Tuesday 18 November 2008

On Microsoft Online Services (a retread post)

Yesterday, Microsoft did its big launch of Online hosted services, opening it up to SMEs as well as large organizations. These are “in the cloud”, or software-as-a-service (SaaS) implementations of Exchange and SharePoint (not to be confused with Exchange Hosted Services, which is the hosted email security service formerly from Frontbridge).

Microsoft first announced this about 18 months ago, and has been offering it only to large organizations for several months.

The services run in Microsoft’s own datacenters, on shared hardware — or dedicated hardware for larger customers.

In June I saw a demo of the tools to migrate users from an in-house Exchange network to the service. It looks comprehensive. The most useful aspect is that a customer can choose a subset of their users to move to the service, retaining other users on the in-house system.

Naturally, the service allows customers to synchronize their Active Directory (AD) forest between their in-house AD servers and the ones in the cloud.

Of course, this puts Microsoft into direct competition with their partners who are already offering hosted Exchange/SharePoint — often using market development funds from Microsoft itself. However, this does at least validate the market. Microsoft will also allow partners to resell the Online services, with some attractive affiliate kickbacks.

For the combination of Exchange, OCS, LiveMeeting, and SharePoint Online, Microsoft announced the price would be $15.

$15 is too expensive. Here are two reasons why:

First, compare that price with Google Apps at $50/year ($4.17/month). At one third the price, the combination of white-label Gmail, Google Calendar, Google Sites, and Google Talk may not provide 100% feature equivalence — but in most cases it will be more than good enough. Don’t forget that Google offers 25GB of email storage at that price, versus Microsoft’s 1GB, which is paltry by comparison. Some organizations may even find the free version of Google Apps is sufficient for their needs, assuming they can live with the lack of a service-level agreement.

Second, Microsoft doesn’t seem to have learned from the mistakes of others. Over the past ten years, we’ve seen vendor after vendor try to offer hosted Exchange — many of them backed by substantial Microsoft resources — but few have survived. Again, the problem is one of cost. Although the vendors would make a coherent, well-argued case that an organization should migrate to its hosted service, few IT managers believed it would save them money.

These vendors would tell potential purchasers that they could provide the service for less money than it was currently costing to run it in-house, but when it came time to actually quote for the service, most IT managers simply didn’t believe it cost them that much.

For fans of Economics 101, the hosted providers were charging more than the market would bear. Looks like Microsoft is making the same mistake. It’s a pity: Exchange 2007 is much more suited to offering the required economies of scale than previous versions.

Friday 19 September 2008

How Wall Street Lied to Its Computers

I really like Saul Hansell's post in the NYT's Bits blog. He eloquently explains how it is that so many financial institutions managed to fail so spectacularly -- given that they are regulated as to how much risk they can expose themselves to.

In summary: the institutions had sophisticated computer models to warn management if things were getting too risky, but the people running the models didn't give the models the right data.

Saul summarizes the summary thus: "Lying to your risk-management computer is like lying to your doctor. You just aren’t going to get the help you really need."

To summarize the summary of the summary: garbage in, garbage out.

Hat tip: Techmeme.

Sunday 14 September 2008

Bye Bye eBay

Eric Savitz at Barron's writes that eBay's (EBAY) business is "deteriorating" and that the company is preparing big layoffs (like: 1500-employees big).

Ina Steiner seems to agree, pointing out that "Meg Whitman and her inner circle of top executives are gone" -- to which I say: good. And not a moment too soon.

eBay is now a complete, unmitigated disaster zone:
  1. It's managed to alienate both its sellers and buyers with a sequence of ill-thought-out and badly-executed actions, such as mandating PayPal.
  2. Its PayPal division seems to be staffed exclusively by cut'n'paste junkies who couldn't spot a fraudulent seller if you painted him fluorescent orange and dangled him from a cherry picker.
  3. It even seems to have strangled the life out of its exciting Skype acquisition.
Lest we forget, this is the company who in 2005 soothingly reassured concerned recipients that a blatant phishing scam was actually sent by eBay themselves. I still pinch myself.

Hat tip: Techmeme

Saturday 13 September 2008

Jeremy Jaynes gets a free pass?

It's déjà vu all over again. I see that Jeremy Jaynes has won his most recent argument in Virginia that the state's anti-spam law is unconstitutional. (Once again, thanks to Slashdot for the heads-up.)

Jaynes would have us believe that spamming is protected speech under the U.S. First Amendment. The court didn't exactly say that, but concluded that the law as written was overly broad, because it didn't explicitly differentiate between commercial speech and any other kind of speech (e.g., political expression).

While I agree that anti-spam laws shouldn't restrict political speech, I have a couple of issues with this decision:
  1. Spam is spam, whatever the content; I'd hate this to be seen as a license for nut-jobs to fill my inbox with political rants.
  2. Doesn't the U.S. constitution already make it clear that commercial speech isn't unprotected?
As I noted back in March, it was worrying that the previous decision was split 4-to-3.

Again, I say I find it really hard to believe that the American founding fathers intended my inbox be full of spam.

Wednesday 3 September 2008

Stephen Fry: Must Try Harder

Stephen Fry, we love you very much. You are a National Treasure.


If you're going to expound the delights of free software, you could at least make an effort to pronounce Linus's name correctly.

Anyway, if you can't be bothered to muck about with Ogg Vorbis and such, I found this version of the video on the evil, unfree YouTube.

There's more at IT Blogwatch.

Wednesday 27 August 2008

Cisco buys Exchange-a-like vendor PostPath

Updated with more commentary 4.16pm UTC. Hello, Techmeme.

Suddenly, things are getting interesting again in the Exchange-alternatives market.

The quintessential growth-by-acquisition specialist, Cisco (CSCO), has just announced that it's acquiring PostPath.

Once again, Cisco makes a sound investment in an email technology vendor. Just like it did with IronPort. Great choice.

These are the clever guys who reverse-engineered the Exchange client protocol, MAPI/RPC, and the related on-the-wire details needed to make a vanilla install of Outlook talk to a non-Exchange mail server with full fidelity. Impressive stuff.

Despite Om Malik's analysis, this is quite a bit different from Zimbra.

Of all the other Exchange alternatives, PostPath has the most interesting architecture. And I say that as one who has years emotionally invested in the HP OpenMail technology ;-)

All the others rely on additional software on the desktop. In the case of OpenMail/SamsungContact/Scalix/Domino/etc., that's a MAPI service provider "plugin". Or, like Bynari/OpenXchange/etc., a separate app that synchronizes an IMAP store with an Outlook .PST (personal store file).

I think Cisco fell out of love with Microsoft a while back. Something to do with VoIP support in Exchange and how Cisco thought it was Microsoft's partner but it turned out that Microsoft was competing with them. Nothing familiar there at all...

Sounds like Cisco wants to offer SaaS collaboration, based on PostPath and WebEx. Whoever said the email world has become dull and uninteresting?

Thanks to Jeff Brainard for the tip.

Friday 20 June 2008

"Secure Resolutions" Sends Spam

Update August 25: Just a quick note. I'd appreciate it if shills for Secure Resolutions would stop emailing me to say I'm an ignorant idiot.

Update June 19: VerticalResponse has confirmed that Secure Resolutions's account is now closed and banned. Well done, guys.

Yesterday, I got email from some company called Secure Resolutions.
We are contacting you because you are currently a customer or you have been a customer and we would like to continue to be your supplier of anti-malware and backup protection. I would like to take this opportunity to introduce you to our award winning, patented technology...
etc., etc., etc.

Trouble is, I've never heard of them, and the role account they sent it to is incapable of being a "customer" of anyone. Yes, friends: ergo, this email was spam.

(Incidentally, there seems to be some connection between this company and Panda Security, who I've also caught spamming.)

The company uses VerticalResponse to send this spam, so I shot a note to their abuse alias and got an encouraging note back from their Email Delivery & Policy Enforcement team. VR says it has "completely disabled" the Secure Resolutions account and "opened an investigation."

Watch this space for updates.

Anyone else had problems with this sender?

Tuesday 17 June 2008

Scott Richter Settles Another Spam Suit

Oh looky, it's our "friends" Steve and Scott Richter in the news again. This time, they've settled with MySpace for $6 million after being accused of spamming thousands of MySpace.com users -- and using phished accounts to do it (see today's IT Blogwatch for more).

Of course, Scott gave up spamming some time ago. Or did he? Brian Krebs today offers an interesting investigation into domain registrations of spamvertised Web sites:
More than three quarters of all Web sites advertised through spam are clustered at just 10 domain name registrars ... Out of the 15,000 spam-advertised domains we examined, nearly half -- 7,142 names -- were registered through a Broomfield, Colo. company called Dynamic Dolphin ... the seventh most-popular registrar among spammers ... [and] owned by a company called CPA Empire, which in turn is owned by Media Breakaway LLC. The CEO of Media Breakaway is none other than Scott Richter, the once self-avowed "Spam King" who claims to have quit the business. Anti-spam groups also have recently implicated Media Breakaway in the alleged hijacking of more than 65,000 Internet addresses for use in sending e-mail and hosting commercial Web sites.
Remember kids, Rule #1: Spammers lie.

Thursday 15 May 2008

The Top 25 B-to-Z List Blogs

My piece at the "new" Industry Standard is finally up, with additions from Ian Lamont.

"These are the blogs you won't see on the Techmeme Leaderboard, Technorati's Top 100 blogs, or the CrunchBase BloggerBoard ... at least not yet. They include VCs, entrepreneurs, coders, experts, and observers, and they bring a delicious mix of insight, experience, and passion to their blogs. While they may not have the right amount of link love, they need to be on your radar screens."

Monday 12 May 2008

Hello, BlackBerry Bold and its Sexy New UI

Wow, from the look of this video, Research in Motion has really done a great job of sprucing up its user interface. Looks speedy, too.

I've always been a PalmOS fanboi (I know, I know) and have gone through a succession of devices: original Pilot, Palm V, Treo 180, 270, 600, 650 -- but this could be the device that finally weans me off of PalmOS.

Disclosure: RIM is a client.

More of this nonsense in today's IT Blogwatch.

Hat tip: Kevin Michaluk.

Tuesday 6 May 2008

Lost in Translation? Bill Gates in Korea...

Something very wrong here...
SEOUL, South Korea (AP) — Microsoft Chairman Bill Gates said there will be a vast shift in Internet technology over the next decade as he met Tuesday with South Korean President Lee Myung-bak.

"We're approaching the second decade of (the) digital age," the software mogul and philanthropist told Lee at the start of their meeting at the presidential Blue House, according to a media pool report.

"The Internet has been operating now for 10 years," Gates said. "The second 10 years will be very different."
Excuse me? “The Internet has been operating now for 10 years”???

Uhh, tell that to the National Science Foundation, who switched on the Internet as we know it today in 1983, migrating from the old ARPANET, which had been going since 1969.

He can’t possibly mean the Web, as that’s been going for over 15 years. He can’t even mean Internet Explorer — the first version of which was released in 1994.


Wednesday 30 April 2008

Your Reputation in Peril: Use Outbound Spam Filtering

Whether or not you or I believe BorderWare's amazing claim that it filters 98% of spam using reputation alone, it's clear that reputation is increasingly important.

No surprise there, but what's the implication for legitimate email users?

As more and more spam filtering relies on your reputation as an email sender, your reputation gets more and more important. Lest we forget, most spam is sent by malware-infected zombies, some of which could be on your network.

That's why outbound spam filtering is increasingly important. It's not just about being a good 'net citizen -- you need it to protect your reputation.

If you don't keep a lid on spam exiting your network, your reputation will be trashed. In crude terms, your outbound IP addresses will be blacklisted, meaning your ability to send email to your legitimate business contacts will be severely limited.

If a few of your users are unwittingly sending spam, then all of your users will have serious trouble sending legitimate email.

Of course, an outbound spam filter can't, by definition, use sender reputation. It has to rely primarily on content filtering. Those that claim that reputation is the be-all-and-end-all of spam filtering are missing an important point.

With thanks to Proofpoint's Andrew Lochart and David Stanley, for a stimulating conversation last week.

Saturday 19 April 2008

The Media is Bored with Spam?

I moderated a Ferris Research webinar earlier this week. It was intended to be a press-only event, to support a client's press release. Inevitably with these things, a few non-press register, but that's perfectly OK.

The client is a new spam filter vendor, which seems to have an interesting new twist on the problem (I'm reasonably convinced that it's not just a silly FUSSP).

The thing that really surprised me was how few press people turned up. In fact, non-press outnumbered the press folks two-to-one. What's up with that?

I also heard from the client's PR person (hi, Donna) that nobody has anything spam-related on their editorial calendars.

Doesn't the mainstream media care about spam any more? Certainly their readers do, as evidenced by the continuing churn in the spam filtering marketplace.

Any thoughts? Click the comments link below: I'm all ears.

Wednesday 9 April 2008

BorderWare claim: Amazing Reputation Filtering (RSA)

BorderWare is making a very interesting claim. It seems to be blocking an enormous proportion of its customers' inbound spam simply using IP reputation.

While most anti-spam vendors these days talk about blocking roughly 75% of the spam using IP reputation (basically a fancy word for DNSBLs), BorderWare's quoted statistic is 98.3%. Wow, that's a lot -- especially considering that the law of diminishing returns almost certainly applies.

This is a good thing because the more spam one can identify and block by reputation, the less spam content one has to examine using techniques such as Bayesian analysis, which are computationally "expensive".

But how does the company achieve such a high figure? By slashing the time taken for new entries to be added to its centralized reputation database (BSN, or "BorderWare Security Network" -- soon to be rebranded as "Reputation Authority").

These days, new zombie spam sources don't hang around to be detected; they get sending as soon and as fast as they can -- the botmasters have realized that a fresh, undetected spam source is far more effective than an old, known source. Minutes count; in fact, in the spam economy, time is money.

Proofpoint has a Reminder: It's Still Here (RSA)

Proofpoint has a new VP of marketing, and not a moment too soon. Andrew Lochart is the first to admit that his new employer has been very quiet recently, and he aims to change that.

Aside from the recent $20 million funding round and the additional 40 employees hired already this year, he reminds us that Proofpoint recently launched a hosted email security service, Proofpoint On Demand. This means that Proofpoint now offers its technology as a service, as software, as an appliance, and as a virtual appliance (a virtual-machine image of the appliance).

Sticking with what seems to be a "hybridized" theme, customers can mix and match the different form factors, while still managing them all from a single console. Handy, that.

2factor: Interesting Encryption Technology (RSA)

2factor is primarily an encryption technology licensing business -- the company sells its technology to OEMs. The core technology is called Real Privacy Management (RPM).

It works by calculating symmetric private keys (i.e., it doesn't use a public/private key pair). Each party in a transaction has a private key, which it presents to a trusted intermediary. The pair of keys defines a series of encryption keys, to be used in sequence.

2factor says the benefits are:
  1. Very fast encryption (the calculations can be done using register arithmetic); perhaps 100x as fast as Diffie-Hellman, for example.
  2. Provably secure, unlike elliptic curves for example.
  3. The trusted-intermediary architecture can be generalized, permitting a federated model.

Tuesday 8 April 2008

Voltage also has a Hybrid Service (RSA)

Hybrid services seem to be quite the theme on this weblog, for some reason. I just talked to Voltage Security, which announced something called "Connected VSN" today.

Now, I know what VSN is -- the Voltage Security Network. It's a hosted service that implements the key management for Voltage-style identity-based encryption (IBE). The idea being that instead of on-premise key management, you centralize the key generation in the cloud. This is similar to the architecture used by Identum (now part of Trend Micro). But what's the "Connected" bit all about?

There's a class of customer who wants to do outbound encryption at the gateway -- possibly driven by local policy -- but doesn't want to provide the decryption service to non-local users. This type of hybrid architecture is what Connected VSN is for.

The sender has an on-premise Voltage appliance that manages keys and performs outbound encryption. Recipients then use the VSN service hosted by Voltage to decrypt the message.

IronKey: an Encrypted USB Flash Drive on Steroids (RSA)

Update (April 16): IronKey yesterday “announced full FIPS 140-2 Level 2 security validation -- at the product level, rather than the more typical component-level validation.” Shame it’s “only” level 2, but I guess that’s a start and is probably more than adequate for the vast majority of applications.

IronKey isn't just another encrypted USB flash drive-key-stick-thingy. For a start, the company makes a big thing of their claim that IronKey is the only such device designed from the start to be secure (as opposed to a flash drive that's had security "bolted-on", presumably). Well, that's an interesting claim, but of arguable merit. However, there are other aspects that are worth talking about:
  1. This key will self-destruct -- if you try to disassemble it, or if you enter the wrong password too many times, the IronKey doesn't just wipe itself, it destroys the flash memory, the company says.
  2. It's not just a device, but also a service -- if you register the device on IronKey's Web site, the company offers password recovery/escrow and access to IronKey's own Tor anonymizing network (i.e., a private network, not the usual public one).
  3. It also acts as a 2FA device -- a firmware update will add the necessary logic to make it act as a Verisign VIP device, for two-factor authentication. An "enterprise" version of the device will also have similar support for RSA SecurID.
Shipping now for Windows XP and Vista. Mac and Linux support are "nearly ready".

Love him or hate him, the episode of Steve Gibson's podcast about IronKey has more about the device, including an interview with IronKey CEO, Dave Jevans (yes, that Dave Jevans).

Trend Micro's Hybrid Hosted Service (RSA)

Trend Micro takes an unusual approach with its hosted ("managed"; "in-the-cloud") email security service. Rather than trying to do everything, it sticks to what a service is good at.

Trend is applying the Pareto principle (a.k.a. "80/20 rule"). The company promotes a "hybrid" approach, with the hosted service implementing only a first level of spam filtering based on reputation -- filtering roughly 80% of the inbound spam. The remaining email is passed on to spam filtering appliances on the customers' premises, to deal with the other 20%.

The on-premise appliance can therefore more easily be customized to conform to local policy. When it comes to filtering spam using content, it's best to have an understanding of the types of legitimate content that the organization sends and receives -- the obvious example is medical organizations, who may well expect to receive email about a certain blue pill whose name begins with 'V'.

Of course, organization-specific customization can be done in the cloud -- there's nothing intrinsic about it that forces it to be on-premise, but this split in responsibilities seems like it has merit.

Monday 31 March 2008

Off to RSA

I'll be at the RSA conference next week, Monday-Wednesday. I'll also be doing other meetings in the SF bay area on the 3rd and 4th.

If you want to meet up or just get in touch, best bet is by email or text (+447789200701).

Monday 17 March 2008

Your humble, award-winning blogwatcher

Update: for those of you clicking through from Yahoo Finance's Apple page, no I don't know why, either. But welcome, anyway! Feel free to read some more of my stuff.

Golly. My IT Blogwatch thingy over at Computerworld was just recognized as one of three Computerworld blogs to swing a Jesse H. Neal Award.

If you peer really carefully at this pic, you'll see my idiot-grin in the screen shot...

The very not-dead Linda Rosencrance says:
Computerworld today won Jesse H. Neal Awards for best Web site, best online series for its coverage of Apple Inc.'s Leopard operating system, and best blog ... "I don't think it's a stretch to say this may well be the single most outstanding accomplishment in the history of Computerworld," said Don Tennant, vice president and editorial director of Computerworld. ... The blog award recognized three blog posts in particular, one from the Web site's daily IT Blogwatch written by Richi Jennings, and others written by Ian Lamont and David Ramel.

Thursday 6 March 2008

Spammers attaching .ZIP files with HTML inside

Since about 1am GMT today, I've seen a steady stream of messages with .ZIP attachments hit my spamtraps. The Zip files seem to contain a simple HTML page spamvertising the usual fake ED drugs.

Subjects include:
  • On Top All Night
  • Your Sexual Health
  • Master in bed are you
  • Smart in bed games
  • Be a big bed man
There seem to be two templates in use:
  1. a simple plain text body and a .ZIP attachment
  2. an HTML body (plus a multipart/alternative plain text part) with the .ZIP file as a multipart/related part
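
A filter can recognise both templates by looking inside the archive rather than at the subject line. The sketch below is an added example, not code from the original post: it walks the MIME tree, lists each ZIP part's members without decompressing them, and flags archives that contain nothing but HTML. The function names, sample addresses and the `page.html` / `info.zip` names are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

HTML_EXTS = (".htm", ".html")


def find_html_zips(raw):
    """Return one record per ZIP part whose members are all HTML files."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []

    def visit(part, container):
        if part.is_multipart():
            for child in part.iter_parts():
                visit(child, part.get_content_type())
            return
        data = part.get_payload(decode=True) or b""
        # Trust the bytes, not the declared content type or file name.
        if not zipfile.is_zipfile(io.BytesIO(data)):
            return
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # namelist() reads the central directory only; nothing is
                # decompressed, so an oversized archive costs nothing here.
                names = [n for n in zf.namelist() if not n.endswith("/")]
        except zipfile.BadZipFile:
            return
        if names and all(n.lower().endswith(HTML_EXTS) for n in names):
            hits.append({"filename": part.get_filename(),
                         "container": container,   # mixed = template 1, related = template 2
                         "members": names})

    visit(msg, None)
    return hits


def build_sample(template, member="page.html"):
    """Constructed test message in the shape of template 1 or template 2."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "<html><body>constructed placeholder</body></html>")
    zip_bytes = buf.getvalue()

    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "trap@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text body")
    if template == 1:
        # Plain text body plus an ordinary attachment (multipart/mixed).
        msg.add_attachment(zip_bytes, maintype="application",
                           subtype="zip", filename="info.zip")
    else:
        # text/plain + text/html alternatives, ZIP hung off the HTML part
        # as a multipart/related sibling.
        msg.add_alternative("<html><body>html body</body></html>", subtype="html")
        msg.get_payload()[1].add_related(zip_bytes, maintype="application",
                                         subtype="zip", filename="info.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for template in (1, 2):
        print(template, find_html_zips(build_sample(template)))
```

The `container` field distinguishes the two templates; a ZIP sitting inside `multipart/related` is unusual in legitimate mail and is worth scoring on its own.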

Wednesday 5 March 2008

Email Address Typos can Spell Trouble

A quick extract from yesterday's IT Blogwatch, in which the U.S. Air Force gets caught sending classified data in unencrypted email:
Sensitive information ... swamped Gary Sinnott's email inbox after he established www.mildenhall.com ... Emails intended for Air Force personnel at the Mildenhall Air Force base (who uses the domain mildenhall.af.mil) were being misdirected to the owner of the .com site ... hundreds of classified emails were sent from around the world ... detailing all kinds of secret military information ... I ask you, what sort of drooling idiots do the US Military employ? Do they breed them in special farms?
And so on, and so on...

Reminds me very much of when I helped migrate Ferris Research's email accounts from The Electric Mail Company to Google Apps -- I set up a catch-all account to make sure we hadn't missed any weird aliases or mailing lists. You've almost always got to do this when migrating an email setup, because it's so easy to miss a useful address. You'd be surprised how many times you can ask the question "Is this alias still needed?", get the answer "no", and find that in fact it is.

Anyway, I was amazed how much misdirected email we received -- much of it meant for ferris.edu (Ferris State University, Michigan), as well as obviously confidential attorney-client communication, love notes, and more. All of human life was here for a while.

I guess it only goes to prove -- if proof were needed -- that .com is the only game in town, when it comes to domain choice.

Sunday 2 March 2008

Jeremy Jaynes Lost Appeal, but...

Hmmm, so I see that Jeremy Jaynes has lost his appeal in Virginia that spamming is protected speech under the U.S. First Amendment. (Thanks to Slashdot for the heads-up.)

Jolly good, and no surprise there, I think. However, why on Earth was it a 4-to-3 split decision? What were those three state supreme court judges thinking?

Well, according to the AP:
Justice Elizabeth Lacy wrote in a dissent that the law is "unconstitutionally overbroad on its face because it prohibits the anonymous transmission of all unsolicited bulk e-mail including those containing political, religious or other speech protected by the First Amendment."
Oh, balderdash. I find it really hard to believe that the American founding fathers intended my email to be full of spam.

Friday 29 February 2008

Spammers work for Desperate Social Networks

Hmm, email hitting spamtraps this morning for a social network called Friendsgroup.co.uk. Sounds suspicious, no?

Let's see:
  • Spam sent to email addresses that only exist to trap spam? CHECK
  • Spam comes from dynamic consumer ISP space? CHECK
  • Envelope sender forged? CHECK
  • Date: header a couple of hours in the future? CHECK
  • "Content-Transfer-Encoding: 7bit" but includes 8-bit characters? CHECK
  • Text mentions "double opt-in"? CHECK
  • Spamvertized website operates out of Latvia, not the UK? CHECK
Update: I only had a quick look and can't see anything obviously dodgy with the site itself. My suspicion is that it exists to spread malware -- either by exploiting browser vulnerabilities or by making people download Trojans when they register.

It could alternatively be a come-on for a Russian Brides style scam.
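
Two items on the checklist above, the Date: header in the future and the 7bit declaration with 8-bit bytes in the body, can be tested from the message alone. The following is an added example, not part of the original post; the sample message, the receipt time and the 10-minute tolerance are constructed assumptions. The forged-envelope and dynamic-IP checks need SMTP session data and reputation lookups, so they are left out.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_bytes, policy
from email.utils import parsedate_to_datetime


def future_date_skew(msg, received_at, tolerance=timedelta(minutes=10)):
    """Return how far Date: lies ahead of receipt time, or None if acceptable."""
    raw = msg["Date"]
    if raw is None:
        return None
    try:
        sent = parsedate_to_datetime(str(raw))
    except (TypeError, ValueError):
        return None                      # unparseable Date: is a separate finding
    if sent.tzinfo is None:              # "-0000" yields a naive datetime
        sent = sent.replace(tzinfo=timezone.utc)
    skew = sent - received_at
    return skew if skew > tolerance else None


def eight_bit_under_7bit(msg):
    """Content types of leaf parts declared (or defaulting to) 7bit that carry bytes >= 0x80."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        if cte != "7bit":
            continue
        body = part.get_payload(decode=True) or b""
        if any(b >= 0x80 for b in body):
            hits.append(part.get_content_type())
    return hits


def score(raw, received_at):
    """Run both header/body consistency checks and list what fired."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    skew = future_date_skew(msg, received_at)
    if skew is not None:
        findings.append(("date-in-future", str(skew)))
    for ctype in eight_bit_under_7bit(msg):
        findings.append(("8bit-in-7bit", ctype))
    return findings


# Constructed sample: Date: is 2h05m ahead of receipt and the body holds a
# raw 0x96 byte despite the 7bit declaration.
RECEIVED_AT = datetime(2008, 2, 29, 9, 25, tzinfo=timezone.utc)
SAMPLE = (
    b"From: friend@example.invalid\r\n"
    b"To: trap@example.invalid\r\n"
    b"Date: Fri, 29 Feb 2008 11:30:00 +0000\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"Join today \x96 double opt-in\r\n"
)

if __name__ == "__main__":
    print(score(SAMPLE, RECEIVED_AT))
```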

Monday 25 February 2008

Crypto vendor Identum bought by Trend Micro

It's official, so I can now write about it. Trend Micro and Identum today announced that Trend is buying Identum.

Identum is an encryption vendor, which does away with certificates -- which are difficult to manage -- in favour of encryption keys that are based on a user's "identity" -- typically the email address.

On the face of it, this is similar technology to Voltage Security's IBE, but with better performance, simpler administration, and arguably better security.

Identum chose not to offer a federated model. Instead, it's a service, based in a super-secure bunker in "an undisclosed location" (well, I could tell you where, but then I'd have to kill you).

Congratulations to Andy Dancer and the rest of the Identum crew for successfully getting this interesting technology out of Bristol University, incubated, and flipped.

Thursday 21 February 2008

Can Anyone from Yahoo Help?

I have a client with a problem getting email to his customers on Yahoo. The users want the email, but it keeps turning up in their Bulk folders, not the Inbox. Most frustrating.

I've walked him through making everything squeaky-clean, but no luck.

Yahoo's "Postmaster" contacts just seem to be a huge black hole. Is there anybody reading this who can offer a clueful contact at Yahoo?


Thursday 14 February 2008

Back from Barbados; Mojo Returning?

That was a relaxing break. There are a few photos on Facebook.

I may regret saying this, but I think I feel my blogging mojo returning...

Friday 4 January 2008

Alan Ralsky Indicted

Well well. It seems the Feds have decided that Ralsky has been helping the Russian stock kiters...
A federal grand jury indictment was unsealed today in Detroit charging 11 persons, including Alan M. Ralsky ... in a wide-ranging international fraud scheme involving the illegal use of bulk commercial e-mailing, or "spamming" ... The charges arose after a three-year investigation ... revealed a sophisticated and extensive spamming operation that, as alleged in the indictment, largely focused on running a stock “pump and dump” scheme.
Much, much more at today's IT Blogwatch.

(Happy new year, by the way.)