amarbledesk.com
paean of a columnist
« Older Entries | archive for 2009 | Newer Entries »
NaGoGymMo
03 Oct 2009 15:25 EDT
NaGoGymMo? National* Go to the Gym Month! It’s an event in the spirit of NaNoWriMo (National Novel Writing Month) and NaBloPoMo (National Blog Posting Month) — both of which I’m also doing. And it’s very simple to participate:
Just go to the gym every day for a month.
Easy! If you don’t have a gym membership, well, you might consider getting one if you can afford it. It doesn’t have to be a traditional gym. We belong to the YMCA. If you live in a condominium or apartment community, use the gym at your clubhouse. If you can’t afford a gym membership, then run or walk or sweat to the oldies. Get out and move your body intensely every day. Your heart, your muscles, your joints, and your brain will thank you.
Please join me in NaGoGymMo!
*National? My apologies to international readers — as they put it at NaNoWriMo, “We are very proud to be an international event, and don’t consider the “National” in the title to refer to the United States. This is an event for all nations.“
A Big Blue Cloud of Lotuses Engulfs Enterprise IT
02 Oct 2009 21:09 EDT
IBM has launched a cloud-based email service. Lotus Live iNotes offers webmail (as well as traditional POP/IMAP/SMTP support), calendaring, contact management, and 1GB of storage per user. According to disruptive technology blogger Dave Rosenberg IBM is selling this for only $3.75 per user per month, which is actually a Darn Good Price.
What’s so interesting? IBM getting into the cloud? Nah, IBM gets into everything. The feature set? Nope, you can get this from Google. The price? Eh, sure, it’s competitive. What’s really interesting is that they are releasing this with the Lotus name.
The Lotus brand is no longer well-known among small businesses but it’s still a stalwart in the enterprise. This shows they are aiming this straight at their bigger customers. Enterprise IT seems uncomfortable with cloud-based services, but IBM’s move may be just the push they need. It’s from IBM, so it’s expected to be reliable and secure.
Another reason this may help push Enterprise IT to the cloud is that this is a hybrid cloud/datacenter strategy that is built for migration. It’s not an all-or-nothing strategy. CIOs can take a sip of the cloud kool-aid and if they like it they can drink some more. Eventually tht ey can even migrate all their users to the cloud if they like it a lot. And the CISO’s imprimatur will be much easier to get with IBM’s name behind it.
Expect this to increase acceptance of cloud services in Enterprise IT. Also expect IBM to offer additional affordable cloud-based services like storage, antivirus, and even computing if Lotus Live iNotes takes off.
Tags: cloud computing, computing, IBM, web services
Posted by mark beadles in Uncategorized | No Comments »
Posted by mark beadles in Uncategorized | No Comments »
Hatred is not a viable network security mechanism
01 Oct 2009 23:39 EDT
Twitter was one of the topics at the recent Forrester Security Forum. As related by Rob Whiteley, Twitter was roundly condemned by the security luminaries present, including Marcus Ranum and Hord Tipton (former CIO of the Dept of the Interior):
”On day one, there was loud, thunderous applause when Marcus mentioned that he is adamantly against Twitter. This was repeated on day two when Hord mentioned he, too, didn’t see the value in Twitter.”
I understand where Marcus and Hord are coming from. Twitter is new potential threat vector and a new potential data leakage point. What are these gentlemen to do — say they are in favor of threats and data leakage? They really have no choice but to proclaim they don’t like Twitter from a security point of view.
But come now. Robert Westervelt frames the issue clearly when he writes: ”standing in the way of innovation is not the goal of security“. Twitter (it seems almost shocking to say) is nothing new. Twitter is the web. Twitter is text messages. Twitter is the telephone. Sure, the under-the-hood details are different. That’s tractable with current security technologies. In the long run, it may not be Twitter itself that’s successful. It may be Facebook, it may be Nixle, it may be something else altogether. Successful and useful applications come along, people start using them, then along the way they become mainstream applications.
CISOs need to decide for themselves what’s acceptable and what’s not. Surely they can choose to block applications like Twitter if they are compelled to. They do need to consider a couple questions along the way:
1) Where along the spectrum between total lockdown and total employee freedom are you? Unless you’re in certain specialized industries, total lockdown is a choice that brings down employee satisfaction. Employee dissatisfaction can lead to security breaches too!
