NOWHERETOHIDE.ORG

Love Guiness? Hate Cyber Crime?

Get on a plane and join me at International Cyber Threat Task Force (ICTTF) Cyber Threat Summit in Dublin, Ireland 20/21 September 2012, be my guest by using the registration code: nowheretohideguest – http://www.cyberthreatsummit.com/

New Scrum Guide Posted: Gone are the Chickens and Pigs

Scrum is a process framework that has been used to manage complex product development since the early 1990s. It’s a framework within which you can employ various processes and techniques for developing software products. The authors, Ken Schwaber and Jeff Sutherland, just relased an updated guide to implementing Scrum; you can get a copy of it by clicking here–> Scrum Guide 2011 ,or on the picture.

A good comparison of the differences between the 2010 version and the 2011 version was done by Charles Bradley and I recommend you go to his blog by clicking HERE to read it.

Steve Porter, of www.Scrum.org describes one aspect of Scrum – the Chickens and the Pigs – that is gone…

Enjoy…r/Chuck

Tips for Public Safety: Seventy-Seven Windows 7 Tips and Tricks

If you are like me, you are still learning your way around the new Microsoft Windows 7 operating system. Well, I found a great article in the october 2009 TechNet Magazine that lists 77 tips for techies and operators…here are the first 10:

1. Pick Your Edition — Most users do not need the more expensive Ultimate Edition; stick with Professional unless you specifically need BitLocker.

2. Upgrading? Go 64-bit — As the second major Windows release to fully support 64-bit, the x64 architecture has definitely arrived on the desktop. Don’t buy new 32-bit hardware unless it’s a netbook.

3. Use Windows XP Mode — Yes, it’s only an embedded Virtual PC with a full copy of WinXP—but it’s an embedded Virtual PC with a full copy of Windows XP! This is the first profoundly intelligent use of desktop virtualization we’ve seen—and a great way to move to Windows 7 without giving up full Windows XP compatibility.

4. Use Windows PowerShell v2 — More than just a shell, this is the administration tool you’ve always wanted: Parallel, distributed processing for administrative tasks! Manage 100 machines literally as easily as you manage one with the new Remoting feature. Windows PowerShell v2 ships for the first time in Windows 7, and within six months will be available for older versions of Windows.

5. Use AppLocker — We’ve been fans of Software Restriction Policies since Windows XP, and AppLocker finally makes application whitelisting possible. Use it to enhance or even replace your anti-virus software, ensuring that only the software you want to run will run.

6. Shift to and from Explorer and CommandPrompt — The classic Windows power toy Open Command Prompt Here is now an integral part of Windows 7 Explorer. Hold down the shift key then right-click a folder to add this option to the property menu. While you’re in a command prompt, if you want to open an Explorer window with the focus of the window on the current directory, enter start.

7. Record Problems — The Problem Steps Recorder (PSR) is a great new feature that helps in troubleshooting a system (see Figure 1). At times, Remote Assistance may not be possible. However, if a person types psr in their Instant Search, it will launch the recorder. Now they can perform the actions needed to recreate the problem and each click will record the screen and the step. They can even add comments. Once complete, the PSR compiles the whole thing into an MHTML file and zips it up so that it can be e-mailed for analysis to the network admin (or family problem solver, depending on how it’s being used.

 8. Make Training Videos — Use a tool like Camtasia to record short, two to three minute video tutorials to help your users find relocated features, operate the new Taskbar and so forth. Get them excited about Windows 7—and prepared for it.

9. Start Thinking About Windows Server 2008 R2 — Some of Windows 7′s more compelling features, like BranchCache, work in conjunction with the new server OS. The R2 upgrade path is pretty straightforward, so there’s little reason not to take advantage of the synergies if you can afford upgrade licenses.

10. Prepare Those XP Machines — There’s no in-place upgrade from Windows XP to Windows 7, so start planning to migrate user data now, in advance of a Windows 7 upgrade deployment.

For the complete list, click here http://technet.microsoft.com/en-us/magazine/gg394259.aspx.

I also recommend that you visit the www.TechNetMagazine.com website and sign up for their free newsletters.

Finally, i have included a snapshot of 14 Windows 7 keyboard shortcuts included in the article above…enjoy!

r/Chuck

It’s 2pm on Sunday: Do you know where your data is?

