And in other news, Gunter Ollman joins in the debate as to whether Imperva’s quasi-testing is worth citing (just about) and, with more enthusiasm, whether AV is worth paying for or even still breathing. If you haven’t come across Ollman’s writings on the topic before, it won’t surprise you that the answer is no. If you haven’t, he’s thoughtfully included several other links to articles where he’s given us the benefit of his opinions.

If it’s free, never ever bothers me with popups, and I never need to know it’s there, then it’s not worth the effort uninstalling it and I guess it can stay…

Ollman notes:

In particular there was great annoyance that a security vendor (representing an alternative technology) used VirusTotal coverage as their basis for whether or not new malware could be detected – claiming that initial detection was only 5%.

However, he doesn’t trouble himself to explain why the anti-malware industry (and VirusTotal itself) are so annoyed, or to comment on Imperva’s squirming following those criticisms. Nor does he risk exposing any methodology of his own to similar criticism, when he claims that:

desktop antivirus detection typically hovers at 1-2% … For newly minted malware that is designed to target corporate victims, the rate is pretty much 0% and can remain that way for hundreds of days after the malware has been released in to the wild.

Apparently he knows this from his own experience, so there’s no need to justify the percentages. And by way of distraction from this sleight of hand, he introduces ‘a hunchbacked Igor’ whom he visualizes ‘bolting on an iron plate for reinforcement to the Frankenstein corpse of each antivirus product as he tries to keep it alive for just a little bit longer…’ Amusing enough, I suppose, at any rate if you don’t know how hard those non-stereotypes in real anti-malware labs work at generating proactive detections for malware we haven’t seen yet and multi-layered protection. But this is about cheap laughs at the expense of an entire industry sector that Ollman regards as reaping profits that should be going to IOActive. Consider this little exchange on Twitter.

@virusbtn
Imperva’s research on desktop anti-virus has stirred a fierce debate. @gollmann: bit.ly/XE76eS @dharleyatESET: bit.ly/13e1TJW

@gollmann
@virusbtn @dharleyatESET I don’t know about “fierce”. It’s like prodding roadkill with a stick.

What are we, 12 years old? Fortunately, other tweeters seem to be seeing through this juvenilia.

@jarnomn
@gollmann @virusbtn @dharleyatESET Again just methaphors and no data. This conversation is like trainwreck in slow motion

The comments to the blog are also notable for taking a more balanced view: Jarno succinctly points to VirusTotal’s own view on whether its service is a realistic guide to detection performance, Kurt Wismer puts his finger unerringly on the likely bias of Ollman”s nebulous methodology, and Jay suggests that Ollman lives in a slightly different (ideal) world (though he puts a little more politely than that). But no doubt the usual crop of AV haters, Microsoft haters, Mac and Linux advocates, scammers, spammers and downright barmpots will turn up sooner or later.

There is, in fact, a rational debate to be held on whether AV – certainly raw AV with no multi-layering bells and whistles – should be on the point of extinction. The rate of detection for specialized, targeted malware like Stuxnet is indeed very low, with all-too-well-known instances of low-distribution but high-profile malware lying around undetected for years. (It helps if such malware is aimed at parts of the world where most commercial AV cannot legally reach.) And Gunter Ollman is quite capable of contributing a great deal of expertise and experience to it. But right now, it seems to me that he and Imperva’s Tal Be’ery are, for all their glee at the presumed death of anti-virus, a pair of petulantly twittering budgies trying to pass themselves off as vultures.

David Harley
AVIEN/Small Blue-Green World/Mac Virus/Anti-Malware Testing
ESET Senior Research Fellow

We got new cell phones (mobiles, for you non-North Americans) recently.  In the time since we last bought phones they have added lots of new features, like texting, cameras, email and Google Maps.

