This week Amazon’s Simple Storage Service (S3) suffered a major outage that affected several websites that rely on the service. This is actually the second major outage for Amazon S3 this year. As a result of these and other reported outages, some companies will come to question whether they should pursue these new cloud-based services in the future. I agree with Nick Carr, whether you’re a startup looking to rely on the cloud almost exclusively for computing power and storage capacity or you’re a brick and mortar company who may want to use SaaS services for CRM or an online backup service, these outages should not scare companies away from cloud-based services. Outages are inevitable; no one, not the most sophisticated internal IT shops on Wall Street, or the largest service providers can offer 100% availability all the time. Amazon threw everything it had to fix the problem and was able to address the outage in several hours. How well would you be able to execute on your disaster recovery plan if you had a major outage?

Instead of avoiding cloud-based services, organizations need to be savvier about security and resiliency of the service provider. In fact, your organization may already be in pursuit of these services. Online backup is becoming a viable alternate to premise-based solutions for PC backup as well as remote office backup. Next will be a number of services related to information management such as online archiving and online records management and more online storage offerings to support low cost storage. Further down the road, there will also be hosted, multi-tenancy Exchange solutions. Get involved in these discussions. Don’t take it for granted that the potential service provider has hardened data centers that meet Tier III or Tier IV classifications (these classifications describe data center site infrastructure and topology, Tier IV is the highest rating), that your data is replicated to another data center, that your data is encrypted in flight and at rest and that the service provider has strong security measures in place so that administrators can support the infrastructure but not access or even see your organization’s information. Organizations should have consistent processes before, during and after the contracts have been signed.

And, when you ask about SLAs regarding resiliency, keep in mind that there will be some downtime for routine maintenance and that some unplanned downtime is inevitable. Consider a service provider that might boast about 99.9% availability (8 hours/year outage for 24x7). What is the difference between the following?

· 8 AM to 4 PM on the last Friday of the quarter

· Biweekly outages of 30 min at 4 AM local time

Timing and duration are more important than total downtime/outage.

Get involved in these discussions but be careful not to come off as the obstacle or as the doomsayer. Quite the opposite, you want to be seen as the enabler. Help the organization understand some of the potential risks but then help the organization define its resiliency requirements, security requirements, and risk tolerance. When the organization knows this, it can more confidently go out and select the right service provider, negotiate the appropriate SLAs and be prepared ahead of time with contingency plans for any potential service outages.

When I discussed this openly with Waters in Muddy Waters comments they kindly replied that “customers are loath to be a reference client for a vendor,”  like this fact somehow justifies having 600 people, most who have never actually used the software in practice, vote on how great it is.  

Follow the Yellow Brick Road.

Or, as Mark Adler pointed out in his well written blog post The First Annual Fluffies for CEP , a secretive “panel of renowned judge” is going to tell us, via Jolt, who has the better solution?  Holy Cow Batman!   Let me buy a nice layout in your magazine  or web site,  please, so “my software company” will be on the short list for the “the awards”.  

Follow the Yellow Brick Road.

All this smoke-and-mirrors. share-the-love, marketing reminds me of The Matrix a bit, where the world as we observe it, is a complete artificial construction, where most people in the Matrix believe they are “real” because they do not know that they really just a computer generated program designed to keep humans happy as they sleep in some cold goop with electrodes stuck up their you-know-what, really just bio-batteries insuring the light bill is paid.

Follow the Yellow Brick Road.

Or better yet, these fluffies are similar to most of the Webinars we see where there are questions from “the audience” but we know that most of these questions did not come from the “audience” - yet we all seem to continue ”the  audience” myth just like Santa Claus and the Easter Bunny! 

Follow the Yellow Brick Road.

The Easter Bunny, Santa Claus, the Tooth Fairy and the Fluffy Awards are real, if you want them to be real.  Just close your eyes and click your heels three times….

Follow the Yellow Brick Road. Follow the Yellow Brick Road.
Follow, follow, follow, follow,
Follow the Yellow Brick Road.
Follow the Yellow Brick, Follow the Yellow Brick,
Follow the Yellow Brick Road.

