Category Archives: Security

Are we in the hype phase of AI?

The entire tech industry has embraced the “AI” label in the past few months, but how real are the offerings in the marketplace today, and who will reap the benefits of these AI functions and capabilities in many of the tech tools we all use?

AI, ML, LLM and related terms have been emerging in many different areas of tech for the past few years. At Oracle for Research, we funded a lot of AI projects – including use of AI to triage accident victims based on X ray images of long bone fractures, use of ML to interpret three dimensional posture analysis based on the inputs from a smart watch (trained on exercise videos on YouTube), AI assisted molecular modeling for drug screening; and a project for which I was proud to be a co-author on a conference presentation using AI to map agricultural land use in Nigeria from satellite photos. In fact, we sponsored so many AI and ML workloads that I had a weekly meeting with the GPU team to determine where in the world was best to run these workloads to minimize impacts on paying customers.

It’s clear that the impacts of AI and ML in many enterprise systems will be large and I see Microsoft, Apple, Oracle, Google, and others making enormous investments to add these capabilities to consumer and enterprise products. This afternoon I was able to take a photo of a plant in my garden, and the ML integration with the iPhone camera was able to tell me immediately what the pant was and gave me a set of informational links on how best to care for it.

I’ve been using ChatGPT for help on scripting and coding too – it’s great at suggesting R and Bash prompts based on what I have already done – and then I can test whether it’s correct in RStudio immediately. The success rate is not 100%, but it’s pretty good – and more efficient (although probably not as good for my learning) than the countless google searches for suggestions I would have otherwise used.

Realistically, though, how is AI going to impact most of the businesses and organizations that I have spent the past 20 years working with around the world? AI and ML might transform how things are done in Palo Alto, Seattle, Austin, and Cambridge but are they really going to make a big difference for that international steel distributor I worked with? The one that had 35 different ERP systems with no shared data model, data dictionary, or documented processes (and yet was still a billion dollar company). Or the truck parts manufacturer in Indiana with facilities in five countries who didn’t use cloud resources because they weren’t sure if it was a fad? How about the US Federal department that oversees a substantial part of the GDP of the nation – where their managers vaguely waved their arms about “AI” transforming their (non-documented) processes. How, I asked, were they going to train models when they didn’t actually collect data on processes and performance today?

I don’t mean to be a downer, and I think the capabilities of AI and ML can, and will, transform many aspects of our lives but I do worry that most of the people who are the technology’s biggest advocates have no idea how exactly the vast majority of their users (organizations and end-users) work day to day. Most companies and organizations in North America, Europe, and APAC haven’t even mastered and deployed search yet. Employees spend substantial parts of their work weeks looking for things that exist – and many of the largest tech firms are in this situation, not just mom and pop businesses.

The process of transforming most organizations and enterprises around the world to data driven practices – which will then provide data that can be used to train models – is still underway and has been for many years. The general purpose LLMs will be great for fettling language in press releases, and the pattern matching models will be great for sorting and tagging my photos, but true, transformative change to the way that organizations work based on AI insights tailored to their specific needs and trained on their data will be much further away.

Why I changed my mind about the cloud

I was very skeptical about cloud deployments for quite a while. I had seen the failed promise of application service providers (ASPs) and virtual desktops in the late 1990s and early 2000s and was very cautious about committing our company’s or our clients’ most sensitive data to “computers that belong to someone else”.

What changed my mind? I think it was primarily security and management and I remember being at an AIIM meeting in NYC (at the Hotel Pennsylvania, across 7th from Penn Station and MSG) and the speaker asking people if they thought their own security people were as good as those that Amazon and Microsoft could attract. Like all good scientists, I knew to re-examine my assumptions and conclusions when faced with new data and that comment really resonated with me.

I thought about where the vulnerabilities and issues were with self-hosted systems. How their ongoing stability often relied on heroic efforts from overworked and underpaid people. How I had started my tech career at a 2000-era dotcom and had been the manager of the team desperately trying to scale for growth, manage security and also fix email and phone issues in the office. I remembered the ops manager at doubleclick (when they were based at the original skyrink building in Chelsea) telling me how they treated their commodity servers to reboot after an error, then a reimage, then straight to the dumpster if that didn’t fix it – the earliest instance I had come across of treating servers “like cattle not pets”.

