The Writing is on ‘The Wall’


As I wrote back in 2011 in ‘A fickle prospect – Business dependent on the Social Flocking collective’, and again in July 2012 in ‘Facebook and ‘The Emperor’s New Clothes’’, it looks like Facebook is nothing unique and is reproducing the declining user trend of past failed social media sites.

The Business Insider article ‘Why Mobile-First Teens Are A Big Threat To Facebook’ highlights the weakness of the Facebook business model, which in turn points to the complete lack of ANY structured alternative on the Facebook strategic roadmap. This is not, however, the first time this decline has been reported: ‘New drop in number of UK users’ traced the same fickle user attitudes back in June 2011.

As I have stated before, with its hyped IPO Facebook achieved a valuation that allows it to effectively buy a business model. The recent Facebook Home on Android attempt at re-inventing itself as a mobile device ‘skin’ seems to have flopped (‘Facebook Home flops, gets terrible reviews’), so where will they throw their next wad of shareholder cash?

However, the latest reports do have greater substance, and the failure of the Facebook Home initiative supports this. The analysis reflects maturing usage patterns on the internet and the simple fact that information and collaborative resources are becoming very fragmented in how users consume them. No single resource satisfies, and the resource platforms recognise this and the need to interact through cross-posting and ‘mash-ups’. This is, after all, the strength of Cloud Computing and the new Application Programming Interface (API) oriented service environment being built out. All of which waters down the traction any single site or vendor can have on its audience, placing greater emphasis on DEPTH versus BREADTH of service delivery capability. It is the vendors demonstrating greater domain expertise in DEPTH that will retain their niche user base, together with those vendors that provide flexible, well documented and user friendly APIs to allow third parties to integrate their unique offering instead of trying to compete with it.

If Facebook had any imagination, instead of copying other ideas and/or closing its environment to cross-posting by trying to be all things to all users, it would open up to the new API world. BUT this is where its poor privacy record and attitude to data make it a dinosaur, and one that will constrain how any API data sharing can benefit the platform. So until Facebook matures its data usage, retention and privacy attitude it is likely to continue to miss out on the next wave of Internet innovation.

That having been said, for better or worse the Internet has not heard the last of this data privacy predator.

Security 365 – Toilet Paper & Tea bags!


OK, the title got you this far, so what have toilet paper and tea bags got to do with security? There is a genuine point to it, please read on.

Following a recent Cloud Computing event I found myself increasingly alarmed by the prevalence of red herrings thrown around by vendors about how their solutions and/or products solved Cloud security issues, when in fact they did little more than address individual issues at best.

The reality is that DATA must be exposed to the software we use to orchestrate it, be that photos in Photoshop, a document in Microsoft Office Word, a record in a database or a record spread across multiple databases. That exposure of data is where the issue lies. The challenge is how we protect that which is of true value: no longer the network boundary, but the DATA itself, wherever it goes, however it is being accessed, regardless of its form factor. How a software solution can provide a secure environment in which to process data, albeit an important factor, is not a solution in itself.

Bring on the day when data in its raw form is encrypted and the owner can manage that encryption with convenience and ease, whilst retaining complete control over whom they elect to share any part of that data set with. Imagine being able to share data with an expiry date attached, or to revoke data usage at will (regulatory retention aside), instead of having to go through lengthy, protracted third-party information disclosure requests, which even then are often questionable in their accuracy.

What is appealing about this concept is the reality that it places the control of data back into the hands of the individual. The individual or corporation can then dictate whom, when and for how long they share their data. It opens up possibilities like levying a micro payment charge in cases where that data sharing has a commercial value transfer to any benefiting third party. Assuming a trusted platform that can orchestrate this according to a set of user defined sharing rules (policies), such micro payments would soon add up to reasonable sums of money when considering the current spread of personal data. Sadly we are currently a long way from that Holy Grail. It would certainly sober up the Internet Corporatocracy (Facebook, Twitter, Google and their ilk) of this world who have been building personal value by gorging themselves dining at the Internet table of free data. Their addiction to the concept of free data will I suspect see little support from that quarter for such a solution.

Data security software solutions and products largely address a single issue and do not materially protect the critical payload in transit, at rest and during its consumption. The payload being none other than the data, and the information that data carries.

Erosion of privacy through data seepage into the public domain, outwith the owner’s control or intent, is an issue of paramount importance, and at corporate and enterprise scale the exposure and risk grow exponentially. At the private individual level it is often of singular concern, with attitudes towards data privacy influenced largely by the Social Media behavioural contagion, massaged by the Internet’s Corporatocracy, who work hard at breaking down the principles of privacy for self-interest. At some point the Social Media lemmings of the world will wake up to find themselves victims of ‘The Emperor’s New Clothes’; loss of privacy and control of one’s personal data is a sorrowful state of affairs many will have to come to terms with. It reminds me of the immortal words ‘For fools rush in where angels fear to tread’ from Alexander Pope’s ‘An Essay on Criticism’, or, for the more contemporary, the more poignantly named song ‘Jokerman’ by Bob Dylan.

I digress. Social Media aside, the simple acts of transmitting and collaborating on information present the largest risk surface area(s) for data compromise: surfaces being built out faster than ever before with the boom in personal / portable compute devices (PCDs), be that a smartphone, tablet, laptop or the next gadget that gets christened off a keyboard with a stuck ‘i’ key!

Every collaborative event requires a transmission of data, and such events are rarely constrained within a Local Area Network (LAN); at some point they transit a public fixed or wireless network (the Internet), exposing or depositing data en route on compute devices outwith any structured realm of control. Increasingly the communication conduit is secured using HTTPS (Hypertext Transfer Protocol Secure), encrypting data in transit. But that is only part of the exchange process, and one whose security reliability has been tested and questioned, with early iterations of its underlying protocol having been attacked (ref: Infoworld article ‘HTTPS has been hacked’). So far we have secured the trickiest part of the information exchange to compromise, the transmission, leaving the easiest, the PC and/or server, available and ready to be compromised. An email attachment click away, data on any unsuspecting PCD regularly falls victim to malware.

