Still think security and privacy are no big deal for developers to worry about? Well then take a look at what AT&T testified to in front of the United States Congress early last week. AT&T writes below...

"And if Google does combine its third-party cookie information, with user's search histories, with Gmail summaries, and with Google Analytics data, among other data sources, they would be a proper domestic intelligence agency."

//from www.blog.wired.com //

 

Online advertising networks -- particularly Google's -- are more dangerous than the fledgling plans and dreams of ISPs to install eavesdropping equipment inside their internet pipes to serve tailored ads to their customers, AT&T says.

At least that's what the company told Congress in a letter early this week, responding to four prominent House lawmakers who are bird-dogging ISPs about their online profiling practices. Those lawmakers asked 33 internet companies on Aug. 1 to explain some of their monitoring practices. Most have replied.

In its letter (.pdf), AT&T denies that it currently digs deep into the net habits of its users "for the purpose [of] developing a profile of a particular consumer's online behavior."* (AT&T is currently facing a class action lawsuit for allegedly helping the NSA spy on Americans' internet usage, but that's a different issue since the NSA does not run ads.)

However, it says it may bake this kind of surveillance into its tubes in the future using so-called Deep Packet Inspection technology. The company rightly says it could also be used to detect copyright infringement, speed up packets of streaming video and detect child pornography.

But even if it did, that's nothing compared to Google, it says.

"If anything the largely invisible practices of ad-networks raise even greater privacy concerns than do the behavioral advertising techniques that ISPs could employ, such as deep-packet-inspection," AT&T wrote.

AT&T rightly points out that Google can know almost as much as a snooping ISP could -- which is the case for users who install Google's toolbar and don't know to opt out of Google's Web History program. And if Google does combine its third-party cookie information, with user's search histories, with Gmail summaries, and with Google Analytics data, among other data sources, they would be a proper domestic intelligence agency.

AT&T writes:

Advertising-network operators such as Google have evolved beyond merely tracking consumer web surfing activity on sites for which they have a direct ad-serving relationship. They now have the ability to observe a user's entire web browsing experience at a granular level, including all URLs visited, all searches, and actual page-views.

AT&T goes on to say that, because of Google's singular ability to gather online data, online advertising networks are substantially similar to ISPs monitoring their customers.

Google and Yahoo are perhaps the only two online empires that AT&T could realistically point towards to make that argument.

It's a clever argument, since online advertising cookies are nearly universally accepted and there are voluntary codes of conduct that most advertisers agree to in order to keep government regulators away.

And certainly any ISP thinking about looking at what its users are doing has got to be worried given that the House Energy and Commerce Committee is on a roll -- taking on ISPs that want to or have watched what their customers do online in order to serve them targeted ads. That roll is reportedly heading towards a long-fabled online privacy omnibus bill. Add to that, this month's unprecedented decision by the Federal Communications Commission to slap down Comcast for its secret and deceptive interference with file sharing traffic.

But the argument is also just wrong.

You pay your ISP to carry your traffic to and fro.

It can see everything you do online, unless you take extreme measures. It could know where you bank, the contents of your emails and chats, what sites you shop at, what you search about -- regardless of search engine -- and everything you read or watch online.

Your ISP does not need to be peering into your traffic to decide whether to show you ads for hemorrhoid cream or sports bobble heads.

They just need to get that health information and that gallery of hockey's worst bobble heads to your browser quickly.

* Threat Level readers may enjoy this full sentence from the letter: "AT&T does not at this time engage in practices that allow it to track a consumer's search and browsing activities across multiple unrelated websites for the purpose [of] developing a profile of a particular consumer's online behavior."

//from www.blog.wired.com //

 

Be sure to check out Talhah Mir's blog on threat modeling.

http://blogs.msdn.com/threatmodeling/

Also check out the last post from Talhah Mir on a post by Akshay Aggarwal on threat modeling. Here's Akshay's post from his blog site.

http://blogs.msdn.com/akshay_aggarwal/archive/2008/06/11/application-security-development-lifecycle-5a-is-threat-modeling-right-for-you.aspx

 

Microsoft has invested considerable time and effort along with other software companies to ensure children and families are safe online. It's best to check out these resources now before you actually need them. To name a few:

www.staysafe.org

http://pointsmartclicksafe.org

http://www.microsoft.com/protect

 

If you're a developer working for an ISV, you can help by providing better software security to ensure children's safety online.

 

Google Says Complete Privacy Does Not Exist.

