In the last three years, IT security issues haven’t changed that much - but perceptions might have. Trojans and worms might have taken over from viruses, but the problem is still a combination of security holes, social engineering and putting protection in the right place without destroying productivity.

We’re pleased to see Microsoft finally admit that, yes, Windows security could do with a helping hand. If you’re not running an anti-virus or anti-malware application you really don’t have any excuses any more. Microsoft Security Essentials isn’t a bells and whistles security package like McAfee or Norton, or even AVG. It is, to steal a cliche, what it is. And that’s an easy to download, quick to install, and simple to use anti-malware package.

MSE is also pleasantly processor friendly, with very little impact on performance - even on Atom netbooks. With low-powered devices increasingly common (and Windows 7 likely to be on of the main operating systems on the next generation of devices) it’s good to see a package that respects your CPU and still manages to keep you safe and secure. What Microsoft has learnt, and it’s something that other security vendors are also learning, is that the security you have is a lot better than no security at all. Sure some people want something that tells them every time there’s a possible threat, and that inspects every packet going in and out of a network connection - but what most people want (and what most people need) is a tool that just gives them enough protection to keep the most egregious malware away, blocking trojans and spyware, as well as keeping them safe from good old-fashioned viruses.

That’s what MSE is, and that’s all it is planned to be. It’s the tool I’d give my sweet white-haired retired-school teacher mother. And that’s probably the best recommendation you’d hear from me!

There’s only one place that security through obscurity works, and that’s in the criminal coding fraternity. If you use an OS that only another 5 people in the world use, it’s not worth the effort to hack into that OS. When Apple had 2% or 5% of the market, it could safely claim that Macs were more secure because they were less of a target and any security holes would get ignored by hackers. Hit enough market share and you have to get a bit more protection - especially as hackers target the apps that run on the platform and the Web pages users visit.

We’re glad to see that Apple has gone on a security hiring spree recently; security experts and cryptographers from companies like PGP and OLPC are now working on security at Apple. That doesn’t mean Macs and iPhones are instantly more secure than they were last week; but it does mean Apple isn’t sweeping the security problem under the keyboard any more.

And with this post it’s time to bid you all farewell. We’ve been writing this blog for the last three years, since the launch of IT Pro. All good things must come to an end, and it’s time for us to pack up our keyboards and ride off into the sunset. We’ve had fun writing here, and we hope you’ve had fun reading us.

–Mary and Simon

Is this another Beacon moment? Keeping apps out of the Facebook inbox is good security. Even though the new Facebook plan to give apps access to the contents of user inboxes is restricted to whitelisted apps, that doesn’t mean they’re safe apps. Despite Google’s airy claims, just because something runs online, in the browser, does not mean it is safe (I’m still boggling security professionals with the claim by the Google gears team at Google IO that “everything in the browser is inherently safe”). Whitelisting means the app isn’t only malicious, but it doesn’t guarantee it’s not vulnerable.

If you’ve ever spent time drilling into the Facebook APIs (and the FBML language) you won’t be surprised at just how much data a not-so well-behaved application can harvest and take back to its own servers. Sure, it helps build more complex games and powers the viral explosion of memes across Facebook, but it’s a whole heap of security violations just waiting to happen. Yes you have to opt-in to every request, but ticking boxes and clicking OS is what we’ve been doing on Facebook for the last couple of years. Why change your habits now?

And making inbox access opt in doesn’t make it safe. We’ve trained the monkey to click OK on just about any dialog box if what the dialog offers is tempting enough - or if the dialog box is in the way of what I really want to do. Put a dialog box between me and my plan to dash off a quick update as I jump in the taxi to the airport and I might not read that dialog with the same due care and attention you were counting on.

And Facebook is full of career-limiting, security-breaching detail. Bank security questions? I bet I can answer them if I can see what memes you’ve been answering. Last three things you bought, first pet, second school you went to? There’s a meme for that. What’s in your inbox that you wouldn’t want posted on some random Web site?

Inbox access is the latest opt-in feature for apps; but they can do a lot more than throwing sheep…
I’ve been waiting for the Google backlash for a couple of years now; the blanket promise ‘not to be evil’ is no replacement for a thorough security lifecycle and privacy policy. Facebook’s Beacon advertising obviously didn’t make people too worried; the recent collection of ‘resignation by incautious Facebook status update’ proves that. Facebook users want to share; it’s up to Facebook to make sure that the platform doesn’t turn that enthusiasm into a threat.

