<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>MindBuzz</title><link>http://blogs.msdn.com/vineetgupta/default.aspx</link><description>Ramblings on just about anything and everything ...</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Moving Blog ...</title><link>http://blogs.msdn.com/vineetgupta/archive/2005/08/10/449857.aspx</link><pubDate>Wed, 10 Aug 2005 15:56:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:449857</guid><dc:creator>vineetgupta</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/vineetgupta/comments/449857.aspx</comments><wfw:commentRss>http://blogs.msdn.com/vineetgupta/commentrss.aspx?PostID=449857</wfw:commentRss><description>&lt;P&gt;&lt;FONT face=Verdana size=2&gt;I am moving my blog to &lt;/FONT&gt;&lt;A href="http://spaces.msn.com/members/vineetgupta"&gt;&lt;FONT face=Verdana size=2&gt;http://spaces.msn.com/members/vineetgupta&lt;/FONT&gt;&lt;/A&gt;&lt;FONT face=Verdana size=2&gt;. The reason is simple: a visitor on &lt;A HREF=""&gt;http://blogs.msdn.com&lt;/A&gt; expects a technology / MS-centric blog. Over the last few months, I have held back posts which are not tech / MS-centric exactly for this reason. However, at times I do feel a need to express my views on non-technology matters which to my mind, (I could be entirely wrong) are not appropriate here. It does not make sense to maintain two blogs so I am discontinuing this one and moving to MSN Spaces. &lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT face=Verdana size=2&gt;&lt;/FONT&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;FONT face=Verdana size=2&gt;To those who have been following my blog, big thanks and hope to see you guys on the new blog!&lt;/FONT&gt;&lt;/P&gt;
</description></item><item><title>Links to India Security Week Presentations</title><link>http://blogs.msdn.com/vineetgupta/archive/2005/05/27/422510.aspx</link><pubDate>Fri, 27 May 2005 02:23:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:422510</guid><dc:creator>vineetgupta</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/vineetgupta/comments/422510.aspx</comments><wfw:commentRss>http://blogs.msdn.com/vineetgupta/commentrss.aspx?PostID=422510</wfw:commentRss><description>&lt;P&gt;&lt;FONT face=Verdana size=2&gt;As promised, the ppts for the India Security Week are available for download:&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT face=Verdana size=2&gt;MSDN: &lt;/FONT&gt;&lt;A href="http://www.microsoft.com/india/msdn/events/may%5Fsec/"&gt;&lt;FONT face=Verdana size=2&gt;http://www.microsoft.com/india/msdn/events/may%5Fsec/&lt;/FONT&gt;&lt;/A&gt;&lt;BR&gt;&lt;FONT face=Verdana size=2&gt;Technet: &lt;/FONT&gt;&lt;A href="http://www.microsoft.com/india/technet/briefings/may%5Fsec/"&gt;&lt;FONT face=Verdana size=2&gt;http://www.microsoft.com/india/technet/briefings/may%5Fsec/&lt;/FONT&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT face=Verdana size=2&gt;I will post the webcast link as soon as it is ready! (Mon?)&lt;/FONT&gt;&lt;/P&gt;</description></item><item><title>India Security Weeks</title><link>http://blogs.msdn.com/vineetgupta/archive/2005/05/25/India-Security-Weeks.aspx</link><pubDate>Wed, 25 May 2005 03:55:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:421698</guid><dc:creator>vineetgupta</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/vineetgupta/comments/421698.aspx</comments><wfw:commentRss>http://blogs.msdn.com/vineetgupta/commentrss.aspx?PostID=421698</wfw:commentRss><description>
&lt;P&gt;I spent the last two weeks on the road as a part of the "India Security Weeks" team, meeting developers, IT Pros, academics and CXOs across India. In all, we conducted around 20 seminars / conferences with the various audiences across 5 cities. It was a huge learning experience.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The traveling party consisted of Detlef Eckert - Chief Security Advisor, Microsoft EMEA; &lt;A href="http://blogs.technet.com/steriley/default.aspx"&gt;&lt;SPAN&gt;Steve Riley&lt;/SPAN&gt;&lt;/A&gt; - Program Manager, Security Business Unit, Microsoft HQ; &lt;A href="https://blogs.msdn.com/dglover/default.aspx"&gt;&lt;SPAN&gt;Dave Glover&lt;/SPAN&gt;&lt;/A&gt; - Developer Evangelist, Microsoft Australia; Ramshankar Krishnan - Group Manager, Microsoft GDCI; Sanjay Sinha - IT Advisor, Microsoft India; and myself. Detlef focused on Microsoft's strategy around security, our long-term goals and our progress on this front. Dave talked about security from a developer's perspective: VS 