James O'Neill's Blog

October 19, 2010

Thinking about the cloud (part 1).

Filed under: Azure / Cloud Services,Exchange,Office,Real Time Collaboration — jamesone111 @ 5:49 pm

I was telling someone recently that before I joined Microsoft I spent the late 1990s running a small training company. The number of employees varied, averaging out at a dozen or so. I delivered training, did the business management, helped to win over customers and I looked after the IT. It was like doing two or three jobs.

I’ve been quite reticent about our “Business Productivity Online Service” partly because it takes a long and closely argued post to cover why, from an IT professional’s point of view, getting rid of your servers isn’t abdicating. (This is not going to be that post.) But as chance would have it I was looking at BPOS again with my old job in my thoughts. B-POS sounds like it should be something… “points of sale”, but it is Exchange, Communications Server and SharePoint provided as pay-monthly “Cloud services”.

In the training company we ran all our own IT services, but there’s no way I’d host my own web-server today: the sense of using a hosting company was clear before I left for Microsoft. The launch of BPOS gave businesses a way to get hosted Mail (Exchange), Presence & IM (OCS) and Collaboration & Document management (SharePoint) for $10 US per month – or in round numbers £80 annually – per user. Comparing that with the cost of server hardware and software and especially the time that in-house systems took up, if I were running that business today, my head would say get rid of the servers. You can mix in-house and in-cloud servers; users keep the same desktop software, which is crucial: you don’t give up Outlook to move your mailboxes to the cloud.

It needs a change of attitude to give up the server. If my head argued costs and figures, my heart might have come back with benefits like “You are master of your own destiny with the servers in-house”. But are you? Back then we couldn’t justify clustering our servers, so if hardware failed – work would stop until it was repaired. Paying for a service in a Microsoft datacentre means it runs on clustered hardware, which someone else maintains. Microsoft’s datacentre is a bigger target for attack, but the sheer scale of the operation allows investment in tiers of defence. Small businesses tend not to worry about these things until something goes wrong, and you can always tell yourself that the risk is OK if you’re getting a better service in-house. But the truth is you’re probably not getting better service. As a Microsoft employee I’m used to having access to my mail and calendar from anything that connects to the internet – laptop at home, or on the move, any PC with web access, or Sync’d to a phone. I doubt if I would have set that up for the training company but it’s part of BPOS – even to the extent of supporting iPhones and Blackberries. Getting rid of servers could not only save money but give users a better set of tools to use in their jobs – an easier thing to accept now that I don’t run servers for a business.

Now if you’ve come across the idea of the Hype Cycle (see Wikipedia if not) – I agree with Gartner that cloud technologies are somewhere near the “peak of inflated expectations” – in other words people are talking up “the cloud” beyond its true capabilities, and if things follow a normal course there will be a “trough of disillusionment” before things find their true level. I don’t buy into the idea that in the future scarcely any business will bother with keeping their own server, any more than they would generate their own electricity. Nor do I buy into the polar opposite – that very few organisations, and none with any sense, will keep critical services in the cloud – that idea seems just as implausible to me. So the truth must lie in between: the method of delivering services to users won’t change from one foregone conclusion (the in-house server) to another foregone conclusion (the service in the cloud); like so many things it will be a question of businesses asking “does it make sense to do this in-house”, and I think IT professionals will want to avoid depending on that question being answered one way.

This post originally appeared on my technet blog.

October 18, 2010

An unexpected call from a help desk? Hang up.

Filed under: Privacy,Security and Malware — jamesone111 @ 2:04 pm

My phone rang: it was my dad. Father/son combinations don’t ring to chat like mother/daughter ones do, and Dad had been having computer problems. Specifically, Excel had been crashing but managing to recover his work. Each time it had offered to send data to Microsoft and each time he had declined. Then his phone had rung and the caller said it was about the problems he was having with his computer.

