Latest CIO posts
20 May 2011
If you've ever frequented an internet forum, besides dodging the incessant sniping, flaming and accusations of being just like Hitler, you might have seen the odd acronym that I've chosen as this week's title.
Whilst I won't translate it for you (come on, it's not hard to work out), I will describe it as an expression of extreme frustration. That's the sort of emotion you might be feeling right now if you're a Sony customer.
Not content with leaking the personal (and in some cases financial) details of over 100,000 customers following a cyber attack, it has stumbled, Harold Lloyd-like, into a succession of security and PR failures since.
Let's have a look at what Sony's done so far:
• Took a week to tell anyone about the breach. Given the extent of the attack, and that other DDoS attacks were being perpetrated simultaneously, you could argue that it should be forgiven for this one.
• Complained (in a letter to the US House of Representatives) that it was hard to detect the hack. Yes, welcome to the internet. Hacks are often hard to detect, that's often sort of the point.
• Complained that it was hard to know what was stolen because the hackers deleted the log files: see above. Log files are all well and good but if your forensic capability begins and ends with log files then you're living in 1996.
• Finally began to bring the PlayStation Network (PSN) back online... then immediately had to take it down again because everyone was changing their passwords and the system couldn't keep up. Not a massive issue, but what were they expecting people were going to do when access was restored?
• The PSN comes back online again... then the password reset pages are taken down as reports of another vulnerability emerge, where anyone can hack an account simply by knowing the username and the date of birth used when it was created.
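The last bullet describes a reset flow whose only check is something an attacker can often find out (a username and a date of birth). The following Python is an added illustration, not Sony's code or anything taken from its systems: the account store, the token lifetime and the function names are all constructed for this example. It puts the knowledge-based check beside the pattern a defender would want instead, a high-entropy, single-use, expiring token that is bound to the account and delivered out of band.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed, in-memory account store (hypothetical; not a real service).
ACCOUNTS = {
    "player_one": {"dob": "1990-04-12", "password": "old-password"},
}

# Assumed lifetime for a reset token: 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class ResetTokenStore:
    """Maps an issued token to (username, expiry timestamp)."""
    tokens: dict = field(default_factory=dict)


def weak_reset(username, dob, new_password):
    """Knowledge-based reset: username plus date of birth is the whole check.

    This is the flaw described above. Both values are low-entropy and widely
    shared, so anyone who knows them can take over the account.
    """
    acct = ACCOUNTS.get(username)
    if acct is None or not hmac.compare_digest(acct["dob"], dob):
        return False
    acct["password"] = new_password
    return True


def issue_reset_token(store, username, now=None):
    """Hardened step 1: mint a random single-use token bound to the account.

    The token would be sent out of band (for example to the registered e-mail
    address). A token is returned even for unknown usernames so the response
    does not reveal which accounts exist; it is simply never stored.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    if username in ACCOUNTS:
        store.tokens[token] = (username, now + TOKEN_TTL_SECONDS)
    return token


def hardened_reset(store, username, token, new_password, now=None):
    """Hardened step 2: the token must exist, match the account and be unexpired.

    The token is consumed on first presentation whether or not the reset
    succeeds, so it cannot be replayed or brute-forced after a failed attempt.
    """
    now = time.time() if now is None else now
    entry = store.tokens.pop(token, None)
    if entry is None:
        return False
    bound_user, expiry = entry
    if not hmac.compare_digest(bound_user, username) or now > expiry:
        return False
    ACCOUNTS[username]["password"] = new_password
    return True
```

The two functions share the same outcome (a changed password), but only the hardened path requires proof of access to a channel the account owner controls, rather than facts about the owner. Rate limiting the reset endpoint and logging every issued and consumed token are the obvious additions on top of this.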
At the time of writing the PSN is up across most countries, and normal services appear to have been restored... for now.
But what can we learn from Sony's experience? Hackers are good at what they do? Everyone is vulnerable, even (or perhaps especially) large organisations? Nothing new there.
Since the initial attack, Sony has engaged external security advisers both to plug the security hole, and help to ensure there aren't others. It has also announced that it will appoint a new CISO (chief information security officer), who will report directly to the CIO.
To my mind, given the scale, severity and notoriety of the problem, it doesn't appear to have done an awful lot. And the reason is that ultimately it doesn't need to. It all comes down to financials, quelle surprise. Sony needs to balance the cost of its restorative measures against the cost of doing nothing.
And the cost of doing nothing is very low. Plug the breach, sure, as making exactly the same mistake twice will incur the wrath of the governments of several countries in which the corporation operates. But don't go overboard. Don't bother changing your infrastructure, or stripping out your existing (and patently ineffective) security measures and replacing them with more layers.
The harsh reality is Sony just needs to make a few of the right noises, give its customers a little compensation (both of which it has done), and then it's back to business as usual.
After all, its customers just want to get back to playing games. They're not all going to switch to Xbox Live; they've invested in the PlayStation platform and its games, so very few will jump ship. OK, they might type a few obscenities onto internet forums, some may even go as far as OMGWTFBBQ, but they'll be back on the PSN soon enough, credit card details and all.
So I've spent the day at probably the smartest hotel I've ever visited, the Sofitel in Munich, where I am attending the Samsung CIO Green Forum 2011.
My room runs over two floors, and the electric blinds sweep underneath the glass windows that span a whole wall and half the ceiling if I flick a switch next to the bed.
There is also a 'light wall' on the first floor which glows red, green and yellow, and is frankly terrifying, and the lift automatically remembers my room number.
The in-room entertainment system is operable using several dials; one of which is in the bathroom, while a second is in the en-suite loo and a third next to the front door.
It is ironic, then, that amid this hotel's smorgasbord of power-sapping technology, the conference intends to provide CIOs with information on its efficient use, with a view to reducing carbon emissions.
The conference has focused particularly on how smarter memory chip technologies have a defining role to play.
The efficiencies discussed have been related to the provision of cloud services, the in-house datacentre prior to a move to the cloud, and how the memory in the server itself can help drive efficiencies.
Speakers have included representatives from Microsoft, SAP, as well as the OECD and the United Nations, with the central theme in all cases being the need to use energy-efficient technology.
Rick Bakken, senior director of datacentre evangelism, global foundation services at Microsoft, explained in a complex presentation that Microsoft is working hard to reduce the PUE in its datacentres.
PUE is a metric used to determine the energy efficiency of a datacentre and is worked out by dividing the total amount of power entering the datacentre by the power used to run the computing infrastructure within it. It is therefore expressed as a ratio, and overall efficiency improves the closer the quotient is to 1.
Bakken explained that the company was aiming to reduce its datacentre PUE to 1.04 down from 1.25 in 24 months.
As well as using water to cool its datacentres as it currently does, Bakken explained it would also be looking at fuelcell and underground technologies in the near future.
The giant is now rolling out its fourth generation datacentre which is modular, based on a pre-fabricated building and a series of commoditised components.
The conference has also examined the sort of refreshes an IT department should make prior to its move to the cloud, and why.
Alan Priestley, marketing director, server and cloud, Intel EMEA, explained convincingly that proactive server refreshes had proven the largest driver of value and energy savings with Intel itself, saving the company $250m in eight years.
In addition, Moore's Law, which states that a technology doubles its capability every two years, means that a company that last updated its racks in 2005 could now replace 15 of these with one system, leading to a 95 per cent reduction in energy consumption.
The final presentation looked at chip technologies themselves, with Myung Ho Kim, vice president of global memory marketing at Samsung, detailing the ecological benefits of its new 30nm green DDR4 DRAM technology.
Kim explained that the technology can achieve data transfer rates of 2.13Gbit/s compared with the 30nm DDR3 chip at 1.6Gbit/s. It also uses a technology called Pseudo Open Drain (POD), which uses half the electric current of the DDR3 chip.
Nicola Brittain, News and Analysis Editor, Computing