Albert Einstein famously said, “Everything should be made as simple as possible, but not simpler.” Agile development guru Venkat Subramaniam has a knack for taking that insight and illustrating just how desperately the software development process needs the lessons of Professor Einstein.

As the keynote speaker at the Oracle Code event in Los Angeles—the first in a 14-city tour of events for developers—Subramaniam describes the art of simplicity, and why and how complexity becomes the enemy. While few would argue that complex is better, that’s what we often end up creating, because complex applications or source code may make us feel smart. But if someone says our software design or core algorithm looks simple, well, we feel bad—perhaps the problem was easy and obvious.

Subramaniam, who’s president of Agile Developer and an instructional professor at the University of Houston, urges us instead to take pride in coming up with a simple solution. “It takes a lot of courage to say, ‘we don’t need to make this complex,’” he argues. (See his full keynote, or register for an upcoming Oracle Code event.)

Simplicity Is Not Simple

Simplicity is hard to define, so let’s start by considering what simple is not, says Subramaniam. In most cases, our first attempts at solving a problem won’t be simple at all. The most intuitive solution might be overly verbose, or inefficient, or perhaps difficult to understand, even by its programmers after the fact.

Simple is not clever. Clever software, or clever solutions, may feel worthwhile, and might cause people to pat developers on the back. But ultimately, it’s hard to understand, and can be hard to change later. “Clever code is self-obfuscating,” says Subramaniam, meaning that it can be incomprehensible. “Even programmers can’t understand their clever code a week later.”

Simple is not necessarily familiar. Subramaniam insists that we are drawn to the old, comfortable ways of writing software, even when those methods are terribly inefficient. He mentioned someone who wrote code with 70 “if/then” questions in a series—because it was familiar. But it certainly wasn’t simple, and would be nearly impossible to debug or modify later. Something that we’re not familiar with may actually be simpler than what we’re comfortable with. To fight complexity, Subramaniam recommends learning new approaches and staying up with the latest thinking and the latest paradigms.

Simple is not over-engineered. Sometimes you can overthink the problem. Perhaps that means trying to develop a generalized algorithm that can be reused to solve many problems, when the situation calls for a fast, basic solution to a single problem. Subramaniam cited Occam’s Razor: When choosing between two solutions, the simplest may be the best.

Simple is not terse. Program source code should be concise, which means that it’s small but also clearly communicates the programmer’s intent. By contrast, something that’s terse may still execute correctly when compiled into software, but the human understanding may be lost. “Don’t confuse terse with concise,” warns Subramaniam. “Both are really small, but terse code is waiting to hurt you when you least expect it.”

Read more in my essay, “Practical Advice To Whip Complexity And Develop Simpler Software.”

As the saying goes, you can’t manage what you don’t measure. In a data-driven organization, the best tools for measuring performance are business intelligence (BI) and analytics engines, which require data. And that explains why data warehouses continue to play such a crucial role in business. Data warehouses often provide the source of that data, by rolling up and summarizing key information from a variety of sources.

Data warehouses, which are themselves relational databases, can be complex to set up and manage on a daily basis. They typically require significant human involvement from database administrators (DBAs). In a large enterprise, a team of DBAs ensures that the data warehouse is extracting data from those disparate data sources, as well as accommodating new and changed data sources—and making sure the extracted data is summarized properly and stored in a structured manner that can be handled by other applications, including those BI and analytics tools.

On top of that, the DBAs are managing the data warehouse’s infrastructure. That includes everything from server processor utilization, the efficiency of storage, security of the data, backups, and more.

However, the labor-intensive nature of data warehouses is about to change, with the advent of Oracle Autonomous Data Warehouse Cloud, announced in October 2017. The self-driving, self-repairing, self-tuning functionality of Oracle’s Data Warehouse Cloud is good for the organization—and good for the DBAs.

Data-driven organizations need timely, up-to-date business intelligence. This can feed instant decision-making, short-term predictions and business adjustments, and long-term strategy. If the data warehouse goes down, slows down, or lacks some information feeds, the impact can be significant. No data warehouse may mean no daily operational dashboards and reports, or inaccurate dashboards or reports.

For C-level executives, Autonomous Data Warehouse can improve the value of the data warehouse. This boosts the responsiveness of business intelligence and other important applications, by improving availability and performance.

Stop worrying about uptime. Forget about disk-drive failures. Move beyond performance tuning. DBAs, you have a business to optimize.

Read more in my article, “Autonomous Capabilities Will Make Data Warehouses — And DBAs — More Valuable.”

“We estimate that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.” That’s from a February 2018 report, “The Cost of Malicious Cyber Activity to the U.S. Economy,” by the Council of Economic Advisors – part of the Office of the President. It’s a big deal.

The White House is concerned about a number of sources of cyber threats. Those include attacks from nation-states, corporate competitors, hacktivists, organized criminal groups, opportunists, and company insiders.

It’s not always easy to tell exactly who is behind some event, or even how to categorize those events. Still, the report says that incidents break down as roughly 25% insiders, 75% outsiders. “Overall, 18 percent of threat actors were state-affiliated groups, and 51 percent involved organized criminal groups,” it says.

It’s More Than Stolen Valuables

The report points out that the economic cost includes many factors, including the stolen property, the costs of repairs – and lost-opportunity costs. For example, the report says, “Consider potential costs of a DDoS attack. A DDoS attack interferes with a firm’s online operations, causing a loss of sales during the period of disruption. Some of the firm’s customers may permanently switch to a competing firm due to their inability to access online services, imposing additional costs in the form of the firm’s lost future revenue. Furthermore, a high-visibility attack may tarnish the firm’s brand name, reducing its future revenues and business opportunities.”

However, it’s not always that cut-and-dried. Intellectual property theft is a case in point, as the report explains:

The costs incurred by a firm in the wake of IP theft are somewhat different. As the result of IP theft, the firm no longer has a monopoly on its proprietary findings because the stolen IP may now potentially be held and utilized by a competing firm. If the firm discovers that its IP has been stolen (and there is no guarantee of such discovery), attempting to identify the perpetrator or obtain relief via legal process could result in sizable costs without being successful, especially if the IP was stolen by a foreign actor. Hence, expected future revenues of the firm could decline. The cost of capital is likely to increase because investors will conclude that the firm’s IP is both sought-after and not sufficiently protected.

Indeed, this last example is particularly worrisome. Why? “IP theft is the costliest type of malicious cyber activity. Moreover, security breaches that enable IP theft via cyber may go undetected for years, allowing the periodic pilfering of corporate IP.”

Affecting the Economy

Do investors worry about cyber incidents? You bet. And it hits the share price of companies. According to the White House report, “We find that the stock price reaction to the news of an adverse cyber event is significantly negative. Firms on average lost about 0.8 percent of their market value in the seven days following news of an adverse cyber event.”

How much is that? Given that the study looked at large companies, “We estimate that, on average, the firms in our sample lost $498 million per adverse cyber event. The distribution of losses is highly right-skewed. When we trim the sample of estimated losses at 1 percent on each side of the distribution, the average loss declines to $338 million per event.” That’s significant.

Small and mid-sized companies can be harder hit by incidents, because they are less resilient. “Smaller firms, and especially those with few product lines, can easily go out of business if they are attacked or breached.”

Overall, cyber incidents cost the U.S. economy between $57 billion and $109 billion in 2016. That’s between 0.31% and 0.58% of that year’s gross domestic product (GDP), says the report. That’s a lot, but it could be worse. Let’s hope this amount doesn’t increase – by, say, a full-fledged cyberwar or significant terrorist incident.

The “throw it over the wall” problem is familiar to anyone who’s seen designers and builders create something that can’t actually be deployed or maintained out in the real world. In the tech world, avoiding this problem is a big part of what gave rise to DevOps.

DevOps combines “development” and “IT operations.” It refers to a set of practices that help software developers and IT operations staff work better, together. DevOps emerged about a decade ago with the goal of tearing down the silos between the two groups, so that companies can get new apps and features out the door faster, with fewer mistakes and less downtime in production.

DevOps is now widely accepted as a good idea, but that doesn’t mean it’s easy. It requires cultural shifts by two departments that not only have different working styles and toolsets, but where the teams may not even know or respect each other.

When DevOps is properly embraced and implemented, it can help get better software written more quickly. DevOps can make applications easier and less expensive to manage. It can simplify the process of updating software to respond to new requirements. Overall, a DevOps mindset can make your organization more competitive because you can respond quickly to problems, opportunities and industry pressures.

Is DevOps the right strategic fit for your organization? Here are six CEO-level insights about DevOps to help you consider that question:

  1. DevOps can and should drive business agility. DevOps often means supporting a more rapid rate of change in terms of delivering new software or updating existing applications. And it doesn’t just mean programmers knock out code faster. It means getting those new apps or features fully deployed and into customers’ hands. “A DevOps mindset represents development’s best ability to respond to business pressures by quickly bringing new features to market and we drive that rapid change by leveraging technology that lets us rewire our apps on an ongoing basis,” says Dan Koloski, vice president of product management at Oracle.

For the full story, see my essay for the Wall Street Journal, “Tech Strategy: 6 Things CEOs Should Know About DevOps.”

Simplified Java coding. Less garbage. Faster programs. Those are among the key features in the newly released Java 10, which arrived in developers’ hands only six months after the debut of Java 9 in September.

This pace is a significant change from Java’s previous cycle of one large release every two to three years. With its faster release cadence, Java is poised to provide developers with innovations twice every year, making the language and platform more attractive and competitive. Instead of waiting for a huge omnibus release, the Java community can choose to include new features as soon as those features are ready, in the next six-month Java release train. This gives developers access to the latest APIs, functions, language additions, and JVM updates much faster than ever before.

Java 10 is the first release on the new six-month schedule. It builds incrementally on the significant new functionality that appeared in Java 9, which had a multiyear gestation period.

Java 10 delivers 12 Java Enhancement Proposals (JEPs). Here’s the complete list, followed by a deeper look at three of the most significant JEPs:

  • Local-Variable Type Inference
  • Consolidate the JDK Forest into a Single Repository
  • Garbage-Collector Interface
  • Parallel Full GC for G1
  • Application Class-Data Sharing
  • Thread-Local Handshakes
  • Remove the Native-Header Generation Tool (javah)
  • Additional Unicode Language-Tag Extensions
  • Heap Allocation on Alternative Memory Devices
  • Experimental Java-Based JIT Compiler
  • Root Certificates
  • Time-Based Release Versioning

See my essay for Forbes, “What Java 10 And Java’s New 6-Month Release Cadence Mean For Developers.” We’ll look at three of the most significant JEPs: Local-Variable Type Inference, Parallel Full GC for G1, and the Experimental Java-Based JIT Compiler.

“What type of dog are you?” “I scored 9 out of 10 on this vocabulary test! Can you beat me? Take the quiz!” “Are you a true New Yorker?”

If you use Facebook (or other social media sites) you undoubtedly see quizzes like this nearly every day. Sometimes the quizzes appear in Facebook advertisements. Sometimes they appear because one of your friends took the quiz, and the quiz appeared as a post by your friend.

Is it safe to take those quizzes? As with many security topics, the answer is a somewhat vague “yes and no.” There are two areas to think about. The first is privacy – are you giving away information that should be kept confidential? The second is, by interacting with the quiz, are you giving permission for future interactions? Let’s talk about both those aspects, and then you can make an informed decision.

Bear in mind, however, that quizzes like this were likely used by Cambridge Analytica to harvest personal details about millions of Facebook users. Those details were allegedly used to target political advertising and disinformation.

Personal Dossier

Let’s start with content. When you take a quiz, you may not realize the extent of the personal information you are providing. Does the quiz ask you for your favorite color? For the year you graduated secondary school? For the type of car you drive? All of that information could potentially be aggregated into a profile. That’s especially true if you take multiple quizzes from the same company.

You don’t know, and you can’t realistically learn, if the organization behind the quiz is storing the information — and what it’s doing with it. Certainly, they can tag you as someone who likes quizzes, and show you more of them. However, are they using that information to profile you for their advertisements? Are they depositing cookies or other tracking mechanisms on your computer? Are they selling that information to other organizations?

A quiz about your favorite color is probably benign. A quiz about “What type of dog are you?” might indicate that you are a dog owner. It’s likely that ads for dog food might be in your future!

Be wary of quizzes that ask for any information that might be used for identity theft, like your home town or the year you were born. While you might sometimes post information like that on Facebook, that information may not be readily accessible to third parties, like the company that offers up those fun quizzes. If you provide such info to the quiz company, you are handing it to them on a silver platter.

Consider the “Is My Dog Fat Quiz,” hosted on the site GoToQuiz. It asks for your age range and your gender – which is totally unnecessary for asking about your dog’s weight and dietary habits. (You can see the lack of professionalism with misspellings like, “How much excersize does your dog get?”) This quiz isn’t about you or your dog, it’s about gathering information for Internet marketers.

Permission Granted

Second, you’re giving implicit permission for future interactions. Sometimes when you click on a Facebook quiz, you take the quiz right inside Facebook. When you do so, you are interacting with the quiz giver – which means that future posts or quizzes by that quiz giver will show up on your news feed. You may be totally fine with that… it’s not particularly harmful. However, you should be aware that this is the case. (Those posts and quizzes may also show up on your friends’ news feeds, spreading the marketer’s reach.)

What concerns me more is when clicking the quiz opens up an external website. When you are on an external website, whatever happens is outside of Facebook’s privacy protections and security protocols. You have no idea what the quiz site will do with your information.

Well, now perhaps you do.

Oh, no! The scammer’s letter was returned undelivered! Well, this is a nice scam, isn’t it, including using an address at lawyer.com as the faked sender. (According to my quick detective work, the email originated from a commercial Internet service in Guatemala.)

How about the reference to the Helicopter Society? That presumably means AHS International, which used to be called the Helicopter Society. In any case, referencing a real organization doesn’t make a scammer more legitimate. Same with referring to the IEEE (which I’m a member of).

Don’t reply to scam messages like this – simply delete them.

From: [email hidden]
Subject: Attention:
To: Recipients [email hidden]
Reply-To: [email hidden]

Attention:

On behalf of the Trustees and Executor of the estate of Late Eng. Jurgen Krugger. I once again try to notify you as my earlier letter was returned undelivered. I hereby attempt to reach you again by this same email address on the WILL. I wish to notify you that late Eng. Jurgen Krugger made you a beneficiary to his WILL. He left the sum of Thirty Million, One Hundred Thousand Dollars (USD$30, 100.000.00) to you in the Codicil and last testament to his WILL.

This may sound strange and unbelievable to you, but it is real and true. Being a widely traveled man, he must have been in contact with you in the past or simply you were nominated to him by one of his numerous friends abroad who wished you good. Eng. Jurgen Krugger until his death was a member of the Helicopter Society and the Institute of Electronic & Electrical Engineers. He was a very dedicated Christian who loved to give out. His great philanthropy earned him numerous awards during his life time.

Late Engr. Jurgen Krugger died on the 13th day of December, 2004 at the age of 80 years, and his WILL is now ready for execution. According to him this money is to support your humanitarian activities and to help the poor and the needy in our society. Please if I reach you as I am hopeful, endeavor to get back to me as soon as possible to enable me conclude my job. I hope to hear from you in no distant time.

Note: You are advise to contact me with my personal email: [email hidden]

I await your prompt response.

Yours in Service,

BARRISTER TEDDY WILLAIMS ESQ.PRINCIPAL PARTNERS: Barrister Aidan Walsh.Esq Markus Wolfgang,Smith Esq

Has Russia hacked the U.S. energy grid? This could be bigger than Stuxnet, the cyberattack that damaged uranium-enriching centrifuges in Iran back in 2010 – and demonstrated, to the public at least, that cyberattacks could do more than erase hard drives and steal peoples’ banking passwords.

For the first time, the United States has officially accused Russia of breaking into critical infrastructure. That’s not only a shocking admission of vulnerability, but it also points the finger at a specific country.

While there may be geopolitical reasons for the timing of the accusation, let’s look at what’s going on from the tech perspective. On March 15, the U.S. Computer Emergency Response Team (US-CERT) put out an alert entitled, “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors.” It’s not blaming hackers, or hackers based in Russia, it’s blaming the Russian government.

The danger couldn’t be clearer. “Since at least March 2016, Russian government cyber actors—hereafter referred to as “threat actors”—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”

The Targets: System Controllers

What were the attackers doing? Reconnaissance, looking for information on the critical controllers in energy facilities, known as SCADA systems. The US-CERT alert explains,

In multiple instances, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities. The threat actors accessed files pertaining to ICS or supervisory control and data acquisition (SCADA) systems. Based on DHS analysis of existing compromises, these files were named containing ICS vendor names and ICS reference documents pertaining to the organization (e.g., “SCADA WIRING DIAGRAM.pdf” or “SCADA PANEL LAYOUTS.xlsx”)

The threat actors targeted and copied profile and configuration information for accessing ICS systems on the network. DHS observed the threat actors copying Virtual Network Connection (VNC) profiles that contained configuration information on accessing ICS systems.

The Attack Vector: User Accounts

How did the attackers manage to get into these energy systems? First, they carefully chose which companies or facilities to target, says US-CERT: “The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity.” The attackers then used spear phishing (custom-crafted malicious emails) and watering holes (hacks into trusted websites that employees of those energy sites would visit). For example, says the report,

One of the threat actors’ primary uses for staging targets was to develop watering holes. Threat actors compromised the infrastructure of trusted organizations to reach intended targets. Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure. Although these watering holes may host legitimate content developed by reputable organizations, the threat actors altered websites to contain and reference malicious content.

These hacks into user accounts were delivered via malicious .docx files that energy employees opened – and which captured user credentials. The attackers then used those credentials to get into the energy systems, create new accounts, and begin their work. US-CERT reports that the attackers weren’t able to get into systems that require multi-factor authentication, by the way.

A History of Targeting Energy

We don’t know what Russia was doing, or why – assuming that it was Russia, of course. Dustin Volz and Timothy Gardner, writing for Bloomberg, say,

It was not clear what Russia’s motive was. Many cyber security experts and former U.S. officials say such behavior is generally espionage-oriented with the potential, if needed, for sabotage.

Russia has shown a willingness to leverage access into energy networks for damaging effect in the past. Kremlin-linked hackers were widely blamed for two attacks on the Ukrainian energy grid in 2015 and 2016, that caused temporary blackouts for hundreds of thousands of customers and were considered first-of-their-kind assaults.

As political issues escalate between Russia and the West, these types of reports and unanswered questions are indeed troubling.

I had to clean up the formatting on this email to make it somewhat more readable. I hope you enjoy the stilted language and attempts to assure the recipient that this isn’t actually a scam.

These messages are always scams. Delete them, don’t ever reply.

From: AHMADU SAMBO [email hidden]
Subject: HELLO DEAR,
To: undisclosed-recipients:;
Reply-To: [email hidden]

PETROLEUM PROJECT AND FINANCE DIVISION

FALOMO, NIGERIAN

Email: [email hidden] or [email hidden]

DATE: 14-03-2018

DEAR,

This letter is not intended to cause any embarrassment in whatever form, rather is compelled to contact your esteemed self, following the knowledge of your high repute and trust worthiness.

Firstly, I must solicit your confidentiality, this is by the virtue as being utterly confidential and top secret though I Know that a transaction of that magnitude will make anyone apprehensive and Worried, but I am assuring you that all will be well at the end of the day. A bold step taken shall not be regretted I assure you. I am ahmadu sambo, and I head a seven men tender board in charge of contract awards and payment approvals, I came to know of you in search of a reliable and reputable person to handle a very confidential business transaction which involves the transfer of a huge sum of money to foreign account re requiring maximum confidence.

My colleagues and I are top officials of the NIGERIA NATIONAL PETROLEUM CORPORATION (NNPC) OUR DUTIES INCLUDING EVALUATION AND FORESEEING THE MAINTENANCE OF THE REFINERIES IN ALL THE OIL PIPELINES.

We are therefore soliciting for your assistance to enable us transfer into your account the said funds. Our country losses a lot of money everyday this is why the international community is very careful and warning their citizen to be careful but I tell you “A TRIAL WILL CONVINCE YOU”

The source of the fund is as follows, during the last regime here in Nigeria this committee awarded a contract of US$400 Million to a group of five construction companies on

behalf of the NIGERIA NATIONAL PETROLEUM CORPORATION for the construction of the oil pipeline in Kaduna, Port-Harcourt, Warri refineries, during this process my colleagues and I deliberately inflated the total contract sum to the tone of US$450 Million with the intention of sharing the inflated sum of US$50Million.

The Government has since approved the sum of US$450Million for us as the contract sum, but since the contract is only worth US$400Million, the remaining US$50Million is what we intend to transfer to reliable and safe offshore account, we are prohibited to operate foreign account in our names since we are still in Government.

This, making of impossible for us to acquire the money in our name right now, I have therefore been delegated as a matter of trust by my colleagues to look for an oversea partner into whose account we can transfer the sum of US$50Million. My colleagues and I have decided that if you / your company can be the beneficiary of this funds on our behalf, you or your company will retain 25% of the total sum of US$50Million while 70% will be for us the officials and remaining 5% will be used for offsetting all debts/ expenses incurred during this transaction.

We have decided that this transaction can only proceed under the following condition:

  1. That you treat this transaction with utmost secret and confidentiality and conviction of your transparent honesty.
  2. That upon the receipt of the funds you will release the funds as instructed by us after you have removed your share of 25% please acknowledge the receipt of this letter using the above email address.

I will bring you into the nomenclature of this transaction when I have heard from you your urgent responses through my email, will be highly appreciated as we are catching on the next payment schedule for april.

Please be assured that this transaction is 100% legal / risk free, only trust can make the reality of this transaction.

Best regards,

AHMADU SAMBO

Go ahead, blame the user. You can’t expect end users to protect their Internet of Things devices from hacks or breaches. They can’t. They won’t. Security must be baked in. Security must be totally automatic. And security shouldn’t allow end users to mess anything up, especially if the device has some sort of Web browser.

Case in point: medical devices that have some sort of network connection, and thus qualify as IoT. In some cases, those connections might be very busy, connecting to a cloud service to report back telemetry and diagnostics, with the ability for a doctor to adjust functionality. In other cases, the connections might be quiet, used only for firmware updates. In either case, though, any connection might lead to a vulnerability.

According to the Annual Threat Report: Connected Medical Devices, from Zingbox, the most common IoT devices are infusion pumps, followed by imaging systems. Despite their #2 status, the study says that those imaging systems have the most security issues:

They account for 51% of all security issues across tens of thousands devices included in this study. Several characteristics of imaging systems attribute to it being the most risky device in an organization’s inventory. Imaging systems are often designed on commercial-off-the-shelf (COTS) OS, they are expected to have long lifespan (15-20 years), very expensive to replace, and often outlive the service agreement from the vendors as well as the COTS provider.

This is not good. For all devices, the study says that, “Most notably, user practice issues make up 41% of all security issues. The user practice issues consist of rogue applications and browser usage including risky internet sites.” In addition, Zingbox says, “Unfortunately, outdated OS/SW (representing 33% of security issues) is the reality of connected medical devices. Legacy OS, obsolete applications, and unpatched firmware makes up one-third of all security issues.”

Need to Restrict IoT Device Access to Websites

Many devices contain embedded web browsers. Not infusion pumps, of course, but other devices, such as those imaging systems. Network access for such devices should be severely restricted – the embedded browser on a medical device shouldn’t be able to access eBay or Amazon or the New York Times – or anything else other than the device’s approved services. As the study explains, “Context-aware policy enforcement should be put in place to restrict download of rogue applications and enable URL access specific to the operation of the device.”

Even if the device operator’s intentions are good, you don’t want the device used to access, say, Gmail. And then get a virus. Remember, many of the larger IoT medical devices run Windows, and may not have up-to-date malware protection. Or any malware protection whatsoever.
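One way to enforce the “URL access specific to the operation of the device” policy the study recommends is a default-deny egress check in front of the device’s embedded browser. The following is an added example, not code from the Zingbox report or from this post; the device classes, vendor hostnames and proxy log lines are constructed for illustration. It goes a little beyond the passage by also handling two bypass cases a practitioner would want covered: a lookalike host that merely ends in an allowed domain name, and a raw IP literal that sidesteps hostname-based policy.

```python
"""Default-deny egress allowlist for embedded browsers on connected medical devices.

Added example with constructed data: the device classes, allowed hosts and
proxy log lines below are illustrative, not from any vendor or study.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed per-device-class allowlists: the only hosts the embedded browser
# of each device class may reach. Entries starting with "." allow the domain
# itself and any subdomain; all other entries must match the host exactly.
ALLOWLIST = {
    "imaging-system": {"updates.imaging-vendor.example", ".pacs.hospital.example"},
    "infusion-pump": {"telemetry.pump-vendor.example"},
}
ALLOWED_SCHEMES = {"https"}


def host_allowed(host: str, allowed: set) -> bool:
    """True if host matches an entry exactly or is a subdomain of a '.domain' entry."""
    host = host.lower().rstrip(".")
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("."):
            # Suffix match on a label boundary: "node3.pacs.hospital.example" is
            # allowed, but the lookalike "evilpacs.hospital.example" is not.
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def evaluate_request(device_class: str, url: str):
    """Return (decision, reason) for one outbound request from a device."""
    allowed = ALLOWLIST.get(device_class)
    if allowed is None:
        return "deny", "unknown device class"  # default-deny for anything unregistered
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return "deny", f"scheme {parts.scheme!r} not permitted"
    host = parts.hostname
    if not host:
        return "deny", "no host in URL"
    try:
        ipaddress.ip_address(host)
        return "deny", "raw IP literal not permitted"  # would bypass name-based policy
    except ValueError:
        pass
    if not host_allowed(host, allowed):
        return "deny", f"host {host!r} not in allowlist for {device_class}"
    return "allow", "host in allowlist"


# Constructed proxy log lines in the form "<device-id> <device-class> <url>"
SAMPLE_LOG = """\
img-07 imaging-system https://updates.imaging-vendor.example/firmware/2.3.1
img-07 imaging-system https://www.ebay.example/item/1234
img-07 imaging-system http://updates.imaging-vendor.example/firmware/2.3.1
img-12 imaging-system https://evilpacs.hospital.example/login
img-12 imaging-system https://node3.pacs.hospital.example/dicom
pump-3 infusion-pump https://telemetry.pump-vendor.example/report
pump-3 infusion-pump https://203.0.113.9/report
"""


def audit_log(log_text: str):
    """Evaluate every log line; return a list of (device, decision, reason)."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        device, device_class, url = line.split(maxsplit=2)
        decision, reason = evaluate_request(device_class, url)
        results.append((device, decision, reason))
    return results


if __name__ == "__main__":
    for device, decision, reason in audit_log(SAMPLE_LOG):
        print(f"{device:8} {decision:5} {reason}")
```

Run as a script it prints one verdict per log line; in practice the same `evaluate_request` check would sit in the proxy or firewall policy engine, with denials feeding the device inventory so that a browser reaching for eBay from an imaging system shows up as a finding.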

When planning out IoT security, the device must be protected from the user, as well as from hackers. “IoT Security: How To Make The World Safe When Everything’s Connected,” published in Forbes, quoted Gerry Kane, Cyber Security Segment Director for Risk Engineering at The Zurich Services Corporation:

Information security must evolve with the times, Kane believes. “It’s not just about data anymore,” he said. “It’s an accumulation of the bad things that could happen when there’s a security breach. And consider the number of threat vectors that are brought into play by the Internet of Things.”

Human error poses another risk. Although these devices are supposed to operate on their own, they still need to receive instructions from people. The wrong commands could result in mistakes.

“Human error is always a big part of security breaches, even if it’s not always done with malicious intent,” Kane said.

Indeed, the IoT world is pretty dangerous… thanks to those darned end users.

Could anyone fall for this spam message that claims to be from American Express? Sure, it has pretty graphics, but come on. Look at all those typos. Look at sentences that don’t make any sense.

And really, we’re going to open that file? Amex would never ask you to download or click on a file. This particular file prompts you to provide personal information which could be used for identity theft – but it also could have contained ransomware or other malware.

Delete such messages immediately. Don’t click on links or open attachments, or reply to them.


This message came to one of my spam trap email addresses. So, this private jet company thinks that hoovering up addresses from websites is the best way to find customers. Maybe they’re right. In any case, it’s spam. Amusing spam, but spam nonetheless. (Plus, it is always suspect when the “from” email address is not the same as the “contact me” address in the body of the message.)

From: Thomas Panico [email address hidden]

Subject: Returned Jet Card Hours

All,

We just had a client return hours that they purchased on a Mid-Size Jet due to them being bought out by another bank that owns aircraft already and does not allow for chartering.

These hours are available on a first-come, first served basis at $347,500.00 for the remaining 62.5 hours.

That is $50,000.00 less than our current pricing. They can be broken up amongst fliers or brokers.

First-come, first serve to all fliers and the same to all brokers.

Please contact me at [email address hidden] or 646-896-3078 to secure any hours.

Thomas Panico
Director Of Jet Cards

Blockchain is a distributed digital ledger technology in which blocks of transaction records can be added and viewed—but can’t be deleted or changed without detection. Here’s where the name comes from: a blockchain is an ever-growing sequential chain of transaction records, clumped together into blocks. There’s no central repository of the chain, which is replicated in each participant’s blockchain node, and that’s what makes the technology so powerful. Yes, blockchain was originally developed to underpin Bitcoin and is essential to the trust required for users to trade digital currencies, but that is only the beginning of its potential.

Blockchain neatly solves the problem of ensuring the validity of all kinds of digital records. What’s more, blockchain can be used for public transactions as well as for private business, inside a company or within an industry group. “Blockchain lets you conduct transactions securely without requiring an intermediary, and records are secure and immutable,” says Mark Rakhmilevich, product management director at Oracle. “It also can eliminate offline reconciliations that can take hours, days, or even weeks.”

That’s the power of blockchain: an immutable digital ledger for recording transactions. It can be used to power anonymous digital currencies—or farm-to-table vegetable tracking, business contracts, contractor licensing, real estate transfers, digital identity management, and financial transactions between companies or even within a single company.

“Blockchain doesn’t have to just be used for accounting ledgers,” says Rakhmilevich. “It can store any data, and you can use programmable smart contracts to evaluate and operate on this data. It provides nonrepudiation through digitally signed transactions, and the stored results are tamper proof. Because the ledger is replicated, there is no single source of failure, and no insider threat within a single organization can impact its integrity.”

It’s All About Distributed Ledgers

Several simple concepts underpin any blockchain system. The first is the block, which is a batch of one or more transactions, grouped together and hashed. The hash is a tamper-evident checksum: anyone viewing the block can recompute it and see whether the contents have been altered. The block also contains the hash of the previous block, which ties the blocks together in a chain. This backward hashing makes it extremely difficult for anyone to modify a single block without detection, because the change also invalidates every block that follows it.

A chain contains collections of blocks, which are stored on decentralized, distributed servers. The more the better, with every server containing the same set of blocks and the latest values of information, such as account balances. Multiple transactions are handled within a single block using an algorithm called a Merkle tree, or hash tree, which provides fault and fraud tolerance: if a server goes down, or if a block or chain is corrupted, the missing data can be reconstructed by polling other servers’ chains.
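To make the two ideas above concrete (a block that commits to its previous block’s hash, and a Merkle tree that commits to the block’s transactions), here is a small hash-linked ledger. It is an added example, not code from the Oracle Magazine article or from any blockchain product; the block layout, field names and sample transactions are this example’s own. One caveat on the preceding paragraph: the Merkle root is what makes tampering with any single transaction detectable, while the ability to recover lost data comes from the replication across nodes, not from the tree itself.

```python
"""Hash-linked ledger with a Merkle root per block, showing what 'backward
hashing' and a 'hash tree' buy you. Added example, not code from the article
or any blockchain product; block layout and names are this example's own."""
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # the first block has no predecessor


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(transactions) -> str:
    """Hash each transaction, then pairwise-hash the level up to one root.
    An odd leaf is paired with a copy of itself. Note that this convention
    lets two different lists share a root, which production chains have to
    guard against (for example by rejecting duplicated hashes)."""
    if not transactions:
        return sha256_hex(b"")
    level = [sha256_hex(tx.encode()) for tx in transactions]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256_hex((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]


def block_hash(index: int, prev_hash: str, root: str) -> str:
    """Hash of the block header. It covers the previous block's hash, which
    is the link that makes the chain backward-verifiable."""
    header = json.dumps({"index": index, "prev": prev_hash, "root": root}, sort_keys=True)
    return sha256_hex(header.encode())


def make_block(index: int, prev_hash: str, transactions) -> dict:
    root = merkle_root(transactions)
    return {"index": index, "prev": prev_hash, "root": root,
            "txs": list(transactions), "hash": block_hash(index, prev_hash, root)}


def build_chain(batches) -> list:
    """Build a chain from a list of transaction batches (one batch per block)."""
    chain, prev = [], GENESIS_PREV
    for i, batch in enumerate(batches):
        block = make_block(i, prev, batch)
        chain.append(block)
        prev = block["hash"]
    return chain


def validate_chain(chain):
    """Return (True, -1) if every link, root and hash checks out, otherwise
    (False, position of the first block that is inconsistent)."""
    prev = GENESIS_PREV
    for pos, b in enumerate(chain):
        if (b["prev"] != prev
                or merkle_root(b["txs"]) != b["root"]
                or block_hash(b["index"], b["prev"], b["root"]) != b["hash"]):
            return False, pos
        prev = b["hash"]
    return True, -1


def tampered_copy(chain, pos: int, new_txs, recompute: bool = False) -> list:
    """Copy the chain and alter the transactions of block `pos`. With
    recompute=True the tamperer also fixes that block's root and hash, the
    way a careful insider would; the next block's 'prev' still exposes it."""
    t = copy.deepcopy(chain)
    t[pos]["txs"] = list(new_txs)
    if recompute:
        t[pos]["root"] = merkle_root(new_txs)
        t[pos]["hash"] = block_hash(t[pos]["index"], t[pos]["prev"], t[pos]["root"])
    return t


# Constructed sample ledger: three blocks of toy transfers.
SAMPLE_BATCHES = [["alice->bob 5"], ["bob->carol 2", "carol->alice 1"], ["alice->dave 7"]]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    edited = ["bob->carol 200", "carol->alice 1"]
    print(validate_chain(chain))                                     # (True, -1)
    print(validate_chain(tampered_copy(chain, 1, edited)))           # (False, 1)
    print(validate_chain(tampered_copy(chain, 1, edited, True)))     # (False, 2)
```

The third call is the point of the “backward hashing”: even when the altered block is made internally consistent, block 2 still carries the old hash of block 1, so a verifier holding a replica catches the edit one block later. To pass unnoticed, the tamperer would have to rewrite every later block on every replica.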

And while the chain itself should be open for validation by any participant, some chains can be implemented with some form of access control to limit viewing of specific data fields. That way, participants can view relevant data, but not everything in the chain. A customer might be able to verify that a contractor has a valid business license and see the firm’s registered address and list of complaints—but not see the names of other customers. The state licensing board, on the other hand, may be allowed to access the customer list or see which jobs are currently in progress.

When originally conceived, blockchain had a narrow set of protocols. They were designed to govern the creation of blocks, the grouping of hashes into the Merkle tree, the viewing of data encapsulated into the chain, and the validation that data has not been corrupted or tampered with. Over time, creators of blockchain applications (such as the many competing digital currencies) innovated and created their own protocols—which, due to their independent evolutionary processes, weren’t necessarily interoperable. By contrast, the success of general-purpose blockchain services, which might encompass computing services from many technology, government, and business players, created the need for industry standards—such as Hyperledger, a Linux Foundation project.

Read more in my feature article in Oracle Magazine, March/April 2018, “It’s All About Trust.”

Far too many companies fail to learn anything from security breaches. According to CyberArk, cyber-security inertia is putting organizations at risk. Nearly half — 46% — of enterprises say their security strategy rarely changes substantially, even after a cyberattack.

That data comes from the organization’s new Global Advanced Threat Landscape Report 2018. The researchers surveyed 1,300 IT security decision-makers, DevOps and app developer professionals, and line-of-business owners in seven countries.

The Cloud is Unsecured

Cloud computing is a major focus of this report, and the study results are scary. CyberArk says, “Automated processes inherent in cloud environments are responsible for prolific creation of privileged credentials and secrets. These credentials, if compromised, can give attackers a crucial jumping-off point to achieve lateral access across networks, data and applications — whether in the cloud or on-premises.”

The study shows that

  • 50% of IT professionals say their organization stores business-critical information in the cloud, including revenue-generating customer-facing applications
  • 43% say they commit regulated customer data to the cloud
  • 49% of respondents have no privileged account security strategy for the cloud

While we haven’t yet seen major breaches caused by tech failures of cloud vendors, we have seen many, many examples of customer errors with the cloud. Those errors, such as posting customer information to public cloud storage services without encryption or proper password control, have allowed open access to private information.

CyberArk’s view is dead right: “There are still gaps in the understanding of who is responsible for security in the cloud, even though the public cloud vendors are very clear that the enterprise is responsible for securing cloud workloads. Additionally, few understand the full impact of the unsecured secrets that proliferate in dynamic cloud environments and automated processes.”

In other words, nobody is stepping up to the plate. (Perhaps cloud vendors should scan their customers’ files and warn them if they are uploading unsecured files. Nah. That’ll never happen – because if there’s a failure of that monitoring system, the cloud vendor could be held liable for the breach.)
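The customer-side errors mentioned above are usually one mis-set policy, and that is something the customer can audit without waiting for the vendor. The checker below reads a bucket policy document in the AWS S3 bucket-policy JSON shape and reports any Allow statement whose principal is the wildcard. It is an added example, not code from CyberArk or from this post; both policy documents, the bucket names and the account ID in them are constructed.

```python
"""Find bucket-policy statements that open an object store to everyone.
Added example, not from the CyberArk report or the post; the policy
documents below are constructed in the AWS S3 bucket-policy JSON shape."""
import json
from typing import List


def _as_list(value) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_list(principal) -> list:
    """Flatten Principal ('*', {'AWS': '*'}, {'AWS': [...]}) to a list of ids."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        flat = []
        for value in principal.values():
            flat.extend(_as_list(value))
        return flat
    return _as_list(principal)


def public_grants(policy_json: str) -> List[dict]:
    """Return one finding per Allow statement whose principal is a wildcard.

    'conditioned' is True when the statement carries a Condition block. Treat
    those as 'needs review' rather than 'safe': conditions such as requiring
    TLS still leave the objects readable by anyone on the internet."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principal_list(stmt.get("Principal", {})):
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


# Constructed: the classic mistake, a world-readable export bucket.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::customer-exports-example/*",
    }],
})

# Constructed: access limited to one role, plus a Deny for non-TLS access.
# The Deny uses a wildcard principal too, but a Deny is never a public grant.
SAFE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExporterRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/exporter"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::customer-exports-example/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::customer-exports-example/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

if __name__ == "__main__":
    print(public_grants(OPEN_POLICY))   # one finding, sid PublicRead
    print(public_grants(SAFE_POLICY))   # []
```

A bucket policy is only one of the places a bucket can be opened up (ACLs and account-level settings matter too), so this is a unit of a larger audit, not the whole of it; the useful habit it demonstrates is reading the policy as data and asking “who is the principal?” before anything else.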

Endpoint Security Is Neglected

I was astonished that the CyberArk study shows only 52% of respondents keep their operating system and patches current. Yikes. It’s conventional wisdom that maintaining patches is about the lowest-hanging of the low-hanging fruit. Unpatched servers have been easy pickings for hackers over the past few years.

CyberArk’s analysis appears accurate here: “End users deploy a lot of technologies to protect endpoints, and they face many competing factors. These include compliance drivers, end-user usability, endpoint configuration management and an increasingly highly mobile and remote user base, all of which make visibility and control harder. With advanced malware attacks over the past year including WannaCry and NotPetya, there is certainly room for greater prioritization around blocking credential theft as a critical step to preventing attackers from gaining access to the network and initiating lateral movement.”

Many Threats, Poor Planning

According to the study, the greatest cyber security threats expected by IT professionals are:

  • Targeted phishing attacks (56%)
  • Insider threats (51%)
  • Ransomware or malware (48%)
  • Unsecured privileged accounts (42%)
  • Unsecured data stored in the cloud (41%)

Meanwhile, 37% of respondents say they store user passwords in Excel spreadsheets or in Word docs (hopefully not on the cloud).

Back to the cloud for a moment. The study says that “Almost all (94%) security respondents say their organizations store and serve data using public cloud services. And they are increasingly likely to entrust cloud providers with much more sensitive data than in the past. For instance, half (50%) of IT professionals say their organization stores business-critical information in the cloud, including revenue-generating customer-facing applications, and 43% say they commit regulated customer data to the cloud.”

And all that, with far too many companies reporting poor security practices when it comes to the cloud. Expect more breaches. Lots more.

Don’t be misled by the name: Serverless cloud computing contains servers. Lots of servers. What makes serverless “serverless” is that developers, IT administrators and business leaders don’t have to think about those servers. Ever.

In the serverless model, online computing power gets tapped automatically only at the moment it’s needed. This can save organizations money and, just as importantly, make the IT organization more agile when it comes to building and launching new applications. That’s why serverless has the potential to be a game-changer for enterprise.

“Serverless is the next logical step for computing,” says Bob Quillin, Oracle vice president of developer relations. “We went from a data center where you own everything, to the cloud with shared servers and centralized infrastructure, to serverless, where you don’t even care about the servers themselves.”

In the serverless model, developers write and deploy what are called “functions.” Those are slimmed-down applications that take one action, such as processing an e-commerce order or recording that a shipment arrived. They run those functions directly on the cloud, using technology that eliminates the need to manage the servers, since it delivers computing power the moment that a function gets called into action.

Both the economics and the speed-of-development benefits of serverless cloud computing are compelling. Here are four CEO-level insights from Quillin for thinking about serverless computing.

First: Serverless can save real money. In the old data center model, says Quillin, organizations had to buy and maintain expensive servers, infrastructure and real estate.

In a traditional cloud model, organizations turn that capital expense into an operating one by provisioning virtualized servers and infrastructure. That saves money compared with the old data center model, Quillin says, but “you are typically paying for compute resources that are running all the time—in increments of CPU hours at least.” If you create a cluster of cloud servers, you don’t typically build it up and break it down every day, and certainly not every hour, as needed. That’s just too much management and orchestration for most organizations.

Serverless, on the other hand, essentially lets you pay only for exactly the time that a workload runs. For closing the books, it may be a once-a-month charge for a few hours of computing time. For handling transactions, it might be a few tenths of a second whenever a customer makes a sale or an Internet of Things (IoT) device sends data.

For the rest of the list, and the full story, see my essay for the Wall Street Journal, “4 Things CEOs Should Know About Serverless Computing.”

DevOps is a technology discipline well-suited to cloud-native application development. When it only takes a few mouse clicks to create or manage cloud resources, why wouldn’t developers and IT operations teams work in sync to get new apps out the door and in front of users faster? The DevOps culture and tactics have done much to streamline everything from coding to software testing to application deployment.

Yet far from every organization has embraced DevOps, and not every organization that has tried DevOps has found the experience transformative. Perhaps that’s because the idea is relatively young (the term was coined around 2009), suggests Javed Mohammed, systems community manager at Oracle, or perhaps because different organizations are at such different spots in DevOps’ technology adoption cycle. That idea—about where we are in the adoption of DevOps—became a central theme of a recent podcast discussion among tech experts. Following are some highlights.

Confusion about DevOps can arise because DevOps affects dev and IT teams in many ways. “It can apply to the culture piece, to the technology piece, to the process piece—and even how different teams interact, and how all of the different processes tie together,” says Nicole Forsgren, founder and CEO of DevOps Research and Assessment LLC and co-author of Accelerate: The Science of Lean Software and DevOps.

The adoption and effectiveness of DevOps within a team depends on where each team is, and where organizations are. One team might be narrowly focused on the tech used to automate software deployment to the public, while another is looking at the culture and communication needed to release new features on a weekly or even daily basis. “Everyone is at a very, very different place,” Forsgren says.

Indeed, says Forsgren, some future-thinking organizations are starting to talk about what ‘DevOps Next’ is, extending the concept of developer-led operations beyond common best practices. At the same time, in other companies, there’s no DevOps. “DevOps isn’t even on their radar,” she sighs. Many experts, including Forsgren, see that DevOps is here, is working, and is delivering real value to software teams today—and is helping businesses create and deploy better software faster and less expensively. That’s especially true when it comes to cloud-native development, or when transitioning existing workloads from the data center into the cloud.

Read more in my essay, “DevOps: Sometimes Incredibly Transformative, Sometimes Not So Much.”

Such an obvious scam, but for some reason, I find it amusing. Is it that they don’t know how to spell out $2.6 million? Is it that they keep repeating the amount over and over again? Is it the implied legitimacy because of the FedEx link? Is it that they’re using a fake Israeli domain for sending, and a gmail domain for replies? Is it that they are asking for only $120 (don’t worry, they’ll want more later)? Is it the 100% money-back guarantee? Is it the claim of no hidden fees? (Ha ha ha)

Don’t reply to messages like this. Delete them right away.

From: “United Nations Liaison Office – Africa” [email address hidden]
Subject: Your ATM Card is Ready for Delivery
To: [email address hidden]
Reply-To: [email address hidden]

United Nations/IMF Assisted Program
Directorate of International Payment
United Nations Liaison Office – Africa

Dear Scam Victim,

Beneficiary:

This is to bring to your notice that I am a delegate from the United Nations to The IMF (International Monetary Fund) West Africa Regional Payment Office to pay 521 scam victims $2,600,000.00 USD (Four Hundred Thousand Dollars only) each. You are listed and approved for this payment as one of the scammed victims to be paid this amount, get back to me as soon as possible for the immediate payments of your $2,600,000.00 USD compensations funds. On this faithful recommendations, I want you to know that during the last U.N. meetings held at Abuja, Federal Republic of Nigeria, it was alarmed so much by the world in the meetings on the lost of funds by various individual to scam artist operating in syndicates all over the world today.

In other to compensate these victims, the U.N Body is now paying 521 victims of this operators $2,600,000.00 USD each in accordance with the U.N .recommendations. Due to the corrupt and in-efficient Banking Systems in Federal Republic of Nigeria, the payments are to be paid by UN officials sitting at IMF (International Monetary Fund) West Africa Regional Payment Office as corresponding payment center under funding assistance by United Nation body. According to the number of applicants at hand, 284 Beneficiaries has been paid, half of the victims are from the United States, and we still have more 237 left to be paid the compensations of $2,600,000.00 USD each.

ATM VISA Card: We will be issuing you a custom pin based ATM card which you will use to withdraw up to $10,000 per day from any ATM machine that has the Card Logo on it. Also with the ATM card you will be able to transfer your funds to your local bank account. The ATM card comes with a handbook or manual to enlighten you about how to use it. Even if you do not have a bank account.

Check: To be deposited in your bank for it to be cleared within three working days.Your payment would be sent to you via any of your preferred option and would be mailed to you via FedEx. Because we have signed a contract with FedEx which should expire by the end of February 2018 you will only need to pay $120.00 instead of $454.00 saving you $369.00! So if you pay before February 20th you save $334.00 Take note that anyone asking you for some kind of money above the usual fee is definitely a fraudsters and you will have to stop communication with every other person if you have been in contact with any. Also remember that all you will ever have to spend is $120 nothing more! Nothing less! And we guarantee the receipt of your fund to be successfully delivered to you within the next 24hrs after the receipt of payment has been confirmed.

Note: Everything has been taken care of by the Federal Government including taxes, custom paper and clearance duty so all you will ever need to pay is $120. DO NOT SEND MONEY TO ANYONE UNTIL YOU READ THIS: The actual fees for shipping your ATM card is $454 but because FedEx have temporarily discontinued the C.O.D which gives you the chance to pay when package is delivered for international shipping as stated on their website:

http://fedex.com/us/international/irc/profiles/irc_ng_profile.html?gtmcc=us#C10

We had to sign contract with them for bulk shipping which makes the fees reduce from the actual fee of $454.99 to $120 nothing more and no hidden fees of any sort! To effect the release of your fund valued at $2.6million you are advised to contact our correspondent in west Africa the delivery officer Wali Ibrahim with the information below:

Name: Mr. Wali Ibrahim
E-mail: [email address hidden]
Tel: +234 9095134207

On contacting him do provide him with the following information:

Your full Name………….
Your Address:…………..
Occupation:……………..
Home/Cell Phone:…………..
Preferred Payment Method (ATM/Cashier Check):

Upon receipt of payment the delivery officer will ensure that your package is sent within 24 working hours. Because we are so sure of everything we are giving you a 100% money back guarantee if you do not receive payment/package within the next 24hrs after you have made the payment for shipping.

Yours sincerely,

Ms. Adekunle Bola
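Both the jet-card spam earlier on this page and the scam above share one mechanical tell: the address you are asked to reply to, whether in a Reply-To header or as a “contact me” address in the body, lives on a different domain than the one the message claims to come from. That is cheap to check automatically, which is how a mail gateway or a SOC triage script would do it. The heuristic below is an added example, not code from this post; the two sample messages are constructed on reserved example domains, and the rule is intentionally only one signal among several a real filter would weigh.

```python
"""Flag messages whose reply path leads to a different domain than the
sender claims. Added example, not code from the post; the two sample
messages below are constructed on reserved example domains."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_of(header_value: str) -> str:
    """Lower-cased domain of an address header ('Name <user@host>' or bare)."""
    _, address = parseaddr(header_value or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def body_text(msg) -> str:
    """Collect the text/plain parts of a message (one part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def reply_path_findings(raw_message: str) -> List[str]:
    """Return human-readable findings for a raw RFC 822 message.

    Two checks: a Reply-To header on a different domain than From, and any
    address written in the body whose domain differs from From. An empty
    list means this heuristic saw nothing odd (it is one signal, not a verdict)."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    findings = []
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    for address in sorted(set(ADDRESS_RE.findall(body_text(msg)))):
        if address.rsplit("@", 1)[-1].lower() != from_domain:
            findings.append(f"body contact {address} is not on From domain {from_domain}")
    return findings


# Constructed: the shape of the scam above, sent from one domain with the
# reply path and the "contact our officer" address both pointing elsewhere.
SAMPLE_SCAM = """\
From: "Compensation Office" <office@example.org>
Reply-To: payments.desk@example.net
To: recipient@example.com
Subject: Your payment is ready

Contact our delivery officer at officer.desk@example.net to release your funds.
"""

# Constructed: an ordinary notice where every address stays on one domain.
SAMPLE_LEGIT = """\
From: billing@example.com
To: recipient@example.com
Subject: Your statement is available

Questions? Write to support@example.com and quote your account number.
"""

if __name__ == "__main__":
    for name, raw in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(name, reply_path_findings(raw))
```

Note what the rule does not do: it does not try to judge typos, urgency or the size of the promised windfall. Those are the things the human eye catches; the domain mismatch is the thing software catches reliably, and the two complement each other.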