A year ago, at his first BlackBerry Live, according to BlackBerry President and CEO Thorsten Heins, many people told him that it would be his -- and the company's -- last. As Heins went on to say, they were wrong.
Here at BlackBerry Live 2013 in Orlando the company had an upbeat story and lots of news.
The sharks are in the water smelling Microsoft blood. It's the company's "New Coke" moment. Windows 8 is too little too late (hey, that rhymes).
Over the years Microsoft has had a number of true product failures, genuine losers, but fewer than you'd think. I'd certainly count Microsoft BOB as one of these; BOB was an attempt at a cartoony, fun interface to Windows that was laughed off the market in short order. (Microsoft reps told me at the time that the focus groups loved it.)
After a year-and-a-half on an iPhone 4S, I'm now on the current cutting-edge of smartphonery: Samsung Galaxy S4. I've used the phone for almost 3 days now. It's good. I'm excited. Are there any ball games on tonight?
Where was I? Oh yeah, the phone. I'm so excited that I could...do something that excited people do. Honestly, it's a phone. It's a very nice phone with some great features, a great physical design and a lot of bling features that I'll probably never use. I can believe it's the best of the Android phones, but I haven't tested all the others.
Editor: This weekend, esteemed radio program "This American Life" aired "Retraction" -- a stunning refutation of its most popular episode ever -- "Mr. Daisey and the Apple Factory", which aired on January 6. A "Marketplace" investigation has revealed that Mike Daisey fabricated or exaggerated aspects of the stage play upon which the segment is based. In April 2011, long before the TAL episode aired and the Apple controversy and protests following it, Larry Seltzer attended the stage play and expressed doubts about the presentation's accuracy. We reprint his review, which takes on stunning prescience in context of TAL's retraction.
I had no idea what I was going to see when relatives took me out in Washington DC to see The Agony and the Ecstasy of Steve Jobs starring -- exclusively -- Mike Daisey. I didn't expect a political polemic. I'm still not totally sure what to make of it. Daisey's style is a monologue, a combination of storytelling and lecturing, just him on the stage. It was a hell of a performance and this was his second show that day.
The hallmark of effective security in any field, especially computers, is defense-in-depth. There is always a way around any particular defensive measure, so you need multiple defenses in order to stop attacks with a high level of confidence. Large organizations are full of multilayered defenses, but they are no less essential to small businesses.
It's never big news, but small businesses get hit all the time by cybercrime. Reporter and analyst Brian Krebs has many stories of small businesses that fell victim to attacks, losing hundreds of thousands of dollars. Specialized malware (malicious programs) named Zeus and SpyEye find ways to get into your bank accounts and steal your money. In some cases, businesses have sued their banks to get their money back, but the courts have sided with the bank. It's the business's responsibility to secure the access the bank has given to the account.
Microsoft contacted me about yesterday's story on Metro-style apps only being available at the Windows store. One of the prominent facts in the story, which I got from Microsoft presentations, was that they would be taking a 30 percent cut of app proceeds from the store.
Turns out it was all a big mistake. The reference to a 70/30 split "...was actually a placeholder we neglected to remove (realize it was a mistake). We will have more to share about economics when the Windows Store goes live", according to a Microsoft spokesperson. Can you believe that? Editor: No.
Apple sets the standard and Microsoft follows; has this ever happened before? The new example is that Metro-style apps will be sold only through the Windows 8 Store with the now standard 30 percent cut going to the house. Enterprises and developers will have ways to install their own apps, but you can't just sell to others without going through Microsoft. The result will be a much more secure 'ecosystem'.
It's all explained in a Primer for current Windows developers about Metro-style apps and the Windows Store:
It really should have been obvious, but in case you were confused, ARM versions of Windows 8 will not be able to run x86 apps and vice-versa. In fact, Microsoft has said as much in the past. This is a model Microsoft has used unsuccessfully in the past, but are things different now? Will ISVs make more than one binary?
