November 5th, 2008
Google calls it quits on the Yahoo ad deal; Will Microsoft enter the picture?
Updated: In a move that’s not terribly surprising, Google said Wednesday that it is scrapping its search advertising deal with Yahoo. Google’s decision puts Yahoo’s search business back in play and may bring Microsoft back into the picture.
In a blog post, Google announced it was ending its plans for a Yahoo partnership. In separate statements, Yahoo and the Department of Justice responded. The DOJ noted that it would have filed an antitrust lawsuit if Google and Yahoo had gone forward with the deal. Yahoo had planned to use Google’s ads if the monetization rates were better than its own. According to David Drummond, Google’s Chief Legal Officer, the headaches just didn’t make sense:
After four months of review, including discussions of various possible changes to the agreement, it’s clear that government regulators and some advertisers continue to have concerns about the agreement. Pressing ahead risked not only a protracted legal battle but also damage to relationships with valued partners. That wouldn’t have been in the long-term interests of Google or our users, so we have decided to end the agreement… We’re of course disappointed that this deal won’t be moving ahead. But we’re not going to let the prospect of a lengthy legal battle distract us from our core mission.
The move comes just days after Google and Yahoo submitted a proposal that pared back the terms of the deal. In fact, analysts were handicapping the revised Google-Yahoo deal as if it would clear the Department of Justice’s concerns.
Now that the Google-Yahoo deal is finished–before it even started–Jerry Yang & Co. will take a revenue hit. According to Piper Jaffray analyst Gene Munster, Yahoo would have reaped revenue of about $665 million under the revised Google ad deal, with operating cash flow of $200 million to $350 million. Shortly after the Google news, rumors began to swirl on trading desks. The rumor was that Yang would step down and Microsoft would buy Yahoo. The company has denied the rumor, which was reported by VentureBeat. Why is this rumor shaky? If Yang were stepping down today, he would have canceled his Web 2.0 Expo keynote scheduled for the same day.
On the bright side, Google’s exit from its proposed partnership with Yahoo does clear the way for what could be a search partnership with Microsoft, which still maintains that some sort of deal makes sense. A deal with Microsoft is certainly on the table now according to Wall Street’s prognosticators. Look at the reaction following Google’s announcement. Investors surely are not reacting to a potential combination with the struggling AOL.
In many respects, the Yahoo deal just wasn’t worth Google’s time. The deal between Yahoo and Google was cooked up to block Microsoft’s takeover of Yahoo. Ironically, Google’s move may attract Microsoft back to Yahoo to craft a search partnership. As of yesterday, the probability of Yahoo selling its search business to Microsoft was about 10 percent. Those odds are likely to increase given Google’s move.
Analyst reaction was swift on the end of the Google-Yahoo partnership. Munster says:
Despite altering the terms to the original agreement just two days ago, Google announced it would withdraw from the proposed Yahoo! search outsource deal. The company cited continued pressure from the DOJ as rationale for its withdrawal. However, investors are likely to view this as a positive for Yahoo! as it opens the door for Microsoft to return to the picture with some type of deal. Our belief of a Microsoft return is based on recent comments from Yahoo! board member Carl Icahn and Microsoft CEO Steve Ballmer, both suggesting the pairing still makes sense. We believe there is a 60% chance we see a new search proposal from Microsoft by the end of the year.
November 4th, 2008
Stop Windows XP from nagging you about updates you've already completed or don't want [video]
Microsoft’s Patch Tuesdays (the second Tuesday of every month) are an important part of every Windows user’s and system administrator’s regular system maintenance. In fact, regularly applying fixes, patches, and updates should be part of your routine, no matter which operating system you use.
Unfortunately, Windows XP sometimes gets stuck in update mode and will continually show a flashing yellow shield in the System Tray–suggesting that you need to download and install important security patches.
In this IT Dojo video, Bill Detwiler shows you how to get rid of those annoying yellow shields that Windows sticks in your system tray after an update gets stuck.
After watching the video, you can read Mark Kaelin’s article, “How do I… stop Windows XP from nagging me about updates?”–the basis for this video.
November 3rd, 2008
Microsoft: Third party apps killing our security
Why would hackers target Microsoft directly when there is so much low-hanging fruit hanging off the Windows operating system?
The short answer is that hackers won’t attack Microsoft directly because they have plenty of alternatives via third party applications such as QuickTime, RealPlayer and WinZip. That’s the big takeaway from Microsoft’s Security Intelligence Report (January to June 2008), which will be unveiled Monday. Microsoft prebriefed a few folks including me and The New York Times on the key findings of the report, but the real interesting data will appear in the full blown document, which will be dissected by Ryan Naraine at Zero Day later.
This version of the Security Intelligence Report looks at the evolution of emerging threats and focuses on botnets. While the key findings highlight a few interesting threads–vulnerability disclosure continues to fall; disclosure of Microsoft software vulnerabilities continues to fall; and Chinese users are the victims of more than 46 percent of browser-based exploits–the big item is that the software giant is being buffeted by attacks via third party applications.
Microsoft’s data confirms the findings of other security vendors such as Kaspersky. For instance, hackers are attacking Vista almost entirely through third party applications.
