Application Security: Instant messaging and Mobile computing

BusinessWeek published articles on the adoption of two new models centered around application security. There appears to be tremendous potential for vendors in this space. What does not make sense is when software applications and (web) services introduce new loopholes and these models thrive on closing those loopholes. I don’t appreciate the inter-dependency. Instead, I would like to see the companies who build these applications and services fix the loopholes and offer monitoring and prevention services. This would imply that the associated cost to the customer may rise, but I don’t see why companies cannot guarantee the integrity of their systems.

Do not misunderstand me – selling your knowledge of exploits and vulnerabilities is not what I argue against. Instead, I would like to see the responsibility of fixing and prevention lie with the maker. I also realize that “dumb” users are a hard problem and are the source of many issues. I am specifically aiming at exploits that target design weaknesses (for example, being able to ‘hijack’ the host machine through an instant messaging application). Similarly, handset provider Nokia and Symantec sell anti-virus solutions to the end user, while I would think every PC or mobile platform should already ship with these services built into the platform.

IM Security is one tough sell. The article discusses companies (startups) in the business of providing monitoring and prevention of attacks over IM networks.

Mobile viruses, if not now soon. The article discusses the threat of viruses infecting mobile information systems, handsets and the potential for disruption and spread.

Palm Treo 700w: The ‘W’ stands for Windows!

An interesting development: the newest version of the Treo now ships with Microsoft Windows Mobile. This CNet article nails it right on the head – “Treo 700w: a marriage not made in heaven”. It’s an in-depth review; the author has found many pain points with the new handheld and its OS. While I did feel he was being very picky, overall I found him to be scarily accurate. For example, there seems to be a mismatch between the buttons’ implied meaning and their true function.

Palm didn’t help matters by adding a prominent OK key, which actually means just the opposite. That is, instead of Yes, Go or Forward, it means Cancel, Back or Stop. You use it, for example, to cancel out of a dialogue box or window, to backtrack to a previous screen, or to close a menu without making a choice. It must have been designed by the same person who, in the full-blown Windows, put the Shut Down command in the Start menu.

However, for that one mistake, Palm has succeeded in getting so many other things right. It involved tremendous effort for Palm since this development required them to throw out their existing Palm OS. Is it a move in the right direction? With any dramatic changes you also get a number of new aspects that will not seem to work as they did in the original version. I would echo the author’s views: the replacement OS will not appeal to the core Treo user group. I would also add that eventually Treo fans will warm up to the new device. Palm will try to ensure that with the next few software upgrades.

RIM ought to sit up and take notice. It appears to me that if RIM were to guarantee the vitality and appeal of the BlackBerry handhelds, they should take their role as a device and mobile software platform developer seriously. While they are backed up by their decision to stick with the J2ME spec, they must also exploit the generality of the platform by providing more frequent hardware enhancements (not just one upgrade annually). Just providing the best email solution ever is not going to provide the steam necessary to prevent Microsoft from dominating the device space. The BlackBerry is a key device for the corporate user group and I hope it stays so.

To conclude, what is more important to RIM? Handheld sales or revenue from data-flow? I can’t answer that question definitively. RIM will probably continue to license BBConnect to other platforms and vendors to ensure its hold on mobile email. I would strongly suggest a greater share of the handheld market as a higher priority.

Sahara International Airport, Mumbai

Reference: Baggage Regulations (Central Board of Excise and Customs).

Talk about unashamed, barefaced corruption, Customs officials at the Mumbai international airport are up there with the best.

November 2003: As a student, my companion was a Toshiba Satellite, a decent machine and a tremendous asset for any student. Back then, laptops were dutiable under Indian customs. Legally, if you have been outside India for longer than 10 days, you were allowed to import certain items, including electronics worth less than Rs. 25,000/-. The spirit of the law clearly applies only when you’re importing the item – i.e. you intend to leave it in India and not take it back outside the country.

My laptop was worth $500 at best. I took it with me to Pune under the naive assumption that it won’t attract any attention. At the customs checkpoint just before the airport terminal exit, a customs official asked me to stand aside. He obviously had noticed the laptop bag. He asked me pointedly, what was I carrying in the bag? I replied, it’s a used personal laptop. He asked me to walk over to the red channel (i.e. I had something to declare). This was an obvious attempt to shake me up. I joined someone else at the red channel desk (who also appeared to be a student carrying a laptop). About 10 minutes later, the official who asked us to stand aside approached us. Passengers who I had disembarked with had already left the terminal. The pressure was on us. He began with the other guy first, a few harsh words on the value of the laptop followed. He added a threat about how he could impose a duty on the value of the laptop. The threat had its intended effect as my fellow passenger caved in and forked out $10.

I was obviously stunned, but not surprised. As I followed their brief interaction, I had resolved to stand my ground, partly because I knew I was right and partly because I did not want to pay (see “Indians are cheap, man!” haha). As the official turned his gaze towards me, I made a critical mistake. I buckled and pleaded, saying that I was a student and that the laptop was mine, I did not intend to sell it or leave it behind in India. If I was looking for any pity, there was none to be found. He quickly countered saying that he would have to apply import duty as he did not know if it was really for my personal use. I held my ground, I was a student, I could not pay him – implying that I knew he wanted a token bribe to let me through.