2) Can you really block these things? The security perimeter is rapidly vanishing, and in fact is flickering in and out of existence. You probably can’t block these things on the network — and with ubiquitous personally-owned mobile devices, you can’t even block these things on the client.
So don’t hate on Twitter and its siblings. If you can instead learn to embrace them in a managed and manageable way, your company might stay innovative and your employees might stay happy.
MS kills the consumer AV market
30 Sep 2009 13:28 EDT
MS has just released Microsoft Security Essentials, which they call “high-quality, hassle-free antivirus protection for your home PC“. It’s free – ‘free’ as in beer, not ‘free’ as in speech. And, surprisingly, it works: independent anti-virus testing organization AV-Test GMBH says that MSE detected every virus on the WildList of viruses, and detected no false positives: “All files were properly detected and treated by the product. That’s good, as several other AV scanners are still not able to detect and kill all of these critters yet.”
Microsoft already has an AV product in the business market, OneCare, but it hasn’t really taken hold since it’s not a free product, MS does not have a good security reputation, and AV vendors are already very entrenched in most organizations. So there is not a huge threat to the AV vendors in the business sector.
There are a lot of free AV products already available in the consumer market: Avira, AVG, Avast, BitDefender, etc. These often don’t reach mainstream consumers, though. Microsoft has a huge marketing engine and unbeatable distribution channels. If MS AV is free, works, well-known, and easy to get, then people will use it.
MS has probably changed the market. Consumer AV will become free. Symantec, Trend, McAfee will keep making consumer AV but their enterprise business will just become even more important. Companies like Sophos that focus on business only will escape this one.
"Is 0 Odd or Even?" Are you serious?
29 Sep 2009 22:10 EDT
Eugene Volokh of the eponymous Conspiracy took a poll of his readership, asking Is 0 Odd or Even? Look ye upon the poll results and despair!
This, gentle reader, is why we don’t do mathematics by popular vote.
An odd number of Kudos to Eugene for exposing such innumeracy. An even number of kudos to about half his readers….
Browser-in-browser virtualization security nightmare
29 Sep 2009 20:45 EDT
So I’ve got five browsers running on my Windows laptop, three running on my Blackberry handheld, and at least one more on the Mac Mini. OK, this isn’t exactly typical. But all these browser choices are available on the market today to consumers who want them. Most people still use IE, but Firefox now has a respectable market share (65% IE vs 26% for FF). Apple Safari (4%), Google Chrome (3%), and Opera (2%) have a small but noticeable and growing share of the browser market. These figures don’t include the matrix of OS’s x Browsers. The browser market is finally competitive.
From an economic and feature perspective, competition is obviously a Good Thing. At first blush it seems that it would be a security Good Thing as well, since there are more competing platforms to drive security fixes and avoid a monoculture. But there’s a new wrinkle in the browser security, which may be an indication of more problems to come.
Google Chrome is a stand-alone browser — which I love for its speed and simplicity and hate for no adblock — but its technologies are also now available as a plug-in to IE. Google Chrome Frame is an open-source project which allows you to essentially run Chrome inside of IE. Geeky/neat functionality, to be sure. But what a security outcry it has raised!
In rare agreement, Microsoft and Mozilla both slammed Google on Chrome Frame. They pointed out that since browsers are now the primary route for infection on PC’s, slamming two browser’s worth of potential security flaws into one browser is asking for trouble. Each browser may have security bugs, and the combination of the two may open yet more holes. Microsoft also piles on to point out privacy implications: Chrome Frame breaks IE 8′s private browsing.
As the latter article reveals, Google’s answer isn’t good: “Google Chrome Frame is an open source plug-in that is currently in an early developer release and was designed with security in mind from the beginning…” Open-source and developer releases are not excuses for lax security. If the security isn’t there, don’t release the code. Google’s other point is that they can somehow magically secure old browsers, in particular IE6:
“Accessing sites using Google Chrome Frame brings Google Chrome’s security features to Internet Explorer users, providing strong phishing and malware protection (absent in IE6), robust sandboxing technology, and defenses from emerging online threats that are available in days rather than months.“
Again, this answer is not well thought out. There is a simple answer to improving security on IE6: don’t run IE6. Yes, it’s still supported by MS, but IE8 is out now; upgrade. Google Chrome Frame isn’t a patch to IE; if there’s a bug in IE6 allowing an attacker to gain a foothold, that bug is still there in IE+Chrome Frame.
