My Conversation with Tamir Galily, CEO of InspiAir

On Monday, I had the opportunity to chat on the phone with Tamir Galily, CEO of InspiAir. While this subject isn’t directly related to the voice technologies that are our focus here, this enabling technology is loosely related and rapidly evolving. We are on the edge of an exciting breakthrough in muni-wireless technology. Israel-based InspiAir develops WiFi technology that “defies the laws of physics,” making it possible for muni-wireless and other Metropolitan Wide Area WiFi networks to deliver on the promise of WiMax now instead of years later. InspiAir has already deployed installations around the globe, most recently in Tel-Aviv, and will soon be deploying in Helsinki. They’re also on the cusp of some major work in Milwaukee and Kenosha, Wisconsin.

InspiAir is revolutionizing the world of wireless communication infrastructure by offering coverage over extended areas and range. The ultimate solution to provide wireless Internet services in Metropolitan Area Network (MAN) deployments, utilizing the IEEE 802.11 standard over license-free 2.4GHz and low power (under 100 milliwatt) antennas, is available now.

First we’ll work through the basics of the InspiAir solution method. I’ll have more on my chat with Tamir and some other thoughts at the end of this post.

About InspiAir
Originally established in 1998, InspiAir turned its focus to wireless internet solutions in 2003. It develops and deploys the InspiAir family of innovative wireless telecom infrastructure solutions, based on its proprietary Virtual Transmitting Manager (VTM) software algorithm. InspiAir solutions are suitable for a wide range of wireless communications scenarios, in the commercial, security and defense markets.

InspiAir overcomes the traditional challenges of mass deployment of wireless communications, enabling full throughput of 11 Mbps over the standard Wi-Fi IEEE 802.11, with an output power of 100 mW, over an extended range of up to 5 km (Point-to-Multipoint) and 40km (Point-to-Point). InspiAir’s technology supports seamless “hand-off” between Wi-Fi cells and enhanced encryption ensures unmatched security.

InspiAir’s systems operate in the unlicensed 2.4 GHz band, and are ideal for providing multi-channel and high-capacity bandwidth communication for all types of wireless Metropolitan Area Network (MAN), LAN, or WAN deployments. Using standard Wi-Fi protocol (IEEE 802.11) and CPE boards, InspiAir’s solution is compatible with standard hardware, and supports both Point-to-Point and Point-to-Multipoint full duplex connectivity. The system components can also function as a wireless Access Point (AP), a station adaptor or a bridge with repeating function.

Based in Herzlia, Israel, InspiAir is a privately owned company.


Let’s take a look at the wireless environment for starters

WiMAX (802.16) - Worldwide Interoperability for Microwave Access
WiMAX provides high throughput using a dedicated technology that’s built on cellular orientation. The carrier bands: 2-11GHz, 10-66GHz, with typical throughput of 70Mbps at 5-8KM. WiMAX can, at least in principle, provide a connection at 50KM. It hasn’t been widely tested thus far, and there’s ongoing disagreement among the dominant vendors. In short, it’s a high cost infrastructure with evolving standards that aren’t fully developed.

Mesh WiFi
Using the meshed WiFi network topology, there is more than one path between 2 nodes. This is the current leading approach to providing Metropolitan Area Networks (MANs). Typically a full mesh, connecting every node to every other node, is deployed, although this is likely unnecessary. Wireless MESH often deploys using 802.11a. It’s a very similar principle to packet switching in many ways.

The Mesh WiFi approach has some disadvantages. It generally doesn’t support realtime streaming applications well (video and voice). The nodal processing for packet reassembly adds too much latency. There’s added overhead for synchronization, and handoffs often take up to 400ms. Design requires solid channel utilization planning. Many implementors feel Mesh WiFi is fairly high maintenance due to the large number of elements that must be deployed. In short, for many organizations, the ROI/ROE analyses just don’t pan out.

There’s an excellent 24 page paper comparing InspiAir’s solution to typical mesh solutions on their website at http://inspiair.com/Assets/InspiAir_Mesh_Comparison.pdf

In talking with Tamir, InspiAir really focuses on what I see as two fundamental areas, the MAN, the campus and the enterprise.

The MAN need, or latent customer demand, is quite clear. People want to connect to the Internet, Email, VoIP applications from everywhere. Most current solutions allow connectivity only in certain areas. Mobility and roaming from one network to another may not be supported. There’s also a compelling need to support existing WiFi technologies (NICs in laptops, for example). And customers want the full triple play of data (Internet), voice (perhaps using VoIP) and video of all kinds over a single device and single network. This is a key tenet of the ongoing network neutrality debate.

InspiAir’s approach to the MAN solution uses “Star” topology in cellular-like deployment methods. They suggest a single, centralized NOC for the MAN and install towers with overlapping areas to increase coverage and usage potentials. One thing I noted in talking with Tamir and in reviewing the materials provided is InspiAir strongly recommends gathering as much information as possible about the deployment area (Architectural, Economical, Topographical etc.). This readiness assessment and information gathering phase is so critical to the broad suite of unified communications technologies, and too often overlooked. It’s nice to see a vendor stress the importance.

The campus solution is really a scaled down MAN implementation. The campus examples they use include marinas, colleges, and hospitals. I’d suggest that many a large enterprise campus also fits this model. City centers, convention centers, and federal/state/local centers of activity probably also fit the campus model nicely.

In the enterprise, the need is a bit different. Enterprise business needs to extend access to the corporate LAN. They need to broaden the reach of the corporate wired network at the employees’ desks to the entire enterprise. Enterprise businesses need to increase productivity by enabling employee connectivity from anywhere.

