The problem is that people don't understand problems in general. They may see them, they may even try to resolve them, but they are completely ineffectual because they lack the knowledge that 95% of problems we see – in any form or practice – are really just symptoms of the other 5% of real issues. Allow me to demonstrate with some analogies.
Suppose you have a deep chest cough, a severe sinus headache, a constantly running nose, chills, fever and achy joints. Suppose you've felt this way for over a week with no improvement. Do you take Tylenol for the headache, a sinus decongestant for the nose, a cough suppressant for the hacking cough, a cough expectorant to loosen the phlegm, cover with blankets to address the chills, use ice to mitigate the achy joints and occasionally cold baths to reduce the fever? Or do you consider these "problems" as merely results of a larger chronic issue that will not spontaneously improve by simply addressing the symptoms. Perhaps you head to the doctor and get an antibiotic to combat the root of your problem – the infection that is causing your symptoms. Perhaps the doctor takes it one step further and recommends you wash your hands often with antibacterial soap, get enough sleep each night and eat a proper diet to help your body's ability to fight off infection before it gains a foothold. Not only have you addressed the root cause of your ailment, but you’ve learned how to prevent it in the future.
It seems people may be aware of the fact that every action has consequences – although that statement could be debated. Assuming people believe it, it troubles me that when the consequences are undesired, people try to fix them one by one. Instead, take a look at the original action. Undo it – if possible. Work to stifle the root cause of the unwanted consequences rather than allowing them to persist with impulsive remediations.
In my profession, there is no end to application designers that have one major skill – they can code. Each and every one of them has two major flaws that counteract their coding magic: they can not code securely and they can not code an application that uses any kind of networking - whatsoever. This leads to shoddy software that performs poorly on networks, opens them to attack and leaves users to complain, "the network is slow". In fact, the network is not "slow", everything is working as it should be. Routing is working, skillfully written applications are working correctly and the one poorly written, hastily deployed application is ruining it for everyone. How to address this?
Should the network operations people deploy application acceleration technologies to compensate for the poorly written application? Should the network operations people now manage a new set of devices and configurations to offset for the poor planning of the application group? Should users learn to live with poor performance? Or instead, should the application group be held accountable? Should the application be pulled from production so it can be reengineered to work optimally across a network? Should the root cause of the network "slowness" be addressed so that no one suffers, or should everyone be brought down a level to that of the poorly performing application?
The correct answer is obvious; however, not the easiest and thus, the path never followed. No one ever said doing the right thing was easy. Proper planning and risk anticipation always fall by the wayside when a highly visible issue requiring "immediate" attention is brought to light. Corners are cut, haste is employed and waste is deployed. In networking, in politics, in personal decisions – this is always the case.
I'm convinced there are only two possible reasons people can not effectively problem solve. First, people are lazy and would rather take the easy way out by addressing the many smaller issues that result from poor decision making. The other more troubling reason – which I think may subconsciously cause the first course of action – is that people don't have advanced problem solving skills. Basic problem solving skills simply involve identifying a problem, formulating a solution and enacting it. The advanced skills include feedback loops and actually learning from successes and failures and I fear this is far beyond the grasp of normal everyday people (it shouldn't be, but I'm afraid it is).
Hazardous situations should be immediately addressed with stopgap measures. Systemic issues require a more holistic approach including analysis and research. Where did the issue come from? What is the root cause? A comprehensive understanding of the issue leads to a detailed plan of action to not only resolve the issue, but also to eliminate the resultant issues – the symptoms people spend so much time fussing over – and prevent future recurrences.
Politicians and lawmakers are probably the guiltiest of these trespasses. Writing new laws to address undesired outcomes of previous legislation is not the correct path. Creating new directives that address shortcomings in civil systems is not fruitful. If drunk driving is an issue, the answer is not to raise the drinking age, but to create stiff penalties for first time offenders and mandatory maximum sentences for repeaters. If high health care premiums are of concern, don't ban smoking and fatty foods, fix the health care system so that smokers and fatties pay more for their habits. Eating bad foods in large quantities is not a disease; however, it does cause disease – heart disease for example. Chronic diseases are much more of a drain on health care dollars than are the occasional X-rays and stitches I may get from mountain biking.
Ultimately, people don't want to be held responsible or liable for any of their actions when in reality, that is precisely what should happen. If you make stupid mistakes, you – not me – should suffer the consequences. If you are genetically predisposed to heart disease, laziness or stupidity, I refuse to help you. As it is your choice to ruin your life or to make the best of it, it is mine to neither watch you do either, nor care about - or much less be responsible for - your consequences.
Wednesday, December 20, 2006
Sunday, December 10, 2006
Security Solutions for Uninterested Users
With the latest concerns of IT security being insider threats and the lack of user participation in security, Single Sign On (SSO) coupled with biometrics may become the most important technologies in securing your network.
