Like this one is a surprise to anyone:

Solid-State Memory Will Kill HHDs - Data Storage

I mean, why would anyone want a storage solution that is impact resistant, doesn't case if you are moving, works faster, and uses less power? So this "prediction" by eWeek doesn't feel all that impressive.

Having said that, some of the promises just haven't proven out - yet.

The pricing is still obscene - look at the MacBook Air - a $1200 premium for an SSD option.
The performance isn't that much better - for certain functions (reads versus writes and small files versus large).
While there are no moving parts, they aren't as reliable - so far.
Finally, they appear to use more power. Why? Well, they are always on, whereas a HDD can spin down.

So they have a way to go, but I do agree with eWeek that this appears to be the storage direction of the future. Could be a bit longer than predicted, or could be very very fast. Enough big storage vendors are working on this to make it look like a real possibility in the very near future.

Just don't be surprised if it takes a little while for the versions grabbed by early adopters don't perform as well as they do once the technology matures a bit.

Also be ready for lots of screaming by those early adopters when SSDs don't deliver everything expected. As outlined above!

Interesting bit of discussion on Network World today regarding FireFox 3's handling of trusted versus untrusted SSL Certificates

Firefox SSL-certificate debate gets gnarly - Network World

The debate revolves around whether or not the normal (i.e., non techie) will understand and be able to differentiate the difference between a valid certificate issued by an untrusted root CA, and one that is expired or even revoked.

The concept of PKI is pretty reliant on informing someone if the certificate they are using (or are relying on someone else to be using) is invalid for one of several reasons. Potential reasons for getting this family of messages are:

• Certificate Expired
• Certificate Name Mismatch (i.e., the website name doesn't match the cert)
• Certificate Revoked
• Certificate Issued by Untrusted Root Certificate Authority
  

Now there's nothing inherently wrong with using an untrusted root to issue a server certificate thatis used to create a secure connection - in this case, via SSL. The connection is still encrypted, the data is secured via that encrypted channel, and you have security established via this endpoint to enpoint encryption.

The real question is around the message. How secure is secure? In my opinion there's value in this message. The recent rash of DNS attacks that have the potential for DNS poisoning of global DNS servers (resulting in those same 'normal' users hitting websites run by others purporting to be an expected destination) is one very important reason to have this function in place.

Take this example: I'm a hacker. I manage to poisons some DNS servers into redirecting https://yourbank.com to my website. I make it look just like the yourbank.com website, and I fake the URL, and I even issue an SSL certificate so you can feel secure about the online banking.

Of course, your account and PII goes right into my database.

On the other hand, if I get this warning, your caution is engaged. You might wonder why yourbank.com is suddenly causing your browser to warn you that you don't recognize mytrustedroot.com as a valid trusted root CA. You might even call your bank to question what happened, or you might avoid the site until you have a chance to ask your bank about it.

Crisis averted.

Now it's not perfect. The functionality needs to make it as easy as possible for the so-called 'normal user' to add the root CA as a trusted root. I mean, if I decide I trust it, don't keep asking me. And maybe it needs to allow a user to submit the CA to Mozilla as a potential addition to the trusted CA list. All of this should be easily accomplished.

The bottom line (and I can and probably should delve into this in greater depth) is that the technical implementation need to fit the needs of the users. In this case, consumers (the users) need this kind of functionality. It's a new wild west out there, and the functionality that FF3 introduces here is one more gun in the belt.

Well. If this isn't a great argument for multifactor authentication systems I don't know what is.

Wells Fargo code used to illegally access consumer data - Network World

And here's the disturbing thing: Wells Fargo has already had to deal with leaking consumer data in the past. At least twice!


The real problem here is that, as a consumer, you can't really do anything about this. It's not like moving your money or investments away from Wells Fargo protects you from their disgustingly poor security. Your data is still in their system - would anyone believe them if they told you they purged it securely?


Wells Fargo needs a broad review of their technical security, and I have to believe that a massive redesign will prove to be necessary.

So the RID tech being used in passports has been hacked. See this link for the WSJ article.

Laurie showed us his son’s British passport, in which he embedded a chip that displays Osama Bin Laden’s photograph. The passports have a key needed to access the electronic information, but it is taken from information found in the passport like the date of birth. Laurie was able in about four hours to decipher the key and use an RFID scanner to steal the digital information from a passport contained in a sealed envelope.

