Real Life Lessons: The Story
- At January 22, 2008
- By Josh More
- In Business Security
I will sometimes have friends over. This blog series starts with an event that occurred after a small gathering and then veers into a security analysis. It is my hope that it is as educational for you as it was for me.
We ended the night much later than planned, and since I had a busy morning, I neglected my normal nightly routine. Thus, that night, I neglected to arm the security system. I also assumed that my friends had locked the door as they left. As I am sure you can tell, this does not bode well…
Later that night, I awoke to the smell of smoke. While unpleasant and unusual, my neighbor is a smoker and when the wind is just wrong, I sometimes get a whiff of it in my bedroom. Since it was definitely cigarette smoke that I smelled, I went back to sleep. Then, a bit later, I woke up to my cats acting oddly. Not terribly unusual, but strange enough that I probably should have checked it out. Being half asleep, I didn’t. Instead, I just closed my bedroom door to keep my cat from bugging me. This is the part that I’m kicking myself over.
Why?
Well, once I finally wake up, I go about my normal morning routine. During this process, I see a pair of shoes on my living room floor that had not previously been there. Looking up, I see a young man sleeping on my couch, who had also not previously been there.
This is a situation for which I did not have a ready response.
Since it was dark, I considered the possibility that one of my friends couldn’t start his car or had gotten kicked out of his house (unlikely, but not outside the realm of possibility, especially given how late we broke up the party) and came back to my place for lack of anywhere better to go. Another possibility was that a stranger had broken in (unlikely) and taken a nap on my couch (considerably more unlikely). Obviously, the way to determine which of these two possibilities was occurring was to turn on a light somewhere.
First, however, I decided to put on some pants. *shrug* it just seemed like a good idea.
Given that I was going into an unfamiliar situation, I decided that preparation would be wise. I grabbed my sword from my bedroom (I don’t own a gun, but that’s a completely different post), and entered 9-1-1 (but did not hit “send”) on my cell phone prior to waking the individual. I then turned on the light in the kitchen, so that I would have enough to see by, and positioned myself between the man (boy? Not really sure. He seemed to be in his (very) young twenties.) and the light (maximizing my visual advantage), and started prodding him.
He is probably not the only person in Des Moines to wake up that night in a strange place, utterly confused and hung over. He is, however, likely the only one to wake up with a sword at his throat.
He was quite apologetic.
In response to my questions, I learned that he had been drinking last night (he said “a lot”) and that the last thing he remembered was thinking that it was too cold and he had to go inside. He then gathered his shoes and windbreaker(!) and left, asking only what part of the city he was in. I locked the door behind him.
I elected not to call the cops, as I suspect that he had just learned a lot in those sixty seconds, and I have no desire to ruin someone’s life over a single stupid mistake.
So, what did I learn from this experience?
- When suddenly finding myself in a potentially dangerous situation, I am calm and logical. I have suspected this for a while, but it’s nice to have the (very) occasional confirmation.
- I was in complete control of the situation from the moment I became aware of it. While I am not a control freak, it is nice to know that I have that in me when it is needed.
- At no point was I afraid. Concerned, yes. Afraid, no. I like that.
- Even though I hardly ever use the front door (garage is in the back), I need to check that door nightly and not assume it is locked. I do always check the back door.
- I need to be better at arming the security system at night than I have been. I used to be an extremely light sleeper, but I can apparently no longer rely on my ability to wake up at the slightest noise. (I guess living in a city has changed me.)
- It was stupid of me to ignore the subtle indicators that did wake me up. I need to be better at checking those out.
So, in conclusion, I did some very negligent things that resulted in a situation that should never have occurred. This is bad. However, once in that situation, I think that my reaction was acceptable. There is, however, ample room for improvement. We shall explore the lessons learned in greater detail in future posts.
Twenty years of X11
- At December 05, 2007
- By Josh More
- In Business Security
As some of you know, I do the occasional technical edit for a book. I find it relaxing, interesting, and educating.
Hey, you have your hobbies, I have mine.
Anyway, I recently completed editing Chris Tyler’s X Power Tools – a book on how Unix and Linux systems handle windows and such. It made me think a bit. See, X11 was released in 1987. Back then, I wasn’t terribly interested in learning its intricacies, being far more involved in learning how to ride a bike and catch a ball. (The “catching a ball” bit took many more years to master, perhaps I should have focused on X11 instead). As I recall, in 1987, there was a small amount of discussion on the relative merits of NeWS vs X11, however most people were more concerned with issues like the Iran/Iraq war, the world population reaching five billion people and the Iran-Contra affair. At the same time that Bob Scheifler and Jim Gettys were writing X11, Los Lobos were writing their version of “La Bamba” and Peter Wolf (Wang Chung) was writing “Everybody Have Fun Tonight”.
So, fast forward by twenty years and join me here in 2007. The world population is now 6.6 billion, no one really thinks much about the Contras, and I suspect that a lot fewer people are dancing around singing “La Bamba”. However, an estimated 29 million people are using X11. That’s more people than are listening to Wang Chung (I hope).
So, what is it that gave this humble display protocol such staying power and allowed its usage to increase while other 1987 events are hardly even recognizable? Perhaps it is that X11 is inherently visual, rendering it usable from China to India to the US? I’m sure that the average Chinese computer user has a bit more trouble understanding Los Lobos. Perhaps it is the fact that it was built by a unified team and released to the world for free, thus eliminating the need for a middle man like Oliver North.
Perhaps. . . But I don’t think so.
See, I use X every day. I have since around 1999. However, at no point do I wake up and think “Yay! I get to use the X11 display system today!”. No, I just sit down at my computer and get to work. I move windows from desktop to desktop. I make them big, make them small, and make them hide away like little frightened squirrels. And these days, I even make them translucent, wobbly, three dimensional, and can set fire to them if I get bored (the windows, not the squirrels). Sure, I may get a small feeling of glee when I make a window burn up and go away, but am I sitting here thinking about all the work that Bob Scheifler and Jim Gettys put into the system to allow me to be nonproductive in such an enjoyable way? No, I just sit there and use the system.
There are three other systems that I use on a daily basis without thinking about it. When I wake up, I turn off my alarm clock, turn on my light, take a shower, get dressed, open the garage, drive into work, park, lock the car, and start my day. To do so, I use the electrical system, the water system, and highway system. At no point am I blessing Tesla and Edison, or the Romans… or the Romans. (Wow, those Romans were a smart bunch, weren’t they? Too bad about the lead poisoning.)
Nope, I just use them because they are there. That’s what infrastructure is for. You can tell when a technology moves from being “technology” to “infrastructure” when you no longer notice it. A widget is a thing that is either bright and shiny or breaks when you need to use it. Sadly, these two often go together. Infrastructure is something that you never notice until it fails to give you the seamless experience that you are used to.
Note that. The key difference is not that infrastructure is noticeable when it breaks… it’s noticeable when it breaks and keeps working. You complain about the power company when there are brown outs, the water company when the water tastes funny, and the DoT when the roads get pot-holes. In all of these cases, you can still use your devices, drink your water, and get to work. It’s just not as pleasant as it was before. That’s huge. It means that the technology got so close to perfect that you don’t notice it anymore.
That’s the beauty of X11. When I was first starting with Linux, it was sometimes hard to get it to work (See Basic X.Org Configuration). Then, as I got better, I would sometimes run into some odd problems (See Advanced X.Org Configuration). I used to have problems with fonts and colors (See the Fonts and Colors sections). More recently, I have needed to build kiosks (Yep, there’s a Kiosk section) remotely access servers (That in the book too) and turn on fancy effects (I’ll let you guess on this one).
Today, I can use X11 and the tips in X Power Tools to:
- Build one server that can give up to 10 school children their own desktop . . . simultaneously
- Build a kiosk system that provides point of service for years without maintenance
- Configure a single interface that works identically on an 800×600 CRT monitor, a 5120×3200 LCD wide-screen monitor, an HDTV, or even a normal (old school) television
- Connect to a server on the other side of the world and see a graphical screen just as if I were sitting in front of it
- Use a keyboard and mouse from 1987, 1997, or 2007 — often without a configuration change. I can use strange hardware such as tablets, touch-pads, and high-end multi-head video cards
I can do all of this with the same protocol developed in 1987. That’s good design.
I learned to do all this in the same amount of time that it took me to learn to catch a ball. I can do it as easily as riding a bike. If I had had Chris Tyler‘s book in 1999, I could have done it much more quickly and easily. That’s good writing.
So, if you use a computer and want an edge over the extra 1.4 billion people that will be here by 2027, if you’re tired of listening to Wang Chung and Los Lobos, or if you don’t want to think about the upcoming Iran/Iraq war, then pick up a copy of X Power Tools. Take a few hours and learn about the past, present, and future of how people use computers.
Have some fun tonight.
Solutions are everywhere
- At August 06, 2007
- By Josh More
- In Business Security
One aspect of my job that people simultaneously do not understand and think is marketing speak is that of custom solutions generation.
This is often described as “We don’t sell products, we sell solutions.” or “Clients all have different needs, instead of fitting each one into the same box, we build a custom box for each client.” It’s a good story, but what does it actually mean?
The problem with explaining it is that most of what I do for one client would make absolutely no sense for another, which leaves us to speak only in generalities. Of course, when you do that, people get bored and drift off. So today, I’m going to try to do it differently.
Over the weekend, the following news story was released. The attention-grabbing headline was “China tells living Buddhas to obtain permission before they reincarnate”. Of course, being in the business I am in, I immediately had the following thoughts:
- Boy is that an implementation headache
- China just created another branding problem for themselves
So, I am going to look at this problem from an IT/Business perspective. Suppose for the moment that China hired me as a consultant, and they posed the problem. This is how things might evolve:
China: Welcome. We need to prevent the Dalai Lama from re-incarnating. We’d like you to help.
Me: OK, we’re starting a bit early here. Let’s take a step back and reconsider the problem.
China: The Dalai Lama has too much power in Tibet, we need to be able to control things over there.
Me: Alright, if I am hearing you correctly, you are saying that you perceive the situation in Tibet as a threat to China.
China: Right.
Me: Now, from what I know about Tibet/China relations, one of the reasons that Tibet is a threat is that China puts increasing control over Tibet, and the people don’t like that, right?
China: Well, maybe.
Me: I fully understand your need to keep your people safe, but let’s consider what might happen if you were to ban reincarnation…
Me: It seems to me that, since many people in Tibet are already reincarnating, this policy would either be ignored or would seriously upset the population.
China: Hmmm.
Me: Now, suppose you could ensure that the policy would be followed by increasing the military presence in Tibet.
Me: What would that cost?
-China pulls out an envelope and runs a few numbers.
China: Umm, that would take 50 million troops, at 85 yen per day blah blah blah (I’m not even going to pretend that I know what it would cost China to fully invade Tibet).
Me: That sounds like a lot of money.
China: Yeah.
Me: So let’s look at the other option. Suppose that the people feel compelled to follow the policy, but get upset. What would you do in that situation?
China: Send in the troops.
Me: So the cost for that would be…
China: Oh.
Me: So maybe this isn’t the best solution to your problem. Let’s brainstorm a few others right now.
Let’s compare this to the standard IT solution that does not consider the entire business case:
China: Welcome. We need to prevent the Dalai Lama from re-incarnating. We’d like you to help.
GenericIT: Sure, we can do that for you.
GenericIT: First things first, we need to install a firewall on each of your reincarnate lamas, to block outbound soul migration.
GenericIT: We recommend using SoulShield.
GenericIT: Next, you’ll need a maintenance plan for each firewall, and we recommend that you install a country-based reincarnation detection system in Tibet, so you can find when souls are trying to break out of containment.
GenericIT: You’ll need one CRDS installed in each of Ngari, Tsang, Ü, Amdo and Kham
GenericIT: Now, who will manage the system? Do you want the hassle of manually allowing reincarnations, or would you like us to do this as a managed service for you?
China: Umm, get us a quote on both options.
GenericIT: Sure, no problem.
-GenericIT doodles on back of envelope.
GenericIT: Well, we think we have what we need. We’ll get back to you next week with two quotes.
Now, I ask you to consider two things.
- If you were China, which long-term solution would be best?
- If the technical solution fails to work 100%, what are the chances of GenericIT’s contract being renewed at the end of the year?
Retractable Doorknobs?
- At July 30, 2007
- By Josh More
- In Business Security
Merlin Mann of 43 Folders fame, just posted a link to a new doorknob design. (Merlin’s Post, Doorknob)
Basically, the doorknob is built so that it can physically retract into the door when the person on the inside wishes to not be disturbed.
Clever idea, but ultimately flawed. I’d like to discuss this from three perspectives.
Security
I anticipate that we will start seeing technology like this advertised as a new security tool. On the surface, it makes sense. If the doorknob isn’t there, an intruder can’t get in, right?
Wrong. To draw an analogy to IT security, having a retractable doorknob is like having a user account without a login. If the intruder can only get in through the door, then you did well and blocked the bad guy. However, the security of a system is only as strong as its weakest link. On a house, having a doorknob that is sometimes absent only prevents someone from coming in through the door. They could still break a window, saw through the siding, or kick the door in. In a hotel, it’s somewhat better, as most of the direct access points are either in public areas or sufficiently high to cause problems getting in. However, the door could still be kicked in and the room ransacked quickly enough to allow the perpetrator to get away.
This invention does not significantly enhance security.
Social
Socially, all that this invention does is inform someone who is outside the door that the person inside wishes to be left alone. Traditionally, this is done with a little sign that says “Please do not disturb” and such.
I suspect that, in practice, this invention would result in more people knocking on the door to ask “Hey, where’s your doorknob?” than it would actually limit intrusion. Humans understand what a sign means. It’s been part of our culture for hundreds of years. People don’t understand what a retracting doorknob means. Much like the famous pay-to-ring doorbell, people can subvert the system as easily as knocking on a door. Unless this is paired with an un-knockable door, it does not improve the social situation. Instead, it hinders it.
Business
Here we get down to brass tacks. Who is going to buy this thing? Probably hotel managers and builders. Possibly apartment managers. Possibly condominium builders. And why would they buy it?
Because it looks cool. Really, it does look remarkably cool, and as such, will be very popular with people trying to make places that appear “trendy”. Of course, one year from installation, most of the doors will be covered with stickers saying “Please do not knock” and “No door knob means do not disturb.”
Why?
Because people already know what signs mean.
Experience
- At June 26, 2007
- By Josh More
- In Business Security
I’m sitting here thinking about experience. At one point or another, we’ve all been in the position where we see a cool job posting, and think “Hey, that job is just perfect for me!”. Then, we read further and see something like “candidates must have five or more years experience”, where the amount of experience required always exceeds the amount that you have. For years, that always bothered me, because I thought that there’s more than experience that matters, there’s also how good you are at what you do.
For example, let’s pick a technology like perl. I’ve been using perl since 1999. I’m better than probably 80% of perl programmers in perl. So, logically, that means that I should have a skill level of (2007-1999) * .80 = 6.4 skill-years.
However, for a more complex example, I’ve been using iptables since about 2004. Before that, I did a little bit with ipchains, but not much. Suppose I’m better than 60% of sysadmins at using iptables, but only better than 20% of users at ipchains (iptables’s predecessor). Is my skill level (2007-2004)*0.6 = 1.8 skill-years or (2004-2002)*0.2 + (2007-2004)*0.6 = 2.2 skill-years? Obviously, were we to be using this system, I’d put 2.2 on my resume.
You can see how it could get confusing, which explains why there is a lot of “x-years experience in y” notes out there. It’s an easier system.
I think that there’s more to it than that though. I’ve been at Alliance long enough now, that I’m starting to see a pattern. My boss has been with Alliance since he was an intern. Now he’s the COO. That’s a lot of experience in years, but very very few in the technology that we’re using today. In previous jobs with previous bosses, I would draw a conclusion like “yeah, he’s got a gazillion years of experience, but he’s not better than anyone I know at the tech”, leading to (gazillion)*0.0 = 0 skill-years. That’s not how it works in reality though.
We just had a conversation today about backups. We are using a backup technology that my boss doesn’t know. However, he knows how backups worked back in the days of the Vax. He extrapolated from then until today, and we discussed the issues at a high-concept level. See, even though he had 0 experience in this technology, his years of experience in general helped out a lot. And he does this in almost every conversation we have.
Nutshell: Experience is important. Skill level is important. The ability to draw upon both experiences and skill level and apply it to new problems trumps them both.
Web 2.0
- At June 24, 2007
- By Josh More
- In Business Security
Several weeks ago, I gave a talk at the local meeting of the Association of Legal Administrators. They had asked me to discuss Web 2.0, and what it might mean for business. This is what I discussed. (Here is the handout that I prepared for my talk.)
While there are numerous articles and postings floating about the Internet regarding Web 2.0, most of them focus on the technical differences. From a business perspective, there are four things that distinguish legacy Web-based applications from Web 2.0. They are:
- In-browser responsiveness
- Always-on services
- Pull vs Push
- Finer Granularity
In-browser responsiveness
The fact that Web browsers have matured, and are capable of doing a lot more than simply viewing Web pages has made the difference here. One of the big changes here is that Web browsers can now handle much of the graphical experience directly. In other words, you are now able to use techniques like “drag and drop”, “double-click”, and “wizards” in Web applications. This has resulted in Web applications that are just as functional as the applications that run directly. However, you also get the advantage of being able to run these applications from anywhere that has an Internet connection, and without worrying about the specific operating system of your computer.
Always-on services
In the past several years, broadband access to the Internet has become quite prevalent in business regions. This means that businesses can access Web applications quickly and reliably. Similarly, server and clustering technology has matured, which means that hosted services have become much more stable. These two factors combine to result in an environment that provides Web applications 24×7, with no increased cost for when and how long they are accessed. This small change has resulted in a shift in the working day, where employees are spending increasing amounts of time online, both at work and at home.
Pull vs Push
In the old days, if you wanted up-to-date information, you would either have to check Web pages manually or step outside of the Web and get your updates via email. Now, however, there are technologies such as RSS/ATOM, which allow you to subscribe to various information sources. This small shift, from the user needing to go to the information to the information coming to the user, has dramatically accelerated information exchange on the Web. This allows social networks to be built and extended much more quickly than word of mouth or email/usenet-based networks. The result is a social amplification effect: if something of interest occurs, it quickly becomes more positive or negative depending on the number of people that pick up the story and discuss it within their social networks.
Finer Granularity
Much as children graduate from large building blocks to smaller ones as they grow, we have seen the parts of which the Web is built shrink over the last few years. From a technical perspective, this allows people to build increasingly complex applications. From a non-technical perspective, this means that applications are quickly extended and can grow very quickly. Competition occurs at a more rapid pace, and services must compete on ease-of-use, as functionality is easily duplicated.
Analysis
So, what does all this mean to business? First of all, the fact that these services exist and are available everywhere means that your employees can be more productive working at home. However, the flip side of this, is that they can just as easily access their personal systems from work. There are two common ways to deal with this challenge.
- Ban your employees from working on personal items at work.
- Allow employees to work on what they wish when they wish, but hold them accountable to deadlines and other measurable goals.
Most companies are selecting the first option, which is regrettable, as productivity often increases with the second. Additionally, high-performing employees may be attracted to companies following option two, leaving companies that follow option one with a staff of people that need to be micromanaged — at a higher management cost.
The other concern about using Web 2.0 in business is that of data control and ownership. If you are using a service, then the data involved is often stored outside of your environment. This means that you cannot backup the data or control who sees it. Sadly, there are few ways to address this problem, so I just suggest that you look at the SLA of any service before you commit your business to it. Eventually, I am certain that these services will allow you greater control of your data.
Lastly, I encourage you all to take a look around and decide how your company will use Web 2.0, because if you don’t, then your employees will decide for you.
Be careful on social networking sites
- At March 27, 2007
- By Josh More
- In Business Security
2
I found an interesting security-related attack this morning, based on flickr. Technical details are below, if you are so inclined. The short form is: “If someone leaves you a comment and a URL on flickr (or some other social site), and you do not know them, do NOT click on the link.”
Details:
I started my morning by uploading a set of photos to flickr. Almost immediately, I got a comment from a user that I did not recognize. By itself, that’s not unusual. However, what follows triggered my “weirdness” alarms.
The comment read as follows:
“This is such a cool pic, good work! I Love viewing your stream. I Recently constructed a gift for all of my favorite flickr users, you were included, so i would be honored if you can accept it and tell me if you like it or not! Thankyou!”
Then, there was a link. As it turns out, the link was to a windows executable, but it could just as easily have been to something harder to detect. What I did next is what saved me (or would have, had my system not been Linux which protected me anyway… from this attack).
Since I didn’t know the user, I checked out her profile. Interestingly, none of my photos were tagged as her favorites. Also, I was not listed as one of her contacts. So, if I wasn’t someone she knew well enough to keep track of that way, why would she be offering me a “gift”?
I poked a bit further, and found that the file behind the link was on a website having something to do with paintball. That’s odd, but not necessarily a bad thing. However, as she neither had any photos about paintball nor listed paintball as an interest, I became more suspicious. Also, the file was stored in http://site/calendar/ws/PhotoSeries3412
Those who are not in the industry might not know, but this means that it’s located within the WebCalendar application, which is not a normal place to store files. Additionally, there have been security problems with older versions of this application, so it was highly likely that the site was hacked.
I downloaded and scanned the executable, and it came back clean. But, to be safe, I decided to contact SANS (an excellent security group), and they helped me to track down the rest of it. It turns out that the exe file is a “trojan dropper”. It connects to another site to download the nasty bits. That way, it can bypass antivirus and other security measures.
SANS is contacting the site hosting the malware, and I will be contacting flickr. I suspect that flickr already knows, as they deleted the comment fairly quickly. However, they did not delete it from the RSS feed, which is how I read them. I will let flickr contact the user whose account was hacked.
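As an added example (not code from the original post, nor from flickr or SANS), here is a small Python triage routine that applies the indicators the post walks through to a comment link before anyone clicks it: the commenter does not list you as a contact, has not favorited the photo, the link ends in an executable extension, and the path sits under the WebCalendar directory. The `Profile`/`Comment` structures, the verdict thresholds, the hostname-versus-interests heuristic and all sample data are assumptions constructed for illustration; the last function checks a downloaded file by its MZ/PE headers rather than by its name.

```python
"""Triage a link left in a photo-sharing comment, using the indicators from the post.

Added example; names, thresholds and sample data are assumptions, not the post's own.
"""
from __future__ import annotations

import posixpath
import struct
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Extensions a browser hands to Windows as a program rather than displaying.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}

# Path prefixes that belong to a web application, not to a site's download area.
# "/calendar/ws/" is the WebCalendar path from the post; extend per your environment.
WEB_APP_PATHS = {"/calendar/ws/": "WebCalendar"}


@dataclass
class Profile:
    """What the recipient can see about the commenter without following the link."""
    username: str
    contacts: set[str] = field(default_factory=set)   # users they list as contacts
    favorites: set[str] = field(default_factory=set)  # photo ids they favorited
    interests: set[str] = field(default_factory=set)  # tags / stated interests


@dataclass
class Comment:
    author: Profile
    photo_id: str       # the photo the comment was left on
    photo_owner: str    # the recipient's username
    link: str


def link_indicators(url: str) -> list[str]:
    """Indicators derived from the URL alone; no request is made."""
    hits = []
    path = urlparse(url).path.lower()
    ext = posixpath.splitext(path)[1]
    if ext in EXECUTABLE_EXTENSIONS:
        hits.append(f"link points at an executable ({ext})")
    for prefix, app in WEB_APP_PATHS.items():
        if path.startswith(prefix):
            hits.append(f"file hosted under {app} path {prefix}; possible compromised host")
    return hits


def relationship_indicators(comment: Comment) -> list[str]:
    """Indicators from the commenter's profile, as the post checked them by hand."""
    hits = []
    author = comment.author
    if comment.photo_owner not in author.contacts:
        hits.append("commenter does not list the recipient as a contact")
    if comment.photo_id not in author.favorites:
        hits.append("commenter has not favorited the photo they praise")
    # Weak signal: a host whose name shares nothing with the commenter's interests.
    host = urlparse(comment.link).hostname or ""
    host_words = {w for w in host.replace("-", ".").split(".") if len(w) > 3}
    if host_words and not host_words & {i.lower() for i in author.interests}:
        hits.append("link host has nothing in common with the commenter's stated interests")
    return hits


def triage(comment: Comment) -> tuple[str, list[str]]:
    """Verdict plus reasons: an executable from a non-contact is never worth the click."""
    reasons = relationship_indicators(comment) + link_indicators(comment.link)
    stranger = comment.photo_owner not in comment.author.contacts
    executable = any(r.startswith("link points at an executable") for r in reasons)
    if stranger and executable:
        return "do not click", reasons
    if len(reasons) >= 2:
        return "suspicious", reasons
    return "low", reasons


def looks_like_windows_executable(data: bytes) -> bool:
    """Judge a downloaded file by its headers, not its name: 'MZ' at offset 0 and
    'PE\\0\\0' at the offset stored little-endian in e_lfanew (bytes 0x3c-0x3f)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def constructed_pe_stub() -> bytes:
    """Constructed bytes carrying only the two signatures; not a real program."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample modelled on the post (host and ".exe" suffix are assumptions).
SAMPLE = Comment(
    author=Profile("unknown_user", contacts={"someone_else"}, interests={"cats"}),
    photo_id="photo-1", photo_owner="recipient",
    link="http://paintball-example.invalid/calendar/ws/PhotoSeries3412.exe",
)
BENIGN = Comment(
    author=Profile("friend", contacts={"recipient"}, favorites={"photo-1"},
                   interests={"example"}),
    photo_id="photo-1", photo_owner="recipient",
    link="http://example.invalid/photos/vacation.jpg",
)

if __name__ == "__main__":
    for c in (SAMPLE, BENIGN):
        verdict, reasons = triage(c)
        print(c.author.username, verdict, *reasons, sep="\n  ")
```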
