Strategic Inflection Point: The Diminishing Importance of Windows

For the last two months, I’ve been struggling with an intellectual problem.

Generally, it concerns the question of where the microcomputer desktop market and the small business computing market are heading. Throughout all of my professional career in IT, the predominance of Microsoft has been unquestioned in the microcomputer desktop and small business server space. This isn’t to diminish the role of competitors Apple, Sun, or Linux, but it is a reflection on the reality of Microsoft’s pervasive influence. However, I’m quite certain that we’re in the midst of a sea change in Microsoft’s domination of these marketplaces.

When I teach graduate IT strategy courses, I ask my students to look for Strategic Inflection Points (SIPs). These are conditions when management strategy, in terms of actions and principles, seems to come out of alignment: what management says and what it does are seemingly inconsistent. SIPs are also conditions when one can witness the decline of a post-paradigmatic technology design. Contention arises in the marketplace. Old ideas are challenged by new ideas. In terms of Porter’s Five Forces, new entrants and substitution effects disrupt the rivalry amongst competitors and throw the competitive balance into an unpredictable state. And more rapid cannibalistic effects happen as companies attempt to innovate ahead of others and retire products early just to gain the new dominant technology design.

When it comes to the microcomputer desktop and small business server market, I see SIP forces at work. Windows Vista – and I don’t think I’m too far out on a limb here – will be a flop and a disaster for Ballmer. Consumers aren’t motivated to upgrade and the value proposition is extraordinarily weak. Similarly, Microsoft Office 2007 suffers from the same problem; new looks are great, but small business doesn’t need new learning curves to use a word processor. Consumers want more web integration, a bit-level delivery and supply chain, subscription-based licensing, and more mobile computing options. Consumers are more savvy, aware of their choices, and becoming increasingly competent with new interface models from exposure to the web. The consumer isn’t intimidated by new ways of getting things done, and they have a stronger appreciation for real value.

When I look at this SIP – the diminishing importance of Windows as a common desktop metaphor and API (Application Programming Interface) library – I cannot help but be rocked by its consequences. The decline of Windows means that the market is entering another creator/destroyer phase – where do my skillsets, as an MCSE, fit into a picture where Microsoft’s importance becomes increasingly irrelevant? And how are companies, organizations, governments responding to this?

Municipal and state governments the world over are investing heavily in open source to avoid steep software licensing fees and to gain better control over their financial obligation in this area; being forced to upgrade and pay Microsoft every two years for productivity applications and operating systems stifles innovation and sucks up needed capital. Online services like Google, Yahoo, Zoho, and iTunes are captivatingly interconnected and profitable, yet without software licensing models. The Open Office Document standard and the OpenOffice product are making significant impressions in terms of productivity applications, looking and feeling just like the MS Office suite yet requiring no licensing. And Linux – the extraordinary diversity in metaphors and ideas – is becoming just as simple to use, deploy, and troubleshoot as Windows.

So, the point being, how will the market respond? How will Microsoft respond? How will Apple respond? What do small businesses want or need? How will that change commercial and residential computing? And how radical a change will there be? Do I spend resources in understanding and learning Vista and Longhorn, or do I start picking up Ubuntu and MySQL?

My intellectual problem is this: when a SIP happens, the new doesn’t simply replace the old – both are synergized into a new design that becomes an acceptable norm. Windows may still be around in ten years but it will be substantially different from what it is today, perhaps even going the same track as Apple with a Linux kernel.

Where to go, what to do. That’s the problem… but it’s also the greatest path to opportunity that we’ve probably seen in decades in the PC market. The opportunity to set the next design.

R
www.micklerandassociates.com

World’s Largest PPI Theft Announced Yesterday

The largest exposure of personal private information (PPI), affecting 45.7 million consumer credit card numbers, was reported by the Framingham, Mass.-based retail giant TJX Companies, Inc.

The exposure was disclosed in their quarterly SEC filing and announced by the Boston Globe last night, although the incidents happened in December 2006; the gag on the press was requested by law enforcement trying to investigate the crime. Within the filing, the company also indicated that “a relatively small number” (455,000) of customers’ driver’s licenses and other PPI were stolen as a result of the release.

TJX said the attacker exploited a flaw in the computer network that handles credit, debit, check, and merchandise return transactions for its stores: TJ Maxx, Marshalls, HomeGoods, TJX Bob’s Stores, and AJ Wright stores in the US and Puerto Rico, Ireland, and the UK, and Winners and HomeSense stores in Canada.

A special helpline is in place for TJX customers who have questions about the data breach. Customers may reach the helpline toll-free at 866-484-6978 in the United States, 866-903-1408 in Canada, and 0800 77 90 15 in the United Kingdom and Ireland.

Ironically, Mass. is one of the 19 states in the US that does not have a data breach notification or information system security law in place to protect consumer PPI; a bill was first introduced last year by Rep. Michael Costello, a Democrat in the Massachusetts House of Representatives, to address this problem, but it was shelved last year while lawmakers took up healthcare and other issues. This means that, unlike in 31 other states, TJX is not under any obligation to announce the breach to end consumers, nor is it considered a federal or state crime to “accidentally” release 45.7 million credit card records. Consumers are left to fend for themselves, capable only of filing a civil tort for damages individually against TJX should the breach be proven to be consequential and material.

R
www.micklerandassociates.com

Hacking with Google

So you’re interested in using Google to pass you a heads up on a black hat exploit?

Google hacking has been reported in the news for about the last year and a half. Google indexes the heck out of the web – people are starting to take it seriously.

It goes like this. Say you uncovered a specific script that allows you to steal private consumer information. Let’s say the name of the script is EXTEND.PRICE. If we wanted to use Google to locate where inside a URL the script is called from, we could type in at the Google prompt: inurl:extend.price. This would search for URLs that mention the script (phrase) “extend.price”, allowing the black hat to search for all of those sites that either have or haven’t patched their server with the new script that would block the exploit.

Variations of the same theme allow you to look for common files, directories, client-side APIs, or control panels. For example, an interesting search in Google would be “inurl:cgi.exe”, looking for gateway interfaces prompted through hyperlinks.

Dozens and dozens of servers to target for your exploit.

More useful commands that can be used with Google to isolate a search parameter:

  • intitle, allintitle — Terms in a webpage’s title
  • inurl, allinurl — Terms in URLs
  • filetype — Search for specific file types on the Net
  • site — Search only the pages of a specific server or domain
  • link — Look for pages that link to a given page
  • info — Summary information about a site
  • related — Displays sites related to a site
  • phonebook — Search business or residential phone listings
  • rphonebook — Residential phone listings only
  • bphonebook — Business phone listings only
  • stocks — Stock market information about a searched company
  • define — Definitions for a term, looked up in Google

To make things easier on you, the black hat, swing by Johnny iHackStuff for help in identifying vulnerabilities. Here’s a couple of doozies!

  • Files containing passwords that could be expressed in inurl: searches;
  • Advisories and Vulnerabilities, to find unpatched servers;
  • Vulnerable Servers, to find unpatched servers sporting all kinds of bad scripts.

Freaked out yet? Try running a couple of these specific parameters against your own name, phone number, or business to do a Google Profile of your own footprint.

Run a server and want a solution to the problem, or just want to see where you stand on the Google hacking exposure? How about a free web vulnerability scanner that you can download? They may ask for a credit card to fix the problems, but the Acunetix Vulnerability Scanner would at least let you know where you stand on some of these Google problems.
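Before Google does the indexing for someone else, you can audit your own web root for the kinds of files the filetype: and inurl: searches above would surface. The script below is an added example, not code from the original post or from Acunetix; the patterns and the sample web root it builds are constructed for illustration.

```python
# Added example: walk a web root and flag files that a filetype:/inurl:
# style search would likely expose. Patterns are a constructed starting list.
import os
import re
import tempfile

# (pattern, reason) pairs matched against the path relative to the web root.
RISKY = [
    (re.compile(r"(^|/)(\.htpasswd|passwd|passwords?\.\w+|\.env)$", re.I), "credential file"),
    (re.compile(r"\.(bak|old|orig|sql|sql\.gz|tar\.gz|zip)$", re.I), "backup or dump"),
    (re.compile(r"(^|/)(cgi-bin|admin|phpmyadmin)/", re.I), "control panel or CGI path"),
    (re.compile(r"\.(log|ini|conf|config)$", re.I), "configuration or log file"),
    (re.compile(r"(^|/)\.(git|svn)(/|$)", re.I), "version-control metadata"),
]

def find_exposed(web_root):
    """Return sorted (relative_path, reason) pairs for files under web_root
    that match one of the RISKY patterns; the first matching reason wins."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), web_root)
            rel = rel.replace(os.sep, "/")
            for pattern, reason in RISKY:
                if pattern.search(rel):
                    hits.append((rel, reason))
                    break
    return sorted(hits)

def build_sample_root():
    """Constructed sample web root: two harmless pages plus the kinds of
    files that end up indexed by mistake. Returns the temp directory path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    sample = {
        "index.html": "<html>hello</html>",
        "about/team.html": "<html>team</html>",
        "db/customers.sql": "-- constructed dump",
        "cgi-bin/extend.price": "#!/bin/sh\n",
        "backup/site.tar.gz": "",
        "includes/config.ini": "[db]\nhost=localhost\n",
        ".htpasswd": "user:hash",
        ".git/HEAD": "ref: refs/heads/main",
    }
    for rel, body in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, reason in find_exposed(build_sample_root()):
        print(f"{rel:28} {reason}")
```

Point find_exposed() at a real document root and compare the list against what site:yourdomain.com already shows in Google.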

R
www.micklerandassociates.com

Hackers Strike UltraDNS

Surprised that this didn’t make bigger headlines, but hackers from South Korea successfully attacked 3 out of the 12 Internet DNS root servers last month. There was a scramble to thwart the attack and redirect name resolution traffic; it was the biggest attack since 2002.

http://www.msnbc.msn.com/id/17011675/

If it had been successful, the attackers would have prevented millions of Internet host computers from resolving names. Typing in www.microsoft.com or clicking on hyperlinks would have stalled as client PCs waited for name resolution responses from root servers. The Internet would have slowed to a crawl, and many webpages would simply have timed out.

The attack demonstrates a certain hacker emboldenment and some degree of tactical prowess. This wasn’t simply a demonstration of the ability to cripple somebody’s computer or rip off personal private information. This was a tactical demonstration of somebody’s ability – on command – to send the Internet economy into the dark ages. If anything, the attack would have allowed the attackers to see what the UltraDNS response would be and to gauge bandwidth and volume requirements on a quarter of the root servers. In effect, this may not have been an attack at all, but an intelligence gathering effort.

Interesting – the article seems to praise the resiliency of the Internet by its design. I believe that’s too much confidence in the design. The next attack may prove that the aggressors learned from their experience and may simply bring the global Internet economy to its knees. Instead of thinking we dodged the bullet, we should be thinking out plans to dodge the next 50-caliber round that comes screaming our way.

R
www.micklerandassociates.com