Issue No. 05 - September/October (2006 vol. 10)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MIC.2006.99
Digital Rights Management
6 July 2006
"Declare Your Digital Rights," by Trent Henry
An enterprise rights management (ERM) system is a corporate information-protection mechanism, frequently used to protect sensitive data and sometimes to make sure users work with enterprise data in controlled ways. Jupitermedia predicts the ERM market will grow from US$36 million in 2003 to $278 million by 2008. Still, ERM faces an uphill battle, due in part to the bad press that digital rights management (DRM) has drawn, most visibly from Sony BMG's handling of its DRM rootkit debacle. As a result, enterprise circles have recently met "rights management" technologies with some trepidation.
Henry argues that it's IT's responsibility to explain to users that although ERM and DRM have some shared issues, they're different animals, and the former is too important to be overlooked without serious consideration.
He reviews the risks associated with ERM, including possible backdoors in ERM suites and the creation of a single focal point for possible attacks. He also provides an overview of the players in the market, which has grown from a small group of vendors to include several large firms such as Adobe, EMC, and Microsoft. To help IT departments select a vendor, Henry provides a "decision matrix" with 30 key issues to consider, from management, integration, and security to remote accessibility and hierarchical administration.
Dr. Dobb's Journal
"Sun, Java, and the Middle Course," by Michael Swaine
Sun Microsystems is beset on all sides: open-source projects like Eclipse are challenging both its commitment to openness and its own development tools; Ruby on Rails is giving it a run for its money in speed of development; and users are clamoring for open-source Java.
Although Sun pushes its Java Community Process program (JCP; www.jcp.org) as evidence that it is committed to openness, the drumbeats calling for it to open source Java are growing. Rich Green, once Sun's chief Java advocate, has returned as executive vice president of Sun Software. Recently, he said, "It is not a question of whether, but … of how" Sun will release the Java source code. Swaine examines how this question is key to Sun's future and how the company might find a middle course that balances openness with control and compatibility with community.
The Globus Consortium Journal
"SOA and Storage Virtualization Trends Meet Grid," by Dave Pearson
Pearson says the scientific and academic arenas are where most of the progress in Grid is taking place, but enterprise adoption is beginning to take off. For the latter, he says, one of the major challenges involves the difficulty in managing vast amounts of data and making it easily available. Thanks to a host of new networking technologies that simplify the integration of storage systems, such as iSCSI, 10-Gigabit Ethernet, and InfiniBand, more enterprise users are virtualizing their storage into single pools and managing it dynamically.
He also examines some of the security issues that arise as more data is added to grid environments. Once reliable anonymization techniques emerge to ensure data privacy, for example, the medical and pharmaceutical industries could work to improve phenotype identification to produce drugs that are more effective on targeted populations, rather than working with larger populations in which researchers know a drug probably won't work on 30 percent of the participants.
Programming and Development
26 July 2006
"US 'May Give Up' Some Net Control," by Rebecca Morelle
John Kneuer, the US Department of Commerce's acting assistant secretary for communications and information, told a public hearing that the US remains "committed to the private-sector management of the Domain Name System." The hearing was part of the US government's process of deciding whether the Internet Corporation for Assigned Names and Numbers (ICANN), which is currently overseen by the Department of Commerce, is ready to manage the DNS on its own. Various international critics believe the US exerts too much control over the way ICANN hands out domain names, yet Kneuer's comment indicates a change of heart from a June 2005 statement that the US wanted to retain its authority over the authoritative DNS root zone to maintain the system's security and stability. A September 2006 deadline for fully privatizing the DNS is looming, but the Department of Commerce has the option of extending the deadline.
IBM's Think Research Magazine
"Fetch!" by David R. Millen and Jonathan Feinberg
The creation of social bookmarking services like del.icio.us has changed the way users find information on the Internet. In June, IBM announced dogear, the first social bookmarking service for corporations and other large organizations.
Dogear differs in many ways from its nonenterprise brethren. For instance, to make the concept work in an enterprise setting, dogear requires users' real names and includes authentication with a corporate directory. As a result, a user who is looking for someone familiar with Java might look for a coworker who has bookmarked Java articles and then email that person for more information. Dogear also works behind corporate firewalls, so that users can bookmark useful intranet resources as well.
8 Aug. 2006
"Surfing in 3D," by Sebastian Rupley
Three overhauled browsers — 3B, Browse3D, and SphereXplorer — are renewing efforts to revive 3D Web surfing, which was supposed to change the Web into innumerable virtual worlds but never got off the ground. X3D (an XML format that's under development), Microsoft's DirectX 10 technology, and the Extensible Application Markup Language (XAML) are making 3D application programming easier. Most 3D surfing creates a very different feel from ordinary Web surfing: users stroll down virtual hallways or through World Cup stadiums, for example, and Browse3D lets users view several Web pages at once.
6 June 2006
"Tracking Customers Click by Click," by Lori MacVittie
It's a sales department's dream: a product that lets businesses offer an interactive online shopping experience, assist customers, offer special discounts, or customize services based on the user's actual surfing choices.
The software firm Genius might have helped make that dream a reality with its SalesGenius 1.0, which uses conventional email-tracking mechanisms and a proxy service not only to track marketing campaigns but also to replay entire Web sessions and show real-time presence indicators. As a result, it offers a nonintrusive method for quantitatively measuring marketing campaigns, as well as gaining insight into customer behavior.
SalesGenius 1.0 uses a proxy to track users' every move once they click on a link embedded in a marketing email. Although proxies sometimes raise red flags about performance, Network Computing conducted a test that showed no measurable impact.
15 June 2006
"The Standards Balancing Act," by Cris Neckar
Close adherence to protocol standards is sometimes treated as unimportant in information security, but the recent disclosure of a flaw in the popular Snort open-source intrusion-detection system (IDS), used by many large businesses and government agencies, illustrates how much industry standards matter. The flaw lets attackers evade several of Snort's HTTP content-inspection rules by crafting requests that exploit the points at which Snort's HTTP handling departs from the standard.
Had Snort's developers adhered more closely to the standard, the flaw might have been prevented, which gives greater ammunition to standards advocates who have long warned about the dangers of straying from protocols.
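The following is an added example, not code from Neckar's article or from Snort: a toy HTTP content inspector that shows the general problem behind the flaw described above, namely that an inspector which does not see a request the way the standard (and the server behind it) does can be walked around. The evasions it demonstrates are the long-known percent-encoding and dot-segment kind, not the specific Snort flaw the article reports; the rules, request samples and both inspectors are constructed for illustration.

```python
# Added example, not code from Neckar's article or from Snort: a toy HTTP
# content inspector showing why an inspector's view of a request must match
# the standard (and the server behind it).  The percent-encoding and
# dot-segment evasions below are the generic, long-known kind, not the
# specific Snort flaw the article describes.
import re
from urllib.parse import unquote

# Toy content rules, matched as substrings of the request URI (constructed).
RULES = {
    "ETC-PASSWD": "/etc/passwd",
    "CMD-EXE": "/cmd.exe",
}

# RFC 2616 Request-Line: Method SP Request-URI SP HTTP-Version CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r?$")


def request_uri(raw: bytes) -> str:
    """Pull the Request-URI out of the first line of a raw HTTP request."""
    first = raw.split(b"\n", 1)[0]
    m = REQUEST_LINE.match(first)
    if not m:
        raise ValueError("malformed request line")
    return m.group(2).decode("latin-1")


def normalize_path(uri: str) -> str:
    """Canonicalise the path the way a typical server does before routing:
    drop the query, percent-decode exactly once, then resolve '.', '..' and
    empty segments.  Decoding once matters: a second decode would turn
    '%252e' into '.', and the inspector would 'see' a path the server never
    serves, which is an evasion in the other direction."""
    path = uri.split("?", 1)[0]
    path = unquote(path)
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def naive_match(raw: bytes) -> list:
    """Inspector that matches rules against the raw URI bytes only."""
    uri = request_uri(raw)
    return [name for name, pat in RULES.items() if pat in uri]


def normalized_match(raw: bytes) -> list:
    """Inspector that canonicalises the URI first, as the server will."""
    uri = normalize_path(request_uri(raw))
    return [name for name, pat in RULES.items() if pat in uri]


# Constructed requests: one plain hit, three evasions, one benign control.
SAMPLES = {
    "plain":          b"GET /etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n",
    "pct-encoded":    b"GET /etc/%70asswd HTTP/1.1\r\nHost: x\r\n\r\n",
    "self-reference": b"GET /etc/./passwd HTTP/1.1\r\nHost: x\r\n\r\n",
    "traversal":      b"GET /icons/../etc//passwd HTTP/1.1\r\nHost: x\r\n\r\n",
    "benign":         b"GET /docs/passwd-policy.html HTTP/1.1\r\nHost: x\r\n\r\n",
}


def compare() -> dict:
    """Map each sample to (raw-match alerts, normalized-match alerts)."""
    return {name: (naive_match(req), normalized_match(req))
            for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (raw_hits, norm_hits) in compare().items():
        print(f"{name:15} raw={raw_hits} normalized={norm_hits}")
```

The raw-byte inspector alerts only on the plain request; the three encoded or dot-segment variants reach the same file on the server and sail past it. The point the article makes is the mirror image: the inspector must not only normalize, it must normalize exactly as the standard specifies, because every divergence between its parse and the server's is a place where traffic can be made to mean one thing to the IDS and another to the target.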
Software Development Times
15 July 2006
"Sun Joins Open AJAX, Dojo," by Alex Handy
Sun said it waited to join the Open AJAX Alliance until it was convinced that the Alliance's goals weren't tied to Eclipse, an open-source effort focused on providing an extensible development platform and application framework that competes with Sun's own tools.
13 June 2006
"Open-Source Security Tools: Ignore These Apps at Your Own Risk," by Jeff Ballard
Several free open-source tools that offer more features than off-the-shelf security options are available for testing network security and altering network settings. However, hackers have access to these tools as well, so Ballard argues that it's prudent to become familiar with them to avoid misuse.
Ballard also offers an overview of some of these tools, which fall into three categories: network probes, tools that listen on the network, and tools that change or alter the network. hping works at layer 3 to find hosts and can send almost any kind of packet in any manner. arping, which uses the Ethernet Address Resolution Protocol to see whether a host answers on a particular Ethernet segment, is often considered harmless, but it can be abused, says Ballard.
He further explains that his department at the University of Wisconsin-Madison's Computer-Aided Engineering Center uses netcat, which allows the creation of inbound or outbound connections on any TCP or User Datagram Protocol (UDP) port, to connect to Internet services, giving "vastly superior support" for input and output streams.
In addition, Ballard recommends nmap, which discovers hosts on a network and their open ports, and amap, which fingerprints the service behind a port regardless of the port number. Using amap, for example, Ballard identified several Secure Shell (SSH) daemons running on nonstandard ports on his network.
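As an added example (not nmap's or amap's code), here is the core of what such a mapper does for the case Ballard describes: connect to a port, read the banner the service volunteers, and classify it by signature rather than by port number. The signature table is a constructed fragment (real tools carry hundreds and also send probes to services that stay silent), and the "daemons" are constructed stand-ins on random high ports, much as a netcat listener with a canned banner would be.

```python
# Added example, not nmap's or amap's code: identify a service by the banner it
# volunteers, on whatever port it is listening.  The fake daemons are
# constructed stand-ins (what 'netcat -l' with a canned banner would give you).
import socket
import threading

# Constructed signatures for services that speak first on connect.  A real
# mapper carries hundreds and also sends probes for services that stay silent.
SIGNATURES = [
    ("ssh",  lambda b: b.startswith(b"SSH-")),
    ("smtp", lambda b: b[:3] == b"220" and b"SMTP" in b.upper()),
    ("ftp",  lambda b: b[:3] == b"220" and b"FTP" in b.upper()),
    ("pop3", lambda b: b.startswith(b"+OK")),
]


def classify(banner: bytes) -> str:
    """Name the first signature the banner satisfies, else 'unknown'."""
    for name, test in SIGNATURES:
        if test(banner):
            return name
    return "unknown"


def grab_banner(host: str, port: int, timeout: float = 2.0) -> bytes:
    """Connect and read whatever the server sends first.  Services that wait
    for the client (HTTP, for one) yield b'' and would need a probe."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256)
        except socket.timeout:
            return b""


def scan(host: str, ports) -> dict:
    """Port -> service name for every port that accepts a connection."""
    found = {}
    for port in ports:
        try:
            banner = grab_banner(host, port)
        except OSError:
            continue            # closed or filtered: nothing to classify
        found[port] = classify(banner)
    return found


def fake_daemon(banner: bytes) -> int:
    """Start a constructed daemon on a random high port; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo() -> dict:
    """Stand up an SSH-like and an SMTP-like daemon on non-standard ports and
    scan them, as one would hunt for SSH servers hiding off port 22."""
    ports = [fake_daemon(b"SSH-2.0-OpenSSH_4.3\r\n"),
             fake_daemon(b"220 mail.example.test ESMTP ready\r\n")]
    return scan("127.0.0.1", ports)


if __name__ == "__main__":
    for port, service in demo().items():
        print(f"127.0.0.1:{port} -> {service}")
```

Both daemons are found and named correctly although neither sits on its well-known port, which is exactly why a port-number inventory is not an inventory of services. The same classification, run across the port list nmap reports as open, is the quickest way to turn up the kind of stray SSH daemons Ballard found.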
Ballard cautions readers to be on the lookout for Dsniff, an open-source security tool that listens in on networks and can recover passwords from a variety of network protocols, including HTTP, FTP, Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transfer Protocol (SMTP).
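To make Ballard's caution concrete, the following added example (not Dsniff's code) shows how little work it is to recover credentials from the cleartext protocols he lists once traffic can be observed. The input is a handful of constructed client-to-server streams, already reassembled as a sniffer would present them; the decoders and the port-to-protocol table are assumptions for this illustration.

```python
# Added example, not dsniff's code: how little it takes to recover credentials
# from cleartext protocols once traffic can be observed.  The flows below are
# constructed client-to-server streams, already reassembled as a sniffer would.
import base64
import re


def parse_user_pass(lines):
    """FTP and POP3: 'USER x' followed by 'PASS y' on the same connection."""
    user = None
    for line in lines:
        m = re.match(r"(?i)USER\s+(\S+)$", line)
        if m:
            user = m.group(1)
            continue
        m = re.match(r"(?i)PASS\s+(.+)$", line)
        if m and user:
            yield user, m.group(1)
            user = None


def parse_imap(lines):
    """IMAP: '<tag> LOGIN user pass', with optional quoting."""
    for line in lines:
        m = re.match(r'(?i)\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', line)
        if m:
            yield m.group(1), m.group(2)


def parse_http(lines):
    """HTTP Basic auth: the header is just base64(user:password)."""
    for line in lines:
        m = re.match(r"(?i)Authorization:\s*Basic\s+(\S+)", line)
        if not m:
            continue
        try:
            creds = base64.b64decode(m.group(1), validate=True).decode("latin-1")
        except ValueError:
            continue            # not valid base64: skip rather than crash
        user, _, secret = creds.partition(":")
        yield user, secret


# Like dsniff, pick the decoder from the server port (constructed table).
PARSERS = {
    21:  ("ftp",  parse_user_pass),
    80:  ("http", parse_http),
    110: ("pop3", parse_user_pass),
    143: ("imap", parse_imap),
}


def sniff(flows) -> list:
    """flows: iterable of (dst_port, client_to_server_bytes).
    Returns (protocol, user, secret) for every credential found."""
    hits = []
    for port, data in flows:
        if port not in PARSERS:
            continue
        proto, parser = PARSERS[port]
        lines = data.decode("latin-1").split("\r\n")
        for user, secret in parser(lines):
            hits.append((proto, user, secret))
    return hits


# Constructed sample flows.  The port-443 entry is the start of a TLS handshake
# and shows what a sniffer gets when the protocol is encrypted: nothing it can decode.
FLOWS = [
    (110, b"USER alice\r\nPASS s3cret\r\nSTAT\r\nQUIT\r\n"),
    (21,  b"USER ftpuser\r\nPASS hunter2\r\nPWD\r\n"),
    (143, b'a001 LOGIN bob "passwd"\r\na002 SELECT INBOX\r\n'),
    (80,  b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
          + base64.b64encode(b"carol:letmein") + b"\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03"),
]


if __name__ == "__main__":
    for proto, user, secret in sniff(FLOWS):
        print(f"{proto:5} {user}:{secret}")
```

Four of the five flows give up a working username and password with a few regular expressions; the one that does not is the TLS connection. That asymmetry is the practical lesson behind the warning: on any segment an attacker can listen to, FTP, POP3, IMAP and HTTP Basic authentication are equivalent to mailing the password in the clear, and the fix is the encrypted variant of each protocol, not a better IDS rule.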
6 July 2006
"F5 and Reactivity Get Cozy," by Lori MacVittie
The recently announced partnership between F5 Networks and Reactivity signals a link between the traffic-management market and the service-oriented architecture (SOA) security and management market.
Plans call for integrating Reactivity's software into F5's Traffic Management Operating System (TMOS) architecture, essentially making it an extension of F5's Big-IP platforms. Until now, SOA security and management products, which mediate for back-end Web services, have performed poorly, partly because XML in the request path is parsed twice and partly because those products weren't designed with performance as a priority. If the integration plan works, XML would be parsed just once, and a single intermediary would handle the TCP sessions.