<?xml version="1.0" encoding="utf-8" ?>

<rss version="2.0" 
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:admin="http://webns.net/mvcb/"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/"
   xmlns:content="http://purl.org/rss/1.0/modules/content/"
   >
<channel>
    <title>I Am.  When? - Tech</title>
    <link>http://www.iamwhen.com/</link>
    <description>a blog</description>
    <dc:language>en</dc:language>
    <generator>Serendipity 1.2.1 - http://www.s9y.org/</generator>
    <pubDate>Tue, 18 Mar 2008 07:20:09 GMT</pubDate>

    <image>
        <url>http://www.iamwhen.com/templates/bulletproof/img/s9y_banner_small.png</url>
        <title>RSS: I Am.  When? - Tech - a blog</title>
        <link>http://www.iamwhen.com/</link>
        <width>100</width>
        <height>21</height>
    </image>

<item>
    <title>It's All About Perception</title>
    <link>http://www.iamwhen.com/archives/27-Its-All-About-Perception.html</link>
            <category>Tech</category>
    
    <comments>http://www.iamwhen.com/archives/27-Its-All-About-Perception.html#comments</comments>
    <wfw:comment>http://www.iamwhen.com/wfwcomment.php?cid=27</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.iamwhen.com/rss.php?version=2.0&amp;type=comments&amp;cid=27</wfw:commentRss>
    

    <author>nospam@example.com (Andrew Maxim)</author>
    <content:encoded>
    I spent the majority of my time this past weekend divided between cutting and gluing straws, and completing the first section of my Operations Management course.  There were a few other tasks thrown in throughout my two days of rest, which ultimately resulted in a very productive weekend.  A lot was accomplished that needed to get accomplished.&lt;br /&gt;
&lt;br /&gt;
I also made time to relax, which, laced with the recently absorbed chapters on service management from my textbook, brought about some reflection on the IT service industry.  More to the point, the role of management within the IT field, and in particular the roles I have played throughout my career.  In the forefront of this is a shortcoming of mine (and most in the field) that I have been endeavoring for some time to overcome.&lt;br /&gt;
&lt;br /&gt;
Information Technologies is a very behind the scenes service field; it is something that is rarely noticed save for when a system stops working.  If the people performing the work within an IT department do their jobs correctly and efficiently most of their fellow employees will never even know they are there.  I have always related the IT field to the people in the nuclear missile silos; you know they exist and you pay them well to be there, but you almost never see them and hope you never have to use them in an emergency.&lt;br /&gt;
&lt;br /&gt;
Although the wording might be different, this is the general view most senior managers have for the IT departments within their companies; and it can lead to problems.  If you work in the industry, you know there is far more going on behind the scenes than simple break fix.  Technology initiatives created and put into place by IT service personnel save thousands and millions of dollars for a company each and every year.  A good department will pay for itself in savings through these cost and time saving projects, a great department can save a company more with the right projects than all other cost cutting strategies implemented by a company combined.&lt;br /&gt;
&lt;br /&gt;
Throughout my career I have been part of many major cost cutting projects within various organizations; from team projects implementing new technology, to developing simple applications that can automatically manipulate data, to upgrading existing processes and procedures that make them more efficient.  And I never was bothered when during each company meeting an administrative assistant would get an award for saving the company $1000 by purchasing pens in bulk, while the IT department was ignored after saving $50,000 through one of its latest projects.  It is what was expected of us.&lt;br /&gt;
&lt;br /&gt;
Then I became a manager and suddenly it bothered me.  I am not sure if my perspectives had changed with taking on more responsibility or if it was something else entirely, but &lt;em&gt;my people&lt;/em&gt; deserved better than that.  They deserved the recognition they had earned, to be seen as the valuable employees they were, the people who earned the salaries they were given and, further, deserved raises, not the first thrown up onto the chopping blocks when it was time for layoffs.  Only, that is the way of the Information Technology field.  Or at least how it was.&lt;br /&gt;
&lt;br /&gt;
Times have changed for many corporations.  Smart executives who have learned to leverage technology to the benefit of the company are bringing with them an understanding of the departments that previously went unnoticed.  These companies are still far from the norm, but their numbers are growing and the reason is something I should have learned a long time ago:  Marketing.  &lt;br /&gt;
&lt;br /&gt;
Savvy IT leaders have not only learned to leverage the resources of their departments, but have also made a concerted effort to promote those resources to others within the organization.  These leaders make certain that every project, every cost saving endeavor, and every time cutting process is heard about by every employee within the company, not just senior management.  It is something we should have been doing all along, because in the end it is all about perception.&lt;br /&gt;
&lt;br /&gt;
Unfortunately for most of us in the IT arena, myself included, marketing is something we have never been very good at, or at least never saw a reason for.  It is, however, a skill I have been working to hone, and will continue to work at.  After all, I spent the majority of my time this past weekend divided between creating the base propulsion structure for an autonomous mobile robot, and enhancing my managerial skill-set through further study and education. 
    </content:encoded>

