Security week in review
Week of December 31, 2004

UPDATE ON MICROSOFT EU DECISION

According to a recent story in Internetnews, and various doom-sayers, Microsoft is in dire straits, and licking its near fatal wounds after this recent EU court decision against it.

The general hypothesis is that having to unbundle Media Player from Windows prevents them from bundling anything else with it in the future, thus destroying their business model for all time.

Besides the fact that my reading of the decision did not lead me to believe such a dire conclusion is at all inevitable, I cannot imagine that the Redmond Mothership does not have a viable 'Plan B'.

Let's see: MS have had (a wild guess) swarms of lobbyists and lawyers swanning around Brussels before the boom was lowered, trying to drum up positive press, and a warm and fuzzy feeling towards them amongst EU movers and shakers. All standard fare when the stakes are high.

But although hope dies eternal, is there a real likelihood that such seasoned scrappers (used to knock down fights with competitors since day 1) never considered the possibility they might lose?

Au contraire, they will undoubtedly produce the gummy Media Playerless OS in January 05, as promised, and soldier on making billions. They will also re-double their efforts to pump up Media Player as the best of breed player on a pure standalone basis - and develop various channels to market that work around the decision.

As for the notion that they are now prohibited from seeking to bundle a security/anti-spyware product (a credible scenario with the recent Giant Software purchase) with Windows, as a direct result of this decision - off the cuff, I can think of a raft of decent legal arguments that defy such a conclusion. So (I can only assume) will their fleets of lawyers.

Cultural sensitivity lacking

That being said, one lesson that MS and other monolithic US companies seem unable to learn, is how not to really tick off the natives on their home turf - with pompous, supercilious, and generally ignorant comments about the EU citizenry, in particular.

If I read one more 'broken record' article in the US media (the WSJ is relentless on this theme - it seems to be established dogma in the newsroom) about how Europeans are lazy as dogs, hideously unproductive, wine swilling neanderthals, who gaze longingly across the ocean at their worked to the bone US peers, I will surely turn purple, and spontaneously combust. Not a pretty sight, I can assure you.

Besides the fact that the numbers used to support this most dodgy premise are usually wrong, and heavily massaged to support the very cathartic 'superiority complex' messaging - the fact remains that most Europeans do not aspire to a life with no health care, no vacations, no pensions, no child care......they really, really don't.

Steve Ballmer (CEO of MS) was recently quoted in an interview in the UK (when discussing the regulatory environment in Europe) as musing - "if only they (the EU authorities) were more like us Americans". Indeed. If only.

But with EU enlargement inevitable, and opportunities for growth at home not infinite, a little bit of respect for the locals might go a long, long way.

Thief who stole cancer patient's identity convicted under US HIPAA law

This story is actually old news, but we haven't run it before, and it is worth a gander as it sets a useful precedent, and proves that the US HIPAA law (the Health Insurance Portability and Accountability Act of 1996) has teeth. It marks the first HIPAA criminal penalty imposed by a US court.

In November 2004 in Seattle, a District Court Judge sentenced 42-year-old Richard Gibson to 16 months in jail, plus a substantial fine - four months longer than prosecutors had sought in this sorry case.

The 37 year-old victim was a mortgage banker from the Silicon Valley area. When he was in hospital at the Seattle Cancer Care Alliance receiving chemotherapy treatment, he started to receive mail regarding new credit card accounts he had not opened. He had to spend a lot of time and money (when he presumably should have been recovering) putting his financial house and life back in order.

Gibson worked at the alliance as a phlebotomist and laboratory technician from November 2001 until he was fired in February 2003. He stole information about his victim from his employer, and used it to falsely obtain credit cards. He charged more than $9,000 on four credit cards to the patient's name.

Prosecutors could have elected to use identity theft laws to prosecute Gibson, but opted to take the newly minted criminal law provisions under HIPAA out for a successful spin. They also succeeded in getting a conviction despite the fact that Gibson was not a "covered entity" under HIPAA, but rather the employee of such an entity.

This case can serve as a warning to all US health care workers that stealing and abusing sensitive medical data for personal gain will not sit well with the courts, and will likely result in time behind bars.

