IT Outsourcing - Percento

Archive for November, 2010

Data Management: The Heart of Financial Reform

Tuesday, November 30th, 2010

While the Dodd-Frank Wall Street Reform and Consumer Protection Act, signed into law July 21, 2010, by President Barack Obama, is multifaceted regulation that reaches essentially every component of the financial services industry in the United States, its implications for data management amount to a mandate to improve infrastructure or risk being unable to meet the evolving requirements set forth by regulators.

The Dodd-Frank legislation establishes the Office of Financial Research (OFR), a new office within the U.S. Department of the Treasury that is tasked with gathering, and reporting to lawmakers, information regarding potential risks and threats within the nation's financial industry. To accomplish this, the OFR's director can use subpoena power to gather data from any financial institution.

Simply, says Michael Atkin, director of the Enterprise Data Management Council, a nonprofit trade association focused on managing and leveraging data, the regulation gives banks’ corporate leadership a new opportunity to examine the growing problem of managing skyrocketing amounts of data and finally to budget appropriately to meet the challenge. “It kicked the practice of data management into high gear,” Atkin says. “We’re now set up for addressing the data dilemma that we have because we finally have a reason that is not subject to the whim of a business case. It is a regulatory requirement.”

The OFR director, who has not yet been appointed, will make his or her report to Congress in 2012, adds Atkin. But that initial report, he notes, likely will be more on the state of the industry than a detailed analysis of its data, giving financial institutions a window of several years to prepare for potential requirements. “The implications from an infrastructure perspective are about getting the core building blocks of risk management in place,” Atkin relates.

Changing Priorities

Financial institutions now will be required to operate with greater transparency, points out Frank Fanzilli, chairman of the RainStor Advisory Council, which provides guidance to the San Francisco-based data retention provider, and former managing director and global CIO of Credit Suisse First Boston. “The Dodd-Frank reform is just starting to take effect, and we will likely see many more IT changes evolve over the next few years to accommodate these external demands,” he says.

“CIOs have been heavily focused on deploying solutions that focus on low-latency applications and web-enabled self-service capabilities, which have served the business well,” Fanzilli observes. “Attention now needs to turn to the improvement of infrastructure and data management systems to provide the transparency that these reforms have mandated. If the IT division cannot efficiently store and retain their most critical asset — data — it will become extremely difficult to stay compliant, let alone stay in business.”

Jane Griffin, an Atlanta-based principal with Deloitte Consulting, affirms that data management must become a top priority. “Historically, before regulation, we certainly saw a recognition of a need — a need for cost reduction, a need for better customer management, risk management, financial management,” she says. “Definitely the regulatory oversight and the level of confidence of management and different regulators has brought this to a board-level visibility like it’s never had before.”

As the EDM Council's Atkin explains, getting data management right starts with establishing quality, consistent data. According to Atkin, there are five types of "building block" data on which regulatory reporting is based: reference data, entity reference data, pricing, positions and transactions, and economic statistics. "The industry is moving toward getting that data structure right," asserts Atkin, who says the key is developing standards. "We have a fragmented chain of supply without standards," he explains.

But defining terms and setting standards within which data is classified will be an early challenge for the OFR and financial institutions, says Fred Cohen, VP of the asset management practice at Patni Systems, a Cambridge, Mass.-based IT and business processes provider. “You have to create standards, people have to conform to those standards, and then they need to be able to collect data and build reports off of it,” Cohen comments.

Doing so is particularly difficult when there are hundreds of vendors that independently acquire, rename and integrate various systems into existing infrastructure, adds the EDM Council’s Atkin. Further creating dissonance in data standardization, he continues, financial institutions often silo data, and individual units may use their own proprietary terms to define it.

New York-based Citibank ($1.9 trillion in assets) is among the financial institutions that have gotten a head start on consolidating and standardizing their data environments. According to Anthony DiSanto, Citi managing director, North American region head, the bank has invested heavily in data consolidation and standardization for the better part of the past decade. "We have worked on a consolidation of data centers over the past several years that is fairly dramatic," he says. "It's all engineered around the way we do our work."

And while it has been a costly project, DiSanto acknowledges, the savings come through centralization of the bank’s physical footprint, a standardized desktop environment that has all Citi employees working on effectively the same software image, and the adoption of virtualization, he reports. “I like to use the tag phrase that ‘It’s better, faster and cheaper’ — in that order,” DiSanto says.

Incentivizing Change

In the case of Citi's consolidation, virtualization and standardization of its data centers, PCs and phone systems, the initiative was brought on by the bank's executives, who saw a business need to modernize the way the bank managed its data, according to DiSanto. But Deloitte's Griffin suggests that not every bank is as forward-thinking. "Without the [regulatory] impetus to have the data management architecture and hubs that are needed to manage data across the enterprise — without the external need to consolidate information across product lines, across finance risk and compliance — they would be hard pressed to allocate their budgets," she says.

But with the pending establishment of the OFR and the specter of having to provide the government with any type of financial data it requests, getting data in order at the enterprise level becomes a higher priority. “The regulation helps put fuel to the fire of something that’s already in motion but probably didn’t have the motivation to change without this catalyst,” Griffin contends.

Banks are concerned about several areas from an implementation standpoint, according to the EDM Council’s Atkin, including the current state and future condition of governance, the operating model for data management, the state of internal standards and the obstacles to adopting those standards, the state of systems/data integration, and data quality gaps. But, he adds, these are things financial institutions have been working to resolve for some time.

“The banks collectively have been doing a great job,” Atkin asserts. “So this is just pushing it up the priority list and pushing it up the recognition list at the top of the house. And all of that is good for the practice of data management.”

And whether financial institutions recognize the need for improved data management or not, the consequences of failing to align with regulation add motivation, Patni Systems’ Cohen adds. “Those people who don’t have their data management world in order,” he says, “it’s going to be an incredibly painful world to be in.”



Dell Laptop Uses New Intel Cooling Technology

Tuesday, November 30th, 2010

Dell has announced an ultraportable laptop with a new technology from Intel that sucks in outside air to keep the system quieter and cooler.

Dell’s Vostro V130 is one of the first laptops to incorporate Intel’s Hyperbaric cooling technology, which uses an internal fan that draws air into the laptop to keep it from overheating. With most existing designs, the internal fans are used to push hot air out.

The air that’s pulled in is channeled toward key components to keep them cool, such as the CPU. The air is drawn in through the left side of the laptop, and the warm air is then expelled out the right.

The system allows the fans to run at lower speeds, which results in a quieter laptop, said Rajiv Mongia, a principal engineer at Intel. It also leads to a cooler laptop, according to Intel, because the cooling system is more efficient.

“By using cold air directly from the outside and then directly blowing across the hot components, you create a more efficient cooling solution. This is because by blowing air across the components, you create more intense convective cooling and often get more cooling flow through the platform,” Mongia said.

Intel has not measured the impact of Hyperbaric cooling on the battery lives of laptops, Mongia said.

The laptop is targeted at business users, a Dell spokeswoman said. It has a 13.3-inch screen and weighs 3.5 pounds (1.59 kilograms). It is powered by ultra-low-voltage Core i3 or Core i5 processors from Intel. It has a six-cell battery that offers four-and-a-half hours of battery life, according to Dell.

The laptop has up to 4GB of RAM and up to a 640GB hard drive. It also has an HDMI (high-definition multimedia interface) port, 802.11n wireless technology, a 5-in-1 media card reader and a webcam. WiMAX broadband and a SIM card slot are optional. It's priced starting at US$429 and is shipping worldwide.



Cloud security is dependent on the law

Tuesday, November 23rd, 2010

I am a true believer in the disruptive value of cloud computing, especially the long term drive towards so-called "public cloud" services. As I've noted frequently of late, the economics are just too compelling, and the issues around security and the law will eventually be addressed.

However, lately there have been some interesting claims of the superiority of public clouds over privately managed forms of IT, including private cloud environments. The latest is a statement from Gartner analyst Andrew Walls, pointing out that enterprises simply assume self-managed computing environments are more secure than shared public services:

“When you go to the private cloud they start thinking, ‘this is just my standard old data centre, I just have the standard operational issues, there’s been no real change in what we do’, and this is a big problem because what this tells us is the data centre managers are not looking at the actual impact on the security program that the virtualisation induces.”

“They see public cloud as being a little bit more risky therefore they won’t go with it. Now the reality is, from my own experience in talking to security organisations and data centre managers around the world is that in many of these cases, you’re far safer in the public cloud than you are on your own equipment.”

So, Walls seems to be saying that many (most?) IT organizations don’t understand how virtualization changes “security,” much less cloud, and therefore those organizations would be better off putting their infrastructure in the hands of a public cloud provider. That, to me, is a generalization so broad it’s likely useless. There are way too many variables in the equation to make a blanket statement for the applications at any one company, much less for an entire industry.

In fact, regardless of the technical and organizational realities, there is one element that is completely out of the control of both the customer and cloud provider that makes public cloud an increased risk: the law. Ignoring this means you are not completely evaluating the “security” of potential deployment environments.

Some laws affect data management and control
There are two main forms of “risk” associated with the law and the cloud. The first is explicit legal language that dictates how or where data should be stored, and penalties if those conditions aren’t met. The EU’s data privacy laws are one such example. The U.K.’s Data Protection Act of 1998 is another. U.S. export control laws are an especially interesting example, in my opinion.

The "risk" here is that the cloud provider may not be able to guarantee that where your data resides, or how it is transported across the network, won't be in violation of one of these laws. In IaaS, the end user typically has most of the responsibility in this respect, but PaaS and SaaS options hide much more of the detail about how data is handled and where it resides. Ultimately, it's up to you to make sure your data usage remains within the bounds of the law; to the extent you don't control key factors in public clouds, that adds risk.

The cloud lacks case law
The second kind of risk that the cloud faces with the law, however, is much more insidious. There are many "grey areas" in existing case law, across the globe, with respect to how cloud systems should be treated, and what rights a cloud user has with respect to data and intellectual property.

I spoke of the unresolved issues around the U.S. Constitution’s Fourth Amendment protections against illegal search and seizure, but there are other outstanding legal questions that threaten the cloud’s ability to protect users at the same level that their own data center facilities would. One example that is just coming to a head is the case of EMI versus

Three years ago, EMI sued the company and its founder and CEO, Michael Robertson, for willful infringement of copyright over the Internet. EMI claims that and its sister site, (a digital media search engine), are intentionally designed to enable users to violate music copyrights.

Robertson defends the sites as simply providing a storage service to end users, and therefore protected under the "safe harbor" provisions of the Digital Millennium Copyright Act. These provisions shield online services from liability for their users' infringement as long as they remove infringing content when notified of its presence.

At stake here is whether any online storage service (aka “cloud storage provider”) is protected by the DMCA’s safe harbor provisions, or if the very ability of users to find, upload and store infringing content is grounds for legal action. Even if MP3tunes is indeed found to be promoting infringement, what are the legal tests for identifying other such services? Will a new feature available at your favorite storage cloud suddenly put your provider–or worse, your data–at risk?

Yet another grey area has to do with ownership of the physical resources, and what protections you have against losing your systems should those systems be seized for any reason. Imagine that your cloud provider was found to have been involved in violating federal law, and the FBI decided to seize all of their servers and disks for the investigation.

In this hypothetical situation, could you get your data back? What rights would you have? According to the 2009 case of a Texas colocation provider, in which 200 systems were seized–the vast majority of which belonged to the provider’s clients, not the provider under investigation–very few.

There is no single “better option” for cloud
I don’t want to overstate the risks here. We’ve worked with colocation, outsourcing and even cloud offerings for a number of years now, and there have been very few “disastrous” run-ins with the law. Providers are aware of the problem, and provide architectures or features to help stay within the law. In the long term, these issues will work themselves out and public cloud environments will grow in popularity even before they are resolved.

However, making a blanket statement that public clouds are de facto "more secure" than private clouds is just hype that ignores key realities of our fragile, nascent cloud marketplace. Until the market matures, the question of "better security" must take into account all factors that lead to risk in any given deployment scenario. With that context in mind, public and private clouds each have their weaknesses and strengths–which may vary from company to company or even application to application.

That said, Walls made one key point that I agree with emphatically. Just because a private cloud is behind your firewall doesn't mean you don't have additional work to do to ensure the security of a private cloud environment. Having a data center does not automatically make you "more secure" than a public cloud provider any more than a cloud vendor is automatically more secure than anything an enterprise could do themselves.


Smartphones As ‘Black Friday’ Shopping Tool

Tuesday, November 23rd, 2010

GPS for your Cheerios: Aisle411

Monday, November 22nd, 2010

Aisle411 launches today. As we've written previously, this iPhone app will locate items for you inside a store. Can't find the rice flour? The pipe wrench you need? An employee to help you find what you're looking for? Aisle411 is building databases of what's where in large retail stores.

Unfortunately, GPS and even in-building Wi-Fi geolocation aren't accurate enough to direct a user's phone directly to an item in a store, so Aisle411 is landmark-based. It'll tell you what aisle your desired item is in and which section. CEO Nathan Pettyjohn told me the app will take you to within about 4 feet of any item. From there it's up to you.

The service first will roll out in a few grocery stores in San Francisco, Chicago, St. Louis, and San Jose, Calif., with more cities to follow. The company has been building systems to integrate with store stocking systems to keep its maps up to date. Unfortunately, it does not tie in to inventory systems. So users may still have experiences like the one I had with a clerk at the Whole Foods the other day: “Well, this is where the pine nuts would be. If we had them in stock. Sorry.”

Pettyjohn says that when Aisle411 can get its hooks into a store's various inventory and logistics systems, it can provide extremely high accuracy on what's where. But even without integration, it can be helpful. Big retail chain stores have some design similarities, so combining chain generalizations with a rough map of the aisles and sections in a particular location can still make for a useful product location database. The app will also work in a few big hardware stores at launch, but these stores are only authorizing the app, not providing the deep hooks into their systems the way the initial grocery store partners are.

Revenues will come from an in-app coupon system and brand advertising; this is also the model of the shopping list app Grocery IQ, a potential partner. The company may also sell aggregate shopper behavior and analytics data to stores.

It’s a useful idea, but unfortunately the team couldn’t leave well enough alone, and it looks like they’re jumping on the gamification and geolocation bandwagon in a way that will fuzz up the real utility of the service. The app will provide game mechanics along these lines, says Pettyjohn: “Say you’re searching for bananas in a store. We might pop up a monkey badge.” Also, if you’re a frequent shopper at a location, you can become the “captain” of a store. Finally, you’ll be able to Tweet, text, email, or Facebook your in-store finds to your friends. Pettyjohn has been studying Shopkick, clearly, but I do believe there’s a big emotional engagement difference between shopping for gadgets and apparel (mainstays of Shopkick) and following a shopping list for groceries or hardware.

However, shoppers’ helper apps, whether they’re time savers like this one, social like Foursquare, or game-based like Shopkick, all exist because there’s real money to be made by connecting offers from retailers with consumers in stores. If Aisle411 wants to dub me Captain Banana when I ask it to help me find something in the fruit aisle, I suppose that’s not too steep a price to pay.


Senate panel approves domain name seizure bill

Friday, November 19th, 2010


A controversial proposal allowing the government to pull the plug on Web sites accused of aiding piracy is closer to becoming a federal law.

After a flurry of last-minute lobbying from representatives of content providers including the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA), a Senate committee approved the measure today by a unanimous vote.

In the last week, support for the bill known as COICA, for Combating Online Infringement and Counterfeits Act, broadened beyond groups traditionally active in online copyright disputes to include the Newspaper Association of America, which said the legislation was needed because online piracy “undermines the investments that newspapers make in journalism.” Labor unions, including the International Brotherhood of Teamsters, argued that American workers “have suffered significant harm due to theft of copyrighted and trademarked goods.”

An ad appeared in a newspaper targeting Capitol Hill yesterday signed by groups including Major League Baseball, the NFL, Nintendo, and Viacom. The U.S. Chamber of Commerce pressed Congress to move quickly, and even Rob McKenna, Washington state attorney general, signed on to the effort.

“Those seeking to thwart this bipartisan bill are protecting online thieves and those who gain pleasure and profit from de-valuing American property,” Mitch Bainwol, RIAA chairman, said after today’s vote. “We congratulate Chairman Leahy and Senator Hatch for their leadership on this bill and to the Senate Judiciary Committee for its action today.” (Patrick Leahy, a Vermont Democrat and chairman of the Senate Judiciary committee, and Orrin Hatch, a Utah Republican, are cosponsors of COICA.)

The sentiment is not universal: Since its introduction in September, COICA has alarmed engineers and civil liberties groups, who say that it could balkanize the Internet, jeopardize free speech rights, and endanger even some legitimate Web sites. Its wording says that any domain name “dedicated to infringing activities” could find itself in the U.S. Department of Justice’s prosecutorial crosshairs.

Peter Eckersley, a technologist at the Electronic Frontier Foundation, wrote earlier this week that the bill will create a 1950s-style Hollywood blacklist with the government deciding which Web sites are legitimate or not. The federal government will be forced "into the swamp of trying to decide which websites should be blacklisted and which ones shouldn't," Eckersley said. "And they're going to discover that the line between copyright infringement and free political speech can be awfully murky."

At the same time, a group of law professors wrote an open letter (PDF) to the Senate saying the law is unconstitutional under the First Amendment and “would set a dangerous precedent with potentially serious consequences for free expression and global Internet freedom.”

Someone who knows the Internet Protocol address–the IP address for, for instance, is currently–would still be able to connect to the Web site even if the computer that normally translates a domain name into its numeric address pretends not to know it.

If all copyright- and trademark-infringing Web sites were hosted in the United States with their Webmasters living on U.S. soil, Leahy’s COICA would be mostly unnecessary. A straightforward copyright lawsuit of the sort that the RIAA and the software industry have spent years perfecting would suffice.

But that’s not the case. Sites like the Russia-hosted are accessible around the world, even though they almost certainly violate U.S. copyright law. in Sweden has not only survived what seem like innumerable attempts to shut it down, but its operators take special pains to mock copyright lawyers who write cease-and-desist letters meant to be both earnest and threatening.

A Web site is in danger of having its domain seized (or having U.S. Internet providers encounter a sudden case of amnesia when their customers try to visit it) if it is “primarily designed” and “has no demonstrable, commercially significant purpose or use other than” offering or providing access to unauthorized copies of copyrighted works. Counterfeit trademarks–that’s why Chanel, Nike, Tiffany, and LVMH Moet Hennessy Louis Vuitton also signed the letter–are also included.

The wording is significant. Because the phrase “providing access” appears, that would include specialty search engines including The Pirate Bay that provide links to copyrighted works, even if the actual files are available through BitTorrent elsewhere.

If COICA becomes law, domain name registries such as Verisign, which owns the rights to .com, .net, .tv, .cc, and others would find themselves under new and uncomfortable legal pressure. The .org registry has been run by the Public Interest Registry since 2003. (The law professors’ letter says: “For the first time, the United States would be requiring Internet Service Providers to block speech because of its content.”)

But registries for top-level domains in other countries would remain unaffected, and The Pirate Bay, perhaps as a precautionary measure, already owns Americans interested in free (if illegal) downloads could switch to an offshore domain name service or visit The Pirate Bay’s IP address at, which means that this congressional effort might accomplish less than its backers would like.
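The bypass described above, reaching a site by its IP address directly or asking a resolver outside U.S. jurisdiction, is the same thing a network defender sees whenever a client stops trusting the local resolver, whether to reach a seized domain or because malware carries its own addresses. The following Python script is an added example, not part of the original article or of any product. It runs over two constructed logs, a resolver log and a connection log in an assumed format, and flags clients that send DNS to anything other than the sanctioned resolver (assumed here to be 10.0.0.53) or that open web connections to addresses that resolver never returned to them.

```python
"""Spot clients that reach sites without using the sanctioned resolver.

Added example, not part of the original article. The log formats, the
resolver address and every record below are constructed for illustration;
they are not any product's real log format or real traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Assumption: the only resolver clients on this network are supposed to use.
SANCTIONED_RESOLVERS = {"10.0.0.53"}
WEB_PORTS = {80, 443}
WINDOW = timedelta(minutes=10)  # how long a resolver answer counts as "fresh"

# Constructed resolver log: timestamp, client, name queried, answer.
# "NXDOMAIN" stands for a name the resolver refuses to (or cannot) answer,
# which is what a seized domain looks like from the client's side.
DNS_LOG = """\
2010-11-19T10:00:01 10.0.0.5 www.example.com 93.184.216.34
2010-11-19T10:00:02 10.0.0.5 tracker.example.net NXDOMAIN
2010-11-19T10:00:05 10.0.0.7 www.example.com 93.184.216.34
"""

# Constructed flow log: timestamp, source, destination, destination port, protocol.
FLOW_LOG = """\
2010-11-19T10:00:00 10.0.0.5 10.0.0.53 53 udp
2010-11-19T10:00:03 10.0.0.5 93.184.216.34 443 tcp
2010-11-19T10:00:04 10.0.0.5 198.51.100.20 80 tcp
2010-11-19T10:00:06 10.0.0.7 93.184.216.34 80 tcp
2010-11-19T10:00:07 10.0.0.7 203.0.113.53 53 udp
2010-11-19T10:00:08 10.0.0.7 198.51.100.20 443 tcp
"""


def parse_dns(text):
    """Map each client to the (time, address) answers the resolver gave it."""
    answers = defaultdict(list)
    for line in text.splitlines():
        ts, client, _qname, answer = line.split()
        if answer == "NXDOMAIN":
            continue  # no address was handed out, so nothing to credit later
        answers[client].append((datetime.fromisoformat(ts), ip_address(answer)))
    return answers


def parse_flows(text):
    """Yield (time, src, dst, dport, proto) tuples from the flow log."""
    for line in text.splitlines():
        ts, src, dst, dport, proto = line.split()
        yield datetime.fromisoformat(ts), src, ip_address(dst), int(dport), proto


def detect_bypass(dns_text, flow_text, window=WINDOW):
    """Return (client, destination, reason) findings.

    Two signs that a client is not relying on the sanctioned resolver:
      * DNS traffic (port 53) sent to any other address, and
      * a web connection to an address the resolver never returned to that
        client within the look-back window (hosts-file entry, hard-coded or
        shared IP, or an answer obtained from an outside resolver).
    """
    answers = parse_dns(dns_text)
    findings = []
    for ts, src, dst, dport, proto in parse_flows(flow_text):
        if dport == 53:
            if str(dst) not in SANCTIONED_RESOLVERS:
                findings.append((src, str(dst), "dns-to-unsanctioned-resolver"))
        elif dport in WEB_PORTS and proto == "tcp":
            fresh = any(ip == dst and ts - window <= t <= ts
                        for t, ip in answers.get(src, []))
            if not fresh:
                findings.append((src, str(dst), "web-connection-without-resolution"))
    return findings


if __name__ == "__main__":
    for client, dest, reason in detect_bypass(DNS_LOG, FLOW_LOG):
        print(f"{client} -> {dest}: {reason}")
```

Both checks are heuristics. Answers cached longer than the window, CDN addresses handed to one client and reused by another, and proxies all produce false positives, and a client that tunnels its DNS inside HTTPS produces none. Neither check can tell a blocked site from a legitimate one; it only tells you that the resolver, which is the control point a seizure order acts on, is no longer in the path for that client.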

One open question: whether the lame duck Congress currently in session has time to enact COICA, which would mean votes in the House of Representatives as well. Even with this breadth of support, the odds are against it.

Update 11:30 a.m. PT: I received an e-mail from Gigi Sohn of Public Knowledge, which the RIAA said was "protecting online thieves" by opposing the bill. Sohn said: "And they are willing to throw free speech, international cooperation, due process, and the proper functioning of the Internet in the trash in the hope of shutting down a few bad actors. Their goal could be accomplished in a way that doesn't have those consequences, but the media conglomerates aren't interested."


Facebook overhauling inbox, combining e-mail, texting and IM

Tuesday, November 16th, 2010

San Francisco, California (CNN) — Facebook wants to be your inbox for every kind of message.

The world’s largest social networking company is providing each of its 500 million users with an e-mail address as part of a revamped messaging system that integrates with various types of communications.

Facebook’s new inbox can tie together mail sent to someone’s e-mail address, instant-message aliases and cell phone number in addition to Facebook’s own messages and chat conversations. Like the News Feed, unread notes are ranked by how important Facebook thinks the sender is in your life, and users can tweak those settings.

“Because we know who your friends are,” said Facebook CEO Mark Zuckerberg, “we can do some really good filtering for you.”

Rather than creating separate threads for each conversation, Facebook logs all communications and groups them together by contact. So all chats with your mom are listed on one page. Based on a brief demo Monday, the stripped-down page resembles an IM or text-message window, eliminating the option of e-mail subject lines.

“I should only need those two things: a person and a message,” Andrew Bosworth, a software engineer at Facebook, said at the company’s news event Monday. “The system is definitely not e-mail. We’ve actually modeled it more after chat.”

Incoming messages pop up on the bottom of Facebook’s site, similar to the chat feature.

“We think that we should take features away from messaging,” Zuckerberg said. “We think it should be minimal.”

But like e-mail, users can attach files. Sharing documents via Microsoft’s Office Web Apps service will be integrated “over the coming months,” a Microsoft spokeswoman said.

The inbox is broken into three folders.

The “social inbox” contains conversations with your top contacts — people you message with most often. An “other” folder keeps correspondences of less importance, or those with people or companies that Facebook’s system is not familiar with, such as banking notices. (Operators of pages you’ve “Liked” can send messages to this folder as well.) Finally, the service filters what it thinks is spam into a last bin.

Facebook will launch this with a “slow rollout,” said Bosworth, turning it on for more users over time. Facebook’s iPhone application will support the new inbox Monday for accounts that have it enabled, Bosworth said.

The system may incorporate more services later. Zuckerberg said he considered voice as one.

For instant messaging, it supports Jabber — the underlying technology of Google Chat — but not Skype, AIM or Windows Live Messenger. Support for IMAP, which would allow e-mail users to access their inbox from a program such as Microsoft’s Outlook, is in development, Zuckerberg said.

Zuckerberg opened the announcement by talking about changes in how young people communicate. He reminisced about a conversation with some high school students who said they primarily talked through Facebook and text messaging on their phones. E-mail is “too slow,” he recalled them saying.

“It’s not that e-mail doesn’t get delivered immediately,” Zuckerberg said. “It’s too formal.”

Numerous studies, as recently as April of this year, have found that e-mail is a very small part of how young people keep in touch. Facebook has modeled its new system to reflect those trends. Zuckerberg said 350 million people use its system for private correspondences, transmitting 4 billion messages a day.

Zuckerberg will take the stage again Tuesday during the Web 2.0 Summit, presumably to elaborate on this new system, which Bosworth said has been among the company’s biggest undertakings. The project took about 18 months of work from 15 engineers — the largest team the company has ever devoted to a new product, Bosworth said.


Security firms blast Microsoft for free antivirus offer

Monday, November 15th, 2010

Two security software makers are complaining about Microsoft using its update service to deliver its free antivirus software to Windows users who don't have such protection on their computers.

No, it’s not 1998. And we’re talking about allowing customers to choose whether they want the software, rather than bundling a particular browser–say Internet Explorer–on Windows.

Microsoft began making its Security Essentials software available to customers through its Microsoft Update service as an optional download on November 1 for U.S. customers and October 19 for U.K. customers. It offers the download only to customers who do not have an antivirus solution that is detectable by Microsoft’s Action Center.

“Despite the broad availability of anti-malware software, we still find that many consumer and small business PCs remain unprotected,” the company said in a statement to CNET on Monday. By offering the free antivirus download, “we make it easy for those who want and know they need protection, but for whatever reason have not gotten around to installing it. Now they can download the software when they perform their other system updates without having to search the Web or make a special trip to the store.”

Who can argue with a company offering people a free download of security software if they want it? Trend Micro and Panda Security, that’s who. Executives from both companies claim the move is anticompetitive because Microsoft is leveraging its update service that downloads software to millions of Windows computers to plant its own antivirus software on systems.

“This will end up in action taken, especially in Europe,” Panda Chief Executive Juan Santana told CNET in an interview on Friday afternoon. He stopped short of saying that Panda would lodge an official complaint. “We will monitor the situation,” he said.

“Commercializing Windows Update to distribute other software applications raises significant questions about unfair competition,” Carol Carpenter, general manager of the consumer and small business group at Trend Micro, told Computerworld late last week. “Windows Update is a de facto extension of Windows, so to begin delivering software tied to updates has us concerned,” she said. “Windows Update is not a choice for users, and we believe it should not be used this way.”

Reached for comment today, Trend Micro spokesman Alan Wallace told CNET that the company had no further comment beyond what was already reported.

Beyond the anticompetition concerns, Panda Security has other gripes. For instance, Pedro Bustamante, a senior research adviser at Panda, said Microsoft Security Essentials is insufficient protection compared with other free antivirus products that offer multiple layers of security such as Web filtering and behavior blocking. And from a global overall security perspective, Microsoft’s plan is flawed because it will only get installed on computers with a valid license to run Windows and will thus leave millions of unlicensed computers unprotected, he wrote in a blog post today.

In addition, the move will create a “monoculture” with millions of computers running the same antivirus software. That means malicious hackers can infect all those machines if they are able to bypass only one antivirus program instead of having to get past multiple programs, Bustamante said.

“In summary, while it’s commendable that Microsoft is trying to protect users, offering only ‘their’ basic MSE antivirus provides neither sufficient protection against today’s threats nor does it solve the malware problem of millions upon millions of pirated PCs who will continue spreading viruses. In fact, it can easily achieve the contrary by making it easier for hackers to infect users,” Bustamante wrote. “Microsoft should offer the complete portfolio of more advanced and secure alternatives of free antivirus products and time-limited versions of paid security suites, allowing users to choose any of them from the Optional Windows/Microsoft Update.”

Several analysts dismissed Bustamante’s arguments, as well as the antitrust concerns, and said Microsoft’s plan was a good thing for Internet security overall and that offering any security protection was better than offering none at all.

“I think the vendors are simply complaining because Microsoft is the dominant vendor on PCs in the world,” said Don Retallack, research vice president for systems management and security at Directions on Microsoft. “Other security vendors do offer a wider range of tools that go far beyond what Security Essentials provides…so I think there is still a place for other vendors and they’re not being squeezed out.”

“Microsoft is not bundling (its antivirus software) with the operating system. That’s where the line typically is drawn with antitrust issues,” said Neil MacDonald, a vice president and fellow at Gartner market research firm. “You could make an argument that it’s in the best interest of consumers and the rest of the world to have more people protecting their machines. That’s a good thing.”

However, a colleague of his had a different take on the matter. Given Microsoft’s history fighting antitrust claims, the company would be wise to avoid leveraging its Windows dominance to increase the market share for its other software or avoid even the mere appearance of doing so, said Gartner analyst John Pescatore.

“There is still sensitivity to that issue in Europe even if there isn’t in the U.S. If it looks like they’re using that solution to bundle in essentially a security program that competes with other players, then there are concerns,” he said in an interview. “They still have huge competitive advantage.”

Pescatore suggested that Microsoft add other antivirus software to its list of options for its update service. “They would be better off making sure they are helping people install any security software that’s out there,” he said. “I’m sure Panda and Trend Micro would be happy to participate.”

A Microsoft spokeswoman did not immediately have comment to that suggestion or to the antitrust concerns.

Update Nov. 9 at 11:02 a.m. PST: Trend Micro provided an e-mail statement. “In principle, we welcome Microsoft or anyone else entering into the security market to provide more choice for customers — even if it’s just baseline protection. As we mentioned previously, our concern is about any mechanism or tactic that may obscure that choice for consumers. While techies may recognize the difference between ‘Microsoft Update’ and ‘Windows Update,’ many consumers may not be familiar with this distinction or see any difference between optional and recommended updates from Microsoft.


viaForensics discusses mobile financial app security

Sunday, November 14th, 2010

Andrew Hoog of viaForensics appeared on the WGN Evening News to discuss the recent discoveries of security flaws within mobile apps provided by major financial institutions.

Chicago, November 5, 2010 – After the Wall Street Journal reported on the financial mobile app security flaws uncovered by viaForensics, CIO Andrew Hoog was asked to discuss the topic on the WGN Evening News. The clip aired at 5:00 p.m. CT, Friday, November 5th. Hoog discussed viaForensics’ recent findings, including flaws in apps produced by Bank of America, Chase, PayPal, TD Ameritrade, USAA and Wells Fargo, as well as how viaForensics was able to work with these institutions to fix the flaws.

The development of viaForensics’ new free public service, appWatchdog, came about after viaForensics began to note new and increasing numbers of flaws in mobile device applications during the course of investigations. viaForensics initially tested seven financial applications for both iPhone and Android. Only Vanguard passed with flying colors. These findings are posted on viaForensics’ website. Users can submit requests for specific apps to be tested and additional findings will be posted as they become available.

Additionally, developers can take advantage of viaForensics’ unique testing techniques through the appSecure service. By performing this high-level testing, developers provide an additional level of assurance to their users, thereby building user confidence that the applications produced by the developer are secure.

Will the IT guy learn to love Apple?

Sunday, November 14th, 2010

When you’re listening to music, it’s likely your earbuds are plugged into an Apple device. Making a phone call? One out of every five people buying a smartphone is choosing an iPhone. And Apple’s share of consumer laptop sales jumped to 10.6 percent in the last quarter.

Now here’s the big question: Does your IT department, the guys who think it’s just fine that you’re still using a Windows XP laptop (and P.S., stop whining about it), give a hoot about all this Apple stuff?

Apple executives hope so. The pitch the company has been making in recent months is simple: Employees are already using plenty of Apple products on their own time and like them, and the iPad is a great, lightweight tool for Web-based corporate software. If you thought this was just lip service, Apple is even now working with the decidedly old-school consultants at Unisys to approach big corporate and government customers.

If Apple can make these sorts of corporate inroads, it could be Steve Jobs’ greatest trick yet, because he’s got a lot going against him in the corporate market. As of the third quarter of 2010, Apple sold 1.4 million of the 40.8 million computers sold to commercial customers, according to data gathered by IDC. That’s 3.6 percent of all corporate computer sales.

Blame history…and inertia. Large companies usually have a contract with a Windows-based PC seller, often a third party. Switching contractors could result in higher costs and a lot of hassle, and can also be stymied by an old-school perception among the often conservative IT outfits at large companies that Macs are “toys,” and can’t integrate easily with Windows-based systems. On the mobile side, corporate IT shops long ago became comfortable working with Research In Motion’s Blackberry; supporting the iPhone could add new complexity and potentially more cost to their work. Many people don’t even know Apple sells servers. (It does.) And the iPad? Well, you could argue the touch-screen tablet computing market didn’t exist a year ago.

Andrew Kaiser, a former Apple business sales manager who hawked enterprise systems to companies of all sizes until recently, said often the biggest barriers in selling were opinions formed sometimes decades ago, before Office for Mac, before virtualization, and before Apple switched to Intel chips. “Some had no idea Apple could integrate into a Windows platform,” he recalled.

Employees like Thomas Caleshu, an interactive producer for educational software maker WestEd, have seen that firsthand. Caleshu is an iPhone and Mac user outside of work, and though he said there were no technical issues in getting his company’s IT guys to add his iPhone and MacBook to the network, they were definitely skeptical.

“Some of the established IT people didn’t trust or believe that I could sync my calendar on my phone, and on iCal on my Mac, and in a (corporate) Web interface,” he said. “I had to prove it to them.”

That skepticism is almost always rooted in something real–bad past experiences with Macs before the technology improved, or in times before Apple products were properly compatible with Windows-based hardware. And even though much of that has changed, the features that now are selling points for consumers with the iPhone or the Mac–the focus on design, the cachet of the Apple brand, the idea of a unique experience–don’t go over as well with the guy who’s managing that stuff at work.

“IT managers in the past have said, ‘I don’t want unique experiences,’” pointed out Richard Shim, analyst for IDC. For IT department managers, people on different systems often just translates to a huge headache.

Plus, there’s the reality of enterprise applications not being written with the Mac in mind, which is a huge hindrance for companies that have invested in software for their employees, Shim added. “Especially because some custom, proprietary applications are expensive to create and maintain, as is having to come up with an alternative when people are used to using the old version.” And many people are simply averse to change.

Apple’s recent announcement that it is unlikely to support Java in future versions of the Mac is also sure to irritate plenty of IT folks. Though others might say not that much has changed anyway.

“As far as I’m concerned, they don’t support it today,” said Robert Pickering, vice president of Information Services for the auto club AAA. He expects it will mean his employees will have to patch and update their software on their own, which he says they were already doing because Apple doesn’t support the most up-to-date version of Java anyway.

And of course, there’s a rich tradition of labeling Apple products as unnecessarily expensive.

All of those things amount to big hurdles, but Apple has one very important thing going for it: The end users are often very familiar with their stuff. And with its momentum in mobile devices and the overall “consumerization” of technology, now is the time to make this kind of move.

Apple has sold more than 12 million iPads worldwide in the first six months–for comparison’s sake 170 million PCs shipped worldwide during the same time period. And the iPhone, already a success, has even beaten the workhorse of corporate smartphones, the BlackBerry, in unit sales for the first time ever. IDC counted 12.4 million BlackBerrys sold during the third quarter, compared to 14.1 million iPhones.

The people buying those for personal use have jobs, and like Thomas Caleshu, are increasingly asking their corporate IT folks to connect their new Apple device to their network. And more recently, large companies appear to be complying: Apple COO Tim Cook said recently that two-thirds of Fortune 100 companies are testing or deploying the iPad on their networks, and 85 percent are testing or deploying the iPhone. Those companies reportedly include Citigroup and Bank of America.