Traditional Cable Satellite Providers Take Note! Netflix traffic eclipses P2P file sharing!

Each year Sandvine produces a report on broadband network usage and trends.  The big news coming out of the report this year is focused on Netflix.  The report notes that “Netflix is now 29.7% of peak downstream traffic and has become the largest source of Internet traffic overall”.  That alone should be an interesting statistic, but what really makes a statement is that it has now eclipsed P2P file sharing (which is broadly assumed to be pirated content more than legitimate file sharing).  Perhaps I’m jumping to conclusions here, but I would think this should cause traditional delivery services (Cable, Satellite, etc) to take note.  Streaming or Internet delivery of content is viable and people are willing to purchase it (versus obtaining it illegally) if you provide a model that works.  Part of that model is a cost structure that is compatible with the offerings.  Granted, Netflix has had to increase its subscription costs in the past year, but offerings in the $10 range for streaming and DVD delivery seem quite reasonable compared to the $60-$150 a month for cable and satellite offerings (including premium services).

Additionally you can compare overall broadband usage against that of Europe, where Netflix is not a factor.  You can note that Real-Time Entertainment has been static while there is an increase in P2P sharing.  Amazon is hoping to recreate this trend in Europe as they have purchased which was a DVD-by-mail service only until recently and has now entered the world of Internet streaming too.  If enjoys the same success as Netflix in the US, Amazon will have done quite well with this purchase and will probably resurrect more rumors of Amazon purchasing Netflix.

If the major cable and content providers don’t take note at this point, I believe they do so at their own peril.  Yes I’m somewhat of an early adopter for technology, but Netflix has easily taken over as 80% of our television content at home.  I’m more than ready to drop my cable service, if I could only get a good reasonable ISP that wasn’t a cable provider….


“Two” many calendars on your BlackBerry?

After a week of having duplicate calendars on my BlackBerry driving me crazy, I did some research to figure out what was going on.  (This is not original information, but is good to have if you find yourself in my situation.)


In order to update to the most current version of BlackBerry OS on your device, it is best to install the BlackBerry Desktop Manager.  After I completed this (including the OS update), a second calendar showed up on my device. However there were enough other features in the new OS to keep me occupied that the calendar issue went to the back of my mind for a while.  That was, until I started to get duplicate updates for every event I had.  That got old fast.

After trying the calendar options and finding I could really only change the color of the calendars I already had installed, I found that my answer was not in the device options.

After reading quite a few other web postings on the subject, there were many recommendations about deleting service books for all CICAL entries, etc.  But that too wasn’t the answer.

If you have two calendars, here is the most direct way to consolidate them into a single calendar (assuming that is your goal):

  1. Open the Calendar.
  2. Press the menu key.
  3. Choose Options.
  4. Type MOVE on the keypad.
  5. You will be asked to move all appointments in the base system calendar. Choose YES to accept moving all entries in the Device Default calendar to the default active calendar.
  6. Perform a hard reset of the BlackBerry by taking the battery out while the phone is still powered on and placing it back in.

This operation will move all calendar entries existing on the Device Default calendar to the active calendar shown in Options > Advanced Options > Default Services.

At this point, I was good.  And in fact this may be all you need to do also.  However if you had this issue because you have two calendars on two separate email addresses, you may need to do the following:

  1. Go to Options > Advanced Options > Default Services.
  2. Verify the correct email address is shown for Calendar [CICAL].
  3. Press the back arrow and save the changes if prompted.
  4. In the Advanced Options menu, choose Service Book.
  5. Highlight the entry for the calendar you do not want. This will appear as [CICAL].
  6. Press the menu key and choose Delete.

When deleting a CICAL entry, any calendar entries associated with it are moved to the Device Default calendar.

Hopefully this is helpful.

Why you should hack your iPhone

or really why you shouldn’t.

I know quite a few people who have jailbroken their iPhones.  And I will apologize to many of them now, but I can tell you that almost all of them should not have done it.

I realize that in their frustration to have the iPhone be all the things that it is capable of being, many users feel the need to bypass the constraints put in place by Apple.  Unfortunately they also bypass a lot of the security functions (roughly 80%) built into it.  I see the stat that nearly 7% of all iPhones are jailbroken.  Given that 90% of those probably have not done anything to increase their security posture, there are roughly 2.1 million “vulnerable” iPhones in use today (given 34 million in use Q9 2009).

