<?xml version="1.0" encoding="utf-8"?> 
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/"
     version="2.0">

    <channel>

        <title>TalkBMC - The Fulcrum</title>
        <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan</link>
        <description>Making sense of IT: managing and leveraging it to improve customer service</description>
        <language>en-us</language>
        <generator>Plone 2.0</generator>

        
            
                  <item>
                      <title>On SLM</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/SLM</link>
                      <description></description>
                      <author>sveerara</author>
                      <pubDate>Wed, 14 May 2008 12:52:36 -0500</pubDate>
                      
     
        <category>SLM</category>
     
     
        <category>Service Level Management</category>
             
      <content:encoded><![CDATA[
  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">On SLM</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font size="3"><font
  face="Times New Roman">&nbsp;</font></font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">A contract generally involves at least 2
  parties - one offering a service and the other consuming it. The basic idea
  of a contract is to formalize a business relationship, and it may consist of
  one or more agreements, which define the contract terms.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font size="3"><font
  face="Times New Roman">&nbsp;</font></font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">Agreements in turn may contain language that
  deals with the specifics of the contract – such as an ETD, cost, options, and
  so on. These specifics would be the ‘targets.’</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font size="3"><font
  face="Times New Roman">&nbsp;</font></font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">To make sure the defined work is getting
  done properly, there is a need to MEASURE the terms of the agreement. As an
  example, you can have a contract with a landscaper with an agreement that
  the work shall be finished in 5 days at the cost of, say, $1000. And if done
  early, a bonus of $50 would be offered; but if late, then a penalty of $50
  would be assessed. This is a simple definition, but it gives enough
  information on how the work shall be done and the expected
  rewards/penalties.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font size="3"><font
  face="Times New Roman">&nbsp;</font></font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">In much the same way, IT shops that offer
  services to their customers have a strong need to be monitored and measured,
  with feedback coming in via surveys, data analysis, and direct customer
  comments.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font size="3"><font
  face="Times New Roman">&nbsp;</font></font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">What is the need to measure something like,
  for example, the amount of time taken to set up a virtual machine for a test
  environment requested by a QA team?</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font size="3"><font
  face="Times New Roman">&nbsp;</font></font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">If you think about it, the advantages of a
  measurement/monitoring system are tremendous: scope for improvement,
  increase in productivity, cost savings, more efficient use of resources,
  and improvement in customer satisfaction are just a few, as long as the data
  are being collected accurately and fairly, and are analyzed the right
  way.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font size="3"><font
  face="Times New Roman">&nbsp;</font></font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">For instance, you can’t fault the IT tech if
  the VM host itself develops a failed disk – it’s something that can’t be
  controlled, and thus cannot be counted towards the SLA (the Service Level
  Agreement).</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font size="3"><font
  face="Times New Roman">&nbsp;</font></font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">What an SLM tool should do
  (terms/definitions/implementations may vary):</font></p>

  <ol style="MARGIN-TOP: 0in" type="a">
   <li class="MsoNormal"
   style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in">
   <font face="Times New Roman" size="3">DEFINE contracts – the overarching
   buckets that hold everything</font></li>

   <li class="MsoNormal"
   style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in">
   <font face="Times New Roman" size="3">DEFINE agreements – sets of
   agreed-upon goals</font></li>

   <li class="MsoNormal"
   style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in">
   <font face="Times New Roman" size="3">DEFINE and TRACK targets – the actual
   definition and implementation details of the goals</font></li>

   <li class="MsoNormal"
   style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in">
   <font face="Times New Roman" size="3">DEFINE and TRACK milestones – how
   long to wait when an SLA is violated before taking action; or run certain
   tests at certain points in time during the project</font></li>

   <li class="MsoNormal"
   style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in">
   <font face="Times New Roman" size="3">DEFINE and EXECUTE actions – when
   milestones/SLAs are violated</font></li>

   <li class="MsoNormal"
   style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in">
   <font face="Times New Roman" size="3">DEFINE and TRACK
   penalties/rewards</font></li>

   <li class="MsoNormal"
   style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in">
   <font face="Times New Roman" size="3">REPORT on any aspect of the measured
   data (transforms data into information)</font></li>
  </ol>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font size="3"><font
  face="Times New Roman">&nbsp;</font></font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">What can be measured? Anything. Absolutely
  anything, as long as the information about the measured entity can be parsed
  (mathematically/semantically). As an example, you could measure the amount
  of time taken to close out a customer issue, and you could also measure the
  number of times a customer has used the word “terrible.”</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font size="3"><font
  face="Times New Roman">&nbsp;</font></font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">Let’s expand on the landscaping
  example.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">CONTRACT – the document you sign to have the
  crew perform the work</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">AGREEMENT – that the overall cost will be
  $1000 and time to finish would be 5 days</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">TARGETS – cost, time estimate, number of
  people doing the work, number of bags of mulch, type and quality of top
  soil</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">MILESTONES/ACTIONS – at most grant an extra
  day; notify contractor if delay goes over allotted time</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">PENALTIES/REWARDS – bonus $50 for finishing
  before time; penalty $50 for being late</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">REPORT – give feedback to the contractor
  when work is done; post review on consumer websites</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">More later...(especially how things can plug
  into ITIL processes)</font></p>
  
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>Encryption at the POS</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/hannaford</link>
                      <description>Or, why you should pay cash at the grocery store (or anywhere else)</description>
                      <author>sveerara</author>
                      <pubDate>Wed, 23 Apr 2008 17:25:34 -0500</pubDate>
                              
      <content:encoded><![CDATA[<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face="Times New Roman" size=3><A href="http://www.boston.com/business/articles/2008/04/23/stung_by_hackers_grocer_encrypts_customer_data/">http://www.boston.com/business/articles/2008/04/23/stung_by_hackers_grocer_encrypts_customer_data/</A></FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p>&nbsp;</o:p></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">As any Hannaford exec will tell you, the last place you want to secure is the first place hackers will target. As the cliché goes - a chain is only as strong...<o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">In this case, although details are quite nebulous, it appears that malware running on internal servers intercepted credit card data as the cards were swiped (plaintext data is sent from the POS terminals to the processing servers before the data is encrypted, so anyone snooping right in the middle could easily get access to the entire card data), and then simply shipped the info off to the hackers.<o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">Really simple operation, but how did the malware get inside the internal servers? There are a few ways:<o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">a. Someone used it to surf the 'Net, and probably downloaded it by mistake<o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">b. Someone planted it on purpose (inside job)<o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">c. Hackers got in from outside and planted the program<o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">The company will not really say what happened, so the possibility that it was an inside job is quite high. <o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">Steps the company has taken to avoid such illegal interception include encrypting the data right at the POS, having IBM monitor the network for suspicious activities and so on. This, thus, is another case of bolting the barn...although it is a sure deterrent to hackers planning the same method of stealing information in future.<o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">The problem is hackers will probably find a way around it; they always do. The PCI-DSS standards (see one of my previous blogs) only regulate the encryption of data when it reaches the servers and not before or during, so that is definitely a weakness.<o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">Further, as the article in the link notes (and is so true anyway), retailers depend heavily on the software vendors to update their software/patch issues and vulnerabilities, and overall make sure their product is not a gateway for hackers to drill into the enterprise and steal information.<o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">One critical step would be to monitor INTERNAL traffic (in terms of always monitoring who accesses sensitive servers, implementing a strict ACL, and checking ALL packets that leave the servers - especially those that break known patterns/signatures).<o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">Doing extensive background checks on staff that must have access to these machines should be made mandatory, and any unauthorized attempts to peek at the database or perform any kind of illegal operation should result in immediate termination, no exceptions. Quite obviously (as before in my earlier blogs) I am not advocating tyranny at the workplace, just prudence/caution/curiosity- and lots of it.<o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">Hacking is done by humans - not machines or software, although they're indispensable in meeting their nefarious goals. The instigator is still a living, breathing human; so any security plan that mindlessly targets malware, viruses, worms, trojans etc without taking into account the human element (especially employees and also the psychological aspects of hacking/hackers) is doomed to fail.</FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT face="Times New Roman" size=3></FONT>&nbsp;</P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT face="Times New Roman" size=3>For most large corporations that deal in data (finance, medicine, retail etc) there is nothing more horrific than a panicky call in the middle of the night from the sys admin. Don't let it happen to you - tighten your network; encrypt;&nbsp;monitor; adjust; implement; monitor.</FONT></P> 
     
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>The Entertainment Virus</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/entertainment_virus</link>
                      <description>Or why people should stop enjoying life</description>
                      <author>sveerara</author>
                      <pubDate>Fri, 14 Mar 2008 14:34:47 -0500</pubDate>
                      
