Thursday, February 21. 2013
As promised, the White House yesterday released their "Strategy on Mitigating the Theft of U.S. Trade Secrets" document, otherwise known as the "Keeping The Chinese From Running Off With The Silver" plan.
You can download the strategic plan, along with supporting documents (which are the more interesting part of the read; but I won't discuss them in this post) here (PDF).
The orientation of the plan should be clear from the title; it's not strictly, or even primarily, about network security. It's about corporate investments. As such, it's actually not very good news for the small businesses threatened by state-sponsored cracking groups. As with most government initiatives, it is more about keeping big corporate donors big.
But it may not even accomplish that dubious goal. The first action item revolves around bringing diplomatic pressure to bear on trading partners (for "trading partners" you can read "China"). But the first sentence says it all:
"The Administration will continue to apply sustained and coordinated diplomatic pressure on other countries to discourage trade secret theft."
Yes, that's the same pressure they've already been applying with so little success.
Which is not to say that the Russians and Chinese have not been of some assistance in prosecuting certain infringement cases raised by the US. But those have obviously and uniformly been instances where state actors were not involved, and probably were exercised against rogue groups which were as pesky to the foreign governments as to the US.
A slender ray of sunshine emerges with the second action item, which seeks to promote voluntary best practices among private industry, and the third, which promises law enforcement emphasis on the problem. Private industry is the front lines in this conflict, and the overwhelming preponderance of the companies in which these fights will be fought are showing up poorly armed to battle.
Education and best-practice dissemination is a good role for the government to fill; realistically, most federal agencies aren't any better equipped than the largest and best private firms in the technology industry. Security at Google or Amazon likely fights off more cyber-attacks, and understands them better, than any federal agency.
But if the government can work to distill what Google and Amazon and other private security firms are learning and doing to secure their operations, and then disseminate it to other vulnerable businesses, which would never have the resources to develop such practices independently, a valuable service will have been done.
Equally important are assurances that federal intelligence agencies will continue to improve their sharing of data detailing threats and vulnerabilities with private industry. There are quite a number of out-of-band intelligence gathering mechanisms which the private sector has no real access to. While an organization like Mandiant can do yeoman's work monitoring and dissecting attacks and researching attackers through open-source methods, the US government has considerably greater options for producing intelligence on threats. Unveiling select information obtained through such covert means could give industry powerful tools to protect network infrastructure and defend information.
In a similar vein, the final idea revolves around public awareness and outreach. While not wishing to contradict myself on the merit of the information-sharing proposals cataloged above, I will say that I, along with most other IT professionals, have well noted the lack of effect that end-user education efforts have had. Despite years and years of browbeating people about not giving out passwords or not clicking links in random e-mails they might have received, those mechanisms continue to be among the most popular for compromise today. Education, put plainly, doesn't work.
So I question the utility of stopfakes.gov in advancing the cause of intellectual property protection, but I suppose we still have to try.
Of course, only some of this effort can be accomplished by the unitary executive branch, and so a part of it revolves around enacting additional legislation, and this is where the whole thing starts to get creaky and fall on its face. There is no good idea that Congress can't somehow badly screw up, and some of the ideas that the Administration is starting out with aren't that great in the first place... tacking five years onto the statutory maximum for economic espionage to take it up to 20? Really?
The bad news in all this is that it is all proceeding under the aegis of intellectual property rights enforcement. While trade secrets and the like certainly fall under that banner, lately it has been broadly misapplied as a powerful force against innovation and creativity... exactly the qualities that the President claims to be acting in defense of. It's not hard to see much of this extra effort going not into investigations of or defenses against Chinese hackers, but rather attempts to prosecute American teenagers looking to download the latest P.Diddy song (or whatever it is that the kids listen to these days).
This isn't the place for an impassioned argument about software patents and copyright laws, but I will say that much of the furor that has been raised over intellectual property theft in recent years has had far more to do with the defense of entrenched, if out-moded, business models, and much less to do with genuine cases of innovation and ingenuity. If the primary effect of this strategy is to further empower the music and movie lobby to chop down genuinely interesting and innovative technologies and websites, then it will go much further toward diminishing American greatness than the Chinese could accomplish on their own in a hundred years.
