FOXNews.com - Electrical 'Smart Grid' Not Yet Smart Enough to Block Hackers - Science News | Science & Technology | Technology News

This story was especially timely, since just last week we had a representative of Oncor, our electricity delivery company, knock on the door and tell us that the power would be off for a few seconds while he installed a “smart meter.”  I’m not so sure I want my meter to be smart, but of course, we had no choice in the matter. And to add insult to injury, the brochure he left informed us that we’ll be paying for it through a surcharge on our bill every month for the next eleven years.

All that, and a brand new attack surface too. Well, heck, another nice little notice we got last week from our electric company began with “This letter is to notify you about a data breach that may have involved your non-public personal information.” And that was before the smart meter was installed. Even more frightening than the possibility of identity theft, though, is the prospect of terrorists taking over the power grid – or even just some mischievous teenage genius bringing it down for fun. Either way, without electricity we can’t do business, food spoils, and in some cases, people die.

Now I concede that there are some advantages to the new technology.  Theoretically, at least, there should be fewer meter-reading mistakes since there will be no more manual meter-reading. This also means that we can move our fence up to encompass the side of the house since there will no longer be a need for a meter reader to be able to see the meter. One might also think that laying off all those meter readers might result in some cost savings and thus lower electricity bills – but surprisingly enough, the brochure says nothing about that.

The Fox News story notes that “customers will be able to choose to operate their appliances during the hours when consumption — and prices — are at their lowest.” Okay, maybe I’m just overly suspicious because of all those years as a cop, but I have to wonder if they’re really doing this to give customers more control.  Actually, I can already choose to operate my appliances when I want to – I don’t need a smart meter for that. But with a smart meter, the electric company can control when I get power (or don’t).

Pacific Gas & Electric in California back in 2007 proposed “programmable communicating thermostats” that would allow the utility company to adjust the temperatures in individual homes. Wow. That means if you’re keeping your house too cool and “wasting” energy, they can fix that for you. Now, PG&E dropped that request in 2008 after complaints that it smacked of Big Brother, but does anyone really doubt that’s the way we’re headed?

Seems as if every day, we lose a little more control of our lives to the government or quasi-public entities like the electric company. Makes me want to move out into the country, dig a well, buy a generator and go off the grid. Not going to happen any time soon, of course. But there are times when I think the recent series finale of Battlestar Galactica may have been more prophetic than intended. I love technology, but I can’t help wondering if we – along with our meters – are getting a little too smart for our own good.

deb@shinder.net   www.debshinder.com

Although I liked Vista a lot, one thing that I didn’t like was having to give up Corel PhotoPaint 10. In my opinion, that was the best graphics manipulation program of all time. I didn’t like the later versions of PhotoPaint, and then Corel stopped selling it as a standalone program at all and you had to pay big bucks for the whole Draw suite to get it.

In fact, one reason that I kept an XP computer around (in addition to the fact that I write about XP) was so I could run PhotoPaint 10. I tried installing it on Vista several times, but it never would work, even in compatibility mode.

Then last week, I read this article in GCN Magazine titled Windows 7 reincarnates old apps. It said that a team at Microsoft had so far discovered thirty applications that don’t work on Vista but will run on Windows 7. So I figured, why not give it a try?

Wow. I’ve never seen the program install that fast. I well remember sitting and waiting for half an hour for PhotoPaint to copy all those files and complete the installation. On my Win 7 system, it took six minutes. I opened it up and started opening photos and cropping, resizing, applying special effects, etc. So far, everything seems to be working just as it did back in XP – only faster. The lack of support for PhotoPaint 10 was one of my few complaints about Vista. Getting it back is priceless.

 
PhotoPaint 10 is back – running on Windows 7

I continue to be impressed with Win 7. Can’t wait to see what additional pleasant surprises it has in store for me.

deb@shinder.net   www.debshinder.com

A feature that I was hoping would make it into Windows 7 – but which didn’t – is the ability to set different wallpapers for different monitors in a multiple monitor setup. I use three monitors and I don’t want the same old boring wall paper on each. With Vista and XP, I used UltraMon to accomplish this, but when I tried it on Win 7, I got a “fatal error” message.

Besides, much as I like UltraMon, it’s a little costly. At $19.95 I’d say it was worth every penny – but it costs $39.95. Okay, not a big deal but I know a lot of folks who are on a tight budget and can’t afford forty bucks for a GUI-enhancer. So I started looking around to see what else was out there.

