joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

One year later… Are we any more secure now?

by @ 6:47 pm on 7/18/2006. Filed under tech

So one year ago on July 18, 2005 I announced that Sanjay Tandon had left Microsoft. So what has happened in that year and are we now more secure as a result of it?


Well to start out…. let me first say that contrary to what some folks thought when they read my blog post from a year ago; I was not recommending or endorsing Sanjay’s new project or company. My specific words were that I would be watching to see what he was going to do and that he was an upbeat friendly guy with a lot of ideas and interesting security stories. That isn’t an endorsement. It was simply a statement of the facts as I knew them at the time. Certainly now I think he has a lot of ideas and he still probably has some interesting security stories, but from his recent spate of emails I can’t say friendly or upbeat any longer, as none of those emails portrays anything like that.


Shortly after that blog post I started getting what I considered comment spam. You will notice only a single comment for that post; I let that one through even though it had a similar “signature” to the other spam entries. By signature I mean that everything about the comment that I see (IP info, etc) was quite similar except the name of the poster. And basically every message had the same basic content of that one comment I let through; unrealistic drooling over the website Sanjay set up even though it didn’t actually say anything concrete. I can say I wasn’t very appreciative of it and terminated every comment that came through from then on with that signature. After several more attempts the spammer realized I wasn’t playing and stopped.


Shortly after that post and the launch of the website Sanjay asked me to use my reputation and connections to get his vision documents in front of the CIO and the CISO or anyone else at a well known Fortune 5 company that could get him in the door. I was blunt with my response and said that he would need to actually have something tangible to show them as they were extremely busy and wouldn’t put up with any hazy, touchy-feely “I think I can accomplish this in the future” presentations. If he actually made it in the door he would make it back out the door with a severely damaged reputation within minutes if that is all he had. I refused to push forward and tell anyone in that company to look into it.


Throughout the year I, like others, checked into the website(s) that Sanjay slowly put together to see if there actually was any tangible content. I have to admit, although the music selection on the main page is incredibly annoying, the web site layouts look very pretty. The images and fonts and color choices are all great. Unfortunately nebulous, pie in the sky, ethereal, wispy, foggy, dim are about the best words I can use to describe the actual content if you can read more than a few words, and this hasn’t changed since the sites first went up. I certainly couldn’t use the words concrete or tangible to describe anything on any of the pages. I will mention the various sites through the course of this post so you can check them out yourself if you haven’t already. In fact I highly encourage it if you want to weigh my opinions against what is available for your viewing. The summary overall though is that the websites are very pretty, so good job in the “it sure is pretty” category.


I have to be brutal yet again and say that I would have hoped that something would have actually been delivered by now. A year of dedicated time and resources on this, as Sanjay has had, should have resulted in something, anything; even a beta or some sort of description of what the actual product might be would have been nice. All we have been treated to are a series of webpages and a morass of buzzwords, nebulous/hazy/ethereal vision, “I am the authority on AD, come back on such and such a date” promises, and quite frankly, self absorbed and self promoting tripe. This absolutely isn’t what the security field needs. We need more clarity and transparency and tangible guidelines and products. Cloak and dagger, stealth, secrets and fear are counterproductive to the world of computer security.


I have long had a personal outlook of don’t tell people how great you are, at least not seriously, joke sarcastically about it if you want but when it comes down to it, let people tell other people how great you are and then don’t believe any of it yourself. If people aren’t saying amazing things about you, then just maybe you aren’t doing amazing things and if you want people to say amazing things about you, you need to do some amazing things. Telling them you can do amazing things isn’t going to cut it.

The instant you start believing you are some wicked awesome incredible being that walks on water and you start believing your own propaganda, others will see through it, and you, very quickly. It is extremely hard to get rid of that image once you are tattooed with it. I regularly hear that I am “great” with Active Directory or Windows or what not and I brush it off because I know how much I don’t know. It breaks down to two words – a lot. Every time I learn something new, there are three other things that crop up that I find out I know nothing about. I have heard on several occasions people tell me that they would rate me as an 8 or 9 out of 10 for AD knowledge and call me authoritative on the subject. I thank them and laugh. Realistically I am more around a 6 or maybe a 7. I know people in Microsoft that I would truly rate as an 8 or a 9. Those same people, if asked if they were authoritative, would probably say they weren’t. Why? Because AD and its code base are HUGE. I have been casually (some days less casually than others) going through that code base for over three years and I expect I still haven’t seen most of it. Certainly I wouldn’t consider myself authoritative on it and even if I worked on it every day I couldn’t visualize myself saying I was authoritative.


