<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Michael N. Dundas &#187; Clear2Go</title>
	<atom:link href="http://michaeldundas.com/author/clear2go/feed/" rel="self" type="application/rss+xml" />
	<link>http://michaeldundas.com</link>
	<description>A place to record my thoughts and musings.</description>
	<lastBuildDate>Tue, 20 Jul 2010 03:13:20 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Last.FM, XMRadio and Grooveshark</title>
		<link>http://michaeldundas.com/2010/07/18/last-fm-xmradio-and-grooveshark/</link>
		<comments>http://michaeldundas.com/2010/07/18/last-fm-xmradio-and-grooveshark/#comments</comments>
		<pubDate>Sun, 18 Jul 2010 12:17:55 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[customer service]]></category>
		<category><![CDATA[online services]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1936</guid>
		<description><![CDATA[Grooveshark.com rocks!  I have been using them regularly as a source of music since the fall of 2009.  A couple months ago I even purchased a year subscription I liked them so much.  Why?  Unlike Xmradio and Last.fm, they give me what I want.
I have created a play list for when I run that I [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/07/lastfm1.png"><img class="alignright size-full wp-image-1940" title="lastfm1" src="http://michaeldundas.com/wp-content/uploads/2010/07/lastfm1.png" alt="" width="109" height="45" /></a><img class="alignleft size-full wp-image-1937" title="Grooveshark_Logo_small" src="http://michaeldundas.com/wp-content/uploads/2010/07/Grooveshark_Logo_small.png" alt="" width="135" height="20" /><a href="http://michaeldundas.com/wp-content/uploads/2010/07/xm_logo.png"><img class="aligncenter size-full wp-image-1938" title="xm_logo" src="http://michaeldundas.com/wp-content/uploads/2010/07/xm_logo.png" alt="" width="135" height="51" /></a><a href="http://grooveshark.com">Grooveshark.com</a> rocks!  I have been using them regularly as a source of music since the fall of 2009.  A couple months ago I even purchased a year subscription I liked them so much.  Why?  Unlike <a href="http://xmradio.com">Xmradio</a> and <a href="http://last.fm">Last.fm</a>, they give me what I want.</p>
<p>I have created a play list for when I run that I periodically update.  I have a separate play list for when I work out, and another when I am in the office working.  They do not limit play lists or music listening.  They even have Grooveshark Radio which will pick songs for you based on your criteria selection and taste.  Everything is available without a subscription as well.   The difference between subscription and non subscription is advertisements.  Non subscription users will see advertisements appear on the side of the screen while music is playing.  Obviously these will go away when you purchase a subscription. But that is not why I purchased a subscription.  I purchased a subscription because, unlike others, they gave me, the customer, what I want.</p>
<p>My wife has an <a href="http://xmradio.com">Xmradio</a> in her car and we have a subscription.  The subscription permits you to log on via the web and listen, sort of.  They have a &#8216;better sounding&#8217; version you can pay extra for to listen on the web.  For basic subscribers that only have a car radio and do not wish to give them more money than we already do, there is a lower quality version if you choose to listen on the web.  In order to run it, I had to use a Windows machine (the only Windows machine in the house is my work one).  I had to run Internet Explorer as apparently Firefox isn&#8217;t supported.   Aside from their obvious vehicle penetration, the service is really a subset of what Grooveshark offers at a higher price point and they are difficult to deploy in the home.</p>
<p><a href="http://last.fm">Last.Fm</a> I have already written about <a href="http://michaeldundas.com/2009/05/01/imeem-vs-lastfm/">here</a> and <a href="http://michaeldundas.com/2009/08/11/last-fm-the-effect-of-moving-from-free-to-subscription/">here</a>.  My views on them have not changed.</p>
<p>If Grooveshark offered an &#8216;in vehicle&#8217; version of their service I&#8217;d sign up.  I&#8217;d gladly give the money we pay for our XMradio subscription to them. Based on my feelings about these online services, I found the latest Google Webtrends data interesting.</p>
<p><a href="http://michaeldundas.com/wp-content/uploads/2010/07/lastFmxmRadioGroovesharkJan2009July2010Trend.png"><img class="aligncenter size-full wp-image-1941" title="lastFmxmRadioGroovesharkJan2009July2010Trend" src="http://michaeldundas.com/wp-content/uploads/2010/07/lastFmxmRadioGroovesharkJan2009July2010Trend.png" alt="" width="590" height="223" /></a>Grooveshark is a slow almost constant trend upwards. Xmradio.com is the reverse (of course this represents web access not vehicle access), and Last.fm, is heading downward in 2010.</p>
<p>If you use online music services, give Grooveshark a try.  You won&#8217;t be disappointed.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/07/18/last-fm-xmradio-and-grooveshark/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>I am watching you, but you can&#8217;t watch me</title>
		<link>http://michaeldundas.com/2010/07/16/i-am-watching-you-but-you-cant-watch-me/</link>
		<comments>http://michaeldundas.com/2010/07/16/i-am-watching-you-but-you-cant-watch-me/#comments</comments>
		<pubDate>Fri, 16 Jul 2010 08:21:17 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Behavioural Profiling - Network]]></category>
		<category><![CDATA[Behavioural Profiling - People]]></category>
		<category><![CDATA[Forensics]]></category>
		<category><![CDATA[law enforcement]]></category>
		<category><![CDATA[monitoring]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1910</guid>
		<description><![CDATA[Several years ago I was hired to assist with an internal investigation.  The client, a large company, had some concerns about an employee and wanted to covertly gather information and data on what this employee was doing while at work.   For about a week, I sat passively on the network, monitoring the subject&#8217;s connections to [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/07/iAmWatchingYou.png"><img class="alignright size-full wp-image-1917" title="iAmWatchingYou" src="http://michaeldundas.com/wp-content/uploads/2010/07/iAmWatchingYou.png" alt="" width="265" height="199" /></a>Several years ago I was hired to assist with an internal investigation.  The client, a large company, had some concerns about an employee and wanted to covertly gather information and data on what this employee was doing while at work.   For about a week, I sat passively on the network, monitoring the subject&#8217;s connections to servers, internet systems, e-mail, instant messaging and any other network connection.  There was not the selection of automated software there is today to accomplish this, so most of it was done with packet sniffers.  I would gather the data, use scripts to extract specific types of data and run it through statistical analysis, look for data that was &#8216;different&#8217; or &#8216;suspect&#8217; in some way. Basically the goal was to profile the user, compare his activities to other users.  Then using this profile, identify and focus on things that didn&#8217;t fit.   Personally, I found it a little creepy.  Looking into the details of someone&#8217;s private life is not really fun, a part of me felt like I was being invasive, not respecting their privacy &#8212; and technically that is true.  But it was the job, what I was asked to do.   Sometimes doing things one would prefer not to do is necessary.</p>
