Comprehending the intricacies of the emerging IoT world takes more than looking at a static Visio diagram; it takes a tool designed to deal with both virtual and physical devices, with the ability to visualize those complex interconnections dynamically.
The “FREAK” vulnerability that downgrades and weakens secure web connections doesn’t just affect Google and Apple users — according to a security advisory from Microsoft, all supported versions of Windows are vulnerable too.
FREAK (Factoring attack on RSA-EXPORT Keys) is a recently discovered hangover from the early 90s, when the U.S. government banned the export of most software that used strong encryption. The SSL web security protocol was for that reason built with a special mode that uses key lengths considered weak today. The law was changed but the weak cipher suites remain, and although most modern browsers are supposed to avoid them like the plague, a widespread bug means they don’t always do that.
The FREAK flaw allows “man-in-the-middle” snoopers to downgrade a session’s security to that mode – as long as the browser is vulnerable and the server accepts those weak old cipher suites — then crack the keys and spy away.
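To make the downgrade concrete from the defender's side, here is an added example (not code from the article or from the FREAK researchers) that parses a TLS ClientHello/ServerHello pair, flags any export-grade suite offered or selected, and flags a server picking a suite the client never offered, which is exactly the check a correct client performs and a FREAK-vulnerable one skipped. The handshake records and the `build_hello` helper are constructed for the example.

```python
"""Audit a TLS ClientHello/ServerHello pair for export-grade cipher suites.
All byte strings here are constructed by hand for the example, not captures."""
import struct

# RSA_EXPORT / DHE_EXPORT suite identifiers (IANA TLS Cipher Suite registry)
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def _after_session_id(record):
    """Offset past session_id: record hdr (5) + handshake hdr (4) + version (2) + random (32)."""
    pos = 5 + 4 + 2 + 32
    return pos + 1 + record[pos]  # skip the session_id length byte and the id itself

def parse_client_hello(record):
    """Cipher suites offered by the client, in preference order."""
    pos = _after_session_id(record)
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]

def parse_server_hello(record):
    """The single cipher suite the server selected."""
    pos = _after_session_id(record)
    return struct.unpack("!H", record[pos:pos + 2])[0]

def audit(client_record, server_record):
    """Return a list of findings; an empty list means the handshake looks clean."""
    offered = parse_client_hello(client_record)
    chosen = parse_server_hello(server_record)
    findings = []
    for cs in offered:
        if cs in EXPORT_SUITES:
            findings.append("client offers %s" % EXPORT_SUITES[cs])
    if chosen in EXPORT_SUITES:
        findings.append("server selected %s" % EXPORT_SUITES[chosen])
    if chosen not in offered:
        # A correct client aborts here; a FREAK-vulnerable client accepted the downgrade
        findings.append("server selected 0x%04x which the client never offered" % chosen)
    return findings

def build_hello(handshake_type, suites):
    """Construct a minimal TLS 1.2 record: type 1 = ClientHello, 2 = ServerHello."""
    body = b"\x03\x03" + bytes(32) + b"\x00"  # version, zeroed random, empty session id
    if handshake_type == 1:
        body += struct.pack("!H", 2 * len(suites))
        body += b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00"
    else:
        body += struct.pack("!H", suites[0]) + b"\x00"
    hs = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    client = build_hello(1, [0x002F, 0x0035, 0xC02F])   # AES suites only
    print(audit(client, build_hello(2, [0x002F])))       # honest server: []
    print(audit(client, build_hello(2, [0x0003])))       # tampered ServerHello
```

The same check run over a real capture would need the TLS record and handshake lengths honoured rather than the fixed offsets used here.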
When the flaw was publicized earlier this week, it was Apple’s Safari browser and the stock Android browser that were on the firing line for being vulnerable, endangering those users who communicate with servers that accept “export-grade” encryption – apparently a whopping third of servers with browser-trusted certificates. But it turns out the list of affected browsers and systems is way longer than that.
The big one is Windows. In pretty much every version of Windows that’s out there, Internet Explorer and whatever else uses the Schannel security package are vulnerable to the FREAK attack.
In its advisory, Microsoft said:
We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
Per the researchers who brought this all to our attention, here’s the current list of browsers that need patching:
- Internet Explorer
- Chrome on OS X (patch available)
- Chrome on Android
- Safari on OS X (patch expected next week)
- Safari on iOS (patch expected next week)
- Stock Android browser
- BlackBerry browser
- Opera on OS X
- Opera on Linux
As a Firefox user, I’m feeling slightly smug this week — the researchers’ FREAK test tool just gave my browser a clean bill of health, and told me my never-used IE installation is vulnerable. Not too smug though, given the impact on other Windows software.
Good thing the anti-strong-encryption nonsense that caused this mess is a relic of past decades, eh? Oh wait…
BlackBerry has launched a touchscreen-only smartphone — its first since the Z3 a year ago — called the Leap. It will be reasonably affordable at $275 off-contract when it goes on sale this April.
The handset has a five-inch display and will reportedly go on sale in Europe and Asia first. BlackBerry is pushing the security angle pretty hard on this one, no doubt as a partial reaction to efforts by the likes of Blackphone and Jolla to appeal to privacy-conscious businesses and consumers.
“Companies and everyday consumers are finding out the hard way that mobile security is paramount. BlackBerry Leap was built specifically for mobile professionals who see their smartphone device as a powerful and durable productivity tool that also safeguards sensitive communications at all times,” BlackBerry devices chief Ron Louks said in a statement.
Indeed, the company also used Mobile World Congress in Barcelona to announce the BlackBerry Experience Suite, which is actually three suites of services that will work across rival platforms including iOS, Android and Windows. Two of the bundles will cover productivity and communications and collaboration, while the third will provide encryption and privacy controls for emails and documents.
Security aside, BlackBerry is promising that the Leap can take up to 25 hours of “heavy use” before its 2,800mAh battery gives up. It has an eight-megapixel rear camera and 16GB of internal storage with extra microSD support. As with other recent BlackBerry phones, the Leap also comes with the Assistant voice-and-text command feature and two app stores, BlackBerry World and the Amazon Appstore.
According to reports of the MWC unveiling of the device, Louks also briefly held up an unnamed handset with a slide-out keyboard that will properly appear later this year.
Swiss plastic watchmaker Swatch is preparing to launch a smartwatch in the next few months, promising mobile payments functionality and compatibility with both Android and Windows. Most interestingly, it told Bloomberg and others the watch won’t require charging. There are no details of how this will be achieved, so I can only theorize that its power requirements will be low enough to feed off kinetic energy from the user’s movements — Swatch has a technology for this called Autoquartz. The device will probably launch around the same time as the new Apple Watch, but given Swatch’s pricing it’s likely to be a darn sight cheaper.
Microsoft turned in pretty good second quarter results on Monday, but its stock still took a hit after hours and into Tuesday. At time of posting, Microsoft shares were off 8.6 percent to $42.97 from Monday’s close of $47.01.
Why? After the earnings call, Microsoft watchers seemed to remember that the company cash cows remain good old-fashioned Office and Windows, sales of which aren’t setting the world on fire. Sales in the company’s Commercial Division, which includes those products, missed expectations, logging “just” $10.68 billion for the quarter compared to the $10.94 billion that FactSet analysts had expected, according to Marketwatch.
Another data point: Revenue for Windows OEM versions of the operating system — which get pre-loaded on new PCs — fell 13 percent year over year. And Windows Volume licensing revenue grew just 3 percent, as CRN pointed out.
Monday’s call was characterized as the end of the honeymoon for Microsoft CEO Satya Nadella, who took the reins in February 2014. I don’t know about that, but there does seem to be a growing realization that replicating the wild success Microsoft had selling tons of copies of Office and Windows — either through volume licenses to big companies or at retail — will be a tough task in the cloud era, where Microsoft was not first out of the gate.
On Monday’s earnings call, Nadella acknowledged that Windows suffered a tough year-to-year comparison, noting that: “As expected, the one-time benefit of Windows XP end-of-life PC refresh cycle has tailed off.” He was referring to the fact that Microsoft stopped supporting the popular XP operating system in April 2014, and that publicized deadline probably pulled many PC purchases forward from this year.
Microsoft CFO Amy Hood cited that “comparability issue” as a headwind that will “show itself most directly as weakness in commercial licensing and most specifically as weakness in Office transactional licensing.” Transactional business refers to sales of fully licensed software to run on a PC or server, as opposed to the more incremental subscription Software-as-a-Service (SaaS) model.
So Office and Windows sales took a hit because they did well last year, but there’s more to this concern than the lingering impact of Windows XP’s demise.
At the heart of Microsoft’s problem is that, for many companies, it is just not the brand it once was. Whereas people of my era grew up relying on Microsoft Office applications, startups and young employees are less likely to use them. Google Apps is more likely their productivity suite. So Google is strong in small companies, but it has also been aggressively courting enterprise accounts.
That means that, in this SaaS era, Microsoft faces a formidable name-brand competitor that can compete with it on price. The days of Microsoft being able to demand a premium price are over.
The company is doing lots of smart things to try to remedy the attention deficit among young companies. Its decision to go “freemium” with PowerBI is smart, but then again the prospect of free software won’t endear it to Wall Street analysts, a constituency that was thrilled to see Nadella replace Steve Ballmer as CEO.
Sure, Microsoft can claim progress in cloud with Azure infrastructure as a service — but that comes from a small base of users compared to the Amazon Web Services juggernaut. So when it says its cloud business hit a $5 billion run rate in the second quarter it’s worth noting, but with a grain of salt. Cloud numbers from legacy vendors are fluffy at best, as they typically include a lot of legacy stuff and services thrown in. Last week, IBM claimed its cloud business hit its $7 billion target, a claim that met much skepticism.
Microsoft will have to keep investing in key new technologies if it’s going to build relevance for modern companies. The goal is to make sure that PowerBI or some other Microsoft product becomes as essential to a big class of users as Excel and Word did 20 to 30 years ago. And Nadella has opened up the check book — Microsoft has almost $89 billion in cash after all. Last week, Microsoft acquired Revolution Analytics, the company that backs the R language used by many data scientists.
Big data and machine learning will be key areas — which you can hear more about from Joseph Sirosh, corporate VP for machine learning who will speak at Structure Data in New York City in March.
Microsoft’s consumer-focused Windows 10 reveal kicks off at company headquarters in Redmond, Washington today and we’re live from the event to see what the next version of Windows has in store.
We’re expecting Microsoft to share new details about how the desktop version of Windows 10 works, but the bigger questions facing Microsoft surround its mobile strategy and the next version of Windows for tablets and smartphones. Will Microsoft merge its Windows Stores for mobile and the desktop into a single cross-platform app store? Microsoft is also to announce new improvements and features for Cortana, its voice-activated assistant, as well as possibly a new browser codenamed “Spartan.”
Windows 10 also marks Microsoft’s first major Windows release since CEO Satya Nadella took over last year. He’ll be speaking today, so make sure to tune in starting at 9:00am PT.
Here’s what’s been announced so far:
A Canadian outfit called Peerio has put its eponymous secure messaging and cloud storage app into public beta, promising a much more usable alternative to PGP email and file encryption.
Peerio was released on Wednesday for Windows, Mac and Chrome (which also gives Linux users an option) – apps for Android and iOS are in the works. It’s not quite perfect just yet, but it’s an intriguingly user-friendly take on secure cloud communications and storage.
“Our goal is for Peerio to succeed PGP in the use-cases of mail and file sharing,” co-founder and lead cryptography designer Nadim Kobeissi told me via a Peerio encrypted conversation. “We’ve developed a system built on foundations that are more modern, stronger, and simpler than PGP. Anyone who uses Peerio for a few minutes will quickly see how it’s years ahead of using PGP with Thunderbird, and never go back.”
Open-source and audited
The two-decade-old PGP is certainly a pain to use — at least, if you want to get it right — largely because of the complexity of PGP key management. Rather than requiring users to have their private key file to hand, Peerio requires them to create memorable (and long) passphrases that are then used to locally generate private keys for each session. The passphrase is used to log into Peerio for the first time on each new device. After that, a shorter, easier-to-type password can be created for that device, and two-factor authentication is also available.
Peerio incorporates the encryption technology of Kobeissi’s Minilock file encryption app. Users have usernames rather than email addresses and their client-generated, abstract avatars are used to verify their cryptographic identity (the client can automatically detect changes.)
From a functionality perspective, Peerio is a cross between email (albeit without the universality) and instant messaging. Files can be attached to messages, and conversations are threaded and searchable. There’s no draft functionality at the moment, which can be a pain when jumping between conversations mid-message, but Kobeissi said this will come soon and drafts will be safely encrypted.
Kobeissi, a PhD student in applied cryptography, is best-known as the creator of the Cryptocat chat app, which had a nasty security scare in 2013 (a bug left group chats vulnerable for months). However, this time round his co-creation has been audited by “expert cryptographers and system penetration testers” (Germany’s Cure53, per Wired). What’s more, the client code is open source and available on Github for scrutiny by whoever can offer it.
Kobeissi seems pretty confident about Peerio’s security. When I asked whether it was tough enough to be a secure channel for leaking information, he replied: “I think people doing something like leaking state secrets should not depend on the internet at all, personally. But I would say that Peerio can protect the content of people’s communications, even if they’re operating from a highly surveilled context.”
However, the service’s end-to-end encryption only protects the contents of communications, not the metadata about who contacted whom and when. Peerio’s Canadian servers still hold users’ contact lists, the number of files and messages sent, and message timestamps. Kobeissi told me access to this metadata is “quite minimal and well-guarded” and he and his colleagues “pledge to fight any overreaching government requests”, but still, the information is there and, unlike the contents of messages, available to Peerio itself. Will Peerio create a way to encrypt this metadata? “One thing at a time,” Kobeissi said.
Peerio’s team includes four permanent staff, but numbers 12 with hired contractors – the outfit has $250,000 in seed funding. The plan is to make money by charging for premium features such as more than a gigabyte of storage, and by targeting the business market at some point.
For a product just entering public beta, Peerio seems admirably clean, functional and user-friendly. As long as people don’t find nasty vulnerabilities – and the firm deals with its metadata-related issues — it could be a viable mass-market encrypted communications and collaboration service. (A minor warning, though: If you import a contacts list, Peerio will send out an invite to everyone on it.)
Five years ago, Microsoft began offering a choice of browsers to European customers who were booting up a copy of Windows for the first time. It did this in order to settle an antitrust case with the European Commission and avoid a hefty fine.
That commitment – which Microsoft wasn’t entirely consistent in sticking to — ended on Wednesday. The firm has accordingly axed its browser choice mechanisms, telling users: “Microsoft encourages customers who want more information about web browsers or want to download another browser to do so by visiting the websites of web browser vendors directly.”
Windows is obviously still a big deal, but not as market-dominating as it was back in 2009. Back then, if you wanted a personal computer, you were most likely to buy a Windows PC. As of next year, according to analyst estimates, you’re as likely to buy a tablet instead – though don’t write off the PC just yet, particularly in Europe and the U.S.
The main reason that the European Commission wrung the browser choice concession out of Microsoft was that the company was trying to extend its market dominance past the operating system to the next big platform: the web. It was doing so by making Internet Explorer the default browser in Windows, something that the Commission saw as an anticompetitive abuse of its dominant position.
By removing that default status, other browsers got their chance to shine – it was no longer necessary for users to already know about that other browser and consciously visit its download site on Internet Explorer, for them to be a click away from downloading it. Five years later, Chrome is now the most popular browser in the world.
And the statistics for Europe versus North America, for example, are telling. Looking at desktops specifically, in North America, Chrome has a 41.52 percent share of the browser market and Internet Explorer is in second place with 32.75 percent. In Europe, Chrome has a 47.2 percent share and IE has just 17.53 percent, putting it in third place behind Firefox (on 25.68 percent.) While regulatory intervention isn’t the only reason for this situation — Chrome still beats IE in North America, where there was no intervention — it’s likely to have been a big one. Defaults matter.
The rise of Chrome across the desktop and mobile, with Google as its default search engine, has become a key factor in Google’s 90+ percent dominance in the EU search market. Now it’s that company’s turn under the Commission’s antitrust spotlight, thanks to its abuse of that position to stamp out vertical search rivals and the like. If the Commission manages to cut Google down to size with whatever the settlement of that case entails, who knows which future monopolist will get the chance it craves?
This article was updated at 9.20am PT with some statistics about browser share, and slightly rearranged around that addition.
Despite what you may hear from the Linux-and-Mac crowds, a good chunk of today’s enterprise workloads run on Windows Server, which is why Google really wants them to also run on the Google Cloud Platform.
And now they can. Because Google is now party to the Microsoft License Mobility program, existing SQL Server databases, SharePoint document repositories and Exchange Server mail can run on the Google Cloud Platform without having to cough up additional licensing fees to do so. At least that’s the case if they now run on Windows Server 2008 R2, support for which Google announced in March. But Google is also working on analogous support for the newer Windows Server 2012 and 2012 R2 releases, about which it will talk “soon,” according to this Google Cloud Platform blog post.
As for why a Windows shop would opt for Google’s cloud as opposed to, say, Microsoft Azure, Google director of product management Greg DeMichillie didn’t hesitate to play the anti-lock-in card.
“Almost every enterprise intentionally wants to be multi-cloud,” DeMichillie noted. “Let’s face it, some of them got locked into on-prem licenses fees from vendors that were much bigger than they expected. Most companies will qualify two or three different cloud vendors.”
Plus, he noted, when customers look at Google Compute Engine’s local SSD storage and data center peering, they’ll see it “as a great place for enterprises to bring their apps” along with other perks like Google Firebase for mobile development and Big Query analytics.
Google has indeed been working overtime to portray its cloud as a good home for enterprise data and workloads. It sort of has to, since Amazon Web Services has an 8-year head start and Azure can parlay Microsoft’s branding and existing relationships with enterprise accounts. Google has made some inroads, especially among younger companies with Google Apps et al, but it’s still playing catch-up in big companies.
But I would agree that most large companies do not want to lock into one cloud vendor, and that may play to Google’s advantage.
Apple has had an on-again, off-again strategy when it comes to providing customers traditional access to online storage. The question is whether they finally got it right this time with iCloud Drive.