What I found was DisplayFusion. There are both free and “pro” versions. If all you want is to be able to diversify your wallpapers, the freeware does that beautifully. Below is a photo of my main Windows 7 computer running different poses from my Siamese on each side monitor and a picture of sunrise on the lake taken from my backyard on the middle screen.

 
Multiple monitors deserve multiple wallpapers

With the Pro version, you can do more: Put a taskbar on each monitor and configure them so that all taskbars show all windows pr so each shows “relevant” windows (those on that monitor). If you’re a keyboard-only kind of person, there are also a bunch of key combos that can be used to do things like:

• Move a window to the center of the monitor
• Move a window to the next monitor
• Size and move a window to the bottom, top, left or right side of a monitor
• Span a window across all monitors

There are a number of key combinations you can use to manage how windows are displayed

Best of all, the full-fledged version of DisplayFusion costs about half the price of UltraMon ($20). So if you’ve been looking for a multi-monitor solution that isn’t quite as full featured as UltraMon but also doesn’t cost as much, check out DisplayFusion at http://www.binaryfortress.com/displayfusion/ 

deb@shinder.net    www.debshinder.com

I’ve been using Windows 7 on my primary desktop computer in the downstairs office (Dell XPS) and my main notebook (Sony TX) for quite some time now. In the upstairs office, I was still running an XP/Vista dual boot configuration.  It’s an older system (Dell Dimension) and I don’t work up there nearly as often (now that Tom’s job has him in conference calls for hours every day, working in the same room is more difficult) so I’d never gotten around to it.

Yesterday, though, Tom was gone and I was working up there and I had a little extra free time for a change, so I decided “why not?” One thing that system does have is plenty of hard disk space, two large physical drives divided into five partitions. I had a Win 7 disc lying there, just begging to be installed.

I fired it up and started the installation from within XP, but instead of upgrading I did a new install to another partition. The process took longer than on the systems I’ve installed it on before – about an hour and a half – so I was a little wary. However, when it rebooted for the last time and opened up my Win 7 desktop, I was pleased to find that performance was better than either XP or Vista on the same computer (of course, I haven’t installed as many apps on it yet). Almost everything worked. Sound was fine, and graphics were glorious – on two of my three monitors.

As with Vista, the third monitor wasn’t recognized (all three work in XP). I’d had high hopes because I read that Win 7 would be able to support video cards from different vendors, something that Vista didn’t do. It may just be a driver issue; I’ll have to hunt around and see if I can find drivers for the second card. Meanwhile, two monitors are probably enough for that workstation but it would be cool to have all three again.

Other than that, though, now I have “Seven Up” as well as downstairs and it easily connected to its downstairs cousin via RDP. I am slowly migrating all of my computers over to the new OS. Next challenge will be the elderly Xeon-based Precision in the bedroom. Is it just too old or can I teach it a new trick? Stay tuned to find out.

deb@shinder.net   www.debshinder.com

My husband finally entered the 21st century today – the final release of Internet Explorer 8 is out and he installed it. Up until now, he’s been using … IE 6. That’s right, he skipped 7 altogether. Can’t say I blame him, as I had all sorts of problems with IE 7 crashing. I installed IE 8 as soon as it came out in beta and was happy with it on Vista. Then I switched to Windows 7 beta, which has a pre-release version of IE 8 built in, and I’ve been happy with it, too.

It’s a good thing the built-in version works well, because you can’t install the final on Win 7. The IE web site has this message for Windows 7 users:

Okay, makes sense that the version in Win 7 is different because of the Touch functionality and jump lists and all. I don’t feel particularly left out. I’m just glad Tom finally has a browser with tabs. :)

Meanwhile, if you’re running Vista or XP and you want the latest version of IE, you can get it here:
http://www.microsoft.com/windows/internet-explorer/worldwide-sites.aspx 

deb@shinder.net    www.debshinder.com

Last week, the most popular social networking service underwent a Face(book)lift, with a new look for users’ home pages and a more “stream”lined approach to display of friends’ posts. Reactions thus far seem to be mixed; of those I’ve talked to, some folks hate it, others love it and a few apparently didn’t even notice the changes.