InspiAir’s approach to the enterprise problem is to integrate a seamless IP network with the customer network using both indoor and outdoor transmitters to build a service footprint that covers the enterprise environment. And they recommend third-party and existing security solutions to prevent data leakage.

The Network Operation Center (NOC)
InspiAir’s NOC allows customers to set up a Wireless ISP quickly and at a cost far lower than the existing WiMAX and Mesh WiFi solutions. Their approach includes using a robust AAA server to support Authentication, Authorization and Accounting. The solution supports PPPoE, DHCP and a captive portal approach, with traffic shaping capabilities to manage upload and download limits per user.

Here’s a slide I snagged from one of their presentations with a look at their next transmitter.

Tamir and the InspiAir team clearly understand what some of the market drivers and needs are for both muni deployments and enterprise business. Everything I’ve seen shows that they can provide a clean solution for both.

As for personal experience, I haven’t directly used this technology personally. But I’ve been on the other end. If you read my post entitled SightSpeed Land Distance Record, you’ll find my notes on a SightSpeed conversation with Andy Abramson. SightSpeed’s my favorite VVoIP (Video/VoIP) application for collaboration. Andy was in Wisconsin at the time, using InspiAir’s technology to communicate with me. He was 1/4 mile from the WiFi access point.

InspiAir is clearly in the game for the long haul. They’ve been doing international deployment. They’re winning more business around the globe. They are a company to watch in the wireless space for sure.

Ken Camp - Presenting a Workshop on VoIP Security

I’ve confirmed this morning that I will be presenting a one-day workshop on VoIP Security in the Enterprise at the InfoSec World Conference and Expo in Orlando on March 22.

W10 VoIP Security in the Enterprise
Ken Camp, Author, IP Telephony Demystified and Enterprise VoIP Security
Date: Thursday, 22 March 2007
Time: 9am - 5pm
VoIP security is a challenge that is inextricably linked with issues such as interoperability with data networks and quality of service. In the integrated services environment, voice security must be treated as data security; and data security must be treated as voice security. In this workshop you will identify common industry best practices and techniques for creating an effective VoIP security plan that balances securing the network against the VoIP requirements for availability, reliability and performance.
This workshop will cover:
  • Key VoIP security challenges
  • Design planning in VoIP security
  • Anticipating exposures in confidentiality, integrity and availability
  • Responding to VoIP security challenges
  • Identifying what to protect in the VoIP infrastructure as well as the total IP network
  • The threat vectors of attack: internal vs. external
  • Protecting the network, the services and the armor
  • Detection: technology combined with process
  • Proactive vs. reactive response techniques
  • Security vs. VoIP service quality: finding balance
  • Security as a performance measure
  • A sustainable model for security and service management

Tech = medium

There are a number of workshops being presented around this premier security conference event. The conference is very focused on audit security and I’m extremely pleased to see these folks broadening out and embracing VoIP and Unified Communications as part of the security architecture. At a glance, this session is the only one I spotted related directly to VoIP or Unified Communications, but I do feel this again signals that VoIP has achieved critical mass and is now recognized as a mainstream, sustaining technology.

I hope to see some of you there.

The Pragmatic CSO - Coming from Mike Rothman

Mike Rothman at Security Incite, one of my favorite InfoSec blogs, has this interesting effort coming up soon:

Coming Soon: The Pragmatic CSO

As I mentioned this morning, today is a special day for Security Incite. After almost a year of finding my “sea legs” by getting back in the research game and building an audience - it’s now time to take my research and advisory to the next level. To do this, I’m writing a book called The Pragmatic CSO: 12 Steps to Becoming a Security Master. The book will be available on January 2. I’ve put up a teaser website at http://www.pragmaticcso.com to provide a bit more detail on the project.

Why am I doing this? Because a lot of the folks I talk to every day are in pain. They appreciate the daily information I provide because it keeps them current, but many still struggle with how to get beyond the tactical mayhem of fighting fires. These folks need help in defining and executing on a security PROGRAM that allows them to both act strategically and also show the value to the folks that hold the purse strings.

I looked at Mike’s teaser, and expect I’ll be recommending it to a pretty large number of folks I work with.

US-CERT Quarterly Trends and Analysis Report

The US-CERT Quarterly Trends and Analysis Report came out today. It’s a look at events reported to US-CERT from 7/1/06 to 9/30/06. It’s a fair snapshot into a specific window of time.

Here are some points of interest:

  • Scans, Probes and Access Attempts was the largest incident category at 85.6%, followed by Malicious Code at 4.1% and Unauthorized Access at 3.6%.
  • Phishing reports made up 83.9% of reported incidents, reinforcing the point that phishing is the biggest security issue on the Internet today.

Zero-day exploits comprised a large concern, fueled by a zero-day exploit affecting Microsoft’s Vector Markup Language (VML) in Internet Explorer in September. This has led to a great deal of discussion around third-party patches. US-CERT maintains a “buyer beware” approach to third-party patches.

Emerging Threats

  • Blended threats stay high on the radar
  • Threats to electronic devices like MP3 players and PDAs rose into high visibility
  • Phishing remains a major concern

Stay informed and involved by subscribing to the products included in the US-CERT National Cyber Alert System. There are four products available for various technical levels and needs. They are as follows:

Technical Cyber Security Alerts – Provide timely information about current security issues, vulnerabilities, and exploits.

Cyber Security Bulletins – Summarize information that has been published about new vulnerabilities.

Cyber Security Alerts – Alert readers to security issues that affect the general public.

Cyber Security Tips – Provide information and advice for non-technical readers about a variety of common security topics.

Visit http://www.us-cert.gov/cas/signup.html to subscribe or learn more.