EU's top court denies Microsoft a stay

Judgement came down yesterday (Dec. 22) from Luxembourg in Microsoft's application for a stay of a decision made by the EU Commission on March 24, 2004. It held MS to have abused a dominant position in certain markets, and required them to unbundle Windows Media Player from the Windows OS, and to provide 'interoperability specifications' for their Windows client-to-server and server-to-server architecture. (A fine of Euro 497 million (and change) has already been paid).

MS sought to have the decision stayed on the grounds of urgency - arguing, in essence, that immediate compliance would cause serious and irreparable damage to its IP (patent, trademark, copyright and trade secret) rights, business model and reputation.

(Note: MS can market the existing OS with Media Player alongside the mandated stand alone stripped Windows OS offering - an exercise not surprisingly described by MS in argument as a "futile exercise" - as they can charge the same price for the full version as the stripped product. It certainly seems likely that a customer faced with this particular choice would choose the 'more over less' option.

 

 


 
   

That being said, there is a possibility (considered and discounted by the court) that the alternative media player software vendors might try to do exclusive 'bundling' deals with Dell, etc - but no-one (including MS) seemed to be convinced that such an eventuality was terribly likely, or particularly threatening.)

Crying over spilt milk

The 62 page decision is fastidiously argued and framed, and makes short work of many of MS's arguments, especially in light of very recent settlements with Novell, arch-rival Sun Microsystems, and the US government (terms approved back in November 2002, and subsequently on appeal in June 2004).

The Court had little difficulty in drawing the entirely rational conclusion that the likelihood of a cloud of locusts descending forthwith from the heavens and devouring MS from the outside in (if the stay was not granted), was negated by historical events:

MS has already made its client-to-server specifications available to developers et al (beyond what is required of them by agreement with the US government). They have also concluded cross licencing agreements with Sun (that presumably satisfy their deep concerns about protecting their source code and IP rights). This deal includes licences for access to the same specifications sought under the EU decision (beyond that required by the US settlement).

Business as usual at MS: massive dividends, huge profits, no sign of mordant decline in the empire - all circumstances that did little to support the picture painted of imminent catastrophe - and justifying a stay.

Security raises its head

In a somewhat bizarre argument, MS apparently argued that providing TPs access to their 'private communications protocols' 'might lead to malfunctions, crashes and security risks' (page 19 of 62).

But isn't that the scenario we have already?

They also argued that they would have to harden their protocols before releasing specifications, to ensure no 'inadvertent and malicious use'.

And why, one might ask, would that be such a bad thing?

They also raised the spectre of exposing customers to 'technical vulnerabilities', 'data loss and corruption' - if technical specifications had to be released.

Not surprisingly, the court found that the parties on the receiving end of the interoperability specifications would be amply incentivized to ensure resulting products did not crash, or hurt their customers. Indeed, the fact that increased testing would be necessary to ensure interoperability would ultimately ensure we are better off on the security front - not worse - as a result of the increased transparency.

A nod perhaps to the 'security through obscurity' approach to software development, that the Commission has previously derided?

Not all doom and gloom

However, the picture is not entirely bleak for our brethren at Redmond over this festive season. There is a ray of hope that MS is not 'done like dinner' in the main action (several centuries hence), based at least on a preliminary reading of this fat interim order.

The court seemed perturbed by the Commission finding that relied on the probability that the market would 'tip', as grounds for imposing the unbundling sanction (re Media Player) - especially if the facts supported a contention that the bundling (notwithstanding MS's dominant position) did not in fact restrict competition (as other media players are readily available in the market), etc. In other words (on my reading) - was this a punitive finding against MS, unjustified by market realities?

In addition, the court mused as to whether more account should have been taken (by the Commission) of certain 'positive effects' associated with 'increasing standardisation of certain products' (i.e. the Win OS). They posed the question as to whether standardisation must arise from purely competitive forces, or standards bodies alone.

They also offered hope that there are legs in the important MS argument that the Windows and media functionalities are not in fact two distinct products (as held by the Commission), passing comment on the fact that other companies bundle media functionality with competitive OSs.

No proof that consumers are really dummies

The MS argument that a stand alone Windows OS product (without Media Player) would be so lousy as to hurt their reputation with customers was discounted on the basis that no evidence was presented to show that marketing wouldn't adequately inform customers as to the consequences of their choices. And that there was no evidence produced 'to permit an assessment of the real extent of consumers' ignorance' (page 59).