Microsoft then goes into the top 10 browser vulnerabilities and notes that its software accounted for half of the biggest flaws on XP. On Vista, Microsoft software accounted for none of the top flaws. Here’s the breakdown:
[Chart: Top 10 browser-based vulnerabilities on XP]
[Chart: Top 10 browser-based vulnerabilities on Vista]
The tale: RealPlayer, Apple QuickTime, various toolbars and other tag-along applications are vulnerable.
These statistics leave one question hanging: Is Vista really more secure or is it just that third party applications are easier to exploit? The truth is that we may never know about Vista’s security level–unless third party application developers suddenly get security religion. Chances are that won’t happen.
George Stathakopoulos, general manager of Microsoft product security for the Security Engineering and Communications Group, roughly agreed with my theory. He maintains that Vista is more secure–and I don’t think that take is a big stretch–but the degree of security over XP may be skewed by third party applications. Simply put, Vista isn’t the primary target of attackers, which are opting for easier prey.
“I think Vista is better on security. Microsoft products are better on security and I think our focus is paying off. The numbers say third party applications are an issue. What we need to do as a community is figure out how to solve this problem,” says Stathakopoulos, reiterating his common theme. I told him that insecure third party applications may skew how secure Vista looks and he generally agreed. “Absolutely, third party applications affect the magnitude of how secure Vista looks.”
Indeed, Microsoft is working on getting the ecosystem to cooperate more. Earlier this year, Microsoft launched its trusted Internet initiative, which is still in the whitepaper stage.
Among other nuggets of Microsoft’s findings that stood out:
- Brazil is the global king of password stealers and monitoring tools. More than 60 percent of the computers cleaned in Brazil had password stealers on them. Globally, Trojan downloaders and droppers are the most popular means of attack.
- China is dominated by pop-up ad toolbars and browser modifiers. This malware usually stays in China since it is written in Chinese.
- Viruses still work in Korea relative to the rest of the world. Most of these infected files are swapped via peer-to-peer networks. Stathakopoulos says gaming is a primary target for attackers in Korea. Cybercrime is localized to each country’s unique characteristics.
- The infection rate for Windows Vista is lower than Windows XP at any service pack level. Vista 64-bit infection rates are lower than the 32-bit versions.
October 29th, 2008
Symantec cuts outlook amid 'pause' in IT spending
Symantec sees tough sledding ahead as the company cut its fiscal third quarter outlook. “Like many other companies we saw a pause in IT spending the last week of the quarter,” said CEO John Thompson on a conference call.
The security software vendor said Wednesday that its third quarter earnings would be about 11 cents a share to 14 cents a share, or 30 cents a share to 33 cents a share excluding charges. Revenue for the quarter ending Jan. 2 will be $1.45 billion to $1.5 billion. Wall Street was expecting earnings of 36 cents a share on revenue of $1.61 billion.
Thompson noted that the “strengthening of the dollar also hurt our results.” However, Symantec executives said that the company is well positioned to grab more customer wallet share as vendor relationships are consolidated. Even so, Thompson said that customers are taking longer to decide on deals and consumer spending may be weak. When asked if Symantec was being too conservative, executives said it only makes sense to cut the outlook.
Symantec’s outlook overshadowed a strong second quarter. The company reported net income of $140 million, or 16 cents a share, for the second quarter ending Oct. 3. Excluding charges, the company reported earnings of 37 cents a share, two pennies better than estimates.
Revenue in the second quarter was up 7 percent from a year ago to $1.52 billion.
By the numbers:
- International revenue was 50 percent of Symantec’s revenue in the second quarter.
- As for Symantec’s total revenue, Europe, Middle East and Africa revenue was 32 percent of sales. Asia Pacific/Japan revenue was 14 percent of the total with the Americas (including U.S., Latin America and Canada) accounting for 54 percent.
- Storage and server management accounted for 38 percent of revenue with the consumer business representing 29 percent. Security and compliance was 26 percent of the total with services accounting for 7 percent.
- Symantec signed 326 agreements compared to 302 a year ago. Of those deals, 77 topped $1 million.
October 23rd, 2008
IT Dojo video: Five ways to keep your own IT staff from stealing company secrets
High-profile breaches of private data are often the results of lost or stolen equipment, malicious hackers, or improperly disposed of storage devices. Yet, the July 2008 arrest of a network administrator who hijacked the city of San Francisco’s network focused the spotlight on a potentially more dangerous threat–your own admins.
In this IT Dojo video, Bill Detwiler discusses five security practices that will help protect your company secrets from the very people who should be keeping them safe.
Once you’ve watched this IT Dojo video, you can find a link to the original TechRepublic article and print the tip from our IT Dojo Blog.
October 21st, 2008
Motorola pushes secured wireless LAN into enterprise
Motorola, with the close of its acquisition of AirDefense at the end of last month, is wasting no time integrating AirDefense’s wireless security technology into its wireless LAN access points.
Today, as part of the company’s announcement of a hardware-based wireless intrusion prevention system built into its wireless access points, Motorola noted that it’s not only eliminating the clutter of unnecessary wires but also the need for an added layer of hardware that was once needed to secure the LAN.
