<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0" xml:base="http://www.messagingnews.com/archive/newswire">
  <channel>
    <title />
    <link>http://www.messagingnews.com/archive/newswire</link>
    <description />
    <language>en</language>
          <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/MessagingNewsMagazine" /><feedburner:info uri="messagingnewsmagazine" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
    <title>ShoreTel Dock Gives iPhones and iPads Desktop Phone Features</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/ANMzKkPR24c/shoretel-dock-gives-iphones-and-ipads-desktop-phone-features</link>
    <description>&lt;h3&gt;ShoreTel: &amp;#8220;Docking station enables employees to &amp;#8216;undesk&amp;#8217; their desk&amp;nbsp;phone.&amp;#8221;&lt;/h3&gt;
&lt;p&gt;&lt;iframe src="http://www.youtube.com/embed/4SMW7cZghKA?rel=0&amp;amp;autoplay=0&amp;amp;wmode=opaque" width="391" height="245" class="video-filter video-youtube vf-4smw7czghka" frameborder="0"&gt;&lt;/iframe&gt;&lt;/p&gt;
&lt;p&gt;Yesterday, &lt;a href="http://www.shoretel.com/"&gt;ShoreTel&lt;/a&gt; announced&amp;nbsp;&lt;a href="http://www.shoretel.com/products/ip_phones/ShoreTel_Dock.html"&gt;ShoreTel Dock&lt;/a&gt;, a docking station for iPhones and iPads that gives them the functionality traditionally associated with desk phones. While there has been a lot of development in mobile device management and in apps that let mobile devices leverage business cloud services, actually enhancing the devices themselves to address some of the pain points business users face when migrating from desk phones has been&amp;nbsp;neglected.&lt;/p&gt;
&lt;p&gt;Users slide iPhones and iPads running ShoreTel’s Mobility app into the dock and get the comfort of a regular phone handset for making longer calls, improved speakerphone capabilities, and improved call quality. The dock also charges the phone, so employees have a full battery when they leave the office. Instant messaging (IM), presence and conferencing are enhanced by ShoreTel conferencing&amp;nbsp;applications.&lt;/p&gt;
&lt;p&gt;Pejman Roshan, ShoreTel VP of product management, says: &amp;#8220;We didn&amp;#8217;t try to change or replace devices users already love, but instead enabled those same devices with enterprise UC to give end users a dynamic productivity tool that supports their own work&amp;nbsp;rhythm.&amp;#8221;&lt;/p&gt;
&lt;p&gt;Since ShoreTel Mobility works over both Wi-Fi and cellular, users can be reached on their same extension whether they are working at their office or at home. The ShoreTel Dock is planned to be available Q3 2013 for both premises-based and cloud platforms. The announced version of the dock works with older-version iOS devices, but a lightning-pin adapter version is expected, as is an eventual version for Android-based devices, although the wide variety of form factors and manufacturers for Android-based devices could make that a bigger&amp;nbsp;challenge.&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/author/steve-maxey">Steve Maxey</category>
 <category domain="http://www.messagingnews.com/cloud-computing">Cloud Computing</category>
 <category domain="http://www.messagingnews.com/iphone">iPhone</category>
 <category domain="http://www.messagingnews.com/ipad">iPad</category>
 <category domain="http://www.messagingnews.com/managed-it-services">Managed IT Services</category>
 <category domain="http://www.messagingnews.com/mobile-devices">Mobile Devices</category>
 <pubDate>Tue, 07 May 2013 19:58:12 +0000</pubDate>
 <dc:creator>Steve Maxey</dc:creator>
 <guid isPermaLink="false">140271 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/shoretel-dock-gives-iphones-and-ipads-desktop-phone-features</feedburner:origLink></item>
  <item>
    <title>Messaging Security 2012: Experts Offer Advice on Where to Place Focus This Year</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/Swf_qEz8pzs/messaging-security-2012-experts-offer-advice-where-place-focus-year</link>
    <description>&lt;div class="clearfix"&gt;
&lt;p&gt;In preparation for &lt;a href="http://www.rsaconference.com/events/2012/usa/"&gt;RSA Conference 2012&lt;/a&gt;, happening in San Francisco&amp;#8217;s Moscone Center all this week, &lt;em&gt;Messaging News&lt;/em&gt; asked a few industry insiders for a response to this question: “If an organization could only focus on one security-oriented thing or issue in 2012, what should that be?” The answers were varied and insightful, and as expected influenced by the responder&amp;#8217;s company specialty. Nevertheless, the below is good information and offers thoughtful considerations for an organization to use as a checklist for this&amp;nbsp;year.&lt;/p&gt;
&lt;/div&gt;
&lt;div class="clearfix"&gt;
&lt;h2&gt;Protect&amp;nbsp;Data&lt;/h2&gt;
&lt;p&gt;&lt;img style="float: left; margin-left: 10px; margin-right: 10px;" src="/sites/default/files/thielens-j.jpg" alt="John Thielens, Chief Security Officer, Axway" width="100" height="116" /&gt;“The twin pressures of consumerization and cloud should place data security initiatives at the top of the corporate security agenda for 2012. We’ve known for a few years now that the network-based security model breaks down, whether through endpoint leaks through USB flash drives, or files forwarded through email or Skype. New, cloud-based models for collaborating on content may make desktop or device-based manipulation of files obsolete, reducing an organization’s need to control those devices. So organizations should embrace the cloud and the paradigm shift in collaboration&amp;#8212;and focus on protecting data, not networks and devices.” &lt;br /&gt;&amp;#8212;John Thielens, Chief Security Officer, &lt;a href="http://www.axway.com"&gt;Axway&lt;/a&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;div class="clearfix"&gt;
&lt;h2&gt;Prepare for&amp;nbsp;Breaches&lt;/h2&gt;
&lt;p&gt;&lt;img style="float: left; margin-left: 10px; margin-right: 10px;" src="/sites/default/files/levy-j.jpg" alt="Joe Levy, Chief Technology Officer, Solera Networks" width="101" height="116" /&gt;“Rather than trying to predict what the next big security event is going to be, my advice is to prepare for the unpredictable. This means accepting that irrespective of the necessary investments we make in preventative security technologies, breaches will occur, and organizations of all sectors and sizes should prepare to deal with them. Effective incident response for the purpose of damage control and remediation can make the difference between a manageable and a devastating security event. The emerging class of network security analytics platforms with data retention and efficient data mining capabilities provides the sort of historical visibility that is key to such&amp;nbsp;preparation.&lt;/p&gt;
&lt;p&gt;Bottom line, any operation with valuable information system assets should invest in the ability to really understand what&amp;#8217;s entering and exiting their networks, to ascertain with confidence the scope of a breach, and to respond quickly and intelligently to security incidents of any sort.”&lt;br /&gt;&amp;#8212;Joe Levy, Chief Technology Officer, &lt;a href="http://www.soleranetworks.com/"&gt;Solera&amp;nbsp;Networks&lt;/a&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;div class="clearfix"&gt;
&lt;h2&gt;Have Data-Centric&amp;nbsp;Security&lt;/h2&gt;
&lt;p&gt;&lt;img style="float: left; margin-left: 10px; margin-right: 10px;" src="/sites/default/files/bower-m.jpg" alt="Mark Bower, Vice President Product Management, Voltage Security, Inc." width="100" height="116" /&gt;“The number one goal needs to be protecting data, and leveraging a data-centric strategy. In a borderless enterprise, there is no perimeter in the traditional sense&amp;#8212;data is the new perimeter. And if data isn’t protected, hackers will steal it. History has shown that traditional defenses can be bypassed, and once inside, it’s fair game. Breach after breach proves this. So protect the data; if the systems are breached, the hackers will have nothing of value.”&lt;br /&gt;&amp;#8212;Mark Bower, Vice President Product Management, &lt;a href="http://www.voltage.com/"&gt;Voltage Security,&amp;nbsp;Inc.&lt;/a&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;div class="clearfix"&gt;
&lt;h2&gt;Implement&amp;nbsp;DMARC&lt;/h2&gt;
&lt;p&gt;&lt;img style="float: left; margin-left: 10px; margin-right: 10px;" src="/sites/default/files/raskin-d.jpg" alt="Daniel Raskin, Vice President of Marketing, Agari" width="100" height="116" /&gt;“Stop email identity theft. Data theft malware is the weapon of choice for the most damaging attacks, and targeted phishing is the number one propagation method. Thirty years after SMTP, a new email standard, DMARC, has been published to put an end to these types of attacks. The new Domain-based Message Authentication, Reporting and Conformance (DMARC) standard is a framework for protecting email at the domain level so criminals can&amp;#8217;t spoof a legitimate email sender&amp;#8217;s domain for phishing or other malicious purposes. Be sure to implement DMARC.”&lt;br /&gt;&amp;#8212;Daniel Raskin, Vice President of Marketing, &lt;a href="http://agari.com/"&gt;Agari&lt;/a&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;div class="clearfix"&gt;
&lt;h2&gt;Get Complete Network&amp;nbsp;Visibility&lt;/h2&gt;
&lt;p&gt;&lt;img style="float: left; margin-left: 10px; margin-right: 10px;" src="/sites/default/files/markovich-r.jpg" alt="Rob Markovich, Senior Vice President of Sales and Marketing, VSS Monitoring" width="100" height="116" /&gt;“One of the most important security concerns for organizations in 2012 is to ensure that their network intelligence tools can keep up with new and evolving cyber threats&amp;#8212;a problem exacerbated by ever-increasing network speeds and the explosive traffic growth driven by Big&amp;nbsp;Data.&lt;/p&gt;
&lt;p&gt;Over the next year, organizations must find new ways to get multiples more out of their network intelligence tools&amp;#8212;including the ability to accelerate their security information intelligence by gaining complete network visibility across logical and cloud boundaries.”&lt;br /&gt;&amp;#8212;Rob Markovich, Senior Vice President of Sales and Marketing, &lt;a href="http://www.vssmonitoring.com/"&gt;VSS&amp;nbsp;Monitoring&lt;/a&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;div class="clearfix"&gt;
&lt;h2&gt;Secure&amp;nbsp;Passageways&lt;/h2&gt;
&lt;p&gt;&lt;img style="float: left; margin-left: 10px; margin-right: 10px;" src="/sites/default/files/zhang-h.jpg" alt="Dr. Hongwen Zhang, Chief Executive Officer, Wedge Networks" width="100" height="116" /&gt;“The content transport layer of the networks is the most vital passage that needs to be secured in order to prevent breaches. The organization needs to make sure that this passage is secure so that no malicious attacks can get in; and no confidential information can leak out. For this to be a reality, organizations need to have the confidence in the underlying technology platform: no degradation to the end-user experience, no massive reengineering of the current infrastructure and the peace of mind that there are no unsecured passageways: not just email-only, web-only, Windows-only or Android-only.&amp;#8221;&lt;br /&gt;&amp;#8212;Dr. Hongwen Zhang, Chief Executive Officer, &lt;a href="http://www.wedgenetworks.com/"&gt;Wedge&amp;nbsp;Networks&lt;/a&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;div class="clearfix"&gt;
&lt;h2&gt;Get Back to&amp;nbsp;Fundamentals&lt;/h2&gt;
&lt;p&gt;&lt;img style="margin-left: 10px; margin-right: 10px; float: left;" src="/sites/default/files/nachreiner-c.jpg" alt="Corey Nachreiner, Director of Security Strategy, WatchGuard Technologies, Inc." width="99" height="116" /&gt;“Vince Lombardi, a famous American football coach for the Green Bay Packers, was known for believing that basic blocking and tackling, the fundamentals of football, would win more games than fancy strategies. The same applies to information and network&amp;nbsp;security.&lt;/p&gt;
&lt;p&gt;In 2011, many organizations were breached. In many of these cases, diligently following security best practices (the fundamentals) could have prevented these breaches. Defense in depth, or building multiple layers of security, such as an application-layer firewall, antivirus, and IPS, is one of the most practical and beneficial best practices. In 2012, getting back to the fundamentals will be instrumental in network protection.”&lt;br /&gt;&amp;#8212;Corey Nachreiner, Director of Security Strategy, &lt;a href="http://www.watchguard.com/"&gt;WatchGuard Technologies,&amp;nbsp;Inc.&lt;/a&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;div class="clearfix"&gt;
&lt;h2&gt;Manage Device&amp;nbsp;Proliferation&lt;/h2&gt;
&lt;p&gt;&lt;img style="float: left; margin-left: 10px; margin-right: 10px;" src="/sites/default/files/rice-r.jpg" alt="Russell Rice, Security Director of Product Management, Cisco Systems, Inc." width="101" height="116" /&gt;“Recognize and meet the challenges of device proliferation accelerating within and beyond corporate networks. Organizations that embrace the trend can empower a uniquely productive mobile workforce, while ensuring that core assets&amp;#8212;the network, applications, and data&amp;#8212;remain secure and in their&amp;nbsp;control. &lt;/p&gt;
&lt;p&gt;IT organizations need a broad policy-based approach to security to seamlessly and intelligently enable the right user on the right device to access the right resources. Both the explosion of new devices and ongoing innovation demand a security architecture flexible enough to address today’s critical issues and adapt to a future of rapidly multiplying possibilities.” &lt;br /&gt;&amp;#8212;Russell Rice, Security Director of Product Management, &lt;a href="http://www.cisco.com/"&gt;Cisco Systems,&amp;nbsp;Inc.&lt;/a&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;div class="clearfix"&gt;
&lt;h2&gt;Upgrade Browsers, Adopt&amp;nbsp;DMARC&lt;/h2&gt;
&lt;p&gt;&lt;img style="float: left; margin-left: 10px; margin-right: 10px;" src="/sites/default/files/spiezle-c-sized.jpg" alt="Craig Spiezle, Executive Director, Founder and Chief Executive Officer, Online Trust Alliance" width="100" height="116" /&gt;“There is no single security silver bullet, but there are solutions that can provide immediate impact. Businesses need to upgrade employees and users to modern browsers as the first line of defense. Today’s &lt;a href="https://otalliance.org/browser"&gt;browsers&lt;/a&gt; offer significant innovation analyzing the reputation of sites, content and downloads. Second, as spoofed and forged email continues to grow as a distribution mechanism for malware, bots and phishing, the value of inbound and outbound email authentication has been heightened. &lt;a href="https://otalliance.org/dmarc.html"&gt;DMARC&lt;/a&gt; takes this to the next level to help protect your brand, domain and customers. These solutions are free and available today. Failure to do both is bad for your business, your employees and your users.”&lt;br /&gt;&amp;#8212;Craig Spiezle, Executive Director, Founder and Chief Executive Officer, &lt;a href="https://otalliance.org/"&gt;Online Trust&amp;nbsp;Alliance&lt;/a&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;div class="clearfix"&gt;
&lt;h2&gt;Have a Layered Security&amp;nbsp;Plan&lt;/h2&gt;
&lt;p&gt;&lt;img style="float: left; margin-left: 10px; margin-right: 10px;" src="/sites/default/files/smith-j.jpg" alt="Joel Smith, Co-Founder and Chief Technology Officer, AppRiver" width="100" height="116" /&gt;“It may sound like a bit of a cop out, but my &amp;#8216;one security thing’ is to adopt a layered cyber-security strategy. From what we&amp;#8217;ve seen over the past couple of years&amp;#8212;mobile malware, targeted malware, social networking scams and other sophisticated attacks&amp;#8212;it&amp;#8217;s pretty clear that businesses have to defend their data on every front. You have to have security measures in place to detect and respond to threats in real time. A layered security plan is one that incorporates data loss prevention, intrusion prevention and detection systems, anti-malware, antivirus, firewalls and awareness training for staff. It&amp;#8217;s only when companies put these systems into place&amp;#8212;and commit to keeping them updated&amp;#8212;that organizations are responsibly and realistically protected.”&lt;br /&gt;&amp;#8212;Joel Smith, Co-Founder and Chief Technology Officer, &lt;a href="http://www.appriver.com/"&gt;AppRiver&lt;/a&gt;&lt;/p&gt;
&lt;/div&gt;</description>
     <category domain="http://www.messagingnews.com/author/stephanie-jordan">Stephanie Jordan</category>
 <category domain="http://www.messagingnews.com/messaging-security">Messaging Security</category>
 <pubDate>Mon, 27 Feb 2012 08:25:09 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">86046 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/messaging-security-2012-experts-offer-advice-where-place-focus-year</feedburner:origLink></item>
  <item>
    <title>Email Accountability: A Vision Worth Pursuing?</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/YjovA4qG4eA/email-accountability-vision-worth-pursuing</link>
    <description>&lt;p&gt;&lt;em&gt;Plain talk about our commitment to safe and secure messaging in&amp;nbsp;email&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The virtually free and anonymous nature of email has frustrated its use by legitimate marketers since the earliest days of the medium. From the point where email achieved critical mass (sufficient adoption for reach and revenue), the bad guys have been exploiting the enormous potential of email as well as its weaknesses for their greater profit, or illicit gain. Spam, spoofing and a host of other negligent, abusive and criminal behaviors all come from the lure of lots of money made at very low cost and with little risk of being stopped or caught; it’s a compelling value proposition for the bad guys, and one that we must change to preserve the integrity of&amp;nbsp;email.&lt;/p&gt;
&lt;p&gt;Of course, the ISPs have been waging war on the bad guys for many years now. And it&amp;#8217;s been their efforts to shield customers from schemes perpetrated by the bad guys that’s led to the challenges with email deliverability for the good guys. Yet more critical than the collateral damage done to the good guys is a key question: can the war be won without fundamentally altering the bad guys’ value proposition? I’d suggest not, and to date, the key enablers of their business model&amp;#8212;low cost and anonymity&amp;#8212;remain intact, and so their motivation to make a lot of money still holds sway. Not surprising then, the war continues to rage in a point/counterpoint game of escalating technical sophistication and&amp;nbsp;imagination.&lt;/p&gt;
&lt;p&gt;In this article, I connect the two issues&amp;#8212;cost and anonymity&amp;#8212;and discuss them in the context of an industry-wide solution for Email Accountability that establishes identity, imposes cost and improves the email ecosystem for the benefit of all stakeholders, including you as an email marketer. Or rather, I want to talk about our collective commitment to an industry solution that&amp;#8217;s been hanging around incomplete for over seven years&amp;#8212;50 years in dog time, an &lt;em&gt;eternity&lt;/em&gt; in Internet&amp;nbsp;time.&lt;/p&gt;
&lt;h2&gt;The Price of&amp;nbsp;Anonymity&lt;/h2&gt;
&lt;p&gt;There’s no question that ‘free’ incents (or at least enables) behaviors in email that wouldn&amp;#8217;t be feasible in another, more costly medium (direct mail, for example). Cost can definitely function as a constraint even when a marketer’s actions aren’t constrained by his own conscience or respect for the customer. I guess ‘spammer’ is the right term for such a marketer in email, if not called&amp;nbsp;worse.&lt;/p&gt;
&lt;p&gt;The lack of identity in email feeds this behavioral problem in a major way&amp;#8212;it allows the bad guys to get away with their misbehaviors. And the same thing holds when you graduate from spam to more malicious schemes where the intent is truly criminal. Regardless of the degree of ‘badness,’ anonymity is the bad guy’s shield from being held accountable. And ‘getting away with it’ is a potent motivator when coupled with the big bucks to be&amp;nbsp;made.&lt;/p&gt;
&lt;p&gt;What does allowing the bad guys to ‘get away with it’ mean to&amp;nbsp;you?&lt;/p&gt;
&lt;p&gt;As a legitimate email marketer, it means your bottom line takes a hit whenever your email gets caught up in the ongoing battle between the ISPs and bad guys. It means you sometimes can’t get relevant email delivered to your own customers or properly targeted prospects. It means you suffer a potentially huge brand and opportunity loss. That’s true, even if you put aside all the frustrations and headaches, diversions of time and technical resources that go into managing deliverability and recovering from the occasional train&amp;nbsp;wrecks.&lt;/p&gt;
&lt;p&gt;Yes, you, email marketer, bear a heavy cost for us allowing anonymity to shield the bad guys from accountability. And I’d suggest that your only recourse is to fight anonymity with clear, persistent and unambiguous identity. Proper identity credentials are what enable you to differentiate yourself from the bad guys, assert that you’re a reputable sender (good guy) and for the ISPs to accept those assertions. Without such credentials, how do the ISPs know that you are whom you say and not just someone spoofing&amp;nbsp;you?&lt;/p&gt;
&lt;p&gt;If this is all true, why haven’t brands universally adopted email identity standards? And for that matter, why aren’t ISPs universally checking email identity credentials and acting on what they check? Because what good does it do if you fully and properly disclose your identity when the ISPs don’t bother to check or&amp;nbsp;act?&lt;/p&gt;
&lt;h2&gt;You First. No, After&amp;nbsp;You.&lt;/h2&gt;