2005 security enhancements, web-services security, and threats at the application layer and how to combat them. Steve gave a lot of insight around network security - the inadequacies of TCP/IP, the advantages offered by IPsec and, most importantly, how we think about security - right from tools and technologies to our choices while defining policies and our actions as end-users in day-to-day life. Ram, who is a part of the team which defines security for our internal IT, made the advice and the best practices offered by the rest of the speakers very real, as he talked about how we internally implement the same principles, and shared our internal process for making our applications more secure. Sanjay and I were in a supporting role.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We received great feedback from the attendees - the speakers were inundated with questions at every seminar / conference we attended. Here are the top 5 common questions we heard and some advice for the same:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1. I have a large network and cannot control who gets on the network. How do I handle rogue clients who have no business being on the network?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;A:&lt;/SPAN&gt; It is no longer feasible to control physical access to a network. The solution is logical isolation: domain members can be configured to accept incoming TCP/IP connections only from other trusted members of the domain. The idea is to use a protocol at the network layer (called IPsec) which signs and/or encrypts every network packet exchanged on the network. A host with a configured IPsec policy will ignore traffic which is not signed / encrypted. As usual, this can be centrally managed using AD and Group Policy. We call this approach &lt;SPAN&gt;"Server and Domain Isolation."&lt;/SPAN&gt; You can find out more about this at&amp;nbsp;&lt;A href="http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx"&gt;&lt;SPAN&gt;Server and Domain Isolation Using IPsec and Group Policy&lt;/SPAN&gt;&lt;/A&gt;. Microsoft IT uses the same approach internally to secure the Microsoft corporate network.
They have published their experience in &lt;A href="http://www.microsoft.com/technet/itsolutions/msit/security/ipsecdomisolwp.mspx"&gt;&lt;SPAN&gt;Improving Security with Domain Isolation - Microsoft IT implements IP Security (IPsec)&lt;/SPAN&gt;&lt;/A&gt;. Both articles are fairly detailed, but quite readable.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;2. I want to provide users remote access to my company's network. What are the risks? What steps should I take?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;A:&lt;/SPAN&gt; Providing remote access in a secure way takes a combination of several technologies. There is a guide titled&amp;nbsp;&lt;A href="http://www.microsoft.com/technet/itsolutions/wssra/raguide/RemoteAccessServices/default.mspx"&gt;&lt;SPAN&gt;Introduction to Remote Access Services&lt;/SPAN&gt;&lt;/A&gt;&amp;nbsp;which provides a prescriptive architecture. The basic idea is to adopt a defense-in-depth approach. As usual, Microsoft IT adopts (and often comes up with) the best practices we prescribe. Have a look at how we manage our own remote access at &lt;A href="http://www.microsoft.com/technet/itsolutions/msit/security/rasecwp.mspx"&gt;&lt;SPAN&gt;Security Enhancements for Remote Access at Microsoft&lt;/SPAN&gt;&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;3. How do I protect my data from being stolen?&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;A: &lt;/SPAN&gt;Put access control on the data, and not just on the medium of access. Windows Rights Management Services provides a way of doing this. In short, the idea is as follows:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;A user wanting to protect a document needs to be a trusted entity in a Rights Management System. He uses Microsoft Office to define permissions on the document (by default the permission is unrestricted access). This process transparently validates the user as being trusted and issues the licenses that define the usage rights and usage conditions provided by the user. The data is encrypted using keys generated by RMS. Now the document will open only using the public key resident on the RMS server. The RMS server issues the key only if the user a) is trusted by RMS and b) meets the usage rights as given by the creator of the document and defined in the license.