Monday, December 3, 2012

The other DDoS: Denial of Service by DMCA

In information security, the common definition of DDoS is Distributed Denial of Service attack. However, there is a legally sanctioned form of DDoS: DMCA Denial of Service, where a user acting in good faith is 'denied service' because of an alleged infringement of the DMCA. The DMCA (i.e. the Digital Millennium Copyright Act) provides a means to enforce of copyright protections online and was ultimately responsible for killing Napster (who enabled peer-to-peer sharing of  music and other files). Although the Napster case was cut & dry to some (like the Recording Industry), there are some where users are actually acting in good faith, but are taken down through enforcement of such  an Act.

The case that illustrates this issue is the take down of 1.45 million education blogs in October. James Framer, CEO of EduBlogs, noted that "ServerBeach, to whom we pay $6,954.37 every month to host Edublogs, turned off our webservers, without notice, less than 12 hours after issuing us with a DMCA email." He went on to explain what the actual infringement was: "one of our teachers, in 2007, had shared a copy of Beck’s Hopelessness Scale with his class, a 20 question list, totalling some 279 words, published in 1974, that Pearson would like you to pay $120 for." Reading the blog further it turns out that EduBlogs did actually comply with the DMCA request that they received. However, the issue that Pearson had was (a) it was accessible via Google's cache and (b) it was accessible by its Varnish cache. In other words, James Farmer got legally DDoSed: 1.45 million blogs were made unavailable due to ServerBeach rush to comply with the DMCA instead of "calling any of the 3 numbers for us [ServerBeach] have on file".

Edublogs, however, is not the only company to be DDoSed in this manner. Small companies that publish news reports on YouTube or other content sharing sites also face this danger. Take for example Leo Laporte's This Week in Tech (TWIT) new media network, which publishes tech related podcasts and videocasts. The business model of this network resides on him being able to make the video available soon after its airing. Failure to do so will result in the company losing out on ad revenue because the "eyeballs never made it" to the particular show. Consequently, when one of their episodes gets pulled down by Google's robots, or due to request of the copyright holder (as noted here), it jeopardizes the TWIT business model making him another DDoS victim.

From a risk perspective, the risk of such event should be evaluated, especially for businesses that rely on revenues via the distribution of online content. Specifically, the agreement with the third parties that host their content should include provisions that enable them to at least demonstrate compliance prior to be taken down. However, both James Farmer and Leo Laporte have attempted to work with their respective providers to prevent this type of risk. Farmer complied with the request, while Laporte has attempted to contact Google and explain that he is news organization. So this is easier said then done. Laporte hosts the videos on his own servers, however the popularity of YouTube limits the effectiveness of this "backup strategy" (i.e. users won't go to the site to watch the video instead of YouTube). In the end, it may just be an unavoidable cost of relying on such providers.

From a longer-term perspective, it illustrates clash of legacy laws and the capability of the Internet to "network knowledge". This the concept is taken from David Weinbergers's "Too big To Know", who identified how the ability to share, link and debate information on the Internet transforms knowledge into a more fluid state in contrast to the static nature of books. He explains this concept in the following video:

James Farmer implicitly argued this point in his rant against Pearson when he said: "Here’s another idea Pearson, maybe one that you could take from Edublogs, howabout you let this tiny useful list be freely available, and then you sell your study materials / textbooks and other material around that… maybe use  Creative Commons Non Commercial Attribution license or similar to make sure you get some links and business." In other words, Pearson has failed to understand this new world of networked knowledge, where a link to the "offending" list would link to other resources that has Pearson has - enriching both Pearson and those using its publications.

Monday, November 19, 2012

Hurricane Sandy and Disaster Recovery: Cloud to the rescue?

When looking at the aftermath of hurricane Sandy, the most important aspect of the event is the toll it has had on the people. The Atlantic puts the total impact in terms of dollars at $60 billion, with death toll at 123 people. However, those that survived face the challenges brought about by the flooding and living without power for weeks. For example, 4 million remained without power for extended period of time. This of course challenged individuals to keep their frozen food cold and live without technology for that period of time. As for companies, their disaster recovery plans were put to the test. Perhaps the most poignant example was the New York University Langone Medical Center who had to evacuate patients because their backup generators because they were located in the basements, which got flooded. Hospital officials defended their preparedness  but critics pointed out that the backup power generators "are not state-of-the-art".

Samara Lynn of PC Magazine published an article on how Sandy taught organizations valuable lessons from a Disaster Recovery (DR) perspective (she previously painstakingly put together a 4 part series for small and medium sized businesses on DR planning; see here, here, here, and here). Before I read the article, I was expecting a bulleted list of dos and don'ts when it comes DR planning. But what I was surprised to find is that companies are relying on cloud computing service providers to make up for the unavailability of local processing. Examples include:
  • A New York Architectural firm Diller Scofidio + Renfro used Amazon Web Services (AWS) to relocate the company's core applications, enabling users with the proper license configuration to access these applications right from their laptops. Also, the IT Manager, Chris Donnell, used AWS as a remote desktop during the disaster. (I encourage you to read the whole article as it details how Chris was in the middle of an email migration from Outlook to Gmail when Sandy hit; poor guy!). The company also used Panzura to store the data temporarily in the cloud.
  • Ring Central, a cloud-based pbx hosting service, (they sponsor TWIET and other podcasts on the TWIT network) was able to relocate their operations away from the storm. More importantly, they offer near instant recovery of phone support by plugging in a piece of hardware they can "bring in a live extension under 10 minutes". Naturally, there is an increased interest in Ring Central by those that were satisfied with the lengthy recovery times of their providers. 
The article also discusses how a service provider made DR as part of IT outsourcing service and how the key to DR is backup power. 

