WISE GEN and The IT Revolution* Prof. Kamakoti, IIT Madras *All characters and entities in this presentation are imaginary.
TTT: Buy a Photocopy Machine • TTT releases a tender • Statement: Quotations invited for photocopy machines with a speed of at least 60 copies per minute, duplex, at least three-year warranty, discounted cartridge cost, and Ethernet/Wi-Fi/USB interface.
Tender Opening • The Purchase Committee • Technical committee – The machine is an elephant and the cartridge is its food; the latter costs heavily. • Finance committee – Recurring expenditure is very high and we have to somehow bring it under control. • An old-timer: DEF has been servicing us for the last two decades and is very reliable; can we consider them? • A youngster: What is there to service in a photocopy machine? Use your common sense. • Decision: BUY from JKL
Happy JKL!!!! • Old machine at the CTO’s office moved to the canteen • New machine installed at the CTO’s office • JKL did excellent service, checking the machine and replacing the cartridge every 15 days. • A process was set up for shutting down the machine for 30 minutes every 15 days for maintenance. • JKL recommended for the Best Practices vendor award at the DIOklub meet for customer friendliness, cartridge re-use by re-inking it (Green), and donating to Government schools (CSR).
Bad Luck – TTT!!!!! • Started losing tenders – almost all of them in the next quarter • Share prices fell drastically. • The only sustainable (no money demand) equipment was the photocopier, as they did not even need to buy a cartridge.
End of TTT!!!!! • Management met and broke their heads – how could this happen? • No clue • “Economic Untimely” rated TTT as “Does not know how to do business” • So: CLOSE TTT operations.
Employee Compensation • Employees can take home their computers and any other items they feel could be of use to them, at a nominal cost. • This shall reduce disposal cost. • Employee WISE GEN decided to take the photocopy machine, as she wanted to set up a photocopy shop. • It was a HUGE one, so she wanted to dismantle it. • She called JKL and they “promptly replied”: CALL registered, possible date of visit – within the next 32 days!!! • WISE GEN tried dismantling it at the office, and when she removed the cartridge it fell down and broke.
When the Cartridge broke!! • There were two items inside it: a microcamera and microfilm. • WISE GEN was curious. A print of the microfilm revealed that images of all papers photocopied using the machine were stored in it. • This explained the FALL OF TTT!!!! • JKL leaked all the tender documents photocopied in the CTO’s office to TTT’s competitors, using the microcamera and microfilm fixed in the cartridge, once every 15 days when they LEGALLY removed the cartridge.
The Legal Battle • TTT sued JKL – paid a lot of lawyer fees • Court proceedings: • JKL: My Lord, “We removed the cartridge based on TTT’s purchase condition. We promptly gave the same for re-inking. We did not give it to competitors of TTT.” • TTT: They did not inform us that there is a camera inside the cartridge. • JKL: The camera is an additional backup mechanism used in case of destruction of records and is used for surveillance of unauthorized photocopying. We have mentioned this on page number 342, section 169.1.4 of the “Additional Advanced Features Booklet”, which can be downloaded FREE from our website. A link to this is mentioned in Section 721.3.4, page 423 of the “Advanced Features Booklet”, which can also be downloaded FREE from our website and is in turn referred to on page 22 of the User Manual shipped with the product.
The Legal Battle • Court proceedings: • JKL: My Lord, “We do not put everything in one manual; we put only the essential features. Else, it will confuse the customer.” • The Judge had no option but to dismiss the case in favour of JKL, with advice to TTT to be careful in the future – a future which, in any case, it had already lost. • Once the judgment came, JKL filed a defamation case against TTT for questioning its integrity.
Modern IT Infrastructure • Extremely complex systems • The entire CSE curriculum, tightly coupled together: • Hardware, operating systems, application software • Databases, web technology • Networking • 95+% outsourced model • IT aids business and is NOT the business itself
IT-head Responsibilities • Hardware Selection • Software Selection • Vendor Selection • Gave a clue on Hardware/Vendor selection • Can I continue with my story?
WISE GEN – Next Step • WISE GEN joined the IT wing of a public sector company. • To her “fortune” they wanted to buy a photocopy machine and she was on the committee. • She confidentially shared her experience with the other committee members. • The committee decided to place the order with the vendor who is “TRUSTWORTHY”.
Next Steps • Audit asked them to define “TRUST” • Mathematical properties that could help any definition: • Reflexive – TRUST is NOT • Symmetric – TRUST is NOT • Transitive – TRUST is NOT • Context independent – TRUST is NOT • Invariant with time – TRUST is TEMPORAL • No convincing definition of TRUST
Next Steps • Experts broke their heads to arrive at a SPEC so that XYZ Ltd – the TRUSTED vendor – alone could quote • This is the spec – Photocopy machine, duplex, 60 pages a minute, weighing 67.28435 kg and of dimensions 19.22” x 20.45” x 72”. The vendor should have a branch office 4.6324 kilometres from the premises of installation. • XYZ knew it alone could satisfy the SPEC and quoted 7.2 lakhs for a 1.2 lakh machine – the COST OF TRUST. No negotiation with L1. • WISE GEN felt very bad and quit.
The Next Company • WISE GEN joined another private limited company, RRR, where all IT services were outsourced. • There was a major breakdown of IT services. • The network team blamed the hardware team, which blamed the software team, which blamed the database team, which blamed the network team back. • Management decided that in the next AMC all services would be given to the same vendor, so that there is a single point of responsibility.
VVV gets the Jackpot!!! • The next year VVV was selected to handle ALL IT operations in the organization. • Hardware, networking and software were under the single supervision and control of VVV. • Even if RRR wants its own data, it has to ask VVV for it.
RRR – Bad Luck • RRR started losing tenders • Started moving towards bankruptcy. • WISE GEN first checked the photocopy machine, and also started looking closely at what major IT changes had happened. • She started looking closely at VVV. • Her luck: she was reminded of a presentation by VVV on a recent set of hard disks purchased and installed.
What did the Vendor Say • We are a HIGH AVAILABILITY disk system vendor. • Description of “availability”: • You will get a FedEx package carrying a disk • You go and open the disk rack and find a red light burning on top of one disk. • Remove that and replace it with this disk. • How is this possible? • While installing the disks we asked for 24 x 7 support • The disk installation process “registers” the disk with the vendor site and keeps sending “health” information.
WISE GEN’s Wisdom • What is this information? • The manual says “Health”, and the information is encrypted. • Only the disk vendor introduced by VVV knows the key to decrypt it. • WISE GEN found the size of the “Health” information to be far too large and asked VVV for clarification. • On investigation she found that confidential information was being sent in encrypted form to VVV, to be leaked to competitors. • Since all the infrastructure was maintained by VVV, it could create the necessary rules in the (network) firewall and also configure the hardware so as to send such large packets carrying confidential information. • The Gopalakrishna Committee (RBI) guidelines for IT infrastructure management in banks advise different vendors for different components of the IT infrastructure.
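WISE GEN’s observation, that the “health” beacon was far larger than health data has any reason to be, is a check that can be automated. The script below is an added example (not from the presentation): it takes outbound flow records for the vendor’s beacon and flags any record whose size is far above the beacon’s own median for that source/destination pair. The flow-log format, the addresses (203.0.113.10 is a documentation-range placeholder) and the byte counts are constructed for illustration; a real deployment would read them from a firewall or NetFlow export that, as the slide notes, should not be under the same vendor’s control.

```python
"""Flag vendor "health" beacons whose size is out of line with the rest.

Added example, not from the presentation. The flow-log format below is
constructed for illustration (timestamp, src, dst, dst_port, bytes_out,
label); the vendor address 203.0.113.10 is a documentation-range placeholder.
"""
from __future__ import annotations

import statistics
from dataclasses import dataclass

# Constructed records: a disk-health beacon to the vendor should be small and
# roughly constant in size. Two records are deliberately oversized, as the
# story's "too large" health reports were.
SAMPLE_FLOWS = """\
2024-03-01T00:00:05 10.1.2.50 203.0.113.10 443 612 health
2024-03-01T01:00:05 10.1.2.50 203.0.113.10 443 598 health
2024-03-01T02:00:05 10.1.2.50 203.0.113.10 443 605 health
2024-03-01T03:00:05 10.1.2.50 203.0.113.10 443 9821044 health
2024-03-01T04:00:05 10.1.2.50 203.0.113.10 443 611 health
2024-03-01T05:00:05 10.1.2.50 203.0.113.10 443 14450312 health
2024-03-01T06:00:05 10.1.2.50 203.0.113.10 443 600 health
2024-03-01T06:10:00 10.1.2.51 198.51.100.7 443 120340 backup
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    port: int
    nbytes: int
    label: str


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed space-separated flow log."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes, label = line.split()
        flows.append(Flow(ts, src, dst, int(port), int(nbytes), label))
    return flows


def find_oversized_beacons(flows: list[Flow], label: str = "health",
                           factor: float = 10.0, min_samples: int = 3) -> list[Flow]:
    """Return beacons whose byte count exceeds factor x the median for that
    (src, dst) pair. The median, not the mean, is the baseline, so the
    oversized records cannot pull the baseline up and hide behind it."""
    groups: dict[tuple[str, str], list[Flow]] = {}
    for f in flows:
        if f.label == label:
            groups.setdefault((f.src, f.dst), []).append(f)
    suspects = []
    for pair_flows in groups.values():
        if len(pair_flows) < min_samples:
            continue  # too few samples for a meaningful baseline
        baseline = statistics.median(f.nbytes for f in pair_flows)
        suspects.extend(f for f in pair_flows if f.nbytes > factor * baseline)
    return suspects


def beacon_report(text: str = SAMPLE_FLOWS) -> list[tuple[str, int]]:
    """(timestamp, bytes) of every suspect beacon, in log order."""
    return [(f.ts, f.nbytes) for f in find_oversized_beacons(parse_flows(text))]


if __name__ == "__main__":
    for ts, nbytes in beacon_report():
        print(f"{ts}: health beacon of {nbytes} bytes looks like bulk data, not health")
```

The baseline has to come from a log source the vendor cannot rewrite; if the firewall and its logging are both in VVV’s hands, the first rule VVV adds is one that stops exporting these flows. The encryption of the beacon is irrelevant to this check, which is the point: volume and timing leak even when content does not.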
WISE GEN as CIO • Management appreciated WISE GEN’s presence of mind and made her the CIO. • The company that quarter was making a loss. • 15 minutes before it was announced on the web, around 3 million shares were sold by shareholders. • This created suspicion and WISE GEN was asked to investigate.
WISE GEN’s Investigation • The only medium through which the information could leak was the web. • The web admin is locked inside the office, without mobile or telephone connection, while he is uploading the results. • How did the information leak?
Web screenshots: Page at 2:15 PM | Page at 2:45 PM
WISE GEN checks the Source

Source at 2:15 PM:
<html>
<body bgcolor="#bbddff" VLINK="#ffaa00"><font="arial">
<center>
<h1> Management Tasks </h1>
<BR><BR>
<table border="#ffffff">
<TR> <TD> <h3> Task-id </h3> </TD> <TD> <h3> M-001 </h3> </TD> </TR>
<TD> <h3> Description </h3> </TD>
<TD> <h3>
<li> Ensure Updating of lab web-page every Monday or the next working-day following Monday, if latter is not a working-day. The date in the lab home-page should reflect the update. <BR><BR>
<li> Requests for Updates shall be sent to you from lab members and you must acknowledge all requests AFTER the update is done, to the respective members so that they can check if the update is done properly to their satisfaction. This Acknowledgement shall go with an update-id.<BR><BR>

Source at 2:45 PM:
<!DOCTYPE html>
<html>
<body bgcolor="#bbddff" VLINK="#ffaa00"><font="arial">
<center>
<h1> Management Tasks </h1>
<BR><BR>
<table border="#ffffff">
<TR> <TD> <h3> Task-id </h3> </TD> <TD> <h3> M-001 </h3> </TD> </TR>
<TD> <h3> Description </h3> </TD>
<TD> <h3>
<li> Ensure Updating of lab web-page every Monday or the next working-day following Monday, if latter is not a working-day. The date in the lab home-page should reflect the update. <BR><BR>
<li> Requests for Updates shall be sent to you from lab members and you must acknowledge all requests AFTER the update is done, to the respective members so that they can check if the update is done properly to their satisfaction. This Acknowledgement shall go with an update-id.<BR><BR>
Who was the Culprit? • The culprit was the web admin. • At 2:15 PM he had started uploading the result, so he knew the content. • He had told his accomplice: at 2:15 PM, if you see a <!DOCTYPE html> in the first line it is PROFIT, else it is LOSS. • In this case it was a LOSS. • The external world can check this using “View Source”. • The web admin can legally edit this.
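The channel works because the web admin can change bytes that no reader sees: a DOCTYPE line, a comment, attribute order, whitespace. The check below is an added example (not from the presentation): it diffs two snapshots of a page and reports changes to the raw source that leave the rendered text untouched, which is exactly the class of edit that should never appear between staging and publication. The two snapshots are constructed stand-ins for the 2:15 PM and 2:45 PM sources; everything else is standard-library Python.

```python
"""Report changes to a published page's source that readers cannot see.

Added example, not from the presentation. PAGE_2_15 and PAGE_2_45 are
constructed stand-ins for the two sources in the story.
"""
from __future__ import annotations

import difflib
import re
from html.parser import HTMLParser

# Constructed snapshots: the only difference between them is a DOCTYPE line,
# which a browser never renders.
PAGE_2_15 = """\
<html>
<body bgcolor="#bbddff">
<center><h1>Quarterly Results</h1>
<p>The company reports a net loss for the quarter.</p>
</center></body></html>
"""
PAGE_2_45 = "<!DOCTYPE html>\n" + PAGE_2_15


class _VisibleText(HTMLParser):
    """Keep character data only. Declarations (<!DOCTYPE ...>), comments and
    processing instructions fall through to HTMLParser's no-op defaults,
    because none of them contribute to what a reader sees."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def visible_text(html: str) -> str:
    """Rendered text of a page with whitespace collapsed, so reflowing or
    re-indenting the markup is also treated as invisible."""
    p = _VisibleText()
    p.feed(html)
    p.close()
    return re.sub(r"\s+", " ", "".join(p.parts)).strip()


def classify_change(before: str, after: str) -> tuple[str, list[str]]:
    """Return (kind, changed_lines).

    kind is "none" (byte-identical), "visible" (rendered text changed) or
    "invisible" (raw source changed, rendered text did not). An "invisible"
    change is the channel the web admin used: bytes anyone can read with
    View Source, but that no editor or reader would ever notice.
    """
    if before == after:
        return "none", []
    changed = [
        line
        for line in difflib.unified_diff(
            before.splitlines(), after.splitlines(), lineterm="", n=0)
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]
    kind = "visible" if visible_text(before) != visible_text(after) else "invisible"
    return kind, changed


if __name__ == "__main__":
    kind, lines = classify_change(PAGE_2_15, PAGE_2_45)
    print(kind, lines)
```

Run it between the approved staging copy and the live page after every upload; an “invisible” result is either a tamper or a signal, and either one is a reason to block the release. A publishing pipeline that deploys a byte-exact, pre-approved artifact removes the admin’s discretion over those bytes altogether, which is the structural fix.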
Reactions to Frauds • All three stories were reactions to frauds and in no way could have prevented the fraud. • Why can’t we be proactive? • The reason is: WE DO NOT KNOW THE THREAT MODEL. • Why is it so?
High-Level Programming: You do not care • A computing system is nothing but layers of virtual machines, each hiding the one below it: • Application programs (high-level programming) – beyond the programming language you do not care • Compiler • Assembly language level – beyond the compiler you do not care • Operating system – beyond the OS routines you do not care • Microprogramming – beyond the micro-architecture you do not care • Digital hardware
How Prevalent is the Problem • Select 100 COTS/open-source application packages randomly: • Packages with dead code – 79 • Packages with unwanted code (backdoors, etc.) – 23 • Packages with suspicious behaviours – 89 • Packages with possible malicious code – 76 • Known worms, Trojans, rootkits, etc. – 21 • Possible worms, Trojans, rootkits, etc. – 69 • Source: Reifer Consultants presentation at the Oct 2007 DHS SwA Forum
Borland Interbase 4.0, 5.0, 6.0 (2001) • Hard-coded username “politically” with the password “correct” allowed remote access • Credentials inserted into the database at startup • Support for user-defined functions equates to administrative access on the server • Undetected for over seven years • Opening the source revealed the backdoor
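Opening the source is what finally exposed the Interbase account. The scanner below is an added example (not from the presentation, and not Interbase’s actual code): it searches source text for the two tell-tale patterns on the slide, a credential-looking identifier bound to a string literal and a literal row inserted into a users table, and pairs them into candidate username/password pairs. The C-like sample it runs over is constructed; its identifiers (BUILTIN_USER, init_users, db_exec, lookup_user) are invented for the illustration.

```python
"""Find compiled-in credentials of the Interbase kind in source text.

Added example, not from the presentation. SAMPLE_SOURCE is a constructed
C-like fragment that mimics the pattern described on the slide (a literal
user/password pair, and an INSERT into the users table at startup); the
function, variable and table names in it are invented.
"""
from __future__ import annotations

import re

SAMPLE_SOURCE = '''\
/* constructed sample, modelled on the backdoor pattern described above */
#define DEFAULT_PORT 3050
static const char *BUILTIN_USER = "politically";
static const char *BUILTIN_PASS = "correct";

void init_users(db_t *db) {
    db_exec(db, "INSERT INTO USERS(USER_NAME, PASSWD) VALUES ('politically', 'correct')");
}
int check_login(const char *u, const char *p) {
    if (strcmp(u, BUILTIN_USER) == 0 && strcmp(p, BUILTIN_PASS) == 0) return 1;
    return lookup_user(u, p);
}
'''

# An identifier that smells like a credential, followed by a string literal.
CRED_LITERAL = re.compile(
    r'\b(\w*(?:user|login|pass|pwd|secret|token)\w*)\s*[=:]?\s*"([^"]+)"', re.I)
# A row being written into a users/accounts table with literal values.
SQL_USER_INSERT = re.compile(
    r"INSERT\s+INTO\s+\w*(?:USER|ACCOUNT)\w*.*?VALUES\s*\((.*?)\)", re.I | re.S)
USERISH = re.compile(r"user|login", re.I)
PASSISH = re.compile(r"pass|pwd|secret|token", re.I)


def find_hardcoded_credentials(src: str) -> list[dict]:
    """Return one finding per suspicious literal or user-table INSERT,
    ordered by line number."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for name, value in CRED_LITERAL.findall(line):
            findings.append({"line": lineno, "kind": "literal", "name": name, "value": value})
    for m in SQL_USER_INSERT.finditer(src):
        lineno = src.count("\n", 0, m.start()) + 1
        literals = re.findall(r"'([^']*)'", m.group(1))
        if literals:
            findings.append({"line": lineno, "kind": "sql-insert", "values": literals})
    return sorted(findings, key=lambda f: f["line"])


def credential_pairs(findings: list[dict], window: int = 3) -> list[tuple[str, str]]:
    """Pair a user-like literal with a password-like literal declared within
    `window` lines of it, and take the first two literals of any user-table
    INSERT. Returns de-duplicated (user, password) candidates."""
    pairs = set()
    literals = [f for f in findings if f["kind"] == "literal"]
    for u in literals:
        if not USERISH.search(u["name"]):
            continue
        for p in literals:
            if PASSISH.search(p["name"]) and abs(p["line"] - u["line"]) <= window:
                pairs.add((u["value"], p["value"]))
    for f in findings:
        if f["kind"] == "sql-insert" and len(f["values"]) >= 2:
            pairs.add((f["values"][0], f["values"][1]))
    return sorted(pairs)


if __name__ == "__main__":
    found = find_hardcoded_credentials(SAMPLE_SOURCE)
    for f in found:
        print(f)
    print("candidate pairs:", credential_pairs(found))
```

The regexes are deliberately loose: the cost of a false positive is a minute of a reviewer’s time, the cost of the miss on this slide was seven years. Any pair the scanner reports should be tried against a test instance before it is dismissed, because a backdoor account is only harmless if it does not authenticate.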
At the end of this presentation, M/s. VVV wanted to take Prof. Kamakoti to court for using their name in his story. Prof. Kamakoti says he had indeed written on the screen “ALL characters and entities used in this presentation are imaginary”. Where did he? IN HIS VERY FIRST SLIDE
WISE GEN and The IT Revolution* Prof. Kamakoti, IIT Madras *All characters and entities in this presentation are imaginary.
SLAs and License Terms • Key points in SLAs and license terms are in the fine print. • By not reading these in full, customers get trapped and could potentially be sued for illegal usage. • I am yet to see an SLA with a penalty clause relating to performance, let alone security. • LOOOOOOOOOOOONG WAY to GO……..
A tough road ahead – In the next 10 years, either the world will be happy with computers, calling them the eighth wonder of the world, OR it will curse the CS and EE guys: why the hell did you invent one? The former will happen if we can deliver the necessary security; else the latter is inevitable. Thank You