It seems the Los Alamos National Laboratory (LANL)  is  in the news again. Just when you’d think they addressed the vulnerabilities that Wen Ho Lee exploited back in 1999 (Lee has his own Wikipedia page now), they got slammed again in 2006 when local police found a thumb-drive with classified information on it at local residence involved in a local narcotics investigation.  Well now the U.S. Government Accountability Office (GAO) just release an audit report of LANL that reported:

LANL has implemented measures to enhance its information security controls, but significant weaknesses remain in protecting the confidentiality, integrity, and availability of information stored on and transmitted over its classified computer network. The laboratory’s classified computer network had vulnerabilities in several critical areas, including (1) uniquely identifying and authenticating the identity of users, (2) authorizing user access, (3) encrypting classified information, (4) monitoring and auditing compliance with security policies, and (5) maintaining software configuration assurance.

While LANL got slammed for losing information on its  ”classified” network…what about all of the unclassified information that’s floating around out there? I feel it is just as important to make sure all of the sensitive but unclassified case information, organization proprietary information, or intelligence data that contains Personally Identifiable Information (PII) is protected as well–would you want to be the person explaining to their boss what data was just lost on that USB drive you left at the airport restaurant?

While I was at the International Association of Chiefs of Police Conference in Denver last month, I ran across a security item that really caught my eye–it was a standard, run of the mill 4GB USB thumb drive, but this one was unique–it had a built in PIN keypad, encrypted all data with AES encryption, and you didn’t have to plug it in to the computer first before unlocking it.  I got to thinking…if every law enforcement officer and intelligence analyst who had a legal, bonafied reason for copying sensitive data  onto portable media like CD-ROMs, SD cards, or unsecured thumb drives had one of these, they could sleep better at night knowing that the information on the thumb drive wouldn’t be compromised if it were lost or stolen, or than an unauthorized person who happend to get access to the drive couldn’t stick it in their computer and access the information it holds.

The item is called the Classified Secure Flash Drive. It’s a 4GB thumb drive with a built in 5-key keypad for entering a 1-10 digit PIN.  There is NO software required on the desktop/laptop to create or enter the PIN and all data on it is secured with 256 bit AES encryption. Those of you who know me know that I do not want to become another big IT vendor; however, I have decided to make these (and other innovative, niche technologies) available to agencies through NOWHERETOHIDE.ORG.  For Federal agencies; the manufacturer has developed a FIPS 140-2 compliant version with a built in 10-key keypad; they are in the midst of the validation process now.

Beware of geeks bearing free online apps…is your privacy at risk?

If you’re like most folks, you stopped reading the “fine print” terms and conditions on free online appliactions like Google Apps, Windows Live, Zoho, and MySpace. I did too, until today. I caught an article  on NetworkWorld.com today entitled “Privacy groups rip Google’s targeted advertising plan” that described how privacy advocates are concerned about Google’s foray into the world of behavioral targeting in its DoubleClick advertising business.  So, that got me curious…what can Google (and others) do with your personal data, files, etc?

I did a quick check of four online appliactions that I use–Zoho, Windows Live, MySpace and Google Apps–here’s what I found.

1. ZoHo’s terms of use states:“We store and maintain files, documents, to-do lists, emails and other data stored in your Account at our facilities in the United States or any other country. Use of Zoho Services signifies your consent to such transfer of your data outside of your country.  In order to prevent loss of data due to errors or system failures, we also keep backup copies of data including the contents of your Account. Hence your files and data may remain on our servers even after deletion or termination of your Account.”
   
2. Windows Live had a different twist:
   “Microsoft does not claim ownership of the materials you provide to Microsoft (including feedback and suggestions) or post, upload, input or submit to any Services or its associated services for review by the general public, or by the members of any public or private community, (each a “Submission” and collectively “Submissions”).  However, by posting, uploading, inputting, providing or submitting (“Posting”) your Submission you are granting Microsoft, its affiliated companies and necessary sublicensees permission to use your Submission in connection with the operation of their Internet businesses (including, without limitation, all Microsoft Services), including, without limitation, the license rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate and reformat your Submission; to publish your name in connection with your Submission; and the right to sublicense such rights to any supplier of the Services.”
3. MySpace pretty much mirrors Microsoft’s terms:
   “After posting your Content to the MySpace Services, you continue to retain any such rights that you may have in your Content, subject to the limited license herein. By displaying or publishing (“posting”) any Content on or through the MySpace Services, you hereby grant to MySpace a limited license to use, modify, delete from, add to, publicly perform, publicly display, reproduce, and distribute such Content solely on or through the MySpace Services, including without limitation distributing part or all of the MySpace Website in any media formats and through any media channels, except Content marked “private” will not be distributed outside the MySpace Website.”
4. Google had the best (or worst) of all worlds: It’s Privacy Policy states “Google processes personal information on our servers in the United States of America and in other countries. In some cases, we process personal information on a server outside your own country. We may process personal information to provide our own services. In some cases, we may process personal information on behalf of and according to the instructions of a third party, such as our advertising partners.”It’s Google Apps terms of service states “Information collected by Google may be stored and processed in the United States or any other country in which Google or its agents maintain facilities.”It’s general terms of service states “You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This licence is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services..You agree that this licence includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.You understand that Google, in performing the required technical steps to provide the Services to our users, may (a) transmit or distribute your Content over various public networks and in various media; and (b) make such changes to your Content as are necessary to conform and adapt that Content to the technical requirements of connecting networks, devices, services or media. You agree that this licence shall permit Google to take these actions. You confirm and warrant to Google that you have all the rights, power and authority necessary to grant the above licence.”