This gives a false impression of security; rarely are the end points of a data exchange, the PCs, servers or PCDs, similarly encrypted. But it is not JUST the end points, is it? Every device en route that terminates the encrypted session (proxies, load balancers, caches, content delivery nodes) holds the plaintext, be it for milliseconds or in some cases far longer. A veritable pass the parcel, where data is cached and stored in a myriad of places and the parcel is little more than a colander, raining data, the information life blood of companies and individuals, into the public domain.

A recent study released by Team Cymru reveals that hackers misappropriate more than 1TB of data daily from corporate networks alone. If they can do that from corporate systems, what hope is there for the Silver Surfers (60+ generation), one of the fastest growing user bases on the internet today? This is not an isolated issue either. With a global population of zombie computers in the millions, the bad guys’ capacity to leverage compute power with malicious intent outnumbers the good guys’. Moving briefly off theme, the escalation of this power was clearly demonstrated recently with the 300 Gbps Distributed Denial of Service (DDoS) attack on Spamhaus (‘When spammers go to war: Behind the Spamhaus DDoS’), a six-fold increase on the previously largest recorded DDoS attack of 50 Gbps. At this scale of escalation, attacks have a collateral impact beyond the targeted systems. A subject for a future article, I would hazard.

Back on theme: we have all heard of ‘Data Security’, but as a term its use is more often than not less than the full truth. As with the data in transit example above, data security is treated subjectively when it needs to be objective. The security that vendors address today targets an environmental state that the data is not persisting in, or not persisting in for long. Securing the protocols through which we communicate data, the servers, datacentres and PCDs on which we store it, or the software applications with which we orchestrate it, is not true ‘DATA’ security. Access to any of these environments, whether authorised or not, means data can readily be harvested, and believe me it is, and most of you will not even know it is happening off your own computers.

I feel like shouting in frustration sometimes: it’s in the name, ‘DATA’ security, so secure the DATA itself, as I have blogged before in ‘Data Security – It’s in the Name!’. OK, good that you secure the other server, datacentre, PCD and software application assets, but what about the DATA! I am not proposing we stop securing servers, datacentres, PCDs and software applications, but their security addresses THEIR security profile, and DATA security follows largely by association only. As we currently deal with security at the server, datacentre, PCD and software application level, we create security silos that require gatekeeping. Thus the cracks start to appear and data falls through or the hacker sneaks in; every other way the data is exposed to higher risk and the prospect, if not the likelihood, of compromise.

Now throw into the mix the structural nature of Cloud Computing architectures and their fastest growing method of interfacing systems, Web/Cloud services. A Web or Cloud service is little more than a traditional API (Application Programming Interface) exposed to a public network, designed to link disparate systems to deliver richer and often more real-time functionality at scale, with collaborative resources unattainable until now to single organisations. Web/Cloud services live for data exchange, and data retention follows hard on the heels of those exchanges between API-exposed entities. APIs = more joins and cracks, not to mention interactions to be audited and jurisdictions that will be challenging to reach into to audit and truly validate service level and/or compliance. This is no scare tactic; I work with programmers every day, and these are some of the smartest guys around, but they are human, and ‘humanum est errare’ (it is human to err).

With an industry average of “about 15 – 50 errors per 1,000 lines of delivered code” (Steve McConnell, ‘Code Complete’, 2nd Edition, Redmond, Microsoft Press, 2004, 960 pages, ISBN), there is an inevitably high risk in APIs; they are just code, after all. Yes, errors can be ironed out, but the effort is often not commercially viable. For example, only by using extensive formal development methods, peer reviews and statistical testing did the space shuttle project achieve a level of 0 defects in a sample of 500,000 lines of code. The ‘Cleanroom Development’ technique pioneered by Harlan Mills achieves rates as low as 3 errors per 1,000 lines of code (Cobb and Mills 1990), so there are no easy options. All said and done, commercial realities turn this into a real concern: the cost of this diligence means APIs will not all be tested to such robustly high quality levels as the space shuttle, which means there are errors, and where there are errors there will be a means to an end for hackers.

But what if the data itself was of no use once the hackers got hold of it? Do you think they would bother spending long hours gaining access to it if they found it worthless?

What I am getting at is the act of encrypting the DATA itself, the raw data, for only then are we starting to address the nub of the issue: making the data secure. Encryption (to encipher) and cryptography (hidden, secret) are powerful resources. I like the core message in these terms because they point to the essence of what we must achieve with our data to make it truly secure: turn it into something of ‘no value or importance to anyone else’, in other words a cipher, by enciphering / encrypting our data. Whilst that may sound simple, I and the rest of the security community are under no pretence about the challenge this would represent to manage.

Encryption is no small undertaking; by its nature it is very unforgiving to the forgetful or unstructured amongst us, which is why only the very large Enterprises can afford data encryption systems. It is no wonder Enterprise Digital Rights Management (E-DRM) has become a familiar term, transposed onto the more generic Information Rights Management (IRM). At a private level it is almost non-existent, for even if you understand the principles of Public Key Infrastructure (PKI) and can wield the tools of Pretty Good Privacy (PGP) to manage your data in an encrypted way, you will find yourself limited in terms of whom you can interact with, as this is far from user-friendly or mainstream.

Do not be misled: poor adoption of PKI, PGP and their ilk is not an early adopter issue, it is a fundamental structural issue. These mechanisms are complex to get working optimally, and in a sub-optimal deployment they are compromised, so their worth is questionable, and in the corporate world ‘it works some of the time’ does not win much in budget debates. At an individual level it is simply the complexity of managing and exchanging encryption keys, and the associated certificates validating key ownership, that renders it unusable.

