<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-4890749117197852182</id><updated>2011-08-18T23:02:47.363+10:00</updated><category term='Enteprise Architecture'/><category term='iphone'/><category term='ePayments'/><category term='security'/><title type='text'>Duncan Unwin</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://duncanunwin.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://duncanunwin.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Duncan Unwin</name><uri>http://www.blogger.com/profile/06013135071525050475</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://bp1.blogger.com/_VLreULO28eE/SDzp08Ow_mI/AAAAAAAAAAM/vNUwhQoAXl4/S220/DU+Thumb.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>14</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-4890749117197852182.post-5925006302257914932</id><published>2010-11-20T07:16:00.002+10:00</published><updated>2010-11-20T07:50:28.072+10:00</updated><title type='text'>The vision of the Internet by Big Media is TV</title><content type='html'>The recent trend to apps - away from open web standards and browsers - as the standard for information sharing on 
the Internet, has far-reaching implications, beyond the normal consideration of the users downloading and using these apps.  &lt;br /&gt;&lt;br /&gt;I smell a conspiracy (although to be fair it's not really that secret - Newscorp is openly pushing it in their App paywall).  I think Steve Jobs's Apple is part of this conspiracy - he is the guy pushing slick design that limits freedom; in the way that the drug dealer pushes opium as a health tonic.  And let's face it, Steve has no instinct for openness and freedom - never has and never will.&lt;br /&gt;&lt;br /&gt;The problem (for them) is that open access to information allows you to truly select what to read/see/view and ultimately THINK.  This can mean excluding Advertising and bypassing pre-packaged propaganda streams.  They know that as long as we have open standards people will be able to repurpose content (or in their mind steal their audience and hurt their advertising dollar).  &lt;br /&gt;&lt;br /&gt;What do they want to see - in a word lock-in to an environment that encourages lazy reading.  In short TV.  They want a one-time purchase decision to lead to single-source provision of information from that point onwards.  An App is much better than a web site. With an app we can push demographically, geographically and psychographically targeted material to consumers as a Channel.  &lt;br /&gt;&lt;br /&gt;Surely you can download any app?  Well no - you as an App creator have to pass the Steve Jobs censors.  Just read the terms and conditions for having an App on the Apple App Store.  For example you can't say anything wrong about Apple.  In fact to test this I plan to develop an App for iPhone called "Bad Apple" that streams all negative news about Apple and then submit it to the iTunes Store.  I am sure it will be rejected.  
Oh hang on, I have to pay money to be a developer first and then more money to submit an App - I'll start some fundraising to see if we can raise the money for this first.&lt;br /&gt;&lt;br /&gt;They want the Web to go dark with less information and to only have that information shared in very controlled ways off the WWW.  Remember the WWW was created AFTER the Internet network as an information sharing system.  You can subvert the net as a private network and make it a mere technical networking mechanism.&lt;br /&gt;&lt;br /&gt;News always goes on about copyright infringement and information stealing BUT it really is about audience stealing and the loss of political and economic power that audience control brings.  If it was about licensing they would have been working on protocols to transactionalise licensing of copyright content but they don't want that - they would lose control of the consumer eyeballs.  They want to get rid of this business risk that some upstart in a bedroom or garage will create a new trusted intermediary of information to a new niche Audience.  