    <pubDate>Mon, 17 Mar 2008 19:01:00 -0700</pubDate>
    <guid isPermaLink="false">http://www.iamwhen.com/archives/27-guid.html</guid>
    
</item>
<item>
    <title>A Little Home Tech - Home Automation</title>
    <link>http://www.iamwhen.com/archives/20-A-Little-Home-Tech-Home-Automation.html</link>
            <category>Tech</category>
    
    <comments>http://www.iamwhen.com/archives/20-A-Little-Home-Tech-Home-Automation.html#comments</comments>
    <wfw:comment>http://www.iamwhen.com/wfwcomment.php?cid=20</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.iamwhen.com/rss.php?version=2.0&amp;type=comments&amp;cid=20</wfw:commentRss>
    

    <author>nospam@example.com (Andrew Maxim)</author>
    <content:encoded>
    In the personal project arena I have been known to overdo things on occasion, to jump in with both feet and go full bore into the task at hand.  Some might see it as obsessive, but I prefer to view it as doing things right.  I imagine it is a fine line between the two, a line that blurs into the reality that are Andrew Maxim projects.  Few other home projects could provide a better example of this than my home automation system; it wasn&#039;t just feet first, it was head first through dry wall and electrical wiring and fiberglass insulation.&lt;br /&gt;
&lt;br /&gt;
I had known about home automation only in the vaguest of senses; computer based answering machines, X-10 lighting and whole house audio systems.  What I knew really did not interest me much.  Surprisingly, or perhaps not so surprisingly, it was my &lt;a href=&quot;http://www.iamwhen.com/archives/17-A-Little-Home-Tech-The-PVR.html&quot;&gt;PVR system&lt;/a&gt;, &lt;a href=&quot;http://www.sagetv.com/&quot;&gt;SageTV&lt;/a&gt; that eventually sparked the interest.  In going through the user created add-ons for Sage, I came across one that integrated with a home automation system known as HAL, and the things I read on it I found intriguing.&lt;br /&gt;
&lt;br /&gt;
HAL stands for &lt;a href=&quot;http://www.automatedliving.com/default.htm&quot;&gt;Home Automated Living&lt;/a&gt; and is one of the many companies involved in the home automation &quot;revolution&quot;, as well as the name of their software product line.  It was their website that first began showing me what this field had become since the days I had first heard about and dismissed the concept as &quot;not being ready&quot;.  Once my eyes were open, however, I began my usual research phase, looking into all sorts of products from high-end hardware devices to open source software products to user&#039;s personal web pages.  The more I read, the more I decided this was something I was going to implement in my home.&lt;br /&gt;
&lt;br /&gt;
Primarily as a result of two different people&#039;s personal websites, I eventually narrowed my search down to two competing base products, the previously mentioned HAL system and &lt;a href=&quot;http://www.homeseer.com/&quot;&gt;HomeSeer&lt;/a&gt;.  Controlling your house through a computer or touch panel is a pretty neat concept and is something almost all the packages out there offer, but controlling your house with your voice is just plain cool and was what narrowed things down to these two products.  &lt;a href=&quot;http://www.pksweb.com:8080/ha.htm&quot;&gt;Paul Koslowsky&lt;/a&gt; (using HomeSeer) and &lt;a href=&quot;http://james.lipsit.com/home.htm&quot;&gt;Jim Lipsit&lt;/a&gt; (using HAL) both had accomplished home automation voice control and provided terrific documentation on the subject matter, as well as a plethora of additional information and abilities of their respective systems.  Not to say that other people had not integrated voice control with their systems, but the knowledge shared by these two deserves a definite nod of appreciation.&lt;br /&gt;
&lt;br /&gt;
Both systems had their own quirks and abilities, different ways of handling the same things, different equipment supported, and even different levels of user activity.  HomeSeer users are far more vocal on their message forums, which is something I find very appealing in a product that makes use of user customizations.  The decision between the two systems finally came down to pricing.  The base packages for each were priced about the same, but whereas HAL includes all features of a product in that product, HomeSeer charges for a majority of plug-ins to encompass the features which HAL includes.&lt;br /&gt;
&lt;br /&gt;
I wound up purchasing the &lt;a href=&quot;http://www.automatedliving.com/products_hal2000.shtml&quot;&gt;HAL2000&lt;/a&gt; system from Home Automated Living, actually I purchased HALdeluxe and upgraded to HAL2000.  For the electrical control system I went with a UPB based system for the reliability, making use of both &lt;a href=&quot;http://www.homeauto.com/main.asp&quot;&gt;HAI&lt;/a&gt; and &lt;a href=&quot;http://simply-automated.com/&quot;&gt;Simply Automated&lt;/a&gt; switches and devices, dependent on what they were for and current pricing.  A combination of the &lt;a href=&quot;http://www.clearone.com/products/product.php?cat=1&amp;prod=1&quot;&gt;ClearOne XAP 800&lt;/a&gt;, the &lt;a href=&quot;http://www.russound.com/caa.htm&quot;&gt;Russound CAA66&lt;/a&gt;, several &lt;a href=&quot;http://www.crownaudio.com/mic_web/micproducts.htm&quot;&gt;Crown PZM and MB microphones&lt;/a&gt;, and a dozen generic ceiling mount speakers make up the home audio portion of the project.  Lastly an &lt;a href=&quot;http://www.appdig.com/ocelot.html&quot;&gt;Applied Digital Ocelot&lt;/a&gt; provides control over sensors and audio equipment.&lt;br /&gt;
&lt;br /&gt;
The system is far from complete, as I not only have several light switches and outlets left to replace, but also am patiently waiting on a few things to happen in the industry.  Aside from things like the need for a UPB based ceiling fan control, I am anxiously awaiting the release of HAL version 4 in order to finish off the long standing project of complete audio control.  Not that the new version includes this functionality, but rather the &lt;a href=&quot;http://www.automatedliving.com/forums/forumdisplay.php?f=22&quot;&gt;HALi&lt;/a&gt; interface for version 4, which allows programmers to write additional plug-ins, is rumored to contain the features needed for me to continue forward with my own plug-in entitled HAZ (Home Audio Zoning).  Even once that is complete, it will be an ongoing project with my Home Automation system that will likely always be a work in progress, but it’s just plain cool to have. 
    </content:encoded>

