Totally non work related - running for charity July 19, 2008

Posted by joncollins in Curricular, NFIT.

For anyone who might be interested (and for those who aren’t :-) ) I’m running a half marathon on October 12th. It’s not my first - I did that a couple of months ago, baulking at the idea of sponsorship in case I didn’t finish. Which I did. So, this one is the Royal Parks Run in London. I’ve decided to run for UNICEF, what a fine bunch of people, and I quote, “working for children and their rights.” I would very much appreciate any sponsorship, as of course would they - I want to raise a thousand quid so the way I see it, that’s only 200 kindly souls donating a fiver. How hard can that be?

So, if you do feel like splashing out five pounds (but of course, don’t feel limited by that!), you can donate here. Thanks for all your support, and for reading!

RSA Panel session confirmed July 17, 2008

Posted by joncollins in NFIT, Security.

Just got an email through from those nice folks at RSA Conference Europe. Here’s the skinny:

Session Track: Business of Security

Session ID: BUS-207

Scheduled Date: Tuesday 28th October

Scheduled Time: 16:05 - 17:05 hrs

Session Title: Software and Security as a Service: the risks and the rewards

Session Classification: Strategic

Session Abstract: There is much buzz in the IT industry at present around Software as a Service (SaaS). As with any new trend in IT, there are a number of potential risks which need to be considered when looking at SaaS solutions – but things don’t stop there. At the same time, certain security services can also be delivered using the “as-a-service” model. This panel of security vendors and consultants considers both the risks and rewards of SaaS and security as a service, and delivers practical advice on what organizations should be thinking about today.

Moderator(s):

Jon Collins, Analyst, Freeform Dynamics

Panelist(s):

Gerhard Eschelbeck, CTO, Webroot

Eldar Tuvey, CEO, ScanSafe

David Stanley, MD EMEA, Proofpoint

Three’s a crowd, so what’s four? July 17, 2008

Posted by joncollins in Geeking out, NFIT.
1 comment so far

This must be desktop operating system geek heaven - but even as I say that I realise I’m missing out on a whole bunch of ‘em. To the point, I have recently come into the possession of a MacBook Pro, which is running OSX 10.4. With that, I’ve got XP running in a (donated, thanks) VMware Fusion virtual machine - which runs like it’s native. Meanwhile, on my old Samsung laptop I’ve gone for a dual boot with Ubuntu Hardy Heron on one partition, and (also donated, thanks too) Windows Vista on the other. What of Solaris or indeed OS/2, I hear you cry.

It’s an interesting set-up. A key question is interoperability - which I define as, “Being able to do whatever I want on any platform, without seeing the joins.” I think that’s a bit different to the interoperability Microsoft keeps banging on about, which sometimes seems more about keeping the more evangelical chatterati at bay (incidentally, my suggestion was to ask the silent majority what they thought - I believe there’s far less anti-Microsoft sentiment out there than some bloggers might imply). But the world of Mac interoperability is questionable - iTunes will only recognise iPods for example. Is it a problem? I honestly don’t know - the slickness that the fanboys love so much is a consequence of a tighter control over hardware, and no doubt software specs. Balancing such usability with interoperability is an issue we see in the large in corporate IT shops, and it is no coincidence that CIOs often talk in terms of “One throat to choke.” Thinking out loud: would ‘proprietary’ be such a bad thing, if it just worked?

But I digress. Just one last thing to do is to re-install Lilo, then I’m done.

Presentations and events update June 25, 2008

Posted by joncollins in Governance, Information Management, NFIT, Security, Virtual Worlds.

I was recently asked for some examples of events I have spoken at, so for the record this is what I’ve participated in so far this year:

Taking back control of IT, Webinar, 28 February 2008 (video stream - registration required)

Improving business productivity through effective content management, Webinar, 4 March 2008 (video stream - registration required)

Governance in virtual worlds, Pisa, Italy, 13-14 March 2008 (slides)

Which is more Important – Compliance, Security or Operability? (Panel Chair) - Infosec Europe, London, UK, 22-24 April 2008 (podcast)

Progressive IT, Sourcing and Architecture, Microsoft Architect Insight Conference - Windsor, UK, 28-29 April 2008 (slides/video stream - requires Windows Media Player)

How to sell virtualisation (Panel Chair), Channel Expo, Birmingham, UK, 22 May 2008

IBM Optim Internal Data Threat event, London, UK, 29 May 2008 (slides)

If you need any more information please do get in touch.

