9.6.08

This spike does not score



With oil reaching $137/barrel on Friday, the Chicago Tribune reports a possibility of up to $150 by July 4th, just in time for the many service calls our integrators endure due to lightning, multiple power outages and other summer-related challenges. The Trib's story is here:
http://www.chicagotribune.com/business/chicago-oil-prices-150-july-jun06,0,6180202.story
Some issues:
  • Some integrators' revenue rests primarily on service agreements for preventative and demand maintenance of systems installed by other integrators

  • Most of the negotiated rates were set well before the "spike" and will sometimes be fixed for years to come on larger projects

  • End users depend on courtesy field visits from design professionals, usually without the pressure to buy. Those salespeople who are on commission-only contracts and do not get mileage expense reimbursement will have to rethink how many courtesy design calls they make far into their territory.

  • Associations and SDOs will have to start thinking about expense reimbursement for key activities, as airfare and car travel costs are far higher now for the "pro bono" work they receive from industry professionals

  • Mass transit agencies are already rethinking and discontinuing less profitable routes, making less popular areas even less desirable to visit
...and so it goes. I know I state the obvious here, but we depend on our service pros to keep our systems running; let's try to help them out here and there by (perhaps) allowing a temporary fuel offset charge.
Hey before I conclude if anyone is ever in NYC, you are cordially invited to one of our Times Up! rides, like the midnight one we did yesterday through Central Park. This is one alternative transportation non-profit organization that I would like to post a plug for...
http://times-up.org/
...and reduce our dependence on oil.

29.5.08

Analog vs. IP Video Surveillance. . . it's about the customer, folks!

I was really lucky to spend the past eight years working intensely on education programs dedicated to enhancing end user's physical security programs.

The single most important thing I learned is that electronic security system deployment is one tool for the physical security or surveillance professional, and not the center of their universe.

I am continually amazed at how some discussions about analog or IP video systems lead immediately to technology discussions rather than what's good for the customer. What do they need the system to do? What is their existing infrastructure?

There was an article I read about City Center Surveillance deployment acceptance.

http://www.citynews.ca/news/news_6687.aspx

Wider deployment may, in the future, be enabled by enhanced wireless infrastructure such as WiMAX, but a technology is not adopted simply because it exists. The requirements of the end user drive the use of technology, and if IP video provides the right product to distribute video content more widely to mobile responders, then adoption will be encouraged. Here, mobile responders and emergency services have specific needs that are met by the distribution of IP video to many clients simultaneously.

Does the same system properly serve the Loss Prevention or Gaming Surveillance professional? Not currently, and I know that I am inviting commentary here, but first think of the needs of your customer or, more specifically, your customer's customer! The variable and often slow camera control response of many IP video systems has slowed this deployment, since the operator has to keep up, without compromise, with tracking an individual through a casino or along the aisles of an electronics superstore. Yes, there are systems available that provide an uncompromised solution, but at a greater cost than their analog counterparts.

So the next time someone jumps right into a technology discussion, ask them to instead take a moment and "listen up!" as a popular singer says, and perhaps the solution will turn out better for everyone...

22.5.08

Java Junkies beware!

disclaimer: This article is for informational and educational purposes only. Hacking into an internet store is illegal and is not the intent of this article.

Now you can buy anything, even if someone has taken it off their company store.

Well, that is, if the store has not protected the Online Store Product ID of the item you wish to purchase, and relies on the missing button alone to enforce the restriction. So you've visited the dynamically rendered web page that does not contain an "add to cart" button. You want to buy that item. The vendor has restricted purchase, sometimes in the hope of holding inventory for a specific client, etc.

We'll have none of that!

Just go to another item that has an "add to cart" button. Copy the javascript: link behind the button and paste it into Notepad. Notice that it will usually contain the Store Product ID (the "secret" number) and the actual (public) Model Number. Now you need to find the secret number for the item you want, the one they are not letting you purchase. All you usually have to do is go to the product's technical information page and look at the URL to get three possibilities for the Store Product ID.

Now you've got three possible Store Product IDs and one definite model number. Take the javascript: link you pasted earlier, make three versions of it, and try each one until one adds your item to the cart! Once the item is in your cart, nothing on the storefront stops you from checking out. It's a good idea to take a screen shot of the cart page in case the vendor does not wish to fulfill your order (very rare).
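The reason the trick works is that the store decides what is purchasable in the browser (by leaving the button off the page) and then trusts whatever product ID the browser sends back. As an added example that is not from the blog post or from any real store, here are two Node.js add-to-cart handlers side by side: one that, like the store described, accepts any catalog ID the client submits, and one that makes the purchasability decision on the server. The catalog, product IDs, model numbers and technical-page URL are all constructed for the demo.

```javascript
// Added example (not the blog's code). Catalog, IDs, models and URL are constructed.
// Store Product IDs are the "secret number" from the post; the model number is the
// public identifier printed on the product page.
const CATALOG = {
  48213: { model: "XR-1000", price: 499.0, purchasable: true },
  48214: { model: "XR-1000-DEMO", price: 0.0, purchasable: false }, // pulled from the store
  48215: { model: "XR-2000", price: 899.0, purchasable: false },    // held for one client
};

// Vulnerable handler: it assumes only pages that show an "add to cart" button ever
// submit a request, so any ID that exists in the catalog goes straight into the cart.
function addToCartVulnerable(cart, productId) {
  const item = CATALOG[productId];
  if (!item) return { ok: false, reason: "unknown product" };
  cart.push({ productId: Number(productId), model: item.model, price: item.price });
  return { ok: true };
}

// Hardened handler: the client-supplied ID is untrusted input, and whether the item
// may be sold is decided here from the catalog flag, not from which page sent the request.
function addToCartHardened(cart, productId) {
  const id = Number.parseInt(String(productId), 10);
  const item = Number.isInteger(id) ? CATALOG[id] : undefined;
  if (!item) return { ok: false, reason: "unknown product" };
  if (!item.purchasable) return { ok: false, reason: "not available for purchase" };
  cart.push({ productId: id, model: item.model, price: item.price });
  return { ok: true };
}

// The shopper's procedure from the post: harvest candidate IDs from the technical
// information URL (any run of four or more digits) and try each against the endpoint.
function candidateIdsFromUrl(url) {
  return [...url.matchAll(/\d{4,}/g)].map((m) => Number(m[0]));
}

function enumerateRestrictedItem(handler, url) {
  const cart = [];
  for (const id of candidateIdsFromUrl(url)) {
    if (handler(cart, id).ok) return { addedId: id, cart };
  }
  return { addedId: null, cart };
}

// Constructed URL yielding three candidates: 9920, 48215 and 77101.
const techPageUrl = "https://store.example/tech/9920/48215/spec.html?ref=77101";

// Against the vulnerable handler the reserved XR-2000 lands in the cart;
// against the hardened handler nothing does.
console.log(enumerateRestrictedItem(addToCartVulnerable, techPageUrl));
console.log(enumerateRestrictedItem(addToCartHardened, techPageUrl));
```

The fix is not to hide the Store Product ID better; IDs leak through URLs, page source and order history. The fix is to keep the restriction where the client cannot edit it, and to apply the same check again at checkout so an item that somehow reached the cart is still refused.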

Next week we'll talk about coupon codes!

15.5.08

Leave the standards to the SDOs, or collaborate independently?

Allow me to first state that the following is simply the personal, subjective opinion of this author...

This week began with an announcement from three manufacturers of a "new" cooperative effort to start a communications forum and develop an interoperability standard. I felt like the Jeff Goldblum character in the great movie "The Right Stuff," who would run breathless down the hall to report on the latest Russian activities in space, only to hear "we know about it already."

It's probably good that I waited a few days before posting this as I was pretty disappointed that yet another group was doing an "end run" around the Standards Development Organization (the SIA) that has developed the only ANSI-approved interoperability standard for the Security Industry. The interesting thing is that this week's actions, though well intended, have helped me see how impartial SDOs and Credentialing organizations are in the best position to recognize, organize, focus and manage manpower to achieve realistic interoperability goals.

I completely understand how interoperability efforts are quite useful and will greatly benefit everyone in the Security Industry "food chain." However, when an effort exists, why not contribute to it and improve it rather than create another, duplicated, parallel effort. 'Nuff said on that one, right?

Well, not really. You see, last year I had the benefit of meeting a particular end user that taught me something quite insightful. "Think of my customer as your customer."

Wow!

If I can help my customer improve their customer's experience, or contribute to savings for his (or her) organization that could mean savings passed onto their clients, we all win.

What does this have to do with a parallel standards effort?

Simply put, it is industry resources not applied toward better helping the (hopeful) benefactors of this industry. If we took the time spent on multiple device and system interface efforts and applied those efforts to introduce more useful applications for the end user, we all win.

So where do we go now? What can we do to improve this situation?

Ask the SDO. They have a method in place for recognizing standards development activities and a way for these efforts to be focused correctly and impartially.

6.5.08

The case for a Cooperative Certification Program

Whether you are a self-commissioning end user, a multi-site integrator or a smaller reseller, your time is important and needs to be spent on what keeps your business going. Why would our industry require multiple certifications on different products that are similar and share a basic skillset for deployment?

Each manufacturer would like the opportunity to tell their story in front of these key influencers, and then train on the nuances of product deployment and adjustment. I'm thinking that on one hand manufacturers might find the comparison less fruitful, but on the other there's an opportunity to meet end users and resellers they would not have.

Why end users? There are a number of multi-site, large end users that will always use integrators for product purchase and commissioning, but need an understanding of the system deployment for planning, design and maintenance.

Stay tuned; we may just be making history on this yet!

3.5.08

I can buy anything at Amazon...

...and feel safe. I'm not quite sure how they do it, but their partners just provide a better purchasing experience and I don't have to worry about CC fraud. If you saw my previous post, I had a bad experience after Vegas and, well, it's a real hassle if merchants don't provide the best in transaction security. Here are a few of my recent, diverse Amazon purchases...


Bike in Tucson!

Yes it's bike friendly and you can ride an expensive bike around and feel secure - read all about it below:
photo of the Bianchi Ti courtesy msurfaro spigelman

Wifi - Wardriving and the fleecing of the traveler or randonneur

disclaimer: This article is for informational and educational purposes only. Hacking into a private security-enabled wireless network is illegal and is not the intent of this article.

Like sheep we are drawn to them. They are everywhere, in pockets and often located right at another addiction's distribution point, the coffee house. The WiFi hotspot is not a hotspot at all for connectivity, but for someone else's money.

When I fly into Vegas, I can feel the extra $$$ already leaving me as I know it will cost $15 per day at the hotel, and $40 at the convention center for three hours, and without adequate credit card transaction security.

In fact, the last trip to Vegas found my CC taken on one of those networks (I had a company firewall in place), and the rogue user began to selectively siphon $500 at a time from my account.

I drive or bike a good deal to my local destinations, so I'm not shy about getting on someone's unsecured network, doing what I have to and leaving. That is, if I haven't found a T-Mobile hotspot that I already pay for.
When in New York City, or a major city, there are times I am restricted to where the car, or a comfortable spot and PC can be, so sometimes I have to resort to looking at the person's router if its response is very slow.

Most people leave not only the default IP address and the transmission unsecured, but also the router's default password. A simple lookup and I find no fewer than 30 BlackBerrys consuming this network, and three PCs. I'm only going to be about 5 minutes, so I log on to the router, knock off the BlackBerrys, keeping the user's PC online, change the password on the router (I'll be changing that back before I leave), and limit the number of DHCP clients to 5.

I log off. I send my email and upload some large files and I'm almost out of there. I re-enter the router's admin app. and restore their settings, leaving the DHCP limit to 40, just in case they get another 30 visitors to crash their network.

Ethical or non-ethical? However you feel about the above, I can assure you that right now there could be "klingons" on your WiFi network at home, especially if you have not:
1. stopped broadcasting your SSID (this only hides you from casual scanning; a passive sniffer such as Kismet still sees the network)
2. changed your default router password and enabled WPA2 (WEP is broken and only slows an attacker down; use it only if the hardware supports nothing better)
3. limited the number of DHCP clients
4. upgraded your firmware
5. filtered your MACs (another speed bump only; MAC addresses travel in the clear and are easily cloned)

Hey, we take some and we give; please feel free to pass along this advice and the very good reference below to your neighbor.

That is, after you've downloaded Madonna's latest CD...

From The Ethical Hacker:

Just as it’s important to know how to utilize the aforementioned tools, it is important to know best practices on how to secure your Wireless Network Against these tools.

NetStumbler – Do not broadcast your SSID. Ensure your WLAN is protected by using advanced Authentication and Encryption.

Kismet – There’s really nothing you can do to stop Kismet from finding your WLAN, so ensure your WLAN is protected by using advanced Authentication and Encryption.

Airsnort – Use a 128-bit, not a 40-bit WEP encryption key. This would take longer to crack. If your equipment supports it, use WPA or WPA2 instead of WEP (may require firmware or software update).

Cowpatty – Use a long and complex WPA Pre-Shared Key. This type of key would have less of a chance of residing in a dictionary file that would be used to try and guess your key and/or would take longer. If in a corporate scenario, don’t use WPA with Pre-Shared Key, use a good EAP type to protect the authentication and limit the amount of incorrect guesses that would take place before the account is locked-out. If using certificate-like functionality, it could also validate the remote system trying to gain access to the WLAN and not allow a rogue system access.

ASLeap – Use long and complex credentials, or better yet, switch to EAP-FAST or a different EAP type.

Ethereal – Use encryption, so that anything sniffed would be difficult or nearly impossible to break. WPA2, which uses AES, is essentially unrealistic to break by a normal hacker. Even WEP will encrypt the data. When in a Public Wireless Hotspot (which generally do not offer encryption), use application layer encryption, like Simplite to encrypt your IM sessions, or use SSL. For corporate users, use IPSec VPN with split-tunneling disabled. This will force all traffic leaving the machine through an encrypted tunnel that would be encrypted with DES, 3DES or AES.
courtesy of Daniel V. Hoffman, CISSP, CWNA

http://www.ethicalhacker.net/content/view/16/24/
BTW, there's one gentleman who is an ASIS Vice President who does a great job giving a "wardriving" and prevention class. Should anyone be interested in him presenting at a conference or consulting on this subject, feel free to ask me for his contact information.

28.4.08

Fun and controversy in the classroom

Well, we've got almost a day under our belt at an ASIS Workshop and I'm happy to see the group "gelling" quite nicely. What makes for a successful workshop? I really don't fully understand the dynamic since there are so many variables, but I know that...
  • if you've got great talent in speakers, it's going to be worth it; worth it, that is, if you like what Severin once described to me as "herding cats"

  • everyone has a different reason for going to the class and not everyone will be satisfied

Ben came through with a couple of great speakers, one of which sounded exactly like David Letterman - an excellent bonus. We should have had a session where we have "David" at his desk and one of the speakers as a guest on the couch. I must find someone who will let me do this.

Yes, you cannot please everyone; right after the required and perfectly executed chocolate chip cookie break (thanks Becky), I had someone complain to me that I should not have had the classes go to 5PM as all the stores in town are closed after hours.

It was so great seeing Dave and Leslie, those two lovebirds from San Francisco; Dave carried a good "managing" load of subjects in this workshop. Charlie boy had his usual rip-roaring form of entertainment, while Severin provided the backbone of the seminar with a very excellent metrics presentation. I could not continue the "shout-outs" without recognizing Jeff's hard work, our Practitioner Professionals, Jim, Jose and Ed (Special Ed here on the boards). Shaun Pal gave us quite a nice overview on standards. Above all and the man who was there for me throughout this whole ordeal, was Phill who untiringly both emceed and taught many sessions. I will never forget our fireside chats with a few entertaining students and his lovely wife Sandra. West coasters know how to live!

25.4.08

People and companies that are "always right"

Do you know anyone like this in the industry; I'm sure you do!

Here's a couple of related questions:

  • How do you figure out whether they are right, wrong or just early?
  • How do you use, ignore or postpone the use of a technology?
  • If a person or a company is so influential that you can't ignore them, how do you deal with this?

Only Yoda is always right, especially when he makes reference to Road Cycling:


"Remember, a Roadie's strength flows from the Schwartz. But beware. Anger, fear and strange brightly colored clothing...Fredliness are they. Once you start down the path to Fredliness, forever will it dominate your destiny"

Security Trade Shows and the Tour de French Toast


After another couple of events under my belt where I was both excited and honored to conduct or be a session contributor, I noticed a few startling (and comforting) facts:

  • There are many of us that don't know the difference between technical evangelism and outright product marketing

  • When given the opportunity to share the stage, you may be either uncomfortable or wonder why you didn't do this sooner

  • I also noticed that everyone except for the contributors here, my cats and the local bike store is claiming to originate standards in the security industry

  • If you have friends in this industry, they will help you out...thank you Kent, Jerry, Michael and Severin for doing great sessions on Network Security, Practitioner Focus and New Tech

  • Finally, the answer that you really want to know is to get the stuffed French Toast with strawberries - excellent right before a 40 mi bike ride

Your Best Class?

I've been really lucky the past five years to have come across professionals that have helped me in workshops, sessions, internet stuff and generally how to communicate.

Here's a few random thoughts; please discuss...

  • A subject matter expert who writes a session is not always the best person to give it
  • The person who organizes a workshop is not necessarily the best person to present a session
  • You should always assume the teacher will not show up, or will say the dog ate the presentation
  • If you can cut a session's slides by 2/3 and say about the same thing, you should do it (I have to really start taking my own advice!)
  • Stop using PowerPoint as your primary means of communication; the slides are just there to support what the edu team has to say, not the other way around
  • People are freshest in the morning
  • People like freshly baked chocolate chip cookies in the afternoon
  • Put an energetic speaker on after lunch so as to not induce "food coma"
  • If you're managing a workshop, make sure the content is useful for the goals of the workshop
  • "Design" sessions are far easier to write than "Managing" sessions
  • Involve people who actually use the systems, not just the marketers of them
  • Everything has a means of regulation; if there is an AHJ out there that can impact your discussion, or some legal precedent, you had better be ready to talk about it
  • Many come to education sessions expecting there will be a discussion of the device's, system's or security program's cost
  • Many people will try to leave early
  • If you tie in some type of relevant accreditation or recognition, they will come in droves
  • Every industry has its terminology; show people how to survive a project meeting
  • If you can provide the handout material electronically, people seem to prefer that medium
  • If you have a professional event person, like someone holding the CMP (Certified Meeting Planner) credential, you'll take a huge step closer to success
  • Keep the room cold
  • Plan on 20% of the people attending to show up unregistered (walk-ins)
  • Get plenty of sleep the night before your session, or just plan on having a Starbucks runner ;)