Thursday, June 22, 2006

The Police State...again

Va. Students to Be Checked for Sex Offense Jun 22nd - 3:19am By KRISTEN GELINEAU Associated Press Writer RICHMOND, Va. (AP) - A new law requiring Virginia's colleges to hand over prospective students' personal information to police for cross-checking against sex offender lists is coming under fire from privacy advocates and education leaders.

Under the law, which takes effect July 1, public and private college officials must send state police the names, Social Security numbers and birth dates of all students accepted to their schools. [WTOP News]

While on the surface this seems like a good idea, it is wrong on so many other levels that I am amazed it was even approved, much less passed with little or no discussion. How many 18-year-olds have been charged with a sex offense? How many are likely to be charged? Frankly, it makes no sense. Yes, not every student going to university in Virginia is 18 years old, but the vast majority are, and it is pointless to be looking for sex offenders in that demographic.

The further issues of data transfer, security and such are not trivial and judging by the manner that this sort of information is being handled at the Federal level, it is questionable that the Commonwealth of Virginia could handle it any better. And, what is glossed over is what happens if other outstanding issues pop up in this check? At what point was a background investigation a requirement for attending an institute of education?

Wednesday, June 21, 2006

Is Microsoft still the right answer?

Former 'Get the Facts' leader leaves Microsoft Martin Taylor, who led Microsoft's anti-Linux campaign, has left the company Elizabeth Montalbano June 21, 2006 (IDG News Service) -- Martin Taylor, best known for his role in leading Microsoft's anti-Linux "Get the Facts" campaign, has abruptly left the company, Microsoft confirmed yesterday.

"We've made the difficult decision to part ways with Martin, but we don't comment on personnel matters," the company said through its public relations firm, Waggener Edstrom Inc. "We appreciate Martin's contributions at Microsoft over the past 13 years." [Computerworld]

I guess you can only lie to the public for so long before things backfire on you.

There is no question that Windows, both Workstation and Server, has its place in the data center, but there is growing concern over the product's weakening security, growing bloat and limited flexibility as more and more dollars become tied up in larger and larger systems that seem to sit idle for more hours of the day than ever before.

As IT shops are expected to do more, the ease of use that is the Windows GUI is beginning to be seen as the obstacle to really getting things done. Why else would there be dozens of books on how to do things by the command line when before it used to be hidden knowledge passed around from system admin to system admin? And with more complex desktops, the simple administration has chewed up more resource and created more companies to ease the burden than any other operating system in history.

It is little wonder, that as the next release of Windows looms, IT managers are beginning to seriously reevaluate their marriage to Microsoft and question whether or not there is a better way to be doing business.

Monday, June 19, 2006

When Congressional mandates collide, confusion results

Federal Breaches Spark Security Review Push: GAO, administration officials call for look into data collection processes Jaikumar Vijayan June 19, 2006 (Computerworld) -- The massive data breach disclosed last month by the U.S. Department of Veterans Affairs has triggered sweeping reviews of information security policies at the VA and at several other government agencies that recently suffered smaller data losses. [ComputerWorld]

Agencies, vendors struggle with HSPD-12, surveys say By Jason Miller, GCN Staff
Two recent surveys signaled just how much agencies and vendors are struggling to implement Homeland Security Presidential Directive-12.

The area most often identified by federal IT security executives and systems integrators as needing attention was physical-access control. In a survey of federal IT security executives released yesterday by Computer Associates International Inc. of Islandia, N.Y., 56 percent said they had seven or more physical-access control systems, and 58 percent said their agencies had yet to make a decision on whether to standardize these systems. [GCN]

Telework cheaper than expected, but agencies still not on board By Rob Thormeyer, GCN Staff Although the costs of implementing effective telework programs are far less than predicted, agencies have yet to provide a programmatic and enterprisewide approach to solidifying telecommuting within the government, a General Services Administration report said.

The study concluded that the lack of investment and commitment in making telework acceptable across the government is not only hampering the telecommuting workforce, but agencies overall are losing out on productivity. [GCN]

In one day, in two different papers, three articles on basically the same issue from three different points of view, none of which seem to be paying any attention to the issues in the other court. This is not new in either journalism or the operations of the Federal Government. What is sad, however, is that while the journalists continue to write their stories, and the SESs in the Federal Government continue down their merry road, there is a serious lesson to be learned and no one seems to be connecting the dots for those that are seriously technically challenged. And what is truly frustrating about this whole mess is that each of the requirements is Congressionally mandated! At some point, should someone maybe stand up and tell Congress (and the President) that they can have either one or the other, but not both, at least given the current playing field? Yet no one seems to be able or willing to stand up and do this.

At some point, if our elected leaders, who are mandating at cross purposes, will not own up to not "getting it" in regards to data security, and the CIOs, whose job it should be to understand the conflicts, clearly are not speaking up, can we not at least expect some analysis beyond "this was bad, it should be stopped..." from the press?

HSPD-12 is going to create a mess in the IT shops of every major agency. Rep. Tom Davis (and others) is screaming for increased telework (for a variety of good reasons - reduced traffic, pandemic/disaster preparedness) and yet every day we hear (or don't) about yet another data leak at an agency. All of these mandates are good in and of themselves, but when they are combined, the resulting train wreck is only going to be confusion and more insecurity - it cannot help but be anything less when the funding levels (especially at agencies like the VA that took a serious budget cut to their IT funding) are dropping, tasks are more complex and various agencies are issuing Federal-wide directives. In the last 12 months, the infrastructure of every agency has been told to improve, upgrade or prepare for upgrade by GAO (IPv6), the President (HSPD-12) and Congress (Telework, budget levels), along with ongoing internal modernization programs (getting off Windows NT, for example, or preparing for Windows Vista). At some point, even with all the requirements, something has to break. The data loss at the VA was an issue of policy rather than technology, but you know as well as I that the fix will be driven by yet another technological fix that will be bolted on to the existing Frankenstein's monster that is most Federal networks.

It is a very sad state of affairs for the nation to be in.

Monday, June 12, 2006

It is still about time

Lunch break becomes briefer as 'hour' shrinks By Stephanie Armour, USA TODAY Mon Jun 12, 7:11 AM ET What lunch hour? More employees today are forgoing the traditional long lunch and taking an abbreviated afternoon break instead, using the time they'd normally eat to keep working or get other errands done. [USA Today]

In case you have not noticed (and judging by the surprises in this article, most of you have not), the average person spends more time working in five days than they do sleeping in seven. Throw in the commute and, of a 7-day week, three-quarters of it is gobbled up by work and work-related activities, with about six hours of sleep per night. And we wonder why our co-workers are sick so often? Why less work seems to be done in an average week instead of more? These are all symptoms of a society that is on the ragged edge. It is not a function of business but a terrible by-product, a toxic waste if you will, that is further affecting the already burned-out employee doing the job of more people than should be possible.

You cannot have double digit productivity gains year after year and expect people to be able to operate. Mistakes will increase as focus is continually eaten away. A short lunch break is only a symptom of a much larger problem.

The Police State, Take II

DHS Draft Report Says RFID Poses Privacy Risks Marc Songini June 12, 2006 The draft report had stated that while RFID is useful for tasks like inventory management, the technology should rarely be used to track people. The risks to privacy outweigh the technology's communications and security benefits, the authors said. They recommended that "RFID be disfavored for identifying and tracking human beings." [ComputerWorld]

I always find it amusing when one branch of the Federal Government issues a report that slams an adopted technology in another branch of the Federal Government. It is especially amusing when the branch that is in charge of Homeland Security is issuing a report about privacy and supporting it, while a few blocks away, the State Department is busy issuing passports loaded with RFID technology that experts have been saying since they first got wind of the program was a bad idea. Of course, if you think that State will stop issuing RFID passports, you are completely wrong.

Friday, June 09, 2006

Security or Police State? The trouble with normal...

Go read The Practical Nomad...it describes only part of my overall frustration with the TSA and the current protections implemented after September 11.

More thoughts, inspired by the data loss at the VA

VA conducts security review of laptop PCs, bars nondepartment PCs from VPN BY Bob Brewin Published on June 8, 2006 The Veterans Affairs Department has ordered a security review of every laptop computer at the VA and has banned employees from connecting any employee-owned computers to the VA virtual private network (VPN), VA Secretary James Nicholson said in a hearing at the House Committee of Government Reform today. [Federal Computer Week]

As I was theorizing yesterday, this is one way to solve the problem, but it is hardly the best and is probably the most knee-jerk that could have been taken. The VA will now have to come up with literally thousands of laptops for the employees that have been doing work from home for the myriad reasons that employees have to work from home. Add to that the push from people like Tom Davis in Congress who are bashing federal agencies for not having enough people teleworking. This sort of decision is going to make it very hard to implement any sort of telework at the VA for years to come. Let us all hope that there are no real pandemics on the horizon, or, for that matter, any continuity of operations issues that have to be addressed.

Thursday, June 08, 2006

Questions raised by the VA system theft

For those that have not been in IT for very long, you will not notice that we have almost come full circle. In fact, in some cases, we have come full circle and are starting over again. With that being said, the theft of data from the Department of Veterans Affairs raises a whole mess of issues. And I do mean a mess, because it points at some diametrically opposite ideals that have to be addressed and recognized and either accepted or rejected, but that will lead to consequences no matter what course is taken because they are almost mutually exclusive.

To begin, let us take the simple issue of access. Almost since the first operator signed on to one of these machines and screwed something up that he (almost always was a he) was not supposed to, we have had some form of access control. Usually, this is in the form of user name and password. As time went on, the requirement for complexity and frequency of change increased, but we still had a user name and password. Still more time passed and the issue of multi-factor authentication became the vogue way to log onto the system, whether it was token based or biometric. As operations became more and more complicated, access and access controls too became more complicated and in some ways more sophisticated. Of course the user population grew and managing authentication and access became a full time job.

Enter the Internet, modems and broadband access. All three of these resulted in a train wreck of access issues. Everyone, in theory, could now access their data from anywhere, also in theory, if the access controls were properly established. Millions and millions of dollars were poured into remote access methods to allow the right people in and keep the wrong people out. Some companies encouraged their employees to work at home; others did not openly encourage it, but they did make it possible. One of the biggest corporations, the United States Federal Government, continues to wrestle with this issue.

Along comes a natural disaster. Take your pick there are dozens to choose from. Each one spurs some group of people to think about continuity of operations or how to keep things going when bad things happen. Suddenly, companies were taking their data centers and copying them, either as an active or passive back-up site, somewhere that was safer than the current location and usually a significant distance away from any of the users, operators or maintainers of the systems, meaning more remote access and controls.

Now, we have the fear of a pandemic. Planning estimates are that upwards of 30% of your staff will be unavailable, whether this is because of being sick (or dead) or having to care for someone who is sick (or making arrangements) or being in a quarantine zone. Essentially, their butt will not be in the chair they normally occupy, but they are capable of working, just not coming to work. This is something that scares those continuity people, so they demand yet more people be able to remotely access the corporate systems. I expect there will be big business done in this over the next 12 - 18 months.

Suddenly, a laptop is stolen from the house of a VA employee who downloaded millions of records to work on them from home. Say what you will, there are implications here. 1) While the VA employee did violate policy (a written document that he or she probably did not even know about), the individual was authorized to have access to the information. 2) They had been issued a laptop, presumably so that they could do work at home. 3) This is not an unusual case, either within the government or within corporate America.

While chaos is ensuing around Washington, we all need to take a deep breath and ask some hard questions:

1) Since the employee was doing work, why was encryption on the desktop not standard? In short, because most single-disk encryption schemes require that the employee know a password. How many times have you forgotten your password? How much data might be lost when this happens? OK, so suppose you have a key escrow policy in place (something that the Federal Government has been working on for years, I might add, with little or no success, except within highly segmented pockets of technological brilliance). Key escrows are nice fuzzy things for management - it means that someone can lose the password (or get hit by a bus) and the data is, in theory, recoverable. Key escrows are a nightmare to manage, require complex webs of trust and a team of skilled and trusted engineers to implement and maintain.
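The escrow mechanism the paragraph describes can be shown concretely. The following is an added example written for this page, not code from the original post or from any product the VA used: a volume header holds one random data-encryption key (DEK) wrapped twice, once under a key derived from the employee's passphrase and once under an organisational escrow key. A forgotten passphrase is reset by recovering the DEK through the escrow slot and rewrapping it, with no re-encryption of the disk. The header layout, function names and the HMAC-based key wrap are assumptions of this example; a real deployment would use an established wrap such as AES-KW.

```python
"""Added example: two-slot key escrow for a disk-encryption key (stdlib only)."""
import hashlib
import hmac
import secrets


def kek_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    # Slow derivation so a stolen header cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; only a few dozen bytes are ever needed.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def wrap_key(kek: bytes, dek: bytes) -> dict:
    """Encrypt the DEK under a key-encryption key and tag it (constructed format)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(kek, nonce, len(dek))))
    tag = hmac.new(kek, nonce + ct, "sha256").digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap_key(kek: bytes, slot: dict) -> bytes:
    """Verify the tag first, then recover the DEK; wrong KEK raises ValueError."""
    expected = hmac.new(kek, slot["nonce"] + slot["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        raise ValueError("wrong key or tampered header")
    ks = _keystream(kek, slot["nonce"], len(slot["ct"]))
    return bytes(a ^ b for a, b in zip(slot["ct"], ks))


def create_volume_header(passphrase: str, escrow_key: bytes) -> tuple[dict, bytes]:
    """Generate a fresh DEK and wrap it for both the user and the escrow holder."""
    dek = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    header = {
        "salt": salt,
        "user_slot": wrap_key(kek_from_passphrase(passphrase, salt), dek),
        "escrow_slot": wrap_key(escrow_key, dek),
    }
    return header, dek


def open_with_passphrase(header: dict, passphrase: str) -> bytes:
    return unwrap_key(kek_from_passphrase(passphrase, header["salt"]), header["user_slot"])


def open_with_escrow(header: dict, escrow_key: bytes) -> bytes:
    return unwrap_key(escrow_key, header["escrow_slot"])


def reset_passphrase(header: dict, escrow_key: bytes, new_passphrase: str) -> dict:
    """Help-desk recovery: rewrap the same DEK under a new passphrase; data untouched."""
    dek = open_with_escrow(header, escrow_key)
    new_header = dict(header)
    new_header["user_slot"] = wrap_key(kek_from_passphrase(new_passphrase, header["salt"]), dek)
    return new_header


def demo() -> dict:
    """Walk through normal unlock, forgotten passphrase, recovery and tamper detection."""
    escrow_key = secrets.token_bytes(32)          # held by the organisation, not the user
    header, dek = create_volume_header("correct horse", escrow_key)
    results = {
        "user_unlocks": open_with_passphrase(header, "correct horse") == dek,
        "escrow_unlocks": open_with_escrow(header, escrow_key) == dek,
    }
    try:
        open_with_passphrase(header, "wrong passphrase")
        results["wrong_passphrase_rejected"] = False
    except ValueError:
        results["wrong_passphrase_rejected"] = True
    recovered = reset_passphrase(header, escrow_key, "new passphrase")
    results["recovered_unlocks"] = open_with_passphrase(recovered, "new passphrase") == dek
    results["old_passphrase_dead"] = True
    try:
        open_with_passphrase(recovered, "correct horse")
        results["old_passphrase_dead"] = False
    except ValueError:
        pass
    return results


if __name__ == "__main__":
    print(demo())
```

The point the example makes against the paragraph's worry is that escrow does not require the help desk to know anything about the user's passphrase, and recovery never rewrites the encrypted data; what it does require is exactly what the author names, a trusted party to hold the escrow key and a process around who may use it.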

2) Suppose the employee was working at home on their own machine? This becomes one of the biggest sticking points in the whole remote access debate. Regardless of who you work for, this is discussed until it is dead because there are no easy answers.

First issue - who ensures the machine can connect to the corporate system? In a large number of cases, the home PC is incapable of connecting because of limitations of software or operating system. Even if the corporate standard is Windows, I might use a Mac at home.
Second issue - who ensures that the machine is clean? Most home machines are unpatched and unprotected. This is a fact of life, but you do not want to spread the love around your pristine corporate environment.
Third issue - who is responsible for tech support? Most users who have to do remote access are not technical. They are accountants, marketing people, executives. They are not IT. So who is going to provide them with the support they need when something breaks?
Fourth issue - do you provide each employee with a machine if they need to access the corporate systems? This is a solution that many companies have undertaken, but it is hardly an inexpensive one. It makes some of the initial questions easier to answer, but places a great burden on the IT staff, especially from a tracking standpoint.
Fifth issue - how do you ensure the data being accessed is secured on the remote system? The short answer is you almost cannot. Hook a printer up and the data escapes (and not allowing people to print is the most draconian method of security I have ever been involved in). Of course, if you have a pencil and paper, there really is no foolproof way to secure the data, but a pencil is a lot slower than a hard drive.
Sixth issue - if you designate only a percentage of your population as having a need to remotely access the systems, which manages the access controls and some of the technical issues, what do you do when someone needs that access and cannot get it or be given it? Especially in a continuity of operations scenario.

3) Data management and control is difficult at the best of times. With a few exceptions, there has been very little work done in the field of data integrity. Sure, I can tell when someone pulled data and, if I try hard enough, from what tables, but let us be honest. If the employee had access to the system, then they had access to the data and I really do not care what they pulled. Nor do I really have time to be sorting through the thousands of log files or writing custom scripts or sitting watching a monitor. There is enough to deal with keeping the bad guys out of the system. If we have to start monitoring the good guys' activities as well, we are sunk.
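The one question that did matter in the VA case is volume: an authorized user pulling millions of records is visible in the same query logs the author does not want to read by hand. The following is an added example, not code from the original post, of the minimal script that answers it: it parses a constructed audit log (the line format, user names and row counts are all made up for this example) and flags any user whose single query or rolling one-hour total exceeds a threshold. The threshold and window are assumptions to be tuned against a site's own baseline.

```python
"""Added example: flag bulk record pulls in a constructed database audit log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the format "ts user= table= rows=" is an assumption.
AUDIT_LOG = """\
2006-06-01T09:02:11 user=jsmith table=veterans rows=40
2006-06-01T09:15:40 user=jsmith table=veterans rows=12
2006-06-01T09:30:05 user=rcontractor table=veterans rows=6000
2006-06-01T09:41:22 user=rcontractor table=claims rows=5500
2006-06-01T09:58:03 user=rcontractor table=veterans rows=4000
2006-06-01T10:10:00 user=jsmith table=claims rows=30
2006-06-01T11:50:00 user=dlee table=veterans rows=25000
2006-06-01T13:00:00 user=rcontractor table=veterans rows=100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


def parse_audit(text: str) -> list[dict]:
    """Turn log lines into events sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a real collector would count these as parse failures
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "table": m["table"],
            "rows": int(m["rows"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def flag_bulk_pulls(text: str, window: timedelta = timedelta(hours=1),
                    threshold: int = 10_000) -> dict[str, int]:
    """Return {user: largest rolling-window row total} for users over threshold.

    A single large query trips the rule by itself; so does a series of smaller
    queries whose total inside the window reaches the threshold.
    """
    recent: dict[str, deque] = defaultdict(deque)   # per-user (ts, rows) in window
    flagged: dict[str, int] = {}
    for ev in parse_audit(text):
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["rows"]))
        while q and ev["ts"] - q[0][0] > window:      # drop events outside the window
            q.popleft()
        total = sum(rows for _, rows in q)
        if total >= threshold:
            flagged[ev["user"]] = max(total, flagged.get(ev["user"], 0))
    return flagged


if __name__ == "__main__":
    for user, total in sorted(flag_bulk_pulls(AUDIT_LOG).items()):
        print(f"{user}: {total} rows inside a one-hour window")
```

Run against the sample, the rule ignores jsmith's handful of small lookups, catches dlee's single 25,000-row query, and catches rcontractor's three pulls that only add up to something alarming together; the afternoon 100-row query falls outside the window and is not flagged on its own. This is the whole of the "custom script" the author dreads, and it runs unattended.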

The issues surrounding the VA have raised all kinds of awareness and focus. Now we have to keep our eye on the ball and not implement any knee jerk reaction that will only make it harder for the authorized user to get their work done. After all, if you make security difficult for the user, they will either work around it or use it as an excuse not to do the work. In either case, the end result is the same.

Can we get some work done now? Please?

Gay marriage ban fails to pass US Senate by Charlotte Raab WASHINGTON (AFP) - A constitutional amendment seeking a national ban on gay marriage, strongly backed by US President George W. Bush and conservative Christian groups, failed to pass the US Senate. [Yahoo News]

OK, now that the Senate has spoken, can we please get some real business done before the Fourth of July break (which, I believe, starts Monday)? There are roads and bridges in disrepair, a hurricane season, some serious issues with the national power grid and a real mess over at the NSA. Is it possible to get some work done by our Congressional representatives? Please? Otherwise, a serious job performance review might be in order.

Wednesday, June 07, 2006

When Religion does not keep pace with Society

Vatican Issues Sex-Related Condemnations Jun 6th - 12:37pm By MARIA SANMINIATELLI Associated Press Writer VATICAN CITY (AP) - The Vatican declared Tuesday that the traditional family has never been so threatened as in today's world, lashing out against contraception, abortion, in vitro fertilization and same-sex marriage. [WTOP News]

Let me see if I understand this correctly. A group of single, mainly white, males, in their early 70s, who tend to wear robes, is telling me that their definition of the family is the same definition that is used in the world of 2006?

Gay activists should only be one of many groups that should condemn the Vatican's current statement of how out of touch it is with the world today. Human procreation has nothing to do with a family and never has. Procreation, a biological process, is related only to the continuation of the species. A family, on the other hand, is about the values and issues that shape and form the individual and the society that they live in.

The Vatican can be as opposed to contraception as it wants to be. At the end of the day, the Roman Catholic church is not paying for the upbringing of the children of a sexual union. If the children are really lucky, the two individuals involved in their creation are. It is not much of a stretch to see that most children are not that fortunate.

Time to think of more important issues?

Broadcast Indecency Bill Up for Vote Jun 7th - 7:27am by JIM ABRAMS Associated Press Writer WASHINGTON (AP) - The next raunchy expression or inappropriate show of skin could cost a radio or television broadcaster up to $325,000 in fines under a bill heading toward congressional passage. [WTOP News]

Would someone please explain to me what inappropriate is? We have seen Janet Jackson's breast, which had less exposed than Jennifer Aniston or any of the lifeguards on Baywatch. We have seen Dennis Franz's naked backside (a scary sight for those that missed it). We have been through the opening credits of Miami Vice, and seen the insides of so many humans that I am at a loss to even begin to define the term inappropriate, much less what constitutes an inappropriate display.

There is sex on daytime TV, infidelity on the evening news and half-naked individuals on every station at all hours, and Congress, that bastion of well-behaved individuals, is trying to pass a law fining broadcasters for inappropriate displays of skin?

The Victorian era is past, people; move on. Worry about the deficit or decaying roads. If I do not like what is on TV, I have a power button. If I do not want my children to see it, I have a circuit breaker.

Friday, June 02, 2006

Wither the FCC?

It Seems to Us . . . The Third Battle of Bull Run By David Sumner, K1ZZ ARRL Chief Executive Officer June 1, 2006 [ARRL] Manassas, Virginia is best known as the site of the First and Second Battles of Bull Run during the American Civil War. Today there is another battle being fought in Manassas. On one side are the City of Manassas; COMTek, the franchisee that provides Broadband over Power Line (BPL) service to a few hundred customers in the city; and Main.net, the Israeli manufacturer of the city's BPL hardware. On the other are radio amateurs who live in and pass through Manassas and who have the right to not receive harmful interference to their licensed stations.

BPL has been an ongoing issue in Manassas for the better part of the 21st century. Snake oil and posturing is about all that has come out of it, on both sides of the argument unfortunately. While there are some legitimate issues, one line from this article really jumped out at me - and it was at the end:

Further delay simply serves to undermine the [FCC's] credibility.

It jumped out at me because it really is laughable. The FCC lost any credibility it had years ago and it has never really regained it. One has only to look at the (continuing) debacle over the sale and reapportionment of radio spectrum to see this. From the sale, and then the cancellation because of default, of some of the 3G spectrum to companies that were little more than financial shells, to the insanity that everyone is going to have to have a high-definition television so that first responders can use their radios, to the silly fines imposed on broadcast TV for language that can be heard on any playground in the country, the FCC has not only lost its way in managing and enforcing the radio spectrum, but it has become little more than a marketing agency for every big business that needs, wants or uses the radio spectrum to make money.

The Amateurs in Manassas are upset. The City is upset. The residents will be upset when they realize that their city government, which recently said it could not afford to hire an Emergency Manager because there wasn't enough money, continues to carry the charge for a failed network installation, thus costing them State matching funds for disaster preparedness. The ARRL is upset. COMTek will be upset when its shareholders tell it to stop pouring money into this failed experiment, but the one group of people who should be really upset are not, and that is the people of the United States. But their lack of concern is understandable. After all, it is an issue that only affects a handful of people...except when all else fails.