Saturday, June 27, 2009

Security B-Sides

If you are headed to Las Vegas for Black Hat and/or DefCon, check out Security B-Sides.  If you wanted to talk at Black Hat or DefCon, but didn't get the chance, then sign up to talk at Security B-Sides.

What is this Security B-Sides thing?  I'm glad you asked-

BSides is an ad-hoc gathering of information security types born from the desire for people to share and learn in an open environment. It is an intense event with discussions, demos and interaction from participants. We've followed the BarCamp format... because it works.

This is a work in progress, so if you have a brilliant idea, please share it, and please participate.

Full Disclosure bit: the nice folks at Astaro are likely to help sponsor the event; they also "sponsor" me by providing gainful employment.  Both Astaro and I think this is a great idea and want to help it develop and grow.



Thursday, June 25, 2009

Mourning a great loss, Phillip Simmons

As our celebrity culture mourns and sensationalizes the deaths of celebrities this week, I have learned of the loss of a truly inspirational figure and craftsman, Phillip Simmons.

I cannot do Mr. Simmons' story justice, so I will ask you to spend a few minutes at the Phillip Simmons Foundation website to read about an amazing man. His story begins:

"Born June 9, 1912 in Wando on Daniel Island, near Mt. Pleasant, South Carolina, where he was reared by his grandparents. At age 8, he was sent to Charleston (via the ferry), to live with his mother on Vernon Street and enroll in the first class at Buist School.

While walking to and from school, young Philip noticed the ironwork and became intrigued with it. The neighborhood was a Mecca for craftsmen who serviced the waterfront businesses..."

I hope that has you intrigued enough to read more of his story here. While I first learned of him as a blacksmith, his achievements and his influence reach well beyond his craft. And we have not only lost Mr. Simmons, we may lose his shop, too; the National Trust for Historic Preservation has named Simmons' home and workshop in Charleston, SC as one of the eleven most endangered historic places in America.

I will leave you with Mr. Simmons' favorite quote; they are words to live by regardless of your beliefs:

"If you want your prayers answered, get up off your knees and hustle."


Monday, June 22, 2009

How many fluid ounces between Boston and New York?

That doesn't make any sense, measuring distance with a volume measurement.  Inches of money doesn't really tell us how much beer we can afford, either.  But we mis-measure all the time, applying the wrong metrics to things.

The errors aren't always this obvious, however.  Back in the Dark Ages, when I worked in the automotive world, the EPA got some teeth and started really cracking down on auto emissions.  It needed to be done, and I am glad it was- but there were bureaucrats and engineers involved- so it was needlessly convoluted and many things were just plain wrong.  One of the real advances in cutting emissions was the introduction of "low smog" fuel blends.  Fuels that burn cleaner, that's a great idea, right?  Stop.  Define cleaner.  That's easy- reduced harmful emissions.  (Or at least a reduction in the pollutants that they were measuring, but that's another story).  But that is meaningless by itself- because...

Vehicles do not exist to burn fuel, they exist to transport people and products. 

Oh, no- this may involve math, and variables, and stuff. Crap.  And since engineers and bureaucrats were involved (and probably even scientists), they decided to weigh mileage.  Sure enough, the emissions from the fuel were lower than the old, dirty fuel...per kilogram of fuel burned.  Too bad the stuff had fewer BTUs per kilogram than the old fuel, because the substantial loss in fuel economy somewhat offset the reduction in emissions when you considered emissions using a valid measurement, emissions per mile traveled.

So, were the gains real?  Yes.  Were they overstated by pinheads weighing miles?  Yes.  Did the pinheads appreciate being called on this oversight?  Not especially.  Moral?  Don't be a pinhead.

Now the tricky bit- what are the right measurements in security?  You already know that in my version of InfoSec NIST, there is one immutable measurement, failure.  It isn't the only measure, just the one most likely to kick you while you're down, so respect it.

As far as wrong measurements- I know you can come up with plenty of those on your own.



Friday, June 19, 2009

False economies and low-flow toilets

If you are old enough, and still have your memory intact, you may remember a time when toilets used a lot of water. As much as five to seven gallons per flush many years ago, and that's a lot of water down the drain. By the 1990s it was decided that this was unacceptable and that we should all use more efficient toilets- and so it was decreed that all new toilets sold in the US would use no more than 1.6 gallons per flush (as opposed to the then standard 3.6 gallons). The problem was that the technology wasn't up to the task yet, so it often took two or three flushes to do the job instead of just one- so the savings were less than expected, and in the worst cases the "water conserving" toilets used more water in practical use than the old "wasteful" ones. The uproar led to a variety of oddities, from Dave Barry's popularity (OK, maybe there was more to that than toilets, but low-flow toilets are still mentioned in his bio) to alleged cross-border runs to Canada to get "real toilets" before the laws changed up north, too. Technology has finally started to catch up with the task, and a lot of water is being saved, but redundant flushes are still often required.

Technology budgets, and especially security budgets (because many just think of security as only an expense/impediment) are under extreme pressure at this time, and the demands for cost cutting are great; the danger is in falling for false economies when trying to save money. If you can cut costs without cutting corners, that's great- this is a good time to carefully review expenses and look for potential savings, as long as you don't make unreasonable sacrifices.

Flushing twice isn't a viable option in security.


Tuesday, June 9, 2009

How to not hire someone

There are plenty of guides on hiring people.  There are even guides to firing people (or "letting go", "releasing", "right-sizing" or whatever euphemism we're supposed to use now for screwing up people's lives).  I don't think I have ever seen more than a passing mention of how not to hire someone, and almost nothing on how to not hire someone.  As with many of life's situations, a little common courtesy goes a long way here.

