
NSA’s Domestic Spying Grows As Agency Sweeps Up Data – WSJ.com

Quoted from http://online.wsj.com/article/SB120511973377523845.html?mod=hps_us_whats_news:


NSA’s Domestic Spying Grows As Agency Sweeps Up Data

From the “The price of freedom is eternal vigilance” department comes this article from the front page of today’s Wall Street Journal. This is interesting for me on a number of levels; not only am I responsible for the management of my company’s information assets, I also have a master’s degree in information assurance, and I find this truly disturbing. The fourth amendment of the constitution prevents the illegal search and seizure of our property, but in the interest of “national security” the NSA seems to find this notion… inconvenient. Now, honestly, this isn’t anything that hasn’t been happening since before the days when J. Edgar ran the FBI, but this move of “openness”? The NSA effectively states “yeah, we’re monitoring you, and you should probably be careful.” Interesting… I could rave on about this being a fascist plot to oppress the populace by “the man,” but they’re probably already monitoring this blog.


Ten Things Your IT Department Won’t Tell You – WSJ.com

Link: Ten Things Your IT Department Won’t Tell You – WSJ.com.

OK, so my network manager sent this link to me yesterday while he was perusing the internet for some research I have him doing on locking down user profiles.

Now, honestly, I don’t consider myself to be the IT Nazi, I really don’t. I have always contended that my role in an organization is to protect the company’s information assets from attack and compromise. But it always, and I mean always, seems to be at odds with the general user community.

We in IT are always in a precarious position, between protecting the systems, information, and infrastructure that IS the lifeblood of our organizations, and the seemingly endless cry from the general community that we are inhibiting their productivity and contributing to the malaise of the workplace.

What sort of raises my blood pressure about this article isn’t that it’s a how-to on circumventing the measures we’ve put in place (the perimeter of an organization is porous, always has been, always will be, whether or not it involves technology). What raises my blood pressure over this article is the general cavalier tone the article takes. Here’s a way to get around “the man,” Vara claims, and it’s not really that difficult.

Well, maybe not, and there are always exceptions, but the security measures we put in place are there to protect the organization (from which you draw your paycheck) and you (from yourself, quite frankly). And if everything is consistent, it levels the playing field and makes anomalies easier to find.

So here we go again, round two of the great debate of IT…

Social Networking Extravaganza!

For the last couple of months I’ve been working on my general internet presence, looking in to how organizations and individuals can create an effective marketing and internet presence using the technologies that have been popularized in the media over the last couple of years.

This entry isn’t really going to present any new information, but I wanted to understand, first hand, what this is all about, and since you simply can’t read a book about it, I dove in and started doing this on my own.

I’ve used sites like LinkedIn for a while; it’s an easy place to be very specific about my business contacts. I’ve also played around with MySpace, and more recently Facebook. What I found in a really short time is that just in the last several weeks, I can start to see the sites I’ve created take on a life of their own.

The real intent of this exercise was to find out how to apply these technologies specifically to non-profits, so they can create a more effective marketing campaign and connect with their constituents. I have a lot of material, found out a lot about what’s going on, and I’m beginning to understand the impact this can have on organizations connecting to people.

With sites that focus on interests ranging from photos, to blogs, to music, to business contacts, social networking isn’t about Facebook and MySpace any longer. Aggregating these sites together to create a composite of interests can include event photos on Flickr, event music playlists on iTunes or Virb, websites using del.icio.us, and live updates using Twitter or Pownce. Organizations can even create encyclopedia articles using Wikipedia.

All of this together can be used to create a powerful marketing tool for those organizations who know how to use them, aggregate the information together, and market that to the internet. A couple of important points to remember for organizations wanting to use Web 2.0 are:

1. It’s highly important to use a consistent look and feel; organizations have spent a great deal of energy creating their “brand,” and it’s important to carry that forward in an internet presence. In my own efforts I’ve started using the same picture thumbnail on every site (it’s not a picture I particularly like, but it’s something I had on hand).

2. Understand the strength of each of the technologies and how to apply them, e.g. Flickr is great for sharing photos, but not for blog entries or editorials, and you wouldn’t use LinkedIn in the same way you’d use Facebook.

3. The real power behind this is not only the separate nature of each of the sites, Facebook being different than MySpace which is different than Pownce, but rather that organizations create mechanisms for aggregating these sites together to create a uniform presence, with a single static site acting as a “hub” to all other services; this is called a mashup. It works very much the same way that MySpace and Facebook use “widgets” and RSS to aggregate content from other sites.

This, IMHO, is both a good and a bad thing from several perspectives. First, it’s become incredibly easy, with just a little bit of savvy, to create an entire internet presence complete with contacts, networks, and so forth. That said, with Google and other search engines in the mix, this internet presence becomes the encyclopedia galactica for your life; all of a sudden it’s not as difficult as it used to be to find you hidden in the background of a flag-burning photo from college. You 20-somethings and 30-somethings, take note: the internet has a VERY long memory.

I’ll be continuing this as a project over the next several months, but in the meantime, here’s a list of my places on the information superhighway:

Connect with me on LinkedIn
My Facebook Page
MySpace Page
My Flickr Photos
Ross’ Tumblr Page
My links on del.icio.us
Follow me on Twitter
Follow me on Pownce
Follow me on Jaiku
This is the software I use posted at Wakoopa
Connect with me on Xing
My Playlists on Virb
Google me

The Two Biggest Lies Told During an Audit…

My wife (an accountant) and I were having a discussion on the way to my dropping her off at her office this morning, and the whole thing struck enough of a chord with me that I thought I'd share my insights with you on the subject (imagine that).