KEYNOTE ADDRESS BY SECRETARY OF HOMELAND SECURITY MICHAEL CHERTOFF TO THE 2006 GRANT & TRAINING NATIONAL CONFERENCE

For those who care, here’s a transcript of Michael Chertoff’s keynote address at a DHS grant and training conference. For those of you who haven’t had the pleasure of working with Secretary Chertoff’s DHS bureaucracy, G&T seems to be the root bottleneck for some, but controls lots of purse strings for others.

Well, thank you for that welcome and thank you for being a little patient with me. We hit a little bit of traffic coming in today.

Now those of you who’ve been to Washington or lived in Washington know this room is also the location for the infamous White House Correspondents Dinner. And the difference between that dinner and this is, first of all, they’re not serving you rubber chicken, and second, I’m not going to be that funny.

But I do appreciate the opportunity to be with you here today to talk about the importance of preparedness and partnership in the country. As Corey told you, preparedness is one of the foundation stones of what we do at the Department of Homeland Security. And as witnessed by the fact that you’re here today, I think all of us understand that whether we are dealing with an act of terror or a natural disaster, preparedness is a shared responsibility. We all have to work together to protect our communities and our country, and we have to do it not by mandates from the top down but by networking from the bottom up, community by community, state by state, and throughout the federal government.

Effective preparedness requires teamwork across all levels of the government and society, and it requires joint planning, coordination, training and execution. We have to have a common approach, a coordinated approach, across all of the phases of what we have to do to create homeland security — prevention, protection, response and recovery. So what I’d like to do today is talk a little bit about our vision at the department for managing the full breadth of preparedness activities in partnership with all of you, how we can add value to your efforts, and where we want to go in the future.

I’m going to repeat something I’ve said a lot in the almost two years I’ve been on this job, which is the core principle that animates what we do at DHS, and that is risk management. It is a recognition of the fact that management of risk is not elimination of risk. There is no elimination of risk in life, and anybody who promises every single person protection against every threat at every moment in every place in the country is making a false promise.

What we do have to do is identify and prioritize risks — understanding the threat, the vulnerability and the consequence. And then we have to apply our resources in a cost-effective manner, using discipline and common sense in order to minimize the risk without imposing undue cost on our communities and our families. Now what that means from my standpoint is that I have to look at the totality of risk across the United States and I have to work with the department to figure out where to make the investments to reduce risks in the most efficient way possible and build the necessary capabilities across the country to help you do your jobs.

That means a few specific things. Obviously it means that the high risk locations are going to get a disproportionate amount of money. I think that’s the intent of Congress. I think that’s the intent of the people. But it doesn’t mean that the high risk people or places get all the money. So that while, for example, we do put a lot of emphasis on protecting the big cities and the major elements of infrastructure, we do have to recognize that we have a responsibility to elevate protection for the entire nation.

So we have to invest our resources that balance the need to give the most to the high risk areas, but also to make sure that everybody is getting a basic level of capability to do what they need to do to protect Americans in our towns and our rural areas from sea to sea. I also know that every single person from every community quite rightly is an advocate for the needs and requirements of that community. That’s your job; that is what I would do if I were in your place. You quite rightly have the perspective of the people that you are representing in terms of what their needs are. But we also know that if you were to add up all of those needs as perceived by the representatives of every community, we would have to give out 10 or 15 times as much money as we actually have in the pool of what is appropriated. So of necessity, there’s going to be some disappointment and some need to balance all of these requests across a common template of risk.

Now it may startle you to hear me remind you that since 9/11 the federal government has provided more than $18 billion in grants to state and local governments, and that is a lot of money. As Everett Dirksen, the late Everett Dirksen used to say, you know, a billion here and a billion there, pretty soon it does start to sound like real money. And that’s money that’s been important to give to you. It’s also money that has to be wisely spent and supervised.

But even with this large infusion of funds, we do have finite resources, and we can’t — in fact, it would be a mathematical responsibility to suggest that we could fully fund capabilities to meet every imaginable risk. So what I want to do today is talk to you about the steps we’re going to take going forward to make our grant process more effective, more transparent, and more user friendly consistent with the principles of risk management that I’ve just talked about.

I also want to say, before I discuss what we’re going to do, that we have a very keen recognition of the primacy of state and local government in developing the skills and capabilities for preparedness. State and local governments know communities the best. They know their communities much better than the federal government in Washington knows their communities. And therefore, the expertise to tailor planning and capabilities to specific needs best resides with the lowest level of government. What we can do is not federalize preparedness but help you do your jobs by adding value where federal government resources have a particular help that we can generate, or where our planning capability, looking across the entire horizon, can give you a boost in terms of the specific planning that you need to do for your individual communities.

So let me talk about some of the areas where I think we can add value without preempting you and where I think we can add these values of clarity, transparency, and common sense and user friendliness in how we assist you in doing your jobs. Well, first let me talk about prevention. Obviously, when it comes to terrorism, our best solution is a solution that prevents a terrorist act before it actually comes about. And a critical element in that is our early warning system, which is intelligence — intelligence gathering, intelligence analysis, and intelligence dissemination to people who need to know.

And since September 11th, we have accomplished a paradigm shift in how we share information and intelligence across the government and the private sector. We’ve done it by fusing and integrating our intelligence analytic capabilities, by developing and building upon an information sharing environment, by lowering some of the walls to information sharing that used to exist before the passage of the Patriot Act.

One of the critical insights we’ve had is that we have to do, not only a better job of horizontal sharing, as we have succeeded, I think, in doing over the last five years, but we have to do more in terms of vertical sharing. And that’s, by the way, not a one-way street. It’s not just us pushing information down to you; it’s you — helping you collect and push information up to us because increasingly the threats we have to worry about are not merely those that come from overseas, but homegrown threats of the kind, for example, that the United Kingdom has lately faced in 2005 and 2006 with some of the homegrown plots that came to light over there.

