Archive for the ‘Tech’ Category

Internet of Things roundtable: Experts discuss what to look for in IoT platforms

Networking is at the heart of every Internet of Things deployment, connecting sensors and other “Things” to the apps that interpret the data or take action.

But these are still early days. Assembling an IoT network from commercial off-the-shelf components is still, let’s just say, a work in progress. This will change over time, but for now the technical immaturity is being addressed by System Integrators building custom code to connect disparate parts and by a new class of network meta-product known as the IoT Platform.

IoT Platform products are still in their infancy, but there are already more than 20 on the market today. Approaches vary, so when making a build or buy decision, consider these critical areas of IoT Platform tech: security, sensor compatibility, analytics compatibility, APIs and standards.

iot platform diagram Iot-Inc.

To see where we stand on developments in these areas, I emailed experts from seven IoT Platform companies, big and small, asking for input: Roberto De La Mora, Sr. Director at Cisco, Steve Jennis, SVP at PrismTech, Bryan Kester, CEO at SeeControl, Lothar Schubert, Platform Marketing leader, GE Software, Niall Murphy, Founder & CEO at EVRYTHNG, Alan Tait, Technical Manager at Stream Technologies and Raj Vaswani, CTO and Co-Founder, Silver Spring Networks. Here’s what they had to say:

* Security
De La Mora: Security technologies and solutions that are omnipresent in IT networks can be adapted (carefully) to serve Operational Technology in IoT environments. But security is not about adding firewalls or IPS/IDS systems here and there. Cyber Security for IoT should follow a model applied at every layer of the architecture, and be combined with physical security to add intelligence to the operation via data correlation and analytics.

Jennis: Without a standards-based security framework it is very difficult to create communication channels that are both secure and interoperable. An interoperable security solution is very important in order to prevent vendor lock-in and to enable the system to be extended if required.

Kester: Sophisticated customers are encrypting traffic between the sensor board and the cloud. However most deployments are using private VPNs which don’t require a lot precious CPU or RAM from the remote device/system.

Murphy: Crypto-secure digital identities for physical things enable authenticated identities online by applying token-based security methods through Web standards to manage application access to these digital identities.

Vaswani: Embed security at each layer of the network, including sophisticated authentication and authorization techniques for all intelligent endpoints, require digital signatures and private keys to prevent any unauthorized access or activity on the system, and end-to-end encryption for all communications across the network. Incorporating physical tamper detection and resistance technologies further reduces the risk of unauthorized access and monitoring.

* Sensor Compatibility
Jennis: The following Platform considerations should be taken into account:

· Memory footprint – how much memory does the Platform require to function? Some simple sensors have only 128KB of memory to work with.

· Operating system support – does the Platform require a full POSIX-like OS or can it accept something simpler?

· Network stack support, e.g. IPv4, IPv6, 6LoWPAN, other – simple sensors used in Low Power Wireless Area Networks (LoWPAN) may require a cut down IP stack.

· Programming language support – a Platform may provide APIs for only specific programming languages (e.g. C or C++).

· Java dependence – does the Platform require a JVM to function, limiting sensor choices?

Murphy: The most important consideration is recognizing the risks inherent in vertically integrated solution architectures. By definition, the Internet of Things is heterogeneous in the types of things it is connecting. A horizontal architecture, to manage the information from and about the things they are connecting, can abstract the transport layer from the application layer. This allows applications to be developed independently of specific sensor devices, and sensor devices to be changed and network connectivity methods changed without breaking the application dependencies.

Schubert: A Software-Defined Machine (SDM) decouples software from the underlying hardware, making machines directly programmable through machine apps and allows connecting with virtually “any” machine and edge device, including retrofitting machines and connections to legacy systems.

* Analytics Compatibility

De La Mora: Support for structured and non-structured data, ease of integration with existing operation, automation and control systems, and the ability to operate in a distributed computing environment are all important factors for analytic compatibility.

Kester: To do advanced long-term business intelligence, machine learning or Hadoop-type of parallel processing, your Platform choice should have a well-documented and Web accessible API to interface with your analytic product of choice. It should also be easy for any IT employee, or even savvy business analysts, to use without training.

Murphy: The network platform has to enable multiple disparate audiences within a company access to benefit from data collection and perform meaningful analysis. Analytics is often thought of in a reporting sense only, but increasingly analytics is being applied in conjunction with machine learning algorithms and rules logic to drive applications and actuate devices.

Tait: You need to be sure the information you are collecting is stored well (backed up, secure, etc.) and that you have the ability to export your data and you maintain ownership.

Schubert: The tremendous data growth in industrial IoT demands massively scalable, low-cost infrastructure, such as that based on Apache Hadoop v2 and COTS (commercial off-the shelf) hardware. It has to support the various security, compliance and data privacy mandates. Predictive Analytics is how value is delivered to customers. It provides timely foresight into asset and operations, and provides actionable recommendations (when paired with rule engines). Perhaps most important, analytics need to be integrated into the operational processes, rather than be a stand-alone IT solution.

* APIs
De La Mora: RESTful API’s are becoming standard. The abstraction capabilities they provide, along with the architectural model based on the Web, are key. SDK’s that provide API’s that are not compatible with the W3C TAG group are a nonstarter for applications that should be in the end, connected to the Internet.

