Gameforge supports theft

Up until a few days ago I played ogame. This is a browser based online game where thousounds of people interact to steal and trade resources. It was the sort of game that you could spend 10-20 minutes on throughout the course of a day and provided a welcome respite from work.
My finacee also played it for similar reasons. She played for almost a year and I did for 2 and a half years.

That is, until the other day. Because I was helping out my financee (which is within the rules) and because she was on the same IP address (also within the rules) when the resources arrived (against the rules) we both got banned until 2036. Now, I'm not disputing the ban. We both violated one small part of the terms and conditions. The penalities for that are a permanent ban which seems a little draconian but that's how it is.

So, Ban in place I decided to ask for my money back as I've got 8 months left to run on the account only to be told to go away.

So, bewary of online games especially of places like gameforge who will happily take your money and then ban you for an infraction.

This to me is theft - a bought for service is not being provided, they won't transfer the subscription to another account and they won't refund me.

So, thanks to Gameforge I'll not be trusting any MMO ever again.

Company Takeover

The company where I work has just been taken over by a much larger organisation. I'm not going to say where I work for now as enough has been plastered over the technical press but I'll have a few things to say on the matter much later on.

It's an interesting time for both good and bad reasons. Obviously the economic problems have hit both companies hard so the usual bans on travel and overtime have come into force. This presents a problem for us IT Department types who have been given a lot of work to do around the integration and are going to have to take time off in lieu for it. At the end of the year I think they will have many staff out as they will have leave that they will have to take. Hell, they will probably buy it off us!!

The current plan is to re-ip all the devices as the company that has taken us over use the same IP range as we do and this is right on the back of recently relocating them all to new data centres do yet more out of hours work and then fixing things that break.

The Chinese have a curse "May you live in interesting times" and for the next few months those times sure will be interesting....

Mac OS

I'm not much of a Mac fan. This is simply because I don't have a need to use Mac's. I have friends who use and love the Mac book pro and I've seen a few being used on the train when I travel into and back home from work. I'm still not a fan though so never looked into Mac OS until a few days ago when I was testing out a new security tool for some due dilligence work that was required and a copy of Mac OS would have been very useful for testing.

Could I just go to Apple's site and download a trial? Nope. Not allowed. It seems insane to me that Apple have no ability to allow the regular intel user the ability to try out Mac OS without having to buy the hardware. This policy must be causing Mac sales.

Data lost by Revenue and Customs

The news story linked above talks about the UK Government losing 25 million records containing names, addresses, national insurance numbers and bank details.

Apparently the data was password protected but not encrypted, Now depending on the application used there may be some encryption there. I'm hoping that the data is an encrypted database that also has a password on it which is where the confusion is coming from but why do I have a feeling that it's just a CSV file?

The thing is, this is NOT NEWS. It's happened before, there have been reviews and procedures created yet it KEEPS happening. It happens in pretty much all companies and yet no one seems to care.

I, for the life of me, cannot work out why security is second fiddle. With word terrorism, bank fraud, phishing and everything else why am I and other members of the IT security industry still fighting an uphill battle? What is it going to take to get security onto the agenda?

Project time Analysis

After last weeks fun and games with project management and changing deadlines I've come to the conclusion that I really don't like MS Project. Maybe this is because I don't really know how to use it and I don't have the back end server infrastructure set up for it all to work.

Even after saying that I still don't like project. I don't like the way it requires dates. If a persons time was dedicated to a single project then fine, project will work better but when you have a person whose time you get in varying lengths and that length of time is unpredictable then project is unable to cope with working that way and breaks down.

I personally feel that what is needed is a time planner tool which can be used as a time base for tasks. This system would become a centralised store of tasks - what to know how long it takes to get a server? Not a problem, look it up and the tool will give you the average time it takes based on previous knowledge.

MS Project is not able to offer this, in fact no project tool I have used seems to be capable of offering this pooled knowledge and therefore all project plans are new, finger in the air guesses with no ability to draw on previous learned experiences.

Additionally, the tool I envision will be able to detect compare the tasks you are creating and suggest others based on previous projects.
Once your project tasks are drawn up it will be easy to see the amount of hours required and most of this information will be based on known information!