One of the keys to moving this vertical pathway in information sharing — are fusion centers that are now being created in many of the states and the major urban areas in this country. We see a tremendous value in having a national network of linked intelligence fusion centers to facilitate the two-way sharing of information, and we look forward to enabling and assisting the creation and development of those fusion centers.

One of the things, for example, we’re in the process of doing is deploying DHS intelligence and analytic personnel to all the major fusion centers, and getting that done by the end of 2008. We’re already getting that done in a number of major cities. This will allow us to build a vertical network to match the horizontal network of intelligence and information sharing for all of our communities across the country.

Second, let me talk about the issue of grants. Again, we recognize that we have high risk regions that are going to get a disproportionate amount of the assistance because they have the greater risk. We also recognize, though, that we cannot give them all the money. We have to make sure that all communities in all states have some basic capabilities.

Now let me tell you what we’ve tried to do over the last few years. We’ve tried to move in a more disciplined fashion in two ways, first of all in terms of understanding risk, which again is threat vulnerability and consequence. And part of that means not only looking at what’s happened in the past, although understanding what’s happened in the past is important, but trying to anticipate what’s going to happen in the future, and trying to do it in a way that is based upon hard analytics and not just anecdote and whatever happens to be in the news.

At the same time, we need to be more disciplined about what we give communities grants to spend money on. There were stories early on after the creation of the department and even before the department was created about money being spent for homeland security with what I might describe as a very generous description of homeland security. And we all know that anybody with a modicum of creativity can find a way to take almost any governmental function and spin it in a way that says it enhances homeland security. But we also know that’s not what Congress and the public thinks we’re doing with homeland security funds. So we have to build a way of describing what we do so that we have a more specific and clear definition of what is appropriate spending. And that, by the way, gives us a better ability to hold people accountable for the way they actually spend the money, so we have fewer of those stories about leather jackets and gym equipment that I think we all remember reading after the first round of grants went out early in the period after 9/11.

So let me tell you how we’re going about getting to the next level of clarity and discipline in doing this. We are using risk-tiering as a way of identifying communities with higher risks so we can allocate an appropriate portion of the total funds to those communities. And I’ll give you a concrete example based on what we did with mass transit during our grants for the 2006 grant cycle.

We identified through tier one a number of communities that we believed had the highest risk in terms of mass transit. That was based upon ridership; it was based upon the architecture of the system in which we were able to identify those systems with a higher degree of vulnerability. If one tries to analyze for example what a specific bomb could do in system number one as opposed to system number two, we looked at the different architecture. And then, having analyzed the risk, we granted a significant proportion of the total funds to the big cities and regions where we knew that the risks were highest. And then we identified a second category of cities, what we call tier two cities, which we opened up for some competitive bidding or competitive grant applications so that we could give some money out to other communities, again based on the way it would be most efficiently used.

What you’ll see if you look at the numbers from last year is that 90 percent of the total mass transit funding went to the tier one big cities and urban areas, which of course, received the lion’s share.

But an additional 19 urban areas shared the balance of the remaining funds. So what you would expect, and what I think Congress expected happened. Cities like New York, Chicago with very large systems and particular vulnerabilities and high consequences got the lion’s share of the money. But we also were able to give some money to boost basic capabilities in other systems, particularly where they were able to demonstrate that they had very good use to which that money could be put.

We did the same thing with port security grants. We expanded our list of ports that would be eligible to compete, but we did capture the highest risk ports with a significant share of the money. That is putting the money where the risk is, which is what I think again the public wants and where Congress has directed us to move.

Another thing we’ve done is increasingly focus on regionalization. We know that threats don’t comfortably come confined to the political line drawing that describes what falls within one political jurisdiction or another political jurisdiction. Threats are risk-based, and the consequences of threats are risk-based — I’m sorry region-based. And that means we have to look regionally at what we’re doing to deal with risk. And of course, that was vividly exhibited on September 11th and in Katrina, where the spill-over effect of an event in one jurisdiction was acutely felt in multiple other jurisdictions. So we’ve begun to look at regionalization as an important positive element in determining where we put money. And we’ve used that, particularly in our urban areas security initiative grants.

Finally, I want to say there was a lot of criticism last year about some of the microscopic detail that seemed to go into the analysis distinguishing between one area and another in terms of risk. And I think as we’ve looked at that, we’ve come to the conclusion that perhaps there was a little too much bean counting and a little less standing back and applying common sense to look at the total picture, so I think this year as we move forward, we’re going to look to definitions of risk that have fewer microscopic calculations and broader, more easily understandable rules of principle that explain why we are allocating risk the way we are among the various urban areas or states that are competing for money.

So using these principles, which are tiering to put the most money where the highest risk is; regionalization, which is looking at the impact of risk on a region and not really on a political jurisdiction; and clarity and principle-based risk analysis, as opposed to a lot of microscopic bean counting, I think we’re going to have a system that is more understandable and more transparent. But there’s one additional piece which I think is going to be very good news for all of you, which is it’s got to be a user-friendly process.

This year we’re going to get grant guidance for all of our grants out this coming month, the month of December, which is going to be earlier than we’ve ever done it before. And there’s a reason that I’ve directed that we do it. It’s because in the past when we’ve gotten the grant guidance out later in the cycle, those applying for grants have put together proposals, and they’ve tended to be accepted or rejected almost on what I would call a pass-fail basis.

And I’ve heard the complaints about it, looking like we’re playing kind of a pop quiz type of game with local communities. They have to try to guess what we’re looking for, and if they guess wrong, they don’t get the money that they think they’re entitled to, and that they may be entitled to.