In the world run by Rupert and Steve there will be no more Googles or Techcrunches.&lt;br /&gt;&lt;br /&gt;So next time you download the Australian App or similar to your iPad, remember you are making a decision to only consume information from a single source and to support a model that erodes information freedom.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4890749117197852182-5925006302257914932?l=duncanunwin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://duncanunwin.blogspot.com/feeds/5925006302257914932/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4890749117197852182&amp;postID=5925006302257914932' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/5925006302257914932'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/5925006302257914932'/><link rel='alternate' type='text/html' href='http://duncanunwin.blogspot.com/2010/11/vision-of-internet-by-big-media-is-tv.html' title='The vision of the Internet by Big Media is TV'/><author><name>Duncan Unwin</name><uri>http://www.blogger.com/profile/06013135071525050475</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://bp1.blogger.com/_VLreULO28eE/SDzp08Ow_mI/AAAAAAAAAAM/vNUwhQoAXl4/S220/DU+Thumb.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4890749117197852182.post-6782055382098347009</id><published>2010-11-20T07:04:00.002+10:00</published><updated>2010-11-20T07:16:32.250+10:00</updated><title type='text'>Getting involved with the local AISA branch</title><content type='html'>This next year I'm going to be coordinating the Queensland branch of the 
Australian Information Security Association.  After the formal discussion we talked about what topics people were interested in and meeting format.  &lt;br /&gt;&lt;br /&gt;Topics included: cloud security, virtualisation and security, business's approach to risk appreciation - we would like to get a) board members and/or b) an actuary that insures online systems to talk about how they assess the risk level of web exposed systems.  There should be a mix of deep technical and high-level business topics.&lt;br /&gt;&lt;br /&gt;There was interest in trying at least one lunchtime meeting.&lt;br /&gt;&lt;br /&gt;Finally a few AISA members are going to Sydney for the Conference.&lt;br /&gt; &lt;br /&gt;Sydney – Tuesday November 30, 2010&lt;br /&gt;Annual Conference - Full Day Event @ Westpac  &lt;br /&gt;Details and Agenda -  http://www.aisa.org.au/index.php?page=310&lt;br /&gt;Registration Link - https://s.eventarc.com/event/view/1505/entry/aisa-national-annual-seminar-day-nasd-sydney-2010&lt;br /&gt;&lt;br /&gt;This is an event exclusive to AISA members.  
Next year we plan to have something in Brisbane about this time.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4890749117197852182-6782055382098347009?l=duncanunwin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://duncanunwin.blogspot.com/feeds/6782055382098347009/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4890749117197852182&amp;postID=6782055382098347009' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/6782055382098347009'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/6782055382098347009'/><link rel='alternate' type='text/html' href='http://duncanunwin.blogspot.com/2010/11/getting-involved-with-local-aisa-branch.html' title='Getting involved with the local AISA branch'/><author><name>Duncan Unwin</name><uri>http://www.blogger.com/profile/06013135071525050475</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://bp1.blogger.com/_VLreULO28eE/SDzp08Ow_mI/AAAAAAAAAAM/vNUwhQoAXl4/S220/DU+Thumb.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4890749117197852182.post-6044885394057421346</id><published>2010-04-09T08:44:00.004+10:00</published><updated>2010-04-09T09:02:26.380+10:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='iphone'/><title type='text'>Next gen of iPhone to support multi-tasking and Ads</title><content type='html'>As quoted today on Slashdot:&lt;br /&gt;&lt;br /&gt;"Apple had an event today to show off the next major update to the iPhone OS. 
iPhone OS 4.0 should arrive this summer (presumably with a new iPhone) for iPhone and iPod Touch, and in the fall for the iPad. According to Apple the update has more than 1,500 new APIs and 100 new features including the sorely missed multitasking. Other highlights include unified inbox, improved security, support for multiple Exchange accounts, application folders, iBooks, and iAd, an advertising framework for developers to put ads in their applications. The official word from Steve on Flash and Java remains a simple 'No.'"&lt;br /&gt;&lt;br /&gt;Multi-tasking, now there's an idea! &lt;br /&gt;&lt;br /&gt;And how have we been able to live without Ads! Now we can be annoyed by multiple ads at the same time.&lt;br /&gt;&lt;br /&gt;One more reason &lt;strong&gt;not &lt;/strong&gt;to use an iPhone. I think Android is looking better and better as the marketing department at Apple takes over from the R&amp;D team. &lt;br /&gt;&lt;br /&gt;In 1965 &lt;a href="http://en.wikipedia.org/wiki/Multics"&gt;Multics&lt;/a&gt; had most of this on a smaller kernel for a slower processor.  
