access on that machine. In my case, my domain account is in the local administrators group. Also, I pretended I went out to lunch and left my machine unlocked. The rest was easy.
Once a bad guy has access to your machine it's possible to get the local passwords and other goodies like your VPN, network shares and Passport passwords as well. And, if you happen to be logged on to the network the bad guy can attack the SAM database on the domain controller.
My advice? Enable the group policy so the LAN Manager hash is not stored! You can have a very complex password policy but if you are allowing LAN Manager hashes to be stored...
p.s. If you're interested in cryptography I highly recommend Bruce Schneier's Applied Cryptography book. It's my standard reference.
Technorati Tags:
group policy, Microsoft, passwords, security, Active Directory
Thursday, January 18, 2007
Novell has released the preliminary agenda for BrainShare 2007. The most interesting sessions related to Active Directory I can find are listed below. There are lots of other sessions related to identity management and security, of course. My big interest is to see what will be discussed at BrainShare that relates to the Microsoft and Novell announcement from earlier this year. I wonder if any Microsoft executives will be presenting?? That would certainly go a long way to showing how real the deal is!!
Microsoft and Novell will undertake work to make it easier for customers to manage mixed Windows and SUSE Linux Enterprise environments and to make it easier for customers to federate Microsoft Active Directory® with Novell eDirectory.
My quick scan of the session titles and abstracts highlighted a number of interesting sessions which I've listed below. I think if I was still at Microsoft I'd be planning on attending...
Interoperability with Microsoft Windows and Active Directory: There are several open source and closed source initiatives underway to have better interoperability and co-existence with Microsoft Windows and Active Directory environments. Come to this Birds-of-a-Feather session to learn more about what others are doing to save money by deploying Linux-based solutions that either emulate or work with existing deployments. You will learn what others are doing and what Novell's plans are. Bring your ideas and suggestions regarding tools and technologies; protocols and packages; and integration and interoperability.
All Things Samba: Join others like you who are interested in learning about, deploying, configuring, managing, running, and improving Samba on Linux. Members of the Samba Team will lead the discussion. Meet others who make up the Novell Samba Team and share your ideas and stories. Also, bring your Samba-related questions; there will be plenty of answers. Learn and share with others in an open discussion environment.
Smart Card integration into SUSE Linux Enterprise Desktop 10: Learn how to use smart cards for authentication and authorization on SUSE Linux Enterprise Desktop (SLED) 10 from Novell. Find out how to configure local authentication as well as smart card-based authentication to Microsoft Active Directory and Novell eDirectory.
Learning to Live With Microsoft Without Turning Blue: There are several open- and closed-source initiatives underway that are striving for better interoperability and co-existence with Microsoft Windows and Active Directory environments. Learn best practices for deploying Linux-based solutions that either emulate or work with existing deployments by examining tools and technologies; protocols and packages; and integration and interoperability.
Advanced SUSE Linux Enterprise Desktop Deployment and Customization: To deploy Linux desktops in today's enterprise environment you must understand how Linux works within your existing infrastructure, how Linux desktops can be managed, and how existing corporate policies and lockdowns may be applied. This session explores the concepts, methods and tools used to deploy and customize the SUSE Linux Enterprise Desktop (SLED). We show you how to integrate Linux into Active Directory or eDirectory environments, how to lock down the desktop, how to customize Firefox, how to deploy thin clients and how to deploy Linux desktops with scripting and imaging.
Tuesday, January 16, 2007
I was bopping around the blogosphere and came across Scott Lowe's blog where he has a number of posts on Linux-Windows integration. Good stuff. It's interesting to see that he surfaces a lot of technical detail around this integration and discussion around Samba also.
Scott clearly has done a lot of work in this area but you can see how difficult this integration is. It's like one of those Meccano toys you'd construct: if you got one thing wrong you had to deconstruct it and start over again. That's the whole raison d'être of the Vintela products: automate all of these details across all of the various platforms that customers are using. Scott presents the nuts and bolts of doing the integration, but enabling things like group policy for Linux/Unix, automating UID/GID assignments, building out the PAM stack, and automating the configuration of Kerberos, LDAP & NSS are tricky and necessary pieces to enabling true interoperability of not just the identities but also the applications.
I can't tell you how many customers I have met with who all have a similar story that goes something like this...