There’s a petition against app inbox access over at http://www.keepmyinboxprivate.com/?ref=nf, which takes you in turn to
http://apps.facebook.com/keepmyinboxprivate/; ironically, the petition itself is an app that asks if it can publish a link to the petition on your Facebook Wall.

–Mary

If Google’s Android OS is open source, why is the company going after an Android developer? Because not everything that you think of as Android is actually open source.
CyanogenMod http://www.cyanogenmod.com/ is an alternative, unauthorised, third-party version of Android for Android phones. As Android is an open source operating system, why has Google hit the developer behind it with a cease and desist letter? Because the Google Maps, Android Market, Google Talk, Gmail and YouTube applications on Google’s own Android builds are Android apps rather than part of the OS - and they’re not open source. That means Google has every right to tell the developer behind Cyanogen that he can’t distribute them as part of his build http://androidandme.com/2009/09/hacks/cyanogenmod-in-trouble. Google told Intel the same thing back in the spring when it was trying out Android on netbooks. Search, and the apps powered by search, are where Google makes its money and they’re not open source and you can’t use them without permission. Parts of the Android SDK are proprietary as well.
Microsoft has never seriously gone after the developers on sites like XDA Developers who create ‘cooked’ ROMs for  Windows Mobile devices. That might be because Microsoft makes its Windows Mobile money by selling licences to the phone manufacturers. There’s also the fact that many of the XDA developers work for phone manufacturers and mobile operators and have a fairly good understanding of what you don’t want a phone to be able to do - as least as far as the phone network is concerned.
The mobile networks have a rather ambivalent attitude to open source on phones. On one hand, anything that makes it easier to make powerful phones cheaply is good, because it costs them less to subsidise. Plus open source should make it cheap for developers to create apps for the platform. This is a big change in attitude because an open, easy to configure, easy to develop for platform is also very scary for the operators because they’re paranoid about a rogue - or just badly-written - app or phone taking down the phone network. That’s why the OpenMoko phone - a truly open phone - never got very far; the operators were just too worried about having it on their network.
Vodafone’s support of the JIL platform in the 360 launch shows that the networks have realised - with a lot of help from the iPhone app store - that having lots of apps on a phone is a good thing. The reason Windows Mobile looks so far behind in the app space isn’t that it’s hard to develop good apps for - although the mix of screen resolutions and Compact and Micro Framework versions certainly doesn’t help. It isn’t just that it’s too complicated to find, install and uninstall apps (I can’t find a good version of Spider solitaire from a site that I trust and I can’t find a way to get Windows Live off now that I’ve realised that having Hotmail on my phone isn’t worth it if it’s going to slow down the mail interface this much). It’s also that the over-cautious operators held back the first wave of app developers by insisting on lengthy certification and approval systems.

The operators are a lot more confident now (although there were still some nerves at the Vodafone 360 launch yesterday -  “Is opening up our network services like this a good thing?” asked one spokesperson rhetorically; “we hope so!”). It’s also interesting that despite being a member of the Open Handset Alliance, instead of following Motorola down the Android route Vodafone has put MotoBlur-competitor Vodafone People onto the LiMo platform instead. Linux Mobile (and Maemo and Moblin) aren’t just different flavours of Linux from Android (which Google says is built on the Linux kernel, but is not actually Linux); they’re Linux-based mobile operating systems that Google doesn’t control.

Handset manufacturers and operators like Linux phones for lots of reasons. They like open source for lots of reasons. But for an industry that contributes as much to UK GDP as the oil and gas industry, few of those reasons are connected with the philosophy of openness that draws developers like Cyanogen.

–Mary

Intel has just launched its first appstore - in the shape of appdeveloper.intel.com.

Targeted at Netbooks, appdeveloper.intel.com is more than just another Apple-style appstore. It’s also a set of tools to help developers build applications that run on Atom. Integrating into common IDEs, Intel’s Atom SDK contains tools to help manage your applications, as well as integrating with Intel’s ecommerce platform for licensing and for handling delivery of additional content.