In the ensuing debate, he repeatedly stated that the laptop could not be for my personal use, and that the rules clearly require that duty be imposed on it. I countered, I was on a student visa, I had a valid return ticket and the laptop would be leaving India with me in about a month. We had reached an impasse. The ordeal had already lasted 30 minutes. His last ditch attempt was to take me to his superior officer. I thought to myself, this is it, every time I enter the country with this laptop, I was going to have to pay duty – these guys hated me for not bribing them.

His superior inspected my passport, return ticket and student visa and said that I should go through, no worries. I wish I had done something about the trouble the earlier officer had caused, I guess I was just glad to get out of the airport. After having spent 45 minutes dealing with crooked customs officials, who would not?

December 2004: This was the year where IT in India was beginning to make its mark. The finance minister had just declared that a single laptop may be brought into the country without any issues. He had gone to the extent of identifying this one item – the weapon of choice for the many IT warriors. I was sure this was a result of irate IT employees and others who had gone through the same wringer that I had been through. I had a brand new laptop with me, although I did not intend to sell it, I did want to leave it behind with my brother. Dutiable? Grey area, I say. I’m not profiting from it. The downside is, Indian laptop importers who do pay duty will lose out. Is it justifiable? I would not bother answering that question.

January 2006: I got here expecting no trouble 🙂 how naive, I did not have a laptop on me (my brother had one I could use) and I did not give in to temptation to buy some Sake to take back home. I did have gifts, all was worth less than 25,000/-. Mumbai airport had some more surprises in store. A lot of folks from Mumbai advise that you should not draw attention to yourself at the airport for good reason.

As we waited near the luggage belt, a swarm of luggage handlers descended on us. They offered to carry our bags out. Every one of them had an official Mumbai airport employee badge. The game being played was revealed to me when one of them came up to me and asked me if I needed help with my bags. He asked for $20. A princely sum to simply carry the bags. Perhaps he had seen the BlackBerry on my belt. I countered that the bags were not very heavy and that I would be ok. In a low voice he added that the $20 would be good enough to get by customs without any issues. I said, I was all legal and that there was no reason to stop me. This is the part I like – he had the audacity to warn me that I could be stopped and troubled for no reason! I did not relent, emboldened by my previous experience. In the 15 minutes that he spent trying to convince me to let him carry my bags through, he probably lost 2 customers.

If I want to part with $20 so easily, I would definitely not do so at Mumbai airport. These guys get into your hair like ticks, they want a FAST BUCK! If you fork out $20 now, they will make you pay twice as much eventually. It’s hard not to miss these guys. Year after year, I always spot the same customs officials mingling amongst the passengers. Maybe they are looking for the big offenders. It’s hard to be sure if they are straight or crooked. In fact, my Dad says that the $20 offer could be a honey trap. If you pay up, you’re sure as hell going to have the customs guy go through the bags. Indeed, a very plausible scenario. All this was going on bang in front of the office of the deputy commissioner for customs.

As I was about to leave customs, I was questioned by the official about one bag. I was carrying a network router, chocolates but nothing to warrant the questions. They let me through this time.

Can anyone fill me in on the real story? Mumbai airport security is a laugh. Mumbai customs is even better humour. These baggage handlers who are involved with the customs officials probably don’t even have adequate security clearances. What have your experiences been?

An Update: I am not the only one baffled by Mumbai airport procedures. I came across some feedback from other passengers. Passenger Opinions about Bombay (Mumbai) airport.

At one stage we crossed paths with people on their way to boarding a jet and could quite easily have slipped onto the runway through the nearby exit. Even the Hindi-reading Indian girl who sat next to us had difficulty and was clearly embarrassed. The staff were totally unhelpful. After collecting our luggage we joined a huge queue for what looked like a luggage scanner. Why we needed our luggage scanned on exit is anyone’s guess. After queuing here for quite a while I thought it was pointless and walked straight past. No one stopped us. A chap (in a uniform) did stop me at the exit gate because I didn’t hand in the little tear-off slip on the bottom of my landing card. What he was going to do with that info I have no idea but it was obviously important to him. Indian bureaucracy is legendary and still amazes me. On our return the journey through the airport was a bit smoother and seating area after immigration was quite clean. There was one small hitch regarding customs wanting to see what was in my case despite the security section having already sealed it!

The average gamer

… is 26 years old 🙂 [“Consoles herald games revolution” – BBC World]. The industry is worth $25bn. RIAA, your problem isn’t music piracy. You’re just losing your core market to the gaming industry ;-).

But seriously, I cannot believe the number of people here in the U.S. who grew up with an Atari 2600 and have subconsciously decided to stick with playing video games even into their 20’s, 30’s, and sometimes even 40’s. This holiday season, thanks to my housemate Doug, I got to fight as a clone soldier and as a droid in Star Wars – Battlefront 2.

India: January 1st to 24th.

For most of January, I will be in Pune, India. I hope to spend the vacation with friends and family. Maybe catch an international film festival :-). If you’re a fellow blogger, or just a friend and you happen to be in Pune around the same time, I would look forward to hearing from you.