Studies suggest that 30-50 percent of patients are likely to give up treatments early.  Microsoft Research has developed an innovative, hand-held medical device called Anatonme to help patients understand their issue and complete their treatment plan more often.

We’ve been doing research and development into private, controlled social networking to reinforce private communications between doctor and patient. It’s gratifying to see Microsoft Research doing work in this area.

Private social networking for doctors and patients provides highly effective secure data sharing between doctors and patients. It allows patient-mediated input of data before visits to the office, making the clinical data more accurate and complete and boosting the trust between doctor/healthcare worker and patient.

A private social network has a controlled 1 to N (doctor to patients) topology and physiological and emotional context, unlike Facebook that has a distracting social graph and entertainment context.

A private social network for doctors and patients also provides powerful information exchange and search:

1. Capture critical events on a timeline (for example blood pressure, dizziness etc) that enables the doctor to respond in a timely fashion.
2. Reconciles differences between what the doctor ordered and what the patient did.
3. Granular access control for sharing of data between doctor, patient and referrals.

If you’re interested in hearing more – contact us.

George Colony, the chairman and CEO of Forrester Research, re-ignited a minor firestorm recently, with a presentation at the LeWeb conference in which he argued that the web is dead, and being replaced by the app economy — with mobile and smartphone apps that leverage the cloud or other services rather than the open web.

I have written here and here about the close correlation between Web application security and Web performance.

I know that Mr. Colony has sparked some strong sentiment in the community, in particular from Dave Winer:

If I can’t link in and out of your world, it’s not even close to a replacement for the web. It would be as silly as saying that you don’t need oceans because you have a bathtub. How nice your bathtub is. Try building a continent around it.

Of course, that is neither true nor relevant.

Many apps are indeed well connected, and the apps that are not wired-in, don’t have to be wired; the app is simply doing something useful for the individual consumer (like iAnnotate displaying a PDF file of music on a iPad or Android tablet).

iAnnotate turns your iPad into a world-class productivity tool for reading, annotating, organizing, and sending PDF files. Join the 100,000s of users who turn to iAnnotate for their PDF annotating needs. We designed iAnnotate to suit your individual workflow.

I became even more cognizant that apps may overtake the open Web over the past 2 weeks when Google Apps was going through some rough spots and it was almost impossible to read email to  software.co.il or access or calendars…except from our Android tablets and Nexus S smartphones.   Chrome and Google Apps was almost useless but Android devices just chugged on.

There is a good reason why apps are overtaking the open browser-based web.

They are simply more accessible, easier to use and faster.

This is no surprise as I noted last year:

The current rich Web 2.0 application development and execution model is broken.

Consider that a Web 2.0 application has to serve browsers and smart phones. It’s based on a heterogeneous server stack with 5-7 layers (database, database connectors, middleware, scripting languages like PHP, Java and C#, application servers, web servers, caching servers and proxy servers.  On the client-side there is an additional  heterogeneous stack of HTML, XML, Javascript, CSS and Flash.

On the server-side, we have

• 2-5 languages (PHP, SQL, tcsh, Java, C/C++, PL/SQL)
• Lots of interface methods (hidden fields, query strings, JSON)
• Server-side database management (MySQL, MS SQL Server, Oracle, PostgreSQL)

On the client side, we have

• 2-5 languages ((Javascript, XML, HTML, CSS, Java, ActionScript)
• Lots of interface methods (hidden fields, query strings, JSON)
• Local data storage – often duplicating session and application data stored on the server data tier.

A minimum of 2 languages on the server side (PHP, SQL) and 3 on the client side (Javascript, HTML, CSS) turns developers into frequent searchers for answers on the Internet (many of which are incorrect)  driving up the frequency of software defects relative to a single language development platform where the development team has a better chance of attaining maturity and proficiency. More bugs means more security vulnerabilities.

More bugs in this complex, broken execution stack means more things will go wrong and as devices and apps are almost universally accessible now; it means that customers like you and me will not tolerate 2 weeks of downtime from a Web 2.0 service provider.  If we have the alternative to use an app on a tablet  device, we will take that alternative and not look back.

The Little Engine That Could

Copyright 2004 Joel Isaacson. This work is licensed under the Creative Commons Attribution License.

I  try to explain what are the top 10 mistakes made by Linux developers as I see it. I’m aware that one person’s mistake is another person’s best practice. My comments are therefore subjective.

I will use an embedded Linux device, the WRT54GS, a wireless router as an illustration of an embedded Linux device.An interesting article about this device can be found in: http://www.pbs.org/cringely/pulpit/pulpit20040527.html.

“The Little Engine That Could” How Linux is Inadvertently Poised to Remake the Telephone and Internet Markets – By Robert X. Cringely

So what are the top 10 mistakes made by Linux developers?

10 – Pick a vendor.
9 – Then pick a platform.
8 – We are not in Kansas anymore.

Support Issues

10 – Pick a Vendor

• In my experience picking a large foreign company for support is not the best way to go for various reasons.
• More about this later.

Which Linux?

From: ” Snapshot of the Embedded Linux market March, 2004″
http://linuxdevices.com/articles/AT8693703925.html

Which Vendor?

From: ” Snapshot of the Embedded Linux market March, 2004″
Instead of rolling their own OS from scratch, embedded developers now roll their own OS from Linux source. The barchart shows that, collectively, embedded Linux vendors including MontaVista, Metrowerks, TimeSys, Denx, Sysgo, LynuxWorks, and FSMLabs have supplied Linux for only 22 percent of projects during the last two years, projected to reach 24.2 percent over the next two years.

http://linuxdevices.com/articles/AT8693703925.html

9 – Then Pick a Platform

• Most people immediately turn to Intel for a platform.
• If you are running high performance commodity systems this makes sense.
• For smaller embedded systems the Intel X86 architecture isn’t necessarily the best choice.

Which Processor?

ARM — including StrongARM and XScale architectures – are gaining on x86 as the most popular processor architecture for embedded development. This year’s results show that trend continuing. And, for the first time, embedded Linux developers are projecting that they’ll base more projects on ARM than x86 processors in their projects during the next two years.

http://linuxdevices.com/articles/AT8693703925.html

8 – We are not in Kansas anymore.

• Linux is a disruptive technology. A once in a generation paradigm change.
• If you don’t change your methods of dealing withsoftware support, you will not benefit.
• Let’s examine the issue of support in Open Source Systems.

Commercial vs. Open Source Knowledge Base – cost and access

Who Do You Turn To?

