Enterprise IT Watch Blog


November 11, 2009  2:08 PM

Sesame Street’s 10 lessons for IT departments



Posted by: Michael Morisy
Advice, IT Project Failures, Link Bait, Project Management, Sesame Street

10. Focus on the fundamentals. Sesame Street tackles a whole host of issues, from basic counting and the alphabet to overcoming cultural differences and even death. For the most part, however, the issues are key elements of early development: Not always easy, but necessary. Are the projects and problems you’re tackling necessary to the bottom line? Will they give a return to the business?

9. Speak different languages. Early on, Sesame Street emphasized the importance of learning foreign languages, even if it was just the basics, such as the Count learning to say uno to diez in Spanish. More now than ever, it’s critical that IT learns to speak in business terms to explain value, as recent guest blogger Claude Roeltgen noted. So-called soft skills can save a career, and really, it’s just a matter of saying what you need and what you can do in the right language.

8. Learn to count. Or better yet, teach others to count. Just as our dear friend The Count spent painstaking hours teaching others to count from one to ten (in English and beyond!), IT must teach the rest of the business how IT enables profits and performance. And if you let others do the counting? Expect IT to become a cost center, with aggressive accounting for every dollar and annual budget fights.

7. Be wary of strangers. Sesame Street wins over adult fans with copious guest stars, running the gamut of celebrities, athletes and musicians. But these guests are introduced by trusted adults on the show, and viewers learn that while you shouldn’t fear people different than you, you also shouldn’t give them your complete trust until they’ve earned it. What are your security policies, and what do you do to ensure that temporary workers or outside consultants have what they need — but nothing else?

6. It’s not (always) easy being green. Kermit the Frog was right: No matter how often people tout the benefits of “going green,” cutting costs while saving energy can be full of trade-offs. There’s always new equipment to buy, new processes to manage, and while there may be a green revolution, there’s a premium to be paid for leading that charge. On the other hand, Kermit did get the girl, and in many cases the energy savings from a comprehensive, business-savvy “green” policy can bring home the bacon at the end of the day.


November 10, 2009  10:17 AM

Bernie Madoff’s unwitting accomplice: The AS/400



Posted by: Michael Morisy
AS/400, Bernie Madoff, Scam, Security

When an Investment Dealer’s Digest article (“The Technology Behind the Scam”) lumped some of the blame for Bernie Madoff’s scam onto Madoff’s “antiquated systems,” including the AS/400, IBM’s venerable business system, the iSeries developer community was quick to defend its fabled friend. After all, technologies don’t scam people, people scam people.

John Dodge does dig up some juicy details on the Ponzi scheme’s execution based on forensic reports:

“[House 17] was a closed system, separate and distinct from any computer system utilized by the other BLMIS business units; consistent with one designed to mass produce fictitious customer statements,” according to Looby’s declaration. House 17’s expressed purpose was to maintain phony records and crank out millions of phony IRS 1099s on capital gains and dividends, trade confirmations, management reports and customer statements.

The AS/400 was like a giant Selectric — indeed, the Application System/400 is a multipurpose server that’s very good at printing. IBM publishes several technical overviews for IT professionals known as “RedBooks” on the AS/400’s extensive printing capabilities and also offers printing and forms design software for it.

But does the AS/400 actually make it any easier to perpetrate an $18 billion scam? Or is it simply a reliable Wall Street standard, a poor technology caught up in the wrong place at the wrong time with the wrong crowd? Vernon Hamberg, a software architect and regular on the Midrange technical discussion list, wrote a spirited defense of the platform, which he kindly offered to let me publish here:

Mr Granahan:

I read with interest the article by John Dodge about technology behind the Madoff scam. It appears, from a quick read, to put much of the blame squarely on the AS/400 – the technology in question. I strongly object to this – it is, in my opinion, completely wrong-headed. I learned long ago that computers are stupid – they do exactly what you tell them, not what you want. If things were done on these systems that allowed Madoff to carry out his Ponzi scheme, it is not the system’s fault. It is some programmer, some auditor, some whatever human being behind it all.

I am a computer professional who works on these so-called legacy systems – a false categorization, unless you lump Unix systems in along with it. (Unix came out over 40 years ago – shall we talk legacy?) The IBM midrange systems have a tremendous feature, backward-compatibility – anything you wrote 20 years ago can be compiled on current systems without any change in source code. Talk to us about VB.net – about API calls in Windows that don’t work in the next release.

This strength of the system was exploited by a human – the extreme segregation of computing resources that let Madoff get away with his scheme. Mr Dodge’s report of the printing characteristics – well, it is a very narrow presentation of the system’s capabilities. That seems completely beside the point. And this is not unique to these systems. At all!! A distinction without a difference.

I appreciate you taking the time to read this. I ask you to publish a retraction or clarification – e.g., that the technology behind it was NOT to blame. Perhaps something about the true strengths of the platform and how human beings were able to take those strengths and fleece other people in such a way. THAT would be an interesting study in human nature – not the veiled suggestion of culpability of any technology as against that of those who use it.

Regards,

Vernon M. Hamberg
Software Architect
RJS Software Systems

What are your thoughts? Does complex, custom legacy software make it easier to quietly caper, or are villains just villains, no matter how shiny the software and technology? I’d love to hear your thoughts in the comments or at Michael@ITKnowledgeExchange.com.



November 9, 2009  4:11 PM

Can your IT security take a page from Wikipedia?



Posted by: Michael Morisy
Bruce Schneier, Security, Wikipedia

Security guru Bruce Schneier recently noted some Columbia University research on “Laissez-Faire File Sharing,” which advocates allowing users to set their own sharing permissions, with a focus on access auditing rather than access control (administrator policies don’t stop users from receiving or sharing a file, but all the viewers and editors of that file are then logged for later review and flagging).

Schneier simplifies it as a Wikipedian ideal (“Everybody has access to everything, but there are audit mechanisms in place to prevent abuse”), but that shortchanges the idea. Not all users can access files, for example: They must be granted access by a current user. The paper’s authors argue that this is already happening in an underground IT economy through e-mail attachments, USB thumbdrives and other workarounds, and that by working with the system, rather than against it, the new paradigm has the “potential to increase both productivity and security.”

The paper outlines 5 cornerstones of Laissez-Faire File Sharing:
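To make the delegation-plus-audit idea concrete, here is a small Python model added for this page; it is not code from the Columbia paper or from Schneier. It assumes, as a modelling choice of mine, that a file can only be granted by someone who already holds it, that every grant and read is appended to an audit log, and that review runs afterwards as queries over that log.

```python
"""Toy model of the "Laissez-Faire File Sharing" idea described above.

Added illustration, not code from the Columbia paper or from Schneier.
Assumptions (mine, not the paper's): access to a file is granted only by a
current holder of that file, every grant and read is appended to an audit
log, and review happens afterwards as queries over that log.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class AuditEvent:
    action: str   # "create", "grant" or "read"
    actor: str    # user performing the action
    target: str   # user receiving access (only for "grant")
    file_id: str


@dataclass
class LaissezFaireStore:
    # file_id -> set of users who currently hold it
    holders: dict = field(default_factory=lambda: defaultdict(set))
    log: list = field(default_factory=list)

    def create(self, owner, file_id):
        self.holders[file_id].add(owner)
        self.log.append(AuditEvent("create", owner, "", file_id))

    def grant(self, granter, grantee, file_id):
        # The only control left: a user must already hold a file to share it.
        if granter not in self.holders[file_id]:
            raise PermissionError(f"{granter} does not hold {file_id}")
        self.holders[file_id].add(grantee)
        self.log.append(AuditEvent("grant", granter, grantee, file_id))

    def read(self, user, file_id):
        # Holders are never blocked, but every read is logged for review.
        if user not in self.holders[file_id]:
            raise PermissionError(f"{user} does not hold {file_id}")
        self.log.append(AuditEvent("read", user, "", file_id))
        return f"<contents of {file_id}>"

    def share_chain(self, file_id, user):
        """Reconstruct who passed the file down to `user`, owner first."""
        granter_of = {e.target: e.actor for e in self.log
                      if e.action == "grant" and e.file_id == file_id}
        chain = [user]
        while chain[-1] in granter_of and granter_of[chain[-1]] not in chain:
            chain.append(granter_of[chain[-1]])
        return list(reversed(chain))

    def flag_external_reads(self, internal_domain):
        """Audit rule for review: reads by accounts outside the company domain."""
        return [(e.actor, e.file_id) for e in self.log
                if e.action == "read"
                and not e.actor.endswith("@" + internal_domain)]
```

The point the model makes is that the audit log, not the permission table, is where the security work happens: share_chain answers "how did this partner get our forecast?" after the fact, which a pure access-control system cannot.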


November 5, 2009  9:12 AM

New SSL security hole allows man-in-the-middle attacks



Posted by: Michael Morisy
ICASI, Security, SSL


A newly disclosed SSL security hole allows savvy attackers to inject data into supposedly secure streams of the encryption standard, but while standards bodies and major vendors are quickly working to plug the vulnerability, it seems the attack avenues are currently relatively minimal.

As The Register reported on the SSL bug:

Indeed, Moxie Marlinspike, a security researcher who has repeatedly exposed serious shortcomings in SSL, said the attacks were hard to pull off in the real world, in large part because they appeared to target a rarely used technology known as client certificate authentication.

“It’s clever, but to my knowledge the common cases in which the majority of people use SSL (webmail, online banking, etc.) are currently unaffected,” he wrote in an email. “I haven’t found these attacks to be very useful in practice.”

The security hole has been known since August in some circles, with ICASI (Industry Consortium for Advancement of Security on the Internet) heading up “Project Mogul,” an attempt to roll out an industry-wide set of security patches in a coordinated manner.


November 3, 2009  10:10 PM

Should IT police “dual use”?



Posted by: Michael Morisy
BlackBerry, Harvard Business Review

Harvard Business has an interesting post by Michael Schrage on how to deal with BlackBerry junkies and other techno abusers, pointing the finger at two pilots who allegedly lost track of their current flight while scheduling future flights via their laptops.

IT is supposed to be about enabling the business, but what happens when it has users hell bent on using good technology to their own or corporate detriment? It’s not a new question: Enabling Internet browsing alone has caused innumerable productivity drains, from hours lost to cat videos and Facebook to more serious corporate threats like making data leakage as simple as sending an e-mail to a personal account.

How much of policing this double-edged sword is IT’s job, and how much is it up to management, HR and other departments? Have you ever had a case where you pushed back? I’d love to hear your thoughts at Michael@ITknowledgeExchange.com.


November 2, 2009  12:14 PM

The hidden world of IT in companies



Posted by: Guest Author
CIO, Guest Post, IT

This is a guest post by Claude Roeltgen, author of the book IT’s Hidden Face. His book tackles the communications gulf between IT … and the rest of the world. Interested in being a guest blogger on the IT Watch Blog? E-mail Michael@ITKnowledgeExchange.com. -MM

“Why?” is the question people ask most often when something goes wrong in real life. Not so in IT: users never ask this question when something happens. They say “Fix it” and “I don’t want to know what happened.”

Business users like to reproach us IT guys for sitting in an ivory tower speaking strange gobbledygook. But, let’s face it, they are happy to keep us enclosed there and do nothing to understand the hidden world of IT in a company. “IT” and “problem” are synonyms, and for the vast majority of users, that’s as far as it goes. The public knows more about the biology of deep-sea fish than about the internal mechanics of an IT department.

Even the best CIOs are pushed into a defensive position all the time. “Be faster”, “be cheaper”, “reduce complexity”, “you need to understand the business better”, “why doesn’t this work for us?”, “why are we over budget and time?” are heard constantly, but are generally poorly answered. Users tell us “I can install software in 10 minutes on my PC at home, why do you need so long?” Defensive fights all the time.

What should we do then to make things better? Well, there are a lot of things we can do. We have to tell the realities of our world in words that every business user will understand, and, no doubt, there’s a lot we can talk about. Like the fact that there are no two identical IT biotopes and therefore they all have their own specific set of problems. Or that we have to deal with an incredibly immature software industry that delivers new software containing thousands of errors. Let’s tell them that software providers have outsourced quality assurance to their customers. Or that systems presented by providers can sometimes be called more accurately “cheatware” than “software”. We can write newsletters to our users giving them background information, in their words, about what is happening. We need to have a constant dialogue with our users and we need to be patient with them. We need to explain why we say “no” sometimes. We must become good at marketing ourselves. Today, we leave marketing IT to consultants, and this is not good for us!


October 30, 2009  12:12 PM

Time Warner’s SMC8014 security hole could make for a spooky Halloween



Posted by: Michael Morisy
H1N1, Routers, Security, SMC, SMC8014, Swine Flu, Time Warner Cable

Not enough ghosts and goblins running around for you? Just wait: News that Time Warner Cable has deployed a dual Wi-Fi router/cable modem with a gaping security hole should send chills up the most hardened IT professional’s spine.

David Chen exposed the hole, which allows an attacker to remotely log in to a router’s administrative interface and possibly intercept traffic. Since being exposed by Chen, the story has been picked up by Wired’s Threat Level, CNET’s InSecurity Complex, and ITKnowledgeExchange’s own Sister CISA CISSP. The latter noted another particularly spooky aspect of the tale in a follow-up post on the Time Warner security hole:

Lo and behold, I am visited and left a comment by “Adam Wood” defending SMC, and telling me/us what a wonderful job SMC is doing about this issue.

(That’s got to be a really crappy job for a lowly PR flack; surfing the Internet for comments on the SMC modem, and uploading a canned positive comment wherever he can.)

Despite “Mr. Wood’s” comments about how SMC is fixing the problem in an absolutely wonderful way, I admit to some slight cynicism. Especially after reading more from David Chen, the guy who found it in the first place.

It seems that a fix from Time-Warner or SMC consists almost entirely of PR.

Boo! And while it would be easy to respond that users have a responsibility to change their default passwords (they do!), the story goes a little deeper: This is putting sensitive corporate data at risk.

With more and more companies pushing for remote working both as a Swine Flu precaution and a way to cut office costs, an insecure router being pushed out could easily expose data that isn’t properly secured to all sorts of attackers, even those just trolling for random open vulnerabilities, like Chen did.

Fortunately, he also provided some quick fixes as Time Warner Cable works on a fix to push out (or not). Modify slightly and pass on to your users if your employees are working in a Time Warner Cable subscription area:

  • Change the default configuration of the routers to use WPA2 instead of WEP for Wi-Fi encryption. It’s ok if you don’t want the customers to change their Wi-Fi settings, but at least use a key that’s not derived from the router’s MAC address (which is broadcasted over Wi-Fi).
  • Disable access to the router’s web admin page from outside IPs. The options are in the router (see below); a simple config change would block access to the router from the internet.
  • Block traffic to ports 8080, 8181, 23 (those are the ports that are open on the SMC8014 routers) at the ISP level. This of course should be a temporary fix until the hardware can be replaced with something more secure.
  • Of course the best idea would be to immediately recall those routers and issue your [users] real cable modems and decent Wi-Fi routers with good security.
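A defender-side complement to Chen’s list, added here and not taken from Chen’s post or from Time Warner Cable or SMC: detection logic that scans firewall log lines for connections from non-RFC 1918 sources to the three management ports named above, so a gateway operator can see whether the remote admin interface is actually being reached while a real fix is pending. The netfilter-style log format and the addresses are my assumptions; the sample lines are constructed.

```python
"""Detection logic for the SMC8014 exposure described above.

Added example, not code from David Chen or from Time Warner Cable/SMC. It
assumes (my assumption) netfilter-style log lines carrying SRC= and DPT=
fields; the sample lines are constructed and use documentation-range addresses.
"""
import ipaddress
import re
from collections import Counter

# Ports Chen reported open on the SMC8014: web admin (8080, 8181), telnet (23).
ADMIN_PORTS = {8080, 8181, 23}

# Only RFC 1918 space counts as "inside the LAN"; everything else is treated
# as the Internet side of the router.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample: one LAN-side admin login, two probes from the same
# external source, one unrelated HTTPS hit, one external hit on 8181.
SAMPLE_LOG = """\
kernel: IN=eth0 SRC=192.168.100.23 DST=192.168.100.1 PROTO=TCP DPT=8080
kernel: IN=eth0 SRC=203.0.113.77 DST=198.51.100.12 PROTO=TCP DPT=8080
kernel: IN=eth0 SRC=203.0.113.77 DST=198.51.100.12 PROTO=TCP DPT=23
kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.12 PROTO=TCP DPT=443
kernel: IN=eth0 SRC=198.51.100.40 DST=198.51.100.12 PROTO=TCP DPT=8181
"""

def parse_line(line):
    """Return the netfilter fields of one line, or None if unusable."""
    fields = dict(FIELD.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    try:
        fields["SRC"] = ipaddress.ip_address(fields["SRC"])
        fields["DPT"] = int(fields["DPT"])
    except ValueError:
        return None
    return fields

def is_lan(addr):
    return any(addr in net for net in LAN_NETS)

def external_admin_hits(log_text):
    """(source, port) for every line where a non-LAN source hit an admin port."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["DPT"] in ADMIN_PORTS and not is_lan(f["SRC"]):
            hits.append((str(f["SRC"]), f["DPT"]))
    return hits

def sources_by_count(hits):
    """Rank offending sources, most active first."""
    return Counter(src for src, _ in hits).most_common()
```

Run against real gateway logs, a non-empty result from external_admin_hits is the evidence that the “disable outside access” and “block at the ISP level” steps above are not yet in effect.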

Have a happy Halloween!


October 29, 2009  2:56 PM

How to bridge the generation gap



Posted by: Michael Morisy
Advice, Generation Gap, management

Caroline Bender has a wonderful post on the somewhat snarkily titled Business Women’s Finishing School & Social Club about “Youthful Management.” Really, it’s about bridging the generation gap, particularly for those who find themselves employed by younger, perhaps less tactful if more energetic, bosses:

The young must lead because their skills are current, and the mature must advise them based on their experience, because their training is no longer applicable.

This can be unsettling for both parties, who are in such different stages of human development, much less career development, that the gap widens. It can be difficult to report to someone your daughter’s age; it can be even harder to motivate a staffer who has clocked 25 years already.

Ouch, but all too applicable in the fast-moving world of IT (the COBOL Y2K Renaissance aside). Bender offers some great advice for how older workers can mesh with younger executives, ranging from knowing when to stop trying too hard to fit in, to toeing the line on corporate outings.

Have you found your own job role transitioning due to generational differences, either as a Boomer or a Gen Xer or even a Gen Yer? I’d love to hear what you’ve seen in the workplace, either in the comments or at Michael@ITKnowledgeExchange.com, or @Morisy on Twitter.


October 29, 2009  10:57 AM

Juniper’s ‘New Network Initiative’ has the blogs a’twitter



Posted by: Michael Morisy
Juniper Networks, Networking, New Network Initiative

Juniper is currently unveiling its ‘New Network Initiative,’ and there’s no lack of interest. As the normally staid Tom Nolle blogs at Uncommon Wisdom:

We can’t apologize for the characterization here; Juniper announced a radical combination of an extensive service-layer software system and a new semiconductor architecture, taking the most profound step the company has taken since it was founded.

The new chip is a family, the first member of which is Trio. It is based on a “Network Instruction Set Processor” model that builds software on the device using instructions customized for network behavior control rather than general-purpose instructions, as NPs do. In this respect, the chip is almost like an ASIC, but unlike an ASIC it’s programmable at the primitive NISP-instruction level, so new features can be added right down to the instruction level.

That’s the tech speak, but Juniper Networks is using the launch as a chance to re-brand, with a new logo, a flashy advertising campaign and a jettisoning of the “high performance” slogan for a focus on being “the new network”:


And it’s certainly earned the company its share of buzz, including some strong Twitter chatter and the chance to ring the NYSE opening bell. If you’re quick, you can still catch some of the announcement which is being broadcast here. Let me know what you think, either in the comments or at Michael@ITKnowledgeExchange.com. Is this truly a networking revolution?


October 28, 2009  2:58 PM

Verizon’s Droid: Coming to assimilate users near you



Posted by: Michael Morisy
Android, Google, Mobile

The latest and greatest Google Android device, the Motorola Droid from Verizon, is coming, and Verizon hasn’t made any bones about what it’s targeting with the high-profile launch: Apple and AT&T’s market share, which has skyrocketed to 30% in the past few years. If they’re successful, it will be one more device IT must learn to manage, along with BlackBerry, Windows Mobile, the iPhone …

No wonder the Droid promotional images look so menacing.

