
Don’t just blame users for woeful security online

The BBC this morning reports that many net users are not safety aware. The piece is based on research by Get Safe Online, a UK Government-sponsored initiative to promote internet safety. More details of the survey are here. I’m intrigued by a couple of these figures. Apparently 45% of internet users only connect to “secure” wi-fi networks outside the home. That’s surprising since most public wi-fi is not secured; but why would you trust the security of someone else’s network anyway? I’m in the 55%.

There are also some figures on passwords, showing that nearly 25% of users have a single password they use everywhere. Even more surprising, another 25% claim to use a different password for every site. It’s a mess either way. We will never get even a moderately secure internet without better authentication.

The key question, as this Get Safe Online press release observes, is about who should take responsibility for online safety – meaning everything from viruses and fraud to predatory chatroom impostors. Here are some popular candidates:

  • The ISPs
  • The banks (presumably for financial safety)
  • The individual
  • The security companies – Symantec, Sophos etc.
  • The operating system vendor – Apple, Microsoft etc
  • The Government – let’s regulate

I guess the answer is “all of the above”, though the role of security software is vastly exaggerated, especially that of anti-virus software which in reality does not work well – see Ed Bott’s recent piece The Sorry State of Security Software.

User education is welcome though anyone with technical knowledge will likely find the homely advice doled out by a site like Get Safe Online frustratingly inadequate. Online safety is difficult for all sorts of reasons. One problem is that users get confronted with decisions they are not equipped to make. Another issue is that even conscientious and informed users are forced to compromise in order to get their work done, like the occasion last week when Thawte advised me to turn off my firewall in order to buy its product.

The Internet will never be safe, but it can be made better. Strong authentication, no more passwords. Digitally signed emails. Networks of trust. Secure operating systems. It’s no good just blaming users; many of them are doing their best.

 

Thawte promotes security, insecurity

I recently headed over to Thawte to purchase a digital certificate for code-signing. According to Thawte, it:

Promotes the Internet as a secure and viable platform for content distribution

I agree with the value of signed code. However I had problems making the purchase, which involves a web form and some ActiveX stuff. Here’s what Thawte tech support advised me to do:

  • Switch off the personal firewall.
  • Add the url to the trusted sites store.
  • Set all the activex controls and plug-ins to prompt or enable.
  • Set the privacy security level to low.

It is not quite as bad as it looks at first. You only need to do the ActiveX changes for trusted sites. Further, I’m not convinced all the steps are needed in all circumstances.

Still, asking someone to connect to the Internet with a disabled firewall is, on the face of it, irresponsible. In mitigation, if you are trying to purchase a digital cert you are probably clueful enough not to disable a personal firewall unless there is some other protection in place; most users have at least a NAT router between their PC and the Internet.

There is a generic problem here. Support departments confronted with users who “just want it to work” may resort to scattergun disabling of security software, never mind the risks. Of course it is better to figure out exactly what is not working and find the minimal relaxation of security needed to solve it, but this is harder to do.

Nevertheless I’m disappointed that Thawte can’t find a more secure technique for delivering its certificates; and that these technical issues are not spelt out more clearly on its site (perhaps it is embarrassed?).

 


Salesforce.com hints at Adobe Flex support

Salesforce.com announced its Spring 07 release yesterday, including what it calls a business version of MySpace: a portal where organizations can share their data or applications with their customers and collaborate with them. During a briefing, I talked to Adam Gross, vice president of developer marketing. Salesforce.com has a SOAP web services API, and apparently more than half of the platform traffic is via the API rather than through direct visits to the Salesforce.com site. Would it make sense for Salesforce.com to use Adobe’s Flex Data Services to support rich internet applications created with Flex or Apollo?

“Stay tuned,” was his response. “Flex makes so much sense for us. I can build those experiences, just like I can in AJAX, but I can build richer experiences that are easy to build, they plug right in and I can upload them to Salesforce, it’s hand in glove to our model.”

Of course it is already possible to use Flex with Salesforce.com, since Flex supports SOAP web services. On the other hand, if Salesforce.com exposed a Flex Data Services API using AMF (Action Message Format), that would make for smoother, faster and easier development of Flex clients, which use the Flash player as a runtime.


Microsoft attempts to buy search share

Microsoft is giving enterprises incentives to use Live Search instead of Google or Yahoo, according to a ComputerWorld report; John Battelle has more details.