So again, having taken that critique into mind, we’ve looked at the process and said, how do we make this more of a give-and-take. By getting the guidance out earlier this year, we’re going to give you an opportunity to submit your proposals in enough time for us to do one turn-around and get back to you with a critique of what we think is good and what we think is not good. That will give you an opportunity to fine tune your proposals for a second round to maximize the ability for you to get funds that a risk-based analysis says you should be entitled to get by being able to tailor your proposal in a way that is most likely to satisfy our requirements in terms of the preparedness goals that we believe are important for getting capabilities out across the country.

In other words, it’s not going to be like a pass-fail test. It’s going to be an iterative back-and-forth process in which you will have an opportunity to absorb our suggestions and come back for a second round before we finalize these arrangements.

I’m convinced that this kind of two-way communication is going to go a long way to alleviating some of the frustration that you have rightly expressed in past years. And after we get this year’s cycle done, I’m going to predict to you that next year, we will be even earlier in getting the grant guidance out — hopefully within a matter of 30 to 60 days after Congress appropriates the money for the 2008 grant cycle. What that’s going to mean again is better planning for you, better understanding and better communication between our department and the states and localities.

Now, with that, of course, comes accountability. Homeland Security funding, first of all, is not only a federal responsibility. State and local governments also have to put resources in and prioritize resources for homeland security. And in order to do the job you have to do, as well as for us to make sure we’re doing our job in the way we’re dispensing grants and assistance to you, we need to have accountability, performance measures and benchmarks.

This year marks a banner year for performance management with the release of the National Incident Management Systems Compliance Measures to state governors. And another example of the use of performance measures is the nationwide plan review, a plan that many of you played a critical role in developing, as well as the National Preparedness Goal and Target Capabilities List.

What these planning documents allow us to do and you to do is have a baseline for measuring preparedness with respect to some very specific skills and resources so that we know what our targets are and we can measure the progress we are making toward those targets. And I’d suggest that in your own work, and in terms of applying state and local funds, as well as applying our funds, if you look to see what additional performance measures you can develop to help you monitor the progress you’re making and ensure accountability from the people in your communities who are spending the money that Congress and state legislators have appropriated for homeland security.

Finally, a critical element of preparedness means boosting response and recovery if we are unable to prevent or protect against a major disaster — whether it be natural or manmade. And we’ve worked very hard this past year, particularly after the experience of the hurricane season of 2005 to help enhance our mutual capabilities in response and recovery.

Our goal is, again, not to supplant state and local government as the principal point of the spear in dealing with disasters, which is the customary and constitutional way we operate in this country.

Rather, our intent is to add value to your efforts and capabilities and to help you ensure a coordinated response when we do face a major, multi-jurisdictional incident that requires all levels of support — federal, state and local.

So what are our major goals over the next year or two? First, we are determined to ensure that the Urban Area Security Initiative cities, the major cities, have inter-operable communications in effect by the end of this coming year, and that all states have inter-operable communications in effect by the end of 2008. We have the first generation of equipment. We know that what’s needed at this point is finishing the governance plans and the documents, and we also know that we need to complete the job of getting the specifications for the next generation of digital equipment out there so you can complete the process of being able to do your own planning for your next generation of purchases.

The bottom line is we have to be able to communicate during a disaster, and this remains a priority for all of us. We’re going to get it done. And again, as part of our performance measurement approach, we anticipate that after a collaborative effort we have undertaken with you over the last few months, we are going to be able to issue interoperability score cards for the UASI cities this coming month. The idea again being this is going to help guide those cities that need more money to get to where they have to be in terms of prioritizing their grant applications using our 2007 money.

Another goal is NIMS compliance. We’re well on our way to NIMS compliance all across the nation. This, by the way, was a 9/11 Commission recommendation. And it’s important work we have to complete.

By having a common set of protocols, a play book so to speak that emergency responders at all levels understand, train against and exercise with, we’re going to be much closer to having a nation that can be robust and better prepared when a cross-jurisdictional catastrophe actually occurs. We want to make sure that as we get into FY2008, we continue to build measures of effectiveness to make sure that we are training to NIMS, managing our resources to NIMS, and exercising to NIMS.

For our part, the federal government is making sure we’re doing some things better to service you. We have this year for hurricane season put into effect a level of commodity management capability never before seen at FEMA. The good news was we didn’t have a terribly serious hurricane season. We did have a couple of very serious tropical storms and near hurricanes. We did get to exercise the system. It worked well. We tweaked it somewhat. This next year going into the 2007 hurricane season, we’re going to go to the next level of commodity tracking which is going to give us visibility at all levels of where essential supplies are when you call for them.

We’ve also revised the National Response Plan, using lessons from the 2005 hurricane season. And perhaps even more important, we have begun working with DOD what we call a deliberative planning process for 15 major catastrophic national planning scenarios, which we would need to plan against if there were truly a catastrophe in this country.

These include everything from pandemic flu, to the detonation of a nuclear improvised explosive device, to a major biological attack, to an earthquake in California or at New Madrid, or at any of the other major 15 planning scenarios that have in our national preparedness goal.

And in order to make sure that we’re adequately focused on warning people when a catastrophe comes, the President earlier this year issued an executive order mandating that we put in place a comprehensive system to alert and warn the public during national emergencies. Those of you who grew up in the ’50s remember that they used to break into television programming with this warning system, which was the first primitive version of this. But we’re in the 21st century. We have text messaging. We have the Internet. We have digital cable. We have satellite television. We have to upgrade the current patchwork system and build one that is national in scope for the 21st century. Therefore, in the next two years, we’re committed to implementing this system for the 21st century with the goal of establishing the capability to reach 85 percent of the listening public in 10 minutes with warnings. And that’s going to be a major step forward for protecting this country against any foreseeable catastrophe.