&lt;p&gt;The answers to these questions come down to one thing&amp;#8212;adoption. Brands don’t adopt identity standards because they don’t see the risks and rewards of doing so, partly because the ISPs don’t strictly enforce them. And ISPs don’t strictly enforce the standards because adoption by brands hasn’t reached critical&amp;nbsp;mass.&lt;/p&gt;
&lt;p&gt;Am I overdrawing this chicken/egg situation a bit? Yes, but it’s pretty much where things are at&amp;#8212;and where they’ve been for some time now. Despite the best efforts of the Online Trust Alliance (OTA), Email Sender &amp;amp; Provider Coalition (ESPC), Direct Marketing Association (DMA) and other industry groups to push the email authentication agenda, we’re stalled in implementing this critical component to our vision for Email Accountability. So maybe it’s time to revisit that vision and ask ourselves: “Do we have it&amp;nbsp;right?”&lt;/p&gt;
&lt;p&gt;When I speak of &lt;em&gt;Identity&lt;/em&gt;, my frame of reference is what was envisioned in Project Lumos years ago as the conceptual blueprint for &lt;a href="http://www.espcoalition.org/Project_Lumos_White_Paper.pdf"&gt;Email Accountability&lt;/a&gt;. [PDF] It was the genesis, at least in part, for the authentication protocols and reputation systems that subsequently&amp;nbsp;emerged.&lt;/p&gt;
&lt;p&gt;In Lumos, &lt;em&gt;Identity&lt;/em&gt; and &lt;em&gt;Accountability&lt;/em&gt; were seen as interlocking principles, but it was recognized that Identity had to come first for a simple reason: you can’t hold people accountable for their actions if you don’t know who they are. But Lumos postulated that if you could identify the good guys, it would then be possible to isolate the bad, hold them accountable and impose a ‘cost’ that would destroy their business model. (The ‘cost’ would take the form of denied access (blocks) that would depress response to a point where spamming was no longer financially viable.) While email is very low cost, it’s not accurate to say it’s actually free&amp;#8212;even for a spammer. But therein lies the rub. Since spamming can be highly profitable at incredibly low response rates, it takes broad adoption and strict enforcement of the authentication protocols to impact a spammer’s business model and for the benefits of an improved email ecosystem to&amp;nbsp;materialize.&lt;/p&gt;
&lt;p&gt;I’ve always felt this vision for Email Accountability was a pretty nifty one for choking off spam. But of course, our environment has changed since Lumos was proposed&amp;#8212;it’s become much more dangerous. Now we have extremely targeted illicit schemes to deal with, such as phishing and spear phishing. Yet, the monetary motivation is the same and today’s bad guys are enabled by the same email weaknesses&amp;#8212;anonymity and cost. For phishers, anonymity is achieved by masquerading as legitimate brands, and it’s that identity spoofing that makes company employees and customers alike vulnerable to exploitation. And all that’s made possible because senders aren’t authenticating their email, receivers aren’t checking or both. So by the time a phishing scheme is discovered, it’s usually too late. The assets have been stolen and the perpetrator has moved on, often using those assets in new, more dangerous exploits. The cost is low because phishing schemes are inexpensive to launch and the risk of being caught is low&amp;nbsp;too.&lt;/p&gt;
&lt;p&gt;And this brings us back to the problem at hand&amp;#8212;achieving the levels of adoption and enforcement required to make authentication work. How many years have we been discussing this topic? Yet, as the OTA notes in its May report, while 56% of sampled entities apply SPF and/or DKIM, “the volume of authenticated mail sent from these domains is estimated to be significantly lower due to inconsistent adoption across all domains, sub-domains and mailstreams” thereby limiting the value of authentication in brand and consumer protection. The &lt;a href="//localhost/news/releases/2011scorecard.html"&gt;OTA report&lt;/a&gt; also confirms that ISP enforcement remains limited at&amp;nbsp;best.&lt;/p&gt;
&lt;h2&gt;Authentication: Its Time Has&amp;nbsp;Come&lt;/h2&gt;
&lt;p&gt;I believe that it’s well past time for our industry&amp;#8212;senders and receivers alike&amp;#8212;to implement email authentication as the first step toward true accountability. And implementation means full and consistent compliance by senders, and, most importantly, more than ‘wink and nod’ enforcement by receivers. Enforcement must mean that receivers routinely check and block senders who don’t comply with the authentication protocols, whether their reputations warrant acceptance of their mail or not. Period. No&amp;nbsp;exceptions.&lt;/p&gt;
&lt;p&gt;I know this may seem like an extreme position for a marketer to take, but I have three good reasons for&amp;nbsp;it.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;First&lt;/strong&gt;, all players in our ecosystem have a big stake in winning this war against the bad guys. But to win the war, they must first join the war&amp;#8212;and I’m speaking here to my marketing colleagues at enterprises and service providers. Up to now, their primary motivation in supporting authentication has been the deliverability of their own email. However, recent breaches should convince them that they have much more at stake than mere collateral damage. The war has shifted, expanded. The customers, employees and assets of enterprises and services providers are now being targeted too&amp;#8212;and more often than not, email is the vehicle of access and exploitation with cost and anonymity being the key&amp;nbsp;drivers.&lt;/p&gt;
&lt;p&gt;What does this mean? Just in case you missed the inference in my use of the generic term ‘receiver,’ let me be clear: &lt;em&gt;enforcement isn’t an issue for just ISPs anymore&lt;/em&gt;. With all the exploits being directed at enterprises and service providers, everyone needs to be both authenticating their outbound email and blocking email that fails their inbound checks. The stakes are too high not to do so. Authentication is not only central to safeguarding our individual companies, but also to the integrity of our ecosystem&amp;#8212;the way we interact with each other and conduct business together. And all stakeholders have a highly vested interest in protecting that. Senders and receivers must close ranks, aggressively pursue the bad players together, and give them no quarter by stripping them of their anonymity and imposing the ultimate cost on their operations&amp;#8212;put them out of&amp;nbsp;business.&lt;/p&gt;
&lt;p&gt;Admittedly, email authentication won’t solve all the data and network security problems plaguing our industry at the moment. There’s much more that will need to be done. Nonetheless, authentication is an essential plank in a broader security platform that will solve these problems. Because by establishing identity and imposing a cost, we can shut down the use of email as a transport agent for unwanted messages and those that might carry malicious code targeting companies and their customers. And that’s certainly essential to maintaining consumer trust and confidence in the integrity of email for safe communication and&amp;nbsp;commerce.&lt;/p&gt;
&lt;p&gt;And this leads to the &lt;strong&gt;second&lt;/strong&gt; reason for my position. It relates to the great promise of Email Accountability&amp;#8212;an improved ecosystem. It’s a promise that’s as compelling today as it was years ago when Lumos was first proposed, namely an ecosystem that would enhance the experience for customers &lt;em&gt;and&lt;/em&gt; ensure the reliable delivery of email for the legitimate marketers who’ve long suffered collateral damage in the ongoing fight and are now incurring direct financial and brand damage. To me that promise is worth the&amp;nbsp;pursuit.&lt;/p&gt;
&lt;p&gt;My &lt;strong&gt;third&lt;/strong&gt; and final reason stems from concern for the future of digital communication beyond email. If the history of direct marketing teaches us anything, it’s that the bad guys are opportunists. They follow the media adoption curve&amp;#8212;junk mail, phone scams, email abuse&amp;#8212;because that’s where the money is. It’s easy to see what’s next. What form will abuse take in an increasingly mobile, multi-channel digital messaging environment? That’s a scary thought. But scarier still is what our inability to solve today’s problem in email says about our readiness to tackle this greater&amp;nbsp;challenge.&lt;/p&gt;
&lt;p&gt;So why don’t we get on with it? Let’s get serious about achieving our vision of Email Accountability. There’s no better time than now since ‘safe and secure’ messaging is very much part of the whole data security debate. And no better place than the upcoming &lt;a href="//localhost/events/2011_Forum/2011Forum.html"&gt;OTA Forum&lt;/a&gt; to join with others of like&amp;nbsp;mind.&lt;/p&gt;
&lt;p&gt;Either that, or let’s admit our vision for Email Accountability is unachievable or fatally flawed, and rethink what our vision should be. We’ve lived in limbo land long enough. This can’t be our permanent&amp;nbsp;residence.&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/author/dave-lewis-cmo-message-systems-0">Dave Lewis—CMO; Message Systems</category>
 <category domain="http://www.messagingnews.com/it-security">IT Security</category>
 <category domain="http://www.messagingnews.com/messaging-security">Messaging Security</category>
 <category domain="http://www.messagingnews.com/online-marketing">Online Marketing</category>
 <category domain="http://www.messagingnews.com/email-marketing">Email Marketing</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/internet-security">Internet Security</category>
 <category domain="http://www.messagingnews.com/authentication">Authentication</category>
 <category domain="http://www.messagingnews.com/spam-filtering">Spam Filtering</category>
 <category domain="http://www.messagingnews.com/anti-phishing">Anti-Phishing</category>
 <category domain="http://www.messagingnews.com/e-marketing">E-Marketing</category>
 <pubDate>Fri, 07 Oct 2011 08:21:01 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">64416 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/email-accountability-vision-worth-pursuing</feedburner:origLink></item>
  <item>
    <title>The Newest Kids on the Group Chat Playground</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/0gIeLnhj0ek/newest-kids-group-chat-playground</link>
    <description>&lt;p&gt;Unable to join the hordes of lucky attendees at &lt;a href="http://sxsw.com/" target="_blank"&gt;South by Southwest&lt;/a&gt; (SXSW), the Austin, Texas technology and music festival, I decided to placate myself by looking into news of what new must-have things I am missing out on. I now know that I &lt;em&gt;need&lt;/em&gt; a group chat app. There is no shortage of upstarts developing ever-cooler apps to help us simplify our always-connected world. This is good. Too many communications choices end up overwhelming everyone and undervaluing the technology. Group chat is simple, it allows multiple people to participate in the same conversation on a mobile phone, like a group chat room or text only “conference call&amp;#8221;. The most promising apps have already garnered national coverage. Among the free and nearly free standouts are: &lt;a href="http://belugapods.com/"&gt;Beluga&lt;/a&gt;, &lt;a href="http://kik.com/"&gt;Kik&lt;/a&gt;, &lt;a href="http://www.textplus.com/"&gt;TextPlus&lt;/a&gt;, &lt;a href="http://fastsociety.com/"&gt;FastSociety&lt;/a&gt;, &lt;a href="http://www.pingchat.com/"&gt;PingChat&lt;/a&gt;, &lt;a href="http://www.groupme.com"&gt;GroupMe&lt;/a&gt;, and &lt;a href="http://www.yobongo.com"&gt;Yobongo&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Each is different and which one you choose will depend on your preferences for usability, speed, and functionality. Beluga, Kik, GroupMe, TextPlus, and PingChat enable you to create a chat session and invite the people who will attend. Yobongo allows its users to join a group chat with nearby people, say, if you are actually at SXSW and don’t want to eat dinner alone. This would be great at a conference when you want to arrange an impromptu collaborative knowledge dump or debate over the hottest new&amp;nbsp;whatsit.&lt;/p&gt;
&lt;p&gt;San Francisco-based Yobongo released its app the week &lt;em&gt;prior&lt;/em&gt; to SXSW to ensure maximum exposure and leverage, because everyone knows that if you are looking to be the next best thing, you have to see and be seen at SXSW. The company says it already has tens of thousands of users, so it seems to be on its way to becoming part of our cultural&amp;nbsp;lingo.&lt;/p&gt;
&lt;p&gt;On the About page, Yobongo is described as a new way for people to communicate with people nearby. They believe connecting with people in the real world is much harder than it should be and I agree! Actually, I think it’s way too easy to connect with too &lt;em&gt;many&lt;/em&gt; people. That’s my real issue. By giving people the opportunity to connect with other like-minded people Yobongo hopes to help foster authentic communications about everything and anything. Do you see the gleam in the eyes of the marketing department over at Big Brands? GroupMe is open to allowing advertisers to show user-specific ads that veer toward local activities or coupons. The company is angling to be the app of choice for Coachella and Bonnaroo. Who wants to be out of touch at a big music festival? There’s nothing worse than losing Bonnie in the nacho&amp;nbsp;line!&lt;/p&gt;
&lt;p&gt;Don’t think that the big boys aren’t paying attention to these scene newbies, because you know they are. In fact, it seems that Facebook was paying attention before we even knew there was something to pay attention to. They acquired Beluga (which is the brainchild of former Googlers) in March. The different group chat sessions are called &amp;#8220;belugapods&amp;#8221; and a cheery whale is the logo. Do you think it&amp;#8217;s the same whale that Twitter birds are seen carrying away in a net when their system gets bogged down? Although that whale is not cheerful. The iconography of it all is very confusing to&amp;nbsp;me!&lt;/p&gt;
&lt;p&gt;Anyway, Salesforce.com’s Chatter is the same in theory, but totally different. By the very essence that it’s a big company it’s not “cool”, despite the spend on Will.i.am at the Superbowl. However, they, too, could tweak their product and if Bieber uses it, you know I’m&amp;nbsp;downloading!&lt;/p&gt;
&lt;p&gt;Why would you need group chat when you can just mass post to Facebook or have a meaningful Twitter-stream of consciousness with all 800 of your followers? Exactly. That’s why. You have too many friends and followers. GroupMe limits your fellow conversationalists to 25 at a time. You can be 1 of the 25 in 600 different convos if you like, but they try to keep it&amp;nbsp;simple.&lt;/p&gt;
&lt;p&gt;Oh, I can’t wait to see what will happen next in the group chat&amp;nbsp;arena!&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/category/authors/melisa-labancz-bleasdale">Melisa LaBancz-Bleasdale</category>
 <category domain="http://www.messagingnews.com/twitter-enterprise">Twitter for Enterprise</category>
 <category domain="http://www.messagingnews.com/facebook-business">Facebook for Business</category>
 <category domain="http://www.messagingnews.com/instant-messaging">Instant Messaging</category>
 <category domain="http://www.messagingnews.com/social-business">Social Business</category>
 <category domain="http://www.messagingnews.com/mobile-devices">Mobile Devices</category>
 <category domain="http://www.messagingnews.com/tag/beluga">Beluga</category>
 <category domain="http://www.messagingnews.com/tag/chatter">Chatter</category>
 <category domain="http://www.messagingnews.com/tag/fastsociety">fastsociety</category>
 <category domain="http://www.messagingnews.com/tag/group-chat">group chat</category>
 <category domain="http://www.messagingnews.com/tag/groupme">groupme</category>
 <category domain="http://www.messagingnews.com/tag/kix">kix</category>
 <category domain="http://www.messagingnews.com/tag/salesforcecom">Salesforce.com</category>
 <category domain="http://www.messagingnews.com/tag/sxsw">SXSW</category>
 <category domain="http://www.messagingnews.com/tag/textplus">textplus</category>
 <category domain="http://www.messagingnews.com/tag/yobongo">yobongo</category>
 <pubDate>Mon, 14 Mar 2011 03:37:44 +0000</pubDate>
 <dc:creator>Melisa LaBancz-Bleasdale</dc:creator>
 <guid isPermaLink="false">30924 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/newest-kids-group-chat-playground</feedburner:origLink></item>
  <item>
    <title>What to Focus on in 2011: Web Security, Outbound Controls, Social Media Security, and Next Generation Threats</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/_VYBVyaZiRI/what-focus-2011-web-security-outbound-controls-social-media-security-and-next-generation-threa</link>
    <description>&lt;p&gt;Although economists and other experts believe we are seeing light at the end of the recession tunnel, and IDC analysts expect IT spending to resume in 2011, we nevertheless still need to be very careful with our resources this year. If we are to be wise in the outlook for 2011, what should we be focusing on? This is the question that was put to several messaging insiders and the responses are as varied as the messaging field itself. How best to prepare for the road just up ahead? While it depends on a number of variables and there is no one-size-fits-all answer, presented here are a few thoughts on what to expect or what to think about this year in messaging. (Also see the related story “&lt;a href="/story/what-focus-2011-road-ahead"&gt;What to Focus on in 2011: The Road Ahead&lt;/a&gt;” for more views from messaging&amp;nbsp;insiders.)&lt;/p&gt;
&lt;h3&gt;Social Media and Web&amp;nbsp;Security&lt;/h3&gt;
&lt;p&gt;When Facebook emerged several years ago it was a common strategy to simply block the site. Today, the site is mainstream, and while it may or may not be right for marketing your company, you can bet a lot of your employees are on it. “One of the most popular questions from businesses around Web security is how to control Facebook specifically,” observes Paul Judge, chief research officer for &lt;a href="http://www.barracudanetworks.com/"&gt;Barracuda Networks, Inc&lt;/a&gt;. Judge notes that the types of questions are evolving. “A year ago people would ask: ‘Can you block Facebook?’ Now, we get more complex questions, such as: ‘Can you allow Facebook, but block chat? Can you allow Facebook, but block access to FarmVille during business hours?’ Just this week a customer asked about allowing access to fan pages, but not personal people&amp;nbsp;pages.”&lt;/p&gt;
&lt;p&gt;Judge goes on to say that responding to administrators and management that ask for more complete ways to control Facebook and how to create specific policies around Facebook that allow people to use it in limited ways has resulted in changes in their product line. “We have been adding a lot of functionality in the last six months,” he says noting that others in the Web security space have been doing the same. “We have seen Web security go from ‘control my users’ back five or six years ago attempting to keep people from going to porn sites and sports sites. Then it morphed to threat protection, AJAX protection, JavaScript protection and now we are once again seeing requests about control, but it is around the social&amp;nbsp;networks.”&lt;/p&gt;
&lt;p&gt;Getting granular with Facebook is probably the better approach, over trying to shut down the application. With the popularity of Facebook, many companies are using the application as part of their marketing efforts and as such people within the organization need access. “It has been all too easy for security folks to take a rigid stance on a lot of things that are blocked at the corporate level and just denied,” says Tim Helming, director of product management for &lt;a href="http://www.watchguard.com/"&gt;WatchGuard Technologies, Inc.&lt;/a&gt; “However, it is getting to be where ‘no’ isn’t always the right answer. With something like Facebook, for example, most companies don’t want their employees wasting a lot of time at work just looking up Facebook and sending photos to their friends.” Helming says companies need to be able to control who can use it or during what hours or even getting more granular than that, doing things like controlling who can post to Facebook or use the games versus using the more basic functions. “That is going to become very important to organizations. These apps that were never designed for businesses are going to become a new reality, we are never going to go back to complete allow or&amp;nbsp;deny.”&lt;/p&gt;
&lt;p&gt;While the marketing advantages some companies have achieved with social media are very real, so are the possible threats. “We have spent a fair amount of time tracking malicious activity on social networks—especially Facebook and Twitter,” says Judge. “In the last year to year and a half, we have spent time analyzing behavior on Twitter network and also looking at how many accounts are legitimate and how attackers are evolving in how they try to use the network. We have recently done similar studies on Facebook.” Barracuda plans to announce the findings of these studies in February when it releases its 2010 Security&amp;nbsp;Report.&lt;/p&gt;
&lt;h3&gt;Search Engine&amp;nbsp;Malware&lt;/h3&gt;
&lt;p&gt;Another place to watch for next generation malware this year is search engines. According to Judge, Barracuda Labs is trying to quantify how much search engine malware is happening, and in particular study the types of topics that attackers are targeting most. Why target malware towards Google, Bing, Yahoo! and others? Barracuda Labs 2010 Midyear Security Report states that search volumes have reached new highs with 88 billion per month on Google sites, 24 billion per month on Twitter, 9 billion per month on Yahoo! sites and 4 billion per month on Microsoft sites. As the report notes, that is a lot of eyeballs. Judge reports that every day hundreds of pieces of malware are found simply by searching for popular terms, and that search engine ranking and optimization contribute to the attackers’&amp;nbsp;effectiveness.&lt;/p&gt;
