[SecurityRatty] tag: forward

Gartner Data Center Conference 2008

Tue, 02 Dec 2008 15:55:49 +0000

The Gartner Data Center Conference kicked off this morning in Las Vegas. Despite the completely packed plane coming out here, Vegas seems quieter and not so crowded. The bartender at Wolfgang Puck’s Bistro told me they were looking forward to the 1800 people coming to this show to fill the hotel up. As we’ve noted, the economic crisis is impacting business travel all around.

22% of the attendees at Data Center come from the public sector and government, with 44% coming from very large enterprises of 20K+ employees.

During the Gartner IOM conference in June, some of the most interesting info coming out of it was the quick polls of the audience on a variety of infrastructure and operations management topics. What are enterprises doing? Where are they headed? What’s important to them? Here are some quick takes from the opening session:

1) What is the largest data center challenge that you currently face?

Smaller Budgets: 21%
Power & Cooling: 20%
Dealing with the Rate of Technology Change: 15%
Aligning Activities with the Business: 15%
Modernizing Legacy Applications: 10%
Lack of Data Center Space because of Equipment Spread: 9%
How to Source IT Services: 5%
How to Find and Retain Talent: 5%

Well, it’s taken almost a year to be “official”, but the National Bureau of Economic Research just announced that the US has been in a recession since December of 2007. It should come as a surprise to no one that dealing with smaller budgets is top of mind, even for the predominantly larger enterprises attending here.

2) What projects will receive the most funding in 2009?

Virtualization/Consolidation: 31%
Data Center Facilities – new builds: 17%
IT Operations Process Improvement: 12%
IT Modernization: 7%
Green IT: 5%

Virtualization and (server) consolidation projects are clearly a priority for larger enterprises in 2009. What’s interesting here is the relatively very low priority of Green IT projects – in spite of the importance to attendees of getting power and cooling costs under control. Perhaps there’s a gap here between what’s often the hype of Green IT and practical considerations for data center managers when it comes to power and cooling management.

3) Where are you with server consolidation projects?

No Plans: 3%
Looking at it now and will start in next 2 years: 13%
In process now: 58%
Have already completed server consolidation project: 26%

Larger enterprises are consolidating servers with a quarter of attendees already having gone through the process at least once. And according to poll #2, this trend will definitely continue.

Online Finance Flaws: An Awareness Campaign

Sat, 29 Nov 2008 19:08:00 +0000

Here begins a series regarding web application security inadequacies in online financial service offerings. The services to be discussed will include banks, credit unions, credit card companies, and others. As the economy struggles profoundly, and much of the blame points at the financial sector, I believe it important to point out the false sense of security so many brand-name financial services wrongly instill in their customers.
Often this sense of security is coupled with a typical "security badge" provider, helping drive conversions rather than security, as we will also legitimize how often the badge providers miss the mark on their promises.
Accountability in loan making decisions and practices might have prevented the sub-prime market collapse and the subsequent credit crunch that has hogtied our economy.
Accountability with regard to web application security while providing online financial services is now all the more important as cybercrime will continue to increase at a pace proportionate to economic woes.
Each post relevant to this campaign will include Online Finance Flaw in its title for tracking purposes.
Look forward to surprising flaws in financial services brands you'll recognize.
Perhaps, the more attention we draw to services that should place security above all else, the more likely it is they'll commit to improving their security posture.
Feel free to comment or contribute; we'll begin in a day or two.

A Review of EM7

Tue, 25 Nov 2008 14:39:38 +0000

We’re very happy to have had EM7 reviewed by The Tech Stop. We originally met Fr. Robert Ballecer SJ at Interop Las Vegas 2008. Padre (as everyone knows him) was one of the networking team leads at Interop and got hands on experience with EM7 in the NOC at the show. As far as we’re concerned Interop was the best way to review EM7. While working with a product in a lab gets you a reasonable idea of how it works, using the product in a high pressure, real world environment like Interop, really shows you what a product can do. We’d like to thank Padre for taking the time to do such a complete review of EM7 and look forward to hopefully working with him again during Interop 2009.