"That’s not a product, that’s a business strategy" June 9, 2008

Posted by joncollins in Governance, Identity Management, Information Management, NFIT, SOA.

I can’t remember who said that to me a couple of weeks ago, but it’s one of my favourite phrases at the moment - it applies so well to so many things we’re dealing with right now: SOA, Identity Management, Information Management, BPM. Give it a go, and see where it sticks.

Presenting on Governance in Virtual Worlds February 29, 2008

Posted by joncollins in Governance, NFIT, Risk Management, Virtual Worlds.
1 comment so far

For anyone who’s interested in either topic, I’m going to be presenting on the role and impact of business governance in relation to virtual worlds, in a few weeks at the ISGIG conference in Pisa. What an irresistible topic - here’s my outline so far:

There is (currently anecdotal) evidence that immersive environments such as Second Life are losing their mainstream popularity, as potentially are such social networking sites as Facebook. All the same, together with such technologies as telepresence, the potential for such collaborative technologies is great, in terms of how it enables stronger relationships to develop with the subsequent impact on productivity; virtual worlds also offer the opportunity to interact physically and collaboratively, for example to demonstrate a product prototype. But there are plenty of downsides – not least the potential for abuse which is leading many corporations to ignore, if not avoid such technologies. This presentation considers the benefits and challenges of socially enabled virtual worlds, gives examples of where organizations are using them for corporate benefit, while minimizing the governance risks and operational challenges they cause. Where are the boundaries between real and virtual worlds, and how do they interface with social technologies? What are the problems of doing business in a virtual world, and how is that affected by real world business and regulations? Also, if Second Life is indeed losing its sheen, what’s Third Life going to be like?

Unfortunately Second Life doesn’t run on the OQO 01+ but if anyone’s interested, you can contact Nathan Neumann, I’ll be in there sporadically.

10 things I like about the OQO Ultra Mobile PC (and a few I don’t) February 29, 2008

Posted by joncollins in Geeking out, NFIT.
8 comments

I’ve been road testing my new acquisition - the OQO Model 01+ UMPC running Windows Tablet. I’ve been hankering after one of these for a while, but it is only recently that price has dropped to a justifiable level (340 quid + VAT from Expansys). So, what’s so good about it?

