Kirt Cathey, CISA, CISM, CISSP

It’s been a long while since this blog has been given any attention. In my new position, a lot more time is spent in the office behind a secure connection that does not allow the liberty of accessing blog and typing into web/text interfaces. Of course, there’s always a way around that, but as one of the rule-makers, it wouldn’t be wise.
Anyway, I’ve decided to eliminate all the traditional hard disks in my life. I have five computer systems (four laptops and one desktop), but only three systems are currently operational due to hard drive failure. That is a 40% failure rate! Our daughters’ MacBooks and my desktop work just fine – for the time being. In my experience, just about all hard disk drives fail. It’s only a matter of time. Here are my reasons for giving up on traditional hard disk technology.

1) We have been using the same technology for hard disk drives – spinning metal platter and mechanical reading arm – for over forty years. This has got to be the oldest technology still in our systems, and the faultiness is starting to stand out against the myriad of other technologies that are included in modern systems. Hard disks creep me out, buzzing, crick, creek, scratch, then spin-to-no-end until… nothing happens some times. When that happens, we get edgy and testy, especially if you’ve had a number of crash experiences. Okay, we should recognize credit for the fact that technoogists have found ways to cram more and more data on the same platter. We should also give credit for the fact that the platters did get smaller and the drives got quieter. We should also give credit for the creative ways they have found to coat the platter with strange things from animal fesces to frog mucus to make the platter just a bit more reliable. But that’s about it! A floppy arm with a little head that reads a platter is old, has-been technology that needs to go the way of vinyl LP!
2) Most OS fit on 10 GB. The latest version of Ubuntu (11.0.10) will fit on about 5 GB, OS X (Lion) will fit on 7 GB, and Windows 7 will fit on 10 GB. Okay, I know these are bare minimums, but with proper swap space in most computers, all we really need is about 16 GB anyway. With a 32 GB flash or SD disk, that leaves about 16 GB for files and stuff that many are not storing on their computer, or only storing temporarily anyway. We also have to address OS bloat soon, because over 10 GB for a read/write system, input system, windowing system, and network connectivity even with a few extra features is indicative of sloppy code. Code bloat also means that there is more code to secure, so we need to start demanding fast, secure, and slim code in our OS. Now that I let the cat out of the bag, yes, I am converting all of my systems to SSD and advancing to a computing life beyond hard disk failure. More on that later.
3) Most of our storage is centrally located on resiliant network storage and synced with cloud services, so who needs local storage? About the only thing we store on our computers are links and Kindle books, and maybe some music. The rest of my data is in the cloud or on my iPad, or in Carbonite or DropBox. ‘Nuf said here. We really have nothing to hide except passwords, so cloud storage and cloud document services (Google Apps, for example) work fine for us.
4) We don’t really use anything beyond the first 100 GB of our hard disks. Yes, there is the pack rat freak that has 50 GB of music, 50 GB of books, and 200 GB of torrented programs combined with about 300 GB of installed programs. But that person over the course of a year (or years) will only listen to about 1 GB of music, watch 5 GB of movies, read 200 MB of books, and only really use about 20 GB of installed programs. All other computing is on the internet in one form or another. We are also approaching an age where just about any installed program has an online compliment. Even image editing, for example – the other day I really wanted to re-install one of my Adobe programs, but decided otherwise, edited an image with an online service instead.
5) We need more resilience – I touched on this in the first point, but it deserves a separate point. Traditional hard disks are not resilient. No matter how refined the ‘parking’ capability (remember that phrase?) of the disk arm and head have become. No matter what kind of fish poop and seaweed/silicon mixture coating covers the disk platter, that metal disk will become corrupted with the slightest piece of dust or blemish. With a reading head flopping around on top of that platter, the slightest bump, or even over-reading the same tracks, and almost anything else in that should-have-been-left-behind-in-1999 has-been technology can and will go wrong.