<p>One thing I had identified to the client was that the subject was using a type of VoIP software.  They asked if it was possible to listen in on the voice conversations.  I told them it was, and that I could probably get them a copy of the voice conversations the subject previously had during the time I was monitoring.  I had packet captures, most non-encrypted so it was just work and time.  At the client&#8217;s request, I extracted the VoIP conversations into wmv files using date and time of the call as a file name.</p>
<p>At the end of the job, I was having a conversation with the CTO.  He was wondering if there was an automated way to keep audio conversations of all the employees.  At the time, this technology was not as prevalent, cheap, and available to the general public as it is today.  I asked him if he thought that was really appropriate.  I explained that I had just listened in on someone&#8217;s private conversations.   Maybe it wasn&#8217;t any of the company&#8217;s business.   Maybe there were legalities if they were to do that (yes, I was annoyed).  His response was very quick.  &#8220;The company has a right to view all data, monitor activity that its equipment or network is used for, period&#8221;.   He told me all the employees know this and sign a document to that effect.  I said that made sense.   I asked him what he would think if he was in a confidential conversation on the phone with someone in a different province and Bell had listened in on his conversation?  I said that I assume he didn&#8217;t have a problem with it, after all it is their network, their devices.  Aside from the angry facial expression, he said that was &#8216;different&#8217; and they shouldn&#8217;t be allowed to do that.</p>
<p>Fast forward to now.  Everyone has a video camera or picture camera on them as a result of mobile phones.  If you are serious about it, you can find all kinds of <a href="http://www.spycamman.com/">tiny</a> spy <a href="http://www.spycameras.com/">cameras</a>.  <a href="http://eyeborgproject.com">Rob Spence has implanted a camera in his eye.</a> It amuses me when law enforcement gets all concerned about citizens taking their picture and video taping them.  I guess they feel that they should be able to watch and monitor us, but we shouldn&#8217;t be able to watch and monitor them.  Of course if they are not doing anything wrong, then they should have nothing to worry about right? (that statement is an entire topic in and of itself).</p>
<p>Everyone has reasons why a particular person or group of people should or should not be monitored.  It really comes down to the basic premise that we as humans don&#8217;t want to be monitored, but we want the ability to monitor others, especially if we deem them as a threat.  Government wants the ability to covertly monitor their citizens but do not want organizations covertly monitoring them.  Police want cameras everywhere so they can monitor what is going on and use it to assist with their job, but <a href="http://www.usatoday.com/news/opinion/editorials/2010-07-15-editorial15_ST1_N.htm">they don&#8217;t want to be video taped</a> in <a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/06/20/AR2010062002532.html">case</a> they get caught doing something controversial, such as <a href="http://www.youtube.com/watch?v=IPe_hf7aBXM">Robert Dziekanski</a> being killed by officers at Vancouver airport. The video once released on the Internet, forced police to <a href="http://www.youtube.com/watch?v=o5k7CmAENHo">change their story</a>.  Businesses feel they have a right to monitor their employees, but would have concerns if employees were monitoring some of their activities.</p>
<p>Personally, I think it is futile to attempt to stop one group from monitoring another, especially in public places.  It will never be successful.  Who do you feel should be able to monitor who?   Under what circumstances and conditions is video or audio surveillance appropriate?</p>
<p style="text-align: right;"><a href="http://www.flickr.com/photos/alsiafy/53295600/in/photostream/"><em>photo credit</em></a></p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/07/16/i-am-watching-you-but-you-cant-watch-me/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ClickandBuy.com and scaminess</title>
		<link>http://michaeldundas.com/2010/07/10/clickandbuy-com-and-scaminess/</link>
		<comments>http://michaeldundas.com/2010/07/10/clickandbuy-com-and-scaminess/#comments</comments>
		<pubDate>Sat, 10 Jul 2010 12:42:50 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[customer service]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1887</guid>
		<description><![CDATA[I have a Visa card that I use only when I am on business.  The idea being that all charges on that card are business related and are therefore re-paid by clients.  As such I am forced to on a regular basis walk through all the transactions, ensure I have the appropriate documentation, submit it [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/07/clickAndBuyLogo1.gif"><img class="alignright size-full wp-image-1891" title="clickAndBuyLogo1" src="http://michaeldundas.com/wp-content/uploads/2010/07/clickAndBuyLogo1.gif" alt="" width="130" height="53" /></a>I have a Visa card that I use only when I am on business.  The idea being that all charges on that card are business related and are therefore re-paid by clients.  As such I am forced to on a regular basis walk through all the transactions, ensure I have the appropriate documentation, submit it to the appropriate parties so that I get the money back.  I say forced because I really hate doing expenses, so much so that I will avoid it as much as humanly possible.</p>
<p>I have been traveling for work a fair bit lately, and two months of expenses have piled up.   Begrudgingly, I sit down to do my expenses. All the transactions are fine, except for two, one on each month for $6.79 cents from a company called <a href="http://clickandbuy.com">clickandbuy.com</a>.  Not a company I have dealt with.  I go to the <a href="http://clickandbuy.com">clickandbuy.com</a> website.  In the FAQ section I find an entry describing my problem.  In order to contact them electronically, I have to register first, giving them a bunch of information I don&#8217;t want to give them.   The fact is they probably already have the information from whatever method they obtained my credit card information, but I don&#8217;t want to confirm it, I don&#8217;t want to be their customer.  There is a long distance number I can call if I want a person directly, no toll free number.</p>
