The Good, Bad, and Ugly of Technology Acquisitions

It is the foundation of the free market system and capitalism, and it is every entrepreneur’s dream: build a great technology, execute and achieve excellence in GTM, deliver fantastic value to customers and take great pride in watching your passion grow – fast.

Then it happens: the exit, the liquidation event, the ‘golden ticket’, and in a blip of your time on this tiny little rock your life changes.

Last year, after spending almost four years as the CTO of BigFix, we were acquired by IT industry behemoth IBM (IBM to acquire BigFix) for what was the largest acquisition of a private software company in 2010 (second was CA’s acquisition of Nimsoft at around $380m) and my life changed…

Client Hosted Virtual Desktops Part 1; Own the OS

We all know that IT security and operations are becoming a more challenging and untenable problem day by day – see “Top 10 Reasons Your Security Program Sucks and Why You Can’t Do Anything About it”. The reality is that we continue to build on top of inherently insecure and fundamentally weak foundations, such as the operating systems and routing infrastructures that power much of the global economy.

We need an alternative to the current computing paradigms that all organizations struggle with.

The Broken Windows Economics of IT Security

To economists, the term “Broken Windows” refers to the question of whether, if a shopkeeper pays a glazier to repair a broken window at his store, this delivers an economic benefit to society. Many people would say yes, because it generates demand for glass and work for the glazier.

Have you ever been witness to the fury of that solid citizen, James Goodfellow, when his incorrigible son has happened to break a pane of glass? If you have been present at this spectacle, certainly you must also have observed that the onlookers, even if there are as many as thirty of them, seem with one accord to offer the unfortunate owner the selfsame consolation: “It’s an ill wind that blows nobody some good. Such accidents keep industry going. Everybody has to make a living. What would become of the glaziers if no one ever broke a window?”

Excerpt from the 1850 essay “That Which is Seen and That Which is Unseen” by Frederic Bastiat

Cyber Warfare: Should We Be On The Offensive?

The world needs a treaty to prevent cyber attacks becoming an all-out war, the head of the main UN communications and technology agency warned Saturday.

“A cyber war would be worse than a tsunami — a catastrophe,” the UN official said, highlighting examples such as attacks on Estonia last year.

Top 10 Reasons Your Security Program Sucks and Why You Can’t Do Anything About It

In the security industry we like to fool ourselves into thinking that we can materially impact an organization’s security posture. We believe that new tools, a new framework, a new regulation, a new school of thought will lift the veil of organizational ignorance and enable us to attain the state of enlightened security practitioner.

But as we trudge through the mud and haste of our increasingly digital lives we embrace the continuity of failure that is security, only we have more of it: more threats, more tools to deal with the threats, more people to deal with the tools, more process to deal with the people, more adoption of technology leading to more threats, which of course leads to more of the same – more fail.

Maybe it is time to stop fooling ourselves and recognize that to move forward we have to know our limitations and start to question the status quo that so many others rely on for their livelihood.

So as you stare out the window, morning cup of coffee in hand, a tear rolling listlessly down toward your chin, and as you’re sitting there pondering what went so terribly wrong, take a moment to reflect on the top 10 reasons your security program sucks and why, no matter how much you kick and scream, it will continue to suck…

Note to Self: 2009 Holiday Gift List

From Computer World UK (here)

Black Friday and Cyber Monday have come and gone. Now it’s time for Amrit Wednesday, or Thursday, or Friday—oh, whatever—to pay our industry back for all the dubious cheer it spread in 2009. Believe me, when it comes to this list, it’s much better to give than receive. Here goes:

On Conficker: The Return of the High-Profile Mass Infection Worm

They’re back!

It has been a while since we had a good old fashioned, highly publicized, hysteria inducing, globally distributed, mass-infecting worm. The AV vendors (here) and (here) must be ecstatic that 2009 is really turning out to be the year of the largest security incidents since the beginning of forever, as I predicted it would be back in January (here). Of course you could make that prediction every year for the next 20-30 years and pretty much experience an 80%+ success rate; it’s like predicting that as social media becomes ubiquitous we will experience more social media related security threats, or that as the economic condition worsens it will drive even more financially motivated cybercrime, buoying an already burgeoning digital black market, or that there will be more high-profile data breaches – all no brainers.

Fear and Loathing in Davos

Few things can evoke more uncertainty and doubt than fear (here)…

The threat of cybercrime is rising sharply, experts have warned at the World Economic Forum in Davos.

Online theft costs $1 trillion a year, the number of attacks is rising sharply and too many people do not know how to protect themselves, they said.

On-line theft costs $1 trillion US dollars a year? We have certainly come a long way since the Dark Avenger first crafted his polymorphic virus in the late ’80s, but $1 trillion a year? Seriously? Where the hell did the figure come from? To give you some perspective on size, the total US GDP is about 14 trillion, and that includes EVERYTHING.

But it gets worse…

“2008 was the year when cyber warfare began.. it showed that you can bring down a country within minutes,” one panelist said.