It is amazing how little we have advanced in the past 45 years on some fronts.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4890749117197852182-6044885394057421346?l=duncanunwin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://duncanunwin.blogspot.com/feeds/6044885394057421346/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4890749117197852182&amp;postID=6044885394057421346' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/6044885394057421346'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/6044885394057421346'/><link rel='alternate' type='text/html' href='http://duncanunwin.blogspot.com/2010/04/next-gen-of-iphone-to-support-multi.html' title='Next gen of iPhone to support multi-tasking and Ads'/><author><name>Duncan Unwin</name><uri>http://www.blogger.com/profile/06013135071525050475</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://bp1.blogger.com/_VLreULO28eE/SDzp08Ow_mI/AAAAAAAAAAM/vNUwhQoAXl4/S220/DU+Thumb.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4890749117197852182.post-5240785366143550535</id><published>2010-04-07T16:34:00.005+10:00</published><updated>2010-04-07T16:45:26.536+10:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>The value of corporate secrets</title><content type='html'>As reported on &lt;a href="http://news.slashdot.org/story/10/04/05/1955225/Compliance-Is-Wasted-Money-Study-Finds?art_pos=7"&gt;Slashdot&lt;/a&gt;, Forrester has a new report on the value of corporate secrets. 
While I usually get irritated by the lack of academic rigour from analysts, the findings are interesting and include:&lt;br /&gt;&lt;br /&gt;* There is an overwhelming focus on compliance rather than security&lt;br /&gt;* The worst source of incidents comes from employees losing laptops and PEDs&lt;br /&gt;* The real risks are from theft rather than accidents, but firms focus on the latter&lt;br /&gt;* CISOs can't measure the effectiveness of their security programmes&lt;br /&gt;&lt;br /&gt;Click &lt;a href="http://www.rsa.com/products/DLP/ar/10844_5415_The_Value_of_Corporate_Secrets.pdf"&gt;here&lt;/a&gt; for the full paper.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4890749117197852182-5240785366143550535?l=duncanunwin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://duncanunwin.blogspot.com/feeds/5240785366143550535/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4890749117197852182&amp;postID=5240785366143550535' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/5240785366143550535'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/5240785366143550535'/><link rel='alternate' type='text/html' href='http://duncanunwin.blogspot.com/2010/04/value-of-corporate-secrets.html' title='The value of corporate secrets'/><author><name>Duncan Unwin</name><uri>http://www.blogger.com/profile/06013135071525050475</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://bp1.blogger.com/_VLreULO28eE/SDzp08Ow_mI/AAAAAAAAAAM/vNUwhQoAXl4/S220/DU+Thumb.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4890749117197852182.post-6505716954101663205</id><published>2010-02-22T06:37:00.002+10:00</published><updated>2010-02-22T06:43:17.652+10:00</updated><title type='text'>EMV Chip Cards Hacked</title><content type='html'>http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/&lt;br /&gt;&lt;br /&gt;I have had concerns since 2000 about EMV's implementation in practice.  The root cause is economics: Most of the banks I worked with were trying to spend the least they could to get a tick in a box for EMV and none were really trying to look at the end-to-end security system needed around EMV (or any authentication and authorization system).  If one was cynical the motivations are more about being able to look customers in the face and say "it's not our fault, you must have done something stupid" and believe it themselves.  
