The Writing is on ‘The Wall’

April 26, 2013 Leave a comment


As I wrote back in 2011 ‘A fickle prospect – Business dependent on the Social Flocking collective’ and then again in July 2012 ‘Facebook and the ‘The Emperor’s New Clothes’  it looks like Facebook is nothing unique and is reproducing a user analysis declining trend of past failed social media sites.

The article in the Business Insider Why Mobile-First Teens Are A Big Threat To Facebook’ highlights the weakness of the Facebook business model and this in turn points to the complete lack of ANY structured alternative on the Facebook strategic roadmap. This is not however the first time this decline has been reported, New drop in number of UK users’ user fickle attitudes go back to this report in June 2011.

As I have stated before with its hyped IPO Facebook achieved a valuation that allows it to effectively buy a business model. The recent Facebook Home on Android attempt at re-inventing itself as a Mobile device ‘Skin’ seems to have flopped Facebook Home flops, gets terrible reviews’ so where will they throw their next wad of shareholder cash?

However the latest reports do have greater substance, and the failing of the Facebook Home initiative supports this. The analysis reflects maturing use patterns on the internet and the simple nature that Information and collaborative resources are becoming very fragmented in the nature of how users consume them. No single resource satisfies, with the resource platforms recognising this and the need to interact through cross-posting and ‘mash-ups’. This is after all the strength of Cloud Computing and the new Application Programming Interface (API) orientated service environment that is being built out. All of which waters down the traction any single site or vendor is able to have on their audience, placing greater emphasis on DEPTH versus BREADTH of service delivery capability. It is the vendors demonstrating greater domain expertise in DEPTH that are the ones that will retain their niche user base, and those vendors that provide flexible well documented and user friendly API’s to allow third parties to integrate their unique offering instead of trying to compete.

If Facebook had any imagination, instead of copying other ideas and or closing its environment to cross-posting by trying to be all things to all users, it should open up to the new API world. BUT this is where its poor privacy record and attitude to data makes it a dinosaur, and one that will constrain how any API data sharing will benefit the platform. So until Facebook matures its data usage, retention and privacy attitude it is likely to continue to miss out on the next wave of Internet innovation.

That having been said for better or worse the Internet has not heard the last of this Data Privacy predator.

Filed under Cloud Computing, Computers and Internet, Legal, Privacy, Security

Security 365 – Toilet Paper & Tea bags!

April 19, 2013 1 Comment


OK the title got you this far, so what has Toilet Paper and Tea bags got to do with Security? There is a genuine point to it, please read on …..

Following a recent Cloud Computing event I found myself increasingly alarmed by the prevalence of red herrings being thrown around by vendors with respect to how their solutions and or products solved Cloud security issues when in fact they did little more than try to address them individually at best.

The reality is that DATA must be exposed to the software we use to orchestrate it, be that photo’s in Photoshop, a Document in Microsoft Office Word or a record in a database or a record spread across multiple databases. That is where the issue lies in the exposure of Data. The challenge is how we protect that which is of true value. No longer the network boundary, but protecting the DATA, wherever it goes, however it is being accessed, regardless of its form factor. Not how a software solution can provide a secure environment in which to process data, albeit an important factor, it is not a solution in itself.

Bring on the day when data in its raw form is encrypted and the owner can manage that encryption with convenience and ease whilst ensuring complete control over whom they elect to share any part of that data set with. Imagine being able to share data and attach an expiry date, or revoke data usage at will (regulatory retention aside) instead of having to go through lengthy protracted third party information disclosure requests, which even then are often questionable in their accuracy.

What is appealing about this concept is the reality that it places the control of data back into the hands of the individual. The individual or corporation can then dictate whom, when and for how long they share their data. It opens up possibilities like levying a micro payment charge in cases where that data sharing has a commercial value transfer to any benefiting third party. Assuming a trusted platform that can orchestrate this according to a set of user defined sharing rules (policies), such micro payments would soon add up to reasonable sums of money when considering the current spread of personal data. Sadly we are currently a long way from that Holy Grail. It would certainly sober up the Internet Corporatocracy (Facebook, Twitter, Google and their ilk) of this world who have been building personal value by gorging themselves dining at the Internet table of free data. Their addiction to the concept of free data will I suspect see little support from that quarter for such a solution.

Data security software solutions and products largely address a single issue and do not materially protect the critical payload in transit, rest and during its consumption. The payload being none other than data and the information that is ‘data’.

Erosion of privacy through data seepage into the public domain out with owner’s control or intent is an issue of paramount importance and at a corporate and enterprise scale the exposure and risk grows exponentially. On a private individual level that is often of singular concern, attitudes towards privacy of data influenced largely through the Social Media behavioural contagion, massaged by the Internet’s Corporatocracy, who work hard at breaking down the principles of privacy for self-interest. At some point the Social Media lemmings of the world will wake up to find themselves victims of ‘The Emperor’s New Clothes’, loss of privacy and control of one’s personal data is a sorrowful state of affairs many will have to come to terms with. Reminds me of the immortal words ‘For fools rush in where angels fear to tread’ from the poem ‘An essay on criticism’ by Alexander Pope, or for the more contemporary and more poignantly named song ‘Jokerman’ by Bob Dylan.

I digress, Social Media aside, the simple acts of transmitting and collaborating on information present the largest risk surface area(s) for data compromise. Surfaces that are being built out faster than ever before with the boom in personal / portable compute devices (PCD’s) be that a smartphone, tablet, laptop or the next gadget that gets christened off a keyboard with a stuck ‘i’ key!

