I thought the following article had pragmatic advice:
Becoming a Great Manager: Five Pragmatic Practices by Esther Derby
For my job, I write corporate employee monitoring software. Some people see it as Big Brother software, and it could certainly be abused in the wrong hands. I believe that technology itself isn’t good or evil; instead it is subject to ethical and unethical use by individuals.
There are many aspects of security. One of them is auditing, the purpose of which is to verify the trust we have placed in an individual. It’s a way of managing risk. The people in whom we place the most trust can do the most damage to us and to our organization. In many cases, we have no choice but to trust. To be distrustful of everyone and everything would be unproductive. I’ve heard the saying “Trust, but verify”, and that’s where our software comes in, because it allows companies to verify the trust they place in their employees — to pinpoint and mitigate risk.
Our software is a great solution in the corporate environment, but it’s not designed nor priced for home and small business use. In particular, I wondered what solutions exist for parents who want to reduce risk to their children who use the internet. I’ll get to that in a moment, because I believe that technology alone will never be a complete solution.
First and foremost, I believe we must teach our children correct principles of safety and responsibility. Teach them what is expected of them when they go online, and what dangers to avoid.
Second, place the computer in a public, high-traffic area in the home.
Third, talk to children about what they do online.
Fourth, since it’s not always possible to be at home monitoring what they do, consider using child monitoring software. As I understand it, it’s legal to monitor children under the age of 18 without their consent.
Fifth, review what the monitoring software collects.
The most complete website I’ve found about child monitoring software is www.1-spy-software.net.
The most mature and industry recognized solution, as far as I could tell from my google research, is Spectorsoft, which is available for Windows and Mac OS X computers.
I haven’t used child monitoring software (my children are too young to use the Internet), so I can’t vouch for its quality, its ease of use, or its effectiveness. What would I look for in a home solution?
Bruce Schneier writes in Forbes about electronic voting:
Electronic voting is like an iceberg; the real threats are below the waterline where you can’t see them. The problem is software — programs that are hidden from view and cannot be verified by a team of Republican and Democrat election judges, programs that can drastically change the final tallies. And because all that’s left at the end of the day are those electronic tallies, there’s no way to verify the results or to perform a recount. Recounts are important.
This isn’t theoretical. In the U.S., there have been hundreds of documented cases of electronic voting machines distorting the vote to the detriment of candidates from both political parties: machines losing votes, machines swapping the votes for candidates, machines registering more votes for a candidate than there were voters, machines not registering votes at all. I would like to believe these are all mistakes and not deliberate fraud, but the truth is that we can’t tell the difference. And these are just the problems we’ve caught; it’s almost certain that many more problems have escaped detection because no one was paying attention.
For the most part, and throughout most of history, election fraud on a massive scale has been hard; it requires very public actions or a highly corrupt government — or both. But electronic voting is different: a lone hacker can affect an election. He can do his work secretly before the machines are shipped to the polling stations. He can affect an entire area’s voting machines. And he can cover his tracks completely, writing code that deletes itself after the election.
You can even do away with the electronic vote-generation machines entirely and hand-mark your ballots like we do in Minnesota. Or run a 100% mail-in election like Oregon does. Again, paper ballots are the key.
Paper? Yes, paper. A stack of paper is harder to tamper with than a number in a computer’s memory. Voters can see their vote on paper, regardless of what goes on inside the computer. And most important, everyone understands paper. In today’s world of computer crashes, worms and hackers, a low-tech solution is the most secure.
For my first computer job, I did half tech support and half programming at Brigham Young University. I enjoyed helping people because they were appreciative when I could solve their computer problems.
It was interesting that about a third of the time, all I had to do was walk into the office of the professor that was having a computer problem, and the problem would be solved. I didn’t have to do anything. It was like magic. The same scenario occurred for the other tech support guys.
That was in 1992, and I had forgotten about that magical aspect of computer support. Last night, however, I was reminded when I went to a neighbor’s house to help with a printer that wouldn’t print. I didn’t expect to find an iMac. It seems like most people have Windows computers. Here was an exception. The first task was to power it on. Where was the power button? I felt foolish that I couldn’t find it. Although I programmed in 4D and Foxpro for four years on a Mac, the experience with legacy systems didn’t help me with today’s hardware. I searched for the power button on the keyboard, on the monitor, and on the base of the iMac. Somehow, I missed the nearly invisible power button located near the back of the base. Fortunately, the 10 year old son showed up and powered it on. He also turn on the printer. I had him print a test page, and it worked. The 10 year old was shocked. It hadn’t worked before. He had tried fiddling with USB cables, etc., but to no avail. Once I showed up, it worked, magically.