     
        <category>AV</category>
     
     
        <category>GPS</category>
     
     
        <category>china</category>
     
     
        <category>portable music players</category>
     
     
        <category>usb floppy cd drives</category>
     
     
        <category>virus</category>
             
      <content:encoded><![CDATA[
  Enough to send shivers down the spine of any IT Security employee is news
  that viruses now come preinstalled (for your convenience) on portable music
  players like the iPod, as well as on GPS systems and possibly other portable
  devices.<br />
  <br />
  Many employees treat lunch-time as a somewhat sadistic date with their
  computers - so that means plugging in various devices to their hapless
  desktop/notepad and torturing it with downloads of firmware upgrades,
  content, and syncing up mail/contacts etc. Not an issue per se, of course,
  and in fact this may increase productivity by making employees feel more 'at
  home' and comfortable at their workplace - as long as the actions do not
  constitute a violation of corporate policies, needless to say.<br />
  <br />
  However, the risk is that some of these devices - which you'd expect to be
  'pristine' and 'untouched' - may have a nasty surprise in store for you
  (and for your IT team that must clear up the gory mess).<br />
  http://ap.google.com/article/ALeqM5j5sV-97QAoIse_DNzmQ6bD6oKXJwD8VCQIK80<br />

  <br />
  It appears that many of these problems originate in devices manufactured in
  - where else? - China, where a careless tester may be plugging in these
  mini-computers to their stations for a final validation step, and
  inadvertently transferring the evil payload in the process.<br />
  <br />
  Where this could be a REAL threat to a country's security is when this
  corruption happens DELIBERATELY, with malicious intent. So, imagine a
  defense dept official plugging in his/her child's iPod to their office
  laptop to download music or troubleshoot - and WHOOP - you got a password
  stealer installed stealthily. You can imagine the rest.<br />
  <br />
  I've previously noted on this blog the risks of USB ports and CD/floppy
  drives on sensitive computers. Just glue them up if there's no need for them
  to be available. I'm not about to preach on the physical aspect of a
  company's security policy, but having steel doors is not enough. And for
  those that think AV solutions are the panacea for such problems, please note
  that some of these miserable little programs DISABLE the AV so no alarms are
  raised.<br />
  <br />
  Happy listening!<br />
  
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>How to Decrypt an Encrypted Hard Disk</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/diskencryptionnotsosafe</link>
                      <description>Or how to bypass BitLocker/FileVault/TrueCrypt</description>
                      <author>sveerara</author>
                      <pubDate>Thu, 21 Feb 2008 21:07:42 -0600</pubDate>
                              
      <content:encoded><![CDATA[<P>For those that consider disk encryption to be the ultimate tool in fending off hackers and data thieves, a short video should be a strong wake-up call.</P>
<P>Watch this, and be fascinated (maybe&nbsp;with horror):</P>
<P><A href="http://www.youtube.com/watch?v=JDaicPIgn9U">http://www.youtube.com/watch?v=JDaicPIgn9U</A></P>
<P>Princeton researchers have found a couple of ways to get around BitLocker etc. I won't bore you with the details - just read this rather informative article:</P>
<P><A href="http://www.news.com/8301-13578_3-9876060-38.html?tag=nefd.lede">http://www.news.com/8301-13578_3-9876060-38.html?tag=nefd.lede</A></P>
<P>What's surprising is the EASE with which all the security boundaries were crossed (smashed, actually) and the data retrieved. When a company promises that hard disk encryption will save you from lost data because the thief won't be able to get to your information, they're only half right. If your computer was ON or in sleep mode (or in screensaver lock mode) they can easily get to the RAM and harvest all the memory in it - then simply look for keys.</P>
<P>The best way is to power down your computer and make sure it's off for at least 4-5 minutes, otherwise it's way too easy to get to the innards.</P>
<P>The weakness lies in the fact that the encryption key is stored in RAM&nbsp;- quite obvious because data needs to be en/decrypted on the fly, and the only way this can be done efficiently is by storing it in RAM. The DRAM chips are supposed to lose their data right at power-off, but that's not always true. The chips keep the content alive without any refresh for up to 10 MINUTES. That's a lot of time.</P>
<P>So once they have the computer the hackers would simply remove the chip after spraying it with duster liquid (so it cools it down to -50 deg), and that extends the life of the data on the chips quite a bit. Then they'd copy over the content to their machine and just look for the key. Simple.</P>
<P>Or, they can boot from an external disk and run a program that'll dump the contents of memory and simultaneously retrieve the key as well.</P>
<P>What does this mean for all those people that believed disk encryption was the cure-all? Well, it's still better to have this protection than not to have it, but be careful that you don't have your computer on if you must leave it unattended for even a minute. For any reason whatsoever, don't lose track of it, of course, even for a minute, but if you must...</P>
<P>The article discusses some countermeasures, but the IT organization that was sold on this technology now is probably getting bombarded with all sorts of questions and concerns, and justifiably so.</P>
<P>The only safe way to prevent data theft is to prevent the theft of the computer itself.</P>
<P>&nbsp;</P> 
     
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>MicroSoft Yodels Not So Softly; Boggles Google</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/msft-yhoo-goog</link>
                      <description></description>
                      <author>sveerara</author>
                      <pubDate>Mon, 11 Feb 2008 22:01:11 -0600</pubDate>
                              
      <content:encoded><![CDATA[<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">The recent unsolicited bid from MS for YAHOO was not very surprising. Considering that Y has been ailing for some time now - with declining ad revenues and search statistics, along with a somewhat slow-and-bloated feel to the entire company, someone HAD to do something. MS decided to be that someone.<o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">How much sense does it make? Not much. Not much at all. MS is known for its aggressive marketing, product growth, and pushing strongly into areas that have already been cleared for it by others - and very often overrunning the precursors in the process. However, it is not very much known for innovation. </FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman"></FONT></FONT>&nbsp;</P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">Y, on the other hand, was one of the first true innovators on the Web, bringing a 'directory' approach to search. However, as the Web grew exponentially, people had little time or patience to look through subdirectories and such -- they just wanted the ability to type in something and see something useful come up quickly.<o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">Google satisfied that need splendidly. Its simple, understated interface with just three or four links, and two simple buttons, did it all. Magic, nearly every time. Witness its torrid revenue growth and the merciless streak of profitability, a portion of which comes at the cost of others, mostly Y and MSN (which is, in my opinion, the most anemic of all search engines). </FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman"></FONT></FONT>&nbsp;</P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">Others somehow stumbled along, while G, with the incredible muscle of its finances and the fantastic brains behind it all, simply left everyone dazed (and tottering).<o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">Little wonder that it cried foul at MS's offer; and even less surprising that it offered a 'helping' hand to Y. But I think secretly G wants MS to get into Y the way a dying man gets trapped in quicksand. Y just announced it would lay off 1000 people worldwide; it has shut down its Photo division, and probably will shutter many others that are simply not contributing to the bottom line. That leaves a WHOLE lot of disgruntled, and in many cases, very talented people just waiting to jump ship. <o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">Enter MS - to hasten the fall, and enter G - to welcome the jumpers.<o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">Y is decaying; I have no doubt about it. Jerry or Terry - same results. Its Panama initiative is not going to get results anytime soon, and worse, MS may cause the most important property of any company - its developers - to quit, thus endangering significantly any future revenues.</FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman"><o:p></o:p></FONT></FONT>&nbsp;</P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">Further, while Y has a startup-type outlook, MS is on the other side of the Net divide: stodgy, self-important, dull, and with a penchant for monopolistic tendencies. Therefore, a clash of the cultures is definitely not to be ruled out.<o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT face="Times New Roman" size=3>Overall, not a very rosy picture there. </FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">However, as my wife will occasionally point out, not all of my notions are accurate to the last detail all the time. Besides, every now and then I'll come up with a non sequitur or two: Because both MS and Y are competition to G, combined they'll surely kill G. <o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT size=3><FONT face="Times New Roman">Yeah, right.<o:p></o:p></FONT></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0in 0in 0pt"><FONT face="Times New Roman" size=3>Anyway, the mise-en-scene has been set - let's get the popcorn and watch the fun unfold!</FONT></P> 
     
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>By George!</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/data-theft-at-gu</link>
                      <description></description>
                      <author>sveerara</author>
                      <pubDate>Mon, 11 Feb 2008 20:23:08 -0600</pubDate>
                              
      <content:encoded><![CDATA[<DIV>In what constitutes an inexcusable breach of trust and security, GU reported to its students and faculty that nearly 38,000 people have had their personal data exposed. </DIV>
<DIV><A href="http://explore.georgetown.edu/news/?ID=31245"><U><FONT color=#810081>http://explore.georgetown.edu/news/?ID=31245</FONT></U></A></DIV>
<DIV><U><FONT color=#810081></FONT></U>&nbsp;</DIV>
<DIV>Apparently a sensitive hard disk was stolen - with the disk containing UNENCRYPTED information (SS numbers, names etc) of many thousands of students and faculty. I cannot imagine how such a prestigious institution could let such a thing happen. </DIV>
<DIV>&nbsp;</DIV>
<DIV>Does security begin and stop with/at the ethernet cable?!!</DIV>
<DIV>&nbsp;</DIV>
<DIV>Physical security is as important as network/digital security. For anyone to minimize the value or importance of one over the other is beyond ludicrous. GU is offering to pay for one year's worth of credit monitoring, but what about after that? The govt should mandate a MINIMUM of 5 years' worth of credit monitoring&nbsp;for each such incident, plus total insurance covering at least 5 times the total of the existing credit limit of all of the current credit cards owned by the affected people.</DIV>
<DIV><BR>Further to that, the govt, which seems to have absolutely no take on such issues, needs to get off its lazy behind and do something meaningful, like legislating strong penalties for careless and negligent organizations.</DIV>
<DIV>&nbsp;</DIV>
<DIV>I've repeated such thoughts ad nauseam and probably will continue to do so until such events become a thing of the past. At the rate things are going vis-a-vis data theft, it's going to be a VERY long time before we can stop worrying about such horrible incidents of violation of our trust and safety.</DIV> 
     
