Microsoft’s Inner Conflict With Privacy

This article from The Wall Street Journal offers a fascinating glimpse into some inner workings at Microsoft. The short version of the story: the IE team was building in some pretty powerful anti-tracking technology into IE 8.0; Microsoft’s ad business got wind of it; the functionality got quashed or crippled. Microsoft's ad group saw the privacy controls as a significant threat to their business: namely, that curbing data collection reduces the effectiveness of advertising. The article notes:

“When Microsoft released the browser in its final form in March 2009, the privacy features were a lot different from what its planners had envisioned. The feature, called InPrivate Filtering, isn’t turned on by default, and resets to OFF every time the browser closes down."

According to the article, the two sides faced off, and Microsoft “convened a four-hour meeting…to allow outside organizations to voice their concerns, including the Interactive Advertising Bureau, the Online Publishers' Association and the American Association of Advertising Agencies.” Sounds like a pretty stacked deck. What about organizations representing the privacy side, such as EPIC or EFF?

Microsoft’s CPO was involved. But I wonder where the Trustworthy Computing (TWC) team was in all this? Here’s an excerpt from TWC’s  privacy page:

Read more

Security Vendors: Think Of Mobile As A Lifestyle, Not Just A Platform

There’s been a minor flurry of activity in the mobile security space lately. On the vendor side we have McAfee’s acquisitions of tenCube and Trust Digital and Symantec’s investment in Mocana (Symantec’s acquisition of VeriSign’s security business has mobile implications as well). In other developments, we have the new ruling that it’s legal to jailbreak your (i)phone and AT&T’s breach of iPad owners’ personal data, and you can see that the mobile security space is getting interesting.

Many of the vendor moves in this area – including, but beyond, the acquisition and investment activity mentioned above – are merely extending anti-malware to the smartphone. We’re still in the early days for mobile malware, and it’s premature to expect much traction by providing malware protection on the smartphone (as I blogged about here).

Read more

Twitter Settles With FTC For Privacy Breach

Organizations continue to face risk for security breaches. Normally, we talk about the risk of security breaches being fines and other costs around loss of PII, per California Senate Bill 1386 and similar laws in 45-or-so other states.

What’s interesting about Twitter's settlement today with the FTC is that it had to do with a breach of information that is not protected under these kinds of laws. This isn’t the kind of data breach that the FTC normally delves into. My sense is that the oversight must have appeared to the FTC to be so lax as to be in violation of Twitter’s privacy policy – that is the kind of thing that it would and does pursue. Of course, having someone crack into Barack Obama’s account on your service is certainly going to raise the profile of the incident. (So why isn’t the FTC looking into the breach of Sarah Palin’s Yahoo! Mail account? Where’s the right-wing/tea-party outrage? ;-) )

The FTC specifically identified these practices (among others) that constituted insufficient care:

Read more

Evolving The Consumer Security Market Beyond The PC

Today came the news that Trend Micro is acquiring humyo, a service that offers file backup, access, sync, and sharing across PCs and mobile devices.

As I wrote about in “New Growth Opportunities In The Consumer Security Market," my view is that PC-based protection, no matter how broad, is the new "point product,"  and the new “suite” that consumers seek is product plus services whose functionality goes beyond security to help consumers deal with their other major challenges as well. Security is still important, but privacy is a huge and largely unmet need, and so is supporting the new consumer computing models, as my colleague Frank Gillett formulated a year ago with the concept of "The Personal Cloud." Frank and I are currently discussing ways to bridge our research streams more formally.

Read more

What Facebook And Google Can Learn From Avast! And AVG

The latest string of privacy fiascos from Google and Facebook lead me to wonder if they will ever learn to respect their consumer users. For both companies, I think one of the dynamics behind this is the fact that their these consumers aren’t the ones from whom the companies collect revenue, the incorrect conclusions the founders and executives derived from that, and the cultures they developed within their companies as they grew based on these erroneous assumptions.

Google has an almost innate ability to develop applications and services that unleash the power of the Internet to transform people’s lives. Yet the engineering culture that drives such stellar technical achievements is what hinders Google in their relationships with consumers. Google doesn’t have what it takes to run a consumer business: it’s just not in their DNA. This is how we can hear on the one hand about how Android is a smashing success from an engineering perspective and is purportedly now outselling the iPhone in the US, while learning the same week that Google is going to stop selling Nexus One direct to consumers.

To succeed with consumer products would require Google to have more polish and quality assurance beyond the core engineering challenge (versus relegating some services to the purgatory of perpetual beta), development of consumer customer support services (a la the Nexus One), and of course a more respectful approach to users (see: privacy).

Read more

Symantec's Acquisition Strategy

Late last week, Symantec made two acquisitions in the encryption space, scooping up both PGP and GuardianEdge. My colleague, Andrew Jaquith, is publishing an in-depth report analyzing the acquisition, so there’s no need to go into too much detail here. We’re in total agreement that encryption has been a significant hole in Symantec’s security portfolio, given that data security is the #1 focus for IT security shops. You can also see some of my initial comments to the press on the acquisition here.