Jennis: First and foremost, APIs should be clean, type-safe and idiomatic. In addition, APIs should favor non-blocking/asynchronous interaction models to make it easier to build responsive systems. Where possible APIs should be standardized to ease component integration and prevent lock-in.

Murphy: APIs should use Web standards and blueprints (e.g. REST and no WSDL/SOAP), and state-of-art Web security systems. They should also offer ways of extracting the data, not just feeding it in.

Tait: Keep it simple, truly good APIs are clear, concise and have a purpose. They should also do the common things easily.

Schubert: Service-oriented architectures (SOA) and related application development paradigms rely on APIs for integration of services, processes and systems. APIs must be open, accessible and upgrade-compatible.

* Standards
De La Mora: We are calling this the Internet of Things because it will be part of the next generation of the Internet, so the only key standard protocol, that I see in the future, is IPv6.

Kester: Any Platform that is in communication with devices should support the major communication protocols in use today, which are UDP, MQTT, XMPP, CoAP, Modbus/TCP and HTTP.

Murphy: RESTful application programming interfaces, JSON and similar Web-centric formats for data exchange should be used. The Platform that an enterprise uses to manage its physical products and assets as digital assets, needs to be able to integrate smoothly with both the enterprise’s other systems and third party applications. Integration means both the technical protocols of system-to-system interaction (e.g. REST, OAuth) but also critically, the semantics of the information itself.

Vaswani: The use of universal standards such as IP ensures that products can be easily mixed and matched from different vendors to ensure full interoperability and to deliver on other applications supported by an even broader ecosystem of hardware and software players.

MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at



Workers use their own devices at work, without boss’s knowledge

Line between work and play is getting more blurred, Gartner survey indicates

Many workers use their personally owned smartphones and other computers for job tasks, but a new survey shows a big percentage are doing so without their employer’s knowledge.

Market research firm Gartner surveyed 4,300 U.S. consumers in June who work at large companies (with more than 1,000 employees) and found 40% used personally owned smartphones, tablets, laptops or desktops as a primary or supplemental business device.

That 40% might not be unusual, but more surprisingly, Gartner found that 45% of workers not required to use a personal device for work were doing so without their employer’s knowledge.

“Almost half [are using their device] without their employer’s awareness,” said Gartner analyst Amanda Sabia in an interview.

“Are those without employer’s awareness violating a rule? That would depend on the employer,” Sabia added. “The point is that some CIOs are underestimating [the number of] employees using their devices and should be prepared for this.”

The Gartner survey found the most popular personally owned device used for work was a desktop computer, at 42%, closely followed by a smartphone, at 40%, a laptop, at 36%, and a tablet, at 26%.

“The lines between work and play are becoming more and more blurred as employees choose to use their own device for work purposes whether sanctioned by an employer or not,” Sabia said. “Devices once bought for personal use are increasingly used for work.”

Technology manufacturers and wireless service providers could do more to respond to the bring-your-own-device trend, Sabia said. The survey found that the primary use of a smartphone, after making calls and texting, was to get maps and directions.

“Smartphone vendors should focus on ensuring ease of integration of a smartphone with in-car sound and media systems for hands-free and real-time operation of these [mapping and directions] functions,” Sabia added.

The survey asked a wide range of questions beyond BYOD concerns. Another finding was that 32% of respondents plan to buy a smartphone in the next 12 months, while 23% want to buy a laptop or notebook, 20% plan to buy a tablet and 14% a desktop PC.

Also, about 80% of respondents said they had downloaded a mobile app. Of that number, three-fourths of the apps were free, and one-fourth were paid.

Nick Ingelbrect, a Gartner analyst, noted that the app industry has struggled to make money on its products, but the survey results should provide encouragement. The app market is maturing, and consumers are more discerning, but will pay for apps that they find valuable, he said.


MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at

9 employee insiders who breached security


These disgruntled employees show what can happen when an employer wrongs them.

Security admins used to have to worry about keeping the bad guys out of the network, but there have been many documented cases where the devil you know is sitting right next to you. A review of recent FBI cyber investigations revealed victim businesses incur significant costs ranging from $5,000 to $3 million due to cyber incidents involving disgruntled or former employees, according to AlgoSec. Here are just a few over the years of insiders trying to take down their employer’s network.

Terry Childs, the former network administrator for the City of San Francisco, held the city’s systems hostage for a time. He refused to surrender passwords because he felt his supervisors were incompetent. Childs was convicted of violating California’s computer crime laws in April 2010.

In June 2012, Ricky Joe Mitchell of Charleston, W.Va., a former network engineer for oil and gas company EnerVest, was sentenced to prison for sabotaging the company’s systems. He found out he was going to be fired and decided to reset the company’s servers to their original factory settings.

It was discovered in 2007 that database administrator William Sullivan had stolen 3.2 million customer records including credit card, banking and personal information from Fidelity National Information Services. Sullivan agreed to plead guilty to federal fraud charges and was sentenced to four years and nine months in prison and ordered to pay a $3.2 million fine.

Flowers Hospital had an insider data breach that occurred from June 2013 to February 2014 when one of its employees stole forms containing patient information and possibly used the stolen information to file fraudulent income tax returns.