This, plus the fact that I am away on a trip right now, and Gloria has to calculate what time it is for me when we communicate (exacerbated by the fact that I never change the time zone on the laptops to local time), prompted her to ask the question above.  (She knows that I have an NTP client that updates the time on a regular basis.  She’s even got the associated clocks, on her desktop, in pink.)

Cell phones, of course, have to know where they are (or, at least, the cellular system has to know where they are) very precisely, so they can be told, by the nearest cell tower, what time it is (or, at least, what time it is for that tower).

Computers, however, have no way of knowing where they are, I explained.  And then realized that I had made an untrue statement.

Computers can find out (or somebody can find out) where a specific computer is when they are on the net.  (And you have to be on the net to get time updates.)  Some Websites use this (sometimes startlingly accurate) information in a variety of amusing (and sometimes annoying or frightening) ways.  So it is quite possible for a laptop to find out what time zone it is in, when it updates the time.

Well, if it is possible, then, in these days of open source, surely someone has done it.  Except that a quick couple of checks (with AltaVista and Google) didn’t find anything like that.  There does seem to be some interest:

http://stackoverflow.com/questions/8049912/how-can-i-get-the-network-time-from-the-automatic-setting-called-use-netw

and there seems to be an app for an Android phone:

https://play.google.com/store/apps/details?id=ru.org.amip.ClockSync&hl=en

(which seems silly since you can already get that from the phone side), but I couldn’t find an actual client or system for a computer or laptop.

So, any suggestions?

Or, anybody interested in a project?

I’ve mentioned before that I use Shaw as my ISP at home.  Right at the moment, they have an advertising campaign that claims they are, or have, Canada’s fastest network.

Now, I’m willing to believe that Shaw is not being deliberately mendacious or misleading.  There is probably someplace, or some part of Shaw’s network, that transfers data faster than other vendors in that area or for that component.

And, I have to admit that, since I am not, generally, a high volume user, even the basic service I have for them is usually sufficient.  In the afternoon and most evenings.

But, right where I am, Shaw can’t seem to get any data moving in the morning.

I first noticed this a few months ago, and spent quite a bit of time contacting Shaw’s generally unhelpful help staff.  This involved them asking me to try a different network cable to the router, or a different computer, or bypassing the router, and checking their speedtest.  (None of which made any difference.)  They finally sent someone around.  The next day.  Of course, by that time the problem had resolved.  But by that time I’d noticed that traffic was only slow in the morning.

So, over the past few months there have been numerous mornings when it has been slow.  I don’t mean just “they promised me speeds up to 5 Mbps and I’m only getting 1.39″ slow, I mean “they promise a minimum of 1 Mbps and their own speedtest is showing 0.02 Mbps and that’s only when it actually completes” slow.  It doesn’t happen every morning, but often enough to see that the pattern is extremely regular, starting about 8:30 am, and trailing off (as in, network speeds start working again) around 11:30 am.

I’ve reported this to Shaw’s technical support, mostly through Twitter, since it takes less time than fighting your way through their phone voice menu tree and it doesn’t matter what reporting method you use, they never do anything anyway.  (Along the way I have learned that the ShawHelp Twitter people have a “Hello $username. If you follow and DM your account info and phone number we can look into it for you” macro, and that, if you submit details about the speeds and the fact that you have tried various configurations, you will receive a “No issues in your area, modem signal is good. Is computer direct to modem or are you using router?” message about 3 or 4 hours later.

It’s been annoying, but I’ve lived with it for a while.  Except that, for the past week and a half, this has now happened every single day.  It is pretty much impossible to do anything in the morning.  This morning was particularly bad: I couldn’t even get the speedtest to run, for the most part.

So, if I suddenly stop posting, you’ll kn()^(*%(&*(&*(&^ NO CARRIER

http://www.sophos.com/en-us/security-news-trends/security-trends/threatsaurus.aspx

Concentrating on malware and phishing, this is a very decent guide for “average” computer users with little or no security background or knowledge.  Three sections in a kind of dictionary or encyclopedia format: malware and threats, protection technologies, and a (very brief but still useful) history of malware (1949-2012).