- We were able to integrate x flavors of Unix & Linux with Windows in our lab (x is usually >5)
- For the last y months we have been trying to roll-out that work in production (y is usually 6-18 months)
- We can't keep up with the number of versions of Unix & Linux that we have and the differences between each one so it makes maintenance very difficult
- We can't get what we did in the lab to scale-out and scale-up to meet our operational demands
- We've had a bunch of really smart people working on this (always true)
Vintela, Quest Software, Active Directory, identity management
Monday, January 15, 2007
Quest Software is holding its North American kickoff in Anaheim, CA at Disneyland. It started today and finishes on Wednesday. A lot of great sessions today. Vinny Smith (on the left in the picture) and Doug Garn's (right) session on the 2006 highlights (and lowlights) was really good. No specific financial numbers given but I think as a company we did well. Forbes somehow had this information long before I did, not sure how, but you can see their coverage of how they think Quest did in Q4 and on the year here.
I can't state the specific numbers for my Active Directory products but I will say that for 2006 we were up a lot. It's just freakin' amazing to see how well we did. I've really got a great team. So all I can say to a certain competitor of ours (aka "Company G") is:
Stick that in your pipe and smoke it.
What makes me really happy is to see that a lot of Quest's top deals were Microsoft products and Quest's biggest deal ever was mostly composed of Microsoft products. The commission check that got handed out for that deal was over $500K - congrats Patrick (and team), you deserved that one!
This year we invited many of our key partners to kickoff. There were some great presentations today from Microsoft, Dell and Accenture. It's really great to see how much work we are doing together with so many great partners. Lots of fun with the Quest Idol contest and we even had William Hung come in for a bit of singing and signing autographs.
More sessions tomorrow. We get to go into a bit more detail on plans for 2007. I have to leave really early (2AM!) Wednesday morning to get to LAX for an early flight to Salt Lake City so I'll miss the last day unfortunately.
Next week I'm off to Paris (DisneyLand Europe) for kickoff in Europe and a customer roundtable on Friday. More on both those next week.
Quest Software, Active Directory
Monday, January 08, 2007
Join Quest Executives, Product Managers and fellow Quest customers interested in Identity Management for cocktails and dinner.
Where: Harris’ Restaurant - 2100 Van Ness Avenue (at Pacific)
When: Tuesday February 6, 2007
Dinner & Discussion begin at 7:00 p.m.
Quest Software invites you to an Identity Management Roundtable Discussion & Dinner, exclusively for our valued National and Strategic Accounts during the RSA® Conference in San Francisco. This is an exciting opportunity to meet with Quest Software Product Management & customers like yourself to share your thoughts on the challenges of Identity Management and influence future product direction.
What to Expect:
- An open forum with informal, interactive discussion on the challenges and issues you face in Identity Management (including: authentication, access management, single sign-on, audit, provisioning, password management, role management & federation)
- Gain valuable insight into Quest's Identity Management strategy and direction through conversations with Quest experts like Dave Wilson (VP, Identity Management Products), Matt Peterson (CTO, Identity Management Products) and Jackson Shaw (Quest Senior Director of Product Management)
- Influence the direction of Quest's Identity Management offerings
- Learn from other Quest customers about their project plans and implementations
- Meet other IT Executives facing Identity Management challenges within a heterogeneous IT environment
We look forward to having you for an evening of good food, good company and open dialog. To register, call Kimberly Myers at 917-472-4629 or email Kimberly.email@example.com by Tues. Jan. 23rd. Confirmation and directions to follow.
Technorati Tags:
Quest Software, identity management
In my post "Zunes are on the shelf and I'm worried!" I mentioned how at the Microsoft company store there was a dusty display of MSN SPOT watches and how I hoped the Zune didn't end up in a similar dusty corner.
Today I saw this press release which actually made me think that perhaps there's still a chance that SPOT can hit the spot...
Today at the 2007 International Consumer Electronics Show (CES), Microsoft Corp.'s Smart Personal Objects Technology (SPOT) Group announced the availability of MSN® Direct navigation services and announced that Garmin International Inc. will be the first to offer the new MSN Direct service to Global Positioning System (GPS) devices. Customers will be able to receive dynamic local information, including weather condition and traffic updates, movie listings, and gas prices.
I must say that I do like the idea of automated traffic and weather updates along with not only seeing where the gas stations are but how much they are charging for gas.
p.s. I am using Windows Live Writer to write this post...
