Archive for March, 2008

Tech speak vs. corp speak

Thursday, March 20th, 2008

If someone doesn’t know what TCP/IP means or what a CNAME record is, I can direct him to appropriate RFCs that define them.

Now, I wouldn’t actually direct an MBA to an RFC, because his eyes would glaze over about the time he got to “this memo has unlimited distribution.” But what matters is that I can direct him to such a document, because such a document exists. Tech-speak is done with well-defined terms that have standardized meaning, and it is used to clarify how we talk to each other.

If you can point me to a document or documents standardizing terms like “Web 2.0”, “enterprise”, “solution”, “mission-critical”, “partner”, etc., then I will admit my criticism of corporate speak is wrong. However, I don’t think you will be able to, because those documents don’t exist. Because these words’ meanings are not standardized. They mean to the speaker what he imagines he means, and they mean to the listener what he imagines he hears. That, I think, is what business types don’t understand when they compare themselves to techs: what we say means something, because we had to learn something objective, verifiable, and repeatable to get where we are, while they didn’t.

Why virus scanners are useless

Tuesday, March 11th, 2008

It’s been a long time since I’ve used a virus scanner at home, and I’ll tell you why:

1. Well, I’ve been using Linux since 1998. However, let’s put that aside as this still applies to before I completely converted to using strictly Linux in 2002.

2. It eats up system resources like you wouldn’t believe. Thanks, but I’d rather put my processor to better use – something other than doubling the processor power it takes to open a spreadsheet.

3. They can only find known viruses. Maybe being “protected” from tens of thousands of viruses comforts you, but I’m worried about the few no one knows about yet, and AV software provides no protection against those.

4. They are only partially successful in removing virii. How many times have you seen “Delete Failed! click here for more info”? I saw it a few times too many. I SHOULD NEVER EVER SEE THIS MESSAGE! This is a design failure.

5. AV software is not effective as a means of prevention. Virii come in two flavors, trojans and worms. Trojan – idiot user clicked on BrittneySpearsNaked.jpg.pif.bat.js.exe; AV cannot prevent this. Worm – Windows security issue; AV cannot prevent this. This is an over-simplification, and may not be 100% technically accurate, but you get the picture.

6. If AV software can’t prevent infection, and if it sometimes can’t even remove the infection, what good is it again? It’s good for Symantec, it’s good for McAfee, and it’s good for IT professionals who get to say “it’s not my fault, I did everything I could to prevent it” next time a Code Red happens.

Thoughts on worm complexity

Friday, March 7th, 2008

I have often wondered why we haven’t seen the emergence of worms with truly spectacular levels of sophistication. Nearly every worm/virus is small, presumably so that it can spread quickly in limited bandwidth situations. The limited size means limited sophistication and sometimes flaws in the design or operation.

To the best of my knowledge no one has developed a worm with fully pluggable attack vectors and payloads and automatic updating. An attack from such a worm would be all but unstoppable because there would always be a huge user base from which to start an attack. The attack would go like this:

1. Author writes the first version of the virus and deliberately infects machines. This version doesn’t spread on its own. This version doesn’t need to be terribly good; it just needs to infect 1000 machines or so, be upgradeable and form the initial core of the virus P2P system (maybe that should be V2V?).

2. Author refines virus and releases a new version. Some of the 1000 initial infections are still infected and upgrade themselves. They go on to infect other boxes automatically. Each box will try and upgrade and infect new boxes.

3. Hole exploited by the stage two virus is closed. Many are lost.

4. Author writes new exploit module and uploads it to virus network which then re-infects lost boxes and new boxes.

5. Virus scanners get to understand core virus and destroy numerous infections.

6. Author releases new version into the virus network which upgrades current installs. And so it goes on.

Perhaps someone is already doing this, I don’t know. It seems like a natural evolution for viruses though. A sort of virus P2P system so that the virus network can respond to attacks. You could even build viruses that knew the network was under attack and hid or destroyed themselves.

“IT saves the day!”…or something

Saturday, March 1st, 2008

When it comes to fuckups, IT is usually the last guy to get the hot potato, and they’re expected to save the day.

Any time a user screws up, the IT department is EXPECTED to save the day by upper management. If they don’t, it is (rarely) the fault of the employee, it’s the fault of the IT department for not anticipating such a need, or not being available at a second’s notice, or simply not being able to save someone else’s bacon. Oftentimes we’re asked to perform miracles.

It sounds reasonable, until you cross professions. Someone drives off the company driveway, crashes their car into a tree, car bursts into flames. Do the facilities people get in trouble for not anticipating the employee who leaned over to pick up his cell phone off the floor while driving, and failing to install a nice big inflatable barrier along all the roads? Of course not. Yet IT departments are expected to back up everything known to man and expected to resurrect deleted and/or overwritten files.

Another example – it’s 4:55pm and Fedex comes at 5:00pm to pick up a package that is going to The Big Client. The employee has procrastinated working on it, and goes to print at 4:57pm. There’s something wrong with the printer or their system. Guess whose emergency it becomes? Guess who gets screamed at on the telephone? Guess who gets reamed by the CEO because the package didn’t go out? Usually the IT department. “Why was the printer broken? Why couldn’t you fix it?”…not, “Bob, why did you wait until 5 minutes before your deadline?”

Then there are security breaches due to stupid people. Here’s a way to fix this:

Education and consequences.

Nobody takes security seriously because regular staff thinks that the IT guys are there to clean up the messes when they occur. What they don’t understand is that the IT department is not there to be a janitor or babysitter. The IT department is there to provide the information infrastructure to enable the company and to ensure the company’s information security. That doesn’t necessarily include end users.

My personal philosophy is that end-users should be punished severely for security breaches. Sure the IT department will fix the problem, but the person who clicked on the link (or opened the email) needs to pay a price for their behavior, otherwise they will continue to do it. Nearly every company has an IT AUP. Nearly every company says that you can be disciplined, including termination of employment, for violating the policy. Yet I have never worked at a company where day-to-day infractions (even those with security risks associated with them) were punished. Sure, every once in a while someone gets fired for surfing porn, or when their misuse of the system affects their ability to work (goofing off online for hours), but who gets fired for forwarding chain letters with flash animations in them? Nobody.

This absolutely has to change. If you had a receptionist who let random strangers in to wander the halls of your building she would be disciplined and probably canned. If you have a receptionist who forwards chain letters, clicks on suspicious links, downloads spyware and causes virus infections, the odds are nothing will happen to her.

Company officers think Information Security means securing the company with a firewall and looking out for hack attempts. They still don’t take Information Security seriously, and until they do, the rank-and-file won’t either.

Education alone is not going to do it. Education that is reinforced with consequences will.