Nov 30, 2009

Understanding scam victims: seven principles for systems security

Interesting University of Cambridge paper on how scams work and the psychological factors behind them. The authors essentially cover common scams and the reasons why they work but also take some time to explain how administrators need to consider these factors when designing system security.

For example, one of the seven principles of a successful scam is called the Dishonesty principle, whereby a scam goes unreported because the mark would have to admit some dishonest act in order to expose the fraud. The paper's authors offer some wise advice on creating corporate policy that will encourage reporting of fraud without fear of retribution.

The security engineer needs to be aware of the Dishonesty principle. A number of attacks on the system will go unreported because the victims don’t want to confess to their “evil” part in the process. When a corporate user falls prey to a Trojan horse program that purported to offer, say, free access to porn, he will have strong incentives not to cooperate with the forensic investigations of his system administrators to avoid the associated stigma, even if the incident affected the security of the whole corporate network. Executives for whom righteousness is not as important as the security of their enterprise might consider reflecting such priorities in the corporate security policy—e.g. guaranteeing discretion and immunity from “internal prosecution” for victims who cooperate with the forensic investigation.

The authors note that well designed security should make it easy for users to "authenticate" the validity of the system they are entering sensitive information into.

Much of systems security boils down to “allowing certain principals to perform certain actions on the system while disallowing anyone else from doing them”; as such, it relies implicitly on some form of authentication—recognizing which principals should be authorized and which ones shouldn’t. The lesson for the security engineer is that the security of the whole system often relies on the users also performing some authentication, and that they may be deceived too, in ways that are qualitatively different from those in which computer systems can be deceived. In online banking, for example, the role of verifier is not just for the web site (which clearly must authenticate its customers): to some extent, the customers themselves should also authenticate the web site before entering their credentials, otherwise they might be phished. However it is not enough just to make it “technically possible”: it must also be humanly doable by non-techies. How many banking customers check (or even understand the meaning of) the https padlock?


The verification must be easy enough for mortals. Likewise, any mechanism used to authenticate users should not be overly draconian, since users will circumvent the system. An interesting example of this effect concerns e-mailbox quotas. When administrators limit attachment sizes to accommodate small mailbox quotas, they run the risk of data leakage because users turn to consumer messaging systems that administrators have no control over, such as Gmail, to send large file attachments to co-workers and customers.

Nov 27, 2009

Search engines are a source of learning

Search can make you smarter...

The researchers sought to discover the cognitive processes underlying searching. They examined the search habits of 72 participants while conducting a total of 426 searching tasks. They found that search engines are primarily used for fact checking users' own internal knowledge, meaning that they are part of the learning process rather than simply a source for information. They also found that people's learning styles can affect how they use search engines.

Nov 16, 2009

Cisco Raises Its Bid for Tandberg of Norway - NYTimes.com

Cisco is going big on video for the UC and collaboration market. That was evident from John Chambers' keynote last week (see my post).

The network equipment maker Cisco on Monday raised its bid for Norwegian videoconferencing equipment maker Tandberg. The increase was backed by holders of more than 40 percent of Tandberg’s shares, few of whom had warmed to Cisco’s previous bid.
I am reminded of Mike Gotta's work a couple of years ago on the different approaches IBM and Microsoft are taking to the UC market*; IBM being more partner-friendly, focusing on the software side of UC and working well on others' equipment, versus Microsoft's more all-or-nothing approach to building UC solutions, including soft-PBXs and equipment (e.g., Roundtable). Cisco takes a network- and video-centric approach to UC, preferring to rely on its strong network roots as the backbone for delivering high-quality communications and collaboration. It's all a matter of perspective.


*Logically each vendor's approach has evolved over the last couple years, with Microsoft taking on partnerships of convenience and IBM's subtle movements toward its own PBX server (Sametime Unified Telephony) as a less aggressive market play (or market safety net) while telephony vendors begin to struggle to stay alive.

Nov 13, 2009

Windows Mobe Marketplace sets its stall out • The Register

More on the Mobile apps store front....

And Windows Phone applications are worth a little more: Handango noted in its last YardStick that while it was now selling more Blackberry applications by volume, Windows Mobile is where the profit comes in. The average price of a Windows Mobile Phone application is more than $20, making development worthwhile and profits possible. Just not for Microsoft. At least, not yet.

