Just what’s an enterprise device these days?
By Simon Bisson & Mary Branscombe in Editorial
Posted in Networking, Wireless, Mobile on
It used to be so easy.
IT departments got to define just what could be used by a company’s staff. Everything from PCs to laptops to phones was in their purview, and everything that could be controlled was - locked down and managed to make sure that nothing went wrong.
But then came a rash of new devices, of new services, and a new generation of staff.
They’d grown up with a flexible world, and they wanted nothing less from their employers.
At least Windows group policies meant that a proliferation of desktop PCs could be managed, but how could new mobile devices be controlled - and how could potentially expensive roaming bills be managed?
Laptops were safely under control, as tools like iPass gave businesses the ability to manage WiFi access, with one flat fee for each user every month, rather than having to pay expensive hotspot roaming rates. With WiFi now a common smartphone feature, it can also be used to avoid data roaming costs (as well as delivering more bandwidth than slow and congested 3G data services). That’s where iPass’ new strategy comes in, as instead of just delivering Windows and Windows Mobile clients, there are also Mac, iPhone and Symbian versions of the software - with more to come. There’s another advantage here, as the same username and password can be used with mobile devices as well as with laptops, keeping billing to the same single flat fee per user.
We recently spent some time with the iPass iPhone client, and were pleasantly surprised that it worked around the device’s limitations effectively (and still works happily with OS 3.0). There’s a BlackBerry client on the horizon now, too, which will make it a lot easier for roaming BlackBerry users to avoid racking up their bills (though there still needs to be a better way of managing which browser you’re using on a BlackBerry). And of course these are tools you can push out to users, using device management suites to make sure that only devices with WiFi hardware get the software they need.
Tools like this mean one simple thing: any device is an enterprise device.
And you know? That’s a good thing.
–Simon
Vodafone’s high-speed mobile broadband will actually deliver high speeds
By Simon Bisson & Mary Branscombe in Editorial
Posted in Telecoms, smartphone, Networking, Mobile on
Three years ago, when WiMAX looked like the best way to get faster mobile data, the then head of Vodafone made a point of stating the obvious at the Mobile World Congress; the networks would rather stick to 3G, the HSPA enhancements and eventually the ‘Long Term Evolution’ standard because evolving your network may be painful, but it’s better than ripping it out and putting in a brand new one, especially when they’d need twice as many base stations to provide the same coverage. But if HSPA and LTE didn’t show signs of showing up and speeding up to match the 100Mbps WiMAX promised in the long term, the convenience wasn’t going to stop the networks abandoning 3G.
3G speeds have been creeping up ever since, from 1 to 3.6 to 7 and now to 14.4Mbps. On the face of it that sounds faster than the average 2Mbps DSL connection in the UK; faster even than the 8Mbps you get on a faster exchange. But there’s a dirty little secret about most mobile broadband connections. It’s not just that the quoted speed is always a theoretical maximum and just as you never get a gigabit of data a second over gigabit Ethernet, you need to take off a quarter to a third from the maximum speed. It’s not just that the actual speed is shared with everyone else using data on the same cell; it’s that the speed quoted and the actual speed delivered are both only the speed to connect to the base station - not the Internet. And a surprising number of 3G base stations connect on to the Internet over 2Mbps DSL (and remember; you’re still sharing that speed with up to 50 other users in the same cell).
Not Vodafone; backhaul matters, says Vodafone CTO Jeni Mundy. “The pipes we put into the cell sites are key for anything you want to do on the Vodafone network or going out to the Internet; the bandwidth of those pipes is critically important and we’re absolutely doing not just a base station upgrade, we’re making sure we put the right backhaul in place to carry that traffic.”
In this case, rather than a single 2Mbps line, each Vodafone base station has eight 2Mbps E1 fibre connections adding up to 16Mbps of bandwidth. That’s courtesy of the deal Vodafone did last spring to connect to BT’s 21st Century Network and it means there’s slightly more than enough backhaul to deal with the incoming connections.
Vodafone’s press release about the launch was far more honest than most discussions of mobile broadband, which often suggest that no-one could tell the difference from DSL. Instead of trumpeting that Vodafone has the first 14.4 network in the UK, it pointed out “whilst 14.4 Mbps is the theoretical peak rate, customers can expect to see typical speeds of anything between 1 and 4 Mbps with a practical maximum speed of 10.8 Mbps.”
Mundy was equally frank about what that actually delivers: “As you improve the speed it works in two ways. If you look at the purest end, you can get up to 10.8Mbps - but in reality, few users get all the bandwidth. Where you have a number of users, we’re able to have those users further away from the cell because we’ve got more capacity. We can either have a broader cell coverage area or a much higher speed for single users, so you get advantages either way and the smarts of our technology will optimise that to maximise the benefit for users at any one time.”
The 14.4 network is live in the “busy areas” of London, Birmingham and Liverpool already; other areas - like London suburbs - will have the faster speeds by next March and Vodafone estimates that 80% of the 3G handsets and dongles that currently connect to their network can use the faster speed. And for once, a faster speed really will give you a faster connection.
-Mary
Office 2010 protects you – from your own documents
By Simon Bisson & Mary Branscombe in Editorial
Posted in Beta, Android, Applications, Office, Security, Networking, Microsoft on
Remember macro viruses? Trojans and bots have taken over from them in the virus top ten, but there could easily still be binary Office documents lurking in your business’s fileservers with unwanted code in them. The XML file formats introduced with Office 2007 mean you know when a document has a macro by the file extension (an XLSX file can’t have code in, an XLSM can) but even though XML files are smaller as well as more secure, not everyone wants to spend the time to convert a backlog of many years. So to protect you from anything worrying, Office 2010 introduces a Protected View that locks documents when you open them, and runs in an isolated, low-integrity process with a restricted token (rather like combining the protected mode that IE 8 runs in with the secure desktop you see with UAC elevation prompts - Protected View uses the same User Interface Privilege Isolation).
As the Office engineering blog post puts it, “For a malware to actually be able to run in Protected View it will first need to find a way around DEP, ASLR, GS and our new 2010 Office File validation checks. After all that, the malware would need to find a way to break out of the sandbox.”
The Office team is confident enough in Protected View that opening and previewing attachments from Outlook will get less annoying; you won’t have to say yes, you trust every different type of document to open and preview individually the first time you come across it. It seems like a welcome security measure that will make life easier too. Sadly, as implemented it’s currently a productivity blocker that will be turned off or loathed by every user that comes across it.
On my system at least, every single document I open in Office 2010, binary or XML, from the office network is opened in Protected Mode and tagged as coming from ‘an unsafe location’. That’s supposed to be for documents downloaded from the Internet (“When a file is downloaded from the Internet the Windows Attachment Execution Service places a marker in the file’s alternate data stream to indicate it came from the Internet zone,” says the Office Engineering blog) and I’m kind of offended that Microsoft is telling me that our network isn’t secure - it is Windows Server 2008 we’re running. I’m also losing time on every document, having to click through before I can start editing.
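The marker quoted above is a small INI-style text stream named Zone.Identifier attached to the file. The following Python is an added example (not part of the original post and not Microsoft's code) that parses that stream and lists which files carry an Internet-zone mark; the function names and sample streams are constructed, and treating zones 3 and 4 as untrusted is an assumption of this sketch.

```python
import configparser

# Standard Windows URL security zone numbers.
ZONES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}
UNTRUSTED = {3, 4}  # assumption of this example, not a statement of Office's policy


def parse_zone_id(stream_text):
    """Return the ZoneId from Zone.Identifier stream text, or None if absent or malformed."""
    if not stream_text:
        return None
    # interpolation=None: HostUrl/ReferrerUrl values may contain '%' escapes.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(stream_text.lstrip("\ufeff").replace("\r\n", "\n"))
    except configparser.Error:
        return None  # e.g. a key with no [ZoneTransfer] header above it
    for section in parser.sections():
        if section.lower() == "zonetransfer":
            try:
                zone = int(parser.get(section, "zoneid", fallback=""))
            except ValueError:
                return None
            return zone if zone in ZONES else None
    return None


def read_zone_stream(path):
    """Read the alternate data stream of a file on NTFS; None if there is no stream."""
    try:
        with open(path + ":Zone.Identifier", "r", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def internet_marked(streams):
    """Given {filename: stream text or None}, return the names marked Internet or Restricted."""
    return sorted(
        name for name, text in streams.items() if parse_zone_id(text) in UNTRUSTED
    )


# Constructed sample streams (not taken from real files).
SAMPLES = {
    "budget.xls": "[ZoneTransfer]\r\nZoneId=3\r\n"
                  "HostUrl=https://downloads.example/budget%20q3.xls\r\n",
    "intranet.doc": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "minutes.doc": None,            # no Zone.Identifier stream at all
    "broken.doc": "ZoneId=3\r\n",   # malformed: missing section header
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        zone = parse_zone_id(text)
        print(name, "->", ZONES.get(zone, "no valid mark"))
    print("Marked untrusted:", internet_marked(SAMPLES))
```

A file on a share with no such stream is zoned from the location it was opened from rather than from a mark, which is the case the rest of this post runs into.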
I tried turning Protected View off; you can’t. You can go into the Trust center, ignoring the sign that tells you not to go in there and not to change anything, and tell Office to trust network documents (again, ignoring the warning that a network is a scary place and you shouldn’t be trusting it) but that didn’t fix it. I had to manually add the file shares on the server, mount point by mount point. You can’t just give office the name of your file server and trust the whole thing; Office refuses to mark the root of the server as safe.
This isn’t supposed to happen, says Microsoft. In some cases, the proxy settings are to blame (check out The LIZ and Proxies: the surprising connection for an explanation by Eric Lawrence of the IE team of why proxies are involved in the intranet at all). We don’t use a proxy. Maybe the Local intranet setting in Internet Options isn’t set to ‘Automatically detect’? It is, as it happens.
Ah, says the Office team; it’s a bug, and they’re working on it. That’s good news; if I only have to put up with this until the beta of Office 2010 this autumn, that’s fair enough - you expect problems when you use a ‘technical preview’ (or alpha code as we used to call it).
But the fact that Office 2010 is relying on Internet Explorer options that may or may not apply if you don’t have Internet Explorer on your system is a little worrying (Firefox doesn’t use security zones, for example). And Simon, who is joined to the domain, doesn’t see Protected View on network documents. So the underpinnings of Protected View seem to be a tangle of Internet Explorer, Active Directory and Microsoft network settings; that’s fine for an all-Microsoft business - like Microsoft. It’s less useful for the rest of the world where heterogeneous networks are the norm and security is important - but will always get demoted if it gets in the way of getting your job done. Let’s hope the bug fix does more than just tweak things; Protected View uses a spiffy new architecture inside Windows and it needs to take a clear and manageable approach to defining what a ‘safe’ or ‘unsafe’ location actually is, or it’s going to be unpopular and insecure (cue everyone copying documents onto their laptop to edit them without the nagging and leaving them in the pub car park).
-Mary
Would Vodafone want T-Mobile for backhaul?
By Simon Bisson & Mary Branscombe in Editorial
Posted in Business, smartphone, Telecoms, Futures, Networking, Internet, Wireless, Mobile on
It’s probably about buying market share and reducing the competition that drives down prices, but there’s a new problem for mobile operators to think about these days - bandwidth and backhaul.
No matter how fast the 3G chipset in your mobile phone, you’re not getting on the Internet at that speed; you might have 3, 7 or 14Mbps between your phone and the base station but that base station is connected into the net at the same DSL speed as your home broadband. And you’re sharing that with everyone else connected to that base station; say the 50 people in the same mile radius on the same network. Wimax and LTE promise speeds of 80-100Mbps; that means backhaul will have to get much faster and wider - according to a recent In-Stat report, backhaul capacity has to triple by 2013 to a worldwide total of 90,000Gbps to match demand. To get faster speeds needs faster physical connections; faster DSL, expensive fibre optic cable or laser links. And that costs money…
Vodafone and T-Mobile both use BT for backhaul. Last year Vodafone started rolling out Tellabs’s Ethernet-based backhaul to replace the legacy voice network it was previously built on top of (getting an IP network for next-generation services at the same time); or rather BT is doing it for them (it’s all part of the ‘21st Century Network’). O2 is taking the same service, and T-Mobile had signed up for it a year before that. Currently the system promises to deliver up to 60Mbps (a big improvement on the 2Mbps at most base stations). If T-Mobile is further along with the rollout, buying them could give Vodafone better bandwidth faster - and in the long run that could be worth as much as buying market share.
T-Mobile users might want to cross their fingers that the deal goes through (which is far from certain). Coverage and the weather and device configuration and the number of other people around and a whole bunch of other variables make it hard to compare networks precisely, but of all the networks I test phones with, Vodafone consistently gives me the best connection and coverage.
-Mary
Do you need IPv6 for DirectAccess? Yes and No
By Simon Bisson & Mary Branscombe in Editorial
Posted in Enterprise, Windows Mobile, Networking, Security on
I hate VPNs. I’m not alone; the VPN that Microsoft – who ought to be able to get IT right - runs for internal staff is so slow (it takes four or five minutes to get connected) that many staff refuse to use it whenever possible, which makes it hard to patch their systems. And the less they connect, the longer the connection takes, because it’s busy forcing security updates on them and slowing down the connection even more. DirectAccess, a new feature in Windows 7, could make that a thing of the past, creating a secure connection that’s more efficient than a VPN and much easier to use, so you can tell end users you’re making their life easier and get access to their machines for maintenance at the same time.
But the way DirectAccess makes the secure tunnel between the remote PC and your network to give them access to file shares and applications and everything else, is by using IPSec and IPv6. You need IPv6 on your internal network and on the network they’re connecting from – and that’s still rare. Luckily, there are ways around it.
One way is to use the Forefront Unified Access Gateway; this does a lot more than DirectAccess, including enforcing application whitelisting on remotely connected systems, but it simplifies setting up DirectAccess. “We’re the plumbing,” says Scott Roberts of the Windows team; “sometimes what we give you is the 16-step guide to do something – and UAG is the friendly face on top. They have some really nice wizards.” UAG also helps you configure DirectAccess without needing an end-to-end IPv6 connection.
The roadmap for Forefront includes a version of UAG to run on the mid-market two-server system (codenamed Centro – it’s the step up from SBS), which will also support DirectAccess. DirectAccess isn’t going to be available on SBS, at least in the Windows 7 timescale, because it needs two servers, one of them with two network cards – so you can’t run it in a VM or behind a NAT firewall - and because Microsoft feels that the complexities of setting up DirectAccess are too much for small companies.
The other solutions involve encapsulating IPv6 packets inside IPv4. You can do it using the 6to4 and Teredo protocols, but not all networks support those; if you’re visiting a business that does outbound proxying for security, they won’t work. You can put in a protocol translation adapter on your network, or use a Windows Server 2008 R2 system running ISATAP to convert IPv6 into IPv4 to move the packets across your network. Or you can just use the new IP-HTTPS protocol which takes IPv6 into IPv4, just like an SSL VPN.
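Several of these encapsulations leave a recognisable pattern in the client's IPv6 address, which helps when reading gateway logs to see which fallback remote clients are actually using. The following Python is an added example, not from the original post or from Microsoft; the function names and sample addresses are constructed, and it goes slightly beyond the text by decoding the IPv4 address embedded in 6to4, Teredo and ISATAP addresses.

```python
import ipaddress
from collections import Counter

# ISATAP interface identifiers: 0000:5efe (private IPv4) or 0200:5efe (public IPv4)
# in the upper half of the low 64 bits, followed by the IPv4 address itself.
ISATAP_IDS = (0x00005EFE, 0x02005EFE)


def classify_ipv6(addr_text):
    """Classify an IPv6 address by transition technology and decode its IPv4 part.

    Returns a dict with 'kind' ('teredo', '6to4', 'isatap' or 'native'),
    'ipv4' (embedded IPv4 address or None) and 'teredo_server' (or None).
    IP-HTTPS is a tunnel over HTTPS and is not identified from the address here.
    """
    addr = ipaddress.IPv6Address(addr_text)

    # Teredo: 2001:0000::/32, server IPv4 in bits 32-63, client IPv4 stored inverted.
    if addr.teredo is not None:
        server, client = addr.teredo
        return {"kind": "teredo", "ipv4": str(client), "teredo_server": str(server)}

    # 6to4: 2002::/16 followed by the 32-bit public IPv4 address of the 6to4 router.
    if addr.sixtofour is not None:
        return {"kind": "6to4", "ipv4": str(addr.sixtofour), "teredo_server": None}

    # ISATAP: any /64 prefix, recognised by the interface identifier.
    value = int(addr)
    if (value >> 32) & 0xFFFFFFFF in ISATAP_IDS:
        embedded = ipaddress.IPv4Address(value & 0xFFFFFFFF)
        return {"kind": "isatap", "ipv4": str(embedded), "teredo_server": None}

    return {"kind": "native", "ipv4": None, "teredo_server": None}


def summarise(addresses):
    """Count how many addresses fall into each category."""
    return Counter(classify_ipv6(a)["kind"] for a in addresses)


# Constructed sample addresses using documentation ranges
# (the Teredo one is the worked example from RFC 4380).
SAMPLE_CLIENTS = [
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo
    "2002:c000:204::1",                      # 6to4 for 192.0.2.4
    "fe80::5efe:192.0.2.10",                 # ISATAP link-local
    "2001:db8::1",                           # plain IPv6
]

if __name__ == "__main__":
    for text in SAMPLE_CLIENTS:
        print(text, "->", classify_ipv6(text))
    print(dict(summarise(SAMPLE_CLIENTS)))
```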
If you don’t want to put IPSec on your network, you can send the packets across your internal network in clear text; if you do have IPSec you can choose between integrity assurance and full encryption, but that does limit you to using DirectAccess to access resources on servers that support both IPSec and IPv6. That’s fine for Windows Server 2008 and for many Linux systems, but not Windows Server 2003. The DirectAccess server itself needs to be running Windows Server 2008 R2. All that means that DirectAccess will make life a lot easier for your users, and give you a way of reaching out to touch PCs as soon as they go online rather than only when they’re forced to use a VPN – but it’s going to take a fair amount of setting up, and that may seem like too much work when it doesn’t work with any other versions of Windows than Windows 7.
-Mary
Arizona, Utah and the myth of the perfectible network
By Simon Bisson & Mary Branscombe in Editorial
Posted in Networking, Telecoms, Wireless, Email, Mobile, Internet, Uncategorized on
Why bother with local storage and heavyweight applications when you could just use the cloud? Because they always work, that’s why.
To prepare for six solid days of meetings and presentations, crowds, queues and the three-ring CES circus, we’ve been driving through the quiet, cold American southwest. It’s been extra quiet and peaceful without email and phone calls. It’s not that we swore off connectivity to take a holiday. It’s not that there isn’t 3G and HSDPA coverage out in the wilds. We didn’t forget to enable roaming or run out of battery and I have a bag-ful of handsets to try out… It’s that the cellular networks that serve the Navajo Nation and many of the surrounding counties don’t have international roaming agreements.
Yes, there’s hotel and motel Wi-Fi - but you’re often sharing a very slow DSL connection with everyone else in the hotel, all of whom are using it to upload their photos to Flickr. Plus, you don’t want to be tied to the hotel when you’re wanting to explore.
Cloud services and cloud storage are great for collaboration and for having files available on any machine you happen to pick up. But switching entirely to the cloud assumes that the network is always there, always working, always fast enough, always cheap enough and doesn’t run down your battery too much. Back in the real world, it’s too easy to run out of power or drive out of range for online to be your only option. And don’t say it’s a contrived case and only a few people will be driving around wanting to do email or update their diary in Monument Valley: there are plenty of places in Las Vegas where you can’t get connected either.
-Mary
When will Windows Live stop treating CardSpace as the unwanted stepchild?
By Simon Bisson & Mary Branscombe in Editorial
Posted in Privacy, Identity, Networking, Server, Microsoft on
The cloud demands identity. Microsoft has a strong, secure, privacy-friendly identity technology that’s open, easy to federate and will transform the Web and the cloud. So why is Windows Live ignoring CardSpace?
OpenID is a great tool for logging in to a Web site that you want to use but don’t need to trust. You wouldn’t want to use OpenID to get into your banking site because it’s just not secure enough, but it’s great for not having to remember passwords for LiveJournal, Dopplr, Plaxo and the like. You log into one site and tell the others to ask that site who you are. OpenID is getting less vulnerable, but it’s simply not intended to protect really important information.
The information card system is secure; it’s protected by cryptographic keys, it’s got a user interface that makes it very clear when you’re being asked to log in to a site, what the site wants to know about you and it lets you choose from a ‘wallet’ of cards to prove your identity. That gives you security and privacy and ease of use together (which improves security by stopping people using the same password everywhere). Microsoft put it into Vista and Internet Explorer 7 as CardSpace (information cards are the generic system and there are implementations that you can use in Firefox and Safari, on Macs and Linux machines; CardSpace is just the Microsoft implementation).
And since then, I’ve been waiting for Microsoft to deliver the next pieces. A token server that a business can use to issue its own information cards, and to validate them so you can use them for access to internal apps, preferably federated so you can also validate partners. And a public service that issues not just the self-certified cards that anyone can create with their public details but managed cards that have useful information that you want to protect. When you wave your passport or driving licence in an American bar, the bar doesn’t - or shouldn’t - take a copy of it; they just need to know you’re old enough to have one. Put your birthday into a managed card and you can prove that you’re over 16 for a shopping site without handing over details that could help someone hack your bank account if the site loses its customer details on a USB stick, because the site only gets the assertion that you’re old enough, not the actual day, month and year.
Issuing cards was going to be a function of ADFS at one point, because it fits with where enterprises store identity information; for development and resource reasons it went on and off the feature list and now it’s going to be a free component in Windows Server 2008 (and maybe other versions), code-named Project Geneva. Currently in beta at www.microsoft.com/geneva, there will be a feature-complete beta in the first half of 2009 and a final version in the second half. It leverages AD and SAML and x509, it interoperates with a wide range of line of business applications and it makes using secure identities easy in a business.
That just leaves a managed card service for those of us who aren’t in a big business and I’m still waiting. And in the PDC keynote today, Microsoft announced that Windows Live ID would be issuing a new kind of identity - but it’s not information cards.
So why is Windows Live ID proudly announcing that it’s issuing OpenIDs but not CardSpace IDs? Is it because OpenID is accepted by a lot of sites? So are information cards, and if you could get an identity you could trust from Windows Live other sites would be more likely to adopt them - because it’s easy to use Windows Live ID instead of running your own username and password system.
Is it because OpenID is, well, open?
CardSpace is the most open project Microsoft has ever done. The architect, Kim Cameron, has almost single-handedly changed the perception of Microsoft in the identity community, which isn’t bad for a company that was so roundly derided for Passport. The open nature of information cards “just isn’t up for discussion” Cameron said to me (before plunging into a discussion with senior VP Bob Muglia about why you can’t constrain the scope of identity to just in the cloud or just on the server or just on the Web or just on the desktop).
Is it because CardSpace 2 is going to be better than CardSpace 1? It will let you transfer information cards from one PC to another, and when you go back to a site you’ve used an information card with before, CardSpace 2 will show you the card you used last - which means that even if a phishing site accepts information cards to try and fool you, you’ll be able to tell (and the phishing site isn’t going to get the details out of your card so scammers can’t steal it). But Microsoft has adopted the first version of plenty of its own technologies even when there has been something new and better just around the corner. And issuing managed cards today, cards that have been verified and are backed by an identity provider, would be a huge step forward.
If it’s because Microsoft wants somebody else to issue managed cards because a supermarket or a post office or a government already has relationships with people and systems for handling information - or because they look like a more natural place to prove your identity because they can prove that you have a loyalty card or a post office box or a passport - then I’d say yes, but you can’t wait for that to happen. Once the first managed identity provider proves its value then banks and services that sell you certificates will join in, but you can’t keep on waiting for them to go first.
I wonder if it’s the legacy of Passport. Maybe the Live team wants to be extra sure they don’t rush out with an implementation that could have problems and create another Passport backlash. Or maybe they aren’t comfortable with the way that CardSpace takes the power of identity away from the provider and gives it back to the user; issuing managed information cards would be admitting once and for all that Microsoft is never going to own user identities in the way that Passport envisaged. Everyone I’ve met from the Windows Live team so far is smarter than that, which leaves me confused. Because it’s ludicrous that Microsoft has a far superior identity technology to OpenID that it’s getting ready to offer to businesses and it hasn’t even talked about how to bring it to everyday Web users who need it just as much.
-Mary
Always check the cable!
By Simon Bisson & Mary Branscombe in Editorial
Posted in Telecoms, Networking on
It’s a simple rule, and one that fixes a huge proportion of IT problems. I’d have done well to remember it when the door to the office NAS neatly unplugged a network segment, and I spent a happy half hour trying to debug just why the wireless printer wasn’t working.
It’s also one that might have saved us several days of little or no phone connectivity, and an extremely flaky DSL connection that has yet to train back up to full speed. Still, at least now that the BT engineer has visited, we have a new cable between us and the street furniture, hopefully ensuring a faster and fault free connection in future.
BT’s online fault tracking service is well designed, and surprisingly helpful. Log on and report a fault with a line, and you’ll be
The LHC isn
By Simon Bisson & Mary Branscombe in Editorial
Posted in Hardware, Intel, Networking, HP, Internet on
Simulating the big bang and colliding particles at the speed of light takes a lot of space, makes a lot of data - and it isn’t going to blow up the planet.
The Large Hadron Collider has been running quietly for a week and no tiny black holes have made their way out through the giant concrete end caps yet, so the world is probably safe.
The collider itself is a vast confection of superconducting magnets and we were lucky enough to go down into the caverns last year while it was still being constructed. The scale of the shaft and the cavern are impressive enough; ATLAS is just one of the detectors on the ring and the structure dwarfs the engineers putting it together.
We’ve put together a look at the detector using Microsoft’s Silverlight DeepZoom technology.
An experiment like the Large Hadron Collider also produces a lot of data: 15 million gigabytes a year, streaming out of CERN to a worldwide computing grid at 2GB/second through an HP ProCurve infrastructure. The mainframes and supercomputers that processed the data in decades past have been replaced by rows of PCs. The cavernous computing centre looks like an old school gym; half of it is full of familiar tower cases, the other half is filling up with racks and blades and tape library robots as CERN builds its own mega-data centre.
You need a special invitation - or a research project - to get into the caverns at CERN, now that the LHC is switched on. But you can book a tour to see one of the other particle accelerators, decelerators and colliders where researchers try to recreate the first seconds after the Big Bang - or you can head down to the basement to see Tim Berners-Lee’s first Web server.

A slightly battered NeXT cube with a hand-written label peeling off from the front of the case, the memo of the original World Wide Web proposal lying over the keyboard; if there was a coffee cup in the display case, you’d expect Sir Tim to come back and sit down at any minute. Also behind glass is one of the first Cisco routers to make it to Europe; it’s a hefty beige box that cost $10,000 back in 1984.
Tours start in the dramatic wooden Globe of Science and Innovation, but take a minute to stand in the main reception area across the road. The coloured lights shooting through the concrete floor flash every time cosmic rays are detected; that bright blue could be a solar flare or a supernova.
-Mary
Would you pay another
By Simon Bisson & Mary Branscombe in Editorial
Posted in Business, Futures, Networking, Internet on
BT shareholders should stop worrying about the cost of fibre. Everyone wants fast broadband and the current plans aren’t so expensive that they’ll take years to pay off.
I noticed the other day that the market didn’t take well to the news that BT is really moving forward on plans to roll out fibre across the UK to drag broadband speeds into the 21st century (think 8Mbps DSL is fast? - check out Korea, or Paris where they’re laying 30Mbps fibre). Cable coverage in the UK is a joke (NTL bought the cheapest demographic data it could find for high population density and ended up cabling multiple occupancy council estates where it couldn’t get licenses to offer a service and running out of money before it got round all the consumers and small businesses that actually wanted cable modems).
Now the analysts at Point Topic have done some interesting sums. BT’s proposal to cover 40% of the homes in the UK for