&lt;h3&gt;Archiving&lt;/h3&gt;
&lt;p&gt;When money is tight even the things you might like to implement may not happen. One of the observations towards the end of last year, as the recession started to loosen its hold, and as we move into this year is a spike in the demand for archiving. “We saw a rapid increase in the number of customers that were purchasing message archiving solutions,” reports Steven Pao, vice president of product management with Barracuda Networks, Inc. “It’s been a largely predictable growing business for us, but we saw an initiation on the part of end customers beyond what we were pushing as a vendor. When we asked what was driving this, we’re told by customers that they had been deferring it.” Pao also suspects that enough time has elapsed where “poor email administrators have had to manually go through and hunt for messages” in response to Federal Rules of Civil Procedure (FRCP) and other similar mandates for document management and&amp;nbsp;retrieval.&lt;/p&gt;
&lt;h3&gt;Mobile&amp;nbsp;Devices&lt;/h3&gt;
&lt;p&gt;All experts agree that the prevalence and popularity of mobile devices will continue this year. The recommendation is to ensure that the device is as secure as if the user were in the office. “We have a number of customers coming to us asking how do I protect the iPads that I just launched to my marketing group, or my BlackBerry devices, so we have spent our time as it relates to mobile to get to the same level of security that you would have at your desk,” says&amp;nbsp;Judge.&lt;/p&gt;
&lt;p&gt;Securing devices is essential, agrees Julian Lovelock, senior director of product marketing for &lt;a href="http://www.actividentity.com/"&gt;ActivIdentity Corporation&lt;/a&gt;, which has primarily government, enterprise, healthcare, banking and high technology customers. “Wind the clock back 10 years, all those emails that the average government employee got came to their desktop. Today a good proportion of them, from the President down, are now coming in through BlackBerry, so securing mobile devices, as communication devices with all the same areas around encryption and signing is an area that we work heavily&amp;nbsp;on.”&lt;/p&gt;
&lt;p&gt;The device itself is growing into a security tool in its own right. Companies are finding the use of the mobile phone as a replacement to a credential you might otherwise carry—to get into the building, or to securely access the network when out of the office, etc. “I’m still communicating through a desktop whether it’s a Skype session, email or IM chat, but rather than use my smartcard to secure that communication, the credentials are managed through my mobile device, and I am using my mobile device to actually secure the communication from the desktop,” explains&amp;nbsp;Lovelock.&lt;/p&gt;
&lt;p&gt;In many ways the mobile device is perhaps more secure from loss than a token. “If we lose a token, we might not notice for a couple of days, if we lose our phone, we notice that within 20 minutes,” states Lovelock. “Because it’s a device of more importance to you, you notice it quicker.” Lovelock also points out that a phone is a device that is always connected. “I can remotely deactivate a phone in terms of it being used for security purposes, but I cannot remotely deactivate a token or a smartcard or other authentication methods. This is another reason why the mobile phone is actually more&amp;nbsp;secure.”&lt;/p&gt;
&lt;h3&gt;Multi-Platforms&lt;/h3&gt;
&lt;p&gt;In companies of all sizes IT organizations are struggling with the sheer variety of devices coming into the workplace. This year the expectation is that the diversity will continue, especially as employees bring in more media tablets. “iPad is making serious inroads into businesses,” states Helming. “For so many years tablets have been trying to push their way into organizations and up until lately, we have said ‘no thanks’ but now everybody wanted an iPad for Christmas and they are popping up&amp;nbsp;everywhere.”&lt;/p&gt;
&lt;p&gt;Helming goes on to say that all Apple products, not just the iPads but OS X in general have been widely adopted in businesses. “I would urge IT folks to take Apple security seriously. Apple OS has the most vulnerability, according to some of the security research I have seen. There has been this assumption—whether it has been tacit or explicit—that Apple is more secure than Windows or that it was less prone to attack. Boy, that is just not the case right now. It is so important to have good anti-virus and intrusion prevention at the gateway and also on the device itself. Taking Apple security seriously is paramount.” He also sees Android “growing like&amp;nbsp;mad.”&lt;/p&gt;
&lt;p&gt;One of the benefits of the multiple platform mobile device trend might be that malware writers may not show as much interest in targeting a specific maker. “We will see some big headlines that will get a lot of airplay,” predicts Lovelock. “In reality, with the proliferation of mobile platforms, we will not see malware on mobile phones because as a fraudster, there is no one single point to compromise that can get 90 percent of the users. Fraudsters will go to where the easiest targets are. If I can write a virus that will compromise 90 percent of the machines, I am going to focus on that. The cost/benefit analysis for investing time in writing a virus to compromise Android doesn’t look that appealing, because it only gets a relatively small proportion of the market. Yes, we will see some compromises. Yes, they will be high-profile because they make good headlines, but whether they actually represent substantial percent of the fraud in 2011, I doubt&amp;nbsp;it.”&lt;/p&gt;
&lt;p&gt;That’s not to say security is not needed. With so many new device types, not to mention traditional hardware in use today, security is still a major concern. What is the best way to secure a variety of platforms? “One thing that IT can do is ensure that the perimeter is equipped with the latest and greatest generations of security appliances and software,” says Helming. “Also, make sure access points within the organization are under IT control and you sweep for rogue access points. Be sure that those iPads and iPhones are associating to access points that IT controls and runs. Given the reality of so many non-corporate issued devices floating around, those are a few common sense kind of measures that IT can take to help get a handle on&amp;nbsp;security.”&lt;/p&gt;
&lt;p&gt;If there is a very limited budget for messaging security, Judge recommends that resources be put towards Web security and making sure that the laptops or mobile devices that leave the office are secured. “We are still seeing glaring holes,” he explains. “Many organizations have something in place for email, and many organizations have some appliance-based solution at the gateway for Web security, but as soon as someone picks up their laptop and goes across the street to Starbucks or goes to a conference; they are out there unprotected. They come back and bring an infection back into the office. So many of the infections we see happen like this. With a limited budget, I’d at least consider what you’re doing about&amp;nbsp;it.”&lt;/p&gt;
&lt;h3&gt;The&amp;nbsp;Cloud&lt;/h3&gt;
&lt;p&gt;The popularity of the cloud for business is expected to continue as more companies move to cloud-based email infrastructures. “There are tremendous business benefits to be gained. The cloud is not so much powerful because it is all Internet enabled and all the technical aspects of it, but rather it has proven to be one of the easiest delivery mechanisms on which to do outsourcing and to gain the economies of scale associated with that,” believes Pao. “Email happens to be an application that doesn’t really differ that much as you go from business to&amp;nbsp;business.”&lt;/p&gt;
&lt;p&gt;The cloud is also appealing because it isn’t necessarily an all or nothing proposition. Many offer hybrid solutions that allow the use of the cloud, as well as keeping some parts on premises. “Inbound filtering can be done in the cloud, outbound is still best done on-premises,” says Pao. “Just because you decide you want to move your email off premise or outsource the management of email, it doesn’t mean you don’t continue to want granular control of your email policy and it doesn’t mean that you don’t still want to continue to provide the same level of security protection that you always&amp;nbsp;did.”&lt;/p&gt;
&lt;h3&gt;User Behavior&amp;nbsp;Changing&lt;/h3&gt;
&lt;p&gt;Perhaps one of the most important pointers for messaging in 2011 is not so much about technology as with the people using it. Lovelock thinks a trend worth watching is the active engagement of the user in security-related decisions. “We have already seen some of that in what Facebook has been forced to do,” he says. “Users have to think about their profiles online, and how much they want to share with people and define a security profile that says this group of people can access this much information and that group of people can access that information. This is a trend that is likely to&amp;nbsp;continue.”&lt;/p&gt;
&lt;p&gt;This concept of users being in control is also seen in the way the various devices are coming into the workplace. Users are deciding what mobile phone they want to use or iPad or apps. This might be a carry over to how we as consumers have increasingly become in control of how we want to communicate and using which channel (email, Facebook, SMS, etc.). In a recent whitepaper, “&lt;a href="http://www.messagesystems.com/landing_pages/eec2011.html"&gt;Preparing for Message Convergence: Prescriptive Advice for the CMO and Senior Management&lt;/a&gt;,” Dave Lewis, chief marketing officer for &lt;a href="http://www.messagesystems.com/"&gt;Message Systems&lt;/a&gt; explores this shift. “Technology is changing the way we communicate. It is changing the nature of how we communicate. We are not only emailing, we use SMS, IM, social and all those forms of communication are being accessed simultaneously. We are on the move constantly; we are not tethered to our desks anymore. The point is, we communicate through multiple channels and we often shift from one channel to the&amp;nbsp;next.”&lt;/p&gt;
&lt;p&gt;The user being in control plays a significant part in Lewis’ argument. As an example, he points to Facebook’s introduction of the unified inbox as one more step in this direction. “It’s not just a social inbox, it gives Facebook members an element of control that they have not had in the past to block the messages that they do not want to receive, and block the messengers they do not want to hear from. That form of blocking is making the consumer the final arbiter of what reaches them and that changes the nature of the game, relative to how enterprises interact with ISPs and telcos. If the consumer is the final arbiter of what they receive, they are making the decision not just on email but also across channels. The risk of not meeting the customers’ expectations is that you could lose your connections to the&amp;nbsp;customer.”&lt;/p&gt;
&lt;p&gt;Lewis doesn’t think many companies are acting on the preferences, needs and wants of customers, nor are they communicating via the right channel. “Our view is there are significant risks to those enterprises that do not rise to the occasion. Those that do, there are some real&amp;nbsp;advantages.”&lt;/p&gt;
&lt;p&gt;Asked if this is only a business-to-consumer issue, Lewis replies, “I don’t think it matters a whole lot. If you think about how technology is affecting us, the line isn’t between B2B or B2C. It is not really between customers and employees. We are all part of this sea change that is taking place. It’s not just a customer issue; it is an employee issue too. As you look forward, the types of employees that you will be taking into the workforce are using communications this way. These changes and the way that we are communicating are touching us all. It applies to&amp;nbsp;everyone.”&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/author/stephanie-jordan">Stephanie Jordan</category>
 <category domain="http://www.messagingnews.com/business-social-networking">Business Social Networking</category>
 <category domain="http://www.messagingnews.com/message-archive">Message Archive</category>
 <category domain="http://www.messagingnews.com/online-marketing">Online Marketing</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/cloud-computing">Cloud Computing</category>
 <category domain="http://www.messagingnews.com/facebook-business">Facebook for Business</category>
 <category domain="http://www.messagingnews.com/enterprise-collaboration">Enterprise Collaboration</category>
 <category domain="http://www.messagingnews.com/ipad">iPad</category>
 <category domain="http://www.messagingnews.com/mobile-devices">Mobile Devices</category>
 <category domain="http://www.messagingnews.com/archiving">Archiving</category>
 <pubDate>Thu, 03 Feb 2011 14:06:16 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">30244 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/what-focus-2011-web-security-outbound-controls-social-media-security-and-next-generation-threa</feedburner:origLink></item>
  <item>
    <title>The Road Ahead: Insiders Give Insight on What to Focus on in 2011</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/uvtzpdd2lIg/road-ahead-insiders-give-insight-what-focus-2011</link>
    <description>&lt;p&gt;If we are to be wise in the outlook for 2011, what should we be focusing on? This is the question that was put to several messaging insiders. While it depends on a number of variables and there is no one-size-fits-all answer, presented here are a few thoughts on what to expect or what to think about this year in messaging. (Also see the related story “&lt;a href="/story/what-focus-2011-web-security-outbound-controls-social-media-security-and-next-generation-threa"&gt;What to Focus on in 2011: Web Security, Outbound Controls, Social Media Security, and Next Generation Threats&lt;/a&gt;” for more details about the issues that messaging insiders think are critical for&amp;nbsp;2011.)&lt;/p&gt;
&lt;div class="clearfix"&gt;
&lt;p&gt;“For spammers and scammers, it has gotten a lot harder to penetrate most business email systems. But the Web is still an unlocked back door to a lot of company networks. That leaves them exposed to malware, viruses and even lawsuits in some cases. That’s why we’re going to see a greater focus this year on intelligent, business-grade Web security solutions.”&lt;em&gt;—Joel Smith, Chief Technology Officer, &lt;a href="http://www.appriver.com/"&gt;AppRiver&lt;/a&gt; &lt;/em&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;div class="clearfix"&gt;
&lt;p&gt;“We’re in a time of profound change that is unlocking amazing benefits. But to leverage these changes we must re-think security for the New Enterprise. The next year companies must place heightened focus on targeted attacks as well as richer outbound controls for email. Targeted phishing and low volume attacks will require both email and Web security technology and the increasing need for controlling sensitive data will lead to extensions to DLP solutions and features that give senders more control and visibility into outbound mail.”&lt;em&gt;—Tom Gillis, Vice President and General Manager of &lt;a href="http://www.cisco.com/"&gt;Cisco’s&lt;/a&gt; Security Technology Business&amp;nbsp;Unit&lt;/em&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;div class="clearfix"&gt;
&lt;p&gt;“With analysts like Gartner predicting that by 2014 social networking will overtake email as the primary communications vehicle for businesses, 2011 needs to be the year that organizations enable the safe use of social media in the workplace. It is no longer sufficient to be concerned solely about traditional email communications. Email administrators need to evolve to become messaging administrators and plan for how to replicate the same AUP/Regulation and corporate governance policies they have in email to social media security solutions.”&lt;em&gt;—Bradley Anstis, Vice President of Technical Strategy, &lt;a href="http://www.m86security.com/"&gt;M86&amp;nbsp;Security&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;div class="clearfix"&gt;
&lt;p&gt;“Securing data stored in the cloud should be a primary focus for 2011. If these things aren’t your core expertise, you won’t be up to speed on the latest security threats or the best practices for storage management. But, SaaS vendors can plan for and build in security features in every part of the solution, leveraging things like secure software development lifecycles to ensure that security best practices are accounted in our core software, tools, processes and monitoring systems.”&lt;em&gt;—Andrés Kohn, Vice President of Technology, &lt;a href="http://www.proofpoint.com/"&gt;Proofpoint,&amp;nbsp;Inc.&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;div class="clearfix"&gt;
&lt;p&gt;“As the economy continues to pull out of the long recession, IT organizations are re-evaluating their computing architectures so they can take better advantage of advancements in technologies such as virtualization and cloud computing. At the top of their investment priority list is their aging messaging infrastructure. However, in order to gain the benefits that virtualization and cloud technologies provide, enterprises must first focus on modernizing their messaging backbone. With a modern messaging backbone in place, businesses can architect cost effective, secure, and agile hybrid messaging infrastructures that will satisfy all of their messaging requirements well into the future.”&lt;em&gt;—Don Massaro, Chief Executive Officer, &lt;a href="http://www.sendmail.com/"&gt;Sendmail,&amp;nbsp;Inc.&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;div class="clearfix"&gt;
&lt;p&gt;“Multi-stage, multi-vector tactics are becoming a key characteristic of Next Generation Threats like malware, APT, and botnets. Attacks often begin through email, IM, or social networking then morph or mutate into persistent threats with the ability to expose secrets or cause major productivity loss. Many enterprises do not yet have the ability to detect, visualize, and eliminate these threats on their network. 2011 is the year that enterprise security must adopt technologies—like active network forensics—to give IT real situational awareness of the network.”&lt;em&gt;—Peter Schlampp, Vice President Product Management, &lt;a href="http://www.soleranetworks.com/"&gt;Solera&amp;nbsp;Networks&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;div class="clearfix"&gt;
&lt;p&gt;“Tackling the vulnerability and patch management challenge will be a top security priority in 2011. More than 60 percent of malware attacks come from known vulnerabilities, and besides office applications, recent attacks have focused on programs like Adobe Reader, Flash, Java, media players, graphic design tools, and various browsers and browser plug-ins. No matter whether you’re a one-person shop, or manage many thousands of desktops, maintaining not only the operating system, but also the third party applications should be a top priority.”&lt;em&gt;—Gerhard Eschelbeck, Chief Technology Officer of &lt;a href="http://www.webroot.com/"&gt;Webroot&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;/div&gt;</description>
     <category domain="http://www.messagingnews.com/author/stephanie-jordan">Stephanie Jordan</category>
 <category domain="http://www.messagingnews.com/business-social-networking">Business Social Networking</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/cloud-computing">Cloud Computing</category>
 <category domain="http://www.messagingnews.com/enterprise-collaboration">Enterprise Collaboration</category>
 <pubDate>Thu, 03 Feb 2011 13:06:16 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">30245 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/road-ahead-insiders-give-insight-what-focus-2011</feedburner:origLink></item>
  <item>
    <title>SSL Is Critical Infrastructure at Risk</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/PynXIld2LAs/ssl-is-critical-infrastructure-risk</link>
    <description>&lt;p&gt;The security of the transactions for much of the consumer Internet relies on the Secure Socket Layer (SSL) protocol. SSL and its Public Key Infrastructure (PKI) are critical Internet infrastructure. Most consumer Web, email, and VoIP traffic relies on SSL for security, as do substantial portions of enterprise Internet traffic, both from SSL-enabled Web applications and SSL-based&amp;nbsp;VPNs.&lt;/p&gt;
&lt;p&gt;Fundamental problems increasingly put this infrastructure at risk. Significant risks include flawed implementations of the SSL protocol and PKI, inadequate verification mechanisms for certificate issuance, limited implementation of revocation mechanisms, and involvement by state actors in the issuance process. There are no viable alternatives to the mainstream use of SSL that are currently widely accepted or&amp;nbsp;deployed.&lt;/p&gt;
&lt;h3&gt;Major Problem Areas for SSL:&amp;nbsp;Cryptographic&amp;nbsp;Flaws&lt;/h3&gt;
&lt;p&gt;The first analyses of problems with the protocol focused on the cryptographic aspects of the implementations, which largely stabilized with the release of TLS 1.0/SSL 3.1 in 1999. The IETF (Internet Engineering Task Force) released the last version of SSL in 1996, which it superseded with the Transport Layer Security (TLS) protocol released in 1999. Still the protocol is primarily referenced as&amp;nbsp;SSL.&lt;/p&gt;
