A day or two ago I was building one of the Pirateology wooden pirate ships with my son and, while thinking a bit about some of the policy creation tasks I have on my plate, I found some similarities I thought would be interesting to share.
These construction kits were new to me in their method of construction. You get a sheet of mostly pre-cut pieces that you first have to number according to a paper that comes with the set. The numbers are placed where the pieces interlock, and you then construct the ship in numerical order. This provides you with some guidance, but really all you have to go on is the following:
- A single view of the ship on the front of the package
- A pile of shaped pieces of wood which you can associate with parts of that picture
- The numbers on the wood to tell you what pieces intersect with each other and the order of assembly
To me, this left quite a bit to the imagination; maybe that was the point. Regardless, I was able to assemble the ship with a bit of analysis and experimentation. That got me thinking – if I felt like this didn’t provide me with much guidance then why am I so comfortable creating process and policy where there was none before? It’s not really a mystery – the answer is that there’s more of a framework already in place than we realize, which is where the similarities started to appear for me.
I just received an email from VMware regarding a problem they unintentionally released in a production version of ESX & ESXi. The problem causes virtual machines running on this version of ESX to fail to power on after a particular date – today.
Have you checked to see what public sites are down today? Anyone who is diligent about updating ESX just got screwed big time. Now, if you make the assumption that any site which is down today and recovers shortly after VMware releases an update is running ESX, you can probably even guess exactly what version they are running.
Combine this with the increased focus on hacking virtualized environments, as evidenced by all the news coming out of Black Hat & Defcon this year, and you should be very concerned. These are not products which have yet seen the scrutiny that platforms like Linux & Windows have had over the years. It seems like a dangerous time for someone to know exactly what version of VMware you are running.
Update: I didn’t originally realize that this only impacts the startup of a VM on ESX. Apparently a site would have to power off a VM for this problem to surface. It’s not likely that many (reputable) sites would power off all of their VMs before realizing this issue existed.
I just read this article from SecurityFocus about Nate Lawson’s Black Hat talk on a vulnerability in the FasTrak transponders used for tolls in the Bay Area. When I originally received my transponder many years ago I had some concerns – at the time RFID hacking was all over the news, and the talk of US passports containing RFID tags was everyone’s concern. Much of my concern came from the ability to clone an RFID tag, which would make it possible to pass as someone else as you go through the toll booth.
FasTrak, as well as other electronic toll systems, is used for more than just tolls in most cases. These transponders are the pigment that flows through our interstate arteries, allowing traffic analysis so that you can check for traffic on your way home at night using Google Maps. I also have to believe that they are used by law enforcement to establish the place and time of an individual, or at least their vehicle.
What has always struck me is that FasTrak has never been concerned with the reliability of their transponders when it comes to toll collection. I’ve had numerous misses on mine as I drove through the toll plaza, and I had a dead battery in mine for months. When I called to have it replaced they told me not to worry about it – after a certain number of misses they’ll automatically send a new one. They’re obviously not very concerned about the transponders’ functionality.
In all these cases they use license plate recognition to identify you. So I ask myself, why carry your transponder at all? It seems to me that by doing so you are simply participating in traffic analysis and allowing yourself to be located, but are in no way risking a ticket or otherwise threatening the purpose for which you bought the transponder in the first place.
I would love to hear opinions on this.
About 2 years ago now, I had the opportunity to put together my organization’s first change control process. The company at the time was a very typical startup with many smart people hacking away at the system throughout the day. At the time, this was perceived as a competitive advantage for our company. We were “agile” and able to out-maneuver our larger competitors. This opinion was strengthened by the fact that we were in a new, rapidly evolving industry, and we needed to change quickly.
With that environment in mind, you can imagine that introducing change control to the organization didn’t exactly get folks excited about the impact it might have. This short series is intended to outline what I saw work and what didn’t. Change control is ever-evolving, and our process today is no different. Even though it is celebrating its 2nd birthday, it is still changing on a regular basis to be optimized and to meet changing business requirements.
In recent years I’ve become a huge fan of SaaS-based applications. I’m interested in this architecture not only for my career but also for the tools that I use every day. I think Google’s suite of tools is great for the most part, I think Amazon EC2/S3/SimpleDB/etc. are moving in a very interesting direction, and just today I see that just about everyone is getting into the game. But what assurance do I have that my data is still mine? Nobody wants their data locked into a particular service provider, yet there is no huge push to ensure it isn’t.