The best we have at present for securing our data files is through forms of IRM / E-DRM, but this has until recently been out of reach of not just Small and Medium Sized Businesses (SMBs / SMEs) but even large corporates. OK, there are proprietary application-level encryption and password-locking features, but they lack the truly ‘in-line’ capacity of a real-time solution, and after all the internet is full of tools that can break the weaker legacy schemes within seconds (the modern AES-based ones stand or fall with the strength of the password); just head over to the likes of:

Not all is lost though. Most of us have come up against the power of IRM in the form of Digital Rights Management (DRM) with online music purchases, finding that if we try to share a music file bought through one of the online stores we cannot. Why? Because the data is secured and has been locked for use to a single user account. Reflect on that: the data itself is secured; this is the DATA protected. OK, the software you use to play the media has to know how to read the data; the data complies with a standard supported by the software, which tells the software how to authorise the user to use the data. But again I point out it is the DATA that is secured, secured by encryption that binds a user (be it individual or software) to a policy set by the data owner.

Welcome to the future of corporate and personal data, where software (any software) conforms to a standard whereby data is encrypted, and software has to comply with that standard to use that data. Just as your Windows Media Player or iTunes software does today through their respective online stores, which act as a validation and authorisation proxy for the music industry, the ultimate rights owners of the tunes you play. In such a new world of data, you could conceivably leave your data anywhere and it would be secure. Why? Because it is encrypted, available only to those authorised by the data owner. In such a utopia hackers would gain little from stealing data, and Google would not be able to scan your documents and emails so readily!

IRM, as stated above, has been the exclusive realm of large Enterprises with the deep pockets to invest in the necessary infrastructure and process discipline mandatory to ensure such an environment works seamlessly and, critically, that data encryption keys are not lost! Until now….

May I introduce, or re-introduce, you to Microsoft Office 365, Microsoft’s Software as a Service platform for businesses of all sizes, affordable even for individuals. Microsoft Office 365 delivers Enterprise grade email, collaboration, conferencing and productivity software amongst other benefits. It resets the bar in terms of empowering organisations and even individuals, and most poignantly stands alone in its security capabilities with its Information Protection and Control (IPC) in the form of Windows Azure Rights Management Service:

Microsoft Office 365 forges a Grand Canyon of a chasm between it and the following herd of online SaaS business productivity service vendors when it comes to compliance credentials and security capabilities, and at a price point that is challenging for any serious functionality and data conscious business executive not to consider very, very seriously. Microsoft Office 365 scales from 1 to 50,000 user environments OUT OF THE BOX! Now NO organisation has an excuse for inappropriate document or email disclosure. It allows ANY organisation to rights manage their documents and emails, applying Enterprise class encryption to help ensure they are only visible to those that have been given explicit rights. This protects organisations in the following common risk scenarios:

  • Laptop theft.
  • Portable media loss.
  • Dismissed employee data retention.
  • Inadvertent CC’ing of emails or sending to the wrong recipient
  • Email interception.
  • Internet vendor document/data scanning.
  • amongst others.

Not 100% foolproof by any means, but 100% better than about 95% of the ‘Data’ security being implemented by organisations today. Be assured that just because you believe you have not been compromised does not mean you have not. In fact I would challenge any organisation: IF you have any Intellectual Property worthy of being stolen, KNOW that you are either compromised and don’t know it, or adversaries are going after it; if you don’t believe me I fear you are falling foul of the old ‘Struthio camelus’ syndrome of head in the sand!

The elephant in the room then becomes how to validate the identity of those accessing the data: how do you prove that you are who you say you are, and not an impersonator or a middle man ‘borrowing’ someone’s access code(s)? Single-factor username + password authentication mechanisms are too weak for true identity security; multi-factor authentication (something you know and something you have) is a step in the right direction, but many multi-factor authentication approaches remain vulnerable, and thus the goalposts move. That’s a subject for another day.

Conclusion
So whether you believed me at the start of this article or not, here it is: for little more than the cost each year most organisations spend on toilet paper and tea bags (OK, and coffee) per employee, they can enjoy Enterprise grade document and email security amongst a bucket load of other powerful features with Microsoft Office 365. No excuses.

——————–

Toilet Paper & Tea Bags Analysis

Thanks to Discovery Channel and MySupermarket.com:

  • Average usage per employee/yr = 30,000 sheets/year or 134 rolls/year (@ 150 sheets per roll).
  • Average price of 50p/roll

Total £67/year per individual on toilet rolls + Tea breaks at £300 per employee per year – Epiphany research 2012 quoted on ‘The Workplace Savings and benefits’ website.

EU Cyber Strategy – A Risk of Overkill!


Last Thursday the European Commission of the European Union (EU) released its much leaked and long awaited Cybersecurity plan to protect the open internet and online freedom and opportunity: ‘Cyber Security strategy and Proposal for a Directive’.

The challenge that faces all nations and individuals alike is the increasing impact of cyber threats. This is fundamentally what the European Commission is attempting to address for the whole of the European Union (EU), by encompassing an eye-watering range of disciplines and jurisdictions from law enforcement, defence, the digital agenda, security and foreign policy. On the face of it the format fits the EU objectives of greater integration and harmony, but under the surface it has all the hallmarks of an exercise in herding cats. The rubber will not really hit the road until we see the action plans, and the monitoring process to qualify results, that are fundamental to exercising and delivering on this ambitious strategy. This latter point is the Achilles heel of the exercise in tight economic times, when the EU budget has to reflect the austerity measures of its members with NO exceptions.

Most worrying of all, beyond the cost of delivery, are the timescales this whole process is going to take to implement. In the meantime cyber crime becomes more creative, maturing as fast as, if not faster than, the creative innovation engine that drives the digital landscape, itself moving at an ever faster rate of evolution.

