Friday, June 27, 2008

Thanks, Bill

I read several of the articles this evening describing the departure of Bill Gates from Microsoft, and quite a lot of the commentary.


While some of it was appropriately complimentary, I thought a lot of it was kind of spiteful and missed the mark. One of the comments that I did see that I agreed with was from Rob Pegoraro of the Washington Post:

"...one of the foremost virtues of Microsoft's operating systems has been the staggering variety of third-party programs available for them."

Pegoraro is correct. This really is Gates' legacy at Microsoft: unlike the Apple world, which until very recently was a (relatively) closed environment, Gates perpetrated a non-Jobsian world in which we all got to write software and compete with each other.

Yes, there's that whole monopoly situation that happened, but for all the word processing companies that were put out of business, there are a bunch of other software developers - including several extremely large companies - that would not (could not) have existed without the hobbyist approach taken by Gates and Allen.

For anyone interested in these *real* early days of Micro-Soft (when it was three employees - Gates, Allen and Davidoff - and still had a hyphen), check out the text of the letter written by then-hobbyist Gates pleading with hobbyists to pay him and Allen royalties for BASIC so they can "hire ten programmers and deluge the hobby market with good software".

Like the shareware/hobbyist generation of developers he helped get started, he lists his apartment as the suggested drop point for donations - 1180 Alvarado SE, #114, Albuquerque, New Mexico, 87108.

Did Microsoft simply do a better job of engaging the user? Or did convenience (and bundling, as in Office) win the day? The release of FireFox 3 may settle once and for all the questions about whether better design (and investment in innovation) eventually win out over time.

For me, the most interesting aspect of Gates is not his company but the approach he is taking to deploying his wealth. He and his wife are doing some pretty remarkable things around the world, and are, unlike many organizations, attempting to deploy their money in ways that will ensure the bulk of it is used efficiently.

I think a century from now, Microsoft will almost certainly no longer exist. Gates' wealth distribution - and the results of his actions in this area - will be his lasting legacy.

Internet DNS Root Managers Attacked

In the past hour, various news outlets have reported that users visiting the web sites of ICANN (the Internet Corporation for Assigned Names and Numbers) and IANA.org, the Internet Assigned Numbers Authority, have been redirected by a Turkish hacker group calling itself "NetDevilz".


According to the New York Times, users visiting the servers of the above organizations were re-routed to a domain called "atspace.com" and greeted by the message "You think that you control the domains but you don't! Everybody knows wrong. We control the domains including ICANN! Don't you believe us?"

This is obviously *not* good news. These two organizations manage the core (root) servers that match domain names (i.e. web sites) with the http requests made by your browser (the site you type into the address field - i.e. www.google.com).

When hackers "poison" DNS servers (Domain Name Servers) in the manner they did today, their intention is most often to take your request for the web site of a bank and redirect it to a site "dressed up" to look like your bank.

This is usually called a "DNS poisoning" or "pharming" attack, but the points of attack are usually much closer to your PC: common targets include your local hosts file, your cable router, the DNS server at your ISP - in short, places relatively close to home.
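The hosts file is the nearest of those attack points and the easiest to audit. The following added example (not code from this blog or from SafeCentral) parses hosts-file text and flags entries that pin a watched domain to a routable address; the watched domain `examplebank.test`, the sample file and the severity labels are constructed assumptions.

```python
import ipaddress

# Names that a default hosts file legitimately maps to local addresses.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
}

# Constructed sample, not taken from a real machine.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
0.0.0.0         ads.example.net            # blocklist entry
203.0.113.45    www.examplebank.test login.examplebank.test
198.51.100.7    intranet.corp.example
not-an-ip       www.examplebank.test
127.0.0.1       ExampleBank.test.
"""


def parse_hosts(text):
    """Yield (line_no, ip, names) for every well-formed mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank, comment-only or no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an address
        # Hostnames are case-insensitive; a trailing dot is the same name.
        yield line_no, ip, [n.lower().rstrip(".") for n in fields[1:]]


def audit_hosts(text, watched_domains):
    """Return one finding per non-local hostname pinned in the hosts file.

    severity "high":   a watched domain (or subdomain) pinned to a routable
                       address, the pharming pattern described above
    severity "review": any other pinned name, or a watched name pinned to a
                       local address (possible local proxy or blocked site)
    severity "info":   an unwatched name sent to loopback/0.0.0.0 (blocklist)
    """
    watched = {d.lower().rstrip(".") for d in watched_domains}
    findings = []
    for line_no, ip, names in parse_hosts(text):
        sinkhole = ip.is_loopback or ip.is_unspecified
        for name in names:
            if name in LOCAL_NAMES:
                continue
            is_watched = any(name == d or name.endswith("." + d) for d in watched)
            if is_watched and not sinkhole:
                severity = "high"
            elif is_watched or not sinkhole:
                severity = "review"
            else:
                severity = "info"
            findings.append(
                {"line": line_no, "name": name, "ip": str(ip), "severity": severity}
            )
    return findings


if __name__ == "__main__":
    # On a real machine, read /etc/hosts or
    # C:\Windows\System32\drivers\etc\hosts instead of the sample.
    for f in audit_hosts(SAMPLE_HOSTS, ["examplebank.test"]):
        print(f"{f['severity']:<6} line {f['line']}: {f['name']} -> {f['ip']}")
```

A clean hosts file rules out only this one attack point; a poisoned router or ISP resolver leaves the hosts file untouched.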

An attack on the root DNS system would be of a different magnitude entirely. Attacks on the root DNS system are potentially far more damaging than attacks on your local ISP DNS servers. Rather than just re-route a single request, or group of requests from a user, a prolonged attack on the root DNS system could have potentially quite harmful effects if the rerouting were to involve targeting of banking or financial systems, or government addresses.

I'm frankly amazed that attacks of this nature are still possible at organizations like this. To me, the attack, labeled a "cyberprank" by some news organizations, is anything but a cyberprank. A different, lower-level hack involving manipulation of records for financial gain or terrorism could have created quite a different story.

DNS security is an often overlooked requirement and something that almost no security software suites provide an answer for.

When we were designing the core concepts for SafeCentral at Authentium, one of the requirements that I added to the service early on was a requirement that every DNS request generated by the user should be sent to a secure infrastructure for resolution - rather than into the non-secure DNS system as it currently exists. We've since added additional security methods to ensure that these DNS requests reach the right destinations.

Today's attack shows why such diligence is necessary - and why the Internet remains a somewhat unpredictable and non-secure environment - and why you should use the best security possible when banking or transacting online.

Sunday, June 22, 2008

The Non-Innovator's Dilemma

"The Innovator's Dilemma" refers to the value-reducing situation that arises when a company decides not to innovate, and chooses instead to focus on merely sustaining its existing products and processes.


This phrase was first introduced by Clayton M. Christensen in the best-selling book of the same name. However, I personally think the title doesn't provide an accurate description of the situation.

I would have gone with "The Non-Innovator's Dilemma". Yes, it's less catchy, but it potentially better reflects what actually goes on inside a company populated by both innovators (who are typically not managers) and managers (who are typically not innovators).

First of all, some definitions. The word 'dilemma' comes from the Greek words "di" (meaning two) and "lambanein" (meaning, "to take", as in choosing a path). Not every decision results in a dilemma. A dilemma only occurs when the choice becomes difficult, and the decision process becomes prolonged. Dilemmas last only as long as the decision-making process.

"Innovation" usually involves a new or novel approach to solving a problem - i.e. the invention of the telephone solved the need for inter-personal communication, the automobile solved the need for inter-home transportation, the assembly line solved the need for mass-production (in the face of mass-demand), and the advertiser-supported search engine enabled advertisers to place targeted advertisements in front of users via the Internet.

Innovations are often termed "disruptive technologies" because they "disrupt" the markets they enter, displacing older technologies (hello TV dinner, goodbye home-cooked meal) and creating new disruptive manufacturing processes (and new marketing channels, markets and support systems) in the process.

Because true innovators are usually future-aware and focused on the potential value of their innovation, they rarely find themselves in any kind of dilemma at all when it comes to plotting the company's forward path. To them, the reason for the disruption they are proposing is obvious, and the value of their tinkering and suggested changes abundantly clear.

The real dilemma usually starts when the non-innovative decision-maker, typically a manager of the type produced by the various business schools, is forced into a room with an innovator and asked (by the innovator) to change his capital allocation budget or the course of the company, either slightly, or in a very disruptive way.

It is this executive, not the wild-eyed innovator/developer, that now faces the true dilemma. Depending on the scope of the new idea, the challenges the manager faces in making a choice whether or not to pursue the disruptive innovation may be enormous, and involve every facet of the corporation's life. Here's an imaginary summary of half a minute's worth of his/her brain activity upon hearing about this new approach:

"I have 'x' amount of capital. I have made firm commitments to my investors as to what our existing product will produce in terms of an ROI (return on investment) for the next three years.

"The cost of ripping up my business plan, disrupting my staff, recruiting new experts, reinventing my processes and legal forms, retraining my sales and support networks, pitching new customers on the new idea, refocusing my development team, and repositioning us in the market is going to be enormous...

"Not to mention the cost of emptying my warehouse/servers of all that old product/code and upgrading customers and the potential liabilities of sunsetting that business - this is going to require me to spend hours engaged with board members and lawyers and other executives and require me to rewrite the budget, and..."


Faced with these kinds of challenges, many executives will often just politely tell the innovator "let me think about it", and back away from the table. Or, if they can't articulate these feelings to this basic level, they may instead decide to say something along the lines of:

"You damn guys are the *exact same team of guys* that asked me for millions of dollars to come up with the product that we're shipping *right now* - and now you're saying that it isn't good enough?!"

Sometimes, a decision-maker will listen and respond in cool fashion to disruptive ideas with this time-honored answer - "prove to me that a market exists for this innovation."

In response, the innovator will often mention that the inventors of the car, Coca-Cola, canned food, the radio, the television, PCs, Kool-Aid and Guitar Hero were all unable to show that a market existed for their innovations - until after they were released.

Which brings us to the dilemma.

The imagined scenarios above are, of course, gross simplifications. But regardless of the relative complexity (or not) of the events that lead up to the decision point, it is at the decision point that the non-innovator's dilemma actually begins.

Will the non-innovative decision-maker choose merely to sustain the existing business? Or get in behind the disruption/innovation? (It should perhaps be pointed out that at the moment the executive makes the decision in favor of disruptiveness, he is no longer a non-innovator, but has joined the ranks of the innovators - maybe Clayton has the right title after all.)

I am lucky enough to work with a smart bunch of guys at Authentium, both on the board and in management, that understand that disruptive technologies - like SafeCentral - are sorely needed in the security software space. But many other inventors and innovators aren't as lucky - which means their companies won't be as "lucky" either.

Nassim Taleb, author of The Black Swan, suggests that businesses succeed only when they create environments within which "aggressive trial and error" is tolerated - and he goes further to suggest that only with "endless tinkering" can innovative companies get "lucky" and deliver to stockholders the future Black Swans/Googles of the business world.

I think he's right. Interestingly, when you look at shareholder growth, it is the tinkerers that make for a good long-term bet - Bell (Bell), Marconi (Marconi), Edison (GE), Ford (Ford), Jobs (Apple), Page and Brin (Google) all returned huge multiples to their investors.

In fact, several studies have shown that public companies led by an entrepreneur/tinkerer (i.e. Steve Jobs at Apple, or Fred Smith at FedEx) grow 8% faster year on year than companies led by a non-tinkerer. One more myth exploded.

Speaking of myths, in addition to the excellent Nassim Taleb (who causes me to wear a permanent wry smile while reading), I would recommend Scott Berkun's book "The Myths of Innovation".

Berkun does a great job of debunking the stereotypes associated with the typical inventor-genius and provides instead an overview of the kind of hard work - and tinkering - that has always been required to create a successful new product.

Thursday, June 19, 2008

SafeCentral "Free Trial Version" Link

A couple of you wrote in yesterday asking for the download link for the "free trial version" of Authentium SafeCentral.


Rather than bury this response in the "Comments" section... the "free trial version" link is the same as the main link I quoted in the blog: http://www.safecentral.com

Just head over there, enter your email address, and the download should start immediately. That's all there is to it.

Note: kudos to Daniel Sullivan of Konceive. The new SafeCentral site design looks really nice, Dan.

Wednesday, June 18, 2008

Gpcode and the "Long Tail" of Ransomware

Many years ago, when I used to work in parts of the world that were considered unsafe (e.g. Washington D.C.), I was sent by my former employers to a day course on "kidnapping and ransom insurance" so I would know what to tell my abductors if I were ever bundled into a stolen SUV, tied up with coarse ropes, and held for ransom in a damp basement somewhere.

(Note to any would-be potential kidnappers - the policy I'm referring to above lapsed over a decade ago. Please take me off your list.)

Aside from the surge of vanity that came over me at the thought that I might be of value to a kidnapper, one of the other things that struck me as strange during this briefing was that their instructions went against everything I'd ever seen in a movie.

In fact, what my instructors advised me to do was this: be boring. Do *not* try to be a hero and/or try to escape (this was, according to them, when most injuries/deaths happen). Tell the kidnappers the dollar amount you're insured for - and hand them the phone number of your insurance company (this was conveniently printed for me on a plastic-coated, wallet-sized card).

I was to do zero negotiating myself - they were adamant about this. It was critical to tell the kidnappers the correct dollar amount. It needed to match the dollar amount the kidnappers would hear upon calling the insurers.

According to these guys - who, despite the apparently exciting nature of their work, were insurance salesmen - having this "fixed value" would be helpful in reducing the time in captivity and the phone number/trusted party would keep me alive.

Not only would it reduce the "back and forth" of negotiations, and allow everyone to get back to a happy place (i.e. home/the jungle) faster, it would reduce the possibility of a "long tail" - which is the (belated) subject of this blog.

What is the "long tail", in kidnapping terms? That's what happens when your distressed wife empties out your bank accounts, then drives to the allotted meeting point under the train tracks on 10th Avenue at midnight, expecting to see your bloodied and battered face in the headlights - only to be told by the kidnappers "we want more".

I could keep telling this story, but you can probably see where this is going. The first demand was simply the start of a very long process of wringing every last dollar out of the "channel" - in this case, the distressed spouse, her family, your family, your employer. This, dear reader, is the "long tail" of kidnapping. And this, unfortunately, is what also occurs in the kidnapped home computer version of our story.

By now, everyone has probably heard of "ransomware" - the kind of virus that somehow gets onto your c: drive, encrypts your data using terrorist-grade encryption, then asks you to buy a "key" to unlock it.

Failure to buy the key, the hackers warn, will cause your data to be "publicly released" (almost always a bogus claim, because they don't have the server space to store your 80 gigabytes of downloaded videos, along with everyone else's).

Alternate claims include the threat that your personal data will be permanently deleted on date "x" (also bogus - because most of these programs don't include a "delete" function), or rendered "permanently inaccessible" (unfortunately, probably true).

You may have also heard via the media that there is a new version of this form of malware, identified last week by Kaspersky as the "Gpcode.ak virus", that will wrap your personal data up into a ball and then encrypt it using a 1024 bit key.

How much encryption is 1024 bits? A lot. The government standard-length key used by your browser to encrypt transactions is billions of times easier to crack. In fact, the largest number that has ever been factored by anyone was this number, and according to several experts, that outcome has been achieved precisely once.

What this all means is that unless you can get your hands on the key (or find some flaw in the implementation of the encryption mechanism, which is what Kaspersky is attempting to do, in partnership with other security firms), your data is staying locked up. Which leaves you with a stark choice: Either give up on your data permanently, or pay the ransom demanded by your kidnappers.

My advice? Do *not* pay the money.

Yes, I know - this contradicts my opening story. But in the real world example that I provided above, an entire industry has gone to work to understand the myriad factors at work when a real-world kidnapping is committed, and has determined that the best course of action is a one-time payment, negotiated via experts, and executed via a trusted party.

In the case of ransomware, or the kidnapping of your computer data, no such trusted party exists, and there is no guarantee that the first payment isn't simply the start of a "long tail" that could get extremely ugly.

How long? How ugly? Well let's look first at the payment mechanism - do you really want to give these hacker/ransomware guys a credit card? Do you really think they'll just ding it once and send you a receipt? Of course not.

Sure, you could potentially bypass that problem by using a debit card purchased from that nice lady at the mall - and you could potentially have them send you the key to a free email account you'll use only once - but what if they send you an executable? Do you think it will just install and magically unlock all that personal data that has been sewn up and then uninstall and you'll never hear from the hackers ever again?

Talk about a "long tail" - when I think of all the possible things that their "data unlocking" executable might include, and could do to your credit, your bank accounts, and your PC over time (please see yesterday's post on Man in the Middle attacks for one example), it makes buying a new PC look like a cheap option.

Which brings us to the happy ending: the reason that ransomware has yet to become a plague on the computing subset of humanity is that most folks, by the time they get set to enter their credit card or unlock their data using the "unencrypt" package they just received via Hotmail, have cycled through the above options, made the right call, and said "goodbye" to their data.

That's what you should do too.

ADVICE #1: PC users have one excellent option available for thwarting potential hostage takers that unfortunately doesn't exist in the real world: it's called "data backup". If you haven't already reached for your backup drive after reading this, now would be an excellent time to do so. One backup a day, and you'll never feel like a victim. Easy.

ADVICE #2: Since I wrote this, Kaspersky has posted a happy ending of their own - a free utility based on Christophe Grenier's PhotoRec utility that Kaspersky claims will restore data and file paths erased by Gpcode. You can get it here. Kaspersky suggests that users who have suffered from Gpcode donate to the author of the PhotoRec utility rather than pay cybercriminals. I agree.

Note: Don't count on this fix working the next time - it is going to get harder as the Gpcode versions get higher. Back that data up!

ADVICE #3: A final piece of advice: make sure your browser disallows "drive-by downloads" - or downloads from unknown or non-trusted sources - so you can avoid getting hit by Gpcode and its clones at the outset. The best solution in this area is Authentium's very own SafeCentral.

Tuesday, June 17, 2008

First Amero, Then Fiola, Then...

You'd think after the mess created by the prosecution of the Julie Amero case in CT, State Prosecutors (and employers) in nearby North Eastern states (i.e. MA), might have become a little more informed as to the myriad ways in which "bad content" can find its way onto a computer - other than via the hand of the computer user.


Apparently not. Anthony Fiola, a 53-year-old MA resident (and a former accident investigator with the Department of Industrial Accidents - tell me *that* isn't irony), is the latest guy to be told to clean out his desk and frog-marched from his former employer's offices a la Amero after a search of his laptop revealed porn on the computer.

And because this story is now out there, you know it didn't stop there. After a forensic investigation by the State, Fiola was charged with downloading "unauthorized content" onto a laptop he was given by his former organization's IT department and sent up for trial - a series of events that led to Fiola losing his paycheck, his insurance, and his employment benefits.

Although most friends deserted Fiola, his wife did not. Fired up, she hired a lawyer and the lawyer hired an independent expert. And as a result, Fiola became the second person to be saved from jail time for an act he most probably did not have anything to do with.

Memo to MA state computer crime detectives and consultants: Guys, the kind of spyware that causes this stuff is rife, and well-documented (check out Alex Eckelberry's site over at Sunbelt Software for some great analysis and commentary on the Julie Amero case, or Authentium's very own Robert Sandilands for more technical analysis).

In any case, maybe it's time that state forensic experts also started relying a little less on one piece of fairly well-discredited forensic analysis software. You all know the application I'm talking about.

Anyway, for those wishing to get mad at the world (and at over-eager state prosecutors) all over again, PC World has a very well-researched article on the Fiola story here that I couldn't hope to embellish or improve. It's told by Fiola in his own words, and it's pretty candid, and pretty darn sad.

If this guy's a liar, I'll eat this blog.

Monday, June 16, 2008

Man in the Browser Attacks - Worse Than Viruses?

The problem with computer security terminology is that while some forms of attack sound appropriately nasty, some of the emerging forms of malware sound more like cartoon characters than serious threats. Take, for example, the "Man in the Browser" attack.


The idea that a computer can become "infected" with a virus, or piece of self-replicating malicious code, is universally understood as "bad", because the analogy is fairly straight-forward, and viruses are universally bad things.

But the idea of using CPU cycles to replicate viruses is considered pretty old-hat these days. Most criminals think it better to use your CPU to process transactions, or ship online banking credentials.

In fact, that's all they think about. Today's villains don't spend their time figuring out how to open your CD tray remotely or clog up your memory - they spend their time engineering ever-smarter ways to get their hands on your money.

So while virus-like behavior can sometimes still be helpful, the model for emerging attacks is no longer the infectious agent. Today's model is the "secret agent", or "snitch". Criminals are now focused on placing their malware in line with your transactions.

Which explains why the focus - and the battleground - for security threats and preventative measures alike is now your browser.

Your browser acts as the central interface for almost every transaction on the internet. Browsers are relatively simple creatures - over ten years, they have evolved to simply render the code passed to them into "pages" of text and images, forms, flash objects, popups, and javascript alert boxes, among other things.

When you make a request to your bank, via your browser, both you and the bank's server are saying to your browser, "render this". Unfortunately, your browser can sometimes prove to be a little too obliging.

Man in the Browser (MITB) attacks have been around for several years, but have recently begun receiving more attention because of their (now proven) ability to thwart the additional security that was supposed to be provided by expensive two factor authentication devices, including physical tokens.

Talking to an authentication token salesman about "challenges" used to invoke funny stories about pocket-lint and what happens when tokens accidentally go through the wash, or end up at the cleaners, or in the hands of valet parking attendants.

This is no longer the case - most two factor token sales reps are now extremely aware of the limitations of these devices - and somewhat nervous about the future of their industry. In the past two months, several large banks - including Abbey and HSBC - have announced rollbacks of these programs.

If you're a two factor authentication user, you should be nervous too. Because those sleek black physical security tokens with the gorgeous flashing red LED readouts are fairly easily bypassed using pretty standard social engineering techniques. Read on.

The "hack" looks like this: You head on over to your bank's site, and tab into the wealth management portal. You enter your user name and pull out your expensive, clock-based, two factor authentication token. You turn it on and key the PIN into the site.

What happens next varies, according to the criminal's MO, and the type of malware installed on your machine. But typically, as your page is being rendered, a piece of software now resident in your browser (that you - or your teenage daughter - previously installed because the video you were watching said "you need a new video codec") wakes up and inserts a few additional lines into the code - maybe five lines of javascript - an alert box, a timer function, and maybe some in-page content - and sends a message to a hacker, far far away.

What happens next looks perfectly normal. Upon loading, the alert box pops up - something like the dialog box pictured above - and says "Server synchronization in process... please be patient", accompanied maybe by a nice animated GIF in the bank's colors.

Except at that moment, as you sip your coffee and watch the seconds pass, secure in the knowledge that these sophisticated systems and occasional waiting periods are the "price of modern security", a hacker somewhere is receiving a timely message that you have started an authenticated session and are ready to transact, using the credentials contained in the message. At which point, he can simply log in as you.
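One way to make that injection visible, as an added example that is not part of the original post or of SafeCentral: compare the script inventory of the page as the bank served it with a snapshot of the page as the browser rendered it. The page markup, the function names and the way the rendered snapshot is captured are assumptions, and both pages are constructed.

```python
import hashlib
from html.parser import HTMLParser

# Constructed login page as the (hypothetical) bank serves it.
SERVED_PAGE = """<html><body>
<form id="login" action="/session" method="post">
<input name="user"><input name="otp">
<button type="submit">Log in</button>
</form>
<script src="/static/app.js"></script>
<script>initLoginForm("login");</script>
</body></html>"""

# Constructed snapshot of the same page after rendering, with the kind of
# additions the post describes: an alert box, a timer and an event handler.
RENDERED_PAGE = """<html><body onload="showSyncNotice()">
<form id="login" action="/session" method="post">
<input name="user"><input name="otp">
<button type="submit">Log in</button>
</form>
<script src="/static/app.js"></script>
<script>initLoginForm("login");</script>
<script>alert("Server synchronization in process... please be patient");</script>
<script>setTimeout(function () { /* keeps the notice on screen */ }, 30000);</script>
</body></html>"""


def digest(text):
    """SHA-256 of script text, ignoring leading/trailing whitespace."""
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


class ScriptCollector(HTMLParser):
    """Collect everything in a page that can execute script."""

    def __init__(self):
        super().__init__()
        self.items = []      # (kind, key, preview) in document order
        self._inline = None  # text buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # Inline event handlers (onload=, onclick=, ...) run script too.
            if name.startswith("on") and value:
                self.items.append(("handler", digest(value), f"<{tag} {name}>"))
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.items.append(("src", src, src))
            else:
                self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline)
            self.items.append(("inline", digest(body), body.strip()[:60]))
            self._inline = None


def script_inventory(html):
    """Return the executable items found in an HTML document."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector.items


def injected_scripts(served_html, rendered_html):
    """Items present in the rendered page but absent from the served page."""
    baseline = {(kind, key) for kind, key, _ in script_inventory(served_html)}
    return [
        item for item in script_inventory(rendered_html)
        if (item[0], item[1]) not in baseline
    ]


if __name__ == "__main__":
    for kind, key, preview in injected_scripts(SERVED_PAGE, RENDERED_PAGE):
        print(f"unexpected {kind}: {preview}")
```

A snapshot taken by code running inside the same compromised browser can be falsified, so the comparison only means something when the rendered copy is captured from a vantage point the malware does not control.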

Now this doesn't happen every time. Sometimes, the hackers choose to wait, secure in the knowledge that this capability will be there many sessions into the future, and that at some future point an increased account balance may make it more worthwhile to have waited.

And sometimes, the crimeware is configured to allow the hacker session to kick in when you "log out" (was that really the bank's "log out" screen that you just saw? Really?)

As the guys in our labs are quick to point out, there are many variations on the MITB theme, most of them horrible, and well-funded. In some instances, MITB malware is programmed to decrypt and load only when the user requests content from a particular bank (this is apparently a common approach right now in Brazil).

The bottom line is this - no matter what you see going on during your session, if you see something "different" or unexpected happening during your online banking session, close your browser immediately, and call your bank or online broker.

Most online banks are exceedingly good at *not* changing things within their UI - because their user interface designers know that changes make users nervous. So if you see something new, like an alert box, please don't assume that the bank has changed their policy. This almost never happens.

Luckily, this story does have a happy ending. For a solution to the above conundrum (at least one that doesn't involve getting in your car and going to the branch), check out some of my previous posts on SafeCentral - an end-to-end secure session technology that stops MITB attacks from happening in the first place.

I strongly recommend that you download and use this protection - regardless of how sophisticated your authentication token may appear to be. It's free, and it works.

Tuesday, June 10, 2008

Cuomo's Surprising Victory Against Child Porn

Today, the news broke that several major ISPs have reached an agreement with NY Attorney General Andrew Cuomo to block child porn sites from their networks.


The Attorney General didn't act directly against the ISPs, or try and break new legal ground in the State Legislature - instead, Cuomo and staffers dove into service level agreements provided by the ISPs to customers, and looked for clauses obligating the ISPs to act in instances where child porn was reported by customers.

And when the ISPs didn't act when consumers called in, in accordance with their SLAs ("service-level agreements"), the Attorney General took them to court, on behalf of the "wronged" consumers, and extracted a settlement.

In the settlement announced today, the ISPs, Sprint, Verizon and Time-Warner, agreed to pony up over a million bucks to help fund further efforts to stamp out child porn, which will fund a few salaries over at the excellent National Center for Missing and Exploited Children.

The ISPs are also obligated to "search and report". According to one news source:

The investigators identified a total of 88 newsgroups that were distributing child porn; the ISPs have agreed to block access to all of them. The AG's office has also created hashes for over 11,000 images they have identified, and the ISPs have pledged to scan the websites they host for items matching those hash signatures.

Monday, June 9, 2008

Firefox v3: Exciting but Incomplete Security

Make no bones about it: the FireFox version 3 release version is the first software application download that I've looked forward to in years.


FireFox 3 is, for me, the first really user-friendly browser. As Google knows, but no one else cares much to admit, an awful lot of consumers currently go to Yahoo by typing "Yahoo" into the search field, rather than the address bar.

FireFox is potentially changing the game by moving all of this "action" into the address bar, and matching previous site requests and paths with keywords.

The new FireFox address bar is screamingly intuitive (want to find that weather site you went to three days ago? FireFox will pull up everything with "weather" in its path when you type "weather" into the address bar.)

Wow.

On other issues, the security stuff is really nice-looking, and the integration with Verisign EV is very tasty as well. But "Larry" the FireFox security icon (actually described as a "customs agent" on their site) may actually end up setting up users for a "cavity search"...

The problem with solutions that look after just one small piece of the problem, is that you end up facing the "armored Humvee problem" recently described to me by a "security logistics expert" over lunch in Kuwait.

This problem is, in short, that all defenses are "weapons-specific". No amount of armor on a Humvee will stop the most recent insurgent IED innovation - a shaped charge that turns a sheet of copper into a molten fireball that can burst through any amount of armor.

While the consequences are nowhere near as serious, software/browser designers face the same issue.

The changes to FireFox, while welcome, have modified the "armor" of FireFox without taking into account the massive changes that have taken place in the area of weapon-development by the insurgents of the Internet world - the identity thieves and online criminals.

As sexy as it looks, and as welcome as it will be to lots of users, FireFox 3 unfortunately lacks armor in several places where armor is most needed. As such, it will not present a barrier to serious intruders looking to steal data.

To really operate a defense, the user needs to have everything locked down in the DNS request chain, everything locked down in the OS, and all malware, including any horrible zero-day keyloggers and screen-capture devices already on the PC, needs to be rendered harmless.

As for the message above ("Your connection to this web site has been encrypted to prevent eavesdropping"), don't get me started on the many ways this tells users the wrong thing.

SafeCentral (the next version of which will incorporate FireFox 3, including the FF3 address bar), and the SafeCentral Secure DNS Service, together plug virtually all of the security holes that I just talked about. V3 will be available mid-July.

The downside? None.

You were going to download FireFox v3 anyway, right? ;-)

Tuesday, June 3, 2008

The Buzz on SafeCentral

Internally at Authentium, the story about SafeCentral is well-known. But now a buzz is building to match the story - a buzz that is a lot of fun to be part of.


The story I just referred to is just part of a path we've been on, for many years now. As a company, our developer team has been building security software and serving up virus definition files for more than seventeen years.

In 1992, we released the world's first professional antivirus product (F-PROT Professional), a technology that many IT administrators still remember fondly - and still buy from us.

This technology incorporated some of the first, and eventually the best, anti-malware heuristics - a sophisticated set of technologies that was first brought to bear against the LoveBug virus back in the nineties, and has gone on to protect the customers of several software industry leaders, under multiple OEM deals, from thousands of threats since.

But the real story that is emerging currently is the story of what the defensive technologies will look like in the emerging world of predominantly zero day threats - a world in which even the very best reactive technologies can't stop hackers from stealing personal data, online banking tokens, or whole identities.

When our technologists first came up with the unique approaches to securing personal computing environments, now productized as SafeCentral (previously VirtualATM), we were lucky enough to have backers and directors that recognized that our approach was potentially game-changing.

These guys voted to fund an approach that would be utilized to provide real-time protection, regardless of the amount of malware a consumer might have on their PC. These guys provided us with the cash and the support we need to get to this point, based on an understanding that the game is starting to change: reactive risk management solutions are within five to ten years of failing their SLAs. Pro-active risk management solutions are required in order to ensure business and consumers are able to continue to process information.

Last week, we received the results of third party testing of the final release version of our own contribution to pro-active solutions: SafeCentral. The results clearly state that we are meeting our claims of enabling a secure, end-to-end session.

What is also clear from our testing is that our technology fares many times better than its closest competitor - a product that protects only certain types of text entry fields from keyloggers and screen-scrapers, and leaves pop-up windows and personal information in the clear.

In stark contrast to our competition, SafeCentral does an extremely good job of protecting users' transactions, even when the originating PC has been compromised, or when the consumer chooses to go to a new site - an activity that most consumers will agree is an extremely common behavior.

We've come a long way in five years, and it feels good to be here. Developers, thank you, guys. It is really fun to be finally selling this stuff. Consumers, please go to SafeCentral.com and check it out - the full version is free, and we'd love for you to get the best protection you can - on us.

Focus should be AIR not Acrobat

I just took a look at Adobe's new step into collaborative/social web spaces - acrobat.com.


The site is not that impressive, and little more than brochureware really, for five of Adobe's least-appealing pieces of IP: Buzzword, Create PDF, Share, MyFiles and ConnectNow - Adobe's attempt at a WebEx clone.

I was surprised by the site's focus. To me, the site comes off as an attempt by the "older generation" Acrobat marketing folks to pull off a "younger generation" trick using stuff that isn't really suited for the kinds of collaborative applications that the site hints at.

And some other things were surprising too: despite an abundance of typically beautiful interfaces, clicking the "Begin" button on any of the offerings I tried resulted in the appearance of a faux-dialog box that lacked any form of "close" button, tab or even text-based link. The only way to "close the box" is to click in the empty black space next to it.

This wouldn't normally be worth a mention, except that this is *Adobe* - the kings/queens of tasty UI design. There are very few folks better than Adobe at walking consumers down a predefined nav path.

When it comes to potential for collaboration and sharing of tools, I think Adobe should have put all this PR money behind a truly socializable technology - Adobe Integrated Runtime, or AIR. AIR is a seriously cool collaborative platform, but despite some early successes, it just isn't getting the kind of push it should be, or being opened up to the extent it needs to be.

In fact, right now, AIR is on the same adoption path as PDF - which I'm sure pleases some of the "old time" marketing folks. But 2002 levels of success should please no one. The exponential rise of competitive pressures means that things need to be adopted at a much-faster pace these days to rank as even a partial success.

There is the kernel of a haiku in here somewhere for these normally hot product guys: Adobe should focus on the AIR, not the Acrobat.

Sunday, June 1, 2008

Turing and the Poison Apple

Okay, I'll stop it with the Bletchley posts after this one. But the story told by one of the guides - of the death of computing pioneer Alan Turing, by cyanide-laced poison apple - stuck with me, and deserves repeating.


Turing was, from the beginning, an outsider. His several biographies point out his eccentricities in youth, including the death of his best friend (and rumored first love), Christopher Morcom, from tuberculosis.

My guide painted a similar picture of Turing as that painted in his bios - "scruffy", "loath to wash", "difficult to be around", and the indecipherable (for me, anyway) "a man who likes his holidays, if you know what I mean".

But a few years later, after rising fast through Princeton and Cambridge, Turing, as everyone knows, helped save the free world. His breakthroughs in thinking led to the cracking of the Enigma and Lorenz ("Tunny") codes, the creation of the world's first programmable computer, and his last paper on computing, "Computer Machinery and Intelligence", published in 1950, was the first to propose a series of standardized tests for artificial intelligence.

As I walked around Hut 8 last week at Bletchley Park - still largely in the same condition it was when occupied by its chain-smoking mathematicians and crossword-solvers - I found myself becoming angry at the story of what happened to Turing later - after so many lives had been saved, and so much had been contributed to the future of computer science.

As the story goes, in the very early part of Bletchley Park's formation, before frivolities such as cinema were curtailed, Turing had gone to see the Walt Disney cartoon feature Snow White, and was much taken with the scene in the movie involving the Wicked Witch's Poison Apple.

According to the accounts of at least two historians, Turing left the movie much enamored with the story, and quoting one line over and over:

"Dip the apple in the brew, let the sleeping death seep through".

These were to prove to be prophetic words.

Sixteen years after he started his ground-breaking work for MI5, in 1952, police received a phone call from Turing complaining that things had been stolen from his house by 19-year-old Arnold Murray, a young man he'd "been seeing", and an accomplice.

When questioned about Murray, Turing admitted, naively, that yes, he was a homosexual, and he had been having a relationship with the younger man.

The police pounced. And despite all Turing had contributed during the war, and despite his OBE (or perhaps because of it), prosecution for public indecency (and a public trial) followed.

During the trial, the press took him apart. Upon his conviction, Turing's GCHQ security clearances were withdrawn. Hormone treatments involving injections of estrogen were ordered by the judge and resulted in Turing growing breasts and becoming obese, depressed, and ultimately, suicidal.

Turing did struggle to publish a few additional works - including one of the first papers linking the Fibonacci Series with the structure of plants - but one night in 1954, he finally decided he'd had enough.

The next morning, Turing's housekeeper found Turing dead, a half-eaten, cyanide-laced apple beside his bed.

Al-Kindi, Frequency Analysis and Scrabulous

Ever wonder why you get stuck with too many "I" tiles while playing Scrabulous, but never have enough "H" or "S" tiles?


Ever have the feeling maybe the letters aren't distributed optimally? As it turns out, you're right.

How do we know this? Frequency analysis - the study of repetition of certain letters or words within encrypted messages - a science first conceived in the ninth century by the great Arab philosopher Abu Yusuf Ya'qub ibn Is-haq ibn as-Sabbah ibn omran ibn Ismail al-Kindi.

Al-Kindi was the first to note that encrypted messages could be cracked by using "cribs" - i.e. by looking for repeated groups of letters or words, such as the Arabic "al", roughly equivalent to the English "the". According to Simon Singh, he even wrote a book on the subject (one of 290 such contributions to science) entitled "A Manuscript on Deciphering Cryptographic Messages".

"One way to solve an encrypted message, if we know its language, is to find a different plaintext of [that] language... and then count the occurrences of each letter... then we look at the ciphertext and classify its symbols. We find the most occurring symbol and change it to the form of the [most occurring] letter of the plaintext symbol... and so on, until we account for all symbols of the cryptogram we want to solve."

Yes, dear reader, this was written over a thousand years ago - most probably at the "House of Wisdom" in Baghdad, where Al-Kindi spent most of his life, before dying in 873. Al-Kindi's original book can still be found in the Sulaimaniyyah Archive in Istanbul.
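Al-Kindi's procedure from the quotation above, as an added example that is not part of the original post: count letters in a reference text, rank the ciphertext symbols, and pair them off by rank. The reference text, the secret substitution alphabet and the test message are all constructed for illustration; the second message shows how a short ciphertext gets only its commonest letters right on the first pass.

```python
from collections import Counter
from string import ascii_lowercase

# Constructed sample data: a reference text in the message's language and a
# secret substitution alphabet (keyboard row order) known only to the sender.
REFERENCE = "meet me here when the evening weather report reaches the fleet"
SECRET_ALPHABET = "qwertyuiopasdfghjklzxcvbnm"


def encrypt(plaintext: str) -> str:
    """Monoalphabetic substitution: a letter always becomes the same symbol."""
    table = str.maketrans(ascii_lowercase, SECRET_ALPHABET)
    return plaintext.lower().translate(table)


def rank_symbols(text: str) -> list[str]:
    """Letters ordered from most to least frequent (ties: first seen wins)."""
    letters = [ch for ch in text.lower() if ch in ascii_lowercase]
    return [symbol for symbol, _ in Counter(letters).most_common()]


def al_kindi_key(reference: str, ciphertext: str) -> dict[str, str]:
    """Pair the n-th most frequent ciphertext symbol with the n-th most
    frequent reference letter, as the quoted passage describes."""
    return dict(zip(rank_symbols(ciphertext), rank_symbols(reference)))


def apply_key(ciphertext: str, key: dict[str, str]) -> str:
    """Substitute guessed letters; symbols with no guess are shown as '?'."""
    return "".join(key.get(ch, "?") if ch in ascii_lowercase else ch
                   for ch in ciphertext.lower())


def accuracy(guess: str, truth: str) -> float:
    """Fraction of letter positions recovered correctly."""
    pairs = [(g, t) for g, t in zip(guess, truth) if t in ascii_lowercase]
    return sum(g == t for g, t in pairs) / len(pairs)


def demo(message: str) -> tuple[str, float]:
    """Encrypt a message, attack it using only REFERENCE, and score the guess."""
    ciphertext = encrypt(message)
    guess = apply_key(ciphertext, al_kindi_key(REFERENCE, ciphertext))
    return guess, accuracy(guess, message.lower())


if __name__ == "__main__":
    for text in (REFERENCE, "send the wetter report before seven"):
        print(demo(text))
```

The partial result on the short message is why the quotation ends with "and so on": the analyst keeps the confident pairings and revises the rest using known words and letter patterns.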

It was the use of frequency analysis by British scientists at Bletchley Park that allowed Britain to win the second war. Turing and others, looking for ways of breaking the codes, theorized that early-morning reports from naval vessels would contain reports on weather.

By using the German words for weather ("wetter") and time as "cribs" (and employing other pieces of knowledge, such as the fact that in German, the letter "E" appears, on average, once every five letters), and using automated analysis machines called "bombes", they were able to determine the settings used by the Enigma machines, often early in the day - a breakthrough that saved millions of lives, and changed the course of history.

Anyway, back to Scrabulous and those missing tiles...

The original Scrabble game called for 100 tiles, and for the most part, the distribution follows the general distribution of letters in the English language. However, if we use Beker-Piper, we quickly find that things are not "as they should be".

Based on analysis of English conducted by Beker and Piper, authors of "Cipher Systems: The Protection of Communication", there should be 4 additional letter "H" tiles, 4 additional "T" tiles, at least 3 additional "S" tiles, and 2 fewer letter "I" tiles - even accounting for the blanks.

So the next time you're stuck for a chat subject on Scrabulous, you can say "I was reading about this ninth century Arab philosopher the other day, and as it turns out..."