So, what’s the moral to this story?  Three things…

1. Take the time to read the fine print; make yourself and others aware of the privacy and terms of service conditions for these and other (free or fee-based) online appliacations;
2. If your federal, state or law enforcement agency, fusion center, or other government agency are using any of these services, make sure you have written policies about what can and cannot be posted, stored, or shared through these services; and
3. Assume anything you do post or share will a) make its way outside of the United States and b) reused in some way for marketing or advertising purposes.

Play it safe; don’t assume your information posted to these services will remain private. Remember, once out, that privacy genie will be nearly impossible to get back in the bottle.

As always, your thoughts and comments are welcomed…r/Chuck

"Shovel-Ready" Projects for Public Safety

Change you can believe in!  Change is here!  Yes we can! 

While we eagerly wait to see how our 44th President translates these memorable election mottos into tangible projects for rebuilding our nation’s infrastructure, one colleague of mine, Charles Jennings, CEO of Swan island Networks stepped up and laid out eleven very forward leaning “shovel-ready” ideas for investing in America’s “virtual” infrastructure.  Below I point out three of Charles’ ideas that have a direct impact on law enforcement and public safety,; and include some personal thoughts.

- National Information Exchange Model (NIEM) – Let’s speed-up development and implementation of NIEM; this is critical for expediting law enforcement and homeland security information sharing programs such as N-DEx, LInX, ISE-SAR, and others.

- Rural Broadband – While this is good for our ecomomy, it’s VERY good for small rural law enforcement agencies, many of which who still do not have decent internet access.

- State/Local/Tribal Clouds – While this is good for agencies of any size, this will (again) benefit the smaller law enforcement agencies who don’t have the time, expertise, or resources to be in the “IT” business; shared-services using in-the-cloud strategies can bring advanced capabilitis to these agencies very quickly.

You can see Charles’ paper in its entirety here –> http://www.swanisland.net/solutions/Shovel-Ready.pdf

As always, your thoughts and comments are welcomed…r/Chuck

What Gets Measured Gets Done…Using Evaluation to Drive Law Enforcmement Information Sharing

Tom Peters liked to say “what gets measured gets done.”  The Office of Management and Budget (OMB) took this advice to heart when they started the federal Performance Assessment Rating Tool (PART) (http://www.whitehouse.gov/omb/part/) to assess and improve federal program performance so that the Federal government can achieve better results. PART includes a set of criteria in the form of questions that helps an evaluator to identify a program’s strengths and weaknesses to inform funding and management decisions aimed at making the program more effective.

I think we can take a lesson from Tom and the OMB and begin using a formal framework for evaluating the level of implementation and real-world results of the many Law Enforcement Information Sharing projects around the nation.  Not for any punitive purposes, but as a proactive way to ensure that the energy, resources, and political will continues long enough to see these projects achieve what their architects originally envisioned. 

I would like to propose that the evaluation framework be based on six “Standards for Law Enforcement Information Sharing” that every LEIS project should strive to comply with; they include:

1. Active Executive Engagement in LEIS Governance and Decision-Making;

2. Robust Privacy and Security Policy and Active Compliance Oversight;

3. Public Safety Priorities Drive Utilization Through Full Integration into Daily Operations;

4. Access and Fusion of the Full Breadth and Depth of Regional Data (law enforcement related);

5. Wide Range of Technical Capabilities to Support Public Safety Business Processes; and

6. Stable Base of Sustainment Funding for Operational and Technical Infrastructure Support.

My next step is to develop scoring criteria for each of these standards; three to five per standard, something simple and easy for project managers and stakeholders to use as a tool to help get LEIS “done.”