For every collaborative event requires a transmission of data, and such events are infrequently constrained within Local Area Network (LAN) but at some point transit a public fixed or wireless network (Internet) exposing or depositing data en-route as well as compute devices out with any structured realm of control. Increasingly the securing of the communication conduit is addressed using HTTPS (Hypertext Transfer Protocol Secure), an encrypted transmission that secures data in transit. But that is only part of the exchange process, and one that has had its security reliability tested and questioned, with early iterations of its underlying protocol having been hacked, ref; Infoworld Article ‘HTTPS has been hacked’. So far we have secured the trickiest part of the information exchange to compromise, the transmission, leaving the easiest, the PC and or Server, available and ready to be compromise. An email attachment click away and data on any unsuspecting PCD regularly falls victim to malware.

This gives a false impression of security, rarely are the end points to a data exchange, the PC, Servers or PCD’s similarly encrypted. But it is not JUST end points is it. Every device en-route between exchanging parties holds the data be it for milliseconds or in some cases longer. A veritable pass the parcel where, Data is cached and stored in a myriad of places, where the parcel is little more than a colander raining data and the information life blood of companies and individuals into the public domain.

A recent study released by Team Cymru reveals that hackers misappropriate more than 1TB of data daily from corporate networks alone. If they can do that from corporate systems what hope is there for the Silver Surfers (60+ generation), one of the fastest growing use bases on the internet today. This is not an isolated issue either. With a global population of Zombie computers in the millions the bad guys capacity to leverage compute power with malicious intent outnumbers the good guys. Moving briefly off theme a bit, the escalation of this power was clearly demonstrated recently with the 300GB Distributed Denial of Service (DoS) attack on Spamhaus ‘When spammers go to war: Behind the Spamhaus DDoS’. This was a x6 increase on the previously largest recorded DoS attack of 50GB. At this scale of escalation attacks are having a collateral impact affect beyond the targeted systems. Subject for a future article I would hazard.

Back on theme, we have all heard of ‘Data Security’, but as a term its use is more often not a full truth. As with the data in transit example above, data security is subjective when it needs to be objective. The security that vendors address today is addressing an environmental state that the data is not persisting in, or not persistent in for long. Securing the protocol’s that we communicate data through, or the servers, datacentres, PCD’s that we store data on or the software applications with which we orchestrate our data, is not true ‘DATA’ security. Access to any of these environments, whether authorised or not, means data can readily be harvested, and believe me it is and most of you will not even know it is happening off your own computers.

I feel like shouting in frustration sometimes – it’s in the name ‘DATA’ security, so secure the DATA itself, as I have blogged before ‘Data Security – It’s in the Name!‘ OK good that you secure the other servers, datacentres, PCD’s or software application assets but what about the DATA! I am not proposing we stop securing servers, datacentres, PCD’s and software application, but their security is addressing THEIR security profile and the DATA security is largely by association only. As we currently deal with security at the server, datacentre, PCD and software application level we create security silo’s that require gatekeeping. Thus the cracks start to appear and data fall’s through or the hacker sneaks in, every other which way the data is exposed to higher risk and the prospect if not likelihood of compromise.

Now throw into the mix the structural nature of Cloud Computing architectures and its fastest growing method of interfacing systems with the use of Web/Cloud services. A Web or Cloud service being little more than a traditional API (Application Programming Interface) exposed to a public network. Designed to link disparate systems to deliver richer and often more real time functionality at scale and with collaborative resources unattainable until now to single organisations. Web/Cloud Services live for data exchange and data retention follows hard on the heals of those exchanges between API exposed entities. API’s = more joins and cracks, not to mention interactions to be audited and jurisdictions that will be challenging to reach into to audit and truly validate Service Level and or compliance. This is no scare tactic, I work with programmers every day, and these are some of the smartest guys around, but they are human, and ‘humanum est errare’ (it is human to err).

With an Industry average of “about 15 – 50 errors per 1,000 lines of delivered code” Quote Steve McDonnell from his book ‘Code Complete’ (2nd Edition. Redmond, Microsoft Press, 2004. 960 pages. ISBN), there is an inevitable high risk in API’s, they are just code after all. Yes errors can be ironed out, but the effort is often not commercially viable. For example only after using extensive format development methods, peer reviews, and statistical testing did the space-shuttle project achieved a level of 0 defects in a random sample of 500,000 lines of code. The ‘Cleanroom Development’ technique pioneered by Harlan Miles achieves consistent rates as low as 3 errors per 1,000 lines of code (Cobb and Mills 1990), so there are no easy options. All said and done commercial realities turn this into a real concern, the cost of this diligence means API’s will not all be tested to such robustly high quality levels as the space shuttle which means there are errors, and where there are errors there will be means to an end for hackers:

But what if the data itself was of no use once the hackers got hold of it? Do you think they would bother spending long ours gaining access to it if they found it worthless?

What I am getting at is the act of encrypting the DATA itself, the raw data packets, only then are we starting to address the nub of the issue – making the data secure. Encryption (to encipher) and Cryptography (hidden, secret) is a powerful resource. I like the core message in these terms because they point to the essence of what we must achieve with our data to make it truly secure to turn it into something of ‘no value or importance to anyone else’ = cipher to encipher / encrypt our data. Whilst that may sound simple I and the rest of the security community are under no pretence of the challenge this would represent to manage.

Encryption is no small undertaking, by its nature it is very unforgiving to the forgetful or unstructured amongst us which is why all but the very large Enterprises can afford data encryption systems. It is no wonder Enterprise Digital Rights Management (E-DRM) has become a familiar term transposed onto the more generic Information Rights Management (IRM). At a private level it is almost non-existent, for even if you understand the principles of Public Key Infrastructure (PKI) and can wield the tools of Pretty Good Privacy (PGP) to manage you data in an encrypted way you will find yourself limited in terms of who you can interact with as this is far from user-friendly or mainstream.

Do not be misled, poor adoption of PKI, PGP and their ilk are not an early adopter issue, it is a fundamental structure issue. These mechanism are complex to get to work optimally, and in a sub-optimum deployment they are compromised so its worth is questionable and in a corporate world ‘it works some of the time’ does not win much in budget debates. At an individual level it is simply the complexity of management and exchange of encryption keys and their associated Certificates validating key ownership that renders it unusable.