Buying search share is nothing new; the Mozilla Foundation apparently gets a ton of money from Google for making it the default in Firefox. This is just another skirmish in the search/toolbar/gadget wars; the stakes are high, because search is the user interface of the web.

I doubt the strategy will have much impact, unless Microsoft fixes what really matters: the quality of its search engine.

It’s hard to overstate the importance of search today. I was reminded of this during a recent presentation on software usability. Speaker Larry Constantine made an example of a feature in Word: how to insert a caption for an image.

Problems like this are easier than they were in the pre-Google era, for the simple reason that users are now able to search for the answer. Try it: Google for “word insert caption” (without the quotes) and up come dozens of postings on the subject. Quicker and better than online help.

Since the ability to search efficiently is now a key productivity factor, it follows that businesses should think twice before allowing themselves to be bribed into enforcing search preferences. Better to evaluate the search engines, and maybe give some training in how to use them.

 


Farewell to the Times Reader

Fired up the New York Times Reader today, to be greeted by a message:

This note is to let you know that the beta period will be ending in two weeks. Times Reader will launch as a subscription service on March 27. It will cost $14.95 a month or $165 a year.

Times Reader, you will recall, is a fantastic WPF (Windows Presentation Foundation) application for reading online content. It works offline and nicely demonstrates how rich Internet applications can improve on web browsers.

In one sense I have no quibble with the price. I believe journalism is worth paying for; and $15.00 a month is not excessive.

Unfortunately it’s not good value for me, nor I suspect for many others who have tried the beta. For starters, I’m in the UK which makes much of what is in the NYT of less interest. Second, I have access to a ton of free content – starting perhaps with bbc.co.uk along with innumerable blogs – and I don’t have time to read as much of that as I would like. The subscription model makes no sense for this kind of general content.

The NYT would do better to continue providing free Reader content. Give subscribers some extras like premium content, or earlier access to articles, or less intrusive advertising.

I understand the pressures though. It’s an unsolved problem.

 


Blogging is on the brink of a new phase

Washington-based Pew Research Centre has published a 160,000 word report on “the health and status of American journalism.” Although it is US-based much of it is relevant worldwide, particularly in the online realm; in fact, among the publications covered are bbc.co.uk and The Economist.  

Much food for thought here. The online business model remains uncertain; the report suggests that advertising is not enough and speculates that:

…news providers [will] charge Internet providers and aggregators licensing fees for content.

which strikes me as highly speculative; I don’t see ISPs wanting to pay for online content though I suppose aggregators might. The report doesn’t say how well the subscription model is working for sites like nytimes.com. I am sure subscription works well in niche areas like high-end business reports, but is it ever going to be a major source of funding for general news?

As for blogging, the report says that blog creation has peaked but that blog readership is growing – see Steve Rubel’s summary to get the picture. Blogs are an increasingly tempting target for PR and vulnerable to manipulation. Here’s an interesting comment:

Blogging is on the brink of a new phase that will probably include scandal, profitability for some, and a splintering into elites and non-elites over standards and ethics. The use of blogs by political campaigns in the mid-term elections of 2006 is already intensifying in the approach to the presidential election of 2008. Corporate public-relations efforts are beginning to use blogs as well, often covertly. What gives blogging its authenticity and momentum — its open access — also makes it vulnerable to being used and manipulated. At the same time, some of the most popular bloggers are already becoming businesses or being assimilated by establishment media. All this is likely to cause blogging to lose some of its patina as citizen media. To protect themselves, some of the best-known bloggers are already forming associations, with ethics codes, standards of conduct and more. The paradox of professionalizing the medium to preserve its integrity as an independent citizen platform is the start of a complicated new era in the evolution of the blogosphere.

The highlighting is mine. I reckon this is spot-on.

A virtual conference for Delphi 2007, Delphi for PHP, JBuilder

Starting today, you can attend the CodeRage 2007 developer conference. It’s free, entirely virtual, and has some promising sessions for anyone wanting to keep up with what’s new for Delphi, Delphi for PHP and JBuilder. For some reason there are also sessions on Ruby; looks like CodeGear (a wholly-owned Borland subsidiary) is cooking something up here.

I like this idea. Conferences are part of IT culture, and I guess pros will always want to get together for real conferences, if only for the networking opportunities they present, along with the chance to collar the people who actually have the answers and grill them with your burning questions or complaints.

Even so, there is huge logic behind virtualizing conferences, especially bearing in mind the environmental cost of travel. The vendor gets access to a larger potential audience, and delegates have more flexibility over what content they view.

This one looks rather good.

