Both TechCrunch and Mashable have blogs about it so no need for me to say much.

I realized recently the failure of Zen 1.0, or the blog I called Operational Intelligence, was probably because I was trying to be too focused. I tried to write about topics that are related to my work. Not that the topics are not interesting or plentiful, it’s just that I was trying to be too careful on not being biased.

In any case, for Zen 2.0, anything and everything goes. Well, in my case, anything and everything will likely be all related to tech since I am a geek (but I am a cool geak since I use a mac! ) through and through. Let’s see how far this one goes this time.

The least convincing one is probably the mouse. Even though there are small mice, I can’t imagine people using those small mice for a long time and not get sick of it. Human hands haven’t shrunk over the past ten years, so the mouse most likely won’t either.

You can get more information at Netflix Prize. The download file is 697,552,015 bytes long.

[ Coverage by NY Times ]

From ajaxian.com:

• Archetype-Based A stylesheet for each class of page, e.g. homepage stylesheet, article stylesheet, etc.
• Page Element/Section-Based A stylesheet for each class of page section, e.g. header stylesheet, sidebar stylesheet.
• Tag-Based Similar to the previous approach, but based around tags, e.g. form stylesheet, table stylesheet.

A Democratic member of the U.S. House of Representatives said Thursday that she plans to introduce legislation next week that would force Internet providers to record customer information for one year.

Personally I think it’s stupid for the gov’t to create such mandate, especially for the reasons they are citing.

because members of Congress have “learned that Internet service providers and social networking sites have information that law enforcement needs when investigating pedophiles online, and that is the IP address on a particular date and time that will help identify those involved,”

It’s one thing that ISPs retain logs as best practices, e.g., for forensic analysis and troubleshooting, it’s totally another for the gov’t to make it a mandate.

I certainly don’t want anyone to nose around in my stuff. Total violation of privacy if you ask me.

EMC and Network Intelligence: What it Means.

In the last few months, Novell bought e-Security and IBM got GuardedNet through its acquisition of Micromuse. Cisco grabbed Protego about and year ago and rumor has it that Oracle is about to buy either NetForensics or Intellitactics. It’s likely that HP, McAfee, and BMC are looking at other leaders like LogLogics as well as network behavior specialists like Mazu and Q1.

Building The New EMC, One Acquisition At A Time

Interesting comments from Dennis Hoffman, vice president of information security at EMC

Network Intelligence plays in three areas of the security industry, he said. The first is log management, a space where the leader is another company, LogLogic, San Jose, Calif., Hoffman said.

The second is event management, or the real-time processing of data for security purposes. “ArcSight is the leader,” Hoffman said. “There are lots of others in this space, too. Names you’ve never heard of.”

The third is security information management, which includes the reporting and forensic analysis of where security problems occur. Network Intelligence is the leader here, Hoffman said.

On a side note, here’s an article about ArcSight.

Ray Lane buys dinner - Who buys ArcSight?

One of ArcSight’s board members told me the company is hitting close to the $75m revenue number, that’s getting close to the magic $80m to $100m level that could initiate an IPO–except that the IPO market is in the doldrums.

Agree with most of what it says. Though I wouldn’t call these “easy ways.” None of them is easy unless you are willing to spend time working on them.

My comments on the points…

1) Learn Ruby and Ruby on Rails.

So I call BS on this one. I know the author says these are examples of how to write clean code, but you don’t need to learn a specific language just to learn how to write clean code. What happens now if you have to work in a C or Java or C# environment?

The latest language and coolest technology is just fad. It will come and go. However, basic fundamentals of good programming is always necessary. I’ve always said that once you understand the semantics of programming, syntax will come to you. There’s really no difference in how you program in C, PHP, Java, Python, Ruby or whatever the latest language is. Once you understand WHAT you want to do, you can pick up the language syntax fairly easily.

2) Read The Daily WTF?

This actually is a pretty interesting site to read, if you have the time. Every once in a while it gives examples of good and bad pieces of code.

3) Learn something new every week.