To me this was immediately suspicious: there is nothing in the Microsoft reporting process which sends personal information like phone numbers. In fact when you register Windows you don’t put a phone number in, and it is not stored anywhere in the configuration of the machine. Dad doesn’t have a support contract with anyone so even if personal information were being sent I wouldn’t expect a phone call. It would need quite some call centre to manage a courtesy call every time an app crashed. The only way the caller could know that there was a problem and have his details was if something malign on the machine was telling them.
Dad assumed the caller was legitimate: he assumed they’d been given his details by Microsoft. We only give your personal information to a 3rd party if you have requested a specific service which needs us to do that, or said you were happy to be called about something specific by a partner (which is opt-in, not opt-out).
They had his confidence and things now went from bad to worse: the caller got Dad to give him remote access to the PC for 50 minutes. There’s no telling what went on in that time, but at this stage I had to assume his machine could be doing anything and everything on it was potentially compromised. Changing passwords would do no good if a key-logger had been installed.
After 50 minutes they called back and told Dad they’d removed 300 viruses from his machine (A bit of a dent for the Anti-virus software he was using, and almost certainly untrue) and signed him up for a £180 support contract which he paid by credit card. When he went to use the card… as if you couldn’t guess, it bounced.  

I told him to turn everything off and quarantine the PC. Having realised he’d been taken in, he took steps to get his credit card re-issued, and he set about changing all the passwords which might have been exposed on this machine – using a different one. He’d heard about someone whose stock portfolio had been compromised: the crook had changed address and bank details and it was only when they tried to sell everything that the broker’s system spotted something might be wrong. I had to visit, and

  • Remove the hard disk and connect it to another machine.
  • Copy all the data off, for safety.
  • Scan for malware (nothing found).
  • Roll Windows back to a checkpoint before all this occurred.
  • Re-apply updates from Windows Update since that checkpoint.
  • Replace the anti-virus he was using with Microsoft Security Essentials and let it scan the machine (nothing found).
  • Re-run the Malicious Software Removal Tool (MRT.EXE) – again nothing was found.

My father was a smart man – smarter than me if I’m honest – and although he has been retired for nearly 20 years I don’t think he has lost his wits. I spent the afternoon of that phone call moving between rage and incomprehension – how could he be so stupid. (Many readers will know the famous “Word Perfect support call” story – put that into Bing or Google if you don’t: it ends with “unplug your system and pack it up just like it was when you got it. Then take it back to the store you bought it from.” “What do I tell them?” “Tell them you’re too stupid to own a computer.”) The problem is – of course – that confidence tricksters are plausible, and anyone can fall for social engineering if it is well enough done.

It turns out that this is a scam being used by a couple of firms in India – they don’t get malware onto the machine and then call to fix it; they randomly call people and tell them they have a problem. It was a company using the name of OnlinePcCare.com who scammed my Dad. One interesting thing was they put the credit card transaction through a third party, G2S.com, and it may be that which triggered a fraud alert; the credit card company wouldn’t say. A search on Bing for “onlinePcCare +scam” finds plenty of other victims or near misses. This one from Ireland was immediately familiar: “can you start event viewer… are there any errors in the application log?” If the event log is empty, logging itself is broken. Some people recorded the scammers and have posted the call to YouTube – these come near the top in a search, and Digital toast has a selection – together with a list of other names used by these people.

Charles Arthur at The Guardian has been covering this story for a little while; see Police crack down on computer support phone scam, and Virus phone scam being run from call centres in India. His blog post Those ‘PC virus’ phone call scams: the unanswered questions is worth reading too; it confirms my finding that no malware seems to get installed, and shares my opinion that this fits the definition of obtaining money by deception. (Dad’s call to the police got a response of “here’s a crime number – we’ve got a big file on this and we’ll add you to it”.)

If you act as family tech support, do yourselves a favour. As well as pointing out that none of those nice men in Nigeria will really have a fortune which they will share, and that it is statistically nearly impossible to have a large lottery win and at the same time be unaware of entering the draw, now you need to add “no one really knows if you have a problem with your computer and calls to fix it” (you may be yelling at the computer but in cyberspace no-one can hear you scream).

You might add “If you don’t like unsolicited calls, register with the Telephone Preference Service; no reputable company will call you once you’ve registered, and any company which does call you is, by definition, not reputable.”

Postscript. While I was working on this post I got a call from OnlinePcCare. It may be one of those random things or they may be stepping up their activities.

This post originally appeared on my technet blog.