We’re off to see the Wizard, The Wonderful Wizard of Oz.
You’ll find he is a whiz of a Wiz! If ever a Wiz! there was.
If ever oh ever a Wiz! there was The Wizard of Oz is one because,
Because, because, because, because, because.
Because of the wonderful things he does.
We’re off to see the Wizard. The Wonderful Wizard of Oz

When the original iPhone came out I thought it was pretty cool, but at the end of the day it did not do for me what my Windows Mobile Smartphone did.  Namely gave me 3G access speed and Exchange integration.  Those two things alone were enough to keep me a Windows smarthphone user.

As I wrote earlier July 4th my phone got wet in my backpack and though I have blown dried it often since than, it has just never come back. I can make a call now and than and use, but you never know when it is going to whig out and I have to reboot (actually it was like that before it got wet, but it is much worse now).  So having had this phone over a year, it really was time for a new phone. 

I was not totally sold on the iPhone and it was not my only choice. I wanted no part of the lines and crowds, so I waited until Saturday to go to the ATT store and see what my options were.  Frankly, I didn't have many options.  The upgrade for my current phone is the HTC Tilt.  Nice phone and I would consider it, but not at the $450 dollars that they wanted to charge me.  After that, there was the Blackjack, not interesting.  A few others and than Blackberries. I need the Exchange integration.  So when it came down to it, you could not beat the $199 price for the iPhone. The 2 year contract didn't scare me, as I am at ATT wireless user for about 10 years already.  The only bad part is that they did not have any in stock and I had to order mine. It should come within 5 to 7 days, but all set up for me to just plug in to iTunes and away I go!

So a few more days of this water logged brick and than on to joining the "mod squad".

The Sopranokovs 

The Russian mob comes to town with a new scam—medical identity theft. 

When FBI special agent Ted Price peered through the window of a dingy brick storefront on Southwest Morrison Street in March, it was what he didn’t see that caught his attention. 

The business, called UnimedCorner, claimed to provide ailing seniors with orthotics—braces and other devices to correct foot, joint and back problems. 

Price and other federal investigators were skeptical. 

On Unimed’s showroom floor, Price saw wheelchairs, motorized scooters, a variety of canes and, on the walls, a selection of amateurish paintings and framed photographs. There was no evidence, however, of the kinds of equipment for which Unimed had billed Medicare nearly $2 million in the previous couple of months. 

“I observed wheelchairs and canes through the window but did not see any orthotics in the store,” Price later wrote in a search-warrant affidavit. “It is a sign of fraud that the store is not stocking the items [for which] it is billing.” 

By the time Price arrived on the scene, the company’s owner, a shadowy Russian immigrant named Alexandr Shcherbakov, was long gone. 

Today, Shcherbakov’s store sits undisturbed. The message light on the phone blinks, dead potted plants droop and a stuffed toy monkey slumps in a glass display case. 

And behind the cash register hangs a framed poster of television’s best-known mobsters, the Sopranos. 

From interviews and information presented in federal affidavits, it is clear Shcherbakov moved to Oregon to commit a crime elegant and lucrative enough to make Tony Soprano envious: medical identity theft. 

... 

“Medical identity theft is the new frontier for organized crime,” says Alex Johnson, a former FBI agent who investigates fraud for Regence BlueShield. “Pretty much anybody can set up a mom-and-pop operation and start cranking out claims.” Someday, most Americans will need a cane, wheelchair, home hospital bed or another of the items healthcare professionals call “durable medical equipment,” or DME. 

For those over 64 and without private insurance, there’s a good chance federally funded Medicare will pick up the tab for that equipment. Last year, according to federal statistics, Medicare spent $8.6 billion on DME. 

Here’s the way the system is supposed to work: A doctor prescribes a device such as a wheelchair for a patient, who presents his prescription to a DME supplier. The supplier provides the equipment and bills Medicare, which typically pays 80 percent of the cost. Unlike pharmacists, who fill prescriptions under strict scrutiny of state and federal watchdogs, DME suppliers are lightly regulated. “DME is very vulnerable to fraud,” says Consuelo Woodhead, the chief healthcare fraud prosecutor for the U.S. Attorney’s Office in Los Angeles. “It doesn’t require any background in medicine, any kind of professional licensure or appreciable capital. 

There are barriers of entry in other medical fields, but not in DME.” To operate, DME suppliers simply need a place of business, a business license and liability insurance. Unlike pharmacists, DME suppliers operate under an honor system: The feds count on them to supply the equipment they claim to provide to the beneficiaries who need it. 

That honor system is not working. 

