Featured Posts

<< >>

MSFT Clossing More Windows Support

IT departments organizations are busy keeping up with XP replacements, Cloud migrations, BYOD implementations and now Microsoft has reminded everybody that there are other fires burning on the horizon. Microsoft (MSFT) is warning that they are ending mainstream support for more popular Windows products. Some of the key products ending mainstream support include; Widows 7, Window

Password Free Future

Lets just admit it, passwords suck, people don’t use good passwords. Password breaches seem to be the new normal. Firms are being forced to find new ways of verifying their users and securing their data. Now, security firm Trustwave says traditional password policies are useless. According to an article at Infosecurity Magazine the Chicago based

Projector Lamp Risks

I have done over a dozen audio-video projects in my career. One of constant complaints I would get from Owners, were about projector lamps. The Owners would inevitably complain about the sticker shock for replacement bulbs. Despite the fact I recommended a mass purchase of replacement bulbs as part of the project. A bulk buy of

Who Needs Two-Factor Authentication

The recent epidemic of online security breaches has shown the folly of passwords as the sole protector of your online data. As I have covered several times, most users depend on the same passwords. So what are we to do? One solution is multi-factor authentication. John Shier at Sophos‘ Naked Security blog provided a primer

Tips to Blend Agile, Waterfall

There is a battle waging for the hearts and minds of project managers. The battle is between Agile advocates and Waterfall supporters according to Eric Morgan, in a recent FierceCIO article. The CEO of AtTask explains that Agile loyalists see the benefit of empowering people and teams in a bottom-up approach that produces a faster, more responsive

MSFT Clossing More Windows Support

MSFT Clossing More Windows Support IT departments organizations are busy keeping up with XP replacements, Cloud migrations, BYOD implementations and now Microsoft has reminded everybody that there are other fires burning on the horizon. Microsoft (MSFT) is warning that they are ending mainstream support for more popular Windows products. Some of the key products ending mainstream support include; Widows 7, Window Server 2008, Exchange 2010 and SharePoint 2010.

Microsoft SupportSo what does Redmond mean when it ends “Mainstream Support”?

  • Mainstream support is the typically five-year period when Microsoft provides free patches and fixes, including but not limited to security updates, for its products.
  • When a product exits the mainstream support phase, Microsoft continues to provide a period (also often five years) of extended support, which means users get free security fixes but other types of updates are paid and require specific licensing deals.
  • “End of support” means there will be no more fixes or patches — paid or free, security or non-security — coming for specific products. CNET says there are some temporary work-arounds, as Windows XP users have discovered, but as a general rule, end of support means, for most intents and purposes, the end.

calendarHere are some critical (or not so critical) dates. You may want to circle in red on your calendar and start planning now. Do you have funds in your 2020 capital budget for new hardware? Will cloudifying these be the answer? Are you up to speed on Azure? Are your apps up to speed on Azure?

September 14, 2014 mainstream support ends Windows Phone 7.8.

October 14, 2014 is a critical date, support ends for

  • Office 2010 (Including Viso and Project) with Service Pack 1 mainstream support ends.
  • SharePoint Server 2010 Service Pack 1 mainstream support ends

Alarm clockJanuary 13, 2015 is a big day for Microsoft support

  • Windows 7, Mainstream, free support ends on for all versions of  Windows 7 (Enterprise, Home Basic, Home Premium, Ultimate and Starter) as wall as Windows 7 SP1.
  • Extended support for Windows 7 lasts until January 14, 2020, so users can expect to continue to receive free security updates, but not feature updates, for Windows 7 until that point.
  • Some industry watchers have speculated that Microsoft will end up pushing out Windows 7′s support dates the way the company did for XP, given Windows 7′s popularity and pervasiveness, but so far, CNET says there is no evidence of it happening.
  • Windows Server 2008 – Mainstream support also ends on all versions of Windows Server 2008 and 2008 R2. Extended support remains in place until 2020.
  • Exchange 2010 – Mainstream support will also end on all versions of Exchange 2010. Extended support remains in place until 2020.
  • Other Microsoft products whose mainstream support ends on January 13, 2015 include :
    • All editions of Windows Storage Server 2008,
    • Dynamics C5 2010,
    • NAV 2009 and NAV 2009 R2
    • Forefront Unified Access Gateway 2010 with SP3
    • Visual Studio 2012
  • Microsoft recommeds its customers to get updated, “Customers should migrate to the next available Service Pack to continue to receive security updates and be eligible for other support options.”

extended support period for Server 2003 cuts off July 14, 2015 Microsoft’s extended support period for Server 2003 cuts off (I covered the end of 2003 here). MSFT won’t be issuing patches, updates or fixes of any kind for that operating system (unless users have pricey Custom Support Agreements in place). Redmond is hoping to move 2003 hold-outs to Windows Server 2012 R2 and/or Azure.