Couldn’t agree more. I’ve always told people that the best programmers are lazy programmers. Lazy programmers will try very hard to make things simple for themselves and avoid doing as much work as possible but still finishes the job. By that, I mean most lazy/good programmers will find existing code/libraries that fit their needs and use them. Obviously there’s certain amount of due diligence you have to do here to ensure the code you are copying is legal and “good.” For example, using Apache Foundation’s libraries is generally legal and “good.” Learning something new every week, e.g., find a intersting library and learn how to use it, will allow the programmer to be lazy when needed.

However, being lazy doesn’t remove the need for programmers to understand the fundamentals. I know I always have arguments with some folks on whether to develop everything from scratch or reuse other’s library. I am always on the side of reuse/copying other people’s code. Some folks tend to want to write his own to fit his exact needs.

Even though we are on the extreme opposite of each other, we generally agree that programmers do need to understand the fundamentals of algorithms and data structures, etc.

4) Understand customer wants != customer needs.

Again, agreed! To add to this point, I believe programmers need to understand the general market they are developing for as well. You need to make sure you understand the general market trend and why customers are buying your solution.

If you are just a programmer that always just take the “spec” from the architects and write the code to meet the “spec,” then you will never become a good programmer. A good programmer should be able to

• Understand what the customers need
• Anticipate the customer needs based on the understanding of the product and market. This is perhaps the MOST difficult step for most programmers as many are so used to just coding from spec.
• Spec a solution that meeds the needs as well as being able to critique others’ specs. Again, some programmers can spec a solution based on the requirements, but a good programmer with understanding of the market and product and customer requirements can critique others’ specs.

5) Find some passion!

This is a bit general but it’s somewhat true. If you don’t like what you are doing, you most likely won’t spend the time on doing the best job.

I also want to add a couple things to the list:

6) Communication is king!

One of the the things I find most lacking in most programmers is the ability to communicate, both written and oral. Just because one can code (even if he’s a clever coder), doesn’t make one a good programmer.

I believe communication is what separates a average programmer from a good or great programmer. In a rapid development environment, it’s critical that everyone understands

• What problem you are trying to solve
• Do you understand the customer use case
• What are the proposed solutions
• What are the pros and cons of the proposed solutions, essentially what’s the thought process behind these solutions
• Which proposed solution you chose and why
• What are the caveats with the chosen solution
• If there are any caveats, are there workarounds
• What is the workflow of the solution, e.g., how is the customer going to use the solution?
• Have you tested the workflow on others and convinced them that’s a viable solution
• Can you prototype it and show it to others for feedback

A good or great programmer would have gone through this process and covered every angle to ensure a successful solution. As you can see, most steps in this process is about communicating to others what your proposed solution is. Communication should happen way before any code is written (unless you are prototyping.)

If I were to hire programmers, regardless of how good the programmer’s coding skill is, if he cannot communicate effectively with the team, then he’s not a good fit for the team.

This article on Engineer Interview Triage? also emphasizes the importance of communication.

7) Be able to do mock ups and prototypes.

This again has to do with communicating your solutions to others. One of the best way I’ve found/seen to communicate your ideas, however brilliant, is to show people what it looks like and how it works. Prototypes are just that, examples and models of the real thing. It doesn’t have to be perfect or covered all cases. But it should be able to demostrate

• The solution. Does this idea really solve the customer issue?
• The workflow. How the customer (customer in this case maybe your fellow team members) will use it from start to finish?

The prototype should convey enough of your solution to get people talking and discussing.

Anyways, these are my thoughts. Love to hear what your thoughts are…

[Update: Announcement was made today on the NI acquisition by EMC. Interesting how the NI story is hidden inside a much bigger story. Does that indicate what's to come? That NI is going to just be a small piece of the EMC security story? The PR doesn't even mention the price. However, Reuters' piece mentions the $175m figure.]

I think one of the best description of COBIT vs ISO vs ITIL is the article The Big Picture: ITIL as an Integrated Framework written by Kevin LeBlanc:

All these frameworks can add value to just about any IT shop depending on the specific business needs of the parent organization. However, the best fit-for-purpose combination benefiting ITIL practitioners may point to CoBiT (audit), ITIL (improve) and ISO17799 (secure).

This description clearly defines the role of each of these frameworks and how they complement each other. Any organization wanting to improve operational efficiency should adopt these 3 frameworks.

