Ruminations - An IT Blog
Updated 2023-07-25T04:16:00Z
Robert Gezelter
http://www.rlgsc.com
tag:www.rlgsc.com,2021-01-25:Ruminations

Trusting Encryption Supply Chains
A recent ArsTechnica article raised questions about Chinese-supplied
encryption chips, specifically the possibility that the chips could
include backdoors allowing information to be compromised or decrypted
by other than the authorized parties. This is a serious concern, but
in my opinion the article erred by taking a far too narrow perspective
on the implications. ...
tag:www.rlgsc.com,2023-07-25:trusting-encryption-supply-chains (published 2023-07-25T04:16:00Z, updated 2023-07-25T04:16:00Z)

Orderly Shutdown Should Be First Priority
Full application shutdowns do not happen as frequently as
in the past. However, the increasing tempo of revisions means
that shutdowns and restarts of individual real-time and online
system components are inevitable. Controlled shutdowns and restarts
differ dramatically from the uncontrolled shutdowns that result from
hardware and power failures. Despite this reality, many software
components lack a pre-planned capability for controlled quiescence
and shutdown. ...
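As an added example, not code from the original post, the Python below models the phases a pre-planned controlled shutdown needs: stop admitting new work, drain the work already accepted within a deadline, flush state, then stop the worker. The `Service` and job names, the in-memory `journal` standing in for durable state, and the `install_signal_handlers` wiring to SIGTERM/SIGINT are all assumptions made for the illustration; the report returned by `quiesce()` is what lets an operator (or a test) confirm that nothing accepted was lost and nothing late was silently admitted.

```python
"""Controlled quiescence and shutdown for a request-processing component.

Added example (not from the original post). Hypothetical names: Service,
the job identifiers, and the in-memory journal standing in for durable
state. The shutdown proceeds in phases: close admission, drain, flush,
stop, and reports what happened so the outcome can be verified.
"""
import queue
import signal
import threading
import time


class Service:
    """Worker that processes jobs from a queue and can quiesce on demand."""

    def __init__(self, drain_timeout=5.0):
        self._queue = queue.Queue()
        self._accepting = True
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self.journal = []          # constructed stand-in for persistent state
        self.completed = 0
        self.rejected = 0
        self.drain_timeout = drain_timeout
        self._worker = threading.Thread(target=self._run, daemon=True)
        self._worker.start()

    def submit(self, job):
        """Admission control: refuse new work once quiescence has begun."""
        with self._lock:
            if not self._accepting:
                self.rejected += 1
                return False
            self._queue.put(job)
            return True

    def _run(self):
        # Keep taking jobs until told to stop; a job already taken is finished.
        while not self._stop.is_set():
            try:
                job = self._queue.get(timeout=0.05)
            except queue.Empty:
                continue
            self.journal.append(f"done {job}")   # simulated persistent effect
            self.completed += 1
            self._queue.task_done()

    def quiesce(self):
        """Orderly shutdown: close the door, drain, flush, stop the worker."""
        with self._lock:
            self._accepting = False               # phase 1: no new work
        deadline = time.monotonic() + self.drain_timeout
        while not self._queue.empty() and time.monotonic() < deadline:
            time.sleep(0.01)                      # phase 2: drain accepted work
        self._stop.set()
        self._worker.join(timeout=1.0)            # the in-flight job completes
        self.journal.append("flush")              # phase 3: checkpoint state
        return {
            "completed": self.completed,
            "unfinished": self._queue.qsize(),    # non-zero only if the deadline hit
            "clean": self._queue.empty(),
        }


def install_signal_handlers(service):
    """Tie quiesce() to SIGTERM/SIGINT so an operator's stop is orderly."""
    def handler(signum, frame):
        service.quiesce()
    signal.signal(signal.SIGTERM, handler)
    signal.signal(signal.SIGINT, handler)


def demo(n_jobs=20):
    """Accept n_jobs, quiesce, then attempt one late submission."""
    svc = Service()
    accepted = sum(svc.submit(i) for i in range(n_jobs))
    report = svc.quiesce()
    report["accepted"] = accepted
    report["late_submit_accepted"] = svc.submit("late")  # arrives after the door closed
    report["rejected"] = svc.rejected
    report["journal_tail"] = svc.journal[-1]
    return report
```

The `unfinished` count is the deliberate edge case: if the drain deadline passes with work still queued, the report says so instead of pretending the shutdown was clean, which is exactly the information an uncontrolled power-failure shutdown never gives you.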
tag:www.rlgsc.com,2023-05-16:orderly-shutdowns-first-priority (published 2023-05-16T18:31:00Z, updated 2023-05-16T18:31:00Z)

Worldwide Broadband Vulnerabilities are a Significant Hazard
We live in an interconnected world. We think nothing of using
our mobile phones to order something from an online store or to
video chat with someone anywhere in the world. Distance matters
little. Many people and businesses use online merchants with
overnight delivery in place of local stock. Meeting and shopping
online became second nature during the COVID-19 pandemic.
Business organizations have followed suit. Business applications are
now accessed in "the cloud," with users located almost
anywhere on Earth. ...
tag:www.rlgsc.com,2022-10-06:worldwide-bandwidth-vulnerability (published 2022-10-07T02:00:00Z, updated 2022-10-07T02:00:00Z)

Public Health Endangered by Deficient Use Models and Insufficient Applications
The general public is rarely impacted by poor choices in IT
implementations. Unfortunately, the COVID-19 vaccination program has
become an example of how not to implement important public-facing
computer systems. ...
tag:www.rlgsc.com,2021-01-25:Public-health-endangered (published 2021-01-25T12:00:00Z, updated 2021-01-25T12:00:00Z)

Journey into Peril: Rolling Your Own Security and Access Control
Regularly, I come upon reports that customer accounts at a
website have been compromised. Invariably, users are told
to change the passwords to their accounts, and consider the
password compromised if it was used on other sites. ...
tag:www.rlgsc.com,2020-10-05:Journey-into-peril (published 2020-10-05T12:00:00Z, updated 2020-10-05T12:00:00Z)

Remote Security in Times of Expansion
The COVID-19 pandemic has skyrocketed interest in and deployment of
remote access arrangements. Previously, many organizations had
arrangements for a limited amount of remote access - often
professionals, IT staff, and field personnel. Some larger
organizations, particularly those in finance and related industries,
have already had long-standing contingency plans for remote working
situations when their office facilities are unavailable (e.g., 9/11).
Such plans are easily altered to deal with the lockdown in response
to a pandemic. ...
tag:www.rlgsc.com,2020-03-16:Remote-security-in-times-of-expansion (published 2020-03-16T12:00:00Z, updated 2020-03-16T12:00:00Z)

Dealing with SPAM Calls
Targeted SPAM calls soliciting payments are an escalating scourge,
particularly when they target seniors. Exercising common sense when
dealing with such calls is not difficult, and vigilance is essential. ...
tag:www.rlgsc.com,2019-04-24:Dealing-with-SPAM-calls (published 2019-04-24T20:00:00Z, updated 2019-04-24T20:00:00Z)

The WebSocket Protocol: Past Travails Are To Be Avoided
The WebSocket protocol is a new facility, originally conceived as part of
the HTML5 effort. Together with its application programming interface (API),
the WebSocket protocol provides a standard framework for ongoing two-way
communication between web clients and servers. The authors of the
protocol deserve kudos for leveraging the existing HTTP/HTTPS
infrastructure to provide an extended-lifetime link between a web browser
and one or more web servers. However, the specification includes decisions
that need revision and deficiencies in drafting that beg correction.
In my opinion, these shortcomings constrain the specification unnecessarily
while realizing no commensurate benefits. ...
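The way the protocol leverages the existing HTTP infrastructure is its opening handshake (RFC 6455, section 4): an ordinary HTTP/1.1 GET carrying `Upgrade: websocket`, answered with `101 Switching Protocols` once the server has proved it understood the request by hashing the client's `Sec-WebSocket-Key` with a fixed GUID. The following is an added example, not code from the original post or from any WebSocket implementation. The request text is constructed (it reuses the key from the RFC's own worked example), and the `allowed_origins` check is this example's choice: the specification leaves the decision of which origins to admit to the server, and a server that skips it accepts sockets from scripts on any site.

```python
"""WebSocket opening handshake over HTTP/1.1 (RFC 6455, section 4).

Added example, not from the original post. Shows how the protocol rides on
an HTTP Upgrade request and how the server computes Sec-WebSocket-Accept.
SAMPLE_REQUEST is constructed; the Origin allow-list is an assumption.
"""
import base64
import binascii
import hashlib

# Fixed GUID defined by RFC 6455 for the accept-key computation.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

SAMPLE_REQUEST = (
    "GET /chat HTTP/1.1\r\n"
    "Host: server.example.com\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Origin: http://example.com\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n"
)

BAD_REQUEST = "HTTP/1.1 400 Bad Request\r\n\r\n"


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(client_key || GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_request(raw: str):
    """Split an HTTP message head into (first line, lower-cased header map)."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def server_handshake(raw_request: str, allowed_origins: set) -> str:
    """Validate an Upgrade request and return the HTTP response to send."""
    request_line, h = parse_request(raw_request)
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET" or parts[2] != "HTTP/1.1":
        return BAD_REQUEST
    if h.get("upgrade", "").lower() != "websocket":
        return BAD_REQUEST
    connection_tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "upgrade" not in connection_tokens:
        return BAD_REQUEST
    if h.get("sec-websocket-version") != "13":
        # Tell the client which version this server speaks.
        return "HTTP/1.1 426 Upgrade Required\r\nSec-WebSocket-Version: 13\r\n\r\n"
    key = h.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:   # key is a 16-byte nonce
            return BAD_REQUEST
    except binascii.Error:
        return BAD_REQUEST
    # Server-side policy: the spec hands the Origin decision to us.
    if h.get("origin") not in allowed_origins:
        return "HTTP/1.1 403 Forbidden\r\n\r\n"
    return ("HTTP/1.1 101 Switching Protocols\r\n"
            "Upgrade: websocket\r\n"
            "Connection: Upgrade\r\n"
            f"Sec-WebSocket-Accept: {accept_key(key)}\r\n\r\n")


def client_verify(response: str, client_key: str) -> bool:
    """Client side: accept the upgrade only if the server echoed our key correctly."""
    status_line, headers = parse_request(response)
    return (status_line.startswith("HTTP/1.1 101")
            and headers.get("sec-websocket-accept") == accept_key(client_key))
```

The accept-key step is not authentication; it only proves the peer is a WebSocket endpoint and not an unrelated HTTP server replaying cached text. Authentication and origin policy remain the application's job, which is why the example refuses the upgrade outright when the Origin is not on the list.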
tag:www.rlgsc.com,2011-03-23:websocket-rediscovered-travails (published 2011-03-24T01:42:00Z, updated 2011-03-24T01:42:00Z)

Dangerous Assumptions: Solid-State Disk Behavior Underlying Digital Forensics
Forensically capturing a conventional disk is straightforward: power down
the system, attach the drive to a portable forensic unit using a protective
write blocking device, and then capture the device bit-for-bit. Since the drive
is protected by a write blocking device, the drive is presumed completely
intact. Non-conventional mass storage devices (e.g., "solid-state disks,"
hereafter "SSD") implement features that invalidate the presumptive efficacy
of write blockers. This has implications in both the government and corporate
worlds. ...
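The practical consequence is that a write blocker protects the host-to-drive interface, not the drive: an SSD controller can erase blocks the host had already marked unused (garbage collection of TRIM'd space) while the examiner is reading, with no write ever crossing the blocker. The Python below is an added example, not code from the original post. Both device classes are constructed stand-ins (`ConventionalDisk` never changes; `SimulatedSsd` erases trimmed blocks when its controller gets idle time), and `acquire()` is the check a practitioner wants: hash the image from the same bytes being written out, let time pass as it would during a real acquisition, then re-read and re-hash, so that a medium changing under the blocker is detected and recorded rather than assumed away.

```python
"""Verifying a forensic acquisition when the medium may change by itself.

Added example, not from the original post. The device classes are
constructed models; the block contents are sample data made up here.
"""
import hashlib

BLOCK_SIZE = 512
ERASED = b"\xff" * BLOCK_SIZE      # erased NAND flash reads back as all ones


class ConventionalDisk:
    """Platter-style device: read-only access really does leave it intact."""

    def __init__(self, blocks):
        self.blocks = [bytes(b) for b in blocks]

    def read_block(self, lba):
        return self.blocks[lba]

    def idle(self):
        """Time passes with power applied; nothing happens."""


class SimulatedSsd(ConventionalDisk):
    """Flash device whose controller reclaims TRIM'd blocks on its own."""

    def __init__(self, blocks, trimmed_lbas):
        super().__init__(blocks)
        self.trimmed = set(trimmed_lbas)   # marked unused by the host before seizure
        self.gc_log = []

    def idle(self):
        # Controller-side garbage collection: no host write is involved, so a
        # write blocker on the host interface cannot prevent it.
        for lba in sorted(self.trimmed):
            if self.blocks[lba] != ERASED:
                self.blocks[lba] = ERASED
                self.gc_log.append(lba)
        self.trimmed.clear()


def image_and_hash(device):
    """Bit-for-bit copy; the hash covers exactly the bytes written to the image."""
    h = hashlib.sha256()
    image = bytearray()
    for lba in range(len(device.blocks)):
        data = device.read_block(lba)
        h.update(data)
        image += data
    return bytes(image), h.hexdigest()


def acquire(device):
    """Image, allow the time a real acquisition takes, then re-read and compare."""
    image, acquisition_hash = image_and_hash(device)
    device.idle()
    _, verification_hash = image_and_hash(device)
    return {
        "image_sha256": acquisition_hash,
        "reread_sha256": verification_hash,
        "medium_stable": acquisition_hash == verification_hash,
        "image_bytes": len(image),
    }


def sample_blocks():
    """Constructed contents: four blocks, two of which the host had deleted."""
    return [
        b"boot sector".ljust(BLOCK_SIZE, b"\x00"),
        b"deleted-but-recoverable file A".ljust(BLOCK_SIZE, b"\x00"),
        b"live file".ljust(BLOCK_SIZE, b"\x00"),
        b"deleted-but-recoverable file B".ljust(BLOCK_SIZE, b"\x00"),
    ]


def demo():
    """Acquire the same logical contents from a conventional disk and an SSD."""
    hdd = acquire(ConventionalDisk(sample_blocks()))
    ssd = acquire(SimulatedSsd(sample_blocks(), trimmed_lbas=[1, 3]))
    return hdd, ssd
```

A mismatch between `image_sha256` and `reread_sha256` is not an imaging error to be retried until the hashes agree; it is the finding. The first image, taken before the controller ran, is the evidence, and the mismatch is what the examiner documents.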
tag:www.rlgsc.com,2011-03-06:ssd-disk-behavior-dangerous-assumptions (published 2011-03-06T17:17:00Z, updated 2011-03-06T17:17:00Z)

Electronic Discovery and Digital Forensics: The Applications Front
The sheer volume of electronically stored information (ESI), the legal
community's term for electronic data, often seems to obscure the actual
business data stored on information systems. Digital forensics and
electronic discovery (e-discovery) procedures encompass the full spectrum
of digital information, but the volume of documents, presentations,
spreadsheets and similar electronic analogs of paper documents has spawned
a huge need to collate and analyze data. The
"paperless" office has, in this sense, produced a blizzard of electronic
documents for analysis. In this blizzard of standard format electronic
documents, the actual contents of various information systems are often
underappreciated. This should not be so. Information systems, whether
custom or packaged, are an important source of original raw data about a
business. Abstracted documents, whether memoranda or invoices, are
derivative forms based upon the raw information. ...
tag:www.rlgsc.com,2011-02-28:discovery-and-forensics-application (published 2011-02-28T13:45:00Z, updated 2011-03-01T16:23:00Z)

Colliding Worlds: Juries in the World of Pervasive Connectivity and Social Media
Pervasive communication is more than a convenience; the societal landscape
has been significantly altered by pervasive connectivity and the resultant
availability of information. Our practices must correspondingly be revised to
reflect this new landscape. The pervasiveness of wireless communications has
reached the threshold where the integrity of jury trials is at risk. ...
tag:www.rlgsc.com,2011-02-09:colliding-worlds-juries-connectivity (published 2011-02-09T18:25:00Z, updated 2011-02-09T18:25:00Z)

SaaS: Accountability Can Get Lost; Not Liability
Recently, I received a call from a former client about an incident involving an
outsourced business-critical application. His experience illustrates both the
advantages and hazards of outsourcing a business-critical application. These
issues affect all pay-as-you-go providers, whether Software-as-a-Service
(SaaS) or Application Service Providers (ASP).
tag:www.rlgsc.com,2011-01-10:saas-accountability-lost-not-liability (published 2011-01-10T14:42:00Z, updated 2011-01-10T14:42:00Z)

Searching for Airline Security, Part Deux
X-ray exposure and damage to human dignity are not the only potential
hazards of recent changes in US Transportation Security Administration (TSA) procedures. While I
freely admit that I have not had to go through a TSA checkpoint in the last
few weeks, I note that the last time I traveled, I do not recall seeing a sight
that should have been obvious: a supply of disposable gloves. In many ways,
this is an emblematic communications problem. Contagion and contamination
are more of a hazard to both screeners and those screened than any terrorist
threat, yet straightforward steps of industrial hygiene are not obvious at
checkpoints. The hazards posed by poorly thought-out procedures are
contagion, contamination, and infestation. ...
tag:www.rlgsc.com,2010-11-26:searching-for-airline-security-partdeux (published 2010-11-26T11:45:00Z, updated 2010-11-26T11:45:00Z)

Searching for Airline Security
The US Transportation Security Administration (TSA) implementation of
enhanced security for air travelers has raised a wellspring of protest. What
has been absent from the conversation has been a full discussion of the
efficacy of these measures versus the risks. ...
tag:www.rlgsc.com,2010-11-22:searching-for-airline-security (published 2010-11-22T11:39:00Z, updated 2010-11-22T11:39:00Z)

Reconnaissance Gone Retail and Security: A Challenging Duality
Reconnaissance has gone retail. Capabilities that used to be the costly
province of nation states have been democratized. Communications
technologies have become so pervasive that a newborn's first pictures are
likely to be transmitted wirelessly within moments of birth, arriving at
beaming grandparents half a world away within seconds, if not in real-time.
...
tag:www.rlgsc.com,2010-11-02:reconnaissance-gone-retail-and-security (published 2010-11-02T16:09:00Z, updated 2010-11-03T10:15:00Z)

Google Street View and Unencrypted Wi-Fi: Not a Hazard
There was never much of a question: Google Street View's cars logged
unencrypted Wi-Fi data as they traversed streets and neighborhoods around
the world. Given the number of networks surveyed, it is unsurprising that
some of the logged data contained messages or passwords. However,
the reaction to this episode is out-of-scale to the actual risk that it poses. It is
well-known that unencrypted Wi-Fi has privacy and security hazards when used
without a supplemental VPN (Virtual Private Network) to provide
encryption. The snapshots of network traffic as Street View cars cruised
public roads do not truly rise to the level of a hazard. Certainly, the attorneys
general of all 50 states here in the United States have far more serious
matters to attend to. The problem here is akin to the difference between
being a “peeping Tom” and having a neighbor who parades in front of a
picture window au naturel. ...
tag:www.rlgsc.com,2010-10-25:google-street-wise-and-unencrypted-wifi (published 2010-10-25T11:00:00Z, updated 2010-10-25T11:00:00Z)

Comments to the IRS Counsel: Impact of Sec. 6041 Changes
The Patient Protection and Affordable Care Act of 2010 (PL 111-148) enacted
a dramatic expansion of transactional reporting. Under the enacted
changes, all payments made in a trade or business for goods and/or services
whose aggregate value exceeds US$600.00 must be reported whether the
recipient is an individual or a corporation. Previously, only services provided
by proprietorships had been subject to reporting on Form 1099-MISC.
Previously, I had commented on the impact of these changes in
Ruminations – An IT Blog. Recently, the
Counsel to the Commissioner of the United States Internal Revenue Service
solicited comments from those affected. I prepared a summary of these
comments in an e-mail to the
Service's counsel. ...
tag:www.rlgsc.com,2010-09-28:comments-to-irs-counsel-re-sec-6041 (published 2010-09-28T16:25:00Z, updated 2010-09-28T16:25:00Z)

GPS Recorders and Law Enforcement Accountability
Decreasing technology costs challenge privacy. In the United States, privacy
is protected by law and economics. Economic feasibility is the often
unmentioned leitmotif behind our constitutional rights. Government
surveillance can broaden substantially when the costs dwindle to
insignificance. This is a challenge. For example, telephones were a century
in the future when the US Constitution and its first ten amendments,
referred to as the Bill of Rights, were ratified. The advent of the telegraph
and telephone in the 19th century created a new situation, one that
eventually required legislation to ensure privacy and law enforcement
accountability. Inexpensive GPS recorders present such a challenge. ...
tag:www.rlgsc.com,2010-08-31:gps-and-law-enforcement-accountability (published 2010-09-01T01:30:00Z, updated 2010-09-01T01:30:00Z)

Disposable Virtual Machines: Deliberately Expendable
Processor virtualization is trendy. It is a buzzword often used in corporate and
professional IT. While undoubtedly highly useful in professional contexts,
processor virtualization has far wider applicability.
Disposable Virtual Machines are one such use. ...
tag:www.rlgsc.com,2010-08-23:Disposable-Virtual-Machines-Deliberately-Expendable (published 2010-08-23T13:00:00Z, updated 2010-08-23T13:00:00Z)

Expanded Form 1099-MISC Reporting: A Pilot Demonstration
Feasibility tests are important. Many ideas seem logical and well-thought out,
only to show fatal flaws when implemented under real conditions, even on a
small scale as pilot projects. Demonstrating feasibility and uncovering hazards
and side effects are the raison d'etre of pilot studies, innovation demonstration
programs, and medical trials. Sometimes such experiments are a success,
sometimes not. ...
tag:www.rlgsc.com,2010-06-21:expanded-form-1099-misc-feasibility (published 2010-06-21T14:00:00Z, updated 2010-06-21T14:00:00Z)

For the Commissioner: Invoices as Substitute Forms W-9
Each December, my office receives a flurry of requests from clients by
facsimile, electronic mail, and conventional mail. In and of itself, each request
is simple: A request that we supply a current Form W-9 certifying our Employer
Identification Number (EIN) or Social Security Number. This despite the fact
that our billhead clearly includes our Employer Identification Number on the
masthead. We keep an electronic copy of a completed Form W-9 in Adobe's
Portable Document Format (PDF) to simplify responding to these requests. ...
tag:www.rlgsc.com,2010-06-14:Invoices-as-Substitute-Forms-W9 (published 2010-06-14T12:00:00Z, updated 2010-06-21T21:26:00Z)

New IRS Reporting Requirements Have Implications for Business Large and Small
A provision deep within the recent Patient Protection and Affordable Care
Act (Public Law 111-148) will drastically change record keeping and
processing beginning in January 2012. This has dramatic and serious
implications for Information Technology professionals, who must architect,
design, and implement the business and information processes needed to
collect the required data and produce the required reporting. These rules
apply to all businesses, from the one-man office to the top of the Fortune 10.
Section 9006 of the Patient Protection and Affordable Care Act amends
Section 6041, amending subsection (a) and inserting new subsections (h) and
(i) of the US Internal Revenue Code of 1986 altering the rules for reporting
business transactions to the Internal Revenue Service. Previously, Form
1099-MISC was used to report payments to unincorporated independent
contractors and similar payments for services. Payments for goods were
exempt from this requirement, as were payments to corporations. Both of
these exemptions were removed by the recent legislation. ...
tag:www.rlgsc.com,2010-05-25:new-irs-reporting-requirements (published 2010-05-25T20:23:00Z, updated 2010-05-25T20:23:00Z)

Why Settle on a Hosting Provider? Bandwidth liquidity and other issues
At the 2009 Trenton Computer Festival Professional Conference in April 2009,
I presented
“Web Efficiency: Using XHTML,
CSS, and Server-side to Maximize Efficiency”. The focus of my presentation was that efficiency,
scale, and costs are inextricably connected. ...
tag:www.rlgsc.com,2010-05-12:why-settle-on-a-hosting-provider (published 2010-05-13T02:30:00Z, updated 2010-05-13T02:30:00Z)

Please Do Not Spare the Parentheses
Parentheses often seem an afterthought. Readable code is deemed important, but
the emphasis usually falls on typographical concerns such as indentation and
spacing, and on good commenting (text that has no effect on execution). These
practices are part of every introductory programming class.
Documentation and readability are important, yet correctness of code is even more critical.
The proper use of parentheses, which does change what the code computes, rarely
receives similar attention. This is a severe shortcoming. ...
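An added example, not code from the original post, of the difference between parentheses as typography and parentheses as correctness. The intended policy is that a caller may read a record if the caller is its owner or an administrator, and the record is not sealed. The two predicates below differ only in parentheses; because Python binds `and` more tightly than `or`, the unparenthesized form grants owners access to sealed records. Rather than trusting inspection, `check_equivalent()` enumerates every combination of the inputs and returns the cases where the two forms disagree. The field names (owner, admin, sealed) are constructed for the illustration.

```python
"""Parentheses decide what an access check computes.

Added example, not from the original post. The access-control policy and
its field names (owner, admin, sealed) are constructed for illustration.
"""
from itertools import product


def can_read_buggy(owner: bool, admin: bool, sealed: bool) -> bool:
    # Without parentheses Python parses this as: owner or (admin and not sealed)
    # so an owner can read a sealed record.
    return owner or admin and not sealed


def can_read(owner: bool, admin: bool, sealed: bool) -> bool:
    # What the policy actually says: (owner or admin) and not sealed
    return (owner or admin) and not sealed


def check_equivalent(f, g):
    """Return every input on which two three-argument boolean predicates disagree.

    Exhaustive enumeration is cheap for a handful of boolean inputs and
    catches precedence mistakes that a reader's eye slides past.
    """
    return [
        {"owner": o, "admin": a, "sealed": s, "buggy": f(o, a, s), "intended": g(o, a, s)}
        for o, a, s in product([False, True], repeat=3)
        if f(o, a, s) != g(o, a, s)
    ]


def divergences():
    """The concrete cases where the unparenthesized check is wrong."""
    return check_equivalent(can_read_buggy, can_read)
```

The two disagreements are exactly the owner-and-sealed cases, which is the access-control failure the missing parentheses introduce; writing `(owner or admin)` costs two characters and removes the question.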
tag:www.rlgsc.com,2010-03-02:Please-Do-Not-Spare-the-Parentheses (published 2010-03-02T14:17:00Z, updated 2010-03-02T14:17:00Z)

Emergency Procedures: For Driving and Other Purposes
The recent news of unintended acceleration incidents involving Toyota-made
automobiles raises an interesting, but unsurprising question of preparedness:
Why are more people not prepared to deal with the unexpected while driving?
This is not a question of reducing the manufacturer's liability or responsibility, but
a simple matter of self-preservation: It is better to be a survivor able to bear
witness than a victim leaving an estate with a large legal claim. ...
tag:www.rlgsc.com,2010-02-08:Emergency-Procedures-For-Driving-and-Other-Purposes (published 2010-02-08T14:25:00Z, updated 2010-02-08T16:15:00Z)

Bricks and Mortar Hidden by Cyberspace
Cyberspace is not a universe unto itself. For businesses, cyberspace is intimately
connected to the real world. Most of the time, these connections are beneficial.
Sometimes they are not.
tag:www.rlgsc.com,2009-12-21:Bricks-and-Mortar-Hidden-by-Cyberspace (published 2009-12-21T17:10:00Z, updated 2009-12-21T17:10:00Z)

Networks Placed At Risk: By Their Providers
Some network security incidents are so obviously preventable that it is
mind-boggling. Such was the case with a recent
Wi-Fi-based
network security breach at a client. It was eminently preventable. It
was even more upsetting when I found out that the source of the incident was a
carrier-supplied device that had been configured by the broadband provider's
technician.
tag:www.rlgsc.com,2009-12-07:Networks-Placed-At-Risk (published 2009-12-07T14:00:00Z, updated 2009-12-09T20:56:00Z)

The Silence of Censorship
A recent episode involving an online site,
Switched.com, brought the
1964 Simon and Garfunkel song, “The Sounds of Silence” to mind. In
this case, the reminder was not pleasant. It was the realities of
censorship, albeit a subtle censorship. It is a censorship that seems to
happen without notice in the online world. ...
tag:www.rlgsc.com,2009-11-24:the-silence-of-censorship (published 2009-11-24T17:00:00Z, updated 2009-11-24T17:00:00Z)

Vanishing E-mail and Electronically Stored Information: An E-Discovery Hazard
Last week, there were several articles about Vanish, a technology to automatically render
electronic data unrecoverable at a specified future time. Vanish was developed by
a team at the University of
Washington. The goal of Vanish is to enhance privacy by creating data that will automatically self-destruct
at a specified time in the future, making protected electronic information immune to future disclosures in
any fashion, including in response to legal process.
tag:www.rlgsc.com,2009-07-31:vanishing-electronic-data-ediscovery (published 2009-08-01T03:59:00Z, updated 2009-08-03T10:04:41Z)

Governor Mark Sanford Email Disclosure: An ECPA Violation?
Thursday, June 25, 2009 was eventful. In the morning (Eastern Time in North
America), Farrah Fawcett passed away after an extended battle with cancer.
In the evening, Michael Jackson suffered an apparent cardiac arrest, and
passed.
Somewhat overshadowed by these events in the entertainment and
culture world, a political drama was unfolding with the revelations of an
extra-marital relationship involving sitting Governor Mark Sanford (R-SC).
I have no comment on the issues surrounding those involved in this affair,
except that I am sorry that they must deal with these issues in the glare
of public view.
tag:www.rlgsc.com,2009-06-26:Sanford-ECPA-Violation (published 2009-06-26T22:14:44Z, updated 2009-06-29T07:11:00Z)

Micro-blogging and Personal Self-Surveillance
Micro-blogging is all the rage. Social networking sites including
Twitter, Facebook, MySpace, LinkedIn,
and numerous others encourage us to share details about our daily lives with
all those we know, even passing acquaintances. While this can be
entertaining, there are numerous hazards from widely sharing unfiltered
information about our lives, whether personal or professional.
tag:www.rlgsc.com,2009-06-25:micro-blogging-and-personal-information (published 2009-06-25T18:20:24Z, updated 2009-06-25T18:20:24Z)

Corporate Tool: Mobile WiFi Hybrids
In the mid-1990's, I was on-site when a bank's data center was caught by a
power failure. As is the case with most “interesting” events, the incident
exposed a number of shortcomings in the contingency plans. One of these
shortcomings was that the data center, located in the upper reaches of the
building, lost touch with the IT staff, who were domiciled on a far lower floor
of the same building. It did not help the situation that the power failure
happened between 8:00 AM and 9:00 AM in the morning, trapping several
key members of the IT staff in a commuter train from Long Island, just inside
one of the railroad tunnels. I later heard from one of the staff members that
they were close enough to the mouth of the tunnel to see the incoming calls,
but did not have enough signal to answer.
tag:www.rlgsc.com,2009-05-08:wifi-as-mobile (published 2009-05-08T14:00:00Z, updated 2009-05-08T14:00:00Z)

The need for backup
Sometimes, one gets asked a question in an informal context, and it triggers
a whole line of thought. The other day, I was waiting for my car to have an oil
change. Another customer asked what I did; when I told him, he asked if I
thought that the whole “running a computer” thing would disappear in a few
years. He was asking about whether the answer to backup was to put
everything “in the cloud” and not worry about the details.
tag:www.rlgsc.com,2009-05-05:the-need-for-backup (published 2009-05-06T01:50:00Z, updated 2009-05-06T01:50:00Z)

Will Long Term Dynamic Address Allocation Record Retention Help or Hurt?
Requirements to preserve records always need to achieve a complex balance between costs,
accuracy, and public policy. S.436, the "Internet SAFETY" Act, introduced on
February 13 by Senator John Cornyn (R-Texas), proposes to mandate long-term
storage of dynamic address assignments and presents several interesting
policy and technical challenges.
tag:www.rlgsc.com,2009-03-31:retain-dynamic-address-allocation-logs (published 2009-04-01T02:23:15Z, updated 2009-04-01T02:23:15Z)

Computer Security Handbook, 5th Edition Released
I am pleased to announce that the Computer Security Handbook, 5th Edition
has been released for shipment by John Wiley & Sons.
tag:www.rlgsc.com,2009-03-21:Computer-Security-Handbook-5th-EditionReleased (published 2009-03-19T01:38:00Z, updated 2009-03-19T01:38:00Z)

Presentation Announcement: What to do when "There is a problem"?
The New York Enterprise Windows Users Group has invited Robert Gezelter
to speak on March 5. My presentation will be on a topic which is delicate for most
organizations: What should the response be when something happens involving the
network or computers attached to it?
tag:www.rlgsc.com,2009-02-20:Ruminations-IncidentResponseForensics20090305 (published 2009-02-20T14:00:00Z, updated 2009-03-12T21:32:00Z)

Securitization: A Risk to Compliance Integrity
This morning's paper had yet another story about a major security breach at a payment card
processor. In "Credit Card Processor Says Some Data Was Stolen", the
compromise of a large number of credit card numbers and other data was recently
reported. Presumably this processor was reviewed under the applicable standards, so why are data
breaches continuing?
tag:www.rlgsc.com,2009-01-21:Ruminations-ARisktoComplianceIntegrity (published 2009-01-21T14:00:00Z, updated 2009-03-12T21:31:00Z)