SmoothSpan Blog

For Executives, Entrepreneurs, and other Digerati who need to know about SaaS and Web 2.0.

Archive for September, 2011

Understanding What Joe Hewitt is Saying About the Open Web

Posted by Bob Warfield on September 27, 2011

Courtesy of ReadWriteWeb’s article, Firefox Creator Says Web is Dead Meat, Android Creator Disagrees, I got to read Joe Hewitt’s missive on the problems he sees ahead for the Open Web.  For me, Joe’s missive is all about the dangers of fragmentation and parochial interests around walled gardens for the web.

It’s been clear to me for a long time that standards created and managed by consortiums are messy political enterprises that often do not benefit the standard or the community.  A few big players manage to get control of the process, and it is alternately paralyzed when it doesn’t fit their needs and moves forward in fits and starts when it does.  Java and earlier language standards have often seemed like that, and the current poisoning of the Java well by Oracle doesn’t really help that perception.

Much better is when an enlightened altruistic force can move quickly and silently enough to create something great which is then quickly adopted due to its greatness filling a vacuum.  Things like Linux seem to fit into that category.

Hewitt’s concern seems to be about what happens when some shiny wonderfulness appears that wasn’t principally originated by some enlightened philosopher king like Linus T.  How do we mobilize a force of enlightened Open Source developers to quickly deliver the shiny wonderfulness in an open way?

I wonder if we even can do that, given the efforts of the device platform owners and the way the game is now played.  Would be monopolists have gotten really good and really clever after watching Walled Garden 1.0 in the form of the OS guys be replaced by Walled Garden 2.0 in the form of the social platform and mobile device guys.  They’ve learned how to be just open enough to lure in a huge audience, just viral enough to have huge network effects, and just smart enough to know when to slam the garden gates shut, having reached critical mass so they’re no longer touchable.

Twitter has been masterful at this, having attracted a huge developer following which they’ve now cut off from direct client development.  The only critique one might have in their execution is whether they moved to soon to slam the gates or not.

Apple wanted to exclude Flash to protect the Walled Garden that was the iOS platform, so they cut it out of everything initially, and then allowed it to come back into the App Store, but not the browser.  Their argument was that Flash was slow and closed, but it isn’t.  We can see now from the apps appearing in the App Store that it is plenty fast enough for elaborate games like Machinarium.

We hear that HTML5 will someday be able to do everything Flash can do today.  Indeed, many developers are now flirting with whether they can make their apps run on the HTML that the iOS Safari browser can handle.  But is it in Apple’s interest to ever let the dialect of HTML that runs under iOS be as powerful as Flash?  Forget Flash, can it ever be allowed to be a full-fledged platform that circumvents the App Store?  I suspect not.

I have noticed over the last 6 to 12 months that Google’s apps, and especially GMail, Google Analytics, and Google AdWords, have become increasingly unreliable under Internet Explorer.  I run IE not because I like it, but because the majority of my customers run it, and I feel compelled to experience things as they do.  Has IE become less compatible with the HTML standard?  I doubt it.  Have the Google Apps become less compatible?  I doubt that too.  The thing is, it is well nigh impossible to specify these standards with enough precision and robustness to guarantee compliance.  There is a ton of wiggle room, and where there is wiggle room, groups will decide to comply or not comply according to a huge variety of factors.

Is Google motivated to encourage people to move to Chrome or Firefox and off of IE?  Absolutely.  Am I saying they’re actively engaged in tinkering with HTML to force it?  I have no idea.  But I do want to point out that companies are largely motivated to implement a standard just well enough to claim compliance, and after that all bets are off.   As Joe Hewitt says in his post:

I know where we need to go, but not how to get there. It would help if all the rendering engines but one were to die, but even that would not be enough. Even if WebKit was the only game in town, it would still be crucial for it to have competent, sympathetic, benevolent leaders.

So, we live with only a couple of possibilities.  The Enlightened Open World can create word class technology that competes on an even footing and is every bit as good as the technologies owned by some walled gardens.  That may still not save us given the power of network effects to lock people in and create barriers to exit, but it certainly couldn’t hurt.  Or, we can count on commercial players for all the innovation and live within their walled gardens and let Open Source be the “lowest common denominator”, as Chris White (the Android guy) argues in the RWWeb article.

We have seen where the latter leads and how long it takes to get out from under the yoke of a monopoly.  Be careful assuming companies will do no evil.

Posted in saas | Leave a Comment »

Your Security Rests With Sites You Don’t Even Own

Posted by Bob Warfield on September 12, 2011

This post is on  behalf of the Enterprise CIO Forum and HP.

What if your business could suffer a major security breach even though your own sites were all properly secured and not penetrated?  “How can that happen?” you ask.

Welcome to the world of typosquatting.  The problem starts when employees send emails containing sensitive information.  If they mistype the name of the destination domain slightly, and there is a live mail server at the mistyped destination, your sensitive information just got sent somewhere else.  Somewhere not under your control and potentially harmful to your interests.  Sites created for this purpose are called “Doppelganger Sites.”  Two researchers from Godai Group managed to scoop up 20GB of data over a six month span in over 120,000 emails by creating doppelgänger for several Fortune 500 companies.  Data included daily cargo tank reports for a large oil company.  Their original paper is available for download.

Technically, this approach provides just one more way to mount a “Man-in-the-middle” attack, where two participants think they’re communicating securely, but there is an unknown man in the middle overhearing and tampering with that communication.  Send an email that is intercepted by the doppelgänger and they get not only the information but the ability to reply back, and with a little social engineering, potentially wreak havoc.

Scary?  You bet.  But what can you do about it?

Policy-Based Encryption

One solution: policy-based encryption in MS Exchange.   Exchange has a facility to transparently encrypt and decrypt email.  The recipient has to go through a brief process just once and after that email encryption is transparent.  Policies let IT decide when to encrypt.  By setting up policies to encrypt email sent to the company’s domain and all likely misspellings, a couple of advantages accrue.  First, having the email be encrypted and only decrypted when received by a legitimate recipient makes it that much more secure.  Second, anything sent to the typos will arrive encrypted, and those recipients do not have the keys to decrypt.

When using this approach, it pays to be conservative–protect as many misspellings as you can and be clever about it.  The researchers who did the study, for example, built their doppelgänger through omissions of the dot between host/subdomain and domain.  It’s an easy typo to make and an easy one to miss if you’re staring bleary eyed at hundreds of emails coming and going.

Similar solutions are available for web-based email as well, and don’t forget to deal with your mobile devices.

Godai mentions a variety of other solutions, such as registering the doppelgänger domains, knocking them out of your internal DNS, and several others.

Consider these doppelgänger one more thing to watch out for on your checklist.


Posted in saas | Leave a Comment »