If you’re not already restricting your workstation’s user rights, then, as my colleague Bryan Young put it, "shame on you." However, there are some scenarios where you may feel that a user needs administrative rights, and this report will certainly encourage you to second guess that thought. These numbers shouldn’t be surprising. Malicious code typically gains access via an opened file or application. Thus, this bad code will run initially as the particular user that accessed the host file. If that user doesn’t have the necessary access to change system files or settings, then it makes the life of malicious code that much more difficult. Obviously, some exploits allowed this malicious code to be run as the administrator, and thus why restricting user rights is not an end-all solution.

For Beyond Trust’s study, they examined the list of vulnerabilities posted in the last years worth of Microsoft Security Bulletins. Going over each vulnerability, Beyond Trust determined whether or not a user’s rights had any effect on the vulnerability. After these tests, the results were broken down to, not only general Microsoft vulnerabilities, but also Microsoft Office and Internet Explorer security issues.

For Microsoft Office, a surprising 100% of vulnerabilities could be thwarted by restricting user access. For Internet Explorer, almost all security holes could be resolved via rights. In IE 8, 100% were fixed, but only 94% of exploits were thwarted when you included all versions of IE. In OS related vulnerabilities, only 53% are mitigated when restricting user access. I say "only 53%", but in reality this is a significant addition of security – potentially doubling your security holes if you fail to restrict user access.

Be advised that though these numbers look really strong, simply restricting user access is not an alternative to staying up-to-date on your system updates and patches. It is, however, a standard practice that should be practiced in all networks, companies, and even personal desktop environments.

Network neutrality is the philosophy that all things related to the network of the internet be neutral, i.e. unregulated. In a completely neutral network, there would be no regulations on what can connect to that network and what data can be transferred across that network. This is the environment in which the Internet has grown in and thrived upon, and thus the environment that most Internet purists strive to maintain.

However, the issue with this idea of neutrality is the Internet is now a vessel of capitalism. Capitalism revolves around the creation and protection of wealth. Therefore, it has become in the best interests of many players in this industry to begin to protect their wealth. An example of where this protection of this wealth clashes against net neutrality is the Comcast and BitTorrent issues. As you may recall, Comcast began capping the rates at which their subscribers could use BitTorrent transfers. In Comcast’s defense, it was a matter of protecting their services for all their subscribers. The bandwidth required to support BitTorrent had never existed previously, and was a strain Comcast was not ready to support. On the net neutral end of things, what gave Comcast the right to dictate what John Q. Public could or could not do on the Internet?

Like many political documents, Google and Verizon attempt to avoid clearly defining their stance on net neutrality. It doesn’t appear that Google and Verizon intentionally sought any policies to hinder net neutrality, but by omitting language to specifically foster net neutrality, they opened the flood gates of opposition. For example, a specific clause of “Network Management” was introduced, encouraging the right of an ISP to “engage in reasonable network management.” This clause was skillfully crafted in such a manner to ride the fence of net neutrality. If this was a legal language that existed when Comcast decided to control BitTorrent usage, the outcome of that situation would not have been any more clearly defined than it was without this kind of guideline.

Google’s position shown in this document, is somewhat of an identity crisis. Google’s lifeline is this free and open Internet. However, Google must work with the other big players in the net to create a framework in which Google’s capital interests can be protected. It will be interesting to continue to follow how and what legal entities get involved. One thing is for certain: despite any goodwill shown by any of the parties involved, network neutrality is at risk.

See also:

http://googlepublicpolicy.blogspot.com/2010/08/joint-policy-proposal-for-open-internet.html

http://googleblog.blogspot.com/2010/08/facts-about-our-network-neutrality.html

According to USNews.com, Network Architects will see expansive growth going into 2010. Of course, this should leave you with a smile and some hope if you’ve been having trouble finding work as of late. According to their estimates, the occupational section that network architects fall under (computer science) will grow 53.4 percent by 2018.

To couple with this good news, the Wall Street Journal has also written that growth will occur in the computer-network administration field. With this information there’s of course a positive side, but like all things could have unforeseen consequences.

With a highly needed position, competition will undoubtedly grow. This leads to the field expanding, which is a good thing, but it also means you have to appear as more of an asset. Education being your first step in improving your resume. With younger recruits coming out of college, it can seem they might have a step ahead. Network technology is continually growing and changing, therefore staying informed is the key.

