Blog, Security

New Blog: Security For All by Joe Webster

6 Sep , 2008  

A former co-worker and security software developer dude Joe Webster  started up his own blog, Security For All ( Joe joined StillSecure back when I was CTO and I remember he was interested in the whole blogging and podcasting thing back even then. Hey, Joe… I'm surprised it took you so long to start the blog! 🙂

Seriously, Joe's not only a sharp guy but is also dedicated to improving securty. Plus, he's a really nice guy and great keyboard/composer. So check out Joe's new Security For All blog. He has a good post up there in response to one of Joel Snyder's videocasts about Network Access Control.


Shimel Violates Cardinal Rule Of Vegas at Black Hat Conference

6 Aug , 2008  

Well, I have to say that we had a great time last night, "networking" in LasVegas at the Black Hat conference. A whole crew of us checked out the variousvendor bashes, including the Qualys and Fortify parties. You know me, I'm notone of those elitist security vendors, I just hang with the common securitypractitioner, sharing my knowledge and experiences, trying to help the overallcause for better security. But I have to say, something's gotten into AlanShimel. He's just become some kind of unrecognizable person since I saw him last(it was only a few weeks ago when he was visiting Colorado, after all.) I thinkit had to be the high gas prices, maybe that the airlines now charge you for adrink of water, or maybe the bathrooms on his airplane were converted to thecoin operated kind. It has to be something. Here's the situation I'm talkingabout…

First, Alan comes up with some wild, totally off the wall story about meborrowing his shoes to get into some Vegas club because I was wearing "Coloradocountry bumpkin" sandals. Now, I have been working in Boulder, Colorado, a lotrecently so I could see how he might mistake "Colorado Wingtips" for sandals.They go over perfectly fine on the Pearl St. mall in Boulder, after all. But, togo public with such a crazy story on his blog is clearly a violation of thefundamental code of conduct of Vegas. What's come of the well acceptedaxiom, What happens in Vegas, stays in Vegas?

Is there no trust left among security friends and former co-workers? Mylittle notebook is full of titillating Shimel stories, but do I go public withthem, tossing them around carelessly for all to read? Certainly not, and not onmy blog! Do I talk about Shimel's case of prairie dog mistaken identity andManhattan rodents, or his curiousness about air conditioning and cattle? No!Those are to remain strictly private, something only the intimate details shallbe known among Alan, myself and an unnamed source at the Gartner Group. (No,It's not Rich Mogull.)

Despite Alan's other significant contributions on his blog, flogging thelatest security vendor who writes a fluffy bunny or woefully inaccurate pressrelease, and his building up of the Black Hat Security Bloggers Network, thissituation is still one that must be dealt with, and dealt with swiftly. It isunfortunate to inform everyone of this, but I have petitioned the BlackHat security ethics committee for a formal review of Alan's conduct in thismatter. While their punishment can be very harsh (too graphic to talk about on ablog), I'm sure this matter will be dealt with swiftly and justly. I'm justrelieved to know that caning is still illegal in the U.S. (but, I'm not 100% sureabout Vegas).

In the meantime, please take with a grain of salt any further tall tales byAlan regarding other Black Hat members' actions here in Las Vegas. I wouldn'twant to see additional claims made against what has otherwise been a fine,upstanding contributing member to our security community. I'll will keep you all updated for those who follow me on Twitter.

Podcasts, Security

Podcast #”I Can’t Drive”55 – NAC Attack

20 Jun , 2008  


Welcome to podcast #55. This week Alan and I are joined by security practitioner Jenifer Jabbusch (JJ) who also blogs at Security Uncorked.

Jennifer took a real liking to 802.1X early on, became a believer, and now regularly implements 802.1X for her customers, which course has expanded into NAC as well. It was great to have her on the show so we could talk to someone who does this work regularly, rather than Alan and I who simply create the products and like to blab about implementing it.

During the podcast we talk 802.1X, NAC, the analyst’s views on NAC (JJ has some pretty blunt thoughts on this one), and a company called Rohati.

Alan and Richard Steinnon have been going at each other recently about Rohati. Just looks to me like Stiennon is back to his two favorite hobbies; ranking on NAC (because he’s still smarting about that Gartner IPS doomsday prediction), and finding any opportunity to poke Shimel in the eye with a stick. I’m amazed at how little true innovation there seems to be in the security industry these days and I have my doubts about Rohati being more than a fancy "layer 7" inline proxy-like device. Looks like another group of Cisco ejects creating a product four years ahead of Cisco’s plans so they can sell the company back to Cisco! It’s worked in the past so why not do it again. Rohati’s not something I think’s going to take the world by store, but hey, that’s why we have blogs and podcasts so we can debate this stuff.

