Information Security in Outsourcing Management

Posted in /etc/IT_security/news, /opt/risk_management, /root/IT Management on June 30th, 2008 by Rick Zhong

Recently I visited a number of outsourcing partners in India, the Philippines and Malaysia. They provide various back-office operations and sales and marketing services for the bank. It is no secret that most Fortune 500 IT firms have operations in India; however, I didn't expect that in places such as Manila, Philippines, there is a significant presence of the world's major financial institutions' outsourced activities. It is true that most outsourcing activities were initially cost-driven, although it is debatable whether the cost saving is still significant given the rising operating costs in these emerging economies (see this). Despite the diminishing cost saving, there is still steady growth of outsourcing activities in this region. For example, Infosys, voted the best outsourcing partner, is still projecting 20% growth in 2008. Most of these offshore service providers have successfully transformed the local workforce to be skilful, productive, disciplined and, most importantly, passionate about their work. I have seen credit card sales teams cheering together whenever they make a successful sale. Their energy level is incredible, even in the middle of zombie hours. Those are the attributes companies seek in a successful outsourced business partner.

While the benefits of outsourced operations are tremendous, the risks are also significant, and information security risk is very often first on the list. In most cases, outsourcing an operation means handing part of your business to your outsourcing partner and giving that partner an interface for direct interaction with your core business operation. In some cases, while you are lowering your operating cost, you are also lowering the bar for attacks on your confidential information through your outsourcing partners: the partner's staff, systems and network become part of your attack surface, but sit outside your direct control. There have already been quite a few cases of identity/account theft (see this) and privacy violations. Sometimes the cause of an incident may simply be cultural differences: in India, personal matters such as marital status, age and pay package are common topics in casual conversation. Measures to mitigate these risks should be implemented as part of the supplier management program:

1. Clearly define the information wall/boundary between the outsourced operation and in-house business operations, so that need-to-know practices can be established for the outsourced partners: the partner gets access only to the data and systems the outsourced function actually requires.

2. Education, education and education: convey your information security control practices to your outsourcing partners, especially if there is a significant gap between the current practices of the two entities. One thing I noticed is that outsourcing service providers in this region do have the initiative and willingness to learn from their business partners.

3. Risk assessment and contractual obligations: risk assessment and audit rights should be included as part of the SLA or the general terms of the outsourcing contract. It is critical that both parties practise due diligence to ensure that information security policies, procedures and guidelines are followed and practised accordingly.

The recent release of Internet Banking And Technology Risk Management Framework version 3.0 by Monetary Authority of Singapore (MAS) includes a specific chapter on outsourcing management. (MAS is the central bank of Singapore and also the regulator of the financial industry in Singapore)


Rising Trend of Disgusting Patent Squatting

Posted in /etc/IT_security/news, /var/rant on May 30th, 2008 by Rick Zhong

It is absolutely ridiculous that a Singapore-based company is trying to charge patent fees for web pages that link an image to contact information. This is not the first time we have heard of companies intending to charge patent fees for commonly known technologies: just a few months ago, someone in China filed a patent application for booting a Linux OS from USB devices.

Claiming to be "pioneers of visual search technology", Vuestar Technologies started issuing invoices to the owners of various SME (small and medium enterprise) websites, demanding annual fees of S$500 to S$10,000. It is such a blatant act of bullying: the company stated that it is not going after government agencies and the big boys. Vuestar's patent, tagged under publication number 95940, appears also to have been granted in Australia, New Zealand and the United States. The company's website shows no business activity other than asking people to pay for its licence. Local lawyers urge clients to exercise caution and seek legal advice before reaching any settlement with the claiming firm.

This is very similar to the domain squatters of the 90s. However, patent squatters are more aggressive: they exploit loopholes in current patent systems to obtain greater financial gains. It also makes people wonder how these patent squatters managed to get their applications accepted in the first place.

Links: http://en.wikipedia.org/wiki/Vuestar_Technologies


Eve-online Client Source Code Leaked, but “No Risk” According to CCP

Posted in /etc/IT_security/news, /home/MMORPG on May 19th, 2008 by Rick Zhong

Crowd Control Productions (CCP) has had its EVE Online client source code leaked and mass-distributed via torrent. Here is the official CCP statement on the incident:

We are aware that an individual claims to have access to the source code of the EVE client, but this access is not a security risk to CCP or our customers in any way. The Python scripting language that is used by the client can be easily decompiled to generate readable code, and we have designed our server-side systems with that understanding. Therefore, there is no reason to believe that the code was leaked by an employee and our internal investigations confirm that.

Access to the source code for the EVE client exposes no security vulnerabilities, has no privacy protection issues, and poses no threat to our customers' billing information. The server-side interface used by the client is carefully protected to ensure that no abusive or unwanted information is transmitted to or from the EVE system.

Nothing the EVE client can do can affect the game state; a manipulated EVE client cannot affect the server; no advantageous or disadvantageous information can be transmitted to other EVE users by altering the EVE client. The EVE client is signed with a security certificate registered to CCP. Hashes are available on our web site for those who wish to ensure the integrity of EVE client download files they may have received from a source other than direct download from CCP's web site.

Finally, there have been no mass bannings, as reported in some news articles, though we do remove all message board posts regarding violations of our EULA and Terms of Service as per standard policy and procedures. We consider any alterations of the client software, including decompilation, or discussions thereof, to represent such a violation.

Let's just cross our fingers and pray that EVE Online was truly developed with server-side security in mind and follows the principle that whatever the client submits is untrusted: the server validates every client message against its own authoritative state rather than accepting the client's claims as fact.
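The principle in that last sentence, as an added example that is not CCP's code and not part of the original post: a toy game server with a naive handler that records whatever the client claims, beside an authoritative handler that treats the same message as a request and recomputes every outcome from the server's own state. The Player/ServerState model, the message fields (type, player, to, amount, new_balance) and the sample players and star map are assumptions constructed for this demonstration.

```python
"""Server-authoritative validation of client-submitted game actions.

Added example, not CCP's or EVE Online's code: the data model (Player,
ServerState), the message format and the sample actions below are all
assumptions constructed for this demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class Player:
    name: str
    isk: int        # wallet balance, as the server knows it
    system: str     # current solar system, as the server knows it


@dataclass
class ServerState:
    players: dict = field(default_factory=dict)
    # star map as adjacency sets: only listed neighbours are one jump away
    jumps: dict = field(default_factory=dict)


class RejectedAction(Exception):
    """Raised when a client request does not pass server-side validation."""


def build_state():
    """Constructed sample world (assumption): two players, three systems."""
    state = ServerState()
    state.players["alice"] = Player("alice", isk=1000, system="Jita")
    state.players["bob"] = Player("bob", isk=0, system="Urlen")
    state.jumps = {
        "Jita": {"Perimeter"},
        "Perimeter": {"Jita", "Urlen"},
        "Urlen": {"Perimeter"},
    }
    return state


def naive_handle(state, msg):
    """The anti-pattern: the server believes whatever the client asserts.

    A modified client can set any balance or teleport anywhere, because the
    message carries the *result* and the server merely records it.
    """
    p = state.players[msg["player"]]
    if msg["type"] == "transfer":
        p.isk = msg["new_balance"]                     # client-supplied!
        state.players[msg["to"]].isk += msg["amount"]  # client-supplied!
    elif msg["type"] == "jump":
        p.system = msg["to"]                           # no adjacency check
    return True


def authoritative_handle(state, msg):
    """The fix: the message is a *request*; every outcome is computed from the
    server's own state and every field is type- and range-checked first."""
    p = state.players.get(msg.get("player"))
    if p is None:
        raise RejectedAction("unknown player")
    kind = msg.get("type")
    if kind == "transfer":
        amount = msg.get("amount")
        # exact int check: bool is a subclass of int, so a JSON true must not pass
        if type(amount) is not int or amount <= 0:
            raise RejectedAction("amount must be a positive integer")
        if amount > p.isk:
            raise RejectedAction("insufficient funds")
        to = state.players.get(msg.get("to"))
        if to is None or to is p:
            raise RejectedAction("bad recipient")
        p.isk -= amount
        to.isk += amount
    elif kind == "jump":
        dest = msg.get("to")
        if dest not in state.jumps.get(p.system, set()):
            raise RejectedAction(f"{dest!r} is not adjacent to {p.system}")
        p.system = dest
    else:
        raise RejectedAction(f"unknown action {kind!r}")
    return True


def is_rejected(state, msg):
    """True if the authoritative handler refuses the message (state untouched)."""
    try:
        authoritative_handle(state, msg)
    except RejectedAction:
        return True
    return False


if __name__ == "__main__":
    # Constructed tampered messages: a client claiming a huge balance, and a
    # jump across the map.  The naive server accepts both; the authoritative
    # one rejects both and only honours requests consistent with its own state.
    forged_transfer = {"type": "transfer", "player": "alice", "to": "bob",
                       "amount": 10**6, "new_balance": 10**9}
    forged_jump = {"type": "jump", "player": "alice", "to": "Urlen"}
    s = build_state()
    naive_handle(s, forged_transfer)
    print("naive server: alice now has", s.players["alice"].isk, "ISK")
    s = build_state()
    print("authoritative server rejects forged transfer:", is_rejected(s, forged_transfer))
    print("authoritative server rejects cross-map jump:", is_rejected(s, forged_jump))
    print("legitimate jump Jita->Perimeter accepted:",
          authoritative_handle(s, {"type": "jump", "player": "alice", "to": "Perimeter"}))
```

Run it and the naive server reports alice holding a billion ISK, while the authoritative server leaves her at 1000 and rejects the jump that skips Perimeter. Note the `type(amount) is int` check rather than `isinstance`: a JSON `true` deserialises to a Python bool, which is a subclass of int, and that is exactly the sort of edge a server that trusts nothing from the client has to handle itself.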


2008 Credit Card Issuers’ Identity Safety Scores

Posted in /etc/IT_security/news on May 13th, 2008 by Rick Zhong

This is the newest ranking report by Javelin Strategy & Research on US-based credit card issuers' protection of customer identity and their fight against various kinds of credit card fraud. The 25 top US credit card issuers were evaluated on the criteria of Prevention, Detection and Resolution. Here are the results:

[Image: Credit Card Issuers 2008 identity safety ranking]

Also, based on the information in Javelin's report preview brochure, banks generally did well on Resolution, and Detection is still the weakest link. This again reminds credit card users to be proactive in identifying potential fraud instead of waiting for the bank to notice. On the other hand, it will be interesting to know what detection mechanisms are currently used, and whether innovative products such as automated credit card account fraud detection systems (something like an IDS for network security, flagging anomalous transactions as they are authorised) will come onto the market.
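To make the "IDS for card accounts" idea concrete, here is an added example that is not Javelin's ranking method and not any issuer's actual system: three simple rules (velocity, impossible travel, amount spike) replayed over a constructed transaction log. The log format, the card identifiers, the thresholds and the rule names are all assumptions made for this illustration.

```python
"""Rule-based fraud detection over a card transaction log.

Added example, not Javelin's or any issuer's system: the rules, thresholds,
record format and the log lines below are assumptions constructed to show
what an "IDS for card accounts" might do on the issuer's side.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (assumption): timestamp,card,amount,country,merchant
SAMPLE_LOG = """\
2008-05-10T09:00:00,card-A,12.50,SG,coffee
2008-05-10T12:30:00,card-A,18.00,SG,lunch
2008-05-10T14:00:00,card-B,5.00,SG,test-charge
2008-05-10T14:02:00,card-B,5.00,SG,test-charge
2008-05-10T14:05:00,card-B,5.00,SG,test-charge
2008-05-10T14:07:00,card-B,300.00,SG,electronics
2008-05-11T09:05:00,card-A,11.80,SG,coffee
2008-05-11T20:00:00,card-A,45.00,SG,grocery
2008-05-11T21:30:00,card-A,980.00,US,electronics
"""


@dataclass(frozen=True)
class Txn:
    card: str
    ts: datetime
    amount: float
    country: str
    merchant: str


@dataclass(frozen=True)
class Alert:
    card: str
    rule: str
    ts: datetime
    detail: str


def parse_log(text):
    """Parse CSV lines into Txn records; malformed lines are skipped, not fatal."""
    txns = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, card, amount, country, merchant = parts
        try:
            txns.append(Txn(card, datetime.fromisoformat(ts), float(amount), country, merchant))
        except ValueError:
            continue
    return txns


def detect_fraud(txns, velocity_n=3, velocity_window=timedelta(minutes=10),
                 travel_window=timedelta(hours=2), spike_factor=5.0, min_history=3):
    """Replay transactions in time order, keeping per-card history, and emit an
    Alert whenever one of three rules fires on the incoming charge:
      velocity          - at least velocity_n earlier charges within velocity_window
                          (the card-testing burst pattern)
      impossible_travel - country differs from the previous charge and the gap
                          is within travel_window
      amount_spike      - amount exceeds spike_factor x the card's mean so far,
                          once min_history charges exist to compare against
    """
    alerts = []
    history = defaultdict(list)
    for t in sorted(txns, key=lambda x: x.ts):
        hist = history[t.card]
        recent = [h for h in hist if t.ts - h.ts <= velocity_window]
        if len(recent) >= velocity_n:
            alerts.append(Alert(t.card, "velocity", t.ts,
                                f"{len(recent) + 1} charges within {velocity_window}"))
        if hist:
            last = hist[-1]
            if last.country != t.country and t.ts - last.ts <= travel_window:
                alerts.append(Alert(t.card, "impossible_travel", t.ts,
                                    f"{last.country} -> {t.country} in {t.ts - last.ts}"))
        if len(hist) >= min_history:
            mean = sum(h.amount for h in hist) / len(hist)
            if t.amount > spike_factor * mean:
                alerts.append(Alert(t.card, "amount_spike", t.ts,
                                    f"{t.amount:.2f} vs mean {mean:.2f}"))
        hist.append(t)
    return alerts


def alert_summary(text=SAMPLE_LOG):
    """(card, rule) pairs in detection order, for quick inspection."""
    return [(a.card, a.rule) for a in detect_fraud(parse_log(text))]


if __name__ == "__main__":
    for a in detect_fraud(parse_log(SAMPLE_LOG)):
        print(f"{a.ts.isoformat()} {a.card:7} {a.rule:17} {a.detail}")
```

On the sample log this flags card-B's fourth small charge in seven minutes (velocity) plus the jump to 300.00 (amount spike), and card-A's US electronics purchase ninety minutes after a Singapore grocery run (impossible travel, amount spike), while leaving the ordinary coffee and lunch charges alone. Real issuer systems score many more signals (merchant category, device, behavioural history) and tune thresholds against chargeback data; the point is that detection runs on the issuer's side at authorisation time, without waiting for the cardholder to read a statement.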


No more native Linux client in VMware Server 2.0 Beta

Posted in /etc/IT_security/news, /home/open-source, /var/rant on March 29th, 2008 by Rick Zhong

Surprise, surprise, surprise! I can't launch my newly baked VMware Server 2.0 Beta on my Ubuntu 7.10 console. vm-anywhere patch? Dependency issue? Incompatible customized kernel? But there is no error message; it just asks me to read the man page. Everything works fine when I use the web UI... mmmm... May the Force be with you, and my Star Wars heroes'/villain's chat cleared all my questions.

Quoted from Linux Mag http://www.linux-mag.com/id/4403
============================================

We take you now to the Planet Virtual, where two combatants are already engaged in mortal combat. Laser swords drawn and at the ready, and facing each other on opposing levitating anti-gravity platforms hovering over a fiery river of molten metal, the opponents utter their final words.

Open Source Kernobi: Darth, slow, memory-hogging and less functional Web interfaces compared to native Linux software are evil. Why did you remove the native Linux console client from VMware Server in the 2.0 release? We've been using it for years and it's worked great.

Darth VMware: Evil from your point of view! From my point of view, the Open Source freeloaders and non-paying end-users are evil. You should be lucky that we give you a free Server product, period. And besides, if you don’t like the Web interface, you can always use the Windows-based Virtual Infrastructure client. You want native? Use our free VMware Player or buy VMware Workstation.

Open Source Kernobi: Well, then you are lost! That’s not what we Linux users want! Don’t you remember who and what you started with, back in 1999? Developers and power users need a free server with a native client!

Darth VMware: This is the end for you, My Linux community. I wish it were otherwise.

The fighting continues for what seems like an eternity, with the opponents trading blows against each other, until what seems like a stalemate. Finally, Kernobi opens up his Targus laptop bag, and produces a huge stack of DVDs, containing Linux distro builds with integrated Xen, KVM, and Virtualbox — all native and Open Source Virtualization packages for Linux.

Kernobi: It's over, Darth. Open Source has the high ground. Our hypervisors and management tools are catching up to you in polish and functionality, while you lag behind in driver support in your enterprise product offerings, produce bloatware, and alienate the fan base which got your company started in the first place.

Darth VMware: We've outgrown your community, Kernobi. You underestimate our power! We have more than 80 percent market share and we're backed by one of the biggest names in enterprise storage. We can sit on our laurels, force end-users to eat whatever we give them, and we'll get away with it too.

Kernobi: Don’t try it, Darth. Once the end users get a taste of free and open source virtualization, they’ll want to go to Citrix, Oracle, Red Hat, Novell, SWsoft or any other vendor that will give them support at their enterprise. Your 80 percent market share will shrink like a slice of Bantha bacon hitting a cast iron pan.

And so it went. Well, we all know how that sucky movie ended. Darth got burnt to a cinder and ended up having to wear a permanent sleep apnea mask welded to his face, and Kernobi and the rest of his kind retreated into the safety of their Open Source development model, one day to return and conquer the proprietary villains.

Of course, it didn't have to end that way. If Darth didn't want to maintain the native Linux client anymore, they could have open sourced it for the community to maintain themselves. Or better yet, release their entire hosted virtualization product as open source, since their enterprise hypervisor-based version ESX Server and its derivative products are what make them the big bucks anyway.

And as to Darth’s concerns of an open source version detracting from sales of their hosted VMware Workstation product, from which VMware Server shares much of its technology? Well, think of it as free development resources. Red Hat and Novell have been able to make that work for them. People still want to pay for support for a fully regression tested and stable version.

Of course, if I were one of Darth's competitors and one of Kernobi's friends, such as the aforementioned Citrix, Oracle, Red Hat or Novell, all of which are using Open Source hypervisors as the basis for their commercial virtualization products, I'd come out with an easy to install free product that seamlessly and easily converted VMware images over to whatever their native VM file format is, as well as a physical-to-virtual converter utility, with a nice, fast and native Linux GUI front-end. I might write it in a multi-platform toolset like Qt, or maybe even Java so the client will run on Macs and Windows too.

Oh yeah, and if they want support and enterprise capabilities, they should charge them for that too. Cause, like, people pay for that. Even the Linux freeloaders, when they go to their day jobs in corporate America.

Jason Perlow is Senior Technology Editor of Linux Magazine. You can send Jason email at jperlow@linux-mag.com.
==============================================