Vague talk about the universal nature of Windows Metro apps led some to assume that such apps will run on any Windows 8 installation, either ARM- or x86-based. This is not the case. Metro apps will be composed either of x86 binary code or ARM binary code, and each can only run on the appropriate CPU.
Security vendors will have an increasingly hard time making a case for expensive subscriptions as Microsoft keeps pushing Windows to be "secure enough" out of the box. Windows 8 adds a number of impressive features that really should make a difference in the "ecosystem".
The main feature chart for security improvements in Windows 8 is described by the ubiquitous Steven Sinofsky of Microsoft in this blog entry entitled "Protecting you from malware".
Digital certificate problems are much in the news, owing to the scandal over compromised certificate authority DigiNotar, but the more common certificate problems are much simpler and more confined. Large, complex organizations often have trouble keeping track of all their certificates.
It's surprisingly common to find management of external CA-issued digital certificates to be decentralized and unorganized. Different groups buy them for different sites and some guy keeps track of them, including minor details like the private keys and expiration dates, in an Excel sheet. One day when he falls through a manhole or leaves for another job, what's going to happen? You may not even remember about it until one of the certificates expires and users start getting errors. "I think that file was somewhere here in his network folder..."
It's received wisdom in software development generally that you don't write your own code when a perfectly good implementation is there for the taking. It's the old saw about reinventing the wheel. But it's especially true of cryptographic code. Windows programs that utilized the OS standard crypto functions got fast and automatic protection from the rogue certificates distributed during the DigiNotar scandal.
Over the last couple of weeks, as stories about the hacking of certificate authority DigiNotar increased, various companies retracted their trust and the Dutch government stepped in. Given that the criminal who did the hacking announced the fact himself, it was potentially too late for anyone to protect themselves, but time is still of the essence in such matters.
The security requirements for certificate authorities have so far been, well, there haven't been any. Mozilla is now attempting to impose some and giving CAs precious little time to come up to standard. Could the Mozilla "death sentence" be imposed?
Mozilla's letter to certificate authorities demands some significant information by September 16, 2011, the end of next week. While the letter says nothing about breaches, we know from the EFF's SSL Observatory project that many certificate authorities aren't sticklers for detail when it comes to security issues.
The hacker who breached the DigiNotar certificate authority has come out, or at least claimed to. He appears to be the same hacker who breached Comodo, another CA, several months ago. (Hat tip to F-Secure.) "COMODOHACKER" seems to have a problem with the Dutch government.
He claims to have gotten past numerous sophisticated protections in DigiNotar's systems, the details of which he will divulge later, and that he retains inside access to four other "high-profile" CAs and can still issue rogue certificates from them. He also claims that the password for the PRODUCTION\Administrator account (the domain administrator of the certificate network) is "Pr0d@dm1n".
It has been obvious for some time that Google's app standards for Android are lenient, to say the least. That's why Android is the favored platform for mobile malware. But it turns out that Chrome extensions are a huge and similar problem that I'm beginning to really worry about.
When Android phones started coming out Google had a lot of catching up to do. Back then there was a lot of mindless talk about how many tens of thousands or hundreds of thousands of apps a phone had. Obviously 200,000 apps is twice as good as 100,000, right? The way Google structured their app system for Android seems to me to be designed to maximize the number of apps by making it cheap and easy to create and distribute them. And this happens at the expense of security.
If only there were a way to keep up to date automatically on vulnerabilities and have Windows apply patches to the important ones. Secunia's Corporate Software Inspector (CSI) 5.0 lets you do that, applying even your 3rd party software updates through Microsoft's WSUS (Windows Software Update Services) and SCCM (System Center Configuration Manager).
I've been complaining for years that Microsoft should open up the Windows Update process to third parties. Secunia has filled in most of this gap with their Personal Software Inspector (PSI) for individuals and CSI for managed networks.