There are a slew of options available for keeping informed. Here are a few places to take a look at if you wish to expand your knowledge-base:

Ashworth College
University of Phoenix

While education is a must, experience is more important. Whether you’re out of work or currently have a job, now might be the time to look for an upgrade. With growth going into 2010, jobs with better pay, working conditions, and benefits might be out there lurking. You can search for these jobs by traditional means, classifieds, Monster.com etc…

Somewhere else to keep a look out for networking positions is social media. With LinkedIn being the best example, there’s a huge movement to look for potential talent in social networks. Create a LinkedIn resume, and get your name out there. Before you know it, a new position could present itself all because you took 5-10 minutes to create an online resume.

The networking field expands, and with the right frame of mind, you can stand to profit from it. I’m not talking about money, but expanding your horizons. With numerous amounts of different fields going virtual, they all need an expert.

Miko said he is working on a long paper on cloud adoption and shared some of the thoughts he is working on. He began with a definition of an enterprise as an organization that requires size, and longevity to carry out its mission. This has implications for IT. First longevity tends to create IT segmentation and silos and this leads to complexity in IT supply. Size and growth create organizational fragmentation that leads to complexity in user demands on IT. These factors can impact IT strategies. For example, SOA can be a rational response to simplify the complexity of IT supply but it can fail to address the complexity of user demands in not implemented correctly.

Miko puts these complexity factors in a 2 x 2 grid. Organizations tend to start in the simple supply and demand quadrant. The ideal situation would be a simply IT supply that can meet complexity users needs. However, most organizations have developed a complex IT supply before all of their complex user needs had emerged. So, lacking a green field, this approach becomes difficult. If there is already a complex IT supply, the cloud can add to complexity, rather than simplifying it.

Now I asked Miko how can you be successful in this typical situation. He replied that several factors need to be present. First you need a mature understanding of how the behavior of the organization connects to the mission. This requires strong leadership. Then you need an enterprise IT architect that reflects this understanding. Unfortunately, most IT architectures are limited to IT issues and not business issues. It is not about optimizing IT, but optimizing the business.

This lead us to a discussion of process. Miko said that processes are done at the micro level. Part of the challenge for an organization is to become best in class in the many niches that their processes inhabit. Processes are often done in a silo and not at the enterprise level. The goal should be to align these silos but not to tear them down. Miko said that the goal of enterprise 2.0 is not to break down silos but to align them allow for cross-silo communication and collaboration.

This makes a lot of sense to me. It reminded me of some work I was involved within the early 90s that was done in the spirit of enterprise 2.0 but with the tools of the day. In a property casualty insurance company we created new processes for underwriting, claims and sales. The best practices of the organization where embed in individual applications. Then these applications were aligned and connected. We were trying to break down silos of communication but not silos of processes and applications. These latter two types of silos were essential for efficient processes and should not be destroyed. Now alignment of silos along a value chain is an enterprise level task and can benefit from enterprise 2.0 approaches.

This line of thought took us back to the question of cloud computing. To be successful it needs to recognize and deal with the complexity of user needs and the alignment of silos, but not the destruction of necessary silos. I am sold.

Comments

Funny Pictures

So here are some of the generic statements (aka “facts”) that I see daily:

• Cloud is not secure
• Application  XYZ failed therefore the cloud is a failure
• You are crazy if you put mission critical applications in the cloud

I could go on and on but you get the point.  So let’s discuss these “facts” one at a time.

Cloud is not secure

This one drives me nuts!  I heard a well respected industry analyst at a well respected conference declare “I just don’t understand how you can put customer data in the cloud.  When you buy Amazon, you don’t buy security”.  I raised my hand and asked, “When you buy a rack of servers from IBM, are you buying security?”.  The point is, you don’t buy security, you architect for it.  Whether you are using a SaaS, IaaS, or PaaS provider, you must understand what security features are addressed, what isn’t, and what the risks are.  Then you must design to mitigate those risks.  It is not different than what you should be doing on-premise.  Understand your requirements, and build (or buy) the appropriate solution.  So to sum it up, the cloud by itself is often not secure enough.  You may outsource your infrastructure but don’t outsource your brain.  There are still things you must do to secure your systems and services in the cloud.

