Monday, November 27, 2006

IT security

You may think that the IPCC incident is the biggest joke in IT security, and that Hong Kong, in particular the government, is inadequate in IT management and IT security training. Not necessarily so. There are many ways to breach the most sophisticated IT security protection. Protecting a system with a leading-edge firewall, an intrusion detection system and other advanced technology is only half the solution. The human factor is the most vulnerable part, and it includes evil-minded criminals as well as ignorant and careless users and staff.

I read an article from Reuters yesterday reporting that banks are increasingly concerned about the physical theft of confidential client data by insiders or impostors. You can read the full article at this link. Here are the main points.

"Banks are pouring money into building formidable defenses against computer hackers, but are only just waking up to what may be a bigger threat -- the physical theft of client information by people in the office. 'You can have a fortress-like security system, but if you are not terribly discriminating with consultants and temporary employees, there is a terrible vulnerability,' said Oveissi Field, managing director of Daylight Forensic & Advisory, a security consultancy. 'If people can get physical access, the game is over.'"

"Banks, especially in Europe and the United States, are investing vast sums to make computer systems impregnable and have been warning customers of the dangers of being duped into giving away confidential information about their accounts. 'Identity theft can happen through hacking into a bank system or internally with someone walking out of the door, and that worries me more than phishing,' said a security officer at a major European bank."

"Widespread outsourcing of data management and other services has exposed some weaknesses and made it harder to prevent identity theft by insiders. 'There are lots of weak links,' said Oveissi Field. 'Back-up tapes are being sent to offsite storage sites or being mailed and getting into the wrong hands or are lost through carelessness.'"

"What banks worry about is that they may have a combination of weaknesses such as staff vetting and physical security, which when put together can let a sophisticated attacker get at their real crown jewels. Banks are starting to respond to the threat by combining teams working on physical and information technology security, which traditionally have been separate functions."

I think the article is a bit unfair on outsourcing as a source of data leakage. Outsourcing is the order of the day. Very few companies can afford a highly skilled IT team without resorting to expert help from the market. The loophole is actually neglect of IT management and a lack of proper IT security guidelines.

The point about staff vetting and physical security is quite valid. For that matter, I note that this point applies to any type of security, not just IT security. Staff vetting can be extended to all staff, including those from outsourcing contractors if necessary. However, there is very little that staff vetting can do: first, it gives only a snapshot, possibly inaccurate, of a person at a certain point in time; and second, people may turn bad at any time thereafter. The suggestion to combine physical and IT security is good. A single team led by someone with overall security in mind can help plug more loopholes.

Reflecting on the IPCC case, it was neither technical incompetence nor a skilled hacker that caused the data leakage. It was insiders, those who were entrusted with the data, who negligently or carelessly let it loose into the sea of the internet. Such leakage could also be caused by the malicious intent of dissatisfied employees. A sophisticated IT security system can only do half the job. In fact, the easiest way to get access to a secured system is through unaware clients and staff. A secured system starts with a proper level of alertness about user names and passwords.

Wednesday, November 22, 2006

Make it Mozart 純呈莫扎特

It is now November 2006, still the 250th anniversary year of Mozart's birth, so it is not yet too late to celebrate his 250th birthday. Some time ago I saw that the City Chamber Orchestra of Hong Kong 香港城市室樂團 would present a concert made up entirely of Mozart's works; the programme was very attractive, so I bought tickets straight away. Last night (20 November) I went to HKU to hear the performance.

The programme was ideal: Mozart's Divertimento No. 11 in D major, Piano Concerto No. 9 in E-flat major, a Concert Aria for Soprano and Piano, and Symphony No. 40 in G minor.

The guest musicians had impressive credentials. There was the renowned Israeli conductor Lior Shambadal 沈伯道, currently chief conductor of the Berlin Symphony Orchestra and music director of the Leipzig Mendelssohn Orchestra. The piano soloist was the Austrian pianist Gerda Struhal 斯圖哈勒, and the soprano was the Canadian soprano Amelia Watkins 韋健絲. The consuls of these three countries in Hong Kong were guests at the concert, and I also noticed what looked like Israeli security agents in the hall.

I already know all of these works well, but what left the deepest impression on me was Struhal's interpretation of the Piano Concerto No. 9. Her playing was steady and fluent, fully bringing out the spirit of Mozart's music. I admit I may be a little biased here, because I know this work particularly well and am very fond of several themes in several of its movements, so hearing an outstanding interpretation moved me especially.

Worth special mention is that the concert took place in Loke Yew Hall at HKU. The old hall has a very high ceiling, so the acoustics can be very good, but a performance on the built-in stage does not make effective use of this. That evening the orchestra did not use the stage but set up where the front rows of seats are; there were fewer seats, but the sound was ideal. Unfortunately, because the players were lower, the view of the audience in the rear rows was badly obstructed. Luckily I knew in advance that seating was unreserved and arrived early, so I chose an ideal seat in the front rows.

Friday, November 3, 2006

Centre Pompidou 龐比度中心

I had originally planned to go to France in October and to visit the Centre Pompidou while in Paris. Unfortunately the trip to France has to be postponed to next year, but dozens of treasures from the Centre Pompidou have been sent to Hong Kong for exhibition, so I would actually have seen far fewer of them in Paris; as the saying goes, the world is unpredictable. Since returning from my travels I had been meaning to go, and this week I finally spent an afternoon at the Hong Kong Museum of Art looking at the paintings.

Admission to this exhibition is forty dollars, but it is well worth it; the two Modigliani paintings alone are worth the price of the ticket. Art is worth little to the Hong Kong public; the general idea is that the government should pay for every kind of art. But if artists have to depend on the government to feed them, is there still real creative freedom? I had just visited the Pergamon Museum in Berlin, where admission is forty euros, that is four hundred Hong Kong dollars, ten times the price. We really have to thank the Hong Kong government.

Last year the Hong Kong Museum of Art held an exhibition of famous French Impressionist paintings, and many friends went to see it. The development of the Impressionist style was precisely a path opened up by a group of painters who were not accepted by the government and the upper classes of their time. This turn in art is extremely valuable in art history, but I feel that, seen today, the Impressionists' mode of expression is still inferior to the emotional expression of modern art. After all, modern art inherited the momentum of Impressionism and then developed for another generation or two.

I have picked out a few of the exhibited paintings to show friends who have not yet visited. These are all painters I love; there is also Miró, whom I admire, but unfortunately only one installation of his is shown and none of his paintings.

Paul Klee - The Blacksmith

Pablo Picasso - Harlequin

Amedeo Modigliani - Gaston Modot

René Magritte - Le Modèle rouge


After the modern paintings, do not miss the Qi Baishi exhibition on the fourth floor. It is a large exhibition with very detailed material. Besides Qi Baishi's paintings from each period (including, of course, his most famous series of aquatic creatures), it covers the changes in his painting style in each period and the reasons for them, as well as his travels around China. Qi Baishi visited Hong Kong early in the last century; based on his diary from his time in Hong Kong, the exhibition presents the old appearance of the places he visited, which is worth seeing.