Sunday, December 21, 2014

Is corporate security, faced with determined hackers, just a matter of workplace discipline?


Was the Sony Hack by “agents” of a foreign power (that is, the DPRK) really the result of poor IT workplace discipline and procedures?
  
I think that’s possible.  A lot of the security lapse seems to have occurred because an administrator’s logon was not encrypted and not properly secured, and probably not changed frequently enough. 
I was involved in a few controversial “scares” during my mostly mainframe career, and the technology involved in each incident would seem simple compared to the complicated scripting explained in US-CERT’s recent bulletin on the brute force authentication hack and SMB Worm. 
  
I won’t go into details tonight, but in every case (going back to the middle 1970s) there were simple procedures that could guarantee that production files could not get corrupted accidentally during testing, or that the source module and load modules being executed in production (after elevation) were consistent.  But one had to remain alert to use the procedures properly.  When updates to elevation procedures were announced, the programmer-analyst needed to pay attention, and realize that the procedure steps, when followed properly, guaranteed integrity.   There were a few occasions where neither myself nor several levels of management fully understood these things at first.  There is a degree of “maturity” required by everyone in staff to grasp the importance of following procedures.  The most serious breach might have occurred in the summer of 1991, when a member of the elevation team (a young male) discovered a serious error in the way some moves have been done for some time.  I remember the employee;  he was attentive, and he brought to the workplace the diligence that companies need all the time.

I do think that major Silicon Valley companies and telecommunications companies have given more attention to goof-proofing their security than most entertainment companies would have done.  So I’m counting on the security procedures of the companies that provide the platforms upon which I do a lot of my self-expression (Google, Facebook, Twitter, Bluehost, Verio, etc).  The same should be true of banks and financial institutions, and of utilities and power companies.  Still, so much depends upon the attentiveness of every employee. 
  
In 2002, I did spend a lot of time looking at jobs at Warner Brothers, and it looked like a good shop, one that had a lot of both mainframe (DB2) and Internet.  It’s generally true that IBM mainframes are more difficult to compromise than Unix or Linux, and that the Unix-Linux-Mac world seems a bit more solid than Windows, which still has some real problems with very determined attacks.  Also, routers have vulnerabilities that need more attention. 
  
Picture: the Management and Administrative Subsystem of Medicaid MMIS used to be called “MARS”.  

Wednesday, December 10, 2014

Hourly workers might not get paid for downtime regarding security checks


The Supreme Court has ruled “unfavorably” for some lower income hourly workers in a case, “Integrity Staffing Solutions v Busk”, where workers in a warehouse supporting Amazon sometimes were detained as long as 25 minutes for a security check to ensure they weren’t pilfering goods before leaving. 
   
The SCOTUS blog has an analysis here.  The slip opinion from December 9, 2014 is here
  
I can recall when working in the summer of 2003 as a debt collector that we didn’t get paid for hours lost if their system went down.  It’s common for hourly workers not to be paid for “non productive” time, whatever the rationalization (as in the Opinion).  

Monday, December 08, 2014

A conversation about whether techies can sell, at Gaylord, right after the Ice slide


Today, on a visit to the Ice attraction at the Gaylord Hotel resort at National Harbor, MD, I passed a lot of tables of people hosting conventions, already irritated for being mistaken for hotel employees. 
After the Ice experience, I happened to sit next to a young woman attending the CPA conference.  She said she was not a CPA herself, but that she marketed CPA services.
  
This led to a discussion of all the unwanted invitations to unsuitable hucksterism jobs that came my way after “retiring” from IT at age 58 at the end of 2001. Become a life insurance agent.  (My disinterest in contacting people to sell them things befuddled two companies, as they really needed someone with actual knowledge of how the industry works – which I had from IT – and actually willing to sell it, out of personal karma).  Become a financial planner.  (I do as well on my own.)  Become a tax preparer.  (I don’t want to make a life out of helping people use tax loopholes.) 
Once you enter the world of hucksterism, your whole social media presence becomes someone else’s.  There are no double lives anymore, thanks to Mark Zuckerberg.  (Look at Lev Grossman’s article in Time today, here.) 

I also gave the spiel that liberty is not served by no regulation at all.  Look at all the people “sold” on going into more debt than they needed for more house than they needed.  Look at what happened when banks didn’t have their own skin in the game as mortgages got securitized.  I said I must sound like an Obama man, because the worst happened under the watch of George W. Bush. 

Here’s the fun I had as "research in motion".

As I left, I ran into her again.  She smirked. 

Wednesday, December 03, 2014

Did my Internet activity and blogging hinder my return to old-fashioned IT?


One question that I sometimes process is why I never found a mainstream IT job after my career had its “cardiac arrest” and fibrillation on Dec. 13, 2001, 92 days after 9/11. Had I been able to do so, the course of my life might have been quite different and some existential issues (as what came up with substitute teaching) might have been avoided.  
    
I had two other complications in my life at that time (when I was 58), the likelihood of my mother’s needing care (which she eventually did, big time), and the visibility on the Internet, in the “good old days” before social media displaced old fashioned forums and flat-file websites with simple hyperlinks (like my old hppub.com) for unregulated self-expression.  By about 2000, it had become apparent that people could become global personalities just because of search engine presence (especially Google) which they did not have to pay for.  No, you didn’t need optimization.  Original and rich content would get indexed and show up highly ranked on its own.
  
In the early 2000s, most of the jobs in the market were likely to be W-2 contract jobs where a contractor hired you, once the client had interviewed you (often by phone).  I screened for two jobs, one in Richmond with a PPO, and in Bloomington MN with Express Scripts.  The phone interview (late 2002) with the PPO did not go well, partly because it had been postponed so many times;  the Express Scripts interview (on Sept. 11, 2012) seemed to go well in person, but then the company didn’t have the authorization for the position after all.  I got feedback that I had “tried too hard”.
  
But in early January 2003, I had an interview in suburban Maryland with Group1, part of Pitney Bowes, with the idea of returning immediately from Minnesota if there was a job.  The interview went well enough, and I emailed a thank you when I got back to Minneapolis, but I never heard a thing.  It’s true that when I was at ReliaStar, some people didn’t like Group1’s support and I mentioned that out of candor in the interview.  Did that blow the job?  Maybe, even though that isn’t reasonable. Or did a Google search on my name make me seem controversial and dangerous to have around?  A company would have to worry that someone would make comments about the company on line and others would find it.  A contracting company that places people would have to be particularly sensitive to this risk.
  
Remember that mommy blogger Heather Armstrong had been fired for what she said in a personal blog in 2002.  She went on to be one of the most financially successful bloggers ever, and the verb “dooce” entered the English language.  I didn’t start using blogging platforms as such until 2006.

At the time, I was one of the few people really known for this.  The “risk” was just coming to be understood in the dark days after 9/11. 

Update: Dec. 10

Here's a good piece by Danielle Kurzleben on Vox about "skills erosion" when unemployed from a previous career indefinitely. But I was 58 when my "demise" started.