Let me conclude by saying something which I know you all know: Preparedness is not at the end of the day just a government responsibility. The government does not own most of the assets in this country. We don’t operate the business, and we don’t employ most of the people. That’s why it’s a civic duty and a personal responsibility for individuals and private businesses all across the country to do their part in personal preparedness. We have to continue to promote a culture of preparedness through the Citizens Corps, which has at this point close to 2,100 councils in every state and which is training hundreds of thousands of people in communities all over the country in preparedness. And I want to thank you for your support and participation.

We also have to continue to promote preparedness through a robust media campaign known as our Ready Campaign. I want to tell you that the Ready Campaign has generated almost $600 million in donated media, and the website has received more than 1.9 billion hits and 24.3 million unique visitors. That is getting the message out so people can do what they have to do to put themselves in a position to deal with emergencies.

And I want to continue to encourage you at your community level to work with schools and other institutions to make sure you are fostering a preparedness outreach program that helps you by making sure the public is prepared to help itself.

Every one of you plays a critical role in our nation’s ability to prevent, protect against and respond to potentially life-threatening and life-disrupting incidents or disasters. Those of us at DHS count on your partnership and your collaboration every single day. I want to thank you for joining us here. I want to thank you for your ongoing commitment and partnership as we meet this challenge together. Whether you’re a state and local official, whether you’re the owner, operator of a private business, or whether you’re simply a member of a family and a private citizen, we look forward to working with you in the days and months ahead. We want to be clear. We want to be transparent. We want to be helpful. And as I hope I’ve demonstrated in this speech, we will continue to listen to you, hear you, and adapt what we do to make sure that we are best meeting your needs.

Thank you very much. (Applause.)


Murdoch on Broadband

Thanks to David Isenberg for this quote from Rupert Murdoch.

“They do it in Japan, they do it in South Korea. We should be able to do it here. We are being left behind and we will pay for it . . . When you have broadband - real broadband, not the type they’re talking about here - where you get, say, 20Mbps of data into your home, it changes everything . . . Broadband certainly is going to become ubiquitous around the world, and if you don’t have it, you’re left behind . . . I think it’s a disgrace . . .”


Changes ahead

Not big changes, but some changes. There’s something coming soon that will doubtless have me video blogging more than I have been. It’s something I’d anticipated, and confess laziness as much as anything.

I’m also tweaking the old podcast feed here and expect to be doing more podcasting here. My work on the Realtime Unified Communications community leads to quite a few podcast interviews there, but there are many other technologies and security initiatives I’m involved with that don’t quite fit there. Since I am positioned pretty well as an analyst, I find I have a number of interviews, briefings and podcasts that don’t quite fit the scope there, so I’ll be putting more of those things online here.

And while Digital Common Sense will stay mostly focused on the broad business and technology areas I’ve focused on here for six years now, it does remain also a personal blog where I’ll continue posting pictures and other things that interest me.


Manhattan - Back before



mnhtn-1, originally uploaded by kencamp.

Fumbling through pictures this evening I stumbled across this one. Taken from the right hand window seat on a takeoff from Newark that took the stunning climb out giving a magnificent view. Have no recollection of the business trip, but I do remember taking pictures during the altitude climb.

‘Twas a different place the day this was taken than it’s been in a long time now. Just remembering NYC of the past.

Snow Day - Olympia Style



Connor’s 1st Snow of 2006, originally uploaded by kencamp.

While the snow in Olympia caused minor consternation among the staid grown-up generation, the important people (like Connor here) found it quite invigorating.

Snowy afternoon in Olympia

Snowy afternoon in Olympia

Originally uploaded by kencamp.


Congrats to Anne Zelenka

Congrats to friend and colleague Anne Zelenka. First she joined the GigaOm machine with her work at Web Worker Daily. Now she joins RedMonk as an analyst. Good news Anne, Congrats!

Announcing My New Technology Gig and Blog at RedMonk
I am pleased–no, thrilled–to announce that I am joining RedMonk as an analyst. The bulk of my technology blogging will now happen at tech decentral, where I have some initial posts up describing what’s so great about RedMonk, what technologies I’ll be covering, and why I named the blog tech decentral.


Adjusting Flickr settings




Around Mt. Rainier, originally uploaded by kencamp.

I’ve been posting lots of pictures to Flickr lately. Also been taking pictures with the N73, N93 and my Nikon. I’m just posting this to verify new picture size setting works ok.

Looking to spring



Mt. Rainier

Originally uploaded by kencamp.

I’m already thinking about spring, road trips and camping expeditions. Looking at the calendar thinking about when to plan a waterfall exploration up at Mt. Rainier in the spring.

Planning Ahead

I’m not a big Sony fan. Actually never have been. But I might have to get myself one of these.

Sony VAIO UX90P

The design goal: a full-featured mobile PC small enough to fit in a
pocket. Weighing just over a pound, this PC has a 4.5-inch touchscreen
that slides up to reveal a keyboard. A U.S. version is expected soon,
starting at $2,000.

Now, if it will support both WiFi and EVDO with at least an 80G hard drive and 2G RAM capacity, I’ll really get excited.

Thoughts on the Nokia N73

I’ve been using the Nokia N73 as part of the Nokia Blogger Relations Program for a week or two now, but using it with some constraints.

