• Can cloud security ever work?

    An interesting question, posed by V3.co.uk: Can cloud security ever work? – But how relevant is the question in itself? When computers, and especially personal computers, were introduced, people asked the same thing: will security on a PC ever work? The question is simply not the relevant one. Let’s face it: the Cloud will come. Period. We just have to figure out how we will manage risks in the Cloud – that’s our job.

    I have read figures claiming that Cloud computing will be up to 8 times less expensive than on-premise computing. Now, show me the CEO who will not want to save this money. The order given to the CIO will be “make it happen”, and the CIO will then come to the CSO and say: “secure it”. Of that I am completely sure. What about turning it around and being proactive, making security an enabler instead of a disabler? Then we can make the Cloud happen with acceptable risks.

    Roger

  • Windows Phone 7 Reviews

    I just got a mail that my Windows Phone 7 is ready for pick-up. Unfortunately I am in Redmond at the moment and my Windows Phone 7 is in Switzerland. The poor device will have to wait for me for another week (or is it the other way around – poor Roger has to wait another week for the phone?).

    In the meantime I have read some reviews, which make me even hungrier.

    Windows Phone 7 Review

    And allow me to blow away any chance of surprise and tell you right up front that my experiences with Windows Phone over the past several months have led me to one very clear conclusion: Regardless of my need to cover the platform as a job requirement of sorts, I will be using Windows Phone going forward. This is the system I prefer, honestly and openly, and I feel as strongly about this as I did about the inevitability of Windows 95 over 15 years ago or the righteousness of NT over 10 years ago. The quality of Microsoft's work varies from product to product, and certainly my enthusiasm can wane depending on what we're talking about. But I have very rarely ever been this excited about any technology product, from Microsoft or anywhere else, or in its ability to transform a market that has grown very stale with copycat features and products. Windows Phone is not just another smart phone. It's a revolution. It's right. Heck, it makes me smile. I want it to make you smile too.

    Windows Phone 7 review

    Microsoft's virtual keyboard on Windows Phone 7 is one of the most impressive I have used on a mobile device. The implementation of a wheel for word suggestions makes it quick to pick out words before you finish typing. The target size of the keyboard increases smartly. For example if you type "th" it guesses that the next letter will likely be an "e" or "a" and increases the target size of those characters. You don't see this visually but it certainly helps for typing words. When incorrect words are picked out, it shows a wheel of suggestions and underlines the incorrect word with a red squiggly line, like Microsoft's Office products. The target area for the backspace is also reduced when you're typing to avoid mistakes.

    […]

    Microsoft's approach to Windows Phone 7 is refreshing. The concept of hubs and tiles pays off across the operating system and provides a seamless and integrated experience for consumers. Although the operating system has a number of issues and feels like a work in progress in some areas, we're confident that Microsoft will address this quickly. Windows Phone 7 devices are extremely compelling smartphones at a time when many will be considering their holiday purchases. Microsoft is betting big with Windows Phone 7 and that bet has to pay off. From what we've seen, Windows Phone 7 will be a huge success for Microsoft. Although Apple's strategy and device offerings are solid, we fully expect Windows Phone 7 to eat into Android sales and recover its lost market share. Is Windows Phone 7 enough to save Microsoft's failed mobile efforts? Yes, it's a giant step in the right direction and one that the software maker will back with funding, support and development. Windows Phone 7 is a beautifully crafted work of art that you should definitely consider on your next phone.

    Microsoft's New Windows Phone 7: Novel But Lacking

    My conclusion is that Microsoft has used its years in the smartphone wilderness to come up with a user interface that is novel and attractive, that stands out from the Apple and Google approaches, and that works pretty well. Instead of multiple screens filled with small app icons, or the occasional widget, Windows phones use large, dynamic tiles that can give you certain information, like your next appointment, at a glance. And it has special "hubs" for things like contacts and entertainment that use bold, attractive interfaces and offer personalized, updating information.

    but

    But I couldn't find a killer innovation that would be likely to make iPhone or Android users envious, except possibly for dedicated Xbox users. Even the built-in Office can be replicated with third-party Office-compatible apps on competing platforms; and the iPhone and Android phones also can interoperate with Microsoft's corporate Exchange email, calendar and contact system.

    So for now, I see Windows Phone 7 as mostly getting Microsoft into the game, and replacing the stale, complicated Windows Mobile system that preceded it. It will get better. The company is already working on a copy and paste system, and said it is coming early next year. But, today, I see Windows Phone 7 as inferior to iPhone and Android for most average users. It's simply not fully baked yet.

    […]

    Overall, I can't recommend Windows Phone 7 as being on a par with iPhone or Android—at least not yet. Unless you're an Xbox Live user, or rely on Microsoft's SharePoint corporate Web-based document system, it isn't as good or as versatile as its rivals.

    A Windows Phone 7 'review' from a non-reviewer

    All this said, I think those who haven’t written off Microsoft in the mobile space — and especially those for whom a PC, Zune and/or an Xbox gaming console are part of their tech worlds — will find Windows Phone 7 worth a closer look. I will be sad to see my Focus go, but hoping to see some more Windows Phone 7 phones and more business functionality available for them in the not-so-distant future….

    And I heard that you can hold the phone whichever way is convenient for you and it still works.

    I want mine and I want it now…
    Roger

  • The Botnet Superhighway

    An interesting analysis by the Malware Protection Center: The Botnet Superhighway

    Roger

  • Internet on Mount Everest

    I already have a problem with the way tourism is developing on Mount Everest (while fully understanding that some people in the region make a living from it), but now you can even get fast Internet at base camp: Peak signal: 3G cell service comes to Mount Everest

    Is this the way to go?

    Roger

  • Stuxnet talks – do we listen?

    Stuxnet is a severe threat – that’s something we know for sure. But if we look at it – what do we really know? What can we learn?

    Let’s start from the beginning. As soon as Stuxnet hit the news, it was interesting to see what happened. There was a ton of speculation out there about the source and the target of the worm, especially once it reached the mass media. It is obvious that this is a story which is interesting for a broad audience – however, we security professionals need different sources.

    If you look at this interview at CNN, they give some background information but at the same time push the story.

    Unfortunately, even professionals seem to build their defense on hearsay, on what someone said somewhere… This is not the right source of information.

    So, a lot of speculation on different channels, social media as well as mass media. What do we learn from that?

    If you want to run your incident response properly, rely on trusted sources only.

    I think this is not the first time I am promoting this approach.

    If you want real information on Stuxnet, there you go:

    This is one side of the problem. What about the critical infrastructure? It seems to be common knowledge that Stuxnet is leveraging a vulnerability in the Siemens PLC code to manipulate parameters in control systems. This leads us to an interesting question, which is how to protect embedded systems.

    So far, I am convinced that within the industry we know fairly well how to protect classical IT systems like servers and PCs. If we extend this to embedded systems, the problem becomes much bigger. I once worked on this problem for medical devices. When I talked to the hospitals, they told me that regulation does not allow them to touch any technology on a medical device (even though these devices are connected to the internal network to exchange patient data). If you talk to the regulator, they tell you that they are satisfied with a risk management process run by the vendor (nobody really checks the risks in that process, as the regulation does not address this), and if you talk to the vendor, they do not want to bear the cost of maintaining the software on these devices – a classic example of passing the hot potato from one player to the next. This is a latent risk, which might be above the acceptable risk threshold for a society.

    What can we do to approach this? On a tactical level, this means reducing the risk by shielding such systems: do not attach them directly to the network but indirectly, behind a reverse proxy. On a strategic level, we have to look at them from a maintenance perspective like any other IT system. The FDA, for example, realizes that not patching a system might create higher risks than patching it. This by itself is a remarkable statement. It does by no means allow you to deploy patches without testing, but probably without re-validating the device.
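    To make the tactical point concrete, here is an added example (not code from the original post) of what “shielding” an embedded device behind a reverse proxy looks like in practice: the device’s web interface is reachable only from the proxy host, operators talk to the proxy, and the proxy forwards nothing but a small allow-list of read-only requests coming from the management network. The device address, the management network and the two allowed paths are constructed placeholders; the policy function is what matters and is what the check below exercises.

```python
"""Allow-listing reverse proxy in front of an embedded device's web interface.

Added example for the post above. DEVICE_BASE_URL, MANAGEMENT_NETWORKS and
ALLOWED_REQUESTS are constructed placeholders, not values from any real device.
"""
import ipaddress
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Placeholder: the device's own web UI, reachable only from the proxy host.
DEVICE_BASE_URL = "http://192.0.2.10"  # TEST-NET address, constructed

# Only operators on the management network may reach the device at all.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.50.0.0/24")]  # constructed

# Only read-only status endpoints are exposed. Configuration changes,
# firmware upload and diagnostics stay unreachable from the network.
ALLOWED_REQUESTS = {
    ("GET", "/status"),
    ("GET", "/alarms"),
}


def decide(client_ip: str, method: str, path: str) -> tuple[bool, str]:
    """Return (allowed, reason). The query string is ignored for matching,
    so '/status?verbose=1' is treated as '/status'."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "unparseable client address"
    if not any(addr in net for net in MANAGEMENT_NETWORKS):
        return False, "client outside management network"
    bare_path = path.split("?", 1)[0]
    if (method.upper(), bare_path) not in ALLOWED_REQUESTS:
        return False, "method/path not allow-listed"
    return True, "ok"


class ShieldingProxy(BaseHTTPRequestHandler):
    """Forward allow-listed requests to the device; deny everything else."""

    def _handle(self) -> None:
        client_ip = self.client_address[0]
        allowed, reason = decide(client_ip, self.command, self.path)
        if not allowed:
            # Denials are logged so that probing of the device shows up.
            self.log_message("denied %s %s from %s: %s",
                             self.command, self.path, client_ip, reason)
            self.send_error(403, reason)
            return
        req = urllib.request.Request(DEVICE_BASE_URL + self.path, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                body = resp.read()
                self.send_response(resp.status)
                self.send_header("Content-Type",
                                 resp.headers.get("Content-Type", "text/plain"))
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
        except urllib.error.URLError as exc:
            self.send_error(502, f"device unreachable: {exc.reason}")

    # Every verb goes through the same policy; non-GET verbs are refused by
    # decide() because only GET pairs are allow-listed.
    do_GET = do_POST = do_PUT = do_DELETE = _handle


if __name__ == "__main__":
    # Listen on the management-facing side; the device itself is never exposed.
    ThreadingHTTPServer(("0.0.0.0", 8080), ShieldingProxy).serve_forever()
```

    The design choice is that the proxy, not the device, is the thing you patch and monitor: the device keeps whatever software the vendor shipped, while the allow-list and the source-network check sit on an ordinary, maintainable host and every refused request leaves a log line.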

    When it comes to SCADA systems, one of my readers, Shoaib Yousuf, wrote a really good article, published in Computerworld and CIO in Australia, called Smart grid security: Critical success factors, showing different approaches to securing such systems.

    What do we learn from that?

    Realize that systems with embedded IT have to be maintained and protected like any other IT device, taking into consideration the special safety needs.

    And then finally, who are the players behind Stuxnet? A lot of people in the press and the blogosphere talk about an “act of war”. This is hard to tell based on public sources, as there is too much speculation and misinformation. Fact is that nations are ramping up their cyber capabilities and/or are partnering with highly skilled groups in that area. But does this already mean that we have seen a nation state attacking another one with Stuxnet?

    Do not base your judgment on sources where speed matters more than accuracy (something I often see on Twitter).

    Scott Charney recently decomposed the threats in his paper called Rethinking Cyber Threats and Strategies (or – if you really want – the PDF version). He separates four categories of attacks:

    1. Conventional Cybercrime
    2. Military Espionage
    3. Economic Espionage
    4. Cyber warfare

    What did we see with Stuxnet? We do not know, and just jumping on the bandwagon of the mass media because it is “cool” would be a little too easy. Fact is that the industry came together to fight this beast – which is the right thing to do – and I hope that governments come together to find the criminals behind the worm and take appropriate action.

    What do we learn from that?

    Do not draw conclusions on who is behind an attack just because of the media (be it social media or mass media).

    Finally, this leads me to my final plea, as fairly often when I blog on such things: without good collaboration within the industry, between the industry and governments, and between governments, it will be very, very hard to fight such attacks.

    And the “really final” point: as security professionals, we have to make sure that we at least keep an eye on the facts and do not help spread the fuss.

    Roger