Where does it leave MS?

The court pointed out that although MS must communicate its specifications for interoperability protocols, they can design the protocols as they see fit. Also, as under the US settlement, they can improve these protocols and make them available outside the OS (for installation separately), and by so doing, not have to make them available to the competition (through 'update' features, etc).

Much for MS to chew on over the vacation. Of course, by the time the main action is heard, all this teeth gnashing may be moot. Google may own the media space, and even content ...

Or who knows?

Symantec to acquire Veritas

It seems a deal has been done. Symantec will acquire Veritas for USD$13.5 billion in an all stock deal yet to be approved by both companies' stockholders. This move is a serious comedown for Veritas, once a stockmarket darling, but recent problems with regulators and senior management have taken the hue off the stock.

Various commentators believe Symantec (CEO John Thompson is ex IBM) wants 'to be more like IBM' (a big player in storage - Veritas's back yard) and move away from the consumer focused anti-virus market. Whether imitation (albeit flattering) of a formidable entrenched rival is a sound corporate strategy remains to be seen.

Symantec's stock has taken a beating since the announcement, with fears that merging the two companies with widely disparate business lines will prove challenging and drag down Symantec's stock, which has been on a roll all year.

(It is also by no means clear that high roller Gary Bloom (Veritas's CEO), not particularly known for his modest and unassuming persona, will enjoy sitting in the back seat for very long. Expect an exit strategy to emerge in early course.)

The spectre of Microsoft undoubtedly also loomed large, with rumours circulating that they were on the verge of entering the security market. John Thompson in a recent interview with Business 2.0 was asked if he was "worried about Microsoft". With alacrity, he responded that Symantec have been "at this for a long long time, and we think we can outrun almost any large company that wants to play in this space".

Start running John.

In an interview with silicon.com in June, he also reinforced the advantage that specialist security companies (i.e. Symantec) have over mere dabblers, and commented; "We don't do game boxes and we don't do operating systems. We do security."

And now they do storage. Time mellows all.

With the announcement that Microsoft will offer an anti-spyware product to customers within an aggressive time frame, not to mention anti-virus protection at a later (as yet undisclosed) date, things are heating up.

But who will prevail? Will the news impact MS's new data protection server rollout?

Are Bill and Steve awake at night? Is EMC (Veritas's arch rival) quaking at the news of the merger? Does the news spell the dawn of a new age for integrated security/storage solutions?

With Siebel buying eDocs; Larry Ellison finally clubbing PeopleSoft into submission; Cisco (and Symantec) on a buying spree, Sprint & Nextel getting married..... glory days are clearly here again for investment bankers - fat Christmas bonuses on the horizon.

An interesting year ahead.

Microsoft enter the security market (finally)

Microsoft announced the acquisition of a 12 man NYC anti-spyware firm, Giant Company Software, and the availability of an anti-spyware product to Windows XP and Windows 2000 customers within a month. It will initially be free, but they may charge for it over time.

Despite suggestions that MS's due diligence on the purchase may have been less than stellar, and the PR folk a bit quick off the mark to trumpet the deal (with co-owners of the Giant software emerging from the woodwork), it seems unlikely MS will back off the deal, and end up with egg on its face.

Although the acquisition is small, tiny by comparison to the mega mergers previewed above (there were rumours earlier this year that a MS bid for McAfee floundered), it is significant as Microsoft are (finally) formally putting a stake in the security ground.

As operating system vendors enter the security space, and anti-virus companies enter the storage space, and telcos, gear makers (Cisco, Juniper Networks) and ISPs all race to secure their pipes (and much needed new revenue), a shake out can be expected.

Linux code has least bugs

According to Wired magazine, a four-year analysis of the 5.7 million lines of Linux source code, conducted by five Stanford University computer science researchers, indicates that the 2.6 Linux production kernel has 985 bugs in 5.7 million lines of code (100 were security holes - supposedly mostly cleaned up already by the open source maestros) - and well below the industry average.

According to Carnegie Mellon University's CyLab 'Sustainable Computing Consortium', commercial software typically has 20 to 30 bugs for every 1,000 lines of code.

