
Friday, June 1, 2018

“I Keep Working My Way Back To You, Babe”

Originally posted on www.dpitts.com, May 1, 2018

The title of this article is both a hat tip to The Four Seasons and a wish for talented workers to come my way. Today the unemployment numbers were released for May, 2018. In case people were not aware of it, the President of the United States tweeted that they would come out today and that he was looking forward to them. Of course, Mr. President, you already knew what the numbers were. So why did you tweet them? Because they were very good, well above what was expected, and that is something the sitting President is all too eager to take credit for. I’m not sure he would take credit if the reverse were true, but I suppose with the next recession we will see.

I’ve been a first and second line manager for more than a decade. At times it has been difficult to find good, qualified, eligible and available employees. However, in my current region (Washington, DC area) and in my current field (Information Security, Compliance and Risk Management), I have to admit that this has been a difficult adjustment. Unemployment is at its lowest level in 18 or so years, with May coming in at a staggering 3.8%. While it is good that 223,000 jobs were added to the economy in May, it also means that wage growth is rising due to supply and demand. As an employee, these numbers are good news. As a hiring manager, not so much.

I’m sure economists are asking things like “is unemployment too low?” I’m not an economist. I’m a technologist and an executive manager. To me, when the unemployment rate gets below 5%, hiring gets difficult. When it drops below 4%, hiring moves to a headhunting mode of operations. Add to the general unemployment numbers the locale and market mentioned above, where anyone who is any good at what they do is already working, and this gets next to impossible. So, I have a few choices.
First, I can choose to hire a less-talented workforce, or second, I can raise salaries to entice people away from their current places of employment. The reality is, I may have to do both! The bottom line is that this is an employee’s market. To those of you in risk, compliance, information security and the cloud, look me up – I probably have a job for you. To those of you who are already employed, this might be the time to talk to your manager about a raise; otherwise, maybe contact me instead. To the hiring managers out there, how are you coping with the current environment?

Friday, March 2, 2018

Bad Boys, Bad Boys, whatcha gonna do when they come for you?

By David Pitts

March, 2018

Phishing, spear phishing, whaling, pharming, viruses, spam, rootkits – it’s as if computer people have their own dictionary! And, they do!

Back in the fall (2017), Deloitte, one of the world’s “big four” accounting firms, stated they had a breach of their internal email system. Internet rumor has it that the breach had been around for about a year and involved a compromise of all administrator accounts and their entire email system (cf. https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/ (1) for more on this). It is not uncommon for systems and companies to have breaches. Deloitte, Uber, Equifax, Sony, FedEx, Pizza Hut and Yahoo are among the companies with breaches in just the past year, and the list goes on and on.

Many of these breaches occurred in conjunction with or even through email systems. Current statistics estimate that there are over 100,000 new pieces of malware (malevolent software) found each and every day(2). Perhaps, it is time to rethink how we think about, react to, and compose email.

Hackers look for the path of least resistance. Taking advantage of organizations large and small for most hackers is all the same. They look for vulnerability, and they exploit it. For most hackers, brute forcing a password is a huge waste of time. There are so many other, easier, paths to take that are quicker and result in greater and more frequent success. Once a system is breached, that system is no longer secure. Email servers are a great source of vulnerabilities for hackers. Gaining access to one account can often lead to many more, both inside and outside the organization.

Security takes a look at three facets when it comes to data. The first is confidentiality. Is the data properly protected and limited to the people, systems, and services that need access and no further? Integrity is the second facet. Is the data what it is supposed to be or has it been altered? Is it trustworthy? The third facet is availability. Is the data available when you want it and where you want it by those authorized to view it? In security terms, this is known as the CIA triad(3). Is your data and are your systems confidential, trustworthy and available? Will it be tomorrow?

Recommendations concerning emails:

  • Always read emails you compose as though it might be read by someone other than the intended recipient. Don’t include personal information, ID numbers, phone numbers, email addresses, etc. that are not absolutely needed. Maybe that information, criticism, or whatever would be better shared in a phone conversation? Ask yourself, what would happen if someone like Anonymous or a foreign government, a customer or a competitor saw the email? What if it were released to the press or put on social media? What would be the ramifications to you, your co-workers, your organization, your clients, vendors, and partners?
  • Make sure that if you are including company or personal confidential information that it is protected according to your organization's data classification standards.
  • Make sure your email is addressed to the correct people before you hit send. Many hackers have set up “similar” domain names that account for popular misspellings in order to harvest information.
  • Make sure you use passwords that are complex and lengthy and are different for different types of sites and uses.
  • Ensure your operating system and software are up to date. Even if you think the software is automatically updating, regularly check manually. Software such as Adobe, Java, Office products, internet browsers, and security software updates frequently. Get in the habit of checking frequently. This includes browser add-ons.
  • Is your firewall on? Software firewalls are recommended to be running on end-user systems.
  • Carefully scrutinize emails and especially attachments. Never open or download an email attachment if you can help it. If you are going to open one, ensure you know where it came from and that your anti-virus is actively checking email attachments. Even emails from people you think are legitimate can contain malware.
  • Do not trust email – particularly unsolicited email.
  • Don’t click on links in email messages.
  • Back up your important data. If your computer right now locked up due to any number of reasons (breakage, malware, ransomware, etc.), do you have a storage device separate from your system where your important files are kept? If you are putting them on an external hard drive, do you detach it when you are not backing up?
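As an added example (not part of the original post), here is a small Python check for the lookalike-domain problem raised in the recipient bullet above: before sending, each recipient’s domain is compared with an allowlist of domains the organization actually corresponds with, and anything within one edit (a swapped, dropped, added or substituted character) of a trusted domain is flagged for a second look. The allowlist, the sample recipients and the one-edit threshold are constructed assumptions, not values from the post.

```python
"""Flag outgoing recipients whose domain merely resembles a trusted one.

Added example, not part of the original post. TRUSTED_DOMAINS and the sample
recipients are constructed for illustration; the one-edit threshold is an
assumption that suits short company domains.
"""

# Constructed allowlist of domains this organisation actually corresponds with.
TRUSTED_DOMAINS = {"example.com", "example.org", "partner-bank.example"}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and swaps of two adjacent characters each cost 1, so 'exmaple' is one edit
    away from 'example'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete a[i-1]
                          d[i][j - 1] + 1,          # insert b[j-1]
                          d[i - 1][j - 1] + cost)   # substitute
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[len(a)][len(b)]


def recipient_domain(address: str) -> str:
    """Extract the lower-cased domain from 'user@host' or 'Name <user@host>'."""
    bare = address.strip()
    if bare.endswith(">") and "<" in bare:
        bare = bare[bare.rfind("<") + 1:-1]
    return bare.rpartition("@")[2].lower()


def classify_recipient(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> str:
    """'trusted' for an exact match, 'lookalike of X' for a near miss, else 'unknown'."""
    domain = recipient_domain(address)
    if domain in trusted:
        return "trusted"
    for known in sorted(trusted):
        if edit_distance(domain, known) <= max_distance:
            return f"lookalike of {known}"
    return "unknown"


def review_recipients(addresses):
    """Map each address to its classification; anything but 'trusted' deserves a second look."""
    return {addr: classify_recipient(addr) for addr in addresses}


if __name__ == "__main__":
    # Constructed sample recipient list for a draft message.
    for addr, verdict in review_recipients([
        "jane@example.com", "Bob <bob@exmaple.com>", "ap@examp1e.com",
        "ops@partner-bank.exmple", "friend@gmail.com",
    ]).items():
        print(f"{addr:32} {verdict}")
```

Run as a script it prints a verdict per recipient. It does not cover homoglyph or internationalized-domain tricks, which need a separate Unicode-confusables check, so treat a “lookalike” verdict as a prompt to confirm the address out of band rather than as proof of a scam.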

The image posted on Krebsonsecurity(4) in 2013 shows some of the value of hacked email accounts. While it could be updated the essence of it is spot on.

You may ask yourself, what is an email credential worth? According to the same Krebs on Security article, “One prominent credential seller in the underground peddles iTunes accounts for $8, and Fedex.com, Continental.com and United.com accounts for USD $6. Groupon.com accounts fetch $5, while $4 buys hacked credentials at registrar and hosting provider Godaddy.com, as well as wireless providers Att.com, Sprint.com, Verizonwireless.com, and Tmobile.com. Active accounts at Facebook and Twitter retail for just $2.50 apiece.”

There is lots of good literature out there on recognizing and avoiding email scams, including information from US CERT(5) and others. At least once a year, read through one or two of these, take note of what is going on, and be smart about things. Above all, use common sense! Remember, just about everybody is a victim. Some have not been victimized yet, but it is coming. Also, we are all human. We make mistakes; we accidentally click on things we shouldn’t and expose ourselves and our organization to risk. Add to that the number of usernames and passwords that are already compromised and in the hands of nefarious people, and the problem only gets worse. A security researcher in Paris has unearthed an open web server hosted in the Netherlands that contains as many as 711 million usernames and passwords(6). The bottom line is that we are past the point where we should be thinking about breaches as something that happens to others. PII is no longer private. Usernames and passwords are compromised. Use 2-step verification where available, add recovery email accounts, harden hardware, use strong passwords, don’t use the router’s default DNS servers, keep software up to date, but remember, even the best defenses fail.

If you do fall victim to an attack, first know that it is no fun. It is frustrating and time-consuming. Cleaning up can be very difficult. Sometimes this includes completely wiping many computers’ hard drives and reinstalling fresh operating systems (you do have that disconnected backup, right?). Get assistance quickly. Communication with your organization’s security team is key. Taking systems off the network is key. For personal equipment, tools like Malwarebytes(7) and SUPERAntiSpyware(8) are useful to have on hand (before the breach).

Oh, and one final note... Microsoft doesn't call you at home. Just don't accept that!

Sources:

1. Krebs Deloitte Breach: https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/
2. Cybersecurity Threats and Basic Cyber Hygiene: https://www.brookings.edu/on-the-record/cybersecurity-threats-and-basic-cyber-hygiene/
3. CIA Triad: http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
4. The value of a hacked email account: https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/
5. US CERT Recognizing and Avoiding Email Scams: https://www.us-cert.gov/sites/default/files/publications/emailscams_0905.pdf
6. 32 of the most infamous data breaches: https://www.techworld.com/security/uks-most-infamous-data-breaches-3604586/
7. Malwarebytes: https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/
8. Superantispyware: http://www.superantispyware.com/

Thursday, November 2, 2017

Why I Am Leaving A Great Company and a Good Job

I have been in the IT industry since the early 1980's. My first paid gig was programming an inventory and invoicing system. Since then I have worked for many great companies including Boeing, IBM, Sutter Health, and Ashland Oil working as a developer, systems and network administrator, database administrator, first and second level manager and small business owner. I have had the pleasure and opportunity to work on major high traffic web sites delivering millions of pages a day. My current assignment is that of a security manager with NIC's Indiana subsidiary. We process billions of dollars on behalf of the State of Indiana.

Friday, November 3, 2017 will conclude an eight and a half year run with NIC. When I look back at the many successes I have had with NIC, I can honestly conclude I have been successful. I have had many opportunities to make NIC better and I have succeeded with most of them. I believe the states (and their businesses and citizens) I have worked with - particularly Indiana, Mississippi, and Maryland - are better off because of what I brought to the situation.

I sincerely appreciate having had the opportunity to work with this company and the people I have met and worked with along the way. The old cliché for a break up is “It’s not you, it’s me.” While this cliché many times gets a bad rap, in this case it is true. I'm about to turn 50. I started at NIC at 41. My expectation was in 8-10 years to be a part of executive management. I have learned and grown a great deal serving this company, and many people have helped and supported me, leading to my success. My current role, while it has some interesting aspects to it, is not where I want to be. I want to focus on running things - both strategically and operationally.

I haven't "quit" a job since February, 2003. It is not easy leaving a job. In fact, it takes a lot of courage. Quitting a job is a choice, an active choice. Quitting a job is a risk. However there is value in the risk. Whether the value of the risk is greater than the option of staying where I am is part of the entire risk equation. Do I fear regret more than I fear failure? I am not a fan of regret. It is negative, ugly, and scary. Failure is also scary, but it is not ugly nor negative. How will my 20-something self react to this decision? How will my 70-something self react to this decision? Have I disappointed my 20-something self? Have I put a smile on my 70-something self?

I guess it boils down to trust, doesn't it? The path to the future is unclear. But, I don't fear the unclear path. I have faith in it. I am reminded of a story I was told many years ago. It holds special meaning in times like this.

A group of Boy Scouts (could have been Girl Scouts, who knows!) were hiking down the path one Saturday afternoon. After about a mile down a particular fork, the lead scout realized they were on the wrong path. The current path was fairly smooth and was a good path. Unfortunately, it didn't lead to where they wanted to go. The scout had a choice: continue down the comfortable path, or go back to the fork and head down one of the other paths. How would the other scouts react if the lead said to turn around, or, worse, said to cut through the underbrush in an attempt to find another path that might get them closer to their desired destination?

It is all about scope then, isn't it? What is the destination? There are millions of destinations. What is the desired one for me? As I stated above, my desire is focusing on running things - strategically and operationally. I know where I want to be. Time to cut through the underbrush.

Monday, March 27, 2017

To arms! To arms! The British are coming!

The British are coming! The British are coming! To arms! To arms!

No, this is not a reenactment of the war of American independence. But, it is a call to action to go to war to protect liberty! And have no doubt, it is a war. The thing with wars is that there are winners and there are losers. History is written by the winners. In today's war on liberty there are no winners and everyone loses. Worse yet, other wars (perhaps also unwinnable) are some of the battlefields upon which the war on liberty is fought. The "war on terrorism" is a good example of such a battlefield. "Terrorism" is such a convenient term to use, after all. It evokes very strong emotions. It is a strong word, and one which, I believe, is highly overused. However, politicians and others with an agenda will use such strong words to evoke emotions and sway people to action. In today's world, we don't have a word or phrase for "somebody is doing stupid stuff like destroying property or killing people" that evokes the proper horror or malcontent as it should. So, the governments have politicized and armed "terror" and "terrorism" to be blanket terms for all sorts of deplorable actions. They are then using these "terrors" to remove the civil liberties of those being terrorized - that's right, the victims.

Today's New York Times (03/27/2017) has an article where "Amber Rudd, Britain’s home secretary, said that the country’s intelligence agencies should have access to encrypted messages sent through WhatsApp, an instant-messaging service owned by Facebook. Her remarks were part of the British response to the fatal terrorist attack last week in London" (cf. https://www.nytimes.com/2017/03/27/technology/whatsapp-rudd-terrorists-uk-attack.html). Here we see where "Khalid Masood, a 52-year-old Briton, drove a car into pedestrians before attacking a police officer." Is that terrorism? Of course not. Is it deplorable? Yes, it is. But, they are calling it terrorism so that they can justify crossing civil liberties. They want to require that technology allow back doors into software so that they can see what data is being transferred.

If they do get access to the encrypted data, what they would see is garbage. That's the idea behind encryption. Cryptography, the use of codes and ciphers to protect secrets, began thousands of years ago. The basics of it are that there is a secret part and there is a public part. The public part is available for viewing/hearing. The private part is what turns the public part into something useful for the receiver. Since the 1970s, the public has had access to the ability to encrypt data at a level that governments have historically had. And governments, as Ms. Rudd points out, do not like it. In fact, they despise it. So much so that they want to entice persons (and companies) to refrain from having and using encryption that the governments can't decrypt. How might they entice such actions?

In the same New York Times article it said, "The move by British lawmakers is the latest effort in Europe to police how internet giants operate online. This month, a German government minister, Heiko Maas, said that he would propose new legislation that could fine tech companies around $50 million if they failed to stop hate speech being spread on digital platforms like Facebook, Twitter and Google’s YouTube."... "Officials in Britain, however, are going a step further. And by demanding that intelligence agencies be allowed to read encrypted messages, Ms. Rudd is reiterating long-held plans to gain more control over digital services."

Again, what is at stake here is individual liberty. A person is permitted to do all and only the things he is not obliged to refrain from, and obliged to do all and only the things he is not permitted to refrain from. In other words, they have liberties and rights. Rights can be taken away, but not liberties. Liberties are those which you can do just because God gave us life. (I realize this isn't quite legal definitions - as those would refer to Liberty Rights and Claim Rights. I'm just simplifying.)

While I understand the frustration the British government and all governments are facing, such actions cannot be condoned. This is not about terrorism. This is about basic civil liberties. I completely understand that when people are at liberty to do something, then there is risk. They might get out of control. They might use this liberty to harm others. As in London, people have the ability to run over people with a car. However, to use this as an excuse to curtail liberty is more than an injustice. It is a duty of every human to "secure the blessings of liberty to ourselves and our posterity." In today's world, that security includes confidence in secure communications.

Amendment IV of the Bill of Rights states that "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." The American Bill of Rights gives a way for the US government to inspect a person's home, papers, or effects. It is done at the "person" level. Corporations do not have the right to infringe upon the individual and disclose private data transferred. If the government has probable cause, they can get a warrant to the individual.

However, if a position were adopted that sought to curb these liberties, then people would be controlled. This would certainly make the job of the British government, FBI or local police force easier. However, in elevating "safety" to the place of primary value, then we lose that which we value even more - liberty. In opting for security, we are opting to give up freedom of movement, freedom of choice, freedom of speech, freedom of action. We have already given up too much of this due to terrorists and terrorism. Giving up liberty to gain safety means we gain nothing and lose a lot. We have already lost too much. It is the duty of technology companies to society to not comply with these demands.

Have no doubt: the war is not coming, it is here, and our liberties are at stake. The Googles, Facebooks, Apples, etc. are on the front lines. They must fight and we must support them in this fight.


Originally published on www.dpitts.com on 3/27/2017. This article is not meant to be legal advice. The author is not a lawyer. Reprint and publication requests can be sent to publications@dpitts.com

Friday, September 9, 2016

Dear Credit Card taker - turn off autocomplete

This is a letter I sent today to <security certification organization>. As they have not had time to respond, I will protect their name. They *were* using HTTPS at least. I realize that there are different names for this with different browsers - AutoFill (Safari/Chrome), Auto Form Fill (Firefox), AutoComplete (Internet Explorer), but the concept is the same. Turning off this feature has been around since at least 2011. Also, it should be turned off for the CVV as well.

Dear <Security Certification Organization>
I am a new member. I registered today putting my credit card into your system to pay the annual dues. I then went back and added on-line training. I found it disturbing that an organization promoting and certifying security people would not have autocomplete turned off for credit cards being accepted on-line. This makes me question whether other security precautions have been taken and how much I should trust the <Security Certification Organization>'s web site.

Always, always set autocomplete="off" in the input tag. For example:
<input autocomplete="off" name="cc" type="text">


So, perhaps it might look like this (I have not validated this):
<input autocomplete="off" class="form-control" id="j_id0:j_id1:j_id2:j_id45:j_id46:j_id47:j_id48_11:j_id539:CreditCardNumber" maxlength="255" name="j_id0:j_id1:j_id2:j_id45:j_id46:j_id47:j_id48_11:j_id539:CreditCardNumber" onkeyup="toggleSelectedCreditCard(this);" pattern="[0-9]{13,16}" required="required" size="20" type="text" />
Otherwise, if people have the form completion feature turned on their credit card number will be stored in plain text somewhere on the computer (in the registry, or elsewhere). This is especially dangerous if someone enters their credit card number from a public computer.

I have a screen shot showing that this is not turned off on your site, however, your form has no option to upload a file.

Thank you!

David Pitts
If I remember correctly, PCI-DSS requires this in sections 3.2.3 and 3.4 (page 17 of SAQD for Merchants, v3.0).
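The following Python script is an added example, not part of the letter or the organization’s site, that applies the check the letter asks for to an HTML form: it parses the form with the standard library’s html.parser, picks out inputs whose name, id or placeholder suggests a card number, CVV or expiry, and reports any that are not covered by autocomplete="off" on either the field or the enclosing form. The two sample forms and the keyword list used to recognise payment fields are constructed assumptions.

```python
"""Audit an HTML payment form for fields that leave browser autofill enabled.

Added example, not part of the original letter. The sample forms are
constructed, and the field-name keywords used to spot card inputs are an
assumption; adjust them to the naming used on the site being reviewed.
"""
import re
from html.parser import HTMLParser

# Assumed naming conventions for card-related inputs (exact tokens and substrings).
EXACT_TOKENS = {"cc", "ccnum", "cvv", "cvv2", "cvc", "csc", "pan", "exp"}
SUBSTRINGS = ("card", "expir")


def looks_like_payment_field(label: str) -> bool:
    """True if a name/id/placeholder suggests a card number, CVV or expiry field."""
    label = label.lower()
    tokens = re.split(r"[^a-z0-9]+", label)
    return any(t in EXACT_TOKENS for t in tokens) or any(s in label for s in SUBSTRINGS)


class PaymentFieldAuditor(HTMLParser):
    """Collect payment inputs that are not covered by autocomplete="off"."""

    def __init__(self):
        super().__init__()
        self.form_autocomplete = None   # value set on the enclosing <form>, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Bare attributes such as `required` arrive with value None.
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.form_autocomplete = a.get("autocomplete")
            return
        if tag != "input" or a.get("type") in {"hidden", "submit", "button"}:
            return
        label = " ".join(a.get(k, "") for k in ("name", "id", "placeholder"))
        if not looks_like_payment_field(label):
            return
        # A field-level attribute wins; otherwise the form-level setting applies.
        effective = a.get("autocomplete", self.form_autocomplete)
        if effective != "off":
            self.findings.append(a.get("name") or a.get("id") or "<unnamed>")

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = None


def audit_form(html: str):
    """Return the names of payment fields that browsers would be allowed to remember."""
    auditor = PaymentFieldAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: the card number is protected, the CVV is not.
LEAKY_FORM = """
<form action="/pay" method="post">
  <input name="CreditCardNumber" type="text" pattern="[0-9]{13,16}" autocomplete="off" />
  <input name="cvv" type="text" maxlength="4" />
  <input name="exp_month" type="text" autocomplete="off" />
  <input name="billing_email" type="email" />
  <input name="csrf" type="hidden" value="constructed" />
</form>
"""

# Constructed sample: the whole form opts out, so every field is covered.
FIXED_FORM = """
<form action="/pay" method="post" autocomplete="off">
  <input name="CreditCardNumber" type="text" />
  <input name="cvv" type="text" />
</form>
"""

if __name__ == "__main__":
    print("leaky form:", audit_form(LEAKY_FORM))   # ['cvv']
    print("fixed form:", audit_form(FIXED_FORM))   # []
```

Browser behaviour has moved on since 2016: current browsers ignore autocomplete="off" for some field types, so a clean audit confirms that the page follows the recommendation in the letter, not that no browser will ever offer to save the value. The stronger control remains never echoing a full card number back into a form at all.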

Friday, September 5, 2014

Advertising your work

One of the things I have been reading lately is the Guide to Senior Executive Service Qualifications published by the United States Office of Personnel Management. The idea behind this guide is to help senior executives represent themselves best in terms of core qualifications. As such it lists 28 core qualifications broken down into five categories. These categories are
  • Leading Change
  • Leading People
  • Results Driven
  • Business Acumen
  • Building Coalitions

Most of the document is really about writing narratives about accomplishments and doing so in a way that meets with their criteria - i.e. following the CCAR model of Challenge-Context-Action-Result. The narratives should include specific examples of experience and focus on results. Basically it is building a good business and marketing plan for your work and your career.

In a previous post I wrote on the topic of how who talks about your work says a lot about its importance. While I wholeheartedly agree with OPM and their SEQs, and I am looking to add CCAR narratives to my resume, I find it is not the ONLY way to talk about your qualifications. In fact, when discussing the use of these for resumes, the guide talks about references. It states to ensure that individuals provided as a reference can attest to your ability to perform the job and can speak to specific competencies.

In that previous post I gave examples of a digital reference - i.e. Governor O'Malley talking about a service we built for the Maryland Motor Vehicle Administration.

My company and my group have done some good work for MEMA - the Maryland Emergency Management Agency. Some of that work includes a free app for Apple and Android that gives you real time alerts in your area called Maryland Prepares.

MEMA is working with various organizations and has begun posting advertisements on digital billboards in the Baltimore and Salisbury markets. Below is a picture of a billboard in Baltimore.

MEMA Maryland Prepares app advertised on digital billboard in Baltimore, MD
I think advertising like this is just cool!  As MC Hammer said, "U Can't Touch This!"

Friday, April 18, 2014

A Layman’s Guide to Heartbleed

By David Pitts, April 18, 2014

The modern world relies on computer security.  Unfortunately, the modern world also takes security for granted.  My goal with this article is to write about the Heartbleed security flaw so that non-technical people can understand what it is, what its impact is, and how to help protect themselves and to be able to have an intelligent discussion about it.  I try to limit the technical jargon, but given it is a technical topic, some will have to be there.  The reader can search the internet for “CVE-2014-0160” or visit http://heartbleed.com/ to get a more technical understanding. 

The Heartbleed security flaw has been all over the news the past couple weeks and rightfully so.  Its official reference is “CVE-2014-0160”, but that’s hard to remember and hard to sensationalize in the news.  The flaw is part of the software that allows and responds to “heartbeat” requests.  So, it gets called the Heartbleed bug as a play on words.  This is (hopefully) the worst security flaw the computing world will see exposed this year.   I say this, not because I know what has yet to be exposed, but because I understand what this one does and can do.   Generally when I think about security I break it down into three major factors – impact, severity, and difficulty.

  1. Impact:  How prevalent is it – in other words, how many systems and services are potentially affected.  Also, how many users are potentially affected.
  2. Severity - How much damage can it do – what is it capable of giving or exposing, and to whom?
  3. Difficulty - How difficult is it to exploit – do you need special access or knowledge, etc.  This would also include whether an exploit has been made available “in the wild”.

For Heartbleed, it is the trifecta of security flaws.  It has very high impact, very high severity, and is very easy to exploit.

What is it

Heartbleed is the term that has been given to a flaw in some software used to encrypt data.  It is not a virus.  You can’t update your antivirus and be protected.  The software is part of the OpenSSL project.  The particular bug was in OpenSSL’s handling of the heartbeat extension to the transport layer security protocol.  If you want to know more about the heartbeat protocol, search the internet for RFC6520.

Where is it

It is used for web sites, network equipment, mobile phones, firewalls, etc.  Basically, it could be anywhere that developers have wanted to secure a transmission and have used this library.  The fix, therefore, is for organizations to be responsible and to fix their services.  According to heartbleed.com, about two-thirds of all servers on the internet use software that uses the OpenSSL library.  Some percentage of those potential servers was actually affected.

Why is it

It was a human mistake.  One of the nice things about open source is if you have the inclination, you can see who wrote the code, when it was made part of the library and actually look at the code. 

When

It was found by several groups around the same time.  Google reported it on April 1, 2014, Codenomicon (a Finnish cybersecurity company) discovered it on April 3rd.  They are the ones that named it and then put up the heartbleed.com web site to explain it to the public.  In giving these dates, I am presuming that some security agency didn’t find it before then, so they don’t get credit.  The bug was analyzed and verified.  The organizations contacted the OpenSSL group and reported the flaw.  A patch was put in place and released on April 7th and the bug was publicly disclosed the same day.  The code that introduced the bug was written in 2011 and became part of OpenSSL March, 2012.  Rumor has it various entities have been exploiting this bug for months if not years.  One such story was published here:  http://arstechnica.com/security/2014/04/heartbleed-vulnerability-may-have-been-exploited-months-before-patch/. I’m a fairly paranoid person, so I don’t believe that two independent organizations within two days of each other found the same bug.  I would be more willing to believe they were led that direction or that they were working together or that they were tipped off, or some other such story.  I just have a hard time suspending my disbelief for such a coincidence.

What does it do

The heartbeat protocol is a way to keep a communication conversation from timing out.  It ensures that the peer can be reached and is alive.  In computing terms, starting and shutting down a secure communication stream is much more work for the computers than maintaining an open connection.  The basic concept is that at almost any time a “HeartbeatRequest” can be sent.  The receiver then responds with a “HeartbeatResponse”.

But, what does it respond with?  Since computers can’t do random, it can’t pull something out of its magic hat; instead it pulls data from memory somewhere near what it is working with.  As a heartbeat response is just supposed to be a single character response, pretty much any single character response will do.  (I am reminded of Sean Connery’s character in The Hunt for Red October requesting “just one ping please” - https://www.youtube.com/watch?v=jr0JaXfKj68.)

If that were the extent of it, then there wouldn’t be a problem.  The problem is that the way the code was written, the requestor can change the size of the request.  Instead of one character, say an “A”, it can request up to 64K of data. That is 64536 sequential characters from memory.  Technically speaking, the memory that it is reading has been marked to be reused.  However, computers don’t clear out the old data; they just overwrite it.  I used to do the same thing with my file folders.  I had a file folder labeled “Windows NT”.  I then took another label and put it on it that said “Red Hat Linux”.  If you lift up the old label you can still read the label underneath.  To put it another way, let’s say you ask me for a playing card.  I’m supposed to give you one playing card.  So, I reach in, and I pull out a playing card and I give it to you.  You then come back and say, “Hey, I want a playing card, give me 10 of them.”  So, I see the request for a playing card, and I give you 10 of them (or sixty-four-thousand of them).

Another aspect of this bug that makes it even more insidious is that in by far the majority of cases, the exploit is not logged.  The device being affected would have to monitor both the incoming and outgoing traffic and notice that a single byte was requested but more than one byte was delivered.  The request isn’t going to a normal service (such as the web server itself), so that service is not logging it.  When you hear it said that there is no indication that it has been exploited, the statement is true.  However, the statement means nothing.  I don’t know Latin, but I’m sure there is some Latin phrase that means “listener beware because the speaker is spouting doo-doo”, maybe something like “Qui audit, dicentis implebitur fimo” if http://translate.google.com is to be believed.
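To make the two previous paragraphs concrete, here is an added Python model written for this article (it is not OpenSSL’s C code) of the heartbeat message layout from RFC 6520: a responder as the code behaved before the fix, a responder with the length check the fix added (the claimed payload plus header and minimum padding must fit inside the record actually received), and the detection rule described above, which compares the size the request could have carried with the size of the reply. The byte strings standing in for neighbouring process memory are constructed.

```python
"""Model of the TLS heartbeat length check whose absence was Heartbleed (CVE-2014-0160).

Added example written for this article; it is not OpenSSL's code. The
'memory' buffers are constructed to stand in for process memory that happens
to follow the received record. Field layout follows RFC 6520: type (1 byte),
payload_length (2 bytes), payload, then at least 16 bytes of padding.
"""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER_LEN = 3          # type + payload_length
MIN_PADDING = 16


def build_heartbeat(msg_type: int, claimed_length: int, payload: bytes,
                    padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Encode a heartbeat message. claimed_length is written as given, so a
    dishonest request can claim far more payload than it carries."""
    return struct.pack("!BH", msg_type, claimed_length) + payload + padding


def respond_unchecked(memory: bytes, record_length: int):
    """Toy model of the buggy behaviour: trusts payload_length from the peer and
    copies that many bytes starting at the payload, running past the record."""
    msg_type, claimed = struct.unpack("!BH", memory[:HEADER_LEN])
    if msg_type != HB_REQUEST:
        return None
    echoed = memory[HEADER_LEN:HEADER_LEN + claimed]   # slice, not a raw read
    return build_heartbeat(HB_RESPONSE, claimed, echoed)


def respond_checked(memory: bytes, record_length: int):
    """Corrected behaviour: a claimed payload that cannot fit inside the received
    record (with its padding) is silently discarded, as RFC 6520 requires."""
    if record_length < HEADER_LEN + MIN_PADDING:
        return None
    msg_type, claimed = struct.unpack("!BH", memory[:HEADER_LEN])
    if msg_type != HB_REQUEST:
        return None
    if HEADER_LEN + claimed + MIN_PADDING > record_length:
        return None
    return build_heartbeat(HB_RESPONSE, claimed, memory[HEADER_LEN:HEADER_LEN + claimed])


def response_exceeds_request(request_record_length: int, response: bytes) -> bool:
    """Detection rule from the article: the reply carries more payload than the
    request record could possibly have held."""
    max_request_payload = request_record_length - HEADER_LEN - MIN_PADDING
    _, response_payload = struct.unpack("!BH", response[:HEADER_LEN])
    return response_payload > max_request_payload


# Constructed data: a one-byte request followed by unrelated secrets in memory.
NEIGHBOURING_MEMORY = b"session=SECRET123; user=alice; "
HONEST_REQUEST = build_heartbeat(HB_REQUEST, 1, b"A")
DISHONEST_REQUEST = build_heartbeat(HB_REQUEST, 40, b"A")   # claims 40, carries 1


def demo():
    """Return (unchecked leaks secret?, checked discards?, detector fires?) for the dishonest request."""
    memory = DISHONEST_REQUEST + NEIGHBOURING_MEMORY
    record_len = len(DISHONEST_REQUEST)
    leaked = respond_unchecked(memory, record_len)
    return (
        b"SECRET123" in leaked,
        respond_checked(memory, record_len) is None,
        response_exceeds_request(record_len, leaked),
    )


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

demo() returns three booleans: whether the unchecked responder echoes the constructed secret, whether the checked responder discards the dishonest request, and whether the size comparison flags the oversized reply. The model slices a Python bytes object rather than reading raw memory, so the over-read stays inside the constructed buffer; the point it demonstrates is that the single comparison in respond_checked is what separates a harmless echo from a leak.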

As a consumer, what should I do?

This is the tough part.  The real answer depends on many factors.  I used to say that there is no such thing as security.  The only way to make a computer secure is to unplug it, put it in concrete, and once the concrete sets, dig a deep hole, put it in the hole, bury it, and then forget where you buried it.  However, I am not convinced that this is secure either.

The question is really about what is secure enough?  The data you have on a social media account (Facebook, Twitter, Google+, Youtube, Pinterest, etc.) is supposed to be fairly public.  The data you have at your bank or the doctor’s office is supposed to be fairly private.  Now, treat it that way.

The media is telling you to change your passwords.  This is a good idea.  However, if the service is still vulnerable, then changing your password doesn’t help much, does it?  The new password can be read out of the server’s memory just as easily as the old one.  So you want to make sure that the service you use and care about is no longer vulnerable before you change it – at least as best you can.

Unfortunately, there are a couple of problems here.

First, at least in the United States, there have been laws on the books since the mid-1980s that try to define what is legal and what is not.  I’m not a lawyer and I don’t play one on the internet.  There are people trying to figure this stuff out (http://www.fas.org/sgp/crs/misc/RS20830.pdf for example), but the lines are far from clear.  If you test a service you do not own, you may or may not be violating those laws.

Second, the current set of tools is only partially accurate.  Many organizations have released Heartbleed checkers that you can run against websites, add as extensions to browsers, etc.  While I do not endorse any of them, the list includes http://filippo.io/Heartbleed/, https://lastpass.com/heartbleed/, https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic.  What the industry is finding is that each tool looks for something specific: some only check whether the server advertises the heartbeat extension, some send a single malformed heartbeat and give up if no answer arrives within a timeout, and some only test the default HTTPS port.  A clean result from one tool is therefore not proof that the service is safe, and a positive result from another may be a false alarm. 

In the US we live in a world where we feel we have very little control.  The rich, the law breakers, the “man”, or whoever, makes the rules and all we can do is try to cope as best we can within the constraints we are given.  Public awareness is probably the greatest tool. 

When former President Ronald Reagan said “Trust but Verify” (https://www.youtube.com/watch?v=As6y5eI01XE) he was referring to the nuclear arms treaty between the US and the Soviet Union.  The concept is a good one and one that should be followed here.  Is the organization transparent in its treatment of security in general?  It should be.  Is the organization transparent in its treatment of this and other bugs?  It should be.  As a consumer, your job is to ask, and to expect an answer.  Ask publicly, and expect a public answer.  There are several lists out there that will tell you some of the sites that were affected by the Heartbleed bug.  One such site is Mashable (http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/).  As mentioned earlier, this bug, in almost all cases, does not get logged.  So when they tell you that “Currently, we have no indication that any of customers’ information was compromised”, as one email I received on April 13th stated, you know they are telling you the truth.  It doesn’t mean anything, but it is the truth.

In an article on americanbanker.com (http://www.americanbanker.com/issues/179_75/heartbleed-bug-lurks-beyond-websites-1066969-1.html?zkPrintable=1&nopagination=1) on April 17th, JD Sherry is quoted as saying, “We don’t know the breadth or depth of this yet.”  I know JD.  He is right.  We don’t.  As consumers, our job is to make sure that our providers are being responsible.  JD said in the article that it may take “weeks and months to get people’s arms around this, and quite frankly some people are never going to get to the patch all their systems, which is a scary thing.”  Again, JD is correct, it is scary.

Hopefully the lesson from this is that we need better transparency from our service providers.  We need a more mature security model, particularly for those services that contain protected data, private information, health information, and personally identifiable information that the consumer wants kept private.  This also means that we, as consumers, need to be better informed.  Hopefully, this article has helped with that.

David Pitts, Executive Technology Manager
Mr. Pitts is a seasoned technology executive with over 30 years of technology and operations experience, including 10+ years of senior technical executive management and 16+ years of total management.  Mr. Pitts has experience planning, developing, and implementing large distributed environments and public and private cloud computing platforms, utilizing resources, and managing projects and staff in such areas as E-Government, Internet, manufacturing, healthcare, and higher education.  He is adept at crisis management, troubleshooting, problem solving, and systems architecture.  He is a trained educator, published author and an experienced public speaker.

Tuesday, April 15, 2014

Heartbleed - the most dangerous bug you will see this year - and the emails coming out from companies are almost criminal.

This "heartbleed" issue really shows how ignorant a world we live in, at so many levels. It also shows how much we trust. After explaining the issue to my tech team, one of the things I told them was to think about where this issue sits in the whole stack and what that means. If you understand that, then you can respond to all the FUD and misinformation that is out there.

Simply put, the problem is/was with the OpenSSL library. OpenSSL is a library linked into the server process (remember, server is SOFTWARE, not HARDWARE); it handles the TLS layer and sits between the kernel's network socket and the application code. A heartbeat request with an oversized length field causes a buffer over-read (not an overflow: memory is read, not written), and the library sends the contents of adjacent memory back as the response. Because the heartbeat is answered entirely inside OpenSSL, the request never reaches the application, so your web server, your ftp server, or your mail server is not seeing it. Since it is not seeing it, it isn't logging it. The kernel carries the encrypted bytes, but it doesn't inspect or log what it carries at this level (under 99.999% of the scenarios), so it doesn't log it either. Get details at many locations. One such location is http://en.wikipedia.org/wiki/Heartbleed#Claims_of_possible_knowledge_and_exploitation_prior_to_disclosure; another such location is http://heartbleed.com/

So, what kind of FUD and dis-information is out there... let's see:

  1. Change your password. While it is good to regularly change your password, to have distinct passwords for each service, and all that, this is NOT the first line of defense that people should be taking. This is the equivalent of putting your stack of $20 bills in the front seat of your 1967 Mustang convertible, making sure the windows are up and the doors are locked, and then walking away. Did you make sure the top was up? NO. Therefore, bad person reaches over the window and takes your $1,240 and laughs and laughs and laughs. The first thing you should do is make sure that the server has been patched and is no longer vulnerable. Once this has occurred, then change your password, make sure that each service has a distinct password, turn on multiple forms of authentication, and do whatever else will ensure that you can sleep at night knowing that your Facebook, Twitter, or email account is safe and secure.
  2. Currently, we have no indication that any of customers’ information was compromised. Of course they don't. Nice marketing; it doesn't mean squat and in fact is misleading almost to the point of criminal.

Wednesday, February 26, 2014

NIC Maryland finalist for Tech Company of the Year



http://chesapeaketech.site-ym.com/news/161894/CRTC-Announces-TechAwards-2014-Finalists-Honoring-the-Regions-Top-Technology-Companies-and-Leaders.htm


Annapolis, MD – February 21, 2014 – The Chesapeake Regional Tech Council (CRTC) today announced the finalists for the upcoming 9th annual TechAwards 2014: Get in the Game, honoring the region's rising tech companies, outstanding innovators and all-around top "geeks."


 ...


The Tech Company of the Year Award is awarded to an enterprise that has proven its dedication, vision and ability to work with a sustained, strategic business plan and to steadily grow into a prominent player in the Annapolis-Washington-Baltimore tech industry. Finalists include:
...


Maryland Interactive LLC - Annapolis, MD
Established in 2011, Maryland Interactive LLC, an Annapolis, Maryland-based subsidiary of the eGovernment firm NIC Inc. (http://www.egov.com), is the premier provider of the award winning Maryland.gov official government website and more than 23 online and mobile apps and secure payment processing solutions for the State of Maryland.  


Wednesday, July 17, 2013

Who talks about your work says a lot about its importance.

Who talks about your work says a lot about its importance.  The work we do in Maryland and the other twenty-some-odd states is important.  One of the things I like about Maryland, however, is that the executive branch embraces technology and embraces the work that we do.  In the video below (http://youtu.be/oEhOG17qLak) you won't hear my company mentioned.  This is as it should be. We are the people behind e-government ™. 

Who talks about your work?

Monday, February 18, 2013

Network Assurance Exam

 
Recently I came across the Domestic Preparedness site for the Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA), which can be found at http://www.teexwmdcampus.com/.  I passed the first exam, Network Assurance.  Here is my certificate.

Tuesday, January 15, 2013

My team launched the Central Business Licensing application for the State of Maryland (https://egov.maryland.gov/easy/) and then Governor O'Malley had a press release about it. You can read a story about it and watch a nice video at technicallybaltimore.com here: http://technicallybaltimore.com/baltimore-2-0/gov-omalley-unveils-central-business-licensing-system-at-betamore-video/

My team worked hard to get this done. Very proud of the entire team!

Monday, September 10, 2012

Management Philosophy: behavioral versus training issues

Many years ago I learned a management philosophy. It was my first time being a manager. I was young and I was ignorant. I was also more fortunate than I deserved. My district manager never used the word mentor, but that is what he was. Like a good mentor he was wise and he was patient.

When I would talk to my district manager about employee issues he would ask if it was a behavioral issue or a training issue. Sometimes it was easy to answer, sometimes not so much. However, he wouldn't quit asking questions until I could answer this question.

The answer to this question did not affect what was done. It affected when it was done. Showing up late, leaving early, insubordination, fighting, bad attitudes as well as more grievous things like theft, drinking, drugs, illegal activities are all behavioral issues. These must be addressed immediately.

Other types of issues are training issues. How to do things - frying burgers or building servers - are trainable. Sometimes the training is for the manager. Did the manager make it clear what the expectations were? I talked about asking what success looked like here. These things you address over time.

For me, having learned this distinction has really made my management easier. I am a big proponent of categorization. You can't predict the million ways things can go wrong or at least the million ways things can go not right. Therefore, you figure out what right looks like, manage toward that, and then address the problems as they arise. Of course, there are times where it isn't a case of a problem, it is a case of defining better. These are generally educational issues, so you address them over time.

Friday, August 24, 2012

Two questions I keep asking...

Somewhere along the road of my career I learned the value of asking two questions. I have repeated them over and over. Recently I heard a former colleague ask the first question. My ego hoped he had learned it from me. I don't know, really, but I won't risk bruising my ego by asking. You would think that these two questions are fairly intuitive, but people fail to ask them and then they can't figure out why they are not successful. Of course, just asking the questions does not immediately make you successful. However, without asking, you are as doomed as the dart thrower in a blackout or the blind pig. So, even though I know there is a chance of getting an acorn or even hitting the target and possibly the bull's eye, the chances are greater when you can see what the goal is.

The first question is "What does success look like?" I remember when I was younger and dating this nice girl. Her mother was a seamstress. She would be there sewing away or cutting some fabric. You would ask her what she was doing and she would say, "making a dress!". She knew what success looked like. It looked like a dress and one that was the correct size, the correct fabric, the correct print, the correct buttons, the correct ribbons, the correct everything.

So, with anything in my career, this is the first question that I try to ask. I am amazed at how many people don't have a good answer to this question. I am equally amazed at how many people have a bad answer to this question. For my career, an easy example of what success looks like is Eric Schmidt of Google fame. Do I think I am Dr. Schmidt? Of course not. However, I do see here a man who knew what success looked like and pursued it. I love seeing Dr. Schmidt's videos. I get encouraged when I see videos of him earlier in his career as well as those from later in his career. Not only do I learn an example of what success looks like (and sounds like), but I also get an insight into his management style, his speaking style, and his presentation style.

"Where there is no conflict there is no life... " Machiavelli
I think it is particularly interesting to compare two people on the same stage. Eric Schmidt and Larry Page is a good example.

The second question I like to ask after asking "what does success look like" is to ask, "what are the barriers to success?"

This is the one that I think separates people from leaders. The example that I gave above shows a good example of people asking for how to remove the barriers. It is certainly interesting to watch from that aspect. Here you have an internet company talking about the barriers that they can't control. It is also interesting to see what they are talking about and then looking at how they have changed since those statements. I get the valuable insight of time! I also get the valuable insight of repetition. I can watch hundreds of hours of video of Dr. Schmidt and I can catch on to patterns that he has used and has been successful with. Dr. Schmidt is very intelligent and has a research focus. He uses this research to help him remove barriers to success. He also uses "tag words and phrases" and is very repetitive.

So, what does success look like for you and how do you remove the barriers standing between you and your success?

Sunday, August 19, 2012

Google Glass Project

I have been following the Google Glass project (#projectglass on Google+). I am so looking forward to these. One of the things I do not know, however, is whether you will get a choice of which eye has the "stuff" on it. When I look at various pictures, the "stuff" part is always over the right eye (see example here).

I currently wear glasses. Several years ago my right eye got a scratch and I have corrections on that side so that I see around the blurry spot. The left lens is nothing but regular glass. I used to see better than 20/20, and still do in my left eye.

So, I am thinking when I get a pair, I want the "stuff" on the left eye, so I can have the prescription on the right eye.