Last week's articles
Microsoft bungles every opportunity to win hearts and minds
T-Mobile needs more than Catherine Zeta Jones
Naiveté and money (CIBC and Genuity spat)
French security researcher faces jail for exposing security flaws in anti-virus product
Report from RSA Security Conference - San Francisco
It was quite the spectacle.
Last I heard, in the region of 13,000 people attended, from all over the world. The quality of the speakers was generally high, not top-heavy with vendors. There was also an excellent Prohibition-era themed party that everyone enjoyed. Cryptographers don't get out much, so they made the most of it.
Not that it is purely crypto geeks any more. In any event, they are a mild-mannered, gentle bunch, top-heavy with grey matter, but otherwise non-threatening.
All the security movers and shakers were there, or so it seemed. Bill Gates opened the event, to great fanfare: throbbing music, strobe lights and lots of razzle-dazzle. You have probably read by now that he announced a new version of IE, to come out in beta in mid-2005. IE 7.0 will not, however, be available for Windows 2000 users. I assume Windows Me users are similarly excluded.
He also announced that the new beta anti-spamware product will remain free to licensed Windows users, for personal and home use, at least the basic version. Enterprise users will have to pay a fee. He also said that they are working on a next generation consumer anti-virus product, to emerge by year-end 2006. No doubt a horrible prospect for anti-virus product vendors everywhere. But not much of a surprise.
What the media did not generally mention, was his demeanour.
Bill seemed decidedly lacklustre in his presentation. He said 'super' a few times, and 'it's all very exciting', but with the passion of a wet tea towel. He just seemed a trifle disengaged. Or maybe he just doesn't need to be passionate anymore; maybe the well-oiled machine just mints so much money that gung-ho enthusiasm seems gauche.
Or maybe he will focus more on his admirable AIDS work, and bow out gracefully.
By comparison, John Thompson (CEO, Symantec), a welcome non-white face in a sea of 'tall white guys' (metaphorically speaking; many are not tall), came out fighting, like a middleweight champion who has recently moved up a class and is just raring to get out there and slug his opponents.
He threw out several not-so-subtle digs at Bill, and generally threw down the gauntlet. He got a few cheers. However, he seemed defensive: a living personification of the "offence is the best form of attack" philosophy. MS was a 'Johnny Come Lately', a nasty, noisy kid unwelcome in the adult (security) playground; new money at a party full of aristocrats, and so on.
I am sure Bill was quaking in his chinos.
John Chambers (CEO, Cisco) was like a freight train moving through Frisco. The Speedy Gonzales southern drawl delivery, all in the same mesmerizing monotone. He paced the crowd, and made disconcerting eye contact. He was folksy and self-deprecating. There was a certain messianic zeal about the whole performance. Resistance seemed futile.
It was a little bit scary.
However, the product suite he was rolling out, the aptly named 'Self Defending Network', seems a decent premise, and was generating a lot of interest at the Cisco booth. However, I strongly suspect that there is nothing truly 'new' about it all, just a hodge-podge of generally well accepted security principles embedded in hardware and software.
Which leads me to another theme at the event.
Where has all the innovation gone?
Gates, Chambers, Thompson, Sklavos (Verisign): in one respect at RSA, they were all singing from the same hymn book.
Innovation was everywhere. It positively imbued the room with its smart aroma. The mere spectre, or mention, of legislation to make vendors liable for defects in their products produced howls of protest.
What would happen to 'innovation'? Innovation would just stop in its tracks and be turned to stone; jobs would be irretrievably lost; the economy would grind to a halt.
Ne'er was the apocalypse closer at hand; it lurked and menaced behind every corner.
I smelled fear in the room, but not from the audience, bemused and sceptical as many were. It came from the stage, from the big guys, the movers and shakers. Fear of impending doom should a single software vendor have to make customers whole for defects in their products.
It all seemed a trifle overwrought. Like a corny, late night horror flick. The audience didn't buy it. I wondered whether any of them challenged the underlying premise: that the software industry is awash with 'innovation' that is threatened by legions of marauding class action lawyers.
Chambers mentioned in his opening that "8/9 years ago" there were challenges to the notion that 'innovation' abounded, but that those days were (mercifully) long past.