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>Microsoft's Virtual (Real) Challenge?</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/ms-calista</link>
                      <description></description>
                      <author>sveerara</author>
                      <pubDate>Tue, 22 Jan 2008 13:04:32 -0600</pubDate>
                      
     
        <category>calista</category>
     
     
        <category>it management</category>
     
     
        <category>security</category>
     
     
        <category>virtual machines</category>
     
     
        <category>virtualization</category>
     
     
        <category>xensource</category>
             
      <content:encoded><![CDATA[
  <p>In a series of announcements that&nbsp;could pressure&nbsp;VMWare stock,
  MS made it clear that it's going to go after virtualization along multiple
  channels, and with great determination. Their intent to purchase Calista, a
  desktop virtualization presentation product, falls in line with what they
  hope to do with the technology, and where they want to apply it.</p>

  <p>One must remember that desktop virtualization is still new and hasn't
  really become popular yet, but should take off like a rocket once corporate
  types figure out it's cheaper, easier, more secure, and more reliable to
  push out a preformed virtual image to employees' machines than any other
  solution.</p>

  <p>Now that the Server 2008 will have Hyper-V built-in -&nbsp;and with the
  same OS layer that they sell so much of,&nbsp;the teaming up with Citrix
  (which purchased XenSource) will further help consolidate their position as
  being highly committed to the VM platform. VMWare must now fight back with
  new relationships/partners and technologies that will improve the speed,
  response, security, and performance of their products in general. Although
  they have a commanding lead in the market and are seen as the leaders, MS
  thrives on starting late and catching up then overtaking. So, despite any
  delay or kludgy/buggy interfaces that one may encounter in MS' first
  offering, you simply can't write them off. They have the money, the
  resources, and the doggedness to go after *anything* - however dumb a move
  it *may* seem to outsiders.</p>

  <p>To be sure, the OS is still their main source of revenue; however,
  they'll take anything they can get in the fresh, still-quite-untested market
  of VMs. No question it's a new source of revenue (and customers), and it's
  also one that's bound to grow very fast, and by large amounts. The 'green'
  message behind VMs helps a lot, plus space and time savings.&nbsp;The Citrix
  partnership could hold back those companies that want to move from MS to
  Linux and keep them safely ensconced in the MS fold.</p>

  <p>Although analysts seem to be confident about VMWare's current strategy
  and product direction, they'd do well to keep looking over their
  shoulders.</p>

  <p>All in all, it's a VERY positive announcement from MS, but let's hope
  they don't come up with&nbsp;another Zune&nbsp;(if they did, then with a
  little stretching one could call VMWare the Apple of VMs).</p>
  
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>An Idea that Bombed</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/logicbomb</link>
                      <description></description>
                      <author>sveerara</author>
                      <pubDate>Wed, 09 Jan 2008 20:10:57 -0600</pubDate>
                      
     
        <category>IT security</category>
     
     
        <category>Security</category>
     
     
        <category>computer security</category>
     
     
        <category>data loss</category>
     
     
        <category>data loss prevention</category>
     
     
        <category>data protection</category>
     
     
        <category>data security</category>
             
      <content:encoded><![CDATA[<P>Continuing in the grand tradition of using bad puns as titles, we look at the weird case of Lin Yung-Hsun, a Sys Admin, who in his great wisdom thought it fit to plant a logic bomb (<A href="http://en.wikipedia.org/wiki/Logic_bomb">http://en.wikipedia.org/wiki/Logic_bomb</A>) because he was nervous about an upcoming corporate restructuring (that could result in his getting laid-off).</P>
<P>You can read more about this sadly misguided person's story here:</P>
<P><A href="http://www.informationweek.com/news/showArticle.jhtml?articleID=205601393">http://www.informationweek.com/news/showArticle.jhtml?articleID=205601393</A></P>
<P>The ultimate irony is that he was kept while other SAs were shown the door.</P>
<P>In previous postings I've mentioned that the biggest threats often come from insiders - disgruntled employees, saboteurs that get employment in the target company so they can perform destructive actions, corrupt workers&nbsp;and so on. </P>
<P>Obviously the idea is not that one should distrust their workers - on the contrary one should trust them completely, but while still taking protective actions, such as routine scans of all admin commands/actions; sweeping the disks of critical servers to check for any obvious problems and so on, and maybe even having a trusted party check important systems for signs of unauthorized or unacceptable activities.</P>
<P>While there are pretty good tools to prevent virus/DoS/hacking attacks, none that I know of protect against such deviously simple yet hard-to-find attacks. Unless AV software can start incorporating intelligence (signatures) of destructive behavior it won't be simple/possible/easy to stop such people.</P> 
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>As Predicted...</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/prediction</link>
                      <description></description>
                      <author>sveerara</author>
                      <pubDate>Fri, 21 Dec 2007 00:00:00 -0600</pubDate>
                      
     
        <category>almaden</category>
     
     
        <category>dell</category>
     
     
        <category>google</category>
     
     
        <category>ibm</category>
     
     
        <category>indexing</category>
     
     
        <category>omnifind</category>
     
     
        <category>security</category>
     
     
        <category>semantic search</category>
     
     
        <category>storage</category>
     
     
        <category>the networked storage company</category>
     
     
        <category>tnwsc.com tnwsc</category>
             
      <content:encoded><![CDATA[
  <p>I'd noted in a blog post on Nov 7 that DELL might purchase a storage
  hardware or technology within the next 3-6 months. I was right, of course,
  but didn't realize how soon I'd be proven right. The company is 'The
  Networked Storage Company' and the founder is a former EMC UK executive.</p>

  <p>Their model is brilliant - simple yet very effective. No question that
  DELL saw the gem and grabbed it. The only thing is, their website
  (TNWSC.com) states that they are 'fiercely independent' in the sense that
  they do not owe allegiance to any one vendor. However, with DELL now buying
  them out, how does that change things?</p>

  <p>From their website's FAQ section:</p>

  <p>Check out their FAQ here: <a
  href="http://tnwsc.com/faq's.html">http://tnwsc.com/faq's.html</a>&nbsp;(I'm
  not a fan of apostrophes where they DON'T belong, especially in
  plurals).</p>

  <p>TNWSC do not recommend solutions, yes, and they have a methodology called
  'Point of Proof' which DELL is going to market, but still the idea of a
  previously independent entity flaunting its disinterest now getting bought
  out by a storage vendor is somehow a bit odd, although I'd think
  it&nbsp;will make&nbsp;no difference in how TNWSC will continue to work or
  how DELL will treat its old (and new) customers --&nbsp;because ultimately
  credibility (and honesty) is everything. As long as they continue to save
  their clients tons of money and guide them through the labyrinth of
  storage&nbsp;acronyms and technologies who cares! I look forward to seeing
  how DELL exploits this to-be-hot-soon market (that of IT Storage
  consulting). Companies have invested millions (and billions) of dollars in
  their complex IT (storage) infrastructures, so if they want to see returns
  who can blame them! As an analogy I'd say such firms are like the patient
  advocacy firms - they promise results for your investment; no more no less.
  See <a
  href="http://en.wikipedia.org/wiki/Patient_advocacy">http://en.wikipedia.org/wiki/Patient_advocacy</a>:
  another hot trend considering healthcare costs and a seeming apathy towards
  the very people that fund the system - the patients.</p>

  <p>****</p>

  <p>Another curious thing I read recently related to IBM's release of the
  semantic search (for email), available on their AlphaWorks site (<a
  href="http://www.almaden.ibm.com/cs/projects/avatar/">http://www.almaden.ibm.com/cs/projects/avatar/</a>)</p>

  <p>The first thing that'll come to anyone's mind is Google Desktop Search
  (GDS) - a very powerful and unimaginably quick search tool that I used for a
  long time before the index became a bit much for the disk (I have a
  pathetic&nbsp;12 GB disk). Now, if you had a 100+GB disk with a lot of
  documents/email etc you'd really want GDS. GDS however does a (I think)
  strictly string-search approach - no 'intelligence' or 'rule-based
  search'.</p>

  <p>The new tool from the Avatar research team does a lot of similar things
  -- it mines unstructured information and renders them searchable
  (albeit&nbsp;in an 'intelligent' fashion -- heuristics, really; so watch out
  for cognitive biases). So what's new? I know that Stratify (used to be known
  as Purple Yogi) used to do the same. I think Stratify was funded by
  In-Q-Tel, apparently the funding arm of the CIA.<br />
  </p>