It marks a turning point for enterprise customers who are looking at wireless networking solutions as a way of not only identifying potential cost savings but also delivering throughput that exceeds traditional Ethernet. With the arrival of 802.11n technology, networks can now wirelessly move data at the rate of 300 megabits per second, compared to the 100 megabits per second of Ethernet and 54 megabits per second of the previous “a” and “g” versions of 802.11.
It’s also worth noting that Motorola’s security features not only protect the network from intrusions but also allow administrators to monitor where potential compromises exist. If a foreign wireless access point were connected to the network and enabled unsecured access to the network, administrators would be able to quickly identify and remove it.
When I met with Motorola, I asked how they planned to talk to potential customers about making an investment while so many companies are being asked to make cutbacks. The short answer was that enterprise customers are more often asking about wireless LANs as a way of reducing costs of installing hard-wired networks while increasing data throughput speeds. At the enterprise level, the common theme is trying to do more with less.
Separately, research firm IDC said this week that the worldwide wireless LAN semiconductor market is expected to pass the $4 billion mark by 2012, with a compound annual growth rate of 22.8%. Personal computers remain the largest application segment for WLAN semiconductors; with 802.11n technology serving as the next growth driver, there’s opportunity for new applications and usage models.
October 8th, 2008
Symantec buys MessageLabs for $695 million; Bolsters SaaS lineup
Somebody is finding some values out there in techland. Symantec on Wednesday said it is acquiring MessageLabs for $695 million in cash.
MessageLabs, which offers messaging and Web security services, had about $145 million in revenue for the fiscal year ending July 31.
Symantec said that the final price will depend on currency fluctuations–it is paying pounds for MessageLabs–but the bigger theme here is that the security software giant is grabbing some turf in the software as a service market.
In a statement, Symantec said its plan was the following:
- Use MessageLabs to bolster its online messaging security services;
- Cross-sell and up sell its SaaS-based storage and online remote access products to MessageLabs customers;
- Use MessageLabs to position the company as a SaaS player;
- And more importantly be able to offer a SaaS lineup as customers worry about IT spending.
On a conference call with analysts, Symantec CEO John Thompson said:
This transaction immediately leverages our respective core competitive strengths. It will extend Symantec’s software expertise in data loss prevention, compliance, archiving and endpoint security solutions when combined with MessageLabs’s online expertise in email, web security and instant messaging. The combination will create what we believe will be the most comprehensive SaaS offerings with a simplified user experience that packages billing, support and application management through one easy-to-use portal. Increasingly, our customers want choice. The opportunity to provide them an expanded set of on-premise and off-premise solutions for many of their most critical information management challenges is truly exciting.
Simply put, MessageLabs is a nice hedge to Symantec’s core business of selling you suites of security apps. Symantec said MessageLabs will give it a strong portfolio of SaaS offerings and cloud infrastructure services. If the cloud ever replaces the shrink-wrap Symantec will be in position.
October 2nd, 2008
Schwarzenegger terminates new data breach bill (again)
California Gov. Arnold Schwarzenegger has vetoed data breach notification legislation for the second time in the last year.
The bill, dubbed the Consumer Data Protection Act, would have required retailers that take card transactions to disclose more detail about any data breach. Schwarzenegger’s veto comes after the bill–AB 1656–handily passed in California’s State Assembly and Senate.
Existing law requires any agency, person, or business that maintains computerized data that includes personal information that the agency, person, or business does not own, to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. This bill would require that notification to the owner or licensee of the information to include, among other things, a description of the categories of personal information that were, or may have been, acquired, a toll-free or local telephone number or e-mail address that individuals may use to contact the agency, person, or business, and the telephone numbers and addresses of the major credit reporting agencies. If the owner or licensee of the information is the issuer of the credit or debit card or the payment device, or maintains the account from which the payment device orders payment or is an agency required to give notice of a security breach, as specified, the bill would require the owner or licensee to disclose the same information to the California resident in plain language, as specified.
Schwarzenegger shot down the bill and in a notice said:
Clearly, the need to protect personal information is increasingly critical as routine commercial transactions are more and more exclusively accomplished through electronic means. However, by requiring notification even where no information was obtained improperly, this bill would likely result in significant costs to businesses and to the state.
October 1st, 2008
Is security really a big drag on innovation?
Have you ever held back innovation because of information security concerns? Apparently more than a few technology executives are repeatedly gun-shy.
According to an IDC-RSA study to be released Wednesday, security fears stifle business innovation at 80 percent of companies. This security vs. innovation theme was sounded by RSA president Art Coviello in April at the RSA conference. Coviello, who advocates a thinking defense system, returned to that theme and noted that security is hampering daily business.
I don’t doubt the business disconnect between security folks that want to lock everything down and innovation, but the linkage may not be as tight as IDC and RSA are portraying. I could be wrong, but I have a hard time envisioning a chief security officer telling some marketing chief or operating guru that some technology can’t be deployed over data protection. Why do I make that leap? Companies seem to be doing a really crappy job at protecting our data today. If businesses were really locking things down there would be fewer data breaches.