<p>Next, I call my Visa company.  I get the standard series of  endless automated prompts.  Eventually I get an option for customers that wish to discuss specific charges on their account.  Selecting that option the first thing the recording system tells me is (paraphrased):  If the charge in question is related to an internet transaction, please contact the vendor to resolve the charge.  If I still have trouble, I can work with them because after 45 days the transaction is my responsibility.  I wait on the line.  Next I receive a message that they are not open right now and to call back during &#8216;normal business hours&#8217;, which they don&#8217;t provide.</p>
<p>At this point I have spent approximately 30 minutes, dealing with two transactions worth $13.58 on my weekend.  I am mad at <a href="http://clickandbuy.com">clickandbuy.com</a> and I am furious with my Visa company.  How dare they waste my time.  How dare they permit a charge to be placed on my card, then make it inconvenient for me to discuss and dispute the charge they put on a card I did not authorize (at least not knowingly).   The question becomes, how do I save my time?  I call my Visa company back up and select the &#8216;report a lost or stolen Visa&#8217; option.  I immediately get a person who is very helpful, and I have a new card coming to me in a few days.</p>
<p>Why did I do this?  Well this happened to my wife about a year ago and experience is a good teacher.  Different financial institution, different scummy vendor.  We spent hours of time and frustration on the phone, email, filling out forms, responding to voice mails, waiting on the phone in queues.  Not worth it.   And since the Visa companies value the merchant and their time more than their customers and my time (this is obvious by their actions), I can play that game too. In five days it will be all fixed, minimal time lost and stress induced for me.</p>
<p>End result is that scummy <a href="http://clickandbuy.com">ClickandBuy.com</a>, obtained $13.58 from me due to the despicable and scummy business practices they employ &#8212; you are welcome <a href="http://clickandbuy.com">Clickandbuy.com</a>.  $13.58 vs. calling my Visa company repeatedly, having to fight with them, then having them send me forms via snail mail, which I have to fill out, return via snail mail or fax, then wait for them to investigate and decide, easy choice.</p>
<p>As for the company who provides me the Visa, I will receive a new one next week.  I may not activate it however.  I am going to look around, maybe select a new provider.  Sure they will probably be similar in their rules to my current Visa company when it comes to despicable companies like <a href="http://clickandbuy.com">clickandbuy.com</a>.  My Visa company is big and I am just a tiny little single customer.  But I will do it on principle.  I highly recommend that everyone that has a problem like this just call in and report your card lost.  They have to terminate the card, they have no choice.  They are obviously trying to push the Internet purchasing problem off to their customers rather than come up with a solution.  This makes it their problem again, which is where the problem is and should be.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/07/10/clickandbuy-com-and-scaminess/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bill C-32, digital locks, and my concerns</title>
		<link>http://michaeldundas.com/2010/06/24/bill-c-32-digital-locks-and-my-concerns/</link>
		<comments>http://michaeldundas.com/2010/06/24/bill-c-32-digital-locks-and-my-concerns/#comments</comments>
		<pubDate>Thu, 24 Jun 2010 19:57:06 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Copyright]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1871</guid>
		<description><![CDATA[I am not a lawyer, nor am I a politician or a copyright expert.   I have been following the copyright debate quite religiously for the last 3-4 years, trying to learn what I can.  In Canada Bill C-32 has been tabled to update the copyright laws.  There has been lots of discussion about the Bill, [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/06/smithAndWessonFirearm1.png"><img class="alignright size-full wp-image-1874" title="smithAndWessonFirearm1" src="http://michaeldundas.com/wp-content/uploads/2010/06/smithAndWessonFirearm1.png" alt="" width="350" height="280" /></a>I am not a lawyer, nor am I a politician or a copyright expert.   I have been following the copyright debate quite religiously for the last 3-4 years, trying to learn what I can.  In Canada Bill C-32 has been tabled to update the copyright laws.  There has <a href="http://www.michaelgeist.ca/content/view/5141/125/">been</a> lots of <a href="http://www.michaelgeist.ca/content/view/5139/125/">discussion</a> <a href="http://www.michaelgeist.ca/content/view/5138/125/">about</a> the Bill, specifically around the digital lock rules in this bill.   Big industry wants to protect their materials, by making it illegal to remove digital locks, for any reason whatsoever, without permission of the copyright owner.  It also seems that it is illegal to publish tools that would assist others to break digital locks.  Both of these issues concern me.</p>
<p>See, I do research into security technologies as part of my job.  Security is also a personal interest of mine.  As an example, I am currently looking into a particular application that uses SSL to encrypt the data between points.  In order to do what I need to do for the research, I downloaded an open source tool, that basically breaks the SSL.  This allows me to work on my research with the application in question. If that tool was not published due to Bill C-32, then that stops me from doing my research.  I suppose I could create my own version of the tool, but why would I do that if someone already has a tool readily available?  It makes no sense.   The most likely response to my specific example is that SSL isn&#8217;t proprietary so it does not matter.  That is true in this case, but what about when I am evaluating a Blackberry PDA or an iPhone?   I suspect RIM and Apple might not take too kindly to me exposing problems in their software.  See, the current Bill C-32 might allow them to do this.   That is bad for security, bad for keeping companies honest.</p>
<p>I think it makes more sense to punish those that use the tools in a wrong way.  If someone was to take the tool, and use it in a botnet to extract credit card information, then the individuals that did this are guilty and should be charged.  The person that made the tool is not the guilty party.  It is like making <a href="http://www.smith-wesson.com">Smith &amp; Wesson</a> responsible because they created the firearm that was used in a murder.</p>
