Friday, February 29, 2008

beware of geeks baring grifts

[Kudos to http://www.awpi.com/Combs/Shaggy/615.html]

ASUG.COM has an open discussion forum thread titled: "Security Influence Council"

Multiple posters from well known companies discuss their wish lists for improvements in security management. I'll paraphrase their ideas as best I can, shrouding their identities. ASUG.COM posts are "members-only" and Influence Councils often are subject to non-disclosure agreements, so I'm partly obfuscating here for effect. Members have exclusive access to SAP product management through channels designed to maximize the community voice of a large number of SAP customers.

The thread started in mid-October, just after SAP TechED 07 US concluded, with the potent question from G.C., "Have you noted flaws in the SAP security design? Do you have requests for enhancement?" It linked to the October 2007 ASUG BITI newsletter, which summarized recent Security Influence Council requests. While SAP responded to open requests at TechEd, the customer concerns persist.

Thread capsule summaries



[2] PD:
"Authorization Group" (AKA field BGRU) usage seems to be incredibly complex; cannot find good documentation ... should be redesigned and simplified

[3] GL:

See: http://www.sapteched.com/usa/home.htm Executive Keynote
1 hr and ~38 minutes in, SAP acknowledges the wide variety of authorization concepts contributes to the burden and expense of [enterprise] security support.

*** Identity Management has the potential for managing users, but no impact on improving authorization/role management***

Holger Mack later spoke about simplifying documentation; fewer authorization concepts is desirable.

[4] SL: silent authorizations confusing. SAP said: "No attribute for identifying 'silent checks' in the trace file". Would like to see return code in trace file designating silent checks, and the checks not appear in SU53 as user errors.

[5] SG#1: SUIM reports should be 100% reliable.

[6] SG#2: SU53 is not 100% reliable; generic error that the S_CTS_ADM is missing with certain values. In all these cases, my analysis proved that the error shown is completely irrelevant to the error itself.

[7] LH: Job (role) based security in HR, with SAP focusing on Java development, where portal and Java gear toward user-based roles. Says Java is transparent, but ye editor thinks this means opaque...

[8] WM: Prior false starts ("Global User Manager") [leaves experienced admins leery of the latest product announcements]. SU24 CRM backend has never been accurately updated with auth objects that link to BSPs. "should sell our USOBT_C table to other CRM customers." ;-)
Like one of those Russian doll nightmares where I keep opening up one, and there is yet another small one inside.. =)

[9] JA: Identity Management 7.0. The only training was in Germany when I looked in 2007. Now the training site says that training materials have not yet been developed. Need more standalone classes solely dedicated to security for this new technology. (We have purchased the online training for NetWeaver, but that is a poor substitute for hands-on training).

[10] GM: would like to see a standard best practice process documented and supported by SAP that distributes SAP Security Business Application control to individuals in the business depts
many companies put too much on the shoulders of the technical security administrator and do not require enough hands on tasks for business owners, or delegated Super users for their departments.

[11] PR: struggling with the UME in NetWeaver since 2005 and haven't found a good way to trace what a user is doing other than to try to decipher the java logs themselves. Those are extremely cumbersome. The other way I have found is to look into the Visual Administrator.

What Else?



THREATS TO CIVIL LIBERTIES

I am sure the author of this SAP SDN blog intended the complete opposite of what I think -- "Threats to the community - Government working with Business." Just as I think the founders of the U.S. were on the right track separating church from state, it is right to separate business from government, from lobbyists, to telecommunications corporations giving away our privacy without due cause, warrants or legal review. Not to mention outsourcing mercenary activities to the lowest bidders. Cause for concern in my opinion!


ALL EGGS IN ONE BASKET

I read this blog and completely agree that different problems require different solutions. Follow up posters seem mainly to be from those interested in providing security solutions. Not so much noise from the harried security administrators who need to execute the goals.

REINVENTING THE WHEEL

An issue many software vendors gloss over is that customers may already have solutions in place, incompatible with the latest and greatest versions the account representative wants to unload. I don't know how many times I've had the pitch - "we bought (or developed, or whatever) this new solution to your problem". "But we already have a solution that works". "This one is better." Not cheaper, not faster, and rarely easier. It's just the product of the month. I usually ask, "will you pay to retrofit my customizations and configurations, train my users and staff the help desk for the first 90 days as part of this wonderful deal?" The answer never seems to be "no problem."

For SAP, I keep hitting this with Solution Manager. "Oh it has Change Control". Well, gosh, we've been using a third party change management system for years. I believe ChArM might be better, but where was it when we needed it?

THE TOWER OF BABEL


I'm no security expert, but I know a few. What they tell me is that the SAP Identity Management product approach is geared towards provisioning users, not towards the real goal they own, which is asset protection. There are many products that SAP has acquired or developed outside the core functionality of R/3 (the "Enterprise Resource Planning" - remember what Enterprise means???) with completely foreign methods of managing access control. Other vendors provide similar tools (anyone not running Windows desktops in their Enterprise, with Active Directory, or another LDAP directory not from SAP?).

When your company merges with another, acquires or is acquired, what do you find? They've implemented security and identity management in a completely different way. During those times, it is good to be the acquirer, but only slightly, as all the remaining staff need to be re-provisioned in order to gain those fabled synergies the folks in shiny shoes promised.

AND


ASUG Webcast: Central User Management with Windows Active Directory

http://www.asug.com/CommunityCalendar/tabid/58/ctl/Details/mid/439/ID/644/Default.aspx

WAS HELD FEB 7, 2008

Agenda

Learn how to simplify user management

Understand how the J2EE engine accesses LDAP data

Understand the LDAP synchronization tools for ABAP provided by SAP

Speaker

Tobias Waldvogel, SecurIntegration GmbH. Tobias is an SAP Security Consultant employed by SecurIntegration GmbH, a leading company in SAP Security.

ASUG MEMBERS CAN REVIEW THE WEBCAST (70MB PDF FILE!!!)



I Don't Want Identity Management, I Want Identity Theft Protection, Or Insurance.

{other than the folks I liberally quoted from above, all opines are mine alone}

http://en.wikipedia.org/wiki/The_Soul_of_a_New_Machine:
Steve Wallach ... coined the phrase, "I'm not puttin' a bag on the side of the Eclipse."

This blog was inspired by Gali, who claims to believe that I can write about any topic. I got an extra day this month but almost missed.

Monday, February 25, 2008

ethics and corporate social responsibility - a question?

Dennis Howlett blogged on An ethical question on SAP Community Network (SDN) last week. He asked whether companies should be responsible for their suppliers' compliance with human rights standards. My opinion is that people have ethics; companies have ethics policies. I am responsible for my actions; only people controlling a company can be held accountable for that company's actions.

(Full Disclosure: As of February 2008, I own 1 share of Federal Mogul). Rather than comment on Victoria's Secret and their supply chain, I looked at the public records for a company I partly (though quite de minimis) control, through being a stockholder. On their web site are references to supplier requirements, for example:

http://www.federal-mogul.com/en/Suppliers/Purchasing-Policies/TermsConditions/ .

In this document, Section 5 is titled "Compliance with law" and Section 10 is "Environmental Compatibility." I'll pick on the latter, as I have more environmental experience than legal. It says, among other things, "Supplier warrants that the Goods comply upon delivery with the state of the art as regards their environmental compatibility" - whoa, "state of the art". That's pretty far-fetched to believe that all suppliers maintain current low-emission, highly recyclable and sustainable processes. It's more likely these are empty words, a canard that whatever exists must be the state of the art.

My point, like an earlier post on corruption, is that it's up to stockholders and corporate offices to verify that company policies point in the right direction. It's up to me to follow best practices.

[all opinions expressed here are mine]

a couple days, a couple more miles

Saturday and Sunday I took a hike each day, walking around 4 miles each. I looked on Google maps to figure out a route, but the first one didn't quite compute as the "move your route" feature would not let me move my path off the main road onto the road into the State park. So, I took a different road past the archery range and down to the fishing area.

The first oddity I saw was a microphone about 3 feet off the ground, on the side of the road just after the last house, before getting to State property. It has a large metal base, with a huge cable leading to a suitcase size box chained to a utility pole, and appears to be powered by a solar panel.

On the base is a title "Aberdeen Test Range Environmental Sound Meter" which must be for a study being conducted by the U.S. Army at the "nearby" Proving Grounds. I found a 1993 study titled " Measurements of Blast Noise Propagation Over Water at Aberdeen Proving Ground, Maryland" but that is over 10 years ago. I can't make out the phone number on the plate, so I'll need to go back [I went back - it is 410-278-8605]. Here's the base's main web page: http://www.atc.army.mil/.


I pick up trash, recyclables and other detritus on most of my hikes. Usually, by the end of a weekend or week-long camping trip I have a gallon-sized plastic bag of odd novelties cast-off by society. The plastic fishing line is difficult to see in this scan, and the 2 larger pieces of hard plastic are unidentifiable, but the laser cleaning box yielded a serviceable CD/DVD case.


The audio tape is cracked and useless, and the title is probably illegible on this image, but the tunes are a commercial product from the 1999 release Esperando Un Angel by Banda Arkangel R-15.

Each 4 mile walk was just around 1 hour. Saturday was raining slightly, but Sunday was sunny. On the latter, I went around the main park loop, seeing cardinals, bluejays, and a red-headed wood pecker (I heard several others). Just before getting back on the main road, a herd of 8 or so white-tailed deer bounded away from my trail. I now have ideas for the next Scout nature hike.

Friday, February 22, 2008

Commentary on SAP anti-corruption Wiki

I posted this on sdn.sap.com, but the wiki editor acted in unexpected ways, plus I found a typo which I can't edit, so I'm republishing the commentary here.

If you have access to SDN, here are links to the original topic:

https://www.sdn.sap.com/irj/sdn/wiki?path=/display/CSR/Invitation+to+RESIST

My commentary



Much of what I have seen published on Corporate Social Responsibility & Sustainability (again, CSR for short) is from the perspective of a corporate entity. Thus, we see terminology such as:


  • provide practical guidance for companies to deal with
  • state this policy on your company website
  • train your personnel


Alas, most of us are not in a position to control or directly influence the above. We may work for a company and want to know what those policies are, or we may be shareholders (or prospective shareholders) and want to know if a company has such policies. What you could do is use the internet to find what a company has published. If it is easy to find, clear and unambiguous, all to the better. If it is hard to find, or just not there, it is time to follow one of my favorite bumper sticker slogans, "Question Authority!"

Full disclosure: I own (as of February 2008) 1 share of Federal-Mogul, a company recently reorganized out of bankruptcy triggered by lawsuits related to asbestos-bearing products such as automobile brake shoes.

I looked on the Federal-Mogul web site (www.federal-mogul.com/en/) and after a short search, found information related to Financial Code of Ethics. On many corporate web sites, public statements related to responsibility are found in Investor Relations or similar places, because most need to deal with Sarbanes-Oxley and other legal requirements. While this is important data, it doesn't directly relate with corruption issues.

Looking further, I found paths to:

Home > Investors > Corporate Governance > Code of Ethics

and

Home > Investors > Corporate Governance > Code of Ethics > Integrity Policy

This is more related to the ethical questions around bribery and corruption. The web content was rather meager, but I found a link to a PDF document entitled "Integrity Program for Federal-Mogul Employees." I'm not an employee, so I might have skipped that, but being a stockholder, I was interested in what management was communicating to employees. Right up front, I found the media contacts that I could use to ask questions on topics that were unclear or not covered by this document. For comparison purposes, does your company, or companies you work with, share information such as this:

Reporting Integrity Issues
If you have a complaint or concern about Federal-Mogul's accounting, internal controls, auditing matters or would like to report a violation of the Federal-Mogul Integrity Policy, you may call 800-368-4338 (outside North America and Puerto Rico, call 770-582-5258) at any time 24 hours per day, 7 days a week, or write to: Federal-Mogul Helpline, The Network c/o 5015, 333 Research Court, Norcross, GA 30092.


Myself, I'd like to see an email address, or a web page to report questions, but toll-free numbers plus street addresses are good enough.

In this 30+ page document are chapters "Working with Customers and Suppliers," "Fair Competition," "Your Personal Integrity," etc. On the specific concern about gifts and hospitality, these tips are listed:



  • Could it harm Federal-Mogul's reputation?
  • How would my actions or choices appear to others?
  • What would my family or friends say?
  • How will it come across when presented by the media?
  • Should I make sure?


And, then in more detail, the following:


Never offer or give anyone a bribe, kickback, illegal political contribution or other improper payment. Use good judgment to avoid even the appearance of an improper payment. Make sure business entertainment is lawful, reasonable and permitted by the policy of both your customer and Federal-Mogul. Employ reputable people, and require sales representatives and other third parties to comply with this policy. Follow the laws of the United States and other countries that relate to these matters.

Never offer or provide anything of value to a customer or government official to influence or reward an action (refer to Foreign Corrupt Practices Act, p. 16). Never offer or accept a business gift or entertainment if it could create even the appearance of impropriety.

All good, clear, and helpful information.

But then I saw this on page 12 under Working with Customers and Suppliers, Following International Trade Controls:
What to watch out for:

  • ...
  • Requests for information related to the Arab boycott of Israel


As a stockholder, this is where I would stop and write to management to ask for a clarification of this policy. It seems there is something unwritten here, where management is trying to prevent employees from taking political stances, but not being an international trade lawyer, I have no idea how a request for information is harmful.

The main point of this example is to show that corporations have ethics policies, they are likely to be found on their web sites, and that employees, stockholders, partners and consumers can be more informed with a bit of research.

[All opinions expressed here are mine, not my employers', customers', suppliers' or partners'. Well, maybe some of Kathy's are here]

Eight is enough things to know about me (or 10 base 8)


As an avid reader, my library card is extremely handy in preventing the house from being completely overrun by piles of books I have picked up and refuse to be rid of. Pictured is one of the earliest books I've collected that I'm fairly certain was mine from the beginning, rather than a hand-me-down or second hand purchase (I have a ton of paperbacks like James Bond novels from the '60s in that category). This one is copyright 1958, 1960; second printing 1962, so it coincides with Miss Barlow's report card.

I remember graduating from a Children's card to an Adult card at the Enoch Pratt Free Library, so I could take out up to 10 books at a time, rather than the limit of 3 or so I had earlier. Plus I could borrow from any section other than reference, not just the children's section. Moreover, I could visit any library in the city and return it locally. Awesome to a walker.

While I don't remember this directly, my Mom tells the story that when I moved up from kindergarten to first grade, I came home upset at the end of my first day. When asked what was wrong, I supposedly told her I was not able to read yet. I had been promised I would learn to read in the first grade, and it just didn't happen! Of course, this was a time when kindergarten wasn't as structured and pushy as now.

The Giant Golden Book of Mathematics has well-illustrated short stories about a wide range of physical, numerical and spatial concepts, and is well beyond the dry boring tone of most text books. It turns out the author was a social activist as well (see: en.wikipedia.org/wiki/Irving_Adler). I'm still using what I learned from that book to this day, as I often run computer benchmark programs to generate prime numbers with techniques illustrated as The Sieve of Eratosthenes and explained in the section Numbers We Cannot Split.
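Since the post names the Sieve of Eratosthenes as the prime-generation technique the author still benchmarks with, here is an added C example of that sieve (written for this page, not code from the original post or the book). The function name, the `uint8_t` composite table and the timing loop in `main` are this example's own choices; the sieve marks multiples starting at i*i and uses a 64-bit index so i*i cannot overflow for 32-bit n.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Sieve of Eratosthenes: returns the number of primes <= n.
 * If out is non-NULL, the first max_out primes found are copied into it.
 * Returns 0 if n < 2 or if the sieve table cannot be allocated. */
size_t sieve_primes(uint32_t n, uint32_t *out, size_t max_out)
{
    if (n < 2)
        return 0;

    /* composite[i] != 0 means i has already been crossed out */
    uint8_t *composite = calloc((size_t)n + 1, sizeof *composite);
    if (composite == NULL)
        return 0;

    size_t count = 0;
    for (uint32_t i = 2; i <= n; i++) {
        if (composite[i])
            continue;               /* already crossed out: not prime */

        if (out != NULL && count < max_out)
            out[count] = i;
        count++;

        /* Cross out i*i, i*i+i, ...: every smaller multiple of i was
         * already crossed out by a smaller prime factor. 64-bit j keeps
         * i*i from overflowing when i is near 2^16 or larger. */
        for (uint64_t j = (uint64_t)i * i; j <= n; j += i)
            composite[j] = 1;
    }

    free(composite);
    return count;
}

/* Stand-alone benchmark: count primes up to a limit and time it.
 * This main is only for running the example by hand. */
int main(int argc, char **argv)
{
    uint32_t limit = argc > 1 ? (uint32_t)strtoul(argv[1], NULL, 10) : 10000000u;
    uint32_t first[10];

    size_t n10 = sieve_primes(30, first, 10);
    printf("primes <= 30:");
    for (size_t k = 0; k < n10; k++)
        printf(" %u", first[k]);
    printf("\n");

    clock_t t0 = clock();
    size_t count = sieve_primes(limit, NULL, 0);
    double secs = (double)(clock() - t0) / CLOCKS_PER_SEC;
    printf("pi(%u) = %zu in %.3f s\n", limit, count, secs);
    return 0;
}
```

Build with `cc -O2 -o sieve sieve.c` and run `./sieve 10000000`; the counts it reports are the standard values of the prime-counting function (25 primes up to 100, 168 up to 1000, 664579 up to ten million).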

Tuesday, February 19, 2008

7 out of 8 doctors don't know this about me

I can make a claim that few others can, or would admit to. I have been to Green Bay Wisconsin. Not just to the city, or to Lambeau Field, or to one of the many breweries or eateries or wineries in the vicinity. No, I have been to the Green Bay Sewage Treatment Plant, more properly known as the Green Bay Metropolitan Sewerage District. What's shown here is one of the primary clarifiers, I believe, that I photographed on a tour in 1979. The US EPA gave money to local jurisdictions to construct wastewater treatment plants. My job was to make sure that's where the money went. Fascinating.

Here are links to the GBMSD site:

Main site

Water Quality Exhibit

Liquid Processing

Pump Station Photo

Primary Clarifier #1

6 of 8 things you don't know about me


I have owned way too many computers over time, and while it took me a few years to get a job where I could work with technology, I spent my spare time as a computer hobbyist. The attached clippings are the beginning and ending of an article I wrote as editor of the TBUG newsletter, the "TRS-80 Baltimore Users Group". I didn't make up the club name, but probably would have created something just as lame.

The group had existed for a couple years before I joined, back before every store in the country stocked software, so young guys got together to trade stories, and perhaps to share software. That is, until the owners of The Program Store (I did not make that up) showed up at a meeting and put the fear of the law into the group, for making illegal copies of software.

This meant that, for many, the reason for going to the meetings was not there any more. I wasn't that interested in commercial software - I was interested in software and hardware hacks. Thus, I ended up as the mailing list owner, the newsletter editor and keeper of many records. I did a monthly edition, and would send copies to other clubs around the country, who would in turn, share their stories. It was a scratch my back, scratch your back time. The standard blurb said that our content could be reproduced as long as proper attribution was given. As a result, my review of an early commercial C compiler was reprinted not only in the Kansas City TRS80 club newsletter, or wherever, it was printed in the Computer Shopper. I had tried unsuccessfully to get published in Byte, but here was my name and words being sent around the country. Cool!

So there you go, my first published words, not counting self-publication like the TBUG newsletter or the high school literature magazine Paul Hartman put out (Renaissance!). And a close friend at the time was torqued, because I was published before she was.

The TBUG club slowly dwindled in the face of that upstart, the IBM "Personal Computer" (boy did we think that name was lame). I can't remember the last meeting, but I recalled we got kicked out of one school because children of a member trashed the cafeteria when we weren't watching them. One club president (Jack) went on to open a store, selling Apples and PC clones, before the big chains came in to put him out of business.

I still write C programs on occasion, over 20 years later. I think some others are still using that language too, but I think the CP/M Operating System has gone the way of the dinosaur. And what's a Z8000 anyway?

:-)

The 5th thing in an increasingly personal saunter down memory lane.

I met Bobby probably the first or second day in college, once I located the persons of mutual interest. Not sports, not books, not chess, but listening to comedy albums such as Firesign Theatre, watching movies, riding bikes, and camping or hiking. He started in my department, Geography and Environmental Engineering, but I'm not sure he finished with the same degree. He took off hitchhiking one summer through Europe and made his way to India before turning around (getting a tape worm on the way).

Other friends in our group would get into varying degrees of trouble. Tom disappeared a few years later, Bruce dropped out only to return for a computer degree almost 10 years later. Only Chuck had the fortitude to stick through a degree in Geology and then go on to a PhD and work for an oil company. I worked for the government, and lost track of Bobby somehow.

Then I moved back from Chicago to Baltimore and started visiting New York, where I discovered Bobby was living in the East Village in the 12th Street walk-up pictured above. He had wrangled a job working on Wall Street, where he met and hung out with the rich, cool crowd. But he often seemed depressed, or "bummed out" as he said. I didn't know how he could be so well off, and not be happy about it.

One night, and of course I will never forget it, and not because I had come back from seeing This is Spinal Tap for the first time, I stopped at Bobby's apartment. He seemed serene, and said "I have AIDS." I was shocked, not realizing until that night that he was gay, not to mention deathly ill. I got to see him a few more times, and he visited me in Baltimore once, before his totally untimely, and unfair death.

We used to joke about being chronologically close, as Bobby's birthday was one day before mine, same year. Only he will always be 29.

To try to cope with the cruelty I saw, I started working at Baltimore HERO, on the phone lines. I spent the next few years, every Wednesday night, helping to pass on what news and hope I could.

Thing 4, or I'm pretty sure the statute of limitations has run out on this one

I had a PC in the 1970s. Who didn't? It was a Radio Shack Model 1, but that was before there was a model II, so it was called the TRS-80. But that's not what this blog is about. This is about Max, Bert and the contact list.

A friend from college (Bert) and I met up after going separate ways after a long strange trip in 1976 (a long blog series on that one day). He started a non-profit organization called Nuclear Free America (IRS 501(c)(3) qualified!), and I became the volunteer information technology department. To get a mailing list going, he was using a for-hire CP/M computer (a DEC Rainbow - how appropriate) at $1 an hour or something like that. This was somewhere around 1982. I convinced him that the well-meaning proprietors of Federal Hill Software, or whatever they called themselves ("Community Computing" maybe?) were locking him into a dead end architecture with their home built database software. dBASE II was the way to go, boy.

The only place that had an accessible, legal copy of dBASE was DHMH, the State Health Department. But I knew the good doctor who procured the TRS-80 Model II, with the 8-inch floppy disks, and knew she'd look the other way if some nice young people used her office computer after hours. Enter Max.

Max is now pretty well known in anti-war circles (also known as the Peace Movement), but at the time Max was not quite up to speed on the latest technology. Bert and I needed to get him to say NOOK-LEE-AR, not NOOK-YOU-LER, if you catch my drift. Max recruited a helper, I built the database specs, and off we went keying in hundreds of names from typewritten and handwritten sheets into the great magnetic media in the sky.

We spent time editing the newsletter, The New Abolitionist, and sticking labels on them for bulk mailing. Can't survive without a bulk mailing permit. Also can't survive without well-endowed sons of corporate America inheriting Daddy's trust fund, thank you very much.

After Bert got a computer for his office (a Chameleon, among others), I worked on setting up extended record attributes to track personal donor attributes, moving the data from 8-inch to 5-1/4 inch and presumably eventually a hard disk. Bert went on to start a few more semi-non-profits ("Eco-Works - 95 watt light bulbs!"; "MCS Resources" - Multiple Chemical Sensitivities), Max went on to be arrested from one end of the country to another ("first risked arrest at the NSA on July 4, 1996").

And me, I'm still driving the taxi.

Thing #3 I need to share about me



Back in the day, Kermit was the bomb. I still use it on occasion, but, well, you know. 15 years ago offices were just not connected to the internet. Computers weren't on every desktop, much less laptop. So, my first corporate internet connection was a slight back door. We had a line to the US EPA mainframe so the air and water pollution data could be shared. My buddy Shermer (who shall remain surnameless) clued me in that the EPA had internet connectivity, and they had a Kermit program. So I FTP'd data to my mainframe account, and Kermit'd it back to a PC or a UNIX system.

Sperry/Unisys sold the State our first UNIX box, running AT&T 5R2, and gave out PC programs to connect over TCP/IP to login and transfer files. Turns out they swiped the Kermit protocol without attribution as I recall. Somehow I ended up getting new versions of Kermit for UNIX, and then Kermit for Windows 3.1, and then for Windows 95, because it did terminal emulation, moved files, and it was generally free. Then I started working on beta versions, emailing the Kermit maintainers with questions and comments.

The oldest code I can find on the internet that I contributed is in the Kermit beware file
http://www.columbia.edu/kermit/ckubwr.html with honorable mention in the overview file
http://www.columbia.edu/kermit/ckermit70.html


From: James Spath <no_longer_working@jhunix.hcf.jhu.***>
To: Info-Kermit-Request@cunixf.cc.columbia.edu
Date: Wed, 9 Sep 1992 20:20:28 -0400
Subject: C-Kermit vs uugetty (or init) on Sperry 5000


I sent binary versions of the compiled C-Kermit for every machine we had, from the 68020 Unisys machines to a RISC Prime computer, and even some NetBSD binaries. I submitted typo reports after reading the C-Kermit book, so Frank da Cruz sent me an autographed copy of Using C-Kermit: Communication Software, Second Edition.

Tuesday, February 5, 2008

Things you didn't need to know about me (#2)

I read all 3 volumes of Marx's Das Kapital in college (in English, though). Got an A in the course, and slept well.