Tuesday, May 30, 2006

Microsoft Onecare Released 5/31/06

Microsoft's OneCare service is Microsoft's answer to McAfee and Symantec anti-virus and PC security software. I have not tried it, as I am try not to work with beta software. My gut tells me this, for what it is worth:

The main target of virtually all virus writers is coding errors and security holes in Microsoft's product base. Windows 2000, Windows XP, the Microsoft Office suite, Microsoft Outlook (for email viruses) -- these are all rich targets for hackers and crooks. And, the target has been an easy one. Many, many, many of the holes that are exploited are boneheaded (in my humble opinion) programmer and designer errors. "Buffer overruns" that allow viruses to take over your computer, for example, are errors that grade-school programmers are taught to avoid, and yet they are rampant in Microsoft's code. Code complexity has nothing to do with it -- or maybe it does, in the case of overly-complex code. Regardless, well-designed and well-written code (and, therefore, software applications) do not leave room for hackers to get in.

Now, Microsoft is writing security software designed to save you from people who take advantage of faulty Microsoft code. I don't buy it.

To be fair, OneCare comes with a bundled backup and restore capability, which may be worth the price, but there are other applications that you can use to backup and restore your PC. That is the only service OneCare provides that does not in some way correct an inherent Microsoft problem.

Yes, there are "phishing" emails, trojan horses, and other annoying security problems that are not exploiting Microsoft's flaws, and they are real threats. But MS's product line is a main source of trouble for viruses. You are going to pay money to Microsoft for software that "saves" you from errors of Microsoft's own making. Does this sound like a good idea? Not to me.

So, stick with McAfee. It works.

Happy News Web Site

It is really easy to find bad news in newspapers and web sites. In my random wanderings, I came across Happy News -- a news site that is dedicated to only good news. You would think it would be difficult to find good news in these times, but it has many, many positive articles. I can guarantee that no matter what your mood, you will be smiling by the third article.

Thursday, May 25, 2006

RFID "Security" failings

There is an interesting article on RFID's security problems. "RFID" means "Radio Frequency Identification" and is being touted as the newest way to track goods and services, and people. An RFID tag emits a response when activated by a scanner or other device. So, if you have an RFID tag on a shipping container, a scanner can quickly and easily ID the container from a few feed or yards away, without the need for line-of-sight visibility. So, if you have a frighter full of hundreds of thousands of containers, or a Fedex truck filled with hundreds of RFID'd shipments, a scanner can scan all of them, and quickly know what is in the freighter or truck. Much easier than scanning each one individually using barcodes, say.

With "easy" comes "easy to hack," or break into. Wired has an article showing that this can easily be done. Good reading, and informative. The bottom line is -- once again, we have a cool technology that is not "ready for primetime" that is being pushed for adoption before the kinks are "dekinked." Wal-Mart is pushing the technology because it will save them a lot of money in logistics. However, at what cost? When leave the Wal-Mart parking lot after you buy that RFID'd stuff, can some thief scan you as you leave, follow you home or hijack you and steal it? If you have an RFID passport, can some random person walk by you and pull your ID without even touching you? Can a walk in downtown Manhattan or LA result in a thousand thieves reading your personal information from your RFID tagged ID cards? That is the issue, and the issue is not yet resolved. My guess is that the security issues will be addressed, but not fully, because of the huge profit potential. Just as the financial services companies do not yet have an incentive to really ensure online transactions are really coming from you, RFID users are not incented to protect your privacy. So, my advice is, beware and cautious when dealing with this technology, both as a consumer and as a user.

Other articles on this include an article from Techworld from last year, and InformationWeek from November, 2004. This has been an issue for a while, and it is still a problem, showing that this is not an easy problem to solve -- so, again, treat RFID with suspicion.

The "Baby Photo" Scourge

In today's Wall Street Journal's Personal Journal section, there is a page one article on "The Baby-Photo Backlash." Apparently, proud parents are sending pics of their kids to their friends and family, and some people are okay with it, and others are annoyed by it. Also, parents can set up websites and blogs with photos of their kids, and send links to them. There are, apparently, "etiquette experts" that have something to say about this, like "show restraint," except, of course, when sending pics to the grandparents. Some parents have sent pics to wrong addresses and didn't know it.

That's the article. I don't want to be a critic, but that was about 24 column-inches on a really vacuous subject -- who cares? The one thing that I, being very sensitive to misuse of the web and the diabolical types who troll web sites, care about is that if you have a web site that anyone can access with pictures of your kids, please be aware that anyone can access it, and copy those pictures or your darlings for whatever nepharious reason. Of course, the article didn't mention that, and yet that is the potential tragedy. That is one reason -- the only reason -- I have never posted pictures of my beautiful child on an open web site.

By the way, one of the pieces of advice the article mentioned was to "make sure they are good quality photos." "Good quality" could mean "high resolution" which means "really big," like five or more megabytes per picture. It is not a good idea to send high resolution pics to people via email -- rather, it is better to scale them down by compressing them or resizing them so that they are about two-three hundred kilobytes each -- still big, but not earth-shattering. Of course, "good quality" could mean "nicely framed, in focus, good looking" photographs, and I agree with that wholeheartedly!

Tuesday, May 23, 2006

Nike and Apple -- Together

Nike and Apple?

Just read it.

This is a good example of technologies integrating. Not sure if it makes sense to "do it," but it is interesting!

Also, the new Apple ads are really cute.

