[SecurityRatty] tag: render

Myth or truism? IT security experts render judgment on 12 beliefs

Mon, 10 Nov 2008 02:00:00 +0000

They are etched into the conventional wisdom of IT security, but are these 12 beliefs actually wise, or myths?

PasswordTextBox

Wed, 29 Oct 2008 16:49:54 +0000

Chris Sells used to poke fun at me when we worked together in my former life. He used to call my security class, "Essential Access Denied". His point was a good one: when they aren't applied carefully, security countermeasures often just get in the way of getting work done. I don't know about you, but password-mode text boxes in web forms have always been one of those annoyances.

I'm not complaining about the fact that I can't see what I'm typing. I understand and laud that feature, because I don't want someone looking over my shoulder at the password I'm typing, and this even applies when I'm at home. I love my children, but I certainly don't want them knowing the password to my bank account!

No, what I'm bothered by is how a typical password text box behaves on a form that may incur multiple post-backs before it's finally submitted. If you use the built in ASP.NET TextBox control, it purposely does not repopulate the password text, which means if you press a button on the form that performs a post-back, or if you have a multi-page form that posts back on every step, that password disappears, and the user typically has to re-enter it. You could solve this with liberal use of ASP.NET Ajax UpdatePanels, but that adds its own complexities. I wanted a simpler solution.

So I did a little research to see what others had discovered about this problem, and I ended up deriving my own custom control from TextBox to make a much more user-friendly (and developer-friendly) TextBox control. I called it PasswordTextBox, and it acts just like a TextBox in password mode, but it retains the password while still giving the user the same level of protection the standard TextBox supplies.

My PasswordTextBox operates very simply: it stores the password in control state, and renders a series of fixed characters (with the same length as the actual password) into the text box so that it "looks" like the user's password has been rendered. Since control state is part of view state, and since view state is stored in a hidden field on the form, I encrypt the password before putting it into control state.

The result is quite nice - the user can post your form back as many times as she needs to, perhaps moving back and forth across wizard steps or tabs, and when she finally presses the "Finish" button (or whatever you call the last step of your input form), your code will be able to read the password by simply accessing the Text property on the PasswordTextBox. The user will believe that her password is sitting there on the form while she's working, as the same number of obfuscated characters will show up in the field as she typed in originally (what she doesn't know is that those characters aren't her real password anymore, but what she doesn't know won't hurt her!)

Note that to keep this simple, I used DPAPI to encrypt the password, which suited my purposes. But if you have a web farm, that won't work well at all if you don't know which machine the user's going to post back to, so you'll want to replace that with something more robust. I could see looking up the for entropy, as that tends to be sync'd already across the farm, but I've not yet spent the cycles to go down that road, since unfortunately all of the code for generating keys based on that config section are off limits in ASP.NET (most of the useful stuff is marked internal). I don't think it'd be that hard to do though.

Anyway, without further ado, here's the code, which you'll see is quite simple. I'd love feedback, especially if you see any glaring problems with the idea or the implementation!

public class PasswordTextBox : TextBox
{
    // unlikely that a string of these would be used for a password
    const char PasswordPlaceholderChar = '}';

    string password; // stored encrypted in control state

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        Page.RegisterRequiresControlState(this);
    }

    protected override object SaveControlState()
    {
        byte[] encryptedPassword = ProtectPassword(password);

        object baseControlState = base.SaveControlState();
        if (null == baseControlState)
            return encryptedPassword;
        else return new Pair(baseControlState, encryptedPassword);
    }

    protected override void LoadControlState(object savedState)
    {
        byte[] encryptedPassword;

        Pair pair = savedState as Pair;
        if (null != pair)
        {
            base.LoadControlState(pair.First);
            encryptedPassword = pair.Second as byte[];
        }
        else encryptedPassword = savedState as byte[];

        password = UnprotectPassword(encryptedPassword);
    }

    /// 
    /// This control always uses TextMode=Password
    /// 
    public override TextBoxMode TextMode
    {
        get
        {
            return TextBoxMode.Password;
        }
        set { }
    }

