Three of my favorite things...

...are space, Texas, and data security, and they're all right here!

The Endeavor Space Shuttle passed over the Gazzang world headquarters in Austin this morning.  The Statesman has the full article.  This image is pretty spectacular without my grafitti (but I couldn't resist)!

:-Dustin

Gazzang Secures Cloudera Distribution of Hadoop, MongoDB

Earlier this week, Gazzang and Cloudera publicly announced an official partnership, providing the Big Data industry with a first-of-its-kind offering ... a commercially supported encrypted Hadoop distribution!  Check out that spiffy Gazzang logo right there in the mix with our esteemed friends at Ubuntu and PuppetLabs!

We have certified Gazzang's eCryptfs-based transparent filesystem encryption solution, zNcrypt, running under the Cloudera Distribution of Hadoop (CDH), protecting all of the data at rest.

We at Gazzang are really quite proud of this milestone and our unique opportunity to really help secure enterprises leveraging Big Data.

It quite nicely aligns with our partnership with 10gen as well, where we have also certified zNcrypt protecting MongoDB NOSQL data as well.  Once again, we feel we're in quite good company with our colleagues at Canonical and Red Hat, working with 10gen.

Here's to building an ecosystem around security and privacy of this next generation of applications leveraging NOSQL and Big Data!

:-Dustin

A Food and Drink Guide to Nawlins

Knowing that I grew up in Louisiana, a colleague asked me recently for some restaurant recommendations, as she's heading to New Orleans soon.  I sent her this email privately, but realized in retrospect that I've been asked this question before, from time to time.

Also, how long overdue are we for an Ubuntu Developer Summit in New Orleans?  :-)

Breakfast

 For that New Orleans ambiance, it's hard to beat Cafe du Monde, for chicory cafe au lait and beignets.  I'm definitely more of an espresso-based coffee drinker, but I make an occasional exception for a little chicory cafe.  And the beignets are to die for.  If you're more in the mood for a classic egg/toast/bacon/sausage breakfast, you can venture a bit further afield to the Camelia Grill (expect to wait a very long time, though, as the line is typically wrapped around the block).

Brunch

You'd be hard pressed to find a more ridiculously overwhelming all-you-can eat pile of decadent deliciousness than the jazz brunch at the Court of Two Sisters.  It's quite possibly Kim's favorite thing to do in the entire world.  It's a little pricey, maybe $25 per person. But it's all you can eat of the best Cajun sweets and savories.  It's in the courtyard of a 200+ year old house, with a little jazz band
that wanders around the courtyard serenading you at table side.  I'd call this a don't-miss dining experience in the world (much less New Orleans alone), if you're a true foodie at heart.

Lunch

There's a ton of good po-boy options all around the city -- they're pretty easy to sniff out.  Literally just follow your nose, smelling around for the best fried oysters or shrimp or catfish you can find, and you won't go wrong.  But I'd recommend seeking out a good muffaletta -- basically a giant Italian sandwich with olive tapenade and multiple cuts of meat.  My favorite is from Cafe Maspero.  That's a lot harder to find outside of New Orleans.  You can either order a half or get a whole one to split.  It's gigantic.

Siesta

I much prefer the mid-day crowd at Pat O'Brien's (compared to the craziness that ensues after dark).  Pat O'Brien was a bartender in the 1930's in New Orleans that supposedly invented the hurricane cocktail.  I'll actually have a refreshing mint julep, especially if it's even slightly warm outside in their lovely courtyard.

Dinner

So, so many dinner options...I dedicate an entire blog to it.  You can't go wrong with any of the Brennan family restaurants.  All are very high-end, with world re-known, expert chefs.  There's a few options in the French Quarter. My favorite is the Bourbon House, which in addition to having an amazing seafood and steak menu, also has a few hundred whiskey options and a fabulous cocktail bar.  There's also just the classic Brennan's, which is outstanding too, as well as the Commander's Palace.  If you really do one of the nicer restaurants around town, maybe bring a dinner jacket and a nice dress-- a lot of these places are very French, very traditional, and very fancy, even if they're not terribly expensive.

