VideoNeil Charney, director of Microsoft's .Net enterprise solutions group, says that "it's not easy or obvious how to do it, but the tools are here today. It's not a future vision." The release of Microsoft's VisualStudio.Net developing environment later this year, not to mention a stream of product announcements from other major companies, will ensure that "Web services" remains a hot buzz phrase for many months to come. Whether the availability of so many picks and shovels proves there's gold in them thar' hills, however, remains to be seen.
THE ABCS OF WEB SERVICES
XML (extensible mark-up language). This is the single most important standard for Web services, and for any application that requires structured documents to be exchanged over the Internet. It allows various components of a data stream to be properly identified and interchanged, something Web pages written in HTML can't do. "With XML, my purchase order can talk to your processing system," is how Microsoft's Neil Charney puts it.
SOAP (simple object access protocol). This standard allows applications that want to share XML-encoded data to connect with one another and initiate a transaction.
UDDI (universal description, discovery, and integration). This is a specification for Web-based registries or directories of Web services. A UDDI directory would essentially be a Yellow Pages of Web services. More than 2,000 companies have already signed on. For more information, see www.uddi.org.
COMPUTER SECURITY
Encryption Remains a Secret
Phil Zimmermann, the man who successfully battled the federal government over the issue of E-mail privacy, now faces a more formidable foe: corporate indifference. Zimmermann invented PGP (Pretty Good Privacy), an encryption program that is virtually uncrackable. The State Department spent three years rattling its legal sabers, claiming that the propagation of the code around the world (via the Internet) violated the Arms Export Control Act. Once that threat passed, Zimmermann turned his attention to private enterprise. In his darker moments, he must miss the Washington suits: they, at least, paid attention to him.
Companies have spent hundreds of millions of dollars on antivirus software and other security measures, yet almost none has bothered to encrypt E-mail. This despite the fact that it is a treasure trove of intellectual property, rich with details on new products, impending deals, executive transitions, and other critical business information. "We've had trouble getting PGP deployed in large enterprises," says Zimmermann, "even though the effects of E-mail intrusion could be devastating, beyond what any insurance coverage could compensate you for."
One problem with E-mail encryption is that it's not always easy to use. "I presumed an opponent on the level of the NSA [National Security Agency]," says Zimmermann. "But most threats aren't like that, so encryption products can be made easier to use."
Many companies are trying, including Zimmermann's current employer, Hush Communications, makers of Hushmail. Last month, Aegis Systems announced products that use "anonymous key" technology, versus the more widely known "public key" method. Most public-key systems require that a third party manage the "keys," or codes that encrypt and decrypt E- mails. The Aegis system allows a user to encrypt or decrypt a message by just hitting a button and entering a password, and the company says the password part of the process may be phased out soon. Mirapoint Inc.'s new Message Director sys-tem encrypts messages between servers, rather than desktop-to-desktop, so users don't do anything at all. In March, Tumbleweed Communications Corp., one of the market leaders, introduced software that allows IT departments to determine which E- mails should be sent over Tumbleweed's secure channel versus over the Internet. Companies are also bundling encryption with other forms of E- mail protection, such as virus-scanning software and secure archives. "One reason encryption hasn't caught on," says Bruce Schneier, co-founder and chief technical officer of Counterpane Internet Security Inc., "is because it protects mail only in transit, and that's not really where the threat is."
Determining just where the threat is, or whether it exists at all, has also hampered the acceptance of encryption. Viruses and denial-of- service attacks are conspicuous, while E-mail snooping is not, so even companies that have purchased other forms of E-mail security resist encryption. CoSine Communications Inc. signed on with Mirapoint primarily for its antivirus-scanning technology. Tony Boersma, the telecommunications company's director of IT, says that "encryption would have to approach zero cost and zero effort for us to take a look. The client-support issues pose too great a burden."
If the latest figures from the FBI Computer Security Institute survey are any indication, however, there is scarcely any aspect of computing that remains invulnerable to hackers, internal abuse, or other threats. Of the 538 companies, universities, and government agencies that responded, 64 percent said they had been the victim of some form of attack or misuse in the past 12 months. The 196 respondents willing or able to quantify their losses suffered an average $2 million in damages, double the average loss in the previous year. -- S.L.
Reader Comments» Post a comment