Security

Dawn of Vista

30 Nov, 2006

Today welcomes Vista to market, at least for the businesses that have early access to Vista (those with volume purchase agreements, or small businesses willing to buy 5 or more copies). The mass market will have to wait until January to get Vista. Those buying a new PC aren’t left out in the cold, as Microsoft offers an Express Upgrade program, either free or at a cost depending on which Vista upgrade path you choose. IPv6, kernel protection, whole disk encryption, IE 7 enhancements, etc.: many new security features.

Expect many vulnerability reports about the Vista release in the coming months. Most will say it’s news that new security problems are found and security issues are fixed in patches. And yes, of course we want to know about them, but when they say it’s big news, we all knew to expect it. Most of it won’t really be as big a deal as it’s made out to be. Just as happened with Firefox 2.0, Mac OS X 10, WinXP, etc.

So, let the Vista upgrades and security vulnerability reports begin!

Uncategorized

Trust and Truth

30 Nov, 2006

I was fortunate to receive some great feedback and dialog regarding my post yesterday on the Conflicts of Interests, analysts and integrity issues.

Before I get started, I did some more research and I need to make a correction. Vendors, including those who do not pay anything, can request as many briefing meetings with Gartner as they wish. The difference is that if you are not a paying vendor then the briefing is one way; they listen but do not provide any feedback. You must pay to receive that or to get advice and analysis. I do know that some other large analyst firms limit free vendor briefings to one or two per year. Paying more gets you more access. So I wanted to correct what I said in my earlier blog entry. Thanks to my PR department for confirming this for me.

I also had some very interesting exchanges with the analyst community about my post as well. I’ve included some comments from some of those conversations.

“Analysts tend to develop an almost anti-vendor sentiment due to the extensive attempts to influence.”

You don’t have to listen too hard to pick up a sense of disdain (delivered professionally, of course) at times from analysts about vendors. That shouldn’t be news to anyone. Obviously, vendors (whether paying the analyst or not) are going to do their best to spin things in the most favorable light possible. Of course, maintaining your credibility with the analyst is going to be a challenge given how much over-spin is chucked at them. But getting exposure of your company to the analysts is a necessity, and just like selling products to customers, vendors have to sell their story to the analysts. They can’t write about you if they don’t know about you.

“Yes, the more you’re in someone’s face the more they’ll remember you, but good analysts never trust anything a vendor tells them. Even when it’s from someone they like.”

This makes sense to a point. If you don’t believe anything the vendor is saying in a briefing, then that doesn’t help anyone. But the point here is that analysts must maintain a very healthy dose of skepticism in addition to their finely honed spin filters. We all understand that; I just hope that they believe at least some of what we say, lol.

So what’s the best way for vendors to communicate with an analyst?

“I like to say the best way to influence me is to be open and honest, and make good products that customers tell me work.”

“To tell the truth, honesty tends to influence me because I often (rightly or not) assume that’s also how they deal with their customers.”

For me, what all this really boils down to is two things: what customers say about you, and vendors being straight with analysts. Yes, we have to sell them, but they hear spin all day every day. Give it to them straight. Your customers will. 🙂

Uncategorized

Conflicts of Interests

29 Nov, 2006

Analysts, their career changes, and their integrity are all the rage this week in the security blogosphere. I guess that’s what happens when it’s a slow week in security, lol. Anyway, Thomas Ptacek at Matasano sparked up a firestorm about Amrit Williams/Gartner heading to BigFix and Richard Stiennon/IT-Harvest + Gartner going to Fortinet. In addition to numerous comments on Thomas’ blog, Mike Rothman, Chris Hoff, and Alan Shimel (and I’m sure others that I’ve missed) have all chimed in. Alan spins a circular yarn (with some sexual overtones) that eventually lands back in the customer’s lap. (Maybe a lap dance metaphor would have worked there, Alan, lol, but I digress.)

