
Radovan Semančík's Weblog

Sunday, 30 April 2006

I had a terribly busy time. Tons of work. Lots of new projects in preparation. And that means lots of "how long will it take?" and "what will be the cost?" questions. I answer these questions too often ...

Some of the "foresight" work that I did lately was for several Enterprise IDM projects. It was not a difficult task, as I have already lived through some projects in this area. I've considered the size of the target organization, the number and types of systems there, the experience of the implementation team and especially the issues ([1] [2] [3]) that are likely to be encountered in the projects. And I've produced the estimates.

The projects were quite different. Different organizations, different sets of systems, expected deadlines and even different sizes. But one thing was always common: the customer reaction. In all the cases the reaction was "Oh, that's too much!".

It surprised me the first time. Aren't the customers aware of the things that the project may uncover? And I've realized that they are not. The customer expects that deployment of an IDM solution will be like installing a fridge. You buy it, plug it in, turn the switch and it works. It does not.

Any Enterprise IDM project will need some amount of software development. The most obvious case is the development of custom connectors to exotic systems. While that is usually the most time-consuming part, it is not the most important software development task. There will be a need to customize the user interface, workflow processes and reconciliation tasks. And there usually are requirements to integrate the IDM solution with organizational structure sources and task listing applications.

Enterprise IDM solutions are not easy projects. These are definitely not turn-key solutions. They need to be customized. Why? Because the primary goal of an Enterprise IDM project is not simple process automation. The real goal of these projects should be cleaning up the mess that has piled up in the digital cellar over all the long years.

And that is not an easy task ...

Posted by semancik at 12:45 PM in Identity
Friday, 28 April 2006

The local news is full of it. The National Security Office of the Slovak Republic was hacked. You can look at the hackers' description of the attack (Slovak only, sorry). The attack was trivial: The attackers probed the system using a bug in the webmail system. They got a suspicious username, tried to guess a password and ... it just worked. There was a "public" SSH connection and the same password worked on several other systems. Too easy ...

The National Security Office is quite an important organization of the Slovak government. It supervises the use of classified information, and it administers most of the security checks and clearances. It even hosts the national (root) certificate authority for qualified digital certificates and sets the digital signature regulations. You can imagine the panic that started after the announcement.

The real impact of the attack was minimal. The hackers gained control over several servers in the DMZ, stole a few gigs of data, and could read and spoof mails and do similar things. The Office denies that they've stolen any classified information. But the impact of this actual attack is not what troubles me most. The scary thing is the fact that the attack was so easy and straightforward. I would not be surprised if it eventually turns out that a teenager did it. The triviality of the attack means that the failure is much deeper than just a "one weak password" problem.

Every system can be compromised. That's a fact that any security expert knows. The trick is to make the compromise infeasible. To make it difficult, time-consuming, expensive. To combine systems and procedures in such a way that a compromise is either very improbable or that its impact is negligible. The fact that the Office was compromised so easily, that the attack was not detected and that the attackers gathered quite a lot of information points to a severe system failure. I'm not talking about the operating system, the firewalls or any other technical system, but the "security system" as an organizational process.

If the system worked as it should, the hole in the webmail interface would not be there. It would be fixed by regular patching. If the system worked, the public SSH access would not be there. It would be limited to some IP address range, would use public-key authentication only, or it just would not be there at all. If the system worked, the user with the weak password would not be there. It would be detected by regular audit and deleted (or at least the password would be made stronger). If the system worked, the same password would not be used over several systems. Any of these could have hindered or at least limited the attack.
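The SSH controls named above (public-key authentication only, access limited to an IP address range) can be checked mechanically during a regular audit. The following is an added example, not part of the original post: a small Python audit of `sshd_config` text, run over two constructed sample configurations. It assumes OpenSSH keyword names and inspects only the global section of the file.

```python
# Added example: audit sshd_config text for the SSH controls named in the post.
# Both sample configurations below are constructed for illustration.

DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}

def parse_global(text):
    """Return (settings, allow_users) for the lines before the first Match block.

    sshd keeps the first value it reads for a keyword, so later duplicates are
    ignored. AllowUsers may be given more than once, so its patterns are collected.
    """
    settings, allow_users = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, values = parts[0].lower(), parts[1:]
        if key == "match":
            break
        if key == "allowusers":
            allow_users.extend(values)
        elif values:
            settings.setdefault(key, values[0].lower())
    return settings, allow_users

def audit(text):
    """Return a list of findings; an empty list means all three checks passed."""
    settings, allow_users = parse_global(text)
    get = lambda k: settings.get(k, DEFAULTS[k])
    findings = []
    if get("passwordauthentication") != "no":
        findings.append("password authentication is enabled")
    if get("pubkeyauthentication") != "yes":
        findings.append("public-key authentication is disabled")
    # USER@HOST patterns in AllowUsers restrict logins by source host or CIDR.
    if not allow_users or any("@" not in p for p in allow_users):
        findings.append("logins are not restricted by source address")
    return findings

WEAK = """
Port 22
# guessable passwords are accepted from any address
PasswordAuthentication yes
"""

HARDENED = """
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers *@192.0.2.0/24
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

Match blocks, keyboard-interactive authentication and firewall rules are outside what this check inspects, so a clean result covers only the three settings it reads.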

It is not a failure of system administrators. Considering an organization like this, the security system should address even a deliberate attempt of a system administrator to lower the security level of the system, not to mention common unintentional mistakes. The multi-level security and separation of duties principles are good for just that.

The fact that all of the weaknesses existed in the system is glaring evidence that no effective security system was in place. And that is the thing that really troubles me. This attack was just for fun. The attackers had no real intention to harm. The next attack might not be that friendly ...

Do not look for the www.nbusr.sk webpage for a while. It looks like it was taken down as a means to secure the agency. In fact, the whole agency looks to be disconnected from the Net.

Posted by semancik at 1:24 PM in security
Monday, 10 April 2006

Bob Blakley recently argued to avoid automatic exposures. The debate further continued with Phillip Hallam-Baker's reaction and Bob's reply.

Bob is indeed right that the "pure" automatic exposure does in fact homogenize your photographs. But he may be wrong about the method of avoiding that. Well, there are essentially two approaches to "creative" exposure:

  1. Switch to "manual" as Bob described. But for that you need another way to meter the lighting conditions. Maybe your expert judgment, maybe a handheld exposure metering device. The former needs tons of experience and is not reliable even if that is given. The latter is expensive, cumbersome and unreliable for beginners.
  2. Switch to "automatic" and use exposure compensation of some form. The camera meters the "normal point" for you. You just have to decide how much darker or lighter you want the scene to be and compensate for that. You need neither decades of experience nor a separate device. And it does not really matter if the "automatic mode" is aperture priority, shutter priority or some program mode. It does not really matter if the metering is spot, center-weighted or multi-zone, as long as you can predict the results.

The photograph is not produced by the camera. The photograph is produced by the photographer. And it really does not matter that much what camera you use. What really matters is how well you know your device. How well you can predict its behaviour and results. Therefore, both of the approaches will work, and I could say that both will work equally well.

Know your equipment. That's one of the basic photography mantras.

Want a proof? Look at my photographs. Most of them were taken using some sort of (tweaked) auto-exposure. And you really cannot say that the exposure is "homogenous".

The real problem with auto-exposure is that most photographers do not think about it. They do not "tweak" it. They do not use exposure compensation, they do not choose a segment of the image for measuring the exposure, they just take the picture as it is. That's the real problem. Not the feature of the camera, but the mind of the photographer.

Posted by semancik at 11:33 AM in photography