Monthly Archives: May 2013


So today we have a very special podcast for you with Brian Stevens, our CTO at Red Hat. Brian kindly recorded this with me; I'd meant to record this twice before, at GigaOM last November and then at ODS in Portland, but Brian is always so damn busy I didn't get a chance to get a microphone in front of him. I'm doing some more recording with the exec team in June in Boston for the official Red Hat Summit podcasting channel I'm setting up, which I'll blog more about in the coming weeks prior to Summit.

Brian is what I'd call a tech prophet, a thought leader in every way. He's watched Red Hat evolve and he's watched the market embrace Open Source, and against that tsunami of demand he's crafted and shaped supported technology offerings that have seen the company grow to fit customer ambition. That is no easy task to marshal.


He's been a trailblazer for OpenStack, hugely supportive and very humble in how he's ensured our contributory and community approach is transparent and very real. Hear more on the podcast. We talk OpenStack, the Red Hat RDO community release, the amazing HeatAPI project and we take you behind the scenes.

It's not often you get to listen to the CTO of a $1bn+ company talk openly and honestly about tech, so take time out to listen to it. Remember to subscribe via iTunes, Stitcher Internet Radio or the RSS feed directly to the shows; for those that haven't ever listened, there are some thirty-three hours of broadcasting there to catch up on.

Enjoy the show and come back soon for more unique content from the Cloud Evangelist podcast channel.

Download the podcast here in MP3 format only

My thanks for the photo of Brian at Summit go to Mr Pulsecaster himself, Red Hat's Paul W Frields

So recently I sat down with a good friend, Mr Steve Higashi, possibly my favourite Canadian who actually lives in Austria. He works for OnApp, a company I rate highly, and we've been threatening to do this recording for nearly two years; when he was in London the other week we sat down and talked KVM.

Steve loves Cloud; he's a righteous dude when it comes to getting down and deep in the weeds talking to customers about engineering goodness. We touch on CloudForms 2.0, Red Hat OpenStack, OpenKVM, the Red Hat stack etc. We try to put some clarity around the whole KVM vs Xen vs proprietary alternatives debate, and to do it in an easy to listen / easy to consume show for you guys.

Hope you enjoy it, come back later in the week for a great show with Brian Stevens, CTO of Red Hat.

Download the podcast here in MP3 format only

So last week I blogged about a breach of security at a major company that was actually extremely isolated, and I am totally satisfied that this was a breach contractually outside of their control, which hopefully will land in litigation with the company who breached their contract and terms of reference with the originating company.

So what actually happened is that a tech refresh took place, with equipment being taken offsite under contract by an industry-regulated company specialising in recycling corporate IT hardware, whose job it is to sanitise and, where applicable, destroy or recycle / remarket IT equipment to the "third market", that is eBay etc.

Unfortunately this third party failed utterly to understand their responsibility and re-marketed this multi-function laser printer containing sensitive and potentially compromising information, which is once more entirely in the hands of the originating customer, the data controller in the eyes of the ICO. Considering they are ISO 27001, 14001 and 9001 certified, they demonstrated a total and utter failure both to their customer and to the needs of data sensitivity. I'd assume they just lost a customer; I certainly would have major concerns over their capabilities and can't see them being a continued supplier of the organisation concerned.

Conclusion

I am entirely satisfied, having seen first hand the processes that this major organisation has in place, having worked with their IT staff since last week and having met with one of their IT managers today in person, that they have been failed badly by a supplier.

A word of caution: data has a lifecycle. When you handle something non-specific such as an MFP, a router, a network boundary device, switch, firewall or the like, kill it before it goes to your third-party recycler. Here's where having a CUPS print server could have saved a world of pain. Don't rely on the manufacturers to assist you; most hardware vendors do not take security seriously and sacrifice security management capabilities for price point and features. Here's where Software Defined Networking in Cloud is going to prove invaluable.
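One way to turn the "kill it before it goes to the recycler" advice into a gate in the disposal process, as an added example that is not part of the original post: the device classes, the data stores each is assumed to carry, and the accepted sanitisation methods are constructed from the post's recommendations (scrap MFPs outright, wipe network gear before release), not from any real standard.

```python
"""Decommissioning gate: hold a device back from a third-party recycler
until every data store it carries has acceptable sanitisation evidence.
Added example; the tables below are assumptions drawn from the post."""
from dataclasses import dataclass, field

# Data stores each device class is assumed to carry (constructed table).
DATA_BEARING = {
    "mfp":      {"fax_log", "scan_cache", "address_book", "hdd_or_flash"},
    "router":   {"config", "logs"},
    "firewall": {"config", "logs", "vpn_keys"},
    "switch":   {"config", "logs"},
    "laptop":   {"hdd_or_flash"},
}

# Methods accepted per (class, store). Per the post, an MFP's own storage
# is only trusted gone when physically destroyed; a disk wipe is fine for
# a laptop drive. Anything not listed falls back to DEFAULT_ACCEPTED.
ACCEPTED = {
    ("mfp", "hdd_or_flash"):    {"physically_destroyed"},
    ("laptop", "hdd_or_flash"): {"physically_destroyed", "disk_wipe"},
}
DEFAULT_ACCEPTED = {"physically_destroyed", "factory_reset_verified"}


@dataclass
class Asset:
    tag: str
    kind: str
    evidence: dict = field(default_factory=dict)  # store -> method used


def missing_sanitisation(asset: Asset) -> list:
    """Return the asset's data stores that lack acceptable evidence, sorted."""
    gaps = []
    for store in sorted(DATA_BEARING.get(asset.kind, set())):
        accepted = ACCEPTED.get((asset.kind, store), DEFAULT_ACCEPTED)
        if asset.evidence.get(store) not in accepted:
            gaps.append(store)
    return gaps


def release_decision(assets) -> dict:
    """Map asset tag -> 'release' or 'hold: <stores>' for the recycler manifest."""
    decisions = {}
    for asset in assets:
        gaps = missing_sanitisation(asset)
        decisions[asset.tag] = "release" if not gaps else "hold: " + ",".join(gaps)
    return decisions


if __name__ == "__main__":
    # Constructed manifest: a 'disk wiped' MFP is held, a reset firewall goes.
    manifest = [
        Asset("MFP-01", "mfp", {"hdd_or_flash": "disk_wipe"}),
        Asset("FW-02", "firewall", {"config": "factory_reset_verified",
              "logs": "factory_reset_verified", "vpn_keys": "physically_destroyed"}),
    ]
    for tag, decision in release_decision(manifest).items():
        print(tag, decision)
```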

My thanks go to the CEO, IT staff and the Public Relations person at the company concerned for having jumped on this and proved that lessons do need to be learnt in all organisations of every size, but that they have been able to show me, in writing, and to demonstrate provable thought leadership around IT process management.

Oh, and they replaced the printer, which will go in my soon-to-be massively downsized office (a pregnant wife giving me clear instructions to give away hardware and to hire a skip) up the road in Devizes in the next few weeks before the baby arrives.


For those that listen to my podcasts, read this blog or see me on stage or at conferences with my security hat on, you'll all be aware I take security and privacy of data seriously, very seriously.

In 2000 I co-invented SmoothWall, the ubiquitous firewall that became so popular (from where Endian and IPCop then became derivatives), and I then bankrolled and started the company of the same name. Since exiting there in 2003 I've advised at the highest government levels as a certified cleared consultant and advisor, and now tell you all how to protect yourself in Cloud.

Therefore tonight, when configuring some second-user kit acquired from an eBay commercial seller nowhere near my home, I was surprised to find the kit actually originated from a very large commercial company in the catering sector four miles from my home here in Wiltshire.

The kit, a multi-function laser printer, HP-branded, presumably was from an office clearance. Now here's where I get prickly. I wrote white papers and good practice guides for MFP disposal years ago recommending the only way to get rid of them is to actually scrap them as industrial waste and not to let them go to a recycling company. Most recycling companies are generally self-proclaimed specialists with VERY BASIC ISO 27001 / BS standards (read: paper collection exercises that don't qualify you to do squat) who can run dban on a laptop and apply an acetate sticker saying "data cleansed" on it. You can't do that with MFPs; they have either solid state logic, flash memory or, worse, a hard drive. And they're manna from heaven for hackers.

Cue some basic, easy, legal and above-board manipulation of report functions via HPLIP under Linux, and now I have 150 confidential faxes sent and received by the original owner on what is now actually legally my property; worse, because it's a network device I now have their IP address schema, gateway details and enough info from the faxes to play social engineering havoc if I were a malicious hacker.

I am on vacation for my son's birthday the next few days, so I am not going to go out of my way to point out to the IT director concerned what shape and size a fine from the office of the CIO looks like, but after the recent food scares in the UK I am sat on purchase orders from every supplier they work with, and it's just stupid, idiotic and immature awareness or lack of awareness on their part that they 1) contracted their IT disposals to a bunch of clowns who broke the law and presumably their contract, and 2) left the original entity open to a fine or, worse still, a malicious hacker had they got that info.

Here's the worst kick in the teeth to me personally: turns out they're a SmoothWall user, so they obviously do get security, not just the major risks of data privacy or their responsibilities under any of the blended security matrices that make up common sense IT practitioning.

Time to draft an email to their CIO and ask him who he employs to look after security, as I'd be handing them a P45 and working out how to get this back into a box to own it. Wonder what else they recycled without due diligence? Time to hand these faxes to their rightful owner and to point out the genuine, sheer, unadulterated stupidity of their ways. It's even more stupid when you think that this company are actually market leaders by hard won, hard grafted achievement, supplying catering to local government organisations, hospitals, care homes etc. Not small fry, so you'd expect better process control and understanding of IT security.

Epic fail.

Please, if you are one of the thousands of people who read my blog, don't emulate them.