The epicenter of DME fraud, according to the federal Department of Health and Human Services, is South Florida, where Medicare billing for DME quadrupled from 2002 to 2006 to $1.7 billion. Investigators found much of that increase was due to fraud. In 2006, federal inspectors revoked the licenses of 634 DME suppliers in South Florida, nearly half the DME dealers in the region. 

Later the same year, raids in Southern California yielded similar results: The feds shut down 95 DME suppliers. Many of the DME suppliers shut down around Los Angeles were run by immigrants from the former Soviet Union. It’s probably no coincidence that when the feds raided Los Angeles DME suppliers, some Angelenos fled to cities where there was less scrutiny—such as Portland.

First it was the EU looking at passing a law that would require bloggers to disclose their identity and affiliation. Now the AP is looking to enforce a new license that would require payments when a blogger puts an excerpt from an AP article in their blog.  My friend Kevin McLaughlin blogged on this over at Channel Web blog today. Basically the AP says that if you excerpt more than 5 words you need to start paying them fees.  Kevin reached out to me and I gave him my views on this one.

I think that it is a really short sighted move by the AP.  First of all it shows they really don't understand blogging.  Blogging is about taking an idea which often comes from another source and putting the bloggers own spin and ideas behind it. In this way topics are built on one blog at a time with each blogger adding a bit more to the conversation. Each additional blog on topic enriches those blogs and articles that preceded it.  As I said in the Channel Web article, it is like a jazz musician playing a riff on top of a line already laid down.

In real terms blogging on the AP content will only generate more views and interest in the AP content.  AP is just a dinosaur with this type of view and will soon go the way of dinosaurs if they try to enforce this. In the meantime bloggers can talk about an AP article, but don't link to it and don't excerpt from it. I suspect that the next thing is we will have a replay of the inbound links litigation we had 8 years ago.  In the meantime blogging will continue to march on with AP or not.

First it was the EU looking at passing a law that would require bloggers to disclose their identity and affiliation. Now the AP is looking to enforce a new license that would require payments when a blogger puts an excerpt from an AP article in their blog.  My friend Kevin McLaughlin blogged on this over at Channel Web blog today. Basically the AP says that if you excerpt more than 5 words you need to start paying them fees.  Kevin reached out to me and I gave him my views on this one.

I think that it is a really short sighted move by the AP.  First of all it shows they really don't understand blogging.  Blogging is about taking an idea which often comes from another source and putting the bloggers own spin and ideas behind it. In this way topics are built on one blog at a time with each blogger adding a bit more to the conversation. Each additional blog on topic enriches those blogs and articles that preceded it.  As I said in the Channel Web article, it is like a jazz musician playing a riff on top of a line already laid down.

In real terms blogging on the AP content will only generate more views and interest in the AP content.  AP is just a dinosaur with this type of view and will soon go the way of dinosaurs if they try to enforce this. In the meantime bloggers can talk about an AP article, but don't link to it and don't excerpt from it. I suspect that the next thing is we will have a replay of the inbound links litigation we had 8 years ago.  In the meantime blogging will continue to march on with AP or not.

The Card Rewards program allows anyone with a Starbucks Card to register it with Starbucks for freebies, including Wi-Fi. There's an interesting choice (when it worked) where you can select whether to have freebies like free exotic milk options or brewed coffee refills by themselves or with Wi-Fi on top. If you choose Wi-Fi, you're redirected to SBC servers (for nostalgia's sake), at which point everything seems to fall apart.

Trying two separate cards, I was unable to set up an account and get the cards to take. The errors weren't clearly spelled out. Clearly, the system was neither designed to handle demand, nor designed to fail gracefully, blocking users until capacity was available.

For loyal Starbucks patrons, this doesn't come across very well at all.

[Photo by Matt Davis. Used under Creative Commons license.]

We sincerely regret this intrusion into our systems, which we believe, are among the strongest in the industry. The stolen data was limited to credit and debit card numbers and expiration dates, and was illegally accessed from our computer systems during transmission of card authorization.

While I would love for Congress to fix our copyright laws, I regard the notion as fantasy.  They don’t appear capable of fixing any complicated issue and tend to muddy the waters making any situation worse off than when they began.  Secondly, the media industry will either collapse under the weight of their archaic business model or realize the impossibility of DRM and move in another direction.  Either of which nullifies the issue.

