The Daily Incite - December 14, 2007

Submitted by Mike Rothman on Fri, 2007-12-14 07:26.
Today's Daily Incite

December 14, 2007 - Volume 2, #163

Good Morning:
Although the stock market has been a bit turbulent over the past few months, the major averages are still up nicely for 2007. Not many have done more nicely than Apple, and Google has certainly done OK too, especially given the rapid run-up over the past two years. Both of these companies have super-sized market caps that would make Ronald McDonald proud. I also heard the Hamburgler is thinking about coming out of retirement to get some of that. OK, maybe not - but I just had to work the Hamburgler into the piece. Love the Hamburgler.

But how do these companies maintain such astounding growth rates, given the size of their companies? They need more customers to use more of their stuff. Brain surgery, right? I can only look at my own purchasing and use habits, and I know I am consuming a lot more Apple and Google than I have in the past. Although my Mom may like to think I'm "unique," I suspect there are a lot of people with buying habits similar to mine.

I've got 4 Macs now (yes, I bought the iMac, so I could stop using that nightmare that is Vista), a bunch of iPods, and I'm increasingly using Google for a lot more things. With word that Google can natively sync with the Blackberry calendar, it's time to revisit whether I can leave Microsoft in the rear view mirror. At least for a little while.

The reality is that I've been held captive by Microsoft Exchange's superior integration with the Blackberry for years. I pay about $22 per month for my hosted Exchange service, and I'm starting to scratch my head and wonder if I'm still just married to my old corporate mentality and whether it's time to really cut the cord. I don't use Tasks and I don't use the Memopad often at all, so having to actually sync with my desktop (using PocketMac) probably isn't that big of a deal.

Now I haven't used the Gmail application on the Blackberry, but I hear it's outstanding. But the key attraction of the Blackberry has always been push email. Do I really need instantaneous email? I probably won't get back to you instantaneously anyway. Won't email through IMAP to a mailbox provided by one of my 3 different hosting providers suffice? I'm trying to restrict my email usage to a morning and evening block anyway.

I've been waiting for Mac Office 2008 mostly for the allegedly enhanced connectivity with Exchange. But now it seems Microsoft is backpedaling a bit relative to how well Entourage 2008 will really stack up to Outlook. It's just ridiculous that I need to run Windows on my Mac mostly for Outlook. It's even more ridiculous that I'll need to wait for better Exchange support to roll out in phases. The situation is pretty much untenable at this point. In my opinion, Entourage 2004 is the worst email client I've ever used. If Entourage 2008 is only marginally better, then it will still suck. And E 2008 still won't be able to import Windows Outlook .pst files, so a bunch of my old mail will still be trapped in Windows land, unless I want to use a kludgy work-around. Arghhh.

So I guess I'm wondering about this entire Microsoft hegemony. I'll need to get some more feedback from folks I trust, but it may be time to give iWork '08 a try as well. It takes a few more steps to work with the Office file formats, but it can be done. Or maybe I'll just go with Google Apps. I wonder if the editors I work with would take a link, instead of an attachment to the pieces I write every month? Then I can use Google Apps to provide my mail and calendar (since it's natively integrated with the BB now). I can also start using GDocs and the spreadsheet program as well. When was the last time I really needed a pivot table?

I think it's time to cut the cord. The more I think about it, the better idea I think it is. I'll ditch my hosted Exchange Service and try out Google Apps. I'll save about $200 and probably be a lot happier. Even after buying iWork, I'll still be ahead $120. Maybe I can push out the Mac Office 2008 upgrade (which will set me back $300 big ones). By then I'll have played around with Pages and Keynote enough to know whether I'll be able to make it work. I've heard good things about OpenOffice as well.

Am I crazy? Will I come running back to MSFT Office with my tail between my legs by February? Will Captain Privacy's hidden subliminal messages finally convince me that having all my stuff with Google is a bad thing? If anything it will be an interesting experiment. Interesting indeed.