I was ambivalent about it at first. Then I discovered the ability to “turn off” comments from specific friends – without “unfriending” them – and decided that alone was worth the price of admission. I also like the filtering options on the left side. These changes got me to thinking, though, about other ways to make a social networking site like FB better. Here’s my wish list:

• I like that I can separate friends into categories (lists), and I’ve used this feature extensively. I now have lists for Family, Cops, Tech Industry, Writers, and Local Politics. It’s nice that I can click on a category and see just the posts from that group of people. But what I’d really like is the ability to filter the distribution of my own posts by category, so that I could tag a post as “Family” only, or “Tech and Writers” and it would go only to those people, instead of having all my friends be able to see all my posts. I know I post a lot of tech stuff that probably bores/confuses my non-techie family members to death, and I doubt my cop friends really care about my writing travails (except for the couple of cops who are also writers, and I can always put a person in more than one category).
• It’s nice to be able to turn off all comments from a particular person – especially when that person tends to spout a lot of liberal/conservative (choose one, depending your own political persuasion) nonsense in his or her status updates. :) But I don’t always want to go that far. Sometimes someone posts one really annoying thing, but doesn’t make a habit of it. Still, I’d like to get that one post off my home page so I don’t have to look at it all day, without hiding everything the person posts. If there is currently a way to do that, I haven’t found it.
• More integration with other services would be nice, too. I like that my Twitter posts can be automatically fed to Facebook and show up as FB status messages. I’d like it even more if my Windows Live Spaces blog posts were automatically picked up, as well. Maybe there’s a way to do that, but if there is, it’s certainly not made obvious. Doesn’t Microsoft own a small chunk of Facebook? Seems like the two could get together and make it easier to cross post.

These are just a few of my thoughts in regard to how FB could be made more useful. I’m sure there are plenty of other folks out  there who have great ideas, too.

deb@shinder.net   www.debshinder.com

I reported in the Windows 7 Corner of last weeks VistaNews that Microsoft has included something new in Windows 7: the ability to turn off built in applications that couldn’t be easily disabled before, such as Internet Explorer, Windows Media Player, Windows Media Center, and Windows Search.

If you’re using the public beta that was released in January (Build 7000), you won’t see the options to turn off IE, WMP, etc. there. But a more recent build (7048) has those programs included in the list of Windows features that you can turn off through the Control Panel Programs and Features applet. Build 7000 does allow you to turn off games, the indexing service, IIS, the RIP listener, Telnet client and server, the Gadget platform, XPS and others.

Speculation is that this was done to head off antitrust complaints from the EU and other entities. However, I see it as a security enhancement, too. According to reports, administrators will be able to use Group Policy to force disablement of these features. That will help you to reduce the attack surface on Windows 7 machines on business networks.

I had wondered how companies were going to handle the fact that, based on what I’ve heard, each successive edition of Win7 will have all the features of lower cost editions, which means Business and Enterprise will include Windows Media Center, Media Player, DVD Maker and other applications that you might not necessarily want employees to be using on company time. Now we know: you can simply block these with Group Policy – but an individual who buys a laptop that comes with Business edition installed will still get those programs. I like this approach a lot.

Just one more way that Microsoft got it right this time. Windows 7 makes me think of that old song: To know, know, know it is to love, love, love it.

deb@shinder.net    www.debshinder.com

The new administration is reviewing the nation’s cyber defense policies, and has announced that any changes will be made to “… deter, prevent, detect, defend against, respond to, and remediate disruptions and damage to U.S. communications and information infrastructure” and at the same time to “safeguard the privacy rights and civil liberties of our citizens.” It sounds good, but is it even possible to do both at the same time? And if not, which goal will take precedence? Which goal should take precedence?

According to this article in SecurityFocus, one of the recommendations to come out of the review could be to designate the National Security Agency (NSA) as the lead agency in the event of a major “cyber event.” Just a few days ago, the director of the National Cyber Security Center (NCSC), part of the Department of Homeland Security, resigned from his position in protest of the dominant role the NSA currently plays.

Regardless of the merits of his argument, this type of internal bickering doesn’t seem to bode well for the country’s cybersecurity efforts. And correctly or not, many Americans already distrust the NSA. Although it’s been around since the 1950s, it was kept secret for a long time and in fact its initials were said to stand for “No Such Agency.” It was created to gather intelligence based on foreign communications, but today’s global communications technologies make it inevitable that there is an overlap between foreign and domestic surveillance. The ECHELON system is said to monitor most of the data, telephone and fax transmissions sent in the country and world-wide, although the law prohibits interception of information about U.S. persons and entities unless they are operating abroad or unless the U.S. Attorney General gives permission.

