Thursday, November 2, 2017

Why I Am Leaving A Great Company and a Good Job

I have been in the IT industry since the early 1980s. My first paid gig was programming an inventory and invoicing system. Since then I have worked for many great companies, including Boeing, IBM, Sutter Health, and Ashland Oil, as a developer, systems and network administrator, database administrator, first- and second-level manager, and small business owner. I have had the pleasure and opportunity to work on major high-traffic web sites delivering millions of pages a day. My current assignment is that of a security manager with NIC's Indiana subsidiary. We process billions of dollars on behalf of the State of Indiana.

Friday, November 3, 2017 will conclude an eight and a half year run with NIC. When I look back at the many successes I have had with NIC, I can honestly conclude I have been successful. I have had many opportunities to make NIC better and I have succeeded with most of them. I believe the states (and their businesses and citizens) I have worked with - particularly Indiana, Mississippi, and Maryland - are better off because of what I brought to the situation.

I sincerely appreciate having had the opportunity to work with this company and the people I have met and worked with along the way. The old cliché for a break-up is “It’s not you, it’s me.” While this cliché often gets a bad rap, in this case it is true. I'm about to turn 50. I started at NIC at 41. My expectation was to be part of executive management within 8-10 years. I have learned and grown a great deal serving this company, and many people have helped and supported me along the way to my success. My current role, while it has some interesting aspects, is not where I want to be. I want to focus on running things - both strategically and operationally.

I haven't "quit" a job since February 2003. It is not easy leaving a job. In fact, it takes a lot of courage. Quitting a job is a choice, an active choice. Quitting a job is a risk. However, there is value in the risk. Whether the value of the risk is greater than the option of staying where I am is part of the entire risk equation. Do I fear regret more than I fear failure? I am not a fan of regret. It is negative, ugly, and scary. Failure is also scary, but it is neither ugly nor negative. How will my 20-something self react to this decision? How will my 70-something self react to this decision? Have I disappointed my 20-something self? Have I put a smile on my 70-something self?

I guess it boils down to trust, doesn't it? The path to the future is unclear. But, I don't fear the unclear path. I have faith in it. I am reminded of a story I was told many years ago. It holds special meaning in times like this.

A group of Boy Scouts (could have been Girl Scouts, who knows!) were hiking down the path one Saturday afternoon. After about a mile down a particular fork, the lead Scout realized they were on the wrong path. The current path was fairly smooth and was a good path. Unfortunately, it didn't lead to where they wanted to go. The Scout had a choice: continue down the comfortable path, or go back to the fork and head down one of the other paths. How would the other Scouts react if the lead said to turn around, or, worse, said to cut through the underbrush in an attempt to find another path that might get them closer to their desired destination?

It is all about scope then, isn't it? What is the destination? There are millions of destinations. What is the desired one for me? As I stated above, my desire is to focus on running things - strategically and operationally. I know where I want to be. Time to cut through the underbrush.

Monday, March 27, 2017

To arms! To arms! The British are coming!

The British are coming! The British are coming! To arms! To arms!

No, this is not a reenactment of the war of American independence. But it is a call to action to go to war to protect liberty! And have no doubt, it is a war. The thing with wars is that there are winners and there are losers. History is written by the winners. In today's war on liberty there are no winners and everyone loses. Worse yet, other wars (perhaps also unwinnable) are some of the battlefields upon which the war on liberty is fought. The "war on terrorism" is a good example of such a battlefield. "Terrorism" is such a convenient term to use, after all. It evokes very strong emotions. It is a strong word, and one which, I believe, is highly overused. However, politicians and others with an agenda will use such strong words to evoke emotions and sway people to action. In today's world, we don't have a word or phrase for "somebody is doing stupid stuff like destroying property or killing people" that evokes the proper horror or discontent that it should. So the governments have politicized and armed "terror" and "terrorism" as blanket terms for all sorts of deplorable actions. They then use these "terrors" to remove the civil liberties of those being terrorized - that's right, the victims.

Today's New York Times (03/27/2017) has an article in which "Amber Rudd, Britain’s home secretary, said that the country’s intelligence agencies should have access to encrypted messages sent through WhatsApp, an instant-messaging service owned by Facebook. Her remarks were part of the British response to the fatal terrorist attack last week in London" (cf. https://www.nytimes.com/2017/03/27/technology/whatsapp-rudd-terrorists-uk-attack.html). Here we see where "Khalid Masood, a 52-year-old Briton, drove a car into pedestrians before attacking a police officer." Is that terrorism? Of course not. Is it deplorable? Yes, it is. But they are calling it terrorism so that they can justify crossing civil liberties. They want to require that technology allow back doors into software so that they can see what data is being transferred.

If they do get access to the encrypted data, what they would see is garbage. That's the idea behind encryption. Cryptography, the use of codes and ciphers to protect secrets, began thousands of years ago. The basics of it are that there is a secret part and there is a public part. The public part is available for viewing/hearing. The private part is what turns the public part into something useful for the receiver. Since the 1970s, the public has had access to the ability to encrypt data at a level that governments have historically had. And governments, as Ms. Rudd points out, do not like it. In fact, they despise it. So much so that they want to entice persons (and companies) to refrain from having and using encryption that the governments can't decrypt. How might they entice such actions?

The same New York Times article says, "The move by British lawmakers is the latest effort in Europe to police how internet giants operate online. This month, a German government minister, Heiko Maas, said that he would propose new legislation that could fine tech companies around $50 million if they failed to stop hate speech being spread on digital platforms like Facebook, Twitter and Google’s YouTube."... "Officials in Britain, however, are going a step further. And by demanding that intelligence agencies be allowed to read encrypted messages, Ms. Rudd is reiterating long-held plans to gain more control over digital services."

Again, what is at stake here is individual liberty. A person is permitted to do all and only the things he is not obliged to refrain from, and obliged to do all and only the things he is not permitted to refrain from. In other words, people have liberties and rights. Rights can be taken away, but not liberties. Liberties are those things you can do simply because God gave us life. (I realize these aren't quite the legal definitions - those would refer to liberty rights and claim rights. I'm just simplifying.)

While I understand the frustration the British government and all governments are facing, such actions cannot be condoned. This is not about terrorism. This is about basic civil liberties. I completely understand that when people are at liberty to do something, then there is risk. They might get out of control. They might use this liberty to harm others. As in London, people have the ability to run over people with a car. However, to use this as an excuse to curtail liberty is more than an injustice. It is a duty of every human to "secure the blessings of liberty to ourselves and our posterity." In today's world, that security includes confidence in secure communications.

Amendment IV of the Bill of Rights states that "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." The American Bill of Rights gives a way for the US government to inspect a person's home, papers, or effects. It is done at the "person" level. Corporations do not have the right to infringe upon the individual and disclose private data transferred. If the government has probable cause, they can get a warrant to the individual.

However, if a position were adopted that sought to curb these liberties, then people would be controlled. This would certainly make the job of the British government, the FBI, or a local police force easier. However, in elevating "safety" to the place of primary value, we lose that which we value even more - liberty. In opting for security, we are opting to give up freedom of movement, freedom of choice, freedom of speech, freedom of action. We have already given up too much of this because of terrorists and terrorism. Giving up liberty to gain safety means we gain nothing and lose a lot. We have already lost too much. It is the duty of technology companies to society not to comply with these demands.

Have no doubt, the war is not coming, it is here, and our liberties are at stake. The Googles, Facebooks, Apples, etc. are on the front lines. They must fight, and we must support them in this fight.

Originally published on www.dpitts.com on 3/27/2017. This article is not meant to be legal advice. The author is not a lawyer. Reprint and publication requests can be sent to publications@dpitts.com

Friday, September 9, 2016

Dear Credit Card taker - turn off autocomplete

This is a letter I sent today to <security certification organization>. As they have not had time to respond, I will protect their name. They *were* using https at least. I realize that there are different names for this feature in different browsers - AutoFill (Safari/Chrome), Auto Form Fill (Firefox), AutoComplete (Internet Explorer) - but the concept is the same. Advice to turn off this feature for card fields has been around since at least 2011. It should be turned off for the CVV as well.

Dear <Security Certification Organization>,
I am a new member. I registered today, putting my credit card into your system to pay the annual dues. I then went back and added on-line training. I found it disturbing that an organization promoting and certifying security people would not have autocomplete turned off for credit cards being accepted on-line. This makes me question whether other security precautions have been taken and how much I should trust the <Security Certification Organization>'s web site.

Always, always set autocomplete="off" in the input tag. For example:
<input autocomplete="off" name="cc" type="text">

So, perhaps it might look like this (I have not validated this):
<input autocomplete="off" class="form-control" id="j_id0:j_id1:j_id2:j_id45:j_id46:j_id47:j_id48_11:j_id539:CreditCardNumber" maxlength="255" name="j_id0:j_id1:j_id2:j_id45:j_id46:j_id47:j_id48_11:j_id539:CreditCardNumber" onkeyup="toggleSelectedCreditCard(this);" pattern="[0-9]{13,16}" required="required" size="20" type="text" />
Otherwise, if people have the form completion feature turned on, their credit card number will be stored in plain text somewhere on the computer (in the registry, or elsewhere). This is especially dangerous if someone enters their credit card number from a public computer.

I have a screen shot showing that this is not turned off on your site, however, your form has no option to upload a file.

Thank you!

David Pitts
If I remember correctly, PCI-DSS requires this in sections 3.2.3 and 3.4 (page 17 of SAQD for Merchants, v3.0).
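As an added example (not code from the original letter or from the organization's site), the following JavaScript audits static form markup for card-number and CVV inputs that are missing autocomplete="off", which is the check I would run against a checkout page before sending a letter like the one above. The field-name patterns and the sample form are constructed assumptions for the demo; adapt the patterns to your own form's naming.

```javascript
// Added example (not from the original post): audit HTML form markup for
// card-number / CVV inputs that lack autocomplete="off". The parser is a small
// regex over <input ...> tags, enough for static markup but not a full HTML parser.

// Name/id fragments that usually carry card data. These are assumptions for the
// demo; extend them to match the naming used on the form you are checking.
const CARD_FIELD_PATTERNS = [
  /card.?number/i, /creditcard/i, /\bcc(num|_number)?\b/i, /\bpan\b/i,
  /\bcvv2?\b/i, /\bcvc\b/i, /security.?code/i,
];

// Parse every <input ...> tag into { raw, attrs } with lower-cased attribute names.
function parseInputTags(html) {
  const tags = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>\/]+)))?/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      // Quoted (double or single) or bare value; a valueless attribute becomes "".
      const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4] !== undefined ? a[4] : "";
      attrs[a[1].toLowerCase()] = value;
    }
    tags.push({ raw: m[0], attrs });
  }
  return tags;
}

// Does this input look like it receives a card number or CVV?
function isCardField(attrs) {
  const candidates = [attrs.name, attrs.id, attrs.placeholder].filter(Boolean);
  return candidates.some((v) => CARD_FIELD_PATTERNS.some((re) => re.test(v)));
}

// Return one finding per card field whose autocomplete attribute is not "off"
// (absent, or set to any other value, including "on" or a cc-* token).
function auditCardInputs(html) {
  const findings = [];
  for (const { raw, attrs } of parseInputTags(html)) {
    if (!isCardField(attrs)) continue;
    const ac = (attrs.autocomplete || "").trim().toLowerCase();
    if (ac !== "off") {
      findings.push({
        field: attrs.name || attrs.id || "(unnamed)",
        autocomplete: attrs.autocomplete === undefined ? null : attrs.autocomplete,
        tag: raw,
      });
    }
  }
  return findings;
}

// Constructed sample form (not the organization's real markup): the card number
// field has no autocomplete attribute, the CVV field has it set to "on", and the
// expiry field is correct.
const SAMPLE_FORM = `
<form method="post" action="/pay">
  <input type="text" name="CreditCardNumber" maxlength="19" pattern="[0-9]{13,16}" required>
  <input type="text" name="cvv" maxlength="4" autocomplete="on">
  <input type="text" name="cardholder" autocomplete="cc-name">
  <input type="text" name="expiry" autocomplete="off">
</form>`;

for (const f of auditCardInputs(SAMPLE_FORM)) {
  console.log(`missing autocomplete="off": ${f.field} (autocomplete=${JSON.stringify(f.autocomplete)})`);
}
```

The audit covers the markup only. The attribute is a hint that browsers are not obliged to honour, so it belongs alongside the server-side PCI controls the letter mentions, not in place of them; the same scan can be pointed at a saved copy of the page to produce the evidence a screenshot would otherwise carry.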

Friday, September 5, 2014

Advertising your work

One of the things I have been reading lately is the Guide to Senior Executive Service Qualifications published by the United States Office of Personnel Management. The idea behind this guide is to help senior executives represent themselves best in terms of core qualifications. As such it lists 28 core qualifications broken down into five categories. These categories are
  • Leading Change
  • Leading People
  • Results Driven
  • Business Acumen
  • Building Coalitions

Most of the document is really about writing narratives about accomplishments and doing so in a way that meets with their criteria - i.e. following the CCAR model of Challenge-Context-Action-Result. The narratives should include specific examples of experience and focus on results. Basically it is building a good business and marketing plan for your work and your career.

In a previous post I wrote on the topic of how who talks about your work says a lot about its importance. While I wholeheartedly agree with OMB and their SEQs, and I am looking to add CCAR narratives to my resume, I find it is not the ONLY way to talk about your qualifications. In fact, when discussing these for resumes, the guide talks about references. It states to ensure that individuals provided as references can attest to your ability to perform the job and can speak to specific competencies.

In that previous post I gave examples of a digital reference - i.e. Governor O'Malley talking about a service we built for the Maryland Motor Vehicle Administration.

My company and my group have done some good work for MEMA - the Maryland Emergency Management Agency. Some of that work includes a free app for Apple and Android, called Maryland Prepares, that gives you real-time alerts in your area.

MEMA is working with various organizations and has begun posting advertisements on digital billboards in the Baltimore and Salisbury markets. Below is a picture of a billboard in Baltimore.

MEMA Maryland Prepares app advertised on digital billboard in Baltimore, MD
I think advertising like this is just cool! As MC Hammer said, "U Can't Touch This!"