I regularly received email from Sanjay throughout the year telling me to look at the various things he put on the sites, the most recent was in mid-June. He pointed me to look at his new site http://www.activedirectoryconsulting.com/. The first thing I saw when I went there was disappointing, more of the same “I am great” propaganda that I had already heard people complaining about and that I had picked up on myself and felt was a little too self-promoting. I want Sanjay to succeed because I feel Active Directory Security is an extremely important topic and we really don’t have enough focus on it so I pointed out to him that the stuff that was on the page could be considered a little over the top and maybe he should consider rewording some of it. The items I pointed out were on the page http://www.activedirectoryconsulting.com/background.html. Also I pointed out an error on http://www.activedirectoryconsulting.com/links.html. The specific items were

  1. “Sanjay Tandon is the world’s authority on Active Directory” – obviously my opinion is that NO ONE is the world’s authority on Active Directory. I think the product is too big for one person to be the end all be all authority on every aspect. The person with the best chance at it would be someone who was involved from the beginning and was responsible for massive portions of it; that isn’t Sanjay. Sanjay didn’t even have his BS degree when most of AD was developed. I think for someone to claim themselves to be “the world’s authority” on pretty much anything, especially on a business website, is a bit magnanimous and taking one’s self a bit too seriously.
  2. “Tandon single handedly authored the Active Directory Delegation White Paper” – I was a technical reviewer on that paper. It is not my opinion that anyone single handedly wrote it; there was considerable debate on how some of that stuff should be documented and, from what I saw at the time, a lot of feedback. If I get time, I will try to dig out the old emails that got passed around discussing nuances of what was written. I am curious myself now about some of it and who was writing what. I know the final version was considerably different from the first version I saw. I do believe Sanjay was directly responsible for the creation of that paper; he was the AD Security PM after all, that was his job. I do not, however, believe he single handedly wrote it and I know there are others that were involved inside and outside of MSFT that feel the same. There are a lot of names on the second page of that document for acknowledgements and I know A LOT of those people personally and know of several others that I haven’t been lucky enough to meet. There are some amazing people on that list. To be blunt, most of the most knowledgeable people I know of in the world on the topic of AD are in the two paragraphs being thanked. These are people that I talk to and when they speak I listen carefully and often am in awe of their thoughts and ideas. Unfortunately, I am only aware of two of those brilliant people who are blogging, Eric Fleischman and Brett Shirley. I consider their blogs MUST READ blogs. BTW, Sanjay has a blog as well.
  3. The URL for the link to my blog was listed on Sanjay’s link page as http://www.blog.joeware.net/. While this will get to my blog since I configured the redirection for it, my blog URL is actually http://blog.joeware.net/. I am not sure where the URL http://www.blog.joeware.net/ even came from and why Sanjay would think that was the URL.

I received a response back and I was told that 1 & 2 occurred because Sanjay had given the project of writing that page to one of “his guys” who spent 15 minutes on it. Beyond that, he indicated that everything on the page could be substantiated, and what scared me the most was the following comment, which I quote directly from the email:

“I doubt there is a question on AD that I cannot answer…”

I obviously don’t know and it is just my opinion, but even if one of Sanjay’s guys wrote the web page, I expect Sanjay looked it over and was fine with it. Certainly that response doesn’t project the humble “I do what I can” attitude that he tries to play on other parts of his websites. That was just the tip of the iceberg of comments in that email; I choose not to share the whole thing with everyone. I think at some point Sanjay will probably not be thrilled he wrote it at all.

For item #3, the incorrect URL, he thanked me for pointing out the mistake and indicated it would be fixed. Interestingly enough, the first two items were changed on the website within a day or so back in June, but the URL to my blog was still not corrected until around July 17th, when he removed the link entirely about the time he sent another email. One of the joeware blog readers informed me of the change and I went and verified it, and quite frankly, I am glad my site is not listed on his site.


