On the subject of security…

DOD reveals viral infection:

A virus infected two computers managed by the Army Space and Missile Defense Command operating on the Defense Department’s classified Internet recently, according to Lt. Gen Larry Dodgen, head of the command.

Dodgen, speaking here at the Army Director of Information Management (DOIM) conference, said two computers in the Space and Missile Defense command connected to the DOD Secret Internet Protocol Router Network (SIPRNET) were infected because they did not have any virus protection.

At the same conference, according to the article, the Army Chief Information Officer said:

Despite years of emphasis, the Army still does a poor job of protecting its information systems…. But, he added, that will change now that “information assurance is a commander’s responsibility,” not just the job of the Army’s IT establishment.

Which takes us back to the question of, “Who’s responsible?” In the Army it is the commander (THE boss). Who is responsible in your organization?

And the biggest security threat in the IT age is…

If you said “Microsoft” you wouldn’t be too far off, but according to Bruce Schneier the biggest threat in the IT age is people.

Since the beginning of time, people have always been the biggest security threat. That hasn’t changed because of computers. People are why firewalls are invariably misconfigured. They’re why social engineering works. They’re why good security products are rarely deployed properly. Securing the computer and network is hard, but it’s much easier than securing the person sitting on the chair in front of the monitor.

“So, who is responsible for security?” you may ask. According to Schneier, in an interview at Neowin.net:

Right now, no one is responsible; that’s part of the problem. In the abstract, everyone is responsible…but that’s not a fair answer. In the end, we all pay. The question really is: what’s the most efficient way to assign responsibility? Or: what allocation of responsibility results in the most cost-effective security solutions?

We can’t survive with a solution that makes the user responsible, because users don’t have the knowledge and expertise to be responsible. The sysadmins have more knowledge and expertise, but they too are overwhelmed by the sheer amount of security nonsense they have to deal with. The only way to solve the security problem is to get to the root of it, and the roots are in the software packages themselves. Right now, software vendors bear no liability for the software vulnerabilities in their products. Changing that would put enormous economic pressure on software vendors, and improve computer security faster and cheaper than anything else we can do. I’ve written about this here.

Other topics addressed in the interview include a brief discussion of Microsoft (and why they aren’t overly interested in making a secure product) and his thoughts on what systems/apps are better from a security standpoint.

I’ve been a reader of Schneier’s Crypto-Gram monthly newsletter for several years and highly recommend it. I also recommend his books. Beyond Fear and Secrets and Lies (my personal favorite) are especially good for a general audience interested in security, while some of the others are much more technical in nature.

Throwing down the gauntlet, or “You just don’t get it!” – The Gospel according to Joe Trippi

From Robert Paterson’s Weblog is this review of Joe Trippi’s The Revolution Will Not Be Televised: Democracy, the Internet, and the Overthrow of Everything.

I have been feeling that we are indeed at a point of paradox where a new and better world is in sight just as we see the world of corporate power and alienation at its most powerful.

The new is no longer a theory. Companies such as eBay, Amazon, Southwest are eviscerating their traditional competitors. Bottom up organizations will replace command and control, wherever it exists – in business, in politics, in government – everywhere. Community will be the organizational structure and where power will reside. Open Source will be the organizational model. The new is now inevitable. For those who lead organizations the time to decide has come. Do you vainly defend the indefensible or embrace the world to come?

It seems to me this has been building for several years now, since I first read The Killer App way back when. Every year we get closer, and every year the approach gets faster.

What do you mean, no e-mail?!?

Could you live without your e-mail for a day? That’s the question posed by Eric Mack in More productive with[out] e-mail? After a brief history of e-mail’s climb to the top, Eric points to They’ve got less mail, a Fast Company article about the Veritas Software marketing department making Friday a “no e-mail day”.

On Fridays, it’s half that many. Now his employees talk face to face. Or they pick up the phone. They’re more productive on days like today because there’s less miscommunication and less time spent crafting notes just so.

Has e-mail become a productivity drain? Based on the way it is used in most organizations today, I would say YES. Does it have to be that way?