The security folk in large FIs have known about these weaknesses since the get-go but were generally ignored and sidelined by the cards business unit.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4890749117197852182-6505716954101663205?l=duncanunwin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://duncanunwin.blogspot.com/feeds/6505716954101663205/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4890749117197852182&amp;postID=6505716954101663205' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/6505716954101663205'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/6505716954101663205'/><link rel='alternate' type='text/html' href='http://duncanunwin.blogspot.com/2010/02/emv-chip-cards-hacked.html' title='EMV Chip Cards Hacked'/><author><name>Duncan Unwin</name><uri>http://www.blogger.com/profile/06013135071525050475</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://bp1.blogger.com/_VLreULO28eE/SDzp08Ow_mI/AAAAAAAAAAM/vNUwhQoAXl4/S220/DU+Thumb.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4890749117197852182.post-7419222950387068341</id><published>2010-02-19T05:32:00.003+10:00</published><updated>2010-02-19T05:45:30.627+10:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ePayments'/><title type='text'>Interesting criticism of Verified by VISA</title><content type='html'>http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf&lt;br /&gt;&lt;br /&gt;Murdoch and Anderson have written a critique of VbV - it is worth a read.  
Much of their criticism is in fact about how VbV has been commonly rolled out OR around UI experience issues.  These have some validity.  &lt;br /&gt;&lt;br /&gt;On three points I challenge their assertions:&lt;br /&gt;1.  They seem to imply that economics and security are fundamentally different - which I question.  It reveals a lack of understanding on their part of the fundamental motivation for VbV - to reduce chargeback costs to the payments system and thereby ensure the continued value of the payment network.&lt;br /&gt;2.  They fail to differentiate between VbV itself as a scheme and the choices banks have made in implementation - the widespread use of ACS managed services INSTEAD of the better approach of linking the ACS with the IDM process of the retail online banking system.  VbV lets the issuing bank determine how their customer should be authenticated with the original vision being that they would leverage established banking credentials.  The managed service was a transition assistance measure.&lt;br /&gt;3.  VbV is a protocol and yet they really are criticising specific implementations.  They don't question the protocol per se.  It would be like saying that SSL is no good because IE3 had a broken implementation.&lt;br /&gt;&lt;br /&gt;I have written on VbV before and my issue is that roll out has stalled because the implementations are poor.  
There is some suggestion that in the EU, at least, roll out is growing.&lt;br /&gt;&lt;br /&gt;I recommend the article to you.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4890749117197852182-7419222950387068341?l=duncanunwin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://duncanunwin.blogspot.com/feeds/7419222950387068341/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4890749117197852182&amp;postID=7419222950387068341' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/7419222950387068341'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/7419222950387068341'/><link rel='alternate' type='text/html' href='http://duncanunwin.blogspot.com/2010/02/interesting-criticism-of-verified-by.html' title='Interesting criticism of Verified by VISA'/><author><name>Duncan Unwin</name><uri>http://www.blogger.com/profile/06013135071525050475</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://bp1.blogger.com/_VLreULO28eE/SDzp08Ow_mI/AAAAAAAAAAM/vNUwhQoAXl4/S220/DU+Thumb.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4890749117197852182.post-7139147613640870265</id><published>2010-02-13T09:00:00.003+10:00</published><updated>2010-02-13T09:03:18.775+10:00</updated><title type='text'>Gartner says Smartphone secure - WTF!</title><content type='html'>GARTNER says Smartphones more secure than PCs&lt;br /&gt;In an AFR article on the 19th Jan 2010&lt;br /&gt;&lt;br /&gt;Banks target smartphone customers &lt;br /&gt;PUBLISHED : 19 Jan 2010 &lt;br 
/&gt;http://www.afr.com/p/business/technology/banks_target_smartphone_customers_szpRB6BfC2BkGOOETy9G9I &lt;br /&gt;&lt;br /&gt;A Gartner analyst claims that smart phone apps (iPhone, Blackberry) are more secure than PC users using a browser to access an eBanking site. If this is an accurate quote it marks a new low for Gartner's credibility in the security space. &lt;br /&gt;&lt;br /&gt;I don't know what others think about this but we are seeing a rapid increase in vulnerabilities in smartphones with a rash of data leakage incidents. I have extreme doubts about the maturity of the sandbox security models used on these devices - we already have plenty of examples of it not working. For corporations I am now recommending they seriously consider third-party end point protection on these devices. &lt;br /&gt;&lt;br /&gt;So what are the issues: &lt;br /&gt;* The security models of the devices place too much trust in device providers and their accreditation of app security &lt;br /&gt;* There is insufficient isolation of different app contexts on the device &lt;br /&gt;* Physical security is an issue &lt;br /&gt;* Apps tend to store private data either explicitly or implicitly - without effective measures such as strong encryption &lt;br /&gt;* Few of these banking apps are being subjected to rigorous and independent vulnerability analysis &lt;br /&gt;* App functionality is being driven by the marcoms team - we saw where this led in eBanking back in the late 90s &lt;br /&gt;&lt;br /&gt;I'd be interested in hearing from others: &lt;br /&gt;1. How many of you use a smartphone and would you be comfortable using an app to do online banking? &lt;br /&gt;2. How many of you are seeing hacks on these devices and how nasty are they? &lt;br /&gt;3. 