&lt;p&gt;TLS versions 1.1 and 1.2 added further security refinements, although they are not yet widely implemented or deployed. Recent flaws target weakness in the SSL framework and not the encryption itself. One notable exception is the 2008 discovery of weakness in the MD5 cryptographic hash function that allowed security researchers to create a false Certificate Authority certificate that could sign other valid SSL&amp;nbsp;certificates.&lt;/p&gt;
&lt;h3&gt;User Interface&amp;nbsp;Problems&lt;/h3&gt;
&lt;p&gt;The second phase focused on user interface and user experience aspects of SSL. In particular, people simply ignored the large number of security warnings about SSL certificate problems, no matter what their severity. Users are more vulnerable to both hijacking and phishing attacks when they become desensitized to certificate warnings. The Mozilla Foundation investigated usability problems and experimented with multiple user interfaces to prevent users from navigating to sites with invalid SSL certificates and to train them to avoid such&amp;nbsp;sites.&lt;/p&gt;
&lt;h3&gt;Implementation&amp;nbsp;Flaws&lt;/h3&gt;
&lt;p&gt;The OpenSSL toolkit is widely used to generate cryptographic keys for SSL certificates and SSH keys. In 2006, a developer on the Debian Linux distribution team modified the OpenSSL source to eliminate errors generated by a debugging tool. The change had an unintended side effect that eliminated most of the entropy destined to seed the pseudo-random number generator, which caused the modified version of OpenSSL to produce weak cryptographic keys for the &lt;a href="http://wiki.debian.org/SSLkeys"&gt;Debian version of OpenSSL&lt;/a&gt;. Another Debian developer discovered the flaw in 2008. In the intervening time, flawed versions of OpenSSL created an estimated 25,000 weak and easily compromised SSL&amp;nbsp;keys.&lt;/p&gt;
&lt;p&gt;In 2009, researchers discovered the potential for man-in-the-middle type attacks by targeting the renegotiation feature of SSL, which allowed changes to keys in-connection to accomplish tasks such as upgrading the key strength. I described the problem in “&lt;a href="/onmessage/ben-gross/practical-attack-and-fixes-current-ssltls-vulnerabilities"&gt;A Practical Attack and Fixes for Current SSL/TLS Vulnerabilities&lt;/a&gt;.”&lt;/p&gt;
&lt;p&gt;Moxie Marlinspike published a series of man-in-the-middle-based attacks on SSL starting in 2002 with the &lt;a href="http://www.thoughtcrime.org/software/sslsniff/"&gt;sslsniff&lt;/a&gt; tool, which exploited a vulnerability that allowed leaf certificates to act as signing certificates. In 2009, Marlinspike published a new tool called &lt;a href="//www.thoughtcrime.org/software/sslstrip/"&gt;sslstrip&lt;/a&gt;, which could forcibly downgrade HTTPS connections to insecure HTTP connections. He also published a “null prefix attack” that could trick some browsers such as Firefox into accepting specially crafted certificates as wildcard certificates. Finally, he published an attack on the Online Certificate Status Protocol (OCSP), which allowed him to present revoked certificates as valid. Marlinspike and others have created widely available software and techniques to compromise the security of SSL via man-in-the-middle&amp;nbsp;attacks.&lt;/p&gt;
&lt;h3&gt;Infrastructure&amp;nbsp;Constraints&lt;/h3&gt;
&lt;p&gt;The implementation flaws highlight the problem that the SSL and PKI infrastructure is both distributed and constructed from many different implementations of SSL, which can be difficult to patch or upgrade quickly. The large number of SSL implementations for embedded devices further compounds the&amp;nbsp;problem.&lt;/p&gt;
&lt;p&gt;The tools to verify the integrity of digital certificates, certificate authority roots, and the chain of trust between them are not widely deployed. While modern browsers increasingly include support for certificate revocation, the support is uneven. Many non-browser implementations of SSL do not check for revoked certificates. Recent large-scale surveys of SSL certificates have found substantial numbers of certificates with intentional and unintentional errors, including a significant number of possibly malicious&amp;nbsp;certificates.&lt;/p&gt;
&lt;h3&gt;Problems with Certificate&amp;nbsp;Issuance&lt;/h3&gt;
&lt;p&gt;There are a limited number of root certificates that are widely accepted by nearly every browser, which can be highly profitable for the certificate authorities that own them. At the same time, there is a financial incentive to offer certificates with the least possible overhead. Because of this, many certificate authorities require only limited verification to issue&amp;nbsp;certificates.&lt;/p&gt;
&lt;p&gt;This type of limited validation, called domain validation, typically requires only that the certificate requestor be able to receive email at certain administrative email addresses. Limited validation periodically results in attackers devising ways to inappropriately request certificates for domains that may not be&amp;nbsp;legitimate.&lt;/p&gt;
&lt;p&gt;Extended Validation certificates are an attempt by certificate authorities to offer higher cost certificates with substantially higher verification requirements to ensure that only legitimate requests receive certificates. Still, the process of purchasing certificates is overly complex and many sites do not have SSL certificates, even when they would be well served by them. I discussed some of the difficulties in purchasing certificates in “&lt;a href="/onmessage/ben-gross/no-frills-ssl-certificates-are-inexpensive-and-useful"&gt;No Frills SSL Certificates Are Inexpensive and Useful&lt;/a&gt;.”&lt;/p&gt;
&lt;h3&gt;Root Certificate&amp;nbsp;Bundles&lt;/h3&gt;
&lt;p&gt;Root certificate bundles or root certificate stores contain the collection of root certificates that the browser or other SSL-enabled service will automatically accept as trusted. However, root certificate bundles often contain many certificates without detailed provenance information. In April 2010, the Mozilla project discovered a root certificate that had been included in the root certificate bundle for many years, but whose owner was unknown. Eventually, Mozilla determined there was a miscommunication and that the root certificate belonged to RSA, but the situation underscored the tenuous provenance of some of the certificates in the&amp;nbsp;bundles.&lt;/p&gt;
&lt;p&gt;A single machine often holds a number of widely used certificate stores that are controlled by multiple entities. For example, while Microsoft Windows and Mac OS X offer system-wide root certificate stores, Firefox uses a certificate bundle maintained by the Mozilla Corporation. Server applications, especially on UNIX systems, may contain their own root certificate&amp;nbsp;bundle.&lt;/p&gt;
&lt;p&gt;The policies for inclusion in certificate stores vary widely and the influence of payment is unclear. The Microsoft Windows root store may load new certificates on demand, meaning that there is no precise list of valid root&amp;nbsp;certificates.&lt;/p&gt;
&lt;h3&gt;Influence by State&amp;nbsp;Actors&lt;/h3&gt;
&lt;p&gt;There is growing and widespread awareness of the policy and political dimensions of SSL certificates, especially as we find that state actors may have undue influence over some certificate authorities. State actors may compel vendors, carriers, or paid attackers to insert additional certificates into the root certificate stores either openly or surreptitiously. Christopher Soghoian and Sid Stamm published an analysis of what they call a “compelled certificate creation attack” in their paper &lt;a href="http://files.cloudprivacy.net/ssl-mitm.pdf"&gt;“Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL” (PDF)&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Root certificates are high value targets as they can produce certificates that can decrypt communications and effectively verify identities of individuals with client certificates and for entities with host&amp;nbsp;certificates.&lt;/p&gt;
&lt;p&gt;In 2010, the EFF petitioned the Cybertrust division of Verizon to revoke the certificate for Etisalat in the United Arab Emirates after the telecommunications company issued a BlackBerry firmware update that included surveillance software. Also in 2010, there was a significant debate on the Mozilla policy list about the inclusion of a root certificate for the China Internet Network Information Center (CNNIC) certificate authority in the Firefox certificate store. The argument was that while CNNIC was affiliated with an academic institution, it was not free of government&amp;nbsp;influence.&lt;/p&gt;
&lt;p&gt;The problem is that any certificate authority may issue a certificate for any domain on the Internet. The problem is further complicated by the fact that each browser, operating system, and a great many server applications may use independent root certificate stores that may contain an unknown collection of root certificates, which will automatically trust any SSL certificate signed by that&amp;nbsp;root.&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/category/authors/ben-gross">Ben Gross</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/encryption">Encryption</category>
 <category domain="http://www.messagingnews.com/tag/tags/ocsp">OCSP</category>
 <category domain="http://www.messagingnews.com/tag/tags/online-certificate-status-protocol">Online Certificate Status Protocol</category>
 <category domain="http://www.messagingnews.com/tag/tags/openssl">OpenSSL</category>
 <category domain="http://www.messagingnews.com/tag/tags/root-certificate-bundles">Root Certificate Bundles</category>
 <category domain="http://www.messagingnews.com/tag/tags/secure-socket-layer">Secure Socket Layer</category>
 <category domain="http://www.messagingnews.com/tag/ssh">SSH</category>
 <category domain="http://www.messagingnews.com/tag/tags/ssl">SSL</category>
 <category domain="http://www.messagingnews.com/tag/tags/sslsniff">sslsniff</category>
 <category domain="http://www.messagingnews.com/tag/tags/sslstrip">sslstrip</category>
 <pubDate>Thu, 03 Feb 2011 16:46:47 +0000</pubDate>
 <dc:creator>Ben Gross</dc:creator>
 <guid isPermaLink="false">30251 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/ssl-is-critical-infrastructure-risk</feedburner:origLink></item>
  <item>
    <title>How Messaging Technology Is Making IT Jobs Harder, Not Easier</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/gMiO4sjkCbg/how-messaging-technology-is-making-it-jobs-harder-not-easier</link>
    <description>&lt;p&gt;The promise behind office
technology is to make our lives easier. Remember the grand goal of the
“paperless office”? Or the idea of how much freedom working from anywhere could
bring? In many instances, we have seen some amazing results. The mobile
revolution is really something, if you stop texting for a minute to think
about it. As for me, the thing I use my phone least for is making actual phone&amp;nbsp;calls. &lt;/p&gt;
&lt;p&gt;But all this advancement has also
led to a profound change for many IT departments: less control over the
network and business tools than ever before. One reason for this influx is
consumer-oriented technology being brought into the workplace. I cover this
topic in more detail in the article &lt;a href="http://www.messagingnews.com/story/consumer-messaging-business"&gt;Consumer
Messaging In Business&lt;/a&gt;. In talking with sources for that story, I asked
about what this influx has meant to IT and if, like me, the thought has
occurred that IT today is often asked to manage an ever-widening array of
messaging&amp;nbsp;technology.&lt;/p&gt;
&lt;p&gt;“IT folks are in a pretty difficult
position,” responds Pete Schlampp, vice president of marketing for &lt;a href="http://www.soleranetworks.com"&gt;Solera Networks, Inc.&lt;/a&gt; “They
are unable to say no anymore. Consumers have been empowered. It’s similar to
what has happened to doctors in the last ten years with people saying ‘This is
what I have’. IT has users coming in, knowing a lot about IT. They know what
they want, and the IT teams, without the budget are saying OK (to users’
personal tools being brought into the&amp;nbsp;workplace).”&lt;/p&gt;
&lt;p&gt;In times such as these, many IT
departments are running lean and with limited budgets. With these budget
shortfalls, IT staff face not only the diversity of technology coming into an
organization, but also threats to the organization from external malware on the
rise. “I joke with IT people that they are
between a rock and a hard place,” says Ian Moyse, channel director for &lt;a href="http://www.webroot.com"&gt;Webroot Software, Inc.&lt;/a&gt; “Because of the
recession, IT is looked at like an expense in the business. IT is being asked
to sustain at the same budget as last year, or less budget when attackers are
extremely well-funded and have no&amp;nbsp;limitations.” &lt;/p&gt;
&lt;p&gt;Moyse notes that the average
company is less than 400 people, and that IT staff is typically a few people or
often one IT person doing everything. “They
may not be security experts. They are reacting to problems in the business – my
printer doesn’t work or help desk tickets. They are not proactive, just by the
nature of the pressures they are put under and IT is changing all the time. It
is a never-ending list of things, as fast as they get something stabilized;
there are new versions, or patches or whatever. They are challenged just in the
nature of the job they&amp;nbsp;do.”&lt;/p&gt;
&lt;p&gt;Moyse goes on to comment on how
today’s users are more IT literate than ever before, citing how younger
employees come into business having grown up with Facebook, phones and apps. “They are coming into the business with all of it and
every year it’s going to get worse. They expect to continue to use what they
know and IT hasn’t been given any resources or extra tools to deal with&amp;nbsp;it.”&lt;/p&gt;
&lt;p&gt;The general role of IT is
shifting, and the area of IT administrators for messaging systems is no
different. As messaging products get easier to use and more interconnected with
one another, the IT literacy of the average user increases. “We went through a period where IT decided what technology
went into a company, then we went through a period where everybody grumbled
about how restrictive IT was and now we are in an era where people think IT is
irrelevant,” observes Dr. Nathaniel Borenstein, the co-creator of the Multipurpose Internet
Mail Extensions (MIME) email standard (the standard that still holds to this
day) and chief scientist for &lt;a href="http://www.mimecast.com"&gt;Mimecast&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;As users get more comfortable and
make individual choices for mobile phone or laptop brands, it makes it harder
for IT to keep a tight rein on what the company network is being used&amp;nbsp;for. &lt;/p&gt;
&lt;p&gt;“Because users are more literate,
they are coming in and challenging the status quo,” says Moyse. “IT hasn’t been
given more money; IT hasn’t been given more resource. How do we do this then?
We think we need changes to our industry to help IT&amp;nbsp;people.”&lt;/p&gt;
&lt;p&gt;IT’s role is evolving. As Borenstein noted, there was a time when the technology was selected
by IT and then rolled out. Now not only are the technology choices coming from
users, but from other influencers too. Dan
Nemo, chief operating officer of &lt;a href="http://www.textguard.com"&gt;TextGuard
Inc&lt;/a&gt;. says that especially when it comes to regulated industries, IT is
almost subservient to compliance. “They (IT) end up sourcing options, but
before anything gets rolled out, it has to be cleared through compliance,” he
states. “It definitely adds a layer of&amp;nbsp;complexity.”&lt;/p&gt;
&lt;p&gt;Taken altogether the change in how
technology is being introduced into an organization is impacting IT. “It is causing the IT guys to raise the level of their
game,” believes Schlampp. “It is causing them to take an active role in
monitoring their networks, monitoring the devices that are on their networks,
and monitoring what those devices are doing. IT can no longer rely on security
technology that is simply built for blocking and preventing – that just doesn’t
work anymore in this&amp;nbsp;landscape.”&lt;/p&gt;
&lt;p&gt;I’d be interested to know how the
role for messaging IT has been impacted in your&amp;nbsp;organization.&lt;/p&gt;
&lt;p&gt;&amp;#8211;&lt;/p&gt;
&lt;p&gt;Stephanie Jordan, editor in
chief of Messaging News. If you have story ideas or news to share, please email
her: &lt;span class="spamspan"&gt;&lt;span class="u"&gt;sjordan&lt;/span&gt; [at] &lt;span class="d"&gt;messagingnews [dot] com&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
</description>
     <category domain="http://www.messagingnews.com/author/stephanie-jordan">Stephanie Jordan</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/mobile-devices">Mobile Devices</category>
 <category domain="http://www.messagingnews.com/tag/tags/it-administrators">IT Administrators</category>
 <pubDate>Wed, 12 Jan 2011 02:14:08 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">29618 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/how-messaging-technology-is-making-it-jobs-harder-not-easier</feedburner:origLink></item>
  <item>
    <title>Consumer Messaging in Business</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/2wIpTTs2AMA/consumer-messaging-business</link>
    <description>&lt;p&gt;Earlier this year, in its &lt;em&gt;Internet Trends&lt;/em&gt; report, Morgan Stanley wrote about two rapidly emerging commerce platforms, social networking and mobile, calling them “game-changing communications.” Game-changing is an excellent descriptor, as the coming together of a number of factors has paved the way for a phenomenon happening throughout businesses, regardless of industry or size, that has had a profound impact on messaging technologies, employees and IT. Even though these products and tools were originally designed for consumers, they are finding their way into the corporate world at a staggering&amp;nbsp;pace.&lt;/p&gt;
&lt;p&gt;One of the key reasons is the adoption of these communications for personal use. “We have seen such an adoption of technology in the home,” observes Ian Moyse, channel director for &lt;a href="http://www.webroot.com/"&gt;Webroot Software, Inc.&lt;/a&gt; “If you think about it, the home has become much more IT literate. It wasn’t so long ago that we didn’t have a PC at home, or if you did it was a really big box and quite expensive. Now people have laptops.” Moyse points to how in the U.K. ISPs have been known to give away cheap laptops with broadband connections. “On the home PC, you have the freedom of choice for anything you install. If you have an iPad or iPhone, of course you need iTunes, so that is installed. Then there is social media: Facebook, Twitter, etc. People are used to using all these things at home and then they come to
 work and want to use a particular device or application.” Because people are more IT literate than ever before, Moyse believes employees are much more likely to make technology choices without the approval of&amp;nbsp;IT.&lt;/p&gt;
&lt;p&gt;Pete Schlampp, vice president of marketing for &lt;a href="http://www.soleranetworks.com/"&gt;Solera Networks&lt;/a&gt; characterizes this shift as the perfect storm. “First, Apple starts making these really cool products that everyone wants to have: iPhone, Mac laptop, iPads. Then you have this other trend where people are used to Facebook or Gmail, and there is this consumerization of IT, where people are very comfortable with IT. Then you have this massive recession, where companies aren’t spending money on the IT that they want to—whether it’s new computers, new servers, or better security. Finally, you have employees saying: ‘Why can’t I use my Mac or my iPhone?’ And so what has happened, is IT has let their guard down, and don’t have a good answer as to why&amp;nbsp;not.”&lt;/p&gt;
&lt;p&gt;This IT literacy is a driving force in the shift, as more and more employees are taking it upon themselves to choose the messaging technologies and tools they want in the workplace. “Almost every customer that I have talked to in the last month or two is dealing with this in some form or fashion,” acknowledges Fred Kost, director of marketing for security and borderless networks at &lt;a href="http://www.cisco.com/"&gt;Cisco Systems, Inc.&lt;/a&gt; “Users are procuring their own devices. It used to be BlackBerrys, but now we are seeing this huge influx of the popularity of a full-featured hybrid in the consumer’s hand and it is driving this desire to say: ‘Why can’t I get on the network and use this device?’ There are consumers that are pushing it into the IT environment just by numbers, price point
 and&amp;nbsp;functionality.”&lt;/p&gt;
&lt;h2&gt;Personal vs. Company&amp;nbsp;Issued&lt;/h2&gt;
&lt;p&gt;A recent study, &lt;em&gt;The Cisco Connected World Report&lt;/em&gt;, which surveyed 2,600 workers and IT professionals in 13 countries, revealed that two of every three employees surveyed (66 percent) expect IT to allow them to use any device—personal or company-issued—to access corporate networks, applications, and information anywhere, at any time, and they expect the types of devices to continue&amp;nbsp;diversifying.&lt;/p&gt;
&lt;p&gt;“When a person gets a device, they are going to take it to work,” believes Dr. Nathaniel Borenstein, the co-creator of the Multipurpose Internet Mail Extensions (MIME) email standard (the standard that still holds today) and chief scientist for &lt;a href="http://www.mimecast.com/"&gt;Mimecast&lt;/a&gt;. “I think there is no getting around it. How openly they do it and how soon they do it is a function of the corporate culture. If you value a device enough to spend your own money for it, you probably are going to find it valuable at work, unless they give you something very&amp;nbsp;similar.”&lt;/p&gt;