According to, 34-year-old Sam Chihlung Yin created a fake VPN token in the name of a non-existent employee which he tricked Gucci IT staff into activating after he was fired in May 2010.

Army Private First Class Bradley Manning released sensitive military documents to WikiLeaks in 2009. Manning, now known as Chelsea Manning, was given a sentence of 35 years in prison.

Back in 2002, Timothy Lloyd was sentenced to three-and-a-half years in prison for planting a software time bomb after he became disgruntled with his employer Omega. The result of the software sabotage was the loss of millions of dollars to the company and the loss of 80 jobs.

Earlier this year, NRAD Medical Associates discovered that an employee radiologist had accessed and acquired protected health information from NRAD’s billing systems without authorization. The breach was estimated to be 97,000 records of patient names and addresses, dates of birth, Social Security information, health insurance, and diagnosis information.

And of course there is the most famous whistleblower of all time: Edward Snowden. Before fleeing the country, he released sensitive NSA documents that became a blowup about government surveillance.


MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at

8 cutting-edge technologies aimed at eliminating passwords

In the beginning was the password, and we lived with it as best we could. Now, the rise of cyber crime and the proliferation of systems and services requiring authentication have us coming up with yet another not-so-easy-to-remember phrase on a near daily basis. And is any of it making those systems and services truly secure?

One day, passwords will be a thing of the past, and a slew of technologies are being posited as possibilities for a post-password world. Some are upon us, some are on the threshold of usefulness, and some are likely little more than a wild idea, but within each of them is some hint of how we’ve barely scratched the surface of what’s possible with security and identity technology.

The smartphone

The idea: Use your smartphone to log into websites and supply credentials via NFC or SMS.

Examples: Google’s NFC-based tap-to-unlock concept employs this. Instead of typing passwords, PCs authenticate against the users phones via NFC.

The good: It should be as easy as it sounds. No interaction from the user is needed, except any PIN they might use to secure the phone itself.

The bad: Getting websites to play along is the hard part, since password-based logins have to be scrapped entirely for the system to be as secure as it can be. Existing credentialing systems (e.g., Facebook or Google login) could be used as a bridge: Log in with one of those services on your phone, then use the service itself to log into the site.

The smartphone, continued
The idea: Use your smartphone, in conjunction with third-party software, to log into websites or even your PC.

Examples: Ping Identity. When a user wants to log in somewhere, a one-time token is sent to their smartphone; all they need to do is tap or swipe the token to authenticate.

The good: Insanely simple in practice, and it can be combined with other smartphone-centric methods (a PIN, for instance) for added security.

The bad: Having enterprises adopt such schemes may be tough if they’re offered only as third-party products. Apple could offer such a service on iPhones if it cared enough about enterprise use; Microsoft might if its smartphone offerings had any traction. Any other takers?

The idea: Use a fingerprint or an iris scan — or even a scan of the vein patterns in your hand — to authenticate.

Examples: They’re all but legion. Fingerprint readers are ubiquitous on business-class notebooks, and while iris scanners are less common, they’re enjoying broader deployment than they used to.

The good: Fingerprint recognition technology is widely available, cheap, well-understood, and easy for nontechnical users.

The bad: Despite all its advantages, fingerprint reading hasn’t done much to displace the use of passwords in places apart from where it’s mandated. Iris scanners aren’t foolproof, either. And privacy worries abound, something not likely to be abated once fingerprint readers become ubiquitous on phones.

The biometric smartphone
The idea: Use your smartphone, in conjunction with built-in biometric sensors, to perform authentication.

Examples: The Samsung Galaxy S5 and HTC One Max (pictured) both sport fingerprint sensors, as do models of the iPhone from the 5S onwards.

The good: Multiple boons in one: smartphones and fingerprint readers are both ubiquitous and easy to leverage, and they require no end user training to be useful, save for registering one’s fingerprint.

The bad: It’s not as hard as it might seem to hack a fingerprint scanner (although it isn’t trivial). Worst of all, once a fingerprint is stolen, it’s, um, pretty hard to change it.

The digital tattoo
The idea: A flexible electronic device worn directly on the skin, like a fake tattoo, and used to perform authentication via NFC.

Examples: Motorola has released such a thing for the Moto X (pictured), at a cost of $10 for a pack of 10 tattoo stickers, with each sticker lasting around five days.

The good: In theory, it sounds great. Nothing to type, nothing to touch, (almost) nothing to carry around. The person is the password.

The bad: So far it’s a relatively costly technology ($1 a week), and it’s a toss-up as to whether people will trade typing passwords for slapping a wafer of plastic somewhere on their bodies. I don’t know about you, but even a Band-Aid starts bothering me after a few hours.

MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at



Gartner: IT careers – what’s hot?

Do you know smart machines, robotics and risk analysis? Gartner says you should

ORLANDO— If you are to believe the experts here a the Gartner IT Symposium IT workers and managers will need to undergo wide-spread change if they are to effectively compete for jobs in the next few years.

Gartner 2014

Gartner: Top 10 Technology Trends for 2015 IT can’t ignore
Gartner: Top 10 strategic predictions for businesses to watch out for
Gartner: IT careers – what’s hot?
Gartner: Make way for digital business, risks or die?

