Posts Tagged ‘technology’

Toward a new strategy for Microsoft

December 2, 2012

Back on 7 August I suggested that Microsoft’s plan for its own tablet was a big mistake (A Microsoft-made tablet? Big mistake). I may have been wrong – but only if it is part of a completely new and wider strategy.

Let’s look at the Big 4: Apple, Google, Microsoft and The User.

Microsoft’s strategy is built on the predominance and continued dominance of the PC. Without the PC there is only a small Microsoft – and the PC is in decline, and possibly a terminal decline. Microsoft’s strategy is in decline.

Apple’s strategy is built around owning everything, both hardware and software – and charging an obscene price for that monopoly. So far it has worked very successfully; but if you listen to the undercurrents from The User there is growing User dismay over both the price of that monopoly, and the frequency with which loyal subjects are asked to dump existing product and buy new product. Apple’s strategy is at the apex, and the only way is down (with a slight delay when it dumps OS X in favour of desktop iOS).

Google’s strategy is to base everything in the cloud, and to own the cloud. This makes distribution very, very cheap, and upgrades cheap, seamless and invisible to the User. Google is proving very, very successful in this strategy.

But what about The User? The User’s strategy is to demand everything now, preferably free (but at least very cheap), anywhere and anytime. Microsoft provides none of this. Apple provides some, but not much, of this. Google provides it all.

So on current strategies, Microsoft is doomed, Apple will decline while Google will grow and thrive. (Incidentally, Amazon seems to have seen the writing, and I rather suspect that all three will have to watch out for Amazon in a few years time.)

But what if Microsoft has also finally come to its senses? What if the Microsoft tablet is not just a one-off foray into hardware, but part of a completely new strategy aimed at combining Apple’s hardware/software monopoly approach with Google’s cloud efficiency?

There are growing rumours that Microsoft is about to switch from, say, 3-yearly Windows releases to yearly releases. This makes no sense whatsoever under the current strategy. Expecting users to buy a new operating system every year won’t wash. Unless…

Let’s say that the MS plan is not new operating systems delivered in box or on disk, but new downloads delivered from the cloud just as its current patches are delivered every second Tuesday of the month. This model would require something like an annual license for the OS rather than a fixed price for the box. If that license were around £25 per year (preferably less), few users could say that use of Windows for just £2 per month is excessive. Let’s now take that to the logical conclusion: Windows and Office both migrate to the cloud and are both upgraded or patched on a continuous basis, as and when required, and paid for on a low-cost rolling license.

So Microsoft’s new strategy could be to own both hardware and software – starting with its own tablet but moving into phones (perhaps by buying Nokia?) and desktops (perhaps by buying Dell or Acer, or even building new from scratch?) – in mimicry of Apple; and then maintaining its software in and distributing from the cloud in mimicry of Google. Such a strategy would combine the best of all possible worlds; and while it is by no means certain that Microsoft could do it, if successful it could reverse the decline of Microsoft.

Categories: All

Liberty, security and prejudice

September 2, 2012

Prejudice is the difference and depth between any point of view and our own. If someone agrees with us, that person is unprejudiced; if someone disagrees with us, that person is prejudiced – either against us personally or at least our point of view. The ‘difference’ is a measure of distance in argument; the ‘depth’ is a measure of entrenchment despite argument. To be truly prejudiced, someone must have a different view and be impervious to logical and compelling argument.

So, from my point of view, anyone who disagrees with me and refuses to listen to me is prejudiced (and requires educational redirection). To them, it is I who is prejudiced and requires re-educating – but that is just a measure of their prejudice. I make this point so that any person who reads this post and flatly refuses to agree with me can understand just how prejudiced he or she really is.

OK – so I came across this article in governing.com, written by Steve Towns. It starts:

Until cybersecurity standards are in place, security professionals worry that terrorists could shut down large swaths of the U.S. economy with the click of a mouse.

