Category Archives: Opinion

What I Was Doing On 9/11/2001

In 2001, I was the security strategist for a national wireless telecommunications company. I usually awoke early to read the news online, and on September 11 I was in my home office shortly after 5:00am Pacific Time.  I was perusing corporate e-mail and browsing the news, when I saw a story of a plane crashing into a building in New York.

I had a television in the home office, and I reached over to turn it on. I tuned to CNN and watched as smoke poured from one of the two towers in the background, as two commentators droned on about what this could be about. While watching this I saw the second airliner emerge from the background and crash into the second tower.

Like many, I thought I was watching a video loop of the first crash, but soon realized I was watching live TV.

I e-mailed and IM’d members of our national security team to get them aware of these developments. Before 6am Pacific time, we had our national emergency conference bridge up and running (and it would stay on all day). Very soon we understood the gravity of the situation, and wondered what would happen next.  We were a nation under attack and needed to take steps to protect our business.  Within minutes we had initiated a nationwide lockdown (I cannot divulge details on what that means), and over the next several hours we took more steps to protect the company.

——–

Since being a teen-ager I had a particular interest in World War Two. My father was a bombardier instructor, and his business partner and best friend was a highly decorated air ace.

——–

We are under attack and we are at war, I thought to myself early that morning, and while I don’t remember specifics about our national conference bridge, I’m certain that I or someone else on the bridge said as much.  Like the sneak attack on Pearl Harbor on December 7, 1941, we all believed that the 9/11 attacks could have been the opening salvos of a much larger plan. Thankfully that was not the case. But in the moment, there was no way to know for sure.

For many days, I and probably a lot of Americans expected more things to happen. The fact that they didn’t was both a surprise and a relief.

Neat Receipts Has Forgotten (or never knew) How to Earn Customer Loyalty

I’ve been a happy user of Neat Receipts for years, having purchased one of their portable scanners. It has worked pretty much  trouble free on PCs and Macs since I purchased it. But that was all about to change.

I upgraded my Mac to El Capitan a couple of months ago, and today needed to scan some diagrams that I’ll be using in an upcoming book. The Neat software did not recognize the scanner, so I went through the usual troubleshooting, including special steps on the Neat website for El Capitan users. Still, no luck.

Neat

I went to Neat’s customer support page, and found that their chat function was working (today is Saturday). I discussed the matter with the support rep, who asked me for the model of my scanner (it’s NR-030108). The rep told me that this model was no longer supported and would not work any longer. Oh great.  I asked whether there was any kind of a trade-in allowance, and he answered that there was not.

So, Neat has obsoleted my scanner.  I can get over it – it’s a part of the regular improvements in information technology. I get that. But, Neat is offering nothing in order to keep me as a customer.  There is nothing keeping me from considering other good products such as Fujitsu ScanSnap S1100i, for instance. In fact the Fujitsu is a little less expensive, it works with Mac, does everything I need, and has a slew of good online reviews.

Apparently Neat is going to just let me walk.

Security: Not a Priority for Retail Organizations

Several years ago, VISA announced a “liability shift” wherein merchants would be directly liable for credit card fraud on magstripe card transactions. The deadline for this came and went in October, 2015, and many merchants still didn’t have chip reader terminals. But to be fair to retailers, most of the credit/debit cards in my wallet are magstripe only, so it’s not ONLY retailers who are dragging their feet.

My employment and consulting background over the past dozen years revealed plainly to me that retail organizations want to have as little to do with security as possible. Many, in fact, even resist being compliant with required standards like PCI DSS. For any of you who are unfamiliar with security and compliance, in our industry, it is well understood that compliance does not equal security – not even close to it.

I saw an article today, which says it all. A key statement read, “There is a report that over the holidays several retailers disabled the EMV (Chip and Pin) functionality of their card readers. The reason for this? They did not want to deal with the extra time it takes for a transaction. With a standard card swipe (mag-swipe) you are ready to put in your pin and pay in about three seconds. With EMV this is extended to roughly 10 seconds.” Based on my personal and professional experience with several retail organizations, I am not surprised by this.  Most retailers just don’t want to have to do security at all. You, shoppers, are the ones who pay the price for it.

tacoma-narrows

IT Lacks Engineering Discipline and Rigor

Every week we read the news about new, spectacular security breaches. This has been going on for years, and sometimes I wonder if there are any organizations left that have not been breached.

Why are breaches occurring at such a clip? Through decades of experience in IT and data security, I believe I have at least a part of the answer. But first, I want to shift our focus to a different discipline, that of civil engineering.

Civil engineers design and build bridges, buildings, tunnels, and dams, as well as many other things. Civil engineers who design these and other structures have college degrees, and they have a license called a Professional Engineer. In their design work, they carefully examine every component and calculate the forces that will act upon it, and size it accordingly to withstand expected forces, with a generous margin for error, to cover unexpected circumstances. Their designs undergo reviews before their plans can be called complete.  Inspectors carefully examine and approve plans, and they examine every phase of site preparation and construction. The finished product is inspected before it may be used.  Any defects found along the way, from drawings to final inspection, results in a halt in the project and changes in design or implementation.  The result: remarkably reliable and long-lasting structures that, when maintained properly, provide decades of dependable use. This practice has been in use for a century or two and has held up under scrutiny. We rarely hear of failures of bridges, dams, and so on, because the system of qualifying and licensing designers and builders, as well as design and construction inspections works. It’s about quality and reliability, and it shows.