How much change? Well Gartner says by 2018, digital business requires 50% less business process workers and 500% more key digital business jobs, compared to traditional models. IT leaders will need to develop new hiring practices to recruit for the new nontraditional IT roles.

“Our recommendation is that IT leaders have to develop new practices to recruit for non-traditional IT roles…otherwise we are going to keep designing things that will offend people,” said Daryl Plummer, managing vice president, chief of Research and chief Gartner Fellow. “We need more skills on how to relate to humans – the people who think people first are rare.”

Gartner intimated within large companies there are smaller ones, like startups that need new skills.

“The new digital startups in your business units are thirsting for data analysts, software developers and cloud vendor management staff, and they are often hiring them fast than IT,” said Peter Sondergaard, senior vice president and global head of Research. “They may be experimenting with smart machines, seeking technology expertise IT often doesn’t have.”

So what are the hottest skills? Gartner says right now, the hottest skills CIOs must hire or outsource for are:
User Experience
Data sciences

Three years from now, the hottest skills will be:
Smart Machines (including the Internet of Things)
Automated Judgment

Over the next seven years, there will be a surge in new specialized jobs. The top jobs for digital will be:
Integration Specialists
Digital Business Architects
Regulatory Analysts
Risk Professionals

MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at


‘Bigger than Heartbleed’ Shellshock flaw leaves OS X, Linux, more open to attack

Well, this isn’t good. Akamai security researcher Stephane Chazelas has discovered a devastating flaw in the Unix Bash shell, leaving Linux machines, OS X machines, routers, older IoT devices, and more vulnerable to attack. “Shellshock,” as it’s been dubbed, allows attackers to run code on your machine after exploiting the flaw, but the true danger here lies in just how old Shell Shock is—this vulnerability has apparently been lurking in the Bash shell for years.

Why this matters: A large swath of the web-connected devices, web servers, and web-powered services run on Linux distributions equipped with the Bash shell, and Mac OS X Mavericks is also affected. The fact that Shellshock’s roots are so deep likely means that the vulnerability will still be found in unpatched systems for the foreseeable future—though the odds of it directly impacting you appear somewhat slim if you use standard security precautions.
MORE ON NETWORK WORLD: Free security tools you should try

Heartbleed redux

The news comes as the security community is just shaking off the effects of Heartbleed, a critical vulnerability in the widely used OpenSSL security protocol. “Today’s bash bug is as big a deal as Heartbleed,” says Errata Security’s Robert Graham, a respected researcher.

Hold your horses, Robert. Before we dive into dire warnings, let’s focus on the positive side of this story. Numerous Linux variants have already pushed out patches that plug Shellshock, including Red Hat, Fedora, CentOS, Ubuntu, and Debian, and big Internet services like Akamai are already on the case.

But Graham says Shellshock’s danger will nevertheless linger for years, partly because “an enormous percentage of software interacts with the shell in some fashion”—essentially making it impossible to know exactly how much software is vulnerable—and partly because of the vulnerability’s age.

“Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.”

Now consider that more than two months after Heartbleed was disclosed, hundreds of thousands of systems remained vulnerable to the exploit.
Maybe not Heartbleed redux?

But don’t panic! (Or at least not yet.) While Heartbleed had the potential to be widely exploited, Jen Ellis of security firm Rapid7 says the Shellshock bug’s outlook isn’t quite as grim, even if it is rampant.

“The vulnerability looks pretty awful at first glance, but most systems with Bash installed will NOT be remotely exploitable as a result of this issue,” Ellis writes. “In order to exploit this flaw, an attacker would need the ability to send a malicious environment variable to a program interacting with the network and this program would have to be implemented in Bash, or spawn a sub-command using Bash.”

As a result, Ellis and Rapid7 urge keeping a level head about the bug.
“We’re not keen to jump on the ‘Heartbleed 2.0′ bandwagon. The conclusion we reached is that some factors are worse, but the overall picture is less dire… there are a number of factors that need to be in play for a target to be susceptible to attack. Every affected application may be exploitable through a slightly different vector or have different requirements to reach the vulnerable code. This may significantly limit how widespread attacks will be in the wild. Heartbleed was much easier to conclusively test and the impact way more widespread.”

While older Internet-connected devices (like, say, security cameras) seem to be likely victims of Shellshock, respected security researchers Michal Zalewski and Paul McMillan note that many embedded devices don’t actually use the Bash shell at all.

Beyond Linux-based systems, Graham and Ars Technica report that Mac OS X Mavericks contains a vulnerable version of Bash.

To test if your version of Bash is vulnerable to this issue, Red Hat says to run this command:

$ env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”

If the system responds with the following, then you’re running a vulnerable version of Bash and you should apply any available updates immediately:

this is a test

“The patch used to fix this issue ensures that no code is allowed after the end of a Bash function,” Red Hat reports. So rather than spitting out “Vulnerable,” a protected version of Bash will spit out the following when you run the aforementioned command:

$ env x='() { :;}; echo vulnerable’ bash -c “echo this is a test” bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x’ this is a test

What does this mean?

When it boils down to brass tacks, most major websites and modern gadgets you own likely won’t be affected by this Bash vulnerability, and Apple will no doubt patch the OS X implementation quickly. (Here’s a highly technical DIY fix for now.)