How not to hire someone- these are mistakes people make when hiring (or trying to hire) someone.  Here are a few I have seen (and made) in the hiring process which led to losing a candidate:

  • Moving too slowly.
    • Microsoft has made an art form of rapid assessment of candidates. Why? Because it gives them a competitive advantage: if they make the first offer on the people they want, they get them. And their competition does not.
    • If things are going to progress slowly, make sure everyone understands and expects it- from the beginning.
  • Not offering feedback.
    • No, this is not just the candidate's responsibility.
    • Acknowledge receipt of documents, confirm appointments.
  • Asking for too much up front.
    • You do not need (or want) a candidate's Social Security number, salary history, or other sensitive data before you begin the vetting process.
    • Asking for this info can put off the candidate, and makes you responsible for the data.
    • Only ask for sensitive data if and when you need it, and treat it accordingly.
  • Forgetting to sell the position/your organization/yourself to the candidate.
    • Maybe if you get 400 applicants for 2 entry-level positions this isn't as important...unless you want the best two candidates.
    • This is critical when you have a hard sell- due to limited budget, high competition for candidates or other challenges.
    • Remind me to tell you about Captain Robin someday.

There are plenty more, but you get the idea- if you want the best people, act like it and treat the candidates well.

How to not hire someone- this is the way you handle candidates who did not get an offer, or those who declined an offer.

  • Provide timely and polite replies.
    • Again, this is not just the candidate's responsibility.
  • Candidates who decline an offer should be thanked for their interest and time, and wished well.
    • You offered them a position, if you want a second shot at them later- act like it.
    • If it seems appropriate (and it wasn't already revealed), ask what drove their decision not to accept the offer.
  • Candidates not offered a position should be notified.  This will vary depending on the nature of the position and the opening, but it is the right thing to do.
    • Yes, it can be a pain.  It is more of a pain to be unemployed and strung along or left in the dark.
    • If you have 3000 applicants for 3 positions, posting a statement on the recruiting website may be enough.
    • The sad state of affairs today has so lowered the bar that an email message should be adequate for most situations, but put some thought into the message before you hit "send".
    • Why bother? Because it is the right thing to do, and because it builds good will.  A rejection message from you will (unfortunately) be better treatment than they will receive from many others, and this reflects well on you and your organization.

About that rejection note: back in my auto tech days I applied to Rolls Royce for a technical training position, and they turned me down- but the rejection letter made me feel better than the job I eventually got.  Sadly, I have lost the letter, but a couple of keys to the message were:

  • It was timely.
  • I was thanked for my time and interest.
  • I was complimented on my skills and experience.
  • I was informed that they had offered the position to a candidate whose "skills and experience more closely matched their current needs".
    • Not "someone more qualified" or even a "better match", but someone who more closely matched their current needs.  I don't know a better way to break it to someone that they aren't getting the offer.
  • Oh, and the gold, embossed seals with things like "By Appointment of Her Majesty the Queen..." were a nice touch, too.  I don't expect you to duplicate those, though.

Finally, remember the data you collect during the process needs to be handled appropriately.  There are legal and ethical issues with all that personal information, but you knew that.



Thursday, June 4, 2009

Your English teacher was right, punctuation matters.

Believe it or not, I try to write correctly and coherently.  I fail, but I try.  I consider it a success on the rare occasions when I achieve either of these goals.  But this blog is just the rantings of a curmudgeon, nothing important, and certainly not a legal document.  I hope I would have the sense to have both grammatically and technically proficient people review anything important if the need ever arose.  Unfortunately for Rogers Communications, they signed a contract with an extra comma where it (according to them) didn't belong.  It may turn out to be a $2.13 million comma.

You can take this commatastrophe as a lesson about the importance of proper communication and use of language, or simply laugh at a cable company getting screwed by a comma, or a bit of both.



Wednesday, June 3, 2009

A different perspective on outsourced employment sites

My Matchmaker post elicited a question from Martin McKeay, which prompted my Connections... follow-up post.

Then the folks at Aetna had a little problem with their employment website, outsourced to Taleo.  From a Network World article:

"Insurance company Aetna has contacted 65,000 current and former employees whose Social Security numbers (SSNs) may have been compromised in a Web site data breach.

The job application Web site also held names, phone numbers, e-mail and mailing addresses for up to 450,000 applicants, Aetna spokeswoman Cynthia Michener said. SSNs for those people were not stored on the site, which was maintained by an external vendor."

Who could have imagined such a thing happening?  I mean besides Martin's question and my post a month ago...

And while we're on the topic, in an interesting coincidence, I recently had a conversation with someone who provided some excellent insights into the way things work in the outsourced recruitment services field.

If they outsource wisely, most companies may be more secure than handling it internally, especially the "building and maintaining a recruiting website/portal" part of the process.  The Aetna incident notwithstanding, responsible talent service agencies have dedicated personnel who continuously test the security of their websites, and in some cases have large customers who test the sites as part of their due diligence- that is certainly more attention than most small to mid-sized companies pay to their own websites.  Core competencies and all that.

But how do you "outsource wisely", recruiting- or any other- services?  That's the trick, especially for SMBs.  While Fortune 50 companies may have the clout (and resources) to verify their service providers, neither Jimbo's Bait and Sushi nor Gunter's House of Squirrel and Kraut has either the clout or resources- so how do they handle this?  Start by asking questions about security, policies, testing, indemnification, whatever seems appropriate.  And ask for it in writing.  Ask for a customer list and references.  You will probably have to blindly trust some of what they tell you, but with a little effort you should be able to make an informed decision.

And remember, for those companies covered by Massachusetts' 201 CMR 17.00, section 17.03 (3) 6 states:

"Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to:

...Taking all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00; and taking all reasonable steps to ensure that such third party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR 17.00."

Similar laws and regulations are coming to a jurisdiction near you- keep that in mind when selecting vendors.