Below you will find pages that utilize the taxonomy term “security”
Post
Tech War or Diplomacy?
Yesterday, I published an article asking, "Did Docker Declare War on RedHat and CoreOS?"
I received several responses pointing out market-related developments.
A number of people said they know that Docker did not intend to "declare war" on CoreOS and RedHat. Docker was simply developing the tools it needed anyway and advancing its market. With the change in CEOs this week at Docker, it is highly unlikely they would start a war immediately before the change.
Post
I Have Given You a Service, If You Can Keep it
In my world of technology operations, two major themes recur again and again (redundantly):
Incentives
Litmus Tests
I have written about incentives extensively on this blog. In short, as the saying goes, "you get what you measure." Don't expect extra customer handholding if you measure your support team by time spent on issues or minimizing average ticket time. Sure, you need to operate cost-effectively, but the key word is "
Post
Amazon: Speed and Ease vs Vendor Lock-In
A few weeks ago, Amazon Web Services held its annual AWS re:Invent conference. Unsurprisingly, they announced, yet again, a slew of new services, all meant to ease adoption and management of technology services.
Yet, something felt a little amiss:
https://twitter.com/avideitcher/status/804418718994407424
Not only are SaaS firms getting nervous, but plenty of large firms, as well. As Benoit Hudzia pointed out, many on-premise software giants, including Oracle/PeopleSoft and SAP, should be getting nervous (but perhaps are not):
Post
Architect Your Product Before It Holds You Back
Architecture determines capabilities.
This is not new. Anyone who has planned and architected a new product, or has tried to retrofit capabilities for which a platform has not been architected, knows it first-hand.
Yet, time and again, I come across products that have not been planned, and therefore architected, around reasonably expected capabilities.
Sometimes I see these as a user.
Last week, a client wanted to give me access to their Dropbox Team account, so we could share information.
Post
SSL Is Broken, Time to Fix It
For a long time, I have felt that SSL/TLS - the protocol that secures your communications with Web sites, mail servers and most everything across the Internet - is broken. It is broken to the point that it is fundamentally insecure, except for the most technically-aware and security-alert individuals, who also have the time to check the certificate for each and every Web site.
SSL is supposed to provide three guarantees:
Post
Open Source Business Models
Sometimes I am amazed by open source software... even as I contribute to it.
The largest repository of public open-source projects, GitHub, has over 35MM repositories in it. Granted, some large percentage of those are private, and therefore closed-source, but even if only half of those are public, and by all accounts it is much more heavily weighted towards open, the numbers are in the tens of millions.
Add in other source hosting locations like BitBucket and sourceforge, as well as privately hosted sites like GNU Labs' git.
Post
Why the Internet of Things Is So Vulnerable
It seems every day there is another article about how "vulnerable" the Internet of Things (IoT) is. Here are two choice excerpts from the last year:
"Hackers Remotely Kill a Jeep on the Highway," Wired, 21st July 2015
"Security Researcher Claims to have Hacked into Flight via Entertainment System," CNN, 19th May 2015
While these are major life-threatening issues - one cannot compare a malicious actor disabling your iPhone while you are on it with someone taking control of your car going 110 km/h down the highway, let alone a plane flying at 35,000 feet and 600 mph!
Post
Internet of Iotas
From the Cambridge Dictionary of English:
iota (n.) - an extremely small amount
From the Wikipedia:
Internet of Things (IoT) - the network of physical objects—devices, vehicles, buildings and other items—embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data.
As electronics get smaller and smaller, not just wearables like an Apple Watch, but even tiny full computers like the Raspberry Pi, the "
Post
Don't Defer the Problem, Resolve It!
I have been pondering this article for quite some time, then came across a great similar quote from Bryan Cantrill: "Don't just reboot it, goddamn it! Debug it!" Since Bryan always is a great speaker, watch it here.
Time and time and time again, I come across companies and people with systems that are misbehaving. Time and time and time again, people suggest "why don't we just restart/reboot it?" What these people really are suggesting is, "
Post
Good Writing Still Counts
In a world full of email, then SMS, then Twitter-based abbreviations for everything - ttyl, afaik, iirc, rtfm - do good, clean, clear writing skills still matter?
Yes.
Unquestionably, and without a second's hesitation, writing certainly matters, not solely for the pedantic nitpickers. Good writing skills greatly affect your business success.
Secret of Success
I once asked a very successful executive what he thought was the single most important factor in his success.
Post
It's All About the White Rats
No, this is not about "White Hats" - security hackers who try to break into systems in order to strengthen them, as opposed to "Black Hats" - but really about what we can learn from white rats.