Instructional Models for Using Weblogs in eLearning

From EduBlogInsights is a discussion of Instructional Models for Using Weblogs in eLearning: Case Studies from a Hybrid and Virtual Course, published in Syllabus magazine. The article includes survey results and observations from the integration of blogging into online and hybrid courses over the last year at the University of Arizona.

In various blogs and posts over the last few months, I’ve seen several discussions of what a blog isn’t, what a blog is, what blogs should have, what they shouldn’t have. This article, and some of the insights from it, go a long way to show that a blog is a blog. You use what works, you don’t worry about what doesn’t, and you do your thing.

My Brilliant Failure: Wikis In Classrooms

There are a lot of great tools out there: high-tech, low-tech, no-tech, and everything in between. Some tools are for individuals, some for organizations, some for both. Though all of these tools will likely work for some of the people some of the time, it is very unlikely that these tools will work for everyone. An example of a tool tried but not successful is documented in My Brilliant Failure: Wikis In Classrooms from Kairosnews.

I wanted to share with the participants my experience of collaborating in a wiki environment, and how it feels to have someone else edit your document, how you see a concept from someone else’s mind map…. But finally, I ended up using wiki as pumped-up PowerPoint. It turns out I changed the tool, but did not change the practice. It was WikiLite.

An experienced wiki developer told me that people come to him from “academia” and wanted to know questions such as: “how can I use this in my classroom”. What they don’t realize is that there is a great potential in this tool to be completely disruptive (in a good way) to the classroom setting. At this point, I made a connection to an article by Scardamalia and Bereiter about ‘Computer Support for Knowledge Building Communities’ which called for no less than restructuring our concept of ‘schools’ to allow for student to student interaction, negotiating meaning, and knowledge construction.

For my part, I’ve tried many new gadgets and apps over the years, some of which I still use and some of which never got past the early use stage. For the latter it was mostly because those gadgets and apps didn’t quite live up to my expectations (or their promises), but some were because they required me to change too much. This article is a good example of how sometimes it is a good thing to change my ways in the interest of progress.

In the Classroom, Web Logs Are the New Bulletin Boards

An article from the New York Times online, In the Classroom, Web Logs Are the New Bulletin Boards, discusses the role that blogs can play in the classroom. It is an excellent example of how blogs can be much more than just a way to say something; they can actually be a way to help you say things better.

As the article notes, it is also a way to “even the playing field” so that the quiet students who may not get a spoken word in edgewise can have their voice heard in the group.

Knowledge is power, but sometimes what you really need is Power

At least that is what retired Army Colonel Douglas Macgregor, PhD told the House Armed Services Committee (.pdf) at a July 15, 2004 session entitled Army Transformation: Implications for the Future. (For more info on DoD transformation, check out the Office for Force Transformation.) Some excerpts (the emphasis is mine):

I will begin by examining two of the fundamental assumptions that are distorting Army transformation. The first of these distortions arises from the belief that information can substitute for armored protection, firepower and off-road mobility.

Situational awareness promises that information about the enemy and his intentions will always be available when it is needed. It also assumes that everyone inside the battlespace will create and exploit information in exactly the same way.

In terms of doctrine, tactics and organization, the Army views FCS [Future Combat System] as shaping the battle “out of contact,” assuming that perfect situational awareness will turn every actual engagement into an exploitation operation rather than a decisive battle. Of course, unless the network operates perfectly the FCS equipped force may not be powerful enough to shape the battle extensively, much less win an engagement in contact.

More important, the kind of thinking that underpins the FCS also denies the enemy a vote in how he will fight.

For most of us, failures in effective information/knowledge management do not usually result in the catastrophic consequences that can result in the heat of battle for military forces. This does give us an extreme example, though, of the importance of not relying exclusively on technology to gather and process information and make decisions.

People ARE important, no matter how much the technology vendors try to tell us differently.

