I’m writing an article about wireless e-mail for Network Computing and we are taking a close look at the leading products in this space. I’m also trying to get as much hands-on experience with these products as I can, and one of my preliminary conclusions is that while having instant access to e-mail can enhance productivity, moving business interaction from fast to supersonic, that part of the appeal is one of instant gratification, with the hope and excitement in each chime of an incoming message that something good has just arrived. The sad reality is that most e-mail we receive represents new obligations, and it is only a small percentage of e-mail that actually brightens our day. Yet because we receive those occasional nuggets, we keep opening each message as soon we receive it fully of expectations. No wonder wireless e-mail is so addictive.

I can hear Elvis now, "Return to SPAM sender!"

Alright, maybe I'm taking a little creative license here, but if IBM's claims are to be believed, we may be able to do just that very soon. This week the company unveiled a new solution called FairUCE -- a service that uses a giant database to identify computers that sending spam. The emails are jettisoned directly back to the computer, not just the email account, that sent them.

The cynic in me says that the SPAMMERS will get around this in a month's time -- but what a wonderfully tranquil month that would be.

We've touched upon this subject before -- the fact that contrary to popular belief, the Macintosh platform is not threat and vulnerability resistant. According to Wired.com, the folks at Symantec have reported over 37 high-vulnerabilities in Mac OS X this past year.

Granted, the Mac's security track record is a lot better than its Windows counterparts -- but most experts agree that's simply because the Mac's share of the user pie is that much smaller, making them a smaller target for malicious activity.

With the arrival of the Mac Mini on the scene, however, all that could change very quickly. The average, not-so-security-savvy user will no doubt be eagerly eyeing the inexpensive computer. And you can bet as they quickly disappear off the shelves, the hackers will be taking notice, and quickly update their armaments to adversely affect the new Mac adoptees.

The bottom line here is use your common sense. Having a picture of a half-bitten apple on the side of your computer isn't going to amount to much when you can't access your files thanks to malicious code. Whatever your platform is -- it's vulnerable.

Connection managers are the software utilities that allow users to control their wireless network connections, used with cellular-data networks, WLANs and Wi-Fi hotspots. These managers may also configure items such as protocol stacks, COM ports as well as Bluetooth and IR configurations. They are supplied by multiple entities, including wireless operators, modem vendors, computer operating system vendors, computer hardware platform vendors, roaming enablers and wireless middleware providers. Their existence can simplify the user experience considerably, but they can also affect interoperability and cause complications, such as when a user wishes to have access to multiple networks and needs more than one manager. I mention this because I chair the Standards and Architecture Committee of the Portable Computer and Communications Association (PCCA). Our next meeting, May 12, in Seattle, will specifically address Connection Managers, as well as wireless network management interfaces. If this topic is relevant to your work, I encourage you to come to this meeting. Details are available at http://www.pcca.org.

Verizon Wireless and Cingular Wireless have just announced interoperability for their picture messaging services, technically known as Multimedia Messaging Services. Now a Cingular subscriber will be able to take a picture with their camera phone and send it to a Verizon subscriber, and visa versa. This is certainly an important step in making this type of service more popular. The industry has had high expectations that multimedia messaging would become as popular as text messaging, and would drive traffic on new data networks. So far, however, MMS has not taken off quite as quickly as hoped. This may be because sending text messages allows flexible communication between people, whereas there are only so many pictures you can send your friends and relatives. Still, I’m confident that over time people and developers will find innovative ways of taking advantage of multimedia messaging.

Yesterday was the first day of testing for BPM suites. We have 12 total products to test so we've got a full lineup for the next two months.

At 9pm - thanks to remote access technology - the first suite was actually running. I think it might have been running earlier had the installation process not required that the machine be restarted fifty gazillion times. Seriously, the process would install a component, then require a reboot, it would finish installation that component and then install another, only to require another reboot. That poor machine was rebooted yesterday so often I felt like I was running Windows ME again.