• There are three viable approaches in dealing with support issues in Linux.
  • Get support from a large foreign software company.
  • Get support from a smaller local software company
  • Support yourself.

Support:
Large Foreign Company

• There are a number of fairly large companies that support embedded Linux:
  • IBM
  • Montavista
  • RedHat
• You have to be careful of ” vendor lockin”
• Why go to Linux and then sell your soul to the devil?

Support: Small Local Company

• There are a number of local companies that can provide support for embedded Linux.
• The nice thing about this approach is that the local companies are not at a disadvantage since there is no proprietary or hidden software in the embedded Linux solution.
• Just look around you, there is plenty of talent in this country.

• No ” vendor lockin” .

Support Yourself:

• Since everything is open you can provide your own support.
• This is definitely the most effective, but it needs the largest investment of time and talent.
• There is a lot of help available on the Internet and recently published books.

7 – I want it to run real fast.

Well boy you need real time.

Real Time Systems

• A large amount of confusion exists about the uses of commercial RTOS’s
• This confusion is largely propagated by companies that sell RTOS’s.
• The use of RTOS’s in embedded systems is mostly a historical anomaly.

Real Time Systems

• Real time systems are optimized to minimize worse case latency (the response time).
• Interrupt latency is usually the criterion that defines how “Real Time” the operating system is.
• RTOS are usually needed to control hardware that has strict time constraints.

Embedded Systems

• Embedded systems are systems with limited human interaction.
• These systems are sometime very small but not necessarily.
• The embedded computer market is huge The shipment volume of embedded systems is much larger than the PC computer market.

Latency vs Throughput

RTOS
Linux
Real Time – Says Who?

• The majority of realtime systems aren’t.
• Embedded systems are often misclassified as realtime systems. However, most systems simply do not require realtime capabilities, in fact these capabilities are detrimental.

• Realtime requirements are often simply designed out through the use of a deeper hardware FIFO, scatter/gather DMA engines and custom hardware.

So You Still Want Real Time!

• There are a number of approaches that can be used to provide Real Time Response:
• Soft Real time: There are various low latency patches to the standard Linux kernel:
  • Montavista’s
  • Redhat’s
• Hard Real time: The are a number of hard real time kernel patches:
  • Rtai
  • RtLinux

6 – Posix RealTime Extensions

Posix.4 RealTime Extensions to Linux

• Posix.4 adds realtime facilities to Posix.
• This standard add the facilities typically used in RTOS’s.
• In my opinion using these facilities are a recipe for trouble.
• There are no standard Linux programs that use these facilities, just look at your favorite Linux distribution.

Use Linux’s Strong Simple Abstractions

• Linux supports some very powerful abstractions that should be preferred over many weaker techniques.
• The major strong abstractions of Linux are:
  • Files
  • Processes
  • Memory spaces
  • IPC

5 – Java

• While this is difficult to classify as a mistake, it is worth noting that virtually no standard Linux programs are written in Java.

• Sun itself uses GnomeGtk for its desktop, which is written in C. If Java is so good why doesn’t Sun use it.
• Sun releases a SUSE version of Linux, without any Java programs, and dubs it the ” Java Desktop System” .

4 – Scaling

• Embedded environments many times have restrictive resources and the software must be properly scaled to run on the platform.
• Things that are appropriate for a large enterprise server, such as Apache, PHP, graphical toolkits that are familiar to many Linux users are just too big for restricted embedded hardware.
• Trying to squeeze these large programs into small flash memory is just no fun.

3 – Threads

• The main problem with threads is that they are hard to use correctly. Even for experts,development is painful.

http://www.cc.gatech.edu/ccg/people/rob/software/threads/ousterhout_threads.html

Why Threads are Hard

• Synchronization:
  • Must coordinate access to shared data with locks.
  • Forget a lock. Corrupted data.
• Deadlock:
  • Circular dependencies among locks.
  • Each process waits for some other process.

Why Threads are Hard, cont’d

• Achieving good performance is hard:
  • Simple locking (e.g. monitors) yields low concurrency.
  • Finegrain locking increases complexity, reduces performance in normal case.
  • OSes limit performance (scheduling, context switches).
• Threads not well supported:
  • Hard to port threaded code (PCs? Macs?).
  • Standard libraries not threadsafe.
  • Kernel calls, window systems not multithreaded.
  • Few debugging tools (LockLint, debuggers?).

Debugging Threaded Programs

If Not Threads Then: EventDriven Programming

• One execution stream: no CPU concurrency.
• Register interest in events (callbacks).
• Event loop waits for events, invokes handlers.
• No preemption of event handlers.
• Handlers generally shortlived.

• Main loop architecture.

Process Based Concurrency

Process Based Concurrency Another Alternative

• Use processes for concurrency rather than threads.
• Synchronize processes with event based IPC.
• Advantages:
  Simpler and surprisingly more efficient synchronization than threads.
• send/rcv is self synchronizing and buffered.
  No race conditions. Much simpler to debug. Trivial to distribute.

Process Based Concurrency

P1 P2 P3 P4
Event Based Manager
Process Based Threading
Another Alternative

• Instead of sharing all memory, create processes with a shared memory region.
  • This allows you to minimize the interaction of the processes to a well defined subset of the total memory space of the application.
  • Thread safe libraries are not needed.
  • Use POSIX 1003.1b semaphores to synchronize shared data.
  • No performance hit.

2 – Use the Source Luke

• The source is your friend.
• The GPL creates a unique situation that makes many embedded devices transparent.
• The WRT54G wireless router is a case in point.
• Linksys (a Cisco company) shipped this box without any indication that the software was GPL’ed
• Someone noticed that this was a Linux box and sent an email:

The Letter

From Andrew Miklas <>
Subject Linksys WRT54G and the GPL
Date Sat, 7 Jun 2003 22:41:23 0400
Hi,
Awhile ago, I mentioned that the Linksys WRT54G wireless access point used
several GPL projects in its firmware, but did not seem to have any of the
source available, or acknowledge the use of the GPLed software. Four weeks
ago, I spoke with an employee at Linksys who confirmed that the system did
use Linux, and also mentioned that he would work with his management to
ensure that the source was released. Unfortunately, my emails
to this
individual over the past three weeks have gone unanswered. Of course, I also
tried contacting Linksys through their common public email
accounts
(
 pr@linksys.com,
 mailroom@linksys.com) to no avail.