My hackles rise. Typical government-sponsored fear-mongering to get the people to accept loss of freedom to an increasingly authoritarian government in exchange for the fallacy of security.

The second paragraph continues

Dan Lohrmann has been in the information security business for the bulk of the past decade, and he’s scratching his head over the continued inability of Congress to enact nationwide cybersecurity protections.

I don’t know Mr Lohrmann, but I scratch my own head that any thinking person can be taken in by this government claptrap. So I need to know more about Mr Lohrmann. Enter LinkedIn. A quick search reveals

Since his career began as an [sic] computer systems analyst at the National Security Agency (NSA) in the 1980s, Daniel J. Lohrmann has been a recognized leader in addressing the importance of global computer networks and security.

NSA huh? Well that explains it all. Just another pro-government, unthinking, pre-packaged, prejudiced apologist.

But seriously, I beseech all citizens of the land of the free and the home of the brave to stop and ask, just how much of that freedom am I willing to give up for the promise of unquantified, un-guaranteed, undeliverable, vote-winning security?

Categories: All, Politics, Security Issues

WikiLeaks, Antileaks, DDoS, Stratfor and TrapWire

August 11, 2012

Life is a game of cricket – sometimes you face bouncers, and sometimes beamers; but usually it’s spin and swing. The internet is full of spin and swing, with business, government, law enforcement and hackers all trying to spin the news to their own advantage in order to swing public opinion behind their own position. It’s called disinformation, and everyone’s at it. But like cricket, you only need one ball to spin or swing, and you cannot trust anything ever again.

So with that introductory warning that I really haven’t got a clue, we can ask, what’s going on with WikiLeaks? This is one possibility. It’s all down to TrapWire and the information about TrapWire coming out of the latest WikiLeaks Stratfor emails.

TrapWire seems to be an international surveillance system centred in and run by the US. It makes Cameron’s Communications Bill look pedestrian. That’s not strictly accurate, since the Communications Bill watches people’s cyber movements, while TrapWire watches real world movements; that is, pedestrians (and cars and anything else that moves). It connects the nation’s CCTV surveillance cameras. As an aside, we can be pretty confident that when (not if) the US gets its Cybersecurity Act, that data will be connected to the TrapWire data. What’s more worrying for Brits is that when (not if) Cameron gets his Communications Bill into an Act, that data will also be connected to TrapWire.

This latter is just conjecture, but look at the parallels in UKUSA and do the math. Also consider this from one of the WikiLeaks emails (dated 22 September 2010):

This week, 500 surveillance cameras were activated on the NYC subway system to focus on pre-operational terrorist surveillance. The surveillance technology is also operational on high value targets (HVTs) in DC, Las Vegas, Los Angeles and London and is called TrapWire (www.abraxasapps.com).

So TrapWire was already operational in the UK almost a year ago.

Well, of course I checked on the Abraxas site (a company apparently populated by a high density of ex-CIA staff), but got nowhere.

[Screenshot: the Abraxas site not found; Google cannot connect]

It’s not just me.

[Screenshot: Abraxas down for other users too, not just me]

…and neither can anyone else…

There’s no buzz on the internet (yet at least) that Abraxas has been tangoed down by Anonymous (in retaliation for Antileaks taking out WikiLeaks). So – pure conjecture – they’ve taken it down themselves.

Thank goodness for Google cache (if you’re quick, it might still be there…)

[Screenshots: Google cache of the Abraxas site]

It wouldn’t be surprising if Abraxas has disconnected itself. This TrapWire thing is big, and the Stratfor emails show it’s being used much wider than published. It’s bad enough that the UK government wants to spy on its own citizens (using our taxes to pay for it, of course), but that it has already opened the door to facilitate US government spying on the British people is quite simply obscene. Or, to be British, unacceptable. I can’t begin to think what the American people will make of it.