So as a mobile phone app vendor, do you go for volume or hope that users really want to buy the app? I know I'd rather go for volume. iPhone apps average a $0.99 price, something I as a consumer find easy to spend on an app even if I stop using it after a month. If an app cost $20 I'd think really hard about whether I wanted it, even if I could write it off.

Nov 10, 2009

When It Comes To In-App Purchases On The iPhone, Games, Social Networking, And Books Rule

An interesting view of the mobile apps market. In the upsell market it looks like entertainment and socializing are the big winners...

Games, social networking, and book apps are doing the best job upselling consumers from free apps to paid enhancements. Music, news, and finance apps, not so much.

Makes some sense: we want to keep renewing that type of content. Except for the punchline....

People just don’t want to pay for songs, news, or stock quotes.

Songs? Do we want our songs for free, or do we consider that we've already bought the songs before and are not willing to pay again?

This is an interesting snapshot of the times, especially when vendors like IBM, Microsoft and others are considering the downloaded apps model as a new venture for selling/distributing mobile as well as web-based applications that support their business collaboration and social software platforms.

Nov 9, 2009

Cisco throws a collaboration party

Cisco detailed its Collaboration Strategy and emerging product line for collaboration at its Collaboration Summit on Monday afternoon. Chairman and CEO John Chambers outlined Cisco's vision and plan, which includes technologies from its collaboration and unified communications portfolio.

Cisco today announced significant product introductions across all categories of its collaboration portfolio. The company also announced its entrance into two new markets, enterprise social software and hosted email, with the goal of bringing the collaborative power of online social communities to businesses.

Some of the strategy is based on years of acquiring front-end technologies such as PostPath for e-mail and WebEx for online meetings and combining them with back-end platform services that support secure federation of directory information and media exchange. The Cisco collaboration platform combines real-time and asynchronous communications and collaboration with some twists. For example, Cisco is dedicated to video (communications and content) as a core technology for collaboration.

Many of the ideas that Mr. Chambers presented on how collaboration is key to innovation are not groundbreaking if you've been around the collaboration space for any time. He mostly reiterated the value proposition that electronic communications and collaboration have offered for years. However, it's been a long-awaited conversation from Cisco, and all the talking points are on the mark. As with most vendors, the semantics and strategy are slightly different; collaboration, for example, in the Cisco vision leans more toward the socialization of content and group interactions and real-time communications supported by TelePresence (i.e., presence awareness) and video technologies. This is a contemporary perspective that includes social feeds and threading of information based on tags and/or metadata, which many older collaboration solutions are currently retrofitting into their products.

The product announcements are broken into three lines: Cisco TelePresence, Cisco Unified Communications, and Cisco WebEx solutions. A strong connection to real-time communications over different modes, devices, and networks using open-source technologies is a common thread in the strategy. In addition to providing services and presentation-layer interfaces, Cisco reiterated its dedication to extranets and federation of key service information, like federated presence awareness or directory information.

It's finally good to know what has happened to PostPath. Over a year after acquiring the open-source Exchange alternative, Cisco has subsumed PostPath into its WebEx product line and released a SaaS-based e-mail package called WebEx Mail. They are still riding on the value proposition that WebEx Mail is 100% Outlook compatible and built on open-source technology that makes it easier to extend and manage. While the Outlook point might be valid, management and extensibility are likely only a benefit to Cisco now that it's a hosted solution. The offering seems to be in line with industry standards, with 25GB of mailbox space. Details on data centers and risk management are limited, and Cisco relies on its hosted IronPort solution for in-the-cloud content filtering.

The social software and collaboration efforts are even more nascent, with only select customers getting beta access to the service for the next three to six months. Again, the offering will be delivered as a SaaS model. There are some demos on the Cisco site that illustrate its social solution, Cisco Pulse, and its ad-hoc teaming solution, Show and Share. We'll have to wait to see more on how customers will respond to the tools.

So will this be disruptive to the collaboration market? Cisco definitely has strong technology, and the high-definition video interfaces will be attractive to many customers who rely on teleconferencing. Cisco's strategy is a network-centric vision, which is to be expected. Large global companies that want to create their own secure networks will likely be very interested in the Cisco solution. Although Cisco points out that its platform is extensible, like most collaboration providers, the idea of a single platform for the most fidelity is strong here. Of course, for e-mail and collaboration, customers will need to weigh the cloud risks, which is still a tough subject when considering the regulatory and legal complexities that global firms face. What I think these offerings do is add yet another better-defined platform solution to the choice matrix for customers, which for Cisco did not exist in a coherent form until now.

