Fog Creek Software
Discussion Board

Educate reluctant client about internet?

Here is the situation. This is a tough one. (You elitists who work with Dr. Dobb's and .Net Magazine readers who actually understand technology are spoiled pukes. :-) Ok, kidding. )

My client, whom I have worked with for several years, is a vertical market software product development shop.

Currently I am retained by the client to develop an online "service bureau" for their own customers. The service consists of online submission of financial data by their customers to my client's site, offline batch processing, and distribution back to the client of the results from this processing. Think of a service similar to credit report or online tax submission processing, except over the internet.

Here is one major problem I foresee: the owner is also the chief programmer, and he absolutely does not trust the internet in many ways. Think of a stereotyped Amish person let loose on Times Square or West Hollywood ... thinking that iniquity will come out and bend him over. :-) 

Yet we *have* to implement a solution that requires internet connectivity, an online help desk and other functions. I.e., that hypothetical Amish person has to set up his farmer's market stall right in front of the XXX Wet Hooter XXX Revue...

Here is how they do business involving the internet: they basically don't.

Examples:

- They generally treat anything having to do with the internet like it's electronic ebola virus growth medium. This thinking comes from the owner per above.

- There are a couple of DSL connected computers in their offices. They do not connect them to the internal LAN. Instead, employees walk to the 'internet workstation', work, and any data gets loaded onto a zip disk or equivalent. The disk is then taken to a dedicated PC in the corner, run against something like Norton AV, and only *then*, once certified 'clean' is it allowed to be inserted into a disk drive that is connected to their network.

- They have no resident network person. (They outsource this.)

- The owner has admitted to me that he does not 'understand' the internet or viruses. In the past he's stated concern that someone would sniff a dial up internet connection at random for their sensitive data. He believes that if a network workstation were connected for 5 seconds to an internet connection, that workstation would have to be scrubbed for viruses.  And so forth.

- Firewalls, NAT, filtering applications... I explain precautions they could and should take, and the owner is usually in an ADD type rush and won't listen. Any explanation drills down into areas that he is totally clueless about and the explanation meanders into tangents that never tie up in any real understanding. He seems to not want to understand internet stuff and vehemently resists the learning process.

- The owner throws up anecdotes from business acquaintances who complain about viruses shutting down their networks. I try to laboriously explain that these companies probably use tools like Outlook that are misconfigured that run the macro viruses, and they probably don't use firewalls and network applications that could filter and virus check suspicious attachments. Plus they probably have idiot employees going clicky-clicky on every EXE or PIF in an email.

- The owner is, shall we say, the type of person who designed all of the original code used in the business himself. So if he does not have mastery of a technical area, he rejects it overall. Major control freak.

I have the feeling that when we're done, I will have designed a system in which data transfer consists of copying internet data onto zip disks, walking it to the internal server, scrubbing it for virii, and likewise copying response data onto removable media and copying it back up to the internet. Sneakernet to support an online service.

PS: this company is extremely profitable. And the owner is amenable to logic, at least in a "money" negotiation situation. We're not talking about a downtrodden hack shop.

PPS: this is really a psychological and persuasion issue. NOT a situation where someone can just suggest a 'package' and expect buy-in.

PPPS: no, I'm not going to tell the client "you're an idiot" and walk.

Thanks, all.

Bored Bystander
Saturday, July 19, 2003

Remember the old phrase "you can lead a horse to water but you can't make it drink." You might never be able to convince this guy that sneakernet is the wrong way to go.

Are you being paid hourly? If so I wouldn't worry too much about developing a more complex application based around sneakernet!

Matthew Lock
Saturday, July 19, 2003

The guy is not completely wrong, you know. Not right either, but connecting the entire shop to the big ass world is not exactly the safest thing you could do.

One who has been burned
Saturday, July 19, 2003

You had it easy. I have worked with clients that keep rejecting offer after offer of firewall arrangements for application servers on the client's site. All B2B consultants live with this. At least their clients can shell out the thousands for the blind to spend weeks leading the blind. It isn't that your client simply isn't willing to spend the cold hard cash for security (he has the money); maybe he isn't sure if he is comfortable with your advice (maybe I am wrong; what are your credentials in the security arena?). Looks like you have to bring in a good consultant who can put him at ease. If you build B2B sites or any kind of Internet resources that connect to internal resources, you should seriously consider bringing in the big guns.

Li-fan Chen
Saturday, July 19, 2003

You did a good job of describing your current client (i.e. doesn't trust the Internet), but you didn't mention if you have already discussed "your solution" with this person.

I don't remember reading that your client explicitly told you to come up with a sneakernet solution. Even so, it certainly sounds like this may be a project constraint you are going to have to live with.

As others already mentioned, connecting the DSL computers in their offices with their internal LAN might not be the best thing to do. Remember you don't have to live with your solution, but your client does.

Sounds to me like you need to sit down with your client and whomever takes care of the network and brainstorm an acceptable solution.

One Programmer's Opinion
Saturday, July 19, 2003

Other than online interfaces being trendy, why is mailing disks around a bad idea?  Is it really necessary for the data to be transferred immediately or can it wait a day?  It can sometimes be cheaper than bandwidth and network administration costs.  Even Microsoft does it sometimes.

http://www.acmqueue.org/modules.php?name=Content&pa=showpage&pid=43

"Who would ever, in this time of the greatest interconnectivity in human history, go back to shipping bytes around via snail mail as a preferred means of data transfer? (Really, just what type of throughput does the USPS offer?) Jim Gray would do it, that's who. And we're not just talking about Zip disks, no sir; we're talking about shipping entire hard drives, or even complete computer systems, packed full of disks."

Jeremy
Saturday, July 19, 2003

Tangential to the discussion, but along the lines of Jeremy's comment:

"Never underestimate the bandwidth of a station wagon stuffed full of tapes flying down the freeway at 80mph."

(Attribution unknown)

Christo Fogelberg
Saturday, July 19, 2003

The internet banks around here send out a cert on disk that you install. After that it's regular https.
(That's 128-bit encryption, right?)

Eric DeBois
Saturday, July 19, 2003

I think the real problem is that the guy outsources the admin of his network. So he hasn't anybody there to explain things, and he's worried about the time and cost of putting things right.

Maybe you could try and do a Powerpoint demonstration with the firewall, web server and database server all depicted like a sneakernet so he can see the analogy.

Stephen Jones
Saturday, July 19, 2003

I agree with Stephen.

But I would add that you should speak to the outsourced admin. If the two of you come together on this, he might be more inclined to listen.

It might be worth it to the admin because he could then up-sell him more services down the road.

Marc
Saturday, July 19, 2003

Stephen, Marc -

My hat off to you guys. Good ideas. Thanks.

Bored Bystander
Saturday, July 19, 2003

"PS: this company is extremely profitable. And the owner is amenable to logic, at least in a "money" negotiation situation. We're not talking about a downtrodden hack shop."

So it seems like the owner does not think that there is anything wrong with the picture since the money keeps coming in. It is hard to overthrow mistaken beliefs if the person holding them is successful.

Even if the guy were to make a bigger use of Internet, things would not probably be much different to him money wise. Thus there is no reason to get out of the comfort zone.

That is how the likes of old Xerox and IBM became so rotten. All the internal BS was well financed by their highly successful old products and everybody thought they were doing all the right things.

"PPS: this is really a psychological and persuasion issue. NOT a situation where someone can just suggest a 'package' and expect buy-in."

OK. I am gonna give it away here. There is an excellent book on persuasion called "Persuasion Engineering" by Richard Bandler. It describes some of the most effective tools that can be used to persuade someone. The book is more sales oriented but this is exactly the situation that you've got.

Mr Curiousity
Saturday, July 19, 2003

Here is how I'd probably sell a solution to the man in question.

1. He is absolutely right, having a direct connection with the internet is dangerous.

2. In the absence of any other system the sneaker.net approach is the safest and sanest. So what you're doing is right.

3. We can get the advantages of sneaker.net without the disadvantage of not being directly connected.

4. Here's how: on the DSL we set the router up so that only the router can be seen from outside, nothing can be addressed inside (OK, it's NAT; it's probably already set up). On the router we install a further firewall component (or on a server in a DMZ, but that's details).

5. We only install a mail client which we know is resilient to mail viruses. (OK, I'd choose Calypso or Courier, but there are alternatives.)

6. We install the same anti-virus on all the workstations and it keeps itself up to date (yes, we have to leave the machines on).

7. The network is now the equivalent of sneaker.net: we can get stuff from the net, send stuff up the net, and no one outside can get to our machines.

8. Once it's in, no one need care about it; your current network man can maintain it.

Simon Lucy
Saturday, July 19, 2003

Fake your own death...

Guy Incognito
Sunday, July 20, 2003

Heh, actually this guy sounds pretty smart.

In most gov't agencies I've seen, the internet and "classified" networks are totally separate, and people needing access to both typically have two workstations.

SG
Monday, July 21, 2003

Some suggestions ...

(1) Implement RFC 1149.  You'll experience a few latency issues, but as we all know, pigeons are relatively immune to viruses ... ;-)

(2) Figure out about how much money he's losing by being a Luddite.  That should be enough motivation to at least sit down with you and talk over possible strategies for a few hours.

It's a basic fact of human psychology that folks will trust themselves long before they trust others.  You need to make him a security expert (or at least feel like one) without sitting him down and lecturing at him like a college professor.  In other words, it's better to lead him into discovering the answers for himself.

Ask him what he would do if he were a hacker and he wanted to break into your corporate network. At first he won't even have a clue where to begin, so you might start off by giving some basic education about hosts and IP addresses and ports. Explain to him the modus operandi of any hacker -- searching for buggy ports and exploiting the bugs.

Then ask him what steps he'd take to mitigate attacks along these lines.  It might take ten minutes, but he'll eventually get the brilliant idea of limiting the number of ports that are out hanging in the breeze.  Pat him on the back, tell him how smart he is, and let him know about this cool technology called a firewall that does just that ...

Next, address his concerns about viruses.  He's a programmer, so he should understand that you can't get a virus by just looking at a text file ... you need to get some executable code and then trick someone into running it.  Ask him to think of different ways code could get past the firewall (pat him on the back when he mentions email).  Ask him then to think of ways of mitigating that risk (more pats on the back if he thinks of putting a virus checker on the mail server).  Once he sees that the result is functionally identical to the sneakernet solution, his reservations will probably fade away.

You'll also have to lead him into learning about the differences between IIS and Apache, worms, CERT advisories, and ways that poorly written ASP could divulge the wrong information, etc ... and strategies to mitigate those risks ...

But my last suggestion is most important ... get him involved in setting up his network.  If you do it all yourself, there will be an aura of mystery and hence distrust about what you've done.  But if you stand over his shoulder while he sets up the virus checker and firewall, he will feel much more confident about his newfound internet skills and the security of his enterprise.

Hope this helps.

Alyosha`
Monday, July 21, 2003
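Simon Lucy's steps 4 and 7 and Alyosha's "limiting the number of ports that are out hanging in the breeze" describe the same edge policy: NAT plus a stateful default-deny firewall, so the office can open connections outward and replies come back, while nothing on the DSL side can open a connection inward. The ruleset below is an added example, not anything posted in this thread. It is written for nftables, which did not exist in 2003 (the equivalent then was iptables); the interface names wan0 (DSL side) and lan0 (office LAN) and the LAN-only SSH management rule are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny edge for a small office router.
# Assumed interfaces: wan0 = DSL side, lan0 = office LAN.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # replies to connections the router itself started may come back
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # management (SSH) only from the office side, never from the DSL side
        iifname "lan0" tcp dport 22 accept

        # allow rate-limited ping so the outsourced admin can check reachability
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # the "zip disk coming back": replies to sessions the office opened
        ct state established,related accept
        ct state invalid drop

        # the office may go out to the internet ...
        iifname "lan0" oifname "wan0" accept
        # ... and nothing unsolicited from wan0 is forwarded in (policy drop)
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # every office address hides behind the router's single DSL address,
        # so internal hosts are not addressable from outside at all
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f edge.nft` and confirm with `nft list ruleset`. The two `policy drop` lines are the whole argument: in the forward chain the only way a packet gets from wan0 to lan0 is as part of a session the office started, which is the network equivalent of the owner's current practice of only ever carrying data in by hand. Mail filtering and workstation anti-virus (Simon Lucy's steps 5 and 6) sit on top of this; the firewall alone does nothing about code a user chooses to run.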

Show him how easily a Trojan still bypasses all the precautions in his current setup. Security is in the first place a people issue, with tech a far second.

Just me (Sir to you)
Tuesday, July 22, 2003