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;OK, if that was cryptic, you may want to read &lt;A href="http://www.microsoft.com/windowsserver2003/techinfo/overview/rm.mspx"&gt;&lt;SPAN&gt;Windows Rights Management Services: Helping Organizations Safeguard Digital Information from Unauthorized Use&lt;/SPAN&gt;&lt;/A&gt;. For more details, check out &lt;A href="http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/rms.mspx"&gt;&lt;SPAN&gt;Windows Server 2003 Rights Management Services (RMS)&lt;/SPAN&gt;&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;4. It is difficult to manage the various patches Microsoft keeps issuing. Besides, these patches break existing applications. What should I do? How is Microsoft helping me?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;A: &lt;/SPAN&gt;We are attacking this problem from two perspectives: consistency and quality. Consistency means that we give you the same patching experience irrespective of the product / technology being patched. This will hopefully reduce the "extra effort / patch" significantly. More on &lt;A href="http://www.microsoft.com/technet/security/topics/patchmanagement/stdpatex.mspx"&gt;&lt;SPAN&gt;Standardizing the Patch Experience&lt;/SPAN&gt;&lt;/A&gt;. Quality means every patch that comes to you is tested rigorously before we give it over to you. More on&amp;nbsp;&lt;A href="http://www.microsoft.com/technet/security/topics/patchmanagement/patchmanagement.mspx"&gt;&lt;SPAN&gt;Understanding Patch and Update Management: Microsoft’s Software Update Strategy&lt;/SPAN&gt;&lt;/A&gt;. That said, no amount of testing on our part will replace testing the patch in your own environment before you deploy it. There is an extra cost to this testing, and we can help you to some extent using Virtual Server, but testing a patch is essential before you deploy it. This scenario would certainly improve in future, but will not go away.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;5. I do not know if my applications are secure. How do I find out? How do I make them secure?&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;A: &lt;/SPAN&gt;This is as much a problem for us at Microsoft as it is for everyone else. Our product teams came up with an approach called "Threat Modeling" to ensure that we write secure code. This is now used not only by our product teams but also by our internal IT.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In short, the idea is this: 1) Analyze your system's security, 2) Understand the hacker's perspective of your system, 3) Determine threats and take steps against them. The process is described in detail at &lt;A href="http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx?pull=/library/en-us/dnnetsec/html/thcmch03.asp"&gt;&lt;SPAN&gt;http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx?pull=/library/en-us/dnnetsec/html/thcmch03.asp&lt;/SPAN&gt;&lt;/A&gt;. There is a tool that allows creation of threat models, which can be downloaded from &lt;A href="http://www.microsoft.com/downloads/details.aspx?familyid=62830f95-0e61-4f87-88a6-e7c663444ac1&amp;amp;displaylang=en"&gt;&lt;SPAN&gt;http://www.microsoft.com/downloads/details.aspx?familyid=62830f95-0e61-4f87-88a6-e7c663444ac1&amp;amp;displaylang=en&lt;/SPAN&gt;&lt;/A&gt;. The tool was written by &lt;A href="https://blogs.msdn.com/fes/"&gt;&lt;SPAN&gt;Frank Swiderski&lt;/SPAN&gt;&lt;/A&gt;, who has also written a &lt;A href="http://www.microsoft.com/MSPress/books/6892.asp"&gt;&lt;SPAN&gt;book&lt;/SPAN&gt;&lt;/A&gt; on the subject.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;A couple of other good resources on the subject:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1. &lt;A href="http://www.microsoft.com/mspress/books/5957.asp"&gt;&lt;SPAN&gt;Writing Secure Code&lt;/SPAN&gt;&lt;/A&gt; by &lt;A href="https://blogs.msdn.com/michael_howard/"&gt;&lt;SPAN&gt;Michael Howard&lt;/SPAN&gt;&lt;/A&gt; and David LeBlanc. Seminal work. Required reading at Microsoft.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;2. &lt;A href="http://msdn.microsoft.com/security/securecode/default.aspx?pull=/msdnmag/issues/02/09/securitytips/default.aspx"&gt;&lt;SPAN&gt;Top Ten Security Tips Every Developer Must Know&lt;/SPAN&gt;&lt;/A&gt; by&amp;nbsp;&lt;A href="https://blogs.msdn.com/michael_howard/"&gt;&lt;SPAN&gt;Michael Howard&lt;/SPAN&gt;&lt;/A&gt;&amp;nbsp;and &lt;A href="http://pluralsight.com/blogs/keith/"&gt;&lt;SPAN&gt;Keith Brown&lt;/SPAN&gt;&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;3. &lt;A href="http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx?pull=/library/en-us/dnnetsec/html/ThreatCounter.asp"&gt;&lt;SPAN&gt;Improving Web Application Security: Threats and Countermeasures&lt;/SPAN&gt;&lt;/A&gt; on Patterns and Practices.