proxy70

                Where is it all going?

First cut Q4/04 -- gopher://sdf.org/1/users/chrisb 

It has come to the point where I just felt I needed to put my
thoughts on to paper.  Well, in print anyway. I know a lot of what
I am about to write will be at odds with the technologies I work
with and you could say this is biting the hand that feeds me, but
I get the strong feeling that I am not alone with these thoughts
and comments.

This is not intended to turn in to a weblog, or I guess a gopherblog,
just a chance to put down my thoughts and let others comment on
them.

The Internet is a revolution, and as with other historical revolutions
before it, the Internet has had a vast impact on a very large number
of people's lives. More so than any other revolution has the Internet
had an impact on people in such diverse places around the world,
as they say, the world is now just a global village.

I know as one gets older, one starts to view the past with slightly
rose tinted glasses, "it was never like this when I was young" and
so forth. But I am not talking about events which occurred thirty,
forty or even fifty years ago. Ok, I know that computers have been
around a long time (comparatively), but I am referring to this
modern revolution thats known as the 'Net'.

Before we go any further, I must state (as I have before) that I
am not a ludite, I love technology and gadgets. I was on the 'net'
in the mid 90's using Fidonet for email and ftp'ing stuff over a
2400 modem (well a 1200/300 originally) and played with Packet radio
for a while after that. I live in the UK so some comments are based
on life and experiences here, though I am aware of legislation in
the US.

It all started for me about a year or so ago, thats late (fall)
2003 - the 'dot com' boom was long forgotten and IT security was/is
the buzz word. Microsoft had just started to get its act together
and secure its products and Linux was seen as the big white hope
for the future by the technologists, geeks, hobbyists and anyone
who dislikes monopolistic corporations in general.  "Linux will be
on the desktops soon they all proclaimed" (I know, I was among
them).  Well 2005 is here and Linux is most defiantly NOT running
the desktops of the fortune 500, and to be honest its not even
running my desktops any more (well not this week), Mac OSX and BSD
are. But I digress.



What has 'The Net' really given us as end users or consumers of
technology? I would venture to say, very little in real terms. I
keep asking myself, what would all these people in the IT industry
be doing if the 'Net' had not come along, or to be more precise,
if the commercial world had not seen it as a way to make a fast
buck. And before you correct me, yes I know the porn industry is
mainly accountable for the popularity of the 'Net', just as it drove
the popularity of VHS video systems and made them a house hold item.
The answer to the question is I do not know, the obvious one would
be 'pushing pens and paper' around all day. Possibly this is so,
the trouble is, IT, far from making our day to day work lives easier,
appears to have made them far more complex and frustrating. Update
(Apr 2005) I have just read a report which say's PC's have suffered
more days downtime due to spam/virus than workers have sick days!

For a start, the poor old user has to remember a number of different
passwords or carry about access tokens to enable them to even get
in to the computer. Then they have to wait while the thing boots
up, or if they have had the sense to leave it logged on overnight
(with a password protected screensaver of course) then it will
probably run like a dog because of the Operating System or memory
leaks from the shoddy applications they ran the previous day.  Once
the PC has booted up, the user then attempts to open the email
client and possibly Web browser and Word processor as well. Even
on a high spec machine, this will take time as the 100-1000 plus
other employees have also arrived at work and are also trying to
do the same thing.

The corporate LAN is groaning under the load as not only is this
taking place, but half a dozen staff members 'need' to view the
mornings news feed in full streaming video!  The email server is
churning away, desperately attempting to Virus check the latest
batch of in-bound messages and also sort out the SPAM and bin it.
Time for a cup of coffee.  Ok, the scenario above could be likened
to the opening of the post in the office of the 1980's I will admit.

The user returns for the coffee point/kitchen (after a good chat
about last nights football/rugby/TV sitcom/<enter your favorite
topic here>. They are then presented with a bulging email box, about
half of this is junk or SPAM (70% according to some reports), and
possibly thirty percent personal stuff. That leaves about twenty
percent as valid and work related.

