Windows XP just can’t get to its end-of-life fast enough

What does an electronic safe and a undersea fiber optic cable-laying ship have in common? Both are still using Windows XP as their underlying operating system. As Microsoft releases Windows 10 this week and we start getting those annoying upgrade messages, it might be amusing to note exactly how hard it is to rid XP from the entire world. Killing off kudzu is probably easier.

The ship is the Rene Descartes and is laying the latest high-speed fiber on behalf of Google and a consortium of telecoms between Japan and Oregon. It promises to carry traffic at 60 Tbps when it is lit up next year. The ship uses Windows XP to drive its very sensitive GPS systems to lay the cable very precisely on the seabed. In shallower waters, the cable is buried by robotic shovels so that commercial fishing boats and sea life don’t accidentally cut the cord. My guess is that these systems were designed a long time ago when XP was the current OS and it isn’t easy to update them. The French mathematician Descartes would agree, after all he once said: “It is only prudent never to place complete confidence in that by which we have even once been deceived.” Also, with all the dough at stake does anyone want to try to mess with a newer OS?

Okay, you can see why XP is used there. But how about a Brinks safe? Most of the safes that I have seen are room-plus sized things that have very heavy doors and very little to do with computers. Brinks also sells a model called the CompuSafe Galileo, which runs software that keeps track of the money that is inserted into it over the course of the day. The notion is that having this software can make it easier for businesses to manage their cash deposits and make sure that no one has their hand in the till, so to speak. Think of this as the industrial-sized version of your banking smartphone app, where you don’t have to actually deposit a check and wait for it to clear but still get credit to your account. The Brinks safe (pictured below) does the same, and can free up time that a business would normally spend on counting the cash and reconciling it with its bank deposits.

However, the safe also runs Windows XP and what is worse, sports a USB port on the outside. At the DefCon conference this week, security researchers showed how they could reboot the safe and take control of its systems, and mess with its underlying Microsoft Access database to open its door and steal the money inside. Yes, you are reading this correctly. All it took was 100 lines of code to make this happen.

And while most of you know the Italian astronomer Galileo, you might not recall one of his more pity quotes: “I do not feel obliged to believe that the same God who has endowed us with sense, reason, and intellect has intended us to forgo their use.” Great words to live by, as Brinks struggles to remove those USB drives and make XP really operate in Safe Mode.

ITworld: Five ways to save money on your cloud costs

Keeping track of your monthly cloud computing bills isn’t easy. While it is great that cloud providers usually charge you on the resources you consume, the various elements of your bill are very complex and made up of dozens of different factors, such as CPU core, storage units, RAM size and data transfers. Fortunately, there are a number of online services (see chart below) that can help you save money by using a series of clever choices. In this article for ITworld (email reg. req.), I will look at five questions that you can ask to try to reduce your monthly cloud computing bill.

Service, link Number of Cloud Providers Expertise Free or paid?
Cloudability AWS Cost monitoring Paid
Cloudorado Cloud Hosting Comparison 27 CPU benchmarks Free (paid by participating vendors)
Cloudyn AWS, Azure, Google Costing trends Both
CloudHarmony CloudSquare 101 Uptime status Free
CloudSpectator Varies Custom analytics Both; paid reports are $400 each
CloudHealth Technologies AWS, Google Costing, performance and security analytics Paid services start at $250/mo
Datapipe Analytics AWS, Azure Management tools Paid services start at $3500/mo
RightScale PlanForCloud 6 Deployment scenarios Both; paid services start at $6000/mo



Network World: 7 encrypted email services to hide your messages

Whether you think Ed Snowden is a patriot or a traitor or somewhere in between, it certainly has been an interesting couple of years in the secure email business. It is a continued series of ironies, starting with the fact that Snowden had trouble convincing his chosen scribes to make use of encrypted email technology itself to transmit his documents. As I wrote about earlier this year, since Snowden’s revelations, more people have been motivated to employ encryption than ever before.

Ironically, it seems that the type of encryption that you use can make you a target of the spy agencies, who can scoop up your transmissions and figure out your origins. As Bruce Schneier said in a post last year, “There’s nothing that screams “hack me” more than using specially designed al Qaeda encryption software.”