  <p>The problem statement posed by the researchers/inventors is nothing new -
  there's a whole lot of information that's just lying there, waiting to be
  found, associations waiting to be made, text waiting to be indexed. To make
  the process of digging through the dirt cleaner, quicker, easier, and
  accessible is an unenviable task. Imagine a corporate website that has
  individual blogs/mini websites/documents all over the place, containing
  sensitive, important, and critical material that's probably needed by many
  others (or they don't know that they need it). An index-and-search tool such
  as Google's SearchAppliance would be a great thing to have, but only to
  search for actual strings (again, I think they simply index and search -
  corrections from the knowledgeable welcome).</p>

  <p>With IBM's OmniFind (Omni is overused to the point of being a cliche'
  now) you could type in, say, 'requirements gathering' and it will search
  even for something like 'how to create great requirements' or 'the art of
  successful project management' etc - you get the picture. I'd like to repeat
  that this is not a new area, but to my knowledge it's also not an area
  that's been developed very well in the consumer area (including corporate
  customers). And therefore such initiatives are most welcome as they'll help
  people do better searches and save a whole lot of time in finding the things
  they're looking for -- so they can be more productive and efficient.</p>

  <p>Not to mention they'll REALLY help trial lawyers when they do e-Discovery
  (remember, all those rules that you're going to be punching in, creating
  associations and relationships, could become evidence - not just the results
  but also the RULES AND THE INTENTION(S) behind the rules as well).</p>

  <p>Anyway, I'll give it a try and update this blog sometime next month with
  my findings on how good it is.</p>
  
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>The Role of the End User</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/enduser_security</link>
                      <description></description>
                      <author>sveerara</author>
                      <pubDate>Sun, 16 Dec 2007 20:54:54 -0600</pubDate>
                      
     
        <category>computer security</category>
     
     
        <category>data loss</category>
     
     
        <category>data loss prevention</category>
     
     
        <category>data security</category>
     
     
        <category>information week</category>
     
     
        <category>john soat</category>
     
     
        <category>security</category>
     
     
        <category>symantec</category>
     
     
        <category>vontu</category>
             
      <content:encoded><![CDATA[<P>Nothing much new here, but just to underscore the critical nature of education, enforcement, and effective action:</P>
<P><A href="http://www.informationweek.com/blog/main/archives/2007/12/we_need_to_talk.html">http://www.informationweek.com/blog/main/archives/2007/12/we_need_to_talk.html</A></P>
<P>John Soat talks about how end users take untold liberties with IT policies and probably take them as suggestions rather than mandatory rules. It's quite complex as to why this happens -- it's quite clear that they probably know what they're doing is wrong, but just not *so* wrong that they shouldn't do it.</P>
<P>See, the issue is that many of these areas are left in the gray part of 'can do or&nbsp;must not do' policies. And worse, I'm willing to bet that 99% of employees have NO IDEA what constitutes proper 'secure' behavior and what constitutes a violation of company policy and thus their employment contract.</P>
<P>Along with continual education, the only other way to make sure that corporate data doesn't leave the network is by using software to track the packets and ensuring they are not sensitive. To do that you'd have to&nbsp;get one of those 'anti leak' DLP software modules (like what Vontu/Symantec does) and establish clear demarcations between acceptable and non-acceptable information leaving the network.</P>
<P>Any practical ideas from readers?</P> 
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>Facebook Does an About-Face</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/facebook_aboutface</link>
                      <description>On why it's the best way to save face (OK, enough with the puns, already!)</description>
                      <author>sveerara</author>
                      <pubDate>Fri, 07 Dec 2007 08:04:40 -0600</pubDate>
                      
     
        <category>beacon</category>
     
     
        <category>data security</category>
     
     
        <category>facebook</category>
     
     
        <category>privacy</category>
     
     
        <category>user-data</category>
             
      <content:encoded><![CDATA[
  <p>I call it Sneakcon - they call it Beacon, not much difference there when
  you find out that affiliated websites (affiliated with FB) - were sending
  your&nbsp;information to your friends on&nbsp;FB despite your having LOGGED
  out of their site.</p>

  <p>How&nbsp;did they figure this out? Well, simple - network monitoring via
  WireShark (I saw it on the blog of the original CA researcher that found
  this activity). The&nbsp;idea behind Beacon was to send out info on your
  online habits to your friends on the site. However, soon people started
  complaining that the surprise element behind their&nbsp;surprise gifts was
  ruined because the intended recipient got to know of the purchase. Well,
  that's fine, and you can turn it off, but not even when you're logged off??
  Whoa - that's a serious breach of trust in my opinion.</p>

  <p>As a reference, see this:</p>

  <p><a
  href="http://www.cio-today.com/story.xhtml?story_id=010000ZKE6WS">http://www.cio-today.com/story.xhtml?story_id=010000ZKE6WS</a></p>

  <p>So, they track non-users as well - except that they will discard the data
  if it did not include an FB cookie saying it's an FB user - and then even if
  you were an FB user and even if you'd opted out of the 44 websites that work
  with FB, your info will STILL be sent except they won't process it (because
  you'd opted out). I don't think this is a good idea. Doesn't matter if you
  throw away the information or not: if I'm not an FB user you have NO RIGHT
  to my data. And who's to say the data is being REALLY thrown out? Who audits
  that?</p>

  <p>You should know that you have to opt out ONE BY ONE - not all of the
  sites simultaneously. Couldn't be more painful than that. And considering
  how popular the site is, what if hundreds of companies choose to join the
  program. You'd have to constantly change your preferences to avoid opting
  in. It should be the reverse - unless you chose to opt in, nothing about you
  should be known to anyone.</p>

  <p>This is why they are in very serious need of a customer privacy advocate,
  someone who can dispassionately identify such issues and guide the misguided
  person that chose to implement it so that people don't start abandoning the
  site or decide against joining it. I'm quite sure that many people have
  decided not to join FB after this fiasco. I know I won't.</p>

  <p>&nbsp;</p>
  
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>Rise of the Online Storage Movement</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/onlinestorage</link>
                      <description></description>
                      <author>sveerara</author>
                      <pubDate>Mon, 03 Dec 2007 22:19:02 -0600</pubDate>
                      
     
        <category>amazon</category>
     
     
        <category>emc</category>
     
     
        <category>gdrive</category>
     
     
        <category>google</category>
     
     
        <category>iscsi san sas nas</category>
     
     
        <category>itil</category>
     
     
        <category>mozy</category>
     
     
        <category>online storage</category>
     
     
        <category>s3</category>
     
     
        <category>srm</category>
     
     
        <category>storage</category>
             
      <content:encoded><![CDATA[<P>Rise of the Online Storage Drive</P>
<P>A slew of announcements this year must have gladdened the hearts of those that store away every last bit of data, those that don't/won't delete a single temp file.</P>
<P>With Microsoft's SkyDrive, Google's "GDrive", Amazon's S3, EMC's purchase of Mozy and many others now making a push for online backup/storage and promising ease of retrieval and ubiquitous availability of data (all you need is a browser), suddenly your D: drive doesn't look so big/small anymore - depending upon how you see it.</P>
<P>Some of these sites have automatic backup features while others are simply 'dumb' drives that you upload files to - but the overall principle remains the same: Stop clogging your disk space with files that you can store online instead. For some others it might be a dash of paranoia in storing the file in multiple locations, and for some it might be a case of hey-there's-nothing-to-lose-and-it's-cheap!</P>
<P>In any case, what all of this boils down to is this:<BR>Ordinary computer users are now becoming storage-savvy. The falling prices of storage devices, the dramatically reduced form factor, availability of advanced technology combined with an intuitive interface - all have made consumers demanding and resourceful.</P>
<P>As more and more aspects of our lives go digital, what used to be a "Wow! 250 GB - what am I going to do with all that space!?" is now "I have a NAS that can expand up to 2 TB."</P>
<P>I am thinking that commodity storage will both help and hurt storage vendors: help them by driving up demand in the online storage world, and hurt them by turning off the nascent consumer market, one that probably is much more profitable and much less exacting. However, who's to say both can't co-survive? They very well might - and that's what the future will tell us.</P>
<P>So, turning now to the online storage guys -- how will they manage this demand? I'm hoping the solution won't be to throw more disks (JBoDs) at the problem but will involve meaningful and relevant storage management, starting with some solid prediction models of resource usage.<BR>Without that, where would one even start?</P>
<P>Next would be evaluation of various technologies - SAN/iSCSI/SAS/NAS - which? Maybe all of them - they all have their advantages and drawbacks. But consider the sheer scale of what they're trying to achieve (couple that with disaster recovery - with the DR center most probably located several hundred miles away) and you realize the enormity of the issue. Again - the fact that disks are cheap doesn't help but only adds to the problem.</P>
<P>So, a sane person would sit down with reputable consultants, spend decent money on experts/consultants coming up with an architecture that satisfies the criteria the CTO (and/or Legal) is asking for, then develop a quick prototype to see how things fit. In this stage evaluating various vendors would be a good idea for benchmarking, pricing, scalability, and affordability.</P>
<P>A totally worthwhile investment would be good SRM software.</P>
<P>However, none of these will really bring any results unless there is a SOLID PROCESS to hold the entire thing together. Here's where ITIL and products that help implement ITIL-related methodologies will assist tremendously.</P>
<P>Check out various systems-, network-, and storage-management software to see which one would help you most. But beyond that, you really need to tie them with the help of a CMDB, and that's where a BSM (Business Service Management)-type solution can prove invaluable. The idea is to link the failure of a disk to the exact business unit that's affected (say Image Services) and then calculate any losses/SLA violations, and also figure out any compliance issues.<BR>Such a system is surely going to be expensive at first sight, but the benefits will soon far outweigh any cost concerns.</P>
<P>Which would you rather have: A $3M outage or a $200,000 software that'll save you that $3M and more and more on a perpetual basis? Of course, what I mention is hypothetical, but such a situation is not uncommon at all! In fact, the costs of fixing a data breach or a downed network keep going up because the speed of business is getting only higher/faster and each 'unreachable' or '404' or '500' probably means several customers lost. Maybe several hundreds/thousands including existing ones that surely will go for something more reliable.</P>
<P>...and I haven't even gotten into security yet...</P> 
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>One Click Away from Popup Nightmares</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/searching_for_trouble</link>
                      <description></description>
                      <author>sveerara</author>
                      <pubDate>Mon, 03 Dec 2007 09:07:59 -0600</pubDate>
                      
