A Need for Monitoring without Administration

There was a report recently that a number of US government agencies were hacked through a network management system. Apparently SolarWinds had their code hacked, and this resulted in a backdoor being distributed to customers via software updates.

There is a lot that went wrong here, and this ought to make many system management software vendors very nervous. An attack on your software developers, designed to allow a hacker to put backdoors into source code repositories, is a wild second (or third) order attack. I would certainly be nervous to be a software developer right now, and be extra cautious about any sort of potential phishing email sent to me. Yes, that’s a thing.

The bigger issue, to me, is that monitoring most systems ought to be possible without requiring escalated privileges. While there are some ways to get metrics without requiring administrative rights, most OSes and most administrative and monitoring software expect to have complete rights to all resources.

That’s a hole in design. There are plenty of cases where we want monitoring data (and alerts/notifications) distributed to other automated systems or to interested individuals, but we don’t want to expand the number of administrators. Every additional individual or system that can potentially change something as an administrator is another potential attack vector.

We have built our core operating systems with the idea that someone needs complete control of the system to work with it. For some things, that’s true, but for resource usage, especially in the way that many of us need to watch at scale, I’m not sure that this needs to be the case. My view is that Windows, macOS, and Linux ought to undertake fundamental design reviews to determine if they can further shrink the scope of privileges for monitoring systems.

In the meantime, granting privileged access to an automated system for monitoring ought to be done very carefully, even more carefully than for human sysadmins. This account will run by itself, and someone might not notice if it is compromised. Set strong, very long passwords, change them periodically, and audit the account to be sure it is only accessing what you think it should access.
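One way to carry out the audit step described above, as an added example that is not part of the original editorial: compare what the monitoring account actually did against what it is expected to do, and flag anything outside that scope. The log format, the account name `svc-monitor`, the host names and the policy are all constructed assumptions.

```python
import csv
import io

# Constructed audit records: timestamp, account, source host, action, resource
SAMPLE_LOG = """\
2021-01-06T02:00:01Z,svc-monitor,mon01,read,perf/cpu
2021-01-06T02:00:02Z,svc-monitor,mon01,read,perf/disk
2021-01-06T02:03:10Z,alice,ws17,write,config/firewall
2021-01-06T02:05:44Z,svc-monitor,mon01,read,secrets/backup-key
2021-01-06T02:06:12Z,svc-monitor,ws42,read,perf/cpu
2021-01-06T02:07:30Z,svc-monitor,mon01,write,config/agents
"""

# Hypothetical policy: what the monitoring account is supposed to do
POLICY = {
    "account": "svc-monitor",
    "hosts": {"mon01"},                           # where it should run from
    "actions": {"read"},                          # monitoring should never write
    "resource_prefixes": ("perf/", "eventlog/"),  # metrics and logs only
}


def audit(log_text, policy):
    """Return the monitoring account's events that fall outside the policy."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, account, host, action, resource = row
        if account != policy["account"]:
            continue  # other accounts are audited elsewhere
        reasons = []
        if host not in policy["hosts"]:
            reasons.append("unexpected source host")
        if action not in policy["actions"]:
            reasons.append("action not allowed")
        if not resource.startswith(policy["resource_prefixes"]):
            reasons.append("resource outside monitoring scope")
        if reasons:
            findings.append((ts, host, action, resource, reasons))
    return findings


if __name__ == "__main__":
    for ts, host, action, resource, reasons in audit(SAMPLE_LOG, POLICY):
        print(f"{ts} {host} {action} {resource}: {'; '.join(reasons)}")
```
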

Steve Jones

Listen to the podcast at Libsyn, Stitcher, Spotify, or iTunes.


Daily Coping 6 Jan 2021

I started to add a daily coping tip to the SQLServerCentral newsletter and to the Community Circle, which is helping me deal with the issues in the world. I’m adding my responses for each day here. All my coping tips are under this tag. 

Today’s tip is to be kind to the planet. Use less energy today.

This isn’t always easy to do, but I am trying to be a little better about this. As my kids leave the house, with the last one going in a couple weeks, I know that there should be less energy usage around here. I’ve made it a point to shut down my computer more often, and also kill more electronics that don’t need to be plugged in and running. There are some we rarely use, so flipping a power switch on a strip is the best way to reduce some usage.

I’m also trying to make fewer trips to the gym and store, combining things when I can. Small changes, but lots of small changes add up.


The Devil is in the Details

Some of us have run into perplexing technology problems, where we had to dig deep into an application to solve a problem. We might need to work with our own staff, vendor support, perhaps even coordinate people across multiple different organizations. This can be even more challenging when we don’t have access into the internals of all the code.

I ran across a neat story from Netflix, where an engineer had to dig into an issue with one of their partners. In this case, there were hardware and software components, and four different companies involved. The problem involved a playback issue, with deadlines and finger pointing over the issue.

Eventually the root cause discovered was a thread-level issue in the Android OS, but the tale of how the engineer asks questions, looks at good, sets up tests, and more is a good example of how to dive into an issue. While many of us wouldn’t get involved in threads on the data platform, we do need to understand the code and use metrics and data to narrow down the issues. It’s certainly possible we could discover a bug, but most of my experience is that I’ve found a problem in developer code or insufficient hardware resources.

The story is a nice read, and the final paragraph made me smile. It had this quote: “This story really exemplifies an aspect of my job I love:…” It’s always inspirational to find someone truly enjoying their job, and I find myself thinking about the things I love about my job, with problem solving being one of the best parts.

Steve Jones


Daily Coping 5 Jan 2021

I started to add a daily coping tip to the SQLServerCentral newsletter and to the Community Circle, which is helping me deal with the issues in the world. I’m adding my responses for each day here. All my coping tips are under this tag.

Today’s tip is to call a relative who is far away to say hello and have a chat.

This is an easy one this time of year. If you didn’t make time during the holidays, do so now. For me, I try to call my Mom every week or two and chat a bit. We also email and text, but it’s good to keep in touch.

My brother is busy, with three kids in high school now, and we don’t talk enough, but I reached out a few times across the last few weeks to chat and say hi. We even had a family video chat on Christmas day.

I also joined my wife in reaching out to her sisters, who we haven’t seen in a long time because of the pandemic.

I’m not a big talk-on-the-phone person, but it was good to reach out and touch a few others.