<p>Overall, I think Bill C-32 has made much progress from the previous bills in Canada.  My hope is that the Government starts to do their job and properly debate the bill and get input from all interested parties, <a href="http://www.michaelgeist.ca/content/view/5138/125/">not label people that question them as extremists</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/06/24/bill-c-32-digital-locks-and-my-concerns/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SSL Decryption is becoming the norm</title>
		<link>http://michaeldundas.com/2010/06/22/ssl-decryption-is-becoming-the-norm/</link>
		<comments>http://michaeldundas.com/2010/06/22/ssl-decryption-is-becoming-the-norm/#comments</comments>
		<pubDate>Tue, 22 Jun 2010 15:23:20 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Auditing]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Forensics]]></category>
		<category><![CDATA[Privacy / Anonymity]]></category>
		<category><![CDATA[monitoring]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1838</guid>
		<description><![CDATA[A couple of years ago I was at a client&#8217;s site in Dubai.  The client was a telco, and I was doing some security consulting for them.   Like many countries in the Middle East, Dubai actively monitors data entering and leaving the country.  Privacy laws as far as I could determine do not exist.  All [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/06/eavesdroppingOnApartmentDoor.png"><img class="alignright size-full wp-image-1860" title="eavesdroppingOnApartmentDoor" src="http://michaeldundas.com/wp-content/uploads/2010/06/eavesdroppingOnApartmentDoor.png" alt="" width="211" height="320" /></a>A couple of years ago I was at a client&#8217;s site in Dubai.  The client was a telco, and I was doing some security consulting for them.   Like many countries in the Middle East, Dubai actively monitors data entering and leaving the country.  Privacy laws as far as I could determine do not exist.  All internet communications are actively monitored.  It is quite common to suddenly see a web page pop up explaining in Arabic that the site you are trying to view is not authorized and you have been denied.  Telcos there have spent millions of dollars on infrastructure in order to enforce these requirements.  The design is not as complex as one might think, just resource intensive.  Resources are required to process the data real-time and staff is required to maintain the infrastructure, look into events and other tasks.  Telcos do this because it is required  by law.  You cannot obtain a license as a Telco unless you have monitoring capabilities deployed.</p>
<p>My first day in Dubai, I went to lunch with one of the executives of the Telco.  During our lunch, I asked him how they manage encrypted connections.  He explained that they were currently getting ready to deploy a solution to solve that.  The infrastructure was being upgraded to decrypt all SSL sessions and parse the data as required.   Aside from opening my eyes to the difference in privacy between North America and the Middle East from a privacy perspective, I found it interesting that SSL decrypting was so easily available.   Previously, I had seen software that law enforcement used for this purpose.  I myself had done it for clients using available tools during an engagement.  But these tools were designed more for targeted surveillance, not mass scale.  Like all technology, it improves and gets less expensive over time I guess.</p>
<p>Today, there are many more companies in North America and abroad that either have deployed SSL decrypting capabilities or are in the process of doing so.  Security, diagnostics, audit and legal requirements to know what is coming and leaving their networks and being able to log and trace back data transmissions to the originator are some of the reasons.  One driver is Data Leakage Protection (DLP), currently a very &#8216;hot&#8217; topic with many new vendors jumping on the opportunity with solutions.  In order to look for data leakage, you need to see past any encryption that might be present.  <a href="http://cisco.com/">Cisco</a>, <a href="http://www.bluecoat.com/">Bluecoat</a>, <a href="http://www.paloaltonetworks.com/">PaloAlto</a>, <a href="http://www.fortinet.com/">Fortinet</a> are just a few companies that offer products for SSL decryption.</p>
<p>With Google deploying encryption for <a href="https://gmail.com">Gmail </a>and more recently <a href="https://www.google.com/">searching</a>, plug-ins such as the <a href="http://www.eff.org/deeplinks/2010/06/encrypt-web-https-everywhere-firefox-extension">EFF Firefox plug-in</a> to help secure your communications, companies are feeling more and more concerned about what data is coming and going.  What worries me is that all these security, legal and audit requirements companies face are actually not helping them in the long run.   If these companies are decrypting SSL sessions that egress and ingress their network, you can be sure that other companies are doing the same to theirs.  The net result is that everything is decrypted and no one has any privacy.</p>
<p>Next time you connect to your bank, doctor&#8217;s office, insurance company, Gmail or any site and see secure indications from your browser similar to these<a href="http://michaeldundas.com/wp-content/uploads/2010/06/httpsGmailURL.png"><img class="aligncenter size-full wp-image-1856" title="httpsGmailURL" src="http://michaeldundas.com/wp-content/uploads/2010/06/httpsGmailURL.png" alt="" width="284" height="27" /></a><a href="http://michaeldundas.com/wp-content/uploads/2010/06/firefoxSSLLock.png"><img class="aligncenter size-full wp-image-1857" title="firefoxSSLLock" src="http://michaeldundas.com/wp-content/uploads/2010/06/firefoxSSLLock.png" alt="" width="110" height="22" /></a></p>
<p>along with the companies&#8217; reassurances that the site is secure, keep in mind things may not be as they appear &#8211; today even more so than yesterday.</p>
<p>Do you deploy any type of decryption on your network?  If it is deployed are you aware of it?</p>
<p style="text-align: right;"><a href="http://www.flickr.com/photos/joehowell/2314400543/"><em>photo credit</em></a></p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/06/22/ssl-decryption-is-becoming-the-norm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>LinkedIn and the new &#8216;Follow&#8217; feature</title>
		<link>http://michaeldundas.com/2010/06/14/linkedin-and-the-new-follow-feature/</link>
		<comments>http://michaeldundas.com/2010/06/14/linkedin-and-the-new-follow-feature/#comments</comments>
		<pubDate>Mon, 14 Jun 2010 08:32:49 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Behavioural Profiling - People]]></category>
		<category><![CDATA[Social Networking]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1817</guid>
		<description><![CDATA[LinkedIn has a new follow feature.   If there is a company you are interested in, selecting &#8216;follow&#8217; will send you notifications when people join, leave, or get promoted in that company.