     
        <category>computer security</category>
     
     
        <category>malware</category>
     
     
        <category>popups</category>
     
     
        <category>search engine</category>
     
     
        <category>security</category>
     
     
        <category>sunbelt</category>
             
      <content:encoded><![CDATA[<P>Don't Go Looking for Trouble... </P>
<P><A href="http://sunbeltblog.blogspot.com/2007/11/breaking-massive-amounts-of-malware.html">http://sunbeltblog.blogspot.com/2007/11/breaking-massive-amounts-of-malware.html</A></P>
<P>I thought it was a minimal but visually arresting article - enough information to make sure you don't stumble into the dark areas of the web - or at least know what to look for.</P>
<P>By seeding all sorts of sites (blogs/trackbacks/comments) with their infernal site links they try to fool search engines into listing their URL at the top, or at least at the middle of the search results. Unwary users will no doubt not bother to CHECK the URL before clicking it, and what happens next should not be surprising: a whole lot of popups for installing malware/rootkits/password stealers, and of course, the maddening ads.</P>
<P>Here's my suggestion:<BR>When you search for anything, first make sure you check the URL to see if it's a nonsensical mix of meaningless words. If yes then stay away.<BR>You could also try searching your favorite sites first (such as GPSPassion/Poi-Factory for GPS stuff; ExpertsExchange for technical questions; dpreview for camera questions etc). You get the idea.</P> 
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>Airline Authentication</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/israel_defence_initiative</link>
                      <description></description>
                      <author>sveerara</author>
                      <pubDate>Sat, 24 Nov 2007 21:10:03 -0600</pubDate>
                      
     
        <category>airline security</category>
     
     
        <category>airport  security</category>
     
     
        <category>elbits</category>
     
     
        <category>idf</category>
     
     
        <category>israel</category>
     
     
        <category>scs</category>
             
      <content:encoded><![CDATA[<P>This is an absorbing piece -- do read it even if you don't read the rest of this entry!</P>
<P><A href="http://www.guardian.co.uk/feedarticle?id=7092429">http://www.guardian.co.uk/feedarticle?id=7092429</A></P>
<P>I noticed that fellow blogger Jeff Bohren also mentions it. </P>
<P>Seems like an ingenious way to make sure that the next incoming plane is exactly that - a plane and not a missile (user authentication).</P>
<P>The idea seems pretty straightforward. Israel issues these devices - called SCS/Code Positive -&nbsp;to every airline that wants to do business with it; the pilots use them to authenticate themselves upon approach. How exactly? Well, details are not available, but it looks like a credit card-size, calculatorish-looking, geeky little tool. I guess they'd enter a code/speak into it/something else.</P>
<P>I guess somehow at some point&nbsp;the pilots are given a number that they need to enter into the SCS when they're about to enter Israeli air. </P>
<P>The actual working is probably known only to the company that made it (Elbits), the pilots, and maybe a few other folks.</P>
<P>It addresses 2 types of situations:</P>
<P>a. Hijackers have disabled/killed the pilot and have taken over the plane</P>
<P>b. Hijackers have a gun to the pilot's head</P>
<P>What about the third - that the pilot himself/herself is a terrorist (belonging to a sleeper cell)? What then?</P>
<P>So, if the code does not match the pilot will get several warnings, followed by the IDF planes doing a 'what's up' up close, and then followed by (upon ignoring their orders) a hello from the IDF's air-air missiles.</P>
<P>Unless we know for sure how this little gadget works, I think it's a lot of fun to speculate, as long as we're not on either side of the device!</P> 
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>Why Deja Vu May Not be a Good Thing</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/dejavu</link>
                      <description></description>
                      <author>sveerara</author>
                      <pubDate>Sat, 24 Nov 2007 20:40:15 -0600</pubDate>
                      
     
        <category>UK</category>
     
     
        <category>data breach</category>
     
     
        <category>data security</category>
     
     
        <category>data theft</category>
     
     
        <category>walport</category>
             
      <content:encoded><![CDATA[<P>...in the case of Britain's worst security breach ever -- the loss of 2 CDs containing details of nearly every child in the UK and the bank details of every family.<BR><BR>Somehow it seems astoundingly asinine that a junior-level official would be first permitted charge of this information and then scapegoated when something went wrong. Well, not much of a new thing there, but the really sad part is that a report had warned the govt of improper protocols and the implications of not following proper rules just a few months ago.<BR><BR>You can read about the shamefulness of it here: <A href="http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/11/25/ncustoms425.xml"><STRONG><FONT color=#d6a0b6>http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/11/25/ncustoms425.xml</FONT></STRONG></A><BR><BR>Why am I not surprised that most of the core recommendations are completely based on common sense, and that they are not that difficult to follow? I myself have repeated myself a few times on this blog concerning the same security steps to be taken to protect sensitive information.<BR><BR>How does one combat such breaches? How does one prevent occurrences of such mishaps? Unless those that are involved learn a very harsh lesson it's going to be difficult to expect much by the way of data protection. The other thing is for the masses to wake up to what is essentially the pillaging of the bits and bytes that constitute their lives, and do something about it. Quickly. Very quickly.<BR><BR>You can refer to my previous posts for my thoughts on this disturbingly frequent problem.</P> 
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>SUN Shines on DELL</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/sun_shines_on_dell</link>
                      <description>An Overdue Move</description>
                      <author>sveerara</author>
                      <pubDate>Sat, 17 Nov 2007 21:07:23 -0600</pubDate>
                      
     
        <category>DELL</category>
     
     
        <category>Dell</category>
     
     
        <category>SUN</category>
     
     
        <category>opensource</category>
     
     
        <category>solaris</category>
     
     
        <category>x86</category>
             
      <content:encoded><![CDATA[
  <p><a
  href="http://arstechnica.com/news.ars/post/20071115-sun-cel-defends-dell-solaris-deal.html">
  http://arstechnica.com/news.ars/post/20071115-sun-cel-defends-dell-solaris-deal.html</a></p>

  <p>That SUN and DELL are now partners would have been unthinkable
  just&nbsp;a few years ago considering they sold to the same market.</p>

  <p>The dot-com bust, the alarmingly cheap and easy availability of
  Linux distros that are spreading quickly, the decline of its SPARC-based
  sales and other factors have made SUN realize it'd forgotten that times are
  a-changing in terms of how budgets (as well as schedules) are shrinking and
  how advanced technology is not restricted to expensive servers anymore.
  A costly OS tied to specific hardware is probably the worst combination
  to offer because the alternatives are vast and costs extremely affordable (I
  have UBUNTU Gutsy Gibbon running extremely well on an old, very outdated
  Compaq Armada).</p>

  <p>The decision to approach DELL bodes well for DELL as well, which is
  basking in a weird glow achieved by hitting at EMC's stock price with its
  acquisition of EqualLogic. A master strike, in my opinion.</p>

  <p>However, DELL is not having a great time right now - with accounting and
  sales issues dragging down its resources while sales languish&nbsp;amid
  quality and support issues -&nbsp;all the while rival HP continues to
  innovate the 'personal' computer based on both design as well as quality
  (and Lenovo strongly marching on with its IBM technology).</p>

  <p>Therefore, I'd liken this to two wounded warriors joining hands to
  overthrow the curse of the commodity PCs.</p>

  <p>Considering how many people already have Solaris running on their x86,
  and how Java is now opensource (and Solaris as well) SUN seems to be making
  all the right moves in how it demonstrates its commitment to the developer
  and opensource communities while also committing to IT shops that a tighter
  (and official) integration between its OS and DELL's hardware will result in
  better turnaround times for issues and probably much fewer problems.</p>
  
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>A Little Knowledge...</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/moniTORed_conversations</link>
                      <description></description>
                      <author>sveerara</author>
                      <pubDate>Mon, 12 Nov 2007 12:34:48 -0600</pubDate>
                      
