Wednesday, July 20, 2016

Security Through Collaboration

Throughout my time working in IT, security has always been important. As more and more things move online, ensuring good data security practices is even more crucial. What you do with your data, both your personal data and your company's, can lead to horrible results or can make your life easy. While securing your personal data is on you (and your family), making sure that the data of the company you work for is secure is an entirely different challenge.

I’ve spent the day at the DevOps Day in Minneapolis and it has been a great conference to go to. If you work in a development or integration environment at all, I could not recommend this conference more. If you think you want to work in this environment, it’s also great to attend. There are a lot of wonderful things that you can learn and people that you can meet. It’s an amazing networking opportunity.

[Photo: Megan Carney discussing the idea of working with users]
Since security is so important, one of the key points that a number of the speakers and sessions addressed today was security and how you maintain a secure environment. There were a lot of ideas out there, and each company does things a little bit differently. All of the speakers did address a similar idea, and it is one I honestly hadn't heard talked about much before: security is a shared experience.

Almost everyone is familiar with the Bastard Operator From Hell (BOFH). It's the IT person who sits high upon their throne and issues edicts and proclamations to the masses, usually arbitrary and capricious in appearance, about how things will be done. In the BOFH's world, there is no room for negotiation or compromise. Those who try to offer suggestions or alternatives are met with scorn. Obviously the BOFH has the most experience, knows what is right, and woe be to the peasant who would dare defy the all-powerful BOFH. (Side note: I blissfully have never had to work with somebody like that. The IT director where I worked was *wonderful*.)


The problem with the BOFH model is that nobody has any incentive to work with that person. With no sense of shared experience and no desire to collaborate, people within the company have no reason to buy in to a security program or to follow procedures that, while they may appear arbitrary and capricious, actually have merit and are probably worth following.

Megan Carney (@PwnieFan) gave a wonderful talk about InfoSec and how security is everybody’s responsibility. Both she and Jeff Smith (@DarkandNerdy) continually emphasized that you need to get out and talk to the people you’re working with and get buy-in for the things you want to accomplish. This is so true in the security realm.

If you follow the BOFH model, you will never get full buy-in from your users. Without that, they won't feel comfortable coming to you when there are problems, and there will be problems. Nobody knows more about issues brewing in an organization than the people who are right in the thick of it. If the people you work with don't feel comfortable talking to you, issues will stay buried until it is too late. Trust me: you don't want the first time you hear about a security issue to be when you're leading the local news for a massive data breach.

[Photo: Jeff Smith warning about the by-products of DevOps and making sure security is considered]
Avoiding the BOFH model also ensures that the people who work in your company aren't just going to go around you to do whatever they want. If people feel comfortable talking to you, they will come to you to make sure an application is safe to install or that a new app is OK to use within the business. Keeping these lines of communication open is key to ensuring a secure environment. It also helps to document your processes and your progress in validating and verifying applications and libraries. This lets people know what you have done and looked at, and why decisions were made. That way, if an application was rejected for some reason and that reason has since been addressed, you know to go back and evaluate it again.

I think the best line I heard, and the one that really sums up the idea, came during one of the Open Session discussions on security. Eric, whose last name I do not know, said "Figure out how to turn they into we." The idea is that you never address security in the mindset of "They need to make this change" or "They need to improve how they are handling this." It should always come from a place of "we." Once that mindset is in place, security becomes a team effort and is much easier to maintain.

No system is ever going to be 100% secure. Software is written by humans, and humans make mistakes. Our job in IT should be to minimize security issues as much as possible and, when they happen, to minimize the damage they cause as quickly as possible. Doing that from a BOFH model is an approach, but it's not an effective one in a world where so much collaboration happens across teams and across platforms. Working together and keeping open lines of communication with those you serve is the best way to ensure that you are running in the most secure environment possible.



Saturday, March 26, 2016

Microsoft Shouldn't Apologize for Tay - We Should

Earlier this week, Microsoft released a chatbot on Twitter named Tay. It took only a day for the worst of the internet to rear its ugly head and turn it into a hate-spewing, racist, awful example of what AI can become. Microsoft pulled the bot and issued an apology.

But really, I don't think it is Microsoft that needs to apologize. What a segment of our society did, in less than a day, was take something impressionable and capable of learning and corrupt and destroy it so fully and so completely that it had to be pulled down. Think about that: our society can be that awful and that cruel, that quickly.

