Signaling IT Ziff Davis Enterprise
Thursday, May 15, 2008 8:14 PM/EST

The Port of Richmond Is Watching

This week, I took a tour of the port of Richmond, Calif., where ADT Security Services was showing off the brand-new video surveillance system it put together to monitor the port against intruders, theft or possible terrorist action -- utilizing an all-wireless network to move data from all the cameras back to the centralized video analytic equipment.

Monday, May 05, 2008 9:00 PM/EST

Expanding the Reach of Least User Privilege

For several years, I've been a big proponent of operating Windows-based desktop computers in a Least User Privilege mode, removing Administrator (or Power User) rights from end users so they cannot install unapproved applications (or unwanted malware). However, instituting such a policy throughout an enterprise is not the easiest thing in the world because many applications still require administrative rights to run correctly and some power users need to do more (unpredictable) things to their computers than the average user.

BeyondTrust addressed the first problem a few years ago with its Privilege Manager application (formerly known as DesktopStandard's PolicyMaker Application Security), which helps administrators change the privileges token of a process or application via centralized policy-based controls. This allows, in a nutshell, a limited rights user to run certain preapproved applications with administrative rights on those applications only.

In the years since the product first came to market, BeyondTrust has heard about the second problem many times. According to a survey the company conducted among its customers, two-thirds of those asked had been able to remove administrator privileges from 90 to 100 percent of the users in their organization. Of the remaining third of its customers, however, BeyondTrust found that special use cases -- users such as system administrators or developers, or laptop computer users -- were generating too many support calls to be effectively pulled into the Least User Privilege initiative.

As a response, the latest iteration of Privilege Manager looks to squarely address those special use cases, as Version 4.0 adds a series of new features aimed at easing administration amid the unpredictability generated by these users.

First of all, Privilege Manager adds another way for administrators to batch-approve software from a particular vendor. Administrators can approve rights escalation for applications or installation packages based on the digital certificate used to sign the code. An administrator can simply allow the system to escalate rights for any Microsoft signed application, for instance.

With Privilege Manager 4.0, administrators can also approve privilege escalation for software that comes from a particular CD or DVD, as administrators can approve the serial number of a particular piece of media. This allows administrators to control the flow of new software installations in remote instances, sending out a preapproved disk full of new applications or updated versions of existing ones.

The best news for users, however, is that Privilege Manager 4.0 allows approved users to perform on-the-fly exemptions at their discretion. Users can right-click an application or installation package, and see a new context menu item that allows a temporary privilege escalation. Administrators can audit the use of this exemption by asking the user to type in a reason for the request and by requiring the user to enter a password before the escalation can take place.

Privilege Manager 4.0 also looks to extend some of the native features of Windows Vista. BeyondTrust already did some work in Version 3.5 to tone down the chattiness of Vista's User Account Control feature, and now in Version 4.0, BeyondTrust has extended the security afforded by Vista Integrity Levels to applications other than Internet Explorer. In essence, with Vista Integrity Levels, a process with Low Integrity cannot interact with processes rated Medium or High Integrity (but a High Integrity process can interact with anything with a lower rating). According to BeyondTrust representatives, a standard Vista user will normally run all applications with a Medium Integrity level -- except for Internet Explorer, which operates with a Low Integrity level (enabling IE Protected Mode).

In a WebEx demonstration, BeyondTrust engineers showed me that the Integrity Level protection could be extended via policy to any other Internet-facing application, so administrators could lock down the behavior of Mozilla's Firefox browser in the same way that IE is protected.

Thursday, May 01, 2008 4:09 PM/EST

Interop's WLAN Architecture Debate

At the Interop conference in Las Vegas May 1, I sat in on a pretty fascinating panel discussion called "The Great WLAN Architectural Debate" that brought together representatives from five enterprise-grade wireless LAN companies -- ostensibly to compare and contrast their technology with that of their competitors, particularly in regard to 802.11n. Moderated by IDC's Abner Germanow, the discussion allowed each vendor the opportunity to highlight its differentiators on both the wired and wireless sides of the network -- and to take some pointed potshots at its competitors in the process.