     
        <category>exit node</category>
     
     
        <category>hacking</category>
     
     
        <category>privacy</category>
     
     
        <category>tor</category>
     
     
        <category>torproject.org</category>
             
      <content:encoded><![CDATA[
  <p>In a somewhat scary 4-page article (<a
  href="http://www.theage.com.au/news/security/the-hack-of-the-year/2007/11/12/1194766589522.html">
  http://www.theage.com.au/news/security/the-hack-of-the-year/2007/11/12/1194766589522.html</a>)
  the author describes how easy, VERY EASY, it is to monitor sensitive,
  so-called anonymous electronic conversations that were previously thought to
  be on secure ground - traveling over the "TOR" network.</p>

  <p>The use of TOR (<a
  href="http://www.torproject.org">http://www.torproject.org</a>), an open
  source project, helps mask the origins of a user that wants to surf or
  send/receive data anonymously. However, the most obvious vulnerability of
  this software - that the endpoint (exit node) of the traffic can be monitored
  and plaintext, unencrypted data can be easily captured - was/is not very
  well understood by users. The only solution is to use SSL (HTTPS) or end-to-end
  authentication and encryption (use GPG etc).</p>

  <p>Who uses TOR? Lots of people: (apparently) the intelligence community,
  human rights activists in nations with less-than-impressive
  human&nbsp;rights credentials, embassy employees, those that hold sensitive
  jobs, and, of course, people that want to see (ahem!) objectionable content
  while hiding behind mangled ones and zeroes.</p>

  <p>Further, more than half the people that use it have it&nbsp;
  misconfigured, which can lead to some undesirable results. In any case, the
  point is that any software is only as good as its end-user understanding of
  it. It's not the fault of the software that users/promoters allegedly
  overestimated its value (esp in terms of&nbsp;anonymity) - as the article
  says.</p>

  <p>I looked at TOR out of curiosity back in 2004/5, and found it incredibly
  slow, so I lost interest. But I do remember thinking this could be a pretty
  interesting tool for those that want the claws of the Web away from their
  private data.</p>
  
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>An Acquired Taste</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/acquired_taste</link>
                      <description></description>
                      <author>sveerara</author>
                      <pubDate>Wed, 07 Nov 2007 12:59:08 -0600</pubDate>
                      
     
        <category>acquisition</category>
     
     
        <category>dell</category>
     
     
        <category>emc</category>
     
     
        <category>equallogic</category>
     
     
        <category>iscsi</category>
     
     
        <category>san</category>
     
     
        <category>storage</category>
     
     
        <category>symantec</category>
     
     
        <category>virtualization</category>
     
     
        <category>vontu</category>
             
      <content:encoded><![CDATA[
  <p>OK I just wanted a bad pun for the title!</p>

  <p>Couple of interesting acquisitions:</p>

  <p>a. Symantec gobbles up Vontu</p>

  <p>b. DELL swallows EqualLogic</p>

  <p>For Symantec, Vontu essentially fills a void in the DLP (data loss
  prevention) space so now that's a nice, juicy checkmark for Sym when it goes
  to customers about a 'complete' security solution. There have been many
  acquisitions in the DLP space before, and there will be many more in the
  future. As startups evolve the technology to stem leaks and theft over the
  network -- driven by needs and laws -- more and more
  aggregation/consolidation in the space is forecast. Better to buy up
  something that already has a decent customer base, a tested and
  near-to-maturity product, and the latest technology -- than spend millions
  on something that may not even work out, and crucially lose out on TTM.</p>

  <p>As data breaches become more and more commonplace and as governments
  around the world institute stronger and more consumer/customer-friendly laws
  with harsh and severe penalties to boot, corporations really need to think
  about implementing such solutions so they at least can't be blamed for not
  trying. Of course, it comes with the added advantage that such breaches may
  even be detected and stopped - a huge facesaver.</p>

  <p>As for DELL, it's a big, big move. They rebrand/resell EMC arrays, and
  for them to walk the path alone now - even for a short distance - speaks of
  the independence and credibility they crave as a storage vendor that doesn't
  just stamp their name on someone else's intellectual accomplishments. Under
  Michael Dell, I think they're going to be a lot more aggressive in areas
  that are growing (aggressive in terms of acquisitions and investments). No
  question that storage is a hot field (if somewhat sober/boring) but&nbsp;ROI
  can never be a dull thing - especially if it's a healthy number. To that
  end, the mainly server- and reselling-storage-oriented company (which books
  up to 10-15% of EMC's revenues) needs to wake up and figure out new revenue
  streams. As competition heats up and hardware costs come down
  dramatically with every passing year, looking for money in all the old
  places won't yield much. It's time to take some risks - even big ones - and
  that's exactly what Michael Dell wants to do.</p>

  <p>I predict at least one security-oriented purchase by DELL within the next
  3-6 months (hardware, software, or services) or/plus at least one more
  storage (technology or hardware) vendor - preferably connected to the
  superhot virtualization field. Although EqualLogic does help virtualized
  environments by cutting down the cost of fabric SANs (by using iSCSI
  instead), unless I'm missing something I don't think it does much by way of
  virtualization DIRECTLY. I also would say a solid SRM-type company (storage
  resource management) is probably in their sights as well, but that's
  probably for later, once they've digested a couple of heavy meals.</p>

  <p>These are intriguing times, indeed.</p>
  
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>EMC's Smart Acquisition</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/emc_and_voyence</link>
                      <description></description>
                      <author>sveerara</author>
                      <pubDate>Wed, 31 Oct 2007 16:06:36 -0500</pubDate>
                      
     
        <category>BMC</category>
     
     
        <category>EMC</category>
     
     
        <category>Emprisa</category>
     
     
        <category>ITIL</category>
     
     
        <category>Voyence</category>
     
     
        <category>acquisitions</category>
     
     
        <category>compliance</category>
     
     
        <category>configuration</category>
     
     
        <category>security</category>
             
      <content:encoded><![CDATA[
  <p>Continuing on its journey of acquisitions, EMC bought Voyence (<a
  href="http://www.voyence.com">www.voyence.com</a>). I initially thought
  (from the name Voyence, sounding strangely like voyage) that they sold
  airline tickets (just kidding, of course!) but it turns out they do something
  much more sophisticated: configuration/compliance/security
  management, all from the point of view of ITIL. In essence, EMC purchased an "ITIL"
  company.</p>

  <p><a
  href="http://searchstorage.techtarget.com.au/news/article.asp?DocID=1280298">
  http://searchstorage.techtarget.com.au/news/article.asp?DocID=1280298</a></p>

  <p>The more I read the article, the more similarities I found with BMC's
  acquisition of Emprisa:</p>

  <p><a
  href="http://www.vnunet.com/itweek/news/2200643/bmc-provides-management">http://www.vnunet.com/itweek/news/2200643/bmc-provides-management</a></p>

  <p>And I didn't know this - BMC and&nbsp;Voyence are technology
  partners.</p>

  <p><a
  href="http://www.voyence.com/partners/technology.shtml">http://www.voyence.com/partners/technology.shtml</a></p>

  <p>&nbsp;</p>

  <p>So what is this trend telling us?</p>

  <p>A. That ITIL is very quickly catching on in the US (FINALLY) - meaning,
  people are seeing the value of what ITIL is all about</p>

  <p>B. That both hardware and software companies are willing to work hard to
  make their customers happy&nbsp;with solutions and services that
  implement&nbsp;ITIL</p>

  <p>C. That any commodity-technology (such as storage) vendor will have to
  differentiate themselves from the lower-end of the spectrum</p>

  <p>D. That ITIL is not all talk and no action -- customers are actually
  asking for, implementing, and expecting the world from/of it</p>

  <p>E. That customers are willing to try new things&nbsp;and be
  adventurous&nbsp;in managing IT better (and make things more
  cost-effective)</p>

  <p>F. That technology companies are listening to their customers closely and
  actually delivering what's being asked of them</p>

  <p>EMC<br />
  ------</p>

  <p>EMC is mainly a hardware company - but its strong purchase history (<a
  href="http://www.emc.com/ir/mergers/index.jsp">http://www.emc.com/ir/mergers/index.jsp</a>):</p>

  <p>* Content Management: Documentum (among others)<br />
  * VM technology: VMWare<br />
  * Storage: nLayers, SMARTS, BDS (among others)<br />
  * Security: Tablus, RSA, Network Intelligence (among others)</p>

  <p>should tell you something.</p>

  <p>If you haven't guessed already, the USP/differentiator is
  SERVICES/SOFTWARE. Meaning, hardware companies are using software to
  differentiate themselves from the pack. And offering all sorts of cool
  services while at it.</p>

  <p>What kinds of software? ALL kinds&nbsp;- security management,
  network&nbsp;management, systems management, device management,
  configuration management. One company, one set of hardware, one set of
  software that manages ALL. In effect - EVERYTHING management.</p>

  <p>While the price of storage falls with better technology hitting the
  market ever so frequently, what's left to get one to stand out? Lower
  prices, market domination, interoperability, range of offerings,
  completeness of solutions - these are all fine but don't always figure in
  the scheme of things. Else you'd have only one storage company. But as you
  know, that's hardly the case.</p>