I’m sure this little kerfuffle will blow over soon. Browser makers fighting with each other in public is just business as usual. IE6 will end-of-life, Google Chrome Frame will improve its security and its mechanisms for integrating with IE, etc. This is a harbinger of things to come, though. Browser technology is getting more complex, and complexity is the enemy of security. Chrome Frame is an early example of browser-in-browser virtualization. Just as desktop virtualization brings new security headaches along, so will browser virtualization.
Welcome to my nightmare.
Tags: apple, google, security, UI, virtualization
Posted by mark beadles in Uncategorized | No Comments »
Posted by mark beadles in Uncategorized | No Comments »
Who moved my cheesy UI? (or, an Opera by Dvorak)
29 Sep 2009 02:05 EDT
The Dvorak keyboard — developed by August Dvorak, no relation to this Dvorak, but a distant relation of this Dvorak — has a very devoted following. Users like its more ergonomic design, which is different from the familiar QWERTY keyboard. Devotees claim (with some evidence) a much faster typing rate, and love using the keyboard. Heck, there are even Dvorak activists asking you to write to the local paper about the keyboard, and call manufacturers to get support.
As you can imagine, since they love their keyboard, they are miffed when it’s not available for a certain device. Today in the Wall Street Journal, there is an article by Joseph de Avila on Dvorak users who are unhappy that iPhones, Blackberries, and other handhelds only use QWERTY.
But here’s the thing: there is no advantage for Dvorak on a handheld. The layout was designed to improve two-handed touch-typing speed. There is no evidence to show that the same advantage can be found on chiclet keys that are thumb-typed, or virtual touch-screen keys. To be sure, the Dvorak users are used to that layout, and prefer it for sentimental or even principled reasons. Still, the original benefit is lost (admittedly, any traditional layout is probably not optimal on a handheld device).
My first reaction was that these Dvorakians (maybe Dvorks?) should realize this and move on. Then I downloaded Beta 5 of the Opera Mini browser…
I’ve used Opera Mini on my BB Curve 8330 for a long time; it acts and renders like a real desktop browser, not the limited default Blackberry browser. I’ve grown used to its features, such as zooming in and out on pages, using the trackball for navigation, the options key to bring up the menu, etc. Beta 5 has totally thrown my paradigms for a tangled loop. The trackball navigates on the page, but also controls navigation between pages now. The options key brings up not the standard BB app menu, but a custom Opera icon-only menu which requires further selection by the sensitive trackball. I really don’t like it. It’s not what I’m used to.
That’s when it struck me that I’m just like the Dvorks in the article. Ah well, on to Opera Mini 5 it is….
Excelsior!
Mental Health, or "Hey! If my kidneys are the problem, why do I need my head shrunk?"
25 Sep 2009 19:18 EDT
You may have read my recent references to trying to go off steroids after 18 years. I’ve taken oral prednisone during that whole time, and also had occasional high doses of IV steroids as well. The reason I take steroids is of course so I can compete at a nation level in weightl…actually, no. The reason I take them is because steroids have an anti-inflammatory effect; specifically, they depress the immune system. Normally, depressing the immune system is a Bad Thing, but in my case it prevents my immune system from attacking my donated kidneys. But because of advances in medicine, immune suppression no longer requires steroids; the doctors would like me to discontinue them because they do have nasty side effects like diabetes and osteoporosis, especially over the long run. They also can cause your adrenal cortex to stop working. But either starting or stopping steroids has its effects too, one of which is “the crazies”. OK, you’ve all heard that already.
I spoke with the psychologist at my transplant clinic, who confirmed that, yes, discontinuing steroids can certainly make one cranky. She said that my regular shrink would certainly have encountered this issue before and should be able to handle it. Sure enough, at my psychiatrist appointment earlier this month, we brought this up with him, and he was very familiar with it. Evidently this is a common problem, and patients discontinuing steroids often need adjustments to psychiatric medicines at the very least.