    <pubDate>Fri, 29 Feb 2008 10:23:49 -0800</pubDate>
    <guid isPermaLink="false">http://www.iamwhen.com/archives/20-guid.html</guid>
    
</item>
<item>
    <title>Application Security</title>
    <link>http://www.iamwhen.com/archives/19-Application-Security.html</link>
            <category>Tech</category>
    
    <comments>http://www.iamwhen.com/archives/19-Application-Security.html#comments</comments>
    <wfw:comment>http://www.iamwhen.com/wfwcomment.php?cid=19</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.iamwhen.com/rss.php?version=2.0&amp;type=comments&amp;cid=19</wfw:commentRss>
    

    <author>nospam@example.com (Andrew Maxim)</author>
    <content:encoded>
    As part of the requirements to maintain my CISM designation, I regularly attend &lt;a href=&quot;http://www.isaca.org&quot;&gt;ISACA&lt;/a&gt; e-Symposium events.  These web events are held once a month and, to be completely honest, while my primary purpose of attendance is the 3 cpe received, I do tend to learn a thing or two on the subject matter offered.  Sometimes what I learn is just in what I spout out while yelling at the screen (I am known to do this quite often with scientific documentaries on TV), but it gets me thinking at the very least.  Yesterday&#039;s e-Symposium entitled &quot;Application Security The New Gateway&quot; was no exception; I learned some and spouted off at the non-replying screen more.&lt;br /&gt;
&lt;br /&gt;
The two things that will get me talking back to a screen, computer or television, are when an important subject matter is glossed over or when something simple is over complicated.  Experts always seem to like to over complicate things.  In an effort to be completely fair to the e-Symposium, each presenter only has a limited time span to cover a wealth of information, so a lot will be glossed over to provide time to focus on their primary topic (which sometimes is a sales pitch).&lt;br /&gt;
&lt;br /&gt;
One of the items glossed over was a statistic from &lt;a href=&quot;http://www.gartner.com&quot;&gt;Gartner&lt;/a&gt; stating that 75% of attacks occur at the application level.  The statistic itself was not glossed over, but rather the reason it is 75% rather than 25%, and I feel that reason is important:  System Security.  Hackers didn&#039;t just decide one day to change their attack methods from network/system infiltration to application hacks; they did it because of path of least resistance.  Once upon a time networks and systems were not very secure and allowed an easy path into all sorts of information, but system security became a hot spot and made accessing data through the &quot;old school&quot; methods far too time consuming and difficult.  The number of web-born applications has also increased, presenting a doorway to data.  And so application level attacks became the way to go.&lt;br /&gt;
&lt;br /&gt;
I actually find it insulting to the security industry that the statistic is not 90+% in favor of application layer attacks, given the amount of time and volume of information regarding the need for good system security practices.  It is what it is though, and some people and companies will always prefer to pay tons of money and time in a year or two than to pay a relatively small amount now to protect their investments.  They would be better off selling their companies and spending the money at the craps tables in Vegas, a roll of the dice is just that and will always be in favor of the house, but at least this way they would only be wasting their own time and money and not hurting other people.&lt;br /&gt;
&lt;br /&gt;
The second bit of spouting at the screen for this e-Symposium had to do with the over complication of things.  Again, to be fair, each of the presenters represents a company and that company would like to get something out of the three hours of otherwise billable time for their expert, so the presentation becomes a partial sales pitch and things get over complicated.  And as I said, experts like over complicating things.  In reality, application security is not an over complicated item.&lt;br /&gt;
&lt;br /&gt;
There are two main culprits for flaws in any program, lack of security knowledge by the developers and lack of testing during the SDLC (software development life cycle).  Both were covered in the e-Symposium, but the solutions really were not, and they are, in theory, the easy parts.  First, companies need to require their developers to be trained in development security best practices.  It is an investment on both the part of the developer and the company, but it is time and money well spent.  Again, pay a little now or a lot later.  &lt;a href=&quot;http://www.sans.org&quot;&gt;The SANS Institute&lt;/a&gt; now offers training and testing in development security through their &lt;a href=&quot;http://www.sans-ssi.org/&quot;&gt;Software Security Institute&lt;/a&gt; programs.  A little costly, but the benefits are huge long term and, as I &lt;a href=&quot;http://www.iamwhen.com/archives/11-I.T.-Specialists.html&quot;&gt;previously stated&lt;/a&gt;, promotes employee retention, which saves more money.&lt;br /&gt;
&lt;br /&gt;
The second part of the solution is something that has been yelled and screamed from the rooftops for as long as companies have been developing software.  Give QA the time and resources to properly test software.  Yes, deadlines loom and developers get behind schedule, but cutting QA time to meet a launch date is far more costly and time consuming than pushing back a release schedule in order to get the software right.  There are a ton of stats available from all sorts of independent groups on that subject, or just look at Microsoft and their reputation as a result of forcing projects to market.  Further, QA personnel need to be trained in application hacking and exploitation techniques and it needs to become part of the testing process.  Once again, this is time and money well spent in the short and long term of a company.&lt;br /&gt;
&lt;br /&gt;
If those two items are taken care of during application development we will see a vast shift in security incidents.  The overall number of incidents might not drop, hackers will continue to do what they do, but the percentages of types of incidents will shift dramatically away from application level.  My prediction would be that we will see a number around 60% of all hacks being related to social engineering instead.  Some companies, after all, will always want to pay more later than a small amount now.  For those who &quot;get it&quot;, a little proactive effort will go a long way towards Application Security and keeping your company profits up in the coming years.  Just don&#039;t forget to cover social engineering. 
    </content:encoded>

    <pubDate>Wed, 27 Feb 2008 08:17:42 -0800</pubDate>
    <guid isPermaLink="false">http://www.iamwhen.com/archives/19-guid.html</guid>
    
</item>
<item>
    <title>A Little Home Tech - The PVR</title>
    <link>http://www.iamwhen.com/archives/17-A-Little-Home-Tech-The-PVR.html</link>
            <category>Tech</category>
    