Posted by samzenpus on Thursday July 31, @07:57AM
from the open-books dept.

schliz writes "In a submission to court, Google is arguing that in the modern world there can be no expectation of privacy. Google is being sued by a Pennsylvania couple after their home appeared on Google's Street View pages. The couple's house is on a private road clearly marked as private property." Here is our previous story about Google Street View privacy issues.

I believe this to be the difference between a socialist view and a free republic where ordinary citizens have rights to privacy and keep others from their Personally Identifiable Information (PII) data. Might does not make right.

Every time someone uses Google search, they are enabling this kind of behavior in Google and their employees. Microsoft has been around since 1975 and we've certainly made some mistakes in the past, but we've always been staunch supporters of customer privacy. Our efforts with the Microsoft Security Development Lifecycle (SDL) and our mandatory internal training on customer privacy policies are aimed at safeguarding any data that comes to Microsoft through transactional means. While I was on the MSDN Webcasts team, we couldn't pull any customer data directly, and we couldn't store it on our laptops or outside the MS firewall. Doing so means severe disciplinary actions up to and including termination. While this impedes our ability to get to market quicker and conduct on the fly analytics, it's the right thing to do for our customers. You don't need PII data to determine what your customers want or to get metrics in terms of how many are attending and where they are coming from. The PII data can be hidden to protect our customers' right to privacy.

Google has had issues with Google maps where they would show images of military bases from above and people's backyards, just because the technology is there. Just because you have the ability to do something doesn't give you the right to do it. Microsoft is a more mature company, and we've come a long way from that way of thinking. I'm glad we have policies and procedures to safeguard our customers' data. Google's statement that privacy doesn't exist in the modern world is a decision that's not theirs to make. They're looking for an easy way out, and customers will pay the ultimate price. Think about that the next time you do a Google search.

Try Microsoft Live Search next time.

I was at my Vice President's (Scott Charney) all hands meeting last month. Scott was talking about the need to discuss online safety and Green IT to IT Pros and developers. I was taking some notes and Maslow's Hierarchy of Needs pyramid came to mind.

I thought of what Scott was saying and realized that there was an order to what we need to communicate and drive awareness for. Before we can talk about data privacy to developers and IT Professionals, it was necessary to ensure that the customer's platform and applications were secure. Only then can you even think of approaching data privacy.

If an ISV or a corporate development team is to consider data privacy as a requirement, then Security is mandatory. If you're an ISV, or independent software vendor, then you're going to have to answer your customers, who are going to ask you the obvious question, "Am I safe online?".

Online Safety is comprised of Privacy and Security. Let's say you want to provide online safety to your customers who buy your software. You'll probably want to ensure that there is legislation/compliance in place to drive the online safety to protect the customer as well as independent software vendors to limit your liability when you've taken the time and due diligence to ensure your application development efforts coincide with the Microsoft Development Lifecycle.

The way we drive awareness and provide privacy and security for customers is by ensuring that independent software vendors are utilizing the Microsoft SDL in their software development efforts, along with organizations that expose customer data through online banking portals or online account access.

This week I switched to Live Search after listening to Steve Ballmer's keynote speech at MGX FY09. I've used live search in the past, but have been disappointed with the results. So I've been using Google Search for the past few years. I tried Live search this Monday, and I have to say, it's as good as the Google search, and I'm finding what I'm looking for. Try it yourself and see.

Be sure to check out the cash back program that's offered through live search. I signed up for search and give and now donate every time I search.  I'm Giving To Catholic Charities Foundation Of The Archdiocese Of Seattle.

 

Michael Walsh asked me to mention this on my blog again. Frankly, I'm more than happy to do so, as it's my Microsoft that's stepping up again to do the right thing. So I (Georgeo Xavier Pulikkathara) am calling for ISVs worldwide to join the Ingenuity Point Contest. Microsoft wants to make you famous. If you're working on software to make our world a better place to live, then you need to be in this contest. This is your chance to share your innovative solution within healthcare, education, or environment. It's also a chance to position your company as an industry leader, and introduce your technology solutions to a larger audience.

