February 27, 2007

If it had been The Great Firewall of China, Would the Manchus Still Have Invaded?

It's a war out there.

The Forces of Good have been battling the Forces of Evil ever since someone made up the first law. Since not everyone agrees that following the rules is in their best interest, enforcers (traditionally ranging from hired thugs to your friendly neighborhood policeman) have been in place. The point of this mini history lesson? To highlight the fact that it's never going to end. Good is never going to triumph over Evil, because part of being Good is not hitting first. Good has to wait for Evil to do something before enforcing the law.

Cyberspace is no different. Hackers and spammers and phishers and all others out there making victims of Joe Q. always get the first blow in the war. The only preemptive move Good can make is to build a wall; but even the Great Wall of China failed, so we shouldn't put all of our trust in our defenses. Once a cybercriminal strikes, all the security companies can do is mop up the pieces and try to make sure that that particular avenue is closed.

It's a never-ending, frustrating battle that is, by definition, going to have innocent victims. (No victim, no crime, right?) So when one is shopping for cybersecurity products, one should keep in mind that they are all based on past attacks and won't necessarily be precognitive enough to protect precious data from the Next Evil Thing.

That's not to say that our cyberspace enforcers aren't doing their best - they are certainly making an all-out effort to try to predict and prevent the next attack. Law enforcement in the real world is working with security specialists in the cyber world, but I believe that more needs to be done. Cyber crime and real world crime are becoming increasingly enmeshed, as is highlighted by the real world crime of a stolen laptop enabling the cyber crime of stolen data and identity theft. The recent theft of a cell phone triggered the real world embarrassment of certain celebrity figures, but what if a stolen PDA results in a criminal being able to ambush someone?

Guarding cell phones, laptops, PDAs or other personal electronics should be on the same level of priority as guarding one's house keys. The sooner the public at large realizes the dangers of not taking their electronic privacy seriously, the better. And perhaps, if enough awareness is raised, my teenager will quit losing his cell phone.

February 20, 2007

Happy Birthday Blade.org

Last week I attended a party in San Francisco that was celebrating the first birthday of blade.org. As expected, various VIPs from blade.org and ancillary organizations were present to celebrate, but there were also guests from the VC community as well as two authors/professors, namely Raymond Miles and Henry Chesbrough. There was the slate of presentations one would expect at such an occasion, but if you were expecting to hear a pitch about how great IBM BladeCenter was, you were in the wrong place. Rather, the tone of the morning was intriguing, as it did not focus on blades per se, but on a far more compelling topic: collaboration in the marketplace.

At the highest level, one could argue the premise of blade.org is simple: get more companies interested in designing blades to fit in the BladeCenter, and then sell more BladeCenters. At one level, this is true; Big Blue likes to sell things and make money just like everyone else. Nevertheless, what is much more fascinating is not what is being done, but how it is being done. In 2006, blade.org had eight companies/members pondering the potential of the blade architecture. That number quickly jumped to 40, and now exceeds 100. At the same time, $1B in VC funding has poured into member companies. It does not take long to realize that blade.org is much more than a front to promote IBM BladeCenter; rather, it is a thriving example of what Raymond Miles dubbed “Collaborative Entrepreneurship.”

When you look at the array of companies participating in blade.org, you see a wide spectrum of players, not just server, switch, or networking vendors, but component vendors, application developers, integrators, etc. Each of these is bringing complementary expertise to the blade opportunity and while some may be competitors, the embodiment of blade.org is a shared experience aiming to raise the water level for all boats floating in the blade harbor. This phenomenon of implied trust at the highest levels was a focal point for all of the speakers that morning. When such trust can be achieved, then collaborative innovation can take place even in a competitive marketplace.

Until recently, such an approach would be limited to a narrowly defined consortium of interests, or would be treated as suspect by participants, always looking out for the inevitable competitive stab in the back. But as blade.org has illustrated, it is possible to come together in a well-defined and trusted environment to innovate. The financial backing of VCs is evidence of the trust that has been garnered, as VCs are not quick to part with their money unless they have a high degree of faith and trust in the situation. The result is that vendors are looking at the opportunities for blades with a greater deal of interest than might have otherwise occurred. Further, the R&D and S&M efforts of each member have leveraged the investments of others to grow the overall opportunity at a much more rapid pace than any single vendor or very small group of vendors could do.

