Monthly Archives: March 2010

Software Vulnerabilities

To ensure software products are kept up to date, many vendors provide patches and service packs, either as manual updates or as automated updates (similar to Windows Update). If your machine has been updated with the latest application patches and service packs, does this mean the applications have no vulnerabilities? No. Updates contain only the vulnerabilities analyzed and fixed by the product company. If the product makes use of third-party software, who fixes the vulnerabilities in that third-party software? The product company would support a specific version of the third-party software and might not support later versions of it.

How do you become aware of vulnerabilities reported against a particular product but not accepted as vulnerabilities by the product manufacturer? If you need this information, a good website to check is the National Vulnerability Database (NVD). NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). NVD supports the Common Vulnerability Scoring System (CVSS), which provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. NVD makes the vulnerabilities publicly available and shareable, without distribution restrictions. Based on impact, a vulnerability can be either a software flaw that could directly allow serious damage or a software flaw that is a stepping stone for a successful attack. To understand the software vulnerability cycle, from discovering a vulnerability to fixing it, have a look at the article "Transformational Vulnerability Management Through Standards".

NVD provides two RSS 1.0 data feeds. The first feed provides information on all recent CVE vulnerabilities. The second feed provides only fully analyzed CVE vulnerabilities. The advantage of the latter is that NVD is able to provide vulnerable product names in the title. You can subscribe to these feeds and build applications that help you understand the vulnerabilities of the products used in your enterprise.
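
A sketch of such an application, added here as an example and not taken from NVD or from the original post: it parses an RSS 1.0 document and matches the product names in item titles against an asset inventory. The feed content, the inventory and the title layout "CVE-id (product, product)" are constructed assumptions, and the CVE ids are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# RSS 1.0 items sit in the RSS namespace, directly under the rdf:RDF root.
NS = {"rss": "http://purl.org/rss/1.0/",
      "dc": "http://purl.org/dc/elements/1.1/"}
# Assumed title layout: a CVE id, optionally followed by "(product, product)".
TITLE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s*(?:\(([^)]*)\))?")

# Constructed sample feed; ids, product names and URLs are placeholders.
SAMPLE_FEED = """<rdf:RDF
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns="http://purl.org/rss/1.0/"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel rdf:about="https://feed.example.invalid/analyzed">
    <title>Constructed sample feed</title>
    <link>https://feed.example.invalid/</link>
  </channel>
  <item rdf:about="https://feed.example.invalid/CVE-0000-0001">
    <title>CVE-0000-0001 (examplesoft_reader)</title>
    <dc:date>2010-03-10T14:00:00Z</dc:date>
  </item>
  <item rdf:about="https://feed.example.invalid/CVE-0000-0002">
    <title>CVE-0000-0002 (acme_httpd, acme_proxy)</title>
    <dc:date>2010-03-11T09:30:00Z</dc:date>
  </item>
  <item rdf:about="https://feed.example.invalid/CVE-0000-0003">
    <title>CVE-0000-0003</title>
    <dc:date>2010-03-12T08:00:00Z</dc:date>
  </item>
</rdf:RDF>"""

# Constructed inventory: product name -> hosts that run it.
INVENTORY = {"examplesoft_reader": ["ws-014", "ws-022"],
             "acme_proxy": ["edge-01"]}


def parse_feed(xml_text):
    """Return one dict per feed item whose title starts with a CVE id."""
    # A feed is untrusted input: refuse DTDs so entity expansion cannot run.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("feed contains a DTD; refusing to parse")
    root = ET.fromstring(xml_text)
    entries = []
    for item in root.findall("rss:item", NS):
        title = item.findtext("rss:title", default="", namespaces=NS).strip()
        match = TITLE_RE.match(title)
        if not match:
            continue
        products = [p.strip().lower()
                    for p in (match.group(2) or "").split(",") if p.strip()]
        entries.append({
            "cve": match.group(1),
            "products": products,
            "date": item.findtext("dc:date", default="", namespaces=NS),
        })
    return entries


def triage(entries, inventory):
    """Split entries into inventory hits and ids that name no product."""
    hits, unnamed = [], []
    for entry in entries:
        if not entry["products"]:
            unnamed.append(entry["cve"])
        for product in entry["products"]:
            if product in inventory:
                hits.append((entry["cve"], product, inventory[product]))
    return hits, unnamed


if __name__ == "__main__":
    hits, unnamed = triage(parse_feed(SAMPLE_FEED), INVENTORY)
    print("hits:", hits)
    print("needs manual review:", unnamed)
```

Entries without a product name in the title, as in the feed of all recent vulnerabilities, land in the manual-review list instead of being silently dropped.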

Search for contents that are privy to search engines

Today, when I want information on any specific topic, I perform a search on Google and obtain the answer or information I was looking for.

Can I get all the information I need from the web only? No. Maybe a search for medical records with a similar disease across my hospital will help me provide my current patient with better medication. Maybe a CEO would like to search the ERP system for all the purchase orders placed with a specific vendor across the departments of the company, to understand the status of vendor dependency.

Can we place all documents that need to be searched on the HTTP medium and allow indexing by search engines? No. This information needs to be easily retrievable, but at the same time confidential information cannot be made available to the public, nor be allowed to be crawled or indexed by search engines.

There are other areas too where there is a need for specialized information retrieval and search engines do not return the desired results. For example, a civil designer or electrical engineer may search for a specific term related to his profession. He wants only information related to his profession to be part of the search results. He does not want to be spammed with all the content on the web that contains the search term.

Even more complex information retrieval is needed by newspaper or publication companies. They want search functionality that retrieves all articles (paid and free) for their subscription users. For guest users, search returns only free articles and summaries of paid articles, to woo the user into purchasing a subscription.

Federated Search (in Windows 7) can be used to help users find high-quality information in more specialized or remote corners. Federated search makes use of the OpenSearch protocol to enable users to search one or multiple local or remote data stores and view consolidated results. The OpenSearch v1.1 standard defines simple file formats that describe how a client should query the Web service for the data store and how the service should return results to be rendered by the client. Windows federated search connects to Web services that receive OpenSearch queries and return results in either the RSS or Atom XML format. Federated search applications excel at finding scientific, technical, and legal documents, whether they live on free public sites or on subscription sites. Many libraries and corporate research departments provide federated search applications to enable easy access for their students and staff.

Windows 7 provides Windows Explorer as the default search client for federated search, which can be enabled on any data store via OpenSearch with RSS or Atom output. In addition, at Proteans, we explored the following aspects of federated search in Windows 7.

  • Ability to expose any data store via federated search. We were able to enable federated search on a simple data store, books.xml (explained in the next sections).
  • Ability to perform federated search using a custom application (web or desktop). We were able to build a web client to perform federated search (explained in the next sections).
  • Ability to search additional data stores using Windows Explorer.
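
An added example, not the Proteans client or Windows code, of how a custom client can consume an OpenSearch 1.1 description: it selects the RSS or Atom `Url` template, checks that the endpoint is HTTPS on an approved host, and fills the template with percent-encoded values. The description document, host name and allow-list are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

OS_NS = {"os": "http://a9.com/-/spec/opensearch/1.1/"}
# Result formats named in the text above: RSS or Atom.
RESULT_TYPES = ("application/rss+xml", "application/atom+xml")
# Template parameters look like {name} or, when optional, {name?}.
PARAM_RE = re.compile(r"\{([A-Za-z][A-Za-z0-9:]*)(\?)?\}")

# Constructed description document; the host and paths are placeholders.
SAMPLE_DESCRIPTION = """<OpenSearchDescription
    xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Books</ShortName>
  <Description>Constructed example data store</Description>
  <Url type="text/html"
       template="https://search.example.invalid/ui?q={searchTerms}"/>
  <Url type="application/rss+xml"
       template="https://search.example.invalid/books?q={searchTerms}&amp;start={startIndex?}&amp;count={count?}"/>
</OpenSearchDescription>"""


def pick_template(description_xml, allowed_hosts):
    """Return the first RSS/Atom template that points at an approved host."""
    if "<!DOCTYPE" in description_xml or "<!ENTITY" in description_xml:
        raise ValueError("description contains a DTD; refusing to parse")
    root = ET.fromstring(description_xml)
    for url in root.findall("os:Url", OS_NS):
        if url.get("type") not in RESULT_TYPES:
            continue
        template = url.get("template", "")
        parts = urlsplit(template)
        # The description decides where every query is sent, so pin it.
        if parts.scheme != "https" or parts.hostname not in allowed_hosts:
            raise ValueError(f"untrusted search endpoint: {template!r}")
        return template
    raise ValueError("no RSS or Atom Url element in description")


def expand(template, values):
    """Fill a template, percent-encoding every substituted value."""
    def substitute(match):
        name, optional = match.group(1), match.group(2)
        if name in values:
            return quote(str(values[name]), safe="")
        if optional:
            return ""  # optional parameters without a value become empty
        raise ValueError(f"missing required parameter: {name}")
    return PARAM_RE.sub(substitute, template)


if __name__ == "__main__":
    template = pick_template(SAMPLE_DESCRIPTION, {"search.example.invalid"})
    # The "&" and "=" in the search terms must not become new parameters.
    print(expand(template, {"searchTerms": "xml & count=999", "count": 10}))
```

Because the description file controls where queries for confidential data stores are sent, the host check runs before any query is built.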

Windows Server Update Services (WSUS)

I assume that all of us are aware of Windows updates. We buy the software or operating system from Microsoft and we get the security patches, updates and service packs as free downloads. To download this software, we incur a cost for bandwidth. If you have 3 computers at home, each PC must manually download the updates from Microsoft, which can be quite demanding on your Internet link. Now let us assume an enterprise with 1000s of machines. The Automatic Update feature has no information and makes no judgments about service level agreements (SLAs), buggy updates, or anything else; it simply downloads and applies.

If there is a large number of machines and there is a need to keep Windows updates synchronized across all of them, it is not a simple affair. Some would perform updates in auto mode and some would perform them on a daily basis. That means the machine environments are going to be inconsistent. Take this example: the enterprise applications work only on IE6 and I do not want my user desktops to be upgraded to later versions of IE. If they have Windows updates, they can upgrade, and this can cause productivity problems in operations. What happens if a Windows update has a bug and makes the enterprise vulnerable? How can I evaluate an update on some test machines and test it prior to deploying it on all the machines of my enterprise?

To solve this challenge, there is Windows Server Update Services, otherwise known as WSUS. Enterprises make use of WSUS integrated under SCM (System Center Configuration Manager). In addition, there is a simple programmable interface, the WSUS SDK. This programmable interface helps applications get the metadata about the various updates without getting the actual updates.

How to select a cloud provider

When I want to sign up for services with a cloud provider, I would like to look at how the cloud provider scores on the following, in addition to cost advantage and other technical design constraints:

  1. Can I move my existing applications to the cloud with little or no effort? This is in addition to building new applications.
  2. An easy way to export and import the deployment environment
  3. Support for reusing existing software licenses, with no need to purchase licenses again
  4. Support for various infrastructure configurations like firewall settings, host IP address, host name and MAC address
  5. Role-based user features and permission levels for operations: administrator and users
  6. Does the provider help me generate costs specific to each department in my organization, rather than one single cost, so that I can charge back the respective departments? The only way today is to sign up for multiple accounts.
  7. A self-service web portal for functional users to get the job done with minimal intervention
  8. Good support from the provider and good availability of training materials

Am I becoming ineffective?

It is very tricky to become aware that you are effective. This is a way to see whether you are ineffective:

  1. Gives lack of time as an excuse not to learn
  2. Always looks at exceptions for problem solving
  3. Not able to pick up questions from conversations
  4. Unable to build trust
  5. Gives up easily when things do not go smoothly
  6. Treats all activities the same
  7. Does not know exactly what is required of them
  8. Inability to identify long-term potential
  9. Always in a hurry to close the issue

Volunteering: transformation from thoughts to action

I am writing this blog to motivate myself and keep myself motivated to continue this journey in community service. I thank my wife and my children for their support in this journey. I have successfully spent the last 5 Saturdays on community programs and improving myself. The journey has been very much a learning process for me and is teaching me to live with silence and become more patient.

After the Dec 2008 AID India conference in Bangalore, I attended Bangalore CSHs on a regular basis and also performed passive volunteering, coordinating with treasury and operations of AID INDIA, Bangalore, but never realized the desire to volunteer in the field. Staying at Brookfield’s, I found it tough to visit the AC3 centre for volunteering as it was more than 20 km away. To volunteer locally, I was always looking for an existing setup, and the search for the same was limited. I never went out of my home and decided lazily that around AECS layout, BEML layout and Brookfield’s, there might be no need for volunteering. Effectively, volunteering had been a concept or a dream; I was looking for a piggyback ride on an existing setup, wanted it to be close to my home and did not want to take any more initiative. In 2009, the only initiative was distributing 5th Pillar zero rupee notes in Cosmos mall, Brookfield’s, for Republic Day. In addition, I accompanied other AID volunteers to corporate offices to collect fundraising cheques and coordinate project payments.

2010 arrived. A year had gone! I decided to really search for a volunteering opportunity and, if one did not exist, I would create one. I could find two of them very close to my home, one for teaching and one for medical care.

Every day I have been passing Karunashraya on Old Airport Road twice, and I never went in and looked at what they do. Karunashraya is a hospice for advanced-stage cancer patients. On my first visit, I was welcomed by them to join as a volunteer. They said that I could help them and that the immediate work was helping at the reception. I went and sat for three Saturdays at the reception, handling telephone calls and understanding what the organization does. It was a learning experience and I learnt to be patient. Later I got an opportunity to participate in a walkathon organized by Jain College on World Cancer Day. Later they were looking for volunteers to spend a day at a booth set up on the premises of one of their CSR donors (financial), explaining Karunashraya's activities. I signed up and learnt how a positive attitude and a smiling face help to build a better mind model that gives happiness at the end of the day.

Hema of Karunashraya introduced us (Sujatha, my wife, and me) to the campaign for collecting old newspapers and used clothes. We started this campaign in my apartment and have had a good response. I am looking for help from the readers of this blog, if they can help us implement this campaign in other apartments and offices. I have started to evaluate whether ZWM can be implemented with Karunashraya, but we need more volunteers to start ZWM in Karunashraya.

When I started thinking on these lines in 2010, it struck me that my housemaid lived somewhere close by and there might be a need for volunteering there. Yes! Through her I did find that there was a primary school (Class 1-5) there. Initially I thought that I would set up a replica of the AC3 centre's evening visits, but I was scared of how the school would take this concept. I went to the school and was welcomed by one of the teachers, Mr. Suresh (at 8 AM on Saturday). I expressed my wish to help the children become computer aware and help in their learning. I was preset on the thought of an evening session. Suresh explained that the time I would get was weekdays from 3:30 to 4:30 or Saturday morning from 9 AM to 11 AM. I took time to digest the time given to me. I agreed to the Saturday morning time. (Now I go to bed early on Friday evenings.)

I understood more about the school and talked to the other school teachers. There were 4 teachers and 5 classes, and a helping hand was always needed. They already have computers (donated by some other organization). It was a realization that something was available all along and it took me one year to search and realize the same. Good, now I know there is a place. How to get to know a school (students and teachers)? That was my first test.

How to get across to the kids? I planned to join the Republic Day function there and took permission from Suresh to join. Remember, I had not started actual volunteering till then. I also pulled in Vidhya and Maqsood (AID INDIA volunteers looking for volunteering in teaching). We (Vidhya brought her friend Saini too) went to the school. When I went at 8 AM, nothing was set up and that was raising questions in my mind, which has been used to seeing organized Republic Day functions. Just then the kids started coming and they took the initiative to clean the area and brought pictures of Gandhi, Nehru, Ambedkar and Bose. Within 30 minutes, a stage was getting ready and there were chairs for delegates. Every child said “Good morning Sir” to me and I responded to each one of them “Good morning sir”. The kids started wishing me more times and I kept wishing each one back individually. I did not realize that this simple response made me connected with them.

Being excited, I asked my wife and children to join me there at the Republic Day function. We also bought some chocolates for the school children. Something shocking and very nice happened. The school students and teachers asked the four of us to sit on the stage of the function. I cried in my heart, “What have I done to get this respect and love? Am I eligible for them? Can I stand up for this love and respect?” Going forward, I am going to go there on Saturday mornings as long as possible.

In this journey, sometimes I feel it would be nice to have a manager who would pull me up and ask why things are not completed. There is neither a manager nor a monetary benefit to keep me focused, generate the energy needed, keep a positive attitude and keep me motivated all along. Here no one will appreciate you, point out your mistakes or ask why you did not come that day. I am happy with the journey till now.

Book marking this

A SOULFUL RELATIONSHIP by Rev. Ronald McFadden
If you’re not married yet, share this with a friend.
If you are married, share it with your spouse or other married couples and reflect on it.
An African proverb states, "Before you get married, keep both eyes open, and after you marry, close one eye."
Before you get involved and make a commitment to someone, don’t let lust, desperation, immaturity, ignorance, pressure from others or a low self-esteem, make you blind to warning signs. Keep your eyes open, and don’t fool yourself that you can change someone or that what you see as faults isn’t really important.  Once you decide to commit to someone, over time his or her flaws, vulnerabilities, pet peeves, and differences will become more obvious.
If you love your mate and want the relationship to grow and evolve, you’ve got to learn to close one eye and not let every little thing bother you. You and your mate have many different expectations, emotional needs, values, dreams, weaknesses, and strengths.
You are two unique individual children of God who have decided to share a life together.
Neither of you are perfect, but are you perfect for each other? Do you bring out the best in each other? Do you compliment and compromise with each other, or do you compete, compare, and control? What do you bring to the relationship? Do you bring past relationships, past hurt, past mistrust, past pain?
You can’t take someone to the altar to alter him or her. You can’t make someone love you or make someone stay. If you develop self-esteem, spiritual discernment, and "a life", you won’t find yourself making someone else responsible for your happiness or responsible for your pain.  Manipulation, control, jealousy, neediness, and selfishness are not the ingredients of a thriving, healthy, loving and lasting relationship!  Seeking status, sex, wealth, and security are the wrong reasons to be in a relationship.
What keeps a relationship strong?
Communication, intimacy, trust, a sense of humor, sharing household tasks, some get away time without business or children and daily exchanges (a meal, shared activity, a hug, a call, a touch, a note).  Leave a nice message on the voicemail or send a nice email.  Sharing common goals and interests. Growth is important. Grow together, not away from each other, giving each other space to grow without feeling insecure. Allow your mate to have outside interest. You can’t always be together. Give each other a sense of belonging and assurances of commitment. Don’t try to control one another.  Learn each other’s family situation. Respect his or her parents regardless.  Don’t put pressure on each other for material goods. Remember for richer –or for poorer. If these qualities are missing, the relationship will erode as resentment, withdrawal, abuse, neglect, dishonesty, and pain replace the passion.

The difference between ‘United’ and ‘Untied’ is where you put the "i".

Attended Cloud Camp 2010

I attended Cloud Camp 2010 in Bangalore. I found it a good learning experience; this was the first time I attended an unconference, and Dave Nielsen made attending a worthwhile experience. At an unconference, none of the sessions are chosen in advance, and the attendees rise to the challenge and propose topics for discussion.

Hadoop is a software platform (an Apache open source project) that lets one easily store vast amounts of data and run applications on it. The platform helps you build your own private cloud. Yahoo makes use of this platform to provide a private cloud for its Production and Research teams to innovate. Yahoo provides the source code used in its private cloud to the open source project by sharing stable builds and unearthing bottlenecks and bugs in Hadoop; it is available as the Yahoo! Distribution of Hadoop. If you are a small enterprise looking for a cloud platform to deploy your applications, I would surely recommend making use of Hadoop and evaluating how your application would scale in a cluster of 100 nodes with minimal cost and effort. By the way, Yahoo does not provide a public cloud offering based on cloud. All three layers (services, storage and processing) are integrated and exposed by Hadoop. If you want to start development on Hadoop, there is a book called Hadoop: The Definitive Guide.

Services <-> Storage <-> Processing (Scheduling, Mining, Modelling and Data Warehousing) <-> Services

Some perspectives from Cloud Camp 2010 participants:

  • Cloudera is a public cloud enterprise data platform built on Apache Hadoop.
  • Cloud has the potential to become the back-end processor for the convergent platform of PC, television and mobile.
  • Cloud storage might be different from an RDBMS. An RDBMS is good only when there is a large number of transactional reads and writes to storage and there is a need for random access to dynamic data. If your application has more static data and very little dynamic data, an RDBMS might not always be the best fit.
  • Grid is a platform built to optimize the usage of free processors available in a network of processing nodes. Cloud is a way to get resources when you need them; it is self-serviced and you procure the needed processors on demand.
  • Power Pivot for Excel 2010 is a data analysis tool that delivers unmatched computational power directly within the application users already know and love, Microsoft Excel, and can be used for data mining and data warehousing needs on large amounts of data. I would check this when I move to Office 2010. I saw the features and they seem to reflect a superset of the pivot table in Excel.
  • I enjoyed “Introduction to Cloud Computing” by Dave Nielsen. He explained how Amazon, a book seller, became the first largest public cloud provider, why large enterprises did not move to provide cloud offerings, and why data centre and web site hosting companies were not the first ones to become cloud providers. He also briefed us on the traditional IT development structure, consisting of business users who took charge of the costs and investments, a development team for building the application and a system administrator to provide the right and optimal IT infrastructure. I was wondering how this model would accept the cloud era of computing. Now one person can take charge of all these things, which means both speed and high risk.
  • I shared with the MS team that there is no simple way for developers to move across to Windows Azure and there is little or no help with respect to what type of Azure offering provides benefits for developers and the challenges developers face in the cloud world. The MS team also seems to be of the view that VS 2010 cannot be solely depended on for building cloud applications without an actual Windows Azure account.

Book marking The Animal School: A Parable

Found this interesting

Once upon a time the animals decided they must do something decisive to meet the
increasing complexity of their society. They held a meeting and finally decided to
organize a school. The curriculum consisted of running, climbing, swimming and flying. Since these were
the basic behaviours of most animals, they decided that all the students should take all the
subjects.
The duck proved to be excellent at swimming, better in fact, than his teacher. He also did
well in flying. But he proved to be very poor in running. Since he was poor in this
subject, he was made to stay after school to practice it and even had to drop swimming in
order to get more time in which to practice running. He was kept at this poorest subject
until his webbed feet were so badly damaged that he became only average at swimming.
But average was acceptable in the school, so nobody worried about that – except the
duck.
The rabbit started at the top of her class in running, but finally had a nervous breakdown
because of so much make-up time in swimming – a subject she hated.
The squirrel was excellent at climbing until he developed a psychological block in flying
class, when the teacher insisted he start from the ground instead of from the tops of trees.
He was kept at attempting to fly until he became muscle-bound – and received a C in
climbing and a D in running.
The eagle was the school’s worst discipline problem; in climbing class, she beat all of the
others to the top of the tree used for examination purposes in this subject, but she insisted
on using her own method of getting there.
The gophers, of course, stayed out of school and fought the tax levied for education
because digging was not included in the curriculum. They apprenticed their children to
the badger and later joined the groundhogs and eventually started a private school
offering alternative education.