Matt's Real Estate Technology Blog

Archives

July 2008

Jul. 25, 2008 - Bill Chee's wisdom

Inman news reported today that ex-NAR president Bill Chee, who delivered the "Lions Over the Hill" speech in 1993, now says that his fears of Microsoft and other threats to the real estate industry at the time turned out to be unwarranted. In hindsight that may be true - but one should consider that Bill's own words and influence may have had at least some effect on how the industry responded to threats at the time and the resulting outcome.

Bill Chee is a very, very smart man, and I remember very clearly something he said to me when we were on a panel together for the Wisconsin Association of Realtors conference in 2002 - I even wrote it down at the time. He said, "I was wrong about Microsoft being the lion coming over the hill ... the lion really coming over the hill is the consumer."

I believe that our industry still has a lot of work to do to meet that next challenge. I've been doing a lot of thinking about that .... stay tuned.



Jul. 23, 2008 - The Best MLS System is...

"Which MLS system is the best?" Clients perpetually ask me that question, and it also regularly comes up on email lists and in web-based discussions.

To some extent, the question is a bit silly – akin to asking someone, "What’s the best place to eat in town?" Of course no two people agree on what restaurant is the best – they have different cuisine preferences, tastes, service requirements and budgets. One person will have a good experience at a restaurant and recommend it, while another will go to the same restaurant - maybe on an 'off' night - and have a bad experience and subsequently warn people away. We’ve got to recognize that answering the MLS question is similarly difficult.

Most vendors have both very happy customers and unhappy ones, as well as a number that are between those extremes. When one asks the "Which MLS system is the best?" question on an email group or web site, you will likely get answers from both extremes – and it’s just not that helpful. Every year Clareity Consulting performs a survey of MLS Customer Satisfaction (e.g. http://www.callclareity.com/7thAnnualMLSCustomerSatisfactionSurvey.pdf) to try to provide a more comprehensive answer to how each MLS vendor is doing – but while you have to take reference checking and customer satisfaction into account in such a system selection decision, the experience of others is not necessarily the best or only predictor of your own experience.

What differentiates the MLS options, really? At a high level, system and service. After all, MLS vendors are Application Service Providers (ASP) – they provide both system and service, and need to be evaluated on both. Service may seem easy to evaluate, but it can be difficult to measure. If the vendor is providing support to staff or MLS subscribers, what call center metrics can they share with you? How much service will they provide in customizing the system to your specific needs and how will they respond to ongoing enhancement requests? The “company fit” and relationship that your MLS will have with the vendor can sometimes be difficult to gauge in advance. As for the system, sometimes things we take for granted, such as speed, reliability/accuracy, and uptime may not be a given, at least not these days. Each system also has a unique feature set for the web-based system as well as for PC-based software, PDA, or voice interface – we have to answer the question, “What would your subscribers be giving up if they were moved to a new system and what would they gain?” The MLS staff also has to consider how much functionality there is in the system to help them provide a high level of service to subscribers – this may include features like listing compliance workflows, easy to use robust RETS / data feed setup, and features providing staff with direct control over many aspects of the system. There are other considerations these days as well – for example if your market is considering a data share, how much experience does the vendor have implementing them and what is their track record? Finally, though the vendors are generally very cost competitive, sometimes cost enters the equation. I always advise clients to choose the system they really want over a system they don’t want nearly as much but with which they could save some money. I don’t think any MLS ever regretted selecting a great system that they could afford, but I know of plenty that regretted going with the lesser preferred system to save money.

Changing systems is hard for MLS staff and subscribers alike, and it isn’t something to do lightly. I typically perform an extensive member survey as part of the selection process, and more than once in the past year clients have seen such high levels of satisfaction with their current system that they’ve decided there was no way a new system would provide enough benefit to justify moving to it. Of course, you have to find a good balance of listening and leading – if all MLS executives did was listen to subscribers, we may still be using books! Also, thoroughly evaluating the benefits of moving to a new MLS system involves rigorous work, and building a robust Request for Proposal (RFP) and evaluating the proposals obtained from qualified vendors as part of an MLS Selection Process is one of the more complex services my company provides.

Which MLS system is the best? Honestly, there’s no one answer that’s true for every potential customer. Only with rigorous evaluation of your system and service needs and comparing those needs to the capabilities, system, and services provided by each vendor can I even begin to know which vendors may be good to include in an RFP – let alone have some sense of the answer to the final question: “Which MLS system might be best for your MLS?” When I’m involved in a selection process, my goal is to make sure that all of the appropriate information needed to support the decision has been gathered and presented clearly so that the MLS leadership (board of directors, committee, task force, etc.) can easily answer the question for themselves.



Jul. 21, 2008 - Alert for Web Programmers and Managers: SQL Injection

This is for my readers who are, or who manage, web application programmers. I sent this update to my security assessment clients about a month ago but the urgency has continued to increase as attack rates are rising ...

I've been seeing a lot more injection attacks on industry sites - some automated, some manual. If you have web applications and haven't been testing for SQL and XSS injections - get on that PRONTO!

Even if you think your input validation is under control be careful - attackers are getting a LOT sneakier:

* Using HTML entities instead of the characters, encodings like UTF-8, long UTF-8, UTF-7, Unicode, US-ASCII and even HEX. Watch out for 'declare' and 'cast' in inputs ... not your friend.

* Not using special characters - leaving off the single quotes, using 'fromCharCode' to create them, or even using grave accents as a replacement.

* Messing up regular expressions looking for SCRIPT by embedding tabs, spaces, carriage returns - or encoded versions of the same!

* Sending you naughty content not just through traditional inputs and URL strings, but through cookie manipulation.

* Leveraging your platform - such as SSI (if installed), renaming JS files to image extensions for upload, even using your application platform to create the script.

* Going beyond JavaScript and using VBscript.

* Injecting into image tags - including dynsrc and lowsrc attributes, in BODY onloads, in CSS calls, in titles, meta tags, iframes, TD backgrounds, DIV styles, BASE tags, OBJECT tags, XML, Flash actionscript and more!
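
Why character blocklists do not keep up with the list above, shown as an added example that is not from the original post. The table, the `BLOCKLIST` pattern, the function names and the sample input are all constructed for illustration; the database is an in-memory SQLite instance.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data standing in for an application database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE listings (id INTEGER PRIMARY KEY, agent TEXT)")
    db.executemany("INSERT INTO listings VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db

# Hypothetical blocklist: it looks for quotes, statement separators, comment
# markers and a few keywords, and treats everything else as safe.
BLOCKLIST = re.compile(r"['\";]|--|\b(declare|cast|union)\b", re.IGNORECASE)

def lookup_blocklist(db, listing_id):
    """Weak: filter the input, then splice it into the SQL text."""
    if BLOCKLIST.search(listing_id):
        raise ValueError("rejected by blocklist")
    sql = "SELECT id, agent FROM listings WHERE id = " + listing_id
    return db.execute(sql).fetchall()

def lookup_bound(db, listing_id):
    """Hardened: allow-list the expected shape, then bind the value.

    The bound value is sent as data, so it can never change the statement,
    whether it arrived in a form field, a URL string or a cookie.
    """
    if not re.fullmatch(r"[0-9]{1,9}", listing_id):
        raise ValueError("listing id must be 1-9 ASCII digits")
    sql = "SELECT id, agent FROM listings WHERE id = ?"
    return db.execute(sql, (int(listing_id),)).fetchall()

# Constructed input containing no quotes and none of the blocked keywords.
QUOTELESS = "2 OR 1=1"

if __name__ == "__main__":
    db = make_db()
    print("blocklist, normal id:   ", lookup_blocklist(db, "2"))
    print("blocklist, quoteless:   ", lookup_blocklist(db, QUOTELESS))
    print("bound, normal id:       ", lookup_bound(db, "2"))
    try:
        lookup_bound(db, QUOTELESS)
    except ValueError as exc:
        print("bound, quoteless:        rejected:", exc)
```

The blocklist version returns every row for the quote-less input because the filter has nothing to match, while the bound version rejects it before the query runs.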
 

I think my "favorite" workaround for XSS validation is where the validator gets rid of script tags in inputs but doesn't search recursively, so the hacker inputs "[SCR[SCRIPT]IPT]" and it gets rid of the middle "[SCRIPT]", leaving.... [SCRIPT]!
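
The single-pass filter described above next to two alternatives, as an added example that is not from the original post. The function names and sample strings are constructed; `NESTED` is the post's bracket pattern written with angle brackets, and `html.escape` is shown for the HTML body and quoted-attribute contexts only.

```python
import html
import re

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)

def strip_once(value):
    """Weak: one pass of tag removal, like the validator the post describes."""
    return SCRIPT_TAG.sub("", value)

def strip_until_stable(value):
    """Still a blocklist: repeat the removal until the string stops changing."""
    previous = None
    while previous != value:
        previous, value = value, SCRIPT_TAG.sub("", value)
    return value

def encode_for_html(value):
    """Hardened: keep the data as entered and encode it when writing HTML.

    Correct for element content and quoted attribute values; script, URL
    and CSS contexts need their own encoders.
    """
    return html.escape(value, quote=True)

# Constructed samples. NESTED reassembles a tag once the inner one is removed;
# ONLOAD uses no script tag at all (the post lists BODY onloads as a vector).
NESTED = "<SCR<SCRIPT>IPT>"
ONLOAD = "<BODY onload=f()>"

def markup_survives(rendered):
    """True if the rendered string still contains a raw tag opener."""
    return "<" in rendered

if __name__ == "__main__":
    for sample in (NESTED, ONLOAD):
        print(repr(sample))
        print("  strip_once        ->", repr(strip_once(sample)))
        print("  strip_until_stable->", repr(strip_until_stable(sample)))
        print("  encode_for_html   ->", repr(encode_for_html(sample)))
```

Looping fixes the nested case but leaves the `onload` sample untouched, which is why encoding at output is the control that covers both.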

And they're using every combination of the above that you can think of!!!
 
Are you validating for all of these situations?

Be careful out there!
 



Jul. 17, 2008 - New Windows Features Help Secure Public or Employee Computers

This is a follow up to my earlier blog post, Limiting Internet Use to Protect Your Company.

Many of my MLS, association, and brokerage clients have computers in their offices that they allow visitors to use or which are used by employees for limited purposes. Windows Vista Home and Ultimate editions have easy to use controls that you can use to increase the manageability and security of those computers as well as lower the amount of maintenance they need as a result of user activities.

I'm referring to the "Parental Controls" features, which can be accessed through the main Windows menu, selecting Control Panel, and then Parental Controls. Assuming that you only allow your visitors and employees to access computers using a non-Administrative account - an Administrator account would let them change these settings at will - you can use Parental Controls to enforce useful policies for a specific user's login account. These policies include restricting web use to specific sites or types of web sites, putting time limits on when the computer can be used, and allowing or blocking specific programs.

The Web Filter allows you to limit use to specific web sites that you specify. This is a very powerful feature because if you only intend a computer to be used to access the MLS system, your organization's web site, or other specific sites, you can restrict the user to those "white-listed" sites only. If you do that, the chance of them visiting inappropriate sites or downloading malware is greatly reduced. You can also specify that the user cannot download any files to the computer. Not letting users save unwanted files decreases how often staff must 'clean' the computers, providing a management cost savings. Vista also comes with a web filter that attempts to block sites based on different types of content (e.g. pornography, hate speech, etc.), however I'm not confident that these filters are foolproof. But if you have a policy regarding harassment or other Internet misuse the least you can do is to enable this type of filtering, perfect or not.

Time limits are useful if you have users that you only expect to use the computer during a specific time of day and/or when the computer use can be supervised. It's easy to set specific days and hours when the computer can or cannot be used.

The Parental Controls that allow you to "Allow and block specific programs" (Application Restrictions) are also very easy to use. If you limit computer use to only those applications that are needed it increases the computer security by making it somewhat harder for users to install and use unapproved software and for malware to be accidentally executed by the user. Not letting users clog up computers with unwanted programs also decreases how often staff has to 'clean' the computers - additional management cost savings.

There are a number of additional features in the Parental Controls as well, including usage reporting and game-blocking features. Just remember, no one tool will be a silver bullet when it comes to security - but if you have deployed Windows Vista Home or Ultimate editions in your business you may find Parental Controls a useful tool to increase the manageability and security of your computers.

 



Jul. 9, 2008 - New software provides Java API for RETS server access

Check this out! RETS IQ RETS Library is a Java API that allows simple access to RETS servers. The API is designed to allow developers to connect to RETS servers and execute searches, photo downloads, metadata requests and updates without having to deal with the nuts and bolts of the RETS protocol.

Mind the license.

 



Jul. 8, 2008 - Telecommuting and the 21st Century Gas Crisis

With ever-higher gas prices putting the squeeze on employee wallets, some Clareity Consulting clients are exploring creative ways to help employees, including having some of them telecommute at least part time. According to a popular telecommuting website [1], 40% of the U.S. workforce have jobs that could be performed at home, potentially saving 625 million barrels of oil annually – that's over 80% of our annual Persian Gulf oil imports! Telecommuting also has a positive environmental impact.

However, there are some telecommuting issues to consider and manage. Some employees can't work productively at home while others work too much and burn out. Sometimes employees who can't work remotely resent those who can, and telecommuting can have a negative impact on employees working as an effective team. Managers used to a high level of hands-on organization, communication, and productivity measurement may be frustrated unless compensating mechanisms are implemented. There may be additional IT and management costs for facilitating remote work, and there are also possible liability and workers compensation issues that must be evaluated by human resources staff [2].

Finally, consider that one of the most disastrous information security breaches in U.S. history – involving the personal information of 26.5 million veterans – occurred because an employee took sensitive data home and didn't take steps to properly protect it [3]. Ask yourself, "Does my organization have appropriate information security policies and practices to address the risks of telecommuting?" The following questions need to be answered via a strong information security policy:

  • What information can be taken from the office to a home office or to other locations?
  • Are the computers being used at home properly secured? What are the processes for ensuring:
    • Operating System security hardening
    • Platform and software security
    • Anti-virus / Anti-malware practices
  • Is only authorized, licensed software installed on telecommuters' computers?
  • If the employees work with sensitive or confidential information:
    • How is sensitive information securely transferred between work environments, both electronically and physically?
    • Can employees provide physically secure home environments? Do they have a media safe? Is there a process for proper disposal of both physical and electronic sensitive data at telecommuters' locations?
    • How is sensitive information encrypted ‘at rest'?
    • Are employee computers on a separate firewall segment from the remote network, and is network traffic strictly controlled?
  • If wireless access is used, are routers securely configured and is use constrained to WPA encryption?
  • If allowing additional remote network access, consider your VPN:
    • Is the VPN ready for increased load?
    • Is the VPN properly encrypted?
    • Are individual accounts set up with appropriate privileges?
    • Does the VPN require a strong password be entered at every connection – or even use two-factor authentication?
    • Do the accounts time out after a short period of inactivity?
    • Is split tunneling disallowed?
    • Are banners displayed regarding monitoring?
    • Is there auditing of remote access?
    • Do users know not to engage in risky computer activity while connected via your VPN?
  • Does the policy cover what to do if there is an information security incident involving company data in the remote work location?
  • Are there appropriate and secure methods of backup and disaster recovery for remote locations?
  • Are telecommuters regularly trained on security requirements for remote locations?
  • Is there a process for monitoring and enforcing security policy compliance over time?
  • Have managers and telecommuters signed off on all of those policies and procedures reflecting the questions above?

Telecommuting is a very exciting opportunity that allows employees to save on ever-more-expensive gas costs and to protect our environment. It's not the right thing to do for every organization, and it won't be possible for every job to be done remotely. Some Clareity Consulting clients are considering alternatives such as allowing some employees to work four days a week and ten hours each day and organizing carpools. However, if management takes the aforementioned steps to ensure employees are properly managed and to protect the organization against legal and information security risks, telecommuting can be a worthwhile endeavor that merits consideration.

 



[1] http://undress4success.com/
[2] http://www.businessweek.com/smallbiz/0003/sb000320.htm
[3] http://www.securityfocus.com/news/11393

 



Matt Cohen
Matt Cohen has consulted to MLSs, Associations, franchises, brokerages, and many real estate industry software companies for over 12 years. Matt is a well-regarded real estate industry expert on industry trends, software design, product management, project management, and information security. Matt speaks at conferences, workshops and leadership retreats around the country on a wide variety of MLS-related topics.


Disclaimer: The opinions expressed on this blog are the responsibility of the author and do not necessarily reflect the opinion of my employer