    <comments>http://www.iamwhen.com/archives/17-A-Little-Home-Tech-The-PVR.html#comments</comments>
    <wfw:comment>http://www.iamwhen.com/wfwcomment.php?cid=17</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.iamwhen.com/rss.php?version=2.0&amp;type=comments&amp;cid=17</wfw:commentRss>
    

    <author>nospam@example.com (Andrew Maxim)</author>
    <content:encoded>
    As I have stated previously, I loves me some technology, thus I thought it prudent to cover some of the pieces of technology I use at home in my everyday life.  It goes without saying that I have a few computers at home, seven currently in use to be exact, as well as a host of other pieces of technology such as a television, microwave, etc.  These are all things I think most people own (ok, maybe not seven computers) or at the very least use daily, and have become an integral part of a lot of people&#039;s lives, so it would be a waste of time to talk about these things.  Instead, there are a number of &quot;systems&quot; that have become just as integrated into my life, as a television is integrated into the lives of others.&lt;br /&gt;
&lt;br /&gt;
The first is my home PVR system.  By now most people have at least heard of the mass market DVR systems available, and a good majority likely owns one flavor or another of the devices.  DVR stands for Digital Video Recorder and does exactly what the name implies.  It records television shows onto digital media (hard drives, RAM drives, etc) for later viewing, much as the VCR of days gone by did on tape; and for many people these devices have become an integral part of daily life, allowing viewing of television broadcasts at your leisure as opposed to on a set schedule.&lt;br /&gt;
&lt;br /&gt;
Hopefully you noticed that I referred to my home &lt;strong&gt;P&lt;/strong&gt;VR system above and not a DVR system.  The difference overall really is a small one in the grand scheme of recording and watching television and mostly entails the PVR being a system running on an actual &lt;strong&gt;p&lt;/strong&gt;ersonal computer, as opposed to a prefabricated hardware device.  What that difference means for me, however, is customizations.&lt;br /&gt;
&lt;br /&gt;
While a typical DVR system is capable of recording one or two television broadcasts at a time, the system I am running is currently set up to record five simultaneous broadcasts (and I can add more if need be).  A bit extreme one might think, but considering that the past fall television primetime lineup for Tuesday night had 90% of the television shows I watch, all aired around the same time, I would have missed several of the shows with a typical DVR package.  On nights such as those, the system will usually be recording four television shows over the course of two hours, with a slight overlap on each recording schedule to allow for early and late starts so as to not miss the beginning or end.&lt;br /&gt;
&lt;br /&gt;
Mostly on the recommendation of my friend, Anthony, but after almost no research, just a trial, I chose &lt;a href=&quot;http://www.sagetv.com&quot;&gt;SageTV&lt;/a&gt; for my PVR system.  I know, it is so unlike me to not do much in the way of research, but I was hooked after the trial because of, above all else, the customizations.  And not just customizable options created by SageTV the company, but rather the whole host of options and add-ons (most of which are free) created and supported by the &lt;a href=&quot;http://forums.sagetv.com/forums/&quot;&gt;SageTV user community&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Aside from recording a few television shows, SageTV is a complete multimedia package; allowing playback of DVDs, music libraries, online content, and, my favorite feature, a personal video library.  All at the click of a few remote control buttons.  There have been a few hiccups along the road of setting up, tweaking and upgrading my system; some more frustrating than others, but it is well worth the effort when I can pick one of my many movies to watch without having to get up from the couch and search through the stacks of DVDs I own.  The ability to watch the BBC television show &lt;a href=&quot;http://www.channel4.com/entertainment/tv/microsites/I/itcrowd/&quot;&gt;The IT Crowd&lt;/a&gt; through the online content is just one huge added bonus, as was watching my television lineup from a laptop during trips out of state.&lt;br /&gt;
&lt;br /&gt;
All in all, SageTV has definitely won me over, and I hope beyond hope that it will be able to maintain with the eventual switch to encrypted digital broadcasts by the cable companies (search for &quot;cablelabs&quot; and &quot;OCUR&quot; off Google if you want to know what the heck I am talking about).  Only time will tell on that front, but until then I will continue to rejoice in my PVR system. 
    </content:encoded>

    <pubDate>Fri, 22 Feb 2008 10:12:00 -0800</pubDate>
    <guid isPermaLink="false">http://www.iamwhen.com/archives/17-guid.html</guid>
    
</item>
<item>
    <title>I.T. Specialists</title>
    <link>http://www.iamwhen.com/archives/11-I.T.-Specialists.html</link>
            <category>Tech</category>
    