To sift through this lot can take from a few minute to several
hours.


Back in 'our' office of the 80's things are different. The dumb
terminals do not have email (and those lucky enough to have a Unix
system connected to the ARPA-net would receive very few emails
unless they were academics). The Telephone was the main communication
tool (no, not the PMR/Brick 'mobile' telephone or its modern relation
which you see 'glued' to the ear of shell suited (track-suit) people
in cheap hyper-marts) but that old white thing connected to the
wall by a wire!

With a telephone it was not easy to multi-task, ok conference calls
were possible but few bar the large companies used them, at least
in the early 80's.  So after the post was opened (or opened for you
if you were important - or lazy) replies were dictated or written,
or you telephoned the person to discuss things further.

No distractions - bar the piped radio station or the newspaper to
get in the way. Telephone pranks did not take off till the late
80's early 90's in the UK.  Returning to the subject of the post,
this was relatively small, no major marketing or junk mail to deal
with and very few 'I AM A LAWYER IN AFRICA AND HAVE AFTER MUCH
LOOKING WANTED TO HELP U GET RICH' type nonsense. Certainly the
only virus you had to worry about was the Flu doing the rounds at
Christmas.

This is one of the major problems today, big business has got
involved and is trying to push its Corporate message down your
throat at every available opportunity. TV, Radio, bill boards,
newspaper adverts and now the 'net' with pop-ups, SPAM and 'targeted'
advertising. Any and every opportunity to try and make a fast buck,
no stone is left unturned in the quest to make even more profit.
This will, I guess become an even bigger issue, with the prevalence
of technology like Tvio which allows one to 'skip' adverts in between
recorded TV shows, the media industry (who have considerable clout
with Government) needing to find alternative advertising mediums.
How that particular issue will pan out I do not know, but it is
possible that they will encode the adverts so that one can not Fast
Forward over then, much as you can not FF over the copyright message
on some DVD's today.

Point in question, I attempted to sign up an email address with the
main Telephony provider in the UK (BT). Of the handful of questions
they asked, three looked odd to me. They wanted (and these were
required fields on the form), Age, Sex and Post code (Zip code if
you are reading this is  the US). Underneath was a little link
titled help, so I clicked it and was amazed to read a small pop-up
page telling me that "BT used this information to provide relevant
and targeted marketing information" to me!  I decided not to signup
as you can imagine, but found another free web-mail based company
who did not ask these types of questions.  In my search for this
'other' mail provider I stumbled across a report that our good old
friend Microsoft were offering, in effect, to allow certain companies
unrestricted advertising access through its SPAM filters on the
Hotmail service.  I assume this is for companies who pay Microsoft
the prerequisite fee rather than being based on any other judgment.
In case you wondered, I did not sign up to Hotmail as on connecting
to the Web page it popped up a window asking for me to signup for
a .Net passport. So, I can keep all my passwords in one easily
assessable place for the computer fraudster (I do not use the word
Hacker as I still believe it to hold its original meaning - not the
one the popular media have bestowed upon it), to access them I
presume.

If we return to the office I was busy describing, we now find it
is mid-morning and the server has just crashed. Email is down and
so work comes to an abrupt halt. Great, time to surf the web!  If
the File server had crashed then everyone would have moved to their
email inbox and then realised they could achieve little as the files
they needed to email were 'stuck' on the crashed file server. Time
to surf the web.  Now the LAN is under pressure (as are the IT
staff), streaming media, Power Point jokes passing in the email,
large PDF downloads (these by diligent staff members taking the
opportunity to check up on the competitions products or services),
the usual amount of porn flooding in and a load or Malware (yet
something else for the over-worked IT team to sort later).

But it's 2005 I hear you cry, porn, SPAM and Malware should all be
blocked at the gateway/boarder, the Directors can be fined and
imprisoned for this type of thing these days.  Yes, and thats all
fine and dandy until we look a little more in detail and get to one
of my major gripes (and partially the reason for this paper).

