BeyondTrust is all about solving problems that perplexed me six years ago. And I mean that as a compliment, since no one else has really addressed those problems in all this time.
Before I came to eWEEK in 2003, I worked at an IT consulting firm serving small businesses in and around San Francisco. One of our hallmarks was an early encouragement of the practice that later became known as "Least Privileged User." Basically, we persuaded a lot of clients to have their users run only with local User permissions, rather than with Administrator rights.
As a result, our customers had a lot less trouble with viruses, spyware or unwanted applications. Of course, we also had to make all the applications they needed day to day work under those restrictions -- and we ran into hundreds of applications that wanted Administrator rights, often for pretty banal reasons ("We write our preferences file in the c:\Windows directory!").
Identifying which applications would have a permissions problem was kind of a crapshoot, and I spent hundreds of (non-billable) hours poking around various apps and watching over other people's shoulders. It was hardly an effective way to identify troublesome apps, but there wasn't a tool to do it, and it was bad PR for a customer to find them before we did.
And I don't even want to talk about the various things we did to actually fix the permissions problems once we discovered them. Kludgey does not even begin to describe that process.
Of course, BeyondTrust (along with a couple other companies that don't really exist anymore) helped solve the "fix" problem a couple years ago with its Privilege Manager product (formerly known as Desktop Standard's PolicyMaker Application Security). And now, finally, it is trying to solve the identification and location problem with a new product called BeyondTrust Application Rights Auditor.
Of course, Microsoft has offered a tool kit for a while that allows individual scanning of applications for permissions issues, but that solution didn't really scale well for companies with a large application base, particularly one already deployed and in use.
With Application Rights Auditor, BeyondTrust is looking to fill that gap. And it's free (as in beer).
The product gets deployed to a representative sample of desktops throughout an enterprise, for a two-pronged search for applications needing administrative rights. The client software first performs an inventory to identify all executable applications on each machine. The findings are then transmitted to BeyondTrust's repository, where the found applications are compared against a database of known applications and versions.
For applications that are not already in BeyondTrust's database, the client software continuously monitors each unknown application as it is used, recording and flagging specifically when (and what) Administrator privilege is required.
Administrators can then look at the inventory results of the two types of scans and run reports for individual clients or the collective to see what applications will need permissions help in a move to Least Privilege. Because all the data is stored on BeyondTrust's network, there is no need to install a local database or application server, so it should be pretty easy to get started quickly.
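The second prong of that search, watching an application in use and recording where it needs Administrator rights, can be approximated with nothing more than an access log. The following is an added example, not BeyondTrust's code: it runs over a constructed Process Monitor-style CSV log (the sample rows and the list of protected locations are my assumptions) and flags every write a standard user was refused against a machine-wide location, which is exactly the kind of "writes its preferences file into c:\Windows" behavior that blocks a move to Least Privilege.

```python
"""Flag applications that need Administrator rights under a standard-user account.

Input is a Process Monitor style CSV log with the columns
time, process, operation, path, result. A write operation that comes back
ACCESS DENIED against a machine-wide location is the event an auditor would
record before a Least Privilege rollout. The sample log below is constructed
for this example and is not real captured data.
"""
import csv
import io
from collections import defaultdict

# Machine-wide locations a standard user can read but not modify (assumed list).
PROTECTED_ROOTS = (
    "C:\\WINDOWS",
    "C:\\PROGRAM FILES",
    "C:\\PROGRAM FILES (X86)",
    "HKLM",
)

# Operations that mean the process tried to change something. CreateFile is
# included because a standard user can already *read* the protected roots, so a
# denied CreateFile there almost always means write or delete access was asked for.
WRITE_OPERATIONS = {
    "CreateFile", "WriteFile", "SetRenameInformationFile",
    "RegCreateKey", "RegSetValue", "RegDeleteValue",
}

# Constructed sample log: one standard-user session, four applications.
SAMPLE_LOG = r"""
"10:01:02","prefsapp.exe","CreateFile","C:\Windows\prefsapp.ini","ACCESS DENIED"
"10:01:03","prefsapp.exe","CreateFile","C:\Users\alice\AppData\Roaming\prefsapp\cache.dat","SUCCESS"
"10:01:04","legacyapp.exe","RegSetValue","HKLM\SOFTWARE\LegacyApp\LastRun","ACCESS DENIED"
"10:01:05","notepad.exe","CreateFile","C:\Users\alice\notes.txt","SUCCESS"
"10:01:06","legacyapp.exe","CreateFile","C:\Program Files\LegacyApp\log.txt","ACCESS DENIED"
"10:01:07","updater.exe","CreateFile","C:\Windows\Temp\upd.tmp","SUCCESS"
"10:01:08","prefsapp.exe","CreateFile","C:\Windows\prefsapp.ini","ACCESS DENIED"
"10:01:09","prefsapp.exe","CreateFile","C:\Windows\system32\kernel32.dll","SUCCESS"
"""


def is_protected(path: str) -> bool:
    """True if path sits under one of PROTECTED_ROOTS (case-insensitive, whole component)."""
    upper = path.upper()
    for root in PROTECTED_ROOTS:
        if upper == root or upper.startswith(root + "\\"):
            return True
    return False


def audit(log_text: str) -> dict:
    """Return {process: sorted unique (operation, path)} for denied writes to protected roots."""
    findings = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:          # blank or malformed line
            continue
        _time, process, operation, path, result = (f.strip() for f in row)
        if result.upper() != "ACCESS DENIED":
            continue               # successful or merely slow operations are not our concern
        if operation not in WRITE_OPERATIONS or not is_protected(path):
            continue               # reads, and writes to the user's own profile, are fine
        findings[process].add((operation, path))
    return {process: sorted(ops) for process, ops in findings.items()}


def needs_admin_rights(log_text: str) -> list:
    """Convenience wrapper: just the names of the applications that will need policy help."""
    return sorted(audit(log_text))


if __name__ == "__main__":
    for process, ops in audit(SAMPLE_LOG).items():
        print(process)
        for operation, path in ops:
            print(f"    {operation:<12} {path}")
```

The same filter applied to a real Process Monitor export (File > Save as CSV, Result column included) gives a first-cut list of applications to test before pulling Administrator rights.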
The hosted model scared me a little bit, for security and privacy reasons, but the folks at BeyondTrust assured me that each customer has its own unique certificate that gets generated when the customer first acquires the code. All of the agents deployed within a company transmit their data with the certificate, so all the information should be isolated from other companies' data.
Unfortunately, BeyondTrust has not yet decided to take the additional steps that would make Application Rights Auditor even more valuable. Since it is collecting information specific to applications that are already in use, it makes sense that one should be able to automatically create policies from the information Auditor provides in order to get going quickly with Privilege Manager. But of course, you can't yet do that.
Dock my laptop, connect my iPhone, then sync my calendar from Outlook.
I'm sick of it.
But I need iTunes on my work system to sync that damn calendar. And as I've stated before, iTunes is a pig--consuming copious processor time and memory for what, in this case, is nothing more than a synchronization program.
That's why Apple's announcement of the impending integration of Microsoft's ActiveSync, along with all the other corporate-geared enhancements (like the Cisco VPN client and Remote Wipe), is such a welcome relief. I would absolutely love to get iTunes off of my primary work computer. I sync music, podcasts and video to the iPhone from home--all forms of media that have no business tying up my company's storage or networked resources--and I have no other need for the application at work than the calendar and contact sync.
But after watching the video of Apple's iPhone SDK and enterprise feature set, I'm wondering if corporations will simply be trading one ill-considered delivery mechanism for another, as there was a pretty tidy lack of details about many of the features, including application delivery.
Apple's going to tightly control application availability for the iPhone. iPhone application makers are going to have to join the developer program (for $99) to make the apps for distribution to the iPhone or the iPod Touch, then get their application signed, vetted, and qualified against Apple's ratings system before it will be made available.
After that process, the application will be available via Apple in two ways: via iTunes (and a sideload to the iPhone) and by way of their new Web-based App Store. But since Steve Jobs said at one point that "The App Store is going to be the exclusive way to distribute iPhone applications directly to every iPhone user," we have to anticipate this will be the primary delivery mechanism as far as Apple is concerned.
But as a delivery system, the App Store seems to leave a lot of holes for the enterprise admin.
If a business is buying iPhones for its users--and I certainly expect this to now be an appealing option, given the new features and the iPhone's market-leading mobile browser--it may want to control what goes onto the devices. And since the App Store is open and available to all, the problem of iPhone users running as root by default will become an even greater liability.
As root, users can install anything they want--an AIM client and Spore, for example--whether or not their company approves. The corporate mobile admin may not be able to stop the install, and it is unclear at this point whether they will be able to automate the removal of offending applications. "Security policies" was also listed among the new features, but what these consist of is so far unstated.
So I'm trying to imagine how the App Store--with security policies in place--will work. I sincerely doubt Apple will build something akin to Microsoft's Windows Server Update Services, where the admin approves certain packages, which are then hosted locally and delivered to clients according to policy. Will Apple instead make some kind of group registration to the App Store available, where a corporate admin approves software packages that can be pushed (or pulled manually) to the devices directly from the App Store? The security policy would then define the group membership, and the App Store would need an account page where admins define the MAC address or device ID of every iPhone that needs to access the "personalized" store.
I'm no Apple expert, but I don't think they have any kind of experience with the latter kind of implementation, and I question whether Apple would really want to get that granular, unless they can generate a new revenue stream off of it.
According to Engadget's live blog of the event, there was some nebulous talk during the Q&A session where Jobs indicated they are "working on a special app for internal enterprise applications," but I am unclear whether that means "apps designed for internal use" or "apps deemed necessary for deployment."
Of course, this point is moot if the root issue has been addressed with Version 2.0 and admins get some tools that help clearly define and articulate an individual user's rights on the device. But we don't know that yet.
As I noted previously in my review of OCS 2007, RT Audio is an adaptive codec. In high-bandwidth situations, the codec runs in a wideband mode, offering HD Audio quality. But in lower-bandwidth situations, the codec automatically scales back to narrowband, standard-definition voice quality, which requires less network bandwidth. In both modes, I found the codec provided good audio quality without significantly taxing my client machine's resources (even with the signal processing done in software).
But with the codec integrated into TI's DSPs (digital signal processors), OEMs can now rapidly produce a variety of different devices to work with OCS--from desktop phones to mobile phones to trunk gateway devices.
In the press release, TI's General Manager of Communications Infrastructure and Voice Business, Brian Glinsman said, "By working closely with Microsoft to include their wideband codec into TI's VoIP solutions, we are supporting the dissemination of unified communications solutions to the market and further enabling Microsoft to quickly meet the application demands of service providers, enterprises and SMBs."
TI's DSPs supporting RT Audio should be available mid-year.
Today in my spare time, I've been combing through Microsoft's e-mail trail (PDF) regarding the internal (and external) confusion about what Vista Capable really means (and Microsoft's blatant capitulation to Intel regarding low-end chip sets), and I caught this little nugget that made me smile:
On page 34 of 158, there is a note that says:
"Most of the software I use is OK or available for Vista except for spyware and some obscure utilities. Jon"
Now, of course, I know this is not what he meant, but that excerpt sure makes it sound like Jon counts spyware among the apps he uses.
I spent Tuesday afternoon visiting iSimCity, Ixia's new for-hire testing facility and Executive Briefing Center, which is located in Santa Clara, Calif. With the new facility, Ixia hopes to give its customers--service providers, government agencies, high-end enterprises and network equipment manufacturers--access to the testing equipment, know-how and test plans needed to perform extremely large-scale performance and quality assurance tests on network equipment, applications and services. It seems an attractive alternative for companies wanting to do large-scale testing without the significant cash outlay required to build it in-house.
In addition to access to the hardware, Ixia is pairing iSimCity with its professional services department, which can develop, automate and perform tests, or provide the training necessary for customers to do all of that independently instead.
At the time of my visit, the testing facility was not fully populated with Ixia's equipment; according to the literature provided, the facility is running at 1/10th of capacity at this time, with plans to get it fully populated by the end of the year. At its peak density, Ixia's Director of Worldwide Support, Steve Cummings, estimates that they would have the capacity to test up to 4000 gigabit Ethernet ports simultaneously, or about 700 10G Ethernet ports. He also estimated that they could emulate up to 250,000 simultaneous video or IPTV subscribers at a time.
Compared to a typical datacenter, Ixia's facility lacks some elements of privacy and security, like locked cages. I asked one of their representatives how they planned to deal with privacy, since they count many rival network equipment manufacturers among their customers. Privacy, I was informed, would be maintained via scheduling, essentially making sure that customers were not booked to use the facility at overlapping times. While that seems like an inefficient way of allocating resources, particularly if clients don't need the whole shebang at once, I guess that will depend on the demand they generate for the facility.
Ixia plans to further their iSimCity initiative via worldwide expansion over time, and the company has plans in place to build similar for-hire labs first in Bangalore, India and then in London, England.
After reading Cisco's press release and many of the news reports about Duke University's gigantic 802.11n deployment, I found many of my questions were left unanswered. So Cisco put me in touch with Duke's Kevin Miller, assistant director of Communications Infrastructure, whom I quickly peppered with some more questions about the deployment.
Duke's 802.11n network, which will be a replacement for an existing 802.11a/b/g network, will also utilize both the 5GHz and 2.4GHz bands -- with both bands offering backward compatibility. For the 5GHz band, the university will utilize wide 40MHz channels while continuing to use 20MHz channels in the 2.4GHz band.
To Miller's recollection, the 130M-bps wireless throughput rating that was initially reported for Duke's 802.11n network represented performance in the 5GHz band.
I also asked Miller about his expectations for how the network will perform under load from a mix of 802.11n and legacy traffic, and he revealed some surprising findings about the client ratio they are currently seeing.
"For some hard data, we are going to have to wait and see as the network rolls out. In our pilot area, we see very high use of 11g, but we also see, on average, about 40 percent of the clients are connecting via 802.11n. The Pilot area is a first-year residence hall and typically we see a lot of new hardware coming in with new students, and laptops manufactured for about a year now have had 11n capabilities," Miller said.
He continued, "Really my next biggest investigation is going to be looking at the three generations we support -- 11b, 11g, 11n -- and trying to minimize the 11b clients first to protect the space a little more. To identify if and when there is an opportunity to discontinue supporting 11b. We know there are devices today that require supporting 11b, but they are dwindling over time."
I also asked Miller about his team's -- and the university's -- plans for helping educate the students and users about the new network, and to help manage expectations for just what the network should be able to do.
Miller said, "We are working closely with our computer store, as well as with administrators across campus, and making sure they understand not just the headline, but what are the impacts and what does it mean in terms of computer purchases and configurations."
He continued, "We are working with departments and IT administrators throughout campus, and we are adding information to students' incoming packets. In April we send out packets of information to incoming students with a plethora of information about Duke -- not just our IT -- but everything about the university. Certainly one of the aspects in there will be the availability of the 11n network and what sort of things to look for when purchasing laptops."
Miller said he also sees mobile devices with built-in Wi-Fi growing in importance on the network, but for now laptops represent most of the wireless clients he is seeing.
Lastly, we discussed Duke's plans for POE (power over Ethernet) support. These plans call for every access point to be powered via POE, a process that will require a gradual rollout of power in excess of that supported by the current 802.3af standard. Initially, Duke will target the highest priority areas and those areas with the greatest client density, then gradually upgrade support throughout the network.
My recent review of Microsoft's Response Point awakened in me an interest in speech recognition technology. Microsoft's product utilized speech recognition to help users perform regular commands using only their voice -- to call contacts, check voicemail, or answer a few simple stock questions. I found the technology worked extraordinarily well -- requiring little to no voice training, making the entire experience very straightforward and easy to use.
I have been vaguely interested in speech recognition technology for the last few months as I have conducted many interviews with vendors, users, and analysts -- and have wasted many hours transcribing those interviews. My relatively slow typing speed makes transcription a tiring affair, and speech recognition technology seemed to be the perfect antidote -- saving me both time and effort. But inertia (ok, laziness) kept me from actually doing anything about it.
Fate finally handed me the perfect excuse this week, as I broke my left pinky finger while playing basketball. As it turns out, that finger is pretty important for the process of typing -- and typing is a rather large component of what I do. With the splint on my finger, my left hand has become functionally useless on a keyboard -- and I still need to write.
After performing next to no research at all, I decided to buy Nuance's Dragon NaturallySpeaking because 1) I had heard of it, and 2) the Preferred version promised transcription of MP3 files, which would allow me to transcribe those pesky interviews.
Thanks to Amazon Prime's discount on one-day delivery, I had the software in hand the next day. Installation and initial training of the software took under an hour, and now I am writing using (mostly) only my voice, as I am still working out streamlining a combination of voice and one-handed editing. First impression -- pretty cool.
So far, what I actually find the most difficult when using the software is knowing what I'm going to say far enough in advance to form cohesive sentences and paragraphs that the software can better understand and punctuate. I guess that will come with time.
I assume I will be using the software frequently over the next several weeks as the finger heals, so I am sure I will have more things to say about the software later. But right now, I think I've found a godsend.
With Windows Vista Service Pack 1 kinda, sorta ready for its public debut, I felt it was time to follow the time-honored IT tradition and make the leap to Vista on one of my primary-use PCs for good. While I've spent hundreds of hours with Windows Vista and its beta iterations over the last two years, reviewing various subsystems like BitLocker, User Account Control, Group Policy, USB drive controls and the wireless networking system, I've never really experienced the operating system for day-to-day computing. It's about time to change that.
This oversight is not out of character for me, as I've a history of slow migration. For instance, I did not move from Windows 2000 to Windows XP for good until late 2003--a full two years after XP made the scene. Ultimately, as a user, I really don't want to incur the time or dollar expense to make a move that doesn't motivate me. I don't care--nor do I want to care--about what operating system I use. Rather, my concern is simply for the applications and devices I need and want.
Do my applications run right, and can I do what I need to do? For me, this means e-mail, IM, word processing, Web surfing and maybe my taxes need to work. Everything else I will figure out as I go along.
I decided to burn one of my precious 32-bit Vista Business activations for the install, figuring this particular PC does not need the full media capabilities offered by Vista Ultimate, but I wanted to get more of the experience than is possible via the more basic versions. The PC itself is a laptop, a Lenovo T60p with a dual-core processor, 2 GB of RAM and 802.11n wireless. The Vista Experience score is 4.3, with the graphics subsystem being the most lagging component.
With resounding success, I threw the gamut of open-source applications on Vista for my productivity software. OpenOffice, Thunderbird, Firefox and Pidgin all installed perfectly. For testing and research, VMware Workstation seems to work just fine. And for security, the latest iteration of Trend Micro Internet Security installed without a hitch.
In fact, the only thing that did not work was my printer drivers. I have an HP LaserJet 1000 attached to another PC on my network. While I could install the printer drivers offered from the share, I could not actually print any jobs. The HP website had a note from December 2006 saying Vista drivers were coming soon, but there has been no further news in the intervening 14 months. It's disappointing, but I can't blame Microsoft for HP dropping the ball.
After three weeks of frequent usage, Windows Vista somehow seems like less than the sum of its parts. I know there are a lot of compelling features under the covers (I've reviewed them ad nauseam), but their impact is hidden by a few glaring features that are constantly in your face, making you forget--or never notice--all the interesting stuff under the hood. Unfortunately, this is the level of experience that most people will have with Vista: intruded upon by the three features and characteristics that dominate the Vista experience.
One, everything has moved. I'll never understand why Microsoft feels the need to re-architect the interface for every iteration of Windows. The company is looking for an intuitive interface, presumably to make it easier for new or novice users. But for most people, navigating an OS is a rote affair--find something, play with it awhile, try to remember where it is for next time. Yet every iteration, Microsoft moves stuff around to make it "easier," but destroys everyone's rote memories. And Vista changes things a lot more than previous iterations did, so I am constantly hunting for things I used to know how to find.
Two, Aero Glass is an uninteresting resource pig, completely unworthy of all the resources it consumes. 40 percent of my system memory is consumed out of the box right now, and Aero Glass is the largest consumer. For what exactly? A 3-D Alt-Tab window-selection screen, translucent window edges and a handful of Sidebar widgets. This feature singlehandedly hamstrings Vista installations with only 1 GB of RAM, making slower computers swap memory with just one or two applications open.
Third is UAC, and it does not bother me at all. I've been a big proponent of Least User Privilege computing in the enterprise for a long time, and I have tried with varying success to practice it at home as often as possible. Frankly, Least User Privilege is much, much easier to accomplish in Vista than in any other Windows operating system. I can live with it, and actually appreciate it.
Save for the printer drivers, everything works, and I can safely say that so far, I am fine with Vista. I wouldn't say it impresses me, but it does (almost) everything I need it to. The operating system certainly does not live down to the reputation it has garnered out in the field. I can see how it has frustrated many, but not to the level that would cause me to petition to keep Windows XP alive for longer.
I wouldn't necessarily spend money on an upgrade, but I would definitely go with Vista on any new PCs that I buy. It makes absolutely no sense to waste money on a 6-year-old operating system that is winding down its shelf and support life. In this case, newer may not be significantly better, but because it is newer, it will last longer. And as history has shown, Microsoft will make it better over time.
Unified Communications products like Microsoft Office Communications Server 2007 make it pretty simple to integrate the video experience into a user's daily routine, requiring only off-the-shelf Web cameras to layer on the new communications channel.
But what quality of video are you really getting with this kind of integrated solution? Will it meet your needs and expectations?
In my tests of Office Communications Server, I learned from Microsoft's Quality of Experience Monitoring Server that video calls use Microsoft's RT Video codec. By default, I found person-to-person calls had a 352-by-288 resolution at a frame rate of 14 frames per second--when the call is placed over a LAN.
Qualitatively, the video picture looks fine in the small Office Communicator box that is normally shown on the screen. But when blown up to full screen size, I could see some slow transitions and artifacts, and I could definitely tell that the lip synchronization of video and audio was not that great.
The video quality is certainly not up to the standard of high-definition audio we get from Office Communications Server, which uses a wideband RT Audio codec on fast network connections--and sounds excellent and clean. But again, the video quality is not too bad on a small screen, especially if you don't come to the game expecting the best quality.
On the other end of the spectrum, there are some really fabulous high-definition video alternatives out there that also rely on software rendering--not hugely expensive dedicated A/V rendering hardware. But these software solutions come with their own kind of costs.
Take for example the HD video experience offered by GIPS (Global IP Solutions)--which has HD video capabilities in both its two-way VoiceEngine products and its multiparty ConferenceEngine line--and uses both its own proprietary LSVX codec and standard codecs like H.264. Global IP Solutions first demoed the technology at the Fall VON conference in 2007, and I got to see it up close in person last week at the company's offices in San Francisco.
In my demo, the video stream--at 30 frames per second--had a resolution of 960 by 720. This translated to a truly stunning picture--so clear that I was literally able to count the bricks in the side of a building half a block away when we pointed the HD video camera (a pretty high-end Sony HD camera, by the way--not some Webcam) out the window. And the lip sync between audio and video was practically perfect, making it much easier to carry on a conversation without getting distracted by slightly out-of-sync behavior.
The company claims it can scale up to a full HD picture as well.
Of course, the tax in this case is computational. During the demonstration, the quad-core server doing the rendering on my end of the call was clocking in at a hefty 55 percent overall utilization--something that would be even higher for full HD. The company claims to have done significant work to optimize its rendering for Intel processors, and it claims testing on AMD platforms will also be done in the coming weeks, with the expectation that rendering performance will at least be in the same ballpark.
GIPS sells its own products, or you might find its technology in other products. For instance, I know that Toktumi is working on integration with GIPS' REX softphone (which I will be reviewing soon), and yesterday, RADVision announced that it will be using GIPS codecs and features from the VoiceEngine platform as well.
Last week, I attended the San Francisco premiere of a new short documentary, "The New Face of CyberCrime." Directed by Frederic Golding and brought to fruition by the folks at Fortify Software, the film was screened for select members of the media as well as IT executives from around the Bay Area and was followed by a panel discussion moderated by Fortify founder and Chief Technology Officer Roger Thornton.
The panel featured:
Howard Schmidt, president and CEO of R&H Security Consulting and former White House cyber-security advisor
Ted Schlein, managing partner of Kleiner, Perkins, Caufield and Byers
Grant Bourzikas, director of Information Security for Scottrade
Frederic Golding, director of the film
The 20-or-so-minute film talked at a high level about the cyber-crime landscape, focusing on the role organized crime now plays because there is money to be made out there. Discussions with a few grey-hat hacker types, some IT folks and analysts around the industry, and Schmidt himself hammered home the point that this is a dangerous time on the Internet, and people need to be aware of how they and their information can be tricked, captured and compromised online. However, there really wasn't any prescriptive advice to be gleaned from the movie, which left me (and, I felt, many in the audience as well) wanting more.
Given Fortify's niche in the industry (code scanners), it is unsurprising that the film concentrated on how poor development practices and shoddy code open doors for thieves in the current threat landscape. As far as I can recall, cross-site scripting was really the only type of vulnerability that was discussed at length, as we got to see a grey-hat hacker type sit in an outdoor cafe, talking about the things that he could do from there over the Wi-Fi network. Hardly compelling visually, and probably hard to grasp for those unfamiliar with the ins and outs of coding best practices.
In fact, the whole film seemed to suffer from a bit of a lack of focus. In the panel discussion, an audience member asked what I was thinking: "Who is this film aimed at?" The quick-cutting visual style, featuring a lot of talking heads interspersed with jerky shots of racks of servers and network cables, and the high-level gloss-over of the problem with no real prescriptions, kind of indicated that the film was directed toward a very mainstream audience. Like something you might catch on Nova on a Saturday afternoon.
Yet cross-site scripting seems like a poor choice of angle for a mainstream audience, which would probably benefit more from a more endpoint-focused perspective, or better yet a look at how to actually protect and monitor your digital assets.
Golding made very clear that he did not intend the film to be a call to action, but rather an opportunity to initiate a dialog and help people in the industry build awareness of cyber-security. Something with recommendations or deeper discussion of the issues would be more of a corporate film rather than a documentary.
Thornton indicated that the filmmakers and producers needed to weigh the balance, keeping the audience engaged while still providing some meat. Apparently, they had initially planned to reach out to more criminal elements to show that side of the equation, but were warned off that course by law-enforcement advisors who told them they could get killed if they weren't careful with what was shown or who they talked to.
Golding consistently expressed surprise at the things he learned during the filmmaking process, and clearly showed his unfamiliarity with the technical matters at the heart of his film (honestly, why would any Joe User know about coding best practices and PCI compliance?). And I fear his unfamiliarity with the subject matter gave Fortify's folks a chance to steer it toward their own bread and butter -- a rather unfortunate, but unsurprising, development.
Ultimately, the question of target audience was never answered during the panel, so I posed the question to the PR representative who invited me to the screening in the first place. His answer surprised me:
"The documentary will not be made publicly available, but I can send you a copy of the DVD if you like. I just need you to agree that the DVD will be for your own personal use and will not be made public."
So really, this film is only going to be shown to prospective Fortify customers. It's a marketing film. Super (I feel used). Some full disclosure up front would have been great, as it turns out that the panel itself was peppered with Fortify board members as well. Five minutes of research turned up the fact that both Schmidt and Schlein are on Fortify's board of directors.
Nonetheless, the panel discussion was a little more interesting, as the audience let loose some of its unrest regarding the film. Since the director intended the film to provoke a dialogue, in this one sense, it was successful.
An impromptu poll taken of the audience indicated that the majority of those in attendance thought of themselves as information security workers, while a handful of people were in software development, and almost no one considered themselves to be both. And if I may generalize a bit, the security-oriented audience had the reaction of, "We know all this. Now what are we supposed to do about it?"
Of course, Fortify's answer was an unspoken but quite evident, "Buy our products."
Scottrade's Bourzikas ultimately was the most interesting speaker, as he weighed in on subjects like biometrics and the efficacy of PCI compliance mandates.
Bourzikas called PCI compliance "Uh, interesting." He intimated that that kind of security doesn't really make you more secure. In the end, authorized users query a database and get a response. How do you ensure that that user is who he purports to be? Ultimately, these are business decisions and at some point security becomes a hindrance. The company first of all needs to make money, and can't tell users how to behave.
When two-factor authentication was mentioned as a solution, Bourzikas made it clear that his customers did not want it, and weren't willing to bear the additional expense to institute it.
TJ Maxx was used frequently as a case in point during the film and the panel discussion -- highlighting the real financial consequences for a business cleaning up a data theft mess, while hinting at what it means for end users as well -- the latter described basically with two words, "identity theft." But counter to the PCI discussion above, it seems the TJ Maxx example actually could have been prevented by conforming to PCI regulations, as evidence has pointed to wardrivers cracking WEP (Wired Equivalent Privacy) encryption on TJ Maxx's wireless network and culling customer information that way -- a situation clearly addressed in PCI.
The film is scheduled to be shown again on Jan. 24 in New York and Jan. 29 in London. For those who can't wrangle an invite, you'll have to make do with the preview.