
And that's it.

Posted by spilon Dec 21, 2012

It's a bit ironic that my last blog post was about the fact I passed the 10 year mark at OSIsoft, because my post today is to let you know this is my last day at OSIsoft. Indeed, I recently had to take a tough professional decision and as a result will be leaving OSIsoft to pursue a great opportunity with the family business.

 

While I look forward to the upcoming challenge, this is a heartbreaking decision because I leave nothing but positive behind me: I love the company, the product, the people I’ve worked for/with, this community, and the future was holding even more exciting stuff to work on. This has been a truly exciting and fun 10-year journey: Field Services, Training, Tech Support, vCampus and Product Management… I have learned so much and met so many wonderful people.

 

As you may know, I have been pretty involved with vCampus since its very inception, and I must say you are truly a great bunch of people. You guys are brilliant, innovative, collaborative and funny, and I will certainly miss you.

 

I hope to stay in touch with many of you and that our paths will cross again in the future, but in the meantime keep up the good work and long live the PI Geeks!

 

 

vCampus Live 2012 Summary

Posted by RJKSolutions Dec 17, 2012

It has been far too long since vCampus Live 2012 for me to be writing this summary blog post but I felt the need to anyway.

 

For those of you who want the summary version, you can simply compile and run the following console application C# code:

 
using System;
Console.WriteLine("Awesome!");
Console.ReadLine();

 

 

If that code is too abstract for you then read on as I decompile the code.

 

Firstly I decided to travel well before vCampus Live started as I knew all too well that coming from the UK I would be jet lagged for the vCampus Programming Hackathon. So I arrived on the Saturday before vCampus Live with my family in tow. That was a challenge in itself; the amount of luggage required for a family of 4 that includes 2 children was unbelievable, but I digress.

 

Venue & Registration
The Grand Hyatt was in a great location and was a great venue for vCampus Live, strides ahead of last year’s venue. The 36th floor was a great setting for events, so I was pleased to see that the Hackathon and Geek Extravaganza were being held up there. The décor for vCampus Live was spot on; subtle things like the banners running down the middle of the escalators were a nice touch. Congratulations to the event team and everyone involved for that! Food, coffees, drinks, snacks, … all seemed to be well stocked and available, which was great.

 

Registration was simple and painless, seemed to work great.  A little shy on “freebies” that we usually get during registration but no great shame.

 

The Hackathons
The Hackathons were side-by-side in that they were both run at the same time.  The selfish person inside me wanted to participate in both the Security and Programming Hackathon but I had to choose one so I opted for the programming Hackathon.  Having already been drip fed some details of what the hackathon would entail I was still a little nervous because I just didn’t know what to expect or how I would react as an individual (even though I thrive on pressure) or how as a team we would work together. 

Michael opened the Hackathon and started talking about the data, the rules of engagement, and what was expected. He touched on the team aspect of the Hackathon and mentioned encouraging others to join a team even if you didn’t know anyone on that team…I liked that idea. Two of my Wipro colleagues, Zev Arnold and Peter Jackson, were also participating in the hackathon so we needed two more. A very nice guy called Paw from Denmark approached our table and asked to join; he was more than welcome. So we needed one more for a team of 5. Out came my iPhone, I opened Twitter and sent Lonnie Bowling a tweet asking him to come join us on our team in the Hackathon. Lonnie was presenting the next day so needed some beauty sleep so couldn’t join us this year. I’ve given him 1 year’s notice for the next Hackathon to get plenty of sleep. Then, like a scene out of a film, the hackathon room doors were thrown open, a bright shining light filled the room and there at the centre of the light was a shadowy figure. The room fell silent, footsteps were heard approaching our hackathon table followed by a Canadian French accent “Hi Rhys”…it was Gael Cotett, our French saviour and soon to be 5th member of our team. Dramatic recollection aside, Gael was the 5th member of our team after joining us a few hours into the hackathon right when we hit some issues with the “mapping” portion of our application, where he helped to get us back on track. Gael even went to bed, got into his pyjamas, made a hot chocolate, put his eye mask on (okay, I’m exaggerating again) but then realised something about our application and ran back to the hackathon room to explain. A great example of teamwork during the hackathon.

 

We did experience something during the hackathon that none of our team members were prepared for, something that proved to be the most difficult part of the entire hackathon for us: a team name.  Yep, we could write an application all night long but couldn’t focus our minds on a team name until we stumbled on the team name “01”.  We know, we know, we suck at team names.  We have vowed to go on a 1 week “team names 101” course.

 

In the end we finished our application, a journey mapping application with fuel efficiency overlays based on Event Frames, and presented to the judging panel.  We were all proud of what we achieved in such a short space of time.  Well it turned out that despite the poor team name, team “01” were chosen as the winners of the 1st Programming Hackathon! 

The cloud based environment seemed to work great on the whole for the hackathon, a few hiccups along the way but small things that will help to shape an even better hackathon next year.

 

The hackathons are definitely a must for all future vCampus Live events!

 

Hands-on labs
The hands-on labs this year were great and much improved from last year.  I had a couple of highlights from the hands-on labs, Abacus and OData. 
Abacus looks like it is going to propel AF further into the laps of customers, not only because it looks like a well put together addition for AF but because it fills one of the most sought after gaps in AF: AF based scheduled calculations. With that said, it was after all a preview of what is coming and not at a beta stage yet. There were questions that everyone wanted to ask, there were things that didn’t flow nicely (it would help to be able to drag & drop Attributes), and things that I just wanted time to try and break. Overall I came away with a smile and some disappointment, disappointed that I don’t have Abacus right now in a couple of projects.

 

The OData hands-on was one of my highlights because it was a new area of technology for me, it seemed to work great, had great content in the material and was the one lab I came away with multiple idea explosions in my brain.  It was definitely a light bulb moment for me, suddenly I started to get why the OData service is going to be great for mobile development, Win8 development and Azure (e.g. data exchange).  Great Job OSIsoft.

 

Keynote speakers
Rob Craft and Stephen Few were fantastic.  Some of the simplicity of Stephen’s work was a real eye opener, I am sure most of us think twice now before we change the type of an Excel chart to a Pie Chart.
Rob Craft had a wonderful presentation style that kept me glued to his every word, apart from the time when I was distracted by the shoes he was wearing.

 

All-Stars
Being voted as a vCampus All-Star for the 3rd year in a row was an obvious highlight and proud moment of vCampus Live 2012 for me.   I have long been a massive fan of vCampus and the community it has grown (that continues to grow daily!) so it is always a great honour to be rewarded by the very thing you believe in.  Even after 3-4 years of participating in vCampus I still feel the need to participate more each day as newer OSIsoft products are released, as the community grows, and as new innovative ways of using the PI System are materialising.  Looks like there are some changes coming up with OSIsoft communities as a whole, something I want to continue to participate in.   
It was a privilege to share the stage with Lonnie Bowling and Michael Halhead (in spirit) as community All-Stars.
The OSIsoft All-Star awards this year were a great addition to the All-Star ceremony, after all the community wouldn’t be the same without the active participation of OSIsoft and its staff.  Congratulations to David Hollebeek, Chris Manhard and one of the vCampus founding fathers Steve Pilon.

 

Geek Extravaganza
The Geek Extravaganza night was a great idea that was implemented after everyone’s feedback from last year. There were quizzes, drink, food, Jenga, drink, food, multiplayer RPG, drink, food … I even found out the next day that there was a dancing arcade game. Now I would have loved to have found that game on the night and thrown down some moves, albeit long limbed moves…next year I’m all over it. I hope this stays for future vCampus Live events.

 

Developers Lounge
My only disappointment of the event was the developers lounge. It just didn’t seem to work for what I was expecting. I was hoping for something like the expo pods at the regular User Conference but only OSIsoft expo pods (Event Frames, AF, PI Server, ProcessBook, ...) that are manned by 1 or 2 OSIsoft employees at a time, so you can walk up to a pod, talk about a problem/issue/enhancement or whatever and see it right in front of you. The room was too big with too little going on; why not have some arcade machines in there, an Xbox, … to foster more of an engaging atmosphere. That's my opinion on the developers lounge anyway; it would be interesting to hear other opinions here.

 

All in all a very successful vCampus Live 2012, thanks OSIsoft!  Only problem you have now is to better it next year.

 

 

 

 

 

Here are some humorous comments about my trip to vCampus Live 2012:

  • I forgot to pack my English Tea Bags; literally a “noooooooooo” moment when I realised sat on my flight halfway across the Atlantic Ocean.  Boy was I glad to get a proper cup of tea when I got home.

 

  • Heading back to my hotel room at about 2 am for “some sleep” during the hackathon only to flip open my laptop and work some more on our application in my room. About 2 hours later I lay down for my 2nd attempt at some sleep, but 2 hours later I was woken by my excited 3 year old son with the biggest smile shaking me saying “did you win Daddy?” Needless to say that was my cue to get up, showered and back up to the hackathon room to finish off. At least I could tell him and his younger brother the next day that we did win.

 

  • Being sleep deprived for Day 1 of vCampus Live felt like I was walking around drunk.

 

  • Tweeting before vCampus Live about my new “Beats by Dr. Dre” headphones for some late night hackathon programming, having that tweet featured on the “new look vCampus” presentation by Ahmad but then realising after vCampus Live had finished that I didn’t even get the headphones out of my suitcase.

 

  • I was far too excited on the San Francisco 'Ride the Ducks' city tour.

 

  • Our ridiculously poor attempt at a Hackathon Team Name: “Team 01”.  Surpassed by our even worse application name of “01a”.

 

  • Telling a fib in Bubba Gump’s restaurant on Fisherman’s Wharf that it was my birthday just so they would sing their happy birthday chant. (It was my birthday 2 weeks before vCampus Live.) My son, Ethan, had fish in a boat shaped plate. He was amazed.

 

  • My obsession with eating the energy/protein bars from the developers lounge.  Apologies if every time you saw/spoke to me that I was eating one of those.

 

  • Trying to ice skate with a 3 year old after not skating myself for about 15 years.

 

BlueHat v12 included a broad spectrum of topics. In addition to Microsoft’s usual gathering of top experts on hot topics like mobile and cloud the program also featured a sobering look at security fundamentals like passwords, pass the hash, and social engineering.

 

Perhaps nothing new for folks used to the BlackHat/Defcon experience, but social engineers are just plain scary! Chris Hadnagy, Chief Human Hacker at Social-Engineer, wowed the audience with his real life pen-test tales. The clever tricks used to manipulate and abuse good natured people are enough to lose sleep over.

  • Chris did a fine job of not blaming end users: it seems humans are just wired to be trusting creatures. SE’s pen-test engagements are always successful. In the case history he presented, 99 out of 100 employees in a company ‘drank the Kool-Aid’; the lure was a logon page to sign up for a new company iPhone. After recognizing the initial phish, many employees changed passwords. The pen tester then called the victim posing as the help desk: just run this tool (unsigned and hosted on my private FTP site) to clean up your machine. Audio playback of the one who stood her ground garnered applause!
  • The key takeaway for me isn’t so much about awareness programs (which are necessary and valuable) rather as a priority accept that social engineering will succeed. Mature security programs must include detection and response capability for such intrusions.

Continuing on with fundamentals was an interesting demo pitting a ‘Pen-Test sniper’ versus ‘Forensic Analyst’. In short, a sniper uses passive techniques as much as possible. The idea is to remain hidden and gather enough information to ‘go native’ by masquerading as a legitimate user. Forensic analysis is way more difficult when a sniper uses harvested credentials. The demo highlighted two common sniper tactics.

  • The first is identifying network traffic to databases.  Unencrypted traffic is studied for weak authenticators and exposure to SQL injection. Only then would the sniper go active to establish a MitM position to attack the database with intent to pwn the server.
  • The second common target is spoofing network shares. A network broadcast signals when users attempt to access a share; if the spoofed response is fast enough an attacker can readily capture the client hash when the authentication method is NTLMv1. Pwnage!

The security fundamentals deep dive featured ‘Pass the Hash’ (PtH) with Mark Russinovich demoing a well-known post exploitation attack tool by Amplia Security called Windows Credential Editor (WCE).

  • PtH attacks have been around for a long time and will continue to be a top threat. Microsoft formed a cross functional task force to fully describe the issue (misconceptions are rampant), prioritize effective mitigations, and provide a focal point for ongoing activities. The recent white paper on PtH is the first work product.
  • The 1st mitigation on restricting highly privileged domain accounts has potential impact related to the PI System. In particular, domain service accounts represent attractive targets for PtH. While most PI System services logon using built-in service accounts, some allow use of domain service accounts. It is important such accounts are configured for least privilege.
  • Similarly, the 2nd mitigation on restricting local administrative accounts also has impact related to the PI System. In particular converting to PI Buffer Subsystem is recommended (configuration for the older PI Buffer Service was logon as administrator). While Microsoft’s advice is especially focused on accounts enabled for remote desktop access it is important to realize service account hashes are also exposed to PtH.
  • The 3rd mitigation recommends restricting lateral movement on the network using Windows Firewall. Inbound network ports used by the PI System are well documented and pose no impediment for implementing Windows Firewall.
  • Summary: Microsoft purposely advises low effort and effective mitigations for PtH risk and impact. It was refreshing to see consensus on the value of SSO as a business imperative. It seems reasonable and practical for recommendations to affect administrative roles rather than standard users.
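The three exposure points above (service accounts running under domain credentials, service accounts that are local administrators, and hosts that still accept NTLMv1 challenges in the share-spoofing demo) can be inventoried from the machine itself. The following is an added, read-only audit script written for this post; it is not from the BlueHat sessions, the PtH white paper, or OSIsoft. It assumes PowerShell 3.0 on a domain-joined PI System host and changes nothing; the LmCompatibilityLevel default of 3 when the value is absent is the documented default for Server 2008 and later.

```powershell
# Added example: inventory the credential-exposure points the PtH mitigations above touch.
function Get-CredentialExposureReport {
    $computer = $env:COMPUTERNAME

    # 1st/2nd mitigation: services that log on with a domain or local *user* account.
    # Those accounts' hashes sit in LSASS while the service runs, so each one should be
    # single purpose and least privilege. Built-in identities are excluded.
    $builtin = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'
    $userAccountServices = Get-WmiObject Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
        Select-Object Name, StartName, State, PathName

    # 2nd mitigation: members of the local Administrators group. ADSI is used because
    # Get-LocalGroupMember does not exist on PowerShell 3.0. Paths come back as
    # WinNT://DOMAIN/user and are normalised to DOMAIN\user to match StartName.
    $group  = [ADSI]"WinNT://$computer/Administrators,group"
    $admins = @($group.psbase.Invoke('Members')) | ForEach-Object {
        ($_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', '') -replace '/', '\'
    }

    # Share-spoofing demo: LmCompatibilityLevel decides whether this host still answers
    # with LM/NTLMv1. Level 3 (the OS default when the value is absent) sends NTLMv2 only
    # but still accepts NTLMv1 from clients; level 5 refuses LM and NTLMv1 entirely.
    $lsa     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lmLevel = if ($lsa.LmCompatibilityLevel -ne $null) { [int]$lsa.LmCompatibilityLevel } else { 3 }

    [PSCustomObject]@{
        Computer             = $computer
        UserAccountServices  = @($userAccountServices)
        LocalAdministrators  = @($admins)
        LmCompatibilityLevel = $lmLevel
        NtlmV1StillAccepted  = ($lmLevel -lt 5)
    }
}

$report = Get-CredentialExposureReport
$report | Format-List

# Highest priority finding: a service account that is also a local administrator
# (the old PI Buffer Service "logon as administrator" configuration looks like this).
$report.UserAccountServices | Where-Object {
    $acct = $_.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    $report.LocalAdministrators -contains $acct
} | Select-Object Name, StartName
```

The final filter is the one to act on first: converting to PI Buffer Subsystem, or re-scoping the account, removes that row without touching the rest of the configuration.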

What you say?  Enough with the fundies, show me the other cool stuff!  You bet. BlueHat v12 delivered on the cutting edge of security as well. Here are my favorites (with luck online sessions will be available soon).

  • Great idea: Gavin Thomas of Microsoft presented on using Windows Azure for fuzz testing. Microsoft requires a minimum of 500,000 iterations on a bug fix to pass SDL. MSRC is using hundreds of machines to fuzz update candidates. Using Azure has been an efficiency boon in time and resources. When you think about it – adversaries have almost infinite time and resources to find vulns, they may even use the cloud to attack. Using cloud resources for fuzzing makes sense. I will be recommending cloud based fuzzing over our current approach.
  • Best scoop: Building Trustworthy Windows Store Apps. You’d expect some hype on Windows 8 at an event like BlueHat. We got the news straight from the Microsoft security designers Crispin Cowan and David Ross. Windows 8 was described as a fresh start. Developers should expect some security rework when porting Win32 applications. In addition, every app in the store requires the compiler defenses. The scrutiny you should expect depends on the capabilities enabled for an app. It’s better to just not use capabilities; be especially careful when enabling the ‘File’ and ‘Network’ capabilities. David Ross posted this best practice article: http://blogs.msdn.com/b/windowsappdev/archive/2012/12/18/security-best-practices-for-building-windows-store-apps.aspx
  • The new new thing: Chris Hoff, Senior Director and Security Architect, Juniper Networks, on the disruptive technology called SDN (Software Defined Networks). Although this talk was a bit like drinking from a firehose, Hoff warned that for SDN we need to learn from virtualization and cloud initiatives. These innovations offered undeniable benefits but also some security failures. Something as simple as ‘how does a guest VM know that host resources are exhausted?’ was overlooked in the rush to virtualize. Hoff cited his previous BlueHat talk ‘Cloudifornication’ for similar cloud based concerns. It’s likely SDN is something that will touch all of our worlds. His presentation might not be the best introduction but it did put SDN on my security radar.
  • Most sobering: HTML5 to the rescue for XSS? Hardly. Mario Heiderich, security lead at html5sec.org, addressed how vulnerable ‘No Script’ web apps really are. Although safer without JavaScript, XSS bugs still prove to be quite fatal. For his demo, Mario used regex support in CSS3 to crack a ‘strong’ password in the DOM. I was surprised to see how fast this happened; a user would never notice. Then, to exfiltrate the sensitive data, he made use of standard SVG methods. Yes, I am totally freaked out by this. Anyway, in a nutshell: HTML5 is coming. HTML5 adds support for powerful features. It doesn’t matter if you use them or not; the hackers can and will. Aside from a good SDL to avoid introducing XSS, Mario’s call to action cited the need for more participation in the HTML5 spec. In the meantime, you might want to buy stock in web application firewalls: although imperfect, WAFs can restrict use of HTML features that are not needed in a given web application.

Using PI with the new AFSDK

Posted by Rick Davin Employee Dec 14, 2012

Earlier in the year I blogged about using the AFSDK 2.5 to write tag-centric apps.  See the original post here:

 

http://vcampus.osisoft.com/bloggers_place/b/ricksblog/archive/2012/05/16/tag-centric-apps-and-afsdk-2-5.aspx

 

I mentioned how I would be glad to try writing a traditional PISDK app using only AFSDK. Not only have I done this but my boss Randy has as well. Using the managed objects in AFSDK for traditional PI apps is a goal for both Randy and me. Plus Randy finally agreed to let us use C# instead of VB.NET. Both C# and AFSDK 2.5 have been easy to work with.

 

Regrettably I can't post the apps or some of the code.  I think many Americans are muffled by such notions as 'proprietary' or 'competitive advantage'.  Not that I think we have brilliant code.  Far from it.  Yet oftentimes both my boss and I have stumbled on a few things in our code writing so we are reluctant to share in the sincere hope that our competitors will stumble harder upon!

 

But I can briefly describe in general what we did with each app. Randy wrote an app to perform data fanning across PI collectives. He was truly amazed about how simple it is to work with a collective and its member servers. What used to take dozens of lines of code now takes 2 or 3. Not 2 or 3 dozen, but 3 as in 1-2-3 or the answer to "How many Stooges are there?"

 

I wrote a PI app to scan a tag's archived values looking for a certain digital state and 'changing' it to another digital state.  I quoted 'changing' because it actually deletes the archived value and writes the new value - all this just to remove the substituted flag.  This required fetching a tag's RecordedValues filtered for the 1st digital state and then issuing 2 UpdateValues - the first with AFUpdateOption.Remove to delete prior values, and the second to write the new values.  
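The three calls just described (RecordedValues with a filter expression, UpdateValues with AFUpdateOption.Remove, then a second UpdateValues for the new values) are the whole of the technique, so here is the same sequence written out against the AFSDK 2.5 objects. This is an added example for this post and is not Rick's code; it drives the AFSDK from PowerShell rather than C#, and the tag name, the two digital states and the time range are assumed values.

```powershell
# Added example: rewrite archived events in one digital state to another using AFSDK 2.5.
# Assumed: OSIsoft.AFSDK is installed (GAC), tag CDT158 is a digital tag, states are in its set.
[System.Reflection.Assembly]::LoadWithPartialName('OSIsoft.AFSDK') | Out-Null

function Set-ArchivedDigitalState {
    param(
        [Parameter(Mandatory = $true)][string]$TagName,
        [Parameter(Mandatory = $true)][string]$OldState,
        [Parameter(Mandatory = $true)][string]$NewState,
        [string]$StartTime = '*-7d',
        [string]$EndTime   = '*'
    )
    $piServer = (New-Object OSIsoft.AF.PI.PIServers).DefaultPIServer
    $point    = [OSIsoft.AF.PI.PIPoint]::FindPIPoint($piServer, $TagName)
    $range    = New-Object OSIsoft.AF.Time.AFTimeRange($StartTime, $EndTime)

    # Step 1: RecordedValues with a PI filter expression returns only events in the old state.
    # includeFilteredValues = $false, maxCount = 0 (no limit).
    $filter = "'$TagName' = `"$OldState`""
    $found  = $point.RecordedValues($range, [OSIsoft.AF.Data.AFBoundaryType]::Inside, $filter, $false, 0)
    if ($found.Count -eq 0) { return 0 }

    # The replacement must be an enumeration value from the tag's own digital state set.
    $setName  = $point.GetAttribute([OSIsoft.AF.PI.PICommonPointAttributes]::DigitalSetName)
    $newValue = $piServer.StateSets[$setName][$NewState]
    if ($newValue -eq $null) { throw "State '$NewState' is not in digital set '$setName'" }

    # Step 2: delete the old events. Deleting first is what keeps the substituted flag off;
    # overwriting in place with Replace would set it.
    $errors = $point.UpdateValues($found, [OSIsoft.AF.Data.AFUpdateOption]::Remove)
    if ($errors -ne $null -and $errors.HasErrors) { throw "Remove failed for $($errors.Errors.Count) events" }

    # Step 3: write the new state at exactly the original timestamps.
    $replacement = New-Object OSIsoft.AF.Asset.AFValues
    foreach ($v in $found) {
        $replacement.Add((New-Object OSIsoft.AF.Asset.AFValue($newValue, $v.Timestamp)))
    }
    $errors = $point.UpdateValues($replacement, [OSIsoft.AF.Data.AFUpdateOption]::Insert)
    if ($errors -ne $null -and $errors.HasErrors) { throw "Insert failed for $($errors.Errors.Count) events" }
    return $replacement.Count
}

$changed = Set-ArchivedDigitalState -TagName 'CDT158' -OldState 'Manual' -NewState 'Auto'
"Rewrote $changed archived events"
```

Because the remove and the insert are two separate round trips, a failure between them leaves a hole in the archive for the affected timestamps; keep the time range narrow and check the returned AFErrors on both calls, as the function does, before widening it.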

 

Sure there was some syntax change and a few things done differently but it was all-in-all about the same effort to write a PISDK app.  For me anyway.  For Randy it was actually easier to write because the PI collectives and member servers are just so much easier to work with in AFSDK.

The latest release of PowerShell Tools for the PI System 1.1 is now available in the Download Center! This new version provides support for PI Collectives, PI Annotations, PI Firewall (courtesy of this request from Rhys), reading the local PI Message Log, removal of PI values, and minor enhancements and bug fixes. In addition, we included support for PI Server 2012, Windows 8/2012, and PowerShell 3.0. Several new example scripts, which are documented in the Release Notes, are also included. We encourage you to try PowerShell Tools for the PI System 1.1, check out the “PowerShell for PI System Admins” session materials from vCampus Live! 2012, and direct any questions or feedback to the Discussion Hall. Happy Scripting and Happy Holidays!

Three very different cyber security hands on labs were offered at VCL12:

  • Improving the Security of your PI System Infrastructure: Whitelisting, Firewalls, & Windows Core (Level 100)
  • Security for PI System Administrators (Level 200)
  • Web Application Security: Introducing the OWASP Tools (Level 300)

Whitelisting, Firewalls, & Windows Core

 

Every workstation was busy for Improving the Security of your PI System Infrastructure class by Jim Davidson. As an extra surprise many folks were getting their first look at Windows Server 2012!

 

Jim started with a primer explaining application whitelisting and why this approach is strongly recommended by OSIsoft and other reputable sources (e.g. SANS, the Australian Defence Signals Directorate). The class then began to explore various configurations of Windows AppLocker.

 

Exercising automatic rule generation was a snap. The most tedious part was assigning the rules to specific groups. For instance, the rules required for a PI System Manager were generated by scanning the PI and PIPC folders and then granted to a Windows group corresponding to PI System Managers. Finally you set rule enforcement options. We chose to audit AppLocker by logging any rule exceptions. This step helps you verify AppLocker won’t interfere with normal operation.
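The same three steps (scan the PI folders, grant the rules to a group, enforce in audit mode and review the exceptions) can be scripted with the AppLocker cmdlets that ship with Windows Server 2012. The script below is an added example for this write-up, not the lab manual's; the install paths, the Windows group name, the policy file path and the test binary are assumptions.

```powershell
# Added example: AppLocker rules for a PI System Manager role, applied in audit-only mode.
Import-Module AppLocker

$piFolders  = 'C:\Program Files\PI', 'C:\Program Files (x86)\PIPC'   # assumed install paths
$managers   = 'CONTOSO\PI System Managers'                            # assumed Windows group
$policyPath = 'C:\Temp\PISystemManagers-AppLocker.xml'                # assumed output path
$sampleExe  = 'C:\Program Files\PI\adm\piartool.exe'                  # assumed test binary

# 1. Scan the folders. Publisher rules cover signed files; hash rules catch unsigned ones.
#    -Optimize collapses files from the same publisher/product into one rule.
$files  = $piFolders | Where-Object { Test-Path $_ } |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Dll, Script }
$policy = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User $managers `
    -RuleNamePrefix 'PI Manager' -Optimize -Xml

# 2. Audit only. Generated collections start as NotConfigured; AuditOnly logs what *would*
#    have been blocked without blocking it, which is how you find gaps before enforcing.
$policy = $policy -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policy | Set-Content -Path $policyPath -Encoding Unicode
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge   # -Merge keeps any existing rules

# 3. Sanity check one known binary against the policy file before trusting the event log.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sampleExe -User $managers

# 4. AppLocker evaluates and logs only while the Application Identity service is running.
Start-Service AppIDSvc

# 5. Event 8003 = "allowed to run, but would have been blocked if the policy were enforced".
#    Every row here is either a missing rule or something that should not be running.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Run this as an administrator on a test host first: the policy contains only the rules generated from the PI folders, so once EnforcementMode is switched to Enabled, anything the scan did not cover (including Windows itself, unless the default rules are merged in) is blocked for that group.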

 

An interesting part of the Windows Firewall lab was about enabling outbound rules. Blocking outbound network traffic goes a long way toward containing post exploitation activity. Especially if the attack relies on outbound access to download additional attack payload.
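Putting the outbound point above together with the 3rd PtH mitigation from the BlueHat post (restricting lateral movement with Windows Firewall, where the PI System's inbound ports are documented), the host firewall on a PI Data Archive ends up with a short inbound allow list and a default-deny outbound policy. The following is an added example for this write-up, not part of the lab, using the NetSecurity cmdlets that come with Server 2012 / PowerShell 3.0. It assumes the PI Data Archive listens on TCP 5450 (its documented port), that clients live on 10.0.0.0/24, and that the domain controller is 10.0.0.10.

```powershell
# Added example: inbound limited to the PI Server port, outbound default-deny, on a PI host.
$piPort     = 5450          # documented PI Data Archive listening port
$clientNet  = '10.0.0.0/24' # assumed client subnet
$domainCtrl = '10.0.0.10'   # assumed domain controller

# Inbound: drop everything by default, then open the one PI port from the client subnet
# on the domain profile only.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'PI Data Archive inbound' -Direction Inbound -Profile Domain `
    -Protocol TCP -LocalPort $piPort -RemoteAddress $clientNet -Action Allow

# Outbound: default-deny, so a compromised process cannot fetch a second-stage payload.
# Then allow only what a domain-joined server must reach, scoped to the domain controller:
# DNS, Kerberos, LDAP, SMB (group policy) and time sync.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
$dcPorts = @(
    @{ Name = 'DNS';      Protocol = 'UDP'; Port = 53  },
    @{ Name = 'Kerberos'; Protocol = 'TCP'; Port = 88  },
    @{ Name = 'Kerberos'; Protocol = 'UDP'; Port = 88  },
    @{ Name = 'LDAP';     Protocol = 'TCP'; Port = 389 },
    @{ Name = 'SMB';      Protocol = 'TCP'; Port = 445 },
    @{ Name = 'NTP';      Protocol = 'UDP'; Port = 123 }
)
foreach ($p in $dcPorts) {
    New-NetFirewallRule -DisplayName "Out to DC: $($p.Name) $($p.Protocol)/$($p.Port)" `
        -Direction Outbound -Profile Domain -Protocol $p.Protocol -RemotePort $p.Port `
        -RemoteAddress $domainCtrl -Action Allow
}

# Review: the complete set of outbound holes should be short and every one explainable.
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Get-NetFirewallPortFilter | Select-Object InstanceID, Protocol, RemotePort
```

Two practical notes: run this from the console (or add an inbound remote-management rule first), because the inbound default-deny applies the moment the profile is set; and treat the DC list as a starting point, since PI Collective replication, interface nodes, WSUS and RPC dynamic ports each need their own explicit outbound rule in a real environment. The built-in Core Networking rules stay enabled and keep DHCP and ICMP working.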

 

Jim saved one more surprise in the Windows Core exercise. Server 2012 has a command to add or remove the desktop GUI (most of us didn’t hit enter since it takes a while). But still, converting to ‘core’ has never been easier! Server Core remains a top recommendation for improving the security of your PI System infrastructure.

 

Security for PI System Administrators

 

PI System security is no small task and the exercises in this lab focused on security tools and scripting to help manage the hundreds to thousands and potentially millions of related settings. No wonder this lab garnered an encore session.

 

We started by working with the official security baselines provided by Microsoft’s free Security Compliance Manager (SCM) tool.  While SCM is very useful for compliance documentation and security hardening tasks, the effort is still significant. This is another proof point supporting Windows Core as the quick and easy approach for a secure PI System server platform.

 

Our approach uses scripts and utilities to examine security settings embedded in various application and database stores.  The lab highlights scripts driving the recently updated ‘Bandolier’ audit checks.  Anyone using ‘Bandolier’ should welcome the lab manual as useful documentation for the PI scripts.

 

This lab also introduced PowerShell as the successor technology for PI System management scripts. My intention is to sponsor a vCampus community project as the official home for the ‘Bandolier’ PI scripts. Knowing Mathieu and crew, it won’t be long before all these scripts are available as cmdlets! Thank you in advance, vCampus contributors.

 

Introducing the OWASP Tools

 

Most folks don’t come to vCampus Live to learn how to hack. We were compelled to make an exception this year in context of incident response to breach of the OSIsoft partner website.

 

This lab seemed to attract a tight knit crowd (perhaps it was the focus on a web application or the intensity of 300 level materials).  Imagine my surprise when we learned to hack a web site using a single key stroke!

 

Once the bug was found it was just natural to see what could be done with it. We followed along as tips from the SQL injection cheat sheet were demonstrated using an image of our vulnerable web site.

 

Now that the audience was hooked they were guided into the world of OWASP.  Lab machines were loaded with SamuraiWTF and each tool of the web testing framework was introduced. The materials from OWASP include test applications to help understand different classes of defect.

 

The question I remember most: Is it okay to do this on the internet?  The answer came in a chorus of Nooo!

 “What’s Wally doing? Kill Wally!” was overheard from Team 4 during the VCL12 Security Hackathon Day 0 event.

 

The team was referring to a possible breach of their PI System by an intruder (OSIsoft red teamers Bryan Pope and Luis Moux-Dominguez) using commandeered accounts. The cast of accounts for the faux company were based on Dilbert cartoon characters. In this challenge, Wally was supposedly off duty and many teams picked up on the unexpected login. Hooray!

 

Too bad Wally’s account had domain administrator rights.  Blue teams competing in the security hackathon practiced facing a nightmare scenario – a totally ‘pwnd’ domain. 

 

Each blue team had an embedded OSIsoft engineer providing technical support (shout out to Brian Deslatte, Dan Fishman, Gary Lee, Hahnming Lee, Jonathan Silvestre, Lily Wong, and Mariana Sandin). Many lasting friendships were made over the course of the 8 hour event… perhaps some rivalries too! 

 

About half of the security hackathon involved preparing for the red team challenges (instrumenting the system baseline, creating operational dashboards, and adding defenses). Teams could earn points by documenting what they did to prepare.

 

During the challenges points were awarded based on PI System health and sustained operation. Scoring factors relied on basics like archival rate, connections, uptime, and % good data. Performance indicators were periodically delivered as PI notification content to an automated scoring server.

 

The day is long and competition intense for a hackathon.  I saw this first hand as teams continued to detect and defend even with the lure of the opening reception during the last two challenges.

 

At the end Team 2 were top point earners and prize winners.  During the debrief session it was especially interesting to hear about what defenses seemed to work best.  The red team reported once people started changing passwords on the domain accounts it really stopped a lot of things.