Linksys Releases The Source

• Linksys eventually released the sources.
• You can just download it from their web site.
• This launched ” The Little Engine That Could” .
• They have done very well with this product.
• If you want to design an embedded Linux product just look at the completely transparent design of the WRT54G for a guide on how to design an embedded system.

1. GPL Violations

• Israeli companies tend to ignore the finer details of legalities.
• Violations of the GPL are a serious matter.
• Recently the GPL has been upheld in its first court test in Germany.
• The authors of netfilter, Linux’s firewall, has been granted an injunction against Sitecom Germany GmbH for GPL violations.

Typical to flawed security countermeasures, HDCP and AACS exacerbate and enlarge the threat surface rather than enhance revenues and reduce risk.

In this article we will show that Network PVR services may be an effective strategy for studios to mitigate the risk of content piracy.

Background

NetFlix, Vudu and Universal Studios Home Entertainment are skipping over HD-DVD/Blu-ray formats in favor of what some industry observers say is inevitable – download-only distribution.

Beginning November 23 2007, Vudu started giving new buyers “The Bourne Identity” and “The Bourne Supremacy” pre-loaded on their set-top boxes in HD. Buyers can purchase a downloaded copy of “The Bourne Ultimatum”, for $25 starting December 11, 2007.

The VUDU box and services sounded pretty cool to me when I first saw it – until I realized that the price of the “The Bourne Ultimatum HD” on Amazon is $27.99 with free Super Saver Shipping and the I don’t need to buy the Vudu and commit to their service. It’s two bucks less with Vudu but the VUDU STB sets you back $250 (reduced from $400). The Vudu business model does not seem extremely compelling. Although you have a hard disk – you cannot go back and view a movie if you ran out of time in a single sitting. The Netflix business model of having 3-5 movies for unlimited usage still seems a winner and in comparison, Vudu just doesn’t seem to have all the movies we’d want to see.

The price of SD (standard definition) DVDs is between USD2-5, depending on where you live and HD DVD seems to be going for about USD25-30, depending on the movie and season of the year. It’s cheaper and more convenient for a consumer to rent or buy a DVD from NetFlix or Blockbuster then to pay Vudu. if you want to see the latest episode ofDexter you can’t even get it on Vudu, and BitTorrent is more accessible not to mention, free.

While Vudu seem to have done some impressive engineering work on their STB, if they get any widespread traction, it may only be a matter of time until some irritated user cracks their box or bypassess the content protection.

What is HD (High Definition) video?

There is a good deal of confusion regarding exact definitions and consumer electronics product requirements for HD (high definition). HD refers to the quality of the picture (not to the means of digital content protection). Digital HDTV broadcast systems are defined by the number of lines in the vertical display resolution, the scanning system: (progressive (p) or interlaced (i) and the number of frames per second. The 720p60 format is 1280×720 pixels, with progressive encoding at 30 frames per second. The 1080i50 format is 1920×1080 pixels, with interlaced encoding at 25 frames per second. For commercial naming of the product, either the frame rate or the field rate is dropped, e.g. a “1080i television set” label indicates only the image resolution.

Is HD for digital TV only? (no)

If you have have an older TV set with an analog RCA interface, you’re in luck – the issues of digital HDTV are eliminated by connecting your TV set to a DVD player using the analog HD signal output with RCA connectors instead of HDMI. The analog outputs of most HD devices will replicate the resolutions of the digital outputs i.e. 720p and 1080i, so fidelity of the picture is maintained. Connectivity is via standard VGA HD15 connector or high-resolution component video output using 3 x RCA connectors. Analog HD signals can also be distributed over standard Cat5 cable up to a few hundred meters, which is pretty convenient if you have a large house or a small hotel.

What is HDCP?

High-bandwidth Digital Content Protection (HDCP) is a proprietary DRM scheme for protecting premium HD content. HDCP was developed by Intel Corporation to control digital audio and video content transmitted on DVI (digital video) and HDMI (high definition media) interfaces in consumer electronics devices such as DVD, STB, TV Sets. Compliance with HDCP requires a license from Digital Content Protection LLC, a subsidiary of Intel. In addition to paying fees, manufacturers agree to downgrade quality when interfacing to non-HDCP compliant devices. For example, HD video is downgraded to DVD quality on a non-HDCP compliant TV set. HDCP also incorporates a black-listing scheme of cracked devices using a key-revocation scheme where the black list is stored on the DVD media.

HD content protection – fundamentally flawed

The HDCP black-listing scheme defies the laws of physics and reason. For example, you may be a perfectly law-abiding citizen, but if someone in Timbuktu hacks your model XY500 DVD player, the device key is revoked, and you will never be able to play discs that came out after the date the device was compromised. If a hacker taps into the HDMI / HDCP signal copies a movie enroute to your model TV Set, the HDCP device key can be revoked and your 80 inch TV will never play high-definition again.

Blu-Ray copy protection was broken in the beginning of this year (January 2007) (Courtesy of muslix64, the same fellow who cracked HD-DVD). Both HD DVD and Blu-ray use HDCP (High-Bandwidth Digital Content Protection) for authentication and content playing, and both use the AACS (Advanced Access Content System) for content encryption. (AACS is the content protection for the video on DVDs and HDCP is the content protection on the HDMI link between the DVD player and the TV). It appears that muslix64 took a snapshot in memory of a running process, then used selective keying – serially trying bytes 1-4, then 2-5, 3-6 etc as the keys until the MPEG frame decrypted. (much faster than a pure brute force attack). If the video player process stores the key in clear text in memory, this type of attack will always work. Like most flawed encryption schemes, AACS is vulnerable to threats to due a poor software implementation.

” The AACS design prevents legitimate purchasers from playing legitimately purchased content on legitimately purchased machines, and fails to prevent people from ripping the content and sharing it through bittorrent. The DRM people wanted something that could not be done, so unsurprisingly they winded up buying something that does not do it”

James Donald.

Now you understand why BitTorrent is so popular.

A popular TV series like Heroes is available for download on BitTorrents worldwide in AVI format within a few hours after airing with the commercials edited out. OK – Heroes is SD, not premium content like ” The Bourne Ultimatum” but so far I reckon the quality of the AVI download is not deterring users from watching Heroes off BitTorrent.

In world of download-only distribution, studios have an opportunity for expanding business using the Internet and a huge digital asset protection challenge. From the perspective of piracy (protecting intellectual property of the studio) and revenue assurance; being able to download HD content to a PC or PVR disk is an ugly threat, especially considering how easy it has been to crack or bypass AACS content protection in Blu-Ray and HD DVD until now. Once the content is stored on a hard disk on a Windows PC, you’ve lost control for ever.