Available free for download, and (unlike a great many “free” downloads I could name) you don’t even have to register for endless spam from the company.

Recommended to pass around to family, friends, and your corporate security awareness department.

I have been interested in the LOCOG insistence that the 2012 games are the first “social media” games.  (Apparently 2010 didn’t count since the winter Olympics aren’t “real” Olympic games: ancient Greece had no curling sheets, and there were problems using Mount Olympus for the downhill events.)

It’s particularly interesting that so many people are having problems using networking to watch the “first social media games” …

Among other things …

In the wake of the recent account “hacks,” and fueled by the Yahoo (and, this morning, Android) breaches, An outfit called Avalanche (which seems to have ties to, or be the parent company of, the AVG antivirus) has launched https://shouldichangemypassword.com/

They are getting lots of press.

“If you don’t know, a website called ShouldIChangeMyPassword.com will
tell you. Just enter your email—they won’t store your address unless
you ask them to—and click the button that says, “Check it.” If your
email has been associated with any of a large and ever-growing list
of known password breaches, including the latest Yahoo hack, the
site will let you know, and advise you to change it right away.”

Well, I tried it out, with an account that gets lots of spam anyway.  Lo and behold, that account was hacked!  Well, maybe.

(I should point out that, possibly given the popularity of the site, it is pig slow at the moment.)

The address I used is one I tend to give to sites, like recruiters and “register to get our free [fillintheblank]” outfits, that demand one.  It is for a local community site that used to be a “Free-net.”  I use a standard, low value password for registering on remote sites since I probably won’t be revisiting that site.  So I wasn’t completely surprised to see the address had been hacked.  I do get email through it, but, as noted, I also get (and analyse) a lot of spam.

When you get the notification, it tells you almost nothing.  Only that your account has been hacked, and when.  However, you can find a list of breaches, if you dig around on the site.  This list has dates.  The only breach that corresponded to the date I was given was the Strategic Forecasting breach.

I have, in the past, subscribed to Stratetgic Forecasting.  But only on the free list.  (Nothing on the free list ever convinced me that the paid version was worth it.)  So, my email address was listed in the Strategic Forecasting list.  But only my email address.  It never had a password or credit card number associated with it.

It may be worth it as a quick check.  However, there are obviously going to be so many false positives (like mine) and false negatives (LinkedIn isn’t in the list) that it is hard to say what the value is.

No!  I’m *not* asking for validation to join a security group on LinkedIn!

Apparently several million passwords have been leaked in an unsalted file, and multiple entities are working on cracking them, even as we speak.  (Type?)

So, odds are “low but significant” that your LinkedIn account password may have been cracked.  (Assuming you have a LinkedIn account.)  So you’d better change it.

And you might think about changing the password on any other accounts you have that use the same password.  (But you’re all security people, right?  You’d *never* use the same password on multiple accounts …)

Galina Pildush ended her LTE presentation with a very good question:”Who is responsible for LTE security?  Is it the users? UE (User Equipment, handsets and devices) manufacturers and vendors?  Network providers, operators and telcos?”

It’s a great question, and one that needs to be applied to every area of security.

In the SOHO (Small Office/Home Office) and personal sphere, it has long been assumed that it’s the user who is responsible.  Long assumed, but possibly changing.  Apple, particularly with the iOS/iPhone/iPad lines, has moved toward a model where the vendor (Apple) locks down the device, and only allows you certain options for software and services.  Not all of them are produced or provided by Apple, but Apple gets vetting responsibilities and rights.

The original “user” responsibility model has not worked particularly well.  Most people don’t know how to protect themselves in regard to information security.  Malware and botnets are rampant.  In the “each man for himself” situation, many users do not protect themselves, with significant consequences for the computing environment as a whole.  (For years I have been telling corporations that they should support free, public security awareness training.  Not as advertising or for goodwill, but as a matter of self defence.  Reducing the number of infected users out there will reduce the level of risk in computing and communication as a whole.)