Application XYZ failed therefore the cloud is a failure

Whether it is GMail, Tmobile losing Sidekick data, Ma.gnolia database crashes, or Coghead going out of business, any failure of an off-premise solution seems to feed the myth cloud computing is too risky.  However, we continue to fail miserably each day with our on-premise solutions but we can keep it from the press because it is behind our firewall!  In each one of the above mentioned failures, the issue lies with operational issues on the side of the provider and not issues with the cloud infrastructure itself.  I would argue that GMail, which is free, is at least as reliable than most corporate Microsoft Exchange implementations (at least for the companies that I have worked for in the past).  Also, if you are using SaaS solutions, you should have a mitigation strategy in place for lost data.  Outsource the business processes but not your brain!  You still need business continuity, disaster recovery, record retention policies, etc.  And when did on-premise become so perfect? How many companies do you know keep the lights on by having employees run around with duck tape and bailing wire plugging up the holes in the bottom of the boat.  Let’s face it, most failures are due to issues in architecture, design flaws, missed requirements, human error, weak controls, or poor implementations.

You are crazy if you put mission critical applications in the cloud

This one really drives me nuts.  The problem here is semantics and we really should be careful what we say.  It is one thing to say mission critical apps don’t belong in the public cloud and another to say it doesn’t belong in any cloud (which is how it often gets interpreted).  But even the term mission critical means different things to different businesses.  Even though you and I might not see Twitter as a mission critical application to our business, it is for others.  Some companies exist solely because they leverage Twitter’s APIs to deliver their products and services.  Now we all know Twitter’s track record of reliability.  But their performance and up-time was failing miserably before they moved to the cloud.  It improved once they migrated to Amazon.  Twitter’s problem is a flawed architecture, it is not a cloud computing issue.  I have written in the past about our secure hybrid cloud solution for processing micro-payments.  As a startup, I would argue that I would be crazy not to build this in the cloud.  In an era where it is difficult to raise money, my costs would increase ten-fold had I opted for an on-premise solution.  I would have to build or lease at least two data-centers and staff them accordingly.  Instead I can use a combination of cloud vendors coupled with a sound architecture to secure these transactions and meet all regulatory requirements.  If I already had an existing data-center, I would not have been forced to look beyond the opinions of others and try to solve the security and compliance requirements that my business required.  I just think that many people’s opinions about the cloud are focused primarily on their specific business models or domains.  So what may be true for their world does not necessarily apply across the board. We tend to generalize too much.

Summary

There are many opinions out there about cloud computing and there are many smart people offering them.  Unfortunately, many of these these smart people have not rolled up their sleeves and tried to solve real business problems in the cloud (nor do they need to).  In my case, as a matter of survival, we had to find out for ourself.  By no means, do I consider myself an expert in cloud computing.  But I do believe that spending a year actually working on delivering enterprise solutions in the cloud from scratch does entitle me to challenge the opinions that are deemed facts.  At the end of the day, it all comes down to knowing your business and technical requirements and applying sound architectural practices to provide a secure and compliant solution, whether it is in the cloud, on-premise, or both.

Comments

LinuxQuestions.org came in my help, suggesting simply to delete some network files because apparently those files get corrupted when the battery runs out.

To fix it type the following comand on the command line sudo rm -rf ~/.gconf/system/networking or follow this step by step guide.

1. From the regular Aspire One options page, go to the Files panel

2. Click on the triangle to see more icons

3. Click on MyFiles, which opens a file manager window.

4. In the menu bar, select View->Hidden files, to show a tick in the box. (Sorry, I’m translating from a German display, so the option names may not be spot on.)You should be in the “My Disk:///” directory.

5. Find folder “gconf” and click on that

6. Find folder “system” and click on that

7. You should now see folder “networking” listed as one of the folders.

8. DELETE IT! (Right click on the networking folder, and select option delete.)

Okay, once you have recovered from the fear of deleting goodness-knows-what-file because you are just following some internet instructions, you have to re setup your wireless connection:

1. Shut down all those windows, and go back to the regular Aspire One options page.

2. Click “Settings” on the bottom right.

3. Click icon for “Netwrok Center”. If this works, and a window pops up then it’s going well.

4. Click on “New”, and follow the on screen instructions to connect and re-setup your WLAN or LAN.

Comments

This led me to start this discussion which is most excellent because it shows how to do password security right. I’ll be honest, I’m going through right now and changing all my passwords because I was practicing several of the bad practices that Twitter’s employees were. I bet many of you are doing the same stupid things too.

While I’m on this topic, last week the hard drive in my Mac died. I lost a few days of videos and emails because I wasn’t backing up as often as I should be. Naughty me. The drive just stopped right in the middle of me working. Apple replaced the drive but that didn’t help me get back the videos and emails. Today I’m setting up my new hard drives with JungleDisk. I don’t care what you use to back up, but I know lots of you aren’t. I bought a couple of 1.5TB drives from Seagate, too. Costs $159 at Best Buy and probably cheaper online. No excuses for not backing everything up now. You haven’t done it, have you? (I know most people don’t back up).