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;4. Patterns and Practices have just released &lt;A href="http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnpag2/html/tmwa.asp"&gt;&lt;SPAN&gt;Threat Modeling Web Applications&lt;/SPAN&gt;&lt;/A&gt;. Read it today!&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am sure Steve, Dave and Ram would be blogging about their experience and providing more insights into the topics I have given above. Do check out their blogs. BTW, we video recorded the MSDN and Technet sessions in Bangalore and are making the same available online along with the presentations. I will post the link as soon as the content is ready.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;On a personal note, I think I have made some new friends - it was a motley crew I was traveling with, but there were a couple of common traits. One, they are all very professional people - dedicated to their work about which they think deeply. Second, they are all very good human beings - unassuming, down to earth and great fun to be with. I enjoyed myself thoroughly and am looking forward to meeting them once again!&lt;/P&gt;</description><category domain="http://blogs.msdn.com/vineetgupta/archive/tags/Security/default.aspx">Security</category></item><item><title>Linux Asia 2005 Conference</title><link>http://blogs.msdn.com/vineetgupta/archive/2005/02/15/372906.aspx</link><pubDate>Tue, 15 Feb 2005 23:49:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:372906</guid><dc:creator>vineetgupta</dc:creator><slash:comments>7</slash:comments><comments>http://blogs.msdn.com/vineetgupta/comments/372906.aspx</comments><wfw:commentRss>http://blogs.msdn.com/vineetgupta/commentrss.aspx?PostID=372906</wfw:commentRss><description>&amp;nbsp; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;The &lt;a href="http://www.linuxasia2005.com/"&gt;&lt;span style="COLOR: blue"&gt;Linux Asia 2005 Conference&lt;/span&gt;&lt;/a&gt; was held in New Delhi from Feb 9-11 and I got a chance to attend it. It was quite an experience.&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: Verdana; mso-outline-level: 1"&gt;&amp;nbsp;&lt;/p&gt; &lt;p style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;Highlights&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;&amp;nbsp;&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;1. 
&lt;a href="http://www.it.iitb.ac.in/~dbp"&gt;&lt;span style="COLOR: blue"&gt;Dr. Deepak Phatak's&lt;/span&gt;&lt;/a&gt; keynote on the first day on open source and its relevance to the Indian economy. He emphasized the need for open source to combine with a commercial model and clearly said that he differed from Prof. Stallman in that software should be free. His only reason for looking to open source was that it made software "affordable" for the masses and gave knowledge back to the community, unlike the existing IPR laws which allow companies to renew copyright by derivation, which he said was a violation of the spirit of the copyright period. He talked about the OS and the Productivity Suite his "Affordability Lab" is building in IIT Mumbai, and his initiatives on spreading technical education for the masses through open source software (e-Dronacharya) - experts answering student queries over the web. It was the best lecture in the entire conference and received a tremendous response from the audience. &lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;&amp;nbsp;&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;2. The Grid computing lecture by CDAC. The speaker, Mr. Seetharama Krishna, followed the Oracle speaker (who talked about 10g) and straight away blasted Oracle for marketing a product by using a wrong definition of the Grid (I had pointed out during the Q&amp;amp;A that the Oracle definition of "coordinated sharing of resources" without mentioning "commercial, political and geographical boundaries" was very restrictive and does not address the real issues of the grid). He then went on to describe the work CDAC has been doing in HPC and Grid - it's really impressive - see &lt;a href="http://www.cdacindia.com/html/hpcc.asp"&gt;&lt;span style="COLOR: blue"&gt;http://www.cdacindia.com/html/hpcc.asp&lt;/span&gt;&lt;/a&gt; for details. 
