Wednesday, October 27, 2004

Dressfullness

This is a stupid test to see whether Google will pick up this word, which cannot be found in its dictionary so far. So, dressfullness is the word. I'm just curious whether people are actually searching for this word. Chances are very good, I estimate, that someone will click when they see this one and only link.

Fresh Inspiration: logging-/debugging tool

Reading "How to be a Programmer" by Robert L. Read, I felt inspired by the part on debugging. Thought to myself: well, my not using real debugging tools almost always leads to Debug.Print debugging. How often do I find myself putting Response.Writes on ASP pages and Debug.Print in VB code. Or... even MsgBox comes into play sometimes. Wouldn't it be nice to have an abstract class which I can call, and which handles the debugging/logging for me. So far I have set up something simple which just writes some info to a logfile. For me, working like that is easy, because I can have an Editpad window with automatic refreshing open on the log. So far I can think of the following features:

  • choose debugging (immediate/debug window) or logging (file) mode
  • loghandling: overwrite existing file, append new info, or use multiple files based on datetime
  • handle verbosity, logging level: low, medium, all?
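As an added illustration (my own Python sketch, not the author's VB code), here is what a helper with exactly those three features could look like; the class and function names are assumptions.

```python
# Added example: a small logging/debugging helper with the three features
# listed above: output mode, log-file handling strategy, and verbosity level.
import sys
from datetime import datetime
from pathlib import Path

LEVELS = {"low": 0, "medium": 1, "all": 2}   # verbosity, lowest to highest

class DebugLog:
    def __init__(self, mode="debug", level="medium", logfile="debug.log",
                 filemode="append", stream=None):
        # mode: "debug" writes to a stream (the "immediate window"),
        #       "log" writes to a file.
        # filemode: "overwrite", "append", or "datetime" (new file per run,
        #       named with a timestamp so earlier runs are kept).
        self.mode, self.threshold = mode, LEVELS[level]
        self.stream = stream if stream is not None else sys.stderr
        self.path = Path(logfile)
        if mode == "log":
            if filemode == "datetime":
                stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
                self.path = self.path.with_name(
                    f"{self.path.stem}-{stamp}{self.path.suffix}")
            elif filemode == "overwrite":
                self.path.write_text("")           # truncate existing file
            elif filemode != "append":
                raise ValueError(f"unknown filemode {filemode!r}")

    def write(self, message, level="medium"):
        """Emit the message only if its level fits the configured verbosity."""
        if LEVELS[level] > self.threshold:
            return False                           # filtered out
        line = f"{datetime.now():%Y-%m-%d %H:%M:%S} [{level}] {message}\n"
        if self.mode == "log":
            with self.path.open("a", encoding="utf-8") as f:
                f.write(line)
        else:
            self.stream.write(line)
        return True

def demo():
    """Exercise both modes; returns (debug-stream lines, logfile lines)."""
    import io, tempfile
    buf = io.StringIO()
    dbg = DebugLog(mode="debug", level="low", stream=buf)
    dbg.write("startup", "low")
    dbg.write("detail", "all")                     # dropped at verbosity "low"
    with tempfile.TemporaryDirectory() as d:
        log = DebugLog(mode="log", level="all", logfile=f"{d}/app.log",
                       filemode="overwrite")
        log.write("one", "medium"); log.write("two", "all")
        file_lines = log.path.read_text().splitlines()
    return buf.getvalue().splitlines(), file_lines
```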

What do you think: is this the mother-of-super-dullest helper apps, or can it really be interesting? So far, I tend to the former, negative side, as far as its usefulness to the community goes. I am the last to say there are no logging applications already. But even being the mother-of... it can still be a good learning experience for me. And something to keep me up at night, if both my son and his soon-to-arrive brother or sister aren't already doing that :)

Wednesday, October 13, 2004

"Open Office" at the Public Prosecutor

These days, here in the Netherlands, we have our own little security scandal. Let me introduce you to the story: a public prosecutor by the name of Joost Tonino in Amsterdam saw his PC affected by a virus. He couldn't get it to boot anymore, and thought he might just as well throw it away. An effective means of getting rid of a machine is, of course, to put it bluntly on the street as trash to be taken away. And that's exactly what he did. You can read more on the story elsewhere, and there are lots of English-language stories on the subject, so you don't need to master the Dutch language in order to understand it. It all started with a cab driver who took the machine home, was able to get access to the unprotected hard drive, and read all of Tonino's personal and confidential stuff. There was an abundance of info related to recent criminal lawsuits in our country. A couple of days later, the story continued as some cracker hacked the personal mailbox of the man, whose email address had already been shown in a Dutch crime fighters' TV show. The password was supposedly communicated (I haven't seen the program myself) but had subsequently already been changed. I can imagine how much of a trigger this can be to some, to give it a try... Why at least something so trivial as this personal email account, free to acquire, was not immediately taken out of use is beyond me. This morning the latest news is that Tonino has resigned from his function.

Well, my point is not to discuss how stupid it is to put your machine on the street just like that. Nor do I want to talk about the decision of one person to put highly sensitive information on an exposed free mailbox. I think the background is much more interesting. Supposedly people in these positions, who handle information about matters of life and death, are able to do things like this. This was an accident, but it would be quite naive to think that it doesn't happen on a larger scale. Also, the Public Prosecutor's Office (Openbaar Ministerie) won't be the only government organization affected. Maybe this happens on a much larger scale than I can even think of. It gives me the shivers imagining all the information flowing around unprotected. Now, it is said that the Justice Department should take preventive measures, but of course that's nothing more than an automatic reaction. This is 2004; we have had the means to prevent these things for years already. Let me enlighten you:

The first thing they should have done - not now, but in the not so recent past - is to have a security audit team investigate information flows in the complete organization. It will show quite soon that there's a lot of information that maybe shouldn't cross the internet at all. This is something that should be discussed with all employees involved. The dangers of letting sensitive information flow outside the organization should be communicated to them clearly. In my point of view, it all starts with having everybody involved understand thoroughly what's going on. Once it's common knowledge that information is an important asset worthy of protection, you can talk about the specific course of action. In this case an obvious point would be to have no work-related information go to personal external mailboxes. There are ways to enforce this, such as monitoring internet usage, or scanning where documents are sent to. Furthermore, a more rigid way of working should in no way inconvenience the employee's access to vital information. Think VPNs or other ways to log in to the network securely (man, it is even imaginable to have dedicated lines from the employee's private home to the court. It probably is not feasible for everyone, but for people in positions like the prosecutor's, it should be given at least some thought. Btw, I heard on the radio that the Dutch Parliament connects this way to their network, on machines which are not used on the internet; you have a closed circuit this way, which is of course much safer. As an aside: even in the NSA there have been computers intended only for internal use that were compromised by viruses because they were connected to the internet. So how much of this info is true, I wouldn't know).

But, we were talking VPNs: one should be careful about client-side trouble, so a remote machine must be protected adequately. There are ways to enforce this. It's more or less trivial these days to have secure access to the work environment. If we, with our very small company, can handle this, why can't the government? They have some of the smartest hackers around at the Forensic Service, they have a Secret Service who knows how to break into mailboxes if they want to; so they also know how to be secure, one would think. The correct way to handle this is not to require the Justice Dept to take appropriate steps to prevent this in the future. No, one should think, at a much higher entry point, about all places in the government where sensitive information is handled. How are we going to secure all these information streams in appropriate ways? How are we going to teach employees how to work securely? I don't think it can be prevented in all cases that information will cross the internet. In that case, use SSL, VPNs, personal email certificates or other measures. These encryption tactics are certainly not the whole picture, but can be a good enhancement. Awareness and appropriate employee tools are just as important. You can tell everybody on a monthly basis how dangerous it is to zip your stuff and mail it home, but if there's no suitable solution to access information from home, this *will* happen in the end.

Of course, no measure can create a 100% secure organisation, where never, ever any sensitive information will get in the open. In the end there are always people involved. Someone somewhere can be bribed, someone bears a grudge, or whatever. No hardware, electronic tripwire, encryption software or what have you will prevent someone from putting something on a diskette, printing information out and taking it home, etc. etc. You get the point. Security is always a trade-off, as security guru Bruce Schneier likes to say. These days, budgets are tight, and we can never be completely safe, but surely we can do something valuable with our money. Just as in medicine it is just not possible to always treat everybody with the most expensive / most effective drugs, we also have to take care where to put our money.

Tuesday, October 12, 2004

Just to tell you I'm still here...

Just read a nice article by Mike Gunderloy of Coder to Developer fame, Query Analyzer Tips and Tricks. Although I'm working in the Q.A. almost every day, there are still some things I didn't know about. Point is, as soon as you find a way to do something, you stop looking for quicker shortcuts (assuming doing it your way is 'fast enough'). Therefore it's good to never stop reading, and learn something in the process...
[aside]Btw, when I stopped blogging more than two months ago, I was curious whether I would quickly feel the need to continue writing. As it turns out, this hasn't really been the case. Only sometimes, when new security troubles loomed on the horizon, e.g. the recent ASP.NET Canonicalization issue, I thought 'man, I should blog this'. But then, dozens of bloggers did nothing other than just report this, and refer to the aforementioned site. So, what could have been my contribution other than repeating what's already been said?
Maybe it's unfortunate, this lack of blog urge; maybe I'm just not much of a writer. Well, I guess you'll be hearing something from me in the near future, only I don't know how near. In the meantime, can you please, please let me know you are also still there, beloved reader???