The analyst/vendor/customer relationship is a convoluted one which has its share of conflicted interests. What’s interesting is that no one really talks about this openly. I’m always amazed when some IT pup pipes up and says "but the analysts are independent, they’re not biased". Oh grasshopper, everyone is biased. You just have to follow the money trail. Analysts have a delicate balance to achieve.

Most analysts, such as Big G, are paid by their customers. I know, I’ve been some of those large customers. (IDC is an exception because they are paid by vendors.) But they are also paid by vendors, to a lesser extent. (And I’ve been on that side of it too, like now.) As a vendor you can get one free briefing a year with Big G. To get more, you pay more. The benefit of paying more is that you not only can pitch them on your latest vendor news but can also bring your questions as a vendor to the analyst. They are talking to customers all the time, and most importantly, customers are asking the analysts questions. There’s valuable insight there for vendors. Paying more to the analysts gets vendors more access. Does it mean they will now write about you? Will it be positive? Well, it’s not a one-to-one direct correlation, but it’s safe to say the more they know about you, the more likely you’ll appear in their writings, positive or negative. Frankly, customers asking the analysts about the vendor carries a lot of weight too. But it is a pretty good bet that money gets you access and visibility. So let’s call it what it is: whether direct or indirect, we’re talking paid influence. It’s not under the table, just under the radar. It is what it is.

I think some interesting and unavoidable conflicts arise when analysts move back into vendor-land. (Now which is the dark side again? lol) Analysts leave with a head full of knowledge about competitors: their plans, how they view the market, effectiveness of marketing on customers, customer views and feedback, etc. It’s unavoidable. And frankly, that’s a big coup for the hiring vendor. Amrit claimed in the podcast we recorded last night that that information is only valuable for 3 months at most. And Alan agreed in his post today. (What? Alan agreed?)

One word: BULL! I don’t believe that. You mean vendors shift their strategies and turn over their products every three months? Maybe after a year or so the information is old enough that it has little use. But if you didn’t capitalize on it within the first six months then the people that hired away the analyst are idiots. (And you are for going there.)

So it’s a game that has plenty of conflicted interests. Most know it, many naively ignore it. What’s funny in this situation is that I think Thomas was just poking a fun jab at a friend but it opened a nascent issue worthy of discussion.

Uncategorized

Microsoft podcast

28 Nov, 2006

Are you here for the Microsoft podcast with Amrith Krishnan on Microsoft NAP? You can find it a few entries down (you’ll see the microphone) or just click here. Previous podcasts can be found in the right-hand column of my blog or at www.clickcaster.com/ss.

The interview with Amrith is about 10-15 minutes into the podcast. Amrith has a lot of interesting things to say about NAP that we haven’t heard previously from Microsoft, including very strongly positioning NAP as a multi-vendor approach (vs. Microsoft only) and also some pretty strong hints about TCG/TNC support. We can also expect to see a significant presence by Microsoft at security and networking events in ’07. Enjoy the podcast.

While you are here take a look around and feel free to send along any questions or comments to me at mashley@stillescure.com. And please subscribe to the blog and/or the podcast.

If you haven’t already, check out Alan Shimel’s blog (my blogging and podcasting buddy, and fellow StillSecure co-founder) at www.stillsecureafteralltheseyears.com.

Thanks for stopping by!

Security

The second French revolution

27 Nov, 2006

Do you speak French? No problem. Let me introduce my friend, Linux.

It may be 2006, but there’s another revolution in France, this time within the French parliament (albeit a small revolution in this case). They are boycotting Windows in favor of open source Linux and OpenOffice for 1,154 desktop computers of parliamentary members. Is this to avoid the upgrade to Vista, save money, or just to send a perfunctory slap in the face to an American company with a world monopoly? (Shake your head yes.)

We’ll see more of this with the onset of Vista. It certainly creates an opportunity to ask whether it makes sense to budget and spend money on Vista upgrades in ’07, and the years to come, or to consider an open source alternative.

