2007/04/20

The End of the Internet, or the Microsoft Users Net-Meltdown?

The 2005 Australian Computer Crime and Security Survey (PDF) reports that at the end of 2004 "the hackers turned pro". The 2006 ACCSS index may be easier for downloads. [In 2016, the ACCSS was replaced by "the BDO and Australian Cybercrime Survey".]

For 2-3 years now, most malware has satisfied the definition of Organised Crime:
it's theft, it's purposeful, it's co-ordinated.

In an August 2006 post, I reported the ACCSS comments and new comments from SANS.

ZDNet now reports that rootkits are becoming increasingly complex and operate by stealth. They say:

Rootkits -- malicious software that operates in a stealth fashion by hiding its files, processes and registry keys -- have grown over the past five years from 27 components to 2,400, according to McAfee's Rootkits Part 2: A Technical Primer (PDF).
If you use a Microsoft system and connect to the Internet without extensive protection, you should be afraid, very afraid. And even large organisations that do everything right are still open to targeted "zero day" attacks. The first Windows Vista security problems are being reported. It's better than their previous efforts, but still contains significant security flaws. The White House mandated a minimum security configuration for all US Federal Government Vista desktops.


2007/04/10

Microsoft troubles - II

Follow-up to a previous post on MSFT hitting a 'financial pothole' by 2010. The numbers look very, very bad to me. The seeming lack of management response and apparent leadership would deeply disturb me as a shareholder...
The Paul Graham piece Microsoft is Dead and its follow-up were the prompt for this post.

2007/04/09

Startups: selecting and nurturing.

A comment on Paul Graham's post Why to Not Not Start a Startup.

Paul, along with Robert T. Morris (author of the 1988 Morris Worm, now an MIT associate professor), runs a venture capital firm.
They run Startup School as well. An exceptional idea.

At the end of this is a list of Paul's 16 points.

2007/04/08

Web 2.1 - Meta-tags by default

Why do we need fine products like Content Keeper, when the problem is one that should be solved at source?

[11-Apr-2007 Addition]
The "Kathy Sierra" affair caused Chris Locke, co-author of the Cluetrain Manifesto, to post his version/take. My take, from reading about the affair:
This whole affair unfolded because "Web 2.0" not just allows, but enforces, anonymity. Provable identities don't exist.

In an hour's scrolling through posts, I never saw this point [or anything like it] made.
How far would this thing have gone if the police could've tracked the posters quickly and unequivocally?
Presumably within a day or so the perpetrators would've been identified and action initiated, legal jurisdictions allowing.

There are good reasons to allow & support anonymity on the Web - "Freedom of Speech" is part of it, along with denying political suppression and enabling 'whistleblowing'.

But the ugly human stuff of stalking, intimidation and control-by-fear need effective checks and consequences.

[End Addition]

Knowing the type of content you are downloading is a basic right - the same way that we don't go into newsagencies, bookshops and libraries and get surprised by the content. The same way that various TV stations will broadcast 'social content' warnings before some programs (violence, 'disturbing or graphic images', 'images of deceased people' and even 'images of surgery'). Our society has very well developed methods of flagging content that some audiences may wish to avoid - right up to full TV, movie & print "classification" and censorship. Plus we have blanket bans, enshrined in legislation, on things like "kiddie porn" and "snuff movies".

Simple-minded banning of pages based on keywords or URL makes a priori judgements of what will and won't offend the audience - or, under high-control regimes, what is or is not banned/seditious material. Then it becomes a simple "arms race" - two camps competing against one another (attack and defence), and by definition the reactive side can only respond once a new exploit/mechanism is noticed and identified. Yep, it's effective against people obeying the rules, but at the price of massive collateral damage and never being sure you're not compromised.

Generally, the USA is particularly sensitive to sexual matters, but not to violence. Sweden mostly has very different mores...
Filtering all pages that mention 'breast' or its (English language) derivatives and colloquialisms fails in many ways: it is especially bad for medical & pregnancy content ('false positives'), it is easily circumvented by misspelling, obfuscation or using images ('false negatives'), and it is completely irrelevant for non-English language pages.

In the world of IT Security, this is why we now have Firewalls and Intrusion Detection Systems [and now systems that actively seek to confuse/entrap/counter attackers]. Funny - just like in the real world.

I'm thinking the web server is the place to insert consistent meta-tags into content.
And that requires at least two publication stages beyond the author - reviewer and editor/publisher - [as described by Peter Miller in his Aegis documentation piece (82Kb PDF) Aegis Is Only For Software, Isn't It?].

Nothing publicly published should go untagged - and that needs independent review and an enforced process to
[OK, so where does that leave the wonderful world of 'blogs'?]
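One way to enforce that process at the web server, as an added example that is not code from the original post or from Aegis: the review step is separated from authorship, unreviewed content is refused outright, and the server's meta-tag overrides anything the author supplied. The function names, the "content-rating" meta name and the three rating values are assumptions.

```python
# Added example, not from the original post: a server-side publication gate
# for the author -> reviewer -> publisher stages proposed above. Names, the
# "content-rating" meta tag and the rating vocabulary are assumptions.
import re
from dataclasses import dataclass

ALLOWED_RATINGS = {"general", "mature", "restricted"}
META_RE = re.compile(r'<meta\s+name="content-rating"[^>]*>', re.I)
HEAD_RE = re.compile(r"<head(\s[^>]*)?>", re.I)

class PublishError(ValueError): pass

@dataclass
class ContentRecord:
    author: str
    html: str
    rating: str = ""      # set by the reviewer, never by the author
    reviewer: str = ""

def review(rec, reviewer, rating):
    # Separation of duties: authors may not classify their own pages.
    if reviewer == rec.author:
        raise PublishError("reviewer must be independent of the author")
    if rating not in ALLOWED_RATINGS:
        raise PublishError(f"unknown rating {rating!r}")
    rec.reviewer, rec.rating = reviewer, rating
    return rec

def inject_meta(html, rating):
    # Server tag is authoritative: drop any author-supplied one, put ours first in <head>.
    html = META_RE.sub("", html)
    tag = f'<meta name="content-rating" content="{rating}">'
    if HEAD_RE.search(html):
        return HEAD_RE.sub(lambda m: m.group(0) + tag, html, count=1)
    return f"<head>{tag}</head>" + html

def publish(rec, publisher):
    # Nothing goes out untagged: unreviewed content is refused, and the
    # publisher must be a third party to both author and reviewer.
    if not rec.rating or not rec.reviewer:
        raise PublishError("content has not passed independent review")
    if publisher in (rec.author, rec.reviewer):
        raise PublishError("publisher must differ from author and reviewer")
    return inject_meta(rec.html, rec.rating)

def rejected(stage, *args):
    # True when a stage refuses, so the gate can be checked without try/except.
    try:
        stage(*args)
    except PublishError:
        return True
    return False
```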

We live in interconnected communities, now global in Cyberspace. All of us have sensitivities that should be respected, and the publishing world has, over many centuries, evolved a tradition of "no surprises". It's a convention that has served us well before Cyberspace; it would serve us there as well or better - with everyone "just one click away" from your content.

Free Speech is only a Right in some countries.
Censorship is a given and necessity, even in the most "enlightened" countries - where it might be called 'national security' :-)
And there are globally shared mores/values/injunctions against such things as child pornography and worse.

It's not an even playing field, and will never, can never, be.

My opinion is that laws like the DMCA [USA - Digital Millennium Copyright Act] and the Australian "anti-spam and pornography" laws [no refs] are wrong-headed and irrelevant at best - and counter-productive at worst.

With the Global Net and One Shared Cyberspace, and many cultures, beliefs, religions, etc etc, "Web 2.0" needs to add: mandatory content tagging.

Then we can abide by our tried-and-true convention "no surprises" and respect all our differences and sensitivities.

2007/04/03

Selling Good Governance - I.T. Services Audits

IBM got to be bigger, by turnover, than everyone else combined for nearly two decades, accounting for up to 60% of IT sales. One of the chief factors was that they were good salesmen - they knew their audience: who to target and what those people wanted (and only sell to people who can sign the cheque!).

IBM didn't sell to "techos" - but managers, the more senior the better. They talked their language (cheaper, better, faster) and gave solid "Dollars and Cents" Costs and Benefits. They got to come back because they generally made good on those promises.

Selling I.T. Services Audits, Security and Continuity


These functions are Governance related and should be controlled by, and reported directly to, Board level - not senior management or even the CEO.

Board Pitch


Can your Business run without Accounting??
  • No!

Can it run without its I.T. services?
  • No!

What part of your business isn't affected by I.T.?
  • None!

Why do you have Accounting Audits?
  • "Have to" - regulatory requirement.
  • "credibility enhancer" - investors and owners can trust the figures claimed.
  • Integral to Good Governance. The things the Board wants done are being done.

Why don't you do I.T. Services, Security and Continuity Audits?
  • Ummmmm?


If you're entrusted with husbanding other people's money, not assuring and insuring the I.T. Services of the business isn't sound practice.

Major failures/events in any one of these functions are high impact: they are "Bet the whole company" events.
The sort of decision that the owners need to make, and make consciously.

Supporting Facts


From a Sarbanes Oxley site:
Fifty percent of companies that lose their data go out of business immediately and ninety percent don't survive more than two years, according to research firm Baroudi Bloor International. ...
Only three percent of all data loss is caused by fire, flood and other such disastrous events. The most common causes are hardware or system malfunction (44 percent), human error (32 percent), software corruption (14 percent) or viruses (7 percent). ...
And remember, without your business's data, there's no business at all.


In a brief report on a fire in a British Telecom hub in Manchester affecting 136,000 phone lines:
  • 86 percent of firms affected found the fire was disruptive and it had an impact on voice communications in 60 percent of those polled....

  • Just 34 percent had a disaster recovery or business continuity plan in place ....

  • Those polled showed low awareness of solutions, nor did most appreciate the need for business continuity planning. 71 percent saw little value in automatic call diverts in emergency situations and 70 percent of those polled were unaware that banks expect businesses applying for loans to have a proven disaster recovery plan in place.


In 10 Steps to surviving a disaster (PDF):
According to the Association of Records Managers and Administrators, about 60 percent of businesses that experience a major disaster such as a fire close within two years. According to Labor Department Statistics, over 40 percent of all companies that experience a disaster never reopen and more than 25 percent of those that do reopen close within two years.


And from Glen Abbot, Scotland’s leading supplier of Business Continuity Services.

Business Failure

A business failure is defined as:
"An occurrence, and/or perception, that threatens the operations, staff, shareholder value, stakeholders, brand, reputation, trust and/or strategic/business goals of an organisation."

In a five-year period, twenty percent of companies within the UK will suffer some kind of serious disruption to their operations. This may be as a result of an IT failure, emergencies such as fire or flood, or some other unplanned disruption. Eighty percent of those companies who suffer a serious disruption suffer severe losses or fail to survive in business during the following eighteen months (National Audit Office).


And yet more in the Reader Comments section of this piece on 'Continuity Central'.

2007/04/02

Three Metrics to change our business

In a previous post, Research Outline, 3 sets of metrics were proposed that, if applied consistently across large organisations, would change the face of our industry (IT&T), perhaps even support the transition to a Profession.

"IT is done for a Business Benefit"


After 50+ years of doing it, we are looking at the end of the Silicon Revolution by 2010. Already we've passed the end of Moore's Law for CPU speed [Q1-2003]. But more than that - Business & Government are getting hard-nosed about IT&T delivering 'value'.

The IT recession we're just coming out of was a direct reaction against the perceived needless waste of Y2K. The other, in 1991, was the marker that all the 'easy wins' in IT had been achieved and IT itself could be cut.

Big Business and Government account for over 60% of the Australian GDP. Around 45% of GDP is influenced directly by IT&T - with an investment rate of around 10% - $45Bn/year for 'the majors'. Globally, multiply this by 50-60 times. [Source: ABS surveys]

Compare this to the ~$50Bn earnings by all companies listed on the ASX. Leveraging IT&T whilst containing costs is a central concern of all good business execs - and becoming more so. Shaving 1% off IT&T inputs goes directly to the bottom line and allows good companies to easily outperform their competitors.

My belief is that the first people to adequately address these questions in quantifiable terms will dominate the market. And what better way to charge than a percentage of the realised savings? For a consulting firm, that's putting its money where its mouth is...

Metrics


The three sets of figures I'd like to produce are linked to this central question: Doing More with Less.

  • What's the leverage IT&T gives us? [Virtual Employees]
    • Year on Year reporting from a consistent base.
  • Where do our IT&T costs go? [Standard reporting in Business Inputs and Outputs]
    • Are we getting a good deal from our IT&T?
    • Comparing to what?
  • How effective are our IT&T processes? [Benchmarked KPIs]
    • If ITIL is the answer, how well are our folks doing it?
    • How much more room for improvement is there?


And the worst thing that could happen is: you find out your IT&T people do a good job.