In terms of properly managing expectations, publishing of TDI will be kind of lumpy through January. Between holidays and other work commitments, my goal is to do 3 next week to finish the year and then review the 2007 Incites during Xmas week. In January I'll be publishing when I can, but figure at least 2 TDI's per week. Have a great weekend.

Cutting the Cable image originally uploaded by George Reilly


Top Security News

ITIL-a the Hun coming to a security program near you
So what? - Sometimes it's hard to remember that the true "practice" of information technology is young and immature. Folks have been applying process models with the aim of refining assembly lines since the '40s. We have been doing IT seriously for what, maybe 30 years? So this idea of best practices and process orientation that ITIL represents (yes, a very significant simplification of what ITIL is, but go with me here) is gaining steam because the complexity of today's IT environment requires an abstraction to help get our arms around it. Well, security is in the same boat, and I've been hearing folks talk about applying ITIL practices to security for at least 18 months. Now it seems some folks are actually doing it, according to this NetworkWorld coverage. Personally, I don't care where the program/framework/processes, etc. come from. As long as it's focused on protecting the most important assets of the organization and structured in a way that ensures you can communicate your achievements, I'm all for it.

If you can't compete, cry monopolist behavior and sue!
So what? - This isn't really security related, but I tend to believe the success of the security vendors (Symantec and McAfee) in getting Microsoft to open up specific APIs had a lot to do with Opera deciding that complaining to the EU was actually a better idea than competing in the market. Now if IE still had 97% market share, they might have a point. But with Firefox continuing to grow and make inroads, Opera just seems to be suing because they can't compete. Basically it seems their entire intention is to figure out a way to be distributed with the base OS. Here's another idea: actually go to the PC makers and see if they are interested in bundling your app. Oh yeah, a little detail... customers don't want it. As evidenced by the special Windows-without-Media-Player version that resulted from Real Networks suing Microsoft in Europe, or something like that. I'm pretty sure that everyone is free to load software onto their devices and to use alternative technologies to the stuff that Microsoft bundles in. How many of you are using Windows Mail? Right, you can load up whatever is the standard for your company's email client. But I guess the mobile browser game is OK because it can fund Hail Marys like this.

Enderle hits the egg nog - hard
So what? - I continue to read Rob Enderle's Dark Reading column, though I'm not sure why. I guess with all the negativity relative to 2008 flying around, the idea of someone saying "New and built-in security technologies could soon make the PC safer than ever" is a welcome idea. But then he goes on to talk about TPM. Right, the Trusted Platform Module. What problem does having an on-board encryption chip solve again? Oh yeah, what about all the software that would be needed to use it in practice (I spent $30 million of other people's money in the late '90s to prove that if ANYONE has to do ANYTHING to make encryption work - they won't)? What about the fact that the data and the user's identity are then married to the device? I know I use 3 devices very regularly, so that won't work for me. Then he goes on to talk about anti-bot technology and a sort of LoJack for your PC. But the close is the killer: "When these features are coupled with Vista SP1 and an adequate biometric authentication system, enterprises should be able to provide an unprecedented level of data security." An "unprecedented level of data security," by securing a laptop? There seems to be a disconnect about what data security is. I guess when all you know is a PC, everything looks like a laptop.

The Laundry List

  1. What's next OysterNAC? Sourcefire's plan to make customers pay for ClamAV support is to add DLP. Good luck with that. - Sourcefire release
  2. nCipher shops at the NeoScale fire sale. Amazing what $2 million will buy you nowadays. - nCipher release
  3. What is Security Risk Management again? I'm not sure, but you can now get it as SaaS from TraceSecurity. Remember the good old days when companies would actually try to create new categories, as opposed to everyone jumping into the same poorly defined buckets?  - TraceSecurity release
  4. If at first you don't succeed... try, try again. Marc Maiffret suddenly sees and decides to leave eEye to start another venture. Actually he's been gone since September, but no one seemed to realize he was missing. - NetworkWorld coverage