There’s a lot in appdeveloper.intel.com, and more to come. IDE support is a ways off, and it’ll be interesting to see how Intel handles integration with Eclipse and Visual Studio (and how it intends to deliver support to Flash Builder and Aptana). Sign ups are already open, and are free for now ($99 in the future), and there’s plenty of content on the site, so developers can get started quickly.

One big difference from other appstores is the developer catalog - where you’ll find components you can use in your own applications. Intel’s planning on building a developer ecosystem with its Atom offering, and getting tools out there is important. Software components and component stores were one of the drivers that contributed to the success of Visual Basic, and it’s good to see that Intel has learnt that part of the developer ecosystem lesson… The first batch of components is up already, and includes power and network management tools as well as video capture libraries.

There’s also a cross-platform bent to the site that’s refreshing. Developers can use the site to work with two operating systems - the Intel-sponsored Moblin Linux and Windows 7 - and two run times - Java and Adobe’s AIR. Moblin is becoming increasingly important to Intel (and we wouldn’t be surprised to see a tie up between it and Google’s ChromeOS in the future), and this year’s IDF will also see it get a new release and a whole new UI.

However the big winner here is Adobe. AIR’s still a relatively new arrival on the application development scene, but one that’s quickly picked up some very significant mindshare. With netbook’s relative low power, and near ubiquitous connectivity, there’s a lot of synergy between the hardware and Adobe’s rich internet application vision.

Yet Another Appstore it may be, but appdeveloper.intel.com looks set to be an important tool for developers who want to work with the growing netbook segment - and who want to turn them into devices that are actually useful rather than glorified Gmail appliances.

–S

The only time I don’t want to hibernate my PC is if I’m walking from one meeting to another that’s two minutes away - like a conference where I use the ten minutes between sessions to catch up on my email before rushing off at the last minute to the next presentation. And with the much faster resume time on Windows 7 (15 to 30 seconds) I might remove my complicated hybrid sleep timer (3 minutes into sleep then 7 minutes into hibernate, in case I find a fascinating conversation and linger in the hall) and just hibernate all the time.

So many updates slipstream without forcing a reboot now that I can just keep going until I choose to restart (assuming Office 2010 sorts out its issues with making Word documents left open from the server during hibernation read only, which I’m working around by using Offline Files - although that has its own issue where the files can’t be saved when I’m actually offline; there’s always something with pre-release software).

But  when we first put the RTM code for Windows 7 on it, Simon’s HP EliteBook 2710p kept waking up like a child asking for a glass of water.  If you upgrade a machine from Vista to 7 and you find it won’t stay in hibernation, check the BIOS. Do you have Wake On LAN turned on? If not, check the disk partitions.

Like many OEMs, HP ships the 2710p with a recovery partition; it has a utility for fast booting and looking at email and contacts in a pre-boot environment and it has what you need to get the original version of Windows restored if you ever need it. That means it’s a system partition that the BIOS needs to know about and that means it ought to be marked as active, but then you wouldn’t be able to boot from the Windows 7 system partition. Sometimes that’s not a problem - but sometimes it means that when you try to hibernate, when the system hits a sufficiently deep ACPI power-off level, it all wakes up again because of the recovery partition - which puts you straight back into Windows. If you do an upgrade install to preserve your installed applications, that leaves the original - and now useless - recovery partition in place. You can remove that and add the disk space to the main partition; we’ve seen that fix some hibernation issues, and on a two-year-old notebook the 8-10GB disk space you get back is well worth it.

However, it didn’t fix the hibernation problem on the EliteBook. We had the same problem with our elderly Elonex media center, which has a new lease of life with Windows 7; with the Release Candidate it was so sprightly that about a minute after we hibernated the machine it would just start back up again, and that didn’t have a recovery partition. The EliteBook didn’t have the hibernation issue with RC, so it’s not a bug. In both cases, a clean install of the RTM code fixed the problem instantly - our suspicion is that it’s an interaction between a driver and an RC to RTM upgrade (which, although, possible, certainly isn’t recommended). In practice, you’re not likely to see this issue on any user machines when you roll out Windows 7, though you might find on your own test system. Bite the bullet and do the clean install; it’s going to give you a more reliable system.