In summary, the politicians and unelected cohorts of bureaucrats will forever be playing catch-up. The fear is that in their haste they will ride roughshod over some of our core democratic rights. As the Dutch Member of the European Parliament Sophie in ‘t Veld was quoted as saying: “The lines are being blurred and we need to safeguard the fundamental rights we expect in a democracy and not cede disproportionate powers to law enforcement”.

The rolling up of all these powers does have a very dark side, one that is open to abuse. The danger here is that once in place the temptation / convenience can become too compelling for any governing entity to resist, and the European Commission has inadequately addressed historical challenges to its own trust and credibility record across too many areas to be endowed with this level of centralised power.

The exercise the EU is going through communicates a need for a new approach: instead of something with a Big Brother flavour about it, an approach that reflects the nature of the changing environs being addressed. The problem is that it is easier said than done to teach an old dog new tricks, especially when we are talking about what goes on largely behind the closed doors from behind which unelected bureaucrats influence our elected politicians and launch sallies of conditions on our lives.

Actions speak louder than words and one thing the new digital economy is good at is making things happen, and happen FAST.

Estonia and its implementation of X-Road and individual digital certificate usage demonstrates that where there is a will there is a way, and that leveraging existing technology (not having to reinvent anything) can be an effective remedy. It is encouraging to see that Toomas Hendrik Ilves, the President of Estonia, has been elected Chairman of the European Cloud Partnership Steering Board. But more needs to be done, faster.

As I wrote just before Christmas in ‘Data Security – It’s in the Name!’, we should perhaps be taking a fresh perspective on the problem: protecting the DATA itself and worrying less about the actual environments that data exists in (networks/cables, computers/servers/PCs, smart devices, datacentres/offices etc). Why? It is actually about managing the risk of the loss of DATA availability, and this is an EDUCATIONAL issue more than a regulatory and legislative requirement. Risk management is an acceptance that there will be failures, and that is the REAL WORLD.

Take for example:

  1. The internet – It was designed to survive the loss of nodes and links. It is largely self-healing and can route around network failures or even whole regional blackouts. If so much of the Internet goes down that it ceases to function then no EU strategy is going to help. Furthermore, cyber terrorists are unlikely to see much gain in the digital equivalent of triggering an extinction event by killing the Internet!
  2. Datacentres – Designed for failure, or perhaps you should be re-evaluating your datacentre provider ;-)
  3. Computers – These are commodities today and, with the exception of a few specialist systems, disposable, with affordable options for data resilience through external backup storage media or cloud computing, empowering even the most economically distressed with scalable backup. Or, for the more paranoid, both!
  4. Smart devices – It’s in the name. If they are doing their job they should be replicating core data and configuration settings to resilient external storage, allowing a new device to be provisioned conveniently.
  5. Data – Use of Information Rights Management (similar to that used by the music industry) encrypts data objects such as a digital document (Microsoft Office files) so they can only be read by those the creator intended the document to be shared with. Theft of these files then becomes futile: remove the attraction and the threat is expunged. The same principles apply to automated functions of databases and exported record sets.
  6. Digital certificates – A means for individuals to identify themselves consistently so that access to data can be reliably managed and TRUSTED.

The demands of society are actually for mandatory digital education, which should be taught like learning how to tie your shoe laces, covering the following areas amongst others:

  • Backup (and restore).
  • Encryption.
  • Digital Certificates.

At the moment society is learning by osmosis and urban myth. Times have changed, so must our needs, and the EU Cybersecurity plan may have a place at a national response level, but quite possibly there are more practical and immediate means of addressing needs further down the social hierarchy, without the cost burden on Small and Medium Enterprises (SMEs) that the current strategy would impose.

Remove the ease with which data can be breached and the requirement for security and data breach notification regimes start to look like somewhat dated controls.

Oracle puts JAVA users at risk


Recently there have been multiple very severe security problems found in Oracle Java.

For additional background there is a range of posts online addressing specific details of the exploits and vulnerabilities:

This is not just another extremely dextrous hacker trick that would be limited in its impact. It is a fundamental failure by Oracle, the new owners of Java, to address fundamental security flaws in Java that have led to widespread exploitation.

The worst part of this is that Oracle have failed the Java community by skirting around the reality of the situation. To quote Java security expert Adam Gowdiak, ‘the update from Oracle leaves unfixed several critical security flaws’.

Because of the severity of this issue and the poor job Oracle has done, it is critical that awareness amongst users is proactively promoted, with the recommendation that appropriate action is taken to protect themselves and their companies.

The advice is to uninstall Java if you don’t need it, and if you are unsure whether you need it, uninstall it to be safe. If in the future users find it is needed, then at least the latest version can be downloaded and easily installed, and hopefully by then the problems will have been resolved so that version of Java will be secure.

You can uninstall Java from the Windows Control Panel ‘Programs and Features’ (Vista, Windows 7 and 8) or ‘Add / Remove Programs’ in Windows XP. Check for more than one entry: several Java versions can be installed side by side, and an old JRE left behind is still reachable by the browser plug-in.

If Java is perceived to be needed for some reason, first check whether there is an alternative method of accessing the content. If not, and Java has to be installed, then the advice is to make sure you are running the latest version, which can be easily downloaded from java.com. This does not guarantee security; in fact the current version IS NOT SECURE.

The understanding is therefore that even after updating to the latest version, you and your company are still exposed. To mitigate this, disable Java web browser support when it is not explicitly required, only enabling it for sites you explicitly trust, then immediately disable Java support again once you are finished. To disable web browser support for Java on a Windows PC:

  1. Start – Control Panel – open the Java icon.
  2. Click on the Security tab and untick “Enable Java content in the browser”.
  3. This disables the Java plug-in in all your web browsers (the JRE itself stays installed). You can manually re-enable it if you need it on a specific site. The tick box writes deployment.webjava.enabled=false to the user’s deployment.properties file; to enforce it across a fleet, the same key can be set, and locked with deployment.webjava.enabled.locked, in a system-wide deployment.properties referenced from deployment.config, so that users cannot switch it back on.

