Simon Bisson & Mary Branscombe's Blog

Security: the impossible juggling act for Windows 7

By Simon Bisson & Mary Branscombe in Editorial

Posted in Windows Vista, operating systems, Windows, Security, Internet, Microsoft on December 30, 2008 at 4:59 pm


You want Windows to be secure; but are you prepared to use it if it is? 

The big advances in Vista weren’t just the architectural changes that made for driver and application incompatibilities as the software vendors played chicken with Microsoft (or, to be seasonal, pantomime dames: We’re finally going to launch Vista/Oh no you’re not!/Oh yes we are…). There are major security improvements, from the low-rights protected mode that browsers other than IE7 are finally taking advantage of to address space randomization - which isn’t perfect protection according to security expert and ex-Microsoftie Jesper Johansson, but still gives you a one in 256 chance of getting infected by a Trojan rather than a hundred percent chance. And then there’s UAC - and the real problem.

UAC is far and away the most maligned feature of Vista. Microsoft’s Steven Sinofsky is only half joking when he compares it to Clippy: “the end user view of compatibility was the UAC prompt that was so famous I thought for a few moments it would surpass the fame of Clippy - and I’m now associated with both of those personally.” UAC is infamous, but for something that’s supposed to be so hated it’s widely used: it was on in 88% of all user sessions in Vista by last April and probably rather more by now.

And it might be hard to believe as the screen goes dark yet again, but 66% of all Windows sessions have no UAC prompts at all and Vista SP1 will bring that down further because fewer tasks require an elevation prompt. When Vista came out, 80% of the prompts were caused by just ten apps (a mix of tools in Windows, Microsoft apps and third-party software). UAC is achieving its real aim, which is to get more software to work when you run as standard user. If you’re logged in as admin, you’re turning off almost every security option there is; according to David Cross, who made a name for himself by telling attendees at the RSA conference that Microsoft put in UAC to annoy users so much that software developers would do the work to make apps run in user mode, “almost half of vulnerabilities have a reduced impact because you’re running as standard user”.

But in Windows 7 you might not see any prompts at all, because Microsoft’s response to the UAC complaints has been to introduce a slider that allows silent elevation; that’s a nice graphical interface that makes the seven GPOs you could already use to control UAC much more accessible. But how does that make you more secure?

If you want to be 100% secure, you need to turn your PC off, unplug it and never use it again. Disconnect it from the Internet and don’t plug in any peripherals and you only have to worry about someone stealing your snail mail. It’s not very convenient, of course… and UAC did have an element of a toddler tugging at your sleeve and asking you ‘why?’ all the time. What people who think UAC is too much like hard work really want is the psychic computer: it should know when I want to install software, when I want to do updates and whether the link I’ve clicked on is legitimate, all without bothering me or tracking what I do. Security either needs to make dangerous things harder, or to make users more careful. How much inconvenience are you prepared to put up with to avoid getting hacked? If Windows 7 avoided Vista’s other flaws but had the same level of UAC prompts, would you be complaining?

Mary
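The slider and the Group Policy settings it fronts all end up as a handful of registry values, so the quickest way to see whether a machine has been moved to silent elevation is to read those values back. The following PowerShell is an added example, not code from the post or from Microsoft: it reads the documented UAC policy values, substitutes the Vista default where a value is absent, and returns one finding per setting that removes a prompt from an administrator’s path to elevation. The constructed sample object at the end exercises the audit logic without touching the live registry.

```powershell
# Added example (not from the original post): audit the registry values that the
# UAC Group Policy settings write, and flag silent-elevation configurations.
# Read-only: nothing on the machine is changed.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of each ConsentPromptBehaviorAdmin value for an administrator's session.
$AdminPromptMeaning = @{
    0 = 'elevate without prompting (silent elevation)'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent only for non-Windows binaries'
}

function Get-RegValueOrDefault {
    # A value missing from the key means the platform default applies.
    param($Props, [string]$Name, [int]$Default)
    $prop = $Props.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $Default }
    return [int]$prop.Value
}

function Get-UacPolicy {
    # Reads the live values into one object (defaults are the Vista defaults;
    # Windows 7 changes ConsentPromptBehaviorAdmin's default to 5).
    $p = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    [pscustomobject]@{
        EnableLUA                  = Get-RegValueOrDefault $p 'EnableLUA' 1
        ConsentPromptBehaviorAdmin = Get-RegValueOrDefault $p 'ConsentPromptBehaviorAdmin' 2
        ConsentPromptBehaviorUser  = Get-RegValueOrDefault $p 'ConsentPromptBehaviorUser' 3
        PromptOnSecureDesktop      = Get-RegValueOrDefault $p 'PromptOnSecureDesktop' 1
    }
}

function Test-UacPolicy {
    # Returns one finding string per weak setting; an empty result means a prompt
    # still stands between an administrator's session and an elevated process.
    param([Parameter(Mandatory)] $Policy)
    $findings = @()
    if ($Policy.EnableLUA -eq 0) {
        $findings += 'EnableLUA=0: UAC is off. Administrators get no filtered token, so every process they start is already fully elevated.'
    }
    if ($Policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: silent elevation. Code running in an administrator session can elevate without the user seeing anything.'
    }
    if ($Policy.PromptOnSecureDesktop -eq 0 -and $Policy.ConsentPromptBehaviorAdmin -ge 3) {
        $findings += 'PromptOnSecureDesktop=0: the consent prompt is drawn on the interactive desktop, where other user-mode software can overlay it.'
    }
    return $findings
}

function Show-UacPolicy {
    param([Parameter(Mandatory)] $Policy)
    $meaning = $AdminPromptMeaning[[int]$Policy.ConsentPromptBehaviorAdmin]
    "Administrator elevation: $meaning (ConsentPromptBehaviorAdmin=$($Policy.ConsentPromptBehaviorAdmin))"
    foreach ($f in (Test-UacPolicy -Policy $Policy)) { "  WEAK: $f" }
}

# Constructed sample: silent elevation for administrators, prompts off the secure desktop.
$SilentSample = [pscustomobject]@{
    EnableLUA = 1; ConsentPromptBehaviorAdmin = 0; ConsentPromptBehaviorUser = 3; PromptOnSecureDesktop = 0
}
'--- constructed sample ---'
Show-UacPolicy -Policy $SilentSample

# Live machine (skipped where the key cannot be read, e.g. on non-Windows hosts).
try { '--- this machine ---'; Show-UacPolicy -Policy (Get-UacPolicy) } catch { "registry not readable here: $_" }
```

The audit is deliberately read-only; the values themselves belong to Group Policy, and a machine in a domain will have them reset at the next policy refresh if they were changed locally.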


Tombstone

By Simon Bisson & Mary Branscombe in Editorial

Posted in Enterprise, Windows, Server, Microsoft on December 27, 2008 at 9:09 pm


The other day I made a stupid mistake.

This one was particularly stupid, as in a momentary fit of neatness, I deleted all the old Small Business Server Group Policy Objects from my main office server.

The AD looked a lot neater now.

However I’d just given myself a whole new world of hurt.

I’d upgraded our network earlier in the year, and had replaced the SBS 2003 box with a Windows Server 2008 machine. In the migration, all the old GPOs had made their way across to the server, and one or two of them weren’t suitable for the current network configuration. Deleting them shouldn’t mean too much disruption - or so I thought.

I was very very wrong indeed.

Deleting the GPOs also took out the associated Active Directory objects.

That wasn’t good at all.

Bang went all the users, all the mailboxes, and all my domain attached PCs were left unable to log in.

Ooops.

Luckily for me, Windows Server is designed to help deal with that sort of mistake. Active Directory’s tombstone mechanism keeps deleted AD objects around - the trick, of course, is to find a way to undelete them.

Again, luckily for me, the folk at Quest have a free tool to do just that. It’s not their full-featured Active Directory Recovery Manager, which is an excellent AD management tool. Object Restore for Active Directory is a simple tool that scans a server’s tombstoned objects, and gives you a list of what’s been deleted. Windows Server’s Tombstone Reanimation interfaces let you recover stored objects, and the Quest tool simplifies the recovery process, quickly dropping your recovered objects back in the Active Directory.

You can then move them into the appropriate place. My users could now log back into the server. However, that was only part of the story, as I had to recover the mailboxes and reconnect them to the user accounts. Again, the tools built into the server saved the day, as Exchange 2007’s wizards quickly put user and mail back in touch.

I was lucky. It took less than an hour to get everything back in place - thanks to the tools built into my server, and the free applications I found online.

The moral?

Don’t rush at things - and make sure you know exactly what a change means to your server, and to your users.
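What the Quest tool wraps is the LDAP tombstone-reanimation interface the post mentions: a search with the "show deleted objects" control to list tombstones, then a modify that clears isDeleted and gives the object a new distinguishedName. The PowerShell below is an added example, not the post’s own recovery steps or Quest’s code; it uses System.DirectoryServices.Protocols directly so it works against a Windows Server 2008 domain controller without the Recycle Bin feature. The server name, base DN and the OU the recovered user is placed in are assumptions.

```powershell
# Added example (not from the original post or from Quest's tool): list tombstoned
# objects and reanimate one over LDAP. Server, base DN and target OU are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server = 'dc01.example.local'     # assumption: a writable domain controller
$BaseDn = 'DC=example,DC=local'    # assumption: the domain naming context

function Connect-Ldap {
    param([string]$Server)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true     # integrity-protect the session
    $conn.SessionOptions.Sealing = $true     # and encrypt it
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()                             # current Windows credentials
    return $conn
}

function Get-Attr {
    # First value of an attribute, or $null when the tombstone did not keep it.
    param($Entry, [string]$Name)
    $a = $Entry.Attributes[$Name]
    if ($null -eq $a -or $a.Count -eq 0) { return $null }
    return [string]$a[0]
}

function Get-Tombstone {
    # Tombstones are invisible to a normal search; the ShowDeleted control
    # (OID 1.2.840.113556.1.4.417) asks the DC to return them.
    param($Connection, [string]$BaseDn, [string]$ObjectClass = '*')
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest
    $req.DistinguishedName = $BaseDn
    $req.Filter = "(&(isDeleted=TRUE)(objectClass=$ObjectClass))"
    $req.Scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $req.Attributes.AddRange(@('sAMAccountName', 'lastKnownParent', 'whenChanged'))
    $req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl)) | Out-Null
    $resp = $Connection.SendRequest($req)
    foreach ($entry in $resp.Entries) {
        [pscustomobject]@{
            TombstoneDn     = $entry.DistinguishedName
            SamAccountName  = Get-Attr $entry 'sAMAccountName'
            LastKnownParent = Get-Attr $entry 'lastKnownParent'   # where it lived
            WhenChanged     = Get-Attr $entry 'whenChanged'       # roughly, when deleted
        }
    }
}

function Restore-Tombstone {
    # Reanimation is one modify: delete isDeleted and replace distinguishedName.
    # The object comes back with only the attributes the tombstone preserved.
    param($Connection, [string]$TombstoneDn, [string]$NewDn)
    $mod = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $mod.DistinguishedName = $TombstoneDn
    $mod.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl)) | Out-Null

    $clearDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $clearDeleted.Name = 'isDeleted'
    $clearDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $setDn.Name = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $setDn.Add($NewDn) | Out-Null

    $mod.Modifications.Add($clearDeleted) | Out-Null
    $mod.Modifications.Add($setDn) | Out-Null
    return $Connection.SendRequest($mod).ResultCode   # Success when reanimated
}

# Usage: list deleted users first, then reanimate one deliberately.
$conn = Connect-Ldap -Server $Server
$deleted = Get-Tombstone -Connection $conn -BaseDn $BaseDn -ObjectClass 'user'
$deleted | Format-Table -AutoSize

# Example of putting a listed user back under its last known parent (assumed names):
# $t = $deleted | Where-Object SamAccountName -eq 'jsmith'
# Restore-Tombstone -Connection $conn -TombstoneDn $t.TombstoneDn -NewDn "CN=jsmith,$($t.LastKnownParent)"
```

A reanimated account keeps its SID and sAMAccountName, which is what lets the mailbox be reconnected afterwards, but it comes back disabled with no password and without its group memberships, so those have to be reset and re-added by hand. Listing first and restoring one object at a time is the safe order: the reanimation is itself a directory change, and the post’s moral applies to it as much as to the deletion.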


Does a netbook look like you mean business?

By Simon Bisson & Mary Branscombe in Editorial

Posted in Business, Christmas, Processors, operating systems, Toys & gadgets, Windows Mobile, Laptop, linux, Hardware, Mobile on December 19, 2008 at 6:31 pm


Thinking about a netbook as a last-minute stocking filler for yourself? There are some very usable netbooks now, especially the Dell Mini 9 and the new Lenovo. But they’re still cheap and cheerful personal machines with consumer features, and many of them look it.

In an ideal world, the ultraportable you want for business needs a few more features. A fingerprint sensor and Vista with BitLocker encryption would be a good start, along with a keyboard you can actually type full documents and emails on. A battery that lasts a full day saves you starting every meeting by looking for a power socket. Built-in 3G is more efficient, giving you better bandwidth and using less power than a USB dongle. And while looks aren’t everything, it doesn’t hurt to carry something stylish that marks you out as a success. Many of the netbooks on the market have basic looks to match their basic price and basic features. Customers and partners will want to take a look at a netbook and may be impressed by how much you can get done on it despite the limitations, but they can go away with the impression that you can’t afford anything better.
 
You certainly won’t give that impression with the unfeasibly light Toshiba R600 or the slim, sleek Sony TT. At the launch, the Chinese artist commissioned to produce signature chops for the journalists kept saying “TT. Like the Audi?” That’s not a bad impression to leave people with.
 
After Steven Sinofsky flashed a Lenovo S10 around on stage at the Windows 7 announcement at PDC, Mike Nash did a little repositioning of the Windows 7 netbook story, telling a story about visiting a big-box store where the 20-year-old assistant insisted that the only people buying netbooks were “really old people!” Really old people? How old? “Old! 40 or 45!”

Leaving aside the way anyone over 21 looks old from a certain angle - like the New Yorker map of the world, where anything outside Manhattan might as well be in Australia - and whether white plastic looks more like a child’s toy than black metal, the real question is what you can achieve on a cheap machine. Hardly anyone wants a PC just for Web browsing, especially now the iPhone and the BlackBerry Bold and even Windows Mobile with Skyfire (http://get.skyfire.com) mean you can see real Web pages on a phone. There’s the ‘familiar applications from Windows’/‘any application that does something similar so Linux is fine’ debate. And there’s whether I can run the applications I want, fast enough to do something useful and with enough battery life to make it worth carrying a netbook with me. Three hours doesn’t cut it for me: I want to be able to run five Office applications and a Web development tool, and I want a fingerprint sensor and a TPM while I’m at it.

It’s like the HTC Advantage, which I still think of as the first Mobile Internet Device by Intel’s definition; as soon as the screen was big enough and the processor fast enough I wanted all my usual PC applications instead of the cut-down Windows Mobile equivalents. I prefer Office to Google Docs because I like features like document reviewing and AutoCorrect and colour conditional formatting to show values visually as well as numerically. And I’d rather have an ultraportable than a cheaper netbook, because it does more. It’s nice if it looks as good as the Sony TT, but the Toshiba Portégé R600 isn’t any prettier than a netbook; but it is the thinnest, lightest machine I’ve ever picked up, which also has a DVD drive. Just as Apple products are undeniably desirable on a visceral level, netbooks are a hard to resist combination of cheap and cute. But if they don’t do what you really need, they’re no bargain.

-Mary


Facebook for children, Facebook for hackers and the identity solution

By Simon Bisson & Mary Branscombe in Editorial

Posted in Identity, People, Web browser, Security, Internet, Microsoft on December 13, 2008 at 11:00 pm


Set up a safe online network for children, or create a target for unwelcome visitors? Make it easy to share pictures, videos and food fights with friends, or create another avenue for malware? If you want an Internet that’s not full of dark backstreets disguised as well-lit safe places, we need identity rather than censorship.

The Koobface attack has spread from Facebook and MySpace to Bebo and other social networks: a message from a friend telling you to see a funny video takes you to a Web page that tells you Flash needs updating, and once the Trojan masquerading as a codec is installed, it does actually take you to the social network site to lull your suspicion. Does standard email hygiene avoid this? That says never open a link in an email message, even if it’s from a friend - so you go to the Web site, being careful to type the URL correctly to avoid typosquatters, and look for the message there. And you keep your anti-virus up to date, which will catch most of these Trojans.

But mostly you wish there was some way of knowing when it’s OK to follow a link, because let’s face it - who has time to actually stop and type in every URL by hand? Facebook is always sending me messages from people with a link to click at the bottom to reply to them; LiveJournal does the same and I actually reply. Friends and colleagues send me email with interesting links; so does the Microsoft security newsletter.

Links are for clicking. Assuming you’re up to date with patches against drive-by downloads, what you’re really struggling with is the arbitrary behaviour of even legitimate Web sites and the hoops they make you jump through, from typing in a username and password every time, or every two weeks, or next to a picture you recognise, or standing on one leg whistling God Save The Queen. And the passwords are each made up of some uniquely different regular expression. Punctuation, case, sequential numbers, length: does enforcing or ignoring them make your password more secure, more memorable, or more likely to be written down?

What would work better would be a familiar and universally recognised ceremony, like putting a credit card in a reader or using the Windows security dialog or pressing the button at a pedestrian crossing: no two pedestrian crossings are the same, but you know the protocol to tell them you’re a pedestrian. If you’ve read any of my password rants before, you might have guessed I’m talking about information cards; if not, I’m going to point you at this Gartner interview with Kim Cameron and Dick Hardt’s excellent (and short) Identity 2.0 presentation.


Servers

By Simon Bisson & Mary Branscombe in Editorial

Posted in Hardware, Enterprise, virtualisation, operating systems, linux, Intel, HP, Server, Windows, Microsoft on December 5, 2008 at 7:55 pm


Server sales went down 3.8% and up 4.9% this summer. That’s up if you’re counting how many servers companies have been buying in EMEA in Q3, by nearly 5%, and down by just under 4% if you’re counting how much they cost. It’s the biggest fall in the amount spent on servers since the end of 2005, and the news is much worse in Western Europe, at least for server vendors. Revenue went down 7.6% compared to last year, although unit sales are only down by 0.6%; that means you can buy almost as many servers as you did last year and pay rather less for them.

Dig into the IDC figures and there are some other interesting trends. Central and Eastern Europe are using more and more IT and it’s not just commodity x86 servers (up by 15/9%); pricier Itanium, mainframe and other non-x86 servers went up by 22% and IBM saw an almost 50% increase in revenue for z/OS here. Windows didn’t lose any revenue this year either, although all other server operating systems did, including Linux (although only what IDC calls a ‘very minor drop’); in fact Windows gained another 2% of server OS market share across EMEA.

It’s still the year of blades: up by 37.5% in sales compared to last year, and now 12% of all server sales by revenue. IBM lost as much on falling sales of x86 servers as it made on System z mainframes. Sun’s SPARC Enterprise systems sold well but Sun still lost share in the server market. Like IBM, it’s losing out to Dell and HP: HP was the number one server vendor with 2.4% growth, mainly because of ProLiant sales. Dell had a small increase in revenue and a 4% increase in shipments: more than HP but much less than the double-digit growth it had been seeing in previous quarters.

So, yes, server sales are down overall and manufacturers will be hurting; but so far it seems to be canny buying that’s affecting the market as much as buying fewer servers. And that makes me think that while some companies may be skipping new servers in favour of SaaS and the cloud, more are just tightening their belts. The credit crunch has led to plenty of mergers and acquisitions (some more voluntary than others); that’s a lot of heterogeneous IT systems to integrate, which means less time to go building new systems that need new servers - and more servers in a business that might get better economies of scale.

And then there’s virtualization. The server vendors have been supporting virtualization to the point of putting hypervisors in flash on new servers to get you running 20 servers’-worth of VMs on your new box more quickly. I’ve been asking vendors if this isn’t storing up trouble and lost sales for the future. You might never have bought the other 19 servers, but how about just another two or three? Answers have ranged from blank looks to assurances that it wouldn’t be a problem for long enough to let them find a way around it (often followed by ‘people will always need new servers’) to the very honest ‘yes, but we have to do it these days’. VMware revenue was up 32% for Q3 2008 compared to the year before; growth for 2008 might “only” be 42% rather than 45%. Microsoft has only just got into the serious hypervisor market with Hyper-V, but it’s free with Server 2008 so you can expect it to grow fast; Citrix and Red Hat have been chalking up the numbers for a few years too. Maybe the credit crunch will be the point at which virtualising servers also comes to mean not buying as many new ones.


The ColdFusion Renaissance

By Simon Bisson & Mary Branscombe in Editorial

Posted in Applications, Developer, Adobe, Internet on December 3, 2008 at 12:32 pm


Most years you’ll see an “is ColdFusion dead?” article. Like the infamous bad penny that keeps turning up it’s a meme that just won’t die. So if it’s a story we keep seeing, surely there must be a grain of truth in it?

Spend 30 minutes with Adobe’s Ben Forta, and you’ll know that’s not the case. Ben’s been working with ColdFusion since the Allaire days, and he knows the product (and its market) inside and out. Sure, there are fewer pages that show up with that telltale .CFML extension these days, but that’s more because the underlying technologies of the web have changed.

Where we might have used a page markup language to dynamically generate page content, we now use AJAX - or even Flash. Today’s dynamic HTML pages talk directly to application servers and database engines, using REST and JSON to fire up their AJAX display components. It’s a much better architecture, separating business logic from display. That doesn’t mean those in-page dynamic content engines have gone away. They’re now in the background, handling database queries, managing and marshalling the new asynchronous connections between server and web browser.

That’s where you’ll find ColdFusion today. Sitting on top of Java, it simplifies the process of building and deploying web-facing Java applications. You don’t need to build complex new application server applications, wrapping Java classes in servlets - all you need are a few lines of hidden CFML to parse incoming XML and JSON, and to mediate the response from the server. Your browser (and the various site sniffers that people use to get the data for web technology surveys) won’t see the ColdFusion middleware layer - just the smooth Web 2.0 user experience we’ve come to demand.

ColdFusion’s also making quite a lot of inroads inside the firewall. Too often businesses and government lock up essential data in inefficient Access databases. ColdFusion applications can take that data and make it available to anyone on the network, with quick wins and rapid application development.

Adobe’s MAX event in Milan showed off a product codenamed “Bolt”, which will help developers work with ColdFusion in this new middleware world. It’s Adobe’s


Enter the interaction architect

By Simon Bisson & Mary Branscombe in Editorial

Posted in Applications, Developer, Adobe, Internet on December 1, 2008 at 5:55 pm


Adobe’s MAX event here in Milan has seen the European unveiling of its upcoming Catalyst web application design tool. It’s here that it’s also begun to discuss how it sees web application development workflows changing to improve the often fractious relationship between designer and developer.

The launch of Flex (developed by ASP co-architect Mark Anders) changed the way the development world looked at Flash. A tool for producing animations and the butt of a million “Skip Intro” jokes had become a new way of producing complex state-based user interfaces. Flex made Flash as much a part of Web 2.0 as AJAX. Even so, there were still problems. It was easy to tell a Flex site, as the limited skinning capabilities made Flex controls look the same wherever you went on the web. You could design your own controls from scratch, but then they became as much part of the code as a site’s business logic - which was exactly the thing it was trying to prevent.

Designers and developers don’t think the same way. That’s not a bad thing - the creative tension between the two ways of working can deliver amazing applications with intuitive ways of working. However, it also means that they don’t work well while sitting in each other’s pockets, working on each little piece of a page. What’s best is that architectural utopia, the complete separation of design and code. Developers can work on business logic without affecting the design, and designers can do the opposite…

That’s the idea behind Catalyst (perhaps still best known by its codename “Thermo”). Designers can start work in familiar Illustrator and Photoshop, and then import their layers into Catalyst. Here they can map out buttons and dynamic content, marking them up and adding state information to a design. The resulting prototype can be converted into a new FXG format, and imported straight into Flex. Developers can start work on the code straightaway, adding the logic behind the buttons and the dynamic content. Meanwhile the designer team can concentrate on fine tuning the interactions, producing a user interface that’s clean and easy to use. The two versions can eventually be merged, ready for testing and delivery. It’s a simple, clear workflow that brings designers and developers closer together, concentrating on their strengths and avoiding the pitfalls of their weaknesses.

Of course this means we’ll need a new kind of designer, one who’s focussed on the user experience and on how it should be delivered. We’ve already got application architects putting together the backend, and information architects managing metadata (as well as database architects handling storage). So why not call this role the interaction architect? It’s definitely a senior role that defines the direction of the UI component of an application -