    /// 
    /// TextBox doesn't render value attribute for TextMode=Password
    /// So we add code that renders a placeholder text instead
    /// 
    /// 
    protected override void AddAttributesToRender(HtmlTextWriter writer)
    {
        base.AddAttributesToRender(writer);

        string text = Text;
        if (text.Length > 0)
            writer.AddAttribute(HtmlTextWriterAttribute.Value,
                GetPlaceholderPassword(text));
    }

    /// 
    /// TextBox doesn't save the "Text" viewstate in
    /// TextMode=Password and we don't want our behavior to break
    /// if ViewState is turned off so we store the password in
    /// Control State, encrypted with MachineKey
    /// 
    public override string Text
    {
        get
        {
            return password ?? string.Empty;
        }
        set
        {
            // this prevents us overwriting the actual
            // password with a placeholder
            if (!string.IsNullOrEmpty(password) &&
                value.Equals(GetPlaceholderPassword(password)))
                return;

            password = value;
        }
    }

    private string GetPlaceholderPassword(string realPassword)
    {
        int length = 12;
        if (!string.IsNullOrEmpty(realPassword))
            length = realPassword.Length;

        StringBuilder sb = new StringBuilder();
        sb.Append(PasswordPlaceholderChar, length);

        return sb.ToString();
    }

    public byte[] ProtectPassword(string password)
    {
        if (string.IsNullOrEmpty(password))
            return null;
        byte[] cleartext = Encoding.UTF8.GetBytes(password);
        return ProtectedData.Protect(cleartext, null,
            DataProtectionScope.LocalMachine);
    }

    public string UnprotectPassword(byte[] ciphertext)
    {
        if (null == ciphertext)
            return null;
        byte[] cleartext = ProtectedData.Unprotect(ciphertext, null,
            DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(cleartext);
    }
}

The web browser is sick but wheres the cure?

Thu, 14 Aug 2008 07:11:14 +0000

Blogger: Ramon Krikken

The web browser is one of those peculiar pieces of software, having to accept input from arbitrary sources and then parse and render the data that is sent to it. Part of this it does by itself, and other parts are taken care of by handlers and plug-ins. In doing so, it displays hypertext, images, videos, and even runs active content like Flash, JavaScript, and ActiveX.

But however much we love the browser, we’ve also come to hate the myriad of vulnerabilities that affect it. Everything from cross-site scripting to remote code execution via maliciously formed animated cursor files and Flash content can make browsing a hazardous activity. The browser is sick, and that’s not desirable for a platform we use for important business and personal transactions.

Worsening the browser’s diagnosis is the recent paper from Mark Dowd and Alexander Sotirov, sub-titled “Setting back browser security by 10 years,” which discusses how to bypass Microsoft Vista’s memory protection capabilities with some added effort for the exploit designers. It’s not that all of the techniques are necessarily new, but the browser appears to be particularly vulnerable to easy exploitation.

Surprising? Not exactly, when we take into account that the browser is suffering from the same disease as the general purpose operating system: bloat and compatibility. We expect the browser to do ever more, but everything we used it for before still needs to work as if it were yesterday. It feels a bit like people insisting on using a cardboard box as a safe, and wondering why their money keeps getting stolen.

It’s not like we haven’t been working on the browser’s cure, though. There have been some improvements in the browsers themselves, the operating systems have also implemented compensating controls, but most of all, there has been an enormous push for securing the web applications that deliver the data in the first place. Unfortunately, the latter two won’t help secure the browser in the long run.

The first issue is that not all content will come from ‘nice’ servers, the second that the server can only make an educated guess on how a browser will parse and render a given set of data, and the third that operating system controls have their own limitations, whether by design or implementation (for example needing to re-compile existing code to enable certain protections.) The browser, in the end, has to be mostly responsible for keeping itself safe; the operating system must assist it in doing so.