So there’s only one question for the French parliament: which distro of Linux are you going to use for your desktops? (There, that’ll keep the French government busy for another 16 months.) 🙂

Podcasts, Security

Podcast #22 – Microsoft NAP with Amrith Krishnan

27 Nov, 2006

This week’s SAATY podcast #22 is very special. We go prime time with our first interview guest from Microsoft: Amrith Krishnan, Senior Security Product Manager (including Microsoft NAP).

Amrith joins Alan and me to go in depth on NAP and how Microsoft is delivering NAP in Vista and Longhorn. We also talk about Microsoft’s plans to make the NAP APIs available for 3rd parties to create non-Windows NAP agents. The Microsoft NAP and Cisco NAC announcement gets some scrutiny, and we work really hard to pin down Amrith on Microsoft’s plans for TCG/TNC support (you’ll be very interested in what he has to say about TNC). Overall I think Amrith was very forthcoming about NAP, and our podcast listeners will find this interview extremely interesting. This isn’t your typical corporate PR sanitized interview.

In my The Converging Minute segment I discuss Why Appliances Are Dinosaurs, due to changes in standard computing hardware technology/cost/performance and virtualization software. Tune in, because overpriced appliances are being threatened by commodity off-the-shelf hardware for network, security and networking applications. A non-appliance revolution is underway. See my previous blog entry about this as well.

Last week being Thanksgiving, we have a shorter This Week In Security segment. Topics include fundamental changes in the SANS Top 20 list, which everyone should understand and make adjustments to in their security benchmarking; Symantec’s release of a beta product for Vista (despite their whining about Microsoft cutting them out of the Vista picture); and Check Point’s acquisition of the Swedish data encryption company Pointsec (is this the emergence of Check Point’s post-Sourcefire strategy?).

Thanks to Amrith Krishnan from Microsoft for joining us on this week’s podcast and thank you to all of you for downloading and listening. Please send any questions, comments and suggestions to podcast@stillsecure.com or feel free to email me directly.

Listen to podcast #22 at www.clickcaster.com/ss.

Uncategorized

Why appliances are dinosaurs

27 Nov, 2006

If you haven’t noticed, there’s a revolution happening in hardware. We thought Moore’s law would never be broken, but it has. Now, rather than relying on ever increasing microprocessor speeds for better performance, we’ve seen a dramatic shift in processor philosophy: the move to multi-core. Dual-core Intel and AMD CPUs are all the rage. It’s getting difficult to buy a laptop or desktop without a dual core processor. Plus, quads are on their way (and you can guess what’s coming after that).

At the same time virtualization, the ability to run multiple virtual OSs and applications as tasks within the same machine, is having huge impacts on hardware utilization. I hate to think of what my lab at StillSecure would look like if we had a 1:1 ratio of actual hardware to virtual instances of machines.

We’ve all bought into the myth that networking requires special processing chips. That may have been true in the past, and may still be required in the biggest networks, but we are seeing that change as well. Most appliances are generic computing architectures when you take the metal cover off. Many run open source Linux. We don’t rely much on specialized network processing chips any longer for normal network traffic. Vendors are rapidly moving to multi-core processing architectures for both appliances and blades.

4G networks are also forcing this change. Processing power is being pushed out to the edge of the network to deliver 1,000- and 100-Mbit access, security and applications. Multi-core systems can handle much of the light-weight packet processing needed by most network appliances. Intel/AMD and PCI-Express technologies can cut typical costs considerably. As virtualization performance improvements continue, we’ll see multiple network systems and applications operating on the same hardware platform.

Virtualization offers other capabilities interesting to networking and security: the ability to migrate and move network and security functions without changing hardware. Imagine moving your IPS from one edge appliance to another via a management console on your desktop.

We’re not far away from such a scenario. So get ready to rethink your appliance strategy.

