New Containers Tech From Microsoft Announced

Nano Server, Hyper-V Containers and Swarm

Yesterday Microsoft announced a couple of things: Nano Server in Server vNext, which is available to partners now and, I would guess, to the public at Ignite.  The other, more interesting, announcement is Hyper-V Containers, running on Nano Server of course.  They also kind of snuck in support for Swarm.

So What?

To put this in context, you can run containers on Windows Server (Nano) using either Windows Server Containers or Hyper-V Containers.  This lets you use Swarm to deploy containers onto virtual or physical operating systems.  Add the extra isolation Microsoft has put into its containerization and this is the virtual server killer app.

Still, So What???

Today you install a server OS on your hardware and then run multiple virtual servers on it, each with its own OS.  This removes the need for any virtualized OS: you have a single OS running on your hardware, and your apps / services / processes are virtualized without the overhead of a guest OS.  And then add in hyper-scale.

Interesting Details

I recommend you read the full article as it has many interesting items in it that I don’t include below, but here are some of my favorites.

“we are taking containerization one step further by expanding the scenarios and workloads developers can address with containers:

  • Hyper-V Containers, a new container deployment option with enhanced isolation powered by Hyper-V virtualization.
  • Nano Server, a minimal footprint installation of Windows Server that is highly optimized for the cloud, and ideal for containers.”

“Microsoft will now offer containers with a new level of isolation previously reserved only for fully dedicated physical or virtual machines”

“Hyper-V Containers will ensure code running in one container remains isolated and cannot impact the host operating system or other containers running on the same host.”

“Windows Server Containers can be deployed as a Hyper-V Container without modification”

“Finally, we’ve added integration for Swarm, Machine and Compose into Azure and Hyper-V.”

“Nano Server, a minimal footprint installation option of Windows Server that is highly optimized for the cloud, including containers. Nano Server provides just the components you need – nothing else, meaning smaller server images, which reduces deployment times, decreases network bandwidth consumption, and improves uptime and security.”

http://azure.microsoft.com/blog/2015/04/08/microsoft-unveils-new-container-technologies-for-the-next-generation-cloud/

Best,

Anthony

Top 5 Configmgr vNext Rumors

These are the top 5 rumors for Configmgr that are floating around.

  • Next up will be a new version, CM16 I suppose based on the date.
  • It will not coincide with Windows 10 release and instead release 90 days or so after W10 launch.
  • There will also be another service pack for CM12 to address the thousands of bugs (finally!).
  • Feature parity with Intune (cloud) standalone version.
  • Supported client count for primary sites will double.  Think 200,000+ clients per primary site.

10 years from now Apple will be a jewelry company, that is more of a prediction than a rumor.


Android Support Added to Workplace Join in Azure Active Directory

Microsoft added the ability for Android devices to register in Azure Active Directory.  This also lets them take advantage of SSO for apps that use the Active Directory Authentication Library to authenticate to AD.  The article also states that policy support for all Azure AD connected apps is in the works, which will allow IT to set up conditional access across all devices.

http://blogs.technet.com/b/ad/archive/2015/01/15/azure-authenticator-for-android-with-support-for-workplace-join.aspx

Orchestrator Runbooks SMART Documentation and Conversion Helper 2.0

SMART Documentation and Conversion Helper 2.0 is a tool that documents your Orchestrator runbooks in Visio and Word.  It is built with PowerShell.  You can read more about it here or download it directly here.

Updated tool : SMART Documentation and Conversion Helper for your Orchestrator Runbooks - Building Clouds Blog - Site Home - TechNet Blogs

Azure Active Directory Basic Available Now

Microsoft announced today that Azure AD Basic is available.  It includes four features not available in the Azure AD Free tier:

  • Company branding to match your internal LAN’s styling and logo.
  • Group-based application access for your cloud hosted apps, with the ability to query your own directory to build and populate groups, or to build them in Azure.
  • Self-service password reset, so users can reset their own passwords without contacting IT.
  • A 99.9% (“three nines”) uptime SLA.  That allows at most 1m 26.4s of downtime per day, 10m 4.8s per week, 43m 49.7s per month or 8h 45m 57s per year.

Azure Active Directory Basic is now GA! - Active Directory Blog - Site Home - TechNet Blogs

Apple Pay – Great New Feature or Future Nightmare?

Apple Plays

Apple introduced the iPhone 6 models this week and spent time talking about the size, display and CPU speed, but it also spent an exorbitant amount of time, marketing dollars and effort pushing a new feature most people couldn’t care less about: Apple Pay.

What is Apple Pay?

Apple Pay is a payment service on the iPhone that stores and transmits your credit card information.  Let that sink in before moving on.


Apple has not yet released many details to the public on exactly how Apple Pay works, and the media has several different guesses about how the system will operate.  Gartner claims no credit card information will be stored on the phone and that the service uses the card already on file with iTunes; others, including Apple, say your card details will be stored on the phone.  The Washington Post writer assures his readers that, thanks to the iPhone fingerprint reader, no one else will be able to make purchases with your phone.  He doesn’t bother to mention that the fingerprint reader was bypassed less than two days after it was released.  He also assures them that virtual card numbers, rather than your actual card number, are what the phone sends to the merchant.

Stripe.com is a third party offering an API that lets merchants accept Apple Pay without doing all the integration themselves.  Going by its docs, credit card information is stored on your iPhone and, depending on the merchant, you will be sending them your card number, CVC code, name, expiration date and billing address, all information they can choose to store for later use if they decide they want to.  Stripe.com’s documentation includes frightening phrases such as “Make sure any communication with your server is SSL secured to prevent eavesdropping.”  Shouldn’t Apple Pay force SSL communication?

This is all speculation at this point, but I think Stripe.com likely has better information than the Washington Post and Gartner.

However, I couldn’t leave out this little gem from Makeuseof.com, which stays in lock step with the party line: anyone who doesn’t fully embrace Apple’s latest feature as the greatest change to the monetary system since the advent of coins is a lunatic alien abductee.

“Those of you reaching for your tinfoil hats will be relieved to hear the usual security and privacy spiel from such an announcement involving sensitive financial data. Merchants cannot see card numbers, Apple cannot tell what you are buying, and if you lose your phone, you can simply suspend the service using Find My iPhone.”

All but the last part about using Find My iPhone is incorrect, but it doesn’t matter because they don’t address the real security concerns.

Update: According to Nerd Wallet, Apple will get 0.15% of each transaction, paid to them by the bank issuing the credit card.  This new fee, on top of the regular fees paid per transaction for the convenience of using a card instead of cash, will unwittingly be paid by the consumer.  When you think about the concept of paying a company to lend you your own money, with interest and fees added on, you may begin to understand that using cash and living within a realistic budget is better than using Apple or any credit card company.

The Real Point Please?

Here is the main problem with Gartner, WaPo and all of the internet sites claiming there is nothing to worry about.  They all talk about how the transaction is secure, how the merchant doesn’t actually get your card details, how a random number or one-time token is going to keep your purchase secure.  Great.  But what about the phone?  How secure is the device where you are storing the cards, along with all the information needed to use each one of them?  I don’t recall Apple talking about how secure its phone and new OS are, and none of the websites fighting for your precious monetized clicks talk about how secure the platform storing all your data is.  Instead they assure you that Apple has it all figured out; after all, it’s Apple!  They never have security problems, just ask Kate Upton, Kirsten Dunst, Jennifer Lawrence or Jonathan Zdziarski.  Jonathan is the researcher who recently presented a paper on how every iOS device runs hidden and undocumented services that allow access to phone data, even bypassing the iTunes backup encryption, all without needing physical access to your phone.  It doesn’t take much thought to figure out how someone could get at the photos of celebrities, your spouse or yourself stored in iCloud.

When Target and the other retailers had their POS systems hacked, the attackers did not go after individual payments; they wanted the card data so they could sell the cards on the market, and those who bought the cards would then use them to make fraudulent purchases, clean out accounts or worse.  Talking about how a single transaction is secure is only interesting if you are a merchant, bank, card processing company or Apple.  The consumer loses nothing if a retailer or bank fails to secure a transaction, because those parties are covered.  But if the consumer’s savings account is drained to $0, well, they are just out all of their savings.  The banks, card processor and retailer will happily take that stolen money.
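The two paragraphs above contrast what a one-time token protects (the card number passing through the merchant) with what it does not (the device holding the card).  The following is an added example, not code from the original post or from Apple, Stripe or any card network: a simplified token service in Python that issues a single-use token bound to one merchant and one amount, so that a breach of the merchant’s records yields no card number and a captured token cannot be replayed or redirected.  The vault layout, the HMAC-based binding, the merchant id and the sample card number are all constructed for illustration; real payment tokenization (device account numbers plus per-transaction cryptograms computed in a secure element) is more involved than this.

```python
"""Simplified payment tokenization: the merchant only ever sees a token.

Added illustration, not the original post's code and not any vendor's API.
The card number, merchant id and issuer key below are constructed sample data.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class TokenService:
    """Issuer-side token vault (constructed model, not a real network's design).

    The token is `<nonce>.<mac>` where the MAC binds the nonce to the merchant
    and amount; the vault only maps the nonce to the real PAN and a used flag.
    """

    def __init__(self, secret_key: bytes) -> None:
        self._key = secret_key
        self._vault: Dict[str, dict] = {}

    def _mac(self, nonce: str, merchant_id: str, amount_cents: int) -> str:
        msg = f"{nonce}|{merchant_id}|{amount_cents}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def issue_token(self, pan: str, merchant_id: str, amount_cents: int) -> str:
        """Wallet side: obtain a single-use token for one purchase."""
        nonce = secrets.token_hex(8)
        self._vault[nonce] = {"pan": pan, "used": False}
        return f"{nonce}.{self._mac(nonce, merchant_id, amount_cents)}"

    def redeem(self, token: str, merchant_id: str, amount_cents: int) -> Optional[str]:
        """Authorization side: return the PAN once, or None if the token is
        unknown, already used, or presented by a different merchant/amount."""
        try:
            nonce, mac = token.split(".", 1)
        except ValueError:
            return None
        entry = self._vault.get(nonce)
        if entry is None or entry["used"]:
            return None
        expected = self._mac(nonce, merchant_id, amount_cents)
        if not hmac.compare_digest(mac, expected):
            return None
        entry["used"] = True  # single use: replays fail from here on
        return entry["pan"]


def mask_pan(pan: str) -> str:
    """Display form of a card number: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


def checkout(wallet_pan: str, svc: TokenService, merchant_id: str,
             amount_cents: int) -> Tuple[str, dict]:
    """One purchase: the wallet gets a token, the merchant stores only that."""
    token = svc.issue_token(wallet_pan, merchant_id, amount_cents)
    merchant_record = {"merchant_id": merchant_id, "amount_cents": amount_cents,
                       "token": token}  # no PAN, CVC, name or address kept here
    return token, merchant_record


def record_leaks_pan(record: dict, pan: str) -> bool:
    """What a merchant-side breach would recover: does the record contain the PAN?"""
    return pan in repr(record)


if __name__ == "__main__":
    svc = TokenService(secret_key=b"constructed-issuer-key")  # sample key
    pan = "4111111111111111"  # constructed test card number
    token, record = checkout(pan, svc, "shop-42", 1999)
    print("merchant stores:", record, "leaks PAN:", record_leaks_pan(record, pan))
    print("first redeem   :", mask_pan(svc.redeem(token, "shop-42", 1999) or ""))
    print("replay         :", svc.redeem(token, "shop-42", 1999))
    print("wrong merchant :", svc.redeem(token, "other-shop", 1999))
```

The design choice worth noting is where the trust sits: the merchant record holds nothing an attacker could sell, but the wallet still holds the real card number and the issuer key still lives in one place, which is exactly the point the post makes about the device and the platform behind it.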

One Last Thing

Apple Pay uses NFC to transmit your purchase details.  In 2012, 2013 and 2014 there were demonstrations of how NFC payment systems can be attacked to steal data, send payments and transfer funds.  It’s unfortunate that Apple and the media won’t spend the 30 seconds it takes to Google “NFC credit card hack” and watch the videos, read the conference notes and articles on how insecure NFC really is.

  • Apps use NFC technology to hack Credit Card credentials (Oct 16, 2013): after months Google still hasn’t fixed the issue letting apps from the Play Store use NFC technology to steal credit card credentials.
  • NFC Hacking: The Easy Way (PDF), E. Lee, DEF CON 20: https://www.defcon.org/images/…/DEFCON-20-Lee-NFC-Hacking.pdf (covers the exchange between chipped credit cards and POS terminals, using a contactless credit card reader, e.g. VivoPay, Verifone).
  • Hacking the NFC credit cards for fun and debit (PDF), Hackito Ergo Sum 2012, April 12-14, Paris, France (includes how to recognize an NFC-enabled credit card: the small wave logo printed on the card).
  • How NFC phones can steal your credit card info (YouTube, uploaded Jan 27, 2012 by Id Stronghold).
  • Hacking the NFC credit cards for fun and debit, Renaud Lifchitz (YouTube, uploaded Jul 24, 2012 by Shakacon LLC): www.youtube.com/watch?v=VWIzW0rRw_s
  • [NFC HACK]: Use Pass Snow card or transport card with your … (YouTube, uploaded Mar 8, 2013 by iHeathOfficial): www.youtube.com/watch?v=B0pTdNrEXnI
  • Android NFC hack lets subway riders evade fares, Naked Security (Sep 24, 2012): nakedsecurity.sophos.com/…/android-nfc-hack-lets-subway-rider… (Benninger said during his talk that he could replenish his card endlessly, according to Computerworld).
  • Credit Card stealing Apps from NFC cards, Latest News (Apr 29, 2013): www.secure-commerce.org/…/credit-card-stealing-apps-from-nfc-cards/ (reports in Mashable and CBS that apps are now available to read the NFC data on credit cards).
  • The Perfect Hack for Enabling NFC Credit Card Payments, Business Insider (Aug 3, 2011): www.businessinsider.com/the-perfect-hack-for-enabling-…
  • Hacking the NFC Credit Cards for Fun and Debit, Renaud Lifchitz, Shakacon 2012 (June 18-21) slides (Jul 2, 2012): www.slideshare.net/…/hacking-the-nfc-credit-cards-for-fun-and-debit-by…

Data Protection Manager Now Available as Azure IaaS


Azure IaaS workload protection using Data Protection Manager - System Center: Data Protection Manager Engineering Team Blog - Site Home - TechNet Blogs

The supported configuration is illustrated in the diagram in the linked post. The DPM installation prerequisites remain the same, as described in the TechNet documentation.

  • DPM is supported on any Azure IaaS virtual machine that is size A2 or higher.
  • DPM can protect workloads that run across multiple Azure cloud services that have the same Azure virtual network and Azure subscription.
  • The number of disks that can be used for the target storage (DPM storage pool) is limited by the size of the virtual machine (maximum of 16). For more information about size limits, see Azure Virtual Machines.

via Azure IaaS workload protection using Data Protection Manager – System Center: Data Protection Manager Engineering Team Blog – Site Home – TechNet Blogs.


Microsoft Azure Versus VMware on Containers

Some basics if you are new to containers.  Applications run inside containers.  A container believes it is running on its own operating system, but in fact it runs in an isolated partition that shares a single operating system with other containers, each running its own applications on that same OS.  In traditional hypervisor virtualization, by contrast, a server runs several virtualized operating systems, each with its own applications.  Remember ESX?

Here is a popular graphic explaining the difference between the two types of virtualization.  The top of the graphic shows the hypervisor style, where each application gets its own virtualized operating system, while the lower portion shows a single operating system using the Docker container software, with several containers sharing that one operating system.

(Graphic: hypervisor vs Docker containers; not reproduced here.)

Who cares?

Some companies think this is the future of virtualization, dismissing the traditional hypervisor model of virtualization as an archaic technology like the CD-ROM: good in its day but no longer needed.  “Everything at Google runs in a container,” according to Google.  Their entire cloud infrastructure runs on containers, using another application, Kubernetes, to dynamically cluster them: https://developers.google.com/compute/docs/containers  The most popular container software today is known as Docker, like the formerly popular OG pleated pants, still worn by some, minus the ess.

Microsoft’s Approach

How have Microsoft and VMware reacted to this new (not really) virtualization technology?  Microsoft, to its credit, has worked to embrace the technology by allowing customers to use it within Microsoft Azure.  In fact I am going to quote their explanation of Docker and Kubernetes, because they do such a nice job of explaining them: “Docker is an open-source engine that automates the deployment of any application as a portable, self-sufficient container that will run almost anywhere. Kubernetes is an open source cluster management tool, a declarative technology supporting orchestration and scheduling of Docker containers.”  Here is what they have actually implemented of the two technologies in Azure.

The key features we have implemented are documented in the Kubernetes project and can be summarized as:

  • Build a container and publish it to Azure Storage
  • Deploy an Azure cluster using container images from Azure Storage or the Docker Hub
  • Configure an Azure cluster
  • Update the Kubernetes application on an existing cluster
  • Tear down an Azure cluster

Keeping in mind that containers run on *nix, this is quite a departure from the traditional Microsoft.  Adoption and continued development will show whether Microsoft has really embraced the technology, but at this point it looks like they are living up to their announcement back in July, where they stated they would support containers and were joining the open-source development project.


VMware’s Approach

VMware also announced their partnership with Google, Docker and Pivotal last week during VMworld.  Their approach is slightly different from Microsoft’s, but also similar.  The major difference is that VMware supports containers on top of their hypervisor, while Microsoft’s approach is more in line with the spirit of how the technology was intended to be used.  Based on what VMware has announced, it seems more like they are taking the traditional defensive approach I would have expected Microsoft to take in the past.  I am not faulting VMware for this; I am sure they are making the decisions they feel are best for their vision of the company.  Keep in mind that they recently purchased AirWatch, and coupled with the fact that their parent company EMC (for now) is a storage company, I believe they are planning to compete with AWS and Microsoft in the DaaS (Desktop as a Service) space.

I don’t think VMware is ready to compete with Microsoft in the DaaS space: they don’t have the same configmgr tools as Microsoft and they don’t own the operating system, but they are getting there, so it will be an interesting battle over the next decade.