Family Radios Keep You In Touch

It’s a holiday nightmare: your child, found tearfully tugging at the skirts of a grinning theme park employee, has ratted you out as the parents that lost him.

As hundreds of university students in air conditioned fur character suits have your description, the net closes in. Goofy’s speaking into his wrist and pointing at you!

Now you’ve got to face dozens at the dreaded Guest Relations, where you collect your wayward child and sheepishly explain that, “I only turned my back for a SECOND!” For families and groups of even two visiting American theme parks or malls, Walkie Talkies on the new US Family Radio Service can be a Godsend.

A new range of inexpensive handheld radios operate on the FRS, a set of US radio frequencies that are available to users without an FCC license. Hand-held CB radios, while powerful, couldn’t provide a traffic-free channel, and carrying a roaring pocket full of “good buddies” through the Magic Kingdom just didn’t seem practical.

So radio manufacturers Motorola and Radio Shack made the FCC a deal: loosen restrictions on the airwaves, and they would produce low-cost walkie talkies that would allow friends and families to communicate. Say, across the wilds of a theme park, shopping mall, park or forest.

The FCC passed the Family Radio Service act in 1995, clearing the way for Motorola, Radio Shack and other manufacturers to produce some of the coolest little handheld radios on the market.

Motorola’s main entry, selling at around US$89 a piece in shops (but listed as $129 by Motorola), is the neon-colored TalkAbout: very colorful and retro-modern looking (think Buck Rogers) two-way radios with a range, they claim, of up to two miles.

Radio Shack’s 2-Way Personal Radio models, which are actually built by Motorola and cost about the same as the TalkAbout, look somewhat more Mission Impossible. They’re clumsily marketed, but the Radio Shack models, along with FRS walkie talkies from companies including Kenwood and Midland, are very good products with just about the same technical specs as the Motorola branded models.

I recently took the Motorola radios on a little trip through Walt Disney World, the Sawgrass Mills Shopping Mall, the Kennedy Space Center and the entire state of Florida, and the Radio Shack radios through Orlando. I’m happy to report that when you’re in the theme parks or on the same floor of a mall, these things are absolutely fantastic.

Plop! One shortcoming was that despite the rugged looking case, the TalkAbout is by no means waterproof. While planning our day poolside, I read with interest the TalkAbout manual, which said, “Water Resistant…” and before I finished reading the sentence I tossed the little yellow box into the pool, expecting it to float.

I have never seen something sink so quickly.

I dived in after it, and when it surfaced, I turned the power switch on. It made the most pathetic electronic noise since R2D2 was deactivated: Beeeeeewooop. After an hour with a newly-bought six-point star socket wrench and a hair dryer, I’m happy to report it worked as good as new.

“Water resistant”, apparently, means it can be rained on lightly. Tempting as it may be, don’t expect the thing to work under water unless it’s in a waterproof plastic bag.

Vowing to use it only as intended, my wife Corinna and I set out for Orlando and the theme parks.

Disney
The thing to remember is that the range conditions stated on the box are optimal – as in, optimally you’ll use it at night, at sea level, with clear skies, and in Tahiti.

The actual range we found was just about a mile, which is perfect for, say, the whole family in the same Disney park. Across the Magic Kingdom, we were able to communicate perfectly, making this a natural for parents to let their kids run off with one radio while they keep the other.

We did a range test, with my wife on the monorail to Epcot. We were able to hear each other only for a little while before her comments became just about,

“Im gzzrbth with baazrrrb CRACK Epcot”

But within the parks themselves, the radios functioned absolutely as promised. We even had no interference – our own private channel – despite the sight of about seven or eight other families in the area using their FRS radios.

That’s because all brands of these radios allow you to broadcast subaudible tones which effectively multiply the available channel sets tremendously: there are 14 channels and 38 subtones from which to choose.

The Radio Shack model worked great throughout the Belz discount outlet mall. We had some fading in and out, but could always hear each other.

Since specs are all very similar, your choice is really which one you like best or, more likely, which one’s cheapest at the time you’re shopping for them.

The TalkAbout and TalkAbout Plus, while not water resistant, are certainly rugged, and stood up to drops and bumps. We saw a kid at the Kennedy Space Center kicking his radio and then speaking on it. The manual didn’t mention anything about this but I assume it is not recommended.

The best place to buy the radios – whichever brand you decide on getting – is in the States, where the prices are better than in Europe. They’re sold at many electronics shops, all Radio Shack locations and in ham and commercial two way radio shops. You can also buy them over the internet, and have them delivered to your hotel in the US, saving on international shipping and import duties.

Motorola’s website is www.motorola.com. Radio Shack’s website is at http://radioshack.com. Midland and Kenwood FRS Radios are available through Northern Mountain, www.northernmountain.com

Bluetooth Is Coming…And How…

What do feisty contenders like Germany’s Höft and Wessel and Sweden’s C-Technologies have in common with giants such as Ericsson, Nokia and Siemens? Bluetooth technology: the most quickly adopted industry standard in history.

And very soon you’ll own something that’s Bluetooth enabled – whether you know it or not.

Analysts say that Bluetooth, which allows broadband-speed wireless communication between computing and other devices, is at the cusp of ignition, but that its mainstream use is still one-and-a-half to two years away, despite the early release of British Telecommunications-enabled devices this year.

But oh, how it will go mainstream: in a June 29 report on Bluetooth, Merrill Lynch upped its market estimates of Bluetooth device penetration to an astounding 2.1 billion devices by 2005.

Early Problems
The main obstacles right now are robust software to operate the chips and a perception–if flawed–of the chips as being overly expensive. Not quite accurate, said Karl Hicks, a manager at Datamonitor’s technology division.

“Some would say that there’s a problem with price at the moment,” Hicks said, “but the cost is really only $15 or $20 per chip currently, and when you see the kinds of announcements and developments in Bluetooth, the large economies of scale will begin to bring prices down very soon.”

Merrill Lynch vice president and European semiconductor analyst, Andrew Griffin, who co-authored the Merrill Lynch report on Bluetooth, agreed. “We’re looking at the average price per chip dipping below $5 in 2002, but some firms will have reached that price level by 2001,” he said.

Another mildly worrying subject, according to Griffin, is the development of “bulletproof, robust software that won’t irritate the end user.” Point-to-point solutions are one thing, but software that can cope consistently with other kinds of applications–for example, cell phones speaking with PDAs, laptops and other devices–is still under development.

“Software issues aren’t going to prevent Bluetooth from taking off,” Griffin said, “but it will prevent it from taking off this year, and we won’t be seeing any of the really super sexy applications just yet.”

Why It Will Work
“It’s really simple,” said Johan Boman, chief financial officer of Sweden’s C-Technologies, which recently unveiled the first mass-market Bluetooth enabled device. “We expect Bluetooth to be the definitive standard for communications, replacing infrared and all other existing options. Companies simply must cope with it to have a place in the market.”

While the technology is currently under heavy development by major American manufacturers like Motorola, Dell, Microsoft and Intel, smaller European firms have some distinct advantages.

Ericsson, which initiated the standard, had the stunningly good sense to see that a) they had a hot one on their hands, and b) in order for it to succeed the standard must be open and royalty free. The result has been industry support by all major computer manufacturers, and a current membership of almost 1900 companies in the Bluetooth Special Interest Group (SIG) of Bluetooth device manufacturers.

The beauty of the open standard is that it allows smaller companies, which can move much faster on a new technology, the luxury of full entry to the market at this early stage. For example, take Neuer Markt gem, Hanover-based Höft and Wessel, which specializes in interactivity and mobile communications (they make the gizmo that the conductor uses to charge your credit card for tickets aboard European trains, and the one you paid for your rental car with at the airport last month).

The company, which made a name for itself in European mobile computing with the wildly successful “Taschen Kasse” mobile cash register, is now looking to empower its Web Panel with Bluetooth. The Web Panel is already a model of interconnectivity, a wireless web device that can run both Windows Pocket PC and Linux operating systems.

Or take C-Technologies, whose Anoto division recently brought the first mass-market Bluetooth-enabled product, the Anoto Pen, to market. The pen, a bit chubbier than a Mont Blanc but with thinner versions planned, has a built-in camera and recognition engine that allows users to write a note on patterned paper by hand, and then send it as an e-mail via Bluetooth.

C-Tech is already a producer of popular handheld devices that lend themselves quite naturally to Bluetooth, such as the C-Pen and handheld scanners–and the company has already unveiled prototypes of these devices enabled for Bluetooth.

These companies are far from alone. This week, IBM and Toshiba announced they will offer Motorola Bluetooth devices across a range of their products. IBM also said it will produce Bluetooth-enabled PCMCIA cards, allowing users of current notebooks and laptops to connect easily with future Bluetooth devices.

And Ericsson will soon release its Bluetooth-enabled cellular phone wireless handset, which will work with any make or model Bluetooth-enabled phone. Analysts agree that Bluetooth, whose standard operates on the same frequencies worldwide, allowing users to use Bluetooth devices anywhere on earth, will substantially change the way devices communicate.

“That’s the really exciting aspect of Bluetooth,” said Jörg Müller, research analyst for new technologies at Value Research Management.

“People talk about the cable-free revolution; I’m not really interested in avoiding cables, but I really mind if I have to use 15 different adapters, like when I have my Alcatel cell phone that can’t connect to my car, which is wired for Siemens,” he said. “Or when I already own a Siemens headset and buy a new Motorola phone. In these cases, Bluetooth would let me use all my devices together.”

What It Does & How It Works
Bluetooth wireless technology lets a device speak, at broadband rates, with other nearby Bluetooth devices instantly and securely, and uses the same frequencies worldwide, so your cell-phone from the US can speak with your VCR in Hong Kong. Each chip can support up to seven “slave” devices, and that mini-network can in turn be slaved to a second master–the possibilities are mind boggling.

The buzz over Bluetooth is just beginning, and while many products are in development, there’s a somewhat slow ignition process at the moment, but that won’t last long: it’s merely a matter of momentum.

“It’s a bit like the first fax machine or the first video phone,” said VRM’s Müller, “until there are more users you’re not going anywhere. The consumer only benefits when there’s a broad range of Bluetooth devices on the market. I’m really sure that this has a very big future, but at the moment, there’s a struggle to get enough products to market for the concept and the platform to really take off.”

Analysts agree. “I don’t think we’ll see very much happening this year,” said Johan Montelius, an analyst with Jupiter Communications. “We’ll see lots of press releases and a few products coming out, but the big thing is next year.”

For European investment opportunities, look to manufacturers like C-Tech and Höft and Wessel, as well as infrastructure and mobile telephony companies. But don’t forget an important player: “white devices”. Dishwashers, refrigerators and other kitchen appliances will be heavy users of Bluetooth in the future. As a Massachusetts Institute of Technology guru told the crowd last week at a London advertising convention, the majority of Internet communication in the coming years will be “machines, not people.”

So when your fridge calls your grocer to order more Nutella, Bluetooth will have come of age.

Clinitrac’s Brick Could Save Pharmaceutical Companies Millions

The development cost of a pharmaceutical drug can easily run between $500 million and $800 million, and clinical trials alone can cost between $1 million and $2 million per day in lost future revenues. So imagine a service that could reduce by a year the time it takes to perform a clinical trial, analyze the results and submit them to the US Food and Drug Administration (FDA).

That’s the dream of Stockholm-based Clinitrac, which has produced a working prototype of its GSM-based wireless solution geared to the problem of initiating, gathering, analyzing and accessing the information generated through medical clinical trials. The time to market is, of course, dependent on loads of factors, but probably refers to larger, longer trials.

VCs Believe
Clinitrac received $3 million in seed funding in May 2000, mainly from BrainHeart Capital and HealthCap, but also netted stakes by the Swedish Industry Fund and others. The company is currently entering a second round with the original funders, to the tune of an additional “three to four times that amount,” and is seeking to bring in an additional, US-based venture partner to the fray.

The company has yet to produce revenues, but its working prototype is impressive. It has already cut a deal with Psion for the Netpad and is in discussions with a major PDA manufacturer. And it has had meetings with US GSM operators to ensure that Clinitrac’s product will have all the GSM network coverage it needs when it offers its product to US markets in 2001.

Patients enter information on a half-brick-sized Psion NetPad, which has a wireless Internet connection, a touch-activated screen and enough shock absorption around its edges to tolerate a month in a New York City public secondary school. The information is then transferred back to the company performing the testing, and made immediately available to doctors, scientists, product managers and developers.

“This sounds like an interesting technology,” said Nick Woolf, biotech analyst for ABN AMRO. “There are other companies in clinical trial services who claim to have various systems – voice recognition systems and others – but it’s certain that real-time information on a clinical study is valuable.”

Clinical Trials Today
The process is, in a word, revolutionary. Today, patients are asked to fill in paper forms, and they often forget, fill them in late or inaccurately. This information is delivered to a doctor after 30 days, which means that a patient who repeatedly misses his noontime dosage or has an adverse reaction to a drug would not be identified until after at least a month.

“The biggest problem with clinical trials,” said Clinitrac CEO Andreas Segerros, “is keeping the patient in the trial. Once they blow the protocol a certain number of times, you need to take them out. Our product would allow monitors to see, on a daily basis, that Mr. Thompson over there keeps missing his 3 p.m. pill, and call him early enough to keep him in the study by making sure he took the drug.”

That indicates a level of involvement and monitoring of tested subjects unheard of today. Currently, paper forms are stacked up from around the world, flown to central data processing facilities and keypunched into systems before anyone can even have an idea of the nature of the data.

The major risk, Woolf said, is getting the product out there and recognized as a clinical trial service. Most large pharmaceutical companies, he said, contract out much of the work of clinical trials to Contract Research Organizations (CROs).

“Today there are CRO subcontractors that do nothing but take dirty paper forms filled in by patients and scan in the results,” said Henrik Linder, Clinitrac’s clinical research operations senior director. “[Our] system gives you clean data, digitally, directly where you need it and in real time. And when we approach the pharmaceutical companies, they’re like, ‘Finally! Thank you!’”

There are potentially several areas in the pharmaceutical industry where a product like this could be used to affect both savings for the end user as well as increased profits for the manufacturers. Traditionally, on approval of a drug, the onus is on the drug companies to appeal to the FDA in order to maintain a high price – the FDA is in effect negotiating on behalf of the American Medicaid system, which will pay or not pay for a drug based on the assessment of the FDA.

The pharmaceutical company will argue that a) the thing took them years and billions of dollars to research, b) it meets an immediate, and heretofore unaddressed, need of the general public, and c) the quality of life improvement, or simply the decrease in necessary medical attention required by a patient taking this drug, is so compelling as to justify a higher dose or daily cost of the drug.

Clinitrac said its product can help in this process as well, by allowing pharmaceutical manufacturers to have access to a broader-than-ever range of quality-of-life questions, or information above and beyond the physical effects of the drug.

For example, in addition to hard medical questions of efficacy to a patient on a clinical trial for a drug that attacks skin rash, they would also be asked questions such as: “In the last week, how often did embarrassment about your condition cause you to make more conservative clothing choices?”

The answers to questions such as these would enable pharmaceutical makers to argue that in addition to straight efficacy, the drug in question has a positive impact on the patient’s quality of life – a compelling argument for a higher price for the drug.

“As a monitoring tool it could be extremely effective,” said ABN AMRO’s Woolf, although he stopped well short of saying that the technology alone would amount to a stronger negotiating position. “Whether you can correlate the monitoring tool to a gain of negotiating points with the FDA, HMOs and other reimbursement agencies would be difficult to claim.”

He added: “These guys need to team up with a Quintiles or a Covance,” referring to two of the larger CROs. “Because those are the ones that already have the relationships and access to clinical hospitals.”

Absolutely true, Clinitrac agreed. For now.

But the company is convinced that eventually pharmaceutical companies will see the savings involved in their real-time offerings, and Clinitrac won’t be keeping many friends in the CRO world for long.

Phoenix Struts Its Wireless Stuff

I’m watching on a wide-screen television the most painfully revolting thing I’ve ever seen, and Mikael Hällström is gleefully pointing at the screen.

“This is almost…almost…broadcast quality, and there’s no delay at all,” he said proudly. Hällström’s biggest problem in the coming months is whether to stay at Ericsson, where he has been for four years, or to head out with the spin-off he helped create.

These are good problems to have.

Truth be told, the resolution is more than “almost broadcast” – in fact it’s clear enough to give me nightmares for weeks and ponder each future meal carefully. We’re in Ericsson’s Stockholm headquarters, in a conference room that has been temporarily turned into both a highly impressive display of very cool technology and a chamber of horrors.

Here’s the story: Malmö University Hospital in southern Sweden wished to demonstrate to a hotel conference center packed with leading international medical observers a controversial, highly unorthodox and possibly revolutionary approach to an operation to remove a cancer in a patient’s rectum – going in from the top.

I’m watching the “highlights.”

I’m watching this to see a clear end-use example of the types of networks Ericsson believes will be prevalent in the very near future. And Ericsson Business Innovations (EBI), the “incubator” arm of Ericsson, is looking into using technology like this to create a number of businesses.

For example, EBI has also been working on something it calls the Phoenix Project, based around Ericsson’s Open Service Gateway Initiative (OSGi) protocol. Phoenix was set up to establish a solution for home health care, security and safety products, and EBI is looking internally at Ericsson, as well as at third parties, to develop other OSGi applications.

Now, that horrible tele-operation challenge I am trying not to remember was not part of Phoenix, but with it Phoenix saw a chance to strut its technological stuff. To this end it established a 24-megabit-per-second (Mbit/s) upstream and downstream connection between the hospital and the conference center (which are meters from one another) by way of a 750km loop through public networks using existing technology and infrastructure.

The setup included two cameras in the operating theatre – one on the surgeons and the other on the action – that broadcast to two projection devices in the conference center, both producing crystal clear 20 and 35 square-meter images. Real-time voice communication between the center and the theatre was a key element, allowing the surgeon to converse with the observers.

“You can’t have voice delays,” said Hällström, the simultaneously mild-mannered and intense architect of Phoenix, “and we did this without compression or echo canceling – if we used those, we could have gone several times farther.”

With traditional broadcasts, such as television, a gap between the time of broadcast and arrival at the user’s device doesn’t matter as it’s a one-way signal. But anyone who’s watched the poor CNN reporter, listening to a question by satellite and standing clueless, staring blankly at the camera for two to six seconds, can understand why a satellite hookup would be unacceptable in a tele-medical situation, where seconds count.

You might well wonder why Ericsson is in the television business, and the answer is that it’s not. It’s in the business of building up teams that will form the core of new units within Ericsson or of new companies that will be spun off.

The broadband system above grew out of research by Ericsson Media Lab and the work of Hällström and others in Ericsson working on telemedicine applications.

Phoenix To Be Spun Off

The goal is to have Phoenix, now still part of Ericsson, build up its system around OSGi, establish and maintain its standards and protocols, license users of the system from health care, security and other industries, and then eventually remove itself from the fray, licensing third party operators who will pay Phoenix for the right to operate the slice of the network in their special fields. Phoenix, of course, would then sit back and count its royalty and licensing income.

Phoenix’s E-Box is an OSGi-based system. It’s a home-running device that brays at you if you leave the iron on and potentially allows you to, for example, let your kids in before you’re home but deny them access to the garage, oven and VCR. The box controls safety issues like those, security (locks and alarms), as well as health-monitoring systems. EBI announced in October that it began an E-box trial run in 3,000 homes in Sweden.

“The Phoenix group deals with infrastructure and we need to have a network,” Hällström said. “We don’t want to operate the network, but we need to make sure that it is, in fact, a network, and it will be maintained and operated in the proper way.”

Working with partners in those related industries (they’ve embargoed us from saying even which space within the industries), other groups deal with the health care and security aspects of the applications, and another deals with the construction and installation aspects.

“We will start to roll this out in new houses initially,” Hällström said, “because then the costs of building the infrastructure in the house is near zero when looked at in context of the building costs. And we want to have a large base of customers.”

Opportunity for VCs

That’s an opportunity for VCs looking to back products in the related industries. EBI is actively seeking venture partners and offering support and resources for venture-funded companies who develop related technologies or end-user applications that would use the OSGi protocol.

“We believe a very strong part of Phoenix is the partner program, which is mainly venture-funded companies – and it’s not just the money, it’s the knowledge the VCs and third-party companies bring to the table,” Hällström said.

If the demonstration I saw is any indication, EBI has a lock on the networking part. Observers interviewed afterward said on camera that the setup was incredibly valuable and remarked that it could have an untold number of applications in medicine.

And, of course, they mentioned the vivacity of the colors. “I’ve seen lots of these types of presentations,” said one doctor. “Many times the details are fuzzy, and the colors are often washed. But here the colors were perfect, the resolution and clarity better than I’ve ever seen.”

 

Smart money would say that, at least technologically speaking, Phoenix should make the cut as a spin-off.

Nokia: Let ’em Make Cake…

The future is wireless, or at least that is what Nokia, Ericsson and a host of startups and network operators are earnestly hoping. But the quick success of 3G – The Third Generation of mobile telephony – is more than profitable icing for these companies; it has now become a matter of survival….

This article, which ran in the February, 2001 issue of Tornado Insider magazine, looks at the overall climate in European development of 3G, and then explores how each of Europe’s largest telecom networking manufacturers, Ericsson and Nokia, is coping with the challenge.

…………………………………………………….

In the main lobby of Nokia House, a wood-steel-and-glass curiosity in the Finnish city of Espoo, is an impromptu cell-phone museum. In it, alongside all the sexy phones that rocketed the Finnish manufacturer to No. 1 in handsets, we viewed the suitcase-sized Mobira Talkman “portable” cell phone all the yuppies were buying in 1986.

For all its prescience in handset design and user habits, no one knows better than Nokia how difficult it is to predict future trends. Painfully aware of industry missteps earlier in the 1990s, Nokia discusses 3G with a reverence, and makes predictions about “classes” of applications and “styles” of usage.

But it won’t predict specific applications that will emerge as killers. The logic is cunning: Predict the next SMS? Thanks, no. But it will hot-house every person with an idea for an application, maintain an open API (application program interface), provide technical details to everyone, and market support to the successful few. Now there’s a situation in which Nokia doesn’t care what the next big thing is, because in theory at least, it will already have it under its wing.

“Nokia’s approach is absolutely that,” says Mika Koskinen, CEO of Entirem, which develops a secure wireless transaction platform for banks and portals in cooperation with Nokia. “The general impression is: focus very strongly on our core business, and don’t then get too heavily involved with third parties, at least at the early stages.”

For startups, this is great news. “It’s impossible for us to define the killer apps,” says Mikko Pyykka, Nokia’s 3G application marketing manager, “so we just need to cooperate with a large number of developers. But we think that at the end of the day the real killers will be somehow related to messaging.”

Messaging is what Nokia says will be the main application when it comes to revenues for 3G, and it, like Ericsson, farms its developer community for the latest and greatest. But unlike Ericsson, Nokia seems to be cut-and-dried about the application developers in the overall food chain – they’re valued, to be sure, but they’re outsiders.

During the Sydney Olympics, MobileChannel.Network set up a one-way messaging system for Nokia to provide sport content services. MC.N now cooperates with Nokia on a number of levels. “We did some basic business studies with them,” says MC.N’s Janne Makinen.

“It’s kind of a two-way development cycle. They give us technical access and early releases of new products for us to develop new versions of our product, and we give them feedback of how things work. They also give us a live environment in which to test our solutions before we go to operators.” Makinen says he believes that Nokia’s involvement will play a significant role in MC.N’s development as a company, creating a need for MC.N products by delivering Nokia’s goal of a complete end-to-end system, from network to handsets to applications.

Another Nokia developer is Genimap (formerly Karttakeskus), which began cooperation with Nokia in 1996 when it released its first Communicator – Nokia’s hinged-brick PDA, aimed at the high-flying business and “poser” crowd (that’s Nokia’s own internal market-segment term). The first mapping products were popular address finders; the user entered an address and was served a digital map.

“There are different levels of cooperation,” says Mikko Salonen, CEO of Genimap. “In the beginning, it was very important for us to get cooperation on development tools – how to make WAP-based applications, and so on. Nokia gave us technical papers and documentation, but there was also a two-way exchange of technical information – we also gave our ideas to them and shared our views.”

Currently, Genimap is working with Nokia to develop location-based services such as “turn-left, turn-right” maps complete with street-level content. But Salonen stops short of saying that his company’s relationship with Nokia has changed his life. “The relationship has accelerated our business plan, and they are important for us, but I’m not willing to say this is so very extraordinary or different – they’re just a partner,” he says.

Nokia likes it that way. “In some cases, as with customer-specific services tailored and run for one operator, we might have an exclusive,” says Nokia 3G strategist Ilkka Pukkila, “but we would never go with one single application provider, for example rich SMS. Our strategy is to give operators as much choice as we can, but to offer value added – such as with the interplay between applications, like adding theater tickets to your datebook. We control the platform, and integrate the applications to suit the specific needs of the customer.”

Pukkila says very soon you and I will use our “personal trusted device,” a kind of handheld multimedia terminal to buy a Big Mac. Why would we ever buy a burger with the phone? Pukkila points out that is the wrong way of thinking. “You wouldn’t want to do it just out of the blue. But, for example, McDonald’s will have its own 3G wireless LAN in the restaurant, and when you walk in, you’d get, for example, messages about specials, which you could buy with your phone. And while you ate, you could view McDonald’s content. Or you could pre-order and pick up your paid-for meal with no waiting when you arrived,” he says.

To Nokia, it would seem, development of these kinds of applications will for the foreseeable future be left to the third parties, allowing Nokia – and McDonald’s for that matter – to pick the best of breed of every single app it buys. In fostering this climate, Nokia will likely never again have to say that the latest hot thing just never appeared on its radar.

In concentrating on the network vendors’ efforts to develop applications, we leave un-discussed, for now, the solidity of the model of UMTS as telecom savior. This could be far from certain. Industry analysts, notably those within Forrester Research, have been increasingly pointing to flaws in the revenue models the telecom operators are banking on. “There’s no killer application. There is no such thing. Let’s go for a killer environment. We don’t want to be bound by specific applications.”

This quote, from an executive at a European mobile operator, was featured in Lars Godell’s January Forrester report on the future of UMTS, which the report called “a survival question.”

“Of course it makes more sense for the equipment manufacturers to do the lion’s share of the application hot-housing,” Godell told Tornado-Insider, “But every operator must also have an open mind, to nurture niche and local applications developers as well as creating strong local partnerships.”

Forrester remains skeptical that, even with the hottest applications, incumbent European mobile operators as we know them today will survive the shakeout. Forrester predicts that by 2011, impending pressure from the network vendors to upgrade again to 4G technology will fuel a desperation to reach profits from UMTS amid an environment of saturated subscriber markets, continued spending on marketing and network upgrades and declining average revenue per user (ARPU).

Could it be that eventually the network vendors end up swapping gear for equity to bail out operators? Will forced consolidation result in the death of all independent operators and allow the survival of only the largest pan-European players?

Other analysts say that the Forrester report is overly gloomy and that it does not take into account the improved capital efficiency of investment in 3G as compared to 2G. But most agree that evolution, and indeed consolidation is not an unlikely prediction. “The shape of the mobile communications industry has not stopped evolving,” said Peter Knox, a telecom analyst at Commerzbank Securities, “and consolidation is probably a likely result.”

Visiting The Front Lines

The future is wireless, or at least that is what Nokia, Ericsson and a host of startups and network operators are earnestly hoping. But the quick success of 3G – The Third Generation of mobile telephony – is more than profitable icing for these companies; it has now become a matter of survival….

This article, which ran in the February, 2001 issue of Tornado Insider magazine, looks at the overall climate in European development of 3G, and then explores how each of Europe’s largest telecom networking manufacturers, Ericsson and Nokia, is coping with the challenge.


For some time, both Ericsson and Nokia have vigorously embraced the role of global industry hothouse by developing new divisions and enhancing old ones to deal with the 3G challenge. But it is about more than money.

“For a fraction of what the operators spent on 3G licenses, they could buy 10 application startups to help with rollout,” says Martti Malka, a partner in Nokia Venture Partners, which is independent from parent Nokia. “It’s not the money; it’s the business model, and the successful operator is going to look to third parties to come up with the innovative business propositions.”

Resources for innovation, too, are only part of the problem. Ericsson has established itself as a curious anomaly. The heavily bureaucratic, press release-driven monolith commands a sensational ability to introduce and gather support for industry-wide protocol initiatives, like Bluetooth and OSGI, its home gateway protocol. Nokia, meanwhile, has made huge progress in end-user customer loyalty through its desirable handsets, capturing 30 percent of the worldwide handset market. Nokia is claiming great gains in GPRS and 3G networking contracts as well.

Nokia and Ericsson realize that in order to give their customers, the operators, the return they’re demanding, they must aggressively court small startups working on applications, services, and hardware for 3G. They’ve partnered with VCs for some, and will continue to do so for others. They have also spent considerable time and money making sure that when 3G rolls out it will live up to the hype.

Enter the startups
“We know we have to develop this market and the key issue is getting the right applications,” says Bengt Larsson, marketing manager for Ericsson Business Innovations (EBI), an independent subsidiary of Ericsson. “It’s not until we have the applications on board that we will see the 3G market take off.”

Nokia Venture Partners, with $500 million under management, concentrates on early stage mobile Internet companies, and looks specifically toward those creating enabling technologies. A perfect example is AVS Technologies, an Espoo, Finland, company whose MVQ (motion vector quantization) method is a high-end video compression and transfer technology that compresses video streams 10 times more effectively than RealPlayer or Windows Media.

For its part, EBI, as well as main divisions of Ericsson such as its Mobile Location Services, work closely with small startup companies developing applications that would eventually work with an Ericsson 3G network. For instance, Ericsson Mobile Location Services works and co-markets with It’sAlive, a startup games-maker funded by Speed Ventures in Stockholm. It’sAlive just rolled out its first product, a location-based game called BotFighters, in which SMS messages appear when opponents are in firing range.

BotFighters is currently running in Sweden on regular public networks. “Ericsson would welcome any application developer who would like to try out a 3G application to come and use it on our demo network in Kista. It’s one of the few places in the world where you can actually test 3G applications in a practical environment,” says EBI’s Larsson.

The first step taken by application startups is a visit to the Ericsson and Nokia developers’ websites, which allow any company to register to receive technical specifications, assistance, emulators, and limited access to the developers’ community for the particular product in which they’re interested. Companies that push past that point and go for a more formal partnership, like It’sAlive, are given co-marketing support and access to live research and development projects, not out-of-the-box technology.

While Ericsson and Nokia are both taking to their roles with gusto, developing deals with laundry lists of third parties from startups to global players, there are subtle differences in their approaches. The following profiles look at the efforts by each of the vendors, and compare and contrast their approaches.

WiFi encryption standards

There are three commonly-used standards of Wi-Fi AP security in the world today. The best known, Wired Equivalent Privacy (WEP), is readily vulnerable to exploits and must not be trusted except for the flimsiest of protection. WEP is widely considered to be a trivial barrier to even barely competent hackers, and to afford only a bare minimum of protection on its own.

Wi-Fi Protected Access (WPA) was developed as an intermediate solution to the revelation that WEP’s encryption had been highly compromised. The second generation of WPA security is called WPA2, and this is the current state of the art. WPA2 delivers (to date) very good encryption and protection against eavesdropping. WPA2 Personal provides strong encryption and uses Temporal Key Integrity Protocol (TKIP), which dynamically encrypts the key used for authentication. WPA2 Enterprise uses an authentication server to authenticate users.

Until recently, implementing WPA and WPA2 was something of a hassle; if you’ve been wireless for some time now, and still have Wireless B Cards (see sidebar), you’ll have challenges using WPA. If you have fairly new equipment, such as an Intel Centrino notebook, you’ll be able to use at least WPA if not WPA2.
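To audit which of these standards an access point in your own office actually advertises, the following added example (not part of the original article) classifies an 802.11 beacon body from its capability field and its WPA and RSN information elements, including whether WPA2 is running in Personal or Enterprise mode. The element layouts come from the 802.11 and WPA specifications rather than from this page, and the sample beacons are constructed.

```python
import struct

PRIVACY = 0x0010                          # Capability Information bit 4: encryption required
EID_SSID, EID_RSN, EID_VENDOR = 0, 48, 221
WPA_PREFIX = bytes.fromhex("0050f201")    # vendor element: Microsoft OUI + type 1 = WPA
RSN_OUI = bytes.fromhex("000fac")
AKM_NAMES = {1: "Enterprise", 2: "Personal"}  # authentication server vs. pre-shared key


def elements(tagged):
    """Yield (element_id, value) pairs from a beacon's tagged parameters."""
    pos = 0
    while pos < len(tagged):
        if pos + 2 > len(tagged):
            raise ValueError("truncated element header")
        eid, length = tagged[pos], tagged[pos + 1]
        value = tagged[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated element body")
        yield eid, value
        pos += 2 + length


def rsn_modes(rsn):
    """Read the AKM list of an RSN element: version, group cipher, pairwise list, AKM list."""
    pos = 2 + 4                                   # skip version and group cipher suite
    if len(rsn) < pos + 2:
        return []
    (n_pairwise,) = struct.unpack_from("<H", rsn, pos)
    pos += 2 + 4 * n_pairwise                     # skip the pairwise cipher list
    if len(rsn) < pos + 2:
        return []
    (n_akm,) = struct.unpack_from("<H", rsn, pos)
    pos += 2
    modes = []
    for _ in range(n_akm):
        suite = rsn[pos:pos + 4]
        if len(suite) < 4:
            break
        if suite[:3] == RSN_OUI:
            modes.append(AKM_NAMES.get(suite[3], "other"))
        pos += 4
    return modes


def classify_beacon(body):
    """Classify a beacon frame body (the bytes after the 24-byte MAC header)."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its fixed fields")
    _timestamp, _interval, capab = struct.unpack_from("<QHH", body)
    ssid, has_wpa, has_rsn, modes = None, False, False, []
    for eid, value in elements(body[12:]):
        if eid == EID_SSID:
            ssid = value
        elif eid == EID_RSN:
            has_rsn, modes = True, rsn_modes(value)
        elif eid == EID_VENDOR and value[:4] == WPA_PREFIX:
            has_wpa = True
    if has_rsn:
        security = "WPA2 " + "/".join(modes) if modes else "WPA2"
    elif has_wpa:
        security = "WPA"
    elif capab & PRIVACY:
        security = "WEP"                          # privacy bit set, no WPA or RSN element
    else:
        security = "Open"
    hidden = ssid is None or not ssid.strip(b"\x00")   # empty or zeroed SSID = broadcast disabled
    return {
        "ssid": None if hidden else ssid.decode("utf-8", "replace"),
        "hidden": hidden,
        "security": security,
        "weak": security in ("Open", "WEP"),
    }


def element(eid, value):
    return bytes([eid, len(value)]) + value


def beacon_body(ssid, capab, extra=b""):
    """Build a constructed beacon body: timestamp, interval, capabilities, SSID, extras."""
    return struct.pack("<QHH", 0, 100, capab) + element(EID_SSID, ssid) + extra


# Constructed element values and beacons (not captured from any real network).
RSN_PSK = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000")
RSN_EAP = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac01 0000")
WPA_IE = bytes.fromhex("0050f201 0100 0050f202 0100 0050f202 0100 0050f202")
SAMPLES = {
    "open": beacon_body(b"Linksys", 0x0001),
    "wep": beacon_body(b"Linksys", 0x0011),
    "wpa": beacon_body(b"B3QXR25", 0x0011, element(EID_VENDOR, WPA_IE)),
    "wpa2_personal": beacon_body(b"B3QXR25", 0x0011, element(EID_RSN, RSN_PSK)),
    "wpa2_enterprise": beacon_body(b"B3QXR25", 0x0011, element(EID_RSN, RSN_EAP)),
    "hidden": beacon_body(b"", 0x0011, element(EID_RSN, RSN_PSK)),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify_beacon(body))
```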


 


 


Startups To Benefit From UMTS Spending

Imagine you’re a telecom, and you wake up this sunny Friday to realize it’s not a dream, you really did just pay £8 billion for two German third-generation mobile license blocks. Yes, you paid much more than you wanted for fewer license blocks than you’d hoped. And when your friends ask you what, specifically, you will do with this license, you can’t answer.

If you think you hear laughing, it’s probably coming from Denmark.

“We were all laughing about this just yesterday,” said Soren Jessen Nielsen, head of strategic business development in Europe for BlueKite, which just closed a $36 million round of funding from a VC group headed by Texas Pacific Group and including Credit Suisse First Boston. The investors purchased a 21 percent stake in BlueKite, which develops proprietary bandwidth optimizing technologies and a software platform aimed at increasing network capacity and Internet access speeds for fixed and mobile networks.

“Bandwidth is finite; it’s absolute,” said Nielsen, who scoffs at UMTS hype. “A 2MB line into a PDA? Please. When UMTS comes, no one has any idea what they’re going to do with it. But I’ll tell you, whatever they (the telcos) do, they’re going to run into the same bandwidth problems and capacity issues that you have with GSM and Edge. You ain’t gonna have multimedia while traveling on a train, forget that one – that’s marketing hype.”

But whether BlueKite believes the UMTS dream or not, it’s hoping to profit from it. The San Francisco-based company, with roots in Copenhagen, may be one example of how startups in Europe can benefit from the trucks full of money being thrown at UMTS. Whether you believe UMTS is the Great White Hope or a Big Fat Joke, one thing European VCs seem to agree on is that companies developing applications for next-generation mobile networks are worth funding. With telcos around Europe set to pay up to $200 billion for licenses, they may have little money left to develop their own applications to run on these networks. Enter wireless communications, software and technology startups.

“There is a ton of work to be done to create these UMTS-based applications, and this is an area where small companies are really needed, and where they can do a good job,” said Peter Dietz, managing director of TakeOff VC Management. He believes the UMTS bidding war will cause larger companies to leave to small companies the work of making the applications that will make UMTS sexy. “I can’t name names at the moment, but we have already been discussing this with two of the German companies in our portfolio; one is something of a cross between an IT service and a multimedia agency, and the other is a pure software development company.”

Kim Bach, vice president at 2m Invest in Copenhagen added: “This is a perfect example of the ‘Tornado effect.’ There’s so much money being spent in this area that it’s impossible to imagine it won’t have a positive effect on the small suppliers.”

Bach has seen this market development coming for a long while. 2m has been sinking money into the organization that is now BlueKite since 1993, when it was called RadioMail, and it had teamed up with Motorola to make Newton-like handheld devices.

“We really knew the idea of wireless computers was the way to go in the future, but we were out, well, let’s say a bit too early,” Bach said. “But we were sure this technology would have to have a breakthrough sometime, so we kept feeding what would become BlueKite until a couple of years ago when they really took off.”

BlueKite’s reincarnation about two-and-a-half years ago, headed up by CEO David Cox, was funded by $1 million in seed money from 2m, which owns 41.6 percent of the company. BlueKite started with offices in Silicon Valley but, fleeing high prices and labor costs, it kept its administration in San Francisco and moved research and development to Los Angeles. In the last year, the company has grown from 10 employees to more than 70, and has offices in Copenhagen, London, Frankfurt, Amsterdam and Paris.

2m invested an additional $3 million last year. BlueKite’s aim is to develop technologies that better manage bandwidth and compress data, but still utilize existing infrastructure. For example, on a standard ISDN line, BlueKite technology can determine, on an ongoing basis, whether a given user needs two or three channels, or just to keep one open on an idle mode.

In fact, BlueKite already offers a technology that allows ISDN-speed data transfer rates over existing wireless networks for companies including British Telecom, Swisscom and Telecell Portugal, as well as Connect Austria.

“We looked at everyone offering solutions to bring high-speed mobile data transfer,” said Lars Reichelt, currently COO of Connect Austria and soon to be director of wireless for Europe at Yahoo. “When we finished, BlueKite came up by far the best,” even with competitors including Nokia and Ericsson offering similar products. “This is a great tool, and it makes the workplace truly mobile. You don’t have to worry about fumbling around looking for a proper phone plug – in Austria there are seven approved types of phone plugs. It costs 3 shillings ($0.20) a minute, and you can work while others watch in wonder.”

BlueKite may well be poised for growth during the development of the so-called mobile future, but it won’t be alone for long. Software companies are desperately needed to build the very applications that will make UMTS profitable, and most startups aren’t clueless to the trend. Some industry estimates put the number of WAP development companies at over 600 in Europe alone, and VCs are desperately trying to plunk their cash into the right wireless companies. Yesterday, every VC wanted a dot.com in its portfolio, now they want wireless startups.

“This (the development of UMTS) creates opportunities for smaller companies,” said Stephan Uhlmann at Deutsche Venture Capital Gesellschaft. “There’s a great opportunity here for developers of applications that will bring products to end users via UMTS.”

A proposal for Reasonable Wireless Security for law firms

It’s just past 8.30 am on a busy Tuesday. A five-person legal team has just arrived to work with your firm on that big case. For the next four days, these five lawyers will be camped in your conference room. And their first question is, “How do we get Internet access?”

[Ian Sacklow co-wrote this white paper]

At many small and mid-sized firms in the US, the answer is increasingly, “We’ve got Wi-Fi[1].” A Wi-Fi Access Point (WAP) allows your computer or personal digital assistant (PDA) to connect to the Internet, or a computer network, at high speed, without wires (see sidebar).

Wi-Fi lets your clients use the Internet or access their corporate network. It allows your partners, associates and interns access to the web and your Local Area Network (LAN) from the library or lunchroom – or the coffee shop across the street.

In the immediate future, lack of a Wi-Fi connection to the Internet will be as disruptive to a law firm as the lack of an Internet connection, or a mobile phone.

As we adopt new technologies, no matter how revolutionary or wonderful they may be, we must not be reluctant to address their vulnerabilities. An improperly or incompletely configured WAP has vulnerabilities. Fortunately, there are inexpensive and easy-to-employ safeguards against many of them.

Executive Summary
This article is intended to provide attorneys and support staff with an overview of Wi-Fi, and the challenges they face as they maintain the confidentiality of client documents and information in a wireless network setting. This article proposes a standard comprising the steps which law firms should take to reasonably prevent intrusion into their LAN via their WAP, and thereby protect the confidentiality of their clients’ information.

The article is geared towards those in the many law firms which don’t have full-time Information Technology (IT) departments, or formal computer training. The steps suggested do not provide a guarantee against unauthorized intrusion. They do provide a reasonable amount of security at reasonable expense[2].

When it comes to a lawyer’s duties to maintain confidentiality, I’ve been told there has been no landmark ruling about what are reasonable measures to protect client data across a WAP. A poorly configured WAP can expose your clients’ confidential information. Unless you wish to be the test case to establish that standard, you should establish and maintain reasonable levels of security when deploying a WAP.

It is submitted that the steps I propose are reasonable, and it is hoped that they would therefore be adopted as a standard to be followed and provide a safe harbor for law firms seeking to protect the confidentiality of client information in a wireless network setting.

The proposed standard includes four steps to protect and encrypt the traffic on the WAP. Any WAP not so protected shall be considered to be an “Open WAP.”

The proposed standard also includes a written security policy covering:

  • WAPs in the office
  • WAPs at the homes of those with remote-access authorization to the firm’s local area network
  • Computers which contain client data and access publicly-accessible WAPs (at coffee bars, airports, Bar Association Libraries, etc.)

Wi-Fi: An Indispensable Tool

  • Wi-Fi is everywhere, and it’s no fad.

There were more than 10 million WAPs in US homes by the end of 2004, with an expected 14 million by the end of 2005.

At coffee bars, restaurants and offices throughout the world, you’ll see people working on Wi-Fi-enabled devices like notebook computers. Publicly-accessible WAPs, known as Hotspots, are provided in scores of cities to encourage Internet use. Many Hotspots provide Internet access at no cost, to encourage foot traffic.

Other Hotspots, such as those at most Starbucks, Barnes and Noble, Borders and Kinkos locations, charge access fees for Wi-Fi – about $1.30 a day for a monthly subscription.

WAP Overview

  • The vast difference between connecting via Wi-Fi to the Internet, and connecting via Wi-Fi to your LAN is an important distinction.

Components comprising a Wi-Fi network work in much the same way as walkie-talkies and a base station. When you set up a WAP (sometimes also referred to as a “Wireless Router”), you are broadcasting a radio signal to the area within a radius of up to 300[3] feet from the WAP. By default, anyone with a mobile device equipped with a Wi-Fi transceiver (“Wi-Fi Adapter”) can detect this signal and request a connection. When the WAP recognizes the request, by default it assigns to the requesting device a unique identifier (an “IP Address”) which permits the WAP and mobile device to communicate. Once this connection has been made, the mobile device is granted access to the network to which the WAP is connected.

Most people connect the WAP to a high-speed Internet connection. Once a mobile device is connected to such a WAP, that device can access the Internet.

Some people also connect the WAP to their Local Area Network (LAN). Your LAN is the network of computers which contain your data and client information. LAN access must be protected by a firewall, which prevents unauthorized communications originating outside the LAN from getting in.

For reasons which will be made clear below, I highly recommend that anyone accessing your LAN from anywhere outside the firewall – be it through your WAP, their home computer or network (wired or wireless) or a public Hotspot – do so through a Virtual Private Network (VPN). A VPN creates a “tunnel” through which your data is transported, cryptographically encrypted, through the firewall and on to the LAN.

VPNs are the number one thing people should be doing. A VPN lets trusted[4] users be as productive as possible. Even if an unauthorized user gets on to your WAP, you can keep him locked out of your LAN.

The proposed standard therefore requires that you place the WAP outside your firm’s firewall. By creating a “demilitarized zone” (DMZ) which is inside the WAP but outside the firewall, you grant wireless Internet access via your WAP, while only Trusted users may access the LAN, through the VPN.
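One way to check the placement described above, as an added example that is not from the original white paper: a first-match firewall model that probes whether a device on the WAP segment can reach anything on the LAN other than the VPN gateway. The addresses, the rule format, the probe ports and the VPN gateway listening on UDP 1194 are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One firewall rule in a simplified, hypothetical format."""
    action: str                  # "allow" or "deny"
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    proto: str = "any"           # "tcp", "udp" or "any"
    port: Optional[int] = None   # None matches every port

    def matches(self, src, dst, proto, port):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.port in (None, port))


def decide(rules, src, dst, proto, port):
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return "deny"


# Constructed network layout (assumed values, not from the article).
WAP_NET = "192.168.50.0/24"                      # wireless segment, outside the firewall
LAN_NET = "10.10.0.0/24"                         # office LAN holding client data
LAN_HOSTS = ["10.10.0.2", "10.10.0.10", "10.10.0.20"]
VPN = ("10.10.0.2", "udp", 1194)                 # the only LAN service wireless users may reach
PROBES = [("tcp", 445), ("tcp", 3389), ("tcp", 80), ("udp", 1194)]
INTERNET = ("198.51.100.10", "tcp", 443)         # documentation address standing in for the web


def audit_wap_placement(rules, wap_client="192.168.50.23"):
    """Probe the rule set from a wireless client and report what it can reach."""
    exposed = [
        (host, proto, port)
        for host in LAN_HOSTS
        for proto, port in PROBES
        if (host, proto, port) != VPN
        and decide(rules, wap_client, host, proto, port) == "allow"
    ]
    return {
        "lan_exposed": exposed,   # must be empty for the DMZ design to hold
        "vpn_reachable": decide(rules, wap_client, *VPN) == "allow",
        "internet": decide(rules, wap_client, *INTERNET) == "allow",
    }


# Weak: the wireless segment is treated like any trusted office network.
TRUSTED_WLAN = [Rule("allow", WAP_NET, "0.0.0.0/0")]

# Corrected: WAP in the DMZ; only the VPN gateway is reachable on the LAN.
DMZ_WLAN = [
    Rule("allow", WAP_NET, "10.10.0.2/32", "udp", 1194),
    Rule("deny", WAP_NET, LAN_NET),
    Rule("allow", WAP_NET, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, rules in (("trusted WLAN", TRUSTED_WLAN), ("DMZ WLAN", DMZ_WLAN)):
        print(name, audit_wap_placement(rules))
```

Because rules are evaluated first-match, moving the final allow rule above the deny rule silently reopens the LAN, which is why the audit probes the effective result rather than reading the rules.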

Unless you intend to offer public Internet access (which you might, see below), then you must also protect your WAP with encryption and an authentication scheme, which requires user name and password, to help keep unauthorized users out. While less important than protecting your LAN, protecting your WAP from just anyone getting Internet access can be important as well (see sidebar).

What’s Your Responsibility?

  • Connecting an Open WAP to your firm’s LAN is literally as unsafe as placing your client files in an unlocked file cabinet in the center of a city street.

Lawyers in New York State mustn’t knowingly “… reveal a confidence or secret of a client”, and “…shall exercise reasonable care to prevent … employees, associates, and others whose services are utilized by the lawyer from disclosing or using confidences or secrets of a client.”[5]

An Open WAP is a Hotspot – a publicly shared computer network open to anyone, anywhere within 300 feet. In 2001, the DC Legal Ethics Committee stated it is “…impermissible for unaffiliated attorneys to have unrestricted access to each other’s electronic files (including e-mails and word processing documents) and other client records. If separate computer systems are not utilized, each attorney’s confidential client information should be protected in a way that guards against unauthorized access and preserves client confidences and secrets.”[6]

The Delaware Bar opined that client confidentiality is broken when a lawyer, “should reasonably anticipate the possibility that his or her communication could be intercepted and confidences disclosed.”[7]

An irate client whose opponent became aware of embarrassing information via such an interception might well make the argument that maintaining an Open WAP doesn’t protect his data in a way that guards against unauthorized access and preserves client confidences and secrets.

Protecting the confidentiality of client information on an Open WAP is impossible. Cheap and simple steps can solve this problem.

Criminal Liability of Accessing a ‘Public’ Hotspot

  • You cannot rely on existing laws to prosecute “unauthorized” WAP access. It is difficult to determine how a user becomes authorized to access a WAP, and there’s no common mechanism by which to post a notice that he is not.

In early July, 2005, police in St Petersburg, FL, arrested Benjamin Smith III for accessing a residential WAP and connecting to the Internet – from his car. Smith was charged with unauthorized access to a computer network.

He might get off. Who’s to say it was unreasonable for Smith to assume what he did was kosher? The WAP he used was wide open. With the proliferation of Hotspots, who can say whether a person can reasonably infer an Open WAP is intended for public use?

Under current New York law, it is illegal to intentionally access someone else’s computer, computer network or equipment without authorization to do so where such computer or equipment, “…is equipped or programmed with any device or coding system, a function of which is to prevent the unauthorized use of said computer or computer system.”[8]

The New York Penal Law also attempts to define “authorization” by providing that, to establish authorization, one must either

(i) give actual notice in writing or orally to the user;

(ii) prominently post written notice adjacent to the computer being utilized; or

(iii) provide a notice that is displayed on, printed out on or announced by the computer being utilized by the user[9].

Significantly, the Penal Law also provides for a presumption that notice of such authorization is given where, “the computer is programmed to automatically display, print or announce such notice ….”[10]

Scott R. Almas, who was instrumental in developing the business and technology model to implement many of the Hotspots throughout downtown Albany, New York, is a technology attorney at the law firm of Lemery Greisler LLC. While Almas does not endorse the unauthorized use of open WAPs, he points out significant problems with New York’s law when viewed against the practical reality of the proliferation of Open WAPs.

“I am particularly troubled,” Almas said, “by how a user is supposed to know whether or not the owner of the Open WAP is authorizing use of the access point where the owner broadcasts to the world the presence of the access point and takes no steps to secure it. By the very nature of WAPs, there is no reasonable way to post or provide oral notice, and it can be difficult to interpret from the broadcasted name of the access point whether authorization is intended.”

“In light of the fact that protecting the WAP is free, simple to do, and strongly recommended by the access point manufacturers during the set up process,” Almas said, “I believe anyone who sets up a WAP and does not follow the advice to install even the most basic, minimal safeguards should be presumed to be providing authorization to access the Open AP for otherwise lawful Internet use.”

“The presumption should not,” adds Almas, “extend to authority to access information on the WAP owner’s LAN, or other illegal or harmful activities.”

Oops. Was That Your WAP?

  • If a mobile device automatically seeks and connects to a WAP, then accessing an Open WAP needn’t even be intentional.

Most new notebook computers ship with the Microsoft Windows XP or Macintosh OSX operating systems, and are equipped with internal wireless adapters (see sidebar). If the wireless adapter is switched on, the notebook will seek, and attempt to connect with, WAPs – even before the screen comes to life.

People set their notebooks to connect to any available network, so the onus is on the owner of the WAP. I would think that if your WAP offers credentials to enter – such as an IP address – a user might reasonably think that they’ve been granted access to your WAP.

And New York Penal Law Section 156.50 provides a defense for persons who had reasonable grounds to believe that they had authorization to use the computer. Therefore, unfortunately, the issue will likely be left for the Courts to decide whether such a presumption exists and is applicable in any given case.

Attorneys and the public must properly frame these issues and arguments, so that the Courts can properly interpret and apply the law.

Determine Your Needs

  • You can protect your LAN while providing public access to your WAP and the Internet – so long as you configure your WAP properly.

Lemery Greisler, Almas’ Albany, New York law firm, provides a Hotspot to afford anyone in the area free access to the Internet. By giving pedestrians a good reason to mill about, this is a fine goodwill gesture towards local businesses at low cost.

That’s a perfectly reasonable thing to do, so long as you reasonably ensure (as did Lemery Greisler) that it is difficult for strangers to access your LAN from the Hotspot. They placed the Hotspot outside their firm’s firewall, thereby providing a public service at little risk to their own network.

It’s important that you, too, determine what you want your WAP to do, and deploy it properly.

Don’t Panic … But Set A Policy

  • A clearly communicated and strongly enforced written policy governing remote network access is essential.

A written wireless data security policy is vital in any environment; in a law firm, the lack of one could be expensive, embarrassing and time-consuming. It could create civil liability – and even criminal liability (see sidebar) – for the firm.

All people in the firm must be made aware of the policy, no matter their position: it does you no good to take steps to increase security if your receptionist or even a junior associate tells a caller information about your WAP and network. This happens far more often than you’d think. Specifics on what the policy should cover are listed below, within the proposed standard.

Everybody’s Not Doing It

  • If you haven’t locked down your firm’s WAP, you’re not alone. This problem is widespread and international.

In March, 2005, data protection company RSA Security reported that a survey it commissioned from netSurity found more than one third of wireless business networks in four major cities were unsecured – 38% of businesses in New York, 35% in San Francisco, 36% in London and 34% in Frankfurt.

Those numbers are about right – a safe, if not conservative, figure. It’s analogous to a car, which comes with locks built right in to the doors, but it’s up to you to depress the lock button.

From Elite Geeks to An Unruly Mob

  • One no longer needs to be a gifted programmer to be a successful intruder.

Cracking WEP, the lowest form of Wi-Fi encryption, is increasingly trivial (see sidebar), and attorneys must never rely on WEP – no matter how large the bit-size – as the sole means of protecting a LAN.

The popular image of a “Hacker,” as a young, pale-skinned male perched behind a complex computer using arcane tools to penetrate computer systems is dated.

Hacking, password- and encryption-breaking tools have become ubiquitous, sophisticated, simple to use and are totally free to download from the Internet.

PROPOSED STANDARD

A determined intruder with the right tools will get in no matter what you do – nothing offers 100% security or guarantees, but you should employ the best security you can install and maintain without unreasonably disrupting productivity. Take all reasonable steps to secure client information on your LAN with a well-configured firewall.

If you merely wish to allow Trusted users wireless Internet access, securing your WAP can likely be done by Dan – that geeky intern who likes Star Trek. It can take as little as 15 minutes, and can cost nothing: if you’ve got a WAP, you’ve almost certainly got the hardware needed (and if you don’t, you can spend as little as $40 to get it).

If you wish to allow the WAP to also grant LAN access, and you don’t have an IT person in-house, you might buy a combination VPN/WAP for as little as $149 (see sidebar). Otherwise, you may need to hire an outside consultant or installation specialist for a few hours’ consultation or work to set up the VPN.

            Four Main Steps

            Because Linksys is the most popular WAP maker, examples below refer to
            Linksys products; your WAP’s instruction manual contains specific
            How-Tos and instructions to do all the following. All brands provide
            similar steps and menus, and all use the same terminology.

            STEP ONE: CHANGE THE DEFAULTS

            The simplest solution for a range of common problems raised by WAPs is to
            change the default information on the WAP itself. This is
            accomplished by opening a web browser and surfing to the IP address
            of the WAP device.

            First go to the Setup Page:

              <li>
              Change the Router Name<a class="sdfootnoteanc" name="sdfootnote11anc" href="#sdfootnote11sym"><SUP>11</SUP></a>.
                  </li>
              <li>
              Change the last two fields in the WAP's Local IP address to
              something other than what's there. Reasonable entries include
              192.168.11.1 or 192.168.0.25. 
              </li>
              

              Next, go to the Wireless Basic Settings Page. The Service Set Identifier
              (SSID) is the name of the wireless network your users will connect
              to. By default it is set to “Linksys.”

                <li>
                Change the SSID to something non-descriptive - not your firm's
                name. While the concept of security through obscurity is not to be solely relied upon, choose for your SSID something obscure, like B3QXR25. 
                </li>
                <li>
                Then, disable the SSID broadcast, so it won't be readily visible to
                users who don't know that the WAP is there (though &quot;war-drivers&quot;
                - people who drive around looking for Open WAPs - might see it.
                Yes, there's a war-driving subculture). 
                </li>
                

                STEP TWO: CHANGE THE ADMINISTRATIVE PASSWORD

                A hacker, using the default username of (nothing) and the default
                password of “admin,” can take over your WAP and lock you out. In the Administration page:

                  <li>
                  Set a new, hard-to-guess administration password, using at least an
                  eight character string which is not a word found in a dictionary,
                  and which comprises upper and lower case letters and numbers.</li>
                  

                  STEP THREE: ENCRYPT THE SIGNAL

                  Use the best encryption method you possibly can, preferably WPA2 (see
                  sidebar). If WPA2 is not available, then deploy, in descending order
                  of preference, either WPA or WEP. If you absolutely must use
                  WEP, use 128-bit encryption – which takes a bit longer to crack
                  than weaker versions of WEP.

                  STEP FOUR: VPN INTO THE LAN

                  You absolutely, positively may not allow access to your LAN through the
                  WAP except with the use of a VPN.

                  Because the VPN’s authentication is vastly more secure than Wi-Fi’s and
                  encrypts all data between the client (that’s your notebook computer
                  or PDA) and the LAN, it helps ensure that anyone gaining access to
                  the LAN is authorized.
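
The four steps above, expressed as an audit of a WAP's settings. This is an added example, not part of the original white paper: the settings dictionary, its field names, the word list, and the factory router name and local IP are assumptions made for illustration.

```python
import re

# Constructed stand-in for a real dictionary word list.
DICTIONARY = {"password", "admin", "linksys", "welcome", "attorney", "security"}
# SSID and password defaults are the article's; router name and IP are assumed.
FACTORY = {"router_name": "WRT54G", "local_ip": "192.168.1.1",
           "ssid": "linksys", "admin_password": "admin"}
# The article's order of preference, best first.
ENCRYPTION_ORDER = ["WPA2", "WPA", "WEP-128", "WEP-64", "NONE"]


def password_problems(pw):
    """Step two: 8+ characters, not a dictionary word, upper + lower + number."""
    problems = []
    if pw == FACTORY["admin_password"]:
        problems.append("admin password is still the factory default")
    if len(pw) < 8:
        problems.append("admin password is shorter than 8 characters")
    if pw.lower() in DICTIONARY:
        problems.append("admin password is a dictionary word")
    for label, pattern in (("upper case letter", "[A-Z]"),
                           ("lower case letter", "[a-z]"), ("number", "[0-9]")):
        if not re.search(pattern, pw):
            problems.append(f"admin password has no {label}")
    return problems


def audit_wap(cfg, firm_name):
    """Return (step, finding) tuples for a dict of WAP settings."""
    findings = []
    # Step one: change the defaults.
    if cfg["router_name"] == FACTORY["router_name"]:
        findings.append((1, "router name is still the factory default"))
    if cfg["local_ip"].split(".")[2:] == FACTORY["local_ip"].split(".")[2:]:
        findings.append((1, "last two fields of the local IP are unchanged"))
    ssid = re.sub("[^a-z0-9]", "", cfg["ssid"].lower())
    firm = re.sub("[^a-z0-9]", "", firm_name.lower())
    if ssid == FACTORY["ssid"]:
        findings.append((1, "SSID is still the factory default"))
    if firm and firm in ssid:
        findings.append((1, "SSID reveals the firm's name"))
    if cfg["ssid_broadcast"]:
        findings.append((1, "SSID broadcast is enabled"))
    # Step two: the administrative password.
    findings += [(2, p) for p in password_problems(cfg["admin_password"])]
    # Step three: anything ranked below WPA2 is reported with the better options.
    better = ENCRYPTION_ORDER[:ENCRYPTION_ORDER.index(cfg["encryption"])]
    if better:
        findings.append((3, f"{cfg['encryption']} in use; prefer "
                            + " or ".join(better)))
    # Step four: LAN access through the WAP only over a VPN.
    if cfg["lan_access"] and not cfg["vpn_required"]:
        findings.append((4, "LAN is reachable through the WAP without a VPN"))
        if cfg["encryption"].startswith("WEP"):
            findings.append((4, "WEP is the sole protection for the LAN"))
    return findings


# Constructed sample settings: a WAP left out of the box, and one hardened.
OUT_OF_BOX = {"router_name": "WRT54G", "local_ip": "192.168.1.1",
              "ssid": "linksys", "ssid_broadcast": True, "admin_password": "admin",
              "encryption": "WEP-64", "lan_access": True, "vpn_required": False}
HARDENED = {"router_name": "ap-7", "local_ip": "192.168.11.1",
            "ssid": "B3QXR25", "ssid_broadcast": False, "admin_password": "t7Qm2xLp9",
            "encryption": "WPA2", "lan_access": True, "vpn_required": True}
```

Calling `audit_wap(OUT_OF_BOX, "Smith Jones")` lists every step the untouched device fails, while `HARDENED` returns no findings.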

                  Written Policy

                  Anyone who has been granted remote access to your LAN must abide by
                  the written remote access policy. This policy must cover the remote
                  users’ notebook computers, PDAs and other mobile data devices; their
                  home LAN and any home computers, and any other machines which they
                  may use to access the company LAN.

                  The policy must be clearly posted in the firm, and discussed with all
                  remote users and staff. It must explicitly set forth rules governing
                  what employees may tell outsiders about your computers, your network,
                  your WAP and your security policies. It must be regularly reviewed.

                  For a sample written policy, see http://www.nickselby.com/wifi

                  Protect Home WAPs

                  Anyone granted permission to access the LAN via VPN must apply all
                  four steps above to their home or other remote WAP. This not only
                  protects your LAN, it protects personal data they store on their home
                  machines.

                  Current OS Patches, Anti-Virus, Firewall & Spyware Blockers

                  Anyone accessing the LAN must ensure that their device is updated
                  with the most recent security patches for their Operating System.

                  All machines on the LAN must run current versions of anti-virus
                  software with regularly updated virus definitions. Note that new
                  viruses are introduced every hour; “regularly updated virus
                  definitions” means, at a minimum, once each week. It could be
                  argued that it is reasonable to update every 24 hours.

                  Any device accessing from outside the LAN must be running a
                  properly-configured firewall program such as Zone Alarm or Computer
                  Associates eTrust. The Basic Signal Set (BSS) is shared by all users of an AP. If the hotspot does not block inner BSS connections (and you should assume it does not), then if you connect to that AP without running a firewall, a malicious user can gain access to your machine and install software or remove files from your hard drive. Unless you’re encrypting your e-mail through a VPN or an encryption program such as PGP, it (and your password and username) can be very, very easily captured and viewed in plain text by others on the Hotspot.

                  Always assume that others can see you on a Hotspot. Make sure you have a firewall running, and anything
                  you care about – such as email or confidential files – is encrypted
                  across a tunnel.

                  Call For Discussion

                  As when you access a Hotspot, you’re always looking for the balance
                  between ease of access and loss of security. The best we can do
                  is educate people about the upsides and downsides of using WAPs, and discuss ways to protect yourself so that your information remains reasonably secure.

                  As I mentioned earlier, this is all very new. The proposed standard
                  is a first step towards reducing the likelihood that your LAN will be
                  compromised, or your Internet connection abused. In order to further
                  this recommendation and develop a final specification, I welcome your
                  comments.

                  Ian Sacklow, the founder of the Capital District Linux Users Group and
                  Information Systems Manager for Dodge Chamberlain Luzine Weber
                  Associates, an architectural firm with offices in East Greenbush,
                  Plattsburgh and Jericho, New York, co-authored this white paper.

                  Members of the Capital District Linux Users Group contributed technical
                  information and fact checking for this article.

                  <p><a class="sdfootnotesym" name="sdfootnote1sym" href="#sdfootnote1anc">1</a>
                  Wi-Fi is short for &quot;Wireless Fidelity,&quot; the nickname for a
                  wireless area network (WAN) complying with IEEE 802.11
                  specifications. Wi-Fi&reg;
                  is a Registered Trademark of the Wi-Fi Alliance. 
                  </p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote2sym" href="#sdfootnote2anc">2</a>Of
                  course as the state of the art changes, so must any standard be
                  updated.</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote3sym" href="#sdfootnote3anc">3</a>One
                  can extend this range in a variety of ways, all fairly technical.
                  300 feet is the default, stock range without modification, and
                  therefore the range I discuss here.</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote4sym" href="#sdfootnote4anc">4</a>On
                  a network, a &quot;Trusted&quot; user is given access to sensitive
                  files. An &quot;Untrusted&quot; user may be granted access to
                  certain parts of the network, but not to areas containing sensitive
                  data. 
                  </p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote5sym" href="#sdfootnote5anc">5</a>
                  New York Lawyer's Code of
                  Professional Responsibility , DR
                  4-101 [1200.19] 
                  </p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote6sym" href="#sdfootnote6anc">6</a>
                   District of Columbia
                  Ethics Opinion 303, February 2, 2001</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote7sym" href="#sdfootnote7anc">7</a>
                   Delaware State Bar Association Opinion 2001-02
                  </p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote8sym" href="#sdfootnote8anc">8</a>
                   New York Penal Law Section 156.05</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote9sym" href="#sdfootnote9anc">9</a>
                   New York Penal Law Section 156.00</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote10sym" href="#sdfootnote10anc">10</a> id.</p>
                  

                  <p><a class="sdfootnotesym" name="sdfootnote11sym" href="#sdfootnote11anc">11</a>You
                  change the Router Name to slow down would-be intruders. Router Names
                  provide enough information to attackers to obtain all default
                  information for that WAP. <a href='http://coffer.com/mac_find/' target='_blank'>http://coffer.com/mac_find/</a> is one
                  Website which provides lookups which match Router Names with
                  manufacturer and model number, linking to the manufacturer website
                  which lists that machine's default settings and password.</p>
                  




Data breaches may be new boon for mobile security

We’ve noted recently that laptops are becoming ever more portable, holding more data and processing power than ever before, and rapidly replacing the enterprise desktop as a primary computing device. We also noted that along the way they are fast becoming a major point of security failure that enterprises must address.

That proved a timely assertion, especially now that the nation’s mainstream media is buzzing about the theft from a U.S. Department of Veterans Affairs (VA) employee of a laptop computer and CD-ROM containing personally identifiable information (PII) of at least 26 million veterans. It’s safe to say that the data loss and intellectual property theft associated with mobile laptops and storage devices is a hot topic. Veterans groups have filed a lawsuit against the VA in connection with the breach, seeking $26.5 billion in damages. This monetizes – perhaps for the first time on such a large scale – the problem.

Nearly 85 million records containing PII have been compromised since February 2005, when Alpharetta, Ga.-based ChoicePoint Inc. announced the loss to hackers of 145,000 records containing PII. Ten days later, another breach announcement was made, but this time the problem wasn’t hackers – it was butterfingers: Bank of America in Charlotte, N.C., announced that it had lost an unencrypted backup tape holding 1.2 million records containing PII. Not stolen or hacked… lost.

We reckon that 40% of those 85 million compromised records were lost not to evil hackers cleverly breaking through security or social-engineering credentials from unsuspecting employees, but instead to stolen or lost laptops, computers or backup tapes, or inadvertent emailing. This kind of data compromise is a national problem affecting everything from small business, to all sizes of enterprises, to government on every level. It’s also a massive opportunity because to a large extent, this problem can be reduced.

Compliant or secure?
Much marketing ink has been spilled around the word ‘compliance’ in the past couple of years. The term sometimes refers to compliance with state regulations, like California’s, New York’s and Connecticut’s regarding data breaches. But more often, it refers to compliance with federal regulations and industry guidelines, like SOX, HIPAA, the Federal Financial Institutions Examination Council, the Payment Card Industry Data Security Standard and other acronym-laden best-practices lists designed to introduce more accountability and technical oversight into the worlds of enterprise and government data.

The ChoicePoint announcement rang in de facto national compliance with the California state law requiring notification of affected parties of a breach in security, confidentiality or integrity of unencrypted data containing PII. For each reported breach, press coverage intensifies. As identity theft becomes more common and better publicized, the consumer response to such data compromise has become angrier, which leads to still more media coverage. Data loss, which used to mean some bad PR if you got found out, now means an instant share price punishment, heaps of bad publicity and customer rage. Those are the three most significant drivers of enterprise adoption of security products.

The biggest immediate winners would seem to be mobile device security vendors. Companies like Bluefire Security Technologies, Credant Technologies, Mobile Armor, PGP Corp, Pointsec Mobile Technologies, SafeBoot, Trust Digital, Utimaco Safeware and WinMagic all offer products that encrypt sensitive data on enterprise mobile computing and storage devices.

Mobile device security
For the past several years, vendors in the mobile device security space have been hollering their heads off about just these issues. Mobile device security in this case boils down to the ability to encrypt sensitive data on the hard drive and removable media of any device or storage media capable of being carried out of the enterprise.

That’s a sensible enough goal, and unlike the case with intrusion detection or edge defense, most people can intuitively understand it. In this space there are religious differences – a constant discussion over whether it’s best to encrypt every single bit that hits the hard drive, or selectively encrypt only the data deemed by some policy to be ‘sensitive.’

And there are logistical challenges. Think of how many devices are capable of taking a walk with 60,000 or 6 million records, and your thoughts would have to extend to laptops, mobile phones, CDs and DVDs, USB flash storage drives and mass storage devices like iPods, MP3 players, digital cameras and the like, plus backup tapes, external hard drives and tape drives… There’s a pretty long list.

Most, if not all, of the vendors in this space build in some kind of remote-destruct feature to keep Fred from Purchasing from absconding with the company sales list: The device typically phones home on boot and gets instructions, or checks in when connected to the Internet. This is all useful stuff of course, but the main concern most people have is whether disks can go on a walkabout without endangering the customer data and the company’s reputation.

The reason we say that vendors in this space will benefit from the recent events far faster than those in others (such as, for example, database protection, storage encryption and key management and the worlds of intellectual property loss prevention) is because the technology is simple, fairly cheap and can be deployed on what you have now.

It’s a fairly easy purchase that the enterprise doesn’t have to live with forever – the technology on which it is deployed, often a laptop or handheld, will almost certainly be replaced in three to five years (as opposed to a database protection system, which would be expected to last longer, or storage encryption and key management system, which would be expected to last until the end of time, or at least a decade). Also, mobile devices are frankly the most likely to be lost or stolen or otherwise compromised – like when an employee is fired and ‘forgets’ to return it.

Vendors
Partial disk encryption sets aside areas of the disk to be encrypted, and/or examines content to determine by policy whether the information is sensitive. And these days, products from companies like Bluefire, Credant and Trust Digital offer extremely granular controls over what sensitive means, including encryption of all data from certain applications, data containing patterns (such as Social Security and credit card numbers) and other triggers. Whole-disk encryption encrypts everything on the disk. The arguments against this are as numerous as those for it and revolve around restoration of system files and re-provisioning without destroying all the data. Mobile Armor, PGP, Utimaco’s SafeGuard Easy and WinMagic all offer robust whole-disk encryption products.
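
A sketch of the kind of policy decision partial disk encryption makes, added here as an illustration and not taken from any of the vendors' products: a file is marked for encryption either because of the application it belongs to or because its contents match a Social Security or credit card number pattern. The protected extensions, function names and sample files are assumptions.

```python
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Hypothetical policy: files from these applications are always encrypted.
PROTECTED_EXTENSIONS = (".pst", ".qbw")


def luhn_ok(digits):
    """Luhn checksum, which real payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area, group, serial):
    """Reject ranges never issued as SSNs, which cuts false positives."""
    return (area not in ("000", "666") and area < "900"
            and group != "00" and serial != "0000")


def content_triggers(text):
    """Return the sorted pattern triggers found in a file's text."""
    found = set()
    if any(plausible_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        found.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("card")
    return sorted(found)


def encryption_decision(filename, text):
    """Partial-disk policy: encrypt by originating application or by content."""
    if filename.lower().endswith(PROTECTED_EXTENSIONS):
        return True, ["application"]
    triggers = content_triggers(text)
    return bool(triggers), triggers


# Constructed sample files (name, contents).
SAMPLES = [
    ("intake.txt", "Client SSN 123-45-6789, retainer paid."),
    ("billing.csv", "visa,4111 1111 1111 1111,approved"),
    ("parts.txt", "part no. 4111 1111 1111 1112, ref 000-12-3456"),
    ("mail.PST", ""),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(name, encryption_decision(name, body))
```

The third sample shows why a bare digit pattern is not enough: both numbers have the right shape, but one fails the Luhn checksum and the other falls in a range never issued as an SSN, so the file is left unencrypted.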

All these vendors offer controls, from basic to fairly sophisticated, to ensure that data saved to removable media of any sort is encrypted. This stops short of products from M-Systems, which place an agent on Windows machines preventing all but M-Systems hardware-encrypted USB drives from being mounted by the computer, and requires all data stored on the removable media to be encrypted; a central management system handles provisioning, remote-destruct, lost passwords and other features. Safend, GFI Software and other companies have less granular systems that provide control of all external media devices as well.

Opportunities
Compliance – in this case, compliance with best practices that result in your enterprise’s name not featuring prominently in the national media – is the key driver for these technologies, and the sky is the limit. The terabytes of data just floating around unencrypted on removable media only scratch the surface of the problem. That special report we published on mobile laptops as desktops points out that mobile laptop deployment already outpaces that of desktops. After the third loss of a laptop in a year (resulting in the compromise of at least 280,000 records), Ernst & Young is said to be looking into an enterprise-wide encryption policy. More of those will be forthcoming in the immediate future. And the mobile security vendors will try as hard as they can not to say “We told you so.”