August 29, 2003
Security through more centralization?
Salt Lake Tribune had an article from the Washington Post about the future direction of virus defenses.
Troy Jessup, our resident Security Analyst, has written some about this recently, as have I. We've talked at length about how to resolve this situation. This article gives one option: let better, faster, smarter people take care of it for us.
The latest SoBig virus showed how vulnerable the distributed anti-virus method is. Even in cases where a competent I.T. professional is managing the email system, the SoBig virus got through to infect whole organizations before the system-wide anti-virus was updated.
I don't think that consolidated email virus filtering is the solution, but it may be a big part of the solution. I'm sure that service providers will have an increase in customers who purchase virus-filtered email now, and organizations will look for better, faster, more reliable ways to filter virii from their email systems.
None of these really focus on the most important part of this problem: users who open executable attachments. Maybe it's just unreasonable to expect that users can be educated on such a complex issue. But users have to be involved, educated, and made more responsible for their activity on the Internet.
Microsoft, too.
Posted by pete at 2:46 PM
McCarthy wasn't so wrong, after all
NOVA is one of my favorite shows. I get to watch it pretty regularly, now that I have TiVo.
I watched "Secrets, Lies and Atomic Spies" last night. This show details evidence found in both Russia and the U.S. after the Cold War ended, showing (irrefutably) that there were more than 300 Soviet spies in every federal government agency, defense contractor, and defense laboratory. Most importantly, these spies, most of them Americans recruited by the KGB, made all of the nuclear bomb details available to the Soviet Union as they were developed in secret at Los Alamos and other labs, leading to the Soviet Union developing identical nuclear capabilities within months after the U.S. did.
There is a technology spin to this. America found out about this in the late 1940's by breaking an unbreakable encryption code, through some of the most tenuous manual and semi-computerized work I can imagine. Breaking the Soviet code to decrypt the telegraphs that contained the evidence of this massive spy network is still one of the most incredible cryptographic feats to date.
The most disturbing part of what has been uncovered, is that the KGB knew that America had broken the code from the first message that was decrypted (and immediately changed their communications methods, preventing any future message from being exposed). The American government knew since at least 1948, but details were never revealed to the American public until they were unearthed after the Cold War, first in Russia, and a few years later, when some of the documents were de-classified.
It's interesting to think how different the McCarthy era would have been, had McCarthy found out about this secret information--and the 300 active KGB spies. The McCarthy era ended up being seen (somewhat deservedly) as a real-life episode of "The Boy Who Cried Wolf," and as a result, Americans probably have an unwarranted sense of security (or naivete), even disbelief, regarding the possibility of foreign infiltration of our government.
It's interesting to think how differently Americans would think today about foreign spies, had this information been made available 50 years ago (instead of just now). And how differently Senator McCarthy would have affected the future of American foreign politics and perspectives. Also interesting to think about how this would have affected the Cold War (maybe for the worse), or if there even would have been a Cold War.
But maybe it's better we're not so paranoid. Maybe naivete is good sometimes. Whether it is or not, I don't think it excuses the government for not making this information available to the public a long time ago.
Posted by pete at 1:55 PM
August 28, 2003
Fiction is less interesting than real life
I've been an avid reader since before I started kindergarten (only a few years ago). During summers as a kid, I'd usually finish the local library summer reading program the first week or two of summer. I finished the Hardy Boys' series one summer, Three Investigators the next, and the whole collection of Louis L'Amour books the next year.
Until just the last few years, I read almost exclusively fiction books (I include many of the technical books I read in that category, too). But a few years ago, I started reading Michener books, and have found myself more and more interested in (near) non-fiction books, and less and less interested in fiction.
Some of the books I have recently read: The Civil War Trilogy, The Dancing Wu Li Masters, The Source, Guns, Germs and Steel, and Trust. Next up, I plan to read A New Kind of Science and The End of History. (Plus, I'm usually reading one or two business books and a couple of technical books at any time, but I don't usually consider those recreational reading)
I think one of the reasons why I have become so interested in non-fiction books is that I'm finding that the world and the people who live in it are so interesting, I really don't need to escape to the fiction world for entertainment. Or maybe I just read too much fiction as a kid and now I'm balancing it out with non-fiction.
Posted by pete at 11:36 PM | Comments (2)
August 27, 2003
Spam Irony
Too bad I didn't buy this product before I got their spam message
Subject: Tired of Deleting Junk e-Mail
From: MailWiper <MailWiper@SUMMERPRODUCTS.NET>
Date: Wed, August 27, 2003 2:44 pm
Title: Never See another Spam again
The following message was sent to you as an opt-in subscriber to Results-Driven Network. We will continue to bring you valuable offers on the products and services that interest you most. If you wish to unsubscribe please click on the remove link at the bottom of the page.
Sick of Junk e-Mail and Spam? Mail Wiper KILLS all Junk e-Mail & Spam. Easy to Install. In just a few seconds, you will never see another junk e-Mail again!
You are receiving this email as a subscriber to our mailing list. To remove yourself from this and related email lists click here: UNSUBSCRIBE MY EMAIL.
Posted by pete at 11:58 PM
August 26, 2003
The Internet as an organism, virii as ... virii
Zone-H has an insightful interview with an immunologist on the parallels between the role viruses play in strengthening the human immune system, and how viruses actually make the Internet better (or kill it).
Why computer virus writers are useful and we should thank them
I need to learn more about immunology, to see how deep this comparison goes. Security, anti-virus (they are called virii) in particular, has been compared to the immune system (though I think somewhat superficially). I'm sure there's a lot to be learned about computer security by better understanding nature's security mechanisms.
The biggest flaw I see in the comparison is that natural viruses and bacteria (by the Doctor's own admission) are inherently simple. Computer virii and worms are created by humans, so they can be more complex and evolve much faster.
I think a more apt comparison would be with biological weapons, human-engineered virii and bacteria. We deal with nerve gas much differently than we do with the common cold. If we let the human immune system naturally develop a defense against anthrax, instead of imposing an artificial (physical) defense on anthrax, we'd probably not be worrying about Internet security (or anything else) anymore.
Can the virtual Internet organism--the people who build the routers, who write the network and application software, the people who administer the systems, the security overseers, and the average end-user who puts a computer on a broadband connection, and opens attachments allegedly sent by friends--develop immunities faster than the virus writers?
I don't know if I agree that more viruses are better. There's a reason why we celebrate the eradication of smallpox, and why first-world citizens don't drink the water in third-world countries. Is the technology industry really going to stage a come-back if our I.T. people (and computer users) spend increasing amounts of time and money fixing bugs, patching systems, and cleaning up after the fact? The human immune system works well because we don't spend much time thinking about it--the Internet immune system isn't anywhere nearly as efficient.
I need to learn more about immunology.
Posted by pete at 11:47 AM | Comments (1)
GURLs: Google URLs for fun and fortune
Google is a search engine, a chaos directory. Google is a trusted source of general information, at least as close as we can get to such a thing on the Internet.
I have some confidence that the search results Google returns are deemed reliable, or at least interesting and relevant, by someone else's links to those sites. For example, a search on Google for "breast cancer" yields "National Alliance of Breast Cancer Organizations" at the top of the list, which appears relevant, and "ford tire recall" offers the National Highway Traffic Safety Administration page on the Firestone recall. Google is so confident about its ability to put the most relevant, reliable and/or interesting link at the top of the list, they will take you right to it using the "I'm Feeling Lucky" button. Why even bother looking at the results: they know what you want.
I've had my way with Google before. Could I possibly find yet another way to use the power, the prestige, the authority of the Google PageRank, for my own benefit, to further my own personal interests?
I suggest that a Google URL has much more credibility than the URL does by itself, at least for the average Internet URL. How so? A Google URL (GURL) such as http://www.google.com/search?q=computer+security includes descriptive information (I can see that this URL will return information about computer security) as well as implied authenticity (Google will show me a list of sites related to "Computer Security" ranked the way hundreds or thousands of Internet Web sites perceive their relative value, so I can assume that the top few are the most relevant and authoritative). Certainly more credibility than www.computersecurityconsultants.com (probably not more than www.fbi.gov though--but I'm talking about the average Web site owner here).
So, making this personal. Why tell people to go to my resume, http://pete.kruckenberg.com/resume, which is just a resume site like so many others out there?
Why not suggest instead that they go see who Google thinks is the most relevant, interesting and authoritative site on the topic of "network engineer": http://www.google.com/search?q=network+engineer&btnI=. Now it's not just my resume, in fact it's not my resume site at all. That's my GURL. My Google-validated resume URL.
Now, that's power and influence: that's using Google.
How can you create your own GURLs?
The GURL is the easy part. Simply go to Google, type your query in, and grab the URL from your Web browser to do some editing. Keep the http://www.google.com/search? part, the q=XXXXXXXX (up to the & part), and append &btnI= (tells Google you're feeling lucky) to the end. You'll end up with something like http://www.google.com/search?q=XXXXXXXXX&btnI= (you can reverse the q= and btnI= parts for visual appeal).
The difficult part is that GURLs only work if your site is the first one ranked by Google. So, you may not be able to use your GURL until you successfully convince Google PageRank that your site is the most relevant.
Posted by pete at 12:00 AM | Comments (2)
August 25, 2003
More on Trust, the Internet, and Microsoft
I've had a number of discussions since I wrote about how poor software development, Microsoft's predominantly, is the most serious threat to widespread Internet adoption (and connectivity).
A week later now, the world has a heightened appreciation for how vulnerable Microsoft's software is, and how unrealistic it is to put the burden on the end-user to patch, patch, patch, and patch again.
Patching and anti-virus can only be effective when there's enough time between the discovery of the vulnerability and/or exploit to develop the patch or virus signature file, make it available, distribute it, make sure it gets installed (and doesn't break anything else). In the old days, that cycle could take months, even years, before the exploit would show up (which would still be successful because people didn't bother to patch it). In the last month, that has changed completely.
First, we had the announcement by Microsoft of the most wide-spread, most serious vulnerability in recent history, followed up only a month later by an exploit. A month would seem like enough time, but a process developed around a 3-, 6-, or even 9-month notice-to-patched cycle doesn't compress to a month easily. Many organizations were just mobilizing wide-scale Windows updates, after completing testing and pilot deployments of the patch, when MSBlaster hit, shortly followed by Nachi-A. They may have been able to temporarily block the ports used by these worms, but Microsoft uses those ports for the majority of their network applications (Exchange, Windows file and print services). These organizations were reduced to complete network shut-downs and manual machine-by-machine patching.
The processes and tools (when there are tools) just aren't built to move so quickly. And the evening news doesn't report on the "potential" for a worm, they only report when the sky is falling, so most end-users didn't get the message (repeated often enough to notice) until they were already hit.
Of course, users of Linux, Unix, and Macintosh systems were only indirectly affected (by the Windows machines who were slowing down the network).
Then, in the middle of the Blaster/Nachi worm fiasco, SoBig.F was released. This was a zero-day virus, based on the previous SoBig, but changed enough that anti-virus signatures did not detect it. The anti-virus signatures were only made available hours before SoBig.F was showing up in tens of thousands of email boxes, and the attachment being opened by end-users confident that their anti-virus program was protecting them. And it appears that this is only the first of many iterations of SoBig that will be tested on the world's Microsoft email systems in the near future.
Of course, users of all non-Microsoft email systems were not affected, except indirectly with dozens of emails from their Microsoft-using friends and associates.
What's the solution? It almost seems an impasse now.
If anything, it's becoming more obvious that Microsoft software has a much higher TCO in the security category than almost any other main-stream software. Maybe that's because it's a bigger target, maybe it's just worse software, but regardless, it clearly costs more to secure a Microsoft network than a network based on Novell, Linux, Macintosh, or Unix. I wonder if that is factored into Microsoft's TCO analyses.
The solutions that people are starting to implement do not look favorable for Microsoft. After a lot of networks blocked the ports (135, etc) used by MSBlaster and Nachi-A, Exchange suddenly became one of the most cumbersome email programs to use (i.e., VPNs are being implemented at record paces). I've been involved with several organizations who are discussing further security restrictions for Microsoft-based networks, including building "walled garden" networks that put Microsoft clients on the Internet only with very strict (and less accommodating) security policies, and with more restrictive access to servers. A lot of companies and individuals running Windows for Web and email servers, as well as desktops, are seriously looking at Linux, Unix and Macintosh as more trusted alternatives, if they haven't already moved.
It's fortunate that we have so many choices and alternatives, even in a world that's almost entirely dominated by Microsoft's insecure software.
Posted by pete at 12:53 PM | Comments (1)
August 19, 2003
Don't say you've got it unless you've checked first
No, really.
Posted by pete at 2:33 PM
August 17, 2003
How can I trust the Internet?
I have just finished reading "Rethinking the design of the Internet: The end to end arguments vs. the brave new world." This paper revisits the original End-to-end paper written by Saltzer, Reed, and Clark in 1984, which was fundamental to the design of the Internet (especially the Internet Protocol and the Transmission Control Protocol--TCP).
Though Rethinking addresses many issues which threaten the end-to-end principle, the most serious one is that of trust.
Most of the discussion and development regarding trust on the Internet has been on technologies such as PKI for authentication and encryption.
In theory, PKI and similar technologies are the right direction. But there is a more serious threat to trust, that is undermining the general confidence in the Internet as a viable long-term communications medium.
As discussed in Rethinking, the first implementation of trust on the Internet was with the TCP checksum. The receiving host can validate the trust relationship by checking the checksum to verify what was sent. This is a fairly simple but scalable trust mechanism. TCP and the underlying Internet Protocol have allowed millions of computers and hundreds of millions of users to develop spontaneous associations with enough trust to interact effectively.
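The checksum check described above, as an added example in Python (not code from the original post or from the paper it discusses): the RFC 1071 checksum that TCP computes over a pseudo-header plus the segment, with the sender and receiver sides. The addresses, ports and payload are constructed sample values; the demo also shows which changes the check catches and which it does not.

```python
import ipaddress
import struct

TCP_PROTO = 6  # IP protocol number for TCP


def internet_checksum(data: bytes) -> int:
    """RFC 1071: complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # odd-length input is padded with a zero byte
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that TCP covers with its checksum (RFC 793)."""
    return src + dst + struct.pack("!BBH", 0, TCP_PROTO, tcp_len)


def build_segment(src: bytes, dst: bytes, sport: int, dport: int,
                  seq: int, payload: bytes) -> bytes:
    """Sender: 20-byte header without options, checksum field filled in."""
    offset_flags = (5 << 12) | 0x018  # data offset 5 words, PSH+ACK set
    header = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                         offset_flags, 65535, 0, 0)  # checksum = 0 for now
    covered = pseudo_header(src, dst, len(header) + len(payload))
    csum = internet_checksum(covered + header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def verify_segment(src: bytes, dst: bytes, segment: bytes) -> bool:
    """Receiver: summing everything, checksum field included, must give 0."""
    covered = pseudo_header(src, dst, len(segment))
    return internet_checksum(covered + segment) == 0


def demo() -> dict:
    # Constructed sample values (documentation address ranges).
    src = ipaddress.IPv4Address("192.0.2.1").packed
    dst = ipaddress.IPv4Address("198.51.100.7").packed
    good = build_segment(src, dst, 40000, 25, 1, b"PAY 100 TO ALICE")

    # Transmission error: a single bit flipped in the last payload byte.
    flipped = bytearray(good)
    flipped[-1] ^= 0x01

    # Two aligned 16-bit payload words exchanged. The sum is commutative,
    # so the checksum cannot see reordering.
    swapped = good[:20] + good[22:24] + good[20:22] + good[24:]

    # Payload changed and checksum recomputed. No key is involved, so any
    # party that can rewrite the segment can also produce a valid checksum.
    rewritten = build_segment(src, dst, 40000, 25, 1, b"PAY 900 TO ALICE")

    return {
        "intact": verify_segment(src, dst, good),
        "bit_flip": verify_segment(src, dst, bytes(flipped)),
        "word_swap": swapped != good and verify_segment(src, dst, swapped),
        "rewritten": verify_segment(src, dst, rewritten),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:10s} accepted={accepted}")
```

The checksum rejects the accidental bit flip but accepts the reordered and rewritten segments, so it protects against transmission errors rather than against a party who alters traffic on purpose.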
Trust on the Internet is much more complicated and diverse today. We have SSL, double-opt-in spam, RBL's, route registries, PGP, encrypted and authenticated IM and email, and more.
But in spite of all these trust mechanisms, trust on the Internet is more threatened now than ever. The miscreant community has repeatedly undermined public confidence in the most basic and pervasive implementation of trust: the Microsoft operating system.
Every time another Microsoft vulnerability is exposed and exploited, tens of millions of people lose confidence in their ability to productively use the Internet. Yes, users of other operating systems have the same experience, but those incidents happen far less often, to far fewer people. Relative to the impact of Microsoft, they cause an insignificant amount of damage (and more likely provide some hope for those Microsoft customers looking for alternatives).
As valuable as the Internet is, home users, small business owners, and others who can't afford full-time staff to watch for these incidents, defend against them, and clean up the mess afterwards--they are the ones who with each loss of data, customer information, tax records, billable hours, from whatever latest virus or worm is circulating now to exploit one of the many Microsoft vulnerabilities, question the value of being on the Internet, and whether they're better off being less-connected if only to be less-vulnerable.
I use Windows (desktop and laptop), and I take great caution in keeping it updated and protected from the network. It's a fair amount of work, that I doubt the average computer user could keep up with. In spite of that, during the most recent RPC worm, I have been scared that I have overlooked some patch and my machine is still vulnerable (as happened to many sysadmins with the SQLslammer worm).
I get much better sleep knowing that my most important machine runs Linux. Linux has certainly had its security issues, but I personally feel the development model behind Linux, its transparency to the general public, and its track record inspire confidence that it is an operating system to be trusted. I know that having been a user of Linux for only a few years less than I've used Windows, I feel Linux merits my trust far more than Windows does.
Maybe Linux and OSS are the counter-balance to Microsoft, giving users confidence enough to stay on the big, bad Internet.
Posted by pete at 12:08 PM | Comments (1)
August 6, 2003
Linux upstages Netware
So now it's not just Solaris that will be replaced by Linux, but Netware as well. The Solaris admins should have an easy time moving to Linux (many of them already run Linux at home). The Netware and Groupwise administrators may have a tougher time, since Netware is pretty much still DOS.
Novell's Ximian acquisition is also pretty exciting. Using Evolution as a Groupwise client will be one of Novell's best moves in many years. Once I can get rid of Groupwise, the only (important) application I run that requires Windows is Visio--so I may finally be able to move to Linux on the desktop.
Posted by pete at 10:13 AM
August 5, 2003
Work 2.0: Principles for modern manager-employee relationships
Work 2.0: Building the Future, One Employee at a Time
It's probably universal, that non-management employees usually think management doesn't get it, and most managers probably think the same about employees. It's especially true in knowledge-worker jobs, where employees are highly-skilled, highly-intelligent, and often managers are people who aren't hands-on anymore (or never were).
Work 2.0 proposes that the greatest opportunities for dramatic, lasting bottom-line and top-line business improvements can only be achieved by finding a better way for managers and knowledge employees to work together for their customers.
Bill Jensen argues that the workers who have grown up with the Internet, and work in knowledge-based companies, have significantly greater potential than ever to improve the companies they work for, but only if they are managed in the right way.
He suggests four principles in the book:
Jensen acknowledges that the way we do things now (or used to do them at a few companies) overlooks (and doesn't benefit from) the most valuable asset at any company: the knowledge, ideas, energy and attention of the employees. Many employee-manager relationships today are based on practices from factories, when employees were trained in almost robotic procedures. Knowledge-workers are not button-pushers, order-fillers or cogs in the wheel; companies that learn to extract the most from their knowledge workers by encouraging, supporting and embracing their personal contributions, will be the most successful in the future.
So how do we fix this? Work 2.0 is difficult for companies to embrace. It's contradictory to many management assumptions and perspectives. But it's exactly what employees want, and exactly the thing that will result in more productive employees and a more productive organization.
Work 2.0 is primarily targeted at managers and executives, but one thing I like is that it's also directed at the knowledge worker. In fact, there are many things that the employee is expected to do to make Work 2.0 successful.
The principal document, The New Contract, is available on-line (http://www.work2.com) and is a good overview, from the employees' perspective, of what they expect from their employers, and what they bring to the table.
Bill Jensen also wrote Simplicity: The New Competitive Advantage in a World of More, Better, Faster, which is a companion to Work 2.0. I highly recommend both for managers, executives and employees.
Posted by pete at 9:32 PM
August 4, 2003
More on Personal Publishing
I wrote a few weeks ago about how blogging, Wiki and other technologies were making personal Web publishing available to the masses.
Robin Good writes much more elegantly (and profusely) about the same topic. Quoting part of his article:
I cannot recommend enough the use of weblog/CMS based technology for both traditional business applications as well as for those organizations entrenched in publishing methods that require a seven-day tour before the content even makes it to the test server. The learning curve for these powerful CMS technologies is basically none and the cost-effectiveness is several orders of magnitude better than when working with a full-time webmaster or with an IT/Information Publishing department that wants to "webmaster" everything you do.
Posted by pete at 2:10 PM
August 3, 2003
New Blog
Christian Nielsen has been a good friend for almost a decade. We grew up in the Utah ISP industry in the early 90's, and started the Utah Regional Exchange Point together. He moved away to California in 1999 and now lives in Redmond.
I'm excited he's started a blog, so I can keep in touch with what he's up to. Christian is an experienced network engineer and an avid traveler. Should be an interesting blog to follow.
Posted by pete at 6:47 PM
August 2, 2003
Paper or plastic
I've spent a lot of time with my kids this week. After almost 1,000 miles in the car, they've gone through every possible combination of toys, games, songs, electronics, fits and whinings. For some odd reason, I got to thinking about how my kids would feel about using electronic gadgets instead of "traditional" tools.
I learned to touch-type in sixth grade on an electric typewriter (with some required practice on a manual)--it was considered important but not required, since most likely my assistant would do all of my typing and transcription for me when I had a job. I learned word processing in ninth and tenth grades. The only homework I had to (or could) submit on computer in college--in the early 90's--was in my C.S. classes (most of my non-CS instructors didn't use email).
My oldest daughter started learning touch-typing in 2nd grade. She regularly has assignments that encourage the use of the Internet and computers. She has submitted several reports written solely on a word-processor. She does regularly use "traditional" materials such as pencil and paper, but computers are integrated into her education, where for the most part they were ancillary to mine.
I consider pen and paper a more natural writing experience. I like reading paper books and the newspaper in physical form (partly because there are a couple of places I refuse to take a laptop). I usually find reading more enjoyable when it's not on the screen. If I'm taking notes or brainstorming, I prefer a pen and notepad over a computer most of the time. (Jeremy has had similar experiences.)
So I got to wondering whether my kids would ever think that it's easier to think with pen and paper than staring at a blank Word (or maybe OpenOffice) document on the screen.
They will probably think of the computer as a much more natural reading/writing environment than I do, and will probably have much more success using the computer natively for brainstorming, thinking and reading than I do. Especially with matured versions of computers that fit those functions more naturally.
Posted by pete at 11:37 PM
August 1, 2003
Feedback for direction-givers
Over the last several days, we've inevitably had to ask for directions a few times. Even though we have lots of maps, they aren't always accurate, or we can't find some of the landmarks.
I can't believe how often people don't know the area within just a couple of blocks around their workplace (and the town they live in). We repeatedly got conflicting directions from multiple people as we tried to find major streets and major landmarks. They would even disagree with each other (and the maps) on the actual existence of some of the streets and landmarks (which in every case turned out to exist).
It would sure be cool to be able to check the ratings and reviews other tourists give of the person I am asking for directions. It would have saved me a couple of hours on this trip alone.
I should probably consider a GPS navigator for the next trip, but asking a stranger for directions is just part of the trip, and it just wouldn't be the same without it.
Posted by pete at 10:17 AM