
@LastPass and Password Management


This blogpost is about my recent escapades in password reset and password management. Before I dive in I need to fess up. Despite decades of experience, I have over time seriously mismanaged my passwords. That’s despite having used tools like LastPass for a couple of years. I haven’t been naughty such as writing down passwords on Post-It notes, but I have re-used similar or identical passwords across multiple websites – even though I knew this exposed me to so-called “weaker sister” style breaches – that is to say that if you use the same password across multiple sites, the site most vulnerable to attack is the one that then allows access (assuming the same user ID is in use) to all the rest. So this New Year I decided to put a stop once and for all to this bad practice. What follows is a description of what that was like, how bad/easy it was, and some general thoughts about the nature of security in the modern world. I might add that the recent Yahoo breach of 1B user IDs was a wake-up call. I wasn’t personally hacked and I believe my account was secure (after all, 1B accounts takes some going through even by modern computing standards). I guess the operative word there is ‘believe’.

Firstly, if you are a LastPass user – check out how many websites you have listed, and run the Security Challenge. This does a good job of flagging up how bad your situation is, as well as flagging compromised passwords, weak passwords, reused passwords and old passwords. You can see the result of my score above. Actually, this was in a terrible state until I set about resetting the passwords. I had bad reports for Steps 1/2/3/4. My master password (the one that allows access to the LastPass vault) was the same as the password for one of the websites I had saved. LastPass does warn you about doing this – but I foolishly ignored it and never got round to resetting it…


Secondly, where possible use the LastPass ‘Change Password Automatically’ feature to reset bum entries. This feature works well with the websites it supports (PayPal, Twitter, Amazon). However, it DOES NOT work with the vast majority of other websites. This is NOT LastPass’s fault, but because we have no uniform standard for how password reset webpages should be constructed and formatted. This means authenticating individually to each and every site, and doing the password reset manually. I had over 240 sites. A follower on Twitter had over 600 (admittedly he said he was okay as every one was unique).

Note: Incidentally, although I found “Change Password Automagically” is available for Yahoo, it didn’t work. I also found it got confused with the multiple Google accounts I have. I think this is because both Yahoo and Google have their own special UI and method of handling logins. I found LastPass would reset the wrong account’s password.


Thirdly, let LastPass generate new passwords for you. But beware that not all websites support special characters (!@£%^&*_), and some require things like two numbers and two upper-case letters. Also I found occasionally that LastPass would not ‘see’ the password reset, and it wouldn’t prompt to update the username/password stored in the Vault. I took to copying the password to the clipboard, just in case – and doing manual updates. This is because there are really no standards for how password resets are managed for web pages.

Lastly, LastPass creates a little icon in the username and password fields – this works on Yamaha’s website for example but not on Hertz’s website.



Note: You can right-click in these fields, select LastPass, and then Generate Secure Password.

Also I spent many minutes trying to find the place to reset my password on some websites, which slowed the process down. This is because there is really no standardisation for where this setting is held. Sometimes it’s easier to pretend you’ve forgotten your password, to get an easy-to-click reset link. However, this isn’t standardised either – as some websites reset your password to a value which you have to subsequently change (which means you wind up having to locate and work with their password reset feature anyway).

Fourthly, rinse and repeat for every single login ID – I ended up running down my 240 stored usernames/passwords to about 160. This is because some of the websites no longer exist or I couldn’t access them. For instance I had a username/password combo for internal systems at vmware.com stored behind a VPN-accessible firewall. This does raise the spectre of bad username/password combinations that can never be fixed. However, I take the view that if ALL of the existing websites I do have access to each have their own unique password – I’m as safe as I could ever be. And in comparison to my poor rating before – I now have a much better situation. It does raise the issue of remembering to delete accounts or reset passwords on systems you are not using anymore. The Yahoo warning was about an email address I have not used in years….
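As an added illustration of the audit that the Security Challenge performs (compromised, weak, reused and old passwords, from the first step above) and of generating replacements that fit a site’s character rules (the third step), here is a small Python script. It is not LastPass code and is not from the original post; the vault entries, the “common password” list, the policy values and the reference date are all constructed for the example.

```python
import secrets
import string
from collections import Counter
from datetime import date

# A site password policy of the kind the post runs into: a restricted symbol
# set plus minimum counts of digits and upper-case letters. Hypothetical values.
DEFAULT_POLICY = {"length": 16, "symbols": "!@%^&*_", "min_upper": 2, "min_digits": 2}

# Constructed stand-in for a breach/common-password list (not a real corpus).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}

# Constructed sample vault export: (site, username, password, last_changed).
# None of these are real credentials; the reuse pattern mirrors the post,
# including a master password that is also stored as a site password.
SAMPLE_VAULT = [
    ("bank.example",  "mike@example.net", "Tr0ub4dor&3",       date(2014, 6, 1)),
    ("shop.example",  "mike@example.net", "Tr0ub4dor&3",       date(2015, 2, 9)),
    ("forum.example", "mike",             "password1",         date(2012, 1, 1)),
    ("music.example", "mike@example.net", "x9#Lq2!vR8pZ@w4mT", date(2016, 12, 30)),
    ("vault-master",  "mike@example.net", "Tr0ub4dor&3",       date(2013, 3, 3)),
]
AUDIT_DATE = date(2017, 1, 2)  # constructed reference "today" for the age check


def conforms(password, policy=DEFAULT_POLICY):
    """True if password uses only allowed characters and meets the length and
    minimum-count rules of the policy."""
    allowed = set(string.ascii_letters + string.digits + policy["symbols"])
    if len(password) != policy["length"] or not set(password) <= allowed:
        return False
    if sum(c.isupper() for c in password) < policy["min_upper"]:
        return False
    return sum(c.isdigit() for c in password) >= policy["min_digits"]


def generate_password(policy=DEFAULT_POLICY):
    """Draw candidates from the OS CSPRNG until one satisfies the policy.
    Rejection sampling keeps the result uniform over conforming strings."""
    alphabet = string.ascii_letters + string.digits + policy["symbols"]
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy["length"]))
        if conforms(candidate, policy):
            return candidate


def strength_flags(password):
    """Per-password checks: known-compromised, or weak by length/character mix."""
    flags = []
    if password.lower() in COMMON_PASSWORDS:
        flags.append("compromised")
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    if len(password) < 12 or classes < 3:
        flags.append("weak")
    return flags


def audit_vault(entries, today=AUDIT_DATE, max_age_days=365):
    """Return {site: sorted flags} covering compromised, weak, reused and old.
    Reuse is detected across the whole vault, so a master password that was
    also saved as a site entry is caught too."""
    occurrences = Counter(pw for _, _, pw, _ in entries)
    report = {}
    for site, _user, pw, last_changed in entries:
        flags = strength_flags(pw)
        if occurrences[pw] > 1:
            flags.append("reused")
        if (today - last_changed).days > max_age_days:
            flags.append("old")
        report[site] = sorted(flags)
    return report


if __name__ == "__main__":
    for site, flags in audit_vault(SAMPLE_VAULT).items():
        print(f"{site:15} {', '.join(flags) or 'ok'}")
    print("replacement candidate:", generate_password())
```

Run stand-alone it prints one line per entry with its flags, then a fresh password that satisfies the constructed policy. The `max_age_days` parameter is where a 30/60/90 day cadence for a folder of sensitive accounts would be expressed: audit those entries with a smaller value and the rest with the default.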

Conclusions:
Firstly, you will notice that the word ‘standardisation’ comes up a number of times. It’s my belief that this lack of standardisation in the industry concerning password management significantly reduces the value of tools like LastPass. This isn’t LastPass’s fault; they must work with the reality they find. However, given recent breaches I think pressure should be put on the large stakeholders to adopt uniform standards.

Secondly, it shocks me that today in 2017, many websites use your email address as the username. I doubt very much if the average Joe/Josephine creates a bogus email address simply for the purpose of logins. This means the very means by which people request password resets can be hacked. I see no reason why folks can’t have a user ID that is distinct and separate from their email. It would make swapping out an email address when it changes infinitely easier. If I change my email address, many hundreds of entries in my LastPass vault become stale or invalid.

Thirdly, given this is a manual process carried out by me, a monkey with an oversized wet brain – mistakes can and do happen. There are a couple of websites where I screwed up their password reset process and found myself locked out. This means I have to request a password reset email (or in the case of outlook.com/live.com get codes sent to other email addresses or my phone).

Finally, although LastPass has an automatic password reset feature, it’s not supported uniformly. This makes the process very laborious, and is a disincentive to fix the problem – and also to reset passwords regularly. It’s a common standard in enterprise environments to change passwords on a 30/60/90 day cycle. No such standard exists in the private internet space. It took me ALL DAY to fix my problem – starting at 9am and finishing at nearly 11pm. It’s unacceptable to me to have to carve out a whole day annually, quarterly or monthly to reset all 160 entries. The only reasonable thing is to do a block of 10 once a week, or alternatively – make a folder of the MOST sensitive accounts (email, banking and anything that processes money – PayPal and eBay for instance) and put them on a more frequent cadence of resets.

Posted by on January 2, 2017 in Other

Employee Alert: VMware Foundation Charity Listing – AQUABOX


Hello my fellow VMwareans. (Yes, I know that makes people sound like they’re some kind of alien species that has just landed on planet Earth.) Although this post is public on my blog, it’s actually directed at all the folks who work at VMware. I’m currently on my gap year which officially ends at midnight on the 31st Dec, but will most likely carry on until such time as I find gainful employment. One of the things I’ll be doing in the meantime is volunteering. I had thought of starting in the New Year, to mark the end of this time. But after attending September’s VMworld in Vegas – I realised that there was no time like the present.

If you are searching for Aquabox in the VMware Foundation – change the filter to “UK”; you can locate it by its Registered Charity Number, which is 1098409. This year the company has allowed you to donate a fixed sum to a good cause; if you donate more, this triggers a matching donation from VMware.

What follows below is a description of Aquabox and what we do. I realise many of you are time poor, so if you prefer videos, grab yourself a brew, some M&Ms, and watch this 8-minute YouTube video. It will tell you why Aquabox is so important, and how the technology works.

For the rest of you who enjoy reading my excessively verbose blogposts… Hello!

One of my activities is volunteering at a charity local to me called Aquabox. I say local to me, because although the technology and concept were developed in the town I now call home, its remit is global. So what is Aquabox? At the heart of it is a unique and innovative water filter that’s gone through a number of iterations over the years. When a disaster strikes the first thing that goes to pot is the water supply. You can survive for many weeks (if you’re well nourished) without food, but without clean and non-polluted water you will die in days (and in some cases hours). Historically, the big charities have distributed chlorine tablets to kill off water-borne bugs such as cholera. Have you ever taken a gulp of water in a swimming pool? Think of that, but 100 times worse. So what happens is people in dire straits (and this often includes children who know no better) drink dirty and polluted water – and die not of starvation or thirst, but from the diseases that water contains.

There are two types of AquaFilter – Community and Family. As you might imagine the big daddy serves a large number of people, whereas the Family is intended for a group of five. As for the Aquabox itself, some of the filters have been running for 4 years in Africa. The technology is robust, simple and easy to maintain. As a piece of technology it’s a thing of beauty to any engineer worth their salt, and it’s perfectly fit for its purpose. And of course, it needs to be – given the hostile environment it has to function in. Aquabox has been operating for 20 years – and employs just one part-time manager – the rest of us are volunteers. So you can rest assured that the vast majority of your donation will go to the end-user. Aquabox started its life as part of the Rotary Club organisation, which has a global reach and a good reputation for trustworthiness. So the supply chain for getting the boxes to families is one that comes with high integrity.

As for myself, I’ve been packing the boxes, which include not just the AquaFilter but a whole host of items a family would need in the first hours and days of a humanitarian crisis. The other thing I’ve been doing is trying to establish other methods of raising funds. As a former employee I thought of VMware and you, my former colleagues – and the VMware Foundation. I’m exceedingly grateful to the folks within the VMware Foundation who have expedited this new beneficiary so swiftly and efficiently. And I’m very grateful to my good friend Hans Bernhardt (who many will know as Chicken Man!) for helping get the word out internally.

By its nature Aquabox goes everywhere and we operate in the most extreme of situations, because that is where the greatest need exists. Aquabox has been helping the many tens of thousands of people who remain trapped inside the war zone in Aleppo. These include incredibly brave team members from our aid distribution partner Hand in Hand for Syria يدا بيد لنبني سوريا. Hand in Hand for Syria is a UK-registered charity, and the team at Aquabox have been sending shipments to distribute to Syrian refugee camps; they have 1,000 Aquaboxes ready to give out to families once they have been evacuated from Aleppo. Very few aid organisations are able to operate in Syria because of the nature of the conflict, and the only way to achieve this is with trusted partners whose only concern is life and limb.

Of course, Syria is not Aquabox’s most recent recipient of aid. In fact, the main focus has been Haiti. We are continuing to send emergency disaster relief to the people of Haiti whose lives have been thrown into chaos following the devastation of Hurricane Matthew. We are sending a further 250 family-sized Aquaboxes, to add to our previous shipments of 500 Aquaboxes and 18 Community AquaFilters.

That timeliness is even more acute today. As you have seen, Aleppo in Syria is about to fall, sparking yet another massive humanitarian crisis – with a mass exodus from the city of almost biblical proportions. I want to put aside any political analysis or opinions, and ask you to think of those people this Christmas time – the vast majority are innocent civilians just caught in the crossfire. People just like you and me, caught in the wrong place at the wrong time. All too often in our modern media-saturated world, tragedy spills out on to our screens. The scale of the suffering can leave you feeling numb at times. It’s so overwhelming it makes you wonder what can be done. Well, something can be done. An Aquabox can be sent. You can make that happen. Today.

Please think of Aquabox if you have the opportunity to donate.

And if you’re reading this and you’re not a VMware employee, there’s nothing stopping you donating from your own pocket. Think of it this way: how much do you spend in coffee shops in a week? Why not give that amount?

Posted by on December 16, 2016 in Announcements

Check out Neil Anderson’s (@flackboxtv) “How to Build a NetApp ONTAP 9 Lab”


Neil Anderson has been in touch to let me know that he’s produced an extensive guide to building a complete vSphere lab with NetApp ONTAP 9 as the backend. So it’s essentially a free eBook to cover the new version. Neil is kinda tooting his own horn, but he’s confident his book blows the NetApp setup guide out of the water – he’s got full step-by-step instructions with screenshots on how to build a fully networked two-cluster lab with Windows and Linux clients. I’ve taken a quick gander and I can tell it’s a quality ‘product’ that might once have found a home on my old “RTFM Education” site from the good old days!

Readers can download it from Neil’s blog (it’s free of course), and the goal is to help people get their first hands-on look at the new OS.

It’s downloadable from http://www.flackbox.com/netapp-simulator/

If you’re interested in connecting with Neil, he’s followable (is that a word now?) on Twitter here: https://twitter.com/flackboxtv

Posted by on October 19, 2016 in Announcements

Do you want to be an author?


For me writing a book was the next step up from being a blogger. True, some of my early “RTFM Education” guides got pretty lengthy – but the commitment to writing a book was a whole new order. I really enjoyed the process and understanding how the publishing industry works. Plus there’s the satisfaction of seeing your work on the bookshelf at VMworld – or even your local bookshop. The other thing I would say is that it helps if your aim is to build your ID in the community and perhaps get on the speaking circuit. Of course, a bit like a PhD you can’t measure the value of being an author in dollars and cents (I wouldn’t measure it in pounds and pence, in case it devalues further). It’s more a sense of achievement. But I would say that writing a book does separate the men from the boys, and the girls from the women. Let’s face it, anyone these days can crank up a blog and write a couple of posts. But it’s a different skill and commitment to write a book. I wouldn’t say you’re joining an elite officers’ club either, but you will become part of the support group (see it like Authors Anonymous) who have been there, and done that. Who knows, you might actually enjoy it. After each book I always said it was the last one – some eight books later – I was still saying it.

My former publisher, McGraw-Hill Education, recently let me know about an authoring opportunity for a new book covering the VCP6-DCV certification exam. They are interested in technical expert(s) with a passion for educating. Ideal candidates will have the VCP6-DCV certification credential and possess a combination of classroom training experience, course content development, and user group/community participation. They are interested in both prospective authors and technical reviewers. If you are interested, please contact them at authoring@mheducation.com

Posted by on October 19, 2016 in Announcements

Bright Light City…

…gonna set my soul, gonna set my soul on fire….

Just a quick blogpost to tell folks that I will be at VMworld Vegas this year (I arrive late Sunday afternoon). I had some frequent flyer points and Hertz points to use. So I was able to cover my cost of travel to the event with minimal expense. A big shout out to the communities folks (you know who you are!) for seeing me clear for a blogger’s ticket (not that I’ve been that prolific in this my gap year). I wasn’t sure initially if I was going to make the event – but with a cool head I decided that I couldn’t really not attend, as the event is a great opportunity for me to meet, greet and reconnect with people in the community & industry, and start the process of looking for my next role. I’ve assumed that it’s going to take anything from 3-6-9 months to find a suitable position – so it doesn’t feel too early to start putting the feelers out (so to speak), as in my experience things can take time to reach fruition. With that said, if there is anyone out there reading this who thinks there might be an interesting opportunity that would suit my sort of unique background and skills – do get in touch by the usual methods (LinkedIn or Twitter). As for what I’m looking for, I’m open-minded and open to suggestions. Although another stint in vendorland or cloudland seems the most likely place.

After the trip I will be heading off to the Shenandoah National Park in West Virginia. In case you don’t know, it’s part of the Appalachian Trail. I’ve enjoyed two holidays along the trail in the last decade, but I felt I needed to see this end of it. Not least so I can take my guitar to the banks of the river and sing Country Roads!

Posted by on July 28, 2016 in Announcements

Open Home Lab Project


I’m pleased to hear that the Open Home Lab Project has launched its website today. It’s testament to the guys who provided the inspiration for this project that they have acted so quickly to move from open discussion to open project. As we all know Home Labs have been central to many people’s career development in the last decade, and the topic is a perennial favourite on the VMUG circuit. To date much of the material around home labs has been fragmented across a number of different blogs and forums – and those deciding to take the plunge have had to resort to many hours of piecing the information together – and speaking from personal experience – often one bit of advice conflicts with another. We’re an opinionated bunch of people, which is often a good reflection of different experiences and attitudes.

The Open Home Lab Project’s mission is to try to provide a central location where all the necessary info can be found – whilst maintaining and encouraging that diversity of opinion. Here’s their blurb:

Homelab presentations are some of the most popular at technical user groups. The challenge is that unless they are recorded, the contents of these sessions are always lost at the end of the day, and only the attendees could consume the information and utilise it. What is needed is a method for crowdsourcing and capturing the collective homelab knowledge and experiences of the community, to provide people with a single source of information and advice which will help them make decisions on the best homelab solution for them, based on their individual requirements.

Although the site was started from a VMware user group, we believe that a homelab is a homelab! As such, we are keen for people across the IT community to contribute with their knowledge and tips across operating systems, hypervisors, tools and applications.

Technology agnosticism FTW!

Check it out today!

http://openhomelab.org/

Posted by on May 10, 2016 in Announcements

VMUG Wiki Update: Distributed Switches

Last week I got on a bit of a roll updating my old vSphere 5.5 content on the VMUG Wiki to be vSphere 6.0 Update 1 content. I’ve had some time away from doing this bit of community work – a combination of family commitments and prioritising my own interests have had to come first. Hey, this is a Gap Year remember!

So the new chapter on Distributed Switches for vSphere 6.0 U1 is here:

http://wiki.vmug.com/index.php/Configuring_Distributed_Switches_in_vCenter_6

As with Standard Switches you’ll see there are a couple of new options when creating vmkernel ports on a DvS:

Once again I found enabling the Health Check feature helped me ID some VLAN tagging issues on my ‘new’ pSwitch. I recently pulled the Cisco Nexus gear I had out of my lab – because it had to be returned to VMware when I went on my sabbatical – and that meant bringing in a new/old switch that had been gathering dust under the spare bed. There were a couple of VLANs I’d set up where I had bodged the VLAN configuration. What can I say, I’m a bad network admin who does network admin every couple of years….

Some of the stuff in this chapter hasn’t changed – because it hadn’t changed. Some of it I couldn’t update because my physical infrastructure didn’t support some of the pre-reqs required. So if anyone spots anything that seems to be incorrect let me know – and provide a screengrab to swap out….

Posted by on May 10, 2016 in VMUG Wiki

Facebook Live – This got too long for a tweet

I got one of those emails from Facebook introducing Facebook Live. It’s aimed at businesses (I still have an LLC here in the UK, but it doesn’t do much). Anyway, they were advertising streamGO – which is essentially offering video production services….

Anyway I was reading the stuff/guff online, when up pops an irritating “Live Chat” box that I had to close and dismiss before I could carry on reading. Then I read this statement:


I’m sorry – but I don’t understand why any company would use Facebook Live/streamGo. If you have a marketing effort that has no measurement – and no method to contact interested customers – why would you bother?

Posted by on April 28, 2016 in Other

VMUG Wiki Update: Configuring Standard Switches

Today I completed updating the original vSphere 5.5 content on Standard Switches to make sure it chimed with the vSphere 6.0 U1 release. You can see the new chapter over here:

http://wiki.vmug.com/index.php/Configuring_Standard_Switches_in_vCenter_6

As you might suspect there really isn’t much to write home about in vSphere 6.0 U1 when it comes to Standard Switches – considering the functionality and configuration of this type of networking hasn’t really altered significantly from one generation of vSphere to another. For the most part I saw no earthly point in retaking graphics or videos where nowt has changed.

However, there was just one area where I noticed what I felt was a change worthy of note – the list of “Available Services” that can be enabled is slightly different from vSphere 5.5 to vSphere 6.0. Let me show you where in the UI…

Before: vSphere 5.5

After: vSphere 6.0

As you can see there are now options for vSphere Replication Traffic/vSphere NFC Traffic as well as this thing called “Provisioning” Traffic. A quick click of the ? in the top corner of the box will take you to the online documentation – and a bit of further clicking – will (eventually) tell you what this Provisioning Traffic is all about:

http://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.networking.doc/GUID-8244BA51-BD0F-424E-A00E-DDEC21CF280A.html

Supports the traffic for virtual machine cold migration, cloning, and snapshot creation. You can use the provisioning TCP/IP stack to handle NFC (network file copy) traffic during long-distance vMotion. NFC provides a file-type aware FTP service for vSphere, ESXi uses NFC for copying and moving data between datastores. VMkernel adapters configured with the provisioning TCP/IP stack handle the traffic from cloning the virtual disks of the migrated virtual machines in long-distance vMotion. By using the provisioning TCP/IP stack, you can isolate the traffic from the cloning operations on a separate gateway. After you configure a VMkernel adapter with the provisioning TCP/IP stack, all adapters on the default TCP/IP stack are disabled for the Provisioning traffic.

I think it’s worth saying that a lot of the time this might not happen. If your provisioning tasks happen within the SAME array then ideally VAAI will use its awareness of SCSI primitives to offload any IOPS so it happens inside the array (at blistering speed). However, there are some cases where this logically can’t happen – such as a move between two different storage arrays (you’re decommissioning one and emptying it of VMs) or you’re unfortunate enough to be using local storage and moving a VM from one ESXi host to another (if you’re doing this you should really be thinking about VSAN, my friend). Clearly, if the ethernet network must be used – this traffic can chew up the available bandwidth on your default management network – so dedicating a physical NIC and associating a portgroup with that type of traffic mitigates against that. It’s akin to having a dedicated NIC for vMotion, because by default vMotion just gobbles up all the available network bandwidth to move the VM as fast as possible. Of course there are other ways of limiting the impact of these bandwidth-heavy processes, with traffic shaping for example.

As for vSphere Replication Traffic/vSphere NFC Traffic – as ever the phraseology in the vSphere product is rather letting the side down here. vSphere Replication Traffic is source replication traffic and vSphere NFC Traffic is destination replication traffic. There’s probably a good reason for the ‘funny’ names used here – most likely because vSphere NFC Traffic isn’t just used for replication but for other background processes – NFC comms has been used for many kinds of communication, not just replication – for instance it has been used in the past (and present?) for moving data around for backup purposes (to be honest, I don’t know if it still is…)

Posted by on April 27, 2016 in VMUG Wiki

March Acoustic Session Set Recording

This month’s set list is taken from a single singer-songwriter partnership comprised of Pete Atkin and Clive James. Yes, THE Clive James (writer, broadcaster, poet) is also a lyricist. Clive and Pete began working together decades ago, and have an extensive recording career together. I first discovered them through a BBC Radio 4 programme about them. It’s a radio programme so even if you’re not in the UK you can still listen. For some reason the BBC doesn’t protect radio shows as much as television. Perhaps because so much BBC Radio content gets syndicated to non-commercial radio elsewhere.

http://www.bbc.co.uk/programmes/b06nnnlc

So after listening I identified three songs that I felt were outstanding. They are all from the album called “Beware of the Beautiful Stranger”. The title track concerns a man’s trip to a fairground to have his fortune told – I guess it’s akin to when a woman is warned of a “dark handsome stranger”. Anyway, I bought the album off iTunes. Oddly enough, despite the duo’s cult following this influential album is out of print – so second-hand copies of the vinyl and CD are massively expensive on Amazon. But you can pick up the album from iTunes for less than ten quid. The cover is wonderfully retro. That corduroy suit and cravat is sooo retro!


Anyway, my version of my favourite tracks is up on SoundCloud for your delectation. The only song I think I’m really doing differently is the one called “Laughing Boy”, which sounds a bit Elvis Costello-like. Anecdotally, I heard a story that Pete and Clive did discuss writing for Elvis Costello. I think the general view was Elvis didn’t need any help in the writing department!

So there are three tracks in this single recording… and I’ve provided the links to the lyrics if you’re interested (and the music) – Pete has the words and music up on his website.

  1. Beware of the Beautiful Stranger (http://www.peteatkin.com/a13c.htm)
  2. Laughing Boy (http://www.peteatkin.com/a12c.htm)
  3. Touch has a memory (http://www.peteatkin.com/a2c.htm)

Posted by on April 15, 2016 in Mike's Music