I installed two other suites earlier in the day. One is installed, but it appears to have gone poorly because there is no database (for the repository) running and no application server (for the portal). The installation appears to have gone fine, the logs indicate success at every step, but the product is obviously not installed and isn't running. No services to start, no scripts to run, nothing. Documentation is scanty and for once I wish I had one of those stupid color-coded "step by step" installation posters because I'm fairly certain that hidden in the documentation is some fine print requiring the sacrifice of a live chicken in order to successfully complete the installation process.

Another product installed just fine, only to ask for license keys - which had not been submitted with the product. I've since received the license keys, so today we'll see if the product installation was truly successful or whether the damn things are just toying with me.

After yesterday's experience, I'm betting on the latter.

It’s hard to fully capture a wireless conference that has hundreds of exhibitors showing everything from RF connectors, tower equipment, wireless e-mail to the latest phones. However I was impressed by how cellular data is finally, after all these years, gaining serious traction both in consumer and enterprise markets. As for handsets, it was fascinating to see all the new features being incorporated into mobile phones, including instant messaging and e-mail clients, large color screens, MP3/AAC players (with multi GBytes of storage in the works), voice dialing, voice recognition for data input, built-in flashlights, 2 megapixel cameras, video recording and playing, navigation systems, and push to talk. The trend towards a single communications device that “does it all” has huge momentum, and though phones my not displace digital cameras due to the optics involved, they could make a serious dent in the music player market. As for myself, I’ve stopped using my PDA since I can now synch up my contacts and calendar with my phone, and use it to access my e-mail.

We just finished our annual employee briefings for IT security awareness as required by several regulations and our external auditors -- and of course a good idea in general. Awareness is not training but rather a point where we focus attention on this important topic.

Our IT security manager at ACME, Bucky Rogers, was keen to develop a formal security awareness program. We used various resources and guides to create our overall program. This annual briefing is just one part.

We also take the time to alert employees about new severe threats and use those alerts to remind them of our awareness policy as well as our various security bulletins (useful info) posted on our intranet.

Read on…..

"Bernie Ebb, Bernie Ebb,"
the judge he did decree --
"It's okay kid, you're free to go...
Just kidding, you are guilty!"

And so the tale of WorldCom's boss
it seems comes to an end
You started as a milkman,
now you're heading to the penn.

"I don't know tech, I never did!"
We heard poor Bernie cry.
Sure you don't -- and by the way,
them pigs -- they still can't fly.

So Goodbye Bernie and hello SOX,
What is there left to say?
Well, we're the ones now stuck with this thing --
so who's really gotta pay?

This morning IBM announced its intention to acquire Ascential, a data quality/ETL/integration vendor.

I spoke with IBM this afternoon, wondering why in the world the software giant, which already boasts a fairly comprehensive integration portfolio, would be interested in Ascential. After a short chat it became clear that it isn't the integration technology IBM is necessarily interested in, but rather Ascential's data quality and ETL technology.

As real-time decision making becomes more imperative to the enterprise, data federation (information integration) becomes more appealing to the enterprise. Likewise, the need to present a 360 degree view of the customer in real-time can only be truly efficiently met by an information integration solution that provides federated access to data stored across disparate systems, such as DB2 II or products from MetaMatrix and Composite Software. But to insure data quality requires more than simply allowing access and this is a technology in which Ascential excels.

Competitor Trillium Software spoke up after the announcement, saying in press release:

"IBM's announcement of their intent to acquire Ascential validates the need for high quality information on an enterprise-wide scale. News of this type is welcome in our industry. The nature of providing enterprise-level data quality is not simple particularly in a global marketplace and this helps communicate the complex nature of providing organizations with information that is fit for business purpose, regardless of the source or target system."

Trillium Software is right. Data quality is an issue. Proof of the need for such technology is evidenced by the number of SOA based services popping up from multiple vendors providing isolated access to data quality services for everything from e-mail addresses to physical addresses and phone numbers.

