Entertaining and informative reading, Ethan Zuckerman’s notes on his talk at ETech, “The Cute Cat Theory”.

A couple of excerpts to draw you in, but you should go read it for yourself.

Web 1.0 was invented to allow physicists to share research papers.

Web 2.0 was created to allow people to share pictures of cute cats.

and

Based on my Tripod experience, I’d offer the hypothesis that any sufficiently advanced read/write technology will get used for two purposes: pornography and activism. Porn is a weak test for the success of participatory media - it’s like tapping a mike and asking, “Is it on?” If you’re not getting porn in your system, it doesn’t work. Activism is a stronger test - if activists are using your tools, it’s a pretty good indication that your tools are useful and usable.

When I was working in the online dating space, I assumed the deluge of porn was a function of our being the intersection of people who were single/horny and willing to use their credit card to buy things online. Now I’ll have to re-think that assumption, something I probably should have done long ago based on the presence of porn comments in my spam filter.

I don’t recall any activism in the dating business, but maybe it just never made its way over to me since I was focused on security and fraud.

But I digress…

The real point of the talk is about activism, not porn, and more specifically about how activists effectively use social networking tools to align the interests of people who share pictures of cats, drawing in the cat sharers of the world (who far outnumber the activists) as collateral damage.

That’s not to say this approach is perfect–he explains how the Chinese government has engaged in a game of measure and countermeasure censorship, but in general, it provides an interesting example of how activist signal benefits from cute cat noise and the unintended conseqences of both.

The current enterprise infrastructure is expensive, designed and based on the need to preserve the status quo rather than deliver optimal services. Thinking in terms of services we must deliver, the platform becomes less and less relevant. Look at the percentage of services we can get from the Cloud (both external and internal), the platform becomes nearly irrelevant.

We have to “buy” the most cost-effective platform. Microsoft Windows is not cost effective — it requires its own set of services just to provide a minimal platform. No, it will not all go away with Linux, but many of them do, or become a much smaller problem and require a lot less engineering & architecture to provide required services.
Change happens in volatile times.  This is a volatile time…

Bob

I’m somehow surprised that I totally missed the announcement of a DLP partnership between Microsoft and EMC.

Bob had seen it, but his response was a yawn: “I saw it but the results from the work are a couple of years out so I ignored it. Maybe it will come sooner, but I do not trust that it will work beyond the MS world for years to come.”

The more I think about it, though, the more I see that all it does is provide yet another example of how hard it is to keep things under control in a large corporation. I’ll start with a quote from Rich Mogull’s generally excellent analysis,

One of the biggest obstacles to a successful DLP deployment can be a poor directory infrastructure. If you don’t know what users have what roles, it’s awfully hard to create content-based policies that are enforced based on users and roles.”

Let’s be honest. Most large corporations can’t even begin to do that. At best, we know which Business Unit most of our employees generally work with. Take me as a case-in-point. I work for the CSO, who in turn works for the CFO, but I do half my work with IT, half with the Business Units, and half with the Security Group (yes, that’s three halves. I’m bad about 60 hour weeks).

So even if we could do this in theory, the reality is that this is as much a political as a technical or management problem. For example, when sales and marketing can’t agree who should be allowed to show sensitive information to customers, things tend to either be designed to fail open or get killed before they happen at all.

So now we’re left with an exception process that either subverts the goal of the control (indicating controls in excess of actual risk tolerances) or a huge cost center to manage and provision those exceptions, in which case the cost of the control makes it a target for cutting until we’re left with the former problem.

Second, given how much of our information no longer even pretends to live on systems we control, it would have to integrate with third parties, all of whom would need to be compliant. I suspect that even Wal-mart, legendary for their iron grip on their partners and suppliers, would struggle with this one.

Those third parties would have to have both the ability and the willingness to implement their technology to match “our” specifications, which probably aren’t their other customers’ specifications, and it all spirals downhill from there.

I’ll be honest. We struggle to get third parties to implement basic network-level controls or follow patching regimens (which, come to think of it, can we often can’t do so ourselves). What chance do we have of getting them to adopt a significant systems integration project which will require them to “open the kimono” to us regarding their own internal business processes and organizational structures?

Finally, given that the IT infrastructure, despite all efforts at “standardization” (which is what an IT person says when they really mean “monoculture”) is still a fragmented mess of platforms, vendors, and versions.

