Category: business

  • Security, “cyber security”, system administration

    “Enough”
    During the “lost decade” of my “20’s” I had a LOT of different jobs. PC repair, high school wrestling coach, security guard, and a lot of “student” time in general.

    The (pre 9/11) “security guard” time was nice because I was usually left alone all night. I was there to be visible and act as a deterrent – not perform heroic acts – which since I was looking for a paycheck and not an adrenaline rush was exactly what I wanted.

    Of course there are also “private security personnel” that are highly trained professionals. Obviously the “highly trained professional” is going to demand a larger paycheck than the employee that did the “1 day orientation/computer training.”

    From an “organizational” point of view – security is similar to “insurance.” Both deal with “risk management” – as in “you can’t eliminate ‘risks’ but you can minimize your vulnerability/exposure”.

    SO the best practice with security and insurance is to have “enough” to cover your needs.

    “Sales”
    Then the question becomes “just how much is enough?”

    Have you seen the commercials for “home security system” where a masked intruder breaks a window (in what looks like a nice suburban home) in the middle of the day?

    Then cut to a frightened child and woman clutching each other in a state of panic – followed by the phone ringing and a reassuring voice saying “We have detected a break in at your premises. Authorities have been notified. Do you require assistance?”

    The relieved/grateful woman picks up the phone and says something like “Thank you security system! I don’t know what we would have done without you.” — and then you get the sales pitch from the security monitoring company (e.g. for less than $ a day you can protect your family…)

    Now, I’m not dismissing the need for/utility of these systems – I’m pointing out that the scenario used is “unlikely” at best and designed to manipulate your emotions. After all – can you put a price on “protecting your family?”

    On a less emotionally charged front – the answer to “can you put a price on the security of your business” is “yes.” In a nutshell – you don’t want to pay more for security than the value of the object being secured.

    SO that storage facility housing spare parts for your “commodity widget” making factory PROBABLY doesn’t need as much security as the distribution center that processes orders from customers for your “commodity widget.”

    Now that sales person working on commission might try to convince the “commodity widget maker upper management” that they need the top end security everywhere – and maybe they do – but obviously the “sales person” is biased.

    SO when the widget making enterprise gets past a certain size – they will probably hire a “director of security” or something to evaluate the needs of the company.

    “Cyber”
    That same process/concept applies to “computer network security.” Q. How much “cyber security” do you need? A. “enough”

    As a long time “I.T. professional” my view of “cyber security” is that it is a marketing term. Obviously I am NOT saying that “computer network security” is irrelevant – just that “good system administration” has ALWAYS included “network security.”

    Consider “automobile security” – how much should someone spend to “secure” their car?

    Well, if you have a beat up Ford Pinto with 500,000 miles on it that starts shaking if you go over 65 miles per hour and you only keep it to haul garbage to the landfill – then maybe you are comfortable leaving the keys on the dashboard with the windows rolled down. If someone steals the car they might be doing you a favor.

    BUT if you have a “new luxury SUV” you might invest in a car alarm, and some form of remote monitoring. If you live in a “big city” you might pay for “off street” parking. In any case you certainly aren’t leaving the keys on the dashboard with the windows rolled down.

    Getting back to “computer network security” – MOST networks probably fall into the “nice four door sedan” category. They need to be secured – and they will be compromised if left un-secured – but they aren’t a specific target.

    e.g. roll up the windows, lock the doors, don’t leave valuables in plain sight – and your “family sedan” is probably secure enough. Adhere to “good system administration practices” and your computer network is “probably” secure enough.

    I also like the idea of a Magnificent Seven approach to security – NOT that you need to hire hackers to protect yourself from hackers, but that you need to secure your network enough to make the “casual attacker” go somewhere else.

    IF someone is intentionally targeting your network AND they are willing to spend money and time THEN they will probably be able to compromise your network. Your goals should be to not “make it easy” for them and also to detect and respond to the intrusion when it happens.

    For individuals your small home network probably is more valuable to the bad actors as a resource for “zombie”/spam activity – but still, don’t make it easy on them.