The best we have at present for securing our data files is through forms of IRM / E-DRM, but this has until recently been out of reach of not just the Small and Medium Size Business (SMB / SME’s) but even large Corporates. OK there are proprietary application level encryption and password locking features, but they lack the truly ‘in-line’ capacity as a real time solution and after all the internet is full of solutions that can break these within seconds just head over to the likes of:

Not all is lost though. Most of us have come up against the power of IRM in the form of Digital Rights Management (DRM) with online music purchase, finding that if we try to share a music file bought through one of the online stores we cannot. Why? Because the data is secured and has been locked for use to a single user account. Reflect, the data itself is secured this is the DATA protected, OK the software you use to play the media has to know how to read the data. The data compliance with a standard supported by the software that allows the software to interpret how to authorise the user to use the data, but again I point out this is the DATA that is secured, secured by encryption that refers a user (be it individual or software) to comply with a policy set by the data owner.

Welcome to the future of corporate and personal data, where software (any software) conforms to a standard whereby data is encrypted and software has to comply with that standard to use that data. Just as your Windows Media Player or iTunes software does today through their respective online stores which act as a validation and authorisation proxy for the music industry who are the ultimate rights owners of the tunes you play. In such a new world of data, you could perceivably leave you data anywhere and it would be secure. Why? Because it is encrypted, available to those authorised by the data owner. In such a utopia hackers would gain little from stealing data, and Google would not be able to scan your documents and emails so readily!

IRM as stated above has been the exclusive realm of large Enterprises with the deep pockets to invest in the necessary infrastructure and process discipline mandatory to ensure such an environment works seamlessly and critically data encryption keys are not lost! Until now….

May I introduce or re-introduce you to Microsoft Office 365, Microsoft’s Software as a Service platform for business of all sizes, affordable even for individuals. Microsoft Office 365, delivers Enterprise grade email, collaboration, conferencing and productivity software amongst other benefits. It reset’s the bar in terms of empowering organisations and even individuals and most poignantly stands alone in its security capabilities with its Information Protection and Control (IPC) in the form of Windows Azure Rights Management Service:

Microsoft Office 365 forges a Grand Canyon of a chasm between it and the following herd of online Saas business productivity service vendors when it comes to its compliance credentials and security capabilities, and at a price point that is challenging for any serious functionality and data conscious business executive to not consider very, very seriously. Microsoft Office 365 scales from 1 to 50,000 user environments OUT OF THE BOX! Now NO organisation has an excuse for inappropriate document or email disclosure. It allows ANY organisation to Rights Manage their documents and emails, applying Enterprise class encryption helping to ensure they are only visible to those that have been given explicit rights. This protects organisations in the following common risk scenarios:

  • Laptop theft.
  • Portable media loss.
  • Dismissed employee data retention.
  • Inadvertent CC’ing of emails or sending to the wrong recipient
  • Email interception.
  • Internet vendor document/data scanning.
  • ….. amongst others

Not 100% full proof by any means but 100% better than about 95% of the ‘Data’ security being implemented by organisations today. Be assured that just because you believe you have not been compromised does not mean you have not. In fact I would challenge an organisation, IF you have any Intellectual Property worthy of being stolen KNOW that you are either compromised and you don’t know it or adversaries are going after it, if you don’t believe me I fear your falling foul of the old ‘Struthio camelus’ syndrome of head in the sand!

The elephant in the room then becomes how to validate the identity of those access in the data, how do you prove that you are who you are and not an impersonator or a middle man ‘borrowing’ someone access code(s). Single factor Username + Password authentication mechanism are too weak for true identity security, multi-factor authentication (something you know and something you have) is a step in the right direction but many multi-factor authentication approaches remain vulnerable, and thus the goalposts move …. that’s a subject for another day.

Conclusion
So whether you believed me at the start of this article or not here it is, for little more than the cost each year most organisations spend on toilet paper and tea bags (Ok and coffee) per employee they can enjoy Enterprise grade document and email security amongst a bucket load of other powerful features with Microsoft Office 365, no excuses.

——————–

Toilet Paper & Tea Bags Analysis

Thanks to Discovery Channel and MySupermarket.com:

  • Average usage per employee/yr = 30,000 sheets/year or 134 rolls/year (@ 150 sheets per roll).
  • Average price of 50p/roll

Total £67/year per individual on toilet rolls + Tea breaks at £300 per employee per year – Epiphany research 2012 quoted on ‘The Workplace Savings and benefits’ website.

Filed under Cloud Computing, Computers and Internet, Home Computing, Legal, Office 365 and Azure, Privacy, Security

The ‘Freemium’ cost to ISV’s

March 18, 2013 Leave a comment


Most of you reading this will no doubt at some point have tried a ‘Free’ service or online product offering from a vendor website.

Free in most cases means ‘Freemium‘ = a limited service offering designed as a ‘Hook’ to get users to consume a service or product. The ‘Free’ service or product offering just enough features and or resources to make it useful for users. The ultimate goal of course being to get subscribers to the ‘Free’ versions to upgrade to a premium or professional paid-for version of the product or service that gives more functionality and or resources.

For new Cloud Start-ups and ISV’s looking to create market this sounds like a great way of attracting a user base and the techie business start-ups flock to this model with little real awareness of the poor returns this can offer. The challenge lies in the conversion rate of subscribers from ‘Freemium’ to ‘Premium’ paid-for usage. The conversion rate is not encouraging. Compare high user volume applications with low and you get to see the hard facts:

  • 560 million user base – Skype = 8%
  • 300 thousand user base – Ning 5%
  • Pandora, Dropbox and Evernote conversion rates are in the range 0.5% to 4%.

What is clear is there is these are not impressive and no ‘Average’ can be used as a rule of thumb, it largely relates to the value proposition for the users and that is the quandary for ISV’s looking at this model.