Although not related directly to cloud, one of the most amazing story that I've heard is how SquareSpace (SQS) kept it's platform up and running. Like the hospital, SQS had its back up generator in the basement and that got flooded. It published this blog post to inform customers of what was happening. However, the real interesting story is the lengths that team went to ensure the site stayed up and running. The team physically took fuel from the basement to the generator of the roof going up 17 flights of stair

Even more amazing was that the founder and CEO, Anthony Casalena, personally helped in this effort. Talk about Tone at the Top

Saturday, November 3, 2012

Can we live in the cloud? Prof Jeff Jarvis intends to find out

On This Week in Google (TWIG) episode 169, Jeff Jarvis, professor of journalism at CUNY, announced that he will be attempting to live only in the cloud and abandoning the comforts of offline desktops.  He recently moved to the Android eco-system (i.e. for his mobile device and tablet), which he accredits to Google's wide range of services from maps to Google Docs. Taking it to "whole nother level", Jeff is planning to live only in the cloud once he gets his hands on Samsung's ultra-cheap Chromebook, which is expected to retail for $249. The Chromebook (as its names suggests) is based on Google's Chrome OS, where the OS is basically the Chrome browser. Here's the ad in case you missed it:

As illustrated in the ad, the concept is that the Chromebook is something that everyone and anyone can use. The premise is: if you primarily do everything in the browser, then you really don't need a full laptop. A few years ago, as Leo Laporte pointed out in the episode, this experiment by the way of netbooks failed. Does Jeff have a fighting chance or will Leo tell Jeff "I-told-you-so" after Jeff experiment ends? Well, I think Jeff does have a fighting chance. Firstly, cloud computing has matured significantly since netbooks have hit the scene. Secondly, people are now accustomed to using tablets and smartphones as a way to get things done.

In a way the Chromebook represents an intersection between the trend of cloud computing and thin client devices and taking technology back to the early years of computing, where users had to "dial-in" from their "dumb terminals" into powerful mainframes. Except the Chromebook,smartphones, and tablets are replacing the dumb terminals, while the cloud computing service providers are replacing the mainframe.

Why should information security & privacy professionals care about this?

It is really about the price point. If Jeff Jarvis can successfully move to the cloud with this device, it means that the economics of the consumerization of IT has arrived. Think of a 10-person small business that is starting up. It really just needs email and office productivity apps for their clients. The IT cost would be $2500 for the hardware and then recurring cost of $500 a year for the Google Apps. The traditional  Dell laptop + MS Office license would cost about $6480 upfront + the cost of an email server + the IT resources an effort to maintain/patch the laptops and the server.

In terms of data redundancy, one could argue that all the data is on the cloud so it's actually safer. Theoretically, if the owner loses their Chromebook, they can just change their password and then the Chromebook is essentially just a "dumb" piece of hardware with no data. And as illustrated by these stats, this is no small benefit. Of course, cloud computing does have its risks as mentioned on a previous blog post and this publication (which I co-authored for the CICA). It's not that the risks in the cloud are insurmountable, but they are different then the ones we are accustomed to dealing with.

From a usability and information risk perspective I would ask these questions to Jeff Jarvis about his experiment:

  • Printing: What are the hiccups in terms of producing and printing formatted documents? What I am thinking about are the mundane things like resumes, reports and the like. 
  • Working with Luddites: How do you work with others that are not in the cloud? Sometimes working with a colleague the most efficient way to transfer a number of documents is via USB, especially when the other party does not have Internet access (e.g. think of locked down company laptops). 
  • Handling Sensitive Data: What is the sensitivity of the data that is being on the cloud? For example, we keep private things like tax files that contain SSNs, SINs, income, etc offline. So how would one keep such things private or is it matter of just living in public? For readers that are unfamiliar with Jeff Jarvis, he takes "what's the harm approach and has written two books (click here and here) on the topic of being more open and social with one's information. But I hope he can appreciate not everyone uses his "privacy settings" :)
  • Trusting cloud providers: What due diligence does someone do before trusting a cloud provider? I suppose this is a "leading question".  Accounting associations in Canada (i.e. the CICA) and the US (AICPA) have established Service Organization Control (SOC) Reports. These reports replaced the SAS 70 Type II reports in the US and Section 5970 Reports in Canada. So do you need this type of assurance before dealing with companies? Going back to the tax return example, one solution would be to use cloud-based tax services. But how do you establish trust that this information is appropriately. One may attribute my repetitive use of the tax return info to the fact that I am an accountant. However, to be fair Gina Trapani on a previous episode of TWIG did point out an accountant should not be putting tax info on the cloud unless it was encrypted. 
  • Securing data on the lost Chromebook. If the Chromebook is lost, what are the precautionary measures the person has to take? In other words, the theory meet reality. 
  • Making local backups:  Currently, we back from offline to the cloud, but how does this work in reverse? The reason this is important is illustrated by Mat Honan's Apple iCloud account getting hacked and watching helplessly as his data got deleted
  • Working without internet access: How many times does the lack of internet access due to being in a subway or non-WiFi become an obstacle to being productive?
  • Working through cloud outages: What happens if there is a disruption at the cloud provider or underlying infrastructure? Jeff lives in NY (and judging by his tweets; he's doing okay), so he does have some experience dealing with such a scenario given the disaster brought to his area by Hurricane Sandy. 

Assuming Jeff actually does gets his Samsung Chromebook and goes through with this experiment, I will post an update to this post.

Wednesday, October 24, 2012

Did the SC Supreme Court legalize industrial espionage on the cloud?

As reported in Ars Technica, the South Carolina (SC) Supreme Court iruled that gaining access to someone else's email does not violate any laws, specifically the Stored Communications Act. In the case, Jennings vs Jennings, the husband (M. Lee Jennings) was suing his ex-wife's (Gail M. Jennings) daughter-in-law, Holly Broome, (from a previous marriage) for unauthorized access to his personal email account. Holly had guessed the correct answers to the secret questions and gained accessed to his email accounts. She had been asked by her mother-in-law to look at M. Lee Jennings's email because he admitted to her that he was having an affair and had exchanged email correspondences with this woman. Holly printed the emails and provided it to Gail and her defense team, who used it against ML Jennings during their divorce trial.

The Supreme court found that the hacking was not in violation of the Stored Communications Act (SCA) because cloud-based email does not meet the "definition of "electronic storage" within the SCA [which] requires that it must be both temporary and intermediate storage incident to transmission of the communication and storage for the purposes of backup protection".  It should be noted that, as pointed out by William Shapiro on this episode of This Week in Enterprise Tech (it's the first segment so you don't have to listen to the whole episode), that this judgment is only limited to South Carolina.