  1. It really is a real Windows computer.  Not a PDA, or some other device running Symbian or Linux, but a fully fledged Windows PC.  This isn’t some Microsoft hugging statement, more a simple question of broad application support, specifically for voice recognition (see 3) and mind mapping. Bluntly, the things I want to do with this device, I can.
  2. I can get it out on the Tube.  Indeed, I can get the OQO out just about anywhere.  It is all very well checking a map on a laptop, but it is a bit of a drag having to walk the streets with a 15 inch computer screen open in front of you.  Much of the challenge is logistical (see 8), but equally, the London Underground is not seen as a place for laptops - journeys are shorter, and the potential for theft is reputedly higher (see 7).
  3. It really does work as a voice recognition Dictaphone.  This was the main reason for justifying the purchase of the OQO, as a proof of concept: I am very surprised that such a capability has not been tested publicly before.  It’s not perfect, but it does indeed work: I shall be writing more about this in a future post.
  4. It is a tablet PC.  If XP Tablet edition is installed, the benefits that apply to tablet PCs also apply to the OQO.  This includes quite reasonable handwriting recognition: some people prefer to write than type, and indeed it is a lot more friendly in meetings having someone scribbling on a tablet, than tapping behind a laptop.
  5. It really is very small.  This may sound like stating the obvious, but it is true.  The advantage of size is that it can be taken places where a normal computer could not go: it can fit, for example, in a jacket pocket.  Yes, you absolutely know it’s there, but it’s not half as obtrusive as a full-size laptop.  So if, like me, you sometimes find yourself with that dilemma of whether to take a computer or not, for example to a meeting - then you still can, taking all your files with you.
  6. It can be taken on holiday. Yes, yes, I know, it shouldn’t be necessary to take computers on holiday.  However, those working in smaller companies don’t always have the luxury of choice; equally there are plenty of uses of a computer that have nothing to do with work.  The convenience of the OQO means that it can be put into the bottom of the case and forgotten until it should be needed.
  7. It is more surreptitious than a laptop. Because of (4) it is easier, nay possible to put an OQO into the glove compartment of the car, and it is less of a theft-magnet in general than a fully fledged laptop. From a near distance it looks like some obscure games console.
  8. It can be used standing up, or while walking. My train ride home yesterday involved an hour’s standing in a tightly packed carriage, but I was still able to finish off the day’s affairs by completing a report and closing down my email. It does require two hands to use the keyboard or pen, however. As another example, a pretty standard thing for me to do on a flight is to get back up-to-date with my e-mail.  With the OQO on Tuesday, I was able to upload my e-mail as soon as my plane had landed and the seatbelt light had gone off, which for me was a real boon as I could then go straight to my car in the knowledge that all those pesky messages had been sent to area.
  9. It can be powered by a portable battery. A couple of years ago I bought a 12V extension battery from Brookstone in the US, for the express purpose of acting as a backup power supply for my gadgets when I was out and about. The extension battery is completely inadequate for laptop use, but it can power the OQO via the latter’s own 12V adaptor input. Together with (6), this makes the OQO a much more suitable device for camping trips etc, when access to mains power may be sporadic.
  10. It looks good. This is very much “last but not least” - but I did get a buzz when the usually dour security staff at Gatwick struck up a conversation about it. Having technology as a talking point doesn’t have to be limited to Mac fanboys, you know!

What’s there not to like? Well. I wouldn’t suggest the OQO as a desktop replacement - with the caveat that I have bought what is now an old model, the OQO is underpowered compared to what multicore desktops can do. Having said that, my virtualisation experiences have led me to believe in the model of smaller computers that are scaled to suit the workload, and the OQO 01+ is an adequate base for office and email use, running on XP. Even so, the screen size is a decidedly limiting factor when it comes to usability - I have found myself frowning when starting to use it, as though some part of my brain is trying to understand if the OQO is just a normal sized computer, but a little too far away.

A second issue is around power. The first OQO I was shipped had a faulty power supply, which I understand is a common fault; the battery when fully charged can power the device for up to 2 hours only, though there is a double capacity battery available (Expansys was shipping spare batteries for 20 quid each, so I bought two of these instead). Finally, a battery “feature” is that, if fully discharged they need to be plugged in for sometimes up to 24-48 hours before they will trip back into charging mode. Nice.

Having said all of that, as a proof of concept (to me) it is keeping its end up admirably. I would love to see an OQO-sized brick that could be inserted into a laptop or desktop form factor like a hard drive, and I am surprised, given its clear usefulness, that we do not see a wider audience for the OQO - I would speculate that this is because few have the luxury of two computers. From the research we conducted last year it was clear that PDAs wouldn’t be replacing PCs any time soon - as costs continue to tumble I expect to see the UMPC form factor reach a much wider market, not to replace the laptop, but to extend the web of mobile computing still further.

Geeking out: testing portable keyboards February 24, 2008

Posted by joncollins in Geeking out, NFIT.

I wrote this review of Bluetooth and infrared keyboards a while back, and then promptly forgot to do anything about it, so here it is. A word of warning - I have had issues with the (increasingly locked down) drivers for the Freedom Keyboard. Still, while I’m loving my OQO (review to follow), I can still see a place for these things. I hope it’s useful!

On press releases and ambulance chasing February 21, 2008

Posted by joncollins in AnalystBiz, NFIT, Security.
5 comments

A while back, I remember seeing a sketch by Eddie Izzard. The detail eludes me but roughly speaking it covered the cyclic nature of being cool. One could progress from totally uncool, to slightly cool, to cool, to - put one matchstick in the corner of the mouth - very cool, to - put another matchstick in the other corner - totally uncool again.