So, for you to have the ability before anyone else to tether, MMS, Google Voice, etc., you open yourself up to the following:

  • Default SSH password setting – since this is often not changed by users who jailbreak their iPhones, this is the easiest port to access the phone’s OS.
  • Use of iPhone to proxy your connections

Via those vectors “one” can easily connect and:

  • See the iPhone OS file system… hmmm what files can I see and copy over from there?  How about:
  • Email
  • SMS Messages
  • Voicemail in .amr format
  • Address book/Contacts
  • Call History
  • Notes
  • Bookmarks
  • History
  • Cookies (could really find some interesting things with persistent cookies here)
  • Even more fun?  What about recAudio?  Remotely, from the command line, enable the audio recording feature of the microphone.  The audio is then stored to a local file (.aiff) that I can now SCP from the iPhone to the machine I’m on.  Bamo… you have your own remote bugging device and no one will think twice about it sitting in a conference room while they are talking about… well anything.
  • Uber stalker?  You can also query the iPhone’s GPS API to return HI RES latitude/longitude information in XML format.  Put those coordinates into Google maps and you can (with a tremendous amount of accuracy) track the path of an iPhone user.
  • Make phone calls?  What about making the remote phone make calls?  You can make someone prank call without their knowledge.  If you know them, you can make them call you and give them a hard time about calling and not saying anything.  The uses are endless, eh?
  • Remember the use of your phone as a proxy connection?  How many users connect their iPhones to their office or home wireless networks?  Since there are multiple interfaces on the iPhone and you can route between them, “one” could now use this as a bridge into a private network.  So much for your firewalls and perimeter devices protecting your network.

Sweating yet?

Well believe it or not, there is good news for you jailbreakers out there.  AT&T has begun to filter addresses on their NAT’d wireless network.  But only quite recently.  Prior to this, “one” could pop an AT&T aircard into a laptop, get onto a mobile wireless segment, get “one’s” own IP address and quickly scan that entire segment for users.  A port scan will tell you which of those devices are iPhones.  With this filtering in place (and only in some places) you are limited and not able to (as easily) map the devices around you.  So this is a hurdle, but don’t take too much comfort in it being high enough to keep very crafty people out for long.

So the long and short of it?

Given how much information is contained on your iPhone, I don’t think there’s any application you need so badly that you’d be willing to give up access to all your personal information.  So suck it up and use the apps/functions/features that Apple has available.  When it can be provided securely (and probably profitably for Apple) it will be released.  Until then, go play outside.

Special thanks to Trevor Hawthorn for his research and demonstration of these exploits at Schmoocon 2010.

Just say no! BlackBerry + Facebook = Security FAIL

Point 1:

I’m not the biggest fan of any RIM device, though I do utilize one for my job.

Point 2:

I support the development of applications for mobile devices.  Applications are key to driving the adoption and growth of many of the new “smart” (and I use that term loosely) phones on the market.

Point 3:

Applications, regardless of what platform they are developed for, should all be done securely and efficiently.  And in that order.

What the heck does all this have to do with the BlackBerry and Facebook????


Thanks to the guys that really spend a lot of time reviewing social media stuff (especially Tom Eston and Kevin Johnson), it has been noted that specifically crafted SPAM messages will show up as a Facebook notification in your Facebook for BlackBerry application.

What makes this troublesome from an information protection standpoint is that the Facebook application is actively scanning your email inbox.  In the case of many, many BlackBerry users, this is not your personal email, but your corporate email.  Of the 13,934,752 monthly active users (according to I’m sure you all read the EULA when you installed the app right?  That’s another post…

To be fair, this is how the application is presented to the end user: “Facebook for BlackBerry smartphones allows BlackBerry smartphone users to connect their friends’ profile pictures, Facebook names, and company names to existing BlackBerry smartphone contacts in the Contacts application. Facebook for BlackBerry smartphones updates the caller ID pictures of your synchronized friends with their latest profile pictures.”

So in order to do this, the app has full access to contact names.  So if you’re on a corporate BES, the information contained therein is your corporate email directory?  Uh, yeah.  So corporate BlackBerry users with the Facebook app are willingly providing a valid contact list for their entire company.  My understanding of SPAM and capitalism is that this is quite valuable information and can be sold to email distribution list providers quite readily.  Can someone please point me to the data management policy that protects this information from disclosure?  I’d be ecstatic if it existed.