The Bush administration was roundly criticized for its position holding that the president could establish a program of eavesdropping on Americans without warrants. The Obama administration may talk a good game about protection of civil rights, but actions speak louder than words, and the new administration has taken the same position in the U.S. District Court case Al-Haramain Islamic Foundation v. Obama and in defending federal legislation that protects telecom companies from lawsuits for taking part in the eavesdropping programs. So if you’re expecting some big changes in this respect, you’re likely in for a disappointment.

The hard truth is that, regardless of who’s in the White House, the interests of national defense and civil liberties sometimes (often) conflict. In many ways, it’s a no-win situation for the policymaker-in-chief. If you curtail freedoms to prevent disaster, and if you’re successful, you’ll only be remembered for taking away liberties. If you choose not to do so and the disaster occurs, you’ll be blamed for it. One thing all new presidents discover is that the perspective from the Oval Office looks very different from the view from the campaign trail.

Security always comes at the cost of freedom. The question is: how much are we willing to sacrifice of one to get more of the other?

 
deb@shinder.net    www.debshinder.com

In the March 9 edition of WinInfo Short Takes, Paul Thurrott first simultaneously compliments and slams Microsoft CEO Steve Ballmer (“refreshingly candid” but “Microsoft is crazy to let [him] get in front of a microphone”), and then, in regard to Windows Mobile, says “And what about the junk your [sic] selling today?”

I have a Samsung Omnia running Windows Mobile 6.1 and it’s the best phone I’ve ever had or tried out (and yes, I tried out the iPhone). It’s responsive, email works great, the web browser works great (both IE and Opera are installed and I prefer the former), the OS never locks up, I’ve only had to reboot it twice since I got it several months ago.

Will WM 6.5 be better? Based on what I’ve read and seen, probably so. And I think/hope WM 7 will be even better than that. But that doesn’t mean the current version is “junk.” I love my WM 6.1. Go drink the Apple Kool-Aid or turn into a ‘droid if you want, but don’t call my phone “junk.”

 
deb@shinder.net    www.shinder.com

In the March 5 VistaNews editorial, I took up the topic of social networking, including both the benefits and some of the “dark side.” Since writing that a week ago, I’ve been doing a lot of thinking about it and discussing it with others, and there are a few thoughts that I wanted to add on the subject.

So many sites, not enough time

This morning my inbox held a couple of invitations to “connect” – from people whose names I don’t recognize, using social networking sites to which I don’t belong. One problem with getting involved in SN is that there are so many options out there. Some folks try to belong to all of them, like those people I know who, in the real world, try to join every club and group in town.

Been there, done that. Back when I first got interested in city politics, I joined everything. In addition to serving on the city council, I was an executive officer of the local Chamber of Commerce, vice president of the Kiwanis club, sat on half a dozen boards and committees, and ended up completely overloaded with meetings and obligations and acquaintances. Today, it’s even easier to do the same thing online. But that’s a good way to quickly burn yourself out on the whole concept.

I decided to pick my SN tools carefully. I use Twitter, mostly for announcements about when I publish an article or to announce some good link. I belong to LinkedIn, which I joined some time back to further networking with others in the tech industry. Now I also use Facebook, which has become a way to interact with colleagues and cousins. I picked those forums because they seemed to have the most potential for reaching the most people and doing it in a time-effective way. My Twitter account is linked to my Facebook account, for example, so that when I post a new “tweet” it automatically updates my FB status. Less effort to reach more people.

There are dozens of other sites out there that are very similar in nature to the ones I use. But if I also joined MySpace and MyLife and all the others for which I get requests, I would probably end up with a bunch of pages that never got updated. I’d prefer to devote my social networking energies to a few sites and keep those up to date rather than spread myself too thin.

Dangerous combinations

A Facebook friend today posted that she “has friends, family and co-workers on Facebook. Seemingly dangerous combination.” I touched on that danger a little in my original editorial, but I want to comment on it more here. The social networking sites are unique in the way that they can bring different parts of our lives together. That can be a good thing – or not so much. Almost all of us compartmentalize to some degree. We aren’t quite the same when we’re with our families as we are when we’re with our co-workers (unless, of course, we work in a family business). We act a little differently when we’re out with old friends from high school than we do when we’re with our church group. The side of us that we show to our children isn’t necessarily the same as the one that we put on with our best friends. And so on.

My son has a Facebook page but I don’t visit it. After thinking about it, I made a conscious decision not to “friend” my kids. They’re great kids and now that they’re grown up, they actually are two of my best friends. BUT. I am still their mom and they are still and always will be, to me, my “babies.” I was twenty-five once and I remember being pretty protective of my privacy. I would not have wanted my parents “hanging out” with me and my friends – and that’s essentially what young people do on the social networking sites. Do I really want to see the kinds of jokes and photos and such that my son’s twentysomething friends might post? Probably not.