UPDATE: Reading through some of the other testimony at the meeting mentioned above, I came across the following in the testimony of retired Army Major General Robert Scales (again, the emphasis is mine):

Yet the military still remains wedded to the premise that success in war is best achieved by creating an overwhelming technological advantage. Transformation has been interpreted exclusively as a technological challenge. So far we have spent billions to gain a few additional meters of precision, knots of speed or bits of bandwidth. Some of that money might be better spent in improving how well our military thinks and studies war in an effort to create a parallel transformational universe based on cognition and cultural awareness. War is a thinking man’s game. A military all too acculturated to solving warfighting problems with technology alone should begin now to recognize that wars must be fought with intellect.

Clearly these imperatives place an increased premium on the ability of America’s military to understand the nature and character of war as well as the cultural proclivities of the enemy. Yet increasingly military leaders subordinate the importance of learning about war to the practical and more pressing demands of routine day to day operations. In a word, today’s military has become so overstretched that it may become too busy to learn at a time when the value of learning has never been greater.

The Network Effect of “Brains”

Several recent articles have focused on the ability and power of groups to come up with better solutions than any individual can.

The power, and goal as I see it, of Knowledge Management is to make it possible to make the group connections that enable this improved decision making while preventing the negative aspects (e.g., groupthink) of human social decision making. The problem, as always, is that we humans don’t always act the way we should.

(An interesting read along these lines is What is neurofinance?, first in a series by David Edwards posted on Brain Waves.)

On the importance of rules

After reading some of the various recent posts concerning Mind Maps® and downloading and using the trial version of MindManager, I went back to the source of my first introduction to Mind Maps®, Michael Gelb’s book How to Think Like Leonardo DaVinci: Seven Steps to Genius Every Day. I was fortunate enough to meet Michael when he was touring for the book when it came out several years ago and hear him speak about the book and his experiences. If you’ve not read this book, I strongly recommend it.

After a brief description of Mind Maps, Michael lays down the rules of Mind Mapping before presenting the exercises. The rules themselves were very familiar to me since I have been playing around with Mind Maps over the last couple of days. What really grabbed me was Michael’s “justification” for using rules, a quote from DaVinci’s Treatise on Painting:

These rules are intended to help you to a free and good judgement: for good judgement proceeds from good understanding, and good understanding comes from reason trained by good rules, and good rules are the children of sound experience, which is the common mother of all the sciences and arts. (emphasis added by me)

Throughout my adult life I’ve had a “glass half full” perspective on rules that somewhat mirrors DaVinci’s sentiments. This comes from the scientist and engineer in me. To paraphrase another great mind, Richard Feynman, it is important to know what has been done before so that you can build from it.

As anyone with children – especially teenagers – knows, though, rules have a very bad reputation. From the kids’ point of view, rules are evil things meant to repress (oppress?) kids and limit their adventures in life. I see this as a “glass is half empty” perspective on rules.

Unfortunately, it seems to me that many people in organizations I’ve been involved with have this same perspective. Rules in the form of organizational processes, best practices, etc., are all too often ignored – often quite blatantly and proudly. The not invented here syndrome is alive and well. That said, I do not advocate blind following of rules or application of past success (best practices) to any “knowledge” problem.

One aspect of Knowledge Management, process improvement, etc., is the capturing and use of best practices. Much of the writing on and practice of best practices that I’m familiar with, along with my past experience with organizations working with best practices, focuses on capturing past practices that worked and applying those practices, as is, to future situations that are similar. While this works fine for what I call “information” processes – and is, I believe, a critical step in helping any organization improve – I don’t believe that it is appropriate for “knowledge” processes. Or, in terms of DaVinci’s scheme above, the blind use of rules, in the form of best practices, stops short of the goal – good judgement.

This is not to say, however, that past experiences should not be exploited in creating/acquiring new knowledge. Except for the rarest of occasions of thinking “outside the box” (e.g., Newton’s discovery/invention of the calculus and Einstein’s General Theory of Relativity), most new knowledge created today is derivative of something past. It is important to know what has come before and learn from the successes and mistakes of others. The rules that come from those past lessons then become the framework for the future, not the fully developed solution to be applied like a generic template to an MS Word or PowerPoint document.