 

 

If you win, here's what you'll get:

Period 1 and 2 Awards
Gold Ingenuity Point Awards
At the end of each contest period, our judging panel will choose their favorite software solution from each of the 3 Verticals. A total of 6 Gold Ingenuity Point Awards will be presented over the course of the year. The recipients of this award will receive:

  • $25,000-$50,000+ in marketing, PR and video production.
  • A video documentary. We'll film a video about your company and the impact your technology is having on the world. This story will be featured in The Ingenuity Point Showcase. There, both peers and prospective clients can check out your great work. This exposure will help establish your company's presence in the worldwide market, and may help you secure new customers!
  • A written feature story. In addition to the video, you'll receive a feature story detailing your successful solution to share with clients.
  • Microsoft marketing exposure. We'll announce winners to our international Microsoft audience.
Platinum Ingenuity Point Award
At the end of the entire contest, we'll name one grand-prize winner from the 6 Gold Ingenuity Point Award recipients. Our Platinum winner receives:
  • A guest judging spot at the Imagine Cup 2008. You'll have the honor of serving as a guest judge for this premier student technology competition in France. This prize package includes roundtrip airfare for 2 to Paris and 7 day/6 night luxury accommodations.
  • Premium marketing exposure. We'll announce your win at the Microsoft Worldwide Partner Conference in July 2008, on Microsoft.com and in various marketing campaigns. In short, we'll spread the word about the great work you do.

 

Not bad, eh? So, if this is up your alley, please register now.

//from InfoWorld Article//

 

You likely know already what a resource hog Windows Vista is. The fat code has high system requirements and puts a heavy strain on your hardware, as evidenced by the data Randall Kennedy has collected through InfoWorld's Windows Sentinel program. And guess what? Fat code also translates to higher energy consumption as a machine works extra hard to process queries.

[Add your Windows systems to the exo.performance community, plus monitor how they specifically perform, with InfoWorld's Windows Sentinel tool.]

The folks at Microsoft know this first-hand. Michael Manos, the company's chief of datacenters, made that abundantly clear as he touted Redmond's internal datacenter monitoring program, called Scry, at the recent Uptime Institute Green Enterprise Computing Symposium.

The system gathers all sorts of data on energy usage, temperature, carbon emissions, and more from all of Microsoft's datacenters. It also ties in to the company's asset management, ticketing, and CMDB (configuration management database) systems.

Users can log in to Scry via a Web browser to view information on power consumption, carbon emissions, and such for multiple datacenters, a single datacenter, a group of servers; they can even drill down to a very granular application level. That's how the company is able to charge business units for the specific datacenter resources they use.

According to Manos, the chargeback program has driven Microsoft developers to alter their code to make it more efficient. The reasoning: More efficient code requires fewer computing cycles, which means a lower energy bill for the department at the end of the period.

"Now that we're exposing the power costs and the cost of the infrastructure ... we now have product groups making decisions on, 'Does this query take more power or less power? Is it more efficient or less efficient?'," Manos says. "We have decisions being made based on their overall power consumption in addition to the overall efficiency of the code itself."

Now that Microsoft is visibly pushing the green-computing movement, and now that it's demonstrating to the world that fat code does translate to inefficiency, one can only hope that the next version of Windows will prove far trimmer than Vista.

Posted by Ted Samson on May 7, 2008 10:33 AM

 

//from InfoWorld Article//

I got this question a lot at TechEd 2008. "Hey George, do you have anything I can show my management to justify the developer resources to focus on security throughout my application development process?" or "Hey George, do you have any case studies that show the business case for implementing the SDL?"

Or my favorite one, "I know Microsoft has implemented the SDL, but we're not a software company, so we don't need to worry about security." Bottom line is you deal with customer transactions and have customer data, and you want to ensure you safeguard your customers' privacy. Security is the fundamental base requirement before you can talk about Privacy, Online Safety, software legislation or even self actualization such as Green IT initiatives. So relax, grab a cup of coffee (Maxwell House, Folgers, or Farmers coffee, since no one can afford Starbucks coffee with so much of our coin going to pay for gas) and check out The Business Case for the Microsoft Security Development Lifecycle (SDL).

Kim Sanchez on our team forwarded this to me. It's a really good interview from a psychological aspect on online behavior and how it differs from the offline public behavior that people display and act on. Definitely worth listening to. If you're a developer out there writing software for social networking and chat rooms, online safety for children/teens and cyber-bullying are real issues that we in IT can help solve and drive legislation for.

 

I actually got a chance to present to the Bill Gates for several hours on Real Time Collaboration (RTC) day back in April 2002. I was busy creating the MSDN Webcast program in the CMG/ US BMO under Jon Roskill.

Years later in 2005, I even accidentally tripped him (my apologies to Bill again) while he went to give the keynote at the first ever Office Developer Conference in 2005 here in Redmond, WA. I was there to webcast him on my MSDN Webcasts show. I was hiding in the dark corner that day as I was wearing my special pressed starched pants that were too short and wouldn't zip up completely (I had gained weight, and my pants shrunk). Bill came by when they announced him and he tripped over my (short) legs when I was sitting in a chair by the door as he walked in. Bill was surprisingly agile as he caught himself on some microphone stands, and kept going up the steps to the stage. He gave a great keynote to thundering applause and I got to keep my job that day. Whew.