To all the BlackBerry users:

Rather than send out 14,000,000 apologies, I put it out there now.  Sorry.  But if you have this app installed on your BlackBerry, uninstall it.  NOW! Do not finish reading this post; uninstall the app and come back to finish the post.


I trust (which is always a bad thing) that when you provide a signed application you have reviewed how the application behaves on your device and that it doesn’t do anything we don’t expect, like skim our emails and contact information.  Much like an application requests permission to utilize your GPS coordinates (which is another bad thing), why would you not have the same request when an application wants access to your personal information and email?

Let me check here… Options – Security Options – Application Permissions -….  hmmm I’m sure the app is on here, let me look again…

Options – Security Options – Application Permissions -… nothing.  So, when I install Facebook for BlackBerry devices, it doesn’t ask me for any permissions?  NONE?!?  FAIL!

But wait, during the setup there is an option to “allow” access to your messages, calendar, and contacts.  First, the statement that it will send a copy of your contacts to the Facebook site should be alarming enough.  But worse yet, it seems that turning all these off during the setup did not affect a spammer’s ability to inject a properly crafted email.  I infer from this that it still reads emails from your message list.  So can I expect it will also send contacts even if I ask it not to?

To all BES admins (you know who you are):  (updated May 2010)

It appears that RIM may be slightly at odds with the application developers here.  In the 5.0 release of BES, the settings that allow an end user to do this are set to FALSE by default, which is what I would expect those settings to be. It is my hope at this point that you are running BES 5.0.  If so, please make certain the IT policy Disable Organizer Data Access for Social Networking Applications is used.  I also understand that this is backwards compatible with BES 4.x installs, so everyone has the opportunity to enable this policy.

Is the integrity of your public information vital?

My research on information classification policies kept turning up the statement that “the integrity of public information is not vital” for public and unclassified information.  I even stated the same in my earlier article on Information Classification.  I had taken for granted that this statement is correct.  That is, until I was called out by a co-worker.

“You can’t be serious, right?” was how I was approached.

“The integrity is not vital?”

She began to explain her viewpoint on it and my first thought was “…at least someone read my article…”.  Then I started to wonder, why did I take that for granted?

On its face, you could make the argument that, maybe they mean that you can’t control the information once it’s in the public so you can’t possibly be capable of maintaining its integrity.  Or could they really mean that you are concerned about the integrity of the source of the information and that as long as the source integrity is maintained, then your information is good?

Yeah, that justifies the statement.  Now we can all sleep peacefully.

But then you read further and statements are made to further qualify the position by providing examples of what types of information are included in this classification:

  • Product brochures widely distributed
  • Information widely available in the public domain, including publicly available Company web site areas
  • Sample downloads of Company software that is for sale
  • Financial reports required by regulatory authorities
  • Newsletters for external transmission

So if I put those pieces of information together, I can make statements like:  We are not concerned about the integrity of the information found in our product brochures. Hmm… don’t think that flies.

Okay, let me try again.  We are not concerned about the integrity of the software downloads that our customers (or potential customers) could download from our site. Okay we’re 0 for 2.  Remind me never to buy software from anyone who actually thinks this…

Last try.  We are not concerned about the integrity of the financial reports required by regulatory authorities. Um, hello, Enron?  I think we found your information classification policy.

So which is it?  Are the commonly accepted frameworks incorrect?  Or are they being widely misinterpreted?

Let’s address the frameworks first:

  1. ISO guidance states that “All information should be classified into categories. This classification should be based on value, sensitivity, legal requirements, and criticality to the organization. The classification policy should include guidelines for the initial classification and the reclassification of the data. The classification schemes should not be overly complex.”  Okay, nothing wrong there.
  2. The FFIEC Handbook states “A data classification program should be established to identify and rank data, systems, and applications in their order of importance.”  I’m good with that too.
  3. NIST says “The organization must assign assurance categories for all information types that can be associated with both user information and system information, and can be applicable to information in either electronic or non-electronic form. The organization must also assign appropriate assurance categories for each system and information type (low, moderate, or high for confidentiality, integrity, and availability) based upon the potential impact for the loss of each of the just mentioned assurance objectives.”