    <comments>http://www.iamwhen.com/archives/11-I.T.-Specialists.html#comments</comments>
    <wfw:comment>http://www.iamwhen.com/wfwcomment.php?cid=11</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.iamwhen.com/rss.php?version=2.0&amp;type=comments&amp;cid=11</wfw:commentRss>
    

    <author>nospam@example.com (Andrew Maxim)</author>
    <content:encoded>
    I suppose I really should begin with an apology for implying that Specialists are &quot;&lt;a href=&quot;http://www.iamwhen.com/archives/7-In-a-Nutshell-part-one.html&quot; title=&quot;In a Nutshell (part one)&quot;&gt;playing dumb&lt;/a&gt;,&quot; or even being dumb.  It wasn&#039;t really my intention to make that broad stroke implication, but now that I seem to have made it (at least in rereading my own wording) I can&#039;t bring myself to correct that statement.  I have had far too many experiences in having to go behind a so called specialist to clean up their messes, whether it is in an SQL implementation, PeopleSoft, Lotus Notes, or any number of other industry sub-fields.&lt;br /&gt;
&lt;br /&gt;
That is not to say that all IT Specialists, or Experts, are bad; I have managed to gain a lot of knowledge from many, and even had a few just blow my socks off with their skill set.  All in all it seems as if there is a 25/25/50 ratio when faced with a professional so-labeled.  About 25% are those who really know what they are doing and make their specific field look like child’s play, the next 25% are capable and handle their own for that application, and the last 50% seem to get by because everyone else is afraid of the voodoo magic associated with that specific application (PeopleSoft is a big one here).&lt;br /&gt;
&lt;br /&gt;
Specialization came about mostly as a division of labor sort of thing, but in the IT field (as well as others) it has now grown into an Information Security issue encompassing the mighty order of Segregation of Duties.  Aside from complete SoD being a realistic impossibility, the main problem is that the &quot;bottom&quot; 50% of specialists (and even the next higher 25%) might know enough about their own application to keep it running for the most part, but they don&#039;t know enough about the system as a whole to be truly effective.  &lt;br /&gt;
&lt;br /&gt;
The reason I consider this a problem is that you wind up with a lot of finger pointing between departments for issues that should be relatively simple.  Buggy servers taking a week to be repaired because each sub-department has a different view of what is wrong, or even worse, tries to fix the problem as if the problem really did exist in their area, thus adding more instabilities.  I&#039;ve heard enough IT Directors and Managers complain about this to know it is not just a personal pet peeve of mine.&lt;br /&gt;
&lt;br /&gt;
Now here&#039;s the solution, and believe it or not it deals with taking Segregation of Duties even further, and will make your infosec even more secure as a result.  &quot;What?  That&#039;s insane!&quot; you say.  I know, if SoD leads to specialization and specialization leads to people too narrowly focused to &quot;be all they can be,&quot; so to speak, then how can more SoD fix it.  Well, we learn from the other high priority information security area...  Finance/Accounting.  &lt;br /&gt;
&lt;br /&gt;
Responsible CFOs and Finance Directors all divide up job duties and responsibilities among their workforce, but the very best add the twist of job rotation.  A.K.A. cross training.  The primary reasons being that people get too relaxed once they handle the same thing for too long and tend to make mistakes (ask any Aviation Structural Mechanic, Safety Equipment (AME) in the Navy about that), more importantly they get to know the accounts (people, not numbers) too well and are more inclined to bend or break rules as a result.  So they get rotated on a semiannual basis, or thereabouts.  It helps make each person a more valuable employee (cross trained), increases accountability (new eyes catching old things) and enhances SoD (and thus infosec).&lt;br /&gt;
&lt;br /&gt;
If Information Technologies applied the same practice (and some companies might already), periodically rotating a single specialist out of their department and into another for a set length of time, the benefits would be enormous, and not just to the company. Project teams become more versatile, the employee would be increasing their skill set (which contrary to some people&#039;s belief, actually promotes employee retention) and the employee would become even more capable in handling the specialist role they already fill.  For a company with even small departments of specialists, not rotating people on a regular basis really is being dumb. 
    </content:encoded>

    <pubDate>Wed, 06 Feb 2008 00:15:15 -0800</pubDate>
    <guid isPermaLink="false">http://www.iamwhen.com/archives/11-guid.html</guid>
    