He also talked about the relevance of open source to such "experimental work" since this "gives access to source code which is key to making fundamental changes to suit the various purposes" and said that their work could not have been done without open source and Linux. His lecture triggered off a long discussion in the audience on the need for open source to be more pervasive. &lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;&amp;nbsp;&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;3. The lecture by Shrikant Patil from Intel. It was a very frank talk - he pointed out that there was great demand for Linux on the server but the client had a long way to go and was today really a proxy for piracy of Microsoft Windows. Said that Intel's goal is to make Linux run best on their chips and they support Linux on all their processors and motherboards - from Itanium to Centrino. He talked about the Quickstarter kit and the perf-tuning tools Intel provides for Linux. The quickstarter kit was extremely well received since it addresses the device-driver issue in a big way. &lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;&amp;nbsp;&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;4. A lot of enthusiasm in the student / academic community for adopting open source and using it. However, I hardly heard of anyone contributing their time to develop code to distribute in the "open form" (except for people like Dr. Phatak and his teams). &lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;&amp;nbsp;&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;5. 
Some great questions on the problems surrounding the Linux model - multiple distributions making things difficult for ISVs, patch distribution, lack of relevant applications for students on Linux (right from Doom 3 to VHDL compilers), lack of GUI tools for a guy managing Internet Cafes in Chandigarh ... &lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: Verdana; mso-outline-level: 1"&gt;&amp;nbsp;&lt;/p&gt; &lt;p style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;Low Lights&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;&amp;nbsp;&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;1. No Q&amp;amp;A sessions for the opening keynotes - people were not happy about it. &lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;&amp;nbsp;&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;2. The keynote address by the Redhat CEO - Matthew Szulik. He followed Dr. Phatak and apparently had his talk on similar lines, so he got down to talking without slides and it was really unstructured - I had trouble following the points he was trying to make. As expected, he made an oblique reference to Microsoft - "There are one or two companies who don't want this (Open Source) to happen" and tried to evoke a response from the audience. It took two attempts before he got some muted laughter. He talked about how Redhat has built a successful model on open source and encouraged entrepreneurship and VC funding for launching similar companies in India.&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;&amp;nbsp;&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;3. The keynote address by the Suse CTO - Juergen Geck. 
He started off by saying that the multiple distribution problem is no longer there - there are really only two distributions out there - Novell/Suse and Redhat. This got a deafening silence in response. He complimented Microsoft on .Net and talked about enabling it on Linux thru Mono, but when a student later asked him on IDEs for Mono, he said he expected the community to come up with these tools. This did not seem to resonate with the audience very well. He also talked about the Linux API forking issues and said that open source prevents this from happening since people can see each other's code (so goodbye to design by contract!). &lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;&amp;nbsp;&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;4. The execution of the "Migration to Linux made Easy" workshop. It only succeeded in demonstrating how difficult and tacky it is to migrate to Linux. The speakers focused on Microsoft only (so migration from Exchange, not Domino, till I asked about it, migration to mySQL from MS-SQL, and not Oracle or DB2). There were several references to the "closed" nature of Exchange making migration difficult. When I asked how IBM has&amp;nbsp;opened up Lotus, there was reluctant agreement&amp;nbsp;that Lotus too was proprietary and migration from Lotus was as difficult.&amp;nbsp;The only thing that looked&amp;nbsp;doable was migration from NT domains (not much talk about AD or group policies). And really the only capable technology discussed was Samba. The rest of the tools still leave a lot to be desired. &lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: Verdana; mso-outline-level: 1"&gt;&amp;nbsp;&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;5. The panel discussion on "Is Linux Ready for the Desktop." 
The discussion was really a presentation by three speakers followed by some Q&amp;amp;A. 90% of the time was taken by the speakers who all made the assumption that Linux was ready and then proceeded to give some arguments. The audience really dug into them and asked some very pointed questions (guarantee of not having viruses on Linux, claim of lesser hardware requirements, the not-so-nice look and feel, inefficient performance, interop with existing systems, etc.). The answers typically were "next version" (where have I heard that song before?) and not too convincing. &lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: Verdana; mso-outline-level: 1"&gt;&amp;nbsp;&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;6. Logistics. There were several registration counters by audience types and the number of conference days / workshops they were attending. I had to shunt around three desks before getting my badge. Similarly, the signs for the workshop were placed on day one and the venue changed on day two, but the signs were not updated - it took some hunting before I could locate the workshop. There was wireless networking but not much coverage - you had to be within a 20 m range of the single access point to get a decent signal. The food, though, was pretty good. &lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: Verdana; mso-outline-level: 1"&gt;&amp;nbsp;&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;What surprised me was the misinformation and the FUD. 