  <p>So one easy way to get new technologies and integrate them into your
  hardware solutions would be by simply acquiring them. Which is what many
  storage companies have been doing, if you've been following what HP, NetApp,
  and Sun have been up to.</p>

  <p>For now, the idea is this:</p>

  <p>ITIL is hot. No question. So definitely companies need to have that as a
  checklist item. But if treated as a simple checklist item the strategy will
  almost immediately backfire. If you don't have the&nbsp;stuff to back up the
  claim, you're history.</p>

  <p>Therefore, companies with a good reputation should do everything they can
  to ensure their solution is legitimate, does what they say it will do, and
  that it's certified by a third-party (for ITIL/interoperability etc).
  Otherwise it's going to get hard to penetrate the murky world of
  brochure-speak, unless companies go head-to-head in a real-world lab and
  demonstrate how and why they should be considered superior in the ways
  customers want them to be superior.</p>
  
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>Google and DoubleClick</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/goog_clicks_twice</link>
                      <description></description>
                      <author>sveerara</author>
                      <pubDate>Tue, 23 Oct 2007 09:53:04 -0500</pubDate>
                      
     
        <category>data aggregation</category>
     
     
        <category>data security</category>
     
     
        <category>doubleclick</category>
     
     
        <category>google</category>
     
     
        <category>online advertising</category>
     
     
        <category>privacy</category>
             
      <content:encoded><![CDATA[
  <p>In a very interesting article, Jeffrey Chester (<a
  href="http://www.alternet.org/story/64214/?page=1">http://www.alternet.org/story/64214/?page=1</a>)
  goes over how Google's well-publicized intent to buy DoubleClick could have
  serious ramifications for an individual's privacy, especially if that
  individual uses the web a lot: from random surfing to online shopping to
  playing online games to using sites such as Facebook/MySpace etc.</p>

  <p>Consolidation: Impact on News Coverage<br />
  -------------------------------------------</p>

  <p>Mr. Chester raises the specter of a few large conglomerates controlling
  not just 'benign' online content (such as 'fun, entertainment' sites) but
  also the 'serious' sites, such as those that deliver the news. That ideally
  should concern everyone - not just netizens - because online news in the
  near future will overtake physical media (such as newspapers, magazines) as
  the most common/popular way of getting to know what's going on around the
  world.</p>

  <p>It's certainly not unusual for news channels to have a specific
  philosophy (politically), and the way they portray world events very
  strongly suggests that partisanship overrides any semblance of the truth.
  When such media are not large or do not have high penetration levels, they
  are usually ignored. However, it's when they become pervasive (via ownership
  of multiple channels) or become the only entities that have the breadth to
  cover large areas that they start to raise alarms. Unfortunately, by that
  time it'd be too late to do anything about it. Media behemoths could simply
  crowd out the smaller, independent channels using money power, advertising
  prowess, political connections, and lobbying for favorable laws (lobbying
  costs huge sums of money, something which smaller channels do not have).</p>

  <p>Data Aggregation: Impact on Privacy<br />
  -----------------------------------------<br />
  The thought that a computer somewhere knows your 'secrets' and is quite
  capable of creating a psychological profile based simply on your mouse
  clicks and the places you visit on the web should be unnerving, but it's not
  to most people that use the web. And why would that be?<br />
  Simple: Lack of knowledge, education, and curiosity about how things work.
  As long as you're fed your daily fix of the news (Infotainment, really; when
  did you last see hard news on TV?), you're happy and satisfied. Why
  unnecessarily take the trouble to figure out WHY you read WHAT you read!</p>

  <p>Imagine if your neighbor comes to know your deepest, darkest secrets;
  even what you think about or are capable of thinking about (Minority Report,
  anyone?) - will that be a source of unease/concern to you? It should be if
  it's not already. Now imagine if millions of computers (and very likely
  thousands of people) know about what you clicked, your intent in doing so,
  and maybe even what you'd do next - and why. Again, something to worry about
  when you can't sleep at night.</p>

  <p>Combine Google's power of serving advertising to nearly all (including
  physical) media with its knowledge (thanks to DoubleClick) of your exact
  behavior when you are online. If you cannot see what's coming, you need a
  stinging splash of cold water on your face.</p>

  <p>The next step, in my opinion, will be the creation of something like a
  'life-model' - a model that constitutes EVERYTHING that is you, for EVERYONE
  on this planet, and this model will keep growing in intelligence and get
  closer to the real you with every click of your mouse and every tap of your
  keyboard. By now the reference to 'Big Brother' is redundant. Google is
  already on your computer via its toolbar and search utility, and it's also
  in your office via its web-based productivity software. It knows about your
  pictures - via Picasa, about your outpourings on any and all topics - via
  Blogger, your search patterns - via its all-powerful search engine...and so
  on.</p>

  <p>This information is WAY more than enough to construct a halfway-decent
  model of you (powered by a well-populated database, which GOOG already has,
  and data mining software, which is not rocket science). So, as it stands
  today, GOOG knows more about you than anyone else (assuming you use Google
  services frequently), and DoubleClick is going to help it connect the dots
  where the data is patchy or missing. Of course, this is not to say that
  other companies do not have the dirt on you -- they do. Any search engine
  website that you use is perfectly capable of storing such information on you
  forever.</p>

  <p>I am not one for conspiracy theories, but recent developments involving
  large companies (such as News Corp's acquisition of MySpace, the rumored -
  potential - investment in FaceBook by MS, rapid buyouts by GOOG of various
  tech companies, YAHOO's purchase of Zimbra, MSNBC's purchase of NewsVine etc
  etc etc) have me thinking about the eventual direction of everything that
  makes up the Web, the most visible part of the Internet.</p>

  <p>Yes, it's true that smaller companies will either go under or get bought,
  and that as large companies become slower in innovating as time goes on they
  must purchase new technology outright, mainly from small companies since
  they are much more nimble and not restricted by any shareholder or investor
  pressures.</p>

  <p>This wave of consolidation, fueled by - among other factors - a most
  favorable market where:</p>

  <p>* interest rates were/are low,<br />
  * intense competition rage[sd] to capture eyeballs and dollars,<br />
  * money velocity was high,<br />
  * shareholders didn't care as long as their holdings appreciated,<br />
  * governments have been revolving doors for
  bureaucrats-turned-lobbyists,<br />
  * apathy and lack of concern by the general masses reigned supreme,<br />
  * lawmakers, some of whom in my personal opinion may not be very tech-savvy,
  create unsound tech-related laws that affect us profoundly,<br />
  * lawmakers, some of whom in my personal opinion are beholden to corporate
  interests, do right by them and hurt the general public,<br />
  * and, the leaps in technological accomplishments far outstrip any little
  jumps in laws serving to keep their uses legal and legitimate</p>

  <p>will change the direction of how we view the world, and how the world
  will view itself - and maybe how the world will develop, too.</p>

  <p>My first concern (as is the author's) is not only that the pipeline of
  news will be controlled by a handful of corporate monsters dedicated to
  making profits and keeping investors sated, but also the idea that the news
  can also be easily MANIPULATED by the same guys. If you have but one source,
  how will you verify what you see?</p>

  <p>In the ancient Indian Scriptures - the Vedas - it's said that doubts
  should be/can be cleared via either your Guru (the spiritual master), a
  Sadhu (a learned person who's not your Spiritual Master), or the ultimate
  authority - the Scriptures themselves. That way a doubting mind can make
  sure it's free of all doubts when/before it learns something new.</p>

  <p>In these times, the ultimate authority is missing, and the rest don't
  even matter since they're tainted by their bias and assorted illicit
  relationships. Where's a truth-seeking person to go!</p>

  <p>My second concern stems from the privacy aspect. SO MUCH information in
  SO VERY FEW hands is a great cause for worry. As the cliche goes - Power
  corrupts...It's not that these data brokers and analysts WILL misuse the
  data (of course, they easily could) but that hackers and criminals will
  truly rejoice: it'd be like a pack of bank robbers in an unguarded bank. I
  am not saying that these monstrosities will leave their data unprotected,
  but that the temptation is extremely high to hit once, hit hard, and spirit
  away as many GBs of data as possible. Needless to say, every record that's
  stolen could cause a new case of identity theft, blackmail, or worse
  crimes.</p>

  <p>More likely than not, the threat will come from insiders rather than
  complete strangers. Therefore, extremely strict rules and policies should be
  enforced when it comes to handling sensitive information, and very severe
  penalties should be levied both by the company on the employee and by the
  govt on the company.</p>

  <p>My appeal to the government would be that they should step in,
  investigate ALL such deals (targeting any one company for political reasons
  would be most deplorable), and evaluate:<br />
  * the types of data being collected,<br />
  * the big picture when all data are combined,<br />
  * and finally the impact on users if such data were stolen.</p>