First, I’m a Verizon customer, and their CDMA network doesn’t support Nokia GSM phones. I wish it did. But for testing the N73 and N93 I went and picked up a couple of prepaid SIM cards on the T-Mobile network. So for starters, I’m constrained to somewhat basic telephony…no data service. I’ll be rectifying that shortly with a Cingular SIM, and my testing will continue for some time to come. But you need to understand the constraints I set on myself for starters.

I had some problems with the PC Suite software initially. It wouldn’t connect via cable, but worked fine over Bluetooth. An uninstall/reinstall of the PC Suite took care of that problem. Like Phoneboy, I’m finding that once I’ve synched information over, I really like connecting and using the N73 as a portable drive. It’s the easiest way to get pictures and videos where I want them on my laptop.

As a phone, this unit is sleek and sexy, but not pretentious. Sounds like a fine wine, and it is. This is a phone that can simply be described as classy. Trim lines, clean look. Easy to use dialpad. I found the five-way navigation button a tad awkward with my large hands, but I quickly adapted.

I’ve had no dropped calls or problems in that regard. The controls all work well. It’s a nice little speakerphone. I’ve done two rather long conference calls with it lying on the desk and had no problems hearing or being heard. I’d rate the speakerphone a tad better than the one in my Treo 700w.

It’s got all the necessary applications built in and they’ve worked flawlessly for me. PDF reader works for what I’ve tried, although reading PDFs on a phone screen is always an iffy proposition. If I have a complaint about the applications, it’s the functionality of QuickOffice. The suite works well enough, although without a working Bluetooth keyboard, it has limitations. But the lack of ability to create documents is, for me, problematic. I need to be able to connect a keyboard and create a new document.

The Outlook synchronization all seems to work without a hitch. Again, the only drawback I found was attempting to work with the dialpad rather than a QWERTY keyboard. As a basis for capacity, I loaded about 1600 contacts, appointments, to-dos and notes into the phone with no problem at all.

The camera is one of the best I’ve seen in a smartphone…period. It’s been noted by others, and while it doesn’t begin to match my Nikon D50, it has to be among the best cameras available in a smartphone today. What I noted is how quickly the display scrolls and follows camera motion. It has a lesser quality secondary camera so when you take your own picture you don’t have to run to the bathroom and use a mirror. Actually, it works really well and, in the right network environment could be handy for video calling.

The sliding lens cover on the back for the camera is, as many people have noted, smooth. A great cover and an easy to use feature. I liked that a lot.

One personal use for a smartphone camera for me is in meetings. I commonly take pictures of whiteboard drawings and send them to myself. These wind up becoming parts of Visio diagrams, Powerpoint presentations and the like. I have to say the 3.2 megapixel Carl Zeiss lens is far superior for this than the camera in my Treo.

Low light photography is, as I expected, marginal. That really requires a quality camera to pull off well. The focal length doesn’t allow for any real closeup work either. I believe the new N80 supports closeups and I’m really hoping to get my hands on one of those when they’re rolled out for bloggers to review.

Like Luca, I didn’t have a mini-SDIO card to use with the phone, but the built in memory was plenty for testing purposes. If I were to use it every day, I’d put a 2 gig mini-SDIO card in the slot.

 Here’s a webcam shot to show the display

I found SMS and MMS to work nicely, and as expected. There’s a network limitation on MMS file sizes, so sending video just didn’t work well. I transferred both pictures and video over cable, Bluetooth and infrared too. All worked seamlessly and without a problem. It was interesting beaming pictures from the Nokia to my Treo, but worked the first try.

Another feature I liked is the built in voice recorder. Lots of phones have them and many don’t. I couldn’t figure out how to shortcut it to a button or really easy access, but it worked great. It’s another reason to insert a large capacity mini-SDIO card.

For me, the coolest application on the N73 is one I haven’t been able to use. There’s a Flickr application that lets you easily send straight from the phone to Flickr. Without an Internet data plan of some kind, that doesn’t work. Rest assured, I’ll be testing it and posting about where you can see the pictures once I’ve got a Cingular SIM and some time to get those done. Flickr’s the premier photo sharing site on the web.

Speaking of photos, I’ll actually be creating some full Flickr photosets from both the N73 and N93 (along with any other phones I’m able to test) and tagging them for easy location. Once that’s all done and underway, I’ll write up a post on where the photosets are and linking to them.

The Lifeblog software that’s included is a nice feature addition, but only works with Typepad blogs. I think that makes it a software set that 75% or more of the people who use the Nokias will just not use. I’ve uninstalled it myself. But the idea has huge potential as smartphones become the tools we use to document our daily lives.

At this point, this is the mobile handset I’d recommend to anyone who needs a good solid phone, and doesn’t require the QWERTY functionality of full email integration. I’d recommend it to my mother. Actually, once her current contract is up, I will recommend it to my mother. It’s a great phone with only minor drawbacks.

Drawbacks

  • One drawback is the PC connection cable. Or the fact that the phone won’t charge from the PC when connected.
  • The mini-SDIO slot cover is somewhat difficult to open and put back in place. I’d probably just rip it off and throw it away at some point.
  • I’d like to see the QuickOffice suite enhanced to ease file creation, but that’s a need that doesn’t apply to everyone.
  • I’ve yet to see a Nokia phone with a vibrate function to alert to calls. Silent doesn’t work for me. Neither does beep. I couldn’t find it here and I know there are sound engineering reasons not to vibrate a device like this. Still, for me personally, that’s actually an important feature. When you spend almost all of every day in meetings, sounds, no matter how unobtrusive, can present a problem.

Overall, I like it a lot. I’m not finished with it. I’ll be testing some of the web capabilities and the Flickr app in greater depth when I can find time to get over to the Cingular store.

Rest assured, I’ll be posting more as I keep using the N73.

Update Note:  Phoneboy called me and told me where I’d overlooked profile setup features for vibrate. One issue resolved!