Solution – Most modern BIOS on laptops and computer systems will allow you to boot from USB. The latest version of USB is rather fast, but you will notice slower write speeds. The next best option is to pickup the SATA II or SATA III flash memory adapters and put in separate fast compact flash. However, the ultimate best solution, and what I am in the process of doing, is to install SATA III SSD – both 64 GB and 128 GB – in place of a 2.5 hard disk on laptops, or use the 3.5 inch bay brackets that come with most kits to install on a deskop.
On, on!

Share on Facebook

Share on Facebook

As many of you know, I left Deloitte late last month and have moved onto a position within IT Audit at SMBC Nikko Securities. This new position puts me in the thick of a Japanese working environment, which is challenging on many levels – language being the least of which. I look forward to this career change since it pulls out of the rat race that Big Four job have turned into. Long gone are the days where Big Four managers could get regular work and charge exorbitant rates. The competition is stiff and the rates are falling through the floor, which makes it a good time to get out.

The new job, however, is a solid audit department with appropriate positioning independent from finance and reporting directly to the board of directors. While this new audit team has not had the recognition they deserved, now that we are a part of SMBC, the team’s visibility is elevated and most corporate politics aside. The last point is usually a big deal for auditors.

I spent the weekend moaning because I couldn’t go mountain climbing, but also put together a great dual monitor setup on Ubuntu 11.04, and am running (quite successfully) VirtualBox for a Win7 virtual machine. So far, I am impressed with this Ubuntu setup. Quite a contrast from Redhat that I was using back in 1999!
With Ubuntu I managed to get live streaming from a web cam running into justin.tv, so you can see me working at the console, or view an empty messy home office. If anything, take a peek after you hear about a Japan earthquake to see if the book shelf fell over and destroyed my desktop. http://justin.tv/workpapers

Share on Facebook

I’m back in Japan and back to the grind after a good, short vacation on Guam. I was called back to JP for some clean-up work before I change jobs, and also thought it would be a good idea to do some programming on the home development server to release WorkPapers Windy 2011; which is about two weeks past due.
Lately, I have been programming a lot of python in order to create a REST API for WorkPapers (http://workpapers.pro). The first version of this API will be used for push/pull/replication functions in this upcoming release of the desktop application. While working on that Python project, I managed to pickup Django and Django-CMS, which led into a portal for WorkPapers users (beta version at http://portal.workpapers.pro) to exchange templates, checklists, and audit programs. We currently have a library of MS Word, Excel, and PDF documents that will be uploaded to this portal for sharing with paid WorkPapers users. Right now, if you are reading this blog posting, you can see the site without paying but the content is limited.

So much for WorkPapers…. while on Guam last week, I created a bunch of water slide videos with the GoPro100 sports camera. Here is one picture which shows that it also comes in handy as a wide angle camera as well.

Atsuko and I - using the GoPro 100

As a father, sometimes I feel guilty for not taking enough family photos or videos. With other equipment, we have photos down to a science, but videos get tiresome. So with the little GoPro, videos become a passive activity. Check this one out taken by my daughter Hannah going down the water slide.

Hannah On Waterslide @ PIC Guam from Kirt Cathey on Vimeo.

As you can see, it’s HD quality, sound is well controlled even in a water-proof casing, and water does not distort the image too much. For more information on GoPro, Google it.

On, on…. stay away from nuclear waste and ‘try’ to stay on firm ground.

Share on Facebook

I was perusing freelance programming postings on elance and found this one:
=================================================

Following is needed:
1) Recommend the most cost effective Java host for developing a small web app
2) Set up this host, AND development environment (IDE) — I am a rusty programmer who does not know Java.
3) Provide working Java code samples that perform the same/similar functions on each of the following web APIs: Facebook, Google, LinkedIn, Yahoo, Twitter. These functions are:
a. Authenticate/login (store a user’s login credentials for each and login to each API)
b. Perform a query against each (e.g., find people I know with last name “Smith”).
4) Provide some training to help get me modifying and running my own Java web apps utilizing these samples.
============================================
The funny part is this job was posted for ‘less than $500′! First of all there is no ‘API’ for a Facebook, Google, etc…. those services have APIs that allow a variety of connectivity/functions. Second, the big red flag is that the person that is hiring doesn’t program, so he will never be satisfied. He may as well have posted:
========================
I want a starving programmer I can underpay and abuse for an unlimited amount of time. I do not know what I am doing, so I need somebody to boss around because I just got hired in a real job as a programmer but don’t know how to program.
=========================

Share on Facebook

Or, as normal as a foreigner living in a Japanese nuclear leakage zone can be. Packed my brief case, put on a necktie, and headed into Tokyo this morning. Was interesting with dark train cars, no heating on the trains, darker train stations, and all the escalators shut down. It’s a different Japan and will be different well into summer of this year.