Anyway, check out Bill's last Channel 9 Interview.

One of the questions he answers is, "What's top of mind for Bill that Developers who target our platform should pay attention to now and in the next decade?"

It's good stuff. Thank you Bill for all you've done for the technology industry, and for your larger than life humanitarian efforts and generosity.

 

Saturday night, Michael Walsh over here in Microsoft Trustworthy Computing sent me an email asking me to take a look at the Microsoft Environment site here at http://www.microsoft.com/environment and blog my thoughts on it. We work with the technology industry and with our partners in a responsible manner to address these issues worldwide. The quote on the Website does a great job of summarizing how Microsoft works these days.

"At Microsoft, we believe in the potential of software and technology to help people and businesses around the world foster environmental sustainability. Discover how Microsoft and its partners use innovative technologies and responsible business practices to address environmental challenges worldwide."

 

Environmental conservation can be addressed intelligently. Microsoft Tools and technologies can help minimize the carbon footprint technology makes on our planet.  I've cited some examples below, but if you're not looking at Windows Server 2008 or other energy saving measures in light of today's ever increasing energy prices, you're going to have to start soon. The Microsoft Environment Site has lots of useful information for students, governmental agencies, non governmental agencies (NGOs), business decision makers, technical decision makers, consumers, and our partners who want to know how they can help sustain the environment with the power of software.

 

Windows 2008 Power Savings

Be sure to check out this PDF on Windows 2008 out of the box Power Savings. The graph below says it all.

 

Energy Efficiency Best Practices in Microsoft Data Center Operations

How Can Technology Sustain the Environment in the 21st Century?

This is a very cool section and has a section on application power management best practices for Windows Vista.

 

 

Too funny. You guys need to watch this.

 

I got a few questions today about my pen. It's a Montblanc Meisterstück 149 Fountain Pen.

I got this pen through my American Express Rewards program. It didn't cost me a dime. I took the pen that American Express shipped me to a Montblanc store in the Bellevue Mall here in Bellevue, WA. Since it was brand new, I was able to exchange it for one with an extra fine nib for no charge. However, I did also buy the ink and the leather case to protect it. I'm told this pen costs about $600 USD retail. This is one expensive pen. I may however make sure it's on my insurance.

So, I'm going to go environmentally green with a fountain pen. Yes, you read correctly. Having a fountain pen is a great way to reduce the amount of plastics we waste each year. This pen is reusable with a refillable piston ink reservoir. All I have to do is keep buying ink, or I can also make the ink if I have to.

It's got an extra fine nib that I really enjoy writing with. I've wanted a fountain pen for some time, as I like the idea of having a fine writing instrument that I can use over and over again, that's dependable and tasteful.

Writing with a fountain pen is much different than writing with a ballpoint with ink paste in it, or a roller ball that has gel ink. Rather than pressing down onto the paper, you have to paint the paper with it. It also takes less pressure than a roller ball or ball point, so your hand gets less tired.

So rather than buying pens with refillable cartridges, I can buy just one pen and use different kinds of ink as needed. Yes, this is an expensive pen. I believe Waterman and Pelikan have more economical fountain pens out there, so if you want to try and go green with a fountain pen, and enjoy writing, I recommend you visit your local pen store.

Microsoft has been thinking green for some time now. We've been trying to practice energy conservation through ways such as using Toyota Prius hybrid vehicles on campus, promoting mass transit flex passes, and bike to work, and showers for folks when they get here.

But it looks like Monday, we went to compostable cups, bowls, plates, and silverware. The cutlery is made from a blend of corn and potato starch, and is 100% biodegradable. The bowls and plates are made from Bagasse products which are derived from sugar cane fiber. The cups are made from paper with a water proof lining that is made from corn starch, a renewable resource.

It's not perfect, but it's workable. Awkward, but workable. I've been trying them out, and they're not bad, but you've got to be careful as the cups soften and the cutlery will warp if left in hot liquids or foods. The cups will definitely soften if left sitting for some time with liquids in them. My cup leaked yesterday, but I'm told it was condensation. I know it was my tea leaking out of the bottom of my paper cup.

 

I don't believe in the global warming hysteria, but I do believe in environmental conservation, regardless of how much natural resources we do have. I'm glad to see my Microsoft go green with compostable cups, bowls, plates, and cutlery. Even if my tea leaks out of my cup every now and then.