A full understanding of the Freemium dilemma for ISV’s going online is well laid out in the article by Kim Joar Bekkelund ‘Understanding User Acquisition in Freemium’ Kim interviewed 10 companies that use Freemium and provides an insightful analysis of the success of this model.

To achieve even the ‘Freemium’ subscription rate from which you hope to convert users there are some clear rules that are appearing to maximise this potential. Some top tips that are not rocket science but aim to lower the bar of entry to get users to sign-up and convert:

  1. Remove as much ‘Threat’ and friction as possible:
    1. DO NOT demand a Credit Card or other payment method upfront for a Freemium or Trial. This will immediately reduce your sign-up rate to a trickle. Handing over payment details is the biggest decision for the users, so make sure you get them right to the wire first.
    2. Do use a third party authentication channel such as Microsoft Account (Former Live ID) or LinkedIn, Twitter etc This reduces time to sign-up and through association makes the process less threatening. Great for doing user marketing research as you will get more perspective from these login resources which often expose more information about users across other systems helping you to build up your customer knowledge.
    3. Automatically sign-users up to receipt of customer support and training as part of the quid pro quo for the ‘Freemium’ offering.
    4. Have a clear Privacy Policy statement that make sit clear what you do with users supplied data.
    5. IF you solution stores data in The Cloud, state clearly where and the nature of the security of that storage. Is it encrypted (ideally).
    6. If your service application stores data, have a European data location option. This is not expensive in the new Cloud world and will be a green light for offerings into a Professional user base who will be more data compliance aware.
    7. Provide a Contact form on the website for users. You don’t have to respond, its good to, but it is critical you provide a means of connection.
  2. Conversion MUST DO’s:
    1. Get to know your market so you can communicate to users and gain mindshare.
    2. Follow-up by reaching out to your new subscribers within a week of sign-up. If users do not engage the resource in this timescale they are unlikely to, so stimulate action.
    3. Use training tips and videos to encourage user adoption of the ‘Freemium’, a great method of increasing the traction of your offering and to dangle Premium features.
    4. Use your ‘Freemium’ audience as voluntary testers of BETA ‘Premium’ features. Remember Google apps etc for years had BETA stamped all over them.
    5. Use support as a channel into ‘Premium’ if you have a business audience. According to David Skok, business users want professional customer support and are willing to pay for it, consumer users are less likely to pay for support.
    6. Make it easy and simple for users to get to ‘Premium’, some tricks include:
      1. In app free 30 days activation of premium features. Can be re-activated again IF user signs up to BETA test for example.
      2. Delay payment prompts till the last moment. I repeat, handing over payment details is the biggest decision for the users, so make sure you get them right to the wire first.
      3. Provide 7 days free email support. Be proactive if they call on it, you can charge for this afterwards so make it appealing. As existing Freemium users they are unlikely to need it but it’s a comfort factor that plays to the Professionals more than consumers.
  3. Evolve and adapt:
    1. LISTEN to your users, let them show you the way forward and drive features. Just because you think you know what they want does not mean it’s right!
    2. Use surveys to reach out to users. Many users like to provide feedback and feel they can influence a toolset they are adopting.
    3. Adapt your Freemium offering to maximise adoption. Existing users will see this as a bonus (they either retain functionality or gain), new users may need this to get them on the Freemium conveyor belt and or into Premium.
    4. Do be a good data citizen. Secure your user data online PROPERLY, and don’t sell contact details. If you get compromised or found out you have just killed your credibility.
    5. PARTNER – The new world of Cloud Computing allows you to extend functionality quickly and cost effectively. API’s (Application Programming Interfaces) allow you to tie in niche features from third parties quickly and in so doing add value and give yourself a Premium revenue option. Yes you will have to share revenue with the partner but then you do not have the development costs but hopefully will get the marriage value incremental gain with your offering.

This is by no means exhaustive in detail or exclusive. Make sure you manage a detailed conversion pipeline, a finger on the pulse of your cost of conversion will save you from any unpleasant surprises and keep you firmly rooted in the realms of reality.

Good luck!

Filed under Cloud Computing, Computers and Internet, Small Medium Enterprise (SME)

Nokia Loses The Plot

February 26, 2013 Leave a comment


This week Nokia pushed out an update to its ‘Nokia Drive‘ Windows Phone application. The pre-eminent satellite navigation application of the Nokia Windows Phone platform partnership.

Wonderful, reminds me of the great new real time service world we are now living in where updates come automatically and services are iteratively improved. So goes the story. But for the fact that the Nokia update this week forgot the rules and left me amongst many other Nokia an HTC users stranded and frustrated.

What appears to have happened is Nokia has ‘flipped a bit’ in their software that now restricts the application to providing directional guidance to users default region ONLY. The UK in my case. Somewhat useless as I am sitting in the US. The worst of it was at the weekend the application got me up to Stevens Pass, WA, for some wonderful skiing, only for the update at lunch to then deny me directional guidance to get home! Not that I would mind being stranded on the hill, there was some great snow to carve up, but I was due to be in Seattle the next day for meetings with none other than their Phone buddy Microsoft. If this was a conscious feature addition or rectification of a bug that should have had this locked down in the first place is largely irrelevant. Nokia were aware of what they were doing and the impact was crystal clear to even the most closeted of product development managers.

This would not have been so bad IF they had declared this in the update log, but they did not, I tend to check the update logs before hitting update as some app vendors have done manipulative things in the past. Nokia did not provide any notice, furthermore they provide NO means for me to purchase or extend my applications regional support, or any guidance as to how I could remedy the situation. Just a cold and hostile message that left me stranded.