What do you think of this reported view of the Gartner analyst that smartphones are more secure than PCs?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4890749117197852182-7139147613640870265?l=duncanunwin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://duncanunwin.blogspot.com/feeds/7139147613640870265/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4890749117197852182&amp;postID=7139147613640870265' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/7139147613640870265'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/7139147613640870265'/><link rel='alternate' type='text/html' href='http://duncanunwin.blogspot.com/2010/02/gartner-says-smartphone-secure-wtf.html' title='Gartner says Smartphone secure - WTF!'/><author><name>Duncan Unwin</name><uri>http://www.blogger.com/profile/06013135071525050475</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://bp1.blogger.com/_VLreULO28eE/SDzp08Ow_mI/AAAAAAAAAAM/vNUwhQoAXl4/S220/DU+Thumb.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4890749117197852182.post-4027882848822979413</id><published>2009-08-15T16:34:00.003+10:00</published><updated>2009-08-15T16:40:41.902+10:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enteprise Architecture'/><title type='text'>Strategic Alignment &amp; Enterprise Architecture</title><content type='html'>We are going through an interesting journey at a government department I am working for.  The business unit we are establishing is only partially established.  
We are building an EA for this business but the legislation and regulations, let alone the actual operating model of the business, are still being developed.  As such we are having to deal with capabilities in a general way and strategic linkage can only be done at this level.  This is quite different from most established organisations and the traditional top-down linkage models are fairly hard to apply.  We are working through the challenge but I was wondering how many people had found themselves in this situation and how they approached it.&lt;br /&gt;&lt;br /&gt;For the record we are doing the following:&lt;br /&gt;&lt;br /&gt;Linking Vision, Strategic Objectives and Principles&lt;br /&gt;to&lt;br /&gt;Business Capabilities&lt;br /&gt;to&lt;br /&gt;Logical Technical Capabilities&lt;br /&gt;to&lt;br /&gt;Physical technical capabilities&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4890749117197852182-4027882848822979413?l=duncanunwin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://duncanunwin.blogspot.com/feeds/4027882848822979413/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4890749117197852182&amp;postID=4027882848822979413' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/4027882848822979413'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/4027882848822979413'/><link rel='alternate' type='text/html' href='http://duncanunwin.blogspot.com/2009/08/strategic-alignment-enterprise.html' title='Strategic Alignment &amp; Enterprise Architecture'/><author><name>Duncan Unwin</name><uri>http://www.blogger.com/profile/06013135071525050475</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://bp1.blogger.com/_VLreULO28eE/SDzp08Ow_mI/AAAAAAAAAAM/vNUwhQoAXl4/S220/DU+Thumb.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4890749117197852182.post-519607649964597220</id><published>2009-01-23T07:26:00.003+10:00</published><updated>2009-01-23T07:45:37.665+10:00</updated><title type='text'>The future of MRPII is Lean</title><content type='html'>I have been working with a manufacturing client (T/O $12M, light industrial, MTO) that has been running an ageing MRPII platform - MK if you are interested.  Originally they implemented the full breadth of capabilities from MPS to SFC.  Over the years they have found that the return on effort of running all these features is not justifiable and they have progressively simplified the system's use.  Over the past month we have been helping them evaluate a replacement strategy for this system which is now end of life and this week we had a eureka moment.  Money is tight and the group this business belongs to uses an ERP solution targeted at the enterprise asset management space, not manufacturing.  I had raised the possibility that one approach was to fairly radically simplify the production management process and only use the corporate system for sales orders and inventory.  This week the light bulb went on in the MD's head and he asked me to elaborate on this idea.  I outlined Lean manufacturing and described the experiences I had with seeing lean in action at Toyota and implementing it in Australia.  He is getting the board's sign-off and we will be organising training in Lean for the team.  Our plan is to implement a full lean philosophy in the plant and slowly decommission the MRPII system.  When we are back to just using Sales Orders and Inventory then we plan to swap to the corporate ERP system.  