Once Oracle addresses the current security holes in Java, it should be safe to re-enable Java support IF you require Java. That having been said, it would be advisable for organisations to consider alternative technologies to Java that are better supported and, in today’s multi-device world, offer greater flexibility.

Perhaps this will see some sanity come back into decisions by the likes of HP, Dell and Cisco to continue building client management interfaces in Java.

Data Security – It’s in the Name!


I have just come out of my last meeting before Christmas, in which security has been at the forefront (again) of both business and IT principals’ minds, and tongues…

The bizarre thing is that, despite the obvious, the prevalence of IT security systems protects the ‘environment boundary’ in which data resides or is transmitted. Whilst understandable from a certain perspective, this is somewhat medieval in its approach to the core ‘Data Security’ problems facing organisations and individuals today.

It is all well and good using SSL (Secure Sockets Layer) to ensure your communications (data exchanges in transit) are secure, BUT a waste of time if the communicating entities do not apply similar levels of security when the data is stored (data at rest). Even the most inept hacker knows that the easiest point to attack in any data exchange is the client (workstation, notebook, mobile device). The server end of the chain is likely to be a more secure environment (though not necessarily) than the end user’s. Hence the prevalence of end-user-vectored attacks, email being the weakest and most convenient conduit through which to perpetrate a hack. Once a hacker can get some malware on a user’s PC they can do just about what they want with it, and that includes all the data, unless the documents and/or data are encrypted; and even encryption only holds while the keys, and the unlocked copies the user is working on, stay out of the malware’s reach.

Thus we get to the headline of the article: DATA SECURITY. If all data adopted the same protective measures as the entertainment industry tries to apply to its music and movies, then less of our private lives would become public, and organised crime feeding off corporate systems, selling inside secrets or blackmailing, would be poorer overnight. Organisations should be securing their CONTENT as well as their IT environments. Currently most organisations actually do ‘Environment Security’, NOT ‘Data Security’.

Information Rights Management (IRM) has been around for decades in various guises. ISVs (Independent Software Vendors) are largely ignoring a HUGE market opportunity to tap this capability. Some understand it and build their business on this core feature, but most ignore it and defer security to the IT department’s ability to secure a whole environment. IRM has never been easier to implement than it is today: without even needing to deploy a service it is possible to tap Windows Azure AD Rights Management and have this capability on tap. For organisations using the Microsoft Office 365 Online Software as a Service (SaaS) suite it is possible to enable this with ease.

Microsoft Office 365 with Windows Azure AD Rights Management enabled represents one of the most secure and feature complete collaboration environments available on the market today. I would challenge some enterprises to prove a more secure data environment, and this is available to the smallest of organisations for less than £15/mth per user. This default functionality in Microsoft Office 365 is just a baseline, for the more security conscious this can be enhanced exponentially with third party products.

IRM is not foolproof; nothing can stop someone re-typing a document or photographing a screen. BUT it represents a significant convenience barrier to those perpetrating corporate espionage and removes any ‘accidental’ disclosures.

I suspect though there will be a few more fruitful Christmas seasons for the corporate espionage crime syndicates to roam deserted corporate systems before the penny drops.

Social Media Corporatocracy – Self-Regulate or Be Damned


My earlier Blog on the subject ‘Social Media – Accountability’ made for some heated debate in a post-event drinks session championed by a defensive cadre of the twitterati advocating the freedom of speech argument. An old chestnut I empathise with, but see as a worn-out defence. My view being it is time the Social Media Corporatocracy confronted their responsibilities and got their house in order, addressing a need to become more accountable for the content they syndicate from their membership, or put in place mechanisms that prevent the kind of free-for-all we have recently witnessed to the detriment of innocent parties.

That appeared unsatisfactory to the twitterati; I came away somewhat disturbed by their underlying attitude, that of a ‘brave new frontier’, somehow exempt from society’s rules on defamation, slander and denigration, amongst other poignant terms. I do not believe it is, and on the broader canvas of the Internet this is a dangerous attitude that strikes at the heart of the Internet’s credibility as a platform for democracy and in the battle against ‘Big Government’, to coin a phrase championed by Ron Paul in his ‘Farewell to Congress’ speech, in which he champions the Internet in this very context.

Back to the point ….

The issue I believe is the engagement process by which social media sites attract membership and the mechanisms put in place by those site operators. It is time that the Social Media Corporatocracy applied a Moral Compass to their actions if they wish to avoid litigation and formal regulation which means they need to better self-regulate.

I would suggest more robust self-regulation as a minimum reasonable demand by the litigants who have recently fallen victim to the invidious public social media feeds, as part of any settlement. Such self-regulation could include:

  1. Social Media owners who wish to have an uncontrolled (no mediation or content validation delay) public information feed accept and take FULL responsibility and are FULLY accountable for that which they publish.
  2. Making their environments EXCLUSIVE MEMBERS ONLY, with a clear set of warnings that content is unregulated, un-validated and not mediated, and as such individuals consume at their own risk.
  3. The option of a Public information feed service as an Opt-In for members. By so Opting-In members accept FULL responsibility and are FULLY accountable for that which they publish.
  4. It would be mandatory that any individuals wishing to Opt-In to public and unprotected Social Media information services have their identities validated BEFORE they are permitted to publish to an unprotected live feed. Validation through a current Credit Card would suffice, with public feed rights withdrawn in the event of the Card expiring and non-renewal.

The above suggested self-regulation measures are by no means exhaustive in detail but aim to provide a flavour of what would help address the current waves of Social Media abuse.

A by-product of this type of self-regulation is the containment of the ‘anonymous’ voices. The proposition is that the ‘anonymous’ can still persist BUT they are contained behind the membership closed doors of their elected Social Media forum.

I have no doubt that this would be contested very strongly by the social media corporatocracy; after all, they feed on this kind of perverse publicity, which in turn pumps their hugely overinflated and in many cases economic-gravity-defying valuations.