Wow. In these few small sentences, the SC Supreme Court has allowed unauthorized access to anything that is stored on the cloud. In the last few posts on the UWCISA blog, I have commented on industrial espionage and Microsoft's move of Office to the cloud. On my entry on cloud I noted that the cloud pretty much gives access to law enforcement:
"In terms of privacy, the way the privacy rules works is that if the provider tells you in the ToS that they will hand over things to law enforcement then they are covered from a privacy compliance perspective. (See the Privacy Commissioner's handling of the complaints against CIBC). Furthermore, as noted in this article both American and Canadian law enforcement and other agencies can access what you put on Office 365 and they don't need to do tell you about it. "

On my entry on industrial espionage, I highlighted that, in addition to the risks highlighted by US government officials on using Chinese hardware manufacturers, "it is important to recognize that other factors are at play on the specific issue of ZTE and Huawei and that the risk of Chinese hacks should not be overstated. After all, non-Chinese companies do conduct industrial espionage against one another. For example, SAP had to pay $120 million to Oracle for such activity, which occurred in 2007. But if you raised the threat of German firms hacking to get into American companies, people would think you are not well. So although this threat is real, it is not new and it's not just coming from the Chinese."

Furthmore, I have been immersed in the last few week's in Kevin Mitnick's (wiki, his site) Ghost in the Wires, which details how he hacked into Motorola, Sun, and other major companies.Once you read his story, you will quickly realize how this ruling by the SC Supreme Court makes it open season on any corporation that uses the cloud as means to outsource processing. If an average person, like Holly Broome can access confidential email - imagine what a determined hacker like Mitnick could do!  For example, if you use Google Docs or the soon to be released Microsoft Office 365, then a competitor can gain access without violating the SCA and use that information. Will this judgement spur hackers to relocate to South Carolina and access all types of confidential information stored on the cloud? Of course they can't take patented or copyright information, but what about companies that likely don't have such information patented, trademarked etc or protected by other laws (e.g. privacy legislation, theft of credit cards, etc)?

It's interesting how vulnerable cloud, and technology in general, is to the inability of law makers and judges to see into the future. Common sense would dedicate that a person that buys or uses a service and keeps it secret via a password, expects that the information to be confidential to them. But I am not a lawyer, just an accountant in tech. That being said, it is unlikely that Google, Microsoft, Amazon, and the other tech giants will take this ruling lying down. One can expect that they will use their dollars and influence to allay fears that their services are safe from "legal industrial espionage".

Tuesday, October 9, 2012

Huawei & ZTE: Corporate spies or victims of non-tariff trade barrier

On this episode of the TWIT network's Tech News Today had an interesting discussion regarding the recent allegations that Huawei and ZTE were spying on US companies that purchase and use their equipment. As they hosts of the tech news show pointed out, Congress does not have any evidence that the firms were involved in such activity, but were rather concerned with the relationship of the two companies with the Chinese government. Another interesting point that they pointed out was that Cisco would benefit from such a ban. And according to this article, Cisco has paid $640,000 in lobbying on "measures to enhance and strengthen cyber security". As one analyst quoted by Bloomberg put it, "This is going to allow Cisco and Juniper to compete more fairly". However, Huawei too has been lobbying the US government to the tune of  $820,000. Although many have cited Chinese hackers as a threat, for example, it is suspected that Nortel was targeted over a ten-year period by such hackers. However, it is important to recognize that other factors are at play on the specific issue of ZTE and Huawei and that the risk of Chinese hacks should not be overstated. After all, non-Chinese companies do conduct industrial espionage against one another. For example, SAP had to pay $120 million to Oracle for such activity, which occurred in 2007. But if you raised the threat of German firms hacking to get into American companies, people would think you are not well. So although this threat is real, it is not new and it's not just coming from the Chinese.

Big Data: Some resources

For the CAs and CISAs, looking for the coles notes version of what's going in the world of big data, check out the following podcast by David Linthicum and company; some of the most knowledgeable people on Cloud computing. Chris Daly (who works with Dave) provides a good nine item list based on this article. Chris did us all a big favour by breaking down the slideshow into a nice list of nine points. I will let you click on the link to see what they are, but I thought it was interesting to comment on the first two:

  • "Define the business drivers". It's pretty amazing how this single premise is one of the most critical concepts on business-technology, that requires constant attention! Ironically, I just finished answering a question to a fellow accounting profession who is taking a course on IT controls to emphasize this point. What I explained to him was that the fundamental concept here is that technology changes are driven by business. In other words, IT Strategy or investments must be driven by the overall value drivers of the business.As for why you would not make changes to the system because of technological improvements is because those technologies may have no actual "Return on Investment" (ROI) for the business. In other words, companies should not adopt technology for the sake of technology. 
  • "Discover the data and it’s location". Wow! For those of IT-auditors that run computer assisted audit techniques (CAATS) can really appreciate how these six words can represent a mountain of work! When I teach the computer-assisted audit techniques course at University of Waterloo, I always make a point of warning my students of the practical limits of running CAATs: getting the data can be the hardest aspect of the whole process. For those of you not familiar what CAATs are, they are basically  automated tests that auditors will run using "generalize audit software" on data that is used to support items on the financial audit. You can also use these technique to identify security issues or fraud; see IDEA's Caseware. (Full disclosure: Caseware is a both a sponsor of the Center that supports this blog as well as the course I teach at UW). For example, these tools help perform full analysis of a set of data e.g. identify all the negative amounts in an inventory file or link files to together using a unique identifier to compare the data from one file (e.g. credit limits) to the data in another file (e.g. total amounts owing by the customer. Also, check out the wikipedia entry it's pretty good. 
For other sources, check out the massive (and free) report from McKinsey on Big Data, which they have even made available to run on your Kindle App on your Android or iOS device. Also, check out this CAMagazine article on the topic. This HBR blog post has provides a look at the overall issues, including privacy problems. 

If you have any other resources, especially from an IT Auditor (i.e. security, data integrity, etc), perspective, please do share.