The suggestion that the open source Linux OS is a relatively secure, bugless option for business will undoubtedly fuel the rancour between MS CEO Steve Ballmer ("Linux is a load of old rubbish" - or words to that effect) and the 'high road' Linux community.

However, while the heated war of words (if rarely wits) is entertaining, and unlikely to abate any time soon - it remains to be seen whether MS can debug its code (and write better quality code going forward) faster than the competition.

Wishful thinking by Linux buffs aside, it appears hugely unlikely that the monolith would cede ground to the upstarts without a rollicking, knock 'im down fight on such a critical issue, especially as they are aware that their customer base cares, and want results - this century.

Read about MS efforts to write better code, their book on the subject, and my article on the thorny subject.

Mandatory reporting of security breaches under Ontario’s Personal Health Information Protection Act, 2004 (PHIPA)

As of November 1, 2004, Ontario takes a step in the right direction with mandatory reporting under the new PHIPA Act. Section 12 (2) requires that a 'health information custodian' (as defined under the Act) that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost, or accessed by unauthorized persons.

Section 12 contains the requirement to actually secure health records 'against unauthorized copying, modification or disposal'. In doing so, custodians must take steps that are 'reasonable in the circumstances'.

This woolly requirement will undoubtedly cause a raft of problems as providers try to figure out what it actually means. However, the sensitivity of any particular record will clearly impact what is reasonable in a given circumstance.

There is a bizarre exemption in Section 12 (3) for researchers. (See also S.44 (3)(b) - researchers must adhere to required safeguards, etc). It seems that if a researcher is responsible for a security breach, or becomes aware of such a breach - he/she must go a long winded route to get permission (to contact the victim) from the original custodian before being able to do so.

A recent (second) security breach at the University of Berkeley (that may have exposed Social Security numbers and other personal data on 600,000 Californians) occurred when the data was in the possession of a visiting research professor. It seems the University was not alerted for nearly a month after the breach occurred.

As time is often of the essence in alerting victims to such occurrences (that could conceivably expose them to a heightened risk of identity theft), it is hard to determine the rationale for this research exemption in PHIPA, especially as researchers (using insecure/un-backed-up home PCs) may be a weak link in the chain.

Section 13 also requires that records be 'retained, transferred, and disposed of in a secure manner'.

A set of guidelines for complying with the (far more complex) data security requirements under the US Health Insurance Portability and Accountability Act (HIPAA) (which takes effect in April 2005) is expected to be released by the Healthcare Security Workgroup in April 2005.

They are a group that includes representatives from a variety of stakeholders. It is hoped that the guidelines will assist smaller providers who cannot afford legions of consultants to implement the rules.

Additional resources (on PHIPA) are available on the Ontario Privacy Commissioner's web site. We will keep you posted on the security requirements.

Who is in charge of the IT henhouse?

Read Mary's latest Globe & Mail column

Note: The US Cyber Summit Task Force on Corporate Governance produced an April 2004 report entitled, “Information Security Governance: A Call to Action.” In the report, the task force calls for the private sector to incorporate information security into its corporate governance efforts:

“The road to information security goes through corporate governance. America cannot solve its cybersecurity challenges by delegating them to government officials or CIOs [Chief Information Officers]. The best way to strengthen U.S. information security is to treat it as a corporate governance issue that requires the attention of Boards and CEOs [Chief Executive Officers].”

... “Although information security is often viewed as a technical issue, it is also a governance challenge that involves risk management, reporting and accountability. As such, it requires the active engagement of executive management.”

Communication barriers inhibit security

Richard Clarke, who served as a counter-terrorist expert and cybersecurity advisor under four US presidents has stated that there is a need for better communication with corporate board members on security issues:

"It seems that most useful piece of information a CISO can have is how to get to the board member, the CEO or the CFOs, and make a case in their language. Every expertise speaks its own language. What would be useful for these user groups is learning ways to speak the language of the people who are making the decisions".

There is really no escape at this juncture - senior management and the board of directors must take note, and govern themselves accordingly.

See '20 Questions Directors should ask about IT' from the Canadian Institute of Chartered Accountants. The list is pretty basic - but a good start.

Florida sunshine could prove hazardous

No. Never fear. Sunscreens have not been proven useless.

Rather, Florida drivers are in danger, according to a report in the Sun Sentinel, of being fleeced at the pumps- in unexpected ways.

Since January of this year, card skimming scams at Florida gas pumps have become a major problem - especially at large gas stations close to major interstate highways.

Thieves use a standard key to open gas pumps and hook up a skimming device to the pump’s keypad and card reader, to intercept credit or debit card numbers as they are swiped. They will then try to replicate the cards elsewhere, or simply use the numbers gleaned to rack up fraudulent charges.

Law enforcement officials believe that the 'taking candy from a baby' scam has not reached its prime - but rather is attracting drug traffickers and petty criminals.

They recommend that motorists use credit cards when paying at the pump for gas (extra legal protection if fraudulent charges emerge), and use pumps closest to the clerk’s window. They also suggest the old staple - checking statements for unauthorized charges, and reporting card fraud to the Florida state consumer-services agency via its phone hotline.

Those of you who hate the cold, and cannot afford to head to the sun at the first sign of snow, can take solace from the fact that it is not all fun and games in Florida. But that wouldn't be nice, now would it?

Technology narrows casino odds

In a story guaranteed to put hair on Donald Trump's head, a "chic and beautiful" Hungarian woman (so described by clearly infatuated London bobbies), aged 32, and two "elegant" Serbian men, aged 33 and 38, are being allowed to leave England, and to keep their suspect winnings from a gambling session at the casino at the London Ritz hotel. Their ability to fly the coop is based on an assessment by police that they have not broken any current UK laws.

However, while beauty can often be equated with luck, the glamorous crew had more than good looks on their side in winning STG 1.3 million pounds at the roulette table. According to the Sunday Times, they used a laser scanner inside a mobile phone that was linked to a micro-computer, that measured the speed of the ball as it was released by the croupier, identified where it fell and measured the declining orbit of the wheel.

The data was beamed to the micro-computer, which calculated on which numbers the ball would land. This information was then sent to the screen of the mobile just before bets had to be placed, and massively improved the chances of the wily gamblers hitting the jackpot.

I recall Data in a Star Trek Enterprise episode having similar good fortune at roulette. It is surely gratifying that mere humans, with technology at their bidding, can mimic his considerable talents.

Bad news for casinos though.

People willing to barter privacy (and security?) away

Privacy mavens are understandably unwilling to contemplate the horrible - that people will nonchalantly, but pragmatically, give away their precious privacy rights, for very little in return. However, many surveys strongly suggest this to be the case.

However, it now seems that many are even happy to invite spyware onto their systems - if it seems worth their while.

That being said, there is also plenty of evidence to suggest that consumers will be most unforgiving, if A) they do not get the goodies they were promised in return for their data, and most especially B) if they have their identities stolen, or end up in some way worse off (for instance, as a result of lax security practices).

In these cases, you will never see them again.

This article in Wired magazine suggests that some consumers are indeed willing to endure spyware on their computers. However, they may not appreciate the potential for such malicious code to result in a major security breach. Clearly more education is needed, and the oft ambiguous difference between adware and spyware needs to be thrashed out - to prevent the self interested consumer making a choice they may come to heartily regret.

Meanwhile, marketers everywhere take note.

US banks phishing for help

US banking security chiefs are finding it tough going getting a handle on increasingly sophisticated phishing scams that threaten the viability of lucrative e-banking initiatives, and risk alienating customers.

According to a report in eWeek magazine, they feel they have 'run up against a wall in trying to find new ways to deal with phishing attacks and are getting little or no help from federal law enforcement agencies'. The federal agencies and law enforcement are undoubtedly constrained by finite resources, and statutes that often require proof of considerable damage before they can launch an investigation. So the banks are often left to their own devices to solve a complex problem.

And while recent surveys suggest that current financial losses from phishing scams have possibly been over hyped, they strongly imply that the real damage is to highly valuable intangible assets (loss of customer confidence, brand damage, etc). Therefore, the threat cannot be ignored.

What to do?

European, Australian, and EU financial institutions are turning to two factor authentication (see the archives for related stories) - smart cards and tokens that generate one time passwords - for help to enable them to add a further layer of security that miscreants must breach before doing their worst.

However US banks, in particular, are slow to change from simple passwords - looking for proof of concept before spending the dollars for such a roll out - despite the fact that costs are invariably passed back to customers. They also blame US consumer obsession with privacy as an impediment to move to more complex technology.

