Tuesday 27 October 2009

Once Again We Bid Farewell to a Beloved Cat! RIP Gwen

Here we are again on a sad day for our beloved pets. Just shy of 19 years but going on a thousand (she aged with grace all the while being the grumpiest sod on earth), Gwendoline was bidden a fond farewell today (2009-10-27) with great hesitation but compassion. The time had come to pass, as Gwen's health had been seriously degrading over the past few days...
[Image: Gwen Eating a Cookie]

We had been hesitating for a while as she kept pinging back to a pseudo state of well-being. Our running joke was that she would outlive us all, or at least her cat siblings, out of pure jealousy and spite. But yesterday, her mother and I realised that her health had taken a big fat slap in the face, which was confirmed by the vet this morning (very little to do, and it would only help her for a couple of days), as with advanced age comes the slow deterioration of critical body functions like bowel, bladder & mind. So this morning around 10:00, Gwendoline drifted off to a better place!

There are fond memories of Gwen as she has always been very close to both of us despite her innate jealousy of all other cats (except Mogwai)! At one point she was even jealous of our own relationship and was quickly renamed my second wife as she would force herself between us in bed.
[Image: Majestic Gwendoline]

Overall, however, she seriously preferred her mother and as she grew older became a permanent appendage on her arm. She did love us greatly and continuously demonstrated her affection toward us all.



Gwen will be remembered as the much loved jealous queen of the manor! ;-)

Farewell and R.I.P.


PS: don't worry, life goes on; the populace was augmented just last week with one female black entity (Beauty - the basement cat).

Wednesday 30 September 2009

Thus Begineth a New Chapter in my Career

Tomorrow [1 October 2009], I embark on a new job and role. I am moving away from the general IT consultant & internal architect role in the big corporate environment to a more focused architect/consultant role for a security software company. I will be more focused on helping customers pull together IdM solutions using the company's product.

This will be an interesting change, providing a much more focused activity on one specific subset of security, but I hope to carry on exploring the vast and interesting subject that security is. My last position lasted almost 10 years and in itself was quite interesting considering the variety of activities and projects I was involved in. This new position will be just as challenging if not more so, as I will be participating in the growth of this company as it evolves internationally (they are already a major player in the domain in this country and are planning to expand heavily in the rest of Europe, the Middle East and the US).

On the other side, and for my personal growth, I am still working on a few things including passing my GCIH (that happens next Wednesday), doing the CISSP (end of October) and continuing to look at developing for the iPhone & Android platforms. Hopefully, I will also be able to finalize a couple of blog entries I am working on about the real-time web, a micro-blogging feature request and some thoughts on Vanish.

Wish me luck!

Wednesday 23 September 2009

A Fun Way to Understand AES!

Constantly on the lookout for information on encryption and a better understanding of the mechanisms behind algorithms, I was amused to discover this morning MoserWare's A Stick Figure Guide to the Advanced Encryption Standard (AES).

The information presented is largely accurate but presented in a humorous plain cartoon format. Quite enjoyable! What was interesting is that it goes back to the history of how AES came about and presents a basic overview of how block ciphers work...

Thursday 17 September 2009

Application Updates Tops Cyber Security Risk, Real World Fix is More Complex

A few days ago, SANS released its new Top Cyber Security Risks report with an interesting new twist to the usual well-explored risks (such as web server vulnerabilities). The new risk that is highlighted quite effectively is the problem of application vulnerabilities, which have increased and become much more visible. A good example of this has been the ongoing reports of vulnerabilities in Adobe products such as Flash and Acrobat.



Part of the issue that is highlighted by the report is the slow turn-around to deploy application patches/updates to reduce the risks and fix certain vulnerabilities. This is in fact no surprise! Having spent a number of years in the corporate IT security environment, the application update process is a bigger dilemma than one might think. There are a number of factors that impede an effective and complete application patching process, be it for a few thousand or for tens or hundreds of thousands of installed clients. Some of these issues can be highlighted by the three following concepts:

  • Online availability of clients to receive the updates, making it more difficult to get an effective deployment rate;
  • Patches for versions that are in use might not exist, and upgrading to new versions presents other challenges such as budgets, compatibility with other applications, and continued functionality support for the business solutions;
  • Patches (or upgrades) can break or change features that are relied upon by business solutions or processes, effectively breaking the latter and presenting an impediment to the business' ability to work effectively.

For a corporate IT security team a balance has to be achieved between the need to carry out effective patching or upgrading versus the need to let the business continue to work as effectively and efficiently as possible. This is the hard truth: patching to mitigate vulnerabilities is not necessarily the best solution for a business if it breaks functionality or impedes the business process!

An effective IT security team will understand this and work towards an acceptable compromise that balances the risks against the business' ability to carry on efficiently, through policies and processes that mitigate the risks or control/patch the vulnerabilities. Notably, the report section on best practices for mitigation and control provides a number of effective risk management techniques that start by understanding the applications that present risks and building an effective defense plan...

Related Links:


Tuesday 7 July 2009

Firefox 3.5 Hates Google Searches Rant

After recently updating to Firefox 3.5, I have run into a seriously annoying and killer problem. Firefox 3.5 refuses to correctly load Google searches in a reasonable amount of time, or even the Google main page (www.google.com). In a painstaking attempt to figure this out, I have tried everything from running Firefox in safe mode to turning off things like Norton Internet Security.


The problem doesn't lie in my computer or in my infrastructure. Firefox loads all other pages normally (including Bing.com) and even loads mail.google.com as well as reader. It's just the search that it doesn't want to do. BTW, IE, Safari & Chrome load the pages perfectly well!

Enough is Enough... Let me know if you've had similar issues?

Wednesday 10 June 2009

To Reader or Not? Can we Really Do Without It?

Yesterday being the 2nd Tuesday of the month, saw the usual slew of update notices from the regular culprits. However, a new actor came into play this month: Adobe! The first appearance of what has been nicknamed «Adobe Black Tuesday Updates». This actually represents Adobe's commitment to having a regular patching schedule to address security issues, bugs and whatever else needs to be fixed.

Adobe has, since late last year, been hit hard with a slew of vulnerabilities in their products, but more so in their flagship Reader product. The root cause of the issue was the inclusion of JavaScript and related bugs that provided a vector for exploits. The vulnerabilities have been covered to a great extent on the intrawebs and there isn't really much more to add. Adobe attempted to take a rational approach to the issue and sent out advisories on how to take palliative actions (by disabling JavaScript support in the product) until proper patching could be done.

The push by some security experts (including some prominent figures such as Mikko H. Hyppönen from F-Secure and Paul Asadoorian from Pauldotcom.com) to abandon the product or adopt alternate products and formats is just not realistic! The biggest criticism of Adobe has been why use JavaScript in what is essentially an electronic paper format. This attitude neglects the important factor that the technology is there for a reason. In most cases that reason is based on identified business/customer needs, and those same customers have built solutions which need the scripting to continue to function effectively.

A number of business and government organizations have adopted the additional scripting capabilities to make documents more interactive and to facilitate content entry/usage for their users at a time when Web 2.0 was far away. A lot of interesting solutions have been explored and created using this dynamic document capability, such as automated tax reporting forms, real-time report generation, ... There is, and probably will continue to be, a need to support this type of scripting technology to give documents more interactivity and to bridge the divide between static data and the ability to have near real-time solutions for reporting and information manipulation.

Could Adobe have handled this better? Probably, but they have embarked on a road to manage the risks more effectively! Could a solution other than JavaScript be used? From a technical point of view most likely, but practically Java is a well-adopted programming language.

The underlying hard truth though is that calling for the dropping of one or another product is just not constructive and in most cases will go against the end-user's business goals! More constructiveness is needed to achieve solutions that help end-users minimize the risks but at the same time continue to allow them to streamline business process with the solutions at hand.

Related Links:

Friday 29 May 2009

Seesmic Desktop Revisited

A few weeks ago, I posted an article about Seesmic Desktop in which I promised to continue to revisit the product. About a week ago Team Seesmic released a new version...

I have to say that the feature set on Seesmic Desktop continues to impress me, and the integration they are doing with both the Twitter and Facebook APIs is amazing. But, yes, there is a but, and it continues to be a big but before I can fully adopt it as my staple client. Looking back at my main list of qualms from the previous post, some things have changed for the better and some things just haven't changed and IMHO plague the experience.

Most of the bugs that were itemized seem to be under control, but I am still seeing some problems with CPU and still don't have my Twitter avatar, as well as the two-window link click. I've also noticed some new quirks, like right-clicking on a link or other hypertext in an entry brings up either a copy/paste menu that is disabled or a weird menu with lots of > symbols. Outside of that, I do believe that the stability of the solution has potentially achieved a milestone.

The UI issues remain a sour point with me. Although the close box issue (at least on Windows) seems to be behaving as you would expect, I just don't understand the remaining UI and how people can actually live with it. The primary points that really need to be addressed remain: real-estate usage; the weird column/tab bar behavior; and the strange column resizing layout in the scroll window when the window is resized. That last point is difficult to explain, but essentially I get the impression that some weird ratio is being applied based on the size of the window to determine the width and number of detached columns that are displayed in the visible part.

Now don't get me wrong, I can easily live with new UI paradigms; I do it all the time. The problem is that this UI just does not seem intuitive and gives me the net impression that it's not convenient for ease of manipulation and interactivity.

Let me know your thoughts and/or comments through this article, via my Seesmic Profile or through Twitter.

Related Links

Saturday 23 May 2009

RAID!!! Running With the Guildies... or Why WoW Just Keeps Players Going

So early this morning (around 02:00 23.05), or late evening server time, I hooked up to World of Warcraft (WoW) for a guild-organized RAID of Blackwing Lair (BWL). One of my characters, Balaluze - Death Knight, is a member of the «Project Lore» guild. The premise behind this guild is that everyone is a fan in some form of the Project Lore Video/Blog/Guides, getting together to play WoW and have a good time playing as a team. About 2 hours in, it reminded me why I still invest my time and attention in WoW, enjoying every moment.

After a small delay of getting everyone together, Executation led us into Blackrock and up to the BWL entry point... We entered the instance with about 10 people (plus or minus - to be honest we lost a few because they had not been keyed, which is a necessary step to open the door and be given access to the dungeon), which was a little more than 10 shy of the required number of players. We figured it might work since we had a few high levels... This was our mistake, and despite a tough but victorious battle against the 1st boss Razorgore the Untamed, we proceeded to the 2nd area with Vaelastrasz the Corrupt. Here we hit what might in the end be construed as an epic fail in the Lore history books. We just did not have enough damage per second (DPS) capability with our combined strengths. In fact whenever Vaelastrasz hit 15% health, the dragon would launch its power attack and we would go down one by one in a matter of seconds. 3 tries down, we called it a night as there was just no way that the group would be able to down the dragon, let alone continue on.

So outside of a quick & dirty recount of the night, the reason this post came to be is that the RAID reminded me why WoW, & other MMORPGs, just keep drawing me in. The RAID reminded me of some important aspects of playing in MMORPGs that define its ability for continuous challenge and enjoyment. In most games, be they RPG or RTS, there is a level of certainty and consistency in the game; by that I mean that the tasks, quests, combat or other game scenarios share a goal, and that goal is always the same each time you play. In a standalone game, one can build a strategy and consistently repeat the strategy to win the trial, leading to a play-once-only scenario. One might even say that this stays true in whatever game you play.

However, MMOs bring an external factor that changes the certainty and consistency in the game. That factor is a higher level of human interaction and game play style that quickly becomes apparent. Each human player brings his/her own way of directing his avatar's actions into the group, and the combined different play methodologies actually change the way the events happen & the outcome. Let me clarify using the BWL RAID that was run this morning in WoW: despite following a well-known strategy and having a leader to coordinate the RAID party, our efforts did not achieve success. Not for a lack of willingness of the team, but that's not the point nor was it the issue; the players each used their style and abilities, giving different outcomes and thus changing the way the battle laid itself out... Essentially each try gave a different play experience, keeping the player on his/her toes trying to achieve the best possible set of actions! Turning every encounter into a new challenge and definitely not the same repetitive thing.

To sum it up, a continuously evolving and changing game play driven by the individuality of all the human players making the game and keeping it attractive as if it were day one...

Let me know your thoughts and/or comments through this article, via my Seesmic Profile or through Twitter.

Related Links

Wednesday 6 May 2009

Why I'm Not Switching to Seesmic Desktop...

For a long time now I've been on the quest for a better Twitter desktop client. The reason I use a desktop client is to facilitate the reading of the tweets but also to avoid having to have an additional browser window/tab open [rant: browsers give me a headache between slow performance and memory usage, at least on my systems, blah blah blah]. Plus the advantage of having a separate client is to be able to get OS-level notifications of new tweets. My typical poison has been TweetDeck or Twhirl depending on my mood, but overall TweetDeck has been the staple diet, mostly because its features suit my needs.

A few months ago, Loic Le Meur and Team Seesmic began to embark on building the “next best” thing in desktop integration of Twitter feeds and, more recently, to include Facebook through the new Stream API under version 0.2-rc2. Now the purpose of this post is not to review the feature set (please see the Seesmic Desktop web page) but to give a critical analysis of why Seesmic Desktop is not for me (just yet)! I ran the new version of the Seesmic Desktop client from the release until the evening of May 5th, about 4 days. To be fair, there are some interesting concepts and innovations present in this new version of Seesmic Desktop; this is why I continue to try it.

There are two categories of issues that brought me to take this decision: Bugs and UI Issues. The bugs will be covered first with a grain of salt, as parts of the issues are not necessarily related to the client itself but can be partially attributed to the Adobe Air platform. Bugs are also transitive things and can in most cases be corrected over time, although I must admit that some of these issues have been around since I first started to try out Seesmic Desktop (ed. I have tried the last 3 or 4 versions) and in theory I have reported them (I think - too much on my plate).

Bugs:

  • Refresh Issues :- I've had a number of screen refresh issues wherein either new tweets don't appear (as compared to what's on my web version) or tweets appear but no notification is issued, which kind of defeats the purpose (and it's not an API call limit issue, as a refresh loads the missing tweets). This is even more pronounced when using multiple columns...
  • Missing Avatars Including my Own :- I've had, over the testing period, moments when the avatars of the different accounts that I follow don't get updated, but more challenging is the fact that my own avatar that sits next to the input box under the Twitter account has never been present (it is loading the one associated with my Facebook account);
  • Memory Usage :- there is debate among the developer community on the cause of memory usage in Air applications, whether it is the application or the Air framework. So I will defer on this one, although I am getting mixed results from different applications; a quick quit and relaunch usually fixes this issue. But in general, I continued to see memory usage increases after initial launch, but controlled (other applications I have seem to be afflicted in the same way);
  • CPU Usage :- this one was quite disturbing for me; I got a consistent above 5% CPU usage while running Seesmic Desktop, and there never seemed to be any idle time. Worse though was that it seemed to be rising to 15% to 25% CPU use when it was loading tweets or Facebook items;
  • Link Click Opens 2 Web Browser Pages :- when clicking on a link, two browser windows are launched (instead of one). I know that some developers blame the Air framework for this and how it handles the default browser settings in Windows (yes, I checked my browser settings).

UI:

  • Unable to Quickly Identify New Items :- new tweets or Facebook items appear in the Seesmic Desktop application in either the home column or one of the user defined columns, however, there is no distinguishing mark or highlight that shows which are new and which have already been viewed. This makes it difficult to keep track of where you are or have been;
  • Difficult to Differentiate Facebook vs. Twitter Items :- the main home column aggregates all incoming items which is useful, however, there is no in your face mark that distinguishes from which account the item comes. This is a minor issue but it would be nice (for us older folks with vision problems) to be able to apply some kind of background colour coding for the different accounts or just make it easier to see which account it comes from (instead of the small text at the bottom of the item);
  • Where are my Favorites (missing feature?) :- so I use the Twitter favorites feature to «bookmark» tweets with interesting information I would like to revisit at a later time. For the life of me, I was unable to identify (outside of the Like menu item) how to visualize or manage these short of going back to the web page;
  • Column Always Selected in Menu :- Seesmic Desktop gives you the possibility to detach menu items so that you can have multiple columns open at the same time, giving you the ability to have multiple streams viewable at once. However, for the life of me, I don't understand why when you detach columns you must still have an item open in the menu. This is difficult to explain without a visual but essentially, once you detach the columns you want to see you are still forced to have one of the left side menu items open effectively covering up parts of the column scroll window. You would think that the purpose of detaching is to be able to manage the columns and menu items independently;
  • Clicking on the Window Bar [X] Doesn't Quit :- I hate when applications do this, I don't understand why some developers think that they can redefine the meaning of menu items or window bar items. The [X] is generally considered to be the close box but when you only have one window open it should also quit the application at least that is the common accepted protocol. Seesmic Desktop doesn't quit but just closes the window and there is no quit button. To quit you need to right-click the taskbar icon (but what if you hide these) and select quit, definitely unintuitive and inconvenient;
  • Real-Estate Hog! :- Seesmic Desktop is a screen real-estate hog, and the UI structure is incredibly fixed in size (apart from window resizing) and has a lot of wasted space (large borders, fixed-proportion columns & menus). I know that Team Seesmic has gotten a lot of flack on this issue and I am just adding my 0.02¢ worth. Comparatively with TweetDeck for example, I've calculated that for viewing the same amount of columns and tweets, Seesmic Desktop can take as much as an additional 20% to 30% space. This is a big issue for a user who spends a good portion of his time on a laptop or wants the window to sit on the side and take up minimal space but still provide enough information.
    IMHO this type of issue (as well as the performance bugs - CPU, ...) can easily be avoided by giving developers and UI designers the lowest-common-denominator machines. That is to say, give them a machine with a small screen (13" or 10"), low memory and a minimal CPU (maybe a netbook). From what I've seen, this is probably not the case for Team Seesmic; having watched their demo videos, they all appear to have large 22" or bigger screens.

As a general comment, the UI issues are where Seesmic Desktop really loses in my book. I can eventually live with bugs and wait for fixes or try work-arounds, but the UI leaves (at least in my book) much to be desired and makes it difficult to adopt the product for everyday use. I would have liked to graphically demonstrate some of these issues, but for some unknown reason when you try to take a screen shot, the Seesmic Desktop window disappears...

My search continues, future release of Seesmic Desktop may get my attention, who knows!

Let me know your thoughts and/or comments through this article, via my Seesmic Profile or through Twitter.

Related Links

Wednesday 29 April 2009

To Core i7 or Not? Just Go for a Core2 Quad Q9550

Today, I started to notice some weird fan noises coming from my home PC that we use for general all-around work and also for playing PC-based games. So it made me realize that my want to move to better hardware may just have to be done sooner rather than later. Now as much as I would prefer to move to something like a MacBook Pro, I don't have the budget to undertake that kind of move.

Thus I started to investigate the possibilities of upgrading the hardware to move to either a Core2 Quad platform or even a Core i7 platform. To be honest, the upgrade, whichever way I go, would require a motherboard and RAM upgrade on top of the CPU. Also, I am more interested in going the Quad way to be able to better multitask :- I want to be able to watch or even edit multimedia all the while playing World of Warcraft.

Visiting my favourite parts supplier in France, I noticed that the price of the Core2 Quad vs. Core i7 was not that much different (around €50 to 75), but the killer price impact is the motherboard and the need to use DDR3 RAM. The comparison that was done involved trying to get the same basic hardware infrastructure with only the CPU changing. That means that whichever direction was taken, the number of ports, memory (going for 8Gb), I/O support, audio, etc. would be an almost 1:1 comparison. References to the different parts are attached in the links section of this article.

Truth be told, I would much rather go with the Core i7 option as it would have a longer life span. Unfortunately it's still an expensive option to go for, and for the same price or even less, I could essentially walk away with not only the CPU/motherboard upgrade but also a brand new ATI 4890 graphics card. There is a whopping €225 to €275 difference, which is not negligible and can't be ignored.

You got to hate having to make these kinds of decisions! Seriously, I wish that I had cash to spare...

Let me know your thoughts and/or comments through this article or via my Seesmic Profile.

Related Links

Wednesday 22 April 2009

«Sign-In with Twitter»: Should we be Scared?

Last week, Twitter opened up its «sign-in with Twitter» open authentication, or OAuth, service under the radar. To be fair to Twitter, the news last week was more focused on the one million follower story and the arrival of big media names onto the service. Now, I've always been an advocate of using OAuth-type services (I personally use OpenID as much as possible) to both simplify a user's life and to avoid the problem of password re-use.

It also goes to Twitter's credit to move in this direction and to provide this type of service to ease the integration of external applications, as well as make it easier for users to provide their Twitter information.

Disclaimer: I have not had the time (and that's not likely to change in the near future) to fully investigate and examine the security of the Twitter OAuth service. The following rant is purely about Twitter's current public track record...


Twitter's public track record of securing and making a reliable service is less than top par. My top 3 frontal issues that have been discussed, re-discussed and overall made serious news for Twitter can be summed up with this list:

  • The service has a huge history of availability issues, or rather non-availability in times of high traffic; although this hasn't occurred in a while, it's bound to happen again seeing the growth patterns of late;
  • The security community has a number of times criticized the continued use of basic authentication (inc. accepting base64 password encoding) to use the service. The problem being that this is an easy way to grab the user's password, which would break or poke serious holes in the OAuth service;
  • There have been a repeated number of XSS attacks and worms, including the most recent Mikeyy worm which lasted over two weeks in its different iterations.

These three points push me to think on whether or not I would be able to really trust such a service. Will I be able to use it at all times? Am I sure the authentication might not lead to a password leak? Am I sure that the OAuth won't be replayable? Can I be sure that the OAuth session isn't being misdirected or stolen somehow in XSS or via a worm? Makes me wonder if the service will actually provide a decent and safe mechanism for authentication and whether or not my credentials are going to be safe :- scary......
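The two mechanisms the list above contrasts, as an added example that is not the author's code and not Twitter's API: a Basic header gives up the password to anyone who sees it, whereas an OAuth 1.0a request carries only an HMAC-SHA1 signature over the request, and a verifier that tracks timestamps and nonces can refuse replays. The host, keys and secrets below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlparse


def decode_basic_auth(header_value):
    """Recover (user, password) from an 'Authorization: Basic ...' header.
    Base64 is an encoding, not encryption: whoever sees the header has the password."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def _pct(value):
    # OAuth 1.0a requires RFC 3986 percent-encoding: only unreserved characters kept.
    return quote(str(value), safe="-._~")


def oauth_base_string(method, url, params):
    """Signature base string (RFC 5849 s3.4.1): METHOD & base URL & sorted params."""
    parsed = urlparse(url)
    base_url = f"{parsed.scheme.lower()}://{parsed.netloc.lower()}{parsed.path}"
    pairs = list(params.items()) + parse_qsl(parsed.query, keep_blank_values=True)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((_pct(k), _pct(v)) for k, v in pairs))
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])


def oauth_sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string; 'params' must not include oauth_signature."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    digest = hmac.new(key, oauth_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


class OAuthVerifier:
    """Server side: recompute the signature, refuse stale timestamps and repeated nonces."""

    def __init__(self, consumer_secret, token_secrets, window=300):
        self.consumer_secret = consumer_secret
        self.token_secrets = token_secrets  # oauth_token -> token secret
        self.window = window                # tolerated clock skew, seconds
        self.seen = set()                   # (timestamp, nonce) pairs already accepted

    def verify(self, method, url, params, now=None):
        now = time.time() if now is None else now
        params = dict(params)
        presented = params.pop("oauth_signature", None)
        if presented is None:
            return "missing signature"
        try:
            ts = int(params["oauth_timestamp"])
            nonce = params["oauth_nonce"]
            token_secret = self.token_secrets[params["oauth_token"]]
        except (KeyError, ValueError):
            return "malformed"
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return "unsupported signature method"
        if abs(now - ts) > self.window:
            return "stale timestamp"
        if (ts, nonce) in self.seen:
            return "replay"
        expected = oauth_sign(method, url, params, self.consumer_secret, token_secret)
        if not hmac.compare_digest(expected, presented):
            return "bad signature"
        self.seen.add((ts, nonce))
        return "ok"


def demo():
    """Basic-auth leakage, then a signed request, its replay, a tampered copy and a stale one."""
    consumer_secret = "consumer-secret-PLACEHOLDER"          # constructed, not a real key
    token_secrets = {"token-abc": "token-secret-PLACEHOLDER"}
    verifier = OAuthVerifier(consumer_secret, token_secrets)
    now = 1_240_000_000
    url = "https://api.twitter.example/statuses/update.json?trim_user=1"  # placeholder host

    def request(nonce, ts, status):
        p = {"oauth_consumer_key": "consumer-key-PLACEHOLDER", "oauth_token": "token-abc",
             "oauth_nonce": nonce, "oauth_timestamp": str(ts),
             "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0", "status": status}
        p["oauth_signature"] = oauth_sign("POST", url, p, consumer_secret, token_secrets["token-abc"])
        return p

    good = request("n0nce-1", now, "hello world!")
    # New nonce and body but the old signature: what a man-in-the-middle edit looks like.
    tampered = dict(good, oauth_nonce="n0nce-2", status="not what was signed")
    basic = "Basic " + base64.b64encode(b"alice:hunter2").decode()  # constructed header
    return {
        "basic_password": decode_basic_auth(basic)[1],
        "first": verifier.verify("POST", url, good, now),
        "replay": verifier.verify("POST", url, good, now + 10),
        "tampered": verifier.verify("POST", url, tampered, now),
        "stale": verifier.verify("POST", url, request("n0nce-3", now - 3600, "late"), now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```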

Related Links:

Wednesday 15 April 2009

Old Posts Appearing in Feed...

So you may be seeing some old posts appearing that had not been published before. I finally got down to finalizing and editing the content of some older drafts that I think needed to be published just for the historical content.

I am hoping to avoid this situation in the future and should be able to keep a normal release schedule between draft status and published. Let's hope it works!

Tuesday 7 April 2009

To Vista or Not? Need a 64bit OS but Linux not an Option - Your Thoughts

So I am planning on moving my home PC to a 6Gb memory base (and also moving to a Core i7). Because of limitations in a 32bit system for supporting memory over 4Gb, I am going to have to move to a 64bit platform. So the question becomes: which OS should I use on this new hardware configuration?
The machine in question is used extensively for gaming and other «productivity» usages by all the members of my family. Let's just say that Linux is not an option on this machine for many different reasons, including the fact that a lot of games and apps that I use just don't work properly...

So I need advice on which way to take the platform:

  • Should I move to Vista Home Premium? or,
  • Should I stick with Windows XP 64bit?

Your thoughts and opinions are very much appreciated; please don't hesitate to comment on this post or post video replies to this Seesmic thread!

Saturday 4 April 2009

OnLive :- Thoughts and Ramblings

During this week's GDC'09, the OnLive service was announced and demoed. I can only really comment on this service based on the reviews and reports coming out of Joystiq, Gamespot, Engadget & others... The idea behind OnLive is to marry cloud computing with high-end PC gaming. It is best described on the OnLive website: How OnLive Works. Personally, I find this service intriguing and potentially a mini-revolution (might be a bit strong, but that's why the mini prefix) in PC gaming. It also has the potential to open up availability and introduce gaming to a much more global audience who don't have the buy-in power. It could also be a simple and interesting entry-level platform for testing games before purchasing.

Much of the initial commentary coming out goes from amazement at how incredible a service like this would be to a "yes, but" attitude and scepticism on the actual possibility and ability of the service to work. The main concern in current commentaries is the ability of the service to perform as stated due to a lack of network bandwidth and responsiveness. While I do agree that there are a lot of challenges for this service to be able to get things working as smoothly as possible, my humble belief is that this service will get kicked off and have more than acceptable performance capabilities. One of the reasons I feel strongly is due to some of the minds behind OnLive. Steve Perlman, being one of those minds and one of the original technological minds behind QuickTime, has done a lot for streaming and has already provided some amazing solutions to optimize the interaction of the user and media across the Intranets [ed. note: I've had the chance to see Perlman talk at an Apple Dev. Conference and he knows what he is doing, to be quite honest].

However, I need to disagree with the main focal points that a lot of commentary has taken. Much of the commentary has centered on the fact that they don't believe the service will work because of the network performance. My rant here has a lot to do with the fact that most of these reviewers are making assumptions based on their current network experience, which is mostly USA, Canada or UK centric. These assumptions are based on areas where ISP performance is average and not fantastic, or where there are known (or suspected) ISP network controls and restrictions. Nigel Cooke on his recent Monkyenuts podcast (episode 7) brought up similar comments but with a touch of his own experience on optimizing and managing corporate networks. While I respect his knowledge on the subject, you can't compare an Internet-based service and network optimization approach to that of a corporation. Most corporate networks are based on a hub & spoke model, which tends to lead to fixed route paths and a series of bottlenecks that hamper performance. The Internet, being a much more meshed environment, is not constrained in this manner, at least not until the last leg between the user and the ISP.

The problem with this overall line of thought is that it doesn't reflect the reality of what the network can actually do (where I live, my two ISPs provide me with amazing performance, with average latency of @400ms, @1100 kb/s down & @350kb/s up) and the potential of a service like this given a proper network environment, network optimization and, more importantly, optimization of the compression & handling software. The comments also don't take into account the advances that have been made over the years in data center hardware and networking, especially by companies like Google that have learned how to make small-footprint high-performance hardware and optimize the placement of that hardware to better serve the Internet.

Finally, some of my beliefs are founded on the fact that I have been involved over the years in projects where bringing distributed high-end PC computing over a network was successful. In a similar case, all graphics processing and manipulation was done on core centralized machines while the user was provided with a web interface to manipulate the data and visualize the graphics models and displays.

So definitely a gaming technology to keep an eye on and potentially something bound for success. I for one would use this type of service to avoid the heart break of having to own multiple PCs or to continuously upgrade those machines!

Discuss this with me via my Seesmic Profile on this thread.

Article Links & References

Tuesday 17 March 2009

A Friend's Blog Got p0wnd

I spent a good part of today investigating a JavaScript injection that a friend of mine suffered on his personal blog site. It turned out that this is nothing more than a typical adbot/scriptjacking malware infection. The actual injection code is an obfuscated iframe that tries to download an HTTP browser attack tool. The code is inserted in the page build (usually via the WordPress function framework, the style-sheet or maybe even a rogue module) and looks something like this:
[image: the obfuscated malicious JavaScript]

The obfuscation resolves to a call that pulls a source script from a website hosted at add-block-filter.info, which then tries to either retrieve stored passwords & cookies or hijack open web pages, more generally targeting e-mail services to send out spam (your typical adbotnet behaviour).

Tracking back the domain name, it came back to a known malware pusher, 7addition.info/8addition.org. So in all likelihood this is a new variant of a script injection attack which is picked up and reported as a known trojan downloader JavaScript iframe infection (at least by a few AV vendors, e.g. trojan-downloader.js.iframe.ah). In this case, the trojan goes on to contact 2 other malware sites at firstgate.ru & benyodil.cn, which in turn download 3 additional malware infections to continue the p0wnage:

  • a malicious Flash file which is in fact a download exploit (e.g. Exploit.SWF.Downloader.ks);

  • another HTML-based script which is in fact a trojan download agent and also sends out spam asking you to visit a site or click on a video link (e.g. Trojan-Downloader.HTML.Agent.np);

  • and finally, a packed JavaScript HTML agent which installs a BHO (browser helper object) that turns off the firewall and other Windows services (e.g. Packed.JS.Agent.ad).


That's as far as I went with the malicious activity...
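For site owners who want to check their own pages for the kind of injection described above, here is an added example (not the blog author's code) of a small defensive scanner: it looks for script blocks that build markup at runtime through unescape()/String.fromCharCode() layers, peels those layers off, and reports any iframe that results, together with its host and whether it is hidden with a zero size or visibility:hidden. The sample page, the file paths and the domain malware.example are constructed for the demonstration.

```python
"""Scan theme/plugin files for obfuscated iframe injections (added example)."""
import re
import sys
from pathlib import Path
from urllib.parse import unquote, urlparse

# Runtime string decoding is the usual obfuscation layer for injected iframes.
DECODER_RE = re.compile(
    r"(document\.write|eval)\s*\(\s*unescape\s*\(|String\.fromCharCode\s*\(",
    re.IGNORECASE,
)
CHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)", re.IGNORECASE)
UNESCAPE_RE = re.compile(
    r"unescape\s*\(\s*(['\"])(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL
)
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
IFRAME_SRC_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"width\s*=\s*['\"]?0\b|height\s*=\s*['\"]?0\b|visibility\s*:\s*hidden|display\s*:\s*none",
    re.IGNORECASE,
)


def deobfuscate(script: str, max_rounds: int = 3) -> str:
    """Peel off fromCharCode()/unescape() layers until the text stops changing."""
    text = script
    for _ in range(max_rounds):
        before = text
        text = CHARCODE_RE.sub(
            lambda m: "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()),
            text,
        )
        text = UNESCAPE_RE.sub(lambda m: unquote(m.group(2)), text)
        if text == before:
            break
    return text


def scan_text(text: str) -> list:
    """Return one finding per <script> block that decodes strings at runtime."""
    findings = []
    for m in SCRIPT_RE.finditer(text):
        body = m.group(1)
        if not DECODER_RE.search(body):
            continue  # plain script, not the obfuscated shape we are after
        decoded = deobfuscate(body)
        src = IFRAME_SRC_RE.search(decoded)
        findings.append({
            "offset": m.start(),
            "iframe_host": urlparse(src.group(1)).hostname if src else None,
            "hidden": bool(HIDDEN_RE.search(decoded)),
        })
    return findings


def scan_tree(root: str, suffixes=(".php", ".js", ".html", ".css")) -> dict:
    """Scan every theme/plugin file under root; returns {path: findings}."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in suffixes and path.is_file():
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample page: one benign script and one injected, hidden iframe.
SAMPLE_PAGE = """<html><head>
<script type="text/javascript">var a = 1; // benign theme script</script>
</head><body>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fmalware.example%2Fin.php%22%20width%3D0%20height%3D0%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E'))</script>
</body></html>"""

if __name__ == "__main__":
    # Usage: python scan.py /path/to/wp-content   (or no argument to scan the sample)
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for hit in hits:
                print(f"{path}: iframe to {hit['iframe_host']} hidden={hit['hidden']}")
    else:
        print(scan_text(SAMPLE_PAGE))
```

A hit on a theme file is a reason to restore that file from a clean copy of the framework and to rotate the site's passwords, since the injection usually arrives with stolen FTP or admin credentials rather than through the page itself.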

Before investigating, my friend and I exchanged a few messages regarding him being p0wnd. He was trying to figure out what had been the root of his infection. Although he blames it on a combination of Twitter/Hotmail and a few other sites, seeing the root of the malicious software that gets pushed I would say that he originally got hit from visiting an already infected site or from clicking on some weird website with Flash videos (he does love to visit those). Interestingly enough, I think I can track back part of his problem to the 13th of March or a few days before. At that time I received an e-mail from him that was unusual:

I didn't really pay attention to it but maybe should have, and warned him at that time of the possible hijacking of his info. He learnt a few things (like not using the same password for his different services). I learnt for myself that when I see a friend sending a weird message to me, to get on the ball and warn him/her.
Some more advice I offered is to:

  1. update his personal blog framework regularly;

  2. be careful about using the remember me option on some of these websites, as the stored cookies give this clickjacking malware a fair bit of leverage.

Thursday 5 March 2009

In These Times, Can You Protect the Business From Insider Threat

This post & thoughts are a reflection on my experience and years of dealing with the problem of identity management: how to relate a user to his roles and responsibilities in the IT infrastructure, and how this affects the departure processes (or exit procedures).

As the economic recession goes into its darkest times, businesses are making the hard choice of letting people go. The IT organisation is typically an area where decision makers take the opportunity to trim the fat. However, an important part of the decision-making process, one that can easily be overlooked, needs to be a good understanding of the risk involved in letting go of certain categories of IT staff and how their roles and responsibilities can potentially create a serious exposure footprint.

Why would HR & the security officers need to establish this risk analysis? The simple answer is that businesses need to ensure that staff who potentially hold the keys to the kingdom are not irate when they leave. The risk here is that an irate ex-employee with key information to be able to access the infrastructure may be tempted to take action in frustration or revenge. This unfortunate (and let me be clear, sometimes illegal) type of action potentially involves damage that can range anywhere from serious data leakage to denial of service hampering a company's ability to do business.
A few example scenarios of a departing IT staff member's role versus what they could do:

  • A network engineer (remember the San Francisco city network incident) who has extensive knowledge of the network configuration and holds some of the common super-user passwords could place back-doors allowing him to later bring down the network, redirect traffic out of the corporate network releasing sensitive information, or even use the network as a way-point for other types of illegal activities.

  • How about a server system administrator who has local administrator access to boxes and can place a backdoor allowing for remote access, and thus the ability to grab information or even stop critical business applications.

  • But even more critical (at least from my experience) is surely a security engineer: the knowledge of the security profile and the accesses that have been made available to that profile make this the highest risk footprint. To do the job, he/she has gained knowledge that renders the infrastructure critically vulnerable.


So the question that begs to be asked out loud is: can a company avoid these issues?

The real protection that a company can achieve is to have a comprehensive identity management process and tool. Identity Management [IdM] is about a lot more than just being able to determine who works in the company, which unfortunately is the baseline thinking or the minimal implementation that gets carried out. It's also about being able to link a person to his/her role and authorizations. A well implemented IdM process and infrastructure will ensure that a person in the organization has a well defined role. That well defined role will correctly identify his/her authorizations and access rights. The ability to correctly define those authorizations provides a safeguard and a well-defined means to not only properly implement an exit procedure but also help evaluate a risk profile based on that person's footprint in the organization. The well-defined profile will ensure that the user is correctly matched to the tools & resources required for the job: no more, no less. This same correlation can then be used in the exit procedure to quickly identify and revoke all accesses. There are of course many more benefits for day-to-day operations to a complete IdM environment but that may be the subject of an alternate post.
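To make the role-to-authorization correlation concrete, here is an added example (not from the blog post) of a minimal identity model in which users are mapped to roles and roles to entitlements. The same mapping that provisions a person is reused for the exit procedure: it produces the complete revocation list, most privileged first, a numeric risk footprint of what the person held, and the list of direct grants that no role justifies (the "more than the job needs" case). The role names, systems, privilege weights and users are constructed sample data.

```python
"""Role-based identity model with an exit procedure (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Entitlement:
    system: str
    privilege: str  # "user", "admin" or "superuser"


# Constructed weights: how much exposure a single entitlement represents.
PRIVILEGE_WEIGHT = {"user": 1, "admin": 5, "superuser": 10}

# Constructed role catalogue; in a real IdM this is the curated role model.
ROLE_ENTITLEMENTS: Dict[str, Set[Entitlement]] = {
    "network-engineer": {
        Entitlement("core-routers", "superuser"),
        Entitlement("vpn", "admin"),
        Entitlement("wiki", "user"),
    },
    "sysadmin": {
        Entitlement("linux-fleet", "admin"),
        Entitlement("backup", "admin"),
        Entitlement("wiki", "user"),
    },
    "security-engineer": {
        Entitlement("siem", "admin"),
        Entitlement("pki", "superuser"),
        Entitlement("idm", "superuser"),
        Entitlement("wiki", "user"),
    },
    "developer": {
        Entitlement("git", "user"),
        Entitlement("ci", "user"),
        Entitlement("wiki", "user"),
    },
}


class IdentityStore:
    """Tracks who holds which roles, plus direct grants made outside the role model."""

    def __init__(self) -> None:
        self.user_roles: Dict[str, Set[str]] = {}
        self.direct_grants: Dict[str, Set[Entitlement]] = {}

    def assign_role(self, user: str, role: str) -> None:
        if role not in ROLE_ENTITLEMENTS:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def grant_direct(self, user: str, ent: Entitlement) -> None:
        """An ad-hoc grant; these are what exit procedures without IdM tend to miss."""
        self.direct_grants.setdefault(user, set()).add(ent)

    def _from_roles(self, user: str) -> Set[Entitlement]:
        ents: Set[Entitlement] = set()
        for role in self.user_roles.get(user, ()):
            ents |= ROLE_ENTITLEMENTS[role]
        return ents

    def effective_entitlements(self, user: str) -> Set[Entitlement]:
        return self._from_roles(user) | self.direct_grants.get(user, set())

    def unreconciled_access(self, user: str) -> Set[Entitlement]:
        """Direct grants that no assigned role explains: more than the job needs."""
        return self.direct_grants.get(user, set()) - self._from_roles(user)

    def risk_footprint(self, user: str) -> int:
        """Sum of privilege weights over everything the person can currently reach."""
        return sum(PRIVILEGE_WEIGHT[e.privilege] for e in self.effective_entitlements(user))

    def offboard(self, user: str) -> List[Entitlement]:
        """Exit procedure: list every access to revoke (highest privilege first) and drop the user."""
        to_revoke = sorted(
            self.effective_entitlements(user),
            key=lambda e: (-PRIVILEGE_WEIGHT[e.privilege], e.system),
        )
        self.user_roles.pop(user, None)
        self.direct_grants.pop(user, None)
        return to_revoke


if __name__ == "__main__":
    store = IdentityStore()
    store.assign_role("alice", "network-engineer")
    store.grant_direct("alice", Entitlement("finance-db", "admin"))  # unexplained by her role
    print("footprint:", store.risk_footprint("alice"))
    print("unreconciled:", store.unreconciled_access("alice"))
    for ent in store.offboard("alice"):
        print("revoke", ent.system, ent.privilege)
```

The ordering of the revocation list matters in practice: the superuser credentials are the ones to rotate in the first minutes of the exit, while the wiki account can wait for the nightly run.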

The simplistic answer or quick fix if a comprehensive IdM is not in place is to make sure that the person leaves on good terms. The important part is to evaluate the risk versus the cost versus the potential loss. Unfortunately that is a short term strategy and somewhat impractical.

Related Links

Monday 2 March 2009

Using TweetDeck's Features

Following a pleasant feature review (or how-to) of TweetDeck by Cali Lewis on GeekBrief.TV ep.517, I figured it was about time to actually sit down and fully investigate the different functions in the utility and did so this weekend.
I've been using TweetDeck for quite a few months now from time to time (I alternate with Twhirl) and was only really using it with some of the default columns :- all friends, replied, directs.

From time to time I also used twitscoop and in rare occasions would also run a search. For what it's worth that basic mode in itself is a very functional Twitter interface with the benefit of quickly allowing you to see the tweet feed plus tweets where you are mentioned. That's about it for the TweetDeck features :- this post is about some new features rather than a review.



The function that intrigued me during Cali's how-to was the groups ability. With it, you can group different Twitter accounts into one column. I follow a number of tech & general news magazines/webzines that use Twitter as a form of notification. The group functionality allows you to put these all together for quick identification and review. I set this up and a couple of others (tech products, security & close friends tweets).
After running TweetDeck for a few days like this, my conclusions are that it's useful and interesting but... (the buts are related to the following two points):

  • you need a really wide monitor (on my laptop this is inconvenient as you spend much time scrolling in all directions);
  • it hasn't given me any noticeable benefits in the way I look at tweets! The main reason for this is that I tend to speed read through most Internet chatter/info and focus on the points that catch my eye or raise a flag. I can do this quite easily and efficiently in the general all friends feed. This however could be a side effect of the lack of screen real estate.

I'll continue to use these features especially on my gaming rig with the big monitor where it will give me a better vision of things. On another note here, it would be nice to have a save/transfer settings feature.

I am still stuck on one point with TweetDeck and that is that I am unable to find and easily follow a new Twitter user. I am sure it is there somewhere but just not that obvious (at least from my PoV). It will be interesting to watch it evolve.

Related Links:

Sunday 8 February 2009

Halo Wars Demo - Hits my Sweet Spot

At the end of the week, the Halo Wars demo was released on the Xbox Live service. As soon as it hit the Europe servers, I jumped onboard.

I admit that I have always enjoyed a good RTS (real-time strategy). They tingle my logic neurons and I enjoy having to sit down, plan and be tactical in order to achieve a goal, unlike FPS type games which are more fast-paced action & brute force.



Surprisingly, Halo Wars brings a good balance between the need to be tactical and the fast pace of an action game. Building and creating your force-de-frappe has a good feel to it as you can get things up and running quite quickly, but you need to plan ahead to be able to build more advanced units. Combat is fast paced and easy to jump into. The parts I played on the demo were very focused on achieving goals, and the intermingling of the Halo Wars storyline (including some amazing cut scenes) made it attractive and enticing to move forward in the game. Now I did not get a chance to play the online team mode but I've heard that it is quite an experience as well.

All-in-all Halo Wars looks like it will hit a sweet spot :- a must buy!

Related Links

Friday 30 January 2009

200 days of Wii Fit

So a few days ago, I hit 200 days of using the Wii Fit. I try to keep to a pretty regular schedule, that is to say that I at least do the Wii Fit test every morning. Actual exercise is a bit different since I am unable to do it on a very regular basis due to time constraints or just plain physical pain with my ankle, but I try to get at least 3 to 4 days during the week of the aerobics and muscle exercises mixed in with a bit of yoga (for the stretching).

Overall, I find the Wii Fit a good motivator and a useful tool to be able to get some regular exercise. My only complaint might be that the presentation of the exercises, although good, doesn't necessarily allow you to keep a good and proper posture when executing them yourself. This is especially true on the yoga parts...

Despite that, I am quite content and I have an average loss of about 5kgs since starting! Not bad hee!

Don't U H8!

The first in a series of video-blogs (me thinks)! And I am opening it up with my favorite subject - a rant!
Yesterday I discovered that the company was pushing out a new security policy on mobile devices that are connecting to the corporate exchange environment! I don't have a problem with this security policy and am all for it! The problem was that a proper change management process was not carried out and thus those who would have preferred to opt-out couldn't!
So I spent the better half of today removing the security policies (by hand) on my devices. I even bricked my HTC in the process and was forced to reload from scratch... [PS: You can add to the discussion in this Seesmic thread]

Thursday 15 January 2009

Another Day, Another Year

So the new year has come and gone, I've been queried a few times to see what kind of resolutions I was taking or if I wanted to join some challenges (like my friend Nigel is attempting).

Truthfully, for me the new year is potentially just SSDD (same s$#% different day). Resolutions are ok but tend to imply that you need to change something in your life for whatever reasons you might have. This is where it doesn't work for me for in general my life is what it is and I've accepted it as is. Granted things could much better and don't match where I saw myself at my age but I've spent too much of the past years trying to change things with no success - I seem to be plagued with bad vibes - and I'm not inclined to invest anymore energy in fighting it. Some might call it being comfortable with things as they are but at least I know what my crappy personal & work life entails...

Sure I know what needs changing and how to change them but that may mean spawning even more difficulties and issues. So this year, taking things as they go!

Aside from that shoddy rant, I expect that I'll try to do more of the same:

  • 1 new video game a month;
  • achieve some form of regularity in my blogging (I foresee a move to video blogging);
  • and generally accepting my pains physical & moral alike.

And of course continuously complaining about it... Although I probably should try to stop sounding like a broken record!

Ian Curtis, in Joy Division's Heart & Soul, once wrote:

The past is now part of my Future
The present is well out of hand!

a motto I seem to be fully embedded in :-(

Sunday 4 January 2009

Games @ X-Mas

So this X-Mas we had a good set of games as presents (of course most of them being for my son): two Xbox 360 games and one Wii game.

The Wii game was a no brainer for this year - I carried on the Raving Rabbids series and got the latest one :- Rayman Raving Rabbids TV Party. The nice part of this game is that it exploits the Wii Balance Board as a component for controlling your character. The game is still a riot and you can have some serious fun (in the stupidity sense), but with the Wii Balance Board it adds another dimension that makes the antics more physical, ranging from space surf boarding to rhythm dancing. The kids (my cousin's & my son) played together and it was giggles all evening. Honestly these kinds of games, the Wii and the social interaction they bring are the platform's advantage. I keenly have to give this game a thumbs up just for the stupid fun.

For the Xbox 360, it was Star Wars Force Unleashed [SWFU] and Guitar Hero World Tour [GHWT] Band Pack. SWFU I find to be your typical FPS type of game where, instead of being armed with a gun, you end up going around killing with a lightsaber & powers of the force... The twist here is that you're on the dark side, w00t! Overall the game plays quite well and is fast paced. The ability to manipulate & throw things with the force is fun but I am a bit disappointed in the lightsaber attack moves. The graphics are impressive and you get a wide range of open spaces to explore, but it is still very directional so the environment still seems stunted. Overall this turns out to be a neutral rating for me and to be honest my son has played this more than I have for the moment, but I will get back to it someday...

Very much having enjoyed Guitar Hero 3 and having learnt a little about drumming when I was young, I'd been quite excited and impatient for the release of GHWT. Truth be told, I preferred to look at GHWT rather than Rock Band as, at least in France, the release dates were similar and I'd already had experience with the Guitar Hero franchise and wanted to continue to support it. It was a good choice: GHWT turns out to be all around a good continuation of the franchise and, at least for me, continued to be a good multi-player experience on both a local and online level. If you're already familiar with the play style then you can quickly jump into the game. As previously said the experience and interface have a lot of similarity; however, I did find that game play was much faster as well as being somewhat easier in the sense of being more forgiving of mistakes. I find the new instruments well balanced but find the vocal part somewhat difficult (definitely not a singer) as hitting the right tone is hard. The new guitar feels much better than the default guitar in GH3 but the slide bar touch buttons I find difficult to move to (it's locating the right colour that takes time and messes you up). Overall though, GHWT is a definite winner and a great play solo or with others - definite thumbs up!

So that was a quick and dirty review of my first days' impressions! If you want more details visit your usual game review online sources...

Links in this post: