For as long as we’ve had computers, we have instigated competitions between the humans and the machines. In chess, world champion Garry Kasparov won over the specialized chess computer Deep Blue in 1996, only to lose against an improved algorithm in 1997.
Many experts believed the game of Go, with its many more possibilities for each move, was unbeatable by a computer. However, dispensing with the brute force approach of earlier systems, the AlphaGo computer program beat the Go world champion.
Unfortunately, we are also facing less benign man vs. machine battles. Large parts of the internet were temporarily inaccessible to humans due to a DDoS attack coming from a large number of badly protected IoT devices like webcams, DVRs and printers.
You want to be part of the solution, not part of the problem. If you have the responsibility for computers, websites or IoT systems, make sure you have hardened them appropriately.
Side note: When I checked this site, I realized that my anti-spam protection worked, but I had neglected to restrict new user registration. I had 15,777 registered users (!) and had to install a bulk delete plug-in to get rid of them. So if you’ve commented on my posts in the past, I regret to inform you that you’ll have to re-register to comment again (now with Google reCAPTCHA).
After some persuasion, one of my customers was ready to experiment with the Oracle cloud. So I signed him up for a trial Database Schema Cloud service and built him a little APEX application to show how fast and easy it was to get rid of some spreadsheet-based business processes.
This morning, my customer called me to say that the service didn’t work. Indeed it didn’t. I had neglected to put the expiry date into my calendar, and when your 30 days are up, Oracle will wipe out your instance. There is no warning email and your instance is gone without any possibility of restoring it.
So the demo was gone, and with it that potential Cloud customer.
My fellow ACE Director Tim Hall said recently on his blog:
Having used Amazon Web Services, Microsoft Azure and Oracle Public Cloud for quite some time I have to say that Oracle Public Cloud lags far behind the other two in user experience.
I fully concur with that opinion. Additionally, when your process for trials is to wipe them out without warning, you are making it really hard for even your most enthusiastic supporters to recommend you.
Oracle still has a lot of work to do on their cloud services.
I’ve just started my Private Pilot’s License project, and the first order of business was to get a Class 2 medical. Being a triathlete and considering myself fairly healthy, I expected that to be a formality. To my surprise, the examiner detected that my blood pressure was too high, and I’ll have to work on getting it down before I can fly solo.
Similarly, I’m sure that Delta Airlines considered their data center fairly healthy. Unfortunately, they did not test. So when the power supply disappeared, they discovered that 300 out of 7,000 devices were not properly connected to backup power. And 2,000 planes were grounded.
If you don’t test, you don’t know.
IT suffers from Ostrich Syndrome: The belief that if you put your head in the sand and refuse to face facts, nothing bad will happen. Real ostriches don’t do this, of course – that would soon make them extinct. But IT does.
Finding the right amount to spend on all elements of IT (security, testing, fault tolerance etc) requires proper risk analysis. This is taught in Project Management 101, but recent events show that not everybody in IT understands this.
For example, the Democratic National Committee apparently thought that nobody would bother to attack their systems. After all, it just contained boring political emails, right? Wrong.
Similarly, Delta had apparently forgotten to attach about 300 computers to their uninterruptible power supplies, making their system very interruptible indeed. They had to cancel more than 2,000 flights.
Last month, it was Southwest Airlines who cancelled 2,000 flights, supposedly because a router went down. Talk about single point of failure…
Network segmentation, security patching, high availability, and disaster recovery all cost money. But being hacked or down also costs money. Did DNC, Delta and Southwest make the right call? I don’t think so. Maybe it’s time you looked at your risk analysis. Because you do have one, don’t you?
My kitchen has a very nice range hood over the cooktop. It has a powerful fan and beautiful brushed steel finish. And it has a user experience like most IT systems: Lousy.
Let’s think about what a range hood does. It has two main functions:
- Start the fan to extract grease and fumes
- Turn on the light over the cooktop
Because of the shape of a range hood, the buttons to operate it are typically placed in a row. A row of buttons has two good, easily found positions:
- To the far left
- To the far right
Two primary functions, two good button locations. It would not take five minutes of thought to allocate functions to buttons. Unfortunately, the engineers at ATAG did not spend those five minutes. Instead, they placed the button for the light 5th from left, 3rd from right. And what did they use the good right-hand position for? The rarely-used feature of resetting the filter cleaning warning. A button I press every three months at most.