The “vendor” model, in Apple’s case (and Microsoft seems to be trying to move in that direction) has generated a reputation, at least, for better security.  Certainly infection and botnet membership rates appear to be lower in Macs than in Windows machines, and lower still in the iOS world.  (This, of course, does nothing to protect the user from phishing and other forms of fraud.  In fact, it would be interesting to see if users in a “walled garden” world were slightly more susceptible to fraud, since they were protected from other threats and had less need to be paranoid.)  The model also has significant advantages as a business model, where you can lock in users (and providers, as well), so it is obviously going to be popular with the vendors.

Of course, there are drawbacks, for the vendors, in this model.  As has been amply demonstrated in current mobile network situations, providers are very late in rolling out security patches.  This is because of the perception that the entire responsibility rests with the provider, and they want to test every patch to death before releasing it.  If that role falls to the vendors, they too will have to take more care, probably much more care, to ensure software is secure.  And that will delay both patch cycles and version cycles.

Which, of course, brings us to the providers.  As noted, there is already a problem here with patch releases.  But, after all, most attacks these days are network based.  Proper filtering would not only deal with intrusions and malware, but also issues like spam and fraud.  After all, if the phishing message never reaches the user, the user can’t be defrauded.

So, in theory, we can make a good case that the provider would be the most effective locus for responsibility for security.  They have the ability to address the broadest range of security issues.  In reality, of course, it wouldn’t work.

In the first place, all kinds of users wouldn’t stand for it.  Absent a monopoly market, any provider who tried to provide total security protection, would a) incur prohibitively heavy costs (putting pressure on their competitive rates), and b) lose a bunch of users who would resent restrictions and limitations.  (At present, of course, me know that many providers can get away with being pretty cavalier about security.)  The providers would also, as now, have to deal with a large range of devices.  And, if responsibility is lifted from the vendors, the situation will only get worse: vendors will be able to role out new releases and take even less care with testing than they do now.

In practical terms, we probably can’t, and shouldn’t decide this question.  All parties should take some responsibility, and all parties should take more than they do currently.  That way, everybody will be better off.  But, as Bruce Schneier notes, there are always going to be those who try and shirk their responsibility, relying on the fact that others will not.

LTE.  Even the name is complex: Long-Term Evolution of Evolved Universal Terrestrial Radio Access Network

All LTE phones (UE, User Equipment) are running servers.  Multiple servers.  (And almost all are unsecured at the moment.)

Because of the proliferation of protocols (GSM, GPRS, CDMA, additional 3 and 4G, and now LTE), the overall complexity of the mobile/cell cloud is growing.

LTE itself is fairly complex.  The Protocol Reference Model contains at least the GERAN User Plane, UTRAN User Plane, and E-UTRAN User Plane (all with multiple components) as well as the control plane.  A simplified model of a connection request involves at least nine messages involving six entities, with two more sitting on the sides.  The transport layer, SCTP, has a four-way, rather than two-way, handshake.  (Hence the need for all those servers.)  Basically, though, LTE is IP, but a fairly complex set of additional protocols, as opposed to the old PSTN.  The old public telephone network was a walled garden which few understood.  Just about all the active blackhats today understand IP, and it’s open.  It’s protected by Diameter, but even the Diameter implementation was loopholes.  It has a tunnelling protocol, GTP (GPRS Tunnelling Protocol), but, like very many tunnelling protocols, GTP does not provide confidentiality or integrity protection.

Everybody wants to the extra speed, functions, interconnection abilities, and apps.  But all the functionality means a much larger attack surface.  The total infrastructure involved in LTE is more complex.  Maybe nobody can know it all.  But they can know enough to start messing with it.  From a simple DoS to DDoS, false billing, disclosure of data, malware, botnets of the UEs, spam, SMS trojans, even run down batteries, you name it.

