Books2Byte – September 2004
- Make your network a digital fortress (September 06, 2004)
- `IT is just one more factor of production’ (September 13, 2004)
- Software – study in complexity (September 20, 2004)
- Talk about business value of security (September 27, 2004)
Make your network a digital fortress
|The first step in understanding network security is to not underestimate the hacker. Here’s a book that tells you how to go about building a safe network.|
TOM Thomas claims he never works because he loves what he does. That’s just the type I like, so I grab his book Network Security First-step, published by Cisco Systems (ciscopress.com) though it has a daunting lock on its cover. “No security experience required,” it screams, and the intro would tell you that Tom has approached the book “from the standpoint that every reader needs security, but does not necessarily understand the risks, techniques and possibilities that are available.”
He explains his method: “Take each component of the network and verify how it can be deployed securely. When complex security technologies or concepts are encountered, they are explained with real-world examples and practical analogies.” Be enticed: “This book covers serious topics, but it should also be fun and easy to read.”
And fun starts in chapter I where an anon quote meets your eye: “When the ancient mapmakers reached the edge of the world, they said, `There be dragons here!'” The chapter is titled, `Here there be hackers!’ The first step in understanding network security is to know the hacker, says the author. You have a great IT staff or even a team dedicated to network security. That’s good, says Tom, but read on: “Security professionals are expected to have a high level of technical competence and, for the most part, this is true. However, these same professionals often do not expect the same to be true of those attackers and intruders from whom they defend their sites.” Thus, if you have an engineer who thinks that he is the smartest person in the company, what you have is “a recipe for disaster.”
Elsewhere, you’d read about AAA technologies. Not some rating for deposits, but the three things needed if you access services via a network: authentication, authorisation and accounting. Similarly, when talking of IDS (Intrusion Detection System), there are three basic premises: Where to watch, what to watch for, and what to do. Towards the end of the book too, you come across some sobering truths: “Bad guys have good tools.”
If you’re looking for a good tool to protect yourself, take the first step towards Tom.
Sequel to fetch answers
STRUCTURED Query Language or SQL is a standard language to retrieve, add, update and delete information in a database. To help you master SQL, here is Oracle Database 10g SQL, by Jason Price, from Tata McGraw-Hill (www.tatamcgrawhill.com) . First learn that it is often pronounced `sequel’ to save time, and is based on “the groundbreaking work of Dr E.F. Codd”. In mid-1970s IBM conducted a research project known as System R; and SQL was born from that project, informs the intro. “Later in 1979, a company then known as Relational Software Inc. (known today as Oracle Corporation) released the first commercial version of SQL.”
There are five types of SQL statements: Query to retrieve rows from database tables (using SELECT); data manipulation language (DML) to modify the contents of tables (using INSERT, UPDATE and DELETE); data definition language (DDL) to define data structures (using CREATE, ALTER, DROP, RENAME and TRUNCATE); transaction control (TC) to permanently record changes (using COMMIT, ROLLBACK and SAVEPOINT); and data control language (DCL) to change the permissions on database structures (using GRANT and REVOKE). That may look like a crash course in SQL, so you may be tempted to move on to SQL*Plus.
As an accountant, I’m interested in reading about database security, discussed in a separate chapter. It tells you how you can create a user and also about changing a user’s password (for example, ALTER USER jason IDENTIFIED BY marcus;). Deleting a user is important especially when staff leave the company; remember to add the keyword CASCADE after the user’s name in the DROP USER statement “if that user’s schema contains objects such as tables and so on.” You can check system privileges granted to a user, and from the data you get on this, it would be possible to also know if the user is able to grant the privilege to another user. The chapter on `high performance SQL tuning’ talks of `cost of performing queries’. For this, the `optimizer’ subsystem helps by generating “the most efficient path to access the data stored in the tables.”
If you’re looking for a cost-effective method of learning SQL, here is the optimal solution for a small price: Price.
Three million processors all running in parallel
WHO doesn’t know The Da Vinci Code. From its author Dan Brown is Digital Fortress, published by St. Martin’s Paperbacks. The book has been around for some time now, yet it is about `the ultimate code… dangerous… unbreakable’, so worth a read. The teaser on the back cover narrates: “When the NSA’s invincible code-breaking machine encounters a mysterious code it cannot break, the agency calls its head cryptographer, Susan Fletcher, a brilliant and beautiful mathematician.”