BONUS HELP: if you have a completely different hibernation problem, and you’re looking on the Microsoft knowledge base, you might find a new tool called Fix It. When there’s a registry change that needs making, or some other simple-if-you-know-how fix that you wouldn’t want an end user to mess around in the system trying to implement, many KBs now give you a button to press to make the change for you. No copying keys into your own registry fixomatic scripts, no wondering if the advice site you’re getting a .REG file from is really safe to use. This has been quietly building up since last autumn and you can see all the fixes so far at the Fix It blog or keep them to hand for users with the Fixit sidebar gadget. Invaluable!
-Mary

If you’re an Exchange admin, use the “Require encryption on the device” policy, and you’ve got users out there who are using first and second generation iPhones to get their mail over Exchange ActiveSync, then be prepared for a whole rush of support calls as users update to the latest version of the iPhone OS.

Why?

Because iPhones have stopped lying to Exchange servers.

The hardware on earlier iPhone models doesn’t have the power needed to support whole device encryption -you need the 3GS for that - and  that means that if your business needs to secure its mail, then most of the iPhones out there can’t be trusted. Apple’s earlier versions of the iPhone email software just ignored that policy setting, and reported back that all policies had been applied.

That meant that devices that should have been encrypted (either for corporate or regulatory reasons)  weren’t - and all the mail on them was available for anyone with a USB connection and the appropriate software.

As I’m sure you can guess, that drove a coach and horses through your  security policies, and opened your business up to all sorts of regulatory problems.

Now at least those phones will stop getting mail.

But it’s a bit of a worrying thought that one of the most popular phones in the world was skating past security policies. Of course that leaves us with two more worrying thoughts:

First, how many other phones out there are doing just that without you knowing?

And secondly, just how are you going to tell your bosses that they can’t use their phones for email any more?

It used to be so easy.

IT departments got to define just what could be used by a company’s staff. Everything from PCs to laptops to phones was in their purview, and everything that could be controlled was - locked down and managed to make sure that nothing went wrong.

But then came a rash of new devices, of new services, and a new generation of staff.

They’d grown up with a flexible world, and they wanted nothing less from their employers.

At least Windows group policies meant that a proliferation of desktop PCs could be managed, but how could new mobile devices be controlled - and how could potentially expensive roaming bills be managed?

Laptops were safely under control, as tools like iPass gave businesses the  ability to manage WiFi access, with one flat fee for each user every month, rather than having to pay expensive hotspot roaming rates.With WiFi now a common smartphone feature, it can also be used to avoid data roaming costs(as well as delivering more bandwidth than slow and congested 3G data services). That’s where iPass’ new strategy comes in, as instead of just delivering Windows and Windows Mobile clients, there are also Mac, iPhone and Symbian versions of the software - with more to come. There’s another advantage here, as the same username and password can be used with mobile devices as well as with laptops, keeping billing to the same single flat fee per user.

We recently spent some time with the iPass iPhone client, and were pleasantly surprised that it worked around the device’s limitations effectively (and  still works happily with OS 3.0). There’s a BlackBerry client on the horizon now, too, which will make it a lot easier for roaming BlackBerry users to avoid racking up their bills (though there still needs to be a better way of managing which browser you’re using on a BlackBerry). And of course these are tools you can push out to users, using device management suites to make sure that only devices with WiFi hardware get the software they need.

Tools like this mean one simple thing: any device is an enterprise device.

And you know? That’s a good thing.

–Simon

You might think it’s just a font, but it’s not really. It’s a statement of who you are, what you mean, and why you’re doing something.

Pretentious?

Perhaps - but it’s still true. There’s an underlying meaning and message in the shape of the type face you’re using. Serif fonts can be serious, with plenty of gravitas just like The Times used to have, while sans serif are direct, quick to deliver a message. Bold fonts emphasise, while italics rush you along. Then there are the many millions of speciality fonts, which give your message a spin that only they can. And then, of course, there’s Comic Sans - but there’s always a runt of the litter (or in this case, a runt of the letter).

It’s a matter of semiotics. There’s meaning to the symbols we use, meaning that we all interpret in slightly different ways. Some if it comes from the way those symbols are used in a cultural context, while other comes from the very shape grammar of the symbol - angular shapes are disturbing, while smooth lines are pleasing. We can go on: circles encompass, arrows point, while lines join things together. The meanings in symbols touch users and viewers in visceral ways, and a poor choice can be the difference between a customer saved and a customer lost.