</item>
<item>
    <title>Certifiable</title>
    <link>http://www.iamwhen.com/archives/10-Certifiable.html</link>
            <category>Tech</category>
    
    <comments>http://www.iamwhen.com/archives/10-Certifiable.html#comments</comments>
    <wfw:comment>http://www.iamwhen.com/wfwcomment.php?cid=10</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.iamwhen.com/rss.php?version=2.0&amp;type=comments&amp;cid=10</wfw:commentRss>
    

    <author>nospam@example.com (Andrew Maxim)</author>
    <content:encoded>
    If you have worked in a company larger than 100 people you most likely have run across someone with an &quot;I Love Me&quot; wall, and if you have seen one, you know what I am talking about.  I am not referring to the recent college graduate who reverently hangs their diploma on the wall out of their well gotten sense of pride, but more of the person who has it hanging there five years later.  That same person who manages to find a need to frame every little accomplishment, every certification, every news clipping, every award, every picture with someone who might even vaguely qualify as a celebrity.&lt;br /&gt;
&lt;br /&gt;
I&#039;m not a psychologist (I&#039;ve only been analyzed by one on TV), but there seems to be only a few types of people with the need to create such a shrine to self.  As mentioned, recent graduates will sometimes do this as a sense of pride, it might be their first license or a college diploma, but it generally does not last very long.  The second are a type that have historically been handed everything, although they will always claim having earned it all, and will post their placard as a way of saying, &quot;I&#039;m better than you because I have this.&quot;  The third is someone who springs up in middle management far too often, those who use their well framed walls as a shield, a way of deferring questions over their own incompetence by the sheer volume of credentials adorning their office walls (killed a couple potential interviews with that one, didn&#039;t I?).&lt;br /&gt;
&lt;br /&gt;
You have likely had the opportunity to meet all three types of office space decorators if you have been in the workforce for a while.  You might even have been, or still are, one of those people.  Eventually, if you are very very good and eat all your spinach, you might run across the fourth type.  These are the people who are generally low-key, do good work, don&#039;t make much of a fuss and almost never need an attaboy, but they are arrogant, and always happy to take those needing it down a couple notches.  I know this type well, I am definitely one.&lt;br /&gt;
&lt;br /&gt;
Perhaps it was my prankishness, perhaps it was just being fed up with dealing with the second and third types listed above, or perhaps it was just because I could; but one day I had enough and decided to create the true &quot;I Love Me&quot; wall.  &lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://www.iamwhen.com/uploads/gallery/forblog/ilovemewall.jpg&#039;&gt;&lt;!-- s9ymdb:13 --&gt;&lt;img width=&quot;110&quot; height=&quot;83&quot; style=&quot;float: right; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://www.iamwhen.com/uploads/gallery/forblog/ilovemewall.serendipityThumb.jpg&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;  Most people saw it as a bit of an overly eccentric sense of accomplishment, and the second and third types congratulated me on having such a masterful wall, but a few people &quot;got it.&quot;  Mostly, they were IT people who have been around for a while and recognized the joke in having Packard Bell certificates hanging up on my wall (the four at the far left).  Oh, I rotated certificates in and out of the wall from time to time, even had to expand it once, but there was always at least one Packard Bell certification hanging amongst the rest.  What does this have to do with &quot;tech&quot; you might ask?  Well I assure you there is a segue here, someplace.  &lt;br /&gt;
&lt;br /&gt;
A few years back I had written an article for the online publication &lt;a href=&quot;http://dennisfaust.com/?cat=4&quot;&gt;Workitecht&lt;/a&gt; by &lt;a href=&quot;http://dennisfaust.com/?page_id=16&quot;&gt;Dennis Faust.&lt;/a&gt;  While Workitecht is no more, I feel the article still holds up a few years later and thought I might share it with anyone looking for a light read.  And what better way to announce an article about certifications in the IT profession than to show off my very own &quot;I Love Me&quot; wall full of certificates.  So I give you &lt;a href=&quot;http://www.iamwhen.com/uploads/documents/articles/CertificationKilledtheITProfessional.pdf&quot; title=&quot;CertificationKilledtheITProfessional.pdf&quot; target=&quot;_blank&quot;&gt;Certification Killed the IT Professional&lt;/a&gt;, uncensored and with full grammatical errors.  Enjoy.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Mon, 04 Feb 2008 22:19:17 -0800</pubDate>
    <guid isPermaLink="false">http://www.iamwhen.com/archives/10-guid.html</guid>
    