And as usual, Alan and I are up to our crazy antics on the podcast. Thanks to JJ for putting up with it too. Enjoy the podcast and please drop us any suggestions or questions at

Icon_enclosure_music_7mp3 file

Blog, Cloud, Security

Podcast 54: A p00ned FBI network, Barracuda, vulnerable Mac,, fired TJX employee, and Sourcefire walk into a bar…

30 May , 2008  


Alan and I finally got off our duffs and recorded a podcast. Can you believe it? We have the evidence right here in our grimy little podcasting hands to prove it. But, you’ll have to listen to believe it for yourself.

In podcast #54 Alan and I are back to our old antics, and discuss:

  • How the FBI’s network easily got p00ned by a pen tester in just a few minutes, right up to the NCIC crime database
  • Hot off the presses Barracuda unsolicited (serious?) bid for Sourcefire
  • Mac’s nasty track record for security vulnerabilities (we won’t see those commercials anytime soon, will we)
  • Some new fangled service called that Alan’s all hot about
  • The ethics of security issues, or, how to get fired from TJX without really trying

Alan and I also take some time to put a plug in there for the news about the origins of Stonehenge, and NASA’s Mars Phoenix lander. We also pay homage to two greats who passed in the last few days, comedian Harvey Korman and director/actor Sidney Pollack. "That’s Headley!" Thanks for the wonderful years, guys.

Enjoy the podcast and please drop us any suggestions or questions at

Icon_enclosure_music_7mp3 file


Please Don’t Tell Me Symantec Is Your Client

30 May , 2008  

Like everyone else who’s connected with software development in one form or another, I’m constantly bombarded by various firms interested in a "partnership" to funnel some development, QA or other work to an India firm. In different jobs, I’ve frequently entertained outsourcing various kinds of work to India and have done so in a few cases. Various of my compatriots have done this too, with every kind of success and horror story you can imagine.

But one theme I’ve found consistent in almost every firm that’s contacted me is that Symantec is one of their banner clients. Symantec’s almost always one of the first companies mentioned, proudly held up making that firm legit because they’ve done work for Symantec. These days, I regularly tell callers that having Symantec as a client is not a differentiator. Everybody tells me Symantec is their client. They must hire every India outsourcing firm on the planet, well at least the ones in India. 🙂 Having a large facility in Pune also probably has a lot to do with it.

The other reason naming Symantec as your client isn’t helpful is I don’t work for companies that look much like or operate like Symantec. Entrepreneurial and startup companies have much different needs and capabilities than corporate behemoths like Symantec. Because you’ve done work for Symantec doesn’t necessarily mean your firm would be the best fit for my situation. I’d much rather hear about companies in my space, and that are closer to my size, or were and how you helped them succeed to produce more revenue.


Unbelievably Bad Web Password Security

7 May , 2008  

I was shocked today because I had two very strange but similar experiences with passwords. Both involved accounts with online web sites/services, and both involved some pretty fundamentally bad password limitations. I’m half tempted to name the sites here but elected to contact them privately about the issues. What were the issues?

Absurd limitations in user account passwords. The first site would not allow a user password longer than 10 characters. Ah… last I heard, longer passwords (to some extent) are generally better, as long as other policies like requiring caps and numbers mixed in. All of these, including password length, help against brute force attacks. The second site did not allow special characters in the password. Adding a special character here or there is another common method of making passwords more difficult to crack. I just found it strange to run into two sites with such odd password limitations.

Wikipedia has some good information on basic password security. I hope it can be of help to the sites I visited today.


It Takes a Village.. ah, actually, being there first and tons of hard work

10 Apr , 2008  

I’m proud to say my old company pulled a two out of three and wonthe SC Magazine best endpoint solution of 2008 award again at RSA. They werealso finalists in three other product categories, products all of which I canbeamingly say I had a hand in creating. What’s different about the SC Mag awardsfrom many others is these awards are voted on by the readers, both users andfollowers of what’s happening in the market. While others have suffered the percentages of the startup business, othersmarch on to live another day.