Over time, my thinking changed and I now think that cloud server deployment is the best solution for almost all use cases. We’ve deployed complete cloud solutions for ministry clients in NZ on private cloud engineered systems and on government cloud virtual servers. TEAM IM moved all of our internal systems to the cloud and gave up our data center 6 or 7 years ago – now everything is Azure, AWS, or Oracle Cloud.

Is it right for everyone? No; here are some examples I’ve encountered where it is not:

  • Insurance client that does 40+ data validations against internal (AS400) systems with every process
  • National security client managing extremely secure archival data in house (although that may change in the future)
  • Oil exploration company deploying to remote sites with very limited bandwidth (although we did some backend sync nightly).

But for most of you? Can you hire better engineers and security staff than Microsoft or Amazon? Can you afford to deploy servers around the world in different data centers? Can you afford to have additional compute and storage capacity sitting in racks ready to go? Do you operate in an environment where connectivity is ubiquitous and (relatively) cheap and fast?

Rethink your assumptions and biases. Change your mind when presented with new data. Make the best decision for your organization or clients. Good luck!

Apple “just works”?

Marco started the conversation with his posting questioning whether Apple had lost the plot – an article which he now says he wishes he hadn’t posted.  I can see why he would rethink the language and tone of the piece, but he does raise an important point that the quality of software execution at Apple has been markedly poorer in the last 1-2 years.

I’ve been an Apple user since 1988 and shareholder since 2000.  I sold most of the shares I bought at $15 in late 2000 when the stock split and then hit $100 in 2007; it covered most of the downpayment on my apartment (may have been a poor choice in retrospect, but I needed a place to live).  Historically Apple didn’t release major OS updates very frequently and that frequency of release has accelerated since Lion in 2010.  It’s clear to anyone who pays attention that software quality has been problematic since then and is getting worse.

  • iTunes has major issues that haven’t been addressed for years
  • Yosemite had major functional problems in the initial release, and many serious OS X users have still not upgraded because of this (including me)
  • Apple Mail is outdated, inflexible, and barely functional
  • User security for iCloud is terrible and risks damaging Apple’s reputation altogether.

I could go on.

Five years ago I would have recommended OS X and iOS to friends and relatives because things were simpler and easier to use.  The hardware is higher quality and the integration between devices is still better than the other options, but this is mainly because the other options are so terrible. Microsoft lost the plot with Windows 8 and I almost never see it in the wild. Desktop linux is still reserved for enthusiasts and is still not an option for most users. I spend too much time in the work day wrestling with linux and solaris servers, I don’t need that for a desktop platform.

Apple is still my OS of choice but I worry that they really need to improve their software development and release process.  This probably means slowing major releases to 18 or 24 month intervals, but who would complain about that?

 

Alfresco integration with Salesforce

Back to meat and potatoes – or their vegetarian equivalent in my case.

We are working with a client to deploy Alfresco One as a content and records management platform for their business.  An important requirement is that we be able to integrate with Salesforce as that’s where their contracts are currently stored as attachments and where their workflow exists.  During the scoping process we knew that Alfresco had created a Salesforce integration app that was available on AppExchange.

However, there are some limitations and “gotchas” that are good to know about  when designing a solution around this integration.

  1. The integration is only supported for my.alfresco hybrid cloud integration.  This is driven by Salesforce’s security requirements.  If you have an on-prem or hosted Alfresco installation you will need to synchronize with the cloud extranet.
  2. The integration is really designed to be initiated from the Alfresco end rather than (as in our case) putting attachments from Salesforce into Alfresco.  The developers at Alfresco have been very helpful in giving us guidance on how to work with this, but understanding this “normal flow” would have helped us earlier in the process. Learn from my mistake!
  3. All the content from Salesforce is put into a single “attachments” folder in a single site. However, if the SF record has an account record as parent record it becomes the root for that structure and then each object becomes a child of that folder.  For example: Attachments ->ClientA->OpportunityZ                                       Attachments ->ClientB->CaseY
  4. You can use Alfresco rules to move content around if it makes better sense in your existing organization because nodes are tracked no matter where the files are moved to.
  5. All the content in the SF site will have common security, so you will have to assign security to content.  Again, the integration is built from the PoV that content is initiated in Alfresco, synced to the cloud, and from there to SF. If you are reversing that flow, things become WAY more complex.
  6. The current release of the Alfresco integration app only supports a default set of metadata for Accounts, Opportunities, Contracts, and Cases – these need to be mapped to Alfresco properties. However, we hear that there may be support for custom metadata in the next release.