&lt;p&gt;This trend seems to be taking hold. According to a recent Forrester Research report, almost half of U.S. and European businesses surveyed are embracing the notion of allowing personally owned devices access to a secure corporate&amp;nbsp;network.&lt;/p&gt;
&lt;p&gt;“Most of the companies we talk to have a majority of their employees on personally liable or individually liable phones vs. corporate,” confirms Dan Nemo, chief operating officer of &lt;a href="http://www.textguard.com/"&gt;TextGuard Inc.&lt;/a&gt; “This means they are bringing the phone into the workplace, but it is owned by the employee.” Nemo estimates that it is 60 to 70 percent of the companies he deals with. “Employees are bringing their personal devices to work and saying I want to get this connected and the employer has a choice. They can get better productivity, figuring the employee will work at home, at the doctor’s office, etc, plus the company doesn’t have to buy a big package, instead it can reimburse the employee for a piece. We hear many companies don’t want to take on the administrative hassle and the expense of phone plans. We expect
 this phenomenon will continue to happen, driven by employees that want the newest devices out&amp;nbsp;there.”&lt;/p&gt;
&lt;p&gt;The challenge to IT, as a result, is a host of mobile phone types to deal with. “We have two dynamics going on, one is the consumer wanting to do it, and the other is the IT organization trying to figure out how to support it,” says Kost. “Maybe it is more economical if employees do buy their own devices. So clearly, the device itself is having an&amp;nbsp;impact.”&lt;/p&gt;
&lt;p&gt;But can IT manage all the devices equally well? “I don’t think you can, yet,” says Borenstein. “I remember when people wanted to write user interfaces, applications that worked on the PC, Mac and UNIX. What they really wanted was a tool kit that would make them work on all of them with minimal modifications by the programmer, at one point that was an impossible dream. But now we have tool kits that do exactly that. It is likely to happen in the smartphone market, but not when it is evolving as quickly as it is. It &lt;em&gt;can’t&lt;/em&gt; happen when it is evolving as quickly as it is! But once a few vendors shake out, and Android stabilizes and it becomes clear what Apple is and isn’t going to change about multi-tasking, and stuff like that, then you can imagine a software layer that produces an
 interface for the BlackBerry, the iPhone, etc. But I think we have a really difficult period for several years before&amp;nbsp;that.”&lt;/p&gt;
&lt;p&gt;With the days of a company supplying an employee with a phone dwindling these past three or four years, companies have benefited financially by avoiding expensive plans and employees get to use the phone of their choosing. “Employees definitely think it is great,” says Schlampp. “But it opens up a lot of security challenges. Certainly one of them is when someone brings in a device onto the network. How do you know where that device has been? How do you know if the person who is using it is the right person? Frankly, the technology to ensure that is not at the same level as if I was to bring my Dell laptop, which can be authenticated. So you have that trend going on, with companies unable to stem the tide and they do not have the resources to be able to say anything about&amp;nbsp;it.”&lt;/p&gt;
&lt;p&gt;Perhaps feeding this trend toward personal mobile phone use is the pace of adoption of these impressive mobile devices. In the same Morgan Stanley report, the authors noted that mobile is ramping faster than desktop Internet did and will be bigger than most people expect. The report predicts that more users will likely connect to the Internet via mobile devices than desktop PCs within five years. With mobile growth such as this, it might have been impossible to tell employees that they could not use their personal mobile devices at work anyway. But what of other consumer oriented messaging, like social&amp;nbsp;media?&lt;/p&gt;
&lt;p&gt;“Unless the user at work is locked down totally, there comes the dilemma in the particular world we are in, of security,” says Moyse. “The further you lock down a machine you impede the user to a point that they can’t work. So there has to be a balance. What we see in a lot of organizations is an element of lock down, but they can’t lock down as much as they’d like, because the help desk calls go up incredibly as users can’t do this or that. If you lock everyone down and take the big brother approach in the work environment, users are&amp;nbsp;dissatisfied.” &lt;/p&gt;
&lt;p&gt;Moyse also notes, because employees are so IT literate, that if users are impeded, they start to look for work arounds. “You often see a department that has one expert user that is really IT literate, install something. And someone else says: ‘Where did you get that?’ And the expert says: ‘I’ll install that for you’ and word gets around how to do it. It’s that viral thing, where someone downloads it and then emails it to three colleagues. That is the nature of the Web and email that has opened up the world to anyone with a PC. The implications for the IT department and the security of the business can be huge. This is the particular challenge with email or the Web; you can’t turn those applications off. You have to have the Internet open for your&amp;nbsp;business.”&lt;/p&gt;
&lt;p&gt;Kost agrees that locking employees down is not really an option. “Twenty-odd years ago, when employees came to work, they used the telephone on their desk to make some personal calls during the day, check in on the kids, make a dentist appointment, make a reservation. The modern workforce now are doing those same things with Facebook or Twitter, or other social media and communication tools and keeping up with all those people that in another age they might have called. Users coming to the office expect to use these tools, just like the phone used to&amp;nbsp;be.”&lt;/p&gt;
&lt;p&gt;But complete openness is surely not an option either. &lt;em&gt;The 2nd Annual Network Forensics Survey&lt;/em&gt; published in October by Solera Networks found that visits to malicious Web sites and instant messaging (IM) use were particularly worrisome, with 96 percent feeling threatened by employee Web activity, and 71 percent fearing that IM poses security&amp;nbsp;threats. &lt;/p&gt;
&lt;h2&gt;IT Cannot Say&amp;nbsp;No&lt;/h2&gt;
&lt;p&gt;Employees today have high expectations when it comes to messaging technologies. “People are used to running their own networks at home,” observes Kost. “So, when IT says ‘no’ employees don’t understand why. ‘I can do this at home, why can’t I do it at work?’ IT is finding that ‘no’ doesn’t work. There is an employee morale, cultural thing, which some companies might say, big deal but to attract and retain talent that is a factor. Some of the research we did showed people are willing to make a trade off in compensation for some of this work flexibility, use of tools and&amp;nbsp;applications.” &lt;/p&gt;
&lt;p&gt;&lt;em&gt;The Cisco Connected World Report&lt;/em&gt; points to the expectation that employees demand to be able to access information from anywhere, revealing three of every five employees (60 percent) believe it is unnecessary to be in the office to be&amp;nbsp;productive.&lt;/p&gt;
&lt;p&gt;This cross of personal and business information and tools can quickly get sticky. As Schlampp points out, “If I bring my iPhone into the office, and I pick up the corporate Wi-Fi, I am sending email, etc. All that email is now going through the corporate network. It could be my Gmail account or it could be my Exchange account. All that data is flowing through the corporate network and I have an identity there. Then I hop onto my laptop, and I have the same identity. All of a sudden, you have a single person using multiple identities on multiple IP addresses and that can become a big problem for security. That is where having the ability to see everything and replay everything and correlate that data is&amp;nbsp;essential.”&lt;/p&gt;
&lt;p&gt;Kost says that in most organizations the number one concern is the fine line between company data and user data and how it is stored on that one device. “A policy must be in place that says the company retains the right, if it must, to wipe the device. You need some policy in place that says if you bring your own device in with music that is yours, contacts, etc, that the company can take some security actions, such as monitoring and that some of your personal activity might be captured. It is important that people know that their expectation of privacy might be changed because you are getting onto the network at work. The employee needs to know that backing up personal data is their responsibility and that wiping the device is a possibility. So there is an employee, employer understanding
 that needs to happen, or a code of ethics or device policy needs to exist independent of the technologies and that can be different in different parts of the world that have different privacy&amp;nbsp;expectations.”&lt;/p&gt;
&lt;p&gt;Moyse agrees, noting, “What about the content that is on these machines? At home, I may download iTunes. If I copy that, I have paid for the license, I am legitimately able to use that music on this machine. If I email one of those tracks to someone at work, or put it on a USB key or download off an illegal site at work or if there is an unlicensed music track on a work PC, the Directors of that business are liable for the license. Under UK law, even if the user installed it, you can’t delegate responsibility or liability to the user. A company acceptable use policy says you are not allowed to have contents like that, you can fire the employee, you can take action, should the music publisher find out about the download, but it is still the company they are coming&amp;nbsp;after.”&lt;/p&gt;
&lt;p&gt;“The challenge we are getting into now is a lot of these sites, for example Twitter or Facebook, you can find a good business reason for using them,” adds Moyse. “Where do you draw the line? If you use it this way, it is beneficial to the company, if you use it that way, it can be&amp;nbsp;dangerous.”&lt;/p&gt;
&lt;p&gt;So what is IT to do? “It is easy to think of users as children—they want something, they take it. If they have a problem, they cry and they can’t always explain the problem,” says Borenstein. “It sounds kind of patronizing, but the truth is, if you conceptualize your users this way it can be a useful guide in how to deal with them. In this case, a child has a new toy, he loves his toy, do you tell him, ‘don’t use your toy’ or do you tell him how to change the batteries&amp;nbsp;safely?”&lt;/p&gt;
&lt;p&gt;With messaging technology and devices being driven into IT, instead of the former state of out from IT, how does IT get a handle on security? “From our perspective, on the security side, there is a new concept called ‘zero trust’ from Forrester,” says Schlampp. “This is their new framework for thinking about security. The title of it is great: &lt;em&gt;No More Chewy Centers: The Zero Trust Model&lt;/em&gt; and they say we should think of the network security world as an M&amp;amp;M. You have this crunchy outer shell, where you kept out all the bad stuff, and inside it was tasty and you knew what it was and you could trust it. Well, no more chewy centers, because inside that M&amp;amp;M you now have all sorts of devices and people that you did not know about or were able to keep out before. But the reality
 is: We never really had the security that we perceived we did, turns out the chocolate was never that great&amp;nbsp;anyway.” &lt;/p&gt;
&lt;p&gt;Schlampp goes on to explain that we can’t treat network security like an M&amp;amp;M anymore. “Basically, you can’t trust anybody on your network, so you have to raise the level of the game of your network security team. Their job is not to just keep people out, their job is to actively monitor what is happening. So that if something bad starts to unfold, you have the tools and capabilities to understand what is happening and shut it down&amp;nbsp;quickly.”&lt;/p&gt;
&lt;p&gt;Today, IT is between a rock and a hard place. “IT administrators, the people who run IT departments are people who like to bring order out of chaos, they like control,” believes Borenstein. “Bless those people, I do not know what we would do without them, but I think they are going to have to let go of some of this. The question to ask is not, can they keep these devices out, because there is an easy answer, which is no, instead it is how can we manage the flow of information into and around these devices, how can they make them more secure? There are ways to do that.” Borenstein goes on to say that Mimecast is integrating corporate email with BlackBerry devices so both can be archived and support secure communications. “We are hoping to have that before long for other devices too. The message
 we would like to give employees is sure, use an iPhone, use a BlackBerry, but run this software so that mail is handled more&amp;nbsp;securely.”&lt;/p&gt;
&lt;p&gt;Kost warns that a whole new class of device is imminently expected, as he notes that according to Gartner just under 20 million tablets will ship this year and next year 55 million will ship. “These may or may not replace the laptop, but millions and millions of these devices are going to be out there,” he&amp;nbsp;says.&lt;/p&gt;
&lt;p&gt;IT organizations are going to need to rely on the technology more than ever before, believes Moyse. “We are going to need to put protection into place that does not hinder the user. A lot of the products now consistently use pop-ups asking the user, do you really want to do this? Is this secure? We are imposing too much on the user. Customers want the best protection they can get, as simply as you can get it, and as cost-effectively as you can get it. There is a great opportunity for the industry if we get this&amp;nbsp;right.&amp;#8221;&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/author/stephanie-jordan">Stephanie Jordan</category>
 <category domain="http://www.messagingnews.com/business-social-networking">Business Social Networking</category>
 <category domain="http://www.messagingnews.com/online-marketing">Online Marketing</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/iphone">iPhone</category>
 <category domain="http://www.messagingnews.com/enterprise-collaboration">Enterprise Collaboration</category>
 <category domain="http://www.messagingnews.com/ipad">iPad</category>
 <category domain="http://www.messagingnews.com/unified-communications">Unified Communications</category>
 <category domain="http://www.messagingnews.com/data-breach-protection">Data Breach Protection</category>
 <category domain="http://www.messagingnews.com/tag/apple-devices">Apple Devices</category>
 <category domain="http://www.messagingnews.com/tag/tags/webroot-software">Webroot Software</category>
 <pubDate>Wed, 01 Dec 2010 11:00:58 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">28752 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/consumer-messaging-business</feedburner:origLink></item>
  <item>
    <title>Spotlight Shines on Alice and Bob for RSA Conference 2011 Anniversary</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/YJe9WH97RrU/spotlight-shines-alice-and-bob-rsa-conference-2011-anniversary</link>
    <description>&lt;p&gt;Take a quick quiz: What does &lt;a href="http://www.rsaconference.com//2011"&gt;RSA&lt;/a&gt; stand for? Who do Alice and Bob represent? If you are like me, you might have attended many RSA conferences and given little thought to the name itself. As one of many faithful RSA conference attendees, I’m looking forward to the event, being held February 14-18 in San Francisco’s Moscone&amp;nbsp;Center.&lt;/p&gt;
&lt;p&gt;This year marks the conference’s 20th anniversary. I can just imagine the event planners brainstorming theme ideas, wanting something that could convey the 20 years and yet still befit the impressive and creative security themes of the past, like last year’s The Rosetta Stone and people like Edgar Allan Poe or Alan Turing or the contributions of ancient mathematicians. I have to confess that I learn something about these historical people and times whenever the event rolls out its registration&amp;nbsp;campaigns.&lt;/p&gt;
&lt;p&gt;This brings us back to the quiz. RSA represents the initials of three gentlemen then at MIT, Ron Rivest, Adi Shamir and Leonard Adleman, who in 1978 released the RSA algorithm, the first known to be suitable for signing, as well as encryption. It is widely held that this invention is one of the first great advances in public key cryptography and that its impact has guided and shaped the world of information security for the past 30+&amp;nbsp;years.&lt;/p&gt;
&lt;p&gt;At the RSA conference this year, the founders of the RSA algorithm are the focus of the theme and it was Rivest that created Alice and Bob. So who are Alice and Bob? According to Sandra Toms LaPedis, area vice president and general manager for RSA Conference, these two personas were created to simplify the explanation of a complex encryption method. Instead of saying “person A” and “person B” it became Alice and&amp;nbsp;Bob.&lt;/p&gt;
&lt;p&gt;Another individual we’ll hear about at RSA 2011 is Bruce Schneier, also a founding father of modern information security. He explains Alice and Bob as the sender and receiver, or the signer and authenticator of messages. “Alice and Bob were the players,” says Schneier. It was Schneier that introduced other characters into the cryptography game explaining the creation of Eve, the person in the middle that was trying to eavesdrop on the message. Schneier goes on to say: “I needed another character, because Eve was passive and just sat there and listened. I needed someone that was active and malicious, I called her Mallory.” Other characters were also created as needed like Carol and Dave (C and D&amp;nbsp;personas). &lt;/p&gt;
&lt;p&gt;Schneier recalls how authors of papers would talk about Alice and Bob, Carol and Dave to explain what they were doing. These characters have lived full lives to hear Schneier describe it: “Alice and Bob have sent each other secrets, they get locked in jail, they date each other, they get married, they get divorced, anything that two people might want to do securely, Alice and Bob have done&amp;nbsp;it.”&lt;/p&gt;
&lt;p&gt;Another pioneer of cryptography is Whitfield Diffie. It was Diffie and Martin Hellman who co-invented the first practical method for establishing a shared secret over an unprotected communications channel in 1976. A self-described hippie and counterculturalist, Diffie was concerned that technology could either “be used to protect an individual or could be used to assault the individual.” Diffie says, “I had this vision of cryptography as one of the only technologies I knew that would actually protect the individual.” Diffie says he tried to get others to join him at the time, but few were interested in working on the issue. Hellman for his part, saw the coming marriage of computers and communications by observing how much money IBM was investing, and the need for commercial
 encryption. Undaunted by the view of others that it was “foolish to work in cryptography,” Hellman says, “Instead that attracted me. I wanted to show that they were&amp;nbsp;wrong.”&lt;/p&gt;
&lt;p&gt;Indeed Diffie, Hellman, Schneier, Rivest, Shamir and Adleman among others have laid the groundwork for cryptography. To hear Rivest describe it, cryptography is downright exciting: “You have human conflict, you have the good guys and the bad guys, that make it interesting. You have questions of coding, questions of algorithms.” Rivest sees these issues, and others “all tangled together making cryptography a wonderfully rich source of interesting problems with the source of the problems butting up against each&amp;nbsp;other.”&lt;/p&gt;
&lt;p&gt;Toms LaPedis says these pioneers will be honored during the 20th anniversary of the conference, noting that past conference themes have honored “historical people no longer with us.” Instead she says this year: “We are celebrating pioneers in our industry that are still alive. It is a bit of a departure on what we have done in the past, by celebrating the birth of public-private key encryption through Alice, Bob and&amp;nbsp;Mallory.”&lt;/p&gt;
&lt;p&gt;Observes Toms LaPedis, “But for them (Diffie, Hellman, Schneier, Rivest, Shamir and Adleman) we would not have an RSA conference. But for them we would not have the wealth of security products we have out there, because of what they did with algorithms. If you think about it, they did this at a really interesting time. In the 70s World War II was still fresh and the Cold War was on, cryptography and encryption were tightly regulated and viewed as national security secrets. In fact, it was considered munitions, regulated as if a gun or a bomb. This made it hard to export any kind of cryptologic message. And of course there was no Web nor email. The invention that they did really created this whole industry and everything&amp;nbsp;after.”&lt;/p&gt;
&lt;h2&gt;RSA Conference&amp;nbsp;2011&lt;/h2&gt;
&lt;p&gt;The RSA Conference planners expect as many, if not more, attendees than last year—which exceeded 15,000. This year’s roster of speakers includes former President Bill Clinton (on Friday, February 18), as well as a keynote familiar to &lt;em&gt;Messaging News &lt;/em&gt;readers: Tom Gillis, vice president and general manager, Security Technology Business Unit, for Cisco Systems, Inc. (Wednesday, February 16). Of interest to us, a new track has been added this year: Cloud Security, which will cover SLAs, security architecture in the cloud, cloud security governance, migrating to the cloud, cloud security risks and other related topics. Virtualization will also be found in this track. The entire roster of speakers, sessions and more on the conference can be found online.