As its first order of business, the PCI Security Standards Council released PCI DSS v1.1. The Payment Card Industry Data Security Standard (DSS) v 1.1 has replaced the DSS v. January 2005, and the PCI Security Standards Council will no longer recognize DSS v. 2005 after December 31, 2006.

Here are some of the interesting documents.

• PCI Data Security Standard v1.1
• PCI DSS Audit Procedures
• Summary of Changes

One change that everyone took notice was the language around data retention.

In v1.0, sub-requirement 10.7 said

An audit history usually covers a period of at least one year, with a minimum of 3 months available online.

In v1.1, it now says

Retain audit trail history for at least one year, with a minimum of three months online availability.

The change is significant. It now means everyone who processes, stores or transmits credit card information MUST retain audit trails for a minimum of a year. Whereas before in v1.0, it was not a requirement.

There are other changes worth noting.

Changes to requirement 1.2 and 1.3

v1.1 removed some of the specific protocols and is now using phrases like “necessary for the cardholder data environment.” The question is who determines what’s necessary for the business?

Addition of 2.4

This requirement basically put all hosting providers including ISPs, MSPs and MSSPs in the same categories as merchants. The hosting providers must now conform to PCI DSS.

In addition, the hosting providers must ensure that the hosting customers can only see data that belong to them.

Changes to 5 and 5.1

v1.1 both expanded and restricted the scope of systems that require anti-virus software. It expanded the scope by stating “all systems commonly affected by viruses” instead of the old v1.0 saying, “all email systems and desktops.”

It restricted the scope because it added a note saying that UNIX-based systems or mainframes are typically not ffected by viruses.

There’s also a new sub-requirement 5.1.1 that requires anti-virus software to also detect, remove and protect against spyware and adware.

Added clarification to 6

A note is added to requirement 6 saying that

Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations.

I am somehow seeing that many organizations will be using this as an out for not installing patches.

Auditor: “oh you don’t have patch X installed.”
IT Admin: “oh sorry, we haven’t tested it sufficiently to know if it will downgrade our security settings.”
Auditor: “but you are suppose to test this.”
IT Admin: “oh we know, but the PCI DSS doesn’t say when we have to do it”

Addition of 6.6

Sub-requirement 6.6 says you need to protect your web-facing applications by having someone do a code review of your application or install an appliation layer firewall infront of them.

I can just see a jump in sales for the Cyberguard, Symantec Enterprise Firewall and others.

• Eric Fitzgerald’s Windows Security Logging and Other Esoterica - Always a great blog to get all kinds of good info on Windows events. Eric’s a Program Manager for Windows Core Security. He’s pretty active on the loganalysis list as well and always gives out great tips.
• Windows & Active Directory Auditing
• Top 5 Security Settings to Audit
• Windows Security Logging and Other Esoterica : What is up with Audit Collection Services?
• Software Update Services White Paper - Lots of info here that talks about the different event IDs related to SUS
• Randy Franklin Smith’s Security Log Encyclopedia - The one and only resource you need if you want a good categorization of windows events
• Microsoft Events and Errors Message Center - Find detailed message explanations, recommended user actions, and links to additional support and resources.
• Automating Windows Patch Management: Part II - Some more event IDs here…
  

There are plenty of links out there. Can you add to this list?

I think the general consensus is that log signing ALONE is not going to be enough, and that signing just the filtered log is also not enough.

Very interesting read. Should definitely check it out.

I agree with Marcus… log signing [alone] is not going to make or break
a court case — it [alone] might almost be asking for trouble.

As I pointed out later in my earlier response, the big deal is to get
all possible logs, even if they don’t appear relevant to the particular
matter — so you can show the trace, other anomalies (or lack of other
anomalies).

It’s definitely worth scanning through. There are some interesting findings:

• Regulatory compliance related to information security is among the most critical security issues customers face.
• Virus attacks continue to be the source of the greatest financial losses. ($15.7 mil)
• Unauthorized access continues to be second-greatest source of financial losses. (10.6 mil)

It’s also interesting that e-mail and web activity are used by over 50% of the organizations as effective security techniques. (page 17)

Not surprisingly, data protection is cited as the most critical security issue for the companies for the next two years. (page 24)