The software and algorithms for Premium HD content protection are fundamentally flawed as Peter Gutmann shows in his article: A Cost Analysis of Windows Vista Content Protection

Alternatives for a download world.

As the consumer Internet moves towards a download-only distribution model, the motion picture industry needs to find answers to their digital asset protection challenge without biting the hand that feeds them.Network PVR may conceivably be the most effective method for protecting digital movie content from the perspective of both the studios and the consumer.

There is no such thing as a single silver-bullet, optimally-effective countermeasure to the vulnerabilities of flawed content protection schemes, flawed software implementations and vulnerable PC operating systems. That is the mistake of an over-reaching scheme like HDCP.

Gutmann’s analysis is outstanding in its breadth and depth but he doesn’t propose a system of countermeasures which would help the studios protect their intellectual property. In order to identify the most cost-effective set of countermeasures to the threat of piracy, we start off by examining risk profiles of different digital content distribution implementations.

Digital content distribution vulnerabilities

Fortunately, a threat analysis of digital content distribution (VOD and live content) is simplified by having one asset (the digital content) and one major threat; piracy (people who want to make unauthorized copies of the content and give it away for free). This means that we can focus on the vulnerabilities.

The below heat diagram provides a qualitative threat analysis of digital content distribution. The Y-axis is the channel – broadcast or Unicast (for the sake of classification, we call distribution of physical DVDs – ” Unicast ” since sale of a DVD is performed between only two parties – the seller and buyer). The X-axis classifies whether or not the subscriber stores the content on a hard disk.

Red is high risk, Orange is medium risk and Yellow is low risk.

As seen in the bottom left quadrant of the above heat diagram, network PVR has less vulnerabilties and lower risk. Note that the video servers are stored in the operator premises in a controlled and secure operating environment and are much less vulnerable than subscriber set-top boxes.

An introduction to Network PVR

Cablevision, the New York suburban cable provider, took an aggressive approach to Network PVR (NPVR) services that ran into strong resistance from the content industry. Cablevision uses an NPVR service where they record broadcast TV channels at the head-end and the subscriber can replay specific programs at a later time on a disk-less set top box (the NPVR). If the area of personal video recording is not familiar to the reader – see the Wikipedia article on Digital video recorders

Cablevision felt that it had the right to do this, but the TV networks disagreed. They sued, Cablevision lost and is now appealing that decision.

FastWeb in Italy is a service based on Cisco technology that provides 100MB/s to the home. FastWeb launched their NPVR service with a nuanced approach – the subscriber requests that a TV program be recorded. FastWeb records that program and allows only that viewer and any other viewers who requested recording the program to view it later. This was no worse that if the viewer owned a Tivo, so the TV broadcasters in Italy accepted it.

The Cablevision case is particularly relevant for IP network providers. Their IPTV networks are better suited than cable networks to support NPVR and other on demand services. NPVR can give the telcos a significant advantage over the cable companies.In addition, it keeps all the traffic in the network provider cloud and significantly removes the load on WAN connectivity to the Internet from all those home users downloading pirated copies of the Lord of the Rings movie and the latest episode of Heroes

A threat analysis of a Network PVR service

There are three main security concerns for a TCP/IP Unicast Network PVR system:

1. Digital content protection at the subscriber premise.
2. Digital content protection for content in motion and content at rest in video servers.
3. Authentication (identifying a valid subscriber with a STB and protecting the VOD provider from fraudulent usage)

In light of the Cablevision case, we constructed a scenario based on a Unicast NPVR service that provides VOD, and live-content recording of shows at subscriber-requests, and performed a threat analysis using the PTA (Practical Threat Analysis) methodology, Assuming that the operator installs diskless set-top Boxes (STB) at the subscriber premise and video servers in the network operation,we identified the following threats, vulnerabilities and countermeasures.

Threats are labelled TX, exploited vulnerabilities are labelled VX and countermeasures that mitigate the vulnerabilities are labelled CX.

T1 – The subscriber may steal plain-text content by tapping the STB ethernet link.

V1- Transmission of clear-text content enables interception using off-the-shelf network tap devices that cost less than USD 500 The breakeven point on a network tap is about 20-25 movies which makes it worthwhile to buy a tap for a semi-serious hacker.
Call Netoptics Network Taps for a quote.

C1 – Encrypt content on video servers, decrypt content on STB
C2 – Encrypt keys on video servers or don’t store keys
C3 – Place physical safeguards on key access
 

T2 – The subscriber may capture an output signal from STB to home TV set and distribute by a Bit Torrent

V2 – The DVI/HDMI cable from STB to TV set can be tapped.

C4 – Let subscribers use an analog cable (so-called ” analog-hole “)
According to FCC fair-use rulings, free over-the-air broadcast signals may be copied freely, and may not be reduced in resolution (” down-res’d” ) when output from unprotected high-definition analog ports.
C5 – Protect content with an economic ” dis-incentives”
It’s easier and cheaper to buy the HD DVD movie for USD 25-30 at Amazon than to hack the technology. If the IPTV operator provides a rich collection of SD, HD and Television series content for an attractive price, without changing the way a subscriber runs her life, the economic incentive for piracy becomes minimal.

T3- A subscriber may redirect a video stream to other NPVR users who did not pay for the content

V4 – The STB vendor may sell boxes to competitors
V5 – STB Middleware commands can be manipulated
V6 – Unauthorized users may engineer STB clones to access the NPVR service

C7 – Restrict redirection of content in the STB middleware to the IP address of the STB that made the command request.
C8 – Require subscriber authentication by the video server for each NPVR content request.

T4 – Malicious attackers may mount a denial-of-service attack and overload video servers.

V7 – VOD servers may be accessible from the public Internet

C9 – Segregate the VOD network from the public Internet with firewall and VLAN.

T5 – A trusted insider in the IPTV operation may steal clear-text content.

V3 – Employee with who work for the network provider may have physical access to content before source-encryption

C10 – Vet employees, have them work in pairs; don’t employ students or temporary contractors.
C11 – Check bags leaving the building for removable media
C12 – Detect unauthorized network transfer of clear text content using extrusion detection techniques in network core.

