Enterprise IT Watch Blog


October 20, 2009  11:20 PM

Everyone hates your insecure password rules

Michael Morisy Michael Morisy Profile: Michael Morisy
Nick Summer spent an entertaining afternoon with William Cheswick, author of Firewalls and Internet Security: Repelling the Wily Hacker and a godfather, at least, of modern password policy. It’s a follow up to an earlier piece about how broken password systems are, while offering a peak at what Carnegie Mellon University’s cyber-security-research department and others are doing to fix it.

Cheswick himself offered up some alternatives: Continued »

October 19, 2009  4:39 PM

Medical malfunction reminds some bugs bite harder

Michael Morisy Michael Morisy Profile: Michael Morisy

The latest GMail outages may have stolen some of the thunder from cloud computing, but Wired’s ThreatLevel reminds us IT failures can do a lot more damage than momentarily lost e-mail and contacts, even if they aren’t a cloudastrophe:

The maker of a life-saving radiation therapy device has patched a software bug that could cause the system’s emergency stop button to fail to stop, following an incident at a Cleveland hospital in which medical staff had to physically pull a patient from the maw of the machine.

The bug affected the Gamma Knife, a device resembling a CT scan machine that focuses radiation on a patient’s brain tumor while leaving surrounding tissue untouched. A patient lies down on a motorized couch that glides into a chamber, where 201 emitters focus radiation on the treatment area from different angles. The patient wears a specialized helmet screwed onto his skull to ensure that his head doesn’t move and expose the wrong part of the brain to the machine’s pinpoint tumor-zapping beams.

Sounds like a set up for either a sci-fi spectacular or horror schlock, but such accidents highlight the danger imperfect code can pose, particularly when it comes to radiation therapy, which has seen more than its fair share of faults.

Some recommended reading: Wired: History’s Worst Software Bugs; WhatIs.com’s Bug Definition; Pingdom’s 10 historical software bugs with extreme consequences


October 15, 2009  4:10 PM

Cisco’s Tandberg acquisition faces stockholder scuttling

Michael Morisy Michael Morisy Profile: Michael Morisy

Where’s Jack Bauer when you need him? The 24 hero and Cisco Telepresence booster could surely help ram through Cisco’s attempted Tandberg acquisition. It would even be a bit poetic, since it’s a 24% minority of Tandberg investors who are nay-saying Cisco’s $3 billion offer.

Of course, it might take more than Bauer’s signature swagger to convince stockholders to sell: Even in the world of high-definition video communications, nothing speaks like cold, hard cash. As Shamus McGillicuddy reports on the Cisco-Tandberg deal at Unified Communications Nation:

According to Reuters (via GigaOm), Swedish brokerage SEB Enskilda has told Cisco that it represents 21 shareholders who own 24% of Tandberg’s stock, and those shareholders want more money.  “We think the price is too low,” Amund Lunde told Reuters. Lunde is CEO of life insurance firm Oslo Pensjonsforsikring, which owns 1% of Tandberg, It’s not clear what it would take to win over these holdouts, but clearly Cisco will have to dig deeper to get a controlling interest in the company.

Shamus goes on to note that some management sweeteners might be the reason which top Tandberg executives were so keen to close.


October 15, 2009  1:13 PM

Finding an IT match made in heaven

Michael Morisy Michael Morisy Profile: Michael Morisy

Choosing the right contractor or product integrator can mean the difference between smooth sailing and endless headaches. At a recent IT user group meeting, one contractor told me that often, it was as much personality matching as technical expertise (although the latter never hurts) that makes the relationship work. Ben Gladstone offers some tips on picking an IT supplier:

  • If you opt for a fixed-pricing model, ask whether maintenance contracts and warranties are included, as well as management of contracts and interactions with equipment suppliers. Check that your pricing is transparent and watch out for any hidden extras.
  • Go for a one-stop shop that offers hardware, software, networking and support. This will avoid the need for multiple suppliers and finger pointing.
  • Go for a medium-sized supplier that offers breadth and depth of skills.

The rest of his Q&A, with some other great tips, is up at ComputerWeekly.com, and is likely worth a look even if you’re not specializing in virtualization.

I’d love to hear your thoughts: When choosing a partner for a large project, what are the qualities you value most? Do you get the best luck with personal recommendations, or just trust your own instinct? Let me know if you have any advice to share at Michael@ITKnowledgeExchange.com, on Twitter at @Morisy or @ITKE, or right in the comments. If requested, I’m happy to keep your information private.


October 13, 2009  2:10 PM

Google Wave as status symbol

Michael Morisy Michael Morisy Profile: Michael Morisy

I’ve previously written that early Google Wave accounts are most useful to developers: The service is, as Google promised, quite buggy, and the available features are still only touching upon Waves’ potential (I think it will only really get interesting when they throw open the gates and allow organizations to get their hands on it company wide, but that will come).