So, to go back to the original question, what’s going on with WikiLeaks? The obvious conclusion is that it has been taken down (well, effectively blocked) by a continuing DDoS that has been claimed by Antileaks specifically to suppress the emerging information about TrapWire (WikiLeaks is still down as I write this). This is just conjecture on my part; but, well, the dots connect. Under the guise of anti-terrorism western governments will stop at nothing in their determination to have absolute control over us.

Categories: All, Politics, Security Issues

A Microsoft-made tablet? Big mistake

August 7, 2012

Microsoft once ruled a roost that is now dominated by that great cock, Apple. Apple dwarfs all other technology – in fact, all – companies. And Microsoft is jealous.

Apple’s secret is that it owns both the hardware and the software; and is a must-have brand. Microsoft owns only the software; and for many is a must-not-have brand. None of this is written in stone.

But Microsoft’s solution is just plain wrong. It is planning to build its own tablet, to compete with the iPad and Android.

This would be a mistake. Microsoft should remember its roots (software) and its history (it destroyed IBM’s PC-DOS, and the IBM PC, by making MS-DOS available to any and all hardware manufacturers; but made none itself). Google has learnt this lesson. Android is the antithesis – and possibly the ultimate nemesis – of iOS. It is open, cheap, and available to all hardware manufacturers.

Microsoft’s latest plan for its own tablet will merely hasten its own demise. Already, MS-fanboy Acer has said, “If Microsoft is going to do hardware business, what should we do? Should we still rely on Microsoft, or should we find other alternatives?” There’s some sort of advice here: if you want to rule the roost, don’t shit in your own hen-house.

Categories: All

Is it safe to carry on using Dropbox? Yes and No: Part II

August 5, 2012

Ever since the news of a potential breach at Dropbox emerged, my old post “Is it safe to carry on using Dropbox?” has been getting an elevated number of hits. It is time perhaps to update.

Firstly, what’s this about a breach? Well, Dropbox wasn’t breached in the traditional sense of the word. The likelihood is that a number of Dropbox users had the same log-in credentials (email address and password) that they used on a different web account that was breached. The criminals were able to reuse the credentials stolen from elsewhere, and gain access to a number of Dropbox accounts.

Unfortunately, one of these accounts belonged to a Dropbox employee. The criminals gained access to his account and found a file containing an unknown number of users’ email addresses. It was probably these users that were subsequently spammed, leading to the suggestion that Dropbox had been hacked.

This leaves us two questions: is Dropbox safe to use; and what lessons should we learn?

Dropbox is no more nor less safe than it was before; that is, it is not safe. This for two reasons: firstly, it is in the cloud; and secondly, Dropbox is a US company. You don’t know what is happening in a cloud that is not your own; so it is not safe. Dropbox is registered in the US, and is subject to the PATRIOT Act – the US authorities are able to demand details of you and your account simply because they want them. So Dropbox is just not safe for confidential or incriminating content (and nor, note, is any other US-based cloud company).

But why worry if the data you store is neither of these? You can increase the level of security by locally encrypting the files (with something like TrueCrypt) and storing only encrypted files. The basic rule is simple: if it is important that nobody else ever sees the data, don’t use Dropbox; if it doesn’t matter if other people see your files, you can use Dropbox. If you’re somewhere in-between, encrypt.

What should we learn from this? Well, it is good that Dropbox has or will be initiating additional security – including two-factor authentication. This will make your data safer from hackers, but it has no effect on law enforcement intrusion. And judging from Google’s 2FA, few people will bother using it.

I also very much like the new security page (partial screenshot below). It’s available at your Dropbox settings location, and shows who has recently accessed your account and who is currently accessing your account. This is certainly worth checking regularly. Note also that this is where you change your Dropbox password.

[Screenshot: the new Dropbox security page]

But despite this good response from Dropbox, the fact remains that these are reactive and not proactive steps. Security is still an afterthought, added on to systems rather than designed into them. That’s one lesson we don’t seem able to learn. Secondly, it is sad that a Dropbox employee should be guilty of fundamental security no-nos: he stored a file with user emails in plaintext; and he was reusing the same password on at least two different accounts.

