Todd Kwon-Do

Wednesday, July 30, 2008

Virtually Indispensable

Ten years ago this October, Envision Technology Advisors was incorporated. Our first client hired us to replace an aging Novell network that was crashing multiple times each day. Their Internet access was a 56k (fast at the time) dialup connection that was shared among the 20 users with a little piece of equipment called a “webramp”. Their “email server” was running on an old laptop and it checked for new email twice a day.

I clearly remember replacing that network and how great it was to add a second dialup to their internet access. Everyone marveled at the speed that two dialups delivered! It was so fast that we changed the mail server to check four times a day and patted ourselves on the back as our new Windows NT 4.0 server ran the network.

Technology has changed a lot since then. Windows NT hasn’t been supported for years now, and I would bet that there are people that will read this who have never used a dialup Internet connection. The one constant though is the aggravation that I feel after I roll out some new technology in one place and then have to work in other networks that don’t have it yet.

The reality is that not everyone can afford to be on the leading edge. However, as a consultant, it sucks to know what the available technologies are capable of and to not have those resources at your disposal. If you can imagine how it would feel to watch a client ride to work on a donkey everyday when lots of your other customers just bought BMW’s then you can start to catch my meaning.

Today the BMW is virtalization and centralized storage, and the donkey is pretty much everything else. With a well designed virtualization and storage platform, a computer network can deliver high availability that was previously reserved for fortune 500 companies.

Just last night, one of our engineers started a vendor mandated upgrade on a database application for a customer that has this technology in-place. The upgrade crashed the server. In a conventional network, we would have had to work all night to put that back together. However, for this client, we clicked the mouse about 5 times and the entire server was recovered to the state it was in moments before we had started the upgrade. It was as if nothing ever happened. There was no downtime, and our engineers were on their way home 15 minutes later.

Aside from the disaster recovery and uptime benefits, virtualization also reduces long-term IT costs. In fact, if the customer from last night didn’t have this technology in-place there would have been a huge bill for the all-nighter we would have had to pull to recover their systems. In that one moment, the storage platform saved that company about $1,500 in operational expenses. It only has to do that a handful of times for it to pay for itself.

As if all of that wasn’t enough, these technologies are a great way to jump on the “Green” bandwagon. The point of this technology is to do more with less. A virtualized environment typically employs significantly fewer servers. This means less waste, less electricity, and less heat generation which means less air conditioning. All the way around, these technologies reduce your carbon footprint and make mother earth smile!

Is it hard to get started with Virtualization? NO! All you need is a desire to save money, have better uptime, and to do the right thing for the planet. That is why Envision is focused on these technologies. It’s a great feeling to sell something that is such an easy win for everyone involved.

So why do some companies try to ride that donkey until it drops dead? The most likely reason is that no-one has ever told them not to. According to VMWare, 96% of small businesses run on conventional computing technology and have not yet switched to virtualization. Their IT people may fear change, or it could be that their IT company isn’t trained in these technologies so they are keeping their clients in the dark.

Whatever the reason, my advice is that you should ask your IT people or your consultants about virtualization. If you don’t know what questions to ask, feel free to email me at Todd@envisionsuccess.net or call at 401-272-6688 and ask for Todd Knapp. Any of our engineers will be happy to spend some time talking to you about how you can leverage these solutions to streamline your business and at the same time give the planet a helping hand.

I guess I should get back to work now. I am very busy watching a server in its fourth hour of a data transfer. This would have taken about 3-5 minutes if the client had centralized storage. [sigh]

posted by Todd @ 11:59 AM 0 Comments

Todd Kwon-Do

Wednesday, July 23, 2008

He should have carried a pack of Mentos....

The best thing about Mentos (according to the commercials) is that you can get away with anything you want if you have a pack of them in your pocket. Steal a taxi, run through a stranger’s living room to catch a bus, or use wet paint on a bench to pinstripe your suit after accidentally sitting on it! All you have to do is flash that pack of Mentos, give a toothy grin, and it all seems to work out.

Unfortunately, Larry Mendte didn't know that. He wasn't carrying Mentos this past Monday when he was charged with hacking into Alycia Lane's email accounts 537 times over the last two years.

It seems that Larry, as a product of obsession or just plain avarice, got into the habit of reading, recording, and leaking to the press, the embarrassing details of Alycia's life. He wanted to get ahead, and he wanted her to fall behind. Well, it worked... sort of. She did fall behind. In fact, she was fired from her job at the TV station after Mendte leaked sensitive (embarrassing) information about a pending legal case she had. Unfortunately, it backfired when the police seized his computer in May after discovering that it had been repeatedly used to access her accounts.

Everyone knows that accessing another user’s account is illegal. However, what caught my attention is that the authorities are focusing on the fact that he intercepted communications between Alycia and her lawyer. As a result, they are arguing that he violated privileged communications. The communications are only privileged if Alycia had a reasonable expectation of privacy when she sent her email.

The bottom line is that when it comes to email, privacy is subject to where you live. Some states claim that you have an expectation of privacy, and still others say that you don’t.

There have been plenty of law suits against companies that let people go after monitoring inappropriate email use. Of course, the business owner feels like corporate email accounts belong to them and that if they own the mail server, they own what it contains as well. Most of those business owners lost their case. As it turns out, you have to make it clear to your employees that you reserve the right to monitor them if you want to be able to smack them over the head with their own email.

Regardless of what the law says, if you know anything at all about the technology behind email, then you know there is no expectation of privacy. Here is some food for thought;

  • Email messages sometimes pass through a half dozen servers before arriving at their destinations. A copy is often left on each server the message touches. That server’s administrator (a complete stranger to you) can read that message any time he/she wants. In that way, sending an email across the internet is a lot like passing a note in class and hoping no one will read it, even though everyone that passes it along will have the opportunity.