My feeling is that, not only will they save much of the replacement and reimplementation costs of a new MRPII system BUT they will get a much better business in the process.  The more I see small manufacturers like this the more I think that MRPII is a bad fit for most of them and the more I like Lean as an approach.  Lean can use technology - of course - but it puts people and process ahead of it.  So the future for these types of companies may be an Accounting system with Lean rather than MRPII. I'll keep you posted on how it goes.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4890749117197852182-519607649964597220?l=duncanunwin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://duncanunwin.blogspot.com/feeds/519607649964597220/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4890749117197852182&amp;postID=519607649964597220' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/519607649964597220'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/519607649964597220'/><link rel='alternate' type='text/html' href='http://duncanunwin.blogspot.com/2009/01/future-of-mrpii-is-lean.html' title='The future of MRPII is Lean'/><author><name>Duncan Unwin</name><uri>http://www.blogger.com/profile/06013135071525050475</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://bp1.blogger.com/_VLreULO28eE/SDzp08Ow_mI/AAAAAAAAAAM/vNUwhQoAXl4/S220/DU+Thumb.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4890749117197852182.post-3591354535296521857</id><published>2008-11-01T09:54:00.003+10:00</published><updated>2008-11-01T10:06:53.630+10:00</updated><title type='text'>Poor man's fraud scoring</title><content type='html'>As part of a research project at Griffith University I have been looking at the variables that best predict CNP fraud risk.  What is different about my research is that it is quantitative - i.e. I am dealing with hard data not mumbo jumbo marketing phrases like 'auto-adaptive neural networks with genetic algorithms'.  The end of the research is still far away but I wanted to share a tidbit with you that will solve 95% of your fraud problems and cost almost nothing to implement.&lt;br /&gt;&lt;br /&gt;IF Card is Overseas (use a BIN table to determine this) AND&lt;br /&gt;email address is free email service&lt;br /&gt;THEN&lt;br /&gt;      Suspect Fraud&lt;br /&gt;&lt;br /&gt;Too simple?  I thought so too. After double checking and re-checking my analysis, I realised that this is because most eCommerce is still intra-national AND most fraud networks are globalised.&lt;br /&gt;&lt;br /&gt;No doubt after the bad guys start reading this, they will up the stakes.  
But right now if you have no fraud scoring on your web site, try implementing these two simple measures.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4890749117197852182-3591354535296521857?l=duncanunwin.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://duncanunwin.blogspot.com/feeds/3591354535296521857/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4890749117197852182&amp;postID=3591354535296521857' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/3591354535296521857'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/3591354535296521857'/><link rel='alternate' type='text/html' href='http://duncanunwin.blogspot.com/2008/11/poor-mans-fraud-scoring.html' title='Poor man&apos;s fraud scoring'/><author><name>Duncan Unwin</name><uri>http://www.blogger.com/profile/06013135071525050475</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://bp1.blogger.com/_VLreULO28eE/SDzp08Ow_mI/AAAAAAAAAAM/vNUwhQoAXl4/S220/DU+Thumb.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4890749117197852182.post-2554927081080220930</id><published>2008-10-31T06:46:00.002+10:00</published><updated>2008-10-31T06:49:18.257+10:00</updated><title type='text'>Meldown and security</title><content type='html'>A question my colleagues and I are asking ourselves is: will the financial meltdown increase or reduce organisations' intent to improve information security?  Will the companies that have just taken a bath see the 3 degrees of separation from financial risk, to risk culture, to information security to ICT security?  
