December 23, 2007

Android and business cards

We are used to the idea of vCards and cell phones. That is, exchanging contact information via Bluetooth should be easy and an old story by now. What we also know is that firing up BT, selecting the vCard and so on is much slower than just handing out a business card.

Now think about this: an Android powered application able to broadcast (or unicast, if needed) your "Social Network Presence". That is, URLs to your LinkedIn profile, Facebook pop and so on.

Think about including some snippet of information from those networks and a nice little "who do we both know?" function. A must-have for the next conference...

December 22, 2007

Another point of view on IT security

I'll start this post with a strong statement: security as we know it today is 90% smoke and 5% useless crap.

Antiviruses: useless. Intrusion detection systems: useless. Encryption: useless. Firewalls: useless.

Since most of the more security-savvy people are now wondering if I've gone nuts, I'm just asking you all to follow me. This will be the first article of a short cycle of posts in which I will go through all the standard security "stuff" we all know about, and - hopefully - I'll show how it's time to rethink almost everything.

Let's start with an old friend, and the easy pick: the antivirus.

The antivirus is one of the oldest security measures: its usefulness has been discussed many a time, but no organization would ever, in its right mind, get rid of it.
What I think is that in a well managed organization there should be no need for an antivirus.

Enumerating, from a high-level perspective, the main vectors a virus uses (and with this term I'm encompassing more than just viruses: I'm including trojans, general malware, spyware and so on), we have:

  • Executing a file infected by a known virus. So, your users can execute any file on their machines, having the power to bring havoc to the whole network? And how did the file get there? Uncontrolled internet usage or maybe a floppy disk?
  • Executing a file infected by an unknown virus. Idem.
  • An unknown or known virus executing itself using some known exploit. So you're using vulnerable and unpatched software? Reminds me of good old Godsend.
  • An unknown or known virus executing itself using an unknown exploit.


While one can argue that heuristics are working better and better, the hard fact is that the virus - or the trojan or whatever - has to be known, and the antivirus signature file has to be up to date. So, I think we all agree that there is nothing an antivirus can do against new viruses. Actually, there's nothing an antivirus can do about any software whatsoever, since it obviously can't know the semantics of the software: in the DOS age we had format.bat files, and no antivirus could stop that. I don't see any progress since then.

Organizations spend a huge amount of money to keep corporate antiviruses up to date: a cost analysis can easily show how just one virus spreading in the enterprise network and bringing the business down for 12 hours (not to mention potential data loss!) is enough to justify the expense. And after all, the managers are using antiviruses at home, too, so it's something they can grasp, something they are comfortable with.

What these analyses never include is an alternative which actually works. No matter what, you are not going to be protected against a new virus, and you have the same chance (nowadays I'd say it's MORE LIKELY, but that's just my opinion) of being attacked by a new virus as by an old piece of malware. So you're spending money hoping that a new WhateVerEvil.M12 won't hit your network before it hits the others, so you have the time to upgrade your signatures.

I feel this is not a good idea.
Of the attack vectors I've listed before, only one - the auto-execution via a 0-day exploit - cannot be prevented.
If the machines - all of them - are patched up, the virus won't be able to execute itself using an exploit.
If you are in control of your infrastructure, users won't be able to execute software - they just won't need to do so - or they will be able to do so in sandboxes and in a responsible manner (training, anyone?).
And the list goes on and on.

That's it, antiviruses are not part of the solution anymore, so they most likely are part of the precipitate.
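The alternative this post argues for is control over what runs, rather than recognition of what is bad. The following example (added here; not code from the original post) shows the smallest form of that control: an allowlist of approved binaries identified by SHA-256, where anything not on the list, known or unknown, is denied, and an approved file that has changed on disk since approval (infected, tampered, or silently replaced) is denied too. The manifest, the file contents and the paths are constructed for the example; a real deployment would sign the manifest and refresh it from the patch and deployment process.

```python
"""Execution control by allowlist (constructed example).

Instead of asking "is this file a known virus?" (signature matching), the check
asks "is this exactly one of the binaries we approved?". The manifest and the
sample files below are constructed for the example.
"""
import hashlib
import os
import tempfile


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(approved_paths):
    """Snapshot the approved binaries as {absolute path: sha256} at deployment time."""
    return {os.path.abspath(p): sha256_of_file(p) for p in approved_paths}


def check_execution(path: str, manifest: dict):
    """Return (allowed, reason). Only an exact match of path and hash is allowed."""
    if not os.path.isfile(path):
        return False, "no such file"
    expected = manifest.get(os.path.abspath(path))
    if expected is None:
        # Unknown software is denied even if it is harmless: that is the point.
        return False, "not in allowlist"
    actual = sha256_of_file(path)
    if actual != expected:
        # Approved binary modified since approval: infected, tampered, or swapped.
        return False, "hash mismatch: file changed since approval"
    return True, "approved"


def demo():
    """Run the check against constructed files; returns {case: (allowed, reason)}."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "approved_app.exe")
        unknown = os.path.join(d, "downloaded_game.exe")
        with open(approved, "wb") as f:
            f.write(b"MZ approved build 1.0")          # constructed content
        with open(unknown, "wb") as f:
            f.write(b"MZ something from the internet")  # constructed content

        manifest = build_manifest([approved])
        results = {
            "approved": check_execution(approved, manifest),
            "unknown": check_execution(unknown, manifest),
        }
        # Simulate the approved binary being modified on disk after approval.
        with open(approved, "ab") as f:
            f.write(b"\x90\x90 appended bytes")
        results["modified"] = check_execution(approved, manifest)
        results["missing"] = check_execution(os.path.join(d, "gone.exe"), manifest)
        return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:9s} -> {'ALLOW' if ok else 'DENY'} ({why})")
```

The manifest is the thing to protect here: it is only as trustworthy as the process that builds and distributes it, which is exactly the "being in control of your infrastructure" the post talks about.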

December 16, 2007

Opening up Open Source

Every time I start planning for a web site or a web application, I end up with some feature I really like from some open source software, and I wonder "can I just use it?". The answer, 99% of the time, is no, plain and simple.
That's because most open source developers just don't think about integration. You are coding a (possibly) small piece of software, meant to do just one thing: KITS, right?

Wrong. We're not in a Unix mainframe environment anymore. We NEED interoperability and accessibility for all the services. We need integration. And we need embeddable software, not just code, be it an open source project or not.
Web services (even simple REST enabled services) are a huge step forward, not 100% ok maybe, but still...

Many programming frameworks (like CakePHP) already provide a web services infrastructure you can leverage to implement a web service with ease. Do it, next time you start coding.

Meanwhile, some important and business oriented software is indeed "going open" - via a web service API or an inclusion point: KnowledgeTree and eGroupWare, just to name a couple, both expose a web service endpoint.
Others are not doing the same - phpBB, one of the best known forums, is a nightmare to integrate.

So? Next time you choose, or write, or buy a piece of software be sure to check how OPEN it is. It doesn't need to be open source, but it HAS to allow for easy integration. It's mandatory nowadays, and it's not about the stupid SOA hype. It's about IT 2.0.

December 07, 2007

Disaster recovery made easy

As virtualization.info announced today, PlateSpin has just revealed its new disaster recovery product.
Summing up, it's a hardware appliance able to provide "incremental" virtual images of up to 25 physical servers (via its P2V technology) without the need for a dedicated infrastructure. In the event of a disaster, this appliance will be able to automatically recover the images to physical servers and notify the administrator.
This is a striking idea and I'm sure we'll see a lot of these appliances around if the price isn't insane.
I've already mentioned how virtualization can be used in disaster recovery, and this is the exact implementation I was thinking about.

December 05, 2007

On Email

Last week I met the owner of a small company in Italy. The problem was they were having "issues" with email.
There is no need for details here: the point is that their whole business was going through email: clients' orders, notices... anything.
If an email doesn't reach its destination, it's big trouble. This company is one of those small realities doing huge business: their customers are all enterprise-level realities and they're almost monopolists. Still, they're doing what most SMBs do: they find an almost-working medium and stick with it.

It doesn't matter if it's not perfect: it's easy and it doesn't need training for the employees. But as soon as your business grows, it really matters.

So what? Start thinking NOW about how you communicate with clients: have you got out-of-band connections? How do you know if that mail got lost? Even more: are you sure there aren't better ways to do what you're doing with email?

My advice was very simple: build an extranet, and use it as the hub of your communications. You're asking your customers to do something (logging in requires more effort than just downloading emails) so be sure to offer something in return: targeted ads are not enough!
Is there anything new in an extranet? Well, there are plenty of things you can do with it, but we'll speak about them in another post: what you can do NOW is to be proactive. Do not let your current media fail you, be ready to scale!

November 26, 2007

Tiny screens

Many vendors (like Sharp) are now releasing tiny (2 inches, 5 cm) screens.
Any geek can say "wow, cool", but what are they good for in a business environment?
Just a couple of ideas:
  • Graphs. Everyone loves graphs and statistics. Think about a showroom with tiny stats screens (like sales or expected growth) embedded in the walls. Striking. Remember, you don't just have to be good, you have to be remarkable.
  • Personal information: think about a credit-card sized device you can lend to visitors at your building or at your congress, broadcasting TV streams with directions or ads for the next speech. Very sci-fi, isn't it?
  • MMS: yes, short video messages. Imagine a network of tiny screens broadcasting short messages in a production or industrial environment, solving noise and communication problems on the assembly line.

November 22, 2007

Social Intranets

There is a huge anti-revolution going on these last years. It's the "Web 2.0 isn't for serious people" attitude. Followers of this thesis will point out how Digg doesn't present business-relevant news, and how many famous and popular 2.0 services aren't useful at all in a working environment. These are often strong arguments (take a look at the front page of Digg and you will see what I mean) but let's see it from another perspective.

Think about YOUR intranet: it might be feature-rich, it might support document management integration and have many, many features. So, what is missing?
Community, that's what Web 2.0 is all about. It doesn't matter what you are doing with it, but you need a community nowadays.

Now imagine an intranet where you can see who's online by looking at their faces in the upper part of the page, and you can chat with them with one click. Think of a tag-based information repository, a user-driven internal news system and personal blogs. Then, think about integration with outside services, and maybe even your partners' extranets.

If you still don't see how this can help the business, review the budget for the HR division under the "team building" entry: you'll see it can cover twice the price of such an infrastructure. Decrease in productivity and work time? Think about cross selling, think what your organization can do if it really starts working as one individual.

Maybe web 2.0 as-is isn't business oriented, but the right ideas are there for you to take. Do not overlook them.

November 18, 2007

Kindle and the future

As you all most likely know, a couple of days ago Amazon launched Kindle. Kindle is a whole new step in the world of e-books: the design looks great and early reviews are very good, from a technical standpoint.
What's more important, Amazon has created a completely new distribution channel for e-books, and the story goes on.
But let's imagine, for a moment, that this is indeed the future of reading. Maybe not tomorrow, maybe not in a year, but that's the way to go.

Now, there are a couple of things I'd like to point out.

First: this opens a whole new market. No, I'm not speaking about books: costs in the "printing industry" aren't in the actual printing, nor do they have anything to do with authors. It's all in the marketing department, and that's the greatest barrier to entry into this market: even with huge investments it's hard to be noticed, to be trusted.
I'm thinking of everything "side related" to the world of e-books: everything making the experience of reading an e-book different from reading an "old" paper book. Services. Subscriptions. Kindle widgets. This is the new market, the innovation: there's nothing new in a PDF, nor in a txt.

Second: once Kindle (and its clones) start to become more and more popular, it's likely we'll start to see some "write enabled devices". You want to write on your book (well, maybe on your textbook at least), don't you? I'd say we'll have write enabled devices in a couple of years, IF Kindle is as big a killer as it seems.
Once you have a very cheap reading device with some writing capabilities, what's the use for paper? You are reading your books on an LCD, you can take notes on an LCD... do the math.
I'd say that the benefit here is for early adopters: a paperless environment might mean huge savings in a short time span, and thus a big competitive advantage. At least, until it becomes a commodity.

NSA backdoors and encryption standards

It's on every security related website: according to Schneier (actually Shumow and Ferguson) the NSA might have placed a backdoor in one of the new NIST approved random number generators.
This mathematical backdoor could allow the NSA to guess the random numbers given only a small sample: a huge problem for any security algorithm using those numbers. SSL (well, TLS), encryption, anything.
There are huge concerns in the security community about this story: while the standard itself can easily be left unimplemented - since it's just one of the three generators proposed - one could wonder what's lurking in the other algorithms.

This story reminds me of the DES "scandal": NSA modified part of the IBM algorithm (sort of, the constants) and shortened the key. No one actually knew what was going on then, but after 20 (20!) years it was discovered that the tweaks actually improved the security of DES: NSA knew about differential cryptanalysis, thanks to an IBM engineer, and kept the secret for years while improving DES' resistance to it.
But still, NSA was able to break DES with relatively little effort, maybe due to the reduced key size. You can read more here.

What's the lesson here? You can be 100% compliant and still be vulnerable in a matter of seconds: a new research is published, a new tool becomes available, and your "one million years guaranteed" encryption can be beaten in 24 hours. And it's likely that someone somewhere is able to break that encryption right now.

So, what are we - what are you - going to do about this? No, the answer is not "stop trusting encryption". You can't do it anymore, not in this world.

Instead, change the way you think about encryption. Most organizations, most people, think about encryption as a commodity, as something that is "hard-coded" and immutable, at least for some years. "We'll change the encryption when we change the software" is a very common quote. It's not enough anymore.

Start thinking about encryption like any other security-related component: you have to monitor it, you have to upgrade it, maybe you even have to patch it. Here, standards are your friends: what's the chance of getting an upgrade for some obscure proprietary algorithm (Oracle, anyone)?

So, the next time you hear about encryption - anywhere: in a new piece of software, in your network, in a new server - demand that it be modular, that it be open. You want to manage it like any firewall, any antivirus, any IDS in your infrastructure.

Otherwise, you can just let NSA handle the problem, right?
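What "modular" encryption looks like in practice is algorithm agility: every protected value carries an identifier of the algorithm that produced it, so an algorithm can be deprecated, migrated away from, or withdrawn outright by a policy change rather than by rewriting code and storage formats. The following example is added here and is not code from the original post; it demonstrates the idea on an HMAC authentication tag with a one-byte algorithm id prefix. The registry, the status policy, the key and the message are constructed for the example; in a real system the identifiers and the accept/deprecate/withdraw policy would live in configuration that security operations can change.

```python
"""Algorithm agility for a message authentication tag (constructed example).

Each tag is  alg_id (1 byte) || HMAC(key, data)  so the verifier knows which
algorithm to use and can apply policy to it. Registry and keys are constructed.
"""
import hmac
import secrets

# Registry: id -> (hashlib name, policy status). Status is the operational knob.
ALGORITHMS = {
    1: ("sha1", "withdrawn"),     # no longer accepted, even if the MAC matches
    2: ("sha256", "deprecated"),  # still verified, but flagged for re-protection
    3: ("sha512", "current"),     # used for every new tag
}
CURRENT_ALG = 3


def _raw_tag(data: bytes, key: bytes, alg_id: int) -> bytes:
    """Build alg_id || HMAC without policy checks (used to simulate stored data)."""
    name, _status = ALGORITHMS[alg_id]
    return bytes([alg_id]) + hmac.new(key, data, name).digest()


def tag(data: bytes, key: bytes) -> bytes:
    """Produce a new tag; refuses to use anything but the current algorithm."""
    name, status = ALGORITHMS[CURRENT_ALG]
    if status != "current":
        raise ValueError(f"configured algorithm {name} is {status}")
    return _raw_tag(data, key, CURRENT_ALG)


def verify(blob: bytes, data: bytes, key: bytes):
    """Return (ok, needs_upgrade). Unknown or withdrawn algorithms fail outright."""
    if not blob:
        return False, False
    alg_id, mac = blob[0], blob[1:]
    entry = ALGORITHMS.get(alg_id)
    if entry is None or entry[1] == "withdrawn":
        return False, False
    name, status = entry
    expected = hmac.new(key, data, name).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return False, False
    return True, status == "deprecated"


def reprotect(blob: bytes, data: bytes, key: bytes) -> bytes:
    """Migrate a valid tag made with a deprecated algorithm to the current one."""
    ok, upgrade = verify(blob, data, key)
    if not ok:
        raise ValueError("refusing to migrate a tag that does not verify")
    return tag(data, key) if upgrade else blob


def demo():
    """Exercise the policy on constructed data; returns {case: result}."""
    key = secrets.token_bytes(32)          # constructed key
    msg = b"order #1234: 40 units"         # constructed message
    current = tag(msg, key)
    old = _raw_tag(msg, key, 2)            # as if stored before sha256 was deprecated
    dead = _raw_tag(msg, key, 1)           # as if stored before sha1 was withdrawn
    return {
        "current": verify(current, msg, key),          # (True, False)
        "deprecated": verify(old, msg, key),           # (True, True): verify, then migrate
        "withdrawn": verify(dead, msg, key),           # (False, False): policy, not math
        "tampered": verify(current, msg + b"0", key),  # (False, False)
        "migrated_alg": reprotect(old, msg, key)[0],   # 3: rewritten with the current alg
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13s} -> {result}")
```

The useful property is that withdrawing an algorithm is a one-line policy change, and the "deprecated" state gives you a window to re-protect stored data before verification starts failing, which is the monitor-upgrade-patch lifecycle the post asks for.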

November 15, 2007

Virtualization for Disaster Recovery

I won't discuss here why ANY business structure should have a strong Disaster Recovery plan. The point is, DR is deadly expensive.
The argument usually used is that since it's a strategic priority (most of the enterprises suffering severe data loss are out of business within 2 years) the costs of a DR solution are not avoidable.

What usually happens is that there is no such thing as an "enterprise-wide tested DR plan". How can we achieve an affordable, testing-friendly, enterprise-level DR solution? Enter virtualization...

What good can virtualization technologies do for us in the DR space? Just to cite a few:
  • They provide a means to achieve High Availability, even on remote sites. P2V migration software is available, without even a reboot required.
    Just create a virtual copy of ALL your production servers and store them on a single machine. In the event of a hardware failure, just bring your virtual copy back online within 2 clicks. Just keep in mind you'll have to keep those servers synchronized.
  • They finally allow us to do testing within an environment closely resembling the production one. This is a huge deal, since most DR solutions aren't fully tested: no one will take the responsibility of pulling the plug on the main database server to test a recovery plan, but with virtualization this suddenly becomes doable and easy. Most virtualization solutions will even allow you to test your application under hard network conditions (high packet loss, narrow bandwidth and so on).
  • They can be used to leverage the existing backup infrastructure: data backup technology is far more advanced than "machine" and "application" backup. With virtualization, machines are nothing more than files and your "proven" backup infrastructure can be exploited to achieve a wider reach.

And the list goes on. Vendors are fully aware of this new business environment for virtualization, and are now releasing DR oriented products. VMware has its Site Recovery Manager almost ready and the competitors are catching up quickly.

If you are not planning for server consolidation or virtualization just yet, keep in mind to think about it in your DR plan: it might be the right time to introduce this new technology.

November 12, 2007

10M for an android application

When ten or more chariots have been taken, those should be rewarded who took the first.

-Sun Tzu

That's exactly what's happening here. Google and the Open Handset Alliance want developers for a still unreleased market, and they're issuing a challenge. There's nothing brand new here, but think about it for a moment.

When the iPhone was launched, we had not even one application available and no plan for an SDK. When Android starts running, we'll already have plenty of (free) software available. High quality software, too. See the point? That's the difference Google wants to make evident. It has "we're Google, we're different" written all over the place.

What can we learn from this? It is indeed possible to build communities even before the actual product is released. Specs, APIs and a "low hype, high facts" attitude are all you need.
I bet we'll see this happening more and more. Why? Because, as Seth Godin would say, people in such a community are enthusiasts, and enthusiasts spread the word.


Edit: Italy is out of the contest. No comment. More info here.

November 10, 2007

Knowledge Tree 3.5 is out

KnowledgeTree open source 3.5 STABLE is out and ready to download.
Sadly, we're still missing the upgrade scripts, but eventually they will be ready too. KnowledgeTree is the open source document management system.

Document management is often overlooked by managers in SMBs, or handled by huge "fully integrated" colossuses in enterprise environments. I won't debate commercial solutions (mostly because I feel the Microsoft solution is the most advanced nowadays, and this hurts my open source oriented feelings) but there's something I'd like to point out.

We are in the middle of a deep rethinking of how our digital offices work. We are on the edge of a huge revolution, started something like a year ago and gaining impetus the whole time. We're moving from a client-oriented, software-heavy environment to a web-centric, browser based environment, where integration and compatibility are the core differentiating factors.
For years, we wanted the most feature-rich software we could get, and we would expect everyone to use the same software. Now, we're more and more aware of compatibility issues.

That's the point. Compatibility, integration, flexibility. They're more important than a feature-rich proprietary software doing exactly what you need to do in your business right now. What will happen in 2 years? What if you switch your office suite for an online one (Google Docs, anyone?)?

Yes, one might argue that investing in an open source solution is not a 100% protected engagement, since the project might just die. True, but how many business oriented, widely adopted big projects have you seen disappear in the last couple of years? A couple, at most.

On the other hand, who's going to adapt faster and embrace others' (possibly, competitors') standards: an open source, community powered, web-based software or a commercial gargantuan juggernaut application?

November 09, 2007

Going Live

Oversighting is a blog. Not a personal blog, it's a blog about technologies.
It's not a "what's new" blog like Engadget, nor a "long posts, huge content" blog like Delirandom. It's not even a focused blog like Virtualization.info.

So, what is this blog about?
Oversighted technologies. And what's an oversighted technology? A technology with a completely unexploited use, able to change the way you do business - or maybe improve your life just a little.

Who's the audience?
I'm writing for the IT guys, in the broader meaning but with a business-oriented focus. IT managers or code gurus, I hope they will both find this blog useful.

What about that innovation evangelist tag?
It's half a joke, half serious. Just follow the blog and see for yourself.