Blade.org typifies an open approach. Yes, open in the sense of technical standards, but more importantly, open in the approach of sharing information and doing business. The resultant trust encourages all to participate at a greater level and with a higher expectation of success. The recognition of this need for trust is not new in business, as the Japanese keiretsus of the latter 20th century illustrated another approach to maintain the trust, i.e. cross ownership of all the participants. However, this approach was closed by nature, and dependent upon a single source of financing. Blade.org has the best of both worlds: a strong environment of trust and incentives to contribute, but an open model for participation, financial independence of its members, and an affirming position to independent and collaborative entrepreneurship.

The notion of Collaborative Entrepreneurship in general, and Blade.org in particular, is an exciting experiment/activity to watch. We look forward to seeing what it will have achieved when Blade.org's second birthday comes around.

February 14, 2007

Cuba and Venezuela – Unlikely Good Examples of Open Source Preference

A recent headline in my local paper, the San Jose Mercury News, attracted my attention: “Cuba moving to ditch Microsoft, its products” (http://www.mercurynews.com/mld/mercurynews/news/world/16721400.htm). While many would tend to chalk this up to anti-US security paranoia, in my opinion this would be the wrong conclusion.

During 2006 I had the opportunity of meeting with many government officials from around the world and uniformly they were all interested in one thing: saving money on their software license costs. While this was especially prevalent in Asia, this goal was not unique to developing countries. Even the most developed of nations such as Japan is aggressively exploring ways to make better use of open source software and reduce their dependency on Microsoft.

Government users, particularly those in the defense sector, have always harbored a distrust of commercial software for sensitive applications. The cry of “Commercial Off the Shelf” (COTS) or “Government Off The Shelf” (GOTS) does not echo as loudly as the crescendo of fewer budget dollars going out the door. Many organizations will likely be able to increase their size through the promise of reduced software purchasing and support costs.

The article mentions China, Brazil and Norway as countries that have encouraged the development of Linux and the move from Microsoft. They are by no means alone and it would follow that the Cuban model of mobilizing university students to develop open source products is a model that could be easily emulated by many nations. In fact, once upon a time (1997) in a far off land called Bosnia I suggested to the US trade officials that the country’s universities would be ideal places to check Y2K code. Engineering students and graduates had been trained in the old Soviet mainframe mold and could easily adapt to the tasks inherent in ridding any code of a potential Y2K problem. Alas, no one thought this was such a good idea.

When I look at this open source movement from a geographical perspective, it strikes me that the big winners in open source product trade are likely to be China, Brazil and India.

In the case of open source, the innovator’s dilemma may be more about how to make a profit than how to make a usable product.

RSA San Francisco 2007 - A Perspective

The RSA Conference has emerged as the leading annual US information security event. The one-time crypto-geek fest originally held in the Sofitel Hotel in Redwood City, CA in the early 1990s has blossomed from a gathering of the cryptographic community to the anchor of the information security marketing year.

I’ve been on the Security Speaker circuit for quite some time. I did my first CSI in New York in 1983 and as I recall, my first RSA speaker slot in 1996. The growth of RSA in both size and scope has been nothing short of remarkable. This year’s event featured over 340 exhibitors, 500 speakers and 200 sessions. Many of the keynote speakers called for the conference to broaden its coverage and extend into more general business topics.

Frankly, this would be a sad thing. There are plenty of general venues, but not very many places where security-oriented start-ups and new technology companies can mingle with end users, venture capital companies, competitors, would-be acquirers and, of course, analysts. This year’s event was upbeat and by all accounts successful. I’ve noticed that the number of end user attendees has increased. Attendees tend to be people actually doing the work rather than executive management. Engineers and project leaders apparently use RSA as a way to stay abreast of industry developments in the sessions and see all the key vendors in one spot. As with many other shows, once the workshops start, the exhibit floor empties out.

Last year may have been the year of compliance where every vendor seemed to base their marketing appeal on ‘compliance’. This year would have to be the year of leakage where many vendors were touting their ability to prevent leakage of sensitive data or intellectual presence.

This year, as with years past, there is growing attention to legal and government matters. While this trend may pay tribute to the early days when bashing NASA over crypto export restrictions was de rigueur, it strikes me that legal penalties, data forensics, electronic discovery and government policy concerns have taken a higher mind share with information users and security vendors alike.

For me, the highlight of the event is always the Speaker’s dinner. Being selected as a speaker or panelist is always an accomplishment. Art Coviello, head of the RSA Division of EMC and former CEO of RSA told us that 500 speakers were accepted from 2300 applicants. In years past the number of acceptances has been a tenth of the applications. It’s also interesting to see the body of speakers and appreciate the range of talent from cryptographers to attorneys. As you might expect the table chatter is lively and often sarcastic, cynical and even thought provoking.

See you there in San Francisco next April?