Conclusions

• It’s a lot easier to protect content on IPTV video servers in a controlled environment of a Telecom service provider than on a Windows PC in someone’s home.
• An attack could be mounted on the STB/NPVR network in order to steal master keys and decrypt encrypted content. The cost of mounting such an attack is far greater than the economic alternative of buying HD DVD media on the open market and producing pirated copies or ripping the media and putting it on a Torrent.
• Since BitTorrent is both a strong competitor and sucks up a lot of ISP bandwidth (over 20 percent last time I looked), operators and studios have an opportunity to use an” if you can’t beat them join them”strategy. Considering FCC fair-usage rulings on free-to-air content, the studios and operators are better off using NPVR to serve up shows like Dexter and Heroes and tack a bit extra on the monthly charge. Unicast NPVR serves video on demand without loading the entire network with multicast traffic, subscribers get faster response times (by not having to go out to the public Internet) and the studios gain residual revenue on the shows.
• NPVR security countermeasures use open standards for encryption and network security and have no dependencies on what a third party vendor or subscriber may or may not do. There are no side effects on the entire system if an individual subscriber hacks her IPTV set-top box

It’s interesting to compare the TV / movies market with the PC / Internet market. The TV world is groping towards 1080p and the PC industry long since moved beyond it. The TV world is floundering in shallow waters with an ill-conceved, and poorly implemented scheme of HD content protection written by one of the major vendors (Intel) whereas the the PC / Internet market is overtaking all competition having adopted vendor-neutral standards such as HTTP over 20 years ago.

As seen from the above threat analysis, Unicast network PVR provides the smallest threat surface of current content distribution schemes lowest risk profile and some additional revenue opportunities. It uses standard security measures with no massive side effects like HDCP and plays well with the market economics of providers, studios and subscribers.

Unicast NPVR may just be the most effective way for both the studios and the network service providers to distribute and monetize content with the widest audience and at the lowest cost.

• Why are big companies like Microsoft, Sony, Sanyo, NEC and Intel involved in PC-living room integration.
• Do consumers really want Web services on their TV set?
• Why are the big Telecom service providers driving deployment of IP (Internet Protocol) TV?
• What will happen with DRM? Will it happen or will it break?
• Will digital asset protection become a central issue ?

Summary

Back in 2005, I looked at three technology directions for PC-TV living room integration. The article goes on to examine how the technology fits into a competitive marketing strategy. We follow Michael Porter’s model of strategy as resting on a tightly fitting system of unique activities.

The three technology directions examined are:

• PC and media extender that relays content from the PC to the TV
• A media station that attaches directly to the Internet and transmits to the TV
• An IP TV set top box that enables transmission of content to the TV set over an IP network (either the public Internet or a private network).

An analysis of competitive strategies suggests that generally speaking, this is a game for big players with a strong presence in consumer markets. However, small players may find opportunities in niche markets using unregulated TV over Internet or Web to TV content delivery. For example, a media station is an excellent way of serving up interactive Web content to underserved segments such as the retired persons market that watch a lot of TV, have general interests and a need to socialize.

Background

What are the market drivers?

• Why are big companies like Sony and Intel involved?
• Is this consumer electronics gadget?
• Are we witnessing the beginning of TV-PC-Web convergence?

To understand the answers to these questions and others, we need to look at the motivation for change inside three groups: consumers, Telco service providers and content providers.
From the standpoint of the consumer, the home PC stores growing quantities of digital media assets, but the living room experience remains the preferred choice when it comes to watching video or DVD or listening to music. As a result, there is a need to convert PC content to the living room TV set. Consumers also want to listen to music and watch video anywhere in the home without being tethered down to the PC. Therefore it is necessary to establish a Home Wifi network. Such networks are becoming prevalent, CE (consumer electronics) firms have capitalized on that need. One of the most important things for the cosumer is his freedom of choice, nobody wants to pay for content they don’t want. In Israel and elsewhere, it is generaly true, that consumers hate the cable companies and tolerate their ISP’s. Check your email; you may have received an offer like this recently:

Dear Digital-Cable-TV Member Did you know cable-TV-filters Permits consumers to get any-amount of in-demand-Payperview-movies, mature channels and sports for nothing. Click here: http://www.100100008159441947.resent.59.haynetsv.com

Telco service providers are threatened by cable operators; and in response are rolling out next generation IP-TV networks that require new (incompatible) IP set top boxes.
From the standpoint of the content creators and providers, distribution of video and TV programs is much easier and chieper on an IP network than on a broadcast TV network. The creation of interactive Web content is much cheaper than developing interactive TV programs using current generation of set top boxes.

What are the directions in product development?

The directions in product development are HT-PC: a Home theater on PC, Media-PC: networked PC, DVD and TV receiver all in one box, Networked DVD: DVD on a home Wifi network and IP-TV: television over an IP network.

What is already happening in the industry?

Major consumer electronics firms (Sony, HP, BenQ, LG, etc) are involved with media PC’s, and Networked DVD’s have been on the market since 2003. Media extenders are sold by Major datacom manufacturers like Cisco and D-Link. Microsoft promotes its Windows XP Media Center 2005, which is based on the notion of taking rich media from the PC in the study to the TV in the living room. Other companies involved in this emerging industry are chip companies (like TI, Intel, Freescale and Sigma Design) as well as an Israeli startup, Softier (www.softier.com) that is working with TI in developing Media Linux.

Technologies

We have identified three main technology trends among vendors in this field.

A1: Media extender that transmits content from the PC to the TV over home Wifi network.

A2: Media station that attaches directly to the Internet using a cable (or ADSL) modem and transmits content from Internet Web servers to the TV.

A3: IP Set top box that attaches directly to a Telco x-DSL modem and transmits content from the Internet Web servers to the TV over the Telco’s all-IP network.

A1: Home wireless network and media extender – how does it work?

Control menus are displayed on the TV set using a 10 foot user interface. Using the remote, the user can choose a file to play on the TV set or an interactive game. In order to play the chosen file, the PC install and run a local Web server that listens for play requests, accesses the local disk and streams the media back to the media extender that converts it into TV format. In order to interact with a multi-media game that runs on the client’s Web server, requests are sent to the PC and routed to the Web server, responses are sent back to the PC and routed to the media extender. The PC server may perform local caching of content in order to improve the end-user experience and reduce network latency. Most media extenders support Internet browsing using the remote and the TV set.
The most important advantage of this technology is that the hardware required is readily available, it is almost off the shelf. On the other hand there are a few down sides to this technology. Most media extenders don’t support Flash and most Web content is not suited for TV. The current systems are not Web-interactive, for example they don’t send a request to the Web and return a response. They use locally downloaded files stored on the PC in order to reduce latency. In general, the software development environment for media extender is poor. The quality of technology damages the user’s satifaction from the product. Browsing experience with the media extender is terrible and Global language support is poor. The media extenders are expensive. Compared to a digital set-top box that costs less than $100, media extenders cost between $250 and $1500 (Linksys).