Most of these 'blocking' products or applications are sold by the
large corporations, the 'security specialists'. The problem is that
a lot of there products do not appear to have been coded by security
specialists. At this point we can almost exclude dear old Microsoft,
who a) do not sell security products per se, and b) put all their
developers through secure coding courses and make extensive use of
code auditing tools these days.  As an example I found over thirty
vulnerabilities listed against the industry leading Firewall
Checkpoint-1 and six against an ISS product set and over twenty
against the McAfee AV product set.  These products are meant to
protect our systems, not introduce yet more vulnerabilities in to
them, or am I being too naive?  When these types of issue arise,
the vendors marketing dept. swings in to action to allay user fears
and a patch is rushed out.  Interestingly I see only 14 CVE
vulnerabilities listed for Microsoft Excel (all versions and OS's).
This is sadly not the case for other software products.

After all these years, I would have thought that the AV vendors
would have found a way to stop 99 percent of Viruses using AI engines
or sophisticated heuristics. Or is it that by locking users in to
a yearly licensing deal they keep the money rolling in, money for
comparatively 'old rope'.  If the AV products are so good, why do
so many 'old' viruses keep appearing in the top ten lists?

By all accounts the SPAM/Adware issue is going to become worse in
2005, already at the end of 2004 the rise in infections was almost
exponential.  I wonder how the poor home user and small business
cope with it all. Each year they are being told to buy more products
to protect them from this threat - which largely to them is invisible,
ok they have to deal with the SPAM but they do not see their
address-books being stolen or their PC's being turned in to zombies
or joining Botnets controlled by yet more SPAMers.

They need Firewalls, Anti-Virus and now Spyware scanners and all
this on top of a perceived (and possibly real) loss of functionality
from both their E-mail client and Web Browser as built-in SPAM
filters and pop-up blockers start being implemented in each security
upgrade from the vendor.  All this of course costs money, and even
if they use the free AV and Firewalls and Spyware cleaners it still
impacts on system resources and Internet band-width as they download
updates etc.  The system resource issue is one that bugs me. Each
security product that is applied grabs even more memory and CPU
cycles than the last. If things carry on at the rate they have been,
the poor user will need a Supercomputer or Grid system just to play
solitaire on! Maybe thats why all these Linux Live CD cluster
computer distro's have sprung up?

At a Corporate level things are worse. What with the legislation
threats, spyware, script kiddies and philshing scams every PC is
now loaded with stuff.  The user in our little office scenario now
has to wait a further 5-10 minutes for all their AV and stuff to
start-up and update. And worse of all, half these products can only
detect and clean about 50% of the in-bound junk they are meant to.

All this places an ever increasing burden on the (normally) under
staffed and over worked IT dept.  They are constantly worrying about
patching systems, updating applications and worrying that the IDS
(intrusion detection system) has missed something and the script
kiddies have 'broken down the castle walls'.


And it does not end there, several years ago Firewalls were perceived
as the Security panacea. Install a Firewall and you are protected
proclaimed the sales blurb. Well the CFO signed up to it (auditors
and impending threat of legislation always helps open the company
cheque book) and the Firewall was duly installed.  A year of so
later, it was decided that the Firewall was not enough and Intrusion
Detection System were what was required. This at a time when the
phrase Penetration Testing meant a license to print money for so
many contractors who could spell Cybercop or ISS.

IDS costs, not only the high cost of the 'product' but in time and
resources as well. Another dead end? Well not quite, we now have
Intrusion Prevention systems (IPS) which cost even more - but do
not require the human resource, they make the decision themselves.
I do not trust my PC to save data to it's hard disk, let alone allow
a 'black-box' make those sort of decisions.

So boarder or gateway protection is taken care of, Now we now need
to harden the OS, lock it down so the poorly programmed Apps now
don't work.