The NAC market has been a tough slog, one of those markets that’s experienceda great deal of attention and hype. None the less, products have to provethemselves, no matter how shiny and exciting they seem to be or how big theanalysts say the market will be in five years. NAC’s not an easy problem tosolve and I’m proud the StillSecure has stuck with it to continue leading themarket against heavyweights like Cisco. Frankly, this market could be all sownup if Cisco had purchased the right product several years back. (And guess whichproduct that would be, I say tongue in check. 🙂 )

I always enjoyed the claims other startup vendors would make about "beingthere first" and owning "xx" double percentages of the market, when in fact Iwas part of creating one of the first purpose-built NAC products from the groundup before NAC was even a term. The idea came from customer experience interviewsI was doing for a completely different product idea, and up popped the customerproblem that later became a NAC product. I still remember the excitement ofsharing the idea with the team. Serendipity I say.

Net-Net, congratz to my old team on the awards and the continued marketsuccesses. The award is just one of the ways to visibly see all that hard workpay off.

Cloud, Security

Security Industry Missing Ride On The Cloud

10 Apr , 2008  

CloudOne of the things I was interested to investigate at this week’s RSAconference was whether SaaS and cloud services (compute, storage, etc.) hadentered into the horizon of the security market. The answer is easy. NO. Noteven close. Security doesn’t get where the software market is headed and we needto get after it now.

There’s two perspectives to assess this from; What are security vendors doingto build products for the On Demand, SaaS and cloud computing world we arerapidly moving into? And, are security vendors moving into offerings based inthe cloud themselves? Again, with a very few exceptions this isn’t somethingthat even appears on the radar screen of RSA exhibitors.

Regarding the first question, the themes of RSA is still very much in theworld of data protection, data lose prevention, network access control, USBstorage containment, and infatuation with the latest 10 gigabit doodad appliancebox.  Maybe its too early for security in the cloud to be the issue of the day -security in the virtualized world isn’t even a topic for conversation. At leasta few smart people like The Hoff are playing virtualization MythBuster, keeping ushonest about what challenges and interesting problems need to be solved asvirtualization continues its march into data centers, storage and applications.

How about those offering their security wares via the cloud? Clearly Qualyssuffered the arrows of being an early SaaS security vendor but crazy frenchman Philippe Courtotis still riding high knowing the SaaS market is doing well within other segmentsof IT and security will eventually get there. But they are still pretty much a lone SaaS delivered security player.Another company doing SaaS delivered security products is Alertlogic, providing logmanagement, analysis, and compliance software On Demand. I spent some time withAlertlogic CTO Misha Govshteyn, someone who has been through the transition toSaaS and learned the lessons needed to scale a multi-tenant product. (Misha’s asmart guy, btw. You sooooo need to start blogging dude!)

I think Misha’s approach also shows some insight into where we’ll see SaaSenter into security – in the mid-enterprise and SME markets. Those are buyerswho don’t necessarily have access to full time security, storage or otherspecialized resources. They also are more accepting and can get over theperceived privacy concerns that surface when considering an On Demand service,especially private companies who don’t fall under SOX compliance. I stillrecall selling against Qualys and pushing the issue of your vulnerability databeing stored in the cloud – many saw the advantages and convenience from an OnDemand offering, and for yet many others it was a no-op. But mid-enterprise andSME’s adoption of On Demand software solutions could show us this is wheresecurity will make it’s first SaaS market beachhead.

As security professionals, we can’t wait for the market and vendors to catchup. We need to be creating the security dialog and debates about virtualization, on demand and cloudbased services. While Microsoft may be trumpeting the call of End-To-End Trust,trying to get the other elephants to tap dance with them, we’ve got to working ahead of the curve onthe tough problems, vocalizing the security needs while services are being created and moving intothe cloud, not after. I’m glad that Hoff, Misha and others are thinking ahead of thecurve.

Product Mgmt, Security

Zero Day Threat&My First Book Jacket Quote

29 Mar , 2008  

I’m a big believer in serendipity, karma and helping people whenever I can. A lot of people have been very gracious to me throughout my career, and I’m always looking for ways to pay it forward. That’s one of the reasons I coach entrepreneurs and enjoy starting new companies so much.

Back in 2001-2003 I started getting much more involved in the external aspects of the CTO role, working with press and analysts, writing byline articles, speaking, etc. Though I had been in a few press interviews (my first quote was in the London Financial Times in 1986 while helping with some story background), I was a huge neophyte when it came to doing media work. I received some extremely valuable coaching from Sonya Caprio at StillSecure along the way and now am pretty comfortable doing just about any media, writing and speaking work.

Early during that learning process, USAToday reporter Byron Acohido got a hold of me while researching stories about various computer security threats posed to the average computer user. This was back in the Code Red and Melissa virus days. While I’m no security researcher guru by any stretch, I’ve been working and creating security and networking products since the early ’90s, so I was able to help Byron on background, tutoring him on the various kinds of threats, how they worked and what the current and emerging threats were around the corner. Though I didn’t expect any quotes from those conversations, Byron was kind enough to quote me in 4 or 5 USAToday stories.