A2: Home media station-Internet to TV- how does it work?

The media station runs the Linux operating system and can run applications such as a Web browser or an interactive game client that communicates with a Web server. The media station outputs TV grade video supporting standard codecs for Windows Media Player 9, H.264, MPEG4 and MPEG2. The system hooks directly to a cable modem, next to the TV set and accesses content on Web servers using the http protocol and streams the media to the TV. Control menus are displayed on the TV set using a 10 foot user interface. Content is supplied from Internet Web servers; such as digital photos ( www.ofoto.com) and educational games (http://www.renaissanceconnection.org) In order to interact with a multi-media game that runs on the client’s Web server, requests are sent to the media station using a remote and routed to the Web server. The media station may perform local caching of content in order to improve the end-user experience and reduce network latency.
The home media station is a simpler solution compared to the media extender. It does not require integration with the PC or having a home Wifi network. It also provides better value than a media extender, the media station can run videophone, a local Web server and as a CE product it is easier to operate than a PC. Compatibility with future solutions for IP set-top boxes is another important feature of the media station. The application software development environment for media station is excellent and familiar. The media station can OEM client software into potentially very large install base of Telcos. In spite it’s many advantages it is important to remember that the technology used here is new, you might find yourself at the bleeding edge. Home media sation technology does not solve the TV content compatibility issue.

A3: IP Set top box – how does it work?

The IP STB runs the Linux operating system and can run applications such as a Web browser or an interactive game client that communicates with a Web server. The media station outputs TV grade video supporting standard codecs for Windows Media Player 9, H.264, MPEG4 and MPEG2. It uses the same platform as the media station. The STB hooks directly to the Telco IP network using a x-DSL modem, next to the TV set. iT accesses content on Web servers using http and streams the media to the TV. Control menus are displayed on the TV set using a 10 foot user interface. Content is supplied from Internet Web servers; such as digital photos (www.ofoto.com) and educational games (http://www.renaissanceconnection.org). In order to interact with a multi-media game that runs on the client’s Web server, requests are sent to the media station using a remote and routed to the Web server. The media station may perform local caching of content in order to improve the end-user experience and reduce network latency.
The direct connection of the STB to a digital IP network of a Telco provider is a better and more reliable connection than cable modems. The STB Provides better value than a media extender. IP STB is owned by the Telco, therefore providing and provisioning the box is not your problem. STB Can OEM client software into potentially very large install base.The major problem of this technology is that few Telco service providers are ready with the network. The IP set-top boxes are still quite new and not widely available. Like the home media station, this technology is also new and might place you at the bleeding edge. STB technology does not solve the TV content compatibility issue.

Requirements/Alternative Matrix

Recommended echnology

As described above, there are three technology directions: the media extender + PC approach, the media station and the IP STB (Set top box). Of these options the most recommended one is the media station approach. The system’s instalation and deployment is simpler than the media extender. Since it is based on Web server/browser architecture all software and content is managed centrally, thus reducing cost of operation and customer support. The media station technology is available now, opposed to STB technology, which depends on the Telco to provide an IP-TV service. It Can run local application software and While not a PC, it provides more value than a media extender (as can be seen from the comparison matrix). For Israeli vendors there is the added advantage of working with a local vendor (Softier) as opposed to working with a Korean or US vendor.

The essence of strategy is choosing what not to do (Michael Porter)

The first question: what exactly are we selling and who are our customers?

Entering this field of technology as a vendor requires careful examination of products, markets, positioning and unique activity system in order to compose a competitive strategy. The chosen products and markets need to be a good fit for the vendor’s size and unique capabilities. In today’s highly competitive content market low cost or advanced technology alone are insufficient. The winning combination is of unique content to a highly segmentized market (for example Persians living in LA), delivered to TV over the Web.

What not to do…

Low-cost consumer electronics media extenders will probably not succeed. Don’t enter a low margin or highly competitive market. The client may not have proper distribution channels. Manufacturers are busy developing new products for media extender/station/IP STB; use their work to your best advantage, focus on application software development.
High-tech consumer electronics may not be a wise choice either, for example, a consumer electronics device for Internet media that delivers a better TV experience than a media PC with fewer headaches. Do you want to compete with Sony, Dell, Microsoft and Intel?

The road to success…

The key is to find an underserved segment, such as the retired persons market, and serve their unique needs. Many have money, they watch a lot of TV, they have hobbies, interests and a need to socialize. Provide interactive content, add unique services that can be coded into media station software that would provide P2P game interaction, secure file-storage, presence (are you home?). Deliver content from your Web server to the TV set in the living room. Implement a Web site rich in media and interactive content, remote control and media extender into a single integrated system. Become more efficient by using highly automated operations for advertising, provisioning and billing.

The second question: Whom are we selling to?
Customers and channels

The third question: what should be your market positioning?

What not to do…

Blockbuster streaming video servers failed in the past (2001), trying it again would not be a wise step.
File-sharing involves too many digital rights issues, and DRM is too sticky, it is better keep it simple and leverage
an open source approach. It is useful to remember that general media playing has no relative advantage.

The road to success…

Positioning can be either variety-based (interactive content, person to game, person to person) or access-based (ethnic, retired, other segments that use TV intensively). You should provide the network and interactive products, which can be In-house products or obtained through a partnership with a content producer.In addition, provide a standard setup package (media station, software and remote) with no options. Content is provided on a subscription basis, either fixed or pay per use. Subscription with a fixed price per month and unlimited content is a simple scheme but may reduce loyalty since it is too similar to cable providers. Pay per days used may result in lower revenue per consumer but may increase consumer loyalty and total revenue overall. Either way, subscription does not subsidize the setup.