Vets Data Stolen

A laptop with the names, social security numbers, and other private information of 26.5 million (that is one tenth the population of America!) was stolen from a "data analyst's" house. According to the Department of Veteran's Affairs, the employee was "not authorized to do" this.

This is the latest in a long string of personal information being stolen or lost -- lost tape backups, stolen laptops, etc., etc. that happened in the last year.

The VA putting the data analyst "on leave" for this is, actually, ridiculous -- the real question is: How could the private information of 26.5 million people end up on anyone's laptop?

With the advancements of technology for mobilization and advances in data storage, data is more mobile than ever before. With wireless laptops, we can now work at our local coffee house. With ever-increasing storage capacity, we could keep detailed information on every man, woman, and child on the planet on a single laptop computer.

With this incredible increase in computer capability comes responsibility, and we run right into one of Uncle Mark's technology maxims:

Just because we can do something does not mean we should do something.

You can take your computer to the beach and work there. That does not mean you should. You are at the beach, for crying out loud! We can check email with our BlackBerries or Treos while tooling along the freeway at 75 MPH. That does not mean we should.

In the case of the VA, while it is true that certain administrators and technicians can access data and get around certain safeguards built into technologies like database servers and business applications, that does not mean they should, and in this case, I would take it further: the systems that have this information should be built to make it virtually impossible for even skilled internal people to get access to mass data.

This is true across the boards, at all companies and government agencies. If there is data that should be treated confidentially, then the systems that access and store this information must be built to always treat this information this way. Appropriate access must be given, but not Carte Blanche access. In other words, the systems should be built in such a way that copying 26.5 million names and Social Security Numbers to a laptop is extremely difficult and out of the ordinary. To skilled internal people, copying any data anywhere is always going to be possible, mainly because you must be able to manipulate and work with data and data structures to build and maintain systems, but skilled designers and developers can make it difficult and well-defined, and can also create an "audit trail" of access, so you know who did the deed.

Given the extreme mobility of data, IT departments (and audit committees, CEOs, CFOs, and HR personnel) really need to evaluate their own data security, and act accordingly. First, you need to know if the data you are keeping is sensitive or not. Are you keeping SSNs of employees on a computer system, or customer tax information or credit card data? What would be the impact of someone stealing this data? Who can access this data internally? Who should have access?

On the other side of the ledger, the government and financial services industry must be responsible as well. Why does it matter if someone has your Social Secutity Number? Who cares? Well, the problem is that someone can open credit card accounts and other financial products with that information, without your ever having to be directly involved. People can pretend to be you and gain access to your existing accounts. This is a big problem.

The cat is already out of the bag, really, on stolen information. As Scott McNealy, former CEO of Sun Microsystems said five years ago "You have zero privacy anyway. Get over it." The answer is not only to make it harder for people to steal information, because the information of millions of people has already been stolen. Rather, the answer is to make the stolen information useless. Financial services companies must be absolutely sure the people they are dealing with are who they say they are, and the government should back that up by making the firms liable for charges made in any other way. In other word, if a credit card issuer opens an account because someone sent in a form with your SSN on it, without absolutely verifying that the person applying was you, then they are liable for all charges made on that card -- you are not. Likewise, if a retailer does not really know it is you they are selling to, they, too, should be liable for the full amount.

Why should you be responsible for their lack of adequate security? They opened the account without your knowledge or consent. They allowed access to your accounts without fully verifying your identify. It is a breakdown in their processes, not yours. If the bank was robbed, the bank doesn't reduce your accounts -- why is this any different?

Technology exists to fully identify you to whomever needs to know who you are. There are no fool proof methods, but there are methods that reduce the risks considerably, and reduces to zero the risk that someone can open accounts with just your SSN and mother's maiden name. There are security token devices that, in conjunction with a Personal ID number (PIN), can ID you online or in person, and is virtually impossible to break. Someone would have to steal both your security token device and know your PIN to gain access.

There is also "in person." You show up in the office of the bank and establish your ID with your birth certificate, passport, or other documents, and thumbprint. You can add retina scans, or other ID technology. Soon, no doubt, you will be able to use your DNA.

This is why I have been a proponent of strong authentication and identification technologies where it matters. If you have money in the bank, it matters that only you or your designates have access to it. It matters that only you can open a credit card account, or pay pal account, or any other account, in your name. It matters that stores really know it is you buying books or CDs from them on line, if they are charging the purchase to you. It matters that when you send an email, people know it is you who sent it, not someone masquerading as you. It is really easy to be anonymous on the web (sort of, anyway), but really hard to be, well, you.

Financial services and retailers will balk at this, because their position is that it would be "onerous" to make this type of identification work. In other words, it is hard. Fine. My view is that the price for their convenience is the cost of fraud. If they are unwilling or unable to fully establish the ID of their own customers, it should be they, not the customer, who pays for the inevitable fraud that will occur. They may say that "the customer" does not want this. My view is that "the customer" has no problem with being correctly identified, and has a big problem with having to recover from "identity theft."

The current issue of Reader's Digest has cover article on "ID Thieves' New Tricks." The fact of the matter is that technology, such as the security token, can defeat most of these tricks.

The bottom line is that companies and government agencies need to put in place systemic safeguards for personal (or any sensitive) information so that laptops or backup tapes being stolen doesn't affect millions of people, and companies and agencies that work with people need to put in place identification safeguards that will make the theft of "personal" information a non-event. The technology exists today to do both. This is one case where "just because we can do something, we should!"