Kyle Smith

What is the risk and cost involved in having a data breach at a large company these days?

The Associated Press reported today that personal data loss hit record levels in 2007. Between the TJX break-in early in the year and the weekly reports of unencrypted tapes being lost or stolen, I’m really not surprised.

To be honest, I think companies that aren’t smart enough to use encryption for their data when it’s readily available deserve to be hit. This seems like a case where legislation to mandate back-end data encryption would be good, but instead banks are being told to add stupid security features like multi-factor authentication to secure the front-end.

What strikes me as even more silly is that given the exorbitant cost of a breach [1], companies still want to be the keepers of customers’ personal or financial data and impose fees on the customers that don’t want to share it. For example, my auto insurance company has an extra $5/mo. service fee for customers that opt to make payments themselves instead of providing bank account information to them and letting them pull the money via an electronic fund transfer (EFT).

Given that there is little to no security for most electronic transfers (all you need are routing and bank account numbers and a willing bank), I am reluctant these days to provide my bank account information to most companies. I don’t even provide my credit card number to most service or utility providers any more. Instead I use my bank’s online bill pay feature and have them push the money electronically or via a paper check in the mail [2].

But hey, instead of charging a fee why not pay me a few bucks to keep my sensitive information to myself as long as my payments are made in a timely manner? I’m doing you a favor because if you don’t have my account number, I can’t sue you later for accidentally disclosing it.

[1] The public settlement TJX made with financial institutions was around $40M and included 3 years of credit protection to consumers plus fraud insurance.

[2] Still not great, as most of these checks are done as personal checks and not bank checks (which wouldn’t include your account number), but one can hope that an electronic record containing account information isn’t created by the recipient.

Tags: data breaches, data security, privacy

Jacob asks why software and hardware vendors insist on restricting their products (such as Apple’s iPod and iPhone or Microsoft’s Zune) so that customers cannot easily modify or add to the product.Having worked for an Internet Service Provider as well as a fairly large software and hardware company for a number of years, the answer that first came to mind was related to another response I wrote to him: the cost of support.

Most consumers that purchase a product want to be able to call up the manufacturer when things go wrong and expect them to be able to fix it.  Anyone that’s done technical support knows how difficult troubleshooting can be when dealing with a complex system.

An iPhone is complex you say?  Well yes, actually, when you allow consumers to arbitrarily modify or hack the software that’s loaded onto the phone.  Tracing problems to the root cause are difficult enough without having to worry about third party apps.  Maybe that one little tweak it made just caused something as subtle as a timing issue in the system, maybe it just mangled the encoding for some essential property, or maybe it just caused some unexpected memory contention the system wasn’t designed to handle (particularly with embedded systems where resources are usually limited).

Another potential issue is that hacks could run afoul of legal agreements that the vendor has made with others.  Apple had to convince the music industry that it could protect their product and wouldn’t allow unauthorized copies.  Not only could individuals circumventing the copy protection be liable, but perhaps Apple could be as well.  At the very least the industry could revoke Apple’s ability to sell or distribute its music.

And in the case of the iPhone, one serious issue I was recently made aware of is that cell phones are often designed so that apps are isolated and cannot take over the transmitter and wreck havoc on the (largely unprotected) cellular networks.

While I as a technology-savvy consumer would love to be able to hack my gadgets, I can certainly understand why manufacturers might be afraid of openness.  It’s our duty as the enlightened to help assuage their fears and to help design the appropriate solutions to ensure that the FUD doesn’t become reality.

Tags: , digital rights, open source

Final question to empty out the pending queue…

Anyone come across any good JVM performance comparisons? Namely Sun vs. IBM. I’m especially curious about app server benchmarks and general desktop usage with Eclipse.

Tags: java performance, jvm

Dear lazyweb,

Has anyone published an in-depth comparison of TurboGears vs. Rails vs. various servlet/JSP frameworks?

Two points that I’m especially curious about are the templating solution offered by each alternative and how easy it is to write extensions for them.

Most of the templating packages I’ve found suck because they really don’t separate the model from the view. JSP is my preferred method for building views so far, as I’m not forced to embed scripting code into the HTML and its easy to define new tags.

As for extensions, a friend and former colleague at IBM tried both Rails and TurboGears and found that writing extensions to Rails was cake compared to the hoops he had to jump through for TG. I’m wondering if this is a common experience or whether his particular situation was an oddity.

Tags: frameworks, mvc, rails, turbogears, webapps

Jacob, I’m sure you’ve already considered this, but keep in mind that cross-platform support and technical superiority don’t always cause universities or enterprises to make changes to their IT infrastructure.

Two primary things to consider when proposing Zimbra as an alternative to Exchange are the availability and cost of support as well as the cost and effort required to migrate the University to a new solution.

From looking at the Zimbra site, the University would likely need to purchase their premium support option in addition to the base Network Edition software subscription.  Here’s hoping the sum of those prices is less than the potentially steep discounts Microsoft can afford to offer for Exchange pricing otherwise you can forget Gard et al. from considering it seriously.