Up until now, the main reason I used LinkedIn and Facebook was to keep abreast of what is happening in my contacts&#8217; lives.  Typically LinkedIn [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/06/linkedInLogo1.png"><img class="alignright size-full wp-image-1820" title="linkedInLogo1" src="http://michaeldundas.com/wp-content/uploads/2010/06/linkedInLogo1.png" alt="" width="93" height="26" /></a><a href="http://linkedin.com">LinkedIn</a> has a new <a href="http://linkedin.custhelp.com/cgi-bin/linkedin.cfg/php/enduser/std_adp.php?p_faqid=3539&amp;p_created=1271877059&amp;p_sid=kqP_Yj2k&amp;p_accessibility=0&amp;p_redirect=&amp;p_lva=&amp;p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MzQwLDM0MCZwX3Byb2RzPTAmcF9jYXRzPSZwX3B2PSZwX2N2PSZwX3BhZ2U9MSZwX3NlYXJjaF90ZXh0PWZvbGxvdw!!&amp;p_li=&amp;p_topview=1">follow feature</a>.   If there is a company you are interested in, selecting &#8216;follow&#8217; will send you notifications when people join, leave, or get promoted in that company.</p>
<p>Up until now, the main reason I used LinkedIn and Facebook was to keep abreast of what is happening in my contacts&#8217; lives.  Typically LinkedIn are people that I have worked with, and Facebook is more social friends.  This is a really useful feature to me for a couple of reasons:</p>
<p><strong>Are people leaving a company?</strong> If there is an increased rate of people leaving a particular company and you are considering working for that company, you might want to re-consider. Or you might see it as an opportunity.  Regardless of your decision, it gives you valuable insight.  Insight that was not as easily available before social networking.</p>
<p><strong>Transparency.</strong> It forces transparency for companies as they do not have any control over LinkedIn.  I love this.  If suddenly there is an increased rate of people leaving a company, public announcement or not, something is up.  Good information to have, especially if you are considering them as a potential candidate for employment or contract work.   The reverse (where a company is suddenly hiring) is also true.</p>
<p>One can suggest that it is not &#8216;official&#8217; information, but in reality  that doesn&#8217;t matter.  Forgoing statistics and math,  ask any investigator or law enforcement detective.  If you get enough information from enough people, eventually you will get to the truth.  Sure each piece of information is biased, leaves something out, or has added  titbits for colour, but if you get as much information as you can (sample size), you will start to see what most likely is the situation. At the very least where to focus your efforts to answer the question.  The same applies to information from LinkedIn.   It may not be official, and sure maybe one or two people are potentially mis-representing their position or title, but if there is a sudden change in a company&#8217;s employees, there is usually a common set of reasons for the change.</p>
<p>A few months ago when I was looking at changing careers, I was actively on LinkedIn.  Even without the follow feature, it became obvious to me over the weeks that one company I was interested in was letting people go.  Looking at the profiles of individuals that were leaving,  they had been at the company for a long period of time, and were typically in senior management positions.   The company was not officially downsizing.  Curious, I contacted a few individuals at the company.  My assessment based on LinkedIn was correct.  They were quietly removing higher paid employees for lower paid ones.  Correlating this information with their hiring positions published, you could see this was clearly the case.</p>
<p>What fundamentally worries me is that companies will start to see this as a problem and attempt to &#8216;fix&#8217; it.  This could happen in several ways.  Companies could discourage employees from posting to LinkedIn or offer LinkedIn money to change the perception of their company, or LinkedIn could see it as a business opportunity and offer perception control as a &#8216;service&#8217; to companies.  I hope this will never be the case, but money talks.  I recently saw a tweet about Facebook, but the concept applies to LinkedIn as well:</p>
<blockquote><p>RT @ruv: &#8220;The most important thing to understand abt Facebook is that you are not fb&#8217;s cust, you are its inventory&#8221; via @davehyndman</p></blockquote>
<p>The risk of social networking in this case is we have to trust LinkedIn.  LinkedIn is the control point of this information and we have to trust them to do the &#8216;right&#8217; thing.  While this might seem okay, one only needs to look at the <a href="http://www.eff.org/deeplinks/2010/04/facebook-further-reduces-control-over-personal-information">recent</a> <a href="http://www.eff.org/deeplinks/2010/04/facebook-timeline">happenings</a> at Facebook to understand what can happen when a company gains a clear majority of followers and controls the information.</p>
<p>I do like this stuff though!  Isn&#8217;t behavioural analysis awesome?</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/06/14/linkedin-and-the-new-follow-feature/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Passing an audit does not imply you are secure</title>
		<link>http://michaeldundas.com/2010/05/31/passing-an-audit-does-not-imply-you-are-secure/</link>
		<comments>http://michaeldundas.com/2010/05/31/passing-an-audit-does-not-imply-you-are-secure/#comments</comments>
		<pubDate>Mon, 31 May 2010 22:53:24 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Auditing]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1801</guid>
		<description><![CDATA[I have been reading up on a few of the auditing standards such as COBIT and PCI.   I have dealt with audits at clients in the past.  Financial institutions take them very seriously.  Given the nature of their business and the recent financial crisis last year this approach makes complete sense.
