I had to revert to typing in a password on my notebook the other day.

I usually brush my finger over the fingerprint scanner and as I let the security software store passwords and login details for as many sites as possible I don’t have to remember many passwords at all now. Roll on CardSpace - when I can store my details on an InfoCard and present that instead of typing in whatever random selection of information a site demands to let me download trial software or white papers, I shall feel a lot more productive.

I always scan at least two fingers when I set up a biometric system, because the software insists. I usually scan a thumb as well but with a minimum of three scans to do per finger and me in a hurry to try out a new system, that’s usually enough. Perhaps I won’t mention which fingers I usually scan, just in case, but I scan a thumb  so that I can log on in tablet mode without having to twist - a well placed fingerprint scanner is convenient for both modes but you do need different fingers.

But come Boxing Day, none of my fingers or thumbs were getting me in. Turns out this was because they were all on my right hand - and I’d been preparing Christmas lunch with someone else’s knives. It’s not that they’re bad knives, just that they have a different weight and angle and they’re not as sharp as I’m used to. It’s like using a US keyboard - mostly it’s fine but the odd thing trips you up. In this case, slicing the potatoes and carrots and parsnips and sprouts and cutting the onion in half for bread sauce and shoving cloves into it, and cutting the lemon in half to go inside the turkey and even scraping ribbon with a scissor blade to make it curl had left me with very fine cuts on the pads of both fingers and the thumb that were in the system. Not enough for me to notice, certainly not enough to bleed but enough to stop the system recognising my fingerprint.

I hope the fingerprint scanner at US immigration in Las Vegas can cope with the marks better than this notebook!

Mary

The holiday break means more unusual transactions, in stressful circumstances, with fewer support staff around. We know what it’s like, as we spent  plenty of time on hold trying to rebook a flight to Jersey , thanks to the unseasonal fog.

How did you prepare your IT for the seasonal - and predictable - interruptions? 

1. We planned ahead to add more automation including handling more exceptions so there weren’t as many problems that needed a real person to handle them…
2. I made everyone on the IT team take a BlackBerry or smartphone home over Christmas…
3. I added a festive jingle to our hold music…

What part did technology play in your Christmas personally?

1. I’ve been looking forward to playing with my new iPhone/Wii/robot dinosaur and Boxing Day is the ideal time to do online shopping for sale prices without the crush of people…
2. I had to bring a BlackBerry home from work…
3. I’ve been listening to some kind of festive jingle while I’m on hold for tech support…

What’s your favourite Christmas music?

1. Something I downloaded on my new iPhone to play to my robot dinosaur…
2. Chestnuts roasting on an open server - I got called in on the BlackBerry I had to bring home from work…
3. Anything except this festive jingle they’ve been playing all the time I’ve been on hold…

One of the themes at last week’s CScape event was the re-invention of Cisco as a collaborative service oriented organisation.

This is one of the issues I’ve been thinking about for some time. How do we build businesses that focus on process, on collaboration and on dealing with a global organisation? The service orientated enterprise is on its way, and we need to consider how we structure businesses to operate in a world where IT is no longer hierarchical, where users can define their own applications, and Web 2.0-style tools bring social networking to the desktop.

I’ve written about the architecture council movement before, as an approach to aligning business and IT goals. Cisco has taken this approach to heart, and has taken it further, using the idea of stakeholder councils as a structure for managing a business that’s too global and too large for the traditional hands-on C-level management structure we’re familiar with.

Councils of interest are a new way of working that really couldn’t have existed a few years ago. To work effectively they need to be part of a networked organisation that has tools to enable deep collaboration.

That’s more than just emailing documents around an intranet - it’s about collaborative document creation, video conferencing, expert identification, and distributed decision making. There need to be tools to help teams build their own enterprise mashups, bringing information together from multiple sources and finding appropriate ways of visualising the resulting data set without distorting the information it contains.

These are complex tasks, and Cisco has a big job ahead as it reengineers its business model. However the rewards are great, and Cisco’s CEO John Chambers says it has already seen benefits - allowing the company to substantially increase its number of key goals from two or three to more than ten. That’s a change that allows Cisco to increase its risk of project failure, as an expanded portfolio can be expected to contain projects that fail - in the certainty that there will be many projects that succeed.