I mentioned to Sanjay that I was going to do a “one year later” piece on the blog entry; this is what I wrote to him:

“You are coming up on a year away from MSFT now aren’t you? Is your product in beta now? I think it was called White Knight or something? I am curious what your security tool is going to do. I would like to do an update to the blog entry I wrote previously and say this is what Sanjay accomplished in the last year. Chatting with folks really isn’t anything worth putting up there as the site was all about changing the world.”

His response was that I should wait until July 10th because then the world would know what he has been up to.


So back to one of the previous comments Sanjay made… Anyone who knows me knows that someone saying

“I doubt there is a question on AD that I cannot answer…”

is going to prompt me to try and ask a question or two to respond to the challenge. I would love to meet someone who can answer absolutely any question on Active Directory authoritatively. So I asked a pair of questions. These were not casual questions with publicly known answers, but they also weren’t questions that were all that obscure.

The response I got from Sanjay was quite unexpected: he said my email was immaturish and said he was working 17-hour days and wouldn’t be able to respond to me until the week of July 10th (second mention of that date…). I responded with

Not sure where you could get immaturish. Could you be more specific?

Your statements about your ability were stated as sort of a challenge so I put a bit of a test in my response to see your response. When someone says they can make it rain, I get out a bucket and say let’s see it. :)  I picked questions that shouldn’t be common knowledge to folks not pretty familiar with AD security internals but also not something so in depth or off the wall that they wouldn’t be known by someone with familiarity with the code base.

His response to that was even more unexpected; in my opinion, he flew off the handle and purposely started trying to insult me. He started by saying that he gets over a hundred emails a day from CEOs and the press and customers (what product he didn’t indicate though…) and what not, and if he stopped to answer every question in every email he would have to stop his business, and that he doesn’t get to focus on one thing like I do (Sanjay really has no idea what I do now nor what I did previously). He also stated, and again this is an exact quote,

“As for the immature part, you’re trying to question the knowledge of the one man that was responsible on behalf of Microsoft for this subject for the last four years – I find that really funny.” 

 followed up with

“As for the answers, I know them in my sleep, but I don’t consider it worthy of answering your email because, your questions come across as insulting.”

My response was quite simple

“Wow Sanjay, that was pretty rude, you have no clue what I do now nor what I did when I was “just an admin”. Don’t worry about having to respond to my emails any longer, that should lighten your load somewhat.
 
Good luck.
 
   joe” 

Even if for some odd reason I needed something from Sanjay I wouldn’t put up with the way he thought he could treat me. I can put up with people treating me like a shit head, but you had better make sure the level of respect I have for you is pretty high or that I absolutely need something from you if you expect me to continue speaking to you. I don’t deal with people like that and if I treat someone like that I fully expect them to ignore me as well. The funny thing is that if he knew the answers to the questions I asked he could have answered in two short sentences, in far less time and space than he used to explain to me how busy he was and how immature I was being and how amazingly more important he is than I am.


I thought about going through and pointing out everything that is a little over the top on Sanjay’s websites, which even now proclaim him to be the authority of this or that or single-handedly doing this or that, but I figured I would just give the links to his sites with some quick notes and others can make their own judgments. All I have to say is that if even half of it is accurate, I expect Sanjay has a blue leotard and a red cape in his closet somewhere, as the entire security infrastructure at Microsoft probably wouldn’t exist without him as he tells it. I have trouble swallowing that that is the case as I haven’t seen MSFT really stumbling around like it lost all of its security knowledge and direction with Sanjay’s exit. Also, being a Microsoft Security MVP I see quite a bit behind the curtains at Microsoft regarding security, and when I visited Redmond for a security summit a couple of years ago Sanjay was nowhere around nor even mentioned, though I met a wide range of folks from VP level security management to engineers dissecting root kits. But who knows, I am not truly on the inside at Microsoft and can only go on what I hear and see for myself. So here is the list of the websites with some interesting claims. Sanjay should like this as it is what he seems to want: attention. I think someone once said, no press is bad press.

