We are regularly hearing from our security clients about their difficulties finding people with the right skills – or when they do finally find them, these people are too costly to employ because their skills are in such demand.

Indeed, the “unavailability of people with the right skills” was cited as a top challenge for security groups in both our enterprise and SMB surveys.

In comparing need for talent across 25 different IT roles, Forrester analysts came to the conclusion that information security experts are among the hottest roles in IT, sharing the top spot with information/data architects.

The skills shortage is likely to get worse before it gets better. We’re unlikely to see a significant spike in security experts’ salaries to attract those we need to hire: large changes in compensation for senior security personnel would run against the current of economic belt-tightening. Another typical approach to offsetting the shortage would be to train up: foster the career development and advancement of existing security personnel on our payroll. However, with all the outsourcing that is going on – and which will increasingly occur – there is a shrinking pool from which to find people with “the right stuff” worth championing their advancement.

We could look outside of security to others in IT, or even to co-workers in other departments or business groups. But given how poor a job IT Security does of marketing its value proposition, I don’t hold much hope for attracting non-security people.

What do you think? Are we about to hit a very big wall when it comes to skills and staffing? Are you presently feeling the pain of a skills shortage? Do you see such a shortage looming? What measures are you taking to acquire and nurture talent? Which ones are successful and why?

I welcome your thoughts on the topic.

Minneapolis suffers the heartbreak of leafage: Leaves are popping in Minneapolis, and Star-Tribune columnist Steve Alexander writes that residents are seeing some Wi-Fi reception problems on that city's Wi-Fi network. This is the only big-city network that can be currently described "successful," even though its long-term success has to be proven out. The firm responsible, USI Wireless, told Alexander they're working on adjusting about 5 percent of antennas to cope with the pesky greenery.

St. Louis Park sues ARINC over Wi-Fi network: The Minnesota town says the network never worked, and had earlier discussed a lawsuit. The city wants the value of the contract ($1.7m) plus a very modest amount in damages and fees ($50,000). The city plans to start removing gear if ARINC doesn't sometime in June. But they have to deal with 490 poles erected to hold the nodes and solar-charging gear--sunk into concrete. More recent testing showed that the network worked well in some areas, but the majority of the network did not, according to the Star Tribune.

Verizon builds out fiber in AT&T territory: Interesting sign of competition in otherwise monopoly-per-provider-type world. Verizon is using AT&T's hard-won statewide video franchising rules in Texas to build competitive fiber in Dallas suburbs. They're apparently not bringing telecom; they're acting like a cable TV firm with data. Verizon owns chunks of territory all over due to it encompassing GTE in a deal years ago. GTE serves suburbs west of Portland, Ore., and east of Seattle, for instance, while Qwest serves most of the rest of each state.

Foster City Wi-Fi dies on June 20: MetroFi is unlighting its cities, and Foster City opted not to spend the nearly $200,000 asking price MetroFi put on its equipment. MetroFi might still find a buyer, but June 20 is the network's current final day. Naperville, Ill., also expects a June 20 shutdown. They, too, were offered the network hardware for 200 grand.

Chehalis lights up: A small city in southern Washington votes to put in Wi-Fi hotzones. The cost is about $53,000 and annual fees $15,000. Funds will come from existing tax and grant sources. The city chose to install service to make sure they're not missing a checkbox on the amenities list for visitors and businesses rather than for a particular, measurable goal.

Nearby Centralia pulls its Wi-Fi: A pilot project in the larger city of Centralia, Wash., a bit north of Chehalis, is shut down when poles used to mount Wi-Fi radios are removed as electrical wires are buried. (The reporter here confuses broadband over powerlines (BPL) with broadband wireless.) The system might be restarted later.

Craig Settles writes up Pennsylvania's Cambria County wireless success: This is a network built for particular municipal purposes, part of Settles's long-time drumbeat about having applications first and then networks built for those networks second. He notes that Cambria built a 700 sq mi network that sounds nearly cost neutral through efficiency and cost conservation--it's cheaper to get much more service with this network than it was for a smaller array of services with incumbent-provided networks.

Santa Fe residents oppose Wi-Fi in the library on health grounds: You know what I have to say about how provable this has turned out to be in clinical studies. I am, however, as always, concerned about these people's health, even if I don't believe that Wi-Fi (or EMF) causes their problems. The group opposed to library-Fi is citing the ADA in this case, uniquely I believe. Six libraries suggested that EMF triggers seizures in epileptics, something I've never heard cited before; maybe CRTs (flickering), but EMF? Wired is substantially less kind than I am, pointing out that EMF other than Wi-Fi produces vastly higher signal strength. (They're sort of ignoring signal strength at a given point where an individual stands in relation to a transmitter, however.)

