
Want to be more productive then get a new keyboard

Earlier this year, as my trusty old Lenovo X61s started to draw its last breaths, I made the decision to swap over to using products from the people who have been making my personal machines for nearly 25 years and got a 13 inch MacBook Air as my primary work device. I coupled this with a 27 inch Cinema display and the fantastic BookArc from Twelve South. I was going to need something to type on. I took the easy option and went for the very sleek looking Apple Keyboard with Numeric Keypad. It looked the part but sadly as the months went by I realized that was about all it did.

I type quite a lot. I am not an efficient typist. That I can remember I was never taught to type. Perhaps if I had it might work for me, but it does not. I need a good old fashioned bash the keys hard type of input device. You know like real computers of yesteryear had on them. Real key switches, not a big membrane with key tops.

I found that a company based up in Canada called Matias make such a thing, the Tactile Pro. It is heavy, in fact very heavy, it is noisy, really very noisy, but it is so lovely to type on. The weight means it does not move no matter how hard I punch at the keys (the best way I can describe my typing style). The noise would drive people crazy if you were in a shared workspace, but I am not, so apart from typing when I am on the phone it is not an issue for me. However that audio feedback is important to me. It helps create a rhythm, my typing is more accurate and faster and those combined are good as they enable me to get more work done and to be more creative.

Next time you need to do some typing go get a proper keyboard and plug it into your laptop. I think you will be amazed at what it can do.

The Cloud and Virtualization are different

My team work on the four primary mega trends that are driving information security, the cloud, virtualization, mobility and APTs.  There is a 5th but it is less of a trend and more of a fact of life these days and that is the data explosion.  However when I talk to some people they see the cloud and virtualisation as one and ask why we differentiate.

The fact that the two have become synonymous is testament to VMware’s marketing skill and power. Anyone driving around Silicon Valley will have seen the hoarding from Microsoft on the 101 stating that “VIRTUALIZATION ALONE DOES NOT A CLOUD SOLUTION MAKE”, further proof to me how good they are. What is more, to a large extent I believe VMware are right. The main tool that I see being used to build private clouds within large enterprises is virtualization; it also figures in many public cloud infrastructures. However from a security standpoint the two are very different and present different challenges.

How many times do you use a password in a day?

I estimate that I enter a password, passphrase or PIN perhaps 50 times a day with my browser silently passing my password onto sites that I consider to be low risk many more times than that every day. Userid and password combinations are by far the most common forms of authentication we use on a daily basis.  Most have a feature that massively increases their effectiveness, our ability to change them yet how often do you exercise that ability?

I am pretty sure out there there are some people who wear little tin foil hats who change all their passwords once a day, possibly some aluminum clad types who sit in a faraday cage they have built in their basements who do it every hour. However if like the majority of people who I quiz it is very infrequently if ever. So when was the last time you changed your password on your email system or primary social media network? Within the last month, this year, ever? I am not judging you, but you probably need to do it more often. Frequency of change combined with password complexity provide you with protection and these days we need all of the protection we can get.

I can hear the complaints already, “there are too many systems to remember all the passwords ….” etc. You do not have to have a separate password for every site, yes it would be more secure but it is not necessary. In fact most people can get by having a handful of passwords that they use for different classes of site or application.

Digital goo

For some time the opponents of nano technology and some forms of genetic engineering have bandied around the concept of grey goo. Clouds of microscopic life forms or structures that destroy or clog up the world. All very apocalyptic but I wonder if we are not on the verge of something similar happening in IT.

So hands up who has a password protected/encrypted file or directory or a thumb drive, possibly even a hard disc, that they do not exactly know what is in it, and you are not sure what the password/phrase/key is to unlock or decrypt it? My hand is up and waving in the air, and I very much suspect I am not alone.

Most of mine are confidential office documents that I have been sent and the password is possibly somewhere in my email. I also have a few encrypted archives that I could probably by deduction find the password. I also have a thumb drive that I have no idea what the key is. With the files the worst ones are where I cannot tell by the file name what it is but because it is encrypted I know it is important, so I keep it, even if I do not have the key! In effect I have just filled up part of my disk, and my backups, with useless digital noise. It is digital goo.

With encryption becoming a common feature in today’s information protection armoury I predict that this situation, without the simultaneous introduction of key management, will become increasingly common. One of the first things anyone deploying any technology that encrypts or locks data in any way needs to consider is how they are going to manage the keys. How will key recovery work? Where is there key material in my environment? Can master keys be used to allow trusted processes such as backup and archiving solutions to understand the content and apply appropriate policies? All questions that need to be answered before you deploy the technology, otherwise do not blame me if in a few years' time all of your systems are gummed up with digital goo.

The RSA first and last timers game

A little bit of fun. At RSA 2011 I found the sign below outside the exhibition hall. It lists all of the people who are exhibiting for the first time. Of the product companies it is always interesting to see for how many this will be their first and last time at the show, well, as an independent company. Past experience tells us that a good number of these guys will have come to the show because they are hot, and if you are hot and small come next year there is a good chance you will be on one of the big stands in the centre come RSA2012 wearing your new employer's embroidered shirt.

I promise to revisit this post next year.

The iPad is not an oversized iPhone that you cannot make calls on

Firstly I see an increasingly large number of people using third party VOIP apps to make calls on them; it may not be as good an experience as the native iOS phone interface but it works. So that just makes them oversized iPhones, right?

No, there is something intrinsically different about the iPad, just look at how people use them. The only physical difference in terms of things that the iPad has and iPhone does not is screen real estate, yet I am seeing for the typical user that change, and in many cases fundamentally the way the typical user uses the device. This week is CES which is awash with tablet devices and if you get the screen size and resolution right I think what is true for iPad will be true for them.

So what does the bigger screen give you?  Well obviously it gives you space, space where information can be visualised.  I have very good eyesight, the technology on the display on the iPhone 4 is fantastic but give me the same information scaled up on an iPad and it becomes much more accessible to me, especially as the UI is based on my stubby fingers.

Now the screen on an iPad is only a bit smaller than the screen on my workhorse laptop, a Lenovo x61, so it would be reasonable to assume that the kinds of information I access on both would be pretty much the same, and it is. Mail, web pages, office documents and presentations are all equally accessible on both. The difference, with the exception of web pages, is where these things come from. On my laptop most of it comes from the hard disk, on the iPad the majority comes from the cloud. I even use applications on the iPad to render information that I would have previously accessed as HTML in new interactive formats, so to an extent, but I can only see it increasing, the way I access web pages has changed on the device.

The iPad and the tablets that follow it are changing the IT industry and this reliance on the cloud is a key factor in how it is doing it. Be it store and share repositories, thin information visualisation widgets and readers or VDI clients they have all been given a new lease of life by an iPhone with a bigger screen that does not make calls!

Enterprise Security – Candy or Nightclub?

Often when discussing technical things we revert to using analogies. An almost throw away one that is used for security in many enterprises is the soft centred candy, a hard outer shell that once you bite through it is soft on the inside. Use it and you get many knowing looks from your audience. This is because a lot of investment and time has gone into creating a hard perimeter around an organisation, its data, people and infrastructure on the assumption that keeping the bad guys out was the answer, neglecting how easy it is when the bad guys get in or a good guy turns bad. However many organisations do care and treat parts of their soft centre differently; for these I prefer the Nightclub model, especially when discussing things like adaptive authentication.

Free two factor authentication for Paypal, eBay and others

VIP Access on a Blackberry

Do you use eBay or PayPal? Ever wondered what happens when your account gets hacked? Credentials for both services are some of the most valuable “assets” available in the underground economy (we publish details in the Internet Security Threat Report). Yesterday I discovered that there is a free way using one of our recently acquired technologies to provide sophisticated but easy to use protection for them.

As part of our acquisition of VeriSign's security business we acquired the software based One Time Pass-code solution called VeriSign Identity Protection (VIP). This includes a software solution that runs on your smart phone (Blackberry, iPhone, HTC, Nokia, Palm, etc.) and turns it into a security token. Every 30 seconds your device generates a unique pass-code that websites, applications, VPNs etc. can use to provide a secondary factor of authentication in addition to your regular password/PIN.

VIP Access on an iPhone

The B2C sites that use this include PayPal and eBay but there are many more, although most are US based. To get VIP onto your Blackberry go here, fill out your number and a download URL and instructions will be sent by text. If you have an iPhone you will find the free app in the iTunes Store here; for other devices refer to this page, or for most devices including Blackberry you can go directly on your device to

Once you have downloaded your VIP client you will need to register it with PayPal and eBay or the other services that use it.  This takes just over 30 seconds as you have to enter two consecutive pass-codes.
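The post does not say which algorithm VIP uses, so this added example (not Symantec or VeriSign code) assumes standard RFC 6238 TOTP with HMAC-SHA1 to show a 30 second pass-code and a registration check that demands two consecutive codes. The names `register` and `window`, the 6 digit length and the secret are illustrative assumptions.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP = 30    # seconds each pass-code is valid, as stated in the post
DIGITS = 6   # assumed pass-code length


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30 second step containing unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def register(secret: bytes, first: str, second: str,
             server_time: int, window: int = 2) -> Optional[int]:
    """Accept enrolment only if `first` and `second` are the codes for two
    consecutive steps within +/- `window` steps of the server clock.

    Returns the device clock drift in steps, or None on rejection. Requiring
    two codes in order stops a single guessed or replayed code from enrolling
    a token and lets the server learn the drift once, at registration.
    """
    now = server_time // STEP
    for drift in range(-window, window + 1):
        t0 = (now + drift) * STEP
        ok_first = hmac.compare_digest(totp(secret, t0), first)
        ok_second = hmac.compare_digest(totp(secret, t0 + STEP), second)
        if ok_first and ok_second:
            return drift
    return None


if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret"      # constructed sample value
    t = 1_000_000_000
    codes = totp(demo_secret, t), totp(demo_secret, t + STEP)
    print("codes:", codes, "drift:", register(demo_secret, *codes, t + STEP))
```

The server compares in constant time and only searches a small window around its own clock, so a device whose clock is minutes out is rejected rather than silently accepted.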

Of course exactly the same technology leveraging the smart-phone based client and cloud based authentication can be used by businesses to provide B2B or B2E 2 factor authentication for remote access, CRM and line of business applications.

Wave Goodbye

In a rather downbeat post Urs Hölzle has announced what is effectively the end of Google Wave. He notes that the core technology will be used elsewhere and that the Wave site will remain active for the time being but due to the low adoption what was once an exciting technology is now no more. Is this really surprising? Do not get me wrong, I am, or is that was, a Wave fan. It pushed the bounds of what is possible in a browser, introduced new concepts for on-line collaboration and in a very geeky way was cool. Wave could be a great collaboration tool, I could see many use cases, especially if extended to not just text but drawing, however all of those use cases rely on one thing that was always missing from Wave, a means to communicate as well as collaborate. This became the fatal flaw.

To collaborate using any form of media you must first be able to communicate. Watch a team working around a whiteboard, unless all of the participants are mute they will talk about what they are adding or changing. It is what you do to help sell your contribution. Wave relied on the users setting this verbal communications channel up, it needed to be right there in the app. Every Wave hosting its own real time voice conference. So when Google get into that market hopefully they will dust Wave off and give it another try.

Keeping the lights on for longer, or at all

I know two data points do not make a trend, but my interest is always piqued when they come in quick succession and are backed up by other data in the environment. When browsing the agenda for Blackhat last night a session by Jonathan Pollet and Joe Cummins entitled Electricity for Free? The Dirty Underbelly of SCADA and Smart Meters leapt out at me, and this morning I find coverage of a paper by Ross Anderson at Cambridge University entitled Who controls the off switch? which addresses the same issues. In addition to this a survey was quoted on the news on my drive in that showed that energy costs were the current #1 concern of European consumers.