Now, Zoho has several million users, including us, so fixing data corruption of that magnitude is not like letting Windows chkdsk just run for a few minutes after the server is rebooted. We’ll have to wait to see what the final outcome is, and for how long Zoho CRM (and SugarCRM and another 214 customers Equinix claims to host at that data center) remain down.

We suffered the same fate a few years ago at our former colocation host.  That and other issues caused us to move to a new colocation facility.  What happened at our former colocation host was that there was a power outage, the data center UPS (uninterruptible power supply) kicked in, and the system waited for the generator to start.  Only the generator didn’t start, and the UPS system had only a few minutes of juice in their batteries, so every server in the data center crashed, quite hard.  Fortunately, we had plans in place so we were able to recover quickly.

When we did a new colocation facility bakeoff, one of the detailed questions we asked was what happens if the power goes out and the generator fails to start?  Most data centers told us things like “We test the generator weekly! That won’t happen!” (which is what our former data center provider told us as well). Well, guess what?  You-know-what does happen periodically.

At the end of the day, we chose BayRing Communications, a New Hampshire-based phone company with two data centers at the old Pease Air Force base.  When we asked that same question of them, they laughed, literally, and said that in their experience gear fails all the time and so one needs to be prepared.  In their case, they bought a lot of batteries for their UPSs. When the power goes out, their UPS can run everything for several hours – plenty of time to either fix the generator or get a portable generator trucked in and hooked up.  They reminded us that, as a phone company, they get in big trouble if things like 911 don’t work for any length of time.

Indeed, at the end of the due diligence, we understood in more intimate detail what “carrier-grade” really means. And why, if you are running your own and hosting your clients’ mission-critical applications (like electronic health records, and email for regulated companies for example), “carrier-grade” has to be the minimum standard.

Does that cost more? More than some and less than others.

Will we survive without access to our CRM application through Zoho for a few hours? Sure. For a few days would be a real problem though.

At the end of the day, the takeaway here is that, whether you are taking care of a few dozen customers or a few million, when you choose a data center provider you really need to do your due diligence carefully.  Something clearly went horribly wrong at Equinix, and as of this writing, though power has been restored for a few hours, they haven’t disclosed the root cause.  We’ll have to wait and see…

If you have mission-critical applications and you have concerns about their hosting, we’d be happy to help you through a due diligence process that we organized for ourselves and our clients who host with us. Just give us a call at (207) 772-5678.

Mark

Lockheed and Northrop the articles further point out have already suffered intrusion attempts, with Northrop reportedly going so far as to shut down all remote access.

It’s not just defense contractors, Sony, VMware, Amazon, Google, and the State of Texas who suffer data breaches increasingly measured in the millions of records. We see typically half a dozen or so very professional intrusion attempts every day on our home firewalls; our data center firewalls see about the same.

SecureID, combined with a personal password known only to the user creates what is called a “two-factor authentication” authorization scheme.  Described as “something you have, plus something you know”, it works just like an ATM card (something you have) with your PIN (something you know). The two-factor authentication provided (past tense…) by SecureID often lulls users into a false sense of security and the temptation to use weak passwords; how many of us have 10-digit ATM card passcodes?  I used to have an 8-digit passcode but found it didn’t work on about half of all store credit card swipe pinpads.  Not terrific security…

And what happens when we lose our ATM card?  We cancel the card and get a new PIN.  Well… RSA just “cancelled” some 40 million SecureID cards.

With our without SecureID or some other two-factor authentication scheme, there is no substitute for good, basic password policies. We recommend strongly that our clients adopt password complexity, reuse and rotation policies, at least as follows:

1. Passwords should be a minimum of eight characters long and contain at least one each of:
   1. Uppercase character
   2. Lowercase character
   3. Number
   4. Punctuation mark or symbol (e.g. semi-colon, underscore, hyphen, parenthesis, etc.)
2. Passwords should be changed no less frequently than every 120 days (one company we know requires weekly password changes)
3. Passwords should not contain dictionary words or derivatives, or be based on personal information like birth dates or anniversaries.
4. Passwords once used should not be able to be reused for at least a year.
5. Lastly, the log files need to be parsed routinely for intrusion attempts (this can be automated) and a human alerted ASAP when something looks wonky.

Consider the costs to a company when a user’s email password is compromised and a hacker starts using that account to send out thousands and thousands of spam emails.  In short order, the company’s email server becomes blacklisted, no one in the company can send email anywhere, and business comes to a grinding halt.  It can take a few days to get off all the blacklists, so we advise clients to consider the costs of a few days of email downtime against the complaints from a vocal few users who don’t like changing their passwords three times a year.  It’s all about tradeoffs and risk management at the end of the day.

If you would like an objective review of your company’s security, remote access, password and related policies, give us a call at (207) 772-5678.