It’s impossible to know just how far this flaw reaches, and it’s likely to linger on in neglected websites, older routers, and some legacy Internet of Things devices—many of which are impossible to patch—providing an opening for determined hackers to sneak into those systems.

So what should you do? Here’s some actionable advice from security researcher Troy Hunt’s tremendous in-depth primer on Shellshock:

“In short, the advice to consumers is this: watch for security updates, particularly on OS X. Also keep an eye on any advice you may get from your ISP or other providers of devices you have that run embedded software. Do be cautious of emails requesting information or instructing you to run software – events like this are often followed by phishing attacks that capitalize on consumers’ fears.”

PCWorld’s guide to protecting your PC against devious security traps can help you I.D. bad actors, while Ian Paul has three tips for spotting malicious emails over at his Hassle-Free PC column.


MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at




Sneak Peek: New features coming to Internet Explorer

Microsoft’s new Developer Channel offers glimpse into upcoming features of IE.
Microsoft recently released a “Developer Channel” edition of Internet Explorer, launching a new way in which upcoming features will be previewed, and laying the groundwork for a business strategy focusing on web services. Here’s what you need to know about the future of Internet Explorer.

Developer Channel version offers sneak peek at new features
Though it’s available for the public to freely download and install, Internet Explorer Developer Channel is not meant for everyday use, whether business or casual. As its label implies, IE DC is primarily geared toward developers with which to play around. But anyone can try out the browser to see what new features are being worked on by the IE development team.

No more betas
Instead of releasing betas, the IE development team will update IE DC with the latest features, fixes and optimizations. Throughout this process, you’ll be able to keep up with the work-in-progress of IE by downloading the most current release of IE DC. When the IE team determines this code is ready for public consumption, it will then be rolled out as the next version of IE.

Compatibility is limited to Win 7/8.1
IE DC is available for Windows 7 and Windows 8.1 only. Either OS also must have Internet Explorer 11 installed on it. You should probably also ensure your Windows 7 or Windows 8.1 system has the latest official updates for the OS installed, as recommended by Windows Update, prior to installing IE DC.

IE DC runs within a virtualization system, which keeps the browser in a “sandbox” operating separately from the rest of your Windows environment. This is for reasons of security. The consequences are that IE DC cannot share add-ons or settings that you already have in place with your installation of IE 11; IE DC may run slower than IE 11; and it cannot be used as the default browser.

Tracking features in development
The IE development team set up a web page where you can follow the latest features they’re working on to possibly add to future versions of IE. It also lists features that are already in the most recent final releases of the browser, and ones they are considering, but not officially developing yet. You can easily set this list to show only features that are in development, under consideration, under which version number of IE they first appeared, or their interoperability with the other major web browsers.

New features in IE DC
As of this writing, release of IE DC includes only a few new technologies being actively worked on. Two are interesting for the average user: GamePad and WebGL Instancing. They obviously tell that the IE development team is expanding the capabilities of the browser for gaming. (WebGL Instancing utilizes a system’s GPU, graphics processing unit, to more efficiently draw copies of an object without hitting up the system CPU for this task.) These technologies could alternately be integral for less leisurely pursuits, like using a controller to interact with a productivity web app.

Features in development
Other technologies listed as “In Development” (which also means they are not yet implemented into the actual IE DC browser) include Media Capture and Streams, and Web Audio. The first indicates a web app in IE would be able to access audio or video from your computer’s or device’s mic or webcam. Web Audio would enable a web app to produce audio through JavaScript.

Features that are being considered
Listed as “Under Consideration” are features that point to granting web apps even more access to control or receive feedback from the hardware of a computer or device (Ambient Light Events, Battery Status, Vibration). Web apps could also be allowed to encode audio or video from within the browser (MediaRecorder), incorporate speech recognition and synthesis (Web Speech), and manipulate the local files on a Windows system (Drag and Drop Directories, FileWriter).

End of numbered versions?
This new system of providing early looks at IE under a continuous development cycle could suggest Microsoft may de-emphasize version numbering. If this happens, then, as far as the general public is concerned, the upcoming 12th release of IE could be referred to by Microsoft as simply “Internet Explorer.” As for new features, IE appears to be becoming a more technologically capable browser for using with sophisticated web apps. The IE development team isn’t just looking to make a better browser; they’re aiming to make Internet Explorer a better web app platform.


Best Microsoft MCTS Training – Microsoft MCITP Training at


Let’s scuttle cybersecurity bachelor’s degree programs

It may sound counterintuitive, but the way to increase the number of cybersecurity professionals is not to start granting degrees in cybersecurity

I suppose it sounds logical.

We’re hearing that the best way to deal with the shortage of cybersecurity professionals is to funnel students into cybersecurity degree programs.

And while we’re at it, let’s address the problem of all those hackers who are thinking outside of the box by recruiting them for these degree programs.

Unfortunately, the logic of these statements is about a micron thick.

Let’s look at those cybersecurity degree programs first. In no other computing discipline do you have a specialized degree program. You do not earn a bachelor’s degree specifically in software engineering, computer graphics, artificial intelligence, database management, systems administration, Web applications programming or project management. Why should there be a bachelor’s degree specific to cybersecurity? (And please note that I am talking about undergraduate cybersecurity programs, not graduate-level programs.)