Anyway, just a friendly reminder to pay attention to these things before you get bitten.

Comments

Dave’s Answer:

The way that Mac OS X and its underlying Unix foundation are designed, it’s relatively easy to set up account and computer names and related on first run, but can be quite complicated to change them once you’ve gotten apps installed, documents created and otherwise have used the machine for a while.

In fact, I recently changed the admin account on a MacBook, including the home directory, and it took almost half an hour of careful steps, most done from the Terminal at the command line, before I was convinced it was done correctly and wouldn’t blow up on the new owner of the system when they tried to restart or log in. (if you’re trying to do that, you might well find that the Apple support docs are insufficient for 10.5 and above too)

Changing the name of your used iMac on the network shouldn’t be quite so difficult because there’s a place in the System Preferences to do just that, but what is a bit tricky is that you have to change the name twice for it to work.

First off, go to Apple –> System Preferences…. You’ll see this:

What you seek here is “Sharing”, almost exactly dead-center in the window.

Click on it and you’ll jump into the sharing configuration window:

As you can see, I already have a name collision on my network, which is why this computer is identifying itself as “Dave’s MacBook Pro (2)”: the “(2)” is added by Mac OS X when it finds another computer on the network with the same name. Not so good, but let’s fix things in order. First, click on the “Edit…” button:

Change the computer name here to what you want to have as your computer’s identity on the local network, and click “OK”.

Now, while you’re at the main Sharing window, change the name here too:

If you close this window and restart the computer, you should find that your iMac now identifies itself with the new name you’ve specified.

Good luck with your new Apple iMac!

Comments

Unfortunately for all the hope I might have for these roadblocks of change being removed or for more hurdles of authority being removed the scary part is that for every one we remove two are replacing it. For every story we hear about how social media services have done some good thing we hear ten stories of some new way those in power seek to extend their control. Whether it be the English government passing a law to make photographing the police illegal through to the RIAA encouraging ISPs to remove peoples access to the net we are seeing a rise of repressive policies. While our freedoms on the Internet might appear to be growing there is also an obvious move in our offline lives to take away our freedoms. Source: WinExtra

I have spent the better part of 22 years in industry as an information security person, and I know exactly how easy it is to bypass many of the restrictions that are put in place already. If you take a look at Cuba, people have been silently bypassing authority there in the few ways that they can, the same holds true in China, the Middle East and even in England, no matter what hurdles are put up, there are ways around them.

Systems like TOR, Proxy Systems, even hopping the local non-encrypted wireless connection carelessly left open by your next door neighbor all leave open the possibility of bypassing authority. Server jumping, dynamic DNS, free hosting, drive by propaganda dropping, private video systems, long forgotten bittorrent servers, insecure networks, all these open the door to bypassing the regime. I spent the better part of my working career trying to convince people to fix these things, along with just about every other information security professional out there. Fortunately for people who need to dodge government controls, these systems exist by the hundreds of thousands on the global network. Satellite phone systems, disposable cell phones, SIM cards, all make hiding and evasion easier. The more disposable the easier it is to hide your message in the noise.

People every day bypass firewalls, even the great firewall of China cannot keep up with the internet. People every day bypass corporate controls on their networks, every day we see malware that uses DNS shifting techniques making it harder to hunt down the primary servers that control the botnet. These same techniques are used for people to spread their message or their propaganda worldwide. Even under the Taliban in Afghanistan, people worked out some very clever ways of getting information out of the country when the entire network was controlled by a “repressive regime”. What works for people bent on destruction can work in the same way for people whose intent is to get the word out and do good or spread a message.

Social networking is about the message and the ability to fire back and start a conversation, some messages will get out no matter what and start conversations if not on line, in darkened living rooms because people live in fear. We have not hit the bottom of what people will try, and it worries me to think that when we were at Waterloo Station, I took pictures of the local police services responding to an incident when they shut down Waterloo station. If there had been a real issue, those pictures would have been news worthy, if England passes the law, I would be arrested rather than having the scoop of the century. I was the only one there with a camera when they shut down the station. That worries me, but there are ways around that, I don’t even need to look like I have a camera on me. Taking a look at the current state of investigative reporting and hidden cameras, things will always get out, things will always be taped, recorded, viewed, shared, commented, and otherwise distributed on the internet.

Do the laws matter, yes, but humans have been very clever in working out ways around laws they do not like or agree with. I would expect no different in the future, based on 4000+ of recorded years of human history.

Comments