October 13, 2015 is another big deal day

  • Office 2010, Visio 2010, Project 2010 — Mainstream Support ends. Extended support should run into 2020.
  • SharePoint Server 2010 — Mainstream support ends. Extended support should run into 2020.

April 11, 2017 – Extended Support ends for Windows Vista ends. No more updates. Time to upgrade (rb- if you haven’t already moved on).

August 11, 2017 – Extended Support ends for Exchange Server 2007. No more updates. Time to upgrade.

January 10, 2018 Mainstream support for Windows 8.1 ends for all versions of Windows 8. Customers still running Windows 8 have until January 12, 2016 to update to Windows 8.1 in order to stay supported.

rb-

Remember this – running out-of-date software which no longer receives security updates is playing into the hands of online criminals and hackers.

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Password Free Future

Password Free FutureLets just admit it, passwords suck, people don’t use good passwords. Password breaches seem to be the new normal. Firms are being forced to find new ways of verifying their users and securing their data.

Business Insider - The Worst Company Data Breaches Ever

Longer passwords are more secureNow, security firm Trustwave says traditional password policies are useless. According to an article at Infosecurity Magazine the Chicago based firm says mixing upper and lower case letters, numbers and special characters doesn’t make passwords any harder for hackers to crack, only increasing the number of characters makes passwords more secure. Will we end up with 1,024 character secure passwords. I say lets ditch passwords all together.

What else can we use to secure our ID’s? John Hawes at Sophos Naked Security Blog recently bemoaned the state of the clunky, fiddly and mostly rather insecure passwords we use for almost all of our authentication needs. He says we may not be stuck with passwords forever. He offers some future options.

Password dogFacial Recognition – The author cites Australian researchers who have been promoting facial recognition as a means of authentication. This idea seems obvious, faces are the main way people identify each other in the real world, so it makes sense to have computers recognize our faces, or at least bits of our faces. The Sophos article says the approach has become common of late, with PC login systems and mobile apps trying to use our faces to authenticate us to various things. There is even a Finnish company that plans to use faces in place of credit cards.

The anti-malware firm says facial recognition systems have proven less than perfect, either easily fooled by photos, similar-looking people or technical tricks, or failing to authenticate real users thanks to bad hair days or bad moods affecting how we look.

Passwords are like pantsMr. Hawes says University of Queensland researchers are trying to improve accuracy and security of facial recognition. The Aussies are working to be able to get facial recognition to work from a single initial still image and from different angles and different lighting conditions, which sounds like a must for any decent recognition system.

The good thing about face recognition, the author says is that it’s relatively low-tech, using a standard part (the rear-facing camera) of most of the devices we use. The software looks for patterns on the human face, such as distance between eyes, to identify people. But the researchers expect it will take more time to have a fool-proof working prototype.

Facial recognitionCNN points out that security is great for consumers, but it’s not the primary goal of most facial-recognition tools. Law enforcement and spy’s are building databases (PDF) to take advantage of recent advancements in facial recognition. Identifying one person using their trail of selfies left online and in surveillance footage from stores could be a huge business. Some stores already use facial recognition to build profiles on repeat customers and collect data about how they shop.

Facebook (FB) recently bragged that its own facial recognition project named DeepFace, was almost as accurate at detecting people as the human brain. More recently, it also claimed to be able to recognize faces from the side as well as the front.

EarEars - CNN reports that with the right software, a phone can detect the shape of a human ear and use it to login. That’s the idea behind the Ergo Android app by Descartes Biometrics. When an ear is pressed against the screen, the points where it makes contact with the glass are mapped out and compared to a stored ear print. If it matches, the user is authenticated. The app is adjustable and can require multiple scans for the highest levels of security.

For now, it’s limited to unlocking a phone. But CNN claims ear prints could be used to identify people for any number of uses on the phone, such as making purchases in app stores or signing into services.