Tags: open source vs commercial, software support

The day I walked into VMware it started. It didn’t hit me right away, but by the end of the day I was surrounded by it: virtualization. It ran on my development server (ESX 3), it ran on my laptop (Workstation 6). Everybody in the company seems to run one of our products on some machine of theirs, whether it’s ESX, Workstation, or our Fusion product (which I look forward to trying very soon).

Virtualization isn’t new to me. I’ve been using it for 4 years, but mostly on IBM mainframes. What is new is being surrounded by it. All of my work has been in virtual machines and you quickly come to recognize the power of taking an entire system and transferring it from your workstation to your laptop, or letting your teammates capitalize on your labor and get copies of a VM you spent days setting up and tweaking.

Yesterday I found myself wanting to use Drupal for a new project, because someone is always talking about it (and happened to coauthor a series of articles on using it). But Ubuntu doesn’t have the latest release and I was reluctant to install Apache, MySQL, and Drupal on my desktop PC.

What did I do? I downloaded the VMware Player, snagged a minimal Ubuntu server appliance from the Virtual Appliance Marketplace, and installed it all there. Problem solved. In about 15 minutes even.

I’m now wishing that I had a beefier PC at home to run additional VMs. And no, I have not had any Kool-Aid or taken any blue pills. It’s easy to win someone over when the product is good.

Tags: the-future, virtualization, vmware

Stacy and I are now living in Massachusetts and I am working for VMware in Cambridge. Great company, awesome products, and the area is pretty cool too. That is all.

Tags: new-job

As part of the preparations for our move to the Boston area next month, I’ve been shredding old receipts I had saved for some reason. It was rather enlightening to look back on what I’ve been doing for the last two and a half years.

Most of the receipts from 2005 were from Potsdam favorites such as Eben’s Hearth (big beers & wings), Maxfield’s (beer), P&C (beer), T&R (liquor), and Sergi’s (fat bags). Looking back on it, I can see where my spending and temporary drinking habits started, as illustrated by the daily Maxfield’s receipts between April 1st and May 8th and the weekly trips to Eben’s before COSI meetings that spring.

You can even see how my habits have changed. There are plenty of receipts from Starbucks and the Eveready Diner in the fall of 2005.

There are better ones too, like December 17, 2005, when Stacy and I went to New York City for the first time. The receipts reveal the plans for the day: a train ride down & back, coffee at Dean and Deluca, cheesecake at Roxy’s in Times Square, dinner at Planet Hollywood (it sucked), a quick stop at Starbucks, and then Fiddler on the Roof on Broadway. Reading through them the whole trip came back to me.

Stacy always asks why I keep receipts. Now I have an answer. Because they’re just as revealing as photographs.

Tags: memories, receipts, tracking-habits

Had an interview recently with a manager about a development position.  When I asked for his organization’s view on spending company time to work on patents, publications, and Redbooks his answer was that they certainly valued patents, and depending on my family situation I should be able to find some time to work on those types of things.

When I later asked about working on an M.S. or participating in a BizTech project he started talking about turning down my workload to 80% and the management team understanding that I’d be working on other things.  Elsewhere in the conversation he mentioned “turning it to 100 or 120.”

Am I the only one out there that doesn’t want a job where I’ll be expected to sacrifice time with my family in order to work on intellectual property for the company or am treated as a machine with a knob that can tune how much and how hard I work?

One of the main selling points of software as a service is that people don’t want to maintain their software and don’t want to worry about security. There are plenty of services out there today that people love to use — Gmail, Google Calendar, Google Notebook, Twitter, Flickr, IBM’s Dogear and Plaxo.

I’ve had my own domain name and web site for almost 8 years and in recent years I’ve grown tired of maintaining the various software packages that my site is comprised of — WordPress, Gallery 2, WikkaWiki, and others. Software as a service is a partial solution to this.

The problem with the current generation of services is none of them are integrated all that well. I don’t really want 7 distinct services to manage and keep up to date. It’s no more efficient than maintaining the software myself.

I would like to see those service providers team up with web hosting companies to offer an integrated solution where the hosting provider provides a breadboard of sorts that the services plug into. The hosting provider would be responsible for my site, including billing, but the actual functionality of the site would be provided by the service providers.

If that vision isn’t working for you, think of the hosting provider as an EJB container (which provides all the common supporting services you want) and the service providers as the developers of the add-on components (the actual EJBs) that are deployed in the container. I like this notion even more, because it suggests that if I’m not happy with a particular service, I can swap it out for another that’s written to the same API.

No more building your site from scratch and then trying to integrate it. You log in to your hosting provider, pick your domain registrar, your webmail provider (Gmail, Squirrel Mail), your photo management solution (Flickr, Picassa, Gallery), etc. and then click the Make It So button.