Security

Sneaky Microsoft tricks backfire

29 Sep, 2007

Microsoft is already considered "big brother" by many who dislike its dominance of the IT and personal computing market, so when it does something with less than genuine intentions it is going to raise the ire of many. Any business relationship (B2B or B2C) boils down to a few key tenets: the benefits both parties receive through the transaction, and the trust underlying the relationship. The more dominance, power or control one side has over the other, the easier it is for that trust to be damaged.

As Brian Krebs of the Washington Post reported, one such occurrence surfaced this week when WindowsSecrets.com confirmed that Microsoft literally "pushed" a software update onto Windows XP users. The update ignored the Windows Update setting that requires the user’s okay before any update is applied. Now that move has backfired, because users who repaired their XP system from the installation CD are left with an operating system that blocks the installation of 80-some updates, leaving their systems vulnerable. That unknowingly strands users with systems that can be, and may have been (though I’m not aware of any confirmed cases), compromised as a result.

Now any Microsoft-phobe (of which I’m not one) can say "told ya so" when it comes to abusing control over your PC. Have any PCs been damaged (hacked) as a result? That we don’t know, but the damage here is to customers’ trust that power won’t be abused. Something similar happened a year or so ago when too much information about your computer was being sent back to Microsoft during system updates. Each situation erodes that trust a little further.

I think it is important for every vendor, not just the big ones like Microsoft, to place a high value on the trust relationship with the customer, and not just because of potential media exposure or public embarrassment, but because ultimately trust is the foundation the relationship is built upon; when it is destroyed or eroded far enough, the relationship breaks.

As Uncle Ben taught Peter Parker, a.k.a. Spider-Man: "with great power comes great responsibility."

(Man, I love it when I can get in a great comic book reference every once in a while.) 🙂

Uncategorized

Stop, enjoy the moment, say thanks

28 Sep, 2007

A good friend of mine used to tell me, "Mitchell, be sure to stop and take time to enjoy the moment." I think it was Jim Young who told me that. Sometimes I didn’t quite know what that meant, and other times I think I get it.

Well, today was one of those days. During a company meeting, I just stopped, looked around, and really took stock of how much I appreciate all of the contributions, skills and unique talents of the people I work with at StillSecure. We’ve enjoyed a number of company and product successes, and it is really a great thing to be part of a talented group of people who band together to accomplish shared goals.

As part of enjoying that moment, I took time later in the afternoon and tonight to send a few emails out to teams within the company, just to say thanks and let them know how much their hard work is appreciated. I heard once that you can never say thank you enough, and that’s probably true because we usually don’t take the time to say thanks often enough. Sort of a self-fulfilling prophecy. It’s easy to get caught up in successes, challenges, and even the fun you are having.

Thank you also to our customers and partners, who ultimately are the judge of any company’s success. We continue to enjoy great relationships and I’ve made a number of business and personal friends as a result.

So for me, part of enjoying the moment is also taking the time to say thank you. That’s something I’m continuing to make a priority. It’s important that everyone knows they are appreciated, and that’s too important to leave unsaid.

Security

3Com to be private – Update

28 Sep, 2007

UPDATE to my post 3Com to be private

Sramana Mitra left a comment about her conversations with Eric Benhamou of Benhamou Global Ventures (who also sits on 3Com’s board of directors) about 3Com going private. Here’s a link to Sramana’s blog post about how this might be a play against Cisco. Very interesting read.

Also, in the interest of full disclosure, my company has a business relationship with 3Com but I don’t have any inside knowledge, confidential or related information about this transaction. For the record – I’m an observer like everyone else. 🙂

Security

3Com to be private

28 Sep, 2007

3Com is announcing today that it’s being taken private by Bain Capital and partner Huawei Technologies for $5 per share, around $2B in total. That sheds a little more light on 3Com making TippingPoint private too.

Some are guessing that Huawei, with 3Com, will cut costs to preserve 3Com’s cash generation capability and focus on the China markets. Possible, but I’d see 3Com as Huawei’s entrée into US markets, so why lose ground there? Keep the 3Com train a-runnin’ and go after both markets, or more. There is some momentum to build on, as 3Com generated reasonable cash ($58m) at its fiscal 2007 year end but lost $89m on $1.27B in sales.

I believe 3Com still has a lot to offer the market, and spinning off TippingPoint, getting the markets off their backs by going private, and some likely belt tightening will help them refocus and serve their customers. I wish them the best of luck in coming back as a stronger company.

Product Mgmt

Product Bistro: Aggressive Behavior

27 Sep, 2007

I’m starting a new category of posts about my personal experiences conceiving, designing, implementing, developing, testing, and experiencing products and services. Those experiences are an amalgamation starting with my first product, medical office business software, and include creating end user software, data/video/online and Internet services, and networking products.

This topic is one I’ve wanted to bring some focus to in my blog for some time, so I guess there’s no time like the present. I chose Product Bistro as the category name because bistros are associated with high quality, creativity, well designed presentation, and innovation brought to foods we might eat every day. So, enough of the whys and wherefores; pour a glass of wine and let’s dig into the next course.

First, A Pet Peeve – Aggressive Messaging

Since I’m such an avid consumer of information on the web, RSS feeds and information portals (magazine sites, vendor sites, etc.), there are a number of things I’ve observed about them. There are some bad design practices which I categorize as "aggressive behavior". I’ve been collecting these complaints for a while, so here goes.

Design Axiom: Try not to make pissing off the user the first thing you do. – Anyone notice that websites are getting more aggressive about in-your-face advertising? It’s not any one single problem (though even one bad design can be very annoying) but the cumulative effect before you get to the content on the site. It can be really aggravating.

Annoyance #1 – Skip The Welcome Advertisement. Many sites now have landing pages that present an animated or static graphic advertisement and then redirect you to the page you really wanted to see. Some pages don’t even redirect; you have to find the clicky to move forward. Now, I’m not anti-advertising. I’ve clicked many an ad when something interested me or happened to be timely with my interests. But creating an impedance between me and the content, or making me find the clicky to get around it, isn’t endearing my endorphins to the advertiser’s message.

Annoyance #2 – Thou shalt not hover over thy reader’s text. Ads, surveys or any floaty that hovers on top of the text you are trying to read is like flinging mud on your goggles. It doesn’t happen all the time, and it’s likely due to browser incompatibilities or script errors. Regardless of the cause, it’s better "not to give and not to receive" if users will experience errors like this. Just avoid such practices in the first place.

Annoyance #3 – Coffin corners and sonic disturbance. I usually have quite a few tabs open in Firefox; I open tabs to articles I want to read later. A few information portal sites have these nasty advertisements lurking in the upper right hand corner of the web page. They look like the curled end of a piece of paper. When I’ve gone to select the rightmost tab, a link or a Firefox browser feature, fireworks happen. The page corner curls down three-fourths of the way across the page, bugs start stomping across, and a really annoying and loud chirping sound starts blasting. Frankly, it’s scared the crap out of me a few times when I didn’t expect it. Rather than interest me in the product, my reaction was to close the page as soon as possible to turn the dumb thing off.

Annoyance #4 – MTV "twitch", vertigo simulator or information portal? Animation can be a very effective tool in product design. It’s not used often because if the animation itself doesn’t portray some valuable information, then it is eye candy and gets turned off. Most products use it sparingly, and wisely so. An entire screen of flashing red icons isn’t necessarily more effective than a solid red banner across the bottom of the screen warning of the condition. Where I see animation overused most is in advertising on information portals. Animation gets your attention, and that can be a good thing. But if 3, 4 or more things are barking at you while you’re trying to read something, your "life’s too short" gene triggers and it’s time to move on. Remember, for animation to be valuable, it should help communicate some information, not just be a barker on your computer screen. (I won’t subject you to a bad example of this.)

There ya have it. I hope you enjoyed this first post. Don’t worry, I’m not just going to complain about web sites all the time. More to come… Next I’ll talk about "cracks in the drywall". Thanks for reading.

Network

Should IPS kick wireless users off the network?

26 Sep, 2007

Jamey Heary of the Network World Cisco Subnet blog discusses the benefits of the Cisco IPS’ ability to request that wireless access points disconnect offenders when malicious traffic is detected. Is this something many people use? Or is this a "feature" masking the need for better IPS capabilities in WAPs than the Layer 2 IPS built into most wireless access points? Seems like a poor substitute for designing an IPS implementation that addresses coverage of wireless traffic.

Unless it’s very finely tuned, this is likely to generate lots of calls to the help desk line. Kicking users off the network completely, wireless or not, when an IPS finds some offending traffic is likely to create more cry-wolf events than thwarted real attacks. Blocking packets and stateful sessions is much more the norm. Seems like one of those features you’d try out and then very quickly turn off after a few false alarms.

Blocking offending packets or quarantining users with limited access is likely the better solution. But maybe I’m wrong and am missing something here. I would be very interested to hear if any Cisco IPS and WAP customers use this feature and what their experiences have been.

Please email me with your experiences if you would. Thanks.

Podcasts, Security

Podcast #47 – Jeremiah Grossman and Robert Hansen/rsnake

25 Sep, 2007

It’s time to talk about application security again, and we have two of the best to tackle the topic. Jeremiah Grossman, of WhiteHat Security, and his good friend Robert Hansen (a.k.a. "rsnake"), of SecTheory, join us for another romp through this hot industry topic. This is as top-shelf as it gets when it comes to application security, so button down your networks and come along for the ride.

We hit a number of relevant topics: why just using your browser is a big security risk (including the latest XSS vuln, btw), how the "safety in numbers" philosophy is no longer a valid strategy, and the lessons application security can learn from the security industry’s past experiences. We don’t leave too many stones unturned, so if you are interested in security research or application vulnerabilities, this is the podcast to listen to.

Enjoy the podcast. Please send us any questions, ideas or suggestions at podcast@stillsecure.com.

mp3 file

Security

NoScript is a must

24 Sep, 2007

Reading Martin McKeay’s blog today about the Google address book vulnerability reminded me to tell you about NoScript. Before I say any more, if you don’t have NoScript installed for your Firefox browser – GO DOWNLOAD AND INSTALL NOSCRIPT NOW, before you read a word more. Really, go do it right now.

Most informed web users would prefer to disable JavaScript and other potentially harmful scripts on the web sites they visit. Some JavaScript can be a security risk; other JavaScript is just plain annoying. But there are sites where you really must have JavaScript enabled, because without it the site is practically useless.

NoScript gives you the ability to disable JavaScript by default, and then enable it only on sites you trust. It’s the best of both worlds. Now, the decision to enable JavaScript on a page, domain or sub-domain is yours to make, so you’ll want to be selective and only enable it when you really need it and trust the site.
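To make the default-deny model concrete, here is an added example (written for this page, not NoScript’s own code) of the decision logic behind a script allowlist: nothing runs unless the page’s host is on the list, an entry can cover a domain alone or together with its sub-domains, and third-party scripts pulled into a trusted page are judged by their own origin. The allowlist entries, hosts and script URLs are constructed sample data; the `includeSubdomains` flag and the page-plus-script rule are this example’s model of the behaviour, not NoScript’s configuration format.

```javascript
"use strict";

// Constructed allowlist: every trust decision lives here, everything else is denied.
// includeSubdomains: true  -> "example.com" also covers "www.example.com" etc.
// includeSubdomains: false -> the exact host only.
const ALLOWLIST = [
  { host: "bank.example", includeSubdomains: false },
  { host: "example.com", includeSubdomains: true },
];

// Extract a normalised host from a URL. Anything that is not http(s), or that
// cannot be parsed, yields null and is therefore denied by default.
function hostOf(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return null;
  }
}

// Match on a dot boundary so "notexample.com" never satisfies "example.com".
function hostMatches(host, entry) {
  const trusted = entry.host.toLowerCase();
  if (host === trusted) return true;
  if (!entry.includeSubdomains) return false;
  return host.endsWith("." + trusted);
}

// Default deny: returns { allow, reason } for a single URL.
function scriptDecision(url, allowlist = ALLOWLIST) {
  const host = hostOf(url);
  if (host === null) return { allow: false, reason: "no http(s) host" };
  for (const entry of allowlist) {
    if (hostMatches(host, entry)) {
      return { allow: true, reason: `trusted: ${entry.host}` };
    }
  }
  return { allow: false, reason: "not on allowlist" };
}

// A page's scripts run only when the page itself is trusted AND each script's
// own origin is trusted; a trusted page does not launder untrusted third-party script.
function filterScripts(pageUrl, scriptUrls, allowlist = ALLOWLIST) {
  const result = { allowed: [], blocked: [] };
  if (!scriptDecision(pageUrl, allowlist).allow) {
    result.blocked.push(...scriptUrls);
    return result;
  }
  for (const s of scriptUrls) {
    (scriptDecision(s, allowlist).allow ? result.allowed : result.blocked).push(s);
  }
  return result;
}

// Usage with constructed URLs.
const demo = filterScripts("https://www.example.com/article", [
  "https://static.example.com/app.js",
  "https://ads.tracker.example/ad.js",
]);
console.log("allowed:", demo.allowed);
console.log("blocked:", demo.blocked);
```

The two things worth noticing are the boundary check in `hostMatches` (a naive `endsWith("example.com")` would trust `notexample.com`) and the fact that the decision is made per origin, so enabling a site you trust does not automatically enable every advertising or tracking domain it embeds.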

Security

The fastest way to implement NAC

24 Sep, 2007

Network Access Control (NAC) is a very hot market, getting its fair share of press coverage and buzz every day. One of the knocks, though, is that NAC can be complex to implement, require infrastructure changes or pre-deployment of 802.1X throughout the network, or require you to use multiple NAC products to cover all the various network connection possibilities. That means even evaluating NAC products can be a lengthy or involved process, just to set up a test lab.

Today, my company StillSecure announced a free version of our very successful NAC product, dubbed Safe Access Lite. Basically, it’s a very robust version of our full product that lets you very quickly connect Safe Access Lite to the network and begin checking out endpoint devices. Up to 250 devices can be tested, and the full suite of tests is included. Run Safe Access Lite under VMware (so you don’t have to dedicate a computer) or install it on an Intel computer, hook it up to a network port, and you can be testing endpoints for AV, patch levels, P2P, browser settings, OS security configuration settings, required and restricted software, etc., etc. Those wanting to quarantine suspect devices can upgrade to the full Safe Access product, including all of the enterprise features such as load balancing, failover and distributed deployment. You can check out all of the capabilities here.

Given the compliance information you can gather, it’s time well spent just for that. Plus it is a great way to come up to speed and learn about NAC by working with a very full featured, mature NAC product. Feel free (pun intended) to check out Safe Access Lite here.
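For readers new to NAC, here is an added example (illustrative code written for this page, not Safe Access’s own rules or implementation) of what an endpoint posture check looks like underneath: a policy listing the conditions the post mentions (AV state and signature age, patch levels, required and restricted software such as a P2P client, a browser setting), a checker that records every failure rather than stopping at the first, and an access decision that sends anything non-compliant to quarantine. The policy values, patch identifiers (`PATCH-EXAMPLE-…`) and endpoint records are all constructed placeholders.

```javascript
"use strict";

// Constructed policy: what a compliant endpoint must look like.
const POLICY = {
  antivirus: { maxSignatureAgeDays: 7 },
  requiredPatches: ["PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002"], // placeholder IDs
  requiredSoftware: ["corp-agent-example"],
  restrictedSoftware: ["p2p-client-example"],
  browser: { popupBlockerRequired: true },
};

// Run every check and collect every failure, so remediation guidance (and the
// help desk) sees the whole picture instead of one problem at a time.
function assessEndpoint(endpoint, policy = POLICY) {
  const failures = [];

  const av = endpoint.antivirus;
  if (!av || !av.installed) {
    failures.push("antivirus: not installed");
  } else {
    if (!av.running) failures.push("antivirus: not running");
    if (av.signatureAgeDays > policy.antivirus.maxSignatureAgeDays) {
      failures.push(`antivirus: signatures ${av.signatureAgeDays} days old`);
    }
  }

  const patches = new Set(endpoint.patches || []);
  for (const p of policy.requiredPatches) {
    if (!patches.has(p)) failures.push(`patch missing: ${p}`);
  }

  const software = new Set((endpoint.software || []).map((s) => s.toLowerCase()));
  for (const s of policy.requiredSoftware) {
    if (!software.has(s)) failures.push(`required software missing: ${s}`);
  }
  for (const s of policy.restrictedSoftware) {
    if (software.has(s)) failures.push(`restricted software present: ${s}`);
  }

  const popupBlocker = endpoint.browser && endpoint.browser.popupBlocker;
  if (policy.browser.popupBlockerRequired && !popupBlocker) {
    failures.push("browser: popup blocker disabled");
  }

  return { id: endpoint.id, compliant: failures.length === 0, failures };
}

// Admit compliant endpoints; everything else gets a quarantine network with
// remediation-only access (the "quarantine suspect devices" step in the post).
function decideAccess(assessment) {
  return assessment.compliant ? "admit" : "quarantine";
}

function assessAll(endpoints = ENDPOINTS, policy = POLICY) {
  return endpoints.map((e) => {
    const a = assessEndpoint(e, policy);
    return { ...a, access: decideAccess(a) };
  });
}

// Constructed sample endpoints: one clean, one with a P2P client and stale AV,
// one kiosk with nothing installed at all.
const ENDPOINTS = [
  { id: "laptop-01", antivirus: { installed: true, running: true, signatureAgeDays: 1 },
    patches: ["PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002"],
    software: ["corp-agent-example", "office-suite"], browser: { popupBlocker: true } },
  { id: "laptop-02", antivirus: { installed: true, running: true, signatureAgeDays: 30 },
    patches: ["PATCH-EXAMPLE-001"],
    software: ["corp-agent-example", "p2p-client-example"], browser: { popupBlocker: true } },
  { id: "kiosk-03", antivirus: null, patches: [], software: [], browser: { popupBlocker: false } },
];

for (const r of assessAll()) {
  console.log(`${r.id}: ${r.access}${r.failures.length ? " (" + r.failures.join("; ") + ")" : ""}`);
}
```

Keeping the policy as data and the checks as small independent tests is what lets a product of this kind report "why" alongside "quarantine", which is the compliance information the post says is worth gathering even before you enforce anything.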

And while you’re at it, check out our unified network platform, Cobia. Cobia offers integrated network and security functions, such as firewall, dynamic and static network routing, DHCP and more. Cobia is StillSecure’s open source software offered under our community license. It’s also free to use, and you get the source code too.

Hardware

PC manufacturer pushes chip makers for open source drivers

21 Sep, 2007

Ever order a new model of a computer or server only to find that Linux doesn’t yet have a driver to support the chipsets? This can even happen when there isn’t a new model or a substantial engineering change. A simple rev of a network chip or graphics processor can send your Google search bar a’ humming, looking for any news of a driver update. Sometimes it’s no problem. Or you may have to use a beta driver or just wait until one emerges.

Intel’s Chief Linux and Open Source Technologist, Dirk Hohndel, disclosed during a presentation that a major OEM customer (Dell, IBM, HP? We’ll just have to guess) is requiring that an open source driver be available within 12 months of a new chip. That may sound like a long time, but 12 months would be the longest they’ll wait. And chips don’t make it into boxes right away. Suppliers have to exhaust existing inventory, or exchange it with others who can use their inventory, in order to take a new chip. Manufacturers also have engineering, QA, testing processes and manufacturing specs and verification processes to go through in order to replace or introduce a new chip.

The good news for us is that either the chip makers will need to release an open source version of their drivers, or otherwise seed the creation of open source drivers. Hopefully this means we’ll have both: a choice of drivers to use, and drivers available to test and use more quickly. Either way, it’s a bellwether moment of one customer saying to their supplier, "we require that open source software be available to help our products get into customers’ hands." That’s good news for all of us.

Note: Slides are available here if you are interested.