Link: Heartbleed update

A quick follow up, back from a few days away.

Huffington Post have a recent update which notes that the OpenSSL vulnerability applies in major products from Cisco and Juniper Networks. They also repeat what’s becoming the consensus on passwords: change your passwords for services which you know were vulnerable but have now been patched. There’s no point in changing a password which might still be at risk.

They reference the Mashable resource on what’s been patched and copy the patched list: Google (and Gmail), Yahoo (and Yahoo Mail), Facebook, Pinterest, Instagram, Tumblr, Etsy, GoDaddy, Intuit, USAA, Box, Dropbox, GitHub, IFTTT, Minecraft, OKCupid, SoundCloud and Wunderlist. A quick look, though, suggests that the Mashable article was a one-off and the list is not being kept updated.

The article also recommends turning off external access to your home network: the sort of capability, for example, that you might use for remote access through LogMeIn, TeamViewer or similar. If you’re not using this kind of facility, disable it. Your firewall should already be holding the line on this.

And check what your Internet provider is doing and the status of your wireless router. Being a BT user, with a BT Home Hub, I tried searching the website for information on Heartbleed but nothing surfaced. It would be nice to know.

Huffington suggests that, at the moment, public WiFi has to be treated as an unknown quantity since you can’t tell what infrastructure they use or whether it’s been patched. BT again doesn’t have any information on the impact of Heartbleed on BT Wifi (Openzone, as was) but it does say that user details are encrypted when you log in to their service. It’s perhaps ironic that they offer free Cisco VPN software, which you can download when connected to one of their hotspots. I didn’t know this. I’ll take it up for my laptop.

I also have an O2 Wifi locator app on my phone. There’s nothing about security on their website. Anyone with other Wifi-finder apps? Please check their sites and post a comment here about what you find.

• The Heartbleed Bug Goes Even Deeper Than We Realized – Here’s What You Should Do, Alexis Kleinman, The Huffington Post, 11 Apr 2014
• Security when using BT’s Wi-fi hotspots, with link to the Cisco offer
• The Heartbleed Hit List, Mashable, 9 Apr 2014
• What to make of Heartbleed? ITasITis, 4 Apr 2014

Apple iPhone: the good and the dodgy

Two reports on Apple this morning, both in the mainstream press.

Earnings have jumped, driven largely by the iPhone. The iPad is doing well, but has fallen back after the big Christmas rush. Apple assert that they have been able to manage the supply chain issues resulting from disruption in Japan (see Japan’s troubles touch the IT economy, 24 Mar), though there will be an effect on revenue; and that demand for the iPad2 is surging.

But reports also assert that the iPxxx poses a challenge to user privacy. The Guardian quotes analysts at O’Reilly Radar, one of InformationSpan’s favourite tech watch sources, who have shown that iOS4 automatically collects location data, stores the results in a file on the device, and replicates it unseen to the “home” computer when synchronised. There’s no opt-in or opt-out. The Guardian say that it has itself ascertained that the iPad also stores these data; and the information is transferred to a new device when the user migrates.

The privacy threat is twofold. First, from the data file: if the device is lost the file is hackable. Second, the data can also be unearthed on the synchronised computer.

O’Reilly says “Don’t panic”. It doesn’t appear that information is transmitted back to Apple. But the Guardian does point out that the iTunes conditions of service include the collection of location data “to improve location-based services”.

People trade privacy for benefit. But it needs to be an informed and active decision. And this is not going to decrease the already burgeoning fears (whether or not justified!) of IT Security professionals at the encroachment of these “unconventional devices” into the hitherto well-regulated corporate space.

• Apple’s iPhone rockets quarterly earnings by 95% to $6bn, Guardian, 21 Apr 2011
• Got an iPhone or 3G iPad? Apple is recording your moves, O’Reilly Radar, 20 Apr 2011
• iPhone keeps record of everywhere you go, Guardian, 21 Apr 2011
• Japan’s troubles touch the IT economy, ITasITis, 24 Mar 2011

Social computing and the enterprise user: something’s missing

Something’s missing from our discussions about social media (and Web 2.0 more generally, and Cloud even more generally).

We often discuss the benefits of user-managed technologies (is that a useful phrase?) and despair of “The answer’s no. Now what’s the question?” from corporate rottweilers. Thought leaders like Euan Semple provide clear case studies and benefit realisation.

That stereotypical response (and no, it’s not always like that in practice) is driven perhaps by two things. A perception that central is better and that the need for control is absolute. And, more in line with the business, a strongly developed sense of risk both to the corporate infrastructure and its data stores, and to potential leakage of intellectual property.

As I’ve commented elsewhere, these reactions are not new. They characterised many companies when email and the Web began to replace newsgroups and FTP networks. But let’s look at more positive scenarios.

Suppose you’re a member of an enterprise research team; you use many external sources of information. Should you create a Googlemail account for these, separate from more specifically workplace-oriented email? What’s the case for? and against?

Suppose you’re a senior international manager, with direct reports in several countries and your own boss in yet another. You have a range of industrial strength collaborative tools at your disposal, but simple desktop videoconferencing isn’t one of them. Some conversations benefit substantially from face to face contact, and your travel budget has been cut. So should you buy a cheap webcam and use Skype on your company computer? Or on your mobile phone? Or from your home computer if Skype is blocked at the firewall? What’s the case for any of these options? Or against all of them?

You’re a marketer. You want to experiment with virtual presence but SecondLife isn’t accessible through the company network. Do you just go and do it from your home computer?

These choices can be made without involving the corporate IT department. Or even in order to circumvent the restrictions of the corporate environment, which might be as simple as lack of bandwidth, as complex as incompatibility with a core company application, or as explicit as the threat of disciplinary action.

But so far as I’m aware there’s little help for responsible users trying to make decisions, or which supportive IT groups might deploy to guide them. Not “can this do the job?” but how to assess terms of use, risk to the organisation, standards, interoperability, unintended consequences … We can ignore cost, I think; these services conform to Euan’s rule that “No-one bothers about ROI if the I is small”.

But take the SecondLife (2L) example and suppose that our user is a genuinely responsible corporate citizen. How far is it reasonable to go?

In her own time at home she creates a private persona in 2L and experiments with what she can do there – learns to walk, sit down, communicate, attend meetings, build property and so on. I don’t think anyone at work would be concerned.

But she then begins to develop ideas for a marketing campaign and wants to keep the credit. She stays home for a couple of days, on her own initiative, and works intensively in 2L. Still on her home computer, and not involving the use of company information. No problem?

Later, her enhanced presence could identify her or the company to those with sufficient information to recognise the clues. The competition, most likely. She forgets to fence off her 2L area with “No entry” barriers. She then discovers that the 2L protocol isn’t actually blocked at the company firewall, so she demonstrates her work to a couple of colleagues through the company network …

Now re-cast the example, but with the latest, newest, unproven, “risky” cloud service in place of SecondLife (which, after all, is getting pretty respectable by now).

The point is this. Our employee is working for the best interests of the company, as she perceives them. But she’s working in a vacuum. There’s no set of guidelines she can consult. And I do mean guidelines, not rules. Not “SecondLife is forbidden”, for example. There might need to be a few like that, but it’s a losing battle of the boil-the-ocean variety.

Here are a quartet of ideas. I’d like to gather yours.

1 – Always look at the terms and conditions when you sign up. Read them with the company’s needs in mind. These are enforceable legal contracts.
2 – Do you lose control over the content which you confide to this system? (Look at Sharing your Content and Information, for example, on Facebook)
3 – How far does the provider claim the right to monitor your traffic? (Most systems at least prohibit explicit or inflammatory content)
4 – Does the service claim access to your computer? (You don’t get a more respectable institution than the BBC; but the early versions of iPlayer operated peer to peer, so they used everybody’s processor cycles and disk storage)

Please contribute, so we can build up a body of advice on this. I look forward to your ideas. And if anyone knows of a body of best practice like this that already exists, I shall be delighted to be corrected!

• Facebook Statement of Rights and Responsibilities
• The Obvious, Euan Semple’s blog (or see my posting Social media Q&A: Euan Semple at Guru Online)

reCaptcha uses one problem to crack another

You’ve heard of Amazon’s Mechanical Turk function call, which provides a software interface to human agents? A call to the Turk offers a task – anything a human might do and a computer can’t, like deciding “Does this image include a face?” – to the community, and acts as agent for any appropriate payment as well.

And you’re familiar too with the grid approach to large scale problems, farming out small components of a task to large numbers of distributed PCs and using their idle cycles to contribute to the task.

One task for the Turk might be interpreting the parts of scanned text which Optical Character Recognition (OCR) software fails to successfully digitise. Some years ago I was involved with scanning in the American Petroleum Institute thesaurus: a very large volume. We had a success rate of about 95%, excellent for those days. But finding and correcting the gaps and mistakes was still a time consuming task.

It appears the New York Times (NYT) is undertaking the digitisation of its archives: with older print material, the success rate can be as low as 80% accuracy.

The Guardian, in its Technology section, reports on a truly innovative approach to this problem which made me shout for joy – because in tackling it, a quite different problem is harnessed and both are solved. Each problem becomes part of the solution to the other. How elegant is that?

Luis von Ahn of Carnegie Mellon University invented the Captcha technique that many online services use to defeat spambots. It’s good, but not entirely effective (watch his online video to see why not). Now, von Ahn has harnessed the NYT’s problem to become part of the Captcha solution, and in doing so is also solving the NYT’s problem. In effect, every user who signs up using the new reCaptcha becomes a Mechanical Turk for the NYT (or the Internet Archive, also being tackled).

von Ahn says he works on “Human Computation, which harnesses the combined computational power of humans and computers to solve large-scale problems”. reCaptcha is a classic of this approach. It will display two “puzzles” from the NYT’s digitisation project. One will be a word whose correct digitisation is already known. The other will be one the software has failed to analyse. Fairly obviously, it’s the first one whose correct interpretation is the key to being permitted to sign up. But when several people have provided the same interpretation of the second, so far unsolved, word then two things happen.

First, it is added to the library of “known” puzzles. This means that the puzzles presented to the users are real puzzles, likely to be far less easy for spambots to solve. After all, it’s already been demonstrated that quality OCR software finds them hard to analyse.

But second, the solution is returned to the NYT project as a presumed correct interpretation of that segment of the scanned text – so the NYT project progresses.
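The control-word-plus-unknown-word scheme just described, as an added simulation that is not von Ahn’s or reCaptcha’s own code: the system grades the visitor only on the word it already knows, records the answer to the unknown word as a vote (but only from visitors who passed the control), and once an assumed number of visitors agree, the word is both promoted to the “known” library and handed back to the digitisation project. Segment ids, the sample words, the visitor behaviour and the consensus threshold are all constructed for the demonstration; a real deployment would also randomise which words are paired and distort the images, which this example leaves out.

```python
from collections import Counter, defaultdict

# Constructed simulation data. The system only knows the control words;
# TRUTH for the unknown segments exists so visitors can be simulated, and
# stands in for what a human reader sees on the scanned page.
KNOWN_WORDS = {"seg-001": "archive", "seg-002": "petroleum"}
UNKNOWN_SEGMENTS = ["seg-101", "seg-102"]
TRUTH = {"seg-001": "archive", "seg-002": "petroleum",
         "seg-101": "thesaurus", "seg-102": "quarterly"}

CONSENSUS_VOTES = 3   # assumed threshold: matching answers needed to promote a word


def normalise(answer):
    """Case and surrounding whitespace are not part of the reading, so fold them away."""
    return answer.strip().lower()


class ReCaptchaSim:
    def __init__(self, known, unknown, consensus=CONSENSUS_VOTES):
        self.known = dict(known)           # segment id -> accepted digitisation
        self.unknown = list(unknown)       # segments the OCR could not read
        self.consensus = consensus
        self.votes = defaultdict(Counter)  # unknown segment -> answer -> count
        self.solved = {}                   # what has been handed back to the archive

    def challenge(self, i):
        """Pair one control word with one unknown word for the i-th visitor.
        Round-robin selection is an assumption for the simulation only."""
        control_ids = sorted(self.known)
        control = control_ids[i % len(control_ids)]
        unknown = self.unknown[i % len(self.unknown)] if self.unknown else None
        return control, unknown

    def submit(self, control_id, control_answer, unknown_id, unknown_answer):
        """Grade the visitor on the control word only. A correct control
        answer is also what makes the unknown answer a trusted vote."""
        if normalise(control_answer) != self.known[control_id]:
            return False                   # visitor fails; their vote is discarded
        if unknown_id is not None:
            self.votes[unknown_id][normalise(unknown_answer)] += 1
            self._promote_if_agreed(unknown_id)
        return True

    def _promote_if_agreed(self, seg):
        answer, count = self.votes[seg].most_common(1)[0]
        if count >= self.consensus:
            self.known[seg] = answer       # now usable as a control word
            self.solved[seg] = answer      # and returned to the digitisation project
            self.unknown.remove(seg)
            del self.votes[seg]


# Constructed visitors: each dict lists the segments that visitor gets wrong.
VISITORS = [
    {"seg-101": "Thesaurus"},   # only capitalisation differs: normalised away
    {},
    {"seg-001": "archvie"},     # mistypes the control word: rejected outright
    {"seg-102": "quartely"},    # misreads the unknown word: outvoted later
    {}, {}, {}, {},
]


def run_demo(visitors=VISITORS):
    """Run the constructed visitors through the scheme and report the outcome."""
    sim = ReCaptchaSim(KNOWN_WORDS, UNKNOWN_SEGMENTS)
    passed = rejected = 0
    for i, mistakes in enumerate(visitors):
        control, unknown = sim.challenge(i)
        c_ans = mistakes.get(control, TRUTH[control])
        u_ans = mistakes.get(unknown, TRUTH.get(unknown, ""))
        if sim.submit(control, c_ans, unknown, u_ans):
            passed += 1
        else:
            rejected += 1
    return {"solved": dict(sim.solved), "passed": passed, "rejected": rejected,
            "still_unknown": list(sim.unknown)}


if __name__ == "__main__":
    print(run_demo())
```

Two design points worth noticing. The vote from a visitor who fails the control word is never counted, which is what stops a spambot from poisoning the archive with guesses; and a word is promoted only on agreement between several independent readers, so a single misreading such as “quartely” above is simply outvoted rather than propagated.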

For me, it’s this synergy of two apparently unrelated puzzle tasks which is the beauty and the elegance of the solution. Who says IT people can’t be creative?!

• Antispam weapon recaptures lost text: The Guardian, 27 Nov 2008
• reCaptcha: look at the Learn More page for uses of reCaptcha (e.g. on your blog)
• reCaptcha’s sister application Mailhide (uses reCaptcha to secure your email address on the web)
• Amazon’s Mechanical Turk
• Luis von Ahn at CMU: click the Video link for a video of a presentation he made at Google (52 minutes)