Meet TRANSLTR — “the single most expensive piece of computing equipment in the world”. It hid 90 per cent of its mass and power below the surface. “Its three million processors would all work in parallel — counting upward at blinding speed, trying every new permutation as they went.” Thus, codes that boasted of `unthinkably colossal pass-keys’ were not safe from TRANSLTR’s tenacity. It got its power “not only from its staggering number of processors but also from new advances in quantum computing — an emerging technology that allowed information to be stored as quantum-mechanical states rather than solely as binary data.”
Digital Fortress is an unbreakable algorithm. But there is Strathmore who wishes he could make a small modification to it. “A back door,” says Susan. Many pages later you come across Jabba talking about viruses: “Viruses reproduce. They create clones. They’re vain and stupid – binary egomaniacs. They pump out babies faster than rabbits.” But what he had on hand was not one such; the program had no ego, no need to reproduce. “It’s clear-headed and focused. In fact, when it’s accomplished its objective here, it will probably commit digital suicide.” That’s the `kamikaze of computer invaders… the worm.’
Take cover — in the Fortress!
“User name: trucker.”
“Is your password, `Service_Tax’?”
Monday, Sep 06, 2004
`IT is just one more factor of production’
|Technology is necessary but not sufficient, for business if one goes by what this expert has to say. Here’s why.|
HE had declared, “IT Doesn’t Matter” in the hallowed pages of Harvard Business Review and invited mixed reactions, ranging from “dead wrong” to “bombshell”, from around the world. Here comes his book with the same phrase twisted as a question: “Does IT Matter?” by Nicholas G. Carr, published by Harvard Business School Press (www.HBSPress.org) .
“Every year, companies spend more than $2 trillion on computer and communications equipment and services,” notes the blurb. The underlying assumption is that IT is “critical to competitive advantage and strategic success”. But the sub-title of the book rebuts: IT and `the corrosion of competitive advantage’.
Why so? Because IT is becoming another infrastructural resource, “such as railroads and electric power”, and is “steadily evolving from a profit-boosting proprietary resource to a simple cost of doing business”. Just one more factor of production, in the words of Carr: “A commodity input that is necessary for competitiveness but insufficient for advantage.”
Adding IT simply doesn’t add up as better business. “Companies continue to make IT investments in the dark, without a clear conceptual understanding of the ultimate strategic or financial impact.” Simply put, IT is losing is strategic edge. Period. Wait, what is IT? Carr clarifies: “All the technology, both hardware and software, used to store, process, and transport information in digital form.” It does not encompass the information that flows through the technology or the talent of the people using the technology, he adds. “As the strategic value of technology fades, the skill with which it is used on a day-to-day basis may well become even more important to a company’s success.”
The author points out how claims of big companies can be rhetoric: “The CIO of Cisco Systems says that `IT is becoming a more powerful tool for gaining competitive advantage, not less so.’ Microsoft claims on its Web site that a new information system at one of its clients `delivers tremendous strategic value’.” You gain an edge over rivals only by having something or doing something that they can’t have or do, reasons Carr. “By now, the core functions of IT – data storage, data processing, and data transport – have become available and affordable to all.” So, shift your aim to achieve distinctiveness, the “Holy Grail of differentiation”, he exhorts. Take home this lesson, therefore: Key to success may lie not in seeking advantage aggressively but in managing costs and risks meticulously. Also, take Carr to work.
Open the PC with confidence
LET’S say you know how to fix a leaky tap, make a breakfast, or work the jack to remove a flat tyre. How about remodelling your PC to improve its performance, replacing its outdated parts, adding peripherals, boosting storage capacity, and revamping hardware configuration?
Don’t step back because Barry and Marcia Press equip with required inputs in “PC Upgrade and Repair Bible”, from Wiley Dreamtech India P Ltd (www.wileydreamtech.com) . “This is a book both for people who will be opening up and working on their computers and for people who want to understand what goes on inside a computer,” says the preface. The current `desktop edition’ slims down the original Bible, to suit the home and small-office user.
Three basics you must get right first are: Control static electricity (a.k.a. electrostatic discharge or ESD) because “voltages you can’t see or feel can kill the chips”; follow careful, well-defined procedures, rather than “ripping hardware or software apart and making random changes hoping something will work”; and use proper tools, instead of thinking of “vice grip pliers as the universal tool”.
