Tag Archives: managing director

A Lesson From the Underground

Security is as much about giving people information as it is about building security systems. That’s the message from the managing director of the London Underground, Tim O’Toole, but it could as easily apply to personal computer security. Don Phillips’ piece in today’s International Herald Tribune could offer useful lessons to software developers and anyone trying to keep trojans, viruses and spyware at bay:

Tim O’Toole, the managing director of the London Underground, who said a terrorist attack last summer was the greatest Underground crisis since the Nazi blitz of World War II, was telling U.S. transit and rail officials they should avoid the temptation to spend lavishly on new security systems just to reassure the riding public.

Instead, he said, spend first on human resources, including constant training and a system to lavish fresh information continually on every employee in the system during a crisis, even if there is a chance some information could fall into the wrong hands.

O’Toole’s message may not have gone down very well since, “outside the hall where he spoke were many exhibits of expensive new equipment to battle terrorism on transit and rail systems.” One could imagine the same thing happening at a computer security conference. But here, I think, a difference emerges. What I think firewall and antivirus vendors need to think about is this: giving timely, useful and intelligible information to users so they can make good decisions. It’s not about locking everything out, because that’s clearly impossible.

Neither is it about ‘educating the user’. Vendors usually complain that they try to do this but fail, so they go the other way — software that does everything silently, behind the scenes, and automatically, with an interface that gives only the barest information or choice to the user. Neither option — education or invisibility — works. Instead, the secret is like the Underground lesson: let people know what’s happening in the context of the situation and threat.

Back to Don’s piece:

O’Toole said the greatest mistake the London Underground had made after the bomb attacks of July 7 was its “poor performance” in keeping employees fully informed of everything that was happening even if that information is sensitive and could not be released to the public right away. In an information vacuum, employees may grow suspicious of authorities just at the time they need to be full members of a crisis team, he said. Management did a “poor job” of information flow during last summer’s attacks, he said. In the future, “We will be pumping everything we know out internally. Some of it may get out, but that’s O.K.”

There’s a clear parallel, in my mind, to Internet threats. Don’t hide knowledge about newly discovered vulnerabilities — newly found holes in existing software that might let bad guys in, if they knew about it — until a fix is found. It’s clear that attacks happen too quickly for antivirus vendors and software developers to be able to cover all contingencies, so better to inform customers and let them assess the risk. The trick is, how to do this?

I would suggest the following guidelines:

  • Most people now have firewalls installed on their desktop computers. These programs — or anti-virus programs, or antispyware programs, or combinations thereof — could become a sort of signalling service giving timely information to the user. For example, the current Kama Sutra worm, Nyxem.E or Grew.A, could be flagged with a small pop-up message informing the user of the danger and offering suggestions.
  • Make the information relevant to the situation. How do I know whether the new updates to my firewall keep me safe from the WinAmp bug identified by Secunia? If something big is happening, letting people know quickly might be more worthwhile than feverishly working on an update which doesn’t reach the user in time. Worst case scenario, the user can just unplug their computer for the rest of the day. Let them make that decision, but give them the information first.
  • The text of such alerts or advisories has got to be useful and clear. ZoneAlarm and other vendors often leave their messages too vague to be meaningful for us ordinary folk, scaring us out of our wits the first few times and then, gradually, just like the wolf crying scenario, we get blasé.
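To make the three guidelines concrete, here is a small added example (not code from the original post, and not any vendor’s product) of what such a “signalling service” on the desktop might do: it takes a vendor advisory, shows it only when the affected program is actually installed and not yet patched, words the message in plain language with one concrete action, and throttles what reaches the user so that repeated or low-severity alerts do not train people to click them away. All product names, advisory identifiers and version numbers below are constructed placeholders.

```python
"""Relevance-filtered, plain-language security alerts for end users.

Added illustration, not part of the original post. Every advisory, product
name and version below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """'5.12' -> (5, 12) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str            # placeholder identifier, not a real advisory
    product: str                # name as it appears in the local software inventory
    last_affected: str          # highest affected version (inclusive)
    fixed_in: Optional[str]     # None means no fix has been released yet
    severity: str               # "low", "medium" or "high"
    summary: str                # one plain sentence: what the problem is
    workaround: str             # one concrete thing the user can do right now


def is_relevant(adv: Advisory, installed: dict) -> bool:
    """Guideline 2: only raise an alert that applies to this machine.

    Not installed, or already at/above the fixed version -> not relevant.
    """
    version = installed.get(adv.product)
    if version is None:
        return False
    v = parse_version(version)
    if adv.fixed_in is not None and v >= parse_version(adv.fixed_in):
        return False
    return v <= parse_version(adv.last_affected)


def render_alert(adv: Advisory, installed: dict) -> Optional[str]:
    """Guideline 3: short, specific wording with a single clear action.

    Returns None when the advisory does not apply to this machine.
    """
    if not is_relevant(adv, installed):
        return None
    if adv.fixed_in:
        action = f"Update {adv.product} to version {adv.fixed_in} now."
    else:
        action = f"No fix is available yet. Until there is: {adv.workaround}"
    return (
        f"[{adv.severity.upper()}] {adv.product} {installed[adv.product]} "
        f"on this computer is affected.\n"
        f"What: {adv.summary}\n"
        f"What you can do: {action}\n"
        f"Reference: {adv.advisory_id}"
    )


class AlertService:
    """Guideline 1: the local firewall/antivirus acting as a signalling service.

    Alerts are used sparingly: each advisory is shown at most once, and only
    medium/high severities interrupt the user; the rest go to a quiet log.
    """

    def __init__(self, installed: dict, popup_severities=("medium", "high")):
        self.installed = installed
        self.popup_severities = set(popup_severities)
        self.seen = set()
        self.log = []

    def process(self, advisories) -> list:
        """Return the messages that should pop up for the user right now."""
        popups = []
        for adv in advisories:
            if adv.advisory_id in self.seen:
                continue                      # never nag twice about the same issue
            message = render_alert(adv, self.installed)
            if message is None:
                continue                      # does not apply to this machine
            self.seen.add(adv.advisory_id)
            if adv.severity in self.popup_severities:
                popups.append(message)
            else:
                self.log.append(message)
        return popups


# Constructed sample data: a local software inventory and a feed of advisories.
INSTALLED = {"ExamplePlayer": "5.12", "ExampleFirewall": "6.1"}
ADVISORIES = [
    Advisory("EX-2006-0001", "ExamplePlayer", "5.12", None, "high",
             "Opening a specially crafted media file can let an attacker run "
             "programs on this computer.",
             "only open media files you created or received from someone you trust."),
    Advisory("EX-2006-0002", "ExampleFirewall", "6.0", "6.1", "high",
             "Older versions could be switched off remotely.",
             "update to the current version."),          # already patched here
    Advisory("EX-2006-0003", "ExampleBrowser", "1.5", "1.6", "high",
             "A web page could read local files.",
             "update to the current version."),          # not installed here
    Advisory("EX-2006-0004", "ExamplePlayer", "5.12", None, "low",
             "Some playlists display the wrong track length.",
             "none needed; cosmetic only."),            # low severity: log only
]

if __name__ == "__main__":
    service = AlertService(INSTALLED)
    for popup in service.process(ADVISORIES):
        print(popup, end="\n\n")
```

Run as a script, this prints exactly one pop-up (the unpatched player with no fix yet, carrying the workaround), silently logs the low-severity item, and says nothing about the firewall advisory, which the installed version already covers. That last case is precisely the “do my firewall updates keep me safe from this bug?” question from the second guideline, answered by the tool rather than left to the user.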

Sadly we’ve become accustomed to ignoring messages we don’t understand. This needs to change. Just like in the ordinary world, we’ve become both numb and constantly terrorized at the same time because of poor or insufficient information. We need to learn lessons about security from other fields. I don’t recommend bombarding users with alerts, but if they are used sparingly, judiciously and with good solid guidance contained inside, I think they are the best way to keep the user in the loop.

BBC ‘Is Devaluing Music’ With Free Downloads

Not everyone is happy that the BBC has given away Beethoven’s symphonies: The Independent Online reports (via TechDirt):

Managing director of the Naxos label, Anthony Anderson, said: “I think there is a question of whether a publicly funded broadcaster should be doing this and there is the obvious issue that it is devaluing the perceived value of music. You are also leading the public to think that it is fine to download and own these files for nothing.”

I love the idea of devaluing music (sorry, ‘devaluing the perceived value of music’; can you devalue the value of something?) by giving it away. Presumably everybody giving a free lunchtime concert or playing their violin for pleasure in the comfort of their own home is devaluing music and should be discouraged from doing so.

I didn’t really express myself well when I posted on this before (what’s new). I wrote

But why is it that listening to free classical music is seen as a way of encouraging a broader interest in the genre (and, presumably, encouraging the listener to buy classical music) but when the music is pop, it’s seen as dangerous encroachment on the rights and prerogative of the music industry and has to be stamped out?

Some reader replied:

Is it becasue [sic] the classical music is in the public domain?

That gave me pause. Is it? Sort of. But it’s not just that. The copyright of the music itself may be in the public domain, but the performance isn’t. The BBC still has to pay for the recording, for the musicians, for the studio etc. And Mr. Anderson’s ill-conceived comments show that in fact much of this idea of giving music away for free has less to do with protecting the performers or composers than with protecting the ‘perceived value’ of music itself. The usual argument against MP3 file sharing is that it takes money away from the creators, so they won’t be able to afford to produce new music. But Mr. Anderson’s idea is different: The value of music is not an aesthetic one, but a financial one. Give something away and it won’t be appreciated.

Another argument was offered by Ralph Couzens, managing director of the Chandos label who was quoted by the Independent as saying:

“We have to pay premium prices to record big orchestras and pay full union rates and we have to pass those costs on to the consumer. If the BBC is going to offer recordings for free, that is going to be a major problem.”

Huh? Don’t the BBC have to pay the same fees? I suppose you could argue that as a publicly funded broadcaster it doesn’t have to make a profit and therefore those fees are discounted, but if this were a valid argument, wouldn’t every commercial TV and radio station, every record label and studio make it against any publicly funded broadcaster?

Others have pointed out the narrow-mindedness of such arguments: If more people listen to Beethoven for free, the more people will love his music and want more of it, in the form of more recordings or more concerts, or more books, or whatever. With classical music that argument has long been won: That’s why my Dad dragged me along to every concert he could. He knew I would hate most of them, but eventually somehow the music would enter my blood and I would become addicted. But I guess my original post was asking, somewhat incoherently, why the same question is not so readily asked of pop music. Surely if I heard Coldplay on the radio — for which I don’t pay — I’m going to be more likely to buy their CD if I see it in a shop? Likewise, if I can download legitimately one song — or even half a CD — of their stuff for free, aren’t I more, rather than less, likely to shell out for the full album (assuming I can’t download the other half for free)? With music, there’s no real end to one’s appetite. Surely any kind of music can only benefit by such gifts as the BBC made in its Beethoven experiment?

Windows 98 Users Face A Scary Future

A by-product of Microsoft’s decision to phase out support for some of its ‘old’ products, citing Java-related legal issues: users are going to be very exposed to viruses and bad stuff like that. Ottawa-based AssetMetrix Research Labs found that more than 80 percent of companies surveyed were still using Windows 98 and/or Windows 95.

“On January 16th, 2004, Microsoft Windows 98 enters the non-support portion of its support lifecycle. Windows 98 is considered obsolete, and security-based hot fixes will not be generally available for users of Windows 98 or Windows 98-Second Edition,” eWeek quoted Steve O’Halloran, managing director of AssetMetrix Research Labs, as saying.

This is daft. According to some reports, Microsoft doesn’t need to do all this until next September, raising suspicions that it’s just trying to make Sun — owner of Java — look like the evil wolf, and to force buying folk to migrate to XP. If any of this is true, I’d like to see Microsoft agree to provide security updates for at least Windows 98 users for as long as they can. I can’t see Sun, or the courts, objecting to that.