Anonymous Collateral Damage

Once again Anonymous is releasing the personal data of a host of random private individuals, in the name of fighting for freedom. Over the weekend they hacked various Bay Area Rapid Transit (BART) systems in retaliation for BART shutting down cellular services at several stations last Thursday to avoid a potential protest. It seems like the “regular people” are the proxies in this battle. In both cases they were the ones to suffer, both at the hands of BART and Anonymous. In neither case did they have anything to do with the issue.

BART claims they had information related to a potential protest that was being coordinated on Thursday. Further, they claim that a protest creates a safety issue for BART passengers, therefore they are justified in suspending freedom of speech (vis-a-vis cellular service) because they believe safety trumps civil liberties. As you may have guessed, I feel that’s a pretty specious argument. There are various groups looking into a variety of remedies and legal action related to this issue, and the courts are the right place to tackle this problem.

Like petulant children, Anonymous feels that it’s better to work outside the system. Innocent bystanders are of no concern – “If I can’t have it my way, no one gets to play”. In all likelihood the outcome of legal action will result in a change or clarification of policy, and may even cause a few heads to roll at BART, as they should. Hacking on the other hand will do nothing to stem the problem. The funny thing is, it’s easy to sympathize with Anonymous on the surface, since they claim to be taking on the evil government for the little people. Why then are their targets consistently users of the organizations they attack, and not the organizations themselves? This is the same tactic as when they went after Sony, but instead released credentials for thousands of customers, causing little problem for Sony, but a huge problem for many innocent bystanders. Some Anonymous members say that it wasn’t them, but LulzSec is a spin-off, so this is like saying the US Army didn’t attack, it was just Delta Force. The two organizations are intertwined.

The truth is, if you look back at the attacks, the ones that cause the most problems are consistently related to publishing the private information of individuals. Organizations can easily weather a web outage for a couple of hours, or repair their home page from silly graffiti. But end-users can end up as victims of identity theft, have bank accounts ravaged, and more. These are problems that are difficult to deal with and unrelated to their personal behavior, other than the bad luck of patronizing an organization that Anonymous doesn’t like. In the case of Sony, maybe users could choose a different gaming system, but is that really the goal? Maybe Anonymous is pushing Xbox? Ridiculous of course. In the case of BART – what choice do commuters have? Does Anonymous prefer they use their cars to go to work, increasing traffic congestion and pollution? If not, why attack people who use BART?

Anonymous talks a good talk but until they start behaving like responsible individuals, it’s difficult to see how the world would be a better place if they got their way.

[Update 2011-08-15]
As expected, the FCC is reviewing the cellular shutdown.
[/Update]

[Update 2011-08-17]
Anonymous has hacked BART police officer accounts, once again avoiding those really responsible and harming the little guy.
[/Update]

[Update 2011-08-19]
A member of Anonymous has quit the group and says that its members are hypocrites. He says “Does anon have the right to remove the anonymity of innocent people?” and “Truth Is Anonymous Hasn’t Brought Down Governments. The People Have.” Worth a read.
[/Update]

[Update 2011-08-20]
A member of Anonymous spoke with the Cisco Security blog and says “Getting files and giving them to WikiLeaks, that sort of thing, that does hurt governments. But putting user names and passwords on a pastebin doesn’t [impact governments], and posting the info of the people you fight for is just wrong.”
[/Update]

[Update 2011-09-21]
Apparently the FBI have arrested a few more LulzSec and Anonymous members. The release says that one of them is the person responsible for the Sony attack.
[/Update]

Agile 10 years later: Dogma vs Doctrine

It seems like every few years a new software development methodology comes along. Frequently it’s a rehash of an old methodology, like object oriented programming’s rise (again) in the 90’s. Sometimes it’s a formalization of existing ideas and techniques, and sometimes it’s something completely new. Invariably the new toys excite a group of people who will promote them ad nauseam. Many of them become a flavor-of-the-month (or year) and then are never heard of again. Despite that, some of them end up being interesting and manage to survive their 15 minutes of fame.

The funny thing is that you can usually separate such ideas into two key components. One is the actual technology (ideas, tools, techniques, etc) and the other is the philosophy or religion. In other words, the “why” behind the whole thing. I prefer to think of it as religion because it tends to provoke the same kind of arguments and behavior as religious discussions and disagreements.

Agile development is a clear-cut case of such a problem. There are some wonderful, useful ideas embodied in the Agile Manifesto. If you apply them judiciously with an eye toward constant improvement and productivity, and where necessary take into account the evils of financial viability and mandated compliance overhead (such as aerospace, FDA, government, etc), you can start producing better software more quickly, and with less cost.

However when a group of people start doing Agile for Agile’s sake, you can have a disaster on your hands. I have witnessed this personally at some large companies where an Agile team had an interpretation of agile development that was at odds with the company’s needs.

I say interpretation of Agile, because different people have widely different opinions about the degree to which Agile alters their world. In one case a company building very specific hardware/software products has a very strong need to meet particular deadlines, and to deliver very specific features because they release a matched blend of hardware and software. In this company, the Agile team claimed that asking them to definitively schedule feature delivery was a ridiculous request. The team felt their company’s request was “ignorant” and beneath them. Not surprisingly, such an attitude doesn’t work well at companies who simply cannot have an agile release schedule.

For web-based organizations like Google or Amazon, the timing of feature delivery can be more or less whimsical. They can produce what they want, when they want.

On the other hand, companies building smartphones or heart-monitors face a very different reality. There are deadlines, requirements, scheduling, documentation, etc., all of which have to be met and coordinated.

The sad thing is that the dogma fueling the religious war (We can’t be expected to produce a schedule, we can’t write comments, etc) is counter-productive, which leads people to avoid Agile altogether, thereby depriving themselves of potential and probable productivity improvements.

In my experience Agile, like other methodologies before it, works best when followed in a contextual manner, mindful of product needs, organization (corporate) needs, and other issues surrounding the software in question. If you pick and choose the doctrines that can help your team and your product, you’ll be an Agile fan. If on the other hand you dogmatically adhere to “Full Agile,” without regard to the environment you’re in, you can cause project failure, put people out of work, and potentially kill a project or even a small company.

So Agile is 10 years old now. Should you use it? Will it make a difference? In my opinion if you separate the dogma from the doctrine you can definitely benefit. But beware the pitfalls. If you’re careless, you’ll waste time at best, and money, people and perhaps even more at worst. If you’re careful, the benefits from increased quality and productivity can be enormous.

Account Security and Gmail

Given the recent rash of web break-ins I thought it would be interesting to talk about personal security. Here are some steps you can take to keep yourself secure. The basics of course are simple things, i.e. use good passwords that are at least 8 characters long, combine upper and lowercase letters, and contain special symbols and numbers. Make the password as long as the site will allow and you can reasonably remember.

Another simple basic is to not use the same password over and over again. For example, when Sony was hacked back in June, a lot of people had their usernames and passwords published on the internet. If you use the same name and password everywhere, it’s just a matter of time before someone hacks one of those sites and you’re compromised. Take the effort and do something unique for each site to keep yourself safe.
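
The two basics above (the composition rules and using a unique password per site) can be checked mechanically against your own list of accounts. The following Python script is an added example, not part of the original post; the site names and passwords are constructed, and "special symbol" is assumed to mean ASCII punctuation.

```python
import hashlib
import string
from collections import defaultdict

MIN_LENGTH = 8  # minimum length stated in the post

def composition_issues(password):
    """Return the post's composition rules that this password fails."""
    checks = {
        "shorter than 8 characters": len(password) >= MIN_LENGTH,
        "no uppercase letter": any(c.isupper() for c in password),
        "no lowercase letter": any(c.islower() for c in password),
        "no number": any(c.isdigit() for c in password),
        "no special symbol": any(c in string.punctuation for c in password),
    }
    return [problem for problem, passed in checks.items() if not passed]

def reused_groups(accounts):
    """Group sites that share a password; only digests are used as keys."""
    by_digest = defaultdict(list)
    for site, password in accounts.items():
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest[digest].append(site)
    return sorted(sorted(sites) for sites in by_digest.values() if len(sites) > 1)

def audit(accounts):
    """Return {site: [problems]} for every account with at least one problem."""
    report = {site: composition_issues(pw) for site, pw in accounts.items()}
    for group in reused_groups(accounts):
        for site in group:
            others = [s for s in group if s != site]
            report[site].append("password reused on " + ", ".join(others))
    return {site: problems for site, problems in report.items() if problems}

# Constructed sample data: site names and passwords are made up for this example.
SAMPLE_ACCOUNTS = {
    "gaming.example": "hunter2",
    "forum.example": "hunter2",
    "mail.example": "Tr4in-Pl4tform!Nine",
    "bank.example": "correcthorsebattery",
}

if __name__ == "__main__":
    for site, problems in sorted(audit(SAMPLE_ACCOUNTS).items()):
        print(f"{site}: {'; '.join(problems)}")
```

A long password that fails the composition rules (the `bank.example` entry) is still flagged, because the script applies the post's rules literally; the reuse check is the one that matters most when a single site's credentials are published.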

I was recently playing with Gmail, which I haven’t used much until lately. As I was setting up my account, I noticed they have a two-step authentication option. You should be able to see this on your settings page. If it’s not there, it’s probably because you’re using Google Apps and you need to talk to your domain administrator – it’s worth it.

So if you set this up, it sends a text or voice message to your phone at the point when you try to log in. For example, if I go to gmail.com and log in, it will send a text message to my cell phone, and I get a unique code I need to log in. I always have my phone, so it’s not inconvenient, and someone trying to get into my account needs to know my username, password, AND have my cellphone on them. At that point, I’ve got bigger problems.

Given the number of people who use Gmail, this is probably something you can do yourself right now. Go ahead, give it a try. If you’re using other Google services, this can be critical. For example, the Foss Patents blog that I follow was shut down because the author’s Gmail was compromised. Using two-step authentication will help you avoid such problems.

What other simple tricks have you run into? Let me know.

Ranting about Software, Security and Tech