That is a scary thought. But I don’t want to debate this here; instead I wanted to take a closer look at both new and older email encryption technologies and how much they actually protect your communications.

tutanota outlook betterI took this two-year mark of Snowden’s unintended flight to Russia to write this review of seven different products for Network World. They include Hushmail, ProtonMail, Datamotion SecureMail, HP’s Voltage SecureMail, Tutanota, Virtru and AppRiver. Using one of them will certainly be better than not using any encryption, even if it raises your profile with certain three-lettered agencies. Tutanova’s Outlook plug-in is pictured above.

You can read my full review here.

Making ride sharing legal is akin to the DSL battles of yore

When new technology enters the marketplace, there can be major disruptions to the way that our existing legal system was constructed with the older incumbent technologies in mind. Such is the case with Uber, Lyft and the other ride sharing services. The legal battle is with the metropolitan taxi commissions that want to protect the incumbent taxi companies.

I am reminded of the events of the late 1990s, when competitive DSL carriers wanted to enter the Internet access market and were blocked by the local phone companies. The first order of business for these DSL carriers back then was to deploy lawyers at the various state capitals and argue before the public utilities commissions that their services were legal and worthy. Many of these new carriers had to fight tooth and nail to get their gear allowed inside the local central phone offices. Often, the incumbent phone companies would say they ran out of room to house the new guy’s equipment. Yeah, right.

Fast forward to today, and companies such as Covad and Rhythms – the ones with all the lawyers running around the countryside — are long forgotten. We now get our DSL service mostly from Ma Bell. Ironic, isn’t it?

aa1The same thing is happening with the ride sharing services. Sue now; figure out how to implement later. Here in St. Louis these services are still illegal, and while things aren’t as bad as in Paris, it is still very messy. Last week we had in the span of a day an offer by Uber to provide free ride-shares for the holiday weekend. This offer was quickly withdrawn when the taxi commission said whether they are free or not, the drivers still need permits issued by the commission.

Last week in Paris, the taxi drivers staged a protest stopping traffic and burning tires over the UberPop service, which is about half the cost of the more typical UberX service that is its most popular service and uses registered drivers. The French are always good for labor strikes, and have taken things a step further by indicting the two local Uber managers for breaking their laws. Uber is available in more than 100 cities in the USA and in 57 countries, Lyft in more than 50 US cities. Some of these cities only have the Uber Black (akin to a private limo) while others have the cheaper UberX. It is confusing because Uber refers differently to its various services depending where they are offered, in an attempt to game the legal system. Maybe it is time to hire some of those DSL telecom lawyers that haven’t had much to do over the past several years.

I have not yet used any of the ride sharing services, but know many friends who have and are quite upbeat on them. They have their advantages in that you can see how far away your ride is on your phone, and in some countries the taxi commission has added a 15-minute wait time no matter how close they might be to level the playing field. Even so, it is like have a private driver without having to pay through the nose for one.

The sharing services get around the driver registration system with a two-way rating system: drivers rate passengers, and passengers rate drivers. This is a key element of their service: while there is some log-rolling (you rate me highly and I will do the same for you), it does tend to weed out the worse elements of both. Imagine if the incumbent taxi companies had something similar, our cabs would end up looking like Japan’s that are spotless.

The sharing services also have their disadvantages. They make use of surge pricing, so popular times, such as holiday evenings, cost more. You also don’t know the final cost of your ride until you leave the car, unlike a traditional taxi where you know while you are still in the car. And if you want to use multiple services, you need to download an app for each one to your phone.

Back when DSL was first founded, we had 17 different varieties and speeds and feeds of the service. No two were compatible, and consumer confusion was significant. (Here is an article that I wrote back in 1999 that describes the situation.) Now I just call AT&T and order U-Verse and tell them how much I want to pay a month.

The same thing is happening with the ride sharing services. The early days (say in 2012/2013) saw many cities initially ban them, then eventually allow them. The taxi commissions around the world will continue to block these new technologies under the mistaken mandate of protecting their citizens. But eventually things will change: we will have multiple ride sharing vendors, all offering some confusing array of services, and eventually they will be incorporated into the incumbent taxi companies, if they can see the future properly. Or maybe Google will end up owning all of them and substitute driverless cars instead. Their Waze subsidiary is already planning to roll out ride sharing in Tel Aviv later this year.

