Tuesday, August 29, 2006

By the people, for the people, of the people.

I signed up with the reservists' protest and did a 3 hour protest vigil yesterday evening in the Modiin shopping center. I got about 80 signatures and had some good conversations with people. I convinced 3 people to change their mind, but most of all I felt that there is strong grass-roots support for reversing the current state of affairs to make Israel a country by the people and for the people instead of a corrupt Bolshevik state.

A few asked me what will be gained by forcing Olmert, Perez and Halutz to resign and who will replace them? My answer is that "You and I will replace them. Israel is full of talented people who believe in their country and can get things done".

There is so much wrong with the way this government managed the war and with the way the general staff executed but the real problem is weak and corrupt leadership who have lost their way and who are looking for cheap fixes for root problems.

A million Israelis in bomb shelters for a month or displaced from their homes. Total apathy on the part of the government towards the people up North and refusal to declare a state of emergency. A prime minister committing to bringing back the kidnapped soldiers at the beginning of the war and then spinning us a story for the mentally-retarded about how this was a great victory for Israel. A Minister of Defense trying to bribe his way out of the bind with the reservists who are on a protest vigil - offering them grants and additional compensation. Shameful and insulting to our sensibilities.

The IDF had 6 years to gather intel on the Hizbullah arms buildup and preparations to attack Israel. If they knew, then why did the Chief of Staff think it was a 24-hour war? If they didn't know, then we're really in deep trouble.

Olmert's corruption and spin cannot change the fact that he and Perez and Halutz are weak and weak leaders resort quickly to violence.

A strong national leadership would have taken a deep breath after the kidnapping and worked out that perhaps Israel was not best served by trying to take on the Hizbullah right now, especially if they intended to do a prisoner exchange anyhow. A strong leadership would step back and think about steps that would improve our national deterrence and strategic posture. They would think about how to win this war against Hizbullah, not about how to lose it and make the country vulnerable to Iran and Syria, who now realize that not only did they have great victories 6 years ago when Israel fled from Lebanon and last year in the disengagement, but now they know that the Jews can be disgraced in battle.

We will never get the leadership we need without getting back to basics; the basics of democracy, making Israel a country for the people, by the people and of the people.

The biggest barrier to change in this country is inertia; we may have gotten used to the corruption and violence, but we must remember what Thomas Jefferson wrote over 200 years ago:

"We can no longer say there is nothing new under the sun. For this whole chapter in the history of man is new. The mighty wave of public opinion which has rolled over it is new."
--Thomas Jefferson

Sunday, August 27, 2006

Are we capable of writing secure software?

As I wrote in my article Risk Reduction for Legacy Systems, half of all security breaches are due to fundamental software defects (like buffer overflows, hardcoded arrays, disclosing database table names in error messages, etc.).

I've gotten some feedback on the article and quite a range of responses, from "Yeah, that all sounds familiar" to "Wow, I didn't think that application security was such a big deal".

So just to put the record straight:

If a company is more concerned about marketing their product than making sure it's secure, then they shouldn't bother with my methodology. Two years ago, a client of mine received an extremely detailed and draconian set of security requirements from their integrator in Europe, Alcatel. The client asked me to review the document and I told him that he was walking on thin ice, since the Alcatel security spec exposed them to the entire liability for a security breach. It turns out that the client hadn't even noticed that particular clause.

This is an Achilles heel for software development organizations of all sizes, so I am sure there is room for an agile methodology that reduces software defects in order to reduce OPERATIONAL RISK, especially for those young high-tech startups that don't take the time to read the fine print.

Some readers commented that fundamental software defects can be eliminated by proper QA and decent code review. Yup, and if your grandma had balls, she'd be your grandpa.

A good point made by my colleague Chava Leviatan is that many companies assume that buying an off-the-shelf ERP system absolves them of exploitable security breaches created by buggy software. It's a good insight, but let's not forget that these are all large software systems with huge amounts of legacy code written by developers who didn't know beans about secure software development practices.

Most of the firms that have security breaches run ERP systems like SAP or Oracle Applications, and they still get bitten. The vulnerabilities in an ERP system are even more acute than in home-grown applications since: (a) the data model is centralized and (b) most vulnerabilities are created in the custom interfaces written by the ERP integrator.

Thursday, August 24, 2006

Things they don't tell programmers

Today is a rest day from bike riding. I have on my todo list a bunch of F&A items - like expense reports and cleaning out my inbox from old scraps of paper.

I found a scrap of paper with notes on writing a business plan. Waiting for a flight back to Israel from EWR at the end of June, I was hanging out in a bookstore and saw a shelf of Harvard Business Review books; jeez, these books are worse than the Dummies series from McGraw Hill - I read the book on Entrepreneurship in about 15' taking notes on a piece of paper I glommed from the guy at the cash register. No wonder my son Yuval, who is doing an MBA at Ben Gurion, says that HBS stands for "Half Bull Shit".

So, I reckon this posting is worth about $15.95 for the book and 15' of your time or maybe 45' (if you move your lips).

The 15 minute Business Plan

Identify
1. Value
2. Profit, risk/return
3. Good fit to the founders' capabilities
4. Durable, is there a large enough window of opportunity to build and grow a business
5. Amenable to financing, will external capital assist the business development (I actually liked this one a lot, because practically no business plans I've ever seen really analyze how well the proposed venture is amenable to financing. It's more like we're top notch entrepreneurs and I need 3M in seed, but not more because we don't want to get diluted...)

Evaluate
1. Market (Analysis of growth, size, TAM)
2. Competition, assess, find an edge
3. Economics of the opportunity
4. Resources required

Market
1. Benefit
2. Size
3. Dynamics
4. TAM
5. Competitors
6. Awareness or latency of demand
7. Name potential cases/clients
8. Access
9. Utility relative to substitute products/services

Economics
1. Price constraints
2. Supply and demand for product/service
3. Elasticity of demand
4. Substitutes
5. Fixed and/or variable costs of operation
6. Cost increases

Business model
1. Revenue sources
2. Cost drivers
3. Investment size
4. Critical success factors
Business plan

1. Executive summary, 1 page
2. Opportunity
3. Company
4. Team
5. Management
6. Operations
7. Finances

Wednesday, August 23, 2006

Software Security or Stupidity: AOL

I read today that AOL has fired its CTO, Maureen Govern, less than a year after she started work, after it was discovered that the company disclosed the results of more than two million search queries made by 650,000 AOL subscribers between 1 March and 31 May. The data was posted to a publicly accessible research website even though it was originally intended for internal use only.

AOL removed the data from the Web, and no PII (personally identifiable information) about AOL subscribers was disclosed. However, privacy advocates continue to rage on the issue of protecting the privacy of search queries and results.

Although most breaches of customer data are related to software bugs, I can't classify this breach as software-defect related - it seems to me more like stupidity, and it's a no-brainer that people don't want the contents of their search queries disclosed - a lot of upstanding folks are googling for naughty words.


All beginnings are difficult

A Hebrew proverb says that "all beginnings are difficult" - after 3 years in the trenches of extrusion prevention/CMF/ILP (whatever you want to call it), it is high time for me to diversify and develop some alternatives for mitigating internal threats.