Monday, December 12, 2011

How Confused SysAdmins Are Rendering SPF Useless

The idea behind Sender Policy Framework (SPF) is to let the owner of a domain publish which mail servers are allowed to send on its behalf, so that a receiver can reject messages which appear to come from a given company or entity even though nobody at that entity sent them.  It covers the envelope sender (the MAIL FROM address the receiving server sees), not the From: line a user sees in their mail client, which is why it is one layer of defense and not the whole answer.

SMTP allows this kind of impersonation because, by itself, nothing in SMTP ever checks that you are who you say you are - neither in the envelope sender nor in the From: line.  Remember that SMTP has been around longer than most system administrators and was built in a time when everyone on the internet knew everyone else by first name.  Authenticating the sender was never a design principle for the internet, and we've been dealing with the fallout ever since.  The bottom line is that, as far as SMTP goes, you are who you say you are because you say so.  If only it were that easy in real life.

Enter the Sender Policy Framework.  SPF is implemented by both senders (as a DNS TXT record, saying "mail from me is going to come from the following addresses only") and receivers (by checking the IP address of the server connecting to your system against the list of valid addresses published for the domain in the envelope sender).  The check yields one of pass, fail, softfail, neutral, none, or an error, and the domain owner chooses how hard a failure is: "-all" says reject anything else, "~all" says treat anything else with suspicion but don't reject on SPF alone.  Simple.

The problem is this - if you don't implement SPF properly at both ends, it ends up causing more problems than it solves.  Confused system administrators are likely to get this wrong, and are likely to be even more confused when you explain to them why they got it wrong and how to fix it.  It's happening more and more often, and it's a pain.

The bane of a mail administrator's existence is the false positive - that is, a message which is legitimate, but that got blocked or bounced erroneously by the cocktail of email protection mechanisms they employ.

If, as a receiver, you are not properly evaluating SPF for incoming messages, you are creating a problem for your users and for the people trying to communicate with them, by creating false positives in droves.

Worse yet, if your default action for anything other than a clean SPF pass is to reject the message outright, a legitimate message never reaches your user at all.  The only signal is a 550 on the sender's side, which lands on their support desk rather than yours, and there is nothing in a quarantine or a Received-SPF header on your side for a human being to spot and bring to your attention.

Such is the case with a great many Barracuda anti-spam appliance users, who are responsible for a rash of "550 Rejecting for Sender Policy Framework" replies reaching support desks around the world.

A proper implementation of SPF evaluates exactly one IP address - the address of the system that opened the SMTP connection to you - against the list of allowed addresses in the SPF record for the sender's domain.  No more, no less; that is the whole of the check_host() function in RFC 4408.  In the case of the Barracuda, their devices are erroneously evaluating not just the IP address of the connecting system, but the IP address of every hop recorded in the Received: headers along the way.  Those earlier hops are the sender's internal relays, frequently on private addresses, which no domain owner would ever list.  It is as if the appliance inherently assumes that even if the connecting system is in the SPF list, it is an open relay and is being abused by a spammer.

We've seen screenshots of Barracuda administrative consoles, and for messages they blocked as false positives due to "Sender Policy Framework", the details reveal that an IP address of a server involved early in the relay was NOT in the SPF record for that domain - even though the server establishing the connection to the endpoint WAS in the SPF record for that domain.  If you use a smarthost configuration, whereby your public-facing mail server always relays outbound mail to a service "in the cloud" for anti-virus scanning, etc., you are very likely having this problem or will soon.  Postini is a good example of this type of setup, but there are others.  If that is your setup, do make sure the relay service's published address ranges (usually an include: mechanism they give you) are in your record; but understand that nothing you publish can make an internal hop pass a check that should never have been run against it.
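To make the difference concrete, here is a small SPF evaluator written for this post as an added example; it is not the blog's tooling and certainly not Barracuda's code.  It implements the ip4, ip6, include and all mechanisms with their qualifiers, which goes a little beyond the ip4-only case the post describes, and stands in for DNS with a constructed table of TXT records (example.com, _spf.smarthost.example and softfail.example are hypothetical, as are the two hops in the relay chain).  The correct receiver checks only the host that opened the connection; the mistaken receiver runs the same check against every hop and fails the message on the internal relay.

```python
"""Minimal SPF evaluator (ip4/ip6/include/all) over a constructed DNS table.

Added example: not Barracuda's code or the blog's.  Domains, addresses and
TXT records below are hypothetical and stand in for real DNS lookups.
"""
import ipaddress

# Constructed TXT records.  example.com sends from its own range and relays
# outbound mail through a cloud filtering service published at _spf.smarthost.example.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 "
                   "include:_spf.smarthost.example -all",
    "_spf.smarthost.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF terms for a domain, or None when it publishes no record."""
    txt = DNS_TXT.get(domain.lower())
    if txt is None or not txt.startswith("v=spf1"):
        return None
    return txt.split()[1:]


def check_host(ip, domain, depth=0):
    """RFC 4408 check_host(): evaluate ONE ip against the domain's record.

    Returns pass/fail/softfail/neutral/none/permerror.  a, mx, ptr, exists and
    redirect= are not modelled here; they yield permerror so the caller knows the
    result is unreliable rather than silently failing the mail.
    """
    if depth > 10:                      # crude stand-in for the RFC's lookup limit
        return "permerror"
    terms = lookup_spf(domain)
    if terms is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # An IPv4 address is never inside an IPv6 network and vice versa.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # record exhausted without a match


# Constructed relay chain for one message, oldest hop first, as the Received:
# headers would record it: the sender's internal server hands the message to
# the cloud filter, and the cloud filter is what connects to us.
RECEIVED_CHAIN = [
    ("mail.internal.example.com", "10.0.0.5"),
    ("outbound.smarthost.example", "192.0.2.25"),
]


def evaluate_connecting_host(chain, mail_from_domain):
    """Correct receiver behaviour: only the host that opened the connection counts."""
    _, connecting_ip = chain[-1]
    return check_host(connecting_ip, mail_from_domain)


def evaluate_every_hop(chain, mail_from_domain):
    """The mistaken behaviour described in the post: run the check on every hop.
    Returns per-hop results so the offending hop can be pointed at."""
    return [(host, check_host(ip, mail_from_domain)) for host, ip in chain]


def smtp_action(result):
    """Reasonable receiver policy: reject only a hard fail; tag softfail, neutral,
    none and errors, where the sender may simply be misconfigured."""
    if result == "fail":
        return (550, "5.7.1 SPF check failed")
    if result == "pass":
        return (250, "accepted")
    return (250, "accepted, tagged for review (Received-SPF: %s)" % result)


if __name__ == "__main__":
    print("connecting host:", evaluate_connecting_host(RECEIVED_CHAIN, "example.com"))
    print("every hop:      ", evaluate_every_hop(RECEIVED_CHAIN, "example.com"))
```

Run against the constructed chain, the connecting host (192.0.2.25, covered by the smarthost's include) passes, while the every-hop check reports the internal 10.0.0.5 relay as a fail and would reject the message, which is exactly the console screenshot described above.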

So both sides are using SPF, and both think that problems with SPF "violations" are the other one's fault.  How do you tell who is right?  Well, if you've already validated your record against an SPF query tool, a good source of arbitration is for the sender to send a message to Port25's SPF check service.  They'll send you a return message with full details about whether your message complies with SPF properly and whether they'd have delivered it.  Ours, for example, does comply with SPF properly.  And largely, we have no issues, but lately we've seen a rise in bounced messages due to reported SPF problems, and in actual fact, they have all (every single one) come from Barracuda appliance owners.

Plainly, if you are so dim-witted as to put a Barracuda anti-spam appliance in place, little if any of this is making any sense.  And that's the problem.  What you're trying to do is admirable - cut down on spam.  What you're really doing isn't - you're blocking legitimate email because you don't understand how this stuff works.  Stop it.  If you have a Barracuda, turn off SPF checking.  It's broken, and you're eating up a lot of our time chasing issues that aren't in our sphere of influence.  If you are unwilling to turn it off, see if you can adjust the default behavior for SPF violations to be something other than BOUNCE - tag or quarantine the message instead, so a human being can still find it.  Amateurs.

Wednesday, November 16, 2011

You Can Toucha The Mango

I've used enough iOS devices to know them inside and out.  Simple, clean, no frills - much like Windows for Workgroups 3.1.  It doesn't do a heck of a lot other than let you launch apps, and the apps don't really do much outside of their sandboxes.

Same with Android, with the exception of being able to tweak it to look and behave how you'd like.  You can't really cover up the fact that it's little more than a platform for launching apps.  The cases and screens may change, but at the end of the day, they appear to me no different than iPhones or iPads.

Both iOS and Android are essentially software showcases.  They provide developers a nifty, powerful, portable stage to do their thing and a solid commerce mechanism to help them get paid.  They're giant digital flea markets (or malls if you will) with everything you need from anyone who makes it, in one convenient spot.  The iOS mall is very exclusive, and the Android mall is kind of like the run down joint in the bad end of town where the owner doesn't seem to know or care what happens as long as he gets his cut.

Color me uninspired.  The Apple fanbois and Google fandroids can argue about which app launcher / flea market is better than the other.  It's like arguing the difference between off-white and eggshell.

Enter (of all people) Microsoft.  Yes, the same Microsoft who only ever accidentally trips over an extremely successful product.  The same Microsoft with a total lack of coherence, consistency, or a compelling vision for how their products should improve people's lives.  Slowly, it appears, they have been coming to grips with the world in which Apple and Google would see us live.

The living room is kind of where it all started.  The Xbox 360 platform has been extremely popular, for all the right reasons.  It works well.  It looks dynamite.  It's cheap.  It's great with media.  It has access to streaming content.  It's audiophile and home theater enthusiast-friendly.  It's small.  It's WiFi.  The games are compelling.  The multiplayer Live experience is impressive.  You don't need to be a rocket scientist to work it.  Everyone has one.  People continue to trust Microsoft to get it right, whether or not they realize it.  A console from two or three years ago will still hang with the latest games, no issues.  Brilliant.  New stuff like Kinect works with any Xbox 360, no matter how old.  Brilliant!  Executives across the nation have ditched their Harley helmets for copies of Halo and Modern Warfare.  It's cool to be a gamer...finally.

In another part of Redmond, another group of people appeared to have been told "find a spot in the mobile market where nobody else dares go, and own it."  The result is impressive.  Very impressive.  Even if nobody knows it yet, it's fantastic.

Windows Phone 7 was the best mobile user interface of any device ever, period.  And it was flawed in some significant ways.  There were lots of things you couldn't do with it that you should have been able to do, but at its core, WP7 was a completely different approach to smartphones.  Revolutionary, really.  Yes, there were some sandboxes, but the difference was that there were also cool Habitrail tunnels connecting them, and very smart hamsters trained to run back and forth.

For example, on WP7, a contact becomes an incredibly powerful thing.  The phone almost magically combines everything you know about a person from every source you feed it - Exchange, GMail, LinkedIn, Facebook, etc, so that a person is represented in one "object".  You don't need to download a bunch of apps to do it - it just knows, out of the box, that you're probably on several of those services.

Because of this, any action related to a contact is available just about everywhere.  You can write on their Facebook wall, send them a tweet, a text message, an email, call them, pull up a map of where they work - all in one place.  And you get to do it in what must be the best implementation of graphic arts ever employed in a user interface.  It looks great, and it works phenomenally well.

Common bits of information are recognized everywhere.  An address, for example - whether it be part of a contact, or your current location (the GPS is freakishly fast and the street address resolution feature is freakishly accurate) - is understood as an address.  When you tap on an address, what should happen?  A map should appear.  What might people want to see in addition to a dot on a map?  How about a list of nearby restaurants and things to do?  What information should show up if you tap on one of those links?  Everything.  Phone number, hours, reviews from popular websites, who has checked in there on Facebook, spoken turn-by-turn driving or walking directions, etc.  Everything of interest, that you would most likely want to do or know about a place or a person, has been captured and gorgeously integrated in an incredibly simple interface.  Two taps simple.

The dependency on tethering to a computer appears to be somewhat diminished, but you will need Zune on PC (or the Mac plugin thingy) to do some things.  The good news for PC folks is that the latest Zune is also beautifully designed and simple to use.  Microsoft is doing some absolutely remarkable things in terms of user interface.  It just works.  Hardly a row/column table to be found anywhere.  There are definitely feature issues in Zune, but someone else can dive into that.  I'm just happy (actually, ecstatic) that Microsoft is demonstrating a capability approaching mastery of the user interface and that the penny has dropped for them in terms of making deep, meaningful interoperability of their various products and platforms a priority.  SharePoint, Lync, Office, Exchange, Windows 7, Server, and now Windows Phone.  They are all connected. No, really connected.

I am now using the Samsung Focus S.  Yes, there are still gaps I'd like to see addressed, but the Mango release has done an amazing job of addressing the most common issues people doing an evaluation would run into.  You have to dig at least a little bit to uncover the dead bodies now, whereas before you had to step over them.  If I had no interest in connecting to corporate email or no concerns about managing them, I would never use another phone.  The app marketplace is not on par in terms of absolute quantity, but what is there is of high quality and the selection is broad enough to facilitate more time wasting and work-from-Starbucks activities than you can probably justify with a straight face.

For the first time in as long as I can remember, I love my phone.

Friday, November 11, 2011

Froyo Snackins

It took careful explanation by a "fandroid" over lunch one day to understand Froyo, Gingerbread, and Ice Cream Sandwich.  Are they even trying?  Is there a dartboard somewhere in Google headquarters with a dessert menu stapled to it?

If you struggle like me with all the TOMS shoe-wearing meme-ery going on around the Android camp, you'll be happy to know that each subsequent "major" version of an Android operating system gets a new name, and each new name starts with the next letter in the alphabet.  Froyo begat Gingerbread, which begat Honeycomb (the tablet-only release), which begat Ice Cream Sandwich (F-G-H-I).

Given that, the next Android OS name will begin with a "J", the one after that a "K", and so on.  Which got me to thinking...if I were to be as dopey as possible, what names would I come up with for future Android releases?

The following is the fruit of that labor.


  • J - tough call, but either Jelly Roll or Jujube
  • K - should be Key Lime Pie, but with these people you might well get Kaiserschmarrn
  • L - Ladyfinger?  Maybe, but that ruins tiramisu later.  I'm going with Lemon Bar
  • M - Mincemeat Pie.  Yes, going for stupid intentionally.  Tough to out-stupid "Froyo".
  • N - They like cold stuff don't they.  Neapolitan Sundae?
  • O - would ABSOLUTELY HAVE TO BE Oreo Cookie, but if that would cost them a cent, you'll get Orange Sherbet and like it.
  • P - Peanut Butter Fudge
  • Q - um, let's hope the next great thing is out by then.
Happy Friday.

Thursday, October 06, 2011

On the Passing of Steve Jobs

On the day after the passing of Steve Jobs, it's popular to say what an incredible innovator and pitchman and pioneer he was.  And he was all of those things.  It's also popular to say that his legacy, in the form of Apple Computer, puts him into a league of his own in terms of accomplishments in affecting the technology industry, and society at large.  His importance as an American businessperson cannot be overstated.

Looking ahead though, it's not difficult to harbor grave fears for the long-term future of Apple.  That company lived and died with Steve Jobs, and the truth of that is evidenced by the financial performance and market capitalization of Apple during his periods of tenure versus its performance in his absence.

What made Apple remarkable was Steve Jobs.  That's easy to say but perhaps harder to understand.  Jobs had an unyielding sense of what made a product great, and an almost pathological inability to tolerate anything which fell short of his standards.  He set the bar at Apple, and continued to raise it higher and higher over time.  He was uninterested by bureaucracy, deadlines, investor expectations, or anything else that would result in Apple delivering a less-than-perfect product.  Was he always right?  No.  But, any deficiency in an Apple product - especially a new one - could never be blamed on an attitude of "just push it out now, we'll fix it in the next version."  That is the singular quality of Steve Jobs which, paired with his remarkable ability to envision technology operating in such a way as to be compelling to huge swaths of people, resulted in Apple becoming the largest, most valuable company in the world.  Steve Jobs was bigger than everything other than God, and there's a good likelihood that even God uses an iPad.

And now that's gone.  There's no-one left at Apple who made the name for themselves that Jobs did - there couldn't be.  What does that mean?  Can they really maintain that level of inspiration among Apple employees, and that fierce dedication to quality above all else?  Can they really continue to fan the flames of true innovation indefinitely, as Jobs had, or are we in for a long future of repackaged/reshuffled products in the catalog as it appears today?

To me, this more than anything, will be his legacy.  A leader has many obligations and duties, and one of them is succession.  Has Jobs adequately instilled a sustainable culture at Apple, and has he done a good job at surrounding himself with people who can seamlessly carry on his vision and prepare the next generation of leadership, indefinitely?  Has he really built an Infinite Loop in Cupertino?  Only time will tell.

In the mean time, we will mourn the passing of a technology icon - a man without whom the world as we know it would be a lot worse.  Rest in peace, Steve.

Thursday, September 01, 2011

They Live

Ever since finding out about Google Cloud Print embedded into the Chrome browser, I feel like I'm living in a Sci Fi movie. I've discovered a nefarious secret plot, and nobody else is onto it yet. When you search for information on it, you see nothing but happy people who think it's cool but probably haven't used it.

I tried to use it, and it scares the hell out of me.

Our firewall and proxy servers are pretty well bolted down. They don't allow any traffic we don't explicitly name, and we blacklist a ton of URLs above and beyond what the filtering software blocks. Google Chrome's Cloud Print just works, right out of the chute, in ways that are difficult to track down exactly.

From a firewall standpoint, we were able to shut it off entirely, but through the proxy, it's a far trickier operation. The conversation essentially goes from client to google.com directly. It hops to SSL pretty much right away, meaning you have no idea what's going on from a packet capture standpoint. It's all on port 443, and it just works. A proxy does still see the destination host name in the CONNECT request, so in principle the feature can be denied by host rather than by port, but only if the hosts it talks to are distinct from the rest of google.com that your users need. Google can see behind your firewalls and into your enterprise, using Chrome as a spy agent.

I am not a fan of that for a lot of reasons that should be obvious. I'm even less of a fan of the fact that I cannot cleanly and easily lock down that capability. The options I have are draconian and will definitely result in an internal shit-storm.

Apparently "do no evil" is an increasingly subjective and malleable standard for the Google juggernaut, because this is pretty damned evil.

Monday, July 11, 2011

Everyone's a Cloud Expert

In case anyone wonders why discussions of Cloud Computing are met with such broad skepticism and cynicism, I submit to you Exhibit "B" in the case against the cloud. (Exhibit "A", of course, is the question of "what happens if you, the service provider, end up being terrible?")

This example demonstrates how tenuous a grasp even those selling and advocating cloud technologies seem to have on the concept. They end up prattling on ad nauseam with a collection of garbled nothing-speak that causes the eyes to roll back in one's head.


"Why Cloud Computing Must Evolve" - wait, what? It has barely been born, yet you talk about it as if it were a foregone certainty.

The adoption of cloud computing — with businesses running a significant portion of their applications in the cloud — is on the verge of becoming ubiquitous. This marked increase in the use of the Internet for accessing computing resources will necessitate an evolution in the cloud computing network, which will include accessing public and private data.

"On the verge of becoming ubiquitous." Really! Eddie's in the space-time continuum, you say?


Hogwash.

The rest of the article is a thinly-veiled effort to drum up interest in the author's company, and as an advertising piece goes, it is pretty lackluster. It seems to me that those who will be successful in marketing their product, will be able to do so in simple terms anyone could easily understand.

Thursday, April 28, 2011

That Took Long Enough

It's tough to imagine that it's been eight years since Novell appointed the single least effective C-level officer in the history of modern business, John Dragoon, as its head of marketing. Today, at last, and perhaps far too late, they are free of him.


It's interesting that the chief marketing officer of a (formerly) great technology company like Novell could go 6 months without updating his blog, after having done so fairly regularly at least in the beginning. This speaks to his utter failure to move the needle even the slightest bit despite having all the time in the world and a canyon full of cash to spend.

Novell's best marketers have always been its customers. That is a sad truth, because its customers have no business being the primary marketing vehicle. It was as if Novell was content with the status quo. Rely on a fickle and often under-equipped channel to deploy and maintain increasingly complicated products (a model that should have disappeared with the emergence of NetWare 4 and NDS, since hardly anyone understood what was happening until they attended expensive training); and allow the people who know and use the products - customers - to sell the advantages over Microsoft.

At the time, Microsoft's data-center (ha!) offering was incredibly weak. No-one who did an objective and thorough evaluation of Novell vs. Microsoft for file & print services would have bothered with Microsoft until roughly 2003, at which point it was becoming clear Microsoft was doing a better job of integrating all their stuff, courting developers, and (ding ding ding) marketing - than Novell. Eight years on, John Dragoon's complete and miserable failure is evident. Novell is almost a distant memory, and even the most loyal key Novell employees and customers have jumped into Microsoft's warm waters. And guess what, it's really nowhere as bad as we had been making it out all of those years. Not now it isn't.

Dragoon is far from alone in taking the blame for Novell's inexplicable failure to dominate the enterprise IT microcomputer landscape. The board of directors has installed one feckless leader after another, and none of them seem to understand the value of what they have. Sure, they're good business people and have a lot of relationships, blah blah blah, none of that matters (or mattered, more appropriately) as we can plainly see.

But John Dragoon had a real chance to make a difference and stem the tide. He had the enthusiasm of a lot of passionate people to build upon, all of whom were begging and pleading for Novell to do a better job selling the story into the board room rather than relying on grass-roots, organic growth to occur in every customer's IT shop. The most we got out of him was some magazine ads that looked foreign to even Novell employees. Nobody had any idea what they were selling. It looked like buzzwords in search of problems. In many, many ways, Novell continually missed the mark.

It is sad to see what was a company of such bright people doing such amazing things become a wilted husk of its former self. I am glad to see Dragoon gone, but I know it's too late for it to make any difference. It's hard to know where Novell should go now, but I think we have enough data to know with certainty that this path leads nowhere for them.

Thursday, April 21, 2011

Chipotle!

It was announced today that Chipotle would replace Novell in the S&P 500 index.

No, Chipotle is not some new technology company, or the result of the Novell-Attachmate merger. It's a national chain of fast-casual dining restaurants.

This today as I listen to a former Novell whiz kid and ZEN Master address an audience of CIOs about (gulp) Microsoft products.

How far the mighty have fallen.

Monday, April 11, 2011

Of Smartphones and Sycophants

Naturally, like everyone else in the world, we are faced with the fact that people want to use their own gadgets to do work stuff. The chants are increasing and getting higher up the ladder, which has made for an interesting set of philosophical conversations around the importance of technology to the business - conversations we've never really had.

It started, predictably, with the iPhone 3G. Immensely popular, that was the sound of the first shot so to speak. IT had plausible deniability though - lack of encryption support would undoubtedly result in company data making its way to unscrupulous Russian hackers who walked by with Bond-esque electronic plot devices. With the advent of the 3GS, IT had to work a little bit harder to stem the tide - they would be difficult (i.e. expensive) to manage, and wouldn't have the same controls as our beloved BlackBerries.

But the screens were awesome on these things, and old eyes kept begging..."Please, please give me more than a postage stamp-sized display for my e-mail, since I can only read it at 72pt."

This whole time, RIM was working on their strategy - an iPhone imitator with all the warm fuzziness of BlackBerry Enterprise Server security & controls. "Awesome!" said the IT department, "That'll shut 'em up!"

We were wrong.

The device RIM delivered was called the "Torch", and it sucked. It sucked worse than anything has ever sucked before. How in the world did the brilliant minds at RIM - the people who created the damned smart phone to begin with - end up laying such a huge turd? Who knows how, but they did. It was bad by all accounts, universally decried as slow and clumsy and a really poor effort from a company that appeared to be well past its prime.

Crud.

We didn't even bother buying any - we knew people would hate them and the demands would arise anew, but louder, for iPhones. Oh, and Droids! Don't forget the Android devices! We love them, they tell us, because they have an app that turns my phone into a level and it's "open" - nyah nyah, take that Apple f4nb0yz!

How do you explain to people who are operating at that level, that there is A LOT more to supporting these things than simply pointing them at Exchange ActiveSync? They aren't going to get it, and don't really care.

If only there was another option...

Enter the Windows 7 Phone. or Windows Phone 7. I keep flip-flopping on which I like less. I suppose there were Windows Phones before this one, but I don't know anyone outside of Redmond who used them - and even they seemed to do so grudgingly.

It has the same form factor as the Androids. It has the same pretty display, the same touch-screen feature, the same glossy interface gestures as iPhone, but it's just a little different. It has a number of negatives, to be sure - there aren't nearly as many things you can do with it in terms of App availability (I can't believe I have to capitalize App now so that people know what I mean). But, it is made by Microsoft, which means it should work really well with all this other Microsoft stuff we have. Right? Wait, no...right???!?

Facepalm.

It has Word, which is cool. It has Excel and PowerPoint even, and OneNote - nice. It has Outlook, which works well with Exchange as one might expect. But it trips over itself going the extra mile. Want to read PDF's? Create a Live ID and sign-in - hey, it's good enough for Apple! - even though the app is completely free. So much for appealing to enterprise customers at all.

If Microsoft ever figures out what an incredible platform they have in Windows 7 Phone / Windows Phone 7, it will be a dark day somewhere in Canada where incredibly nice people are failing miserably to make a compelling 21st century mobile device. There are a handful of options, probably not difficult to implement, that would make this consumer "also ran" into the dominant, if not singular option for corporate customers. Which, by the way, are the ones who have all the money.

Windows Phone 7 does a lot of things very well. The interface is well thought out and is a refreshing alternative to iOS. It looks good. You like using it. It's fast, at least on the Samsung and LG devices we've tried. It has a big screen that is easy to read. The camera is brilliant, and the video capture & playback are also fantastic. It does social well, even if you don't want it to.

Old fogies who use BlackBerry handhelds don't give a rip about Apps. That means this device would be perfect for them, because it doesn't have many. If only I could provision them complete with a handful of free apps like Acrobat Reader and settings for our corporate wireless standard over the air, not require Live IDs, and not require Zune for updates. If only I could have them act as if they were on our private network - like BES phones - where our content filter and internal servers would be available to them. If only I could join them to my domain and have them controllable via GPO, or at least use NTLM authentication to our SharePoint 2007 sites (rather than making us re-deploy on 2010 with forms-based options enabled, which we can't do today). If only there were native integration with OCS 2007 or Lync for updating presence, having video chats, etc. If only there were a built-in RDP client.

It's an incredibly powerful platform, but not an especially good phone. If I'm lucky, Microsoft will figure this out and actually leverage it to embrace and reward enterprise customers...because the consumer ship has sailed, and it's flying an Apple spinnaker.

Tuesday, March 08, 2011

To Virtualize Desktops...

...or not to virtualize desktops. That, is the question.

I'm embarking on a journey of discovery regarding all things VDI lately. Our use case scenarios here are probably heavier than normal, and our organization's layout is definitely more WAN dependent than "normal". So we need to find out what is real, what is hype, and what (if anything) will work for us in this space.

Found a good resource here: Validated Design Resources. This is the best collection of technical docs I've found covering NetApp, VMware, and Citrix XenDesktop - on Cisco hardware, which seems a little bit like an odd marriage. You can tell where the funding came from.

VMware View and PCoIP appear to have some real potential for us, especially in the graphics-intensive environments, but it remains to be seen what kind of scalability we would experience given our workloads. More to come as we learn it.

Tuesday, February 22, 2011

Crazy Ivan

We recently had a departure of a senior resource that prompted us to go through all of our administrative passwords for the (frankly, surprising number of) systems we manage and update them.

The great fear and apprehension we and everyone feels about changing root or admin passwords is that it's never really crystal clear - I'm talking about vendor documentation in particular - what might break when you do. Like many small-to-mid size shops, we don't do this very often, because it doesn't add money to the bottom line and we have more work than we can handle just keeping the important stuff running smoothly.

But there is value in the exercise. Not for the stuffed-shirt security-Nazi / audit-police reasons, but because it's easy to lose sight of hundreds and thousands of incremental additions and changes to the network - even if you have a careful change control process.

So we did the password change, and by and large, we did a good job of identifying the important systems we knew to be using the passwords and preparing them accordingly. In one instance, we missed one, but knew exactly what was wrong and were able to quickly find where it had stored admin credentials. Another surfaced later in the week, that shouldn't have been using admin credentials at all. Sometimes, if you're not really careful, a lab effort can go so well that you just move straight into production rather than re-build everything from scratch. Time is money, after all. Easy enough to fix: create a new set of credentials for that system and move on.

That latter scenario - something breaking that never in a million years would have been expected to be using admin credentials - repeated itself twice. The people responsible for it are, interestingly, the people responsible for us wanting to change the passwords in the first place.
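The two surprises above are the whole argument for auditing before you rotate. As an added example (my own, not the tooling the post describes), here is a small pre-rotation scan that walks a configuration tree and reports every file that stores a login for the accounts about to change, so the breakage list is known in advance rather than discovered during the week. The file names, contents and account names (Administrator, sa, svc_monitor) are constructed; it recognises a few common config styles rather than the single case in the post, and it deliberately does not cover Windows services, scheduled tasks or IIS application pools, which a real audit would also have to enumerate.

```python
"""Pre-rotation audit: find where a shared admin login is stored before changing it.

Added example, not the blog author's tooling.  File names, contents and account
names are constructed; point find_credential_refs() at a real config tree in use.
"""
import os
import re
import tempfile

# Constructed sample files standing in for a config tree.
SAMPLE_FILES = {
    "backup/agent.conf": "host=nas01\nuser=Administrator\npassword=hunter2\n",
    "monitoring/nagios.cfg": "check_command=check_nt!-u svc_monitor\n",
    "intranet/web.config": '<add name="db" connectionString="Server=sql01;User ID=sa;Password=..." />\n',
    "lab/deploy.ps1": "$cred = New-Object PSCredential('CORP\\Administrator', $pw)\n",
    "docs/readme.txt": "Ask the Administrator for access.\n",
}

# Patterns that capture an account name as stored by common config styles.
# Prose mentions of the account ("Ask the Administrator") deliberately do not match.
ACCOUNT_PATTERNS = [
    re.compile(r"(?i)\b(?:user(?:name)?|user id|uid|login|bind_dn)\s*[=:]\s*['\"]?([^'\"\s;]+)"),
    re.compile(r"PSCredential\(\s*['\"]([^'\"]+)['\"]"),
]


def build_sample_tree():
    """Write the constructed files into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="credaudit_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def find_credential_refs(root, watched_accounts):
    """Walk root; return sorted (relative_path, account_as_written, line_no) for
    every stored login whose bare name (DOMAIN\\ prefix stripped) is watched."""
    watched = {a.lower() for a in watched_accounts}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    lines = fh.readlines()
            except OSError:
                continue                # unreadable file: skip, don't abort the audit
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for lineno, line in enumerate(lines, 1):
                for pattern in ACCOUNT_PATTERNS:
                    for match in pattern.finditer(line):
                        account = match.group(1)
                        if account.split("\\")[-1].lower() in watched:
                            hits.append((rel, account, lineno))
    return sorted(hits)


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, account, lineno in find_credential_refs(root, ["Administrator", "sa"]):
        print("%s:%d uses %s" % (rel, lineno, account))
```

On the constructed tree it flags the backup agent, the intranet connection string and the lab deployment script that quietly went to production, and ignores the monitoring config (a dedicated service account) and the readme (a mention, not a stored login). Every hit is a system to prepare, or a candidate for its own credentials, before the Crazy Ivan.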

In the movie "The Hunt for Red October", the captains of Russian submarines would spontaneously make a sharp turn in one direction or the other. This prevented them from getting a false sense of security - the natural tendency when everything is going well to consider it a result of intention rather than chance. "If it ain't broke, don't fix it." The maneuver was called a "Crazy Ivan", and an experienced U.S. submarine crew knew to expect it and keep following undetected - but only if they knew which way to turn.

If it's been a while since you've changed admin passwords, consider doing a Crazy Ivan of your own - not because you should distrust employees, but because you should distrust your ability to remember whether or not everything you put into production is following best practices.

Friday, January 07, 2011

The Year of the Pad

It doesn't take a genius to figure out that 2011 will be the year of the tablet computer. Some people still think this means Windows-based tablet edition PCs or laptop hybrids/convertibles, but it really means the NEW tablet - Pads.

My worst fears have become a reality - the iPad has been ridonkulously successful and has spawned an entire industry of me-too Johnny-come-lately impersonators. So reality being what it is (inescapable), we'll have to adjust.

CES this week showcased Google's latest Android OS, which is being called Honeycomb in a manner consistent with their irritatingly quirky penchant for naming their releases. Froyo is as stupid to say as it is to write, and whoever had that idea should be punched someplace tender for a few hours (or at least once for every time an IT executive has been forced to use the term).

Its goofy name aside, it did look impressive in the live demo. It was running on Motorola hardware, and one would fairly imagine that any and every Apple competitor will be cheaper than Big White. If the ActiveSync support is good, well, it's hard to say no.

In quite an about-face, we've actually been talking about supporting these things. Even down to the iPhone. There have emerged some very compelling business apps that bring a sort of Star Trek futurism into the present day. It's amazing how powerful information can be when it is easy to access and truly portable. If only wireless networks were worth a damn. There are a couple of SharePoint apps that do a fantastic job of presenting collaboration spaces in Apple's intuitive (and almost ubiquitous now) touch interface. With iOS at least, handling PDFs and Office document types requires no configuration at all. Modifying lists is simple and fast. And if all else fails, you just fire up Safari and do things the old fashioned way.

I would still not personally pay for an iPad, but if the company provides one, I'm confident I would be able to replace my laptop with it for daily use. Or perhaps go to a modest desktop configuration and travel only with the iPad. I've done enough testing with it to have become used to them, and my shoulder / back would definitely appreciate it. The apps are 95% there, and improve far more rapidly than their shrink-wrapped counterparts. For all the concerns bandied about, I really do see these as far easier to manage than traditional computers. In the right environment, they would be a brilliant way to augment virtual desktop initiatives.

Some polls show people flocking towards standardization as if that is what IT needs to be able to effectively manage these devices. I can't personally see why that would be the case unless you plan on doing A LOT of development - certainly far more people advocate standardization than I imagine really need it. ActiveSync with Exchange 2007 or later is really adequate for most small-to-medium organizations right out of the box, and it puts the onus on the device - not the admin - to work properly. The most IT would NEED to do is plainly state which OS platforms and versions it wants to support based on their risk profiles.
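Stating which platforms and versions you will support, and having ActiveSync enforce it rather than the admin, looks like this in the Exchange Management Shell. This is an added example, not from the original post: the mailbox policy cmdlets exist on Exchange 2007 and later, while the device access rules and the quarantine default need Exchange 2010 SP1. The policy values, the admin mailbox and the DeviceOS/DeviceType strings are assumptions; take the real strings from Get-ActiveSyncDevice on your own servers, since the rules match them exactly.

```powershell
# Added example, not from the original post. Exchange Management Shell;
# device access rules require Exchange 2010 SP1. All names and values are
# assumptions to adapt to your own environment.

# Baseline every device must honour. Devices that cannot enforce the policy
# are refused (AllowNonProvisionableDevices $false) instead of quietly
# syncing without a PIN.
Set-ActiveSyncMailboxPolicy -Identity "Default" `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeLock 00:05:00 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# Anything not covered by an explicit rule is quarantined and the admins are
# told about it, so a new OS version shows up as a ticket, not a surprise.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "mobile-admins@example.com"    # placeholder address

# The supported-platform statement itself. QueryString must match what the
# device reports, character for character.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS   -QueryString "iOS 4.2.1 8C148" -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "Android"         -AccessLevel Block

# See what is actually connecting (and what got quarantined) before tightening further.
Get-ActiveSyncDevice |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceAccessState |
    Sort-Object DeviceOS
```

Allow rules pin a version string, so each OS update from the vendor means a new rule or a quarantined device; that is the trade-off for letting the server, rather than a standardization project, decide which devices are in.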

The only constant is change. Customers first. Antidepressants are fun!

You're Being Throttled

One of the things you become aware of when you buy more internet bandwidth than you need is that no matter how fast your connection is, the other side is probably throttling you down. Big sites do this all the time - we have 50Mbps here, and a single download will rarely exceed 6-7Mbps from Microsoft, VMware, Novell, IBM, etc. as we get patches or ISOs for products. There is a point at which, no matter what, your downloads will not get any faster. It's not a CPU, memory, or LAN bottleneck on your firewalls, not a latency issue, and protocol overhead is nowhere near 70% of the pipe - nothing but simple traffic control implemented at the far end.

Never turn down more bandwidth for less money if you can get it, but definitely be cognizant of the fact that if you're not using all the bandwidth you have today - even during spikes - things won't get faster just because you buy more. If you have a big pipe and internet sites still aren't fast enough, it's probably out of your hands.
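One thing worth ruling out before concluding the far end is shaping you: a single TCP connection can never exceed its receive window divided by the round-trip time, and with a 64 KB window (the most TCP can advertise without window scaling) an 80 ms path tops out at about 6.5 Mbps no matter how big the pipe is. The script below is an added example, not from the original post. It computes that ceiling from the measured RTT, then pulls the same file with one stream and with several parallel streams: if the aggregate scales with the stream count, the limit is per connection (window or per-connection shaping at the far end); if it does not, the path or the far end's total allowance is the limit. The URL and the sample size are placeholders, and the server must honour HTTP Range requests or each job will fetch the whole file.

```powershell
# Added example, not from the original post. $Url and the 50 MB sample size
# are placeholders; point $Url at a large file you are entitled to download.
$Url        = "http://example.invalid/large.iso"
$Streams    = 4
$RangeBytes = 50MB

# Ceiling for one TCP stream: receive window / RTT, in Mbps.
function Get-WindowCeilingMbps {
    param([int]$WindowBytes, [double]$RttMs)
    [math]::Round(($WindowBytes * 8) / ($RttMs / 1000) / 1e6, 2)
}

# Download the first $Bytes of $Url with $Count parallel jobs and report the
# aggregate rate. Job start-up is inside the timing, so keep the sample large.
function Measure-Streams {
    param([string]$Url, [int]$Count, [int]$Bytes)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $jobs = 1..$Count | ForEach-Object {
        Start-Job -ArgumentList $Url, $Bytes -ScriptBlock {
            param($u, $b)
            $req = [System.Net.HttpWebRequest]::Create($u)
            $req.AddRange(0, $b - 1)                  # first $b bytes only
            $resp = $req.GetResponse()
            $in   = $resp.GetResponseStream()
            $buf  = New-Object byte[] 65536
            $total = 0
            while (($n = $in.Read($buf, 0, $buf.Length)) -gt 0) { $total += $n }
            $in.Close(); $resp.Close()
            $total                                    # bytes this job received
        }
    }
    $received = ($jobs | Wait-Job | Receive-Job | Measure-Object -Sum).Sum
    $jobs | Remove-Job
    $sw.Stop()
    New-Object PSObject -Property @{
        Streams = $Count
        Mbps    = [math]::Round(($received * 8) / $sw.Elapsed.TotalSeconds / 1e6, 2)
    }
}

$target = ([uri]$Url).Host
$rtt = (Test-Connection -ComputerName $target -Count 4 |
        Measure-Object -Property ResponseTime -Average).Average
"RTT to {0}: {1} ms; one-stream ceiling with a 64 KB window: {2} Mbps" -f `
    $target, $rtt, (Get-WindowCeilingMbps -WindowBytes 65535 -RttMs $rtt)

Measure-Streams -Url $Url -Count 1        -Bytes $RangeBytes
Measure-Streams -Url $Url -Count $Streams -Bytes $RangeBytes
```

If four streams land near four times the single-stream figure and the single-stream figure sits near the computed ceiling, the RTT and window are the limit and a client with window scaling will do better; if the single stream beats the ceiling but still stalls at the same number every time, that is the far end's per-connection cap; if the aggregate refuses to climb at all, the far end is capping you in total and more bandwidth on your side will not help.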

Thursday, January 06, 2011

If you think about it...

...GUIs like Windows and the original Mac OS pretty much destroyed any real ability a company had to secure its data from walking away. Going back in time, the last instance I can think of where information was not portable was in custom apps or databases on character-based terminals or PCs. Of course you could argue that the dot matrix printer was probably the real death knell of information security in distributed computing. It's not like you could lock that stuff down back in the day.

In modern times though, the ability to cut & paste in browsers, command prompt windows, etc. means you have to jump through enormous hurdles to institute a truly read-only level of access to your data - one where it exists only inside an application and can only be read on-screen. If it's possible at all (it may be, and I just don't know what products one would use to perform the Windows surgery needed to disable any cut/paste ability anywhere).

All of the effort an administrator could go through would still be vulnerable to something that renders the measures moot - a screenshot, a camera phone pointed at the monitor, or a pen and paper - either that, or you have so greatly impacted user productivity that the question becomes why let them come to work at all?

Just once in a while it seems like it would make sense if it were at least a little easier for companies to say "you can see this, but you can't do anything else with it" - especially in browser based apps. Yes it may be possible with a lot of custom coding or third-party products, but they're all essentially working around a fundamental oversight in information security inherent to GUI's. Can't we patch that? Like a GPO setting that disables the ability to select text in a DOS window on a per-user basis, or that disables text selection per-user or per-URL wildcard entry in a list. I bet people would use it if they had it.

Computers - especially networked systems - are inherently insecure. Data breaches and loss should really be expected, frankly. If your data is really that valuable, don't put it on a computer. At least not until OS manufacturers start to take it seriously.