I was puzzled. The Harvard Business Press article by Nicholas Carr that gave rise to a fever-pitched debate on the issue, and the subsequent book, 'Does IT Matter?' (published in 2004), are all very recent. And if my clients and the Wall Street Journal are to be believed, the debate is far from over.
But such heresy is terrifying to vendors, who raced out to fund 'innovation'-heavy research programmes at schools around the planet as soon as Carr's book hit the book store shelves.
Their fear is palpable.
MS enters security market: But why?
MS announced recently that it will buy Sybari Software. It seems enamoured with Sybari, having used them to secure the internal MS infrastructure.
Read an ecstatic interview with the MS CIO about a trial of the Sybari suite of products at Redmond.
According to the MS interviewee: "we've worked to become leaders in the security industry through the formation of working groups such as the Virus Information Alliance, which fosters information sharing among antivirus providers about emerging threats, for better response and greater protection for customers. We also partner with service providers and government agencies as a member of organizations such as the Global Infrastructure Alliance for Internet Safety."
The interview is worth a read to get a glimpse into the new party line around security. It was also interesting to note at RSA the unveiling of the new MS CSO, a soft-spoken (ex-AT&T), grey-haired and attractive woman, whose name escapes me, who was remarkable for her unassuming, reassuring presence on stage and persistent use of the phrase 'stewardship'.
Expect to hear a lot more soft and cuddly rhetoric from Redmond around security; rhetoric carefully calculated to make us feel that they too feel our collective pain; that they too face similar challenges around security. That they are just like you and me.
Will customers buy it?
The simple fact remains that spending shareholder dollars on security acquisitions is a bizarre strategy going forward. Why not invest in solving the underlying problem, flawed code, by buying companies in the patch management business, or focused on software assurance and code testing? In that way, they would obviate, at least to some significant extent, the need for a plethora of security products in the first place.
Instead, they invite customers to spend additional money on upgrades, and on MS security products that depend for their very existence on flaws in MS flagship products. Such a strategy seems to exploit further the misery of their customers; it gives the appearance of kicking them while they are down.
Alternatively, if they are indeed intent on solving the security conundrum, they will, presumably, soon cannibalize the business model of their latest acquisitions, and strip them of their inherent value to shareholders. It makes no sense to me.
Consider what they are asking customers to do:
A) Buy more of our (insecure) products, without any legal redress if something goes wrong;
B) You will only get 'new and improved' (read: more secure) products if you upgrade (= pay us more money);
C) By the way, if you have legacy products in your infrastructure, we probably won't support them at all;
D) We want you to give us more money for our new security products to fix holes in A) and B) above.
It is audacious. It is gutsy. It is time to consider your options.
Another Gartner analyst compares MS to a purveyor of 'smelly water'.
Cruel words indeed.
Who pays for ATM fraud?
The Canadian Bankers Association report that $44-million (U.S.) in unauthorized debit card transactions was reimbursed to consumers in 2003, a mere drop in the ocean to financial institutions, and no incentive for a costly migration to the more secure smartcard (chip and PIN) system up and running in the UK and much of Europe — and not likely to be seen in Canada before 2010 when Visa Canada have committed to rolling it out. While smartcards are by no means immune to attack, not every Tom, Dick and Harry can do it.
Even our beloved ATMs are not invulnerable — a fact that became clear when the Slammer worm hit the back end systems of the Bank of America in January 2003, and 13,000 U.S. ATMs went offline. Then in August 2003, the Nachi worm compromised Diebold ATMs built atop Windows XP Embedded at two U.S. financial institutions. In both these instances, patches were available from Microsoft, but had not been applied.
Read more in Mary's latest column in the Globe & Mail
Canadians spend $6 million in the US on debit
An article in today's American Banker magazine (subscription only) states that Canadians are spending a bundle on PIN-based debit transactions in the US, especially in border areas. A cross-border debit alliance was formed some three months back, and is clearly proving popular.
What is not apparent is what level of protection Canadians have when using debit in the US, as the voluntary code on debit cards applicable in Canada, where there is no binding legislation, is restricted to domestic transactions.