IBM's move will enable it to enhance its information integration line with proven data quality technology and potentially enable future software solutions that include real-time ETL and enhanced integration capabilities.

Application security vendor Teros has released a security threat bulletin for March 2005, available here.

The bulletin outlines a list of security vulnerabilities specific to web applications, such as cross-site scripting attacks as well as a list of security advisories for a plethora of applications including IE, PHP4 and Verity UltraSeek.

Two days ago, Nortel announced extremely high throughput speeds in an experimental MIMO-OFDM system of “37 Mbps over a standard 5 MHz PCS mobility band, taking into account noise and fading conditions found on a real-world cellular network.” This is significantly higher than what is being achieved today with 3G systems. MIMO-OFDM is also the basis of 802.11n, which promises throughput rates in excess of 100 Mbps for WLANs. I’ll have more to say about the evolution of 3G systems in subsequent blogs as this is an area I have been actively studying and reporting on over the last six months, but right now I want to raise an interesting problem, mentioned to me by a network architect yesterday who works for a major cellular operator. The problem is backhaul. As throughput rates increase with faster cellular air links, there is a fundamental problem connecting base stations to the infrastructure network. It used to be that a T1 (1.5 Mbps) would do the job, but now we’re looking at fiber rates (10 Mbps or greater), and fiber simply does not pass most cell sites. What to do? There are currently no good affordable answers for systems that are faster than the current 3G systems being deployed.

The primary connection for our Green Bay lab was down this morning - for no apparent reason. So after power cycling the router and proving to myself that it wasn't a problem on our end, I called our provider.

We traveled through the basic "what color is this light" game and of course all is well. Then the Tier 1 technician tells me with a straight face that he's going to "discharge the static on the line" and that it can take up to 5 minutes.

He's going to discharge the static on the line... by pushing a button on his screen. Yeah... and next he's going to blame solar flares for the outage.

Someone's been reading too much BOFH me thinks.

Finally I was given a ticket. Woo hoo! It's like winning the lottery. I have a ticket! An hour later a Tier 2 technician calls me.

So I walk through the basics with him and he wants me to read off the configuration from the router. I don't have the login/password so he gives me both of the default administrative logins for the router.

::grin::

No, I didn't write them down. They were at least not dictionary based and I'm not that evil. I did find it disconcerting that it was so easy to get them, however.

All is correct - except DNS entries - so I changed them and restarted the router.

Now I've already used our secondary connection (provided by someone else, of course) to trace traffic all the way to .. Milwaukee. The last hop between Milwaukee and Green Bay is the problem. All our equipment is functioning within normal parameters, but either some router in Milwaukee has decided to take the day off or their default router has gone bye-bye. Either way, it isn't our configuration, which hasn't change in a year or more and was working just fine yesterday. But he wants me to try to ping Google from the router.

By name.

Now I have no connection. I cannot ping the default gateway on their network and simple IP routing basics says if I can't route traffic through the gateway I sure as hell can't resolve Google's IP address.

But he insists I try. Because obviously the fact that packets are not getting from our router to the default gateway is all a DNS configuration issue. Yeah, I've seen that a million times. So I do and gee, golly, look at that - I can't resolve the address.

::sigh::

Eventually he tells me he'll do some more digging and get back to me and finally, about 1pm this afternoon, the connection is restored.

I'm still floored by the "discharging static on the line" line. I keep thinking maybe there's something here I'm missing, but I keep hearing Simon's voice in the background snickering because he's got my luser name now ....

Some of you may be heading to the CTIA Wireless 2005 show next week in New Orleans. If so, I may run into you. Like all consultants, I try and combine a show like this with exposure, research on projects I'm doing, and if I can actually earn some money, that's a bonus. So I feel fortunate that I'll be able to teach a half-day course as part of the show's Wireless Data University. My segment is "Wi-Fi and WiMAX in Detail". Given all the knowledgeable people who come to an event like this, it's a bit intimidating to get up there and to try and teach them things they don't already know. I expect the following to be big themes at this show: mobile entertainment (e.g., mobile video, phones with music players, multimegapixel picture/video phones), wireless VoIP, smartphones, 3G services (e.g., EV-DO, HSDPA), Wi-Fi/3G convergence and WiMAX. What an exciting time to be in this industry! I'll let you know next week how things turned out and what caught my attention.