The panelists were:

Kurt Sauter - Xirrus

Keerti Melkote - Aruba Networks

Luc Roy - Siemens

Adam Conway - Aerohive Networks

David Confalonieri - Extricom

Below is my perception of what was said during the panel. It's not a direct transcript, since I don't type nearly fast enough for that, so I may have missed some points here or there. Nonetheless, what follows captures the spirit of what turned out to be a fascinating and lively debate.

Tuesday, April 29, 2008 12:46 PM/EST

AirMagnet's 802.11n Planning and Analysis Tools

As anticipated, the first WLAN planning and analysis tools made their way into the light at the Interop show in Las Vegas, as AirMagnet announced 802.11n support for both its Survey Pro and Laptop Analyzer Pro applications. Full 802.11n analysis will require new hardware, so AirMagnet also announced its new Wireless PC Card.

All three products can be purchased as a package for $7,305 or separately: Laptop Analyzer Pro ($3,995), Survey Pro ($3,695) and the Wireless PC Card ($150). Fortunately, current customers of Laptop Analyzer Pro or Survey Pro with up-to-date service contracts can download the 11n-capable versions for free.

AirMagnet's tools try to blend the theory and the practice of 802.11n wireless networks, including tools that aim to provide its customers with theoretical advice on 802.11n propagation in order to help them purchase the right 11n-capable infrastructure devices and then the right tools to manage and troubleshoot the network after it is deployed.

For instance, Analyzer Pro includes a Device Calculator that allows wireless administrators looking to buy new 802.11n equipment to enter the configuration options they would like to use (like short guard interval, channel width, frame size and protection scheme) -- and then the tool will spit out characteristics like maximum data rate, number of spatial streams and modulation coding schemes supported by various vendors. Of course, this information is based on the specifications published by the vendor rather than real detections, so expectations should be tempered.

Predeployment, wireless administrators can also scan their existing legacy networks to build a good map of current coverage and then drop in simulated 11n access points to the network to predict the impact of the new devices when placed in various locations.

AirMagnet is pushing the predeployment use of active surveys, in which the survey machine joins and actively uses the wireless LAN while conducting the scan. Passive surveying will be insufficient for 802.11n networks because a passive scanner cannot accurately measure the effects of spatial multiplexing used by MIMO (multiple input, multiple output) technologies or for devices using beam-forming antenna technologies. AirMagnet's tools can also provide different information based on the intended usage scenario -- whether the network will be deployed supporting only 802.11n or, more likely, with support for legacy devices.

For use once 802.11n is deployed, AirMagnet introduced tools like Analyzer Pro's Efficiency Tool, which helps the wireless administrator determine where the network is not operating in High Throughput mode and gives detailed explanations of the various 11n features and options that could be causing the problems. AirMagnet's tools also include a copy of the NLANR (National Laboratory for Applied Network Research) Iperf throughput measurement tool, so administrators can conduct on-the-spot performance measurements.

All three products should be available on May 6. I will provide an update on how the products perform in the labs once I can get my hands on them.

Wednesday, April 02, 2008 3:31 PM/EST

Using and Installing Yahoo! OneSearch Voice

As promised, here are some screen shots of Yahoo! OneSearch Voice in action on an AT&T Blackberry Pearl 8120.


Install was pretty simple. Went to http://m.yahoo.com/voice, clicked yes to a couple things and the install went ahead.

One troubling note was this disclaimer on the install page that deserves more investigation later on: "For devices that support WiFi, please make sure to turn off the WiFi option before starting the application."


I chose not to change permissions on the device at install time, so I was instead forced to approve the changes the first time I ran OneSearch.


I learned quickly that I had to hold down the Call button while speaking. Once I discovered that little detail, I was able to speak into the phone to find the status of a flight (that I am not going to be on) or look for a Sushi restaurant in town (I actually ate at the first restaurant listed last night - the Unagi was spectacular.)

What was startling about OneSearch Voice was how quickly I was able to get going with the application. Having spent a lot of time with Dragon voice recognition software recently, I was expecting there would be some period of training to accustom the software to my voice. But there was none at all. The first two questions I asked it (while holding the button down, of course), I got exactly the results I was looking for.