It’s a brave new world out there - and it’s one that traditionally hierarchical businesses like Microsoft need to embrace. There’s no point in being conservative for comfort’s sake, especially when you’ve got thousands of experts you can draw on when making a decision. The networked business should be able to make decisions far more quickly than the slow hierarchical organisation tree, as messages pass from synapse to synapse directly, rather than up and down the slow chain of command.

So, are you a dinosaur or a shrew? If the pundits are to believed, there’s a big asteroid of a recession on the way, and one way to survive is to be nimble and fast. If you can respond to your customers needs faster than the competition, well, then you’ve just proved Darwin right. Evolution is for businesses and IT too.

It’ll be interesting to see if Cisco 3.0 is an example of the next stage in business evolution. I suspect it is.

–Simon

Technorati Profile

My shiny laptop is so shiny and new it doesn’t have a PC Card slot. That’s a bit of a problem, when the only 3G mobile data cards we have in the office are PC Cards. It’s even more of a problem when you’re in the car park at Costco and need to get a file from your home PC…

Express Card slots are great - if you’ve got an express card.

Built in antennae for WAN modules are even better - if you’ve got a module fittted.

It took me a while to get around the problem, but the solution turned out to be easier than I expected. All I needed was a Windows Mobile 6 device and its built in Internet connection sharing tool (the same feature is in Windows Mobile 5, but it’s hidden away in the file system).

I installed the Windows Mobile Device Center on my laptop so I’d have all the drivers I needed, and then plugged the phone in for an initial synchronisation.  The phone was recognised, and I was able to make a connection. I disconnected the phone, and clicked on the Internet Sharing icon. You can use USB or Bluetooth connections - USB is probably your best bet, as there’s no point in using up your limited battery capacity powering multiple radios (of course if you’re able to power both your laptop and your phone from the mains, Bluetooth suddenly becomes the best option).

Click connect and wait for your phone to hook up to the network, before plugging it in to the computer. When you connect your phone to the laptop, it’ll install a new set of drivers. These, well, they just work. Your phone becomes another network connection, and you can download files and email and browse the web just as much as you like (or at least as much as your bandwidth allowance gives you…).

(You can find a walkthrough of the process on Microsoft UK Windows Mobile Evangelist Jason Langridge’s blog.)

A useful tool for extra on the road connectivity.

– Simon

I spent much of last week at Cisco’s CScape analyst event in San Jose. It was a fascinating few days, as it meant I got a very different look at a company that affects our online lives. I’ll write about the development of Cisco 3.0 as a collaborative company in another entry, but one thing caught my attention.

It was a simple slide in CEO John Chambers’ keynote presentation, one that showed that the amount of bandwidth that was going to be needed to deliver the next generation of internet services was going to quadruple by 2011, with the amount of data traveling over the global network measured in the tens of exabytes. That’s an awful lot of data - as one exabyte can be thought of as the total sum of human knowledge at the start of 2007.

I’m not sure if I agree with Chambers’ that most of this traffic will be streamed video (though friends of mine who run ISPs are looking at the video traffic on their networks with some concern), but there’s certainly going to be a lot of video traffic streaming through the networks. It’s probably not going to all be telepresence running at multiples of HD, but there’s certainly a place for high quality video conferencing.

Where I can see video coming in useful is in delivering snippets of explanatory content over mobile phones. There’s a lot to be said for a quick movie showing just what’s gone wrong and where if you’re debugging a business process. There’s even more to be said for a video showing just how to make something work that little bit better. Suddenly a snippet of video becomes a resource that needs to be seen by lots of people - and that needs to be stored and shifted around a network.

One of the speakers at the event, telepresenced in from London, was the BBC’s Erik Huggers, who heads up the future media team. He noted that the BBC is already pushing out 1.3 petabytes of data a month, much of it audio. However he’s expecting that to increase by 500 TB a month by the end of the year, with the iPlayer launching on December 25. That’s not the end of his predictions - he expects things to ramp up to 3PB a month very quickly, with the BBC delivering 5PB a month by the end of 2008, which is what the BBC is designing its network to support.

Understanding the requirements of your network a year from now may seem to be taking the belt and braces a little too far, but are you on top of your network traffic - and its growth rates? If video starts becoming more and more part of the way you work, is your network ready?