So we’re in a pickle. The browser is sick (and the operating system is too), but it’s hard to cure it without a redesign that will undoubtedly impact compatibility, the ever-so-desired multi-functionality, or its ease of use. We can layer defenses by using web filtering in the enterprise environment, but in the end – for the consumer market in particular – we need to fix the browser itself. I can think of a few things I think might help:

Some kind of site security policy to restrict where the browser loads auxiliary content from, and which data it can ‘trust’, when loading a web page (I’d prefer mandatory enforcement, and adding an HTML tag to be able to indicate blocks of untrustworthy data.)
Restricted compartments for plug-ins to run in, ensuring that their bugs cannot easily affect the whole browser.
Better software development practices for the plug-ins and content parsers themselves, so that they’re less vulnerable, and compiled with the latest protection measures to begin with.

All of this means more work, and some of it means a lot of unhappy reactions when things stop working. Even then we will of course still have to deal with additional vulnerabilities, such as those that may be present in hardware, but we will at least have taken prudent steps to ‘find a cure.’

The web browser is sick ??? but where???s the cure?

Thu, 14 Aug 2008 07:11:14 +0000

Blogger: Ramon Krikken

But however much we love the browser, we???ve also come to hate the myriad of vulnerabilities that affect it. Everything from cross-site scripting to remote code execution via maliciously formed animated cursor files and Flash content can make browsing a hazardous activity. The browser is sick, and that???s not desirable for a platform we use for important business and personal transactions.

Worsening the browser???s diagnosis is the recent paper from Mark Dowd and Alexander Sotirov, sub-titled ???Setting back browser security by 10 years,??? which discusses how to bypass Microsoft Vista???s memory protection capabilities with some added effort for the exploit designers. It???s not that all of the techniques are necessarily new, but the browser appears to be particularly vulnerable to easy exploitation.

It???s not like we haven???t been working on the browser???s cure, though. There have been some improvements in the browsers themselves, the operating systems have also implemented compensating controls, but most of all, there has been an enormous push for securing the web applications that deliver the data in the first place. Unfortunately, the latter two won???t help secure the browser in the long run.

The first issue is that not all content will come from ???nice??? servers, the second that the server can only make an educated guess on how a browser will parse and render a given set of data, and the third that operating system controls have their own limitations, whether by design or implementation (for example needing to re-compile existing code to enable certain protections.) The browser, in the end, has to be mostly responsible for keeping itself safe; the operating system must assist it in doing so.

So we???re in a pickle. The browser is sick (and the operating system is too), but it???s hard to cure it without a redesign that will undoubtedly impact compatibility, the ever-so-desired multi-functionality, or its ease of use. We can layer defenses by using web filtering in the enterprise environment, but in the end ??? for the consumer market in particular ??? we need to fix the browser itself. I can think of a few things I think might help:

Some kind of site security policy to restrict where the browser loads auxiliary content from, and which data it can ???trust???, when loading a web page (I???d prefer mandatory enforcement, and adding an HTML tag to be able to indicate blocks of untrustworthy data.)
Restricted compartments for plug-ins to run in, ensuring that their bugs cannot easily affect the whole browser.
Better software development practices for the plug-ins and content parsers themselves, so that they???re less vulnerable, and compiled with the latest protection measures to begin with.

PCI Compliance? Let's Talk!

Thu, 31 Jul 2008 13:35:05 +0000

During a meeting with an RSA customer earlier this week, I was asked a very detailed and pointed question about my interpretation of requirement 3.4. Specifically, the customer was using encryption to render PANs unreadable and wanted to know if their algorithm was indeed classified as "strong cryptography." Really, the customer was interested in making sure this particular encryption algorithm would pass their upcoming PCI audit. While I was happy to voice my opinion, I stressed the critical importance of open and honest communication when it comes to passing an audit and successful PCI compliance in general...

Coding Spyware and Malware for Hire

Mon, 21 Jul 2008 23:52:14 +0000

What type of antivirus evasion do you want today? For the past several years, we have been witnessing the emerging customerization applied in malware and spyware for hire services. What used to be a situation where the malware authors would code and then start promoting a piece of malware including features that he thinks his potential customers would want by generalizing a cybercriminal's needs, is today's "listening to the customer" win-win situation that they've reached already.