WalkingCNN says that if you’ve ever identified someone by how listening to how they walk down the hall, you’ve already seen the power of gait recognition. For 30 years, researchers have tinkered with gait-recognition technology but the recent boom in inexpensive motion sensors like accelerometers and gyros have given new life to the field. CNN reports that with the right software and sensors, they should be able to analyze a person’s walk. A wearable fitness device or smartphone can authorize users.

The benefit of gait recognition is that it can gather the necessary information in the background while people go about their normal routines. There’s no need for the subject to touch their device or look into a camera.

KeyboardTyping - Like walking, typing varies from person to person according to CNN. Keystroke biometrics record how a person types and calculates their unique pattern, speed and rhythm. It determines how long they hold down each key and the space of time between different letters. Keystrokes could be used to authenticate anyone working on a computer, so the system could appeal to companies that are watching out for unauthorized users on their internal systems.

Gestures - Gesture-based authentication is another potential password replacement emerging from the world of smartphones and tablets. Mr. Hawes says hand movements repeated often enough can lead to muscle-memory, so quite complex patterns can become quite easy to reliably and accurately reproduce. This is the basis of a very venerable form of authentication, the signature. It should be harder to compromise though, as unlike signatures,  swipes leave few traces to be copied.

AnSwipedroid phones have long had swipe-pattern unlock features, and Microsoft (MSFT) Windows 8 includes a system based on a few swipes around a picture. Research has poked some serious holes in this approach though, showing that people are just as bad at picking hard-to-guess shapes as they are at choosing passwords.

Besides monitoring you body to authenticate you, there are hybrid authentication technologies. Hybrid authentication combines biometric factors with other techs.

Brain wavesBrain waves - I covered the Interaxon Muse headband sensor device a wile ago. It is designed to allow users to create a specific brain wave signature for a password that will never have to be said or typed to login.

Biostamps -  The biostamp idea proposed a hybrid of body and technology. The biostamps are flexible electronic circuits attached to the skin, which theoretically can communicate wirelessly with any device which needs to check who you are.

Bracelets - Another hybrid approach uses a bracelet device which measures heart rhythms to check who we are, and then connects to our devices via Bluetooth to pass on that confirmation. I covered Nymi here.

The actual authentication takes place only when the bracelet is first put on. It requires a quick touch of some sensors, and from then on it will confirm you’re you until it’s removed. It includes motion sensors, so the basic authentication can also be combined with movements and gestures to create multi-factor passwords, using both the body and the mind of the attached user. Gestures could be used to unlock cars, for example.

Over the years the password systems we use have seen various improvements, both in usability (ranging from simple but today’s indispensable systems for replacing forgotten passwords to the latest secure password management utilities) and security, for example two-factor authentication schemes using dongles or smartphones combined with our computers.

All have helped in some ways, but have also introduced further opportunities for insecurity – recovery systems can be tricked, management tools can have vulnerabilities or simply be insecurely designed, and two-factor approaches can be defeated by man-in-the-mobile techniques.

rb-

Biometrics are not bullet-proof. They have a number of problems still.

  1. Biometric data cannot be changed once it is compromised.
  2. Will stress, fitness, or aging, have on the physiological elements of biometrics.
  3. Cost, most of these techniques require new equipment.
  4. They all need connectivity, Bluetooth connectivity.
  5. Biometric data still needs to be stored somewhere. And that would be an attractive target for attackers.

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

 

Projector Lamp Risks

Projector Lamp RisksI have done over a dozen audio-video projects in my career. One of constant complaints I would get from Owners, were about projector lamps. The Owners would inevitably complain about the sticker shock for replacement bulbs. Despite the fact I recommended a mass purchase of replacement bulbs as part of the project. A bulk buy of 50 to 100 lamps would have saved a lot of money. Nobody wants to spend that money up front. It’s easier to push the costs off of the capital budget into OPEX. It is somebody else’s budget.

Penny pincherThis penny-foolish procrastination could end up costing organizations a great deal more. When a department is required purchase its own consumable goods, they often buy the cheapest goods they can find and the results can be tragic. A recent example comes from Scotland. Back in May 2014 the 175 year old Glasgow School of Art (GSA) Charles Rennie Mackintosh building caught fire. The blaze inside the historic building is believed to have started when a projector exploded in its basement according to the MailOnline.

