Droid

December 9, 2009 Kevin Heald Leave a comment

This is not the Droid you are looking for...Since I posted a one word status update that just said “Droid” I have had many folks ask what I think about the Droid and whether or not they should get it.  Back in the day I would have posted earlier, but lately work has been a little too busy to try to throw together a post about it (read – I’m busy, but really I’m just lazy).   So here is a quick take on my thoughts on the Droid so far.  Also keep in mind that I was coming from a 3+ year old Blackberry Curve running on AT&T so my iPhone comparisons are mostly from all of my friends who took the plunge and got the free Birkenstocks when they bought it.

Screen, Video, and Audio

The screen on the Droid is really pretty fantastic.  The screen is a little wider than the iPhone and video and movies look great (in particular, Shakira looks great).  I have watched Family Guy episodes, movie trailers, and played games and all look great.  I remember when I almost bought a ZuneHD instead of an iPod Nano a couple of months ago.  Glad I didn’t…really no need for another portable media device (you iPhone users already know this joy).

As for actually managing audio and video, the solutions aren’t as slick as what is available with iTunes and the iPhone.  As you would expect, the Droid can’t play DRMed content from iTunes (which is why I buy all my mp3s from Napster or Amazon).  Motorola has an application that can sync non-DRMed content directly from iTunes, but it is a bit of a pig.  The media player on the device is OK, but it could use an update…it just isn’t that user friendly.  BUT, it works…mostly.  I have noticed some weird crackling for some songs when I plug the Droid into my car via the aux jack.  These same songs are on my Nano and I have no problems.  This is seldom however, and I have solved the problem by turning the volume down on the Droid and up on the stereo.

You can buy music directly on the device from the Amazon store.  That being said I haven’t used it yet.  I just buy them on the computer and then sync to the Droid.

Keyboard

So the Droid has a slide out keyboard and the requisite touchscreen keyboards.  As a long time Blackberry user the physical keyboard was pretty appealing to me…until I used it.  It has been described as mushy by others, and I see what they mean.  It is difficult to tell the difference between keys without looking.  I have gotten used to it, but it still isn’t great.

Like the iPhone, the Droid supports an on-screen keyboard in both portrait and landscape modes.  It took some getting used to, but luckily the predictive engine on the Droid is pretty slick so very often it is smart enough to choose a word for you.

Android Applications

The Droid comes pre-installed with what you would expect.  Email clients, browser, Google Maps, Alarm Clock, etc.  Facebook is pre-installed and it is a big leap from the Blackberry version, but is still not quite as impressive as the iPhone version.  The browser is quite good and fast (the 3G network helps).  Email clients can access web clients like Yahoo, but it is a “pull” from Yahoo so your Droid has to go out and pull your new emails.  Gmail integration is far superior and supports push email, so email is delivered to your phone almost immediately as it hits Gmail.  Google Calendar and Contacts will also sync to the phone.  It basically just finally forced my hand to make the switch to Gmail.

The Droid can talk to Microsoft Exchange, and even other solutions like Zimbra.  Email is then pushed, and contact and calendars are synced JUST like the Blackberry.

The Droid can run over 10,000 applications that are available via direct download to your Droid from the Android Market.  Although Apple likes to brag about having over 100,000 apps, I have found all the apps that I really need.  Pandora, Bump, Lightsaber, Google Sky (a really cool app), Weather, etc.  Perhaps in another post I’ll put up a list of useful apps as I did with Blackberry.

The Droid also supports voice recognition.  You can use it to call someone, navigate to a restaurant, search your music, and search the web.  So far, I have been very impressed with the accuracy.  However, it does require that you have a connection to the network for voice recognition to work (although so far Verizon’s network is fine everywhere except my office…awesome).

Of special note is Google Navigation.  Google Navigation is basically a full blown navigation system on your phone.  It uses GPS to determine your location and has the ability to dynamically route you to your destination.  I have navigation in my car, but it is such a PITA to enter a new destination.  Instead, I have found myself using my voice to simply state “Navigate to Rhino Bar & Pumphouse” and the phone takes over.  The one downside is that you need a network connection for this to work.  However, I have read that if you lose a connection, the app will “catch up” once you have signal.

Usability

Overall I find the phone to be very usable.  There are some functions that are not intuitive, but once I have gotten used to it I find that it is just as quick as any other phone.  The phone allows you to do more customization of your experience, which in turn can make things more complex.  BUT, additions like gadgets (mini applets that run on your home screen and can tell you information, what music is playing, etc) make it worth the learning curve.  What’s more, since the Droid can multitask, you can play tunes over Pandora while browsing the web, checking your calendar, and sending email.  However, the more you multitask, the more you kill the battery (more on that below).

If you are thinking about the Droid though, go to the store and play.  You will find out pretty quick if it can work for you.

Camera

Like ALL camera phones, the camera in the Droid is subpar.  Sure, if the conditions are right and you don’t move AT ALL, the picture is fine.  There is also a focus problem that is supposed to be covered in an update this week.  BUT, you do get a flash (so less people screwing with you when taking pics with the iPhone…who knows when they actually take the pic?), and it is a 5.0 megapixel camera.  If the fix can take care of some of these problems, the camera will be much improved.  I still wanna know WHY cell phone vendors can’t get a damn camera right?  I’d love to not have to carry my Canon Elph if I already have my camera.

Battery Life

So far, this has been the Achilles heel of the Droid.  Although the Droid can do so many things, first and foremost I need it as a phone AND for email/txting.  My first couple of days I would unplug when I woke up and by the time I was heading home the battery was close to 20-30%.  That is CRAP.  Part of the problem is the custom nature of the Android OS.  Since you can do so much, you can almost do too much and kill the battery.  The iPhone has been optimized over time to have better battery performance.  I have learned that I need to make sure that services like GPS and WiFi are off when they are not needed, the screen is set for low brightness, and to turn it off when I leave it at home or in the car.

Still, I have contemplated over the last month that I may return it.  Like I said, I want to be able to count on my phone.  However, I now have gotten my phone to last almost 20-24 hours (I let it run all the way down yesterday…good to let this happen every 30-40 charges).  ALSO, there is a software update for the phone that is supposed to improve battery life.  My hope is that Verizon will continue to support the phone and keep on optimizing battery life (there is another rumored update coming in January).

Definitely recommend that you buy a car charger and maybe even a charger for work to cover your bases.  BUT, buy it off of ebay and not from Verizon.  It is WAY cheaper.

Overall

SO, should you get the Droid?  If you want something that is less customizable but more intuitive, then you may want to still consider the iPhone (here is some patchouli for you as well).  If you’re a heavy email user, the keyboard weakness may be a tough one and the Blackberry still may be what you want.  However, when I first saw this was coming out I wanted to try something different, and overall I am happy with the phone.  Google is ALL IN when it comes to the Android OS and you should be seeing dozens of Android phones in the next months.  I am counting on Google and Motorola maintaining an interest in this market and continuing to enhance the Android OS and the Droid phone.


Another Cybersecurity Official Resigns

August 10, 2009 Kevin Heald 2 comments

The Washington Post reported over the weekend that yet another cybersecurity official has resigned.  This follows the news of the pending resignation of the lead White House cybersecurity official Melissa Hathaway.  Ms. Hathaway’s quote from the Post article:

“I wasn’t willing to continue to wait any longer, because I’m not empowered right now to continue to drive the change,” she said. “I’ve concluded that I can do more now from a different role,” most likely in the private sector.

I think both of these resignations, as well as others, underscore the challenge that the U.S. Government faces in trying to keep up in the technology sector…hiring people.  From reading the article, it is fairly clear that Ms. Hathaway’s resignation was fueled by an inability to work in the system and get the right people hired.  DoD and other agencies desperately need talented, smart people to lead cybersecurity efforts.  However, from personal experience it is a very difficult sell.

From a contractor perspective, I see the folks who are hard working and attempting to be progressive in government.  It is HARD.  And many times, I think that more can be done from the contractor side simply b/c it is MUCH easier to build an effective team around a hard working and progressive leader.  The government’s hiring practices make it very difficult to compete with private industry.  It can sometimes take months to hire someone into the government.  How long does it take a beltway bandit to do the same?  It is measured in days or weeks instead.

Somehow the government needs to come up with a good way of attracting talented engineers to help run their programs.  Otherwise, our cybersecurity stance will continue to fall behind and beltway bandits will continue to take advantage of programs like FCS and NCES.

UPDATE: Looks like Mischel Kwon, the person who resigned, is joining RSA/EMC.


Ministry of Defence Issues Social Networking Tips

August 10, 2009 Kevin Heald Leave a comment

This is a somewhat refreshing approach.  Rather than ban social networking services altogether like the Marines, the British military has decided to encourage their troops to Tweet or post on Facebook about their experiences in the military.  This past week the MOD issued a 13-page document outlining the guidelines for using these services.  Granted, the document has a bit of a CYA tone for the higher ups, but at least it addresses the issue head on rather than burying its head in the sand like some organizations.  Instead you have the Marines, who have banned it outright, but the Joint Chiefs of Staff still tweets and has said he will continue to do so.

Of course DoD has kicked off a study to determine the vulnerabilities of technologies like Facebook and Twitter.  Wish I got that cherry contract.

My thoughts on this issue are fairly simple.  If you simply prohibit an effective way for people to communicate, they will find another way to do it, and it will NOT be on your terms.  Instead users will find a workaround that is probably less secure, and may even expose your data and network more.

What’s the Point of Twitter?

July 27, 2009 Kevin Heald 2 comments

I have noticed recently that several of my friends have started getting Twitter accounts.  However, I have also noticed that the same folks have not tweeted anything, or have asked me “What is the point of Twitter?”.

It’s a fine question.  One that I actually ask myself.

Twitter is one of the newer trendy online services that allows you to keep in contact with your social web.  Users can post tweets (short messages) up to 140 characters in length for their world to see.  You can choose to “follow” other users to see their updates, and of course others can choose to “follow” you.  Tweets are public by default, but you can choose to keep them private, visible only to those who follow you.

So that brings us back to the original question.  What’s the point?

To me, the importance of Twitter is the concept it has introduced, less the service itself.  Twitter popularized the concept of micro-blogging.  The idea is that Twitter gives you a forum to tell the world about something you found, a useful web resource, or what you had for breakfast.  So instead of writing a full blog post, or sending a group email, you can post a very quick short message declaring that the eggs you just had were too runny.  I actually do use it in the morning to check up on anything new going on in the world of PKI.  I run TweetDeck (a twitter client, there are literally dozens of them) which has the capability to store searches.  I browse through the Twitterverse for new items related to PKI (b/c I’m a PKI geek) and post items that I think may be relevant.

The real problem that I have with Twitter is that trying to keep up with other users and relevant information is like trying to find a needle in a haystack.  Some Twitter users literally post tens if not hundreds of tweets a day.  If you start doing the math on how many updates that is to sort through, the numbers are staggering.

Instead, to keep up with my social web, I actually use Facebook’s micro-blogging service.  Yup, Facebook’s status updates are more or less a micro-blogging service.  Most just don’t really refer to it as such b/c Facebook offers so much more.  However, every time you post on Facebook about what your baby just did you are micro-blogging.  What’s more is that Facebook is smart enough to loosely define an inner circle for you so you don’t always see everyone’s updates, just the ones it thinks you care about.  Then, you can further define what updates you see by creating groups.

What you can do (and what I do) is have your Facebook status updates automatically become Tweets for your Twitter account.  That way anything you post on Facebook will automatically make it to the Twitterverse.  There are several ways to do this, and so far I haven’t found a really easy way.  Per instructions found on the FriendFeed blog, I actually ended up creating a free FriendFeed account that pulls updates from other services (including Facebook) and posts them to Twitter.

  1. Create a FriendFeed account.
  2. Click on “settings” in the upper right hand corner.
  3. Click on add/edit next to “services”.
  4. Click Facebook and add your account.
  5. Click on “settings” again and then “twitter publishing preferences” and configure for your twitter account.

I know…a bit of a clunky workaround.  You can also add other services to FriendFeed and they will update your Twitter account.  I have added Facebook, LinkedIn, Picasa, Twitter, Yelp, and Delicious.


Prevent Your Pics from Becoming Facebook Ads

I remembered reading about this awhile back, but didn’t really think about making the change to prevent my pictures from becoming ads.  To prevent this:

  1. Go to Settings -> Privacy Settings
  2. Click on News Feed and Wall
  3. Click on the Facebook Ads tab
  4. Change the Appearance in Facebook Ads to No One.

Of course, if you want to try to be a FB star, you can just leave it alone!


The Certificate Revocation List Distribution Point

The Certificate Revocation List Distribution Point (CRLDP or CDP) is the attribute in a PKI certificate that tells a relying party where to retrieve the signed binary file that contains a list of revoked certificates (there are other reason codes that can be used, but most clients essentially still interpret those certificates as revoked).  This file is generated by the Certificate Authority (CA) on a regular basis.  This is one way that applications and systems can verify the revocation status of a certificate (there are other methods as well).

The challenge associated with CRLs, and the CRLDP for that matter, is getting those files down to each relying party.  This is mainly a problem in larger PKIs.  In smaller PKIs, the CRLs are small enough that clients and servers shouldn’t have too much trouble downloading the files (although some CRL retrieval implementations are very brittle).  For larger PKIs, this becomes more and more of a problem as the PKI grows.  The CRL files get larger, and since each CA issues a CRL and larger PKIs may have multiple CAs, there may be multiple files to contend with.  As your users use your PKI more, more relying parties have to verify those certificates.  The bandwidth demands can grow exponentially, stressing your infrastructure and potentially preventing some relying parties from actually retrieving the information.

Early on in PKI, LDAP was used for many CRLDPs.  However, LDAP is actually blocked at some firewalls.  In addition, as LDAP is an older protocol, it doesn’t offer you the same advantages as using an HTTP reference.  By using HTTP in the CRLDP, you can take full advantage of HTTP 1.1 enhancements like resumption and compression.

However, one must be cautious to not get too fancy on how they actually serve the CRL content.  Most PKI implementations on the relying party side are fairly simple.  There is typically no user interaction when retrieving the CRL…it happens in the background.

In my experience, it is best to take advantage of what web servers do best…serving static content.  It is tempting to make use of scripts or applets in serving CRLs.  Why not make the reference a “dynamic” URL that passes a parameter to a Java app?  That is certainly an option, but I truly believe that in PKI, where you can make it simple, keep it simple.  In addition, many web proxies will actually not be able to cache this content without manual intervention (although to be fair, many PKI implementations use HTTP conventions like Pragma: no-cache to force the retrieval of the freshest CRL).

So instead of http://pki.company.com/crlscript?CA11, use http://pki.company.com/crls/CA11.crl.  Local users and networks can then easily replicate this directory through mirroring using standard scripts, FTP clients, and/or download managers.  By locally caching the content, the infrastructure piece of your PKI will incur less bandwidth stress and you’ll have fewer headaches.


Revocation Checking in PKI

June 24, 2009 Kevin Heald 1 comment

In order to verify a certificate, a relying party must perform three operations:

  • Ensure the certificate is issued from a trusted PKI
  • Verify the certificate is not expired
  • Check that the certificate has not been revoked by the issuing certificate authority (CA)

Trust is typically a simple matter of installing the Root CA for the PKI that a relying party would like to trust.  I say typically because although this is trivial when one PKI is involved, it is very quickly getting more complicated in a bridge enabled world.

Expiration is a time check against the relying party’s system clock.  There is always some variation in clock times, but most relying party applications have some wiggle in time checking.  Even if they don’t, a matter of a few minutes is really only important for highly valuable or sensitive transactions (and I don’t have time to get into signed and authoritative time sources).

Of the three, revocation seems to be the one that causes folks the most trouble, especially in larger PKIs like DoD.  There are two main revocation methods, with one additional emerging.

  • Certificate Revocation Lists (CRLs) – CRLs are signed binary files that contain a listing of serial numbers and other information of certificates that have been revoked by an issuing CA.  Relying parties wishing to check revocation need to download the CRL and parse the file.  Each issuing CA issues a CRL (including the Root), so relying parties will likely need to retrieve multiple files.  These files can be cached according to how long they are valid (this value is in the CRL itself).  As your PKI grows, your CRLs grow along with you.
  • Online Certificate Status Protocol (OCSP) – This is an HTTP request for the status of certificates.  The response from an OCSP server can contain more than one response.  Relying parties will need to make an OCSP call for every certificate that they check.  Like CRLs, these responses can be cached.  However, the cache is somewhat less useful since it covers only a small set of certificates.
  • Server-based Certificate Validation Protocol (SCVP) – Although SCVP is a standard, support for the protocol is still emerging.  SCVP allows for out-sourced trust processing.  It is especially valuable in PKI interoperability scenarios.

So as an IT administrator or application owner, what do you choose?

First and foremost this depends on the size of your PKI and the lifetime of your certificates.  If you are dealing with a smaller PKI and shorter lived certificates (say 10,000 users and one year certs) then most of your applications should be able to handle CRL downloads.  However, larger PKIs (50,000+ users and three year certs) need to consider different revocation checking methods for different scenarios.  Some PKIs have a series of CRLs totaling over 100 MB!

For client applications, especially email, I typically recommend that OCSP be considered.  However, using OCSP means that your PKI has to have an OCSP server up and running 24x7x365.  If OCSP services are down, your users will NOT be able to verify transactions (and they will get an error message and then in turn call you).  Even if your PKI is outsourced, you may have to purchase OCSP client licenses.  Microsoft added support to Windows with Vista, and even then the client has limited functionality and configurability (although we have tested that newer OCSP server software now supports OCSP requests from Vista and 7).  Using CRLs for clients can get VERY messy.  Think of it this way, do you really want every email client in your domain pulling down upwards of 100+ MB of files?

For server applications, it really depends on transaction volume.  Keep in mind that for every certificate your application needs to process, a revocation check needs to be performed.  For OCSP, this means an HTTP request to an OCSP server that may not be on the same network as your application.  So if you have a lot of users or transactions in your application, this could mean a lot of OCSP requests.  If CRLs are used, then you need only retrieve a CRL once every time it is produced (or less often if you desire) and cache it locally.  Keep in mind however that many web and application servers have fairly brittle CRL implementations.  Many administrators will create scripts that give them greater control over CRL downloads.

Next time I get the chance to post, I’m going to cover how PKIs make CRLs available, and what NOT to put into a CRL Distribution Point (CDP).  Yes…I know it is very exciting!
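As an added example (not code from this blog), covering both the CRL-caching point from the CRLDP post above and the CRL leg of revocation checking here: a stdlib-only Python parser for a DER-encoded CRL that pulls out thisUpdate, nextUpdate and the revoked serials, decides how long a mirrored copy may still be served, and checks a serial against it. The sample CRL for a hypothetical “Example CA11” is constructed inline with a dummy signature; verifying the CA’s signature over the CRL is deliberately left out and is mandatory in real use.

```python
import datetime as dt

def der(tag, *parts):
    """Encode one DER TLV from already-encoded parts (used only to build the sample)."""
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        n_bytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | n_bytes]) + n.to_bytes(n_bytes, "big")
    return bytes([tag]) + length + body

def der_tlv(data, pos=0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n_bytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + n_bytes], "big")
        pos += n_bytes
    return tag, data[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner

def der_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware UTC datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def parse_crl(crl_der):
    """Return (thisUpdate, nextUpdate or None, {serial: revocationDate}) from a DER CRL.
    The signature over tbsCertList is NOT verified here; check it against the CA key first."""
    _, cert_list, _ = der_tlv(crl_der)            # CertificateList
    _, tbs, _ = der_tlv(cert_list)                # tbsCertList
    fields = list(der_children(tbs))
    if fields[0][0] == 0x02:                      # optional version INTEGER (v2 CRLs)
        fields.pop(0)
    # now: signature AlgorithmIdentifier, issuer Name, thisUpdate, [nextUpdate], [revokedCertificates], [extensions]
    this_update = der_time(*fields[2])
    next_update, idx = None, 3
    if idx < len(fields) and fields[idx][0] in (0x17, 0x18):
        next_update = der_time(*fields[idx])
        idx += 1
    revoked = {}
    if idx < len(fields) and fields[idx][0] == 0x30:
        for _, entry in der_children(fields[idx][1]):
            serial_tlv, date_tlv = list(der_children(entry))[:2]  # any reason code still counts as revoked
            revoked[int.from_bytes(serial_tlv[1], "big", signed=True)] = der_time(*date_tlv)
    return this_update, next_update, revoked

def crl_cache_ttl(crl_der, now):
    """Seconds a mirrored copy may still be served before a refetch from the CRLDP is due."""
    _, next_update, _ = parse_crl(crl_der)
    return 0 if next_update is None else max(0, int((next_update - now).total_seconds()))

def check_revocation(crl_der, serial, now):
    """'revoked', 'good', or 'stale' (now is outside thisUpdate..nextUpdate: refetch, do not trust)."""
    this_update, next_update, revoked = parse_crl(crl_der)
    if now < this_update or (next_update is not None and now > next_update):
        return "stale"
    return "revoked" if serial in revoked else "good"

# Constructed sample CRL for the hypothetical "Example CA11" (dummy signature, no real CA).
def _int(v):
    return der(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def _utc(s):
    return der(0x17, s.encode("ascii"))

_SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05))
_ISSUER = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")), der(0x0C, b"Example CA11"))))
_TBS = der(0x30, _int(1), _SHA256_RSA, _ISSUER,
           _utc("091201120000Z"), _utc("091215120000Z"),    # thisUpdate / nextUpdate (2009-12-01, 2009-12-15)
           der(0x30, der(0x30, _int(0x1234), _utc("091130090000Z")),
                     der(0x30, _int(0x12345678), _utc("091201100000Z"))))
SAMPLE_CRL = der(0x30, _TBS, _SHA256_RSA, der(0x03, b"\x00" * 17))
SAMPLE_NOW = dt.datetime(2009, 12, 5, tzinfo=dt.timezone.utc)      # inside the validity window
SAMPLE_LATER = dt.datetime(2009, 12, 20, tzinfo=dt.timezone.utc)   # after nextUpdate
```

A relying party that mirrors http://pki.company.com/crls/CA11.crl locally can use crl_cache_ttl to schedule the next fetch instead of hitting the CRLDP on every validation.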


10 Steps for a Military Sharepoint Contract

Stumbled upon a posting entitled “10 Steps for a Military Sharepoint Contract” on Adam Buenz’s Sharepoint Shelter.  Ten very good points (and the blog is an overall good resource for Sharepoint folks).  One in particular I enjoyed, and I TOTALLY agree with.

Hiring A Generic Project Manager Will Go Over Like A Fart In Church

If you are responsible for staffing, do not under any circumstances hire a generic project manager for a military SharePoint contract. A project manager in a military environment is a specialized position since they have to understand the inner workings of the military, this type of knowledge is disseminated through experience and not through book smarts or nonspecific PM knowledge. While a generic PM might understand the fundamental ranking and command hierarchy concepts, they will have no clue about how the military cogs make the overall federal machine work. Unless you want to send a lamb to the slaughter, just avoid it and shell out the money for a PM either with direct military background or previous federal work history (state governments generally do not count). Going back to the above point about acclimation of product, the PM will heavily be responsible for facilitating the relay of operational information that will affect the whole project. When they get the aggregate picture along with the intricate unit workings, their contributions are unmistakably noticeable and will cause the project to run much smoother.

I have seen good PMs with no tech or military experience get chewed up b/c of this very point.  Generic PMs do NOT work in the Federal space.  You have to find someone who can walk the walk and talk the talk.


NCES E-Collabcenter Ending in June

Word is that E-Collabcenter, IBM’s NCES Collaboration Service offering (also referred to as “Button 1”) will be shutting down in early June.  This comes from a notice on their home page.

E-Collabcenter was the first of two NCES Collaboration Services acquired by DISA.  The intent was to foster competition between the vendors so that enhancements would come quicker in order to capture the DoD market.  The second service or “button” called Defense Connect Online (DCO) is based off of Adobe Connect and utilizes XMPP for IM/Presence.

The question is, will DISA purchase a third button, or extend DCO?

Seat Belts and the Password Problem

May 19, 2009 Kevin Heald 2 comments

I actually used WordPress’s “Tag Surfer” feature for the first time today, and stumbled upon a post on Identity Blogger.   In his post, Jeff Bohren discusses the challenge of getting users to adopt passwords.  He also references a post by Mark Dixon on the same topic.

I think both articles make good points…intellectually it makes a TON of sense to get rid of passwords.  Mark actually makes an interesting point that passwords are like seatbelts.

It was ease of use, not a technology-driven obsession with safety, that led to wide adoption of the seat belt.

What I do not agree with is why seat belts were adopted.  I don’t think it is just because seat belts are easy to use and they make us safer.  A lot of the reason I think people started to use seat belts is because it became law.  States started mandating seat belt use in 1984, and very quickly the states all fell in line and started adopting it.  So instead of choosing to use seat belts, people were required to use seat belts or they broke the law.  A fortunate side effect of making this a law is that now, for generations that started driving after this law was enacted (like my own), wearing seat belts is second nature.

I believe that a similar kind of action is going to be needed for web applications and enterprises to get off passwords.  However, it may not be the Government that actually steps in to mandate this…at least not directly.  As it stands now, banks and credit card companies have the ability to write off fraud when accounts are stolen.  So the cost is really passed on…they aren’t really paying the $40 billion plus in fraud every year.  But what would happen if banks and credit card companies were limited in how much fraud they could actually write off?  I think that all of a sudden you would see a HUGE uptake in the use of improved identity technologies and the discontinued use of passwords.  Users would be forced to stop using passwords b/c the banks and credit cards would be financially dis-incentivized to support them any longer.  Of course the financial institutions would still find a way to pass the costs onto the consumer or the government…

A quick and dirty case study for you.  DoD has been issuing smart cards to their population of 4+ million for years.  The primary use for a long time was secure email.  It wasn’t until it was mandated by DoD that the cards be used for log on to networks and applications that passwords finally started going away.  Sure it was painful, but the networks are now more secure b/c of it.

In my experience, people don’t necessarily change b/c it is good for them or b/c it is easy.  They do it b/c there is a dis-incentive to continue the status quo.