Stories by Frank Hayes

Opinion: Sure the Cloud's insecure; it's like everything else

Worried about security in the cloud? Fret over this instead: Last month, a hacker surfaced who claimed he can sell access to more than a dozen government, military and university websites — all cracked easily because of bad programming.

IE6 dependence - a debt that IT need not pay

Internet Explorer may be losing favour among most users, but in big companies, it is still doing fine — especially IE6. Why? "We have to use IE6," a contractor at one telco told me recently. "We have all these web applications that won't run on a browser that isn't broken." And that means big trouble — doesn't it?

IT managers must learn to love the iPad

Quick – how many iPads are in your users' hands right now? You don't know? Of course not. Your IT shop is not supporting the iPad. You probably can't even figure out what an iPad is good for .

No need for IT shops to panic over swine flu

Fed up with swine flu fearmongers? Feeling suspicious that the people whose bird-flu pandemic predictions didn't pan out, are now trying for a second bite at the apple? You should be. Yes, the current swine flu outbreak is a real health problem. In some places, it's also a real economic problem.

Energy efficiency that saves pennies won't fly

Fifty cents. That's how much US businesses could save by shutting down individual PCs at night and on weekends, according to a study released last month by the Alliance to Save Energy. Of course, that's not how the report headlined it. The alliance's number was US$2.8 billion per year.

The reverberating sound of Y2k in 2009

Can you hear it? Amid the deafening silence that was the the Conficker nonevent of April Fools' Day, you should be able to detect an echo from the past. It started as a quiet murmur, but over time, it will build to a crescendo that could make Conficker the most dangerous malware IT has ever seen.

Consumer tech at work a threat and an opportunity

Last week, I saw a plug-and-play web camera. OK, you've seen things called that before, but this was different. It works like this: You plug a gateway device into a network. You switch on the battery-powered camera. You push one button. Now you have a palm-sized device beaming live images onto your network.

Facebook fiasco has lessons for IT departments

Forget Facebook. Well, OK, you can't forget Facebook's recent terms-of-use fiasco — it's been all over the media. First, Facebook claimed it owns everything its users post — forever. Then, after bloggers raised a mighty stink about that, Facebook reversed course.

Rogue administrator reveals single-point-of-failure flaw

Terry Childs is in the news again. Remember Childs, that lone-wolf network administrator who worked for the city of San Francisco? In July 2008, he was arrested for refusing to tell his bosses the passwords to the city's high-speed network. He's been in jail ever since because he hasn't made his US$5 million bail.

Microsoft's parallels with 1990s IBM are many

Microsoft cuts 5,000 jobs. That's big news. Not just because the layoffs will cut one in 20 of Microsoft's 91,000 employees. Not only because it signals just how hard Microsoft has been hurt by the failure of Vista and by shifts in the way big customers license and use software. Not even because of the grim sign it represents for the rest of the IT industry.

Twitter's twittish security is a warning for IT

Please tell me this isn't happening in 2009: Last week, an 18-year-old student reportedly used a password-guessing program to get into the account of a Twitter employee. From there, the teen cracker hijacked the accounts of President-elect Barack Obama, Britney Spears, Fox News and 30 other Twitter users.
A password-guessing program? That is so 1983.
According to Wired blogger Kim Zetter, who tracked down the cracker calling himself "GMZ" and interviewed him via email, the crack was a marvel of old-school simplicity. GMZ noticed that one Twitter user named "Crystal" was following a lot of Twitter feeds. GMZ went to the Twitter log-in page, typed in Crystal's name, pointed his homebrew guessing program at the password field, and went to bed.
When he checked the next morning, he discovered the correct password was happiness — and he was in.
He also discovered that Crystal wasn't just a Twitter user. She was a support employee, and her account had access to an administrative tool that could reset the password for any Twitter user. GMZ says he didn't access any other accounts himself — but he did give access to fellow hackers.
Twitter regained control only after several hours.
Scary, isn't it? Not that Obama and Fox News had phony messages sent out on their Twitter feeds — that turned out to be prankster-level stuff. What's scary is that systems administrators ignored so much basic password security on a system with millions of users.
You don't let your employees pick easily guessable passwords like happiness. You don't allow anyone to keep trying to log in for hours after repeated password failures. And you don't use the same log-in interface for powerful employee accounts that you use for ordinary customers. You just don't.
The idea that sysadmins could be so sloppy that they'd get hit by this kind of '80s-era hack is mind-boggling — right?
Hold that thought.
Now consider this: We're entering the second full year of a recession. When it comes to staffing, we've cut the fat, we've cut the muscle, and we're starting to saw away at bone. That means in even the best of corporate IT shops, we're starting to cut corners.
There's always too much to do in IT. It's all about choosing priorities. Operations — keeping everything running — is always at the top of the list. Support — helping out individual users with problems — is usually next. These two things have big constituencies on the business side because, if they fail, things will happen and business people will notice. And then they'll howl.
But security doesn't have a big constituency. If we cut corners on security, no one may notice, because nothing bad may happen right away.
No one on the business side will howl until something does happen. And it's likely to be something very, very bad.
We don't know how Twitter, a start-up with 31 employees, got sloppy with password security. But it's not hard to imagine how it could happen in a big corporate IT shop. A little too much corner-cutting in the face of way too much work is all it would take.
That means we need to be vigilant even on simple security — even when there's no demand for it from the business side. We have to keep passwords hard to guess, lock out repeated log-in attempts and keep powerful IT accounts especially secure.
Because it is 2009, brutal economy and all. But if we slip up on something as simple as password security, it could feel like 1983 all over again.

Harnessing collective wisdom is a CIO's mandate

One of this year's Computerworld US Premier 100 honorees, Sheldon X Wang of eHealth, quotes an old Chinese proverb: "If you put three shoemakers together, they are going to be smarter than the prime minister".

Some tips for managing the gadget season

Finally, there's a silver lining in the ever-darker economic cloud: For once, corporate IT people are facing a gadget season in which we can honestly tell users, "I'm sorry, but we can't support use of your new gadget. This year, we simply can't afford it."

Start getting ready now for browser upgrade

Your IT shop is about to be forced into a technology refresh. You don't have a choice. You can't stop it. You can't put it off until the economy gets better. You can't scale it back. You don't even get to decide what products your users will move to.