As for the individuals and smaller businesses who struggle to find the resources to protect against such concerted intrusion efforts, there is little hope in the new strategy. At best, some of the information sharing and best practices dissemination may filter down to our level, but I wouldn't count on it... most of the cooperation will likely be reserved to the titans of information services, not the small manufacturer with a fifty PC network and one part-time IT guy trying to keep it secure. The government and larger corporate interests may win or lose their ongoing battle against foreign governments, but the battlefield will continue to be your devices and networks, and that is where most of the casualties will continue to accrue.
Friday, January 25. 2013
At some point in Rajeev Goel's missive about his misplaced love of Microsoft products over the years, you start imagining him on stage on an afternoon talk show for battered women. "But I still love him!" you can hear him saying.
But after someone like that keeps going back and getting more of the same time after time after time instead of getting a clue and moving on, you just want to slap them. Or turn off the TV.
Rajeev is trying to pretend he's over Microsoft after having been jilted on product after product after product that he has faithfully adopted with some investment of time and money that has gone to waste as it has been cancelled out from under him. "Just friends"… sure, Rajeev! We see right through you.
You don't really know for a while whether a tech company is going to be like this, but it's a safe assumption that they're like every other company, and that they're going to follow the money. Products that aren't raking it in, or aren't in keeping with the overall thrust of revenue generation in the organization, aren't going to be maintained.
Of course, they're not going to tell you this. Not even hopeless romantics like Rajeev buy the Zune if Microsoft is up front and says, "This is just our hopeless, half-baked attempt to convince Wall Street we can really compete with Apple in the consumer devices market… it's probably gonna tank and we'll quietly strangle the market-place we have walled off, leaving you with a lot of orphaned tunes and wasted time."
When a company gets to be a certain size, it seems, it's going to generate more losers than winners. I honestly don't know if they convince themselves they are going to pull a hit out of their hat or if they just want to be seen to be doing new things; Google comes to mind, as well, cranking out, then killing, project after project, undermining users time after time. They're just using you!
But neither you nor Rajeev need despair at this state of affairs. As Doctor Phil might tell you, you simply need to set some boundaries in your relationship. You have to understand why these products are coming out and where the interests of the corporation are in producing them. Don't just buy them because Microsoft is behind them… Microsoft probably isn't behind them. Have a little self-respect; look at their motives!
You know what products Microsoft hasn't cancelled? Windows. Office. Exchange. SQL Server. What has Google supported faithfully since its inception? Search. AdWords. AdSense.
You know why? Take a look at the corporate balance sheet! This is where the money comes from.
If you're a little suspicious when your ex comes back in the middle of the night with alcohol on his breath and tells you he loves you, and this is the last time, then you should be equally suspicious the next time Microsoft comes out with a phone or music player or something entirely tangential to their future success… a tablet, maybe.
Friday, January 4. 2013
Sungard Availability Services made a presentation at the Seattle INTERFACE 2012 conference purporting to reveal their lessons learned from handling disaster recovery services during Hurricane Sandy. As is the style at these conferences, the presentation was primarily a sales pitch, and the presenter basically acknowledged that they haven't actually learned any particular lessons from Sandy just yet.
Nonetheless, it was an instructive seminar on disaster recovery the way the pros handle it. Sungard operates more than ninety hardened recovery centers servicing over 8,000 customers globally, and they are always dealing with a problem somewhere… whether it's a fire or power outage affecting a single client facility, or a hurricane or wildfire that has knocked out hundreds. Most small businesses will never have to deal with a significant, facility-destroying incident; Sungard copes with them every day.
Most SMBs won't even have considered using a professional service like Sungard, and few of those who have will have judged themselves able to afford it. Frankly, the solution is more appropriate for larger businesses with less flexible commitments and deeper pocketbooks.