    If you REALLY want to worry about something – more important than the network itself is the data moving on that network – so the biggest threat to the “average network” is the people using the network. Which is a slightly different subject …

    TL;DR
    Yes, there are needs for “security specific” computer professionals – things like penetration testing and security auditing come immediately to mind. The concept of a security “baked in”/first approach to application development is also obvious. I’m just tired of hearing “cyber security” presented as something new and novel …

    e.g. A combination of good backups, sensible user management, and applying encryption to both file storage and network traffic probably protects 90% of “computer networks.”

  • The “regulation” thing

    First Principles
    From a “first principles” point of view – USUALLY the best thing for the U.S. Congress to do is “nothing.”

    Arguably the “Founders” believed the same thing. Which is why the U.S. has the system of gov’ment that we have. Just from a practical “organizational behavior” the larger the group of people – the less likely you are to agree on anything.

    The “wheels of gov’ment” are supposed to be slow moving and inefficient – remember the Founders’ goal was the preservation of individual liberty via the limiting of “gov’ment.”

    SO anything that the gov’ment does do, shouldn’t be fast or drastic – again, just in general “government is best which governs least”

    But then …
    Of course the gov’ment isn’t just window dressing – they are supposed to do SOMETHING. e.g. In times of war trying to rule by committee is a recipe for disaster – which is why the POTUS is “Commander in Chief.”

    In the Ancient Roman Republic – traditionally two “Consuls” were elected to “run” the Republic. The Consuls had full executive power, but each also had veto power over the other. This meant legislative stalemate was the norm and preservation of the status quo was achieved – which was kinda what the “powers that be” wanted.

    BUT in times of emergency/war – i.e. when things needed to “get done” – a single person would be put in charge.

    Fans of Ancient History will be familiar with the story of Cincinnatus – but I’ll move on – after pointing out that in peacetime it is always worth taking the time to examine the issue and “get it right” as opposed to “doing it fast.”

    If it moves regulate it …
    Ronald Reagan described the “government’s” view of the economy as: “If it moves, tax it. If it keeps moving, regulate it. And if it stops moving, subsidize it.”

    Which is a great line – but hits on several big issues. The purpose of taxation tends to get “complicated” but isn’t important right now. However, REGULATION should be easier to agree about as far as “purpose” goes. (and subsidizing something is probably just another form of taxation)

    In general “gov’ment regulation” should NEVER be punitory – i.e. protecting the consumer/individual SHOULD always be the purpose of regulation – NOT simply punishing a specific company/industry because it is politically expedient to do so.

    From a practical point of view – that means government should do what individuals can’t do for themselves. SO things like controlling access to a limited resource (e.g. the old radio/television broadcast spectrum), or ensuring that drivers are not a danger to themselves or others (e.g. physical checkup requirements for CDL, or vision tests for driver licenses) are obvious candidates for regulation.

    The form that regulation takes is up for debate – but regulating interstate commerce is obviously one of those functions the Feds are supposed to handle — but one more time “regulation” should not be “political punishment”, it should always serve the consumer.

    Internet/Web/Walled gardens/Facebook…
    The story of the “internet” can be told numerous ways – some of which are interesting, but not important right now.

    (no matter how you choose to tell the “Internet story” – it didn’t just spontaneously appear, but it also wasn’t created by government bureaucrats.)

    If we accept that “sharing information” (to one degree or another) is the point of ANY “network” then the “Internet” has been a great success story.

    BUT you needed affordable personal computers AND the “world wide web” to make it useful to the average person.

    (btw if the “internet” is the “highway” then the “web” is one type of vehicle using that highway – but not the ONLY type of vehicle)

    For a lot of folks back in the early 1990’s “America Online” (AOL) was their first “information service.” AOL charged a monthly fee for access to their network – and bombarded the nation with 3.5″ disks and then CD-ROMs offering monthly free trials.