Our house is zoned outside of the regular power outages, so I can keep this new home server humming and continue to develop, script, and otherwise hack unencumbered. Well, almost unencumbered. This little server screams – it boots Win 7 Ultimate 64-bit in less than 15 seconds, the graphics are awesome, the screen is a nice 27 inches, and all is zippy except that about every four hours I get a BSOD. Yes, something I have not experienced for years. The sad thing is that it is not a consistent blue screen dump, but always changes, so probably a RAM thing. Probably go by the store tomorrow and invest some yen in a new matched pair of memory.
#293 of TWiT this week covers the iPad2 for a good part of the show, but they do not mention that it will probably be released a bit later than originally planned. Or, will it? Do they know something I don’t?
Now with two weeks passed since the earthquake, I am hoping that the nuclear situation will finally, finally settle and put all the drama queens among us at ease. I am sure it will take at least another two weeks for everybody to get back into a productive groove and actually look forward to it.
Over the past couple of weeks have been in an ongoing discussion that may change the course of my career… will reveal more on that in the next posting.

Share on Facebook

Throughout my life, the wiser individuals have pointed out propaganda, sensationalism, and how one should only believe a part of the news that’s broadcast. This experience has been a big lesson and has made those advisories so clear; especially as it applies to CNN and Wolf Blitzer. I am in Japan and have lived in Japan for a third of my life at this point. I read, write, and speak the language fluently at a near-native level. I am not confused by the events here… unlike the stupid American reporters that keep claiming ‘mixed signals’ or ‘unclear messages’ or ‘changing stories’. CNN can report all this because they do not know what is being said.
Three minutes after the earthquake last Friday, I knew that reactor #1 in Fukushima Dai-Ichi was damaged. Every hour since then I have had very clear updates and feel that the Japanese government and Tokyo Electric has offered full-disclosure and the greatest transparency possible. Associating this incident with Chernobyl or Three Mile Island is absurd. Both of those incidents involved cover-up. There is no cover-up here and I feel very confident that the situation will be resolved.
What I don’t understand is what the morons that ran away are going to do at the end of this three-day weekend and all is cleared up? I know of two people that may not have a job. I know of another person that will be completely broke, because he blew his life savings on business class plane tickets and hotel bills. All because he didn’t ‘understand’ the language and ‘believed’ CNN.
One thing for sure – all the stupid people are filtered out and life will be easier until they all come back. To have the nerve to think that we have it hard and that any kind of disaster is among us (yet… I could be wrong when the next reactor blows) is an insult to the tens of thousands of people north of us that lost all of their homes and belongings. We should be here to help them by keeping the economy going. The sooner we recover mentally and productively, the quicker our northern victims can pull pieces together and set out on the road to recovery.