Activity system: tight-fitting, optimized and difficult to copy

Provide interactive games and educational content such as person to game and person to person. Your market needs to be as segmented as possible, sell to carefully selected customer segments, for example retired persons that have a need to socialize and connect and tend to spend more time watching TV. Operating a Web site for customers that includes content, news, forums, and downloads promotes customers involvment and loyalty. Users can access the content using a standard browser (Firefox or Explorer) and use the self-service applications to view their bill and get assistance. Use Web services for provisioning and billing, enable the operator to easily register and activate new users that plug in their new media station and measure system usage. Use standard welcome kit (Media station and remote control), ready to be plugged into a cable modem with no options available. Implement proprietary media station software that processes remote control commands and caches content in order to reduce latency. Utilize distributed file storage based on a decentralized architecture to pool unused disk space on the user’s desktop computers. This is not an absolute requirement for the system, as the file storage can be implemented in a central Web server farm; however it may prove to be an economical way of improving scalability and an attractive feature that enables content users and creators to store files in anonymity.

Graphical view of the activity system

Keywords and Links

IPTV: Television broadcasting over an all IP network

• http://www.dave.tv/ TV over IP network, launching Jan 2005
• http://www.microsoft.com/tv/content/Solutions/IPTV/mstv_IPTV_Overview.mspx
• www.digeo.com

Windows XP Media Center 2005

• http://www.microsoft.com/windowsxp/mediacenter/default.mspx XP Media Center
• http://digitaljoy.com/2_1.htm HP Digital Entertainment center

Home Media Networking

• http://www.cnet.com/4520-10602_1-5619005-1.html Review of CES 2004.
• www.ucentric.com Home media networking software for CE media centers and media gateways; whole-home applications: multi-TV, PVR and music.
• www.sonos.com Digital music system for the home.
• http://www.tomsnetworking.com/Reviews-157-ProdID-PLAYATTV.php A network media player that sits between your computer and your television. It translates the computer-based audio, video and picture formats into a format that the television can understand
• http://www.kiss-technology.com/
• http://www.sigmadesigns.com/

Games for TV http://www.gametime.tv/

On-Line/Internet – PC/TV Combinations

• www.benq.com AV playback, TV, Web, PC, wireless keyboard and mouse
• http://www.visson.com.tw/e-prod-smartv_spec.html - SmarTV 2010
• http://www.neuston.com/en/mc500.asp
• http://www.dmuze.com/product/dmc_en.php
• http://forums.eyo.com.au/showthread.php?t=58439
• http://linuxdevices.com/news/NS8570522277.html
• http://www.ezhometech.com/
• http://graphics.tomshardware.com/video/20020621/sigma-01.html

Software and remote control products

• Software - http://www.snapstream.com/Products/beyondtv/
• Remotes http://www.globalsources.com/si/6008816262086/CompanyProfile.htm
• Remotes http://www.ruwido.com/en/oem.htm

Shows and other online resources

• Streaming Media Show – May 17-18, 2005 http://www.streamingmedia.com/east/exhibitors.asp
• Digital Content online resource http://www.econtentmag.com/

We designed and implemented a large scale IT infrastructure modernization project that was tasked with improving availability, scalability and security of the online diamond trading networks at diamonds.com and diamonds.net. Network DLP appliances were deployed in the US and in EMEA at the company’s hosted server farms in order to help protect sensitive customer and commercial data.

Read the Customer solution case study

One of our most interesting projects recently was a digital content protection and secure content distribution software development projects  in the field of IPTV and video on demand.

We were called in at a critical stage in project delivery to help manage the development and design the encryption for the digital content protection.

Read more about the VOD IPTV solution

Did you ever have a feeling that your IT integrator was treating you like a couple of guys selling you a Persian rug?  ”Take it now – it’s so beautfiful, just perfect for your living room, a steal  for only $10,000 and it’s on sale” and when you ask if it will last, they tell you “Why do you want it to last? Enjoy, use it in good health, wear it out quickly and come back to the store so that we can sell you Persian Rug 2012″.

I had a meeting with a long-time client today – I’ve developed some systems for them in the FDA regulatory and clinical trial management space. We met for lunch to discuss a new project which involved an extension to an existing multi-center study.

The question of disaster recovery planning and offsite backup came up and  they asked me what I thought about backing up their clinical trial data together with their office file backups taken by their outsourcing IT provider.

I said this is a very bad idea because while their IT contractor specializes in providing Microsoft Windows/Office support for small businesses, they just don’t have the know-how or security expertise for HIPAA compliant data storage.

In general, small business IT integrators are  behind the curve on data security, compliance, disaster recovery and application software security. Their job is to keep Microsoft SBS running smoothly and install anti-virus software, not mitigate data security and HIPAA compliance attacks. The typical SMB integrator mindset is dominated by the Microsoft monoculture, and I would not expect them to be able to analyze data security threats correctly.

Whenever I go somewhere – I’m always looking at things with a security perspective – open doors, windows – things that could be easily lifted. Who might be a threat. Storing clinical data with a bunch of Microsoft Office files is just too big a risk to take. The CEO accepted my recommendation to encrypt data on a secure, hardened virtual server instance in the cloud and monitor potential exposure to new emerging threats as their application and project portfolio evolves.

After lunch and getting back into the office, I realized that Risk analysis is a threat to IT vendors.

Not every security countermeasure is effective or even relevant for your company. This is definitely a threat to an IT vendor salesperson who must make quota.

I am a big proponent of putting vendor suggestions aside and taking some time to perform a business threat analysis (shameless plug for our business threat analysis services,  download our free white paper and learn more about Business Threat Modeling and security management). In a business threat  analysis you ignore technology for a week or 2 and systematically collect assets, threats, vulnerabilities …and THEN examine the cost-effective security countermeasures.

Your vendor wants to sell you a fancy $20,000 application security/database firewall, but it may turn out that your top vulnerability is from 10 contract field service engineers who shlep your company’s source code on their notebook computers. You can mitigate the risk of a stolen notebook by installing a simple security countermeasure - Free open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux.

Information security vendors often promote their backup/data loss prevention/data retention/application security products using a compliance boogeyman.

The marketing communications often reaches levels of the absurd as we can see in the following example:

NetClarity (which is a NAC appliance) claims that it provides “IT Compliance Automation” and that it “Generates regulatory compliance gap analysis and differential compliance reports” and “self-assessment, auditing and policy builder tools for Visa/Mastercard PCI, GLBA (sic), HIPAA, CFR21-FDA-11,SOX-404, EO13231 government and international (ISO270001/17799) compliance.”

A network access control appliance is hardly an appropriate tool for compliance gap analysis but asserting that a NAC appliance or Web application firewall automates SOX 404 compliance is absurd.

