Thursday, December 20, 2007

The DCC Holiday Party

Tuesday, June 26, 2007

IT ROI calculations

I have been trying to research ways companies track ROI associated with various IT projects, and I have to admit, I'm becoming frustrated. There doesn't seem to be a standard out there for any part of the business world in which IT is involved.

I suppose this goes back to the unique nature of IT as a part of business. Remember, a long time ago I wrote about how all the geeky guys with pocket protectors got stuck in the closet when they first entered corporate America and never came out? I get the feeling that problem persists! As I have studied page after page of white papers and reports, it seems that IT staff are rarely called upon to make a solid business argument for their choices. Even when a company is in trouble, IT is the last group they consult to streamline operations.  (Or so it seemed to me as I read one story after another on the subject.) I have also noticed that some companies do have ROI calculators on their web sites; but these tend to be slanted in such a way to convince the user to purchase a certain product no matter what. As a DCC staffer I'm honor-bound not to recommend that type of tool, because we promise our customers that we are brand neutral. Frankly, I am looking for a real ROI tool, not a glorified sales tool, because sometimes "no, don't buy this product" is the right answer.

In my opinion, today's marketplace requires IT agility. It requires IT efficiency to compete on costs, and it also requires IT accountability for data integrity, uptime, and efficiency. Why, after all, would we expect any less from our IT team than we do of our accounting team? If the accounting team took 6-8 weeks to launch a new check to pay a bill, surely the company would drop everything and reorganize until that problem was solved, right?

At any rate, all frustrations aside, I'm working on a comprehensive IT project ROI worksheet, which I hope will help. I am writing mostly about virtualization in my worksheet, since that's one of the more difficult things to assess, but I think it could be useful for lots of different IT projects if you change a word or two. If you're interested in my ROI worksheet, just hop over to our main web site (http://www.dcc-online.com) and sign up for our e-Newsletter. I will have the project completed in time for our July e-News mailing.


Thursday, June 21, 2007

Vista Dilemmas & Tips

While I haven't made the change at work, I decided to install MS Vista Premium on my brand-new home-built PC this week.

If you have used Vista before, you might be familiar with the most irritating problem I had with it. Every time I try to run anything, Vista pops up a little window asking me if I really want to do that. There's no option to click "Always Trust this program", and no way to add exceptions or relax the rules. Absolutely everything I try to do triggers this really annoying response. Granted, it's one click to get rid of the window each time, but the incessant nagging really gets on my nerves.

I think it's nice that they stepped up security, but this feature needs to have an exception list like a firewall, so that I can permanently authorize third-party apps to run on my system.

In the meantime, I found a way to turn it off.* Open the control panel, and click in the search box. Type in: "User Account" and hit enter.  Click "Turn User Account Control On or Off". Remove the checkmark by clicking it, then OK your choice. You'll need to reboot, and that will be the end of the nagging. Your computer will be slightly less secure, but you will be less likely to throw things at the screen, so I think all in all you're better off. You'll still get a little annoying red shield with an "x" on it down by your system clock, but you can get rid of that easily enough if you turn off security notifications.

The rest of my Vista experience has been pretty good, all things considered. As expected, I had to download new drivers for most of my hardware, even though it is all  brand new. The good news is that all of the new drivers, once loaded, seem to work very well.

The big hurdle for this process was my motherboard's onboard wireless card. It was not recognized by Vista at all, and Vista would not allow me to use the Asus install disk. I ended up using my laptop to download a new version from ASUS, sneakernetted that to my new PC, and loaded it up from there. Voila! The card was recognized.

The next tale of woe involves Windows Defender, which consistently disables some of my ASUS software during the boot sequence. This means every time I turn on the PC, I have a broken wireless connection to fix. This is a rather long and involved process, since for some unknown reason Vista keeps losing my WEP key. I'm also still learning where things are, and the wireless controls have become much more complicated. I really miss XP's "Repair this connection" feature, which automated the old DOS "ipconfig /release" and "ipconfig /renew" functions. I haven't decided yet whether to disable Windows Defender. Again, I wish Microsoft had made the security tools in a sensible way so users could more easily control which programs are allowed to run on their computers.

My boot time is still a bit longer than I would like, but other than that, I don't have any complaints yet. I'll let you  know how things go as I upgrade components along the way. Here's what I've got so far:

Antec 9000 Case

ASUS M2N32-SLI Deluxe Motherboard

AMD Opteron (Second-Generation) 1220 (2.8 GHz) dual-core processor with 2MB L2 cache

2 GB (2X1GB) Wintec AMPX SDRAM DDR2 800 (PC2 6400)

2X Hitachi Deskstar T7K500 250GB 7200 RPM 8MB Cache SATA 3.0Gb/s Hard Drive

My old ATI Radeon GPU that keeps overheating in this rig.  :-(

Vista Premium 64-bit edition

I think my next upgrade will be a new GPU. My new PC has been designed to be very quiet, and I don't want to add a GPU cooler to make more of a ruckus. I'm considering two quieter PCI-E cards with the SLI bridge.

*Caveat: You probably shouldn't disable UAC if you're very concerned about security; but this is just my home PC, which doesn't have any critical data on it. It's behind a firewall with address translation, and I run pretty aggressive antivirus, antimalware, and antispyware regimens.


Wednesday, June 6, 2007

Sneak peek at our new White Paper

As part of the work we do for our customers, DCC has started a series of white papers. Our goal is to answer a lot of the questions lurking behind the scenes of our clients' IT shops.  As the writing-addicted member of the staff, naturally I'm involved in putting this document together. I love to write papers, because inevitably I find something in my research that is simply not what I'd have expected to find.

For instance, right now I'm writing about data center energy efficiency. In the interest of writing a thorough, well-researched paper, I'm fact-checking everything, even things that seem to be common sense. A larger capacity hard drive, for instance, consumes more energy than a smaller one of the same type. That makes sense, right? The manufacturers' specifications for those drives list their wattage requirements, and sure enough, the greater capacity drives require more watts to spin and idle.

Ergo, to be more energy efficient, stick with smaller drives... or so I would have thought. Then, consider that I'm writing about a data center, which has a large array of disks. From a space perspective, it's more efficient to have larger drives, so I decided to examine the cost of using that extra energy compared with the square footage consumed by using more drives with a smaller capacity.

It turns out that if you look at it in terms of watts per gigabyte, larger drives are the way to go. Here's a sampling of my results:

Drive                                   Energy Required    Watts/GB
Samsung SATA 120 GB (7200 RPM)          Seek: 9.5 W        .07 w/GB
                                        Idle: 7.7 W        .06 w/GB
                                        Standby: 0.9 W     .007 w/GB
Seagate SATA 750 GB (7200 RPM)          Seek: 12.6 W       .016 w/GB
                                        Idle: 9.3 W        .012 w/GB
                                        Standby: 0.8 W     .001 w/GB
Hitachi Deskstar SATA 1 TB (7200 RPM)   Seek: 13.6 W       .013 w/GB
                                        Idle: 9 W          .008 w/GB
                                        Standby: 0.9 W     .0008 w/GB

These are, of course, based upon the seek, idle, and standby figures provided on the manufacturer spec sheets, and they are averages. Still, it seems pretty clear to me that in an array scenario, when you're trying to squeeze the most possible storage out of your available space and wattage, larger drives are better.
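To show how the watts-per-gigabyte figures in the table fall out of the spec-sheet wattages, and to carry the comparison through to a whole array the way the post reasons about it, here is an added Python example; it is not code from the original post. It takes the wattages quoted in the table and, for a constructed 12 TB target, works out how many of each drive an array would need and what that array draws at idle. Two assumptions are made explicit: the 1 TB drive is treated as 1024 GB (the only reading under which the table's 1 TB figures such as .008 w/GB idle divide out), and the table truncates rather than rounds, so a small truncate helper reproduces its digits.

```python
"""Watts-per-gigabyte and array power comparison for the drives in the post.

Added example, not from the original post. The spec-sheet wattages are the
ones quoted in the post's table; the 12 TB target array is a constructed
scenario used to illustrate the comparison.
"""
from dataclasses import dataclass
from math import ceil

# Assumption: the post's 1 TB figures (.013 / .008 / .0008 w/GB) only divide
# out if 1 TB is taken as 1024 GB, so that convention is used here.
GB_PER_TB = 1024


@dataclass(frozen=True)
class Drive:
    name: str
    capacity_gb: int
    seek_w: float     # power while seeking
    idle_w: float     # power while spinning but idle
    standby_w: float  # power while spun down


# Spec-sheet wattages as quoted in the post's table
DRIVES = [
    Drive("Samsung SATA 120 GB", 120, 9.5, 7.7, 0.9),
    Drive("Seagate SATA 750 GB", 750, 12.6, 9.3, 0.8),
    Drive("Hitachi Deskstar SATA 1 TB", 1 * GB_PER_TB, 13.6, 9.0, 0.9),
]

STATES = ("seek", "idle", "standby")


def watts_per_gb(drive: Drive, state: str) -> float:
    """Power in the given state divided by capacity, i.e. the table's w/GB."""
    if state not in STATES:
        raise ValueError(f"unknown state {state!r}")
    return getattr(drive, f"{state}_w") / drive.capacity_gb


def truncate(value: float, places: int) -> float:
    """Drop (not round) digits past `places`; the post's table does this,
    e.g. 9 W / 1024 GB = .00878... is listed as .008 w/GB."""
    factor = 10 ** places
    return int(value * factor) / factor


def cheapest_per_gb(drives, state: str = "idle") -> Drive:
    """The drive that costs the fewest watts per gigabyte in `state`."""
    return min(drives, key=lambda d: watts_per_gb(d, state))


def array_plan(drive: Drive, target_gb: int, state: str = "idle") -> dict:
    """How many of `drive` an array needs to reach `target_gb`, the capacity
    that actually results, and the array's power draw in `state`."""
    count = ceil(target_gb / drive.capacity_gb)
    return {
        "drives": count,
        "capacity_gb": count * drive.capacity_gb,
        "power_w": round(count * getattr(drive, f"{state}_w"), 1),
    }


if __name__ == "__main__":
    print(f"{'Drive':28} {'seek':>8} {'idle':>8} {'standby':>8}  (w/GB)")
    for d in DRIVES:
        cells = " ".join(f"{watts_per_gb(d, s):8.4f}" for s in STATES)
        print(f"{d.name:28} {cells}")

    target = 12 * GB_PER_TB  # constructed scenario: a 12 TB array
    print(f"\nArray reaching {target} GB, idle power:")
    for d in DRIVES:
        plan = array_plan(d, target)
        print(f"{d.name:28} {plan['drives']:4d} drives  "
              f"{plan['capacity_gb']:6d} GB  {plan['power_w']:7.1f} W")
    print("\nLowest idle w/GB:", cheapest_per_gb(DRIVES).name)
```

Run as a script it prints the per-state w/GB for each drive and the drive count and idle wattage of a 12 TB array built from each; the 120 GB drives need over a hundred units and several hundred watts at idle, while a dozen 1 TB drives cover the same capacity at roughly 108 W, which is the point the post's table makes in a single number.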


Thursday, May 31, 2007

JackPC

I am now completely tempted to put a Citrix server in my house, and then put one of these in every room.

One of the silly things about thin clients in my opinion has been that in the past, you didn't get much real estate back when you made the transition from a traditional PC to a thin client. Most of them aren't that much smaller than a MicroATX-based PC. They have the same number of cables tangled up at the back, too. Of course they have many positive features; fewer moving parts for a longer life cycle, and easier management for the IT staff.

The JackPC has added the features I thought the thin client was lacking. I wish I could get my hands on one to try it out!


Wednesday, May 30, 2007

Amazing gear coming!

I have to admit. Microsoft has knocked my socks off this time. Their surface computing stuff looks pretty awesome.

Don't settle for reading an article; you've got to see this thing in action: http://crave.cnet.com/8301-1_105-9723647-1.html 

It's being proposed for uses on restaurant tabletops, though, which to my mind is a bit impractical. I'm thinking this will be fairly pricey, and do you really want a restaurant patron dumping a plate of spaghetti on your extremely expensive computer?

Still, kudos to Microsoft for bringing us ever closer to the world of Philip K. Dick.


Thursday, April 26, 2007

Longhorn Beta 3

Microsoft is looking for folks to try out Longhorn Beta 3, their long-developed Windows Server offering. The following is a quote from their press release:

The release allows people to evaluate the increased control, flexibility and protection built into Microsoft Windows Server “Longhorn” Beta 3, available for download today at http://www.microsoft.com/getbeta3. The final version of Windows Server “Longhorn” is on track for release to manufacturing in the second half of 2007.

“As they take it for a test drive, our customers and partners will find we made some vast improvements in Windows Server ‘Longhorn’ to help them reduce costs and adapt to changing business needs,” said Bill Laing, general manager of the Windows Server Division at Microsoft. “Between early adopter customers and Microsoft IT, we have hundreds of servers running in production environments today. If there’s one message we want to send today, it is get ready, download and evaluate.”

Improvements Microsoft is touting for this release:

1. Windows PowerShell, a scripting tool for administrators, is now included in the product.
2. Active Directory Federation Services improvements allow customers to implement new policies and make it easier to set up a relationship between trusted partners.
3. The Server Core installation option now comes with additional roles and enhanced functionality, such as print services and Active Directory Lightweight Directory Services.
4. The Server Manager console includes additional remote administration tools to provide a more integrated management environment.
5. Windows Firewall with Advanced Security, now on by default, provides a persistent and more secure environment beginning at installation.
6. NAP is integrated with Microsoft Update and Windows Update to enable administrators to decide which updates are critical and set policies accordingly. It also has a new administrative interface for simplified setup, scalability and better performance.


Monday, April 16, 2007

Ubuntu Out of the Box

Ubuntu's next release is creating quite a stir this week, as Ubuntu makes aggressive strides into the world of high-end servers. Essentially, the next release of Ubuntu (Feisty Fawn, scheduled for April 19) is the first Linux distribution with paravirt-ops and VMI support for optimized performance under VMware. Of course, Feisty Fawn still supports open-source virtualization packages, like Xen.

If the release works as it should, you could run Feisty Fawn on your Linux server and install a VMware layer. From there you could do all the ordinary things VMware supports, including running virtual Windows machines.


Thursday, April 5, 2007

New Mac Pro reaches epic proportions...

When I saw Apple's web site this morning, I think I heard the lofty trumpet sounds of Copland's Fanfare for the Common Man chiming down from the heavens. I am pretty sure the murky clouds over the Detroit area parted, and a single ray of sunshine beamed directly down through the Dynamic Computer ceiling and onto my flat panel.

The new Mac Pro is just an unspeakably awesome computer. Let's start with options for 8-core Xeon processing. Up to 16 GB of RAM. 3 TB of storage & your choice of three hot graphics cards. It is downright swoonworthy. The best part: the entire thing is customizable. You can opt to start out with this case nearly empty, leaving a ton of room for expansion, or you can load up. The price difference there is about $2500 for the bare bones (still pretty great) up to about $12,000 for the most incredible desktop computer I have ever seen.

I can't wait to see if the reviewers like these. I think it's a great move for Apple to offer just one really amazing new computer, and let people scale it the way they want it. I'm sure most home users aren't going to shell out $12,000 for a machine to play World of Warcraft or Doom; the nearly empty version could still make for some pretty smooth gaming or multimedia performance. I can, however, see how some professionals might want to inch toward the $12,000 top end. I have got to think this would be an amazing architect's or engineer's computer. It would also be great for my work with the Adobe Creative Suite, rendering vector graphics and such, although I'd have a tough time convincing Casie and Farida of the ROI of switching me from Windows to Mac and buying me a computer that costs as much as a car.

Dare to dream.  And now, all together on the count of three:

one,        two,         three:    *swoon*


Wednesday, April 4, 2007

Don't forget your Windows Update today

Microsoft released a patch yesterday for that security hole in all Windows operating systems that I mentioned last week. As it turns out, Vista was also susceptible to these exploits; it just took a little convincing to get Microsoft to admit it.

So, if Windows is nagging you right now to run your updates, you probably should go ahead and do that. Unfortunately, it requires a reboot; but then you will have the peace of mind that comes with knowing your computer is free of holes. Well, that is, until the next one is discovered sometime next week...


Friday, February 23, 2007

A services-based model for software

Among the many ways computer science is changing, I think the most important shift is a philosophical one.

For example, in the old days, technicians would design a network with a "File Server" box, an "Email Server" box, an "Applications Server" box, a "Web Server" box, and so on. A technician's job was to install and maintain various boxes that did various things.

Now, with virtualized servers, a technician is providing file storage, applications, and hosting services. It's no longer about managing boxes, but managing system resources and scale, to provide optimal and sustainable performance for all the services required. It's a service-based philosophy.

Yesterday Google made the news by announcing their upcoming launch of a professional version of Google Apps. For $50 per person per year, they will be entering direct competition with the much more expensive MS Office, with a word processor, a spreadsheet program, and versions of Gmail and Google Calendar.

This is a truly service-based launch, and I think it's a step forward. No one wants to buy a cellophane-wrapped box and then spend an hour installing software, and then another hour waiting for security patches and updates. Furthermore, in order to keep traditional boxware* secure,  users need to keep updating it with patches. Don't even get me started on the headache involved in entering a 25-digit key code to get the software working, and then keeping it around for reinstallations. Also, with boxware the software license is tied to the computer. If I buy another computer, I must buy another box of software, with another 25-digit key code. This is not fun, and it's not productive. It's wasting time spinning a CD and then consuming lots of local computer resources to run.

Opponents of Google's software delivery model argue that users will be dependent on their Internet connection for performance, and also on Google's ability to maintain their promised 99.9% uptime on the system. I would argue that the potential of a hardware outage, software glitch, or MS Office security hack in the boxware model causing a loss of productivity is about the same as the risk of a Google App outage, if not slightly more risky. This is especially true for mom & pop shops who are running their own systems. I'd trust Google to keep my apps up and running a lot more readily than I would trust my Uncle Joe. (No offense, Uncle Joe, but your one class in computer science in the age of punchcards does not make you superior to Google's tech team.)

Time will tell what will come of this, and I'm sure many companies will be reluctant to shift from the pay-once boxware method and the software they know, to a subscription-method to use less familiar apps. I think, though, that I will be recommending this to the struggling local bookseller, and my retiree parents who were having some trouble running the older versions of office on their ancient computer. The great thing about online applications is that they don't require much from the local machine, which will be good for my folks, who think a computer should last 10 years before retirement.  /sigh.

*I think I may have just coined the term "boxware". I intend it to mean software that comes on a CD, is packaged in a box, and is rendered obsolete by update patches before you buy it.


Thursday, February 22, 2007

Tips and Tricks

We've all been using Windows for so long that we're in the habit of interfacing with the computer in a specific way. You have built a relationship with Windows and with your computer, which may or may not be a healthy and functional one.

Here are some basic ways you can improve your communication style with your computer, and possibly have a happier relationship with it:

1. Lay off the mouse when you're trying to type. If you're performing a keyboard-intensive task, like entering data in a spreadsheet or writing a long document in Word, odds are that you'll be more productive with both hands on the keyboard.

  • Use your keyboard to select text, copy, and paste. To select text you can hold down your shift key and use the arrow key to highlight it. To copy, hold down Ctrl and hit the "C" key. Put the cursor where you want it using the arrow keys, then hold down Ctrl and hit the "V" key. This works in most Microsoft applications, and also in most web browsers, online email and blog interfaces, and so on. It takes a little practice, but can be a valuable tool! You can also cut and paste using Ctrl+X and Ctrl+V.

  • Use the Windows button to navigate. If your hands are busy on the keyboard and you want to launch another application or another window, you can use the Windows key, which looks like a wavy set of four squares, probably near the Ctrl and Alt buttons.


2. Try to avoid using the "File" menu so much. If you're in the middle of a document and want to save changes, hit Ctrl+S and keep typing. Ctrl+P will print to your default printer. These shortcuts are listed on the file menu as a reference.

3. Never type out a URL. Try this: Navigate to the site you want. Then click the address in your browser, and the whole thing will highlight. Ctrl+C, then flip to where you want to place the URL, and Ctrl+V. Voila. You can also drag a URL directly from the browser's address bar into your other document. To do this, click and hold down the little icon between "Address:" and the "http://" on your browser's navigation bar. Drag it to the window you want and drop it, or drag it to the right program on the task bar, wait until that program pops up, then drop it. It's very easy.

4. Listen to your computer when it tries to tell you stuff. A PC doesn't communicate like a human, so it's useful to think of the "Computers are from Mars, Users are from Venus" analogy. As an example of bad communication from a PC, think about the ways your computer tries to tell you it has a virus.

  • Uploading anything to the Internet without your telling it to do so is a sign that there's probably malware involved.

  • The hard drive spinning constantly when the computer is sitting idle.

  • Your antivirus software is mysteriously shut down, will not update, or locks up.

  • MSConfig and/or the Windows Registry Editor will not open.


All of these things are martian for "I think I have a virus, please oh please disconnect me from the Internet and call tech support."

5. Use content-based shortcuts in spreadsheets. How often do you insert today's date in a spreadsheet? Ctrl+Semicolon will do it for you. You don't even have to know what today's date is! Ctrl+Shift+Semicolon will insert the current time. ALT+0162 enters the cent character ¢.  ALT+0163 enters the pound sterling character £.  ALT+0165 enters the yen symbol ¥.  ALT+0128 enters the euro symbol €.

6. If you're not using a Mac, you should definitely use the right-side mouse button. Right-clicking things to pop up their menu is a great time-saver, and will help you to stay off the "File" menu.

It might seem counterintuitive at first to try these ideas, but I hope you will give it a shot sometime. Having multiple ways to tell your computer the same thing can make you a more efficient user.


Wednesday, February 21, 2007

Benefits and Drawbacks of Virtualization

To virtualize or not to virtualize? That is the question. In short, every organization's needs are unique, and there's no 'canned' answer that will fit everyone. Here are some questions to ask as you're making this decision.

1. How many 'boxes' do you have right now per staff member, and how many do you think you'll have in 2 years? 4? Will your staffing level be able to keep up with the growth of your server farm?

2. What is your IT funding model? With virtualized servers you have the option to bill back actual computer usage to the department who used it, since you can identify each department's data footprint and CPU usage. If your budget is still divvied up over departmental lines based upon physical boxes, you may need to make some changes in the finance office first.

3. What is the cost of the physical space required for your servers? If you are in a crowded environment and space is at a premium, you may wish to elevate virtualization to a higher priority. If you're in a giant warehouse with ample space to spare, this may not be a concern for you at all.

4. What is your company's overall ecological footprint, and is it important to you to be eco-friendly? If you place a high priority on reducing your power consumption, that may be a vote for virtualization, since your systems and cooling devices will suck up much less power than a box-based architecture. This will also save you money on your power bill each month.

5. What is the size of your network? If you are running a small network of less than 10 servers, virtualization may not give you a good return on your investment. The "sweet spot" for virtualization starts somewhere between 15 and 30 servers, and generally occurs in companies with 100-5000 employees. When companies are much larger than that, they will tend to fragment their IT services into different physical areas, and usually a mix of virtualized and non-virtualized approaches is best.

6. What kind of long-term savings are you hoping to achieve? In truth, virtualization may not help with your software budget at all. Hardware, though, can make a huge impact on your bottom line. Everything depends on what sorts of hardware you were buying in the past, but most companies who virtualize have projected savings of 40-70% on hardware purchases in their budgets following virtualization.  

7. This won't reduce your staffing budget. You likely will not be able to reduce your IT staff due to virtualization. The level of responsibility they have in a virtualized environment is about the same as with a server farm performing the same computing workload.

8. Is up-time important to you? Availability of virtualized systems is the highest of any type of server architecture. If you place a high priority on 24/7/365 up-time, that's a big "yes" vote to virtualize.

9. What is the cost and headache associated with your current disaster recovery plan? Virtualization can alleviate a lot of this concern.

10. What is your vision for IT? This seems to be an abstract concept, but your overall long-term view of what you provide for your organization really does matter to your strategy. If  you view technology as a service you provide for the people in your organization, virtualization can be a great tool toward designing those services and separating them ideologically from hunks of hardware on a rack. If your goal is to impress visitors with the size and splendor of your astonishing 30 racks of servers, virtualization is not for you.

Some drawbacks of virtualization you'll need to be prepared to handle:

1. Your software licensing might get complicated. Though more software vendors are adjusting their approach, historically licenses have not allowed for the way virtualized servers utilize their processors. One example is Oracle, which sells licenses on a per-processor basis. If your virtualized server has 4 processors, and you plan to use just one of them with Oracle, Oracle is still going to charge you for a four-processor license.

2. You have to very carefully manage your system resources when you virtualize multiple servers into one,  because all of those will share the same I/O. You'll need to make sure you have plenty of machine to handle the demands of your users, or you may run into bottlenecks.   


Tuesday, February 20, 2007

Social Engineering II: A guide for newbies

I don't mean this article to be condescending. I'm sure the majority of people reading this blog already know their basic Internet safety; it's been 10 years since you were called a "newbie". What about your kids, or your grandma? Last month I spoke with a lady who works as a secretary for a large university, and was just assigned to begin using the Internet last year. As much as it may seem to us that everyone we know has been online forever, that is simply not the case.  So, in the interest of arming you to help them out, here are the basics of online safety.

1. Never give out digits to strangers. A stranger can be a guy in a chat room or a web site whose validity you can't verify using offline methods. Digits include any number, of any kind. Your most closely guarded secrets should be your social security number and birth date, your driver's license, passport information, and account numbers. It is also a good idea to guard your telephone numbers to avoid nuisance callers. If your kids are online, they should never give out their telephone number, address, or school information, since that is one of the ways predatory adults can begin to manipulate them.

2. Avoid chat. If you must chat, try not to chat with strangers. If you must chat with strangers, never reveal truthful personal data. You can never know who you are talking to in a chat interface. That could be a 12-year-old girl, or it could be your mother, or it could be a professional thief in a non-extradition country.

3. Don't create web content without carefully considering it first. Don't post private information, or anything you wouldn't be comfortable telling your boss or your first grade teacher. Web content must be considered permanent. Don't assume you can take it offline and it will disappear. Once it's out there, it's out there. You have to assume that potential employers, your future spouse, your future grandchildren and their college application boards will see what you've posted.

4. Never share a password or PIN. There is not a single legitimate reason for a technical support person or account rep to ask for your password. This is rule #1 in online customer service. If your password has been compromised, report it and change it immediately.

5. Always use up-to-date antivirus software, an up-to-date operating system, and an up-to-date firewall. None of this stuff will protect you if you turn it off or allow it to become out of date. Even though it is a pain to wait for an update, it's critical that you do so.

6. Never respond to online content or messages that make you feel uncomfortable or suspicious without talking to someone about it first. This applies if you are a kid and someone has scared you, or if you are an adult wondering whether to click the link to update your account information with a strange-sounding bank site. If it's creepy or odd, err on the side of caution. Kids, talk to your parents. End-users, talk to your tech support person. It's not your fault you stumbled onto something fishy or dishonest, and you'll get kudos for not responding to it.

7. Never agree to meet someone in person that you have 'met' online without proper safeguards. Kids should get their parents' help. Adults should make sure to meet in a public place, preferably a busy one, with two or three viable plans for disengagement. (i.e., I am 12 feet from my car, and if I can't get to my car I can go to the restaurant manager, and if I can't get to him I can go to the police officer on the corner.)

8. Check with someone before you download anything. Kids, check with your parents. Adults, check with your IT staff at work. If you're at home, and you're wondering if you should download something, try googling "security review x"  to see if anyone has posted a review of "x" software from a security standpoint. If the software is legit, you will usually find something. If it's a notorious hack, you'll find that, too.

9. Obviously, don't do anything illegal. Also, don't be a bad net citizen. Putting someone's email address on a spammer's list is not going to win you points with that person. Engaging in illegal activity doesn't just get you into trouble with other people; it can open you up to security problems, because sites where you do illegal things (like allowing people to download your copyrighted music files) will often open backdoors on your computer which hackers love to exploit.

10. Don't open email attachments unless you are sure of their source. Even if it comes from someone you know, you should think about it and ask yourself whether it is 'in character' for that person to send you that type of attachment. For example, it's a pretty safe bet your grandma did not intentionally send you an "exe" file. Many viruses use "spoof" addresses, and may appear to come from someone inside your company. If you have any doubt at all, send an email back and check with the sender. They will understand you are trying to maintain your security!


Monday, February 19, 2007

Social Engineering hacks top threat list

It's an IT staffer's nightmare, and it's knocking on the door. The top PC security threats in the past few days have been 'social engineering' exploits, which means they rely upon the end-user's cooperation to open the door for an attack. The people who design these attacks have studied basic psychology, and they know how to prey upon end-users' curiosity, credulity, or polite manners to gain access to your organization's network resources, data, or money.

This week's news reveals an exploit in IE 7, which will permit a hacker to gain access to the host PC once the end-user has supplied the path for a specific file location.  In an e-mail statement on Friday a Microsoft spokesman said: "In order to be successful, an attacker in advance would have to convince the user to enter the location of a file into an attacker's Web page through social engineering." Microsoft is still investigating the issue and will take "appropriate action," the representative said.

Why are these social attacks such a nightmare for IT staff? Mostly, this is where computer science intersects with human relations, and most technical folks aren't trained to handle that. We can't use software to control Mary the receptionist or John the CEO when they use the Internet. If John has been duped by a site that will allow him to prepare a nice-looking chart of interest rates for corporate loans, he may be convinced to upload a copy of his company's logo to customize the chart. Just like that, he has unwittingly opened his PC to the exploit, and if the hacked web site is running efficiently, his computer could be a zombie selling illegal copies of next week's movies within an hour or two. John might start to wonder what is happening if his computer slows down, or when the hard drive seems to be spinning constantly, but even if he realizes he has been duped, he may be ashamed, and therefore reluctant to admit his mistake to the IT staff. The IT department might notice this hack if the traffic patterns on the network change; but some of the newer, more sophisticated exploits are designed to use a trickle of bandwidth.
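The paragraph above makes two detection points: a change in traffic patterns can reveal a compromised machine, and a "trickle" exploit defeats a check that only looks at volume. The added example below (written for this page, not from the original post) runs both checks over constructed flow records: a per-host volume check that only notices the largest sender, and a timing check that flags a host talking to one destination on a near-fixed five-minute schedule even though it moves less than a kilobyte each time. Host names, the destination 203.0.113.10 (a reserved documentation address), the flow records and the thresholds are all assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed outbound flow summaries for one working day:
# (seconds since midnight, source workstation, destination, bytes sent).
# Sample data, not a capture from any real network.
FLOWS = []
# ws-john: a compromised host checking in with its controller every five
# minutes, with a second or two of jitter, sending under a kilobyte each time.
FLOWS += [(3600 + i * 300 + (i % 3) - 1, "ws-john", "203.0.113.10", 900) for i in range(24)]
# ws-john also reads the news at irregular intervals, as people do.
FLOWS += [(t, "ws-john", "news.example", 40_000)
          for t in (3700, 3712, 3900, 5100, 5105, 5800, 7300, 7302, 9000)]
# ws-mary pulls three large software images from a content network.
FLOWS += [(t, "ws-mary", "cdn.example", 5_000_000) for t in (4000, 4600, 6100)]
# ws-steve checks mail a few times.
FLOWS += [(t, "ws-steve", "mail.example", 30_000) for t in (3650, 4100, 6000, 7900, 8200)]


def flows_by_pair(flows):
    """Group flows per (source, destination), ordered by time."""
    series = defaultdict(list)
    for ts, src, dst, nbytes in sorted(flows):
        series[(src, dst)].append((ts, nbytes))
    return series


def detect_volume_outliers(flows, factor=3):
    """The classic traffic-pattern check: hosts sending far more than their peers.
    This snapshot compares hosts with each other; a real deployment would compare
    each host with its own history."""
    totals = defaultdict(int)
    for _, src, _, nbytes in flows:
        totals[src] += nbytes
    typical = median(totals.values())
    return sorted(host for host, total in totals.items() if total > factor * typical)


def detect_beacons(flows, min_connections=8, max_jitter=0.1):
    """Flag (source, destination) pairs that talk on a near-fixed schedule,
    regardless of how little data moves. Jitter is the coefficient of variation
    of the gaps between connections: 0 is a perfect metronome, human browsing is
    close to 1."""
    alerts = []
    for (src, dst), events in flows_by_pair(flows).items():
        if len(events) < min_connections:
            continue
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period else 0.0
        if jitter <= max_jitter:
            alerts.append({"src": src, "dst": dst, "connections": len(events),
                           "period_s": round(period), "bytes": sum(n for _, n in events)})
    return alerts


if __name__ == "__main__":
    print("volume outliers:", detect_volume_outliers(FLOWS))
    for alert in detect_beacons(FLOWS):
        print("beacon:", alert)
```

Run on the sample data, the volume check names only ws-mary, whose big downloads are legitimate, and says nothing about ws-john; the timing check reports ws-john's 24 contacts with 203.0.113.10 at a 300-second period and a total of 21,600 bytes. That is the gap the paragraph describes: a trickle is invisible to a byte counter but very visible to a clock.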

Meanwhile, at home, John's Anime-loving teenager is very excited to download a nice screensaver with some vintage Trigun images. Unfortunately, hackers have no qualms about using copyrighted images to dupe kids, so along with images of Vash the Stampede, she downloads a pack of backdoors and the home network immediately becomes compromised. This wouldn't be such a problem, except that John and his wife's laptop computers both connect to the home network, behind the house's firewall. John and his wife may or may not have the necessary skills to detect the problem and prevent its spread to their company laptops.

Both Microsoft and Mozilla, the maker of Firefox, are looking for solutions to the security holes social engineering hackers are exploiting this week, but in the meantime it's important that users are informed of the risks and practice the new brand of safe computing. Most importantly, your company's security policies must be codified, and must also be updated quickly as new risks present themselves. Someone must take the lead in adding new items to the security policy frequently and ensuring everyone is notified, because the hostile nature of our computing environment renders stagnant policies useless very quickly.

Here are some ideas for problems your cybersecurity policy should address:

What should staff do when confronted with an unexpected pop-up window?

What security practices should staff follow when using their mobile devices outside the office?

Ensure staff know they will never be asked to give their password to another employee or system administrator.

Rules governing IM clients and file-sharing software.

Guidelines for running Windows Update, Java updates, and responding to various other update mechanisms built in to their systems.

Detailed descriptions of what users should do if they feel suspicious of a web site, phone call, or other type of contact.

Physical security measures preventing outsiders from walking into areas where computers are in use.

A plan for staff to enact the second they think their system or password may have been compromised (e.g., unplug the network cable and call Joe in IT).

A policy for checking the credentials of anyone contracted to perform work for the company, whether they are a janitorial service or a network technician.

These are just a few ideas; but the overall point is that it's important to communicate with staff. A robust and updated security policy will increase their level of awareness, and therefore decrease the likelihood they will fall prey to a social engineering scheme.

Beyond policy, it is time for IT staff to get out of the server room and build strong relationships with their systems' users. The hackers are many steps ahead of the good guys on the human-relations side of computer science, and IT staff need to step up their efforts to match.  The time for technical staff to look down their noses at users from a position of technical superiority is long past.  The new IT department needs to understand users, relate to them, and communicate with them openly. They also need to develop an excellent 'bedside manner' so that end-users are comfortable discussing potential social engineering threats without embarrassment. The biggest mistake an IT staffer can make at this point is to make a user feel stupid. While in the past I'd have considered that sort of thing rude, I now think it is both rude and risky, since it increases the likelihood a social engineering scam will go undetected.

Friday, February 16, 2007

Time to think about changing the clock...

Everyone knows that daylight saving time comes up in spring, and that we all set our clocks ahead, somehow losing an hour of sleep. We also know that our government has decided that this year we will be losing sleep a bit earlier in the year than ever before. In the past we changed our clocks around the first of April. This year we will change them on March 11 at 2 AM. At first glance it seems to be no big deal, just another way to try to conserve energy. Yay us.

The thing is, we aren't just talking about the family grandfather clock and the alarm clock next to the bed. Think about how many devices and software packages you use that include the time, and how many of them are programmed to automatically adjust for daylight saving time. (The one on the first Sunday in April, not the one we have now.)
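Exactly which days an unpatched device gets wrong follows from the two rules. The added example below (written for this page, not from the original post or from Microsoft) encodes the pre-2007 US rule the post mentions (first Sunday in April to last Sunday in October) and the 2007 rule (second Sunday in March to first Sunday in November), lists the windows in which they disagree, and reports the clock error an unpatched device shows on a given day. The function names are mine; the rules are the real ones. The practical security relevance is log correlation: during those windows, timestamps from an unpatched server or appliance are an hour behind everything else.

```python
from datetime import date, timedelta

SUNDAY = 6  # datetime.weekday(): Monday is 0, Sunday is 6


def nth_sunday(year, month, n):
    """n-th Sunday of a month; n=-1 gives the last Sunday."""
    if n > 0:
        first = date(year, month, 1)
        offset = (SUNDAY - first.weekday()) % 7
        return first + timedelta(days=offset + 7 * (n - 1))
    next_month = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last = next_month - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - SUNDAY) % 7)


def old_rule(year):
    """US rule an unpatched device still follows: first Sunday in April to last Sunday in October."""
    return nth_sunday(year, 4, 1), nth_sunday(year, 10, -1)


def new_rule(year):
    """US rule from 2007 on: second Sunday in March to first Sunday in November."""
    return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)


def in_dst(day, rule):
    """Whole-day approximation; the 2 AM switch itself is ignored."""
    start, end = rule
    return start <= day < end


def unpatched_clock_error_hours(year, month, day):
    """Hours by which an unpatched device's clock differs from correct local time:
    -1 means it shows an hour earlier than it should, 0 means the two agree."""
    d = date(year, month, day)
    correct = in_dst(d, new_rule(year))
    device = in_dst(d, old_rule(year))
    return int(device) - int(correct)


def disagreement_windows(year):
    """Date ranges [start, end) in which the two rules disagree."""
    old_start, old_end = old_rule(year)
    new_start, new_end = new_rule(year)
    return [(new_start, old_start), (old_end, new_end)]


def days_wrong(year):
    """Total days per year on which an unpatched device shows the wrong hour."""
    return sum((end - start).days for start, end in disagreement_windows(year))


if __name__ == "__main__":
    for start, end in disagreement_windows(2007):
        print(f"unpatched devices are an hour behind from {start} up to {end}")
    print("days wrong in 2007:", days_wrong(2007))
```

For 2007 the windows are March 11 up to April 1 and October 28 up to November 4, 28 days in all, which is the "four weeks per year" the post quotes for the car clock. The count is not constant: the same calculation gives 35 days for 2008.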

Some of us are already sighing and rubbing our eyes as we recall the absolute joy and anticlimax that was Y2K for IT people.

Microsoft released an announcement which essentially said that users with Vista and parts of Office 2007 are all set! Everyone else (the vast majority of Windows users) will need to put in a little work. Users of XP Pro who have service pack 2 installed will simply need to run Windows Update, no reboot necessary.

If you're still running pretty much anything else, there is a bit more involved. Outlook 2007 and its predecessors, Windows NT, Windows 2000, Visual Studio, and Windows CE will all require a manual edit to update (servers included) and will then require a reboot. No word yet on Windows Mobile, other than that it will require a registry key set to be installed, and Microsoft has released those keys to the OEM vendors for distribution.

Mac owners, I'm afraid you don't escape from the grief this time. Apple OS will run an automatic update, and will require a reboot.

HP-UX, older versions of Suse, and Red Hat will require patch installs. Solaris and AIX will require a patch and a reboot.

Beyond the operating system, enterprises will need to fix: Exchange Server, Outlook, Dynamics CRM, SQL Server Notification Services, Windows SharePoint Services, Office Live Meeting and/or Microsoft Entourage, according to Microsoft.

Microsoft advises that updates should be organized from the core of the network and move out to the edges. So, companies should upgrade their servers and MS Exchange first, then go through and patch the desktop OS, then patch MS Outlook, then work on mobile PCs. At home, users are advised to patch their OS first, then their applications.

If you are a heavy calendar user (of a calendar on your PC, not an online calendar app), Microsoft advises that you go online and download a small program known as "tzmove" (Time Zone Move) that can retrofit all previously booked appointments to the new daylight-saving rules. Other vendors offer similar tools for their systems. This will fix the appointments that were entered before the time-change fix was applied.

The fun doesn't stop there, however. There are also a lot of nuisance bugs related to the time change. You're probably going to have to figure out how to fix your car yourself, or simply live with the clock being wrong for four weeks per year. Then you get to go home and figure out how to fix the clock on your entertainment system, camera, phone, and thermostat. At least none of these devices is going to change all your appointments to the wrong time. I think I'm just going to leave my Xbox and Playstation alone; the time isn't displayed on screen that often, and I'm therefore just going to settle for knowing they are wrong.

If you're scheduling an international conference call, you should probably not rely on any automated systems, instead agreeing to use Greenwich mean time for planning purposes. There may also be some issues with late-night financial transactions being posted on the wrong day, so this isn't a good time to conduct time-sensitive funds transfers at the last second.

Thursday, February 15, 2007

Power Consumption

The Berkeley National Laboratory is scheduled to release a report today on the amount of electricity being guzzled by our nation's servers. The report, according to CNET, will say servers and their cooling gear in the U.S. consumed 45 million kWh of electricity in 2005.

To put that number into context with similarly large power drains, Mississippi and 19 other states consume less power than that. (Stephen Shankland, Cnet, Feb. 14, 2007.)

Researcher Jonathan Koomey, who is the author of the study, says most of this new power drain is guzzled by a large number of lower-end servers.

Obviously, for large enterprises, this power-sucking black hole in the server room must be making an impact on the bottom line. Beyond the costs, however, is the natural resources problem, since the DoE reports 86% of power consumed in the US is derived from petroleum, coal, and natural gas, none of which is a renewable resource.

The industry has started an Energy Star movement, but the government only began to address the issue in December 2006, so it will be a while before the EPA is on board with those little "star" stickers we've all been sporting on our refrigerators for a decade.

In the meantime, many companies have spotted ways to decrease power consumption at the desktop level. Laptops use less juice than workstations, and mobile PCs use less than that. Ergo, mobile computing saves energy. Keeping documents electronically and not printing them also saves energy. Flash memory rather than spinning hard drives saves energy, too. These are no-brainers.

What can we do about our servers, though?

The only current answer I've been able to find that makes sense is virtualization. By using one processor to perform the work of many, virtualization reduces the number of 'hot' points in the server room, reducing the enterprise's power consumption.

In the future, however, we may have more options. Rambus's experimental Loki device can perform at 6.25 gigabits per second and pass information at 2.2 milliwatts per gigabit. Similar products on the market now can transfer more gigabits per second, but they operate at around 15 to 30 milliwatts per gigabit.  Perhaps Rambus is on to a new technology that will allow us to keep ramping up our processing speeds without installing private power plants in our company's backyard. It seems, though, that a real-world implementation of the Loki technology is a long way off.

Tuesday, February 13, 2007

Not sure whether this is a good thing or not.

This month the One Laptop Per Child project will be shipping laptops to some of the poorest developing countries in the world. The laptops cost $150, and operate on a pull-string or hand crank so that they don't require a battery. I love the technical innovations involved; these laptops use flash memory drives instead of spinning hard disks, and run on very little energy.  I like the idea. Computers can bring kids the entire body of world literature at a click, in a place where they can't afford textbooks. They inspire kids to be creative, to explore other cultures and their own, and store information on everything imaginable.

This sounds exciting, doesn't it? But then I started to wonder if this is really what the kids in question need. Let's take the children of Rwanda, for example. According to the World Bank's data (from 2005, which is the most recent I could find) the gross national income per capita in Rwanda is $230 per year. They represent the one-fifth of the global population living in abject poverty the likes of which no one born in the US could possibly imagine. According to the CIA Factbook, taking into account the excess mortality caused by AIDS and infant mortality, the life expectancy of a child born in Rwanda in 2006 is 47 years.

If I were the average Rwandan mother, according to the Factbook, I would have 5 or 6 kids to feed, clothe, and shelter, and I'd have to do all of that on less than $1 per day. As a US citizen I can't presume to know how that would feel; but logic and common sense dictate that if I had a laptop, I would sell it in a heartbeat to buy food and medicine. It's a no-brainer. If I'm asked to choose between a device that allows my kid to read Shakespeare and a year's supply of food, I choose food. (And I like Shakespeare, too.)

I don't think it's entirely wrong to want to share technology with developing nations; but I think these things need to happen in some sensible order. Before we provide the Internet and an e-book, the global community needs to address the increasing gap between wealthy nations and the poorest ones, where daily life is a horror show of disease, war,  and crushing poverty.

The gadgets are neat... but they aren't a basic human need.

Monday, February 12, 2007

The Increasingly Mobile World of Computing

Once upon a time IT staff didn't have to worry about people from their company walking home with sensitive data in their pockets, or leaving it in a hotel room after check-out. Those days, however, are long gone.

This week's technology news will no doubt be absorbed with the 3GSM World Congress in Barcelona. Some 60,000 people will crowd together to see the latest and greatest in wireless networking. Many new devices will be revealed; there are already leaks concerning Samsung's rival to the iPhone, and the latest business model of the BlackBerry. Microsoft is also rumored to be releasing Windows Mobile 6 this week, its most capable mobile OS to date. With this version, users will be able to run SQL at the palmtop level.

These devices are, of course, capable of continuous Internet connectivity via an ever-expanding network of Wi-Fi coverage, not to mention the wireless Internet connectivity included in cellular phone contracts, such as Cingular's EDGE network, and the pervasive 3G wireless network.

Pundits are calling this the era of "pervasive computing", and they aren't wrong. Unfortunately, I have yet to see a smartphone or PDA with voice print, fingerprint, or some other biometric identification technology, so I suspect IT teams are going to have to find a way to secure these mobile devices with some sort of policy-based security plan. I'm also concerned that there doesn't seem to be much emphasis on finding a way for mobile devices to transmit data securely.

By default, mobile computers are not password-secured. This means if one of these handheld devices is lost or stolen, the data can often be read by any five-year-old or career criminal who picks up the device. Remember how resistant everyone was to passwords when they first became a policy? We will have to overcome that hurdle all over again, as users of mobile devices have become accustomed to instantly accessing information in the palm of their hand. We will have to impose strong password policies just as we do with laptop and desktop PCs.

Also, in the vast array of mobile devices on the market, no one has developed a cryptographic standard for the transmission of handheld computer data to a central network. It is up to the IT staff to find some method of creating a secure pipe, so that packet sniffers can't simply browse the data as it flies through the air.

Apathy is the enemy in this case. Although IT staff are already stretched thin keeping abreast of new infrastructure technologies and staying on top of an increasingly hostile networking environment, I'm concerned that wireless and mobile devices could be the Achilles' heel of many corporations' security stances.

There are some companies with solutions for the mobile user, and my hope for this week's 3GSM World Congress is that those companies will step up and knock our socks off. I think they would be filling a great need if they did.

Thursday, February 8, 2007

Virtualization for Security Purposes

Our industry's model for data security has not changed in a long time. We peg down our perimeter, and keep a current backup of our data so that when our network is compromised, we can get things back on track as soon as possible. The problem with a perimeter-based defense, as scholars dating back to the Art of War will tell you, is that people engaged in perimeter defense tend to focus their attention outward, when their most vulnerable points are on the inside. We’re all aware that the software on our computers tends to have vulnerabilities, but there is often a large gap between discovery of a vulnerability and the hot-fix to handle it. Employees also tend to download the wrong software, click the wrong hyperlinks, and tape their passwords under their keyboards. All of these problems occur inside the perimeter, and our software solutions may or may not be equipped to detect these compromises with a routine scan operation.

Security industry leaders know that they need to make changes.  In yesterday’s interview, RSA president Art Coviello said, "As an industry of security vendors, we've been too self-righteous and smug--focused more on our challenges than on trying to perfect security. We've been motivated largely by threats, and we've been chasing after them while looking over our shoulders and muttering to everyone 'We warned you' like a bunch of latter-day Cassandras," said Coviello, referring to the mythical Greek soothsayer whose prophecies were ignored. The solution, Coviello argued, is to worry less about individual threats and focus more on ensuring that the most important data is kept properly secure, perhaps through strong encryption. This requires data to be properly tagged and stored. Pattern-recognition systems could also be built into a company's infrastructure, to detect and respond to suspicious behavior.  (Graeme Wearden, Cnet News.com 2/7/2007).

I really like the idea of detection systems focused inward to detect improper behavior. I think it’s the missing piece of our security puzzle.

Until the software companies present a behavior-based solution, I think our best bet for handling security is to be creative with our storage solutions in a way that protects our data, and I believe server virtualization is the most practical way to do that today. Through virtualization, some of these futuristic security ideals can be used now:

  1. Virtualization can isolate programs in a way which limits an intruder’s capabilities. An example of this comes from VMware, which promoted the concept of Virtual Appliances, launching a Browser Appliance: an operating system in a virtual machine just for Internet-related tasks, like surfing, reading emails, chatting, or using P2P networks. Attacking software cannot interact with the underlying host operating system, and cannot gain access to the rest of the network.

  2. Recovery on a virtualized system is very fast and reliable. Instead of saving individual files, backup solutions working at the host level can copy the whole virtual machine (in some environments even while it is running), which appears as a single file and takes much less time to restore than re-installing the operating system and restoring data.

VMware is already working on a self-defending storage solution, in which an entire virtual layer will run security applications that can access virtual machines and correct security problems without human intervention. This will be a breakthrough technology, and I can't wait to try it out. In the meantime, IT folks are finding innovative ways to use virtualization for security, even at the workstation level! Baker Hill, a subsidiary of Experian, has been using VMware ACE to secure desktop and laptop PCs containing sensitive financial data. Check out this article for more details: http://www.networkworld.com/news/2006/010906-virtualization.html?page=1

Wednesday, February 7, 2007

It's nice when the plan works!

Last night CNN reported there was a massive influx of traffic targeted at the DNS root system. The attack, which seems to have originated in South Korea, spectacularly failed to cause any problems for us at all.

The DNS system as it stands today has so much built-in redundancy that the good guys won this time! It is nice to hear that proactive system design can work for such a large and critical target.

It is difficult to budget and design proactive solutions, even on a smaller scale. It is always a guessing game: how will intrusions and attacks happen next? Twelve years ago the chief concern for office-level security staff was email-borne virus attachments. It's safe to say that the types of computer threats have diversified and intensified since then, and will likely continue to do so.

Can we look to our government for protection? Yesterday both the Senate and the House introduced revamped versions of failed bills to address Internet security. Both bills seem to focus on punishing companies who attempt to conceal breaches after the fact. I suppose this indirectly discourages them from allowing a breach to occur in the first place, but it seems odd that the bills are focused on the defenders, not the attackers. One important exception is the Cyber-Security Enhancement and Consumer Data Protection Act of 2007, which criminalizes attempts to gain access to private data:

"Section 1030(a)(7) of title 18, United States Code, is amended by inserting ', or to access without authorization or exceed authorized access to a protected computer' after 'cause damage to a protected computer'."

The interesting word in that paragraph is "protected". While the bill doesn't define a "protected" computer, it seems to suggest that an unprotected system is fair game for the hackers and thieves. I hope that is not the spirit of the bill.

Maybe it is merely restating the fact that we're on our own in terms of data security. This could be the next iteration of American individualism. The pioneers in the 1800s were theoretically protected by the laws of the land, but they advanced west more quickly than the 'long arm of the law', and were in effect on their own. Perhaps to some degree, modern data security comes down to individuals making the decision to protect their own, since we have run so far ahead of our government's ability to protect us.

Tuesday, February 6, 2007

Virtualization and Funding

I heard a bizarre argument against server virtualization yesterday.

I spoke with a colleague in higher education, and when the subject of virtualization came up, he laughed and shook his head. He works for a large public University, which tracks inventory based upon the funding source used to purchase the hardware. If funds were obtained via a grant proposal, and one of the items requested in the proposal was a "server", the University would expect a physical box with a bar coded tracking device to be part of its regular inventory. In this way they hold researchers accountable for the proper allocation of funds.

I'm sure there must be a better way to handle this than to avoid virtualization altogether. Surely the cost-savings involved in virtualization justify some changes in the way spending is tracked. There was an article in Network World magazine last May with the following example from a college in Maine:

"Davis says 58 per cent of Bowdoin's applications run on virtualized servers. The 15 HP blade servers cost $93,000. VMware's ESX pricing for the education market is $3,000 per server, which can each support multiple virtual machines, for a total of $27,000.

Antonowicz says that to support the new applications deployed, 57 additional physical servers would have been needed. But as a result of using virtualized servers, Bowdoin bought none apart from the blades. Antonowicz estimates the 57 boxes would have cost $356,250."  (By John Cox, Network World, May 2006)

So, the trusty calculator says that in this case, Bowdoin saved $236,250 through virtualization. Surely the public University could realize similar savings by finding a simple way to track multiple grantors' investment in a blade array.

Perhaps they need to change the language of the grant proposals, inserting a paragraph explaining that servers are virtual. Maybe the IT staff who are managing the network can come up with a standard cost for everyone, and it can become part of the 'administrative overhead' in the grant proposals, rather than a physical item to be purchased.

I'm sure I don't have the answers, but I am also sure that it's a mistake to stumble over an inventory system at the cost of so much efficiency.

Monday, February 5, 2007

The Evolution of the Interface

It seems that the hottest topic in technical news for the past couple of weeks has been the iPhone, which is a phone, palmtop computer, and iPod in one device. At first glance I thought it was strange that there is so much hype surrounding the iPhone when it isn't all that revolutionary; but then I realized that convergence isn't the key feature of this device. Apple's designers are following the same strategy they used to dominate the media world with the iPod. They are simply taking the interface forward a few steps. As they proved with the iPod, that is all it takes to make people fanatical about your product.

One of the iPhone's updates is the visual voicemail display. This allows you to view all your messages and select the one you want to hear first by pointing your finger. No more listening to each message in order, or trying to skip through them using a number pad while trying to hold the phone to your ear. It makes every kind of sense.

This doesn't seem like a revolution in itself, but it is a great example of the type of thinking that has kept Apple going all these years. Yes, they have good devices that function smoothly; but they have proven time and again that people are willing to pay just a little more for a better interface.

Microsoft has often attempted to replicate Apple's interface successes, and I believe with Vista they are trying to get ahead a little bit. While I am not a proponent of early adoption of any OS (let them shake the bugs out first) I am interested to see how the 3D window design and zoom navigation will work for me.

I think this is the natural evolution of customer service. While the front lines of good service were human beings in the past, it seems that the interface has taken over. Tech companies are using the interface to anticipate people's wants and needs, and fulfill them before they think to ask for fulfillment.
