December 2006 Archives

Bruce Schneier asks:

How good are the passwords people are choosing to protect their computers and online accounts?

It's a hard question to answer because data is scarce. But recently, a colleague sent me some spoils from a MySpace phishing attack: 34,000 actual user names and passwords.

The attack was pretty basic. The attackers created a fake MySpace login page, and collected login information when users thought they were accessing their own account on the site. The data was forwarded to various compromised web servers, where the attackers would harvest it later.

MySpace estimates that more than 100,000 people fell for the attack before it was shut down. The data I have is from two different collection points, and was cleaned of the small percentage of people who realized they were responding to a phishing attack. I analyzed the data, and this is what I learned.

It seems we're getting incrementally better with passwords, at least as compared to studies conducted a decade or more ago. The reasons why aren't clear: maybe it's because the MySpace user demographic (which is significantly younger than the corporate user crowd) is more password-savvy, or perhaps it's because these users have bad password hygiene in other ways, such as reusing the same password across multiple services.




I thought of this Andrew McAfee post as a continuation of the "Does IT Matter?" debate sparked by Nick Carr.

[T]he strong relationship between IT investment and productivity growth has broken down recently. If this is accurate, it's quite bad news. Productivity growth is a primary engine of economic growth and, ultimately, of increases in standard of living. If the wonderful, unprecedented, and unanticipated productivity increases we've been enjoying since 1995 are in fact coming to an end despite our continued investment in computing, and despite the fact that computers continue to get much more powerful over time, then we have a problem.

Is IT really such a great leap forward in companies' abilities to better themselves that it's more than another process improvement program?  Does modern IT really deserve a place alongside electricity and the internal combustion engine?

The optimist would say that IT-enabled collaboration and knowledge sharing will usher in huge, but hard to quantify, productivity boosts. The pessimist might note that optimists have been saying basically the same thing since computers were first networked.

Perhaps there's room for a third perspective, the realist, who says that businesses shouldn't invest in the basic building blocks of IT any more than they should invest in the basic building blocks of electricity. They should, however, spend on IT-enabled services to be delivered on demand. Put another way, spending money on infrastructure is spending money on automation; maybe we've done all the heavy lifting we can there. Innovation, on the other hand, where we improve processes or uncover new advantages, is where the discretionary IT dollar should be spent. By allowing companies to specialize in infrastructure in order to deliver higher-order services, IT organizations can shift their spending to higher impact efforts that subsume technology.


This post on an Intel blog caught my eye:

A core component of a business value program is the concept of using a common language of value that is defined by the customer, not IT. Business value dials (e.g., days of inventory, employee productivity, system end-of-life) represent the common language for identifying the value IT solutions deliver. To define business value dials, you need to know what is seen as valuable through the eyes of your end-users, your customer, and your company. For example, employees responsible for product inventory won’t think of IT solutions in terms of server uptime, database optimization, etc. They want to know specifically how the IT solution is going to allow them to better manage inventory and to do their job better.

Whether you call them dials, dashboards, reports, or scorecards, there's an increasing need for technology and business to erase the lexicographical lines that separate them in the enterprise. You'd have to search hard indeed to find a business process that isn't expressed in code somewhere, and enterprise technology isn't created simply for technology's sake. So why do business and IT have such a difficult time communicating?

My guess is that, in general, the functions have evolved faster than the reporting tools have. In other words, enterprise IT, as it's gotten more embedded, has become more business-savvy, and the business has gotten more digitally-aware, but the basic tools we use for communication (reports, analytics, metrics) haven't evolved in the same way. What we report is often dictated by what we can collect most easily, and that often means relying on the analytics and reporting tools built into the systems sold by enterprise IT vendors. Those tools are often limited in scope to the specific product sold by that vendor, or to the vendor's vision of enterprise architecture. When we try to implement reporting tools to cross vendor boundaries, we see difficult integration and information discovery issues. The desire to develop a complete picture that's as relevant to the business as it is to IT is clearly there, but it's thwarted by the complex, fragmented nature of the enterprise IT landscape.

Stepping back for a second, that means that even if the CIO and other top IT leaders have a vision for communicating with the business, as you get deeper into the technology organization, middle-managers, constricted by the tools they use, lapse back into an inward-looking, technology-driven vocabulary.

Since technology is Intel's business, perhaps their issues here will be easier to untangle, but it's telling that, even at Intel, the problem remains.