Or will they once again see ICT Security as a nice to have that can be dumped when budgets contract?</content><link rel='replies' type='application/atom+xml' href='http://duncanunwin.blogspot.com/feeds/2554927081080220930/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4890749117197852182&amp;postID=2554927081080220930' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/2554927081080220930'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/2554927081080220930'/><link rel='alternate' type='text/html' href='http://duncanunwin.blogspot.com/2008/10/meldown-and-security.html' title='Meltdown and security'/><author><name>Duncan Unwin</name><uri>http://www.blogger.com/profile/06013135071525050475</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://bp1.blogger.com/_VLreULO28eE/SDzp08Ow_mI/AAAAAAAAAAM/vNUwhQoAXl4/S220/DU+Thumb.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4890749117197852182.post-5499157420672353481</id><published>2008-10-31T06:40:00.003+10:00</published><updated>2008-10-31T06:46:21.767+10:00</updated><title type='text'>Identity Management - let's integrate physical and digital</title><content type='html'>I have spotted some interesting trends in the IM space.  There is an increasing need to converge enterprise solutions in the access control and IM spaces.   The token of choice for this will be contactless smart cards.   Readers will be in laptops and PCs (turn 'em on when I sit down!) 
and on physical access (Unlock the door as I approach).  The costs are coming down - now we need a smart systems integrator to package it all together.  The Killa product is - well that would be telling ;-)</content><link rel='replies' type='application/atom+xml' href='http://duncanunwin.blogspot.com/feeds/5499157420672353481/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4890749117197852182&amp;postID=5499157420672353481' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/5499157420672353481'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/5499157420672353481'/><link rel='alternate' type='text/html' href='http://duncanunwin.blogspot.com/2008/10/identity-management-lets-integrate.html' title='Identity Management - let&apos;s integrate physical and digital'/><author><name>Duncan Unwin</name><uri>http://www.blogger.com/profile/06013135071525050475</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://bp1.blogger.com/_VLreULO28eE/SDzp08Ow_mI/AAAAAAAAAAM/vNUwhQoAXl4/S220/DU+Thumb.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4890749117197852182.post-7170785648576626122</id><published>2008-05-29T06:45:00.003+10:00</published><updated>2008-05-29T10:40:45.402+10:00</updated><title type='text'>Verified by Visa - so near and yet so far</title><content type='html'>For those who have known me for years, you will know that I have been involved with Verified by Visa (VbV) from the early trial way back in 1999. 
It was then called 3D Secure and QSI was the first vendor to go through vendor certification of a Merchant Interface Processor (MIP). Fundamentally I am a fan of VbV and compared with SET it is lightweight, practical, moderately secure and represents IMHO the way forward for online card holder authentication of ePayments.&lt;br /&gt;&lt;br /&gt;The other day I signed up to skypeout, the service that lets you call land line phones from your desktop - and sound like an offshore call centre :-). Skype UK use Bibit, a Payment Service Provider (PSP) owned by my old friends RBSG. The Visa card I used was from one of the big-5 Australian banks, who uses the Arcot Access Control Server (ACS).  I suspect it is the hosted service.  As my card was not registered with VbV, it sent me to a registration page, prompting for DOB and the security code.  These did not validate (although correct) which makes me suspect that the bank is not keeping account details in sync with their core banking systems.  This is the problem you get when you go the low road and don't really integrate the ACS into your eBanking infrastructure. &lt;br /&gt;&lt;br /&gt;The result was that the transaction would have been flagged as &lt;em&gt;VbV compliant transaction, card holder not enrolled&lt;/em&gt;.  I am not completely up to date with the VISA EU region rules but I think this means that as far as Skype is concerned, it is covered under the Card Present rules.  If it turns out that there is fraud on the card, it will be my problem.  
