Forget Passwords, Check the Body

Thursday, August 19th, 2004 at 9:00 PM | Category: Meryl's Notes Blog, Tech 2 comments

For years, we’ve seen characters in science fiction movies using a hand, an eye, or a voice to gain access to highly secure areas in a building. The hero always manages to find a way around these barriers and save the day. It’s not quite so simple, but it’s more challenging for the hot shot spy to access areas using physical characteristics than using passwords.

How much of your day is spent helping end-users track down, reset or gain access to the network because they lost or forgot their passwords or other security issues? What if you could have extra security and added convenience by not using passwords again?

This no-password technology is here and is growing rapidly. It is called *biometrics* and you’re on your way to becoming a hero like those in the movies.

*Biometrics* is the use of automated methods of recognizing an individual based on physical or behavioral characteristics. Common commercial examples are fingerprint, face, iris, hand geometry, voice and dynamic signature recognition.

Adopting new technology

Not all cool technology becomes viable. The old ‘build it and they will come’ concept only works if the buyer is looking for something to solve a business problem. Not just a minor irritant, but a major pain.

Think about the main motivator behind most of the technology purchases you make. There is likely a loss of productivity, existing stress point, or both behind each one.

Password scenarios

In the security world, there is continuing pressure to make your network more secure. Each layer of additional security implemented also adds more complexity to the process. One of the major time wasters for help desk staff is assisting end users with password problems. Password issues have also become an annoyance for the end user.

Consider three basic password scenarios. You operate either with no passwords, with simple and identical passwords, or with complex ones for logon screens, applications and secure Internet sites. Here is the rationale behind each scenario and the trouble it brings:

* No passwords: it’s effortless, but not secure. It’s an open invitation for hackers and peers, and it’s highly vulnerable. There are many people using this method today. Startling, but true.

* Simple or same passwords for all logons: simple to remember, but not secure, easily guessed, and leads to havoc if one password is cracked on a system.

* Complex passwords: these are perceived as secure, but they’re inconvenient. They can be cracked by patient hackers with a little help from password generating programs.

Here is a story from the front line involving a “simple password” usage policy at a particular company. The company’s password policy for employees was as follows:

1. Take the first initial of the first name,
2. Then the last name
3. Add the number one (1) at the end of the string of characters.

Therefore, Joe Shmo’s password was “jshmo1.”

This policy applied to all 70-plus employees. Management’s insistence on knowing every password caused this insecure, inefficient setup. They did not see the other side of the coin: a wicked-minded employee with minimal technical expertise could access the company’s intellectual property for snooping.
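As an added illustration that is not part of the article, the following Python check shows how a password-change hook could reject passwords built from the account holder’s name, such as the “jshmo1” scheme in the story above; the 12-character minimum, the leet substitutions and the sample names are assumptions.

```python
import re
import unicodedata

# Added example, not from the article: a password-change check that rejects
# passwords built from the account holder's name, such as the
# "first initial + last name + 1" scheme in the story above.
# MIN_LENGTH and the sample names are assumptions for illustration.

MIN_LENGTH = 12

# Common digit-for-letter substitutions people use to "strengthen" a word.
LEET = str.maketrans("01345", "oieas")


def _normalize(text: str) -> str:
    """Lower-case, drop accents, and keep only ASCII letters and digits."""
    decomposed = unicodedata.normalize("NFKD", text)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]", "", plain.lower())


def name_fragments(first_name: str, last_name: str) -> set[str]:
    """Name-based strings that anyone who knows the naming scheme would try first."""
    first, last = _normalize(first_name), _normalize(last_name)
    fragments = {first, last, first + last, last + first}
    if first and last:
        fragments.add(first[0] + last)  # "jshmo" for Joe Shmo
        fragments.add(last + first[0])  # "shmoj"
    return {f for f in fragments if len(f) >= 3}


def _cores(password: str) -> set[str]:
    """Variants of the password with its decoration (digits, symbols, leet) removed."""
    base = _normalize(password)
    edge_stripped = re.sub(r"^\d+|\d+$", "", base)  # "jshmo1" -> "jshmo"
    return {base, edge_stripped, base.translate(LEET), edge_stripped.translate(LEET)}


def is_name_derived(password: str, first_name: str, last_name: str) -> bool:
    """True if the password is a name fragment dressed up with digits or symbols."""
    fragments = name_fragments(first_name, last_name)
    long_fragments = {f for f in fragments if len(f) >= 5}  # safe to match as substrings
    for core in _cores(password):
        if core in fragments or any(f in core for f in long_fragments):
            return True
    return False


def check_password(password: str, first_name: str, last_name: str) -> list[str]:
    """Return the policy violations for a proposed password; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_name_derived(password, first_name, last_name):
        problems.append("derived from the account holder's name")
    return problems


if __name__ == "__main__":
    # Constructed samples: the article's Joe Shmo and a few variants of his password.
    for candidate in ["jshmo1", "Shmo2004!", "J5hm0#", "Joe.Shmo.Dept", "correct-horse-battery"]:
        print(f"{candidate!r:26} -> {check_password(candidate, 'Joe', 'Shmo') or 'accepted'}")
```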

There is another contributor to the already complicated password problem. It is bad enough that password-cracking programs let attackers break passwords when they want to infiltrate a network, even when complex passwords are in use on that network.

This contributor is called social engineering. People share passwords with their peers, co-workers, friends and bosses. In a corporate setting, when network break-ins occur, it leads to finger pointing. Worst of all, it causes the loss of valuable time, money and resources. Furthermore, company intellectual property is exposed to the wrong individuals, with potentially catastrophic consequences for the company.

If someone breaks into your network, which of the previously mentioned password issues will come to mind? Most likely, none. The media and marketing firms have conditioned the public to think of outsiders, because frightening people helps them promote and sell security products that block outsiders from infiltrating your network.

The reality is that there is a good likelihood the infiltrator is working within your department, sitting in an adjacent office or in the cubicle at the end of the hall, or is even the person who greets you every morning and offers you a cup of hot cocoa in the hallway.

As big a problem as passwords are for everyone, not being able to secure your network is unthinkable.

A more efficient solution

Biometrics is the solution for simplifying these password security issues. Biometrics provides an additional layer of security, efficiency and convenience for users and IT administrators. The passwords are there if you need them. Nevertheless, you can implement a simple policy to use back-door passwords—say 30 characters long—so no hacker or program can easily break it—and use biometric authentication for all logons, applications and secured internet sites.

Here are a few facts about most biometric solutions:

1. In general, it’s a non-intrusive solution. People often associate biometric devices with the fingerprint imaging devices used by law enforcement agencies. During fingerprint enrollment, however, the fingerprint image is converted into (often encrypted) binary data and stored on the hard drive. Reverse engineering this data back into the fingerprint image is virtually impossible.

2. It’s easy to set up and to use.

3. Different biometric devices can be combined using Boolean authentication rules for additional layers of security: for example, fingerprint recognition together with iris recognition, or either one combined with a password.

4. It can significantly minimize the cost and the time wasted on administration and maintenance of password related issues for IT departments.

5. It maximizes efficiency and convenience by avoiding the need to remember passwords.

The wide spectrum of industries that have already adopted biometric solutions is as follows:

* financial institutions
* pharmaceuticals
* small businesses
* medium and large corporations
* healthcare industry
* educational institutions
* remote corporate employees
* health clubs
* government agencies
* hospitality industry
* consumer industry

The “password” future is here

Firewalls, virus protection programs, intrusion detection and prevention, and patches for vulnerabilities and loopholes in programs and operating systems are examples of nuisances we embrace even though they come with additional costs and headaches.

Biometrics is ready to be embraced by those who require and understand the benefits of added security (against insiders and outsiders), efficiency and convenience in our everyday computing experiences. Just like online transactions, once you start using it, you can’t imagine returning to the older, inefficient technology. Biometrics adoption is real; it is neither an underground movement nor a fictional scene from a James Bond movie. It is the road we will travel.

Discussion: There’s talk that the next step in protecting access is passphrases. What do you think?

About the author:
Nick Farzanfar, founder of FOQUEST Incorporated, has worked in research, consultation, recommendation and implementation of advanced biometric solutions for organizations of all sizes. He is at the forefront of educating the market about the inefficiencies of passwords as the “weakest link in IT infrastructure.” He is working with Boston University, Vermont University and Massachusetts General Hospital to assist them with research and implementation of biometric solutions. Nick holds a Bachelor’s Degree in Computer Mathematics from San Jose State University, San Jose, CA.


eReport #1 Is Coming

Thursday, August 19th, 2004 at 7:44 AM | Category: Meryl's Notes Blog No comments

It’s finally happening. The start of a collection of notes in the form of eReports. I kept telling myself, “Gotta sit down, write what I know, and share it with others.” It happened in early August when the kids started school and the house was quiet again.

The first report will appear next week accompanied with an article to give you a taste of what it’s about. If you like what you read, then jump in and grab the report for yourself. More later. Now, time to get my rear down again for eReport #2.


Extreme Makeovers Done Right

Wednesday, August 18th, 2004 at 8:38 PM | Category: Meryl's Notes Blog No comments

You’ve seen the programs on TV: homes get cleaned and spiffed up, women get Botoxed, men get coiffed and coutured. And on the Web, sites get redesigned. Times change, technology evolves, and business needs mature. The Web site has to respond to all these forces. As with any marketing project, a site redesign is a planning-intensive effort.

Bad PR Sites

Wednesday, August 18th, 2004 at 7:05 PM | Category: Meryl's Notes Blog No comments

There is no such thing as bad PR, any PR is great PR. A bad PR site making this list of worst PR sites of 2004 (as far as I know, 2004 isn’t over yet) gets a little attention, but in the long run, it is going to fail its users. I won’t even cover the use of tables in any of these sites.

First victim, Red, is redecorating. So I can’t see what it’s about. Either way, it uses Flash. There is no reason for it on the home page as it will scare away the search engines, close the doors on those who use accessibility tools, and lose those who don’t have patience for “skip intro.”

Next, Bite bites. It has text problems all right. Can’t change the size. It uses images for text when it is not necessary. The colors are hard on those who have colorblindness. The company doesn’t establish credibility as it doesn’t provide names of the people behind it. I’ll give it one point for the 10 reasons for hiring Bite.

Where is the big bad wolf to blow down Cohn & Wolfe’s front page, which has no skip intro? I have to sit through its cutesy Flash animation. Finally past that. Anyone want to tell me what is on the home page WITHOUT touching the mouse or keyboard? I am not up for guessing games.

Text 100, 1995 called and it wants its scrolling text back. Scrolling text is the next worst thing to have, as nothing tops blink. Text is illegible. Navigation is all over the place. Enough putting it down.

Man, the logo on August.One, which is black and white, is a slow loader when it shouldn’t be. “Enter site?” Uh oh… I am in for it. I bet this means a new pop-up window. I hate it when a Web site takes control of my browser. The scrolling here is worse than Text 100. Dizzy. Must stop. Flipping channels.

Henman Communications Limited. I swear I didn’t read the article’s comments; I just clicked on the link. Going through the site’s navigation, I’m wondering if a mime wrote the content, as there isn’t much there. Certainly not enough to make a business decision as to whether or not to contact them.

Dynamic Solutions. Flash with annoying lines all over the place. Beat it. [ Link and interesting commentary: PR Opinions ]


The Spam Letters

Tuesday, August 17th, 2004 at 9:15 PM | Category: Books, Meryl's Notes Blog, Reviews No comments

The book is based on Land’s Web site of the same name, spamletters.com, which I discovered a few years ago and to which I submitted a letter. The spam letter in question is about hydrogen peroxide and it’s included in the book (p. 112). The original letter is presented along with Land’s creative and hilarious reply to the spammer.

He takes on the role of lawyer, doctor, pastor, casting director, and woman (Joan). Pastor Land is the proud pastor of the Church of Our Mistress of the Perpetual Blonde where, having spent the ’80s importing hydrogen peroxide, he baptizes his brethren through the blonding process. If anyone knows how he can get 500 gallons of the stuff, contact Pastor Land.

That’s what Land has been doing, replying to spammers, and in some cases, the spammers have written back and those are included in the book. He produces works of fiction (don’t tell anyone) and for once, spam is fun instead of an aggravation.

If the book is based on the Web site, why should we read the book? Here are the reasons:

1. There are many letters; it’s difficult to read more than a few online.
2. It’s great reading material away from the computer and the Internet.
3. Laptops don’t handle beach sand, ocean water, or other exotic locales very well.
4. After a lousy day at work, who wants to get on the computer at home? Get a good laugh with the book instead.
5. The book organizes the letters by topic and you can see which ones have replies from the spammers.
6. A book doesn’t make your legs go numb like a laptop on your lap while in the bathroom.
7. No downloading time involved!

You can try before you buy by going to the Web site and reading the letters. Also, check the table of contents to find out which letters are included in the book. Bet you’ve received over half of them. Take out your spam frustrations by reading Land’s retorts. Those who like reading humor books will enjoy this one; it’s one-of-a-kind.

Oh, if you’re one of the few people who buy books at those stores with bricks around them — you can’t miss this one. It’s bright pink. Odd, eh? At least it will be harder to lose the book, since it sticks out like a sore thumb.

Title: The Spam Letters
Author: Jonathan Land
Publisher: No Starch Press
ISBN: 1593270321
Date: June 2004
Format: Paperback
Pages: 336
Price: USD 14.95 / CDN 19.95 / UK 11.99


internet, web, net

Tuesday, August 17th, 2004 at 8:58 PM | Category: Meryl's Notes Blog 2 comments

Wow! Wired has proclaimed It’s Just the ‘internet’ Now. Yet, I have Wired Style, which justifies capitalizing each one. Heck, even the book says, “The Net (also initial capped).”

Wired says, “The simple answer is because there is no earthly reason to capitalize any of these words. Actually, there never was.”

So, does that mean the magazine admits it is wrong and the book is wrong?

Wait! I bet I know why this is happening! It’s releasing a new edition of the book and it wants us to replace our outdated books, right? There is no mention of a new edition in Amazon, perhaps it is a perfectly timed ploy so that when it is there… people won’t make the connection between the declaration and a promotion for the book.

OK, I can handle change. Hey, I’ve done TQM, IDEF0, CMM, and all that fun stuff where change is a big theme. In a heartbeat, I invest in new technology when the wallet allows. Heck, I’m all for ‘E-mail’ becoming ‘email.’ Who wants to add extra keystrokes? But can you give me examples of words where they were initially capped and later dropped the cap? I am blank.

I guess I’ll go burn Wired Style. It’s dated 1999 anyway — 35 years old by ‘internet’ standards.

Update: I corresponded with Tony Long who wrote the edict. He said, “We’re not the magazine. This edict applies only to Wired News, the website (www.wired.com/news). The magazine, a separate entity entirely, continues to cap the I.” The book is from the editors of the magazine.


Nite Key Lite

Monday, August 16th, 2004 at 9:15 AM | Category: Meryl's Notes Blog, Tech No comments

I always go to sleep before Paul does, and he stays up watching TV and computing on his laptop. I’m sensitive to light, so I have creative ways of ensuring the light doesn’t bother me while I’m trying to fall asleep. Along comes the Nite Key Lite to make things a little easier.

The light plugs into the USB port, so it’s easy to use it on any laptop. Sharing is a breeze, which makes for a happier marriage. The cord is 18″ long and flexible so you can adjust it to your needs. It has two LED lights for lighting up the keyboard work area.

The light comes on when it’s plugged into the USB port, but whether it stays on or off depends on the laptop. On my laptop, it goes off when I close the lid. On Paul’s, it’s on the minute it’s plugged in and doesn’t go off until it’s unplugged. His computer is not too bright. I like how it works on mine; that way I can keep it plugged in and turn it off when the laptop is not in use by shutting it.

It only comes in one color: purple, which was my favorite color… when I was a teenager. Silver, clear, or blue would be cool.

You can use it with your desktop computer if the cord is long enough and you work in the dark, which I do once in a while when I get up too early. The accessory is meant for laptops.

I’ve been sleeping better since Paul has been using it. Although Paul and I can type without looking at the keyboard, we type better when there is light; otherwise there’s something unsettling about not being able to see the keyboard out of the corner of your eye. He says his typing is better with the light, and it doesn’t drain his laptop battery any faster than without it.

The Nite Key Lite is an excellent accessory. It’s lightweight, portable, and flexible. Available from Lapworks. The Lite alone is $19.95. It’s also available for purchase as part of a Laptop Desk ensemble.


MCSE Boot Camp

Monday, August 16th, 2004 at 8:20 AM | Category: Meryl's Notes Blog, Tech 2 comments

You won’t see people sweating while doing 100 push ups, running in the pouring rain and taking their physical fitness beyond their limits. There is no bugle blowing at 5:00 AM. Heck, no one dresses alike at geek boot camp. It may not have such physical challenges, but it’s demanding like a traditional boot camp with a different focus.

For 14 straight days, geeks and geek wanna-bes gather in a classroom for a crash course on the subjects covered in the camp. Subjects depend on the selected session. Paul attends the session covering Windows 2000 network, server, administration, and security; MS SQL Server; and the Windows Server 2003 upgrade. He takes two exams on each exam day, in the following order:

70-210 and 70-214
70-215 and 70-220
70-217 and 70-218
70-216 and SYO101
70-228 and 70-229
70-292 and 70-296

For details on the exams, go to Microsoft’s Certification Web site. The odd exam ID is from CompTIA and it covers Security+. The exams start easy and progress to the hardest.

First week

The class spends the first four days learning real world solutions and doing labs based on real world situations so they can apply what they are learning. Afterwards, they return to their rooms to do more learning by reading until their eyeballs fall out.

How’s this for irony? Everyone in the class is an experienced IT professional except for one person who receives a job with Microsoft during the first week of the class. This guy has no or expired certification, but his knowledge of three languages landed him the job.

The night before the test, it isn’t surprising to find a student up until 3:00 AM studying. The fifth day is test day and everyone passes, feeling more energized and ready to tackle more tests. More reading, and then tests again the next two days.

Everyone passes again. Only twice during this boot camp do two students fail, but they immediately re-take the test and pass. This is allowed under Microsoft’s rules and the school’s rules. The students begin racking up new titles all in one week… MCP and MCSA. To them, it feels longer. A few days after the first week, they gain more titles: MCSE, and MCSE Security +.

The toughest tests

Then comes MS SQL. This is a monster for the class because they have to learn some programming and the students are into networking and servers. Luckily, they’ve got a teacher who knows his stuff and gives them what they need and no more. The teacher has over 30 certifications, owns several businesses and plans to start a school.

On MS SQL test day, I anxiously wait for the news of the test results. This is the second longest wait, with the last test day being the longest of them all. Finally, I get an email from Paul who announces he is an MSDBA! I breathe a sigh of relief that must have been heard throughout the third floor where I work.

By now, Paul is burned out. For the first time in almost two weeks, he doesn’t have to study and crashes early that night. The teacher has told the students he has taken the Windows Server 2003 tests four times before he finally passed. Before you call him an idiot, understand a couple of things: he did it on his own and Microsoft made 2003 tests the hardest to keep the number of certified individuals low.

The last day

Paul stays up till 3:30 AM studying for the 2003 tests, which occur on a Saturday. I know his test starts at 8:30 AM and how much the test means to him. An hour after I thought he should have been done, I have yet to hear from him and grow uneasy. Finally, I hear from him and he reports he has passed one and failed the other. Immediately, I slump.

He makes me feel better by telling me everyone in the class has failed one test. He sends an email saying he will leave shortly. With all three kids at home, I leave the computer to do the usual mom stuff. He calls a few minutes later and my daughter talks to him. She tells me that he wants me to check my email. I told her I already know he failed one test and yadda yadda. She repeats.

Back to the computer, I find another email from Paul with the subject: Teacher’s name, that SOB (jokingly!). The message says, “Everyone passed. He pulled the wool over our eyes.” I scream and tell the kids their Dad has passed. The older two clap and cheer. Note: though everyone has passed, some pass by the skin of their teeth with the minimum score needed.

Final thoughts

Yes, it’s an expensive course and thankfully, we receive a loan to pay for it. It is worth it. When you’re a busy adult with kids, it’s difficult to make time for a regular class once or twice a week, do homework, and take a test. A boot camp is like quickly pulling a band-aid off. It hurts for a minute and it comes with the bonus of nine certifications. How it affects his career will come in a future article after he wakes up.

List of exams taken:

Exam 70-210: Installing, Configuring, and Administering Microsoft Windows 2000 Professional

Exam 70-214: Implementing and Managing Security in a Windows 2000 Network Infrastructure

Exam 70-215: Installing, Configuring, and Administering Microsoft Windows 2000 Server

Exam 70-220: Designing Security for a Microsoft Windows 2000 Network

Exam 70-217: Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure

Exam 70-218: Managing a Microsoft Windows 2000 Network Environment

Exam 70-216: Implementing and Administering a Microsoft Windows 2000 Network Infrastructure

Exam SYO101: CompTIA Security+

Exam 70-228: Installing, Configuring, and Administering Microsoft SQL Server 2000 Enterprise Edition

Exam 70-229: Designing and Implementing Databases with Microsoft SQL Server 2000 Enterprise Edition

Exam 70-292: Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000

Exam 70-296: Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment for an MCSE Certified on Microsoft Windows 2000


MCSE Boot Camp

Monday, August 16th, 2004 at 8:11 AM | Category: Meryl's Notes Blog 3 comments

You won’t see people sweating while doing 100 push ups, running in the pouring rain and taking their physical fitness beyond their limits. There is no bugle blowing at 5:00 AM. Heck, no one dresses alike at geek boot camp. It may not have such physical challenges, but it’s demanding like a traditional boot camp with a different focus. [ Read more in meryl.net articles: MCSE Boot Camp ]


Reverse Dictionary

Sunday, August 15th, 2004 at 9:18 AM | Category: Meryl's Notes Blog No comments

I’ve had a word on the tip of my tongue many times. Here’s a great way to find that word. OneLook Reverse Dictionary.

