I did a security audit a few years ago for a healthcare provider’s IT department. One of the things I pointed out was that while I was asked for my name and car license plate when I signed in at their facilities, nobody asked for picture ID. Additionally, I noted that on several occasions when entering the building, the receptionist’s desk was empty except for a sign: “if you need assistance, pick up the phone and dial x…”. When I asked, I was told this person was part-time. Clearly, these folks didn’t feel they needed very good physical security.

You’d think, on the other hand, that the federal government, in particular agencies like the Treasury and the Nuclear Regulatory Commission, would be more sensitive to the needs of physical security, which is why this article in the Washington City Paper is such an amazing story. This 19-year-old mother of two bluffed and blustered her way into very secure facilities doing little more than acting like she belonged there.

Witnesses who later realized they’d seen the thief said she passed muster at the time. The fact that she didn’t have an escort, one secretary reasoned, proved that she belonged in the building. Another employee described the potential suspect as dressing and acting like a typical secretary at the NRC. Those who stopped and questioned her gave up on their suspicions as soon as she started talking.

Her excuses were flimsy inventions. But people don’t like confrontations. They feel they’ve done enough if they ask a question and get an answer.

When I first started out from college, I held a job at a defense contractor, and we were told very specifically that if we found people wandering around whom we didn’t recognize, we should challenge them. We were also told what to do in the event we didn’t get satisfactory answers: walk the person to security. I once encountered a group of visitors in a secured area without an escort. I knew that one of the VPs had visitors in, so I very cordially asked them whom they were visiting, escorted them to the VP’s office, and remarked when I arrived that I had found them without an escort. I didn’t stay long enough to find out if the VP was at all interested in that, or to give him my name.

I’ve seen what it takes to combat this sort of problem, and it’s really only a couple of things:

Following up on that last point, having a single person in charge of an area can be a big help as well. Psychology research shows that people look at others around them to help make a decision. They ask themselves “well, what is Bob doing? He’s not challenging the stranger, so I shouldn’t either.” Unfortunately, Bob is looking around as well, with the same question in mind.

Having a person who is in charge does two things: it means that the person in charge should not be looking at others to decide if they should challenge, and it gives others a person to whom they can address their concerns if they’re uncomfortable challenging by themselves.



Securing WordPress

February 15, 2008

Found online today was this helpful article at Web Design Goldmine on securing WordPress. If you’re a fan of WP (as I obviously am) it’s a good read.



Spreading Fixes by Worm

February 14, 2008 | 1 Comment

Microsoft is researching ways to spread computer fixes by making them more like worms, per this interesting article in The New Scientist.

Milan Vojnović and colleagues from Microsoft Research in Cambridge, UK, want to make useful pieces of information such as software updates behave more like computer worms: spreading between computers instead of being downloaded from central servers.

I’m unsure how I feel about this, but I think it’s mostly negative, and that disappoints me. On the positive side, I think that it’s a cool idea that you’ve got autonomous pieces of software that are making their way around the net, and trying to install themselves on machines. It offloads servers, eliminates the need to go off hunting for fixes, all in all, noble goals.

I think where my concern comes from is that these types of worms are going to make use of the very same types of mechanisms used by the eeeevil worms to spread, or if not, then the eeeevil worms will soon start to masquerade or abuse the new mechanisms provided for the good ones. How do you tell the good guys from the bad guys?

In such an environment, I’d be inclined to disable the services such “white-hat” worms use to access my systems until I had a good deal more opportunity to study how they really work in the wild. What do you think?



Corporate IT departments are incorporating a new way of meeting corporate IT needs, called Software as a Service (SaaS). SaaS promises outsourced application management, reduced infrastructure costs, and easily terminated services if needs change. Whether SaaS delivers on these promises is the subject of another post, but it’s certain that SaaS presents some compelling reasons, to both the providers and consumers of services, to adopt cross-domain single sign-on (SSO).




Caveat: I’m not a big user of social networking sites. I’ve always thought of myself as a bit more private than that. Perhaps this amplifies my concern over this story in the New York Times (found via Slashdot, where there’s more commentary) about Facebook subscribers’ inability to remove their information from the service when they decide to “deactivate” their accounts. Per the NYT story:

While the Web site offers users the option to deactivate their accounts, Facebook servers keep copies of the information in those accounts indefinitely. Indeed, many users who have contacted Facebook to request that their accounts be deleted have not succeeded in erasing their records from the network.

This is very troubling in the age where companies are compromised every day, and personal information routinely and illegally disclosed. Many enterprises are adopting the position that if they don’t need information about you, they’re simply not going to store it. In the event of a compromise, the less information a company has about you, the less it can lose.

Against this tide goes Facebook. Their privacy policies state that they may maintain backup information for “a reasonable period of time” but are not very forthcoming about exactly what’s going on. If you contact customer service, it apparently becomes somewhat clearer what you have to do:

Only people who contact Facebook’s customer service department are informed that they must painstakingly delete, line by line, all of the profile information, “wall” messages and group memberships they may have created within Facebook.

“Users can also have their account completely removed by deleting all of the data associated with their account and then deactivating it,” Ms. Sezak said in her message. “Users can then write to Facebook to request their account be deleted and their e-mail will be completely erased from the database.”

The arguments are that you may want to return in the future, but these seem like hollow reasons to me.

“Deactivated accounts mean that a user can reactivate at any time and their information will be available again just as they left it.”

Much more compelling is the argument that they want to continue to sell your information to their ad partners.

The network is still trying to find a way to monetize its popularity, mostly by allowing marketers access to its wealth of demographic and behavioral information. The retention of old accounts on Facebook’s servers seems like another effort to hold onto — and provide its ad partners with — as much demographic information as possible.

Perhaps I’m just too used to the fact that I have a personal side, and business/public side, and that the two shouldn’t mix. It would scare the willies out of me if I discovered I could not change my mind, and easily leave a site like Facebook if I wanted to.

Update: Apparently Facebook has added instructions on deleting your profile to their help page, in the face of public pressure. From the sounds of it, it’s still not entirely satisfactory.



The Age of Human Factors

February 13, 2008 | 2 Comments

Wired is over in Barcelona, covering the GSMA show. As you might expect, the news this week is all about cell phones, but Charlie Sorrel made some comments in his coverage that resonated:

Most apparent at the show, the biggest mobile conference in the western world, is that nobody is doing touch screens properly.

Sure, Apple didn’t invent touch screens, but it was arguably the first company to do it right. Sony Ericsson, no latecomers to the touch game, showed myriad new phones today, and of all of those we tried out, the UI was invariably clunky, counter-intuitive, or downright hard to navigate.

Flashy, animated icons are great, but not if they come at the expense of usability. It feels like everyone is scrambling to add touch capabilities because they feel they have to, ease-of-use be damned. The point of the iPhone is being missed: It’s a pleasure to use because of the fancy UI, designed from scratch to be intuitive, attractive and easy.

This struck a nerve with me. I recently spent a large chunk of time working with some folks who, to be brutally honest, didn’t know the difference between a flashy interface, and a beautiful and intuitive one. It’s very easy to mistake flashy for easy to use and intuitive, it seems. I’ve seen it done time and time again, and Charlie’s comments seem to reinforce that it’s even more common than I thought.

I’ve even been told of some products “It doesn’t have to work, it just has to look good.” This sort of extreme position, saying in effect “it’s okay if it’s garbage, so long as we can wrap it up pretty we can sell it” gives me heartburn. I take pride in my work, and I can’t really line up behind “it’s okay if it doesn’t work.”

I’ve begun to wonder if the proliferation of flashy is a question of capabilities: people recognize an attractive, clean, intuitive user interface such as the iPhone’s and want desperately to emulate it. Unfortunately they don’t have the skill or training, so they do what they can, which results in flashy.

I know what I’m good at. There are a considerable number of skills I’ve honed in 20 years: mentoring, project management, software architecture, security, requirements, business analysis, development, testing, and a fair degree of psychology, frankly.

I know I’m not skilled in human factors, the study of making sure that our interactions with computers are as easy and intuitive as possible. I haven’t an artistic bone in my body, it seems, as I’ve created some fugly interfaces in my time. I know the difference when I see it; I know when I’ve produced something ugly and hard to use, but not how to make it better. That’s why I need these skilled professionals to help me fix it. It’s like not being able to reach an itch in the middle of your back.

Human factors is as much art as science, and I suspect it’s a pretty rare skill. I’ve only run into a handful of people who truly have it. Sometimes it seems like Apple got all of them: maybe that’s where they all are.

Apple has a history of making products that look good and are intuitive: the Mac was the first commercially successful computer with a GUI (way back in Windows 2 and GEM Desktop days, for those who remember them). Most PCs today are still beige boxes, while current Macs are attractive and functional. I still drool over the Mac Cube, frankly, and wonder why PCs are still stuck in the past.

And then we come to the iPhone and iPod. Wow. I think these devices really raise the ante for all of us. They’ve got beautiful, usable interfaces, which clearly others are trying to emulate. With Apple seemingly having hired all the people who are any good at human factors, I think we’ve got our work cut out for us.

It’s nice to see devices like these; they’re a joy to look at and use. But as someone who produces software for a living, I find them a little intimidating, because I realize the magnitude of the challenge they present to us as software professionals. We have to do much better at designing interfaces like these. The public will come to expect it, and will flock to those who can provide it.



Wired Labs is over in Barcelona at the GSMA show, and they’ve posted this article about their hands-on experiences with Android, the much-hyped “Google Phone”.

“…judging by the crowd reaction, these ‘phones’ are the hit of the show.”

I mentioned Android briefly once before, when talking about Palm’s decline, but here’s a quick catch-up.

Google Android is an effort to create an open-source mobile/cell phone platform, onto which anyone could add their own features. Rather than a locked-in platform such as Motorola’s or Nokia’s, Android’s specs are out there to be used by anyone.

It’s a little easy to dismiss the breathless mentions of Android as just another tempest in a teacup, but the Goog claims 30 vendors on board, so maybe this will evolve into something. One day not so long ago, PCs were “IBM Computers”; then they became “IBM Compatibles”, with claims of “100% compatible”. These days, that claim is nowhere in sight, so there’s precedent for software platforms moving from the proprietary to the commodity world. Why couldn’t it happen with cell phones? There are more of those than computers, so it makes a certain sense.

What was Wired’s assessment?

Right now the UI is clunky and slow, but the fact that so many manufacturers are already on board means that Android is already a success.

It’s too early to tell whether Android will unhinge the handheld computer/cell phone world, but it’s going to be an interesting thing to watch.



This is the third in a series of posts on the fundamentals of Unified Modeling Language diagrams. The first two posts covered requirements diagrams and behavioral diagrams.

In previous posts in this series, we’ve discussed requirements diagrams (use case diagrams) and commonly used behavioral diagrams in the Unified Modeling Language (UML). This article is about the last category of diagrams: the structural diagrams, which are sometimes called static diagrams. I like to think of structural diagrams as “pictures of the system standing still,” whereas the behavioral diagrams we already discussed show how the system behaves.



This will likely be no surprise to regular readers here; you’ve probably already noticed the increased sophistication in web browser attacks. IBM’s X-Force, however, backs up that feeling with numbers, and IBM is happy to oblige: here you go.

The report is chockablock full of disturbing information on the ways in which the exploits evolved in 2006, complete with attractive graphs and charts to get the points across.

A trend that became prevalent in 2007 was the use of IFrames and other methods of hosting links to malicious content. IFrames make third-party content appear as if it is a part of the URL displayed by the browser, when, in fact, the content within the IFrame is hosted by another server.
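On the defending side, the pattern the report describes (a frame whose content comes from another server, often sized to zero or pushed off-screen so the visitor never sees it) can be checked for in page markup. The following is an added example, not code from the IBM report or this post: it parses a constructed sample page with Python’s standard html.parser and flags any iframe whose source host differs from the page’s host or which is hidden from the user.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def _hidden(attrs):
    """Zero-sized, display:none, visibility:hidden or pushed off-screen."""
    for key in ("width", "height"):
        if attrs.get(key, "").strip().lower() in ("0", "0px"):
            return True
    style = attrs.get("style", "").lower().replace(" ", "")
    return ("display:none" in style or "visibility:hidden" in style
            or "left:-" in style or "top:-" in style)

def find_suspicious_iframes(document, page_url):
    """Return [(src, reasons)] for frames that pull in third-party content
    or are hidden from the user; an empty list means nothing was flagged."""
    parser = IframeCollector()
    parser.feed(document)
    page_host = urlparse(page_url).hostname
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        src_host = urlparse(src).hostname  # None for relative (same-origin) URLs
        if src_host and src_host != page_host:
            reasons.append("cross-origin src")
        if _hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed sample page: one legitimate same-origin widget plus three
# frames of the kind the report describes (third-party and/or hidden).
SAMPLE_HTML = """<html><body><h1>Company News</h1>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<iframe src="http://third-party.invalid/x.html" width="0" height="0"></iframe>
<iframe src="http://partner.example.invalid/banner" width="300" height="250"></iframe>
<iframe src="/hidden.html" style="display: none"></iframe>
</body></html>"""
```

Run `find_suspicious_iframes(SAMPLE_HTML, "http://www.example.invalid/news")` to see the three flagged frames; a cross-origin frame that is also hidden is the strongest signal, since a legitimate embedded widget is normally meant to be seen.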

Since it has charts and graphs, it’s suitable for showing to your boss to get him to let you go to Black Hat this year.


