Cloud Customization and Compliance

Massimo Re Ferre’, vCloud Architect at VMware, has posted an excellent article on Custom Portals and Backend Integrations in a Service Provider Environment

VMware, and the ecosystem as a whole, is coming out with a number of tools that interact with the vCloud APIs natively. VMware vFabric AppDirector is another good example of these tools consuming these programmable interfaces. I encourage you to have a look at the brief demo video available here.

If it isn’t clear yet, this is the reason for which developing a ton of logic right above the vCloud APIs isn’t a good strategy if SPs want to offer a VMware compatible cloud service. You want the vCloud APIs to be widely available and well exposed. Not obscured by “a ton of scripts and workflows”.

Another thing to consider before building custom logic is the associated risk of customization. Yes, this is the same old build versus buy debate, but in the context of security risks and how they relate to compliance. Generally speaking, compliance is more complicated and expensive with customized portals. I will give several examples of this in my presentation at BayThreat.

RockYou.com Breach: $292K per user

There are many interesting elements to the recent decision in the RockYou.com case (Claridge v. Rockyou, Case No. 4:09-cv-06032-PJH), as clearly explained on the Data Privacy Monitor blog. Here are just a couple of examples:

1) The company was found liable, due to marketing language found in their public privacy policy, for not preventing a breach.

The court’s decision also provides a practical consideration when drafting limitation of liability clauses for website privacy policies. RockYou.com’s privacy policy provided that: “RockYou! . . . assumes no liability or responsibility for . . . (III) any unauthorized access to or use of our secure servers and/or any and all personal information and/or financial information stored therein . . .” RockYou.com argued that this provision barred the plaintiff’s breach of contract claims. The court, however, found that the policy language did not automatically preclude the claim because the plaintiff alleged that the servers were not secure.

The servers stored passwords in plain text. The breach was based on a SQL injection attack that simply dumped all the passwords. Definitely not secure.
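The two failures named above (passwords kept in plain text, and a login query that lets user input become SQL) are easy to see side by side in code. The following is an added example, not code from the original post or from RockYou; it uses a constructed in-memory SQLite table with a hypothetical user and shows the weak pattern next to the corrected one (parameterized query plus salted PBKDF2 hashing), so that a dump of the table no longer yields usable passwords.

```python
import hashlib
import hmac
import os
import sqlite3


def setup_db():
    # Constructed sample schema (hypothetical), not RockYou's actual table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    return conn


# --- Weak pattern: plaintext storage and string-built SQL -------------------

def store_plaintext(conn, username, password):
    # Password written as-is; anyone who can read the table reads the password.
    conn.execute(f"INSERT INTO users VALUES ('{username}', '{password}')")


def login_plaintext(conn, username, password):
    # The user-supplied strings are spliced into the SQL text, so a quote
    # character in the input changes the query's structure instead of
    # being compared as data.
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


# --- Corrected pattern: salted PBKDF2 hash and parameterized SQL -----------

def hash_password(password, salt=None):
    # Random 16-byte salt per user; 200k PBKDF2-HMAC-SHA256 iterations.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 200_000
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def store_hashed(conn, username, password):
    # Placeholders keep the input as a bound value, never as SQL text.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, hash_password(password)))


def login_hashed(conn, username, password):
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row is not None and verify_password(password, row[0])


def dump_table(conn):
    # Simulates what a full table dump would hand an attacker.
    return conn.execute("SELECT username, password FROM users").fetchall()


if __name__ == "__main__":
    weak = setup_db()
    store_plaintext(weak, "alice", "hunter2")
    print("plaintext dump:", dump_table(weak))

    fixed = setup_db()
    store_hashed(fixed, "alice", "hunter2")
    print("hashed dump:", dump_table(fixed))
    print("valid login:", login_hashed(fixed, "alice", "hunter2"))
```

The textbook tautology input (a closing quote followed by `OR '1'='1`) logs in against the string-built query because it rewrites the `WHERE` clause, while the parameterized version simply compares it as a password string and rejects it; and the dump of the corrected table contains only salted hashes, which is the difference a court weighing "secure servers" would care about.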

2) While the court dismissed 8 out of 9 complaints, it still heard the plaintiff’s argument that PII loses value when breached (i.e. that the breach itself is a harm). It ended in settlement, but the plaintiff’s argument was left standing.

The proposed settlement is very modest—under the proposed terms RockYou: (1) consents to a 36-month injunction during which it will retain a third-party to conduct two audits of its security policies concerning consumer records; (2) agrees to pay the plaintiff $2,000 as well as the plaintiff’s attorney’s fees of $290,000; and (3) represents and warrants that it is financially unable to provide the monetary relief sought by the plaintiff. Because only the plaintiff’s claims would be dismissed with prejudice, other putative class members may still assert claims for monetary damages. It is important to note that the proposed settlement does not vacate the district court’s April 2011 decision, leaving it of record for other plaintiffs to reference in future putative class actions.

Ok, so the $292K is really $290K in legal fees — maybe RockYou.com put up quite a fight before settling. But they left themselves, and other companies, open to face others who want to make the same arguments.

What’s the Matter with IT in Kansas: Brownback Edition

Earlier this month the Kansas governor joked with reporters about the qualifications necessary to run the state’s IT environment. He was defending his recent appointment.

The governor, a Kansas agriculture secretary from 1986 to 1993, said his technology specialist at that agency did a fine job without a diploma.

“My IT guy was a former meat cutter,” the governor said.

Kansas IT Guys at Work
Gov. Brownback’s “IT guys” prepare the new state backbone

Something tells me his department needs from ’86 to ’93 consisted of two 486s, a shared modem and a dot-matrix printer. I guess what he means is back in the day when a PC would go down his IT guy would shoot a bolt through its CPU, throw it in the grinder, make silicon sandwiches and then order a new one from Compaq. Best IT guy ever.

But seriously, this has been a bad month for Brownback to show he has a clue about technology. First he hires a guy who has a dubious resume and then has to accept his resignation. Then he steps into a huge steaming pile of controversy over freedom of expression by trying to shut down the speech of a student his office considered “disrespectful”.

Gov. Sam Brownback apologized Monday for his office’s reaction to a Kansas high school senior’s disparaging tweet about the Republican during a visit to the Statehouse.

I think the flap about control over speech and Twitter is far more illustrative than many people might realize. As a former Kansan I see shades of what has plagued the state in the recent past. This governor looks set to dismantle programs that create long-term value and jobs in order to garner some sweet short-term investments from his business associates and campaign friends. He is in the process of a big sell-out of the state for personal/selfish gains.

Note, for example, an urgency to dismantle public support of the arts and shift it to private interests who will control content, as stated in this comment in the Topeka Capital-Journal.

Funding the arts in Kansas was a mere 29 cents per person, with a HUGE return on investment. See kansasarts.org for more information. Now we get nothing and our money goes to other states. […] Koch is partly responsible for this agenda item, as they are against public arts funding and donate a lot of private money to the arts. As donors they get to select on what they consider “art”. Don’t forget the David H. Koch Theater (formerly the New York State Theater) in New York. The City Opera now has to move because it can’t afford to stay in such an elaborate building that was created just to have the Koch name on it. Businesses WANT to move to cities that are vibrant and have arts communities. Look at Mars and their criteria for moving to Topeka.

Brownback’s extreme position to zero out the arts programs and reinvent them as corporate-backed programs doesn’t make a lot of sense as a move to save money. It mainly impacts avenues of dissent and puts a chill over the state — it drops the quality of education and initiates a brain drain to other states.

If I put Brownback’s public comments together from the three stories, I get the image of a leader set to auction public interests to a corporate bidder and shut down what he considers wasteful pursuits, such as quality education and free expression. That’s the real story here. It seems to me that a leader who valued the potential of IT to bring freedom and prosperity to the residents of a state would be far less likely to make such rash decisions.

Alas, for those who think I may be reading too much into the news, I submit to you a description by Pat Roberts of Brownback’s Chief of Staff:

The true Machiavelli of Kansas, David Kensinger, our pitbull without lipstick, whose expertise in this new and very different world of political campaigns is unrivaled. David mounted the parapets, waved the flag, fired the first and last shots and led our troops to victory.

There is a good chance that Brownback’s ignorance is a mistake, but there is also a very good chance that it has been very carefully and consciously allowed. I remember well the good-humored but extreme right-wing views of David Kensinger. When I defeated him the one and only time we faced each other in competition I learned he will attempt every subtle trick imaginable; if he intends (or helps) to expand corporate control of government and the dismantling of freedom in Kansas then it will be very hard to stop him.

DK on the job
“Should have played baseball. Too many liberals in politics”

Legal Threats to Security Research

Attrition.org has a list of 23 security researchers who have faced legal threats from vendors since 2000. They offer this analysis/message:

Companies: embrace researchers who are trying to improve the security of your products. Work with them, fix vulnerabilities, and coordinate disclosure. This will go a lot farther toward building customer confidence and help avoid negative publicity.

That number surprises me. Only 23? Given the thousands of security bugs reported each year, and nearly 50,000 reported to NIST, there must be more threats, no?

The Attrition.org site also includes a few counter-examples of “incidents where it was not ‘security research’, but rather activity that was considered a crime by current laws (at the time)” such as installing a keylogger.