The whole maturity from a product concept to customerization is in fact so prevalent these days, that malware authors wanting to preserve their intellectual property are forbidding their customers from reverse engineering their malware modules, presumably fearing that remotely exploitable flaws like this one in one of the most popular Ebanker malwares for the last two yers Zeus, could be discovered due to the malware author's insecure coding practices. Moreover, limiting the distribution of a single license they are given to more than three people will result in the malware author ignoring any future business relationships with the party that ruined the exclusiveness of the malware, thereby leaking it to the public, something that's been happening and will continue happening with web malware exploitation kits.

What would be the price of a custom malware module coded on demand? How much does it cost to have a built in email harvester that would sniff all the incoming and outgoing email addresses from the infected host to later on include them in upcoming spam and malware campaigns? Would the malware author also provide a managed hosting service for the command and control and the actual binaries on a revenue sharing

Here's an automatically translated, and fairly easy to understand random proposition for coding spyware and malware for hire, aiming to answer many of these questions, clearly demonstrating that today's malware is coded in exactly the same way the customer wants it to :

"As you can see in the history of its development turned directly into the combine, while almost no raspuh in weight, full-size pack аж 18 kb and minialno 5 kb, for all nampomnyu again, all descriptions below can be done as otdelnym bot, and any combination of cross except for a few restrictions. This product is targeted at mass-user and will not be all prodavatsya row. So, you can choose from:

Actually loader - is able to load a file from adminki, by country and other characteristics, such as the number of animals on board with a specific bot, a country group of countries, the availability of certain authors or Fire, sredenemu time online, etc. etc.. You can adjust the speed of shipping limits for each file, can load 1 as well as how files simultaneously
300 €

FTP and not only Graber
Analyzes user traffic and collects from the ftp acclamation, that is ftp acclamation would you regardless of how the customer uses ftp user, thus can be obtained most valuable ftp aka (even those to which the password is not saved), you can also grab other in a way not only acclamation acclamation and other tasty things more)
150 €

Assembler spam bases
Analyzes user traffic and collects from all email, snifit http pop3 smtp protocols, keeps records unikallnosti locally on each boat to reduce the burden on the server as well as globally on a server has 2 mode of operation - ie passive with only collects user to please and active - the very beginning to download the entire inet) in search of soap
220 €

Socks 4 / 5
Normal soks with competently implemented multithreading, is activated only if the user real Ip, otherwise not. And also optional, depending on the connection type and speed ineta.
70 €

Indicates
The primitive method, contamination fleshek avtoranom gives 2-3% increase in the first week and up to 7% in the next, a pleasant trifle)
35 €

Scripts
Loader supports internal scripting language - jscript, to carry out arbitrary actions on the victim machine, whether recording data in the register, setting authentic hon-Pago, opening URL in your browser (it was done so to please with 90% punching)), apload arbitrary files on a server, even theoretically possible to form and grabing inzhekty in IE) has only to write the script zaebetes, vobschem lyuboye actions soul who wish)
70 € basic functionality

Assembler passwords
Collects data such as passwords pstorage IE, MSN, etc., will be added at the request of other sources of passwords
70 €

Mini-AV
When installing loadera wheelbarrows to remove BHO shaped three, zevso-shaped, the majority of shit from all avtoranov, render most keylogerov until all) forward proposals to improve
70 €

File-default
In exe loadera program URL (in adminke) to the file which once progruzit 1 and run at first start loadera on wheelbarrows, while simultaneously helping progruzke Trojan for example, in its entire botnet that does not paired with challenges in adminke, the module operates in 20 seconds after the mini - av which excludes the removal of your Trojan bot, after progruza this exe bot continues to normal activities.
35 €

Form Graber
While in beta version, robbed IE. Sends logs in adminku, folding country. Logs are like logs agent. It consists of:

Graber certificats
On the idea is part formgrabera but could work and of itself, actually there is nothing to describe)

Injections
Literacy sold inzhekty, did not begin work after full progruza pages (as in bolshistve three) and immediately supported injection yavaskript code, which allows avtozalivy and DC inzhekty for data collection. For example not to yuzat acclamation at all is not yet introduce the necessary number of Britain, after which inzhekt ceases to operate. Вобщем mdelat can be anything and in any form) rather than the meager request field pin) And also inzhektov subspecies - a substitute for the issuance of search enginee.