This has without doubt been poorly implemented and I fear Nokia will hide behind the line that the software is technically classed as BETA = user beware. The lesson for Nokia is in this day and age a company of its calibre should be aware of the new attitude that BETA or not users should be respected and such dramatic feature changes communicated or fear the worst, brand trust and confidence damage, so easily incurred, so hard to regain. It is a very delicate balance dealing with real time, something I would not have expected Nokia to have got wrong having had more time in this type of service game than many. But a lesson none the less to ALL companies, that if Nokia can get it so wrong we all need to tread carefully.

The outcome is, I have now been driven (excuse the pun) by Nokia’s poor handling of this functionality injection into finding a replacement and at a commercial cost (£79 in my case) that will not see me reverting back to the Nokia application. Cost was never the issue, as such they have not only lost a user they have lost a customer and revenue to boot. Furthermore it has breached a delicate trust that means I am no longer have confidence this Nokia service has my best interests in mind and will not be venturing into the Nokia service or device ownership space in a hurry again.

Nokia has some damage limitation and trust re-building to do. At the moment I see little to suggest they even care. We can but hope.

Filed under Cloud Computing, Computers and Internet, Mobile

EU Cyber Strategy – A Risk of Overkill!

February 11, 2013 Leave a comment


Last Thursday the European Commission of the European Union (EU) released their much leaked and awaited Cybersecurity plan to protect open internet and online freedom and opportunity – ‘Cyber Security strategy and Proposal for a Directive’

The challenge that faces all Nations and individuals alike is the increased impact of Cyber Thread. This is fundamentally what the European Commission is attempting to address for the whole of the European Union (EU) by encompassing an eye watering range of disciplines and jurisdictions from law enforcement, defence, the digital agenda, security, and foreign policy. On the face of it the format fits the EU objectives of greater integration and harmony, but under the surface it has all the hall marks of an exercise in herding cats. The rubber will not really hit the road till we see the action plans, and the monitoring process to qualify results, that are going to be fundamental to exercising and delivering on this ambitious strategy. This latter point being the Achilles heal of the exercise in tight economic times when the EU budget has to reflect the austerity measures of its members with NO exceptions.

Most worryingly cost of delivery is in the timescales this whole process is going to take to implement. In the meantime Cyber Crime becomes more creative maturing as fast as, if not faster, than the creative innovation engine that drives the digital landscape, itself moving at a faster and faster rate of evolution.

In summary the politicians and unelected cohorts of bureaucrats will forever be playing catch up. The fear is that in their haste they will be riding rough shod over some of our core democratic rights. As the Dutch Member of the European Parliament, Sophie in ‘t Veld was quoted saying “The lines are being blurred and we need to safeguard the fundamental rights we expect in a democracy and not cede disproportionate powers to law enforcement”.

The rolling up of all these powers does have a very dark side. One that is open to abuse. The danger here is that once in place the temptation / convenience can become too compelling for any elected governing entity to leverage, and the European Commission has inadequately addressed historical challenges to its own Trust and Credibility record across too many areas to be endowed with this level of centralised power.

This exercise the EU is going through is communicating a need for a new approach. Instead of a Big Brother flavour about it, an approach that can reflect the nature of the changing environs that are being addressed. The problem is it is easier said than done to teach an old dog new tricks, especially when we are talking about what goes on largely behind the closed doors from behind which unelected bureaucrats influence our elected politicians and launch sallies of conditions on our lives.

Actions speak louder than words and one thing the new digital economy is good at is making things happen, and happen FAST.

Estonia and their implementation of X-Road and individual digital certificate usage demonstrates where there is a will there is a way, and leveraging the technology (not having to reinvent anything) can be an effective remedy. It is encouraging to see that Thomas Hendrik Ilves, the President of Estonia, has been elected as Chairman for the European Cloud Partnership governance Steering Board. But more needs to be done faster.

As I wrote just before Christmas ‘Data Security – It’s in the Name!’ We should perhaps be taking a fresh perspective on the problem. Protecting the DATA itself and less worrying about the actual environments that data exists in (networks/cables, computers/serves/PC’s, smart devices, datacenters/offices etc). Why? It’s actually about managing the risk of the loss of DATA availability, and this is an EDUCATIONAL issue more than a regulatory and legislative requirement. Risk management is an acceptance that there will be failures, and that is REAL WORLD.

Take for example:

  1. The internet – It was designed to withstand nuclear impact! It is largely self-healing and can route around network failures or even whole geographical regional blackouts. If so much of the Internet goes down that it ceases to function then no EU strategy is going to help. Furthermore Cyber Terrorists are unlikely to see much gain in the digital equivalent of triggering an extinction event by killing the Internet!
  2. Datacentres – Deigned for failure, or perhaps you should be re-evaluating your datacentre provider ;-)
  3. Computers – These are commodities today and with the exception of a few specialist systems, disposable with affordable options for data resilience through external backup storage media or cloud computing empowering even the most economically distressed with scalable backup. Or for the more paranoid both!
  4. Smart Devices – It’s in the name. If they are doing their job they should be replicating core data and configuration settings to resilient external storage options which will allow a new device to be provisioned conveniently.
  5. Data – Use of Information Rights management (similar or that used by the music Industry) encrypts data objects such as a digital document (Microsoft Office files) so they can only be read by those the creator has intended the document to be shared with. Theft of these files then becomes futile, remove the attraction, the threat is expunged. The same principles apply to an automated function of databases and exported record sets.
  6. Digital Certificates – A means for individuals to identify themselves consistently so that access to Data can be reliably managed and TRUSTED.

The demands of society are actually on mandatory digital education and should be taught like learning how to tie up your shoe laces. To cover the following areas amongst others:

  • Backup (and restore).
  • Encryption.
  • Digital Certificates.

At the moment society is learning by osmosis and Urban Myth. Times have changed, so must needs, and the EU Cybersecurity plan may have a place at a National response level but quite possibly there are more practical and immediate means of addressing needs further down the social hierarchy that will not have the cost burden on Small Medium Enterprises (SME’s) that the current strategy would impose.