Last week there was a disturbance in the force, as if a million designers had suddenly cried out in shock and anger. Ikea had changed the font used in its catalogue. It wasn’t a big change,  a switch from Futura to Verdana. Both were similar sans serif fonts, though with one big difference: Futura had been designed as a modernist font, with distinct political intentions - while Verdana, well it had been designed by Microsoft to look good on screen and on print. To most of us it wasn’t much of a change - and one we barely noticed. Even so, there’s a change. Ikea’s edginess has become replaced with a comfortable, everyday look. It’s part of the background now,no longer out on the cutting edge. What’s more, it’s also cheap.

That’s the sort of message we need to consider in the fonts we use on our web sites and in our applications. Design is important in conveying the message behind a brand - just look at how the fonts BP uses have evolved over the years to carry the company’s corporate message. It’s a subtle process, but one that works well, and one that can increase user engagement with applications and services as well as with online properties. Yes, it’s easy to use one of the default fonts in Windows or OS X - but is that the message you really want to give?

One thing that’s changing are the limitations of screen fonts. Complex ligatures and the like just don’t work well when you’re laying out a page on screen. Computing the positions of letters is hard enough, let alone trying to deal with flying lines and curves.

If you’re running Windows 7 (and Office 2010), why not  play with Gabriola. It’s a new font with a difference - now you’re able to use those complex design type effects no matter what you’re doing. It’s the first font with the hints needed to build on new screen layout features that come with the latest version of ClearType. It’s an impressive feat - and something we hope that other fonts will support soon.

After all, good design really does matter.

–Simon

Three years ago, when WiMAX looked like the best way to get faster mobile data, the then head of Vodafone made a point of stating the obvious at the Mobile World Congress; the networks would rather stick to 3G, the HSPA enhancements and eventually the ‘Long Term Evolution’ standard because evolving your network may be painful, but it’s better than ripping it out and putting in a brand new one, especially when they’d need twice as many base stations to provide the same coverage. But if HSPA and LTE didn’t show signs of showing up and speeding up to match the 100Mbps WiMAX promised in the long term, the convenience wasn’t going to stop the networks abandoning 3G.

3G speeds have been creeping up ever since, from 1 to 3.6 to 7 and now to 14.4Mbps. On the face of it that sounds faster than the average 2Mbps DSL connection in the UK; faster even than the 8Mbps you get on a faster exchange. But there’s a dirty little secret about most mobile broadband connections. It’s not just that the quoted speed is always a theoretical maximum and just as you never get a gigabit of data a second over gigabit Ethernet, you need to take off a quarter to a third from the maximum speed. It’s not just that the actual speed is shared with everyone else using data on the same cell; it’s that the speed quoted and the actual speed delivered are both only the speed to connect to the base station - not the Internet. And a surprising number of 3G base stations connect on to the Internet over 2Mbps DSL (and remember; you’re still sharing that speed with up to 50 other users in the same cell).

Not Vodafone; backhaul matters, says Vodafone CTO Jeni Mundy. “The pipes we put into the cell sites are key for anything you want to do on the Vodafone network or going out to the Internet; the bandwidth of those pipes is critically important and we’re absolutely doing not just a base station upgrade, we’re making sure we put the right backhaul in place to carry that traffic.”

In this case, rather than a single 2Mbps line, each Vodafone base station has eight 2Mbps E1 fibre connections adding up to 16Mbps of bandwidth. That’s courtesy of the deal Vodafone did last spring to connect to BT’s 21 Century Network and it means there’s slightly more than enough backhaul to deal with the incoming connections.

Vodafone’s press release about the launch was far more honest than most discussions of mobile broadband, which often suggest that no-one could tell the difference from DSL. Instead of trumpeting that Vodafone has the first 14.4 network in the UK, it pointed out “whilst 14.4 Mbps is the theoretical peak rate, customers can expect to see typical speeds of anything between 1 and 4 Mbps with a practical maximum speed of 10.8 Mbps.”

Mundy was equally frank about what that actually delivers: “As you improve the speed it works in two ways. If you look at the purest end, you can get up to 10.8Mbps -but in reality, few users get all the bandwidth. Where you have a number of users, we’re able to have those users further away from the cell because we’ve got more capacity. We can either have a broader cell coverage area or a much higher speed for single users, so you get advantages either way and the smarts of our technology will optimise that to maximise the benefit for users at any one time.”