Take care!

Mark

During this action, SCO threatened every Linux user with claims that Linux violated SCO’s intellectual property. Microsoft-friendly entities invested in SCO apparently to help SCO continue the litigation and, it is alleged, arm-twist risk-averse customers away from Linux and back towards using Microsoft products. Microsoft too has alleged that Linux infringes on its intellectual property as well.

A few years back, Novell made a bold move, and did a deal with Microsoft to indemnify Novell Linux users from any follow-on claims. Microsoft in turn agreed to improve interoperability with Novell’s Linux server systems, which resulted in Microsoft’s Hyper-V virtualization software being able to host Novell SuSE Linux Enterprise Server guests, among other customer benefits.

Novell was roundly trounced for doing that deal with Microsoft; “selling out” was frequently heard at the time. But we thought the deal was very shrewd on Novell’s part, for two reasons. First, Microsoft paid Novell ~$350 million, which gave Novell some extra cash to see the SCO litigation through to completion. Second, a number of our risk-averse clients who were on the fence about using Linux over Microsoft Server products could now choose between the two without worrying about any legal exposure. We ourselves continued to use Novell’s SuSE Linux server products in favor over other Linux distributions, including RedHat, in part because of this legal protection.

SCO can certainly appeal the decision, and given their history of tenacity, they might indeed do so. But yesterday’s ruling casts a long shadow protecting Linux users everywhere. And if that increasing competition spurs Microsoft towards greater innovation, then everyone benefits.

The full history of this fascinating case, and other related actions, can be found at http://www.groklaw.net.

If you need help understanding how to choose between Linux and Windows (and Macs, too!), we actively support all three platforms and would welcome the opportunity to help. Call us at (207) 772-5678.

Mark
CIO

P.S. If you’d like to subscribe to our blog, you can do so by linking to http://feeds.feedburner.com/ReliableNetworks

The article is a bit technical, but if you skip over the techno-blah-blah-blah, you’ll see that these two researches essentially circumvented what Microsoft is touting as the two primary lines of defense in protecting Windows systems from becoming compromised. Here’s a link to the ComputerWorld article: http://bit.ly/cs8jP9

Reps from Microsoft and Firefox were in attendance at the contest, and things were arranged in advance that the exploits were not to be made public, and indeed the security firm who sponsored the contest bought the exploits from the contestants and gave them to Microsoft and Firefox.

But that doesn’t help any of us at this moment, when we still have work to do on the public Internet. So, what can you do to protect yourself when the software that’s supposed to protect you doesn’t?

The short answer is: “Take your time and be careful.”

Take your time to be sure that your systems are fully patched, that you are running modern intrusion-prevention (expanded anti-virus) software with updated virus definitions, and that you don’t click immediately on any new popups, warnings, alerts etc. (often used by malware to get you to bypass your computer’s protective systems). Although the exploits these researchers used were very cutting edge, there are still a lot of older, equally dangerous exploits out there that patches and security software can defend against successfully.

Be careful about where you browse and the links on which you are tempted to click. Your best friend may have sent you an email with a spicy link you are drooling to click, but you got that email because your friend’s machine has been infected with malware which is trying to spread itself by sending emails to everyone in your friend’s address book! Click that link and you’ll infect your own machine… Be careful clicking on ads, even on reputable web sites. The ads are served up by third party servers, and malware-infested ads are all the rage right now as a favored attack vector. You would think you could trust an ad on, say, cnn.com, but you can’t always.

A terrific Firefox extension that helps with ads is Adblock Plus, which has been downloaded more than 75 million times and which has a five-star rating. You can learn more at https://addons.mozilla.org/en-US/firefox/addon/1865?src=api

Lastly, recognize that Microsoft and all the anti-virus software vendors are in a perpetual game of catch-up against the bad guys. If your job requires you to be a heavy Internet user, the chances are that your machine will at some point become compromised.

And when that does happen, we are here to help. Call us at (207) 772-5678 when you are ready.

All the best,
Mark Stone, CIO

We don’t play favorites here at Reliable Networks, and we think Exchange 2007 and Exchange 2010 are very good products, much improved over Exchange 2003 and earlier versions. We support Exchange at our clients as well as Zimbra; which platform they choose is based on each client’s unique needs.

VMware is now headed by Paul Maritz, who many pundits feel left Microsoft in a “three’s a crowd” situation nearly a decade ago.

Zimbra has been taking away some very big Exchange accounts from Microsoft since being acquired by Yahoo, and we expect that trend will accelerate with Zimbra now under the VMware umbrella.

So the good news for clients is that, when it comes time to upgrade your old Microsoft Exchange installation, you now have more interesting options than you did yesterday.

And watching the action as VMware and Microsoft compete on this new front, at least to techo-heads like us, is more entertaining than a new season of American Idol!

