Archive for the ‘General’ Category

Basic Security Issues - User Name and Password Social Engineering

Monday, March 10th, 2008

or Uncommon Sense was a Common Virtue

A recent post on Codinghorror.com having to do with misuse of data (appropriating user names and passwords) caught my interest. In this case, a developer was offering a free piece of software to archive a user’s GMail account onto the user’s computer. By doing this, one could access one’s GMail offline OR restore GMail if somehow one’s mail was lost. The person using this software had to supply their username and password so the program could download the email, which makes sense; this is no different from setting up any email reader. Unfortunately for the user, the developer of the software put in his code a means to forward the user name and password to his own GMail account. It turns out over 1700 people had unwittingly given this developer their email account username and password. The software’s name is G-Archiver.

This falls within one of the simple tenets of social engineering: offer something free (even if relatively useless) and people will give away personal information (user names, passwords, email and physical addresses, etc.). Even more ironic is that by using a normal email client from a reputable open source shop or software firm, one could download one’s GMail easily. In other words, this software that was downloaded for no cost provided no real value but preyed on users’ ignorance of what else may be available.

This also highlights a danger in Freeware/Shareware/etc. Without knowing what company you are buying from, you may never know what you are getting into. Freeware/Shareware from well known sources may help and, of course, buying software from well known companies may work as well. Neither immunizes one from people misusing personal information, but at least there may be some legal recourse, or the company/group may have a self-interest in protecting their reputation (and your data by extension).

Finally, a lot of people use similar usernames and passwords for their email account and other systems. For those that haven’t thought about this, keep in mind that once someone has your email username and password, it may be very easy to access all your other accounts. For example, you receive a monthly banking account reminder in your email to www.mybank.com. The person with access to your email account can now go to www.mybank.com and log in, trying the same username and password you use for your email access. If it works on the bank site, they can get your bank account number and even authorise transactions. For those users that think their bank account number is hidden (many websites only show the last 4 digits), just pull up your paper statement or a check image…. If you think you’re safe because your password is different, all they need to do is have the user name (or in some cases even the email address), click on forgotten password, and the password is emailed to your account that they have already accessed!

Lesson - never use your email address/user name or password for other accounts, and make sure you know when you are giving out your username and password. If you’re doing that right now, you may want to consider changing your ways…. Thoughts?

Volume 1, 2008 of Information Systems Control Journal

Thursday, February 28th, 2008

Auditors with Attitude!

With apologies to N.W.A’s Straight Outta Compton


The latest issue of Control came out. I have a hard time reading professional journals, although I know it’s in my best interest to do so, so I’m a skimmer. The contents of this specific issue can be found here: TOC. My main issue with most journals is that I prefer the “How to” type of article or hard data. Often you don’t get those. There are a few gems in this month’s journal that I think are worth reading and understanding. But first I found this rather humorous…

The article “Measuring the Readability of Software Requirement Specifications” in the issue talks about how specs are too hard to read, and covers several tools that can help with readability and other means to make specs easier to read and understand. Two of the tools that are available in Microsoft Word are F.K. Readability and F.K. Grade Level. The authors stress that these tools should only be used as part of making specs readable, not as the final determination of good quality specs; if used alone, the spec writer will likely still have a poor spec. In other words, they are a good tool to determine general direction and “clues” to poor documentation, but serious consideration needs to be given to having a more “holistic” tool available to improve specifications. Quickly put, F.K. Readability uses a score. The lower the score, the more difficult the text is to read, with 30 or lower equating to college graduate level. F.K. Grade Level is a computation of the grade level. Out of curiosity, I cut and pasted the article into Word (realizing this is a journal, so I expected relatively difficult-to-read scores). Here is what I came up with.

[Image: readability2.jpg]

I’m just saying…..
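The two Word statistics described above, carried through in code so the scores are reproducible without Word. This is an added example, not code from the journal article, from Microsoft, or from this blog; it assumes the published Flesch formulas (Reading Ease = 206.835 - 1.015 × words per sentence - 84.6 × syllables per word; Flesch-Kincaid Grade Level = 0.39 × words per sentence + 11.8 × syllables per word - 15.59) and a vowel-group syllable heuristic of my own, so its numbers will drift slightly from Word’s proprietary counter. The sample sentences are constructed.

```python
import re

# Flesch Reading Ease and Flesch-Kincaid Grade Level, the two "F.K." statistics
# Microsoft Word reports. The coefficients are the published Flesch /
# Flesch-Kincaid constants; the syllable counter is a vowel-group heuristic
# (an assumption of this example, not Word's counter), so scores differ slightly.

VOWEL_GROUP = re.compile(r"[aeiouy]+")
WORD = re.compile(r"[A-Za-z]+(?:'[A-Za-z]+)?")
SENTENCE_END = re.compile(r"[.!?]+")


def count_syllables(word: str) -> int:
    """Heuristic syllable count: one per vowel group, dropping a trailing silent 'e'."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    n = len(VOWEL_GROUP.findall(w))
    # "code" -> 1, but keep the final syllable of "table" (consonant + "le")
    if w.endswith("e") and not w.endswith("le") and n > 1:
        n -= 1
    return max(n, 1)


def readability_scores(text: str) -> dict:
    """Return word/sentence/syllable counts and both Flesch scores for `text`."""
    words = WORD.findall(text)
    if not words:
        raise ValueError("no words found")
    sentences = [s for s in SENTENCE_END.split(text) if s.strip()]
    n_words = len(words)
    n_sentences = max(len(sentences), 1)
    n_syllables = sum(count_syllables(w) for w in words)
    words_per_sentence = n_words / n_sentences
    syllables_per_word = n_syllables / n_words
    # Flesch Reading Ease: higher is easier; ordinary prose lands between 0 and 100
    fre = 206.835 - 1.015 * words_per_sentence - 84.6 * syllables_per_word
    # Flesch-Kincaid Grade Level: US school grade needed to read the text
    fkgl = 0.39 * words_per_sentence + 11.8 * syllables_per_word - 15.59
    return {
        "words": n_words,
        "sentences": n_sentences,
        "syllables": n_syllables,
        "flesch_reading_ease": round(fre, 2),
        "fk_grade_level": round(fkgl, 2),
    }


def reading_ease_band(score: float) -> str:
    """Standard Flesch bands; 30 or lower is the college-graduate level the post cites."""
    if score <= 30:
        return "very difficult (college graduate)"
    if score <= 50:
        return "difficult (college)"
    if score <= 60:
        return "fairly difficult"
    if score <= 70:
        return "standard"
    return "easy"


# Constructed sample texts (not taken from the journal article)
PLAIN = "The spec is hard to read. Auditors must read it all."
DENSE = "Comprehensive specification documentation requires unambiguous terminology."

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("dense", DENSE)):
        s = readability_scores(sample)
        print(label, s, reading_ease_band(s["flesch_reading_ease"]))
```

Run it on a whole spec section and the Reading Ease score is what the post's "30 or lower" threshold is measured against; the grade level rises with both sentence length and word length, which is why a single jargon-heavy sentence scores far worse than a short plain one.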

OK - for the articles I LIKE…. If you click on a link, you will need an account with ISACA.org.

Practicing Information Technology Auditing for Fraud - This is a good article (with a boring name). One, lots of tables/pictures for simple guys like me. Two, it really gives a good and simple methodology for determining fraud risk and applying controls. Short, sweet and simple.

Is Your Printer Betraying Your Business? - Key items: networked printers have multiple services running on them that may be vulnerable to attack (IBM particularly had many services running), and networked printers have admin accounts that would allow someone to redirect a copy of all documents by enabling fax forwarding - these accounts have default passwords that many don’t change. There are more interesting items here - I suggest reading this article.

Lastly, Continuous Auditing Comes of Age is a good article looking to the future of audit management. I found this interesting while trying to put it in the context of SAS70 audits. Continuous auditing means that data is constantly collected, and audits are then incremental over time rather than massive efforts at certain points. This can reduce cost and find problems when they are small instead of later, when the impact is cumulative. The article was directed at internal audit, but I could see a significant benefit for external audits like SAS70 as well, as the information/evidence should be much better and cleaner.

How To Sell Your Product

Thursday, January 31st, 2008


Or Viral Marketing vs Joe Sixpack


Guy Kawasaki wrote in his blog recently (blog.guykawasaki.com) a post titled “Forget the A List After All”, which actually references another blog post called “Is the Tipping Point Toast” from Fast Company Magazine. Essentially they refute “The Tipping Point” through some research that says “Influencers” actually have very little impact on a trend and mass marketing is the most effective means to market an item, depending on whether society is ready for a trend. I think the answer really is somewhere in the middle. Like many quoted in the article, I find it hard to believe that someone others wish to emulate, who has a lot of connections (either personally or through the media), would have the same impact as Joe Blow in suburbia. If that were the case, I don’t think there would be the success of the whole paparazzi / People magazine culture where everyone wants to see what these stars are wearing.

If we take the old model with influencers and just assume they have more connections (we aren’t even talking influence here, but the number of connections) and do the typical 2-friends-tell-2-friends progression, with the exception of the influencer (I put 100, but I think in the case of many, the influencers would reach many more people), you get the following table (courtesy of Open Office). Of course in this case, this is just getting the word out (in other words, before the trend hits).

Time Period   Number without Influencer   Number with Influencer   % Increase
1             2                           2                        0
2             4                           4                        0
3             8                           8                        0
4             16                          800                      5000
5             32                          1600                     5000
6             64                          3200                     5000
7             128                         6400                     5000
8             256                         12800                    5000
9             512                         25600                    5000
10            1024                        51200                    5000
11            2048                        102400                   5000

Side Notes: I found the article interesting regarding Malcolm Gladwell’s response. He respects the work even if it is in opposition to his own, stating that the answer is likely somewhere in between, and he likened it to his disagreements with Mr Levitt (Freakonomics) on the reduction in crime (Broken Windows theory vs increased abortions). It was interesting, as in a short comment I had put in a book review on Goodreads.com, I noted that Gladwell blurbed Levitt’s book, but the book disagreed with Gladwell’s use of the Broken Windows theory. Originally I was disappointed in both books (The Tipping Point and Freakonomics) as they seem to have answers that are too neat. In here Gladwell almost recognizes that, which tends to make me like him more. I guess for books to sell (or magazines in the case of Fast Company), they need to be conclusive, even if the real answers are not so pat.

Of course I found this post through an influential blogger and technologist (I saw him speak a while back on “The Art of the Start”) so that is a little ironic.