Oren’s Weblog

Chuck Kenney, our local Apple rep, dropped by an iPod Nano for us to take a look before I left for last week’s meetings on the East Coast. I finally had time to take it out of the box this morning and play with it just a little.

As many others have commented, the Nano inspires pure techno-object lust. Apple has managed to package the incredibly nice iPod user interface into a tiny package, including the scroll wheel, full color screen, and all. Four gigabytes of data in an incredibly small package with no moving parts – wow!

One thing I managed to do today on it (in addition to putting a bunch of music on) is to export an ical file from Oracle Calendar, import it into Apple’s iCal software and synchronize that onto the iPod. With one of these, maybe I won’t forget where I’m walking as I’m grooving my way across campus to my next meeting!

Sheila has shown us the timeline for Chandler development. I like the five stages of software feature development they’re using:

embryonic -> initial -> plausible -> dogfood -> usable

Sheila is showing the Westwood Advisory Council for Chandler the latest build of the coming 0.6 Chandler software.

The calendar is now displaying colors, supports recurrence, and display of multiple calendars. One big new feature is that individual events are specific to a timezone – this will help a lot with those of us who travel.

There’s a new web page of the Chandler development timeline that makes it far clearer which sets of features and usability are targeted for which releases.

Lisa is giving a presentation that started with articulating the current vision of the project – Mitch noted that this is the first time in four years that anybody other than he has given the vision statement.

Now she’s talking about paradigms for email usage and the implications of that for workflow UI in Chandler.

All of the slides for the WAC meeting are available on the OSAF Wiki.

Sheila is showing the Westwood Advisory Council for Chandler the latest build of the coming 0.6 Chandler software.

The calendar is now displaying colors, supports recurrence, and display of multiple calendars. One big new feature is that individual events are specific to a timezone – this will help a lot with those of us who travel.

There’s a new web page of the Chandler development timeline that makes it far clearer which sets of features and usability are targeted for which releases.

Lisa is giving a presentation that started with articulating the current vision of the project – Mitch noted that this is the first time in four years that anybody other than he has given the vision statement.

Now she’s talking about paradigms for email usage and the implications of that for workflow UI in Chandler.

All of the slides for the WAC meeting are available on the OSAF Wiki.

Jon Giltner from Colorado notes that they respond to about 50 incidents per week. They have a formal documented process established in 2004 that requires notification and involvement of central IT. They use the CERIAS open response database for tracking.

If the incident involves compromise of PII they form a team and mandate independent forensics with a third party company that takes the machine and does the forensics. The team’s primary role is to handle communications – notification to affected individuals (via US postal mail using); any press release, etc.

Who’s involved? Legal Counsel, compromised department head; IT security coordinator; tech lead from dept; campus police; university communications; university privacy officer; university officer with oversight for compromised departments.

They take pains not to point the finger too quickly at the local IT admin – they’re usually overworked, underfunded, and not always properly trained.

There follows some discussion of some specific incidents at some our institutions, and lessons learned.

In one incident a visiting researcher from another institution had a file obtained from the state that contained names and SSNs. The researcher put a laptop containing that information on the campus network despite not meeting campus minimum standards for up-to-date patching and OS levels, and sure enough it was compromised.

The issue of who ends up paying the bill for notification of the people whose information was compromised may well end up in court.

This institution has very good policies about security – but that doesn’t really make much difference as what they have is massive non-compliance across the campus. And that’s not just because people don’t know about the policies. It takes massive culture change, and the top leadership of the institution is now very concerned about it. They have an online security tutorial, and the cabinet has now approved a requirement that everyone complete this tutorial.

They are now doing proactive scans of machines on the network, using a product from MacAfee.

A CIO is describing another incident where a machine containing personal and financial information in a department was compromised. Again, this was an incident where the information was being gathered in violation of institutional policy.

What lessons were learned?

- funding security matters, and it’s difficult to obtain on an ongoing basis.
- distributed computing environments are difficult to secure, due to social factors, not technical. In this instance the time-to-market for a web site took precedence over a known security hole.
- the institution had no list of where sensitive data is stored – how can you do a risk assessment?
- patch management and antivirus installation is ad-hoc – who’s responsible? Often it’s students bringing up servers, and they don’t always have a clue about securing the machines.
- How do we help system administrators respond responsibly to unreasonable demands from their management?
- Central IT is frequently aware of compromises in departments before the department itself.
- Unpatched web servers are often a vector for compromises