As with VoIP before it, we are rolling our known data vulnerabilities, and known voice/telco/PBX vulnerabilities, into one big insecurity.

Mobile networks have many disparate types of devices.  You can probably guess what some of them are, or even go to the provider’s store or kiosk and get a list.  But there are going to be more devices out there.  So why not scan the IP addresses on your subnet?

Well, the access points for mobile networks generally don’t allow promiscuous access.  So you may have to go to ARIN and other lists in order to start getting some ranges to check.  You can also check access logs of a Website to find visitors with mobile devices.  (Of course, there is always the NATting that the providers do, not to mention DHCP, and the fact that most mobile devices don’t run servers or services.)

Colin Mulliner, of the Berlin Institute of Technology, did manage to find a fair amount of interesting stuff.  Windows Mobile tended to be a useful source of open ports and services (usually open FTP services on mobile devices).  He also found and was able to identify a number of specialized devices that were identifiable from responses to probes.  Some of the most interesting were mobile access points: connecting to the mobile networks and then providing local wifi for computers.  Others were HTTP servers for surveillance cameras.  (Others were GPS tracking devices which, oddly, had no security against “guest” login  :-)  (Some were smart meters.  With smart meters rolling out here in BC, lets hope they are more secure …)

Possibly of concern was the large number of jailbroken iOS devices.  Many of them still had the default “alpine” password.  (If you hack your own device, you’d better be prepared to secure it.)  This could form the basis of a fair sized worm and/or botnet.  Then again, iOS users aren’t alone here.  An awful lot of people seem to think nothing of creating mobile devices and hooking them up to mobile networks with very little in the way of security.

Scott Kelly, platform architect at Netflix, gets to look at a lot of devices.  In depth.  He’s got some interesting things to say about smartphones.  (At CanSecWest.)

First of all, with a computer, you are the “tenant.”  You own the machine, and you can modify it any way you want.

On a smartphone, you are not the only tenant, and, in fact, you are the second tenant.  The provider is the first.  And where you may want to modify and customize it, the provider may not want you to.  They’d like to lock you in.  At the very least, they want to maintain some control because you are constantly on their network.

Now, you can root or jailbreak your phone.  Basically, that means hacking your phone.  Whether you do that or not, it does mean that your device is hackable.

(Incidentally, the system architectures for smartphones can be hugely complex.)

Sometimes you can simply replace the firmware.  Providers try to avoid doing that, sometimes looking at a secure boot system.  This is usually the same as the “trusted computing” (digital signatures that verify back to a key that is embedded in the hardware) or “trusted execution” (operation restriction) systems.  (Both types were used way back in AV days of old.)  Sometimes the providers ask manufacturers to lock the bootloader.  Attackers can get around this, sometimes letting a check succeed and then doing a swap, or attacking write protection, or messing with the verification process as it is occurring.  However, you can usually find easier implementation errors.  Sometimes providers/vendors use symmetric enryption: once a key is known, every device of that model is accessible.  You can also look at the attack surface, and with the complex architectures in smartphones the surface is enormous.

Vendors and providers are working towards trusted modules and trustzones in mobile devices.  Sometimes this is virtual, sometimes it actually involves hardware.  (Personally, I saw attempts at this in the history of malware.  Hardware tended to have inherent advantages, but every system I saw had some vulnerability somewhere.)

Patching has been a problem with mobile devices.  Again, the providers are going to be seen as responsible for ongoing operation.  Any problems are going to be seen as their fault.  Therefore, they really have to be sure that any patch they create is absolutely bulletproof.  It can’t create any problems.  So there is always going to be a long window for any exploit that is found.  And there are going to be vulnerabilities to exploit in a system this complex.  Providers and vendors are going to keep trying to lock systems.

(Again, personally, I suspect that hacks will keep on occurring, and that the locking systems will turn out to be less secure than the designers think.)

