Saturday, December 26, 2009

What's the Word? Tell Me What's A Happening.

Recent legal decisions based upon the XML (Extensible Markup Language) used in Microsoft Word 2007 appear to have put a stagger in the step of the software giant. A recent ruling by the Washington, D.C.-based U.S. Court of Appeals for the Federal Circuit upheld a U.S. District Court for Eastern Texas judge's injunction in favor of Toronto-based software developer i4i, Inc.

The Associated Press summarized the situation quite nicely on December 22, 2009:

"Toronto-based i4i Inc. sued Microsoft in 2007, saying it owned the technology behind a tool in the popular word processing program. The technology in question gives Word users an improved way to edit XML, or code that tells the program how to interpret and display a document's contents.

A Texas jury found that Microsoft Word willfully infringed on the patent. Microsoft appealed that decision, but the U.S. Court of Appeals for the Federal Circuit on Tuesday upheld the lower court's damage award and the injunction against future sales of infringing copies of Word."

What will happen on January 11, 2010?

Whatever occurs on that date will probably be about as eventful as Year 2000: some users will be inconvenienced by the changes forced upon them, but according to Microsoft the general population is not likely to be significantly affected. Microsoft has already anticipated and addressed the potential consequences of the judgment by issuing the 2007 Microsoft Office OPK Master Kit Download. This kit will strip Word and other Office programs of their custom XML editing capabilities.

What exactly is the patent about?

Nothing in the press has been very explicit, but the hullaballoo is about patent number 5,787,449, which describes how programs go about "manipulating a document's content and architecture separately." What exactly does this mean? Without being a patent attorney or software programmer, it is difficult to say; however, Microsoft commented on Tuesday that "it had put the wheels in motion to remove this little-used feature." The same statement added that Microsoft's upcoming Word 2010 and Office 2010 "do not contain the technology covered by the injunction."

What did the ruling cover?

The ruling means Microsoft cannot sell versions of Word that can open documents saved in .XML, .DOCX, or .DOCM formats that contain custom XML. According to Paul McDougall (Information Week, 12/23/09, "Microsoft Word Gets Facelift"), those formats were at the heart of the patent dispute. DOCX is the default format for the most current version of Word, which is included in Microsoft Office 2007. Custom XML is used by businesses to link their corporate data to Word documents. The Court left an out for Microsoft: the company can continue to sell Word 2007 after January 11 if it removes the offending technology from the product. By virtue of its recent patch release, it appears that Microsoft is willing to comply with the order.

Who wins?

The winners in this case appear to be i4i, which collects its share from the suit and gains some recognition as a side benefit (along with the lawyers who handled the case). Microsoft, on the other hand, will have to pay a $290 million fine (it will probably file further appeals), and end users will either be compelled by a forced "update" to revise their installed applications or will have to revise some code once they discover that they actually used the little-used feature.

Although we do not normally report on news items, we felt that this item was worthy of note. Hopefully, it will not adversely affect most of you, but if further insights should arise, we will do our best to keep you well apprised of the situation. If there is a subject you feel merits our attention, please feel free to notify us at info@tech4now.com. For more information about a technical subject or for insights to improve your business' productivity, feel free to visit our website at www.tech4now.com. Happy holidays and a Happy 2010.

Saturday, December 19, 2009

How Can I Tell Who's Been On My Computers At Work?

A client recently posed the following question:

"I have a small office with about ten users in a large office building. These users often leave their desktop computers unattended while they leave for lunch, go home at night or attend meetings. I am concerned that the computers near the reception area are not only unattended, but may possibly be compromised by strangers who could just walk in. What can I do to help reduce the likelihood of someone breaching my network and accessing confidential data?"


Review the situation...

First of all, you need to educate your users in general security awareness for your office. Larger office buildings provide a situation in which unauthorized individuals may gain access to restricted areas in an inconspicuous and anonymous manner. The fact that you have a computer in the reception area and do not limit access to it is already a modest concern.


Initial thoughts...

A Password Policy would provide you with a prime opportunity to expose your users to the risks inherent in "unprotected computer use." This document, by virtue of being a condition of employment, will require staff members to become more aware of the concerns that you, as management, carry, while enforcing their cooperation for the benefit of the company. Too many companies have users with a lax attitude toward securing the computer at work; for them, it is an inconvenience.

What's involved in the process?

1. Draft an outline

In it, provide an overview of the who, what, where, when and why involved. It must be simple to read and understand, but should be comprehensive enough to help you achieve your objective.

2. Define a purpose

If the staff reads the policy (and even if they sign off on it) but don't clearly understand why it is in place, you will be wasting your time and aggravating them.

3. Provide a scope

Anyone who must comply with the policy must be made aware of it, and those who work with them must see that the policy applies to everyone who works with confidential information or client personal information, or whose work enables the office to comply with HIPAA or SOX, ensuring that all systems that reside on the company network are protected.

4. General - Passwords subject to Policy

It should be clear to all users which passwords are subject to scrutiny under the policy and how frequently the passwords must be changed. Enumerate the cases where it applies, such as admin passwords and user passwords for e-mail, web access and system access. Have the admin passwords change quarterly and the user passwords change semi-annually.

5. Guidelines

A. Provide general guidance to the composition and selection of the password.

B. State the number of generations that must pass before a password may be reused, if ever.

C. Provide a format for the complexity:

i. No username may be incorporated into the password (e.g., Fred1234)

ii. The password must contain uppercase, lowercase, numbers and special characters to be accepted as a valid password.

iii. It should not be a word found in the dictionary (due to dictionary attacks).

iv. Make it clear how long the password must be in terms of characters (e.g., 8 to 15 characters long).

v. If using a passphrase, the length should be significant and should include as many of the complexity elements as possible. For example, "I try not to drive down Route 208 South during the rush hour." could convert into: "1#tRy_n0+$to#DrvDwN_R+2o85_DrnGdaRUSHOWER!"

vi. If a user suspects that the password may have been compromised, all involved passwords must be changed immediately.

vii. Where resources are available, audit passwords by attempting to guess them; any password that is guessed must be changed immediately.

D. Inform the users how to maintain a secure password.

i. Do not write the password on a Post-It note affixed to the monitor or hidden under the keyboard.

ii. Do not share passwords with colleagues, since individual passwords are what make it possible to identify who accessed what.

iii. Do not send password information in correspondence whether printed or electronic.

6. Enforcement of the Policy

If the users are advised of the ramifications of non-compliance, they will be more adherent to the Policy. Violations should be subject to disciplinary action, up to and including termination.
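A small checker that applies the composition, reuse and expiry rules from the outline above, as an added example that is not part of the original post. The usernames, the word list, the stored history digests and the dates are constructed placeholders; the maximum-age figures follow the quarterly (admin) and semi-annual (user) schedule given in item 4.

```python
import hashlib
import re
from datetime import date

# Constructed mini word list; a real deployment would load a full dictionary file.
DICTIONARY = {"password", "welcome", "summer", "letmein", "qwerty", "monkey"}
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")
# Quarterly for admin accounts, semi-annually for user accounts (item 4 of the outline).
MAX_AGE_DAYS = {"admin": 90, "user": 180}


def history_digest(password):
    """Digest kept for the reuse check. Unsalted SHA-256 keeps the example short;
    a real history store would keep the same salted hashes as the credential store."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate, username, history, min_length=8, generations=5):
    """Return the list of policy violations; an empty list means the password complies."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special character")
    # Dictionary check on the whole string and on its letters alone, so that
    # "Password1!" is still caught even though it carries a digit and a symbol.
    alpha_core = re.sub(r"[^a-z]", "", lowered)
    if lowered in DICTIONARY or alpha_core in DICTIONARY:
        problems.append("based on a dictionary word")
    # Reuse check against the last N stored digests (item 5.B).
    if history_digest(candidate) in history[-generations:]:
        problems.append("reused within the last %d generations" % generations)
    return problems


def days_until_expiry(role, last_changed_iso, today_iso):
    """Days left before the password must be changed (ISO dates); zero or less means expired."""
    age = (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days
    return MAX_AGE_DAYS[role] - age
```

The page's own passphrase example passes every rule, while "Fred1234" fails both the username and the special-character checks.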

What Else Can I Do To Communicate The Importance Of This Policy?

In general, if the user does not change the password on his/her own, you may enforce the change through system policy. The user would log in to the account on the day it expires and would be informed that a new password must be provided before proceeding onto the system.

In addition to this, if a user has changed the password but forgets it, enforce a lockout of the account after X failed login attempts. This will not only force the user to maintain their level of compliance with the Policy, but will reduce the system's exposure to a password-guessing attempt.

Another facet of the system policy would be to set the system default so that applications such as Internet Explorer and other browsers are not allowed to remember login names and/or passwords.

The extent to which users will comply with a Password Policy is directly correlated to the cost of non-compliance. If you establish and enforce a strong policy, it will reward you with greater compliance and a more secure network. The level of complexity and inconvenience is totally discretionary; however, the more lax the policy, the greater the risk of exposure. There are clearly many more aspects of security that may be layered upon the users (e.g., Two Factor Authentication (TFA) using a PIN and a time-sensitive code).

If you wish to implement a more stringent Password Policy in your office or would like to learn more about using a TFA in your network, feel free to contact us at support@tech4now.com or call us at (201) 797-5050. This is your opportunity to maintain your network's security and your strategic edge over your competition. If you want to maintain or upgrade your network, visit us at http://www.tech4now.com/. Remember, the best time to act is now because tomorrow never arrives.

Sunday, December 6, 2009

I Backup On Tapes, So My Network's Secure, Right?

The Opening Scene...
Your business has a server with a tape drive. You have been using this drive for the past three or more years to back up a full image of your server's data. It has become a regular step in your day to swap out the tape and confirm that your backup was successful. You even replace all of the tapes in the weekly rotation based upon the manufacturer's recommendations. You may have even performed test restores from your tapes to verify their usefulness. You feel secure, but are you?

The Plot thickens...
Stop to consider how a tape drive works...
Data is read from the hard drive (a reliable, high-speed, long-lasting medium) and written to a tape. The tape is a nylon/plastic-based ribbon with a metal oxide coating capable of retaining information in magnetic form. It can move quickly past the recording heads, but must perform all steps sequentially. Remember, as the information is written to the tape, the written tape is spooled onto a spindle. So, the question emerges: if so many people have been using tape for so many years, why should I begin to question its use in my office for backup?

Considerations...
Have you read any flyers lately from the computer or office supply stores? The price of hard drives has dropped dramatically in the past three years. Three to five years ago, the average computer came with a hard drive that was about 40GB in size. Now, the smallest drive you can get from these stores without special order is 160GB and it's getting larger all the time.

Moore's Law and Kryder's Law (compliments of Wikipedia):
Moore's Law, named after Intel co-founder Gordon E. Moore, describes a long-term trend in the history of computing hardware, in which the number of transistors that can be placed inexpensively on an integrated circuit has doubled approximately every two years. Kryder's Law, named after Mark Kryder, Seagate Corp.'s SVP of Research and CTO, draws from Moore's Law and says that magnetic disk areal storage density doubles annually. This held true from 1995 to 2005. Kryder also published a new study through PhysOrg.com which reported that if hard drives continue to progress at their current pace, then in 2020 a two-disk, 2.5-inch disk drive will be capable of storing more than 14TB and will cost about $40.

Getting to the Point...
Look at the price of the tape drive and the price of the tapes. Their prices have dropped, but not significantly. Now, consider their reliability and dependability. If a tape is exposed to severe changes in temperature (e.g., do you store it in your car's glove compartment?), don't you see how the tape may become more brittle and susceptible to breakage? Furthermore, it has been shown that a tape is bound to fail at least once in its lifetime, either while being written to or read. If you have an alternative medium that can read and write faster, retrieve data in a non-sequential manner and does not need replacement at regular intervals, for a similar or lower cost, wouldn't you consider that a viable option?

Hello Hard Drives
With their prices dropping regularly and their capacities growing at a similar rate, the hard drive has become the new medium of choice for long-term backup storage. Another wonderful thing about the hard drive as a storage medium is its ability to respond quickly: its read/write speed is "orders of magnitude" faster than tape. This capability enables backup systems to back up data in 15-minute increments rather than waiting for the nightly full backup, which may take over eight (8) hours to process about 20GB (e.g., on DAT and Travan tapes).

Capabilities of backup storage have been further enhanced with the NAS (Network Attached Storage) device. Essentially, a NAS is a hard drive built into an external housing that has its own power and network connectivity. Some NAS devices are even more intelligent and run software that enables them to back up multiple computers and servers automatically, then send the same items as encrypted data offsite to secure locations. This offering of an automated, frequent and high-speed backup unit has shifted technology's choice from tapes to drives. Even older backup systems (e.g., Backup Exec) provided, in their later revisions, the ability to run B2D (Backup-to-Disk).

Now What?!
So, you have an investment in tapes. Perhaps you even bought them a few years ago on our recommendation. Well, you needed to have a backup system in place and at the time that was the best for you. However, times have changed and now this is what we propose...

Assess your business' need for backup based upon the following criteria:

  1. Timeliness - How often do you need to perform your backup? How often does data change?
  2. Capacity - How much data do you have that needs to be backed up? If you were to back up the server, would that suffice? Do you need to back up other machines, too?
  3. Turnaround Time - If your business had a catastrophe, how much time would be required to restore the systems to make the business viable again? How much time could you afford to be down?
  4. Dependence - If your server were down, would you be willing to pay a little more to have the ability to virtualize the machine to allow others to access data on a quick turnaround?
  5. Scope - How many machines are needed to run the office? Could the business recover if just the server and one workstation were restored?
  6. Location - If your office became "off-limits" due to a police action, fire or flood, could you resume operations in either a new location or a temporary venue?

Once you have answered the six questions listed above, you can begin to determine the type of backup system you need to implement for your business. This information will also come in handy when you begin to compile your documentation to support a Disaster Recovery Plan.

If you feel you do not have an adequate backup system in place or are considering an "upgrade," please feel free to contact us to discuss your options. It's your business and your livelihood; don't let it slide for too long or you may have serious issues to contend with. To set up an appointment to review your backup, please contact us at support@tech4now.com or visit our site at http://www.tech4now.com/ or call us at (201) 797-5050. Remember, there's no time like the present.