Archive for the “Internet” Category

I put Spottt up on my blog last Friday because I’ve seen it on a few other blogs and thought it might be a good idea to try. If it worked half as well as Entrecard for pulling in people to read then it would be worth the space. I read that I would have to wait up to 24 hours for my blog to be approved, so I waited patiently, but when Sunday afternoon rolled around I decided to start looking into the service a little more.

Since I was now looking for the banner, I noticed where most other sites had their Spottt advertisement displayed. Spottt “requires” that the banner be placed above the fold. Their specific definition is no more than 850px from the top of the page. I placed the banner within that limit but then started noticing that most sites with the Spottt banner were not displaying it within the top 850px. Right off the bat I’m disadvantaged because the way it is supposed to work is that you receive advertising on other people’s sites based on how much you in turn advertise locally. People are much more likely to look at or click on an advertisement that is placed above the fold.

On Monday they finally approved my site and started running advertisements. I was clicking through my site to get to the admin page this evening and noticed that there was a scantily clad woman on the ad. I refreshed the screen and up popped a second scantily clad woman. Now TechByPC is not specifically family oriented, but it isn’t anti-family either, and I have no intention of offending any of my guests by displaying a picture of a woman that might offend some. I went over to my wife’s blog and checked it out there as well since I had requested hers be added at the same time. Similar advertising was being shown. Well, they just lost me.


I really thought Microsoft had some clue where they were going with those Seinfeld advertisements, but it appears that they were just as clueless as the rest of us. It is sad really. I was hoping for some of those “Oh, I get it!” moments as the advertisements continued. Instead we get a failed advertisement campaign similar to the failed Vista launch. What is Microsoft doing correctly these days?

The one thing that I hope was a good move was partnering with Packet 8. As Vonage tanks due to overwhelming debt, Packet 8 continues to rise as the VoIP leader. I hope the Vonage folks take a lesson from the Sunrocket debacle and start thinking about options to change their phones to another service NOW so that if it does happen you are prepared as much as you can be. When Sunrocket disappeared I was in the process of evaluating a free month of Packet 8 and so I got a jump start, but I know many people were burned pretty badly.

One day, Sunrocket’s dissolution was suddenly reported all over the news. We didn’t get any warning from them at all. My reaction was this: My service was through Sunrocket and currently incoming phone calls are receiving a fast busy. We are still able to call out, but if you are trying to reach me you’ll need to know my cell phone number. I will get this switched soon. My primary choices are Packet8 or ViaTalk. ViaTalk has the most comprehensive feature package and has responded quickly to the news (http://vtinside.com/blog.html), but I am partial to Packet 8 because of its long-time existence and numerous VoIP patents.

My decision was made quickly: It is a tough decision to pick which provider to go with. Vonage is expensive and in trouble with Verizon, so I’ve left them out. ViaTalk has the best feature set and great prices, but they say it will be 5-7 business days even with expedited processing and overnight shipping before I’ll see a device. Then I’ll still have to wait for the number to be ported. Packet 8 says they can port the number in 2-4 weeks, but this is their standard answer, and I have a feeling that it will be faster. ViaTalk is completely overwhelmed with people signing up for their service. Since this is likely to more than double their business, I am unsure if they are equipped to handle the onslaught, and expect that they can’t be far behind SunRocket in the going-out-of-business club. Packet 8, on the other hand, is a 20-year-old communications company with dozens of patents regarding VoIP technology. I think they have the longest staying power of any VoIP provider out there besides cable companies and landline phone companies who also provide VoIP. I’m going with Packet 8. Call me on my cell phone until my number ports.

The 911 issue has always been a concern with VoIP – if the power goes out so does your 911 service. Well, I use a UPS, but that doesn’t protect me from ISP outages or VoIP company outages. I feel secure with Packet 8 knowing that their company is making a profit.

Full Disclosure: I do own a few shares of Packet 8 common stock.


I saw a very strange article today where someone tried to argue that SaaS (Software as a Service) changes the CIA (Confidentiality, Integrity, Availability) paradigm (Triad). I was confused and read on only to find that there was no argument within the text to back up that statement. In fact, Availability was used as an argument against itself. I started to write a comment, but then it got too long and I realized that I was probably just going to offend the guy because of something he wrote out too quickly without reading it over. I’m sure I’ve already written something like that myself, or if I haven’t yet I will.

First, here is an explanation of the CIA Triad in a nutshell. These are the core principles of information security:

Confidentiality refers to preventing disclosure of information to unauthorized systems or people. Integrity refers to the data remaining in the system the same way it was put in – that it can’t be modified without authorization. Availability means that the data is available when needed and that security controls and systems that house the data are functioning correctly.