But there are still interesting ideas and information to be learned from large-scale disaster recovery services as practiced by Sungard-scale organizations. I touched on a different way to approach small business disaster preparedness in another post recently, and it is gratifying to see how many of the typical problems Sungard identified with business continuity planning are addressed there. But there were important things I missed, as well.
One item of interest is that most Sungard customers prefer to recover locally. The company made its name providing and staffing disaster recovery hot-sites, desirable by dint of their geographical separation from possible disaster locations. But most customers during Sandy chose to attempt to operate out of the closest available hot-site... even though that hot-site was also directly in the path of the storm, and came within four inches of being flooded and shut down itself. Meanwhile, because it was one of the few hardened, prepared, supplied locations in town, it was forced into double-duty as a headquarters for civil disaster response, cutting down on its efficacy as a business continuity site.
But even more significant was the degree to which Sungard customers (at least those who were physically able) preferred to have replacement and recovery equipment and space shipped to them on-site. Sungard's fleet of configurable office trailers were kept hopping during the disaster. And with many local staff trapped in the area, perhaps their business customers had little choice but to attempt to recover in place, no matter how deeply affected their offices.
I did not adequately explore the effect of that preference. It remains a poor one for the SMB, since recovery in place requires the availability of replacement resources and workspaces, which in many cases will not have survived in any form inside the disaster zone and would have to be shipped in. A company the size of Sungard can commandeer transportation and supplies out of the area by dint of purchasing power and relationships; a small business will have no such luck.
Still, if you can identify that impulse as a preference or a requirement for your own business, you can still attempt to pre-plan emergency procurement and backup facilities in your locality... a replacement equipment order made ready and saved on your favorite vendor website, a few likely hotels scouted out ahead of time. The process would provide far less certainty than a geographically remote location, but it might provide a comfortable medium.
Also highlighted by Sungard was the importance of having decision-making capabilities on-site at the disaster recovery scene. They flew their own COO and key staff into the path of the storm ahead of Sandy to ensure that even after communications went down, a sufficiently-ranked officer from the company would be available for immediate decisions on critical questions.
Small businesses are frequently already challenged in their decision-making hierarchies. One of the big misses in their continuity planning is often staffing. There may be some inherent advantages due to the cross-training that naturally occurs in small organizations, but there has rarely been a conversation about authority and chain of command in the absence of owners and managers. Have that conversation.
Monday, December 10. 2012
There's been a dramatic uptick in interest recently over my post on community alternatives for Internet access in locations where access has been cut off (either politically, as with Syria or Egypt, or environmentally, a la Sandy or Katrina). Coincidentally, I was at a conference today in Seattle where an oddball presentation on cellphone mesh networking was being made by Josh Thomas of Accuvant Labs. I say oddball because the conference was largely enterprise vendors pitching enterprise solutions to "Big IT" problems, and while mesh networking addresses a certain sort of problem, it's not one that enterprises put a lot of thought into or are likely to spend any time adopting.
When I was suggesting mesh alternatives for re-establishing local networks, I focused on router-based solutions such as Meraki access points. Fixed-point hardware remains vulnerable to a number of ills but it goes some way toward addressing the dearth of other realistic, amateur-deployable solutions in the field currently. Of course, in this day and age, the obvious question when it comes to establishing a real mesh network is, why not use cell phones? They are nearly ubiquitous, are by definition self-powered and portable, and each and every one of them represents a radio transceiver with respectable local range.
Until I saw the blurb in the conference seminar track list for SPAN, I had no idea anyone was actually working on such a thing.
So of course I went to check it out.
I don't even remember (and can't find on the various websites or presentation materials Thomas scattered about as he charged through the material) what SPAN stands for... Self-Powered Android Network? Except it also may sort of work on iPhones. More easily, on account of you don't have to root them first. At least not yet. It wasn't entirely clear to me, nor can I now find any evidence of an app for the project in the iTunes store. But you can at least download the Android source code here, if you are equipped for diving into such things.