There shouldn’t be. Security professionals need to function in a variety of disciplines. They can be called upon to evaluate software for security vulnerabilities, to determine whether a user interface is suffering from information leakage, to design secure databases, to secure operating systems, to assess and shore up the security of websites, to incorporate security requirements into new developments and so on. The person you ask to do all of those things needs to be well rounded. But a cybersecurity degree program offers many security classes at the expense of classes that would normally be required to get a general degree in computer science or information systems.

With exceptions like architecture and nursing, bachelor’s degree programs are not intended to be trade schools. The best college degrees strive to help people have a broad understanding of not just their field, but culture in general. Personally, the skills that have helped me most in the cybersecurity field did not come from computer courses, but from the mandatory writing and business classes I took, which taught me to be a better communicator and how to determine what was valuable to decision-makers.

To paraphrase Jim Rohn, the value of going to college is not in the degree you are awarded, but in what you had to become to earn that degree.

My feelings about cybersecurity degree programs isn’t bias of the “that’s not how it was done in my day” variety. I sincerely believe that cybersecurity degree programs are producing graduates inadequately prepared for the positions they believe they are training for, and quite possibly compromised in their ability to get any job at all.

Consider the National Security Agency, a promoter of the cybersecurity degree movement and a highly coveted employer in the field. The NSA designates some cybersecurity degree programs as Centers of Excellence in Information Assurance Education. So, the graduates of those programs should have no problem getting hired by the NSA in a cybersecurity capacity, right? Well, maybe not. Take a look at the NSA’s cybersecurity professional development program. It wants people with strong programming skills. But many cybersecurity undergraduate programs do not offer any programming coursework. It’s been cut out to make room for more classes in things like writing security policies.

Now, a general degree in computer science can pretty much qualify a person for any entry-level position in the computer profession, including a cybersecurity position. But a person with a highly specific degree may have a problem getting a broader position. And I don’t think new graduates armed with a bachelor’s degree in cybersecurity are going to want to limit themselves to that relatively small subset of available jobs.

Think of it from a hiring manager’s perspective. She has an opening for a database manager and must choose between two candidates. One has a general CS degree, and his studies included classes in database management. The other has a cybersecurity degree, but though he says he can write a database management security policy, he never took a course in database management. Welcome aboard, CS graduate!

While you might contend that the cybersecurity graduate will look for the plethora of cybersecurity job openings, and not a database management position, this first assumes that the new graduate wants to limit themselves to a very specific, and small, subset of computer related job openings. Again, they will still be competing with general computer degree holders.
My Magic Wand

If I could wave a wand to fix the problem of a lack of information security knowledge in college graduates, I would have the NSA and other stakeholders invest their time and money not in developing Centers of Excellence, but in influencing computer science and information systems departments to incorporate security into all relevant courses and degree programs.

This is actually the direction recommended by the Association for Computing Machinery and the IEEE Computer Society in their most recent update to their recommended curriculums for computer science programs and for information systems programs.

Unfortunately, I recently reviewed introductory computer science courses from a wide variety of prestigious universities, and none of the courses that I looked at seemed to be implementing the guidance. Incidentally, in the course of doing some volunteer work, I spoke to some college officials about adding a security course to their curriculum. Next to impossible, they said, since curriculums go through lengthy approval processes. To get a course to include security, you have to find a textbook that covers the subject. Good luck. Few of the most popular textbooks used in computer science classes have even one chapter devoted to security, and many have no specific content. Some of the newer introductory IS textbooks cover security to some extent, but I have yet to see any detailed security content in textbooks for advanced courses.

So, magic wand, let the NSA and other organizations begin to write content for such textbooks, and then offer grants to colleges to enhance their curriculums.

The issue is to create not a handful of people who have a little extra specialized education, but to ensure that the future computer professional community, as a whole, at least has the fundamental knowledge to begin proactively securing their work products.
Thinking Inside the Box

And what about the idea that the graduates of cybersecurity programs should be drawn from students who somehow are better at thinking outside of the box? Quite simply, it is a notion that is grossly ignorant of what has actually been working for decades.

Until recently, the NSA had never hired anyone with a cybersecurity degree. And yet the NSA is widely considered to be the world’s leader in information security and information warfare. How then did the NSA establish such pre-eminence in the field?

It searched among its employees for high-caliber people and then cross-trained them. It is that simple. The NSA continues to do so in many fields, including information assurance.

But will cybersecurity degree programs give the NSA and other employers people who think outside of the box? And will such new graduates have an edge over experienced professionals? No; that is frankly delusional. The proponents of such nonsense argue that hackers are able to get through the strongest security countermeasures by dint of some unique thought processes.

Wrong. Teenagers have been able to break into systems not because of superior skills, but because the people running the systems in question have inadequate professional security training. The hackers aren’t thinking outside of the box; they are just thinking about the task at hand.

Skilled professionals are not usually asked to break into computer systems. As a rule, violating laws is not their task at hand. But look at what happens when you make it their job. When I recruit a new trainee for penetration testing, I look for the smartest, most experienced computer professional available — not a teenager. When I tell them what I want them to do, they’re generally shocked. They have never applied their skills to such a purpose. But after they get over the surprise, they do things that make my head spin. What they tend to do is to perfect the attacks that they have had experience repelling on a regular basis, and incorporate their detailed knowledge of operating systems gained from years of administering systems.

