
  • Chrome Plating

    Last week Google announced that the Chrome web browser they have been developing for the past couple of years will be extended into a full-blown operating system, aimed primarily at the netbook market. The OS will be a slimline offering which will focus on internet browsing, with a limited resource base required to make it run efficiently.

    The announcement was seen by many as a true threat to Microsoft's 90% dominance of the OS market with its Windows XP and Vista platforms. Windows 7 will also be available later in the year to help the 'end of life' of the 8-year-old XP. But are Microsoft really worried?


    Many pro-Microsoft bloggers simply commented that Google's announcement was brought forward early in order not to be overshadowed by Microsoft's own announcement next week of a 'significant' new product. Many believe this to be their new Gazelle browser, which is based on a similar OS/browser blend to Chrome.

    With the continual development of netbooks and unified communications devices such as iPhones and PDAs, the blur between mobile computing power and phone technology is ever greater. I personally think the netbook market is surely limited, as most phone users expect 3G communications from their new mobile upgrades. With that comes the requirement for mobile web browsing and in turn a better equipped phone-based OS. The Apple Store, which allows the download of iPhone apps, has seen thousands of downloads of free and commercial apps ranging from games to office-related productivity suites.

    The announcement of Chrome (and potentially Gazelle) may be breaking news but it may also just be the marketing FUD both vendors have been party to over recent years.

  • Online Community Spirit?

    If the news is to be believed, over the last 15-20 years the UK has seen a decrease in community spirit and social interaction, coupled with increasing levels of youth crime associated with the ASBO generation.

    Many people who lived in the 1950s and 60s claim that society today is not generally a happy or enjoyable place to live. On some levels I can understand the argument - less crime, better community spirit, more individual respect - but in many cases time tends to keep only the good memories for safe keeping.

    Today, commuter towns replace placid rural villages, and to many the notion of countryside living, 'yokels' and the social interaction of the village pub have been eradicated. This may well be the case in some areas.

    My main thread really surrounds one main factor that has formed community life, not just in the UK but in human interaction in general. The creation of a community, historically associated with where someone lives, is mapped to a Commonality Factor. This Commonality Factor (CF) has nearly always been where someone lives. You interact with, respect and understand the person in the same street, village or town because they live there with you. You share the same neighbours, same roads, same weather, maybe the same friends, relatives and so on. The CF tends to be quite strong. With that comes the community spirit, where everything is rosy in the garden.

    Over time, the Commonality Factor linked with your physical location has drifted. People live in towns to which they have no historical connection, due to work, commuting or simply house price changes. This has led many to believe community spirit is declining. I believe the opposite.

    The Commonality Factor has simply altered. The development of social networking sites like the omnipresent Facebook and Twitter, coupled with the advancement of 'unified communications', has allowed virtual communities and groupings to develop much more easily and quickly.

    Commonality Factors across geographical boundaries, political beliefs and religions have created communities that are more focused and specialised. This leads to potentially more communities, as niches can be created for varying interests and backgrounds. The flip side, of course, is that a gathering of fanatics or specialists that would in the past have been isolated can quickly create a polarised view or standing that may be to the detriment of the remainder of the middle community.

    In general I think fundamentally nothing has really changed. The advancement of news communications in the 20th century led to increasing numbers of national and international stories being delivered daily to remote, once-isolated locations, opening up information, commentary and in return feedback.

    The use of Web 2.0, social networking and unified mobile communications is just another advancement of information management which people will utilise to develop communities of all kinds.

  • Technorati

    Technorati Profile

  • Simple Things in Life

    There are many new and existing IT and information security controls documented, practised and preached. Most home IT users are familiar with terms like malware, anti-virus, firewalls and so on. The constant stream of warnings surrounding operating system patching, updates, service packs and the like is all there to help create a secure computing environment - or to earn software companies more revenue, depending on which paper you read.

    Five years ago, most people wouldn't have had home broadband, and the likes of Facebook, Twitter and even iPhones were a thing of the space-age future. Like most technology, innovation and development occur literally overnight. Things become faster, bigger and brighter, with more features and functions available to the end user. With that comes the inevitable complexity of making hardware and software systems work: the interoperability, the stability, the ease of use, the definition of new standards and protocols and the integration with existing 'legacy' systems. All of which can lead to security loopholes and gaps.

    The biggest security threat to information management and IT in general is not the 16-year-old hacker with an anti-establishment manifesto, but the insider. The co-worker. The system administrator or the security guard. This is well documented. It is sometimes better to keep your friends close and your enemies closer, as the saying goes, and in IT terms that couldn't be more true.

    Most computer theft and information leakage comes from the same people who use the systems impacted. Sometimes intentionally, and sometimes due to bad business process and lack of user control. For example, most corporate authentication directories will have a password complexity checking policy. This will require users to choose a password containing three of: a number, a letter, a special character or an uppercase character. On initial inspection this seems a sensible thing to do. Passwords become more secure against brute force attacks, for example. However, realistically, the more complex the password the more difficult it is to remember, resulting in end users simply writing the password down! End result: password documentation that takes someone minutes to find and utilise.

    Most data warehousing and network file systems will have some sort of ACL protection. Managed either via an application-specific grouping or an enterprise RBAC model, permissions are granted to individuals via business function or location, for example. This again results in what looks like a sensible and well crafted method of information protection. But what happens when an authorised user prints a secure document? Where is the printer located? Next to only the authorised users? Is the printer only used for secure documents? It is unlikely, given the cost of laser printers. What happens to the printer waste? Excess copies, mistakenly printed sheets and so on? Is it shredded?

    These basic steps and those in the basic password example are the ones that cause the most damage. Complex security management is important and helps drive high level strategy but basic steps and end user education are equally if not more important.

    As information complexity increases from the likes of social networking and mobile information services, the need for simple basic controls becomes paramount.

    Would you want to be operated on in a highly sterile operating theatre with new instruments and equipment by a surgeon with unwashed hands and no gloves? I think not.

  • Sunny Times Ahead

    The following is my new vendor related blog at Sun Microsystems where I focus on Roles Based Access Control and Identity Compliance.

    http://blogs.sun.com/rocknrole/

    Enjoy.

  • A Passion for Java

    I am currently working towards the SCJP - Sun Certified Java Programmer on Java 5. I have been self-learning Java for quite a while, but decided to embark on a thorough learning curve in order to remove any bad habits I had picked up over the months. To that end, I quickly purchased the "SCJP Study Guide" by Osborne as my main text. In addition I am always reading about systems methodology, but recently I have focussed more on SDLC and frameworks used within Java development.

    "Java Development with the Spring Framework" is both informative and very detailed. It gives a breakdown of why Spring evolved and how it can be used for successful development. Each branch of Spring is covered in detail, explaining its uses and deployment scenarios.

    In addition I recently read two language agnostic books covering productivity and best practice within software development.

    "Productive Programmer" by Neal Ford was a great read. Really simple and direct, with millions of great tips, anecdotes and stories written by an industry veteran. The book focuses on automation, strategy, and tools and tasks that can make you a more efficient software creator.

    "Emergent Design" by Scott Bain was a more detailed look at the future of the software profession and how the profession may change. Again it is based on best practice and full of war stories, and spends a great deal of time looking at software patterns used within OOP.

    For additional syntactical learning, though, I found a great site run by an evangelist of the Java platform, Sang Shin. He has developed several courses that focus on Java, web services, AJAX and more. The site (http://www.javapassion.com/) provides training materials, sample code and a structured way of learning that looks at all aspects of Java development.

  • How to Eat the Elephant

    The following is an article I submitted to the ISC2 Security Transcends Technology blog last month:

    http://blog.isc2.org/isc2_blog/2008/06/how-to-eat-the.html

    The main focus of the article is to argue that large scale role-based access control projects require significant business sponsorship and understanding if they are to be successful.

  • Review - Role Engineering for Enterprise Security Management

    Last month I purchased 'Role Engineering for Enterprise Security Management' by Edward Coyne and John Davis.

    The book was a recommendation from a colleague who thought it might be one of the first pragmatic and non-academic books on the topic of role-based access control and its implementation.

    I have worked in the field of identity management for a while and have specialised exclusively in the niche area of RBAC for over 12 months as an architect and consultant. The last year has seen a major increase in demand and general interest from larger organisations within Europe who are keen to increase IT security while reducing administrative complexity and cost.

    RBAC isn't a new area of discussion, and many academic and abstract papers have been written on the subject. This in turn has helped develop frameworks, standards and universally accepted definitions for key terms in the RBAC market place. On the flip side, many organisations simply see an RBAC implementation as being too complex and too costly to be a viable solution for increasing IT security.

    I was refreshed to hear that someone had written a more practical and experience-based book on the ideas and pitfalls of an RBAC framework, and quickly purchased a copy from Amazon. The book took me about 4 hours to read, spread over 2 or 3 days. Overall I was left feeling disappointed and generally frustrated by what I had read. As an inexperienced consultant or systems analyst for a company looking to embark on an RBAC project, I would have been left feeling the whole process of role engineering to be complicated and time consuming. This is not the case. The book lacked depth and understanding not only of the tools available in the market place, but of the methodologies being used to successfully implement large scale RBAC frameworks.

    Many items referenced in the book were outdated and seemingly focussed on single project experiences based on a specific toolset and methodology, and the tone was often patronising to the reader.

    Many papers have now been written by the likes of Burton, Gartner and Forrester that not only fully explain the toolsets and companies operating in the role mining/management space but also the successful methodologies being used.

    Base standards from NIST/ANSI are extremely dry reads but put the scope into perspective, while many of the large software vendors in this space (www.sun.com & www.vaau.com) provide easily available white papers on implementation methodologies for role engineering and life cycle role management. These prove that an RBAC framework is easily obtainable within a realistic time scale, providing a strong ROI.

  • Time Stamps in MS-SQL

    A colleague of mine was familiar with MySQL and its feature of being able to timestamp a column automatically if a row of data changed. This feature allowed each record to be tracked, based purely on the last time and date of record change.

    Within MS-SQL, however, this feature isn't automatically available. The data types available for a column don't include a timestamp value that will automatically update to the current date and time.

    To overcome this I found an easy trick to allow a row to record the time it was last added/updated.

    Firstly, create a new column against the table in which you want to store the modify time. Set the type to 'datetime'.

    Against this table, then create a trigger for every insert and update, looking something similar to this:

    -- AFTER trigger: fires once per INSERT or UPDATE statement on the table
    CREATE TRIGGER [trigger-name] ON [tablename]
    AFTER INSERT, UPDATE
    AS
    BEGIN
        -- stamp only the rows touched by the firing statement
        UPDATE [tablename]
        SET [column-name] = GETDATE()
        FROM [tablename] [alias], Inserted i
        WHERE [alias].[unique column] = i.[unique column]
    END
    GO

    The above uses the MS-SQL concept of the Inserted table. This is a virtual table that contains the rows being inserted or updated by the statement that fired the trigger. In this case I simply compare the Inserted table against the actual table to identify the rows that changed. Against those rows I then utilise the inbuilt GETDATE function to populate my new column with the current time and date.

    Not pretty but it works very effectively!
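    The same technique as a complete T-SQL script you can run against a scratch database. This is an added example, not code from the original post; the table, column and trigger names (dbo.Widgets, LastModified, trg_Widgets_LastModified) are assumptions chosen for the demo.

```sql
-- Added example (not from the original post). Names below are assumptions.
CREATE TABLE dbo.Widgets (
    WidgetId     INT IDENTITY(1,1) PRIMARY KEY,
    Name         NVARCHAR(50) NOT NULL,
    LastModified DATETIME     NOT NULL
        CONSTRAINT DF_Widgets_LastModified DEFAULT (GETDATE())
);
GO

-- AFTER trigger: fires once per INSERT/UPDATE statement, not once per row,
-- so joining on the key against the virtual Inserted table is what keeps it
-- correct when a single statement touches many rows.
CREATE TRIGGER dbo.trg_Widgets_LastModified
ON dbo.Widgets
AFTER INSERT, UPDATE
AS
BEGIN
    SET NOCOUNT ON;

    -- Guard against re-entry if RECURSIVE_TRIGGERS is ever switched on for
    -- the database: the trigger's own UPDATE would fire it a second time.
    IF TRIGGER_NESTLEVEL() > 1 RETURN;

    -- Overwrites whatever value the caller supplied, so the column reflects
    -- the server clock rather than an application- or user-chosen time.
    UPDATE w
    SET    LastModified = GETDATE()
    FROM   dbo.Widgets AS w
    JOIN   Inserted    AS i ON i.WidgetId = w.WidgetId;
END
GO

-- Exercise it: two rows inserted, then one of them updated a second later.
INSERT INTO dbo.Widgets (Name) VALUES (N'gear'), (N'sprocket');
WAITFOR DELAY '00:00:01';
UPDATE dbo.Widgets SET Name = N'cog' WHERE Name = N'gear';

-- Only the updated row ('cog') should carry the later LastModified value.
SELECT WidgetId, Name, LastModified
FROM   dbo.Widgets
ORDER BY WidgetId;
GO
```

    The DEFAULT constraint covers inserts on its own, but the trigger is still needed for updates and to stop callers setting LastModified to a value of their choosing.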

  • ID Cards and Border Control

    In my job I travel across Europe relatively often, perhaps to 3 different countries a month. The majority are in the EU and I can easily pass through the respective border control restrictions with my standard issue EU badged passport from the UKPA. If travelling to the RoI I can get away with simply my driving license as the authenticating mechanism to prove who I actually am.

    Both IDs (or authentication devices, in geek terminology) are respected as they have been issued from a trusted source. This trusted source happens to be a government agency in the UK which is seen across Europe as being a reliable and trustworthy source of identity information. This is similar to a Certificate Authority in a PKI environment, with the issuer being the trusted third party between two transacting bodies. Anyway, I digress. But hold that thought.

    Last week I had the misfortune of being on the receiving end of a cancelled flight from Amsterdam Schiphol to Leeds. This basically led me to booking a hotel and a new flight with a different operator the following day to get home. In order to do that I had to go through the following rather mundane steps.

    1) Collect my luggage from my cancelled flight from the arrivals section, going through inbound passport control
    2) Pass through arrivals back to departures to get details on my cancelled flight and book on a return flight with the same operator for the next day
    3) Next day, return to airport and check in - showing passport and dropping off luggage
    4) Go through passport control into duty free shopping area
    5) Have hand luggage scanned and go to departure gate

    At this point my second flight with the first operator was cancelled again. So I then had to...

    6) Collect my luggage from my cancelled flight from the arrivals section, going through inbound passport control
    7) Pass through arrivals back to departures to book another flight with a different operator
    8) Check in on second flight - showing passport and dropping off luggage
    9) Go through passport control into duty free shopping area
    10) Have hand luggage scanned and go to departure gate
    11) Board flight and come home!!

    So the point of my boring list is to show that I actually had my passport checked 4 times in 6 hours, on top of the scanning when I actually arrived in the country on the day before.

    Each and every one of the passport checks was done manually - that is, a simple visual scan of my passport to make sure it matches my face and vice-versa. My passport was reissued this year and came with a small chip, similar in size to standard credit card chips. This chip contains the entire back page of the passport including the photo, meaning the actual photo can't be tampered with or replaced. I have only ever seen this scanned twice - at Luton and Heathrow airports on arrival. The scanning machine lists my details and my picture without having to swipe the passport number.

    Anyway, I was surprised that in one of the busiest airports in Europe not once was my passport scanned or my details checked, potentially flagging the fact that I had, on paper at least, entered and left the country twice in a day, i.e. typical smuggling traits.

    The introduction of a consistent method for ID checking - we've done the hard bit by agreeing on country-specific cards (driving licence or ID card) or a region-wide document (EU passport) - would surely allow for a more secure and easily accessible pool of border control information?

    I am indeed in favour of the national identity scheme currently on hold in the UK, which is popular with our European neighbours, but I guess before that we need to make the fundamental checks more consistent.

    Again it is not the technology which is causing the issue but the people, or perhaps more accurately the process, which always lets us down.

    We're only as strong as the weakest link in border control.