The authors explain terms so you not only know where buses are but also that they connect the processor to each of the other components. And that `ghosting’ doesn’t show as screeching doors and white smoke, but happens on computer monitors when cable is too long or of poor quality.
After leading the reader through processors, cache, memory, motherboards, video, disks, networks, multimedia, laptops and so on, the authors conclude with a chapter on building “an Extreme Machine” – a very high performance PC, “one suitable for intense first-person shooter gaming and DVD production… and quiet enough to be in the room where people are watching TV or talking.”
Shall we open the computer cabinet and start looking inside?
Metaphors for machines
BIOLOGY has kept generations of men and women busy for ages, now it is inspiring computing. “As computers and the tasks they perform become increasingly complex, researchers are looking to nature – as model and as metaphor – for inspiration,” writes Nancy Forbes in “Imitation of Life”, published by The MIT Press (http://mitpress.mit.edu).
Not too new a development, the author points out, because “John von Neumann, the architect of the first digital computer, used the human brain as the model for his design.” The must-read book identifies “three strains of biologically inspired computing”. These are: development of algorithms, use of biological materials, and effort to understand how biological organisms compute and process information.
The chapter on `artificial neural networks’ cites the Pitts-McCullough theory, which described “a network of neurons that cooperated to sense, learn, and store information”. There is, therefore, a `neural calculus’ that goes on up there! Successful applications include pattern recognition (such as finger print identification) and classification (as in the case of speech recognition).
In `evolutionary algorithms’, the author discusses `genetic programming’, something expressed not in the form of code lines, but a `parse tree’ with branches subdividing at nodes. A question that Forbes likes to discuss in a chapter on `artificial life’ is: Can there be `silicon-based life, or germanium-based life’, instead of depending on carbon?
Don’t miss the discussion of `swarm intelligence’ as seen in termites that build complex systems of tunnels in wood, without each insect really knowing what it’s building. Another example is of Craig Reynolds who created a virtual flock of birds, called `boids’ which flew according to three rules: Always avoid collisions with your neighbours; always try to fly at the same speed as your neighbours; and always try to stay close to your neighbours. “The boids flew as a coherent group, automatically splitting into two groups when encountering an obstacle, and reuniting after it had passed.” I guess that applies to our politicians too!
“And there was this last item in her will… ”
“What was that!”
“The balance in her prepaid card.”
Monday, Sep 13, 2004
Software – study in complexity
|The road to hell is paved with works-in-progress. Here’s insight into what makes a software project tick or fail.|
THE road to hell is paved with works-in-progress. How bad! But that’s a Philip Roth quote that greets you right at the start of Software Project Management, by Bob Hughes and Mike Cotterell. Now into its third edition, the book from Tata McGraw-Hill Publishing Co Ltd (www.tatamcgrawhill.com) handles “the more agile approaches to software projects such as Dynamic System Development Method (DSDM) and Extreme Programming (XP)”, apart from giving inputs on Project Management Institute of the US and Association of Project Management of the UK.
How are software projects special? The authors speak of four qualities, viz. invisibility, complexity, conformity and flexibility. “With software, progress is not immediately visible”; and “per dollar, pound or euro spent, software products contain more complexity than other engineered artefacts.” To add to the woes of software creation, “Organisations, because of lapses in collective memory, in internal communication or in effective decision-making, can exhibit remarkable `organisational stupidity’ that developers have to cater for.” Software is so easy to change; but flexibility is both a strength and source for trouble because “software will change to accommodate the other components rather than vice versa.”
Often projects fail because of faulty estimation of effort required. An over-estimate can cause the project to take longer, because two laws come into play: Parkinson’s Law, that work expands to fill the time available, and Brooks’ Law, that putting more people on a late job makes it later! What happens if there is an under-estimate? Your staff may respond to deadlines with substandard work, and this is `Weinberg’s zeroth law of reliability’ in action – “if a system does not have to be reliable, it can meet any other objective.”