</item>
<item>
    <title>The Three Princes of Serendip</title>
    <link>http://www.iamwhen.com/archives/6-The-Three-Princes-of-Serendip.html</link>
            <category>Tech</category>
    
    <comments>http://www.iamwhen.com/archives/6-The-Three-Princes-of-Serendip.html#comments</comments>
    <wfw:comment>http://www.iamwhen.com/wfwcomment.php?cid=6</wfw:comment>

    <slash:comments>1</slash:comments>
    <wfw:commentRss>http://www.iamwhen.com/rss.php?version=2.0&amp;type=comments&amp;cid=6</wfw:commentRss>
    

    <author>nospam@example.com (Andrew Maxim)</author>
    <content:encoded>
    Once I set out on something I move forward at a very fast pace.  Information is absorbed at alarming rates, options are weighed and a decision gets reached.  Were my brain possessed of a gag-reflex I am certain it would explode within hours of beginning any project with the sheer volume of data that is force-fed into it.  Of course a good chunk is lost minutes after it is processed, but not before a decision is made on the information.  Thanks to the Information Age that we live in, I don&#039;t really have to worry about holding on to all of it anymore, which makes decision making move even faster.&lt;br /&gt;
&lt;br /&gt;
When it came to creating a weblog of my own I went at it with the same, not-so-reckless, abandon.  I consulted with friends, viewed websites, read the propaganda, looked at other weblogs and even took a look at the products offered directly through our web host.  And then I stopped, took a breath and went over to &lt;a href=&quot;http://www.sans.org&quot; title=&quot;Computer security&quot;&gt;the SANS Institute&lt;/a&gt; website.  All the weblog scripts and engines and backends I could remember at the time were sent straight into their search bar.  Unfortunately for me, all of them returned results, and relatively recent ones at that.&lt;br /&gt;
&lt;br /&gt;
If you are not familiar with the SANS Institute, they are &lt;strong&gt;IT&lt;/strong&gt; when it comes to IT Security.  Training, articles, research, advice, certification; they are the people you go to in order to get the information you need about IT Security.  So when articles came up in my search for my weblog choices, I was a little put out.  Each of these news blurbs contained some sort of recent exploit or loophole in the security of the web application, which is not generally a good thing for any application, let alone one sitting open to everyone on the Internet.  The more exploits that show up, the more you will likely want to find a different program.&lt;br /&gt;
&lt;br /&gt;
So I began looking further, refining my search and looking at security as part of the key ingredients for my new weblog application.  Somehow, on page 87 of my &lt;a href=&quot;http://www.google.com&quot;&gt;Google&lt;/a&gt; search or so, I came across an interview-type article about &lt;a href=&quot;http://blog.php-security.org/authors/1-Stefan-Esser&quot; title=&quot;PHP Security Blog&quot;&gt;Stefan Esser&lt;/a&gt; leaving the PHP Security Team.  Well, I needed a break from the search so I read it.  While the article was informative, it was that glorious shining link pointing to this man&#039;s, this PHP Security Guru&#039;s weblog:  &lt;a href=&quot;http://blog.php-security.org/&quot; title=&quot;PHP Security Blog&quot;&gt;http://blog.php-security.org/&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Should you not have guessed by now, Stefan Esser uses &lt;a href=&quot;http://www.s9y.org&quot;&gt;Serendipity&lt;/a&gt; for his weblog.  A quick check over at SANS and a few other security related sites revealed to me what I already knew, this is a pretty secure piece of coding.  There was one entry from version 0.7-beta1, but I am good with that.  &lt;br /&gt;
&lt;br /&gt;
After looking through the Serendipity website and installing a test of the software on the Proverbs server, I was hooked.  Easy to set up, easy to use, customizable beyond belief, a ton of plugins, very nice layouts and it hit the marks for security.  For me, however, the best part is the affirmation that I get to keep &lt;a href=&quot;http://en.wikipedia.org/wiki/Serendipity&quot; title=&quot;Serendipity - Wikipedia&quot;&gt;&quot;Serendipity&quot;&lt;/a&gt; as my favorite word. 
    </content:encoded>

    <pubDate>Mon, 28 Jan 2008 18:48:02 -0800</pubDate>
    <guid isPermaLink="false">http://www.iamwhen.com/archives/6-guid.html</guid>
    
</item>

</channel>
</rss>