Creative drops Wi-Fi music player: The formerly leading portable music player firm, before Apple and Microsoft entered the biz, confirmed a report that the Zen Share existed, but that the company chose to drop that Wi-Fi-enabled player. An under-wraps player may appear in about two months that could include Wi-Fi--the name Zen X-Fi could be revealing or not, as X-Fi is an audio-processing technology.

Inspiair's physics-defying technology sold, relabeled Max-Fi: I express my doubts about the combination of marketing promises, including area covered, low latency, and speed, and the collision of those promises with the laws of physics as well as regulatory issues. The lack of sales, noted in the article, tends to confirm my opinion, which is precisely what happened with Vivato after early positive response led to devices being built that couldn't meet the mark. Current claims are 30 sq km with 14 access points for outdoor coverage at the port of Antwerp, a network that's in a test. I wrote about Inspiair back in 2006.

Foster City, Calif., turns down MetroFi equipment offer: The city decided against paying $200,000 for MetroFi's gear, which serves about 1,500 people a month, partly because yearly operations would top $125,000.

This might not be everybody's idea of utopia -- and it certainly doesn't address the inherent value of privacy -- but this theory has a glossy appeal, and could easily be mistaken for a way out of the problem of technology's continuing erosion of privacy. Except it doesn't work, because it ignores the crucial dissimilarity of power.

You cannot evaluate the value of privacy and disclosure unless you account for the relative power levels of the discloser and the disclosee.

If I disclose information to you, your power with respect to me increases. One way to address this power imbalance is for you to similarly disclose information to me. We both have less privacy, but the balance of power is maintained. But this mechanism fails utterly if you and I have different power levels to begin with.

An example will make this clearer. You're stopped by a police officer, who demands to see identification. Divulging your identity will give the officer enormous power over you: He or she can search police databases using the information on your ID; he or she can create a police record attached to your name; he or she can put you on this or that secret terrorist watch list. Asking to see the officer's ID in return gives you no comparable power over him or her. The power imbalance is too great, and mutual disclosure does not make it OK.

You can think of your existing power as the exponent in an equation that determines the value, to you, of more information. The more power you have, the more additional power you derive from the new data.

Another example: When your doctor says "take off your clothes," it makes no sense for you to say, "You first, doc." The two of you are not engaging in an interaction of equals.

This is the principle that should guide decision-makers when they consider installing surveillance cameras or launching data-mining programs. It's not enough to open the efforts to public scrutiny. All aspects of government work best when the relative power between the governors and the governed remains as small as possible -- when liberty is high and control is low. Forced openness in government reduces the relative power differential between the two, and is generally good. Forced openness in laypeople increases the relative power, and is generally bad.

Seventeen-year-old Erik Crespo was arrested in 2005 in connection with a shooting in a New York City elevator. There's no question that he committed the shooting; it was captured on surveillance-camera videotape. But he claimed that while being interrogated, Detective Christopher Perino tried to talk him out of getting a lawyer, and told him that he had to sign a confession before he could see a judge.

Perino denied, under oath, that he ever questioned Crespo. But Crespo had received an MP3 player as a Christmas gift, and surreptitiously recorded the questioning. The defense brought a transcript and CD into evidence. Shortly thereafter, the prosecution offered Crespo a better deal than originally proffered (seven years rather than 15). Crespo took the deal, and Perino was separately indicted on charges of perjury.

Without that recording, it was the detective's word against Crespo's. And who would believe a murder suspect over a New York City detective? That power imbalance was reduced only because Crespo was smart enough to press the "record" button on his MP3 player. Why aren't all interrogations recorded? Why don't defendants have the right to those recordings, just as they have the right to an attorney? Police routinely record traffic stops from their squad cars for their own protection; that video record shouldn't stop once the suspect is no longer a threat.

Cameras make sense when trained on police, and in offices where lawmakers meet with lobbyists, and wherever government officials wield power over the people. Open-government laws, giving the public access to government records and meetings of governmental bodies, also make sense. These all foster liberty.

Ubiquitous surveillance programs that affect everyone without probable cause or warrant, like the National Security Agency's warrantless eavesdropping programs or various proposals to monitor everything on the internet, foster control. And no one is safer in a political system of control.

This essay originally appeared on Wired.com.

"Bricked" is the term, and Apple isn't the least bit apologetic about it.

Computer companies want more control over the products they sell you, and they're resorting to increasingly draconian security measures to get that control. The reasons are economic.

Control allows a company to limit competition for ancillary products. With Mac computers, anyone can sell software that does anything. But Apple gets to decide who can sell what on the iPhone. It can foster competition when it wants, and reserve itself a monopoly position when it wants. And it can dictate terms to any company that wants to sell iPhone software and accessories.