This statement stood out for me in Derek Melber's article on Vista Group Policy at redmondmag.com. In Windows XP SP2 there were more than 1,600 new policies added. With Vista, over 2,400 additional new policies have been added! According to Melber this number will dramatically increase when Microsoft releases Policy Maker.
Melber goes on to detail some of the really cool policies that have been added to Vista including: power options (control power settings to save $$$), printer installation and removable storage devices (disable USB devices to prevent straying of confidential data). In addition, a number of tools will be released (GPOVault, PolicyMaker) that Microsoft obtained via the Desktop Standard acquisition. In fact, Melber came to Microsoft via that acquisition.
I'm a huge - repeat HUGE - believer in Group Policy. I always have been and I always will be. I know for a fact that most customers are not taking advantage of all of the Group Policy capabilities that are currently (Windows 2000, Windows XP) at their disposal. I hope Vista is added impetus to customers to evaluate the benefits of Group Policy and how they can further leverage their Active Directory investment.
Melber's conclusion is "a thumbs up" to the advances. The reasons for his thumbs up - and my concerns - include:
- Changes to how the ADMX files are handled in the central store should give your Administrators an immediate return on investment (ROI) because they no longer need to fight with ADM templates or their updates, or the mismatches in ADM templates
BUT: Most execs don't care that much about an administrator's time savings unless it is massive. This doesn't sound like a massive difference and if a customer starts using Group Policy in Vista this won't really matter, will it?
- The options that come standard with the additional 800 GPO settings are sure to give you more immediate ROI because you can now save $75 per desktop, per year, with just one of these settings. The other settings will also provide immediate ROI, because you no longer need to worry about printer distribution or removable storage device misuse.
BUT: If and only if the desktop is a Vista desktop. These policies are not backwards compatible to Windows 2000 or Windows XP, right?
- Lastly, with the new acquisition of GPOVault and PolicyMaker, Microsoft is delivering innovative Group Policy technology and incorporating it into their own offerings.
BUT: You didn't define how Microsoft is delivering this technology. No charge download? Or is it via an add-on to desktop assurance (i.e., definitely not free!).
BUT BUT: You state that "it has not yet been decided if the new implementation of PolicyMaker will be backward compatible with Windows 2000 and Windows XP." Isn't the currently shipping PolicyMaker already compatible with Windows 2000 and Windows XP? Why not the next version?
I will re-iterate that I agree that Group Policy is one of the most spectacular technologies delivered with Active Directory. In fact, Group Policy helps to make Active Directory really "sticky".
However, in order to benefit from any of these amazing advances I have to upgrade to Vista...and to get the new tools (GPOVault, PolicyMaker) I might have to have desktop assurance and possibly have to purchase something additional on top of desktop assurance?
I'm not sure I'm feeling the ROI...
group policy, Active Directory, Microsoft
Sunday, January 07, 2007
I find a recipe is only a theme, which an intelligent cook can play each time with a variation. -Madame Benoit
Last night, my wife Kathie and I had the pleasure of wine, dinner and an amazing Seahawks football game with Kim Cameron, his wife Adele and their son Max. Adele cooked a traditional Québécois tourtière which was absolutely delicious. Adele used Madame Jehane Benoit's recipe. Madame Benoit was a French-Canadian institution when it came to cooking. That's a picture of Adele doing the honours -you'll have to put up with my spelling, I'm writing in Canadian - and my wife waiting patiently for her slice. If you want to check out more pictures of the fête click on the picture above to jump over to the Picasa album.
I grew up in Montréal during the late sixties/early seventies and Kim attended the Université de Montréal. Madame Benoit had a cooking show that used to air on the Canadian Broadcasting Corporation (CBC) television network. Adele's tourtière was just awesome. It brought back so many good memories of Montréal, Christmas réveillon, our French-Canadian friends and our ski place in Québec.
Kim and I talked about federation and how his CardSpace project differs with OpenID but we spent most of our time opening and tasting wine, watching the Seahawks' amazing nail-biting, down-to-the-wire victory over Dallas, drinking unbelievable, freshly roasted Kona coffee and enjoying Adele's superb meal.
Saturday, January 06, 2007
For those that care, the poodle party pictures were taken with a Canon 30D DSLR camera sporting a Canon 70-200mm f2.8L IS USM lens. Not only an awesome camera but a truly awesome lens. I use Google's Picasa2 software to upload the shots to Picasa web albums.