What’s really going on? I think security and business folks surveyed by RSA and IDC are indicating that they want to ditch a few compliance shackles in the name of innovation. And naturally, everyone says security is a top priority. No one will ever pooh-pooh security in a survey. You’d get fired if you actually admitted that security was the No. 7 spending priority.
Nevertheless, the IDC-RSA findings, which are based on 200 respondents, are interesting. To wit:
44 percent of security leaders are being measured on their innovation contributions.
21 percent of respondents said security efforts are aligned with the business. But 61 percent consider themselves compliance jockeys.
87 percent of business types said that creating an innovative environment was extremely important or important. 78 percent of security/IT types had the same answer. A little more than 14 percent of the security/IT managers were neutral on innovation with about 7 percent saying it wasn’t important.
54.4 percent of business types, known as line of business or LOB below, see joint ventures as their biggest priorities. Here’s the rest of the breakdown:
45.7 percent of respondents say the info security team reports to the CIO, but 37.6 percent actually think that’s the right reporting structure. Here’s the breakdown:
September 19th, 2008
Can a case be made against the Palin e-mail hacker?
It’s probably only a matter of time before the feds arrest the kid who allegedly hacked into Sarah Palin’s Yahoo e-mail account. If the news reports are true, it looks like fingers are pointing to the 20-year-old son of a Democratic state legislator in Tennessee.
But, here’s the thing. What do you charge him with? That is - under what law? The Electronic Frontier Foundation, in its blog, found a little loophole that could impact the ability of the Department of Justice to charge this kid for a violation of the Stored Communications Act.
According to the site, the act defines “electronic storage” as “any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof,” or in the alternative as “any storage of such communication by an electronic communication service for purposes of backup protection of such communication.” The courts have interpreted the act to conclude that both received and unreceived e-mails fall under the umbrella of “electronic storage.” From the EFF’s blog:
This is because when the recipient accesses an email but does not delete it, it moves from storage incident to transmission to backup storage under the second part of the SCA’s “electronic storage” definition. See Theofel v. Farey-Jones, 359 F.3d 1066, 1075 (9th Cir. 2003) (finding that “obvious purpose” for storing a message on the provider’s server after delivery is to provide a second copy of the message in the event it needs to be downloaded again). Thus, since Gov. Palin and Yahoo! are both in the Ninth Circuit (Alaska and California respectively), it would violate the SCA to obtain unauthorized access to her emails, whether opened or not.
Here’s the twist: the DOJ disagrees with that interpretation, the EFF said. The DOJ basically argues that an e-mail that has already been read but is then left on the mail servers is no longer in “electronic storage” as defined by the act.
This would mean no SCA privacy protection for the majority, if not the entirety, of the Gov. Palin’s email messages at issue. As the DOJ acknowledges, “[i]f Theofel’s broad interpretation of ‘electronic storage’ were correct, prosecutions under section 2701 would be substantially less difficult…” On the flip side, if the DOJ were right and Theofel were wrong, any hacker responsible for obtaining access to those emails - or any other individual’s opened messages - could not be prosecuted under the SCA.
It’s quite the interesting little twist. Politically, there are plenty of folks who want this kid taken out to the woodshed for exposing the VP candidate’s use of personal e-mail for doing state business. Those e-mails also show how closely connected her husband - Todd Palin - was when it came to correspondence about state business (relevant because he has been subpoenaed to testify in the troopergate matter).
The EFF has done a good job of analyzing the legal arguments in this matter. If you’re a legal buff, you’ll find some interesting reading by clicking through some of the links on the EFF’s blog post.
September 17th, 2008
DHS still doesn't quite get this cybersecurity thing
The Department of Homeland Security is still lacking in the cybersecurity department, according to a bevy of critics. What’s galling is that the DHS’ inadequacies are barely news anymore. Here’s what would be a real news flash: “DHS locks down cybersecurity. Hackers locked out!”
Perhaps I’m cynical from following the DHS from inception, but that’s my reaction after reading the latest dose of criticism detailed by News.com.
Stephanie Condon outlines how some are saying that the DHS can’t be trusted with its cybersecurity mission. Trust isn’t the issue. Bureaucracy is. The DHS is a hodge-podge of 22 agencies and frankly I’d rather have them sniffing out explosives than worrying about hackers. The job is big enough. Perhaps we need a DCS, or Department of Cybersecurity.
James Lewis, a director at the Center for Strategic and International Studies, testified at a House hearing on the cybersecurity matter and concluded that the existing setup isn’t conducive to effectively battling hackers. Lewis said:
It did not take long for our group to conclude that our national efforts in cyberspace are disorganized. None of the existing cyber security structures are adequate. We found that the central problems in the current Federal organization for cyber security are the lack of a strategic focus, overlapping missions, poor coordination and collaboration, and diffuse responsibility. Much of the problem resides with the performance and capabilities of the Department of Homeland Security. While the Department’s performance has improved in recent years, making this Department more effective will be an immediate task for the next administration. However, our view is that any improvement to the nation’s cyber security must go outside of DHS to be effective, and this will require rethinking the roles of DHS and the Homeland Security Council.