Well then.  I don’t see anything listed in the frameworks that makes any statement on integrity, other than you need to make a determination of integrity for each item/classification.

So what does that leave us with?  The mass redistribution of an incorrect statement across the Internet.  I would insert a poll to see how many people are surprised by that, but it seems a bit unnecessary.

Somewhere along the way, a policy or guideline was written and publicly posted.  It was either one of the first references to the subject or had very good search engine results.  Because of that, it managed to make its way into many more articles and policies posted online.  So much so that the abundance of that information made it assumed to be correct.

So, you should take away two points from this post:

  1. Yes, the integrity of your public information is vital.
  2. Don’t take for granted everything you read on the Internet.

Neither of those should surprise you.

Why We Classify

Information architecture made easy

Image by recursion_see_recursion via Flickr

Toys.  Clothes.  Books.  Trash.

These four simple categories were assigned to items to assist my six-year-old daughter in understanding how to clean and organize her room. In doing so, we’ve intuitively classified each area’s importance.

Trash hopefully has an obvious classification to her. We don’t care much about what kind of trash it is or where it ends up as long as it’s in a trash can.

Books are on the other end of the spectrum from trash. We teach that they are to be respected and cared for. They have a particular place on her shelves and should always go there. In the scope of my daughter’s room, this holds the highest level of classification.

Clothes and toys, each independent of each other, are items that further decisions may need to be made about before an action is taken. Are the clothes clean? Then place them in the appropriate drawer. Dirty? Then they are placed in the basket, not kicked under the bed. Toys have a particular destination based on their type, size, etc.

Companies (should) have categories for their information so associates understand how to handle it. Handling information appropriately maintains the integrity of and reduces risk to the company. This is the thought I want you to carry with you as you approach any information classification policy.

Information classification is not about technologies (DLP (Data Loss Prevention/Protection) vendors often cringe when I say this). It’s about an education and awareness initiative that informs associates how to handle information. It is ultimately the person handling the information (often referred to as a “data owner”) that has the most knowledge about its content and is best able to make the informed decision about its treatment.  That doesn’t mean that technology doesn’t have a place in your program.  As an enforcement and reporting mechanism, it can serve a distinct purpose.  I’ll address DLP in another post.

While companies are required to be compliant with many regulations (GLBA, HIPAA, SOX) and have programs that subscribe to methodologies or frameworks (Six Sigma, ITIL, ISO), no entity will provide comprehensive oversight to all the areas where we create, manage or distribute information. Therefore it is incumbent upon us, with those constraints in mind, to create a policy that supports them and is applicable to our information.

Generally speaking, there are four classes of data:

Public or Unclassified Information

This type of data can be made public without consequence to a user or the company.  The integrity of this information is not vital.

Internal Use Only or Restricted Information

Access to this type of information should generally be prevented; however, if it became public, the consequences are not critical. Internal access is selective. Data integrity is important but not vital.

Confidential or Classified

Data in this class is confidential within the company and protected from external access. If such data were to be accessed by unauthorized persons, it could influence the company’s operational effectiveness, cause financial loss, provide a significant gain to a competitor or cause a major drop in customer confidence. Data integrity is vital.

Proprietary or Secret

Unauthorized external or internal access to this data would be critical to the company. Data integrity is vital. The number of people with access to this data is very small. Very strict rules must be adhered to in the usage of this data.  This is usually your “secret sauce”.  If this isn’t protected, things like “New Coke” can happen.

Top Secret

Unless you are working for a government agency or watching a movie, this often doesn’t come into play, but I’d be remiss not to bring it up. Most definitions of Top Secret include words like “grave”, “exceptionally grave”, or “really really really bad” in reference to the consequences of disclosure.  It’s good to know this exists.  If you are in a job where this is necessary, you already know and this blog isn’t telling you something you don’t already know…. I hope…

Wash.  Rinse.  Repeat.  (Remember, it’s a process)

When my daughter gets frustrated because her three-year-old sister took books out and didn’t put them back, I know that we are making progress. As you begin to use information classification in practice, it will become intuitive to you in your daily work. You’ll know exactly how to handle information as easily as you know what belongs in the trash and what should be placed on the bookshelf.