Of course, if the kids were still minors and living in my house, I would insist on having access to their pages. But they’re young single adults supporting themselves. I figure we will all be happier if I stay out of their online business.

I can see how being one another’s FB “friends” could cause problems between romantic partners – or even spouses – as well. Remember that you don’t have control over what your friends post on your wall (although you can remove items – when you get around to seeing them). What if your significant others sees something there that he/she finds offensive, that causes jealousy?  Of course, refusing a friend request from a husband/wife could be fraught with danger, too. How about the awkward situation where your ex-spouse sends you a friend request? That might be enough to make you drop out of social networking altogether, maybe even disconnect your computer from the Internet. :)

Social networking in the business world

Something that was brought up by Steve Riley at the MVP Summit earlier in the week is the fact that young people today have grown up using these technologies. It’s part of their lives, an important part. Some companies want to ban social networking sites from their premises – often with good reasons (security, productivity) but it’s not going to be that easy. Bright young folks who are entering the workforce expect to be able to access their Facebook pages at lunchtime or tweet during break in the same way we of the older generation expect that we can make a personal phone call from the office during our free time. If you try to restrict them too much, they simply won’t work there.

The point is …

This is a Brave New World that’s been made possible by modern communications technologies. People are people and they interact in much the same way online or off … except when they don’t. Many of us join these sites pretty casually, but maybe we ought to put a little more thought into all the implications.

Social networking is part of today’s world, whether you like it or not. Today, among certain circles, that you have a Facebook page is taken for granted in the same way we now take for granted that someone we meet has an email address. Certainly if you want to, you can refuse to embrace the new technology – just as some people refused to get those “new fangled” telephones or televisions, just as some (though an increasingly small number) still refuse to get cell phones. And depending on your social circles and how you make a living, you may be able to get away with it. But in many industries, by looking down your nose at social networking and staying out of it, you’ll do yourself a disservice. You might as well learn to use it to your advantage.

deb@shinder.net    www.debshinder.com

Wednesday morning brought the last official day of the MVP Summit, with everyone gathering back at the Seattle Convention Center in downtown Seattle for breakfast and a set of closing speeches from Microsoft executives. Not having to make the long bus ride out to Redmond was nice and allowed us to sleep an hour longer … well, at least theoretically. In my case, not so much.

I got to bed before midnight Tuesday night, but at 3:00 a.m. I was awaked by someone apparently taking a shower in the room next door. That went on for half an hour or so. I drifted back to sleep, until 5:00, when my dream was interrupted by a loud buzzing sound. It took a moment to realize that it was the phone. Why would anyone be calling on the hotel phone (instead of my cell phone), and at 5:00 a.m.?

Hotel operator: “This is your wakeup call.”
Me: “Oh … okay.”
Click.

Did I ask for a wakeup call at 5:00 a.m.? I’m very sure I didn’t. I guess somebody out there overslept because I was too half-asleep and surprised to say “you’ve got the wrong number.” My cell phone alarm was set for 6:30, but by that time, I was awake. So I went ahead and got up earlier than planned (yet again), took care of my morning email and took my time showering and getting dressed.

By 7:00 a.m. Tom was up and dressed, and we caught the bus from the hotel to the Convention Center and were in the big hall set up for breakfast a few minutes after 7:30. Once again, it was a fine buffet breakfast, with yummy scrambled eggs, some great breakfast breads, fruit, and for those who like it, meat products, cereal, etc. I think I’ve eaten more eggs this week than in the entire previous year.

Following breakfast, we made our ways over to the auditorium where the keynote presentations were to be held. Getting a seat in the third row, center, certainly didn’t hurt. We were able to feel “up close and personal” with the speakers.

An eager audience of MVPs awaits the closing keynotes

We were told at the outset that it was okay to take still photos, but no video recording. Much of the actual content is under NDA, so we were also told to be careful about taking pix of the slides that show that type of information. Thus, I can’t say a whole lot about what was said except in generalities – but I can talk about (and show photos of) those who said it.

 
Introductory slide – one of the few that I felt comfortable taking a picture of

Toby Richards, the General Manager of Community and Online Support at Microsoft, kicked off the morning’s presentations by welcoming returning MVPs and congratulating new MVPs.

|
Toby Richards got things going around 9:00 a.m.

Next, he turned it over to Mike Nash, Corporate Vice President in Windows Product Management.