DRM is impossible due to the fact that it falls under the BORA (break once run anywhere) principle.  This principle is understood thoroughly by those of us in the security industry.  When analyzing a threat, if it’s determined that an entity could be compromised once and then be exploited globally, you are faced with two choices: restrict access to the entity by limiting and hardening access points or decrease the exploitability of the entity once compromised.

Many industries have fought BORA, which is akin to fighting gravity.  I can think of three this morning, namely the software, credit card, and media industries.  It’s infuriating to think of all the revenue lost and the exorbitant externalities bore by an unassuming public all because these industries couldn’t understand simple logic.  This is especially true when the solution requires only a trivial leap of faith.  

The credit card industry is by far the clearest example of an industry that came to terms with the BORA principle.  Quite frankly, they delayed the success of ecommerce by about 5 years.  I’ll even go so far as to say that we would not have had a dotcom bubble if not for their foolishness.

In 1992, credit card fraud was at its peak (15.7 cents per $100 charged) due to fraudsters becoming more advanced.  The internet allowed people with similar interests who would have never came into contact in the physical world to find one another digitally.  Fraudsters were able to share information and increase the sophistication of scams long before e-commerce was a reality.

Faced with a bleak economic picture, the credit card industry became paralyzed by fear as they imagined credit card numbers floating unprotected through cyber space.  For 6 years their agenda was to spread fear in the hopes consumers (and brick and mortar retailers) wouldn’t embrace ecommerce until they created a process by which credit card numbers couldn’t be stolen online.

Their fear clouded their ability to approach the problem logically.  If a credit card can easily be cloned by your waiter at a restaurant, then why protect the same card during an online transaction?  Or better yet, why protect individual transactions while every brick and mortar retailer has a record of each credit card used for purchases?  As a criminal you target the warehouse, the delivery truck, the retailer, but never a single customer.

The history of ecommerce between 1992 through 1997 is fairly interesting and comical.  The failure to realize what seems obvious today is not the fault of a single company.  There were over 30 dotcom companies that were created during this period, all vying to be the payment processor for not only the web, but literally the future.  In 1994, Visa and MasterCard turned to Microsoft and Netscape, respectively, for solutions.  As any company would, these tech giants devised schemes that benefited them rather than serve the needs of their clients.

Fortunately for Visa and MasterCard, CNP (card not present) transactions were already allowed for mail order catalog purchases.  Despite their fear campaign and merchant agreements that left stores 100% liable for fraud, companies like Amazon accepted the increased risk and allowed the credit card industry to ultimately be successful.  By 1998, Visa’s sales volume had tripled which cut fraud as a percentage nearly in half. 

Credit cards went from being used for credit to being used for convenience (what they were originally designed for in the 1950’s when the banking system was fractured).  This was a massive shift in the financial industry.  Comparing one’s own experiences in the checkout line at a grocery store in 1992 and 2002 tells the story.  It went from checks and cash to plastic.  Even the stigma of credit cards is completely different today.  College students can’t survive without credit cards, a far cry from when they were counseled not to have one. 

With this shift, credit card companies began focusing on preventing fraudulent transactions.  By using two sets of data, one for CNP and the other for in-store transactions, they were able to prevent cards that were cloned from being used on the web, and card numbers stolen on the web from being used in person.  The other advent was address verification, which among other things allowed retailers (who are liable for fraud) to prevent highly liquid assets from being shipped to any address other than where the statements are delivered.

They then began to promote ecommerce as if they never said anything bad about it in the first place.  Consumers were given zero fraud guarantees which created a perception of little to no risk.  It wasn’t long before traditional brick and mortar retailers rushed to the web, displacing overnight dotcom sensations which lacked feasible business models.  Finally in 2003, we were at point that could have been accomplished in 1998. 

There are many parallels between what the credit card industry went through and where the media industry finds itself today.  Instead of focusing on preventing the Fair Use of their content, they should instead deliver it through open mediums creating additional revenue streams while increasing the popularity of their product.  Piracy can be handily defeated, not through the legal system but rather through a firm understanding of the economics of the environment. 

Today, credit card companies are at the peak of their success.  In 2004, the fraud rate for credit cards dropped to an all time low of 4.7 cents per $100, while setting records for volume and profits.  I know for a fact the same thing can be accomplished in the media industry because I’ve studied it.  All it will take is a trivial leap of faith.

-Eric Marvets