Security issues will always exist 
At a recent tech show I was asked what I think the future trends will be in security. I think that security will always be an issue for a number of different reasons. First, one of the key features of computers is also one of their downfalls when it comes to preventing malware from running on a computer. Computers are flexible and are meant to run programs, and on top of that the programs one person runs are likely very different from the programs another person runs, so the idea of determining what good software is, is pretty well impossible. While digital certificates and signing code add to the level of user confidence in a program, there is no way to programmatically determine that software is not malware. For example, anti-malware detection software typically works by looking for some known code signature within the program, which while effective means the malware author has a period of time before the malware is discovered, analyzed, and signatures generated and distributed, and often this period of time is sufficient for the malware to generate favorable results from the malware author’s perspective. So what I’m driving at is malware will never totally disappear, sorry to say.

Now if we look at trends within attack vectors we see that some vendors have made great strides in securing their software. For example Microsoft has done a very good job at securing their operating systems, in that we have not seen a purely technical attack in a very long time (Sasser I believe was the last major worm of this type). By technical attack I mean exploiting a vulnerability which exists in the OS and only requires that the vulnerable system be connected directly to the internet; it requires zero user interaction (other than the user not patching their system). All global attacks we have seen lately require some form of user interaction: to click on the attachment, go to some web site, fall for some phishing scheme, etc. Our inability to fix or otherwise totally educate users, and human nature, is another reason why security issues will never disappear, in that users are just too easy to exploit. A good social engineering attack is always easier and better than a good technical attack.

Since the OS has become much harder to exploit, one trend that is on the increase is the number of attacks which focus on third party software or on internally developed software. Very few companies have invested in training their developers in secure coding practices or have made security a fundamental consideration in every phase of software development. The unfortunate result of this is most companies develop software which is full of potential exploits like SQL or script injection, cross-site scripting, privilege/authentication issues, canonicalization, etc. The list is almost endless and far too many corporations are vulnerable to far too many of these types of attacks, so until corporations and third party developers start investing in secure code by design and development, their security issues will never go away.

New technologies and practices are always a source of new exploits. For example wireless networks continue to be a security issue and despite the progress of secure protocols such as WPA, far too many wireless networks remain unsecured. Things like home or otherwise remote workers can have a huge impact on security. We live in a world of constant change both in technology and human issues, and where there is change there are opportunities for security exploits.

Hacking itself has changed radically over the years, and given it has evolved far beyond a mere curiosity or hobby to become a very profitable business, security issues will not go quietly into the good night but will be exploited in every fashion possible which will benefit the black hats. If nothing else, as security has gotten better, hackers have gotten better and more creative. Certainly the advantage belongs to the black hats, as typically security is a ‘reaction’ based process (it typically hasn’t matured beyond being reactive yet), so black hats still sit back and pick apart software, processes, etc., looking for vulnerabilities to exploit, and white hats try to keep up with patching code etc. Certainly secure by design and development helps reduce the number of vulnerabilities and layered security minimizes their impact, but we still largely depend on reactive processes to secure systems.

Microsoft’s Vista presents some very interesting changes in the concept of security, and while I very much like Vista and think it represents a huge step forward in security, it also presents some interesting challenges to both users and corporations. Vista is not only a very secure OS, but it can treat data in a very secure fashion and for the first time corporations can have the security they have always dreamed of, but I sometimes wonder if they find instead that their dreams are in fact too restrictive. So certainly for the first time corporations will have to confront security not just at a systems level, but on other levels as well. For example they will really have to think their processes through and find that balance between security, productivity, creativity and user involvement. This is totally new terrain to most corporations and will no doubt take companies a very long time to figure out what to do and while they are evolving there will be security issues. I very much look forward to the release of Vista and seeing the impact it has on security as I think it will be substantial, but yet very interesting in that it will create a number of new issues we haven’t even considered yet.

So are we winning the so-called war of security? I think so, but I don’t think it’s truly possible to fully win this war, and security issues will remain with us forever.


First big upset - Edmonton lays waste to Detroit 
It's that wacky time of the year again called NHL playoffs, which is something like March Madness (it's hard to describe just how low I finished in that pool this year), where NHL teams battle it out for the oldest professional sport trophy in North America (they were still inventing football when Lord Stanley's Cup was all the desire of hockey players everywhere).

So let me go out on a limb and make my prediction for the first big upset of the playoffs. Detroit will lose to Edmonton in 6. The Red Wings are only where they are because they play in what is without a doubt the weakest division in the NHL, so they are not as good as most people think they are. The really bad thing about this is Edmonton knows it, and knows they can beat Detroit, so there will not be any respect shown to the Red Wings by the Oilers. The Oilers can skate with the Red Wings, but more important they can out hit them and that will be the downfall of the Red Wings. Stevie Y fans better enjoy this series as I fear it will mark the end of the line for one of hockey's greatest players and all round class acts. Stevie Y isn't the kind of person who gets beat and still has something left in the tank, so you can count on him to put it all on the line as he always does.

If Detroit somehow manages to get past Edmonton don't look for them to get much further as Edmonton will have worked them over pretty good.

Note I'm not an Oiler fan, just a hockey fan.

Go Flames Go!!!

I will be at realDevelopment_2006 in Calgary on June 13th 
Time again for a Microsoft road show, and you will be able to join me in Calgary on June 13th at realDevelopment_06. In the morning get some inside information and demos from Microsoft on improving the user's web experience using Web 2.0 using AJAX (cool), RSS, Gadgets etc. In the afternoon the topic is security with information and demos on Digital IDs, Hacking and Defending.

For all you unlucky people who don't live in Calgary, you can attend this presentation in Ottawa on May 30th, Toronto on June 1st, Montreal on June 6th and Vancouver on June 8th. Typically these things fill up fast so I'd recommend not waiting too long to register. Lots of opportunities for questions and answers and I promise you will leave at the end of the day having learned something which will make you a better and more secure developer.

Cleaning up a drive, how to find the big files, duplicates etc 
Have you ever copied a huge file onto your system, but forgot where it was? Or have you ever needed to free up some space on your drive and hence needed to get rid of old or duplicate files? How would you do that? Try this: first open File Explorer (hold down the Windows Key (yes, the funny key with the Windows logo on it) and then press the E key and the file explorer will appear). Then select the drive where you want to search or clean up, right-click it to bring up the pop-up menu and select ‘Search…’ to bring up the search dialog. On the search dialog select the ‘What size is it?’ option and then choose ‘Specify size (in KB)’ and enter something like 10000 such that it will then search for all files over 10 GB and then press the Search button. Now this will return a list of all files on that drive (or sub directory depending on where you selected to search) which are bigger than your entered size.

Now this might not give you enough information to determine what you can delete or if a file is the one you are looking for, but fortunately you can get more information if you need it. I always use the ‘Details’ view, but the default setting within the search dialog often isn’t enough, so you can change this by selecting ‘View’ from the menu and then ‘Choose Details…’ where you have all sorts of details shown for the files found.
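The same search done from PowerShell, extended to also report duplicate files, which the dialog cannot do. This is an added example, not part of the original post; `$Root` and `$MinSizeKB` are assumed values, and `Get-FileHash` requires PowerShell 4.0 or later.

```powershell
# Added example, not from the original post. $Root and $MinSizeKB are assumed
# values; point $Root at the drive or folder you would search in Explorer.
param(
    [string]$Root      = 'C:\',
    [int]   $MinSizeKB = 10000   # figure typed into the dialog; 10000 KB is roughly 10 MB
)

# Walk the tree once; SilentlyContinue skips folders the account cannot read.
$files = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt ($MinSizeKB * 1KB) }

# 1) Big files, largest first, with the columns the 'Details' view would show.
$files | Sort-Object Length -Descending |
    Select-Object @{n='SizeMB'; e={[math]::Round($_.Length / 1MB, 1)}},
                  LastWriteTime, FullName |
    Format-Table -AutoSize

# 2) Duplicates: only files of identical size can be identical, so group by
#    size first and hash just those candidates with SHA-256.
$dupes = $files | Group-Object Length | Where-Object Count -gt 1 |
    ForEach-Object { $_.Group } |
    ForEach-Object {
        $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($h) { [pscustomobject]@{ Hash = $h.Hash; Length = $_.Length; Path = $_.FullName } }
    } |
    Group-Object Hash | Where-Object Count -gt 1

# Report only; nothing is deleted. Review each set before removing a copy.
foreach ($set in $dupes) {
    '{0} copies, {1:N1} MB each:' -f $set.Count, ($set.Group[0].Length / 1MB)
    $set.Group | ForEach-Object { "    $($_.Path)" }
}
```

Files that are locked or unreadable are skipped rather than reported, so run it from an account that can read the folders you care about.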

Happy cleaning….

Suunto n3i Watch - Worthy and cool at the same time 
After going 40+ years without wearing a watch, the Suunto n3i and MSN Direct add up to me wearing a watch for the first time in my life and liking it. I've never been one to obey time as I often feel that it is little more than a placebo for humans giving them a feeling of control over something that plows on no matter what they do. Time began long before us and will continue long after we are gone and our concept of measuring it often only serves to help humans cope with the idea of eternity. You can't really save time, stop time, or anything else as all you can do is use the time you are given. I don't care about time as I'm task driven, in that I set daily goals for myself and then spend as much time as needed to achieve those goals, so a watch was always meaningless to me. Now my wife and others no doubt wish I paid a little more attention to time, but that is how I am.

I guess it would be two years ago I received a Suunto n3 watch which was cool as it could be connected to my MSN account and was far more than just a watch as it automatically downloaded information and such that I selected. So I tried it for a while and while I liked it, the bulk and strap (stiff) resulted in the watch eventually finding its way to the bottom of a drawer to be somewhat forgotten. I then received a Suunto n3i which was thinner and the strap was far more comfortable, so now more often than not I find myself wearing my watch and have been for some time now.

I find the watch to be useful for tracking my appointments, news and of course sports teams. Now tracking of my beloved Calgary Flames hockey team is more than what you might think. For example I see who they are playing next and when, how they compare in the standings with whom they are playing, and if a game is on, 'live' updates of the score and time remaining in the game and a wrap up of the game afterwards. I must admit that more than once I've been out in a formal social occasion where for whatever reasons of formal etiquette watching sports or otherwise interrupting the so-called occasion with sports scores would be frowned upon (likely by the female gender), but my watch has allowed me to get my scores in pretty close to real time. In fact my watch tends to draw a crowd of other males who are similarly being deprived of their sports.

The watch offers a number of other advantages such as current weather and forecasts which if you live in Calgary can be rather nice given how fast our weather can change. I also get weather conditions in other cities which is handy when traveling or talking to associates in those cities. I must admit I do like being able to change the watch face as I'm not sure how someone could stand to look at the same watch day after day for years. Another feature that is handy is it can receive MSN Messenger messages, so people can send me a text message via my watch (handy when I forget to take my phone). Another feature I've enjoyed is when I travel the watch adjusts its own time and the time is very accurate and I don't have to adjust it. Funny how many times commercial pilots have asked me for the correct time (makes me wonder if perhaps I should be flying the plane).

So how does the watch receive all of this information? MSN Direct operates radio transmitters such that your information is sent via FM signal to your watch, so you are always current. Appointments and such are sent from Outlook to MSN and then sent to your watch. The coverage is actually really good, for example Calgary and the surrounding area is covered as is Edmonton as well as other major cities in Canada. Coverage in the States seems even better, and one feature I'd like to have in Calgary is traffic updates but that only seems to be available in the States.

You can learn more about my watch here

Note MSN Direct supports a number of different watches from different vendors. You can learn more about MSN Direct here

