Power, power, power cuts

July 28, 2007

Last week's power cut in SF, which took out a whole lot of Web2.0 utilities such as Technorati, was entirely predictable and avoidable.

The blog I linked to above is actually interesting because Derek Gordon mentions one of the ways in which to avoid losing connectivity during blackouts – radio. Not that Technorati, Craigslist etc. actually used radio, oh no, that’d be far too old-fashioned for the oh-so-tech-savvy web gurus to think about.

In fact, a good backup plan would not only consist of regularly tested (and I mean, every week) UPS systems, generators (with regularly checked fuel levels), but also redundant, diverse comms links – here I mean different providers and different technologies. Radio links, microwave, satellite. If your traffic is too big for that to be realistic then you need to start thinking about operating out of two or more centres in geographically diverse locations.
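To make the checklist above concrete, here is an added example (my own illustration, not code from the original post or from any of the sites it mentions) that runs a small resilience inventory against the criteria the paragraph lists: UPS units tested within the last week, generators with recently checked fuel, comms links that are diverse in both provider and technology, and more than one geographic region for the fleet. The inventory records are constructed sample data, and the fuel threshold is an assumption of mine, not something the post specifies.

```python
"""Resilience inventory checker (added example, not from the original post).
Sample sites below are constructed; the fuel threshold is an assumed value."""
from datetime import date, timedelta

TEST_INTERVAL = timedelta(days=7)        # "regularly tested (and I mean, every week)"
FUEL_CHECK_INTERVAL = timedelta(days=7)  # generator fuel levels checked weekly
MIN_FUEL_FRACTION = 0.5                  # assumption: below half a tank is a finding


def power_findings(ups_units, generators, today):
    """Return a list of findings for stale UPS tests and neglected generators."""
    findings = []
    for ups in ups_units:
        age = today - ups["last_test"]
        if age > TEST_INTERVAL:
            findings.append(f"UPS {ups['id']}: last tested {age.days} days ago "
                            f"(limit {TEST_INTERVAL.days})")
    for gen in generators:
        age = today - gen["fuel_checked"]
        if age > FUEL_CHECK_INTERVAL:
            findings.append(f"generator {gen['id']}: fuel not checked for {age.days} days")
        if gen["fuel_fraction"] < MIN_FUEL_FRACTION:
            findings.append(f"generator {gen['id']}: fuel at {gen['fuel_fraction']:.0%}, "
                            f"below {MIN_FUEL_FRACTION:.0%}")
    return findings


def comms_findings(links):
    """Redundant links only help if they differ in provider AND technology."""
    findings = []
    if len(links) < 2:
        findings.append("single comms link: no redundancy at all")
        return findings
    providers = {link["provider"] for link in links}
    techs = {link["technology"] for link in links}
    if len(providers) < 2:
        findings.append(f"all links from one provider ({providers.pop()})")
    if len(techs) < 2:
        findings.append(f"all links use one technology ({techs.pop()})")
    return findings


def site_findings(site, today):
    return (power_findings(site["ups"], site["generators"], today)
            + comms_findings(site["links"]))


def fleet_findings(sites, today):
    """Per-site findings, plus a fleet-level finding if every site shares a region."""
    report = {site["name"]: site_findings(site, today) for site in sites}
    if len({site["region"] for site in sites}) < 2:
        report["fleet"] = ["all sites in one region: no geographic diversity"]
    return report


# Constructed sample inventory: one neglected site, one well-run site.
TODAY = date(2007, 7, 28)
SITES = [
    {"name": "sf-1", "region": "us-west",
     "ups": [{"id": "ups-a", "last_test": date(2007, 6, 1)}],
     "generators": [{"id": "gen-a", "fuel_checked": date(2007, 5, 15), "fuel_fraction": 0.2}],
     "links": [{"provider": "carrier-x", "technology": "fibre"},
               {"provider": "carrier-x", "technology": "fibre"}]},
    {"name": "dub-1", "region": "eu-west",
     "ups": [{"id": "ups-b", "last_test": date(2007, 7, 24)}],
     "generators": [{"id": "gen-b", "fuel_checked": date(2007, 7, 24), "fuel_fraction": 0.9}],
     "links": [{"provider": "carrier-y", "technology": "fibre"},
               {"provider": "carrier-z", "technology": "microwave"}]},
]

if __name__ == "__main__":
    for name, findings in fleet_findings(SITES, TODAY).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The point of the provider-and-technology check is the one the post makes: two fibre circuits from the same carrier share a failure domain, so they count as one link for planning purposes, whereas fibre plus microwave from different providers survives a single provider or single-medium outage.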

The pain caused to these web utilities is entirely their own stupid fault, and I really have to wonder who is doing their infrastructure planning.

CISSP means what?

July 8, 2007

Certified Information Security Professional, is what.

Now what does that mean?

A lot of people (recruiters especially) think that the CISSP is just another ITSec qualification, like or etc. etc. Thus one sees a lot of adverts along the lines of “Windows 2000 Server Admin, MCSE and CISSP required”, or “PIX Firewall Admin, CISSP req.”

This is comparing apples with – well, the machines that produce the apple juice! Slotting a CISSP into a Windows admin role is pretty much a waste of the CISSP. Firstly, there’s no guarantee that the CISSP knows anything about administering a Windows server farm or running a PIX firewall (I certainly don’t, but then, I’m not an MCSE so I don’t claim to know everything). And secondly, you’re not getting good ROI.

A CISSP should be the person sitting between, or slightly above, the admins, HR, auditors, developers, etc. etc., taking the high-level company policies and turning them into concrete policies, procedures and actionable items. This might take the form of an acceptable password policy to be applied across the various systems and OSes that the company has. It might be putting in place SLAs for Freedom of Information queries, so there’s some structure for dealing with those. It might be raising Data Protection concerns about the activities of a particular team or division. It might be sticking a sign on the fire door that employees are in the habit of leaving ajar. All of which I’ve done or been involved in (the sign said “

UK Smoking Ban and Info Security Risks

July 2, 2007

“What?” says you. “How does a smoking ban relate to Information Security?”

Of course it does. Statistics show that heavy smokers will get through about 20 cigarettes in a day. If half of the waking day is spent at work, this means about 10 trips outside for a smoke, leaving their desks unattended for several minutes, entering and exiting their office and perhaps having confidential telephone calls while they are outside. This increases the risk of an unauthorised person getting access to the office and unattended desks.
If I wanted to exploit this situation, I’d just wait outside the office where the staff smoke (generally it’s frowned upon to smoke right outside the office door!) and strike up a conversation with a likely target – I’m a new hire, I don’t know anybody, this non-smoking rule is a pain in the ass, I’ve forgotten my entry card… When the target stubs out the cigarette to go back to work, I stub mine out too, and follow the target into the office. Far fetched?
Now would seem a good time to rethink clean-desk policies and to re-emphasise the risks of tailgating.

Privacy v. Security

July 2, 2007

A recent LinkedIn question asked if Privacy is an attribute of Security.

Absolutely not. Security may service the needs of Privacy, but does not guarantee it.

I have a friend who is a data protection officer in Germany, and she regularly has problems with IT people who think that secure data is private data, when in fact they are two very different things. The penalties for not understanding this point are quite severe.

To illustrate the differences between Privacy (and the Expectation of Privacy) and security, take for instance the Open Skies deal between the EU and the USA which governs trans-Atlantic flights. The American government data-mines the PNR without any privacy guarantees, which is in breach of EU law (see (Outlaw) European Commission broke rules over passenger data). The DHS in fact broke its own rules on how to handle this data (see DHS Report (PDF)) and has publicly stated that it will be sharing this data with commercial data-mining operators. So now my private details are on any number of commercial databases in the US. Secure, perhaps, but private? Absolutely not.

Another example is the US datamining of SWIFT international financial transactions. See attached outlaw article. Again, now my private financial details are spread on various servers in the US and I have no right to privacy.

iPhone – hmmm…

July 1, 2007

My first post and what better topic than the device of the moment – the iPhone!
Widely touted as an excellent example of convergence, which you should have heard about in your first year of Computer Science, it combines the iPod blah blah blah.

I obviously haven’t seen it yet as it’s just being released in the USA for the time being (the lack of some basic phone features and the number of Apple stores probably being the key factors there), but I already know that I won’t be buying version 1.0 of said phone. Some basic features that I personally tend to use a lot are:
1. Writing SMS
2. Reading SMS
3. Taking calls
4. Receiving calls
5. Playing music

Apparently only one of which the iPhone does well. Yes it’s all very flash and high-tech, and no I wouldn’t decline it if offered for nothing, but I’m not going to splash out some $2k to own one (price including the obligatory rip-off AT&T plan).

But there are some serious barriers to this phone in the European market. Unlike some of the media analysts I don’t see price being one of these – a lot of people will be thinking “Well an iPod costs €300, so for an extra €200 I could buy this really cool phone…”
No, the issues I see are:
1. the lack of 3G – after forking out several billion Euro, what carrier is going to take on a brand new non-3G phone?
2. the lack of voice dialling – it being illegal in Ireland & the UK, and possibly other countries also, to use a mobile phone whilst driving, unless it’s entirely hands-free
3. the tie-up with iTunes – is iTunes even available in all of Europe yet? Is this going to fall foul of the EU on competition law?

So in short I’ll probably wait for a year or so, and if by that time Sony Ericsson, Samsung, Nokia etc. haven’t updated their UIs to something like the iPhone, and if it has 3G, and if I can unlock it so that when I travel I can stick in my SIM card for that country and not have to pay the extortionate roaming fees, I’ll be happy to bung one in my pocket.