Sunday, September 30, 2012

MS Office goes Cloud: Quick overview of benefits and things to watch out for

Earlier this month, CNET's Mary Jo Foley reported on Microsoft's move to Office 2013. As noted on a previous blog post, this is a huge year for Microsoft as it moves to the tablet-centric  Windows 8 operating system. Well, they seem to be doubling down on dramatic shifts as they launch a SaaS offering of their infamous Office productivity suite; Office 365. Mary Jo reports that Microsoft will be giving a choice between purchasing Office 2013 as "normal" or as a subscription to its cloud version of the software. To sweeten the offer Microsoft is offering the following extras (credits: Mary Jo and Paul Thurrott): 
  • Ability to log-in to 5 different PCs or Macs 
  • Access to Word, Excel, Powerpoint, OneNote, as well Access, Publisher and Outlook
  • 60 Skype World Minutes a month
  • 20 GB of SkyDrive storage
  • Update on security and other patches
  • Access to new functions through the subscription period (i.e. you don't need to wait for the next version)
In contrast, the standard PC-installed version of Office 2013 can only be installed on one machine. Also, to get access to Access, Publisher and Outlook you need to Professional version (Mary Jo has a great table here that explains the different options). 

Office 365 Home Premium is $99.99/year, which covers an "entire household" (i.e. Paul Thurrott explains that it is not tied to a single individual, but can be used any person located at that address). Assuming that this will be same price in Canada, this would amount to $9.42/month (including HST) which is cheaper than two venti lattes at Starbucks. This is in contrast to Office 2013 Professional, which retails for 399.99+HST (and 139.99+HST for the Home & Student version, which includes Word, Excel, Powerpoint, and OneNote). 

However, the big story here is that Microsoft getting the average user  - to the Cloud! (Oh, yes – it was Microsoft that came up with those terrific ads didn't they?). Some may say that this is yesterday's news because Google Docs  has already brought cloud-based office productivity. Although that may be true, if you ask my students they're using Google Docs to collaborate but still rely on MS Office to print a report or assignment. And of course when they go on their work terms, the firms are still using MS Office (so they need to know how it works and be able to use it well).   

In other words: Is the world ready for moving their recipes, financial budgets, and other personal documents to the cloud? 

For those that want the full low down on cloud, they can download this whitepaper from the CICA, which I wrote with Yvon Audette of KPMG. Alternatively, here is a short list of things that you can talk to your friends or whoever that are wondering what happens if they decide to go to go with Office 365 or another cloud based app.

Pay for what you use: In terms of benefits, MS has really sweetened the pie with the extras they noted above. The other implicit benefit is that you are not paying for a static piece hardware upfront. Furthermore, if you decide to change your mind later on you will be out only $100 instead of $400. For example, to buy Office  Professional you have to fork over $400 on the spot, where as with Office 365 you pay as you go (i.e. $100 per year). So if you decide a year from now that you don't use all the extras that Office 365 comes up (i.e. let's say you are not using the extra software, such as Publisher, Access, Skype, etc) you can buy the Starter version or switch to an open source alternative. 

The Cloud Can Go Down, but so can your laptop: There have been cases of cloud outages, as I noted in my last post. Consequently, you should create a local backup of your files from Office 365, so that they are accessible off of the cloud (I am hoping Microsoft will make this easy) and won't get corrupted if there is a problem at Microsoft. However, let's be honest - what's more likely to go down Microsoft or your own laptop? The advantage of Office 365 is that if your laptop goes down, you can always access it from another laptop. In other words, your data is no longer tied to your machine.

You have less control, but you've handed it over to Microsoft (who should know a little bit about good computing practices): It should be clear that you are handing over your files to Microsoft to manage for you. But this may be a good thing, as they may do a better job than you. For example, if you don't do local backups (as you should), then Microsoft likely does. According to this link, they perform an ISO 27001 audit (click here to see what that covers) as well as HIPAA, FISMA, and EU Model Clauses. The certification that is absent is the new SOC 2 (see here for the difference between SOC 2 and SOC1. SOC 1 replaced the SAS 70 Type II reports, which outsourcers previously used and abused).

Terms of service (ToS), assume nothing: In general, cloud service providers have an army of lawyers to indemnify them from pretty much everything. So you should assume if anything goes wrong it's tough luck for you. Also, beware on what they say in terms of who owns the data (ZDNet did an analysis last year for online storage, we hope they update it for the new Office 365). According to this post, Microsoft pays back money for downtime for the Office 365 they were offering to businesses - but it is unclear whether they would do the same for consumers. 

Is a hacker also using Office 365? Amazon's cloud service, EC2, was used by hackers to launch the infamous attack on Sony's PSN. Security researchers were also able to spy on fellow "tenants". So what do these two facts add up to? Hackers will try to see what  vulnerabilities exist in Office 365 to exploit to get data from other users. That being said, hackers are mostly after credit card data and it may be more trouble than it's worth to mine terabytes of cake recipes and essays on Shakespeare to find what they are looking for (but 'big data tools' do make this easier). 

Privacy: accidental disclosures and the reality of law enforcement. In addition to nefarious individuals lurking on the internet, there is a risk that something will go wrong and the wrong user will get access to your documents. For example, Microsoft's precursor to Office 365 (known excitingly as BPOS) experienced precisely this kind of breach (to be fair here is MS's defense). In terms of privacy, the way the privacy rules works is that if the provider tells you in the ToS that they will hand over things to law enforcement then they are covered from a privacy compliance perspective. (See the Privacy Commissioner's handling of the complaints against CIBC). Furthermore, as noted in this article both American and Canadian law enforcement and other agencies can access what you put on Office 365 and they don't need to do tell you about it. 

With Microsoft's push to the cloud, it will be interesting to "consumer outsourcing" works out. For example, how will the masses react to an outage? Will grade school teachers accept the excuse that the "cloud ate my homework"? Or will we be surprised at how adept people are to the new realities of the cloud? For example, people nowadays have camera free parties to manage the risk of the 24-7 surveillance world we live in due to social networks. Practically, consumers can use free open source alternatives to keep their personal documents offline and use Office 365 for things that they don't consider sensitive or to meet the demands of employers/customers and some of these providers are keenly working to make their offerings interact with Office 365. However, the problem is that if they are used to using Excel offline to keep their budgets are they really going to switch to the open source alternative? I guess we will wait and see what happens. 

Sunday, July 8, 2012

Electrical and cloud outages: Is it time to bring both on premise?