Skype on the Thumbdrive? Not When it Violates Company Policy

I’ve read some interesting posts over at SnapVoIP in the past few months. On Monday, this one caught my eye and I’ve been juggling time constraints to comment.

Remove skype from your computer and use a “portable skype”, on any computer.
The Skype, one of the leading VOIP IP Telephony solutions today, has much benefits and drawbacks to a user. Whatever the reason, the popularity of the application, shows that users are satisfied or it is providing whatever VOIP needs a user has.

Then again time and time, many network admins run around trying to find out how to stop skype users. Be it company policies, bandwidth usage or security reasons.

I have written earlier about “remove skype”, one of the popular articles;
VOIP IP Telephony: Remove skype, stop skype or detect skype with skypekiller.

But say you want to use skype application but do not want to be /or want to be a skype supernode, then the post;
VOIP IP Telephony: How to be or not to be a skype supernode?
should help.

But how about carrying your skype with you, and sneak past the admins that stopped your skype on your office computer? yes, you need “portable Skype”.

The easiest method is to grab a U3 USB stick. U3 drive, according to the U3 sites statement;
“Imagine carrying your software on the same flash drive that carries your files. That’s what you can do with a U3 smart drive. You can plug it into any PC and work, play a game, message friends, send email, edit photos and more. A U3 smart drive makes any PC your own PC. And when you unplug it, it leaves no personal data behind.”

I feel compelled to add a caveat or two here. First, the article is absolutely accurate and on target. U3 technology in thumbdrives makes portable applications very, very easy to use. The SANS Cruzer U3 thumbdrives come with Skype pre-loaded and make it incredibly easy to use.

They also make it incredibly easy for users to either knowingly or naively breach network security in the corporate environment.

I’ve taken my Cruzer thumbdrive and tried it out. What I found is that any machine that’s connected to the net in most corporate environments, including servers, that’s equipped with a USB port, easily turns into a Skype workstation.

For Skype users, this is a benefit to be sure. For corporate security admins, it may be a nightmare. This technique works even if users don’t have admin rights to the machine. It doesn’t write to the registry. It doesn’t leave a trace that I can find. In short, if there’s a corporate policy forbidding Skype, in most cases today it is, by default, enforced only by user behaviour.

That said, there are technologies that easily control access to the USB ports, enabling or disabling them, and more importantly, actually controlling what USB devices are allowed to connect. I’ve worked on two implementations that allow PDAs and smartphones to connect, but disallow access to the SDIO card and won’t allow thumbdrives to operate.

Thumbdrives can pose a number of risks to corporate intellectual capital. They make it easy for data to walk out the door. In most cases, they don’t require user authentication and encryption. There’s probably been far more corporate data lost to misplaced/stolen thumbdrives than to laptops, but that scenario is very poorly documented.

User education is critical to enterprise security. The organization that doesn’t establish a corporate culture of stewardship in protecting proprietary information and intellectual capital is courting disaster.

Corporate policies regarding the use of Skype, the use of thumbdrives, and the use of other U3-based applications are all very weak today. That will have to change over time, but the education really needs to begin now, and become an ongoing part of the corporate culture.

I know of several organizations where running Skype will get an employee fired. And while plugging in a thumbdrive might allow it to work technically, and users might think their footprints have been erased, there’s an ever widening array of network monitoring technologies that easily detect and prevent Skype at the network border.

Users, follow your company’s policy and keep your job. Don’t be the example who gets fired for Skyping from a thumbdrive just because you think you can. First and foremost, employees owe it to the companies they work for to adhere to corporate policies and practices. Technology making policy violation easy doesn’t change the fact that it’s a policy violation.

I posted months ago that I could foresee an employee being fired for using Skype. I actually know of three instances where employees in different organizations have been formally warned and put on notice that their next offense will result in termination.

Don’t lose your job through naivete and ease of use.


Somewhere Warm



Ensenada

Originally uploaded by kencamp.

I’d rather be somewhere warm today. Like Ensenada

Archaeologists find human remains in early Republican settlement


Nokia Updates - N73 and N93

I’ve had a Nokia N73 and N93 for a short time for evaluation. I’ve been using the N73 quite a bit and will be posting a more detailed writeup in the next few days about that one. If I were to recommend a phone to a basic user, this would be the one. Think Motorola V265 re-engineered to be a solid, reliable device. That’s the closest near comparison, but I’ll write more later. This is a phone I’d recommend to my mother with no hesitation.

I used the N93 to take a few pictures and some video while I was in Texas, but I really haven’t used it much. Today I started on that one. Mostly I want to report in that it synchs fine via the cable. I suspect the N73 will also now that I’ve reloaded the PC Suite software. But I can’t check that until later this evening.

In the meantime, I’m on a quest for a Bluetooth keyboard that will work with both the N93 and my Treo700w. Nokia lists a keyboard for $149, and I may pick that up and see if I can get a driver to work with Windows Mobile 5.0 on the Treo. That would be sweet.

I’m also intrigued by the soon to appear N80. Not quite as nice a camera or as large a display as the N93, but it shows close-up mode on the camera which could make for some very cool macro photography. It looks like a great form factor if everything else works like we’d expect.

I’m a longtime Verizon Wireless customer, but I have to say Nokia phones rock!


Twitter Updater WordPress Plug-in from Victoria

Thanks to Victoria for a really neat new WordPress plug-in, Twitter Updater.

Twitter Updater (a WordPress plugin)

The Twitter Updater automatically sends a Twitter status update to your Twitter account when you create, publish, or edit your WordPress post. You can specify the text for the updates, and also have the option to turn the auto update on/off for the different post actions in the admin panel.