Update

I’m seeing reports of connection problems, video breaking up and so on. Perhaps that’s the major downside of virtual conferences. On the other hand, this stuff ought to work by now. If CodeGear can’t scale its conference servers, that’s not a good advertisement for its technology.

 


Find the top ten of anything

This is skeletal right now, but knowing how much time we spend debating which is the best in this or that category (operating system, band, album, football club, office document XML schema, blog, breadmaking machine) it strikes me as a winning concept.

Top 10 Central is entirely user-driven and lets you create and vote on entries in top ten lists.

I’ve just contributed the top ten best ways to make coffee.

If it catches on it could evolve into something that is fun and occasionally useful as well.

Disclaimer: Top 10 Central is by Matt Nicholson, a friend and also the editor of dnjonline.com; I write for Matt from time to time.

 


What would the young Bill Gates make of today’s Microsoft?

He would be hacking (in a good way) with the crowd at the Future of Web Apps conference I attended two weeks ago, not here with a bunch of senior software architects discussing the failures and successes of SOA (Service Oriented Architecture). I’m at the Microsoft Architecture Insight Conference in Wales, where I’ve been hearing a lot about old-fashioned ideas like requirements analysis, making the business case for change, being realistic about software reuse, and other sound, sensible, but unexciting software development principles.

That’s not to say this is a bad conference, far from it. I had an excellent chat with Microsoft’s Jack Greenfield, a Microsoft architect who is putting together the next generation of Microsoft’s modeling and enterprise development tools for Visual Studio. “Software factories” is the buzzword – see here for more background on this. There is also good stuff on identity management within and beyond the firewall, sessions on using development methodologies in Visual Studio Team System; amigo Ivar Jacobson is here talking up his Essential Unified Process (though “process” is last year’s word; we do “practices” now); and a number of case studies including one on visualizing the London Underground network which I’m looking forward to later today – this is the amazing WPF application which was shown off at one of the Vista launches.

It’s easy to find fault with products like Vista or Office 2007; yet you have to give Microsoft credit for establishing .NET as a major platform for enterprise development against considerable JEE momentum.

That said, let’s go back to the young Bill Gates. There is a track here on SaaS (Software as a service), which seems to mean hosted, on-demand applications versus traditional premises-based development. We heard some research on disruptive technology which Microsoft is sponsoring in conjunction with the Manchester Business School, including a look at Siebel vs Salesforce.com for CRM (Customer Relationship Management). Here’s one facet that stuck in my mind. According to Dr Steven Moxley of the MBS, Marc Benioff’s first customers were not SMEs or start-ups, but groups within large enterprises that were frustrated by the shortcomings or inflexibility of their existing software. It was a kind of stealth adoption. Salesforce.com was able to sell to such groups because its software is zero-install, pay as you go.

I immediately thought of the times I’ve had phone calls that go, “Could you send that attachment to my Gmail account. Our email is playing up today.”

Gmail may be less feature-rich than Exchange; but it tends to just work.

In other words, you could as easily do Microsoft vs Google as Siebel vs Salesforce.com. Why is Microsoft sponsoring studies that articulate its own vulnerability? Officially, this is about helping its partners to grow their own disruptive solutions using Microsoft technology; but I also see this as evidence that Microsoft has abundant understanding of the difficulties it faces. What it lacks is any coherent strategy for overcoming them, though there are always hints that some such strategy will emerge sometime “soon”.

I think it might. Gates disrupted IBM; he didn’t topple it. But there is going to be some pain.

Postscript: See also this pertinent post from Zoli Erdos who is looking forward to ditching his desktop software, subject to finding a solution for a couple of unsolved problems:

My bet is on Google or Zoho to get there first. As soon as it happens, I’m going 100% on-demand.

 

IE7 phishing site confusion

Preparing for a conference, I saved the agenda from a web page to a file, so that I could read it on the train. I used the IE “web archive” feature, which saves a page to a single file with the extension .mht. When I re-opened the page later, I was surprised to see the following warning:

Local file identified as phishing site

Something wrong here I reckon. Apparently my own hard drive is a phishing site.

I suppose IE7 has a point. After all, I’ve copied the page from one place to another, and although it looks like a page on the web, it isn’t. Then again, it isn’t criminal either. I’m using a feature of IE exactly as designed.

Amusing; but the difficulty I have with these kinds of false alarms is that they undermine the real ones. How is the non-technical user to know which warnings they can safely ignore? The danger is that they end up taking none of them seriously.

 