Given DHS’s weaknesses, we considered a number of alternatives. The Intelligence community has the necessary capabilities but giving it a lead role poses serious constitutional problems. DOD is well suited to manage a national mission, but giving it the lead suggests a militarization of cyber space. We concluded that only the White House has the necessary authority and oversight for cyber security.
Simply appointing a czar, however, will not work. Czars in Washington tend to be either temporary or marginalized. Longing for a Czar is a symptom of our industrial-age governmental organization. We are developing recommendations on how to leverage information technology to increase security while improving the efficiency, and transparency of government operations. Our thinking on this has been shaped in part by the implementation of the Intelligence Reform and Terrorist Prevention Act, which imposed a new, more collaborative structure on the Intelligence Community. This is still a work in progress, but the IC’s experience shows that the combination of a Congressional mandate, adequate authorities, and a focus on “enterprise” solutions (e.g. those that cut across traditional agency barriers) can improve federal performance.
The big conclusion from Lewis: The U.S. needs the President to be Mr. Cybersecurity and impose better practices on the army of bureaucrats. Color me skeptical.
Meanwhile, the General Accountability Office (GAO) reports that the DHS hasn’t fully learned the lessons of Cyber Storm, an information security exercise in Feb. 2006. The problem with this tidbit: The DHS has already conducted Cyber Storm II in March.
Commenting on their experiences during the second Cyber Storm exercise, in March 2008, participants observed both progress and continued challenges in building a comprehensive national cyber response capability. Their observations addressed several key areas, including the value and scope of the exercise, roles and responsibilities, public relations, communications, the exercise infrastructure, and the handling of classified information. For example, many participants reported that their organizations found value in the exercise because it led them to update their contact lists and improve their response capabilities. Other participants, however, reported the need for clarifying the role of the law enforcement community during a cyber incident and for improving policies governing the handling of classified information so that key information can be shared. Many of the challenges identified during Cyber Storm II were similar to challenges identified during the first exercise.
Based on the GAO–the single best part of government by the way–I’d have to side with Lewis. Cybersecurity has to be more of a priority and lumping it into the DHS isn’t going to work. However, any fool (including me) can identify the problem. What’s the solution? Keep in mind that the reality will differ greatly from the white board and toss me a few fixes. If you were king of cybersecurity in the U.S. for a day what would you do?
September 16th, 2008
Now Debuting: One-Click Payment For Illegal Downloads
Frank Zappa again is a mother of invention.
Since Friday, songs of the experimental musician, dead now for almost 15 years, have been used to test a one-click system for getting payments from individuals who download works of artists illegally.
The test is being conducted by Nexicon Inc., a Malibu, Calif., supplier of anti-piracy technology and services. Nexicon last week announced that it had reached an agreement with YouTube to monitor videos uploaded to its site for possible copyright infringement on behalf of motion picture studios and other content owners.
As early as next week, Nexicon is preparing to announce the debut of a service for musicians and music owners that will sort through billions of files from peer-to-peer and other file-sharing services as they are downloaded, identify those which are being downloaded illegally, and send notices automatically to the downloading party that they are breaking the law. As part of sending the notice, the service will propose a settlement that includes instant payment by Visa, MasterCard, PayPal or electronic check of the retail price of the file plus an administrative fee to cover costs.
This “actually provides dollars in the pocket of the musicians a fair amount for the distribution channel that online peer-to-peer file sharing, etc.,” said Samuel M. Glines, Nexicon’s vice president of strategy and planning.
The International Federation of the Phonographic Industry estimates that 95% of all music downloads are illegal. The music industry now reaps nearly $3 billion from legal sales of digital music.
The company has applied for a business process patent on its approach to the sending of notices en masse to violating parties and the automated resolution of disputes, Glines said. The company calls the process and program GetAmnesty. TorrentFreak last year labeled the tactic of turning infringement notices into cash as “extortion.”
The approach has been pioneered by founder and chief technology officer Tommy Stiansen, who describes himself as a “natural-born content pirate” from Bergen, Norway. Since 2004, Stiansen says he has devoted himself to creating a business model for profiting from protecting content owners from piracy, instead.
In the Frank Zappa case, he contends that a top tune from the eccentric musician such as “Bobby Brown” is downloaded illegally in copyright-protected countries around the globe roughly 60,000 times a day. All told, Nexicon says its anti-piracy technology inspects 19.6 billion file transmissions every day, including files using BitTorrent, eDonkey, Gnutella, and other protocols.
The Nexicon collection system is being based, to great degree, on online retailer Amazon’s “one-click” process for taking payments, Glines said.
The Nexicon approach to one-click payments will allow content owners to have “100% automated responses” to illegal downloads. They could even use the contacts with fans as opportunities to deliver notices of concerts of living artists that will be coming soon to a city near the downloader, a chance to give away a new song from a new collection and other types of communication, Stiansen said.
The system also will be able, though, to build a history on any user that is a repeat offender, keeping track of any songs being illegally downloaded to a particular machine. The company will use “clock-skew” technology to identify each machine.
