Monthly Archives: December 2008

Seasons of Change

2008 has been a year of change for me, both good and bad. In Feb I was laid off by BMC and hired by SunView Software. In the process I ended 10 years of working in Identity Management and started my career in Change Management.

We took a family trip to northern CA to see my nephew graduate from high school. After that both families vacationed together at Lake Tahoe.

I took over as the Pack Leader for the Cub Scout Pack our boys participate in. My youngest son joined Cub Scouts and my oldest son crossed over into Boy Scouts.

We got a puppy, a now 5 month old Chocolate Lab named Moose. Yes, I did indeed name my dog Chocolate Moose. I simply couldn’t resist.

The weekend after Thanksgiving my father got re-married at the age of 76, demonstrating that there is always room in our lives for new beginnings.  

The weekend after Christmas my father-in-law passed away. Although we end 2008 on a sad note, we are Lutherans, so for us this is a new beginning for him as well.

As we enter 2009 I am hoping for a little less change in my life.


Having a Malware Christmas

Apparently some Amazon customer got a little extra something under the tree this year:

Amazon.com Inc. last week warned customers running Windows XP that a Samsung digital photo frame it sold through earlier this month might have come with malware on the driver installation CD.

It’s interesting that Samsung isn’t saying how the malware got onto the CD. They may have no idea.

This highlights one of the least appreciated dangers today, malware in the supply chain. From infected CDs to credit card readers with a built-in back door, 2008 saw a spate of incidents with malware being injected in the manufacturing process. It’s hard to imagine how this isn’t going to get a lot worse unless manufacturers overhaul their processes.

This also relates to a point I made previously: how a company treats its employees will affect its overall security. Low paid or ill treated workers will be much more easily tempted by bribes to slip some malware into a system. The problem is made worse by outsourcing components. A security breach in a tiny sub-contractor can give a major multi-national corporation a black eye.

Expect a lot more of this in 2009.

Phillips versus flat-head, for real this time

A while back I wrote this post comparing the argument between Virtual Directories and Meta-directories to an argument comparing Phillips and flat-head screwdrivers. I forgot about it until I noticed something interesting. Somehow a lot of readers found their way to the post from a thread comparing Java and C#. But another group of readers arrived by searching for, oddly enough, information about Phillips versus flat-head screws.

Now I have no more interest in getting involved in the Java versus C# language debate than I am in the Virtual Directory versus Meta-directory debate.

But Phillips versus Flat-head screws? Boy have I got some opinions on that.

If you have to work with existing screws your choice has already been made for you (just as if you join a project in progress you seldom get to choose between Java and C#). But if you are starting a project from scratch, you not only have to choose between Phillips and flat-head, there is also Torx (the commercial name for hexalobular internally driven screws), square, hex, Allen (internal hex), one-way flat-head, spline drive, etc. Just as you might consider more choices than Phillips and flat-head, you might also consider a myriad of programming languages in addition to Java and C#.

But some are clearly superior to others in certain aspects. Flat-head screws have more driving power than Phillips head screws (Phillips head screws are designed to cam out to prevent over-tightening, an intentional design feature). But flat-head screws are much harder to drive by hand due to tool slippage. This is an interesting analogy to the ease of development of C++ versus both Java and C#.

Allen and hex head screws have even more driving power than flat-head screws and are easier to use, but suffer from the limitation of needing to have the exact size tool to fit the specific head size, whereas flat-head screws can accommodate a wide variety of tool sizes. This is similar to how scripting languages are often limited to use in a specific framework.

Wait, am I still talking about screws?

The Speed Cameras of Montgomery County

Unfortunately it seems the cities and counties in the US are starting to emulate the repulsive UK practice of installing speed camera and red light ticketing systems. Some enterprising high school students in MD have found an interesting way to have fun with it:

Whenever a new, relatively unpopular technology hits the streets, you can always count on teenagers to try and exploit it for their own gain. Such is the case with speed cameras, as high school students in Maryland have begun playing the “Speed Camera Pimping Game,” wherein they attempt to punk the not-so-accurate cameras by creating faux license plates that can be traced back to peers and teachers they have it out for. The trend has parents and law officials worried, and it raises even more questions about the cameras’ usefulness.