Uncategorized

Patent, patent, who has the patent?

27 Nov, 2006

Like the Jake Plummer/Jay Cutler Denver Broncos QB controversy, speculation goes on and on about the Microvell deal. When big companies do something as unusual as this deal, it causes all of us to pause, try to understand why, and then dig deeper into why it really might have happened.

Last week Dave Rosenberg on the InfoWorld Open Sources blog site speculated it could be Microsoft that has the patent issues, not just Novell/Suse Linux. I suspected the same back in my blog on Nov 16. I also think that some large customers may have pressured Microsoft to do such a deal. Dave includes a response (or lack of one) by a Microsoft representative, which could be telling, or could be just spin. Hard to say.

I’m not familiar with what Dave mentions in his post about the possibility of a Linux license change, unless he’s referring to the upcoming GPLv3. (But LT has been pretty clear he’s not in favor of GPLv3 and if I recall correctly LT’s issues were with patent protection in the proposed GPLv3.)

So check out Dave’s post on InfoWorld Open Sources. Send me an email if you’ve got any views on this too.

Podcasts

The Converging Minute

17 Nov, 2006

Announcement: New podcast segment The Converging Minute

If you listen to this week’s podcast (SAATY #21) you’ll hear a new segment I’m doing called The Converging Minute. You’ll also notice a new area in the right-hand column of this blog listing The Converging Minute topics in each podcast. In this new podcast segment I’ll be discussing topics around the convergence of networking, security, software and computing hardware.

I regularly blog about my thoughts and news announcements about how network devices are becoming security appliances, security boxes are also routers (have you bought a true standalone router lately?), security is being pushed into the switching fabric, open source enables so many aspects of networking and security, and applications like VoIP and video are bringing new security requirements into the network. During each week’s segment of The Converging Minute I’ll be highlighting one of these topics and how it is changing the paradigm we all work in. I also have my own convergence product development effort underway at StillSecure and I’ll be talking about how that’s progressing and resulting in products from StillSecure and our partners.

So please join me for The Converging Minute. And please send in your ideas, suggestions, comments and questions. It is always appreciated. Thanks for listening.

Mitchell

Blog, Podcasts, Security

Podcast #21 – Jason Van Orden & Eric Green

17 Nov, 2006

The bits, sound levels and mp3 files have all been massaged, and SAATY podcast #21 is in the can. This week Alan and I are joined by two web 2.0 pros in the publishing and podcasting field, Jason Van Orden and Eric Green. Jason is a pioneer in podcasting and author of the book Promoting Your Podcast. Eric has also done a lot of podcasting and is the publisher (Larstan Publishing) of Jason’s book. While not a security topic, I think many listeners will enjoy the conversation with these guys.

In our This Week In Security segment we discuss Juniper’s UAC 2.0 announcement (NAC product, TCG compliant), the patent issues surfacing around the Microsoft / Novell agreement, upcoming plans for RSA and the SC Magazines awards, and Source Media’s former IT exec who used a three year old password to access company email and warn friends about impending personnel actions.

We also add a new segment, beginning in this show, called The Converging Minute. This segment discusses happenings in the network, security, software and hardware convergence field. In this week’s segment I discuss “Is the Linux under the hood?”, exposing some of the far reaching implications of the Microsoft / Linux patent issues that could be very disruptive to the networking and security industry.

We have some very exciting guests on our upcoming podcasts. Microsoft will be joining us to talk about NAP. Alan and I do our best to ask the questions everybody wants answered but that haven’t been. And we have other exciting guests lined up for future podcasts as well.

Thanks for joining us for this week’s podcast. The listener and subscriber response has been simply amazing. Both Alan and I appreciate everyone taking the time to listen to the two of us rant about security. (I suspect most of you tune in to listen to the interviews.)

As always, please send your comments, questions and feedback to us at podcast@stillsecure.com or to me directly. Enjoy and thanks!