The Worth of College Degrees

About three or four years ago I found myself in a Barnes & Noble (an actual store for books, for you young ones) looking for a programming book of sorts.  I was pretty disappointed in the selection and said so out loud, not realizing there was someone standing nearby.  An older gentleman, overhearing me, decided to strike up a conversation with me about education (this seems to happen to me often).  During the course of this discussion, this anonymous man made one comment that has stuck with me for years – “Degrees only matter for a point in time.”

Over the years, while completing my degree and making the transition into the real world, this statement has resonated in the back of my mind.  As my career has progressed and my skills have developed, I’ve come to really understand the meaning of this anonymous man’s statement.  Moreover, I’ve come to believe wholeheartedly that a college degree actually doesn’t mean much more than that you are a trainable monkey.  That is to say that we, as a society, put too much emphasis on college degrees.

Before I continue, let me make one thing very clear.  This article is not meant to say that college is all bad, and it is not meant to be a debate about the value of higher education.  I fully believe that higher education is necessary.  You have a tremendous number of learning opportunities in and outside of the classroom that you would not get in any other environment, and the networking opportunities that you have in college are unparalleled.  So, for emphasis, the argument here focuses solely on the value of a college degree.

Depending on where you live, the salary discrepancy between those with college degrees and those without is somewhere between 40 and 99%.  What I have always found particularly interesting about this little statistic is that those with only high school diplomas tend to find their way into the workforce much earlier, giving them the opportunity to gain real world experience, while those in college come out (in a lot of cases) with little to no real world experience.  A degree is not necessarily a good indicator of one’s ability to perform a job.  It is a good indicator of that individual’s ability to test well in controlled situations.

Real world experience, whether through internships or full time work, is much more valuable than a degree.  I have interviewed many recent grads over the past few years only to find that most of them spend no time outside of the classroom learning about the industry they hope to play in.  They come to interviews with the ability to regurgitate textbook definitions of technical terms, but no idea how to apply that knowledge to a real world situation.  Perhaps my standards are a bit high, but only 42% of employers believe recent graduates are ready for work, so I am obviously not alone.  Even companies like Google see less value in college degrees these days, with more emphasis on the skill set of the individual.

The fact is, education extends beyond the classroom, and many students fail to realize this.  If you are a student in a college degree program who stops learning once you leave the classroom, you are not doing your job.  The traditional definition of the word education is dated, with an emphasis on classroom-based education, and is perpetuated by a class of individuals who view themselves as above those without college degrees, unless those individuals become tremendous success stories like Mark Zuckerberg and Bill Gates.  Sadly, this definition is taken as doctrine by most of today’s students, leaving them far behind the curve when they graduate with these degrees.

Websites like Coursera and services like iTunes U, providing top notch education from major universities, are making higher education much more accessible to individuals with interest and drive, and are making college degrees less necessary.  Society today still puts a heavy emphasis on college degrees, but we are starting to see a shift from that model to something different.  It is not an entirely new paradigm: in the professional world we are all required to stay current on changing times, laws, and technologies long after receiving that piece of paper that seems to define us.  It seems society may finally be starting to put less emphasis on college degrees.

Posted in college degrees, higher education, Tech Ed

What You Give Away

“…You also agree that you will not use these products for any purposes prohibited by United States law, including, without limitation, the development, design, manufacture or production of nuclear, missiles, or chemical or biological weapons”.

Even though you have probably never actually read that statement, you have more than likely agreed to those terms on several occasions. That little gem comes right out of the Apple iTunes End User License Agreement. You know – the thing that you usually just hit “Accept” or “I Agree” on without reading so you can get to using the application?

How about this one:

“To enhance your online experience, we use “cookies” or similar technologies. Cookies are text files placed in your computer’s browser to store your preferences. Cookies do not contain personally identifiable information; however, once you choose to furnish a site with personally identifiable information, this information may be linked to the data stored in the cookie”.

That came right out of the CNN Website Privacy Policy. Their policy goes on to say that “third party service providers” may also use these cookies to collect information and that “Visitors should consult the other sites’ privacy notices as we have no control over information that is submitted to, or collected by, these third parties”.

Oddly enough, those terms are pretty standard for any website you go to. In fact, if you take a look at every privacy policy and terms of service agreement you have ever agreed to, tacitly or explicitly (don’t try it; it would take about 76 work days), you will find that you give away more information on a daily basis than you knew was being collected about you. For instance, when using Netflix, did you know they track whenever you rewind or pause a movie or show? Mobile service providers track things like what cell towers you connect to and how long your calls last. To top it off, they retain all of these data points and later run massive analytics to profile who you are. Your mobile service provider likely knows more about your day to day habits than your closest friends.

A few years ago I decided to take all of the publicly available information on Foursquare in the Northern Virginia area for 4 months. I picked a random, seemingly anonymous user out of this mass of data and tracked that user’s movements for those four months. End result – with this data and a little bit of social networking, I was able to determine the name of this pilot, who was based out of IAD and decided it was a good idea to check in at every airport he flew to, and at the Burger King he liked to frequent between 6:15 and 6:18 am before arriving at work around 6:45 am when in Virginia.
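The kind of analysis described above can be reproduced on a small scale. The following is an added example, not code from the original post, and the check-in records in it are constructed: it takes a list of public (user, venue, timestamp) check-ins and pulls out each user’s recurring venue-and-time-window habits plus their one-off destinations, which together are exactly the anchor points that turn a “seemingly anonymous” account into a person with a routine and a route map.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of public check-ins: (user id, venue, local timestamp).
# These are made-up records for the example, not data from the original post.
CHECKINS = [
    ("u42", "Burger King, Sterling VA", "2012-03-05 06:16"),
    ("u42", "IAD Terminal B", "2012-03-05 06:47"),
    ("u42", "DEN Concourse A", "2012-03-05 10:02"),
    ("u42", "Burger King, Sterling VA", "2012-03-07 06:17"),
    ("u42", "IAD Terminal B", "2012-03-07 06:45"),
    ("u42", "SFO International", "2012-03-07 12:30"),
    ("u42", "Burger King, Sterling VA", "2012-03-12 06:15"),
    ("u42", "IAD Terminal B", "2012-03-12 06:48"),
    ("u42", "ORD Terminal 1", "2012-03-12 09:10"),
    ("u42", "Burger King, Sterling VA", "2012-03-14 06:18"),
    ("u42", "IAD Terminal B", "2012-03-14 06:46"),
    ("u77", "Coffee shop, Arlington VA", "2012-03-05 08:30"),
    ("u77", "Coffee shop, Arlington VA", "2012-03-06 12:05"),
    ("u77", "Gym, Arlington VA", "2012-03-08 18:40"),
]


def parse(records):
    """Turn (user, venue, 'YYYY-MM-DD HH:MM') tuples into datetimes."""
    return [(u, v, datetime.strptime(ts, "%Y-%m-%d %H:%M")) for u, v, ts in records]


def _label(slot, window_minutes):
    start = slot * window_minutes
    end = start + window_minutes - 1
    return f"{start // 60:02d}:{start % 60:02d}-{end // 60:02d}:{end % 60:02d}"


def routines(records, min_visits=3, window_minutes=15):
    """Group each user's check-ins by (venue, time-of-day window) and keep the
    groups that recur at least min_visits times. A recurring group is a habit:
    a place the person is reliably at, at a predictable time."""
    buckets = defaultdict(list)
    for user, venue, when in parse(records):
        slot = (when.hour * 60 + when.minute) // window_minutes
        buckets[(user, venue, slot)].append(when)
    result = defaultdict(list)
    for (user, venue, slot), visits in buckets.items():
        if len(visits) >= min_visits:
            result[user].append({
                "venue": venue,
                "window": _label(slot, window_minutes),
                "visits": len(visits),
                "weekdays": sorted({w.strftime("%a") for w in visits}),
            })
    for habits in result.values():
        habits.sort(key=lambda h: -h["visits"])   # most repeated habit first
    return dict(result)


def one_offs(records, user):
    """Venues a user checked into exactly once. For a traveller these are the
    destinations, which narrow down who they are (routes, employer, home base)."""
    counts = defaultdict(int)
    for u, venue, _ in parse(records):
        if u == user:
            counts[venue] += 1
    return sorted(v for v, n in counts.items() if n == 1)


def profile(records, user):
    """Combine the habitual anchor (most repeated routine), all habits and the
    one-off destinations into the kind of sketch the post describes."""
    habits = routines(records).get(user, [])
    return {
        "anchor": habits[0] if habits else None,
        "habits": habits,
        "one_offs": one_offs(records, user),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(profile(CHECKINS, "u42"), indent=2))
```

With these constructed records, user u42 surfaces as someone at the same Burger King between 06:15 and 06:29 and at IAD between 06:45 and 06:59 on Mondays and Wednesdays, with single visits to three other airports; user u77 has no recurring window at all and stays a blur. Tightening `window_minutes` or raising `min_visits` trades recall for confidence, which is the same knob a real profiler would turn.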

The amount of information we as a society willingly give away is very scary. We provide everything someone would need to identify, track, profile, or rob us. This culture of sharing has largely been influenced by the social media giants Facebook and Twitter, but there is a layer beyond that. We actually PAY corporations to take our data and turn around and do whatever they want with it (store it, analyze it, read it, listen to it, sell it). Your cell service providers, your television providers, even your energy providers have more data about you than you would imagine, because you willingly give it away.

[Begin digression]

We willingly give away data to private corporations who only want our data for their bottom line (improving services and selling data are just ways to make more money), but we seem to have a major problem with our governments using the same data to protect us. At some point, we decided it was okay to entrust employees of private corporations with this data, but we kick and scream when our governments want to use the same data to protect us at home. Something about that seems off, and I think it is time for society as a whole to start reevaluating what is important.

[End digression]

In the age of information, we freely give away data without thinking twice about it. It turns out this is also the age of “big data” and “data analysis”, so profiling you and knowing more about you than you ever knew about yourself has become somewhat of a game. A very profitable game at that. So now that you know this, what is going to change? There will be no huge uprising to take back control of our data. There will be no national discussions about privacy and human rights violations. We will continue providing this data willingly, but knowing what is being collected and how it is being used gives us the opportunity to change our own behaviors and limit the amount of data we allow to be collected about us. Food for thought.

Posted in Age of Information, Analytics, big brother, Big Data, Data Analysis, Large Scale Systems, Politics, social networking

National Security Rant

<Begin Political Rant>

I have not done this in a while, but after watching this evening’s debate on foreign policy, I am thoroughly disappointed in both candidates. When asked what the #1 future national security threat was, neither candidate responded correctly. What answers did we get? Some fluff answer about jobs and China, and a nuclear armed Iran. You both receive a grade of F on this question. In fact, the President gets an F- for saying the words “cyber security” and not following up.

Why am I so harsh on this particular issue? Let’s take a quick look at just the past two weeks:

That’s just to name a few biggies. News media not enough? How about these little tid-bits:

  • In 2009 the current Administration established the nation’s first cyber security czar to respond to cyber threats against America
  • In the same year US Cyber Command was established to respond to cyber threats and expand the nation’s capabilities in cyberspace
  • In 2010 Stuxnet was discovered – one of the most sophisticated computer worms ever seen
  • In 2012 Flame was discovered – an even larger and more capable espionage toolkit than Stuxnet

With all of this going on, please tell me how, throughout their campaigns and in the debates:

  • Neither candidate discusses the cyber threat at any length
  • Romney has failed to even mention the phrase “cyber security”
  • Obama has mentioned “cyber security” and not expanded on it

It is an absolute shame that these candidates flat out ignore the significant threat that is posed in the cyber arena. The “major” newsworthy events that I have mentioned here do not even scratch the surface of how significant the threat is. I didn’t even mention the fact that major defense contractors are being hacked by China.

Yes, I blame these candidates for not talking about this, but I also put blame on the moderators of debates and every single journalist out there who has had the opportunity and failed to press these candidates on this topic. I put the blame on all of those undecided voters in New York who asked about all the same things we heard about all along the campaign trail. I am thoroughly unimpressed right now.

It amazes me that this is not one of the deciding factors of this election. It amazes me that no one seems to think to ask about this. It amazes me that in 2012 abortion and GLBT rights are still being discussed as if they affect the very fabric of our ability to survive as a nation and cyber security is not even mentioned.

Very frustrated right now.

</End Political Rant>


Posted in cyber security, Politics, security

Building Better Software

I have never been just a Software Developer.  In every job that I have had since I was young and started my own web development business, I have been put in the sales role performing functions from marketing and business development, to sales negotiation and fulfilling contracts. In every sense of the word I have been an entrepreneur. Working as a Software Developer, I never just wanted to write code. I wanted to build effective tools that made business more efficient and to do so I had to understand the business. Perhaps my experiences gave me a bit of an advantage, but it is an advantage that can be learned.

Not too long ago, an old co-worker of mine and I were having a discussion in which he described three types of technologists. The first type – your Level 1 technologists – are effectively your soldiers. These are the developers you can give a set of tasks to, and they will march forward and write some of the most brilliant code you have ever seen to do exactly what you have asked them to do in the most efficient manner possible. Level 3 technologists are what you call your visionaries. These are the most brilliant minds in academia or a particular domain, who are consistently ahead of the game. They are thinking about technologies 5 to 10 years out and are the ones who drive innovation. Level 2 technologists lie firmly in between and spend a lot of time understanding the business use case and attempting to apply the ideas of the visionaries to today’s business cases.

I lie firmly at Level 2 at this stage in my career, and I can confidently say that because of this I write better software than most others at the same stage in their careers. Writing software should not just be about writing code in the fewest number of lines possible. It should not just be about finding the best algorithms for specific problems. All of those things are components of writing software that solves real world problems. We absolutely need those people at the Level 1 stage who can effectively execute when given a task, but in order for those individuals to truly be effective Software Developers they need to be able to understand the business case.

I’ve worked on many projects and one common problem that I have seen is there is always a non-technical requirements team that understands the business case who hands technical requirements to a development team. The end result is usually a software product that the end users did not want. Sound familiar? The motivation behind this is usually because there is a stigma that developers do not know how to communicate with end-users. The fact of the matter is – all of the successful projects I have ever worked on were successful because I went out and spoke to the end users to truly understand their business case.

These projects were successful because when I approached the end-users, I took off my developer hat. I put on the hat of the end-user and fully immersed myself in what they were doing to truly understand the problems they were experiencing. This gave me insight not only into what they thought the problems were and how they could be solved, but also into what other problems existed and how those could be solved. As technologists, it is our job to apply technologies to domains to make the lives of the end users better – not to show off how you can write a data mining application in Python in fewer than 10 lines. After the immersion session, I took what I learned and put my developer hat back on. What you eventually learn is that most users across domains have very similar problems, and later you can spend less time trying to understand the problems because you already know them.

It is time to stop building development teams full of only Level 1s who never become domain experts. They have a lot to offer to the visionaries, who may not be aware of the technical capabilities that exist right there within their own teams.  Additionally, when you have the opportunity to become a domain expert by being surrounded by Level 2s and 3s, you start to write better software. I intentionally surround myself with Level 3s in hopes that one day I will become the visionary type that everyone looks to. In order to build better software, we need to be sure that all levels are tightly integrated and understand the business domains in which they work. Otherwise, the software is being written for the sake of writing software.

Posted in Age of Information, Application Development, General, Programming, Software Development, Tech Ed

Rackspace Cloud And Domain Transfers

For starters, I actually had not planned on writing this article… Sometimes topics just fall into your lap, and you can do nothing else but move on them. This one is going to be a little more directed than usual, as it is inspired by an event that occurred today. For my more technical readers: you can skip over the next three paragraphs to get to the meat of this story while I explain a few things like DNS to everyone else.

Here goes a quick crash course on the Internet, IP addresses, domains, and DNS. Contrary to popular belief, the Internet is not run by a bunch of elves running around putting “cookies” on your machine. In actuality, your computer sends things called packets across the huge network that is the Internet.  These packets contain data with your requests or responses to and from servers and other devices on the Internet. Now usually you’ll type into your browser (i.e. Internet Explorer, Firefox, Safari, Chrome or the like) and magically get the day’s latest cute kittens, but how does this work?

Every device on the Internet has something called an Internet Protocol (IP) Address (for the sake of simplicity we won’t get into IPv6 vs IPv4 here today). An IP Address is effectively your online phone number. For instance, the IP address for this website is When a computer makes a request to another computer it is actually using the IP address. But wait, you didn’t type that into your browser, so how did it know how to find me? That’s where DNS comes in. Domain Name System (DNS) is essentially the phone book for your computer on the Internet. Your computer shoots out a request and says “Hey which of you DNS servers can tell me where to find’s phone number?” One of them responds with a “Hey that’s me, his phone number is” Once your computer has the phone number it can appropriately route packets across the Internet to serve you the content you want.

Now let’s look at this from the other side. When I purchased my domain from my registrar, I had to point it at some name servers and say “Hey name servers, you’re responsible for telling the world what the phone number is of the computer I assign this domain to.” Without getting into too many details – A records (address records) are the records that tell the name servers what the phone number is. So I add an A record to the DNS service telling it that is at, which is the IP address of the server that I’m hosting this website on. Typically, when I purchase that domain and point it at name servers, the only account that can change the IP address my domain resolves to is mine, by modifying the A record. All of this is very simplified, but it gets the point across.

Now that we are all caught up, let’s get to my day. A few days ago, I decided I wanted to use Rackspace’s Cloud Servers for some random development projects and such that I was working on. I’ve used Rackspace in the past and love their support; the management console is great for rapid deployment of cloud servers, you get full control, the prices are great, etc… Now I’ve got about 10 domains with Bluehost (great host btw). I wanted to move some of those over to Rackspace so I could manage domains and servers in the same place. Before I start rambling, let me just allow you to read the conversation I had with Rackspace support earlier today (scrubbed only to protect the identity of the support member):


Welcome to the Rackspace Cloud! My name is <redacted>, how may I help you?
<redacted>: Hi Tim!
Tim Tutt: Hi <redacted>,
Tim Tutt: I just spoke with one of your other support members about transferring a domain of mine to rackspace cloud servers
Tim Tutt: they referenced a document, and in reading through it, I seem to be missing a step to bind a domain to my account and my account only.
<redacted>: Can you post the link you were provided?
Tim Tutt: It says I need to point to rackspace’s name servers, and then add an A name record in DNS, which is fine, but couldn’t in theory someone else add an A name record pointing my domain to their servers?
Tim Tutt:
Tim Tutt: I’m assuming I’m just missing a step or it’s not documented.
<redacted>: Of course!
<redacted>: To answer your question, yes
<redacted>: you could update the DNS with your current DNS provider
Tim Tutt: right – that was my other option if this turned out to not be a viable solution
<redacted>: understood.
Tim Tutt: so to be clear – someone with another rackspace account could add an A name record before me and point to their servers if I pointed the domain to the rackspace dns servers?
<redacted>: Correct.
<redacted>: That wouldn’t be very nice but its possible
Tim Tutt: Okay got it – Well thanks very much. That makes my decision easy.

Yes, you read that right… Essentially, by pointing my domain at the shared Rackspace name servers, I would be giving anyone with a Rackspace Cloud account the ability to hijack it: whichever account adds the zone and its A record first wins, and nothing ties the domain to the account that actually owns it. This completely floored me. How could a vulnerability so obvious exist at a provider that is so well known and trusted? To their credit, I am very impressed that Rackspace knew about this vulnerability and were honest about it, but it is still one that is hard to overlook.

In talking to some buddies of mine, Rackspace is not the only offender; Slicehost has a similar issue. What is really concerning here is that this is not a hard issue to fix. Imposing a validation step that checks whether a domain is already associated with a particular account is trivial, and validating that a user actually controls a domain is also trivial (for example, a random token the user has to publish as a TXT record at their current DNS provider, or a check against the registrar), so the association should be easy.  The one subtlety is ordering: the ownership check has to be something only the real owner can satisfy before the registrar delegation is switched, because once the domain already points at the shared name servers there is nothing left that distinguishes the rightful owner from any other tenant.  It amazes me when such large companies make mistakes like this one.  They have a number of resources at their disposal and lots of technical talent, yet they fail to think about situations that compromise security.
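To make the DNS crash course and the hijack concrete, here is a toy model of a multi-tenant hosted DNS service. This is an added example and not Rackspace’s (or anyone’s) code; the class names, the `start_claim` step and the `_verify` label are assumptions made for illustration. `VulnerableProvider` behaves the way the support chat describes: the first account to create a zone for a domain owns it. `VerifiedProvider` adds the missing step, requiring the account to publish a random token at the domain’s current DNS provider before the zone can be created, so that proof of control is obtained before delegation is switched.

```python
import secrets
from dataclasses import dataclass, field

# Toy model of a multi-tenant hosted DNS service. Added example, not a real
# provider's code: names, the claim flow and the "_verify" label are assumed.


@dataclass
class Zone:
    owner: str                                   # account that controls the zone
    records: dict = field(default_factory=dict)  # name -> IPv4 address (A record)


class VulnerableProvider:
    """Whoever creates a zone first owns it. Nothing ties a domain to the
    account that registered it, so once the registrar delegates the domain to
    these shared name servers, any tenant can answer for it."""

    def __init__(self):
        self.zones = {}

    def add_zone(self, account, domain):
        if domain in self.zones:
            raise PermissionError(f"{domain} already has a zone")  # too late for the real owner
        self.zones[domain] = Zone(owner=account)

    def set_a(self, account, domain, ip):
        zone = self.zones[domain]
        if zone.owner != account:
            raise PermissionError("not your zone")
        zone.records[domain] = ip

    def resolve(self, name):
        """What the shared name servers would answer for an A query."""
        zone = self.zones.get(name)
        return zone.records.get(name) if zone else None


class VerifiedProvider(VulnerableProvider):
    """Zone creation requires proof of control obtained *before* delegation:
    the account publishes a random token as a TXT record at the domain's
    current DNS provider, and the zone is created only once the token is seen."""

    def __init__(self, lookup_txt):
        super().__init__()
        self.lookup_txt = lookup_txt  # queries the domain's current authoritative DNS
        self.pending = {}             # (account, domain) -> token

    def start_claim(self, account, domain):
        token = secrets.token_hex(16)
        self.pending[(account, domain)] = token
        return f"_verify.{domain}", token  # name at which to publish the TXT record

    def add_zone(self, account, domain):
        token = self.pending.get((account, domain))
        if token is None or token not in self.lookup_txt(f"_verify.{domain}"):
            raise PermissionError(f"ownership of {domain} not verified for {account}")
        super().add_zone(account, domain)
        del self.pending[(account, domain)]


def demo():
    """'mallory' races the real owner 'tim' for example.com on both providers.
    Returns (ip served by the weak provider, whether mallory got the zone on
    the verified provider, ip served by the verified provider)."""
    weak = VulnerableProvider()
    weak.add_zone("mallory", "example.com")          # attacker claims it first
    weak.set_a("mallory", "example.com", "203.0.113.66")
    hijacked = weak.resolve("example.com")

    current_dns = {}  # constructed stand-in for tim's existing DNS host
    strong = VerifiedProvider(lambda name: current_dns.get(name, []))
    strong.start_claim("mallory", "example.com")     # gets a token, cannot publish it
    try:
        strong.add_zone("mallory", "example.com")
        mallory_got_zone = True
    except PermissionError:
        mallory_got_zone = False
    name, token = strong.start_claim("tim", "example.com")
    current_dns[name] = [token]                      # tim publishes the TXT record
    strong.add_zone("tim", "example.com")
    strong.set_a("tim", "example.com", "198.51.100.10")
    return hijacked, mallory_got_zone, strong.resolve("example.com")


if __name__ == "__main__":
    print(demo())  # ('203.0.113.66', False, '198.51.100.10')
```

The important design point is where the proof lives: the token is checked at the domain’s existing authoritative servers, which only the legitimate owner controls, so the check must be completed before the registrar is repointed. An alternative some providers use is to hand each account its own distinct set of name server hostnames, so that the delegation itself identifies the tenant and a first-come zone creation on shared servers is never possible.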

Large organizations focus on implementing security best practices to ensure the safety and security of their customers’ information and property, but the fact of the matter is that even the most advanced systems won’t help if there are bad practices in the simplest pieces of the system. Security has to be considered in every aspect of a system, not just the major parts that everyone pays attention to. This seemingly small issue is actually a major vulnerability. Hopefully Rackspace and others take care of issues like this one. I’d like to see fewer simple issues like this from major providers and vendors.


Posted in Application Development, DNS, security, Server Setup, Tech Ed, Web Development

Time For A Change

So as you have undoubtedly already noticed, the site has gone through a major facelift. It took me all of 5 minutes to make the decision when I started searching for new themes. Ran across this one over at and thought it was pretty amazing. Quick install, and boom I’m done. I think I’ll stick with this one for a bit. Not the only technical change I’ll be making, but more on that later.

You should all also expect me to pick back up on writing a lot more starting soon. I’ve got a lot of posts that I’ve had in draft for a while, that will be finished, and many other ideas in the works. Focus will remain largely on the technical side, with some of my other rantings here and there. We’ll also have a few special guest writers, but again… more on that later.

For now, enjoy the new theme. Re-read some old stuff, and be on the look out for the new things coming.


Posted in Uncategorized

Why Agile Isn’t So Agile

Project managers are process driven people. In fact, without the processes they put in place, project managers would be out of jobs. When it comes to software development, these guys make sure developers stay on track and don’t run down paths that have nothing to do with customer requirements. Sadly, developers are known for this. Something about personalities… I still don’t get that one. If more developers learned how to understand and speak to customers, project managers would be obsolete…

I digress – The point here is, the Agile Software Development methodology, while it has its benefits, is a tool for the project managers of the world to help enforce a process that is not actually as “agile” as it sounds.

Don’t get me wrong – for initial delivery of projects, the agile methodology has its benefits, but when customers hear the term “agile” they are thinking of something a little different than what your local IT organization is thinking. A customer hears a PM sell them on the “agile” development team and thinks, “Once we’ve got our application, bug fixes and improvements will come immediately. This team is dedicated to my project and I can call upon them at a whim for my needs.”

As a member of several of these development teams, let me break it down for you. With the agile methodology, any single customer is only as important as their initial delivery. Every development team in any decent sized IT organization has several customers to deal with. Each one of those customers is just as important as the next unless this is the first time you have encountered this customer.

The first time you encounter a customer, that customer is Priority 1. Your team (or usually just the PM and lead developer) sits down with the customer, gathers requirements, and sets a schedule for the development team to follow. This schedule is usually designed for delivery of software within 3 to 6 weeks. From that point, until the end of the period, that customer’s requirements are the only priority because the goal here is to win them over with the speed at which your group can deliver product. You’ll have your daily scrums to discuss any issues that your testers have found, you’ll prioritize specific features against user requirements, and you’ll have two or three meetings on the design/architecture of any particular feature, and somewhere in between, you’ll find time to actually write code. Usually, in a last minute push, your team somehow, miraculously pulls this delivery off just under the wire and the customer is elated.

This will last right up until your customer finds the first problem with the product you’ve delivered – so usually about two hours. Congrats – you’ve just finished your first iteration of the product, and now you’ve been tasked with more to fix or improve. Lucky for you, your PM is there to block all of that nonsense. Now that the system is in production, a bug or new feature has to be put into your issue tracking system, which will later be prioritized and scheduled against every other issue from every other customer.

This is the point where the agile method ends up being not quite so agile, for the customers at least. Sure, your development team is running through about 50 features every 6-week sprint. And yes, you are spending 50+ hours to get all of the tasks you have in this sprint done, but no single customer is feeling the love, because you’re not delivering in an agile enough way for their specific project.

Look at it from the customer’s perspective. You have moved from developing and delivering a full blown production system in 6 weeks to delivering 2-3 bug fixes and 2-3 feature improvements (of the 30 they’ve asked for) every six weeks. You no longer appear to be the agile team they were sold on. In a lot of cases, the application is turned over to an operations team that doesn’t know what it takes to keep the application running in production and can’t fix bugs as quickly or as effectively as the development team.

The new and emerging trend is the concept of a “Dev-Ops” team. “Dev-Ops” teams are development teams that are integrated with the operations team to effectively manage issues as they occur in production. I find the trend interesting as a few of the teams that I have been involved in have been doing this for a very long time now. We’re able to mitigate production issues quickly and effectively because our development team is also the operations team. We are not bound by the order of the Scrum and Sprint. It’s a process that seems to work well… that is until you decide to form a process around it, which I do not doubt will happen.

Process is important and the Agile Software Development Methodology is not all bad, but looking at it from the customer perspective it could be more “agile”. I’m in favor of these dev-ops teams, mostly because in my experience they seem to work more effectively for the customer, and if you ask me, how the customer feels is better than any process that makes an IT organization look good.

Posted in Application Development, Programming

1 Millisecond Is Too Slow

“640K ought to be enough for anybody” – This quote from the 1980s, which may or may not be attributable to Bill Gates, is quite a laughable quote these days. We live in a world where even exabytes aren’t enough to describe the amount of data we will consume as a world in the next five years. For the more non-technical readers out there, an exabyte is 10^18 bytes: roughly 10^15 kilobytes, or a million terabytes.

Twitter has about 100M updates per day. We won’t even begin to guess how many updates Facebook has. Blogging is ubiquitous, so there are plenty of those out there. What I’m getting at is that there is a lot of data out there just waiting to be analyzed, and analyzing data at these volumes is no trivial task.

Before I end up in a rant about big data, let me get to the point. Analyzing data at those volumes takes time. Let’s look at Twitter, for instance – 100 million tweets per day. Tweets are relatively small records – 140 characters plus any additional metadata about the user, retweets and such. Let’s say it takes about 1 millisecond to process a single tweet. 1 millisecond 100 million times is 100,000 seconds, which is about 1,667 minutes, which is about 27 hours. So at 1 millisecond per record it would take just over a day to process one day’s worth of tweets. My point – 1 millisecond is too slow.

Enter “the cloud”. Cloud is probably one of the most overloaded terms in the technology space today so let me apologize for using it and explain what I mean by the term. I’m talking about horizontally scaling your architecture in order to process these large volumes of data in parallel.

You have to be smart about how you do this. If you have a web service that can only handle two requests at a time and takes 600ms to process each one, scaling out to hundreds or thousands of servers does you no good. The bottleneck still exists at the web service.

We are no longer living in the days where 1 millisecond is considered fast. We live in a world of instant information. 27 hours to process yesterday’s data is unacceptable.

So how do you fix this? You optimize your processing algorithms. This is my call to software engineers everywhere to start optimizing your code and preparing for scale so that your code meets the demands of today and tomorrow. Eliminate bottlenecks in your code, and make the ones you cannot remove scale horizontally. Stop accepting “good enough”.
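The arithmetic above (and the web-service bottleneck a few paragraphs back) is worth keeping as a reusable capacity model rather than redoing it by hand. The block below is an added example, not code from the original post: it models a pipeline as stages, each with a per-record latency and a concurrency limit, computes the throughput the chain can sustain (no faster than its slowest stage), and sizes the worker pool needed to hit a time budget. Only the 100 million tweets per day and 1 ms figures come from the post; the stage names and the 600 ms / 2-connection service are constructed.

```python
from dataclasses import dataclass
from math import ceil

# Added example, not from the original post: a back-of-envelope capacity model
# for a record-processing pipeline. Stage names and latencies are constructed;
# only the 100M tweets/day and 1 ms per tweet figures come from the post.


@dataclass(frozen=True)
class Stage:
    name: str
    latency_ms: float  # time one record occupies one slot of this stage
    concurrency: int   # slots that work in parallel (workers, connections)

    def throughput(self):
        """Records per second the stage sustains when every slot is busy."""
        return self.concurrency * 1000.0 / self.latency_ms


def pipeline_throughput(stages):
    """A chain of stages moves no faster than its slowest stage."""
    return min(s.throughput() for s in stages)


def bottleneck(stages):
    """The stage that caps the whole pipeline."""
    return min(stages, key=lambda s: s.throughput())


def hours_to_process(records, stages):
    return records / pipeline_throughput(stages) / 3600.0


def workers_needed(records, latency_ms, budget_hours):
    """Smallest concurrency at which a stage with the given per-record latency
    finishes `records` inside the time budget."""
    hours_with_one_worker = records * latency_ms / 1000.0 / 3600.0
    return ceil(hours_with_one_worker / budget_hours)


TWEETS_PER_DAY = 100_000_000


def scenarios():
    single = [Stage("parse+analyze", 1.0, 1)]
    scaled = [Stage("parse+analyze", 1.0, 1000)]
    # Same 1000 workers, but every record also calls a web service that handles
    # two requests at a time and takes 600 ms: the case the post warns about.
    scaled_with_service = [
        Stage("parse+analyze", 1.0, 1000),
        Stage("enrichment web service", 600.0, 2),
    ]
    return {
        "single_worker_hours": hours_to_process(TWEETS_PER_DAY, single),
        "scaled_hours": hours_to_process(TWEETS_PER_DAY, scaled),
        "scaled_with_service_hours": hours_to_process(TWEETS_PER_DAY, scaled_with_service),
        "scaled_with_service_bottleneck": bottleneck(scaled_with_service).name,
        "workers_for_one_hour": workers_needed(TWEETS_PER_DAY, 1.0, 1.0),
    }


if __name__ == "__main__":
    for key, value in scenarios().items():
        print(f"{key}: {value}")
```

The numbers make the argument: one worker at 1 ms per tweet needs about 27.8 hours for a day of tweets; a thousand workers bring that down to about 100 seconds; but put a 2-connection, 600 ms service in the path and the same thousand workers are capped at 3.3 records per second, roughly 347 days for one day’s data, with the service reported as the bottleneck. Sizing the other way, 28 workers at 1 ms each are the minimum to clear a day’s tweets in an hour.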

It’s a tall order coming from a small fish low on the totem pole. There is a completely different mindset that software engineers have to switch to in order to achieve this. You have to stop thinking about solving problems in a single-threaded manner and move to thinking about problems in parallel.

It’s a new age with new rules. Take the advice or leave it, I’m just a guy that deals with big data on a daily basis.

Posted in Age of Information, Application Development, Big Data, Data Analysis, Large Scale Systems, Programming


I’m going to start this one off by saying that I know I am setting myself up here for a full onslaught of attacks, but there are some things that cannot be left alone. That being said, please go watch this video before reading the remainder of this article.

To members of the “hacker” community, this post actually may come off as a little sacrilegious to some, but I ask that you hear me out before making any quick judgements. It is very easy to be sympathetic to this group given what it claims it stands for. This video is actually propaganda at its finest. It appeals to every soul that sees the government as the big-bad attacking some small innocent group that just wants to be heard. It’s brilliant in all honesty, but it is nothing more than propaganda.

I’m not going to sit here and argue about the legality of what they do – that would just be silly. What I will contest is the questionable morality and hypocrisy of what is being done. I have no problem with a group or person taking a political stance and discussing or openly debating it. I have no problem with them enabling others to speak out for themselves (all things that Anonymous has done as a hacktivist organization). Where I begin to draw issue is when any organization decides to take action that is damaging to others, whether that is the opposition or innocent bystanders caught in the cross-fire.

The organization has been known to help out in cases where people would not have been heard had Anonymous not given them the ability to speak, but Anonymous supporting an organization like Wikileaks is when I first began taking issue. While Wikileaks claims to be all about exposing the truth that “the people deserve to know” – what they are actually doing is putting lives at stake. Without getting into the politics behind it all, I’ll just say this: when what you are doing puts innocent lives at stake, you are no longer acting for “the greater good”. At that point, you are self-focused on a goal. Morality says this is wrong.

Anonymous has been known in the past for its use of DDoS attacks and defacing of websites to shut down the voices and services of others. They silence the opposition. The justification that they use is just silly. Claiming that “Arresting somebody for taking part in a DDoS attack is exactly like arresting somebody for attending a peaceful demonstration in their hometown” is a wildly false statement. Performing a DDoS attack, or defacing a website for comments that are not favorable to your cause, is more like bombing an abortion clinic, or spray painting defamatory remarks on your neighbor’s home.

In some cases this can be acceptable (though ill-advised and illegal) – for instance when you are defending yourself from being attacked as they did with HBGary Federal, but attacking groups that have no means of defending themselves from such attacks, or the means to retaliate other than to involve the law (which you then attack them for) is hypocritical and immoral.

Why did I feel the need to talk about this tonight? It is no secret that I support the hacker community. I even support the ideals that they claim to stand for. I support the enabling of groups that have no ability to speak out for themselves. What I do not support is the hypocrisy and immorality of the actions that the organization tends to take. As it turns out, what they end up being is no better than those that they claim to stand against.

That’s my venting for the evening. Bring on the attacks.


What Users Don’t Know Will Hurt Them

There’s an old saying, “ignorance is bliss”, that I’d like to add an addendum to today. The quote should be “Ignorance is bliss, until that ignorance hurts you”. In the IT world we have the tendency to build systems to the specifications provided by the “customer”. I quote customer like that because although there is usually a requirements group that provides the specifications to us, the real customers of the applications that we build are the end-users. (As a complete aside – I’ve never been a fan of requirements groups. They rarely get the customer requirements right, and can never really explain why the end-user “needs” something. Another conversation for another day.)

I bring this up because usually what happens is a number of requirements are defined, the system is built to those specifications, the end-users are given training on the most common features, and are pointed to documentation that they will never read for more advanced features. Even worse is when a user is “voluntarily” enrolled in some system as a part of some contract that they signed. The worst case is when a user signs up for a system, and is completely unaware that their information is also being used by several other systems. Users are oftentimes harmed by not knowing how to protect themselves in these systems, or by not knowing what is in the realm of the possible.

Here’s just one specific example. Recently, I was planning on getting a birthday present for a friend of mine from college. I knew she was going to be at her parents place for her birthday, so I wanted to have the present sent to her home. The problem with that was I didn’t know her home address. Virginia Tech has a system that the students typically refer to as “Hokie Stalker”. You can search for a person by name and it returns their local address, home address, major, phone numbers, and e-mail address if they have not elected to suppress that information. The system is actually a public system, so anyone can go to the Virginia Tech website and search for any student and get all of that same information.

Needless to say, she got her present, but was curious as to how I got her home address. I explained it to her, and then explained that she could suppress it by clicking a checkbox in her account. The problem here was two-fold. She was unaware that I could even get that information and also unaware that she could hide it. Luckily, I was a friend just trying to send a gift, but the situation could have been a lot worse. Just by having a name, I could launch a very effective social engineering attack on some unknowing student. Knowing a major, a home address, the school they attend, and an e-mail address, I can make myself sound like a valid authority and request additional information.

A more interesting example deals with security in browsing the web. It is common these days that users know to look for the little lock in the bottom of their browser before entering personal information or credit card details, but they don’t really understand what that lock means. They assume that if the lock is there, then the site is secure and they can safely enter information. They also know to look for the “https” in the URL bar of their browser. While they know to make these checks, one thing that users are still very bad about is reading pop-ups about security certificates. A user is trying to get to a site and this annoying pop-up prevents them from getting there – the auto-reaction is to click “Confirm Security Exception”. The user does not understand that a website can sign its own certificates and that if they accept these certificates, the browser will do as they say and treat this site as trusted, thus showing them that lock that makes them feel all warm and fuzzy inside.
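The checks a browser runs before it shows that lock, written out as an added illustration (not code from the post); the two certificate records below are constructed samples in the shape Python’s `ssl` module returns, and `bank.example` is a placeholder name.

```python
import socket
import ssl
from datetime import datetime, timezone

# Two constructed certificates in the shape ssl.SSLSocket.getpeercert() returns
# (neither is real). In the first, the issuer is the subject itself: self-signed.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "online.bank.example"),),),
    "issuer": ((("commonName", "online.bank.example"),),),
    "subjectAltName": (("DNS", "online.bank.example"),),
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}
CA_SIGNED_CERT = {
    "subject": ((("commonName", "online.bank.example"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "online.bank.example"), ("DNS", "www.bank.example")),
    "notAfter": "Jan  1 00:00:00 2012 GMT",
}

def _dn(rdns):
    """Flatten getpeercert()'s nested DN tuples into a plain dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def assess_cert(cert, hostname, now=None):
    """Return the problems a browser warning would be about. Exact names only
    (no wildcards); chain validation to a trusted root is left to the TLS stack."""
    now = now or datetime.now(timezone.utc)
    subject, issuer = _dn(cert["subject"]), _dn(cert["issuer"])
    problems = []
    if subject == issuer:
        problems.append("self-signed")          # nobody but the server vouches for it
    names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    names.add(subject.get("commonName"))
    if hostname not in names:
        problems.append("name mismatch")
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now > expiry:
        problems.append("expired")
    return problems

def fetch_peer_cert(hostname, port=443):
    """Live check with the default context, which verifies chain and hostname:
    a self-signed cert raises ssl.SSLCertVerificationError here. Clicking
    'Confirm Security Exception' is the browser equivalent of turning this off."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

Once the exception is accepted, none of these checks stand between the user and whoever holds the private key for that self-signed certificate; the lock only says the connection is encrypted, not to whom.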

Browsers have done their part in attempting to explain to users what they are doing, but unless the user is security conscious, they don’t bother reading it. Some things are just beyond our control. Sure, we can provide and require certain security trainings on the job, which hopefully employees will take and apply in their personal lives, but not every user of the Internet is granted these learning experiences. There are several other examples of users being unaware of how systems actually function and how these things can hurt them. Facebook privacy is one that we’ll leave alone today because it’s almost like beating a dead horse with a stick, but the point is users’ lack of awareness can and will hurt them.

Whether it be someone using information the user could have hidden for malicious social engineering attacks or a website claiming to be a user’s bank by providing a self-signed SSL cert, users can and will be attacked when they are unaware of what is possible. The question is how do we protect them from every threat? Productivity would certainly be lost if we explained every system in full detail to every user. That is just not a feasible solution. Perhaps the answer lies in how we present documentation to users. If documentation is hidden underneath layers of pages, then we can expect that users will not find it. Should we make documentation a part of the entire user experience with hints and tip boxes? Would that deter users from using systems? It’s an interesting question that I do not have the answer to. I do know, however, that as long as users remain ignorant of certain features of the systems they use, they are more likely to be attacked.