The reality is the Social Media Corporatocracy must start to demonstrate a responsibility to protect the innocent from rogue users, they have little more than a fig leaf in their own defence at the moment. …..  The Emperor’s New Clothes.

Social Media – Accountability


All things are relative, and as with the moral and ethical maturity of our traditional media industry, so too the time has come for the maturing of the feral online social media environment – namely Facebook and Twitter, the most proclaimed, setting an example for the plethora of aspiring smaller social media platforms.

Riches takes us to the nub of the issue. As I have written in the past (‘Digital Enslavement’ and ‘Facebook and the ‘The Emperor’s New Clothes’) these corporate entities build their value out of the goodwill and voluntary contributions of millions who sign away their rights to these social media platforms in the quid pro quo of infamy in a digital life.

I am not a lawyer but I would suggest that the terms and conditions of use equate to a contractual engagement, ‘you get to use our social media platform and we get use and have retention rights over your digital contributions of ANY kind’ (See my earlier blog ‘Click through’ to hell’). In which case these social media entities appear to be establishing a new generation of syndication agreement with their membership. A syndication agreement that allows Facebook and Twitter to build their value proposition in the same way as any traditional offline media entity would, by publishing content from those they retain or syndicate for their own betterment, attracting an audience which represents eyeballs for advertising and promotional revenue.

Applying the traditional rules of the press to this, we can start to peel away at the onion of obfuscation that the digital realm is in the eyes and understanding of many. There is little real difference between much that occurs online and its offline counterparts, or activities with which a parallel purpose or process can be drawn. I therefore subscribe to the thesis that much of the increasingly intolerable misinformation that pervades the social media channels should be subject to the same oversight, and the publishers called to account, as their offline kin and kind.

Let us bring this up to date. One of the most respected families in the land has suffered the white hot blast from the invidious social media spotlight. An unfettered social media has magnified disproportionately and granted credibility to a statement of ignorance that would never have attracted such infamy if even the most cursory of facts had been considered, facts that would have discredited it.

The very worst form of ill-conceived reportage that is not discouraged, why? Because it attracts attention and attention is good for Social media sites.

Social Media corporations should not be allowed to hide behind the acts of their members, they should be accountable for the words they publish. Such a proposition will no doubt be met with derision by shareholders and the supporting cast(s) of legal saprophytes, but I have always believed there is no such thing as a free meal. For Facebook, Twitter and their ilk the feeding frenzy that has pumped up their market valuations has a counterweight and it is time the pendulum swung back into the realms of reality.

It is time that Social Media grew up, and did so at the same ‘Internet Speed’ with which they have swaggered onto the public stage and into the social psyche. Firstly, this is not entertainment; secondly, if social media corporations are going to revel in the Balance Sheet valuations attributable to their ‘active’ contributors (membership) then they are ready to take the associated accountability for the impact of their published content.

The Internet is all about freedom of speech, I am not saying no to that, what I am saying is for corporations that aspire to capitalise on the respectability of a legitimate business they have a responsibility to the society they are serving to mainstream their behaviour and not act like a radical fringe. Yes there will always be a radical fringe website here and there that breaks the rules and will provide a platform for extremists and wackiness, as there are groups who gather in the same way in the offline world. These will never be put down in a free society and nor should they. But their owners are and will continue to be accountable, so why not the likes of Facebook and Twitter? Just because they are the darlings of the new generation, and loved up to by Politicians and Celebrities does not exclude them from applying certain rules and honouring their accountability.

History is rife with cultural and social ‘flocking’ behaviours that have in hindsight appeared inconceivable. Whilst I do not place the social media revolution in the same camp as the hypnosis that seemed to engulf a generation during The Great Proletarian Cultural Revolution, commonly known as the Cultural Revolution, that swept China under Mao, or the Nazi movement under Hitler, these illustrate how society can and does get swept up in even such extreme events. I feel we have to wake up to what we are increasingly giving credence to in the digital dimension and reflect on how it can better positively contribute to society with proper governance, and stem the recklessness that is being encouraged at the expense of many innocent parties.

Windows 8, Microsoft Account & Skype – A Tsunami of support in the making!


With the launch of Windows 8 Microsoft has laid out its house for increased adoption of what is now known as the ‘Microsoft Account’, formerly known as Live ID/Hotmail ID/ Passport amongst others.

Like many I have always been fastidious about keeping my Business and Private online existence separate. As such, dual Microsoft Accounts have been the name of the game for as long as I can remember. This has a practical side apart from the Privacy dimension: in this modern age most individuals will move between employers at least once if not multiple times, therefore committing to a single corporate profile would be building in headaches at transitions. Furthermore I know many organisations recommend the practice, for compliance amongst other reasons, and insist employees create separate corporate-related identities to which corporate online assets or benefits may then be associated. This allows the organisation to maintain ultimate control over its assets and to provide a clear demarcation line for employees when they engage in social media amongst other online activities.

As for managing multiple Microsoft Accounts (Live ID/Passport etc), as far as I can see the whole Microsoft Account situation has been a challenge for Microsoft. Merging all the disparate backend resources is no mean task: Hotmail, Passport, Partner IDs, Windows Azure, and that is before you get to their new family of online services, Office 365, CRM Online and latterly Skype.

The Microsoft Account ‘attach’ feature, which is available in the account management section of your Microsoft Account user profile, used to allow you to attach two or more Live IDs and simplify logins etc. Unfortunately it appears to not be working and has been broken for weeks (There’s a temporary problem with the service. Please try again. If you continue to get this message, try again later). This is regrettable at such a critical time with the launch of Windows 8, which is encouraging users to adopt a Microsoft Account as their principal login. Users cannot enjoy the convenience of this ‘attach’ feature.