When I talk to press I always offer to help on background, specifically noting I have no expectations for quotes. Part of my job of course is pitching media about my companies and products when that’s the topic, but I also believe in helping people outside of my own agenda. I do this with no expectations of any payback or reciprocal quid pro quo to me. If you help people, even if they don’t return the favor directly, someone else down the line might return the favor to you. And even if the favor is never returned, that’s okay.

Helping people with the expectation of something in return isn’t helping, it’s trading. You don’t help people with a payment expected in return. You do it because it’s something you want to do. Good karma, serendipity, etc. will take care of everything else. Trading has an expectation of something in return, helping doesn’t. I’m not naive enough to believe that everyone has this philosophy — many don’t. Even with some, everything has strings attached, but that’s not me. As long as people don’t take advantage of that goodwill I’m happy to help, and if they do, it says a lot more about them and than me. I just have my own philosophy about helping others.

After my media work became more focused on the business market and Byron expanded his sources to researchers much more talented than me, we talked less frequently but still kept in touch via emails. Bryon is good about emailing his network whenever he writes a new piece, is looking for feedback or is seeking out knowledge in new areas..

A year or so ago, Byron sent out an email about a new book he and USAToday reporter Jon Swartz (who I’ve also done interviews with) were working on. Bryon has a background in investigative reporting, having won a Pulitzer Prize for beat reporting about his investigative reporting of Boeing 737 tail rudder problems and related government foul ups. Jon has also been nominated in the same Pulitzer Prize category.

Zero_day_threatI checked out Byron’s and Jon’s site they’d set up about the book, Zero Day Threat. Byron sent me an early look at some sections of the book, which I blogged about in a post last year.  Later Alan Shimel and I had Byron on the SSAATY podcast to talk about the book they were writing. Later, Bryon also offered my some sage advice to me about setting up my Converging Network LLC company and doing additional media work after leaving StillSecure.

Zero Day Threat is a fresh, unique look at how actions by financial, credit, technology companies and "the bad guys" not only put everyone at risk for identify theft, but result in a large number of identity theft victims because they fall in the margin of acceptable risk. Companies are playing lose with our identities because it’s an acceptable level of risk to them, not us. The book is available in books stores April 1, and has already started shipping through Amazon.

This week I received a copy of Zero Day Threat in the mail from Byron. I’m very to pleased to have my first book jacket quote on Byron’s and Jon’s book (see below). And I also appear in the acknowledgments, along with a very nice hand written note from Bryon inside the front cover of the book I received. The quote came from something I wote on my blog back when I reviewed some early parts of the book.

I definitely never expected or even thought I’d receiving such acknowledgments, and I’m totally honored and flattered Bryon, Jon and their editors chose to acknowledge my small contributions. I also owe a dept of gratitude to Sonya, who helped me be in a position to contribute to Byron and Jon.

What this experience says to me isn’t that "doing something good will get you quoted", but that you don’t always know the impact you have when helping someone else. My few conversations with Byron must have been much more valuable to him that I ever realized. The satisfaction I’m feeling is more about playing some small part in helping Byron and Jon be able to write their book. The quote is gravy, and really something I take as a thank you from them both.

You never know the impact you have on people. Sometimes you learn about it later, such as in this case, but most of the time you don’t. That tidbit, coaching, idea, compliment, comment in passing or something you didn’t even realize, may have had a very significant impact.

Whether my philosophy about helping others has zero, a little or a huge impact on readers, I’ll likely never know. Maybe it won’t have an impact on anyone. Whatever the result, I hope you received some enjoyment from reading about my experiences with Bryon and Jon.

Here’s my quote that appears on the Zero Day Threat book jacket:

"Rushing in to profit from online commerce and banking, financial institutions knowingly put our personal information and identities at risk — the digital-age equivalent of tobacco companies making sure cigarettes have highly addictive properties." – Mitchell Ashley, security consultant, The Converging Network

Please check out their new book and the blog at their site. I hope they are both wildly successful.

Podcasts, Security

In Eon Security Top 10 Podcasts

18 Feb , 2008  

Alan sent me an email earlier today that our SSAATY podcast episode #47 with Jeremiah Grossman and Robert Hansen (Rsnake) is listed in the Eon Security blog as one of the top 10 podcast picks.

Given the knowledge and talent of our guests on that podcast episode I have to say I’m not entirely surprised. If you haven’t heard the podcast with Jeremiah and Rsnake, check it out.