In the last few weeks, I have helped solve a number of vexing problems on behalf of customers, both in technology and process. Each time I am asked how I do it, and each time the answer is the same.
Post
Keep Corporate Away From Production
For a very long time, corporations treated their corporate networks as safe protected environments. The data and applications inside that network are:
confidential and must be kept safe from unauthorized access (protect from loss), and
crucial to business processes and must be kept accessible to employees (protect from denial of service).
Over time, however, two trends have challenged these assumptions.
First, more and more business-critical data has migrated to the Internet.
Post
TrueCrypt: True Security, True Licensing
TrueCrypt was a great open-source encryption program. It created files that, when opened by the program, looked to your computer like an additional drive. Any files placed in that drive would be encrypted and protected from prying eyes.
Why would you do it?
To keep files protected on your computer.
To send files securely from one person to another.
To protect files that you might store in the cloud, for example, on Dropbox.
Post
Experience Matters... Especially In a Startup
There is a belief in startup-land that you have to be younger than ___ to successfully innovate. To some extent, that is driven by the youth of the founders of a few highly successful companies like Facebook and Twitter, magnified by the adoring media coverage they get.
And yet, even when I was back in my 20s and 30s, there was a nagging presence in my head that said, "
Post
Yahoo's On-Demand (In)Security
Passwords are insecure and annoying. I get that, I have written about it, and I experience it. So lots of companies and organizations are working on replacing passwords with something that is both more secure and more convenient. For example, Twitter's Digits service. Other approaches, like 1Password's password manager, make passwords easier to manage and auto-generate, so they simultaneously can be more secure and more convenient.
Then there are "
Post
Kill the SIM Card
About five months ago, I looked into the "Not-So-Simple SIM Card." In short, I called for the abolition of the SIM-to-carrier-to-number tie.
For those who never change carriers or travel, this doesn't matter much. You get your phone, you go to your carrier store - or a local retailer like RadioShack (RIP) or BestBuy - sign some paperwork, get a card, insert it into your phone... and never worry about it again.
Post
Whence Private Clouds, and Why Amazon and Google Should Spin Off Cloud
After our article last week discussing the economics of moving into AWS vs. do-it-yourself (DIY), Jim Stogdill wrote an excellent follow-up about when enterprises aren't moving into the public cloud; Simon Wardley - whose strategic situational awareness mapping is in a category by itself and should be required reading for anyone responsible for strategy - continued with his input.
In Jim's words, private clouds are like SUVs; they rarely make sense economically, but sometimes you buy them anyways because:
Post
Hiding Fingerprints in Your Browser for Privacy
The browser is the single most ubiquitous piece of software on the planet. Nearly every computing device has at least one. Because of its ubiquity, and its use across multiple applications from open (Google "how much does a banana weigh") to private (browser-based email) to secure (office applications or banking), it is also a source of many risks.
This article will dig a little deeper into issues of browser security and privacy.
Post
Superfish or Stupidfish?
How did Lenovo do something so inane as fundamentally breaking their customers' laptop security by installing Superfish? What is Superfish, and what is wrong with it?
I have often asked clients to consider, "what business are you in?" The right answer is not, "to make profits", or "shareholder return", because those are bland, meaningless statements. Every business wants to make profits and return value to their shareholders.
Peter Drucker said, "
Post
Websites and the Cost of Change
You are reading this blog on WordPress. It is not a secret; any technologist with experience managing WordPress can look at the page and see that it is run by WordPress.
How does WordPress show you this page? Here is what WordPress does, simplified:
Look at the requested address, showing right now in your browser's address bar.
Translate that address into a specific article.
Retrieve the text for that article from the database.
Post
Change Control in the Cloud
"We made a small change and it brought down our customers for 4 hours." - colleague
"Network issues caused outage" - GoDaddy
"A configuration error... caused days of downtime." - Amazon
"Facebook was down... for 2.5 hours." - Facebook
Every one of us has seen human errors cause significant, revenue-affecting, downtime. Our stability instinct always is to tighten up change control to try and prevent a recurrence. In a cloud environment, though, our agility instinct is to be as nimble and loose as possible.
Post
Samsung's "Too Smart for Their Own Good" TVs
The Internet has been abuzz for the last week about a hitherto little-known clause in Samsung's "Smart TV" privacy policy. The news was most prominently covered in the Daily Beast, here.
The Daily Beast includes a link to the entire privacy policy, but the important element is:
Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.
Post
Types of Cloud Services
In the previous article, we discussed what the (terribly overhyped) word "cloud" means. Before we start to delve into the difference between "true cloud" and "we just call it cloud", let's look at the different major categories of "cloud" services available.