Users are now having to confront a change in behaviour from traditionally using multiple accounts and flexibility across services to selecting a single one as services are now becoming inflexible and demanding connection to a single account. Logically I feel users are better off consolidating on a Private Microsoft Account versus a corporate version. The latter could of course change if they moved jobs and present the associated headaches. Not to mention the risk of snooping that could occur as many corporate systems are open to monitoring for compliance amongst other legitimate administrative reasons. But then having to work across two separate accounts makes the whole Bring Your Own Device (BYOD) somewhat awkward as you start confronting the risk of confusing private and business data when accounts get ‘Connected’ either through Active Directory or Microsoft Online services (including Skype).

The biggest concern with the Microsoft Account in general is the distinct absence of any end user management. Users lack the ability to control their own Account associations, to ‘Dis-connect’ or elect at a granular level how to assign data sharing rights.

This is illustrated in stark terms by the less than congenial way Skype has decided to encourage (force on Windows 8 RT) users to adopt a Microsoft Account as their Skype login. In my recent experience with this I feel there is the potential of a 3 way cock up building a Tsunami of support headache for Microsoft as Windows 8 RT, Skype and the Microsoft Account converge.

My experience follows the receipt of a nice shiny new Microsoft Surface running Windows 8 RT. I tested this with both my corporate and private account to see how it worked, as part of a natural Techie’s curiosity, before settling on running my Private Microsoft Account as this device is for personal use.

That is when things went from great (see my Windows 8 RT Blog – ‘The iPad Killer’) to grotesque (read on) when I attempted to configure Skype on my Personal Microsoft Account having tested it on my Corporate one.

Grotesque in that someone has not thought this through, or at least not got their priorities in the right order, summed up by the following:

  • At the time of writing, Windows 8 and Windows 8 RT are detected on the Skype site, which makes it VERY hard for you to get the traditional Skype desktop app, by forcing users to the new Windows 8 App store. As such users are, in ignorance, going to be installing the Windows Modern UI App version. (You can get the original desktop version with some laborious workarounds, i.e. log in to the Skype website from a Windows 7 machine!)
  • Users of Windows 8 are encouraged to use their Microsoft Account as their principal login so that they can get all the benefits of replication across devices etc. Also internal AD accounts can now be ‘Connected’ to a Microsoft Account to also extend this to corporate accounts.
  • The Windows Modern UI App version of Skype prompts users to ‘Connect’ their Microsoft Account if it detects a user is using their Microsoft Account on their Windows 8 device and to use this now as the principle form of login to Skype.

All very innocent until you realise:

  • The Skype Microsoft Account attach is one way and CANNOT currently be reversed. I spent an hour on support with Skype trying to address this issue, then had to repeat the exercise three times over a week, and am awaiting resolution.
  • The setting that should allow you to ‘Manage settings for all the apps and accounts you’ve connected’ in your Microsoft Account Profile is absent of any Skype option. So clearly the ALL word in this statement has some Microsoft hidden meaning, ALL non-Microsoft it would seem.
  • IF you have inadvertently Connected the wrong Microsoft Account and you are a proud owner of a new Windows 8 RT device then you cannot use Skype:
    • Because it will not let you login using your original Skype account login OR Connect using another Microsoft Account. It wants the one you connected.
    • Because Windows 8 RT does not support traditional desktop Apps you cannot revert to the desktop version so again Skype have successfully alienated users.

Skype’s suggested fixes are absurd:

  1. Create a new Skype account and connect it to the other Microsoft Account! (What and lose all my contacts, credits, Skype in and Out number etc)
  2. Create a second user account with the Connected Microsoft Account on the Windows 8 RT device and use that when you want to use Skype. (Oh nice one and what happens when people want to call me?)

Absolutely ludicrous!

So currently I have a nice new Microsoft Surface and cannot use Skype on it. Someone at Skype/Microsoft should be reviewing critical path practices and asking WHY enable a connected account BEFORE building in a dis-connect. IT history is FULL of similar situations where end user practices insist on such roll-back or flexibility. As a result the support desk at Skype is going to get heated, and from my experience they are poorly trained to address this, so a second faux pas for not getting the help desk up to speed first. The individual I got did not understand the difference and constraints on Windows 8 RT and Windows 8 or he would not have suggested using the desktop application!

The saga is ongoing, and I am not alone it appears http://community.skype.com/t5/Windows-8/Windows-8-Disconnecting-a-Microsoft-Account-and-a-Skype-account/m-p/1149344#M31  & http://community.skype.com/t5/Windows-8/Windows-8-Disconnecting-a-Microsoft-Account-and-a-Skype-account/m-p/1167114#M783

MESSAGE TO SKYPE - Release an interim patch version of the Windows 8 app that enables ‘Skype Account’ login as an option alongside the ‘Microsoft Account’ option whilst you sort out the sorry mess and enable end user ‘Microsoft Account’ connection management.

As and when this is resolved I will do an update.


UPDATE:

The Skype online support process referred to above DOES WORK. Advice is, if you do not get a confirmation email soon after the online support session you should repeat the exercise. It took me 3 attempts so do persist. They will manually disconnect a Microsoft Account. But this is hit and miss in terms of the speed of response and far from convenient. Re-associating a Microsoft Account will again commit you to a one-way trip that will demand the manual support process should you wish to change it again.

Facebook and the ‘The Emperor’s New Clothes’


For those who were not blessed with escaping into the world of Hans Christian Andersen in their youth the title may come across as somewhat cryptic, further enlightenment available at Wikipedia.

On reading the BBC’s article ‘Facebook: The challenges ahead for the social network’ I felt that the substance of the piece was rather dancing around the true core of the problem that faces Facebook and, in part, many start-ups and the investor community at large that props these up.

The venerable experts warnings are a drum roll to a very long list of challenges facing Facebook as a business and a technology company.

The privacy and security issues are particularly concerning to Facebook’s business, but a smokescreen for a more generic underlying rot that is symptomatic of too many IT-specific Start-Ups and newly IPO’d (Initial Public Offering) entities. Rot that in blunt terms transmutes good, sound, focused commercial opportunities into world domination agendas of Austin Powers proportions; funny if the implications for the individual investor were not so serious.

