Sunday, July 12, 2009

Dealing With The Internet In The Workplace.

Most companies, since companies began to be the preferred business unit, have wanted just a few things from their employees:  Be as young and energetic as possible; Be as experienced as the older staff; Spend 100% of your time working, no meal or toilet breaks would be just bewdiful thanks; Work for junior rates doing a senior job.

After all, it's not much to ask, is it?  And yes yes yes I'm being sarcastic.  The work day for all critters seems to be a big long but amusing search for food interspersed with intervals of work, not the other way around.  Articles like this one demonstrate the efforts that management have to go to, in order to try and get that work/leisure/effort/effect balance right.  Do you open the Internet?  Block most of it? Have company firewalls, or secure application servers?

Let me put it this way - twenty years ago, how did companies prevent the equivalent circumstances?  Instead of a firewall, there was a mailroom that inspected stuff going inbound and outward.  Long employee chats with colleagues were examined for whether they were relevant to work or not, and then controlled as needed, by supervisors. And try as they might, employers had no way of preventing employees from walking out with company secrets firmly engraved in their brains, any more than they have a way today to prevent a company database walking out on an iPod or MP3 player or memory stick or card...

The thing that worked best, it turns out, is maintaining watchfulness.  So here's a thought, given freely after nearly two decades of dealing with users and technology:  Watch, Decide, Act.

Watch what happens in your office and on your LAN.  Are your servers logging and flagging unusual events? That's the first thing you should be watching - and in order for the "unusual" flags to apply, you have to decide what constitutes "usual" and "unusual."  Capture all traffic and put it through transparent proxies, not to prevent it, but to record it.  Experiment with the output of the logfile. A good analyser program will soon start telling you which machines spent how much time surfing what, where, and when.
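A small version of such an analyser, added here as an illustration and not part of the original post: it totals bytes per machine per day from proxy log lines and flags a machine whose latest day is far above its own history. The Squid native log layout, the sample addresses and hostnames, and the `factor` and `min_history` thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median
from urllib.parse import urlsplit

# Constructed sample, Squid native layout (an assumption; the post names no proxy):
# time elapsed_ms client action/code bytes method URL ident peer type
SAMPLE_LOG = """\
1247011200.0 120 10.0.0.21 TCP_MISS/200 40000 GET http://news.example/ - DIRECT/192.0.2.10 text/html
1247011260.0 90 10.0.0.22 TCP_MISS/200 30000 GET http://intranet.example/ - DIRECT/192.0.2.20 text/html
1247097600.0 110 10.0.0.21 TCP_MISS/200 50000 GET http://news.example/ - DIRECT/192.0.2.10 text/html
1247097660.0 95 10.0.0.22 TCP_MISS/200 32000 GET http://intranet.example/ - DIRECT/192.0.2.20 text/html
1247184000.0 130 10.0.0.21 TCP_MISS/200 45000 GET http://news.example/ - DIRECT/192.0.2.10 text/html
1247184060.0 85 10.0.0.22 TCP_MISS/200 31000 GET http://intranet.example/ - DIRECT/192.0.2.20 text/html
1247270400.0 125 10.0.0.21 TCP_MISS/200 42000 GET http://news.example/ - DIRECT/192.0.2.10 text/html
1247270460.0 88 10.0.0.22 TCP_MISS/200 33000 GET http://intranet.example/ - DIRECT/192.0.2.20 text/html
1247270520.0 60000 10.0.0.21 TCP_MISS/200 900000 CONNECT video.example:443 - DIRECT/192.0.2.30 -
"""

def daily_usage(log_text):
    """usage[client][day][host] = bytes the proxy delivered to that client."""
    usage = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for f in map(str.split, filter(str.strip, log_text.splitlines())):
        host = f[6].rsplit(":", 1)[0] if f[5] == "CONNECT" else urlsplit(f[6]).hostname
        day = datetime.fromtimestamp(float(f[0]), tz=timezone.utc).date().isoformat()
        usage[f[2]][day][host] += int(f[4])
    return usage

def flag_unusual(usage, factor=3.0, min_history=3):
    """Flag a client whose latest day exceeds factor x the median of its earlier days."""
    findings = []
    for client, per_day in sorted(usage.items()):
        days = sorted(per_day)
        earlier, latest = days[:-1], days[-1]
        if len(earlier) < min_history:
            continue  # too little history to say what is "usual" for this machine
        baseline = median(sum(per_day[d].values()) for d in earlier)
        total = sum(per_day[latest].values())
        if total > factor * baseline:
            top_host = max(per_day[latest], key=per_day[latest].get)
            findings.append((client, latest, total, baseline, top_host))
    return findings

if __name__ == "__main__":
    for finding in flag_unusual(daily_usage(SAMPLE_LOG)):
        print(finding)
```

The baseline is each machine's own history, so a heavy but steady user is not flagged while a sudden jump is.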

Similarly monitor all accesses to your own servers and workstations. Is that new person poking around on the Sales VP's machine?  That might be deemed "unusual," unless they are the SVP's secretary or PA.  Is someone repeatedly trying to send malformed traffic to your SQL server?  Time to check that they're not hacking you, or that their workstation might not be compromised by a Trojan.

As has been repeatedly pointed out, you can't prevent sufficiently determined employees from doing all the above and more.  Shutting the barn door after the horse has bolted may well lose you a horse, but shutting it before the horse bolts, prevents anything from happening in the barn at all.  Making the door more person sized means all your chickens will still be able to escape, and raising it still won't prevent the rats and pigeons from using it...

The problem lies in working out what's usual and useful, compared to unusual and harmful.  Block YouTube or FaceBook? Fine, but some people actually use those in the course of their duties.  I might find it easier to post a video and let a sales prospect know about it via their FB account.  On the other hand, I might also be using those two to dig up dirt on colleagues to coerce their cooperation with a pet project or a project to steal data...

In all the time I worked in IT and system and network administration, the problems such as the above were always "unusual," and that's generally how they were picked up, precisely because they were unusual.  Locking down access and traffic generally resulted in less bandwidth, but no discernible change to the risk/benefit ratio.  I became a great logfile reader, and picked up no end of minor breaches that way.  There are now programs that do what I did, but they need to be trained and set up, and usually the person that has to do that is the system admin.

In an age where personal electronics is everywhere, it's also possible for an employee to place company data onto their personal multimedia device, then connect right up to the McDonald's hotspot right outside your office and upload that data - it takes only minutes, or even seconds given a suitably skilled person - and all your logs would show is that employee "Z" accessed the payroll database for a bit longer than normal.

That information didn't - and can't - help you at the time, but it will form a trail that can be backtracked on when you discover that your best people have been headhunted at salaries that are just the right margin above the salary you were paying them...

"Blocking" the external WiFi hotspot?  You may as well try and hold back water with a flyscreen.  And indeed it may well be illegal to block wireless communications, in some places, and with certain forms of wireless.  You may not (for example, and as far as I'm aware) block mobile phone signals at any time, and what if your superduper "cellphone buster" that you've placed in operation to block employees from spending all their time calling friends and family also blocks cellphone access to the company next door?  And if you reduce the range of the quencher, then you'll find knots of employees in the areas that the signal misses...

My personal belief is that keeping people engaged, involved, rewarded, and stimulated is the best way to command loyalty, and watchfulness to make sure that this loyalty doesn't waver is the second step.

Thursday, July 9, 2009

Veni Vidi Virus

And here's the rest of the world catching up to my thoughts from years ago...    In the dusty archives somewhere, I think I had an article about what will happen to implant wearers once those implants connect part of their real life bodies to the virtual world, to the real life world of script kiddies, sociopathic hackers, and other online entrepreneurs.

Here's one of the things that worried me then, and worries me now:  If I have a prosthetic limb or just an enhancement to existing limbs, and this is controlled via a brain implant, which in turn has wireless connectivity to allow the control and adjustment of the augmentation.  And if some script kiddie finds a way to reverse a few numbers somewhere.  And I happen to be walking along an elevated footpath, I think "move right" and the brain implant issues a "move right" and the augmented limb then moves left.  And happens to knock a fellow pedestrian off the footpath, they crack their head, and subsequently die.

Who's guilty now?  Me for being the one who physically carried out the action leading to the death?  The manufacturer of the system for not building in safeguards and intrusion protection?  The hacker, wherever and whoever they may be, and who may have carried out the hack without any knowledge of where I was and what I was doing at the time?

This situation isn't just going to apply to body-worn augments, of course.  Assume I'm an early adopter and have a personal robot assistant.  Or (and this would be one reason car manufacturers might be a tad shy to put automatic drive controls in their cars) I have a personal transporter that pretty much runs on autopilot and connects via mobile broadband to download routes from Google Maps.  Only Google Maps has been hacked and along with the map it downloads a zero-day payload...

You can see that where the Law has been slow to catch up with current cyber wrongdoing, the rate of change is about to ratchet up by another whole order of moral and legal decisions needing to be made.

Wednesday, July 8, 2009

Saw Point

As a teenager, I was pretty handy in manual arts, both woodwork and metalwork.  I remember once I left high school pricing the odd tools for handyman jobs both at my parents' house and my own projects, and one of the more highly priced (and prized) of my hand tools was a Disston foxtail saw.  Back then I didn't know the background or the history of Disston saws, I just knew that they were one of the better quality saws available, they were imported from "overseas," and I saved a few weeks before I could buy mine.

Now the back story is filled in for me, by this short story and the lovely slideshow of pictures, of the history of Disston Saw Works in Philadelphia.

Tuesday, June 9, 2009

Upload Thyself.

So now we're going to get a method to upload your body to a computer.  Fair enough, it's just a virtual body, but that's all you need in virtual life.  I've already posited that this will happen, and that we'll also get the technology to upload our brains.  (Don't ask me when - look wayyyy back in this blog, cos I predicted this wayyyyy back...)

So am I going to sit back smugly and say I tolja so?  YOU BETCHA!   %)

Tolja so!  Nyah!

Wednesday, June 3, 2009

The World Just Shook, Microscopically...

And with that, "grey goo" came a step closer...

Tuesday, May 26, 2009

Day Not At The Office

Maybe it's working in IT.  Or maybe just working at an office that Scott Adams could have based his comic strip on.  But it puts me of a mind to agree with this Treehugger article.  The days of the office are over.

One of my least favourite activities had to be meetings.  Once, sometimes twice a week.  To begin with.  But then suddenly there were meetings to schedule meetings, meetings to discuss stuff raised at other meetings, and more. I'd often take a wirelessly-connected laptop to those meetings so that while it might look like I only had my notes and spreadsheets with me, I was actually remote logged into the servers and doing the work that I would have been doing had the damn meeting not been called...

So I agree - in a teleconf, who hasn't been doing other things?  And why not?  That whole argument by Lane Wallace smacks of someone who doesn't have focus, or at least who doesn't trust the rest of humanity to be as focused as her.  Yes I can understand that some people would use teleworking as their chance to goof off and just draw wages - but that's where management have to take a responsibility for monitoring and - surprise! - managing their teams.  If someone isn't performing, invite them to the (much smaller) office for a face to face if you must, or preferably have a telemeeting with them.  If that doesn't get their attention and their work ethic, then dismissal is always an option - after all, there's going to be ONE person in the world who will see that job as interesting and an opportunity...

I've worked from home with people around the globe, on servers at the end of a chain of VLANs and VPNs and office networks, and even for an IT administrator who needs to reboot and restart servers, it was possible to set up mechanisms that meant I rarely had to be onsite.  I've done helpdesk and remote admin for people up and down the state - while sitting on the edge of the bed watching TV and chatting with my partner.

Our Sales force were more on the road than at the office, and didn't even use a home office, instead using their laptops, mobile phones, and a dash of ingenuity to work remotely long before teleworking became a buzzword.  Most of our office staff that were in the office could easily have worked from home instead, the only thing keeping them at work was the management who were not at all receptive to teleworking or trusting of their staff to remain work-centric if they weren't under a watchful gaze and itchy whip hand.  I've got news for them, 75% of the office staff goofed off for periods of from 30 to 120 minutes every day anyway...

Lastly - I think I mentioned in another blog post that smaller enterprises are going to be a bit of a market force to deal with.  And it's also going to be the enterprises that work smarter, and can cover more of the globe.  You can organise almost anything using the Internet these days, and the 'almost' will be covered before another year or two have gone, mark my words.  Instead of having an office full of local people - many of whom will suffer from that "I'm only here for the wages" syndrome - you can pick a smaller, dedicated team from anywhere in the world.  And have a presence 24/7, everywhere.

They say that if you find a job you like, you'll never work for a living again.  And if you raise your sights when looking for staff to fill positions, you're more likely to find that person that actually likes the job you're offering, and reap the benefits...

Friday, May 22, 2009

Can Haz New New Inventors Plz?

I've just had the most wonderful trip around the garden path, and I haven't even left my chair...  As long-time readers know, I have ideas, eminently capitalisable ideas, and of the last five years at least, those ideas have been focused on making a difference to energy use, climate change, and sustainable resources use.

Today I think I experienced the ultimate "innovation" oxymoron.  I went to an Australian Government department whose sole function is to nurture innovative ideas, and got shunted around Australia a bit, then finally told that they don't actually deal in innovation, but in fully-formed innovative business ideas.  That was the main gist of the conversation I had with the various people on the phone.  "We're not actually interested in innovation so much as in the business making money from innovation..."

There are research grants, too, yes, I nearly forgot.  But for ideas and concepts that are already under development and which have projected earnings.  So if I have an idea for a way to make a motor vehicle more environmentally friendly, I have to somehow fund enough research (on a pension) to prove that I can produce the whole thing (i.e. a prototype) and then have done all the market research (again, on a pension) to prove that people will flock to it and buy it in droves, despite any future further economic downturns or disasters?  And I'm supposed to do this so that I can prove to that department that I don't need them?  Please to be off-buggering now, government department.

And thanks for all the fish, cos it sure wasn't any help!