This increases Apple's bottom line. But the primary benefit of all this control for Apple is that it increases lock-in. "Lock-in" is an economic term for the difficulty of switching to a competing product. For some products -- cola, for example -- there's no lock-in. I can drink a Coke today and a Pepsi tomorrow: no big deal. But for other products, it's harder.

Switching word processors, for example, requires installing a new application, learning a new interface and a new set of commands, converting all the files (which may not convert cleanly) and custom software (which will certainly require rewriting), and possibly even buying new hardware. If Coke stops satisfying me for even a moment, I'll switch: something Coke learned the hard way in 1985 when it changed the formula and started marketing New Coke. But my word processor has to really piss me off for a good long time before I'll even consider going through all that work and expense.

Lock-in isn't new. It's why all gaming-console manufacturers make sure that their game cartridges don't work on any other console, and how they can price the consoles at a loss and make the profit up by selling games. It's why Microsoft never wants to open up its file formats so other applications can read them. It's why music purchased from Apple for your iPod won't work on other brands of music players. It's why every U.S. cellphone company fought against phone number portability. It's why Facebook sues any company that tries to scrape its data and put it on a competing website. It explains airline frequent flyer programs, supermarket affinity cards and the new My Coke Rewards program.

With enough lock-in, a company can protect its market share even as it reduces customer service, raises prices, refuses to innovate and otherwise abuses its customer base. It should be no surprise that this sounds like pretty much every experience you've had with IT companies: Once the industry discovered lock-in, everyone started figuring out how to get as much of it as they can.

Economists Carl Shapiro and Hal Varian even proved that the value of a software company is the total lock-in. Here's the logic: Assume, for example, that you have 100 people in a company using MS Office at a cost of $500 each. If it cost the company less than $50,000 to switch to Open Office, they would. If it cost the company more than $50,000, Microsoft would increase its prices.

Mostly, companies increase their lock-in through security mechanisms. Sometimes patents preserve lock-in, but more often it's copy protection, digital rights management (DRM), code signing or other security mechanisms. These security features aren't what we normally think of as security: They don't protect us from some outside threat, they protect the companies from us.

Microsoft has been planning this sort of control-based security mechanism for years. First called Palladium and now NGSCB (Next-Generation Secure Computing Base), the idea is to build a control-based security system into the computing hardware. The details are complicated, but the results range from only allowing a computer to boot from an authorized copy of the OS to prohibiting the user from accessing "unauthorized" files or running unauthorized software. The competitive benefits to Microsoft are enormous (.pdf).

Of course, that's not how Microsoft advertises NGSCB. The company has positioned it as a security measure, protecting users from worms, Trojans and other malware. But control does not equal security; and this sort of control-based security is very difficult to get right, and sometimes makes us more vulnerable to other threats. Perhaps this is why Microsoft is quietly killing NGSCB -- we've gotten BitLocker, and we might get some other security features down the line -- despite the huge investment hardware manufacturers made when incorporating special security hardware into their motherboards.

In my last column, I talked about the security-versus-privacy debate, and how it's actually a debate about liberty versus control. Here we see the same dynamic, but in a commercial setting. By confusing control and security, companies are able to force control measures that work against our interests by convincing us they are doing it for our own safety.

As for Apple and the iPhone, I don't know what they're going to do. On the one hand, there's this analyst report that claims there are over a million unlocked iPhones, costing Apple between $300 million and $400 million in revenue. On the other hand, Apple is planning to release a software development kit this month, reversing its earlier restriction and allowing third-party vendors to write iPhone applications. Apple will attempt to keep control through a secret application key that will be required by all "official" third-party applications, but of course it's already been leaked.

And the security arms race goes on ...

This essay previously appeared on Wired.com.

EDITED TO ADD (2/12): SlashDot thread.

And critical commentary, which is oddly political:

This isn’t lock-in, it’s called choosing a product that meets your needs. If you don’t want to be tied to a particular phone network, don’t buy an iPhone. If installing third-party applications (between now and the end of February, when officially-sanctioned ones will start to appear) is critically important to you, don’t buy an iPhone.

It’s one thing to grumble about an otherwise tempting device not supporting some feature you would find useful; it’s another entirely to imply that this represents anti-libertarian lock-in. The fact remains, you are free to buy one of the many other devices on the market that existed before there ever was an iPhone.

Actually, lock-in is one of the factors you have to consider when choosing a product to meet your needs. It's not one thing or the other. And lock-in is certainly not "anti-libertarian." Lock-in is what you get when you have an unfettered free market competing for customers; it's libertarian utopia. Government regulations that limit lock-in tactics -- something I think would be very good for society -- is what's anti-libertarian.

Here's a commentary on that previous commentary. This is some good commentary, too.