OneSearch Voice is available now for Blackberry devices, and Yahoo! expects to have the software available via operators on new devices sometime this summer.

Wednesday, April 02, 2008 12:39 PM/EST

Live-Blogging the Yahoo Mobile CTIA Keynote

Wednesday at the CTIA show in Las Vegas, Yahoo! Mobile's President Marco Boerries will be giving a keynote speech "articulating the company's vision for leading and enabling the global mobile ecosystem." According to the early press notification I received, Boerries will talk about new "game-changing" innovation to Yahoo! OneSearch.

Below is a live-blog account of the keynote:

Tuesday, April 01, 2008 3:30 PM/EST

Sprint and the Samsung Instinct

Today at CTIA, I got to spend a few minutes with the new Samsung Instinct smart phone, which is coming soon to the Sprint Network.


Enabled for Sprint's EvDO Rev. A data network, the Instinct is Samsung's attempt at the iPhone form factor, including the full touch-screen capability (for navigation and virtual keyboard). Samsung has added haptic feedback to the functionality, so the device offers some tactile feedback to the user when an action is triggered via the touch-screen.

"What's that grinding?" was my not-too-tactful question when I first felt the device quiver in my hands.

Personally, I've never really thought that forced feedback was going to improve my interactions with a touch-screen. It's not like it will tell me adequately whether I've typed the letter "a" or fat-fingered an "s" instead, which tends to be the kind of problem I have with virtual keyboards. (I never liked forced-feedback on joysticks either, but that is another story.) Instead, I just sit there, device vibrating in my hand, thinking about how much battery power is getting wasted.

On the other hand, I think I will really like the customizability of the Instinct. The Instinct has three physical buttons near the bottom of the device--Home, Phone and Back. The Home button can toggle between a few different menus--Favorites, Main, Web and Fun--and the Favorites menu is user customizable, so I could easily configure it with the applications I use most. Pretty slick.

Some stats and features on the Instinct:

- 2.17 x 4.57 x 0.49 inches

- 4.4 ounces

- 3.1 inch TFT (240 x 432 pixels)

- rated for 5.75 hours of talk time

- GPS (Telenav)

- 2.0 MP camera

- MicroSD slot (up to 8GB supported)

- Advanced Stereo Bluetooth

Sprint expects the Instinct will be available in June, but pricing is not yet available.

Thursday, March 20, 2008 3:25 PM/EST

VON.x Wrapup

I just wrapped up a two-day visit to the VON.x telephony show in San Jose. Below are some of the highs and lows from my experience at the show.

Most Lively Booth: BroadSoft

BroadSoft, a company that makes VOIP platforms and applications, then resells them to carriers and ITSPs (Internet telephony service providers), was at VON to talk about a new development effort called BroadSoft Xtended. In essence, BroadSoft has put together a snazzier and simplified interface for its old development APIs and protocols, and invited third-party developers to create applications to work with the platform.

The program's genesis was last summer when someone developed Unified Connector for Salesforce.com integrating BroadSoft's communications services directly into the CRM service -- allowing users to place and manage calls directly from customer records. Basically, this mashup sparked a flare within BroadSoft suggesting where to next take the platform.


Among the new applications for BroadSoft that were on display in the booth were ACT! by Sage, an even more fully featured communication integration into ACT! software; a Facebook widget allowing users to place a "CallMeNow" button on their Facebook pages; and SimulScribe, a voice mail-to-text translation service.


Of course, users can only really reap the benefits of these integrations if they are customers of one of the service providers powered by BroadSoft, but as Director of BroadSoft XTended Marketing Michael Lauricella boasted, BroadSoft powers over 300 ITSPs worldwide, including seven of the top 10 (and 13 of the top 25) globally. It looks like nine service providers are on board already (including SimpleSignal), with many other interested parties currently in discussion now.

Best Single Demo: D2

D2 Technologies, a company that generally makes low-level VOIP software for chip implementations (protocol stacks and the like), was showing the newest fruits of its mCUE Mobile Convergence Software Solution. Representatives demoed for me a mobile contact manager solution that was above and beyond anything I'd seen before.