These are the main lessons that we all need to learn: do not trust other people or systems to do security for you. It is your, not their, responsibility (or at least, even if it is their responsibility, you cannot assume they will do it).

And finally, and fundamentally, and beyond all others: when will we ever learn to stop re-using the same password on multiple accounts? Tens of millions of passwords have been stolen from tens of major providers this year alone – and that’s just the ones we know about. Are you sure that your own password is not included? If it is, and you re-use it on multiple accounts, then you simply don’t know who has access to your accounts. And if that includes your email account or bank account, not to put too fine a point on it, you’re screwed.

So, is Dropbox safe? Probably not; but that doesn’t mean we shouldn’t use it under certain circumstances. I shall certainly carry on using it. But are we safe? Absolutely not until we start using unique, strong passwords for every different account. Hint. Use a good password manager.

Update: the revelations from Edward Snowden concerning US government access to cloud services, which will include Dropbox, add new urgency to considering the use of Dropbox. See our latest commentary following Edward Snowden’s Prism revelations: Is it safe to carry on using Dropbox (post Prism)? Yes and No: Part III

See also: Is it safe to carry on using Dropbox following the DMCA takedown revelations? (03/31/2014)

Is it safe to carry on using Dropbox with Condoleezza Rice on the Board? (04/14/2014)

Categories: All, Security Issues

Simon Cowell: creativity? Roger Daltrey: my generation? I don’t think so

July 26, 2012

Here’s a puzzle. What do Simon Cowell, Roger Daltrey (CBE), (the Lord) Lloyd Webber, and (Sir) Elton John (CBE) have in common?

Yes, you’re right, they’re all aging fuddy-duddies. But that’s not the answer. You can choose from any of the following correct answers:

Their letter includes this:

Illegal activity online must be pushed to the margins…

The simplest way to ensure this would be to implement swiftly the long overdue measures in the Digital Economy Act 2010; and to ensure broadband providers, search engines and online advertisers play their part in protecting consumers and creators from illegal sites.

Let’s look at this.

implement swiftly the long overdue measures in the Digital Economy Act 2010
That is, start the three strikes graduated response to frighten UK citizens into doing what we want: which is to support a broken business model in order to carry on making our fortunes even bigger.

ensure broadband providers, search engines and online advertisers play their part
That is, get ISPs to block sites we don’t like; get search engines to censor links we don’t like; and prevent advertisers advertising things we don’t like.

The problem here is this. Those things they don’t like are mostly (but far from entirely) already illegal. We have laws (even without the Digital Economy Act) that can be used against illegal things. But what these people want is to become the arbiters of the law – they wish to tell the courts what is illegal rather than have the courts decide. And they don’t care how many innocent people are hurt or disrupted in the process.

Yesterday, TorrentFreak published an overview of the rightsholders’ leaked strategy. On cyberlockers, for example, they want sites that do not comply with their own infringing-content removal criteria, to be shut down. Megaupload is a good example. It didn’t remove infringing copyright fast enough for the rightsholders – so in conjunction with the FBI it was taken down. Who cares about the thousands of legal users with thousands of legally stored documents? Certainly not the rightsholders.

Frankly, if it wasn’t so serious it would be hilarious. Daltrey made a fortune by talking about his generation. That generation was young and dynamic and rebellious. Now he has abandoned the young and the rebellious in favour of the rich and staid. Cowell has put his name to the statement, “To continue to create world-beating creative content…” This is Simon Cowell. The same Simon Cowell who has sucked creativity out of the music industry by concentrating on pre-packaged, good-looking pretty boys and girls who can do nothing but recycle cover versions of old music. Creativity? All of these people want to stamp out creativity and concentrate on increasing their own – nobody else’s – fortunes.

You and me and the internet generation are the enemy; and you and me must be made to conform to an internet made in their own image.

