December 23, 2007

Android and business cards

We are used to the idea of VCard and cell phones. That is, exchanging contact information via bluetooth should be quite easy and an old story. What we know is that firing up BT, selecting the VCard and so on is quite slower than just handling out a business card.

Now think about this: an Android powered application able to broadcast (or unicast, in case) your "Social Network Presence". That is, URLs to your linkedin profile, facebook pop and so on.

Think about including some snippet of information from those networks and a little nice "who do we both know?" function. A must have for the next conference...

December 22, 2007

Another point of view on IT security

I'll start this post with a strong statement:security as we know it today is 90% smoke and 5% useless crap.

Antiviruses: useless. Intrusion detection systems: useless. Encryption: useless. Firewalls: useless.

Since most of the more security-savvy people are now wondering if I've gone nuts, I'm just asking you all to follow me. This will be the first article of a short cycle of posts in which I will go through all the standard security "stuff" we all know about, and - hopefully - I'll show how it's time to rethink about almost everything.

Let's start with an old friend, and the easy pick: the antivirus.

The Antivirus is one of the oldest security measure: its usefulness has been discussed many a time, but no organization would every in its mind get rid of it.
What I think is that in a well managed organization there should be no need for an antivirus.

Enumerating from an high level perspective the main vectors a virus - and with this term I'm encompassing more than just viruses: I'm including trojans, general malware, spywares and so on - we have;


  • - Executing a file infected by a known virus. So, your users can execute any file on their machines, having the power to bring havoc to the whole network? And how did the file got there? Uncontrolled internet usage or maybe a floppy disk?

  • - Executing a file infected by an unknown virus. Idem.

  • - An unknown or known virus executing itself using some known exploit. So you're using vulnerable and unpatched software? Reminds me good old Godsend.

  • - An unknown or known virus executing itself using an unknown exploit.



While one can argue than heuristics are working better and better, the hard fact is that the virus - or the trojan or whatever - has to be known, and the antivirus signature file has to be up to date. So, I think we all agree that there is nothing an antivirus can do against new viruses. Actually, there's nothing an antivirus can do about whatever software, since it can't obviously know about the semantic of the software: in the DOS age we had format.bat files, and no antivirus could stop that. I don't see any progress since then.

Organizations spend a huge lot of money to keep corporate antiviruses up to date: cost analysis can easily show how just one virus spreading in the enterprise network and bringing the business down for 12 hours (not to mention potential data loss!) is enough to justify the expense. And after all, the managers are using antiviruses at home, too, so it's something they can grasp, something they are comfortable with.

What these analyses never include is an alternative which actually works. No matter what, you are not going to be protected against a new virus, and you have the same chance(nowaday I'd say it's MORE LIKELY, but that's just my opinion) to be attacked by a new one than an old malware. So you're spending money hoping that a new WhateVerEvil.M12 won't hit your network before the others, so you can have the time to upgrade you signatures.

I feel this is not a good idea.
Of the attack vectors I've listed before, only one - the autoexecution via 0-day exploit - cannot be prevented.
If the machines - all of them - are patched up, the virus won't be able to execute itself using an exploit.
If you are in control of your infrastructure, users won't be able to execute software - they just won't need to do so - or they will be able to do so in sandboxes and in a responsible manner (training anyone?).
And the list goes on and on.

That's it, antiviruses are not part of the solution anymore, so they most likely are part of the precipitate.

December 16, 2007

Opening up Open Source

Every time I start planning for a web site or a web application, I end up with some feature I really like from some opensource software, and I wonder "can I just use it?". The answer, 99%, is no, plain and simple.
That's because most open source developers just don't think about integration. You are coding a (possibly) small software, meant to do just one thing: KITS, right?

Wrong. We're not in an unix mainframe environment anymore. We NEED interoperability and accessibility to all the services. We need integration. And we need embeddable software, not just code, be it an opensource project or not.
Web services (even simple REST enabled services) are a huge step forward, not 100% ok maybe, but yet...

Many programming frameworks (like cakephp) are already providing a web services infrastructure you can leverage to implement a webservice with ease. Do it, next time you start coding.

Meanwhile, some important and business oriented softwares are indeed "going open" - via ws API or inclusion point: KnowledgeTree and eGroupWare, just to name a couple, are both exposing an web service endpoint.
Others are not doing the same - phpBB, one of the best known forums, is a nightmare to integrate.

So? Next time you choose, or write, or buy a software be sure to check how OPEN it is. It doesn't need to be OpenSource, but it HAS to allow for easy integration. It's mandatory nowaday, and it's not about the stupid SOA hype. It's about IT 2.0.

December 07, 2007

Disaster recovery made easy

As virtualization.info announced today, Platespin has just revealed its new disaster recovery product.
Summing up, it's an hardware appliance able to provide "incremental" virtual images of up to 25 physical servers (via it P2V technology) without the need of a dedicated infrastructure. In the occurrence of a disaster, this appliance will be able to automatically recover the images to physical servers and notify the administrator.
This is a striking idea and I'm sure we'll se a lot of these appliances around if the price isn't insane.
I've already mentioned how virtualization can be used in disaster recovery, and this is the exact implementation I was thinking about.

December 05, 2007

On Email

Last week I met the owner of a small company in Italy. The problem was they were having "issues" with email.
There is no need for details here: the point is that they were having their whole business going around emails: client's orders, notices... anything.
If an email doesn't get to destination, it's a big trouble. This company is one of those small realities doing huge business: their customers are all enterprise-level realities and they're almost monopolists. Still, they're doing what most SMB do: they find an almost-working medium and stick with it.

It doesn't matter if it's not perfect: it's easy and it doesn't need training for the employers. But as soon as your business grows, it really matters.

So what? Start thinking NOW about how you communicate with clients: have you got Out Of Band connections? How do you know if that mail got lost? Even more: are you sure there aren't better ways to do what you're doing with emails?

My advice was very simple: build an extranet, and use it as the hub of your communications. You're asking your customers to do something (logging in requires more effort than just downloading emails) so be sure to offer something in return: targeted ads are not enough!
Is there anything new in an extranet? Well, there are plenty of things you can do with it, but we'll speak about them in another post: what you can do NOW is to be proactive. Do not let your current media fail you, be ready to scale!