There is a need to [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/02/checkList.png"><img class="alignright size-full wp-image-1534" title="checkList" src="http://michaeldundas.com/wp-content/uploads/2010/02/checkList.png" alt="" width="215" height="143" /></a>I have been reading up on a few of the auditing standards such as COBIT and PCI.   I have dealt with audits at clients in the past.  Financial institutions take them very seriously.  Given the nature of their business and the recent financial crisis last year this approach makes complete sense.</p>
<p>There is a need to ensure audit compliance across the entire banking infrastructure.   From a financial perspective, compliance with the various audits is a must if you wish to stay in business.  Of course, my background is in network security.  Network security is not the same as auditing.   Although I have not met anyone that would say if you pass a particular set of audits you are secure, I have noticed across the audit industry in general there seems to be an unstated understanding that if you do pass audits you are secure or more secure than if you don&#8217;t.</p>
<p>Passing an audit does not mean you are secure.  Here is one simple example of the few I have come across.  One of the audits requires that your entire internal network has address translation from inside to outside.  Effectively, the idea is that if I as an outside user browse to http://michaeldundas.com, that address would appear to the requester as 216.240.0.43.</p>
<p><a href="http://michaeldundas.com/wp-content/uploads/2010/05/clientToServerDirect.png"><img class="aligncenter size-full wp-image-1803" title="clientToServerDirect" src="http://michaeldundas.com/wp-content/uploads/2010/05/clientToServerDirect.png" alt="" width="770" height="254" /></a></p>
<p>From the quick diagram above, you can see how the client thinks that it is directly connected to 216.240.0.43/32, and it is.  Based on the audit requirement of having complete address translation with the untrusted Internet, you would have to configure a device that would convert the IP address the client has, to a different IP address.</p>
<p><a href="http://michaeldundas.com/wp-content/uploads/2010/05/clientToServerNAT.png"><img class="aligncenter size-full wp-image-1805" title="clientToServerNAT" src="http://michaeldundas.com/wp-content/uploads/2010/05/clientToServerNAT.png" alt="" width="782" height="305" /></a></p>
<p>The second diagram shows a router configured with Network Address Translation (NAT) to convert the IP address in both directions.  In this way the client does not know the real IP address of the server.   Any attack that you could do without NAT, you can do even if NAT is there.  Anyone that is active in attacking servers knows this.  It offers no additional security, just extra work.</p>
<p>Auditing does have its place and is necessary.  Complying with audit requirements for many industries is not an option and your staff must understand that.  But don&#8217;t let yourself or your staff be fooled into thinking audits make you more secure.  Audits help but they are not a substitute for good and proper security.   Passing an audit does not mean you are secure.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/05/31/passing-an-audit-does-not-imply-you-are-secure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The wrist watch is dying, yet I still wear one.</title>
		<link>http://michaeldundas.com/2010/05/29/the-wrist-watch-is-dying-yet-i-still-wear-one/</link>
		<comments>http://michaeldundas.com/2010/05/29/the-wrist-watch-is-dying-yet-i-still-wear-one/#comments</comments>
		<pubDate>Sat, 29 May 2010 13:49:03 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Personal Brand]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1786</guid>
		<description><![CDATA[I love wrist watches.  As a kid I had several, a mix of analog and digital.  From about 5 or 6 years of age, I would always be found wearing one of the watches I owned.  Even today, I have 3 wrist watches, a military certified one, a Raymond-Weil, and one given to me by [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/05/breitlingSuperOceanImage2.png"><img class="alignright size-full wp-image-1791" title="breitlingSuperOceanImage2" src="http://michaeldundas.com/wp-content/uploads/2010/05/breitlingSuperOceanImage2.png" alt="" width="324" height="199" /></a>I love wrist watches.  As a kid I had several, a mix of analog and digital.  From about 5 or 6 years of age, I would always be found wearing one of the watches I owned.  Even today, I have 3 wrist watches, a military certified one, a <a href="http://www.raymond-weil.com">Raymond-Weil</a>, and one given to me by a former employer when I left that has their logo on the face.   To this day I still keep abreast of the wrist watch market.  My watches work fine and yet I keep toying with the idea of purchasing a <a href="http://www.breitling.com">Breitling</a>.   I have a passion for the design, attention to detail, precision and expertise this company puts into their products.   Compared with the typical &#8220;get it out the door and fix it later&#8221; approach with many of today&#8217;s companies, what Breitling promotes is refreshing.  While I understand why most technology companies run their businesses with the &#8220;out the door&#8221; approach and the necessity in today&#8217;s market, it makes me feel sad inside.</p>
<p>I just finished <a href="http://www.ted.com/talks/sir_ken_robinson_bring_on_the_revolution.html">watching a Ted presentation</a> by <a href="http://www.sirkenrobinson.com/">Sir Ken Robinson</a>.   It is an informative and entertaining presentation on how the education system of today does not need an evolution.  Instead it requires a revolution.  Much of what he says parallels what <a href="http://www.sethgodin.com">Seth Godin</a> wrote about in <a href="http://michaeldundas.com/2010/03/13/linchpin/">Linchpin</a>.  One of Ken&#8217;s analogies is how our children do not see the point of a wrist watch.  It is a single purpose device that is no longer necessary, but people over the age of 25 typically wear a wrist watch simply because we always have.   I have to admit, I am well over the age of 25 and I still wear one.  I also have a PDA, tweet, blog, and am very current in the latest technology, networks and security.  I don&#8217;t need a wrist watch.  Not only do I still wear one, but I still want a Breitling.  Why?</p>