To me, this seems to be a common sense approach based on learnt knowledge yet no one seems to work this way and I can't find a tool that is able to do this type of time analysis?

Bad Project Management

Sometimes this industry makes me want to scream. My old favourite the artificially tight deadline has been back in force this week with a project due to finish at the end of the month being shortened to the 23rd and now further short end to this Friday.
Obviously, in order to deliver the project will have to skip most if not all of the testing. Problems will occur in a very user facing environment and there will be no pre-learnt knowledge of failure modes which in turn means a very steep learning curve.

of course, chances are everything will be fine. Chances are testing won't uncover any major problems, chances are the testing can be deleted with no obvious impact to the systems.

however, without testing its impossible to know, without testing the little oddities that do crop up during the operation of a system cant be found or at least recognised.

a second really annoying part is that the project management tool we are using requires testing to be added so all the tests have been carefully thought about and added and now they won't be used.

this is my bosses boss demanding this so do I get on with it knowing the system will be inferior or refuse unless its properly tested?

At the end of the day I consider myself part of the engineering community with standards and a pride in my work so I will make a noise but fights like these end up leaving me drained, tired and wondering why the hell I still work in this sector.

This project doesn't need to deliver early. It just makes the stats look good and I am now fed up of working long days to fix something that should not have been delivered broken in the first place.

InfoSec

I had the pleasure of attending this years infosec event at Olympia and it was a thoroughly enjoyable afternoon - even with the hard sell By some vendors!!

I wasn't aware of any particular focus to this years event, certainly there were vendors who duplicated other vendors products with password management systems seemingly the 'in' thing. At least three vendors had the same password management product just presented in a slightly different way.

One vendor has an interesting approach to the problem of single sign on - Imprivata, whom I've had the pleasure of dealing with before displayed their showpiece single sign on tool - This appliance is a very impressive piece of technology that not just does single sign on but can also integrate with the building management system make decisions on access based on where your door card is used.
For example, No local logon's allowed on the servers unless your swipe card has been detected as being used to access the server room, also no vpn access for your account if your pass HAS been used to gain access to the building.
With Imprivata's single sign on technology these types of rules can be used to build a very powerful and comprehensive access control layer

The second vendor I was impressed by was Secerno. They have an appliance that is desigend to sit in front of SQL servers and reject or accept SQL queries dependant on where the query originated.
For example, if you have a payroll system that HR have access to but you don't want anyone else running (or trying to run) queries against it you can just block ALL queries from other IP addresses/terminals, etc. This is very handy for the casual browser or for the SQL admin who wants to poke around confidential databases. Obviously, if the SQL admin can take a backup of the database and take it offsite then the security is broken but it's an interesting idea.

Another vendor. GFI may well have something of a niche product with their endpoint security software. Many vendors have endpoint software for managing USB, CD burners and so on but this is the first I have seen that claims to be able to do the range of mobile phones as well. It should be an interesting application to play with.

The final stand I have to mention is Microsofts where I got to meet Claire Smyth of Technet magazine and she is an absolute delight to talk to, Obviously very comitted to TechNet and the technet community. Just a few minutes at the Microsoft stand really gives you an idea of the passion these people have for thier products and the comittment they have to security.

Overall, The event was a lot of fun and I'd recommend it to anyone who has to deal with IT Security.

Automated phone systems

Working in the IT field means I'm often on the phone to different companies and the one thing I VERY quickly learn to hate are the automated call handling systems that it seems everyone has introduced.

There are several things that I truly hate about these menu systems but one of the main ones is how every damn system has a variant of "In order to serve you better our menu has changed" - err, how does you messing around with your MENU serve me? It just means I have to sit here and listen to you twittering on when you could serve me better by fixing the product in the first place!
In actually many people do the same as me, they listen to the menu options once and write them down for future use - Outlook's notes field is particularly handy for this.

The other big problem I have with these systems is how you have to negotiate a maze of options to finally get the dept you want only to be told "This department is closed". Frustrating doesn't even begin to describe it.

There has got to be something better than a digital Dorothy answering the phones for every company.

Odd thoughts

If you take all the tarmac used in speed bumps across London and put it together in one spot - What size speedbump would you have?

Idle thoughts.........