2007/04/20

The End of the Internet, or the Microsoft Users Net-Meltdown?

The 2005 Australian Computer Crime and Security Survey (PDF) reports that at the end of 2004 "the hackers turned pro". The ACCSS index may be easier for downloads.

For 2-3 years now, most malware has satisfied the definition of Organised Crime - it's theft, it's purposeful, it's co-ordinated.

In an August 2006 post, I reported the ACCSS comments and new comments from SANS.

ZDNet now reports that rootkits are becoming increasingly complex and operate by stealth. They say:

Rootkits -- malicious software that operates in a stealth fashion by hiding its files, processes and registry keys -- have grown over the past five years from 27 components to 2,400, according to McAfee's Rootkits Part 2: A Technical Primer (PDF).


If you use a Microsoft system and connect to the Internet without extensive protection, you should be afraid, very afraid. And even large organisations who do everything right are still open to targeted "zero day" attacks. The first Windows Vista security problems are being reported. It's better than their previous efforts, but still contains significant security flaws. The White House mandated a minimum security configuration for all US Federal Government Vista desktops.

For more on the various types of computer crime Wikipedia is a good resource.

The Internet Meltdown


So when will the Internet Meltdown occur for ordinary home users of Microsoft systems? Perhaps it already has... Already 50% or more of Internet e-mail is spam. A large chunk of other traffic has to be attempts to break into systems, and sometimes Distributed Denial-of-Service attacks (DDoS).

Banks already advise PC owners to use a personal firewall, virus and spyware scanners and perform regular checks and software updates.

But the number one and two malware vectors, Internet Explorer (IE) and Outlook, aren't mentioned. Worse, most sites are optimised for, or will only work with, IE.

Banks are already moving to "two-factor authentication" - usually a device (a 'token') that provides "one-time passwords" on a little LCD. But that isn't entirely secure - there have already been "session hijacking" attacks. For more, see The Crimeware Landscape (2006, PDF) from the US Dept. of Homeland Security, SRI International and the Anti-Phishing Working Group.

How can a home user tell if their machine is compromised and part of the spam and hacker tool of choice, a botnet? They mostly can't without expert help and specialist tools. They might experience the normal random problem of "The Internet is running slow today".

Savvy hackers and botnet owners operate just like the best "special forces" and "secret agents" - by stealth. They want to own your computer and internet link and not have you know anything is wrong.

For 5 years or so I've thought the Internet would end for naive home users in an obvious "Meltdown": Within minutes of connecting a new system to the Internet, it would be compromised and then brought down.

What competent cyber-criminal would do that? They want to "own" and use your computer and internet resources for their own ends - and they can't do that if your system isn't running. So I've been wrong. The "Meltdown" won't occur like that in a criminalised world.

What will happen is:
Go on-line and have your credit-card and banking access data stolen.
That will seriously impact e-Commerce and banks will have to shell out Billions in internet-based banking theft and fraud.

Here's the thing


The Microsoft security problems are entirely preventable and avoidable.
It's all about Good Design, Good Development Processes and Software Quality.
Testing only reveals the presence of bugs, not their absence. A rigorous testing regime, whilst necessary, will only take you so far. Achieving Good Security is purposeful, directed activity - it requires good, careful design not compromised by insistent business or marketing demands for "more features" and "fancier interfaces".

Proof:


Look at all the widely deployed non-Microsoft systems on the Internet. Many are extremely high-value targets and the technology they use is usually much older than Windows NT. Remember that Microsoft IIS is outgunned 2:1 by the free Apache server on the public Internet (Netcraft survey).

These non-Microsoft systems don't suffer the same rampant security problems and breaches/compromises. And it's not because they are ignored by the attackers - they would if they could get into these high-value targets. The botnets are constantly probing every public IP address for weaknesses.

And those same, now old, systems grew up with the Internet, in the most hostile of environments - Universities. All those bright, bored computing undergraduates looking for accolades/kudos by beating the system.

That's the nub of the Internet Security problem, and its solution...

2007/04/10

Microsoft troubles - II

Follow-up to a previous post on MSFT hitting a 'financial pothole' by 2010. The numbers look very, very bad to me. The seeming lack of management response and of apparent leadership would deeply disturb me as a shareholder...
The Paul Graham piece Microsoft is Dead and the follow-up were a prompt for this post.

What amazed me was: there are 4,500 MSFT employees (of 71,000) out there blogging. And it's a live campaign led by the MSFT management... Wired has a piece on this effort, Channel 9, and the text of an internal memo critical of the PR/Developer Relations effort (6,000 words!) accidentally leaked.

This "radical transparency" is an amazing artifact. It should go down as one of the most innovative and successful acts of Microsoft. Many other companies could do well emulating this effort. And do better by listening to their staff...

Blog the First


From Mini Microsoft Blog, "Should you stay or go". This from a self-described "senior" MSFT employee who is highly committed to the company.

In the context of the blog entry, lots of their senior/long-term people are leaving. That's gotta hurt.

I can tell you this: I, like a lot of senior Microsofties, can't imagine staying for another year of flat stock growth. I'll have to be developing the bestest, funnest software in the world to live through another year of watching a stock price that meanders around like a fat, gassy contented cow from Carnation. I see this next year as the loyalty tipping point for Microsofties who have held on this long, hoping beyond hope for the shares to finally perform. If that doesn't happen, the office spacing problem around large chunks of Microsoft will start to ease up without new buildings opening. And be wary of those who do stay, because you'll have to ask why.


From the MSFT Extreme Makeover blog, around the end of March 2007.

Stats


  • Shareholder value destroyed since 1999 = $320B
  • Shareholder value lost at Tyco, Lucent, Worldcom, and Enron combined = $192B
  • Years underperforming all major indices = 4 of the last 5
  • Cumulative underperformance over that period = 40%
  • Performance since 1998 = Flat
  • Peers outperforming it this DECADE include: AAPL, AMZN, CSCO, EBAY, HPQ, IBM, ORCL, SAP
  • Cash as at last Q yielding just 5% for shareholders = $28.873B
  • Current dividend yield = 1.47%
  • Dividend yield rank in S&P500 = 224th


What's up blog entry


Full article: For want of shoe.... This reeks of frustration and insight - and a high commitment to the company. Are they listening??

Conclusion

Those are some of the issues as I see them - strategically and tactically. Again, I don't profess to have extra insight, nor do I think I have all the answers - or even any of them. At the same time, I'm not splitting $1B in bonuses with 800 other senior colleagues because of my supposed world-class brilliance. What I am, is a shareholder who has held an underperforming stock for this entire decade, while the current management team has been telling me to "have patience, our plan is working". It isn't, and it's time for someone new to come in, acknowledge that fact, and start making the tough choices required to get things back on track - or at least fail trying.


Blog the Last


Not everyone in MSFT thinks it's sinking... [But Robert Scoble, a strong pro-MSFT voice, did leave mid-2006.]

Don Dodge in Since when does growing $4 Billion a year = Dead? bags the Paul Graham piece Microsoft is Dead.

Good to see a dissenting voice.

For the record, Microsoft is growing revenues at over $4 Billion a year and is on track for $50 Billion this year. Since when does growing $4 Billion a year equal DEAD? If that is dead I know a lot of companies that would like to be so dead.


Don Dodge has a later update saying that "$4Bn growth is more than the full income of the likes of Yahoo! and Adobe". Yes, he's absolutely right. IBM, right up until its two years of massive losses, created record profits every year. That's the whole point: businesses that "milk the cash cow" and don't understand that pushing prices up to force profits will antagonise customers, probably permanently, will suffer exactly this sort of market collapse.

Answer: It's about the second differential of financial performance. The acceleration or rate-of-growth in rate-of-growth. When the acceleration goes negative, not just zero, then there is only one outcome - a crash... By the time the rate-of-growth (velocity?) goes negative, it is too late to do many things. Only radical options are left - because of acceleration and 'momentum' any turn-around effects will take some time to show up. Which takes nerves of steel for owners/shareholders and managers alike.
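To make the "velocity versus acceleration" argument concrete, here is an added example (not part of the post) using a constructed revenue series: first differences give the rate of growth, second differences the acceleration, and the function reports how many periods before growth itself turns negative the acceleration had already done so.

```python
# Added illustration of the "second differential" argument.
# SAMPLE_REVENUE is constructed for this example; it is not real MSFT data.
from typing import List, Optional

SAMPLE_REVENUE = [100, 110, 120, 130, 142, 150, 156, 160, 162, 162, 160]


def first_differences(series: List[float]) -> List[float]:
    """Period-on-period change: applied to revenue this is the rate of
    growth ('velocity'); applied again it gives the acceleration."""
    return [b - a for a, b in zip(series, series[1:])]


def first_negative_index(values: List[float]) -> Optional[int]:
    """Index of the first strictly negative value (zero does not count,
    matching the post's 'negative, not just zero'), or None."""
    for i, v in enumerate(values):
        if v < 0:
            return i
    return None


def lead_time(series: List[float]) -> Optional[int]:
    """Number of periods by which negative acceleration precedes negative
    growth. None if either signal never turns negative."""
    growth = first_differences(series)   # velocity
    accel = first_differences(growth)    # acceleration (second differences)
    g = first_negative_index(growth)
    a = first_negative_index(accel)
    if g is None or a is None:
        return None
    # accel[a] compares growth[a+1] with growth[a], so the first period of
    # declining growth is growth index a+1.
    return g - (a + 1)


if __name__ == "__main__":
    print("growth      :", first_differences(SAMPLE_REVENUE))
    print("acceleration:", first_differences(first_differences(SAMPLE_REVENUE)))
    print("lead time   :", lead_time(SAMPLE_REVENUE), "periods")
```

In the constructed series growth is flat for three periods (acceleration zero), then acceleration turns negative five periods before growth itself does, which is the window the post says is already too late to react in.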

When the negative acceleration is due to a shift in the underlying technology, like in 1984 when G3 fax "took-off" and telex started to decline - crashing heavily by 1988, the marketing term is 'product substitution' - then you've probably lost the game if you don't have many strings to your bow... If you don't have a diversified product portfolio.

MSFT know some of this stuff, which is why for more than a decade they've been actively trying to come up with new product lines - with new revenue streams. But their money still mostly comes from what they've always done: "Office", "Windows" and ???

Microsoft is too deeply embedded in Corporate and Domestic computing to just go away. And there are far too many I.T. people who know only Microsoft (and I suspect many don't realise the thinness of their experience) who have a vested interest in their vendor of choice, the one to which they've nailed their career, not failing.

So the future holds rough times but not extinction for our favourite "Evil Empire".
And who will take the mantle that got passed from IBM to Microsoft...

2007/04/09

Startups: selecting and nurturing.

A comment on Paul Graham's post Why to Not Not Start a Startup.

Paul, along with Robert T. Morris (author of the 1988 Morris Worm, now MIT assoc. professor), runs a Venture Capital firm.
They run Startup School as well. An exceptional idea.

At the end of this is a list of Paul's 16 points.

My comments:
1. *the* best piece I've ever read on startups.

2. These ideas don't just apply to technology startups.
They apply to new businesses generally.

3. Walt Disney couldn't make it on his own, knew this and got his brother Roy out of hospital (!) to work with him. Roy outlived Walt. Walt painted castles in the air, Roy built the (economic) foundations.
=> Co-founder good, Creative+Executor great :-)
=> There has to be real trust/loyalty between the founders. With enormous wealth on offer, enough people go crazy & try to take it all. A partner you don't know well can take you down easily.

4. 'Founders', a.k.a. entrepreneurs, are more willing to take *risk* than most people - which means they get pretty comfortable with failure. They are also a special breed.
=> Comfort is the enemy of Change.
=> Change is Risk, but the only way forward.
=> Comfortable people won't pursue a startup vigorously...

5. How do you get your Founders to "put skin in the game"? To have a personal stake in the outcome? (Besides losing their dream - or is that generally enough?)

6. One of the most important personal traits of a great entrepreneur - keeping a journal... Gotta write everything down. Crops up repeatedly in biographies. Richard Branson is quite clear about it - but doesn't relate it to his success. There is supposedly some research that says 1.5-3% of all people write down their goals. Once there was a long-term Ivy League school study (is this apocryphal?) showing that people who wrote down their goals out-performed others by 5:1 or 10:1.

7. People are different. Some are shy/introvert, many extrovert. Shy people don't sift through the large numbers needed to establish 'good networks' and check out who'd make a good partner.
Many of the best geeks are quiet & retiring folk. They will, by definition, find it hard or impossible to bring along a partner. But forcing someone on them won't work either.
This is a hard problem to solve.
=> A solution is something like your "Startup School", but a little more frequent, to provide a milieu in which these people can mix and hook up. [As conferences and User Groups can do.]

[For a great example of this, see how Paul Allen was treated by Bill Gates and Steve Ballmer on his last project at Microsoft.]

8. The Internet changes everything. But the VC process is still face-to-face personal contact... Silicon Valley was caused by VC firms like "Kleiner, Perkins, Caufield & Byers" bringing money from The East into technology. Even with the hordes of imitators and rip-off merchants, greedy investors flocked and made out well...
Because the place had critical mass - in people and places to meet, and the culture to support it.
These comments are peppered with genuine frustration (& longing) from would-be entrepreneurs.
=> How can the Internet overcome this tyranny?
=> Business is about personal relationships. Can the Net ever replace or augment that critical factor?

9. Technology support. Finding someone who is fluent with a key technology, like hardware hacking, can be critical to the success of a project/startup. When it's not your field, how do you find a way in? Then how do you get taken seriously by an expert??

10. Scaling: small trials and growing entrepreneurs.
My belief is that good entrepreneurs are grown, not born. And that there are predictable growth stages for all companies.
A wealthy friend's advice is: Never attempt anything more than 30% larger than you've done before.
=> Have you thought of building a process to train up entrepreneurs before they enter your funding process?
=> I'm thinking graduated funding levels, starting low ($10k) and in a couple of stages getting to $500k or so.

11. For solid research on what makes *great* employees, see Robert E Kelley's book "How to be a Star Performer"
[http://www.kelleyideas.com/pages/howtobeastar.htm]
Number One Quality: Initiative.
Sounds the same...

12. One of the prime causes of some recent major corporate collapses here in Australia was: "Ignorance, Arrogance and Self-Delusion". They are a powerful triplet that can't be broken through. Witness the non-musical entrants in "American Idol" who honestly believe they are brilliant.
=> How do you sort these out? They'll always have a high opinion of themselves, their abilities and a string of huge accomplishments.



Summary points of Paul Graham's piece:
He is going against the usual practice, debunking some myths and adding his own observations.

1. Too young
2. Too inexperienced
3. Not determined enough
4. Not smart enough [have to be smart enough, not ultra smart]
5. Know nothing about business
6. No cofounder
7. No idea [good people generate them quickly]
8. No room for more startups
9. Family to support
10. Independently wealthy
11. Not ready for commitment
12. Need for structure
13. Fear of uncertainty
14. Don't realize what you're avoiding
15. Parents want you to be a doctor
16. A job is the default

2007/04/08

Web 2.1 - Meta-tags by default

Why do we need fine products like Content Keeper, when the problem is one that should be solved at source?

[11-Apr-2007 Addition]
The "Kathy Sierra" affair caused Chris Locke, co-author of the Cluetrain Manifesto, to post his version/take. My take from reading about the affair:
This whole affair unfolded because "Web 2.0" not just allows, but enforces, anonymity. Provable Identities don't exist.

In an hour's scrolling through posts, I never saw this point [or anything like it] made.
How far would this thing have gone if the police could've tracked the posters quickly and unequivocally?
Presumably within a day or so the perpetrators would've been identified and action initiated, legal jurisdictions allowing.

There are good reasons to allow & support anonymity on the Web - "Freedom of Speech" is part of it, along with denying Political suppression and enabling 'whistleblowing'.

But the ugly human stuff of stalking, intimidation and control-by-fear need effective checks and consequences.

[End Addition]

Knowing the type of content you are downloading is a basic right - the same way that we don't go into newsagencies, bookshops and libraries and get surprised by the content. The same way that various TV stations will broadcast 'social content' warnings before some programs (violence, 'disturbing or graphic images', 'images of deceased people' and even 'images of surgery'). Our society has very well developed methods of flagging content that some audiences may wish to avoid - right up to full TV, movie & print "classification" and censorship. Plus we have blanket bans, enshrined in legislation, on things like "kiddie porn" and "snuff movies".

Simple minded banning of pages based on keywords or URL makes a priori judgements of what will and won't offend the audience - or under high-control regimes, what is or is not banned/seditious material. Then it becomes a simple "arms race" - two camps competing against one another (attack and defense), and by definition the reactive side can only respond once a new exploit/mechanism is noticed and identified. Yep, it's effective against people obeying the rules, but at the price of massive collateral damage and never being sure you're not compromised.

Generally, the USA is particularly sensitive to sexual matters, but not to violence. Sweden mostly has very different mores...
Filtering all pages that mention 'breast' or its (English language) derivatives and colloquialisms fails in many ways, especially for medical & pregnancy issues ('false positives'), is easily circumvented by misspelling, obfuscation or using images ('false negatives'), and is completely irrelevant for non-English language pages.

In the world of IT Security, this is why we now have Firewalls and Intrusion Detection Systems [and now systems that actively seek to confuse/entrap/counter attackers.] Funny - just like in the real world.

I'm thinking the web-server is the place to insert consistent meta-tags into content.
And that requires a minimum of two additional publication stages beyond the author - reviewer and editor/publisher - [as described by Peter Miller in his Aegis documentation piece (82Kb PDF) Aegis Is Only For Software, Isn't It?].

Nothing publicly published should go untagged - and that needs independent review and an enforced process to
[OK, so where does that leave the wonderful world of 'blogs'?]

We live in interconnected communities, now global in Cyberspace. All of us have sensitivities that should be respected, and the publishing world evolved over many centuries a tradition of "no surprises". It's a convention that has served us well before Cyberspace; it would serve us there as well or better - with everyone "just one click away" from your content.

Free Speech is only a Right in some countries.
Censorship is a given and necessity, even in the most "enlightened" countries - where it might be called 'national security' :-)
And there are globally shared mores/values/injunctions against such things as child pornography and worse.

It's not an even playing field, and will never, can never, be.

My opinion is that laws like the DMCA [USA - Digital Millennium Copyright Act] and the Australian "anti-spam and pornography" laws [no refs] are wrong-headed and irrelevant at best - and counter-productive at worst.

With the Global Net and One Shared Cyberspace, and many cultures, beliefs, religions, etc etc, "Web 2.0" needs to add:
mandatory content tagging.

Then we can abide by our tried-and-true convention "no surprises" and respect all our differences and sensitivities.

2007/04/03

Selling Good Governance - I.T. Services Audits

IBM got to be bigger, by turnover, than everyone else combined for nearly two decades, accounting for up to 60% of IT sales. One of the chief factors was that they were good salesmen - they knew their audience: who to target and what things they wanted (and only sell to people that can sign the cheque!).

IBM didn't sell to "techos" - but managers, the more senior the better. They talked their language (cheaper, better, faster) and gave solid "Dollars and Cents" Costs and Benefits. They got to come back because they generally made good on those promises.

Selling I.T. Services Audits, Security and Continuity


These functions are Governance related and should be controlled by, and reported directly to, Board Level - not even senior management or the CEO.

Board Pitch


Can your Business run without Accounting??
  • No!

Can it run without its I.T. services?
  • No!

What part of your business isn't affected by I.T.?
  • None!

Why do you have Accounting Audits?
  • "Have to" - regulatory requirement.
  • "credibility enhancer" - investors and owners can trust the figures claimed.
  • Integral to Good Governance. The things the Board want done are being done.

Why don't you do I.T. Services, Security and Continuity Audits?
  • Ummmmm?


If you're entrusted with husbanding other people's money, not assuring and insuring the I.T. Services of the business isn't sound practice.

Major failures/events in any one of these functions are high impact: they are "Bet the whole company".
The sort of decision that the owners need to make, and make consciously.

Supporting Facts


From a Sarbanes Oxley site:
Fifty percent of companies that lose their data go out of business immediately and ninety percent don't survive more than two years, according to research firm Baroudi Bloor International. ...
Only three percent of all data loss is caused by fire, flood and other such disastrous events. The most common causes are hardware or system malfunction (44 percent), human error (32 percent), software corruption (14 percent) or viruses (7 percent). ...
And remember, without your business's data, there's no business at all.


In a brief report on a fire in a British Telecom hub in Manchester affecting 136,000 phone lines:
  • 86 percent of firms affected found the fire was disruptive and it had an impact on voice communications in 60 percent of those polled....

  • Just 34 percent had a disaster recovery or business continuity plan in place ....

  • Those polled showed low awareness of solutions, nor did most appreciate the need for business continuity planning. 71 percent saw little value in automatic call diverts in emergency situations and 70 percent of those polled were unaware that banks expect businesses applying for loans to have a proven disaster recovery plan in place.


In 10 Steps to surviving a disaster (PDF):
According to the Association of Records Managers and Administrators, about 60 percent of businesses that experience a major disaster such as a fire close within two years. According to Labor Department Statistics, over 40 percent of all companies that experience a disaster never reopen and more than 25 percent of those that do reopen close within two years.


And from Glen Abbot, Scotland’s leading supplier of Business Continuity Services.

Business Failure

A business failure is defined as:
"An occurrence, and/or perception, that threatens the operations, staff, shareholder value, stakeholders, brand, reputation, trust and/or strategic/business goals of an organisation."

In a five-year period, twenty percent of companies within the UK will suffer some kind of serious disruption to their operations. This may be as a result of an IT failure, emergencies such as fire or flood, or some other unplanned disruption. Eighty percent of those companies who suffer a serious disruption suffer severe losses or fail to survive in business during the following eighteen months (National Audit Office).


And yet more in the Reader Comments section of this piece on 'Continuity Central'.

2007/04/02

Three Metrics to change our business

In a previous post, Research Outline, three sets of metrics were proposed that, if applied consistently across large organisations, would change the face of our industry (IT&T), perhaps even support the transition to a Profession.

"IT is done for a Business Benefit"


After 50+ years of doing it, we are looking at the end of the Silicon Revolution by 2010. Already we've passed the end of Moore's Law for CPU speed [Q1-2003]. But more than that - Business & Government are getting hard-nosed about IT&T delivering 'value'.

The IT recession we're just coming out of was a direct reaction against the perceived needless waste of Y2K. The other in 1991 was the marker that all the 'easy wins' in IT had been achieved and IT itself could be cut.

Big Business and Government account for over 60% of the Australian GDP. Around 45% of GDP is influenced directly by IT&T - with an investment rate of around 10% - $45Bn/year for 'the majors'. Globally, multiply this by 50-60 times. [Source: ABS surveys]

Compare this to the ~$50Bn earnings by all companies listed on the ASX. Leveraging IT&T whilst containing costs is a central concern of all good business execs - and becoming more so. Shaving 1% off IT&T inputs goes directly to the bottom line and allows good companies to easily outperform their competitors.

My belief is that the first people to adequately address these questions in quantifiable terms will dominate the market. And what better way to charge than a percentage of the realised savings? For a consulting firm, that's putting its money where its mouth is...

Metrics


The three sets of figures I'd like to produce are linked to this central question:
Doing More with Less.

  • What's the leverage IT&T gives us? [Virtual Employees]
    • Year on Year reporting from a consistent base.
  • Where do our IT&T costs go? [Standard reporting in Business Inputs and Outputs]
    • Are we getting a good deal from our IT&T?
    • Comparing to what?
  • How effective are our IT&T processes? [Benchmarked KPI's]
    • If ITIL is the answer, how well are our folks doing it?
    • How much more room for improvement is there?


And the worst thing that could happen is:
You find out your IT&T people do a good job.