Most IT projects do not spend these five minutes of thought either. Large, professional organizations have a team of UX professionals, like the people I work with at Oracle. But even if you don’t have professional UX designers, every developer can spend five minutes thinking about the task the user wants to achieve.
Most IT systems are like my range hood: Just inconvenient enough to make users slightly annoyed every time they have to concentrate on an operation that should have been easy and obvious.
Next time you build a system, spend a little while thinking about your users before you code. They’ll love you for it.
I spend much of my time advising people on Oracle software, and someone just asked me on Quora.com about the future of Oracle SOA.
I told him that the future of Oracle SOA is bright, but within a much bleaker future for SOA in general.
SOA in general has over-promised and under-delivered to such an extent that it is now considered legacy and poor practice. While a few organizations have gotten SOA right, most haven’t and have little to show for their multi-million dollar SOA projects.
For the people who still believe in a Service-Oriented Architecture (mainly public sector and large, slow-moving organizations), the Oracle SOA product is a very strong offering. As is to be expected of a product from the largest enterprise software vendor in the world, the Oracle SOA suite contains everything you need and carries a corresponding price tag.
Is Oracle SOA right for you? Send me a mail and let’s discuss it.
IT projects fail when the complexity of your organization exceeds your capability to manage it. Large and complicated software systems must necessarily be built by large teams in order to deliver in a reasonable time. There are two approaches to managing the complexity of large organizations: Managing the development approach and managing the interfaces.
You can get developers to understand the need for common interfaces, so the difficulty of managing a large set of interfaces will level off once you have developed an approach that works for your team. But with increasing team size, you will get an increasing number of mavericks refusing to follow common development standards.
Simply standardizing the interfaces between teams harvests 80-90% of the integration benefits without the drama of forcing developers to work in a way they don’t want.
There is more about this in this week’s Technology That Fits newsletter.
Maybe I shouldn’t have written about flexible security, because I immediately started hitting inflexible security, locking me out.
Today’s fail is courtesy of MailChimp.com, which I use for my newsletters. It’s OK that they decided they want a confirmation when I log on to my account from India, but it is not OK that they require a text message passcode with no other option.
I have my phone in flight mode, because I don’t want to pay extortionate India roaming charges. But the Millennials in Atlanta running MailChimp have decided that everybody always has their phone on. We don’t, and they don’t know their users.
Do you know your users? Are you offering appropriate security options?
My customer just had to wait four hours for me to help them with an urgent issue, because they had not implemented flexible security as I wrote about recently.
Like many others, they are using two-factor authentication, which is good. Unfortunately, like many others, they depend on a text message as the second factor. Text messages are known to be unreliable and liable to be lost or delayed, but their IT department did not offer any flexibility: Without your passcode, you are locked out.
I did eventually get eight expired passcodes in a row. Fortunately, I did not have to revive a dead production database, and they survived the delay. But if you are depending on text messages to allow your system administrators to access your system remotely, do think about whether you need some alternative security option.
The apartment where I stayed in Venice has an impressive lock on the front door with four large steel pins going into the door frame.
The most interesting detail of this lock, however, is that you can decide how much security you want. If you just close the door, the latch will catch and the door cannot be opened without the key. If you turn the key once, the pins will extend a little bit into the frame, adding security. If you give the key another twist, the pins extend further, until the maximum security setting of four key turns. You can trade convenience for security, depending on how you perceive the threat of burglary while you are gone.
Most organizations have only one security setting in their IT systems. They implement a firewall to protect from outside threats and leave it at that. However, many threats come from inside. Analysis of the most serious security breaches in the last two years shows that most are initiated by hackers using social engineering to convince insiders to break good security practice.
True security comes from a layered and flexible defense, not just one piece of networking kit. Can you give the key an extra turn in your organization?