http://www.sanjaytandon.com/homepage.html – general page about Sanjay including his interesting CV (that is a resume for those unfamiliar with the term Curriculum Vitae, which is not really a popular American term). I also find the Titans Agree link quite humourous. You will note that the joeware blog is the top two hits for Defending Security Infrastructures on MSN search and Google now. Yahoo has me at four but I am quickly rising as I just recently entered the race. Regardless, hits on a web search engine don’t really say if you are an expert in anything or not. This is obvious as I have no clue what Defending Security Infrastructures means, but I have the top hits in Google and MSN…. Take the Cat book as an example: before I revamped it for the third edition, it had made up some words/phrases about replication and the only hits were to the Cat book itself. That certainly didn’t make the Cat book authoritative for the topic; it just meant no one else used the words, and in fact they were wrong. Not something you generally want to advertise.

http://www.sanjaysblog.com/ – mentioned previously. This is Sanjay’s blog. In a word, I would describe it as interesting. At one point, in an entry taking pot shots at Dan Farmer (a true security genius who is a known producer of tangible tools and products), he describes how he (Sanjay) doesn’t like to see fear being used to push/sell security because it is the low road, and then in another entry he describes what he told a steering committee that reported to the CEO:

“The findings of my risk assessment were passed up to the CEO – the first line of the first paragraph of the summary of findings went something like this – The company’s security infrastructure, as it stands today, is highly vulnerable, may potentially already be compromised and should not be deemed trustworthy…”

and actually in several of his vision type comments:

How much trust can you impose in the machine you’re browsing from, and on what basis?

PS: Thought for the day … today, how many bits would a malicious entity have to modify to stop the motor of the world?

Things I worry about – The free world’s walking on really thin ice.

Use at your own risk – how trustworthy is your security software?

and in his FAQ:

9. So given your expertise in Active Directory, it seems reasonable to postulate that you can hack any Fortune 1000 company in the world?

To be quite honest, that’s a rather absurd postulation. I do not entertain such questions. While it is true that Active Directory is my forte and yes, hypothetically speaking any individual with in-depth expertise or knowledge of a system could with a little effort compromise the security of any infrastructure protected by that system, in reality, we all live our lives based on a core set of virtues and values and as I see it, engaging in any activity that violates the integrity of another human being, organization (or any such entity for that matter) is morally and ethically wrong, and I for one would never personally engage in or abet another party in any such activity, no matter what.

In general, I would appreciate if you please don’t ask me such questions and I will absolutely not entertain any contact in regards to requests to engage or abet in any such unethical or illegal activities. 

Fear, IMO, seems to be the motivating component Sanjay is using.

Something else that I find interesting/disturbing about the blog is that some posts on it just seem to disappear. These were some of the more recent posts, and I cannot be sure what is going on, but it certainly seems odd.

http://www.paramountdefenses.com/ – Not sure what this is going to be. The operations arm of the Tandon group is what is mentioned on the other pages. Click on the image and enter a bogus userid and password; I heard a rumour that you will get a knock on your firewall door from the site.

http://www.sanjaytandon.com/ – Main site; do yourself a favor and kill the volume on your speakers before going here. Other than that, very pretty site, great images and lots of buzzwords. Reminded me of the pretty pink cotton candy I used to enjoy as a child at the county fair. A lot of the stuff is PDF, which is seriously annoying. PDF is for documents you want to print in a specific format, not for web pages.

http://www.thehammerofgod.com/ - I have no clue…

http://www.activedirectoryconsulting.com/ – The consulting wing.

http://www.activedirectorytools.com/ – This is where Sanjay is the world’s authoritative source on AD Management Tools

http://www.activedirectorysecurity.org/ – This is where Sanjay is the world’s authoritative source on AD Security


So, let’s wrap this up; it is entirely too long, but again, I had a feeling my name and blog were being used to show some form of endorsement or recommendation from me for the work Sanjay is doing. That is not now, nor was it ever, the case and I want everyone to be aware of that. At best, I am extremely curious to see what Sanjay does. If you bring him in to talk to you, do it because you did a thorough check of him and his credentials and feel he could help you, not because you think I said you should. On the contrary, don’t NOT bring him in because I said “Don’t do it”, because I didn’t say that either. All I am doing here is presenting the info available to me and my opinions and interpretations on some of it; anything you do with those opinions is on your head. Obviously, you will either listen or not, as is your wont, based on any thoughts you have.