Gmail security and recent phishing activity

Tue, 25 Nov 2008 10:22:00 +0000

Posted by Chris Evans

We've seen some speculation recently about a purported security vulnerability in Gmail and the theft of several website owners' domains by unauthorized third parties. At Google we're committed to providing secure products, and we mounted an immediate investigation. Our results indicate no evidence of a Gmail vulnerability.

With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information. Attackers sent customized e-mails encouraging web domain owners to visit fraudulent websites such as "google-hosts.com" that they set up purely to harvest usernames and passwords. These fake sites had no affiliation with Google, and the ones we've seen are now offline. Once attackers gained the user credentials, they were free to modify the affected accounts as they desired. In this case, the attacker set up mail filters specifically designed to forward messages from web domain providers.

Several news stories referenced a domain theft from December 2007 that was incorrectly linked to a Gmail CSRF vulnerability. We did have a Gmail CSRF bug reported to us in September 2007 that we fixed and deployed worldwide within 24 hours of private disclosure of the bug details. We know of no affected users. Neither this bug nor any other Gmail bug was involved in the December 2007 domain theft.

We recognize how many people depend on Gmail, and we strive to make it as secure as possible. At this time, we'd like to thank the wider security community for working with us to achieve this goal. We're always looking at new ways to enhance Gmail security. For example, we recently gave users the option to always run their entire session using https.

To keep your Google account secure online, we recommend you only ever enter your Gmail sign-in credentials to web addresses starting with https://www.google.com/accounts, and never click-through any warnings your browser may raise about certificates. For more information on how to stay safe from phishing attacks, see our blog post here.

National Security Perspectives A Post-Election Insider View

Tue, 18 Nov 2008 11:13:25 +0000

Recently I participated in an event entitled National Security Perspectives held at the famous Congressional Country Club in Maryland. The featured panelists had impressive credentials from the NSA, DHS and the CIA. The topics of discussion ranged from Current Geopolitical Threats and Evolving Technology Demands to predictions about the New Administrations Intelligence, Defense and Homeland Security focus.

The panelists were:
William P. Crowell – former Deputy Director of the National Security Agency
Michael P. Jackson – Deputy Secretary, Department of Homeland Security
Jose A. Rodriguez, Jr. – former Director CIA, National Clandestine Service & CIA, DCI Counterterrorist Center

Overall, it was a very nicely arranged event on a brisk fall evening with about 100 CXO attendees; mostly large but some small government contractors and a few product companies like ScienceLogic that conduct business with military, intelligence and the public sector.

No surprise, given the financial crisis the economy is suffering from that the panelists said we also have a crisis coming on the Federal budget front. This will put enormous pressure on the way Administration thinks, and how and where to spend the $$.

Obama’s tone regarding the issues he will be confronting in the world during the election was encouraging. Make the world more non-partisan and take on the threats that we have in front of us head-on!

The panel was very upfront about current threats. William Crowell said,

“It is highly imprudent to believe that there will not be another 9-11. We have to fund and support the work to stop other attacks. We can only mitigate risk but we can’t eliminate risk. We have to try to absorb the sense of urgency and wake up every day looking at the intelligence screens as if 9-11 happened within the last couple of months.”

He added,

“They (the intelligence community) need the innovation, sense of commitment and urgency that comes from the private sector – a sense of mutual commitment to that mission.”

Predicted Priorities for investment for DHS:

Cyber attack as the top issue
Nuclear threats including dirty bomb
Chemical and biological attacks
Explosive attacks against critical infrastructure with maximum # of lives and or financial disruption / loss.
Large scale natural disasters – hurricane + earthquakes
Border penetration - identity management and border management issues

An Obama administration will spend dollars around these threat vectors. They will want to spend $$ to help state and local governments. Grants to state and local governments should significantly increase with the Obama administration, so think about how you will increase your focus on the state and local government spending initiatives.