Luckily there were no reports of serious injuries. If it turns out to be and exploding projector, the cause could have been an grey-market bulb. Grey-market goods are often sold on dodgy web-sites as original equipment. They are cheaper and are often packaged in convincing counterfeited packing. Monoprice had this same problem a while ago (which I reported on here).

Daily Mail

In order to educate yourself, and protect your clients, projector bulb reseller – JustLamps.net -  published a website – Counterfeitlamps.com – which provides some pointers on how to recognize counterfeit lamps and what to do if you get Climb the ladderone (or twenty)

The second step to protect the installation is to service the projector. Everybody hates to climb the ladder and clean out the filters, but its got to be done. It increases the life of the lamp, so you save money by increasing the lamp life which reduces the risk of buying a counterfeit lamp and possibly burning down a building.

rb-

Protect your equipment (and buildings) by replacing projector lamps before they exceed their rated hours. Do not keep using it until it stops working. It could get ugly.

There are opportunities in here, many mid-high quality projectors  will now generate alerts when it exceeds a number of hours. Maybe you can be the on the ladders cleaning the filters for them.

 

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Who Needs Two-Factor Authentication

ThWho Needs Two-Factor Authenticatione recent epidemic of online security breaches has shown the folly of passwords as the sole protector of your online data. As I have covered several times, most users depend on the same passwords. So what are we to do?

Multi-factor authenticationOne solution is multi-factor authentication. John Shier at SophosNaked Security blog provided a primer on multi-factor authentication. Multi-factor authentication is an authentication process where two of three recognized factors are used to identify a user:

  • Something you know – usually a password, passcode, passphrase or PIN.
  • Something you have – a cryptographic smartcard or token, a chip enabled bank card or an RSA SecurID-style token with rotating digits
  • Something you are – fingerprints, iris patterns, voice prints, or similar

Two-factor authentication works by demanding that two of these three factors be correctly entered before granting access to a system or website.

Data breachSo if someone manages to get hold of your password (something you know), the article says they still will not be able to get access to your account unless they can provide one of the other two factors (something you have or something you are).

The author explains that secure tokens with rotating six-digit codes can be used to remotely access internal systems via a VPN session. Users need to provide a username, a password and the six digit code from the secure token appended to a PIN. Home users can use sort of two-factor authentication using SMS code verification. This is where, in addition to correctly entering your password (something you know), you must also correctly enter a numeric passcode sent to your mobile phone via SMS (something you have).

Secure tokenThe availability of mobile network service and the unreliable nature of SMS can make SMS 2FA difficult. However, some services allow you to use an authenticator app in addition to your password which present you with a different numeric one-time password (OTP) for each service that you register with the app. Both Google and Windows make these apps freely available in their respective stores.

Authenticator apps can be great for signing into sites like Google, Facebook and Twitter even when your phone does not have service (mobile or otherwise).

SPAMParker Higgins at the EFF, says normal password logins, which use single factor authentication, just check whether you know a password. This means anybody who learns your password can log in and impersonate you. Adding a second factor, like a PIN, something you know, with your ATM card, something you have, makes it harder to impersonate you. You need to both have a card and know its PIN to make a withdrawal.

Online two-factor authentication brings the same concept to your services and devices by using your phone—means that even if your password is compromised by a keylogger in an Internet café, or through a company’s security breach, your account is safer according to the EFF.

PhishingThat’s important because phishing, which is one of the most common way in which accounts are compromised, only gets information about passwords. By adding a different factor, phishing attacks become much more complicated and much less effective according to Mr. Higgins.

As two-factor authentication systems become more popular, they have gotten increasingly user-friendly; the EFF believes it doesn’t have to be a difficult trade-off of convenience for security. Major services like Twitter, Google (GOOG), LinkedIn (LNKD), Facebook (FB), Dropbox, Apple (AAPL), Microsoft (MSFT). GitHub, Evernote, WordPressYahoo (YHOO) Mail and Amazon (AMZN) Web Services have enabled two-factor authentication.

rb-

Users should get used to two-factor authentication. 2FA is not available everywhere but many of the most popular sites and services on the internet use the technology.  Hopefully this will compel the rest to follow suit. There is Android malware in the wild that is specifically designed to steal SMS verification codes trying to thwart 2FA so you still need anti-malware on you mobile devices.

In the wake of recent POS attacks (which I covered here), DHS has recommended 2FA for POS systems. While it is not bulletproof, it does increase your security by making it harder for your accounts to be compromised. All users will need Two-Factor-Authentication Authentication.