You will note that the latest of the several dates put forth by Sanjay for when we would know what he was doing was the July 10 date that he most recently gave me and told me to hold off writing the one year later blog entry for. I have failed to find anything anywhere that says what he has done. In fact, his blog indicates that as of July 3rd he flew off to Tahiti for a month or so. That seems an odd thing for someone running a startup to do, but maybe it works for him. Personally I couldn’t do email, let alone focus on work, while hanging out in Tahiti. But enough of Tahiti… where is this big announcement on July 10th that was going to change the world? Another date in a series of dates that first started popping up a year ago; did Sanjay work for Microsoft Marketing or the tech wing? IT/Tech people tend to be more action than what we have seen to date; they can’t afford to sit around yapping about what they are going to do, they just do it. I did real IT/tech work for almost 10 years and I have an intense love and understanding for the work done in IT. I am a sick puppy, but at times I actually miss it.


But joe, you ask… what do you really think – we don’t read your blog for impartial or even aborted partial attempts at impartial examinations, we read it to see you actually do what you do best, spit out what ever is on your mind…

Well ok, since you pushed me… 😉 I think I don’t know for sure what Sanjay is capable of. I have never seen anything amazing out of him, but that doesn’t mean he isn’t capable of it; quite honestly I haven’t really looked that closely into him nor known him that well. He could surprise us all and come out with something that blows our socks off. I am hoping so. But my personal opinion is that I don’t expect it. Sanjay never struck me as one of the great thinkers of Microsoft, and early on I learned to listen carefully to what he said and weigh his words in my own head before considering any action. As I previously mentioned, stories are a great way to get a point across.

Sanjay certainly had a lot of experience and information and stories around security that many wouldn’t get a chance to hear, and he certainly wasn’t anywhere near being stupid, but that is part and parcel of the job he held at Microsoft; it doesn’t mean he was a prodigy in that space. I expect anyone who took that position would do the same. I think, but do not know positively, that he has overstated his impact on security and identity management at Microsoft, but again, that is my opinion; if you want to know for sure, ask the people at Microsoft who are responsible for that stuff, the Stuart Kwans and Kim Camerons…. If you are a Softie and you worked with Sanjay and you think that I have mistreated him here and that he did do amazing things at MSFT, feel free to write me an email or comment. Be warned though, I will not allow any comments through from people I don’t personally know and can contact directly because, as I mentioned previously, I already had comment spam around this similar topic and I am not allowing it.

I absolutely think Sanjay’s focus on Security is great; security needs focus and it needs people calling attention to it. I agree 100% that the Microsoft infrastructures are not 100% secure, but I don’t think I have seen a 100% secure infrastructure from any vendor, certainly not one as well ingrained as MSFT with as much market penetration and such a wide spread of quality of users and administrators. Sanjay is correct in saying that Active Directory has some fairly soft spots in its security resume, but this is nothing new and certainly not a mystery or a secret; some of us knew that and were saying it before Sanjay even worked for Microsoft, and many of us were working on securing Fortune 500 Windows installations when Sanjay would have been in high school.

At the moment, if I had to give an analogy for Sanjay and what he has produced, I would say he reminds me of a radio station that keeps telling you what a great station they are and how they play all the music and that’s all they do and you won’t get any talk out of us but they actually never get around to playing any music because they are so busy telling you how great they are and how they always play music.

I want to see Sanjay do amazing things and make an incredible product; the industry needs incredible security products. He often mentions how Quest and NetPro are “using” all of his security ideas, so it probably would have made sense, if that was the case, for him to go work with them for a while and see how other companies work in the space, because Microsoft really is a special case at this point. No small company is going to spin up and run like Microsoft regardless of the person doing it and what they think of themselves or the world. I would like to see Sanjay tone down some of his statements to the realistic realm of mortal men. I think he will find people have a hard time believing him or talking to him if he is going around telling everyone he is the absolute authority on things. Hell, I am the closest thing in existence to the absolute authority on adfind and admod because I wrote every single line of code in both of them, yet I don’t go around stating that. Sanjay did very good things inside of Microsoft as the PM; whether he did those things and no one else could have remains to be seen, and quite honestly we are getting to the point now where he needs to stop selling himself as the former PM of AD Security at Microsoft, do something new, claim the credit for it and push that as his great selling feature.

