Archive for April, 2009

GoDaddy Terms with 6 Month Passwords

April 26th, 2009

There are a few things you have to take into account when creating a password security policy.  You take care to make sure people can’t use ordinary dictionary words, you require more characters in the password, and you even require two passwords for the really sensitive areas.  If you make any part of the password experience too difficult, human nature will bypass your entire policy.  The human-nature factor has become a valid model that we all recognize in security.  We know that the harder you make the password policy, the more likely people are to write that password on a sticky note.  I think you could graph sales of sticky notes against the strictness of password policies.

On April 25th, 2009, I received notice that GoDaddy had changed the password-policy section of their terms of service. They didn’t tell me what the change was, only that it concerned passwords and account security, and gave me a link back to the site.

4. ACCOUNT SECURITY.
You agree You are entirely responsible for maintaining the confidentiality of Your customer number/login, password, credit card number, and shopper PIN (collectively, the “Account Access Information”). You agree You are entirely responsible for any and all activities that occur under Your account. You agree to notify Go Daddy immediately of any unauthorized use of Your account or any other breach of security. You agree Go Daddy will not be liable for any loss that You may incur as a result of someone else using Your Account Access Information, either with or without Your knowledge. You further agree You could be held liable for losses incurred by Go Daddy or another party due to someone else using Your Account Access Information. For security purposes, You will be required to change Your password and shopper PIN every six (6) months, for every Go Daddy account, subject to Go Daddy’s password and PIN guidelines. You should keep Account Access Information in a secure location and take precautions to prevent others from gaining access to Your Account Access Information. You agree that You will be responsible for all activity in Your account, whether initiated by You, or by others on Your behalf, or by any other means. Go Daddy specifically disclaims liability for any activity in Your account, whether authorized by You or not.

I have to change my password and my PIN every 6 months? Really?  While this approach is recommended for systems in a corporate environment that are accessed, across multiple resources, on a DAILY basis, GoDaddy is an online account.  In the world of online accounts, requiring password changes at this frequency is a step backwards in actual security.

For one, I don’t access my GoDaddy account every 6 months.  Now I am going to get a notice explaining that I need to reset my password AND PIN for an account I haven’t even used.  I have to remember to go in and do that before…how long exactly do I have to change this password, GoDaddy?

Insert sticky note problem number one here.  Can I just ignore your request to change my password for another 6 months?  That is my first reaction, and it is human nature.

What if the other 316 online accounts I have required me to change account information every 6 months?

Insert sticky note problem number two.  Human nature would take over, and I would rotate all of my passwords to the same thing, all at the same time.  My password for shopping online for car parts would be the same as my super-secret GoDaddy password.

While this may help GoDaddy absolve itself of some legal responsibility for account access, it punishes end users and creates a larger security problem in the end. GoDaddy has started down a path that will fail if it is adopted elsewhere, possibly opening the door to the modern-day sticky note of security problems.


Google in 3D, Really this time

April 22nd, 2009

I thought the April Fools prank was rather fun, when Google announced that you could use their browser in 3D. I even poked fun at it on our corporate intranet, announcing our commitment to the entire CADIE project.

It turns out that Google wasn’t really joking. On a newly created blog for their O3D project, developers have released a plug-in that will enable 3D in most browsers. While it is a step away from needing to wear 3D glasses, the move is an interesting one, considering we are not done laughing at the thought of seeing the Internet in 3D.

While I haven’t been following the efforts closely, sometime last month Google announced it was working with the Khronos Group, an open standards group for media authoring and acceleration. Sure enough, they have just released the API, based on the open-source standard, that will bring 3D rendering and graphics to major browsers.

While I always enjoy the projects underway in Google Labs, this one may be a little early to get excited over. Mainstream Internet users are not ready to navigate the Internet in 3D. While we are not ready to live in a 3D browser, it certainly offers up some opportunities for the development of other applications.

This is attractive in the eyes of the gaming community, or at least in my eyes as one person in that community. For years I have run ahead of some invisible curve of technology, trying to keep hardware up to spec just so the game I was playing would run as smoothly as possible. That has been an expensive habit.  Keeping behind the pricing curve of hardware but ahead of the requirements curve of software is a never-ending race. For me, the latest round of console development over the past couple of years has been the only reprieve, letting me wean myself off the yearly gaming budget while still satisfying my cravings.

By leveraging graphics in the browser and producing the level of rendering once reserved for a locally installed application, Google has opened a door to moving computer gaming closer to a cloud environment. Take that game you are already addicted to and move it into a browser. You have now made that game available anywhere, on almost any platform, at the same quality you have at home.  Want to see if you can install or play a particular game?  It might not matter what computer you are on, as long as you have a web browser.

Nobody can predict the exact direction Google will take this development, or whether their focus is even on the gaming industry. I do know that I am frustrated walking into a store at all after doing all my shopping online. I do not want to re-live that experience in a web browser, so I hope something fun comes out of this development.


We all still need Email size limits

April 5th, 2009

There are so many modern ways to transfer large files that it still saddens me that the only method anybody can conceive of using is sending attachments in email.  It does not surprise me when people continue to ask for larger message transfer sizes.  I work for a manufacturing company whose only resource for moving information around has become email.  While FTP and other transfer methods have existed for years, without exposure to these technologies the mainstream office worker only knows email.

This week I found myself defending the restriction on message size against our own organization.   When people stop trusting the restrictions I put in place, it tells me I need to pause long enough to listen to what real problems might be occurring.

An administrator who tells you that they have no problems running higher limits, or no limits at all, doesn’t have a grasp of their own resources or network.  While it is technically possible to open the limits up, there are reasons why it is just not done.

Why does there have to be a limit?

It is important to understand why we need to have limits in place. The first obvious one is that you make yourself more susceptible to denial of service attacks.  Now, when I say “attacks”, people immediately jump to thinking about hackers and scary 8-year-olds in hoodies trying to take down our network.  In reality you could inadvertently trigger a denial of service on yourself, crippling your own network.

Large email sizes will directly impact network performance as people transfer these large files around. If your office is running a T1 line for Internet connectivity and you send or receive a 30MB file over that connection, it doesn’t take much to see that you could stall your network. A 30MB file is 240 megabits, so even if it were possible to max out the T1’s 1.544Mb/s line rate, that one message would consume all of the bandwidth for about 155 seconds (roughly 2 minutes 35 seconds), and longer still once the attachment is base64-encoded for email.  You don’t actually have that full bandwidth available, so it is easy to see how crippling this could be for a smaller office.
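As an added illustration of how much of the line one message really consumes (this snippet is not from the original post), the following PowerShell works out the on-the-wire size of an attachment after MIME base64 encoding and the time it would hold a T1. The 30MB file and the 1.544Mb/s line rate are the post’s own figures; the 4-for-3 expansion and the 76-character line wrapping are the base64 rules from RFC 2045. Note that PowerShell’s `30MB` literal is 1024-based (31,457,280 bytes), which is why the raw figure comes out slightly higher than the decimal arithmetic above.

```powershell
# Added example (not from the original post): what a 30MB attachment costs on a T1 once
# it is wrapped in a MIME message. Attachment size and link speed are assumptions that
# match the post's figures.

function Get-MimeWireSize {
    param([Parameter(Mandatory)][long]$AttachmentBytes)
    # Base64 turns every 3 raw bytes into 4 ASCII characters (RFC 2045), and the
    # encoder breaks the output into 76-character lines, each terminated by CRLF.
    $encodedChars = [math]::Ceiling($AttachmentBytes / 3) * 4
    $lineBreaks   = [math]::Ceiling($encodedChars / 76) * 2
    return [long]($encodedChars + $lineBreaks)
}

function Get-TransferSeconds {
    param(
        [Parameter(Mandatory)][long]$Bytes,
        [double]$LinkBitsPerSecond = 1544000   # T1 / DS1 line rate, 1.544 Mb/s
    )
    return ($Bytes * 8) / $LinkBitsPerSecond
}

$raw  = 30MB                                 # 31,457,280 bytes on disk
$wire = Get-MimeWireSize -AttachmentBytes $raw

'{0:N0} bytes on disk -> {1:N0} bytes on the wire' -f $raw, $wire
'Raw file at full T1 rate    : {0:N0} seconds' -f (Get-TransferSeconds -Bytes $raw)
'MIME-encoded at full T1 rate: {0:N0} seconds, with nothing else using the line' -f (Get-TransferSeconds -Bytes $wire)
```

On the post’s numbers this comes out to about 163 seconds for the raw bytes and about 223 seconds (3 minutes 43 seconds) once encoded, because the "30MB" attachment is really about 43MB by the time it leaves the mail server. That is the figure to use when you estimate the impact of raising a limit.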

A larger message size will also put an enormous strain on the client and on the client antivirus software.  Most anti-virus programs scan messages within the mailbox, and large attachments may appear to lock up or stall the entire application.

I have a big pet peeve when people respond to my requirements with “storage is cheap”.  You can certainly go and buy another 5400 RPM hard drive that stores a terabyte of information for cheap.  Now multiply that by the number of people on a corporate network, expect to buy enterprise-level storage increases on your SAN, and you will start to think differently.

What is a good limit?

Certainly necessity is the first rule.  If you NEED a larger limit, then everything else must adapt to keep up with what you need.  If you live and die by Microsoft best practices, you start with 10MB, the default organization-wide send and receive limit in Exchange, which every mailbox inherits unless you override it.

http://technet.microsoft.com/en-us/library/bb124345.aspx

Depending on the size of your organization, you will need to be proactive in determining how much of an impact increasing email size limits will have on your network, your clients, your servers and your storage.

What are my alternatives?

Most people in the organization don’t need a large limit.  Consider setting up a small group of people who might need a higher limit, and educate them on the dangers of sending and receiving large files.
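An added example of how that “small exception group” can be implemented in the Exchange Management Shell on Exchange 2007/2010; this is not from the original post. The 10MB default, the 25MB ceiling and the distribution group name `Large-Attachment-Senders` are assumptions chosen for illustration; the cmdlets and parameters are the standard Exchange ones.

```powershell
# Added example (not from the original post): keep the 10MB organization default and carve
# out a larger limit only for a named group. Group name and the 25MB ceiling are assumptions.

$DefaultLimit   = 10MB                        # what everyone gets
$ExceptionLimit = 25MB                        # what the exception group gets
$ExceptionGroup = 'Large-Attachment-Senders'  # assumed distribution group

# 1. Organization-wide default. Mailboxes with no explicit limit inherit this.
Set-TransportConfig -MaxSendSize $DefaultLimit -MaxReceiveSize $DefaultLimit

# 2. Connector limits are enforced independently of the mailbox limit, so they must be at
#    least as high as the largest exception or the exception group's mail still bounces.
Get-ReceiveConnector | Set-ReceiveConnector -MaxMessageSize $ExceptionLimit
Get-SendConnector    | Set-SendConnector    -MaxMessageSize $ExceptionLimit

# 3. Per-mailbox override for the exception group only. A mailbox limit takes precedence
#    over the organization limit for that user.
Get-DistributionGroupMember -Identity $ExceptionGroup |
    Set-Mailbox -MaxSendSize $ExceptionLimit -MaxReceiveSize $ExceptionLimit

# 4. Anyone who has left the group goes back to inheriting the default. On a mailbox,
#    "Unlimited" means "use the organization limit", not "no limit".
$members = Get-DistributionGroupMember -Identity $ExceptionGroup |
    Select-Object -ExpandProperty Alias
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.MaxSendSize -ne 'Unlimited' -and $members -notcontains $_.Alias } |
    Set-Mailbox -MaxSendSize Unlimited -MaxReceiveSize Unlimited

# 5. Verify what is actually in effect before telling anyone the limit changed.
Get-TransportConfig | Format-List MaxSendSize, MaxReceiveSize
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.MaxSendSize -ne 'Unlimited' } |
    Format-Table Alias, MaxSendSize, MaxReceiveSize -AutoSize
```

Run it again whenever the group’s membership changes: step 4 is what keeps the exception list honest, otherwise the override quietly follows people into jobs that no longer need it.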

Make the files smaller.  I know that sounds simple, but it is.  The number one complaint from people getting blocked has to be PowerPoint presentations gone to the extreme.  For some reason people aren’t very efficient at making PowerPoint documents: they don’t use properly scaled images, and they don’t go back later to compress the file size down.

http://office.microsoft.com/en-us/powerpoint/HA011168821033.aspx

There are hundreds of online storage services available, such as putfile.com, filesavr.com or filefactory.com, that allow you to transfer large files.  Make sure you are not handing company-sensitive information to a third party before using a service like this, but they can be very easy to set up and use.

If your company doesn’t have a secure channel for transferring files to customers, then push to make it happen.  That push doesn’t go to the IT department, but rather through management, to identify the business need and make it happen.  Stretching the capabilities of your email system is not an option, but the request itself helps the company see why it is having the problem in the first place.