Share on Facebook

Just as I start to write this blog entry the NHK station that I incessantly stay tuned into reports an upcoming earthquake warning… yet again. Since Friday March 11, there have been over 300 after-shocks only about 40 of which I can remember actually feeling or experiencing. Also, if the only news you have is from Wolf Blitzer on CNN, then you are drastically misled about the current situation.
Since I was small child I have experienced four major natural disasters – the first was typhoon Pamela when I was 11 years old growing up on Guam. Then the 1989 San Francisco earthquake, then typhoon Paka on Guam in 1997, then the great Kanto-Tohoku earthquake last Friday. This one is by far the most unsettling and ongoing experience because the people around me (namely, the Japanese people) are such drama queens. They freak out over the smallest bit of news. Besides a nuclear reactor melting down about 170 miles away, Tokyo residents are in such good shape because all the destruction really happened from the tsunamis that devoured Miyagi and Iwate well north of Tokyo. Despite this, Kanto residents are running to fill their cars up because they think that without power for a mere three hours a day, all the supplies and gas will run out! Pfff!
I want to meet that Japanese person I saw on Friday night that bought all the bread in the store. What’s he doing with five-day-old bread right now? We kept our cool, since my wife has been through a typhoon disaster or two. When there were long lines at the stores on Monday, we came home. When we went into stores and saw that there was no meat or bread, we bought flour, yeast, milk, and eggs. No biggie. Today (three days later) we went to the stores and I snapped a few pictures.

Empty cooler in a Japan grocery store.

The shelves are still empty, but you can buy bread, meat is back on the shelves. The quick foods like instant curry and noodles have doubled in price and there is a limit to two or three items per person. The only thing I really don’t understand is the unpreparedness. Living in Japan, we constantly get directions from the community and township groups to prepare – stock up on canned goods, keep five days of drinking water, know where the local disaster shelters are, and confirm protocol with your kids and spouse. We did all these things and it has been a smooth ride; literally. One thing for sure, I’m not the dumb ass sitting on five-day-old bread, wondering what I’m gonna do with it. Instead, we have fresh meet, ten cans of Stag Chili and many other varieties of canned food, all the fixings for tacos (including salsa and just bought the ground beef today), plenty of drinking water, and a whole lot of chocolate and candy, fresh home-made bread, and everything else we would normally have.

Dairy Cooler - Six Days After

As you can see from the dairy cooler above, some people are also sitting on a lot of that pasty, nasty-tasting boxed milk. All the good milk is at the bottom of the cooler and there is plenty of it.

Besides the death and destruction that was left in the wake of the tsunami on Friday, all we have to clear up to get on with life is the nuclear reactor. As I sit here, I am getting yet another report of the white smoke bellowing from the fourth reactor. Since Sunday, each day has brought a different reactor problem, starting with number one. Work is in Tokyo, which directionally would put me closer to the nuclear reactors, so I am diligently avoiding trips to Tokyo this week, or until those reactors settle down. On Friday night I was stuck in Tokyo without train transportation or any means of catching a taxi, so it took 21 hours to get home. By all means, I do not want to be in Tokyo when they call an evacuation due to a complete melt-down.
On! On!

Share on Facebook

Over the last couple of months have really enjoyed studying, coding, debugging a bunch of Python code, but last weekend I got the photo bug again. Going to make it a point to pick up the cameras this weekend and organize photos and shoot a few. Stay tuned.
If you are a WorkPapers user and are looking for a next release update, please visit that blog at http://workpapers.pro/blog.
After BASIC, Pascal, C, C++, Perl, Objective-C, RealBASIC, and Java, I have found Python! For the cloudy world that we live in these days, with applications being split between the web and desktop (e.g., real rich web applications), it’s really hard to beat the Java-Python combination. Of course, if you want to develop for Apple, then need to pull X-Code and Objective-C out of the arsenal, but for everything else – Java and Python more than fill the requirements.
First, many Java frameworks provide the ability to compile Java code into Javascript for rich, fast client-side web applications. Then Python on the server side is soooo fast and the frameworks are so abundant for just about anything you need to do.
My most recent tests with Python are at tuple.co and pst.bz. Tuple is still an experiment and very beta, but will be extended into a micro-blogging service that will put limitations on ‘noise’ and the number of followers one can have. In other words, I like micro-blogging, but Twitter is just too noisy these days; and I do admit guilt in promoting my own software on that network. But come on! With 6,000+ followers, I can no longer take updates through the cell phone, or I would have to pay money for another service that will filter and SMS these messages for me. Not. For security reasons, without getting into too many details, Tuple is a python script and it is blazing fast. If anything, I’ll use it and very soon will pipeline those updates to Twitter, Facebook, etc…

Overall, Python’s simplicity and odd coding structure make the learning curve similar to Objective-C. After a few weeks of pouring over code and debugging, this light flashes and you ‘realize’ yourself into understanding.
Now onto working on the SIEM white paper we recently started. When we release it at the end of the month, will blog about that.