Network security worst practices

I recently came across a company with amazingly poor security practices. Over the course of time, the company was so lax about tracking its laptops that many were either lost or stolen with sensitive customer data, of course kept unencrypted on the laptop’s hard drives. For many months, the company had no Internet firewall. It didn’t track any network egress traffic and didn’t routinely examine any of its network log files to see what what actually going on across its infrastructure. Routine software updates were ignored, many of which had security implications. And the final coup de grace: it never kept any records of who had administrative access to various critical resources.

None of these things are hard to do. All can be done with technology that is common at least ten years ago, in some cases 20 years old. All require some diligence, and staying on top of things, and having the personnel who are responsible for these tasks to actually be doing them on a routine basis. So what happened? You probably won’t be surprised when I tell you that all of these activities were common IT practice at several US government agencies. We aren’t even talking about government contractors (which also fall down on the security job). These are full-time employees, and at agencies that should know better, such as the SEC or NRC. People that handle sensitive stuff.

As an aside, both agencies are among the top places to work for midsized agencies.The SEC actually has two IT specialist job openings (at least for now) that pay quite well. Sounds like a pretty cushy position to me, since you probably spend your time playing computer games or surfing the web.

And I haven’t even gotten to the latest revelations about Chinese hacking into the database of people who have applied for security clearances, which has been happening over the last year. This gives new meaning to being “red flagged.” Quite literally, and one with five yellow stars on it too.

My story gets worse. I should mention that many users were found with that old bugaboo, using “password” as their access passwords. Really? This is more than embarrassing.

And all jokes aside about going with the lowest bidder or cost overruns on $500 toilet seats. These agencies don’t have to buy anything much to cover the basics.

If a private industry CIO had this sort of security record, they would never work in IT ever again, unless to become a motivational speaker and tell people what not to do. Instead, because they are the Feds, we just shake our heads and wonder what is going on, and some how give them a free pass to mess something else up again. It really boils my blood.

I recently had a friend of mine ask me to serve as a reference for his security clearance renewal interviews. So chances are my name is in the hands of the Chinese somewhere. It was an interesting moment for me: when I met the investigator, he showed me his credentials, and I joked with him that I wouldn’t know if they were legit or not, I didn’t even know the name of the agency that he was supposed to be working for. As my friend explained, they aren’t looking for youthful indiscretions (not that I knew him when he was younger) but things that he hasn’t revealed on his application that can somehow be used to compromise him. Too bad the network administrators already blew it for him and millions of other Americans that are serving their country.

Okay, we lived through and all that mess. We made it through some pretty massive screw-ups where our 57 different intelligence agencies couldn’t even share basic threat information, or where innocent people with names that are similar to the bad guys are flagged by the TSA. This takes government tech to a new low.

When we can’t have basic, simple IT security practice that just involves people doing their jobs, that gets my goat. This is not a technology problem, it is a leadership and people problem.

Tom’s Hardware: Bitdefender’s Box not recommended

IMG_0008When Bitdefender announced its Box, a new breed of security hardware, I was intrigued. It sadly over-reaches and isn’t quite ready for prime time, will be only useful in a very limited number of circumstances, and falls far short of being the kind of unique protective appliance that it promised.

It is a very unusual product: basically, it supplies the DHCP addresses in conjunction with your existing home router. But getting that combination to work reliability wasn’t pretty, and took weeks of effort too.

You can read my review in Tom’s Hardware today here.

Top ten most annoying things writers do to their editors

I recently got to see “Author Anonymous,” a very funny mockumentary movie about a bunch of writers and how their group dynamics change when one of them (played by Kaley Cuoco of Big Bang fame) experiences success. It reminded me about how badly many fellow members of my fellow writing fraternity are when it comes to pitching potential stories to prospective editors. Here are my top ten mistakes you can make.

  • Make incomplete pitches.

Make it hard for the editor to understand what you are trying to do, why your pitch is important, what is your angle or expertise, or whatever. Put as much information as possible into your pitch

  • Don’t waste an editor’s time with inane queries.

Editors are busy people, make each email count. Try to figure out stuff on your own. Silence is golden.

  • Do follow your editor’s instructions.