Friday, January 05, 2007
I think that's an awesome challenge for Michael to work on - heaven knows we need more management capabilities for mobile devices.
Good luck, Michael!!!
group policy, Microsoft
I had lunch with Karen Forster of WindowsIT Pro Magazine on Thursday (Jan 4) at Lisa Dupar's Pomegranate Bistro restaurant over in Redmond. We had a great meal - I'm adding Pomegranate to my list of good restaurants over on this side of Lake Washington. You might not recognize the name Lisa Dupar but she owns a catering firm in Redmond that Microsoft uses frequently. I've had my share of Lisa's catering while I was with Microsoft so I figured her bistro would be a good bet. Nice choice, Karen!
I had the privilege of working with Karen a number of times when I was at Microsoft. Karen did a story on Group Policy back in November 2004 that I participated in along with Michael Dennis and Mark Williams. It was called "The Group Policy Product Team Hears Customers and responds to their feedback". We get together every once in a while to talk about trends in the industry, gossip about Microsoft and share a good meal.
Lots of discussion over our awesome sandwiches about the recent Desktop Standard acquisition by Microsoft, Active Directory, identity management, Active Directory Federation Services and the recent Microsoft/Novell deal. We had quite the discussion regarding the Microsoft/Novell deal. Anyone see the parallels to another Microsoft deal not too far in the past?
It will be interesting to see what turns into stories in future issues!
Active Directory, Active Directory Federation Services, Microsoft, Group Policy, Novell, identity management
Thursday, January 04, 2007
Well, imagine my excitement when the customer said to me "Oh, they support federation now"! Well, after some digging my excitement was quickly replaced with disbelief. The not-to-be-named payroll provider supports federation by requiring their customers to install Computer Associates' eTrust SiteMinder product and configure it in a particular way in order to get the federated single sign-on benefit. What if I had a different product that implements federation like Active Directory Federation Services, Oracle Identity Federation or BMC's Federated Identity Manager? Apparently, I'm on my own in that circumstance as only the CA product is supported.
Federation is supposed to be about interoperability between dissimilar products, environments and even differing standards like SAML, WS-* and Kerberos. There are a lot of vendors in this space spending time on interoperability workshops and working on standards together to achieve this goal so customers will have a choice of products.
Defining a product requirement and requiring customers to purchase a particular product doesn't make a standard and it certainly isn't the intent of federation.
Technorati Tags: SAML, eTrust, federation, identity management, SiteMinder, kerberos, WS-*
Wednesday, January 03, 2007
Congrats to the guys on the Exchange team at Quest. I guess the gauntlet is thrown down now. We need to get one of the Active Directory or Windows products on the list for next year!
Quest Software, Exchange
He goes on to say that it's time we "took a long hard look at the standards process and started using existing systems rather than creating new ones".
Well said, Dave.
Maybe we need a standards reduction standard? Just kidding...
Technorati Tags:identity management
Tuesday, January 02, 2007
We get told, advised and taught to protect our passwords, change them frequently and be aware of the potential for identity theft. We also trust that our passwords are secure.
What the heck is Comcast up to? Clearly, my password is not secure. If Comcast technicians have your account and password information printed on work orders who else has access?
identity management, Comcast
A recent article in NetworkWorld recounted what four veteran enterprise network executives would do and how if they had a magic wand. Christopher Paidhrin's quote caught my eye for obvious reasons: "...identity management would be a breeze..."
He states that strong, transparent identity access control is critical as the perimeter dissolves and we move towards the service provider and virtual network models. I can't disagree with him there. However, he goes on to "recommend the adoption of an international standards body model for identity management, where differing technologies and solutions could build on a common set of protocols, encryption algorithms and interfaces to vastly simplify the individual's experience".
Personally, I think we already have many of the standards in place that we need today like SAML, WS-*, LDAP, DSML, AES, PKCS, etc. Many of these standards are IETF, NIST or industry standards versus international standards like those set by the ISO.
I remember the days when X.500 and DAP - both ISO standards - were going to take over the world and solve all of our problems. Anybody out there using DAP to communicate with and between their directories or still using X.400 for e-mail? Not many are, because LDAP and SMTP rule; neither of which is an "international standard".
We don't need more standards - we need vendors to use the standards that exist today and build better products.
Technorati Tags:identity management
Monday, January 01, 2007
Chris, Kathie, Jake and Jackson (l-r)