(Some IT professionals do indeed pursue such activities as part of their job, but we only catch glimpses of the successes of these U.S. government “hackers,” who break into highly secure foreign government systems, such as Iraqi air defense systems. They were also prepared to cripple the Iraqi financial system. There are also claims that U.S. cyberwarriors designed the Stuxnet virus to damage Iran’s nuclear capability. These hackers accomplish tasks that teenagers think are science fiction. Their exploits are just rarely publicized.)

But we give young hackers more than their due. Some people say we should harness their supposedly superior knowledge of security and recruit them to protect the systems they break into. Need I point out the absurdity of this idea? It is akin to thinking that just because some idiot is capable of stealing a car and crashing it into a wall, he should have the skills to fix the damage. I’m sorry, but anyone claiming that the idiot could fix the car should likewise be thought an idiot. It is exponentially easier to break something than it is to fix it, especially when computers are concerned.
The System Ain’t Broke

I find the idea that what the U.S. government really needs is a crop of new cybersecurity graduates to be insulting to the hundreds of thousands of current government computer professionals. The government needs to stop this nonsense and focus on expanding programs to cross-train highly skilled and immediately available workers.

Similarly, private organizations need to properly invest in their staffs. Just as they expect to train new employees in their job functions, they need to expect to have to invest in the training of their cybersecurity professionals.

What we need are not a bunch of cybersecurity degree holders, but a willingness to invest in current employees. Employees who earned a broad-based CS degree and then gained years of experience on the job are quite simply a better resource than a green graduate.

Don’t get me wrong. I have nothing but admiration for the young people who are pursuing cybersecurity degrees. Most of these degree programs are tailored to part-time students, who usually have to juggle full-time jobs, coursework and a family life during a program that can take more than seven years to complete. That demonstrates true character and perseverance, which is more important than skills. However, a breadth of knowledge is still more important than the topic of the degree.

Unfortunately, the colleges are often selling these people hype, not reality. For example, one college is telling people that they are training them to be cyberwarriors, while the actual coursework teaches them to write security policies, not to be hands-on practitioners. This is like telling someone that you are training him to be a Navy SEAL, while you are only training him in logistics, qualifying him at best to be a quartermaster for the SEALs.

When you come right down to it, though, there is little in the world of information security that is more valuable than experience. And new graduates nearly always lack it to any significant degree. Just think about someone who takes a class in security policy. Say there are 15 class sessions that average three hours each. Then let’s generously assume that the student does 115 hours of work outside of class. By putting in 160 hours, the student can rightly be said to have worked hard for his grade. But all that time is still the equivalent of just four workweeks. Would you trust someone with that level of experience to develop a policy document for a large office or to meet some regulatory compliance standard? Clearly not. It is nice that they have this experience, but it just makes them better than a person with no experience at all.

Undergraduates don’t have expertise in their major; they have a slightly enhanced background. As for being qualified to combat the most elite hackers in the world, well, what exactly in a degree program that focuses on policies is preparing you to take on the hackers?

If the NSA and other parties want to reward promising students with scholarships for studying cybersecurity, then they need to think long and hard about what they expect to gain from such programs.

Scholarships are great. I believe in giving a hand to young people who show aptitude. But highly targeted scholarships can go wrong when the grantors expect to get certain results in return. And just consider some of the ways they could be disappointed in the results of their cybersecurity scholarship programs.

First of all, up to 80% of college students change their majors in college at least once. This means that as many as 80% of the people who receive cybersecurity scholarships are likely to not want to be in the cybersecurity profession by the time that they earn their undergraduate degrees.

Worse, in a way, are the incompatible goals of an organization such as the NSA. It wants to give cybersecurity scholarships in particular to young people who have a tendency to think outside of the box. The funny thing about young people who think outside of the box: They often do things that will disqualify them for the security clearance they will need to get a job at the NSA.
Opinion by Ira Winkler

Let’s say that they are encouraged to develop their hacking skills. Will they resist the urge to use those skills, or will they do something like join up with Anonymous? If they do, the NSA is not going to get the benefit of their education in cybersecurity. Even more common, though, are young people who download music and other intellectual property illegally. I have heard that this has become a reason for denying clearances. What I hear is that there is a floor in the value of what was downloaded for a clearance to be denied. OK, but students who were selected because they are on the edge are probably more likely than other students to breach that floor.

When you come right down to it, there is more than a little bit of wishful thinking in this entire drive toward granting cybersecurity degrees. This is actually a case where the thing that we have been doing for years, specifically taking high-caliber people and cross-training them for cybersecurity roles, is a better approach than what has been proposed to replace it. It puts highly skilled people to immediate use, solving immediate problems. We simply have to fully commit ourselves to expanding a proven model, instead of grasping on to what is literally a science fiction plot and hoping we will get results many years from now.


MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at


Tech giants appeal settlement decision in Silicon Valley hiring case

Attorneys for Google, Apple, Adobe Systems and Intel have appealed a judge’s decision to throw out a proposed settlement in Silicon Valley’s employee hiring case.