 
Next up: Mike Nash, Corporate VP of Windows Product Management

Mike talked about Windows 7 and did a demo of some of the cool things you can do with it. Of course, I’ve been running it as my primary OS for a while now so I already knew how great it is, but Tom was amazed and impressed by some of the things that Mike demonstrated and I do believe when Win7 comes out, I am finally going to be able to pry XP from his hands before they are cold and dead. :)

 
Mike did a demo of some of Windows 7’s cool new features

Mike’s talk was great – but he was still an opening act. We all knew which headliner we were really here for: Steve Ballmer. We weren’t disappointed when he bounced onto the stage to lead us in an “I love Windows 7!” chant.

 
Steve B. gets the crowd all revved up.

Steve presents a challenge for any photographer. The man never stops moving. Combine that with the high contrast stage lighting and getting a good photo isn’t easy to do. I did capture him here in a rare moment of relative calm:

Steve actually stops moving for a moment

Steve provided some great info on the directions in which Microsoft is headed with their products and the audiences they plan to target. I’m not going to go into detail about what he said since it wasn’t made absolutely clear what was and wasn’t covered by NDA, but suffice it to say there are exciting times ahead.

Following his presentation, Toby rejoined Steve on stage as Steve fielded questions from the audience. Last year, some of the questioners got downright hostile. This year, although there were some frustrations expressed, people seemed much more upbeat and seemed to realize that hey, we’re on the same team here.

 
Steve addresses a question from the audience

There was a sobering moment, when it was announced that Small Business Server MVP Frank McAllister, had passed away unexpectedly from a heart attack just prior to the Summit. In fact, he was scheduled to be there. If you saw a bunch of Twitter posts saying “I was a friend of Frank,” on Wednesday, that’s what that was all about.

 
Steve, and the rest of us, paused for a moment in memory of MVP Frank McAllister

There were also moments of levity. Steve graciously donated the “large amount of advertising space on his forehead” to give a bit of much-needed publicity to Windows Home Server (WHS) in response to a request from one of the WHS MVPs.

Steve wears the Windows Home Server hat

Although it was over much too quickly, we enjoyed Steve’s talk just as much as we always do and thank him for taking the time out of his busy schedule to spend with us.

 
Farewell salute

There were two more brief presentations scheduled before the closing lunch, but we had a plane to catch and had to miss them. For us, though, this year’s Summit definitely ended on a high note and we’re ready to get back home and get back to work spreading the word about Microsoft’s technologies.

deb@shinder.net   www.debshinder.com

Okay, maybe this is just a proud mom bragging, but that’s what moms do. My twenty-five year old son, Kris, just published the following article in TechRepublic titled “Ten Reasons Linux isn’t Triumphing over Windows.”

http://blogs.techrepublic.com.com/10things/?p=556

He wrote it in response to an article by Jack Wallen that came out last week, “Ten Reasons Linux will Triumph over Windows.”

I’m hoping that he will continue to follow in my and Tom’s footsteps and that one day we’ll have three MVPs in the family. Until then, I just want all my friends at Microsoft to know that I raised that boy right. :)

deb@shinder.net
www.debshinder.com

After my 4:00 a.m. wake-up call, it was a long and full day. It certainly started off right.

Breakfast at the Hotel

Breakfast this morning was a nice surprise. At last year’s Summit, they gave us boxes containing a small bit of egg on a croissant and a piece of fruit. That was a huge comedown since in past years we’d always gotten a great breakfast with a variety of hot and cold choices. Well, the old style breakfast returned today. There were various breads, cold cuts, a platter of cheeses and several fruits, as well as hot chafing dishes with scrambled eggs, hash browns, sausage, even grits. All that was punctuated by a good conversation about SQL Server, and soon it was time to catch the bus to Redmond.

 
Breakfast done right – no more boxes like last year

 
Good food and good conversation; you can’t beat that combination

We made it to the Microsoft campus in record time – about 35 minutes – and went our separate ways for the day’s sessions. My group (Enterprise Security) spent the day in Building 122. There were a number of familiar faces and I met some new folks, including a few “fans” (which is always nice).

Steve Riley: The Future of Security isn’t What it Used to Be

The morning started off with one of Microsoft’s “rock star” speakers, Steve Riley. Although in many cases the information we get in the Summit sessions is confidential under the NDA, Steve stated that his entire presentation was non-NDA and we were welcome to share it as long as we gave him credit. Here, then, are my notes from his talk:

He began with a short history of hacking, detailing the progression from mainframes (which were rarely hacked) to the hacking of networks (not necessarily due to inherent insecurity of protocols but rather insecure implementations) to attacks on services (applications and OS services).