<p>I love their website.  It is current and artistic, constantly being updated.   It shows you the &#8216;flashy&#8217; look of their products, yet those wishing to obtain technical details of a specific product can do so easily.  It doesn&#8217;t send you to a PDF; technical specifications and flashy displays are all integrated into the site design.  It is well thought out and well designed.  This is important.  It tells the viewer that is how they do everything including how they design their wrist watches.  The design of the site shows their personal brand.  There are lots of videos of their jet team.  You might wonder what a jet team has to do with the wrist watches.  My wife jokingly said &#8220;That is why they have to charge so much for their watches.&#8221;   Just like the design of their website, the videos of the jet team reinforce the Breitling personal brand.  Jet teams flying with accuracy, speed, timing, focus, trust, taking risk.  That is how they make their watches, their website, train their jet team, how they view their trade craft.  How they do everything.</p>
<p>I want a Breitling watch because I like watches and the attributes of the Breitling brand resonate with me. I feel sad sometimes with the &#8220;get it out the door&#8221; approach of many companies, because they ignore what I value.  Precision, speed, timing, attention to detail, trust are attributes I have valued since I was the age of 6.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/05/29/the-wrist-watch-is-dying-yet-i-still-wear-one/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Untrusted devices on a trusted network; Resistance is futile!</title>
		<link>http://michaeldundas.com/2010/05/15/untrusted-devices-on-a-trusted-network-resitance-is-futile/</link>
		<comments>http://michaeldundas.com/2010/05/15/untrusted-devices-on-a-trusted-network-resitance-is-futile/#comments</comments>
		<pubDate>Sat, 15 May 2010 14:06:50 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1771</guid>
		<description><![CDATA[This is probably the biggest &#8216;no no&#8217; in security theory.  Don&#8217;t let an untrusted device onto your network.   Most security professionals know that is an ideal, but not really achievable.  Companies are forced to let  customers connect via the Internet with any system they choose to.  Browsers such as Firefox, Safari, Opera, Internet Explorer; Windows, [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/05/secCheckDamascusGateJerusalem.png"><img class="alignright size-full wp-image-1778" title="secCheckDamascusGateJerusalem" src="http://michaeldundas.com/wp-content/uploads/2010/05/secCheckDamascusGateJerusalem.png" alt="" width="277" height="370" /></a>This is probably the biggest &#8216;no no&#8217; in security theory.  Don&#8217;t let an untrusted device onto your network.   Most security professionals know that is an ideal, but not really achievable.  Companies are forced to let  customers connect via the Internet with any system they choose to.  Browsers such as Firefox, Safari, Opera, Internet Explorer; Windows, Mac, Solaris, Linux for an operating system.  In most cases for the end user shopping it is all acceptable.</p>
<p>In an attempt to mitigate this problem, we use firewalls, Intrusion detection/protection systems (IDS/IPS), and other devices along with design principles to create Zones.  These Zones then have policy applied around them indicating levels of trust to be permitted into a particular zone.  All this is very similar to physical security principles, just stop and think about an airport.</p>
<p>Most large companies apply these theories described above on their internal network as well where they have enjoyed much more control.  Often an organization has a laptop they give you.  It has their chosen Operating System, their selected applications, and is locked down by a policy they have chosen and enforce via Active Directory or some other mechanisms.  Combine this with internal security devices, apply &#8220;Zoning&#8221; and appropriate policy and you feel safe &#8212; you have control of your internal network right?</p>
<p>But there are always the exceptions.  These exceptions represent the outside pressure to change your security stance.  A consultant or vendor is a good example.  In comes a consultant to do an 8 month project.  She needs access to certain aspects of the systems.  Access to employees&#8217; calendars, access to critical systems for the project, external access to the VPN of her own company, external resources on the Internet that are &#8216;blocked&#8217; by your particular policy.  She doesn&#8217;t use Windows, but her own flavor of Linux she created herself.   Taking a security stance you can say no, but that only works for a while.  Eventually a project comes along that is too critical, costs the company a lot of money to complete, and completion means bigger sales.  Now you and the security principles you enforce are perceived as a roadblock to accomplishing a key objective.  Inevitably, you are forced to make an exception.  It is at this point all your hard work is nullified.  Not only that, you lose the respect of others in the organization.  You are seen as an inhibitor, a constant roadblock, a team that no other team wants to deal with.</p>
<p>This problem, which has been around for years, is accelerating and getting worse.  With PDAs, netbooks, iPads, iPhones, and every other network enabled device becoming common for everyone to have, people are going to want to connect them to your corporate network.  You can resist for a while, but resistance is futile.  Like the common consultant example above, you will make exceptions and eventually the number of exceptions will be greater than the non-exceptions.  <a href="http://www.schneier.com/">Bruce Schneier</a> recently commented on this when he was <a href="http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1508484,00.html">interviewed</a> at RSA.</p>
<blockquote><p>More and more companies now have to get used to the fact that people are going to come in with the technologies they want and that is what they are going to use.  So we are going to see a lot more security around connecting random untrusted devices into a trusted network.</p>
<p>When you get to the younger generation, they are not going to work and get a computer that is less powerful than the one they use at home.  They are not going to be given a second cell phone.</p>
<p>&#8220;I&#8217;ve already got a cell phone, I&#8217;ve already got a PDA! &#8230; I&#8217;m not going to use two.&#8221;</p></blockquote>
<p>We need to shift how we design security.  Rather than resist these new devices, we need to design our security on our internal networks and systems so that we can manage the security around these untrusted devices connecting to our networks while allowing these devices to function.  Resisting this will end up just like trying to resist the consultant or vendor: being forced to make an exception, being perceived as the team that is difficult to work with, and losing the respect of your colleagues.  With the number of Android phones, iPhones, iPads, and other portable network devices coming onto the market, the exceptions to most security policies are about to skyrocket.</p>
