StratVantage – The News – 12/06/01

Software Quality and Cyberterror Threats, Part 2

Last SNS, I discussed the huge task confronting Richard Clarke, the counter terrorism expert in charge of the president’s Critical Infrastructure Protection Board. Despite the disparate issues surrounding computer security, it is at bottom a software quality issue. If software were properly written, there would be a lot less cybercrime. In this issue, I’ll examine some of the challenges businesses face in responding to computer security threats.

In a recent issue of his newsletter, Cryptogram, renowned security expert Bruce Schneier, CTO of Counterpane Internet Security, explains the lifecycle of a security bug:

I coined a term called the “Window of Exposure” to explain the evolution of a security vulnerability over time. A vulnerability is a bug; it’s a programming mistake made by a programmer during the product’s development and not caught during testing. It’s an opening that someone can abuse to break into the computer or do something normally prohibited.

Then, someone writes an exploit: an automatic tool that exercises the vulnerability. [. . .] Once a tool is written, anyone can exploit the vulnerability, regardless of his skill or understanding. [T]his tool can be distributed widely for zero cost, thereby giving everybody who wants it the ability. This is where “script kiddies” come into play: people who use automatic attack tools to break into systems. Once a tool is written, the danger increases by orders of magnitude.

Then, the software developer issues a patch. The danger decreases, but not as much as we’d like to think. A great many computers on the Internet don’t have their patches up to date; there are many examples of systems being broken into using vulnerabilities that should have been patched. I don’t fault the sysadmins for this; there are just too many patches, and many of them are sloppily written and poorly tested. So while the danger decreases, it never gets back down to zero.

Microsoft operating systems have been the number 1 target of software crackers and cybercriminals over the past couple of years. One reason is there’s an awful lot of installations of these OSes. That alone does not account for the truly staggering number of security bugs exhibited by release after release of these systems.

Part of the problem, according to Schneier, is the attitude of Microsoft and other software makers towards software vulnerabilities. Schneier makes the case that full disclosure of vulnerabilities and independent code review should be the rule and not the exception. Rather than maintaining closed code and stonewalling reports of problems, software vendors should open their code for expert review and not only acknowledge problems, but actively partner with security researchers to ferret out the bugs and exterminate them.

This has not been the general practice in the industry, and certainly not at Microsoft. Until relatively recently, Microsoft used the deny-and-disparage technique for dealing with security bug reports. If a researcher or talented amateur brought a bug to the company’s attention, Microsoft’s first response was often to deny its existence. If pressed, the company often disparaged the bug, calling the vulnerability “theoretical” or minor. To be fair, the software monopoly has drastically changed its handling of security vulnerabilities in the last couple of years. And they are by no means the only offender; plenty of software companies employ the deny-and-disparage defense.

When there isn’t full disclosure about a software vulnerability, users have no way to evaluate the threat, and the advisability of using the software. Furthermore, wrong-headed legislation like the Digital Millennium Copyright Act (DMCA) complicates the issue. The DMCA makes it a crime to unravel security measures like encryption. In fact, a Russian citizen is being held in jail today for breaking the encryption Adobe uses for its eBooks. The act was not a crime in his homeland, where he did the work, but when he traveled to the US for a conference, he was apprehended and thrown in jail. We can only hope he’s not brought up before a military tribunal.

It gets worse. As I discussed in a previous SNS, an August 2000 court decision preventing cracker site www.2600.com from linking to the outlawed DeCSS DVD cracking code has thrown open the whole question of hyperlinking. In addition to worrying about keeping cybercriminals out, businesses now need to worry about linking to criminal sites and criminal code, assuming they can keep up with what’s illegal.

Determining what’s illegal and abiding by the law will get harder, thanks to the international Convention on Cybercrime, which imposes some very interesting responsibilities upon signatory nations. This treaty enables any signatory nation to enforce their cybercrime laws against citizens of other nations, and requires the cooperation of those other nations in bringing criminals to justice. This means if it is illegal to transmit a particular document, run a particular program, or link to a particular Web site in Bulgaria, a citizen in the US could be legally and criminally liable, despite abiding by US law. The US would cooperate with any Bulgarian warrant to search and seize assets of US companies or citizens in order to investigate the case.

If that’s not bad enough, the treaty also specifies that companies are liable for any cybercriminal actions of their employees if those actions were due to “the lack of supervision or control” by the company. Thus businesses need to be cognizant of the cybercrime laws of the 31 nations that have so far signed the convention, must educate their employees on how to comply with all those laws, and then must keep tabs on their workers’ behavior in order to avoid liability.

All this has cast a chill upon computer security research. Trying to figure out whether closed source code is vulnerable to attack could land you in jail. Schneier notes the case of security researcher Niels Ferguson, who found a security flaw in Intel’s HDCP Digital Video Encryption System. Ferguson did not publish the flaw for fear of prosecution. “Intel’s reaction was reminiscent of the pre-full-disclosure days: they dismissed the break as ‘theoretical’ and maintained that the system was still secure,” said Schneier. “Imagine you’re thinking about buying Intel’s system. What do you do? You have no real information, so you have to trust either Ferguson or Intel.” Since using the software could run you afoul of the law in another country, this is an important issue.

So what is the computer software industry doing about all this? Are they banding together and taking a pledge of quality, determined to release no more buggy software lest they make their customers liable? I’ll take a look at the industry response in Part 3 of this article.

Briefly Noted

  • Shameless Self-Promotion Dept.: On Friday, StratVantage is debuting a new service, CTOMentor™, designed to allow Chief Technology Officers and other technical leaders to sweep the newspapers, magazines, and newsletters clogging their inboxes into the trash. CTOMentor is a subscription advisory service tailored to customers’ industry and personal information needs. Four times a year CTOMentor will provide a four-hour briefing for subscribers and their staffs on the most important emerging technology trends that could affect their businesses. As part of the service, subscribers also get a weekly email newsletter containing links to the Top 10 Must Read articles needed to stay current.
    CTOMentor
  • Unintended Consequences of Search Engines: The major search engines use automated programs called spiders (they walk the Web) to search through and index Web sites. The spiders typically start at the main page and follow links. This works well for directing people to resources that Web site owners want them to see. But it also works well for turning up stuff they don’t want you to see, like passwords, credit card numbers, classified documents and even computer vulnerabilities that can be exploited by hackers. While this has always been a problem with indexers, it has gotten worse now that Google searches for other file types such as Adobe PostScript; Lotus 1-2-3 and WordPro; MacWrite; Microsoft Excel, PowerPoint, Word, Works and Write; and Rich Text Format. Viewing the new file types can also expose you to viruses that may be contained in the files. This happened to me recently when I clicked on a link in Google to a Microsoft Word file that had been infected with the Melissa virus. Luckily my antivirus caught it. Businesses need to make sure that the only files on their public Web sites viewable by the public are those they intend to share with the world.
    C|Net
  • Another Fixed Wireless Player: After a pilot in Memphis, TN, WorldCom has widened its Broadband Fixed Wireless offering to 11 markets total: Bakersfield, CA; Baton Rouge, LA; Chattanooga, TN; Hartford, CT; Jackson, MS; Kansas City, MO; Memphis, TN; Minneapolis, MN; Montgomery, AL; Springfield, MA; and Tallahassee, FL. The company is planning on rolling out the service nationwide. As discussed in a previous SNS, Fixed Wireless involves putting microwave antennae on rooftops and offering broadband Internet connections over a radio connection. WorldCom can service roughly 70 percent of a 35-mile radius of users from a single tower-mounted “super cell.” Each rooftop antenna needs a clear line of sight to the super cell antenna. WorldCom is targeting the service at businesses, offering downstream transmission rates of 1 Mbps to 10 Mbps and average upstream speeds of around 512 Kbps. Pricing is comparable to DSL and cable modem broadband service offerings. Competitor Sprint offers Fixed Wireless in 14 markets, none of which overlap WorldCom’s, but the company is not acquiring new customers, having determined that current wireless technology can’t support their business model. I wonder if WorldCom will find the same thing?
    WorldCom
  • Yet Another Fixed Wireless Player: NextNet’s Expedience™ solves the line of sight problem with a single compact, indoor, portable unit that integrates the modem, transceiver and antenna. Even better: The unit is customer-installable, so there’s no mucking about up on the roof or waiting for the technician to show. The company uses a traditional cell-oriented scheme, with each cell tower serving about three square miles. The company is targeting resellers rather than end users, which sucks because the company’s in my backyard (Minneapolis).
    NextNet
  • My, How We’ve Grown: 2001 is the 20th Anniversary of the original 8088 PC, and the 1 billionth PC will ship by the end of this year. Here are a couple of stats to illustrate how far we’ve come in 20 years:
    • If you were to build the original Pentium processor with the technology used to build ENIAC, the first computer, it would cover more than 10 square miles.
    • By 2005 we’ll see the first 30 nanometer transistors (0.03 microns). A hundred thousand of them stacked on top of each other will be the thickness of a sheet of paper. This will enable 10GHz processors that can process 20 million calculations in the time a bullet flies 1 foot.

    Intel

  • Online Exchange Volume is Up: The Global Trading Web Association (GTWA), an independent membership organization of electronic marketplaces, reported a 733 percent increase in transactions among its members in January-June 2001 compared with the same time period in 2000. Projected 2001 year-end transactions are expected to reach 2,140,500 with a sales volume of $6,238,433,526.
    GTWA
  • Wireless LAN Productivity: Cisco announced the results of an independent study by NOP World-Technology that found end users using wireless LANs stayed connected one and three-quarter hours more each day, amounting to a time savings of 70 minutes for the average user, increasing their productivity by as much as 22 percent.
    Cisco
  • If You Need Phone Word Help: If you’re having a hard time coming up with cool mnemonics for the Queen’s cell phone number (as discussed in a previous SNS) here’s a Web site that can help. Phone Spell tries to convert a phone number into words. Unfortunately, it doesn’t use “license plate tricks” like converting 0s, 2s and 4s into letters, or “2c00l d00d tricks” like using the pronunciations of numbers as syllables (as in the number 423-2863). Fortunately for those trying to come up with the Queen’s number, you can type in words and Phone Spell will give you back a phone number. Unfortunately, my best offering for the Queen has 14 digits, although I can get it down to 12 by substituting 0 for the word not: 932730268733. Worst of all, my cell phone number spells nothing at all!
    Phone Spell


StratVantage – The News – 11/02/01

How Many Search Engines Are There?

Recently I decided to try one of those search engine submission services that claim to submit your Web site to dozens, hundreds, or thousands of search engines. Many of these companies offer premium services that purport to be able to increase your ranking in target search engines, and sometimes these services are quite expensive. After years of ignoring the spam offering search engine submission, one caught my eye because of its low price: $2.50 (normally $9.95!!!!!!!). I figured, what the heck, for $2.50, I’d see what this search engine submission thing was all about.

The service I selected was INeedHits.com. Their Submit Pro service submits your site to 300 search engines, and, incredibly, they were having a sale that ended 10/31. Even more incredibly, it seems they’ve extended the sale, and it now ends 11/30. The company claims, “Our professional team will review and adjust your web site code to increase your Search Engine position. We will then submit your adjusted web site to 300+ major Search Engines including: Yahoo, Excite, Lycos, WebCrawler, Hotbot and Google.” This sounds like a tremendous deal: Actual humans would consult with me to “adjust” my Web site code to maximize my search engine position, all for $2.50.

As I constantly tell my children, “If it seems to be too good to be true, it is.” And sure enough, I got no personal review and adjustment of my Web site code. When you click to order the service, no mention is made on the next page of code review as part of the Submit Pro package. You have the opportunity to order additional services like the Keyword Analysis Report (normally $45, now $15!) and the Website Code analysis (normally $50, now $20!). These extra cost options are such a good deal the company preselects them on your order form for you. I wasn’t really surprised at this sleazy sleight of hand, of course. The search engine placement world seems to be full of hype and promises.

What was really interesting, however, was what happened when my submission actually ran (I didn’t fall for the extra cost extras and took the base package). One cool thing INeedHits does is give you a free email account and then submits your search engine requests using this email account. This turns out to be a very good idea because the act of submitting to some of these “search engines” generates a stream of spam selling everything from 3,368,420 free Web page hits to roses and garlic (I think that’s the title of my next album). The come-on that most interested me, however, was a site that offered to submit your Web site to 600,000 search engines.

Now I was willing to believe that there were 300 search engines as claimed by INeedHits. I didn’t believe that there were 300 major search engines, but it wouldn’t surprise me to find that number of credible engines filling various Internet niches. But 600,000? How could that be? Turns out there’s a whole network of Free For All search engines (the acronym is FFA, which means something different to those of us in the Midwest). And it resembles a huge pyramid or Ponzi scheme. As best as I can figure, FFA search engines make money off advertising on the “search engine” sites and through spam email the sites send to people who submit to them. The services are created by sites like RateSaver.com and BigMailBox.com. A good explanation of the methodology can be found on the RateSaver site of Matt Perdeck, who claims to be, “a regular guy. Not super smart. Not well connected. Just average.” Yet somehow Matt has been able to generate thousands of dollars even while he sleeps using a “hits tree.”

The hits tree concept apparently combines the labyrinthine and convoluted Free For All search engine phenomenon with affiliate programs. An affiliate program is a way to get other people to market something for you, for example a book. Amazon runs an affiliate program enabling people to embed a link on their Web sites that takes visitors to Amazon. If the visitor buys, the affiliate gets a commission. The world of affiliate programs is easily as convoluted as the FFA search engine world, and will have to be the subject of another article.

The hits tree concept is immediately recognizable to anyone who’s made it out of the 8th grade: It’s basically an electronic chain letter. Your hits tree page contains boxes with six Web links in positions one through six. These links are to pages of other hits tree members’ Web pages, where they undoubtedly sell something. According to the explanation that is also posted on your hits tree page, “Your own hits page has a link to your website (or any website you like) in position #1. When people sign up (for free), they get their own hits page, with their own link in position #1. Your link is copied onto the new page and goes into position #2. All other links are also shifted back. This means that if 20 people sign up from your hits page, your link winds up on 20 new pages, in position #2.” You do the math. Actually, you don’t need to; it’s provided for you:

Pages with your link
20 people visit your page and get their own page:                                              20
Those 20 pages each get 20 visitors themselves, producing 20 * 20 = 400 pages:                  400
Those 400 pages each get 20 visitors themselves, producing 20 * 400 = 8000 pages:             8,000
Those 8000 pages each get 20 visitors themselves, producing 20 * 8000 = 160,000 pages:      160,000
Those 160,000 pages each get 20 visitors themselves, producing 20 * 160,000 = 3,200,000 pages: 3,200,000
————————
Total pages with your link: 3,368,420

Wow! Three million pages that point to my Web site! But wait, there’s more! You can also put banners on your hit tree pages and earn easy money! Plus you can automatically email (Not spam! They asked for it!) people who visit your page! You can also include access to free ebooks! And the best part: It’s all only $45!

Despite the breathless hype, you may be wondering if anyone falls for this stuff, and if they’re making money. All I can say is that plenty of people are falling for it. But the only folks making serious coin are those who collect the $45 for creating a new hits tree. As in any pyramid scheme, only those in at the top are likely to be making any money. Regular Guy Matt Perdeck must be making some money selling his eBook, Living Off the Net, for between $29.95 and $39.95. Try a Google search for his name and see how many sites are flogging his book.

So how many search engines are there really? I can’t say, although one site lists a thousand of them. But when I tried to find several of the engines listed on that site, all I got from Google was links to other lists of search engines. I could never find a real site! Another list of search engines included links, and did appear to include valid search engines, many of which were simply “meta” search engines. (A meta search engine submits your query to several established search engines and collates the results. My favorite is MetaCrawler, although it’s gone downhill recently.) So it appears that there really are 1,000 search engines out there.

The bottom line is: Don’t waste your time with search engine submission services. You’ll get the most traffic out of getting the major search engines to list you. Then you can engage the services of a reputable search engine ranking specialist to help you achieve a favorable search engine position. If you want to learn more about search engines and search engine placement, check out Search Engine Watch. As for me, I decided in the name of journalism to drop 45 bucks on the hits tree concept. I’ll let you know how it turns out.

Search Engine Watch

Briefly Noted

  • Shameless Self-Promotion Dept.:  Look for a new directory, debuting this week: Nanotechnology Resources. Frankly, I was overwhelmed at the amount of information on the Net about this technology and thus didn’t get the directory finished in time for the article in the last SNS. It will feature commercial and academic resources along with pointers to other directories and link pages.
    StratVantage Directories
  • A Foolish Security: Renowned computer security expert Bruce Schneier examined the new changes in airline security in his email newsletter last month. He puts into words better than I can the problems, dangers, and false sense of security half-baked security measures provide:

Computer security experts have a lot of expertise that can be applied to the real world.  First and foremost, we have well-developed senses of what security looks like. We can tell the difference between real security and snake oil. And the new airport security rules, put in place after September 11, look and smell a whole lot like snake oil.

All the warning signs are there: new and unproven security measures, no real threat analysis, unsubstantiated security claims. The ban on cutting instruments is a perfect example. It’s a knee-jerk reaction: the terrorists used small knives and box cutters, so we must ban them.  And nail clippers, nail files, cigarette lighters, scissors (even small ones), tweezers, etc. But why isn’t anyone asking the real questions: what is the threat, and how does turning an airplane into a kindergarten classroom reduce the threat?  If the threat is hijacking, then the countermeasure doesn’t protect against all the myriad of ways people can subdue the pilot and crew.  Hasn’t anyone heard of karate? Or broken bottles?  Think about hiding small blades inside luggage. Or composite knives that don’t show up on metal detectors.

Parked cars now must be 300 feet from airport gates. Why? What security problem does this solve? Why doesn’t the same problem imply that passenger drop-off and pick-up should also be that far away? Curbside check-in has been eliminated. [Note: it’s been reinstated since this was written.]  What’s the threat that this security measure has solved?  Why, if the new threat is hijacking, are we suddenly worried about bombs?

Cryptogram

  • Face Recognition Again: Schneier also eloquently punctures the idea of using face recognition on crowds to separate out the known bad guys. His analysis is much longer, and I refer you to his newsletter for it, but here’s the gist:

Biometrics is an effective authentication tool, and I’ve written about it before. There are three basic kinds of authentication: something you know (password, PIN code, secret handshake), something you have (door key, physical ticket into a concert, signet ring), and something you are (biometrics).  Good security uses at least two different authentication types: an ATM card and a PIN code, computer access using both a password and a fingerprint reader, a security badge that includes a picture that a guard looks at.  Implemented properly, biometrics can be an effective part of an access control system.

I think it would be a great addition to airport security: identifying airline and airport personnel such as pilots, maintenance workers, etc.  That’s a problem biometrics can help solve.  Using biometrics to pick terrorists out of crowds is a different kettle of fish.

In the first case (employee identification), the biometric system has a straightforward problem: does this biometric belong to the person it claims to belong to?  In the latter case (picking terrorists out of crowds), the system needs to solve a much harder problem: does this biometric belong to anyone in this large database of people? The difficulty of the latter problem increases the complexity of the identification, and leads to identification failures.

Getting reference biometrics is different, too.  In the first case, you can initialize the system with a known, good biometric. If the biometric is face recognition, you can take good pictures of new employees when they are hired and enter them into the system. Terrorists are unlikely to pose for photo shoots.  You might have a grainy picture of a terrorist, taken five years ago from 1000 yards away when he had a beard.  Not nearly as useful.

Schneier goes on to point out that thousands of false positives would be generated even if the system were 99.99 percent accurate. In fact, current systems aren’t anywhere near that accurate. The US Department of Defense (DoD) Defense Advanced Research Projects Agency (DARPA) sponsored the Facial Recognition Vendor Test (FRVT) 2000, which concluded that the best false detection rate (FDR) was 33 percent, with a false acceptance rate (FAR) of ten percent. Are you willing to take a one in three chance of being detained as a terrorist the next time you fly?
    Cryptogram
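To make the 1:1 versus 1:N distinction above concrete, here is an added Python example (not from the newsletter or from Crypto-Gram) that computes expected false alarms. It assumes, purely for illustration, a per-comparison false-match rate of 0.01 percent (the “99.99 percent accurate” figure), a hypothetical 1,000-entry watch list, 100,000 passengers a day, and a 90 percent detection rate for anyone really on the list.

```python
"""Added example, not from the newsletter or from Schneier's Crypto-Gram.

Contrasts the two biometric problems the text describes:
  1:1 verification   - one comparison against the enrolled template
  1:N identification - one comparison against every watch-list template
Every rate and size below is a constructed assumption for illustration.
"""


def false_alarm_probability(fmr: float, database_size: int) -> float:
    """Chance that one innocent face is wrongly matched to at least one of
    `database_size` templates, treating each comparison as independent with
    false-match rate `fmr`. With database_size == 1 this is plain 1:1
    verification, so the result is just `fmr`."""
    if not 0.0 <= fmr <= 1.0:
        raise ValueError("fmr must be a probability between 0 and 1")
    if database_size < 1:
        raise ValueError("database must hold at least one template")
    return 1.0 - (1.0 - fmr) ** database_size


def verification_outcome(fmr: float, attempts: int) -> dict:
    """1:1 case (e.g. an employee badge check): each presentation is one
    comparison, so wrongful accepts grow only with the number of attempts."""
    p = false_alarm_probability(fmr, 1)
    return {"per_attempt_false_accept": p,
            "expected_false_accepts": attempts * p}


def screening_outcome(fmr: float, watchlist_size: int, crowd_size: int,
                      true_matches: int, detection_rate: float) -> dict:
    """1:N case (picking watch-listed people out of a crowd).
    `true_matches` is how many people in the crowd really are on the list;
    `detection_rate` is the chance the system catches each of them.
    `precision` is the share of alarms that point at a real match."""
    if not 0 <= true_matches <= crowd_size:
        raise ValueError("true_matches must lie between 0 and crowd_size")
    p_flag = false_alarm_probability(fmr, watchlist_size)
    innocents = crowd_size - true_matches
    expected_false_alarms = innocents * p_flag
    expected_true_alarms = true_matches * detection_rate
    total_alarms = expected_false_alarms + expected_true_alarms
    precision = expected_true_alarms / total_alarms if total_alarms else 0.0
    return {"per_person_false_alarm": p_flag,
            "expected_false_alarms": expected_false_alarms,
            "expected_true_alarms": expected_true_alarms,
            "precision": precision}


# Constructed assumptions: "99.99 percent accurate" read as a 0.01% false-match
# rate per comparison; the watch list, crowd and detection rate are made up.
FMR = 1e-4
WATCHLIST = 1_000
PASSENGERS_PER_DAY = 100_000

if __name__ == "__main__":
    badge = verification_outcome(FMR, attempts=10_000)
    print(f"1:1 badge checks, 10,000/day: "
          f"{badge['expected_false_accepts']:.1f} wrongful accepts")
    crowd = screening_outcome(FMR, WATCHLIST, PASSENGERS_PER_DAY,
                              true_matches=1, detection_rate=0.9)
    print(f"1:N crowd screening, {PASSENGERS_PER_DAY:,} passengers vs "
          f"{WATCHLIST:,}-entry list: "
          f"{crowd['expected_false_alarms']:,.0f} innocent people flagged, "
          f"precision {crowd['precision']:.5f}")
```

The same 0.01 percent error that yields about one wrongful accept per ten thousand badge checks flags roughly 9,500 innocent passengers a day in the crowd case, because each face is compared against every list entry and the errors compound.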

  • Wireless Data and Terrorism: Wireless Internet and Mobile Computing published a six-part Wireless Data and Terrorism report.  The report takes a look at both the failures and value of wireless data in critical situations. It provides emergency wireless data checklists, and examines the industry’s economic outlook in the aftermath of the terrorist attacks.  The most notable failure of the wireless industry during the aftermath of the attacks was a marketing one, according to the report. Because wireless data is treated not so much as a “’second fiddle’ to voice, [but] more like a ‘third piccolo,’” many people who could have benefited either did not know about wireless data services, or did not know how to use them.
    Wireless Internet & Mobile Computing
  • Blinding Flash of the Obvious: OK, am I the last one to figure out the significance of the date chosen for the terrorist attacks: 9-11 or 911 – call for help?
  • Gov Favors Limiting FOIA Disclosure of Computer Attacks: To encourage corporate victims of crackers to report crimes, the White House said it will support proposals to withhold details about electronic attacks against the nation’s most important computer networks, according to an Associated Press story. The Cyber Security Information Act, originally introduced last year and then again this past July, would restrict government agencies’ disclosures about attacks under the Freedom of Information Act (FOIA). The bill has languished in committee since July. I don’t know quite what to think about this one. On the one hand, it’s a given that computer intrusions are under-reported due to fears of liability, competition, and embarrassment. On the other hand, restricting FOIA in this case may lead to the proverbial slippery slope. Perhaps disclosing these attacks to an industry ombudsman would be a good compromise.
    Security Focus

StratVantage – The News – 10/26/01

Nanotubes May Be For Real

I’ve yammered on before about nanotechnology and the huge disruptive effect commercializing this futuristic-sounding technology will have. I recently put nanotech on the list at the TrendSpot at number 13 after realizing I hadn’t added it before. Many readers may have yawned a bit and thought, “Sounds like Star Wars stuff that we’ll be seeing in about 20 years.”

Welcome to the future. If it wasn’t enough of a jolt to realize that 3rdTech is offering the $85,000 Nanomanipulator™ that allows you to manipulate individual molecules and atoms in 3D, or that IBM is making nanotube transistors in the laboratory, then prepare for the real paradigm shift: Startup Nantero is developing NRAM™, a high-density nonvolatile random access memory chip, using nanotechnology. Specifically, they’re using nanotubes, which are long hollow molecules made up of carbon rings. Nanotubes are 100 times stronger than steel, hard as diamonds, and can conduct electricity as well as copper. Typical nanotube diameter is approximately 100,000 times smaller than a human hair. (Don’t get me started on the varying estimates of the width of a human hair. In researching it, I found estimates that varied more than a thousandfold. I even found a tidbit that claimed Japanese hair is twice as thick as European hair. So that’s why they appear to be so much better at miniaturization!) The micrograph at right is of a similar memory array developed at MIT. Each square on the grid is 300 nanometers by 400 nanometers.

Nantero claims to have patented a method of using nanotubes as nonvolatile (meaning the contents don’t disappear when you turn off the power) memory. This could result, according to the company, in “MP3 players with 1000s of songs, PDAs with 10 gigabytes of memory, high-speed network servers and much more.”

The company just received $6 million in venture capital from industry heavyweights like Draper Fisher Jurvetson, and they’re definitely not thinking small, claiming their revenue potential exceeds $100 billion.

If that’s not enough to knock your socks off, you must be wearing nanotube socks, perhaps made in Japan. Gunze Sangyo, Japan’s biggest men’s underwear maker in March unveiled a new process to make fabric using nanotubes. Their rough-edged nanotubes conduct heat more than twice as effectively as copper and would initially find uses in heat sinks to help keep microchips cool. The first device containing the nanotubes is expected to reach the market this year. The tubes are already in production at a joint venture, Nano Graphite Materials Inc, in Ohio.

Argonide Nanomaterials uses a technique that explodes a wire with a huge electrical pulse, firing small particles through cold argon gas. The result is a powder that is 10 to 500 times smaller than that produced by other processes. The company recently received a contract from NASA to investigate the new material for on-board water sterilization filters. Their aluminum nanopowder, Alex®, can be used to accelerate the burning of propellants like those used in artillery shells. Argonide also is developing NanoCeram™, ceramic alumina fibers two nanometers in diameter. The fibers could be used in medical applications as an aid to growing bone because of their bio-adhesive properties. NanoCeram fibers also can be used to remove bacteria and viruses from water.

Nanotubes may also provide a means to set us free from oil dependence. Rhombic is developing a technology that uses carbon nanotubes to store hydrogen in a proton polymer exchange membrane (PPEM) fuel cell. Such fuel cells could replace gasoline as a source of power in cars. Rhombic’s technique grows nanotubes using chemical vapor deposition. Nanotubes turn out to be a great way to store hydrogen, since the space inside the tubes is just wide enough to contain hydrogen molecules. The company hopes to create highly efficient and cheaper fuel cells that combine nanotube hydrogen storage with their innovative Diamond Exchange Membrane (DEM), which separates the anode side from the cathode side in a fuel cell.

Other companies and researchers are trying to create nanomachines, also known as MicroElectroMechanical Systems (MEMS). In fact one MEMS company, Coventor, a provider of MEMS software, ranked 152 on the Inc 500 list of fastest growing companies in the US, experiencing a 1739% increase in sales over five years. I particularly like one of the phrases from Coventor’s Web site: “we work aggressively with customers to summon the future and wire it for power.” O, Future! I summon thee!

One of the most promising areas for MEMS development is the routing of optical signals in fiberoptic networks. On these networks today, the predominant way to route optical signals is to convert them from light-based to electronic, perform the routing, and convert back to light-based. This obviously introduces delays in delivering the information to its destination. Various companies have tried to create mirror-based systems to eliminate the conversion process, but these systems tend to be slow and bulky. Switches built with nanoscale MEMS-activated mirrors, however, promise to overcome the limitations of current solutions. That’s the approach taken by switch maker OMM. Their MEMS-based optical switches have been carrying live network traffic since early last year. OMM recently announced a 32 X 32 switch which they claim reduces the cost of switching 32 channels by 70 percent.

By now you get the idea that nanotechnology is far from science fiction. It’s here, in production, and revolutionizing many industries. I’ve just scratched the surface here, and haven’t even talked about important nanotechnology concepts like self-replication. (For a glimpse of what a future driven by nanotech might look like, I heartily recommend two books: Neal Stephenson’s The Diamond Age, and William Gibson’s Virtual Light.) Companies that make things for a living need to be aware of the challenges posed by new advances in nanotechnology. Even those who make such old-tech products as ball bearings need to be aware. The picture at the left represents a concept of a nanoscale ball bearing, which might have the capability to accelerate from zero to 500 billion revolutions per second in a fraction of a nanosecond. No one’s building it yet, but just wait.

O, Future! I summon thee!

ZDNet Australia

Briefly Noted

  • Shameless Self-Promotion Dept.:  Look for a new directory, debuting early next week: Nanotechnology Resources. Frankly, I was overwhelmed at the amount of information on the Net about this technology and thus didn’t get the directory finished in time for this article. It will feature commercial and academic resources along with pointers to other directories and link pages.
    StratVantage Directories
  • Sprint Readies Visor Phone Plug-in: A GSM cell phone module that plugs into the PalmOS-based Handspring Personal Digital Assistant (PDA) has been available for some time. Now Sprint gets into the act with an add-on module called The Sprint PCS Wireless Web Digital Link. The gadget allows users to make calls and surf the Web on the SprintPCS network and is expected to begin shipping next month for around $250. Right now, however, you can buy it for $49 from Handspring with service activation. Or, you can get the GSM module, with service from Cingular or VoiceStream, for free with activation. OK, I read that news item in Emazing’s Wireless Tip of the Day, and so I go to Sprint’s and Handspring’s sites to check it out. Nothing. Not so much as a word about this module. Either Emazing has a scoop, or this item is erroneous. You decide.
    Handspring
  • Track the Crackers: The DShield site is used by firewall administrators worldwide to post information about attempted break-ins. The site collates the information and displays graphs of the most active cracker network addresses and pie charts of the types of exploits attempted. You can even see a five-day “movie” to see how attempts are changing over time. You can also check out your IP address to see if crackers have used your machine to launch exploits.
    DShield
  • Securing Wireless LANs:  As I’ve pointed out in previous issues of SNS, the basic security scheme built into 802.11b or Wi-Fi wireless networks is easily defeated. So it comes as no surprise that there are folks out there who roam the streets looking for unsecured Wi-Fi connections. What they do with them depends on whether they are white hat or black hat hackers. An article at IBM’s wireless site profiles Internet security consultant Peter Shipley, who trolls the streets of San Francisco in his black Nissan looking for Wi-Fi connections. According to Shipley, “A majority of people are running their APs [Access Points] in effectively open mode – basically wide open, no encryption . . . The only true solution I find at this point – and probably in the future – is to set up IPsec. You wish to place your WAPs or APs – your wireless access points – on a DMZ zone. This DMZ zone should be restricted from the Internet and from your internal network. And the only thing you should allow out of this DMZ zone are connections or computers that have authenticated themselves with IPsec.” What this means in English is: Set up some primary security on your wireless network, based on a standard called IPsec. Don’t trust the built-in security of your Wi-Fi system. Isolate your wireless network from Internet access and from your internal network, and control access to these resources using IPsec.
    IBM DeveloperWorks
  • The High Tech Hunt for Bin Laden:  The coalition is using some very high tech gadgets in their hunt for suspected terrorist mastermind Osama Bin Laden, according to a Reuters story. The gear includes miniature motion sensors hidden on the ground and in rocks that can detect whether caves and bunkers are in use, British Canberra photo-reconnaissance aircraft which can produce images 100 miles from a target, and “keyhole” satellites that can take detailed pictures from space and can be maneuvered into the best orbit to look at Afghanistan.
    Security Portal
  • Coordinated Cyberattacks Stopped on 9/10/01: This item belongs in the Very Strange Coincidence Department. According to California Attorney General Bill Lockyer, well-coordinated cyberattacks that targeted computers in California and 21 countries over three months ended abruptly on September 10th in an eerie prelude to the terror attacks of the 11th. Lockyer said the 120 attacks attempted to strike university, business and government agency computers and were systematic, extensive and appeared to be government sponsored. “There’s a lot of hacking that goes on that’s not this disruptive or expensive,” Lockyer said. “This was notable in that it was sophisticated enough to be beyond the capacity of ordinary hackers. So it suggests that there’s actual government involvement on the other end.” The state is working with the FBI to investigate the attacks.
    Contra Costa Times
  • Java Phones on the Rise: Most of your garden-variety pundits and prognosticators won’t tell you when they’ve been wrong. This is unfortunate, because predicting the future is a very risky business, and because of that, much of what you predict turns out to be wrong. Well, I had two predictions go sour so far this year. I predicted that Japan’s DoCoMo wouldn’t meet their October target for releasing their third generation wireless network. They did. I also predicted that we wouldn’t be seeing Java support on phones for a while. There are more than 25 Java phones listed on the JavaMobiles site. Hey, if punditry wasn’t hard, everyone would do it!
    JavaMobiles
  • No Comment: Microsoft includes the following statement in the license for FrontPage 2002: “You may not use the Software in connection with any site that disparages Microsoft, MSN, MSNBC, Expedia, or their products or services.”
    InfoWorld
  • Carbon-Based Computer Memory: In one of those wonderful examples of scientific serendipity, a researcher who was hunting for high-temperature superconductors instead found the first non-metallic magnet to work at room temperature. The material is transparent, flexible, made from buckyballs, an exotic form of carbon in which the atoms form a sphere. Since carbon is much lighter than other magnetic materials, the substance could be ideal for creating computer memories of unprecedented capabilities.
    New Scientist


StratVantage Consulting, LLC — Mike’s Take on the News 10/23/01


Clipped from: http://www.stratvantage.com/news/102301.htm

The News – 10/23/01

Security Problems Plague All Operating Systems

Alert SNS Reader Larry Kuhn (speaking for himself and not his employer) points out that Microsoft is not the only operating system maker plagued by security problems. This is certainly true, and is a point I have made repeatedly in the past. However, it can’t be stressed enough that just because you follow my advice and don’t expose Microsoft OSes to the Internet, you can’t be complacent. As I always say, if you’re not terrified about security, you’re not paying attention.

Larry sent along a link to an article written by TechRepublic and published by ZDNet Australia that compares the raw number of bugs for various operating systems tracked through the Security Focus Bugtraq system. Bugtraq is a commonly used repository for reports and questions about security bugs. The TechRepublic article appears to have counted the bug reports for major OSes so far in 2001 and placed the results in this table:

The article makes the point that Microsoft Windows 2000 at number 7 is far from the most-buggy OS, and this appears to be true from this analysis. What’s especially comforting for Microsofties is that last year, Windows NT 4.0 was the bug champ, with Windows 2000 taking fifth place. Two factors have probably influenced this better showing: Lots of companies have replaced Windows NT with Windows 2000, and both platforms have benefited from fixing previously reported bugs. Windows 2000, for example, is already on Service Pack 2. (A Service Pack is a compilation of bug fixes that users download and install over an existing installation. SP-2 is 101MB in size; hardly a quick download.)

Now I’m a little skeptical of the numbers, and wonder, as did a responder to the article in TechRepublic’s talkback forum, if a raw bug count is really all that relevant. Of more importance is the amount of time for the vulnerability to get fixed, the severity of the vulnerability (is it in the wild, or theoretical?), and the source of the bug report (was it found through a code review or because it has been actively used to circumvent security?). The poster asserts that closed source vulnerabilities (like Microsoft’s) are almost always found because someone has compromised the service, since there is no independent review of the code as there is in Open Source Software.

Nonetheless, the results underscore Larry’s point: “People shouldn’t feel safer only because they’re using a non-MS OS. I think that’s the only meaningful conclusion that can be drawn from this article. IMHO, there are non-technical folks at the CxO level who read stuff like the Gartner recommendation to ditch IIS and mistakenly come to believe that the same type of risks aren’t possible in the alternative environments.” I couldn’t agree more. Just because you locked the front door doesn’t mean burglars can’t get in the windows (no pun intended! ö¿ð ).

Incidentally, front page news at Security Focus is a report that a hacker named Beale Screamer has cracked Microsoft’s Digital Rights Management (DRM) copyright protection scheme, which is planned for use in securing audio files. Another front page article reports that hackers can get users’ passwords from Cayman Systems’ popular 3220-H DSL router. Both these items underscore the need not to be complacent, or to feel that securing your computer OS is all you need to worry about.

Larry continues, once again making a lot of sense: “Security (or the lack of it) is a multifaceted problem – People, Processes and Technology. Any Technologically secure system can be compromised by an untrained person (someone who sets the "sa" password to blank), or by well-trained people who don’t follow processes (like stickies on the monitor with passwords written on them, or by not applying security patches as they become available) that ensure the security of the system.”

Larry points to an online tool you can use to assess the security of your system, the Microsoft Personal Security Advisor, written by folks right here in the Twin Cities, Shavlik Technologies, who make an enterprise version of the tool. The PSA will check the strength of your passwords and see if you’ve applied all the relevant security patches on your system. I think everyone in your enterprise should run it and act on its recommendations.

The bottom line is, as much as I malign Microsoft, they’re by no means the only folks with security problems. Being the world’s most popular operating system means there are a lot more crackers out there trying to break their stuff, and that means their problems are ballyhooed in the press. But, hey, who said being a monopoly had to be fun? There are advantages to adopting Open Source Software for your Internet-exposed Web systems. Such systems are supported by fanatical, and I mean really fanatical, software zealots who consider it a point of pride to find and eradicate all bugs as quickly as possible. Even if Microsoft, or, heck, even Sun, for that matter, gets really serious about security, they will be hard pressed to match the dedication of OSS supporters. If you must use Microsoft software on the Internet, then you must accept as part of the Total Cost of Ownership (TCO) the responsibility to constantly update the software with the latest patches and to be eternally vigilant. In larger enterprises, this obligation can translate into dedicating one or more employees to the task.

If you’re not terrified about security, you’re not paying attention.

ZDNet Australia

Briefly Noted

  • Shameless Self-Promotion Dept.: I’ve added a security news ticker to the StratVantage Security Web page. It scrolls up-to-date information about viruses, worms, hoaxes and other items of interest regarding computer security. Check it out.
    StratVantage Security Resources
  • Are You Ready for CRM? I’ve had a problem with the area known as Customer Relationship Management (CRM) for some time. It’s a catch-all category for everything from contact management and sales force automation to call center management, database marketing, and data mining. Talk to one person about CRM, and they think you’re talking about contact management software like ACT! or GoldMine. Talk to another and they think about email marketing. A third person thinks about call center management. It’s too confusing to lump all these customer touch areas under one acronym. Often businesses need help in sorting it all out. Taylor Harkins Group publishes a newsletter that helps companies make sense of the various issues in CRM, and in their latest issue they list questions you should ask yourself to assess organizational readiness before considering a CRM system:
  • Do you know why your customers buy from you? Can you find prospective customers just like your current customers?
  • Can you match your key products and services against products and services of your competitors? What are the strengths and weaknesses? Are you selling against them?
  • Who are future purchasers of your products and services? What do they look like?
  • Do you know why your customers are not buying from your competitors?
  • Will changes in the economy have an influence on your customers’ ability to purchase your products and services? How?
  • Will changing demographics have an impact on your business? How?
  • If your product or service is regulated will pending changes in legislation affect your profitability? How?

Taylor Harkins Group

  • Wireless Videoconferencing: Tandberg of Norway has announced one of the first videoconferencing products capable of running on an 802.11b Wireless LAN (WLAN). The Tandberg 1000 consists of an LCD screen with multiple network interfaces including IP, ISDN, and WLAN. In wireless mode, you only need to plug the power cord in the wall, and off you go. Of course, you’ll have to have a compatible wireless LAN running in your home or office first. The company envisions folks just grabbing it and toting it from office to office as the need for videoconferencing hits. The unit requires a PC/PCMCIA card that fits into the slot at the top and interfaces with your WLAN. Pricing starts at $5,490.

    And completely off the subject, who else thinks that looks like Ross Perot in the picture to the left?
    Tandberg

  • Life in Prison for Hacking? A new bill being considered in Congress calls for life in prison without a possibility of parole for people who engage in computer trespass, also known as hackers. The Anti-Terrorism Act, AKA the ‘‘Uniting and Strengthening America Act’’ or the ‘‘USA Act of 2001’’, has lots of folks up in arms about this provision. The Electronic Frontier Foundation has publicly condemned the bill for treating low-level computer intrusion against the government, already a crime under existing laws, as an act of terrorism. Let’s keep it together, people!
    East Carolinian
  • Record Industry Profiteering: As if upping the penalties for hacking wasn’t enough, our friends at the Recording Industry Association of America (RIAA) tried to glue a self-serving hacking-authorization amendment onto the Mom & Apple Pie, er, Uniting and Strengthening America Act. The amendment, authored by RIAA lobbyists, would have exempted any actions the RIAA would take to preserve their copyright from the anti-hacking provision. This means the RIAA would have carte blanche to attack anyone who tried to circumvent their copyright or Digital Rights Management (DRM) schemes. That’s pretty extreme, and we can be thankful the amendment was dropped.
    Wired
  • Cracking Attacks on Pace to Double: According to Carnegie Mellon University’s Computer Emergency Response Team/Coordination Center (CERT/CC), attacks on Internet computers should easily double last year’s reported number. Already, the number of security incidents reported has reached 34,754, a 60% increase over the 21,756 incidents logged last year. We’re on a pace to see more than 46,000 reported security attacks, more than twice last year’s number.
    Newsbytes
  • The Sky Is Falling: The FBI appeared to put their foot in it when they named the file containing the press release warning that Americans should expect additional terrorist attacks. The two-sentence press release on FBI.gov said there “may be additional terrorist attacks within the United States and against U.S. interests overseas over the next several days.” That’s bad enough, and contributed to the mixed message we’re all hearing these days: Be aware and worried; act normal or the terrorists will win. Even more worrisome, however, was the name the FBI chose to give the file that contained the Web version press release: http://www.fbi.gov/pressrel/pressrel01/skyfall.htm. Skyfall? As in Chicken Little? Or as in the novel Skyfall from the ‘70s? Or as in the name of a Transformer, Skyfall the Action Master (pictured)? The FBI could answer none of these questions, and eventually retitled the file. Things that make you go “Hmmmmmm.”

  • A Sound Link: US Robotics has released a cool gadget that sets up a wireless connection of up to 1,000 feet between your computer and stereo. So if you’re tired of listening to your MP3s (lawfully ripped from your own, fully licenced CDs, of course) on your dinky computer speakers, this $100 toy’s for you.
    US Robotics


StratVantage Consulting, LLC — Mike’s Take on the News 10/11/01


Clipped from: http://www.stratvantage.com/news/101101.htm

The News – 10/11/01

In this Issue:

Someone to Watch Over Us

In the wake of the terrorist attacks, many people have wondered if one of the new battlefronts will be cyberspace. In fact, in a previous SNS, I reported the cracking of a German Islamic extremist Web site and the posting of subscribers’ names on a Swiss server. How well are we prepared for infowar? And who will fight it?

One of the forces that will fight to protect US networks is InfraGard, a cooperative undertaking between the FBI and an association of businesses, academic institutions, state and local law enforcement agencies, and other participants. InfraGard’s mission is to ensure the security of critical US infrastructures such as energy, banking and finance, water systems, government operations, emergency services, telecommunications and the Internet. To do so, they work with the National Infrastructure Protection Center (NIPC), a governmental organization that is dedicated, in part, to “detect, deter, assess, warn, respond, and investigate unlawful acts involving computer and information technologies and unlawful acts, both physical and cyber, that threaten or target our critical infrastructures.”

The NIPC and InfraGard are responding to the requirements of Presidential Decision Directive (PDD) 63, which President Clinton created on May 22, 1998. The directive orders the strengthening of the nation’s defenses against emerging unconventional threats to the United States, to include those involving terrorist acts, weapons of mass destruction, assaults on our critical infrastructures, and cyber-based attacks. PDD-63 calls for a national-level effort to assure the security of the increasingly vulnerable and interconnected infrastructures of the United States.

While the FBI has called for managers of physical infrastructure to go to a high alert status, it may be even more important for networking and computer professionals to be on alert. This is because many physical infrastructure resources are controlled by computers, and the security of these computers has been compromised in the past. For example, several times this past spring, crackers attempted to gain access to the servers at California’s Independent System Operators (Cal-ISO), the agency that manages the state’s electrical supply and decides when rolling blackouts will occur. The crackers apparently got close to disrupting the flow of power in California during the rolling blackouts that occurred in May.

Many pieces of critical infrastructure today are controlled by Supervisory Control And Data Acquisition (SCADA) systems, which are basically networked computer systems. Like any networked computer system, SCADA systems can be vulnerable to attacks. Some of these systems, like GE SmallWorld’s PowerOn™ electrical distribution system or Encorp’s Virtual Power Plant power dispatching system, are based on Microsoft Windows products, and many have Internet-enabled features (using Microsoft’s Internet Information Server (IIS)) for convenience.

Regular readers may remember I am not a fan of Microsoft products being exposed to the Internet. Well, I’m obviously not alone. Industry analyst GartnerGroup agrees:

IIS security vulnerabilities are not even newsworthy anymore as they are discovered almost weekly . . . As Gartner warned in 1999, pulling complex application software into operating system software represents a substantial security risk . . . Microsoft has discussed its Secure Windows Initiative, which details a well-thought-out program for improving Microsoft’s development processes to avoid repeating the same security mistakes that led to vulnerabilities in Windows NT and Windows 2000. However, the same old buffer overflow problems appearing in beta Windows XP code raises doubts over whether the security assurance tools Microsoft has implemented will effectively reduce the number of well-known security bugs that continue to show up in Microsoft products. For Microsoft’s vision of .NET and Web services to succeed, Windows XP will have to be significantly more secure than Windows 2000 has proven to be; otherwise, Microsoft risks losing some enterprise business to more-secure implementations of Web services.

To reduce their vulnerability, Windows-based SCADA systems may be hardened and protected by third party software, such as that available from Visual Automation. But the fact remains that many critical infrastructure systems are run by software from a vendor that has, to date, had serious problems with security vulnerabilities. And that makes me, for one, more than a little worried. It’s one thing for Web sites to be hacked. Even if the companies attacked lose millions, it’s only money. It’s yet another thing for critical infrastructure systems to be attacked, by joyriding script kiddies or by terrorists; the result could be disastrous. Here’s hoping the newly created Homeland Security Agency will act to bolster groups like InfraGard and will issue strong new guidelines for the use and protection of the software that controls vital services.

In the spirit of acting locally, here are some steps, courtesy of InfraGard, that you can take to improve your personal and company security:

  • Use strong passwords. Choose passwords that are difficult or impossible to guess. Give different passwords to all accounts.
  • Make regular backups of critical data. Backups must be made at least once each day. Larger organizations should perform a full backup weekly and incremental backups every day. At least once a month the backup media should be verified.
  • Use virus protection software. That means three things: having it on your computer in the first place, checking daily for new virus signature updates, and then actually scanning all the files on your computer periodically.
  • Use a firewall as a gatekeeper between your computer and the Internet. Firewalls are usually software products. They are essential for those who keep their computers online through the popular DSL and cable modem connections but they are also valuable for those who still dial in. [Editor’s note: I prefer ZoneAlarm, which is free for personal use.]
  • Do not keep computers online when not in use. Either shut them off or physically disconnect them from the Internet connection.
  • Do not open email attachments from strangers, regardless of how enticing the Subject Line or attachment may be. Be suspicious of any unexpected email attachment from someone you do know because it may have been sent without that person’s knowledge from an infected machine.
  • Regularly download security patches from your software vendors.

You can also learn more about computer security at the StratVantage Security page. If these measures fail, and your company is a victim of a cyber break-in, it’s important to preserve the evidence so the perpetrators can be located. ZDNet recommends you take the following steps:

  • Record every action you take. Include the date and time.
  • Preserve evidence, no matter how small.
  • Think prosecution: every action you take should help build a possible court case against the perpetrators.
  • Notify key personnel immediately.
  • Limit the scope of the attack as quickly as possible.
  • Preserve all audits (disable any system log purges or overwrites).
  • Implement additional security, if necessary or available.
  • Review the incident response plan in light of the recent event and revise accordingly. Remember that any response plan is just a “work in progress.”
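As an added example (my own code, not from the article or from ZDNet), here is a small Python incident log that implements the first three steps and the "preserve all audits" step: every action is timestamped, any captured evidence is fingerprinted with SHA-256, and entries are hash-chained so that a later edit or deletion breaks the chain and can be detected. The host name, IP address and log lines are constructed for the demonstration.

```python
"""Hash-chained incident action log (added example, not the article's code).

Each entry records when an action was taken, who took it, the SHA-256 of any
evidence captured at that moment, and the digest of the previous entry. A
verifier can later prove the record was not edited or reordered, and that a
piece of evidence re-read from storage is byte-identical to what was captured.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # stands in for "previous digest" on the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Digest of an entry over canonical JSON (fixed key order, no spacing)."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canon)


class IncidentLog:
    def __init__(self, handler: str) -> None:
        self.handler = handler            # who is recording (chain of custody)
        self.entries: List[dict] = []

    def record(self, action: str, evidence: Optional[bytes] = None,
               when: Optional[datetime] = None) -> dict:
        """Append one action; `evidence` is the raw bytes of anything captured
        (a copied log file, a packet dump). Only its fingerprint is stored."""
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "time": when.isoformat(),
            "handler": self.handler,
            "action": action,
            "evidence_sha256": sha256_hex(evidence) if evidence is not None else None,
            "evidence_len": len(evidence) if evidence is not None else 0,
            "prev": prev,
        }
        entry["digest"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the seq of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e["seq"] != i or e["prev"] != prev or entry_digest(e) != e["digest"]:
                return i
            prev = e["digest"]
        return None

    def evidence_matches(self, seq: int, data: bytes) -> bool:
        """True if evidence re-read later is byte-identical to what was captured."""
        return self.entries[seq - 1]["evidence_sha256"] == sha256_hex(data)


# Constructed sample: syslog-style lines standing in for an auth log copied
# off the affected host before any log rotation or purge could run.
SAMPLE_AUDIT = b"\n".join([
    b"Oct 11 02:14:07 web01 sshd[812]: Failed password for root from 192.0.2.7",
    b"Oct 11 02:14:09 web01 sshd[812]: Accepted password for root from 192.0.2.7",
    b"Oct 11 02:15:30 web01 cron[901]: (root) CMD (/tmp/.x/run.sh)",
])


def run_example() -> IncidentLog:
    """Walk through the first few response steps and return the resulting log."""
    log = IncidentLog(handler="on-call admin")
    log.record("Paged by IDS alert; opened incident ticket")
    log.record("Copied /var/log/auth.log from web01 to evidence share",
               evidence=SAMPLE_AUDIT)
    log.record("Disabled logrotate purge on web01 (preserve audits)")
    log.record("Isolated web01 at the switch port (limit scope)")
    return log


if __name__ == "__main__":
    log = run_example()
    for e in log.entries:
        print(e["seq"], e["time"], e["action"], e["digest"][:12])
    print("chain intact:", log.verify() is None)
```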

You may be wondering whether you’ll be able to prosecute even if you catch the criminals. The National Security Institute maintains a list of computer crime laws by state.

And hey, hey, hey! Let’s be careful out there!

InfraGard at Iwar.org

Briefly Noted

  • Shameless Self-Promotion Dept.: I’ve added a new directory to the Directories section of the StratVantage Web site: Email Newsletters. After conducting a fruitless search for a central place listing interesting email newsletters, I decided to establish one myself. I’ve seeded it with newsletters I receive and find useful. If you’ve got a favorite, send it along and I’ll add it.
    StratVantage Directories
  • Advertising Has Changed: Stan Hustad, a performance coach with PTM Group, quoted a discussion with advertising executives John Partilla and Mike Campbell in his recent newsletter. The pair discussed how advertising will change in the post-Tragedy world: “Cynicism will go by the wayside. It’s just not cool anymore. Relevance will be really important in terms of how you try [to] tie in what’s happened. I see every piece of work that goes out of the agency, [to see] if it has humor in it, if there is humanity in it, a humility that feels appropriate. You don’t need big focus groups [to determine what people want]. You can see it in the faces of people on the street. People are really tender right now. They don’t want to be presented with advertising that is too in-your-face.” Words to remember if you’re planning an advertising campaign. Stan’s newsletter, The Coaching Connection, offers tips on self-improvement and performance optimization as well as business and marketing tips. I heartily recommend it.
    PTM Group
  • Toshiba Rolls Out Handheld: Last week, Toshiba became the latest vendor to embrace Microsoft’s Personal Digital Assistant (PDA) Pocket PC platform. Microsoft also announced its latest revision of the system, dubbed Pocket PC 2002, available now. This is the first year-named product that Microsoft has released ahead of the year, as far as I can remember. Toshiba, on the other hand, doesn’t even mention their new product on their US Web site. Now that’s a great way to roll out a brand new product! While many industry analysts predict Microsoft will continue to take share from Palm, the price and still-poor usability will slow their momentum. The Palm platform got a boost recently when Samsung rolled out a new color PDA/cell phone for use on Sprint’s cellular network. The unit uses the Palm operating system, comes with 8MB of memory and supports Wireless Application Protocol (WAP), HTML and i-mode’s cHTML.
    Microsoft
  • First US GPRS Network Expands: AT&T, which established the first General Packet Radio System (GPRS) cellular network in Seattle a few months ago, is expanding the network to three more cities: Las Vegas, Phoenix and Portland. Unlike the Seattle area, coverage in these new cities seems to be fairly extensive. GPRS offers voice and data, with data speeds as high as 144 Kbps. Typical performance, however, is likely to be 56Kbps, the speed of today’s wireline modems. The company said it’ll roll out Detroit in the next few weeks, serve about 40 percent of current customers with GPRS by the end of the year, and serve all its markets by the end of 2002.
    AllNetDevices
  • Are U Ready 4 a New Buzzword? Let’s see. We’ve had eBusiness and e-Tail (stupid buzzword alert), eCommerce and m-Commerce (mobile commerce). Next, we’ll start hearing about u-Commerce, or ubiquitous, universal commerce. In the future, according to Accenture’s think tank, the Accenture Institute for Strategic Change, you can wirelessly buy anything from anyone anywhere in the world. (Lest we get too starry-eyed, we need to realize there are places in the world where livestock is the only going currency.) The company predicts 630 percent growth worldwide for net-connected wireless devices over the next four years. Despite its breathlessness, I more or less agree with this forecast. As I’ve predicted in the TrendSpot, I fully expect ubiquitous computing, where computing becomes not a place you go, but a service you get from your environment, to arrive by the end of the decade. Local area networking schemes like 802.11b (or successors) and Bluetooth are starting to make this happen today. Will this new acronym stick? Well, a casual perusal of the Web using Google turns up some supporters: Visa (who apparently coined the buzzword), the Association for Computing Machinery, and South Africa’s McCarthy Online.
    Accenture
  • How Can You Be In Two Places At Once, When You’re Not Anywhere At All? A company called Teleportec has the coolest technology I’ve seen in a long while. Using three ISDN lines (roughly 384Kbps), a person using their $70,000 Teleportec Podium can project his or her image from the waist up to a remote location and appear lifesized and in 3D. Only one of the men in the picture to the left is really there; the other is hundreds of miles away. The company has tried it out with several businesses. It also makes a large Teleportec Theatre that is 20 feet across with an 11 foot wide “teleportation zone” designed for panel discussions or telemeetings. Given the recent events, all kinds of virtual meeting technology will likely be given a boost (witness WebEx’s 30 percent stock rise on the first day of trading after the terrorist attacks). If Teleportec’s technology is as good as they say it is, look for them to put the others in the shade quicker than you can say, “Help me, Obi-Wan!” The applications aren’t limited to distance learning and business conferencing, however, as illustrated by the Digie award given Teleportec by Realcomm, a realty eCommerce conference.
    Teleportec
  • Encryption a Threat? Alert SNS Reader Jeff Ellsworth sends along this article regarding the role encryption may have played in the recent tragedy. There is evidence that terrorists have used commonly available public key encryption tools as well as the more sophisticated technique of steganography in their communications. Steganography is the embedding of secret messages in binary files such as image or music files. The sender alters a few bits in the file, typically the least significant bit of each pixel or audio sample, and the change is invisible when the file is viewed or inaudible when it is listened to. Unlike encryption, which hides what a message says, steganography hides the fact that there is a message at all, which is why it is often combined with encryption. There have been claims that the terrorists regularly used pornography files to communicate. Now Sen. Judd Gregg (R-N.H.) has proposed making it mandatory that software developers give government security agents the “keys” to encryption programs when they are created. The government tried this once before, in 1993, with a technology called the Clipper Chip. The idea was that everyone would use the government’s encryption scheme, which had a “law enforcement back door” in the form of escrowed keys. This scheme was roundly criticized as unworkable by pretty much every knowledgeable security expert. Three main criticisms illustrate the folly of the Clipper Chip:
    1) Because the government kept the Clipper algorithm secret, the security community couldn’t review it or point out any deficiencies
    2) Crackers would inevitably find ways to use the back door to their advantage
    3) Nobody in their right mind outside the US would ever use this technology if the US government could eavesdrop on them, so it would be useless in protecting us from foreign terrorists

    The criticisms were not just theoretical: in 1994 Matt Blaze of AT&T Bell Labs showed that the chip’s escrow mechanism could be defeated, letting a user keep the approved hardware while denying law enforcement the back door it was built for. I really hope we don’t need to go down the Clipper path yet again. Phil Zimmermann, the creator of Pretty Good Privacy, a popular encryption technology, believes human footwork will be more useful in catching terrorists than more surveillance technologies: “It’s not practical to frisk everyone on the planet to find the one person with a box cutter.”
    WashTech.com

  • Unsafe At Any Speed? Alert SNS Reader Bill Lehnertz sent along a pointer to a McKinsey Quarterly article, How Fast is Too Fast? It’s a nice analysis of the “Internet time” mania that gripped many of the dot-coms. The authors studied 80 Internet companies, including business-to-consumer (B2C) companies, business-to-business (B2B) companies, and infrastructure providers. They tried to determine the speed with which each built its business—and the outcome. One of the companies examined is my favorite dot-com/exchange success story: Altra Energy.
    McKinsey Quarterly (registration required)
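
The steganography item above describes changing “a few bits” of an image or sound file. What follows is an added example, not code from the original page or from any product it mentions: it embeds a message in the least significant bit of each sample of a constructed 8-bit cover buffer, reads it back, and measures how small the change is. The cover, the message, the 2-byte length prefix and all function names are ours.

```python
"""Least-significant-bit (LSB) steganography on a constructed image buffer.

Added example; not code from the StratVantage page or any tool it mentions.
The cover "image" is a constructed list of 8-bit sample values (a synthetic
gradient), not a real file, so this runs offline. All names are ours.
"""

# Constructed cover: 4096 eight-bit grayscale samples, as a 64x64 image would hold.
COVER = [(i * 7) % 256 for i in range(4096)]


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels: list, message: bytes) -> list:
    """Return a copy of `pixels` whose LSBs carry a 2-byte length prefix and `message`.

    Only the lowest bit of each sample is touched, so no sample moves by more
    than 1 on a 0..255 scale; that is why the result looks and sounds like the cover.
    """
    if len(message) > 0xFFFF:
        raise ValueError("message too long for a 16-bit length field")
    payload = len(message).to_bytes(2, "big") + message
    if len(payload) * 8 > len(pixels):
        raise ValueError("cover too small: need %d samples" % (len(payload) * 8))
    stego = list(pixels)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def _read_bytes(pixels: list, start: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs of `pixels`, beginning at sample `start`."""
    out = bytearray()
    for b in range(count):
        byte = 0
        for k in range(8):
            byte = (byte << 1) | (pixels[start + 8 * b + k] & 1)
        out.append(byte)
    return bytes(out)


def extract(pixels: list) -> bytes:
    """Recover a message written by `embed`.

    Raises ValueError when the length read from the LSBs cannot fit in the
    buffer, which is the usual symptom of a buffer that never carried a message.
    """
    if len(pixels) < 16:
        raise ValueError("buffer too small to hold a length field")
    length = int.from_bytes(_read_bytes(pixels, 0, 2), "big")
    if 16 + 8 * length > len(pixels):
        raise ValueError("length field %d does not fit; not a stego buffer" % length)
    return _read_bytes(pixels, 16, length)


def changed_samples(cover: list, stego: list) -> int:
    """Number of samples that differ between cover and stego buffer."""
    return sum(1 for a, b in zip(cover, stego) if a != b)


def max_sample_delta(cover: list, stego: list) -> int:
    """Largest per-sample change; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    stego = embed(COVER, b"meet at dawn")          # constructed message
    print(extract(stego))                            # b'meet at dawn'
    print(changed_samples(COVER, stego), max_sample_delta(COVER, stego))
```

Run it and extract() returns the message while no sample has moved by more than one grey level, which is why the change is invisible to the eye. Two caveats a practitioner would add: the scheme hides the message but does not protect it, since anyone who suspects the file can read the bits out as easily as this script does, which is why it is normally combined with encryption as the article describes; and LSB embedding flattens the statistics of the LSB plane in ways that dedicated detectors can pick up, so “invisible when viewed” is not the same as undetectable.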


StratVantage Consulting, LLC — StratVantage News Summary 10/02/01

Clipped from: http://www.stratvantage.com/news/100201.htm

Wireless Almost Usable

User interface guru Jakob Nielsen has been a curmudgeon about wireless devices ever since they started sprouting interactive features. He’s an advocate of the plain and simple, and of intuitive interfaces. So there’s no wonder he hated the phones that make you press the “7” key four times to type an “S”. After his visit to the recent DEMOmobile conference in La Jolla, California, however, Nielsen’s changing his tune, at least somewhat.

First off, he found a number of interesting wireless developments at the conference:

  • iPaq is now the mobile device of choice and was the platform for almost all new services. I’ve noted this trend myself, and that has led to a re-ranking of Personal Digital Assistant (PDA) technology in the TrendSpot this month. According to Nielsen, last year most start-ups based their systems on Wireless Application Protocol (WAP) phones, and WAP is now widely viewed as a limited and wounded technology. At the conference, virtually all presenters saw WAP as doomed. Nielsen, a strong WAP opponent, agrees: “Think of the hundreds of millions of dollars that could have been saved last year if the VCs had bothered running a WAP usability study.”
  • Palm is still around, but used by dramatically fewer services at this year’s conference than last year. Palm’s inability to capitalize on its commanding lead in PDA sales by offering a decent development environment may have led to its loss of market share. Its primary advantages nowadays are its ubiquity and its smaller size. Plus, it may have been a blunder to offer a proprietary expansion standard, unlike the iPaq and other Pocket PC PDAs, which use standard PC Cards. Sony may yet be able to morph the Palm into a consumer device, but the ease of programming and of porting existing applications onto the Pocket PC platform could well spell the end of Palm’s dominance.
  • The PC is emerging as a personal server that supports a user’s mobile devices, often through its wired Internet connection. This is an interesting new trend, an extension of the PC’s role in synching contact and calendar information. For example, SimpleDevices downloads music to the PC and transmits the audio files wirelessly to the user’s car when it is within range. How cool is that? Nielsen notes that although SimpleDevices can’t support real-time news, it does offer a virtual broadband connection to the car.
  • Cheap humans add value to the network. (Editorial Aside: One of the problems of this world is that there are cheap humans, IMHO.) “Copytalk and Webhelp both presented ingenious ways of injecting full intelligence into a mobile system,” Nielsen said. “Users simply speak their information request; the system then compresses the audio recording into a data file and transmits it through the Internet, to locations where highly qualified labor is virtually free.” This makes possible all kinds of services, such as a human-powered AskJeeves-like service. According to Nielsen, a human expert at web searching could research the user’s question and transmit the answer back for less than a dollar. Once the answer arrives, it can be converted to speech using text-to-speech synthesis and played for the user.
  • 802.11 is now the wireless connectivity of choice and, according to Nielsen, was used by almost everybody at the conference. This is a big change from last year, when Bluetooth was on the rise. This year, Bluetooth was almost gone, Nielsen said. Followers of the TrendSpot know that I have downgraded Bluetooth consistently over the last three months, and this month is no different. But now there’s a growing feeling that 802.11b, the short-range wireless network technology, combined with Voice over IP (VoIP), a technology that routes phone calls over the Internet, could threaten cell phone networks as well. This has given 802.11b a boost in the TrendSpot rankings this month.

Although Nielsen was generally positive about one new device that debuted at the show, Danger Research’s Hiptop (OK, that’s a stupid name alert times two!), he had some criticisms of its user interface. The Hiptop, which people at the show were calling the Danger Device, is a 6-ounce Personal Digital Assistant (PDA) and cell phone with a small but readable grayscale screen. The device has a thumbwheel control and a few visible buttons, leaving most of the room for the screen. You can browse the Web (with full graphics), send and receive e-mail and instant messages, or use it as a phone. The Hiptop also lets you take pictures and play video games and other Java programs. What’s really nice, however, is the teeny thumb keyboard that you can expose by twisting the device.

The bummer for US wireless users, however, is that the Hiptop is a GSM phone, which means only Cingular and Voicestream will be able to sell it here, for about $200. Since GSM networks in the US are just getting started, that means accepting less-than-optimal coverage for the privilege of having the coolest wireless device on the block.

Nielsen is not convinced that tiny keyboards are the solution for mobile devices, putting his bets on improved handwriting recognition (it would have to improve a lot to read mine) and voice recognition. He also doesn’t like trackwheels, calling them unnatural (but then so was the mouse the first time you used it, yes?).

Whether the Danger device becomes the next big thing here will depend a lot on the progress in the US of GSM and of GPRS, the packet-data service layered on top of it. With the first GPRS networks launched recently in China, England, and, incredibly, Seattle, the pervasiveness of this particular device will depend a lot on how quickly wireless network providers build out their networks.

UseIt.com

Briefly Noted

  • Shameless Self-Promotion Dept.: I’ve added a new directory to the Directories section of the StratVantage Web site: Email Newsletters. After conducting a fruitless search for a central place listing interesting email newsletters, I decided to establish one myself. I’ve seeded it with newsletters I receive and find useful. If you’ve got a favorite, send it along and I’ll add it.
    StratVantage Directories
  • Nokia Covering Its Bets: As reported in issues of SNS (here and here), Nokia is very interested in m-commerce (mobile eCommerce). In addition to its joint SmartCover effort with Sodexho and its dual chip test with Visa, Nokia is collaborating with IBM, Luottokunta and Radiolinja to pilot secure credit card payments using a mobile phone wallet application. The participants hope to demonstrate using the wallet for transferring payments and loyalty program information, and WIM (Wireless Identity Module) for digitally signing transactions so that the buyer cannot later repudiate them. The parties are in the process of choosing suitable merchants for the pilot, which will start in the fourth quarter of 2001 in Finland.
    Nokia
  • Java on the Phone – Your Desktop Phone: By now my prediction last spring that it would be a while before we saw Java on mobile phones seems pretty ludicrous. Not long after I made the prediction, Korea’s LG Telecom introduced a Java-enabled cell phone in July, Nextel announced a Java cell phone, and Nokia smart phones, available outside the United States, began using Java applications. Now Kada™ Systems has announced that Cisco will build their Java technology into its Voice over Internet Protocol (VoIP) non-mobile desktop phones. Sometimes the magic works, and sometimes it doesn’t.
    Kada Systems
  • Single Sign-On = Liberty? Nokia, Cisco, Dun & Bradstreet, Sony, Sun and many other companies have announced that they will co-found the Liberty Alliance Project “to create an open, standards-based solution for network identity and authentication to provide single sign-on to the internet and to the mobile Internet.” They propose to do this through a technique they’re calling federated identity. “In a federated view of the world, a person’s online identity, their personal profile, personalized online configurations, buying habits and history, and shopping preferences are administered by users, yet securely shared with the organizations of their choosing. A federated identity model will enable every business or user to manage their own data, and ensure that the use of critical personal information is managed and distributed by the appropriate parties, rather than a central authority.”

    Notably missing from the roster of founding members is Microsoft, which wants the world to adopt its proprietary Passport technology. About the name Liberty Project, though: I squirm a bit when I see projects named in this manner. What’s next? The Mom & Apple Pie Project? Nevertheless, it’s way too early to say whether this project will enhance our online freedom or detract from it.
    Project Liberty

  • Too Many Clues: Was I the only one who thought the abundance of clues left by the terrorist hijackers was a little fishy? Apparently not, as an article on Stratfor indicates. The article states that the terrorists, “practiced near-perfect operational planning, coordination and execution before their mission but left behind obvious evidence leading to other operatives who may have supported the hijackings. This begs the question of whether these evidence trails were intentionally left in order to distract U.S. law enforcement from other terrorists.” The article is well worth reading.
    Stratfor
  • DoCoMo Starts First 3G Service: With no fanfare, Japan’s DoCoMo has started selling 3G phones that feature video services. The company thus met the timeline it announced late last year. I was among the skeptics that thought they’d never make it. Although the rollout is limited to a 30-mile radius of Tokyo, it soon will spread to other Japanese cities. The service, dubbed FOMA, (Freedom of Mobile multimedia Access), offers download speeds as high as 384Kbps. One of the phones the company is selling has a built-in camera for wireless videoconferencing. DoCoMo sold 4,000 phones the first day.
    AllNetDevices
  • Sprint Stops Whining; Debuts E911 Phone: You never heard such a bunch of whining as the din put up by US wireless carriers about having to meet the FCC’s E911 mandate by this month. Verizon led the pack with detailed whines about how it couldn’t comply. VoiceStream got a waiver. But Sprint has amazed us all by offering an E911-compatible phone right on time. E911 is an FCC rule requiring cell phone network operators to be able to locate a phone within 100 meters. Although Sprint is offering the phone, Samsung’s SPH-N300 GPS-enabled phone, it is not yet supporting it with network services. Nonetheless, way to go!
    AllNetDevices
  • Commitment to Make a Difference: Karen Holtzblatt, a principal of design services consultancy InContext, made the following commitment after the recent tragedy. Many other business people have made the same pledge:
    • When the NYSE re-opened, we bought and will buy stock in a company we believe in (and which gave generously to recovery and victim relief).
    • We will commit people and money to a development project that improves people’s lives.
    • We will fly and attend conferences and business meetings.
    • We will collaborate with colleagues–and competitors–to improve what we make and how we work.
    • We will watch our spending but not make frivolous cuts that hamper productivity.
    • We will invest in helping others secure a livelihood.
    • We will affirm our safety, security, and joy in living by spending on something fun.
    • We will work to help the triumph of openness, tolerance, and understanding over fear, hatred, and violence.

    InContext

  • Microsoft’s .NET Could Be Virus-Prone: Eric Chien, chief researcher for antivirus firm Symantec, has identified a number of areas in which .NET, Microsoft’s next-generation Web services platform, could be even more vulnerable to security threats than existing Microsoft operating systems. Chien said: “There are a number of new threats here, most of which are dependent on how users set their permissions and other security settings.” Another worry is .NET’s ability to run programs written in a variety of different languages, many of which currently have no antivirus products available. (Whatever the source language, though, .NET programs compile to the same Microsoft Intermediate Language, so a scanner that understands MSIL covers all of them; what actually decides what a program may do is the runtime’s code-access permissions, which brings us back to Chien’s first point.) Chien’s primary worry is that users won’t know how to use the various security resources within .NET to protect themselves. Sounds like good news for Chien’s employer, though.
    Silicon.com


StratVantage Consulting, LLC — Mike’s Take on the News 09/27/01

Clipped from: http://www.stratvantage.com/news/092701.htm

The News – 09/27/01

In this Issue:

National ID Cards As A Solution?

Oracle boss Larry Ellison recently called for the establishment of national ID cards as a curb to terrorist attacks. He’s also put his money where his (rather large) mouth is by offering to donate the Oracle software to implement the scheme.

If you’ve been following SNS recently, you can probably guess I don’t think much of this idea. The terrorists had ID cards, after all. The Boston Globe reported that five of the hijackers had recently obtained Florida licenses, which is the weak point of any such scheme: a card is only as trustworthy as the process that issued it. Ellison proposes that Americans be fingerprinted and that the information be placed in a database used by airport security officials to verify the identities of travelers at airplane gates. He brushes aside civil libertarians’ concerns about the possible use of such a system to infringe on the privacy and other civil rights of law-abiding citizens. Echoing Sun Microsystems CEO Scott McNealy’s famous “get over it” pronouncement, Ellison said: “Well, this privacy you’re concerned about is largely an illusion. All you have to give up is your illusions, not any of your privacy. Right now, you can go onto the Internet and get a credit report about your neighbor and find out where your neighbor works, how much they earn and if they had a late mortgage payment and tons of other information.”

Doesn’t that make you feel better? I wonder how easy it would be to get Larry Ellison’s credit report and other private information.

Anyway, the business effect of Ellison’s offer could be chilling to not only the database industry Oracle competes in, but also the employee identification and airport security industries. If the government gets into the business of assuring identity, many companies in these industries will go the way of the airport skycaps.

SiliconValley.com

Briefly Noted

  • Shameless Self-Promotion Dept.: I’ve added a new directory to the Directories section of the StratVantage Web site: Email Newsletters. After conducting a fruitless search for a central place listing various email newsletters, I decided to establish one myself. I’ve seeded it with newsletters I receive and find useful. If you’ve got a favorite, send it along and I’ll add it.
    StratVantage Directories
  • Random Web Usage Tip: eMazing has a nice tip of the day service you can subscribe to. Even a Web junkie like myself can learn a thing or two from their service. Their latest tip about Internet Explorer is a good example: “When a page is taking forever to download all of its graphics, press the Spacebar to stop the graphics and allow you to read the text. Another trick is to click Stop and then click Refresh. Sometimes starting over will get you a faster download.” I knew the second tip, but not the first, which is very useful when some huge gratuitous image file is downloading and preventing me from getting on with it.
    eMazing
  • Expanded Wiretap Authority Analyzed: Alert SNS Reader Jeff Ellsworth sends along a pointer to an article written by Georgetown University law professor and former Clinton chief of staff John Podesta. It’s a very easy to read consideration of the problems facing law enforcement in the digital age and the threats to freedom that could be involved if we help them do their job better.
    WashTech.com
  • YAMV (Yet Another Microsoft Virus) Report: I’m thinking of making this a regular feature. A new Visual Basic Script-based worm, dubbed Vote, is a mass mailer that sends itself to e-mail addresses harvested from the Windows address book of infected systems. It arrives as an e-mail with the subject line “Peace between America and Islam,” and it not only sends large amounts of e-mail, but also overwrites HTML (Web) files on the infected computer and can delete the system’s Windows directory and reformat the hard drive when the machine is restarted. The e-mail carries an attachment called WTC.exe which, when double-clicked, infects the computer. This makes Vote unlike the Nimda worm, which can infect without any double-clicking, and thus experts consider the virus low risk. Nonetheless, businesses should make sure all employees know not to double-click attachments from unknown senders, or unexpected attachments from known ones, since a mass mailer sends from its victims’ own address books. In addition, businesses should make sure antivirus protection is up to date on all computers.
    The Standard (Australia)
  • Unmanned Aircraft May Be Key: In this war unlike any other, automated flying drones may be essential to gathering intelligence in mountainous Afghanistan. One possible problem: These unmanned aerial vehicles (UAVs) are largely untested. The Predator UAV has been flying reconnaissance missions over Iraq, and the military has other tactical UAVs including the Global Hawk, Pioneer and Hunter. Chances are good that the Defense Advanced Research Projects Agency (DARPA, the fathers of the Internet) will step up production of the “micro-UAVs” that are currently on the drawing board. Deploying untested, leading edge battletech has a precedent. The military first deployed an experimental airborne battlefield-management system, the Joint Surveillance and Target Attack Radar System, in the Gulf War. The bad news is control stations for UAVs would need to be close to the front lines, probably in Pakistan.
    EE Times
  • Background Check Business Booming: Many companies are benefiting from the recent tragedy, including those that specialize in performing pre-employment background checks. The company behind Pre-employ.com and MyBackgroundCheck.Com reports they are fielding 2,000 queries a day, double the normal number, since September 11.
    LA Times
  • Nokia and Visa Piloting Dual Chip Mobile Payment Service: One of the dreams of mobile commerce is the ability to quickly and wirelessly pay for goods and services using a mobile device. Nokia and Visa took a step closer to realizing the dream recently when they announced a pilot in Finland of Nordea’s Open Platform chip card. Nordea’s card will be installed in 150 Nokia phones to be distributed to customers in Helsinki. These customers can only buy groceries and movie theater tickets, so the pilot is quite limited. Nonetheless, it will offer good data on the use of the dual chip concept, which relies on a chip card issued by a bank and a separate chip running the Wireless Identity Module (WIM) application in a Wireless Application Protocol (WAP) cell phone. If the pilot is successful, look to see the technique rolled out in Northern Europe and the rest of Europe before it arrives in the US. But be careful: Don’t lose your phone!
    Nokia
  • Visualization As Decision Support: Sun and Landmark Graphics have combined to offer a data visualization solution for Unocal, which will use it to help improve departmental-level collaboration and decision-making in oil and gas exploration and production. Oil companies use massive amounts of seismic information to find pockets of oil and gas. Unocal will use Landmark’s 2003 versions of Earthcube™ and OpenVision™ graphics applications to visually inspect the data and detect telltale patterns. Up to now, such data visualization techniques involved very expensive installations. Sun and Landmark’s solution promises to bring such high-end capabilities within reach of smaller companies.
    Sun
  • Inventor of Popular Crypto Program Clarifies: Phil Zimmermann invented a cryptographic program called PGP (Pretty Good Privacy) in 1991. The program lets its users encrypt emails or other documents so that only the intended recipient can decrypt them; for practical purposes the encryption is unbreakable. In this way, users can communicate with others without law enforcement officials being able to understand the communication. Zimmermann was widely quoted – he now says misquoted – recently as being full of remorse due to the likelihood his program was used by the terrorists. After the article was published, Zimmermann clarified his statement on the Cypherpunks discussion list for cryptographers:

    The journalist slightly misinterpreted my remarks, and missed the shades of grey in some of what I said. I did *not* say that I was overwhelmed with guilt over PGP. I told her about my crying, just as everyone else I knew had cried over what had happened. I also told her about the hate mail, and that I “felt bad” that the terrorists may have used PGP. Indeed I do feel bad about that. But feeling bad about them using it is not the same as feeling that PGP was a mistake, or that I have changed my principles about human rights and crypto. I thought I had also made it clear that I had no regrets about developing PGP. She did not report any individual facts incorrectly in her article. But I think she connected the dots in a slightly different way, and seemed to conclude that I was wallowing in guilt over PGP. I’m sure she meant no harm. I am still very much aware that PGP was a good thing, and that strong crypto helps more than hurts. I have been saying that to the press all week. I just said it again in two more interviews I had before breakfast this morning, and will continue to say it. It seems I have to say it more forcefully. I will prepare a statement on this later today. In the meantime, feel free to let our colleagues know that I have not gone soft on civil liberties.

    To stop terror, you must stop terrorists, not abridge the rights of the rest of us.
    Cypherpunks
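
The YAMV item above recommends that employees not open attachments and that antivirus be kept current. As an added example that is not part of the original page or of any vendor’s product, the following gateway-style check parses a message and holds attachments that are executable by extension, carry a hidden double extension, or begin with the DOS/Windows executable signature regardless of what they are called. The messages are constructed: the subject line and attachment name match those reported for Vote, and everything else (sender, recipient, body, attachment bytes, function names) is ours.

```python
"""Hold risky e-mail attachments the way a mail gateway would for a mass-mailer worm.

Added example, not code from the StratVantage page or from any antivirus vendor
it cites. The messages are constructed: the subject line and the WTC.exe name
are those reported for the Vote worm; sender, recipient, body text and
attachment bytes are made up, and the "executable" is a harmless stub that
merely starts with the "MZ" signature every DOS/Windows executable carries.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute on a double-click (not exhaustive).
RISKY_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}

FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60   # constructed stub, not a real program


def _message(subject: str, attachments) -> bytes:
    """Build a constructed RFC 822 message carrying (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("constructed body text")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


def worm_like_message() -> bytes:
    """Resembles the reported Vote worm: WTC.exe with an executable header."""
    return _message("Peace between America and Islam", [("WTC.exe", FAKE_EXE)])


def disguised_message() -> bytes:
    """An executable renamed to .txt: the extension check passes, the bytes do not."""
    return _message("Notes from the meeting", [("notes.txt", FAKE_EXE)])


def benign_message() -> bytes:
    return _message("Agenda", [("agenda.txt", b"Monday 10am, room 4")])


def classify_attachment(filename: str, data: bytes) -> list:
    """Return the reasons an attachment should be held, or an empty list."""
    reasons = []
    lowered = filename.lower()
    ext = "." + lowered.rsplit(".", 1)[1] if "." in lowered else ""
    if ext in RISKY_EXTENSIONS:
        reasons.append("executable extension " + ext)
    if lowered.count(".") >= 2:
        # e.g. invoice.txt.exe: Windows hides the final extension by default
        reasons.append("double extension")
    if data[:2] == b"MZ":
        # Name and content type are sender-controlled; the bytes are not.
        reasons.append("DOS/Windows executable signature")
    return reasons


def scan_message(raw: bytes) -> list:
    """Parse a raw message and return one finding per suspicious attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = classify_attachment(filename, data)
        if reasons:
            findings.append({"filename": filename,
                             "content_type": part.get_content_type(),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for build in (worm_like_message, disguised_message, benign_message):
        print(build.__name__, scan_message(build()))
```

The extension list is the cheap check and the one users are told to apply by eye; the signature check is what catches a renamed executable, which is why a gateway should look at the bytes and not trust the declared name or MIME type. Neither catches an executable inside an archive, so the page’s advice about not double-clicking still stands.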


StratVantage Consulting, LLC — Mike’s Take on the News 09/21/01

Clipped from: http://www.stratvantage.com/news/092101.htm

The News – 09/21/01

In this Issue:

Guns On Planes As A Solution?

What’s Wrong With This Picture? I don’t know about you, but I worry about recent statements recommending that Federal marshals with guns be stationed on airplanes. I always assumed that the risk of catastrophic decompression or other really bad outcome due to discharging a firearm on a plane was quite high.

According to the site, KeepAndBearArms.com (now, let’s consider the source here), it ain’t necessarily so. First of all, you could use pre-fragmented “safety slugs” designed not to penetrate walls or ricochet from hard surfaces. Great. But even if you put a hole or two in the side of the fuselage, you could plug it with an airplane pillow, according to the site, which quotes a couple of self-identified aircraft engineers on the subject. They say the risk of a single bullet causing massive structural failure of these “bulldozers in the sky” is very slim. Of course, they don’t worry too much about what would happen if the bullet happened to shoot out a window or penetrate the fuel tanks in the wings. One of the “engineers” says that he “read someplace” that a 747 could keep flying with four windows blown out. Of course, several passengers might get “extruded” in the process, but I guess you should learn to accept that kind of collateral damage. Anyway, the site seems to be advocating that normal folks be able to fly while armed, arguing, “Concealed carry permit holders are among the most lawful people in our society.” OK, now I’m really scared.

Let’s not take leave of our senses here, folks. It’s OK with me if you’re a gun advocate. But get a clue: Arming all air passengers would arm the stinking bad guys, too! Hello? All a terrorist has to do in this scenario is get a concealed-carry permit, perhaps with stolen credentials. The idea of arming passengers is looney, and typical of the type of knee-jerk overreaction we’ve heard a lot of since the disaster. Never one to be outdone in the knee-jerk category, our Congress has proposed a bill named H.R. 2896 — Anti-Terrorism Act of 2001 that would allow pilots to be armed. Now I feel safer. Let’s see. Who was it that brought down EgyptAir 990 into Long Island Sound? Could it have been the pilot?

Don’t get me wrong. I’d much rather have pilots armed than passengers, but, let’s face it: Pilots are not immune to mental illness, marital problems, depression, bigotry, hatred, or other antisocial behaviors. Some have even flown drunk. Nevertheless, we do entrust them with our lives, and the vast majority of the time they come through. I’m not saying pilots shouldn’t have the ability to respond to a hijacking situation, but placing a very dangerous weapon in their hands (one that can be stolen and used against them) while they are dealing with flying the plane and keeping the crew and passengers calm may not be the smartest thing. Has anyone ever heard of sub-lethal weapons, for crying out loud? Please write Republican Representative Ron Paul of Texas, who sponsored the bill, and express your feelings. I’d like to suggest that it be amended to allow the carrying of sub-lethal weapons designed to protect against a terrorist attack.

While we’re on the subject of preventing skyjacking, wouldn’t it make more sense if, instead of the primitive tech of a bullet, we used the modern technology called fly-by-wire (FBW)? Modern passenger jets such as the Airbus A320 and the Boeing 777 (as well as many modern fighter jets) utilize FBW technology. What it means is that the plane’s controls are not mechanically connected to the control surfaces of the plane, and all pilot actions can be modified by computers. In the case of the Airbus, hard limits are placed on what the pilot can ask the plane to do. If the pilot tries to take an action that would make the plane stall or exceed its structural limits, for example, the computers override the action and carry it out within acceptable limits of control. Boeing allows the pilot to override the computer, believing that the human has a better grasp on the situation. Well, what if there was a ground override that would enable airline officials to cause the plane to land and not respond to cockpit inputs? Or perhaps just programming a building avoidance routine would do the trick. Wouldn’t that take care of the hijacking problem?

Of course, such a system would need to be completely hacker-proof, or it could be neutralized or co-opted by terrorists or antisocial script kiddies. A ground override is by definition a remote command channel into the flight controls, so it moves the target from the cockpit door to the radio link: every command on that link would have to be strongly authenticated, and the override itself would become the most valuable thing on the aircraft to subvert. Despite my misgivings about the security of “secure” systems, I for one would feel much more comfortable with such a system than with guns on board. Of course, having said that, the folks at KeepAndBearArms.com might want to put my picture in their rogues’ gallery of gun opponents, right next to Stalin and Hitler.

KeepAndBearArms.com

Briefly Noted

  • Shameless Self-Promotion Dept.: CFO Magazine quoted me for a story they ran on the SirCam worm and peer-to-peer networks. Like most media contacts, I said a great many brilliant, insightful, impactful things, but they only used two quotes. It’s online now, but I don’t think it gets into print until next month.
    CFO Magazine
  • Vigilante Crackers Warned: A loose-knit group of hackers known as the “Dispatchers” vowed shortly following last week’s terrorist attacks to damage and destroy Internet service providers, Web sites and networks operated by terrorist organizations. The Dispatchers said that they would target ISPs in Palestine, Afghanistan and other countries that support terrorism. The FBI doesn’t think this is such a good idea. “There is the opportunity for significant collateral damage to any computer network and telecommunications infrastructure that does not have current countermeasures in place,” the FBI’s National Infrastructure Protection Center (NIPC) said. “The Dispatchers claim to have over 1,000 machines under their control for the attacks. It is likely that the attackers will mask their operations by using the (Internet protocol) addresses and pirated systems of uninvolved third parties.” This type of attack might work against a country, but is likely to be a mere annoyance to terrorist groups, who can switch providers or adopt alternative means of access. Unless hackers take down all ISPs in the target countries, very little good is likely to come from such an exploit.
    NationsAtWar
  • Taleban.com Cracked: A cracker with the handle RyDen defaced the Afghan Taleban Mission to the UN website, taleban.com. The site is now down, but as of last Sunday it read: “Own3d by RyDen.” The site was apparently first defaced in March and this is the third time in six months that RyDen has attacked the Taleban site.
    NationsAtWar


StratVantage Consulting, LLC — Mike’s Take on the News 09/18/01

Clipped from: http://www.stratvantage.com/news/101601.htm

The News – 10/16/01

In this Issue:

Web Services On the Radar Screen

According to a July InfoWorld survey of 500 readers involved with technology strategy and technology buying, although only 6.4 percent are extremely familiar with Web services, 75 percent of them rank Web services as a moderate-to-critical IT priority for the next two years, and 66 percent will develop a Web services strategy within a year. These findings seem to indicate that Web services are more buzz than substance: Few of those surveyed really knew what they were talking about, but most were ready to make plans.

The Web services concept is still ill-defined, but in general it refers to the ability to assemble applications from component services that are available over the Web. Web services are the glue that can integrate a legacy system, for example, with new capabilities. Suppose you want to set up an intranet service to let employees find out how much vacation time they’ve accrued. If the information is on a mainframe, you can employ a Web service to interact with the mainframe database, and another to format the data as a Web page. If later you want to add an application to calculate sick days, you can reuse one or both components. And if you decide to jazz up the service by adding a stock ticker, you just plug in the appropriate Web service. Sounds great, but there’s much to be done before application development is that easy.

The biggest problem with Web services involves a lack of standards and a general fuzziness of the concept. For example, 30 percent of the respondents in InfoWorld’s survey claim to have already reaped the benefits of Web services. This is odd, because only 6.4 percent are extremely familiar with them. The various competing and overlapping technologies form a confusing alphabet soup: XML (eXtensible Markup Language), DCOM (Distributed Component Object Model), RMI (Remote Method Invocation), SOAP (Simple Object Access Protocol), WSFL (Web Services Flow Language), ONE (Open Net Environment), UDDI (Universal Description, Discovery, and Integration – see the TrendSpot for more info), WSDL (Web Services Description Language), and CORBA (Common Object Request Broker Architecture). Some of these (DCOM, RMI, CORBA) are the earlier distributed-object schemes that Web services are supposed to replace or bridge, not Web services standards at all. There are other problems as well, most notably security (how a service authenticates its caller, authorizes the request and protects the message in transit, none of which the basic SOAP specification addresses) and the enforcement of business rules across service boundaries.

Perhaps the biggest problem with Web services is the hype. The concept is being sold as a new way to create applications rather than an easy way to integrate some valuable services into an application. So far with Web services, there’s really no groundbreaking going on in the way an application is built. Currently, Web services are unlikely to be interchangeable Legos you can use to snap together an application. You still need to do hard stuff like understand what the problem is, what the users want, and how your system will flow and hang together.

The list of existing Web services at XMethods.com serves to prove this point. You might be underwhelmed by the array of services offered. Among the stupidest services are those that translate inches to millimeters or Fahrenheit to Celsius. If you’re a programmer, and you’re too lazy to look up the formulas for such simple transformations, I guess you’d be stupid enough to solve the problem by making an inefficient Web request to get the answer. Other Web services simply automate the retrieval of readily available information, like stock quotes, newsgroup postings, or zip codes. Still others seem to offer a little value, like a nucleotide sequence lookup or a credit card validator. But there aren’t services that really provide snappable application parts, like: accept a user’s login and password; validate them against the corporate LDAP directory; establish a Virtual Private Network and session credentials; and open a session log. That Web service might be useful, at least more useful than one that “Provides Internet Time (ITime), as defined by Swatch.” (Oh, don’t ask. If you don’t already know what ITime is, you really won’t care to know.)

So, while Web services are getting a lot of ink, it’ll probably be a while before the reality lives up to the hype. Businesses should be wary of anyone selling this snake oil as a panacea. Developing applications remains hard work, best left to professionals. Web services can be a part of an application development effort, and may even bring real value, but we’ve been around this block before with other reusable code schemes. It remains to be seen if Web services can truly accelerate the development process.

InfoWorld

Briefly Noted

  • Shameless Self-Promotion Dept.: I’ve added a security news ticker to the StratVantage Security Web page. It scrolls up to date information about viruses, worms, hoaxes and other items of interest regarding computer security. Check it out.
    StratVantage Security Resources
  • Manufacturers Move to Protect Critical Infrastructures: The National Center for Manufacturing Sciences (NCMS) and the National Infrastructure Protection Center InfraGard Program have established the first InfraGard Industry Association. I wrote about InfraGard in the last SNS. The new association, called the InfraGard Manufacturing Industry Association (IMIA), aims to provide manufacturers and their supply chain partners with communications, education, and collaborative project services to help assure the security of critical business information and manufacturing infrastructures.
    NCMS
  • Microsoft Finally Serious About Security? I’ve got to give our buddies in Redmond credit. After thousands of bugs and hundreds of virus attacks, they finally appear to understand that security is important. However, their marketing spin makes it seem like they’ve recently uncovered serious security threats: “Internet security and the increased threat from computer viruses are serious and growing issues that impact businesses around the globe, regardless of platform.” Very true, and in the spirit of helping address these threats and to benefit humanity, Microsoft announced the Strategic Technology Protection Program, “to help customers get secure and stay secure.” “Part of the company’s ongoing security commitment, this program marks an unprecedented mobilization of Microsoft’s people and resources to proactively assist customers of any size to secure their computing environments.” No, no, silly person, they’re not paying to convert people to Linux! They’re going to help people get current and stay current with the bewildering array of security bug fixes they issue each month. Hey, it’s a start!
    Microsoft
  • Spears Hoax: Pranksters are getting cleverer and cleverer. Tim Fries, a Saginaw, Mich.-based online comic strip artist, used a trick to make it look like CNN.com had a scoop: Singer Britney Spears Killed in Car Accident. Fries claimed he was conducting research as to how far and fast misleading information travels on the Web. “With the recent terrorist attacks and such an increasing reliance on the Internet as a trusted news source, misinformation could prove to be a powerful weapon,” said Fries. The cartoonist used a quirk in the way Web browsers handle URLs to direct users to a mock-up of a CNN.com Web page at an external site. Incredibly, the distribution of the special URL to just three users of AOL’s Instant Messenger chat software resulted in more than 150,000 hits to the fake site. The URL began with the characters http://www.cnn.com, followed by "@" and the IP address of the fake Web site. A browser treats everything between "http://" and an "@" as a user name (and optional password) to present to the host that follows the "@"; the host it actually connects to is the one after the "@". So the browser dutifully fetched the phony article from the fake site’s IP address, while readers who only glanced at the start of the link assumed they were going to CNN.com. The same syntax is still valid today, which is why a link that reads well should be checked for an "@" before it is trusted. In this time of ever more outrageous sounding real news, the ability of just one joker to spread disinformation could move from merely annoying to incitement to riot.

    Please, before forwarding any incredible news, check the source, and check the Urban Legends Reference pages at www.snopes.com. And no, blue envelopes are not contaminated, and no mysterious Arab ex-boyfriend forecast September 11 and a mall attack on Halloween. Let’s keep it together, people.
    Security News Portal
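    The "@" trick above can be demonstrated and caught with a few lines of code. The following is an added example, not part of the original column: it uses Node.js and its built-in WHATWG URL parser to show which host a hoax-style link really points at, and to flag links whose user-name portion is dressed up as a domain. The sample links are constructed for illustration, and 203.0.113.5 is a reserved documentation address standing in for the prankster’s server.

```javascript
// Added example (not from the original article): how the "@" trick in the
// Spears hoax works, and a check that flags links using it.
// Node.js, built-in WHATWG URL parser. Sample links are constructed;
// 203.0.113.5 is a reserved documentation address.

// Inspect one link. Everything between "scheme://" and "@" is the URL's
// userinfo (user name and optional password); the host the browser actually
// contacts is whatever follows the "@".
function inspectLink(link) {
  let u;
  try {
    u = new URL(link);
  } catch (err) {
    return { parseable: false, link };
  }
  const username = decodeURIComponent(u.username);
  // A user name that looks like a domain name is the hallmark of the trick:
  // the reader sees "www.cnn.com" but the request goes to u.hostname.
  const userLooksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(username);
  return {
    parseable: true,
    link,
    displayedAs: username,          // what the eye reads first
    realHost: u.hostname,           // where the browser really goes
    hasPassword: u.password.length > 0,
    deceptive: userLooksLikeHost && username !== u.hostname,
  };
}

// Rewrite a link so the userinfo is dropped and the real host is what the
// reader sees; suitable for a link preview in a chat or mail client.
function stripUserinfo(link) {
  const u = new URL(link);
  u.username = "";
  u.password = "";
  return u.href;
}

// Constructed samples: a hoax-style link, an honest CNN link, and a
// user:password form that the same parsing rule covers.
const SAMPLE_LINKS = [
  "http://www.cnn.com@203.0.113.5/2001/SHOWBIZ/News/10/12/spears.html",
  "http://www.cnn.com/2001/SHOWBIZ/News/10/12/spears.html",
  "http://www.cnn.com:80@203.0.113.5/",
];

// Return only the links that should be treated as suspect.
function scanLinks(links) {
  return links.map(inspectLink).filter((r) => r.parseable && r.deceptive);
}

for (const r of SAMPLE_LINKS.map(inspectLink)) {
  const tag = r.deceptive ? "SUSPECT" : "ok     ";
  console.log(`${tag} host=${r.realHost} shown-as=${r.displayedAs || "-"}`);
}
```

    Two of the three samples are flagged; the honest CNN link is not. Today’s browsers still accept the syntax (it is the standard userinfo component of a URL) and show the real host in the address bar once the page loads, but a reader who trusts the text of a link in an instant message never gets that far, which is why the check belongs wherever links are displayed or forwarded.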

  • Gartner Says Ditch IIS or Face Risk: GartnerGroup has taken a very strong position against using Microsoft’s Web server, Internet Information Server (IIS), either on the Internet or even inside the enterprise. The analyst firm has faced the fact that using the buggy, security hole-riddled IIS instead of readily available and free alternatives increases the cost of ownership.

Code Red also showed how easy it is to attack IIS Web servers. Thus, using Internet-exposed IIS Web servers securely has a high cost of ownership. Enterprises using Microsoft’s IIS Web server software have to update every IIS server with every Microsoft security patch that comes out—almost weekly. Nimda (and to a lesser degree, Code Blue) has again shown the high risk of using IIS and the effort involved in keeping up with Microsoft’s frequent security patches. Gartner recommends that enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving their Web applications to Web server software from other vendors, such as iPlanet and Apache. Although these Web servers have required some security patches, they have much better security records than IIS and are not under active attack by the vast number of virus and worm writers.

Sun has taken advantage of these recommendations to announce a “trade up” program to help businesses transition off IIS and onto its iPlanet Web server. It even offers free software that allows programs written to IIS’ Active Server Pages (ASP) API to run on Sun equipment. Sun has knocked $500 off its normal iPlanet pricing as an incentive. As reported in a previous SNS, even the insurance industry has taken notice of the problems with IIS, with one insurer charging higher premiums for disaster insurance to businesses using IIS.
TechRepublic

  • Making Copies to Ensure Availability: Sun Microsystems and Stanford University said recently that the LOCKSS (Lots of Copies Keep Stuff Safe) program – designed to protect the integrity of valuable electronic content – is performing well in large-scale tests at 47 global locations. The LOCKSS system is an open-source, Java-based, distributed content mirroring system, designed to run on low-cost computers without central administration. Each participating computer checks the files on its own hard disk at random intervals and compares them with the copies held by the other participants. If a file has been corrupted or altered, an automatic caching system replaces it with an intact copy derived from the redundant copies on other machines. This enables content providers to maintain access to critical information even when individual machines fail or are tampered with.
    Sun
  • Too Much Sun? At the risk of overloading you on news from our buddies at Sun Microsystems, I have to let you know about their collaborative effort with Lucent to deliver unified communications via a mobile portal. Unified communications has been the next big thing for a couple of years now. It promises to allow you to access all your communications in whatever form you want. For example, you can get your email, voicemail, and faxes all via the telephone. The new service will allow users to browse the Web, check and send voice and e-mail messages, initiate calls from their address book via voice command, hear faxes, and attach e-mail to voicemail messages (and vice versa) all via their cell phones. Messages can also be bookmarked by voice command so users can easily jump back to them later. Sounds pretty cool. Let’s see if it can fly in real life. (Disclaimer: I do indeed own stock in Sun and would love to see it come up from under water.)
    Sun
  • I Want This Phone: Nokia has come out with another cool phone. The Nokia 5510 is a music player, FM radio, messaging machine, games platform and phone. It includes (of course) an Internet browser as well as 64 MB memory to store up to 2 hours of music, the ability to answer and end phone calls with the stereo headset while listening to music, voice dial for 8 names, and 5 built-in games. The game controller-like form factor will certainly attract the kids, while business people will like the full keyboard (for two-fisted typing) and the ability to send longer messages. Unfortunately, the phone won’t be available in the US. Drat. (Pet Peeve, part XXIII: I’ve complained before about Nokia’s Web site. Now wouldn’t you think when they announce a new phone you could use their search capability, type in the model number, and find the appropriate page? Nope.)
    Nokia

  • Stupid Quote Alert: I get eMazing’s Stupid Quote of the Day email service, and most of the quotes aren’t real winners. But last Wednesday’s brought a smile to my face:

    "The department takes very seriously its responsibility to protect the privacy interests of Americans who have been the subject of investigative scrutiny."
    – Justice Dept spokeswoman Susan Dryden, explaining that the Justice Department invading your privacy and other people invading your privacy are two completely different things.
    PBS

StratVantage Consulting, LLC — Mike’s Take on the News 09/18/01

Clipped from: http://www.stratvantage.com/news/091801.htm

The News – 09/18/01

In this Issue:

Can Freedom and Security Coexist?

My heart, like every American’s, is broken due to the horrific acts of a few fanatics a week ago. Commentators are fond of saying nothing will ever be the same again, but I hope that’s not true. Nonetheless, there are elements in the government that are trying to make some pretty important things change. Things like freedom. Attorney General John Ashcroft wants sweeping new wiretap powers that would essentially allow the government to eavesdrop on any conversation anywhere as long as they have a “reasonable” expectation that a suspected criminal is involved in the conversation. Rather than wiretaps being associated with a particular telephone, Ashcroft wants them to be associated with the suspect. While I agree police need more freedom to intercept communications in this age of disposable cell phones, I worry that the Feds will end up listening to a lot of conversations that don’t involve the suspects in question. What happens if they turn up evidence of other wrongdoing as a result?

Personally, I’m sick to death of the usual response I get when I bring up potential threats to freedom like this. The average person responds, “I’ve got nothing to hide, so I don’t care if the authorities can [wiretap my house, search it without a warrant, confiscate my nail clippers at the airport, read all my email, know whenever I travel on the tollway, and so on].” My usual response is to point out that the listener is not a criminal, yet. Until recently, it wasn’t a crime to post a link on your Web page to a site that hosted software to break copy protection schemes. Today it is a crime. So you’re not a criminal now, but in the future you could be criminalized.

One company that stands to make a lot of money over the hysteria over airport security is Visionics, a maker of face-recognition equipment and other security products that use biometrics