Every time the user logs in to a communication service (such as GMail, AIM, e-mail or an enterprise directory) the software would add the user's contacts to the mCUE contact list. Over time, the user builds an über contact list, and under every contact is each of the contact's different personalities. So if I wanted to contact my colleague Cameron Sturdevant, I would select his name and a submenu of his available personalities would pop up on screen, allowing me to decide whether to AIM him, e-mail him, send him a text message or simply call him at any of the numbers I have on file.

I'm probably not doing it full justice here, but it was really slick.

Unfortunately, at this time, D2 is only working on Linux platforms, with Windows Mobile and other mobile operating system availability depending on customer demand. Bodes well for future Android users, I suppose, but leaves pretty much everyone out in the cold for now.

Best About-Face: Digium

In past VON conferences, Digium has extolled the Asterisk Appliance and AsteriskNow as the next big things from the company. Neither was to be seen anywhere at the show. Instead, Digium wanted only to talk about Switchvox, the Asterisk-appliance maker it bought last fall.

I have to admit, I've been pretty curious about Digium's purchase of Switchvox, since it already had so many distributions of Asterisk in the works already. Now, admittedly, the Switchvox management GUI was really nice when I looked at the product a couple years ago, and apparently there are a lot more features in the newest version, Switchvox 3.5. But I wanted to know exactly how Digium was handling the different versions it has to offer.

From the looks of things, Switchvox is going to be the new path forward on the open-source side of things for a full distribution (the actual Asterisk binaries for the central software will of course still be available as well.) For companies looking for indemnity, Asterisk Business Edition is still available and being actively developed for.

But what about those hardware and software appliances?

Apparently, the Asterisk Appliance is still being sold where applicable, but I didn't get the sense there was much activity from partners looking to adopt the device -- which was the whole point of developing the device in the first place.

On the other hand, it really seems like AsteriskNow is a lame duck, even if Version 1.0.2 did just come out last month. Mark Amick of Digium's Business Development group basically stated that the developer community hadn't embraced it, and without that community support, Digium had to look at going another way. So now there is a Switchvox Free Edition.

Best Tagline: iRobot and Trinity Convergence

iRobot and Trinity showed me their collaboration project: a social proxy/surveillance robot called the ConnectR Virtual Visiting Robot. iRobot outfitted a Roomba with a video camera, speakers, a microphone and a Wi-Fi radio (instead of a vacuum), while Trinity provided a Web-based management console and NAT tunneling software to remotely access and drive the robot (and its components).

When Bryan Adams, iRobot's research program manager for Home Robots, told me, "It's a whole new way of interacting with your pets or your kids," I thought perhaps we'd hit a new low in absentee parenting.

Pretty cool watching it roll around though.

Wednesday, March 19, 2008 2:16 AM/EST

Polycom Entices Small Business to Voice over Wi-Fi

At the VON.x conference in San Jose, Calif., Polycom let me play with their latest voice over Wi-Fi phone -- the Polycom SpectraLink 8002 Wireless Telephone. Intended for small-business customers, the phone is intended to be easier to set up and manage -- and cost significantly less -- than its higher-end SpectraLink cousins.

Designed to work with SIP-based voice systems, the 8002 has been certified interoperable with Digium's Asterisk Business Edition IP PBX and is expected to work just as well on any of the other Asterisk distributions available nowadays.

The 8002, which costs $349 (or $399 with a dual charger and an extra battery), weighs in at 4.2 ounces and is rated for 3 hours of talk time or 50 hours of standby time.


The Wi-Fi radio in the 8002 is only 802.11b, so the customer needs to make sure legacy protocol support is enabled on the Wi-Fi network. Built to work easily on the consumer-grade access points often found in the smallest businesses, the phone also only supports WEP and the PSK versions of WPA or WPA2 for wireless privacy. And for wireless quality of service, the 8002 supports WMM but not the SVP protocol that SpectraLink pioneered for higher-end wireless networks.