Nexicon maintains there will be no witch-hunting or bounty-hunting of illegal downloaders. Instead, the process will give content owners a chance to turn the downloaders into paying customers. According to Glines:
“We’re not looking to break the bank and sue individuals. We understand that these folks are the fans of these musicians. The content owners want to embrace the fans and want to connect with the fans. They just want to be compensated for the work that they have produced.”
The numbers are changing every day of the Zappa test. But with tens of thousands of downloads put through the paces of the automated system for notices and payment collection, the company indicates that roughly half the time the users who get a notice pay up.
September 16th, 2008
IT Dojo: Track a user's Internet Explorer History with IEHistoryView
Spying on end users may be an unwelcome activity for most IT pros, but it is often a necessary duty for network administrators. In this IT Dojo video, Bill Detwiler shows you a free tool called IEHistoryView that can help you investigate complaints of inappropriate Internet usage and suspicious browsing behavior.
Once you’ve watched this IT Dojo video, you can find a link to the original TechRepublic article and print the tip from our IT Dojo Blog.
August 27th, 2008
Who’s Dumber: Bad Guys … Or Good Guys?
In the old cowboy movies, the black hats were villains who created mayhem, until the white hats came along and ended their reigns of fear. Now, we have the spectacle of good guys seemingly educating the bad guys on how to exploit flaws in the Internet’s protocols and processes that could compromise traffic and users. Then, there are good guys who act in braindead ways.
So who should we fear the most?

Thus far this summer, the Internet has not cracked, even though Dan Kaminsky basically revealed all the details of a flaw in the Domain Name System that could have led to a train wreck on the Internet. Thankfully, he cautiously held back the details first, so patches could be put in place to prevent the identities of users of banking and other sites on the Web from being hijacked.
Now, two security researchers have demonstrated how huge amounts of unencrypted Internet traffic can be siphoned off through the Border Gateway Protocol. One computer expert said in this Wired article that he “went around screaming my head about this about ten or twelve years ago” to intelligence agencies and to the National Security Council to no effect.
That’s the point. So far, the black hats haven’t shown they are smart enough to hijack IDs through the DNS flaw or Internet traffic through BGP eavesdropping.
Meanwhile, though, there seem to be plenty of dumb guys in white hats, making life miserable for thousands or millions of computer and Web users.
There’s the memory stick that got lost in the United Kingdom by the consulting firm that is working on the government’s ID card project. Data on 84,000 prisoners and 43,000 serious offenders went missing. Oh, and the data on the stick was, naturally, unencrypted.
That’s data about lawbreakers. How about the million people whose account numbers, passwords, mobile phone numbers and signatures were sold, inadvertently, on eBay? Their information was supposed to be protected by The Royal Bank of Scotland. But its archiving company sold a server on the auction network without wiping the hard drive. Helllloooo … anybody home?
There is not just stupidity on the other side of the pond. Connecticut Gov. Jodi Rell has been probing the loss of Social Security Numbers and other personal information belonging to 4.5 million customers of Bank of New York Mellon. And Rhode Island lost a disk with the Social Security Numbers of about 1,400 state employees.
With consultants, bankers and government officials like this, too often it seems that “good guys” give us more to worry about than bad guys.
SLIDES: “Stealing The Internet” from Defcon
IMAGE SOURCE: www.fortunecity.com
August 13th, 2008
Police Surveillance: Go Snoop, Yourself

With New York planning to put in another 3,000 surveillance cameras and monitor all license plates coming into the island of Manhattan at 20 entrances with its Operation Sentinel, travelers and residents should not only get over any indignation at being snooped on to this extent by police in their neighborhoods. They should get with the program.
So says no less an authority than lawyer Norman Siegel, who was director of the New York Civil Liberties Union, from 1985 to 2000.
Let’s back up here, first. Surveillance cameras have been a hot spot, so to speak, with New York residents since at least 1998. That’s when 11 secret cameras were discovered in Washington Square Park, unbeknownst to those who frequented it. The cameras had a social purpose though: To clean out drug dealing.
Fast forward to 2006. The New York Civil Liberties Union issued a report that showed a massive growth in surveillance cameras around the city. Thousands upon thousands.
Here’s a comparison showing the growth of public and private cameras in different parts of the city, from that report:

And here’s how they looked, dotted around Lower Manhattan, where the 3,000 new police cameras are apparently slated to go.

At that time the NYCLU report stated:
“There is, however, a growing body of evidence that indicates the proliferation of video surveillance technology is undermining fundamental rights of privacy, speech, expression and association.”
So it is interesting to see in the space of two more years, the former head of the NYCLU come out four-square last week for citizens to arm themselves – with their own video cameras. To become proactive with the camera phones or digital cameras they carry around.
Siegel, you see, now counts Critical Mass among his clients as an independent attorney.
This is a loosely organized group of bicycle riders that have caused varying degrees of traffic disruption and confrontations with police officers over the years, particularly in the last four.
One police officer recently was caught on camera phone knocking a Critical Mass cyclist off his bike, during a July ride. The officer had sworn that the cyclist ran into him and was disrupting vehicular movement. Neither was the case, as the citizen-held camera showed.
That led to a protest on the walk in front of One Police Plaza that tied that act of police disrespect to a host of cases of police brutality, as reported here.