Cyber warfare began in 2008 – between which countries? It showed you can bring down a country within minutes? Seriously, bring down a country? Really? Are you kidding? Is this some kind of sick World Economic Forum humor or just sheer ignorance?

So people are unable to browse to YouTube or update Facebook, or download Goth porn, or make their way over to my blog and up my readership – these things are all terrible, no question, but bring down a country? I can hear the threats now: “Either your country surrenders or we will DoS you back to 1995.” Just doesn’t have the same kick as “bomb you back to the stone age”, does it?

There is no question that we have a problem: the increased reliance on technology, the ubiquitous nature of broadband connectivity and more digital commerce all create an environment that will breed crime. I believe that awareness is important; people should understand the dynamics and risks inherent in this new digital environment. But FUD doesn’t work: it drives up hysteria and then it crashes into ambivalence. FUD is the drug of the security industry, and apparently many are addicted.

Moving Security through Visibility to Implementing Operational Controls

Quick thought for the day. Most technologies in the security world move through a predictable cycle of adoption. First an organization implements a solution to gain visibility into the scope of the problem (VA, IDS, DLP/CMF, SIEM). Then, once it becomes apparent that the problem is vast and overwhelming, they move to operationally implement technical controls to protect the environment and to enforce organizational policies. When this switch-over occurs, the adoption of the pure visibility tools becomes eclipsed by the control tools. This doesn’t mean that the visibility tools are ineffective; it generally means that the scope of the problem is understood to the point that an organization can effectively implement controls. It also means that the problem has successfully moved from the security team to the operations team. You can apply this same logic to any segment of security and to any new technology, including cloud computing, virtualization and all the little shiny objects in between.

Examples of this movement from visibility to control include intrusion detection, vulnerability assessment and content monitoring and filtering. Let’s look at VA. Its initial use was to determine the scope of the ‘exposure’ problem, that is, to scan the environment against a database of known vulnerabilities to determine the extent of exposure. Unfortunately the volume of output was very high and was presented in a format that was not easily consumable or actionable by the IT operations team. What exactly does one expect the server admin to do with 300 pages of vulnerability data? There were also inherent issues of fidelity. The use of VA tools moved into targeted scans to determine what needed to be patched, which resulted in the operational implementation of patch management technologies, which soon overtook the market adoption of vulnerability assessment tools. There was also the pressure of auditors looking for the implementation of technical controls, and although vulnerability assessments were viewed as an important first step, without the workflow and controls to address the volume of vulnerability data they proved to be less effective in improving operational security than was originally thought.

It became clear that vulnerability management needed to cross the chasm to become an operationally actionable tool; without remediation capabilities the organization would always be under a mountain of vulnerabilities and the use of the technology would linger in the trough of disillusionment. Security configuration management met that need: it allowed an organization to define the desired configuration state of an environment against industry best practices (NIST, DISA, CIS, etc.) and then to operationally implement technical controls to identify non-compliant devices and enforce policy. Security configuration management also had the benefit of providing a common language between the security, audit, and operations teams. I wrote about this in a series of posts (here), (here), and (here).

Hilarity Ensues: 10 Years of Tech Fail

Well friends, we are nearing the end of another year and closing in on the first decade of the century. As we prepare for the onslaught of 2009 predictions I thought it would be appropriate to look back on all that is FAIL in the world of technology over the past decade, so we can learn, grow and laugh at someone else’s expense. So I give you the top 10 worst technology failures of the last decade…

10. Oakley MP3 sunglasses (The Death of Cool)

A WAGNERIAN ARIA plays, a crystalline TENOR SOLO haunting in its beauty consumes an executive board room

Oakley Executive #1

“Let’s take one of the hottest sunglass brands and combine them with one of the hottest consumer gadgets and make millions”

“Yeah, we will make millions, let’s do it”

This is definitely a case of two things that do not go well together, sort of like Mentos and soda, or Symantec and innovation. Aside from the logistical issues of having to wear sunglasses to listen to music, there is simply no way to look cool wearing a pair of dork specs, and honestly, who buys a pair of Oakleys if they didn’t want to look cool?

Full Disclosure: I owned stock in Oakley, was actually quite happy that they signed a contract with the Army, and when they released the oil drum model I was sure the stock would skyrocket. Oh well.

9. The Original DIVX (Making Betamax look genius)

In an awe inspiring moment of fail, Circuit City (here), the now gasping-for-air consumer electronics chain, made an attempt to corner the movie rental industry with the introduction of the Digital Video Express (DIVX) format. The concept was simple: you – the consumer – pay them $4 for a disc that is only viewable for 48 hours and only on a DIVX player. After 48 hours it became as useless as silicone thigh implants, unless you coughed up an additional $3-4 for another 48 hours.

8. HD DVD (The FAIL of a new generation)

The now obsolete high-definition digital video format introduced by Toshiba lost the HD format wars to Blu-Ray. I would love to weave a David and Goliath story that touched the four corners of the entertainment industry, spin a tale of how the Xbox and PS3 were instrumental in the success of one and the demise of the other, or how tech savvy consumers, battle hardened from decades of format evolution, were able to understand the nuances of quality, cost, storage capacity and available content. I would have loved to post that the porn industry won the battle, but in the US they actually standardized on HD DVD. So how did HD DVD lose? Purely conjecture on my part, but it would appear that Sony simply out biz dev’d Toshiba, scoring retailer and major studio support and amassing a larger collection of movie titles.