Secure border investments – the panelists believe that the new administration will feel compelled to invest here. Michael P. Jackson bluntly said, “You have to make investments in border tools to get meaningful immigration reform.”

Panelists agreed that the 1^st year will be an intense period of scrutiny about fundamental directions. We can’t afford it all at DHS; it is dramatically under budgeted. At TSA/DOT and then at DHS, we spent about $4 Billion on technology investments since 9-11; those investments are now reaching the end of the original service life.

One gripe from the panel that I found humorous: “We don’t have a group of people who think like entrepreneurs.” It is insane how long things last when you buy things in the government. As an example, we are still replacing vacuum tubes in some of the very old FAA gear… this is well beyond what any reasonable person would think these initial investments should/would last.

Final Thoughts:
I actually think that the Obama Administration will be quite favorable to COTS software products, SaaS offerings, and creative financing initiatives from the private sector. The government just won’t have the capital budget to do everything it wants to accomplish. I would say if you look at how intelligently and aggressively Obama used technology to assist his campaign, the odds are good that this new breed of IT talent (which is already really comfortable with SaaS products, blogs, wiki’s, hosted/outsourced Cloud solutions… this team really understands the latest technology trends) will quickly work to bring these new IT paradigms to the Federal marketplace. Clearly the private sector can help the Government achieve more with lower capital budgets – beginning to provide services rather than transaction-based selling. Another clear idea is to think about leasing as a better way to work with the government which going forward will have increased budgets restrictions.

They will likely be in confrontation with members of Congress that won’t change fast enough, however the future of our nation’s ability to fight terror lies in becoming more efficient and effective. It requires the government be flexible enough to figure out what jobs and IT functions to outsource in a nimble and smart way. My prediction: this is great news for Service Providers. Overall the next 4 years should be great for our business as well as the Managed Service Provider/SaaS industry!

America's CTO

Sat, 08 Nov 2008 13:08:05 +0000

I hope this message gets through to the Obama people - Bill Joy would be an amazingly good pick for the newly created CTO cabinet post. A grand slam to the upper deck. You can count the people with as a good a track record in technology on one hand.

Also, I could not agree more with John Doerr on these points:

The next question from the president-elect was what single policy issue he could focus on that would most help entrepreneurs.

“The most important thing he’s got to do is kick-start a huge amount of research and innovation in energy,” said Mr. Doerr, who backed Google and Amazon.com and has invested heavily in clean energy technology for the last few years.

The nation now invests less than $1 billion a year in renewable energy versus $32 billion a year in health care, Mr. Doerr said. “I think we’ve just scratched the surface in terms of clean ways to use energy, to produce energy. It’s the challenge of our generation.”

How to do that? Double the number of engineers who graduate from American universities each year to 60,000, Mr. Doerr said. Bring more women into the field, and encourage foreigners who study engineering here to stay here.

“What we do is bring foreign nationals to the world’s greatest universities. We train them, invest in them and make them go home,” he said. “What kind of national strategy is that? So I would staple a green card to the diploma.”

While it is amazing that it took until 2009 for the US to have a CTO as a cabinet level position, it is very cool to think about all the things that could happen going forward. As Neal Stephenson said the US is only world class at three things - 1. Movies, 2. High speed pizza delivery and 3. Software development.

If you read your John Hagel and JSB, then you know that innovation is the only sustainable edge. Luckily its hard wired into our system, but it will be helpful to have a seat at the table for certain things.

Links List 11.7.08

Fri, 07 Nov 2008 19:49:59 +0000

Government contractors spill their thoughts about how Obama’s historic win will affect the industry. A majority of those questioned agreed to the fact that nothing will change overnight and everything will occur within 2-3 years. Others expressed thoughts on who will lead procurement and acquisition policy at GSA and OMB, as well as a possible hiring freeze for the government workforce. We’re also waiting to see what will happen to FISMA and IPv6 compliance going forward as a new administration and new OMB management sets their own agendas and mandates.