Almost every vendor made a reference to Microsoft on security, proprietary nature, creating lock-ins, etc, without bothering to explain where the assumption comes from, and how the same issues would not plague the Linux vendors as they try and build more features to gain competitive advantage. IBM stuck to creating confusion between open source and open standards. For example, Jyoti Satyanathan, Country Manager Power Projects from IBM, cited the example of being unable to browse some sites using Firefox since they were optimized for IE and checked the browser. This, he said, was perversion of the Internet and that open source prevents this. During Q&amp;amp;A, when I asked him to distinguish between open source and open standards, his colleague responded that open source leads to open standards. On challenging that assumption by citing examples of open standards and pointing out that there was no "open-source" involved in development of any of these standards, there was no credible response. &lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: Verdana; mso-outline-level: 1"&gt;&amp;nbsp;&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;What was also surprising was the lip-service to open-source, but thankfully, more and more people are waking up to the fact that there is a little substance behind it. When IBM was talking about the "opening up" of the Power-PC architecture, I asked about their plans to open the source code for their key product lines - Mainframes, WebSphere and Lotus. The IBM speaker responded that it would never happen since they had to make money too. He later came up with a more politically correct response, but the damage was done. The audience picked it up and questioned them more deeply on their philosophy for open source. The responses were not credible. 
The same speaker said that they considered their support of open source a competitive advantage, but failed to explain why they don't open source WebSphere App Server like JBoss. &lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: Verdana; mso-outline-level: 1"&gt;&amp;nbsp;&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;What this means in the long term for companies like IBM that endorse open source today, is that when it comes to strategic technologies and products, they will continue to be proprietary, and even compete with the open source offerings. So Eclipse is open source, but not WebSphere - it competes with JBoss. Cloudscape is open source, but not DB2 - it competes with MySQL. Same issue with Oracle - they "make Linux secure," but would not open the source code of their product.&amp;nbsp;Obviously it makes sense - you don't want to open up your strategic, revenue-earning assets. But then why pay lip-service? Isn't this plain hypocrisy? Would these companies ever let open source spread to the areas they compete in? What does this mean for companies like Red Hat? Even if they wanted to, would they ever be able to grow into the middleware, database markets, or any markets IBM and Oracle compete in?&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: Verdana; mso-outline-level: 1"&gt;&amp;nbsp;&lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: verdana; mso-outline-level: 1"&gt;On a personal note, Dr. Phatak's talk was quite inspiring. His vision - affordable computing, education for the masses - is indeed laudable. But there are more fundamental problems to solve - the most critical one being getting cheaper life saving drugs and vaccines in this part of the world. The issues, I believe, are same - pharma companies spend billions of dollars in research and then obviously don't want to just give away their IP. 
Obviously, something as simple as making the formula open and free to modify - the current open source model - wouldn't work. If a model can be found for addressing this issue in the pharma world, I am sure the software industry will also be able to adopt it in a more holistic way. &lt;/p&gt; &lt;p style="FONT-SIZE: 10pt; MARGIN: 0in; FONT-FAMILY: Verdana; mso-outline-level: 1"&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=372906" width="1" height="1"&gt;</description></item><item><title>Accessible Software</title><link>http://blogs.msdn.com/vineetgupta/archive/2005/02/09/369810.aspx</link><pubDate>Thu, 10 Feb 2005 04:10:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:369810</guid><dc:creator>vineetgupta</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.msdn.com/vineetgupta/comments/369810.aspx</comments><wfw:commentRss>http://blogs.msdn.com/vineetgupta/commentrss.aspx?PostID=369810</wfw:commentRss><description>&lt;p&gt;&lt;font face="Verdana" size="2"&gt;I saw this movie&amp;nbsp;the other day - "Black". It is the story of a girl who becomes deaf and blind as an infant after a sickness - much like Helen Keller - and her relationship with her teacher who makes her discover the world around her, when everyone, including her parents, had given up hope of her living like a civilized person. After putting his student on the road to graduation, the teacher disappears, only to return 10 years later in an advanced state of Alzheimer's, having forgotten everything. The girl takes it on herself to make him re-discover the world which he had once revealed to her.&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="Verdana" size="2"&gt;It was a powerful film and may well go on to win most of the Indian film industry awards and may even get nominated for an Oscar in the foreign film category - at least I was deeply moved. It made me think of the role software can play for those who have special needs. 