And this is where Siegel and other community activists said all citizens should now arm themselves this way – as a check on police statements and, in logical extension, as a counterbalance to police surveillance.
Citizens’ own surveillance of public protests and activities “changes the dynamic” with police, Siegel said. “No longer can the police officer swear out a complaint that says A, B and C and the video shows X, Y, Z.”
People’s own cameras, for instance, will surely outnumber those of the police. Roughly 600 million camera phones were sold worldwide last year; that number should hit 1 billion a year, soon.
And the public is already being invited to do its own snooping on public locales. There are worldwide directories of webcams that any citizen can hook into at any time, from Trafalgar Square in London to Times Square in New York City to downtown Tokyo.
These will only get more numerous, more precise and more observant, changing the dynamic further. And the New York Police are hardly at the head of the pack on installing cameras, to start with. Londoners and their visitors are watched by roughly 4.2 million cameras.
Police cameras aren’t going to go away. So, when you’re about to head into Manhattan or any other public space, check your pocket or purse and make sure your camera is in there.
Don’t leave home without it.
NYPD Surveillance Camera photo from Pro-Zak on Flickr
August 11th, 2008
Video: Defcon: Where feds and hackers rub elbows
It’s an unlikely pairing: security officials and underground hackers. Every year, they make peace and share information at Defcon, Black Hat’s sister conference. CNET’s Kara Tsuboi reports from the 16th annual event that begins in Las Vegas this weekend.
August 8th, 2008
CBS Video: Cyber Threat In China?
US intelligence officials warn that American visitors to the Olympics in China face a serious risk of having sensitive information stolen by cyber thieves. Bob Orr reports.
August 8th, 2008
Facebook and MySpace: Walking the security-social networking line
Security–actually insecurity–is a very social thing. Get a cute malware-infested email and forward it along to your contact list. See a site that’s interesting–but is really just a phishing expedition–and you get hit with a virus/worm/rootkit. Social engineering makes the security world go around. So what do you do if you’re Facebook or MySpace? You tell folks to be less social.
Good luck with that, folks. Earlier this week, security firm Sophos warned Facebook users to be careful given there was a malicious video being spread around. Sophos wrote:
Messages left on Facebook users’ walls are urging members to view a video (which pretends to be hosted on a Google website), but clicking on the link and visiting the webpage takes users to a site which urges them to download an executable to watch the movie.
Sophos detects the executable file as the Troj/Dloadr-BPL Trojan horse, which in turn downloads further malicious code (detected as Troj/Agent-HJX), and displays an innocent image of a court jester sticking his tongue out.
Here’s what you would see:
I’m not sure why anyone would click on that slop, but I guess some people do. Before this latest incident it was an attack on MySpace and Facebook. And why not? Given the social engineering possibilities, a malicious hacker could have a field day.
Also see: Web worms squirm through Facebook, MySpace
Facebook and MySpace are on the case, but they’re really facing an uphill battle. These hacks just keep popping up. In a blog post, Facebook’s security chief Max Kelly wrote:
Most people use the internet without being aware of the constant threat of hackers, spammers, and phishers. Due to the nature of the internet, and the nature of malicious software, most websites will at some point need to deal with patching a security hole. All good websites take these issues very seriously, since no one wants users to suffer. At Facebook, where people keep so much of their lives and information, we’ve built an amazing security team solely focused on making sure our users have a safe experience on the site.
The security team at Facebook is dedicated to investigating and auditing our own code for holes, as well as reaching out to people in an extended community to let us know if we’ve missed anything. If we get a report of a bug or a hole from a user, a security researcher, a reporter, blogger, or anyone, we check it out and fix it as quickly as possible. In fact, we appreciate it when help comes our way from the many security experts and organizations out there. That’s why many of us are attending DEFCON this weekend. DEFCON is one of the largest and oldest running hacker conventions, held in Vegas. By going and learning from other people in the online security space, we make keeping people safe online a joint effort.
Even right now, as we’re preparing to leave for DEFCON, we spent most of last night working on a fix for a worm, which was targeting people on Facebook and placing messages on Walls urging users to view a video that pretends to be hosted on a Google or YouTube website. We’ve identified and blocked the ability to link to the malicious websites from anywhere on Facebook. Less than .002 percent of people on Facebook have been affected, all of whom we notified and suggested steps to remove the malware.
But the real fix is this: Be aware of your surroundings and don’t be stupid (that means don’t share passwords, report spam and make sure the site is legit). In other words, don’t be so viral. It’s a fine line and one social networking sites will have to walk repeatedly going forward.
August 7th, 2008
Will the Olympics melt the Internet?
Okay, sky-is-falling fans and network neutrality proponents: We’re about to find out whether the Internet can – or will – break down under the strain of mass consumption of streaming video.

At least that’s the opinion of Brick Eksten, the president and CEO of Digital Rapids, who is pretty well in a position to know.
“We’re going to find out whether the Internet is going to melt under the weight of video in a couple days,” he told Between The Lines this morning.
Eksten’s company, based in Markham, Ontario, is providing encoding, streaming and management systems to provide live streaming of the 2008 Olympic Games to Internet audiences in China, working for CCTV. Closer to home, Digital Rapids is providing encoding, transcoding and streaming systems to NBC Universal, for the live streaming of the Games that have already begun at www.nbcolympics.com.