Then he discussed why people attack - curiosity, personal fame, personal gain, national interests – and correlated those motives with types of attackers: script kiddies, hobbyist hackers, experts and specialists. He presented a matrix showing how these attackers range from vandals to trespassers to thieves to spies, as well as authors who enable others (with lesser skills) to more easily conduct sophisticated attacks. As the tools get better, the less skilled attackers can do just as much damage as their more skilled counterparts.

Next came a comparison of “us” (the good guys) vs. “them” (the bad guys), which examined the differences in terms of vulnerabilities, victims, automation, work to do and time to do it. The main takeaway here is that being a bad guy can seem attractive when you compare on this basis. A theme common to homeland security applies here: the good guys have to get it right (prevent attack) EVERY time, whereas the bad guys only have to get it right (find a vulnerability) ONE time.

Some key points:

• Automation reduces mistakes
• The purpose of an audit is to measure how well you’re doing what you say you’ll do

The fundamental problem with software is intended behavior vs. actual behavior.

Traditional bugs: functionality you expected but didn’t get
Security bugs: functionality you didn’t expect but is in your application

With physical engineering, you end up with what you designed
The software industry is still in its infancy, still in a learning phase

The problem with traditional approaches is that you pile on more firewalls, more VLANs, etc., focusing on only one leg of the CIA triangle (for example, thinking more network rules will address confidentiality and integrity issues).

Next he addressed the security updates timeline, reminding us that the client is vulnerable until the update is installed. 24 hours after release of the update, on average 30% are still vulnerable. At 48 hours, it’s 20%, and so on. It takes 24 days to get to the point where 98% are secure. A key point here is that patching is important, but it can’t be relied upon as your only line of defense.

According to Privacyrights.org, which tracks data breaches in the U.S. only, there were over 253 billion publicly reported breaches. This translates to a cost of more than $51 billion, BUT these aren’t getting fixed because recovery is less expensive than fixing the problem.

First they came for bandwidth, now they want to make a difference. First attacks went after availability (DoS). Then the target was confidentiality – stealing the data.What comes next: malicious modification of the data (attack on integrity of the data). Protecting data requires thinking like a bad guy, i.e. generate unexpected input.

Three facets of security: technologies, processes, people.

What about the cloud? It doesn’t matter where you store it, as long as you encrypt it, digitally sign it and manage the keys yourself.

IT Plan: Shrink exposure and simplify networks.
Standardize images
Require authentication
Encrypt and sign data (in storage and in transit)
Audit activity

Default should be remote access, not storage (don’t carry it with you unless you have to).

Container mentality: the original IBM PC weighed a lot, stored very little – these were (inadvertent) security attributes. Reduce the attack surface on clients and servers where users store data
AV software raises the attack surface on servers where no files are stored

“Who would ever attack us?” Naive assumption of some companies, but data + Internet connection = interesting.

Hire testers to think about how code could be abused.
Build resiliency and protection into applications – design them to run in a hostile environment. Must rethink how software is designed and how information is protected (in the early days of computing, it was assumed that all people and machines could be trusted).

New model of thinking: it’s all about the data. The container based approached used to work, but not anymore. Now we need data self-protection because threats are not against the network but against the data.

Primary goals are to get back online and don’t let anyone get hurt.

Bottom line: good security can save people’s lives.

The Rest of the Story

(In memory of Paul Harvey, who passed away a few days ago)

Several more excellent sessions followed Steve’s. Jeff Jones presented a deep dive on the Security Intelligence Report (SIR), built on the premise that the threat ecosystem has evolved into a business model.

Then Olav Opedal gave a fascinating overview of the processes and technologies used for information security at Microsoft. Once again, the information in this session was non-NDA so I can share it here. Most interesting were the statistics pertaining to the Microsoft IT environment:

• 334K + PCs and devices
• 111K+ email accounts
• 1.9 TB DB - single instance SAP
• 6M + internal email messages/day
• 10M - form Internet / 9M rejected as spam
• 106K + end users in 98 countries - 441 buildings
• 9.5M + remote connections
• 70% of valuations based on IP
• 120 TB + data on file servers in Redmond
• 30K partners with connectivity needs
• Large population of mobile clients - 50-60K cell phone devices

He went into a great deal of detail on how Microsoft operates as its own “first and best customer,” running a production environment on pre-production software. Main concerns discussed were:

• Regulatory compliance - PCI a big concern
• Mobility of data - exponential growth of data
• Data classification: low, med, high business impact
• Unauthorized access to data - internal/external
• Malware
• Supporting an evolving client - business disruption based on innovation (New innovation creates innovation on criminal side)

Key strategies and tactics include:

• Assessment of risk - takes time, costly process. Must show metrics.
  Lower budget, bigger problem (economic downturn = more computer crime)
• ID of potential threats
• Mitigate risk through five key strategies:
  • Secure the network
  • ID & access mgmt
  • IP and data protection - how do you manage the data in the cloud? How to ensure security of data when someone else is in control? Identify which data is truly sensitive and encrypt that instead of the entire set of data.
  • Enhanced auditing and monitoring
  • Awareness

There was a lot more to Olev’s talk, but this post is getting long and I’m getting tired. :) Suffice it to say it was a good one all the way to the end.

After a lunch break, we heard from Frank Simorjay on Compliance and MVPs, with the focus on HIPAA, PCI DSS and internal audits, and he demonstrated some useful tools such as MSAT, MAP and DCM.

My day wrapped up with a multi-presenter talk on the SDL and threat modeling, much of which was covered by NDA so I won’t go into any details here.

After way too much good food today, I skipped out on the dinner and made my way back to the hotel so I could get this blog post out. I’m looking forward to more fun and good info in the next two days.

deb@shinder.net
www.debshinder.com

We arrived at SEA-TAC yesterday (Sunday) a few minutes after noon. We decided to save money this time and flew Southwest. For $99 each way, we got a better flying experience than we ever get on AA for twice the price. Parking at Love Field is simple and considerably cheaper than DFW.  There’s far less hassle checking baggage. I checked us in online 24 hours prior, so we got a good spot in line. Thanks to that, we got the one row on the plane (the right exit row) that has two seats across instead of three, and also has extra leg room. First time in a long time in an economy seat that I had room to cross my legs. We had a brief stop in Albuquerque, but we still got to Seattle in only about twenty minutes more than on American’s non-stops. I think that’s because we didn’t have to spend twenty or thirty minutes on the tarmac, waiting in line for clearance to take off.

We also did it differently this year in regards to the hotel. We’ve always stayed at the Hyatt before, but this time – since we’re having to pay half the bill – we went with the Renaissance.  That actually turned out nicely. Because the Hyatt is only a block from the convention center, you have to walk. That’s fine when it’s not raining – but in Seattle it’s (almost) always raining. I hate always arriving at the convention center with my hair wet and frizzled. Because the Renaissance is further away, Microsoft provides a bus to the convention center. No more getting wet!

The rooms are nice, with a great desk where you can spread out your stuff and really get some work done. That’s a good thing, because I’m going to have to take Tuesday morning off and do the VistaNews newsletter, then take a cab to campus (no buses after 8:15 a.m.).

 
Hotel room with great, long desk for spreading out my work

All in all, we seem to have made some good choices.

Registration went smothly, and the opening keynote speeches were good. There was also a Q&A session.

 
Toby Richards and his team gave the opening keynote speeches and fielded questions from the MVPs

After all the speeches, we hung out at the reception for a while, met our new MVP lead, Jake Grey, and of course we had to go by and say “hi” to Melissa even though she’s no longer “ours.” We miss you, Melissa!

There was plenty of free food and drink at the reception, but not nearly as many tables as there were attendees. I’m not a fan of eating while standing up under any circumstances, and I was dead on my feet after getting only about four hours of sleep the night before, so after talking for a while with some of our fellow MVPs, we cut out and came back to the hotel for a nice, quiet, relaxing dinner.

The hotel restaurant turned out to be great. This is the first restaurant I’ve been to in Seattle where they actually had white Zinfandel on hand and the waitperson didn’t sneer when I ordered it. I had the scallops and they were delicious – and it was a huge portion (with rice pilaf and vegetables). Most of the restaurants I’ve been to here in the past served tiny little portions for big bucks. Price was reasonable ($19 for the entree).

All in all, an excellent first day. I had no trouble falling asleep – although I got up a bit earlier today than I intended. Sleepy as I was, I forgot to reset the time zone on my phone, so when I configured its alarm to wake me at 6:00 a.m., it was actually 6:00 a.m. Dallas time, a.k.a 4:00 a.m. here. Didn’t realize it until after I’d showered and gotten dressed. At least I didn’t have to hurry.

deb@shinder.net   www.debshinder.com