I found this link to a data center that the Swedes have built in an old nuclear fallout shelter.  Really, it looks like something out of Jurassic park.

Replete with waterfalls, greenhouses, German submarine backup engines, and simulated daylight this facility has the added benefit of being able to withstand an almost direct hit by a hydrogen bomb.



I want to work here…

[ via HotHardware.com ]



I’ve been aware that one of the teams at my current client has been experimenting with using SecondLife for their collaborative space.  The project is coached by one of the other agile coaches, and I admit I’ve been curious to see what it looked like.  I’ve been aware of SecondLife for a while now, but never seemed to get around to creating an account or doing anything more than saying “Huh.  That’s interesting.”

Today I got a chance to see SecondLife in action.  The coach, who sits by me when we’re not off coaching teams, was logged in and showing some of the other agile coaches what it was like.  It was really interesting. They’ve built themselves a custom story wall widget, they’ve got a secured building on what seems like a private island, and they were, by chance, having a meeting with some of their stakeholders when we were there.

SecondLife seems like a very compelling idea.  More live than an IM link, somehow more tactile than a conference call.  We watched for a while, and then the next time I looked, one of the other avatars was dancing.  On the conference table.  Well, it’s just a virtual conference table.

I’m not big fan of political correctness myself, but I was a product of corporate America in the 1990s, so I got trained in what some people consider “hostile work environment.”  It really doesn’t take much.

At first I was just bemused by the dancing, but a little later in the day I started to think to myself that it certainly wouldn’t be acceptable conduct to dance on a table in a conference room in “first life,” if you will, but it seemed just fine in SecondLife.  I mentioned it to the coach who was using SecondLife, and he told me that they had been obliged to sign a document attesting to their understanding that the code of business conduct extended to SecondLife as well.

“But hey! It’s just virtual, right?”  I suspect that we’re in for some interesting times, my friends.  As we live more and more in the virtual world, I suspect that courts will view them in much the same was as the original: harassment and other misdeeds, even if virtual, will be something the courts will have an interest in.  Will codes of conduct be viewed as applying to the virtual world? I suspect so, but I think things will be interesting to watch while this get sorted out.



So a colleage and I are going to try to put together a series of courses for data professionals that helps them understand how to work in an agile fashion.  If you have suggestions for topics or other related items for such a course, please let me know!



It seems that if you steal enough credit cards, then you might actually get arrested.  Last week I posted about the Heartland Payment Systems case, and today, Computerworld is reporting that the first arrests have happened in the case.  This to me is remarkably swift justice.

The Leon County, Florida Sheriff’s office earlier this week announced the arrests of three area residents — Tony Acreus, Jeremy Frazier and Timothy Johns — for allegedly using stolen credit card numbers associated with the breach.

I was just reviewing some of the Payment Card Industry Data Security Standard information today, and was struck by the requirement to encrypt data when it was in transit. According to all the information I’ve seen so far, this breach happened because someone managed to get a network sniffer in place, and capture transaction data.  I may be missing the point, but how were they able to read the traffic if it was encrypted?  Did they have the keys, or was Heartland playing fast and loose with the DSS?  I don’t understand enough about either the facts in the case, or the DSS to say if this is reasonable or not, but it sure seems like someone at Heartland could be in a world of trouble.



RFID Wardriving

February 4, 2009 | Leave a Comment

A copule of years ago, governments around the world began deploying RFID enabled identity documents, including passports and drivers licenses.  Knowing this was coming, I renewed my passport before RFID was included.  I’m a paranoid geek, but then I’m an IT security guy, so paranoia is part of the job description.

Last week, Geeks are Sexy reported that a fellow in California decided to prove the point.

By hooking a $250 Motorola RFID reader and an antenna to his laptop, Chris Paget was able to easily harvest and clone multiple RFID identity documents while driving through San Francisco.

It’s certainly convenient for travelers and for governments to be able to read passports and other identity documents without us having to present them, but this sort of thing violates one of the basics of information security, namely confidentiality.  If the information in question is out there in the open, without any sort of controls on who can read it, should we really be surprised when someone decides to read it?  Geeks being who we are, we’ll do this sort of thing, or bluetooth sniping, or some other unintended but obvious use of the information that’s floating around.

I’d like to think that governments would have a stake in making sure that our identity information is secure, but most of my arguments seem pretty hollow in my ears. Does it cost them money in lost tax revenue? How about investigative costs? Aren’t they supposed to uphold law and order?  My fear is that all of these pale in comparison to the ability to monitor people without their being bothered.  My more paranoid self says that RFID enabled passports, drivers licenses, and cell phones could be turned into an awesome tool of a police state.  Your location would be known at every moment.  Heck, every month I print out my iPass tollway traffic so I can expense it for the business.  Who else has access to this information?

Advocates of government surveillance frequently ask us “what do you have to be concerned about if you’re not breaking the law?”  They say “We’ll only use our powers for good.”  My latest response has been to point them to the reports last year regarding NSA eavesdropping on American soldiers calling home and having steamy conversations with their significant others.  In fact, here’s a good case in point.  We have a policy of “Don’t ask, don’t tell” in the armed forces.  Homosexuality is not technically illegal, but if it comes to light, a soldier can be discharged.  What would happen if the NSA eavesdropped on a call between a male American soldier and his boyfriend back home?  I’m sure it would be great consolation to him that the government only eavesdrops on us for our own good.



Perhaps I’m just getting to be an old timer. When I started managing computer systems for the telephone company in the late 1980s, the game was to break into systems primarily to learn something.  Occasionally there were malicious attempts to access information, such as the phreak’s setting themselves up with free phone service, but for the most part, the damage to society at large was fairly limited.

Late in January, we learned about a security breach at Heartland Payment Systems.  According to coverage at Computerworld, it seems the attackers placed some sort of malware into the Heartland network, and were able to capture an undisclosed number of credit card transactions, primarily from smaller businesses such as gas stations and convenience stores.  Heartland isn’t saying how many accounts were compromised, but they process about 100,000,000 transactions per month, and they were apparently notified by the card companies of a possible problem last October, and well you do the math.

People breaking into computer systems these days aren’t doing it for fun, or to learn how things work, or at least they’re not the only ones breaking in.  The naive period of hacking adolescence has passed.  We’re not looking around in empty houses under construction, we’re breaking into occupied houses and robbing them while the owners are there.

Computer security is serious business, and business has given it very little attention.  To make matters worse, the public really doesn’t seem to care either.  TJX has a massive security breach: what happens to the stock? It goes up.

Until consumers start caring about how much money lax security is costing them, there will be no change.  Since consumers aren’t showing any inclinations to care, the only hope for us is making a criminal negligence complaint against businesses that take absolutely no care of our identities.


WP Themes