
Security 01/29/2013

Posted by TBoehm30 in Uncategorized.

I have a spreadsheet with over 150 passwords on it. I have to change my work passwords every 45, 60, and 90 days depending on the system. I ask myself ‘is this more secure?’

I’m no security expert, and sometimes the rules really bug me. Why do I need to change my password? Why should I have different passwords? What is the risk if I don’t follow the rules? I wanted to vent a little, so I started this article. Then I did my research to better understand the issue. Here is what I learned:

The security experts tell us to change our passwords often. The best reasons I have seen have to do with holding off attackers long enough for the password to have changed. If an attacker gets hold of a password file, whether from a backup tape, the trash, or a break-in, they could use it to log on to any account whose password hasn’t changed since.

The nice thing about those password files is that the passwords are encrypted, or hashed, so hackers don’t actually type in your real password; they use the hashed version from the file. If you simply change one letter, or add a number, then the hash is different and can’t be hacked. The problem is that a hacker could break the encryption and figure out your password pattern. Then they could easily guess your next password, which gives them access to your account.
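As an added illustration, not code from the original post, here is what one entry in a hashed password file looks like and why a one-letter change produces an entirely different hash: a random per-user salt plus a PBKDF2-HMAC-SHA256 hash, with the login check re-deriving the hash and comparing it in constant time. The iteration count and the fixed salt used for the side-by-side comparison are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; an assumed value for this example,
# tune it upward for the hardware the real system runs on.
ITERATIONS = 200_000


def make_record(password: str, salt: bytes = b"") -> dict:
    """Build the entry a password file stores for one user: a random salt and
    the hash derived from salt + password. The password itself is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), bytes.fromhex(record["salt"]), ITERATIONS
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def hashes_differ(old_password: str, new_password: str) -> bool:
    """Same salt, one character changed: is the stored hash different?"""
    salt = b"constructed-fixed-salt"  # fixed only so the two hashes are comparable
    return make_record(old_password, salt)["hash"] != make_record(new_password, salt)["hash"]


if __name__ == "__main__":
    record = make_record("Summer2013")                # what lands in the password file
    print(record)                                     # salt + hash, no plaintext
    print(verify(record, "Summer2013"))               # True
    print(verify(record, "Summer2014"))               # False
    print(hashes_differ("Summer2013", "Summer2014"))  # True
```

Because every user gets a fresh random salt, two users with the same password still end up with different entries in the file, and the verifier never needs the plaintext, only the salt and the stored hash.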

What are the odds that you or I would be singled out for attack? Hopefully, those odds are not very high, but how much risk are you willing to take? If your whole company system gets stolen, copied, shut down, or broken, how much blame do you want to take? It’s probably better to just suffer by changing your password.

Why can’t all my passwords be the same? The problem is that hackers can get passwords from the least secure system. Even worse, the people who run all of those other systems have access to your unencrypted password. Joe, at buycoolstuffhere.com, created the site simply to steal people’s passwords along with a good username. He then tries those credentials at every financial website until something works. Then he has full access to your money.

Why do I have to answer security questions? The security questions are usually there in case you forget your password. The answers are usually pretty simple to find on the internet, and they are the biggest risk for casual users. People in the public eye are constantly having their email spilled to the public by people who figured out what street they lived on when they were growing up. Some advice from the internet is to give answers that are not really answers, but hints to your password: What was the name of your first pet? “My favorite song lyric”

Bad passwords and PINs: American Express has an authentication PIN that has to be 4 digits. When I tried to give them numbers I could remember, they told me it had to be a date. Why would they cut the possibilities from 10,000 down to 365?

I can see my payroll info online if I remember an 8-digit PIN. The problem is that I am running out of unique numbers I can actually remember. For me to remember an 8-digit number, it must be a full date or part of a phone number; I don’t have any other long numbers burned into my brain well enough not to forget.

Internal security is just as important as external security. Most companies won’t get hacked by strangers in a way that causes them material harm; it is the employees who pose the most danger. If your employees have access to everything, what’s to stop them from downloading the customer list and selling it to the competition? It is important to divide up all data and only grant access where people need it for their jobs. Look at the SOX requirements even if they don’t apply to you; they make sure that users don’t have too much access to the system. That may be why you are limited on your own system, and sometimes can’t even get data you actually need.

So, until a better security system is built, I’ve got over 150 passwords to remember. My spreadsheet doesn’t actually have the real password listed, just a hint to it. The file itself is password protected, heaven help me if I forget that one.

Do you have a good security story? Leave it in the comments below. Do you know that it’s a global world and Technology makes it happen?

ERP Access – Getting Things Done 03/26/2012

Posted by TBoehm30 in Database.

I need 20,000 products changed.  Can that be done this week?

If you went through the normal ERP screens, that would take forever (at 5 seconds each, that is almost 28 hours, or 3 ½ working days). Who could spare that much time to get an important, but non-priority, project done? Who would even have the patience to do that?

For most ERP systems, you wouldn’t have to worry about it taking up over 3 days.  This can be done reasonably easily using an import/export process.  You export the existing data and put it on a spreadsheet so that the new data can be entered easily.  Then, you save the spreadsheet in a format that can be used by the ERP system.  Importing the new data should be simple from there.  It can be done in just a few hours.

Even better would be someone who has direct access to the database.  Give him the raw data and let him create a quick query or program to insert the right data into the correct fields and tables.  That could be done in under an hour with the correct knowledge, skills, and access.

Who do you give that type of access to?  Who do you trust with the ability to make any type of change they want, without additional passwords and auditing?  Who would have both the access to make the change plus the knowledge of the risks of performing the change?

I have worked with many SMBs where the IT groups are great at some problems. They can reset your password, diagnose network issues, and sometimes even troubleshoot the ERP. Some problems, however, require more assistance than the IT department can provide. Changing data in the database requires knowing how fields are linked together and why. You don’t want to permanently screw up the database because of integrity issues. Normalized databases have tables that are linked together so that no data is repeated. Most real databases don’t actually follow that to its final conclusion where absolutely no data is repeated (1NF to 6NF), so changing one table without the other might do some serious damage.

There is also a security issue.  If they can make any changes they want, what else can they do?  Would they be good enough to create new records?  Could they create the necessary records that would automatically pay someone some money?  Could they redirect money to themselves?  Some of those rules to separate duties are just for that purpose.  This project would definitely break those rules.

But, now we are back to having to manually update 20,000 records.  What do you do?  This won’t be a one-time occurrence.  You know that next week, someone is going to find another tweak for 20,000 records.

This is where you need someone trustworthy to work outside some of the rules. You need someone who understands the data, has the access, and has the confidence to make changes to a production database. Without that person, you are stuck with manually updating 20,000 records.

You need someone who is good enough to say ‘no’.  If he can say ‘no’ to the boss when asked to make a dangerous change, then you can trust him with the access to make the important changes.  That is the deciding factor in trusting someone with access outside the rules.

Sometimes someone will ask for a change that seems logical, but could produce serious side effects to the system.  You need someone who can stand up, even to the boss, to say ‘no’ that won’t work.  Hopefully they are good enough to find a workaround, but the key is saying ‘no’.  I have worked with too many IT people who have a little knowledge, want to look good to the boss, and end up wrecking everything.

Another helpful tip is to test everything in a testing environment. Don’t test in Production. When you are reaching into the database directly to make a change, you need to double-check everything. Make the change in a test environment and then use the data: create some Work Orders or Purchase Orders, solve some cases, or redirect calls. You need to do regression testing on those changes.
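Putting the advice of the last several paragraphs together (direct database access instead of 20,000 screen edits, integrity between linked tables, and rehearsing in a test environment before touching production), here is an added example that is not from the original post or any real ERP product. It uses Python’s sqlite3 module with a constructed two-table schema and sample data: the bulk price change runs inside one transaction, the dry run goes against a copy first, the foreign key from order lines to products refuses a change that would orphan rows, and a row count that doesn’t match what was requested rolls the whole thing back.

```python
import sqlite3

# Constructed stand-in for an ERP schema (not any real product's tables).
SCHEMA = """
CREATE TABLE products (
    product_id  TEXT PRIMARY KEY,
    description TEXT NOT NULL,
    price       REAL NOT NULL CHECK (price > 0)
);
CREATE TABLE order_lines (
    line_id    INTEGER PRIMARY KEY,
    product_id TEXT NOT NULL REFERENCES products(product_id),
    qty        INTEGER NOT NULL
);
"""


def build_production_db(n_products: int = 20000) -> sqlite3.Connection:
    """Production stand-in filled with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # make the table links enforceable
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        ((f"P{i:05d}", f"Widget {i}", 10.0 + i % 50) for i in range(n_products)),
    )
    # open orders still point at these two products, so their ids are in use
    conn.executemany(
        "INSERT INTO order_lines (product_id, qty) VALUES (?, ?)",
        [("P00001", 3), ("P00002", 1)],
    )
    conn.commit()
    return conn


def rehearsal_copy(prod: sqlite3.Connection) -> sqlite3.Connection:
    """The test environment: a throwaway copy of production for the dry run."""
    test = sqlite3.connect(":memory:")
    prod.backup(test)
    test.execute("PRAGMA foreign_keys = ON")
    return test


def apply_price_changes(conn: sqlite3.Connection, changes, expected_rows: int) -> int:
    """Apply (new_price, product_id) pairs as one transaction.

    A constraint violation, or a row count that differs from what the requester
    said would change, raises and rolls everything back, so a partly applied
    change never reaches the tables."""
    with conn:  # commit on success, rollback on any exception
        cur = conn.executemany(
            "UPDATE products SET price = ? WHERE product_id = ?", changes
        )
        if cur.rowcount != expected_rows:
            raise ValueError(f"touched {cur.rowcount} rows, expected {expected_rows}")
        return cur.rowcount


def rename_product(conn: sqlite3.Connection, old_id: str, new_id: str) -> None:
    """Change a product id. SQLite refuses (IntegrityError) while order_lines
    still reference it: the linked-table damage the post warns about."""
    with conn:
        conn.execute(
            "UPDATE products SET product_id = ? WHERE product_id = ?", (new_id, old_id)
        )


def price_of(conn: sqlite3.Connection, product_id: str) -> float:
    return conn.execute(
        "SELECT price FROM products WHERE product_id = ?", (product_id,)
    ).fetchone()[0]


def run_change(prod: sqlite3.Connection, changes, expected_rows: int) -> int:
    """Dry-run against a copy first; only if that succeeds, touch production."""
    changes = list(changes)
    apply_price_changes(rehearsal_copy(prod), changes, expected_rows)
    return apply_price_changes(prod, changes, expected_rows)


if __name__ == "__main__":
    prod = build_production_db()
    reprice = [(99.0, f"P{i:05d}") for i in range(20000)]
    print(run_change(prod, reprice, expected_rows=20000), "rows repriced")
```

The expected row count is the cheap sanity check that catches a mistyped WHERE clause or a spreadsheet with stale ids before anything is committed; the foreign key and CHECK constraints catch what the requester did not think to ask about.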

If you don’t have someone at your company who is that good and that trustworthy, then good luck fixing the products by hand. It should only take a couple of days without sleep.

Tell me about your large, tedious project; did you hack the system to fix it quickly, or have to spend days doing it the hard way? I’d like to hear your stories, because it’s a global world out there and technology makes it happen.

How close is your software vendor? 10/12/2011

Posted by TBoehm30 in Software.

 

The other day I had a software problem.  My client had come to me with an issue and I had to come up with a solution.  I have been working with them for a while so I know their software pretty well.  I can usually figure out their problems and either solve them or come up with a workaround.  At the very least I can use their testing environment to document all the steps to recreate the problem as well as the steps taken to try to solve it.

My client has a valid contract with the software vendor and has full access to their help desk.  I am sure you have dealt with many ‘help’ desks and are completely familiar with what that means.  Some of them are very good and some of them are worse than a hot day in the desert.  I have to admit that this one is actually pretty good.

The trick is in the communication.  The people who I work with can’t always communicate their problems in such a way that the help desk can solve them.  They also have trouble understanding the responses.  Sometimes the tech-speak is just too complicated.  That’s where I come in.  I can help translate for both sides to get the problem solved.

Today, I found what I thought was a bug in the software.  The company that created this software is very sensitive about criticism of their programs.  I didn’t want to go to the help desk with this one until I had verified functionality with one of their senior consultants.  Since I am on good terms with several of them, my options were open.

The project manager for our implementation likes for me to go through him before talking to the consultants.  I shot him an email with my problem.  Within a few hours he had confirmed my problem, sent it off to tech support, and came back with a solution.  It wasn’t really a bug, but a setup problem.

I have dealt with many software companies throughout my career.  I have talked to people who were really good at their job, but the company was terrible; and I have talked to people who couldn’t help a cat out of a bag, even when their company was great.  A response within a few hours with a solution, going around the help desk, is above average support.  I would recommend that any day of the week.

When you are looking for software, it is important to determine what kind of relationships the vendor develops with its clients. Sure, you will get references and talk to them about the pros and cons of the software; but you also need to find out about the vendor’s responsiveness. You need to find out about their personnel. Do they stay in touch with their clients? Do they come back to find out if there are any lingering issues?

Before you make a decision on your software, find out who your main contact will be. Try to meet with him or her at a time and place where you have plenty of time for questions. This person needs to be someone you can trust and build a relationship with. They need to listen; you need to feel like they are listening to you and not thinking about what they will say next. They need to be flexible. Throw them a hypothetical curve ball; how do they react?

If this person doesn’t meet your criteria, don’t abandon the software vendor entirely, just ask for someone else.  Most companies would be happy to switch personnel if it means a chance for a sale.  Make sure you still have time to repeat the process with someone new.

My criterion is someone who understands that it’s a global world out there and Technology makes it happen.

What is a bug? 04/02/2010

Posted by TBoehm30 in Software.

What is a bug? Of course, I am talking about a software bug, and not the six-legged variety. To me a bug is any quirk of the program that I find should and could be done better. That puts the entire definition in my hands. I am the one that gets to define what is and isn’t a bug. As the user, I get a say in how I think the program should work.

I don’t always get my way. Recently, I got into an argument over some software that wasn’t performing according to my needs. The problem was minor, the workaround was easy, and the reason for its existence was obvious. That doesn’t change the fact that this was a bug (see the definition above). The software vendor took offense at my criticism and explained that it was not a bug and that the underlying code is, in fact, written correctly.

Wikipedia defines a bug as:

A software bug is the common term used to describe an error, flaw, mistake, failure, or fault in a computer program or system that produces an incorrect or unexpected result, or causes it to behave in unintended ways.

By this definition I have to admit that he was right. Their system was designed by the software company to meet their requirements. Since he insists that the result meets their requirements, then there is no error, flaw, mistake, failure or fault.

So who is right?
This argument goes on all the time. Users often incorrectly think that something is a bug in all kinds of situations:
It is their own fault (PEBKAC).
They haven’t read the manual and therefore don’t understand the software.
They want the software to run better, and suggest an improvement.
They need new functionality in addition to what they’ve got.
They don’t like the output of the system, but they don’t have a way to change it.
The system isn’t as intuitive as it could or should be.
(Yes, some of these overlap; No it is not a complete list. Feel free to add to it in the comments; I’ll add them later if they are good enough.)

The software vendor can reply to almost any “bug” report that it fits into one of the above categories. Unless the bug is something obvious like “the computer crashes when I enter a 10 digit number in the text box prompting me for a phone number”, the vendor can come back and deny that it is a bug.

If the vendor actually does call something a “bug”, then they will be forced to fix it. If they can deny that it is a bug, then the cost of a fix can be avoided or at least delayed. Vendors have several choices in arguing against calling something a “bug”. They can say that it is not reproducible, so it must have been the computer. They need more information because they can’t reproduce it on their own systems.

My favorite is the SWAD excuse – System Works As Designed. This means that what I am seeing, not liking, and getting frustrated with, is not actually a bug. It means that the software programmers deliberately set out to annoy me. It means that they don’t really care that a simple peon like me has an opinion about their gigantic company. They don’t believe that I could have an inkling of an idea about how hard it is to write enterprise software; how difficult it is to please everybody.

The problem is that I do have a technical background. I do have an idea how hard it is to write large software programs. I do know the difference between a bug, a design flaw, a feature request, and a user problem. I’ve been on both sides of this argument. I’ve been the one who explained that the system works as designed because I designed it. I’ve been the one that denied the bug until it was reproduced in front of my face. I’ve tested software to report bugs. I’ve also used plenty of good and bad software.

If a user was asking for their accounting software to automatically search the internet for recipes, that would be a new feature. It is completely understandable for software vendors to reject those ideas as being too big a project to take on, and too costly an investment.

However, if the software allows the user to re-order the dropdown lists in the system, but ignores the text for some of those lists, that is a bug. Why is it up to the user to know that he shouldn’t use the re-ordering functionality on some lists? The software should either prevent the user from making the change, or allow the change and evaluate the choice in the dropdown correctly and dynamically. The latter suggestion would be my preference. It would make the software more intuitive, easier to customize, and better for everyone.

Reading this, you might get the impression that I recently found a bug in some software, but was rejected by the vendor. I like my software to be usable, intuitive, consistent, and complete. Most of the time software we use works well. Sometimes we have issues with it; and sometimes we report our issues.

All I really want is to be acknowledged. I want the vendor to either explain to me how I can accomplish what I am trying to do with a workaround, or agree to put this bug on a list that will eventually be fixed. I have no illusion that my little problem will ever be important enough to be completed. I don’t expect immediate results. All I want is for the people I am working with to recognize that a bug is defined by the user, and work to resolve the issue, not ignore it. How about you?

Do you need multiple databases? 02/19/2010

Posted by TBoehm30 in Database.

Should you set up multiple databases for the company? No matter what your desire, you will always wind up with multiple databases. Whether they are backup databases, training databases or development databases, they will be needed.

The answer, however, is NO. You do not need multiple production databases for your company.

Using multiple databases has its allure because it allows you to separate your data. You might have internal security issues which require separation of data and access. You might have reporting requirements which demand that information be segregated. You might have data issues which cannot exist on the same database. The easy, quick answer is multiple databases.

There are too many problems with creating multiple databases. Let’s walk through an example that demonstrates the problems with the easy solution. You work at a company that wants a new ERP system for its 3 subsidiaries (it could be any database software – CRM, accounting, manufacturing, etc.). You want to make sure that each subsidiary doesn’t see any data from any of the others. You don’t want them poaching customers, or gathering data about the entire company.

You need a system that will work the same for everyone, but protect your security as well. You want to roll up accounting into corporate from the subsidiaries and have visibility from the top down. Multiple databases sounds ideal for that purpose.

Your company plans on creating or buying more subsidiaries in the future. Your plan for each new subsidiary is simple: Bring up a new database. As an added incentive, your subsidiaries use similar IDs for their data and would have to make significant culture changes if all their IDs had to change. [Think about a customer Id. If they don’t share data, then each of the 3 subsidiaries need a different Id for the same customer.]

Talk to the software vendor. Do you need to purchase extra licenses because of the extra instances of the software? Will they charge more for upgrades when it is not a single project? Will you have to replicate all customizations 3 or 4 times? Will you need extra hardware to handle the different databases? Can they exist on the same server or even the same instance of the database server?

Next look at your needs at corporate. You want visibility from the top which means logging into multiple databases. Are your executives savvy enough to handle that? Will they get confused logging into multiple databases? Is your IT staff savvy enough to handle the extra load? They will have to support all of them – that might mean simple password requests on 4 systems, or data inconsistencies from corporate reports.

Finally, look to the future. Could you combine your purchasing department to get better volume discounts for shared suppliers? How would you do that on multiple databases? How about centralizing the sales department? Could that be done with the setup you’ve chosen? The same goes for most of the functions that could be centralized, but are not today.

How do you solve those separation problems in one database? Yes, there is extra work in that. You’ve got to set up security around each subsidiary so they don’t see each other’s data. You’ve got to figure out a scheme for setting up IDs, such as customer IDs and Supplier IDs, that won’t conflict and won’t cause too much disruption. You’ve got to create a plan to bring up new subsidiaries within the existing system.
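An added example, not from the original post, of the single-database setup this paragraph describes, using Python’s sqlite3 with a constructed schema and sample rows: the subsidiary code is part of every key, so each subsidiary keeps its own customer numbering without collisions; the subsidiary filter lives in the data access layer, so one subsidiary never sees another’s rows; corporate rolls up receivables with one query; and bringing up a new subsidiary is a single row rather than a new database.

```python
import sqlite3

# Constructed schema for one shared database serving several subsidiaries.
SCHEMA = """
CREATE TABLE subsidiaries (
    code TEXT PRIMARY KEY
);
-- Each subsidiary keeps its own customer numbering; the composite key is what
-- stops 'C100' at subsidiary A from colliding with 'C100' at subsidiary B.
CREATE TABLE customers (
    subsidiary TEXT NOT NULL REFERENCES subsidiaries(code),
    local_id   TEXT NOT NULL,
    name       TEXT NOT NULL,
    PRIMARY KEY (subsidiary, local_id)
);
CREATE TABLE invoices (
    subsidiary TEXT NOT NULL,
    local_id   TEXT NOT NULL,
    amount     REAL NOT NULL,
    FOREIGN KEY (subsidiary, local_id) REFERENCES customers(subsidiary, local_id)
);
"""

CORPORATE = "CORP"  # scope label for head-office users who may see everything


def build_db() -> sqlite3.Connection:
    """Shared database loaded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO subsidiaries VALUES (?)", [("A",), ("B",), ("C",)])
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("A", "C100", "Alpha Ltd"), ("A", "C101", "Beta Inc"),
         ("B", "C100", "Gamma GmbH"), ("C", "C100", "Delta SA")],
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [("A", "C100", 100.0), ("A", "C101", 50.0), ("B", "C100", 75.0), ("C", "C100", 20.0)],
    )
    conn.commit()
    return conn


def customers_visible_to(conn: sqlite3.Connection, scope: str) -> list:
    """Row-level scoping: the subsidiary filter is applied here, in the data
    access layer, so a subsidiary user can never ask for another's rows."""
    if scope == CORPORATE:
        rows = conn.execute(
            "SELECT subsidiary, local_id, name FROM customers ORDER BY subsidiary, local_id"
        )
    else:
        rows = conn.execute(
            "SELECT subsidiary, local_id, name FROM customers "
            "WHERE subsidiary = ? ORDER BY local_id", (scope,)
        )
    return rows.fetchall()


def receivables_by_subsidiary(conn: sqlite3.Connection) -> dict:
    """Corporate roll-up straight from the one database: no cross-system merge."""
    rows = conn.execute(
        "SELECT subsidiary, SUM(amount) FROM invoices GROUP BY subsidiary ORDER BY subsidiary"
    )
    return dict(rows.fetchall())


def onboard_subsidiary(conn: sqlite3.Connection, code: str) -> None:
    """Bringing up a new subsidiary is one row, not a new database."""
    with conn:
        conn.execute("INSERT INTO subsidiaries VALUES (?)", (code,))


def add_customer(conn: sqlite3.Connection, subsidiary: str, local_id: str, name: str) -> bool:
    """False if the id is already taken within that subsidiary or the
    subsidiary does not exist; the same local id at another subsidiary is fine."""
    try:
        with conn:
            conn.execute("INSERT INTO customers VALUES (?, ?, ?)", (subsidiary, local_id, name))
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    db = build_db()
    print(customers_visible_to(db, "B"))        # only subsidiary B's customers
    print(receivables_by_subsidiary(db))        # {'A': 150.0, 'B': 75.0, 'C': 20.0}
```

In a real deployment the per-subsidiary filter would also be enforced by the database itself (views or row-level security tied to the login) rather than by application code alone; the function above shows the rule, and the composite key shows how existing customer IDs survive the move to one system.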

Again, talk to the vendor. You are going to save money on the software by only going with a single integrated system. You should need fewer licenses, and less expensive hardware. Your single database will be able to consolidate corporate data quickly and effectively.

Your IT department will be relieved of all the extra work. They will only need to support one system. They will only need to create one set of reports, even if they need extra security around them. They will have one system to have problems with and solve. There will never be integration problems between the systems. They’ll never have incompatible parameters, or global indicators that don’t match.

Talk to your executives and find out what information they need at their fingertips. Can you create real-time dashboards across multiple databases? Can you provide real-time reports on cash, inventory value, A/R, A/P, etc.? Do they need to export data from the system, and would that work if it was exporting from multiple systems?

The bottom line is that a single database makes sense for a single company. Don’t let the easy answer to tough questions change your outlook. It might take more work to set it up, but in the long run, it’s worth it. As we all know by now, it’s a global world out there and Technology makes it happen.