Saturday, April 4, 2015

Facebook and All About Me


A couple years ago there was highly publicized criticism over employers asking potential employees to turn over their Facebook login userid and password as part of the interview process.  This resulted in laws being passed to prevent that, but to me the central theme was all wrong.  The potential employees saw it as an invasion of their privacy, or simply viewed their personal identity as separate from their professional identity and what they do on their own nickel as none of the business's business.  Employers wanted to learn more about the person than a well-rehearsed interview tells them.  Both miss the real point.

What would I have done if I found myself being asked for my Facebook account? One of two things.  Probably just got up and left, then wrote their CEO and HR VP a letter that I don't share their company's values on work-life balance, privacy and confidentiality.  But I also would have missed the real point, as I attempted to allude to in part of the title of this article, "All About Me".  Giving up my Facebook login allows someone that was not granted access to see others' posts, not just mine.  Giving up my login compromises a couple hundred other people's, my friends', right to their expectation of privacy.  So I'm not giving up just me, I'm giving up them.  I don't have the moral right to do that.  So the second choice would be to say something like "while I don't mind giving you access to my posts, for I have nothing to hide, you will have to get permission from all my Facebook friends before I betray their trust".  And I'm not giving you their names since that also betrays their trust in me.  Case closed.

This mental "All About Me" model is so pervasive in our world today, from drivers behind the wheel to shoppers in the grocery store.  But it surprises me to see this in the Social Media space, where it should be abundantly clear that others are sharing their thoughts, hopes, prayers and cat pictures with me and hundreds of their friends.  Why wouldn't our first reaction to being asked for our Facebook login be that this would violate other people's rights?

As our world becomes more socially interconnected, our mental model needs to shift to "All About Us" and keep "Us" first and foremost.  Employers wouldn't have asked for login credentials in the first place and people wouldn’t have given them.  They would know better.

Sunday, March 1, 2015

Email Legalese


Have you ever received a footer on an email that reads something like this?

--
This electronic mail and any attached documents are intended solely for the named addressee(s) and contain confidential information. If you are not an addressee, or responsible for delivering this email to an addressee, you have received this email in error and are notified that reading, copying, or disclosing this email is prohibited. If you received this email in error, immediately reply to the sender and delete the message completely from your computer system.
--

How stupid is that?  A lot.  Let me elaborate.

Of course I was an addressee, because I received it.  That makes the remainder of this dire warning pointless.  Why further mention that I might have received this in error, when by its very definition, I couldn't have?  Wouldn't it make more sense to say that if I, the sender, made a mistake and accidentally misaddressed my email so that you unintentionally received it, that I would appreciate a heads-up?  It is, after all, their mistake, not mine.  This part is just plain rude.

Assuming the first part mysteriously applies to me, how in the world am I supposed to avoid reading it?  Did the sender really think that any human being reads their emails starting at the bottom and moving up?  There are languages on Planet Earth that are read right to left, but nowhere in existence am I aware of one that’s bottoms up.  This part is just plain stupid.

If I did receive this email in error, which of course is the sender’s mistake, why does the sender think, no, demand, I somehow owe them an immediate response and take my time to “completely” remove the email?  I might if I was asked nicely, but making it a demand is the least likely way to gain my assistance.  This part just pisses me off.

That’s it, there’s no part of this email footer that in any way makes any sense or entices me to help out the sender in any way.  

They shouldn't piss people off, particularly those of us with blogs.  Take the hint.


Sunday, January 25, 2015

Brains Over Brawn


Oh so many years ago when my children were growing up I instilled the message that brains are stronger than brawn.  In other words, that thinking through a problem will usually result in finding an easier solution than simply applying more brute force.  The shady side of the Internet has figured that out and uses socially engineered attacks and keylogging malware to get passwords in clear text.  It's about time that the good guys started using their brains, stopped suggesting stronger passwords, and started getting smarter at identifying and stopping authentication attacks.

I've written before on the statistics around passwords and that it is nearly impossible for a crook to simply guess anything other than the most simple of passwords, most of which inexplicably are allowed in most systems.  Passwords structured like "can9dy11" or "mis0s0up" require billions of attempts before they are likely to be guessed, and shame on the IT department that doesn’t detect and prevent more than a few incorrect password attempts.  Ideas like taking a phrase like "I would like to destroy every password I have" and turning it into "Iwltdep1h" are great, at best, for passwords that don't ever have to change, but coming up with a new phrase every 60-90 days and repeating the learning curve to remember this formulation of password just doesn't make sense, unless you are one of the few that have a perfect memory and total recall.  We normal folk just struggle to remember where we left our car keys.  Stop treating us like Einstein.  And then blaming us for choosing bad passwords.  Ultimately it's your fault, Mr. or Ms. security professional, that we do, because you allow us to use them.

A recent security headline was an OpenSSL bug that allowed an attacker to collect information stored in memory, which among other things could be your password.  No password was immune to this type of leak.  No combination of length, capitals, special characters or other "best practice" (a term I despise) offered any protection.  So what did I hear from every expert quoted in the press about how to protect yourself?  Choose harder passwords.  Would it have protected you?  No.  Would it have made the crooks' job any harder?  No.  Did the interviewer ask that question?  No.  Would it drive you nuts having a harder to remember password?  Probably.  Would you be more than mildly upset when you found out this didn't help the least bit?  Absolutely!

The answer is to move beyond passwords and add some form of secondary challenge, at least for that small number of systems that contain financial, health or other personal information valuable to the crooks.  Let's try not to solve world peace here.  Let's get focused and truly solve the small part of the problem we really care about, for as many people as we can.  The clear technology winner, for now, is two-factor authentication. In a nutshell this involves entering a second code, but one you don't store in your brain. It can be delivered via a smart-phone app, a phone call, a text message or an email.  Many popular web sites, like Google's Gmail, Apple’s iCloud and Bank of America offer this as an option.  Check out twofactorauth.org for a list of popular web sites and if they support a second factor.  Would two-factor authentication have drastically reduced the risk associated with the OpenSSL issue?  Absolutely!  Was that ever mentioned?  Sadly not.  Makes you wonder if security folks really want the problem solved or just like to hear themselves talk.

We also need to detect authentication attacks and make a meaningful response.  Years ago I made a credit card purchase in Key Largo, Florida and immediately received a phone call to verify it.  Turns out that lots of fraud occurs in that area.  When I travel internationally I call the credit card company and tell them when and where I'll be.  I recently added the option to my primary credit card to send me an email every time a purchase is made on my card.  If I spot a charge I didn't make, I can call and have my account locked out.  These are simple, yet effective, methods to detect fraud and limit its impact.  These types of methods are also appropriate to IT security, and need to be routinely deployed to protect our most important online assets.  
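As an added example, not from the original post: a small Python detector run over a constructed login log that does what the two paragraphs above call for. It locks an account after a few failures, catches one source spreading single failures across many accounts (which per-account limits alone never notice), and flags a successful login from a never-before-seen source for verification, the way the card issuer phoned about the Key Largo purchase. The log format, thresholds and addresses are all assumptions.

```python
"""Added example: detect authentication attacks in a login log."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_LIMIT = 5                  # failures against one account within WINDOW -> lock it
SPRAY_LIMIT = 10                # distinct accounts one source fails against within WINDOW
WINDOW = timedelta(minutes=10)

# Constructed sample log (not from any real system); the format is an assumption:
# "<ISO timestamp> <user> <source IP> <OK|FAIL>"
SAMPLE_LOG = [
    "2015-01-25T10:00:01 alice 198.51.100.7 FAIL",
    "2015-01-25T10:00:03 alice 198.51.100.7 FAIL",
    "2015-01-25T10:00:05 alice 198.51.100.7 FAIL",
    "2015-01-25T10:00:08 alice 198.51.100.7 FAIL",
    "2015-01-25T10:00:11 alice 198.51.100.7 FAIL",   # fifth failure: lock alice
    "2015-01-25T10:00:15 alice 198.51.100.7 FAIL",   # already locked, not reported again
    "2015-01-25T10:05:00 bob 192.0.2.5 OK",          # first success for bob: learn the source
    "2015-01-25T11:30:00 bob 203.0.113.44 OK",       # never-seen source: ask bob to verify
] + [
    # one failure per account from a single source: per-account limits never trip
    f"2015-01-25T12:00:{i:02d} user{i:02d} 203.0.113.9 FAIL" for i in range(1, 11)
]


def parse(line):
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result


def analyze(lines):
    """Return findings as (kind, subject, detail, timestamp) tuples, in log order."""
    fails_by_user = defaultdict(deque)   # user -> timestamps of recent failures
    fails_by_src = defaultdict(dict)     # source -> {user: time of its last failure}
    known_src = defaultdict(set)         # user -> sources seen on successful logins
    locked, spraying = set(), set()      # report each subject once
    findings = []
    for line in lines:
        ts, user, src, result = parse(line)
        if result == "FAIL":
            recent = fails_by_user[user]
            recent.append(ts)
            while ts - recent[0] > WINDOW:        # slide the window forward
                recent.popleft()
            if len(recent) >= FAIL_LIMIT and user not in locked:
                locked.add(user)
                findings.append(("LOCK", user, src, ts))
            fails_by_src[src][user] = ts
            targets = sum(1 for t in fails_by_src[src].values() if ts - t <= WINDOW)
            if targets >= SPRAY_LIMIT and src not in spraying:
                spraying.add(src)
                findings.append(("SPRAY", src, f"{targets} accounts", ts))
        elif result == "OK":
            # Only alert once a baseline exists; the very first source is learned, not flagged.
            if known_src[user] and src not in known_src[user]:
                findings.append(("VERIFY", user, src, ts))
            known_src[user].add(src)
    return findings


if __name__ == "__main__":
    for kind, subject, detail, ts in analyze(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {kind:6} {subject:14} {detail}")
```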

It’s time to stop acting like John Henry, who believed his brawn was better than the brains that built the steam-powered hammer.  According to legend he succeeded, only to die in the effort.  Let brains prevail, or die losing the authentication battle.

Thursday, June 19, 2014

A Daily Blog


I have recently started posting, usually once a day, to the following new blog:


This started as a Social Media experiment at work using Yammer (basically Facebook for companies) back in January 2013 and I accumulated several hundred posts there before starting this new external blog. The Yammer posts can be downloaded from: 


These posts cover future technologies, technical tips, general tips and a little humor, mainly whatever I find interesting, useful and humorous.

Friday, December 27, 2013

Out With the Old


Over the many years of my career I’ve been involved with efforts to get rid of hardware and software that was difficult to maintain, expensive to run, licensed from unfriendly vendors or duplicative of other solutions in place.  Why I like to get rid of things as much as I enjoy building new solutions is a bit of a mystery, but I think I like the challenge of finding the right moment, the right approach or using the long-term thinking that’s sometimes required.  The following is a short list of some of the better “good riddance” stories I’ve had a hand in pushing out the door, and some of the lessons learned from them.

In the 1980s mainframe terminals used coax cables to connect their “dumb” terminals to their control units.  These cables were bulky, heavy and required special tools and training to attach their connectors to each end.  In large buildings like I worked in, over a thousand cables spread out from the computer room.  We proposed to our Director a project to replace all the coax with twisted pair wiring and baluns.  He flat out refused.  So we looked for another way to get our way.  We discovered that one or two floors of our 27-floor building were in the process of major reconstruction at any point in time.  Instead of running new coax, we ran twisted pair instead, a less costly alternative, and more importantly, one where the materials and labor were charged to the reconstruction project, not the IT budget.  Several years passed and we removed coax one floor at a time.  A few years later the same Director walked into my office, concerned about the safety of coax, which when it burns was found to release a toxic gas.  He asked me how much coax we had.  I had to honestly reply that other than about 4 cables in place for TVs on the executive floors, we didn’t have any left.  I can still remember the look on his face that said “I don’t know whether to thank you or fire you”.  He just shook his head and left.  But some technology can only be replaced or retired over the long-term and being persistent and “eating the elephant a bite at a time” can be the only solution.

Getting rid of things directly affects people’s jobs, or at least a portion of their job, and likely one they have become skilled and comfortable in performing.  And it takes work to eliminate or replace those things, and we always seem to push those projects to the back burner.  Back in my networking days we had predominantly an IBM SNA (Systems Network Architecture) network, but PCs, LANs and the Internet were pushing us quickly to TCP/IP.  We worked like crazy to keep up with the new demands, but I also insisted that we take time to have an active project or two to get rid of some old stuff.  I had to explain to my team that if we didn’t spend time now eliminating that stuff, we would have both the new and the old stuff to maintain going forward, and more new stuff would continue to come at us.  If we didn’t spend a little time now, we would be spending even more time later.  So we always had a plan to reduce, so we would always have time to grow.  

One of the best methods of consolidating technologies is merging them into the same department, preferably directly reporting to the same manager.  That was the case back when we had both Novell’s Netware and Microsoft’s LAN Manager, and each was doing well under their own very-capable managers.  But these technologies were very much duplicates of each other and the expense of having both was most likely unwarranted.  After placing both under the same manager the combined group decided they wanted to consolidate, decided which solution they wanted to support and quickly eliminated the other.  Simple as that.

Looking for opportunities can be difficult and vendors are experts in getting you to renew a contract, for a nice discount of course, a year or two before your current one expires. They know you are likely growing or shrinking faster or slower than the rate you planned and leverage that situation to keep you under their contracts forever.  When we found that our SAP project would cause our mainframe capacity to grow by a factor of 10 in a couple years, I knew we had the opportunity to eliminate some expensive and difficult vendors, particularly Computer Associates (CA), and replace them with “good enough” products from another vendor.  These new products were “good enough” because the new mainframes would be database-only and didn’t need the numerous “bells and whistles” that the legacy mainframe applications needed.  The result was paying CA for the 3 remaining years on their contract, although we no longer used their software, and paying the new vendor their license fees on the total mainframe capacity, all at a cost far less than paying CA’s ransom.  Recognizing situations that are far beyond the ordinary course of business can result in an opportunity of a lifetime.  Seize those chances.

Outsourcing transforms a service from being a part of the family to an expense to be managed and an opportunity to save money.  As mainframes were replaced with newer server technologies, they were often outsourced to a vendor that would take care of them and provide whatever modest investments were needed to keep them running, at a cost less than replacing the dozens of remaining applications.  But most of those applications eventually get replaced over time and you’re left with one or just a few applications needing a new home.  I found that simply communicating that the mainframes needed to go, the amount of money that we would save and what’s standing in the way was the key to having the organization find the solution, all without the burden of knowing they would be saying goodbye to current work colleagues. Never underestimate the emotional wall you have to overcome, but try to remove it beforehand.

I hope these stories demonstrate how different these situations can be and how understanding them and applying some innovative thinking can lead to the desired results in unexpected and innovative ways.  I truly enjoy helping take things apart, even things I’ve built up.  The only thing that slows technology down is the friction of the old.  And today’s IT departments can’t live in the past.  

So throw it out.

Sunday, December 22, 2013

Redundancy Options


Computer systems can be architected to provide redundancy and recovery using a variety of technologies, such as Microsoft Server clustering, IBM DB2 data sharing and Cisco’s Hot Standby Router Protocol (HSRP).  The discussion can get very confusing very fast, so a while back I made up a few terms that describe what the final result ends up delivering, which is all that really matters.

The first term is Failover, which provides a rapid switch from a failing primary service to a ready-to-go secondary service.  Failover solutions result in the user experiencing an unusually long response time and possibly the failure of their current transaction, but the user is still connected and would not be required to log back on.  Failover solutions, in my experience, work only about 50 percent of the time, the result of two causes.  First, most Failover solutions are architected using an active-passive rather than an active-active design.  This typically results in the passive side not being used for months before it’s called to active duty and for a variety of causes doesn’t cleanly accept the Failover.  The second cause is the lack of a clear, hard failure.  Failover tends to work well when the primary fails hard, such as a total hardware failure.  Failover tends to work poorly when only a portion of the primary experiences problems.  Either the Failover doesn’t get initiated at all or only a portion starts to move.  In either case you don’t get the result you need.

The second term is Fallover, as in “you fall over and get back up”, and results in the user being disconnected from the service and having to log back in again.  For example, an SAP ERP implementation typically has several application servers, and a web application has several web servers, any of which can provide service to the user.  Which one the user gets connected to is decided at login time, but in the case of that server’s failure, the user simply logs in again and a different, working server is selected.  Fallover tends to work very well because it’s a much simpler solution than Failover and less costly.  Failover usually involves twice the expense to build a fully capable secondary.  Fallover typically involves buying just one extra server, adding perhaps 10% to the total cost.

The third term is Findover, and like Fallover, is a made up word to make a series of words that are easy to remember.  Findover solutions involve finding a secondary service that provides exactly the same thing as the primary.  A list of Domain Name Servers (DNS) provides a type of Findover.  If a PC or server can’t contact the first DNS server in the list, it tries the next one, and repeats the process until it either contacts an active server or runs out of options.  IBM Lotus Notes servers can be configured to continuously replicate data between each other and if one goes down, the Lotus Notes PC client software will automatically find one of the other replicas.
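As an added example, not from the original post: a Findover client in Python that walks an ordered list of equivalent servers, the way a DNS resolver list does, until one answers. It goes one step beyond the plain walk by remembering the last server that worked and trying it first, so a dead server at the top of the list costs one timeout rather than one timeout on every query. The server addresses, the fake server table and the query callable are constructed stand-ins; no network is involved.

```python
"""Added example: Findover over an ordered list of equivalent servers."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Query = Callable[[str, str], str]    # (server, name) -> answer; raises if unreachable


@dataclass
class Findover:
    servers: List[str]
    query: Query
    preferred: Optional[str] = None                       # last server that answered
    failures: Dict[str, int] = field(default_factory=dict)  # server -> unreachable count

    def order(self) -> List[str]:
        """List order, except the last-good server is tried first."""
        rest = [s for s in self.servers if s != self.preferred]
        return ([self.preferred] if self.preferred else []) + rest

    def resolve(self, name: str) -> Tuple[str, List[str]]:
        """Return (answer, servers that were unreachable on the way)."""
        unreachable = []
        for server in self.order():
            try:
                answer = self.query(server, name)
            except (TimeoutError, ConnectionError):
                # Only "couldn't reach it" moves us on; a server that answers
                # "no such name" is a valid answer and ends the walk.
                self.failures[server] = self.failures.get(server, 0) + 1
                unreachable.append(server)
                continue
            self.preferred = server
            return answer, unreachable
        raise LookupError(f"no server answered for {name}; tried {unreachable}")


# Constructed stand-in for real DNS servers (assumption: addresses and data are made up).
FAKE_SERVERS = {
    "10.0.0.1": TimeoutError("no response"),          # first in the list, but down
    "10.0.0.2": {"www.example.com": "192.0.2.10"},
    "10.0.0.3": {"www.example.com": "192.0.2.10"},    # identical replica
}


def fake_query(server: str, name: str) -> str:
    behaviour = FAKE_SERVERS[server]
    if isinstance(behaviour, Exception):
        raise behaviour
    return behaviour[name]


def demo():
    client = Findover(["10.0.0.1", "10.0.0.2", "10.0.0.3"], fake_query)
    first = client.resolve("www.example.com")    # pays the dead server's timeout once
    second = client.resolve("www.example.com")   # goes straight to 10.0.0.2
    return first, second, client.failures


if __name__ == "__main__":
    print(demo())   # (('192.0.2.10', ['10.0.0.1']), ('192.0.2.10', []), {'10.0.0.1': 1})
```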

Failover, Fallover and Findover.  Hopefully an easy to remember list of options.  

And a colleague of mine made up a fourth, self-explanatory term to describe the lack of a recovery option.  

Bendover.

Say no more.

Friday, November 29, 2013

The Future of Information Technology


For a time it appeared that the Information Technology profession was dwindling, being reduced to working for a large outsourcer or technology vendor.  Off-shoring was all the rage and IT jobs appeared to be permanently lost to cheaper labor.  All of that might continue in a substantial way, but the rise of Cloud, Mobile, Social and Big Data, while still in their infancy, portends an exciting future, albeit too fast for some and too scary for others.  

But why are these four forces unlike any other over-hyped buzz words?  For the same reason the Internet has become much more than its hype of the mid-1990's.  It was simply a common communications protocol that allowed anywhere to anywhere connectivity, just like the railroad, and then the highway, transformed where we live, where we work and all that we can experience.  The Internet, the railroad and the highway all democratized movement.  They laid the foundation for huge numbers of innovations. They were the things necessary to build our next way of living.  

The Cloud, which is simply computing power, both vast and affordable, is starkly different than traditional server farms where a fixed amount is purchased and paid for upfront.  The Cloud allows for experimentation, short-duration projects with vast requirements (e.g. hundreds of millions of visitors to the three-week Olympics web site) or needing thousands of servers for a few minutes.  The Cloud is similar to electricity and gasoline; ubiquitous, low-cost, multi-purpose energy.  Electricity and gasoline did not change the world overnight, but enabled innovations like the light bulb and the automobile, which, in time, changed our everyday life.  

Mobile is taking that computing power and connectivity with you wherever you go.  I liken this to the automobile and the airplane, which allowed our physical bodies to go places in minutes or hours, and at a far lower cost than their predecessors.  Mobile is in its infancy.  Sure we've had laptops and cell phones for most of our working lives, but laptops had limited connectivity and cell phones had limited applications.  That changed with the iPhone and its App Store, a short five years ago.  And while our personal lives may have changed significantly, it's just beginning to change our work lives. We currently have business processes built on the old computer-on-a-desk model and a large investment in those systems.  As our imaginations begin grasping how we can blow up the old rules, just like cars and planes changed our view of the bottlenecks of distance, we can expect how we work will change dramatically.

Social is about staying connected with hundreds, thousands or millions of family, friends, customers or business partners, more than was ever before possible.  How many classmates from grade school do you still have any relationship with?  High-school?  College?  At most, probably a few, unless you went through, or are still in, school.  Our previous generations had to write letters or make expensive phone calls.  It took a lot of time to share information on a one-to-one basis.  You might even add a photo to your letter to describe a particularly striking vacation spot.  But more likely your friends became the group you physically interacted with, and if you moved to another city, most of those friends dropped off and were replaced with new friends at your new physical location.  The Social technologies like Facebook, Twitter and text messaging allow you to remain connected and engaged with far less effort than before.  This may be the one that ultimately changes the world on a greater scale, just like the creation of language and the telephone brought the world closer together.

Big Data is about being able to quickly process vast amounts of data and could have a similar impact as the invention of the printing press and paper-making, which allowed for the storage and retrieval of vast amounts of human knowledge, but which are still gated by our human limitations.  We can now store, process and harvest insights from the information produced by our computer systems, medical sensors, manufacturing equipment, tweets, posts and many other sources.  And it will take big thinkers to gain new knowledge from our Big Data.  Perhaps that’s I.T.’s true future.  I think it should be.

Autos replaced horses, electricity replaced candles, the telephone replaced the Pony Express and books replaced scrolls.  The future of I.T. looks brighter than ever.  

But it will hardly be recognizable.

Should be loads of fun.