Sarbanes-Oxley Section 404, requires management and the external auditor to report on the adequacy of the company’s internal control over financial reporting. This means that a company has to audit, document and test important financial reporting manual and automated controls. I remember the CEO of a client a few years ago insisting that he would not accept any financial reports from his accounting department unless they were automatic output from the General Ledger system – he would not accept Excel spreadsheets from his controller, since he knew that the data could be massaged and fudged. If there was a bug in the GL or missing / incorrect postings he wanted to fix the problem not cut and paste it.

Appropriate, timely and accurate financial reporting has absolutely nothing to do with network access control.

But the best part is the piece on the NetClarity Web site that claims that their product will help “Deter auditors from finding and writing up IT Security flaws on your network”.

And I suppose this really proves my point best of all.

Information security vendors like NetClarity do not have any economic incentive to really reduce data security and compliance breaches that would reduce  sales, making it better business for them  (not for their customers) to sell ineffective products.

This raises an interesting question about information security business models – but that’s a topic best left to another post.

The question in any risk assessment is how do you get from point A (current state) to point B (cost effective security that is the right fit for your business).

The key to cost-effective security is data collection.  Let’s recall that compliance regulation like PCI DSS 2 and the certifiable information security management standard ISO 27001 are based on fixed control frameworks. It’s easy to turn the risk analysis exercise into a check this/check that exercise, which by definition, is not guaranteed to get you to point B since the standard was never designed for your business. This is where we see the difference between ISO 27001 and ISO 27002.

ISO/IEC 27002 is an advisory standard meant to be applied to any type and size of business according to the particular security risks they face.

ISO/IEC 27001 (Information technology – Security techniques – Information security management systems – Requirements) is a certifiable standard. ISO/IEC 27001 specifies a number of firm requirements for establishing, implementing, maintaining and improving an ISMS (information security management standard), and specifies a set of 133 information security controls. These controls are derived from and aligned with ISO/IEC 27002 - this enables a business to implement the security controls that fit their business,and help them prepare for formal certification to ISO 27001.

Let me explain the importance of data collection by telling a story.

After reading this article in the NY Times  An Annual Report on one mans life, I was reminded about a story I read about Rabbi Joseph Horowitz (the “Alter from Novardok”) (1849–1919), relating his practice of writing a daily report on his life.

One of the things I learned from the musical director of the JP Big Band, Eli Benacot, is the importance of knowing where you are really holding in terms of your musical capabilities.  Many musicians, it turns out, have the wrong self-perception of their capabilities.  Sometimes, one sees a professional musician who is convinced of his proficiency and even within an ensemble he (or she) is incapable of really hearing how poorly they actually play.

Many times we feel secure but are not, or don’t feel secure when we really are. For example – a company may feel secure behind a well-maintained firewall but if employees are bringing smart phones and flash drives to work, this is an attack vector which may result in a high level of data loss risk. On the other hand – some people are afraid of flying and would prefer to drive, when in fact, flying is much safer than driving.

After we collect the data and organize it in a clear way, we then have the ability to understand where we are really holding.  That is the first step to building the correct security portfolio.

So, let’s return to the Rabbi Joseph Horowitz, who wrote a daily and annual report on his life. Here is his insight to implementing change – certainly a startling approach for information technology professionals who are used to incremental, controlled change:

“Imagine this scenario: A person decides that he wants to kasher his kitchen. But he claims, ‘Changing my dishes all at once involves throwing out an entire set and buying a brand new one. That’s quite an expense at one time. I’ll go about the kashering step by step. Today I’ll throw out one plate and replace it with a new one, tomorrow with a second and the next day with a third.’

“Of course, once a new plate is mixed with the old ones, it becomes treife like the rest. To kasher a kitchen, one must throw out all of his old dishes at once.

“The same holds true in respect to changing one’s character traits or way of life. One must change them in an instant because there is no guarantee that the anxieties and pressures that deter him on any given day will not deter him the following day, too, since anxieties and pressures are never ending. ”

(Madreigat Ha’adam, Rav Yosef Yoizel Horowitz).

 

I think we’re ignoring the emotional content of security and I don’t necessarily mean FUD (fear uncertainty and doubt).

Perhaps it’s time to reconstruct market boundaries of the security industry.

At the beginning, there was the notion of “selling security with FUD“, starting with anti-virus and peaking in the early 90s with the outbreak of RPC worms on Wall Street. It was pretty easy to sell security with FUD tactics. Then we had 9/11.   You couldn’t frighten people anymore.   Security FUD doesn’t work when the customer thinks he might be killed by an Al Qaeda or Hamas or Fatah terrorist.

Then there was the “selling security as an enabler” play, sponsored by Gartner, ISACA and a bunch of other people.  This sort of made sense – but the number of real use cases where security actually enables new business (VPN, secure ecommerce sites) is rather limited and besides, the big IT vendors can build (or at least purport to build) security into their products. Educating customers on “security as a business enabler“ is a wonderful example of how market education  pays off at the beginning of a new product life-cycle launch, but low or no benefits at all when the product has mainstreamed into general market acceptance and everyone is selling and buying.

A good example of a product that mainstreamed extremely quickly is the Apple iPad,  Now after CES  we have dozens of mobile tablets, Android tablets, Windows Mobile tablets, Ubuntu tablets alternatives of all shapes, sizes and qualities. No one is questioning that a tablet is a great thing – Apple already did the market education for the other vendors.

Market education of  CEOs to the business  advantages of data security is like motherhood and apple pie, it’s a good thing. Similar to the tablet PC case, however, this sort of market education has zero or low ROI – because the CEO has already decided to buy or not buy security based on what someone else said – whether its’ Perot Outsourcing services, IBM, Oracle or his golf-partner.

Consultants explaining to a CEO that security is a business enabler are selling the same security coolade as Oracle, IBM, ISACA and SAP. The only problem is that a security  consultant doesn’t sell a product, but bolt-on/after sale services – and generally doesn’t get compensated for his deep security insights over coffee.

Let’s note that the information security industry is an industry like most other industries:

• They define their industry similarly, focusing on being the best.
• They look at accepted strategic groups of buyer and market segments, for example CSOs and firewalls
• They focus on the same buyer groups – e.g influencers (security officers, CIOs, analysts and thought leaders)
• They define the scope of products similarly- data security, firewalls, DLP, software security assessments etc..
• They focus on the same point in time and current competitive threats in formulating strategy; now it’s cloud, last year was DLP etc…

But there is one factor we are missing and that is emotion:

Does the security industry accept the functional/emotional orientation of their buyers?

I’m not sure.  And that – will be the topic for the next post