I would like to what you think of these standards and if you would like to help me develop the evaluation tool itself…r/Chuck

Chuck Georgo
chuck@nowheretohide.org
www.nowheretohide.org 

Sweet (Information Sharing) Home Alabama

I had the pleasure of attending a briefing today on the Virtual Alabama (VA) Project.  Jim Walker, Director, Alabama Department of Homeland Security, and Chris Johnson, VA Project Manager gave a full blown, real-time demonstration of VA’s capabilities.  While just seeing Google Earth Enterprise technology is cool in itself, what was really astonishing was to see how the project has worked to get access to an amazing number of data sources–they have engaged over 1,100 agencies in implementing information sharing accross the state! 

Driven by specific business needs, the VA project now supports law enforcement, fire, emergency management, business and economic development, property tax assessment, port security, emergency evacuation, and they’re only into the project about 10% (their number).  Other states would do well to take a look at what they’ve done in about 18 months for about $500,000 with a team of four people.  And, don’t focus solely on the specific technology they chose–the real lesson here is what they did to get Alabama agencies to share their data!  This is the true accomplishment.

I hope the project can find time write up and share a white paper to document the various strategies they employed to get access to the data–arm twisting, the shame game, Friday afternoon strategy sessions at local watering holes, etc.

Here’s a YouTube movie about it: Google Earth Enterprise Case Study: Virtual Alabama

Enjoy!…r/Chuck Georgo

How to Really Screw-Up Up an SOA Implementation

It’s impossible to goto a law enforcement information sharing conference these days and NOT hear about this thing called a “Service Oriented Architecture (SOA).”

One of the big questions I hear asked is “How do I go about implementing an SOA?”

If you do a google on “Service Oriented Architecture” (use the quotes to be fair) you will find that Google lists 11,500,000 documents related to SOA. If you go to Amazon.com and do the same search, you’ll see 609 books on the subject.

The majority of these documents and books basically tell you to do the same five things to transition your organization’s information technology infrastructure to one based upon SOA principles: 1) have governance, 2) have a roadmap, 3) take one bite at a time, 4) train your staff for SOA, and 5) use open standards.

I don’t want to dispute or debate any of what they have to say; I’m certain it’s all good. Instead what I thought I would do is mix things up a bit and share with you what I consider to be the top ten things you can do to really screw-up up a move to SOA. Let’s begin…

1. Run and tell your CEO or Agency Executive that SOA is going to save the day by solving all of their IT problems. Tell them it’s easy. Show them the glossy brochure your vendor gave you; that’ll really impress them.
2. While you’re at it, tell them that you won’t need all the money they gave you this year. With all this stuff about reuse you’ve been reading, SOA is going to save them a boatload of money.
3. Treat moving to SOA just like any other IT project. It’s still just hardware and software, no use getting all excited. You just need SOA requirements, and then it’s coding, testing, and deployment.
4. Keep the “operator” folks away from the effort. You know that as soon as they get their fingers on the project, they’re going to want to muck it up with business needs and process diagrams.
5. Plan to convert all of your applications to SOA all at once. In fact, go ahead and announce the date you’re going to shut-down the mainframe. That will illustrate your commitment to SOA.
6. Inform the mainframe COBOL programmers and DB2 admins that they need to find new jobs and then immediately put in a request with HR to hire a dozen XML and SOAP programmers.
7. Don’t waste your time on developing a plan or roadmap (aka enterprise architecture) to move to SOA. No one really reads all those documents; and after all, you have the functional specifications from your existing applications.
8. Immediately go out and buy an ESB from your favorite vendor. Don’t know what one is? Don’t worry, your vendor will know, and they will be glad to come in and just plug everything together. SOA, done.
9. Also make sure you develop as many services as possible. You’ll be able to justify your move to SOA based on the number of services you develop; the more you develop, the better you’ll look.
10. Finally, if all else fails screw-up up your SOA project, then try this – take your best techie and put them in charge of the effort, then sit back and enjoy the fun!

I hope that you enjoyed my little diversion from the serious side of SOA, and I also hope that you were able to see through my satire and recognize some of the silly things organizations do to torpedo what should be a fun and beneficial experience for every organization.

BTW, no vendors, programmers, or other techies were actually harmed in the writing of this blog, at least none that I know of.