Remove the ease with which data can be breached and the requirement for security and data breach notification regimes start to look somewhat dated controls.

Filed under Cloud Computing, Computers and Internet, Legal, Privacy, Security, Small Medium Enterprise (SME)

Oracle puts JAVA users at risk

January 14, 2013 Leave a comment


Recently there have been multiple very severe security problems found in Oracle Java.

For additional background there are a range of posts online addressing specific details of the exploits and vulnerabilities:

This is not just another extremely dextrous hacker trick that would be limited in its impact. It is a fundamental failure by Oracle the new owners of JAVA to address fundamental security flaws in JAVA that have led to widespread exploitation.

The worst part of this is Oracle have failed the JAVA community by skirting around the reality of the situation, Quote Java security expert Adam Gowdiak, ‘the update from Oracle leaves unfixed several critical security flaws’.

Because of the severity of this issue and the poor job Oracle has done, it is critical awareness amongst users is proactively promoted with the recommendation that appropriate action is taken to protect themselves and their companies.

The advice is to Uninstall JAVA if you don’t have a need for JAVA, and if you are unsure that you need it uninstall it to be safe. If in the future users find it is needed, then at least the latest version can be downloaded and easily installed and hopefully by then the problems resolved so the version of JAVA will be secure.

You can uninstall JAVA from the Windows Control Panel ‘Programs and Features’ (Vista, Windows 7 and 8) or the ‘Add / Remove Programs’ in Windows XP.

If JAVA is perceived to be needed for some reason, firstly check if there is an alternative method of accessing the content. If not and JAVA has to be installed then the advice is to make sure you are running the latest version which can be easily downloaded from JAVA.com this does not guarantee security, in fact the current version IS NOT SECURE.

The understanding is therefore even after updating to the latest version, you and your company are still exposed. To mitigate this disable JAVA web browser support when it is not explicitly required, only enabling it for sites you explicitly trust, then immediately disable Java support again once you are finished. To disable web browser support for Java on a Windows PC do this:

  1. Start – Control Panel – Open the Java icon
  2. Click on the security panel and uncheck the box for “enable Java content in the browser.”
  3. This will disable Java in your web browsers. You can manually re-enable it if you need it on a specific site.

Once Oracle addresses the current security holes in JAVA, it should be safe to re-enable Java support IF you require JAVA. That having been said it would be advisable for organisations to consider alternative technologies to JAVA that are better supported and in today’s modern multi-device world offer greater flexibility.

Perhaps this will see some sanity come back into decisions by the likes of HP, Dell and Cisco to continue building client management interfaces in JAVA.

Filed under Cloud Computing, Computers and Internet, Privacy, Security, Small Medium Enterprise (SME)

Data Security – It’s in the Name!

December 20, 2012 2 Comments


I have just come out of my last meeting before Christmas in which security has been forefront (again) on both business and IT principles minds, and tongues…

The bizarre thing is that despite the obvious, the prevalence of IT security systems protect the ‘Environment Boundary’ in which data resides or is transmitted, whilst understandable form a certain perspective, it is somewhat medieval in its approach to the core ‘Data Security’ problems facing organisations and individuals today.

It is all good and well using SSL (Secure Socket Layers ) to ensure your communications (data exchanges in transit) are secure. BUT a waste of time if the communicating entities do not apply similar levels of security when the data is stored (data at rest). Even the most inept hacker knows that the easiest point to attack in any data exchange is the client (workstation, notebook, mobile device). The server end of the chain is likely to be more secure environment (not necessarily) than the end users. Hence the prevalence of end user vectored attacks, email being the weakest and most convenient conduit to perpetrate a hack. Once a Hacker can get some malware on a user’s PC they can just about do what they want with it, and that includes all the data unless the documents and or data is encrypted.

Thus we get to the headline of the article. DATA SECURITY. If all data adopted the same protective measures as the entertainment industry tries to do with their music and movies then less of our private lives would become public, and organised crime feeding off corporate systems selling inside secrets or blackmail would be poorer overnight. Organisations should be securing their CONTENT as well as their IT environments. Currently most organisations actually do ‘Environment Security‘ NOT ‘Data Security’.

Information Rights Management (IRM) has been around for decades in various guises.. ISV’s (Independent Software Vendors) are largely ignoring a HUGE market opportunity to tap this capability. Some understand it and build their business on this core feature, but most ignore it and defer security to the IT department’s ability to secure a whole environment. IRM has never been easier today to implement, without even needing to deploy a service it is possible to tap Windows Azure AD Rights Management and have this capability on tap. For organisations using the Microsoft Office 365 Online Software as a Service (SaaS) suite it is possible to enable this with ease:

Microsoft Office 365 with Windows Azure AD Rights Management enabled represents one of the most secure and feature complete collaboration environments available on the market today. I would challenge some enterprises to prove a more secure data environment, and this is available to the smallest of organisations for less than £15/mth per user. This default functionality in Microsoft Office 365 is just a baseline, for the more security conscious this can be enhanced exponentially with third party products.

IRM is not full proof, nothing can stop someone re-typing a document or photographing a screen. BUT it represents a significant convenience barrier to those perpetrating corporate espionage and removes any ‘accidental’ disclosures.

I suspect though there will be a few more fruitful Christmas seasons for the corporate espionage crime syndicates to roam deserted corporate systems before the penny drops.

Filed under Cloud Computing, Computers and Internet, Home Computing, Legal, Mobile, Office 365 and Azure, Privacy, Security, Small Medium Enterprise (SME)

Still paying for eMail & Website Hosting? Think again…

December 1, 2012 Leave a comment


If you are a sole operator and still paying for email and website hosting then you are throwing money away. It may not be a lot, but then I guarantee there are richer featured options that you can benefit from. Read on.

For many the reasoning is practical. You have your own Domain and you believe this requires you to pay for an email service that supports this. For others it is simply evolutionary, you have had an email and website packaged service many years with Vendor ‘X’ and have never evaluated your options so you are still paying for something you don’t need to.

