Posts by Robin Joinson

3 publicly visible posts • joined 10 Jun 2007

Unisys blamed for DHS data breaches

Robin Joinson

Who was responsible for auditing DHS computer security?

It's not clear from the article what was compromised; for example desktops or servers, or both? Were the machines behind the corporate firewall or in the DMZ?

DHS ought to have an independent security officer whose job it is to do a comprehensive security risk analysis and a thorough compliance audit, especially where contractors are concerned, to ensure that standards are adhered to and maintained. The responsibility for ensuring this happens lies squarely with DHS senior management. Vigilant, independent scrutiny of contractors is a basic 'must-have' where strategic IT is outsourced and contractor incentives and penalties must be appropriately aligned to prevent commercial interests from compromising quality of service.

Desktops running Windows are especially vulnerable. For handling sensitive information, thought should be given to systems which are easier to secure and present more difficult targets for hackers. In any case, steps should have been taken to ensure that the compromise of a desktop does not necessarily lead to the theft of information.

Having network intrusion detection is good, but security should be multi-layered and the setup provided by Unisys, for whatever reason, was clearly unable to prevent the theft of important information and the misuse of DHS assets.

NHS IT boss quits

Robin Joinson

Part of a much deeper malaise

Sadly, the departure of Richard Granger is symptomatic of the way big projects like this often go.

Some involved in this project were smart enough to cut and run months ago, when the taxpayers' money started to dry up and the writing was on the wall. They hired slick lawyers to get them off paying contract penalties, too. The less fortunate, who stayed on, have practically been bled to death.

Nobody in an official position seems able to say, in unambiguous terms, what has been delivered and there's very careful avoidance of concrete timelines and budgets; a very bad sign. It says something for Granger, I suppose, that he was prepared to sustain this amount of career damage and serve out (most of) his five-year term.

Unfortunately, on the whole, the people who run these big projects tend to excel at manipulating networks of business relationships and meetings, acquiring status and grandiose titles, but they lack the managerial and engineering acumen to pull off a big project.

That's an important reason why (depending on whose statistics you believe) something like 80% of big IT projects fail when measured against their startup criteria. They're not more inherently risky than, say, building a motorway, but fail they do. I doubt whether this failure rate would be acceptable in civil engineering projects of a similar size.

IT seems to have been particularly unfortunate in acquiring a class of pseudo-professional 'project managers' who equate high status, big budgets and a ton of paperwork with delivering something real. The warning signs are often ignored until the thing has gone way over time, way over budget and delivered very little of substance.

As many Reg readers may know, the term 'City Slackers' has been coined to describe such people. Apart from the designer suits, BlackBerrys and over-specified laptops, their main distinguishing characteristic is a CV full of 'successful projects'. Closer examination reveals that these are projects they have left at just the right moment, before, as another reader says: "enormous quantities of excrement collide with the spinning bladed thing".

Unfortunately, there's no driver for change here. This culture is self-perpetuating. Who wants to do the real work, when there's a great career to be had, at the taxpayers' risk and expense, by swanning through a bunch of meetings, landing one plum job after another, without actually delivering anything?

Exactly what has NPfIT delivered? And how much has it really cost? I think we should be told! Or will we all have to wait for the Public Enquiry?

Visual Studio Shell (not Visual Studio's hell)

Robin Joinson

Better than what's already offered by Eclipse?

I don't think so!

What MS _don't_ seem to be offering is a cross-platform IDE for a full range of languages with a good choice of developer tools from a wide range of vendors.

How do I work with Java (MyEclipse) or my Oxygen XML editor, for example?

Where's the Ruby integration? How about Google Web Tools?

I'll need a _lot_ more than this to make me switch from Eclipse!