It’s time to get out the monitoring gear and start looking at just what traffic your network is carrying - and how its changing. You may get a shock…

–Simon

I’m not a big Facebook fan. Part of it is that I’ve seen a lot of online communities, from Usenet and the uniquely British CIX to AOL and Web forums and IRC and LiveJournal andLinked in - and the evolution of online behaviour that occurs in all of them is the same. Food fights and virtual flowers replace SIG files and ASCII art but a me-too meme is the same whether it’s plain text or fancy CSS (and don’t get me started on second life because that’s a whole ‘nother rant).

But I’m not an online Luddite. I live in email and IRC. Simon and I met online (in a virtual bar,  when it took a really long time to explain to people what a virtual bar is. Online interactions can be efficient, lightweight and productive or rich and deep. Being able to find and connect to people you know is both fun and useful. Sharing what you do online is all fun and games until someone finds out what you’re buying them for Christmas (or in a Love, Actually manner, what you bought for someone who isn’t them).

Facebook has scaled back its Beacon advertising programme and issued a disingenuous ‘my bad!’ apology that still makes it sound more like a feature for users than a revenue stream for Facebook.  After all, the apology doesn’t say you can opt out of having what you do on partner sites like Blockbuster sent to Facebook in the first place. It says “If you select that you don’t want to share some Beacon actions or if you turn off Beacon, then Facebook won’t store those actions even when partners send them to Facebook.” Facebook could still use the details to optimise the ads you and your friends see, and there’s nothing in the privacy settings to let you turn that off.

I’m not the only one who thinks this is irresponsible. There’s been a lot of complaining going on - from a VP at Microsoft who reports to Ray Ozzie trashing both Facebook and Blockbuster publicly to the sterling efforts of Valleywag -the Silicon Valley equivalent of Private Eye - to find out exactly what information Beacon does and doesn’t store. There’s been some back and forth between Facebook and Harvard’s 02138 magazine over whether it was OK to put court documents about damages to the college house where Facebook was written and Mark Zuckerberg’s response to the Harvard disciplinary committee online or whether that was an infringement of privacy (Facebook took the magazine to court and lost).

But while I’ve been excoriating Facebook for not buying a clue about how to treat information users never gave it permission to publish, it struck me that maybe we should be thanking them. After all, Facebook has done more for public awareness of privacy issues than any number of well-meaning campaigns. A bit like HMRC and data security, Facebook has made sure that people all over the world care a little bit more who knows what about them. It’s an excellent time for Ask to launch its new privacy feature, AskEraser, where you give up the personalisation search engines thing we want in favour of the privacy some of us actually prize.

The option has been in development for a while - it takes time to code these things up - so the timing is just luck for Ask. It’s an opt-in system, so you have to click and turn it on and accept a cookie that says nothing but ‘privacy please’ - and if you try to use a feature that relies on personalisation you’ll get the option to turn it back on. Ask promises that details like your IP address and search terms will be scrubbed off the system swiftly. They’re not expecting enough people to choose the option to cause problems with the analytics they use to tune searches based on how people use the results.

If I was searching for something I really didn’t want anyone to know about, I’d use an anonymising proxy. Ask will still have some information about you that lets them comply with legal demands. But this is an excellent opportunity for people to show that actually, we don’t care if your company thinks using us to market to our friends is just the same as me saying voluntarily that I like to shop with John Lewis for the service, support and never knowingly undersold bit, we’d like to choose who we have those conversations with and when. If what I have to hide is Simon’s Christmas present or just my personal business, why should you get to broadcast it without permission to make money from it?

Facebook has made a lot more people consider what’s personalisation and what’s an invasion of privacy. Head over to Ask.com and you’ve got a chance to have your view counted.

-Mary

I narrowly avoided having an argument with a friend about touch screens the other night. We were talking about the new OQO model e2, an adorably small and functional ultra-mobile PC. It’s available with the ordinary version of XP, the tablet version or with Vista Ultimate (which the CEO Dennis Moore tells me he prefers because he’s getting more battery life). All versions have the active digitizer touch screen, but only the ones with tablet software come with the active pen you need to use it.