So the outcome in my case was to increase my anti-crazy pills, to take it slow on the steroid discontinuation, and to be patient. It will pass, it will take time. This is excellent news, since with this new kidney, I have plennnnnnty of time 
I’ll editorialize now: this has direct bearing on the current American health insurance debate. Coverage for mental health conditions by health insurance companies is not comparable to coverage for other conditions. But as my example above should show, you really can’t separate the two. Physical health and mental health are so intimately related as to be indistinguishable. The body and the brain are both biology. In my opinion, if it is not medically or scientifically defensible to totally separate mind from body, then it is not morally defensible either:
Diseases of the brain are diseases of the body.
Mental health coverage should be on a 100% par with coverage for other health conditions.
Tags: health insurance, mental health, transplant
Posted by mark beadles in Uncategorized | No Comments »
Posted by mark beadles in Uncategorized | No Comments »
My security head's in the clouds
25 Sep 2009 17:34 EDT
Craig Balding at CloudSecurity.org has posted a gem of a presentation on the state of security in cloud computing (it’s a presentation he gave at something called BruCon, a security (and beer!) conference in Brussels.) It’s well worth reading for an overview of what cloud computing means for security practitioners.
One item that struck me was his slide 56. The slide asks “When’s the revolution?” — to wit, when’s the revolution in web security technology to match the revolution in web application technology? The answer to web security still seems to be “SSL and Firewalls”. Way back in 2002, I sat on the security panel at the Next Generation Web Services Summit. Chad Dickerson of etsy, the moderator and back then CTO at InfoWorld, asked about the role of SSL in web services security. I answered that it doesn’t solve the problem. “If you [don't] encrypt your channel, you open yourself, but that is not sufficient.”1 SSL is an absolutely minimal level of security — and here we are in 2009 still thinking that it’s good enough. But SSL only can protect data in transit from being snooped between the customer and the provider — or more accurately, between the customer’s last proxy and the provider’s first proxy.
You think you’ve got end-to-end SSL, but in truth you don’t.
It’s not that SSL is a bad idea — it’s not! — it’s ‘necessary but not sufficient‘. It does nothing to address a host of other issues: data integrity, repudiation, data loss, data comingling, availability, and so on.
Anyway, read the rest of his presentation for a good overview of the state of things, including the implications of virtualization, why cloud computing is or isn’t just outsourcing, and the current dearth of research into cloud-specific security vulnerabilities.
1Source.
Infecting you in 140 characters or less: why the Twitter Worm works
25 Sep 2009 00:12 EDT
It’s good to be concise when writing — Twitter‘s brevity is a great thing. It can force you to write more thoughtfully. Unfortunately, its simplicity can give a false sense of security.
The current Twitter Worm is sending DMs (Twitter direct messages) to people and including a link to a site that kinda-sorta looks like an official Twitter page. The message includes a link with the text “twitter” in it, and it appears to be a message from a friend. It’s enough to fool people into clicking on the link, and when they do, they are given what looks like a Twitter login screen. But when they enter their user name and password, what really has happened is that they’ve given up your password to criminals.
Look for more attacks like this to come, unfortunately.
Twitter’s brevity has come with a price: opacity. Since people cram as much as they can into 140 characters, including links, they use URL shorteners like http://bit.ly. URL shorteners do what their name says, but they obscure where the link really goes to. This can make phishing and related attacks much easier. Phishers try to steal people’s information, like passwords, by fooling them into thinking they’re giving the information to a trusted party. The current Twitter Worm relies on people not reading the link carefully enough. With URL shorteners that don’t have a “preview” function, you have no idea where the link is going. This makes it far too easy to trick people onto a fake site.
Twitter’s simplicity comes with a price as well: misplaced trust. Generally speaking, Twitter seems like a likable, simple little program without a lot of moving parts. Its user interface is straightforward. People feel comfortable with it and therefore are willing to trust it. This means people are also likely to trust messages that seem to come from friends or from Twitter itself. This again makes it easy to fool people.
So don’t get fooled again by Twitter’s brevity and simplicity. Inside those short, simple tweets there still can lurk thieves.
–
(PS: Here is an interesting explanation of just why Twitter has the 140-character limit in the first place. An accident of history, really….)
about mark beadles
I write the things you read here. Polymath renaissance redneck. I build software, stories, and young men. More...on the desk
around the web
in the vault
-
