Enterprise IT Watch Blog


March 30, 2010 6:00 AM

SQL attacks come from the darndest places

By Michael Morisy

SQL injection attacks are a constant thorn in the side of security practitioners, claiming the dubious distinction of being the attack vector for the largest U.S. ID theft case ever. And while tools are arriving on the scene to help businesses root out potential problems before the bad guys do, there are plenty of attack vectors just waiting to be exploited. The latest case? An image floating around the web showing a, er, creative license plate cover designed to foil traffic cameras:

Will it work? Unlikely (see commentary on Gizmodo), but it’s a good reminder that attacks can come from the darnedest places. It’s also a nice throwback to the classic SQL injection comic from XKCD:

As if “smoker doors”, weaponized e-mail and your own PC weren’t enough to keep you worried.
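The flaw behind both the plate cover and the XKCD strip is the same one: user-supplied text spliced into a SQL string. The following is an added example, not code from the original post or from any of the systems it mentions; the `tickets` table, its rows and the plate format are constructed for illustration. It shows the string-built lookup beside its parameterized fix, plus an allow-list check that rejects implausible plate text before it reaches the database.

```python
import re
import sqlite3

# Constructed sample data: a toy "tickets" table such as a traffic-camera
# back end might keep. The schema and rows are hypothetical.
SAMPLE_ROWS = [("ABC123", 50), ("XYZ789", 120), ("JKL456", 75)]

# Allow-list for plate text: uppercase letters and digits only, 1 to 8 chars.
# (Assumed format for this example; real plate rules vary by jurisdiction.)
PLATE_RE = re.compile(r"^[A-Z0-9]{1,8}$")


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (plate TEXT NOT NULL, fine INTEGER NOT NULL)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, plate):
    """The bug: plate text is spliced straight into the SQL string, so a
    quote character in the input changes the structure of the query."""
    sql = "SELECT plate, fine FROM tickets WHERE plate = '" + plate + "' ORDER BY plate"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, plate):
    """The fix: the query text is fixed and the driver binds the value, so
    the input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT plate, fine FROM tickets WHERE plate = ? ORDER BY plate"
    return conn.execute(sql, (plate,)).fetchall()


def is_plausible_plate(text):
    """Defence in depth: reject anything that cannot be a plate before it
    reaches the database. Not a substitute for parameterization."""
    return PLATE_RE.fullmatch(text) is not None


def demo():
    """Run an honest plate and a crafted one through both lookups."""
    conn = make_db()
    honest = "ABC123"
    # Constructed quote-breaking input in the spirit of the plate cover:
    # it closes the string literal and appends an always-true condition.
    crafted = "' OR '1'='1"
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "parameterized_honest": lookup_parameterized(conn, honest),
        "parameterized_crafted": lookup_parameterized(conn, crafted),
        "validator_honest": is_plausible_plate(honest),
        "validator_crafted": is_plausible_plate(crafted),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the string-built lookup returning every row for the crafted input, while the parameterized lookup returns nothing because the quote characters are compared as part of the plate value. The regex check is there to fail early and to give a monitoring hook (a spike in rejected lookups is worth alerting on), but binding parameters is what actually closes the hole.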

March 29, 2010 11:32 PM

Green IT: Myth or Reality? Help tell the true story

Guest Author (posted by Michael Morisy)

This is a guest post and request for information by Johanne Murray, a Canadian research student at National Cheng Kung University in the Business Management Department.

The concept of green information technology has been around since 1992; however, like other green products, it has not experienced a tremendous growth rate. Green products in general have not followed a traditional product adoption model.

Stakeholders have now begun to put more pressure on companies to adopt greener technology systems, and many companies claim they are either in the process of doing so or have already done so. However, in my research so far I have not been able to get past the managers who are making these claims. This makes it difficult to understand the adoption process and the perceptions of personnel.

Although it is of great interest to speak with project managers, directors and CEOs who are mandating Green IT within their companies, it is difficult to base academic research on these claims alone. So far there has been little academic research based on the people, the personnel and management, who are working with these newer and greener IT systems.

Are companies really going green or is it something that is just stated to appease stakeholders? Where are the personnel that are adopting these new systems? Are you supposedly using green IT in your workplace? Does it make a difference? Does it make your work easier? Was it easy to adapt to? Do you feel there were sufficient resources and education in order to adopt this technology?

This research is attempting to answer these questions; however, it has been a challenge finding people who are supposedly using recently adopted Green IT.

Is green IT just a myth? Is it a case of corporate greenwashing, or are these companies really transferring their technology?

This academic research is dedicated to the advancement of Green IT.

If your company has mandated and adopted Green IT and you are using green computers or other information technology that is more environmentally friendly than its predecessor please take a minute to fill out this survey:

http://www.surveymonkey.com/s/JBG9C2N

Or, if you are working for a company that claims it is adopting Green IT and you are not so sure or have issues with their claims, please contact: johannemurray@hotmail.com

All respondents’ details will be kept confidential.

If you are a manager/CEO and you are truly proud of your Green IT technology transfer and would like to make your company an example for others to follow, please contact johannemurray@hotmail.com to become part of an exciting case study. This would include telephone interviews of a variety of personnel affected by the transfer. This is cutting-edge research and would be a great opportunity for companies to tell their Green IT story to the world.


March 29, 2010 7:00 AM

Weighing the Real Cost of Mobile Broadband

Guest Author (posted by Michael Morisy)

Should you take the mobile plunge if you haven’t already? While many companies’ workforces are wired with the latest gadgets, IT departments have occasionally been hesitant to jump on board for a number of reasons. Today’s guest post – by Tim Scannell, editorial director of sister site TechnologyGuide.com – outlines why 4G might mean it’s time to re-think corporate wireless strategy.

One strong theme at this year’s CTIA conference, which wrapped up last week, was the evolution of mobile broadband. Loosely defined, this refers to everything and anything traditional broadband offers, but accessible through a mobile device – in the case of the CTIA cognoscenti, this specifically related to small, handheld systems.

Up until very recently, this has pretty much been a blue-sky concept since there were only a handful of devices that were really capable of providing a rich browsing experience. Also, the browser software still had a way to go in terms of development, and cellular infrastructures just weren’t up to snuff when it came to fast and reliable service.

All of that is changing rapidly, however. At CTIA, there were a number of interesting and powerful devices that were capable of operating across emerging 4G wireless networks – like the HTC EVO 4G, which will reportedly be the first smartphone available in the U.S. with built-in WiMAX (which, in many cases, provides much more reliable wireless access than cellular, particularly in congested urban areas). The new HTC system also runs Google’s Android OS and has a very large high-resolution display.

Newer classes of mobile computers – like netbooks – are also catching on in the small business and small enterprise markets, especially as the numbers of mobile workers increase and efforts continue to extend customer relationship management and internal information resources out to the point of customer contact. The number of online consumers who own a netbook has increased from 10 percent last year to 15 percent this year, with most people using a netbook as a second device and not a replacement for a notebook computer, according to a recent survey.

Tablet PCs are also finally finding their niche in mobile business computing, spurred by interest in the soon-to-be-shipped Apple iPad. Fifty-seven million “media tablet PCs” are expected to ship in 2015 according to analysts at ABI Research, which is roughly thirteen times the 4 million expected to ship this year.

As prices for mobile systems plummet and the wireless infrastructure becomes more reliable and varied with converged connectivity options (cellular, WiFi, WiMAX, etc.), it makes sense for companies of all sizes to have a mobile solutions strategy. Yes, there are some significant challenges, like mobile management, service and support, security and developing a collaborative strategy. But the benefits can be huge in terms of getting closer to customers and speeding transactions.

Since every company is different, it is difficult to come up with a ‘one size fits all’ return on investment (ROI) formula that can quickly validate initial purchases, training, support and other functions. Focusing too much on the cost of implementation and operations can also be a mistake – especially in a down economy where the mandate is slashing expenses rather than adding to expenditures.

To get a more realistic and long-term picture (as well as convince upper management a mobile strategy is working), an increasing number of companies are instead measuring the efficiencies created by a mobile strategy. At a major magazine distribution company, for example, the goal is to use mobile solutions to increase the efficiency of every worker by about 5% – saving about 24 minutes of wasted time per day. When you translate that savings in time into dollars and extend it across hundreds or thousands of mobile workers, the cost savings can be in the millions, notes the IT director.

The real question to consider then is not how much implementing mobile systems and services will cost, but what the expense will be if you do not take the plunge and make mobile broadband an integral part of your business strategy.

If you’re a fan of Tim’s writing, be sure to check out his soon-to-be-launched blog, Technology Guide Lines, hosted right here on IT Knowledge Exchange.


March 22, 2010 2:28 PM

Google skipfish, 0-day hunter

By Michael Morisy

If web apps are really going to take off in the way Google hopes, the Big G knows it needs to tighten up the security holes on web apps at large, no matter how elegant their own solutions are.

Enter skipfish, Google’s automated web security scanner, which was launched Friday by Michał Zalewski in a post on the Google Online Security Blog:

Today, we are happy to announce the availability of skipfish – our free, open source, fully automated, active web application security reconnaissance tool. We think this project is interesting for a few reasons:

  • High speed: written in pure C, with highly optimized HTTP handling and a minimal CPU footprint, the tool easily achieves 2000 requests per second with responsive targets.
  • Ease of use: the tool features heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
  • Cutting-edge security logic: we incorporated high quality, low false positive, differential security checks capable of spotting a range of subtle flaws, including blind injection vectors.

For those worried that this just further enables malicious script kiddies to hunt out and play with gaping holes in your poorly designed web app (or that budget SaaS vendor your CIO chose), Google included this disclaimer:

First and foremost, please do not be evil. Use skipfish only against services you own, or have permission to test.

We’ll see how long that lasts, but at least there’s another (open source, no less!) tool from a reputable company to help catch problems before someone else does. If you’re interested in a second opinion, the folks at Sucuri Security also took a closer look at skipfish, and left with a favorable impression.


March 18, 2010 1:07 PM

Performance Management is Critical for Agile IT

Guest Author (posted by Michael Morisy)

This guest post is by Doug Willoughby, director of cloud computing for Compuware Corporation. Members interested in writing a guest post about an IT topic near and dear to their heart should e-mail community editor Michael Morisy at Michael@ITKnowledgeExchange.com.

Agile IT

Smart phones, social networks, Web 2.0, cloud computing, borderless applications: information technology is being reshaped by waves of disruptive innovations. Some enterprises will benefit from disruption, while others will be buried by it. Enterprises who position themselves to capitalize on innovation will benefit the most. To capitalize on innovation, successful enterprises are moving information technology to the forefront of product strategies, from a supporting role to the means of monetization.

In this environment, established IT organizations are likely to find that their greatest challenge is their previous successes. To deliver on time and on budget, successful IT organizations have optimized their processes based on assumptions about the environment. Innovations and the changing role of IT throw many of these assumptions out the window. As a result, the primary challenge to established IT organizations is how to adapt their existing best practices and tools to fit their new role.

One such best practice is the Agile development process. The Agile process has enabled IT organizations to be more responsive when faced with changing business requirements. In the past, the Agile process has been used exclusively by development teams. To address the operational requirements of ubiquitous access, social applications and cloud computing, successful IT organizations will become “Agile” across the application lifecycle, from requirements to operational deployment. These organizations will have all the advantages of being first to market, while enjoying lower operational costs.

To support an Agile application lifecycle, IT organizations need an integrated suite of tools that support each stage of the application lifecycle.

The Internet is the New Data Center

For the last fifty years, IT has been optimized around the assumption that applications and data centers are fairly static. Line-of-business owners generate requirements. Developers build and test applications in isolation before passing them over to the operations group for deployment. Once deployed, the operations group is responsible for monitoring the performance of the applications to detect and resolve problems.

Web applications are making the Internet the new enterprise data center. Research indicates that typical Web applications depend on six or more services located outside the direct control of the applications’ owners. These are not new-fangled cloud services, either. Rather, they are the bare minimum of ordinary Web services required to deliver consistent and compelling user experience, and include such Web staples as content distribution networks (CDN), ad distribution networks, content management servers, analytic services, streaming media services and other types of service delivery platforms.

The Web breaks many of the assumptions built into the traditional application lifecycle model. For example, thorough testing of many Web applications before their deployment may be a practical impossibility. There can be too many variables for proper coverage testing. Client browser compatibility (which release, what operating system, which plug-ins and what configuration options) is just the beginning. End user experiences will vary depending on where users are physically located–not just due to network latency and bandwidth, but also because the quality of service provided by Web services can vary by geography.

Performance Management is Critical for Agile IT

This is not saying that Web applications do not need to be tested before they are deployed. Instead, it suggests a new strategy that mirrors the Agile process that many development organizations have already adopted. This strategy is called the Agile application lifecycle.

The Agile application lifecycle is a cross-organizational approach that brings together line of business (LOB) owners, developers, and IT operations. Agile teams work closely with LOB owners to define requirements and with IT operations to detect and resolve problems quickly. The approach is characterized by smaller, more frequent releases. New functionality is tested as extensively as practical, but greater reliance is placed on detecting and resolving problems once the Web application is deployed.

To be successful, Agile teams need integrated tools that provide seamless visibility from development to testing and on through to the management of deployments. LOB owners are concerned with end user experience, developers need end-to-end visibility into composite Web applications, and operation teams need to determine business impact and deep dive tools to resolve problems quickly.

Capitalizing on Innovation

Enterprises that see change as a normal business driver will benefit most from disruptive innovation. Adopting an Agile application lifecycle strategy enables these organizations to react quickly to change. Agile is a cross-organization approach, so teams need tools that encourage the integration of concerns from LOB to operations and enable them to move seamlessly from requirements to deployment. The end-to-end visibility and end user experience context provided by integrated application performance management tools, such as those offered by Compuware, are a critical component of any Agile application lifecycle strategy.

Doug Willoughby is currently the Director of Cloud Computing for Compuware, a leading provider of APM tools for Web applications. Prior to Compuware he was at Sun, which he joined in 1988 and where he participated in the development and marketing of some of Sun’s most pioneering and disruptive technologies, including Project Spring, Distributed Objects Everywhere (DOE), NextStep/OpenStep, and Java. Willoughby was also part of the team of 14 engineers and architects who developed “network.com,” Sun’s first utility computing offering.

Compuware offers an integrated suite of application performance management tools. Gomez Actual User Experience XF and Vantage for End-User Experience provide LOB owners with visibility into real user experience. Gomez Web Load and Performance Testing and Cross-Browser Testing tools, combined with Vantage for Java and .NET performance tools, give developers clear insight into how applications will perform when deployed. IT operations can leverage the full suite of Gomez and Vantage tools, including Vantage for Business Service Management, to understand the business impact of service problems.


March 17, 2010 8:30 AM

What secrets is your Intranet hiding?

By Michael Morisy

That’s the question Intranet vendor ThoughtFarmer put to the world on Intranet Secrets, and the answers have been pouring in:

  • “Our intranet is optimized for Netscape Navigator 4.0.”
  • “I hate our intranet with a rage as white hot as the sun.”
  • “Just noticed that a hidden corner of our company intranet has a page with several lines marked ‘under construction’ for, oh, 6 years or so.”

Ouch. And many of these are beautifully illustrated in the Post Secret mold:


March 16, 2010 8:51 AM

Windows Mobile 7: What is it good for?

By Michael Morisy

More and more Windows Mobile 7 details are drip-dropping out daily, with the latest being that Microsoft has taken a trick from Apple’s playbook and is pushing application downloads through its own store, with a “forthcoming” enterprise option to centrally deploy corporate apps.

But will it even matter to the enterprise? Windows Mobile devices have long been a consumer also-ran, but have found die-hard users for specialized applications in areas from the warehouse to the road to extreme heat and cold situations. They often put the “computing” in mobile computing, but it doesn’t look like Microsoft is trying to keep that market with the latest update, which Ed Hardy dubbed the “Zune Phone.” It probably makes a lot of sense from Microsoft’s perspective, but what will power enterprise warehouse floors now? Will device manufacturers rejoice at getting to drop the “Microsoft tax” and go with custom Android builds? Will Microsoft have a legacy program to keep this market just sated enough not to leave? Will we see Windows Mobile 6, like its distant (distant!) cousin XP, be end-of-lifed for years and years to come as demand continues and companies resist upgrades?

I’d love to hear your thoughts, either in the comments or at Michael@ITKnowledgeExchange.com: Does Windows Mobile 7 matter to your business, and if so, how — even if it just means you need to start planning a transition to something else?


March 11, 2010 8:59 AM

The Wireless Office: Don’t Believe the Hype

By Michael Morisy

While it might make me a public enemy in some circles, I have to stand by my assertion that we haven’t truly hit the age of the wireless office … yet. Josh Stephens, head geek blogger for SolarWinds, vehemently disagrees, however, arguing it’s time to cut the cord.

He makes some decent points about wired vs. wireless security, although I’d argue that while .11n brings some marginal security improvements, it really ramps up the security complexity and opportunity for misconfiguration, which even he fingers as the culprit in Ethernet security lapses.

Where Josh really goes off the rail, however, is cost:

Next let’s debunk my buddy Michael’s point about cost. With 802.11n you can run 30-40 users per radio which means fewer expensive cable runs and fewer wireless switches. Combine that with mesh technology and you may not even need to run cable to all of the APs. This cost calculator from Aruba Wireless shows some great examples of how much you save. Mike, buddy, have you priced the costs of having an office wired with cat-6 lately? Even if you go all redneck, like I’m known to do, and run, terminate, and patch the cabling yourself it’s still incredibly expensive. In what universe is this not significantly cheaper than a wired environment?

This is where he swallows the wireless vendors’ bait hook, line and sinker. A calculator, put out by a wireless vendor, shows that their products are cheaper than a competitive technology? Shocker! The problem is that, once you dive into the real numbers, you’re not going to stick 30 to 40 users on an AP, as Josh suggests. Sure, you could, and you could also use .11n to blanket a huge range, and provide throughput of 200 Mbit/s, but it can’t do all those things at once, which a lot of calculators conveniently forget.

Another fact they conveniently forget: Even with .11n now an official standard, compatibility between sanctioned .11n devices is very imperfect when you’re talking about enterprise equipment. This means that no, you’re probably not going to save on all those pricey wiring costs because something, somewhere will need Ethernet.

But don’t take it from me: I tracked down Osaka Gas, hailed in 2007 by ComputerWorld’s Matt Hamblen as the largest “all-wireless” office, to get an update on what they’d learned and accomplished since becoming a poster child for cutting the cord.

There were some surprises:

1. This case study for the all-wireless office wasn’t then, and isn’t now, “all-wireless”!

Osaka Gas’ Toyoshi Matsumoto wrote to me:

We are using WAN for phones and PCs. Is that your definition of 100%? In fact we have NOT removed all LAN cables. Some fixed IP phones, mainly used for receiving calls from customers or business partners, are wired because the calls should be answered as the company, not as an employee. Desktop PCs are also wired because they do not need mobility. Another use of wired LAN is the emergency use when WLAN gets unstable.

Three years as an all-wireless office, and a) it still makes more sense for some tethered IP phones, b) desktops are still wired and c) their WLAN still becomes unstable!

2. Toyoshi goes further, and says forget saving money simply by cutting the cord:

It’s not necessarily appropriate to suggest that wireless itself contributes to cost saving or improving efficiency. In many cases of introducing wireless LAN as a replacement of wired LAN, you cannot expect cost savings.

Corner any wireless vendor for long enough on the cost savings issue, and they’ll invariably agree with this assessment. Sure, they have those nifty calculators Josh likes, but when you actually start computing the real totals, you’re maybe breaking even, but just as likely paying more for the Wi-Fi privilege.

3. Compatibility problems persist. Toyoshi puts a gentle spin on this one:

We have been using Meru since the project started. We have also other products from vendors such as Cisco, Aluba (sic), etc., to identify similarities and differences among them to determine their compatibility to our environment, because wireless technologies and standards continue to advance.

But the fact is, any major wireless deployment that’s dealing with more than students and their iPods has found the same compatibility issues. How often do you run into an Ethernet cord that isn’t compatible with your laptop, projector, or other device (except those devices, naturally, that don’t have a port)?

In the end, wireless is a great tool but it’s not the panacea that the industry makes it out to be. As Toyoshi put it, “‘Wireless’ is a means, but not a destination.” Don’t believe the hype otherwise.


March 11, 2010 1:42 AM

Checking back with 2006’s largest “all-wireless” office

By Michael Morisy

Editor’s Note: Below is the e-mail exchange between me and Toyoshi Matsumoto of Osaka Gas Co., which was hailed almost four years ago as the largest all-wireless office. For background, see here. I reproduce the exchange below unedited. -Michael Morisy

1) How did the wireless experiment in 2006 go?

It went very well. The project proceeded as originally scheduled and we achieved the 50% cost saving and improved efficiency as projected.

2) Did you continue on with Meru in this project?

We have been using Meru since the project started. We have also other products from vendors such as Cisco, Aluba (sic), etc., to identify similarities and differences among them to determine their compatibility to our environment, because wireless technologies and standards continue to advance.

3) Is this office now 100% wireless, or was it just deskphones that were wireless?

We are using WAN for phones and PCs. Is that your definition of 100%? In fact we have NOT removed all LAN cables. Some fixed IP phones, mainly used for receiving calls from customers or business partners, are wired because the calls should be answered as the company, not as an employee. Desktop PCs are also wired because they do not need mobility. Another use of wired LAN is the emergency use when WLAN gets unstable.

4) Have you upgraded to .11n, and have you run into any challenges with that?

Not yet, but as stated above, we are trying various products and will try .11n in the near future because we are planning to replace the current wireless system in 2011, which is our Meru products’ economic end-of-life.

5) If you’ve moved to 100% wireless, why did you and what benefits did you see in terms of cost savings or efficiency?

6) If you’re not, what was behind the decision not to go 100% wireless?

It’s not necessarily appropriate to suggest that wireless itself contributes to cost saving or improving efficiency. In many cases of introducing wireless LAN as a replacement of wired LAN, you cannot expect cost savings.

Our project started from the replacement of conventional PBXs. PBXs were so expensive that we could achieve a 50% reduction of facility cost in terms of depreciation cost.

In terms of efficiency improvement, we not only introduced wireless LAN but also promoted a change in our workstyle from a paper-based one to a full-digital one. The wireless environment and full-digital workstyle allow us to access, transmit and share real-time information anywhere, which leads to efficiency improvement.

7) Any other advice for companies considering going all wireless?

We believe that the use of wired and wireless systems and 3G and VoIP phones in optimal combinations is important for us to improve our work efficiency and thereby reduce operation costs.

“Wireless” is a means, but not a destination.


March 8, 2010 10:28 AM

Guide to Enterprise Mobile Communications and Productivity

By Michael Morisy

This month, IT Knowledge Exchange is taking a special look at mobile communications and productivity in the business world. We’ll take a look at questions like whether it’s finally time we can cut the cord for office workers, who you should throw your lot in with during the mobility wars, and any other smart ideas for mobile discussions you e-mail in.

Frequently Asked Questions about Mobile Computing:

Still have unanswered questions? See what others are asking about cloud computing or ask your own IT question in our forums!

For a deeper dive, take a look at some of these excellent mobile computing book recommendations we’ve pulled together, or suggest your own:

Books on Mobile Computing:

Have another suggestion for this list? E-mail me at Michael@ITKnowledgeExchange.com or leave it in the comments.

Want to connect directly with experts? Read their blogs to hear straight from the horse’s mouth: The pioneers, cheerleaders and critics of the mobile computing landscape are often just a click away, and we’ve helped to organize the best of the best.

Top Mobility Expert Blogs:

What else would make this guide useful to you? Let me know in the comments or e-mail me directly at Michael@ITKnowledgeExchange.com with any additions, corrections or suggestions.

