Mike Rothman insinuated in his Security Incite blog yesterday that OEM AV vendors other than the "big brands" are licensing their engines entirely on price. That is just not the case - if it were, MSSPs would all be running Clam, or freeware.
There are three reasons why IT buyers choose technology: price, brand and performance. The appliance manufacturers and managed security service providers (MSSPs) that we work for are the industry leaders and they make their decisions based on performance. They are more than willing to pay for highly-optimized, heuristics-based engines, and superior malware databases (like those owned by Kaspersky and Authentium, the two largest in the world).
Why? Because there are significant cost-savings to be gained from implementing better technology approaches that are unrelated to the base cost per unit, or cost per event of the OEM license. These companies, many of whom run thousands of square feet of Linux or FreeBSD boxes, run very extensive technology bake-offs and often pay more to license in a particular engine because their TCO analysis shows it makes sense.
In most situations we're deployed in, our AV engine sits alongside many better-known "brands". In every one of these situations, our engine has consistently outperformed the branded offering in every one of four key respects: 1) size of memory footprint, 2) size of database, 3) event throughput, and 4) malware detection rate.
Recently, the Authentium engine not only stopped all major variants of the Warezov worm, but we stopped the Storm virus heuristically as well - without requiring an update. At a throughput rate of nearly four billion emails a week, that's a lot of money saved, and a lot of customer email sorted and delivered without delay. The big "brands" sitting right alongside our engine did not fare nearly as well - which is why they continue to pour money into branding, while we pour money into R&D.
Wednesday, January 31, 2007
Raleigh-Durham, home of Duke University, and the world's largest research facility, North Carolina's Research Triangle Park, has an enviable reputation for intellectual activity. I figured out why within five minutes of arriving: the shoeshine guy at the RDU airport codes in C.
As I took my seat up atop the shoeshine stand at RDU airport this week, with the objective of getting my shoes into presentable shape for a high-level meeting, I got into a conversation with the stall operator. The dialog went something like this:
Him: "So where'd you come in from?"
Me: "Palm Beach, Florida."
Him: "Florida. What line of business are you in?"
The guy nodded in a knowing kind of way.
Me: "You got a computer?"
Him: "Not right now. Used to have though. I used to program in Pascal."
"You were a programmer?"
"That's right. I started in Pascal, then I moved to C."
"Nah, I never was that attracted by that object-oriented stuff. Never appealed to me. Only got five pages into the manual."
"You should take it up again. Or take up C# - that stuff is drag and drop - you'd pick it up in a heartbeat".
He smiled and shrugged and kept on shining. "Maybe - got to get me a computer first". His smile said he was pretty content. He went back to work.
His friend arrived. His badge said he worked on the same stand. He was reading a newspaper. He frowned and tut-tutted and commented on what a terrible world it is when a four-year-old in the Middle East can hate her neighbors. I said something from my high chair along the lines of "the tragedy is, there's probably another four-year-old across the border that feels the same way about her."
"Which is ridiculous", I added, "because all religions come from the same father - Abraham."
The second shoeshine guy put down the paper and looked at me like I was from Mars. "I got a good heart", he said, poking himself in the chest. "You got a good heart", he said, pointing to my heart. "Two thousand years and where are we? Religions, they just want to control the Truth. We should just treat each other *nice*. That's what matters."
His friend nodded, and tapped the bottom of my shoes - the shine was done. Pascal, C, object-oriented programming, four thousand years of religion, and the Control of Truth: just another day at the RDU shoeshine stand.
WHISHER, a startup out of Spain, announced its launch today. It plans on creating the first wifi-based social network, based on what sounds to me like peer-to-peer connections that share a single connection with a hot spot.
To get this right, WHISHER is going to have to be *very* focused on security - because the kind of social connections currently advertising themselves to wireless users in public places are the kind of peers you should actively avoid. Changing the mindset from "never trust" to "always trust" is going to be a challenge.
We recently published the results of several studies of airport wireless networks conducted at Atlanta Hartsfield, New York's La Guardia, and O'Hare in Chicago that show wireless networks often advertise themselves as being something other than what they are. Google "Authentium" and "wireless" and "airports" and you'll find the news stories.
Example: Yesterday, I was sitting at Legal Seafoods at Reagan National in DC, trying to find a wireless network, when a computer-to-computer network connection advertised itself to me as "Verizon Wireless". Verizon Wireless, it wasn't. But I'm not sure the lawyer sitting next to me would have caught that.
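The check a practitioner makes before joining a network at a gate like that, as an added example that is not part of the original post or anything Authentium shipped: walk a scan result and flag ad-hoc (computer-to-computer) peers wearing a carrier's name, open access points, BSSIDs that look like software APs, and one SSID seen with conflicting security settings. The brand-name list and the scan records below are made up.

```python
"""
Triage of Wi-Fi scan results: ad-hoc peers borrowing a brand name, open access
points, locally administered BSSIDs, and SSIDs seen with conflicting security.
Example code; the brand list and scan records are constructed.
"""
from dataclasses import dataclass

# Names that legitimate carrier or venue hotspots use; an assumed short list.
BRAND_WORDS = ("verizon", "t-mobile", "attwifi", "boingo", "airport")


@dataclass
class ScanRecord:
    ssid: str
    bssid: str
    mode: str         # "infrastructure" (an access point) or "adhoc" (IBSS peer)
    encryption: str   # "none", "wep", "wpa", "wpa2"
    signal_dbm: int


def locally_administered(bssid):
    """Bit 1 of the first octet: set on IBSS BSSIDs and most software APs,
    clear on most hardware access points. A weak signal on its own."""
    return int(bssid.split(":")[0], 16) & 0x02 != 0


def triage(records):
    """Return (ssid, bssid, reason) findings for a list of ScanRecords."""
    findings = []
    for r in records:
        name = r.ssid.lower()
        if r.mode == "adhoc":
            if any(w in name for w in BRAND_WORDS):
                findings.append((r.ssid, r.bssid, "ad-hoc peer advertising a brand name"))
            else:
                findings.append((r.ssid, r.bssid, "ad-hoc peer, not an access point"))
            continue
        if r.encryption == "none":
            findings.append((r.ssid, r.bssid, "open access point: traffic readable by anyone in range"))
        if locally_administered(r.bssid):
            findings.append((r.ssid, r.bssid, "locally administered BSSID: possibly a software AP"))
    # The same SSID seen with different security settings is the classic evil-twin shape.
    by_ssid = {}
    for r in records:
        by_ssid.setdefault(r.ssid.lower(), []).append(r)
    for group in by_ssid.values():
        encs = {g.encryption for g in group}
        if len(encs) > 1:
            for g in group:
                findings.append((g.ssid, g.bssid,
                                 "SSID seen with conflicting security: " + ", ".join(sorted(encs))))
    return findings


# Constructed scan, modelled on an airport gate: one ad-hoc peer calling itself
# "Verizon Wireless", two access points named "Boingo Hotspot" that disagree on
# encryption, one open venue AP and one "Free Public WiFi" IBSS beacon.
SAMPLE_SCAN = [
    ScanRecord("Verizon Wireless", "02:1b:77:aa:bb:cc", "adhoc", "none", -55),
    ScanRecord("Terminal-Guest", "00:1a:2b:11:22:33", "infrastructure", "none", -60),
    ScanRecord("Boingo Hotspot", "00:1a:2b:44:55:66", "infrastructure", "wpa2", -70),
    ScanRecord("Boingo Hotspot", "06:1a:2b:44:55:67", "infrastructure", "none", -48),
    ScanRecord("Free Public WiFi", "02:aa:bb:cc:dd:ee", "adhoc", "none", -65),
]

if __name__ == "__main__":
    for ssid, bssid, reason in triage(SAMPLE_SCAN):
        print(f"{ssid:18} {bssid}  {reason}")
```

The ad-hoc check is the one that catches the "Verizon Wireless" peer at Legal Seafoods: a carrier does not run its hotspot as an IBSS network, so a computer-to-computer entry with that name is a laptop, not a base station. The locally-administered-BSSID test is only a hint (plenty of real access points use such addresses for virtual SSIDs), which is why it is reported as "possibly".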
No other environment is as hard for the average consumer to navigate as wireless right now. The interfaces of home networking devices remain difficult to use and way too technical for the average user, and, if my neighborhood is anything to go by, securing these home networks remains far too tough a task for the average home user to easily implement.
Not that it's impossible - all it takes is good communication. There are a number of companies starting to play in the space of "making wifi easy". We've started working with one Texas-based company, Affinegy, and plan on incorporating their easy home network setup apps into the next generation of Authentium ESP and ESP Elements. The play? Wide distribution to our ISP subscriber base, combined with a reduction in support calls for our provider partners, combined with a great set of security tools. Ease of use meets understanding meets happy customers = reduced costs and longer customer lifetimes.
I personally think the hierarchical social networking wifi idea that WHISHER plans on implementing is very cool. If they can pull this off, and keep me secure and well-informed as to the legitimacy of potential peer device connection points when I'm scouting for connections, I'll give it a try.
Sunday, January 28, 2007
Mary Landesman of About.com sent me a summary yesterday of the Conn. law regarding endangerment of minors that formed the basis of the instructions given to the jury in State vs. Amero. Moral and physical injury to a child are viewed equally under this law. With both prosecutor and judge supporting its applicability in the case, questions should be asked regarding who was actually responsible for the URLs getting in front of the kids.
There is no shortage of terrific content filtering and antispyware technologies out there. As the largest licensee of Internet content filtering and antispyware technology in the world, we get to see just about every filtering methodology there is. Bottom line: if you want to lock down a school computer and analyze and log every event, and re-image PCs automatically, you can. However, many schools face bottom-line challenges in bringing this about.
We do a lot of business with schools. Our Command/F-Prot, ESP and Foolproof Security technologies reside on millions of school desktops. I know a lot of the procurement and IT folks personally, and I can tell you the biggest issues these teams face when it comes to deploying end point or perimeter security software are "budget" and "availability of personnel/expertise". Often, school IT departments are provided with no money, no training, no personnel.
On a plane coming back to Palm Beach from California last year, I sat next to a teacher who was doing double-time as his school's IT guy, because "no one was doing it" and the school had no dedicated IT manager. He told me a story of a shipment of brand new Dells sitting under plastic in a school storeroom because no one had the time or expertise to set them up. Turns out that his school committee has a history of budgeting a lot of money for hardware, and virtually *zero* for software and service personnel. Budgeters, this is bad strategy.
I know parents are pretty upset at what happened at Kelly Middle School. But perhaps they should consider moving their inquiries upstream, and start asking why the right level of technology wasn't deployed on the computer used by Ms. Amero and her students. Parents, start with the IT manager, then move on to the principal and school budget committee, then move onto the district, then up to the State. Follow the money. See if any proposals were submitted for this kind of software, then rejected. Ask why.
Incidentally, Kelly seems to have much more IT money available (and end point security software installed) today versus December 2004. Parents, what caused this change? Why didn't Kelly Middle School's IT department deploy more protection back then?
If Julie Amero does end up in jail, it will have at least one positive effect: school teachers and IT personnel around the country are going to start demanding more money be spent on content filtering and end point protection, lest they face the same fate. And children will be better protected as a result.
Saturday, January 27, 2007
Fox News just did a live report on the Julie Amero story and they did an excellent job.
Some of the details that are now emerging - that Julie was four months pregnant at the time of her arrest, that another teacher was actually logged in at the time of the downloaded files, and that the computer in question was "totally in the clear" (i.e. not running any updated security software) are disturbing to say the least.
Upon examining both new and old code for www.hair-styles.org and www.new-hair-styles.com, the sites visited by Julie Amero back in 2004, several things are immediately obvious: neither site is a "hair design site". Both sites are obvious fronts for Russian and Ukrainian porn, hair-loss and penis-enlargement sites. Browsing these sites, it is clear that what we're looking at are the types of landing pages typically associated with malicious spyware and bot-nets.
Sure, they *look* like hair style web sites, but the style sheet is named "images/sex_style.css" and the background image lives at "http://sex.sweetmeet.ru/" and if you scroll down the page far enough you get to a penis enlargement ad that is a fixed component of the page. Want more proof this is a fake site? The ">>>" images beside the links on the left of the page link to - you guessed it - "sweetmeat.ru".
None of this is visible, by the way. It only becomes visible when you click on it. Are you guilty of malicious intent when you click on a link that has an invisible destination?
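Making those destinations visible without clicking is a matter of reading the page source rather than rendering it. The following is an added example, not code from the original post or from Authentium: it walks a page and reports every host it pulls resources from, every off-site link whose visible text does not name where it goes (the ">>>" image links above), and every resource path carrying a token that gives the real purpose away (the style sheet name above). The HTML and hostnames are constructed stand-ins for the pages described, not copies of them, and the token list is an assumption.

```python
"""
Static triage of a landing page: off-site hosts, off-site links not declared by
their visible text, and tell-tale tokens in resource paths. Example code; the
HTML below is a constructed stand-in for the pages described in the post.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SUSPICIOUS_TOKENS = ("sex", "porn", "adult", "casino", "pills")   # assumed list


class RefCollector(HTMLParser):
    """Collect (kind, absolute_url, visible_text) for every outbound reference."""

    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.refs = []
        self._anchor = None          # href and accumulated text of the open <a>

    def _abs(self, url):
        return urljoin(self.base, url.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            self.refs.append(("stylesheet", self._abs(a["href"]), ""))
        elif tag in ("img", "script", "iframe") and a.get("src"):
            self.refs.append((tag, self._abs(a["src"]), ""))
        elif tag == "a" and a.get("href"):
            self._anchor = [self._abs(a["href"]), ""]
        # url(...) inside an inline style, e.g. a body background image
        for m in re.finditer(r"url\(\s*['\"]?([^'\")\s]+)", a.get("style") or ""):
            self.refs.append(("style-url", self._abs(m.group(1)), ""))

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            href, text = self._anchor
            self.refs.append(("link", href, text.strip()))
            self._anchor = None


def host_of(url):
    return urlsplit(url).hostname or ""


def triage(html_text, base_url):
    c = RefCollector(base_url)
    c.feed(html_text)
    c.close()
    site = host_of(base_url)
    off_site_hosts = sorted({host_of(u) for _, u, _ in c.refs if host_of(u) != site})
    # Off-site links whose visible text does not name the destination: image-only
    # arrow links and innocuous text links alike.
    undeclared = [u for kind, u, text in c.refs
                  if kind == "link" and host_of(u) != site and host_of(u) not in text.lower()]
    suspicious = [u for _, u, _ in c.refs
                  if any(t in urlsplit(u).path.lower() for t in SUSPICIOUS_TOKENS)]
    return {"off_site_hosts": off_site_hosts,
            "undeclared_offsite_links": undeclared,
            "suspicious_paths": suspicious}


# Constructed page in the shape described: a "hair styles" front with a tellingly
# named style sheet, an off-site background image and image-only links outward.
SAMPLE_BASE = "http://www.hair-site.example.org/"
SAMPLE_HTML = """
<html><head><link rel="stylesheet" href="images/sex_style.css"></head>
<body style="background-image: url(http://ads.example.net/bg.gif)">
<h1>Hair Styles</h1>
<a href="http://ads.example.net/enter"><img src="images/arrow.gif"></a>
<a href="/styles/bob.html">Bob cut</a>
<a href="http://pills.example.net/">More</a>
<img src="http://ads.example.net/banner.gif">
</body></html>
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTML, SAMPLE_BASE).items():
        print(key, value)
```

Run against a saved copy of a page (feed the file contents and the URL it was fetched from), this gives the examiner the list of third-party hosts and hidden destinations in seconds, without visiting any of them. JavaScript-built links and redirects after the click are out of scope for a static pass and need a sandboxed browser.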
I could go on, but it should be clear to anyone now that the judge in this two-day case didn't want to listen to technical "hocus-pocus", the defense lawyer wasn't "on the case" (literally), and the prosecutor on this case just wanted to get a conviction and move up in life. Sound familiar? Prediction: This will end up being Connecticut's "Duke Lacrosse Team" case.
Barbara Tuchman, one of the best historians ever in my book, once wrote a great book that encompassed Troy, Vietnam, the Renaissance Popes, and the loss of America by the British called "The March of Folly". In the book, she defines folly as "the pursuit of policy contrary to self-interest". Advisers to the Connecticut Governor should advise quick action now, because the folks Fox News had on tonight are smart people, and the "folly ranking" of what is happening in Norwich is headed for the red zone - fast.
A substitute teacher in Norwich, CT is facing a sentence of *40 years in jail* because pornography appeared on a computer screen used by her and some of her students.
She says “the spyware did it”. You know what? She’s probably right.
From all the available evidence, including an excellent piece of reporting by Sunbelt Software chief and Authentium partner Alex Eckelberry, the recent conviction of Julie Amero is an appalling travesty of justice. If she gets sentenced, I’m going to sit outside and picket the jail until she’s released.
I’m tired of reading stories about misguided prosecutions like this - what’s next - reintroduction of burning at the stake? My opinion: this is misguided, politically-motivated, witch-hunting at its worst.
Fact 1: Spyware is more prevalent on school computers than any other computer systems. Why? Because they are used by large numbers of younger users, many of whom like clicking on things that adults wouldn’t find appealing - including spyware-riddled pop-ups.
Fact 2: Malware works best when it copies or co-opts user behavior. Most of the easter-egg malware is *designed* to cause the kind of behavior described. What better way to induce a user to come to a gambling or porn site than to pop up a graphic invitation based on a command to do something else? Spyware guys have used this technique for years.
Did the court hear testimony to this effect? “We analyzed the activity log and noted that there were spyware/adware programs installed on the hard drive,” computer expert W. Herbert Horner told the court. He then went on to say that he wasn’t allowed to provide full testimony.
David Smith, the prosecutor, says that he has proof that Amero visited the site. He says that she had to “physically click” through to the page. Obviously this guy doesn’t exactly have a computer science degree.
Mr. Smith: I hereby challenge you to tell between a past click action caused by installed spyware, and a click action caused by a human being, using the exact same methods you used to convict Ms. Amero. If you are able to do this consistently, I will personally donate $1000 to a charity of your choosing. If you are not able to do this, you will drop all charges. Deal?
Note: In olden days, there was a quaint legal concept that used to apply called “reasonable doubt”. If two computer experts - Alex Eckelberry and Herbert Horner - were able to ascertain that spyware a) is capable of doing this, and b) was installed on Ms. Amero’s computer, wouldn’t it be *reasonable* to assume that the pornographic images that popped up on the school computer *might* have appeared by accident?
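One of the signals an examiner actually uses to separate human clicking from an adware pop-up chain is timing. A person reading a site produces navigations seconds or minutes apart; a pop-up cascade opens several unrelated sites within a second or two of each other, faster than anyone can click. The following is an added example, not evidence from the Amero case and not code from the original post: it parses a history export and reports bursts of navigations to many distinct hosts inside a short window. The history lines, hosts and date are constructed.

```python
"""
Burst analysis over a browser history timeline: runs of navigations to several
distinct hosts within a couple of seconds, the shape of an adware pop-up chain.
Example code; SAMPLE_HISTORY is constructed, with placeholder hosts and date.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed history export, "date time url" per line.
SAMPLE_HISTORY = """\
2006-06-01 09:14:02 http://www.hair-site.example.org/
2006-06-01 09:14:40 http://www.hair-site.example.org/styles.html
2006-06-01 09:15:13 http://www.hair-site.example.org/gallery.html
2006-06-01 09:15:13 http://ads.example.net/enter.php
2006-06-01 09:15:13 http://cams.example.net/
2006-06-01 09:15:14 http://pills.example.net/
2006-06-01 09:15:14 http://casino.example.net/go
2006-06-01 09:18:30 http://www.hair-site.example.org/contact.html
"""


def parse_history(text):
    """Return [(datetime, url)] sorted by time; blank lines ignored."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, clock, url = line.split(" ", 2)
        events.append((datetime.fromisoformat(date + " " + clock), url))
    events.sort()
    return events


def find_bursts(events, window=timedelta(seconds=2), min_hosts=3):
    """Sliding window over the timeline. A burst is a run of navigations that
    all start within `window` of the first one and reach at least `min_hosts`
    distinct hosts. Returns a list of bursts, each a list of (time, url)."""
    bursts, i, n = [], 0, len(events)
    while i < n:
        j = i
        while j + 1 < n and events[j + 1][0] - events[i][0] <= window:
            j += 1
        run = events[i:j + 1]
        if len({urlsplit(u).hostname for _, u in run}) >= min_hosts:
            bursts.append(run)
            i = j + 1
        else:
            i += 1
    return bursts


def describe(burst):
    """Summarise one burst: (start time, number of navigations, sorted hosts)."""
    hosts = sorted({urlsplit(u).hostname for _, u in burst})
    return burst[0][0].isoformat(sep=" "), len(burst), hosts


if __name__ == "__main__":
    for b in find_bursts(parse_history(SAMPLE_HISTORY)):
        print(describe(b))
```

In the constructed sample the three site visits spaced 30 to 40 seconds apart look like a person; the five navigations to five hosts inside two seconds do not. A real examination would line this up against the installed-program list and the pop-up-capable adware found on the disk, which is the analysis Horner describes; timing alone says "not a hand on the mouse", not who installed what.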
Prior to this incident, I’m sure Ms. Amero had a nice, normal life. I really hope she gets it back.
Many stock market investors make investments on the basis of a single Planning, Investment and Execution (PIE) cycle. They plan their investment (i.e. study a stock, or financial instrument), then buy it, then sell it.
Venture investing is different. Information technology (IT) or biotech startups usually require multiple rounds of venture investment - usually designated in alphabetical order in reverse order of seniority of equity (i.e. Series A, Series B, Series C, and so on) - prior to a value realization event, such as a trade sale, or an IPO.
Only a very small percentage of companies exit on the basis of a single PIE cycle - even Silicon Valley darlings YouTube went through three PIE cycles (i.e. an angel round, followed by a Series A round, followed by a Series B round) before being bought by Google.
If you count all angel rounds as one, Google went through five PIE cycles - its last equity offering was Series D preferred stock before exiting. PayPal’s last round was also Series D, prior to its sale to eBay.
A single-PIE-cycle entrepreneurial “hit” is extremely rare. The most common scenario? Three to four PIE cycles, prior to exit. What is the maximum number of PIE cycles prior to value realization? US-based VOIP technology company Vonage made it through their Series E round prior to jumping onto NASDAQ (which makes six PIE cycles if you group their angel rounds into one, or seven PIE cycles if you count the funds raised through their IPO).
For first-time angel investors used to the stock market, sitting through multiple PIE cycles while waiting for an exit can be frustrating. However, most VC’s understand the “multiple PIE Cycle” paradigm, and structure deals to enable them to have preferential rights when future offerings are made.
Once an investment has been made, the firms usually keep capital in reserve to apply to these future rounds of funding - because in virtually all cases, the problem the entrepreneur set the company up to solve turns out to be much harder to solve than it first appeared (hint to first-time angel investors: virtually all technical problems turn out to be harder to solve than they first appear - structure in some warrants with your angel cash.)
The take-away lesson from this for first-in angel investors is: there are no overnight hits. Venture investment requires patience, and a tolerance of long incubation periods. The benefit is, when the entrepreneur finally solves that problem, the rewards can be great.
RSS is not yet being adopted by mainstream marketers. A new report from JupiterResearch shows just 5% of marketers use RSS in their campaigns - and just 6% of consumers have adopted it at home.
In other words, while RSS is potentially a great technology and communications medium, it has not yet taken off. To gain adoption, it will need to be “rewrapped” as a great *product* in order for the technology to really blossom. We’ve seen this movie before: the Internet, pre-www.
JupiterResearch says the challenge for marketers is that RSS is not well suited to promotional-offer-oriented content because it doesn’t offer the targeting and personalization capabilities of e-mail. Plus, over 40% of respondents said they lack the resources and experience to deploy RSS.
So what do RSS backers need to do to start turning this technology into the next killer app? Amanda Watlington’s blog offers up four bullet points for success:
* Demystify the technology so non-technical marketers can grasp the power
* Identify or develop tools that are friendly to the non-technical user
* Develop easy-to-implement solutions for use in pilot projects that will demonstrate the value
* Work with vendors for better tracking solutions — a long range project.
Okay, I’ll fess up: the impetus for this post is that a couple of our Elements guys are working on a secure RSS-based Element that achieves all four of the top bullet points. It’s pretty mindblowing, and does a great job of making RSS simple to use. I’ll blog again once we’ve shown it to a few folks.
One of my favorite press articles on Authentium came out in August 2005, on the heels of a press release announcing that our computer virus definition database had passed the 200,000 unique entry mark.
In that press release, we predicted that computer virus databases would continue to double every year, and that based on the growth of detected threats, our malware database would pass the million unique definition mark by the end of 2008.
One of the journalists at TheRegister.com took our math and extrapolated it to show that by the year 2020, there would be more computer viruses than humans. It was a great piece. At the time, we all had a good laugh - it is always nice to be noticed by The Register, and the thought that there may one day be more computer viruses than humans was certainly a little absurd.
However, since August 2005, the rate of malware production has indeed continued unabated, and is showing for the first time the influence of automated variant creation. It isn’t growing at quite the rate predicted in 2005 - rather than doubling, we are seeing a 66% per year increase - but it is also showing no signs of slowing down.
Currently, as of 20:30 EST Saturday, Jan 13th 2007, the database stands at 368,700 identified examples of malware and variants. Assuming current trends continue, within two months we will hit the 400,000 mark - which means that the number of unique computer viruses is propagating at almost exactly the same rate as Moore’s Law - i.e. every eighteen months.
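The figures in this post can be checked against each other. This is an added worked calculation, not part of the original, using the 66% per year growth rate stated above, the 368,700 count as of 13 January 2007, and 23.5 months as the gap from that date to the end of 2008:

$$
\begin{aligned}
T_{2} &= \frac{\ln 2}{\ln 1.66} \approx \frac{0.693}{0.507} \approx 1.37 \text{ years} \approx 16 \text{ months} \\[4pt]
t_{400\,000} &= \frac{\ln(400\,000 / 368\,700)}{\ln 1.66} \approx \frac{0.0815}{0.507} \approx 0.16 \text{ years} \approx 2 \text{ months} \\[4pt]
N_{\text{end of 2008}} &\approx 368\,700 \times 1.66^{23.5/12} \approx 368\,700 \times 2.70 \approx 9.9 \times 10^{5}
\end{aligned}
$$

So at 66% a year the count doubles in roughly 16 months rather than 18, the 400,000 mark falls about two months out as the post says, and the August 2005 prediction of a million definitions by the end of 2008 still lands close.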
Back in 1991, the Authentium/Frisk F-Prot Professional malware database stood at all of 200 identified threats, most of which were highly visible, but did nothing particularly malicious. It’s a different story today.
I recently reviewed the online video of Guy Kawasaki’s 2006 youth forum - the one that brought together college kids and… well, people considerably older than college kids.
There were some priceless moments during the Q&A. Several times, the camera caught the kids looking at some of the older audience members like they were looking at aliens from another planet. The expressions on the audience member faces were equally enjoyable to watch, as they tried to figure out the thoughts moving inside the brains of the seven young people lined up in front of them.
One of the most interesting responses to one of Guy’s questions involved the forum’s use of email. Guy asked each of the young panel members how much time they spent on the medium. Not everyone struggled with the answer, but one guy clearly did. In the end, he admitted that he only used email for “formal communications… like applying for a job or something.”
The audience laughed, then fell into an uneasy silence. But the deed was done: at that moment, email’s future was sealed - for me, at least. In the eyes of this young man, email was barely better than a letter with a stamp on it. In his mind, email was suited only for the *most formal* of communications.
Which brings me to the announcement today from the UK: according to the Washington Post, Britain’s second-most secret spy agency, MI5, has announced that it intends to start issuing terrorism alerts on a subscription basis, via email.
Email terrorism alerts from MI5. Upon hearing this, a kind of sad feeling seeped through my body. MI5? Email? Aren’t these guys supposed to be fitting mini-defibrillators into the glove compartments of Aston Martins? Aren’t these guys supposed to be twenty/thirty years ahead of us, when it comes to technology?
Who is going to receive these alerts - my 68-year-old auntie? Is her perimeter spam filtering appliance set to allow this to come through, or will it delete the alert because there have been too many false positives, or too many hoaxes? How will my auntie know whether the alert that tells her to seal up every crack in her house with duct tape is real, or a college prank? Is she at all aware of how incredibly easily email can be faked?
MI5 guys - terrorist activity email alerts are a *really bad idea*. Not only can they be easily faked by every prankster on the planet, they fail every basic test of security and reliability:
1. The originator cannot be authenticated
2. The message content cannot be authenticated
3. The time and size/content length of the alert cannot be trusted
4. The terrorism alert transmission infrastructure relies on power grid and communication grid survival
5. If the terrorist’s intent is to create terror, what if someone combines phishing + the MI5 brand?
Let’s imagine for a moment that all the terrorist wants to do is “create terror” (cheap), rather than “cause actual mayhem” (expensive).
What better medium could they choose than an email branded by MI5? Email is probably the most ubiquitous and trusted communications system on the planet. Most people remain unaware that not only can the sender’s domain be faked, but literally everything within an email can be faked.
Look at the phishing stats - increasing amounts of people are being fooled by logos and real-looking HTML-based emails. And now, in addition to the banks, we have the MI5 brand: By announcing that their brand has “weight”, MI5 has created a potential terrorism problem, not a potential solution.
Falsely creating and/or manipulating content in the name of MI5 is now easily within the reach of terrorists: creating a message designed to induce panic under an MI5 letterhead, creating a fake originating MI5 domain, creating a fake sender, creating an official-sounding message, and pushing “Send” - all of this could take less than five minutes.
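Both halves of that argument in working code, as an added example that is not part of the original post and not anything MI5 or Authentium published. forged_alert() shows that putting a chosen name on the From: line costs one assignment; nothing in SMTP checks it. sign_alert() and Verifier show what covering points 1 to 3 above actually takes: a key the sender holds, a signature over issuer, sequence number, timestamp and body, and subscriber-side checks for tampering, staleness and replay. The alert address, the X-Alert-* headers and a per-subscriber key provisioned at subscription time are assumptions made for the example; a real service would use a public-key signature (OpenPGP or S/MIME) so that the verifying key cannot also forge.

```python
"""
A forged alert beside a signed one. HMAC-SHA256 over canonical fields carried
in a header, with subscriber-side freshness and replay checks. Example code;
the address, headers and per-subscriber key are assumptions. Stdlib only.
"""
import hashlib
import hmac
import json
from email import message_from_string
from email.message import EmailMessage

ISSUER = "alerts@alerts.example"     # hypothetical alert service address


def forged_alert(text):
    """Anyone can produce this: nothing in SMTP checks the From: header."""
    m = EmailMessage()
    m["From"] = "Threat Alerts <%s>" % ISSUER
    m["To"] = "subscriber@example.org"
    m["Subject"] = "Threat level raised"
    m.set_content(text)
    return m.as_string()


def _canonical(issuer, seq, ts, body):
    # Same bytes on both sides: sorted-key JSON over the fields that matter.
    # The body is rstripped because set_content() appends a line ending.
    fields = {"issuer": issuer, "seq": seq, "ts": ts, "body": body.rstrip()}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_alert(key, seq, ts, body):
    """Sender side: HMAC-SHA256 over the canonical fields, carried in a header."""
    tag = hmac.new(key, _canonical(ISSUER, seq, ts, body), hashlib.sha256).hexdigest()
    m = EmailMessage()
    m["From"] = ISSUER
    m["To"] = "subscriber@example.org"
    m["Subject"] = "Threat alert %d" % seq
    m["X-Alert-Seq"] = str(seq)
    m["X-Alert-Time"] = str(ts)
    m["X-Alert-Sig"] = tag
    m.set_content(body)
    return m.as_string()


class Verifier:
    """Subscriber side: shared key, freshness window in seconds, highest sequence seen."""

    def __init__(self, key, max_age=3600):
        self.key, self.max_age, self.last_seq = key, max_age, 0

    def verify(self, raw, now):
        m = message_from_string(raw)
        try:
            seq, ts = int(m["X-Alert-Seq"]), int(m["X-Alert-Time"])
            sig = m["X-Alert-Sig"] or ""
        except (TypeError, ValueError):
            return "reject: unsigned"
        payload = m.get_payload(decode=True)
        if payload is None:                          # multipart or malformed
            return "reject: unsigned"
        body = payload.decode("utf-8", "replace")
        expect = hmac.new(self.key, _canonical(m["From"], seq, ts, body),
                          hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, sig):     # binds From:, body, seq and ts
            return "reject: bad signature"
        if abs(now - ts) > self.max_age:             # point 3: the time must be checked
            return "reject: stale"
        if seq <= self.last_seq:                     # a captured alert replayed later
            return "reject: replay"
        self.last_seq = seq
        return "ok"
```

Note what the subscriber needs in order to run Verifier at all: a key that arrived by some channel other than email, and a clock. That is the part the announcement skips over, and without it every alert is exactly as trustworthy as forged_alert() - which is to say not at all.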
Britain’s MI5 should rethink this approach. By giving their endorsement to email alerts, they are creating an uncontrollable opportunity for misuse of email by pranksters - or worse.
On Friday Jan 5th, our ESP Enterprise Manager 2.2 security software-as-a-service (SAAS) management system entered General Availability. QA reports from the field and our test labs indicate that ESP-EM is working to spec and that there are no functional bugs that warrant attention, or additional releases, prior to delivery of the next feature set.
This release is a major milestone, and not just for Authentium. Why? Because ESP Enterprise Manager represents a fundamental move away from the way network admins and CIOs have been forced to procure, configure, deploy and manage end point security software for the past fifteen years.
Currently, the typical security software procurement process involves weeks of protracted pain: internal negotiation over what to buy (brand vs. price vs. performance * number of applications required), days spent on the phone or negotiating in person with different sales reps (ditto), further days spent accumulating licenses and management and deployment technologies from multiple vendors via email, and much additional time (usually weeks) spent testing for technology conflicts.
(Note: you should hear what most security vendors say when a customer calls them regarding a system-level conflict with another vendor. It is *always* the other guy’s fault, regardless of whom you call!)
Inevitably, this pain is compounded by more: the installation of multiple versions of multiple management consoles from multiple vendors (some requiring workstations running different operating systems), multiple staged deployments to groups, punching of holes in the corporate firewall to account for multiple update locations, and retraining of help-desk staff to take into account multiple interfaces, terminologies, and multiple vendor support procedures.
Talk about pain - it was painful just writing that down. After fifteen years of experiencing that, I’m frankly amazed that there are any CIOs and network admins out there that still have their own hair.
Still, pain has its purpose. Useful inventions are almost always formed in its presence, and ESP-EM is no different. ESP Enterprise was invented to remove and/or reduce the pain points listed above. It enables vendor choice, choice of performance, and choice of price - plus the ability to buy, configure, deploy and manage applications from multiple vendors using one common management console and update server. All applications are pre-tested to ensure freedom from technology conflicts as part of our QA process.
This may sound like a commercial, but ESP-EM was designed with one objective in mind: reducing the workload involved with the above process from weeks of work to minutes. If you’re interested in trying it, there are no price barriers: ESP-EM is free. You pay only for the apps.
I was in our Network Operations Center on Friday as our IT Manager used the latest version of Authentium ESP Enterprise Manager to kick off a remote install of the FastTracker for ESP content filtering module across a subset of our network.
First, he procured the modules from the Content Filtering section of our store inside Enterprise Manager. The store then deposited the licenses into Enterprise Manager. Then he configured the settings, and kicked off the deployment.
Procurement, configuration and deployment of these client-server, enterprise-class content filtering modules to fifty remote machines took five minutes, start to finish. We had one failed deployment, because the machine was out on a sales call, but every other machine installed perfectly.
Within ten minutes of deciding to procure and deploy our modules, we were generating reports. And I can tell you, it was smiles all around - network administrators included.
Over the past fifteen months, we have helped our partners filter almost a quarter of a trillion emails for viruses.
Two investments have enabled us to do this better than the competition: our investment in scanner engine optimization (email processing speed), and our continuing drive to improve our well-respected Command Antivirus heuristics-based malware detection technologies.
When you optimize a scanning engine for speed, it enables faster processing of email. Many of our partners have literally tens of thousands of square feet of data centers filled with racks stacked with boxes running Linux or Unix, or Windows. If the antivirus software you run has a 50% advantage in speed over the competition, capital investment is reduced, and ROI is significantly increased.
When you include advanced heuristics, the system loses no time to updating, and provides improved interception rates over a longer period of time. Again, more mail can be processed using less equipment, which makes for healthier businesses, and happier end users.
Several years ago, several of our scientists and researchers embarked on these twin passions and achieved some tremendous gains in productivity. As proud as I am of them and this technology, I’m most pleased at the thought that we were able to utilize these approaches to filter over a quarter of a trillion emails for our partners.
I’ve been around a lot of small businesses in my life. Sometimes, the only thing that stands between many small business owners and the overdraft limit is “the kindness of vendors” (otherwise known as “vendor financing”.)
Which is why software-as-a-service (SAAS) matters to small business. Because if SAAS is about anything, it’s about putting the “cash” back into “cash flow”.
Imagine a business that employs 50 people at $75,000 average salary per year. That business has to come up with a payroll of $144,231 every two weeks. As a rule of thumb, total annual software costs are likely to average half a payroll: 50 people usually adds up to around 50*1.5 computing devices (including servers), depending on the industry segment. Let’s assume that the annual software bill is in the range of 75*$500=$37,500, and web-based services are approximately as much again, or $75,000 in all.
Let’s assume the business is generating $175,000 per employee, or around $8,750,000 per year. Let’s further assume the small business uses a factoring company and the cost of capturing 50% of this money early (using factoring) is 4%. 4% of $4.375m is $175,000.
In the SAAS model, you don’t have to pay the $75,000 software license fees up front, like you would have to with a software manufacturer. You can opt to pay it monthly, in service fees, across twelve months, or the length of contract. Which means rather than being $75,000 down, you get to keep that $68,750 balance *in the bank* month one - and lower your financing costs/keep that superstar software team employed - all because of SAAS.
If you’re a Not-For-Profit stuck between budget years, SAAS can work for you too - by enabling payments to be structured to span budget periods, or structured to free up vital funds for services that you need, but are not in your budget.
Wikipedia has listed a bunch of very good reasons for adopting SAAS, but my bet is that the improved availability of cash and the ability to make dollars stretch further are going to become major reasons why small businesses and government adopt SAAS in 2007.
I’m sitting in transit at Incheon airport, chowing down on spicy shrimp enchiladas, thinking about what I’ve just seen in Asia.
A lot of folks that I talk to in the US think of Asia as their “follow-on” market, to be tackled once other “more developed” markets have been conquered. I’m not sure that’s the right kind of thinking. Asians are displaying every indication that they not only want to be market leaders (and have the populations to do so), but also understand how to get there: by design.
The leadership being shown by Asian designers in the area of user interface design is palpable - and obvious on every street corner, and in every building. It doesn’t matter if it is an elevator control panel, a 3G cell phone, or a massive, border-less, “CNN Situation Room”-style video display: Asian designers continue to invent, consume and discard new interfaces at an incredible rate. Just being in Asia gives you the feeling that you’re living life at a faster pace.
One of the trends I have noticed on this trip is the move away from tactile (i.e. physical) response mechanisms to non-tactile buttons and motion-response systems, for everything from mobile phone interfaces to parking garage ticketing machines to moving walkways. The “push button” is becoming a thing of the past, and will soon become as quaint as a ringing phone. The border merely tells you where to wave your hand, or place your finger - it no longer acts to place your finger inside a mechanism with moving parts.
Moving parts. What a quaint concept. Mind you, Asian designers appear to have a grip on designs involving moving parts as well. I caught a Japanese robotics championship on NHK last night, during which all robot contenders for the crown had to jump and skip rope, multiple times in one jump. The winner managed five skips of the rope in one jump before dropping to the floor. The reason I know this is that there was a large, real-time LED display on the side of the robot.
Before I close, let me put in a plug for the “developed countries” - fuzzy though that descriptor is. I realized a few years ago during a lecture for something entirely unrelated to instrumentation and interface design that the US is the world’s leading economy not because it jumps onto every new thing soonest, but because its business leaders understand that to maximize profit, you need to empty the inventory out of the warehouse.
So here’s my plan for Asia: make certain that our software continues to be informed by Asian design qualities. Asian design is without doubt cutting edge. And then - empty the warehouse.
I was out in the Valley this week for a bunch of meetings with partners and SPs (service providers). As you can imagine, a lot of the discussions revolved around generating revenue through value-added services and the future of SPs.
A lot of SPs are betting there will be a huge market for centralized “just in time” provisioning of services, and warehousing of data, to the digital home. Some SPs, such as AOL and MSN, are betting the farm on a centralized provisioning strategy.
I’m not at all certain that the centralized SP approach will pay off. I believe the digital homes of the future may not be all that “thin”, and as a result, the real revenue opportunity may lie in on-demand utilization of “local to the ZIP code” human assets, rather than the assets of the network.
Whenever I fly into cities around the world, I am always struck by the number of swimming pools that have been installed in private homes - in many cases, just a block or two from a large public swimming facility. When I look at the amount of computing power being installed in my friends’ homes, I see the same trend. And then there are the extremes, which, given the rising wealth of the middle class, provide a glimpse of what the world will look like a few years from now.
A few years ago, I was invited to a dinner party at the home of a billionaire in Park City, Utah. The owner took me for a tour of the house, which was, of course, impressive.
The chateau was, the owner informed me, located between the equally-large mansions of two Hollywood moguls. The massive kitchen was able to cater for up to 250 guests. The winding staircase, adorned with floor-to-ceiling portraits (in oils) of my host’s three children, was carved from imported hardwood. The in-house cinema facilities included velvet-covered reclining chairs. The wine we had at dinner was… well, you get the idea.
But all that aside, what really caught my eye was the basement. The scale of the technology crammed in there, illuminated by the blinking lights of two full racks of servers, would have put many NOCs (network operations centers) to shame. Not only did he have an entire library of media assets on tap, but you could access it throughout the house without a single request ever being made to an outside service provider.
The point of this story is this - as great a customer as this guy must be for his chosen data access provider, I doubt he will ever centralize his data warehousing requirements, or maintain a single media assets provider: this guy will never be a “thin client” when it comes to provisioning service to his home. The play here is not selling the guy a fatter pipe - the play here is the money an SP can make “on demand” when the home owner suddenly smells that “model train engine” smell in his hallway and opens the basement door to find that the blinking lights in his home NOC have gone out.
Sure, it’s a different kind of revenue-generation play, but SPs already have the assets in place they need to generate revenue from this customer. The “here and now” play lies in leveraging services over network assets, including teams of roving service technicians, to provide a high quality of professional services on demand.
Of course, there is money to be made in providing secure access from the home “NOC” via VPN, and/or security apps such as continuous data backup and restore - but the real money lies in leveraging the power of the local “truck roll” to provide on-demand live support, in conjunction with a well-equipped centralized service desk.
Call it “Triple Play Plus”: Internet, telephone, television - plus support.
As predicted, fake desktop programs are starting to appear, wrapped in brands that have nothing to do with the brand’s owners, or the program’s stated intentions. This combination of “phishing” and “widget” technologies was predicted in one of my earlier blogs: Widgets, Mashups and Brand Insecurity.
Now that it’s here, we need to give this threat a name. Based on the suggestion of Ray Dickenson, our head of Products, we have decided to call this activity “phidgeting” (PHIshing using wiDGETs).
Phidgeting is not good news for computer users. Phidgeting is what happens when identity thieves deceive computer users by building programs that look like security suites, video viewers, or desktop media players - but behave like the worst kind of spyware, viruses or root kits.
This week, a fake YouTube player appeared on MySpace and was downloaded by thousands of end users. It installed the ZangoCash toolbar on target machines and included links to “yootube.com” - a site containing bogus credentials, according to our friends at WebSense in San Diego. It could have easily been so much worse - once an end user makes the “install” decision, anything is possible, including root kits of the worst kind.
Phidgeting hasn’t yet moved into the area of bogus banking or stock trading browser toolbars and tickers, but these programs are so easy to make, and the widget-making tools so readily available, we should expect these bogus, yet highly-visible programs to start popping up *very* frequently - with potentially dire consequences.
What is Authentium doing about this? Keep an eye out for ESP Elements, our new controlled widget environment. It is based in part on the patent-pending, kernel-level technology we have used to build VirtualATM. We’re in beta as of today. IMH(and totally unbiased)O, it looks awesome.
How to make sure you don’t get caught by fake widgets or “phidgeting”? Easy. Don’t download anything you can’t verify the author of, or don’t know the origin of, no matter how pretty it looks. Or wait for the ESP Elements release.
Security software sales folks often use a “higher frequency of updates” argument to get customers to buy their products. The truth is more complex - in our world, sometimes the vendors that provide the least amount of updates provide the highest levels of protection.
I spent this morning with the team in our anti-malware labs, talking about strategy and current threats. Warezov has been in the news a lot lately, so it was natural that we should touch on this threat in this meeting. When I asked how many updates had gone out to our scanning engine specific to Warezov, I was not surprised to hear that the answer was “virtually none”.
The reason for this is that the heuristic technologies we use in our anti-malware engines are really excellent. Whereas other antivirus and antimalware technology vendors are having to send out a ton of updates to deal with this threat, we are currently detecting virtually all variants of Warezov “in the wild” - using heuristics/behavior-based detection.
So while it might appear that we are not pushing out the same number of updates, we’re actually keeping our customers much safer - by providing “zero day” protection against Warezov variants “out of the box”.
Purchasers, the next time someone comes to you with a threat detection product or service, ask them how good their heuristics are. You will improve your quality of service metrics as a result. Because there is always going to be a lag between detection and protection in an update-driven model, detecting threats “in the wild” using advanced heuristics provides a potentially better level of quality of service than relying on an update-driven mechanism alone.
Over the past year, I’ve read probably a dozen white papers from folks like SurfControl, NetSweeper, and WebSense, to name just a few of the vendors, on content filtering for the enterprise or government market. Virtually all of them sell their services to these large organizations using a “productivity gain” argument. Some of the associated sites even offer calculators that allow you to type in:
“Employees” x “hours spent surfing shopping/porn/gambling/video sites” x “average salary” = “lost productivity”
I have to admit, as well as some of these guys make their arguments, I’ve never really bought it. I’ve never been able to bring myself to believe that employees would waste enough time for it to show up on a graph. Then, last week, I saw a demo install of the new Fast Data Technologies “FastTracker for ESP” module.
The Fast Data Technologies “FastTracker” reporting module includes a color-coded “tree view” report that enables an executive or HR person to view all employee surfing behavior *in real time*. It allows executives to instantly see which individual employees are spending time at “non business” sites (or worse), and click instantly through to the detail.
The minute I saw the data and clicked through to the first user color-coded in the “bad behavior” table, I was sold. About 60% of the sites showing up were ESPN and fantasy football: The time spent surfing was almost 20% of that user’s day!
Forget white papers. Content filtering and productivity should be an experiential sale. From now on I’m going to insist that our sales engineering folks travel out to customer networks, plug in ESP, and show them this report - live. I guarantee there will be some very interesting looks on the executives’ faces as they watch the demo.
Note regarding privacy when it comes to web surfing at work: we provide the tools. What is actually monitored or blocked is entirely up to the employer. All of our content filtering and compliance technology vendors - and Authentium has five of the best developers in the business as its partners on this - enable employers to create windows of “private time”, or “allowed lists of non-business sites”, such as approved news sites, health sites, child-minding sites, employee rights sites, etc. Need access to something not on the list? Talk to your employer.
We were in Toronto and Buffalo the other day, meeting with customers and technology partners. Midway between Guelph and Buffalo, still on the Canadian side of the border, something amazing happened when we stopped at a rest stop: I had my first encounter with socially-responsible graffiti.
I’m not making this up. The graffiti, scrawled in large, easy-to-read letters with a blue pen, read “Attention Daylight Drivers - Please turn on your headlights so we can see you better.”
I waited for the punchline to kick in, but it didn’t. I tried a few anagrams, then tried seeing if the first letters of each word added up to something offensive. It didn’t. As far as I can tell, what I saw was what it was - someone doing some good in the world through graffiti. Wonderful.
I caught an episode of South Park the other night which featured World of Warcraft. In the episode, the cast were gathered in a room pecking away on regular PC keyboards, yelling out keystroke combinations to each other.
I enjoyed watching it, but more for reasons of nostalgia. Because when it comes to games, I’m not sure the PC has a solid future.
The numbers show that younger users are migrating to dedicated game platforms - in large numbers. A survey on the web site of ESA, the Entertainment Software Alliance, shows that people *under* the age of 35 are 33% more likely to use a game console (i.e. 360, PS3 or Wii) than a PC to play video games.
Aside from this cost efficiency, other factors pushing this change are processing efficiencies and time efficiencies. Travel on any subway or plane virtually anywhere in the world and you’ll see a generation that is becoming increasingly efficient when it comes to utilizing computing cycles, watching content - and making purchases. It’s a generation that increasingly uses remote portable computers (e.g. the iPod or cell phone) in combination with networked, centralized servers (e.g. iTunes or Limewire) to achieve these efficiencies.
For them, a single, all-powerful computer unit doesn’t cut it. This generation uses portable devices to talk and text informally, to shop, to play games, and to listen to music ripped from “fixed” collections at home, or on remote servers. At home, or at their parents’ houses, they use larger “desktop” devices such as game consoles to render CPU-intensive, graphically-rich environments, or to occasionally manipulate databases and online profiles, download and store content, and archive communications.
Live TV on your PC? In the super-efficient world, it’s not needed. As Guy Kawasaki’s excellent forum recently demonstrated, there is no guaranteed “intersection point” for broadcast television advertisers anymore - because watching TV shows containing ads is inefficient. 18-25 year olds Tivo the programs they like, skip the commercials, and avoid email in favor of content they can view on their own terms, and communication methods that are instantaneous.
The numbers don’t lie: Cell phones and hand-held and console game units will sell about a billion units in 2006 - almost 4x the forecast number of PCs. Which leads to the question - who will buy those 250 million PCs?
I suspect the answer is - business. The 35+ group. Sure, they’re still playing ad-supported games online, but mostly, this group is *all* about business. That’s not to say they’re not looking for greater efficiency - this group is also going mobile. They’re creating Powerpoints on laptops in the back of taxis. They’re building spreadsheets in the departure lounge. They’re writing sales proposals, complete with high-resolution graphics - on the airplane.
Try doing that on a cell phone or PS3.
One of the concerns some commentators have mentioned with respect to the ongoing discussion around PatchGuard is that documenting a PatchGuard API may provide a “road map” to hackers bent on compromising Vista.
We strongly disagree. We believe withholding documentation may actually have the reverse effect - not providing documentation may actually make Vista *less* secure.
How so? Sophisticated, financially-motivated hackers make more money when their hacks last longer. Which is why they tend to seek out *undocumented* methods of compromising operating systems - because using secret (undocumented) methods further obfuscates their actions. Hackers will break Vista with or without documentation.
Which is why withholding documentation on PatchGuard hurts only potential allies. Without documentation, there can be no agreed or reliable methods of fighting these guys - of determining “good” technologies from “bad” when it comes to PatchGuard interactions, with the result that threat remediation technologies become risky to develop, and outcomes difficult to predict.
Will large public companies such as Symantec or McAfee take the risk and invest development dollars in the hope of turning a profit from an undocumented threat remediation method that Microsoft can potentially close down? I doubt it. Which begs the question: Why compromise “the good guys” if you know the hackers aren’t going to use the same tools?
To paraphrase Bruce Schneier, secrecy doesn’t necessarily lead to security. Our prediction is that sophisticated hackers will continue to break PatchGuard/KPP - regardless of whether or not Microsoft provides a documented API to PatchGuard. Without an agreed, documented method for interacting with PatchGuard, security vendors, including Microsoft, will face growing challenges when it comes to keeping Vista secure.
Our suggestion is that Microsoft provide ISVs with a documented API designed to enable authenticated interaction with PatchGuard as soon as possible, or license in the necessary technology. Confidence is a big reason why consumers buy. Fully-engaging with security vendors can only help build buyer confidence in Vista.
Occasionally, I’ll be sitting in a staff meeting listening to someone talk about achieving a small amount of value over a long period of time, and I’ll think to myself “this person just doesn’t get it.”
When you work for a dinosaur company, this is how you work - you add incremental value to your company in return for salary, basically - and if it’s well-managed, the whole dinosaur company sees an incremental increase in the value of its stock. If you’re lucky, you achieve a 2x return for your efforts over ten years.
Life at a hyper-ventilating, highly-strung, unstable startup is entirely different. At a startup, you are expected to work 25x harder for 5 times the return - in 20% of the time. Put simply, your target return is 10x growth in the value of the equity within a *two* year period from product launch. No product developed? Then it’s 10x in *5* (years).
I know what you’re thinking - it isn’t possible to work 25 times harder. I disagree. Most of the time it comes down to working 25x more efficiently (i.e. provisioning a new employee with a laptop in 1 day rather than 25 days), or 25x smarter (i.e. forcing a decision at the first meeting instead of 25th meeting), or aiming 25x higher (i.e. why sell to a company that has 1000 potential users when for the same effort you can sell to a company with 25,000 potential customers?).
Another way of reaching this goal is to develop stuff that is designed to be 25x *easier to get to market* (i.e. smarter development resource scheduling, reduced non-core features, focus on a single core benefit), or designed to be 25x *easier to use* (i.e. easier to ship, explain, market, and support).
Building a “ten-bagger” (a startup that grows 10x in value within two years) is not hard. Every month, someone comes along and shows you how it can be done - YouTube, Skype, PayPal, Google. The key is making sure the people at your startup *understand* the 10x in 2 years rule.
Because, as CEO, if your plan is 10x in 2 years, you cannot afford to work with colleagues that are thinking “2x in 10 years”. You either need to change that employee’s thinking, or change that employee - fast. “10x in 2” requires *total* commitment from everyone on the staff - and that understanding needs to extend to their spouse and family as well.
Spouses usually just want to know that you have a plan - that you intend to work hard for a fixed period of time, and be rewarded when the company’s stock grows 10x in value. So explain the “10x in 2” rule. Expand your support network. Then get out there and start working harder and smarter - 25x harder and smarter. It will be worth it.
In his thriller “The Moscow Vector”, Robert Ludlum’s villain kills his victims using a “designer virus” that triggers when it encounters the target’s DNA. While not yet common in the biological world, this form of attack is becoming increasingly prevalent in the world of computer viruses.
Targeted denial of service, or hostageware attacks, aimed at companies highly reliant on online transaction gateway availability, such as online casinos and stock-trading firms, are already well-documented. However, “one-off” designer rootkits designed to target individuals and trigger upon identifying your computer’s MAC address, IP address, email address, or other unique identifier, are now starting to emerge.
I trust that I don’t need to describe what is at stake when it comes to targeting the computer of a single high net worth person, or executive at a large corporation, with a “one off” designer rootkit.
At the recent Virus Bulletin conference in Montreal, several companies, notably Message Labs, weighed in on this issue. Specifically at risk are companies facing external enemies steeped in corporate espionage techniques. User ID-triggered malware is an ideal way for criminals or spies to steal information from a single computer - or user - without raising suspicions.
Why? Because the odds of a globally-focused manufacturer detecting and profiting from a single instance of a previously unknown virus in user space are tiny relative to the odds of them detecting (and profiting from) a major outbreak. Hackers know that the money to be made from policing this kind of specific attack is small - so small that only a locally-distributed, service-based company could possibly police this activity at a profit*.
Right now, such companies are in the minority. But this philosophical sea-change - from policing global virus outbreaks to policing targeted attacks using designer rootkits - is forcing a rethink. Enterprise and small business customers, and large network operators, are starting to move away from centralist “product in a box” manufacturers towards locally-focused Managed Security Service Providers (MSSPs).
A big part of the reason is that many MSSPs are willing to stand behind an enterprise-class, SOX-compliant, service level agreement (SLA). A second reason is that they’re able to respond locally. A third reason is that the MSSP business model is designed to enable profit through performance - a concept that most CIOs find quite refreshing.
As an industry, we’re not there yet - but take my word for it, we’re moving fast in that direction. In the meantime, if your job involves handling sensitive information related to valuable assets via a computer, consider every attachment you open and every file you download your own personal potential “Moscow Vector”: i.e. a targeted, user ID-triggered piece of malware. If you suspect an attack, call your MSSP. You might just save your company - or yourself - a lot of money.
*Note to some of the folks weighing in on the Microsoft vs. security vendors argument: the argument that security software vendors should not profit from policing the Internet or providing computer security is naive. Assets need quality protection and providing this protection is costly. Economics 101 says vendors need to grow their profits at least as fast as the criminals, or they will not be able to produce innovations at the same rate.
On Thursday, during an interview in front of an audience of Stanford students, Bill Gates chided security vendors for trying to “castrate” Vista.
Gates is being disingenuous. Vista isn’t in danger of being castrated. Microsoft customers? That’s potentially a very different story.
Many critical functions within SCADA (Supervisory Control And Data Acquisition) systems, government organizations, financial institutions, medical facilities, pharmaceutical and bio-research labs, and defense departments around the world are now performed on PCs. Huge amounts of the data manipulated in these systems are now stored on Microsoft-based servers, or in Microsoft-based databases. Virtually every government in the world now uses Microsoft as the standard operating system at the core of these critical operations.
You can remove competitive word processing innovations from these organizations, and while it can be argued that some amount of value-creation is removed as a result, the assets are not placed at risk. This is not the case when it comes to removing security options: when you remove weapons from the troops, you place assets at risk.
There isn’t a government in the world that would knowingly remove useful arms from its armory, and I suspect the more senior members of the EU’s regulatory boards understand this. They know if Microsoft manages to reduce security options by “innovating” a standard set of security applications into Vista, hackers will be able to line up against a single set of tools, and government and private assets will be made more vulnerable, not less vulnerable, for however many years/decades it takes Microsoft to solidify its defenses.
Now you might say, well it all comes down to technology performance and quality of service. Unfortunately, it doesn’t. When the IT administrator or CIO of a budget-driven organization takes a software budget upstairs for approval, the lower-cost, lesser-performance (or no cost) bundled option often wins, despite the best efforts of the person charged with asset protection and incident response. Short-term gain, long term loss of choice.
It is time for governments to look past the commercial arguments and start thinking seriously about the implications of allowing Microsoft to “go it alone” in security, as sole innovator, and sole responder. Because a wrong decision made over the course of the next 12 months could indeed result in castration - of IT consumers - in years to come.
My wife and I got married at the Plaza Hotel in New York on Saturday February 2nd, 2002.
It almost didn’t happen. Three hours before the wedding was supposed to start, I found myself the wrong side of a police line, trapped in a dinner suit and bow tie among three hundred anti-globalists demonstrating against the World Economic Forum meetings taking place in the hotel.
As the demonstrators chanted, I pushed my way through to the front and positioned myself in front of one of the NYPD riot police. “Look,” I said, pointing to my Brioni dinner suit. “I’m not a demonstrator. I’m here to get married. I just went out to get some cuff-links.”
“You have ID? A room key?” The NYPD cop said. “No,” I said. “I left them upstairs because I’ve put on ten pounds since I bought this suit and I can’t fit a playing card in any of the pockets, let alone my wallet. All I have is twenty dollars and change.”
The cop looked me up and down. I certainly didn’t look like any of the protesters. He sighed and lifted the rope.
I thanked him and ran around through the snow to the main entrance as the demonstrators kept up their chanting. A Plaza doorman in a red coat and gloves stopped me and asked me for my room key. I told him the same story, adding that we had booked the White and Gold room for our wedding. He looked me up and down and waved me up the stairs.
I dashed to the elevator, keen to ensure that the room was ready and pressed the button for the second floor. The door opened and I stepped out and walked ten feet to the White and Gold room and opened the door - and suddenly found myself face to face with the Russian President, Vladimir Putin.
He was seated at a long table with many other men and women in suits. He looked up at me like he expected me to be delivering some form of urgent news. The bodyguards looked at me wide-eyed like I was a terrorist (this was NYC, barely four months after 9/11, after all, and I was wearing a dinner suit from 007’s tailor). The nearest Russian grabbed me by the elbow and hustled me out of the room.
“I am supposed to be getting married in this room in less than two hours,” I told him in a forced whisper, as he closed the door. He stopped and scrutinized my face. Then he smiled. His shoulders dropped. The bodyguard in him relaxed.
“We will be finished soon,” he said.
“You promise?” I said.
“I promise,” he said.
I nodded and turned back to the lift, tailed by two more Russians. I got in, went and had a coffee, and came back forty minutes later to find the room full of flowers. One hour and fifteen minutes later, we were married.
Which brings me to the point of this story: none of this should have been possible. This conference should have been impregnable. The fact that it did happen is not the fault of any one individual - it just shows that the security architects of the conference did not use a coordinated Defense in Depth strategy.
Let’s examine. In an environment known to have hazards (post 9/11 New York City), two forms of perimeter security protecting some extremely important assets (world leaders) were compromised in a matter of minutes by a guy without any authorized right to access the perimeter, using a relatively easy-to-rent form of dress (a tuxedo), a well-engineered story (the wedding), and some relevant knowledge (the White and Gold room). The final form of security (let’s call Putin’s security detail the “end point security” to complete the analogy) was caught by surprise - I suspect because of the proximity of the elevator, and the fact that I looked like a waiter.
Defense in Depth is not difficult to conceive in theory, but it’s a hard thing to implement in practice. It requires layering of integrated “best of breed” technologies, and effective communication between the detection mechanisms and the reporting framework. There are very few companies that enable this, and none other that I know of that can do this “out of the box”.
Peter Laakkonen, one of the founders of F-Secure and now Kaspersky Labs’ main executive in the US, dropped by our offices to say “hi” last week. We like Kaspersky’s antivirus technology - so much so, that we just became licensees. One of the reasons we did was so we can extend the Authentium ESP platform to include multiple “best of breed” antivirus approaches. Doing this enables “Defense in Depth” - the ability to stop viruses using multiple methods and multiple databases, at different places on the network.
I’ve been in this business a long time now. So has Peter. Our firms have two of the largest malware databases in the world, and our engines are both super-efficient, professional-grade solutions. Before Peter left, we agreed that combining Authentium and Kaspersky antivirus technologies at different points on the network is a great way of enabling Defense in Depth.
When I was a kid growing up in rural Australia, there was nothing I wanted more in life than to be an American astronaut.
Sure, we had a launch base (Woomera), and even a nuclear testing site (the Outback), but Woomera was really just about giant firecrackers. Then, at around nine years old, I got my first set of glasses. I knew from reading about the astronaut program that the jig was up - back then, you couldn’t be an astronaut without 20-20 vision, a Corvette, and the ability to hold your breath for roughly ten minutes. I knew I’d have to “go private”.
My first attempt at this was a rocket made out of an irrigation pipe that my best friend Mark Mclean and I strapped to the side of my father’s wheat silo and filled with diesel fuel and gunpowder - made the old-fashioned way from ground-up saltpeter, sulphur and crushed charcoal, painstakingly ground and baked tinder-dry in my mother’s electric oven.
Unfortunately, fifteen minutes from lift-off, a farm-hand (Mark’s father) discovered the wheat silo was on its way to the moon and informed “the authorities”. The rocket was dismantled and the irrigation pipe carted back to the field. We were not allowed to explode the gunpowder.
My next attempt at getting some of my DNA into space was more successful. After realizing that normal people could get into the space business courtesy of a chance meeting with STAR TV engineer Phil Braden in Hong Kong (Phil is the co-founder of Authentium and just moved back to Hong Kong after a 12 year absence), I ended up several years later as the CEO of a genuine space company - WorldSpace Asia - with responsibility for launching a geo-stationary satellite into orbit.
Part of the reason that satellites cost tens of millions of dollars is that they undergo an enormously complex manufacturing process (casual Microsoft Project users take note: there were over 32,000 dependencies in our project). Because Alcatel was our prime contractor, most of this manufacturing took place deep underground in the French city of Toulouse in a dark lair filled with white-jacketed men and women driving electric golf carts. Upon entering, dressed in a white lab coat, hair net and gloves, I determined that this was a place that even the most discerning James Bond villain could love.
We were ushered onto carts and shown the place. The highlight of the tour was seeing “our” satellite - AsiaStar - being readied for launch outside the vibrator that would test its resilience pre-launch. I was asked to say a few words. Keeping my hairnet on, I nonetheless took off one white glove and placed a fingerprint on the outside of the satellite. “I have been waiting thirty years to get into space” I said. “I guess a fingerprint will have to do”.
My colleagues laughed, the French rocket scientists shrugged, then we all went off and welcomed in the new Beaujolais over a lunch of mussels - at midday. You have to love France.
And that is how, courtesy of a successful Ariane 4 launch of AsiaStar from Devil’s Island by the European Space Agency several months later, my DNA (albeit in fingerprint form) joined that of a select group of a handful of Apollo astronauts and Russian Soyuz cosmonauts in outer space.
This week, iDefense publicly announced to the world that antivirus firms had not yet decompiled the “secret” payload inside the Warezov worm, otherwise known as “Stration”. They basically came out and said we’ve been collectively sitting on our tails, missing the payload for weeks. This is rubbish.
As investigators at the FBI can attest, one of our researchers, Patrick Knight, actually nailed the Warezov threat weeks ago, before anyone else, literally within hours of identification. Using some really smart detective skills, he deduced that the worm indeed has a hidden purpose, and went further to decompile information from the payload that we felt could help bring the perps to justice.
As is normal for us, we called the FBI and gave them what we’d uncovered. At that time there was no public announcement regarding the fact that the Warezov/Stration worm had a sophisticated payload, so the FBI asked us to stay quiet about our discoveries. So we just updated our def files to protect our customers and otherwise kept silent.
That was weeks ago. Then yesterday, iDefense decided to come out and collectively bash the antivirus industry, us included, for not having “cracked the code” on Warezov (Stration). They took this opportunity to announce their discovery of the previously-secret payload, and mess up any chance of this international investigation going anywhere. Great job, guys.
Here’s a suggestion for a certain security firm in Virginia: Rather than beat up the entire anti-malware industry for no good reason, next time, consider making a call to the authorities when you find something. You might actually make the world a more secure place - and save yourself from the embarrassment of being called out for an inaccurate public statement.
You have to see the HBO documentary “Hacking Democracy”.
It is riveting. I did not realize that more than 80% of US elections are already carried out using electronic voting machines. I did not realize that the tabulation program is basically a simple database program running on a Windows workstation - with files that I can access right out of “My Programs”. I did not realize there is no effective security event log.
I did not realize that election staffers are taking these machines home with them (thank you NPR, for ruining my day yesterday). Most of all, I did not realize until watching this show that these things are *so* badly designed: i.e. so easy to break into and hack. The lock on the back of those voting machines isn’t remotely tamper-proof - or sealed.
Building on the previous solid work of Johns Hopkins and Princeton, the Hacking Democracy program employs Harri Hursti, the former CEO of F-Secure, a very well-respected security company based in Finland. In the program, Harri claims to find an executable hidden on the AccuVote memory card. The manufacturer denies this could have happened. I, for one, am pretty sure that if Harri says he found an executable, he found one.
What Harri does with the memory card in the next sequence is worth watching the program for by itself - as is the tearful reaction of one well-meaning official.
Folks, this is what happens when trust is placed exclusively in one organization. Cliché alert: Absolute power corrupts absolutely. Software can always be hacked, and if there are not excellent controls, and dire consequences, it *will* be hacked. Without an audit trail, and without sophisticated and open monitoring systems, democracy in America is indeed going to become compromised beyond recognition, and may eventually be destroyed (see my last post on this below for the Episode Four version of this post).
The annoying thing about this is that the fix is so easy - simply audit the code, plug in the printers, and monitor every single input to the device - every keystroke or on-screen input into the system (including logging the screen coordinates during interaction: if hackers can do this during your online banking transaction, and they can, it should be easy enough to plug this technology in here).
The question is, does anyone, other than Bill Richardson and a resourceful Erin Brockovich-like grandmother in California, care enough about the coming demise of democracy to fix it?
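The “monitor every single input” fix described above only helps if the monitoring record itself cannot be quietly edited after the fact. The following is an added example, not code from the program or from any voting-machine vendor, of the kind of tamper-evident input log a terminal could keep: every touch or key event (with its screen coordinates) is appended to a log where each entry carries a MAC over its own fields plus the previous entry’s MAC, so that editing, deleting or reordering any entry breaks the chain from that point on. The device key, the event format and the sample session are all constructed for the illustration; a real deployment would hold the key in tamper-resistant storage and pair this log with the printed record.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample key (assumption): on a real terminal this would live in
# tamper-resistant storage and never be exported with the log.
DEVICE_KEY = b"example-device-key-not-for-production"


@dataclass
class InputEvent:
    """One logged interaction: what kind of input, where on screen, when, and the chain links."""
    seq: int
    kind: str        # "touch" or "key"
    x: int           # screen coordinates of the interaction
    y: int
    timestamp: str
    detail: str      # what the UI interpreted the input as
    prev_mac: str    # MAC of the preceding entry ("genesis" for the first)
    mac: str = ""

    def payload(self) -> bytes:
        # Canonical serialisation of everything except the MAC itself.
        body = {k: v for k, v in self.__dict__.items() if k != "mac"}
        return json.dumps(body, sort_keys=True).encode()


class AuditLog:
    """Append-only, MAC-chained log of every input to the device."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries: list[InputEvent] = []

    def _mac(self, ev: InputEvent) -> str:
        return hmac.new(self.key, ev.payload(), hashlib.sha256).hexdigest()

    def append(self, kind: str, x: int, y: int, timestamp: str, detail: str) -> InputEvent:
        prev = self.entries[-1].mac if self.entries else "genesis"
        ev = InputEvent(len(self.entries), kind, x, y, timestamp, detail, prev)
        ev.mac = self._mac(ev)
        self.entries.append(ev)
        return ev

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of the first bad entry)."""
        prev = "genesis"
        for i, ev in enumerate(self.entries):
            # Sequence gaps or a wrong back-link mean an entry was removed or reordered.
            if ev.seq != i or ev.prev_mac != prev:
                return False, i
            # A wrong MAC means the entry's own fields were altered.
            if not hmac.compare_digest(self._mac(ev), ev.mac):
                return False, i
            prev = ev.mac
        return True, None


def sample_session() -> AuditLog:
    """A constructed voting session: three inputs as they would be recorded."""
    log = AuditLog(DEVICE_KEY)
    log.append("touch", 120, 340, "2006-11-07T08:01:12", "select candidate A")
    log.append("touch", 120, 410, "2006-11-07T08:01:19", "select candidate B")
    log.append("key", 0, 0, "2006-11-07T08:01:25", "cast ballot")
    return log


if __name__ == "__main__":
    log = sample_session()
    print("intact:", log.verify())
    log.entries[1].detail = "select candidate A"   # simulate an after-the-fact edit
    print("after edit:", log.verify())
```

The verifier (an auditor with the device key, or a key-holding hardware module on the device) can re-check the whole chain offline; because each MAC covers the previous one, an attacker who rewrites entry 1 would also have to recompute every later MAC, which requires the key.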
We’ve been asked several times this week to articulate what we’re doing with the Windows kernel in Vista 64 bit. For various reasons, we’re not going to get specific about what we’re doing. It is true what you’ve read - our folks are talking with the folks in Redmond about how we can move forward on this and enable a positive outcome. Stay tuned.
By the way, for an excellent overview of the APIs, the research firm Gartner has produced a concise and articulate overview. Great work, guys. For the record, it is the Windows Security Center API that was released by Microsoft - not the KPP/PatchGuard API.
One thing for sure - the focus on PatchGuard has brought with it a healthy amount of discussion. What we’re seeing on some blogs now is discussion about non-traditional approaches to security in Windows, such as controlled single-process approaches to security, which is great. This is essentially what we’re doing in VirtualATM. One of the other approaches I think has merit is what FarStone is doing regarding data backup and recovery. It is using Linux to protect Windows.
First, full disclosure - FarStone are one of Authentium’s technology partners, and we’re just about to release their RestoreIT module for ESP. I think it’s a really useful technology, which is why we’re partnering. AOL think so too - they just did a deal to distribute FarStone as well. But the bottom line is: we’re partners. If you don’t like reading non-arm’s length opinions, please stop reading here.
The approach that FarStone uses in enabling local backup and restore is that it boots your PC using Linux, and provides you with options at that moment as to continuing to boot into Windows (just push the space bar), or reverting to a saved image of the hard disk.
Although this Linux/Windows approach has been done before (MacBook anyone?), I think FarStone’s backup plan is an elegant approach, and another great example of how technical and security problems in Windows can be solved through innovative uses of non-Windows technology.
It also strikes me as being nicely secure. By temporarily booting up a PC in Linux, using code they presumably control, FarStone enables end users to make decisions that involve single-purpose use of the CPU, such as rolling back to a saved image of your hard disk from six hours in the past.
By the way, this glowing review is based on personal experience: this technology saved my bacon one night when I was mocking up a VB prototype for a meeting and experienced a crash upon debugging my program. No, I was not running VMWare at the time. After fretting for a few minutes, I remembered I was running the alpha version of RestoreIT for ESP. I rebooted, restored the image (there was one from an hour earlier), and voila - I was saved. And very happy.
I have noticed some postings from folks out there - particularly Mac users - who report that the Vista EULA may attempt not to permit such interoperability, but I can’t see how. I bought my computer. I own the Intel chip that sits inside it. If I want the CPU that I own to run Linux for a few seconds while I boot up, that’s my business.
There’s been some press the past couple of days regarding the work we’ve been doing in Vista. Let’s clear a few things up:
1. We are Microsoft’s partner. We have a close working relationship, and have had for many years.
2. We support PatchGuard 100%. Contrary to some reports, the technology that we have developed in support of our VirtualATM product does not compromise PatchGuard. Our approach leaves PatchGuard in place and fully operational. Our approach adds a *complementary* layer of security that further protects users of the Microsoft Vista operating system.
3. This is not about anti-virus (1) - our Vista 64 bit anti-virus products are fully-compliant with Microsoft’s mini-filter approach. What we want Microsoft to do is continue to certify new security innovations, such as our TSX technology, as it has always done, so we can provide better protection against financially-motivated threats. Certification would provide a path to interpreting “good” versus “bad” interactions with PatchGuard. We believe this is the best approach.
4. This is not about anti-virus (2) - this is about enabling innovative new technologies and countering new emerging threats and criminal strategies. If new security innovations are not encouraged, consumers will lose out. Competition and innovation in this area can easily be accomplished by continuing Microsoft’s tradition of vendor certification.
5. Many of the threats that we see these days are small, targeted attacks on individual companies or organizations. We believe a certification system is necessary so that non-Microsoft companies can provide these organizations with a choice of innovative approaches, specialized products, or localized services.
6. Our core concern is this - if we (the good guys) can gain access to the Vista kernel, so can sophisticated, well-financed hackers. These days, most hackers are exactly that - sophisticated and well-financed. We implore Microsoft not to “go it alone” in security. We, and other innovative ISVs, have technologies that can help protect Microsoft’s customers.
Note: This technology is not “an integrated part of the ESP platform” as has been reported, although it is possible we may make a module that includes this technology for ESP at some point in the future. The KPP interface currently exists as a standalone technology SDK designed to permit secure end-to-end transactions, currently due for release in December.
Yes, it’s true. Our engineers have developed a sophisticated capability that enables us to leave PatchGuard protection in place, except in situations where control of the kernel is needed to protect a user’s data or behavior.
One example of why we need kernel-level access: we have a product coming out in December - VirtualATM - that enables us to turn an end user’s PC into a “single process device” for the purposes of establishing a secure online banking session (hence the name “VirtualATM”). Using proprietary, patent-pending technologies, we are able to protect access to memory and network access, and shut out key-loggers, sniffers, Trojans, and virtually all forms of spyware.
Windows, by design, enables the opposite to this - Windows is designed to run all applications, all the time, virtually without limitation. However, Authentium takes the opposite approach and focuses on enabling “goodware” in the form of a single trusted process. By ensuring that only this process can access the network - and memory - we can greatly reduce the chances that usernames and or passwords will be stolen and reused.
Don’t think this is necessary? According to this article on ZDNet from Bloomberg News, eTrade and TDWaterhouse lost $22 million just last week in a sophisticated scam involving key-loggers installed on end user computers. This may just be the start of things - according to the hard-working guys in our virus lab, a majority of the threats coming into our lab (and we sifted through more than 2,100 just today) are designed for extorting money over the Internet.
In order to stop this epidemic, it is enormously important that government ensure that all security software development companies continue to partner with operating system developers. Microsoft does not have the level of technology that our company has developed and is highly unlikely to be able to provide the kind of process-control and malware-suppression technologies that online banking customers will need in the near future.
It is this need - to protect people, and their identities and their assets - that has driven our engineers to come up with their methods of controlling PatchGuard in Vista.
Note: in addition to our kernel protection technologies described above - and referenced in the announcement tonight by Microsoft, we have also separately completed development of a Microsoft-compliant anti-virus and anti-malware product for Vista 64 bit using the Microsoft mini-filter approach that is fully-compliant with Microsoft specifications.
At a recent conference, I got to ask the Prime Minister of Singapore, BG Lee Hsien Loong, a question. The question I posed was, in essence, “how did Singapore manage to rid itself of corruption after independence, and what lessons can the emerging democracies of today take away from Singapore’s experience?”.
In his answer, Prime Minister Lee gave credit to the system of government left behind by the British in 1959, and to the work of past Prime Ministers since independence, including his father, Lee Kuan Yew, for Singapore’s rise to First World status. But what he didn’t say - perhaps so as not to be rude to the British members of the audience - was how much work Singapore has done over the past fifty years to cut the red tape out of the system of bureaucracy they inherited from the British, and why this has been such an important factor in reducing corruption.
Deep down, every businessman knows that “red tape” and Third World corruption are correlated. In many Third World countries, control of the red tape is a “gravy train”. Want a business license? Pay up. Need a telephone connected? Money, please. Need capital to start a business? Kick me back a percentage of the profits.
In First World countries, such as Singapore, or the US, it is the *ease* of doing business, virtually universal access to capital, and the corresponding *speed* of wealth creation that enables these countries to prosper, and corruption to be controlled - not anything else. Because in countries where wealth can be created legally and fast, corruption doesn’t stand a chance.
In his highly-readable book “Hackers and Painters”, author Paul Graham shows that if an intelligent person is able to earn money through business faster than they can through criminal activities, they will choose to go into business, rather than pursue corrupt or illegal activities. He successfully articulates the view that “speed of doing business” is probably the most critical factor that drives a country’s success as a business destination.
According to Graham, in too many countries, “the fastest way to obtain wealth is to steal it”. However in so-called First World societies, the opposite is generally true. In Singapore or Silicon Valley, you can obtain fabulous levels of wealth much faster by creating assets legitimately - such as Google ($130b), YouTube ($1.6b) or MySpace ($0.5b), using available education and private capital - than you can by theft, or corruption. And in these places, sophisticated safeguards make it hard for criminals to accumulate meaningful amounts of wealth via corrupt activities.
You can see the results today in places where corruption is low, and trust is high - like Singapore. Singapore is experiencing an explosion in private banking activities - the result of wealth-creation on an unprecedented scale. The capital entrusted to these private banks will undoubtedly find its way back into the Singapore economy and the country will continue its cycle of growth. If only other countries would take note - when corruption is relegated to the back seat in terms of wealth-creation, it is possible to establish a permanent cycle of growth.
It isn’t only about speed - universal access is another important factor. Singapore, like the United States, is one of the few places on Earth where pretty-much anyone in society has a chance at becoming wealthy - relatively fast. As in the US, in Singapore, you can initiate all the actions essential to creating wealth - finding investors, forming companies, creating teams of educated employees, building assets, moving inventory and information between markets, and taking your company public - with respect for the genuinely disadvantaged, all most people need is the will.
Note: In the past ninety days, we’ve expanded our worldwide operations significantly, both through wholly-owned offices and reseller relationships. We’ve chosen countries that have fast-growing economies friendly to entrepreneurs - Australia, Hong Kong, Singapore, South Africa, the United Arab Emirates, the United Kingdom. In each one of these places, we have not encountered corruption at any level. We have been able to register a company and get our operations up and running in less than a week.
In every one of these countries, our business development employees didn’t need to wait for a visa to get in (China and India, please take note), and we didn’t need to wait long on licenses, either. In each location, we got the strong feeling these governments understand that “speed of doing business” and “trust in the system” are the essential ingredients of wealth creation - and eradicating corruption.
Robert Kennedy Jr’s recent article in Rolling Stone magazine, coming on the heels of a report out of Princeton University questioning the defensibility of the Diebold electronic Accuvote-TS voting machine, has once again thrust electronic voting into the public eye.
While reading Rolling Stone, I learned that Robert Kennedy Jr believes that the Diebold machines may have cost the Democrats the Ohio 2004 election. Based on analysis by statisticians, he believes that Diebold significantly influenced the outcome of elections in Florida during the same period.
Now, this is the first time I’ve read Rolling Stone in years, and I’ll be honest, while I enjoyed the Jack Nicholson article, I didn’t entirely buy the article on Diebold. After reading it, and after viewing Diebold’s rebuttal of the article on their web site (in which Diebold makes the rather damning counter-claim that “zero” Accuvote-TS machines were deployed in the state of Ohio and the three Florida counties mentioned during the 2004 election), I found myself less concerned with what is going on *right now*, compared to what *might* happen in a theoretical future, once electronic voting becomes the dominant method of voting.
I found myself musing on the future of machine-aided democracy - and our ability to safeguard our rights in the face of unauditable election results, potential software vulnerabilities, and power-hungry politicians - or combinations thereof. Because one possible outcome of a software-based, non-auditable system that lacks strong centralized control and oversight capabilities is “Terminator”-style governance, or “technofascism”: government by the man that owns the machines.
A quick recap: In the technofascist future depicted in Terminator 3, a network of machines (SkyNet), backed initially by an evil entrepreneur, has coopted governance of human decisions and assets (including most of the better-looking weapons of the day) and is preparing the rest of the humans to face their “Judgement Day”.
Only a small band of human rebels living “off the grid”, disconnected from the SkyNet network controlled by the machines, remain undetected and functional. Protected by anonymity (and a Cyborg 101 “whistle-blower” from the future), they battle the SkyNet machines and eventually destroy the machines by attacking their central command and control infrastructure. Humanity is saved, along with the rights of the individual.
In the curious world of electronic voting, a “prequel” version of this story is emerging. This story doesn’t end with “Judgement Day”, it starts with “Election Day”. Instead of humans living “off the grid” in order to avoid being “controlled”, it’s the machines that are “off the grid” and unaudited - their operating systems (and patches, and backers) invisible to the voters, and in some instances, invisible even to government.
In this movie, rather than the humans, it is the machines that emerge the winners - because, by avoiding the auditors and other controlling mechanisms, and removing the traditional “ink and paper” checks and balances, the machines are in a position to erode the centralized command and control infrastructure of the humans, and render democracy “invisible”, resulting in a technofascist government run by the man that owns the machines.
Okay, stop the melodrama, I hear you say. This story just isn’t plausible. No men, nor any amount of machines they control, will *ever* be in a position to take control over America’s vast weapons cache, natural resources, market-leading economy, 300 million people, and $52 trillion in household wealth (Forbes). Write a useful post next time - because this will never happen.
My answer to this, is: you’re almost certainly right. There will probably never come a day when a group of businessmen, fueled by lust for money or political power, will use billions of dollars to corner a market, then take over a system by 1) coopting a previously-trusted central authority, 2) walking around the audit mechanisms, and 3) exploiting hidden systems, including backdoors built into well-distributed software and operating systems.
None of that is ever likely to happen.
Yes, desktop widgets and web service mashups are fun things to create and own. Yes, they probably are the future of desktop user interactions, and Microsoft may well end up as “middleware”, no matter how sexy Vista turns out to be. But watch out - the widget party is about to turn nasty.
Up until now, the creators of computer malware, including viruses, Trojans and spyware, have usually stuck to a strategy of hiding their code inside “trustworthy” documents or applications, such as Microsoft Word or Excel documents, or within an email purporting to be from a trusted party.
Things are changing. Readily-available widget and gadget-making engines are now making it possible for *anyone*, including an experienced hacker or phishing scammer, to create a slick-looking downloadable desktop application, slap a trusted brand on it, distribute it via one of the large, social-networking sites to millions of people, and start doing “bad things” to their data.
Don’t think this is an issue? Download any of the freely-available widget creation tools and see how long it takes you to create a slick-looking, desktop application with a web browser embedded in it. Pretty fast, right? Now download and embed the logo of a leading brand in that application, so that it looks “trustworthy”. Now put your app up at a social network site frequented by millions of users. Now use standard social engineering techniques to convince someone to click a button on your app or in the app’s browser that will take them to a bogus site that you’ve created (free apps that promise to fix your computer by removing spyware, or games that allow you to win large amounts of money online are proven converters), … and, voila.
Why is this so easy? Because, once again, we’re witnessing the emergence of a wave of new, disruptive technologies created by good guys, that will very soon be coopted by the bad guys. Once again, the good guys will have to scramble because they didn’t think the bad guys would think “bad thoughts” - and use their good technology for evil.
But there’s more to it than that. Brands are under attack. And, as evidenced by the rising wave of sophisticated phishing attacks, brands are becoming *very* easy to manipulate (especially now that the “phishers” are learning to spell and use correct grammar). What I believe we are about to see is the slow but steady emergence of bogus, branded, desktop apps (and browser toolbars), based on a wide range of emerging widget, gadget and mashup development tools and the same proven social engineering rules that the phishing guys like to try and fool us with - interesting content/functionality, allied with a trusted brand.
Expect to see lots of leading brands (including many from the financial space), some extremely tasty interfaces - and lots of stories involving compromised data. And expect to see lots of headlines. Because unless we start seeing some industry-standardized moves towards widget authentication, and start pushing for adoption on a habit-forming level, the coming wave of non-secure, branded desktop widgets and mashups is going to make us long for the old days, where all we had to worry about were Macro viruses.
Note: Please don’t think that I’m giving any black hats any “ideas” here: people far far smarter than me are already hard at work on this stuff. I get to talk with a lot of financial institutions in my job, and hacking for financial gain is exploding as a business, and, according to the FBI and CSI reports, it is responsible for more than 50% of all malware, and receiving tremendous backing from organized crime syndicates. You think slick-looking emails are a concern? Wait until we have to deal with slick-looking *desktop applications* that look and feel exactly like the real thing.
There is some good news out there. This week, Yahoo started pushing its BBAuth (Browser Based Authentication) system, which at least provides Yahoo widget developers with the ability to authenticate users, and user data (with their permission). But this is just one side of the story - and with new widget and mashup development shops popping up everyday, this is one subject that you can expect to see a lot more entries on over the coming months.
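The “widget authentication” the post calls for comes down to one question a widget engine should answer before it renders anything: does this package really come from the publisher whose brand it carries, and is it unmodified? The following is an added example, not code from Yahoo, BBAuth or any widget engine, showing the shape of such a check: a manifest lists the SHA-256 hash of every file in the package and the manifest is signed by the publisher; the engine refuses unsigned packages, packages whose manifest signature fails, and packages where any file (for instance the HTML that carries the login link) differs from what was signed. The package contents, the publisher key and the HMAC used as a stand-in for the publisher’s signature are all assumptions made for the illustration; a real scheme would use the publisher’s asymmetric signing key so that the verifier never holds a secret.

```python
import hashlib
import hmac
import json

# Assumption: stand-in for the publisher's signing key. A real scheme would use
# an asymmetric key pair so the widget engine only needs the public half.
PUBLISHER_KEY = b"constructed-publisher-key-not-for-production"


def build_manifest(files: dict) -> dict:
    """List every file in the package with its SHA-256 hash."""
    return {"files": {name: hashlib.sha256(data).hexdigest()
                      for name, data in sorted(files.items())}}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Sign the canonical (sorted-key JSON) form of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_widget(files: dict, manifest: dict, signature, key: bytes):
    """Return (accepted, reason). A brand logo inside the files proves nothing;
    only the signed manifest ties the package to the publisher."""
    if signature is None:
        return False, "unsigned package"
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature invalid"
    listed = manifest["files"]
    # Extra or missing files are as suspicious as altered ones.
    if set(listed) != set(files):
        return False, "file set differs from manifest"
    for name, data in files.items():
        if hashlib.sha256(data).hexdigest() != listed[name]:
            return False, f"hash mismatch: {name}"
    return True, "ok"


# Constructed sample package: a genuine widget as shipped by its publisher.
GENUINE = {
    "widget.html": b"<img src='logo.png'><a href='https://bank.example/login'>Log in</a>",
    "logo.png": b"\x89PNG constructed placeholder bytes",
}
MANIFEST = build_manifest(GENUINE)
SIGNATURE = sign_manifest(MANIFEST, PUBLISHER_KEY)


def tampered_copy() -> dict:
    """Same logo, same look, but the login link now points somewhere else."""
    files = dict(GENUINE)
    files["widget.html"] = b"<img src='logo.png'><a href='https://bank-login.example.net/'>Log in</a>"
    return files


def padded_copy() -> dict:
    """Genuine files plus an extra script the publisher never signed."""
    files = dict(GENUINE)
    files["extra.js"] = b"// constructed unsigned addition"
    return files


if __name__ == "__main__":
    print(verify_widget(GENUINE, MANIFEST, SIGNATURE, PUBLISHER_KEY))
    print(verify_widget(tampered_copy(), MANIFEST, SIGNATURE, PUBLISHER_KEY))
    print(verify_widget(GENUINE, MANIFEST, None, PUBLISHER_KEY))
```

The order of the checks matters: the signature is verified before any file hash is consulted, so an attacker cannot simply ship a fresh manifest that matches their modified files, and the file-set comparison catches additions that a per-file loop over the manifest alone would miss.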
A few years back, my wife and I went to visit Vietnam. One of the more interesting stops on this fascinating trip was a visit to the Cu-Chi Tunnels - a network of hand-dug caves that formed part of a materiel and personnel supply chain that ran the length of the country during the Vietnam war. Inside the caves were dining halls, sleeping compartments, munitions stores - even a hospital. Pieces of the cotton ceiling of what was once the operating theater of the surgery were still visible. But that wasn’t what stayed with me.
During the tour, the tour guide, a gruff, ex-Viet Cong colonel, took us to see some of the craters left by the visiting B-52s. Despite years of tropical rain, the craters were still immense - I went down inside one and the resulting photo shows me standing in a crater at least twice as high as myself. Because there were many of these craters spaced closely together, I asked the colonel how it was possible that any of the local population had survived these attacks.
“Simple”, he replied, pointing to his watch. “Every day, they come at the same time. Every day, exactly. Because of this, we know. So we hide,” he said, pointing to the tunnel entrance.
Which brings me to Patch Tuesday.
If you’ve not heard of Patch Tuesday, this is the one day every month that Microsoft releases patches for its operating system and applications. Like lots of policies, Patch Tuesday was created by Microsoft for what seemed at the time to be sensible reasons - i.e. to enable administrators to plan in advance for patch releases and more easily manage their IT resources against a timeline.
Unfortunately, when you create a timeline for the good guys, you create a timeline for the bad guys as well. It is hard for me to believe that hackers, especially of the financially-motivated persuasion, would not be timing their own “product release schedules” around Patch Tuesday. And, after asking around this week, it seemed that there is at least anecdotal evidence that they are doing so.
So where does this leave us? As we all know, Microsoft is moving into antivirus vendor territory - and is starting to compete with traditional vendors, many of whom have labs that are dedicated to issuing virus definition updates - and application patches - often at a rate of several times per day (certainly Authentium, F-Secure and Kaspersky can back up that claim). If Microsoft is going to gain our respect about being serious on security, “Patch Tuesday” needs to be consigned to history.
There is evidence that this might be happening - slowly. Microsoft’s recent “non-Patch Tuesday” release of Security Advisory MS06-055 may signal a new trend. If so, this is a move in the right direction. Allowing hackers to “look at their watches”, plan their “product” releases, and target business and consumer devices for a full month between Patch Tuesdays is *not* a good policy when it comes to winning a battle - just ask the colonel.
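To put a number on the “full month between Patch Tuesdays” argument, here is an added example (not from Microsoft or any vendor) that computes the scheduled patch day, the second Tuesday of each month, and from it the number of days a publicly disclosed vulnerability would wait for the next scheduled release if no out-of-band update like MS06-055 were issued. The disclosure dates passed in are constructed for the illustration; the second-Tuesday rule is the published Patch Tuesday schedule.

```python
from datetime import date, timedelta


def second_tuesday(year: int, month: int) -> date:
    """Patch Tuesday: the second Tuesday of the given month."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, so Tuesday == 1.
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def next_patch_tuesday(disclosed: date) -> date:
    """First scheduled patch day strictly after the disclosure date."""
    candidate = second_tuesday(disclosed.year, disclosed.month)
    if disclosed < candidate:
        return candidate
    # Roll over into the following month (and year, if needed).
    year, month = (disclosed.year + 1, 1) if disclosed.month == 12 else (disclosed.year, disclosed.month + 1)
    return second_tuesday(year, month)


def exposure_days(disclosed: date) -> int:
    """Days between public disclosure and the next scheduled patch day."""
    return (next_patch_tuesday(disclosed) - disclosed).days


def longest_gap(year: int) -> int:
    """Longest interval, in days, between consecutive Patch Tuesdays within a year."""
    days = [second_tuesday(year, m) for m in range(1, 13)]
    return max((b - a).days for a, b in zip(days, days[1:]))


if __name__ == "__main__":
    # Constructed disclosure dates around the MS06-055 period mentioned in the post.
    for d in (date(2006, 9, 13), date(2006, 9, 26)):
        print(d, "->", next_patch_tuesday(d), exposure_days(d), "days")
    print("longest 2006 gap:", longest_gap(2006), "days")
```

A disclosure the day after a Patch Tuesday waits nearly four weeks for the next scheduled release, and because months vary in length the gap between two consecutive Patch Tuesdays is sometimes five weeks rather than four; that is the window an attacker who “looks at his watch” is counting on, and what an out-of-band release shortens.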