Gartner predicts that by the end of 2007, less than 20% of banks worldwide will rely on simple passwords to authenticate retail customers, but more than 60% of US banks will continue to do so. This fact is particularly cogent as recent statistics show that e-payments have surpassed cheques in popularity in the US for the first time.

Consumers expect more

Using consumer fears about privacy infractions in the US as an excuse to avoid doing anything is a particularly lame argument - especially as outside the healthcare and financial services sectors, there are few privacy laws to worry about - at least at the federal level. In addition, surveys show that consumers expect the banks and online retailers to protect them from identity theft, phishing scams and a raft of additional evils that blight cyberspace.

Indeed, a recent Gartner survey of 5000 adult Internet users confirms that online consumers (often portrayed as 'lunk headed' idiots) are unimpressed with the level of security provided by banks and online retailers, especially passwords.

Almost 60% of the respondents said they are concerned or very concerned about online security, and more than a whopping 80% said they would buy more from online retailers who offered them more protection than just a username and password to protect their accounts. Talk about motivation to change!

The respondents preferred low-tech options such as challenge and response (mother's maiden name, etc) solutions, or shared secrets that allow them to pick images for display on Web pages - to prove the authenticity of e-commerce Web sites. See my phishing article for examples of such ingenious, albeit low tech services.

They were less enamoured with security software downloads, smart cards or USB tokens. However, it is trite to say that they may be open to persuasion if a compelling cost/benefit analysis is presented to them. i.e. "use enclosed strange key ring thingie at minimal/no cost and do not get identity stolen online". Consumers are simply not the daft idiots they are frequently made out to be - by people who should know better.

There will be winners and losers in the online retailing world. The winners will not be those that treat consumers with disrespect and ill-disguised contempt. They will be retailers that understand the give and take in retail - the trust paradigm - and what consumers are willing to bear.

The elusive US Cybersecurity Tsar

Will the powers that be in the US create a new, high ranking Cybersecurity Tsar role - or won't they?

A recent report by a US Subcommittee on Cybersecurity has said that they should. It describes the need to create the position of 'Assistant Secretary of Cybersecurity' within DHS (Dept. of Homeland Security) as a 'top priority' for the 109th Congress.

The speedy exit of the last incumbent, Amit Yoran, from the less exalted position of 'Director of Cybersecurity' after a mere one year on the job, makes it unlikely that the security digerati are lining up with bated breath.

Happy days here again for IT vendors..

The report contains a useful synopsis of the main issues in cybersecurity today (as we know and love them), but closes with a series of wimpy, old and tired recommendations for change - in many instances reading as if dictated from an IT lobbyist's manual.

The lack of serious data on the extent of the problem of security breaches is lamented - but the obvious response to this intractable conundrum, namely the suggestion that companies be mandated to report such incidents where customers are affected, as in California, does not even get a mention.

Indeed, regulation in the field is generally 'out'. 'Incentives' (as ever, vaguely defined) are definitely 'in'. A considerable victory for IT vendors, who can continue to sell unwarrantied, sub-standard, error ridden gear to global customers with officially sanctioned impunity.

It is noted that 'several IT security businesses' have stated that 'they have efforts underway' to 'eliminate as many flaws and vulnerabilities as possible before their products enter the market'. No examples of these commendable activities are cited.

By way of explanation for not suggesting legislation as the route to change, it is deemed 'inadvisable', as it might set the security bar 'too low'. And, in a flagrant sop to vendors, it is stated that it would be 'difficult' to draft legislation that could 'stay the test of time'.

Little mention is given to the disagreeable fact that the US Constitution, written in 1787 by white guys in tall hats, has proven to have well stood the test of time.

But little good news for business

While the IT vendors get a gentle commendation for their 'efforts underway' to up their game, alas, there is little solace to be found in the report for their long suffering customer base.

Indeed, it is declared that 'cybersecurity should be treated as a cost of doing business by the highest levels of an enterprise’s Leadership'.

Even worse - "it is clear that information security governance requires that corporate management take the lead in securing computer systems".


So yet again - a decent analysis of the issues, but an entirely vacuous conclusion.

One wonders why they continue to even bother? And when customers will finally say 'enough is enough' and start to fight back, and demand better product.