Tumblelog by Soup.io

August 28 2012

Find Out How Google Earth Is Changing The World

Mashable is excited to announce that Rebecca Moore, engineering manager at Google Earth Outreach and Google Earth Engine will join the 2012 Social Good Summit. Moore will share her insights on how Google Earth is being used by individuals and organizations to make a positive impact in the world.

From exploring the effects of logging in the Amazon to mapping the refugee and genocide crises in Darfur, Google Earth Outreach supports non-profits, communities and indigenous peoples around the world by applying Google's mapping tools to the world's pressing problems.

Rebecca Moore joined Google in 2005, where she conceived and now leads the Google Earth Outreach program and Google Ear

More About: Google, Social Good, conferences, event, social good summit


August 23 2012

Oscar Winner Forest Whitaker to Speak at Mashable’s Social Good Summit

Mashable is thrilled to announce that Oscar-winning actor and humanist Forest Whitaker will speak at our Third Annual Social Good Summit, taking place Sept. 22-24 in New York City.

Forest Whitaker was named UNESCO Goodwill Ambassador for Peace and Reconciliation in 2011 for his personal dedication and work in the field of conflict resolution, as well as his commitment to promote humanitarian ideals. He also founded the Los Angeles-based Peace Earth Foundation in 2012.

Mr. Whitaker joins our dynamic lineup of speakers at the Social Good Summit to discuss how modern technology is not only facilitating development around the world, but also bringing peace to troubled urban neighborhoods…

More About: Events, Social Good, UN, conferences, social good summit

114 Entrepreneurs On 1 Train For 8 Hours Pitching Ideas

Think an elevator pitch is hard? Try selling your vision with a beer in each hand, balancing in the aisle of a train barreling north at 80 mph. That's exactly the challenge posed by Geeks on a Train, a veritable Nerd Express from Portland, Ore., to Vancouver, where passengers will "rethink business" among like-minded entrepreneurs and investors. 

The destination was Dealmaker Media's GROW 2012 conference, a summit of startup rock stars and wannabe-rock stars raring to pitch, invest and innovate their hearts out in Vancouver.

Sprinkled among the travelers were some stand-out personalities that had ample opportunity to shine in the close quarters, including Silicon Valley super angel Dave McClure; Scott Kveton of Urban Airship; Rick Turoczy, curator of the Portland Incubator Experiment and lolcat king Ben Huh, CEO of I Can Haz Cheezburger.

The final headcount was a raucous, adventuresome 100+ founders, investors, entrepreneurs, bloggers, developers and designers. 

All (geeks) aboard, the #PDX train station, sunset views, the party gets started

In two packed Amtrak cars, the high-energy crowd buzzed with ideas, mingled in the aisles, donned fake mustaches, arm wrestled, pitched between cars, and told more than one joke at Klout's expense -- all while the train jostled north.

We tweeted it up (#GOAT), high spirits intact for the eight-hour ride, even when it was discovered that the train's beer supply had been sucked dry a mere two hours in.  

We pulled into Seattle about four hours in to scoop up the city's GROW-bound passengers (and, mercifully, to restock its beer supply) before rolling on to the Canadian border.

One expertly executed planking (Ben Huh, naturally) and many, many trips to the bistro car later, the geeks were let loose in an unsuspecting Vancouver. For the next three days, they'll join up with hundreds more of GROW's attendees for talks, roundtables and networking events with speakers ranging from web commerce solution PayPal to Mountain View incubator 500 Startups, all aimed at making their companies leaner and meaner in order to survive a market that can turn on a dime. And since what happens on Amtrak stays on Instagram (and Twitter, and Facebook...), here's the evidence.

Stay tuned as we'll be judging GROW's sure-to-be-epic Startup Smackdown competition, in which a handful of fledgling startups speed-pitch on stage to a split group of investors and tech media, who in turn duke it out over which contenders are buzzworthy. We imagine it will be exactly like The Hunger Games, but with more venture capital at stake.  

It was a mobile sea of Macs as passengers nobly battled the flickering wi-fi signal


IPad DJ wars, sunset views and readying for the Canadian border

  Dave McClure listens to an eager pitch on the floor between train cars

RWW on rails, pulling into Vancouver

Morning Vancouver skyline as (not) viewed from a train  

Tags: Conferences

April 19 2012

DEMO Report: 3 Startups Vie to Take Photo and Video Sharing to the Next Level

A picture is worth a thousand words, and at the DEMO Spring 2012 conference, three innovative startups are hoping to turn those words into dollars. No doubt with visions of Instagram's $1 billion payday dancing in their heads, these photo- and video-sharing app makers vied to take the concept to the next level.

San Francisco-based TourWrist showed off its iPhone and iPad app that can take 360-degree panoramic photos. In mid-May, the company plans to add features to stitch multiple panoramas together, similar to Google Street View. In addition, people can link their panoramas to Facebook profiles.

The panoramas can also be linked to brands, which is how founder and Chief Executive Charles Armstrong hopes to build a profitable business, with the free iPhone and iPad app driving buzz. Panoramic views of hotels, real estate and tourist attractions are only a few of the possible commercial applications.

"I find Charles' products to be visually stunning," Bill Gurley, a general partner at Benchmark Capital, said on an investor panel after a string of demonstrations, including TourWrist. "Especially if you get to hold it and play with it, where you're just like blown away. He's accomplished something truly remarkable."

Despite the impressive technology, TourWrist requires some work to learn, which could make widespread adoption a struggle. The company also has to transition from a free-app maker to one that sells its technology to businesses.

Charlottesville, Virginia-based Arqball adapts that panoramic approach from photos to interactive video. The company's free app can create a 360-degree interactive video using a slow-moving ArqSpin spinner accessory, sold by Arqball. The user places an object on the spinner and takes a video of the object using an iPhone or iPad. Arqball hopes to get traction with consumers, and eventually sell the software to businesses for use in online retail. A new labeling feature should be attractive to retailers.

But Arqball, too, may not be easy enough to use to attract a lot of consumers. On the business side, the company must find a way to stand out among competitors. "The type of stuff that Arqball is doing will no doubt increase convergence on commerce," Jason Krikorian, general partner at DCM, said. "The question is really on how to make money."

While Arqball focused on futuristic interactives, San Francisco-based Daemonic Labs went old-school, demonstrating its Dabble application for creating digital postcards with the iPhone camera. After taking a picture, users create a card, add text and then pin the image on a map that can be shared with other Dabble users. In essence, the app lets people create and share photo journals.

While the app seemed to work well enough, observers questioned whether the features were enough to make Dabble stand out. "I find this notion about (saving) memories a little blurry," said panelist Claire Lee, head of the emerging business team at Microsoft. "There are a lot of people trying to do it."

Tags: Conferences

March 10 2012

Invasion of the Risk Managers: Altering the Complexion of Security


The modern-day philosopher Thomas Kuhn theorized that scientific revolutions are only brought about by practitioners who are not already trained to think a certain way - or to use Kuhn's terminology, in keeping with a given paradigm. When people train themselves to believe something, they expect their observations to match their beliefs, and thus may fail to observe something truly revolutionary. And it is observation that is the "step one" of science.

So it was with the face of Thomas Kuhn looming large overhead that a panel of two security architects, a noted Gartner researcher, and two risk management professionals met at the RSA Conference in San Francisco last week. Two worlds collided here, and this was one of the focal points. One side represented the existing paradigm. The revolutionaries came in suits with calculators and adjustment formulas. And Gartner's Bob Blakley literally wore a Satan suit just to make sure the fire and brimstone kept flowing.


The Balancing Act

"We teach people that risk is about science, about numbers, and about metrics. And the reality is, that only works for half of our risk. The other half of our risk is the things that we can't predict how frequently they're going to happen." This from Andy Ellis, the Chief Security Officer of Akamai. No, he's not a risk management professional by nature. He's learned the language because, as he explained, he had to. He's been converted to the extent, he says, that he has constructed a business continuity plan for Akamai in case of a zombie apocalypse.


"We do that because it's an easy way to cover a whole lot of different threat scenarios. But I cannot make a prediction of what the likelihood is of that event happening. And an awful lot of the risk that we face, you can't calculate the likelihood, we're not part of a large population that we can do actuarial studies on. So risk management becomes more of an art than a science, and we have to discern which risk is art and which is science, and not apply the principles of one to the other."

The traditional data center security paradigm is based around responding to threats as they occur or after they have been detected. An evolved version adds a layer of prevention, though in recent years, this layer has taken on the flavor of a handful of household maintenance tips from your afternoon local TV news. Risk management (applied properly) should be the application of principles in planning and procurement so that the impact of threats that may occur is kept within tolerable levels.

That is, when it's applied properly. And here is where Bob Blakley enters the picture. "Risk management is not bad," he told attendees. "It's evil, and it's actually the enemy of security.

"You go through this exercise every year," said the devil incarnate. "You bring a bunch of security people into the room, and their job normally is to defend against threats." The exercise proceeds, he explained, with these security people generating a list of threats. That list is then presented to upper managers so that they may use the principles that they consider risk management "to decide which controls they are not going to implement. In hindsight, it's really diabolical. We get the security people to cut their own budget to participate in the exercise that builds the list of what are guaranteed to be 365-day vulnerabilities - the list of things we know are currently broken, and we're not going to fix until we get the budget to request for next year."

An Ounce of Prevention, As Compared to a Ton

One questioner in the audience admitted that his business employs risk managers, but says they understand some of both the art and the science, as Ellis explained it, more than they understand how to defend against threats. Confirming Blakley's pessimistic picture, he explained how risk managers in his business calculate how much loss of business or capital it would incur as the result of a threat event, balance the more nominal losses against minimal expenses for protections and remedies, and in the act leave behind the more serious threats that they can't afford to throw money at. Inevitably, these risk managers have the wrong executive sign off on their finalized list of expenditures, asking that executive to decide whether to a) fix the problems, or b) accept the risk. If a five-year-old running out in the middle of traffic were to run into one of these risk managers, he said, given the same type of assessment and asked to make the same decision, it's impossible to imagine him being convinced by a table of probabilities to stay safe behind the curb.

Andy Ellis took that analogy one step further. Asking parents in the audience to confirm this observation, he said when a five-year-old runs out into the street, it's parental instinct to run toward him and grab his arm. Hopefully this is followed by a stern explanation of the risk of running into traffic. If every time the child darted or walked or nudged his way toward the street, the parent gently nudged the child back without a word spoken, Ellis said, "you're making a risk decision on their behalf. You're not educating them.

"Realistically, people have a constant level of risk tolerance," he went on. "They will tolerate a certain amount of risk, and if you take some away, they'll go find more risk. NASCAR drivers are a great example of this. They keep doing things to make the cars safer, and they drive more and more dangerously and recklessly because they now think they're invulnerable. So what we find is, there are fewer accidents, but the ones that happen are really big and really bad. The same things happen on our streets."

Many executives make the mistake of believing that when the calculated reward or benefit for a project exceeds the calculated risk, the difference between the two becomes an acceptable level of extra risk that can be tolerated for the next project. Ellis suggested that a risk decision should be met with a binary yes or no, not a calculation of probability. Security engineers should use those probabilities in their internal assessments, but in the end apply their philosophies clearly and coherently. "At the end of the day, the business decision maker - the person who gets to choose to take risks, who is not INFOSEC - is making that decision," he notes.


Acceptable Levels

Alex Hutton is a senior analyst for risk intelligence with Verizon Business. Citing data from Verizon's 2010 Data Breach Investigations Report, Hutton created a table of all the possible types of threats to an enterprise data center, and distributed incidents into each cell of the table by type (while Bob Blakley whiled away the time by blowing up "Anonymous" balloons). You don't actually need to read the labels or the numbers here to make sense of the conclusions: Of all the things that risk managers say could happen in the enterprise, only a very few classes of those events are actually happening.

"It may be that attackers are particularly clever, and all that stuff. But at least we're not forcing them to be," said Hutton. "90% of that [table] is empty. Of all the possible things that they could do, they're focused on 10% of them." Hutton promised an even more lopsided shift for the 2011 table, which Verizon expects to publish soon.

Formerly a risk management professional with PayPal, Allison Miller is now Director of Security and Risk Management for social meeting destination Tagged.com. Five years ago, Tagged had a reputation as a spam producer. Now, Miller's job is to make it feasible for the network to provide its members with tools that protect them from receiving spam. So she deals with risk management from both the user's and the organization's perspective.

Miller questioned Ellis' assertion that the final decision in risk management must be a binary state. She and her team are held to a certain set of quarterly performance metrics, which are agreed upon in advance. Some of those metrics hail from the financial services realm, where she gained years of experience with PayPal. "For some of the things that I'm evaluated on, there is an expected experience associated with something security related," she told the audience, citing fraud rate as one of those measurable, agreeable levels. When you have millions of users (Tagged claims 100 million), the security state of the platform must be held to a certain tolerable metric.

"And that has been compliance, has it not? There's an agreed-upon standard to which you're expected to adhere," said Miller. "And that is something that is hard to count, because compliance is either on or off. That's an interesting challenge... If there's a standard that's written down, and you're either compliant or not, that gives your management less flexibility around their risk tolerance." What would be preferable, she added, would be "if there are other things that you could be held to that would demonstrate your performance, but within a range as opposed to something that's on or off."

That range can be calculated, she suggested, from an examination of user activity, and the metrics applied to it. Financial fraud, account takeovers, collusion, and spamming are among these metrics. "There's a lot of data there, but there's also something else that's really important for having really high confidence and good science, which is that feedback loop - knowing whether you were right or wrong." Right now, humans - both users and operations teams - serve that feedback, and that may actually be a problem for any business that needs more quantifiable, reliable metrics.


Harnessing the Feedback Loop

Gartner's Bob Blakley conceded that the discussion was leading toward a possible improvement of risk management in organizations - and, speaking as the devil, he condemned it. "I love the security community's assumption that we are a passive target, and we are hoping that the armor is thick enough. This is wonderful. Let's quantify the probability that the enemy can hit us with a 50-caliber round from a mile away. It's a very dispassionate statement for somebody who's actually inside the target vehicle."

The real feedback loop, Blakley suggested, is not the one that re-evaluates whether the right diagnoses were applied to the population of malicious agents. The true loop, he said, should be the one that signals whether what security is doing to disrupt malicious agents - the counter-offensive, if you will - is effective, neutral, or counter-productive. "As soon as we start performing experiments on live subjects... by screwing with them and watching how they react, then we will be completely indistinguishable from 'Anonymous' but we'll still think we're on the side of the angels."

Sometimes it's difficult to know when Blakley is speaking in jest. Still, he blamed folks like me (he could clearly see I was media, sitting in the front row taking pictures) for agitating the situation for folks tasked with making these decisions, whether they be on-or-off or acceptable percentages. "The generation of constant, heightened fear surrounding all sorts of security instances is fashionable. It's a free reality TV show.
"The choice that business faces is between investing money to increase revenue, or investing money to decrease losses," Blakley argued. "To a businessperson, this is not a hard decision, and it means that the security [initiative] always takes the hit."

"Unless a dollar of reduced loss is worth more to your profitability than a dollar of additional revenue," countered Miller.

"The difficulty is that, of course, the security people are not in the conversation when the line-of-business executives go to the CEO and say, 'Instead of spending one dollar to get two dollars in risk reduction, we can spend one dollar and get ten dollars.' They're not even in the room."

"Is that why you invented compliance?" Miller asked the devil.


Tags: Conferences

March 08 2012

Security Leaders: How Can Something This Dumb Be Called a "Smart Grid?"

"I don't know how you can call something this dumb a 'smart grid.'" This from the former Assistant Secretary for Policy at the Department of Homeland Security - the man who created the job. Serving nearly three-and-one-half years at DHS, and before that, several years with its predecessor agency and with the NSA, Stewart A. Baker got a first-hand look at the present and future battlefronts of electronic terrorism. You could read his book, or you could get the gist of his impressions from its title: Skating on Stilts.

Sec. Baker was referring to the relative state of readiness and resilience of the computer equipment protecting America's energy distribution networks and industrial control systems. Presently a senior counsel at the Washington, D.C. law firm of Steptoe & Johnson, LLP, he introduced his firm's report on our present status. "I thought I would start with some obvious things," he began. "Security sucks."


Last year, the pervasiveness of the Stuxnet worm demonstrated that it's possible to break, Baker said, the industrial control systems after penetrating the Windows networks that connect to them. "Not only can you, it's a great idea if you're thinking about attacking another country," he told the RSA Security conference in San Francisco last week, with only a hint of sarcasm. "It's a wonderful weapon, if you're into weapons. It's very effective at bringing down industrial control systems, upon which civilian life depends. There's none of the taboos around this weapon that you have around nuclear weapons. And it's easy to develop if you've got the makings of a cyber-weapons industry. It's asymmetric - you can go up against the toughest guys in the world and cause some real pain in ways that they may not be able to cause you."

A Fence Around a Hole

Baker notes that the authority for government agencies today, such as the Commerce Dept.'s NIST, to contribute to the management of Internet security is somewhat repurposed from their original mandate. But partly because these agencies are now perceived as protectors of all things digital, he said, those responsible for direct management and operation of industrial control systems are not focused on digital network security. Remarked Baker during an RSA panel on smart grid protection, "They've got an equally important nightmare that they have to live with every day, which is that the power will go out and they won't be able to deliver it. All of their security features are designed around that."

While these operators are focused on maintaining the nominal status of the power infrastructure, they tend to trust one another, like soldiers locked in combat against the common enemy of rust and corrosion. And as trusted co-combatants, they share everything with one another - including passwords. So when a power system does fail, and experts are sent down from Canada to manage the issue (gee, I wonder whom Baker was referring to), someone leaves them a note with the passwords so they can get into the system.

Because of incidents like this, Baker says, the security of power systems today is actually worse now than in the past several decades. "This is not exactly the security that you and I grew up with."

Defending her agency's role in protecting the grid, however smart or dumb it may be, was Donna Dodson, NIST's Deputy Chief Cybersecurity Advisor. "The goal of standards is to provide the fundamental tools and technologies that you can use in support of information assurance, to really help protect the smart grid," she told the panel. "We've been working very closely with DHS, the Dept. of Energy, with the entire smart grid community, so that public/private partnership has come together with our smart grid efforts... to begin to understand, from the very top level of understanding risk and risk management, down to the technical details of what standards are available. NIST has pulled that community together."

Dodson said this community is comprised of standards development organizations and academic leaders, brought together by agencies with the goal of identifying gaps and deficiencies in current standards. As part of a partnership with DHS and private organizations, NIST is supporting a National Initiative for Cyber-Education. Later this spring, it will be hosting a workshop on smart grid security, followed by another on cyber-physical systems.

The Legislative Foundation

But the authority for these agencies to take decisive action, even after these more concrete standards have been ironed out, may only be established through new legislation. That process has made molasses seem slippery. As House Homeland Security Committee general counsel Kevin Gronberg described it, "The activity on the Hill, depending on whom you ask, is fast and furious or slow and monotonous.

"Cyber security - and especially securing the smart grid - has been recognized as an increasing need for legislation in Washington... Because there have been previous attempts at passing cybersecurity legislation, they have been thwarted, so to speak, by multiple jurisdictions." Gronberg then reminded attendees of the simplified version of how a bill is passed, as presented by the old Saturday morning kids' show from the 1970s, "Schoolhouse Rock."

"With the underlying nature of cybersecurity being what it is, as everyone knows, it permeates almost every element of our economy. And as such, there are so many different committees on Capitol Hill that feel they have jurisdiction over the issue - whether it's Financial Services or National Defense or Homeland Security," he explained. "With the Republicans regaining the majority in the House in 2010, Speaker of the House [John] Boehner commissioned a task force report on what should be included in the cybersecurity bill."

That report was released last October, with the hope of each committee being able to create a bill that addresses its respective jurisdiction. Those bills would then be combined into a version that could then be reconciled with a Senate counterpart bill. The resulting bill, called the PRECISE ACT (PDF available here) and which passed Gronberg's committee on February 1, would enable interagency sharing of standards and information in the event of a national cybersecurity event, as NIST's Dodson has called for.

The bill also includes measures enabling agencies, under DHS supervision, to acquire databases that happen to include personally identifiable information from services that host critical government infrastructure, so long as that data remains protected. So far, the ACLU has responded with guarded skepticism, but has not raised any alarms. The Union has stated its tentative approval of cybersecurity measures being managed by DHS, instead of the NSA which is also an intelligence service.

"As of now, the cybersecurity mission is poorly defined in legislation," said Gronberg. "It has been more of a function of executive order and public expectation. I think the Department [of Homeland Security] has filled that role admirably, but we'd like to clarify those roles, especially the cross-jurisdictional aspect of the team sport that is cybersecurity."

Failure By Design?

As the Atlantic Council think tank's Jason J. Healey asked attendees, why should so much effort and legislation be expended on protecting a system that's fundamentally flawed in the first place?

"If we make these kinds of decisions, could an attack on [the smart grid] and a failure make us pre-industrial?" asked Healey, who directs the Council's Cyber Statecraft Initiative. Having met with members of Carnegie Mellon University's Software Engineering Institute, he asked them - perhaps not in jest - "Let's design a perfectly bad system. Could we design a system so atrocious that, if it got knocked over, we'd be pre-industrial? What would that look like? Well, first, you'd have to be fully dependent on the system. In case there was a failure, it would have to cascade both directly and indirectly into the other sectors. And our perfectly bad system would have to be not just silicon, or something we could just reboot... it would need to be made of real stuff, concrete and steel that hard-brakes... that might take months to get a replacement part to fix."

To help maintain the system's poor reliability and vulnerability, Healey went on, everyone should be made completely aware of the problem, without any real interest in solving it. Potential adversaries who have created back doors in the past - perhaps the distant past - should be encouraged to return by building up their egos in news reports, and should find those back doors left wide open for them. Then the system must be made a political priority. "We'll worry about security later. We'll just get it out there, and then once we know if it's working, we'll have security. And then we're gonna take this system and we'll connect it to the Internet!"

Later, in response to a question, Healey suggested that if America truly cared about the operational integrity of the private sector in the event of a national cybersecurity emergency, agencies would bend over backwards to make certain that private network administrators and security engineers have all the tools and information they need. Legislating that NSA should monitor this part of the network on behalf of the private sector, he said, was "somewhat of a failure of imagination."

Stewart Baker disagreed, pointing out that malicious agents use information being broadcast from agencies to their own advantage. For instance, they watch public service announcements to see which malware they put in the wild has been blown. When they see no such announcements, said Baker, "they know they've got a winner." So protecting the status of these investigations, and not being completely transparent with private industry, gives NSA, DHS, and other departments and agencies the advantage of not leaking easily discernible intelligence to their enemies.

"It is not absolutely necessary that NSA do all of this monitoring," Baker added. "The fact is, these are the operational guys - these are guys who live this daily, and anybody who's in this room and who's in this business understands that there's all the difference in the world between sitting in the C-suite and being down, actually dealing with the code, and fighting these guys on a daily, hourly basis. This is a matter of minutes and hours, if you want to keep your systems from getting compromised in ways that we can't undo. The only really operational fighters in the federal government are at NSA... I have a lot of sympathy for their desire to get out and do something."


Tags: Conferences

Ed Skoudis of SANS on the Vulnerability of DNS

One of the more embarrassing revelations from last week's RSA Security conference in San Francisco was that bigger businesses take longer to discover security breaches. The DNSChanger Trojan, which was in the wild in 2009 and whose proprietors were busted last November, is still leaving damage behind in government systems days before a scheduled deadline (now extended) for it to have been eradicated.

And yet the DNS changing malware - so deceptively simple it can't even legitimately be called a hack - may yet be undetected in targeted systems. At RSA last week, SANS Institute Faculty Fellow Ed Skoudis, a world-renowned author in the anti-malware field for over two decades, reiterated the dangers of leaving the DNS command and control channel open to outside influence.


In the past decade, malicious agents would craft or deploy back doors that listened for inbound connections on TCP ports inside enterprises' networks. Some of them were detectable through port scans, which became a regular procedure in scouring for bad actors.

Skoudis told RSA last week that back doors have since evolved, leveraging their ability to take over DNS to utilize enterprises' outbound connections. Most networks are, after all, configured to allow for outbound traffic. Some of that outbound traffic even uses SSL or TLS encryption, using HTTPS protocol. And some modern malware today even gets its commands from loosely masqueraded Twitter feeds, or Facebook or YouTube comments. If you've been wondering about the proliferation of nonsensical Twitter feeds and thinking, what exactly are they doing, now you know.

"The issue here, though, is that each of these mechanisms requires the malware on the affected machine to have a direct outbound connection to where the bad guy places his commands," Skoudis explained. "So if we as defenders could sever that connection - if the inbound machine can't get out - we fix the problem... well, not so much."

After feigning a self-correction, Skoudis went on to explain that modern malware now acts as a DNS server inside the computer, resolving certain names internally before passing on unresolved requests to real DNS servers on the Internet. That position inside the machine gives malicious agents command and control, he explained, pointing to the possibility of a name resolution system that works exclusively for malware and resolves commands that aren't even properly formed DNS requests.

And so much for the firewall. "With malware on the infected machine... that machine does not have outbound connectivity at all. If it tries to send traffic through the firewall, it's blocked. No TCP, no UDP, no ICMP. Instead, it sends a DNS query just to its internal DNS server. The internal DNS server then looks that name up for it by maybe sending it to an external DNS server on the DMZ, which may even forward out to an external DNS server on the Internet, which could do a full recursive lookup, ultimately getting to the bad guys' server."

That recursive lookup could be capable of fetching back a command, which is delivered to the malicious DNS server inside infected computers and then executed, perhaps with elevated authority. "This is very subtle," said Skoudis.

The FBI's indictment against the Estonian proprietors of the DNSChanger malware last November told a story of how the malware redirected DNS queries to one of a surprisingly large, amassed network of DNS server addresses. The sole objective there was allegedly to display ads their system hosted in place of ads and pages that users frequently visit - for example, instead of Yahoo or Netflix or even the IRS. Ed Skoudis' warning is of something even more sinister. He speaks of a distribution mechanism where, ultimately, an agent on your computer and an agent in the Internet have full communication with one another outside of firewalls, by masquerading as the service upon which the Web completely depends: the domain name resolution system. If getting the malware inside your machine is as easy as the DNSChanger folks demonstrated - by having an upstream server masquerade as the DHCP configuration server normally used by Wi-Fi routers - then there could be a gaping security hole in the Internet right now. In a backwards way, the DNSChanger folks may have done the world a favor.

His suggestions for defending against this vulnerability begin with watching the traffic itself; one free tool Skoudis suggested is DNSCAT by Ron Bowes. "First, look for unusual DNS traffic. This introduces strange patterns of DNS traffic, very frequent barrages of requests, maybe sent to places in the world that you're not normally doing business in." While logging all DNS responses would cause systems to take too big a performance hit, simply sniffing outbound requests on the perimeter network could reveal anomalous patterns or unusually long queries with strange names.
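As an added example (not from the talk or the article), the following Python runs the checks Skoudis describes over a constructed log of outbound DNS queries: unusually long labels, strange-looking names, and frequent barrages from one client to one domain. The log format ("epoch client qname"), the sample hosts and the thresholds are all assumptions.

```python
import hashlib
import math
from collections import Counter


def build_sample_log():
    """Constructed sample of outbound DNS queries as seen at the perimeter
    (assumed format 'epoch client qname'; not the article's data). Two hosts
    do ordinary lookups; 10.0.0.9 emits a barrage of encoded labels under one
    apex domain, the tunnelling pattern the talk describes."""
    lines = [
        "1330000000 10.0.0.5 www.example.com",
        "1330000001 10.0.0.5 mail.example.com",
        "1330000002 10.0.0.7 cdn.example.net",
        "1330000003 10.0.0.7 static.example.net",
    ]
    for i in range(30):
        # 48 hex characters per label stand in for an encoded command chunk
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]
        lines.append(f"{1330000010 + i} 10.0.0.9 {chunk}.tunnel.example")
    return lines


def shannon_entropy(label):
    """Bits per character of a label; encoded payloads score far above words."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def apex_domain(qname):
    """Last two labels of a name; a crude stand-in for a public-suffix lookup."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyze(lines, max_label_len=40, min_entropy=3.5, burst_threshold=20):
    """Return (client, subject, reason) findings for three signs of DNS
    command-and-control: over-long leftmost labels, high-entropy labels, and
    a barrage of queries from one client to one apex domain."""
    findings = []
    per_client_apex = Counter()
    for line in lines:
        _ts, client, qname = line.split()
        first_label = qname.split(".")[0]
        if len(first_label) > max_label_len:
            findings.append((client, qname, "long-label"))
        elif shannon_entropy(first_label) >= min_entropy:
            findings.append((client, qname, "high-entropy-label"))
        per_client_apex[(client, apex_domain(qname))] += 1
    for (client, apex), count in per_client_apex.items():
        if count >= burst_threshold:
            findings.append((client, apex, f"burst:{count}"))
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample_log()):
        print(finding)
```

The thresholds are starting points only: legitimate CDN and anti-spam lookups also produce long or odd-looking labels, so tune them against a baseline of your own perimeter traffic.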

The theoretical ability for such a malicious network to be established has existed perhaps since the beginning of the Internet, Skoudis told the RSA audience, though he's only seeing it put to the test recently - with a new set of tools responsible for at least two large-scale breaches he's seen within the last eight months.

Stock image by Shutterstock.


Tags: Conferences

March 05 2012

Redrawing the Battle Lines: What We Actually Learned at RSA 2012

Passwords are dead. Of course, passwords have been dead for over a decade, but the problem with this dead technology is that it just won't die. The successful breach of security nearly one year ago on the RSA division of EMC targeted an all-too-weak two-factor authentication system.

For a moment during the Tuesday round of keynotes at the conference that bears his company's name, RSA Executive Chairman Art Coviello, Jr. looked despondent, helpless, like an executive pleading the Fifth. But this time, Coviello didn't just blame the usual suspects. Striking a strange new theme that resounded through the entire conference, he cited employees' irrepressible desire for a new mobile device, and companies giving it to them, as the eventual culprit.


"Employees are used to having powerful technologies, hardware, and applications as part of their everyday lives. Everything is an app now. Not only are they not waiting for IT organizations to catch up and provide these capabilities, employees and entire business units have been bypassing those IT organizations to achieve their business and personal goals," Coviello pleaded like a suspect student at the principal's office, someone getting no respect from the world. "And increasingly, they're winning the battle to have all of their mobile devices supported. The point of all this is, while no one knows where these trends are going to take us, it's clear: We're well past the tipping point where our physical world and our digital lives can be separated."

This just moments after a gospel choir belted out, shall we say, updated lyrics to the Rolling Stones' classic, "You Can't Always Get What You Want."

No, businesses did not wait for the IT department to invent the "business edition" of the iPad. Yes, they made investments before they ever considered formally integrating it into their migration plans. (If they hadn't, it would be the iPad 5 before they made the first move.) But it's doubtful that the late Steve Jobs is to blame for the RSA breach. While a sizable chunk of presentations last week at RSA began with some variation on the dying proclamation that passwords are dead, their common theme was what followed: a reflection upon the notion that nothing has taken their place yet.

Last February 24, we previewed RSA 2012 in San Francisco with six "keys to the conference" that we said we'd be sure to follow. There are more stories to tell from the conference this week, though let's take a moment now to revisit these six key themes to see how RSA 2012 advanced their story line, if at all:

1. Who or what defines identity for cloud access? I found it a little shocking that, on several occasions, the news about how Windows 8 would use a kind of single sign-on (SSO) authentication sharing system (sometimes called "identity federation," but in this case, not really) came from, of all people, me. I was the one who informed many security engineers and software experts about what will be called Microsoft Account.

So for some companies this week, Windows 8 will be an entirely new, if equally proverbial, monkey wrench. However, for members of the Cloud Security Alliance, who met in a special summit session last Monday, the news was certainly closer to home. The problem is something that experts readily acknowledge, and which many believe the authentication sharing scheme could actually exacerbate: It's the proliferation of the same weak passwords which tends to weaken them further, as folks who use a password for one purpose will use it elsewhere. Case in point: Users of systems that identify them by their e-mail addresses (as opposed to their arbitrary usernames) and passwords, tend to use the same passwords. So a breach of a relatively weak password system anywhere on the Internet could impact Google, whose accounts are often secured by users' Gmail account names. This is a topic we'll discuss in greater detail this week, although for now, the boldfaced question above remains dangerously unresolved.

2. The rise of risk management. A new and very different class of RSA attendee arrived this year, in full volume and in native dress. Risk management professionals, whose background is in business management as opposed to software engineering or systems analysis, demonstrated that they're putting more direct pressure on organizations to improve the way their information systems are designed, implemented, and maintained.

It's a very welcome development, because it addresses Art Coviello's problem head-on. Up to now, most security technologies have been either preventative or remedial in nature - systems designed to either maintain or restore normal functionality in the event of "bad stuff happening." When risk management is applied (correctly) to the evaluation and purchasing or requisition process, components that are purchased must be resilient by design. You don't reduce the risk of one purchase item by way of investing in another. This is changing the entire marketing scheme for security vendors, who can no longer present themselves as the fix. They have competition now, in the form of improved systems. If cloud technologies can resolve the identity issue, purchasing managers can use risk management procedures to justify replacing existing, on-premise software with cloud services and apps. And that leads directly to the next point:

3. The decline of endpoint security. There's no longer a question mark at the end of that topic. The fortress mentality is dying. We did see this week, however, the last gasp of endpoint security providers, with the publication of charts either advocating a relocation of the firewall, or showing it already having been moved, beyond the data center boundaries and into the cloud.

The argument is that virtual systems essentially perform the same "palace guard" roles as components inside the traditional firewall of the data center. So virtual firewall appliances are essentially remote palace guards, sent "on assignment" to protect these new, remote outposts. The problem remains, though, that in versatile cloud models, the idea of "hardening" endpoints tends to fail. There are ever more relevant traffic monitoring services that use shared data and evolving criteria to judge patterns of questionable behavior, and to isolate malware before it ever becomes formally identified and catalogued. These new systems are indeed making progress; the problem of late has been that more sophisticated, industrially supported botnets are turning their attention to weakened access points, and are breaking through with a low degree of intrepidity.


4. Can privacy be delivered by technology? The moment for the Web to have become a harbinger of privacy was at the very beginning, when it had the opportunity to encrypt and authenticate all transactions. In the absence of a full-time Web authentication model, the capability for any big data service to aggregate multiple characteristics about any individual from disparate sources - as BT's Bruce Schneier warned attendees Wednesday - rises exponentially.


"Yesterday's enterprises tried to be more locked down," stated Symantec President and CEO Enrique Salem during the Day 1 keynotes. "Today's enterprises are more open, more distributed, and less secure than they need to be. And I think many of you are frustrated by how much complexity has been introduced. But this new world is one where we don't control the devices. With the expanded use of the public and private cloud, we don't know where our data necessarily resides. With the increasing use of virtualization, it's not always clear where a specific workload is being run."

Salem then picked up on Coviello's theme of blaming end users, giving them the blanket euphemism "the digital data generation" (as if there has ever been any other type of data). "The digital data generation brings into sharp focus three questions: How do we manage online identities when our employees maintain dozens of them? Number two, how do we protect information when the workforce shares information freely, and isn't that concerned about its security? Number three, how do we keep track of a substantially higher volume of online activity?" Step one, it would appear, is to appropriately enumerate all the questions.

5. Is infrastructure security a joke? As I'll explain in a story later this week, analysts and engineers were openly snickering at the notion that a "smart grid" even exists at all. With almost trivial, if non-existent, security measures in place throughout the nation's energy delivery and infrastructure networks, evidently the only thing truly protecting us from a random shutdown event is the continued vigilance of government security agencies.


One of the most poignant statements on this topic came from Kevin Gronberg, a senior counsel for the House Committee on Homeland Security. Actually, as you'll see later, Gronberg made several brilliant observations, but this one deals with a cybersecurity protection bill introduced last month. "As of now, the cybersecurity mission is poorly defined in legislation. It has been more a function of executive order and public expectation. The Department [of Homeland Security] has filled that role admirably, but we would like to clarify those roles."

6. Could government really lead the way in security architecture? Yes. In fact, as we saw plainly demonstrated on several occasions, including by Margaret Salter of the NSA, government is already leading. One of the most striking revelations of the week was that commercial security components, even the open source ones, are not interoperable with one another. It is as if they were all developed in separate vacuums.

The need for a secure government smartphone based on common hardware architecture is leading to an interoperable system of components that could be better than BlackBerry - and what's more, that could be shared with the private sector without owing anybody royalties. The one good thing to come out of government budget cuts (perhaps there is only one) is that it has forced engineers to forge workable solutions from available parts. Making square pegs fit into round holes is something only governments know how to do. As the NSA's Salter pointed out, buyers of commercial equipment have grown accustomed to purchasing only what's sold to them. They don't use collective influence as leverage to improve what it is they purchase, because the retail process whittles them down to mere individuals. The government cannot be whittled down like that; it's either a big buyer or a non-buyer. That influence is changing security design, both on the part of NSA and DHS; and it was obvious last week that commercial endpoint security vendors will be the last ones filled in on those changes.



Tags: Conferences

March 01 2012

Strata: Mixing the Social Data Cocktail

Everyone knows you can learn a lot by trawling data coming from social media services like Twitter, Facebook and Flickr. But sometimes the data will surprise you. For instance, you'd expect to be able to glean product feedback from Facebook's public feed, but did you know that shoplifters tend to brag about it in social media?

Chris Moody, CEO of Gnip talked about exploring social data and the real-world use cases for some of that data at the Strata Conference.


Gnip is a major provider of social media data. It has deals with many of the major social media services and provides normalized data to clients, which in turn process the data and serve (according to Moody) about 90% of the Fortune 500.

The Data Cocktail

Much of this is what you'd expect. Companies trawling Twitter data doing brand monitoring, for instance. But some of the uses are a little less obvious, and this is where it gets interesting.

First, Moody covered how folks should decide what data they need to follow. Twitter, for example, is great for getting real-time feedback to events, but (obviously) is very concise. Conversely, WordPress.com provides more depth on topics, but at a slower pace. IntenseDebate and Disqus provide more concise feedback (usually, anyway, comments are shorter than the posts) but are even slower than posts to WordPress because comments by necessity follow posts. YouTube is slowest of all, usually, due to the time it takes to create videos but often provides really rich insights.


So most of the use cases need a "data cocktail" that combines two or more sources to get what they want.

For instance, Moody talked about the partnership with geodata provider ESRI to provide data to local retail companies. This combines Twitter, Flickr and YouTube to provide a "lens of what people say in store." This goes beyond supply chain information, because they can see what people say about things that are not in stock and whether they care.

This is also where Moody mentioned the tidbit about shoplifters. He says that retailers can use social data to see when people are stealing from their stores. He declined to specify what's done with that information, but you can infer that retailers are using it to tighten up security and pursue the shoplifters.

Another case study involved J.D. Power and Tropicana. Moody says that they were able to glean insight from blogs and comments about Tropicana that show many children of Baby Boomers view Tropicana orange juice as "a reward." Using that data, they decided to start placing vending machines close to the exits at gyms.

Many businesses want to know where the next big box store is going up, because they depend on the construction dollars or providing other services to the Walmarts of the world. Moody says that, typically, businesses would keep an eye out for paperwork to be filed.

Now? A lot of times you can see in social media when Walmart has come up in meetings with town councils and such long before paperwork is actually filed.

All of this depends on having the appropriate mix of information, and knowing what to look for. Unfortunately, the session was short on technical detail, but if you're looking for ideas how to use social data it was well worth attending.


Tags: Conferences

RSA Security Giants on the State of Crypto: Can Whit Be Right and Ron Be Right?


Two weeks ago, a security researcher set off an intentional firestorm over the discovery of data that seemed to indicate a flaw in the way cryptographic systems using "multiple secrets" (more than one key) protect a session. Since the report of that discovery was published, experts have claimed its author may have reached an unsubstantiated conclusion.

In any event, yesterday at the RSA Security conference in San Francisco, the man the report's very title praised for being "right" all along - cryptographic pioneer Whitfield "Whit" Diffie - told attendees that if a problem actually does exist, its solution may be deceptively simple.


The problem, as the report "Ron was wrong, Whit was right" indicated, was that a substantial percentage of generated RSA keys contained common factors, thus rendering them ineffective or untrustworthy. "That seemed very serious to me, and sort of a phenomenon unique to RSA," Diffie told a packed keynote session. "And eventually I realized - and as I thought about it for a week, it's come to seem just as charming, but as a practical matter, much less serious than it did to start with, but something that probably does need a bit of addressing."

Diffie noted, with perhaps a hint of sarcasm, that the report's authors - who included Swiss professor Arjen K. Lenstra - avoided sensationalism by refraining from alleging that RSA keys had been "cracked." But he posited that what Lenstra's data could actually be indicating is a flaw in as few as one bad random number generator. "It seems unlikely that two independent prime random number generators are going to be producing the same 500-bit primes." He then expressed skepticism at the idea that one person's key could be compromised by someone else, simply by virtue of that person holding a key generated by a common factor - when that fact is not automatically made evident to either party.

"But the fact is, if you manufacture your key material correctly - that is to say, you're very careful about production testing of your own random numbers - this is simply not going to happen to you," he said. "If you adopt a random number generator that has whatever this fault is, you might get this effect."

To help improve the system, Diffie suggested it might be necessary to "out" the bad random number generators. "So my notion is, why don't we just publish hash codes for all of the primes selected to go into keys? As a matter of fact, you might publish hash codes for all of the keys that you've selected for any purpose... and then anytime you generate one, if you see that it's already in the database, you know two things immediately: One, you probably have the same random number generator they did. Two, it's no good."
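An added example, not from the talk or the paper it discusses, that ties the two points together: the shared-factor check behind the "Ron was wrong" finding (a pairwise gcd over RSA moduli) and Diffie's proposed registry of prime hashes. It uses toy 7-digit primes in place of 500-bit ones, and the "bad" generator with only three possible seeds is a constructed stand-in for the faulty RNG Diffie describes.

```python
import hashlib
import random
from math import gcd


def primes_in(lo, hi):
    """All primes in [lo, hi] by a sieve of Eratosthenes (toy key material)."""
    sieve = bytearray([1]) * (hi + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(hi ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, hi + 1, i)))
    return [n for n in range(lo, hi + 1) if sieve[n]]


PRIME_POOL = primes_in(1_000_000, 1_100_000)


def make_modulus(rng_p, rng_q):
    """Pick two distinct primes (one per RNG) and return (p, q, n = p*q)."""
    p = rng_p.choice(PRIME_POOL)
    q = rng_q.choice(PRIME_POOL)
    while q == p:
        q = rng_q.choice(PRIME_POOL)
    return p, q, p * q


def generate_fleet(n_good, n_bad):
    """Constructed fleet of key generators. 'Good' devices seed from a wide
    source. 'Bad' devices (hypothetical faulty RNG) can only start from three
    seeds, so every third device re-picks the same p: the effect Diffie
    attributes to one bad random number generator rather than to RSA."""
    seeder = random.Random(2012)  # fixed so the run is reproducible
    keys = []
    for _ in range(n_good):
        rng = random.Random(seeder.getrandbits(128))
        keys.append(make_modulus(rng, rng))
    for i in range(n_bad):
        bad_rng = random.Random(i % 3)
        keys.append(make_modulus(bad_rng, random.Random(seeder.getrandbits(128))))
    return keys


def shared_factor_pairs(moduli):
    """Lenstra-style check: two moduli with gcd > 1 reveal each other's factors."""
    hits = []
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = gcd(moduli[i], moduli[j])
            if g > 1:
                hits.append((i, j, g))
    return hits


class PrimeRegistry:
    """Diffie's suggestion: publish a hash of every prime selected for a key.
    A generator that re-produces a registered prime is flagged before the key
    is used, without the registry ever holding the primes themselves."""

    def __init__(self):
        self.seen = set()

    @staticmethod
    def digest(prime):
        return hashlib.sha256(str(prime).encode()).hexdigest()

    def register(self, prime):
        h = self.digest(prime)
        if h in self.seen:
            return False  # already in the database: same RNG as someone else, no good
        self.seen.add(h)
        return True


def vet_fleet(keys):
    """Indices of keys whose p or q was already registered by an earlier key."""
    registry = PrimeRegistry()
    rejected = []
    for idx, (p, q, _n) in enumerate(keys):
        ok_p = registry.register(p)
        ok_q = registry.register(q)
        if not (ok_p and ok_q):
            rejected.append(idx)
    return rejected


if __name__ == "__main__":
    fleet = generate_fleet(8, 6)
    print("shared factors:", shared_factor_pairs([n for _, _, n in fleet]))
    print("rejected by registry:", vet_fleet(fleet))
```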

At that point, Diffie turned to the fellow that Prof. Lenstra called "wrong," who was seated to his immediate left: Ron Rivest, the "R" in "RSA." "I think if I get a chance to referee the paper, I'll suggest a change of title," Rivest said. "You are often right, and I am sometimes wrong."

Switching back to serious mode, Rivest suggested that behind the firestorm in the report, there really wasn't much substance. He noted a much earlier work in 1996 by Adam Young and Moti Yung on cryptovirology - the intentional creation of deceptively secret and malicious software, often for extortion. A maliciously bad random prime number generator could theoretically be written, Rivest said, so that the public key may be computed in such a way to reveal the corresponding secret key to an adversary. "I don't think we've paid enough attention to that possibility," he remarked, noting the much more serious prospect for damage.


Tags: Conferences

February 29 2012

Strata Conference 2012: The End of Big Data Hype?

Last year, I was slated to attend the first O'Reilly Strata Conference, but the 2011 Snowpocalypse intervened and said "no flights for you, St. Louis." Not only did I miss the inaugural Strata Conference, but it seems like I missed out on all the hype and irrational exuberance for big data as well.

The first day of the 2012 conference was dedicated to half-day tutorials and the all-day Strata Jumpstart. The Jumpstart sessions were geared for business leaders looking to see "how information can transform the enterprise."


The over-arching theme for the Jumpstart sessions? As Rob May said on Twitter "be wary of the religion of data." That's not quite the message one might have been expecting in attending Strata, but it's a good one.


To be clear, nobody was saying "big data is over" or that it's useless. But the message from most of the speakers was that it's deeply important to know what data can do for you, and what it can't before you decide you've got to get you some Hadoop.

Marketers and Analysts

Avinash Kaushik, co-founder of Market Motive, says that we have enormous data, but very little insight.

Kaushik says that if you have a budget for data, spend 90% of it on people who can work with the tools and derive insight from the data, rather than spending the bulk of the budget on technology to gather data.

He also questions the need for real-time data. If you don't have the ability to act on real-time data, then don't try to gather real-time data. Instead, Kaushik argued for "right-time" that is available when decisions need to be made.

The exception? When "you can get rid of humans" in the decision-making process. If you can make decisions algorithmically based on real-time data, then it might be worth it. But, Kaushik says, "if humans are involved, you're screwed."

Ammo for the CFO

Continuing the theme of cautiously adopting big data, J.C. Herz spoke on "Ammunition for the CFO: How to be a Hard-Nosed Business Customer for Analytics." Herz, in particular, played devil's advocate to the question of whether companies need big data and analytics.

Herz is CEO of analytics company Batchtags. At the last Strata, says Herz, everyone came out saying "we've gotta get us some Hadoop" after being pumped up by the sessions extolling the virtues of big data without really understanding what they wanted. "Hold on cowboy," she says, "let's figure out what you want to accomplish before we 'get us some Hadoop.'"

One step companies need to undertake is a data audit. Companies may think they have "big data" but "sometimes it's not as big as you think it is." One company Herz worked with had bought into infrastructure to support "massive flows of data" but after spending millions of dollars "they had something like 2TB of data."

Companies need to know how much data they're working with, how fast it's being generated, and how many places the data is coming from.

Next question? Who owns the data? Who's taking responsibility for cleaning the data and making sure it's accurate? Who's in the position of saying "no, you can't have it?" Herz described a few horror stories about companies that thought they had rich data sources, but when they really dug in they found that human laziness meant that the data was missing or inaccurate.

By the same token, companies need to ask who's going to do analysis on data. When you're deciding on a big data strategy, Herz says that companies need to decide exactly who is going to be doing the analysis, by name, and who they'll be reporting to.

Another question, are you using the data to make a decision – or avoid one? Herz says that analytics are good when management wants to make a decision, but it's a waste of money when companies are gathering data so that decisions can be put off.

Time is a resource, says Herz. One of the worst scenarios is when management gets the "big data religion," throws "obscene" amounts of money at it, and wants results yesterday. It doesn't work like that.

Companies also need to realize that data decisions "have consequences" says Herz. If you're embarking on a data strategy, Herz warns that companies need to understand that it might piss off a few people when the results come in, and you need to be OK with that. As Kaushik says, when humans are involved...

That doesn't mean that Herz is against companies embracing analytics, just that they need to be thoughtful when doing it.

When working with vendors about big data and analytics platforms, Herz says that companies should ask for three cost scenarios that factor in the "data iron triangle." The triangle is storage, cycles, and performance. Ask vendors to come up with three cost scenarios that minimize one corner of the triangle each. Most of the time you can make sacrifices in one area and get the results you want.

It's interesting to see just how fast big data is moving out of the hype cycle. If you're following along with Gartner's technology life cycle, we should be hitting the "trough of disillusionment" shortly. However, I think it's likely we're going to skip that or see a very abbreviated trough. It seems that a lot of companies are hitting "enlightenment" already and moving towards productivity very quickly.


Tags: Conferences

RSA 2012: Bruce Schneier on the Threat of "Big Data, Inc."

It's not the "Big Data" we usually talk about, which refers more to the size of the data than of the company behind the management tool. It's the term Bruce Schneier uses to refer to the industry that has evolved around data as a commodity, the way the energy industry was once considered "Big Oil." Schneier - the celebrated cryptographer-turned-technologist and easily the RSA Security Conference's biggest draw, and a CTO at BT - believes "Big Data, Inc." poses as great a threat to personal security and privacy as malicious actors.

"I mean Big Data as an industry force, like we might talk of Big Tobacco or Big Oil or Big Pharma," Schneier told an overflow crowd of attendees. "I think the rise of Big Data is as important a threat in the coming years, one we should really look at and start taking seriously."


Schneier defined this industry as "the companies that collect, aggregate, and use personal data," citing as one example data aggregation company ChoicePoint (now part of Reed Elsevier and integrated into LexisNexis). To this mix, he added Internet magnets like Google and Amazon, social networks including Facebook, a certain very large company named Apple, "and really the entire marketing ecosystem that surrounds the Internet. I think that is becoming a powerful industry force, and is a risk to our community."

But a risk in what regard? Can this risk be quantified, anticipated, managed? Amid a growing community of risk managers who are joining the RSA attendees, many for the first time, did Schneier use the right choice of terms?

Here's how he explains the situation: The onslaught of new consumer cloud services that provide free storage have rendered it as easy, or even easier, for individuals to hold onto data as it is to throw it away. "The marginal utility of saving some data is so low, because the cost of saving it is so cheap. You know this in your own lives: We all hit a point some years ago where we stopped throwing away e-mail that wasn't important, and started saving it all because it was just easier. And search became cheaper than sort. When that happened, we just saved everything, because why not?"

More devices now than ever before contain sensors, but Schneier describes that these devices are being coupled with more organic entities through the Internet, gathering aggregate data from user transactions. "The collection is becoming ubiquitous. More importantly, it's all being aggregated. And we kind of knew this in the background, but we're seeing new examples of it: Google's new privacy policy talks about the aggregation of data. They're no longer going to silo their search data from their Google+ data from their Flickr data. It'll all be collected because they want to make more money serving you ads.

"Our computers are becoming more like terminals again," he added, citing the degree to which they're serving as collection points for data and documents for cloud storage. Younger users are accustomed to engage with the closest available screen, he said, as the most convenient collection points. The companies that operate in this space are competing, he explained, to be the first to monetize your data.

"Monetizing data has a variety of different faces. There's showing you personalized ads. But there's [also] credit-worthiness, employment assessments. There are linkages with government databases," he added, citing recent controversy over the Transportation Security Authority's recent proposal to access a broader base of personal data in assessing whom it should ban from flying on airplanes.

The actual threat comes not from Big Data, Inc.'s size in and of itself, BT's Bruce Schneier explained, but from the way it leverages that size. "These companies are now very powerful, and they are using their muscle to resist changes that hurt their industry. And their industry does not equal our industry. Our industry is IT; their industry is basically advertising. And this affects security, because [with] a lot of these changes, the result is that control is taken away. We have no control over our Facebook data."

[Photo: Bruce Schneier]

Pulling out his own iPhone, he continued, "Even more importantly, I have much less control over this iPhone than I do over my computer. As a security guy, I cannot do things on this machine that I can do on my computer. I can't erase data to my satisfaction, I can't run an antivirus program to anybody's satisfaction. Because Apple isn't giving me the same level of control, of access, that I have to a PC or even to a Mac." He added that Amazon's Kindle renders pages prior to delivering them. "This might be good for performance, but for security, it depends.

"There's kind of a war against general purpose computing going on," the security expert pronounced. "I actually believe the companies realize they made a mistake when they created general purpose computers, because they gave users too much control, and they're trying to get that control back. Whether it's smartphones or tablets or game consoles or cameras, all of these special purpose Internet devices give much more control to the companies in the back that run them."

Bruce Schneier's latest book, Liars & Outliers: Enabling the Trust That Society Needs to Thrive, is - perhaps ironically - very highly rated on Amazon.


Tags: Conferences

February 28 2012

RSA 2012: Security Engineers Seek Prophecy in Mick Jagger, Aretha Franklin

[Photo: RSA 2012 keynotes]

"You can't always get what you want" is literally the theme of this year's RSA Security conference in San Francisco. "With increased speed and cunning, hackers are taking advantage of the openness of today's infrastructures," said EMC's executive vice president Art Coviello, Jr. And exacerbating the problem, he said, is the fact that despite openness and open architectures, people aren't banding together for solutions.

This at a conference that officially opened Tuesday morning to a gospel choir prophesying the coming of the age of Getting What You Need. Hopefully Aretha Franklin received a cut of the royalties when one soloist, breaking from script, sang her original lyrics instead of the ones inscribed on the big-screen closed caption: "I-N-F-O-S-E-C, find out what it means to me."


Though today's theme is a subtle, and maybe honest, admission of the current state of affairs in security technology, it would actually come as a shock if the vice chairman of RSA were to announce how much the world had stayed the same over the last year. "Quite frankly, we are at serious risk of failing... In my 17 years in the industry, I've never sold on the basis of fear, and I'm not about to do that now." This after a warning of the "harsh realities" that the world's security infrastructure has become "hell," citing RSA being a major target of attacks itself in March 2011. "We hope the attacks on us will strengthen the resolve of everyone. But the fact is, we are not alone. Never have we witnessed so many high-profile attacks in one year."

"We need to understand that an attack on one of us is an attack on all of us," said Coviello, echoing Pres. George W. Bush just after 9/11, in a tone that could have used the gospel / Rolling Stones treatment from 20 minutes earlier.

He started to integrate messages of resilience, of understanding that networks will be penetrated and resources will be exploited. "We shouldn't be surprised by this easier. However, accepting the inevitability of compromise does not mean we have to accept the inevitability of loss... We can reduce the window of vulnerability to all attacks, and return control firmly to the hands of security practitioners."

[Photo: RSA 2012 keynotes]

This requires a mindset shift, Coviello suggested, from investigating individual events to utilizing analytics tools that "spot faint signals." "Right now, more often than not, they [the attackers] are winning," he said, citing a Verizon report that 91% of data breaches led to compromise within a few days, if not hours. "We need to take the advantage of time away from our adversaries. But we cannot do this with the conventional, silo-oriented point products we have today. Some of these products, we just need to dis-invest in."

Coviello listed three properties of a new security infrastructure. One is that systems must be risk-based. "We must learn to evaluate risk at more substantive and granular levels... There's risk, and then there's risk." Second, systems must be agile. Today's systems, he said, are patchwork quilts of updates that are expected to provide a priori knowledge of threat signatures. "This static model breaks. It does not bend. It provides no resiliency."

The solution to that problem is something that detects patterns of regular user behavior better, in order to detect irregular behavior when it comes along. "Ultimately, we'll have to automate these capabilities and responses. But fortunately, products [along these lines] are already available. We must accelerate their adoption."

The third property he suggested was contextual. "The ability to succeed depends on having the best information available." Log data will not be enough. "Organizations need to adopt a big data model." He defines this as the gathering of security-relevant data sets at massive scale and in multiple formats. Data must then be correlated using high-speed analytics, to arrive at actionable information. Coviello believes that an intelligence-driven model will leverage big data to shrink the window of vulnerability.

"We need to tap more military experience and military intelligence," Coviello added, citing from a colleague's blog and utilizing a stock photo image of a security geek to illustrate the point that engineers need to be less civilian, less culturally siloed, and more like Gen. Patton.

"To date, information sharing has been almost a cliché for failure. Its success has been limited by distrust, technology gaps, and legal constraints." This has given rise to grass-roots networks of security information sharing, that are developing outside organizations and outside governments. Slowly they're being formalized, going more viral, collaborating with the Dept. of Homeland Security, and presumably looking less and less like a stock photo of a security geek.

Throughout his keynote speech, the EVP of EMC invoked G.W. Bush ("If you're not with us, you're against us"), Winston Churchill ("If you're going through hell, keep going") and Twisted Sister ("We're not going to take it anymore.")

More news from the RSA Conference in San Francisco throughout the day on ReadWriteWeb.


Tags: Conferences

Would an Internet of Things Threaten the Internet of People?

If 50 billion, or however many billion, devices share the same Internet as some 8 billion humans by the year 2020, will the weakest links in data security be on machines that have any degree of human control? Put another way, could a not-so-smart client on a machine-to-machine (M2M) network become a future target of malicious Internet activity? These are questions worth asking; and this morning at Mobile World Congress in Barcelona, security consultants at mobile security firm AdaptiveMobile asked them in a very bold way, starting a discussion that's resonating worldwide - including as far as the RSA Security conference in San Francisco.

On the other hand, are these questions being answered to any significant degree? Or just being "focused on?" In an interview with ReadWriteWeb this afternoon from Barcelona, AdaptiveMobile's Cathal McDaid spoke to some of the questions asked in a new report published for MWC. Entitled "Machine to Machine: The Future Threat?" the report asks whether a new universe of relatively simple and unsophisticated communications devices will lead to an Internet that is, by design, insecure.


"The security that we have for mobile networks has really been designed for humans," McDaid tells RWW. "For example, if I send you a spam message, you're going to report us to the operator or some concerned party. But if you're actually a mobile device and I send you a spam, you're not going to report it - you're not going to do anything about it. You're going to continue on. If I send you a thousand or tens of thousands of messages, you have a potential for denial of service... So what we're trying to push is, when it comes to security, we need to have security by design, and we need security by design that takes account that we have people and machines communicating with other machines."

The nature of malicious attacks will not be made harder or easier by the infusion of M2M, McDaid believes. They will be different. Because they're low-power devices, the automated clients on M2M networks will not be able to run security software, he says.

The Low End as the Vulnerable One

The AdaptiveMobile report goes into that point in greater depth: "The latest smartphones and tablets come with complex, high-end operating systems that can be protected and reinforced against even the most advanced mobile security threats," the report reads. "Unfortunately, the same cannot be said of all of the devices that will be connected to the M2M enabled 'Internet of Things.' Without hard drives and with any processing power often devoted solely to performing the operation it was designed for, the limited nature of many M2M devices means there is less ability to embed security software."

McDaid cites statistics showing that 1 Internet message in 20 is sent from machine to machine. The protocols involved, he says, are not sophisticated, streaming solutions but rather something as simple as SMS. While consumers may drive newer and more sophisticated communications protocols for their mobile devices, M2M communications may not require an upgrade of format for the foreseeable future - certainly not, by McDaid's estimate, within the next 20 years. So during that timeframe, the same protocol will need to be supported as the foundation for secure communications between machines.

"Those protocols were designed for people, essentially," he says. As his report puts it, "The upgrade mentality does not apply." But shouldn't the age of that technology, if it does carry on for a few decades as McDaid predicts, help ensure its viability and reliability? He answers, "Yes and no."

"Yes, we know all about new technologies, we know all about how the communications medium works. But on the other hand, our security model has included humans in the past... If somebody's [mobile] device gets compromised by a virus, one result could be high data usage [on the bill]. This isn't going to happen on M2M. It's going to simply keep processing and running. So you would hope in that situation that somebody notices, which is not guaranteed."

M2M Access May Not Be Open By Design

We ran McDaid's conclusions today by Alex Brisbourne, the president and COO of KORE Wireless Group, and a world-recognized expert in the construction and management of M2M networks. KORE has been delivering M2M connectivity systems since 2003. Reading through the AdaptiveMobile report today, Brisbourne called its interpretation of M2M networking as a security strain on existing human networking "an interesting observation but one not wholly legitimate.

"The fact is, as you make more 'doorways' into the internet, the challenges of controlling access will become ever more acute," Brisbourne tells RWW this evening. "Machine devices will add significantly to the 'access doorways' - just as increasing delivery of smartphones, etc., will do. But this is where there is a substantial difference: Smartphones typically create open access mechanisms to the Internet. Each has its addresses, just as any PC does. Most are using browser technologies that have not been tested in the white heart of hacking, but it's a fact that virus management, malware, and security attacks via smartphone browser are rising fast. Part of the reason is their very openness."

By contrast, Brisbourne goes on, a true M2M environment is already very closed. It is not, as some corporations' marketing has suggested, an extension of the Web into the everyday life of soulless devices.

"Edge devices typically use dedicated network access (custom APNs, etc.) that route data solely to/from specific network resources (servers, hosts) with quite complex (not impossible, however) challenges to getting outside of those domains," Brisbourne remarks (with plenty of parentheses). "In addition, the streams are often subject to security processes from encryption to SSL support, depending on the application. In sensitive markets such as energy utilities or payment processing, the industries are further beefing this up with industry specific security overlays that go far beyond simple 'end point ingress' - PCI in the payment area, and NIST driving security standards for utilities. These look at both end-to-end as well as indemnity of the points in between. This will certainly continue to grow."

Put another way, just because the endpoint of an M2M transaction doesn't contain Norton Antivirus doesn't mean it will be insecure. There are architectural differences in the M2M platform that transcend the level of how humans communicate over the Internet.

Cathal McDaid believes these differences are not widely known, which is why a new approach to securing both communications models is necessary. "You don't throw away what you have for human communications. You need to operate like P2P but smarter when it comes to M2M." That extra layer of smarts, he says, should come in the form of some kind of authoritative arbiter, to determine whether a party has the authority to communicate with a device. This is where McDaid and Brisbourne come to some modicum of agreement, especially with regard to the need to decide how much authoritative access a system should grant, and at what time.

"Do you want absolute denial of access (Fort Knox) or do you want simply to impede access until timeliness no longer makes any action relevant (border fences in a prison)?" asks Brisbourne. "Each situation is different, each market different, all have to be considered. M2M, as a part of a broader enterprise data management architecture, is not immune to needing this level of thought."
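The two positions above can be put into one small piece of defensive code. The following is an added example, not code from the article, from AdaptiveMobile or from KORE: a monitor that reads machine-to-machine message logs and applies Brisbourne's closed model (each edge device is provisioned to talk to one named head-end, so any other sender is a policy finding) together with McDaid's point that a flooded machine will never complain, so the network side has to notice an abnormal message volume on the device's behalf. The log line format, the device ids, the peer hostnames, the baselines and the sample log are all constructed for the example.

```python
"""Added example (not from the article or either firm quoted in it):
a small M2M message-log monitor combining a per-device peer allowlist
with a per-device volume baseline. All ids, hostnames, baselines and
log lines below are constructed for illustration."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Per-device peer allowlist (constructed): the "dedicated route" idea in code.
# An edge device should only ever hear from the head-end it was provisioned for.
PEER_ALLOWLIST = {
    "meter-0017": {"headend.utility.example"},
    "pump-0042": {"scada.plant.example"},
}

# Expected messages per device per 10-minute window (constructed baselines;
# in practice these are derived from observed history, not typed in).
BASELINE_PER_WINDOW = {"meter-0017": 2, "pump-0042": 6}
WINDOW = timedelta(minutes=10)
FLOOD_MULTIPLIER = 5          # flag a window that exceeds baseline by this factor
_EPOCH = datetime(2000, 1, 1)  # fixed origin so windows align to :00, :10, :20 ...

# Assumed log format for the example: "<iso-timestamp> <sender> -> <device> <bytes>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\d+)$")


def parse_line(line):
    """Parse one log line into (timestamp, sender, device, nbytes), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sender, device, nbytes = m.groups()
    return datetime.fromisoformat(ts), sender, device, int(nbytes)


def analyse(lines):
    """Return findings as (kind, device, detail) tuples.

    kind is one of: unknown-device, off-allowlist-sender, flood.
    """
    findings = []
    seen_pairs = set()                 # one finding per (device, stranger) pair
    windows = defaultdict(Counter)     # device -> window index -> message count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                   # unparseable lines are skipped, not guessed at
        ts, sender, device, _ = rec
        allowed = PEER_ALLOWLIST.get(device)
        if allowed is None:
            findings.append(("unknown-device", device, sender))
            continue
        if sender not in allowed and (device, sender) not in seen_pairs:
            seen_pairs.add((device, sender))
            findings.append(("off-allowlist-sender", device, sender))
        windows[device][(ts - _EPOCH) // WINDOW] += 1

    # Volume check: the device will never report a flood, so report it for it.
    for device, buckets in windows.items():
        base = BASELINE_PER_WINDOW.get(device, 1)
        for idx, count in sorted(buckets.items()):
            if count > base * FLOOD_MULTIPLIER:
                findings.append(("flood", device,
                                 f"{count} messages in window {idx} (baseline {base})"))
    return findings


def summarize(findings):
    """Count findings by kind."""
    return Counter(kind for kind, _, _ in findings)


# Constructed sample log: normal head-end polling, one junk line, then a
# flood of 15 messages to the meter from a sender it was never provisioned for.
SAMPLE_LOG = [
    "2012-02-28T09:00:01 headend.utility.example -> meter-0017 42",
    "2012-02-28T09:05:01 headend.utility.example -> meter-0017 42",
    "2012-02-28T09:01:00 scada.plant.example -> pump-0042 128",
    "2012-02-28T09:02:00 scada.plant.example -> pump-0042 128",
    "2012-02-28T09:03:00 scada.plant.example -> pump-0042 128",
    "this line is not a log record",
] + [
    f"2012-02-28T09:1{i % 10}:{i:02d} unknown-sender.example -> meter-0017 160"
    for i in range(15)
]

if __name__ == "__main__":
    for kind, device, detail in analyse(SAMPLE_LOG):
        print(f"{kind:22} {device:12} {detail}")
```

On the constructed log this yields one off-allowlist finding (the stranger talking to meter-0017) and one flood finding (15 messages in a window whose baseline is 2). The allowlist check is the cheap, structural control Brisbourne describes; the volume check is the compensating control for McDaid's silent-device failure mode, and it is the one that needs real historical baselines rather than a hand-typed table before it is useful in production.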


Tags: Conferences

February 25 2012

What Security, Where? Keys to the RSA Conference

The cloud is huge. Client access devices are small, and they're everywhere. Personal computers are virtual. Access to all of these resources is continual. Control over the world's single most precious information resource - identity - has become a jump ball.

Next week, ReadWriteWeb will be covering the annual RSA security conference in San Francisco. I never attend a conference without an agenda, and no, I'm not talking about the pamphlet and the floor plan. There's an agenda all my own, and it's based on the subject matter that I've discovered you want to know more about.


There are six flashpoint topics that are relevant to this year more than any other. We'll be touching on each of these flashpoints throughout the week on RWW, and at the end, we'll revisit each one and review what we've learned... or whether we ended up with more questions than we started out with.

1. Who or what defines identity for cloud access? With Windows 8 - which may come sooner than you might think - you'll be logging on using something called a Microsoft Account. Apple iPad and iPhone users are already becoming accustomed to the iCloud account, which we can expect will be integrated into the iTunes account scheme. Before long, for you to use any functionality from any device, you will need access, and the thing that you access must either have or discover some way of recognizing you.

Are you prepared for that something to discover you through Facebook? Is that level of trust something you can accept? This will likely be a huge topic of discussion during the colossal four-hour Cloud Security Alliance Summit session on Monday. Business users expect single sign-on. That means the credentials they use to log onto their computers or portable devices must be translatable into credentials recognized by the services they use once they're logged on. Imagine trusting the credential level you use today to log onto your Desktop, applied to your bank account or your company's private network. (And you thought Facebook was dangerous?)

2. The rise of risk management. Because both cloud service providers and their customers have more specific expectations for their service level requirements than ever before, they've been able to state those expectations in service contracts with greater ease. And because businesspeople protect their interests when they're specified in contracts, the insurance industry plays a greater role now.

It is insurance that is compelling enterprises everywhere (including insurance itself) to institute risk management procedures. Every year when you see the ads for a security conference, you expect to see blurbs about the latest vendors for remedial technologies like backup and recovery, disaster management, loss mitigation. Now you're seeing the antithesis: Risk management, when done right, minimizes the need for loss mitigation, and replaces disaster management with disaster avoidance.

3. The decline of endpoint security? "Hardening the endpoints" was a metaphor intended to convey a picture of an armored fortress, a "Helm's Deep," impenetrable from the outside. With transaction models now incorporating cloud services at a rapid rate, suddenly the imperfections in modern endpoint security become clearer. New and more clever security services are demonstrating that it's not only feasible, but preferable, to secure the fortress by stopping malicious activity from ever reaching the endpoint in the first place. And it may be more practical to achieve this through the cloud than anywhere else.

At RSA next week, we expect to see some live demonstrations of cloud-based security in action; though we'll also certainly hear from the endpoint security pioneers, with the latest antivirus, firewalls, and spam blockers, defending the fortress the only way they know how.


4. Can privacy be delivered by technology? It's a question our Joe Brockmeier explored on Thursday, casting a ray of hope for technological methods - especially when compared to the legislative alternative. On the other hand, my interview with the co-creator of P3P revealed that privacy could be more of a psychological concept that technology may only serve to exacerbate - the way the presence of armed guards at an airport makes people feel less secure.

Some still debate whether privacy actually belongs as a subtopic of security in the first place. From the end user's perspective, no one feels truly secure unless she's certain she's not being spied on. The sad fact is that, while technology may have a better chance at delivering privacy than any laws passed by Congress, it has not done so yet, and it's had plenty of chances.

5. Is infrastructure security a joke? With nearly all of computing moving to a service model, and with centralized and virtualized data center resources relying more upon the security of power centers and the integrity of energy infrastructure, is the notion of a "smart grid" really an illusion? As easy as it appeared for someone to don the name of "Anonymous" and shut down the Justice Dept. Web site, could it be just as easy to shut down electric power to the Great Plains?

We don't talk a lot about the macrocosmic elements of technology around here, usually because we're playing with our smartphones. It's the little things that hold our attention, like cute kittens. The nation's energy infrastructure, by comparison, is an unexplored wilderness. We hope to change that fact a bit next week.

6. Could government really lead the way in security architecture? No, seriously? Government?

I'm not talking about Congress, though. The Dept. of Homeland Security is implementing some very clever new policies for rethinking government resources' approach to managing security. Risk management plays a role here as well, but also resilience - employing NASA-like procedures to keep the mission running smoothly even when failures do happen. And the National Security Agency is also implementing some bold initiatives in the field of mobile device security, that pick up at the point Research In Motion stopped moving.

Stay tuned to ReadWriteWeb all next week as we put on our thinking caps, our tinfoil helmets, and our stovepipe hats (hopefully not all at once) and talk to all the world's leading security authorities in the public and private sectors, in the enterprise and in academia.

Stock photos by Shutterstock.com


Tags: Conferences

February 07 2012

PR for Developers 101: How to Bootstrap Project Coverage

One of the things that I'm often asked by developers at conferences is "how do I get coverage for my project?" I had that conversation with several people at Monktoberfest, and thought it might make for a good talk at Monki Gras.

Specifically, the talk was for individual developers, small groups working on open source projects or startups (to a point). It's not meant for people looking to grab press coverage for a business, but for developers largely interested in finding more users and developers for their project.



Why do I care specifically about developers? First, it's far more enjoyable. All other things being equal, if I have to choose between talking to a PR-trained executive or a developer, I'll choose a developer every time. There are few things less interesting than listening to someone reciting the talking points they've gone over with 10 other reporters while they tap-dance around anything that might be perceived as even slightly negative. Developers will usually be pretty blunt about the limitations of projects and the roadmaps for their projects, because they have little interest in being opaque.

Many developers are working on interesting projects that deserve attention, but don't have the resources to hire a PR person to get the word out. The truth is, they don't really need a PR person to get the word out – and the best PR person in the world won't do much good if the project isn't fantastic anyway.

The other reason to work directly with developers? Businesses already have a PR machine in place to see to their interests. I get plenty of pitches from companies, but not enough from developers. Some corporate pitches are interesting, and I jump on those. Most aren't even in my coverage area, but that doesn't stop folks from carpet-bombing me with emails.

Do Wonderful Things

The best way to get coverage? Do something really good. Yeah, easier said than done. But if you want to snag interest from the press (or anybody else), you have to be doing something that's really good.

Case in point, Jenkins. As I mentioned in the Monki Gras wrap-up, Kohsuke Kawaguchi started the project as a one-man show. It grew slowly but steadily. Why? Because developers seem to find Jenkins absolutely wonderful. I've been hearing about Jenkins for years from developers that were really excited about what they could do with it.

Let's Go

The first thing that developers need to do is decide who their audience is and then figure out the publications that are best suited for their project. This should be pretty obvious, but I've run into plenty of projects that are not entirely clear on their target audience. When I was working with Novell on openSUSE, for instance, they were not at all sure who the target audience was or should be for openSUSE.

Once you've figured out the target audience and publications, make a short list of the writers who are on your beat. This might just be the guys over at the High Scalability blog (one of my favorites), or it might be a list of 10 folks who cover Linux and FOSS regularly.

Take some time and email the folks who you'd like to work with. Just introduce yourself, and give a brief intro of what your project is/does and why it's a fit for their beat if it's not obvious. Brief is key because most anyone working in IT in any capacity is going to be buried in email. This is especially true for press, because we get a ridiculous number of pitches every day. Note, if you don't hear back right away, don't be discouraged or offended. See above about a ridiculous amount of email.

But, if possible, establish a relationship with the press that addresses your audience before you have an announcement. This makes it much more likely that when you do have an announcement you'll be able to get attention. It's also more likely that your project will be mentioned in other stories where it might be relevant.

Web Site

Even if you reach out to some of the press, other folks might pick up on your project as well. Many project sites have little or no information. Make life a bit easier for press, and help ensure that stories about your project will be as accurate as possible. Keep the site up to date with releases, screenshots, prominent developers, licensing, and so on.

This is good for more than press, of course. It's good for users and prospective developers to learn about a project and decide if they want to get involved.


When you have something that you think is newsworthy, send an email a few days (I'd recommend at least three) before your announcement. You do not need a formal press release. A simple email that states what's happening, why you think it's important, and includes relevant details is plenty.

[Photo: The audience at Monki Gras day two]

Provide a contact who's ready to hop on the phone or at least answer questions via email.

If you don't want coverage until a certain date, you can ask reporters to honor an embargo. Some publications and reporters are better than others at this, so if you really don't want something published before a specific time, be very specific about embargoes and which reporters you work with. Also? Be sure to specify time zones if you do set embargo dates.

Once you do get coverage, it's a good idea to follow up with the folks that write about your project. It helps to know that the people you're writing about actually read the coverage. I also recommend spreading the word by sharing the coverage on social media, your project's site, etc.

If you notice some bugs in the story, do feel free to point them out politely. Everybody makes mistakes (do you write bug-free code?), and the press are no exception.

Everything is PR

If you're working on an open source project, blogging about your project, chatting on social media or talking at a conference, you're doing PR. Whether you like it or not, everything you do in public might wind up in a story.

And when I say everything, I do mean everything. It could be something as obvious as a post to the project, or a comment in a bug tracker or a commit message. Never say anything you wouldn't want to see quoted in the New York Times or on the front page of Hacker News.

Become the Media

Speaking of Hacker News, it's not necessary to wait for someone else to write about your project. A link on the front page of Hacker News can net you quite a lot of attention without ever being featured in the press.

As I mentioned at Monki Gras, though, a single burst of attention isn't sufficient. For best results, you want sustained coverage. That means links off of Hacker News, being mentioned regularly in "official" tech press, and keeping contact with your audience directly.

It takes very little effort to set up a blog and post updates about your project. This is particularly useful for project updates that might not be worth a full story here on ReadWriteWeb, but will still be interesting to users and developers involved with your project. Speaking at FOSDEM, for example? That's nice, but so are hundreds of others. It's not usually newsworthy unless Steve Ballmer does a keynote at FOSDEM. (He might find a less than receptive audience, though...) But your users and potential developers that live near Belgium or plan on attending the show would care.

Have questions? Drop a note in the comments, shoot me an email or give me a shout on Twitter. I'm always thrilled to hear from developers doing interesting things.


Tags: Conferences

January 20 2012

It's Embedded vs. Mobile Devices for the Hearts and Minds of Retailers

"The Store of the Future," as retail electronics vendors have depicted it over the past few years, features eight-foot touchscreen walls that double as mirrors, interacting with the customer as she tries on virtual clothes without sacrificing her own modesty, scanning the ID tags and profiles of items she's already selected, and giving store clerks tools to dazzle the customer with demos and make on-the-spot deals without having to rush to the back office. These are the wonders made possible by embedded technology... ah, can't you hear the voice-over announcer now!

The thing is, customers are already entering the stores right now with touchscreens, scanners, IM clients, Twitter clients, and live video displays - they're just in the customer's pocket or purse. So at the National Retail Federation's big show earlier this week in New York City, there were dueling visions of "The Store of the Future." The challenger looks more like a kind of smart Wi-Fi that communicates directly with the devices the customer already has, using hardware that could cost retailers a lot less.


Embedded: Big, bright, and in your face

[Photo: Intel partner kiosk demonstration at the NRF show]

Representing the "champion's" corner for embedded technology is Intel, whose message is that screens should be big. To illustrate its point, it gathered together an impressive list of consumer goods partners, including Kraft Foods, HSN (above), and Adidas (below), in live demonstrations of interactive kiosk technology featuring feedback cameras and live analytics. Imagine super-chef Wolfgang Puck welcoming incoming shoppers everywhere (literally) with, "How do you do, ma'am?" If you're a man, you wouldn't appreciate it much. That's what the cameras and analytics are for; to determine what gender and approximate age you must be.

It is Intel's software division that provides the masterstroke here, with what it unveiled this week as its Audience Impression Metric (AIM) suite. As with a Microsoft demo of the same technology RWW featured last Monday, Intel is literally aiming to reinvent the billboard, replacing ordinary signage with huge devices that may be able to ascertain your identity, guess your interests, and maybe say hi to you by name.

"Deployers don't want an ad or message merely to be seen. They want it to be relevant," reads a new Intel white paper on AIM (PDF available here). "Otherwise, if consumers pass by unfazed by what shows on a screen, they're wasting time and money. Video analytics distinguishes how much attention people put toward digital signage. As someone approaches a monitor, cameras focus in, capturing a digitized impression of the signage viewer. Actual images are not used, thus keeping data anonymous. Through those impressions, the technology is able to discern a person's gender, race, approximate age and, based on the contours of the person's face and positioning, just how long he actually looks at the screen."

Now, although the "H" in "HSN" originally stood for "home" - as in "home shopping" - it's actually been extending its brand beyond the scope of just television. The publicity firm that helped HSN connect with Intel made it clear it also handles marketing for Starwood, the parent company of Sheraton and Westin hotels. Conceivably, digital signage such as this could transform an arm's-length span of unused wall space into valuable real estate.

120120 NRF show 02.jpg

Something else you might possibly find in a hotel lobby might look like a rejected design for a refit TARDIS. It's called the Diji-Touch (above), and it's actually an Intel prototype concept for a kind of interactive vending machine that incorporates the same technology as the video wall. With two big screens at right angles to one another, it has better opportunity to capture customers' attention walking down a hallway.

If you can believe this, Diji-Touch devices could be managed through a cloud-based content management system. While the cloud can't exactly deliver Cadbury eggs or Jell-O, it could serve as a deployment point for customized advertising campaigns, and also (you knew this was coming) display ads from outside sources. So just the same way a company may buy display ads on a Web site today, it may buy ads on a vending machine tomorrow.

Mobile: Small, portable, and in your pockets

120120 NRF show 03.jpg

One company already very familiar to retailers is VeriFone, which makes point-of-sale (POS) systems and credit card readers. Normally, VeriFone fights in the embedded systems camp, but at the NRF show earlier this week, it came forth with a surprise: a portable catalog and payment system that could also be beamed via Wi-Fi to an iPad (shown above).

The idea is to extend VeriFone technology to smaller retailers whose proprietors may already have iPads. Imagine one of those middle-of-the-mall kiosks that may only have a temporary contract. With VeriFone's software and an iPad stationed near the register, the clerk could show customers a wide variety of sale items without having to keep them in inventory first.

120120 NRF show 04.jpg

One of the more intriguing concepts for leveraging existing mobile devices came from Aruba Networks. It produces in-store Wi-Fi systems that let clerks and sales associates roam the entire showroom floor, handling demonstrations, inventory checks, and final POS directly from their iPod Touch or iPad. On the right, you see one of the attachments Aruba was demonstrating, called a Linea-Pro 4. It's a snap-on attachment to an iPhone or iPod Touch that includes a barcode reader and a magnetic stripe reader.

It's cool device attachments like this one that should get Aruba's in-store Wi-Fi installed on major retailers' networks. But once it's there, the opportunity arises for another kind of customer contact. Imagine apps, if you will, that sense when a customer's own smartphone has entered the in-store Wi-Fi's range. Conceivably, those apps could produce lists of store specials, check prices on non-priced goods, generate instant discounts or coupons, or even map the locations of store clerks wearing the Linea-Pro devices.

Aruba is calling the back-end architecture for bringing shoppers online MOVE. During the show, Aruba made it clear that MOVE is definitely being crafted to extend the digital retailing experience to the customers themselves.

So over the next three years, more retailers will definitely be reaching out to you with digital, interactive, multitouch devices, and capturing information about you as they do. The only question now is, will they be using their own devices or yours?


Tags: Conferences

November 14 2011

MLB.com Challenge 5th Inning: Break of Dawn

111111 6 am 05.jpg

Hinds Hall, Syracuse University campus, 5:31 am ET November 11 - There comes a time with every long, drawn-out project where you begin bargaining with yourself. The best way for me to think about how to finish this next stage, you find yourself saying, is if I were something closer to horizontal than vertical. Something tells you your brain will work better if it were tipped 90 degrees for 30 minutes, in exchange for hard work for 60 minutes. It might be a false bargain, but there's only one way to find out. And you might not remember what happens after that.


There's sunlight beginning to peek through the damp, overcast skies on the Syracuse University campus. There are no showers in Hinds Hall, and one's nose comes to this realization. After 12 hours of hard work and about that much more still to go, about a dozen of the students in the MLB.com University Challenge have taken to the hallways, jogging up and down the staircases and through the halls to get blood and other fluids of necessity circulating again. Some venture outside, until the stormy, cold air descending on them from Lake Ontario meets the film of sweat beneath their layers of sweatshirts, and like the victims of practical jokes, they immediately head back inside.

111111 6 am 02.jpg

The "Fab 5," at least for the moment, is the "Fab 2." Rachel has been perfecting the layout of her reimagined, single-screen MLB.TV masterwork, and Jordan has been creating a giant mockup in Photoshop, complete with original buttons, realistic scores, and a believable rendition of a video player.

I asked the remaining full-time team members what this process taught them about themselves that they didn't know 12 hours ago. "I really didn't know that I could see the picture as a whole, and then break the picture down into step-by-step processes," Rachel told me. "I didn't know systems like this were so intricate until we delved into it (yea, 'delved' is a word, isn't it?). You can really get an appreciation for the things that we're about to learn, being freshmen."

111111 6 am 01.jpg

111111 6 am 04.jpg

Jordan, a veteran of two years of courses in Photoshop, admitted he thought he'd never actually put those skills to use, but today changed his mind. "I think after twelve hours, I've established a pretty good base, maybe with a little more editing to go by 8 o'clock. And then I have class at 9:30, and I'll be back here, get into a suit, and present."

111111 6 am 06.jpg

The boys of "Hashtag Swag" are working on a kind of loyalty points tracking system for regular viewers and ticket-holders of Major League Baseball games. In the social network they envision exclusively for baseball fanatics, the ones with the greatest level of influence, who drive the most discussions, and who provide the most insight during the games themselves, would be rewarded with higher rankings on a 100-point scale.

111111 6 am 07.jpg

"I feel like how I imagine radioactivity feels," says Mike (left), a business information systems major. The others have started a kind of mock argument over the relative quality of Dunkin versus Starbucks coffees, which over a minute's time degenerates into a kind of existentialist exchange over whether "no" is truly a binary state, or whether by virtue of the existence of politics and relative degrees of donut frosting, "no" actually has several underappreciated layers.

111111 6 am 08.jpg

The trio of ladies calling themselves the "Rockford Peaches" staked out prime territory at one of the school's "iLabs" from the very beginning, and their strategy is literally not to move from their chairs until they've reached a major milestone. Even as News Channel 9 interviewed them live on morning TV (admittedly, they're more photogenic than most of the guys at this point), they didn't rise from their chairs.

111111 6 am 09.jpg

Courtney's vision is coming together, and starting to look like a professional layout. Rather than a social network of individuals, the Peaches have centered on a network of fan clubs. These clubs would perform tasks in the name of their favorite ball clubs - some of it publicity, other parts community service - with loyalty points to be dispensed by other fans to the extent that they're impressed by what they see.

111111 6 am 11.jpg

When I asked "The Walkoffs" what was giving them the most trouble this early in the morning, Deven (in the middle, above) responded like a hungry crow in the desert, "Things with words!" He's keeping himself awake by saying aloud everything that he's doing. "Put the method on the end here, move the breakpoint to there, get rid of that old breakpoint, F5, the event didn't fire, I'm pulling my hair out..."

Chris, the veteran jQuery expert of the crowd, thinks he has an epiphany. "If debugging is the act of removing bugs," he says, "then programming must be the act of... creating them!" He takes a short bow, then realizes that was a mistake as his body would like to have gone the rest of the way.

111111 6 am 14.jpg

Neil may have had the right idea from the beginning. His team runs the gamut of human physical activity, with Ross still bouncing from terminal to terminal like an ad for Rockstar Energy Drink (gallons of which were consumed tonight), and Neil... well, being here.

111111 6 am 15.jpg

"The first thing that's really interesting was that there was a lot of turmoil within the group," Ross admits when I ask him what he's learned about himself that he didn't know 12 hours ago. "And it wasn't until we figured out how to effectively work together and communicate properly that our development picked up, because we were stagnant for a while until we figured out how to stop our infighting and just communicate. I learned how to communicate better with different team members and different personality types." Certainly Neil's easier to get along with now than he was a few hours ago.

111111 6 am 16.jpg

The "Saltine Warriors" are showing the least signs of fatigue. They haven't seen much of the carnage outside their conference room, and ask me whether folks out there have started to nod off. "Started?" I respond.

111111 6 am 17.jpg

It's still an upbeat mood, although one notices an empty crate where 24 Rockstar cans once stood. Terence, who's familiar with the Meetup API, makes the startling admission that for a moment, he calculated 4 plus 5 to be 11 and would have sworn he was accurate. Compared to his competitors, Terence is still adding. Meanwhile, Ariel remains cool and collected, having completed a full mockup of her Facebook-like mobile app well ahead of her own personal deadline. "It's nice to know you guys appreciate my skills in PowerPoint," she tells the group. "It's amazing what I've managed to accomplish in just a few short hours with a million, like, donuts and rectangles."

Ah, donuts, some of the other guys were obviously thinking. I know they're delicious... I think they're round... What was I thinking again?


Tags: Conferences

November 12 2011

MLB.com Challenge 4th Inning: The Point of No Return

MLB.com (150 sq).jpg

Hinds Hall, Syracuse University campus, 2:48 am ET November 11 - Three in the morning is a magical time. There's a certain weightlessness about 3 am, when you're up all night working on a huge project, after midnight has hurdled you into the great unknown, when you realize you're reaching maximum altitude and every action seems effortless. Inertia seems to carry you forward, and for a few moments, it's as though your body were floating in front of you.

From the point of view of 3 am, everything seems equalized. The pressure subsides, a new rhythm enters your head, and only tomorrow exists. For the students cranking away at the MLB.com University Challenge, there's no question any more about which way to go. That decision was already made, the booster stage has already blasted off, and from here until the rest of the project, they'll be feeling more and more like passengers.


111111 3 am 01.jpg

Team "Winston" is now committed to a Flash-based interactive mockup of its "game within a game." They've moved from one of the conference rooms to one of the open iLabs, where each terminal has dual monitors, the air circulates a little more, and there's the sound of other students in the hallways to keep you from feeling you're in a cavern.

111111 3 am 06.jpg

Ross is driving "Winston's" vision with his trademark laser-like precision and intensity. You get the feeling that, if he were your younger brother, he'd still be badgering you like your older one.

111111 3 am 02.jpg

Elsewhere in the iLabs, the "Web Gems" have hit upon an HTML5 motif. They've seen some impressive demos of layering, where separate elements can scroll at different speeds, creating a Disney-like rotoscoping effect.

111111 3 am 05.jpg

Right now, they're scrolling everything they can find, and they're raiding the Web for photos. What they don't have in mind quite yet is an application for their vision, but they know they have a technology and they're storing up the energy to drive it. Which makes "Web Gems" like a great many Silicon Valley startups.

111111 3 am 07.jpg

"The Walkoffs" have the most experienced talent in the game: two of them graduate students, one of them a senior majoring in aerospace engineering, one a senior majoring in architecture. And Reynaldo, the only sophomore, is the expert on the Android SDK. Chris, a library science major, is a JavaScript expert. His vision is to create a fully working mockup, not using Flash, but real events captured by the browser, processed, then rendered using jQuery.

Like a battle cry for the ages, Chris has emblazoned along the top of the whiteboard in his cramped lab room, "Flash is dead!" You can see the remnants of impromptu lectures he's been giving on JavaScript events architecture. He's teaching Deven, a computer science major but not yet the jQuery expert, how the jQuery syntax simplifies itself by chaining new methods onto the end of the results of earlier ones. The trick they're working on at the moment, apparently, is knowing the variable type of the returned value before passing it to the next method.

111111 3 am 08.jpg

It's not the type of subject matter that keeps Deven's eyes from glazing over at 3:30. He's starting to switch to autopilot mode, as they engage the help of Reynaldo's Droid phone, which is hooked up via USB cable. They're trying to find which events fire at what times, so they can chain the events to one another in jQuery in the right order. This way, if they're successful, they might be the only team to show their real-world mockup not on an SDK, but with an actual, live smartphone demo.

111111 3 am 09.jpg

They're not seeing the results they're looking for, and they're starting to blame the Android operating system. There are too many simultaneous versions, Chris notes, so some phones may fire events that are recognized by jQuery 1.7, and some won't. That's a problem in the end, because Chris wants believability. He doesn't want to say his team's demo can do something if it can't work on a Droid.
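The two things Chris is teaching above, chaining methods onto the result of earlier ones while keeping track of what type each one returns, and recording which events a phone actually fires and in what order, can be shown without a browser or jQuery at all. The following is an added example, not code from the article or from the Walkoffs' project: a minimal jQuery-style wrapper (the `Elem` class and `$` function are assumptions for the demo) whose chainable methods return the wrapper itself and whose one non-chainable method returns a number. The tap sequence `touchstart`, `touchend`, `click` is constructed for the demo; as the text says, which of these a given phone dispatches is exactly what the team was measuring.

```javascript
// Added example (not from the article or the team's code): a minimal
// jQuery-style chainable wrapper used to show two things the text mentions:
//  1. chaining works because each method returns the wrapper itself ("this"),
//     and breaks as soon as a method returns some other type;
//  2. recording the order in which events fire on a simulated element.
// Assumed/constructed: the Elem class, the $ function, and the event order.

class Elem {
  constructor(name) {
    this.name = name;
    this.handlers = {};   // event type -> array of handler functions
    this.fired = [];      // order in which events were dispatched
  }
  // Register a handler; returns this so further calls can be chained.
  on(type, handler) {
    (this.handlers[type] = this.handlers[type] || []).push(handler);
    return this;
  }
  // Dispatch an event; records it and calls handlers in registration order.
  trigger(type) {
    this.fired.push(type);
    for (const h of this.handlers[type] || []) h.call(this, { type });
    return this;
  }
  // A non-chainable method: returns a number, not the wrapper.
  count(type) {
    return this.fired.filter(t => t === type).length;
  }
}

function $(name) { return new Elem(name); }

// Constructed tap sequence for the demo; a real browser decides which of
// these it dispatches and in what order.
const TAP_SEQUENCE = ['touchstart', 'touchend', 'click'];

// Returns the order in which the events were seen by the handlers.
function recordTapOrder() {
  const seen = [];
  const el = $('#button')
    .on('touchstart', e => seen.push(e.type))
    .on('touchend',   e => seen.push(e.type))
    .on('click',      e => seen.push(e.type));
  TAP_SEQUENCE.forEach(t => el.trigger(t));
  return seen;
}

// Shows why the return type matters: count() returns a number, so
// appending another wrapper method after it throws a TypeError.
function chainAfterCount() {
  const el = $('#button').trigger('click').trigger('click');
  const n = el.count('click');           // number: the chain ends here
  try {
    n.trigger('click');                  // deliberately wrong
    return 'unexpectedly succeeded';
  } catch (err) {
    return err instanceof TypeError ? 'TypeError' : err.name;
  }
}

// Type guard to check before continuing a chain.
function chainable(value) {
  return value instanceof Elem;
}
```

The `chainable` guard is the check the text alludes to: before passing a result to the next method, confirm it is still the wrapper and not a plain value such as a count.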

111111 3 am 10.jpg

"Rubin's Army" is spinning out. They've abandoned their previous ideas, and now they're scanning through the history page of the existing MLB.com in search of clues for where to go now. Their palms are telling them the only place they'd really like to go contains pillows.

111111 3 am 11.jpg

"SRFA" is made up of management and entrepreneurship majors, who also happen to be dedicated console gamers. They know the Asian games market as well as, if not better than, the U.S. market. And German (pronounced "H-herr-mann," he tells me, with Ricardo Montalban's accent) has hit upon a market need he'd like to fill: There's no franchise game for smartphones in the U.S. based on Major League Baseball. Ironically, there is one in South Korea, and it's a huge hit.

From German's perspective, it's a no-brainer: Obviously the MLB franchise needs a smartphone game. So instead of writing one, think like a businessman, he proposes. Buy the two existing games that are already written and already supported. Merge the best parts of both into a single unit, and market it as "MLB: Challenge." Launch it online with a downloadable component at a low $5 price point.

It would solve the problem of having to create a mockup, German reasons, as he begins listing the reasons for doing it on the whiteboard he is now the unchallenged master of. Why mock up something that's already a huge hit? There is the problem of tying it in with the MLB.com Web site, the others point out. Don't focus on it as a problem, German posits like a marketing specialist, but recast it as a solution. MLB.com doesn't have a smartphone game. That's a market void. Here's something to fill it. Bam.

For some reason, it's hard to sit through marketing jargon when the clock on the wall says 4 am. Funny, but at 3 am, the world seemed so effortless. Now all of a sudden, "vertical" is a direction that takes many opposing angles at once. And horizontal is starting to look like the best one of all.


Tags: Conferences