That hasn’t stopped Wave invite buzz from hitting eBay, including an offer (of unauthenticated veracity) as high as $27,000. Well before it got to this point, Google Wave hysteria has already become more of a status symbol than a technology demo, at least as far as coverage is concerned: Were you within 6 degrees of separation from the Google big-wigs making the list? Could you get your invite to the party?

It’s Gartner Hype Cycle meets Who’s Who in a small, geeky echo chamber. And after Scoble’s Wave attack, others have joined the fray, with techie PR meister Steve Rubel saying it’s like RSS … and dead on arrival. Alex Salkever offers a good summary of other Wave criticism, but maybe the biggest point: Google Wave antipathy is the new black.

Fortunately, if Gartner’s over-hyped Hype Cycle is a good predictor, we’ll soon see Wave’s true power as people stop talking about it and start actually kicking the tires, revving it up and putting it through the paces.


October 8, 2009  8:15 AM

How to find security Samsara

Michael Morisy Michael Morisy Profile: Michael Morisy

Samsara: In Buddhism and Hinduism, the endless round of birth, death, and rebirth to which all conditioned beings are subject. – Britannica Concise Encyclopedia

At last month’s Boston NAISG meeting, Zach Lanier gave an excellent presentation entitled “Disclosure Samsara: The Endless Responsible Vulnerability Disclosure Debate.” He’s since posted the slides, with a shorter summary also available.

The gist of Zach’s talk was that security researchers and the major software firms they cover are in a constant, mutually destructive cycle: Since much security exploit research, particularly for cross-site scripting (XSS) attacks, involves at least technical legal violations, researchers make themselves vulnerable to lawyer’s threats if they go approach vendors with discovered vulnerabilities.

When researchers do still go forward, there’s often strong disagreement about when public disclosure will happen, if at all (researchers typically strongly favor disclosure because it’s the only way they’ll be credited for their discoveries).

On the other side of the fence, there are lawyers, corporate goons … and developers who feel they’re being held hostage by pay-to-play schemes. In covering network vulnerabilities, the latter was the usual excuse, lame or not, for why vendors refused to discuss vulnerabilities with researchers.

Zach’s presentation outlines some of the benefits a peace agreement could be bring, including letting system administrators and security professionals craft workarounds more quickly, ultimately lowering the chance of a successful breach when an organization is on top of its security news.

Legislation has a done a good job in pushing companies to disclose when there have been security breaches involving user data, but could it be used to help security researcher/vendor tensions and work for the good of the overall (generally law abiding) IT community? After all, it’s often these vulnerabilities (though behind human error) that allows for these breaches in the first place.

The immediate answer would seem to be ‘no’: Allowing “research exemptions” to laws like the DMCA has worked poorly, if at all, in the past, and allowing greater legal leeway for researchers that are often misunderstood already seems like a tricky political sell even in the best of times.

Any legislation that did emerge could well cause more harm than good.

But what other options are there for a broadly applied vulnerability disclosure framework? Is “Samsara” even a realistic goal? Perhaps, and perhaps in the slow, piecemeal form it has taken: A more enlightened vendor here who offers a process to work with researchers, another security firm  there willing to consistently abide by RFPolicy or another disclosure framework.

What are your thoughts? Are security research disclosures more public nuisance than public good, or should there be a better understanding between companies and researchers when it comes to full disclosure? I’d love to hear your thoughts in the comments, or directly at Michael@ITKnowledgeExchange.com. I’ll keep your information private if requested.

Related:


October 7, 2009  1:41 PM

Why you should fire your Hotmail users

Michael Morisy Michael Morisy Profile: Michael Morisy

At mid-sized and larger companies, the question is not if data has been compromised in the recent Hotmail, Yahoo and GMail phishing attacks, but how much and how effectively the company can recover without embarrassment, fines or worse.

The truth is many modern knowledge workers don’t care about IT policies designed to protect sensitive data, and these employees often workaround HR policies and even IT controls on e-mail and files. Even Alaskan governors have been burned, after all. But with 8% of companies firing employees for social networking-related offenses, how many companies actively seek out and discipline employees for forwarding the occasional “internal-use only” document on their @hotmail.com, @gmail.com, or @yahoo.com address?

In tightly-controlled industries, like medicine and finance, it’s more likely to be common practice with strict enforcement, but time and again I heard even law firms bend the rules or just look the other way for the sake of convenience.

So the question is: Is your personal e-mail policy clear? And is it enforced? I’d love to hear what you see at your own business, so leave a comment or e-mail me directly at Michael@ITKnowledgeExchange.com. If requested, I’ll keep your name and any other identifying details private.

More on personal e-mail in the enterprise:


October 6, 2009  1:26 PM

Is Facebook killing the American economy?