A lot of work has already been done to make software more accessible, but there is a long way to go. Unfortunately, we often ignore this key aspect of software design.&lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="Verdana" size="2"&gt;Over the next few months, I will try and communicate the value and techniques of writing accessible software thru my blog. There is already one out on this topic from the VS Accessibility team - &lt;/font&gt;&lt;A href="http://blogs.msdn.com/vsaccessibility/"&gt;&lt;font face="Verdana" size="2"&gt;http://blogs.msdn.com/vsaccessibility/&lt;/font&gt;&lt;/a&gt;&lt;font face="Verdana" size="2"&gt;, with a bunch of excellent articles. I would try and keep things simpler and broader. &lt;/font&gt;&lt;/p&gt; &lt;p&gt;&lt;font face="Verdana"&gt;&lt;br /&gt;&lt;font size="2"&gt;&lt;/font&gt;&lt;/font&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=369810" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/vineetgupta/archive/tags/General/default.aspx">General</category></item><item><title>A new way of searching the web!</title><link>http://blogs.msdn.com/vineetgupta/archive/2005/01/04/346132.aspx</link><pubDate>Tue, 04 Jan 2005 11:54:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:346132</guid><dc:creator>vineetgupta</dc:creator><slash:comments>13</slash:comments><comments>http://blogs.msdn.com/vineetgupta/comments/346132.aspx</comments><wfw:commentRss>http://blogs.msdn.com/vineetgupta/commentrss.aspx?PostID=346132</wfw:commentRss><description>&lt;div&gt;&lt;span class="356452807"&gt;&lt;font face="Verdana" size="2"&gt;I was recently looking for information on the risk ratings of the various GGs and what&amp;nbsp;initiatives&amp;nbsp;exist&amp;nbsp;to study these&amp;nbsp;phenomena. It took me over half an hour to find what I was looking for. The problem was simple - too much information. Try googling on Tsunami and you get well over 11 mill results. 
How does one go over this result set and find relevant information?&lt;/font&gt;&lt;/span&gt;&lt;/div&gt; &lt;div&gt;&lt;span class="356452807"&gt;&lt;font face="Verdana" size="2"&gt;&lt;/font&gt;&lt;/span&gt;&amp;nbsp;&lt;/div&gt; &lt;div&gt;&lt;span class="356452807"&gt;&lt;font face="Verdana" size="2"&gt;Enter Search Result Clustering - a non-linear way of looking at results as compared to the traditional "ranked list"&amp;nbsp;that makes it faster for the user to reach his desired results. The idea is to use a clustering algorithm to&amp;nbsp;aggregate related results together under derived headings. &lt;/font&gt;&lt;/span&gt;&lt;span class="356452807"&gt;&lt;font face="Verdana" size="2"&gt;Want to see how this works? Check out &lt;a title="http" href="http://wsm.directtaps.net/default.htm"&gt;http://wsm.directtaps.net/default.htm&lt;/a&gt;&amp;nbsp;-&amp;nbsp;courtesy MSR Asia. Download the toolbar or search from the site directly!&lt;/font&gt;&lt;/span&gt;&lt;/div&gt; &lt;div&gt;&lt;span class="356452807"&gt;&lt;font face="Verdana" size="2"&gt;&lt;/font&gt;&lt;/span&gt;&amp;nbsp;&lt;/div&gt; &lt;div&gt;&lt;span class="356452807"&gt;&lt;font face="Verdana" size="2"&gt;Note that this is not a search or indexing technology - the input to the algorithm is the original query and the returned ranked list of&amp;nbsp;results (could be from any search engine) -&amp;nbsp;the algorithm extracts phrases from results-titles and ranks these phrases as cluster headings. More details on &lt;a title="http" href="http://research.microsoft.com/users/hjzeng/p230-zeng.pdf"&gt;http://research.microsoft.com/users/hjzeng/p230-zeng.pdf&lt;/a&gt;.&lt;/font&gt;&lt;/span&gt;&lt;/div&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=346132" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/vineetgupta/archive/tags/Cool+Stuff/default.aspx">Cool Stuff</category></item></channel></rss>