The 14.4 network is live in the “busy areas” of London, Birmingham and Liverpool already; other areas - like London suburbs - will have the faster speeds by next March and Vodafone estimates that 80% of the 3G handsets and dongles that currently connect to their network can use the faster speed. And for once, a faster speed really will give you a faster connection.
-Mary

Windows 7 is done, but the massive Microsoft machinery is grinding slowly through the process of localising it into multiple languages, burning discs, printing, stuffing and shipping boxes and getting the PC manufacturers on the starting line. Snow Leopard is done and it went on sale on Friday. Does that mean Apple is more nimble - or just in more of a hurry?

Since Snow Leopard went on sale there’s been a flurry of posts and questions - about application compatibility. We knew Snow Leopard itself wouldn’t run on PowerPC Macs because they don’t have the Intel chips that the new features rely on, but unlike Microsoft’s massive app testing and beta program Apple hadn’t been pushing out details about application compatibility. Running 32-bit apps on a 64-bit system often causes problems. Apple was prepared for this; the reviewer’s guide says “During installation, Snow Leopard checks your applications for compatibility, and sets aside any incompatible applications that are known to create instability in Snow Leopard” and this page on the Apple support site http://support.apple.com/kb/HT3258 lists a handful of apps that are known to have problems. Most of them are the usual suspects; low-level storage and security software that has to be updated with any operating system release. But a wireless broadband card, or Adobe Director MX 2004? That’s down to a large number of API changes, designed to remove old bugs - but as Microsoft has often found, one developer’s bug is another developer’s feature and fixing it can break an app.

There was quite the snowstorm of discussion at John Nack’s blog about Adobe products and Snow Leopard. http://blogs.adobe.com/jnack/snow_leopard/ The official policy; CS4 is supported on Mac OS X 10.6, although Version Cue doesn’t work, CS3 isn’t supported. The unofficial line; CS3 “works fine” “to the best of our knowledge”; cue discussion about how long you should support old software on a new platform and whether you should delay creating the Cocoa version of Photoshop to go back and do the testing. But beyond the question of what resources Adobe could or should devote to supporting an OS update when it’s company policy not to put out updates to versions of software it no longer sells, is the question of how much time Apple has spent on testing third-party apps - and how much it could be telling users about potential compatibility issues. Apple certainly works very closely with the Photoshop team and would know about any problems they found (”If we found issues, we worked directly with Apple to get them fixed,” blogged Photoshop quality assurance manager David Howe) but there’s nothing about Version Cue on the support pages.

For Windows 7, Microsoft worked with 45,000 hardware and software developers, from IT departments inside businesses to one-man-bands to the big software and hardware names. There’s a long list of just a proportion of the devices tested at http://blogs.msdn.com/e7/archive/2009/01/10/primer-on-device-support-and-testing-for-windows-7.aspx and when you can actually buy Windows 7, the Windows Upgrade Advisor will be out of beta (http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=1b544e90-7659-4bd9-9e51-2497c146af15) - this checks the hardware and software you have installed -  the Vista Compatibility Center http://www.microsoft.com/windows/compatibility/ will turn into the Windows 7 Compatibility Center where you can look up that Photoshop Album needs a free upgrade to v3.2 and Corel makes you pay to upgrade to Paint Shop Pro X2. We’re still impressed by the range of hardware and software Windows 7 supports; at the end of last week our elderly Elonex Media Center PC picked up a new driver for the Hauppauge TV card that hadn’t worked for years and suddenly offered up 98 Freeview TV and radio channels.

Apple doesn’t give Mac users this level of detail (there’s a list of supported printers and scanners at http://support.apple.com/kb/HT3669 but nothing official for software), so they’re gathering it informally; check http://snowleopard.wikidot.com/ for a long list of apps that do and don’t have problems.

It’s unlikely that any of these application compatibility problems mean that Snow Leopard wasn’t ready to ship. But perhaps Apple isn’t able to test as widely as Microsoft does or perhaps it was so keen to get Snow Leopard on sale to deflate some of the Windows 7 momentum that it didn’t take the time to document the issues. Or is it the back to school market that Apple is chasing, now rather dominated by netbooks (which DisplaySearch now puts at 22% of all personal computers sold)? 
-Mary