2007/04/20

The End of the Internet, or the Microsoft Users Net-Meltdown?

The 2005 Australian Computer Crime and Security Survey (PDF) reports that at the end of 2004 "the hackers turned pro". The ACCSS index may be easier for downloads.

For 2-3 years now, most malware has satisfied the definition of Organised Crime - it's theft, it's purposeful, it's co-ordinated.

In an August 2006 post, I reported the ACCSS comments and new comments from SANS .

ZDNet now reports that rootkits are becoming increasingly complex and operating by stealth. They say:

Rootkits -- malicious software that operates in a stealth fashion by hiding its files, processes and registry keys -- have grown over the past five years from 27 components to 2,400, according to McAfee's Rootkits Part 2: A Technical Primer (PDF).

If you use a Microsoft system and connect to the Internet without extensive protection, you should be afraid, very afraid. And even large organisations that do everything right are still open to targeted "zero day" attacks. The first Windows Vista security problems are being reported. It's better than their previous efforts, but still contains significant security flaws. The White House mandated a minimum security configuration for all US Federal Government Vista desktops.


2007/04/10

Microsoft troubles - II

Follow up to a previous post on MSFT hitting a 'financial pot hole' by 2010. The numbers look very, very bad to me. The seeming lack of management response and apparent leadership would deeply disturb me as a shareholder...
The Paul Graham piece Microsoft is Dead and the follow-up were a prompt for this post.

2007/04/09

Startups: selecting and nurturing.

A comment on Paul Graham's post Why to Not Not Start a Startup.

Paul along with Robert T Morris (author of the 1988 Morris Worm, now MIT assoc. professor) run a Venture Capital firm.
They run Startup School as well. An exceptional idea.

At the end of this is a list of Paul's 16 points.

My comments:
1. *the* best piece I've ever read on startups.

2. These ideas don't just apply to technology startups.
They apply to new businesses generally.

3. Walt Disney couldn't make it on his own, knew this and got his brother Roy out of hospital (!) to work with him. Roy outlived Walt. Walt painted castles in the air, Roy built the (economic) foundations.
=> Co-founder good, Creative+Executor great :-)
=> There has to be real trust/loyalty between the founders. With enormous wealth on offer, enough people go crazy & try to take it all. A partner you don't know well can take you down easily.

4. 'Founders', a.k.a. entrepreneurs, are more willing to take *risk* than most people - which means they get pretty comfortable with failure. They are also a special breed.
=> Comfort is the enemy of Change.
=> Change is Risk, but the only way forward.
=> Comfortable people won't pursue a startup vigorously...

5. How do you get your Founders to "put skin in the game"? To have a personal stake in the outcome? (Besides losing their dream - or is that generally enough?)

6. One of the most important personal traits of a great entrepreneur - keeping a journal... Gotta write everything down. Crops up repeatedly in biographies. Richard Branson is quite clear about it - but doesn't relate it to his success. There is supposedly some research that says 1.5-3% of all people write down their goals. Once there was a long-term Ivy League school study (is this apocryphal?) showing that people who wrote down their goals out-performed others by 5:1 or 10:1.

7. People are different. Some are shy/introvert, many extrovert. Shy people don't sift through the large numbers needed to establish 'good networks' and check-out who'd make a good partner.
Many of the best geeks are quiet & retiring folk. They will, by definition, find it hard or impossible to bring along a partner. But forcing someone on them won't work either.
This is a hard problem to solve.
=> A solution is something like your "Startup School", but a little more frequent, to provide a milieu in which these people can mix and hook up. [As conferences and User Groups can do.]

[For a great example of this, see how Paul Allen was treated by Bill Gates and Steve Ballmer on his last project at Microsoft.]

8. The Internet changes everything. But the VC process is still face-to-face personal contact... Silicon Valley was caused by VC firms like "Kleiner, Perkins, Caufield & Byers" bringing money from The East into technology. Even with the hordes of imitators and rip-off merchants, greedy investors flocked and made out well...
Because the place had critical mass - in people and places to meet, and the culture to support it.
These comments are peppered with genuine frustration (& longing) from would-be entrepreneurs.
=> How can the Internet overcome this tyranny?
=> Business is about personal relationships. Can the Net ever replace or augment that critical factor?

9. Technology support. Finding someone who is fluent with a key technology, like hardware hacking, can be critical to the success of a project/startup. When it's not your field, how do you find a way in? Then how do you get taken seriously by an expert??

10. Scaling: small trials and growing entrepreneurs.
My belief is that good entrepreneurs are grown, not born. And that there are predictable growth stages for all companies.
A wealthy friend's advice is: Never attempt anything more than 30% larger than you've done before.
=> Have you thought of building a process to train up entrepreneurs before they enter your funding process?
=> I'm thinking graduated funding levels, starting low ($10k) and in a couple of stages getting to $500k or so.

11. For solid research on what makes *great* employees, see Robert E Kelley's book "How to be a Star Performer"
[http://www.kelleyideas.com/pages/howtobeastar.htm]
Number One Quality: Initiative.
Sounds the same...

12. One of the prime causes of some recent major corporate collapses here in Australia was: "Ignorance, Arrogance and Self-Delusion". They are a powerful triplet that can't be broken through. Witness the non-musical entrants in "American Idol" who honestly believe they are brilliant.
=> How do you sort these out? They'll always have a high opinion of themselves, their abilities and a string of huge accomplishments.



Summary points of Paul Graham's piece:
He is going against the usual practice, debunking some myths and adding his own observations.

1. Too young
2. Too inexperienced
3. Not determined enough
4. Not smart enough [have to be smart enough, not ultra smart]
5. Know nothing about business
6. No cofounder
7. No idea [good people generate them quickly]
8. No room for more startups
9. Family to support
10. Independently wealthy
11. Not ready for commitment
12. Need for structure
13. Fear of uncertainty
14. Don't realize what you're avoiding
15. Parents want you to be a doctor
16. A job is the default

2007/04/08

Web 2.1 - Meta-tags by default

Why do we need fine products like Content Keeper, when the problem is one that should be solved at source?

[11-Apr-2007 Addition]
The "Kathy Sierra" affair caused Chris Locke, co-author of the Cluetrain Manifesto, to post his version/take. My take from reading about the affair:
This whole affair unfolded because "Web 2.0" not just allows, but enforces, anonymity. Provable Identities don't exist.

In an hour's scrolling through posts, I never saw this point [or anything like it] made.
How far would this thing have gone if the police could've tracked the posters quickly and unequivocally?
Presumably within a day or so the perpetrators would've been identified and action initiated, legal jurisdictions allowing.

There are good reasons to allow & support anonymity on the Web - "Freedom of Speech" is part of it, along with denying Political suppression and enabling 'whistleblowing'.

But the ugly human stuff of stalking, intimidation and control-by-fear need effective checks and consequences.

[End Addition]

Knowing the type of content you are downloading is a basic right - the same way that we don't go into newsagencies, bookshops and libraries and get surprised by the content. The same way that various TV stations will broadcast 'social content' warnings before some programs (violence, 'disturbing or graphic images', 'images of deceased people' and even 'images of surgery'). Our society has very well developed methods of flagging content that some audiences may wish to avoid - right up to full TV, movie & print "classification" and censorship. Plus we have blanket bans, enshrined in legislation, on things like "kiddie porn" and "snuff movies".

Simple minded banning of pages based on keywords or URL makes a priori judgements of what will and won't offend the audience - or under high-control regimes, what is or is not banned/seditious material. Then it becomes a simple "arms race" - two camps competing against one another (attack and defense), and by definition the reactive side can only respond once a new exploit/mechanism is noticed and identified. Yep, it's effective against people obeying the rules, but at the price of massive collateral damage and never being sure you're not compromised.

Generally, the USA is particularly sensitive to sexual matters, but not to violence. Sweden mostly has very different mores...
Filtering all pages that mention 'breast' or its (English language) derivatives and colloquialisms fails in many ways: it blocks medical & pregnancy pages ('false positives'), it is easily circumvented by mistyping, obfuscation or using images ('false negatives'), and it is completely irrelevant for non-English language pages.

In the world of IT Security, this is why we now have Firewalls and Intrusion Detection Systems [and now systems that actively seek to confuse/entrap/counter attackers.] Funny - just like in the real world.

I'm thinking the web-server is the place to insert consistent meta-tags into content.
And that requires a minimum of two additional publication stages - author, reviewer, editor/publisher - [as described by Peter Miller in his Aegis Documentation piece (82Kb PDF) Aegis Is Only For Software, Isn't It?].
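The two points above, that a keyword filter fails in both directions and that a server-stamped classification tag is the signal a filter should check instead, as an added Python example that is not part of the original post. The sample pages, the `content-rating` meta tag and its values (G, PG, R18) are constructed for illustration, not a standard.

```python
import re

# The post's example keyword; a real blocklist would be much longer.
BLOCKLIST = {"breast"}

# A meta tag the publishing stage stamps into every page. The tag name and the
# rating values (G, PG, R18) are assumptions for this example, not a standard.
META_RE = re.compile(r'<meta\s+name="content-rating"\s+content="([^"]+)"', re.I)
ALLOWED = frozenset({"G", "PG"})

# Constructed sample pages for the demo (not real sites).
PAGES = {
    "medical": '<html><head><meta name="content-rating" content="G"></head>'
               '<body>Monthly breast self-examination guide</body></html>',
    "obfuscated": '<html><head><meta name="content-rating" content="R18"></head>'
                  '<body>hot br3ast pics - click here</body></html>',
    "non-english": '<html><head><meta name="content-rating" content="R18"></head>'
                   '<body>Heisse Brust Bilder - hier klicken</body></html>',
    "untagged": '<html><body>Roast chicken with herbs</body></html>',
}

def keyword_block(doc: str) -> bool:
    """Naive keyword filter: block if any blocklisted whole word is in the text."""
    text = re.sub(r"<[^>]+>", " ", doc).lower()
    return bool(set(re.findall(r"[a-z]+", text)) & BLOCKLIST)

def declared_rating(doc: str):
    """Rating the publisher declared, or None when the page carries no tag."""
    m = META_RE.search(doc)
    return m.group(1) if m else None

def rating_block(doc: str) -> bool:
    """Classification check. Untagged pages are blocked (fail closed), which is
    the 'nothing published should go untagged' rule in enforceable form."""
    rating = declared_rating(doc)
    return rating is None or rating not in ALLOWED

def compare(pages=PAGES) -> dict:
    """{name: {"keyword": blocked?, "rating": blocked?}} for each sample page."""
    return {name: {"keyword": keyword_block(doc), "rating": rating_block(doc)}
            for name, doc in pages.items()}

if __name__ == "__main__":
    for name, v in compare().items():
        print(f"{name:12s} keyword={'BLOCK' if v['keyword'] else 'pass':5s} "
              f"rating={'BLOCK' if v['rating'] else 'pass'}")
```

The keyword filter blocks the medical page and passes the obfuscated and German pages; the rating check gets all three right and refuses the untagged page only because nobody classified it.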

Nothing publicly published should go untagged - and that needs independent review and an enforced process to
[OK, so where does that leave the wonderful world of 'blogs'?]

We live in interconnected communities, now global in Cyberspace. All of us have sensitivities that should be respected and the publishing world evolved over many centuries a tradition of "no surprises". It's a convention that has served us well before Cyberspace, it would serve us there as well or better - with everyone "just one click away" from your content.

Free Speech is only a Right in some countries.
Censorship is a given and necessity, even in the most "enlightened" countries - where it might be called 'national security' :-)
And there are globally shared mores/values/injunctions against such things as child pornography and worse.

It's not an even playing field, and will never, can never, be.

My opinion is that laws like the DMCA [USA - Digital Millennium Copyright Act] and the Australian "anti-spam and pornography" laws [no refs] are wrong-headed and irrelevant at best - and counter-productive at worst.

With the Global Net and One Shared Cyberspace, and many cultures, beliefs, religions, etc etc, "Web 2.0" needs to add:
mandatory content tagging.

Then we can abide by our tried-and-true convention "no surprises" and respect all our differences and sensitivities.

2007/04/03

Selling Good Governance - I.T. Services Audits

IBM got to be bigger, by turnover, than everyone else combined for nearly two decades, accounting for up to 60% of IT sales. One of the chief factors was they were good salesmen - they knew their audience: who to target and what things they wanted (and only sell to people that can sign the cheque!)

IBM didn't sell to "techos" - but managers, the more senior the better. They talked their language (cheaper, better, faster) and gave solid "Dollars and Cents" Costs and Benefits. They got to come back because they generally made good on those promises.

Selling I.T. Services Audits, Security and Continuity

These functions are Governance related and should be controlled and reported directly to Board Level - not even senior management or CEO.

Board Pitch

Can your Business run without Accounting??
  • No!

Can it run without its I.T. services?
  • No!

What part of your business isn't affected by I.T.?
  • None!

Why do you have Accounting Audits?
  • "Have to" - regulatory requirement.
  • "credibility enhancer" - investors and owners can trust the figures claimed.
  • Integral to Good Governance. The things the Board want done, are being done.

Why don't you do I.T. Services, Security and Continuity Audits?
  • Ummmmm?

If you're entrusted with husbanding other people's money, not assuring and insuring the I.T. Services of the business isn't sound practice.

Major failures/events in any one of these functions are high impact: They are "Bet the whole company".
The sort of decision that the owners need to make, and make consciously.

Supporting Facts

From a Sarbanes Oxley site:
Fifty percent of companies that lose their data go out of business immediately and ninety percent don't survive more than two years, according to research firm Baroudi Bloor International. ...
Only three percent of all data loss is caused by fire, flood and other such disastrous events. The most common causes are hardware or system malfunction (44 percent), human error (32 percent), software corruption (14 percent) or viruses (7 percent). ...
And remember, without your business's data, there's no business at all.


In a brief report on a fire in a British Telecom hub in Manchester affecting 136,000 phone lines:
  • 86 percent of firms affected found the fire was disruptive and it had an impact on voice communications in 60 percent of those polled....

  • Just 34 percent had a disaster recovery or business continuity plan in place ....

  • Those polled showed low awareness of solutions, nor did most appreciate the need for business continuity planning. 71 percent saw little value in automatic call diverts in emergency situations and 70 percent of those polled were unaware that banks expect businesses applying for loans to have a proven disaster recovery plan in place.


In 10 Steps to surviving a disaster(PDF)
According to the Association of Records Managers and Administrators, about 60 percent of businesses that experience a major disaster such as a fire close within two years. According to Labor Department Statistics, over 40 percent of all companies that experience a disaster never reopen and more than 25 percent of those that do reopen close within two years.


And from Glen Abbot, Scotland’s leading supplier of Business Continuity Services.

Business Failure

A business failure is defined as:
"An occurrence, and/or perception, that threatens the operations, staff, shareholder value, stakeholders, brand, reputation, trust and/or strategic/business goals of an organisation."

In a five-year period, twenty percent of companies within the UK will suffer some kind of serious disruption to their operations. This may be as a result of an IT failure, emergencies such as fire or flood, or some other unplanned disruption. Eighty percent of those companies who suffer a serious disruption suffer severe losses or fail to survive in business during the following eighteen months (National Audit Office).


And yet more in the Reader Comments section of this piece on 'Continuity Central'.

2007/04/02

Three Metrics to change our business

In a previous post, Research Outline, 3 sets of metrics were proposed that, if applied consistently across large organisations, would change the face of our industry (IT&T), perhaps even support the transition to a Profession.

"IT is done for a Business Benefit"


After 50+ years of doing it, we are looking at the end of the Silicon Revolution by 2010. Already we've passed the end of Moore's Law for CPU speed [Q1-2003]. But more than that - Business & Government are getting hard-nosed about IT&T delivering 'value'.

The IT recession we're just coming out of was a direct reaction against the perceived needless waste of Y2K. The other in 1991 was the marker that all the 'easy wins' in IT had been achieved and IT itself could be cut.

Big Business and Government account for over 60% of the Australian GDP. Around 45% of GDP is influenced directly by IT&T - with an investment rate of around 10% - $45Bn/year for 'the majors'. Globally, multiply this by 50-60 times. [Source: ABS surveys]

Compare this to the ~$50Bn earnings by all companies listed on the ASX. Leveraging IT&T whilst containing costs is a central concern of all good business execs - and becoming more so. Shaving 1% off IT&T inputs goes directly to the bottom line and allows good companies to easily outperform their competitors.

My belief is that the first people to adequately address these questions in quantifiable terms will dominate the market. And what better way to charge than a percentage of the realised savings? For a consulting firm, that's putting its money where its mouth is...

Metrics


The three sets of figures I'd like to produce are linked to this central question:
Doing More with Less.

  • What's the leverage IT&T gives us? [Virtual Employees]
    • Year on Year reporting from a consistent base.
  • Where do our IT&T costs go? [Standard reporting in Business Inputs and Outputs]
    • Are we getting a good deal from our IT&T?
    • Comparing to what?
  • How effective are our IT&T processes? [Benchmarked KPIs]
    • If ITIL is the answer, how well are our folks doing it?
    • How much more room for improvement is there?


And the worst thing that could happen is:
You find out your IT&T people do a good job.