As we discussed previously, cloud services replace:
Expertise with consumption
Capex with opex
Fixed costs with metered prices
Unsurprisingly, you can use that model with any technology you consume.
Post
Deleting Email Is a Chimera
In response to the Sony hack, in which not only valuable intellectual property, such as movies, was stolen, but also (previously) confidential emails, a number of experts have recommended increasing the usage of email retention policies. They go something like this:
Email is confidential
People put things in corporate email that they do not want seen outside the company
Companies get hacked
Therefore, we should limit the damage by forcibly deleting all emails older than some time period, say, 30 days
The Wall Street Journal also had an article discussing the debate about email retention policies.
Post
Ask Why You Care About Security
Recently, I had a conversation with a senior executive at a company about the firm's information security. The conversation, like others I have had, revolved around a sudden increase in interest in that security.
To be clear, we are not talking privacy settings on Facebook (use them) or whether or not Snapchat pictures and messages really disappear (they don't). These people are seriously concerned about loss of data due either to security breach by bad actors targeting the company, or simple loss of data due to employee errors.
Post
Security Spending: Part II, the Good Tower
Today, we present the second guest post in the series by Ted Lloyd, editor of OnlineCISO.
Yesterday, we explored why security spending need not be a bottomless pit, and how yesterday's tools, such as antivirus, can be evaluated using familiar risk management methodologies.
Where then, should a business reinvest the funds previously allocated to antivirus solutions? Another analogy to the physical world can help to answer this question.
Malware and variants are similar to microbiology in our physical world.
Post
Security Spending: Part I, the Bottomless Pit
Today, we are honoured with the first of two guest posts in a series by Ted Lloyd, editor of OnlineCISO.
Cybercrime has emerged as a multi-billion dollar business and spawned another multi-billion dollar business to combat it. As 2014 closed, Gartner estimated that global spending on information security would top $71 billion, representing a nearly 8% increase in spending over 2013. The trend and trajectory are expected to remain steady for 2015 as well.
Post
ReCAPTCHA 2.0
In the first half of this year, I noted that ReCAPTCHA was a lot like the "TSA of the Web" - an annoyance that is sometimes necessary to keep bad actors out and good (or, in the case of ReCAPTCHA, "real") actors in. I also noted that Google, itself, had publicized that it had broken ReCAPTCHA, rather than wait for someone else to do so. In that respect, ReCAPTCHA was a lot more like the TSA - weak, broken, but good "
Post
Where Real and Cyber Warfare Meet
Probably the biggest story of the last few weeks has been the hack of Sony Pictures by North Korea (or the Democratic People's Republic of Korea / DPRK, naming convention courtesy of George Orwell). While hacks happen all of the time, this one is particularly notable for several reasons:
It was directed by a state actor.
The US Government officially responded and "named and shamed" the state actor, thus forcing itself to respond.
Post
The Safe as a Web Server
Safes. They are big, heavy, and make us feel, well, "safe" about our valuables stored inside.
Historically, safes were controlled by a series of complex gears that only the correct series, or "combination", of dials would open. I loved the illustrations for gears and other mechanical devices in David Macaulay's "New Way Things Work".
Digital safes, whether the professional variety or the home variety, were created largely for convenience. They are faster to open, make it easier to share (and change) codes, and require less physical space than all of the gears.
Post
Will a CISO Board Delta Airlines?
The Internet has been abuzz with the discovery by Dani Grant, a writer at BuzzFeed, that she had found an easy way to explore - and print, and use - lots of boarding passes from Delta, even those for other people and other airlines.
When you ask for your mobile boarding pass, Delta sends you a URL to click and view your boarding pass QR code as well as all of the "
Post
Does Apple Pay Get Security Right?
So we have yet another attempt to succeed at mobile payments, courtesy of Apple Pay. However, Apple has a very long history of taking inventions and putting them together in just the right way that they finally are usable, and take off. As Tim Cook said on Tuesday, "every other attempt looked at it from the perspective of the business model, rather than the user experience."
Given the many high-profile security breaches over the last several years, I would like to take a look at the security implications.
Post
PCI, POS and RTH (Road to Hell)
Two interesting events came to light in the last week for me. First, I am working on getting a company towards compliance with the Payment Card Industry Data Security Standards (PCI-DSS or just PCI). These are the standards that govern the technology and processes you use to protect data when you handle credit or debit card transactions. An auditor checks your questionnaire or audits your systems and people, "recommends" changes if necessary, and then issues a PCI certification, which must be renewed each year.