I actually offered to Sanjay that I would recommend him for an MVP if he got up and started showing off all of his amazing knowledge on AD and security by interacting with the community. Not only could he become an MVP and get access to many of the internal information streams at Microsoft, but he could also prove me wrong and show how knowledgeable he, in reality, actually is, and that could do far more for any product he puts out than anything he can say about himself on his website. We shall see if he accepts that challenge. If he does, I will be sure to share that info as it will say a great deal.

So to answer the title… Are we any more secure now? I don’t know, but certainly we aren’t any more secure from anything Sanjay Tandon has done or said. The one year update is… we are still waiting to see something that is produced by Sanjay.

  joe


Note: I wrote the bulk of this entry on July 12th and made some edits on July 18th at Sanjay’s request, as well as edits involving some changes I noticed to the websites. However, I still see no status change in products coming out of any of the websites. Yesterday (July 17th) I received another email from Sanjay with a rather humourous threat concerning the posting of his previous email. I am debating whether to post it or not. I expect I won’t, but not because of the threat; that I immediately dismissed. People have found over the years that it is difficult to guilt me or threaten me because I stand behind my actions and words. However, I expect I won’t post it because I don’t think anyone actually cares. I promised this one year post both to Sanjay and others, so I lived up to that promise, but I think it ends here because I have wasted enough bandwidth on it, unless Sanjay attempts to drag it out or Sanjay does something worthy of me announcing. On the positive side, Sanjay can be happy because one of his complaints in the email yesterday was that I didn’t provide context around some of the previous comments. Now the context is out there as he requested.


5 Responses to “One year later… Are we any more secure now?”

  1. Fred says:

    Wow, I can’t believe I read the whole thing! Y-A-W-N! It’s off to bed I go.

  2. joe says:

    Heck Fred, I was bored with this post too after reading your porn entry…

  3. Mike Kline says:

    That clears some things up from the last few blogs. I’m assuming that you are not going to apply for the vacant CEO position

    http://www.sanjaytandon.com/Paramount_Defenses_Inc_Careers.pdf

    It looks like he is still in his late 20’s or early 30’s. He came out of college and his CV lists one company and that is Microsoft so he may have gotten this PM position at an early age and maybe he is too cocky for his own good. Again just pure speculation but to say that he doubts there is a question on AD he cannot answer is one of the most arrogant statements I’ve heard.

    Everyone fails; everyone has tough problems that they can’t always solve. This guy is no different. He should watch this Michael Jordan commercial.

    http://www.youtube.com/watch?v=7mWe_5UmSvc

    Bottom line no one knows everything. We all “miss shots” we don’t make every game winning shot, and no one can answer every question.

    If you are a 6 on a 1 to 10 scale then I’m a -2. If the top in the world is a 9.8 or 9.9 then you are definitely an 8. You also have tons of fans that don’t comment or write emails. I know of many people that filter your activedir responses and make sure to read all your responses.

    The Hammer of God – funniest part of the post. “I have no clue” haha

  4. joe says:

    Mike:
    Nope, I am not CEO material. 🙂

    I believe he might have gone into MSFT as a PM, but don’t overrate what a PM is. It doesn’t necessarily mean you are a manager over a team and it seems nearly everyone you meet in Redmond is a PM. I am actually happy when I meet someone who doesn’t say they are a PM.

    Thanks for the compliment but I know how big the gap is between me and some of those really good guys. I don’t fool myself with that. 🙂 If in the position of constantly working on it and constantly living in the source code and working with the people writing the code I am relatively confident I could eventually become an 8 or a 9 probably. But still I would never say there wasn’t a question I couldn’t answer. I might say there isn’t a question I couldn’t find an answer to, but that would depend on my ability to dig through the source and find others who would be more authoritative than I for the specific piece.

  5. Anon says:

    http://sanjaysblog.com/ Look out world 1st Jan 2009!!!!