In all a pretty poor protection of the consumer by my bank.&lt;br /&gt;&lt;br /&gt;I'll let you know what they have to say about this when I hear back from them.</content><link rel='replies' type='application/atom+xml' href='http://duncanunwin.blogspot.com/feeds/7170785648576626122/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4890749117197852182&amp;postID=7170785648576626122' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/7170785648576626122'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/7170785648576626122'/><link rel='alternate' type='text/html' href='http://duncanunwin.blogspot.com/2008/05/verified-by-visa-so-near-and-yet-so-far.html' title='Verified by Visa - so near and yet so far'/><author><name>Duncan Unwin</name><uri>http://www.blogger.com/profile/06013135071525050475</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://bp1.blogger.com/_VLreULO28eE/SDzp08Ow_mI/AAAAAAAAAAM/vNUwhQoAXl4/S220/DU+Thumb.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4890749117197852182.post-3413090946233959801</id><published>2008-05-28T19:07:00.000+10:00</published><updated>2008-05-28T19:28:59.449+10:00</updated><title type='text'>Enterprises at risk from email leaks</title><content type='html'>ITNEWS is reporting the results of a survey by Proofpoint that 30% of enterprises have investigated an email leak in the past 12 months.  
I have long been talking to clients about the risk of &lt;em&gt;data&lt;/em&gt; &lt;em&gt;leakage&lt;/em&gt; via email.  Email is so widely used in corporations and so essential to business life that any move to limit its use is strongly resisted.  Yet here is a mechanism that allows board papers, trade secrets, and personnel files to slip out the front door of the organization. &lt;br /&gt;&lt;br /&gt;Prohibition of email is not going to work.   Even blocking webmail access for employees will be unpopular with Gen Y employees.  Unless you are the DoD or a major government department, this is not an effective management strategy.&lt;br /&gt;&lt;br /&gt;Here are my suggestions of what you can do:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Have a documented information classification and release policy&lt;/li&gt;&lt;li&gt;Require explicit classification of information as &lt;em&gt;Public&lt;/em&gt; before the email gateway delivers to an external address&lt;/li&gt;&lt;li&gt;Keep a log of all outbound emails and monitor these logs&lt;/li&gt;&lt;li&gt;Conduct awareness training with all employees&lt;/li&gt;&lt;/ol&gt;You may be surprised that I have not mentioned DRM and secure mail.  While I think these are excellent technologies, I don't think the social engineering works.  KISS.  
Simple organizational processes and procedures offer the best return on investment for this problem.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.proofpoint.com/"&gt;http://www.proofpoint.com/&lt;/a&gt; &lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.itnews.com.au/News/76978,enterprises-at-risk-from-email-leaks.aspx"&gt;http://www.itnews.com.au/News/76978,enterprises-at-risk-from-email-leaks.aspx&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://duncanunwin.blogspot.com/feeds/3413090946233959801/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4890749117197852182&amp;postID=3413090946233959801' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/3413090946233959801'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4890749117197852182/posts/default/3413090946233959801'/><link rel='alternate' type='text/html' href='http://duncanunwin.blogspot.com/2008/05/enterprises-at-risk-from-email-leaks.html' title='Enterprises at risk from email leaks'/><author><name>Duncan Unwin</name><uri>http://www.blogger.com/profile/06013135071525050475</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://bp1.blogger.com/_VLreULO28eE/SDzp08Ow_mI/AAAAAAAAAAM/vNUwhQoAXl4/S220/DU+Thumb.jpg'/></author><thr:total>0</thr:total></entry></feed>
