Return of the Hanging Chad? Mon 13 Aug 07

Cast_vote_travelin_librarian The other day while driving to work I heard an interesting report, Voting Officials Wary About Electronic Ballot,  on NPR (National Public Radio).  The report talked about the potential problems with electronic voting machines.  Like a number of other reports such as a recent New York Times article or Bruce Schneier's excellent analysis from November,2004 on "The Problem with Electronic Voting Machines" the NPR report talked about some of the issues of electronic voting.

The problems associated with electronic voting machines are well-known and Schneier does an excellent job of expanding on them:

  • Hacking - someone hacking into the system to commit voting fraud
  • Programming errors - software errors causing unintended widespread consequences
  • Accuracy - under-counting, double counting etc.

In looking at this I found two thing rather interesting.  The first thing is that we are still seeing technical issues with electronic voting.  We do our banking, manage our 401Ks, buy stock, arrange mortgages and more electronically without these issues (well, OK, hacking will always be a concern).  So why can't we solve the issue around electronic voting?  It just seems rather strange that we haven't been able to address all of these issues yet.

The second and most interesting thing (at least for me) was the reaction of some politicians and journalists to the issues.

Continue reading "Return of the Hanging Chad?" »

Tell A Friend Tell a Friend    View blog reactions   Bookmark    rss RSS Feed

An IT Question: Blocking Non-Business Internet Sites Wed 01 Aug 07

Help_cobber99_3One of the company Vice Presidents stops by your office and expresses concern that some of their people may be spending too much time on the Internet and wants to know if there is any thing you can do about it.  You mention that you do have a filtering program but it is set only to filter objectionable sites such as gambling, porn, etc.  You explain to that filtering non-offensive but seemingly non-business related sites may be counter-productive as it is often difficult for IT to determine which sites truly have no business application.  You go on to cite examples of the need to view sports, restaurant, job boards, real estate and other sites was business related.  The VP is not impressed and insists that you block all sites that are not obviously and directly related to your company's business.  You know other VPs do not have this concern.

How do you respond to this request to block Internet access to "non-business" sites?

"Help" photo by Cobber99

Got a question you'd like me to post for future discussion?  Email it to me using the "Email Mike" link in the left hand column.

If this topic was of interest, you might also like the other posts in the IT Question category.

Tell A Friend Tell a Friend    View blog reactions   Bookmark    rss RSS Feed

An "Ah Ha" Moment on Computer Security Thu 01 Feb 07

Ahha I had a reminder the other day on computer security that was an "Ah Ha" moment.  It was one of those moments of breakthrough understanding where you instinctively say "Ah Ha".  The concept was not new to me, I instinctively  have "known" it for some time but the elegance of a simple 5 word statement just struck me for its clarity.

Continue reading "An "Ah Ha" Moment on Computer Security" »

Tell A Friend Tell a Friend    View blog reactions   Bookmark    rss RSS Feed

Surfing Conditions Mon 29 Jan 07

Websurfing_3 In my last post, "IT is NOT your Mother", I talked about IT restricting access to non-business sites and made my case for why this is a bad idea.  Two key points I made were:

  • It is the supervisors job to let people know what is expected of them.  Excessive use of the Internet for non-business items is a supervisory issue more than a technical issue.
  • It's was important to treat people as adults with trust and respect.  I believe it is likely that most will act accordingly.

To go along with this I promised some practical tips on how to write and use good email and Internet usage polices (also known as AUPs or Acceptable Usage Policies). 

Continue reading "Surfing Conditions" »

Tell A Friend Tell a Friend    View blog reactions   Bookmark    rss RSS Feed

A Timely Example Wed 17 Jan 07

My good friend Russ Svendsen recently sent me a link to a rather timely article in the International Herald Tribune (IHT) that ties in nicely with my recent post on shadow IT and also my post on People and IT Security.  The IHT article "Firms fret as office e-mail jumps security walls"  talks about corporate email users forwarding company email to free web-based email programs such as Google's gmail or Yahoo! Mail.  The story is also posted at TechNewsWorld.

Emailsecure_3 People like to use these systems because it lets them by-pass the hassle of dealing with security provisions such as multiple passwords, the corporate email system only being accessible through company PCs, or special security systems.  Simply put, using these services is easier and quicker than the approved corporate systems.  Use of these methods can quickly spread as users pass along tips to each other or the shadow IT guys add it to their bag of tricks to make things simpler.

The formal IT folks are understandably worried about this due to the increased possibility of viruses and spyware.  But it isn't only the IT folks that have some concerns.  Circumventing the corporate email systems raises issues of data control and integrity which gets the lawyers and Human Resources folks attention.  Having email stored where IT can not locate it can raise serious legal issues if it involves subject matter caught up in a lawsuit.  Likewise there are certain legal requirement regarding data privacy such as patient data being stored in this manner.  As the IHT story reports "The Web mail services may also be prone to glitches. Last month, Google fixed a bug that caused the disappearance of "some or all" of the stored mail of around 60 users. A week later, it acknowledged a security hole that could have exposed its users' address books to Internet attackers."  Try telling your CEO that Google lost your company's data.

Obviously we have a significant security issue resulting from the shadow IT effect of using outside emails system.  The challenge is how do we address this in our IT security program?  The 3 goals of an IT security program are:

  • Tight security
  • User convenience
  • Low cost

Along with this goes an old saying - that when implementing a security system you can pick any two of the above but have to be willing to sacrifice the third.   This is not a pleasant scenario.  So what do we do?