Overall the integration is great if you are following the use case it was designed to address.  The documentation is good, installation is easy, and the developers have been helpful and responsive to questions. But we may need to look at other ways to extract the existing content and populate our Alfresco repository.  I’m currently looking at Data Loader as a tool to extract existing objects for import into the Alfresco instance.

(Thanks to Jon Chartrand, Jared Ottley, and Greg Melahn for their help in gaining this insight – all mistakes are mine)

Encryption – iOS8, Google, and OSX

When Apple announced that iOS 8 would enable encryption of the on-device files by default, there was a lot of ill-informed outrage by various pundits and law enforcement types around the world.  After Google also announced plans to follow suit in the next release of Android, FBI director, James Comey, described this as allowing “people to place themselves above the law.” Predictably, various politicians, police, and spies complained that it would make their lives somewhat more difficult and trotted out the standard disinformation tactic that only terrorists and paedophiles would need this capability.

The trouble with the argument that only people of bad intent would need to encrypt their phones or computers is that there is clear evidence in recent history of who considers themselves to be “above the law”. Hint: it’s not consumers. Could it be the FBI illegally searching call records for years without warrants? Perhaps the NSA’s illegal surveillance of US citizens? Even the Daily Mail was driven to report that over 25% of searches by UK police were illegal. There are similar stories in Canada, Australia, and New Zealand, not to mention all the countries we were supposed to be better than because their police and government undertook this kind of surveillance.

Not content with state actors breaking the law, we find that companies are also stealing data and information from individuals.  Not Chinese state authorities, but stalwarts like Verizon who were hijacking and tracking all traffic using a “perma-cookie”, LinkedIn illegally slurping users email contacts against their express wishes, Google illegally collecting wifi network info, and AT&T illegally copying all internet traffic and passing that traffic to the NSA.

So who are the bad people in this equation? I have to add the various police and security forces of most of the countries in the world to the list of people who will break the law to steal my personal data and files.  Faced with overwhelming evidence of illegal activity going on all around me, I’m currently in the process of encrypting all my external and internal hard drives (using FileVault on OS X).  I’m very happy to see that this is default behavior in the latest Yosemite release of OS X – although I’m holding off upgrading for other reasons.  I will happily embrace two factor authentication wherever offered and encryption of all traffic and stored files as far as practical.

If the police or legal authorities of whichever country I am in at the time wish to follow the laws of that land and swear a warrant for lawful access to my machines, I will respect that process. Until then I’ll be using 256-bit encryption as widely as possible.

As an interesting aside, the RIPA (Regulation of Investigatory Powers) Act  in the UK makes it a criminal offence, punishable by up to two years in prison, to refuse to provide encryption keys to police. Many other countries have similar laws, but the USA appears to be currently upholding the 5th amendment.

Update on Shellshock

Having poo-pooed much of the overreaction about the “shellshock” bug in bash, I will still be patching my systems.

Apple have released a patch for Mavericks here and it’s probably wise to patch now rather than waiting for it to be pushed in an App Store update.

I still don’t think it’s a big risk for most users, and it’s definitely not a reason to eschew cloud deployments in the future.

“Shellshock” and various other FUD

I was going to write about what’s new in Alfresco Enterprise 5.0, which was launched at the Alfresco Summit in SF this week.

But then I got distracted by Bash and “shellshock“.  I linked to the Forbes article, but I could have linked to 77,500 other news articles (according to Google at 5pm today) and I guarantee that 77,000 or more of those stories will contain misinformation, confusion, FUD, and general bullshit.