She and her office had just completed a year-end audit from their internal audit department, and I'm about to go through the same thing shortly with my yearly GCC (General Computing Compliance) audit.

Apparently the auditor assigned to their case was more concerned about tactics than strategies in performing their audit.

It's been my experience, especially in assessment and audit situations, that the demeanor and background of the folks responsible for audit oversight are every bit as important as the organization and processes being scrutinized during the audit itself.

I've found that the worst personality type to have in audit oversight is a highly structured and detail-oriented individual, someone with the background of requiring compliance in strict accordance with the letter of the law (or internal procedure, as the case may be).

The problem with this approach is that, like most things in life, though rules may be interpreted as binary (0 or 1, black or white), life is not binary, and mostly consists of a continuum, with everything being shades along that continuum.

Such is the case with the assessment or auditing process. The type of auditor, in my belief, that makes the best of these types of situations is someone with the heart of a teacher: an individual who understands the strategies involved with the process under assessment, understands that situations are different for different cases, and subsequently adjusts to meet the spirit or intent of the process, not the letter of it.

I'm not advocating being sloppy about assessment processes; I'm suggesting that life requires balance. And understanding the spirit of the process and measuring against the objective evidence for assessment is every bit as important as the assessment itself.

I would rather have an organization seek to understand WHY things are measured a particular way, so they can do a better job at improving the QUALITY of the process, than worrying about HOW a particular instrument was implemented to collect data for producing an assessment artifact.

In my own experience I've run across several auditors, but three of them specifically come to mind, and my experience with all three has been if not enjoyable, then at the very least educational. These are all people with the heart of a teacher, professionals interested in seeing organizations succeed during the assessment process, while not allowing for sloppy process failures. They come from different organizations and disciplines but all share the same spirit of education.

I've worked with Mary Sakary and Neil Potter from The Process Group for several years in improving the processes on our software development systems, using the CMMI as a model for systems and software process improvement.

Without this spirit of education, auditors can get caught up in HOW data are collected and lose sight of the nature of the control and the risk the process is intended to mitigate. This "tactical" approach can lead to crushing rigidity in organizations, where strict adherence to the law actually causes processes to fail.

So as a note, remember WHY you're assessing a process, understand the risks and measures needed to mitigate the risks, instead of getting wrapped around the axle about HOW the data are collected.

So what are the two biggest lies told during an audit?

1. "We're here to help."

2. "We're sorry to see you leave."

FBI Prepares Vast Database of Biometrics – washingtonpost.com

Link: FBI Prepares Vast Database Of Biometrics – washingtonpost.com.

Under the title of "The Price of Freedom Requires Eternal Vigilance," this article in today’s Washington Post caught my eye. We’ve been facing the issues of personal privacy for some time; the notion that the FBI is spending $1 billion to build a database of personal biometrics is, in a word, frightening.

Ostensibly, the intent of this massive effort is to assist in the identification and capture of criminals, but this also provides the US government unprecedented ability to identify individuals in the United States and abroad.

Opponents of the initiative cite the fact that the increasing use of biometrics raises worry that such measures become a "de facto" national identity card, thus making it more and more difficult for citizens to avoid unwanted scrutiny.

This biometric information includes not only finger/palm prints, but irises, faces, and soon DNA. DHS, the Department of Homeland Security, has been using iris recognition to verify identity of persons wanting to move quickly through lines at some airports.

Though this information is currently being collected through direct interaction with the individuals from whom the data are collected, researchers at the FBI’s biometric facility are working on capturing this biometric information covertly. Though several years away, this ability is of great interest to government agencies.

One of the biggest concerns raised by skeptics is that such projects are proceeding before there is reliability in matching suspects against the enormous amount of data collected. In one of the world’s first large-scale studies on the reliability of this technology, the German government used face recognition to identify people between October 2006 and January 2007. The technology proved reliable 60% of the time under the best daylight conditions but fell to between 10 and 20% at night.

The long-term goal is "ubiquitous use" of this recognition technology, where individuals will have biometrics captured without ever having to step up to a kiosk and look into a camera.

I’m ready for my close-up, Mr. DeMille…


Mac versus Windows vulnerability stats for 2007 | Zero Day | ZDNet.com

Link: Mac versus Windows vulnerability stats for 2007 | Zero Day | ZDNet.com.

I’m not big on the Windows vs. Mac vs. Unix vs. Linux vs. etc. discussion. During the course of my entire career, this whole discussion has been irrelevant, much in the same way as how a particular professional sports franchise is doing in any given season. Guess what? It’s all hammers and nails. Use the right tool for the right job; you wouldn’t use a 16 oz hammer on a 2-penny nail.

Well, now, to add fuel to the Windows fire, this article today on ZDNet points out an interesting statistic: apparently Mac OS over the last year has had more critical vulnerabilities than Windows (243 for Mac OS versus 44 total for XP and Vista). Now, before this starts a riot, let me point out that this argument has nothing to do with anything except the following point:

It matters not what hardware/software/system combination any person/organization uses. Personal security and the security of organizational assets requires diligence from all parties involved and doesn’t rely on a system combination. If it is made by human hands, it’s flawed.

Gone are the days when we could leave our computers unlocked, just as gone are the days when we could leave our front doors unlocked. It doesn’t mean it’s a cruel world; it just means that nobody is responsible for keeping our house in order except us. Part of being responsible adults is recognizing that WE must keep vigilant watch over our house, and that no person/system/software is going to do it for us.

So keep the doors locked, don’t let the newspapers or mail pile up on the porch or mailbox, and keep your systems updated and patched, because that’s what responsible adults do.