
November 2006 Archives

November 20, 2006

Novell, Microsoft and Intellectual Property - Opening Shots

At the beginning of the week, Steve Ballmer dropped a bomb on Linux users, giving them notice that since they may be using Microsoft Intellectual property, they will have balance-sheet exposure to paying Microsoft for IP in their Linux software.

Well, "balance sheet exposure" certainly sounds pretty ominous to me, although as a software geek I am certainly not qualified to say whether, even if there were substance to Microsoft's claims, they would have to be accounted for on the balance sheet.

But Ballmer's FUD bomb did create a huge wave in the Linux FOSS (Free and Open Source Software) community, sparking off intense debate on licensing, the GPL, Microsoft and Novell in general.

The Israeli Linux (Linux-IL) community was saying things like this:

MSFT cannot give/sell Linux solutions AND claim patent infringement. That much is covered by the GPL. If they distribute GPLed code, they cannot claim that they hold patents over said code without violating section 6 of it (not imposing additional restrictions), which would revoke their license to distribute, and make them copyright violators (or, using their own terminology, pirates).

and this:

You don't have to actually listen to them. The first time that either:
1. Novell claims that it is the only one you can buy Linux from due to said deal or
2. MS sues ANYONE for Linux patent infringement Novell must, immediately, either shake loose (retroactively) from the MSFT deal or open itself up for copyright infringement claims.
In other words, I don't know what the deal is, but the GPL seems to be doing its job ok so far.

Who would - and how could they - sue Novell for copyright infringement based on any lawsuit Microsoft initiates for Linux patent infringement? What is Novell's legal liability for anything MS does that is not clearly specified in their deal? Novell wouldn't be suing the Linux user and therefore isn't violating the GPL. Novell and Microsoft have not merged their corporate entities, so Novell has no shared liability for MS challenging the GPL.

Regarding point 1, Novell has made it clear that it has entered into an agreement with MS that shields its users from Linux litigation; it is stating a fact that resonates with business clients. It doesn't need to - and probably won't - state that MS's claims lack merit or are otherwise FUD.

The GPL has worked well, up to now. But up to now Microsoft has not become involved in the Linux market. And Microsoft is one hell of a disruptive corporate entity in the markets it enters. It can also be a legal juggernaut with bottomless pockets to drag out proceedings if it does not achieve its legal goals outright. How many years has MS's anti-trust issue dragged out?

BUT - and THIS IS A HUGE BUT - I don't think this is about the GPL. I think it's about the market and positioning products versus services. Stay tuned.

November 21, 2006

Novell, Microsoft and Intellectual Property - displacing FOSS services with MSFT products

Yesterday I quoted some of the folks in the Israeli Linux community who got their hackles up about the GPL.

I claim that this has nothing to do with Intellectual property.

I still remember from the late 90s how much Microsoft hates Novell - and Ballmer is a killer shark with a long memory. Ballmer will not rest until Netware is gutted. The Novell SUSE - Microsoft licensing deal is a classic Microsoft engulf-and-devour tactic. It is a move to get more people on Active Directory and off NDS.

We need to understand that the patent infringement thing is just FUD, smoke and mirrors.
The real battle (which Microsoft has a credible shot at) is to displace the Linux professional services market by selling products to enterprises for Linux/Windows integration, Oracle/MySQL alternatives etc.

Let's start thinking about where Microsoft wants to go with this.

About 10 years ago, Microsoft drove margins to nothing on their software products and told the channel that they needed to make their profit on services - training, customization and development. This is the state of the market today, where hardware and commodity proprietary software margins are in the low single digits and both the Microsoft and the FOSS channel live on services in a variety of business models. Microsoft is a software product company selling in mass markets - they have high gross margins (over 80%) and they need to protect that margin and grow their market share.

Now we understand that Microsoft needs to displace services from FOSS community consultants with Microsoft products. As someone else correctly pointed out on the list, the majority of enterprise IT shops prefer products to services, as the risk level of a proprietary product from Microsoft is perceived to be much lower than the risk level of hiring an independent consultant for his knowledge. The first target is Linux/Windows integration - things like an OpenLDAP-AD connector for W2003 server.

The next milestone might be a version of MS Office for Linux or a version of MS SQL for Linux in order to displace MySQL or Oracle.

It's all a question of market share and margin - nothing to do with technology and free speech - it might as well be womyn's fashion.

You may not like this or even agree with it but that is the prevailing attitude with most enterprise IT managers.

November 22, 2006

Do Symantec and McAfee have a shot at the services market?

I met with a prospective client for a software security risk assessment last week and after I explained our methodology and practical threat analysis tools for improving software security he responded by saying, well that is pretty impressive but aren't you concerned about a competing service from ISS (now part of IBM) that offers risk assessment on the Internet?

What?

Do we really believe that a canned service based on check-list network vulnerabilities (that is about the extent of what ISS can do online) can replace detailed, inside-out, source-code examination of software vulnerabilities?

Ask a rookie programmer if you can do threat analysis with black-box testing. She will tell you that it's a ridiculous assumption that a black-box can figure out all the vulnerabilities in her code.

What ISS is apparently doing is on the heels of similar announcements from Symantec and McAfee about their move into the professional services arena.

I can understand that ISS is influenced by IBM's marketing strategy of SaaS; the market for IDS/IPS (intrusion detection/prevention systems) looks like Grand Central Station on a Friday afternoon - it's tough, dense with players and increasingly commoditized.

I can see a similar trend with Symantec and McAfee - the anti-virus market is commoditized - so they're looking to diversify into professional services.

I have a lot of trouble believing that they are going to get a lot of traction with this move. There is a huge difference between selling services and selling products. But most of all, how many customers are going to believe the risk assessment recommendations from a product vendor?

I don't think they will have any motivation to recommend competing products - and I don't believe they will have credibility for impartiality with clients.

Time will tell - but I predict that 3 years down the road - ISS, Symantec and McAfee will still be product companies.

November 23, 2006

Reality is inversely proportional to Press

There is a HUGE amount of press on operational risk, enterprise risk management and Basel-II, but the closer I look, the less I see customers buying.

I see the external drivers. With the steep rise in information security breaches, global terror and regulations such as anti-money laundering controls and Basel-II, risk management has become central to the operation of any sized business.

However, solutions from current vendors do not provide the right cost/value proposition.

Historically developed for applications of credit, market or vertical industries, risk management solutions are typically targeted to large organizations and provide very little differentiation for customers. These systems have an over-focus on technology. Large institutions find that there is no financial justification to use the advanced analytics and scenarios if they don’t have enough historical data (most don’t). While large firms can afford an expensive risk assessment, small to medium sized enterprises will do nothing and often, out of ignorance, accept the risk exposure in their balance sheet from the lack of appropriate controls.

I think that the solution is to provide online access to light-weight risk management applications that focus on the user and the business and scale to his risk requirements and budget.

An online exchange of applications would enable small to medium sized enterprises to quickly find and then put appropriate risk controls into place and be self-sufficient. It would also enable business units in large institutions to effectively justify and implement operational risk management by small expert in-house teams without the burden of large professional services projects and excess functionality they may never use. A financial services business unit could build out their operational risk control incrementally; for example by starting with Basel-II basic principles and moving on to AMA when management is ready.

November 24, 2006

Hype is proportional to investment.

While I'm on my looking-for-relationships-between-phenomena kick, I confess to being uncomfortable with tech startups that run through a lot of money, generating more press releases and industry announcements than named customer wins.

Color me jealous I suppose.

One of the biggest offenders in the Israeli high-tech pond is an extrusion prevention software company called Port Authority Technologies; formerly called Vidius - they have been in business for over 5 years, have raised over $36 million in 4 rounds and still have only a handful of customers.

The article touting Port Authority Technologies' capabilities in this highly-hyped PR item is a case in point of how far a startup can stretch gross inaccuracies in a press release.

1. Port Authority exaggerates their TAM (Total Available Market):
Can we believe Raj Dinghra when he implies that the extrusion prevention market in 2006 is $500M/year?
"He estimates that the extrusion prevention industry alone will grow to roughly $1 billion by 2009, approximately doubling its size compared to today."

I'm an active hands-on practitioner and my numbers are pretty much the same as Gartner's and IDC's - i.e. the network security extrusion prevention market is about $50-70M today, so Raj is overstating his total available market by a factor of no less than 10, probably hyping the numbers for his investors.

2. Port Authority capabilities are overstated:

a. They don't have USB capability yet; they pre-announced a partnership with Safend that isn't released to production. It will be ready "real soon".

b. They use a forward proxy, which means that it is trivial to bypass their appliance in about 50 different ways, starting with a simple HTTP GET.

c. They require scanning Windows file shares, which is fine if you have placed all your sensitive files in a limited number of directories. That is totally non-scalable, doesn't fit most larger organizations and is like waving a red flag in front of hackers, not to mention that their file system scanner is a Windows server with domain read privileges and is vulnerable to a man-in-the-middle attack.

d. They are dependent on third-party software for file format analysis - i.e. they imply original IP here but have none; if their supplier were ever to change the licensing, the startup would be in a bind.

e. Since they are based on a proxy, they miss 20-40% of all network traffic which is non-proxied, and cannot by definition mitigate non-Windows users, which rules out spyware and trojans, Linux/Unix users, and people with group domain privileges who can turn off their proxy definitions.

I think all the hoopla and bull-shit is made possible by the notion that closed source software is a good thing. If this vendor were in the OSS (Open Source Software) world, they would not be able to hide behind 40,000 foot press releases. The hoopla is also often stimulated by VC involvement and employees that need to figure out how they're going to spend all that venture capital.

Like I said - color me jealous.

November 26, 2006

Extrusion Indian Style

There was a BBC Channel 4 documentary the other night on data theft. (Mind you, I don't watch BBC, the only program I watch on TV is CSI Miami, but I read UK bloggers that do watch TV).

BBC Channel 4 reporter Sue Turton went undercover posing as a business woman wanting to obtain personal details of potential marks, in an effort to see how bad call center data security was.

The going rate for extruding a data set of thousands of names, birth dates and credit card details was 8 UKP.

Man - that is cheap.

I have been writing and lecturing about call center data security issues for over 3 years and not much seems to have moved on that front.

Unfortunately, the concern about customer data protection has been overshadowed by the more basic issue of customers being pissed off by the call center response. This stems from mega-irritation with the low quality of call center response from India and difficult-to-understand Indian-English, which compounds the poor customer experience one almost always has with outsourced customer service.

It has nothing to do with extrusion prevention in India - it has everything to do with call centers everywhere being more careful about customer data and putting extrusion prevention controls into place.

It's not that hard. You can mitigate most of the human vulnerability by getting all the employees to sign a one page AUP (acceptable usage policy); you can download a free AUP here. After you write your AUP, make it clear that this is do or die for the employee.

Stage two, you want to mitigate your data vulnerability with all-channels extrusion detection technology from a company like Fidelis Security Systems. Fidelis uses Layer 2 content interception and monitors all channels; Fidelis also offers prevention, which is a must for very critical data when you want to shoot first and ask questions later. My experience with Fidelis XPS is that you can install one of their appliances in about 15 minutes and start monitoring outgoing data flows. The results of what is going out are always an eye-opener.

And by the way, whatever you do - don't forget to let the employees in your call center know that they are being monitored.

That notice is worth its weight in gold.

November 27, 2006

Third party software vulnerabilities

A lot of heat has been put on the security of Vista and other Microsoft software products.

However, Microsoft has a software security architecture which they use and also have the advantage of not being dependent on third party proprietary software in their core operating system, desktop and Back Office products.

With all the criticism of Microsoft, I say people who live in glass houses should not throw rocks.

Most IT security startups take short cuts and don't bother with software security assessment of their own product. They license proprietary closed-source components for their products and they don't publish CVSS (Common Vulnerability Scoring System) scores.

I am personally familiar with the extrusion prevention space - a dense, highly competitive group of vendors that develop products that monitor outgoing content from a network.

It is public knowledge that Stellar, Tablus, Port Authority, Vontu, Proofpoint (and others) all use the Verity KeyView SDK to decode content. That's how they all, amazingly enough, have the same number of content decoders in their press releases. They somehow manage to imply that this is part of their core IP, but in fact it is not.

More importantly, these products (which are supposed to mitigate the risk of insider theft and insider stupidity) are vulnerable because of the vulnerabilities they inherit from their licensed software. Being closed-source products themselves, it is a no-brainer that none of these vendors have submitted their source code to third-party testing, defect reduction and software security improvement.

As reported earlier this year, the Verity KeyView Filter SDK contains a flaw that allows a remote attacker to delete arbitrary files. The issue is due to 'kvarcve.dll' not properly checking the filenames of compressed files in ZIP, UUE, and TAR archives for traversal-style attacks (../../) when generating their previews.

According to the Secunia Web site an upgrade is required as there are no known workarounds.
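The flaw described above belongs to the archive member name traversal class: a preview generator trusts the file name stored inside an archive and writes or deletes files wherever that name points. As an added example (not the page's, Verity's, or any of the vendors' code), here is the check a preview generator should run on every member name before it touches the disk. The preview directory and the sample ZIP and TAR archives are constructed for the illustration; the archives are built in memory, so nothing is written anywhere.

```python
import io
import os
import tarfile
import zipfile
from typing import Iterable, List, Optional, Tuple


def safe_extract_target(base_dir: str, member_name: str) -> Optional[str]:
    """Map an archive member name onto a path inside base_dir.

    Returns the resolved target path, or None when the name must be rejected:
    empty names, embedded NULs, absolute paths, Windows drive letters, and any
    '..' segment. Backslashes are treated as separators as well, because the
    affected component runs on Windows and '..\\..\\x' must be caught too.
    A final commonpath() check on the joined path is defence in depth against
    anything the segment test might miss."""
    if not member_name or "\x00" in member_name:
        return None
    norm = member_name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return None
    segments = [s for s in norm.split("/") if s]
    # Deliberately strict: 'docs/../readme.txt' stays inside base_dir, but a
    # preview generator has no legitimate reason to emit a '..' segment at all.
    if any(s == ".." for s in segments):
        return None
    base = os.path.normpath(base_dir)
    target = os.path.normpath(os.path.join(base, *segments))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def partition_members(names: Iterable[str], base_dir: str) -> Tuple[List[str], List[str]]:
    """Split member names into (accepted, rejected) without touching the disk."""
    accepted: List[str] = []
    rejected: List[str] = []
    for name in names:
        if safe_extract_target(base_dir, name) is None:
            rejected.append(name)
        else:
            accepted.append(name)
    return accepted, rejected


def build_sample_zip() -> bytes:
    """Constructed sample ZIP: one benign member beside three hostile names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/q3.txt", "quarterly numbers")
        zf.writestr("../../etc/passwd", "overwrite attempt")
        zf.writestr("..\\..\\Windows\\win.ini", "overwrite attempt")
        zf.writestr("/abs/path.txt", "absolute path")
    return buf.getvalue()


def build_sample_tar() -> bytes:
    """Constructed sample TAR with the same kind of hostile member name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in [("report/q3.txt", b"quarterly numbers"),
                           ("../../etc/passwd", b"overwrite attempt")]:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def screen_zip(zip_bytes: bytes, base_dir: str) -> Tuple[List[str], List[str]]:
    """List the members of an in-memory ZIP and screen their names."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
    return partition_members(names, base_dir)


def screen_tar(tar_bytes: bytes, base_dir: str) -> Tuple[List[str], List[str]]:
    """List the members of an in-memory TAR and screen their names."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        names = tf.getnames()
    return partition_members(names, base_dir)


if __name__ == "__main__":
    preview_dir = "/tmp/previews"  # hypothetical preview directory
    for label, result in (("zip", screen_zip(build_sample_zip(), preview_dir)),
                          ("tar", screen_tar(build_sample_tar(), preview_dir))):
        accepted, rejected = result
        print(f"{label}: accepted={accepted} rejected={rejected}")
```

The same screen applies to any container format, which is the point: the decoder's job is to decode, and the name it reads from the archive header is attacker-controlled input like any other. Rejecting a member is safer than "fixing" its name, since a sanitized name can still collide with a legitimate file in the preview directory.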

Next time a salesperson from one of these vendors calls you, ask her some simple questions:

1) How many of their customers have unpatched and vulnerable products?

2) How do they handle patch distribution and management in the field for a proprietary third-party component, where a) the patch needs to be available and b) the vendor needs to make sure all users have received and installed the patch?

3) What additional vulnerabilities were introduced because of the programming interfaces to the Verity KeyView Filter SDK?

4) Are these and other vulnerabilities documented with CVSS on the vendor Web site? (Like Skype and Symantec...)

November 28, 2006

In the EU, protecting human life takes second place to data protection

The Article 29 Working Group has told SWIFT (the worldwide electronic funds transfer network) that they are in violation of EU and Belgian data privacy laws. They went even further and chastised SWIFT for violating civil rights:

"Any measure taken in the fight against crime and terrorism should not and must not reduce standards of protection and fundamental rights which characterize democratic societies".

What happened exactly?

After the 9/11 terror attacks in New York, SWIFT provided messaging information to the US Treasury Department in order to track financial transactions by suspected terrorists, after receiving a court order.

What is wrong with the EU panel chastising SWIFT?

1. The Article 29 Panel operated outside its own charter.

Article 29 is a pre-9/11 recommendation from the ICRT (International Communications Round Table) to limit general interception and surveillance of telecommunications. (I am quoting from their Web site.)

It was not general, since SWIFT sent specific subsets of data to the Treasury based on narrow court-ordered requests to help with financial intelligence for terrorism investigations and reduce exposure of personal records.

There was no interception involved by SWIFT since they sent their own files to Treasury under a court order.

2. It is an immoral and improper ruling.
Article 29 is pre-9/11 and was never updated to strike a fair balance between the need for customer data protection and the war against global terror. During the American revolution, Thomas Jefferson never called for the destruction of England and suicide bombers never blew up thousands of civilians in London pubs.

Let's remind the EU and Belgium in particular that human life is the most fundamental right of all and that the protection of human life should ALWAYS take precedence over the protection of personal data. Belgium unfortunately has a record of supporting Islamic and Palestinian terror interests - recall Belgian attempts to get Israeli Army officers on trial for war crimes.

3. The ruling disregards perfectly acceptable legal alternatives in the EU.

For example, the EU data privacy directive, EU Directive 95/46/EC, took effect in 1998. The EU privacy laws include the directive itself plus the various laws enacted by EU member nations to adopt the directive in their respective states. These laws dictate the specific ways that personal data may be collected, processed, used and transferred.

The EU and the U.S. have negotiated a "safe harbor" agreement. For example, a US corporation could agree to comply with safe harbor principles set forth by the U.S. Department of Commerce, which have been accepted by the EU. These principles cover many of the same concepts as the directive, touching on requirements for notice, choice, and onward transfer of data, security, data integrity, access and enforcement.

I am not a lawyer and am not privy to the interchange between SWIFT and Treasury but I imagine that SWIFT could be covered under such a safe-harbor agreement or at the very least, the EU panel could have proposed such an arrangement.

It is sad that the Article 29 panel has decided to make a political statement instead of providing constructive support in the war against Islamic terror.

About November 2006

This page contains all entries posted to Israeli Software in November 2006. They are listed from oldest to newest.


This weblog is licensed under a Creative Commons License.