Graber balances
Makes loot aka balances at the entrance to the user acclamation, detail added to the logs.

Screen
Universal method to grab information from absolutely any species and varieties klaiviatur screens, in particular html, flash, in one picture, with a drop-down fields after choosing your encrypted, as well as information such as "enter 3 yu secret letter word" etc. as well as any information which is visible a user but not seen in the logs. Screen settings of adminki, set URL where do screen as well as the type of screen: for virtual keyboard (done several small images of areas around the clique) or to "enter 3 yu secret letter words" (makes 1 full shot). With the withdrawal screen recorded in the log entry with the name of the file to the screen this position.

Antiabuznost for botneta
Feachem adminki, keep botnet enables fast, normal, bezglyuchnyh NEabuzoustoychivyh hosting, with features that you forget what abuzy, nohistory week saporta "abuzoustoychivogo" hosting inaccessibility host to half ineta etc., etc., also with the help of the supplement will be able to keep huge botnety (over SL) at 1 dedike with 512 Lake) and well on the price of hosting a savings, not $ 500 a month and 150. It may use this feature to stroronnim development, Trojans, bots, etc., actually is a separate product. And incidentally, if you do not understand the theory that nenado ask "and how does it work?" imagine that it works and point and neubivaemo in pritsnipe.
600 € +

All prices are in euros, the calculation is made at the rate of CB on the day of purchase. ps I will not disappear as most authors after months of sales, I DONT how to please you get to the assembly ftp, I DONT how many soap collects soap-graber, I DONT what otstuk from loadera, I DONT soksov how many will be from 1 to downloads, and how best To work load a file is not dead quickly, if you are confused my ignorance - that my loader so you do not need more tries)

Rules / Licence
-- Customer has no right to transfer any of his three 3 persons except options for harmonizing with me
-- Customer does not have the right to make any decompile, research, malicious modification of any three parts
-- Customer has no right where either rasprostanyat information about three and a public discussion with the exception of three entries.
-- For violating the rules - without any license denial manibekov and further conversations"

This malware coder seems to be participating in an affiliate program with a malicious ISP that is offering hosting services for the entire campaign, not just the malware binaries, so you have a rather good example that incentives and revenue-sharing models result in value-added services, a all-in-one shop for a customer to take advantage of without bothering to approach a third-party.

Cybercrime is getting even more easier to outsource these days, and with the malicious parties improving their communication and incentives model, the resulting transparency in the underground market

Related posts:
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Russia's FSB vs Cybercrime
Malware as a Web Service
Localizing Open Source Malware
Quality and Assurance in Malware Attacks
Benchmarking and Optimising Malware

Decrypting and Restoring GPcode Encrypted Files

Tue, 01 Jul 2008 04:26:39 +0000

The futile attempt to directly attack the encryption algorithm used by the GPcode ransomware, is prompting Kaspersky Labs to invest in a more pragmatic solutions to the problem, with a new version of the StopGpcode tool released last week. More info :

"It turns out that if a user has files that are encrypted by Gpcode and versions of those same files that are unencrypted, then the pairs of files (the encrypted and corresponding unencrypted file) can be used to restore other files on the victim machine. This is the method that the StopGpcode2 tool uses.

Where can these unencrypted files be found? They may be the result of using PhotoRec. Moreover, these files may be found in a backup storage or on removable media (e.g., the original files of photographs copied to the hard disk of a computer that has been attacked by Gpcode may still be on a camera’s memory card). Unencrypted files may also have been saved somewhere on a network resource (e.g., films or video clips on a public server) that the Gpcode virus has not reached."

As the customer support desk behind GPcode pointed out in an interview, the malware is prone to evolve, and the simplistic file deletion process will be replaced by secure file deletion in order to render all data recovery tols useless, unless of course backups of the affected data are available. They often aren't, and depending on the importance of the files encrypted, the successful ransom is all a matter of the momentum.