Amazon experienced an outage that affected a number of companies that rely on their cloud service. The company informed its users that its service went down due to the power outage stating: 

"On June 29, 2012 at about 8:33 PM PDT, one of the Availability Zones (AZ) in our US-EAST-1 Region experienced a power issue.  While we were able to restore access to a vast majority of  RDS DB Instances that were impacted by this event, some Single-AZ DB Instances in the affected AZ experienced storage inconsistency issues and access could not be restored despite our recovery efforts.  These affected DB Instances have been moved into the “failed ” state.

This notice was actually taken from CodeGuard (a start-up that takes snapshots of websites enabling owners to undo unwanted changes) who was one of the companies affected by the outage. 

As can be expected, many will use this as an opportunity to illustrates the danger of moving from on premise to the cloud. A parallel argument would be to highlight the dangers of drawing on electricity from the central grid. One would argue one is more reliant on power than on computing - so why not bring electricity "back" on premise? This is an absurd argument, but that is exactly the point. Companies, as pointed out by Nicholas Carr in the Big Switch, used to produce their own electricity, but eventually moved to rely on the grid for power.  Today hardly anyone produces their own power, but has backup generators in place to provide power should grid go down. And that's the right question to ask: why was there inadequate backup power at Amazon? In other words, society has decided to live with the fact that electricity is delivered centrally - but has built in controls to manage issues that may arise. 

Instead of viewing this as a black mark against cloud computing, it is important to view this discussion in the context of risk. Charles Babcock, InformationWeek published a good article on the reaction to the Outage. He noted that some are leaving AWS in reaction to the service. Specifically, (an online dating service) is moving to a hosted solution - away from the cloud. However, he also mentions, Okta (an identity management service) that was unaffected by the outage because they designed their application to be fault tolerant.  

In other words companies need to focus on whether the benefits of cloud computing outweigh its risks. Cloud provide pay-as-you-go computing - giving companies who have uneven workloads the ability to buy compute resources when they need it. It also give start ups, like CodeGuard, a chance to get their offerings into the market.  Here,here and here are the follow-up posts to their outage - they were able to get back online and they are sticking with Amazon. And this should not be a surprise to anyone. Technology startups can leverage the pay-as-you-go model of cloud computing to conserve their capital and instead focus on getting their offering out. For example, the founder of Animoto, points out they went from 50 to 80 compute to 3,500 instances over three-days (they were signing up 25,000 new users per hour at the peak) when their app went viral. So companies will hopefully use the cloud outage to highlight the need for good design and appropriate controls instead of an excuse to stick to the status quo of on-premise computing. 

Thursday, July 5, 2012

Tablet: Who will challenge Apple - Google or Microsoft?

Microsoft: Enters with a tablet that it manufactures
On June 19th, Microsoft unveiled it's Surface tablet. Microsoft did its best to enshroud the announcement in secrecy creating a buzz in the press (attendees did not even know until the last minute where the location of the event was - they just knew it was in Los Angeles). Microsoft released the following promotional video of the device: 

The big surprise is that the company is following Apple's lead and getting into the hardware manufacturing game. Although Microsoft has experience successfully manufacturing hardware (i.e. the X-Box gaming console), the issue is that it is now competing with the OEMs that have been the key distribution channel for Microsoft's Windows OS. One key advantage of this approach is that they will be able to control the product end-to-end and seamlessly integrate the Windows 8 software and the hardware. The second key advantage is that they will have more control over the pricing, as they can effectively waive the licensing fee and just make profit off of the hardware. 

In a recent interviewBill Gates attempted to quell OEM fears that have emerged as a result of this move. But to put things in perspective, Microsoft has been aware of the issues related to relying on the OEMs to produce a great Windows experience. In early 2011, they started Microsoft Signature program. For $99, Windows 7 user can remove the "bloatware" installed by OEMs and get Microsoft to install a suite of Microsoft software, such as Windows Security Essentials (but this has to be done in a Microsoft Store and there is only rumours of one to open at Yorkdale). Alternatively, users can buy a Signature certified PC from Microsoft directly from its web store. The result is a better performing PC. Consequently, the move to manufacture its own device is a good way to ensure that Microsoft is setting the standard for performance of Windows 8. That way if there are any issues it can be blamed on the OEMs and not the actual OS. 

Google's Regroups and Attacks with the Nexus 7 Tablet
Last week at Google I/O, Google unveiled its much rumoured 7 inch tablet, the Nexus 7:

Google, like Microsoft, is manufacturing the tablet itself and has already made it available for pre-order via the Google Play store (and yes, unlike Amazon's Kindle Fire, it can be bought in Canada!). 

Google's challenge is similar to Microsoft, with an added snag: they depend on the carriers to roll out their OS releases. This, speaking from personal experience, can be a tedious process. As an owner of the Samsung Galaxy Note, I am still waiting on Bell Canada to roll out Ice Cream Sandwich (Android 4.0) - even though Google has already moved on to the next relase of their OS:Jelly Bean (Android 4.1). With this wifi only tablet, they can reach the consumer directly and give the consumer access to the latest and greatest OS.  Similar to what Apple does with its iDevices and what Microsoft is attempting to do with the Surface, Google is controlling the hardware, so they can also create a seamlessly integrated product. 

Microsoft vs Google: Who will give Apple a run for its money?
The two offerings compete against Apple in two different domains: Microsoft is relying on consumerization to eat into Apple's domination, while Google is going after portability and price. 

The primary focus of the Surface tablet (as illustrated by the fancy ad, revealing the tablet in LA, etc) and Windows 8 in general is the consumer market. In the short term, Microsoft is hoping that their tablet offering will be appealing to Corporate IT because of its easier fit into the enterprise (i.e. in contrast to the iPad): executives and other employees that want a tablet can get an easier to integrate Microsoft tablet (e.g. Active Directory, etc) instead of the iPad. Furthermore, it has Microsoft Office - which is a key standard in office productivity that iPad users have to had work around. However, this is a minor aspect of the Microsoft strategy which is more about stopping the bleeding of their corporate stronghold to Apple

In the short term, the majority business users will resist the move to Windows 8 because it is so radically different. And according to Paul Thurrott, it appears that Microsoft has given up on the business users with this release of Windows 8. However, this may not be a bad strategy. Microsoft realizes that corporate IT was going to take a few years to switch to Windows 8 - even if it was not radically redesigned. During these years between when corporate IT would have migrated from Windows 7 to Windows 8, Microsoft is expecting users to become  accustomed to the new windows 8 interface in their personal lives. Once this occurs, Microsoft is hoping that trend of consumerization will play in its favour: home users who enjoy the Windows 8 Metro interface will put pressure over time for corporate IT to switch to the new version of Windows - just as the iPhone users put pressure on corporate IT to dump RIM in favour of Apple. 