  • Almost all email that is sent today passes through at least one or two spam filters. The filter’s job is to read the email! Then, if the message looks odd it will flag it. Most administrators review the messages that got flagged in the course of tuning their filters.

  • Most email is not encrypted. They travel across the internet in plain text where anyone and their brother can read them if they like. In Fact, there are “traps” online that collect random samples of email in transit to better update spam filters. Those samples are reviewed by network administrators in the name of creating better spam prevention products.

  • There are dozens of viruses and spywares that will collect and re-transmit email on any infected computer. Even if the recipient of your email is clean when you send the message, a future infection could easily result in the dissemination of your communication to hundreds, thousands, or millions of users. How do you think all that spam got out there in the first place?

I could go on for days, but I think you get my point. There is a lesson to be learned here. You do have an expectation of privacy when you are standing in a room with your lawyer and the door is closed, the shades are drawn, and you look around and don’t see anyone but your lawyer, his books, and maybe his 13 year old basset hound passed out on the floor.

However regardless of how this case goes, or how the law in your state reads, my feeling is that, when it comes to email, an “expectation” of privacy is a daydream. The fact is that your plain text email IS NOT private. Once you click send, you are leaving copies of it everywhere and setting yourself up to have someone read your message. Most of the time this will be harmless, but you should be prepared for the possibility that it might not be.

If you don’t email information that you wouldn’t want public then you have nothing to fear. For example, I sometimes will email a username to someone… but I never send the password. If I have to send something to my attorney, I encrypt the data BEFORE I attach it to an email. Do I email him the password for the file? NO! I use the phone, give him the password verbally, and take the opportunity to practice the long lost art of interpersonal communication.

Email is a great tool. It has revolutionized our lives. Unfortunately, it is also deceptively easy. If you are an employee, I would advise you to be more careful about how you use your email. Don’t expect that big brother isn’t watching.

If you are big brother, I advise you to inform your employees of that fact! Put it in the employee handbook so that you don’t end up emailing your attorney about being sued because you read an employees’ email……. perhaps you could email the revised email policy to your employees?

Wow. That’s it for me. I have to go now. I just got an email from a foreign finance minister. It seems that he has a large sum of unclaimed money. He needs me to to assist him by allowing him to transfer $30,000,000 to my account for which I can keep 20%.

posted by Todd @ 12:29 PM 2 Comments

Todd Kwon-Do

Friday, July 18, 2008

Is your caps lock on?

If you've been reading the news over the past few days then you know that network administrators in San Francisco had an interesting experience when they were unable to log onto the city's FiberWAN network which stores about 60% of all of their data. The inaccessible data includes payroll records, emails, law enforcement records, and a variety of other information.

Ultimately, it was discovered that one of their chief IT administrators (Terry Childs) had restricted all access to the network and put in place a password that he has refused to give to the authorities. Additionally, he setup tracking software designed to "spy" on his boss following a bad review. So, at least for the time being, it looks like the city will have to break out the old paper and pencil and find a new way to do business.

As you might imagine, that is easier said than done. All of us have had a computer crash, or have been unable to send an email or access a key piece of software at some time or another. When it happens it can be really hard to be productive, and extended outages or data loss can even threaten the survival of most companies.

There are a wide array of viruses, spywares, and glitchy software patches that our networks have to survive every day. So, with all of that conspiring to keep us from working, why would anyone expose themselves to the damage that a disgruntled employee can do? The answer is that they don't think they have exposed themselves.

The majority of the time, acts of technology vandalism are committed by someone that the company or business owner trusted. In 10 years of consulting, I have heard countless business owners tell me that they don’t need to worry about it. I hear things like, “We are a small company, and everyone here is a good guy” or “I trust everyone here, it’s not a problem”. We would all like to believe that, but I have had first hand experience with businesses who discovered that hell hath no fury like an employee scorned.

So, how can you protect yourself? It’s easier than you think. Take the time to get to know everyone that has administrative access to your network and ensure that you are on that list. Ask your IT administrator to provide you with a list of usernames that have admin access to your system and inform them that every once in a while you are going to log in using those names and you expect them to be working. Then… DO THAT!.

Keep your account list in the network current. By that I mean that you need to ensure that as employees leave, their accounts are disabled and later deleted. The fewer active accounts you have, the less opportunity there is to compromise them.

You should be leary of any IT consulting company or IT manager that doesn’t volunteer password information to you, or that doesn’t extensively log the setup of your network and offer that information to you. A good IT person doesn’t need to ensure job security by keeping you in the dark.

Finally, I suggest an age old tradition… AUDIT AUDIT AUDIT! For reasons passing my understanding, very few companies have a third party audit of their IT department. The accounting deptartment gets audited, but not the department that is responsible for all of the businesses data and operational needs? Yeah… that doesn’t make any sense to me either. A good IT manager or consulting company will have no problem with an audit.

Could San Francisco have prevented their current problem? I don’t know for sure, but I suspect that with minimal effort on the part of the non-IT management team, that this could have been avoided. Nothing is 100% effective, but even the smallest effort is more effective than doing nothing. Now it is up to the FBI and anyone else that is willing to help to get the city up and computing again.

More detail on this incident can be found on Information Weeks website. However, unconfirmed reports say that after several days effort, Tony Shaloub was unable to solve the case and reminded reporters that he only plays a detective on TV and that "Monk" is, in fact, a fictional character.

posted by Todd @ 6:58 PM 0 Comments