Email Legalese

Have you ever received a footer on an email that reads something like this?

--

This electronic mail and any attached documents are intended solely for the named addressee(s) and contain confidential information. If you are not an addressee, or responsible for delivering this email to an addressee, you have received this email in error and are notified that reading, copying, or disclosing this email is prohibited. If you received this email in error, immediately reply to the sender and delete the message completely from your computer system.

--

How stupid is that?  A lot.  Let me elaborate.

Of course I was an addressee, because I received it.  That makes the remainder of this dire warning pointless.  Why further mention that I might have received this in error, when by its very definition, I couldn't have?  Wouldn't it make more sense to say that if I, the sender, made a mistake and accidentally misaddressed my email so that you unintentionally received it, that I would appreciate a heads-up?  It is, after all, their mistake, not mine.  This part is just plain rude.

Assuming the first part mysteriously applies to me, how in the world am I suppose to avoid reading it?  Did the sender really think that any human being reads their emails starting at the bottom and moving up?  There are languages on Planet Earth that are read right to left, but nowhere in existence am I aware of one that’s bottoms up.  This part is just plain stupid.

If I did receive this email in error, which of course is the sender’s mistake, why does the sender think, no, demand, I somehow owe them an immediate response and take my time to “completely” remove the email?  I might if I was asked nicely, but making it a demand is the least likely way to gain my assistance.  This part just pisses me off.

That’s it, there’s no part of this email footer that in any way makes any sense or entices me to help out the sender in any way.  

They shouldn't piss people off, particularly those of us with blogs.  Take the hint.

Brains Over Brawn

Oh so many years ago when my children were growing up I instilled the message that brains are stronger than brawn.  In other words, that thinking through a problem will usually result in finding an easier solution than simply applying more brute force.  The shady side of the Internet has figured that out and use socially engineered attacks and keylogging malware to get passwords in clear text..  It's about time that the good guys starting using their brains, stop suggesting stronger passwords, and start getting smarter at identifying and stopping authentication attacks.

I've written before on the statistics around passwords and that it is nearly impossible for a crook to simply guess anything other than the most simple of passwords, most of which inexplicably are allowed in most systems.  Passwords structured like "can9dy11" or "mis0s0up" require billions of attempts before they are likely to be guessed and shame on the IT department that doesn’t detect and prevent more than a few incorrect password attempts.  Ideas like taking a phrase like "I would like to destroy every password I have" and turning it into "Iwltdep1h" is great, at best, for passwords that don't ever have to change, but coming up with a new phrase every 60-90 days and repeating the learning curve to remember this formulation of password just doesn't make sense, unless you are one of the few that have a perfect memory and total recall.  Us normal folk just struggle to remember where we left our car keys.  Stop treating us like Einstein.  And then blaming us for choosing bad passwords.  Ultimately it's your fault Mr. or Ms. security professional that we do, because you allow us to use them.

A recent security headline was an OpenSSL bug that allowed an attacker to collect information stored in memory, which among other things could be your password.  No password was immune to this type of leak.  No combination of length, capitals, special characters or other "best practice" (a term I despise) offered any protection.  So what did I hear from every expert quoted in the press about how to protect yourself?  Choose harder passwords.  Would it have protected you?  No.  Would it have made the crooks job any harder?  No.  Did the interviewer ask that question?  No.  Would it drive you nuts having a harder to remember password?  Probably.  Would you be more than mildly upset when you found out this didn't help the least bit?  Absolutely!

The answer is to move beyond passwords and add some form of secondary challenge, at least for that small number of systems that contain financial, health or other personal information valuable to the crooks.  Let's try not to solve world peace here.  Let's get focused and truly solve the small part of the problem we really care about, for as many people as we can.  The clear technology winner, for now, is two-factor authentication. In a nutshell this involves entering a second code, but one you don't store in your brain. It can be delivered via a smart-phone app, a phone call, a text message or an email.  Many popular web sites, like Google's Gmail, Apple’s iCloud and Bank of America offer this as an option.  Check out twofactorauth.org for a list of popular web sites and if they support a second factor.  Would two-factor authentication have drastically reduced the risk associated with the OpenSSL issue?  Absolutely!  Was that ever mentioned?  Sadly not.  Makes you wonder if security folks really want the problem solved or just like to hear themselves talk.

We also need to detect authentication attacks and make a meaningful response.  Years ago I made a credit card purchase in Key Largo, Florida and immediately received a phone call to verify it.  Turns out that lots of fraud occurs in that area.  When I travel internationally I call the credit card company and tell them when and where I'll be.  I recently added the option to my primary credit card to send me an email every time a purchase is made on my card.  If I spot a charge I didn't make, I can call and have my account locked out.  These are simple, yet effective, methods to detect fraud and limit their impact.  These types of methods are also appropriate to IT security, and need to be routinely deployed to protect our most important online assets.  