A parametric model you’d read about in the book is COCOMO – short for COnstructive COst MOdel). The basic equation is effort = c x sizek where effort is measured in pm, or the number of `person-months’ consisting of units of 152 working hours, size is measured in kdsi, thousands of delivered source code instructions, and c and k are constants. “Boehm originally used mm (for man-months) when he wrote Software Engineering Economics,” states the book, and that’s another book you can catch up with. Also, there is now a newer version called COCOMO II, like a movie sequel. For Boehm, the constants depended on the mode of the system, which was organic, embedded or semi-detached.
Take my suggestion: Better be attached to completing the software project because an unfinished one is only a ticket to hell.
Thinking hat for Red Hat
READ, practice and pass the test. Thus screams the cover ofRHCE, Exam Study Guide by Michael Jang, published by Dreamtech Press (www.wileydreamtech.com) . The abbreviation stands for Red Hat Certified Engineer Linux. “Major corporations, from Home Depot to Toyota, and governments such as Germany, the Republic of Korea, and Mexico have made the switch to Linux,” states the preface. “Major movie studios such as Disney and Dreamworks use Linux to create the latest motion pictures.”
About the exam, the author cautions that it is a gruelling five-and-a-hour exercise (twice the length of a world-class marathon). “The most important thing that you can take to the exam is a clear head.”
Okay, it’s time for some teasers: Which of the following services works to connect Linux to a Microsoft Windows-based network – NFS, SMB, DNS or Windows for Workgroups? Which of the following commands would you use to write an ISO file to a CD – cdburn, cdrecord, isorecord, or xcdrecord?
Some queries are detailed: “You are running an ISP service and provide space for users’ Web pages. You want them to use no more than 40MB of space, but you will allow up to 50MB until they can clean up their stuff. How could you use quotas to enforce this policy? a) Enable grace periods; set the hard limit to 40MB and the soft limit to 50MB; b) Enable grace periods; set the hard limit to 40MB and the soft limit to 50MB; c) Enable grace periods; set the soft limit to 40MB and the hard limit to 50MB; or d) None of the above.” Are there answers? Yes, in this problem, `c’ is the right answer because “this will warn users they are over their limit after the grace period, but will make sure they do not exceed the 50MB true maximum barrier.” Option `a’ is wrong because “the soft limit must be less than the hard limit,” and `b’ is same as `a’. Option `d’ is incorrect because `c’ does the job.
Ready for the double-marathon?
“I bought a modern dustbin!”
“Oh, the one that makes a gnashing electronic noise when you put garbage into it?”
“No, mine goes about and picks up trash!”
Monday, Sep 20, 2004
Talk about business value of security
|Security makes business sense. So, get your tech experts to do the right kind of talking – not too secretive about security but not giving away secrets either.|
BULLETPROOF your systems before you are hacked! That’s the simple message of Roberta Bragg’s Hardening Windows Systems, from Tata McGraw-Hill Publishing Co Ltd (www.tatamcgrawhill.com) . So, “mount your hardening, securing campaign in at least two directions,” says chapter 1, titled `an immediate call to action’. One, the big picture, and two, the intimate reality of day-to-day work.
Hardening takes time and cultural change in organisations is slow. For this, you would need “evangelists and disciples, leaders and doers, talkers and strong, silent types”. You can effect significant changes in the security posture and actual security status of your networks right now by doing things that are under your control, goads Bragg.
Among the tips is this: keep secrets. “Learn to shut your mouth. It’s not rude, but a good practice, to refuse to talk about those things that might compromise security.” That doesn’t mean you turn non-communicative because: “It’s one thing to share a security-hardening tip, or to alert someone to a bad practice that can be corrected. It’s another thing to reveal your own system’s security weaknesses by talking about them to others.”
If there are high-risk systems in your organisation, requiring extra physical security, you may consider the following at workstation level: “a BIOS password; a required syskey Windows boot password; a smart-card, token, and/or biometric for administrator logon; removal of floppy, CD-ROM, or other removable drives; disabling of USB, serial, and other communications ports in the BIOS; hardware locks on cables and drives; physical locks that prevent theft of the workstation; and alarms that warn of computer movement.”
`Harden WetWare’ says the last chapter. WetWare? That’s “the people part of an information system,” explains the author. An important lesson for techies is to learn to speak business, because “management is not going to learn to speak geek.” So, express security concerns in the context of business value, advises Bragg. “If you have trouble thinking what the business value is, just think money.”