<p>Is your organization working pro-actively to address, incorporate and manage untrusted devices in your internal network?</p>
<p style="text-align: right;"><a href="http://www.flickr.com/photos/photographycecile/2437035622/"><em>photo credit</em></a></p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/05/15/untrusted-devices-on-a-trusted-network-resitance-is-futile/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why I transitioned out of the telecommunications industry</title>
		<link>http://michaeldundas.com/2010/05/02/why-i-transitioned-out-of-the-telecommunications-industry/</link>
		<comments>http://michaeldundas.com/2010/05/02/why-i-transitioned-out-of-the-telecommunications-industry/#comments</comments>
		<pubDate>Mon, 03 May 2010 00:52:30 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Careers and Recruitment]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1743</guid>
		<description><![CDATA[Now that it is public knowledge that I have accepted a new position in the financial services industry, I have been getting questions from many people on my choice to leave the telecommunications industry.  It has been a decision I have been contemplating for at least 2 years now.  I initiated looking outside the telecommunications [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/05/mobileAndMoney.png"><img class="alignright size-full wp-image-1753" title="mobileAndMoney" src="http://michaeldundas.com/wp-content/uploads/2010/05/mobileAndMoney.png" alt="" width="265" height="397" /></a>Now that it is public knowledge that I have accepted a new position in the financial services industry, I have been getting questions from many people on my choice to leave the telecommunications industry.  It has been a decision I have been contemplating for at least 2 years now.  I initiated looking outside the telecommunications industry back in August 2009.  Technically, I was working for a vendor who provided telecommunications companies with hardware and services, but anyone that works for a vendor will tell you that the goals and beliefs of your customer are your goals and beliefs whether you want them to be or not.  Here are the main reasons I chose to try a different industry.</p>
<p><strong>Telecommunications companies are not concerned about security</strong>, or more specifically their customers&#8217; security.  They are concerned about security that affects their systems or their brand image.  But if you are trying to get them to spend money on technology that will help secure their customers or make the Internet a better place, it is a much more difficult sell.  Basically, unless there is some way it will affect the customer directly or they will look bad if it becomes public or they experience downtime that might tarnish their image, they are not interested.   There are international differences with telecommunications companies and security, but even in these cases you can boil it down to laws or issues that will affect the customer directly in some way.  When they do engage in security, if the telecommunications company can spin it so it looks better for them taking care of their customer, all the better.</p>
<p><strong>The telecommunications industry should be regulated.</strong> Just as gas, hydro, and emergency services are regulated industries, so should the telecommunications industry.  The Internet is an essential service now, for those that disagree I encourage you to go and pull the plug on your Internet service during a peak time and see what happens.   These companies should have simple and clear business objectives.  You deliver bits of information.  Your job is to deliver packets to their destination as quickly and efficiently as possible.  The type of packet or data it contains is not your concern, just deliver it and charge accordingly.  And yes, charging accordingly should be regulated, just like electricity.  I am not suggesting there is not a need to prioritize certain traffic over other traffic, just that the telecommunications companies should not be concerned about that.</p>
<p><strong>They are fighting against becoming a commodity. </strong>When I started at my previous employer, they were easily one of the top in their field and the best at what they did.  There was and still is a great group of people that work there to make that happen every day.  Although there was competition, they were easily the leader.  Move ahead 5 years and there are many players that are as good.   Cisco and Juniper offer comparable feature sets in their existing hardware, and that didn&#8217;t exist before.  From a security perspective, some of their ideas were ahead of their time.  But they have been surpassed in this area now due to increased competition and smaller companies with a focus in specific areas.   The big focus in the industry over the last year or so has been wireless.  While wireless offers many opportunities, the competition is not as it was when broadband became popular.  Lessons learned from broadband will be applied to wireless by everyone.  The playing field is much more level now than it was in the past.</p>
<p><strong>Net Neutrality. </strong>While a recent decision has the market declaring that net neutrality is dead, I <a href="http://www.networkworld.com/columnists/2010/040910johnson.html">don&#8217;t believe</a> <a href="http://news.cnet.com/8301-30686_3-20001886-266.html">it is</a> over.  Rather the fight has just begun.  Personally I feel the way to end the debate is to force everyone to pay for what they use, and regulate the industry and what they can reasonably charge, like other essential services.   Given the increase of encryption, privacy awareness, and detection avoidance practices, the current methods of deep packet inspection will become useless.  A different approach has to be developed.</p>
<p>These are the major reasons for wanting to leave telecommunications for the time being.  I did look at and consider other offers  in the telecommunications field and I may go back someday.  For now I&#8217;ll enjoy watching what happens from a distance.  In my new position, I will still be working with telecommunications carriers and vendors, just as a customer.   Albeit a customer with a lot of experience and knowledge from the other side.  In a future post I will write about my reasons for choosing the financial services industry.</p>
<p>Do you ever consider changing not just your current employer, but an entire industry?   What would make you consider such a switch if at all?</p>
<p style="text-align: right;"><a href="http://www.flickr.com/photos/icephoenix9021/3024886941/">photo credit</a></p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/05/02/why-i-transitioned-out-of-the-telecommunications-industry/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