Categories: All, General Rants, Politics

News stories on Infosecurity Magazine: 17, 18, 21 and 22 May, 2012

May 22, 2012

My recent news stories…

You don’t need to be hacked if you give away your credentials
GFI Software highlights the problems of users’ carelessness with their credentials: who needs hacking skills when log-on details are just handed over?
22 May 2012

A new solution for authenticating BYOD
New start-up SaaSID today launches a product at CloudForce London that seeks to solve a pressing and growing problem: the authentication of personal devices to the cloud.
22 May 2012

New HMRC refund phishing scam detected
Every year our tax details are evaluated by HMRC. Every year, a lucky few get tax refunds; and every year, at that time, the scammers come out to take advantage.
22 May 2012

UK government is likely to miss its own cloud targets
G-Cloud is the government strategy to reduce IT expenditure by increasing use of the cloud. It calls for 50% of new spending to be used on cloud services by 2015 – but a new report from VMware suggests such targets will likely be missed by the public sector.
21 May 2012

New Absinthe 2.0 Apple jailbreak expected this week
The tethered jailbreak for iOS 5.1, Redsn0w, still works on iOS 5.1.1. This week, probably on 25 May, a new untethered jailbreak is likely to be announced at the Hack-in-the-Box conference.
21 May 2012

TeliaSonera sells black boxes to dictators
While the UK awaits details on how the proposed Communications Bill will force service providers to monitor internet and phone metadata, Sweden’s TeliaSonera shows how it could be done by selling black boxes to authoritarian states.
21 May 2012

Understanding the legal problems with DPA
We have known for many years that the EU is not happy with the UK’s implementation of the Data Protection Directive – what we haven’t known is why. This may now change thanks to the persistence of Amberhawk Training Ltd.
18 May 2012

Who attacked WikiLeaks and The Pirate Bay?
This week both The Pirate Bay and WikiLeaks have been ‘taken down’ by sustained DDoS attacks: TPB for over 24 hours, and WikiLeaks for 72. What isn’t known is who is behind the attacks.
18 May 2012

BYOD threatens job security at HP
BYOD isn’t simply a security issue – it’s a job issue. Sales of multi-function smartphones and tablets are reducing demand for traditional PCs; and this is hitting Hewlett Packard.
18 May 2012

25 civil servants reprimanded weekly for data breach
Government databases are full of highly prized and highly sensitive personal information. The upcoming Communications Bill will generate one of the very largest databases. The government says it will not include personal information.
17 May 2012

Vulnerability found in Mobile Spy spyware app
Mobile Spy is covert spyware designed to allow parents to monitor their children’s smartphones, employers to catch time-wasters, and partners to detect cheating spouses. But vulnerabilities mean the covertly spied-upon can become the covert spy.
17 May 2012

Governments make a grab for the internet
Although the internet is officially governed by a bottom-up multi-stakeholder non-governmental model, many governments around the world believe it leaves the US with too much control; and they want things to change.
17 May 2012

Categories: All, Security News

Google removes Khosrow Zarefarid’s blog

May 1, 2012

On Thursday last, while I was traveling home from Infosecurity Europe, Khosrow Zarefarid (the Iranian software engineer who tried to get better protection for Iranian card details held by the banks) contacted me:

Whay my weblog was stoped from google site? Can you help me to solve this problem? I had about 1000000 viewer.

Believe me, his English is infinitely better than my Arabic (which doesn’t exist).

[Screenshot: the removed KZ blog – not what you want to wake up to...]

I couldn’t respond immediately because I was just about to board a peak-time train, and had neither elbow room nor a signal. It wasn’t until Monday that I managed to talk (despite an appalling telephone line) with Google’s Ryan Brack, Manager, Global Communications & Public Affairs.