I’ve heard many people argue against the need for the Availability piece as it doesn’t sound as interesting as the rest of it. Of course the data needs to be available, but what does that have to do with security? Joe Technician keeps the systems available. The problem is, if the system is not available, then it is not valuable, and if it is not valuable, then it is not worth using. Availability also refers to security controls being in place at all times. Suppose the security controls for a system suddenly become unavailable: say a log file fills up and no mechanism for rotating or offloading that file is in place. Subsequent actions taken on the system may compromise Integrity, and in fact, simply because the logging facility was not available, we may have an Integrity or Confidentiality issue.

I understand what the article was trying to say about increasing exposure to Integrity and Confidentiality issues by going to a service-based environment, because you will be offloading sensitive information to a 3rd party; however, SaaS increases Availability issues as well. Instead of running Word on your desktop, which works whether or not you are connected to your LAN, the Internet, or anything else, now you are relying on Google (for example) to provide your word processor over the Internet. Your 3rd party still has to get you the service. In providing SaaS, both the provider and the buyer need to consider Availability just as much as Confidentiality and Integrity.

I’ll give you a simple example. I can run your company’s ERP system for you. I’ll design the system so well that after you put data into it no one will be able to get it out. I’ll make it so safe that no one can make unauthorized changes. Actually, we will take your ERP system, unplug it, and stick it in a double locked vault where I know one combination and you know the other. That satisfies Confidentiality and Integrity completely, but ignores Availability.

Some businesses or systems within a business naturally emphasize parts of CIA over others. For example, there is a company that sells a USB key that has an internal self-destruction mechanism that triggers if authentication fails too many times. There are cases where availability of that data should suffer. If I am bringing a copy of proprietary company confidential information from one place to another, this might be the best means to transport it. If someone steals the USB key or I lose it in transport, I want to be assured that the data will not be available to whoever found it, and that it cannot be modified by someone sneaking into my hotel room in the middle of the night. In this case I am willing to sacrifice some availability, for example if I forget my own passkey, for the sake of Confidentiality. This in no way negates the CIA triad or changes its paradigm. The USB key still must be available to me in order to be useful. I need to be able to put data on it, and it needs to be possible for me to bring it from one place to another. Once there, I need to be able to authenticate to it and decrypt the data that is there. In other words, the data must be available, or else I’d never buy such a device. The manufacturer still has other availability challenges, such as how to decrypt and unlock the device on an alternative operating system (making it more available), or how to alert the user if someone was trying to guess the password since the last time it was successfully accessed (protection system availability).

In fact, each piece of the triad is intrinsically linked to each other piece in a delicate balancing act. As I said, it is easy to have a completely Confidential system if there is no Availability (try a pipe to /dev/null). When an end user asks for a network share behind the firewall to be available to a customer in another company, then we suddenly have much more need for security in the forms of Confidentiality and Integrity, but it was Availability that triggered the request. If we forget that Availability triggered the request, then we might as well not worry about the additional Confidentiality and Integrity needed to satisfy that unneeded Availability.

CIA is intrinsically linked and each piece must be considered in developing any system, including SaaS. There is no paradigm change. I know the author of the article knew this, because he argued points against his own thesis. It got me thinking about stuff though, and that’s always a good thing. I didn’t write this to offend or pick on anyone. If there is something I’ve overlooked or misread about the original article I’ll be glad to have it pointed out to me, because I just don’t understand it the way it was written.


Noscript is one of my essential browser tools. It intercepts Java, Flash, and other scripts, including executable content, in the Firefox browser and keeps them from executing until the user specifically whitelists the site. It can be an inconvenience to someone who doesn’t understand the dangers that exist on the Internet; however, it doesn’t save us from every danger out there.

It seems someone at ZD Net noticed it recently. It’s nice to know that Noscript protects from specific Zero Day attacks too.

If you use Firefox (and you should) then you should use Noscript to complete your safety net.

It is rare when the XSS detection triggers, but even for someone that browses as carefully as I do, it can. In fact there are some times when I am browsing through things that aren’t necessarily all on the up-and-up. I had a PC that I needed to hack into a couple weeks ago and my traditional tool is ophcrack over at SourceForge. They recently updated the tool and it no longer performs as it did – very disappointing. I downloaded a previous version and let it crack away on the target computer, however it couldn’t reveal any of the passwords. I did some searching for an alternative tool, and as you can guess that led me to some shady websites. With Noscript I didn’t worry at all.

The one thing that Noscript doesn’t save us from is a trusted site that we’ve whitelisted that was subsequently cracked. If the defacement includes posting compromised code, then it will execute just as if it were trusted.
