The Relay

Obsoleting the Short, Cheap Con

May 13th, 2008

Martin Chorich writes:

I was thinking the other night of the opening sequence of the 1990 movie The Grifters where John Cusack makes a living cheating bartenders by convincing them that he proffered them a $20 bill for a drink when they only gave him change for a 10. Even when I saw the movie in 1990 I didn’t see how Cusack could steal enough to make it worth his while, especially measured against the risks of arrest or bar room vigilante justice. Each con must have taken at least an hour to set up, execute and then move on to another bar, limiting Cusack’s take to about $8.50 an hour ($10 in change, minus the estimated 1990 cost of a beer.)

Jim Thompson wrote the novel that became The Grifters movie in 1963, when $9 or $10 an hour was a decent take, especially considering that the income was tax free. But even in 1990, much less 2008, Cusack’s con was obsolete. I doubt that anyone has pulled it for years, except as a stunt on a spot basis to defray the high cost of drinking.

The point of this story is that when it comes to security, maybe our focus should not be on trying to track down and arrest all of the con artists, but on making their efforts obsolete. To be fair, it was 40 years of bad monetary policy that inflated Cusack out of a job. But I wonder how it would be possible to get beyond reactive cops-and-robbers IT security and instead develop preemptive processes and techniques that make today’s viruses, intrusions, worms, phishes, and cons beside the point.

Down These Mean Streets

April 15th, 2008

Martin Chorich writes:

I’ve noticed an interesting thought trend in our industry. As pessimism grows that the black hats are winning against the security sheriffs, the notion has emerged that what we really need to do is to figure out ways to do clean business in a dirty world. Rather than expending endless efforts to stop viruses, squash worms, eject intruders or awaken zombies, maybe we should take all of this as a given and devise mechanisms to send messages, make purchases and seek out information while treating chaos and malevolence as so much background noise. I think we do this informally already when we avoid opening obvious spam and maintain (probably misguided) confidence that it is safer to pay bills on-line than to drop checks into the mail.

Raymond Chandler put the situation nicely when he wrote: “But down these mean streets a man must go who is not himself mean, who is neither tarnished nor afraid.” Seek such people out, and it is possible to transact with them on the darkest, rainiest nights.

Unsolicited Compliment

March 31st, 2008

Martin Chorich writes:

The following appeared on a NetworkWorld.com page where they asked readers “What are your best Products?” (Edited for capitalization and clarity–otherwise complete and verbatim.)

“We use BigFix, 400 individual sites on a private WAN, 103,000 desktops and the product works really nice. It is amazing to watch it operate in real time in a huge environment and only [one] BigFix server for the whole thing. Very robust product and the product is domain/AD agnostic. It will work across all kinds of places and it is very trouble free with little management overhead and excellent tech support. You actually deal with the developers who wrote the product etc. instead of some moron reading from a script. But it is very rare [that] you will need it anyhow.”

I brought the second-to-last sentence to the attention of our tech support people (just a row of cubes away from me here in Emeryville) and they took it in good humor, and as an exception to the rule that no one notices support except for the wrong reasons.

Who Pays the Electric Bill?

March 14th, 2008

Ted Samson, writing in his InfoWorld blog, suggests that IT departments take ownership of electric bills, at least as far as computing and network assets are concerned. I have to say this idea makes a certain amount of sense. Traditionally, electric power has been the concern of the facilities department at most organizations. They usually have no responsibility for computing. When it comes to computing power conservation, they don’t have a budget for IT power management tools and projects. Politically, IT departments do not want the same people who are responsible for keeping the walls painted touching any computers.

It’s not that IT departments revel in wasting energy. The vast majority of IT workers are aware of environmental concerns and the role of computing in adding to burdens on the electric grid. But at the end of the day, they have no direct responsibility, incentive or project budgets to curb IT energy consumption.

Ideally, facilities and IT should work together. Very often this works to the advantage of both organizations. At Miami-Dade Public Schools, after the IT group installed BigFix Power Management and turned off computers overnight and on weekends, they discovered that the school system could also turn off air conditioning in computer rooms, increasing the cost savings delivered by the product. Needless to say, this makes IT and facilities partners in energy conservation and a win-win for all concerned.

The World in a Grain of Sand

March 10th, 2008

Martin Chorich writes:

This weekend found me adding two gigabytes of RAM to one of the family computers to support an operating system upgrade*. As I walked out of the local Geek Temple, I reflected that my little plastic bag probably contained more RAM than existed in the world in 1960. And it cost only $54.

In somewhat oblique irony, the technically sophisticated process for replacing the RAM in the computer involved wedging the thing open with a pair of putty knives. No kidding! This was the recommended procedure. It worked, too, but I was glad that significant others did not witness this. Those who like sausages and snappy web surfing…

*(As we used to say at the chip companies where I formerly worked, “Moore’s Law giveth, and Microsoft taketh away.” Although in this case, it involved the latest predator cat from Apple.)

BigFix and Green IT at Stanford University

January 24th, 2008

Martin Chorich writes:

We’re delighted that we can now cite a public reference to Stanford University’s deployment of BigFix Power Management.

A couple of aspects of the Stanford BigFix Power Management implementation are noteworthy. First, it’s an important component of the “Sustainable Stanford” initiative, a multi-disciplinary effort to add a green streak to the Stanford Cardinal.

Second, as universities are not as regimented as corporations and government agencies, Stanford is solving the “herding cats” problem by giving end-users the option of selecting their own power management policies from an interactive website. Once they opt for a power management regimen, the website automatically loads appropriate BigFix Power Management policies on the end-user’s computer and activates them.

In the meantime, BigFix Power Management is turning into a home-run product for us, opening doors at new customers and increasing the value we deliver to long-time BigFix users.

Canaries in the Coal Mine

January 14th, 2008

Martin Chorich writes:

While “seminal” may be too strong a word, InfoWorld Editor Matt Hines published an article late last year that has generated a lot of comment in the blogosphere. To summarize with maximum compression, as security attacks become more targeted and stealthy, IT departments are increasingly monitoring endpoint systems for symptoms of bad behavior and then taking steps to shut down malicious activities.

To my non-technical mind, this sounds like a perfect role for BigFix. We excel in delivering real-time information on what’s going on with networked systems along with the ability to take fast action to correct misbehaviors. While we currently do not have a packaged solution to perform this kind of surveillance and response, it’s easy to imagine how customers or service providers could write policies that detect aberrant behavior, trigger alarms, and take automated remedial actions. Again, I speak only for myself on this point, but if customers want to take a canaries-in-the-coal-mine approach to identifying and containing threats, BigFix would be a good place to start.
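To make the detect-alarm-remediate loop described above concrete, here is an added example in Python. It is not BigFix code or a BigFix policy, and it does not use the product’s own policy language; the role baselines, the host snapshots, the process and port names and the action labels are all constructed for the illustration. Each endpoint snapshot is compared with the known-good baseline for its role, and each deviation is mapped to an escalating action: unexpected processes raise an alert, unexpected listening ports are closed and alerted, and worm-like fan-out to many peers isolates the host. A host whose role has no baseline is itself reported, since an unmonitored canary tells you nothing.

```python
"""Added illustration of a baseline-deviation 'canary' check over endpoint
snapshots. Not BigFix code; every baseline, host, process, port and action
name below is constructed for this example."""
from dataclasses import dataclass

# Constructed baselines: what a healthy endpoint of each role is expected to
# run and listen on. In practice these come from an inventory of known-good hosts.
BASELINE = {
    "workstation": {
        "processes": {"explorer.exe", "outlook.exe", "winword.exe", "svchost.exe"},
        "listen_ports": {135, 139, 445},
    },
    "webserver": {
        "processes": {"httpd", "sshd", "cron"},
        "listen_ports": {22, 80, 443},
    },
}

# Actions in order of increasing severity; worst_action() picks the highest.
ACTION_ORDER = ["none", "alert", "close_port_and_alert", "isolate_host"]


@dataclass
class Snapshot:
    host: str
    role: str
    processes: set           # process names observed running
    listen_ports: set        # TCP ports observed listening
    outbound_peers_per_min: int  # distinct remote hosts contacted in the last minute


@dataclass
class Finding:
    host: str
    symptom: str
    detail: str
    action: str


def check(snap: Snapshot, fanout_threshold: int = 50) -> list:
    """Compare one snapshot with its role baseline and return findings,
    each carrying the remediation this example would trigger."""
    base = BASELINE.get(snap.role)
    if base is None:
        # Edge case: a host we have no baseline for cannot be judged; flag the gap.
        return [Finding(snap.host, "unknown_role", snap.role, "alert")]

    findings = []
    for proc in sorted(snap.processes - base["processes"]):
        findings.append(Finding(snap.host, "unexpected_process", proc, "alert"))
    for port in sorted(snap.listen_ports - base["listen_ports"]):
        # A new listener on a known role is a stronger signal than a stray process.
        findings.append(Finding(snap.host, "unexpected_listener", str(port),
                                "close_port_and_alert"))
    if snap.outbound_peers_per_min > fanout_threshold:
        # Contacting many peers per minute is the classic worm/scanner symptom.
        findings.append(Finding(snap.host, "outbound_fanout",
                                f"{snap.outbound_peers_per_min} peers/min",
                                "isolate_host"))
    return findings


def worst_action(findings: list) -> str:
    """The single most severe action among a host's findings ('none' if clean)."""
    return max((f.action for f in findings), key=ACTION_ORDER.index, default="none")


# Constructed snapshots: one clean, one with a rogue listener, one fanning out,
# and one with a role nobody has baselined.
SAMPLE_SNAPSHOTS = [
    Snapshot("ws-01", "workstation", {"explorer.exe", "svchost.exe"}, {135, 445}, 3),
    Snapshot("web-07", "webserver", {"httpd", "sshd", "nc"}, {22, 80, 443, 4444}, 2),
    Snapshot("ws-02", "workstation", {"explorer.exe"}, {135}, 400),
    Snapshot("prn-01", "printer", set(), {9100}, 0),
]


def run(snapshots=SAMPLE_SNAPSHOTS) -> dict:
    """Map each host to the action the canary policy would take."""
    return {s.host: worst_action(check(s)) for s in snapshots}


if __name__ == "__main__":
    for snap in SAMPLE_SNAPSHOTS:
        for f in check(snap):
            print(f"{f.host}: {f.symptom} ({f.detail}) -> {f.action}")
    print(run())
```

The severity ordering is the design point: the same policy that merely logs an odd process will cut a host off the network when it sees scanning behaviour, so the response is proportional to how confidently the symptom indicates compromise.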

BigFix Game Day

December 17th, 2007

BigFix customer Raymond Balaian shows off the limited-edition Raiders Game T-shirt we issued for a customer appreciation day at the Oakland Raiders-Indianapolis Colts game yesterday. While the concept of a “moral” victory is foreign to the Raiders, the team surprised fans by beating the point spread against the reigning Super Bowl champion Colts. For a few dollars more, McAfee Coliseum flashed the BigFix name on the scoreboard, taking it back from our competitors for a good 15 seconds or so.

Scenes From a Launch

December 10th, 2007

Martin Chorich writes:

I’ve done better scans, but what you see here is an article from Ryowa, Mitsubishi’s in-house magazine, about the launch of the BigFix-Mitsubishi relationship in Japan. BigFix Chairman and CEO Dave Robbins stands third from the left. Ryowa is bilingual, published in English and Japanese, and circulates globally. This article repeats in the Japanese section of the magazine. Needless to say, we are all very excited that Mitsubishi is enabling our entry into the Japanese market–a very solid partner whose backing gains BigFix some serious credibility.

Ryowa Clipping–BigFix-Mitsubishi

Everything You Touch

December 6th, 2007

Martin Chorich writes:

eWeek ran an unusually interesting article a few months ago, reporting research from IBM on the number of vulnerabilities disclosed by vendors in the first half of 2007. The list ranked vendors by the percentage of vulnerabilities they announced relative to the total number registered over the study period. Their list ran as follows:

Microsoft 4.2%
Apple 3%
Oracle 2%
Sun Microsystems 1.5%
IBM 1.3%
Mozilla 1.3%
XOOPS 1.2%
BEA 1.1%
Linux kernel 0.9%

The lesson here is that no one is immune and almost anything you touch carries some risk. It’s also clear that tracking and fixing vulnerabilities from multiple sources can drive you crazy–especially if you do it one vendor at a time. The best situation would be to have a single source of vulnerability intelligence and remediation content, complemented by a unified infrastructure for assessing and repairing vulnerabilities on all hardware/software technology platforms in your organization. Your alternative is to use Linux tools to fix Linux vulnerabilities, Microsoft tools for their vulnerabilities, Apple tools…well, you can see where this is going.
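The consolidation argument above is easier to see in code. The following Python is an added example, not BigFix content or any vendor’s actual feed format: three constructed advisory feeds in the differing shapes a consumer has to absorb (a bulletin identified by a patch number, a distribution fix identified by a package version, and an OS fix identified by an OS version) are normalized into one advisory type with a comparable severity and an “is this host exposed?” predicate, then joined against a constructed host inventory into a single work queue ordered by severity and exposure. The CVE identifiers, host names, package names and versions are placeholders. One practical caveat it handles: versions must be compared numerically, since as strings "2.6.22.9" sorts after "2.6.22.14" and would wrongly read as already fixed.

```python
"""Added illustration of consolidating multi-vendor vulnerability advisories
into one normalized work queue matched against a host inventory. Not BigFix
content; feed shapes, CVE IDs, hosts, packages and versions are constructed."""
from dataclasses import dataclass
from typing import Callable


def vtuple(v: str) -> tuple:
    """'2.6.22.14' -> (2, 6, 22, 14): compare versions numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    cve: str
    vendor: str
    product: str
    severity: int        # 1 (low) .. 4 (critical), normalized across feeds
    affected: Callable   # host record -> bool


# Constructed raw feeds in three shapes. Placeholder identifiers throughout.
MS_FEED = [  # bulletin style: the fix is a patch ID, severity is a word
    {"bulletin": "MS-EXAMPLE-01", "kb": "KB000001", "cves": ["CVE-0000-0001"], "rating": "Critical"},
]
LINUX_FEED = [  # distribution style: fixed package version
    {"id": "CVE-0000-0002", "package": "kernel", "fixed_in": "2.6.22.14", "priority": "high"},
]
APPLE_FEED = [  # platform style: fixed OS version
    {"cve": "CVE-0000-0003", "product": "Mac OS X", "fixed_version": "10.5.2", "impact": "moderate"},
]

# Each feed uses its own vocabulary; map all of them onto one scale.
SEVERITY = {"critical": 4, "important": 3, "high": 3, "moderate": 2, "medium": 2, "low": 1}


def normalize() -> list:
    """Turn the three feed shapes into Advisory records with uniform predicates.
    Default arguments pin per-advisory values inside each lambda."""
    out = []
    for a in MS_FEED:
        for cve in a["cves"]:
            out.append(Advisory(cve, "Microsoft", a["bulletin"], SEVERITY[a["rating"].lower()],
                lambda h, kb=a["kb"]: h["os"] == "Windows" and kb not in h["patches"]))
    for a in LINUX_FEED:
        out.append(Advisory(a["id"], "Linux", a["package"], SEVERITY[a["priority"].lower()],
            lambda h, pkg=a["package"], fixed=vtuple(a["fixed_in"]):
                pkg in h["packages"] and vtuple(h["packages"][pkg]) < fixed))
    for a in APPLE_FEED:
        out.append(Advisory(a["cve"], "Apple", a["product"], SEVERITY[a["impact"].lower()],
            lambda h, fixed=vtuple(a["fixed_version"]):
                h["os"] == "Mac OS X" and vtuple(h["os_version"]) < fixed))
    return out


# Constructed inventory: what each host runs and which fixes it already has.
INVENTORY = [
    {"host": "ws-01", "os": "Windows", "os_version": "5.1", "patches": set(), "packages": {}},
    {"host": "ws-02", "os": "Windows", "os_version": "5.1", "patches": {"KB000001"}, "packages": {}},
    {"host": "srv-01", "os": "Linux", "os_version": "0", "patches": set(), "packages": {"kernel": "2.6.22.9"}},
    {"host": "srv-02", "os": "Linux", "os_version": "0", "patches": set(), "packages": {"kernel": "2.6.22.14"}},
    {"host": "mac-01", "os": "Mac OS X", "os_version": "10.5.1", "patches": set(), "packages": {}},
]


def work_queue(advisories: list, inventory: list) -> list:
    """One queue across all vendors: most severe first, then most hosts exposed."""
    rows = []
    for adv in advisories:
        hosts = sorted(h["host"] for h in inventory if adv.affected(h))
        if hosts:  # advisories that touch no host drop out of the queue
            rows.append({"cve": adv.cve, "vendor": adv.vendor,
                         "severity": adv.severity, "hosts": hosts})
    rows.sort(key=lambda r: (-r["severity"], -len(r["hosts"]), r["cve"]))
    return rows


if __name__ == "__main__":
    for row in work_queue(normalize(), INVENTORY):
        print(f"[sev {row['severity']}] {row['vendor']:9s} {row['cve']}: {', '.join(row['hosts'])}")
```

The value is in the join: once every feed has been reduced to a severity and a predicate over the inventory, the question “what do I fix first, across everything?” is a single sort rather than one per vendor console.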

As enlightened self interest informs everything I write during business hours, I’ll invite readers to take a look at BigFix Vulnerability Management solutions as a way to consolidate and simplify the vulnerability assessment and remediation process.