Creepy Privacy/Employment Decision in the UK

11/2/2011 1:36:19 PM

I just picked up on this story today, and I have to say it kind of creeps me out.

The gist of it is that an Apple Store employee in the UK posted some disparaging remarks on a private Facebook page (I’m not sure what “private” really means in the context of Facebook, but that’s a different issue). Someone (a coworker I believe) saw the post, printed it out, took it to the store manager, who then fired the poster. The UK Employment Tribunal upheld the firing.

A critical component of the story is that part of Apple’s employee indoctrination includes specific prohibitions on posting anything negative regarding Apple (the company, its employees, or its products) on social media sites. So the employee presumably understood that this was a condition of his employment, and he presumably understood that what he was doing was a career-limiting move.

What’s disturbing to me (ignoring the creepiness of Apple’s social media policy for now) is that, even though the employee took precautions to make sure his post wasn’t public, the Tribunal cited the fact that “Once posted, it will be difficult to show the necessary degree of control over Facebook comments as—by the very nature of the Internet—these may be copied and passed on with ease.” as part of the reasoning that the termination was “justified and proportionate”.

My inner Libertarian doesn’t see a problem with this situation… it was a voluntary contract between two parties, the employee understood the terms of employment and violated them, and got fired. That’s how things should work. But the fact that the employee took steps to keep the post private, and it was still considered a public post, gives me the chills. Think about it… his coworker consciously subverted the security mechanisms in Facebook by printing and distributing the post. I assume that cutting and pasting it into an email would have been legally equivalent. What if the employee had simply complained about Apple in an email to his dad, and his dad forwarded the email to a friend, who then forwarded the email to the store manager? Wouldn’t that essentially be the same scenario? Maybe the Apple employment rules specifically define what social media is, but it’s no leap at all to include email in the social media category and emails are just as easy to copy as private Facebook posts. I guess that is the nut of the problem for me. The employee used the available mechanisms to keep the post private (i.e. making it non-social), but that doesn’t matter. The fact that even private Facebook posts can be publicized by printing or copy-and-paste seems to be what made the firing appropriate.

I can’t help but think that the PR fallout of this event will grossly outweigh any negative publicity from a practically invisible post on a private Facebook page. Then again, public opinion (as represented in comments posted on news pages) seems to be running strongly in favor of Apple, with the primary thought being that “if you hate your job, you should quit and get another one.” In the era of nominal 9% unemployment, that seems particularly harsh. Maybe Apple has mobilized the faithful to make sure this doesn’t turn into a PR nightmare.

You can read more here, here and here.

Tags:

Privacy

MIT Kerberos DOS Vulnerability

10/30/2011 3:50:43 PM

I just saw this in the SANS vulnerability alert this week. If you don’t want to parse the text yourself, it is essentially four separate remote denial-of-service vulnerabilities in the MIT Kerberos implementation for krb5-1.8 and later.

It’s amazing to me that we are still finding fatal flaws in a core security service like this. I’m not sure exactly how old the MIT Kerberos implementation is, but the protocol as defined in RFC 1510 (which has been obsoleted by RFC 4120) has been around since 1993, and as far as I know, the MIT Kerberos implementation was the original.

Patch your code!

Tags:

Identity and Access | Security

We Just Never Seem to Learn

9/6/2011 3:34:56 PM

This article describes how a disgruntled IT worker used a back-door account he had created to wreak havoc on his former employer. The story is notable not just in how familiar it is, but in all the ways basic identity and access governance (IAG) practices could have prevented the attack.

The story line goes like this (sing along if you’ve heard this one before): David Palmer, an IT administrator, was fired from his job at McLane Advanced Technologies, a military contractor and IT service provider. He had set up a back-door account before he was escorted out. Some time later, he used his back-door account to log into his former employer’s systems via the Wi-Fi at a local restaurant, deleted the payroll files for one of McLane’s customers, and apparently accessed files belonging to another customer. The customer was unable to process timecard entry or payroll for a few days, and ultimately McLane contacted the US Secret Service to report that their computer systems had been attacked. Palmer admitted his guilt in Federal Court and stated that “The only reason for logging into any of these servers was to create general havoc and disorder for McLane Advanced Technologies the following day.” Just to add a little insult to injury, McLane advertises themselves as “… adhering to a strict set of values and ethical standards by doing what’s right for our customer” in the areas of (among others) “Software Development”, “Data Management”, and “Information Security”. Fine-sounding words for a company that apparently couldn’t muster enough ethics to implement even basic identity and access governance processes. Thank goodness it was only a payroll system. What if it had been something more critical?

Ok, I’m being harsh. I don’t know the company, and perhaps there are some extenuating circumstances. But there are so many ways that this attack could have, and should have, been prevented, I can only conclude that no one was paying attention. Let’s see how many simple identity governance practices might have helped prevent this mess:

  1. Appropriate delegation of administrative rights – assuming that Mr. Palmer’s job didn’t require routine creation of user accounts, he shouldn’t have been able to create his back-door account to begin with. Nor should the account he created have had any access to customer files.
  2. Appropriate workflow around creation of a privileged account – apparently there was no review and approval for the creation of the back door account.
  3. Proper auditing and review of user account changes – the creation of a privileged account should have fired an alert and triggered an immediate review.
  4. Privileged account management – privileged accounts should be normally disabled and “checked out” for use only after appropriate approval, and only for a specific amount of time.
  5. Functioning account deprovisioning – when Palmer was fired, all of the accounts he owned should have been immediately disabled.
  6. Access attestation and certification – no one attested to the validity and necessity of Palmer’s privileged back door account. To be fair, you usually do access reviews and attestations on some sort of a scheduled basis, e.g. quarterly, and he may have created and used his backdoor account within that period.
  7. Appropriate authentication technology – As a general rule, privileged accounts should not be usable by people logging in from non-company-owned devices from public networks without a second form of authentication like a smart card or OTP. I’m assuming of course that both his company laptop and any smart card would have been confiscated when Palmer was fired.
  8. Appropriate authorization technology – Smarter (e.g. dynamic and contextual) authorization technology would have saved the day here as well. An appropriate access policy for deleting customer files would have included rules like “only from a recently certified (attested to) account” and “not from a public IP” and “not from a public device”.
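To make a few of the checks above concrete, here is a small correlation script (added for this post; it is not McLane’s code, nor any Quest product’s) that runs over a handful of constructed Windows Security events and flags the three failures in the story: a new account dropped into a privileged group with no approved change (practices 2 and 3), a back-door account that outlives its creator’s termination (practices 5 and 6), and a privileged logon from a non-corporate address (practices 7 and 8). The event IDs are the real ones (4720 user created, 4728 member added to a global security group, 4725 user disabled, 4624 logon), but the field names, user names, ticket numbers, HR feed and corporate IP ranges are all assumptions made up for the example.

```python
"""
Added example: correlating Windows Security events to catch the IAG
failures described in the list above. The event dicts, HR termination feed,
change tickets and corporate address ranges are constructed for the example
(assumed field names; the event IDs themselves are the real Windows ones).
"""
import ipaddress
from datetime import datetime

# Constructed sample log (not real data). "subject" is the account that made
# the change, "target" the account acted on or logging on. Times are UTC.
EVENTS = [
    {"time": "2011-08-01T09:15:00", "id": 4720, "subject": "exadmin", "target": "svc_backup2"},
    {"time": "2011-08-01T09:16:00", "id": 4728, "subject": "exadmin", "target": "svc_backup2",
     "group": "Domain Admins"},
    {"time": "2011-08-02T10:00:00", "id": 4720, "subject": "jdoe", "target": "svc_sql",
     "ticket": "CHG-1042"},
    {"time": "2011-08-02T10:01:00", "id": 4728, "subject": "jdoe", "target": "svc_sql",
     "group": "Domain Admins", "ticket": "CHG-1042"},
    {"time": "2011-08-05T17:30:00", "id": 4725, "subject": "hr_admin", "target": "exadmin"},
    {"time": "2011-08-09T21:42:00", "id": 4624, "target": "svc_backup2", "ip": "203.0.113.77",
     "logon_type": 10},
    {"time": "2011-08-09T08:05:00", "id": 4624, "target": "svc_sql", "ip": "10.20.30.40",
     "logon_type": 3},
]

TERMINATIONS = {"exadmin": "2011-08-05T17:30:00"}  # assumed HR feed: user -> termination time
APPROVED_TICKETS = {"CHG-1042"}                     # assumed change-management approvals
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]  # assumed internal ranges
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def _t(stamp):
    return datetime.fromisoformat(stamp)


def unapproved_privileged_creations(events=EVENTS, approved=APPROVED_TICKETS):
    """Practices 2/3: a freshly created account added to a privileged group
    with no approved change ticket attached. Returns sorted account names."""
    created = {e["target"] for e in events if e["id"] == 4720}
    return sorted(
        e["target"] for e in events
        if e["id"] == 4728 and e["group"] in PRIVILEGED_GROUPS
        and e["target"] in created and e.get("ticket") not in approved
    )


def surviving_backdoors(events=EVENTS, terminations=TERMINATIONS):
    """Practices 5/6: accounts created by a since-terminated user before the
    termination that were never disabled. Deprovisioning should have caught
    everything the leaver created, not just the leaver's own account."""
    disabled = {e["target"] for e in events if e["id"] == 4725}
    found = []
    for e in events:
        if e["id"] != 4720 or e["subject"] not in terminations:
            continue
        if _t(e["time"]) <= _t(terminations[e["subject"]]) and e["target"] not in disabled:
            found.append(e["target"])
    return sorted(found)


def privileged_logons_from_outside(events=EVENTS, nets=CORPORATE_NETS):
    """Practices 7/8: a member of a privileged group authenticating from an
    address outside the corporate ranges (a restaurant Wi-Fi, say).
    Returns (account, source ip) pairs."""
    privileged = {e["target"] for e in events
                  if e["id"] == 4728 and e["group"] in PRIVILEGED_GROUPS}
    hits = []
    for e in events:
        if e["id"] != 4624 or e["target"] not in privileged:
            continue
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in net for net in nets):
            hits.append((e["target"], e["ip"]))
    return hits


if __name__ == "__main__":
    print("unapproved privileged creations:", unapproved_privileged_creations())
    print("back doors surviving termination:", surviving_backdoors())
    print("privileged logons from outside:", privileged_logons_from_outside())
```

On the constructed data, svc_backup2 trips all three checks while svc_sql (created under an approved ticket, used from an internal address) trips none. Any of the three alerts, had it existed, would have put a human in front of the back-door account before it was used; the third would have been a candidate for an outright deny under the contextual authorization policy in practice 8.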

So that’s eight different IAG activities, any one or two of which would have prevented this attack. All of them are well-known practices, and all but the last one are implementable using commercial off-the-shelf software such as Quest One Identity Manager, Active Roles Server, Quest Privilege Manager, Change Auditor for Active Directory, and Defender. Some of these processes and controls are implementable (with effort and some scripting) just using what’s in the box with Windows. For a Gold Certified Microsoft Partner boasting a CMM Level 3 software development certification as McLane is, putting these processes in place should not have been a problem provided someone was actually paying attention. And there’s the point. If you host sensitive data on your computer systems (and who doesn’t?), someone in executive management has to be paying attention. Typically this would be the CIO or CSO, but at the end of the day it’s on the CEO to ensure that the company is taking due care to ensure that access to critical corporate assets is controlled and audited in a way that ensures the security of the data and of the company. Perhaps that’s something they should be teaching at Famous CEOs School.

In case you didn’t get that last reference, see Famous Artists School on Wikipedia.

Tags:

Identity and Access | Security

Now this is pretty funny…

6/7/2011 8:02:29 PM

My colleague Eckhard sent me these pictures from Hamburg, Germany. It is of the construction of a new retail store on the main shopping street in Hamburg. You might think that it would be a new Microsoft store, but you would be wrong. Look carefully at the “Windows” logo. What’s wrong with it? Are the blue and green squares in the right place? Why no, they’re not!

It turns out this is of the new Apple Store. Nice to see someone in a large corporate marketing department has a sense of humor. Good one, Apple!


Tags:

Other technology-related

20 years of Windows Upgrades

3/23/2011 6:34:17 AM

The priority of backwards-compatibility in the Microsoft development culture is sometimes overlooked. Check out this video of upgrading a single machine from DOS/Win 1.x through each successive version of Windows up to Windows 7. You can still run many (most?) 20-year-old DOS and Win 1 apps on Windows 7 (on the 32-bit editions, at least; the 64-bit editions dropped the 16-bit subsystem). http://www.networkworld.com/community/blog/absolutely-brilliant-windows-upgrades-through

Tags:

Other technology-related

TEC 2011 is Around the Corner

2/17/2011 6:22:00 AM

Believe it or not, this is the 10th year for The Experts Conference (formerly The Directory Experts Conference). We (as NetPro at the time) hosted the first DEC in Scottsdale, AZ in 2001 with an audience of about 40 or so who all shared a strong interest in Active Directory. Since then, we’ve tweaked and expanded the conference to reflect changes in the technology landscape as well as the fickle whims of our corporate masters (I exaggerate. But not really. :Q) Today we routinely bring 500 or more people together to provide advanced Microsoft technology training and professional networking, for the experts, by the experts.

Starting in 2008, we expanded the technology scope of the conference beyond Microsoft directory and identity technologies, while maintaining the model that has made TEC so successful. We added a conference for Exchange in 2008 (now moderated by David Sengupta), a conference for SharePoint in 2009 hosted by Joel Oleson, and new for 2011 is the Experts Conference for Virtualization and Cloud, organized by Dmitry Sotnikov. The agendas for all of the conferences look really strong. Just browsing through the current lineup, several sessions jump out as being particularly compelling (yes, in the interest of not showing favoritism, I picked one from each conference).

  • Business in the Cloud, Identity Strategies and Technologies to Get Your Business Off the Ground – Brian Puhl
  • After the Cloud: The future for Exchange Administrators – Tony Redmond
  • Real World Implementation of Social Media Governance Leveraging SharePoint – Shaheed Eleazar
  • How to Sabotage a Cloud Project – Felix Gaehtgens

There are a ton of other sessions of course, and you can check them all out at http://www.tec2011.com.

Another new item this year is the PowerShell Deep Dive that will provide “deep technical and strategic engagement within the PowerShell community.” There should be about a half-dozen PowerShell product group members attending, so you can get some quality face time with the guys who are building the next version of PowerShell. You can see that the size and scope of TEC has really expanded in the ten years we’ve been hosting it, and astoundingly, the same two women who organized the first TEC in 2001 for 40 people are laboring behind the scenes to bring you TEC 2011 for upwards of 700. Christine McDermott and Stella Lowe bring their attention to detail and their unique personal touch to each and every conference to make TEC the one conference you have to go to each year. Organizing a conference like TEC is a giant PITA, particularly when you have to juggle competing priorities, recalcitrant vendors, and technical prima donnas who don’t know the difference between a deadline and a lifeline. If you do make it to TEC in Las Vegas this year, take the time to give them a hug and say thank you. Bring a nice gift, perhaps some flowers or a bottle of wine (keep the Jack Daniels till the last day of the conference, ok?).

I hope to see you at the Red Rock in Las Vegas!

Tags:

Identity and Access | TEC 2011

Customer-Focused Design Session Returns to TEC Europe

9/14/2010 8:55:42 PM

Robert deLuca and Dean Wells are organizing another Customer-Focused Design (CFD) session for TEC Europe. The CFD session they ran at TEC Europe last year was by far and away the most popular event at the conference, and I’m really excited that we get to have them do it again. For those of you who aren’t familiar with the idea, CFD is a structured process for generating and prioritizing software requirements. In this case, Dean and Robert will lead you through a process of developing requirements for the next version of Active Directory and its related technologies. I expect that a lot of the discussion will be around the connection between Active Directory and the cloud, but even so, I’m sure there will be a lot of features discussed for on-premises AD as well.

Tags:

Identity and Access | TEC 2010

Powered by BlogEngine.NET 2.0.0.36
Theme by Mads Kristensen