 Be sure to look for Messaging News at RSA too. Not only are we media sponsors of the week-long event, our magazine appears in the magazine racks and we attend much of the conference and&amp;nbsp;expo.&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/author/stephanie-jordan">Stephanie Jordan</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/tag/rsa-conference">RSA Conference</category>
 <pubDate>Wed, 01 Dec 2010 10:47:17 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">28750 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/spotlight-shines-alice-and-bob-rsa-conference-2011-anniversary</feedburner:origLink></item>
  <item>
    <title>Data Evaporation and the Security of Recycled Accounts</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/HUUfQR_DMxA/data-evaporation-and-security-recycled-accounts</link>
    <description>&lt;h3&gt;Disappearing&amp;nbsp;Data&lt;/h3&gt;
&lt;p&gt;What happens to our data when we are gone? What happens to us, when our data is gone? Does any of this missing data make us vulnerable? These questions that once seemed theoretical are increasingly relevant to our everyday lives. The consequences include not only the potential for lost communications, but also lost data in cloud services, and risk for security breaches for individuals and businesses&amp;nbsp;alike.&lt;/p&gt;
&lt;p&gt;We all understand that data deteriorates along with the physical media it is stored on–photographs fade and hard disks crash. This is why we have backups, or at least should have them. The problem is, unfortunately, not so simple these days as much of our data in the cloud depends on multiple systems and services acting in concert to exist. This means that data may disappear for reasons independent of the physical media, even with backups and&amp;nbsp;replication.&lt;/p&gt;
&lt;p&gt;I think evaporation is a useful analogy for describing the complex array of factors that cause data to disappear–including services going out of business, enforced retention policies, missed subscription payments, malicious deletion, and loss due to system migrations. One new problem is that the loss of modern data often includes not only documents and media on file systems, but also accounts and&amp;nbsp;identifiers.&lt;/p&gt;
&lt;h3&gt;Lost Identifiers = Lost Access = Lost&amp;nbsp;Data&lt;/h3&gt;
&lt;p&gt;It is not a stretch to say our online identifiers are now essential for daily communication. As part of my dissertation research, I began to investigate the lifecycle–selection, increased use, decreased use, discontinuation, and points in between–of online identifiers including email addresses, instant messenger IDs, and social network services. I was particularly interested in what caused people to stop using their identifiers and if it was by choice. I found that often people lost access to identifiers for reasons out of their control, such as account lockouts, account inactivity, and failure to renew subscriptions. There is often a limited window of time before that data begins to evaporate due to account inactivity or missed payments for a&amp;nbsp;service.&lt;/p&gt;
&lt;p&gt;I began to look at the policies from major service providers related to inactive accounts. The policies I found were conflicting, inconsistently presented and followed, and are evolving rapidly. Email services tend to mark accounts inactive, while social networks do not. Paid email accounts do not have activity&amp;nbsp;requirements.&lt;/p&gt;
&lt;p&gt;Here are some of the policies from large providers of webmail and other&amp;nbsp;services:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;AOL: May mark free email account as inactive after 30 days and data may be&amp;nbsp;deleted.&lt;/li&gt;
&lt;li&gt;Gmail: Marks account as inactive after six months. Inactive accounts may still receive email. After nine months of inactivity, addresses may be deleted. Deleted addresses are not recycled or&amp;nbsp;recoverable.&lt;/li&gt;
&lt;li&gt;Hotmail: Microsoft says free Hotmail accounts will become inactive after 270 days or if you do not log in for 10 days after creating the account. Inactive accounts will not receive email. Account names may be deleted after 360 days of inactivity and Windows Live IDs may be deleted after 365 days of inactivity. I also found conflicting documents on the Microsoft site that said Hotmail accounts might be marked inactive after 30 days or 120 days of not logging&amp;nbsp;in.&lt;/li&gt;
&lt;li&gt;Yahoo: Deactivates free email accounts after four months. After this time, accounts may be reactivated, however any existing email is deleted and cannot be&amp;nbsp;recovered.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Security and Recycled&amp;nbsp;Identifiers&lt;/h3&gt;
&lt;p&gt;Depending on the circumstances, services may recycle expired identifiers. This means that old identifiers may have new owners. The consequences may be much more than needing a new email address after forgetting to renew a domain name or the loss of a loved one’s letters after an account becomes inactive. There are serious security and privacy implications ranging from potential identity theft to corporate&amp;nbsp;espionage.&lt;/p&gt;
&lt;p&gt;If your old email address ends up with a new owner, that new owner will receive any email that was once destined for you. Why is this a problem? Suppose that email address was listed as the primary address or the recovery address for another account. Most systems send either one-time links to reset passwords, or worse, the password in plain text to the primary or recovery email address. Unfortunately, people tend to reuse passwords across accounts. It is also not uncommon for people to list the older email address as the recovery address for a newer email account, meaning it would be possible to reset the password for a new account as well. Gaining access to an individual’s primary email account is the key to gaining access to most other&amp;nbsp;accounts.&lt;/p&gt;
&lt;p&gt;This is not a theoretical problem. In 2009, Twitter’s internal systems were compromised when an attacker systematically evaluated Twitter employees’ personal accounts looking for potential points of access. The attacker realized that one employee had registered a Gmail account using a Hotmail account that had since been marked&amp;nbsp;inactive. &lt;/p&gt;
&lt;p&gt;Hotmail recycled the Twitter employee’s account as it had been inactive more than a year, and so the attacker simply registered the old username and then used it to reset the current Gmail password. The attacker then found messages in the Gmail account that contained plain text passwords, correctly guessed that the password had also been the Gmail password, and simply reset the password to the old password to remain unnoticed. The hacker then used his access to the Gmail account and passwords to compromise other personal accounts of the employee and then those of other employees. One compromise led to another and eventually the hacker gained access to internal Twitter systems. He downloaded hundreds of internal documents, posted screen shots proving his exploits and released more than 300 internal documents to&amp;nbsp;TechCrunch.&lt;/p&gt;
&lt;h3&gt;Domain&amp;nbsp;Names&lt;/h3&gt;
&lt;p&gt;The rules and policies under which domain names expire and may be transferred to other parties are complex and vary widely by registrar, TLD, and ccTLD, but in general the process takes not much more than two months, and after two to three months the domain will be resold. Here is a brief overview to give you a sense of the time frame and the complications related to expiring domain&amp;nbsp;names.&lt;/p&gt;
&lt;p&gt;When the owner of a domain fails to pay, the domain is typically assigned an “Expired” status usually lasting between 30 and 45 days. During this time the domain is usually renewable, but may not be accessible or transferable. Afterwards the domain enters what is known as the Redemption Grace Period (RGP), which is 30 days. Individual details are removed from the WHOIS database and the DNS records are deleted, so the domain is inaccessible. During the RGP, no edits or transfers are allowed, although the domain may be restored by paying the registrar a fee of $100-$250 USD. After this time, the domain is assigned a “Pending Delete” status, which lasts for five days. At the end of this period, the domain is generally either placed up for auction or released to the general registration&amp;nbsp;pool.&lt;/p&gt;
&lt;p&gt;Once a domain is reregistered, the new domain owner may create addresses and Web pages that match the old ones. Domains of defunct businesses may have hosted many email accounts. As with the Twitter breach, these accounts could potentially lead to the compromise of other&amp;nbsp;accounts.&lt;/p&gt;
&lt;h3&gt;Risk&amp;nbsp;Analysis&lt;/h3&gt;
&lt;p&gt;The following are some risks to consider, and a few thoughts on how to mitigate those&amp;nbsp;risks.&lt;/p&gt;
&lt;h3&gt;Potential&amp;nbsp;Risks&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;A complex web of interlocking accounts and systems may affect your risk of a security&amp;nbsp;breach.&lt;/li&gt;
&lt;li&gt;Do not disregard the risk of “low value” accounts, as they may allow access to more sensitive&amp;nbsp;accounts.&lt;/li&gt;
&lt;li&gt;Inactive accounts may introduce as much liability as accounts with weak&amp;nbsp;passwords.&lt;/li&gt;
&lt;li&gt;Best practices may demand a clear separation of business and personal accounts and data, but there are often lapses in the real&amp;nbsp;world.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Suggestions to Mitigate&amp;nbsp;Risk&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;Document usernames and recovery addresses for each&amp;nbsp;account.&lt;/li&gt;
&lt;li&gt;Set recurring calendar tasks for account renewal payments and to log into infrequently used&amp;nbsp;accounts.&lt;/li&gt;
&lt;li&gt;Consider purchasing a subscription for infrequently used email accounts used as recovery&amp;nbsp;addresses.&lt;/li&gt;
&lt;li&gt;Consider using a password manager to generate and store unique strong passwords for each&amp;nbsp;site.&lt;/li&gt;
&lt;li&gt;Services should never send passwords in plain&amp;nbsp;text.&lt;/li&gt;
&lt;li&gt;Services should not allow password changes to recently used&amp;nbsp;passwords.&lt;/li&gt;
&lt;li&gt;Services should offer more notification options about accounts with a pending inactive or deleted&amp;nbsp;status.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
You should &lt;a href="http://twitter.com/bengross"&gt;follow me on Twitter&lt;/a&gt;.&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/category/authors/ben-gross">Ben Gross</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/data-breach-protection">Data Breach Protection</category>
 <pubDate>Wed, 01 Dec 2010 10:50:55 +0000</pubDate>
 <dc:creator>Ben Gross</dc:creator>
 <guid isPermaLink="false">28751 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/data-evaporation-and-security-recycled-accounts</feedburner:origLink></item>
  <item>
    <title>SHORT TAKES: GSA Data Breach; Military Mobile Healthcare; Online Banking Security; Zuckerberg on Facebook Mail</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/G1meuUSmzPM/short-takes-gsa-data-breach-military-mobile-healthcare-online-banking-security-zuckerberg-face</link>
    <description>&lt;h3&gt;Data Breach Sends GSA Employees on&amp;nbsp;Alert&lt;/h3&gt;
&lt;p&gt;A GSA employee sent the
names and social security numbers of the agency’s entire staff to a private
email address. The &lt;em&gt;San Francisco Chronicle&lt;/em&gt; reports that the GSA apologized to
its employees for the incident and is paying for employees to enroll in a
one-year program to monitor their credit reports, along with up to $25,000 USD
in identity theft insurance coverage. The GSA says that the employee sent the
file&amp;nbsp;accidentally.&lt;/p&gt;
&lt;p&gt;&amp;#8211;&amp;#8211;&amp;#8211;&lt;/p&gt;
&lt;h3&gt;Wounded Military Benefit from Mobile&amp;nbsp;Healthcare&lt;/h3&gt;
&lt;p&gt;Following the
completion of a one-year pilot program using &lt;a href="http://www.diversinet.com/"&gt;Diversinet’s MobiSecure Health
platform&lt;/a&gt;, the U.S. Army is expanding its mCare telehealth-outreach program for
members of the military recovering from mild traumatic brain injuries (TBI) and
other wounds. The Army hopes to hasten the recovery and track the progress of
as many as 10,000 patients who return home or to community-based transition
units following initial recuperation in military medical facilities. The
application lets users store all of their essential healthcare information on
their mobile phones, and securely send and receive healthcare-related&amp;nbsp;messages.&lt;/p&gt;
&lt;p&gt;&amp;#8211;&amp;#8211;&amp;#8211;&lt;/p&gt;
&lt;h3&gt;Safety Concerns Limit Online Banking&lt;/h3&gt;
&lt;p&gt;A recent survey shows that 1
in 3 people don’t use online banking because they are concerned with safety,
and that almost 50 percent are wary of online banking.&amp;nbsp;Source: &lt;a href="http://www.avira.com"&gt;Avira&lt;/a&gt;&amp;nbsp;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;20.5 percent - I feel secure in my
online&amp;nbsp;banking.&lt;/li&gt;
&lt;li&gt;48.5 percent - I do online banking, but I’m
concerned about the increase of Internet&amp;nbsp;crime.&lt;/li&gt;
&lt;li&gt;31 percent - I never do online banking, due to
security concerns. Instead, I go to the&amp;nbsp;bank.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&amp;#8211;&amp;#8211;&amp;#8211;&lt;/p&gt;
&lt;p&gt;“This is not an email killer. This is a messaging
system that includes email as one part of it. We don&amp;#8217;t expect anyone to wake up
tomorrow and say, &amp;#8216;I&amp;#8217;m going to shut down my Yahoo Mail or Gmail account, and
switch to&amp;nbsp;Facebook.&amp;#8217;&amp;#8221;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Facebook CEO Mark Zuckerberg
on the company’s recent announcement of a new service intended to unify email,
instant messaging, text messaging and its existing message system in a
&amp;#8220;social inbox,&amp;#8221; intended to be a hub for all its users&amp;#8217; online&amp;nbsp;communications.&lt;/em&gt;&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/category/authors/messaging-news-staff">Messaging News staff</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/data-breach-protection">Data Breach Protection</category>
 <category domain="http://www.messagingnews.com/mobile-devices">Mobile Devices</category>
 <category domain="http://www.messagingnews.com/tag/avira">Avira</category>
 <category domain="http://www.messagingnews.com/tag/tags/diversinet">Diversinet</category>
 <category domain="http://www.messagingnews.com/tag/tags/short-takes">Short Takes</category>
 <pubDate>Wed, 15 Dec 2010 01:16:25 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">29207 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/short-takes-gsa-data-breach-military-mobile-healthcare-online-banking-security-zuckerberg-face</feedburner:origLink></item>
  <item>
    <title>We're All Sheriffs in the Land of the Walking Dead: The Botnet Fight</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/SDLDVHkZlew/were-all-sheriffs-land-walking-dead-botnet-fight</link>
    <description>&lt;p&gt;“Wake up!” Or so one might want to shout at those enterprise network operators and IT managers who consistently act as if their operations were islands unto themselves. These are the mavericks that ignore industry best practices and go their own way, believing their networks immune to zombies or bot infections, and who disregard the lessons learned by their&amp;nbsp;peers.&lt;/p&gt;
&lt;p&gt;The sad reality is that we all suffer once zombies or bots find their way onto these susceptible networks or Web sites. The bot-delivered malware that ends up surreptitiously installed on users’ computers is a finely tuned parasite, capable of stealing valuable informational assets such as personal identity records or credit card numbers. The bot then turns the computer into an efficient spam machine, sending abusive email just under the network operator’s radar and often launching highly-targeted phishing expeditions&amp;#8212;all without the computer owner’s permission or knowledge. Enterprises and their banking operations are being precisely targeted by malware such as Zeus and SpyEye, which is designed for, and is very successful in, compromising banking credentials, thereby gaining access to corporate bank accounts and stealing millions of&amp;nbsp;dollars.&lt;/p&gt;
&lt;p&gt;Spam from bot-infected computers clogs the Internet and is often loaded with malicious code aimed at other unsuspecting users. According to metrics aggregated by the &lt;a href="http://www.maawg.org"&gt;Messaging Anti-Abuse Working Group (MAAWG)&lt;/a&gt;, almost 90 percent of all email traffic on the Internet is abusive. Together with social engineering and compromised Web sites, spam is one of the most important ways to get end-user machines compromised with&amp;nbsp;malware.&lt;/p&gt;
&lt;p&gt;Beyond the personal and business setbacks it spawns, abusive messaging also has become a huge budgetary drain. &lt;a href="http://www.ferris.com"&gt;Ferris Research, Inc.&lt;/a&gt; estimated that spam cost the U.S. $42 billion in 2009. This is just slightly less than the $40 billion that &lt;a href="http://www.globalissues.org/article/26/poverty-facts-and-stats"&gt;globalissues.org&lt;/a&gt; calculates it would cost to provide universal access to basic social services in all developing countries. Ferris puts the worldwide outlay for spam last year at more than three times this amount, around $130 billion&amp;nbsp;globally.&lt;/p&gt;
&lt;p&gt;Given the scope of the problem, no one entity alone can stop bots or the resulting spam they generate. Creating a safe online environment is the responsibility of all of us who have an interest in the free exchange of information. This includes network operators and email providers, industry vendors, corporate networks, small business users, and yes, even end-users. We all have a role to play in protecting the&amp;nbsp;Internet.&lt;/p&gt;
&lt;h2&gt;Taking a&amp;nbsp;Stand&lt;/h2&gt;
&lt;p&gt;The first priority for end-users is to learn good computing habits and to understand the dangers inherent in spam. Half of the email users in North America and Western Europe opened or accessed spam last year, according to the 2010 MAAWG Email Security Awareness and Usage Survey. Tens of millions clicked on links or opened attachments that could leave their computers vulnerable to a bot. As long as users continue to interact with spam, and as long as spam remains a profitable commerce model, the cybercriminals will be open for&amp;nbsp;business.&lt;/p&gt;
&lt;p&gt;In some respects, battling spam and cybercrime is a never-ending arms race. As soon as the industry identifies a bot or a cleverly devised phishing scheme, the cybercriminals quickly morph the code or change their mode of operation, making the malware more difficult to detect. We have to remember that in the time of open source and Internet standards, the tools available to the good guys are just as easily used by the bad guys&amp;nbsp;too.&lt;/p&gt;
&lt;p&gt;Yet, there are definite remedies in sight. From the industry’s perspective, one of the best weapons in this battle is the development of generally accepted procedures and tactics. Industry best practices tackle the thorny issues that require a broad, consensus approach to problem solving. They incorporate the industry’s collective wisdom on avoiding common mistakes and how to provide a better online experience for users. Best practices are guidelines freely offered by the industry to be voluntarily applied within a relevant organization’s strategic and technical&amp;nbsp;framework.&lt;/p&gt;
&lt;p&gt;The question any enterprise or business should be asking is not if it should implement anti-abuse best practices. Given the enormous cost and risk associated with spam and bots, the question is why would an organization not make adopting best practices a priority? Many of these practices cost next to nothing to implement, in many cases just requiring simple configuration changes or minor modifications to working&amp;nbsp;practices.&lt;/p&gt;
&lt;h2&gt;Best Practices Illuminate Industry’s Shared&amp;nbsp;Knowledge&lt;/h2&gt;
&lt;p&gt;Industry associations like MAAWG bring together representatives from all perspectives to work out solutions to common problems. As a result, the best practices developed through MAAWG tend to be more balanced rather than advancing a specific company’s or business sector’s interests. For example, many of the bulk senders in MAAWG worked closely with our network operator members to understand all sides of the issues when developing the MAAWG best practices for email marketers. Likewise, ISPs talked with abuse desk professionals in developing the best practices for notifying users when they have a bot on their computer and in addressing other issues related to remediation of infected machines, which often are placed in walled&amp;nbsp;gardens.&lt;/p&gt;
&lt;p&gt;Best practices also help to clarify the processes and technological strategies proven to be most effective in combating abuse. They often spell out common steps abuse and IT managers can take to better serve end users. MAAWG recently issued the first best practices aimed at providers of Web messaging systems. Among the recommendations were several well-known tactics that might otherwise be undervalued by Web messaging developers, such as auditing user account metrics and requiring registration before users can post or send&amp;nbsp;messages.&lt;/p&gt;
&lt;p&gt;The outcome of the effort within organizations like MAAWG to develop best practices is that smaller enterprises or regional operators have access to the broader and more varied experience of larger companies. These larger operations, with access to more resources and higher R&amp;amp;D budgets to invest in anti-abuse strategies, willingly share their knowledge and expertise to help advance the&amp;nbsp;industry.&lt;/p&gt;
&lt;p&gt;The only way to take down zombies, bots and spam is through this type of socially responsible action. By working together to protect the Internet and users’ online experience, we all profit. To that end, we have all been deputized in the Internet&amp;nbsp;posse.&lt;/p&gt;
&lt;p&gt;&amp;#8212;&lt;/p&gt;
&lt;h2&gt;About Michael&amp;nbsp;O’Reirdan&lt;/h2&gt;
&lt;p&gt;Michael O’Reirdan is serving his third term as chairman of the Messaging Anti-Abuse Working Group (MAAWG), the industry’s largest global trade association that works against messaging spam, viruses, denial-of-service attacks and other online exploitation. Professionally, O’Reirdan is a Distinguished Engineer at a major ISP in North America with over 18 years of experience in the ISP field and with public facing messaging platforms. He has served on executive advisory boards for several major computer vendors and academic institutions and is active in other industry&amp;nbsp;organizations.&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/author/michael-o-reirdan-chairman-messaging-anti-abuse-working-group-maawg">Michael O’Reirdan -- Chairman; Messaging Anti-Abuse Working Group (MAAWG)</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/anti-phishing">Anti-Phishing</category>
 <category domain="http://www.messagingnews.com/botnet-detection">Botnet Detection</category>
 <category domain="http://www.messagingnews.com/internet-worm-protection">Internet Worm Protection</category>
 <category domain="http://www.messagingnews.com/tag/maawg">MAAWG</category>
 <pubDate>Mon, 22 Nov 2010 18:36:26 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">28558 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/were-all-sheriffs-land-walking-dead-botnet-fight</feedburner:origLink></item>
  <item>
    <title>SharePoint 2010 for Collaboration: Something Old, Something New, Something Blue</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/-OiouGseAwU/sharepoint-2010-collaboration-something-old-something-new-something-blue</link>
    <description>&lt;p&gt;It&amp;#8217;s been
over a year since Microsoft announced the details of &lt;a href="http://sharepoint.microsoft.com"&gt;SharePoint 2010&lt;/a&gt;, and now
six months since the product has been on the market. SharePoint 2010 is a
substantial update to the SharePoint product, with new capabilities and
enhancements strewn throughout the code. Microsoft has continued its policy of
tightly linking the latest release of the Office productivity suite with
capabilities in SharePoint 2010 too, in order to drive uptake. In this article,
I look at the collaboration capabilities of SharePoint 2010&amp;#8212;what&amp;#8217;s old,
what&amp;#8217;s new, and what&amp;#8217;s&amp;nbsp;blue.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Something&amp;nbsp;Old&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Collaboration&amp;#8212;providing specific software capabilities to support people working together
on common projects and activities&amp;#8212;has always been central to the technology
of SharePoint. If we look back a decade, the 2001 edition of SharePoint was
composed of two parts. The first was &amp;#8220;SharePoint Team Services,&amp;#8221; and
the second was the Portal. Team Services laid the foundation for the
collaboration capabilities&amp;#8212;sites, lists, and libraries&amp;#8212;that have
continued over the subsequent four releases. Of course new capabilities have
been added in other areas, such as search starting from SharePoint 2003, and
content management and business intelligence making a first appearance in
SharePoint&amp;nbsp;2007.&lt;/p&gt;
&lt;p&gt;However, we
should call out a change in ethos with the collaboration support in SharePoint.
While SharePoint has always been about supporting teams and groups in their
collaborative activities, both SharePoint 2007 and 2010 include a much greater
focus on organizational or social collaboration. Profiles, shared wikis for
collective intelligence, and Twitter-style updates in SharePoint 2010 are all
part of this added&amp;nbsp;focus. &lt;/p&gt;
&lt;p&gt;Collaboration
is also the most commonly-embraced SharePoint capability by organizations.
Three different surveys published in August 2010 report that collaboration was
the number one active use case for organizations using SharePoint; the surveys
were from Colligo Networks, Global360, and The Michael Sampson Company. For
historical purposes, if we look back two years, the data for the &lt;em&gt;Global
Intranet Strategies Survey 2009&lt;/em&gt; reported the same finding. Supporting collaboration
between people is clearly firmly entrenched in organizations with&amp;nbsp;SharePoint.&lt;/p&gt;
&lt;p&gt;Before we
turn our attention to the new collaboration capabilities in SharePoint 2010,
it&amp;#8217;s important to note that governance for collaboration with SharePoint
remains a critical issue. For example, in a survey I recently conducted on what
organizations did with project or team collaboration sites in SharePoint at the
end of the project, over 70 percent of respondents said their organization had
no site closure policy. Sites were left in place after the project had
finished, and there was no active management of the content therein or
associated risk. We have had this problem with earlier collaboration
technologies (think Lotus Notes for example) and have
learned that failing to close sites will lead to significant problems&amp;nbsp;downstream. &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Something&amp;nbsp;New&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Microsoft
added new collaboration capabilities to SharePoint 2010, or capabilities that
greatly aid in SharePoint&amp;#8217;s ability to support collaboration between people.
The three key additions in my opinion are Managed Metadata Services, SharePoint
Workspace, and content scalability. Let&amp;#8217;s look at each in&amp;nbsp;turn.&lt;/p&gt;
&lt;p&gt;Managed
Metadata Services enables everyone across the organization to speak the same
language. Classification of documents draws from the same set of terms. Country
names, city names, business unit descriptors, customer classifications&amp;#8212;all
of these can share a vocabulary so similarities and differences between items
can be intentionally set, not unintentionally&amp;nbsp;propagated. &lt;/p&gt;
&lt;p&gt;SharePoint
Workspace 2010 provides the ability for users to take SharePoint site content
offline, with full-fidelity synchronization and conflict checking. SharePoint
Workspace is the update for Office 2010 of the Groove technology, acquired by
Microsoft in 2005. The initial Microsoft Groove product, in the 2007 wave,
offered only the ability to take document libraries offline from SharePoint.