For many of you in this scenario you may also find the interfaces for mobile connectivity and browser access are retro, as for website management solution (if at all), some websites are still limited to FTP (File Transfer Protocol) management access to a bare directory on the vendors servers, forcing you into the hands of a commercial agency to get any half decent site built and maintained at more cost.

The solution is simple:

  1. For eMail = Outlook.com
  2. For WebSite = Windows Azure Websites (See a follow-on blog for details on this)

If you want to see why and fancy a punt at other options such as ‘Google’ apart for the privacy issues that you may not be aware of with Google’s terms and Conditions, have a look at a straight Outlook.com v. GMail Feature Comparison which tells you why Outlook.com is the

If you are still not convince, just one feature should make it for you in this new mobile world we live in and that is Exchange ActiveSync (EAS)

For those who like a 3rd party opinion then head over to:

The following is a summary guide as to how to set-up your eMail and domain on Outlook.com, a separate Blog will cover the Free Website feature in Windows Azure and the rich content management options this can include.

A PDF version of this Guide is available for download – ‘Outlook.com Admin Configuration Guide‘ (PDF 428kb):

Outlook.com Configuration & Admin Overview Guide

Step 1.

First off you need a ‘Microsoft Account’, formerly known as Live ID/Hotmail ID/ Passport amongst others. If you already have one then that’s easy, just jump straight to the Outlook.com Webmail Login  and voila, you are now running ‘Outlook.com’. If as an existing Microsoft Account holder you get the old Hotmail interface, it is simple to click on the ‘Options’ then ‘Upgrade to Outlook.com’ link and that is you upgraded, per the image below:

That’s you set-up with free Outlook.com email on your Microsoft Account. This is not yet active on your own domain or domains. To get your email on your own domains working you need to continue to Step 2.

It is advisable to be ready to move ALL our email accounts to Outlook.com BEFORE you commence Step 2. This should include being clear who controls your domain(s) DNS settings. If in doubt contact your hosting provider AFTER reading through the rest of this guide so you are clear on what is involved.

Step2.

Configure your domain and get access to Multiple User accounts on your own domain FOR FREE.

  1. Head over to the ‘Windows Live Admin Center‘ at http://domains.live.com
  2. Click on the ‘Get Started’ link’ Assuming you’re already logged in!

  3. Enter your domain name. Don’t get confused by the ‘www’ prefix, it is perhaps not the most intuitive way of simply requesting a domain name! Then Click ‘Continue
  4. Next you will have to go through a formality, check the setting s are correct and assuming your OK with the Terms & Conditions click ‘ I Accept’

  5. The next screen is a little overwhelming for the non-techies. If you have access to your domain’s DNS or DNS management page then I assume you know what yru doing, if not you will be emailing a copy of this page to your Domains Registrar or Hosting provider who controls your domains DNS.

    In summary this page update your DNS records so that email etc will start getting pointed to your new Outlook.com profile.

    DO NOT initiate this till you’re ready for email to STOP arriving at your old email service, and you are ready to set-up all your email accounts on Outlook.com.

    You can pre-configure this and leave it as is, note the ‘Prove Ownership’ box highlighted in Blue. Until you have either made the changes or instructed someone else to and this box is replaced with a ‘Your Service is Active’ statement your email routing is unaltered.

  6. Assuming were good to go with Outlook.com and you have made the changes noted above in DNS instead of the yellow ‘Prove Ownership’ box, you should now see an ‘Your Service is Active’ message box as illustrated below:

Now you can configure a variety of features from the left hand Admin menu:

Custom Addresses – This allows you to create additional Domain URL prefix’s for your mail domain ie:’mail.yourdomain.com‘ :

User / Members Accounts – user mailbox’s (Up to 500!!)

Open Membership – Great commercial angle to allow you to share your Domain with subscribers to a service or your website:

Co-Branding – Allow you to brand your email experience, ideal if you are using Open membership features:

Domain Reports – All important management tool to monitor activity on your email usage, a summary list of available reports below:

You should not be set-up with your Outlook.com service. You can add additional domains to this all managed by your principle Microsoft Account, or any other Microsoft Account you may wish to designate.

Other features you may wish to explore will include the Microsoft Live SkyDrive and Office Web application linkage that you get for collaboration with Outlook.com, you can access this from the Outlook.com mail interface at http://mail.live.com, top left click the down arrow next to the Outlook banner, see image below:

This will open up a link menu to other rich interface features and SkyDrive for document sharing and Office Web Apps integration:

Filed under Cloud Computing, Computers and Internet, Home Computing, Small Medium Enterprise (SME)

Social Media Corporatocracy – Self-Regulate or Be Damned

November 17, 2012 Leave a comment


My earlier Blog on the subject ‘Social Media – Accountability’ made for some heated debate in a post event drinks session championed by a defensive cadre of the twitterati advocating the freedom of speech argument. An old chestnut I empathise with, but see it as a worn out defence. My view being it is time the Social Media Corporatocracy confronted their responsibilities and got their house in order. Addressing a need to become more accountable for the content they syndicate from their membership or put in place mechanism’s that prevent the kind of free-for-all we have recently witnessed to the detriment of innocent parties.

That appeared un-satisfactory to the twitterati, I came away somewhat disturbed by their underlying attitude, that of a ‘brave new frontier’, somehow exempt from societies rules on defamation, slander, denigration amongst other poignant terms. I do not believe it has, and on a broader canvas of the Internet this is a dangerous attitude that strikes at the heart of the Internet’s credibility as a platform for democracy and in the battle against ‘Big Government’ to coin a phrase championed by Ron Paul in his ‘Farewell to Congress’ speech in which he champions the Internet in this very context.

Back to the point ….

