Personally I am a big fan of proper password management procedures. For my personal data I always used the open source tool Keepass (http://keepass.info/) for my passwords, but it was always missing two items:
For my encrypted data I always built hidden share volumes using another open source tool Truecrypt (http://www.truecrypt.org/). The product works great, but I find that I need to encrypt less and less of my data these days.
I just replaced them all with Lastpass (http://lastpass.com/), which is a very impressive product. It integrates with pretty much every major browser out there and it's all centralized and allows for web access for all of your data. It allows for import from pretty much any browser database, or product (such as keepass). Its $12 per year for premium, I buy products like this because the value is high and the cost is low. If we don't support companies like this then they are not around for us.
For our enterprise I have used several nice distributed products in the past, but one always stands out as a cheap and well built solution. The product we use is Password Manager Pro (http://www.manageengine.com/products/passwordmanagerpro/), we don't use the enterprise products from them which allow for centralized password reset and such. All systems, regardless of if they are Linux, or windows use active directory for authentication (thanks winbind).
The product is a great secure repository, and it allows us to share relevant passwords with finance, HR, Marketing, Development, or the Database teams. It allows for dynamic groupings which are very flexible based on the content of the resources defined.
At my previous company we were a heavy user of Solaris, and we also had a lot of legacy specific SCO systems as well. 3-4 years ago, some person (who shall remain nameless) was pushing Opensolaris as "the future", personally I thought the guy was way off base. He did deploy some of it, and it worked well, the problem would be the support and future for another player in the x86/64 market. There was no future, I saw it, but apparently other people in management didn't. I then read this article:
I love being right J
Sorry to see you go, but it's for the better. Oracle hopefully will invest more resources into Linux which it hasn't been doing as much since the Sun purchase.
I've been waiting for quite a while for a major security firm to be purchased by one of the big boys. I am glad that Intel was the first one to start this trend, because they are generally only a hardware player. If security were embedded at that level it would create a differentiator from other competitors, weather they are x64 based or other chips (Oracle, IBM). Security has become very commoditized and consolidated over the last several years.
You haven't seen much innovation in several years either. Is that because we've solved the problem? I think not… Is that because there isn't capital in this market? Nope… I think the main reason is due to the massive consolidation and the work needed to integrate all of these smaller companies together. You are also seeing players like Microsoft developing a larger security portfolio, as well as network vendors integrating more security features and products into their appliances. If you look back 5 years ago, there wasn't much as far at UTM (Unified Threat Management) devices, now every firewall vendor has one, you can find hundreds of products both commercial and open source in this area.
Some other thoughts on how security is being embedded across the stack are by Bruce Schneier, who is a superb writer and author as well as a great cryptographer.
http://www.schneier.com/blog/archives/2010/08/intel_buys_mcaf.html
Writing this thanks to gogo wireless… Love this service.
I'm going to start upgrading our hosts to 4.1 next weekend probably. Going to try update manager even though it crashed and burned on my 3.5-4.0 upgrade and I ended up using the host utility. I know the command line upgrader works.
I read this on the spiceworks message board:
Resolution:
This is worth knowing as it's a bug and definate gotcha.
VMWare said:
"I had one of the escalation engineers for Update Manager look at the log and here is what he said
The customer imported the pre-upgrade offline bundle which is NOT needed and in fact causes problems.
[2010-07-28 13:36:55:781 'DownloadOfflinePatchTask.DownloadOfflinePatchTask{9}' 3700 INFO] [vciTaskBase, 530] Task started...
[2010-07-28 13:36:55:781 'DownloadOfflinePatchTask.DownloadOfflinePatchTask{9}' 3700 INFO] [downloadOfflinePatchTask, 123] Upload offline bundle: C:\Windows\TEMP\vum8205261630712700578.pre-upgrade-from-ESX4.0-to-4.1.0-0.0.260247-release.zip
We are working on correcting the situation so this doesn't happen. The existing pre-upgrade bundle will be replaced and we are working on a KB for those that have gotten into the situation (iKB 1024805). Unfortunately, there is no easy workaround once VUM is in this situation. A reinstall/DB reinit is suggested."
The end result is that VUM didn't want to reinstall cleanly so I had to nuke my Vcenter server and rebuild it from scratch.
So, DON'T APPLY THE PRE-UPGRADE PACKAGE IF YOU ARE USING UPDATE MANAGER TO UPGRADE YOUR ESX HOSTS!
:)
Maybe useful next weekend J
Let me start off, by just saying that this site is great, its always entertaining and filled with great data : http://get-admin.com/blog/
I'm very happy that Vmware released 4.1 recently. After the horror stories I read about 4.0U1 we decided to skip them and wait for 4.1. There wasn't a lot in the updates we cared for anyways. There are quite a few interesting features in 4.1, and one of the good things that Vmware has done is finally killed off ESX (after this release). ESXi has been great for us over the last couple years, and I haven't had any complaints with switching over to it from ESX in previous years. I found using update manager was not the most reliable when moving from 3.x to 4.x on the physical systems themselves, so we opted to use the host upgrade tool. This is not a supported method to move from 4.x to 4.1. We will probably have to give the update manager another run, which concerns me. At least its not as complex as upgrading Hyper-v J
I will probably start upgrading our enterprise (not production) systems to 4.1 in the next couple weeks, and I will post my findings on the blog as I go.
Bigfix makes some excellent products, and they have been moving in great directions over the last couple years. They have moved out of pure remediation and into configuration management and control. I would have loved to have purchased them for use at my current company, but the pricing was a bit higher than I'm using for Shavlik HFNetchk Protect, which is another good product, but is far more limited. I wanted to have one tool to patch Linux and Windows systems.
IBM has been really struggling to provide a good provisioning and patch management tool for years and years. First they were pushing TPM which is probably the worst product I have seen IBM release. Unfortunately a company I worked for previously was obsessed with using this product that most Tivoli enterprise customers get for free and completely disregard. I spent a good amount of time looking at the product and its capabilities, or lack thereof. I'm concluding my rant now, but its happy to see IBM adding a superb replacement for TPM and adding additional security related products they will acquire with the Bigfix purchase.
I was also quite surprised at the cost of the purchase at $400m. I know Bigfix has a lot of customers, and they sell a service, which makes it nice for both operating business as well as the customers who can bill this against opex versus capex. I would have assumed they would have had to pay more for the company. It will be interesting to see what features IBM takes from them and puts into Tivoli, and which other ones become part of the ISS portfolio over time.
Now that the workload has reduced a bit over the last month or so we can spend time doing project work. It's always been my philosophy to simplify as much as possible, this is normally because I end up having to fix messes, which are normally caused by undue complexity. Complexity can affect performance, availability, and manageability. Automation can often create complexity, as can requests by various people in the business who don't necessarily plan the projects or requests they make of others (especially development and operations).
This being said I often get blocked when I try to simplify things, because people want to build things out in a more redundant manner than is required for the business needs. There are a lot of ways to create a redundant system without creating complexity, you just have to step back and look at the overall configuration and requirements to come up with the best solution.
We get a lot of requests from our QA team to reload various Resin app servers, and other processes. What we are doing now is creating a web based interface for them to do the reloads on their own. This eliminates the need for operations to run the scripts, and saves time and resources.