If you’re not writing on screen, the mini joystick on the slide-out keyboard and the finger-sensitive strips beside and blow the screen let you scroll and move the mouse pointer as normal. My colleague hadn’t realized there was a touch screen at all until I lent him the pen from my HP 2710p tablet to try with it and then he started telling me he’d rather have it work with the standard stylus from his Palm PDA. Yes, but…

For a start, Windows - XP or Vista  - isn’t geared up for finger touch.

Try doing anything apart from opening the Start menu and selecting an icon with your finger? Radio buttons, checkboxes, even menu items are designed to be selected with a mouse pointer - your finger is going to press three or four of them at once. The Media Center interface is a good size for fingers because it’s designed to be driven by a remote control, but I use my PC for a lot more than viewing media. The Origami pack for UMPCs gives you nice finger-sized buttons - but it’s like the interface on the HTC touch, barely skin deep. As soon as you open an application, you’re back to needing the fine resolution of a mouse or pen. HP does rather better with the finger interface on the TouchSmart PC, which I miss hugely now it’s no longer in our kitchen, because there are apps and tools in it to do a lot more - including a family calendar and sticky notes. But eventually, I’m browsing a Web site and ticking boxes and with a finger it’s frustrating.

The TouchSmart is the only finger-touch device that gives you the hints you get with a mouse or an active pen - hover behavior that changes icons, lights up menus and generally lets you know that yes, you do have the pointer in the right place. That’s because it uses four cameras to detect where your finger is. Active digitisers do need a special pen; passive touch screens put more of the workings as a layer over the screen - which means a passive touch screen will never be as bright or clear as an active screen. The sampling resolution is higher too; so writing on an active touch screen can be as fluid as writing with a real ink pen. And while most tablet pens are like a cheap biro, Cross makes a line of tablet pens that feel like a fountain pen.

And then there’s being able to write on the screen with the pen without having the side of your hand writing right alongside it. There’s a technique called blunt touch blocking that it supposed to stop that - ignoring the blunt touch of your hand in favour of the precise touch of the pen. Usually it means you have to press harder with the stylus and you’ll still get some random scribbles. I’ve only ever used one passive touch screen that got the blunt touch blocking right, the Tablet Kiosk UMPC.

Vista improves on the handwriting recognition of XP significantly, and it learns when you correct the recognition - you don’t sit around training the PC. It also introduces pen flicks - gestures that let you copy, paste, delete, scroll or do any eight things you fancy by flicking the pen up, down, sideways and to the four quarters. That only works with an active pen.

My friend might have been saying he wanted a screen he could touch with his finger for pushing the few buttons that are the right size. There are dual-touch screens that work with both finger and active pen and they would give him what he wants - the ability to write with a pen or tap with your finger. This would increase an already high price - but if you think the Eee PC is a bargain and the OQO is overpriced, you’re not the customers OQO is building for (adding an expensive array microphone wouldn’t put off the people who need the functionality it will deliver, Dennis pointed out). But what he was really saying was that he hasn’t seen the point of an active pen because there have been so few successful tablet PCs for the mass market. The OQO e2 still isn’t for the mass market - but if you do get the point of an active pen you’ll love it.

Mary

You type most of your passwords into it - and you type your credit card details into it every time you shop online. It’s how you unlock an iPhone so you can install applications on it. It’s the home of many of your applications and it’s the first avenue of attack for most malware. Really, if you wanted to be secure, you might never use a Web browser again.

You don’t have to be a hacker in the criminal sense to want to get around some security lockdowns. The latest iPhone cracker uses an image security issue in the Safari browser to open the system up. If you have a Buffalo NAS box you can use a security hole in the Web administration interface to make yourself root to install Perl so you can run SlimServer and get music onto your Squeezebox. I’d like to run SlimServer on something other than our main server - but I’m not cracking the security on our backup and media store to do it.

I’ve never switched away from IE to Firefox; originally it was because I had to have IE on my system for work and didn’t want the hassle of managing two browsers. Since IE 7 came out and I found IE 7 Pro I just haven’t bothered. It’s not perfect, but it’s good enough for me. Given that it took me five hours of browsing dubious sites and downloading known spyware to infect a machine running XP SP2 when I tried a few years ago, and given that everything that interested me in Firefox turned out to be Greasemonkey scripts (and I’m probably unfair to carry on thinking of that as a security problem waiting to happen, but I do), I’ve been assuming the security (dis)honours are about equal.