It’s time to stop acting like John Henry, who believed his brawn was better than the brains that built the steam-powered hammer.  According to legend he succeeded, only to die in the effort.  Let brains prevail, or die losing the authentication battle.

A Daily Blog

I have recently starting posting, usually once a day, to the following new blog:

http://paulsdailyposts.blogspot.com

This started as a Social Media experiment at work using Yammer (basically Facebook for companies) back in January 2013 and I accumulated several hundred posts there before starting this new external blog. The Yammer posts can be downloaded from: 

http://www.technologyfirst.org/images/CIO_Presentations/Yammer_2013.pdf

http://www.technologyfirst.org/images/CIO_Presentations/Yammer_2014.pdf

These posts cover future technologies, technical tips, general tips and a little humor, mainly whatever I find interesting, useful and humorous.

Out With the Old

Over the many years of my career I’ve been involved with efforts to get rid of hardware and software that was difficult to maintain, expensive to run, licensed from unfriendly vendors or a duplicative of other solutions in place.  Why I like to get rid of things as much as I enjoy building new solutions is a bit of a mystery, but I think I like the challenge of finding the right moment, the right approach or using the long-term thinking that’s sometimes required.  The following is a short list of some of the better “good riddance” stories I’ve had a hand in pushing out the door, and some of the lessons learned from them.

In the 1980s mainframe terminals used coax cables to connect their “dumb” terminals to their control units.  These cables were bulky, heavy and required special tools and training to attach their connectors to each end.  In large buildings like I worked in, over a thousand cables spread out from the computer room.  We proposed to our Director a project to replace all the coax with twisted pair wiring and baluns.  He flat out refused.  So we looked for another way to get our way.  We discovered that one or two floors of our 27-floor building were in the process of major reconstruction at any point in time.  Instead of running new coax, we ran twisted pair instead, a less costly alternative, and more importantly, one where the materials and labor were charged to the reconstruction project, not the IT budget.  Several years passed away and we removed coax one floor at a time.  A few years later the same Director walked into my office, concerned about the safety of coax, which when it burns was found to release a toxic gas.  He asked me how much coax we had.  I had to honestly reply that other than about 4 cables in place for TVs on the executive floors, we didn’t have any left.  I can still remember the look on his face that said “I don’t know whether to thank you or fire you”.  He just shook his head and left.  But some technology can only be replaced or retired over the long-term and being persistent and “eating the elephant a bite at a time” can be the only solution.

Getting rid of things directly affects people’s jobs, or at least a portion of their job, and likely one they have become skilled and comfortable in performing.  And it takes work to eliminate or replace those things, and we always seem to push those projects to the back burner.  Back in my networking days we had predominantly an IBM SNA (Systems Network Architecture) network, but PCs, LANs and the Internet were pushing us quickly to TCP/IP.  We worked like crazy to keep up with the new demands, but I also insisted that we take time to have an active project or two to get rid of some old stuff.  I had to explain to my team that if we didn’t spend time now eliminating that stuff, we would have both the new and the old stuff to maintain going forward, and more new stuff would continue to come at us.  If we didn’t a spend a little time now, we would be spending even more time later.  So we always has a plan to reduce, so we would always have time to grow.  

One of the best methods of consolidating technologies is merging them into the same department, preferably directly reporting to the same manager.  That was the case back when we had both Novell’s Netware and Microsoft’s LAN Manager, and each was doing well under their own very-capable managers.  But these technologies were very much duplicates of each other and the expense of having both was most likely unwarranted.  After placing both under the same manager the combined group decided they wanted to consolidate, decided which solution they wanted to support and quickly eliminated the other.  Simple as that.

Looking for opportunities can be difficult and vendors are experts in getting you to renew a contract, for a nice discount of course, a year or two before your current one expires. They know you are likely  growing or shrinking faster or slower than the rate you planned and leverage that situation to keep you under their contracts forever.  When we found that our SAP project would cause our mainframe capacity to grow by a factor of 10 in a couple years, I knew we had the opportunity to eliminate some expensive and difficult vendors, particularly Computer Associates (CA), and replace them with “good enough” products from another vendor.  These new products were “good enough” because the new mainframes would be database-only and didn’t need the numerous “bells and whistles” that the legacy mainframe applications needed.  The result was paying CA for the 3 remaining years on their contract, although we no longer used their software, and paying the new vendor their license fees on the total mainframe capacity, all at a cost far less than paying CA’s ransom.  Recognizing situations that are far beyond the ordinary course of business can result in an opportunity of a lifetime.  Seize those chances.