Some of my editors have very specific instructions on how to assemble a draft for them. How hotlinks should be represented, or whether they like or hate in-line images, or whether they want subheads or suggested Tweet language or whatnot. Try to obey these instructions and keep them straight so you won’t waste their time in this fashion.

  • Don’t look at the website and understand their target audience.

This one is easy to fix: read and review the site and understand who they expect their readers to be.

  • Don’t know what articles have already been published.
    Make sure what you are pitching already hasn’t been covered on the site.
  • Don’t pitch something that you have already written for some other pub.
    This is a big no-no. Editors want unique content, unless they tell you otherwise.
  • Don’t have any clue on when you can actually finish a draft or hit a self-imposed deadline.
    When you are pitching a story, make sure you have the bandwidth to actually write it and finish it, because usually the next question is going to be when can the editor have it in hand?
  • Do understand the meaning of deadlines in general.
    And respect that deadline too. This isn’t some approximate timeframe. Don’t hold up the rest of the production process because you are late delivering your copy.
  • Don’t submit a story without any accompanying art, suggested Tweets, or other information that the editor requested.
    It isn’t just your text that is important, but the other information that supports your story is critical too.
  • Don’t whine about how much time revisions will take you.
    I know some editors are a major pain with serial revisions. Just don’t work for them again if they offend you or tie you up in knots with all sorts of back-and-forth emails. But your goal should be to finish the assignment at least to your standards. Now, I have worked for editors that like to subtract value, or think of themselves as writers, but that will be for another post.

Network World: Centrify tops the group of 7 SSO products

Since we last looked at single sign-on products in 2012, the field has gotten more crowded and more capable. A number of new vendors have come to ply their wares, and a number of old vendors have been acquired or altered their products.

Centrify admin dashbdFor this round of evaluations, we looked at seven SSO services: Centrify’s Identity Service (the overall winner who’s dashboard is pictured above), Microsoft’s Azure AD Premium, Okta’s Identity and Mobility Management, OneLogin, Ping Identity’s Ping One, Secure Auth’s IdP, and SmartSignin. In addition to these products, we also looked briefly at AVG’s Business SSO. Overall, products have expanded their authentication support, moving towards integrated mobile device management,  using more cloud-based solutions, and supporting more apps. You can read here the entire text of my review, published today.

Learning from my bitcoin mistakes

bit2So you want to get into bitcoin? Don’t do what I did: spend about $60 in banking fees that turned my investment of $150 into $90. I always said my investment strategy is buy high, sell low, but I didn’t think it would happen in a matter of microseconds.

Actually, it took the better part of a week. I first wrote about bitcon a few weeks ago here and got some great comments, along with a recommendation to read this book by two WSJ reporters that I found very interesting. Then I decided to take the plunge and set things up. I found it wasn’t as easy as, say Paypal or Square, two apps that I use more or less all the time when I have to move money around.

If you want to enter the bitcoin universe, you need the following:

  • A digital wallet to store your bitcoins. The one that I am using is Bitpay’s Checkout, but if you are going to be serious about storing a decent amount of value you probably want to use Copay, which asks for multiple signatories to move money around. Think of this like Square: you set up a transaction and then hand over your phone or tablet to your customer, who sends you money. Instead of taking a day or so to get into your bank account and being charged a 2.75% fee, you get the funds with almost no fees that goes to your wallet within a few minutes.
  • An exchange. I set up my account on and that took some doing. The exchange is where you can move money from one currency to another or to bitcoins. You probably don’t need to start out with an exchange, but I wanted to have flexibility and also prepare myself for when I could become a day trader (JK). I liked Bitstamp because they had good reviews and handled a variety of currencies, including Euros. We’ll get to that whole experience in a moment
  • Access to a wire service from your bank to fund your initial account. More on that too.

First there is the exchange. They operate on a know your customer basis, meaning they want to see some documents that prove you are whom you say you are. That gives me some small measure of comfort. So I had to scan my passport, my utility bill, and so forth. I made the mistake of using my corporate bank account to send them a wire: that held things up for a few days while they wanted to see my corporate bank statement and answer a few other questions about why I wanted to use their services. Once we got everything working, they charged me a $7 fee to move my money into their system. Buying or selling bitcoins comes with another small fee of 0.25% per transaction.

