Blog, Cloud, Security

Podcast 54: A p00ned FBI network, Barracuda, vulnerable Mac, G.hos.st, fired TJX employee, and Sourcefire walk into a bar…

30 May, 2008


Alan and I finally got off our duffs and recorded a podcast. Can you believe it? We have the evidence right here in our grimy little podcasting hands to prove it. But, you’ll have to listen to believe it for yourself.

In podcast #54 Alan and I are back to our old antics, and discuss:

  • How the FBI’s network easily got p00ned by a pen tester in just a few minutes, right up to the NCIC crime database
  • Hot off the presses: Barracuda's unsolicited (serious?) bid for Sourcefire
  • Mac’s nasty track record for security vulnerabilities (we won’t see those commercials anytime soon, will we)
  • Some new fangled service called G.hos.st that Alan’s all hot about
  • The ethics of security issues, or, how to get fired from TJX without really trying

Alan and I also take some time to put a plug in there for the news about the origins of Stonehenge, and NASA’s Mars Phoenix lander. We also pay homage to two greats who passed in the last few days, comedian Harvey Korman and director/actor Sidney Pollack. "That’s Headley!" Thanks for the wonderful years, guys.

Enjoy the podcast and please drop us any suggestions or questions at podcast@stillsecure.com.

mp3 file

Security

Please Don’t Tell Me Symantec Is Your Client

30 May, 2008

Like everyone else who's connected with software development in one form or another, I'm constantly bombarded by various firms interested in a "partnership" to funnel some development, QA or other work to an Indian firm. In different jobs, I've frequently entertained outsourcing various kinds of work to India and have done so in a few cases. Various of my compatriots have done this too, with every kind of success and horror story you can imagine.

But one theme I've found consistent in almost every firm that's contacted me is that Symantec is one of their banner clients. Symantec's almost always one of the first companies mentioned, proudly held up as making that firm legit because they've done work for Symantec. These days, I regularly tell callers that having Symantec as a client is not a differentiator. Everybody tells me Symantec is their client. They must hire every Indian outsourcing firm on the planet, well at least the ones in India. 🙂 Having a large facility in Pune also probably has a lot to do with it.

The other reason naming Symantec as your client isn't helpful is that I don't work for companies that look much like or operate like Symantec. Entrepreneurial and startup companies have much different needs and capabilities than corporate behemoths like Symantec. Because you've done work for Symantec doesn't necessarily mean your firm would be the best fit for my situation. I'd much rather hear about companies in my space that are closer to my size (or were), and how you helped them succeed in producing more revenue.

Cloud

Growing The World of SaaS With Parallels and FORTRUST

19 May, 2008

This week the company where I'm CTO, Absolute Performance, made a couple of announcements. First, we are attending the Parallels Summit 2008 conference in Washington D.C., where Absolute CEO Jerry Champlin gave a talk today about exploiting the explosion of opportunities in the SaaS market. At the show we announced Absolute is adding support for Parallels Virtuozzo Containers, which is how Parallels virtualizes applications above the operating system level, sometimes referred to as OS virtualization. Containers abstract the OS from the application, rather than just the hardware as hypervisors do, allowing you to use the OS as a service to applications in multiple containers. Absolute has already announced support for instrumenting VMware ESX, and with the addition of Virtuozzo Containers we'll begin to provide deep instrumentation of virtualized Parallels environments.

How do you rapidly deploy applications, when they all install, have various requirements, and are managed differently? The effort to install applications can be complex and time consuming. The Application Packaging Standard (APS) was created by Parallels, which is now turning it into an industry-supported standard; it allows you to package an application once. Control panels, provisioning information, etc., are all standardized through APS. There are also useful services within APS, such as the APS Catalog (lists applications in one place with all their associated updates), APS Identity Service for single sign on for APS apps, and APS licensing (under development) for centralizing and standardizing licensing. There are about 150 applications within the APS catalog today. Absolute Performance announced our support for the APS standard, and also that we will have templates for instrumenting some APS apps right out of the box. After some more research into which are the most widely utilized, we'll start releasing templates for APS apps in the APS Catalog. Lastly, we announced we are deepening our partnership with Parallels and will work together on future initiatives to help managed services and hosting partners effectively thrive in the world of SaaS.

We also announced our partnership with FORTRUST, a Colorado data center services and colocation facilities provider, who have brought out their FORTRUST Managed Services. We're excited about partnering with them because they clearly recognize the move towards providing high value services to customers. And not just the typical basic monitoring either, but the full suite of monitoring, management, pre-production load testing, end user experience validation and reporting functions of its managed services offering. FORTRUST has some of the highest quality facilities you'll see and I think you'll find the same true of their managed services offerings. All my best to the team there and the new managed services offerings.

As I’ve talked about previously in my NWW blog, SaaS is all about partnering and without effective partnering strategies, it’s a tough go to be a one-vendor show. Partnerships, like those we announced this week, show why it’s the case.

General

A Day In The Studio For The Kingdom Project

12 May, 2008

Friday was one of those truly fabulous days. I was able to spend all day Friday in the recording studio. We were laying down the rhythm tracks for some Christian music written by fellow guitar player, songwriter, and good friend, Ike Elliott. Ike has a post up about Friday on his blog too. The music is part of a non-profit company I'm involved in called The Kingdom Project. I'll tell you more about that in a bit.

Ike's been writing some songs over the past year or so, all of which I like very much. He has a real gift, writing in a style somewhere between The Beatles and Newsboys. After soliciting various opinions, the songs were whittled down to seven, which we recorded the basic tracks for on Friday.

Recording music is a fascinating process. I've recorded in my home studio and professional studios. But the process is pretty much the same. The songwriter has a message and a vision woven into their songs. If you are recording your own songs, you get to decide the next steps. But here comes the courageous part. To really do a song justice you have to free it into the hands of other musicians who are part of the recording and creative process. That can be scary or it can be a very liberating experience. It all comes down to communicating the vision of the music, and the kind of connection you have with your fellow musicians.

The process in the studio can become very technical at times, becoming all about dialing in the instruments, keeping in time with the pulse, playing the right chords and notes, keeping it in the pocket, etc. Recording is like looking into the mirror – it doesn't lie. What's recorded is what you played. If you were ahead of the pulse, even just a little bit, it all shows up. If the musicians aren't connecting, you can hear it. And when they are connecting, the music just flows. The best part is seeing what other musicians do with the song and the ideas from the producer and songwriter.

Each person brings their own talents, ideas, roots in music, etc. Most important is a desire to try and achieve what the producer and songwriter are looking for. They may give you freedom to do whatever you feel would work, or they may say "give me a tasty David Gilmour kind of lick right there." At one point during our recording, the producer, Jeremiah Horner, asked me to give him "the biggest pick slide you've ever done." I set my Strat so it would get the kind of sound I thought he wanted, and let 'er rip as he punched it into the recording. We all had a huge laugh at just how over the top the pick slide was, but you know, it worked in the song and it's what Jeremiah had in mind. And we all liked it. It was a fun moment that everyone got a lot of enjoyment from.

We spent from 9am to 8pm in the studio and the time just flew by. I only checked the clock twice; once at 12:45pm when my stomach started growling, and then again at 6pm. Each time it only seemed like an hour or so had gone by. Time in the studio goes fast because you're so focused on what you're doing, and because you're having so much fun.

We're planning to go back in the studio in June to do some doubling, overdubs, vocals and solos. That's yet another kind of creative process that I'm looking forward to. In the meantime, I'll be practicing using the rough mixes Jeremiah gave us on Sunday.

A little bit more about the project… This recording is part of a non-profit company called The Kingdom Project. KP is all about helping emerging Christian artists get their music produced, recorded and promoted. We're developing a web site with all kinds of resources to help new songwriters get a leg up on the ins and outs of copyrighting their music, getting a demo or a CD made, and connecting with others who can help them. We also connect folks interested in sponsoring new artists or projects with songwriters, producers and musicians. Ike's recording is the first project we've initiated. We plan to begin our second project sometime later this year.

So if you are interested in learning more or getting involved, please feel free to contact me. We're looking for songwriters, sponsors, and help with the web site and content.

Cloud

Sun Engineers – I Know Where The Rock Star Jobs In SaaS Are!

8 May, 2008

With the imminent round of additional layoffs coming at Sun, there have to be some real rock stars out there looking for their next move. So… if you are a rock star pre-sales engineer who knows how to sell solutions and would like to get into the exploding SaaS market… or you are a top QA engineer who loves testing, automation, and digging out the toughest-to-find bugs… you owe it to yourself to check out these open positions at my new company, Absolute Performance.

Send your information to jobs@absolute-performance.com. Tell ’em you read about it on The Converging Network blog.

Rock On!

Cloud

Get Ready For XaaS Everywhere

7 May, 2008

With the soaring interest in Software-as-a-Service (SaaS), we are already seeing the same metaphor used for other service offerings. Platform-as-a-Service, or PaaS, is becoming a commonplace term. Now I've also seen IaaS, or Infrastructure-as-a-Service. As I like to say, no good idea goes un-copied. What that means is we should all expect to be overrun by the use of XaaS terms, where X equals whatever word or phrase any vendor, analyst or marketer chooses to promote their product or service. If Sausage-as-a-Service will help sell more processed meats, you can bet someone will jump on the bandwagon and leverage XaaS to their benefit.

If imitation (being copied) is the most sincere form of flattery, then I'd say SaaS is gaining enough traction that others are copying the XaaS term for their use. But we shouldn't forget, what this all really means to us is that software, infrastructure, data, etc., etc., are all moving into the cloud, being offered as a service.

So if anyone needs any Blogging-as-a-Service, you know where to contact me. :)

Security

Unbelievably Bad Web Password Security

7 May, 2008

I was shocked today because I had two very strange but similar experiences with passwords. Both involved accounts with online web sites/services, and both involved some pretty fundamentally bad password limitations. I’m half tempted to name the sites here but elected to contact them privately about the issues. What were the issues?

Absurd limitations in user account passwords. The first site would not allow a user password longer than 10 characters. Ah… last I heard, longer passwords (to some extent) are generally better, as long as other policies, like requiring caps and numbers mixed in, are also in place. All of these, including password length, help against brute force attacks. The second site did not allow special characters in the password. Adding a special character here or there is another common method of making passwords more difficult to crack. I just found it strange to run into two sites with such odd password limitations.
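To make the two limitations concrete, here is an added example (not code from the post or from either site) that models a site's password acceptance rules as a small policy object, checks a constructed sample password against a 10-character cap, a no-special-characters rule, and a corrected policy, and estimates the brute-force search space each policy leaves room for. The policy values, the `PasswordPolicy` class and the sample password are all assumptions made for illustration; the point it shows is that a length cap puts a hard ceiling on how strong any user's password can be, while banning special characters shrinks the per-character alphabet from 94 to 62.

```python
import math
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """A web site's password acceptance rules (constructed for illustration)."""
    name: str
    min_length: int
    max_length: int          # largest password the site will accept
    allow_special: bool      # whether punctuation characters are accepted
    require_mixed_case: bool
    require_digit: bool

    def alphabet_size(self) -> int:
        """Number of distinct characters a user is permitted to choose from."""
        size = len(string.ascii_letters) + len(string.digits)   # 52 + 10 = 62
        if self.allow_special:
            size += len(string.punctuation)                       # + 32 = 94
        return size


# Hypothetical policies: the first two mirror the limitations the post describes,
# the third is a corrected policy. Exact values are assumptions, not the sites' rules.
CAPPED_AT_10 = PasswordPolicy("max 10 chars", 6, 10, True, False, False)
NO_SPECIALS = PasswordPolicy("no special chars", 8, 64, False, True, True)
CORRECTED = PasswordPolicy("long, any char", 12, 128, True, True, True)


def check_password(policy: PasswordPolicy, password: str) -> list[str]:
    """Return the reasons `password` is rejected under `policy` (empty list = accepted)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if not policy.allow_special and any(c in string.punctuation for c in password):
        problems.append("contains a special character")
    if policy.require_mixed_case and not (
        any(c.islower() for c in password) and any(c.isupper() for c in password)
    ):
        problems.append("needs both upper and lower case")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    return problems


def search_space_bits(policy: PasswordPolicy, length: int) -> float:
    """Bits of brute-force search space for a uniformly random password of
    `length` characters drawn from the policy's permitted alphabet.
    Raises ValueError if the policy would not accept that length at all."""
    if not policy.min_length <= length <= policy.max_length:
        raise ValueError(f"{policy.name}: length {length} not accepted")
    return length * math.log2(policy.alphabet_size())


def ceiling_bits(policy: PasswordPolicy) -> float:
    """The best a user can possibly do under this policy: a random password at
    the maximum accepted length. A low cap bounds this regardless of user effort."""
    return search_space_bits(policy, policy.max_length)


if __name__ == "__main__":
    sample = "Tr0ub4dor&3-staple"   # constructed 18-character sample password
    for policy in (CAPPED_AT_10, NO_SPECIALS, CORRECTED):
        verdict = check_password(policy, sample) or ["accepted"]
        print(f"{policy.name:18} -> {', '.join(verdict)}; "
              f"ceiling {ceiling_bits(policy):.0f} bits")
```

Run as a script it reports that the 18-character sample is rejected by the capped policy for length and by the no-specials policy for its punctuation, but accepted by the corrected one. The ceiling figure is the useful part for a site operator: under a 10-character cap even a perfectly random password tops out at about 66 bits, whereas the same user allowed 12 characters from the full printable alphabet gets about 79 bits, and the cap is the only thing standing in the way.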

Wikipedia has some good information on basic password security. I hope it can be of help to the sites I visited today.

General, Uncategorized

Measuring Leadership – What Happens When You’re Not There

6 May, 2008

Last week a close friend lost her spouse very unexpectedly. All of us who participate under her leadership in our music program (band) at church were shocked and grieved for such a devastating loss for a close friend. It was truly heartbreaking. The experience is one I would of course not want to have gone through if given the choice, but it did reawaken for me something I've believed about leadership for some time. So I share these thoughts about leadership, keeping in mind they pale in comparison to the gravity of last week's events.

There are many ways to assess, evaluate and measure leadership. Bottom line results, leadership style, strengths surveys, 360 degree performance reviews, action under fire… I could go on and on. But one measurement that is often overlooked is, what happens when the leader's not there?

I enjoy, respect and thrive under many leadership styles, but value much less charismatic and personality driven teams. They rarely hold up in the long term, and usually hit some ceiling frequently not surpassable without a significant change of leadership. Those approaches are usually too dependent upon the capabilities and characteristics of one person. Leadership solely vested in that one person also means you live with their limitations too. At least that's been my view.

I believe leadership is about enabling the team and organization to achieve its best results, growing and thriving in the process. Flourishing is a great way to describe a high performance team. It's about enabling people to succeed. It's also about creating a shared vision, with clarity of purpose, goals and a high degree of mutual accountability within and outside the team. I also subscribe to the view that if you believe in people, truly believe in their power to succeed, they'll do just that, and more.

Want to see how effective leadership is? Remove the leader and see what happens. You'll quickly spot where there are deficiencies in communications, continuity, goals, empowerment, decision making and many other areas. You'll see bottlenecks or pent up issues pretty quickly. If the team can't continue to excel, at least for a reasonably short time, you don't have a team, you have a group of followers. Now, see what happens when a curve ball shows up. That also gives great insight into how effective the team's leadership is.

So, bringing this all back home to last week's experiences. Sunday's services went off without a hitch, even without the week's normal 2 1/2 hour rehearsal. Some band members had never even heard the music prior to Sunday's early rehearsal. Everyone involved (probably 25-30 people) all to a person stepped up and volunteered to help out in whatever way was needed. Team members changed previous commitments to be available. And we'll continue this and more until our leader returns, whether that's one week or six weeks from now. We have a shared vision and purpose for our music, we know how to execute and fill in when someone suddenly needs to step out, we know how to adjust (flexibility is one of our key attributes), and there are many capable leaders within the team who can step up and fill the gap until she returns.

Most importantly, none of us wants to let down the leaders in our organization. Our mission is to continue delivering on our goals without a drop in the quality or capabilities of our music. Matter of fact, our goal still continues to be raising the bar of our music program. We value our leaders too much to do anything less.

Blog

Back From Hiatus, Saved by Web 2.0 Technology

5 May, 2008

Well, I'm fresh back from my unannounced trip to Hiatus. It's a long, sordid and torrid story. To make a long story short, I was held captive in a primitive cave in the mountains of Afghanistan. But thanks to my recent training at RSA, I was able to communicate an SOS via a crudely crafted, low-fi Web 2.0 web service. Fortunately, some Yahoo! stockholders happened across my plea, and aided in my rescue in the hopes that after returning to civilization I might be able to use my Network World blog to sway Microsoft and Yahoo back into active merger talks. Alas, despite my best efforts, Yahoo continues to stumble along on its own, suffering a 14% devaluation in the markets today. Nonetheless, it's great to be back!

Okay, seriously… I wasn't in Hiatus, but just on hiatus from blogging here for a bit. ("Back from Hiatus" is an old joke from one of Alan and my podcasts a while back.) I've just been overwhelmed recently with all kinds of work and personal activities, which include attending four different conferences in the last 2 months, practicing for an upcoming CD recording project (we're in the studio this Friday), launching a new product release for Absolute Performance, setting up several new partnerships, rebuilding a corporate web site, digging deep into Microsoft's Live Mesh strategy, and building up my blog readership on my Network World blog. No excuses, but those are some of the things which have been occupying my time.

So… back to more blogging on The Converging Network. I'm really energized about what I've learned from the SaaS marketplace, and activities by the likes of Microsoft, Google, Salesforce and Yahoo. Some of it also comes from reading Nicholas Carr's book, The Big Switch. And of course, I have a lot to say about security, networking, virtualization and creating products.

It’s good to be back.