The alternatives are rigorous user training on information security and policies that not only enforce, but provide penalties for non-conformance. User security awareness training is not new to the industry, but the seeming unwillingness of users to comply may be. A change in user attitudes towards corporate security may be a task rapidly approaching the impossible.
While network administrators try to mitigate weak user security habits with password controls such as uniqueness and complexity algorithms, these approaches are more counterproductive than beneficial. The more users are required to have complex and changing passwords, the more likely they are to write them down or share them with co-workers to prevent troublesome logons. Complicating matters are the many applications that are moving to web based interfaces that do not integrate with a user's desktop environment. These individual applications require a unique sign on that in many cases differs from the user’s normal username/password combination for desktop access.
While SSO can minimize the user frustration of multiple passwords, it does provide the "keys to the kingdom" if a user's password is compromised. The elimination of the "what you know" form of authentication addresses this.
Biometrics, a form of authentication based on "what you are" – such as a fingerprint or retina scan – is unique per user and does not require the user to remember a complex or changing set of criteria. Single or dual factor biometric authentication methods – such as fingerprint with or without voice recognition – provide a secure, easy authentication method while proving more robust and reducing false positives.
The main hurdle is the cost of deployment. Integrating biometrics into the user desktop logon procedure is not an inexpensive proposition especially with a large install base. Some laptop models provide integrated biometrics in the form of a fingerprint scanner; however, this requires a one-for-one swap of all installed models. Furthermore, the deployment of new applications – either those developed in house or those from external vendors – is seriously limited to applications that support integrated token authorization based on the biometric authentication method.
Still, when weighed against the potential losses of a data compromise, a technically feasible authentication scheme that addresses the crux of the problem – users that do not have the same priority for information security as those enforcing it – is the best approach.
Tagged:
tech
Sunday, September 17, 2006
Reach the Beach Relay - 2006

Genetically Challenged - Mixed Open
Back row from left: Tina (leg 11), Tom (leg 7), Ted (leg 8), Gavin (leg 3), Vince [aka: Me] (leg 1), Suzi (leg 6), Ania (leg 2), Rich [aka: Generalissimo] (Team Captain)
Front row from left: Gabriel [aka: The Janitor] (leg 5), Jody (leg 9), Dan (leg 12), Jodi [aka: Boob] (leg 4), Jul (leg 10), John [aka: Johnny Cisco] (Injured)
NOTE: Start was at Bretton Woods with Leg 1 (mine) being run to the top of the mountain, then back down.
| | Distance | Difficulty | Time | Pace |
|---|---|---|---|---|
| Leg 1 | 3.1 | Extremely Hard | 24:45 | 7:59 |
| Leg 13 | 3.8 | Easy | 29:51 | 7:51 |
| Leg 25 | 8.9 | Hard | 1:15:05 | 8:26 |
| Total | 15.8 | | 2:09:41 | 8:13 |
Monday, September 11, 2006
Reach the Beach 2006: Before
We're getting ready for the RTB Relay 2006. Again with Team Genetically Challenged; however, this year we're a mixed open team and we're missing our captain - Rich. Same as last year what with the last minute drop outs and scrambling to find runners. This year, I'm prepared to run 4 legs if need be. Perhaps ultra next year.
Monday, August 28, 2006
Sunday, August 27, 2006
Traffic
I feel sorry for the family of the truck driver that crashed on the highway and closed it down from 1PM well into the afternoon rush hour. I feel sorry for them because even though he is in critical condition, he is going to die. After all, that's the only thing that could justify my spending 2.5 hours on what should have been a 45 minute commute.
Tuesday, August 15, 2006
The Truth About Truth
It's ironic that something called Truth.com can’t actually tell the truth – that is – if you believe "the truth" is the "whole" truth and "nothing but" the truth. Their ads are deliberately misleading to anyone who has an iota of brain cells left. It seems almost hypocritical that their message can only be believed by those people who have smoked too much pot to have any brain cells left to think for themselves.
The perfect example is the commercial where they go into a mattress store and ask if it makes sense to ban sleep because it's dangerous. Apparently, they claim a tobacco executive suggested that "sleep be banned because many people die in their sleep". Perhaps that actually did happen, but FAR more likely is that the tobacco executive was forming an argument against a left-wing communist who was trying to force their anti-smoking agenda on the world rather than letting people decide for themselves. You can imagine the interaction was far more like:
Lunatic Fascist: "You have to ban smoking because it kills so many people (whine, cry, complain, etc...)"
Tobacco Executive: "A lot of people die in their sleep. Should we ban sleep?"
Lunatic Fascist: "... Umm ...."
Five minutes later ...
Lunatic Fascist [on phone to Truth.com]: "I just talked to some tobacco executive that said we should ban sleep because people die in their sleep. Let's make a commercial that makes them look dumb and furthers our cause among those ignorant peons who can't think for themselves and need government and political correctness as we define it to rule their lives."