With the 2010 update, most lists and libraries can be taken offline, with the calendar
and wiki being two exclusions. Users now have much better support for
out-of-the-office and mobile work styles, a reality for many information
workers. SharePoint Workspace 2010 is one of the applications included in
Microsoft Office Professional Plus 2010. Third-party vendors such as Colligo
Networks have offered offline clients for SharePoint for some years, and while
SharePoint Workspace meets a broad set of requirements, IT organizations should
still do a feature-by-feature evaluation between SharePoint Workspace and
alternatives before deciding on their particular&amp;nbsp;approach. &lt;/p&gt;
&lt;p&gt;SharePoint
2010 offers much improved content scalability. Document libraries in SharePoint
2007 had a recommended limit of 2,000 items in a view, which led to unnatural
acts being done to work around this limitation. Microsoft claims this limit has
been blown away in SharePoint 2010, with the ability to now scale to 50 million
items! Whether it really is 50 million or not remains to be seen in customer
situations, but regardless, there&amp;#8217;s a big difference between 2,000 and 50&amp;nbsp;million.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Something&amp;nbsp;Blue&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;There is no
escaping the color blue in SharePoint 2010! The colorful MOSS 2007 pie has
given way to an all-blue pie with SharePoint 2010; it looks much more staid and
corporate, illustrating perhaps that SharePoint is growing up. But beyond the
actual color, blue can denote feelings or reactions - the reaction of
&amp;#8220;cool&amp;#8221; or the feeling of being&amp;nbsp;&amp;#8220;depressed.&amp;#8221; &lt;/p&gt;
&lt;p&gt;Some of the
new collaboration capabilities in SharePoint 2010 are cool - no doubt about it.
Office Web Apps enables real-time collaboration between people using Office
2010 or a browser. With Word 2010, the dreaded &amp;#8220;Checked Out&amp;#8221;
notification can be gone for good, since multiple people can open and edit a
Word document simultaneously. With paragraph-level locking and paragraph-level
in-document presence notification, Microsoft has taken a great first step with
real-time collaboration. Excel spreadsheets can also be shared between multiple
users in real-time, with cell-level locking in place. Based on a couple of
early adopter experiences, there could be a 10-20 percent efficiency gain
available by getting rid of document co-authoring using check-in and&amp;nbsp;check-out.&lt;/p&gt;
&lt;p&gt;A second
cool aspect of SharePoint 2010 is the softening of the Enterprise licensing
requirements. Microsoft&amp;#8217;s hard line approach in SharePoint 2007 of requiring
everyone to be licensed for Enterprise if only one person required
Enterprise-level capabilities has given way to user-level licensing. Only those
users who require the Enterprise capabilities have to be provisioned for an
Enterprise license; everyone else can have Standard. Part of making this
approach work involved shifting away from two separate installations for
SharePoint Server&amp;#8212;a Standard installation and an Enterprise installation in
the 2007 wave. With 2010, it&amp;#8217;s a single server installation, and depending on
which license the user has, they are presented with Standard or
Enterprise&amp;nbsp;features.&lt;/p&gt;
&lt;p&gt;Blue can
also mean depressed, and I continue to shake my head in disbelief over the poor
integration between Outlook 2010 and SharePoint 2010. Simple things like the
inability to drag-and-drop an email from Outlook to a connected SharePoint
document library are beyond belief&amp;#8212;there are third-party offerings that
provide this functionality, but surely after 10 years on the market, this
should be a standard capability from Microsoft. More complex integrations like
seamless calendaring between Outlook and SharePoint also remain unresolved by
Microsoft. Of course no technology is perfect, but when Microsoft controls both
products, and there are natural points of integration between the two, doing a
half-baked job is&amp;nbsp;inexcusable.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;User&amp;nbsp;Adoption&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;
SharePoint 2010 includes a lot that is new
and improved on the collaboration side, and the people I speak with at
organizations are very keen to get their hands on the new capabilities. As with
any technology, features and functions are merely opportunities for doing work
in a different way, so IT organizations and departments need to create strong
engagement strategies for exploring fitness to task with their business
department clients. Once opportunities for improving business activities have
been identified, they then need to cultivate various user adoption strategies
to ensure that the hoped-for-value translates into&amp;nbsp;delivered-value.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;#8212;&lt;/p&gt;
&lt;p&gt;Messaging News writer Michael Sampson advises organizations on Making
Collaboration Work. He blogs at &lt;a href="http://currents.michaelsampson.net"&gt;currents.michaelsampson.net&lt;/a&gt; and can be reached at &lt;span class="spamspan"&gt;&lt;span class="u"&gt;michael&lt;/span&gt; [at] &lt;span class="d"&gt;michaelsampson [dot] net&lt;/span&gt;&lt;/span&gt;. His latest book, “&lt;em&gt;User Adoption Strategies:
Shifting Second Wave People to New Collaboration Technology&lt;/em&gt;” was published in
June, and is available from &lt;a href="http://www.michaelsampson.net/useradoption.html"&gt;http://www.michaelsampson.net/useradoption.html&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/category/authors/michael-sampson">Michael Sampson</category>
 <category domain="http://www.messagingnews.com/enterprise-collaboration">Enterprise Collaboration</category>
 <category domain="http://www.messagingnews.com/sharepoint">SharePoint</category>
 <pubDate>Thu, 11 Nov 2010 02:21:29 +0000</pubDate>
 <dc:creator>Michael Sampson</dc:creator>
 <guid isPermaLink="false">27974 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/sharepoint-2010-collaboration-something-old-something-new-something-blue</feedburner:origLink></item>
  <item>
    <title>Go Beyond User Education</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/zGIfaAk-vss/go-beyond-user-education</link>
    <description>&lt;div class="fb-social-like-widget"&gt;&lt;fb:like  href="http://www.messagingnews.com/story/go-beyond-user-education" send="false" layout="box_count" show_faces="false" width="55" action="like" font="arial" colorscheme="light"&gt;&lt;/fb:like&gt;&lt;/div&gt;&lt;div class="tweetbutton"&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button"  data-count="vertical" data-via="messagingnews" data-related="messagingnews:messagingnews" data-text="" data-counturl="http://www.messagingnews.com/story/go-beyond-user-education" data-url="http://www.messagingnews.com/story/go-beyond-user-education" data-lang="en"&gt;Tweet&lt;/a&gt;&lt;/div&gt;&lt;p&gt;Ian Moyse, channel director for Webroot Software, Inc. is wary of policy that puts too much emphasis on user education, when it comes to securing an organization’s data and messaging systems. “What I have seen recently is a number of articles that I disagree with that says this is about user education. I do think there is an element of user education you can do in a business as duty of care, showing examples of the bad things that can happen on Facebook, but it is very hard to change people’s behavior.” He draws an analogy to speeding in a car. “You can’t get them to not speed on the road, even with road safety campaigns, police, etc, it still happens. You cannot rely on just educating users, especially when things change so quickly. Facebook wasn’t even around a few years ago. Definitely
 educate them, but how often can you do it? Monthly? The technology moves so quickly&amp;nbsp;now.”&lt;/p&gt;
&lt;p&gt;Moyse recommends starting with an acceptable use policy. Define, update and maintain a good acceptable use policy. Communicate it electronically. Maybe it is a link that can be easily updated, and that lets you as a business take action if an employee does something&amp;nbsp;wrong.&lt;/p&gt;
&lt;p&gt;Next, have some sort of education, but understand that it has limitations within the business. “Tell them you can’t use Facebook in this way, show them examples of the horror stories that have&amp;nbsp;happened.”&lt;/p&gt;
&lt;p&gt;Finally, Moyse believes organizations need some technology in place to police what is going on. “Get the balance right, you can’t be big brother to users, because it will have a negative impact on your technical team, everyone will hate working for you because of everything they can’t do. But you need to have some limitations, so it might be ‘you can go to certain Web sites, you can view the content, but you can’t download executables or movies. So we aren’t taking away everything from you totally, but there is an element of you can’t do everything’. The trick is striking the balance, take some away, but not&amp;nbsp;all.”&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/author/stephanie-jordan">Stephanie Jordan</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/acceptable-use-policy">Acceptable Use Policy</category>
 <category domain="http://www.messagingnews.com/tag/user-education">User Education</category>
 <pubDate>Tue, 30 Nov 2010 15:56:20 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">28877 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/go-beyond-user-education</feedburner:origLink></item>
  <item>
    <title>From Outer Space to Earth: Managed File Transfer at the Speed of Light</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/_WAcS2NFRAo/outer-space-earth-managed-file-transfer-speed-light</link>
    <description>&lt;p&gt;Permanently attached to the &lt;a href="http://www.esa.int/esaHS/ESAFRG0VMOC_iss_0.html"&gt;International Space Station (ISS)&lt;/a&gt;&amp;#8212;the highest and fastest research facility in the world&amp;#8212;the European Columbus Laboratory specializes in fluid physics and material and life science&amp;nbsp;research.&lt;/p&gt;
&lt;p&gt;Over the next few years, astronauts in the laboratory will dedicate their research to collecting and generating data on musculoskeletal, biomechanical and neuromuscular human physiology, with the goal of better understanding the effects of microgravity on the muscular&amp;nbsp;system.&lt;/p&gt;
&lt;h2&gt;The&amp;nbsp;Challenge&lt;/h2&gt;
&lt;p&gt;At the heart of the European Columbus Laboratory’s research into the muscular system is data&amp;#8212;and lots of it. Astronauts working onboard the ISS expect to collect hundreds of megabytes of data for each research session they complete. With the team operating in outer space, the research crew needed a secure way to share information between scientists in space, and back down to&amp;nbsp;Earth.&lt;/p&gt;
&lt;p&gt;Transferring scientific data from the ISS located 250 miles high to research facilities on Earth is incredibly complex. First, the data collected and stored on the MARES (Muscle Atrophy Research and Exercise System) research hard drive must be transferred through space to a monitoring laptop used by astronauts. Then, through the ISS’s ground link capability, the research is transferred down to Cadmos, the scientific support facility at the Centre National d’Etudes Spatiales, Toulouse, France, which is responsible for monitoring the experiments here on&amp;nbsp;Earth.&lt;/p&gt;
&lt;p&gt;The ISS needed a solution that&amp;nbsp;could:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Provide the highest levels of automation and speed to enable astronauts to quickly and easily share&amp;nbsp;information&lt;/li&gt;
&lt;li&gt;Protect sensitive scientific findings, as well as medical or private&amp;nbsp;data&lt;/li&gt;
&lt;li&gt;Move large volumes of data&amp;nbsp;quickly&lt;/li&gt;
&lt;li&gt;Ensure system&amp;nbsp;reliability&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;“Our astronauts have a limited amount of time to complete critical and extensive research,” says Alain Maillet, Cadmos engineer. “They simply don’t have time to waste navigating file transfer failures.”&lt;/p&gt;
&lt;h2&gt;The&amp;nbsp;Solution&lt;/h2&gt;
&lt;p&gt;After evaluating several network file transfer solutions, the MARES equipment manufacturer selected &lt;a href="http://www.IpswitchFT.com"&gt;Ipswitch&lt;/a&gt;’s WS_FTP server and uploaded the software onto the Russian Progress spacecraft bound for the International Space Station. Ipswitch’s server was the only solution that could provide the simplicity, speed, security and automation needed to handle the MARES’s file&amp;nbsp;transfers.&lt;/p&gt;
&lt;p&gt;Through Ipswitch’s server, the scientific data transferred between astronauts in space and back down to Earth is fully secure with 256-bit AES encryption and file integrity validation. Additionally, the WS_FTP server automates the entire transfer process, including essential post-file transfer actions like deleting, archiving, moving and renaming file&amp;nbsp;sources.&lt;/p&gt;
&lt;h2&gt;Results&lt;/h2&gt;
&lt;p&gt;The MARES equipment is being commissioned for the next three years. Over the course of the research and experiments, MARES will use Ipswitch’s WS_FTP server for secure and reliable network file transfer. Having uploaded the software to the station, researchers expect Ipswitch’s tool to speed file transfers, improve data security and streamline&amp;nbsp;operations.&lt;/p&gt;
&lt;p&gt;&amp;#8212;&lt;/p&gt;
&lt;h2&gt;About the International Space&amp;nbsp;Station&lt;/h2&gt;
&lt;p&gt;The International Space Station is an internationally developed research facility, located 250 miles high in space. With a unique
microgravity environment, the ISS serves as a primary research laboratory for the advanced study of space medicine, physical sciences, life sciences, meteorology and&amp;nbsp;astronomy.&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/category/authors/messaging-news-staff">Messaging News staff</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/category/tags/ipswitch">Ipswitch</category>
 <category domain="http://www.messagingnews.com/tag/tags/managed-file-transfer">Managed File Transfer</category>
 <pubDate>Mon, 22 Nov 2010 00:29:49 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">28557 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/outer-space-earth-managed-file-transfer-speed-light</feedburner:origLink></item>
  <item>
    <title>Social Media Grows Up: Connecting Email and Social Marketing</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/Rgt7gW7IaEc/social-media-grows-connecting-email-and-social-marketing</link>
    <description>&lt;p&gt;Chances are you are a friend, a fan or a follower. Social networking tools like Facebook, LinkedIn, Twitter, and others have become a part of our electronic communications toolbox. As the original adopters of social media enter the workplace and the channel itself matures, the interest in using the medium for business purposes has increased. A 2010 Annual Collaborative Internet Survey published earlier this year by &lt;a href="http://www.facetime.com/"&gt;FaceTime Communications&lt;/a&gt; revealed that 61 percent of end-users access social media sites at least once per day, with 15 percent admitting to visiting social media sites “constantly throughout the day”. It appears from the study that social media use is not contained to just a few in the workplace as 95 percent of employees use social media for work or personal reasons. FaceTime reports that Facebook, LinkedIn and Twitter are particularly popular business tools because of their ability to contact prospects, screen job candidates, promote events and extend business&amp;nbsp;communications.&lt;/p&gt;
&lt;p&gt;Social media in the workplace is expanding the outreach of companies in ways not available previously. There are some friends, followers and fans (and media hype) that say it is better than email to the extent that some claim it will replace email, but don’t cue Buggles’ “Video Killed the Radio Star” just yet. Many email marketing experts believe that social is the best thing that could have happened to email marketing. Stephanie Miller, vice president global market development, &lt;a href="http://www.returnpath.net/"&gt;ReturnPath&lt;/a&gt; holds such a belief and notes that there have been many challenges to email marketing over the years, spam being a primary one. Miller thinks that email marketers should not fear social media, but embrace it. “I know it sounds ironic because everyone is always saying that social is going to kill email, but I think the social revolution has created very empowered consumers, and those consumers are not just able to voice their opinions, they are &lt;em&gt;willing&lt;/em&gt; to voice their opinions, they &lt;em&gt;want&lt;/em&gt; to. They are ennobled by&amp;nbsp;it.”&lt;/p&gt;
&lt;h2&gt;It’s Not Email Vs.&amp;nbsp;Social&lt;/h2&gt;
&lt;p&gt;One of the first things a savvy email marketer needs to understand is that it is not an either/or situation. “There have been so many salacious stories in the press of late that say email is dead or proclaim the death of email and that social is replacing it. But it’s certainly not true at all,” says David Daniels, CEO of &lt;a href="http://www.relavancygroup.com/"&gt;The Relevancy Group&lt;/a&gt; and former Forrester Research analyst. “You have to remember that you need an email account to have a social networking account to pay your bills online, and when you have social interactions, there is an email communication. Social has driven even greater email volume to the inbox, which consumers or the people you are targeting have to wade&amp;nbsp;through.”&lt;/p&gt;
&lt;p&gt;Many businesses seem to be experimenting with social media in a rudimentary way, as Miller observes: “There are a lot of people that have Facebook pages, but that doesn’t mean that they are creating a great customer experience.” To do that, most online marketing experts recommend not replacing the email channel with social media, but rather integrate social into overall online marketing&amp;nbsp;strategies.&lt;/p&gt;
&lt;p&gt;In witnessing the first wave of social marketing by businesses, Simms Jenkins, CEO of &lt;a href="http://www.brightwavemarketing.com/"&gt;BrightWave Marketing&lt;/a&gt;, describes efforts at integrating social into email programs as being “a pretty elementary one where marketing folks are adding buttons at the bottom of their email like ‘forward to a friend’ that no one really uses. I think people have done that to sort of keep upper management at bay to say: ‘Yes, we are doing that’ but at the end of the day, it is not really the most compelling user experience or just from an integration level it is not really integration. It is just putting a button there. It is better than nothing, but people don’t really respond to it. What we have seen so far is pretty minor jumps into the whole email and social&amp;nbsp;integration.”&lt;/p&gt;
&lt;h2&gt;How Email and Social Can Work&amp;nbsp;Together&lt;/h2&gt;
&lt;p&gt;A common marketing mistake is treating email and social too differently. “Figure out how to integrate these marketing channels, instead of isolate them,” recommends Jenkins. “The easiest thing to say is: ‘I’m not going to do this anymore, I am going to do this instead.’ That is pretty foolish, unless you know that whatever you are removing definitely doesn’t work, and that it is not something people care about. Removing email and replacing it with other channels is foolish unless you are losing money with your email programs, which is pretty hard to do, or if you don’t have any subscribers&amp;nbsp;left.”&lt;/p&gt;
&lt;p&gt;What are the best ways to integrate social media and email marketing? Begin by taking a look at the similarities, suggests Miller. “There are a number of similarities between the two channels&amp;#8212;for one they both have the perception of being free or very inexpensive, but they’re not. Social has a cost in terms of time and resources of employees and content creation. Email is perceived to be very inexpensive, but if you are doing it well, you really need to make an investment, if you want to create actual subscriber-level experiences, rather than batch and blast,” she says. “Another thing they have in common: both are driven by content. The content that you create for your email program is something that becomes an asset for your social program and vice-versa. Content that your employees create for Twitter feeds, or Facebook pages or promotions that are put into communities, or even the customer service Q &amp;amp; A that happens in a community&amp;#8212;all this is great content for the email&amp;nbsp;program.”&lt;/p&gt;
&lt;p&gt;Daniels agrees that integration over silos is the right approach. “We see social as additive,” he says. Daniels believes direct marketing should incorporate all channels: online, offline, email, social, mobile, with a traditional database marketing foundation&amp;#8212;all centered on data. “A lot of the tactics that you need to apply in social or mobile are the same as direct marketing tactics. You have to test. You have to optimize, particularly as you enter a channel like social that may be new to the business. All those rules still apply. It is really about business transformation or change. The company culture has to be ready to accept that and really break down the silos. Today, there is a really strong connection between marketing and customer service, stronger than it’s ever been&amp;nbsp;before.”&lt;/p&gt;
&lt;p&gt;As Miller describes it, marketers should think of email as the hub to the other channels because it is especially driven by content. “Email marketers create a tremendous amount of content every week and they have a lot of data on what is welcome by customers and prospects. For business-to-business, they know what whitepapers get downloaded, or which promotions work best and drive the most traffic. With email as the hub, the spokes are your social program, your mobile program, etc. That content drives all that interaction. I think the email marketer is in a really good position to, if not run the social program, at least partner with it in a good&amp;nbsp;way.”&lt;/p&gt;
&lt;h2&gt;Before You&amp;nbsp;Start&lt;/h2&gt;
&lt;p&gt;Take time for evaluations, prior to investing in social marketing. It is important to point out that for some businesses, it may not make sense to join in the social media revolution. “You really have to know your audience,” says Jenkins. “Some companies shouldn’t be wasting their energy on social media. Knowing your audience and where they are is very&amp;nbsp;important.”&lt;/p&gt;
&lt;p&gt;If you need ammunition for social marketing initiatives, Daniels suggests starting with measuring the value of your email subscriber to your organization. What are email subscribers worth? Determine subscribers that are engaged, those that are clicking, those that are buying consistently and compare to those that are not. “Come up with those two numbers,” he says. “You are going to need that number to get some funding or attention from executives to go out and dabble with social.” Next, Daniels recommends that you look at possible social transactions that happen, and assess if those are in addition or would a subscriber have purchased anyway? Daniels then asks: “What about the other people that the subscribers are bringing in? What is the average cost of acquisition? Flip that to the credit. Are you generating a lot of additional followers?” Daniels believes this exercise can help determine the value of the channel. “Know your share rate, and who the people are that are sharing. Then after that, it would be recognizing those people, and targeting&amp;nbsp;them.”&lt;/p&gt;
&lt;h2&gt;Building and Using Social&amp;nbsp;Communities&lt;/h2&gt;
&lt;p&gt;Many marketers build their community through their email files by asking those subscribers to join. Miller points out that businesses can build communities and add to subscriber lists simultaneously. “You can build them back and forth, they are the same people,” she says. “There is a sort of incestuous relationship between your email file and social communities. Those people are the same so marketers must embrace that and say: ‘I am going to communicate with these people in multiple ways’ and then coordinate the&amp;nbsp;messaging.”&lt;/p&gt;
