Intuitive Password Online Password Management Review

Written by William Roush on September 8, 2014 at 8:06 pm

A review for the online password manager Intuitive Password.

Disclosure: I was asked to look at Intuitive Password. I generally don’t look at online password managers, since I have little personal interest in them, but I figured I’d give it a go if a reader suggests it.

Intuitive Password is a software as a service platform for storing and managing your passwords, similar to KeePass or PasswordState, but out on the internet where you don’t have to manage it and it’s nearly always available.

Registering

Registration page

The registration page is really straightforward, with just one minor complaint: the “security question” is an open-ended free-form text field. This leads to people putting in things like “how many cubes away from John am I?” (I have actually run into this one before), which after a few guesses gets you into their account. Honestly this is less Intuitive’s fault and more a matter of how security questions in general can be broken. Just make sure you pick a really solid security question.

Gmail used to do the same thing, now they have more secure password reset options (phone call, recovery e-mail, or a Google-enabled device).

Logging In

On-screen keyboard, an attempt to fool keyloggers.

One thing I noticed during the log-in process was a Javascript-driven keyboard for password entry. On one hand this will fool a lot of keyloggers; on the other hand I have seen keyloggers that capture enough to pull your password off of this (some take screenshots, others record mouse positions on clicks). I can’t really imagine myself using it.

Password Management

All that you'd really want.

Password management is really straightforward and works like every other password manager: give it a title, set the password. The available fields are driven by the category your password resides in.

Password ratings give a quick visual cue on your password's security.

Organization

Password category management is nice.

The slick UI really helps with this, and the default layout shows that Intuitive Password isn’t just for logins, but any other encrypted information you want to keep. You can create additional custom categories, each with their own custom fields, leaving it up to you how much or how little you want to keep in here.

By default this software has security question fields for general logins, and domain/machine name, IP address, etc. for network logins, so a bit of thought was put into having a nice starting configuration for your categories.

Sharing

You can share individual passwords with other people; it’s as simple as entering an e-mail address. Not exactly useful for larger teams without a lot of tedious work, but it’s good if you want to share a handful of passwords with another person.

Account Management

IntuitivePassword - Account Details

Account management is straightforward: the ability to reset your password and your security question, set up two-factor authentication, pretty standard stuff. The biggest thing I like here is the display of the currently running version of the software. I always like to know when my SaaS platforms get updated (and push for this to be an option on projects I work on).

IntuitivePassword - Country Restrictions

An interesting feature I observed was login restriction by country, a pretty cool little feature.

Additionally they support downloading all of your passwords in case you want to move to another platform, which is always an awesome option (it may be required by law in Australia, not sure), and you have the ability to download/restore your own backups in case you’re paranoid about Intuitive Password’s team being the only ones able to do that.

UI/UX

IntuitivePassword - UI

Intuitive Password has a pretty slick UI; I like the look and feel. The only complaint I have is that the textured background that permeates all UI elements can sometimes make certain letters not the easiest to read (it only happened once on a specific field), but generally the chosen font size and style makes everything really clear.

As for UX design, everything is pretty accessible and intuitive (heh). The only feature that wasn’t immediately apparent was sharing passwords (I was always mentally driven to the “shared” tab to try to figure things out, not to the bottom of the currently selected password). The integrated help is unobtrusive, very informative and available throughout the software.

Quick Login

This is similar to the auto-type you have in similar software, but it only applies to web-based software (so no auto-logging into your games). It consists of a bookmarklet that pulls scripts from Intuitive Password’s servers and attempts to log you in.

IntuitivePassword - Quick Login Training

If you attempt to quick login on a page that Intuitive Password doesn’t know how to log into, it’ll ask you to train it to understand what the login process is. So instead of just jabbing at the currently selected fields like KeePass does, it is actually somewhat aware of the website layout (though this won’t work for those multi-step banking sites that have a massive amount of security theater going on).

Offline Storage

Offline storage is pretty cool; right now they only support sending you an HTML document with everything embedded. Your passwords sit in a base64-encoded encrypted blob that is decrypted with an AES key derived from your offline password. They’re also looking to add Dropbox, Box and OneDrive support in the future.

Mismatching password lengths.

One thing I thought was a problem but turned out to be a major benefit was this password screen. Here I’m trying to type a 32-character password (longer than the 20-character limit), and they truncate only the confirmation password field. This prevents silent truncation of passwords, which is a major thing I complain about in my upcoming post about password security theater causing massive user experience issues.

I like these little details that prevent me from accidentally doing dumb things.

Online Storage

Well, if I was going to investigate how passwords are stored offline, it only made sense to figure out how passwords are transmitted online. Given the offline storage I had high hopes for this, until I ran across this:

Password being sent embedded in the JSON response.

I’m kind of surprised that, with all the care given to passwords in client-side storage, the server still handles decrypting/encrypting your passwords for you, meaning a breach at the cloud provider can put your passwords at risk.

This is why I generally like the option CrashPlan provides — a second password so that the Software-as-a-Service provider CAN’T decrypt your data even if they wanted to. There are also methods using a single password where this could be viable (use a key derived from your password to sign something that verifies your login instead of sending the password to the server, and send encrypted data to the client to be decrypted with the derived key… something of the sort).

Master Password

They do give you the ability to add additional security to your passwords via a “master password”, but this is still sent to the server and decrypted server-side; it really just adds a layer for when someone gets your account password on your desktop.

Overall

Intuitive Password is a pretty slick product; if you’re not paranoid and don’t mind storing your passwords online (with the provider having access) I’d definitely recommend it. I’ve been advised to look at LastPass, since they apparently handle online password transmission differently, so keep an eye out for that review too.

Upsource EAP Preview – Repository Browser and Code Review From JetBrains

Written by William Roush on August 28, 2014 at 10:38 pm

Upsource is a new code browser and code review system by JetBrains, the guys behind popular development software like Resharper, IntelliJ IDEA and TeamCity.

Update: I’ve been talking with some of the developers, I’ve made notes around the article with things they’ve gotten back to me about.

Upsource Early Access Program

Upsource is currently available through its Early Access Program — mind you, everything you read here is about Upsource in its EAP state. I’ll be doing more reviews as the software evolves (JetBrains continuously adds awesome stuff to their software).

Requirements

Shame on me, I didn’t check this at first. I threw it on a Linux machine with 2GB of memory and watched the entire system crash with out-of-memory exceptions. Oops.

The 8GB of RAM is a little steep, but it’s sitting on top of Java, so some memory hungry behavior is expected.

Upsource is a bit hungry resource wise.

You may want to throw two CPU cores at it; startup was a bit slow, but once it was running the application was smooth.

Let’s Get Started

So I unpack the zip file, install OpenJDK 7’s JRE, and fire up the services. Upsource is reported as online, but I’m met with a blank page while Java thrashes about. Very easy to set up though.

Project Management

Creating A Project

Creating a project is quite easy: give it a name, point it at your current repository server, and away you go. No hang-ups here really.

Project Sprawl

At the moment, for those of us working at places that have 40+ projects, it looks like there will just be a massive amount of horizontal sprawl going on. TeamCity had a similar issue until recently, when project hierarchies were added; I’m sure this will end up in Upsource at some point.

This also applies to the groups that are automatically created (“[project] Developers”, “[project] Observer”, and “[project] Project Admin”); these will be created for every repo you have, even though you’d likely want a ton of repos under one group schema.

Main Upsource UI

Main Upsource UI, showing projects and a news feed.

When logging in you see all available projects and your news feed. I really dig the news feed, which shows all comments on your reviews and mentions of your user account. The main thing I don’t like is that getting back to this page from a child project is annoying.

Project Status UI

Project overview UI is pretty straightforward.

The main project UI is pretty basic but gives you what you want: on the left side you see a handful of recent changesets with a nice visual tree. From here you can navigate to a commit to start a review, browse code in the repository or jump straight to analytics.

Analytics

This is one of those major extras I love with systems like Upsource and Crucible. This gives a very visual breakdown of who handles what commits, and who is handling what reviews.

Statistics for Redmine contributions pulled from Bitbucket

The visualization is powerful. I’d like the ability to map multiple users together to a single user in Upsource (doable in Redmine, Crucible, etc.); please allow this setting to be global (a major problem Crucible had the last time I used it).

Code Reviews

This is by far the biggest reason I was looking towards Upsource. Previously I’ve looked at using Crucible for our code review system, and I like 90% of it, however there is a critical piece of functionality it lacks: supporting a good UX workflow for post-commit review across multiple branches of code. Sadly Upsource also suffers from this problem (and straight up doesn’t support it, more on this later).

My Mercurial Workflow

Basic mercurial workflow I follow.

The workflow I follow is pretty straightforward: each bug or feature gets its own named branch in Mercurial; each branch is closed and merged onto a staging branch where things are tested, verified and reviewed; and once everything is approved it goes onto default to get tagged and released.

Where Upsource Fails To Support This Workflow

Update: This is planned to be fixed in the 1.0 release, I’ll see if the UI works well.

To create a review in Upsource you select a single commit and click “Create Review”, from here you can add more revisions using Upsource’s powerful search system.

There are a couple of issues I have, however. If I search for “branch:stage-1.1.0”, it will apparently also bring in every parent of the named branch “stage-1.1.0”, which includes all previous commits, so I can’t easily just add all the commits I see on the search page.

I can search for each individual commit ID by searching for “id:[] OR id:[] OR id:[]” for every included changeset, however there is a problem with including changesets from different branches (more on that later).

I’d love some powerful way to select all items between the default commit at the bottom of the workflow image above and the last staging commit; this would make the workflow a thousand times easier and would instantly have me sold.

Code Review UI

Inline review is pretty clean; single-line comments leave a little to be desired.

The UI is pretty clean. One feature I do miss from ReviewBoard is being able to make block comments: you choose a range of lines by clicking and dragging and put a comment on them, which lets you bring a developer’s attention to a block of code instead of an individual line.

Side-by-side diffs are available too.

Side-by-side diffs are nice; double-clicking still lets you add comments to the commit, but this wasn’t immediately apparent and they should probably use the same edit icon as on the inline code review diffs.

Additionally, I really did prefer the nice single-file UI that Crucible has. I’ve worked with changes that span 10-15 files and hundreds of lines of changes; when these are all crammed onto the same page your scroll bar can get really tiny (and some other ill effects in terms of browser performance can begin to happen). These aren’t common, but when refactoring old code bases it’s bound to happen.

Code Review Process

Unlike Crucible, there isn’t a predefined process, which is unfortunate; every time you do a review you add individual users as reviewers and individual users as watchers.

Completed reviews show a green check box near the user's icon.

I do like that you complete reviews, which is better than ReviewBoard, which only includes a “ship it” button, so there is no way to mark a review as completed but the code quality insufficient for production.

Reviewing Code From Multiple Branches

Update: This is planned to be fixed in the 1.0 release.

So when attempting to review code from multiple branches (say, from my example, the resulting code from bug 1 and bug 2 to be pushed to live), you are greeted with this error:

No multi-branch review support.

So even if I was patient enough to select each individual changeset, it won’t support it.

Repository Browser

Code Display

Code browser, limited language support.

The code display is pretty straightforward: it lets you browse through your repository and uses the same display as the inline diff UI. The only thing I wish I had here was support for more languages (even if it was just a framework that 3rd parties could write tools for).

File History

File history, what more is there to ask for?

File history is pretty straightforward; I seriously can’t think of anything to ask for.

Code Annotation

Annotation works like blame in Git/Mercurial.

Code annotation is pretty nice: it shows you who made the last changes and which changeset they came from, much like blame in Git and Mercurial, but this UI is a bit nicer and lets you navigate straight to the related changeset.

Final Thoughts

Sadly Upsource doesn’t support the code review process I’d need to adopt it, however JetBrains is known to constantly improve their product line and I’m eager to see this product continue to evolve. If you don’t mind per-commit reviews (instead of batching reviews based on branching policies) then I’d recommend you keep an eye out for Upsource coming out.

Required Features Before I’d Use it

  • Support for batched reviews, based off the results of multiple branches coming together.

Tasty Features

  • Ability to define a stricter review process (all reviews require approval from [x] people from team [a] and/or [y] people from team [b]), with the ability to automatically mark a review as complete when this objective is met.
  • Approval/rejection of a code review.
  • Single-file review process that isn’t just side-by-side.
  • A little more love for the side-by-side UI.

Bugs I Ran Into

  • Every once in a while when refreshing a page, I was greeted with an authentication failure error; refreshing the page a few times would generally fix this.
  • Adding an empty repository will have pretty bad consequences and errors everywhere.

Curiosities

  • On every page you navigate to in Upsource you are greeted with a “Loading Upsource” UI element while the page loads, as if they intended it to be a single-page application but moved away from it. At least I don’t typically see this behavior in an application that has a bunch of individual pages. Update: The application is supposed to be a single-page application! I found a bug that apparently is known but they’re gathering info on; I will be providing info to JetBrains to fix it.

How VMware Can Make The Web Client Awesome

Written by William Roush on August 4, 2014 at 12:39 pm

Some pretty basic design principles that would make the web client on VMware awesome, including the ability to make it redundant and supported on free systems!

I was reading this article by Trevor Pott, which does a fairly good job dealing with some major problems in VMware’s vSphere web client, and how absolutely terrible it is. However I have some major issues with this article, first of all that it makes no real concrete suggestions on architecture changes (how do we handle the vCenter single point of failure? What about free clients? What about the Flash plugins?). Here I’m going to offer up some suggestions to reaffirm Trevor’s stance that VMware could and should do this better!

A True Single-Page Application

By far, I figure one of the easiest ways to resolve all of our issues is a solid single-page application. This is the concept that the website you visit loads all the resources needed onto your computer to run without refreshing the page. This is generally done using HTML5 and Javascript; common frameworks include AngularJS and Ember.JS. A giant Flash application like the one the vSphere web client has now doesn’t really count.

How to Handle the API

Some suggestions on how to handle API calls to the hosts/vCenter:

  1. Transparent layer – Have the web server host a JSON-based API that gets translated into the API calls to the host/vCenter box. This gives you very low-overhead calls (as opposed to very noisy SOAP) and allows Javascript to do what it does best (talking in its native tongue instead of using Apache CXF for Javascript clients). This incurs minor overhead on the host running the web server to do the translations, and also effectively creates two web APIs (though arguably you wouldn’t support consumption of the JSON API).
  2. Reverse Proxy – This allows you to remove any difficulty with Javascript dealing with cross-port requests, but you’re going to be leveraging something like Apache CXF for the web services.
  3. Direct Communication – vCenter and VMware’s APIs already exist over HTTPS for web services, if you serve up the single-page application from the same domain/port in a hybrid host setup there will be no additional overhead!

In-Browser Remote Console

Now this is the one piece I’ll admit is pretty experimental, and by all means feel free to fall back to a Flash/Java console, but what I’d really like to see is a true in-browser console; look at solutions like Guacamole, which runs a full VNC client in-browser. Of course there may be some barriers here (Guacamole requires server-side code, and I’m not sure how much overhead is acceptable on the Busybox management VM on vSphere).

The only feature I can’t think of how to reproduce in HTML5 is the direct device access required for mounting ISOs/USB devices.

Addressing The Single Point of Failure

These thin API layers (or in one case, non-existent ones) allow not only vCenter but also the individual hosts to serve these single-page web applications. Now it becomes safe to completely scrap the old vSphere desktop clients.

Browser Security

Trevor Pott does some hand-waving about security issues in browsers, and then goes on to complain that the problem really lies with Flash and Java applets. I’d recommend dropping auto sign-on, removing all need for plugins, and leaving it at that.

The current desktop client embeds Java applets for some 3rd party tools, so to say it’s more secure is silly.

Speed

The old Windows client is imperceptible. Click and the info is there. Expanding a tree just completes in a time frame so short that a human can’t tell there was a delay.

Yeah, I’m not going to stand by this stance at all; the desktop client is a massively bloated, slow piece of garbage. It eats a massive amount of memory and is prone to killing consoles, requiring you to play whack-a-mole in your process manager to kill the spawned processes and get it online again.

The web client is slower, but the desktop client isn’t some ideal of what we’d want to achieve; it was pretty bad to begin with.

Using PowerCLI, most operations seem pretty instant, so the slowness appears to be entirely overhead in the applications themselves; a well-written single-page application could easily handle this and be lightning fast.

What’s ultimately the damning element of this is that Internet Explorer is the most common enterprise browser. In many environments, browsers that aren’t Internet Explorer are outright banned. 

This is more of a problem with your work environment than with the web application itself. If you’re on IE11, things are pretty decent (Javascript is fast, support for modern things is pretty up to date). If you’re at a company that keeps you on IE8 and won’t let you install Chrome, that is absolutely no fault of VMware’s.

Other Options and Why I Think They’re Not Good Routes

Native Application

This is going back to the roots of the vSphere desktop client, which generally comes with the same problems (it’s going to be Windows only). I highly doubt VMware will write some GTK+ Windows/Mac/Linux client. So far VMware has still been unwilling to patch a major problem with RVC, so I don’t think they’re giving attention to more “hip” languages like Python and Ruby.

Cross-Platform Application

The next option is planning on a cross-platform application, and I know what they’re going to do: whatever every other vendor has done.

Java.

I don’t really think I need to say more. I have a love/hate relationship with Java, but most system admins have just the hate side. Mainly it comes down to this: writing cross-platform applications can be more costly in languages that, unlike Java, don’t have a nice solid platform.

Mono is also an option, but I have a feeling VMware won’t jump on that boat this early.

Freebies

By far, one of the best parts of major infrastructure decisions: freebies. Additional features or supported platforms with reduced, little or no effort. This list is by no means exhaustive.

OSX/Linux Support

This has been a goal off and on for VMware, obviously fully HTML5 will get you 98% of functionality on OSX and Linux, with minor plugins needed for device management.

Mobile Support

Take that single-page web application, wrap it in a delivery method like PhoneGap, stylize it so that it fits better on the device (different CSS files for phone/tablet), and you’re going to have not just a small subset of features (like most current mobile apps available), but the ability to fully manage your VMware cluster from the ground up.

Overall

There is no reason that VMware should have shipped the web client in its current state, nor is it an example of why VMware shouldn’t dedicate resources to writing solid web-based management software; it misses most of the point while throwing all of its resources into a dying framework. A bit of design centered around delivering the things customers have been asking for could lead to a product that will put all competitors to shame, instead of turning them away from vSphere.

ScreenConnect Review

Written by William Roush on July 16, 2014 at 9:00 pm

Looking for remote support software that won’t break the bank? Open to self-hosted alternatives? ScreenConnect is a viable, feature-rich option with a very affordable price point.

ScreenConnect

What Is ScreenConnect?

ScreenConnect is self-hosted remote support software, an alternative to LogMeIn Rescue, GoToAssist, or TeamViewer. The largest difference between ScreenConnect and its competitors is that it is self-hosted: you deploy it on your own private servers.

Why Self-Hosted

Self-hosting comes with a variety of benefits; first is complete control over your traffic and environment. You can lock administration to internal access only, put it behind a reverse proxy, or require additional authentication. The sky is the limit.

However, the biggest benefit to self-hosted (at least in this case) is the price.

Licensing

The cost of ScreenConnect at the time of posting is $325.00 per license. Each license entitles you to one concurrent support session. A support session is defined as an active connection between a host and a guest. This means a support session can float around a small team where any one person can be supporting someone at a time. It also means multiple techs can be on with a single guest and still only consume one license.

Let’s break down the cost for 3 years of ownership against some competitors:

Solution         Licensing Scheme                             1st Year   2nd Year   3rd Year   3-year TCO
ScreenConnect    $325/seat + 20% support renewal/year         $325       $65        $65        $455
TeamViewer       $749 one time (1 authorized workstation)     $749       $0         $0         $749
LogMeIn Rescue   $1,188/yr                                    $1,188     $1,188     $1,188     $3,564
GoToAssist       $660/yr subscription                         $660       $660       $660       $1,980

Requirements

The full list of ScreenConnect requirements can be found here. One of the biggest benefits is that you can run ScreenConnect on a variety of server platforms, including Windows, OSX and Linux!

ScreenConnect achieves this by running a .NET application on top of the Mono platform. I’ve been wary about Mono before, but ScreenConnect’s performance and stability have changed my mind entirely about how commercially ready Mono is.

Download And Installation On Debian 7

Installation is easy: download the latest tar.gz file, unpack it, run the installer, and follow the instructions:

root@screenconnect:~# cd /tmp
root@screenconnect:/tmp# wget http://www.screenconnect.com/Downloads/ScreenConnect_4.3.6563.5232_Release.tar.gz
root@screenconnect:/tmp# tar xvf ScreenConnect_4.3.6563.5232_Release.tar.gz
root@screenconnect:/tmp# cd ScreenConnect_4.3.6563.5232_Install/
root@screenconnect:/tmp/ScreenConnect_4.3.6563.5232_Install# ./install.sh
Welcome to the ScreenConnect Installer

The installer will do these things:
1) Prompt you for installation options
2) Display a list of actions to be taken
3) Prompt you for execution of the actions
4) Execute the actions

Where would you like to install ScreenConnect?
[/opt/screenconnect]

What would you like as the service name for this ScreenConnect installation?
[screenconnect]

The installation will perform the following actions:
- Install libavcodec-extra-53 with Advanced Package Tool (apt)
- Install libswscale2 with Advanced Package Tool (apt)
- Install libavutil51 with Advanced Package Tool (apt)
- Install libavformat53 with Advanced Package Tool (apt)
- Create service script at /etc/init.d/screenconnect
- Create startup links in /etc/rcX.d/ directories
- Copy files into /opt/screenconnect
- Initialize configuration files
- Start screenconnect service

Do you want to install ScreenConnect?
(Y/n): y

[[Removed installation output]]

Running 'Create service script at /etc/init.d/screenconnect'...
Running 'Create startup links in /etc/rcX.d/ directories'...
Running 'Copy files into /opt/screenconnect'...
Running 'Initialize configuration files'...
Running 'Start screenconnect service'...

Installation complete!

Trying to figure out the best URL for you to use...

To access your new ScreenConnect installation, open a browser and navigate to:

http://localhost:8040/Host

root@screenconnect:/tmp/ScreenConnect_4.3.6563.5232_Install#

Navigating to http://[your host’s IP]:8040/Host will present you with a wizard that walks you through the rest of the installation process, including setting up your primary administration account and configuring your licensing information (if you need a trial license visit http://www.screenconnect.com/Try-It-Now).

Setup wizard.

Hosting a Support Session

Hosting a support session is easy: click the plus button next to the “Support” header on the left, and you’ll be greeted with a list of options for sending your support request out.

Lots of options, easy to use.

I generally use invitation only and generate URLs to send to people over chat/e-mail. ScreenConnect supports plugging into an SMTP server and sending mail for you, or leveraging your locally installed mail client to send e-mails (I prefer the latter).

Active sessions are displayed in a list form, easy to tell status and who is connected.

Your end user will be presented with instructions on how to connect. ScreenConnect supports a variety of methods to get the end user online, including ClickOnce and Java Web Start, the standard methods you’ll see competitors using.

Easy to understand instructions for the end user.

From there it’s like any other remote desktop support software, with a large array of tools at the top of your screen.

Connection Information

Wide array of audio options, including listening and sending audio.

Screenshot capture and video capture.

Various file transfer options, nothing out of the ordinary.

Customizable toolbox, upload files that will be available between all sessions.

Display quality and management.

By far the biggest thing I love about ScreenConnect’s UI is how well it manages multi-monitor clients. In most other software, switching between displays is always clunky or seems sort of “out of the way”; ScreenConnect makes it feel right.

Various additional features.

Nothing out of the ordinary in terms of rescue features: blanking of displays, blocking of input, safe mode support. A bunch of “must haves” have all been checked.

Meetings

Meetings are kind of the inverse of support requests: a single presenter and multiple viewers. The UI is tweaked a bit to support this concept. I’ve had some minor UI workflow issues with handing the presenter role around being a little clumsy, but other than that it works well.

The only downside of using it for meetings over GoToMeeting or something similar is that ScreenConnect doesn’t support plugging it into a phone system (though I understand this isn’t a trivial task from both the programming and logistics end), so you’ll either need to set up a conference room on your phone system or use the built-in VOIP functionality.

Administration

Administration is fairly straight-forward, everything is done with role-based access. Though you can lock things down and prevent users from accessing specific groups of machines, the UI for doing so leaves much to be desired (though this is currently being worked on as I understand it).

A nice server status screen showing general health of the application.

Funny enough the status screen shows “Windows Firewall Check” even though I’m on a Linux host…

ScreenConnect supports theming, allowing you to bring it inline with your company’s brand (be aware though, changing themes restarts the web site, so don’t expect uninterrupted service if you’re messing with that).

Additionally ScreenConnect keeps an audit log in the admin control panel, very useful if you need to track down changes or actions taken against the system.

Overall

ScreenConnect packs a ton of punch for a low cost with a wide range of platform options on a stable and rapidly developed software package. One of the most impressive things I’ve seen about ScreenConnect is the speed at which they’ve moved forward and provided more features, iterated on parts that were lacking and end up delivering a stable polished product every time.

In my opinion it is a must-have. With UPNP support it allows small-time technicians to purchase a copy, install it and run it on their home machines with no effort at all, but it includes the feature set and stability to be used at your SMB office (and probably beyond).

Passwordstate – Enterprise Password Management Review

Written by William Roush on May 30, 2014 at 4:40 pm

An end-user review of Passwordstate, a shared web-based password list software that gets you all the additional features you wanted over KeePass and other equivalents.

Before we start… Sorry about the large gap in posts, a mix of writer’s block and working on reviews for a handful of things (Zultys PBX, ScreenConnect, etc.), there will be MUCH more to come soon!

I’d also love to write about more IT subjects in Chattanooga (locally developed software, startups, IT community, or businesses), if you have any suggestions feel free to throw them my way!

What is Passwordstate?

Passwordstate is a web-based password management tool written by Clickstudios. Think of it as KeePass on the web, but deployed inside your own private network.

Why Use it Over KeePass?

I personally love KeePass, I can’t talk about it enough, I wrote a post awhile ago all about it. However as much as I like it, it falls short on some management features that I feel I need when working in a team of diverse responsibilities and access levels. While we can create a lot of process and hoop jumping to resolve this issue, I’d rather not if it could be avoided (plus, we’re IT, we want software to do the hoop jumping and process for us! That is what it is there for).

Prerequisites For Install

The requirements for installation are pretty straightforward, IIS7+ and MSSQL 2005+; once these requirements are met the install for Passwordstate is easy. I’m deploying it on IIS8 and MSSQL 2012 Express on top of Windows 2012 R2 for this review.

Organization

Passwordstate makes everything pretty easy to get to. Unlike KeePass, passwords are kept in “password lists”; think of these lists as the folders in KeePass. These lists can have a long list of permissions and customizations added to them (see later in this review for those options). On top of password lists you can create folders to store groups of password lists.

Navigating password lists is pretty simple.

In the example above we have a folder for development environment passwords; we could grant access to our storage admin to “Storage Arrays”, our DBA to “Database” and so on, allowing fine-grained control over lists. Additionally I have a personal password list named “William’s Password List”, more on personal password lists later.

Password Management

Creating and editing passwords is pretty straight forward, a handful of fields you’re pretty familiar with if you use a password vault. Nothing really too special here other than a very nice UX design.

Auditing

By far the biggest benefit over a system like KeePass is the ability to audit access to passwords. Want to know who last updated the password on a service account? Did a system admin scan all passwords before leaving? KeePass won’t tell me any of that.

Simple UI, easy to grab a password or check recent audit events.

Audit reports can be sent at regular intervals to your e-mail so you can stay on top of what is going on.

Further details on the state of your password lists.

Personal Password Lists

Personal Password List

Passwordstate has a different kind of password list for personal use: you can make a list for yourself that has additional security features (while you can put a password on regular password lists too, I can usually justify an additional password on a personal list a lot more easily). In this case I’ve put a password on it that is separate from my account password, requiring another step of authentication. These lists cannot be seen by administrators and stay with you.

Keeping personal passwords centralized has many benefits too.

The ability to keep your passwords in Passwordstate allows you to easily hand over all account passwords for various pieces of software (for example, if you hold a lot of licensing portal credentials on your personal e-mail account).

Password List Options

Another very powerful addition over Keepass is the customization behind your password lists.

A long list of configurable options to help make each list customized to its purpose.

You can have some lists sync with Active Directory, others have very strict password complexity requirements, some lists only available during work hours, and other lists have expiration dates.

Problems With Passwordstate

There are a handful of issues with Passwordstate, first and foremost is that everything has to be done via the web UI. While Passwordstate is configured for SSL upfront, I can understand the argument that browsers are one of the most exposed pieces of software we use on a daily basis, putting our passwords in that basket may not be the best idea.

Additionally if you lose your Passwordstate server, your passwords are unavailable. Passwordstate does provide high availability options (additional cost for that though), but I’d throw an export of your password lists every once in a while, along with a DB backup, into a fire safe and offsite just in case things get really bad. Update: version 7 includes an ability to export to a KeePass database which will help if your network is down.

A small annoyance is I can’t do upgrades unless I set up a backup path, when I’m backing up the entire machine with Veeam and I do an upgrade after a snapshot, I really don’t care if I have to roll the entire VM back, but I don’t really have the option. Really minor gripe though, I know why they’ve done it (for those that don’t have good backups in place). Update: version 7 doesn’t enforce this allowing you to upgrade and rely on your own backups.

Overall

With it being free up to 5 users, I don’t see why not for small businesses! Even beyond that I’d say the additional safety and auditing is worth the relatively low price $37/user (that lowers as you add more users) and tops out at $4272 for unlimited user installs. This is by far not an exhaustive list of what Passwordstate can do (we’ve just skimmed the surface), so go grab a 5 user license and try it out today!

100% Qualys SSL Test A+

Written by William Roush on April 1, 2014 at 10:41 pm

Obtaining 100/100/100/100 on Qualys SSL Server Test

For fun we’re going to poke at what it takes to score 100 across the board with Qualys SSL Server Test — however impractical this configuration may actually be.

Qualys SSL Server Test… What Is It?

Qualys SSL Server Test is an awesome web-based utility that will scan your website’s SSL/TLS configuration against Qualys best practices. It’ll run through the various SSL and TLS protocol versions, test all the cipher suites, and simulate negotiation with various browser/operating system setups. It’ll give you not only a good basis for understanding how secure your site’s SSL/TLS configuration is, but also whether it’s accessible to people on older devices (I’m looking at you Windows XP and older IE versions!).

Getting 100/100/100/100

Late at night I was poking at some discussions on TLS, and wondered what it really took to score 100 across the board (I’ve been deploying sites that scored 100/90/100/90), so I decided to play with my nginx configuration until I scored 100, no matter how impractical this would be.

server {
  ssl_certificate /my_cert_here.crt;
  ssl_certificate_key /my_cert_here.key;

  # TLS 1.2 only.
  ssl_protocols TLSv1.2;

  # PFS, 256-bit only, drop bad ciphers.
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:DH+AES256:RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!kEDH;

  # Enable SSL session resume.
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;

  location / {
    # Enable HSTS, enforce for 12 months.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  }
}
Qualys wants only 256bit (or stronger) cipher suites.

This barely differs from our standard configuration (depending on if you choose to mitigate BEAST instead of RC4 issues)

100/100/100/100 comes at a high price.

To get to having all 100s we drop pretty much all but the most modern browsers… oops!

100s Not Realistic

It seems you’ll want to aim for 100/90/100/90 with an A+. This configuration will give your users the ability to take advantage of newer features (such as Perfect Forward Secrecy and HTTP Strict Transport Security) and stronger cipher suites while not locking out older XP users, and without exposing your users to too many TLS vulnerabilities (when supporting XP, you have to choose between protecting against BEAST or use the theoretically compromised cipher RC4).

So we’ll want to go with something a little more sane:

server {
  ssl_certificate /my_cert_here.crt;
  ssl_certificate_key /my_cert_here.key;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  # PFS + strong ciphers + support for RC4-SHA for older systems.
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:RC4-SHA:HIGH:!aNULL:!MD5:!kEDH;

  # Enable SSL session resume.
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;

  location / {
    # Enable HSTS, enforce for 12 months.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  }
}

10/24/2014 Update: Removed SSLv3 due to POODLE exploit for A+ example.

Dan Kaminsky – Black Ops Of PKI

Written by William Roush on March 26, 2014 at 7:58 pm

Amazing talk by Dan Kaminsky discussing what is broken with X.509 (SSL). It’s an amazing dive into how X.509 works, various exploits, and the impending problem of the Verisign MD2 root certificate that may be open to preimage attack sometime in the near future.

Solid State Drives Are More Robust Than Spinning Rust

Written by William Roush on March 20, 2014 at 7:37 pm

A number breakdown on why the idea that "SSDs are unreliable" is a silly statement.

I’ve been hearing some silly assumptions that magnetic drives are more "reliable" than Solid State Drives (SSDs). I’ve heard some silly ideas such as "can I mirror my SSDs to regular magnetic disks"; not only does this configuration completely defeat the purpose of having the SSDs (all disks must flush their writes before additional writes can be serviced), but I’ll show you why in this configuration the traditional magnetic drives will fail first.

For the sake of being picky about numbers, I’m going to point out a few of these are “back of a napkin” type calculations. Getting all the numbers I need from a single benchmark is difficult (being as most people are interested in total bytes read/write, not operations served), additionally I don’t have months to throw a couple SSDs at this right now.

A Very Liberal Lifetime Of A Traditional Magnetic Disk Drive

So we’re going to assume the most extreme possibilities for a magnetic disk drive, a high performance enterprise grade drive (15k RPM), running at 100% load 24/7/365 for 10 years. This is borderline insane and would likely be toast under this much of a workload long before then, but this helps illustrate my point. The high end of the load these drives can put out is 210 IOPS. So what we see on a daily basis is this:

210 * 60 * 60 * 24 =     18,144,000
18,144,000 * 365   =  6,622,560,000

x 10               = 66,225,600,000

We expect, at the most insane levels of load, performance and reliability, that the disk can perform 66 billion operations in its lifetime.

The Expected Lifetime Of A Solid State Drive

Now I’m going to do the opposite (for the most part): I’m going to go with a consumer grade triple-level cell (TLC) SSD. These drives have some of the shortest lifespans you can expect out of an SSD that you can purchase off the shelf. Specifically we’re going to look at a Samsung 250GB TLC drive, which wrote 707TB of data before its first failed sector, at over 2900 writes per sector.

250GB drive

250,000,000,000 / 4096 = ~61,000,000 sectors.
x2900 writes/sector = 176,900,000,000 write operations.

Keep in mind: the newer Corsair Force 240GB MLC-E drives claim a whopping 30,000 cycles before failure, but I’m going to keep this to "I blindly have chosen a random consumer grade drive to compete with an enterprise level drive", and not even look at the SSDs aimed at longer lifespans, which includes enterprise level SLC flash memory, which can handle over 100,000 cycles per cell!

So What Do You Mean More Robust?

The modern TLC drive from Samsung performed nearly three times the total work output of the enterprise level 15k SAS drive before dying. Well, if that is the case, why do people see SSDs as "unreliable"? The answer is simple: the Samsung drive will perform up to 61,000 write IOPS, whereas the magnetic disk will perform at best 210; it would take an array of 290 magnetic disks, in a theoretically optimal performance configuration (no failover), to match the performance of this single SSD.

Because of this additional throughput, the SSD burns through its lifespan much faster.

So I Should Just Replace My HDDs With SSDs?

Whoa, slow down there, not quite. Magnetic storage still has a solid place everywhere from your home to your data center. The $/GB ratio of magnetic storage is still much better than the $/GB ratio of SSD storage. For home users this means the new hybrid drives (SSD/HDD) that have been showing up are an excellent choice; for enterprise systems you may want to look at storage platforms that allow you to use flash storage as read/write caches and data tiering methods.

PCI Compliant ScreenConnect Setup Using Nginx

Written by William Roush on February 19, 2014 at 9:26 pm

ScreenConnect’s Mono server fails PCI compliance scans from Qualys for a list of reasons out of the box. We’re going to configure a Nginx proxy to make it compliant!

There are a few things we’ll want before configuring ScreenConnect, we need two public IP addresses (one for your website, one for the ScreenConnect relay server). We’ll want a 3rd party cert from your favorite cert provider. I’m also going to assume you’re running Windows so I’ll include extra instructions, skip those if you know what you’re doing and just need to get to the Nginx configuration.

Get Your Certificate

mkdir /opt/certs
cd /opt/certs

# Generate your server's private key.
openssl genrsa -out screenconnect.example.com.key 2048

# Make a new request.
openssl req -new -key screenconnect.example.com.key -out screenconnect.example.com.csr

Go ahead and log into your server using WinSCP and copy your .csr file to your desktop, and go get a certificate from your Certificate Authority (.crt) and load that back to the server.

Recommended ScreenConnect Configuration

In your ScreenConnect directory you have a “web.config” file. You’ll want to edit (or add if not found) the following properties under the “appsettings” section of the configuration file.

<add key="WebServerListenUri" value="http://127.0.0.1:8040/" />
<add key="WebServerAddressableUri" value="https://screenconnect.example.com" />

We want to configure the web server address to listen on the first IP address we have, additionally pick a port that we’ll use for the internal proxy. I went ahead with the default port 8040. You’ll also need to set the URI to the domain for your first IP (should match the domain on your certificate).

<add key="RelayListenUri" value="relay://[2nd IP]:443/" />
<add key="RelayAddressableUri" value="relay://screenconnectrelay.example.com:443/" />

Additionally we’ll configure our relay server to listen on the second IP, we’ll set it to use port 443 which will help us punch through most firewalls, and we’ll want to set the URI to a second domain name we have pointed at the IP address we specified.

Nginx Configuration

# Defining our ScreenConnect server.
upstream screenconnect {
  server 127.0.0.1:8040;
}

server {
  # Bindings
  listen [1st IP]:80;
  server_name screenconnect.example.com;

  location / {
    # Redirect all non-SSL to SSL-only.
    rewrite ^ https://screenconnect.example.com/ permanent;
  }
}

server {
  # Bindings
  listen [1st IP]:443 default_server ssl;
  server_name screenconnect.example.com;

  # Certificate information
  ssl_certificate /etc/ssl/certs/private/screenconnect.example.com.crt;
  ssl_certificate_key /etc/ssl/certs/private/screenconnect.example.com.key;

  # Limit ciphers to PCI DSS compliant ciphers.
  ssl_ciphers RC4:HIGH:!aNULL:!MD5:!kEDH;
  ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;

  location / {
    # Redirect to local screenconnect
    proxy_pass http://screenconnect;
    proxy_redirect off;
    proxy_buffering off;

    # We're going to set some proxy headers.
    proxy_set_header        Host            $host;
    proxy_set_header        X-Real-IP       $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

    # If we get these errors, we want to move to the next upstream.
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

    # If there are errors we're going to intercept them.
    proxy_intercept_errors  on;

    # If there are any 400/500 errors, we'll redirect to the root page to catch the Mono error page.
    error_page 401 402 403 404 405 500 501 502 503 504 /;
  }
}

I’ve run a server with a similar setup through a Qualys PCI compliance scan (which the ScreenConnect server failed horribly prior to the changes), and it passed with flying colors.

Additionally remember to lock down your iptables rules so you’re only open where you absolutely need to be, mainly 80 and 443 on your primary IP and 443 on your second IP. Add SSH into the mix if you use that to remotely connect to your servers (only accessible from inside of your company network though!).

Statically Compiled LINQ Queries Are Broken In .NET 4.0

Written by William Roush on January 19, 2014 at 5:31 pm

Diving into how a minor change in error handling in .NET 4.0 has broken using compiled LINQ queries as per the MSDN documentation.

Query was compiled for a different mapping source than the one associated with the specified DataContext.

When working on high performing LINQ code this error can cause a massive amount of headaches. This StackOverflow post blames the problem on using multiple LINQ mappings (and the same mapping attached to different DataContexts counts as "different mappings"). In the example below we’re going to use the same mapping but different DataContext instances, which is extremely common for short-lived DataContexts (and reusing DataContexts comes with a long list of problematic side-effects).

namespace ConsoleApplication1
{
    using System;
    using System.Data.Linq;
    using System.Linq;

    class Program
    {
        protected static Func<MyContext, Guid, IQueryable<Post>> Query =
            CompiledQuery.Compile<MyContext, Guid, IQueryable<Post>>(
                (dc, id) =>
                    dc.Posts
                        .Where(p => p.AuthorID == id)
            );

        static void Main(string[] args)
        {
            Guid id = new Guid("340d5914-9d5c-485b-bb8b-9fb97d42be95");
            Guid id2 = new Guid("2453b616-739f-458f-b2e5-54ec7d028785");

            using (var dc = new MyContext("Database.sdf"))
            {
                Console.WriteLine("{0} = {1}", id, Query(dc, id).Count());
            }

            using (var dc = new MyContext("Database.sdf"))
            {
                Console.WriteLine("{0} = {1}", id2, Query(dc, id2).Count());
            }

            Console.WriteLine("Done");
            Console.ReadKey();
        }
    }
}

This example follows MSDN’s examples, yet I’ve seen people recommending you do this to resolve the changes in .NET 4.0:

protected static Func<MyContext, string, IQueryable<Post>> Query
{
    get
    {
        return
            CompiledQuery.Compile<MyContext, string, IQueryable<Post>>(
                 (dc, id) =>
                    dc.Posts
                        .Where(p => p.AuthorID == id)
            );
    }
}

Wait a second! I’m recompiling on every get, right? I’ve seen claims it doesn’t. However peeking at the IL code doesn’t hint at that, the process is as follows:

  • Check if the query is assignable from ITable, if so let the Lambda function compile it.
  • Create a new CompiledQuery object (just stores the Lambda function as a local variable called “query”).
  • Compile the query using the provider specified by the DataContext (always arg0).

At no point is there a cache check; the only place a cache could be placed is in the provider (and SqlProvider doesn’t have one), and that would be a complete maintenance mess if it was done that way.

Using a test application (code is available at https://bitbucket.org/StrangeWill/blog-csharp-static-compiled-linq-errors/, use the db.sql file to generate the database, please use a local installation of MSSQL server to give the best speed possible so that we can evaluate query compilation times), we’re going to force invoking the CompiledQuery.Compile method on every iteration (10,000 by default) by passing in delegates as opposed to passing in the resulting compiled query.

QueryCompiled Average: 0.5639ms
QueryCompiledGet Average: 1.709ms
Individual Queries Average: 2.1312ms
QueryCompiled Different Context (.NET 3.5 only) Average: 0.6051ms
QueryCompiledGet Different Context Average: 1.7518ms
Individual Queries Different Context Average: 2.0723ms

We’re no longer seeing a quarter of the runtime that the compiled query gives you. The primary problem lies in this block of code found in CompiledQuery:

if (context.Mapping.MappingSource != this.mappingSource)
{
    throw Error.QueryWasCompiledForDifferentMappingSource();
}

This is where the CompiledQuery will check and enforce that you’re using the same mapper, the problem is that System.Data.Linq.Mapping.AttributeMappingSource doesn’t provide an Equals override! So it’s just comparing whether or not they’re the same instance of an object, as opposed to them being equal.

There are a few fixes for this:

  • Use the getter method, and understand that performance benefits will mainly be seen where the result from the property is cached and reused in the same context.
  • Implement your own version of the CompiledQuery class.
  • Reuse DataContexts (typically not recommended! You really shouldn’t…).
  • Stick with .NET 3.5 (ick).
  • Update: RyanF details sharing a MappingSource in the comments below. This is by far the best solution.
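Sharing one MappingSource across short-lived DataContexts, as an added example (this is not the page’s code and not RyanF’s comment, which is not reproduced here). MyContext and Post are hypothetical stand-ins for the page’s types; "Database.sdf" and the two Guids are reused from the page’s sample.

```csharp
using System;
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.Linq;

namespace ConsoleApplication1
{
    // Hypothetical stand-in for the page's Post entity (assumed table layout).
    [Table(Name = "Posts")]
    public class Post
    {
        [Column(IsPrimaryKey = true)]
        public Guid ID;

        [Column]
        public Guid AuthorID;

        [Column]
        public string Title;
    }

    // Hypothetical stand-in for the page's MyContext. The single static
    // MappingSource is the whole fix: every instance hands the same object to
    // the base constructor, so context.Mapping.MappingSource is reference-equal
    // across instances and CompiledQuery's identity check passes.
    public class MyContext : DataContext
    {
        private static readonly MappingSource SharedMappingSource =
            new AttributeMappingSource();

        public MyContext(string fileOrServerOrConnection)
            : base(fileOrServerOrConnection, SharedMappingSource)
        {
        }

        public Table<Post> Posts
        {
            get { return GetTable<Post>(); }
        }
    }

    class Program
    {
        // Compiled exactly once, as in the page's original static field
        // initializer; no getter, so no recompilation on every access.
        private static readonly Func<MyContext, Guid, IQueryable<Post>> Query =
            CompiledQuery.Compile<MyContext, Guid, IQueryable<Post>>(
                (dc, id) => dc.Posts.Where(p => p.AuthorID == id));

        static void Main(string[] args)
        {
            Guid id = new Guid("340d5914-9d5c-485b-bb8b-9fb97d42be95");
            Guid id2 = new Guid("2453b616-739f-458f-b2e5-54ec7d028785");

            // Two short-lived contexts, one shared mapping source: the
            // "compiled for a different mapping source" exception no longer
            // fires on .NET 4.0 because both contexts report the same instance.
            using (var dc = new MyContext("Database.sdf"))
            {
                Console.WriteLine("{0} = {1}", id, Query(dc, id).Count());
            }

            using (var dc = new MyContext("Database.sdf"))
            {
                Console.WriteLine("{0} = {1}", id2, Query(dc, id2).Count());
            }

            Console.WriteLine("Done");
        }
    }
}
```

The designer-generated DataContext classes use the same pattern (a private static MappingSource field), which is why hand-written contexts built on the plain DataContext(string) constructor are the ones that trip this check.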