Nobody knows what Web 2.0 really is
By Simon Bisson & Mary Branscombe in Editorial
Posted in Business, Enterprise, Web browser, Futures, Google, Internet on
Well, Tim O’Reilly has an idea, because he came up with the term. And the new O’Reilly Web 2.0 consulting practice ought to know. In fact one of the reasons the company set up the consultancy arm is to get everyone to agree on a definition, because we can’t have a good conversation about the
Shine a light: how HP wants to get a lot greener
By Simon Bisson & Mary Branscombe in Editorial
Posted in Hardware, Server, HP on
Every three seconds, HP sells a printer (two of them in Europe). That makes HP responsible for a lot of the 22 pages office workers print every day, half of which end up in the bin. All that paper and ink can make it hard to think of HP as particularly green, especially when Vyomesh Joshi, the VP of the print and imaging division, talks about wanting to see more pages on HP printers.
Naturally enough, he doesn’t think it’s much of a contradiction. “We are in the printing business; we don’t want customers to not print. We have to make sure they use it, but also make sure they use it effectively. We want to make sure every printer they buy from HP has lower energy consumption than any other printer.” Make sure printers turn on “instantly” and people will be happier to turn them off; use the Web Jetadmin software to turn printers off at the weekend and you’ll save even more energy. “Make duplex printing the default and you can save a tremendous amount,” he says.
And if you think we throw away a lot of paper in offices, 20% of newspapers are discarded, as are 40% of books and 20-30% of marketing bumph. People print too many copies that go out of date, because of the setup charges on offset printing. Naturally again, HP has a solution; customised on-demand printing for everything from wine labels to out of print books.
HP is also pushing green ideas for the data centre like running the air conditioning four degrees higher by blowing cold air directly into the blades. The air coming out the back of the blades is a lot hotter - more like a sauna - but heat behind the blade doesn’t matter so much. But if CEO Mark Hurd is right to predict that data centres will use 50% less energy soon, it’s going to take more than hot air.
The reason smart cooling works is that HP puts sensors on each rack to make sure the air is only as cold as it needs to be. Without those, says HP fellow Chandrakant Patel, a home air conditioning system is more sophisticated than what’s in most data centres. The next step is to use optical interconnects and lasers to replace copper data cables, which saves the 20% of your energy that goes on heating and cooling the copper. That’s more likely now HP Labs has come up with a photodetector so sensitive it works as a solar cell.
But the carbon footprint of a data centre includes the CO2 from the concrete used to build it, and the manufacturing and transportation of everything from the blades to the carpets. Really reducing that means calculating it and Patel is working on a framework to cover technology in general. That would measure the true energy cost, down to what it takes to deal with the fertilizer runoff from the fields growing the corn that’s made into the ethanol that goes into the biodiesel that drives the backup generator. It’s a huge undertaking, but it strikes me as more likely to help than maintaining that video conferencing can solve the problem by taking cars off the roads (hint: maybe not if that means more data centres to run the video conferencing).
HP and Microsoft; who do you think matters more to the technology industry?
By Simon Bisson & Mary Branscombe in Editorial
Posted in Futures, Business, Hardware, Server, HP, Microsoft on
Microsoft makes a lot of noise. The company holds dozens of conferences, broadcasts its ambitions in every market from mobile phones to data centres to next-generation TV, goes on a buying spree, gets taken to court by everyone from Novell to the EU. HP also makes acquisitions and has ambitions in a lot of markets and employs over twice as many people as Microsoft, but it doesn
RSA 2008 - Computer Anti Forensics
By Simon Bisson & Mary Branscombe in Editorial
How do you know you’ve been hacked? You may have a suspicion that someone’s inside your network, but if your log files don’t show anything, don’t assume that your systems are secure. The bad guys know all about standard computer forensic techniques and have toolkits full of techniques and programs to cover up their traces. The computer security team at Verizon are finding that anti-forensics are used in more than two-thirds of intrusions.
One of the most common techniques is data wiping, used to reduce the evidence available to security analysts. Used in only 18% of cases in 1998, things are very different today, with data wiping used in 80% of cases. The popularity of data wiping can be seen by the sheer number of tools available on black file sites - with more available than all the other types of anti-forensic tools combined.
Luckily for us data wiping is not perfect, and even the best tools leave some files behind, especially when files have been locked or are still in use. It’s a good idea to think outside the box, often literally. Perhaps a backup has traces of the bad guy at work, or there may be traces of his tools and actions on a clustered storage array somewhere else in your data centre. And of course there’s the old forensic stand-by: running memory. A memory dump can show traces of programs that are running or have recently exited, and the page file on disk can still hold pages from processes that are long gone.
The next most popular technique is data corruption, closely followed by data injection. The aim here is to hide from your logging tools, or even to make your log files unreliable. One technique is very simple: intruders reset the system clock to create a whole new stretch of log that can be deleted when they leave. If there are unexpected holes in log files, there’s a distinct possibility that someone is changing your system clock. More complex techniques use tools to corrupt log files to cover up attacks, or to edit out an attacker’s actions.
One case Verizon worked on was a retail customer that was seeing unexpected charges on its credit card system. Nothing was found in the logs, but the Verizon forensic team was sure that something was happening, so they began to monitor the system.
A few days later a tripwire was triggered, and they were able to watch (and screen capture) someone from the credit processing vendor coming in to the network on a trusted connection. The attacker first changed the system clock to hide their actions, and then used the debug mode in the credit card software to steal transaction data. The security team watched the attacker tidy up after themselves, deleting the debug files. Finally the attacker reset the system clock and edited the system logs to replace their external IP address with an internal one. They’d only made one mistake, which was how the forensics team was convinced that there was an attacker.
What was it?
The internal IP address they were using wasn’t actually assigned to anything.
It’s clues like that that you need to look out for when assessing a system to see if it’s been compromised. You know what makes your network tick, what addresses are in use, and what your system logs should look like. Vigilance is the only way you’re going to be secure.
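The two tells in the Verizon case, a clock that runs backwards and an “internal” address that nothing on the network actually owns, are both things a script can look for. The following is an added example, not code from the original post or from Verizon: the log format, the asset inventory and the sample log lines are all constructed here to show the idea.

```python
"""Spot two anti-forensic tells in an application log: timestamps that run
backwards (someone reset the system clock) and source addresses that look
internal but are not assigned to any host we know about (someone rewrote an
external IP into a plausible-looking internal one).

Added example; the log format, the inventory and the sample lines below are
constructed for illustration and are not from the original post.
"""
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed log format: "<ISO timestamp> <source ip> <message>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (\S+) (.*)$")

# Constructed asset inventory: the only internal addresses that should ever
# appear as a source in this application's logs.
KNOWN_INTERNAL = {
    "10.0.5.21": "pos-terminal-01",
    "10.0.5.22": "pos-terminal-02",
    "10.0.9.4": "card-gateway",
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log: normal traffic, then the clock jumps backwards, a
# debug session arrives from an unassigned internal address, and a long gap
# follows where the attacker's own entries were deleted.
SAMPLE_LOG = """\
2008-04-09T02:00:05 10.0.5.21 auth ok terminal=pos-terminal-01
2008-04-09T02:00:41 10.0.5.22 auth ok terminal=pos-terminal-02
2008-04-09T02:01:10 10.0.9.4 settlement batch=4471 status=ok
2008-04-08T23:30:00 10.0.5.77 debug mode enabled by operator
2008-04-08T23:30:09 10.0.5.77 debug dump written file=txn_debug.log
2008-04-09T05:15:02 10.0.5.21 auth ok terminal=pos-terminal-01
"""


def parse(lines):
    """Yield (line_no, timestamp, source_ip, message) for well-formed lines."""
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            yield n, ts, m.group(2), m.group(3)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit(log_text, max_gap=timedelta(hours=2)):
    """Return (line_no, finding, detail) tuples for suspicious log lines.

    Timestamps are compared to the previous line, so a backwards jump is
    reported once, and a silence longer than max_gap is reported once.
    Unknown internal addresses are reported the first time they appear.
    """
    findings = []
    prev = None
    seen_unknown = set()
    for n, ts, ip, msg in parse(log_text.splitlines()):
        if prev is not None:
            if ts < prev:
                findings.append((n, "clock_backwards", f"{prev} -> {ts}"))
            elif ts - prev > max_gap:
                findings.append((n, "log_gap", f"{ts - prev} of silence before this line"))
        if is_internal(ip) and ip not in KNOWN_INTERNAL and ip not in seen_unknown:
            seen_unknown.add(ip)
            findings.append((n, "unassigned_internal_ip", ip))
        prev = ts
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in audit(SAMPLE_LOG):
        print(f"line {line_no}: {kind}: {detail}")
```

The inventory lookup is the important part: the clock checks only work if the attacker is careless, but an address that is not in your asset database is wrong no matter how neatly the rest of the log has been tidied, which is exactly the mistake that gave the game away in the case above.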
In the immortal words of Hill Street Blues: Be careful out there.
– Simon
From security theatre to security cabaret, or why too much security is worse than none
By Simon Bisson & Mary Branscombe in Editorial
Posted in People, Business, Identity, Futures, Security on
Security theatre is what security expert Bruce Schneier calls measures designed to make us feel safer that don’t actually make us any safer at all. He discussed the positive effects of this at the RSA conference this week; flying is one of the safest forms of transport and if having to take off your shoes and abandon your bottle of water make you feel that airport security is good enough to catch terrorists and you fly rather than taking a more dangerous method of transport, then the security theatre has made you more secure.
Here’s another paradox. Too much security makes you insecure. If someone in your company is emailing customer information to their Gmail account and copying market forecasts to their laptop and keeping old price lists for months after they’re out of date, it’s more likely that they’re just trying to get their job done on the road than that they’re stealing data to pass to a competitor - and that you didn’t give them a better way to do it. Make it impossible to do my job securely and I’m going to break or bypass your security so I can actually do my job.
The wireless network at the RSA conference was a good example of this. It was secure. Very secure. So secure that without the five pages of instructions I didn’t manage to get connected, and I didn’t meet anyone else at the conference who managed it either. If I’d wanted to hack into the laptops of anyone at the show, I wouldn’t have tried to steal them. I’d have set up an open free wi-fi connection on the show floor and everyone would have connected to that instead, giving me a great opportunity to see anything that didn’t go through a VPN.
Hugh Thompson of People Security has a good grasp of security and security theatre; you’ll have seen him if you watched Hacking Democracy, the documentary about the security problems with voting machines. He closed the conference with a chat show that ranged from a funny song about SQL injection (not a very funny song, but still) to Eric Drew’s tale of having his identity stolen by a lab technician at the hospital where he was being treated for leukemia and tracking the man down himself (a story Drew makes funny in the retelling that would have been a tragedy if he wasn’t in remission).
Thompson had a semi-serious conversation with Bill Cheswick, co-inventor of the firewall. Cheswick jokingly referred to malware as a “denial of spare time attack” that at least means you spend time with the family and friends who ask you to fix their computers. He was also slightly tongue in cheek when he said that he hadn’t used a firewall in a decade because he wants to use a secure computer instead; “it’s that whole crunchy outside, chewy centre thing; now we have much bigger liquid centres and once you’re past the outside you have access to everything.” But Cheswick also had some serious predictions to finish off Thompson’s security cabaret.
- “IPv6 has been three years away for the last 15 years. We’re finally approaching it, so all those firewall rules are going to need redoing. That will be fun…”
- “More attacks are going to come in through the browser so it may not matter so much what the OS underneath is. You go to the wrong page, or the right page that has the wrong advertising agency; you did the right thing on your site but the other guy got hacked. To deal with that there’s going to be more sandboxes. I want users to be able to do everything online. I want them to run free in a sandbox. I used ASCII email for twenty years. ASCII email is safe but you want to be able to click on the pictures.”
- “Computers are going to get better. We’re in the barnstorming era now. We’re going to look back and say ‘remember when you had to be careful about what you clicked on?’”
RSA 2008 - Spamming a shadow economy
By Simon Bisson & Mary Branscombe in Editorial
Posted in Security, Internet on
There
ADFS 2.0 will issue info cards
By Simon Bisson & Mary Branscombe in Editorial
Posted in Privacy, Enterprise, Identity, Networking, Internet, Microsoft on
On the Internet, nobody knows you’re a dog. You can put up a Facebook page, send spam, pretend to be a bank; as long as you can read distorted characters, you can leave comments on a blog under any name you choose (I’d like to see at least one Mickey Mouse commenting on this post). Passwords are well past their sell-by date but proving your identity securely matters more and more. Identity online covers everything from throwaway accounts on forums to online banking and no one system is ever going to ‘win’, but they can learn to work together.
You can buy a hard drive from any vendor you like; as long as it fits in your PC and uses a standard interface, your operating system will take care of accessing the hardware and loading the drivers, leaving you to enjoy the storage space. The identity metasystem will do the same thing for user information, identity providers and sites that accept user details in the form of information cards. The terminology comes from Microsoft, the impetus comes from a wide range of customers and the technology comes from everybody from Oracle to Sun, IBM to Novell, the Liberty Alliance to the Higgins Project. Does it all work together yet? Not quite - but the Project Concordia interoperability workshop that opened the RSA conference today was a step forward.
Not least because for the first time Sun demonstrated an information card logon that used no Microsoft software at all; Sun’s Pat Patterson showed a system using OpenSSO v1 build 4 - which Sun will ship in the summer as Federated Access Manager 8.0, with an Oracle identity provider and Novell’s identity selector to deliver the same experience of logging in with an information card as a Vista user gets on the system using CardSpace.
Microsoft showed CardSpace sending SAML 1.1 and SAML 2.0 tokens to a WS-Federation system. Ashish Jain of Ping Identity demonstrated a system using an information card from Sun to log into Gmail, running Vista in a virtual machine on a Mac talking to a Linux system. And systems from Ping, Symlabs, FuGen and Shibboleth talked to each other and to Sun, Oracle and Microsoft systems using WS-Federation and SAML, transferring not just the identity of the user (from a managed information card provided by a trusted identity provider rather than one the user had created themselves) but also information such as whether the user had authenticated with a password or a smartcard rather than just clicking on a link.
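That last detail, how the user authenticated, travels in the SAML 2.0 assertion as an AuthnContext class alongside the subject and the conditions the issuer attaches. The following is an added example, not code from the original post or from any of the vendors named in it: it parses a constructed, unsigned assertion (the issuer, audience and subject are made up) and runs the checks a relying party has to make before it believes any of the claims. Signature verification against the issuer’s key is a required step that this example deliberately leaves out and flags.

```python
"""Extract the claims a SAML 2.0 assertion carries beyond the bare identity,
in particular the authentication context (password vs. smartcard), and run
the relying-party policy checks: trusted issuer, intended audience,
validity window and minimum authentication strength.

Added example; the assertion, issuer and audience below are constructed for
illustration. The XML signature is NOT verified here and must be checked
against the issuer's key before any of these claims are trusted.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML 2.0 assertion (unsigned, for illustration only).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2008-04-07T17:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2008-04-07T16:59:00Z" NotOnOrAfter="2008-04-07T17:10:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2008-04-07T16:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
"""

# Standard SAML 2.0 AuthnContext classes. The ranking is this example's
# relying-party policy, not something the SAML specification defines.
STRENGTH = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 3,
}


def _ts(value):
    """Parse the UTC 'Z' timestamps SAML uses into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Pull the fields a relying party needs out of the assertion."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audiences": [a.text for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "not_before": _ts(cond.get("NotBefore")),
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
        "authn_context": root.findtext(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
            namespaces=NS),
    }


def check_assertion(info, trusted_issuers, my_audience, now, min_strength):
    """Return the list of policy failures; an empty list means acceptable.

    Precondition: the assertion's XML signature has already been verified
    against the issuer's key. An unsigned assertion can claim anything,
    including a SmartcardPKI context the user never actually performed.
    """
    problems = []
    if info["issuer"] not in trusted_issuers:
        problems.append("untrusted issuer")
    if my_audience not in info["audiences"]:
        problems.append("audience mismatch")
    if not (info["not_before"] <= now < info["not_on_or_after"]):
        problems.append("outside validity window")
    if STRENGTH.get(info["authn_context"], 0) < min_strength:
        problems.append("authentication too weak")
    return problems


if __name__ == "__main__":
    claims = parse_assertion(SAMPLE_ASSERTION)
    when = datetime(2008, 4, 7, 17, 5, tzinfo=timezone.utc)
    print(claims["subject"], claims["authn_context"])
    print(check_assertion(claims, {"https://idp.example.com"},
                          "https://sp.example.org", when, min_strength=3))
```

The audience check is the one most often skipped in home-grown relying parties: an assertion issued for one site replayed against another is still validly signed by the same identity provider, and only the Audience element tells you it was never meant for you.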
Who needs that heterogeneous a system? General Motors for a start, which is why Bob Haar, an IT architect at GM, was chairing the workshop along with Microsoft’s Mike Jones and Eve Maler from Sun. Jones repeated what Microsoft is hearing from customers; “Some of the more interesting business discussions have been about risk. Certainly in the automotive industry, a decision has been made that there’s both at least cost savings and possibly minimisations of risk by going to federated authentication for collaboration with suppliers. Think about how many companies are involved in building a GM automobile or a Boeing airplane; it’s mind boggling.”
Haar explained that in a little more detail. “We think the federation gives us more control in real time to monitor and control access. There are legal and contractual aspects of setting up the business relationships and supporting for activities about auditing - if there’s a question about who changed this financial data or when it came through the federated environment, we have to have systems and procedures in place to make that happen.”
Sun’s demo didn’t use any Microsoft products at all and Patterson took something of a cheap shot by apologizing to Microsoft for that. Mike Jones smiled back and said actually, Sun had given him two of his three wishes. “I said three years ago we’ll know the metasystem is succeeding when interactions occur that use no Microsoft software, where Microsoft receives no revenue and Microsoft has no idea the interaction is taking place.” Today, the point is for the companies to be talking so they can make this all work. When it does all work, Sun wouldn’t need to tell Microsoft anything to have happy customers who could use CardSpace against a system that uses Oracle to issue identity information to connect through to another system that uses ADFS to do it. Assuming ADFS could issue and understand identity beyond Active Directory…
There isn’t a name for the next version of ADFS, or a shipping date, but Microsoft promises it will issue and consume information cards. This has gone in and out of the feature list for the next version of ADFS as shipping schedules and priorities shifted, but it’s back on the table says Jones, and Visual Studio will get tools for working with identity. “We probably wouldn’t have gotten permission to show SAML2 token support in the next version of our identity server products if we were not going to put tools into deployers’ hands to easily build and consume these tokens. We get that until it’s easy for developers to do this, a lot won’t. We’re looking at federation and information cards not as separate things but as parts of a spectrum people can deploy as it makes sense for them.”
Standards are good, runs an old joke; that’s why we have so many of them. Whether it’s a proprietary approach that’s become popular enough to document or a philosophical difference in approaches, there’s hardly anything in technology that you can’t do in two completely incompatible ways by following different standards. What’s happening in identity is a remarkably grown-up approach to tackling a problem. When did you last see Microsoft, IBM, Sun, Novell and Oracle playing nice together without government interference? Instead of expecting to own the marketplace, all the major players are putting in the effort to get their systems working with each other and with the standards. Imagine if all the effort spent arguing about whether OOXML and ODF could both be ISO standards had gone into writing translators to move documents between the two.
But once it’s easy for a service to accept identity logons from a variety of information providers, what is the user experience going to look like? The test sites had buttons to log on with every combination of service and they exposed the debug information so you could see what was happening; real sites won’t have that. But they shouldn’t have umpteen buttons to choose which information provider I want to use either; that way madness and another set of chances to get me to do something insecure lie.
Every credit card I have has its own branding, and there are plenty of different card readers in shops, but they all have a slot I put the card into and a keypad where I type in the PIN. I don’t have to press a button saying I want to use a MasterCard or an Amex card before I start - I put in the card and the reader works it out, hides the process and asks me for the important thing, my PIN. Sites using identity should do the same thing. Don’t give me a button for OpenID or SAML or Ping or Oracle or whatever underlying identity system I’m going to use happens to be, and make me click it and then click again to pick an information card. Use the same identity selector I’m going to give you my information card in; that way your Web site doesn’t have to have five otherwise identical pages and CardSpace or the Higgins identity selector or whatever the experience is on my OS and browser can do the hard work. All I have to do is say yes, I do want to use this information card with this site and you can concentrate on building something that works better because you know who I am without either of us having to care about passwords.
Motorola: from RAZR-sharp to throat cutting
By Simon Bisson & Mary Branscombe in Editorial
Posted in Toys & gadgets, Hardware, Mobile on
Motorola has backed down from two big challenges this week. The announcements about support for LTE signal that WiMAX isn’t going as well as the company hoped, although they’re good news for users because it means we’ll get more than one system capable of true wireless broadband speeds up to 100Mbps.
Realistically, the future is going to be a mix of multiple wireless standards: mobile operators with investments in 3G were always going to move to LTE; that’s what the name means, long-term evolution of GPRS and 3G. They’re going to use high-speed wi-fi and WiMAX as part of the backhaul along with anything else they can lay their hands on, down to home broadband connections with femtocells. Fast Internet connectivity is expensive. That’s why the dirty little secret of 3G is that there isn’t a single mobile cell anywhere in the UK with more than 1Mbps of backhaul, so whether your HSDPA phone is 3.6 or 7.2Mbps it’s going to crawl along at shared DSL speed.
Fixing that will mean using a mesh of different technologies and WiMAX is only part of it. Motorola has done pretty well out of its WiMAX investments and supporting LTE is logical - but given the investment Motorola put into Clearwire’s US WiMAX service, the company must have hoped for more from WiMAX alone.
And then there’s the handset division losing money and market share hand over fist, which took down CEO Ed Zander and could easily scupper his successor, former chief operating officer Greg Brown, as well. The problem is there’s no sign of a new phone to give the company another success like RAZR. The real problem is, that’s actually business as usual at Motorola.
The original eye-catching mobile phone was the StarTAC. I had the analogue and digital versions and loved both (bearing in mind that this was when you had to learn the primitive user interface and put up with it). With the analogue CELLect data card I did email at 2400bps, sitting on a train to London downloading email from CIX to my HP OmniBook (the one with the mouse on a stick).