Share on Facebook

Exactly one year ago when I started on the latest iteration of WorkPapers.Pro, the web application development took front and center position, and a desktop integration was an after-thought… for a couple of reasons. First, I had already developed about four different versions of the desktop application in multiple languages, so was not worried about generating another iteration to accommodate the web application rapidly. On the other hand, developing a web application for the internet (versus intranet) was a new experience and took more time.
The release times reveal this. The web application took about nine months to develop into its current incarnation, and one can argue that the development of a web application never really stops at version releases. The desktop application took all of about ten weeks to put together since we could re-use a lot of the web application code.
Anyways…. yesterday morning I set out once again to figure out a way to package a web application into a desktop package that end-users could install and be happy. For some reason, with all the web application (notice I did not use the word ‘cloud’) buzz you would think that users would not require a desktop application, but I have found that 80% of my users are willing to purchase the monthly subscription because we offer a desktop application.
To answer the end-user craving for a desktop application and to eliminate the requirement to manage two code sets, I am willing to go great lengths to deliver the web application in its entirety to the desktop application users. The first solution that came to mind was to develop a dedicated browser that throws the web application into a consolidated browser – hence, Prism from the Mozilla projects, and Fluid on OS X. Both of these solutions basically take your favorite web application or web site and put them into a dedicated browser experience, create a desktop icon, and isolate the browsing experience. With WorkPapers.Pro isolated into Prism, the experience was actually impressive. It really felt like a desktop application because all of the code is browser loaded script. Facebook, on the other hand, felt cumbersome because it constantly called back to the server to reload something and I felt like that experience actually belonged in a browser tab.
After a couple of hours of trying to package Prism with Advanced Installer and a couple of other solutions, I gave up and decided it was time to try something else. Then I went through the Mozilla projects page to see that Prism was becoming a deprecated project, patted myself on the back for giving up, then found Chrome-less. Chrome-less is an effort to allow developers to create whole web browsers with Javascript (and no you morons…. javascript has absolutely nothing to do with Java), HTML, and CSS. This development project offers a lot of potential, but it is so new that Mozilla still has not come up with an icon for the project and all of the tutorial and getting started links point to links to the tutorial and getting started links, which point to all the tutorial and getting started…. you know what I mean.
One big technology behind the Chrome-less project is XULRunner, which is the run time and SDK upon which Firefox, Thunderbird and many other commercial and non-commercial projects are built. I dabbled with XULRunner and discovered that you can build a whole browser with about 30 lines of Javascript and XML, if you are willing to accept the fact that the project file structure has to be a certain way without any real explanation for why it has to be that way.
In the end, I opened up RealBasic Pro and put an HTML viewer in a document window, coded a couple of pre-compile directive #if statements to tell Windows clients to use Firefox rendering if available or IE 8 if available, and had a custom browser that displayed the WorkPapers.Pro web application just the way I wanted it to. Bye, bye desktop code! This decision is not final, but close to it.Here is a screen shot.

WorkPapers Dedicated Browser

Click of the link for a bigger image. You can see that a dedicated browser without the navigation bar, navigation buttons, and browser menu can take a web application and make it look like a desktop application. There are some motivations for this effort:
1) Eliminates having to setup firewalls for desktop application to replicate data – especially in corporate environments
2) Eliminates data replication altogether
3) Generally speaking, data is safer on a server instead of spread out on everybody’s hard disks
4) Manage a single code base and include the dedicated browser code development with web app development
5) Users do not have to pay the additional cost of a desktop application
While most of the WorkPapers Browser was completed with just a few hours of coding, there are still a couple of necessary enhancements, such as proper file download handling, enhanced rendering for Linux, and installation file setup. After all this is done, will make the final decision – deprecated the WorkPapers desktop application once and for all, or keep on maintaining a second set of code?

Share on Facebook