So it is with technology-related PR, and nowhere is this more starkly illustrated than in the press releases associated with IT security. I have written about how hard it can be to incite a sometimes apathetic audience into action about very real threats; equally, many IT managers will agree how difficult it can be to get funding for security-related purchases. IT security companies have a vested interest in both of these issues: they are obviously not working altruistically. However, in my experience the majority nonetheless do want to deliver value to their clients.

Such desires may be reflected in IT security PR, which often needs not only to explain what a company does, but also why it matters. Frankly, when a “bad thing” is reported in the media it can be a gift for any company that offers products in that area – but what to do when there is no bad news to piggyback on? The answer is to put out awareness-raising press releases, to augment the more standard ‘customer win’, ‘expands in Europe’, ‘new partnership’ fodder. It is here, just as with Eddie Izzard’s sketch, that we find the line which should probably not be crossed.

What are the different kinds of press releases? I would grade them into four categories:

· Best practice activity. A vendor may have put together a set of guidelines explaining how to deal with an issue. While it is a fair assumption that it may reference their product or service, it may also contain some sound advice. Press releases saying that a vendor has documented some best practice are little more than treading water in PR terms, but they are innocuous enough.

· Publicising research findings. A security vendor may conduct a study to highlight the scale of a given problem. This is useful when, although the area is known about, there is general complacency that the issue has already been dealt with, or that it only happens to other people. Indeed, this is often the kind of activity that we get called in to help with – anonymous surveys may be the best way to talk about an issue that nobody is supposed to have.

· General awareness raising. These tend to be more educational, to highlight that a problem or threat really does exist. A good example of this would be PR surrounding man in the middle attacks, which are a valid candidate for awareness raising. The only downside is that sometimes such press releases assume the audience knows what is being talked about, which is more than a little counterproductive.

· Publicising specific examples of where things have gone wrong. This is probably the worst kind of awareness raising press release. At best, it draws attention to an example of where the threat has been realised, or malpractice has been found in that, “I told you so,” kind of way. At worst, it can only be construed as ambulance chasing, using some unfortunate soul who has found themselves wanting, and attempting to bask in the reflected publicity.

Don’t get me wrong. In general, I like receiving press releases. I may not read all of them, end to end, but I am not embarrassed to admit that I cannot keep on top of everything that is going on, all the time. So, if I am told about a threat that I did not know existed, nor indeed, a product which in some way can resolve that threat, I can add this to my catalogue of knowledge. Equally, however, I make no bones about the fact that I detest ‘ambulance chasing’ press releases. While I concede that it can be useful to use such incidents as examples, they should be used as no more than a passing mention to support any of the other kinds of awareness raising. Consider the difference in the following two statements:

· “The HMFE were foolish, and should get their act together,” said Charlie Farley, vice president of security firm Ultrasecurix. “By using technologies such as ours, it would never have happened in the first place.”

· Ultrasecurix would like to announce the latest iteration of our product. “It has been redesigned from the ground up to deal with the latest generation of threats,” says Charlie Farley. The many features include… which enable comprehensive protection. “Situations such as those highlighted at the HMFE only serve to highlight how things are changing and the need to stay vigilant.”

OK, the latter requires the company to have actually done something, which should maybe be the prerequisite in the first place. If, however, you feel the need to put out awareness raising press releases, remember the first three kinds before settling on the fourth. The bottom line is, if you can’t be constructive and add value in the first few paragraphs, then please don’t bother at all.

Should we be using computers to heat our own houses? February 20, 2008

Posted by joncollins in Geeking out, NFIT.
4 comments

A random thought, prompted by a discussion with APC a few years ago. I was surprised to discover (having clearly been a poor student in O Level Physics) that the amount of heat output by a rack of processors, storage etc was exactly equivalent to the amount of power that went in. I know, it’s so obvious it hurts. More recently, there are plenty of stories of office blocks being heated using computer equipment. The question - as I sit in a relatively warm room, no doubt due to the two computers pumping out hot air right now - is whether such a strategy could also be adopted by the “connected home”?

Which begs the next question - which is the more efficient heating device - the computer or the oil-fired radiator - and why? It would be funny if, at some point in the future, processor cycles were seen as a knock-on benefit of our silicon-based wall heaters…