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.

Tips to Blend Agile, Waterfall

Tips to Blend Agile, WaterfallThere is a battle waging for the hearts and minds of project managers. The battle is between Agile advocates and Waterfall supporters according to Eric Morgan, in a recent FierceCIO article. The CEO of AtTask explains that Agile loyalists see the benefit of empowering people and teams in a bottom-up approach that produces a faster, more responsive way of working.  Meanwhile, traditionalists prefer a top-down Waterfall approach that neatly outlines all the steps in the project and defines the scope, budget and schedule upfront–minimizing risk and uncertainty.

Right or wrong?So who is right? The article says neither. Rather the article says that organizations with successful development cycles seem to use a mixed approach, using both methodologies for different projects. They cite Amazon (AMZN), an Agile powerhouse, could not have built s core web services product without some top-down dictation of standards. According to the AtTask CEO, the real difficulty for organizations, therefore, lies not in choosing one methodology over the other, but in successfully mixing the two methodologies.

Whether your organization is already juggling multiple methodologies or is considering adding Agile into the project management mix, here are four tips from the AtTask CEO on how to hybridize without sacrificing the visibility and productivity you need:

Scrum1. Transition slowly - The biggest issue organizations face in adopting or expanding Agile is the cultural transition. Change is never easy, and moving from a top-down culture of command and control to a bottom-up approach where workers self-organize and self-prioritize will certainly test your leadership team. the article stresses it’s a cultural transition that many people in an organization feel is disruptive and too much of a challenge to the established culture. To make the transition smoother and improve adoption, you should try to slow down your process transition. Understand that onboarding a system like Agile is a long-term commitment, and because only certain teams will benefit from its methodology, make sure that your organization takes the time to strategically consider where it would be most effective. Define upfront what you are trying to accomplish with Agile so everyone can understand the benefits. In addition, developing a culture of respect and appreciation for both methodologies within the organization is important. Acknowledge what works well with Waterfall and when it is most appropriate to use. This extra effort will build trust; make people more open and resilient to trying new methods; increase buy-in from management and team members; and ensure that everyone is on the same page and trying to accomplish the same goals.

2. Provide professional training – With dozens of different aspects and processes, Agile is complex. The AtTask CEO warns that one of the biggest strategic mistakes organizations make is not getting professional training at the start. In particular, it is crucial that middle management participates in training. “Middle management really holds the keys to the success of Agile adoption. They create all of the procedures and policies. If middle is not on board, transformation will be shunned,” says Dean Leffingwell, author of “Agile Software Requirements: Lean Requirements Practices for Teams, Programs, and the Enterprise.” When middle management is properly trained, not only do they understand the value of Agile for themselves, but they can be influential in mentoring the team and in demonstrating the value of Agile to the leadership.

Communications3. Allow teams to communicate across methodologies – In many organizations, Agile teams often become insulated from the rest of the organization. According to Mr. Morgan, they work in a kind of a bubble, rarely interfacing with other teams or departments. However, communication and collaboration are two of the most critical elements of an effective mixed-methodology enterprise. Finding a way to enable visibility and communication across distributed teams, such as developing standard processes for organizing requirements and cross-team development, ensuring comprehensive release visibility for both upstream and downstream stakeholders, and managing the entire work life-cycle within one tool, will make hybrid organizations much more productive.

4. Speak a language everyone understands – The nuanced terminology associated with Agile is often an area ripe for miscommunication according to the author. In addition to making sure everyone understands the terminology and is speaking the same language, it’s important to identify key data points, such as what the team is working on, where the team is along their work process, and when the team will complete the task. Then, translate the data points into either methodology. No matter what methodology your individual teams choose, the work being done ultimately must be visible to the organization’s management and executive teams. Because manager reports and dashboards tend to focus on Waterfall-centric metrics, Agile teams need to ensure they are able to translate their results and progress accordingly. Moving to a mixed management style will always present challenges.

The articles concludes that adoption may happen in baby steps, and not leaps and bounds. Following these four tips, however, can make implementation much more successful and enable you to structure projects in a more productive way to meet your business goals.

rb-

I have talked to several grey-hair PM’s and they have basically told me that Agile/Scrum is the best tool when you don’t know what you want and use PMBOK when you know what you want?

Ralph Bach has been in IT for fifteen years and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow me at Facebook and Twitter. Email the Bach Seat here.