Students at Montgomery High School in Maryland have discovered that they can duplicate the license plates of their archenemies by printing a Maryland plate template on a sheet of glossy photo paper and digging up a handy license plate character font, according to a parent speaking to The Sentinel (via /.). This may sound like a janky craft project at first, but these cameras are not sensitive enough to pick up the differences between these paper license plates and the real things. The students then tape the faux plate over their own and purposefully speed in order to be caught by the speed camera, causing the real owner of the license plate to receive a $40 citation in the mail.

It would be irresponsible of me to suggest that this same tactic be employed to send speeding tickets to the members of the politicians that approve these devices. That would be wrong.

As would actions such as these.

Cloudy forecast

Bavo De Ridder has this interesting take on Cloud Computing:

Cloud computing is cool, no doubt about that. There have never been more good looking and futuristic looking schematics made in Visio. Thousands of presentations, workshops and even conferences have been held on the subject.

One question however has not been clearly answered yet … what about data ownership? What about privacy of that data? When your applications are running in the cloud you are also handing over your data to whoever is running the data center. How sure are you that they protect this data as they should?

Bavo does point out some valid concerns. But I feel he goes too far when he links these concerns to the recent Microsoft Live TOS change:

Your cloud partner decides to disable a feature in their application, a feature you depend on. Does your disaster recovery plan take this into account? This is not far-fetched; in a small way this is what happened when Microsoft decided to disable anonymous comments on their Live Blog. They even did this retroactively and so revealed identity information of authors who previously had been anonymous.

While the Microsoft Live situation was a disaster for the users that had an expectation of continued privacy, there is an important distinction, namely the Golden Rule. No doubt the TOS for Microsoft Live, like those of all free services, are very one-sided. For most free services you get the service for, well, free, on whatever terms the provider dictates, and you are, again, free to take your non-money elsewhere if you aren’t happy.

Commercial service providers typically provide a much different kind of contract with their paying customers. Such contracts would dictate under what conditions features could be added or removed. And there is a strong financial motivation to keep the customers happy.

Of course Bavo’s points about your provider going under or being acquired are quite valid.

Still, it all comes down to risk. Successful companies don’t avoid risk. They balance risk against reward. If the cost savings from moving to Cloud Computing make these risks acceptable, then companies will consider doing it.

After all, are these risks so different from what companies take on when they contract with any provider, from payroll down to cleaning services?

Two kinds of anonymity

When thinking about anonymity (and privacy), I like to divide it into two main categories, Real Anonymity and Granted Anonymity. Real Anonymity is where you don’t reveal any information that could identify you when performing a public act (like posting a comment to a blog). Granted Anonymity is where a third party knows who you are, but “grants” anonymity based on a pre-arranged agreement such as a TOS.

Microsoft Live customers are now discovering the main drawback to Granted Anonymity; it can be revoked (hat tip to Pamela Dingle).

I am not going to comment on this specific case, enough others will do that. But I would like to share one rule I live by:

Never say anything on the internet under a grant of anonymity that you wouldn’t say publicly as yourself.

Some of the things that can cause the grant of anonymity to be revoked include:

  • Change of TOS (which seems to be the case here)
  • Acquisition of your service provider, resulting in a new TOS
  • Government subpoena (including private lawsuits)
  • Security breach at your service provider
  • A breach of the TOS on your part

Keeping it in the family

I don’t normally blog about politics, but this is just jaw dropping.

Apparently there is a battle in NY to determine whether Andrew Cuomo or Caroline Kennedy will replace Hillary Clinton, who is moving from the Senate to the administration of the President Elect, who is replacing George Bush and whose own Senate seat may be filled by the appointment of Jesse Jackson Jr.

When did nepotism become so chic in this country?

And where are the voices of those who supposedly speak truth to power?