This is where the "people factor" I mentioned in People and IT Security comes into play.  Making security awareness an important part of your security program can help.  It won't solve the pick 2 and sacrifice 1 conundrum but it can help minimize the problem.  It is naive to think security awareness effort will eliminate the issue entirely but with some effort you may be able to contain the issue.  Without awareness user are only concerned with the convenience factor and hence their choice is easy.  Some would argue that users are concerned with security too but typically it is only when security becomes an issue and not until then.  A good awareness program can help them appreciate all 3 concerns and help create a workable balance.

What are your thoughts on this?

One logical question that this discussion raises is - What constitutes a good security awareness program?  I'd love to hear your thoughts on this and perhaps we can have a future post on that topic.

If this topic was of interest, you might also like these:

Tell A Friend Tell a Friend    View blog reactions   Bookmark    rss RSS Feed

People and IT Security Tue 09 Jan 07

Computersecurity I came across some interesting posts on IT security.  The first is 10 Steps to Creating Your Own IT Security Audit. by the folks at  This gives a good overview of some of the things your need to look for.  This is not a comprehensive outline nor is it intended to be.  The sub-title of the posting is "If a security auditor isn't in the budget, these 10 IT security audit tips will go a long way in empowering you to protect your business."  With that qualification it does provide a good starting point.  When you read this article also read the comment posted with the article and on  These also provide some interesting insight.

Door When I read this the one thing I did think was missing was employee awareness.  Getting employees on board with the concepts of your security program is essential.  If they "get it" your program can be a success.  If they don't they will figure out ways around it to make their life easier which also leaves big security holes for anyone to exploit.  Locks on the door don't help if someone props it open so to speak.  For me employee awareness is the number 1 tool in making a security program successful.

I subsequently found a posting by Dan Morrill entitled Information Security as a People Problem.  Dan references a posting on by John Colley entitled The information security professional is more than 'a necessary evil'.  I was encouraged to see his statement:

"We need to remind ourselves again and again that information security is not a technology issue – it’s a people issue. We are reliant on people, their awareness, ethics and behaviour, and we must understand what they want to achieve if we are to accomplish the goals of business. This includes the employees that deliver our services and the customers that take advantage of them, as well as the senior executives and board room directors that grant us our budgets."

Like so many other things in our technology environment the lesson remains - Don't forget the people factor.  Security (or technology) won't work if we don't design it in a way that our people will use it properly and effectively.

How have you applied the "people factor" in your security plan?

Tell A Friend Tell a Friend    View blog reactions   Bookmark    rss RSS Feed

99 Email Security, Netiquette and Productivity Tips Fri 22 Dec 06

Email2_1The folks at ITSecurity have a great article, Hacking Email: 99 Email Security and Productivity Tips that lists 99 great tips that can improve our use of email.  Email at times can be a powerful and useful communication tool.  At other times it can be the bane of our existence when the inbox is overflowing.  Take a look at these tips, I think you'll find them useful.  (Thanks to Grigor at behind the glasses for providing the link to this article.)

The two tips that I found especially significant were:

22. Remember the telephone. Unless you need a written record of a given communication (or if the person you're communicating with is long distance), consider calling (or sending a letter to) your intended recipient instead of an email. People often default to writing an email because it is quick and easy; but sometimes a handwritten letter or phone call can provide the personal touch your communication really needs.

42. Cut to the chase. Sometimes a text chat is the best way to resolve a communication quickly, instead of sending a dozen emails back and forth. By keeping the bank and forth emails to a minimum, you keep your inbox under control and prevent the need to declare email bankruptcy and starting all over.

I've always told the people that work for me about Schaffner's 3 email rule which is based on some of the same concepts that tips #22 and #42 are but with something extra.

If the email thread goes beyond 3 levels and it is more than a factual providing of information and more like a conversation then it is time to stop emailing, get up out of your cubicle and go talk to the person face-to-face (or if distance precludes then talk by telephone).

Discussion3 My reasoning is that with the inherent limitations of email (and for instant messaging too) where there is no body language feedback, or intonation of speech etc. you quickly have a "conversation" where the two parties are talking "at" each other rather then "with" each other.  Although this can happen with face-to-conversations if you are not careful, why not take the effort to increase the chances of a true exchange of viewpoints?

Break that email chain and actually go talk with someone.  You just might find out what you need and maybe some more and probably quicker too!

What email tips or rules do you have?

Tell A Friend Tell a Friend    View blog reactions   Bookmark    rss RSS Feed


tell_a_friend Tell a Friend About Mike's Blog

Creative Commons License 
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 License.

My photos on
Mike Schaffner's items Go to Mike Schaffner's photostream

Free Subscriptions
  Free RSS Subscription

Free RSS Subscription

For An Email Of New Articles
Enter your email address:

Read On Your Mobile Device


Join the Conversation
Subscribe to Comments
  Free RSS Subscription

For New Comments Email
Enter your email address:

This is the personal blog of Michael W. Schaffner. The opinions expressed in this blog are soley mine and those of commenters. You should not infer that these opinions are the opinion of or have been endorsed by any current or former employer.

Please review the Privacy Policy.   I do love comments and trackbacks but I do reserve the right to remove any that don't comply with the Comments and Trackback Policy.  Rather than clutter up the front page with badges and statistics that are of little interest to anyone other than me I thought it would be best to establish a separate page for statistics and rankings.

Copyright © 2006, 2007, 2008, 2009 Michael W. Schaffner       You may copy or quote sections of this blog if you provide an attribution consisting of a reference to the Michael Schaffner and ''Beyond Blinking Lights and Acronyms" along with a hyperlink (if a web reference) to the blog posting.     

Creative Commons License 
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 License.