"A person, presumably the author of Gpcode, contacted at one of the e-mail addresses left behind by the program stated that future development efforts will likely increase the key size to 4,096 bits, "if AV companies or other (people) crack the current key, but (that's) impossible. The self-proclaimed author, who used the name "Daniel Robertson," also said that other standard techniques to defeat antivirus will be added, including polymorphic encryption, anti-heuristic features and the ability to self propagate, turning the program into a computer virus. It well pays back itself," he said"

There are even more pragmatic approaches to dealing with this problem, next to backups undermining their business model. Try following the virtual money for instance.

Scrawlr: Are We Being Too Greedy?

Wed, 25 Jun 2008 12:19:45 +0000

HP released a new tool called Scrawlr yesterday that can be used to identify a subset of SQL Injection vulnerabilities in a website. It was a joint effort with Microsoft and a direct response to the mass SQL Injection attacks of late.

Scrawlr quickly came under fire on the Web Security mailing list for having some pretty major limitations. Billy Hoffman et al have been quick to point out that the tool was designed to address a very specific subset of SQL Injection vulnerability — the type affected by the mass attacks — and is not designed to be a general purpose replacement for existing SQL Injection scanners. Let’s look at the limitations, as outlined on the HP page, one by one.

Limitation: Will only crawl up to 1500 pages

Depends on what they mean by 1500 pages. For example, if I have these links on my front page, is that one URL or three?

http://www.veracode.com/blog/?p=111&foo=1
http://www.veracode.com/blog/?p=111&foo=2
http://www.veracode.com/blog/?p=111&foo=3

Or, does it mean that it will really only crawl 1500 pages total, so if I have the same link 1500 times on the front page, it won’t go any further? Either way, for most smaller websites this is probably fine. If you need more than 1500 you could give it different starting URLs in an attempt to improve coverage. It would be nice to have a clearer definition of what it means to “crawl up to 1500 pages” though.

Limitation: Does not support sites requiring authentication

Well, this will render it useless for the majority of enterprise apps. But there are still a lot of sites out there that don’t require authentication, including some of the ones that got hit during the mass attacks, such as the United Nations, UK government, etc.

Limitation: Does not perform Blind SQL injection

They have taken a lot of flack for this but Billy describes it as a conscious choice:

An early version of the tool checked for blind SQL injection, but the final verison of Scrawlr did not. … The biggest feedback we got from early testing was developers wanted to “see” the vulnerability. Differential analysis is kind of difficult to visualize in a way that is helpful for the average dev, and pulling the table names through blind was too much of a performance issue.

I can sort of understand this rationale. Blind SQL Injection testing is much more susceptible to false positives. As users of any commercial web scanner or source code analyzer will attest, the more time you spend chasing down FPs, the less likely you are to put any faith in future results. It’d be nice if there was a way to toggle Blind SQL Injection testing on and off, though (could be off by default so nobody gets confused).

Limitation: Cannot retrieve database contents

Who cares? Find and fix the vulnerability. Pulling down the entire database “because you can” is a total ego move.

Limitation: Does not support JavaScript or flash parsing

Nobody does this very well anyway, particularly the JavaScript part. Writing a great crawler is probably the hardest part of writing an automated web scanner and it’s one of the biggest differentiators from one product to the next. You’re not going to get that for free.

Limitation: Will not test forms for SQL Injection (POST Parameters)

This is probably the toughest one to swallow. It’s not that difficult to parse out forms from HTML, and form POSTs can represent a major chunk of the attack surface. Granted, the Chinese tool associated with the mass attacks did operate solely on GET requests (i.e. parameters in the query string) so HP can defend this again by saying the tool is really aimed at the sites being targeted by the mass attacks. I think it’s a little short-sighted though; chances are that the mass attacks will evolve and it’s better to be proactive about it than reactive.

Conclusion

It’s tough to bash someone for releasing a free tool. I personally think HP should add an option for enabling Blind SQL Injection testing, and that they should consider supporting POSTs as well as GETs. You’re basically getting a (massively) stripped-down WebInspect for free, so take it for what it is. No single tool is a panacea.

The jury is still out on how effective Scrawlr is against the things it does claim support for. Keep watching the Web Security list; the reviews are filtering in.