“Our policy is not to talk about individual cases when it comes to the sort of issue here, which is either a violation of policy, specific content on a blog, etcetera. We just don’t talk about specific cases; but I wanted to give you some sort of piece of information so that you can be clear what Google’s policy is…” He then kindly gave me step by step instructions on how to navigate to the Google policy page, and particularly pointed me to the paragraph:

Personal and confidential information: It’s not ok to publish another person’s personal and confidential information. For example, don’t post someone else’s credit card numbers, Social Security numbers, unlisted phone numbers and driver’s licence numbers. Also, please bear in mind that in most cases, information that is already available elsewhere on the Internet or in public records is not considered to be private or confidential under our policies.

That was it. The line dropped again, almost certainly due to problems at my end (thanks again TalkTalk) and I gave up attempting further voice contact. I emailed:

Hi Ryan

My apologies – I’m having serious line problems ATM. The point I wanted to make is the [that] Zarefarid posted only part of the credit card numbers – enough for the user to recognize that he had them, but nor [not] enough for anyone to make use of them.

This was a clear case of whistleblowing. He had attempted to report the issue through the official channels but was ignored. So he chose this way, but without actually endangering anyone’s personal information (or card numbers).

That was more than 24 hours ago. No response whatsoever.

I don’t believe that Khosrow Zarefarid breached Google’s policy, although he clearly went up to the line. In this instance he was trying to prevent ‘personal and confidential information’ from ending up on the internet. I also believe that under such circumstances Google has a duty to warn the blog owner and provide means by which the blog content can be retrieved by the owner (this may have happened without me knowing about it – but I doubt it).

Google claims, in the same ‘content policy’:

Blogger is a free service for communication, self-expression and freedom of speech. We believe that Blogger increases the availability of information, encourages healthy debate and makes possible new connections between people.

We respect our users’ ownership of and responsibility for the content they choose to share. It is our belief that censoring this content is contrary to a service that bases itself on freedom of expression.

In this instance it did not live up to this ideal. In this instance, Google fell far short – and I appeal to Google to reverse this decision and come to some arrangement with Khosrow Zarefarid.

Infosecurity Magazine news stories for 12-14 March 2012

March 15, 2012

My news stories on Infosecurity Magazine for Monday 12 March to Wednesday 14 March…

BBC under attack from Iran
BBC staff face physical and emotional intimidation while BBC Persian TV services come under cyber threat from Iran.
14 March 2012

Performance comparison between Bit9, Symantec and McAfee
The Tolly Group has published a new report: ‘Comparison of Bit9 Advanced Threat Solution versus McAfee Endpoint Protection Suite and Symantec Endpoint Protection 12.1’. But are they apples and oranges?
14 March 2012

Dell buys SonicWALL
In 2010 Dell bought SecureWorks, last month it bought AppAssure, and now it buys SonicWall in a move that strengthens its security stance and makes it more attractive to the corporate market.
14 March 2012

SafeNet acquires Cryptocard
SafeNet buys Cryptocard to offer the best of both worlds (local and cloud) in user authentication.
13 March 2012

Framesniffing with Chrome, Safari and Internet Explorer
Security consultancy Context has produced an analysis of framesniffing, an attack technique that can data mine sensitive data through web browsers and iFrames.
13 March 2012

EPIC returns to court over NSA/Google relationship
The Electronic Privacy Information Centre is seeking to overturn the NSA’s Glomar response (neither confirming nor denying) to its FOI request for information on any post-Aurora relationship with Google.
13 March 2012

AVAST makes it easier for friends to warn each other about scams
While its customer support warns users about telephone support scams, the latest version of AVAST Software’s anti-malware product helps users help each other.
12 March 2012

The return of Kelihos
Recent reports on the return of Kelihos demonstrate the difficulty in keeping a good bot down.
12 March 2012

ICANN contract renewal not necessarily the expected shoo-in
The National Telecommunications and Information Administration (NTIA) has canceled the RFP for the new Internet Assigned Numbers Authority (IANA) contract currently operated by ICANN.
12 March 2012

Categories: All, Security News