If you have questions about your email/collaboration choices, give us a call at (207) 772-5678. Zimbra isn’t for everyone, but neither is Exchange. We’ll help you make the choice that’s right for your company.

All the best,
Mark
CIO

Once the servers go off site however, the office’s connection to the Internet becomes the “weak link in the chain.” Some clients attacked that link by swapping out their current Internet connection for a more enterprise-grade connection (e.g. SDSL or bonded T-1s), but that still represents a single point of failure. Other clients upgraded their router/firewall to a device that can load balance or failover between two simultaneously active Internet connections. So when the cable modem service is down, the router automagically switches over to the DSL connection — totally seamlessly to the end users. Some router/firewalls even allow you to use one of those Sprint/Verizon Wireless PC Cards traveling laptop users have for the office’s secondary Internet connection. Which mix of redundant connections to use is a complex matter, requiring careful analysis of not only your bandwidth usage as a whole, but the workflow processes utilized by your employees, customers, vendors and others with whom you connect over the Internet, even if only by email.

As the Commonwealth of Virginia has discovered, not having any redundant Internet connectivity, even when using so-called “bulletproof” network connections, is just not acceptable. (You can read the story here.)

Consequently, we find our clients’ businesses increasingly require a conversation about the merits and costs of redundant Internet connectivity. For increasing numbers of clients, redundant Internet connectivity is no longer a luxury; rather, it is very cheap insurance if not a necessity.

If you need help deciding if redundant Internet connectivity is appropriate for your business, please feel free to give us a call at (207) 772-5678.

Mark
CIO

Now back to our regularly scheduled programming…

Zimbra 6 includes a number of document features already in Gmail and Google Docs, providing spreadsheet and Word-like document features.  Considering the price of Microsoft Office these days, Zimbra 6 and Gmail/Google Docs can be very cost-effective alternatives.

Unless of course the spreadsheets and documents you are creating you want to keep private.

You see, the Google Terms of Service give Google a perpetual and irrevocable right to use all of your Content pretty much any way they want, including republishing rights (It’s all in Section 11, here).  Sure, those same terms of service allow you to retain the copyrights in your works, but so what if Google can repurpose your content at will.

So, if you are using Gmail or Google Docs for anything confidential, well… it’s not.  If you are a bank, doctor, attorney, accountant or any other kind of professional with a fiduciary, regulatory or contractual responsibility to protect information and you have put any of that information in Gmail or Google Docs, you probably ought to speak with an attorney–fast.

Zimbra 6 on the other hand, has no such content licensing terms.  Nor do we (we are a Zimbra Premiere Hosting provider BTW); you not only retain full ownership of your data, you grant no Google-like licensing to us nor to Zimbra when you use Zimbra.

So if you are looking to avoid an expensive company-wide upgrade to Microsoft Office and/or Microsoft Exchange, while Gmail and Google Docs may look like good value for money, you’ll get what you pay for.  Talk to us about Zimbra (our system is very secure and  HIPAA-compliant out of the box.)

And the next time you speak to your own attorney, accountant or health professional, ask them if they are using Gmail or Google Docs, and if they answer yes, you may want to find a different attorney, accountant or health professional…

Mark Stone,

CIO

Since we are ourselves somewhat frugal, we have been using OpenOffice instead of Microsoft Office for several years now. Sure, we still have a few copies of Microsoft Office around when needed, but propeller heads like us get a big discount from Microsoft so the pain to our wallets has been minimal. (FWIW, Typically we exchange documents with others in Adobe Acrobat format, not Microsoft Office. OpenOffice includes a free pdf generator with a one-button click.)

Being open source, OpenOffice is both free and readily customizable by anyone who cares to. Novell (SuSE Linux), offers a version called Go Office which includes bits not included in the version available from OpenOffice.org, like better WordPerfect and Microsoft Office import filters. Sun offers a paid, supported version of OpenOffice and IBM’s Lotus division has a free, supported version of OpenOffice called Lotus Symphony.

Not widely reported, back in the Spring IBM made a decision that the OpenDocument format (a world standard supported by OpenOffice) would be the document interchange standard within IBM. The deadline for all 360,000 IBM’ers to start using Symphony (OpenOffice) instead of Microsoft Office is September 22. Already, 330,000 IBM’ers are using Symphony, according to Linux Magazine (http://www.linux-magazine.com/Online/News/IBM-Throws-Out-Microsoft-Office).

Of course, this doesn’t mean the end of Microsoft Office, but it is a nice reminder that we all do have choices, and that if IBM can cut the cord, then maybe we can do it too.

If you would like to learn if OpenOffice is for you (because it isn’t for everybody), call us at (207) 772-5678.

Mark Stone
CIO

Click here to subscribe to our RSS feed