Post
Lock the Door First
Two reports came out this week that reflect the poor (and weakening) state of security in technology.
The first report is the 2014 edition of Mary Meeker's annual KPCB "Internet Trends" report, which I always recommend reading. On slide 18, she states that, "+95% of networks... compromised in some way," and "vulnerable systems on the Internet are compromised within 15 minutes."
The same automation software that enables vacuums to move around the house, Google Maps / Waze to find alternate routes, and Chef to maintain consistent server state, let alone Google to scan and index the Internet, enables criminals to find and probe your deployment within less than an hour of it being deployed, even before anyone knows about it.
Post
Is Anti-Virus Alive or Dead?
Is Anti-Virus Alive or Dead? That depends on who you ask. Certainly anti-virus makers continue to make plenty of money. Symantec, the largest anti-virus maker, earned $2,109 MM in consumer revenue, with nearly 50% operating margin in that segment. $1BN in profit is valuable in anyone's book.
So why is Symantec, of everyone, trashing anti-virus? In a recent WSJ article, Symantec's SVP for Information Security said, "anti-virus is dead... we don't think of antivirus as a moneymaker in any way.
Post
Watch Your Data Security, It's A Target
A decade ago, it would have been hard to imagine. In 2014, it is hard to imagine not.
A CEO, serving in his post for a successful 6 years and as a company loyalist for 35 years, has been forced out due to a data security breach. At the same time, data security analysts have become kingmakers and kingbreakers.
Gregg Steinhafel, CEO of Target, who oversaw a 14% increase in revenue in the last 5 years and a 17% increase in profit, has been forced out because of the massive data breach that occurred a few months back.
Post
ReCAPTCHA, the TSA of the Web
ReCAPTCHA is one of those parts of the Internet that we love and hate at the same time.
A Captcha is a distorted letter/word/number picture that we need to fill in when we first sign up for a service; ReCAPTCHA is Google's version, developed by several computer scientists and acquired by Google in September 2009. It looks something like this:
We hate it because it gets in the way of our doing what we want to on the Web.
Post
Heartbleed and Open Hearts
The Internet is agog with the discovery of the critical bug in OpenSSL's heartbeat, nicknamed "Heartbleed." Bruce Schneier called it "catastrophic... On the scale of 1 to 10, this is an 11."
What is heartbleed? I will leave it to other sites to explain; just Google it. Suffice it to say that it can accidentally expose in-system memory of SSL-secured servers. In that memory could be garbage, or it might be a user's password, bank transaction info, or even the private key of the site (which would allow any site to spoof it).
Post
They Hacked in Via the Air Conditioning? Really?
Brian Krebs, the cybersecurity blogger who first broke the Target attack, has reported that the hackers who infected Target's Point-of-Sale (POS) systems did so via their Heating/Ventilation/Air-Conditioning (HVAC) servicing company.
Unlike a simple home, large-scale office facilities have complex HVAC systems. On the one hand, they want the optimal temperature, humidity and airflow in their facilities. On the other hand, they are acutely aware of the cost; it costs a lot more to air condition a big-box store than your local townhouse!
Post
Putting Optics on the Target
I love incentives. They can explain strange behaviours and can help motivate people (inside and outside organizations).
Incentives are all about Target's latest behaviour.
After the last breach in which at least 40MM credit cards were stolen, Target's CEO is now in favour of a chip-on-card system. This is unsurprising; after all, merchants often get held responsible for fraudulent charges - and chargebacks that are validated often come with a hefty fixed fee for the merchant per chargeback - and Target is especially vulnerable after having been responsible for its breach.
Post
Why Engineers Hate Testing
In previous posts, most recently earlier this week, I discussed the benefits of testing and how admitting you have a problem is the first step, the first success, on the road to victory.
Anyone who has managed engineers knows that they hate doing three things more than any others:
Wasting time
Writing documentation
Testing
Despite growing evidence that creating automated tests first and only then writing code to implement your business need (test-driven development or TDD) is very successful and leads to faster, more stable and more reliable releases - which means more revenue for the company and, from the engineers' perspective, fewer nights of emergency bug fixes - engineers instinctively hate writing tests first (well, after too), and will take any opportunity to "
Post
Snap...ACK!
SnapChat was supposed to be a safe way to share pictures or text for a short (and controlled) time. You take a picture or send a text with your smartphone, set an expiry on it, and only the recipient can see it only for the time you set. After that, it is gone, lost forever.
A few months back, some smart engineers proved that SnapChat doesn't actually delete the pictures, and you can retrieve them.