These two acquisitions got me thinking about Symantec’s acquisition strategy in general. What we’ve seen from Symantec over the years is a clear proclivity to paying more in order to acquire market-leading vendors. This doesn't mean Symantec overpays. Simply that Symantec seems to weigh established customer base and market share more than other security specialists. Certainly, McAfee has its share of big acquisitions (it paid about as much for SafeBoot as Symantec paid for PGP and GuardianEdge combined, and the Secure Computing acquisition was no small purchase either), but as a more general rule Symantec goes after the big game on the plains more than other security specialists. In security, Symantec is clearly moving to more head-to-head competition against the mega-vendors with deep pockets: IBM, Cisco, Microsoft, EMC, etc. I believe that this approach to acquisitions is a key factor that helps Symantec over the long term against this competition.

Read more

More detail surfaces about the attack on Google

John Markoff’s article yesterday in The New York Times reveals that Google’s authentication system, code name "Gaia," was one of the targets of attack.

The target wasn’t Google users’ passwords, but the authentication system itself (Markoff refers to it as a “single sign-on” system; I’m reluctant to do that, since my own experience shows it to be a rather confusing mesh of both interconnected and disconnected authenticators… seems like Google could do a lot more to help users link and manage their IDs under one master account of their choosing). Why not the passwords? It’s far more valuable to gain access to the code and learn the intricacies – and weaknesses – of the system itself, rather than gain access to a few (or even a few thousand) accounts. My own theory is that this is why Adobe and various antimalware companies were targeted by the same network of attacks: the former, to find more weaknesses in Flash and Acrobat to exploit, and the latter, to learn how to bypass security mechanisms designed to defeat such attacks.

Markoff has several other excellent articles on the cyber attacks made public by Google in January, most notably this one.

Symantec: Looking like a security company again

I attended the Symantec WorldWide Industry Analyst Conference earlier this week. Here is the "net" of my impressions / takeaways from the event, not necessarily reflecting any specific statements by Symantec.

  • Symantec is more pointedly focused on being a security company. Symantec is re-orienting its strategy and position on information protection foremost, with systems management (Altiris, etc) and information management (Veritas, etc) being subservient to that broader mission.

Security took center stage at this event. The storage and availability management portfolio was mentioned quite a lot, especially de-duplication, but most of it was subservient to the broader security context. There was hardly any mention of Altiris solutions until a deep-dive on the second day. Security is certainly Symantec’s strength, even as its Storage and Availability Management portfolio is a major component of its overall revenues and profit.

  • Symantec’s articulated unique value proposition is in providing coordinated security in a world of complex threats. Symantec’s management heritage and breadth of portfolio lends itself to this .

As Symantec competes on the plane of security against Kaspersky, LANDesk, IBM ISS, McAfee, Microsoft, Postini/Google, and Trend Micro, that makes sense.

Read more

Launch of Forrester's 2010 Security Survey

We’re just ramping up at Forrester to start our 2010 Business Data Services’ Security Survey. To begin, I’ve started taking a measured look at last year’s questions and data. Additionally, I’ll be incorporating input from those analysts with their ears closest to the ground in various areas, and will be considering the feedback from our existing BDS clients.

I also welcome input here into what you would find useful for us to ask of senior IT security decision-makers, as development of the survey is take place over the next three weeks.

The survey is scheduled to be fielded in May and early June—with the final data set becoming available in July. The projected sample size is 2,200 organizations across US, Canada, France, UK, and Germany: split roughly 2:1 between North America and Europe, and with a 55/45 split for SMBs (20-1000 employees) vs. enterprises (1000+ employees). Concurrently, we ask a separate set of questions to respondents from “very small businesses” (VSBs) with 2-19 employees.  We also set quotas around industry groupings, so each industry is appropriately represented. We source our panel from LinkedIn, which provides an excellent quality of respondents.

The Security Survey is an invaluable tool that provides insight into a range of topics critical for strategy decision-making: IT Security priorities, challenges; organizational structure and responsibilities; security budgets; current adoption and across all security technology segments, be they as products or as SaaS/managed services, along with associated drivers and challenges around the technology.

Here are a few valuable data points from last year’s survey:

Read more

Security of open source: Sunlight disinfects, but does it introduce germs as well?

The security of open source software took a small hit this week as Mozilla reported that Firefox currently contains a root certificate authority that has no owner.  The fear being that this is a bogus CA inserted by hackers to provide trustworthiness to malicious sites.

This potentially provides an example of a nightmare scenario the anti-open-sourcers talk about: that hackers can inject back doors or introduce vulnerabilities within the open source development process.

Indeed, Fortify is drawing a rather extreme conclusion to this situation with its European director, Richard Kirk, stating that “this tilts the balance in favour of Microsoft’s Explorer”. That’s a ridiculous claim: in the browser war, this event will not move the needle one way or another. All it’s served to do is get much of the security community (which tends to favor openness) to jump on Fortify. Besides, while good theoretical arguments are made on both sides of the “security of open source versus closed source” debate, in practice it comes down to, well….practice. And it has been shown that one of the best practices is openness: whether closed or open source, an open and transparent disclosure process improves security over time.

I do agree with what Fortify’s Kirk says later, that “The important thing to stress, however, is the need for software security testing to identify and remove vulnerabilities from applications, rather than simply trying to block attacks on software by securing the network.”

Lesson #1: DO use these moments to offer constructive advice by raising awareness of issues and solutions.

Read more