Scott is definitely a good speaker, and his slides and flow are decent.  However, most of the material he has presented is fairly generic.  CanSecWest audiences have come to expect revelations of real attacks.

So, I’m always excited about CanSecWest, and I was yesterday, as I got ready.  I went to do a last minute download of email.  (Yes, the conference provides wireless, and it usually works, after a few initial glitches.  But I like to avoid risks, and I like to have most of my stuff with me on my machine.)

I could pull the email off my main account.  (I have multiple email addresses with Shaw.)  But I couldn’t get any email off the subsidiary accounts.  In order to check if this was some setting gone wrong on my MUA I tried the Web interface.  Same result: I could get at my main account, but not the subsidiary accounts.

Later in the day, at the conference, I was able to access all the accounts.  But I found that, while my main account was still accessible though the original interface, suddenly all the others were using a new “Webmail 2.0.”

I thought this was kind of odd, so I reported this to Shaw through their “ShawHelp” account on Twitter.  You can’t explain a lot in 140 characters, so we passed a few “direct messages” back and forth.

I have previously mentioned that Shaw’s support is not the best, and their attitude to security could use some work.  (As a side result of this, a friend has provided me with an emergency proxy for outbound email.  I tried it this morning, and, unlike Shaw, which requires that you be on their network before you get access to your email, it works from CanSecWest.)  So I shouldn’t have been shocked when I got a message from ShawHelp saying … well, let me quote it:

“Not seeing issues with either of them. You can’t log into cissp? What is password so we can take a look? ^LL”

I had forgotten this.  In the old days, when I stilled tried to call Shaw support when I had a problem, I frequently got asked for my password.  Since I won’t give them my password (what do you think I am, a normal user?), that usually ended any attempt on their part to deal with the problem.

So, here we are, some years later, and Shaw is still asking their customers for passwords.  How many years have we been telling people, “customer support will never ask you for your password”?

On a very slightly positive note, I can say that, two months after they announced it, the Shaw Wifi AP in Lynn Valley is finally operating.

(I suppose I shouldn’t bash too hard on Shaw.  Their tech support and security is abysmal, but the service only goes down about once a quarter.  The other day I was at the barbershop.  They are putting in service through the other major provider in our area, Telus.  Telus’ initial installation had only given them partial access, so they called in Telus’ support.  The support tech managed to shut off access completely, and had been coming back, sporadically, for over a week, without success.)  (Yes, I did manage to get them partial access back …)

This sums up everything that is wrong with the “password policy” theme. From the t-mobile web site:

There is no way any reasonable person can choose a password that fits this policy AND can be remembered (note how they are telling you that you CANNOT use special characters. So users now have to bend according to the lowest common denominator of their bad back-end database routine and their bad password policy).

I’m sure some high-paid consultant convinced the T-MO CSO that stricter password policy is the answer to all their security problems. Reminds me of a story about an air-force security chief that claimed 25% increase in security by making mandatory password length 10 characters instead of 8, but I digress.

Yes, I know my habitat. No security executive ever got fired for making the user’s experience more difficult. All in the name of security. Except it’s both bad security and bad usability (which, incidentally, correlate more often than not, despite what lazy security ‘experts’ might let you believe.

I’ve ranted about this before.

It seems like nowadays China is the immediate suspect when it comes to hacking attempts or cyber espionage. It’s therefore interesting to know that they are suffering from as much internal attacks as anyone else.

The ‘cyber security china 2012′ is organized with ISC2, which is typically a good indicator for interesting speakers and content (at least, that’s been my past experience in other countries). The description shows that the Chinese are worried about the same things we all are:

With support from Ministry of Public Security  of  China,  and  working  with  ISC2, ITU-IMPACT and  ISFS Hong kong, Cyber Security China 2011  is successfully organized in March 24-25 in Shanghai, China.  The  2011  event convened 130+ delegates from global and local cyber security authorities, government, law enforcement  agencies, users  and  security  vendors,  and  mainly  explored  the solutions  against  evolving cyber  threats  and  attacks,  and how to fight the  cyber crimes through public-private-partnership.