I run a mac, so as soon as I read the news I knew that OSX contains bash and would therefore be vulnerable.  I’m far from a bash guru, but it’s my shell of choice and I use it on Linux and Solaris as well if I can.

Last night I checked my firewall settings and tightened them up a little by enabling “stealth mode”, deleting rights from a couple of old apps that don’t need connections, and unchecking the “automatically allow…” box

firewall copy

However, the more I read about the issue, the less I saw it being likely to affect most users.  The bug/exploit/hack requires a remote user or process to execute a script on your server/computer in order to invoke the weakness – which is executing more code than the shell should allow, usually as profile settings.  This is a decent explanation of the issue.

So the average user will be unaffected by this unless she or he has enabled advanced unix services and set up their machine to respond to requests from external servers.  Obviously web servers and other public-facing servers need to respond to such requests, so they are more at risk.  Hopefully most of those systems will be professionally managed (he says with a straight face) and patched quickly and efficiently.  The embedded systems and infrastructure (switches, routers) weaknesses are potentially more difficult to solve and patch, but that’s another topic.

What really annoyed me about the coverage of this (apart from the general cluelessness exhibited by authors writing for many publications in order to incite outrage and fear) was that people who should know better were using this as an argument *against* cloud services.  That’s absurd, since both systems are equally at risk and the chances of cloud infrastructure being professionally and competently managed is (in my experience) higher than locally managed servers.

Two factor security challenges

<Updated> Clarification of specific issues with 2-factor authentication by vendor:

Apple – two factor authentication becomes three factor when Apple disables your password and refuses to re-enable or change it. The Recovery Key then becomes the only factor in single factor auth.

Microsoft – two factor authentication with your MS Account (live? not sure what they brand it as this week) is not supported for Office365 accounts – so you have to generate a new one time application password each time you reboot your computer.

Ebay/PayPal – handoff from Ebay to Paypal (with 2 factor auth) doesn’t work on iPad. Prompts for password and then redirects prompting for SecureID token.  Does appear to work on Safari for Mac.

Dropbox – does appear to work, but I’m sure I’ll find flaws

Google – do they even have two factor? I don’t use their spying stuff.

 

Those of you who follow me on twitter will know that earlier in the year Apple’s poor excuse for two-factor security and support frustrated me for months (literally) and ended with me losing everything I had ever paid for with that account and having to create another account from scratch.

I’m now finding out that Microsoft has implemented two factor security in a similarly half-assed way.  I just switched to a personal MS365 subscription for Office 2011. Since installing Office 2011 I had been annoyed by the 365 login screen each time I rebooted my computer.  But now I’m using my own account with 2 factor auth, it’s even worse. I get prompted for a login, but my password doesn’t work – I then have to login to account.live.com, authenticate, generate an app password, copy that and then paste it into the prompt screen.  After talking to 9 different MS support people, none of whom even understood the issue, I have to assume it’s working as designed.  Their only advice was to turn off two factor authentication.

Add to that my experience last week where the handoff between eBay and PayPal (also with 2 factor auth) was completely broken on the iPad and my conclusion is that for normal users the overhead and annoyance associated with security is untenable.

We are surrounded by news of security breaches on a daily basis and yet the largest software companies in the world can’t implement two-factor security properly. Password management is a mess because web pages prevent you from copying passwords into the login screens or because apps on your mobile devices forget the password at every update and again don’t support pasting of username and passwords.

I’m a technical person that has been using these systems since the mid 1980s. I understand the importance of password management, secure authentication, etc. and I’ve even experienced the outcome of hacked passwords and lost accounts. But to expect “normal” users to manage these broken and difficult to use tools is ridiculous.  People will just throw up their hands and go back to 1234 or password because trying to do the right thing is too hard and ends up with you locked out of your account.

I’m not sure how this is going to improve.  The burden for these insecure systems is still placed fairly and squarely on the shoulders of people with lithe to no interest or training in technology. There’s no clear competitive advantage in more secure and easy to use logins because nobody at the companies pays any price for their failures.

  • Two-factor authentication (as it is implanted by almost every tech company) is broken.
  • Username / password is broken.
  • There is no clear alternative currently out there.
  • We will continue to get daily reports of “hacking”, “cracking”, and online theft.