Device configuration looks like it can be done a couple of ways, but honestly it seemed like none of the Polycom people I talked to at the show quite knew the full story. Here's what I can decipher:

  • The phone supports TFTP, so the SIP configuration can be downloaded directly to the phone when it joins the network.

  • Wireless network configuration can be done either directly on the handset via the keypad or, alternatively, via a PC when the phone is connected to an administrator dock that is USB-tethered to the computer. It does seem that this admin dock is a different device than the charging cradle that comes with the phone.

Polycom also claimed that the 8002 offers text messaging via support for Open Application Interface v2.0, but they did not have this feature set up on the demo unit I played with, so I cannot verify this at this time.

Polycom's people also briefed me on the same video integration with Microsoft's Office Communications Server 2007 and IP application suite that Paula Musich reported on. I won't rehash, but will add a couple of additional details Polycom provided in response to my questions:

  • The suite of applications will only work on Polycom's SoundPoint IP 550 and 650 phones for the time being.

  • The call recording capabilities do not yet include any kind of audio notification to the participants on the call, but the feature has been requested and development is in the works.

Monday, March 17, 2008 6:34 PM/EST

BeyondTrust Roots Out Bad Apps

BeyondTrust is all about solving problems that perplexed me six years ago. And I mean that as a compliment, since no one else has really addressed those problems in all this time.

Before I came to eWEEK in 2003, I worked at an IT consulting firm serving small businesses in and around San Francisco. One of our hallmarks was an early encouragement of the practice that later became known as "Least Privileged User." Basically, we persuaded a lot of clients to have their users run only with local User permissions, rather than with Administrator rights.

As a result, our customers had a lot less trouble with viruses, spyware or unwanted applications. Of course, we also had to make work all the applications they needed to use on a day to day basis -- and we ran into hundreds of applications that wanted Administrator rights, often for pretty banal reasons ("We write our preferences file in the c:\Windows directory!")

Identifying those applications that would have a permissions problem was kind of a crap shoot and I spent hundreds of (non-billable) hours poking around various apps and watching other people over their shoulders. It was hardly an effective way to identify troublesome apps, but there wasn't a tool to do it and it was bad PR for a customer to find them before we did.

And I don't even want to talk about the various things we did to actually fix the permissions problems once we discovered them. Kludgey does not even begin to describe that process.

Of course, BeyondTrust (along with a couple other companies that don't really exist anymore) helped solve the "fix" problem a couple years ago with its Privilege Manager product (formerly known as Desktop Standard's PolicyMaker Application Security). And now, finally, it is trying to solve the identification and location problem with a new product called BeyondTrust Application Rights Auditor.

Of course, Microsoft has offered a tool kit for a while that allows individual scanning of applications for permissions issues, but that solution didn't really scale well for companies with a large application base, particularly one already deployed and in use.

With Application Rights Auditor, BeyondTrust is looking to fill that gap. And it's free (as in beer).

The product gets deployed to a representative sample of desktops throughout an enterprise, for a two-pronged search for applications needing administrative rights. The client software first performs an inventory to identify all executable applications on each machine. The findings are then transmitted to BeyondTrust's repository, where the found applications are compared against a database of known applications and versions.

For applications that are not already in BeyondTrust's database, the client software continuously monitors each unknown application as it is being used, recording and flagging specifically when (and what) Administrator privilege is required.

Administrators can then look at the inventory results of the two types of scans and run reports for individual clients or the collective to see what applications will need permissions help in a move to Least Privilege. Because all the data is stored on BeyondTrust's network, there is no need to install a local database or application server, so it should be pretty easy to get started quickly.

The hosted model scared me a little bit, for security and privacy reasons, but the folks at BeyondTrust assured me that each customer has its own unique certificate that gets generated when the customer first acquires the code. All of the agents deployed within a company transmit their data with the certificate, so all the information should be isolated from other companies' data.

Unfortunately, BeyondTrust has not yet decided to take the additional steps to make Application Rights Auditor even more valuable. Since it is collecting information specific to applications that are already in use, it makes sense that one should be able to automatically create policies based on the information provided by Auditor in order to get going quickly with Privilege Manager. But of course, you can't yet do that.