Information technology is not anything like civil engineering. Very few organizations employ formal design with design review, nor inspections of components as development of networks, systems, and applications. The result: systems that lack proper functionality, resilience, and security. I will explore this further.

When organizations embark to implement new IT systems – whether networks, operating systems, database management systems, or applications – they do so with little formality of design, and rarely with any level of design or implementation review.  The result is “brittle” IT systems that barely work. In over thirty years of IT, this is the norm that I have observed in over a dozen organizations in several industries, including banking and financial services.

In case you think I’m pontificating from my ivory tower, I’m among the guilty here. Most of my IT career has been in organizations with some ITIL processes like change management, but utterly lacking in the level of engineering rigor seen in civil engineering and other engineering disciplines.  Is it any wonder, then, when we hear news of IT project failures and breaches?

Some of you will argue that IT does not require the same level of discipline as civil or aeronautical engineering, mostly because lives are not directly on the line as they are with bridges and airplanes. Fine. But, be prepared to accept losses in productivity due to code defects and unscheduled downtime, and security breaches. If security and reliability are not a part of the design, then the resulting product will be secure and reliable by accident, but not purposely.

So Long, Microsoft, And Thanks For All The Fish

Word Version 1.1a

Word Version 1.1a

I have been using Microsoft software since 1985 when I purchased Microsoft Word and Microsoft Multiplan for my new Zenith Z160 “portable” PC. I’ve used Word continuously for thirty years at home, at work, as a university instructor, and as a published author.

I wrote my first three books in FrameMaker, a superior but far more expensive word processor ($500 per user in 1998) as required by my publishers at the time. But by the early 2000’s most had moved to Word since Microsoft had sufficiently closed the feature gap.

I’m coming to realize that this weekend might be the last time I use Microsoft software – at home anyway (I use a PC running Windows 7 and Office for work).

z160

Zenith Z160 portable computer

I ordered a new MacBook Pro yesterday, and it will arrive on Monday. The MBP comes with Apple’s versions of office programs, called Pages, Keynote, and Numbers. Next week I will try them out on my university teaching and on my current writing project. If it goes alright and I figure out all of the subtle differences, I will probably not purchase Office for the new Mac.

Part of this comes down to economics. Office for Mac costs $150 or more, and the same programs from Apple cost $20 apiece (if you don’t have a new Mac that came with them), or free with your Mac since some time in the past year or two.

I’ll post a review of Pages, Keynote, and Numbers in a month or so after I’ve been using them a while.

Still, I can’t help but feel somewhat nostalgic, as I’ve had Word with me nearly all of my adult life. But as the dolphins exclaim in Hitchhiker’s Guide to the Galaxy, “So long, and thanks for all the fish.”

In air travel and data security, there are no guarantees of absolute safety

The recent tragic GermanWings crash has illustrated an important point: even the best designed safety systems can be defeated in scenarios where a trusted individual decides to go rogue.

In the case of the GermanWings crash, the co-pilot was able to lock the pilot out of the cockpit. The cockpit door locking mechanism is designed to enable a trusted individual inside the cockpit from preventing an unwanted person from being able to enter.

Such safeguards exist in security mechanisms in information systems. However, these safeguards only work when those at the controls are competent. If they go rogue, there is little, if anything, that can be done to slow or stop their actions. Any administrator with responsibilities and privileges for maintaining software, operating systems, databases, or networks has near-absolute control over those objects. If they decide to go rogue, at best the security mechanisms will record their malevolent actions, just as the cockpit voice recorder documented the pilot’s attempts to re-enter the cockpit, as well as the co-pilot’s breathing, indicating he was still alive.

Remember that technology – even protective controls – cannot know the intent of the operator. Technology, the amplifier of a person’s will, blindly obeys.

DSL Hell

I am a CenturyLink DSL customer in Seattle, WA. CenturyLink advertises 1 Gig Internet, but in our neighborhood, 10MB is all that is available.  Countless inquiries to customer support and tech support have not identified a soul who knows if or when faster DSL is coming to my neighborhood.

Often, the DSL is so bad that simple tasks such as loading web pages often times out. Speed tests typically show < 1MB of download speed. Here is a typical test from earlier today.speednot

CenturyLink techs have been out to the house numerous times. I’ve tried several different modems. I’ve bypassed my internal wiring altogether. Nothing they have done has made any difference.

I am a work from home (WFH) security consultant. However, on bad days, WFH is more like “wait from home”. Some days it seems like a miracle if my VPN connection stays up for more than an hour.

Here in Seattle, my only choices are CenturyLink for DSL and Comcast. CenturyLink has had two years to get the DSL service working right. Comcast, you’re next. My neighbors all say their Comcast Internet rocks and is really fast. Let’s hope so.