Ignorance of law is no excuse, and there are laws beyond Moore’s and Murphy’s. In the US context, there is the Gramm-Leach Bliley Act that requires financial institutions to implement a security program that safeguards customer info. HIPAA or the Health Insurance Portability and Accountability Act requires the protection of health-related personal information that is maintained electronically. Sarbanes-Oxley Act or SOX emphasises on internal controls. The Computer Fraud and Abuse Act “seeks to punish people whose unauthorised access to computer causes harm.” Likewise, there are laws on wiretap, economic espionage, and electronic communications privacy.
It’s hard to think of hardening if you trust too much in the goodness of the world. So, first harden your heart before bulletproofing your systems, because there are those with guns outside!
SOX is something you can’t shoo away
YES, we’re talking about Sarbanes Oxley Act that was born when the match between good and evil in the US was going in favour of the latter! To help you take SOX in the stride, Mohan R. Lavi has written A Practice Manual, published by Snow White (www.swpindia.com) . The book includes the IT Control Objectives issued by the IT Governance Institute. The author draws attention to the fact that the US Public Company Accounting Oversight Board (PCAOB) emphasises IT controls as having a pervasive effect on the achievement of many control objectives.
Thus, in drawing the IT Control Objectives, two things have been done: One, the IT controls from Control Objectives for Information and Related Technology (COBIT) were linked to the IT general control categories identified in the PCAOB standard; and two, control objectives were linked to the COSO (short for Committee of the Sponsoring Organisations of the Treadway Commission) internal control framework. It would be interesting to know that COSO was born in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, and the sponsoring organisations included the American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Financial Executives International (FEI), Institute of Internal Auditors (IIA) and Institute of Management Accountants (IMA).
There is a snatch about multi-location assessment considerations, talking about three situations: One, “where the financial business units within a territory are not significant individually, but if IT processing occurs in a central location, then the IT business unit may be significant.” For this, example given is of “a US multinational’s British financial business units that are not individually significant and most financial reporting IT processing is performed by a single IT business unit.” Two, “where the financial business unit is not significant in a particular territory, but the local IT business unit is responsible for regional IT processing.” Example, “an IT business unit in Singapore that is responsible for IT processing throughout Asia-pacific.” And three, “where there is no financial business unit in a particular territory, but US-based IT responsibilities have been outsourced to that territory.” Well, that seems to come closer home, and so the example is: “a US insurance company that outsources IT processing and maintenance to an IT business unit based in India.”
Is it time to see SOX in the eye?
Ambient computers, interactive design
THIS is an unusual book from the Massachusetts Institute of Technology’s stable: Digital Ground, by Malcolm McCullough (http://mitpress.mit.edu). The author is Associate Professor of Architecture and Design at the University of Michigan and the current work is “an architect’s response to the design challenge posed by pervasive computing”. You may wonder what the connection is if not familiar with the technology getting embedded in everyday things.
Interactivity has become ambient, pronounces the blurb, and the author argues that the ubiquitous technology does not obviate the human need for place. “An invitation to share in the author’s inquiry,” says McCullough in his preface. “Interaction design is poised to become one of the main liberal arts of the twenty-first century.” Don’t turn your backs to computer `saturating’ our lives, exhorts the intro. Accept them, instead, as a design challenge. “Unlike cyberspace, which was conceived as a tabula rasa, pervasive computing has to be inscribed into the social and environmental complexity of the existing physical environment.” (For starters, tabula rasa is no dish on the table but `blank slate’ in Latin; meaning that individual human beings are born with no built-in mental content, and that identity gets defined by events after birth.)
Chapter 1, `Interactive Futures’, indicates the need for a range of disciplines when IT becomes part of social infrastructure. “Social, psychological, aesthetic, and functional factors all must play a role in the design,” because “appropriateness surpasses performance.”
Human sustainability depends on the appropriateness of technology adaptation, McCullough says. “Technologies of world making become dangerous unless they are complemented by technologies of world knowing.” As the British did in nineteenth century India, `going native’ would help, after all. Let artifice, therefore, copy the resilience and wastelessness of nature, is a wish that the book wraps up with.
Interesting philosophy for those who consider IT as their religion.
“Crossword clue says, `One K in money (6)’.”
“No, that’s 8. I guess it must be monkey!”
Monday, Sep 27, 2004