IPO’d entities that go on acquisition feeding frenzied binges. Binges that convert disciplined profitable businesses into rambling lossmaking entities, leaving investors with the worst kind of hangover. Hangovers and addiction because some of these IPO’s are so big, they are treated like the banks during the recent crisis as too big to fail, and commence a slow poisoning of the well every time they go back for more.

The problem is a moral one; the shift from a founder backed business model to one based on other people’s money. From the sanity of what a business is fundamentally about – the purchase and sale of goods and or services in an attempt to make a profit – to the vanity business model that is purely Revenue focused and in Facebook’s case arrogance that does not even commit to proper forecasting!

Firstly, Facebook is the epitome of the new generation ‘Vanity Business’. A category of business pumped up by the market makers who conduct the Casino Investment, with other people’s hard-earned money, that this model feeds on. Casino investment of a similar character to that which fostered the banking crisis whose shockwaves are still being felt across the world, driven by individuals who take disproportionate fees for risking other people’s money, fees paid whether the investor wins or loses.

If we apply this to Facebook’s $104bn flotation in May it would appear the company has reverted to this parasitic trend of third-party-funded public entities, Revenue vanity over Profit sanity. Such a disproportionate valuation sets a totally unrealistic expectation at the outset, and as we are seeing stimulates comparably cavalier business practices, hoping to strike a rich vein.

This perspective was all speculative until the facts were borne out in Facebook’s first earnings report; see Facebook’s first financial results announcement. Symptoms of the corruption are in stark black and white:

  • Exponential increase in Capital Expenditure = 213%
  • Exponential increase in costs = 295%
  • Operating profit margin decrease = drop of over 10%
  • Exponential losses = Swing from net income of $240m to loss of $157m, that is almost $400m!!

The BBC article is somewhat lost in the detail; it does not raise the spectre that Facebook is an entity with an unsustainable core business model. Having pulled off a multibillion dollar confidence trick it is now attempting to buy its way into profit. The shock is that it is achieving the opposite at the moment, which must put the CEO’s head on the block.

Any company with the investment injection that Facebook has just achieved has little excuse not to be making profit. If they had done little more than put the funds on deposit and continued business as usual they would be better off!

Like many tech start-ups when there is serious business to be done, you need business competence, techies need to step aside. The fly in this particular ointment is the fact that BILLIONS of dollars have been invested in a company for a minority stake!

Secondly Facebook’s core business is founded on a factor that is going to constrain if not kill its original service offering – data and personal privacy protection.

It is in a line of business that is likely to become so regulated and legislated that it will become a compliance minefield, sapping profitability and the very agility this market niche demands for survival.

I agree with much of what the venerable experts say; their comments are a drum roll to a very long list of challenges facing Facebook as a business and a technology platform. With particular empathy for the security and privacy points that I have echoed in blunter terms in many of my earlier blogs, so cast your browser back; particular reflections I would suggest:

Conclusion … so far

At the moment the business is flawed, floundering and visionless. On a short term event horizon to oblivion unless it can re-invent itself. Even the core advertising model is being thrown into question ‘Why GM and Others Fail With Facebook Ads’

Big is not always beautiful, and great success can be achieved focusing on getting the core right before building out dependencies, Facebook’s data protection challenges is the dirty bomb sitting in their basement. If the bomb goes off the whole house will come down.

The future is by no means clear; what will be in the sequel to the Facebook volume 1?

Will we find out in the sequel what the Emperor was wearing? Assuming death by ‘privacy’ exposure does not strike first!

Apple iCloud – Sets a worrying example


Well so much for Cloud security if you’re an Apple iCloud user if recent headlines are anything to go by.

‘Off-the-shelf forensics tool slurps iPhone data via iCloud’

And

‘Beware of iCloud! Snooping software lets police read everything on your iPhone in real-time without you ever knowing’.

In summary, you no longer have to have your mobile phone seized by the Police for them to access data on it. If the Police can do it then you can bet that the hacker community will have their own ways.

What this means for users is ANYONE with your Apple ID and Password can monitor ALL your phone activities if you are backing it up to iCloud. This goes beyond your phone as well because iCloud of course can back up more than your phone.

If you think your Apple ID is secure then please don’t delude yourself. Apple IDs have been compromised just like many other systems have been and will continue to be. Why do you think Apple has been prompting users for added security? ‘Apple prompting some users for extra App Store security details’

So you want to play safe, as one customer requested. Duly obliging, I proceeded to disable iCloud for him, with some interesting and worrying insights into how Apple is using some very dubious dialogue boxes to deter users from breaking the commitment.

Don’t believe me? Then try and disable it! Go into your iDevice (iPhone or iPad) and Settings > iCloud.

Switch it ALL off. Some nice prompts, for reminders for example, give you a friendly option to keep or delete them on your device. So far so good…

As I got down the list things got a little trickier. Almost like Big Brother was watching: whilst it allowed me to switch off some frivolities like bookmarks and reminders, when it came to the meat and veg of a user’s digital collateral (Documents, Pictures etc.) the stakes were raised.

  • Data – Threat of deletion off device.
  • Photo – Threat of deletion off device.

See image below for reality check. No guidance as to what this actually means. But for any non-techie it would be enough to halt them from further extracting themselves from iCloud.

[Image: Apple iOS dialogue]

Further investigation into what this ‘threat’ of deletion meant in real terms revealed that it does not delete data originating on the device as far as I can work out.

Apple simply cannot resist its controlling ways, all Apple needed to do was use a cordial prompt as it did with the Bookmarks and Reminders, users would have not had the frighteners put up them, and everyone would have parted friends. Instead users are placed in a high degree of uncertainty, stressed over the integrity of their data if they execute a reasonable request.

Thank you for being so friendly and welcoming Apple, NOT!