Michael Morisy Michael Morisy Profile: Michael Morisy

As my time reporting for SearchUnifiedCommunications.com wound down, there was one story I kept coming back to again and again: How social media and social networking were playing out in the enterprise. For some companies, social media was the creative lifeblood of their employees, letting them quickly and efficiently connect with the right people more deeply and directly than IM or e-mail allowed. For other companies, all it took was a CEO to stroll down cubicles all tuned to Facebook and the firewalls came crashing down.

But talking with a lot of companies, it seemed the movement was towards a more liberal policy – Freedom with responsibility, as it were – when it came to social networking. Generally, IT departments were at least allowing it during non-peak hours, or for certain departments that could justify the benefits.

Now Mashable brings word that fully 50 percent of companies are blocking social media access, but buried in there was the truly startling statistic: “8% of companies in the US have fired staff over social media misuse.”

[kml_flashembed movie="http://www.youtube.com/v/JIKaIriiK8w" width="425" height="350" wmode="transparent" /]

With those kind of numbers, you’d think that it was Facebook that was single handedly driving all the unemployment as those who still had jobs frittered away their productivity by posting cute animal videos and eBaying. I’m skeptical about what those numbers mean, to say the least: Were some of those 50% of companies limiting social networking during peak hours to conserve bandwidth, for example? Almost none (with a few exceptions) of the companies I’ve spoken to over the year have a black-and-white policy on this stuff, and while nuance doesn’t make eye-grabbing survey data, it often maeks a lot of sense.

Although IT departments rarely have the final word on these policies, I’d love to hear your advice on developing and implementing social media guidelines, from both a technical and policy perspective, since it’s something that almost every enterprise has started confronting. I’ll try and write up some of the best ideas later this week, so feel free to leave your thoughts in the comments or e-mail me directly at Michael@ITKnowledgeExchange.com.


October 6, 2009  8:18 AM

Shake things up to catch a cybercrook

Michael Morisy Michael Morisy Profile: Michael Morisy

Resident expert Kevin Beaver recently pointed to a great post about 5 Ways to Protect Against Employee Theft over at BizMore. It included a lot of common sense advice on security, and particularly data leakage, but one idea stuck out to me in particular:

5. Once in awhile, shake things up. Don’t always have the same employees doing the same things. Theft often comes to light when a person stops working in his or her usual position for a few weeks and doesn’t have the opportunity to cover up any improprieties. Have a manager fill in for employees who are out sick or on vacation. Switch crews around periodically. Move managers between divisions. Enforcing mandatory vacations can be one the best tools for catching crooks.

(emphasis mine)

Mandatory vacations to catch crooks? Sounds like a win-win to me. It’s also not a bad way to make sure your disaster recovery (DR) plan has position redundancy: If Steve is the only Cisco sensei you have, you need to make sure someone else gets prepared to hold down the fort if, say, a nasty case of Swine Flu hits unexpectedly.

Any other cybercrime prevention strategies you’ve seen? Let me know in the comments, or directly at Michael@ITKnowledgeExchange.com.


October 2, 2009  9:37 AM

Robert Scoble kicks off Google Wave blowback

Michael Morisy Michael Morisy Profile: Michael Morisy

Wednesday, I wrote about the potential for Google Wave to end up all wet if the rollout isn’t handled well:

An analyst friend of mine, with a less technical background, recently got an invite. He was pretty optimistic about Wave’s potential, but admitted that, as of now, his team had been able to do very little with the offering. There just wasn’t much there for the average end user yet, and if early users are turned off by being prompted by a blank canvas, it won’t matter how great that canvas really is because the word of mouth will be negative.

Well, tech blogger Robert Scoble has now kicked off the discontent with a scathing blog post that rather than replacing e-mail, IM and meetings, Google Wave gathers the worst elements of each:

… it’s a productivity sink if you are trying to just communicate with other people.

It also ignores the productivity gains that we’ve gotten from RSS feeds, Twitter, and FriendFeed.

What do I mean by that?

It is noisy, but the noise often happens way down in a wave deep in your inbox.

This is far far worse than email. (New email always shows up at the top of my inbox, where Google Wave can bring me new stuff deep down at the bottom of my inbox).

It’s far far worse than Twitter (where new stuff ALWAYS shows up at top). It’s even far worse than FriendFeed, which my friends always said was too noisy. At least there when you write a comment on an item it pops to the top of the page.

And, worse, when I look at my Google Wave page I see dozens of people all typing to me in real time. I don’t know where to look and keeping up with this real time noise is less like email, which is like tennis (hit one ball at a time) and more like dodging a machine gun of tennis balls. Much more mentally challenging.

Ouch. But Google’s Android faced early criticism too, and now (thanks in part to the developer community behind it) has won over many former critics. Google Wave’s handler just need to figure out the best way to manage the hype cycle before the service goes belly up due to criticisms like Scoble’s.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: