2nd ISACA Athens Chapter Conference

Yesterday I attended the 2nd ISACA Athens Chapter Conference. Time and money did not permit attending the workshop the day before, but I heard it was a great success. So here are some of the highlights:

Paul Spirakis talked about “Trust in the Web”. His talk followed closely the spirit of “Reflections on Trusting Trust”, with a bit of mathematics and more time at his disposal. He concluded with a metatheorem (a conjecture, really) that we cannot achieve perfect trust in the web, and in his line of thought this closely resembles Arrow’s Impossibility Theorem. In my mind, following the same path of thought, this is not similar to Arrow’s theorem but closer to the Good Regulator theorem, which also shows the complexity needed in order to achieve it.

Spirakis’s talk made me think that we System Administrators love to say that trust is not transitive, or, as my good friend George loves to recite, “I trust my friend who trusts the President; do I trust the President?”. And yet, although we say this as if we believe it, at the same time we insist on using protocols that depend on PKI or other third-party infrastructure all the time. And we feel good about this, and our users do not complain, since their browser (which also trusts a set of third parties) does not complain either. The truth is that trust decays upon transition. We trust someone to a degree of certainty (which can be absolute), but when we introduce that someone to a third person, a lower degree comes along with the introduction. Why? Because it is always possible that the person we introduced does something we did not expect. The person accepting the introduction accepts it with even less certainty than we do (yes, they may accept our word blindly, so multiply by one in this case), and the two newly introduced parties work their trust from there. So, given time, trust either builds up or dies out. But I have digressed long enough.

@kpapapan (Greek OWASP chapter leader) presented the idea that bugs in code are debt waiting to be paid later. I had never considered this point of view and I liked it very much. I hope he gets the opportunity to present the subject again, this time with the aid of numbers from a real software project that costs money to develop and support. I hope there are one or two software vendors that can provide him with the numbers to support the “bugs as debt” point of view. It would help project managers decide on realistic deadlines.

This was part of a “20 slides in 20 seconds” track, in which George Raikos gave an excellent presentation based on the “Ginetai” (it can be done) rebranding strategy for Greece. I am opposed to “Ginetai”, but I have to acknowledge excellence even in things I do not agree with. In the same session there were also two presentations from ISACA Athens Chapter board members, thanks to which I learned that in Greece there are 192 CISAs, 71 CISMs, 24 CGEITs and 52 CRISCs. That was Friday. Saturday was ISACA test day, so I am guessing these numbers will grow.

The best presentation in the room was given by Ramses Gallego. Forget all he said about going beyond identity management and towards access governance. The man asked the audience the Drucker question:

If you were outside the industry that you are in now and you had all the information that you have now, would you join it?

– If not, run away; otherwise embrace the field.

Pretty generic, but that is what you take away from impressive speakers: stuff that can be applied in multiple cases. Closer to home, Ramses also insisted on asking the right questions (about access) at the right time, because this gives you control of the world you are supposed to be managing: Who? What? When? Where? Why? How?

And of course there was the “hallway track”, usually the most important part of a conference. I did not have the chance to talk to a lot of people, but I really exchanged a few ideas with some, triggered mostly by what was presented. Even though it may be unconscious to many of the attendees, they are employing a systems approach on the (well) systems that they manage. To that end a bit of study of system dynamics is needed, since it will enrich the view we have of the behaviour of the systems (people, machines, processes and information) that we manage. This time I left the hallway track with a whole lot of pointers for stuff to look up.

There were four or five people tweeting from the conference, less than 3% of the attendees. That was bad. I would have loved to see what others made of the presentations while they were being given.

Congratulations to the ISACA Athens Chapter board members for organising what seems to be a conference that will last many years. Congratulations to them also for making it possible for unemployed members of the Chapter to attend free of charge.

Electronic elections and age

49 professors of NTUA (ΕΜΠ) claim that (among other things) electronic elections prevent faculty members who are not familiar with technology from voting. This reminded me of two old stories:

Story 1:

One evening, when I had just started working at TEE (the Technical Chamber of Greece), the then president of the retired engineers, aged 92, came into the office. In his hand he had a bag with a sound card and a CD, and he told us:

– Folks, I went and bought these from Plaisio. Can you show me how to connect them to my computer?

How to connect them. Not whether you could connect them for me.

Story 2:

Once, when I was still working at NTUA-NOC, I dared to say that several professors, because of their age, might have trouble adapting to working with the Internet (and the web in particular). Judging by the reactions (“we said we are old, but not that old” being the mildest, up to being summoned to some kind of apology being the harshest), one would say that I had probably insulted the entire faculty of that period.

I would not have written these stories if at least one of those reported as signing this argument were not himself a high-tech user, whose only “struggle” was when I gave him the sendmail book to read.

How to teach a 4 year-old child geometry

Kirsti Määttänen on PEIRCE-L:

Jerry, list,

I’ll explain to you how to teach some basics of geometry to a 4 year old. – My grand-son is now 4 years 2 months, I taught him just a while ago. 4 years is an excellent age for these studies, perhaps the very best.

You’ll need either a chalk-board or a white plane with a peg in the middle. Then you’ll need a string and a chalk or a pencil. Then you’ll have to make a tiny groove in the peg, as well as one in the chalk, or the pencil. – Best if the distance of the groove from the plane is about the same in the peg and in the chalk/pencil.

Then you tie one end of the string to the peg, and the other to the chalk or pencil. Make sure the ties hold and that the length of the string is not too long. – If you use a pencil, it should be B 6 (quite soft, the kind artists use).

Then show the child how to keep the string straight, as long as possible, that is. Then instruct him/her to move the chalk/pencil to draw on the plane. – Then, like a miracle, a circle is being drawn.

It is a true miracle to the child. – The child will soon learn that a really fine and even circle will only be formed IF the string is kept tense, stretched to the utmost.

By now you have DEMONSTRATED the nature of a circle to the child. Now he/she understands the SOUL (as topologists say) of a circle.

Then use various lengths of the string – and you get a set of concentric circles. – And the child’s understanding gets deeper.

Children of this age get really enthusiastic. – My grandson Mikko was jumping and shouting: I drew a CIRCLE, I can make a CIRCLE!!! A FINE circle!!!

Now you have a great opportunity to discuss all you have done together. The child will absorb all the information like a sponge absorbs water.

But this is not all. Now the child is ready to understand the functions of a pair of compasses. – That it has to be stiff, with a joint at the upper end. And with a sharp spike at one end, as well as a piece of lead at the other end.
Then take a paper-block, and let the child draw various kinds of circles on the paper. – Some of them overlapping each other. – You’ll get various Venn diagrams to discuss.

Make sure that you pace these demonstrations and discussions in accordance with the child’s enthusiasm and interest. – With the first signs of slackening attention, stop and tell the child that you will continue some other day. (My grandsons are both BDM Baby Dance children, so they both have exceptionally long attention spans & are quite skillful.)

Then take an A4 sheet of paper and draw as big a circle as you can on the sheet. – Then two points of the circle will touch the edge of the paper (if you have measured its shorter side & chosen a middle point as the center of the circle).

Then take the pair of compasses, taking care not to change its angle (which you point out to the child), and put the spike on any point on the circumference of the circle. Then mark two points on the circumference, one in one direction, one in the other direction.

Then take a ruler and draw lines connecting the two marks + the little hole left by the spike. – Now you have got an equilateral triangle inside the circle.

Then cut the circle out of the sheet of paper. – Then fold the paper according to the lines drawn with the ruler.
– Then you’ll have a triangle AND a circle. – When flat, it is a circle, when folded, it is a triangle with “wings”.

This, too, is for the child a miracle. – My grandson Mikko absolutely wanted to save this miracle. And he spoke for days to come, that granny made a triangle out of a circle.

You may then point out that all the “wings” are of equal size. – By this time you have had lots of opportunities to demonstrate “equal” and “unequal” to the child. – Also “more” and “less”. Etc., etc.

The next phase, where you go from plane geometry to three-dimensional geometry I have not yet done with my grandson.

For that you need these Japanese Origami papers in various colors, in order to get the most of it.

First, choose a selection of the biggest sheets, with a variety of colors. – You also need a pair of compasses, a ruler, scissors and glue. And a pencil, of course.

Then make, according to the rules above, a set of these triangles with “wings”.

Then start gluing them together, two wings at a time first. – Now establish a rule: the two “wings” to be glued together must always be of different colors. – Let the child choose the colors. – Do not, however, take a new color if it is not needed because of the rule.

When the glue holds, show the child that a third triangle with “wings” can be attached to the former two by two of their “wings”. – Remember the rule about colors!

The idea of a curved space begins now to show itself.

You then continue, and in the end you will have a Platonic Solid, the Octahedron. – The “wings” are there to remind the child that you started with circles. – Also, you may point out to the child that an imaginary sphere, a bigger one may be thought – around the one formed out of triangles. This imaginary sphere is determined by the “highest points” of the wings. – There is the idea of concentric spheres demonstrated.

You may also dwell on the idea of determination. (You may need a little practicing to learn to speak so that a child can understand what you mean. One of the benefits for you yourself is that by learning to do so, you simultaneously learn to understand yourself. – Not a small benefit, I assure you!)

Now you can put a lamp inside, so you get a multicolored lamp shade, preferably hanging from the ceiling.
This is ideal for the child (as well as for you) to meditate on. – It works miracles on geometrical imagination!

Note that you have here introduced the basics of the famous map-coloring problem as one side-product (one amongst many).

Then all you need to do is to nourish your child’s geometrical imagination – and mathematical in general – from time to time — and just wait for your little genius to grow and prosper!

If you happen to feel a shortage of geometrical imagination to nourish that of your child’s, then just take up Euclid’s Elements to enliven it.

Cheers,

Kirsti

When times are tough …

“When times are tough IT gets beaten hard” –Rolf von Roessing

When times are hard, IT is the first to take the heat: budget cuts, “rightsizing” (which always equals downsizing) and a mandate to do more with less. And let us not forget outsourcing, which of course costs less, provided there is still someone there, the key person, to inform the outsourcer and interface with the rest of the organization. Most likely that person jumped ship upon seeing the iceberg and not after the hit.

So what do we get after this? We get a lower budget for the next year (hence a success!), poorly documented systems with no one around to ask about the details (and guess when you will need that tiny bit of missing detail), and systems that must continue to operate with large portions of them unpatched, unmaintained and halted, no longer following the normal upgrade path of their life cycle. This operations nightmare can easily become a security one too.

And what about training your staff? Training is spending and thus cut. After all, staff are supposed to freely dig around the Net and find the appropriate answers. That is the best it will get: answers, not training. No one will stop staff being trained on their personal time and budget, but not on company time. “What if we train them and they leave?” Is that sensible? How about not training them and seeing how far they can go.

Management avoids errors of commission by making errors of omission, which have hidden costs that appear later, in the most unexpected circumstances and of course at a time when the one responsible for the chain of events has left the helm. But then again, management stays in office for less time than those who foresee such errors, and easily silences them in an uneven power game.

All that is left are the system administrators, developers and security guys still on board, trying to clean up the mess. Sometimes you have to spend your way up, but almost always management interprets this like a supernova: they keep absorbing amounts of energy (budget) trying to keep doing their thing, avoiding evolution (organized abandonment) like dinosaurs. I used to dislike Rand’s advice about when to jump ship, but he is certainly correct.

A traveler’s guide to cyber security

I am a big fan of Jeffrey Carr‘s “Inside Cyber Warfare“, so when he wrote “A traveler’s guide to cyber security” I went along and bought it. The booklet is exactly what the title says: a traveler’s guide. It puts you in the frame of mind you need when you visit a foreign country (sometimes it may not even be a foreign country, it may be a certain building) and tells you what measures to take in order to protect your electronic data as best you can.

It is divided roughly into three parts, the first being the measures you have to take depending on how high-profile a target you assess yourself to be. The second part presents the legal framework within which Russian and PRC agencies operate, while the third is an interesting collection of news articles about espionage stories from all over the world which involve cyber activities in the process.

Fun reading, cheap, small (40 pages) and handy to show when a less technical “higher up” needs to understand stuff.

being more flexible than FEATURE(compat_check)

A user at ServerFault asked how to restrict a user to sending mail only to local addresses. Normally in sendmail, user / sender filtering decisions are made using FEATURE(compat_check), but while it does provide flexibility in deciding on specific sender/recipient pairs, which are entries in /etc/mail/access, for anything more flexible you have to write your own version of the check_compat rule set.

check_compat‘s workspace is a string that contains the addresses given in the MAIL FROM: and RCPT TO: SMTP dialog, separated by a $|. Whenever one works with addresses in sendmail, one has to canonify them, but since a rule set called from within another rule set always takes a single argument (the workspace), we have to use macros to store the canonified addresses before proceeding to any pattern matching. So first we have to declare the macros in our sendmail.mc:

LOCAL_CONFIG
Kput macro
D{put1}empty1
D{put2}empty2

The above snippet declares a map of type macro (named put) and two macros that we will use to store the canonified addresses (named put1 and put2), initialized to some non-empty bogus value. Since the workspace for check_compat is of the form sender address $| recipient address, we canonify the recipient address first:

LOCAL_RULESETS
Scheck_compat
# workspace: sender $| recipient; canonify the recipient, keep the sender as is
R$* $| $*               $: $1 $| $>canonify $2
# store the canonified recipient in {put2}; the macro map returns "", so $1 (sender) is left
R$* $| $*               $: $(put {put2} $@ $2 $) $1

Up to here the rule set puts the canonified address of the recipient in ${put2} and leaves the sender address (the trailing $1 in the second line) in the workspace for further processing. Therefore we are now ready to repeat the process and store the canonified sender address in ${put1}:

# workspace is now only the sender: canonify it and store it in {put1}
R$*             $: $>canonify $1
R$*             $: $(put {put1} $@ $1 $)

Storing into a macro map returns an empty string, so the workspace is now empty and we have to retrieve the addresses from the macros and reconstruct a canonified workspace for any further processing. Note the $& form: the macros were set while the rule set was running, so they must be expanded at run time and not when the configuration file is read:

# rebuild the workspace from the two macros (deferred expansion with $&)
R$*             $: $&{put1} $| $&{put2}

This results in the workspace now being in the canonified form of:

sender < @ sender . domain . > $| recipient < @ recipient . domain . >

regardless of the many ways an email address can be written. This is why we need canonification in the first place: there are many ways one can enter an address in MAIL FROM: and RCPT TO:, and canonification returns an address in a single format that all the other rule sets can work with.

Now if someone wants to restrict where a user can send mail to, based on MAIL FROM: and the recipient domain, one can add the following lines to check_compat:

# Now we can filter on sender and recipient
# (the canonified recipient is "local < @ domain . >", so the "@" is part of the match)
Ruser < @ $=w . > $| $* < @ $=w . >      $#OK
Ruser < @ $=w . > $| $*                  $#discard $: $2

The above silently discards email from user that is not directed to the local domains (class $=w). Two caveats before you deploy it: MAIL FROM: is whatever the client claims, so unless user is only ever accepted through SMTP AUTH or from a trusted host, anyone can impersonate user and, conversely, user can pick a different sender address to get around the rule; and $#discard drops the message without telling anyone, which is hard to debug, so you may prefer $#error with a 5xx reply that the user actually sees. If you want to test your rule sets (sendmail -bt) you have to keep in mind that sendmail’s test mode interprets $| as two characters, so you have to use a “translate hack”:

LOCAL_RULESETS
STranslate
# turn the two typed characters "$" "|" into the real $| operator
R$* $$| $*    $: $1 $| $2

Now you can check check_compat by typing the two addresses separated by a literal $|, so that Translate can turn it into the real operator before check_compat sees the workspace:

# sendmail -bt
> Translate,check_compat sender@address $| recipient@address

and watch what happens. As always, keep in mind that in sendmail.mc the left hand side of the rules is separated from the right hand side with tabs, not spaces. So do not copy-paste; type the code instead. Next you need to compile your sendmail.cf and restart sendmail. In Debian, run sendmailconfig as root to do this.

My eyes hurt! Can it be done another way?

Of course! You can install MIMEDefang alongside sendmail and modify filter_recipient to your liking. Depending on your operating system / distribution, you may need to enable filter_recipient first. In Debian you have to edit /etc/default/mimedefang and restart the MIMEDefang daemon. After enabling it, you add your own version of filter_recipient to /etc/mail/mimedefang-filter:

sub filter_recipient {
  # Called by MIMEDefang for every RCPT TO:; $sender and $recipient arrive
  # in angle brackets, exactly as given in the SMTP dialog.
  my ($recipient, $sender, $ip, $hostname, $first, $helo, $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

  # Strip the angle brackets and lower-case, so comparisons are case-insensitive
  $sender =~ s/^\<//;
  $sender =~ s/\>$//;
  $sender = lc $sender;

  $recipient=~ s/^\<//;
  $recipient=~ s/\>$//;
  $recipient = lc $recipient;

  # Put your conditions here (return ('REJECT', "message") to refuse this recipient)
  ...

  return('CONTINUE', "ok");
}

You need to reload mimedefang-filter after editing it, so as root run (in Debian) /etc/init.d/mimedefang reload and check your log files for any errors.
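As an added example that is not part of the original post nor of MIMEDefang’s own distribution, here is a filter_recipient that implements the same policy as the check_compat rules above: one sender may only deliver to the local domains. The sender address and the domain list are made-up placeholders; the list should mirror what your sendmail has in class $=w.

```perl
# Added example, not from the original post: restrict one envelope sender
# to local recipients from a MIMEDefang filter. Placeholders (assumed, not
# from the post): the restricted sender and the local domain list.
my %local_domains     = map { $_ => 1 } qw(example.com mail.example.com localhost);
my %restricted_sender = ('user@example.com' => 1);

# Strip the angle brackets of an SMTP envelope address and lower-case it.
sub normalize_address {
    my ($addr) = @_;
    $addr =~ s/^<//;
    $addr =~ s/>$//;
    return lc $addr;
}

# Domain part of an address (undef for a bare local part), without a trailing dot.
sub address_domain {
    my ($addr) = @_;
    my ($domain) = $addr =~ /\@([^\@]+)$/;
    $domain =~ s/\.$// if defined $domain;
    return $domain;
}

sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    $sender    = normalize_address($sender);
    $recipient = normalize_address($recipient);

    # Senders not covered by the policy are left alone.
    return ('CONTINUE', 'ok') unless $restricted_sender{$sender};

    # A bare local part has no domain and is delivered locally by sendmail,
    # so it counts as a local recipient here.
    my $domain = address_domain($recipient);
    if (!defined $domain || $local_domains{$domain}) {
        return ('CONTINUE', 'ok');
    }

    # Reject at RCPT time with a permanent error instead of discarding, so
    # the user and your logs both see why the message did not go out.
    md_syslog('info', "filter_recipient: $sender not allowed to send to $recipient from $ip");
    return ('REJECT', "Sender $sender may only send to local recipients");
}
```

The same caveat as for the check_compat version applies: the envelope sender is unauthenticated, so the rule only means something if user is admitted through SMTP AUTH or from hosts you control.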

Pro Website Development and Operations

I read about “Pro Website Development and Operations” at Tom Limoncelli’s site, so I immediately marked it on my list of books to buy. A few days later Apress held a $10 ebook sale on every title they had, so I bought it. The good news first: The epub version of the book renders nicely on my BeBook Mini.

I have not written a book yet, but I know one when I read one. And this is not a book. It is a series of good, long blog posts expanded to fill the size of a book (124 pages). It was not very well proof-read, so it has many grammatical and syntactic errors, and some others like “you might have several hundred servers in the subnet 10.10.20.0/24,”. A /24 has 254 usable host addresses, so you can have a couple of hundred servers on one but not three hundred; it is not “several”, sorry. A trivial mistake, but indicative of things that can annoy you in the book.

The word engineering and its derivatives are overused. There is a reason the intended audience of the book is DevOps people and not engineers, or software engineers (even though there are people who can wear all three hats): they are not. There is a great difference between engineering a solution and calling everyone on board an engineer, unless what you build has a direct impact on human lives (or loss of them) or is something whose failure can cause a national economy to go under, or a disaster of similar magnitude.

An interesting thing about the book is that it talks a lot about the significance of measurements in understanding a site’s usage patterns. However, there is not a single formula or methodology mentioned which the reader can use to measure things! It is more along the lines of “you need to measure stuff because it is important”, but nothing about how to measure or how to lay out a plan for a measurement infrastructure. Because forecasting performance is a must in website development and operations, I was expecting something like “Forecasting Oracle Performance“. I was also expecting hints on how to size a new server. Of course I will size a new server carefully, but I bought your book not to read generalizations but to learn how you actually do it. Again, no formula (if you want to see some interesting mathematics on the subject, see “Mathematical Server Sizing“). We need to model stuff, so where is the part about how to build and test a model?

Another thing I take issue with is the special projects team that the author advocates. The author is right in advising rotating roles between members of the special projects team in order to diffuse knowledge among them, but I believe that he has only ever been a member of special project teams. Otherwise he would have described the impact on the morale of the operators who are not members of the special team that builds exciting new projects. Projects that get the budget and get to use new technologies and hardware to experiment on, while the rest must work on a (restricted) budget to maintain a (legacy) system that already brings money to the table. So in fact you not only have to rotate people among roles in the special projects team, you have to rotate them in and out of the team too. This also has the advantage of avoiding the build-up of IT silos or other small dominions with a single point (the operator) of failure.

Is there anything good in this book? Taking good care of your people and their health is one thing. Making sure that they get proper sleep, even before a launch, is important. Not only for the health of the workers, but for the health of the company (and its culture) too.

The other thing I really enjoyed in the book was the interviews the author did with Tom Limoncelli and with Santiago Suarez Ordoñez of Selenium fame.

In its effort to be technology agnostic so as to stand the test of time, the book suffers from generalizations and is disconnected from practice. Wait for the second edition.