The Inevitable iPhone 3G Post

Wed, 11 Jun 2008 08:37:46 +0000

Yes, I touched an iPhone 3G: At Apple's big developer event kickoff on Monday, Steve Jobs introduced the iPhone 3G. Later that day, in a briefing, I was able to handle and use the phone briefly. It's lovely. But its inclusion of 3G service coupled with Wi-Fi, as well as a real GPS chip coupled with assistive cell-tower triangulation and Wi-Fi network location approximation means that you have a device that might fairly replace a computer for many purposes. I've had an iPhone with 2G (EDGE) service since its release, and I recently took a two-day trip with my older son leaving my computer behind. (I was able to use a relative's machine, but only did so to be able to type email more efficiently.) If Apple would simply allow the use of the Bluetooth HID profile (human interface devices) for keyboard and mouse support, a compact foldable keyboard would be the only accessory I would need.

Note that the iPhone 2G and 3G aren't more powerful than other, similar devices. Symbian platform devices from Nokia and others are in notably short supply in the US, but come in great quantities and varieties elsewhere, and have some pretty impressive computational power; Nokia owns nearly 50 percent of the worldwide smartphone market. Likewise, you can run desktop-to-mobile programs under Windows Mobile that let you have real computer applications repackaged for better use in the smaller form.

But that's not what the iPhone is about. It's a non-compromise device, even when a little compromise might help. The lack of a touch-typist keyboard hinders data entry, but it doesn't restrict any other purpose of the device. The inclusion of those keyboards is a huge compromise for all its competitors, even though it allows those competitors to act more like little computers.

And that's where it's odd for me. The iPhone is much more like a full-blown computer than any smartphone I've used. It might be the superior browser, and the fact that a single company and design vision has ensured the maximum CPU is available for each current task, and that the interface and actions are nearly always consistent across every piece of software. Contrast that with many smartphones that don't just have ugly interfaces, crippled Web browsers, and varying input methods, but also require you to learn a different approach to using nearly every different piece of software on the phone.

Apple isn't about to kill its competitors, but they are providing an odd amount of support for killing a laptop.

On a slightly tangential front, Apple CEO Steve Jobs claim that their phone's 3G speed was nearly that of Wi-Fi requires some explanation. Jobs needed a footnote: "compared to typical Wi-Fi hotspots that have about 1.5 Mbps of downstream backhaul." The iPhone is clearly processor limited for how fast it can render Web pages and handle network processing. If you stick an iPhone on a 10 Mbps-backed network via Wi-Fi, the browsing experience isn't very different than on a 1.5 Mbps-backed Wi-Fi hotspot, in my experience with the current phone.

So clearly, there's more optimization to be done and more hardware upgrades to come in order to have a mobile device that can live up to whatever network it generally works on. For the iPhone 3G, Wi-Fi is an alternative, but it's clearly not intended as a superior alternative.

Cloud computing - I want my cake and eat it too

Sun, 08 Jun 2008 18:20:19 +0000

Its easy to dismiss Don Dodge's asking "Do you really want your data in the cloud" as a Microsoft guy defending their turf. Don uses some recent uptime problems at Amazon, Twitter, Disqus and Typepad to show that keeping your information in the cloud and relying on the net to deliver your applications gives you less control, less security, less scalability and less reliability.

Don has a point, even though net access and SaaS services are much more mature than they were in the past, there is always the times when it does not work. For that matter, cell phones, blackberries, and cable TV don't always work either. An indication of how vital something has become is how much we miss it if it is not available. But to the point, I remember when the personal computer first came into being. The idea of your data and the applications being "portable" to your device was revolutionary. The idea of keeping your data on those big floppy discs was so empowering. But even than, problems accessing data on a disk or an application not behaving or security problems could render you just as frustrated on your non-networked device as an Amazon or twitter being down does now.

Ultimately I think these things go in cycles and we are entering a centralized cycle now. However, I think this turn of the cycle could be different. Never before has net access been so ubiquitous. Never before have we seen the depth of optimized applications for the net. The infrastructure is finally in place to recognize the dreams of many of "thin clients" and net terminals. But I think the best model is a hybrid model. I like the Microsoft solution where I can work on stuff online and off line on my computer, than sync up later. Ultimately when it comes cloud versus local computing, I want my cake and eat it too.