&lt;p&gt;Jenkins offers this suggestion for email and social marketing synergy: “A big untapped area is using the social networks to drive email interest.” Jenkins tells of one client (Ted Turner’s restaurant chain Ted’s Montana Grill) as an example of where BrightWave manages both its Facebook page as well as its email program. “To us, it is really the bread and butter of any email program to give something of unique value. So on the Facebook page, where there is close to 10,000 fans, we said: ‘If you are on the email list, you are going to get a great offer next week, no one will get this offer except email subscribers’. We used social to drive subscription interest in the other channel. Most people say: ‘We have this mature email list, we want to drive social.’ But it can work the other way around too. Beyond Facebook, LinkedIn is a great opportunity to further your own personal&amp;nbsp;brand.”&lt;/p&gt;
&lt;h2&gt;Content&amp;nbsp;Creation&lt;/h2&gt;
&lt;p&gt;A benefit of social is that there can be a number of content contributors. To Daniels’ earlier point, this is where you see a synergy between different organizations within a company that did not exist in quite this way before. “There is a lot of business-to-business examples of community driven content which is put up by employees that are not in the marketing department,” says Miller. “They are customer service people or product managers.” She offers an example of Cisco as a community that is driven by employees from all over the organization. “All that content is an amazing resource for the email marketer who is trying to come up with nurturing programs. If I download a whitepaper, now what do I get? What information should I receive? When it comes from the product manager, it has a credibility factor, or if it’s a response to a customer question. That is a real asset. So part of it is learning how to reach across the aisle between the social and the email people to embrace each&amp;nbsp;other.”&lt;/p&gt;
&lt;p&gt;The goal, according to Jenkins, is to create integrated programs where email is the first part of the message and is extended through social for the second part. “Email is where we get their attention. Facebook is where we then have a conversation with them and get them to engage a little bit further. That is really powerful, otherwise, you are just shouting out&amp;#8212;and no matter what business you are in, it is pretty crowded everywhere. Email is the delivery mechanism for a conversation and then social network is where you want that conversation to develop further. This is something that works well for our&amp;nbsp;clients.”&lt;/p&gt;
&lt;p&gt;The concept of social is something we have always done. “We have always purchased on the recommendations of other people. How did you find your realtor, or doctor, or appliances?” asks Daniels. “Often these are based on the recommendations of our peers and colleagues. The difference now is that it is highly measurable.” Daniels says that he can point to many different companies that have been able to improve their conversion rates based on reviews used as content. “With social and all this user-generated content, whether on your own site or scraping it from people that ‘follow’ you or ‘like’ you, you can leverage that content and push it back in an email. Those testimonials are often hard to come by, but they are very powerful. With social, it has really amplified our buying&amp;nbsp;behavior.”&lt;/p&gt;
&lt;p&gt;Experts agree that customers interact differently in the different channels, and that it is important that the right voice be used to communicate on Facebook versus Twitter or email. Jenkins reveals that recent research supports the notion that people do not pick one channel over others. “We have a lot of people ask: ‘What if my email subscribers are also Facebook fans or following us on Twitter? We don’t want to just drown them out.’ That is definitely something you want to be aware of. I tell people you want to avoid the cut and paste social marketer approach where you are literally saying the same thing in email, Facebook and Twitter. That really is the wrong approach.” Jenkins believes people that go to different channels are expecting different pieces of information or to be engaged in different ways. “Email is still the first thing people do in the morning; it is where they expect to get special offers and unique content. Facebook is where they expect to get entertained and engaged with the brand in a different way and Twitter is for a smaller subset of people that want real in the know, breaking news information. The people who are really passionate about brands are opting in all those channels and if you are delivering information that fits all those channels, it is going to be a lot more beneficial. You can accomplish a lot more than just sending the same information to all the channels, which dilutes your&amp;nbsp;information.”&lt;/p&gt;
&lt;p&gt;The point is to make the various channels continue to engage the target customer. It isn’t enough to offer a coupon for $5.00 (USD) in exchange for a ‘like’ on Facebook. While people might respond to acquire the coupon, they may never actually interact. The content strategy is what is going to lead to long-term success. “The natural arc of an email campaign is that usually within three to eight hours you receive 80 to 90 percent of your responses back,” explains Daniels. “But the life of a social campaign can be much longer. With natural evolution, it might be a week or several weeks for that campaign to continue on with a life of its own.” Another content consideration is how we have evolved as communicators. “For marketers to get it right, they have to recognize we are living in a short burst society,” continues Daniels. “More and more, our conversations are defined by status updates, by text messages, and by Twitter making the content of a postcard seem verbose! As a result, make sure there are nuggets of content that can be&amp;nbsp;shared.”&lt;/p&gt;
&lt;p&gt;The importance of compelling content only gets stronger with the increase in channels. While marketing nirvana may be viral in nature, Jenkins says: “A lot of people used to say: ‘How do I make my email go viral’, which is kind of vague and impossible. Now the question is: ‘How do I get my email campaigns to be shared, or be socialized?’ It doesn’t really matter what kind of technology, or how many people are on your list, or how many bells and whistles you have, if your content or the value isn’t there. Who and why would anyone want to share it with their friends?” Jenkins believes that people should spend more time on crafting a really valuable and powerful message and less time on how many people might share it on Facebook. “If it is of real value, it will get out there. It is proven every day. That is why email and social make an incredible one-two combo, but if the value isn’t there on either of them, you are missing&amp;nbsp;out.”&lt;/p&gt;
&lt;p&gt;Daniels wants to be sure it is understood that the same rules of relevance apply, regardless of channel. “People are going to be more sensitive if you are spewing stuff at them in their own social network, than if you would be sending them email that looks like spam. People will have a greater reaction,” he&amp;nbsp;warns.&lt;/p&gt;
&lt;h2&gt;Who Owns Social&amp;nbsp;Media?&lt;/h2&gt;
&lt;p&gt;Within the business, what organization takes ownership of the integrated social and email marketing strategy? Jason Baer of &lt;a href="http://www.convinceandconvert.com/"&gt;Convince and Convert&lt;/a&gt;, a social media consulting firm, notes in his blog: “As I’ve written several times, the people in your company responsible for email, and the people responsible for social media should be the same people. Remember, the first step in social media effectiveness shouldn’t be building an empire of half-baked, free-standing social outposts, but rather determining how to add social frosting to your existing marketing&amp;nbsp;cake.”&lt;/p&gt;
&lt;p&gt;The difficulty in answering where the responsibility falls is compounded by the fact that email marketing itself is often still under debate. “Email has never really found a proper home in a lot of companies because it is a blend of technology and marketing,” states Jenkins. “Email has struggled to find the right home. With social I think there is an internal power struggle for where it belongs. One could argue that it is a public relations initiative. Some like Comcast, have made it all about customer service. Dell is using it primarily as a revenue channel. Others are doing social as more of a market awareness, industry thought-leadership type channel. Really we are seeing it in a lot of places, so it will be interesting to see where it ends&amp;nbsp;up.”&lt;/p&gt;
&lt;p&gt;Regardless of which organization ends up with social, the important thing is to avoid the silo approach and establish a shared set of business goals to ensure optimizing. For example: Twitter might be managed through a PR person, but the community or Facebook page might be owned by ecommerce or a professional services&amp;nbsp;group.&lt;/p&gt;
&lt;h2&gt;Increasing&amp;nbsp;Reach&lt;/h2&gt;
&lt;p&gt;Email will not go away as a result of social adoption. In fact, email marketing is expanded by social, because not only can you send messages to your subscriber list, you can also increase your reach with your social fans, resulting in potentially higher responses. “The beauty of email has always been that it is permission-based,” says Jenkins. “If someone gives you an email address, they have given you permission. Everyone wants to talk about why you should do social more and email less, or instead of email and that to me defeats the whole purpose. If you have people signed up for emails, talk to them one way, or if you have people opting into social networks, talk to them another way. Then you have some amazing opportunities that 10 years ago were unheard of in terms of delivering real measurable performance on your&amp;nbsp;marketing.”&lt;/p&gt;
&lt;p&gt;Indeed the title of email service provider (ESP) is now outdated. Daniels calls it a misnomer, because as he points out: “If you are looking for an ESP you need to make sure they have a mobile strategy for you, a social strategy, an email strategy, and that it is all under one unified system. I think we are going to see a lot more consolidation in the space of email plus these other channels. To me, it is all&amp;nbsp;messaging.”&lt;/p&gt;
&lt;p&gt;What remains is sorting out the integrated strategy and assessing how to develop the appropriate content for the various channels. “The only reason why a marketer would not try to synergize all their digital channels&amp;#8212;search, online advertising, email, mobile, and social&amp;#8212;and to have a true multi-channel strategy is resources,” reasons Miller. It benefits the customer to synergize all the content for the different channels, and it benefits the company from a brand standpoint, and a data management standpoint. “As a marketer, I want to be able to manage the interactions and optimize the interactions across all those channels, because that is how I am going to build stronger relationships and sell more. I think there is no question that we have a huge opportunity&amp;nbsp;here.”&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/author/stephanie-jordan">Stephanie Jordan</category>
 <category domain="http://www.messagingnews.com/business-social-networking">Business Social Networking</category>
 <category domain="http://www.messagingnews.com/online-marketing">Online Marketing</category>
 <category domain="http://www.messagingnews.com/facebook-business">Facebook for Business</category>
 <category domain="http://www.messagingnews.com/enterprise-collaboration">Enterprise Collaboration</category>
 <pubDate>Thu, 26 Aug 2010 10:53:34 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">25452 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/social-media-grows-connecting-email-and-social-marketing</feedburner:origLink></item>
  <item>
    <title>Email As a Two-Way Communication</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/JPphG0yiHS4/email-two-way-communication</link>
    <description>&lt;p&gt;Starting a conversation with your subscribers begins with content that is relatable to your audience. If your content is targeted, there is a higher probability that subscribers will respond. Consider using these ways to initiate subscriber&amp;nbsp;interaction:&lt;/p&gt;
&lt;h2&gt;Raise&amp;nbsp;Questions&lt;/h2&gt;
&lt;p&gt;In a newsletter or at the end of an article, ask readers a question. Make sure to provide an easy way to&amp;nbsp;respond.&lt;/p&gt;
&lt;h2&gt;Use&amp;nbsp;Q&amp;amp;A&lt;/h2&gt;
&lt;p&gt;Encourage subscribers to send in questions, which will be answered publicly. If readers see others asking and getting a response, it is more likely they will engage. Plus it creates great&amp;nbsp;content.&lt;/p&gt;
&lt;h2&gt;Draw On Social Media&amp;nbsp;Resources&lt;/h2&gt;
&lt;p&gt;If you are using social media, ask readers to join you there. You can start a conversation in email, and continue it in social&amp;nbsp;media.&lt;/p&gt;
&lt;h2&gt;Ask for&amp;nbsp;Feedback&lt;/h2&gt;
&lt;p&gt;Provide a way for readers to give feedback on everything you do. Be ready to manage the incoming comments in a timely manner, usually within 24&amp;nbsp;hours.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Source: &lt;a href="http://www.constantcontact.com/"&gt;Constant&amp;nbsp;Contact&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/category/authors/melisa-labancz-bleasdale">Melisa LaBancz-Bleasdale</category>
 <category domain="http://www.messagingnews.com/online-marketing">Online Marketing</category>
 <category domain="http://www.messagingnews.com/email-marketing">Email Marketing</category>
 <pubDate>Thu, 26 Aug 2010 08:16:24 +0000</pubDate>
 <dc:creator>Melisa LaBancz-Bleasdale</dc:creator>
 <guid isPermaLink="false">25455 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/email-two-way-communication</feedburner:origLink></item>
  <item>
    <title>Email Marketers Active in Social Marketing, Many Primed to Implement These Emerging Best Practices</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/h1t4crfI9lE/email-marketers-active-social-marketing-many-primed-implement-these-emerging-best-practices</link>
    <description>&lt;p&gt;In his blog, Jason Baer of &lt;a href="http://www.convinceandconvert.com/"&gt;Convince and Convert&lt;/a&gt; wrote seven reasons why Facebook is especially well suited to build your social media strategy&amp;nbsp;around.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Reach:&lt;/strong&gt; One of the great axioms of marketing is “Fish Where the Fish Are.” Increasingly, fish of all shapes and sizes are on&amp;nbsp;Facebook.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Clarity of Purpose:&lt;/strong&gt; Facebook enables brands to interact with their fans via wall, discussions, events, photos, videos, etc. without a bunch of other corporate content getting in the&amp;nbsp;way.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Analytics:&lt;/strong&gt; Facebook provides substantial data on the affinity and demographics of your fans. In comparison to Web analytics, Facebook provides a much better sense of who your audience is in real&amp;nbsp;life.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Ease of Use:&lt;/strong&gt; Facebook pages can be established and maintained by everyone in your company that is not Amish. No fancy programming skills&amp;nbsp;required.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Promotion:&lt;/strong&gt; When consumers become fans of your company, that fact is shared with their friends via the real-time update component of Facebook. No public announcement is made when somebody visits your Web&amp;nbsp;site.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Personal:&lt;/strong&gt; Because Facebook users have to be real people (unlike MySpace and Twitter, no fakes allowed) and have to be authenticated before use, consumers can’t hide behind anonymous usernames. Plus, because the vast majority of Facebook members use authentic profile pictures, the “relationships” between consumer and brand have an out-in-the-open characteristic that isn’t available on most Web&amp;nbsp;sites.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cost:&lt;/strong&gt; Free. Totally free. Web developers, insert&amp;nbsp;shudder.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;em&gt;Source: Convince and&amp;nbsp;Convert&lt;/em&gt;&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/author/stephanie-jordan">Stephanie Jordan</category>
 <category domain="http://www.messagingnews.com/business-social-networking">Business Social Networking</category>
 <category domain="http://www.messagingnews.com/online-marketing">Online Marketing</category>
 <category domain="http://www.messagingnews.com/enterprise-collaboration">Enterprise Collaboration</category>
 <category domain="http://www.messagingnews.com/tag/tags/marketing">Marketing</category>
 <pubDate>Thu, 26 Aug 2010 08:01:28 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">25453 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/email-marketers-active-social-marketing-many-primed-implement-these-emerging-best-practices</feedburner:origLink></item>
  <item>
    <title>Privacy, Security &amp; Innovation: Converging Responsibilities &amp; Business Opportunities</title>
    <link>http://feedproxy.google.com/~r/MessagingNewsMagazine/~3/yjeb6XH29SY/privacy-security-innovation-converging-responsibilities-business-opportunities</link>
    <description>&lt;p&gt;It is hard not to see, hear and feel the buzz around privacy and security circles pertaining to security, privacy, identity theft and data breaches. These issues are filling the sails for legislators and advocates who are pushing for self-governance and solutions. While their concerns are valid, the media headlines may also be sensationalizing and conflating the actual threat and potential harm to consumers. The number and scope of proposed legislative efforts in play may be daunting for businesses to comprehend. Senators Rockefeller and Lieberman have bills on cybersecurity, the White House is advancing a strategy for trusted identities and Representatives Boucher, Stearns and Rush have introduced privacy bills with potential impact to online and offline data&amp;nbsp;collection.&lt;/p&gt;
&lt;p&gt;For the past five years the &lt;a href="https://otalliance.org/dc.html"&gt;Online Trust Alliance&lt;/a&gt; (OTA) has been advocating best practices to enhance online trust and confidence as a key requirement to ensure the vitality of online services. It turns out we are not alone. U.S. Commerce Secretary Gary Locke stated at a meeting in late July that “the importance of cyber security can be summed up in one word: confidence.” I cannot agree more. Trust and confidence is what underpins everything we do on the Internet; they are the foundation of the Internet&amp;nbsp;economy.&lt;/p&gt;
&lt;p&gt;As business and industry groups debate these issues, questionable privacy practices and identity theft continue to make headlines. So whose responsibility are these issues? The scope crosses nearly every work discipline and it is clear we can no longer “stove pipe” the responsibility and defer accountability to others. Cybercriminals are basking in our indecision and protracted efforts to reach consensus. While we chase their shadows, the fraudsters continue to outflank&amp;nbsp;us.&lt;/p&gt;
&lt;h2&gt;Shifting&amp;nbsp;Targets&lt;/h2&gt;
&lt;p&gt;In the early 2000s, links and images in email became disabled by default due to the rising fear of virus-laden documents, beacons and the like. Fast forward 10 years and we find the threats remain the same, but the attack vectors have shifted. Criminals have moved to softer targets, focusing on Web sites and infrastructure. Based on data provided by Microsoft and Symantec, over the past five years malware-infected email has decreased by over 90 percent while infected Web pages have increased over 500&amp;nbsp;percent.&lt;/p&gt;
&lt;p&gt;As sites and browsers have become more secure, we have experienced a shift of malicious activity infiltrating the online advertising ecosystem. By compromising legitimate sites, criminals are leveraging and ultimately defrauding a trusted and legitimate distribution network. By simply purchasing advertisements and infecting them with malicious code, they have uncovered a fast and efficient delivery vector. Consider the facts. Based on Alexa, it is estimated over 1 million sites carry advertising, served by upwards of 300 plus ad networks and ad exchanges. Multiply that by the number of advertising agencies and advertisers submitting creative, and the number of potential touch points is overwhelming. The design and structure of the ad marketplace, which provides flexibility and significant value to the dynamic needs of the marketplace, has by its same design proven ripe for exploits. In the absence of integrated controls we can only expect these attacks to flourish. Do we need to make structural and systemic changes to the way we&amp;nbsp;operate?&lt;/p&gt;
&lt;p&gt;In early August &lt;em&gt;The Wall Street Journal&lt;/em&gt; launched a series of investigative reports titled “&lt;a href="http://online.wsj.com/article/SB10001424052748703999304575399041849931612.html"&gt;What They Know&lt;/a&gt;.” While some of the articles may be alarmist, they underscore the challenges business and technical decision makers are facing. Data mining and Web analytics have helped fuel the Internet economy. Consumers are realizing significant value from unlimited free email accounts, news services, cloud storage and geo location services, but do they understand and appreciate how their online behavior has become the currency which supports these&amp;nbsp;services?&lt;/p&gt;
&lt;p&gt;If we continue down the path of business as usual, without data stewardship and accountability we may risk a “tragedy of the trust commons” with long-term ramifications. While businesses are prospering and industry sales are on the upswing, do we fully understand the long term impact and responsibilities? How will this data be used and can it be exploited tomorrow? What technologies should be used to protect data and users and what constitutes reasonable efforts to render it&amp;nbsp;anonymous?&lt;/p&gt;
&lt;h2&gt;Security and&amp;nbsp;Privacy&lt;/h2&gt;
&lt;p&gt;These questions, issues and trade-offs can be perplexing. The chasm between consumers’ expectations, privacy advocates and today’s business operations must be bridged. It is no longer an issue of security &lt;em&gt;or&lt;/em&gt; privacy, but security &lt;em&gt;and&lt;/em&gt;&amp;nbsp;privacy.&lt;/p&gt;
&lt;p&gt;The Commerce Department has created an Internet Policy Task Force focusing on four critical issues: privacy, cybersecurity, protection of intellectual property and freedom of flow of information. I believe these are of vital importance to innovation, economic prosperity, education, civic activity, cultural life and last but not least our national security. Not only should these be top priorities of the government, but business leaders must share the responsibility to ensure that the Internet remains an open and trusted infrastructure. Businesses have become stewards of consumer trust. Stewardship includes leadership and responsibility not for short-term gains, but for long-term&amp;nbsp;prosperity.&lt;/p&gt;</description>
     <category domain="http://www.messagingnews.com/author/craig-spiezle-executive-director-founder-online-trust-alliance">Craig Spiezle; Executive Director &amp; Founder; Online Trust Alliance</category>
 <category domain="http://www.messagingnews.com/email-security">Email Security</category>
 <category domain="http://www.messagingnews.com/tag/tags/internet-policy-task-force">Internet Policy Task Force</category>
 <pubDate>Thu, 26 Aug 2010 08:24:21 +0000</pubDate>
 <dc:creator>Stephanie Jordan</dc:creator>
 <guid isPermaLink="false">25456 at http://www.messagingnews.com</guid>
  <feedburner:origLink>http://www.messagingnews.com/story/privacy-security-innovation-converging-responsibilities-business-opportunities</feedburner:origLink></item>
  </channel>
</rss>