The AI was meant to represent a 19-year-old girl. Sadly, the abuse and insults this AI was subjected to are not all that different from what women face on the internet daily from the underground lair of trolls who see it as their right to defend the internet from all that is improper and evil (read: non-white males). It learned and adapted to what it was presented with, and how awful that was.

What I wish Microsoft would have done, though there is no way they could have, was to issue not a statement of apology but an absolute condemnation of what was done to their AI. Imagine for a moment that it wasn't an AI on the other end of that handle reading and seeing all these things. Imagine it was a teenager going out into the online world for the first time and seeing the worst of the internet. It's not that hard to picture, really. And if that was your child on the other end seeing this? You would be enraged, and rightly so.

We need to take a big, deep breath, slow down, and really think about where we are going as a country and a society. We spew hate and degrading comments online as if they have no effect on others, as if the person on the other end isn't real. We belittle those who stand up and say "This isn't right" and compare them to Hitler or claim they hate America.

Presidential candidates from one of the major political parties in this country have no issue with labeling Mexican migrants as rapists or saying we need to patrol and secure Muslim neighborhoods. And to a segment of the population, this type of demagoguery and defamation is perfectly acceptable.

Some in the Computer Science world have said Microsoft should have known better and that this was an example of bad design. I disagree.

This is a perfect reflection of where we are right now as a society. It’s not pretty, either. This has nothing to do with Microsoft writing a poor AI. This has everything to do with us and our not living up to the ideals and potential that we claim to possess.

Tuesday, January 19, 2016

In Defense of Microsoft's Patching Plan

I read an article yesterday from Computer World that called out Microsoft's patching plan moving forward with Windows 10 and dropping support for Windows 7 and 8. The crux of the article is that Microsoft are a bunch of idiots for their support strategy, that they are screwing over Enterprise IT, and how awful it is that they refuse to support the latest hardware on operating systems that were released over six and over three years ago, respectively.

The article has a bunch of quotes, including the line "refusing to honor," about Microsoft's agreements to support older hardware, and "The trust is gone," about Microsoft laying out agreements and support plans. The hyperbole would be hilarious if the people who said it didn't believe it so strongly.

You could read it yourself, but it is really a lousy piece of whining and Microsoft bashing, for what appears to be no other reason than to bash Microsoft for a while. The comments are pretty good, though. (For a more level-headed, informative article, and one that also shows what new hardware will be supported on Windows 7 and 8, I'd suggest the piece in PC World by Mark Hachman.)

Windows 7 ended its mainstream support in January of 2015. That means no new features. Why in the world would people expect new features, including hardware drivers, which can destabilize an operating system, to be added to a product that is past its mainstream support cycle? Windows 8.1 has a mainstream support end date of January 2018, so I could see being a little upset about that if your shop adopted Windows 8.1, but I don't know many that did. And if you did adopt Windows 8, you're probably not rushing out to buy new hardware.

My biggest problem with the Computer World article is this: for years, Microsoft was ripped apart in the technology world and press for how vulnerable and unstable their products could be. A lot of that had to do with how much backwards compatibility they tried to keep around for legacy hardware and legacy software, and to keep older software running on newer hardware. That much change at the core levels of the code will cause problems. That's all there is to it.

In an era where more and more things are moving to computing and cloud platforms, security, stability, and uptime are of the utmost priority. Microsoft cannot keep a good name for its brands if it knows there are gaping flaws still out there in the wild. It doesn't matter that they've fixed the issues and have been practically begging people to patch them; it's still up to the end user to install the update. And if the end user doesn't follow the patching directions or stays on older hardware with older software, guess whose name gets dragged through the mud: it's not the family down the road that won't upgrade. It's Microsoft.

Plain and simple, Microsoft must push people to upgrade to the latest software. They are throwing in a huge carrot by making it free. If handling that level of upgrade at your shop is a big, painful operation, you need to put in place the procedures to deal with it. I work in a highly regulated industry. I know how much of a pain it can be. But the bottom line is that you have to do it.

Microsoft is making the right move here. People need to move up to the latest software, and they can't lollygag while doing it. Microsoft is even trying to make it as easy as possible for the IT world. But they, and the computer world as a whole, can no longer leave people with no incentive to upgrade. Waiting two to three years to adopt a new operating system just isn't feasible any more, and it is time to move on.