This is not like streaming a single event, such as the Victoria’s Secret show that crumpled Mark Cuban’s broadcast.com a decade ago. NBC plans to stream 2,200 hours of live competition in 25 sports, ranging from cycling to soccer to table tennis. Cycling, Eksten says, can be the most challenging sport for which to send out good feeds, because in road races like the Tour de France you are dealing with cameras on the back of motorcycles taking pictures of cyclists with lots of flying wheels against a constantly changing scenic background.
Also see: Time Warner’s Olympic Boost, Courtesy NBC
More Worries For Beijing Visitors
Tech ‘tips’ for Beijing visitors
But it’s the simultaneity that almost became a brick wall for Eksten and his outfit. He had figured, originally, that he’d be taking in a single feed from NBC bouncing off a satellite and landing somewhere in North America. No sweat to clean up, encode and send out to Internet users in the United States.
That is not the case. All the prepping, encoding and sending out of streams happens at the International Broadcast Center in Beijing. And there is not just a single stream coming in. NBC and Digital Rapids are set up to take in as many as 112 video streams, at one time.
Then, there’s not just 112 potential streams to send across a virtual private network to a landing point in North America for dispersal to Internet viewers all across the U.S. There’s the high-resolution stream for NBC’s enhanced player, there’s the lower-resolution version for normal viewing, and a third stream for a picture-in-picture view. All told, 336 streams, maximum, at one time, going out.
Beyond that, we’ll see how technically adept NBC, Microsoft and Digital Rapids are, because the Olympics organizers in Beijing put significant rack space, heat dissipation and other restrictions on this initiative, which forced the encoding to take place in half as many servers as originally planned, according to Digital Rapids. Instead of each of those 112 streams coming into its own system, two incoming streams and six outgoing streams will be handled by each of 56 systems. That meant getting creatively adept at preprocessing each stream before encoding, and allowing some extra capacity to handle the complexities of each stream.
So, soon, we’ll see if it all will work. We’ll see how many of the U.S.’s 210 million Internet users (and China’s 220 million) want to watch sports they’re personally interested in, on their computer screens. If NBC has a hit on its hands with streaming video, the demands on Internet service providers’ networks will be evident, soon enough. The opening ceremonies are tomorrow, 08/08/08.
Eight is a lucky number in China. But all these streams can come apart, as office workers keep streams open as they try to conduct business. That, you have to believe, will be NBC’s prime audience for the streaming video.
In my test this morning involving the U.S. vs. Japan soccer game, the main video frame locked up when I threw up three other games into side viewing panels on a split screen presentation. I had to close the browser and restart, to keep watching the game.
That’s probably an isolated incident. But Eksten is watching to see if there are lots of these lone cases, which aren’t to be worried about. If 50 people at a single office building report problems, that’s not too worrisome to Eksten, either, because the problem likely will have to do with the capacity of a corporate network to handle simultaneous live streams. [Side note: How many CIOs are going to block these streams altogether, for the duration of the Games, to maintain productivity in the office, not to mention to protect the capacity for those actually doing work?]
If usage overwhelms a regional network belonging to a cable company like Time Warner or phone company like AT&T, however, then it’s worrisome. And if many people on many systems have failures, then eyes turn toward the content distribution network. If no one in North America can see NBC’s streams, then it’ll be a problem with the fiber that is carrying all the streams under the Pacific Ocean.
This will be the biggest test today of Internet viewers’ appetite for streaming video of live sporting events – and of the Internet’s ability to handle that.
If the Internet service providers’ networks start getting maxed out, you can probably expect some “rate shaping” or other bandwidth management techniques to come into play, Eksten notes. After all, you still have to get the e-mail through for non-sports fans.
Which means not just technologists like Eksten but network neutrality proponents should spend a lot of time looking at logs and statistical reports from the service providers, after this is all over to see how the streaming affected the Internet’s fabric of networks.
The odds of the Internet melting down, once the Games begin?
Eksten puts the odds at 60 percent for achieving a “generally great experience” and between 5 and 10 percent for “the whole thing melting down.”
Stay tuned. If you can.
August 7th, 2008
More worries for Beijing visitors
If you are headed to (or already at) the Olympic Games and you weren’t worried by my Tech Tips for Beijing Visitors at the end of last month, maybe you should be now.
In telling the Wall Street Journal’s readers “Don’t Forget About China’s Dissidents,” Ellen Bork notes at the tail end of her piece:
The world isn’t just sending athletes to the Olympics, but surveillance technology that will help the government keep tabs on its people for years to come. American companies alone have sold China technology that invisibly copies computer hard drives, reads encrypted text and performs facial recognition analysis on surveillance video.
So, even if you store your photos, documents and other files on a hard drive, they may not be safe from duplication. Your notes may be decrypted. And your face picked out of a crowd, as you move about.
Have fun. Carefully.
Tom Steinert-Threlkeld is editor-in-chief of Securities Industry News, as well as a long-time media, technology and business journalist. See his full profile and disclosure of his industry affiliations.