Tag Archive for IBM

Another Hole in Internet Armor

Another hole in our Internet armor has been discovered. The hole is in the Diffie-Hellman key exchange, a popular cryptographic algorithm that lets two parties on the Internet agree on a shared key and negotiate a secure connection. It is fundamental to many protocols, including HTTPS, SSH, IPsec, SMTPS, and any other protocol that relies on TLS.

Researchers from the University of Michigan, Inria, Microsoft Research, Johns Hopkins University, and the University of Pennsylvania have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed. In what they are calling the Logjam attack, the DH flaw allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and change any data passed over the connection.

The problem, according to the researchers, is that millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first and most expensive step of the number field sieve, the most efficient algorithm for breaking a Diffie-Hellman connection, depends only on this prime. Once that precomputation has been done for a given prime, an attacker can quickly break any individual connection that uses it.

To prove this hypothesis, the researchers carried out this computation against the most common 512-bit prime used for TLS and demonstrated that the Logjam attack can be used to downgrade connections to 80% of TLS servers supporting DHE_EXPORT.

They also estimated that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers.
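To make the precomputation argument concrete, here is an added toy example in Python; it is not from the researchers or from the original post. It uses baby-step giant-step rather than the number field sieve, and a constructed 20-bit prime instead of a real 512-bit group, but the shape of the work is the same: the baby-step table depends only on the group (p, g) and is built once, and recovering the secret from any individual session's public values is then a short giant-step walk. The group parameters, session secrets, and function names are all my own.

```python
# Added example (not from the original post): a toy model of why sharing a
# Diffie-Hellman prime is dangerous. Real attacks use the number field sieve;
# baby-step giant-step is used here only because it has the same split into
# a per-group precomputation and a cheap per-session step.
import math

# Constructed toy group: a 20-bit prime and generator. Real Logjam groups are
# 512 bits (export) or 1024 bits; the point is that P and G are shared by
# every connection, not that they are small.
P = 1000003
G = 2


def precompute(g: int, p: int):
    """Per-group work: build the baby-step table g^j -> j for 0 <= j < m.

    This depends only on (g, p), never on any session's secrets, so an
    attacker does it once per shared prime and reuses it for every connection.
    """
    m = math.isqrt(p - 1) + 1          # ceil(sqrt(group order))
    table = {}
    cur = 1
    for j in range(m):
        table.setdefault(cur, j)      # keep the smallest exponent for a value
        cur = cur * g % p
    return table, m


def dlog(h: int, g: int, p: int, table: dict, m: int):
    """Per-session work: find x with g^x = h mod p using the baby-step table.

    Giant steps multiply h by g^(-m) until a baby-step entry is hit: at most m
    modular multiplications, against the table built once in precompute().
    Returns None if h is not in the subgroup generated by g.
    """
    giant = pow(g, -m, p)             # g^(-m) mod p (Python >= 3.8)
    gamma = h
    for i in range(m):
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * giant % p
    return None


def recover_shared_secret(A: int, B: int, g: int, p: int, table: dict, m: int):
    """What a passive eavesdropper does with the two public values A = g^a and
    B = g^b seen on the wire: recover a, then compute B^a, which is the
    session key material both endpoints derived.
    """
    a = dlog(A, g, p, table, m)
    if a is None:
        return None
    return pow(B, a, p)


def demo_session(a: int, b: int, g: int = G, p: int = P):
    """Run one honest exchange and return (shared_secret, attacker_recovered)."""
    A, B = pow(g, a, p), pow(g, b, p)   # the only values an eavesdropper sees
    shared = pow(B, a, p)               # what the client computes (equals A^b)
    table, m = precompute(g, p)
    return shared, recover_shared_secret(A, B, g, p, table, m)


if __name__ == "__main__":
    table, m = precompute(G, P)
    # Three independent sessions with fresh secrets, all broken with one table.
    for a, b in [(123456, 654321), (777, 999999), (31337, 4242)]:
        A, B = pow(G, a, P), pow(G, b, P)
        print(pow(B, a, P) == recover_shared_secret(A, B, G, P, table, m))
```

Fresh exponents per connection do not help once the table exists: every session in the loop is broken with the same precomputed table, which is exactly the amortization the researchers describe for 512-bit and 1024-bit primes.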

There is speculation that this “flaw” was being exploited by nation-state actors. A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with it having carried out such a precomputation and exploited the Logjam weakness.

What should you do?

1 – Go to the researchers’ website https://weakdh.org/ to see if your browser is secure from the Logjam flaw. (It reported that Google Chrome Version 43.0.2357.81 (64-bit) on OS X 10.10.3 was not secure.)

2 – Microsoft (MSFT) patched the Logjam flaw on May 12 with security bulletin MS15-055. A Microsoft spokesperson told eWEEK:

Customers who apply the update, or have automatic updates enabled, will be protected. We encourage all customers to apply the update to help stay protected.

3 – Google (GOOG) fixed the issue with the Chrome 42 update, which debuted on April 15. Google engineer Adam Langley wrote:

We disabled TLS False-Start with Diffie-Hellman (DHE) in Chrome 42, which has been the stable version for many weeks now.

4 – Mozilla’s patch for Firefox isn’t out yet, but “we expect it to be published in the next few days,” Richard Barnes, cryptographic engineering manager at Mozilla, told eWEEK.

5 – DarkReading reports that on the server-side, organizations such as Apache, Oracle (ORCL), IBM (IBM), Cisco (CSCO), and various hosting providers have been informed of the issue. There has been no response from these tech titans.

The researchers have also provided guidance:

  1. If you have a web or mail server, they recommend that you disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. They have published a Guide to Deploying Diffie-Hellman for TLS with step-by-step instructions.
  2. If you use SSH, you should upgrade both your server and client installations to the most recent version of OpenSSH, which prefers the Elliptic-Curve Diffie-Hellman Key Exchange.
  3. If you’re a sysadmin or developer, make sure any TLS libraries you use are up-to-date, that servers you support use 2048-bit or larger primes, and that clients you maintain reject Diffie-Hellman primes smaller than 1024-bit.
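As an added example, not from the researchers’ guide or from the original post, the following Python shows the two checks from items 1 and 3 above as code a practitioner could adapt: a client-side parser for the ServerDHParams structure of a TLS 1.2 ServerKeyExchange (RFC 5246: three length-prefixed big-endian integers dh_p, dh_g, dh_Ys) that rejects primes below 1024 bits, and a filter that strips export cipher suites from a server’s cipher list and puts ECDHE first. The 512-bit and 2048-bit moduli are constructed for the demonstration and are not primes; only their bit lengths matter here. The function and constant names are my own.

```python
# Added example (not from the original post or the weakdh.org guide).
# Client-side check for Diffie-Hellman parameters in a TLS 1.2
# ServerKeyExchange, plus a server-side cipher-list filter for export suites.
from typing import List, Tuple

MIN_CLIENT_PRIME_BITS = 1024   # clients should reject anything smaller (item 3)
MIN_SERVER_PRIME_BITS = 2048   # servers should generate at least this (item 1)

# Constructed moduli for illustration: NOT primes, only their bit lengths matter.
P_EXPORT_512 = (1 << 511) | 1     # the size Logjam downgrades connections to
P_STRONG_2048 = (1 << 2047) | 1   # the size the researchers recommend generating


def _encode_opaque16(n: int) -> bytes:
    """RFC 5246 opaque<1..2^16-1>: 2-byte big-endian length, then the integer."""
    data = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return len(data).to_bytes(2, "big") + data


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build the ServerDHParams body a server sends (dh_p, dh_g, dh_Ys)."""
    return _encode_opaque16(p) + _encode_opaque16(g) + _encode_opaque16(ys)


def _read_opaque16(buf: bytes, off: int) -> Tuple[int, int]:
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[off:off + 2], "big")
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return int.from_bytes(buf[off:off + n], "big"), off + n


def parse_server_dh_params(buf: bytes) -> Tuple[int, int, int]:
    """Parse ServerDHParams; raises ValueError on truncation or trailing bytes."""
    p, off = _read_opaque16(buf, 0)
    g, off = _read_opaque16(buf, off)
    ys, off = _read_opaque16(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after dh_Ys")
    return p, g, ys


def check_dh_params(p: int, g: int, ys: int,
                    min_bits: int = MIN_CLIENT_PRIME_BITS) -> Tuple[bool, str]:
    """Decide whether a client should continue the handshake.

    The Logjam downgrade works because vulnerable clients accepted a 512-bit
    dh_p even when they had not negotiated an export suite; refusing small
    primes here closes that regardless of which suite was chosen.
    """
    bits = p.bit_length()
    if bits < min_bits:
        return False, f"dh_p is {bits} bits, below the {min_bits}-bit minimum"
    if not 2 <= g <= p - 2:
        return False, "dh_g out of range"
    if not 2 <= ys <= p - 2:
        return False, "dh_Ys out of range (degenerate public value)"
    return True, f"ok: {bits}-bit group"


def client_accepts(server_key_exchange: bytes,
                   min_bits: int = MIN_CLIENT_PRIME_BITS) -> Tuple[bool, str]:
    """Parse and check a ServerDHParams blob as a client would on receipt."""
    try:
        p, g, ys = parse_server_dh_params(server_key_exchange)
    except ValueError as exc:
        return False, f"malformed ServerDHParams: {exc}"
    return check_dh_params(p, g, ys, min_bits)


def is_export_suite(name: str) -> bool:
    """Match OpenSSL (EXP-*, EXP1024-*) and IANA (*_EXPORT_*) export suite names."""
    return name.startswith(("EXP-", "EXP1024-")) or "_EXPORT" in name


def harden_cipher_list(suites: List[str]) -> List[str]:
    """Drop export suites and order the rest ECDHE first, then DHE, then others."""
    def rank(s: str) -> int:
        if s.startswith(("ECDHE-", "TLS_ECDHE_")):
            return 0
        if s.startswith(("DHE-", "EDH-", "TLS_DHE_")):
            return 1
        return 2
    return sorted((s for s in suites if not is_export_suite(s)), key=rank)


if __name__ == "__main__":
    # A downgraded exchange: the server sends a 512-bit group.
    weak = encode_server_dh_params(P_EXPORT_512, 2, pow(2, 65537, P_EXPORT_512))
    print(client_accepts(weak))    # (False, 'dh_p is 512 bits, below the 1024-bit minimum')
    strong = encode_server_dh_params(P_STRONG_2048, 2, pow(2, 65537, P_STRONG_2048))
    print(client_accepts(strong))  # (True, 'ok: 2048-bit group')
    print(harden_cipher_list(["EXP-EDH-RSA-DES-CBC-SHA", "AES128-SHA",
                              "DHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]))
```

The bit-length check is the part that actually stops Logjam on the client side: the downgrade is invisible to the cipher-suite negotiation, so the only reliable signal is the size of dh_p in the message itself. On the server side the cipher-list filter is the easy half; the unique 2048-bit group from item 1 still has to be generated and deployed separately.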

rb-

Finally, get involved. Write someone, your representative, senator, your favorite bureaucrat, the president, your candidate, and tell them to get out of the way. 

Ars Technica notes that Logjam is partly caused by export restrictions put in place by the US government in the 1990s to give government agencies the ability to break the encryption used in other countries. “Logjam shows us once again why it’s a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for,” Michigan’s J. Alex Halderman said in the report. “Today that backdoor is wide open.”

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Another Cloud Goes Bust

On April Fools’ Day, another cloud provider closed down without any warning. FierceBigData reports that OpenStack cloud vendor Nebula ceased operations on April 1, 2015 without ever giving its customers a heads-up.

The firm, founded in 2011 by former NASA CTO Chris Kemp, appeared to have things under control. According to CSC, it seemed to have customers for its Nebula Cloud Controller, an appliance that integrated up to forty x86 white-box servers into a turnkey OpenStack cloud. Customers of Nebula have included Lockheed Martin, Shutterfly, Sandia National Laboratories, and Genentech.

The company also had a fat war chest of almost $40 million from top-tier VCs. Silicon Angle reports that Nebula burned through $38.5 million in venture capital prior to its closure, from investors including Webb Investment Network, Comcast Ventures, Scott McNealy, William Hearts II, Kleiner Perkins Caufield & Byers, Highland Capital Partners, and others.

Despite its well-stocked war chest, customer support ended immediately. The defunct company told its former customers to turn to “OpenStack products from vendors including Red Hat, IBM (IBM), HP (HPQ) and others.”

rb-

The stability of cloud providers is really questionable. I have covered other cloud provider implosions: MegaCloud, Nirvanix, and Code Spaces.

In the end, it is as simple as the author says; the moral of the story is “that you should look very carefully at your partners … you must be able to count on your system integrator, value-added reseller, whoever, to be there when you need them.”

Related articles
  • UPDATE 1-Juror in gender lawsuit sympathized with Pao, sided with Kleiner (biztechclass.com)


Super-Sized Storage Saves Tape

The LTO Program Technology Provider Companies (TPCs) recently announced the extension of the LTO tape roadmap to generations 9 and 10. SearchStorage says that Linear Tape-Open (LTO) is an open-format tape storage technology. LTO was developed by Hewlett-Packard (HPQ), International Business Machines (IBM), and Certance (Quantum (QMCO) acquired Certance in 2004). The term “open-format” means that users have access to multiple sources of compatible storage media products, which helps keep tape backups from being displaced.

LTO Tape Backups

SearchStorage reports that the LTO tape vendors plan to grow the technology to super size. LTO-9 will offer up to 25 TB of native capacity and LTO-10 will offer 48 TB. Transfer rates will also increase over earlier generations: LTO-9 and LTO-10 will offer 708 MBps and 1,100 MBps, respectively, making tape backups faster.

LTO Roadmap

The new generations will allow you to keep your existing tape backups. Each new LTO generation will read and write tapes from the previous generation and read tapes from the previous two generations. The new generations will also continue to support LTFS, WORM functionality, and encryption.

LTO Generation   Product shipped   Storage capacity (TB)*   Transfer rate (MBps)*   Compatible with   Notes
LTO-1            2000              0.1                      20                      LTO-1
LTO-2            2003              0.2                      40                      LTO-1
LTO-3            2005              0.4                      80                      LTO-2 & 1
LTO-4            2007              0.8                      120                     LTO-3 & 2
LTO-5            2010              1.5                      140                     LTO-4 & 3
LTO-6            2012              2.5                      160                     LTO-5 & 4         Current standard
LTO-7            2015?             6.4                      315                     LTO-6 & 5         Development
LTO-8            2017?             12.8                     472                     LTO-7 & 6         Development
LTO-9            TBD               26                       708                     LTO-8 & 7         Development
LTO-10           TBD               48                       1,100                   LTO-9 & 8         Development

* Native (uncompressed) figures.

Another super sized storage option

In case you are not an LTO user, FierceCIO reports that Sony (SNE) has developed a super-sized storage tape. The Sony magnetic tape cassette is capable of storing 185 TB of data, achieved by optimizing its nano-technology process.

Sony optimized its “sputter deposition” technology to create a soft magnetic under-layer, allowing it to shrink the magnetic particles on the storage layer to an average size of 7.7 nm and increase density, according to the article. As a result, the Japanese firm’s forthcoming cassettes will be able to store 74 times more data than conventional tape media, the equivalent of 3,700 Blu-ray discs.

The creation of a 185TB cassette will no doubt be welcomed by large enterprises as they try not to be overwhelmed by the explosion in big data. Various studies estimate that in the next decade the amount of data stored will increase by 50 times. IDC predicts in 2020, over 40 trillion gigabytes of data will be stored around the globe.

rb-

Not so fast: these developments are not the holy grail of backups.

I know of several organizations that have dragged their fiscal feet and are still running LTO-1 or LTO-2. They have limited their own upgrade path. Right there in the LTO.org specs it says that LTO only allows for support of the previous two generations of cartridges on LTO tape drives.

FierceCIO speculates that, after cost, Sony’s biggest challenge with a 185 TB tape will be making it sufficiently fast in terms of read and write performance, possibly requiring non-conventional peripheral interconnects, so that data backups can be completed within ever-shrinking backup windows.


The Evolution of Backup

Have you ever stopped to think about how the technology for data protection has evolved? Backup has been around, in one form or another, since 3000 B.C. It has evolved and adapted to take advantage of improvements in technology platforms. Storage vendor Axcient traces the evolution of backup technology from clay tablets to the cloud in this infographic.

Axcient traces the evolution of backup and key events in backup methods.

(Axcient infographic: the evolution of backup)

According to CrunchBase, Axcient is an entirely new type of cloud platform. Its technology stack is said to eliminate data loss, keep applications up and running, and make sure that IT infrastructures never go down.

Axcient is designed for today’s always-on business. The system replaces legacy backup, business continuity, and disaster recovery software and hardware. They claim it reduces the amount of expensive copy data in an organization by as much as 80%.

By mirroring an entire business in the cloud, Axcient makes it simple to access and restore data from any device. They claim that with a single click their app can configure failover systems, and virtualize your entire office – all from a single deduplicated copy.

rb-

The key to any successful Business Continuity Plan is a solid, verified backup plan. The impact of a major data loss on an SMB can be devastating. The actual numbers are debatable; however, it seems that a significant number of firms go out of business after a major data loss.

There are many new ways to back up your data, from Acronis, Axcient, Barracuda (CUDA), EMC (EMC), Exagrid, HP (HPQ), IBM (IBM), Symantec (SYMC), and Veeam. What is important is that you have a plan, execute it, and test it.


Tech Titans Crush Patent Reform

Jeff John Roberts at GigaOM reports there is a battle going on in Washington, DC over patent reform. Some in DC are attempting to rewrite the broken patent system. Under the current patent laws, what the author calls the struggling old-guard firms can exploit the patent system to abuse monopolies over basic software concepts from decades ago. The result has been to smother start-ups and weigh down vibrant parts of the tech economy with frivolous lawsuits; lawyers get fat at the expense of those who are building real businesses.

The latest push by Congress to fix the software patent problem suffered a setback after Congress allowed Microsoft and IBM to gut a key House bill that would have made it easier for victims to push back. TechEye explains that the “covered business method” (CBM) program drew the ire of Microsoft (MSFT) and IBM (IBM). The proposed changes would have sped up the process by which the Patent Office gets rid of low-quality software patents. Under the reformed program, MSFT and IBM could not sue someone until the Patent Office had considered whether the patent was viable. TechEye reports that IBM flexed its political muscle (cash?) to stop the effort to expand the CBM program. An IBM spokesperson said that while “we support what Mr. Goodlatte’s trying to do on trolls, if the CBM is included, we’d be forced to oppose the bill.”

The upshot according to GigaOM is that for the second time in three years, the U.S. is poised to pass a law that will make cosmetic changes to the patent system without addressing the root cause — garbage software patents — that has made the system a mockery and a byword for legalized extortion.

The article claims that reformers shouldn’t despair quite yet. GigaOM cites sources close to the legislative process who think real reform could still happen if powerful senators prevail and if opponents outgun Microsoft and its allies in the grubby money and lobbyist game. GigaOM lays out how the reform was derailed.

Money Talks in the House

The chair of the House Judiciary Committee, Rep. Bob Goodlatte (R. Va.), was scheduled to bring his much-touted patent bill for a vote. The bill arrived on schedule — but it was a neutered version.

A key provision, which would have provided a way to challenge software patents at the Patent Office, is no longer in the bill, which the committee passed by a 33-5 vote. The change is significant, the author says, because it means victims of patent bullies must still pay millions to challenge the patents in federal court or, as most do, simply swallow hard and pay a licensing fee.

Mr. Goodlatte’s decision to drop the provision is a victory for IBM and Microsoft, which have stacks of old software patents that provide licensing revenue even as their product lines sputter. It’s also a victory for trolls, which the article says are shell companies backed by private equity firms and lawyers that use patents (often obtained from Microsoft and others under a “privateering” arrangement) to wage ruinous legal war against everyone from Martha Stewart to individual users. (rb- Click here to read about IBM’s efforts to Patent Patent Trolling)

According to reports, the change to the Goodlatte bill came after intense lobbying from groups linked to Microsoft, IBM, and others. The account was confirmed by a source close to Google (GOOG) and other groups that pushed for the provision to challenge software patents.

“They outspent the living shit out of us,” said the source, who did not want to be named. He said that the companies spent heavily to lobby Democrats on the Committee and freshman Republicans, forcing Mr. Goodlatte to remove the provision rather than see it voted down at this stage.

A source with a lobbying group allied with Microsoft said the software giant’s role had been overstated, and that the change in the bill was less about money than it was about “shoe leather” lobbying.

Patent reform in the Senate

“If we had a quarter of the people who opposed SOPA supporting this anti-patent troll law, we’d win,” Sen. Chuck Schumer (D-NY) told the author. Mr. Schumer was joined by the Electronic Frontier Foundation to talk patent reform and talk up his bill to take on trolls, which he said are “preying on New York’s technology industry.”

Mr. Schumer is pushing a bill that includes the key provision about software patents that was stripped from the House bill. Schumer’s support is significant, not only because he carries clout in the Senate, but because he succeeded in including a similar provision aimed at frivolous financial services patents in the America Invents Act of 2011.

Other patent reform bills are circulating in the Senate, including similar bills from Sen. Patrick Leahy (D-Vt.) and Sen. John Cornyn (R-Tx.). According to the source tied to Google, Mr. Leahy has signaled that his bill is a “Christmas tree,” meaning other politicians can hang their preferred provisions on it; the bill that ultimately gets a vote on the Senate floor will likely contain a provision to challenge software patents.

Washington insiders said patent legislation is one of the few bipartisan initiatives available to members of Congress, who are eager to notch legislative achievements before the mid-term campaign season begins next summer. This means that the bills are expected to go to a full floor vote in the House and Senate by early 2014 and that a markup session on a final bill will take place in the spring — the only question is which version will prevail.

The endgame

“There’s months to go till conference committee,” said the source close to the reform lobby, predicting that the balance of power will tilt towards the software patent reform camp as Google and others ramp up lobbying efforts. The source tied to Microsoft, unsurprisingly, panned this prediction and declared that challenges to software patents are now a “third rail” that most in Congress don’t want to touch.

The outcome will be determined in large part by money, and whether Google and the other companies that recognize the harm caused by software patents (Twitter (TWTR) is another) are willing to seize the chance at reform that is within their grasp.

Today, attitudes have changed after a steady parade of patent horror stories: Boston University using a 1997 patent to sue Apple and seek an iPhone ban; a troll using a 1998 patent from a Holocaust foundation to shake down the New York Times; a troll lawyer who boasts he likes to “go thug,” and is pressing an extortion campaign against hundreds of companies.

All of this has led everyone from small app developers to President Obama to suggest the patent system is out of hand. After years of asking defendants to take it on faith that the system is working, it’s now up to Microsoft and others to justify that their ancient software patents, which award 20-year monopolies in a fast-moving industry, do more good than harm.

rb-

While I’m not a lawyer, this seems pretty messed up to me. But that is the magic of Democracy, we get the leadership we elect.