Then my bank, which proceeded to charge me $45 for an international wire transfer to Europe, where Bitstamp is located. Sigh. That was the easy part, once I decided to accept that fee in the interests of science. The wire transfer takes a few minutes. Normally it would take Bitstamp a few minutes to recognize the transfer, but because I messed up and used my corporate account, it took a few days. Good thing I wasn’t trying to send a lot of cash this way.

As a side note, this outrageous wire fee is one of the reasons that bitcoin is catching fire. The fees are very low to move money around, in some cases almost nothing. But the bad news is that the value of the currency moves up and down very aggressively: at one point one bitcoin was worth $1200; now it is somewhere in the low $200s.

Then it came time to setup Bitpay. You first set up an account via the Web, and connect it to your bank account (if you want dollars out) or to your bitcoin account (if you want those out). They have a few other questions to ask you and documents to scan as well to prove who you are. They also have an interesting tier structure. When you first get your account you are set at tier 0, which entitles you to transfer $100 a day. The way they work, you send more documentation, they up your limit. Tier 1 is $1000 a day, and now I am at Tier 2, which is $10,000 a day with an annual limit of $500,000. This is all conducted via the Web, where you upload your scans, then they send you emails telling you that your account has been upgraded. And did I mention, there aren’t any fees? At least not yet.

The final step is to link your Bitpay wallet on your phone with your account. On the web, you go to Payment Tools and then Point of Sale app, where you add a pairing code, similar to how you would pair your phone on Bluetooth. You enter this code on your phone and your account is all setup. To test things I was able to send bitcoins from my exchange to my wallet. It was almost as exciting as sending my first Internet email message through MCIMail. (I know, I get off on some strange stuff.)

Was it all worth it? Certainly not the involuntary wire fee. But in the future I could use one of the bitcoin so-called ATMs that dot the landscape (we have one in St. Louis so far): they only charge about 8% fee to transfer funds, which is more typical of what my credit card company charges when I buy something abroad. And when one of my clients wants to pay me in bitcoin, I will be ready!

Wag the Dog, online and updated

In one of my favorite movies, Wag the Dog, we declare a fictional war on Albania in an attempt to manipulate a presidential election. While the movie (which was made 18 years ago) posits a ridiculous scenario, it is coming of age in today’s era of ubiquitous Internet and inexpensive video editing and social media aggregation tools.

MV5BMjA4OTQzODE1OV5BMl5BanBnXkFtZTcwNDIyMjY0NA@@._V1_SX640_SY720_According to Adrian Chen’s article in the New York Times, a secretive Russian agency has been fabricating various events for both American and Russian audiences using very similar “Wag the Dog” scenarios. Chen finds You Tube videos, fake Twitter accounts by the truckload, and phony websites and other postings that seem to all come from this agency. The effort is so realistic that many people are fooled into thinking its fabricated disasters, conflicts, and other newsworthy events are real, rather than the work of some clever and dedicated troll army.

Call it life imitating art 2.0. What took the prowess of a Hollywood producer (played superbly by Dustin Hoffman) and a studio back lot can now be done with a few clicks of a mouse and the right voice actor narration. Thanks to social media, it is easy to get something as a trending topic that is all a complete fabrication.

Russia seems to excel at truth-bending: witness the made-up details about the crash of MH17 in Ukraine. Whether you believe the plane was targeted by the Russians or the Ukrainians or just an accident, a year later it is still hard to tell.

Back with the real World War II we had squadrons of mis-information groups that didn’t have access to the Internet and personal computers. But they still managed to invent some amazing stories. If you want to read about one of them, try Agent Garbo, which accounts about the real life of one spy who managed to trick the Germans into thinking the Allied D-Day landings were happening elsewhere. And it all was done through the sheer force of his personality too.

Is it too much to hope that reporters should be doing this for a living and helping matters? Well, at least some of them now get trained in using tools to verify social media posts. This is a great start but there are still lots of reporters that get duped. It reminds me of my favorite media hoaxster, Joey Skaggs, who has made his living trying to fool the mainstream press over the years. (You can read about some of his exploits here.)

So a lesson from all this is to be more skeptical, I guess. And in Wag the Dog, Hoffman’s character says, “It’s the best work I’ve ever done in my life, because it is so honest.” Truer words were never spoken. Trust, but verify.