Outsourcing transforms a service from being a part of the family to an expense to be managed and an opportunity to save money.  As mainframes were replaced with newer server technologies, they were often outsourced to a vendor that would take care of them and provide whatever modest investments were needed to keep them running, at a cost less than replacing the dozens of remaining applications.  But most of those applications eventually get replaced over time and you’re left with one or just a few applications needing a new home.  I found that simply communicating that the mainframes needed to go, the amount of money that we would save and what’s standing in the way was the key to having the organization find the solution, all without the burden of knowing they would be saying goodbye to current work colleagues. Never underestimate the emotional wall you have to overcome, but try to remove it beforehand.

I hope these stories demonstrate how different these situations can be and how understanding them and applying some innovative thinking can lead to the desired results in unexpected and innovative ways.  I truly enjoy helping take things apart, even things I’ve built up.  The only thing that slows technology down is the friction of the old.  And today’s IT departments can’t live past.  

So throw it out.

Redundancy Options

Computer systems can be architected to provide redundancy and recovery using a variety of technologies, such as Microsoft Server clustering, IBM DB2 data sharing and Cisco’s Hot Standby Router Protocol (HSRP).  The discussion can get very confusing very fast, so awhile back I made up a few terms that describes what the final result ends up delivering, which is all that really matters.

The first term is Failover, which provides a rapid switch from a failing primary service to a ready-to-go secondary service.  Failover solutions result in the user experiencing an unusually long response time and possibly the failure of their current transaction, but the user is still connected and would not be required to log back on.  Failover solutions, in my experience, work only about 50 percent of the time, the result of two causes.  First, most Failover solutions are architected using an active-passive rather than an active-active design.  This typically results in the passive side not being used for months before it’s called to active duty and for a variety of causes doesn’t cleanly accept the Failover.  The second cause is the lack of a clear, hard failure.  Failover tends to work well when the primary fails hard, such as a total hardware failure.  Failover tends to work poorly when only a portion of the primary experiences problems.  Either the Failover doesn’t get initiated at all or only a portion starts to move.  In either case you don’t get the result you need.

The second term is Fallover, as in “you fall over and get back up”, and results in the user being disconnected from the service and having to log back in again.  For example, an SAP ERP implementation typically has several application servers, and a web application has several web servers, any of which can provide service to the user.  Which one the user gets connected to is decided at login time, but in the case of that server’s failure, the user simply logs in again and a different, working server is selected.  Fallover tends to work very well because it’s a much simpler solution than Failover and less costly.  Failover usually involves twice the expense to build a fully capable secondary.  Fallover typically involves buying just one extra server, adding perhaps 10% to the total cost.

The third term is Findover, and like Fallover, is a made up word to make a series of words that are easy to remember.  Findover solutions involve finding a secondary service that provides the exactly the same thing as the primary.  A list of Domain Name Servers (DNS) provide a type of Findover.  If a PC or server can’t contact the first DNS server in the list, it tries the next one, and repeats the process until it either contacts an active server or runs out of options.  IBM Lotus Notes servers can be configured to continuously replicate data between each other and if one goes down, the Lotus Notes PC client software will automatically find one of the other replicas.

Failover, Fallover and Findover.  Hopefully an easy to remember list of options.  

And a colleague of mine made up a fourth, self-explanatory term to describe that lack of a recovery option.  

Bendover.

Say no more.

The Future of Information Technology

For a time it appeared that the Information Technology profession was dwindling, being reduced to working for a large outsourcer or technology vendor.  Off-shoring was all the craze and IT jobs appeared to be permanently lost to cheaper labor.  All of that might continue in a substantial way, but the rise of Cloud, Mobile, Social and Big Data, while still in their infancy, portend to an exciting future, albeit too fast for some and too scary for others.  

But why are these four forces unlike any other over-hyped buzz words?  For the same reason the Internet has become much more than its hype of the mid-1990's.  It was simply a common communications protocol that allowed anywhere to anywhere connectivity, just like the railroad, and then the highway, transformed where we live, where we work and all that we can experience.  The Internet, the railroad and the highway all democratized movement.  They laid the foundation for huge numbers of innovations. They were the things necessary to build our next way of living.  

The Cloud, which is simply computing power, both vast and affordable, is starkly different than traditional server farms where a fixed amount is purchased and paid for upfront.  The Cloud allows for experimentation, short-duration projects with vast requirements (e.g. hundreds of millions of visitors to the three-week Olympics web site) or needing thousands of servers for a few minutes.  The Cloud is similar to electricity and gasoline; ubiquitous, low-cost, multi-purpose energy.  Electricity and gasoline did not change the world overnight, but enabled innovations like the light bulb and the automobile, which, in time, changed our everyday life.  