Dessert

If you end up at either Brennan's or the Bourbon house, make sure you have a Banana's Foster.  It was actually invented at Brennan's in 1951.  I'm also a big fan of New Orleans style Bourbon bread pudding and pecan pie.  These are everywhere.

Night Cap

You can drink all the Huge Ass Beers and Handgrenades you want outside as you walk up and down Bourbon Street.  On the other hand, if you want to dip in for a couple of fancy cocktails, I'd recommend getting a Sazerac at the gorgeous Sazerac Bar (the world's first jazz nightclub) in the bottom of the world famous Roosevelt Hotel (now a Waldorf Astoria property). Another amazing, New Orleans original cocktail is the Ramos Gin Fizz at the Hotel Monteleone, which actually has a "carousel bar" -- if you're lucky enough to get a seat at the bar, you'll rotate 360 degrees around the bar tenders while they serve your fellow patrons.

:-Dustin

The Linux Foundation's Cloud Open: Security and Privacy in the Cloud

Howdy all!

I just delivered my presentation at the Linux Foundation's CloudOpen 2012 event, and I'm happy to share my slides below.  You can also download the PDF.


I must say that this conference is simply one of the absolute best conferences around.  This year co-located several events, including LinuxCon, Linux Plumbers, as well as the new CloudOpen conference.  I've spoken at each of these in the past, and always found the quality of the presentations, evening events, and hallway conversations as the absolute best in the industry.

:-Dustin

Data encryption -- Why? Some numbers...

At last weekend's Texas Linux Fest, at the end of my presentation, Data Security and Privacy in the Cloud, an attendee asked a great question.  I'll paraphrase...

So...  What's the actual threat model?  Why are you insisting that people encrypt their data in the cloud?  Where's the risk?  When might unencrypted data get compromised?  Who is accessing that data?

A couple of weeks ago, an article from ComputerWorld made the front page of Slashdot:

'Wall of Shame' exposes 21M medical record breaches New rules under the Health Information Technology for Economic and Clinical Health Act, By Lucas Mearian, August 7, 2012 06:00 AM ET

Here's a few absolutely astounding numbers from that article, which were pulled from the US Department of Health and Human Services Health Information Privacy website by the author of that article.

Since the data is publicly available, I was able to download and import all of these into a spreadsheet and run some numbers and verify ComputerWorld's article.  I can confirm that the Mr. Mearian's numbers are quite accurate, and just as scary.  Since September 2009:

• 21+ million people have had their health care records exposed
• 480 breaches have been reported

The top 6 breaches all affected more than 1 million individuals:

• 4.9 million records: TRICARE Management Activity, the US Department of Defense's health care program, exposed 4.9 million health care records when backup tapes went missing
• 1.9 million records: Health Net lost 1.9 million records when backup hard drives went missing
• 1.7 million records: New York City Health & Hospital's Corporation's North Bronx Health Care Network reported the theft of 1.7 million records
• 1.22 million records: AvMed Health Plans reported the loss of a laptop with 1.22 million patient records
• 1.02 million records: Blue Cross Blue Shield of Tennessee exposed 1.02 million records with the loss of an external hard drive
• 1.05 million records: Nemours Foundation (runs children's hospitals) lost 1.05 million records with missing backup tapes

Such breaches are very costly, too.

• $4.3 million: Cignet Health of Prince George's County civil lawsuit penalty
• $1.5 million: Blue Cross Blue Shield of Tennessee penalties
• have since encrypted all of their hard drives, 885TB of data
• $1.7 million: Alaska Department of Health penalty
• due to theft of a thumb drive, stolen from an employee's car

Running a few more reports on the public CSV data,

• Across 480 reported breaches, these were the top reasons given for the incident:
• 55%: Theft of devices or physical media
• 26%: Hacking/Unauthorized access
• 12%: Lost devices, disks, tapes, drives, media
• 5%: Improper disposal of devices
• 3%: Other

The most disappointing part, to me, is that 72% of those breaches stemming from theft, lost devices, and improper disposal -- a total of 15.6 million individual's health records. This means that the vast majority of these compromises are easily preventable, through the use of comprehensive data encryption. And I'd argue that many of the remaining 28% of the breaches attributed to hacking, unauthorized access, and other disclosures could also be thwarted, slowed, or deterred by coupling encryption with advanced key management, access controls, and regular auditing.

