
August 2006 Archives

August 1, 2006

Security is REALLY An Issue

Ok, so I'm not a reactionary when it comes to security. I've generally thought that if you were reasonably careful, you'd be OK. And my experience has confirmed it. You need the basics: a firewall; virus protection; occasional malware scans; some intelligence regarding what to click on, what attachments to open; some intelligence regarding...oh, wait, I said that already. Unfortunately, malware has now become almost as big a problem as viruses.

Soon, it will become a more serious problem. With a keyboard logger loaded on your computer, I can see your bank account access information, corporate logins, what web sites you visit, and virtually anything else that gets typed on your keyboard. You might think twice about letting your kids download games from just anywhere...

Here's the opening paragraph from yesterday's SANS (SysAdmin, Audit, Network, Security) Institute's @RISK newsletter:

This will be a bad week for cyber defenders; the vulnerabilities that will be announced this week will affect a very large proportion of business executives. Last week's critical vulnerabilities included an unpatched, important vulnerability in Apple Safari and a very critical vulnerability in Firefox that demands immediate upgrading.

Hey, folks, when SANS cries, it ain't "Wolf!"

For more from SANS:

SANS Institute - @Risk: The Consensus Security Alert

Be careful out there!

Time for Blogging

Ok, so someone ought to ask me, "As busy as you seem to be, how do you have time for blogging?" My answer is the same as I've heard from others in the past when I've asked similar, "How do you have time for..." questions. I hated it when I got it; I hate it when someone at a seminar says it; now here I go blogging the same thing:

I don't have time NOT to blog. It's relaxing for me, but more than anything else, it FORCES me to keep up on the technology. It FORCES me to remember to tell our clients about the things that I think will affect their businesses. It HELPS me focus my own thinking.

So there, another meaningless answer to a very good question.

August 3, 2006

Is Someone Stealing From You??

Employees steal from businesses every day. I don't know why I thought of this issue. I guess that I've been working with a few clients that seem to have some exposure to Fraud. So here goes.

A Certified Fraud Examiner (CFE) is trained to detect, prevent, and determine the extent of fraud. I'm not a CFE, so anything I may write here is based on my experience as a CPA, not on additional training or expertise on fraud. If you think you have an issue with fraud, I can find someone to refer you to, but I'm not the guy.

During my career, I've known many CPAs. One of the favorite issues for discussion is the fraud they've seen. Here are some of the best/worst:

  • The company had three groups of people who could sign checks. The bookkeeper would produce a check to a "short-name" company (VISA, for example), then get the President to sign. This check would go with the bill. Another check would be signed by the Vice-President. This one would have "VISA" erased and the bookkeeper's name inserted. The expenses were hidden in a variety of accounts. Best I could tell from my CPA friend, she got about half-a-million before they caught her.
  • The secretary who just wrote checks from the operating account in her name and buried them on the financial statement. No telling how much she got.
  • The accountant who stole the cash from "counter" sales and the coke money.
  • The bookkeeper who doubled her own salary and approved personal loans from her 401(k)
  • The company manager who came in on the weekend, did work with company materials and machinery, and sold it at a fraction of what it cost the company to produce
  • The foreman in the building products business who set aside a certain amount of each received shipment as "rejected" to be returned. This was placed at a special location during the workweek. The foreman then had the (completely different) weekend crew move the "rejected" product to a special warehouse. By the time they caught him, he had stolen enough to build a house for himself, a garage for his father-in-law, and he had started on a new house for his sister-in-law.

Well, you get my drift. All of these were small businesses. None could afford the loss. All got taken for several thousand dollars, some for several hundred thousand. And, perhaps most important, none of these companies were stupid or negligent. They were all duped. And so were their accountants. Sometimes for many years. Here are some of the common ways people steal:

  • Setting up dummy vendors (really themselves or accomplices) and paying invoices to them.
  • Taking kickbacks from vendors to continue approving artificially high prices
  • Lapping. Lapping is taking cash (or check) and covering the cash stolen with later cash. It works like this: Customers A & B pay $200 which is stolen. Customer C pays $250. $200 of Customer C's payment is applied to A & B, $50 is stolen. This continues until the person is caught. Obviously, the person doing this has to keep good notes, can't very well go on vacation, and has to keep stealing more and more to cover earlier theft.
  • Stealing cash which isn't accounted for. My auditing professor said that the easiest theft is from churches. There are no invoices, so there is no way to know how much cash "should" have been collected. Poor recordkeeping in situations like scrap sales allows this.
  • Selling product off the back dock.
  • Stealing product for personal use.
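Lapping leaves a trail because the bank's record of who paid stops matching the ledger's record of who got credit. The check below is an added example, not part of the original post: it uses the post's $200/$250/$50 figures, while the record layouts, the 120/80 split between A and B, and customer D are assumptions made up for illustration.

```python
from collections import defaultdict

# Constructed sample data that follows the post's numbers: A and B paid $200 in
# total (taken, never deposited); C then paid $250, of which $200 was posted to
# A and B and $50 was taken. The 120/80 split and customer D are assumptions.
DEPOSITS = [            # bank side: (deposit_id, payer, amount)
    ("D1", "C", 250.00),
    ("D2", "D", 90.00),
]
POSTINGS = [            # ledger side: (deposit_id, customer_credited, amount)
    ("D1", "A", 120.00),
    ("D1", "B", 80.00),
    ("D2", "D", 90.00),
]


def find_lapping_signs(deposits, postings):
    """Compare who paid (bank) with who was credited (ledger)."""
    payer = {dep_id: who for dep_id, who, _ in deposits}
    deposited = {dep_id: amt for dep_id, _, amt in deposits}
    posted = defaultdict(float)
    misapplied = []
    for dep_id, customer, amt in postings:
        posted[dep_id] += amt
        # Sign 1: one customer's money credited to another customer's account.
        if payer.get(dep_id) != customer:
            misapplied.append((dep_id, payer.get(dep_id), customer, amt))
    # Sign 2: part of a deposit was never credited to anyone.
    unapplied = {}
    for dep_id, amt in deposited.items():
        gap = round(amt - posted[dep_id], 2)
        if gap != 0:
            unapplied[dep_id] = gap
    # Sign 3: customers who paid but whose own account shows no credit.
    credited = {customer for _, customer, _ in postings}
    uncredited_payers = sorted(set(payer.values()) - credited)
    return {
        "misapplied": misapplied,
        "unapplied": unapplied,
        "uncredited_payers": uncredited_payers,
    }


if __name__ == "__main__":
    for sign, found in find_lapping_signs(DEPOSITS, POSTINGS).items():
        print(sign, found)
```

The comparison only works if someone other than the person posting receipts pulls the bank-side detail, which is the same separation the vacation rule enforces.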

I'm sure there are many more ways people steal, but this will give you an idea. How do you prevent it? Based on my experience, here are a few suggestions:


  • Control cash, credit cards, and inventory tightly. Make sure that even highly trusted management employees are not trusted with these items. Many businesses don't control inventory tightly because they believe it will impact customer service. If theft puts them out of business, that's more likely to impact customer service.

  • Have a process for approving expenditures and bids that assures that the prices being paid for products and services are in-line with market prices. This will avoid many kickbacks.

  • Require vacations, and move employees to cover the function of vacationing employees while they are gone.

  • Consider fraud like a cheating spouse. If you suspect it, there's probably a good reason for it; check it out.

  • Ask yourself this question about each employee: On a scale of 1 to 10, how much do I trust this employee? Choosing 1 means I wouldn't trust them to close the door on their way out. Choosing 10 means, "I'd give them my entire fortune in cash and expect them to give it back to me even if I were lost at sea for 10 years." If you rank any employee 8 or above, you probably trust them enough for them to have opportunity and means to steal.

  • Look for motivation to steal in employees. An employee with constant financial trouble has a motive to steal. Fraud seminars teach that it takes (a) opportunity, (b) motivation, and (c) means [method] to steal. If an employee has any two of the three, watch out!

As small businesspeople, we're incredibly busy. It's easy to just trust people to do what they are supposed to do, but if we ignore the signs that someone might be stealing, we're asking for trouble.

August 4, 2006

You Must Think Specifics...

Computers don't implement anything in general...and neither do programmers. But we business folk tend to think in generalities. Someone might say, "Put the cost in column 3." Seems simple enough. Until you start to try to calculate cost. Which cost? Last cost? Average cost? FIFO cost? Cost including freight or not? Cost including handling and warehousing charges? What cost? There are a lot of costs.

When I ask these questions of some clients, they get frustrated. It's as if I'm trying to pin them down. So the typical answer is something that evaluates to, "I don't care, just pick one." So we do. And then....

It is terribly important when you talk to computer folk that you think in specifics. Computers have to think in specifics. Over the years, I've worked with perhaps a dozen or so off-the-shelf computer software programs that dealt with inventory. Perhaps a dozen or so more that were custom written. Most of these implemented the details of inventory cost differently. Many of them differed in how they made the General Ledger entries. Some of them reported different numbers on financial statements than they did on management reports (for very good, well-thought-out reasons). But all of them implemented very specific processes for determining cost. And it was important (ultimately) to understand the details in order to figure out what they were doing.

Let me say that as a CPA and a programmer, I have trouble saying that some of these were right and some were wrong. They were different. I could argue for all but a few being appropriate. But I had to understand the details to understand what I was seeing in reporting and on financial statements.

When we ask detailed questions or seem to bog down in meaningless drivel, keep in mind that we're just trying to get to the best result for everyone. And try to think specifics...

Making the Web More (Inter)ACTIVE

Web sites just haven't felt like software! Drag and drop, copy and paste, etc., haven't worked as well on web sites as in software. Several technologies have come and gone to make the web act more like software running on a desktop (ActiveX, JavaScript, Java, etc.) Now comes one of the most promising, AJAX. Like all the others, it has risks. Check out eWeek's review.

AJAX Vulnerabilities Could Pose Serious Risks

August 7, 2006

Are You a Beautiful Person?

In the running for the tackiest use of the Internet...and one that almost makes me ashamed to be part of the Internet revolution is the Beautiful People site.

Beautiful People Website

Here's the concept: If you're a fashion model, or beautiful enough to be one, you probably want to join a dating service (member organization) that only allows in equally beautiful people. So you'd--of course--apply to be a member of Beautiful People. Wait...excuse me...wave of nausea coming over me...ok, there, it passed.

I saw this in passing on ET or some equally obnoxious television program, and had to check it out....and it's real. Take a look at the "newest members." A couple of these were on the show last night. Most of these photos look like glamour shots taken for a modeling portfolio...oh, except for the one gal that has the "red eye" (Produced when a flash from a camera bounces off the back of the retina giving an appearance to the eyes something like you might expect from Devil-spawn.)

The "member" on the TV promptly let us know that, "If you want to meet people, everyone wants to meet people like themselves. Beauty is just like any other thing about you, it's infused [sic]" Hey, I think she may mean "inherited," but from what I could see of her lips and other body parts, she may actually mean "infused."

In a culture where we have teenage girls starving themselves and sticking their fingers down their throats, and boys taking steroids that could damage things they need later in life, the one thing we DON'T need is a site where members get to vote to decide whether new applicants are "beautiful" enough to join.

Think I'd rather have a relationship with someone less infused...

August 10, 2006

Blackberry Servers Have Security Flaw

I don't know how I got along without my Treo. BlackBerry users seem to be just as taken with their little fruits. Recently, though, eWeek reported a serious security flaw in the BlackBerry server product that might be installed behind an internet gateway in the corporate environment. Most individual BlackBerry users won't be affected, but if you are, check out the eWeek article.

Researchers Warn of Serious BlackBerry Vulnerability

Novell May Have A Hit (Finally)...

I've followed Linux for a long time now. Most of the posts on my other blog (now deleted) related to Linux opined that it wasn't yet ready for prime time. When Novell bought SUSE Linux a year or so ago, it looked like another in a long sequence of Novell missteps. How can any business with overhead like Novell make money with a basically free product??

Novell had botched so many things. Ten years or so ago, they had 80% plus of the server market with the Novell operating system. They botched that. Then they decided that the way to combat Microsoft's rise was to "integrate" and create a "suite" of products. They bought ailing Lotus, and WordPerfect and bundled them with the database Paradox (in its various incarnations) from Borland. They botched that.

So when Novell jumped into the fray and bought SUSE, I suspected that this was another in a long list of botched strategic moves. It may yet prove so.

But at least for this release of Linux, Novell is getting good reviews. And the sentiment that there needs to be an alternative other than Microsoft is growing in some quarters.

SLED 10 Is a Linux Distro Windows Users Can Love

August 11, 2006

Don't Mess With This One...

When the Department of Homeland Security AND Microsoft warn you about a bug, you'd better pay attention. The article below explains why every Windows user should apply the fix released Tuesday. The article reads:

Wednesday, Department of Homeland Defense (DHS) called out a rare warning, and Microsoft acknowledged that the patch should be at the top of every computer user's or administrator's to-do list.

Windows Worm Warnings No Joke - Security - CRN

Is There Such A Thing as a Non-Technical IT Manager??

There's been a debate for years about whether there was such a thing as "pure" management. That is, is it possible to take a freshly minted degree in "management" and go "manage" somebody without knowing how to do their jobs? I used to think it was a crazy idea. Of COURSE, you needed to know how people do their jobs in order to manage. Now I'm a bit older...and a bit wiser (might be)...and I think it may not be necessary to know the details, but it sure helps to know some of the basics. The quote below is from the article above:

The other faction believes that IT is just another production function and that line management and general management skills are more important. They want a focus on financial management, budgeting and cost management, on human resources development skills and on the processes by which IT organizations align their portfolios with the needs of the business. For them the content ratio was reversed: 80% (or more) "general" management skills, 20% (or less) IT specifics. They expected the graduates to be able to take many different paths to the CIO role and to be less information technology managers than managers who from time to time manage IT.

Seems that IT managers want to have a "general idea" of what's happening in their functional area. I have a problem with that.

John Parkinson: Why Business Schools Aren't Turning Out Good CIO Candidates

The clients we work with that cause themselves the most trouble are those that know enough to get themselves in trouble. They know some buzz words. They have some idea of how the technology works, but because they have no theoretical foundation, they cannot evaluate alternatives, cannot assess new technologies for strategic potential, and cannot tell when vendors are blowing smoke or when they actually have a viable product.

Let me put it even more strongly: I completed all of the Computer Science classes offered at the time I was an undergraduate, spent the next 10 years studying programming technologies, wrote several articles, taught courses, etc. To suggest that it's possible to "shortcut" this or to get it in 15 hours of a 45 hour MBA or Master's degree is pure lunacy...better yet, it's just plain laziness. If you REALLY want to be a CIO, you'll have to pay the price. And that means that you'll have to develop some technical competence.

Sorry. Ain't no such thing as a free lunch.

August 15, 2006

Gartner Says No Microsoft Make Good

When many companies bought Software Assurance three years ago, they thought they would get the new version of Microsoft Office and Microsoft Windows, called Vista. Now it's obvious that these two products probably won't ship before some of these customers' agreements expire. Not that Microsoft intended it this way, but as schedules have slipped for delivery of the products, people debated whether Microsoft would make it good for these customers.

Gartner (a major IT industry research firm) now says the answer is "No go."

Windows Vista - What's Next

August 16, 2006

Laptop Torch: You Too Might Be A Proud Owner...

If you own a Dell laptop, check out the following article. Turns out that Sony manufactured several million batteries that have the unique feature of bursting into flame. Flame on! (Sorry!)

News from PC Magazine: Dell To Announce Massive Laptop Battery Recall

August 18, 2006

Hacking the Hackers

You've probably heard about the recent security hole in Microsoft Windows that generated a stir of warnings about another PC Armageddon. One security researcher infected a machine and watched it to find out what the Mocbot was doing. His conclusion:

"The entire scheme of mass infection is simply to facilitate the sending of spam. The proxy Trojan is also a bot of sorts; reporting in to a master controller to report its IP address and the socks port for use in the spam operation," Stewart said.

Botnet Eavesdropping: Inside the Mocbot (MS06-040) Attack

SPAM! But the point is this: If they can get to your machine to send SPAM, there's very little they can't get to your machine for.

Be careful out there!

August 31, 2006

RFID Gen II Holds Promise

Since 2005 when WalMart required its top 100 vendors to RFID (Radio Frequency Identification) tag product shipments, RFID has been a big news item. Most of the news hasn't necessarily been good. Early RFID results were poor: tags couldn't be read, information decayed on the tags quickly, equipment was sluggish or didn't work at all, and so on. Forklift drivers skewered their share of RFID readers in warehouses.

Gen II RFID is looking better. Read rates are up. Cost is decreasing. Many suppliers and customers are insisting on the new technology.

Keep watch. This rapidly evolving technology may soon replace standard barcode.

Gen II tags: No surprises here - 8/23/2006 - Modern Materials Handling

About August 2006

This page contains all entries posted to Thinking Tech in August 2006. They are listed from oldest to newest.

This weblog is licensed under a Creative Commons License.