I'm struggling a bit to figure out why this is a surprise. As usual, governmental agencies decided to proceed with technoogy that was poorly implemented and hackers have figured out how to take advantage of it.

Who'd have thought?

Actually, everyone should have thought. Best quote in the article? This:

The technique is pretty complicated, involving sophisticated software and know-how. It’s a sure bet that the chips make it significantly harder to make counterfeit passports. But would anyone be foolish enough to suggest that the new technology makes passport security infallible?

Turns out the British government would. When 3,000 blank passports were stolen there two weeks ago, the passport office said that “the stolen documents could not be used by thieves because of their hi-tech embedded chip security features,” the BBC reports.

One inconsistency: the technique of reprogramming an RFID chip really isn't all that complicated.

Rather amazing at this point that the Brits (or any government, this isn't just about them)
would consider any technoogy to be 100% infallible.

So how would you fix this? Well, bottom line is any solution that relies entirely on the data embedded on anything you are giving to anyone will result in the potential for exploit. As we all know, physical security is everything.

So for this to really work, it requires a multi-factor design. Something like the RFID chip combined with a bitmetric factor and validation against a back-end database. If all three don't match, further investigation is required.

Would this be perfect? Well, no. More secure? Well, yes - orders of magnitude more difficult to hack. And it's not all that complex to design, except for the back-end. How does one create a database capable of handling billions of records?

At the end of the day, this is a solution that will wind up being adopted worldwide, sooner or later. And it's eminently doable, especially as processing tech catches up with the need for this level of data access - but at the end of the day, can we really trust the government to fix it? Or does a creative company need to come along and offer the solution?

Lost in the noise of gas prices and energy bills is the new Identity Theft Enforcement and Restitution Act, which passed the Senate and is on the way to the House.

The bill purports to protect individuals from identity theft by increasing the potential penalties and better defining the crime (to include numbers of affected systems, spyware clauses, and key logging).  But does increased penalties really increase protection?  Will the Russian and/or Korean hacker that is spamming links to their phishing site really going to care?

According to Leahy:

"Because identity theft schemes are much more sophisticated and cunning in today's digital era, our bill also expands the scope of the federal identity theft statutes so that the law keeps up with the ingenuity of today's identity thieves," Sen. Patrick Leahy, D-Vt., said in July 30 floor remarks.

What was Leahy thinking, and why am I quoting him here? Because the theft schemes are in fact NOT more cunning. They're much simpler than true con artists of the past. Which is more complex - spamming email to find suckers who will send you back their social security number, or the following:

Frank Abagnale Jr made a fortune from forging checks and outwitting even the smartest of FBI agents. Posing as a Pan Am pilot, a paediatrician and a professor of sociology at a renowned American university, Abagnale's talents in deception saw him swindle millions of dollars from renowned banks, airlines and hotels around the world - all before the age of 21.

Although he seemed invincible, the FBI caught up with him. But he was not captured for long; the same people who caught him eventually offered him a job. To this day, Frank Abagnale Jr still remains the FBI's foremost authority on document fraud.

The fact is, con artists like Frank Abagnale were much more sophisticated than todays phishing and identity thefts.

But not so widespread. the reason? People don't bother to properly secure their systems. And not just individuals, but businesses as well. In this day and age, the likelyhood of a hack attempt against a bank is 1 in 2 (OK, I sort of made that up. But read this article for some frightening stats).

At the end of the day, idenitity theft doesn't need stricter laws - it needs stricter security stadards and awareness.

Well, you have to admire their tenacity. See the article here.

I think this is my favorite quote:

"It is very difficult to tell what Microsoft is talking about when they talk about numbers of seats or costs because they shove so much into their environment, but I do know we have been engaging against them and winning," says Bob Picciano, general manager of Lotus Software."

So Bob doesn't know what the deal is, but he knows Notes is winning. He must "Feel" they are beating Exchange.

If an email client falls in the woods and noone is there to hear it, does anyone give a crap?

The only challenge to Exchange in the coming years is likely to be Google Apps, or some other hosted solution. A cloud solution will gain momentum, but it's unclear if Microsoft will successfully fight it off or not (remember Linux would be dominating desktops by now according to pundits a few years ago).

Plus the client sucks. It doesn't matter that the application development capabilities are better in Domino - Notes' time has passed. Let it die peacefully.