Jeff Jones at Microsoft has done another vulnerability survey, this time for IE and Firefox. Since Firefox 1.0 came out in November 2004, Mozilla has patched a total of 199 bugs: 75 high severity, 100 medium severity, 24 low severity. Microsoft has only patched 87 IE bugs in the same time (and we’re assuming fewer bugs patched is a good thing rather than avoiding the problem): 54 high, 28 medium and 5 low severity. Honours are more equal comparing just Firefox 2 and IE 7 for known bugs that haven’t been fixed: eight high severity bugs for Firefox versus ten for IE, 15 medium severity bugs  and one low severity bug for Firefox versus 11 and none.

Firefox also stops patching old versions of the browser six months after a new version comes out. Microsoft has much longer support lifecycles - ten years for business software and at least one year for service packs. How do enterprise Linux vendors who include Firefox in their distribution get around the problem? Red Hat and Ubuntu write their own patches (Ubuntu 10, Red hat 7 and in this case fewer bugs fixed is not a good thing); Novell pushes out updates that upgrade you to a newer version.

Do the figures make Firefox less secure than IE? They certainly make it less secure than popular opinion - and IE hasn’t really been a sump of iniquity and vulnerability since XP SP2 came out. But it’s not just the numer of bugs that matter - the arguments raging about the report bring up the issues of patch management and stability.

There’s a lot of squabbling about the terms of the report because it doesn’t count days of risk, just numbers of bugs and because it can only count published and not unpublished vulnerabilities. Mozilla has backed down from claiming that Firefox is more secure than Internet Explorer - or at least the FAQ answer comparing the two has vanished from the FAQ page in the last few days. But the Firefox camp disputes the conclusion of the report (without denying the actual figures). The Mozilla Security blog at http://blog.mozilla.com/security/2007/11/30/critical-vulnerability-in-microsoft-metrics/  critiques the study for counting number of bugs rather than days of risk and Mike Schroepfer, the Mozilla Corporation’s vice-president of engineering, picks on a specific vulnerability he says Firefox fixed first. He also quotes Secunia figures for the overall security picture that Jeff Jones debunked when we spoke to him in the summer.

Jeff said at TechEd: “I’ve talked to their CTO and he’s acknowledged this problem. Unless they want to assign somebody to check the code for every distribution they track, they run the risk of saying this applies to a distribution when it doesn’t; instead they err on the other side inaccurately saying there’s nothing unpatched. The site says “You can use this vulnerability report to make sure you’re aware of all vulnerabilities both patched and unpatched, allowing you to take the necessary precautions.” Not true. Secunia tracks the issues fixed by the vendor not the issues reported. Why do I care? I issued my 90-day Vista report and there was an article that said ‘Ubuntu scores a remarkable zero unpatched vulnerabilities of 61 of the lifetime of the product’. As of that date the Secunia site showed zero unfixed but in my spreadsheet there are 25 issues fixed since that were public prior to that date and nine of them were high severity. And that’s true all the time, when I put out my reports I get this thrown in my face – ‘zero unpatched’. ”

One question none of the Mozilla viewpoints have addressed. For Vista users, IE 7 is more secure than Firefox however few patches and updates you’ve installed; that’s because IE runs in protected mode. Any malware that launches from IE might get to read files on your hard drive - and not many of them - but it can’t write anything to the drive, so nothing gets installed without you Oking it.  Social engineering gets past a lot of people - Microsoft’s Mike Nash gets a laugh when he says that nothing is going to stop his brother-in-law clicking link after link to get something cheap or free no matter how suspicious it looks, but that’s true of many users. But reducing hackers to social engineering rather than programmatic attacks is a big step and it’s a shame that Mozilla isn’t using the extra security option that comes free in Vista to take it.

The other side of this is that the real Firefox advantage is the auto-patching mechanism that downloads and installs updates without waiting for Patch Tuesday or user agreement; next time you run Firefox, you’re running different code.  Should Microsoft do that for IE? Only if it wants the usual firestorm of complaints about taking over user machines. And if your line of business applications run in IE, you’d probably like the chance to test patches before they roll out across your network rather than after.

-Mary