9 minutes read

A Year in Review: South Bound and Down

The last year or so has been… busy. Around this time last year the company I work for got acquired by Kaseya and it was a reasonably smooth transition. I went from being the Identity Guy to Lead Member of Technical Staff, and from a small engineering team to, well, a lot more. Our products went from being somewhat siloed in nature to being the secure foundation for Kaseya’s new next generation platform. As such my team has spent the last year building some pretty cool things that everyone will see in the coming months. We made amazing progress over this…

2 minutes read

What is Code?

Source: http://www.bloomberg.com/graphics/2015-paul-ford-what-is-code/

One of the lessons that TMitTB [The Man in the Taupe Blazer] has tried to get across to you, the big message that matters most to him, is that code is never done; after shipping the new platform (no longer a website, this is a platform), with all its interlocking components, he and his team will continue to work on it forever. There will always be new bugs, new features, new needs. Such things are the side effects of any growth at all, and this platform is, he insists, designed to scale. What no one in engineering can…

78 minutes read

Going Nuclear: Modeling Threats to Distributed Systems

It probably won’t come as a shock to you that as I was writing up my last post on IoT and my new Geiger counter I was mentally reviewing all the things that scared the crap out of me had me concerned security-wise. I don’t mean the apocalyptic visions of Fallout, but about the fact that I have a device I don’t necessarily trust sitting on my network constantly feeding data to a remote server without much control by me. I’m predictable like that. Upon further review I realized I wanted to write up my thoughts on how I would protect against such an…

11 minutes read

IoT is Weird: Or Why I now have a Network Connected Geiger Counter

Update: I have a page of data here: http://syfuhs.net/my-rad-monitor/.

It’s a bit weird to imagine everything with an IP address. I’m not entirely sure how I feel about this idea. My feelings about this aside though, this is becoming more and more prevalent with the advent of cheap and powerful processors available to anyone with an idea. It used to be that you needed a team of engineers to build embedded devices that can connect to the internet, but now all you need is an Arduino, a few components, a few hundred lines of code, and a few hours to build an internet-connected device….

1 minute read

Ptr: Azure Pack UserVoice Feedback

Ptr: http://feedback.azure.com/forums/255259-azure-pack Looks like Microsoft just launched a public UserVoice site for Azure Pack! You can submit or vote for your most wanted features for upcoming releases. Cool! Like all feedback sites not all features or requests can be met, but it’s still a great way for customers to tell Microsoft where they should focus their energy. Do you have an idea or suggestion based on your experience with Azure Pack? We would love to hear it! Please take a few minutes to submit your ideas about providing Azure technologies and services on-premises, or vote up an idea submitted by…

1 minute read

Ptr: Authentication Scenarios in Azure AD

Came across a great article on MSDN recently that outlines the various authentication scenarios in Azure AD. Azure Active Directory (Azure AD) simplifies authentication for developers by providing identity as a service, with support for industry-standard protocols such as OAuth 2.0 and OpenID Connect, as well as open source libraries for different platforms to help you start coding quickly. This document will help you understand the various scenarios Azure AD supports and will show you how to get started. The knowledge has been around for quite a while now, but it’s nice to see it all centralized into an easy…

14 minutes read

Windows Azure Pack Tenant Public API Authentication Options

Web services, as we’ve learned throughout this series, are integral to the workings of Windows Azure Pack. Every UI exposed to the user connects to the backend via a web service, every resource provider is managed by Windows Azure Pack through its own web services, and third-party functionality can be tied in through web services. It’s an SOA world. Last time we looked at the Tenant Public API and how it uses client certificates for authentication. Client certificates are paradoxically complex beasts while also being the easiest authentication method for third parties to use. This is because you don’t really…

2 minutes read

Windows Azure Pack at TechEd 2014

It looks like Windows Azure Pack is starting to become my new favorite thing — so much so that I was excited to see that there were a number of presentations on it at TechEd this year. What makes this even better is that the presentations were recorded and you can stream them from Channel 9! Take a look at the full list here: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014?t=windows-azure-pack#fbid=. While you’re at it, start with Marc and Bradley’s presentation: Lessons Learned: Designing and Deploying the Windows Azure Pack in the Real-World. I liked it so much and I think it’s such a great starting point that I’m going…

13 minutes read

Web Service Authentication in Windows Azure Pack

It’s been a couple of months since we last looked at Windows Azure Pack, so before we jump into the thick of it, let’s recap:

- Windows Azure Pack is an awesome on-premise private cloud platform
- The interactive portions are broken down into two sections: admin areas and tenant areas
- It relies on JWTs as bearer tokens to authenticate between UI surfaces and backend web services
- It uses federation to authenticate users at two separate Security Token Services using WS-Federation
- A JWT is used as the token in the WS-Fed protocol
- You can use your own STS or ADFS to authenticate users…

2 minutes read

Covert Redirect in OAuth 2.0 and OpenID — or yeah, and?

Earlier today a news story broke claiming the sky is falling because OAuth 2.0 and OpenID are vulnerable to “Covert Redirect” attacks — or as the rest of the world calls them — open redirects. This class of vulnerability has been around for quite a while and frankly is already mentioned in the threat model for the protocols in question. The mitigation is very simple: make sure you trust the location you’re sending data to before you send the data. This is an implementation detail. A very important implementation detail, but an implementation detail nonetheless. For a more detailed look at…