Top Blog Postings

Getting the mythical seat at the table
Ernst and Young recently did a survey that tells folks what we already know. Security folks aren't taken seriously in the board room. It's still a problem, although I do see more folks talking about business issues, but maybe that's just because it's my spiel and I self-select people that tend to agree. Tom Olzak has a good post here relaying his efforts to be taken seriously, and it's all about vernacular. You need to talk their language. When you see the CEOs of these big companies walking the shop floor, do you think he/she is asking the workers how they hit their new $1000 Nike driver at the club last weekend? Probably not. You need to communicate to these folks in the way they understand and parse information, and controls and firewall rules and other arcane acronyms and techno-babble are not the way to do it.
http://blogs.ittoolbox.com/security/adventures/archives/security-must-have-a-seat-at-the-table-21147

Mastering Wikipedia - Matasano-style
Matasano Tom comes back with a bang in this post, schooling security marketers about how to get a link from Wikipedia. It's good advice and stuff that I'm not sure most marketing folks think about. Why? Because they are too busy getting poked in the eyes by grumpy sales guys that can't make their numbers, CEOs that have no idea what marketing is, and reacting to competitors that have a flexible definition of speeds and feeds. The fact is SEO (search engine optimization) is a black art. So you pay lots of money to a 20-something to wave a magic wand and increase your organic search rankings. When all you need to do is play the game and get on Wikipedia, and hits and leads and prosperity are sure to follow. OK, maybe not the leads and certainly not the prosperity, but the power of Wikipedia in generating traffic is well known. But now that Tom has unveiled the Secret, everyone will be doing it. Get back on that Hamster Wheel, security marketers, and rejoice - at least for the next couple of weeks the focus won't be on how bad you are. Until January 2 anyway.
http://www.matasano.com/log/1002/the-wikipedia-advertising-vulnerability-and-how-not-to-mess-it-up/

Willie Sutton was right
The Mogull rails about predictions and their folly all the time. I kind of agree with him, but then out of the other side of his mouth comes this gem: "Data and business application security will drive most of the new growth of the security market over the next 3-5 years." The rest of the post goes through the history of why network security isn't where it's at - moving forward. I'm absolutely with Rich on this one, but it's a pretty obvious projection. There isn't really much innovation happening in the network and data center security markets. You have a lot of folks trying to figure out how their existing stuff works with virtualization, but I call that marketing - not innovation. Yet most new attacks are targeted at web applications with the sole goal of compromising data. And we do a really poor job as an industry at both application and data security, so there is a lot of upside there. Meanwhile, what's next for network security folks? A 100G IPS? That's just what everyone needs.
http://securosis.com/2007/12/10/data-and-application-security-will-drive-most-security-growth-for-the-next-3-5-years/


Submitted by Dale Gardner (not verified) on Fri, 2007-12-14 08:11.

Over the last several years, I've almost completely cut ties to Microsoft in favor of Apple and I'm quite happy.

I do keep an image of XP that I run with Fusion - that's mostly for Outlook calendar with Exchange, and to do some checking and formatting with PowerPoint documents.

The current release of iWork seems pretty solid - there are feature gaps, so you should consider how you use Office apps before making the switch. All the iWork apps can read the latest Office file formats, so there are no extra steps in reading documents. Saving documents requires an extra export step - plus the inconvenience of keeping track of multiple versions of a document in two different formats. If I need to send something to another person, I generally export the file, email it, then delete the Office file - if they send it back with edits or comments, I can just read their version in directly.

Pages should work well for you - they've added support for change tracking, so you can work easily with editors and reviewers. I've not tried to convert documents that are heavily formatted - if I have something like that, I tend to just send a PDF.

Keynote is, in my opinion, a great app for presentations. There are some features that are missing - which I tend not to use anyway, so I don't really miss them. Like Pages, formatting is generally good enough - because I'm quite picky about how presentations are formatted, I use the XP VM to fire up PowerPoint to check the export file and make any tweaks required.