This week heralds announced a wealth of new SOA focused tools -

NetManage OnWeb 7.2 from NetManage

OnWeb 7.2 is now delivering support for .NET and Java based connectors, which enables customers to connect to and leverage data from mission critical enterprise applications including SAP, PeopleSoft, Oracle, Siebel, JD Edwards and more. OnWeb 7.2 also has improved support for SSH and SSL and integration capabilities to ERP and CRM systems, databases, and middleware as well as Microsoft BizTalk 2004.

Also announced by NetManage is RUMBA 7.4, which offers increasing support for Windows based host access, complete with SSO (single sign on) capabilities.

Synapta from Attachmate

Synapta Services Builder and Synapta Presentation Builder lead the way for Attachmate's move into the SOA space. Both build on Attachmate's long experience and are focused on empowering end-users through SOA.

Presentation Builder is the first step in a series of moves to provide a comprehensive SOBA (service oriented business application) environment in which end-users can easily create composite applications from web services - complete with a user interface.

Services Builder provides the framework for turning virtually any data source - application, databases - into a service consumable by end-users.

The recent release of a paper detailing the way that a Shandong University team found a significant flaw in the SHA-1 encryption algorithm has caused major ripples in the cryptoanalysis world, and it's time to ask whether the ripples will turn into major waves for folks implementing computer and network security. The answer depends on a couple of major factors--how far into the future you look when making implementation decisions, and how much security is enough for you and your situation.

First, understand what the paper said. One of the ways in which encryption schemes are evaluated is the frequency with which two different strings of text would encrypt (or hash) to the same result. SHA-1 was designed, and had been assumed, to have a collision in 2⁸⁰ operations. The team at Shandong University found a method by which they could reach a collision in only 2⁶⁹ hash operations.

Now, in realistic terms, that still a lot of operations, and it's more than the average hacker is going to be willing to brute force their way through in order to compromise a piece of communication. For the short term, then, there's no need to panic. Over the longer term, though, there is more room for concern.

The real problem is that the Shandong team's results show that there is a problem with SHA-1, and now the likelihood grows that more issues can be found. Since more people are likely to be looking for problems that could very well exist, the result is a lack of confidence in SHA-1. It's time to start looking for a replacement.

Where are the replacements going to come from? The NIST has four hash versions specified in standards; SHA-224, SHA-256, SHA-384, and SHA-512. These are the most likely replacements in the near term. The good news is that the science and art of cryptography keeps moving forward through research like that engaged in at Shandong University. The bad news is that, like all advances, there's going to be just a hint of a growing pain as we move the state of security forward. Get ready.

Thanks to Bruce Schneier for following cryptography more closely than I do, and for explaining the intricacies without dipping more deeply into the math than is absolutely required. His free monthly newsletter is a must for anyone who wants to keep up with what's happening in cryptography and encryption.

Finally, some numbers have been collected to show the costs associated with Sarbanes-Oxley compliance projects. But in the final analysis, the whole thing remains one big crapshoot.

Readers and other IT professionals have been telling us for months about the time and headaches they have incurred in trying to comply with Sarbanes-Oxley. The trick is that none of them seem to have a handle on exactly what they need to do, or how much it is going to cost them.

One smart researcher, A.R.C. Morgan, decided to comb public SEC filings to see if any company has filed data that would give us a clue as to the cost of the SoX compliance effort. What they found was all over the map -- everything from detailed numbers on partially-completed projects to statements of bewilderment as to the potential project costs. The good news: most other companies are just as clueless about SoX compliance requirements and costs as you are. The bad news: nobody really knows how much it's going to cost, or how long it's going to take.

Posted here at 12:42 AM in Business Strategy

Comment on this blog entry