7. The Millennium Bug (Y2Fail)

Billed as the technology equivalent of “The Day After” (here), a movie depicting the devastating effects of a nuclear holocaust, the Y2K, or Millennium, bug was supposed to result in a total technology breakdown. It was feared that planes would fall from the sky, critical services would cease to function and the world’s power grids would go dark. I remember at the time I was working at McAfee (here), and as the clock moved closer to New Year’s the office was crawling with reporters hungry for a front row seat to digital Armageddon. Of course, nothing happened and all the doomsayers were forced to take down their sandbags and unload their automatic rifles – to some this was a really disappointing turn of events, for others it marked the most visible technology FUD fail of all time.

6. Windows ME (Mistake Edition)

I would have said Bob, but that fail was so 1995. Windows ME (here), dubbed the slowest, buggiest, and most unstable operating system ever released, has won top honors as the worst Microsoft OS to date. The biggest flaw in Windows ME, and earlier versions of the Windows OS, is a lack of memory protection. This problem was exacerbated in Windows ME as they attempted to introduce a broad set of new capabilities, such as new system utilities like system/virus restore, media support, automatic updates and the new TCP/IP stack, all of which allowed Microsoft to achieve a whole new level of stability fail.

5. The Sony BMG Rootkit (Meine kleine digitale Parasiten)

In what has probably become the epic DRM (digital rights management) fail of all time (here), Sony BMG implemented a copy protection scheme that was distributed through music CDs to consumer desktops, essentially installing a nearly undetectable rootkit that collected user information and sent it to the Borg collective. It was eventually detected and there was a major backlash from the security industry. Sony is still in the middle of fending off class-action lawsuits as a result.

4. Second Life (Give us your marginal, your dispossessed, your virtually lost)

Second Life (here) is the internet-based virtual world created by Linden Labs, in which virtual “residents” roam a 3D virtual world, virtually interacting with each other and virtually trading virtual money, called Linden dollars. No mythical creatures, no battle axes, or quests, or zombies, or explosions, or really any point to it at all. What kind of folks spend their time in a virtual world? Well, according to Linden Labs Chairman of the Board, Mitch Kapor…

the earliest wave of pioneers in any new disruptive platform, the marginal and the dispossessed are over represented, not the sole constituents by any means but people who feel they don’t fit, who have nothing left to lose or who were impelled by some kind of dream, who may be outsiders to whatever mainstream they are coming from, all come and arrive early in disproportionate numbers.

Just massive amounts of time doing nothing “virtually” with a group of marginal and dispossessed individuals. Really? Seriously? Is this for real? Perhaps they should change the name to

3. Windows Vista (Windows ME Take 2)

Windows Vista (here), the successor to Windows XP, was supposed to herald a new era of Windows security, stability, and functionality. Unfortunately it failed on at least two of those fronts, as there were widespread incompatibility and performance issues. In one of the oddest enterprise software ad campaigns to date, Microsoft unveiled “Mojave”, the “Ha! I tricked you, it really is just Vista” experiment (here) – call it what you will, fail is as fail does. Microsoft is now looking to fast track the release of Windows 7, which is the final nail in the Vista coffin. The folks over at ZDNet have a nice writeup on the top 5 reasons Vista failed (here).

2. The Internet bubble and dot com bomb of the early decade (E Pluribus, deficio)

I loved the ’90s. Back then you could get your money for nothing and your chicks for free, but like every wild party someone has to deal with the massive hangover the next day (here), and that hangover was the sudden reality that more than half of the .com companies were not only poorly managed and had ridiculous valuations, but were based on business models that seemed to be developed by third graders. Seriously, not just one company that sells pet food over the internet but 5? Remember when the market cap for Amazon was greater than the entire addressable market they served, not only the digital marketplace but brick and mortar included? I know, I know, greed trumps common sense, as we are experiencing with the sudden, although not unexpected, mortgage collapse and financial crisis, but didn’t someone think to ask, “Seriously, you are willing to invest $20m in my company if I add a .com after the name – that’s just stupid”?

1. The paperless office

No greater fail in our lifetime has had the impact that the myth of the paperless office has had. It has driven an entire industry in the PC and shaped a new generation of technical gadgetry and digital fail; from ebooks to digital document management systems, the paperless office has been a myth of epic proportions. Now I wasn’t around in the ’40s, which is when I believe the term was coined, but I imagine that there was far less paper floating around then than there is now, and there seems to be no let up in the tsunami of felled trees and charred Brazilian rain forest that fuel our appetite to print everything, even if a new ink jet print cartridge costs more than a week’s worth of groceries.

Of course this is just one analyst’s opinion (and an entire market of data), so let me know – what did I get wrong and what did I miss?