More information here.

BKABVCLD.RVW   20110323

“Above the Clouds”, Kevin T. McDonald, 2010, 978-1-84928-031-0,
UK#39.95
%A   Kevin T. McDonald
%D   2010
%G   978-1-84928-031-0 1-84928-031-2
%I   IT Governance
%O   UK#39.95
%O  http://www.amazon.com/exec/obidos/ASIN/1849280312/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1849280312/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1849280312/robsladesin03-20
%O   Audience n+ Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   169 p.
%T   “Above the Clouds: Managing Risk in the World of Cloud Computing”

The preface does a complicated job of defining cloud computing.  The introduction does provides a simpler description: cloud computing is the sharing of services, at the time you need them, paying for the services you need or use.  Different terms are listed based on what services are provided, and to whom.  We could call cloud computing time-sharing, and the providers service bureaus.  (Of course, if we did that, a number of people would think they’d walked into a forty-five year time-warp.)

The text is oddly structured: indeed, it is hard to find any organization in the material at all.  Chapter one states that the cloud allows you to do rapid prototyping because you can use patched operating systems.  I would agree that properly up-to-date operating systems are a good thing, but it isn’t made clear what this has to do with either prototyping or the cloud.  There is a definite (and repeated) assertion that “bigger is better,” but this idea is presented as an article of faith, rather than demonstrated.   There is mention of the difficulty of maintaining core competencies, but no discussion of how you would determine that a large entity has such competencies.  Some of the content is contradictory: there are many statements to the effect that the cloud allows instant access to services, but at least one warning that you cannot expect cloud services to be instantly accessible.  Various commercial products and services are noted in one section, but there is almost no description or detail in regard to actual services or availability.

Chapter two does admit that there can be some problems with using cloud services.  Despite this admission some of the material is strange.  We are told that you can eliminate capacity planning by using the cloud, but are immediately warned that we need to determine service levels (which is just a different form of capacity planning).  In terms of preparation and planning, chapter three does mention a number of issues to be addressed.  Even so, it tends to underplay the full range of factors that can determine the success or failure of a cloud project.  (Much content that has been provided previously is duplicated here.)  There is a very brief section on risk  management.  The process outline is fine, but the example given is rather flawed.  (The gap analysis fails to note that the vendor does not actually answer the question asked.)  SAS70 and similar reports are heavily emphasized, although the material fails to mention that many of the reasons that small businesses will be interested in the cloud will be for functions that are beyond the scope of these standards.  Chapter four appears to be about risk assessment, but then wanders into discussion of continuity planning, project management, testing, and a bewildering variety of only marginally related topics.  There is a very terse review of security fundamentals, in chapter five, but it is so brief as to be almost useless, and does not really address issues specifically related to the cloud.  The (very limited) examination of security in chapter six seems to imply that a good cloud provider will automatically provide additional security functions.  In certain areas, such as availability and backup, this may be true.  However, in areas such as access control and identity management, this will most probably involve additional charges/costs, and it is not likely that the service provider will be able to do a better job than you can, yourself.  A final chapter suggests that you analyze your own company to find functions that can be placed into the cloud.

Despite the random nature of the book, the breadth of topics means it can be used as an introduction to the factors which should be considered when attempting to use cloud computing.  The lack of detail would place a heavy burden of research and work on those charged with planning or implementing such activities.  In addition, the heavily promotional tone of the work may lead some readers to underestimate the magnitude of the task.

copyright, Robert M. Slade   2011     BKABVCLD.RVW   20110323

And, once again, Shaw has cut off my outbound email.  For no reason that I can determine.  This time tech support aren’t even answering messages.

Maybe I should make the point that if I can’t answer my email, I have more time to blog about their lousy service …