January 2013


development and infrastructure | 29 Jan 2013 03:47 pm

I have been playing with an HP 1U server for the last few days, installing CentOS 6.3 on the server, and getting it ready to be staged in the Data Center as part of the Data Loss Prevention (DLP) system QA environment.

I always recommend that when setting up any type of computer system for a company you first build out a full sized QA environment. That way you can always test upgrades or troubleshoot problems in the QA environment without impacting your production system.

It’s interesting that some companies don’t want to expend the extra cost of putting in a QA system, but nowadays I insist on having a full QA environment. Without having one, nothing good will come of it.

A best practice that I learned from the company I work at is very interesting. NOBODY goes into the data center during daytime business hours. And, after hours, the only people that can access the data center are people that work for the Data Center operations team. If you need access to the server, you can use the Lights Out access program.

This best practice reminds me of a funny story from a company I was working for MANY years ago. My cube was outside of their main data center. One afternoon, there were two guys working on the electrical panel outside of the data center that had the main cut off switch for all power in the data center and the building. These two guys had a ladder, and took off the front door of the electrical panel, and for what seemed like a good idea at the time, they hung this door above the panel.

So there I was sitting in my cube, and all of a sudden, I hear a POP sound, there is PITCH BLACKNESS in the room, followed by a few clangs and all of the power goes out. My computer, the lights, everything in the building. And then, a few seconds later, emergency lighting goes on.

The panel they perched above the main cutoff switch fell from its perch, and hit the breaker, causing all power to be cut to the data center. And because that switch was thrown, the transfer switch did not transfer power to the batteries and generator and all power in the data center to all of their computers was shut off, causing their mainframe to shut down hard, which disrupted the order entry system for all of their 375 locations around the country.

After a hard shutdown, it took them 45 minutes to bring the mainframe back up after the two electrical workers debated for a few minutes about flipping the breaker back, restoring power to the facility. So I can understand first hand why NOBODY goes into the data center during business hours, and after hours, only the data center operations team.

Which brings me to the part of the blog entry I wanted to blog about. Using HP Lights Out, from my desk, I can access my server as if I am sitting in front of it. I needed to do this today, because when setting up the network for the server, I must have fat fingered the default network route so I was unable to SSH into the server until I fixed the default route today.

I was telling my son yesterday that we are very fortunate today to have Google at our fingertips with manuals and instructions for virtually everything available, including how to restart your network in CentOS when you change your default route. In the old days, you had to memorize all of the useless trivia facts and esoteric UNIX commands instead of being able to look them up on the fly.

So, my CentOS server is now installed in the data center, and security patched using YUM, and is ready to have the DLP component installed on it later today and added to the DLP QA environment. Another fun day.

IT Security | 15 Jan 2013 10:50 am

I’ve been doing a lot of thinking about the Internet Wunderkind Aaron Swartz case and his unfortunate suicide. My day job is on a Global Information Security team for an amazing company as an expert in Data Loss Prevention protecting a company’s Sensitive Information, Personally Identifiable Information including HR data, and Intellectual Property including Source Code. I have also spent years as a Computer Forensics expert. So given my background I am typically never on the side of somebody who would be accused of hacking. But, was that really what was going on here? I’m not so sure.

There are a few facts associated with the criminal case against Aaron. He did access an unlocked wiring closet in the basement of the MIT campus, connect a laptop to the MIT wireless network, and download 4 million scholarly documents from the JSTOR repository. When accessing the JSTOR database from the MIT registered IP Internet address block, unlimited access to the data was allowed.

Then we have a couple of facts that have not been reported as widely. The wiring closet at MIT was unlocked. In addition to computer wiring, a homeless person was using the room to store his or her stuff. So there was not really a breaking and entering in my mind. When I was in Boston last summer my boys and I walked through the MIT and Harvard campuses and buildings, to elicit interest and excitement for my boys in higher education. It’s not like the campus was locked down. And, I believe that Aaron’s father worked for MIT. So was leaving a laptop in an unlocked room at the University really a crime?

The MIT wireless computer network had no authentication requested or required prior to receiving an IP address on the MIT wireless network. You attempt to connect and you get an IP address. There was NO authentication or security requested or required. So where is the crime in accessing the computer network if the MIT computer network did not instruct you that access to the network was restricted? I believe in the past the court system has struck down implicit consent to terms of service without proper acknowledgment.

When I stay at a hotel, or attempt to use Internet access at a restaurant like Panera, when I connect to the wireless network, I get directed to a web page that explains the terms of use when using the Internet access provided. MIT had no such landing screen when connecting to the MIT computer network. Without such warning or agreement on the part of the user, was there really a crime committed? I think that there would have been a very good chance that the charges would have been dismissed if the case ever went to trial.