Haven't used Numbers that much - I like it, but if you're a serious Excel jockey with pivot tables and the like, you're probably going to be unhappy, at least with this first release.

For mail, I use mail.app with a variety of accounts, including Exchange and Gmail (both as IMAP). Works great, no problems. Contacts are in Address Book. Calendar is the sore spot - there is a vendor that sells an add-on solution which syncs your iCal calendar with the Exchange server - but they've completely screwed up on Leopard, and have only just begun to look at compatibility. If you can go without Exchange for your own calendar, and just rely on the native iCal, you're ok - invites can be sent and received with Outlook/Exchange users.  As you've noted, the larger issue here seems to be making the transition and getting your data out of Exchange.

Good luck. 

Submitted by Andre Gironda (not verified) on Fri, 2007-12-14 19:43.

Rothman,

Ditch Exchange and move everything to Zimbra. I think that using GApps or even GCal is like waiting for an XSS+CSRF and/or defacement to happen. You can install Zimbra on one of your 4 Macs. Make sure to set up SSL VPN or OpenVPN, too. Did you read my last blog post?

I also suggest that you do buy iWork and force yourself to not buy Mac Office. BTW -- Mac Office 2008 was RTM today, so it will be out very soon. But why Entourage? It's about as bad as Outlook, and for that matter -- why Outlook?

It may be more pleasing to the eyes to use a better phone, such as the iPhone or possibly a Mogul or i760. These phones have support for things like Ajax. Windows Mobile can support OpenVPN as well. Why Blackberry?

I've always said that my next "pda phone" device will be a UMPC -- so I've set my eyes on a Nokia N810 with USB EVDO Rev A and a BT headset with VoIP. Maybe I'll buy some TracFones with cash using fake names if I want a cell phone that is quick to dial and answer. Or maybe a CryptoPhone just to perform vulnerability research on. If the iPhone was on Verizon and had EVDO Rev A, then this would be an easy decision for me.

If you do choose to stick with MS Exchange and BES, why not host them yourself? You can get Free BES for 1-10 users. Too bad Windows Home Server doesn't bundle Exchange. Windows SBS wouldn't break even for 2 years, but still might be worth it.

Are you still using Outlook and GoToMyPC in Vista under VMWare?

Submitted by Mike Rothman on Tue, 2007-12-18 14:08.

Dre, thanks for the thoughts. I favor hosted solutions because I travel a lot and no one in my house can troubleshoot something if it goes down. So hosting Zimbra myself wouldn't work. I can't have mail down. I hear you on the Google issues, but I don't see another solution that will be cheaper than hosted Exchange. If I'm going to spend the same amount of money, I may as well stick with what I've got.

I was tied to Exchange/Outlook because of Blackberry integration. I don't like to do the same stuff twice, so OTA sync is huge and it works great with Exchange. But since the GCal stuff works now and I'm not so worried about email (10-15 minute window is fine), I'm not so dependent on Outlook/Exchange. At least in concept.

I'll have to physically sync to keep my BB and Address Book (and stickies) up to date. I figure Google will get those syncing things right over time as well and then I can ditch a lot of the 3rd party stuff I'll have to use.

All told, I'll save a couple hundred bucks doing this, and it's an interesting experiment. That is until Google gets 0wned or something and then you can tell me that you told me so.


Submitted by Howard (not verified) on Wed, 2007-12-19 23:14.

I see what you are saying about Hosted Exchange, but I could never cut the plug. I use 123Together's Hosted Exchange service, am heavy into project management using tasks and notes, and really have to see everything on my crackberry. Tempting idea though, but not right now.

Submitted by Mike Rothman on Thu, 2007-12-20 13:47.
I'll write up more later. But I'm off Exchange. It's painful as I try to get some level of comfort with alternative mail interfaces. I'll likely just use the Gmail interface when I'm online, but it's not very good via IMAP. I need to remember to delete the messages on the BB, not within Gmail. But I'll figure it out and it'll be fine. It will just take some time.