For more details on the Collaboration Summit with lots of resources go to Cisco's Community Central.

Cisco Breaks Down Barriers to Business-to-Business Collaboration -> Cisco News

Microsoft Announces Exchange Server 2010 Availability and Wave of Innovations at Tech•Ed Europe 2009: Exchange 2010, Windows 7 and Windows Server 2008 R2 help customers realize better productivity, efficiency and potential cost savings up to 70 percent.

Exchange 2010 goes into General Availability today. If you want to follow the announcements and the technology, check out the TechEd Europe 2009 press room for sessions and keynotes.


Nov 5, 2009

Judge jettisons lawsuit challenging Gartner's Magic Quadrant | NetworkWorld.com Community

It's all a matter of opinion, even when the opinion is very influential.

In essence, this case boiled down to a question of whether the Magic Quadrant is an objective presentation of quantifiable facts, or -- as Gartner argued and should be obvious to all -- simply Gartner's opinion based on its research.


Nov 4, 2009

Design Criteria Defaults: SaaS

Yesterday I wrote about vendors making mobility a primary design criterion when developing collaboration platform interfaces; today I want to focus on SaaS.

Still in its 2009 rage, the Cloud continues to pose issues for customers and vendors alike. Since late 2006 we've seen traditional software vendors, including IBM, Microsoft, Oracle, and Cisco, throw their hats and products into the Cloud and offer SaaS-based delivery of many of their popular solutions. Spurred on by Google's ambitions in the enterprise market, each vendor has come up with its own approach to SaaS and the Cloud. Some have made it out of beta to deliver ready-for-prime-time offerings (Microsoft Online, LotusLive), some have pulled back to only providing private offerings (Oracle), others are emerging through building on top of consumer-based acquisitions (IBM Lotus and Cisco), and others are working on configuring the right architecture (Cisco).

Bottom line: updating existing products and systems and building a hosting operation is not simple. It's not easy to transform an installed, on-premise system, like e-mail or collaboration, into a multi-tenant, scalable, and secure SaaS offering. The migration of back-end servers to support larger loads and parsing out multiple domains can take time. Once that's in place, modifying other supporting services like Directory or Search to support the complex security and permissions also takes time. Finally, designing the presentation layer to provide secure functionality also requires a change in attitude and development assumptions.

As with mobility, vendors need to consider hosting capabilities as a primary design criterion for all new system software. Microsoft has done well in coming closer to this goal in its SharePoint and Office 2010 designs, but some of its forthcoming BI servers are still treating the hosting part as a follow-on job. IBM Lotus, on the other hand, appears to be approaching things differently, developing on-premise solutions separately from its LotusLive offerings, many of which consist of acquired hosted products like Outblaze's e-mail or the Unyte hosted meetings.

It's not a foregone conclusion that all on-premise platforms need to be retro-fitted or upgraded for SaaS delivery. Designing for hosting will likely help in the integration department and make hybrid on-premise/Cloud delivery easier for both the vendor and the customer.

Design Criteria Defaults: Mobility

A few weeks ago I wrote an article for SearchDomino on IBM Lotus' continued expansion into mobility. One of my predictions was that we'd "see increased dedication from IBM Lotus and other vendors to make designing for mobility a primary consideration when building future versions of software tools." As my article points out, the current state of the mobile device OS market means there are lots of moving parts for vendors to keep track of, and strategic partnerships appear to be the preferred approach for vendors when tackling mobility. Recent smartphone developments are swaying the market toward the downloaded, device-specific application model (which vendors have to address on a platform-by-platform basis) rather than web-based software interfaces optimized for mobile browser support (which vendors have more control over).

While IBM Lotus is doubling down on mobility, it appears that Microsoft is not, at least not in the collaboration arena. Having just returned from Microsoft's SharePoint Conference, I saw little focus on mobility. The one session I attended on mobility consisted of an advert for the latest Windows Mobile version and a look at .NET APIs for making mobile applications. Using SharePoint on a mobile device is still, even in the 2010 release, relegated to adding a "/m" to the end of a SharePoint URL. Considering the promise of SharePoint 2010 as a content management and rich collaborative solution, it is likely that many users will find typing long URLs into mobile browsers sub-optimal.

Dedication to designing for mobility is one thing; execution is another. Mobility should be part of the design process in the earliest stages these days. IBM Lotus has revealed its mobility intentions, and now it remains to be seen how it will execute. Microsoft has yet to take a stand on mobility for its next generation of productivity and collaboration tools.