Now I hope it continues to work.
David A. Wheeler explains Why Your Vote Doesn’t Matter with Direct Recording Electronic (DRE) Voting. This doesn’t mean we should stop voting. It means we need to hold our public servants and our vendors accountable to give us secure voting systems.
The solution to any problem is found in the proper definition of the problem
— Doug Hale
Everything in software changes. The requirements change. The design changes. The business changes. The technology changes. The team changes. The team members change. The problem isn’t change, because change is going to happen; the problem, rather, is our inability to cope with change
— Kent Beck
Creativity has more to do with interaction that brilliance — CTO
“Security systems are never value-neutral; they move power in varying degrees to one set of players from another.” — Bruce Schneier, Beyond Fear p. 35
“People exaggerate spectacular but rare risks and downplay common risks”. — Bruce Schneier, Beyond Fear p. 26
“Technology is generally an enabler, allowing people to do things. Security is the opposite: It tries to prevent something… That’s why technology doesn’t work in security the way it does elsewhere, and why an overreliance on technology often leads to bad security, or even to the opposite of security.” — Bruce Schneier, Beyond Fear p. 13 Is your client-server software secure? You may be surprised to find that even mature software, sporting the use of standard encryption, could be putting your mission-critical data at risk. Why is that? It has to do with economics and the lifecycle of software. Here are the stages. Prototype. No one cares about the security of the client-server communication. First release. Althought the system (likely little more than an improved prototype) has been shipped, it may not be usable, and if it is, it lacks mission-critical features. Security is low on the priority list. If encryption and authentication were implemented, it is most likely minimal, brittle and insufficient. If the security is robust, the product is not functional and likely never will be because the ISV will go out of business. Second or third release. If the ISV has survived long enough to release a second or third version, customers likely demanded the use of standard encryption. In the old days (the 1990s), this means the ISV would have switched from XOR “encryption” to DES or 3DES. These days, standard encryption probably means use of SSL/TLS without certificate checks. Note that customers probably won’t ask about the security of the authentication mechanisms. Unfortunately, use of a standard encryption algorithm doesn’t mean communication is secure. Software is likely to be vulnerable to man-in-the-middle attacks and have authentication bugs. The customer isn’t likely to know this, and neither is the ISV. If the ISV does know, they won’t fix the problems. This shouldn’t be surprising — the risk tolerance is different for the ISV versus their customers. The software vendor isn’t the one that is going to suffer losses due to information disclosure or breach of integrity. At this stage, customers usually apply more pressure to implement new features than to focus on security. Of course, this is based on ignorance of the actual situation. The vendor isn’t likely to want to pay the price to improve security… unless the customer knows and applies pressure to get it fixed. Eventually, a security-conscious customer (i.e. a financial institution or a government) hires someone to evaluate the software, and they start asking hard questions of the ISV. Most of the ISV’s software engineers won’t know the answers because the security mechanism is transparent to their daily work — it stays out of sight, and out of mind. Eventually, people figure out that the encryption is vulnerable to man-in-the-middle attacks or authentication bugs. At first, customers may be reluctant to believe that the security holes are serious, and then they will panic. They will apply pressure to the ISV to get it fixed.
Take-away points:
Tim Bray explains what is to like about the Ruby programming language:
I’ll jump to the conclusion first. For people like me, who are proficient in Perl and Java, Ruby is remarkably, perhaps irresistibly, attractive. Over the last week I’ve got an unreasonable amount of work done in a ridiculously short period of time, with lots of interruptions, in a language I previously didn’t know. It’s intuitive enough that I’ve often found myself guessing at a syntax or a method or a usage and getting it right first time.
Maybe the single biggest advantage is readability. Once you’ve got over the hump of the block/yield idiom, I find that a chunk of Ruby code shouts its meaning out louder and clearer than any other language. Anything that increases maintainability is a pearl beyond price.
I’ve been programming in C and Java for a quarter-century and I find Ruby easier to read, only a week in. Of course, a language’s culture is often more important than all that technical crap. I’ve found the ruby-talk mailing list to be a fount of wisdom and friendly to ignorant newbies too.
http://www.tbray.org/ongoing/When/200x/2006/07/24/Ruby
Follow the link to find out “What’s Lame” about Ruby.
breakfast discussion, Phil Windley
Security quotes
Stages of Security in the life of computer software
Tim Bray tells us what’s awesome about Ruby