So what we have is something that sounds great in theory, but in more of a Platonic Ideal of secure information flow than anything that realistically accurately describes the messy reality of how information is created, used and distributed across the modern corporate world.

And, despite claims to the contrary, my experiences dealing with The Business–the non-IT people who actually conceive, make and sell things–that’s at least partially by design.

That’s not to say that all hope is lost, nor that this isn’t valuable and useful technology. But it’s like anything other tool–it has a time and a place, and things may get broken if used otherwise.

Hello,

My name is Bob; Chandler and I have known each other and worked together for several years. He kindly invited me to be a guest author on the Cubicle. I have been spending a lot of my time in IT Security thinking around alternate computing styles and ways to get the cost out. With the modernization of the Internet, broadband access expansion, and high speed wireless data gives us some interesting new ways to run a business. This is the first in a series and I hope a good discussion around new computing models.

If you still have a small amount of credit in this crazy market you can build and mobilize your business without building big buildings, data centers, or buying lots of new computing hardware. So lets build a business! And buy a few new toys.

If you have an office you have to equip it with Internet access and I would make it wireless. Get the best, it fastest Internet service you can afford. Buy a decent router that has at fast wireless For around $500 get a good double sided color ink-jet printer that has wireless, fax, scanner,etc. You will need one real land line and a REAL phone that does not need batteries. Note that you can maybe save some money and hassle if you set what is called e-fax or electronic fax. (more on this later, there are alternates!)

You need email , the world uses email to do business. For $50 per year per user you can get a Google email account with your own custom domain, web hosting, calendaring, document, storage, and on-line editing. Add a few dollars and Google will provide you advanced features in email controls, filtering, and archiving. Good solid enterprise class tools, storage off of your local computer to keep your data safe and a decent environment to work in.

Now how are you going to access all these fine tools and data? I am a big fan of mobility so I would issue laptop computers and cell phones. But lets be smart about this.

In keeping with the lower cost model (the machine has to have WIFI) lets get a bit lower tier laptop and here is the shocker; run Ubuntu Linux on it. Most of your day to day work will be in Firefox as it works very well with Google. When you need offline access Ubuntu has Open Office and make sure you have the 3.0 version so you are more compatible with all the Microsoft stuff out there. For almost all of your needs you will not need to purchase ANY software! Over time we will talk about applications that will just get the job done for you.

We still need telephones and in today’s world I feel it is important that everyone have a telephone. This is going to cost you a bit of money but the productivity is worth it. With all that nice Google stuff out there you need your email, calendar, and data access on the phone. Well guess what Google got together with some other folks and built a phone operating system called Android and with HTC and T-Mobile made the first Android phone. The phone is good, T-Mobile is getting better all the time so for around $150 for the phone and around $75 per month you have all you need. When you get the phone you sign into your Gmail account and it pulls down your email,contacts, and calendar in just a few seconds.

So now you have the basic end user computing hardware and software you need to operate. No software licensing costs, better performance and best in class communications.

Oh hey maybe a business plan would be cool, but you knew that already. Welcome to Enterprise 2.0 and End User Computing 2.0.

This may be one of the worst ideas I’ve heard in a long time.

Cary Sherman of the RIAA…[is]…trying to convince other industries to step up and help the entertainment industry as well. His latest, as pointed out by Broadband Reports, is that one possibility would be for anti-spyware/anti-malware applications to also watch for the transfer of unauthorized copyright material. Sherman suggests that this would be one way to get around the question of people simply encrypting traffic to avoid ISP filters.

The original TechDirt piece does a fine job of explaining how it is not the job of others to break their products to help prop up a broken business model, and I wholeheartedly concur. As a general rule, if your business model needs people beyond your influence to change what they’re doing in a manner that’s not in their own best interest, then you’re the one with the broken model.

Fortunately, I think that the risk of this actually happening is close enough to zero that I can just laugh at the absurdity of it all and maybe have some fun batting it around like a cat with a toy mouse.

I mean, how much better example could you provide of how not to solve a problem? Ignoring the fundamentally shifting business landscape for music (micro-targeting, the Internet breaking the radio+record company cartel, etc.) and instead trying to screw up the new distribution mechanisms is just silly.