New clearing house arrangements for online payments (mainly EFT/POS payments, i.e. paying with your debit card online) come online in Canada shortly, orchestrated by the Canadian Payments Association. No additional protection for consumers though; simply a wishy-washy exhortation to providers to allow the Code (discussed in my Globe column above) to apply to such transactions.
This new initiative, while good for the banks and other service providers, will inevitably result in more cases of fraud, more identity theft, and less protection for unwary consumers.
Watch this space.
FTC reports identity theft still on the rise
Contrary to the results of a recent survey by the Better Business Bureau, showing US ID theft numbers to be down and offline scams to be more prevalent, the FTC reports that for the fifth year in a row, identity theft topped the list of complaints they received from consumers, accounting for 39 percent of the 635,173 consumer fraud complaints filed with the agency last year.
Internet-related complaints accounted for 53 percent of all reported fraud complaints, and credit card fraud was the most common form of reported identity theft, followed by phone or utilities fraud, bank fraud, and employment fraud. Consumers seem reluctant to report to the police, or perhaps they don't realize they can: 61% of victims did not do so.
The report is fat (at 71 pages) but the first few pages are worth a look. Most of the report is taken up with a state by state breakdown of complaints and losses.
Overall, consumers reported fraud losses of over $547 million; the average loss was $259. Internet-related complaints accounted for 53% of all reported fraud complaints, costing consumers in excess of $265 million with an average loss of $214.
It is very interesting to note that 'the percentage of complaints about "Electronic Fund Transfer" related identity theft more than doubled between 2002 and 2004'.
It is unclear whether this relates to debit cards, or other forms of EFT payments.
We will investigate and report back.
Microsoft accepts EU decision and moves on
Microsoft has wisely decided to take its lumps and abide by the terms of the recent EU court decision forcing it to unbundle Windows Media Player from the Windows operating system and divulge certain software interoperability specifications, although they are not abandoning their appeal in the main action (against a €497 million ($651 million) fine, among other things). The new stripped-down product will arrive at EU retailers in the coming weeks.
Moving on with life, striking deals with Yahoo and Hollywood power brokers seems a far better use of time and resources than endless appeals against the inevitable, and a more likely strategy to win friends in Brussels.
Or maybe not... (Update January 31, 2005)
Bill (Gates) is en route to Brussels to meet several top level EU Commission officials on Tuesday, February 1, 2005 after his trip to the Davos World Economic Forum (where he announced that he is shorting the falling dollar). (Hopefully he had time to hang out with my countryman, Bono. Soon he, Bono and Bill Clinton will all be jamming in Dalkey chez U2).
One delicate topic that may be avoided in Brussels is the latest twist in the EU v. Microsoft anti-competition debacle. As stated above, MS is on target to deliver a Windows Media Player-less OS to the EU market, but, and who would have predicted it, MS has stuck its foot in it again by calling it 'Windows XP Reduced Media Edition'. I wouldn't have believed it except I have it on reliable authority that it really is so.
Is there a kamikaze, sado-masochistic streak amongst the folk in Redmond? Time and time again they display a spectacular talent for squandering every vestige of good will towards them with gaffes of momentous proportion.
It is increasingly hard to fathom, as lessons appear not to be learnt.
Moves are afoot to come up with a new name.
UK police exhort cybercrime victims to try civil remedies
Trying to get businesses to report incidents of cybercrime has never been easy; concerns about reputation risk, poor PR, and lawsuits abound.
And now it seems there are even bigger problems.
Unless you have been taken for huge sums, UK cybercrime cops advise that they just don't have the resources, including cars to get around, to investigate and secure convictions.
As pointed out in the article, the absence of adequate numbers of convictions will result in a catch-22 situation, where it will appear that there is no problem to solve, and finite police resources will be funnelled elsewhere.
However, all is not lost. As stated, if you can't get them in the criminal courts, use the evidence you recover in a (competent) forensics investigation to file a civil suit: to try to recover stolen funds, to seize assets and perhaps (depending on where you live) to sue the parents of errant teenage hackers for vicarious liability.
Now there is a thought.
Viruses move to the Lexus platform
No, it's not a new and deadly threat to Windows, but the luxury automobile. Yes, you can drive, but you can't hide.