Due to the slow economy, most tech companies are being cautious and ratcheting back sales forecasts for software and hardware. The exception: Infra-Strategy, a company that operates a group of Web sites that help people find a lawyer and info to deal with bankruptcies, divorces and DUI cases. Visits to the sites are booming – with visits to totaldivorce.com, for example, up 112% in October 2008 (I found the picture on the website particularly compelling). Apparently, in bad times, divorce rates go up. Who knew?

Is it always a recession when it comes to IT Operations? Companies are constantly trying to find ways to do more with less in IT – reducing costs but keeping the same or even adding functionality – deploying technologies that drive IT consolidation such as mobile and remote access, unified communications and virtualization. Chris Silva of The Forrester Blog for IT Infrastructure & Operations Professionals is looking for a research panel to find out what fellow IT companies are doing to keep their IT budgets in check. To join the research panel visit: http://itpanel.forrester.com/.

The Cloud Computing Monopoly debate continues. O’Reilly Media founder Tim O’Reilly and technology writer Nicholas Carr (of “IT Doesn’t Matter” fame/infamy) have been discussing the ‘potential for a single company to achieve monopoly control of the world of cloud computing.’ But what’s even more interesting is the “who will make a lot of money” in cloud computing question.

VC and IPO Outlook

Fri, 07 Nov 2008 06:07:37 +0000

Forbes interviews venture capitalist Charlie Harris. He is the Chairman of Harris and Harris (NASDAQ:TINY) a venture capital fund which is focused on funding nanotech companies. He is bullish looking forward from today for a couple of reasons

1. We have an eight year back log of good companies and ideas due to a poor IPO environment, we have had an eight year drought in IPOs but still lots of good ideas out there.

2. Clean tech theme has a lot of room left to grow

3. The recent financial crisis has revealed and removed a lot of risks

4. The best businesses are started in times of economic distress. Dislocation equals opportunity. Companies that start during financial distress have tremendous discipline to survive.

Somewhat surprisingly for a person with 100% of his fund invested in nanotech, he does not see nanotech as the leader of a next IPO bookm. He seems to see nanotech as an enabling technology (my words not his) so you will see nanotech enabling clean fuel, cancer drugs and so on, and these individual spaces could boom, but not an "all things nanotech" type boom.

Hackers Jailbreak T-Mobiles And Googles Android Phone

Wed, 05 Nov 2008 21:35:13 +0000

Hackers have managed to jailbreak T-Mobile’s new G1 phone by exploiting a gaping loophole in Android, the open source operating system supplied by Google. The hack, which was posted to XDA-Developers forum, is a straight-forward process that allows root access in about one minute. It involves using the widely available PTerminal application to telnet to the [...]

Sleep more and live longer

Fri, 31 Oct 2008 00:16:00 +0000

An interesting study was discussed on WTOP radio today.

It seems that two Swedish doctors conducted a sleep study between 1987 and 2006. Their findings have been published in the New England School of Medicine's records.

They discovered that 5% more heart attacks were recorded the Monday after clocks go forward. At the same time, there were less heart attacks documented on the Monday following the weekend period when clocks go backward.

The findings indicate the importance of getting a good night's rest. When the clocks are set forward an hour, people lose an hour of sleep. That was the time when more heart attacks were found to have occurred.

In the field of security, it is not always possible to get enough rest. Many times it is necessary to work a 12 hour shift and then drive home afterwards. If this is the case, the officer/agent should make sure that he/she gets adequate rest when they are off duty.

Unfortunately, there are other elements that add to a less than healthy lifestyle such as; drinking a lot of coffee, not eating balanced meals, lack of exercise, etc. Armed with the knowledge that sleep is so vital to our health, it is more important now than ever to ensure that we are taking proper care of ourselves.