And for 2004/5 it the year of the application test. Having patched
and locked down every thing from the ISP's router to the users
desktop, we now find that applications can be exploited. The nice
Firewall is basically a rather expensive network colander.  And so
I guess it will continue, ad infinitum until we all give up and
return to pen and paper.

While all this has been going on, where has IT advanced too? Not
very far. Microsoft .Net did not really live up the hype (thats a
surprise). So what is there. Not a lot is really different between
the desktop of now and that of three or four years ago. And I bet
the CPU speed increases have all been swallowed up by bloat-ware
apps and security programs.  Linux is still scuffing about in the
dirt, still used by hobbyists and those who like to tinker or do
not like using Microsoft Products. Some forward thinking companies
use Linux but many have backed off from plans to investigate or
deploy it for fear of the SCO law case or concerns over lack of
support and direction. This lack of direction is a major problem
for the Linux crowd from what I can tell. With Microsoft and Apple
you get a set of applications bundled with the OS and these have
been written by the OS developer so  a level of integration, integrity
and support is assumed, though that is not always the reality. With
Linux this is not the case. The basic distro's come packages with
a handful of e-mail clients and web browsers. There is too much
choice and diversity in Linux and this confuses the casual user who
has stumbled into Linux.

What do the majority of home users do on their computers. Well play
games, solitaire is still a very popular game on the Microsoft OS
(and I suspect Linux as well). Games, Email and Web browsing are
the most common uses of Home PC's, followed by ripping CD's/MP3 and
video I guess. In the office they are used for a bit of WP, email
and web access with PDF viewing and Database access.  Do we really
need all this bloated software applications to play a few games and
write the odd letter or paper.

Dedicated appliances are, in my opinion a much better option. If
you want to play a game then use the PS2/Xbox/GBA, thats what is
is designed for. Music sounds better through a Hi-Fi and films (DVD)
look so much better on a large screen TV than on a 12 inch PC screen,
and sound better too.

The 'dumb-terminal' of the 80's and 90's could provide all that
functionality with mail and Uniplex? The big advantage was that the
administration work was all on a centrally located Server so admin
was simpler. Control over the app's being used, central back-ups
and central virus control. The thin-clients go some-way to addressing
this issue, but they still load the network when all the users login
and 'pull' down the app's at the start of the day.  How much time
would a 'dumb-terminal'/Thin-client solution save most companies
and save on the cyber-skiving issue. Some figures put cyber skiving
losses at around 30-40% of a work day. The total cost to industry
of all these combined issues, Spam, malware and Cyber-Skiving must
be massive!

It is impossible to guess what the IT industry will be doing in the
coming years and I am not going to even guess but I bet that
Microsoft's next OS (BlackComb or Longhorn or whatever it will be
called) will be more secure (read very restrictive)  than anything
we have ever seen before. Digital Rights Management (DRM), will
also feature heavily in any commercial OS I suspect.

DRM will become a bigger issue as more and more people buy in to
the iPod/MP3/WMP appliance market. This is an area where the
Pc/Mac/Linux box does work well. Rip your CD's and copy the trax
on to your portable music player. I guess then next thing will be
the portable DivX/MPEG4 players. All these have copyright issues
that will cause the industry a big headache.  If I download and pay
for a music track, I expect to be able to play that track on any
system or appliance I own, not have it tied to a single instance,
say for example my Windows PC. I might want it on my iPod (if I
could afford one) or to burn it on to a CD and play it in my car
on a MP3 player (again if my car had one).

How do they (Government and eCommerce) expect home users to be
secure? Most people do not worry about security for the house they
are buying and often pay scant attention to it when they buy a motor
car. House alarm systems, if purchased are normally an install and
forget item, the same goes for car alarms. If people are this casual
in their approach to protecting these valuable assets, how can they
be expected to worry about security upgrades on a cheap PC.

Well I hope you enjoyed my rambling and thanks for reading this
far!  If you want to comment/agree/disagree/correct me, then please
feel free to email me at

chrisb@bsduser.uk
Chris.