So here I am, writing the same thing I've been writing in this blog for 4 years now...

1. Encrypt your data.
2. Help your colleagues, friends, and families encrypt their data.
3. Insist that your employers institute thorough security policies around encryption.
4. Ask hard questions of your health care providers and financial services professionals, about the privacy of the data of yours they have. Hold them accountable.

There's a wide range of tools available, from free/open source, to paid commercial offerings. On the free/open source side, I'm a proponent, author, and maintainer of both eCryptfs and overlayroot (which uses dmcrypt). These can help protect your home directory and your private data in cloud instances.

And from the commercial side, my employer, Gazzang, sells an enterprise-class encryption product called zNcrypt, and I've architected Gazzang's cloud-compatible key management system, zTrustee. I have no doubt that the combination of these two technologies -- comprehensive data encryption and a robust key management solution -- could have prevented the compromise of millions of these records.

:-Dustin

ecryptfs-utils-100 released

Most of the original IBM LTC Security Team that designed and implemented eCryptfs, 2005-2008, along with a couple of Gazzangers who have also contributed to eCryptfs.  Gazzang hosted a small reception on Thursday, August 2, 2012.

I'm pleased to announce the 100th release of the ecryptfs-utils userspace package!

Somewhat unusually, eCryptfs userspace packages simply increment a single integral revision number, rather than a major or minor revision.  That project maintenance decision predates my involvement as project maintainer.  But it seems to work, at least for me :-)  I started maintaining the eCryptfs project and package at release 50, so this marks roughly my 50th release too.

Grepping through the changelog, I counted 157 bugs fixed over the last 6 years.  I really like to recognize the contributors who have helped bring a stable and reliable eCryptfs to you:

• Andreas Raster, anrxc, Arfrever Frehtes Taifersar Arahesis, Colin King, Colin Watson, Daniel Baumann, David Hicks, David Planella, Diego E. "Flameeyes" Pettenò, Dorin Scutarașu, Dustin Kirkland, Eddie Garcia, Eric Sandeen, Evan Dandrea, Frédéric Guihéry, George Wilson, Jakob Unterwurzacher, James Dupin, James Westby, Kees Cook, Kent Yoder, Marc Deslauriers, Martin Pitt, Michael Rooney, Michael Terry, Michal Hlavinka, Paolo Bonzini, Phillip Hellewell, Sebastian Krahmer, Serge Hallyn, Sergio Peña, Stephan Ritscher, Steve Langasek, Tim Harder, Tyler Hicks, Wesley Wiedenmeier, Yan Li

Apologies if I missed you...let me know and I'll add you in there ;-)

Changelog follows.   Here's to another 100!

ecryptfs-utils (100) precise; urgency=low

  [ Tyler Hicks ]
  * src/pam_ecryptfs/pam_ecryptfs.c, src/libecryptfs/key_management.c:
      LP: #1024476
    - fix regression introduced in ecryptfs-utils-99 when Encrypted
      Home/Private is in use and the eCryptfs kernel code is compiled as a
      module
    - drop check for kernel filename encryption support in pam_ecryptfs, as
      appropriate privileges to load the eCryptfs kernel module may not be
      available and filename encryption has been supported since 2.6.29
    - always add filename encryption key to the kernel keyring from pam_mount

  [ Colin King ]
  * tests/kernel/inode-race-stat/test.c:
    - limit number of forks based on fd limits
  * tests/kernel/enospc.sh, tests/kernel/enospc/test.c,
    tests/kernel/Makefile.am, tests/kernel/tests.rc:
    - add test case for ENOSPC

  [ Tim Harder ]
  * m4/ac_python_devel.m4: LP: #1029217
    - proplery save and restore CPPFLAGS and LIBS when python support is
      enabled

 -- Dustin Kirkland Thu, 02 Aug 2012 16:33:22 -0500

Cheers,
Dustin

Texas Linux Fest 2012 Presentation

As promised, here are the slides from my Texas Linux Fest 2012 presentation:

Data Security and Privacy in the Cloud

Enjoy!
:-Dustin