This is coupled with the fact that users will no longer need to carry a laptop and a tablet: the Microsoft window 8 machines can act as a laptop when you are at work or at home and as a table when you are on the go. There is no need to sync files between the two machines. Of course, this assumes that Window Surface machines have a long battery life and will be as reliable as iPads. But the new Windows 8 is smooth and responsive (I had an opportunity to try it out on a Windows 7 Acer Iconia tablet), so there is a reason to hope that this will work out. 

Google's recent foray into the tablet market is a little different. Google is working off its previous failed attempts, specifically Honeycomb, to get something out there that will compete against the iPad. With the success of the Kindle Fire, Google has zeroed in on price and portability as key features of the tablet. Will the fact that it is WiFi only hurt its appeal? I don't think so. With the majority of smartphone (even BlackBerry!) being able to act as WiFi hotspots, this is not much of an issue. More importantly, users are not locked into 3 year contracts with cell phone providers.  From Google's perspective, it also removes the carriers as an obstacle to getting the latest-and-greatest Android OS to the end-user. Initial reviews of the device are positive. Although I was tempted to buy this, I realized that since I have the Galaxy Note "phablet" (a term that I despise) it doen't make sense to get a 7 inch tablet. Besides, I should save up for the Surface :)

It appears that Apple is aware of Google's strategy: they have lowered the iPad 2 by $100 (i.e. when they released the 3rd generation iPad) and rumour has it that they are preparing to launch a 7 inch tablet themselves.  But is the company underestimating Microsoft? Microsoft's Windows 8 Metro interface appears to be unique enough that Apple can't rely on its armies of lawyers to sue Microsoft (i.e. as it has done to "compete" with Samsung's products). The other problem is that Microsoft still dominates not only corporate IT, but also office productivity - people are addicted to Word, Excel, PowerPoint, etc and it is hard to let go. That being said, Microsoft is rumoured to have a version of MS Office for the iPad. If this is true, then Microsoft would be shooting itself in the foot as it would hand over this key strategic asset to Apple on a silver platter. On the other hand, Microsoft could become a dominant force for tablets when it comes to business users (anyone ranging from a business student, entrepreneur, or cubicle dweller). However, I think that Apple will continue to dominate the pure consumer market because they have been successful a the "toasterfication of IT": using the iPad is almost as easy as operating a toaster. Anyone with kids or older family members, can see how intuitive the device is. Microsoft is attempting to get into the space with the ARM version of the Surface Tablet. However, this is a long shot because they are behind in apps and, more importantly, the device is quite a bit more complex than a toaster. 

Wednesday, June 6, 2012

Oracle & Google IP Trial: the Judge is the Gem

Last week the "WorldSeries of intellectual property trials" came to a close. Oracle, who purchased Sun Microsystems, was suing Google over its use over Java. Oracle claimed the Google had infringed on 37 of its copyright "APIs" or application programming interfaces. 

What is an API, you may ask? I also had the same question and found the following resources that may be of help:
  • Simplest definition that I found was on the Guardian's reporting of the trial who defined APIs as "computer language that connects programs and operating systems – known as application programming interfaces". But I wasn't satisfied with that, so I dug some more.
  • CNET had a number of good resources on the topic. This FAQ gives a good broad overview of Java and explains the relevance of APIs to the programming language. However, the article that probably sheds the most light on the topic is this one. The article walks through a key part of the trial where Joshua Bloch (former Sun Java-expert-engineer now working for Google) defines an API "as "names or words and a set of rules." When the program speaks to a library, it has speak in a very precise language, he continued. Typically the words are verbs and phrases, such as "remove the header."". What is also helpful is the accompanying slideshow that illustrates the lines of codes that Oracle claimed that Google infringed upon.

Google sought to pay Oracle 2.8 million, but Oracle wanted a cool billion for what it deemed to be a violation of the copyrights. The end result was that Oracle lost; the judge delivered a narrow ruling that Google use of the APIs was not a violation of copyright because APIs cannot be copyrighted. As reported on GigaOm, "The crux of Alsup’s ruling today is that 37 of the Java application programming interfaces aren’t eligible for copyright in the first place. Copyright typically protects authors’ work — in the form of books, music, computer code, etc — but doesn’t extend to functions or ideas."

IP: A drain on innovation
The case is a good piece of evidence for those that are critical over the patenting of software.Critics, such as John C. Dovorak, point out that the system is dysfunctional altogether. From a resource allocation point of view, this trial illustrates that a significant amount of resources are dedicated to litigation. According to Patrick Doody, an-ex partner at Pillsbury law firm, the trial is estimated to cost $50 million. Leo Laporte, owner of the This-week-in-Tech (TWIT network), routinely points out in the podcasts that he produces - that software giants waste money on patent suits instead of spending those same funds on innovation. To quantify his argument: if the average salary paid to an IT professional is $80,000,Google and Oracle could have invested in about 625 full-time equivalents (FTEs)  worth of work instead of litigating this trial. Of course such logic is lost on Capitalist enterprise, whose focus is profits over innovation. 

Technology & Society: A Watershed Moment
Another nugget that came out of this trial was the reason that judge William Alsup's (the judge presiding over the trial) rejected Oracle's argument. The judge challenged Oracle's assumption that a "range check" was difficult to build - because he knew how to code in Java! 

According to Wired,  "he had learned to code in Java for the trial — implying that he knew other languages as well — and he said that he had written some of the infringing code at least a hundred times since Oracle filed its suit in August 2010. “I can do it. You can do it. It’s so simple,” he said, adding that it takes less than five minutes. Then looked directly at Boies. “You’re one of the best lawyers in America — how can you make that argument?” he demanded.

Posts in the tech community, notably on I-Programmer and O'Reilly, point out that this is  a watershed moment in society: code and technology is "a part of the world we live in".

Can one make the analogy that if judges should be this technology proficient, so should audit practitioners?  

