Category Archives: internet

The insecurity of Verified by Visa and MasterCard SecureCode

An article on the H points to this paper by Steven Murdoch and Ross Anderson, from the University of Cambridge Computer Laboratory, on the poor security design of the 3-D Secure (3DS) protocol, used by Visa and MasterCard in the UK and catching on worldwide. In addition, 3DS undermines privacy by sending a full description of each transaction to the card issuer or its contractors.

Banks also use the supposed additional security of 3DS to shift liability for fraudulent use towards the customer.

What’s wrong with 3DS? The authors list a number of issues. The 3DS system throws up a request for additional authentication in a pop-up dialog or iFrame, which means you cannot easily check its source; it could be a phishing attack. The memorable pass phrase that is meant to prevent this is vulnerable to man-in-the-middle attacks, and to impatient users who may not bother to read it. Password reset mechanisms are often poorly implemented, and may depend on semi-public information such as date of birth.

The authors suggest that a simple approval process, such as a text message to your phone asking for an authorisation code, would be more secure, even if only as a stop-gap before adopting a more robust solution.
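As an added illustration of the stop-gap the authors propose (this is my own example, not code from the paper or from any card scheme), here is a minimal approval service that issues a one-time authorisation code for a transaction and verifies the user's reply. The code expires after five minutes, is single-use, locks out after three wrong tries, and is compared in constant time. The class name, the six-digit format and the limits are assumptions; putting the amount and merchant into the message so the user sees exactly what they are approving is a design choice of mine, not something the post specifies.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed: three wrong guesses and the transaction is abandoned


@dataclass
class PendingApproval:
    code: str
    amount: str
    merchant: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class ApprovalService:
    """Hypothetical issuer-side service: one pending code per transaction id."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be exercised deterministically
        self._pending = {}           # transaction id -> PendingApproval

    def start(self, txn_id: str, amount: str, merchant: str) -> str:
        # Six decimal digits from a CSPRNG; never derived from card or customer data.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn_id] = PendingApproval(code, amount, merchant, self._clock())
        # The text that would go out by SMS. Binding amount and merchant to the code means a
        # man-in-the-middle cannot silently change what is being approved.
        return f"Approve {amount} to {merchant}? Code: {code}"

    def verify(self, txn_id: str, submitted: str) -> bool:
        pending = self._pending.get(txn_id)
        if pending is None or pending.used:
            return False
        if self._clock() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[txn_id]            # expired: force a fresh code
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[txn_id]            # too many guesses: abandon the transaction
            return False
        if hmac.compare_digest(pending.code, submitted):
            pending.used = True                  # single use: replaying the code fails
            return True
        return False


if __name__ == "__main__":
    service = ApprovalService()
    message = service.start("txn-1", "GBP 42.00", "Example Shop")
    print(message)
    code = message.rsplit("Code: ", 1)[1]
    print("correct code accepted:", service.verify("txn-1", code))
    print("replay rejected:", service.verify("txn-1", code))
```

The attempt limit and expiry are what make a six-digit code adequate: without them the search space is only a million guesses.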

I find it surprising that 3DS has been adopted so widely despite well-known flaws. As the authors note:

3-D Secure has received little public scrutiny despite the fact that with 250 million users of Verified by Visa alone, it’s probably the largest single sign-on system ever deployed.

Well, with this post I am doing my bit.

Silverlight 4 with COM can do anything – on Windows

At PDC Microsoft played down the significance of adding COM support to Silverlight 4 when run out of the browser and fully trusted (you can also be out of the browser and not fully trusted). The demos were of Office automation, and journalists were told that the feature was there to satisfy the requests of a few Enterprise customers.

Now former Microsoft Silverlight program manager Justin Angel, who has implemented his blog in Silverlight, has spelt out what we all knew, that Silverlight with COM support can do just about anything. His richly-illustrated blog post has code examples for:

  • reading and writing to any file (subject I guess to the permissions of the current user)
  • executing any command or file
  • emulating user input with WShell.SendKeys
  • pinning files to the Windows 7 taskbar
  • reading any registry values
  • adding an application to the Windows startup folder
  • doing text to speech using Windows built-in engine
  • accessing local databases with ODBC
  • automating scanners and cameras
  • using the Windows 7 location API, accessing the full .NET Framework
  • and of course … automating Microsoft Office.

Well, fully trusted means fully trusted; and these are great features for powerful though Windows-only Silverlight applications, though I hope no user installs and trusts one of these applets thinking it is “only Silverlight” and can’t do much harm.

The post also has comments on the lack of any equivalent feature for the Mac in Silverlight 4:

If Microsoft chooses to not go ahead with Mac support in Silverlight 4 RTM, well, it’s not because they couldn’t

says Angel, suggesting that it would be easy to add AppleScript support. (I had to type that quote – no clipboard support in Silverlight 3).

Of course there is time for Microsoft to unveil such a feature, say at Mix10 in March, though I wouldn’t count on it.

Government security advice is misguided; switching browsers will not make you safe

I have mixed feelings about the recent government recommendations from France and Germany to switch from Internet Explorer for security reasons.

Although raising security awareness seems on the face of it to be a good thing, this is naïve advice and may do more harm than good. Security is a complex and multi-faceted problem, and it does people no service if they believe it can be fixed by switching browsers. Another common illusion is that running anti-virus software, or even up-to-date anti-virus software, makes you safe. It does not. Anti-virus software does not detect all viruses, and in particular it frequently fails on those that are most dangerous, in other words, those which are newest.

Another factor is that many of the most successful malware attacks come via social engineering. That’s not browser-specific, though there are attempts to maintain bad site lists, which don’t in my experience work very well.

The danger is that people think they are safe, and take fewer other precautions, ending up less safe than before.

Is Firefox, Chrome or Opera safer than IE? I’m not even sure about that. The latest versions of each are massively safer than IE6, for sure. But how does a fully-patched IE8 compare to the latest fully-patched versions of the other browsers? At least one test [pdf] says that IE8 is actually safer, though unfortunately it dates from March last year and does not cover drive-by downloads:

Microsoft Internet Explorer 8 (RC1) was the standout in our tests, achieving a best-in-class 69% catch rate against Malware. It is clear that Microsoft is making an effort to provide security to their customers with IE8.

Know a better one? I’d be interested in more recent tests.

Microsoft is not always competent; read this blog for evidence. But it has made genuine efforts to improve security and has a comprehensive update mechanism that mostly works. IE now has protected mode on Vista or Windows 7, which is no panacea but helps a little.

But what about the known zero-day vulnerability in IE? Isn’t that enough to make switching browsers necessary, if only temporarily?

I’m not so sure. Frankly, it would surprise me if there are not known multiple vulnerabilities in all the major browsers, if you move in the right (or wrong) circles.

How then do you do secure computing? Don’t connect to the internet. OK, how else? The risk cannot be eliminated but it can be reduced … don’t run with local admin rights, don’t run unknown executables, only enable plug-ins and scripting for web sites you know to be safe, keep your operating system patched and up-to-date, and so on.

Another thing you can do is to browse the web in a virtual machine – a sort of super protected mode – not perfect, but would prevent some attacks at the expense of convenience.

If you are really serious you can use AppLocker, or another whitelisting technique, to control what can run on your box.

And passwords … one thing I do hold against Microsoft is that the company has a brilliant authentication mechanism called InfoCard that is almost never used, even by Microsoft. Unfortunately that’s not something any individual can change; but it is possible at least to use more complex passwords and not to pass them over the internet in plain text.

I’m not sure, even today, that many people realise that when they use Twitter on an airport or hotel or conference wi-fi, or collect email via POP3, that they are likely passing their credentials in plain text over the internet for any smart hacker to read.
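To make the point concrete, here is a small detection routine (an added example of mine, not part of the original post) that scans the client side of a captured plaintext session and flags credentials sent in the clear: POP3 USER/PASS commands issued before STLS, and an HTTP Basic Authorization header on an unencrypted connection, which is how the Twitter API of the time authenticated. The sample sessions are constructed; the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

_POP3_CRED = re.compile(r"^(USER|PASS)\s+\S", re.IGNORECASE)
_HTTP_BASIC = re.compile(r"^Authorization:\s*Basic\s+\S+", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    reason: str


def audit_pop3(client_lines: List[str]) -> List[Finding]:
    """Flag USER/PASS sent before the client upgrades to TLS with STLS."""
    findings = []
    for n, raw in enumerate(client_lines, 1):
        line = raw.rstrip("\r\n")
        if line.upper() == "STLS":
            break  # everything after a successful STLS is inside TLS and not visible
        match = _POP3_CRED.match(line)
        if match:
            findings.append(Finding(n, f"POP3 {match.group(1).upper()} sent in the clear"))
    return findings


def audit_http(client_lines: List[str]) -> List[Finding]:
    """Flag HTTP Basic credentials on a plaintext (non-TLS) HTTP request."""
    findings = []
    for n, raw in enumerate(client_lines, 1):
        if _HTTP_BASIC.match(raw.rstrip("\r\n")):
            findings.append(Finding(n, "HTTP Basic credentials sent over plaintext HTTP"))
    return findings


# Constructed sample sessions (client side only), not real captures.
PLAINTEXT_POP3 = ["USER alice@example.net", "PASS hunter2", "STAT", "QUIT"]
STLS_POP3 = ["CAPA", "STLS", "USER alice@example.net", "PASS hunter2"]  # creds follow STLS
TWITTER_STYLE_HTTP = [
    "GET /statuses/friends_timeline.xml HTTP/1.1",
    "Host: api.example",
    "Authorization: Basic YWxpY2U6aHVudGVyMg==",  # base64 of the constructed 'alice:hunter2'
    "",
]

if __name__ == "__main__":
    for name, session, audit in (
        ("plaintext POP3", PLAINTEXT_POP3, audit_pop3),
        ("STLS POP3", STLS_POP3, audit_pop3),
        ("HTTP Basic", TWITTER_STYLE_HTTP, audit_http),
    ):
        print(name, [f"{f.line_no}: {f.reason}" for f in audit(session)])
```

Run against the samples, the plaintext POP3 and the HTTP Basic sessions each produce findings and the STLS session produces none, which is the difference between a mail client configured for "STARTTLS" and one that is not.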

I am also depressed how often I see “security questions” on registration forms, asking for things like mother’s maiden name to be used in case of lost password. It is obvious that these are actually insecurity questions; they lower security while easing the burden on support desks. All too often, these organisations then lower it further by emailing your password back to you in plain text. It also sometimes turns out that the password itself is stored in plain text on their web-connected databases, accessible to hackers.
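The two practices criticised above, storing passwords in plain text and emailing them back on request, both have straightforward replacements. The following is an added example of mine, not code from the post: passwords are stored only as salted PBKDF2-HMAC-SHA256 hashes, so there is nothing to email back, and a lost password is handled with a short-lived, single-use reset token of which the server keeps only a hash. The iteration count, token lifetime and class name are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune to the hardware
RESET_TOKEN_TTL = 900         # assumed: a reset link is valid for 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing hash string; the plaintext password is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class ResetStore:
    """Hypothetical reset-token store: keeps only SHA-256(token) so a database leak
    does not hand out usable reset links."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}   # sha256(token) -> (username, expiry timestamp)

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)   # this plaintext goes to the user once, by email
        key = hashlib.sha256(token.encode("ascii")).digest()
        self._tokens[key] = (username, self._clock() + RESET_TOKEN_TTL)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the username if the token is valid; the token is consumed either way."""
        key = hashlib.sha256(token.encode("ascii")).digest()
        entry = self._tokens.pop(key, None)
        if entry is None:
            return None
        username, expiry = entry
        if self._clock() > expiry:
            return None
        return username


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    store = ResetStore()
    link_token = store.issue("alice")
    print("reset redeemed for:", store.redeem(link_token))
    print("second use:", store.redeem(link_token))
```

Note that the "security question" shortcut is simply absent: a reset goes to the registered mailbox and proves nothing beyond control of that mailbox, which is the most the site can honestly claim.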

Overall the IT industry is desperately bad at security, and by and large convenience has won. Yes, I think that should change. No, after years of reporting on IT I am not optimistic that it will, certainly not soon. And knee-jerk instructions to switch browsers may please Mozilla and Google, and web developers for whom Internet Explorer is a constant irritation especially in old versions, but will do little else to improve the situation.

SharePoint Explorer View hassles show benefits of cloud storage

Many of us want access to our documents from anywhere these days, and if you are still storing documents on a Windows server then remote access to documents usually means either VPN or SharePoint. VPN is heavy on bandwidth and not great for security, so SharePoint seems the obvious solution.

SharePoint is a mixed bag of course, but once it is up and running the browser user interface seems reliable as a means of getting at your documents over the internet. That said, it is inconvenient to run up the browser and navigate to a web site whenever you want a document. A user recently highlighted another issue. Their company uses a web application that frequently requires documents to be uploaded. This is straightforward if the document is on a local hard drive or network share, but not if it is in SharePoint. The workaround is to save the document out of SharePoint to the local drive, then upload it.

Fortunately there is another option. SharePoint Explorer View lets you access documents through Windows Explorer; you can even map SharePoint as a network drive. Now you can browse documents without a web browser, and upload directly to a web application.

Sounds great; and when it works, it is great. Troubleshooting though is a world of pain. If you have looked into this, you will know that there are really two Explorer Views, one using Internet Explorer and ancient FrontPage protocols, and the other using WebDAV and Explorer. It’s the second of these that you most likely want. However, achieving this is notoriously troublesome, raising uninformative messages such as “Your client does not support opening this list with Windows Explorer”, or from the command line System Error 67, or System Error 53 “The network path was not found”.


Another common complaint is incessant login dialogs.

I discovered a few useful resources.

This white paper on Understanding and Troubleshooting the SharePoint Explorer View is essential reading.

From this you will discover that if you are using Windows XP, the WebDAV SharePoint Explorer view will not work over SSL or on any port other than 80. You are stuck with the FrontPage view, which is less useful. Apparently Microsoft has no intention of fixing this. Upgrade to Vista or Windows 7.

In addition, many XP and even Vista users find this update essential before anything starts working. It is necessary on Windows 2003 since the web client is not installed by default. It does not apply to Windows 7 though.

A good resource on the repeated login issue is here. It can be tamed.

Windows 7 is better, though I experienced an odd issue. One Windows 7 machine cheerfully opened the Explorer view to a remote site on port 444. I could engage Explorer View from the SharePoint web site, or from Network in Explorer, and it just worked.

On another machine, same network, also Windows 7, same web client settings, I could not get it working. I was on the point of giving up when I happened on the right incantation from a command prompt:

net use s: https://your.domain.name:444\shared%20documents /user:domain\username password

In this example S is the drive letter for a mapped drive, your.domain.name is the URL for SharePoint, 444 is the port number, shared documents is the folder name. For some reason this worked instantly.

Well, SharePoint is an option. Before leaving this subject though, I would like to mention Gladinet, a third-party utility which is able to mount a variety of cloud storage providers as network drives, including Amazon S3, Google Docs, Windows Live SkyDrive, and in the latest version Windows Azure. It works on XP, Vista, Windows 7 and Windows 2003, comes in 32-bit and 64-bit editions, and worked immediately in my quick test. The ability to mount drives in Explorer itself, as opposed to an Explorer-like application, makes a big difference in usability.


Gladinet does not support SharePoint, sadly. Still, before you roll out SharePoint it is worth considering that something like an Amazon S3 account requires no CALs (though third-party clients like Gladinet may do), is maintained by a cloud provider rather than on your premises, is not hooked in any way to Windows clients, and might be a lot less hassle to deploy.

I do also understand the attraction of SharePoint, if you don’t or can’t trust the cloud, and like the way it integrates with Active Directory or its other clever features such as versioning or workflow management. What I don’t get is why Microsoft makes basic features like Explorer View so hard to get working.

Finally, this aspect of SharePoint should get better in Office 2010 and SharePoint 2010, which includes SharePoint Workspace 2010. This will synchronize with SharePoint 2010 document lists, giving you an offline copy you can access in Explorer. Agnes Molnar has a summary with screenshots.

New HP and Microsoft agreement commits $50 million less than similar 2006 deal

I’ve held back comment on the much-hyped HP and Microsoft three-year deal announced on Wednesday mainly because I’ve been uncertain of its significance, if any. It didn’t help that the press release was particularly opaque, full of words with many syllables but little meaning. I received the release minutes before the conference call, during which most of us were asking the same thing: how is this any different from what HP and Microsoft have always done?

It’s fun to compare and contrast with this HP and Microsoft release from December 2006 – three years ago:

We’ve agreed to a three-year, US$300 million investment between our two companies, and a very aggressive go-to-market program on top of that. What you’ll see us do is bring these solutions to the marketplace in a very aggressive way, and go after our customers with something that we think is quite unique in what it can do to change the way people work.

$300 million for three years in 2006; $250 million for three years in 2010. Hmm, not exactly the new breakthrough partnership which has been billed. Look here for what the press release should have said: it’s mainly common-sense cooperation and joint marketing.

Still, I did have a question for CEOs Mark Hurd and Steve Ballmer which was what level of cloud focus was in this new partnership, drawing these remarks from Ballmer:

The fact that our two companies are very directed at the cloud is the driving force behind this deal at this time. The cloud really means a modern architecture for how you build and deploy applications. If you build and deploy them to our service that we operate that’s called Windows Azure. If a customer deploys them inside their own data centre or some other hosted environment, they need a stack on which to build, hardware software and services, that instances the same application model that we’ll have on Windows Azure. I think of it as the private cloud version of Windows Azure.

That thing is going to be an integrated stack from the hardware, the virtualization layer, the management layer and the app model. It’s on that that we are focusing the technical collaboration here … we at Microsoft need to evangelize that same application model whether you choose to host in the cloud or on your own premises. So in a sense this is entirely cloud motivated.

Hurd added his insistence that this is not just more of the same:

I would not want you to write that it sounds a lot like what Microsoft and HP have been talking about for years. This is the deepest level of collaboration and integration and technical work we’ve done that I’m aware of … it’s a different thing than what you’ve seen before. I guarantee Steve and I would not be on this phone call if this was just another press release from HP and Microsoft.

Well, you be the judge.

I did think Ballmer’s answer was interesting though, in that it shows how much Microsoft (and no doubt HP) are pinning their hopes on the private cloud concept. The term “private cloud” is a dubious one, in that some of the defining characteristics of cloud – exporting your infrastructure, multi-tenancy, shifting the maintenance burden to a third-party – are simply not delivered by a private cloud. That said, in a large organisation they might look similar to most users.

I can’t shake off the thought that since HP wants to carry on selling us servers, and Microsoft wants to carry on selling us licences for Windows and Office, the two are engaged in disguised cloud avoidance. Take Office Web Apps in Office 2010 for example: good enough to claim the online document editing feature; bad enough to keep us using locally installed Office.

That will not work long-term and we will see increasing emphasis on Microsoft’s hosted offerings, which means HP will sell fewer servers. Maybe that’s why the new deal is for a few dollars less than the old one.

Going Mobile

In the back of my mind I knew that this blog looked terrible on a mobile, but I did nothing about it until @monkchips complained that it was unreadable on his HTC Magic, which runs Google Android 1.6.

I don’t have an Android device, but I grabbed the SDK, ran up the emulator, and had a look. The page took ages to load, and did not work properly even when fully loaded.

I figured “there’s a plugin for that”, and there is – several in fact. I settled on the WordPress Mobile Pack. Installed, configured, and a short time later was up and running.

I had a few hassles, mainly because most of my WordPress installation is not writable by the web server, and this plugin needs to write themes on installation and temporary images after that, so I had to loosen permissions slightly. I then set the themes directory back to read-only, and configured the cache so that Apache will only serve images.

I still only get a score of Fair (2 fails) from the MobiReady report. Still, progress. I am ahead of bbc.co.uk which gets Bad (10 fails); but behind microsoft.com which rates Good (0 fails).

The plugin also tells me that 5% of the traffic to this site is from mobile users. More than I had expected.

Beep beep.

Technology trends: Silverlight, Flex little use says Thoughtworks as it Goes Google

Today Martin Fowler at Thoughtworks tweeted a link to the just-published Thoughtworks Technology Radar [pdf] paper, which aims to “help decision makers understand emerging technologies and trends that affect the market today”.

It is a good read, as you would expect from Thoughtworks, a software development company with a bias towards Agile methodology and a formidable reputation.

The authors divide technology into four segments, from Hold – which means steer clear for the time being – to Adopt, ready for prime time. In between are Assess and Trial.

I was interested to see that Thoughtworks is ready to stop supporting IE6 and that ASP.NET MVC is regarded as ready to use now. So is Apple iPhone as a client platform, with Android not far behind (Trial).

Thoughtworks is also now contemplating Java language end of life (Assess), but remains enthusiastic about the JVM as a platform (Adopt), and about JavaScript as a first class language (also Adopt). C# 4.0 wins praise for its new dynamic features and pace of development in general.

Losers? I was struck by how cool Thoughtworks is towards Rich Internet Applications (Adobe Flash and Microsoft Silverlight):

Our position on Rich Internet Applications has changed over the past year. Experience has shown that platforms such as Silverlight, Flex and JavaFX may be useful for rich visualizations of data but provide few benefits over simpler web applications.

The team has even less interest in Microsoft’s Internet Explorer – even IE8 is a concern with regard to web standards – whereas Firefox lies at the heart of the Adopt bullet.

In the tools area, Thoughtworks is moving away from Subversion and towards distributed version control systems (Git, Mercurial).

Finally, Thoughtworks is Going Google:

At the start of October, ThoughtWorks became a customer of Google Apps. Although we have heard a wide range of opinions about the user experience offered by Google Mail, Calendar and Documents, the general consensus is that our largely consultant workforce is happy with the move. The next step that we as a company are looking to embrace is Google as a corporate platform beyond the standard Google Apps; in particular we are evaluating the use of Google App Engine for a number of internal systems initiatives.

A thought-provoking paper which makes more sense to me than the innumerable Gartner Magic Quadrants; I’d encourage you to read the whole paper (only 8 pages) and not to be content with my highlights.

Seven years of blogging, and a redesign

This blog began in 2003, though the website goes back to 2000, and I now see little difference between what is now a blog, and what in 2000 was a more painful process of authoring web content, especially with the decline of RSS readers. Still, my first blogging efforts were powered by a now-defunct project called bblog. I modified this heavily to add features and cope with comment spam – almost non-existent in 2003 – and then in 2006 accepted that I would be better off with a mainstream blog engine and selected WordPress, which has exceeded my expectations.

When I moved to WordPress I picked a theme which met my requirements, then modified it to tidy up the layout and to support non-intrusive advertising. I found myself to some extent boxed in once again, since I could not change or upgrade the theme without losing my modifications. This also meant I was missing out on newer features of WordPress. Widget support is a breakthrough feature, letting you add features to the site through a simple drag-and-drop admin page, but I could not use them. I also wanted to support gravatars, which show an image chosen by the author alongside their comments, and to add a ratings system.

Ratings are a lot of fun, though not really reliable as a gauge of quality. If your article extolling the merits of the Xbox 360 gets linked by a PlayStation fan site, or your article critical of Apple gets linked by an Apple fan site, there is little chance of a fair rating. Some readers also find it difficult to separate what they think about the subject matter from what they think about the quality of reporting. Even so, ratings are always interesting and I’d like to include a list of best-rated posts.

It has taken me some time to find a theme that looked right for my needs, but I have now settled on Atahualpa from BytesForAll. It is a popular theme, so my blog will look similar to many others, but it is flexible and I’ve been able to add the most important features by modifying settings rather than editing the raw PHP, a critical issue for upgradability. I’ve also added rating support with GD Star Rating.

As ever, it is work in progress, and I expect to modify the design and add features as time allows. Although it may not look much improved yet, it is much easier to modify in a maintainable fashion, so expect more changes soon.

What’s wrong with Microsoft Hotmail?

Joe Wilcox has a good post about Microsoft’s decade of shattered dreams. These are all things in which the company invested, but did not get right: eBooks, HailStorm web services, digital music, Origami small computing devices.

The list is longer than that of course. Tablet PC is a big one; we’ll see what happens to Apple’s efforts. And when I researched a retrospective on .NET recently I was struck by how well Microsoft got the mash-up idea: building block services pulled together by .NET web sites or client applications. And let’s not forget that Microsoft demonstrated Ajax partial page refresh in September 2000. These ideas have not been total failures at Microsoft, but their potential has been realised mainly by others.

That brings me to Hotmail (also known as Live Mail), the web-based email service that launched in 1996 and was acquired by Microsoft in late 1997. Microsoft was long teased for keeping it running on Unix while promoting Windows Server; that is emphatically no longer the case, as explained in two recent blogs by Arthur de Haan and Dick Craddock. It was moved off Unix in 2004, and rewritten in C# and ASP.NET in 2005. According to de Haan, it is the largest SQL Server 2008 deployment in the world. Impressive.

It would be absurd to call Hotmail a failure, when it has 1.3 billion inboxes and 350 million active users. Nevertheless, when I read or hear people recommending a web-based email service, it is almost always Google Gmail, not Hotmail (nor Yahoo for that matter). There are several people with whom I communicate professionally at Gmail addresses, none that I can think of on Hotmail.

Last year, Information Week reported that in the USA Gmail was set to overtake Hotmail in 2009; I do not know if it did so, but it would not surprise me, though internationally Hotmail is likely still ahead. Yahoo was well ahead of both, but will not be immune to the Google effect.

How has Google managed to steal mindshare away from Microsoft’s long-established service?

One reason is that Google got it right pretty much from the first public beta, whereas Hotmail has made pretty much every mistake in the book, though it has gradually corrected most of them. For a long time my Hotmail account was nearly unusable because of spam, whereas Gmail has great spam filters. Hotmail had inadequate storage, until Gmail turned up with 1GB of storage and its competitors quickly followed suit.

Another factor is the user experience. When I go to Gmail, I get a full page dedicated to email, and it is responsive and generally pleasant to use. The Hotmail UI is busier, the ads are more intrusive, and it takes longer to load.

Still, Hotmail is usable and much better than it once was. What else is wrong?

There is a clue in comments to de Haan’s blog. Hotmail has traditionally been awkward if you want to use offline mail clients, which is odd considering Microsoft’s “software plus services” approach. The Outlook Live Connector has always been troublesome. POP3 support eventually arrived, but users want IMAP as offered by Google.

Another problem is that Hotmail has never seemed core to Microsoft’s strategy. We all know how Microsoft does email, and it is not Hotmail, it is Exchange. Hotmail is a consumer service. Both marketing and product integration efforts are mainly focused on Exchange.

Despite its 350 million users, I reckon Hotmail needs a Bing-style makeover.

Joining the Smartphone dots

Google has made a big splash with its launch of Nexus One, even though technically it is not all that exciting. A neat phone; 1 GHz Qualcomm processor; runs Android 2.1; good for web video with its inclusion of Adobe Flash 10.1, along with the ability to capture your own videos at 20 frames per second in 720×480 pixels. No keyboard though; and the Q&A at the press briefing revealed a few limitations, such as lack of tethering support (using the phone to connect a laptop to the Internet), and that downloaded applications all end up in the 512MB on-board RAM rather than on an SD card, making it more likely that you will run out of space. Tethering is being worked on, apparently, and the application restriction is for copy protection, supposedly making it more difficult to pirate paid-for downloads.

My biggest disappointment is the price. It is a fraction cheaper than an Apple iPhone, but still far from a mass market product; though it won’t feel that way in the tech influencer community.

All this is rather unimportant; even prices will fall eventually. What matters is that attention is shifting from web+desktop (or laptop) to web+smartphone as the computing platform of the moment. That shift is far from complete; most of us still need the large screen and comfortable keyboard of a laptop to do our work. It is real though, and it is obvious that the need to carry around a bulky laptop with a short battery life is diminishing. Netbooks and Apple’s rumoured tablet are part of the same movement towards smaller, lighter and web-connected.

Although these gadgets are getting more capable, there is no sign of them following the desktop model with feature-rich local applications and heavy use of local storage. The applications being downloaded in huge numbers from Apple’s app store – a breathtaking three billion to date according to today’s announcement – are small, single-purpose apps where speed and usability is valued over richness of features, and where data comes from the Internet. This is the new model of application development.

Google’s announcement is also an important move in the identity wars. Most computer users have multiple identities: maybe an Active Directory account on a Microsoft network, a Facebook account, an Apple ID for iTunes and MobileMe, a Google account for Gmail and Google Docs. All these competing players gain hugely if they can increase the importance of your identity on their platform versus the others. If Microsoft can keep your Active Directory account at the centre of your world, then you will be a customer for Exchange, Office, SharePoint and so on. On the other hand, if your Google sign-in becomes more important, then Google’s products are correspondingly more attractive and it can sell you more services and advertising. Buy a Google phone and you hook directly into Google’s world. In ChromeOS the link is even more obvious, since you sign onto the computer with your online Google credentials.

The power shift is obvious. And as Tim O’Reilly implies in his excellent post, Google’s lack of legacy desktop baggage is helping it to compete against Apple as well as Microsoft.