Very good summary.
That's how e-business works when big established companies want to put the "e" into an existing business. I've been through that procurement process - IBM was the ONLY vendor that responded competently to us. Broadvision and Interworld told us (paraphrasing slightly) to bend over and squeal like a pig.
OTOH, much e-business isn't about Sears going on-line, it's about Amazon and Furby-4-U starting from scratch. These are companies with no initial attachment to a particular vendor, and no legacy issues to fight. The one thing they care about is time to launch - they don't even mind spending money like a Swedish sportswear shop, provided it gets that site live by yesterday. At this point in time, there isn't any vendor that's offering good products that can reliably build big sites like this. The market is completely wide open to a vendor with a good product - IBM don't have lockdown on it by any means.
No, template driven shopping carts are NOT what a large site wants.
A very large Amen! to that.
I love SOAP, and the whole XML-RPC concept. I've been using it for a month, and it's giving a lightweight protocol for shoving simple well-structured data around an Extranet. Yes, I've done DCOM, I even know a little about CORBA. Neither of these would have given me the ease of setup (especially at the client's site, and behind the client's firewall) that I get with XML-RPC (my strict SOAP compliance is ragged).
If I was doing SOAP right now, I'd be doing pure http and using URLs that put BroadVision to shame.
Yes, tunnelling everything through http to get past the firewall is bad juju. When we start seeing commonplace SOAP servers that are worth subverting, then it really will be time to worry about it. Anyone for challenge-response firewall tunnels opened on the basis of certificates in the SOAP header elements ? I currently have an open SOAP server that would attempt to ship you a bucketful of valuable product, in response to a trivially formatted SOAP request (Don't try it - there's also a human reading the orders). To regain the security benefit of reliable firewalls (reliably culling the nasties below the application level), then we'll start needing techniques like this as standard. After all, no-one needs (sic) a firewall today, as all our machines are secured anyway...
OTOH - No way would I be pushing DCOM around a big LAN, let alone across the 'Net at large. No F'ing way, not after the continual shafting from Teardrop/NewTear that my ports took back in the Service Pack 3 days.
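The contrast the post draws, between an open SOAP server that ships product for any well-formed request and one that only acts on requests carrying a credential in the SOAP Header, as an added example that is not part of the original post. The envelope namespaces (`urn:example:orders`, `urn:example:auth`), the order element names and the sample messages are constructed here; an HMAC over the order fields with a shared secret stands in for the certificate-based check the post proposes, and a per-request nonce is added so a captured request cannot simply be replayed.

```python
"""Open vs. header-authenticated SOAP order endpoint (constructed example)."""
import hmac
import hashlib
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ORDER_NS = "urn:example:orders"   # assumed namespace, not from the original post
AUTH_NS = "urn:example:auth"      # assumed namespace for the auth Header element
NS = {"s": SOAP_NS, "o": ORDER_NS, "a": AUTH_NS}

# Assumed shared secret: stands in for the certificate the post suggests
# putting in the SOAP header. A real deployment would verify a signature
# against a trusted CA instead of keeping a symmetric key on both sides.
SHARED_SECRET = b"demo-secret"


def _mac(client_id, nonce, sku, qty):
    """HMAC-SHA256 over the fields the server will act on, plus the nonce."""
    msg = "|".join([client_id, nonce, sku, str(qty)]).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def build_request(sku, qty, client_id=None, nonce=None):
    """Client side: a ShipOrder envelope, with an Auth Header when credentials are given."""
    header = ""
    if client_id is not None:
        header = (
            f'<s:Header><a:Auth xmlns:a="{AUTH_NS}">'
            f"<a:ClientId>{client_id}</a:ClientId><a:Nonce>{nonce}</a:Nonce>"
            f"<a:Mac>{_mac(client_id, nonce, sku, qty)}</a:Mac>"
            "</a:Auth></s:Header>"
        )
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}">{header}'
        f'<s:Body><o:ShipOrder xmlns:o="{ORDER_NS}">'
        f"<o:Item>{sku}</o:Item><o:Quantity>{qty}</o:Quantity>"
        "</o:ShipOrder></s:Body></s:Envelope>"
    )


def parse_order(root):
    """Pull (sku, qty) out of the Body; raise on a malformed envelope."""
    item = root.find("s:Body/o:ShipOrder/o:Item", NS)
    qty = root.find("s:Body/o:ShipOrder/o:Quantity", NS)
    if item is None or qty is None:
        raise ValueError("no ShipOrder in Body")
    return item.text, int(qty.text)


def open_server(envelope):
    """The 'open SOAP server' of the post: any well-formed ShipOrder is shipped."""
    root = ET.fromstring(envelope)
    sku, qty = parse_order(root)
    return ("SHIPPED", sku, qty)


class AuthenticatedServer:
    """Ships only when the Header carries a valid MAC over the order and a fresh nonce."""

    def __init__(self):
        self.seen_nonces = set()

    def handle(self, envelope):
        root = ET.fromstring(envelope)
        sku, qty = parse_order(root)
        auth = root.find("s:Header/a:Auth", NS)
        if auth is None:
            return ("REJECTED", "no Auth header")
        fields = {k: auth.findtext(f"a:{k}", namespaces=NS)
                  for k in ("ClientId", "Nonce", "Mac")}
        if None in fields.values():
            return ("REJECTED", "incomplete Auth header")
        # Recompute over the Body fields actually parsed, so a tampered
        # quantity or item invalidates the MAC; compare in constant time.
        expected = _mac(fields["ClientId"], fields["Nonce"], sku, qty)
        if not hmac.compare_digest(expected, fields["Mac"]):
            return ("REJECTED", "bad MAC")
        if fields["Nonce"] in self.seen_nonces:
            return ("REJECTED", "replayed nonce")
        self.seen_nonces.add(fields["Nonce"])
        return ("SHIPPED", sku, qty)


if __name__ == "__main__":
    print(open_server(build_request("WIDGET", 200)))
    srv = AuthenticatedServer()
    print(srv.handle(build_request("WIDGET", 2)))
    signed = build_request("WIDGET", 2, client_id="acme", nonce="n1")
    print(srv.handle(signed))
    print(srv.handle(signed))  # same request again: replay
```

The MAC is computed over the parsed Body fields rather than the raw XML bytes, which sidesteps canonicalisation but means anything the server acts on must be included in the MAC input. `xml.etree` is not hardened against entity-expansion attacks; on a server reachable from the outside, parse with `defusedxml` instead.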
I think this was advice of the highest quality.
gop.gov has some measure of branding kudos, and thus it's valuable. It's the GOP's job to try and acquire such things, and the job of objective election watchers and federal civil servants to exercise whatever control they can to stop them.
Should it be there ? No. hrc.house.gov should be permitted instead and scrutinised very carefully to ensure it doesn't exceed whatever White House rule there is about limiting Federal funding of party campaigning.
Is it understandable ? Absolutely. It's just politicians taking anything that wasn't nailed down, and we clearly didn't nail this one down firmly enough beforehand. Don't blame crocodiles for biting your leg off, it's just what they do best.
Personally I'm dubious on any .gov domain that isn't honestly a UN-based New World Order. Having .com imply the US is reasonable enough, but the White House should stick firmly to .gov.us and stop trying to rule the whole world.
Paxman is something of a technophobe (listen to his Radio 4 work, an environment where scientific guests are more common than on TV). Clearly he's not the perfect interviewer for Gates, but who else could there have been ?
Paxman is, above all, trusted as an interviewer who takes no nonsense from a powerful guest (cf. his superlative kebabing of Michael Howard). The BBC does still have some technically adept interviewers, but none with the tenacity of Paxo, or his reputation for it.
If this had been a fawning hagiography with Carol Vorderman, would anyone have watched it ? To reverse the question somewhat, who is the worst interviewer the BBC might have used ? Philippa Forrester ? James Burke ?
It's also interesting that the BBC chose to use Paxman in this role -- it indicates that they see Gates as a powerful figure in the world, rather than merely something to do with those silly computer things (a common BBC attitude is that nothing important exists beyond Westminster and entertainment).
Incoming !
Expect hordes of knee-jerking Slashdot readers flaming this article without even reading it. The Sacred Penguin is insulted and so its acolytes must rush to its defence.
What the article actually says is that Linux is taking its market share from the nasty old dinosaurs like SCO and building new share in the home geek market. Desktop Windows in offices, where the vast majority of suit-and-tie wearing people work, isn't affected, nor will it be until Word runs under Linux (and Hell freezes over and Puget Sound runs with molten lava).
People are running Linux on net-connected servers with little or no interactive desktop usage. So when was this ever a big NT stronghold ?
In a pre-XML world, some of us encountered the UN's efforts to make EDI (Electronic Data Interchange) a world standard.
It was not a pretty sight. I doubt very much if a UN-sponsored human-readable language effort will fare any better.
> being genetically engineered, the Monsanto plants might be more marketable than the normal type.
This is simply untrue (especially in Europe). Our supermarkets are falling over themselves in their hurry to declare their own products free of GMO. GM products are not a selling point to the consumer.
The GMOs on offer from Monsanto are not a bigger, shinier tomato, nor a solution to 3rd world hunger. They are simply either the Roundup ® glyphosate weedkiller resistant gene that allows farmers to buy and use more Monsanto Roundup ® weedkiller, or the Terminator gene (whose demise was recently announced) that would allow Monsanto to sell more seed.
Monsanto are not altruistic philanthropists.
The really scary issue with the Terminator gene is that of cross-pollination. No one knows how likely GM products are to cross fertilise with nearby crops, nor do they know how close they have to be to be "nearby". This is a huge question over GM in general, and the doubt is sufficient to justify a halt on the entire commercial usage of GM crops, until more is known.
If Terminator crops cross-pollinate with non-GM, then the seed from that plant will also be substantially sterile (I'm assuming Terminator is dominant, else how do they produce it commercially). This means that not only will the crop of seed purchased from Monsanto fail to deliver seed for next year, but so may the neighbour's crops. Why should any farmer or agri-business have the right to destroy another farmer's crop like this ?
(UK poster - we're scared and angry on this side of the pond, not just the duck squeezers)
> I noticed the author mentioned that the Hardware Abstraction Layer (HAL) was used for security purposes.
That, and several other howlers, is a good reason to ignore almost everything that article states.
OS Wars are dull. They're dull when an experienced Linux geek flames an experienced NT nerd over subtle points of truth (admissions time - I grok NT to a reasonably deep level). They're especially dull at the depths of this bozo article, sinking to levels beneath that of the usual Slashdot "Four legs good, M$oft bad" rant.
One of the nicest things about NT is the hardware compatibility. If I buy a box from Electrode Hut and it won't run FreeWotsit, then it's my fault. If the same box won't run a product from the Redmond borg, then it's their problem.
I agree with his conclusion, but not his argument (such as it was). Slashdot is currently worth listening to because it's populated by people who grok the tech and it's still novel enough to appeal to their interests and their willingness to spend time on it. When (and it will happen) Slashdot is dumbed-down by the barbarian WebTeeVee hordes, the nerderati will no longer care enough to re-write Jane's pieces for them, or at least to do it well.
#include death_of_usenet_predicted.h
> Making examples of script kiddies will reduce their numbers
> but transform the remainder into really angry and careful hackers.
I doubt this. The script kiddies I've met didn't have the brains (or more importantly, the obsessional dedication) to invent an original exploit. Capable hackers are born, not made, and although many will use a script that's there and freely available, they have even more disdain for the kiddies than most sysadmins do. You can't turn a kiddie into an inventive hacker, just by pissing them off.
3l33t d00dz are like British Admirals - we should hang the occasional one, pour encourager les autres. I don't think they should be Mitnicked into oblivion, but a good full-blown public trial, confiscation of kit and a fine is going to send a clear message that hacking is for real. Hack if you want, join the Mafia if you want, but don't think that either of these is just some new sort of RPG that's socially acceptable.
Is this the best that Janes can do ? The tone is not necessarily over-alarmist, but it's incredibly simplistic. The Economist would be ashamed to run this piece, and I doubt if even USA Today would be exactly proud of it.
The content is almost devoid of useful facts, or even well-grounded opinions. Apart from the duplication of almost every point (do you have an editor ?), it's vague and woolly in a way that really isn't what I expect from a publication like Janes.
The most glaring issue is the CBRN / Cyber confusion. Is the article's point the very reasonable one that IT terrorism is a whole new ballgame ? - in which case, why are the two opposing circumstances lumped together as if they were the same thing ?
On the specifics:
> Using CT, how easy or otherwise is it to bring
> down or attack vital systems?
As is very old news to anyone close to the scene, hacking is NOT about gaining some sort of wizardly superpowers that allow one to access anything, anytime. It's much more like stealing cars by walking through a carpark and trying the door handles. As this industry still hasn't learnt to make a robust doorlock, and most new drivers haven't yet learned where the keys are, then this process will net an awful lot of exposed IT assets. Remember too that automatic scripting / searching techniques let you try an awful lot of door handles without much walking.
Very few expert hackers are expert on more than a small niche of the problem, an operating system or a communications technique. Sometimes they accept that deep skills simply can't be gained over such a broad area, sometimes it's disguised as the Unix nerd who wouldn't "dirty their hands" on an NT box.
> What sort of skills would be needed to do so,
> and are they common/teachable?
The skillset needed is more of a lifestyle than a specific skill - the adolescent boy's obsessional devotion to a particular niche, despite its lack of utility to all aspects of normal life. Some of us collect baseball cards, others analyse protocols.
The skills are unteachable, as they aren't skills as such. Those who could be taught, probably already taught themselves. Encouragement, provision of a conducive environment and peer pressure (especially over ethical issues) is much more significant.
The real danger in recent years has been the rise of the Script Kiddie, an ignorant upstart with access to powerful tools like L0phtcrack or Back Orifice. These tools are far more freely available now than, say, 5 years ago. This obviously increases the exposure of "those who would" to "those who can", but it also removes much of the previous generation's "hacker ethic". When exploiting a hole required skill and dedication, it increased both the exploiter's sense of identification with those being exploited and also the sense of reward felt at its successful completion. Now the instant access of a script tool presents a system "on a plate", encouraging its perception as a thing of low value and also leaving the exploiter still unsatisfied by the mere task of gaining access.
Mountain climbers don't vandalise mountain tops, because they're hard to reach and appreciated as such. Graffiti sprayers will happily spray a wall, because it's "just a wall".
> Commercial-off-the-shelf software: can it really do CT?
All armies rely on mundane items like food and boots. Neither of these need to be "military", just available when you need them. It's the same with IT tools for access - it's knowing where to send the bytes that matters, not having some flashy gimmick to do it for you. Hackers don't need radical tools that escape from secret laboratories - Microsoft Word can build you the CIH virus and FrontPage can take over an insecure site with FPSE.
> Which systems are actually attackable?
All systems (IT hardware, software, wetware and management practice) may be attacked. If the hardware has no security whatsoever, the OS is widely understood and frequently penetrated, then your security is entirely reliant on good working practices amongst the admins. Custom crypto boxes, olive drab computers and the like make things more secure because they reduce this single point failure mode, more than any inherent magic. If a careless sysadmin mis-enters the value on just one or two checkboxes, then I (or a million others) could enter their Wintel box, because we already know them inside out. If I had the same depth of knowledge on Racal / Marconi kit, then I'd probably be just as dangerous -- but how many people have experience on those mil-only platforms, compared to the vast numbers who intimately understand Wintel ?
> Can a recovery be made from such attacks?
We're not yet at a stage where it's practical to do real life-threatening damage on a large scale, on a regular basis. A denial of service attack that closes a stock exchange for a day is hideously expensive, but it's still a DoS, not an irrevocable maiming or killing. In terms of body count, a totally psychopathic hacker is still going to do better(sic) with a crowded post office.
Recovering from a specific attack is easy - burn the computer and reinstall the backups. After all, hardware is cheap and the real damage (to your prestige, or loss of trading etc.) has already been done.
> Is it likely to improve/get worse?
It will get better, but only slowly and after it gets a whole lot worse first. Expect to lose the London Stock Exchange for a day, or have Nike mis-deliver an entire shipload of trainers (or something on that scale) before the real money takes things seriously enough to mandate security, and to ask the right people for advice on how to do it. The big consultancy houses certainly aren't the best people to do this, nor is their current track record particularly impressive.
I'd look at building my own client and DEFINITELY back-ending it with MS SQL 7.0 and their OLAP. Yes, yes, yes, it's the Spawn of Bill and it hasn't got any penguins in it, but it's still the best thing out there for under a gazillion bucks. It's also pretty easy to build PHB compliant or web-based front ends to it, as it's amenable to remote control from a pretty simple API(sic)
Use your favoured web tech du jour to front it, but personally I'd be using a stack of client-side XML, even if that meant entering the IE5 tar pit.
Whatever you do, start out by reading Kimball / Inmon's books. The Data Warehousing Toolkit is abso-damned-lutely essential reading before starting. Buy it now ! Give copies to your friends! Their pets! Even their PHBs!
If the data volume is enormous, then switch to RedBrick - by then you'd be well into SuitSpace though.