All that tying an evil-and-unnecessary thing to an irritating-but-necessary thing (if you run Windows) does is reduce the effectiveness of the irritating-but-necessary thing, since you now create a strong disincentive for some of the the most at-risk people (in this case, downloaders) to use the product.

It took me over half an hour to get to this news release, and that was before most of the United States was awake. TrueCrypt 5.0 has been released and it’s significant:

We are pleased to announce that TrueCrypt 5.0 has been released. Among the new features are the ability to encrypt a system partition or entire system drive (i.e. a drive where Windows is installed) with pre-boot authentication, pipelined operations increasing read/write speed by up to 100%, Mac OS X version, graphical interface for the Linux version, XTS mode, SHA-512, and more.

Up until now, full disk encryption was only an option for enterprises, and all-too-often, not even then. My hat is off to the TrueCrypt team once again.

according to BoingBoing,

Analyst reports circulating in the news today indicate that about a million iPhones have been unlocked to operate on networks other than AT&T — and that’s said to be roughly 27% of all the iPhones sold in 2007.

This is quite a dilemma for Apple:

Unlocked iPhones generate 50 percent less revenue and as much as 75 percent less profit than those tethered to service contracts, Sacconaghi said. If 30 percent of the 10 million iPhones Chief Executive Officer Steve Jobs plans to sell this year are unlocked, Apple’s earnings may be lower by about 37 cents a share in each of the next two years, Sacconaghi said.

The story would have us believe that if Apple sells the product that people want (unlocked phones), then they lose significant earnings. This may even be true, but I personally believe that what we’re seeing here is the below-the-waterline hole in the wireless business model. If you consider this list of locations where people are quite willing to pay at least list for iPhones, then I would argue that Apple is throwing away a golden opportunity to grow their global brand presence and continue to drive demand across their product line.

Right now, the iPhone is, hands down, the slickest phone on the market. I’ve either had or gotten to play with pretty much every smart phone out there, and for overall user experience, the iPhone blows them all away in terms of slickness and cool factor. Yes, I’m aware of the numerous criticisms of broken or missing fundamental features, but I don’t know a single iPhone owner who is so irritated by those things that he or she considers it a bad purchase, even at its relatively high price point.

Now the thing that I’m really curious about is if Apple made a good risk decision by following the (U.S.) carriers’ subsidized lock-in business model.

Did they lack sufficient confidence in the strength of their product and brand? Or is this (more likely) a symptom of a “razor and blades” business model, only with a very expensive razor, and if so, what does Apple think are the “blades” of the cell phone market? Were they unsure that they could bring a successful phone to market, given the fiasco of the design-by-committee joint venture with Motorola, the ROKR.

Digital economies built on scarcity are withering and dying–witness the music industry, whose model has collapsed to the point where the middlemen of the Major Labels and the RIAA really have nothing but the threat of lawsuits against customers and a historical monopoly over access to audiences

Given the rate at which people are willing to risk voiding their warranty and “bricking” their phones with a bad firmware hack just to gain functionality that they believe they deserver, I find it hard to believe that Apple wouldn’t have been better off selling an unlocked, unsubsidized device and sold blades based on findability (like iTunes), authenticity (the one upside of walled gardens/captive portals), and patronage (the Cult of Apple) rather than scarcity.

Is this a risky move? Perhaps, but I would argue that the trendlines are on their side, and remind everyone that risk is ultimately the downside of reward, so by limiting their risk, Apple also limited their potential success.

Security, as we all (should) know, is a people problem. Throw a little bit of technology into the mix and it can get messy in a hurry. I’ve got two interesting tales of security woe today, both addressing the role of people and, more specifically, the interaction of people and technology leading to security woes.

First, consider the case of a Powerpoint presentation from the Office of the Director of National Intelligence:

Terri Everett of the Office of the Director of National Intelligence gave a Powerpoint presentation which was also hosted online, unfortunately some data behind his pie charts revealed rather more than intended. Writer R.J. Hillhouse found that she could open the chart object and extract the numbers from within. The result is that she, (and all of us, thanks to her blog) now know that the budget of the 16 US intelligence agencies is 25% more than previously thought - $60 billion.

Oops. For some reason, people often fail to comprehend that that data-driven tools (such as graphing controls) are backed by data, and that unless they explicitly sever that relationship (for example, by copying and pasting the values they want to use into a new document), that the underlying data from which they distilled their pretty pictures is still there, either directly or indirectly.

