Real Life Lessons: Access Control
- At January 31, 2008
- By Josh More
- In Business Security
The third lesson to learn from my incident is the importance of access control. This model is often described in policy and procedure terms. As an example, we’ll use the different levels of people whom I allow into my house.
From a policy perspective, I lay out the rules and roles of different people who are permitted to access my house:
1. I always allow myself access to my house. In I.T. terms, I am my house’s administrator (or “root”) and have permission to go everywhere.
2. I also allow my cats access to much of my house. However, as I have a higher level of clearance, there are certain rooms into which I may go (laundry room, exercise room), from which my cats are banned.
3. At a lower level of clearance are my friends and family. While they can come over, I generally prefer that this occur only when I am present. While there are some rooms in which they are permitted without supervision (bathroom), in others I need to be present (bedroom and office).
4. Lastly, some people fall under the “service personnel” category (plumbers, electricians, etc). Their access is limited to a “need to know” basis, and I tend to be present at all times.
5. All other people are not permitted in my house.
Once a policy is defined, the next step is to implement it. There are many, many ways to do this. In my case, I use an access control list (ACL), which defines who has access to do what, and rely on a combination of mandatory and discretionary access controls. Allow me to explain:
- To implement (1) in the policy, I give myself a set of keys to everything in the house. This gives me complete access to everything that exists. The ACL entry would read: “Me: ALL”. The control would be mandatory, as I require a key to access what I need.
- To implement (2) in the policy, I give my cats free range to all the rooms in which they are permitted. For the rooms from which they are banned, I simply close the door. The ACL entry would read: “Cats: ALL except ‘laundry room, exercise room, office’”. The control would be mandatory, as I am relying on the fact that my cats lack opposable thumbs and cannot operate the doorknobs. (They are also not allowed on the kitchen table or counters, but this is a discretionary control, as can be evidenced by the fact that I often hear a thump when I walk into the kitchen, followed by a small furry face looking up at me with a perfect picture of innocence.)
- To implement (3) in the policy, I had to be somewhat more complicated. Generally, my friends are allowed in my house, but only when I am present. However, in certain circumstances (when I am traveling), certain friends are allowed to come over and feed my cats. The ACL here is somewhat more complex:
  - “Friends: ALL when ‘Me in room’”
  - “Friends: ‘bathroom, kitchen, living room’ when ‘Me in house’”
  - “Friends.trusted: ‘bathroom, kitchen, living room’”

  The control here is a combination of mandatory and discretionary. In order to access my house, my friends must either request access (ring the doorbell) and have it granted (I open the door and let them in) or be in the Friends.trusted group (I give them a key). This allows them access to the house. Once they are in, I rely on the discretionary access control of social mores (the customs, not the eels) to keep them from digging around my private areas.
- To implement (4) in the policy, I use a similar method as with friends but with a tighter ACL rule: “ServicePersonnel: ALL when ‘Me in room’ AND ‘have reason’”. As with my friends, the service personnel must request access and have it granted. Then, I stay with them at all times to keep them only where they have a reason to be.
- To implement (5) in the policy, I simply keep the doors locked and the security system armed.
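The ACL entries quoted above can be written as a small default-deny evaluator. This is an added example, not code from the original post; the class, field and function names are assumptions, and it models only the mandatory part of the policy (the discretionary controls cannot be enforced in code).

```python
from dataclasses import dataclass
from typing import Optional

COMMON = frozenset({"bathroom", "kitchen", "living room"})
CAT_FREE = frozenset({"laundry room", "exercise room", "office"})

@dataclass(frozen=True)
class Request:
    roles: frozenset                  # groups the requester belongs to
    room: str                         # room being entered
    owner_room: Optional[str] = None  # where "Me" is; None = not in the house
    has_reason: bool = False          # the "have reason" condition

# Conditions, named after the wording of the quoted ACL entries.
def me_in_room(req: Request) -> bool:
    return req.owner_room == req.room

def me_in_house(req: Request) -> bool:
    return req.owner_room is not None

def have_reason(req: Request) -> bool:
    return req.has_reason

@dataclass(frozen=True)
class Rule:
    role: str
    rooms: Optional[frozenset] = None  # None means ALL rooms
    excluded: frozenset = frozenset()  # the "except" list
    when: tuple = ()                   # every condition must hold

    def grants(self, req: Request) -> bool:
        return (self.role in req.roles
                and (self.rooms is None or req.room in self.rooms)
                and req.room not in self.excluded
                and all(cond(req) for cond in self.when))

# One Rule per ACL entry quoted in the post.
ACL = (
    Rule("Me"),
    Rule("Cats", excluded=CAT_FREE),
    Rule("Friends", when=(me_in_room,)),
    Rule("Friends", rooms=COMMON, when=(me_in_house,)),
    Rule("Friends.trusted", rooms=COMMON),
    Rule("ServicePersonnel", when=(me_in_room, have_reason)),
)

def is_allowed(req: Request, acl=ACL) -> bool:
    """Policy item (5): a request that no rule grants is denied."""
    return any(rule.grants(req) for rule in acl)

if __name__ == "__main__":
    # Constructed sample requests.
    friend = frozenset({"Friends"})
    trusted = frozenset({"Friends", "Friends.trusted"})
    samples = [
        ("friend, office, owner in kitchen", Request(friend, "office", "kitchen")),
        ("friend, bathroom, owner in kitchen", Request(friend, "bathroom", "kitchen")),
        ("trusted friend, kitchen, owner away", Request(trusted, "kitchen")),
        ("stranger, living room, owner away", Request(frozenset(), "living room")),
    ]
    for label, req in samples:
        print(f"{label}: {'ALLOW' if is_allowed(req) else 'DENY'}")
```

Because the evaluator only grants and never denies explicitly, adding a role to a requester can widen access but never narrow it, which is why the trusted friend keeps the ordinary Friends rules as well.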
Though I failed operationally to implement (5) at the time of my incident, I have corrected this problem. My questions for you:
- What different roles/groups of people do you have in your business?
- How do you make sure that you limit access to these roles?
Real Life Lessons: Monitoring
- At January 29, 2008
- By Josh More
- In Business Security
The second lesson to learn from my incident is the importance of monitoring. The concept behind monitoring is that a service periodically checks the status of your resource and, if there is a problem, lets you know. These are commonly seen in physical security (where you have a device that knows when doors/windows open or if there is movement where there should not be) and in I.T. (where you periodically look at a web or email server and make sure that things are running properly).
In my case, I had three monitoring systems. My security system is aware of when doors or windows open, and if that occurs, it sounds an alarm and notifies the security company. This is highly (99%) reliable, when it is active. The fatal flaw in the system is that it does this whether a criminal comes in the house or if I leave the house. Thus, it is easy to leave it off when I am home. The second monitoring system is that of my watch cats. In theory, if someone enters the house, the watch cats will start hissing and clawing and otherwise alert me to the individual’s presence. In practice, the proper operation of watch cats is directly proportional to how tired they are… and how likely the intruder is to give them yummy food.
They’re not 100% reliable.
The third monitoring system was me. On some level I was aware that something wasn’t right, and the smell of cigarette smoke did wake me. However, while the monitoring was effective (I woke up), the monitor was not (I ignored the problem and went back to sleep).
Thus, all three of my monitoring systems failed, largely due to operational problems. I have corrected this by making sure that my security system is on, even when I am home. Like many operational challenges, the problem is taking the same action often enough to make it become a habit. Once you reach that point the operational costs are effectively zero.
My questions to you:
- What are your primary resources that need protection?
- How do you ensure that you know when they are affected?
Real Life Lessons: Defense in Depth
- At January 24, 2008
- By Josh More
- In Business Security
The first lesson to draw from my experience is that it almost perfectly illustrates the idea of Defense in Depth (DiD). Simply put, the concept is that it is best to layer your defenses. That way, if one layer fails, there is a good chance that a second layer will block the attack.
In my case, I had locks (two different ones). I had a security system. I also had two watch cats and a defensive weapon. When the incident occurred, my first two controls had failed. The locks weren’t engaged and the security system was off. However, my watch cats reacted to the changed circumstances (which I ignored). Once I became aware of the situation, I was able to arm myself and defuse it.
To generalize this, I hope you’ll oblige me while I lapse into a bit of math (a small amount, I promise).
Suppose that you are comparing two technologies. One is 99% effective, the other is 90% effective. If money were not a factor, most people would go to the 99% effective option. . . but let’s look a tad deeper. Let’s say that the 99% effective solution costs $100,000 but the 90% effective solution only costs $10,000. Now you’re caught in a classic security vs economy choice. However, suppose that there is a second product that is also 90% effective and costs $10,000. If you layer them, you get the following comparison:
99% – Cost = $100,000 – 1 out of every 100 attacks gets through.
90% + 90% – Cost = $20,000 – 10 out of every 100 attacks gets through the first layer… 1 out of every 10 attacks get through the second.
So, you are looking at the same average effectiveness – 1 out of every 100 attacks is successful, which leaves you free to compare the $100,000 and $20,000 price tags. The choice gets a lot easier, doesn’t it?
However, that’s only half of the story. Let’s extend this a bit with two more layers.
99% – Cost = $100,000 – 1 out of every 100 attacks gets through.
90% * 90% * 90% * 90% – Cost = $40,000 – 1 out of every 10000 attacks gets through!
So, for $100,000 you can get a single solution that is 99% effective. And for $40,000 you can get four solutions that combine to be 99.99% effective!
In my case:
- Locks ($200) – This is a binary defense. It is either ON or OFF. While you can still break the defense when they are ON, they are effectively absent when they are OFF.
- Security System ($200 + $20/mo) – This is also a binary defense. Given that it is inside the house, it is more difficult to break this defense, but still quite possible. Like the locks, it is 100% ineffective when it is OFF.
- Watch Cats (~$100/mo) – This is a complex defense. They have a high false positive rate. However, the false negatives are fairly low. The problem is that the high false positive rate creates the “cry wolf” problem that can render this defense ineffective. This is what occurred in my instance.
- Me + Sword ($200) – This is also a complex defense. It is highly expensive, as it depends on the primary resource that needs to be protected (me) to be effective. If it fails, the resource (me, again) could be compromised (i.e. injured or killed). On the plus side, I have a fairly low false positive rate (I almost never stab legitimate visitors) as well as a low false negative rate (I almost never let strangers wander around my house without confronting them).
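The layering arithmetic above, carried one step further as an added example (not from the original post): each layer also gets a probability of being switched on, since a binary defense stops nothing while it is OFF. The engaged probabilities and all names are assumptions, and the layers are assumed to fail independently of each other.

```python
from fractions import Fraction
from math import prod

def pass_through(layers):
    """Fraction of attacks that get past every layer.

    layers: (effectiveness, engaged) pairs, where engaged is the probability
    that the control is switched on when the attack arrives (an assumption
    added here). Layers are assumed to fail independently.
    """
    return prod(1 - eff * engaged for eff, engaged in layers)

def compare(options):
    """Map each option to (cost in dollars, attacks getting through per 10,000)."""
    return {name: (cost, pass_through(layers) * 10_000)
            for name, (cost, layers) in options.items()}

NINETY = Fraction(9, 10)
ON, OFF, HALF = Fraction(1), Fraction(0), Fraction(1, 2)

# Costs and effectiveness figures are the ones used in the post;
# the last two rows are constructed to show what switched-off layers do.
OPTIONS = {
    "one 99% control": (100_000, [(Fraction(99, 100), ON)]),
    "two 90% controls": (20_000, [(NINETY, ON)] * 2),
    "four 90% controls": (40_000, [(NINETY, ON)] * 4),
    "four 90%, two switched off": (40_000, [(NINETY, OFF)] * 2 + [(NINETY, ON)] * 2),
    "four 90%, each on half the time": (40_000, [(NINETY, HALF)] * 4),
}

if __name__ == "__main__":
    for name, (cost, leaks) in compare(OPTIONS).items():
        print(f"{name:34} ${cost:>7,}  {float(leaks):8.2f} per 10,000")
```

With two of the four layers off, the stack is back to 1 attack in 100 getting through; with each layer on only half the time, roughly 9 in 100 get through.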
Thus, this was an instance where I had four fairly inexpensive security controls, three of which failed. However, because I had a layered defense, the primary resource (me) and the secondary resources (my stuff) were kept safe from harm. My questions to you:
- What is your business’s primary defense?
- What happens when it fails?
Real Life Lessons: The Story
- At January 22, 2008
- By Josh More
- In Business Security
I will sometimes have friends over. This blog series begins with an event that occurred after a small gathering and then veers into a security analysis. It is my hope that it is as educational for you as it was for me.
We ended the night much later than planned, and since I had a busy morning, I neglected my normal nightly routine. Thus, that night, I neglected to arm the security system. I also assumed that my friends had locked the door as they left. As I am sure you can tell, this does not bode well…
Later that night, I awoke to the smell of smoke. While unpleasant and unusual, my neighbor is a smoker and when the wind is just wrong, I sometimes get a whiff of it in my bedroom. Since it was definitely cigarette smoke that I smelled, I went back to sleep. Then, a bit later, I woke up to my cats acting oddly. Not terribly unusual, but strange enough that I probably should have checked it out. Being half asleep, I didn’t. Instead, I just closed my bedroom door to keep my cat from bugging me. This is the part that I’m kicking myself over.
Why?
Well, once I finally wake up, I go about my normal morning routine. During this process, I see a pair of shoes on my living room floor that had not previously been there. Looking up, I see a young man sleeping on my couch, who had also not previously been there.
This is a situation for which I did not have a ready response.
Since it was dark, I considered the possibility that one of my friends couldn’t start his car or had gotten kicked out of his house (unlikely, but not outside the realms of possibility, especially given how late we broke up the party) and came back to my place for the lack of anywhere better to go. Another possibility was that a stranger had broken in (unlikely) and taken a nap on my couch (considerably more unlikely). Obviously, the way to determine which of these two possibilities was occurring was to turn on a light somewhere.
First, however, I decided to put on some pants. *shrug* it just seemed like a good idea.
Given that I was going into an unfamiliar situation, I decided that preparation would be wise. I grabbed my sword from my bedroom (I don’t own a gun, but that’s a completely different post), and entered 9-1-1 (but did not hit “send”) on my cell phone prior to waking the individual. I then turned on the light in the kitchen, so that I would have enough to see by, and positioned myself between the man (boy? Not really sure. He seemed to be in his (very) young twenties.) and the light (maximizing my visual advantage), and started prodding him.
He is probably not the only person in Des Moines to wake up that night in a strange place, utterly confused and hung over. He is, however, likely the only one to wake up with a sword at his throat.
He was quite apologetic.
In response to my questions, I learned that he had been drinking last night (he said “a lot”) and that the last thing he remembered was thinking that it was too cold and he had to go inside. He then gathered his shoes and windbreaker(!) and left, asking only what part of the city he was in. I locked the door behind him.
I elected not to call the cops as I suspect that he had just learned a lot in those sixty seconds, and I have no desire to ruin someone’s life over a single stupid mistake.
So, what did I learn from this experience?
- When suddenly finding myself in a potentially dangerous situation, I am calm and logical. I have suspected this for a while, but it’s nice to have the (very) occasional confirmation.
- I was in complete control of the situation from the moment I became aware of it. While I am not a control freak, it is nice to know that I have that in me when it is needed.
- At no point was I afraid. Concerned, yes. Afraid, no. I like that.
- Even though I hardly ever use the front door (garage is in the back), I need to check that door nightly and not assume it is locked. I do always check the back door.
- I need to be better at arming the security system at night than I have been. I used to be an extremely light sleeper, but I can apparently no longer rely on my ability to wake up at the slightest noise. (I guess living in a city has changed me).
- It was stupid of me to ignore the subtle indicators that did wake me up. I need to be better at checking those out.
So, in conclusion, I did some very negligent things that resulted in a situation that should never have occurred. This is bad. However, once in that situation, I think that my reaction was acceptable. There is, however, ample room for improvement. We shall explore the lessons learned in greater detail in future posts.
Twenty years of X11
- At December 05, 2007
- By Josh More
- In Business Security
As some of you know, I do the occasional technical edit for a book. I find it relaxing, interesting, and educating.
Hey, you have your hobbies, I have mine.
Anyway, I recently completed editing Chris Tyler’s X Power Tools – a book on how Unix and Linux systems handle windows and such. It made me think a bit. See, X11 was released in 1987. Back then, I wasn’t terribly interested in learning its intricacies, being far more involved in learning how to ride a bike and catch a ball. (The “catching a ball” bit took many more years to master, perhaps I should have focused on X11 instead). As I recall, in 1987, there was a small amount of discussion on the relative merits of NeWS vs X11, however most people were more concerned with issues like the Iran/Iraq war, the world population reaching five billion people and the Iran-Contra affair. At the same time that Bob Scheifler and Jim Gettys were writing X11, Los Lobos were writing their version of “La Bamba” and Peter Wolf (Wang Chung) was writing “Everybody Have Fun Tonight”.
So, fast forward by twenty years and join me here in 2007. The world population is now 6.6 billion, no one really thinks much about the Contras, and I suspect that a lot fewer people are dancing around singing “La Bamba”. However, an estimated 29 million people are using X11. That’s more people than are listening to Wang Chung (I hope).
So, what is it that gave this humble display protocol such staying power and allowed its usage to increase while other 1987 events are hardly even recognizable? Perhaps it is that X11 is inherently visual, rendering it usable from China to India to the US? I’m sure that the average Chinese computer user has a bit more trouble understanding Los Lobos. Perhaps it is the fact that it was built by a unified team and released to the world for free, thus eliminating the need for a middle man like Oliver North.
Perhaps. . . But I don’t think so.
See, I use X every day. I have since around 1999. However, at no point do I wake up and think “Yay! I get to use the X11 display system today!”. No, I just sit down at my computer and get to work. I move windows from desktop to desktop. I make them big, make them small, and make them hide away like little frightened squirrels. And these days, I even make them translucent, wobbly, three dimensional, and can set fire to them if I get bored (the windows, not the squirrels). Sure, I may get a small feeling of glee when I make a window burn up and go away, but am I sitting here thinking about all the work that Bob Scheifler and Jim Gettys put into the system to allow me to be nonproductive in such an enjoyable way? No, I just sit there and use the system.
There are three other systems that I use on a daily basis without thinking about it. When I wake up, I turn off my alarm clock, turn on my light, take a shower, get dressed, open the garage, drive into work, park, lock the car, and start my day. To do so, I use the electrical system, the water system, and highway system. At no point am I blessing Tesla and Edison, or the Romans… or the Romans. (Wow, those Romans were a smart bunch, weren’t they? Too bad about the lead poisoning.)
Nope, I just use them because they are there. That’s what infrastructure is for. You can tell when a technology moves from being “technology” to “infrastructure” when you no longer notice it. A widget is a thing that is either bright and shiny or breaks when you need to use it. Sadly, these two often go together. Infrastructure is something that you never notice until it fails to give you the seamless experience that you are used to.
Note that. The key difference is not that infrastructure is noticeable when it breaks… it’s noticeable when it breaks and keeps working. You complain about the power company when there are brown outs, the water company when the water tastes funny, and the DoT when the roads get pot-holes. In all of these cases, you can still use your devices, drink your water, and get to work. It’s just not as pleasant as it was before. That’s huge. It means that the technology got so close to perfect that you don’t notice it anymore.
That’s the beauty of X11. When I was first starting with Linux, it was sometimes hard to get it to work (See Basic X.Org Configuration). Then, as I got better, I would sometimes run into some odd problems (See Advanced X.Org Configuration). I used to have problems with fonts and colors (See the Fonts and Colors sections). More recently, I have needed to build kiosks (Yep, there’s a Kiosk section), remotely access servers (That’s in the book too), and turn on fancy effects (I’ll let you guess on this one).
Today, I can use X11 and the tips in X Power Tools to:
- Build one server that can give up to 10 school children their own desktop . . . simultaneously
- Build a kiosk system that provides point of service for years without maintenance
- Configure a single interface that works identically on an 800×600 CRT monitor, a 5120×3200 LCD wide-screen monitor, an HDTV, or even a normal (old school) television
- Connect to a server on the other side of the world and see a graphical screen just as if I were sitting in front of it
- Use a keyboard and mouse from 1987, 1997, or 2007 — often without a configuration change. I can use strange hardware such as tablets, touch-pads, and high-end multi-head video cards
I can do all of this with the same protocol developed in 1987. That’s good design.
I learned to do all this in the same amount of time that it took me to learn to catch a ball. I can do it as easily as riding a bike. If I had had Chris Tyler’s book in 1999, I could have done it much more quickly and easily. That’s good writing.
So, if you use a computer and want an edge over the extra 1.4 billion people that will be here by 2027. If you’re tired of listening to Wang Chung and Los Lobos. If you don’t want to think about the upcoming Iran/Iraq war, then pick up a copy of X Power Tools. Take a few hours and learn about the past, present, and future of how people use computers.
Have some fun tonight.
