Sunday, August 31, 2008

Oh frabjous day! The telco Jabberwock is dead

From Thought Leader - M&G Blogs

Today may have seen the beginning of the end of the dreaded monster lurking in the tangled forests of South African telecommunications law.

When Justice Dennis Davis ruled in the high court this morning that value-added network services (VANS) must be allowed to provide their own networks — and that the regulator is obliged to grant the appropriate licence to any network that chooses to do so — he heralded the beginning of a truly competitive environment in telecommunications.

The court case was brought by Altech Autopage against the telecoms regulator, Icasa, essentially to force Icasa to issue a new category of telecoms licences to anyone who applied, rather than cherry-picking a select handful that Icasa decided were worthy. The Electronic Communications Act envisages that these ECNS (electronic communications network services) or i-ECNS (individual ECNS) licences would eventually allow their holders to provide any communications service, from internet or phone to broadcasting, as the technology underpinning these services is all moving to a common platform, namely the internet protocol. Little wonder everyone would like a slice of that pie.

Friday's court ruling in favour of Altech is probably the most important telecommunications event since the Government decided to allow a second network operator. If you recall the enthusiasm from the public regarding the announcement of the new operator, the depression as the process dragged on for several years and now the eagerness with which we all wait for Neotel to finally launch, you will understand what this means. In effect the court has ruled that anyone who holds a VANS licence can roll out a network that competes with Telkom (and Neotel, MTN, Vodacom, iBurst, CellC and Sentech), and currently about 600 companies in South Africa hold such a licence.

Expect lots of people to be competing for your telecommunications business in the near to medium future.

Stopping the e-mail bloat: Are your business processes and e-mail the same thing?

From Tech Republic Blogs

I was reading the July issue of CIO magazine when I came across a quote from Ross Mayfield, the president and cofounder of Socialtext, which produces enterprise wikis. The quote from him reads, “(Employees) spend most of their time handling exceptions to business processes. That’s what they are doing in their inbox for four hours a day. E-mail has become the great exception handler.”

I couldn’t agree more, but I would like to add to his statement and say that, in my opinion, e-mail is not just the exception handler, but in many cases, it’s the primary method for business process communication.

How did we get here and why has it happened? There are a number of reasons, and I’d like to expand on a few.

  • Making it up as we go along.

  • Not enforcing business processes.

  • Business processes that are not automated or automated with software that is outdated or doesn’t fulfill the user’s needs.

  • Lack of communications within an application or integration with other communication mechanisms.

  • Lack of communication alternatives besides e-mail.


This is especially true of small to medium companies, and is a critical factor in their failing to graduate into bigger companies. If your business processes do not exist, or are not being used, then your company is too dependent on critical employees. Aside from the fact that this makes you vulnerable to those employees leaving, it also means that your company cannot scale. Of course the downside of business processes can be the dreaded 'company policy' that customers so hate. A successful company is one that can solve that dilemma, and judging by the number of such companies it cannot be too difficult.

Spend some time reading the linked article and a bit more time thinking about your company's processes and how to automate them without stifling the ways in which you deal with your customers. After all, other benefits of well-designed and well-adopted processes include exposing performance metrics and quality control.

Ten Tips for Successful IT Disaster Recovery Planning

From Information Security Today

Businesses of all sizes rely on information technology as a crucial component of their day-to-day operations. Because data availability is a top priority, the need for companies to compile a thorough disaster recovery plan is essential.

According to Info-Tech Research Group, however, almost 60% of North American businesses do not have a disaster recovery plan in place to resume IT services in case of crisis - a recipe for possible business failure. Faulkner Information Services found that 50% of companies that lose their data due to disasters go out of business within 24 months, while the U.S. Bureau of Labor indicates that 93% are out of business within five years.

Ten Tips for Disaster Recovery Planning:

  • Devise a disaster recovery plan

  • Monitor implementation

  • Test disaster recovery plan

  • Perform off-site data back-up and storage

  • Perform data restoration tests

  • Back-up laptops and desktops

  • Be redundant

  • Invest in theft recovery and data delete solutions for laptops

  • Install regular virus pattern updates

  • Consider hiring a managed services provider


Read the complete article for more details. Although DRP is now a common check item on many IT departments' lists, it is still regarded as a burden rather than a critical task. Companies need to do more than request that DRP be a part of IT's functions. They need to fund it and make it a high-priority item on job descriptions. With IT departments working in reactive mode, DRP will be neglected.

Monday, August 25, 2008

Hackers Crack into Red Hat

From PCWorld

Red Hat confirmed Friday that hackers compromised infrastructure servers belonging to the company and the Fedora Project, including systems used to sign Fedora packages.

In the Red Hat compromise, the intruder was able to sign a small number of OpenSSH packages relating to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only).

As a precaution, Red Hat released an updated version of those packages, a list of tampered packages and a script to check if any of the packages are installed on a user's system.

About a year ago hackers were able to get into the Ubuntu servers. And some time ago Microsoft was also the victim of a hack.

Being a system administrator is like being a goalkeeper in soccer. Everyone forgets the great and not-so-great saves, because what counts are the goals. Even when you are at the top of your game and are working hard to keep things running, the times you get hacked, and those will happen, are the times that are remembered. The examples above are of administrators in the major leagues, and even they get hacked on occasion.

Whilst it's sad to know that one cannot be 100% successful, I think it's helpful to know that failure will happen and that one needs to plan for that eventuality.

So? Do you have a disaster recovery plan?

Opinion: Why Google has lost its mojo -- and why you should care

From ComputerWorld

Google has gone from innovative upstart to fat-and-happy industry leader in what seems like record time. Put simply, the search giant has lost its mojo. That's good news for Microsoft, and it could affect how you use Google's cloud computing services.

Google looks as if it's on top of the world right now, holding an ever-increasing lion's share of the search market. So why do I think it's lost its mojo? Let's start with the way it treats its employees. Google's largesse has been legendary -- free food, liberal maternity and parental leave, on-site massages, fitness classes and even oil changes.

Many people, including me, use Google's services. After search and e-mail, there are documents, spreadsheets, calendars and drawing. In fact I have read about people who now use Google Apps exclusively. Google is their IT department.

But this is not what worries me about Google. Consider that they track everything you do, so even though they may not keep identifying information about you, they do track that user #45EF821F9BC8EA50, for instance, is interested in rock music, the Far Side, Dilbert, lingerie, cars, The Simpsons, cricket, John McCain, etc. In fact they can tie every search you have done to you.

Combine this with their having access to your calendar, documents and spreadsheets, and they probably know more about you than you do.

Why would you trust anyone with that information, let alone someone who would have to turn it over to the US government, if asked, and is not allowed to inform you that they have done so?

Wednesday, August 20, 2008

HTTPS: Surf jacking makes it vulnerable

From Tech Republic Blogs

The infamous cookie causes yet more grief

In reality, it’s not the cookie that causes the problems; they are just an easy way to subvert HTTP and now HTTPS connections. There are two major categories, persistent cookies and session cookies. It’s important that we know the difference between the two when discussing how surf jacking works:

Persistent cookies are so named because they have a time to live that lasts longer than the current web browsing session. The first- and third-party cookies I discussed in my article about Behavioral Targeting and Deep Packet Inspection would be considered persistent cookies. Persistent cookies have very little to do with the actual Internet connection.

Session cookies only last the length of a web browsing session. More importantly, they carry information that validates the web browser to the web server.

A specific set of circumstances is needed to take advantage of surf jacking, but this is still something to keep in mind. Website developers should also look into the suggested changes to the way they develop sites, and so make it harder for this to work.
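As an added illustration that is not from the original article, the following checker parses Set-Cookie headers, classifies each cookie as persistent or session by the definition above (a persistent cookie carries an Expires or Max-Age attribute), and flags session cookies that lack the Secure attribute, which is what allows a browser to send them over plain HTTP. The sample headers are constructed for the example.

```python
"""Audit Set-Cookie headers for session cookies that can leak over plain HTTP.

Added example, not part of the original post. SAMPLE_HEADERS below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class CookieReport:
    name: str
    persistent: bool   # has Expires or Max-Age, so it outlives the browsing session
    secure: bool       # only ever sent over HTTPS
    http_only: bool    # not readable from page scripts
    risk: str          # short verdict for the report


def parse_set_cookie(header: str) -> CookieReport:
    """Split one Set-Cookie header value into its name and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    persistent = "expires" in attrs or "max-age" in attrs
    secure = "secure" in attrs
    http_only = "httponly" in attrs
    if not persistent and not secure:
        risk = "session cookie without Secure: browser will send it over http://"
    elif not secure:
        risk = "persistent cookie without Secure: exposed on any http:// request"
    elif not http_only:
        risk = "Secure but not HttpOnly: readable by page scripts"
    else:
        risk = "ok"
    return CookieReport(name, persistent, secure, http_only, risk)


def audit(headers: list[str]) -> list[CookieReport]:
    """Run the check over every Set-Cookie header of a response."""
    return [parse_set_cookie(h) for h in headers]


# Constructed sample: a weak session cookie, a persistent preference cookie,
# and the same session cookie as a site should set it.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",
    "prefs=dark; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    "SESSIONID=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for r in audit(SAMPLE_HEADERS):
        kind = "persistent" if r.persistent else "session"
        print(f"{r.name:10} {kind:10} {r.risk}")
```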

12 early warning signs of IT failure

From ZDNet

High rates of IT project failure persist because most organizations don’t understand the real reasons why their projects fail.

Sensitivity toward early warning signs [EWSs] can increase project success rates by giving advance notice of potential points of failure. For example, the team can shore up weak executive sponsorship if it identifies the problem sufficiently early. The paper groups causes of failure into two categories: people-related risks and process-related risks.

Here are the top people-related risks:

  • Lack of top management support

  • Weak project manager

  • No stakeholder involvement and/or participation

  • Weak commitment of project team

  • Team members lack requisite knowledge and/or skills

  • Subject matter experts are over-scheduled


And the most important process-related risks:

  • Lack of documented requirements and/or success criteria

  • No change control process (change management)

  • Ineffective schedule planning and/or management

  • Communication breakdown among stakeholders

  • Resources assigned to a higher priority project

  • No business case for the project


You can read the entire report at the ISM Journal site (pdf). I highly recommend it. Some of the signs apply to any project, not just IT projects, and they also apply to projects of any size. Even if the boss stuck his head around the door and delivered the specification verbally in 50 words, that does not mean that your project is not important, or that it cannot fail.

Tuesday, August 19, 2008

More Than One-Third of Vista Purchasers Downgrade to XP

From SANS NewsBites Vol. 10 Num. 65
(August 18, 2008)

Statistics gathered by Devil Mountain Software indicate that nearly 35 percent of new PCs have been downgraded from Vista to Windows XP. Microsoft's end-user licensing agreement allows users who have purchased Vista Business and Vista Ultimate to downgrade to Windows XP Professional; those who purchased Vista Enterprise are permitted to downgrade to XP. Devil Mountain Software operates the exo.performance.network.

Computer World
Info World

[Editor's Note (Pescatore): I know it is popular to bash Vista, but from a security perspective, this is pretty silly. Delaying upgrading to Vista is one thing; buying a new PC with the capacity to run Vista and going backwards to XP makes no sense. At this point the applications that don't work with Vista are all badly written applications that should be shunned anyway.]

I have moved my primary Windows machine to Vista 64-bit. It can address 6GB of RAM, is fast, and the only real issue I have had is that it sometimes does not wake from sleep, and thus requires a reset. But even that has not happened in a while (about two weeks). All in all I am happy with Vista. I even use IE7!

In my opinion it's easier for most users, by far, to move from XP to Vista than to get to grips with a completely new system like OS/X or Linux.

10 common security mistakes that should never be made

From Tech Republic

The following is a list of ten security mistakes I see all the time. They’re not just common, though — they’re also extremely basic, elementary mistakes, that anyone with a modicum of security knowledge should know better than to make.

  • Sending sensitive data in unencrypted email

  • Using “security” questions whose answers are easily discovered

  • Imposing password restrictions that are too strict

  • Letting vendors define “good security”

  • Underestimating required security expertise

  • Underestimating the importance of review

  • Overestimating the importance of secrecy

  • Requiring easily forged identification

  • Unnecessarily reinventing the wheel

  • Giving up the means of your security in exchange for a feeling of security

Nothing very difficult. In fact some are obvious, although one or two are counter-intuitive. It just helps to think about security a little bit. Click on the link to see more detail.

Tuesday, August 12, 2008

Dutch Police Notify Users Infected with Bot Malware

From SANS NewsBites Vol. 10 Num. 63

(August 8, 2008)
Dutch police have notified people whose computers were infected with malware that made them part of a botnet comprising more than 100,000 PCs. People were redirected to a web page containing directions on disabling the malware and a link to an online virus scanner. The police were able to automatically forward the infected users to the help page because they have taken control of the botnet. A 19-year-old man was arrested last week when he tried to sell the botnet to someone in Brazil for GBP 25,000 (US $47,839).

Computer World UK

[Editor's Note (Ullrich): An interesting tactic that should probably be investigated more. In the past, investigators of botnets (law enforcement or not) have been careful not to use the botnet functions themselves. Most of the time, the exact effects of these actions are not well understood. Other methods have however not been very successful in notifying users.]

I believe that the larger ISPs in South Africa can do something like this. If they can detect bot-type traffic on their network, they can modify the routing rules so that all web traffic from infected networks is routed to a page notifying the user of the problem and whom the user can contact for help (note that they already redirect international web traffic to their transparent proxies).

Of course the cynic in me notes that as these ISPs charge per MB they might not be too keen to do anything that reduces traffic.

Apple Sells 60 Million iPhone Apps, Jobs Confirms Kill Switch

From Wired Blogs

In a rare gesture of openness, Apple has revealed data about iPhone application sales and confirmed the existence of a "kill switch" to disable malicious applications.

"Hopefully we never have to pull that lever, but we would be irresponsible not to have a lever like that to pull," he (Jobs) told the WSJ. An example of a malicious application would be one that stole users' personal information, Jobs explained.

Something like this seems like a good idea, until it is abused. I can't help but think about detention without trial, the PATRIOT Act and licensing journalists. They were all presented as a solution to a problem, and we are asked to trust the users. Sadly it's usually a misplaced trust.

The World's First Webmail Service Using Live Snails

From Gizmodo Via Khetan

If you thought the post office was slow, get a load of this Real Snail Mail project. Created by the aptly titled Boredom Research team for the SIGGRAPH 2008 Slow Art Exhibition, this snail mail service uses live snails to deliver your email messages via RFID chips planted on the shell.

You can send someone mail from the project page.

Monday, August 11, 2008

Aug. 11, 1942: Actress + Piano Player = New Torpedo

From Wired

1942: Hedy Lamarr, once described by German actor-director Max Reinhardt as "the most beautiful woman in Europe," receives a U.S. patent for a frequency-hopping device designed to guide radio-controlled torpedoes while making them more difficult to detect in the water. Holding the patent with her is George Antheil.

It's the incongruity of the patent holders with their invention, as much as the invention itself, that is remarkable. Lamarr, a Viennese-born movie actress, would eventually be given a star on the Hollywood Walk of Fame. Antheil, an American avant-garde composer of orchestral music and opera, lived in Paris during the '20s and counted Ernest Hemingway and Igor Stravinsky among his friends.

Read the complete article