<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Security by Eric Jacksch &#187; Business</title>
	<atom:link href="http://jacksch.com/category/business/feed/" rel="self" type="application/rss+xml" />
	<link>http://jacksch.com</link>
	<description>Infosec and cyber security news and viewpoints from a security professional with over 15 years in the trenches.</description>
	<lastBuildDate>Fri, 18 May 2012 13:05:48 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>PayPal dispute ends in destruction of violin</title>
		<link>http://jacksch.com/2012/01/paypal-dispute-ends-in-destruction-of-violin/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=paypal-dispute-ends-in-destruction-of-violin</link>
		<comments>http://jacksch.com/2012/01/paypal-dispute-ends-in-destruction-of-violin/#comments</comments>
		<pubDate>Fri, 06 Jan 2012 01:55:53 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4515</guid>
		<description><![CDATA[CNET ran an interesting article yesterday on how a PayPal dispute ended in the destruction of a violin. In summary, the allegation is that the purchaser disputed the authenticity of his $2,500 purchase, PayPal agreed, and they instructed the purchaser to destroy the violin in order to obtain a refund. People are asking a [...]]]></description>
			<content:encoded><![CDATA[<p>CNET ran an interesting article yesterday on how a <a href="http://news.cnet.com/8301-1023_3-57352627-93/paypal-dispute-ends-in-destruction-of-violin" target="_blank">PayPal dispute ended in the destruction of a violin</a>. In summary, the allegation is that the purchaser disputed the authenticity of his $2,500 purchase, PayPal agreed, and they instructed the purchaser to destroy the violin in order to obtain a refund.</p>
<p>People are asking a lot of questions about this one, and while I haven&#8217;t heard directly from the seller, her letter is posted on <a href="http://www.regretsy.com/2012/01/03/from-the-mailbag-27/" target="_blank">Regretsy</a>. (The buyer&#8217;s identity has not been disclosed.) The dispute appears to focus on the violin label. I&#8217;m certainly not qualified to discuss violin labels and associated traditions, but these folks are and <a href="http://www.abcviolins.com/labels.html" target="_blank">have something interesting to say</a>.</p>
<p>I was a bit surprised to hear that PayPal had the instrument destroyed rather than returned to the vendor, but I found this in <a href="https://cms.paypal.com/us/cgi-bin/marketingweb?cmd=_render-content&amp;content_ID=ua/UserAgreement_full&amp;locale.x=en_US" target="_blank">PayPal&#8217;s user agreement</a>:</p>
<blockquote><p>If a buyer files a Significantly Not as Described (SNAD) Claim for an item they purchased from you, you will generally be required to accept the item back and refund the buyer the full purchase price plus original shipping costs. You will not receive a refund on your PayPal fees. Further, if you lose a SNAD Claim because we, in our sole discretion, reasonably believe the item you sold is counterfeit, you will be required to provide a full refund to the buyer and you will not receive the item back (it will be destroyed). PayPal Seller protection will not cover your liability.</p></blockquote>
<p>Merchants take heed &#8212; &#8220;in our sole discretion&#8221; gives PayPal a lot of power.</p>
<p>In response to my query, a PayPal spokesperson replied via email,</p>
<blockquote><p>&#8220;While we cannot talk about this particular case due to PayPal&#8217;s privacy policy, we carefully review each case, and in general we may ask a buyer to destroy counterfeit goods if they supply signed evidence from a knowledgeable third party that the goods are indeed counterfeit.  The reason why we reserve the option to ask the buyer to destroy the goods is that in many countries, including the US,  it is a criminal offense to mail counterfeit goods back to a seller.&#8221;</p></blockquote>
<p>A lot of small businesses rely upon PayPal, and this type of incident causes concern among merchants.  For example, one commenter on Regretsy pointed out,</p>
<blockquote><p>This scheme of PayPal’s makes a great way to perpetuate fraud. Want to swap the fake Vuitton bag you bought on Canal Street for a real one? Just buy that real one on eBay, pay through PayPal and report the ‘fake’!</p></blockquote>
<p>Credit card transactions in general place the burden of proof on the merchant. For example, if I ordered goods and subsequently advised the credit card issuer that the product didn&#8217;t arrive, the merchant would face a chargeback unless they were able to provide strong evidence to the contrary. PayPal adds an additional layer. If a buyer who has purchased through PayPal using a credit card is not satisfied and disputes the charge through their credit card issuer, the burden of proof falls to PayPal.</p>
<p>My point is not to excuse PayPal of their responsibilities.  They&#8217;re in the payment game and need to treat all parties fairly as well as manage their own risk. However, it&#8217;s also not fair to assume that these types of disputes or the potential for merchant losses are specific to PayPal. It&#8217;s also not realistic for sellers to assume that PayPal will protect them from all potential fraud scenarios.</p>
<p>I&#8217;m happy to see PayPal take a strong stand against counterfeit goods, but I just wonder if destroying a violin &#8212; even if the label was wrong &#8212; was the right answer in this case. I suspect executives at PayPal are asking that same question.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2012/01/paypal-dispute-ends-in-destruction-of-violin/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>iPad a notebook killer?</title>
		<link>http://jacksch.com/2011/07/ipad-a-notebook-killer/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=ipad-a-notebook-killer</link>
		<comments>http://jacksch.com/2011/07/ipad-a-notebook-killer/#comments</comments>
		<pubDate>Thu, 14 Jul 2011 14:34:37 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://jacksch.com/2011/07/14/ipad-a-notebook-killer/</guid>
		<description><![CDATA[As I sit here on my morning flight from Ottawa to London I&#8217;m contemplating my words of a year ago. I was wrong. The iPad is going to put a serious dent in the notebook market due to the convergence of multiple factors: 1) The iPad is beyond cool &#8211; it&#8217;s affordably cool. While the [...]]]></description>
			<content:encoded><![CDATA[<p>As I sit here on my morning flight from Ottawa to London I&#8217;m contemplating my words of a year ago. I was wrong. The iPad is going to put a serious dent in the notebook market due to the convergence of multiple factors:</p>
<p>1) The iPad is beyond cool &#8211; it&#8217;s affordably cool.  While the device may cost the same as netbooks and low-end laptops, consider the apps.  $10 gets you Keynote &#8212; which last night flawlessly slurped in a .pptx from Microsoft PowerPoint.  I put my final touches on today&#8217;s presentation and emailed myself both a .ppt and .pdf of the presentation.</p>
<p>2) As a device for mobile users, the iPad is light, has a battery life easily twice that of most laptops, and is virtually instant-on. The main drawback for writers is the on-screen keyboard, but with Bluetooth keyboard support the number of options continues to increase.</p>
<p>3) Mobile phone operators are slowly starting to provide affordable data plans for the iPad.  In Canada they generally continue to screw their customers &#8211; the original $30 for 6GB iPhone plans are nowhere to be seen, but good deals will hopefully return as additional competitors enter the market.</p>
<p>4) Cloud computing is making remote access to virtual computers a cost-effective reality.  With Citrix and Windows Remote Desktop clients available for the iPad, connecting to a remote computer with resources that far exceed that of any laptop is not only possible &#8211; it is about to become a commodity.</p>
<p>5) For many companies, the days of 3-year laptop refresh cycles are over as they seek all possible cost reductions. As a result, a new generation of workers is emerging: those who are sick of lugging around heavy, old, and frustratingly slow laptops that have a negative impact on their productivity. (These same companies appear oblivious to the productivity losses and morale issues caused by their failure to provide decent tools to their employees, but let&#8217;s save that for another article.)  Some workers now choose to use their own computer for work &#8211; and for many the iPad and virtual machine solution will be a winner. Some firms are embracing this, including updating their infrastructure to support corporate email on a variety of employee-owned devices.</p>
<p>In short, expect laptop sales to decline.</p>
<p>Apple seems to get this too &#8212; you won&#8217;t need a Mac or PC to set up, backup, or use your iPad or iPhone with this fall&#8217;s release of iOS 5.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2011/07/ipad-a-notebook-killer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why successful people leave work early</title>
		<link>http://jacksch.com/2011/06/why-successful-people-leave-work-early/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=why-successful-people-leave-work-early</link>
		<comments>http://jacksch.com/2011/06/why-successful-people-leave-work-early/#comments</comments>
		<pubDate>Tue, 14 Jun 2011 02:32:28 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4228</guid>
		<description><![CDATA[I just came across this great article on Business Insider entitled, &#8220;Why Successful People Leave Work Early.&#8221; Too often our days turn into an email and telephone rat race with little real work getting done. This article is worth a read.]]></description>
			<content:encoded><![CDATA[<p>I just came across this great article on Business Insider entitled, &#8220;<a href="http://www.businessinsider.com/leave-work-early-2011-5" target="_blank">Why Successful People Leave Work Early</a>.&#8221; Too often our days turn into an email and telephone rat race with little real work getting done. <a href="http://www.businessinsider.com/leave-work-early-2011-5" target="_blank">This article</a> is worth a read.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2011/06/why-successful-people-leave-work-early/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Buy online with confidence</title>
		<link>http://jacksch.com/2010/08/buy-online-with-confidence/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=buy-online-with-confidence</link>
		<comments>http://jacksch.com/2010/08/buy-online-with-confidence/#comments</comments>
		<pubDate>Thu, 05 Aug 2010 14:00:02 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4063</guid>
		<description><![CDATA[I&#8217;ve made a lot of online purchases and I often purchase goods online to take advantage of better selection and prices.   For example, I recently ordered a larger drive for my desktop PC.  Newegg and Tiger Direct both had a good product for a good price, and shipping was reasonable considering the cost of [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve made a lot of online purchases and I often purchase goods online to take advantage of better selection and prices.   For example, I recently ordered a larger drive for my desktop PC.  Newegg and Tiger Direct both had a good product for a good price, and shipping was reasonable considering the cost of gas and my time to go to the store.</p>
<p>I&#8217;ve only had two bad online experiences, and I got my money back both times.  Yet I continue to hear horror stories from others.  So I thought I&#8217;d share my approach.</p>
<p>First and foremost, there is nothing magic about shopping online.  The major difference when you walk into a shop is that you have a good idea where they are located. However, disreputable bricks-and-mortar stores (along with phone and mail order outfits) ripped off consumers for years before the Internet was invented.</p>
<p>So how can we shop online with confidence?</p>
<p>1) Consider ordering from businesses you know.  Saving a few dollars on an unknown vendor may not be worth it.</p>
<p>2) If you&#8217;re looking for something and don&#8217;t know where to find it, consider using eBay or Amazon. Carefully check feedback on the vendor before buying.</p>
<p>3) Always pay by credit card.  From time to time you may run across vendors who request payment by other means.  They might want you to wire money using Western Union or a similar service.  The problem is that once you&#8217;ve sent your money, there is little you can do about it.  Real online merchants accept credit cards or use a service like PayPal that accepts credit cards on their behalf. Period.</p>
<p>4) Understand any rules that apply to disputes.  For example, if you make a purchase on eBay and pay using PayPal you must open a dispute within 45 days.  Be wary of anyone who may be trying to string you along with a series of excuses, delays and apologies.</p>
<p>5) Next to how they treat other customers, the best predictor of how a business will treat you after getting your money is how they treat you before. When shopping online we often have our choice of products and resellers.  When I&#8217;m trying to decide, I&#8217;ll often email a few vendors to ask their advice or for product information.  The timeliness and quality of their response speaks volumes about them.</p>
<p>Have other words of wisdom to share?  Please comment!</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2010/08/buy-online-with-confidence/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do as we say, not as we do.</title>
		<link>http://jacksch.com/2009/10/do-as-we-say-not-as-we-do/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=do-as-we-say-not-as-we-do</link>
		<comments>http://jacksch.com/2009/10/do-as-we-say-not-as-we-do/#comments</comments>
		<pubDate>Mon, 19 Oct 2009 11:00:00 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3786</guid>
		<description><![CDATA[We often hear banks complaining loudly about the losses they suffer from payment card fraud.  Campaigns like “Protect your PIN” and humorous commercials with a miniature armoured truck following a customer down the street must cost tens of millions of dollars. But then consumers still receive calls like I did on Saturday afternoon.  The bank [...]]]></description>
			<content:encoded><![CDATA[<p>We often hear banks complaining loudly about the losses they suffer from payment card fraud.  Campaigns like “Protect your PIN” and humorous commercials with a miniature armoured truck following a customer down the street must cost tens of millions of dollars.</p>
<p>But then consumers still receive calls like I did on Saturday afternoon.  The bank – or someone claiming to be from the bank – called me, advised that they were recording the call, welcomed me as a new customer, and then asked me for my date of birth and postal code, “to confirm they were speaking to the right person.” </p>
<p>I have a very simple rule: If I call you, it’s reasonable for you to ask me to prove I am who I say I am.  However, if you call me, you get to go first.  And unfortunately, while banks are somewhat good at authenticating their customers, they never seem to consider how customers should authenticate them.</p>
<p>When I declined to provide personal information to the caller, she politely replied that I could call the number on the back of my card if I had any questions and then she ended the call.</p>
<p>So I did just that, and asked about the call.  The CSR verified that the person who called me was indeed from the bank, and that they ask for a date of birth and postal code to make sure they’re speaking with the “right person”. But he didn’t have a solution to how I should authenticate future callers who claim they’re from the bank.</p>
<p>Banks should know better.  Telephoning customers and asking for personal information is irresponsible and contributes to the identity theft problem.  Banks should be telling their customers that they will never call them and ask for personal information – just as they currently do for PIN numbers.</p>
<p>There’s also an obvious solution: The bank could easily add one more field to their database, a password that they will use when they call me. In fact, next time they do call, I think I’ll ask them for their telephone password.</p>
<p>Perhaps the Bank’s security, fraud and marketing people need to have a chat.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/10/do-as-we-say-not-as-we-do/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Financial Fraud and Internet Banking</title>
		<link>http://jacksch.com/2009/08/financial-fraud-and-internet-banking/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=financial-fraud-and-internet-banking</link>
		<comments>http://jacksch.com/2009/08/financial-fraud-and-internet-banking/#comments</comments>
		<pubDate>Mon, 24 Aug 2009 12:00:00 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3749</guid>
		<description><![CDATA[McAfee recently released a comprehensive report on the array of threats facing banks and their customers.  It includes topics such as card skimming, money laundering, the Nigerian 419 fraud, auctions, and online banking.  The report also provides a good overview of current countermeasures. Highly recommended reading! The full report is available for download here.]]></description>
			<content:encoded><![CDATA[<p>McAfee recently released a comprehensive report on the array of threats facing banks and their customers.  It includes topics such as card skimming, money laundering, the Nigerian 419 fraud, auctions, and online banking.  The report also provides a good overview of current countermeasures.</p>
<p>Highly recommended reading!</p>
<p>The full report is <a href="http://www.mcafee.com/us/local_content/reports/6168rpt_fraud_0409.pdf" target="_blank">available for download here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/08/financial-fraud-and-internet-banking/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Domain registration: Caveat Emptor</title>
		<link>http://jacksch.com/2009/07/domain-registration-caveat-emptor/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=domain-registration-caveat-emptor</link>
		<comments>http://jacksch.com/2009/07/domain-registration-caveat-emptor/#comments</comments>
		<pubDate>Mon, 27 Jul 2009 12:00:00 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3688</guid>
		<description><![CDATA[The Internet has been around so long that domain registrations have become a commodity.  The competition is fierce, and margins are small. Registrars compete for your business not only on price, but also on added features like bundled hosting and DNS service. And among the sales tactics is the offer of free domain registrations. The [...]]]></description>
			<content:encoded><![CDATA[<p>The Internet has been around so long that domain registrations have become a commodity.  The competition is fierce, and margins are small. Registrars compete for your business not only on price, but also on added features like bundled hosting and DNS service. And among the sales tactics is the offer of free domain registrations.</p>
<p>The reality, of course, is that there is no such thing as a free domain registration.  Somebody pays for it.  And while there is nothing wrong with giving a customer a “free” domain when they purchase other services, as one of my colleagues recently found out, ethics among hosting services greatly vary.</p>
<p>My colleague purchased a hosting plan for $5.95 per month with HostPapa.ca that included a free domain.  According to the terms of service posted on their web site, there shouldn’t have been a problem:</p>
<blockquote><p>“You have all rights to transfer, sell, or modify your domain name to another person or individual. If you decide to sell or transfer your domain name and HostPapa is the domain name registrar, please request our &#8220;domain name transfer instructions&#8221; by sending an email to <a href="mailto:support@hostpapasupport.com">support@hostpapasupport.com</a>. We will send you the specific details and information about transfer of ownership.”</p></blockquote>
<p>But, when my colleague decided to transfer his domain to another registrar, he found out that it wasn’t that straightforward.  HostPapa had registered the domain in their own name.  In email, he was told,</p>
<blockquote><p>“The $100.17 you paid upon sign up with HostPapa was for a hosting account. We included a FREE domain as a thank you for creating an account with us. This domain is only free as long as you are a HostPapa customer, hosting the domain on our servers.</p>
<p>If the domain was not free, you would have been charged $126.37 for hosting and a domain purchase. Now that you wish to cancel your services and take your domain away, the invoice I have created for your domain in the amount of $26.20 covers the cost of HostPapa registering this domain on your behalf when you signed up with us.</p>
<p>This is standard for anyone cancelling their account and wishing to retain their domain.”</p></blockquote>
<p>During his email discussion with them, at one point a representative of HostPapa wrote chillingly, “Legally, the domain name is ours.”</p>
<p>We contacted HostPapa and inquired, and they explained,</p>
<blockquote><p>“Yes, you can transfer your domain name to another host at a later date, however, there will be a fee of $24.95 + GST for Canadian clients to release the domain, since it&#8217;s only free as long as you are hosted by us.”</p></blockquote>
<p>Your domain name is key to your Internet presence, and losing it can have a significant impact.  Assuming you maintain a backup of your web site, you can easily move to another hosting company if you control your domain.</p>
<p>So what can you do to protect yourself?</p>
<p>First, keep in mind that virtually anyone can become a ‘registrar’ through a simple reseller agreement. The fact that a company can register a domain for you doesn’t provide any indication of business ethics. Search the web, read their agreements carefully, and do your best to check out their reputation.  Be cautious if transferring your domain requires emailing or telephoning support or the description of the process is vague.</p>
<p>Second, check your domains to ensure that they are registered in your (or your company’s) name, not a provider’s.  If you don’t already have a favourite “whois” tool or web site, try <a title="http://www.allwhois.com/" href="http://www.allwhois.com/">allwhois.com</a>. If the domain is not in your name, contact the registrar immediately and ask that it be corrected. If they refuse, indicate that you wish to transfer your domain to another registrar. But keep in mind that as far as the domain registration world is concerned, the owner is the entity listed in the whois database.</p>
<p>Third, consider using a separate registrar from your hosting provider.  If you’re more technically inclined and have a number of domains, you might consider opening your own reseller account with a large registrar like Tucows and becoming your own registrar.  It also might make sense for you to use a third-party DNS provider like <a href="http://dnsmadeeasy.com">dnsmadeeasy.com</a>.  Ideally you want control of your domain information including the contact names, addresses, and DNS servers. Your registrar should allow you to update at least your DNS information through a web-based interface.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/07/domain-registration-caveat-emptor/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protecting Corporate Assets</title>
		<link>http://jacksch.com/2009/07/protecting-corporate-assets/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=protecting-corporate-assets</link>
		<comments>http://jacksch.com/2009/07/protecting-corporate-assets/#comments</comments>
		<pubDate>Mon, 13 Jul 2009 11:00:40 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3678</guid>
		<description><![CDATA[Non-profits, co-ops, and other organizations that depend upon volunteers often have challenges when it comes to protecting corporate information assets against individuals who leave the organization.  For example, I&#8217;ve recently been dealing with a situation involving the use of Yahoo Groups.  While it&#8217;s a great way to share information with a group of people, here&#8217;s [...]]]></description>
			<content:encoded><![CDATA[<p>Non-profits, co-ops, and other organizations that depend upon volunteers often have challenges when it comes to protecting corporate information assets against individuals who leave the organization. </p>
<p>For example, I&#8217;ve recently been dealing with a situation involving the use of Yahoo Groups.  While it&#8217;s a great way to share information with a group of people, here&#8217;s what can happen:</p>
<ol>
<li>A volunteer sets up a group on behalf of the corporation, bearing the corporate name.</li>
<li>The volunteer runs the group for a while but subsequently decides to leave the role.</li>
<li>The volunteer refuses to turn over control of the group to a board member.</li>
<li>When pressed on the issue, the volunteer claims that the group is inaccessible because it hasn&#8217;t been used for a while.</li>
<li>When pressed further, the volunteer deletes the group including all content.</li>
</ol>
<p>Unethical volunteers (and employees) can create disruptive scenarios. In this case, they have the potential to impact communication with group members and information can be quickly lost. While criminal and civil proceedings can be initiated after the fact, the disruption has already occurred. </p>
<p>In an ideal world, there would be services available that take these issues into account. For example, one could have multiple administrators and require two of them to approve sensitive transactions.  But until services like that exist, your best defence is to recognize what can happen, and ensure that someone other than the group administrator has a copy of all documents and maintains a list of participants&#8217; email addresses so that they can be contacted if an issue arises.</p>
<p>Have another suggestion?  Please comment and let me know!</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/07/protecting-corporate-assets/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How about a date?</title>
		<link>http://jacksch.com/2009/06/how-about-a-date/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=how-about-a-date</link>
		<comments>http://jacksch.com/2009/06/how-about-a-date/#comments</comments>
		<pubDate>Mon, 29 Jun 2009 12:00:00 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3636</guid>
		<description><![CDATA[Sometimes in security, and life in general, it’s the seemingly small issues that cause problems.  As the saying goes, “The devil is in the details.” Take dates for example.  If I were to suggest we meet for a 10:00 coffee on 07/10/09, when should you show up?  Most of you would assume that 09 is 2009.  [...]]]></description>
			<content:encoded><![CDATA[<p>Sometimes in security, and life in general, it’s the seemingly small issues that cause problems.  As the saying goes, “The devil is in the details.”</p>
<p>Take dates for example.  If I were to suggest we meet for a 10:00 coffee on 07/10/09, when should you show up?  Most of you would assume that 09 is 2009.  Then you’d hope to infer from other information whether I meant July 10th or October 7th.  Those who know I’m a night owl might wonder if I mean 10 p.m., while my old army buddies would assume that if I meant 10 at night I’d write 22:00.</p>
<p>About ten years ago, software developers and IT managers were in a hectic race against the clock. In many cases they just didn’t know what would happen when computers using two digit dates rolled from 99 to 00.  Or 100. And it appears that in the past 10 years we’ve learned very little about standardization.</p>
<p>Of course there are those who don’t bother with the year at all.  The yogurt in my fridge reads JL13.  At least I can figure out that they mean July 13, and I can hope that this container didn’t somehow get shoved to the bottom of the pile for a year.  Or even worse, the dreaded “Best before 08/01.” Is it good for another month and a half, or should I carefully double bag it and put it in the trash without disturbing whatever new life form might dwell beneath the lid? It just doesn’t make sense to force product manufacturers to put a date on something if we can&#8217;t be positive what it means.</p>
<p>Fortunately there is a simple solution:  Adopt the <a href="http://www.iso.org/iso/support/faqs/faqs_widely_used_standards/widely_used_standards_other/date_and_time_format.htm" target="_blank">international standard, ISO 8601</a>. Unlike many ISO standards, it isn’t all that complex.  June 22, 2009 is 2009-06-22 or 20090622.  10:00 a.m. is 10:00:00, and 10:00 p.m. is 22:00:00. Provisions exist for omitting seconds, etc., if they aren’t required.</p>
<p>Isn’t today a good date to become part of the solution?</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/06/how-about-a-date/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>PCI Security Presentation</title>
		<link>http://jacksch.com/2009/06/pci-security-presentation/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=pci-security-presentation</link>
		<comments>http://jacksch.com/2009/06/pci-security-presentation/#comments</comments>
		<pubDate>Mon, 22 Jun 2009 12:00:00 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/2009/06/29/pci-security-presentation/</guid>
		<description><![CDATA[There’s a lot of information about the Payment Card Industry Data Security Standard (PCI DSS) on the Internet, but if you’re looking for a good overview, check out eNable’s Quick Guide to PCI Compliance video.  Their fifteen minute presentation is both technically correct and presented in language that anyone can understand – a refreshing change [...]]]></description>
			<content:encoded><![CDATA[<p>There’s a lot of information about the Payment Card Industry Data Security Standard (PCI DSS) on the Internet, but if you’re looking for a good overview, check out <a href="http://www.enablebusol.com/html/pci_flash.html" target="_blank">eNable’s Quick Guide to PCI Compliance video</a>.  Their fifteen minute presentation is both technically correct and presented in language that anyone can understand – a refreshing change from many security presentations.</p>
<p>If you accept credit cards, you’re required to comply with PCI DSS. There are ways to simplify PCI compliance requirements, especially for small businesses, but it all starts with understanding what those requirements are. If your business accepts credit cards, you owe it to yourself to watch this video.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/06/pci-security-presentation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Pandemic Planning – This one or the next?</title>
		<link>http://jacksch.com/2009/05/pandemic-planning-%e2%80%93-this-one-or-the-next/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=pandemic-planning-%25e2%2580%2593-this-one-or-the-next</link>
		<comments>http://jacksch.com/2009/05/pandemic-planning-%e2%80%93-this-one-or-the-next/#comments</comments>
		<pubDate>Mon, 25 May 2009 12:00:58 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3567</guid>
		<description><![CDATA[I’ve been avoiding writing about pandemic planning for a while because there has simply been too much hype.  But there is a positive side to all this:  Companies, through their pandemic planning, are hopefully making workplaces safer and taking a look at their business continuity plans. Every year we have “flu season”.  And every year [...]]]></description>
			<content:encoded><![CDATA[<p>I’ve been avoiding writing about pandemic planning for a while because there has simply been too much hype.  But there is a positive side to all this:  Companies, through their pandemic planning, are hopefully making workplaces safer and taking a look at their business continuity plans.</p>
<p>Every year we have “flu season”. And every year we have people show up at work with the flu as if doing so displays their dedication. In reality, they’re spreading a virus to their colleagues. Hopefully employers are looking at the bigger picture and making simple policies such as prohibiting employees with a fever from entering any company facility.</p>
<p>The larger picture is business continuity planning.  There are countless reasons why employees may not be able to come to the workplace:  Illness (the employee, a family member or fear of contact with ill colleagues), power failures, protests, floods, severe weather and other natural disasters. While firms in the manufacturing sector may have to shut down, many others could, with the right planning, sustain operations with employees working remotely.</p>
<p>How well prepared is your company?</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/05/pandemic-planning-%e2%80%93-this-one-or-the-next/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Learning from Mistakes</title>
		<link>http://jacksch.com/2009/05/learning-from-mistakes/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=learning-from-mistakes</link>
		<comments>http://jacksch.com/2009/05/learning-from-mistakes/#comments</comments>
		<pubDate>Mon, 11 May 2009 12:30:00 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3524</guid>
		<description><![CDATA[There’s a great poster over at Despair Inc. that reads, “It could be that the purpose of your life is only to serve as a warning to others.” In the security field we strive to keep our employers and clients out of that category.  However, reality is such that we often learn best from our mistakes [...]]]></description>
			<content:encoded><![CDATA[<p>There’s a <a href="http://despair.com/mis24x30prin.html" target="_blank">great poster over at Despair Inc.</a> that reads,</p>
<blockquote><p>“It could be that the purpose of your life is only to serve as a warning to others.”</p></blockquote>
<p>In the security field we strive to keep our employers and clients out of that category.  However, reality is such that we often learn best from our mistakes and those of others.  As any parent can attest, even the best warning about the potential danger involved in a childish act of stupidity doesn’t come close to the educational impact of falling, or watching one’s friend fall, flat on their face.</p>
<p>Last week I wrote about a security breach at Twitter that resulted from a poor security design.  The kindest thing I can say is that Twitter managed to ignore more than thirty years of security knowledge and made a design error that I would expect a junior security consultant to pick up in a matter of minutes.</p>
<p>Don’t get me wrong &#8212; I’m a huge fan of Twitter.  The basic concept behind their service isn’t new, but their timing, marketing and some of their technical decisions are brilliant. But, as much as it pains me to say this about any company, they are making the same critical mistake that has plagued many startups in the Internet space: They obviously lack competent security expertise.</p>
<p>I’m sure that they mean well, and I’m sure Twitter has some very talented developers that really want to do the right thing.  I’m sure that they have considered some aspects of security.  But they need more.  They need a security pro sitting around the development table.  They need to critically examine every aspect of their system from a security perspective.  And they desperately need a good security risk assessment.</p>
<p>Take, for example, my experience with Twitter last week. On Tuesday they announced the ability to send updates via SMS to Rogers phones. I found out because my phone suddenly started getting SMS messages. I replied with “off” and it stopped.  Wednesday the exact same thing happened again.  “Off” worked, and I logged in via the web to make sure it was really turned off. </p>
<p>Thursday morning it was back with a vengeance. I was driving to the office and a flood of messages began.  Having worked on an SMS project, I knew that mobile phone companies require systems that use SMS to honour the ‘stop’ command.  As soon as a mobile phone subscriber sends ‘stop’ the service provider is supposed to reply with an acknowledgement and not send any further messages.  So I replied with ‘stop’.  Twitter sent an acknowledgement, but messages continued to flood in.  At first I assumed there must be a queue somewhere, but an hour later I was still being flooded with so many messages that my phone was almost useless.</p>
<p>I logged into Twitter and tried to turn off the SMS updates.  But the system gave me an error and continued to show the updates as ‘on’.  Next I tried to delete the phone.  Given that the Twitter ‘Devices’ page displayed my mobile phone number, that should have been easy.  But in response to the ‘delete’ button Twitter replied that there was no valid device to delete.</p>
<p>I opened a support case and while waiting found that the ‘sleep’ function would still work. I temporarily managed to get messages under control by telling Twitter that I sleep 23 hours per day.  About 10 hours into the incident, I received a reply from Twitter support indicating that they couldn’t resolve the issue and had escalated it.  Some time after that they managed to delete my phone from the system.</p>
<p>From a security perspective, a few things went wrong. First and foremost, the system is clearly not designed to gracefully handle database inconsistencies. I don’t know how Twitter’s database works. Presumably it’s large and complex due to the sheer volume of data it handles. But if the system can display your telephone number and not delete it, something is very wrong.</p>
<p>In a perfect world, databases maintain internal consistency.  But we don’t live in a perfect world, and all sorts of strange things can happen in a database.  From a security perspective (as well as an operational one), we need to accept this fact and design for it.</p>
<p>When it comes to any type of communications system, we must recognize that system failures do occur. For example, radio systems often have timers to shut down the transmitter in the event that a person, computer, or stuck microphone attempts to transmit for a long period of time. When designing an SMS gateway, we similarly need to recognize that database issues or queuing problems could potentially result in a large quantity of undesired messages being sent to a mobile phone. To protect both the organization and the user, the system should be designed to tolerate these failures gracefully. And when the user sends ‘stop’, the system must ensure that the messages do indeed stop.</p>
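<p>As an added example, not code from the original post and not Twitter’s implementation, here is the send path the paragraph above argues for, in Python. Two guards sit directly in front of the carrier call, independent of whatever the “updates on” flag in the main database says: an opt-out set written the moment a stop word arrives and consulted on every send, and a per-recipient sliding-window limit that trips a breaker when exceeded, so that a stuck queue or an inconsistent record produces a bounded number of messages rather than a flood. The stop words, the default of 10 messages per 60 seconds, the phone numbers and the injectable clock are my assumptions, chosen for illustration.</p>

```python
import time
from collections import defaultdict, deque


class SmsGateway:
    """Outbound SMS path that fails closed when the user says stop or the system misbehaves."""

    STOP_WORDS = {"stop", "off", "quit", "cancel", "unsubscribe"}

    def __init__(self, carrier_send, max_per_window=10, window_seconds=60, clock=time.monotonic):
        self._carrier_send = carrier_send   # callable(number, text) that talks to the carrier
        self._max = max_per_window          # assumed default; nobody legitimately needs more
        self._window = window_seconds
        self._clock = clock                 # injectable so the window can be tested deterministically
        self._opted_out = set()
        self._suspended = set()
        self._sent_at = defaultdict(deque)  # number -> send timestamps still inside the window

    def handle_inbound(self, number, text):
        """Process a reply from the handset. Returns the acknowledgement sent, or None.

        The opt-out is recorded before the acknowledgement goes out, so a crash
        between the two steps still leaves the user unsubscribed. The acknowledgement
        bypasses send() because the carrier requires it even for a silenced number.
        """
        if text.strip().lower() in self.STOP_WORDS:
            self._opted_out.add(number)
            ack = "You will receive no further messages."
            self._carrier_send(number, ack)
            return ack
        return None

    def resubscribe(self, number):
        """Explicit action by the user or an operator is the only way back in."""
        self._opted_out.discard(number)
        self._suspended.discard(number)
        self._sent_at.pop(number, None)

    def send(self, number, text):
        """Returns 'sent', 'opted_out' or 'suspended'; a refused send is not an error."""
        if number in self._opted_out:
            return "opted_out"
        if number in self._suspended:
            return "suspended"
        now = self._clock()
        recent = self._sent_at[number]
        while recent and now - recent[0] > self._window:
            recent.popleft()
        if len(recent) >= self._max:
            # Something upstream is flooding this number. Stop, and leave it
            # suspended until a human looks at it; the breaker does not auto-reset.
            self._suspended.add(number)
            return "suspended"
        recent.append(now)
        self._carrier_send(number, text)
        return "sent"


if __name__ == "__main__":
    gw = SmsGateway(lambda number, text: print("->", number, text), max_per_window=3)
    for i in range(5):                       # a runaway queue: only three get through
        print(gw.send("+16135550100", "update %d" % i))
    print(gw.handle_inbound("+16135550100", "STOP"))
```

<p>The breaker deliberately stays open after the window passes: an automatic reset would just let the next burst through. Note also that send() never raises on a refused message, so the caller’s retry logic cannot turn a refusal into another attempt.</p>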
<p>Then there’s the helpdesk issue.  Twitter is a free service, and we all understand that free services can’t always provide immediate technical support.  But Twitter doesn’t give the user any way to indicate the severity of the issue.  A ten hour response time to most support requests is fine – but when Twitter is malfunctioning and slamming a user with SMS messages it is woefully inadequate.</p>
<p>Part of a security risk assessment involves asking difficult questions about internal and external threats.  It requires considering what can go wrong and determining the potential consequences. It involves exploring scenarios like, “What happens if one of our executive’s email accounts is hacked?” and “What could cause the system to go berserk and start flooding users with messages?”</p>
<p>Good security is about much more than checking a user’s password.  It’s about achieving a holistic understanding of the system&#8217;s confidentiality, integrity and availability properties.  It’s about understanding what can go wrong and how to design and operate  the system to minimize the risk. And ultimately it is about protecting the organization’s bottom line.</p>
<p>If Twitter wants to avoid serving as a warning to others, they need to start taking security much more seriously. They need to find about $50,000 in their budget for a proper risk assessment. Then they need to start incorporating security requirements into their software development lifecycle. Investors may be desperate for a good start-up these days, but they understand that security breaches, especially those that reveal questionable security competencies, are bad for business. And in the fickle world of social media, they can be fatal.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/05/learning-from-mistakes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Loss Prevention</title>
		<link>http://jacksch.com/2009/04/data-loss-prevention/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=data-loss-prevention</link>
		<comments>http://jacksch.com/2009/04/data-loss-prevention/#comments</comments>
		<pubDate>Mon, 13 Apr 2009 11:00:09 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3458</guid>
		<description><![CDATA[[This article originally appeared in MONiTOR Magazine] Protecting sensitive information gets more difficult every day, and it shows. We hear about major security breaches on a weekly – sometimes even daily – basis. There are several reasons: Corporate perimeters are disappearing due to information sharing requirements and an increasingly mobile workforce; To remain competitive, applications [...]]]></description>
			<content:encoded><![CDATA[<p>[This article originally appeared in MONiTOR Magazine]</p>
<p>Protecting sensitive information gets more difficult every day, and it shows. We hear about major security breaches on a weekly – sometimes even daily – basis. There are several reasons:</p>
<ul>
<li>Corporate perimeters are disappearing due to information sharing requirements and an increasingly mobile workforce;</li>
<li>To remain competitive, applications are often rushed to the market without adequate security design and testing;</li>
<li>More data is in motion, both inside and outside corporations, on a variety of mediums; and,</li>
<li>Employees often receive little security awareness and training.</li>
</ul>
<p>Every company should be conducting risk assessments, vulnerability assessments and security awareness training. But a significant contribution to the problem is that most of the security controls we have traditionally used focus on protecting networks and computers instead of data.</p>
<p>The assumption, of course, is that by protecting the server, you protect the data on it, and that remains an important concept in a layered security architecture. But what about protecting the information asset more directly?</p>
<p>Corporate and government information is subject to all sorts of threats. And while we tend to focus on espionage and the theft of financial information, a lot of information leakage is unintentional. For example, employees often email confidential information because it’s convenient, without realizing that it is highly vulnerable to interception while in transit. It’s also easy to accidentally send email to the wrong person, as many of us have embarrassingly found out. Sometimes issues result from what I call the “intentional unintentional”. For example, an employee who can’t send a .zip file attachment due to corporate rules might log into a webmail account and send it from there. While the employee knew that they were breaking corporate policy, their intent was just to get their job done, not to create a security incident.</p>
<p>Some organizations have reacted to the data leakage risk by implementing draconian ‘security’ measures like physically disabling USB ports and using web filtering technologies to prevent employees from accessing webmail accounts, social media sites, and other resources deemed “not employment related”. While these measures can sometimes help, overkill is not without cost, including impact on employee morale and retention. Perhaps I’m a security rebel, but I suggest that my clients consider encouraging employees to use webmail accounts for personal email and reserve their corporate email account for company business. This reduces risks such as embarrassment due to employees writing controversial emails, makes it clear when the employee is speaking for the organization and when they are not, and reduces the amount of personal information on company servers and in archives.</p>
<p>But enough on the problem. What’s the solution?</p>
<p>Data Loss Prevention (DLP) is the next big thing in information security. DLP is a discipline to reduce information leakage by discovering, monitoring and protecting sensitive information assets. DLP products are both content and context sensitive &#8212; a new level of sophistication for security products.</p>
<p>DLP products use different terminology, but it’s easiest to understand them by thinking of a toolbox rather than a single tool. Most vendors offer a central point of administration, and those who don’t are in the process of integration. The other tools have specific purposes. Discovery modules scan file shares, databases, web servers and other repositories for information that shouldn’t be there. Based upon the policy configuration, they may generate alerts, reports or automatically move information to a secured location, leaving behind a ‘breadcrumb’ to tell users what has been done.</p>
<p>Monitoring modules work at the host or network level. A sniffer approach is often used to monitor network traffic at the organizational perimeter to detect sensitive information leaving the organization. Endpoint agents (installed on user laptops and workstations) can also provide passive monitoring. It’s important to note that this is very different from the “spyware” type of monitoring that I’ll be discussing next month. The purpose of these modules is to detect and monitor the movement of sensitive information assets, not the user’s overall activity on the system.</p>
<p>Last, but not least, are modules that provide active protection. In some cases, such as the endpoint, the difference between monitoring and protection may simply be a matter of configuration. In network applications, protection agents are placed inline. For example, outbound email can be inspected and automatically routed to an encryption gateway or bounced as dictated by policy.</p>
<p>But there is much more to the discipline of DLP. Successfully using DLP tools in the corporate environment requires vision, strategic implementation and integration with other security program fundamentals. To begin, one has to be able to define sensitive information in order to detect it. If the organization already has a good classification policy in place it may need to be refined. If not, that’s a good starting point.</p>
<p>DLP tools can then be used to identify areas of concern. For example, a data loss assessment at the corporate perimeter can be used to quantify the organization’s leakage onto the Internet. Scanners can rapidly detect credit card numbers in documents on file shares. And endpoint agents can be used to monitor sensitive parts of the organization.</p>
<p>Once the magnitude and location of the data leakage problems are identified, an appropriate business case can be developed and DLP tools deployed where a sufficient business justification exists. I usually recommend a period of passive monitoring to fine-tune rules prior to implementing active protection. This reduces the likelihood of business interruption due to false positives. In addition to rules, some DLP products can also fingerprint both structured and unstructured data known to be sensitive so that it can be recognized in the future. Using these features requires careful planning so that the DLP deployment itself does not create vulnerability.</p>
<p>I’ve often said that security awareness is the best security investment an organization can make, and it’s noteworthy that DLP vendors seem to understand the value of education as well as the need to minimize operational overhead. Products on the market today have feature sets that facilitate automated remediation and user education. For example, we can write DLP rules to automatically notify the user if they have breached (or are attempting to breach) the organization’s policy.</p>
<p>For example, when a user attempts to email a file containing personal information, a DLP endpoint agent could pop up a box to warn the user and ask why they are trying to send the file. This not only educates the user, it also gathers important information for DLP administrators. At the network perimeter, a DLP sensor could detect that a user has included one social insurance number in an email, bounce it back to the user with an explanation, notify the user’s manager and close the incident. On the other hand, if the email included an attachment with many social insurance numbers, the email could be quarantined and an incident opened with the information security team.</p>
<p>The DLP discipline offers us new tools to directly address serious issues that corporations and governments face today. By combining them with other sound security fundamentals, we can significantly reduce risks related to data leakage.</p>
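<p>As an added example, not code from the article or from any DLP vendor, here is the detection and routing logic that the perimeter scenarios above describe, in Python: Luhn-validated scanners for payment card numbers (the file-share case mentioned earlier) and Canadian social insurance numbers, a policy that bounces a message carrying a single SIN back to the sender and notifies the manager, quarantines bulk SINs or any card number for the security team, and a passive-monitoring switch for the rule-tuning period recommended above. The threshold of three SINs, the notification targets and the sample messages are my assumptions, constructed for illustration; the SINs and card number used are published test values, not real data.</p>

```python
import re
from dataclasses import dataclass, field


def luhn_ok(digits):
    """Luhn checksum, shared by payment card numbers and Canadian SINs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits with optional single spaces or hyphens between them.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Nine digits in three groups of three, optionally separated.
_SIN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")


def find_pans(text):
    """Luhn-valid card numbers in the text, digits only."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def find_sins(text):
    """Luhn-valid SINs; card-number runs are masked first so they are not counted twice."""
    masked = _PAN_RE.sub(lambda m: "#" * len(m.group(0)), text)
    return ["".join(m.groups()) for m in _SIN_RE.finditer(masked) if luhn_ok("".join(m.groups()))]


@dataclass
class Verdict:
    action: str            # "deliver", "bounce" or "quarantine"
    reason: str
    notify: list = field(default_factory=list)


def evaluate_email(sender, manager, body, attachments, enforce=True, sin_bulk_threshold=3):
    """Decide what happens to one outbound message.

    Assumed policy, mirroring the article: one SIN in the message is bounced to the
    sender with the manager copied; three or more SINs, or any card number, anywhere
    in the body or attachments, is quarantined for the security team. With
    enforce=False (passive monitoring) the verdict is recorded but the mail is delivered.
    """
    sins, pans = find_sins(body), find_pans(body)
    for content in attachments.values():
        sins += find_sins(content)
        pans += find_pans(content)
    if pans or len(sins) >= sin_bulk_threshold:
        verdict = Verdict("quarantine", "%d card number(s), %d SIN(s)" % (len(pans), len(sins)),
                          ["security-team"])
    elif sins:
        verdict = Verdict("bounce", "message contains a social insurance number", [sender, manager])
    else:
        verdict = Verdict("deliver", "no sensitive data detected")
    if not enforce and verdict.action != "deliver":
        verdict = Verdict("deliver", "monitor mode: would %s (%s)" % (verdict.action, verdict.reason),
                          verdict.notify)
    return verdict


if __name__ == "__main__":
    # Constructed sample messages; 046 454 286 is a published example SIN.
    print(evaluate_email("alice@example.com", "bob@example.com",
                         "Hi, my SIN is 046 454 286, please update payroll.", {}))
    print(evaluate_email("alice@example.com", "bob@example.com", "see attached",
                         {"payroll.csv": "046454286\n123456782\n111111118\n"}))
```

<p>The Luhn check is what keeps phone numbers, invoice numbers and other nine- or sixteen-digit strings from tripping the rule; it is the cheapest false-positive filter available and every DLP product applies it. Running with enforce=False first, and reading the “would quarantine” verdicts, is the passive period the article recommends before the inline gateway starts bouncing mail.</p>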
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/04/data-loss-prevention/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How will Skype impact your business?</title>
		<link>http://jacksch.com/2009/03/skype-and-your-busines/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=skype-and-your-busines</link>
		<comments>http://jacksch.com/2009/03/skype-and-your-busines/#comments</comments>
		<pubDate>Mon, 30 Mar 2009 13:36:04 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=337</guid>
		<description><![CDATA[In TECHLife Post column today, I talk about how Skype is testing a SIP integration for businesses. This will allow Skype clients to make and receive calls directly from a VoIP-capable PBX. How will this impact your business?]]></description>
			<content:encoded><![CDATA[<p>In <a href="http://techlifepost.com/2009/03/30/skype-me/" target="_blank">TECHLife Post column today</a>, I talk about how Skype is testing a SIP integration for businesses. This will allow Skype clients to make and receive calls directly from a VoIP-capable PBX.</p>
<p>How will this impact your business?</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/03/skype-and-your-busines/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Adobe vulnerability — In perspective</title>
		<link>http://jacksch.com/2009/03/latest-adobe-vulnerability-%e2%80%94-in-perspective/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=latest-adobe-vulnerability-%25e2%2580%2594-in-perspective</link>
		<comments>http://jacksch.com/2009/03/latest-adobe-vulnerability-%e2%80%94-in-perspective/#comments</comments>
		<pubDate>Wed, 11 Mar 2009 10:00:36 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3272</guid>
		<description><![CDATA[I use a lot of Adobe products. Lightroom, Photoshop, Premiere and Acrobat to name some. So, when blogs started buzzing about an Acrobat vulnerability, they grabbed my attention. And, when my distinguished colleague Larry Seltzer at eWeek.com wrote that “It May Be Time to Abandon Adobe”, I began to wonder if the sky was falling. [...]]]></description>
			<content:encoded><![CDATA[<p>I use a lot of Adobe products. Lightroom, Photoshop, Premiere and Acrobat to name some. So, when <a href="http://blog.didierstevens.com/2009/03/09/quickpost-jbig2decode-look-mommy-no-hands/" target="_blank">blogs started buzzing</a> about an Acrobat vulnerability, they grabbed my attention. And, when my distinguished colleague Larry Seltzer at eWeek.com wrote that “<a href="http://www.eweek.com/c/a/Security/It-May-Be-Time-to-Abandon-Adobe/" target="_blank">It May Be Time to Abandon Adobe</a>”, I began to wonder if the sky was falling.</p>
<p>Adobe deserves a Colbert-style wag of the finger and I can understand why Seltzer is frustrated by the delay in obtaining a patch. But his suggestion that companies consider dumping Adobe in favour of other third-party pdf readers — that he himself admits also have a track record of security issues — just doesn’t make sense.</p>
<p>Let’s take a look at what happened.</p>
<p>In February, a vulnerability in several versions of Acrobat was discovered. In summary, it is possible to manipulate a pdf document so that your system becomes infected when you open it or, under certain circumstances, when your computer indexes it (more on that later).</p>
<p>Things appear to have been quiet until Feb 19th, when various security researchers and vulnerability databases picked it up. Adobe <a href="http://www.adobe.com/support/security/advisories/apsa09-01.html" target="_blank">released an advisory</a> the same day and updated it on Feb 24th. The advisory stated that a patch would be available on March 11th. They worked with antivirus vendors to protect customers, <a href="http://www.adobe.com/support/security/bulletins/apsb09-03.html" target="_blank">released a patch</a> and have information <a href="http://blogs.adobe.com/psirt/" target="_blank">on their blog</a>.</p>
<p>Yes, Adobe had a security defect in their code and took a few weeks to release a patch.  Yes they need to be more careful and respond faster.  But that’s only part of the story.</p>
<p>Aside from the overly sensationalistic and unbalanced journalism, much of the buzz had to do with the fact that, as <a href="http://blog.didierstevens.com/2009/03/09/quickpost-jbig2decode-look-mommy-no-hands/" target="_blank">Stevens points out in his blog post</a>, infection can occur, “&#8230;on a Windows XP SP2 machine with Windows Indexing Services started and Adobe Acrobat Reader 9.0 installed…And the bug happens in a process running with Local System rights!”  Nasty indeed, but that is only partially Adobe’s fault.</p>
<p>No process interacting with user data, including an indexing service, should be running with system privileges.  It’s the type of stupidity that should cause first year computer science students — and experienced IT writers — to point their finger and laugh.  No process indexing a user’s files should have the right to change operating system files. Ideally, the process also should not be able to write to any of the files it is indexing.  It doesn’t need those privileges to do the job and it shouldn’t have them. It’s called the Principle of Least Privilege.  If the operating system was properly designed, the impact of this code defect would have been significantly decreased.</p>
<p>If we really want to see fewer security vulnerabilities, we need to start better architecting software and operating systems and building-in security, rather than considering it as an afterthought.  We need to design systems to tolerate code mistakes without breaching security.  It can be done but software developers won’t do it until the market demands it.</p>
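<p>As an added example, not the article’s code and not a description of how Windows Indexing Service works, here is a small file indexer in Python that applies the principle of least privilege the two paragraphs above call for: it drops root to an unprivileged account before it touches user data and verifies the drop cannot be undone, opens each file read-only without following symlinks, refuses anything that is not a regular file, and reads a bounded number of bytes so that a parser bug cannot be turned into a write to the file or to the operating system. It assumes a POSIX system; the account name nobody, the one-megabyte cap and the sample document built by self_check() are my assumptions.</p>

```python
import os
import pwd
import re
import shutil
import stat
import tempfile


def drop_privileges(username="nobody"):
    """Give up root for good before any untrusted file is parsed.

    Returns True when privileges were dropped, False when the process was not root
    to begin with (nothing to drop). Raises if root could be regained.
    'nobody' is an assumed account; use a dedicated indexer account in practice.
    """
    if os.geteuid() != 0:
        return False
    pw = pwd.getpwnam(username)
    os.setgroups([])       # no supplementary groups left over from root
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)   # for root this sets real, effective and saved uid
    try:
        os.setuid(0)       # must fail: the saved uid is no longer 0
    except PermissionError:
        return True
    raise RuntimeError("privilege drop did not stick")


def open_for_indexing(path):
    """Open a file so that this process can read it but never change it.

    O_RDONLY: writes through the descriptor fail whatever the file's mode bits say.
    O_NOFOLLOW: a symlink planted in a user directory is refused (ELOOP), not followed.
    O_CLOEXEC: the descriptor cannot leak into a child process.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError("not a regular file: %r" % path)   # devices, FIFOs, directories
    except Exception:
        os.close(fd)
        raise
    return fd


def index_file(path, max_bytes=1 << 20):
    """Return the lower-cased words in the first max_bytes of the file.

    The byte cap bounds memory, so an oversized or malformed file cannot exhaust the indexer.
    """
    fd = open_for_indexing(path)
    try:
        data = os.read(fd, max_bytes)
    finally:
        os.close(fd)
    return {w.decode("ascii").lower() for w in re.findall(rb"[A-Za-z0-9]+", data)}


def self_check():
    """Constructed sample data: one document and one planted symlink in a scratch directory.

    Confirms that the document is indexed, the symlink is refused, and the descriptor
    handed out by open_for_indexing() rejects writes.
    """
    tmp = tempfile.mkdtemp()
    try:
        doc = os.path.join(tmp, "report.txt")
        with open(doc, "w") as f:
            f.write("Quarterly results: revenue up, costs down, revenue flat")
        link = os.path.join(tmp, "sneaky")
        os.symlink("report.txt", link)
        results = {"words": index_file(doc)}
        try:
            index_file(link)
            results["symlink_refused"] = False
        except OSError:
            results["symlink_refused"] = True
        fd = open_for_indexing(doc)
        try:
            os.write(fd, b"x")
            results["write_refused"] = False
        except OSError:
            results["write_refused"] = True
        finally:
            os.close(fd)
        return results
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print("dropped root:", drop_privileges())
    print(self_check())
```

<p>None of this makes the parser itself any safer; it changes what a successful exploit of the parser can reach, which is the point the article makes about the indexing service. The same shape applies to any service that processes files it did not create: drop privileges first, open read-only, and treat the rest of the system as out of bounds.</p>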
<p>Or, I guess you could just take Seltzer’s advice. Dump Adobe, and move to Foxit. That product hasn’t had a <a href="http://secunia.com/advisories/34036/" target="_blank">security vulnerability announced in two days</a>. And look, it’s the same issue as Adobe. Or take Seltzer&#8217;s advice and try Sumatra PDF, an open source solution that has <a href="http://code.google.com/p/sumatrapdf/issues/list" target="_blank">about 200 open defects</a>, some of which are from 2007.</p>
<p>Adobe may not be perfect and the company could have reacted faster. But put away the pitch forks. Or, at least, aim them in the right direction.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/03/latest-adobe-vulnerability-%e2%80%94-in-perspective/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Bus Strike? Bad Weather? Work at home!</title>
		<link>http://jacksch.com/2009/02/bus-strike-pandemic-bad-weather-work-at-home/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=bus-strike-pandemic-bad-weather-work-at-home</link>
		<comments>http://jacksch.com/2009/02/bus-strike-pandemic-bad-weather-work-at-home/#comments</comments>
		<pubDate>Mon, 02 Feb 2009 10:00:00 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Products]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=2654</guid>
		<description><![CDATA[Businesses, transit users and those of us who drive to work all suffered during Ottawa’s transit strike.  However, we can learn valuable lessons about business continuity planning that are equally applicable to an influenza pandemic, severe storm or even a terrorist attack. There is a segment of our population who simply must get to work: [...]]]></description>
			<content:encoded><![CDATA[<p>Businesses, transit users and those of us who drive to work all suffered during Ottawa’s transit strike.  However, we can learn valuable lessons about business continuity planning that are equally applicable to an influenza pandemic, severe storm or even a terrorist attack.</p>
<p>There is a segment of our population who simply <strong><em>must</em></strong> get to work: Police officers, fire fighters, teachers, bankers, assembly line workers and those in the health care, retail and hospitality sectors. But many of us can — or could, with the right solution — work from anywhere we have access to a computer and telephone rather than sitting in traffic.</p>
<p>Now, before I give you the wrong impression, I do live in the real world.  Face-to-face meetings are often more desirable than teleconferences, and some companies aren’t set up to support remote workers.  Some corporate cultures are such that working from home is seen as a euphemism for a day off and having one’s buttocks pressing upon a chair for the requisite number of hours is considered far more important than actually getting work done.  As a result modern day office martyrs drag themselves to the office when ill and consider sprinkling their viral load amongst colleagues a badge of honour.</p>
<p>When we step back and look at the issues from a broader point of view, it’s clear that during a transit strike we would all benefit by keeping the roads clear for those who must go to work and spending our time working instead of sitting in the car.</p>
<p>From a business perspective, not only are there advantages during transit strikes and severe storms, but the capability also allows the organization to function despite other emergencies such as fires, building evacuations and localized power failures. Enabling employees to work at home also helps to retain top talent by promoting a better work-life balance. And fewer commuters is better for the environment as well.</p>
<p>Enabling remote work — like any other infrastructure change — does have security implications.  Some organizations already have fundamental components in place such as laptops with VPN connectivity and the ability to forward phone lines.  For those who don’t, products are available to specifically address the issues.</p>
<p>One company seeing increased interest in their products is Route1, the Toronto-based firm that developed the MobiKEY product. &#8220;The user simply plugs MobiKEY into any computer with Internet access and within seconds they are able to access their home or office computer through the TruOFFICE service,&#8221; explained Tanieu Tan, Director of Marketing.  &#8220;With MobiKEY, all information remains behind the corporate firewall and no footprint of the work session is left on the guest computer. In the event that there is malware on the guest computer, it can not be introduced into the corporate network, making this a very secure solution.&#8221;</p>
<p style="text-align: center;"><a href="http://techlifepost.com/wp-content/uploads/mobikey1.jpg"><img class="aligncenter" style="border: 0pt none; display: inline;" title="MobiKEY1" src="http://techlifepost.com/wp-content/uploads/mobikey1-thumb.jpg" border="0" alt="MobiKEY1" width="444" height="162" /></a></p>
<p>The product also offers other features to facilitate secure access to Web portals or specific applications instead of an entire remote desktop environment.  These solutions also tout a high level of security by eliminating dependence upon applications on the user’s local computer.</p>
<p>So, whether you blamed the City, OCTranspo workers or, perhaps, both, we did get a great lesson in business continuity planning.  Acting now can better enable you and your company to cope with similar events in the future.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/02/bus-strike-pandemic-bad-weather-work-at-home/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Amazon, Queen of the Cloud</title>
		<link>http://jacksch.com/2008/12/amazon-queen-of-the-cloud/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=amazon-queen-of-the-cloud</link>
		<comments>http://jacksch.com/2008/12/amazon-queen-of-the-cloud/#comments</comments>
		<pubDate>Mon, 15 Dec 2008 11:00:25 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=1684</guid>
		<description><![CDATA[Last week I introduced the concept of cloud computing. To recap, the concept is that one can simply buy computing and storage resources as needed rather than investing in hardware and Internet connectivity. While a few companies have been talking about cloud computing, Amazon is doing it and selling it to anyone with a credit [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://techlifepost.com/2008/12/08/applications-in-the-cloud/" target="_blank">Last week</a> I introduced the concept of cloud computing.  To recap, the concept is that one can simply buy computing and storage resources as needed rather than investing in hardware and Internet connectivity.</p>
<p>While a few companies have been <em>talking</em> about cloud computing, Amazon is <em>doing</em> it and selling it to anyone with a credit card under the <a href="http://aws.amazon.com/" target="_blank">Amazon Web Services</a> banner.  To get a better understanding of the future of web application development, we’ll take a look at what they offer.</p>
<p style="text-align: center;"><a href="http://techlifepost.com/wp-content/uploads/amazon_web_serv.gif"><img class="aligncenter size-full wp-image-1688" title="amazon_web_serv" src="http://techlifepost.com/wp-content/uploads/amazon_web_serv.gif" alt="" width="200" height="73" /></a></p>
<p>Amazon Elastic Compute Cloud (Amazon EC2) is a Web service that provides resizable compute capacity in the cloud. It is designed to make Web-scale computing easier for developers. To summarize, you upload one or more virtual machine images to Amazon. Then you use an API to start and stop instances of your virtual machines, and pay only for the time you use.  Amazon offers several virtual computer ‘sizes’ starting at $0.10 per hour.  There is no minimum commitment. You simply pay for what you use.  If you design your application right, it can scale very quickly by spinning up additional instances as needed to handle the load.</p>
<p>Of course, almost any application requires storage space and that’s where Amazon Simple Storage Service (Amazon S3) comes in. Amazon S3 provides a Web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the Web.  It’s storage on demand and, in Amazon tradition, it’s also pay-as-you-go with no minimums.  The pricing model takes into account charges for storage, inbound traffic, outbound traffic, requests and whether storage is in the USA or Europe.  For example, storage in the USA starts at $0.15 per GB, inbound traffic at $0.10 per GB, outbound traffic at $0.17 per GB, and requests are one cent per thousand.  Prices to store data in Europe are slightly higher.</p>
<p>Amazon also offers a database service, a message queuing service to facilitate communication between computers in a distributed architecture, and the recently introduced beta CloudFront service, which looks like a very promising, easy-to-use content delivery service.</p>
<p>So what does this all really mean?</p>
<p>Amazon has removed many of the barriers to developing Internet-scale applications. Developers can start small with no capital investment and only pay for what they need, when they need it.  They also have an unprecedented ability to scale applications quickly in response to increasing demand for them.</p>
<p>But this change also has some interesting security implications, which I’ll discuss next week.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2008/12/amazon-queen-of-the-cloud/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Applications in the Cloud</title>
		<link>http://jacksch.com/2008/12/applications-in-the-cloud/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=applications-in-the-cloud</link>
		<comments>http://jacksch.com/2008/12/applications-in-the-cloud/#comments</comments>
		<pubDate>Mon, 08 Dec 2008 15:46:21 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=1554</guid>
		<description><![CDATA[About a decade ago, if you wanted to put your application on the Internet, you started by buying a server. Then, you had two choices: Bring enough bandwidth to your office or put your server in someone else’s facility. Given the cost of Internet connectivity at the time, it was usually less expensive to rent [...]]]></description>
			<content:encoded><![CDATA[<p>About a decade ago, if you wanted to put your application on the Internet, you started by buying a server.  Then, you had two choices:  Bring enough bandwidth to your office or put your server in someone else’s facility.  Given the cost of Internet connectivity at the time, it was usually less expensive to rent rack space but, for smaller applications and low volume Web sites, some of us did very well with $100 per month ISDN lines.</p>
<p>Hosting providers understood this, too, and quickly started offering turnkey solutions that included both the server and Internet connectivity.  For example&#8230; Today, that same $100 per month gets you a basic server in a commercial data center connected to the Internet.  From a business perspective, it makes a lot of sense:  There’s no capital outlay, no hardware maintenance cost, and the fact that it’s a pure expense is often a tax advantage.</p>
<p>Hosting providers also responded to the demand for something between shared Web hosting and a full server.  Leveraging virtualization technology (most commonly, open source Linux), the Virtual Private Server (VPS) market was born, giving small businesses and individuals their own virtual server starting around a $30 per month price point.</p>
<p>For many small businesses, a rental VPS server is a great solution.  However, if you’re setting out to develop the next Web 2.0 killer application, your major challenge is scalability.  If you’re lucky and your app is an amazing success, how will you handle the load?  Will it become the next Facebook, or will poor performance send it spiraling right into its grave?</p>
<p>Cloud computing is a simple concept:  Instead of purchasing specific hardware, why not just purchase computing resources such as virtual computers and virtual storage as you need them?</p>
<p>Over the next few weeks, I’m going to be looking at the Cloud computing phenomenon and discussing the security implications.  If you have any questions, please feel free to send them <a href="http://techlifepost.com/ask-the-editor/" target="_blank">via TLP’s ‘Ask the Editor’ page</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2008/12/applications-in-the-cloud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Encryption for Laptops</title>
		<link>http://jacksch.com/2008/11/encryption-for-laptops/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=encryption-for-laptops</link>
		<comments>http://jacksch.com/2008/11/encryption-for-laptops/#comments</comments>
		<pubDate>Mon, 24 Nov 2008 11:00:00 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=1130</guid>
		<description><![CDATA[Having your laptop stolen can ruin your whole week. Hopefully, by now, you&#8217;re backing it up regularly and you know that there&#8217;s software available that can dramatically improve the odds of getting your computer back. But perhaps the creepiest aspect of having your laptop stolen is that someone might be going through the information you [...]]]></description>
			<content:encoded><![CDATA[
<p>Having your laptop stolen can ruin your whole week. Hopefully, by now, you&#8217;re <a href="http://techlifepost.com/2008/11/10/preventing-data-disasters/" target="_blank">backing it up regularly</a> and you know that there&#8217;s <a href="http://techlifepost.com/2008/11/15/get-your-stolen-computer-backget-your-stolen-computer-back/" target="_blank">software available that can dramatically improve the odds of getting your computer back</a>. But perhaps the creepiest aspect of having your laptop stolen is that someone might be going through the information you have on it: Email, contact lists, web browsing history, passwords, financial information, family photos and, if you use the computer for work, potentially sensitive business information.</p>
<p>Just imagine a drug addict (they steal computers and sell them to buy &#8211; you guessed it &#8211; more drugs), a competitor (they&#8217;d like to know what you&#8217;re up to) or a nosy, unethical employee where you work (70 per cent of thefts are committed by insiders) sitting there looking at everything on your notebook, including some things that have even been deleted.</p>
<p>And then there are overzealous governments, criminals, and other prying eyes who might enjoy rifling through your notebook hard drive or even copying every bit on the hard drive for a detailed forensic analysis when you&#8217;re not around.</p>
<p>If none of that would bother you, no need to read further. But, for the rest of you&#8230;</p>
<p>There are a lot of different encryption products available to protect data on your laptop. But, sadly, many of them dive quickly into technical details and scare most people off. So, while I&#8217;d be happy to <a href="http://techlifepost.com/ask-the-editor/" target="_blank">answer your technical or security questions</a>, I&#8217;m going to avoid all that and just tell you what you need: full disk encryption software, or FDE for short.</p>
<p>Once installed, FDE software protects your entire hard drive and is very simple to use: You turn on your computer, type in your passphrase, and then the computer boots as usual. Some people confuse their computer&#8217;s BIOS password with FDE, but the two are quite different. BIOS passwords can be easily bypassed but, if you forget your FDE passphrase, the same mechanism that stops an intruder from getting your data will apply to you. If you&#8217;re using a corporate FDE solution, your company will almost always have a system that allows them to recover your passphrase or decrypt your hard drive. If you&#8217;re using a stand-alone solution, make sure you understand the recovery options available. For example, many products will allow you to create a recovery disk to keep somewhere safe in case you forget your passphrase.</p>
<p>There are several good products on the market, including <a href="http://www.winmagic.com/" target="_blank">SecureDoc from WinMagic</a>, <a href="http://www.checkpoint.com/pointsec/" target="_blank">Check Point Full Disk Encryption</a> (formerly Pointsec), <a href="http://www.mcafee.com/us/enterprise/products/data_loss_prevention/endpoint_encryption.html" target="_blank">McAfee Endpoint Encryption</a> (formerly SafeBoot), <a href="http://www.securstar.com" target="_blank">DriveCrypt, from SecurStar</a>, and <a href="http://www.truecrypt.org/" target="_blank">TrueCrypt</a>.</p>
<p>The WinMagic, Check Point, and McAfee products cater primarily to corporate and government clients. These products emphasize enterprise management of encrypted drives and are generally too complex and expensive for individual users.</p>
<p>DriveCrypt is available as an online purchase from Germany, and TrueCrypt is a free, relatively easy-to-use open source product with a huge following. Both offer some interesting features, including the ability to hide one operating system inside another. While there are some catches, the feature is intended for situations where one may be (or feel) compelled to disclose their FDE passphrase. Without going into technical details, it basically gives the user two passphrases. One provides access to their &#8220;real&#8221; system, while the other provides access to a decoy.</p>
<p>While each of the products has its strong points, TrueCrypt is hard to beat for individual users. I&#8217;ve tested it on several laptops with great success. Corporations, of course, should compare the commercial products so that they can retain control of their encrypted information and assist users should they forget their passphrase. When purchasing a new notebook, both individuals and businesses should also consider a &#8220;self-encrypting hard drive&#8221; if offered by the manufacturer. (More on hard drives with built-in cryptography in another article.)</p>
<p>No matter which product you choose, there are three very important things to remember:</p>
<ul>
<li>Pre-boot authentication is a MUST. In other words, if you can turn on your computer and it boots into Windows (or whatever operating system you are running), your data is not protected.</li>
<li>You must choose a complex (i.e. difficult-to-guess) passphrase and it must not be written on your computer, in your laptop case, or anywhere else someone is likely to find it. The best passphrases come from a phrase that is easy for you to remember and difficult for others to guess. For example, &#8220;elephantseatbreakfastB4readingtheTLP&#8221; would be very difficult for someone to break. Chances are you&#8217;ll only be typing it once or twice a day, so make it long!</li>
<li>Take the time to understand the recovery capability your product provides. If it offers to create a recovery disk, do so and store it safely. Never store it with your computer!</li>
</ul>
<p>Protecting your data in the event that your laptop is stolen is easy and, in the case of TrueCrypt, it&#8217;s also free. Speaking of free, I also should mention that some of the easiest ways of preventing laptop theft are free: Don&#8217;t leave it unattended in hotels, airports or meeting rooms &#8212; even for a few minutes &#8212; and make sure it is not visible if you leave it in your car.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2008/11/encryption-for-laptops/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Get your stolen computer back</title>
		<link>http://jacksch.com/2008/11/get-your-stolen-computer-back/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=get-your-stolen-computer-back</link>
		<comments>http://jacksch.com/2008/11/get-your-stolen-computer-back/#comments</comments>
		<pubDate>Mon, 17 Nov 2008 12:00:00 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=1125</guid>
		<description><![CDATA[Last week, I wrote about the importance of backups in preventing data disasters but that&#8217;s only one of the things I worry about. Even if you can recover your data from a recent backup, a few questions remain: Who has your data, what can you do about it, and can you get your computer back? [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://techlifepost.com/2008/11/10/preventing-data-disasters/" target="_blank">Last week</a>, I wrote about the importance of backups in preventing data disasters but that&#8217;s only one of the things I worry about. Even if you can recover your data from a recent backup, a few questions remain: Who has your data, what can you do about it, and can you get your computer back?</p>
<p>A few weeks ago, at <a href="http://www.gtec.ca/" target="_blank">GTEC</a>, I met up with Stephen Midgley, Senior Director of Marketing for <a href="http://www.absolute.com/" target="_blank">Absolute Software</a>, a successful Vancouver-based company that specializes in laptop recovery and asset control.</p>
<p style="text-align: center;"><a href="http://techlifepost.com/wp-content/uploads/lo_jack_box.jpg"><img class="aligncenter size-full wp-image-1135" title="lo_jack_box" src="http://techlifepost.com/wp-content/uploads/lo_jack_box.jpg" alt="" width="109" height="164" /></a></p>
<p>Absolute Software&#8217;s consumer product, <a href="http://www.lojackforlaptops.com/" target="_blank">Computrace LoJack</a>, installs on your notebook. About once a day, when connected to the Internet, it transmits a message to Absolute Software. If your computer is stolen, you contact the police, get a report number, and then call Absolute Software. They flag the notebook as stolen in their system. Next time it checks in, they not only know the IP address of the notebook at the time of the check-in, but they also send it an instruction that will cause it to begin reporting in every 15 minutes. Absolute Software then works with the police to help recover your notebook.</p>
<p>I had certainly heard about the product but I must admit that, before meeting Stephen, I didn&#8217;t understand why people would buy it. I figured that the thief would simply format the hard drive or install a fresh operating system and that would be the end of it. However, I was wrong: Absolute Software has worked with a number of leading notebook vendors, including IBM, DELL, HP, Toshiba and Acer, to embed an agent right into the BIOS. Assuming your notebook is supported, once you install the software, it activates the agent in the BIOS and even formatting your hard drive will not stop the notebook from reporting in the next time it is connected to the Internet.</p>
<p>Computrace LoJack has some other interesting capabilities. For example, if you have sensitive information on your laptop (which really should be encrypted, but that&#8217;s another article), Absolute Software can initiate remote deletion of the information once the stolen notebook connects to the Internet and checks in. The company also has a suite of offerings for corporate use that, in addition to the consumer features, helps companies keep track of their notebook fleet. Since many larger companies lease their laptops, knowing where they are at the end of a lease can save them a lot of money.</p>
<p>According to Midgley, 70 per cent of laptops are stolen by insiders, and across the industry approximately 3 per cent of stolen laptops are recovered. In sharp contrast, with tracking software and the BIOS agent, Absolute Software&#8217;s recovery rate is around 75 per cent. He also shared some great stories about how police have executed a search warrant to recover a stolen laptop and ended up finding a lot more.</p>
<p>Computrace LoJack is available online for just under $40/year, and that will be an issue for some users. However, when my laptop was stolen the insurance deductible was $500, and it&#8217;s hard to put a price on the opportunity to remotely delete sensitive data, recover the notebook, and hopefully put the thief in jail.</p>
<p>Next Monday, I&#8217;ll conclude this three-part series with how to protect your data from thieves, overzealous governments and other prying eyes.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2008/11/get-your-stolen-computer-back/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Preventing data disasters</title>
		<link>http://jacksch.com/2008/11/preventing-data-disasters/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=preventing-data-disasters</link>
		<comments>http://jacksch.com/2008/11/preventing-data-disasters/#comments</comments>
		<pubDate>Mon, 10 Nov 2008 11:00:00 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=922</guid>
		<description><![CDATA[Imagine you&#8217;re at work and the phone rings. It&#8217;s your alarm company, your home has been burglarized. You arrive home and, among other possessions, your computer is gone. To make matters worse, so are your accounting files, several years worth of email, and every digital photo you have of your kids. If you&#8217;re lucky, your [...]]]></description>
			<content:encoded><![CDATA[<p>Imagine you&#8217;re at work and the phone rings.  It&#8217;s your alarm company: your home has been burglarized.  You arrive home and, among other possessions, your computer is gone.  To make matters worse, so are your accounting files, several years&#8217; worth of email, and every digital photo you have of your kids.  If you&#8217;re lucky, your computer will just be sold for quick cash to support someone&#8217;s drug habit.  But if you&#8217;re unlucky, some scumbag will be rifling through the personal information on your hard drive.</p>
<p>Sadly, this isn&#8217;t just imagination.  Computers, especially laptops, are easily stolen and face other threats like being dropped or accidentally left in a taxi.  Of course it could all be much less dramatic:  Your hard drive could just fail, causing you to lose everything on it. The good news is that protecting your data is easier today than ever before.</p>
<p>There are several ways to protect your data.  For example, I burn my original digital images to DVD and store them separately from my computer.  External USB hard drives are also large and inexpensive; last I looked you could pick up a 250 GB drive at Costco for around $100.  The more technically inclined can also purchase a Network Accessible Storage (NAS) device and back up across the network.  All of these options protect against hard drive failures, and they might protect you against theft if you hide them or store them off-site.  But the problem with these methods is that most people don&#8217;t automate them and they forget. And with DVD or USB drive backups, automating it requires that you leave the media connected, where it is likely to be stolen along with the computer.</p>
<p>Fortunately there&#8217;s a better option for most home users:  Internet backup services.  A few years ago when I looked at some of the services they were too expensive and complex to recommend.  But times have changed, and services like Carbonite have become cheap ($50/year for unlimited backup space) and very easy.  Carbonite integrates into Windows so that you can simply right-click on files and folders to set whether they should be backed up.  I configured the product to automatically back up my desktop and documents, and it worked great.  The reason I&#8217;m starting to recommend these types of services is that they are simple and automatic.  Once configured, Carbonite automatically backs up files in the background as they change.  The first backup may take a while, even a few days, but then it only uploads changes.  From a security perspective, the product offers advanced users the ability to maintain their own cryptographic keys.  If you choose this option nobody at Carbonite will have access to your files, but if you lose your key neither will you.</p>
<p>For more advanced users, or those who want more control over the backup process, another great product is Jungle Disk.  Jungle Disk leverages Amazon&#8217;s S3 storage product.  In fact, you open your own account with Amazon, pay $20 for Jungle Disk (you can try it for free for 30 days), and within minutes you&#8217;re able to back up data to Amazon&#8217;s ultra-reliable storage service for $0.15 per GB per month (storage) plus $0.10 per GB for data transfers and a few other small fees.  Put in perspective, transferring one GB of data to S3 and storing it for a month will cost you about thirty cents.  Jungle Disk&#8217;s backup capability is more traditional, meaning that you define and schedule back-up jobs within the application. If your computer isn&#8217;t turned on (as is often the case with a laptop), you&#8217;ll probably need to remember to run it manually, and for that reason Carbonite is probably a better bet for most laptop users.  However, Jungle Disk also allows you to create a storage container (called a &#8220;bucket&#8221;) on S3 and map it to a drive on one or more of your computers.  You can use the drive like you would a local drive, and uploads to S3 occur in the background.  Advanced users can use this functionality with their existing backup software or even manually transfer files to it.</p>
<p>Jungle Disk communicates with the Amazon S3 service using HTTPS, so it will work from almost anywhere.  It also supports optional encryption using 256-bit AES.  Enabling this option and typing in a passphrase allows you to have all files encrypted prior to being transferred to S3, giving you a second layer of security.</p>
<p>Next week I&#8217;ll have a look at how having the right software on your computer can help you get it, and maybe even your other stuff, back if it is stolen.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2008/11/preventing-data-disasters/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Children&#8217;s Privacy Online</title>
		<link>http://jacksch.com/2007/10/childrens-privacy-online/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=childrens-privacy-online</link>
		<comments>http://jacksch.com/2007/10/childrens-privacy-online/#comments</comments>
		<pubDate>Tue, 23 Oct 2007 23:41:16 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Children]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://test.jacksch.com/?p=129</guid>
		<description><![CDATA[
]]></description>
			<content:encoded><![CDATA[<p>The Office of the Privacy Commissioner of Canada has posted Professor Valerie Steeves&#8217; presentation deck and <a href="http://video.google.ca/videoplay?docid=7709702757763862786&amp;hl=en-CA">speech</a> on Children&#8217;s Privacy Online on their <a href="http://blog.privcom.gc.ca/index.php/2007/10/21/how-childrens-sites-see-your-kids-as-marketing-goldmines/">blog</a>. Professor Steeves, from the Department of Criminology at the University of Ottawa, provides a thought-provoking and somewhat alarming insight into how companies are turning online children&#8217;s playgrounds into research and marketing tools. Every parent should <a href="http://video.google.ca/videoplay?docid=7709702757763862786&amp;hl=en-CA">watch this video</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2007/10/childrens-privacy-online/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