Given the nature of the accounting profession, it would be difficult to make it mandatory for audit practitioners to program. However, on the other hand, the profession should use this opportunity to re-examine what aspects of technology should be a part of the audit practitioners skill set - given that is clear that society's attitude towards technology has clearly changed. 

Sunday, May 13, 2012

DNSChanger Virus & Trust on the Internet

I came across this forum in a CNET Newsletter which I subscribe to. The immediate issue on hand is the DNSChanger trojan. As discussed in this post, it is a nasty piece of malware that has infected not just PCs and Macs, but also routers and other network hardware. As mentioned on my post on the virus attacks on Macs, the culprits are not attention seeking hackers but an Estonian criminal gang that managed to steal $14 million from its victims. Although the FBI was able to catch the criminal gang and the rogue DNS server, they were unable to shut off the rogue servers immediately because this would result in the infected computers being suddenly cut off from the Internet. So instead the FBI "chose to keep the rogue DNS servers active and convert it to a legitimate DNS system for infected computers" and conduct an awareness campaign to alert users about this potential infection before shutting off the rogue DNS server. They plan to do this on July 9 2012.

For more information on how to address this issue, see:
The other aspect of this story relates to credibility on the Internet. "Barbara" submitted a classic "Dear Editor" letter to CNET which was the subject of the feed I received in my email. She did not know whether she should download the tools from and thought it could be a scam (see the first post at the top). Although she more than likely Googled (or Binged) the topic, she did not trust the results. Instead, she needed to turn to CNET as a "trusted intermediary" to verify that the tool the FBI was offering to clean the system was indeed legitimate. This illustrates a challenge for the new "here comes everybody" approach to the Internet enabled media: How do we verify claims on the Internet? Clay Shirky (who is the author of the book Here Come's Everybody) has analyzed how the Internet as a broadcast medium has made it possible to get one's news on events outside of the traditional mediums of print, television or radio, which were controlled by professional journalists. The implications of his analysis is that the previous monopoly that journalists had on broadcasting will be undermined by just regular people who can supplant such traditional media organizations through blogs, wikis and the like.  However, Barbara's concern about being duped by nefarious actors on the open Internet highlights how there continues to be a need for trusted institutions or individuals, such as CNET, to add credibility to news in order to effectively act on something such as the DNSChanger trojan.

This, however, does not mean that pre-existing business model of the media, which relied on its on monopoly on broadcast technology will continue to be viable. Changes will have to be made. For example, Encyclopedia Britannica was able to successfully shift from its previous model to of selling physical books to an online subscription model. In fact, 2012 will be the last year that they will be selling its iconic set of encyclopedias. More importantly, Encyclopedia's new approach is a good example of how people are willing to pay a premium for an "authenticated encyclopedia" instead of solely relying on the "free encyclopedia" Wikipedia. That being said, Encyclopedia Britannica's model may not work for traditional news outlet. As Jeff Jarvis,  professor in journalism at CUNY and author of "What would Google do?", points out on his post on the danger of pay walls, media organizations stand to lose audiences and therefore "Googlejuice" by adopting this approach. His post highlights the conundrum that media organizations find themselves in. Do they opt for the pay walls which are akin to the old way of doing things? Or do they embrace the "Googlejuice" and rely on online ads and greater user interaction? It will be interesting to see how this all gets sorted out.

Thursday, May 3, 2012

Mobile Access: Canada falling behind India and China

According to a survey from Randstad found that Canadian workers are less connected then counterparts in India and China. According to the article, 76% of Canadians were connected. Although this is the majority, it is materially lower than the level of "connectedness" with counterparts in India and China where 93% of workers were connected. The article lays blame on the exorbitant fees paid by Canadians for the Internet in contrast to other countries (e.g. see this post which compares to the US. Besides the stats, US providers give 2-year contracts instead of 3 year contracts) . One of the factors that contributed to the adoption of the internet was the availability of unlimited dial-up access: users did not have to worry about rates, so they were more willing to adopt the new technology (e.g. users had to pay $20/month for unlimited internet in 1997). So price does matter when increasing the adoption of technologies. With the growth of mobile commerce in places like the UK, Canada could fall behind not just in mobile commerce but the overall development of local apps and mobile services.  

Sunday, April 29, 2012

Cloud Computing and Unbilled Deferred Revenue: On the way to another bubble?

I was reading this report on the outlook cloud computing from GigaOm and came across an interesting accounting term:  "unbilled deferred revenue". When I googled the term, I came across the following explanation from "Unbilled deferred revenue, represent[s] business that is contracted but unbilled and off balance sheet". In other words, it is revenue that can't be recognized because it is not earned and it is off-balance sheet because it has been collected! Will such funky accounting terms be used to fuel a bubble vis-a-vis the cloud? It appears I am not the only one that saw the need to look into this a little deeper. This article actually analyzes the term and gives some rationalization to the concept: "[Subscription economy is] one way to make sense of cloud computing and the many new and very different ways of doing business on the Internet. We're most familiar with Software as a Service and how different it is from conventional licenses; so familiar, in fact, that I don't need to describe it for you here." 

One of the key factors in bubbles (based on a paper that Efrim and I wrote a few years ago) was "speculative valuation models".  So the next step is for some physicist to figure out how  "unbilled deferred revenue" can be put into a black-scholes type finance model -  and voila! -  we are are on our way to the next tech bubble. 

Of course there are other factors (see the paper for the list) that are necessary to inflate a bubble. The one to pay particular attention is to whether the credit is flowing freely. With the debts woes of Europe and people still stinging from the sub-prime crisis, this factor may inhibit the inflation of such a bubble. However, this assumes banks and traditional lenders will be the primary source of capital. The reality is that tech companies are awash in cash, and as evidenced by Facebook's acquisition of Instagram for a cool billion, they appear ready to step in and make the necessary deals to potentially fuel another tech bubble.  

Thursday, April 26, 2012

Google Drive: Cost, Security and Other Issues

Earlier this week, Google released its much anticipated release of Google Drive (even the official blog referred to it as the "Lochness monster"; due to the fact that Google was supposed to release this years ago). For those interested in how Google Drive stacks up against other cloud based storage services, see Dana Wollman's post on Engadget. Included in her post is a side-by-side comparison of Google's offering against  Dropbox, Microsoft SkyDrive and iCloud. In terms of security issues, this CIO article points out that it will be hard for system administrators to block Google Drive because it will be hard to distinguish from the other Google services (e.g. Gmail, youtube, etc), which many organizations allow users to access. 

