Written on January 27, 2007
So, I was teaching today on intellectual property concepts and came across this very interesting patent on using wormholes to transport full human bodies through hyperspace. Quoting now:
A full body teleportation system consisting of: generating a pulsed
gravitational wave which propagates through a magnetic vortex wormhole
generator; and generating a wormhole with the magnetic vortex generator whereby
the pulsed gravitational wave traverses through the wormhole and enters into
hyperspace where the wave is enormously magnified due to the lower speed of
light in that dimension.
Right. You know we’re living in an age of technological magic when you start seeing this stuff come down the pike…
Written on January 24, 2007
Microsoft has released a new portal site for Longhorn (Windows Server):
http://www.microsoft.com/windowsserver/longhorn/default.mspx
They’ve also begun registering partners for the beta release…
Written on January 24, 2007
McAfee’s recent white paper on identity theft and the state of malware found that keylogger use rose more than 250 percent from 2004 to 2006.
Keyloggers are usually software applications that reside in a computer’s memory and record keystrokes from the keyboard; they can also be hardware devices installed as a wedge between the keyboard port and the keyboard itself.
Software keyloggers are installed by phishing scams, as virus components, or as part of a third-party application install. They usually run as a program that sits silently in memory and goes unnoticed. Many users don’t inspect their keyboard connections before using their PC, so someone can install a wedge, capture keystrokes, then reassemble the keystrokes into account numbers, passwords, and other private information in order to compromise the user’s security.
You’d see a wedge used when somebody has physical access to a computer – think of a janitor or co-worker, someone in proximity. Software can be installed through multiple means.
The keylogger works well because it captures the data straight from the input (the keyboard), bypassing encryption processes or visible transformations on the screen (like converting your password to *****).
Interested in keeping away from phishing scams and keyloggers? Try this site out:
http://nophishing.org/
Written on January 16, 2007
Here are a couple of pitfalls you should be aware of when upgrading from Microsoft Windows XP to Microsoft Windows Vista next month.
1. No DVD? No Vista-A-la-Vista, baby!
Windows Vista will ship on a single DVD. If you’re still using a CD-ROM drive, you’ll have to ask Microsoft to send you alternative media just to install Vista.
2. Legacy Antivirus Tools? They Won’t Work!
Have an antivirus product made prior to 2007 already installed? Uninstall it before the upgrade – it likely will not work inside Vista.
3. Driver Support? Extremely Limited!
Your existing driver set will not port over into the Vista environment. New device drivers will be supplied during installation, but a majority of OEMs don’t have driver sets ready for Vista at consumer release! You may install Vista only to find that your printer, external hard drive, or PDA suddenly won’t work with the new OS.
4. The My Documents Folder = Documents in Vista!
Many of your system’s automatic paths in pre-installed applications will look for the “My Documents” folder. In Vista, this folder has been renamed “Documents”. Pre-set paths will now make it appear as if all of your documents have gone missing.
5. Don’t Upgrade. Buy New.
Word on the street is that Vista upgrade installs perform slower and less predictably (i.e., significant installation problems befuddle the process). Most recommend that, unless you want the cutting-edge Aero interface and the security benefits rolled into Vista, you do not upgrade from Windows XP. Instead, identify your driver set ahead of time, wipe the drive clean and install fresh, then restore your files, drivers and customizations. Users unfamiliar with this process will probably just want to buy a new PC with the “Vista Premium” logo.
Bonus Tip:
Identify your licensing ahead of time. There are six different licensing options to Windows Vista.
Starter
Home Basic
Home Premium
Business
Enterprise
Ultimate
The average home user will likely want Home Premium; support for Home Basic is already set to expire in 2012, and it has a crippled feature set in comparison to Windows XP; Starter is not available as a retail box and will be used for third-world computing.
If you want to use Windows to tie into a corporate network, then Vista Business is for you. Larger companies will want Vista Enterprise. But if you want all of the multimedia capabilities you already have with XP (grin) along with the Vista Business capabilities, then you’ll need Windows Vista Ultimate!
In short, use a lot of caution in this upgrade. Take nothing for granted.
1. Do a full system image (Acronis, for example, would be a good product here, or Norton Ghost) prior to install.
2. Use the Vista Upgrade Advisor to check your hardware and software compatibility.
3. Plan for complications; have your drivers ready on a burned disc and not a USB drive.
4. If you can, wipe the existing drive image before installing Vista.
If you can wait rather than pay more for the same features you already have, then do so; you might want to wait until Vista comes pre-installed on a new PC.
R
Russell Mickler works as a technology consultant in Battle Ground, WA, USA. With over thirteen years of experience, Mickler holds a CISSP, MCSE, a Masters Degree in Information Technology, and is pursuing his Doctorate at Walden University. His website can be found at www.micklerandassociates.com; he can be contacted at mickler@micklerandassociates.com.
Written on January 11, 2007
The CPO – Chief Privacy Officer
Privacy has become a principal concern for organizations given the problems of regulatory compliance, the potential for negative press, and the looming corporate liability associated with identity theft. As such, the CPO – Chief Privacy Officer – is rapidly becoming a familiar IT specialty role on the corporate executive team.
The CPO joins a litany of other IT executive specialties – the CIO, CTO, CSO, CKO, and CCO. Already, the CPO has gained corporate acceptance through corresponding trade associations like the International Association of Privacy Professionals (IAPP), the privacy mandates in the US derived from HIPAA and GLB, and the EU regulatory mandate passed in the late 1990s requiring corporations to have a designated privacy compliance role. Perhaps it is the sheer presence of a CPO which provides the most benefit: installing a strategic role concentrated on privacy sounds good in a positive-PR kind of way, doesn’t it? It says, “We care so much about the consumer that we’ve installed this high-ranking corporate ombudsman to fix privacy problems.” Hmmm, tastes great, less filling. Indeed, some of the material I’ve read actually labels the CPO as serving the consumer interest in strategic decision-making.
So the CPO must understand a breadth of disciplines ranging from regulatory law and technology to marketing and public relations. But ultimately one must question the benefit of segregating strategic privacy decisions to a specific executive rather than making privacy a concern for the whole executive team. Whether or not the presence of a CPO diminishes the ability of a CIO, CTO, CCO, or CSO to execute a privacy policy on their own is debatable; I picture a bunch of executives around a table trying to craft a policy by consensus. I can see a lot of contention between IT executives over authority: what changes could be exercised by the Chief Compliance Officer; does the CPO have authority to bypass the CIO; is the CPO a routine consult on executive decisions concerning HR or Operations?
I found an article on the web concerning this very problem of power sharing between the CPO and other executives. Sandy Hughes, the CPO for Procter & Gamble, interjected as a consumer advocate in the decision to deploy RFID tags. The article suggests that Ms. Hughes’ role was to “determine the right way” for P&G to use RFIDs. Truly, the CPO’s involvement must frustrate those accountable for RFID execution who have a technical and operational picture of that “right way” without Hughes’ involvement. Can IT really be executed if the consumer privacy interest is constantly looking over your shoulder? Does it limit P&G’s use of RFID or strain its competitive advantage?
The CPO looks good on paper, and we must admit that it’s probably a proactive, visible gesture useful for positive spin, especially when the chips are down and there’s a real problem to contend with. However, I find it difficult to imagine the CPO being useful to IT execution – yet another party that must be negotiated with if you’re trying to improve business processes or release a new product to market on time. An interesting analysis would be to resolve which company is more nimble: one where a privacy policy guides the activities of its executive team, or one where a CPO is interjected into the decision-making process, seemingly diminishing the authority of the other IT executives, who are supposedly versed in the nature of privacy and security anyway.
Written on January 10, 2007
The Guru Speaks…
Dear Steve:
Your astounding yet so thoroughly anticipated release of the iPhone at MacWorld has led me to believe that you’ve lost your way. You even went so far as to rename Apple Computer, Inc. to Apple, Inc. Apple is not a computer company, you’ve proclaimed, but a consumer electronics company.
Hey, I’m all for revenue diversification, don’t get me wrong, but Steve, do you feel that you’re maybe putting iProfits ahead of iPrinciples? Yes, I intentionally used your i-branding strategy here to illustrate my point, and iPollogize if iInsult you. But Steve, Apple has survived because it has historically addressed a niche need in the microcomputer industry, supplying an exceptional, high-quality product with a very devout consumer following. I can’t help but feel you’re abandoning this core set of consumers by assuming portable electronics hegemony.
Wasn’t it you who said “Think Different” in an era of Microsoft dominance? Wasn’t it your 1984 television spot that threw a hammer into the oversized face of IBM to announce the Macintosh? Weren’t the curved, almost effeminate features of the iMac a slap in the face of conventional PC design? In short, hasn’t it been you, the leader of the Rebel Alliance of Mac aficionados, who has stood up to the mass-marketed machine and software Empires of our time and shouted, “Nay, Vader: you are _not_ my father!”
Steve, I must ask: what is Apple if it becomes the very thing that it’s NOT supposed to be?
Think about what I’m saying. Ten years from now, as Apple continues to suck my wallet dry (yes, and this was for one kid: that was $199 for the iPod, $90 for a Shuffle, $199 for the Nano, $225 for the “new” Nano, and now you want $599 for the iPhone?!), and Apple totally controls the market on mobile computing, doesn’t this make Apple the Microsoft or IBM of a new generation?
All I’m trying to say, Steve, is think about your roots. Apple _thrives_ in adversity. Apple _thrives_ as a brand because it’s the underdog. Apple _thrives_ and makes excellent products that really aren’t perceived as a commodity. Yet it looks to me that you want to change all of that.
iPersonally Think Different: the iStrategy is iFlawed because it will turn Apple into the very thing it isn’t. And then where will it leave you? As the monolithic adversary that everybody wants to work against. Good luck with that.
Written on January 9, 2007
Want to make free phone calls and have Google pay for the long distance? The technology is called Click-to-Call by Google, and here’s how it works:
1. Use Google Maps to locate an address.
2. Expand the map to view it in large mode.
3. View the target – a content balloon will expand on the screen.
4. An option to _call_ the location will be available.
5. If you click-to-call, you’re asked for your telephone number.
6. Google then calls _you_, and when you pick up your phone, you’re connected to the destination.
Here’s a simple screen shot:

This service started around the end of November 2006, so I’m probably a little late on the uptake. A couple of comments on this.
1. Hey, it’s free, and who wants to refuse a free lunch?
2. No extra software, cords, microphones, or speaker-tweaking necessary.
3. Google does have a terse FAQ on this: http://www.google.com/help/faq_clicktocall.html
4. Connectivity is provided by a mysterious, unnamed third-party vendor. The privacy policy swears that they don’t use the information for marketing purposes (ahem…).
5. According to the privacy policy, the numbers you enter are stored briefly on the server and then periodically deleted, and not used as additional search criteria for their engine (which I find suspicious – why else would Google want to do this?).
6. The click-to-call may actually end up as a charge-back advertising expense to the advertiser. Some of the blogs I’m reading suggest that this integration with Maps is the same as the integration with AdWords.
When I made the call, I could tell it was VoIP and the QoS was questionable; the call quality improved as the call went on, and by the end of it, the call was crystal clear.
I’m just left wondering what’s up – what’s Google doing here and how are they using this information? Maybe I’m just too paranoid…. then again…. what if Google could flip their call logs for telemarketing research? Eeek! “Do No Evil”, eh?
Written on January 8, 2007
On January 9, Microsoft will release an update to its Malicious Software Removal Tool. This specific update and version will not be distributed via SUS (Software Update Services). You can find this tool at the following location:
http://www.microsoft.com/security/malwareremove/default.mspx
This tool is a free download and works on Windows 2000, Windows XP, and Windows Server 2003. Once run, it inspects the computer for malicious software and helps remove infections.
It could be useful in examining suspect PCs running the Windows platform, or in providing an extra measure of confidence in your anti-spyware and anti-virus scanners.
Written on January 5, 2007
This week, I found a great article from the US Computer Emergency Readiness Team (US-CERT):
http://www.us-cert.gov/reading_room/securing_browser/#why
The article explains various vulnerabilities and attack vectors against a browser, then explains how to configure the browser to harden its security profile. It addresses IE, Firefox, and Safari, and provides step-by-step instructions on what to do.
Pretty informative and useful as a favorite, but a word of caution.
Some would suggest that there’s a balance in life. Example: we know that skiing is risky, but in order to have some fun it requires us to wear some funky pieces of waxed fiberglass and point our toes down a mountain. We must balance fun and usefulness against risk. These suggestions are great but might wind the browser’s security profile so tight that it interferes with your daily activities. If that’s the case, release just a few of them – find a “sweet spot”; use the article to find a balance of risk vs. usability that works for you.
Written on January 2, 2007
The following series represents lecture material that I’ve used from time to time in discussing the problem of IT risk management. I’ll be providing this material on my blog as a series of posts related to the topic.
***
This week we explored the variable dimensions of “measuring” security – security is a feeling, a perception, the degree of confidence we have in the controls and countermeasures we’ve introduced to mitigate or eliminate the risk of exploit. Therefore, “security” is relatively hard to measure. Like our example earlier in the week: how secure is secure?
This course focuses on two general risk assessment methodologies: PARA (Practical Application of Risk Analysis) and FRAP (Facilitated Risk Analysis Process). PARA is quantitative, whereas FRAP is qualitative. PARA is traditionally practiced with a key set of metrics:
Exposure Factor (EF) is the percentage of loss a realized threat event would have on a specific asset. It is used to calculate the SLE and ALE.
Single Loss Expectancy (SLE) is the monetary amount that is assigned to the loss due to a single event. It is calculated as follows: Asset Value ($) * Exposure Factor (EF) = SLE.
Annualized Loss Expectancy (ALE) is the monetary amount that represents the annual expected loss to an organization from a threat, and is calculated as follows: SLE * ARO (Annualized Rate of Occurrence) = ALE.
I also added a few more metrics into the mix:
Maximum Tolerable Downtime (MTD): The maximum length of time a business function can be discontinued without causing irreparable harm to the business. Business functions associated with customer service and billing often have the shortest MTDs.
Recovery Point Objective (RPO): In a disaster you will generally lose data. The Recovery Point Objective is the time (relative to the disaster) to which you plan to recover your data. For example, if you take overnight backups, the recovery point objective will often be the end of the previous day’s activity.
Recovery Time Objective (RTO): The time period after a disaster at which business functions need to be restored. Different business functions may have different recovery time objectives. For example, the recovery time objective for the payroll function may be two weeks, whereas the recovery time objective for sales order processing may be two days.
Metrics give management a quantitative understanding of risk, usually something that can be related in dollar terms so that countermeasures can be evaluated in the same light. PARA’s underlying principle: the expense to safeguard an asset should not exceed the value of the asset. Let’s do a PARA example:
The Sacramento, California office is located in a 20-year earthquake zone. Once every 20 years, it is estimated that a 6.0-Richter scale earthquake or greater will strike the facility, likely causing damage to the facility and computer equipment; management assumes losses to computer assets could be estimated at 20%. As a countermeasure, the company has purchased insurance with $18,000.00/year annual premiums that increase 5% every year. Calculate SLE and ALE, and each of their subcomponents; show all of your work. Come to a conclusion: is the insurance premium a reasonable safeguard as measured against the threat of an earthquake? Explain your answer.
Asset Value (AV) = Total cost of the asset being evaluated, at book value.
Exposure Factor (EF) = Often just an estimate, the percentage of the Asset Value at risk if the vulnerability is exploited.
SLE (Single Loss Expectancy) = AV x EF
Therefore, SLE = $320,000 x 20% = $64,000. A single incident in which the earthquake risk was realized would cost the company an estimated $64,000.
ARO (Annualized Rate of Occurrence) = Expected frequency of the vulnerability being exploited within one year. Therefore, ARO = 1/20 years – a 0.05 probability that an earthquake could happen in any given year.
ALE (Annualized Loss Expectancy) is the evaluation of the risk of financial loss in annualized dollars; certainly the company cannot expect to lose $64,000 every year, as such an earthquake is projected to have only a 1 in 20 chance of happening in a given year. Therefore, we multiply SLE * ARO to come up with a more accurate annualized figure: $64,000 x 0.05 = $3,200.
Extending this reasoning out, over the course of a single year, the company shouldn’t pay more than $3,200 to safeguard the asset at its current cost, since the value of the loss and the probability of loss are reasonably low.
In this case study, the organization is paying yearly insurance premiums of $5,000, and every year the premium will increase by $250. Over the course of the policy (presumed 20 years), the annual premium will double to $10,000 by year 20; at year 1, the organization is overpaying by $1,800/year; at year 20, it is overpaying by $6,800/year. We could conclude that the policy should be rewritten to reflect a more accurate picture of financial risk.
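To make the PARA chain concrete, here is an added Python example (mine, not part of the lecture material) that implements SLE, ARO and ALE as functions and compares the ALE against a premium schedule year by year. It uses the $320,000 asset value and 20% exposure factor from the worked answer, a one-in-20-years occurrence, and models both premium schedules this post mentions: $5,000 rising $250 a year (the worked answer) and $18,000 compounding 5% a year (the problem statement). One assumption is mine: year 1 is charged at the base premium and the first increase lands in year 2, so the fixed-step schedule reaches $9,750 rather than a rounded $10,000 in year 20.

```python
# Added example (not part of the lecture): the PARA metrics from this post
# as small functions, run against the case study's numbers.  Figures used:
# AV $320,000 and EF 20% from the worked answer, one earthquake per 20 years,
# and both premium schedules the post mentions ($5,000 rising $250 a year,
# and $18,000 compounding 5% a year).  The schedule assumes year 1 is the
# base premium and the first increase lands in year 2 (my assumption).


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV * EF.  EF is a fraction (0.20 for 20%), not a percentage."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annualized_rate_of_occurrence(events, years):
    """ARO = expected events per year; one event every 20 years -> 0.05."""
    if years <= 0:
        raise ValueError("years must be positive")
    return events / years


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE * ARO: the most the organization should spend per year
    on a safeguard for this asset against this threat."""
    return round(sle * aro, 2)


def premium_schedule(base, years, step=0.0, growth=0.0):
    """Premium for each policy year 1..years.

    `step` adds a fixed amount every year after the first; `growth`
    compounds the base by a percentage (0.05 = 5%).  Either may be zero.
    """
    return [round(base * (1 + growth) ** (y - 1) + step * (y - 1), 2)
            for y in range(1, years + 1)]


def safeguard_gap(ale, premiums):
    """Per-year premium minus ALE.  Positive means the safeguard costs more
    than the expected annual loss it protects against."""
    return [round(p - ale, 2) for p in premiums]


def case_study(asset_value=320_000, exposure_factor=0.20, events=1,
               years=20, base_premium=5_000, step=250, growth=0.0):
    """Run the full PARA chain and report whether the premium is justified."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    aro = annualized_rate_of_occurrence(events, years)
    ale = annualized_loss_expectancy(sle, aro)
    premiums = premium_schedule(base_premium, years, step=step, growth=growth)
    gaps = safeguard_gap(ale, premiums)
    return {
        "SLE": sle,
        "ARO": aro,
        "ALE": ale,
        "premium_year_1": premiums[0],
        "premium_final_year": premiums[-1],
        "overpaying_year_1": gaps[0],
        "overpaying_final_year": gaps[-1],
        # PARA's underlying principle: spend no more than the ALE per year.
        "justified_every_year": all(g <= 0 for g in gaps),
    }


if __name__ == "__main__":
    for label, result in (
        # Worked answer's schedule: $5,000 base, +$250 each year.
        ("fixed-step", case_study()),
        # Problem statement's schedule: $18,000 base compounding 5% a year.
        ("compounding", case_study(base_premium=18_000, step=0, growth=0.05)),
    ):
        print(label)
        for key, value in result.items():
            print(f"  {key}: {value}")
```

The rule the post states, that a safeguard should not cost more than the ALE, is the `justified_every_year` flag; on either schedule it comes back false, which is the post's conclusion that the policy should be rewritten.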