Although it didn't live up to the billing in the conference guide, Thomas's presentation was interesting and informative with respect to some of the challenges of mesh networking and the current state of the art in the field. Turns out that mobile transmitters introduce a variety of predictable, but hard to solve problems for networking protocols. And that's after you address what may be an even more insurmountable problem, which is that device manufacturers have not made it incredibly easy to re-purpose the handset radios in such a fashion.
The SPAN project's proximate goal was to fix some of the "easy" problems of putting a controllable toolset in the hands of other mesh developers, while providing some guidance toward cracking the "hard" problems. In broader terms, however, Thomas indicated that his more elemental purpose was to raise enough of a ruckus about phone-based mesh networking to get someone at Google to sit up and consider incorporating better tools into Android, or at least removing further obstacles from it, to make it easier to build mesh networks on the platform.
That larger goal is not only laudable, it's probably a requirement for the success of phone-based mesh networking. Mesh networks live or die by the number of available nodes covering the territory. The ubiquity of ownership of cell phones only serves that goal if the ease of enabling the network is within the grasp of the average user. Rooting a phone isn't difficult but it's outside the comfort range or amount of effort that most users are willing to extend. Perhaps in some particular scenarios--such as Syria--a sufficiently motivated group might accomplish this in sufficient numbers to make the effort of use, but in general, it's not going to happen.
SPAN takes an approach that enables just about any network-aware application by installing itself beneath the larger part of the Android network stack. This addresses a separate, but related ease-of-installation problem, which is that unless all the desired apps work with the mesh layer switched on the same way they do on a regular network connection, users are presented with another barrier; namely, the necessity of downloading special mesh-enabled versions of their apps (if such even exist) and remembering to use them when off the regular network.
It's a bit of a chicken and egg problem, but at this point, I think most users would be more capable of downloading and using separate apps than of rooting their phones. Neither approach is ideal, which is why getting Google on board may be the best possible solution.
The odds of accomplishing that may not be insurmountable, given the number of other mesh projects that are underway based on, or at least accessible to, Android devices. Thomas was kind enough to include links in his slide deck:
Each has its drawbacks and benefits. None are easy, dependable, or fully functional. However, exigencies through history have driven technological development, and the dramatic circumstances in disaster-afflicted or war-torn parts of the world, combined with the exploding number of mobile computing devices in the hands of average citizens, leave me optimistic that these efforts will soon bear fruit.
Friday, November 30. 2012
Microsoft appears poised to disappoint the "pad" market with their announcement this week of the pricing for their soon-to-be-released Surface tablet running the full version of Windows 8. With both the 64GB and 128GB versions hovering in the vicinity of a cool thousand dollars, US, with keyboard covers, the tablet blows right past the already established $600-$700 range for the high-end iPad tablets... themselves already considerably spendier than the $200 level Android tablets brought out by Amazon and others.
Microsoft seems to be taking the position that the premium tag is worth it, emphasizing that the full version of Windows 8 can run all your favorite Windows applications, all while fitting into a lightweight, useable tablet form factor.
If, as a customer, you are convinced that this is in fact a sort of two-for-one deal, combining all the best features of a netbook and a tablet, well, it's possible that such an argument will find some traction with you. I suspect, however, more folks are going to recoil from the "neither fish nor fowl" characterization and tend to lump it in primarily with other tablet options... to Surface's clear detriment.
Geekwire's Todd Bishop, in the above-linked article, speculates that the company is aiming the pitch primarily at CIOs, who have presumably been gasping for a tolerable Windows-flavored tablet that will fit neatly into their structured Microsoft-based support and management systems. If so, it's probably too late; most organizations (more than 80% of the Fortune 500, as of 2010) have already had to do the hard work of integrating iOS with their current operations, and a more expensive alternative isn't going to be appealing to either users or managers.
Even before the pricing announcement, news also broke that Microsoft is chopping device orders in half for Surface tablets based on lackluster performance of the already available Windows RT version.
I'm guessing they could slash them in half again at those prices and still have plenty of stock on the shelves for next fall.