As with any other cloud service, users need to be aware of the terms of service (ToS or "click wrap" agreement) which bind the users to all sorts of conditions (this ZDNet article gives a good analysis of how Google is imitating DropBox a little too much). This article claims that users concern that content shared would be owned by Google "are probably unfounded". Their evidence: Google's ToS are the same as Microsoft's ToS for their cloud drive offering. However, the following ZDNet article extracted the ownership clauses and it seems that Microsoft is much clearer in stating that the content belongs to the user and not Microsoft (but you can see it for yourself and decide). 

Although Google may capitulate to public pressure and alter the terms of service, the incident highlights one of the key trade offs with the cloud: convenience of the cloud comes at the cost of control. For example, most, if not all, cloud service providers (CSP) will hand over data to law enforcement - without the consent of the data owner. However, if the same law enforcement agencies wanted the data hosted at your business or house; they would have to obtain your consent first - because you are in control and not the CSP. 

Beyond the privacy issues, if CSPs are free to write their own terms of service customers, especially the small and medium sized businesses (SMBs), will be at the mercy of these large players who have an army of lawyers at their disposal to write the ToS in a way to protect the CSP - leaving the SMBs vulnerable. That's until there's some cataclysmic breakdown in the cloud forcing the regulators to act in a way to protect users from such agreements, similar to what we saw with SOX or even the birth of the SEC itself after the depression.

Sunday, April 22, 2012

Macs & Viruses: The End of Innocence

Macs & Viruses: The End of Innocence

With the Flashback botnet continuing to plague Mac users, it's good time to reflect on those Apple vs PC Ads. Oh you know the one where the slick Apple dude tells the PC guy that Mac's "don't get viruses".  And that probably was true when the ads ran in 2006: malicious code has been traditionally targeted towards Windows. For the cybercriminals behind these outbreaks it's just a game of numbers: more PCs users = more potential victims =more $$$. However, the picture has changed from 2006: Macs have risen from being 4% of the market to nearly 13% of the market in Q3 of 2011.  However, the numbers are just one part of the story. As illustrated Apple's smug ad, Apple users have been lulled into a false sense of security: "PCs not Macs" get viruses. This makes Mac users a juicy target for viruses, as they are likely not to have the proper security in place to prevent viruses.  Sorry Mac users, I know it's a sad day - but you have to defend yourself from viruses just like all the PC users out there. 

Monday, April 2, 2012

Security Rating in the Cloud

Security in the cloud is an issue of paramount importance to companies. Cloud computing is one of the biggest trends in eBusiness since the invention of the internet. But security has lagged behind the other aspects of cloud management.

In the attached (referenced) article published in ISACA Now, Antonio Ramos, CEO of Leet Security puts forward an argument for the implementation of security ratings for cloud service providers. Such ratings would be similar to credit ratings used in the financial world. He points out, correctly I think, that although credit ratings suffered credibility during the financial crisis, generally they have served the financial and investment world quite well. he argues that security ratings could serve a similar purpose for the cloud.

An idea worth thinking about. Check out his article here.

Wednesday, March 28, 2012

Black Holes a Major Security Concern

Scotiabank recently named black holes as its major security issue for 2011. They encountered a concerted effort by hackers to draw their people into them through setting a variety of traps (some 50 types of them they said). When users click on the URLs in the traps, they are drawn into a series of illicit domains that search their computers for vulnerabilities and then plant viruses that exploit these vulnerabilities. The viruses are shielded so that the anti-virus software can't recognize them. The most effective way to safeguard against these black hioles is to block the URLs that lead to them, but this is a big job and depends on having a knowledge of what those URLs are. Scotiabank managed some success in dealing with them, as explained in this article.

Friday, March 23, 2012

Growing Security Issues  - IBMs Response

It's no secret that security has been increasingly challenging in recent years. And the challenges have been growing at an alarming rate, with some security experts claiming that the situation is becoming unmanageable. The scale and sophistication of hacker organizations, such as the one called "Anonymous" has outstripped the capabilities of most security systems except (perhaps) some of the world's most secure sites.

IBM has announce the formation of a new business unit IBM Security Systems - a complete unit of the company that combines its massive data analytics capability with its IBM Managed IT Services, another area for which IBM is well known. Amazingly, IBM  security systems monitor some 13 billion security incidents PER DAY. Which indicates the company's expertise is beyond question.

This announcement comes on the heels of the announcement by Big Blue of a new security tool QRadar, which applies powerful data analytics to security related data. These are significant events, and important advances in the interests of fighting cyber crime. Here's an article on the subject.

Wednesday, March 21, 2012

Need for Better Security on Smartphones

The Privacy Commissioner of Canada is calling for people to use passwords on their smartphones. She points out that they already contain a lot of personal information (and often sensitive corporate information) that should be protected. Security on phones is very lax now, but the need for it is growing daily. Also, the pending movement into mobile payment systems will make smartphones much like wallets, with perhaps even greater risk.

Some experts say it is time that the manufacturers should be required to install mandatory password systems.Not an unreasonable proposition, given the security risks out there. Here's a write-up on the Commissioner's thoughts.

Monday, March 19, 2012

Courts Strengthen Privacy Law

In a recent case involving two bank employees, Jones vs Tsige, one of whom accessed the bank records of the other for personal reasons, the Ontario Court of Appeal granted the offended party the right to pursue an action, despite the fact that there was not a clear legislative basis for the action. Current privacy laws do not cover such events.

The decision also did not require a measure of damages, which is one of the normal foundations for civil litigation. Instead it established a standard remedy based on a scale of importance.

The decision could trigger a new era in privacy law, whether or not it is followed up with new or revised legislation. The court indicated that in making the decision, it is trying to keep pace with rapidly changing technology, which is making access to information increasingly difficult to protect.

For a summary of the case, check this article.

Thursday, March 15, 2012

COSO Exposure Draft - Comments Due Soon

On 19 December, an updated Internal Control – Integrated Framework (COSO) was released for public comment. Deadline for comments is March 31, 2012.  ISACA provided a Webinar on February 23 which is archived on its site. For further information and to provide comments, visit the COSO site at