Attorneys for the companies filed a petition Thursday evening with the U.S. Court of Appeals for the 9th Circuit, appealing Judge Lucy Koh’s recent decision to throw out a proposed US$324.5 million settlement. Plaintiffs in the class-action case, Silicon Valley technology workers, accuse executives at the companies of conspiring not to hire each other’s workers between 2005 and 2009, which they say suppressed their wages and restricted their mobility.

Federal district court Judge Koh rejected the settlement in early August, on the grounds that it was too low given the strength of the evidence—specifically emails between executives—that would support a trial. That decision was a “clear error as a matter of law,” attorneys wrote in the Thursday filing.

“The district court applied a mechanical formula that overrode sensitive judgements of the class’s own counsel based on confidential information regarding the serious risks posed by their claims and their chances of success at trial,” it said.

“The ruling will inflict significant harm on all parties and the class action procedure,” it said.

A proposed start date for a trial has already been set for Jan. 12. Attorneys for both the defendants and plaintiffs have until Monday to file a joint statement regarding the proposed pretrial and trial dates.

If there is a trial, the reputations of several major technology companies could be re=evaluated, particularly if executives like Google executives Larry Page or Eric Schmidt take the witness stand.

Google and Intel declined to comment beyond the filing. Apple and Adobe did not immediately respond for comment.

Best Microsoft MCTS Training – Microsoft MCITP Training at



How to Identify Soft Skills in IT Job Candidates

As IT departments are called upon to play larger, more public roles in today’s businesses, the skill set of the ideal IT employee has changed. How can companies identify whether a job candidate has the ‘soft skills’ to bridge the gap between IT and the rest of the business?

IT is out of the backroom and in the front office – so it’s time to hire candidates who match that new reality.

This presents a vexing problem for both recruiters and employers alike. In a recent survey, the National Association of Colleges and Employers found that employers look for candidates who are decisive, can solve problems, are good communicators and are analytical.

That need is the same for technology hires. Given how the role of IT has changed, employers see soft skills mattering more than ever.

“IT is no longer in the back room with the lights off writing code,” says John Reed, senior executive director at Robert Half Technology, an international technology recruiting and staffing company. “IT is in the room with the business leaders when decisions are made.”

It’s also important to consider whether your IT people are working directly with customers or internally with other employees, says Tammy Browning, senior vice president of U.S. field operations for Yoh, a consulting organization that provides IT talent.

“The heads-down IT person who’s just programming is becoming less and less attractive to employers, because you have to be able to communicate with your business partners or their customers,” Browning says.

What Soft Skills Do IT Workers Need?
Reed says you want your IT people, whether they’re servicing external customers or employees within the company, to be able to communicate efficiency, understand business issues and offer resolutions, and possess problem-solving skills.

A separate survey conducted by the Workforce Solutions Group at St. Louis Community College found that 60 percent of employers say applicants lack “communication and interpersonal skills.” According to the report, this is up 10 percent from two years ago. “Many people tell me they’re looking for someone who has almost a customer service mindset,” Reed says.

Browning says she looks for candidates who can act almost like consultants – people who “can really coach non-IT people on how to articulate their needs.” She wants people who can reverse engineer a solution to a problem for someone, or even change the mindset of a person who says she needs A but would really do better using Z – even if Z hasn’t been created yet.

“In IT, it’s important to go to the non-IT people who don’t understand what technology can actually do,” Browning says. That’s where soft skills in an IT person come into play.
How to Identify a Candidate’s Soft Skills in the Interview?

This isn’t always easy. At the recent Microsoft Worldwide Partner Conference, Reed says he found that soft skills were a clear differentiator in tech candidates. But soft skills are hard to find.

Beyond asking potential tech hires about their hard skills and abilities, include questions that you’d ask people you’re hiring in any other part of the company. “IT should come out of behavioral interviewing,” Reed says.

In talking about past work experience, or suggesting hypothetical situations, follow up with questions such as the following:

“What was your approach to resolving that issue?”
“Talk to me about scenarios you’ve had previously where you’ve been put in this position.”
“How did you use your analytical skills to solve those problems?”

Reed says this is “a very different interview process for a lot of people in tech.” While you may ask a candidate to architect a tech infrastructure on a whiteboard, make sure to follow up with questions that will help you see how that person would work with a team or interact with customers. Spend as much time in the interview on both hard and soft skills, he says.
What About People Who Aren’t Actively Looking for a Job?

If you’re recruiting from a pool of people who aren’t active job seekers, you can also look at a possible candidate’s interests and activities outside of their work lives, says Pete Kazanjy. He’s the co-founder of TalentBin by Monster, a company that recruiters use to find what TalentBin calls “unfindable passive candidates” – people who companies want to hire but who aren’t actively looking to change jobs.

“Individuals signify this kind of information naturally by virtue of what they’re doing on the Web as opposed to a more artificial approach that’s associated with LinkedIn or posting a resume,” Kazanjy says.

For example, in addition to being part of an Oracle Database group on, the person may also be involved in mentoring programs or active in Oracle forums helping other people solve problems. This indicates that he or she would be a good mentor within your company and open to problem-solving activities, he says.

At the same time, someone who picks fights on Twitter or blogs about hating his or her current coworkers may not be the right person to call in for an interview, Kazanjy says. “Those are the sort of things that may fall out in the interview process and reference checking.”

MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at