The issue I believe is the engagement process by which social media sites attract membership and the mechanisms put in place by those site operators. It is time that the Social Media Corporatocracy applied a Moral Compass to their actions if they wish to avoid litigation and formal regulation which means they need to better self-regulate.

I would suggest more robust self-regulation as a minimum reasonable demand by the litigants who have recently fallen victim of the invidious public social media feeds, as part of any settlement. Such self-regulation could include:

  1. Social Media owners who wish to have an uncontrolled (no mediation or content validation delay) public information feed accept and take FULL responsibility and are FULLY accountable for that which they publish.
  2. Making their environments EXCLUSIVE MEMEBERS ONLY, with a clear set of warnings that content is unregulated, un-validated and not mediated, and as such individuals consume at their own risk.
  3. The option of a Public information feed service as an Opt-In for members. By so Opting-In members accept FULL responsibility and are FULLY accountable for that which they publish.
  4. It would be mandatory that any individuals wishing to Opt-In to public and unprotected Social Media information services have their identities validated BEFORE they are permitted to publish to an unprotected live feed. Validation through a current Credit Card would suffice, with public feed rights withdrawn in the event of the Card Expiring and non- renewal.

The above suggested self-regulation measures are by no means exhaustive in detail but aim to provide a flavour of what would help address the current waves of Social Media abuse.

A by-product of this type of self-regulation is the containment of the ‘anonymous’ voices. The proposition is that the ‘anonymous’ can still persist BUT they are contained behind the membership closed doors of their elected Social Media forum.

I have no doubt that this would be contested very strongly by the social media corporatocracy after all they feed on this kind of perverse publicity, which in turn pumps there hugely overinflated and in many cases economic gravity defying valuations.

The reality is the Social Media Corporatocracy must start to demonstrate a responsibility to protect the innocent from rogue users, they have little more than a fig leaf in their own defence at the moment. …..  The Emperor’s New Clothes.

Filed under Cloud Computing, Computers and Internet, Legal, Privacy, Security

Social Media – Accountability

November 12, 2012 1 Comment


All things are relative and as with the moral and ethical maturity of our traditional media industry so to the time has come for the maturing of the feral online social media environment – Facebook and Twitter namely the most proclaimed setting an example for the plethora of aspiring smaller social media platforms.

Riches takes us to the nub of the issue. As I have written in the past (‘Digital Enslavement’ and ‘Facebook and the ‘The Emperor’s New Clothes’) these corporate entities build their value out of the goodwill and voluntary contributions of millions who sign away their rights to these social media platforms in the quid pro quo of infamy in a digital life.

I am not a lawyer but I would suggest that the terms and conditions of use equate to a contractual engagement, ‘you get to use our social media platform and we get use and have retention rights over your digital contributions of ANY kind’ (See my earlier blog ‘Click through’ to hell’). In which case these social media entities appear to  be establishing a new generation of syndication agreement with their membership. A syndication agreement that allows Facebook and Twitter to build their value proposition in the same way as any traditional offline media entity would, by publishing content from those they retain or syndicate for their own betterment by attracting audience which represents eyeballs for advertising and promotional revenue.

Apply the traditional rules of the press to this we can start to peel away at the onion of obfuscation that is the digital realm in the eyes and understanding of many. There is little real difference with much that occurs online to its offline counterparts or activities with which a parallel purpose or process can be drawn. I therefore subscribe to the thesis that much of the increasingly intolerable misinformation that purveys the social media channels should be subject to the same oversight and the publishers called to account as their offline kin and kind.

Let us bring this up to date. One of the most respected families in the land has suffered the white hot blast from the invidious social media spotlight. An unfettered social media has magnified disproportionately and granted credibility to a statement of ignorance that would never have attracted such infamy if even the most cursory of facts had been considered, facts that would have discredited it.

The very worst form of ill-conceived reportage that is not discouraged, why? Because it attracts attention and attention is good for Social media sites.

Social Media corporations should not be allowed to hide behind the acts of their members, they should be accountable for the words they publish. Such a proposition will no doubt be met with derision by shareholders and the supporting cast(s) of legal saprophytes, but I have always believed there is no such thing as a free meal. For Facebook, Twitter and their ilk the feeding frenzy that has pumped up their market valuations has a counterweight and it is time the pendulum swung back into the realms of reality.

It is time that Social Media grew up and did so at the same ‘Internet Speed’ that they have swaggered onto the public stage and into the social psyche. Firstly this is not entertainment, secondly if social media corporations are going to reveal in the Balance Sheet valuations attributable to their ‘active’ contributors (membership) then they are ready to take the associated accountability for the impact of their published content.

The Internet is all about freedom of speech, I am not saying no to that, what I am saying is for corporations that aspire to capitalise on the respectability of a legitimate business they have a responsibility to the society they are serving to mainstream their behaviour and not act like a radical fringe. Yes there will always be a radical fringe website here and there that breaks the rules and will provide a platform for extremists and wackiness, as there are groups who gather in the same way in the offline world. These will never be put down in a free society and nor should they. But their owners are and will continue to be accountable, so why not the likes of Facebook and Twitter? Just because they are the darlings of the new generation, and loved up to by Politicians and Celebrities does not exclude them from applying certain rules and honouring their accountability.

History is rife with cultural and social ‘flocking’ behaviours that have in hindsight appeared as inconceivable. Whilst I do not place the social media revolution in the same camp as the hypnosis that seemed to engulf a generation as did The Great Proletarian Cultural Revolution, commonly known as the Cultural Revolution thatswept China under Mao or the Nazi movement under Hitler. These illustrate how society can and does get swept up in even such extreme events.  I feel we have to wake up to what we are increasingly giving credence to in the digital dimension and reflect on how it can better positively contribute to society with proper governance and stem the recklessness that is being encouraged at the expense of many innocent parties.

Filed under Cloud Computing, Computers and Internet, Privacy, Security

Older posts

Follow

Get every new post delivered to your Inbox.

Join 181 other followers