While I was agonising about the inevitable migration of malware to that most precious of personal belongings, the TV, the virus writers were quite literally hitting the road.
An anti-virus company was recently contacted for help to disinfect the onboard computers of several Lexus cars: the LX470, LS430 and Landcruiser 100. The suspicion was that the infection leaked onboard via a mobile phone.
Several Lexus models have a GPS system that can connect to a mobile phone over Bluetooth for hands-free calls; the current hypothesis is that Bluetooth may have been used to transmit a virus to the car's GPS.
It is unknown as yet whether the intention of the malware writers was to command the Lexus to drive to the nearest Star Trek convention, or what dastardly plot they had in mind.
According to the report in ZDNet, "until two-way wireless transmissions were banned in races, Formula 1 racing cars were equipped with antivirus software to prevent virus attacks on the car's operating system".
With the Microsoft world vision in mind, and a deal already in place with Fiat to embed Windows wherever they can embed it, bugs and all, the future seems bleak.
Look out for Romanian hacker-controlled BMWs coming to a highway near you.
Debate continues about divulging software vulnerabilities
After last week's story about the French researcher facing jail time for writing up a long-standing security flaw in an anti-virus software product, the debate rages on.
Some security researchers who find security flaws in software simply advise their own client base, and not the manufacturers/vendors. Presumably they figure out their own workarounds for customers. However, this approach to the problem is not ideal either, as it ensures a patch is not made available for the problem by the folk most capable of providing it to the widest audience.
However, researchers who deal directly with vendors such as Microsoft, and divulge flaws for praise from Redmond (and maybe cash), also come in for flak, as vendors often don't exactly race to fix flaws, but do so at their convenience. And, as often pointed out on this site, sometimes they make the fixes available only to customers running the latest version of their software. Meanwhile, bad things happen to good people.
Researchers who don't play ball with Redmond get dressed down in press releases and generally derided.
An unhappy situation all round.
But as software vendors have no liability for security flaws, yet do have a relentless drive to make profits, we cannot assume they will always have the best interest of the public at heart. Since when has the commercial sector been the exclusive keeper of that particular flame?
In an article in the WSJ on January 17, 2005 (The Revolt of the Corporate Customer, by David Bank), the author states that "software vendors are warming up to the idea of shared responsibility - up to a point". He then gets a classic 'waffle' quote from John Thompson, CEO, Symantec: 'no software company wants to be first to cross "the chasm" on software liability', etc., etc. It's like a guy who can't swim saying he won't be first to surf Pike in Hawaii.
Meanwhile, a big fuss has been made about a Brazilian virus writer's decision - supposedly an illegal act in Brazil- to post the source code of a Symbian OS virus (affecting certain Nokia phones) to his Web site.
(It seems that even guys who reveal the secrets to picking locks are in trouble).
Phil Zimmermann has also entered the fray, the gutsy crypto geek who risked US Club Fed jail time for releasing military grade encryption to the masses (PGP) in the '90s. He is concerned that the algorithm (RC4) Microsoft use to encrypt Word and Excel documents is eminently crackable, and not certified to any reasonable standard, such as Common Criteria (CC) or FIPS.
Apparently MS came back to him with a lacklustre response. If they really have their sights on being a security company, they will have to do better than that, especially as news is out that the MD5 algorithm (widely used in SSL to encrypt web commerce traffic) is also flawed. World renowned crypto geeks from the standards world tell me that the vendors are not racing to replace MD5 either, as it would cost too much, and prefer not to talk about it at all.
Where will it all end? If I find a gaping hazard in my new scooter and post it to this site- will the Post No Flaws police come to take me away? The world is upside down.
Interview with ex-top US cyber security Tsar
Read an interesting interview with Amit Yoran, ex-top cyber dog at US Homeland Security, who fled the coop after one year on the job, with several other escapees following him in recent days.
Several important points are made about the current (maladjusted) relationship between industry and government.
The emphasis on physical security over cyber threats, and the fact that government (product) certifications generally have no commercial justification and simply serve to drive up costs, are all topics worthy of further debate, especially if government is expected (wishful, deluded thinking) to set an example in cyberspace risk management.