But the problems don’t stop there. A critical eye and a fundamental understanding of the system that the data is modeling can catch all sorts of interesting opportunities.

For example, a couple of years ago I was reviewing the results of our annual employee satisfaction survey. The information included not just my department, but the totals for each department in the entire group up through the CISO.

I noticed that there seemed to be an off-by-one error in one of the results, and realized that it wasn’t an error, but rather that the CISO’s answers had been included in the totals (”x people rated us a 1, y people rated us a 2 on it,” etc.) as an unlisted one-person department! It therefore became trivial to extract out his “confidential” answers to the entire survey.

Fortunately, the survey had not been widely distributed yet (and most people who had a copy hadn’t looked hard enough to notice this), but even so HR was loathe to withdraw and re-issue every report that was vulnerable to this simplistic Data Mining Attack.

Next, carrying forward the theme of the importance of knowing how much you do or don’t know, there’s a tale of social engineering gone horribly wrong. For a little background, Steam is a combination online community and license key management application that Valve Software, a major game developer, built to support their online games and (eventually) roll in some fairly DRM-ish anti-piracy features into their products.

Their technology is good enough that social engineering has become the preferred method of stealing keys. Of course, it works better for some than others, and so our story begins…

Greg_ValveOLS says:
my name is greg a member of the valve online Support team

br0kenrabbit says:
On MSN?

Greg_ValveOLS says:
yes :)

br0kenrabbit says:
Why?

Greg_ValveOLS says:
we logged multiple ips from your account and ned to verifi your information

br0kenrabbit says:
My information?

Greg_ValveOLS says:
we believe someone may have stolen your account mmmm you havent shared youre account infomation with anyone have you?

I won’t endorse the final outcome of the conversation, but needless to say, social engineering can be kind’ve like picking a fight in a bar–you won’t know just who you’re up against until it’s too late.

There was an article a few days about about Four Reasons Why Vista is not Worth it. It laid out, as the title suggested, four reasons that Vista wasn’t worth it (slow, bad UI, no one cares about security, and better alternatives). I tend to agree, but the first thing I do to any workstation or laptop I get is turn off the eye candy, I know all-too-well how little people care about security when it requires effort on their part, and I’m also a known Open Source fan.

Today, though, I saw an article in Computerworld about Vista’s DRM “Features” which they sum up as:

In a nutshell, this is the dilemma Microsoft faces as it prepares to launch Windows Vista. By any standard, Vista’s new DRM capabilities — aimed at protecting the rights of content owners by placing limits on how consumers can use digital media — hardly qualify as a selling point; after all, it’s hard to sing the praises of technology designed to make life harder for its users.

Microsoft itself defines DRM in straightforward terms, as “any technology used to protect the interests of owners of content and services.” In theory, it’s an easy concept to grasp; in practice, however, modern DRM technologies include a multitude of hardware-, software- and media-based content-protection schemes, many of which have little or nothing in common.

What’s missing are the rights of users–those pesky folks who actually provide the cash whose flow the “rights owners” are so intent on protecting. And in case there’s any doubt where Microsoft stands on this position, a person need look no further than their own contribution to the DRM stew, the Software Protection Program, the follow-on to Windows Genuine Advantage process:

SPP requires that users validate their version of Vista with a software license key within 30 days of its activation. Users who don’t validate the operating system will be prevented from using certain features, including the new Aero graphical user interface, the ReadyBoost system performance application and, most controversially, the Windows Defender antispyware program.

After 30 days, Vista goes into a reduced functionality mode, similar to Windows Safe Mode — users have access to a Web browser (so they can validate or purchase a copy of Vista), but none of their computers’ other functions.

This can be summed up as, “If Microsoft decides that you are no longer worthy (for whatever reason), then they have the right to break your computer.” It’s like a protection racket, except that your computer will break its own knees if “Balls” Ballmer decides you haven’t paid the juice.

Update: Changed title to more accurately reflect what I think will happen with Vista.

Security is like an analogy. It only works up until the point that someone considers an angle or aspect that you haven’t previously considered and accounted for.

Yes, (bad) security analogies are a pet peeve of mine. Analogies are defended as a mechanism to help people begin to understand a concept. Mostly, however, they seem to be used as an alternative to understanding a concept.