Monday, February 26, 2007

A shout out to Alan Shimel

Hi there Alan (et al),

Thank you for the little blog post on me. I hope I can respond with some good, insightful (incite-ful?) posts to keep you interested.

Congrats firstly on your anniversary.

I consider myself a lay-expert (in other words I spent way too much time on slashdot for my career's good) on GPL so I'll add in my 2c.

The GPL severely restricts what you can do with the source in order to keep the source available. It is known as "viral" in that if you incorporate GPL code into a project that you distribute, all the source of that project must also be released under the GPL or a GPL-compatible licence.

The big news about a project becoming GPL compatible is that, once it is, its source can be added to other GPL projects and, in turn, other GPL code can be pulled into it.

Being GPL compatible is also a nice buzzword to use. And it makes coding easier - "Oh, it's GPL. I know that." (No need to read the licence and compare it to the GPL to work out how compatible it is.)

I'm not sure exactly in this case how it benefits everyone but the above may give a good idea of why GPL is better to have than just "open source".

Thursday, February 22, 2007

Drive-by Downloads

Hi,

This is a very informative and rather scary video.

I suggest all Information Security people watch it. Then show it to all their Internet users.

Home users should watch it too. They may learn something.

The good news is that drive-by downloads become very hard to pull off if you keep your machine fully patched - browser and plugins included, since most of these attacks go after known, already-fixed holes. Patching is free for almost all Operating Systems, so why not? (It is not a complete guarantee: an attack on a flaw the vendor has not fixed yet will still get through, which is why the video is worth showing to users anyway.)

The official description is:
Network security analyst Corey Nachreiner, CISSP, shows what happens when you're browsing the Web and a "drive-by download" attack hits you. Produced by LiveSecurity for WatchGuard Technologies.


It is brilliant stuff and hopefully there will be more from these guys.

Wednesday, February 21, 2007

$M$

Another off topic posting. For an information security blog - I'm not doing so well... but then I never promised that I would. And this is my second post in one day!

According to the wikipedia: The first commercial SMS message was sent over the Vodafone GSM network in the United Kingdom on 3 December 1992, from Neil Papworth of Sema Group (using a personal computer) to Richard Jarvis of Vodafone (using an Orbitel 901 handset). The text of the message was "Merry Christmas".

That was just over 14 years ago. According to an article in itweb, SMS revenues are to hit $67 Billion by 2012. Their source is Portico Research.

That's a lot of beep-beep-ing money.

New York - City that never sleeps.

Just a quick one - promise.

Mayor Bloomberg of NYC, in his "State of the City" on the www.nyc.gov site, boasts that NYC had 44 Million visitors. That's pretty good going considering that the population of the whole of South Africa is about 44 Million and the population of Australia is about 21 Million.

So, essentially, the whole of South Africa could have visited New York. Or the whole of Australia could have - twice in one year.

Amazing.

Coincidentally, the number of people living in NYC is 8.2 Million - which is roughly the number of visitors (estimated, very badly, by yours truly, but probably rather accurate) to South Africa in a year.

Tuesday, February 13, 2007

Eventually we may make it back to the early nineties (Part 2 of the 70s post)

In 1995 IBM bought Lotus for $3.5 billion. Cash.

Read that again.

Sure, Lotus 1-2-3 was still around and still (if I recall correctly) the market leader. Office 95 totally killed that. But it was not Lotus's most famous software package that IBM wanted. They wanted Lotus Notes. And they paid $3.5 billion (cash money) for the pleasure.

IBM Lotus Notes is still around today and very well respected. And used by some very big companies. But I really don't think it had the impact it should have. I think the reason is that Microsoft Exchange adapted more quickly to what companies wanted.

But, didn't need.

The thing is that IT has (unfortunately) positioned itself both as a strategic tool and a grudge expense. (It is also an operational tool..hmm..maybe we'll come back to this point... but I want to focus on strategic).

What the above means is that companies have salivated at the idea of using technology to beat their competitors. And it is very quick for something to go from strategic (read: competitive advantage) to operational (read: everyone is doing it). So companies push projects out quickly. If you are a leader you want to stay that way for as long as possible; if you are catching up, the same. You also want to do it as cheaply as possible, obviously.

So the poor IT department has to roll out projects as quickly as possible, as cheaply as possible. And probably with very little planning or training.

So, given the choice between a proper system for managing staff using workflow, perfectly designed job descriptions and properly thought out business processes that all just works, or a quickly cobbled-together mail system with a nice directory and calendar - what would most IT decision makers choose? Yep, the cheaper and quicker one.

Now, don't get me wrong - I don't know enough about Lotus Notes to promote it as a perfect system, nor do I know enough about Exchange to put it down. That's not my point here. And, in fact, I bet that a good system where Exchange is used as part of a well organised workflow solution would be better than a badly created Notes implementation.

My point is this: through the mistakes of the past we have reached a point where a business may not know what information it has, (perhaps even) what machines it has and what people it has. There are ways to track all of these, but the computer systems were never designed for it.

In the heady, do anything days gone by companies from small to big did things like this:
  • A server comes to end of life and is removed from the network. But a project that is way over budget needs a not-so-powerful server, so the old server is reused. Maybe the server was an HR server (inside the network and fairly safe) and is now a webserver (open to the world). Because it is a mission to re-install the OS, the box is left as is and just has a webserver added to it. Your HR information is now at risk and, because there was no formal installation or project, the new server is a ghost server, only noticed if/when it goes down.
  • The mail server administrator moves into a new job but his mail server access is not taken away. He now has access to all the mails on the server.
  • Even worse - he leaves the company and his account is not removed.
  • The CEO's personal assistant who has access to all his files downloads a valentines day card that is actually a trojan. It is able to install itself because she has Administrative rights to her PC.
Etc.

If processes had been in place long ago this would not be an issue. Now you have 10000 user accounts and no paperwork. Which of those people are still employed, and do they have all the access (and only the access) they need? If you start a clean-up now you will annoy everyone, from the top all the way down. Whoops... due to IT's need to impress ages ago and business's need for speed, you are the bad guy.
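The clean-up described above starts with a reconciliation: which accounts in the directory still belong to a current employee, and which of them hold groups their current job does not call for (the mail administrator who changed jobs, the PA with local admin rights). The following is an added example and not code from the original post; the HR roster, the directory export and the role-to-group matrix are constructed sample data standing in for an HR feed, an LDAP/AD export and an access policy.

```python
"""Reconcile a directory's accounts against the HR roster and a role matrix.

Added example (not from the original post). ROLE_GROUPS, PRIVILEGED_GROUPS,
HR_ROSTER and DIRECTORY are constructed sample data; in practice they would
come from HR, a directory export and the organisation's access policy.
"""
from dataclasses import dataclass

# Which groups each job role is entitled to. Anything beyond this is excess.
ROLE_GROUPS = {
    "mail-admin": {"Domain Users", "Mail Admins"},
    "hr-clerk":   {"Domain Users", "HR Data"},
    "pa":         {"Domain Users", "Exec Files"},
    "developer":  {"Domain Users", "Dev"},
}

# Groups that confer administrative power; membership is always reported.
PRIVILEGED_GROUPS = {"Mail Admins", "Domain Admins", "Local Admins"}


@dataclass(frozen=True)
class Employee:
    username: str
    role: str
    employed: bool  # False once HR has recorded a termination


@dataclass(frozen=True)
class Account:
    username: str
    groups: frozenset


# Constructed HR roster: bob was the mail admin and is now a developer,
# alice is the CEO's PA, carol has left the company.
HR_ROSTER = [
    Employee("bob", "developer", True),
    Employee("alice", "pa", True),
    Employee("carol", "hr-clerk", False),
]

# Constructed directory export, with the stale rights nobody cleaned up.
DIRECTORY = [
    Account("bob", frozenset({"Domain Users", "Mail Admins", "Dev"})),
    Account("alice", frozenset({"Domain Users", "Exec Files", "Local Admins"})),
    Account("carol", frozenset({"Domain Users", "HR Data"})),
    Account("svc-old-hr", frozenset({"Domain Users", "HR Data"})),  # no owner
]


def reconcile(roster, directory, role_groups=ROLE_GROUPS,
              privileged=PRIVILEGED_GROUPS):
    """Return findings keyed by username.

    orphaned   : accounts with no current employee behind them
    excess     : groups an account holds beyond what its role allows
    privileged : privileged groups held by anyone, current or not
    """
    by_user = {e.username: e for e in roster}
    orphaned, excess, priv = {}, {}, {}
    for acct in directory:
        emp = by_user.get(acct.username)
        if emp is None:
            orphaned[acct.username] = "no HR record"
        elif not emp.employed:
            orphaned[acct.username] = "terminated but account still present"
        else:
            extra = acct.groups - role_groups.get(emp.role, set())
            if extra:
                excess[acct.username] = sorted(extra)
        held = acct.groups & privileged
        if held:
            priv[acct.username] = sorted(held)
    return {"orphaned": orphaned, "excess": excess, "privileged": priv}


if __name__ == "__main__":
    for category, entries in reconcile(HR_ROSTER, DIRECTORY).items():
        print(f"{category}:")
        for user, detail in sorted(entries.items()):
            print(f"  {user}: {detail}")
```

Run against the sample data it reports carol's and the unowned service account as orphaned, and flags bob's leftover "Mail Admins" and alice's "Local Admins" as both excess for their roles and privileged. The same three lists are what you would take to management before disabling anything, so that the "piss everyone off" step at least happens with evidence in hand.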

But it will happen. With (more) money, time and tears.

Slowly companies will realise what problems they have and how insecure they are. Or someone out there will show them. And they will put the procedures in place, the technology will follow and the organisation will be turned into a perfect workflow oriented organisation.

And there will be some ROI as people's jobs are done quicker, smoother and with less paperwork. Private information of 3rd parties will be in secure databases. Databases will be backed up and the information will not leak out through discontinued servers and stolen laptops.

And it will all be good.

And then we will have caught up to the vision that IBM had in the early nineties when they paid $3.5 billion cash for Lotus - a company that knows who it is and what it is doing, with IT systems that know the same.

Thursday, February 8, 2007

Intra-company PreCommunication Policy Exchange

You heard it here first!

I'm sure that someone out there is going to try to patent this idea, so let me put it out on the Internet first. I'm not interested in the patent - if I make this I'll try my best to be the best and beat competitors that way.

Right - I will try to explain this in simple terms.

(As I see it) The problem with mail these days is
  • Spam
  • Contract law
Mail as we know it (SMTP for the geeks) originated in a wonderful carefree environment untouched by the ugliness of unfettered Capitalism. There was no spam. I remember the days when you could use any SMTP server out on the Internet to "relay" your mail. Sort of like travelling in New Guinea or New Zealand or New York: you happen to pass a letterbox/postbox and you pop your mail in, and it will get where you want it to. For free - the owner of the mail server paid something ridiculously small to move your mail, secure in the knowledge that if he was in your home town your mail server would relay his.

Then companies saw this marketing opportunity - free mail! And decided to abuse it. Hence spam. Now everyone only relays their own mail. And we still have spam.

The other issue with mail's naive beginnings is that anyone could pretend to be anyone. It was based on trust. For most people the fun of pretending to be someone else wears off after the first few times. Not for spammers - they need to pretend to be someone else all the time. Otherwise they would be simple to block, and everyone would block them except for the idiots who want to lose money on the stock exchange and make up for it with huge... well... Pfizer's blue pills.

Wouldn't it be great to be able to receive mail only from companies we deal with? I think so. Set up an information account that can still receive spam and all sorts of junk, but have regular users only get mail from companies that are trusted.

The other issue is that email was just for fun - first for geeks, then for cool geeks, then for cool people (like wow!) and then for the man in the street (and his tech savvy kids). Then more and more business people saw the advantage of cheap and quick written communication - untrusted as it was.

And more business information was exchanged over email. As information decided it wanted to stay as bits and bytes and not ink spots on a page, the definition of "document" as a piece of paper became increasingly wrong. (I remember a story about this - I will put it in my next post). The laws became wrong and they were changed. South Africa made a new law called the "ECT Act" which mainly extended the definition of "documents".

The law was slow to recognise email as a legitimate business tool but so were the geeks. Email today is the same as email of when it was not important to business. All of a sudden email was important - deals could be made through email. Decisions could be made. Companies could be sued. People could be fired. All through a medium that can be very easily spoofed or lost. How does one know exactly who sends an email? You can't, not easily. Not yet.

So, because companies were scared of the law and scared of the power email has, the disclaimer was born. The disclaimers used to say "if you are not the intended recipient of this email - destroy it and forget what you have read, please". Now they are more complex, but they say "if you are the recipient of this mail and we have written anything that we may want to take back at a later stage - we can!". I know a company that says the above and adds "The law that makes this a document - ignore that law". It's a technology company.

But then what is the point of email?

I think that it would be a great idea to work out all the companies that your company emails. This may be a mission at first, but I doubt it would be as bad as people may think. Then work out what sort of relationship you have with each company. Make out a few contracts - one for suppliers, one for once-off suppliers, one for customers, etc. Then approach them and ask them to enter into a contract. I will provide an example contract soon. Once that is done - no need for spam checking, just have a white list. No need for disclaimers. You want to do ordering through email and have it binding - perfect - it can be done legally and (now) safely.
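What the gateway would actually do with that list is simple: look up the sender's domain in the register of contracts and deliver only if there is one, while the public information mailbox keeps taking everything. The following is an added example and not code from the original post; the organisation's domain, the contract register, the "info" mailbox name and the sample messages are constructed. One caveat the post itself raises applies here: a From header can be written by anyone, so the check below only catches the crude forgery where the envelope sender and the header disagree, and it assumes the gateway has authenticated the sending domain (for instance with SPF) before any of this is trusted.

```python
"""Whitelist-only delivery policy for an organisation's mailboxes.

Added example (not from the original post). OUR_DOMAIN, CATCHALL_LOCALPART,
CONTRACTS and SAMPLES are constructed. A real gateway would load the contract
register from wherever the signed agreements are recorded and would check
sender authentication (e.g. SPF) before trusting either address below.
"""
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.co.za"      # assumption: the receiving organisation
CATCHALL_LOCALPART = "info"       # the one mailbox that still takes junk

# Constructed contract register: sender domain -> relationship type.
CONTRACTS = {
    "supplier.example": "supplier",
    "onceoff.example": "once-off-supplier",
    "customer.example": "customer",
}


def domain_of(addr):
    """Lower-cased domain of an address, or '' if there is none (e.g. '<>')."""
    _, email = parseaddr(addr)
    return email.rpartition("@")[2].lower() if "@" in email else ""


def decide(envelope_from, envelope_rcpt, raw_headers, contracts=CONTRACTS):
    """Return (verdict, reason) for one inbound message.

    verdict is 'accept', 'reject' or 'catchall'. envelope_from/envelope_rcpt
    are the SMTP MAIL FROM / RCPT TO values; raw_headers is the header block.
    """
    rcpt_local, _, rcpt_domain = envelope_rcpt.lower().rpartition("@")
    if rcpt_domain != OUR_DOMAIN:
        return "reject", "not our domain"          # no relaying for others
    if rcpt_local == CATCHALL_LOCALPART:
        return "catchall", "unfiltered mailbox"    # spam allowed here by design

    env_domain = domain_of(envelope_from)
    hdr_domain = domain_of(message_from_string(raw_headers).get("From", ""))
    if not env_domain or env_domain != hdr_domain:
        # Envelope sender and header From disagree: the usual forgery pattern.
        return "reject", "sender identity inconsistent"
    relationship = contracts.get(env_domain)
    if relationship is None:
        return "reject", "no contract with sender domain"
    return "accept", f"contract: {relationship}"


# Constructed sample traffic: (MAIL FROM, RCPT TO, headers).
SAMPLES = [
    ("orders@supplier.example", "buyer@example.co.za",
     "From: Orders <orders@supplier.example>\nSubject: PO 4471\n"),
    ("bounce@spamhost.example", "buyer@example.co.za",
     "From: CEO <ceo@customer.example>\nSubject: urgent payment\n"),
    ("anyone@anywhere.example", "info@example.co.za",
     "From: anyone@anywhere.example\nSubject: newsletter\n"),
    ("x@unknown.example", "buyer@example.co.za",
     "From: x@unknown.example\nSubject: hello\n"),
]

if __name__ == "__main__":
    for env_from, rcpt, headers in SAMPLES:
        verdict, reason = decide(env_from, rcpt, headers)
        print(f"{env_from:>28} -> {rcpt:<22} {verdict:8} ({reason})")
```

The second sample is the point of the exercise: a message claiming to be from a contracted customer but handed over by an unrelated host is refused before the contract register is even consulted. Extending the register with a per-relationship rule (for example, only "supplier" domains may send to the ordering mailbox) is a one-line change in `decide`.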

More on this soon.... but, remember, you heard it here first!

Tuesday, February 6, 2007

We support you FNB!

Ok, this is way off topic. But it is my blog so I can do what I want with it, not?

I bank with FNB and I am proud to be a customer of theirs.

South Africans should know this story by now but overseas readers may not:

First National Bank is involved in a number of non-banking initiatives to give back to the community etc.

One of these was a petition to the Office of the President asking for more action to be taken on crime. They made thousands of little booklets that were addressed to the above Office. The plan was to send these out to the general public who would then fill in an incident of crime that had touched them. The petitions were (at the bank's expense) already stamped and addressed.

The Government got wind of the idea and (it is alleged) put pressure on the bank (who does the banking for some big government departments) and the whole plan was dropped.

FNB is a business and I understand them needing to reassess the situation and watching the bottom line first but I am very upset with the Government and the position they have taken.

It is obvious that crime is a huge deal in South Africa - even the conservative, edited, diminutive statistics that get released each year show how bad South Africa's crime levels are.

Even wikipedia has an article on crime in South Africa which begins "Crime is a major problem in South Africa. According to a survey for the period 1998-2000 compiled by the United Nations Office on Drugs and Crime, South Africa was ranked second for assault and murder (by all means) per capita, in addition to being ranked second for rape and first for rapes per capita."

(I feel that) It got to the point where normal people were sick of crime but were numb to it. The papers stopped printing stories about crime unless they were strange or terrible.

Then South Africa got interested in crime again:

  • The Minister of Safety and Security, Charles Nqakula caused outrage among South Africans in June 2006 when he responded to opposition MPs in parliament, who were not satisfied that enough was being done to counter crime, saying that MPs who complain about the country's crime rate, should stop whining and leave the country (Also from the wikipedia)
  • The 19th FIFA World Cup is scheduled to take place in South Africa. This event will bring tons of foreign capital into South Africa and promote to the entire world the idea of South Africa as a holiday destination. On the other hand, the infrastructure and initial outlay are huge too. It is do-or-die. This competition has to be handled perfectly for the country to benefit. Crime is a risk to this. Possibly the most important one.
These, combined with the fact that Government does not seem to be willing/able to deal with crime, have left South Africans feeling lost about this issue.

First National Bank seems to be a very patriotic bank. They have loads of adverts promoting how great the 2010 FIFA World Cup will be. They are also (the main?) sponsor of http://www.homecomingrevolution.co.za/ which aims to promote South Africa to expatriates who may be interested in returning.

Reading a few messages on the forum there, the message is quite clear - "we would love to return home for a million reasons. and we will not for one reason - crime!"

It seems to me that FNB as an institution has, like the rest of us, simply had enough of the moaning about crime and wants to do something about it. They are not allowed to start their own police force and justice system, so they are trying to get the attention of the people who can deal with crime.

Unfortunately instead of taking action against crime the Government have taken action against FNB.

And that...is a crime.

Friday, February 2, 2007

Racing to get to the seventies.(Part One)

A quote, attributed to Henry Spencer goes " Those who don't understand UNIX are condemned to reinvent it, poorly."

Being a Linux boy, I always liked that quote. And I could see it in practice. Linux never hid the fact that it was mostly based on Unix, but DOS/Windows did. With Linux being free, Microsoft was caught in a bit of a bind: they had to pretend everything DOS was better and everything non-DOS was worse. Fair enough, DOS and the pretty stuff they placed on top of it was their bread and butter.

But as time has progressed Windows has moved toward looking and working more like Unix. The main change is that the person sitting at the box is no longer innately trusted. There are no file permissions on FAT: all files are available to whoever uses the machine. NTFS, with per-file access control lists, changed all of that. Windows 98 didn't need the user to log on; XP does.

It is not my purpose here to trash the Windows Operating Systems of yesteryear. In fact, Linux had some shortcomings in the 90s too. It is my point that it has taken us about 30 years to get our PCs to the point where they are now as safe as the Unix servers that were around in the 1970s.