There have been a couple of very good blog entries from people who knew Aaron and assisted him with the case. One from a Harvard Fellow, Lawrence Lessig, who characterized the US Prosecutor’s supposition that the Information that Aaron downloaded was worth tens of thousands to millions of dollars. He characterized anybody who said that as “idiots and liars”. Was the act of downloading scholarly journal information really a crime when access through the paywall was acceptable from the MIT network? And the MIT computer network had no authentication required and no warnings that using the MIT computer network was restricted? I’m not sure about it.

The entire article from Lawrence Lessig can be found here:

There was also a very good article by one of the Forensic examiners who was working on the case. He said that if he was asked at the trial if Aaron’s actions were wrong, he would not characterize them as wrong, but rather, inconsiderate.

Now did Aaron have some accountability in the mess with the federal government and the US prosecutor that he found himself in? Absolutely. There are some damning pictures from the case circulating around the Internet that show Aaron being captured on a hidden camera in the wiring closet wearing a mask to hide his face when he returned to retrieve the laptop. This documents that Aaron was well aware that his actions could be perceived as being against the law. And to that end, he should have been held accountable. And suffer a consequence for actions that he appears to know are illegal.

So let’s talk about accountability. JSTOR, the not-for-profit that stores and allows access to the information, declined to press charges against Aaron, and settled with him in June 2011 when Aaron returned the laptop with the information, and agreed not to publish the information. JSTOR instructed the US Attorney they DID NOT want charges against Aaron for accessing the data, and would not participate further in the case. Kudos to JSTOR for recognizing the case for what it was. Much ado about nothing.

MIT the university DID NOT decline to press charges.  Because of this the US Attorney was empowered to bring 13 federal charges against Aaron that could have resulted in a sentence of 35 years in prison and a $1.5 million dollar fine.  I find this to be a ludicrous potential outcome for actions that I have not personally come to terms with even being considered a crime given where and how the activities occurred.

I think that MIT should take full accountability for the lunacy of NOT instructing the US Attorney that MIT did not want the case to move forward, would not participate in the case, and wanted the case dismissed. I mean what was the information being captured? Scholarly information? There was NEVER any proof that Aaron intended to publish the information online outside of the JSTOR paywall. Accessing JSTOR from the MIT network was not illegal. And accessing an open computer network at MIT that did not require authentication does not strike me as illegal. And, given the benefit of the doubt, maybe Aaron was an idiot savant who wanted to personally read the 4 million scholarly documents that he downloaded? I still fail to see illegality in Aaron’s actions. But, alas, MIT, to their shame, did nothing to stop the prosecution of, by all accounts, a very talented technologist.

Over the course of the last two years, Aaron’s attorneys attempted to negotiate a plea bargain. In my opinion, the charges should have been reduced to a misdemeanor and Aaron given probation and told to never do this again. MIT, as an institution whose sole mission is to empower our best and brightest technologists, failed Aaron miserably. The very lack of compassion by the leaders of MIT is mind boggling considering in the MIT museum they have a section devoted to MIT hackers. Those at MIT in the museum who have been honored in the hacker section are there because they chose to think outside the box. It’s interesting to note also that Steve Jobs and Steve Wozniak, the founders of Apple, dabbled in “hacking” back in the day creating BLUE BOXES that enabled a person to illegally make long distance calls at no cost. It’s inconceivable that we would have NO Apple computers, iPhones, or consumer electronics, if the US Attorney put both Jobs and Wozniak in jail for 35 years for building Blue Boxes. As it turned out, John Draper, AKA Captain Crunch, got 2 months in prison for building and using BLUE BOXes during which time he wrote one of the world’s first word processing software programs.

In addition to the failure of MIT to protect a brilliant and naïve technologist it was an utter and complete failure of the US Attorney to pursue the scorched earth prosecutorial approach against Aaron for his crime. While allowing the likes of HSBC to skate away virtually free and not accountable for providing money laundering services as the drug cartels laundered billions of dollars in illegal drug money, they chose to treat Aaron harsher than murderers and the 9/11 terrorists. I think that Eric Holder needs to initiate a thorough review of how this case proceeded through the justice department, and quite possibly request the resignation of the US Attorney who propagated this case through the court system.

With the entire weight and force of the United States government behind it, and all of the resources and funding that comes to bear with it, the US Attorney’s office must take a measured approach that truly and impartially reviews the causes and actions that they are taking. It makes no sense whatsoever in any measured view that downloading scholarly journals to a laptop computer would elicit a 13-count federal indictment, a potential of 35 years in prison and a $1.5 million dollar fine.

And now, it’s too late for Aaron. I think that there were many reasons beyond the case that were bubbling through the mind of this young troubled and unstable brilliant technologist to lead him down the path he chose. Depression can be a terrible thing. If anything positive can come out of this sorry affair, maybe it would be a spotlight on depression and the treatment of it, and a review of the prosecutorial indiscretion demonstrated through this episode of folly with some checkpoints being put in so that this can never happen again.

Godspeed, Aaron Swartz