Mobile is taking that computing power and connectivity with you wherever you go.  I liken this to the automobile and the airplane, which allowed our physical bodies to go places in minutes or hours, and at a far lower cost than their predecessors.  Mobile is at its infancy.  Sure we've had laptops and cell phones for most of our working lives, but laptops had limited connectivity and cell phones had limited applications.  That changed with the iPhone and its App Store, a short five years ago.  And while our personal lives may have changed significantly, it's just beginning to change our work lives. We currently have business processes built on the old computer-on-a-desk model and a large investment in those systems.  As our imaginations begin grasping how we can blow up the old rules, just like cars and planes changed our view of the bottlenecks of distance, we can expect how we work will change dramatically.

Social is about staying connected with hundreds, thousands or millions of family, friends, customers or business partners than ever before was possible.  How many classmates from grade school do you still have any relationship with?  High-school?  College?  At most, probably a few, unless you went through, or are still in, school.  Our previous generations had to write letters or make expensive phone calls.  It took a lot of time to share information on a one-to-one basis.  You might even add a photo to your letter to describe a particularly striking vacation spot.  But more likely your friends became the group you physically interacted with, and if you moved to another city, most of those friends dropped off and were replaced with new friends at your new physical location.  The Social technologies like Facebook, Twitter and text messaging allow you to remain connected and engaged with far less effort than before.  This may be the one that ultimately changes the world on a greater scale, just like the creation of language and the telephone brought the world closer together.

Big Data is about being able to quickly process vast amounts of data and could have a similar impact as the invention of the printing press and paper-making, which allowed for the storage and retrieval of vast amounts of human knowledge, but which are still gated by our human limitations.  We can now store, process and harvest insights from the information produced by our computer systems, medical sensors, manufacturing equipment, tweets, posts and many other sources.  And it will take big thinkers to gain new knowledge from our Big Data.  Perhaps that’s I.T.’s true future.  I think it should be.

Autos replaced horses, electricity replaced candles, the telephone replaced the Pony Express and books replaced scrolls.  The future of I.T. looks brighter than ever.  

But it won’t be hardly recognizable.

Should be loads of fun.

Google BigQuery

During the recent Google I/O 2012 conference I watched one of the keynote sessions from the comfort of my favorite web browser and was introduced to their BigQuery service, which is the public version of Google Dremel, their internal tool for analyzing large datasets.  I was intrigued by the demonstrations on a dataset of 137 million records with query response times in the 3-5 second range.  But was this like the tomato-slicing machines hawked on television that work great for their well-practiced spokesperson, but do a better job of making tomato juice in my kitchen?  But if this few order of magnitude difference in performance was real, it could be a great benefit, and since the cost to try it out amounted to pocket change, I decided to see for myself.

First a little background on the three key differences between using BigQuery and the familiar relational database technology.  BigQuery uses a table scan for everything.  No indexes or other mechanisms to write data to disk in a manner that may help later retrieval.  Its those key differences that make this happen with great speed.  

The first difference is using a column-oriented database approach, which simply is writing a table to disk column by column instead of row by row.  Row by row is great for finding one or a few rows, like is typically needed for executing transactions, but would require reading the entire table to read a single column.  By storing the data column by column, an analytic query can just read the columns requested, greatly reducing the amount of data that needs to be processed.

The second difference is a high degree of compression.  Since the data in a column is the same type and frequently contains large amounts of duplicates, it’s much more likely to compress well, quite often in the 10-to-1 range.  So for example, say we have a 100GB table with 100 equally-sized columns and 10-to-1 compression and we run a query retrieving 5 columns.  Instead of reading 100GB we read just 500MB, a considerable improvement.

The third difference is the number of servers that participate in the query.  While Google doesn’t comment on how many servers a query will be spread across, and it likely will vary on the size of the table queried and other factors, they use enough that the resulting response time stays so fast that people are motivated to use it alot.  It’s a simple equation.  The more you use, the more money they make, and the faster it performs the more you’re likely to use.  

For my test case I had 87,232,116 records consisting of 139 columns, for a total of about 45GB of data.  I’m not saying this is “big data”, but it’s large enough to be interesting and this had never before been attempted before due to performance concerns.  I compressed the data into gzip (.gz) files no larger than 1GB each, uploaded them to Google Cloud Storage and imported them into BigQuery using their Python-based BQ command line tool.  There are a few other setup steps that preceded this and the data was already in a form, pipe-delimited, that was compatible.  Then using the BigQuery web browser interface (bigquery.cloud.google.com) I ran several dozen queries, none that took more than 5 seconds to complete.  I also downloaded their Excel add-in which allows queries to be executed from inside a spreadsheet, with equally impressive results.

The cost to use BigQuery is straightforward.  Twelve cents ($.12) per month per GB stored and three and a half ($0.035) per GB scanned.  The first 100GB scanned per month is free.  So my testing cost $5.40, all in storage costs.  No really a bank breaker.