    Then when the “web” happened – AOL started offering unlimited “Internet” access through their network. AOL still had a lot of “AOL network” content, so people might login to AOL and never leave AOL – this was kind of the “Walled Garden” internet (or if you logged into a local ISP – that homepage might have been your concept of the “web” in general).

    (btw the AOL merger with Time Warner is probably one of the worst mergers of all time from a “combined value” view – i.e. the perception of AOL’s value was much greater than what they actually possessed)

    Maybe the 1990’s could be called the “era of the portal.” The web may have offered access to vast amounts of knowledge – but finding anything was difficult. So “web directories” (like Yahoo!) ruled the day. Then Google happened in late 1998 – which is also another story …

    Facebook is just another version of the “walled garden” – and they continue to add services trying to keep users on their platform. Of course the more users accept Facebook as “walled garden” the more Facebook can earn in advertising $$ – which once again, is neither good nor bad, just good business.

    The important thing to remember is that Facebook is NOT the “Internet.”

    Regulation, but how?
    I’ve seen Facebook running ads (on Facebook) advocating changing the “Internet regulations.” This always comes across as self-serving as well as slightly pernicious – just because the regulations are older than Facebook doesn’t mean they need to be changed JUST for the sake of changing them.

    The problem with “regulation for the sake of regulation” is that it tends to be counter productive. “Big business” actually benefits from “increased regulatory requirements” because it tends to cut down on innovation/disruptive competition.

    “Bad regulation” simply reinforces the status quo and/or cements things in place preventing change. “Good regulation” will protect the consumer while encouraging growth/competition.

    My personal preference would be to apply “newspaper”/media conglomerate standards to Facebook. Hold them accountable for “censorship”, create a truly independent “arbitration board” (not one bought and paid for by Facebook) – but don’t cement them in place as the status quo.

    Regulation should not stifle whatever the “next big thing” may be …

  • Competing with Facebook

    A federal judge recently dismissed “anti-competitive”/monopoly charges against Facebook.

    The problem is that just being a very popular platform doesn’t make you a monopoly – e.g. Walmart is not a monopoly simply because a lot of people shop there and they are hard to compete against.
    FB allows people to easily connect with each other and share information – which is not monopolistic in any form.
    From a business standpoint FB is selling access to those people’s information. SO FB isn’t doing anything different (from a legal standpoint) than what a popular tv network does – which again is functionally “build an audience” and then sell advertising to that audience.

    Google and Facebook allow “targeted advertising” – which ends up being very cost effective for “business users”

    BUT if you are a “content producer” you need to remember that FB is not your friend or partner. The wise content producer is NOT going to use FB as their primary platform.

    i.e. FB is a great platform to acquire/build an audience (at a price) – but then the first step for the “wise FB business user” should be to connect with that audience OUTSIDE of FB – after all FB can cut off your access to THEIR platform as they wish.

    From an “anti-trust” issue FB (probably) isn’t a “monopoly” – as in they are not actively being “anti competitive” — their moderation is questionable, and they are obviously biased and they might be engaging in “illegal discrimination” – but that is a different legal argument …

    btw: how you “successfully compete with FB” is similar to “how a small retailer successfully competes with Walmart (or Amazon)” – step 1 is to understand that you (probably) aren’t in the same business

    Walmart is a logistics company that specializes in “low costs” – the “core business” for Amazon is (probably) “I.T. services” (in the form of AWS), but they are also a logistics company

    While the local hardware store is in the business of “selling service” – which means “individual attention” and/or “high level of customer interaction.” … sure that local hardware store charges a little more, but they are nice to deal with

    Remember FB is not selling a unique product – they are selling access to an “audience.” FB provides services to that audience BUT the “audience” is the product not FB

    Quick: how does “local newspaper” compete with the NY Times? Well, NOT by trying to do better national news coverage – “local newspaper” needs to concentrate on having “local news” – and a lot of pictures of “local people” doing “local stuff.”


    Oh, and WHEN something better comes along – users can leave FB with minimal effort. Of course Mr Zuckerberg et al realize all of the above and that is why they make an effort to make people “FB dependent.”