Tuesday, January 25, 2011

How to Regulate Software Security


In the 1960s and early 1970s, my father worked in JC Penney's quality assurance (QA) department. In those days, JC Penney evaluated and tested the products it sold.

After we moved from New York City out to Suffolk County, Long Island, my father decided to forgo the commute on the Long Island Rail Road and went to work locally at Underwriters Laboratories (UL), which specializes in independent safety certification.

Growing up, I learned a lot about the importance of QA in manufacturing. After all, you can't know everything about everything, so it's nice to have a professional looking out for your safety.

The Emergence of Consumerism
As new industries emerged during the Twentieth Century, there arose a need for independent organizations to evaluate the suitability of third-party products. A similar requirement now exists for the software industry, where third parties need to evaluate software for security. However, these organizations cannot also sell the solution to the problems they discover.

These third parties would evaluate software in ways similar to how current private (Consumer Reports, BBB, UL, etc.) and public (FDA, EPA, FAA, etc.) organizations evaluate cars, planes, businesses, drugs, etc.

Regulating Innovation
But, software is too innovative to regulate.
That's what was said about the automobile industry more than 80 years ago. Today, NHTSA provides a meaningful safety rating system with 90% of cars receiving at least four out of five stars.

Walled Garden
But, closed systems take power from the user.
This is exactly what was said to ADM Grace Hopper when she developed the first library of mainframe software routines in the early 1950s. However, over time, more and more users are consumers, not programmers.

It's important to keep in mind that a regulated system does not have to be closed. Car owners are free to modify their cars, but very few actually do that. Nearly all consumers, these days, opt for a car and engine made by the same manufacturer and rarely look under the hood.

With power comes responsibility: if software engineers really wanted all the power and responsibility possible, they'd be programming in assembly language and forgoing higher-level languages and operating systems.

App Store
The Apple App Stores for Mac OS X and iOS are a small step in the right direction. Over the years, we've come across software from independent developers and asked ourselves, "Do I trust this app enough to download and install it?" Having a credible App Store is a good first step to building trust in both the product's quality and the financial transaction.

Nowadays, we don't dig too deep into safety when it comes to driving a car, flying on a plane, or driving over a bridge. The system works because we trust it.

Independent Evaluation
The next step would be independent organizations that evaluate software (including websites) for security.

Steps have already been taken to evaluate how companies store payment data, collected by websites, using the PCI Compliance standard.

An oversimplified sample of questions that could be answered in the evaluation would be:
How is my private information stored (is it encrypted)?
How does it communicate over the Internet?
What information is transferred?
Does it use third party open or closed software libraries?

For server software, metrics could be used such as determining how many transactions can be processed within a given time to size up the load it can handle. Of course, the transaction details would need to be specified so that others can reproduce them. Publishing how much load a server can handle is no different than publishing how much load a crane can hold.

The criteria for the evaluation are important, but it's up to each independent organization to develop its own standards for competitive reasons.

In the end, the evaluation would sum up the software quality using a rating system. Most people, when reviewing cars, look at the star ratings for the specific vehicles that pique their interest and then dig into the details of the review.

Simply because an application receives, for example, one star doesn't mean that the government needs to intervene. We have plenty of "one star" software on the market today; it's just a matter of giving consumers enough information so that they can evaluate the big picture.

Monday, January 24, 2011

Please make a voice call to 911.

"Please make a voice call to 911. There is no text service to 911 available at this time."

If you have your Facebook account tied to your Verizon cell phone, then you may have repeatedly received this message tonight.

Neither the news nor bloggers have reported this incident, but the Twittersphere is buzzing with complaints about it. I'm betting that it's a bug in Verizon's cell phone network as they get ready to roll out the iPhone.

In the meantime, your best bet to stop the repeated text messages is to log into your Facebook account and remove your cell phone number.

Sunday, January 23, 2011

InTrade Futures Contract to Hedge Against Steve Jobs' Departure from Apple

Yesterday, I contacted InTrade and asked them if they'd consider creating a contract to hedge against Steve Jobs' departure as CEO of Apple.

Less than 24 hours later, InTrade replied: "Thanks for your suggestion. A market for Steve Jobs to depart as CEO of Apple has now been listed".

These futures contracts are not valid, though, if Steve Jobs dies before he steps down. Why not? InTrade goes on to explain, "We are very reluctant to list a market where people can profit from the death of an individual."
Very classy, InTrade, very classy.

The thinking, here, is that Steve Jobs would step down before he became too sick to lead Apple.

Following a Spammer's Trail



Yesterday, a friend posted an odd message to my Facebook wall. As soon as I read it, I realized that her account was hijacked, probably by visiting a nefarious website.

This can happen when you click on a link that takes you to a website while you're still logged into Facebook. The nefarious website then exploits a vulnerability in your web browser and posts something to Facebook on your behalf.

I decided to follow the trail. It started with a post that took me to allfreeipad.com (to be on the safe side, don't visit these websites).

AllFreeiPad.com redirected my web browser to www.ipadfree4me.com, which led me to www.ipadfree4me.com/freeipad.htm.

This is where things got interesting, at least from a technical point of view. Most people know that you can view a web page's HTML source code to see its details (View -> Page Source). This is the first step to finding out where and how a web page was created, and the source code is almost always human-readable unless someone is trying to hide something. Instead of normal HTML, the actual source of this page is JavaScript that has been encoded (escaped).



This is what you get if you decode (unescape) the JavaScript:



This escaped JavaScript tells your web browser to create an HTML frame and display the contents of elitesiteemporium.com/ipad-for-testers/?mn=54321.
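The decoding step described above can be done offline, without letting a browser run the script. The following is an added example (not code from the post or from any of the sites it names): a small decoder for escape()-style JavaScript that reports any frame targets and document.write/eval calls it finds. The encoded sample and the example.invalid URL in it are constructed placeholders, not the actual page content.

```javascript
// Added example, not from the original post. Decodes legacy escape()-style
// JavaScript (%XX and %uXXXX sequences) offline and reports any frame
// targets and document.write/eval calls it finds, so the hidden redirect
// can be read without running the script in a browser.

// Constructed sample: an escape()-encoded document.write of an iframe.
// The host is a placeholder (example.invalid), not a domain from the post.
const ESCAPED_SAMPLE =
  'document.write%28%27%3Ciframe%20src%3D%22http%3A//example.invalid/' +
  'ipad-for-testers/%3Fmn%3D00000%22%20width%3D%22100%25%22%20height%3D' +
  '%22100%25%22%20frameborder%3D%220%22%3E%3C/iframe%3E%27%29%3B';

// Equivalent of the legacy unescape(): %uXXXX -> UTF-16 code unit,
// %XX -> byte value. Anything else is copied through unchanged.
function unescapeLegacy(text) {
  return text.replace(/%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})/g,
    (match, u, b) => String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Pull the src= attribute from every <frame>/<iframe> tag in the decoded script.
function findFrameTargets(decoded) {
  const targets = [];
  const re = /<i?frame\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(decoded)) !== null) targets.push(m[1]);
  return targets;
}

// Decode one layer at a time: some loaders escape the payload more than once.
// Stops when decoding no longer changes the text or after maxLayers. Note that
// a URL containing a literal %20 in the decoded text would also be decoded
// again, so the layer count is a hint, not proof of nesting.
function analyzeEscapedScript(escaped, maxLayers = 5) {
  let decoded = escaped;
  let layers = 0;
  while (layers < maxLayers) {
    const next = unescapeLegacy(decoded);
    if (next === decoded) break;
    decoded = next;
    layers += 1;
  }
  return {
    layers,
    decoded,
    frameTargets: findFrameTargets(decoded),
    usesDocumentWrite: /document\.write\s*\(/.test(decoded),
    usesEval: /\beval\s*\(/.test(decoded),
  };
}

// Stand-alone run: print the report for the constructed sample.
const sampleReport = analyzeEscapedScript(ESCAPED_SAMPLE);
console.log(`decoded through ${sampleReport.layers} layer(s)`);
console.log('frame targets:', sampleReport.frameTargets);
console.log('document.write:', sampleReport.usesDocumentWrite,
            'eval:', sampleReport.usesEval);
```

The report for the sample shows one decoded layer, a single iframe target and a document.write call, which is the pattern the post describes: the page's only job is to frame a different site.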

After all these hops, you're now at elitesiteemporium.com. This domain's registration is private, so you can't see who actually owns it, but its IP address (92.241.169.14) reveals that it's located in Russia. However, this isn't the end of the line; after a few more hops, you'll end up at a web page that wants you to enter your e-mail address so that they can send you a free iPad.

The trail ends at yourrewardinside.com's servers (IP address 204.51.78.152) running on a network leased to MPC Systems LLC which could be based in Delaware or perhaps Texas, depending who you ask.

Keep in mind that there are two parties (confederates) involved in this scheme. They could be unrelated, but that's usually not the case. One party created the nefarious web page that posted its message to your Facebook wall without your knowledge, and the second party is located at the destination website (yourrewardinside.com), which claims that it will give you an iPad for the low (free) price of your e-mail address.

I wouldn't recommend giving them your e-mail address.

Thursday, January 20, 2011

Privacy Concerns on Twitter?

Is it really necessary for Twitter to put my cell phone number and e-mail address in the HTML source code, in the clear?

To see your cell phone number and e-mail address, log into your Twitter account and then view an individual tweet. For example, view this tweet's source code and search for "Init CurrentUser Method":



Usually, sensitive information like this is encoded in a cookie. The cookie can change the information it encodes from time to time (for example, each time you log in). However, I can't change my cell phone number if it's compromised.
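A site can catch this kind of leak before it ships by scanning its own rendered pages for personal data inside inline scripts. The following is an added example (not code from the post or from Twitter): a check that pulls every inline script body out of an HTML response and reports e-mail addresses and phone numbers found there. The sample page, the "Init CurrentUser Method" marker and the user data values are constructed for the example.

```javascript
// Added example, not from the original post: a pre-release check that scans
// an HTML response for e-mail addresses and phone numbers embedded in inline
// <script> blocks, which is the kind of exposure described above.

// Constructed sample page. The comment mirrors the marker mentioned in the
// post; the screen name, e-mail address and phone number are made up.
const SAMPLE_HTML = `<!DOCTYPE html>
<html><head><title>tweet</title>
<script type="text/javascript">
  // Init CurrentUser Method
  var currentUser = { screen_name: "example_user",
                      email: "example_user@example.com",
                      phone: "+1 555 010 0199" };
</script>
</head>
<body><p>Contact us at support@example.com</p></body></html>`;

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// Loose phone pattern: optional +, a digit, 7 to 13 digits/separators, a digit.
const PHONE_RE = /\+?\d[\d\s().-]{7,13}\d/g;

// Return the body of every inline <script>; scripts loaded via src= have
// an empty body and are skipped (their content is scanned elsewhere).
function inlineScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim().length > 0) bodies.push(m[1]);
  }
  return bodies;
}

// Only script bodies are checked: a support address in visible body text is
// intentional, while user data inside a script usually is not.
function findPiiInScripts(html) {
  const findings = [];
  inlineScripts(html).forEach((body, index) => {
    for (const email of body.match(EMAIL_RE) || []) {
      findings.push({ script: index, kind: 'email', value: email });
    }
    for (const phone of body.match(PHONE_RE) || []) {
      findings.push({ script: index, kind: 'phone', value: phone.trim() });
    }
  });
  return findings;
}

// Stand-alone run: list what the sample page exposes in its scripts.
for (const f of findPiiInScripts(SAMPLE_HTML)) {
  console.log(`script #${f.script}: ${f.kind} -> ${f.value}`);
}
```

Run against the sample, the check reports the e-mail address and phone number from the script block and ignores the support address in the page body. In practice this would run against a logged-in fetch of each page template in a staging environment, since the leak only appears once a user is authenticated.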

Wednesday, January 19, 2011

Jerry York's Ethics

The late, great, Jerry York has received some attention this past week.

When I worked at Apple, I had the opportunity to have one-on-one phone calls and exchange e-mails with Mr. York regarding non-Apple business. During our first phone call, he was adamant that I review Apple's ethics policies to ensure that our conversations wouldn't jeopardize my job at Apple (it was a non-issue, since there was no conflict of interest, and he agreed).

Service Academy Networking
Jerry York graduated from West Point (USMA '60) and he would always make the time to take a business call from another Service Academy graduate. An Annapolis classmate of mine pointed me towards Mr. York after the two had spoken about a year earlier.

My first phone call with Mr. York was scheduled for half an hour, but it lasted about 45 minutes. I called him at his home in Michigan and, during our conversation, his wife came home. He very politely excused himself for a minute or two to talk to her and I was struck by how pleasant he seemed as I could hear the beginning of his conversation with his wife.

Off the Record
So, why would Mr. York go off the record with Doron Levin? Part of the reason may have simply been privacy. How much privacy does someone deserve? Every life threatening disease is a very personal issue. Some people don't want a soul to know about it while others broadcast it over the Internet. Mr. York may have realized, as soon as he mentioned Steve Jobs' undisclosed trip to Switzerland, that it wasn't for public consumption.

Additionally, I think that Mr. York felt conflicted (to put it lightly) about Steve Jobs' lack of transparency regarding his illness since he had considered resigning from Apple's board over the disclosure of this information. While Apple's shareholders may want to be aware of these facts, regardless of Steve Jobs' privacy concerns, it would certainly give a competitive advantage to Apple's competitors. I'm sure one could argue that the shareholders also want to know what future products Apple has in its pipeline since that, too, will affect Apple's stock price.

AAPL Competitive Advantage
While competitive advantage concerns may seem like a stretch, the ideal outcome, from Apple's point of view, would have been if no information regarding Steve Jobs' health leaked out. This is exactly what happened in 2004, when Steve Jobs was first diagnosed and treated for cancer, which wasn't disclosed until immediately after his surgery; and, at the end of 2004, Apple's stock price took off on its current rocket ride through its all-time high, previously set in 2000.

As an Apple shareholder, I, too, want to know just how sick Steve Jobs currently is. However, I have to pause, for a moment, and wonder: Had the news of Steve Jobs' cancer been revealed in early 2004, as soon as it was discovered, would the stock price have begun its climb to where it is now?

But, perhaps this type of thinking is too Machiavellian.

Tuesday, January 18, 2011

Simplifying AWS S3 Bucket Sharing

The problem with sharing buckets on Amazon's S3 is that it's too complicated for the casual user.

I have yet to see a simpler way to share a bucket on S3 other than the technique outlined in the link, above, but I envision a "Share my bucket" link on a web page which, when clicked, pops up the following widget:



When the user clicks the Share Bucket button, the user's web browser would communicate directly with AWS to share the bucket. The fact that the Secret Access Key is not stored by the third party's (developer's) server is important for this to work and be trusted.

AJAX Limitations
Of course, this technique may require a little AJAX finessing since browsers only allow an XMLHttpRequest back to the server host name, port, and protocol from where the web page originated. So, the web app developer may need their own web server (e.g. Apache with its rewrite engine) to proxy the XMLHttpRequest.

Added Security
Also, for added security, the developer should be able to create a new pair of AWS Access Credentials, since up to two can be created at one time. Then, once the bucket is shared, the developer can delete the Access Credentials used for sharing the bucket.
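The post links to an ACL-based technique for sharing a bucket; S3 also supports a bucket policy attached to the bucket itself, which is the form a "Share my bucket" widget would most naturally generate. The following is an added example (not the post's code and not an AWS sample): a builder for a least-privilege policy that grants one or more other AWS accounts read access to a single bucket, plus an audit function that flags the settings which turn "share with a friend" into "share with the world". The bucket name and account IDs are made-up placeholders.

```javascript
// Added example, not the post's own code or an AWS sample. Builds a
// least-privilege S3 bucket policy that grants other AWS accounts read
// (optionally write) access to one bucket, and audits a policy for the
// settings a reviewer should reject before it is attached.

// Build the policy. accountIds are the 12-digit IDs of the accounts being
// granted access; the values used in the stand-alone run are placeholders.
function buildBucketSharePolicy(bucket, accountIds, { allowWrite = false } = {}) {
  const principals = accountIds.map((id) => `arn:aws:iam::${id}:root`);
  const objectActions = ['s3:GetObject'];
  if (allowWrite) objectActions.push('s3:PutObject');
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Sid: 'ListSharedBucket',
        Effect: 'Allow',
        Principal: { AWS: principals },
        Action: ['s3:ListBucket'],
        Resource: `arn:aws:s3:::${bucket}`,      // listing applies to the bucket
      },
      {
        Sid: 'SharedObjectAccess',
        Effect: 'Allow',
        Principal: { AWS: principals },
        Action: objectActions,
        Resource: `arn:aws:s3:::${bucket}/*`,    // object actions apply to keys
      },
    ],
  };
}

// Normalise the Principal element to a list of principal strings.
function principalList(principal) {
  if (principal === '*') return ['*'];
  if (principal && principal.AWS !== undefined) return [].concat(principal.AWS);
  return [];
}

// Findings a reviewer would want before the policy is attached:
// anonymous access, wildcard actions, and grants that let the other party
// rewrite the permissions themselves.
function auditBucketPolicy(policy) {
  const findings = [];
  for (const st of policy.Statement) {
    if (st.Effect !== 'Allow') continue;
    const principals = principalList(st.Principal);
    const actions = [].concat(st.Action);
    if (principals.includes('*')) {
      findings.push(`${st.Sid}: grants access to anonymous (public) principal`);
    }
    if (actions.some((a) => a === '*' || a === 's3:*')) {
      findings.push(`${st.Sid}: wildcard action`);
    }
    if (actions.some((a) => /^s3:Put(BucketAcl|BucketPolicy|ObjectAcl)$/.test(a))) {
      findings.push(`${st.Sid}: allows the grantee to change permissions`);
    }
  }
  return findings;
}

// Stand-alone run with placeholder values.
const sharePolicy = buildBucketSharePolicy('example-shared-bucket', ['111111111111']);
console.log(JSON.stringify(sharePolicy, null, 2));
console.log('audit findings:', auditBucketPolicy(sharePolicy));
```

The builder deliberately hands out only ListBucket and GetObject (PutObject on request) and never the ACL or policy-changing actions, so the recipient can read the shared data but cannot widen the grant; the audit catches the two mistakes most often seen in hand-written policies, a `"Principal": "*"` and an `s3:*` action.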

Monday, January 17, 2011

Apple's Human Interface Guidelines

I was at Apple's Worldwide Developers Conference (WWDC), in 2004, when Apple announced a subtle change to their UIs. Specifically, Apple announced that they were going to begin branding search fields with rounded corners, instead of the square corners found on regular text fields.


This change is not a big deal, and it works well since people are already familiar with text fields. Also, most people won't even notice the difference between square and rounded corners. More important is the fact that Apple announces and documents its UI design changes.

Human Interface Guidelines
It's been ten years since Apple launched Mac OS X. A key philosophy that's kept the Macintosh user experience consistent, regardless of whether an application was developed by Apple or a third party, is their Human Interface Guidelines (HIG).

A quick glance at the HIG shows how Apple explains each detail of UI design. Of course, developers are free to deviate from the HIG. But, since most developers tend to create things that are "engineer ugly", they're usually more than happy to follow these guidelines.

Friday, January 14, 2011

Kudos From Dave Winer

I know that I'm bragging (yet again), but I'm honored that Dave Winer has been talking up some Internet tricks that I've used over the years related to DNS and Amazon Web Services.

Dave is the co-creator of RSS, he's a pioneer in blogging and podcasting, and, among other things, he's currently a visiting scholar at NYU.

Dave and I first connected about two years ago.


This past week, I received three great mentions from Dave:

1. Connecting reallysimple.org to Twitter

2. How to share a bucket on S3

3. Why bucket-sharing is important

Thanks for the credit, Dave!

Tuesday, January 11, 2011

American Health Care. Is it Un-American?



Yesterday, I spent about ten hours as a visitor (not a patient) at a hospital emergency room (ER). During that time, I heard a good number of stories. Several members of the staff told me that, for some reason, they'd been swamped since the New Year with three to six hour ER wait times for their patients. But, during my visit, I heard, first hand, the story of one patient which stood out as a symbol of our out-of-control health care costs.

Can't Breathe in Japan
A young man who was admitted with a breathing problem was very pleasant until the nurse started explaining how much his ER visit would cost.

He was genuinely shocked when he was informed that his visit would cost $750, based on the hospital's flat rate level for a person in his unemployed and uninsured financial situation. He was told that this amount was a big savings when compared to an insured patient's billing. As the nurse started to explain how the costs would be billed he kept nervously interrupting her to say, "$750 is too much to charge a person to be treated".

His breathing problems began as a result of sleeping in a dusty and moldy apartment when he was in Japan, several weeks ago. He told the nurse that his hospital visit in Japan cost only $15, which also included a medical inhaler that was provided to him and instructions to stop working out for a few weeks. That treatment was working well, until the last day or so.

The young man told the nurse that he had no income, since he was unemployed, and that his hospital bill would probably end up being referred to collections. The nurse told him that, in order to qualify for any of the hospital's flat rate, reduced cost, plans, he'd have to leave a token deposit. His question, "How much do you need?" was literally answered with, "How much do you have?"

He dug around and gave her all the cash he had in his pocket: $7. Obviously, this American, who was a very fit and healthy young man, received a rude awakening to our country's health care costs.

O Canada, I'm Having a Heart Attack
Last Memorial Day, while visiting Canada, Guy Kawasaki had symptoms that mimicked a heart attack. A trip to a Canadian emergency room cost him a grand total of $853.04 with a final diagnosis of pneumonia. Guy said that his bill was about $9,000 less than he expected for his visit which included three ECGs, one blood test, one chest x-ray, two aspirins, and a few hits of nitro.

Congress, Security, and Health Care
I have no doubt that Representative Giffords is alive, after this past weekend's shooting, due to America's outstanding and world-leading health care. But, does our health care have to cost as much as it does? More than $750 just to walk into an American emergency room, versus $15 in Japan, or $853 in Canada for a complete ER heart attack symptom workup.

While these two examples of ER visits are cherry picked, they still represent the actual costs paid by any foreign national in the respective countries. Costs paid by local nationals would actually be less.

I'm sure that personal security is foremost on Congress's mind in the wake of this past weekend's shooting. We all hope that this shooting is a one-time incident, and the odds are very good that it is. Only one member of Congress has ever been assassinated in the line of duty: Congressman Leo Ryan was assassinated at Jonestown, Guyana on that fateful day in 1978 when more than 900 people drank the Kool-Aid.

But, once decisions are made regarding the security of Congress, I hope they can bring some sanity to health care costs. I'm not asking for socialized medicine (or, maybe I am, depending on your definition), but $25 for an aspirin is obscenely excessive. Do we begin with the health care providers, the health care insurance companies, the malpractice insurance companies, or our legal system? Or, do we just surrender, chalk it up as "too hard", and accept the status quo?