  <p>Further, there's a desperate need for stronger consumer protection laws
  against misuse and abuse of such sensitive information both by the holders
  of the data as well as by hackers.<br />
  I'd urge the government to institute a technically adept panel (with no
  members having any vested interests in seeing results go a specific way)
  to research the data aggregation and advertising industry, and recommend
  reforms and strategies to protect users from this stealthy onslaught of the
  information merchants.</p>

  <p>Be safe!</p>

]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>IT(IL)</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/itchallenges</link>
                      <description></description>
                      <author>sveerara</author>
                      <pubDate>Tue, 16 Oct 2007 07:47:40 -0500</pubDate>
                      
     
        <category>IT challenges</category>
     
     
        <category>IT management</category>
     
     
        <category>ITIL</category>
     
     
        <category>Network management</category>
     
     
        <category>Security</category>
     
     
        <category>security breach</category>
     
     
        <category>security vulnerability</category>
             
      <content:encoded><![CDATA[
  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">One of the challenges in maintaining an IT
  environment is ensuring a stable, reliable, and secure environment. The very
  nature of the beast can cause sleepless nights and maddening
  days.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font size="3"><font
  face="Times New Roman">&nbsp;</font></font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font size="3"><font
  face="Times New Roman">The sheer dynamic nature - where things change all
  the time, mostly with no warning - makes it an elusive, slippery
  animal.<span style="mso-spacerun: yes">&nbsp;</span></font></font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">Needless to say, the market is full of
  solutions that promise to tame the situation, and make it docile and
  manageable.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">A single source of frustration for most
  administrators is uncontrolled, unauthorized, and unscheduled change. Change
  is inevitable, unpredictable, and unexpected most of the time.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">So how does one go from this chaotic, ad-hoc
  mode of affairs to something that resembles the way a cat walks a thin ledge
  200 feet in the air - cool, calm, sure-footed, and awe-inspiring.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">Many would think that the source of all such
  problems is software (or hardware, which means firmware); that if only
  software were well-written, there would be no need for change (patches),
  version control, or much of change/configuration/release management - all
  three of which can cause severe headaches if not handled
  properly.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">So, what IS the source of all IT-related
  problems? In one word, the unpopular answer is: people.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">People create software, deploy it, manage
  it, USE it, maintain it, and render it obsolete when a better version comes
  along. Since this is an obvious answer, a slightly un-obvious way to put it
  would be: IT planners (IT managers/architects). Sure, the buck can simply be
  passed to the CIO - who'd be equally responsible for a badly planned
  deployment (think complex software like ERP systems).</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">To control the insanity that makes for IT
  management, the very first questions to be asked are the most fundamental
  ones (they may sound primitive and even preposterous, but it's because these
  questions - among many, many others - do not get asked that we have so much
  trouble on our hands):</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">Who? (will use the system; will be the point
  of contact; is the stakeholder)</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">How? (will they use it; will it be
  installed; will it be maintained; many users)</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">When? (would the deployment happen; do we
  schedule downtime/maintenance windows)</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">What? (is the need for this resource; is the
  ROI; is the SLA; are the chances of changes)</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">Why? (should we do this; not do it *this*
  way)</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">ITIL - the buzzword that's beyond just a
  buzzword now - can help. A lot. But not quickly, though. If you want quick
  solutions, be fully prepared to sink deeper into the morass of incidents and
  problems. ITIL provides a nice framework that can be used to implement your
  OWN solutions - that which apply to YOUR organization and not a generic
  template that is twisted to fit unsolvable situations.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">The new version - V3 - is a more compact and
  portable version. Look into it if you have not already. Train yourself first
  so you know what to expect, and then train your staff. Then, when you throw
  around words like "Service Transition" and "Service Operation" you won't get
  empty stares and barely-hidden yawns.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">The initial terms that you should
  familiarize yourself with right away are all of ITIL's key entities: Release
  Management, Configuration Management, Change Management, Security
  Management, Availability Management and so on.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">In my opinion change management,
  configuration management, release management, and security management are
  critical (others are also equally important, but these three can make or
  break your plans).</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">So, you'd begin with a plan for your IT
  dept. How often would you allow changes (if periodic); who would make them
  and when; what is the process to be followed; what is the backup plan if the
  change failed; how to store the changes for future reference and audit; what
  are the security implications; how long would it take to get it done: how to
  plan release management, in effect, with change management controlling the
  deployment of the configuration.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">It is very easy to miss steps or overdo
  things - but with practice it'll get better.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">Combine the power of ITIL (people, process,
  technology) V3 (where changes over V2 include detailed information on how-to
  topics, better metrics, and information on ROI among others) with software
  that integrates tightly with - and implements - ITIL concepts, gives you a
  fantastic overview of your environment, helps control and configure changes
  in a secure way, identifies network security problems, helps enforce
  security and compliance policies - and you're very nearly there.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <ol style="MARGIN-TOP: 0in" type="1">
   <li class="MsoNormal"
   style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in">
   <font face="Times New Roman" size="3">Map your network; discover, identify,
   and catalog your devices (edge devices, servers, storage devices). All of
   this information would go into the CMDB.</font></li>

   <li class="MsoNormal"
   style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in">
   <font face="Times New Roman" size="3">Get the configuration baseline of the
   devices and servers (firmware, settings, OS image and such)</font></li>

   <li class="MsoNormal"
   style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in">
   <font face="Times New Roman" size="3">Identify the security vulnerabilities
   in your network (unauthorized server, illegal access point, default
   passwords)</font></li>

   <li class="MsoNormal"
   style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in">
   <font face="Times New Roman" size="3">Chalk out what configuration changes
   need to be made</font></li>

   <li class="MsoNormal"
   style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in">
   <font face="Times New Roman" size="3">Identify the targets, the maintenance
   window; backup plans etc</font></li>

   <li class="MsoNormal"
   style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in">
   <font face="Times New Roman" size="3">Prepare the deployment on a test
   device/server and iron out any kinks before the final
   deployment</font></li>
  </ol>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">At this point, the CMDB should have all of
  the configuration items; the reference library should have the deployed
  configuration (not to be confused with configuration management or
  configuration item, which have to do with CMDB), the devices should have the
  new configuration, and all the incident and problem handling areas should be
  ready to handle any requests or calls regarding problems.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">Now, the next phase can be
  implemented.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">A. Automate the most rudimentary and common
  tasks (especially those that are tiresome, manual, and easily prone to
  mistakes) first, and later on, as you gain confidence and become at ease with
  the software, go for complex tasks. Of course, remember to subject test
  machines to your tests first.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">B. Audit the environment continually - it
  should not be an ad-hoc task but something that's ongoing and repeatable.
  This will help you be prepared for any untoward incidents - not to mention
  you'd look really up-to-date on non-compliant entities.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">C. Always keep an eye out for any security
  problems - they may look trivial but could end up costing a whole lot
  if/when a breach occurs. The cost to fix a vulnerability is a lot less than
  dealing with the aftermath of a breach that exploited the
  weakness.</font></p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt">&nbsp;</p>

  <p class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font
  face="Times New Roman" size="3">D. Finally, automate as many tasks as
  possible - including audit/compliance policies, deployment of baseline
  configurations, security scans, regular reporting and such.</font></p>
  
]]>
</content:encoded>
     

                  </item>

            
	   	
        
        
            
                  <item>
                      <title>TxDOT - Bad, Bad, Move</title>
                      <link>http://talk.bmc.com/blogs/blog-veeraraghavan/seshadri_veeraraghavan/adumbmove</link>
                      <description>Spying on Motorists?</description>
                      <author>sveerara</author>
                      <pubDate>Wed, 10 Oct 2007 12:16:11 -0500</pubDate>
                      
     
        <category>TxDot</category>
     
     
        <category>camera</category>
     
     
        <category>data access</category>
     
     
        <category>identity</category>
     
     
        <category>privacy</category>
     
     
        <category>survey</category>
             
      <content:encoded><![CDATA[
  <p><a
  href="http://www.khou.com/topstories/stories/khou071010_jj_txdothiddencameras.158456566.html">
  http://www.khou.com/topstories/stories/khou071010_jj_txdothiddencameras.158456566.html</a></p>

  <p>It is one thing to send out surveys based on rough demographics, but it's
  totally another to send out surveys based on SPYING on your movements; and
  then have the gall to ask why you were where you were, and what your
  ultimate destination was.</p>

  <p>In an ill-conceived move, TxDOT spied on motorists by taking pictures of
  their license plates, then mailed out surveys asking the recipients about
  their trip. Who cleared this idiotic project, which cost nearly $800K?</p>

  <p>Apparently this has been going on for some time in other states; I wonder
  why nobody said anything. There is no information on what they'd do with the
  data (other than "plan" for the future in terms of highway construction and
  traffic patterns). How long is this data going to be stored, who will have
  access to it, and most importantly, what ELSE are they planning on doing
  with it (in the future)?</p>

  <p>Is this information subject to discovery in case of a lawsuit against one
  of the travelers? What liability does TxDOT expose itself - and the
  travelers - to in implementing such projects?</p>

  <p>It's obviously not sufficient that Houston has a ton of red-light
  cameras, cameras on streets, in malls - well, everywhere, but this
  particular move is more Orwellian than anything else I've heard. In my
  opinion this is a seri