Archive | Technology

Partial Bibliography

I’ve written a whole lot of stuff. At some point I made a partial bibliography of the technology stuff.

Cyber Crime

Gragido, W; Molina, D; Pirc, J; Selby, N (2012) Blackhatonomics: An Inside Look At The Economics of Cybercrime Syngress, Boston.

Data Loss Prevention

Selby, Nick. 2008. Mind The Data Gap. New York: The 451 Group. Print.

Selby, N. 2009. [Online] Safend, building out its DLP portfolio, updates Encryptor. New York: The 451 Group. 5 Jun 09.

Selby, N. 2009. [Online] GuardianEdge, with 60% bookings growth, approaches a turning point. New York: The 451 Group. 8 May 09.

Selby, N. 2009. [Online] Fidelis announces XPS 5.2 with scanning within local network, and a granted US patent. New York: The 451 Group. 22 Jan 09.

Selby, N. 2009. [Online] Unmitigated chutzpah or the next big thing? BitArmor guarantees against breach. New York: The 451 Group. 21 Jan 09.

Selby, N. 2009. [Online] CA swoops in on Orchestria to connect the dots between data and identity. New York: The 451 Group. 6 Jan 09.

Selby, N. 2008. [Online] Not to be outdone by EMC/Microsoft, McAfee and Liquid Machines join forces in DLP/IRM. New York: The 451 Group. 11 Dec 08.

Selby, N. 2008. [Online] Microsoft licenses EMC data classification kit for Active Directory Rights Management. New York: The 451 Group. 5 Dec 08.

Selby, N. 2008. [Online] Code Green launches TrueDLP, an enterprise-class anti-data-leakage offering. New York: The 451 Group. 7 Nov 08.

Selby, N. 2008. [Online] McAfee takes out Reconnex in a $46m deal that can set the DLP-acquisition bar low. New York: The 451 Group. 31 Jul 08.

Selby, N. 2008. [Online] With good income and a pocket full of euros, Utimaco is going shopping. New York: The 451 Group. 10 Jul 08.

Selby, N. 2008. [Online] Dan Geer becomes In-Q-Tel’s CISO, will continue as Verdasys’ chief scientist emeritus. New York: The 451 Group. 29 May 08.

Selby, N. 2008. [Online] Fidelis and Verdasys team for agent- and network-based anti-data-leakage. New York: The 451 Group. 5 May 08.

Selby, N. 2008. [Online] Varonis expands its flavor of data governance to Unix systems. New York: The 451 Group. 29 Feb 08.

Selby, N. 2008. [Online] Vericept quietly builds out anti-data-leakage business after management restart. New York: The 451 Group. 4 Jan 08.

Selby, N. 2008. [Online] Orchestria evolves into full-blown hybrid anti-data-leakage tool. New York: The 451 Group. 16 Jan 08.

Selby, N. 2008. [Online] After the story leaks, RSA acknowledges. New York: The 451 Group. 8 Jan 08.

Selby, N. 2007. [Online] Symantec and Vontu finally tie the knot for $350m; who’s next to go in ADL?. New York: The 451 Group. 5 Nov 07.

Selby, N. 2007. [Online] Trend Micro continues ADL consolidation, takes out itsy-bitsy Provilla. New York: The 451 Group. 25 Oct 07.

Selby, N. 2007. [Online] Code Green Networks saws off the shotgun for bigger spread at its sweet spot. New York: The 451 Group. 10 Oct 07.

Selby, N. 2007. [Online] Raytheon could tell you what it paid for Oakley, but then it would have to kill you. New York: The 451 Group. 25 Sep 07.

Selby, N. 2007. [Online] EMC’s RSA moves to fill anti-data-leakage gap with purchase of Tablus. New York: The 451 Group. 9 Aug 07.

Selby, N. 2007. [Online] After years of mostly organic growth, endpoint security firm GFI takes on North America. New York: The 451 Group. 25 Jul 07.

Selby, N. 2007. [Online] Check Point’s Pointsec earns FIPS 140-2 certification for Protector, crypto module. New York: The 451 Group. 17 Jul 07.

Selby, N. 2007. [Online] Data leakage: technical or HR problem? 42 vendors think they know the answer. New York: The 451 Group. 2 Jul 07.

Selby, N. 2007. [Online] Fidelis 4.0 expands management console workflow and adds a Milter-based mail agent. New York: The 451 Group. 28 Jun 07.

Selby, N. 2007. [Online] Safend, nearing breakeven, considers a funding round in 2008 and announces Lenovo deal. New York: The 451 Group. 22 Jun 07.

Selby, N. 2007. [Online] PatchLink goes serial with acquisition of whitelisting vendor SecureWave. New York: The 451 Group. 22 Jun 07.

Selby, N. 2007. [Online] Websense, expanding its data-leakage offering, takes out SurfControl for $400m. New York: The 451 Group. 4 May 07.

Selby, N. 2007. [Online] Chronicle’s ADL ties users to documents. New York: The 451 Group. 3 May 07.

Selby, N. 2007. [Online] Check Point earnings off 25%, but acquisitions and R&D in hot spaces show promise. New York: The 451 Group. 27 Apr 07.

Selby, N. 2007. [Online] Bluefire announces Symantec OEM deal; may seek strategic funding in 2007. New York: The 451 Group. 23 Jan 07.

Selby, N. 2007. [Online] Anti-data-leakage vendor Tablus inks VeriSign PCI deal. New York: The 451 Group. 22 Feb 07.

Selby, N. 2007. [Online] McAfee launches anti-data-leakage product based on Onigma acquisition. New York: The 451 Group. 16 Feb 07.

Selby, N. 2007. [Online] DB security vendor Imperva releases Scuba, a free database vulnerability scanner. New York: The 451 Group. 6 Feb 07.

Selby, N. 2007. [Online] On the back of strong growth, anti-data-leakage vendor Vontu adds an endpoint agent. New York: The 451 Group. 31 Jan 07.

Selby, N. 2007. [Online] Guardium updates core modules, launches Change AuditGuard. New York: The 451 Group. 26 Jan 07.

Selby, N. 2007. [Online] Verdasys bolsters its application monitoring capabilities. New York: The 451 Group. 16 Jan 07.

Selby, N. 2007. [Online] Websense solidifies its ADL play with $90m PortAuthority swoop. New York: The 451 Group. 5 Jan 07.

Selby, N. 2006. [Online] Like McAfee, Symantec will address data leakage through acquisition. New York: The 451 Group. 27 Oct 06.

Selby, N. 2006. [Online] McAfee fires president, and CEO quits, then it buys ADL vendor Onigma for $20m. New York: The 451 Group. 20 Oct 06.

Selby, N. 2006. [Online] Reconnex, emerging from shakeup, prepares for a relaunch. New York: The 451 Group. 8 Sep 06.

Selby, N. 2006. [Online] SanDisk buys msystems for $1.5bn, boosting its position in NAND flash market. New York: The 451 Group. 4 Aug 06.

Selby, N. 2005. [Online] M-Systems’ Xkey Shield provides USB media security management. New York: The 451 Group. 23 Nov 05.

Penetration Testing and Vulnerability Analysis

Crawford, S. and Selby, N. 2010. [Online] It’s the Adversaries who are Advanced and Persistent. ThreatPost. January 26, 2010. [Available:]

Selby, N. 2009. [Online] The Penetration Testing Marketplace in 2010. ThreatPost. December 1, 2009. [Available:]

Selby, N. 2009. [Online] Reloading Risk Back Onto The Utilities. November 26, 2009. [Available:]

Selby, N. 2009. [Online] Losing the Echo Chamber in the Critical Infrastructure Security Debate. ThreatPost. November 18, 2009. [Available:]

Naraine, R & Selby, N. 2009. [Online, multimedia] Trident Risk Management’s Nick Selby on Metasploit and Rapid7. The Big Story podcast with Ryan Naraine, ThreatPost. October 22, 2009 [Available:]

Selby, Nick. 2008. Mind The Data Gap. The 451 Security Quarterly New York: The 451 Group. Print.

Selby, Nick. 2007. Sector View: Current Security Trends and Developments. The 451 Security Quarterly New York: The 451 Group. Print.

Selby, Nick. 2009. [Online] Immunity’s Canvas releases Cloudburst, allowing breakout from guest OS. New York: The 451 Group. 6/4/2009.

— 2009. [Online] Immunity, growing fast and profitably, expands reach through partnerships. New York: The 451 Group. 3/19/2009.

— 2009. [Online] Core Security, with Impact at version 8 and customers above 800, hits its stride. New York: The 451 Group. 2/6/2009.

— 2009. [Online] With a longer runway than it expected, Cenzic hits rotation speed. New York: The 451 Group. 2/3/2009.

— 2008. [Online] With new funding, Palamida moves toward vulnerabilities in open source code. New York: The 451 Group. 12/5/2008.

— 2008. [Online] nCircle updates its approach with Suite360 and a Web app scanner. New York: The 451 Group. 11/20/2008.

— 2008. [Online] WhiteHat builds out cross marketing with F5 and expands training. New York: The 451 Group. 11/7/2008.

— 2008. [Online] Core, claiming profits, hires former Sophos North America president as new CEO. New York: The 451 Group. 3/12/2008.

— 2008. [Online] Mu Security’s gains in SCADA, network equipment manufacturing push it past fuzzing. New York: The 451 Group. 3/6/2008.

— 2007. [Online] WhiteHat Security, reporting significant growth, doubles headcount. New York: The 451 Group. 12/10/2007.

— 2007. [Online] Core’s Impact 7.5 and Grasp focus on Web application security. New York: The 451 Group. 10/16/2007.

— 2007. [Online] Legal settlement forces Cenzic and HP (SPI) to play nice and share. New York: The 451 Group. 10/3/2007.

— 2007. [Online] Cenzic looks to mold itself into an acquisition target, starting with Hailstorm 5.0. New York: The 451 Group. 7/19/2007.

— 2007. [Online] Core Security loses flash and substance – CEO and product manager – in shakeup. New York: The 451 Group. 7/18/2007.

— 2007. [Online] Gleg acquires Argeniss’ zero-day exploit update pack. New York: The 451 Group. 7/12/2007.

— 2007. [Online] HP takes out SPI Dynamics in latest Web application security acquisition. New York: The 451 Group. 6/22/2007.

— 2007. [Online] IBM buys Watchfire, brings Web application penetration testing to the Rational line. New York: The 451 Group. 6/8/2007.

— 2007. [Online] Profitable SPI Dynamics launches Phoenix and WebInspect 7.0. New York: The 451 Group. 2/1/2007.

— 2007. [Online] Sabre Security, with a €100,000 tech prize, expands BinNavi and VXClass. New York: The 451 Group. 1/18/2007.

— 2007. [Online] Profitable Watchfire releases AppScan Reporting Console and AppScan 7.0. New York: The 451 Group. 1/9/2007.

— 2007. [Online] Core 6.2 adds enhanced encryption, authentication and shell access to exploited hosts. New York: The 451 Group. 1/2/2007.

— 2006. [Online] Metasploit completes license change, updates pen-test platform. New York: The 451 Group. 8/2/2006.

— 2006. [Online] Immunity integrates Spike, launches VisualSploit and builds out its partner program. New York: The 451 Group. 7/21/2006.

— 2006. [Online] Beyond Security launches beStorm vulnerability assessment software. New York: The 451 Group. 4/17/2006.

— 2006. [Online] Emerging from stealth, Mu Security launches a commercial-grade fuzzing appliance. New York: The 451 Group. 4/5/2006.

— 2005. [Online] Cenzic releases version 3.0 of its Hailstorm Web application pen tester. New York: The 451 Group. 12/15/2005.

— 2005. [Online] Immunity takes an open source approach to penetration testing. New York: The 451 Group. 11/30/2005.

— 2005. [Online] Core Security’s Impact brings pen testing in-house to network admins. New York: The 451 Group. 11/29/2005.

Security Information and Event Management

Selby, N (2009) Enterprise Security Information Management. New York: The 451 Group.

Selby, N (2006) ESIM: Security Information Management Moves Upstream. New York: The 451 Group.

Selby, N. (June 10, 2009) [Online]. Decurity, with some flagship accounts under its belt, branches out. New York: The 451 Group

— (June 4, 2009) [Online]. Vigilant launches Fulcrum, a config library to scale its ESIM deployment chops. New York: The 451 Group

— (June 2, 2009) [Online]. LogLogic extends its series D by $8.8m, bringing total raised to $58.8m. New York: The 451 Group

— (June 1, 2009) [Online]. ArcSight launches ArcSight Express and announces a Cisco partnership. New York: The 451 Group

— (May 1, 2009) [Online]. New trends in enterprise security information management. New York: The 451 Group

— (April 22, 2009) [Online]. LogLogic buys Exaprotect to shore up its total ESIM/log management story. New York: The 451 Group

— (March 13, 2009) [Online]. RSA’s enVision 4.0 targets smarter sourcing of event data and better reporting. New York: The 451 Group

— (March 5, 2009) [Online]. ArcSight nails another quarter – has it yet felt the pain of recession?. New York: The 451 Group

— (February 17, 2009) [Online]. LogLogic and Exaprotect join forces for converged ESIM and log management. New York: The 451 Group

— (February 17, 2009) [Online]. netForensics buys High Tower assets. New York: The 451 Group

— (January 23, 2009) [Online]. ESIM vendor eIQnetworks closes $10m series A funding from Venrock. New York: The 451 Group

— (December 12, 2008) [Online]. With one hand firmly gripping its BatBelt, Splunk markets to the C-level. New York: The 451 Group

— (December 9, 2008) [Online]. ArcSight hits profitability and positive cash flow – now to keep it up. New York: The 451 Group

— (November 14, 2008) [Online]. Q1 Labs, extending upselling success of SLIM, launches QRadar SLIM-Free Edition. New York: The 451 Group

— (November 7, 2008) [Online]. ArcSight Logger 3 captures faster, reports better and increases onboard storage. New York: The 451 Group

— (September 23, 2008) [Online]. eIQnetworks hires a new president, fires channel and a low-cost product line. New York: The 451 Group

— (July 30, 2008) [Online]. Government hunting is so happy for Tier-3 that it’s breaking out its product lines. New York: The 451 Group

— (July 11, 2008) [Online]. Inspekt Security launches behavioral and security event analysis service. New York: The 451 Group

— (June 10, 2008) [Online]. Mazu can see clearly now; 8.1 targets network ops as much as security. New York: The 451 Group

— (April 7, 2008) [Online]. EMC and RSA integrate enVision and VoyenceControl. New York: The 451 Group

— (February 6, 2008) [Online]. Alert Logic, in new Houston digs, launches on-demand grid-hosted log management. New York: The 451 Group

— (January 30, 2008) [Online]. eIQnetworks, stepping up its competitive heat, launches SecureVue appliance. New York: The 451 Group

— (January 28, 2008) [Online]. In an aggressive counter to Cisco, Q1 Labs cuts OEM deals with Nortel and Juniper. New York: The 451 Group

— (December 17, 2007) [Online]. Extending its Logger functionality, ArcSight launches Log Management Suite. New York: The 451 Group

— (December 6, 2007) [Online]. TriGeo launches Splunk integration, adds more PCI punch to its SEM. New York: The 451 Group

— (November 27, 2007) [Online]. Mazu Networks continues NOC-SOC intermediary push with Profiler 8. New York: The 451 Group

— (November 14, 2007) [Online]. To make a huge managed security play, what will Cisco buy?. New York: The 451 Group

— (November 12, 2007) [Online]. eIQnetworks launches SecureVue 3.0, adding flow and GRC to its enterprise ESIM. New York: The 451 Group

— (November 5, 2007) [Online]. Q1 Labs’ SLIM gets log management foot in the door, then goes for ESIM gusto. New York: The 451 Group

— (October 1, 2007) [Online]. ArcSight’s latest feature-based upgrade targets PCI monitoring. New York: The 451 Group

— (September 13, 2007) [Online]. After hinting for three years, ArcSight files for an IPO; uh, does it earn money?. New York: The 451 Group

— (September 12, 2007) [Online]. ArcSight’s S-1 reveals big revenue, persistent losses and a compliance ding. New York: The 451 Group

— (June 28, 2007) [Online]. With Solsoft integration nearly complete, Paris-based Exaprotect moves west. New York: The 451 Group

— (June 26, 2007) [Online]. With network operations in mind, Mazu Networks and eIQnetworks partner. New York: The 451 Group

— (June 7, 2007) [Online]. eIQnetworks announces SecureVue 2.5 and licensing deal with Huawei-3Com. New York: The 451 Group

— (June 4, 2007) [Online]. Tier-3’s ESIM and anomaly detection targets network threats and fraud. New York: The 451 Group

— (May 25, 2007) [Online]. Clavister adds ESIM to its unified threat management platform. New York: The 451 Group

— (May 21, 2007) [Online]. With 4.0, ArcSight hopes ESM will move toward enterprise-wide relevance. New York: The 451 Group

— (May 15, 2007) [Online]. Seeking to widen its appeal outside security, LogLogic announces new features. New York: The 451 Group

— (April 12, 2007) [Online]. With new partners and management, SenSage raises $5m in series D funding. New York: The 451 Group

— (February 12, 2007) [Online]. TriGeo’s 4.0 combines network anomaly detection and service management. New York: The 451 Group

— (February 8, 2007) [Online]. eIQnetworks releases SecureVue, an aggressive up-stack move toward ITSM. New York: The 451 Group

— (December 8, 2006) [Online]. IBM buys Consul Risk Management to extend Tivoli Security Operations Manager. New York: The 451 Group

— (December 8, 2006) [Online]. Seven months on, Novell readies the next generation of e-Security ESIM. New York: The 451 Group

— (December 4, 2006) [Online]. ArcSight moves the goalposts with Logger and Network Configuration Manager. New York: The 451 Group

— (November 27, 2006) [Online]. Intellitactics shifts from pure security to ESIM-based risk metrics. New York: The 451 Group

— (November 21, 2006) [Online]. Cambia and ArcSight play key security roles in HP-Mercury’s Universal CMDB. New York: The 451 Group

— (October 24, 2006) [Online]. LogRhythm – lean, mean and bootstrapped – takes new angel money, rolls out 3.5. New York: The 451 Group

— (October 18, 2006) [Online]. NitroSecurity plans new funding, prepares to launch NBAD/IPS/ESIM hybrid. New York: The 451 Group

— (October 13, 2006) [Online]. ExaProtect and Solsoft in an ‘acquisition by merger’. New York: The 451 Group

— (September 29, 2006) [Online]. SenSage-EMC deal brings SenSage from security into a new world of data management. New York: The 451 Group

— (September 28, 2006) [Online]. Consul morphs log collection and mining into a policy management play. New York: The 451 Group

— (September 25, 2006) [Online]. Q1 Labs upgrades device discovery, improves its UI and expands its channel. New York: The 451 Group

— (September 22, 2006) [Online]. EMC, its RSA buy approved, adds Network Intelligence for $175m. New York: The 451 Group

— (September 18, 2006) [Online]. EMC gets RSA shareholder nod, buys Network Intelligence for $175m. New York: The 451 Group

— (September 14, 2006) [Online]. TriGeo adds features, doubles customer count; can it keep that small-town charm?. New York: The 451 Group

— (September 12, 2006) [Online]. ArcSight releases ITP to bolster insider-threat claims, proposes CEF standard. New York: The 451 Group

— (August 25, 2006) [Online]. Will HP extend OpenView and OpenCall functionality into ESIM through M&A?. New York: The 451 Group

— (August 18, 2006) [Online]. ArcSight launches Network Response Manager, extending reach into infrastructure. New York: The 451 Group

— (July 25, 2006) [Online]. With ESA 2.5, eIQnetworks is latest ESIM vendor to scrap relational databases. New York: The 451 Group

— (July 13, 2006) [Online]. Securify adds identity correlation and predefined rules to version 5.2. New York: The 451 Group

— (July 6, 2006) [Online]. Symantec shuns relational database event storage in its security event manager. New York: The 451 Group

— (June 26, 2006) [Online]. Claiming sales and product momentum, PatchLink looks for more partners. New York: The 451 Group

— (May 26, 2006) [Online]. ArcSight buys configuration and quarantine vendor Enira Technologies. New York: The 451 Group

— (May 11, 2006) [Online]. Self-funded LogRhythm releases version 3.0, then cautiously considers external funding. New York: The 451 Group

— (April 28, 2006) [Online]. AttachmateWRQ acquires NetIQ for $495m. New York: The 451 Group

— (April 21, 2006) [Online]. Novell buys e-Security to integrate identity management and security management. New York: The 451 Group

— (April 11, 2006) [Online]. Security information management approaches a fork in the road. New York: The 451 Group

— (March 24, 2006) [Online]. Mazu claims new partners and doubled revenue. Is it next on Symantec’s hit list?. TDM Target IQ. New York: The 451 Group

— (March 22, 2006) [Online]. Splunk ventures into the cavernous maw of enterprise log data. New York: The 451 Group

— (March 13, 2006) [Online]. Q1 Labs plans out-of-the-box interoperability with Packeteer. New York: The 451 Group

— (February 6, 2006) [Online]. LogLogic releases version 3.2, beefs up compliance reporting. New York: The 451 Group

— (February 3, 2006) [Online]. ArcSight looks for NBAD, end-point configuration and policy management functions. New York: The 451 Group

— (January 30, 2006) [Online]. ArcSight homes in on compliance-insight marketing. New York: The 451 Group

— (December 19, 2005) [Online]. eIQnetworks brings high-volume, low-cost ESIM to the enterprise masses. New York: The 451 Group

— (November 14, 2005) [Online]. Q1 Labs targets midrange enterprises with QRadar 5.0 release. New York: The 451 Group

— (November 11, 2005) [Online]. Intellitactics emphasizes executive reporting and horizontal scalability. New York: The 451 Group

— (November 10, 2005) [Online]. e-Security hones its workflow integration and event enrichment for ESIM. New York: The 451 Group

— (November 1, 2005) [Online]. Network Intelligence repositions and targets ESIM big game. New York: The 451 Group

— (October 28, 2005) [Online]. TriGeo happily targets low end and midrange of ESIM market. New York: The 451 Group

— (October 27, 2005) [Online]. SenSage emphasizes security event analytics over incident response. New York: The 451 Group

— (October 19, 2005) [Online]. With version 3.5, ArcSight targets insider threats, subtle attacks… and an IPO?. New York: The 451 Group

All I Want Is A Combo WiFi/GSM/CDMA Device. In Black.

Despite a predilection for triple-shot lattes, it wasn’t just caffeine that had me spending hours a day in coffee bars across America recently, shouting into my mobile phone above the din of the grinders. Mostly, it was the Wi-Fi connection.

For three months I’ve lived a salesman’s life away from my Munich home. I travel by single-engine airplane across America, pitching my company’s services to airport businesses. Contact with the office (and my wife and son) is through e-mail and mobile phone calls.

Every day I find the nearest Starbucks or Borders books, where a T-Mobile HotSpot provides a high-speed 802.11b, or Wi-Fi, Internet connection. I download dozens of e-mails and swap sales presentations with co-workers.

There are niftier alternatives to Wi-Fi, some argue, but I hate reading e-mail on my mobile phone’s tiny screen, and I refuse to click four times for an “s” or quibble with the phone’s dictionary over whether mañana is an English word. Nor will I spend $400 for a Blackberry device that does little more than e-mail.

Full-blown personal digital assistants permit me to open simple presentations and, with an added folding keyboard, type documents. But at their best, mobile data services in the United States merely double the dial-up speed. The average presentation is well over a megabyte; that can be a battery-sucking 20-minute download.

PDA’s like Hewlett-Packard’s iPAQ h5500 have integrated Wi-Fi but don’t connect to mobile networks without more than $300 in add-ons.

Most PDA-phone hybrid devices offered by U.S. mobile providers, like the Kyocera 7135, Samsung SPH-i330 and T-Mobile’s Pocket PC Phone, let you do e-mails and limited Web surfing, but they have few or no expansion capabilities.

Geeky friends say, “Just set your PDA’s Bluetooth to use your mobile phone as a modem.” Oh, good: a new device, dependent on an existing one, to provide a mediocre connection. With all this on my belt, I’ll look like Batman. Why is this all so clunky? Where is the single handheld device that lets me connect to e-mail and voice via mobile and high-speed Internet via Wi-Fi – for under $1,000?

While I’m at it, my device should, when connected to a Wi-Fi hotspot, let me make calls using voice over Internet protocol, or VOIP. Apart from the Wi-Fi fee and perhaps a service charge to the VOIP provider, the calls would basically be free.

Wi-Fi is here today, typically offering connection speeds faster than even the best 3G network will offer – when 3G gets here.

It’s not just me. Mobile professionals – sales people, journalists, investment bankers and other early-adopter types – all want this $1,000 dream device. We are a clear market segment, and we’re willing to pay.

Don’t tell me the technology isn’t here: Miami-based Calypso Wireless developed the C1250i Wi-Fi-enabled cellular phone and announced a deal for $500 million with China Telecom to begin delivering phones this year. If tiny Calypso can do it with a phone, can’t somebody do it with a PDA?

“We know that’s the right solution,” said Brant Jones, a marketing manager for the iPAQ pocket PC at Hewlett-Packard, “but we just can’t do it yet for the technically intolerant.”

Wi-Fi, with its spotty coverage and no widely available way to roam between networks, is far from perfect. But Wi-Fi use is rising. Most new notebook PC’s and many new PDA’s have integrated Wi-Fi.

Increased demand for hotspots has already initiated a fundamental shift in how operators intend to provide Wi-Fi services. Big players like AT&T, British Telecom, Virgin, IBM, Vodafone and Intel are realizing that sharing infrastructure makes more sense than having each company build its own.

For example, T-Mobile HotSpots provides wireless Internet connections at more than 2,000 Starbucks locations. But their business model is a classic “walled garden.” To use it, you need a U.S. T-Mobile HotSpot account. A British T-Mobile account won’t work. That’s silly.

A better way of getting more people to use more hotspots is more democratic. “Neutral hosts” let multiple providers share the same hotspots. They install hotspots in retail stores, airports and train stations. They then go to operators and say: “We’ve got 5,000 hotspots in retail stores around the country. We’ll let you use them to give your customers access; they pay you, and you pay us a percentage of the take.”

So as an end user, you log in with your existing credentials rather than opening a new account. If you use BT Openworld for Internet access at home, you’ll use BT Openworld when you’re in Paddington Station in London.

It’s self-propagating, too: Once a neutral host has cut deals with several operators, it can walk into a supermarket chain and say, “We’ve got 4.5 million customers who want Internet access; we can bring them into your stores if you give us permission to set up a wireless network in each one.”

It’s an elegant solution to a big problem. “People don’t want different bills,” said Magnus Mcewen-King, chief executive of Broadreach Networks, a neutral host operating Wi-Fi hotspots for Virgin and BT Openworld. “They want one account spanning access methods – cellular, Internet and voice.”

“Neutral hosting shows greater promise than roaming to succeed in offering end users easy access to public Wi-Fi,” said Bjorn Thorngren in a report for the wireless investment firm BrainHeart Capital. Thorngren forecast that providers that used the walled-garden approach to Wi-Fi billing will not survive: “They will have to change strategy or vanish.”

Cometa Networks, a neutral host backed by Intel, IBM and AT&T, plans more than 20,000 hotspots across the United States by 2004. The company’s plan is to “sublet” to brand-name Internet service providers like AT&T and IBM. This approach should bring Wi-Fi coverage up to mainstream levels – within a five-minute walk or drive for most people.

Job Hunter’s Heaven

The loneliest people at this week’s European Conference on Optical Communication (ECOC) in Munich were upstairs, through the small fire door, around the corner and down the hall. If you were to enter through the first door on your right, about two dozen heads would pop out from behind paper-plastered cubicle dividers and stare at you wistfully, as if you’d shone a searchlight into a woods full of deer.

Welcome to the world of photonics industry recruitment.

“Staffing is definitely an issue,” said Walter Hobbs, director of ACT Venture Capital. “We get a lot of technology companies coming to us and saying, ‘Yeah, we can do this, but we need 30 engineers’ and our first question is, ‘Well, where are you going to get them?’ In general, this is a big concern for our companies – how to build the team.”

Steven Storey, managing director of Equate Human Resources, which sponsored the ECOC recruitment area, agreed. “There are thousands, ridiculous numbers, of vacancies across Europe, and there’s simply not the candidates to fill the positions,” he said.

That sentiment was echoed among recruitment representatives from several companies, which included large players like Alcatel, Siemens and Lucent – all of whom have stands plastered with job openings for engineers at locations around the world – as well as by representatives from venture-funded companies like England’s Southampton Photonics and Scotland’s Kymata.

Southampton, a manufacturer of DWDM (Dense Wave Division Multiplexing) products, which recently received $55 million (€61.76 million) in seed funding, says that it needs to fill 200 high-tech positions in the next 18 months. Southampton intends to establish design, production and sales facilities in California, where it wants to hire an additional 250 staff by the end of 2002. The new jobs will consist of professional engineers and manufacturing personnel, as well as sales and marketing staff.

“We’re aggressively seeking employees,” said Southampton’s product marketing manager Adam Reeves, “and the way we can do it is that we offer a really good package, but we also have something else. We’re a young company, but we’re very well-funded, so working for us is less risky than it would be for less well-funded companies.”

Equate’s Storey, who also consults for companies by seeking trained technicians in other technical fields with crossover potential, including medical imaging, lighting systems and even semiconductors, says that in attracting talent, high-tech companies in Europe face increased competition from US firms, which offer salaries that human resources people at the conference called “outrageous.” He also sees a trend among European firms to look for talent across Europe and Asia rather than just locally.

Large salaries and employee stock option packages, so common in the US, are beginning to pop up in Europe as well, as top-flight engineers realize that they are in the midst of a revolution in which they play a vital role. Some say this further increases the challenge for smaller companies to find and retain the talent they need.

But Brendan Hyland, CEO of Kymata, which makes DWDM opto-electronic devices for the telecoms industry, dismisses the idea that there’s no one to fill the jobs. This March, Kymata completed a third round of venture funding for $72 million (€80.85 million) from 3i, Kleiner Perkins Caufield & Byers, Bowman Capital, ACT Venture Capital, CommVenture and Telesoft Partners.

“We’ve grown from 12 to 250 employees in the past 12 months, and our turnover rate has been effectively zero,” Hyland said, “and we didn’t do that with stock options alone. Yes, you have to treat people well and we do, but the thing that attracts and keeps people is to challenge their minds.”

Kymata, founded in England, relocated to central Scotland where, Hyland says, it found one of the richest pools of high-tech talent they could hope for: Within an hour and a half, they’re surrounded by five university research facilities, which produce 450 graduates and 60 to 70 PhDs per year.

And the region has a history of large-scale semiconductor fabrication, which meant that there was an ample supply of people already used to working in a clean-room environment.

Kymata, too, is looking to fill positions, in areas of optical packaging development, wave-guide device and sub-system design and failure analysis, as well as in non-technical fields including marketing and, of course, human resources.

Indeed, perhaps as important to these companies as engineers are salespeople. “This isn’t pots and pans these guys are selling,” said ACT’s Hobbs. “You need some pretty specific skills to go out and sell products of a sunrise industry. But fortunately with sales people, you can recruit them from the territory in which you want them to sell, as opposed to trying to get engineers to relocate themselves and their families to be near your headquarters.”

“This is a problem in the economy in general and in high-tech, high-growth industries in particular,” said an analyst at Merrill Lynch, “and part of it is the issue of huge compensation packages and part of it is keeping the people interested.”

While Kymata’s Hyland points to several universities cranking out 450 graduates a year, that number is bound to increase tremendously as students push to learn skills required to get them into the ground floor of such a fast-growing industry. This will, in turn, eventually lead to a glut.

“It’s nothing radically different in photonics,” said the Merrill analyst, “Last year we had thousands of programmers running around doing Y2K work – need a programmer? There are thousands of them available right now waiting for work in e-commerce. And in four years, you’ll have 25,000+ highly trained and qualified photonics engineers sitting around doing nothing.”

Eurolabels Have To Wake Up And Smell The Gnutella

The debate in the US over Napster, which allows people to trade music files from one another’s computers via the Internet, is affecting more than just disgruntled college students and sullen heavy metal bands. European record labels, conscious of the overwhelming tide of digital free-trading that’s sprouted in the past year, are looking at making fundamental changes in the way they deliver products via the Internet.

What’s at the Heart
Napster, and sites like it, allow users to take a CD recording they own and copy it to their hard disk in a format called MP3, which affords low file size while maintaining the CD recording standard sampling rate of 44.1 kHz. The Napster site then allows others to download the file from the user’s computer, at no cost to either party.

The record labels are panicked because this setup kicks the traditional business model of the industry in the teeth. The record industry’s model is intricate and has taken the labels years to perfect. Artists write (or sometimes just perform) the music, and sign contracts with the label to produce “albums”.

The artists or the record label then hire a producer, who works with the artists in the recording studio to perform and record each song. The producer shapes the work to fit a vision that is, in the best cases, a perfect fusion of the artist’s vision and the record label’s commercial interests. The record label takes the completed master recordings, which it owns; copies them to media (CD, tape, or vinyl); and packages, markets, and distributes through its network of retailers and direct sales outlets. Of the wholesale price, the record label grabs the lion’s share and brushes a few crumbs toward the artist and producer. Retailers then bring home fat profits from slapping on a multiple of the wholesale price.

So, with the advent of music available online, the traditional model is at risk of evaporating for not only the record labels and retailers but the artists as well. “When you sign an agreement as an artist,” said entertainment attorney and artist representative Harry J Getzov, who represents, among other people, The Jerky Boys, “you give away, if you’re lucky, 85% of your work – and actually, after packaging and other deductions that have been built in over the years, it’s often less than that.”

Enormous Potential
Online music is not a small market. A recent report by e-commerce research group Jupiter Communications found that online commerce revenues for Western Europe would rise eight-fold by 2005, from a current €8 billion to €64 billion; the number of European online buyers would increase from the current 20 million to 85 million. In 1999, music comprised 44% of European online purchases. But as music downloading proliferates, the current leading distributors could find themselves at the wrong end of hot new competition.

“It’s been clear for the past five years that music distribution would change tremendously,” said Michael Blok, senior analyst with Rabo Securities. “At this point, consumers are saying, ‘Why would I pay $25 for a bundled product of two or three songs I like, and two or three that I don’t? Out of that $25, about $14 goes to the record store, packaging, shipping, etc, etc.’”

The Opportunity For Online Music Retailers
“When someone hears a song on the radio,” said Blok, “and they want that song, they go to Napster and download it free. But Napster, while unreliable, slow and of mixed quality, is such an excellent concept. The labels just have to offer something better: reliability, high quality, and value added. Then if someone forced me to pay 50 cents for the same service, I would easily do it cause I get better quality and extra services I would love.”

Jupiter analyst Stacey Herron agrees. “Napster’s popularity with music fans demonstrates the constant demand for online music,” wrote Herron in her report, “but represents only one aspect of the future of online music. Labels and artists should take a cue from Napster’s success and work towards releasing more comprehensive catalogs of music online. They should also move away from the goal of charging fees to download individual songs and towards more flexible distribution and payment models.”

Those extra services are exactly what the record labels must do to survive instead of filing lawsuits in an effort to stave off the inevitable. Consumers polled by Jupiter said that the most important aspects to them were quality and virus protection. Offering that, in addition to exclusive content, artist interviews and chats, and other services, is the only way to get the music lovers to pay for what is currently free and probably illegal.

Bertelsmann Leads The Way
Record labels are gradually coming around to embrace the genie that’s already well out of the bottle. As usual, Bertelsmann is moving fast in this space to make music downloads align with its stated strategy. “Our core strategic focus is on further development of our positions in our different content markets,” said Bertelsmann spokesman Markus Payer, “so on the technological side, we’re working to digitize all our content.”

Bertelsmann owns BMG, the world’s fourth largest music label, and has a stake in Lycos Europe. Last month, BMG Entertainment Group bought struggling online CD retailer CDNow for $117 million. Last week, Bertelsmann, BMG and Lycos Europe announced that they would establish on August 17, allowing German-speakers access to MP3-formatted music content.

Publicly traded European record labels in the online music retailing space, such as EMI Group PLC, Vivendi (through its purchase of Universal, including the Universal Music Group); BMG, owned by quasi-public Bertelsmann, which sells profit participation shares; and AOL, through its Time-Warner merger, could all benefit significantly if they learn to transform their business model. And they must move quickly. Napster, while raising the ire of the RIAA and such plausible champions of justice as Metallica, is not alone. Other websites allowing such trading are springing up daily, such as Scour, which offered as of this writing almost 2.5 million music files, Gnutella, and Freenet.

Startups To Benefit From UMTS Spending

Imagine you’re a telecom, and you wake up this sunny Friday to realize it’s not a dream, you really did just pay £8 billion for two German third-generation mobile license blocks. Yes, you paid much more than you wanted for fewer license blocks than you’d hoped. And when your friends ask you what, specifically, you will do with this license, you can’t answer.

If you think you hear laughing, it’s probably coming from Denmark.

“We were all laughing about this just yesterday,” said Soren Jessen Nielsen, head of strategic business development in Europe for BlueKite, which just closed a $36 million round of funding from a VC group headed by Texas Pacific Group and including Credit Suisse First Boston. The investors purchased a 21 percent stake in BlueKite, which develops proprietary bandwidth optimizing technologies and a software platform aimed at increasing network capacity and Internet access speeds for fixed and mobile networks.

“Bandwidth is finite; it’s absolute,” said Nielsen, who scoffs at UMTS hype. “A 2MB line into a PDA? Please. When UMTS comes, no one has any idea what they’re going to do with it. But I’ll tell you, whatever they (the telcos) do, they’re going to run into the same bandwidth problems and capacity issues that you have with GSM and Edge. You ain’t gonna have multimedia while traveling on a train, forget that one – that’s marketing hype.”

But whether BlueKite believes the UMTS dream or not, it’s hoping to profit from it. The San Francisco-based company, with roots in Copenhagen, may be one example of how startups in Europe can benefit from the trucks full of money being thrown at UMTS. Whether you believe UMTS is the Great White Hope or a Big Fat Joke, one thing European VCs seem to agree on is that companies developing applications for next-generation mobile networks are worth funding. With telcos around Europe set to pay up to $200 billion for licenses, they may have little money left to develop their own applications to run on these networks. Enter wireless communications, software and technology startups.

“There is a ton of work to be done to create these UMTS-based applications, and this is an area where small companies are really needed, and where they can do a good job,” said Peter Dietz, managing director of TakeOff VC Management. He believes the UMTS bidding war will cause larger companies to leave to small companies the work of making the applications that will make UMTS sexy. “I can’t name names at the moment, but we have already been discussing this with two of the German companies in our portfolio; one is something of a cross between an IT service and a multimedia agency, and the other is a pure software development company.”

Kim Bach, vice president at 2m Invest in Copenhagen, added: “This is a perfect example of the ‘Tornado effect.’ There’s so much money being spent in this area that it’s impossible to imagine it won’t have a positive effect on the small suppliers.”

Bach has seen this market development coming for a long while. 2m has been sinking money into the organization that is now BlueKite since 1993, when it was called RadioMail, and it had teamed up with Motorola to make Newton-like handheld devices.

“We really knew the idea of wireless computers was the way to go in the future, but we were out, well, let’s say a bit too early,” Bach said. “But we were sure this technology would have to have a breakthrough sometime, so we kept feeding what would become BlueKite until a couple of years ago when they really took off.”

BlueKite’s reincarnation about two-and-a-half years ago, headed up by CEO David Cox, was funded by $1 million in seed money from 2m, which owns 41.6 percent of the company. BlueKite started with offices in Silicon Valley but, fleeing high prices and labor costs, kept its administration in San Francisco and moved research and development to Los Angeles. In the last year, the company has grown from 10 employees to more than 70, and has offices in Copenhagen, London, Frankfurt, Amsterdam and Paris.

2m invested an additional $3 million last year. BlueKite’s aim is to develop technologies that better manage bandwidth and compress data, but still utilize existing infrastructure. For example, on a standard ISDN line, BlueKite technology can determine, on an ongoing basis, whether a given user needs two or three channels, or just to keep one open on an idle mode.

In fact, BlueKite already offers a technology that allows ISDN-speed data transfer rates over existing wireless networks for companies including British Telecom, Swisscom and Telecell Portugal, as well as Connect Austria.

“We looked at everyone offering solutions to bring high-speed mobile data transfer,” said Lars Reichelt, currently COO of Connect Austria and soon to be director of wireless for Europe at Yahoo. “When we finished, BlueKite came up by far the best,” even with competitors including Nokia and Ericsson offering similar products. “This is a great tool, and it makes the workplace truly mobile. You don’t have to worry about fumbling around looking for a proper phone plug – in Austria there are seven approved types of phone plugs. It costs 3 schillings ($0.20) a minute, and you can work while others watch in wonder.”

BlueKite may well be poised for growth during the development of the so-called mobile future, but it won’t be alone for long. Software companies are desperately needed to build the very applications that will make UMTS profitable, and most startups aren’t clueless to the trend. Some industry estimates put the number of WAP development companies at over 600 in Europe alone, and VCs are desperately trying to plunk their cash into the right wireless companies. Yesterday, every VC wanted a in its portfolio, now they want wireless startups.

“This (the development of UMTS) creates opportunities for smaller companies,” said Stephan Uhlmann at Deutsche Venture Capital Gesellschaft. “There’s a great opportunity here for developers of applications that will bring products to end users via UMTS.”

Eaten By Snakes: Virus Hoaxes & How To Spot Them

Every year businesses worldwide spend more money soothing the nerves of employees who’ve received hoax virus warnings than they do on actual viruses. So before you pass on the note your friend Ned sent you about a new virus that will make snakes eat your hard drive, give it a little thought.

If you didn’t receive an email from a friend a while back warning you about the deadly SULFNBK virus, you probably haven’t gotten out much on the net yet. SULFNBK, the email warned, can hide in your computer and wreak havoc on a certain date, and it helpfully goes on to tell you how to delete the renegade file.

SULFNBK was another hoax. SULFNBK.exe is a standard Windows operating system file that allows Windows to handle long file names like “memo to dad.doc”. (Read McAfee Associates’ warning about SULFNBK.)

At the U.S. Department of Energy, a group called the Computer Incident Advisory Capability monitors and debunks phony virus alerts and chain letters as an integral part of its overall security program – check their site.

Rule Number 1:
If you see a request in an email warning to “Pass it on,” you should immediately be highly suspicious of the message. The fastest way to check a virus warning is to look it up in Symantec’s online hoax and virus encyclopedia.

Another excellent resource is Stiller Research, which lists the top five hoaxes of the month including, in April 2000, a hoax regarding asbestos being used in tampon production.

Spotting a Hoax
Hoaxes usually include sentences in ALL CAPITAL LETTERS in the subject line and lots of exclamation points!!!!!! They also have, almost universally, this syntax:

“If you receive an email with a file called ‘Such-and-such’, do not open it. It contains the email virus ‘This and that’ which will ‘do this or that’ to your hard drive.”


Another type of hoax involves having you forward chain letters on the theory that if you send the email to 1,400 of your closest email buddies you’ll win a free phone, Microsoft stock, Disney tickets, yadda yadda yadda. No one gives you something to email someone. No one. Not even Nokia. What to send someone who sends you a “Forward this message and get a free cigar” message? An excellent sample is up at
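Those tells are mechanical enough to turn into a screening heuristic. The Python below is an added example written for this page, not code from the original column or from Symantec, Stiller Research or CIAC: it scores a message against the signals described above (an all-caps subject, runs of exclamation points, a “pass it on” request, the “if you receive an email with a file called” template, a threat against your hard drive, and a free-stuff-for-forwarding promise) and flags it as a likely hoax when three or more are present. The three sample messages, the regular expressions and the threshold of three are all constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# One pattern per tell described above. The wording alternatives inside each
# pattern are assumptions added for this example.
PASS_IT_ON = re.compile(
    r"\b(pass (it|this) (on|along)|forward (this|it) to|send (this|it) to (everyone|all))\b",
    re.I,
)
WARNING_TEMPLATE = re.compile(
    r"if you (receive|get) an? e-?mail (with|containing) (a file|an attachment) called",
    re.I,
)
HARD_DRIVE_DOOM = re.compile(
    r"\b(erase|destroy|wipe|eat|format)s? (your|the) hard (drive|disk)", re.I
)
FREEBIE = re.compile(
    r"\b(free (phone|cigar|tickets?|stock|money|trip)|giving away|will (pay|send) you \$?\d+)\b",
    re.I,
)
EXCLAMATION_RUN = re.compile(r"!{3,}")


@dataclass
class HoaxVerdict:
    score: int = 0
    signals: List[str] = field(default_factory=list)

    @property
    def likely_hoax(self) -> bool:
        # A cut-off of three independent tells is an assumption for this example.
        return self.score >= 3


def _mostly_uppercase(text: str, threshold: float = 0.8) -> bool:
    """True when at least 80% of the letters are capitals (and there are enough
    letters for the ratio to mean anything)."""
    letters = [c for c in text if c.isalpha()]
    if len(letters) < 5:
        return False
    return sum(c.isupper() for c in letters) / len(letters) >= threshold


def score_hoax(subject: str, body: str) -> HoaxVerdict:
    """Count the hoax tells present in a message; each tell adds one point."""
    whole = subject + "\n" + body
    checks = [
        ("subject in ALL CAPS", _mostly_uppercase(subject)),
        ("runs of exclamation points", EXCLAMATION_RUN.search(whole) is not None),
        ("asks you to pass it on", PASS_IT_ON.search(whole) is not None),
        ("'if you receive an email with a file called' template",
         WARNING_TEMPLATE.search(body) is not None),
        ("threatens your hard drive", HARD_DRIVE_DOOM.search(body) is not None),
        ("promises something free for forwarding", FREEBIE.search(whole) is not None),
    ]
    verdict = HoaxVerdict()
    for label, hit in checks:
        if hit:
            verdict.score += 1
            verdict.signals.append(label)
    return verdict


# Constructed sample messages as (subject, body); none is a real hoax text.
SAMPLES: Dict[str, Tuple[str, str]] = {
    "virus_warning": (
        "VIRUS WARNING!!! PLEASE READ AND PASS IT ON",
        "If you receive an email with a file called 'Snake.exe', do not open it. "
        "It contains the email virus 'Cobra' which will eat your hard drive. "
        "Pass it on to everyone in your address book!!!!!",
    ),
    "chain_letter": (
        "Fwd: Free phone from Nokia!!!",
        "Nokia is giving away a free phone to anyone who forwards this message to 20 friends. "
        "Forward this to everyone you know and you will win a free phone!",
    ),
    "it_advisory": (
        "Advisory: update your virus definitions this week",
        "Our IT team has published updated virus definitions. Please run the updater "
        "from the internal portal before Friday. Contact the helpdesk with questions.",
    ),
}


if __name__ == "__main__":
    for name, (subject, body) in SAMPLES.items():
        verdict = score_hoax(subject, body)
        status = "LIKELY HOAX" if verdict.likely_hoax else "probably genuine"
        print(f"{name}: score {verdict.score} -> {status}; {', '.join(verdict.signals) or '-'}")
```

A score is only a prompt to look the warning up, as the rule above says; the one real-world signal the page gives that no regex captures is that genuine vendor advisories never ask you to forward them.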

Not All Are Hoaxes, Of course…
As the “I Love You” virus which struck at the beginning of May 2000 showed once again, the threat of a virus in the form of an attachment to an email is very real, and a big pain in the kiester. However, note that it is most often clicking on the attachment that creates the problem, not the email itself.

I personally have no clue why it is that people just go ahead and click on something called ILOVEYOU in an email from an editor – a position uniformly filled by people with a demonstrated inability to love anyone. I would indeed find the idea of an editor telling me to “click here to see how much I love you” menacing enough to shut down my computer and proceed to the nearest bar.

But even if the file had been attached to a message from my sainted sister I would have viewed it with suspicion and virus checked it before opening.

As a colleague, Ed Hasbrouck, points out: “Most security attacks and viruses are directed at – and depend on interactions between – the most common combinations of software; Windows 9X OS, MSIE 4 or 5 browser, MS Outlook or Eudora e-mail, and MS Office word processing, spreadsheet, etc. applications.

“The fewer components of this bundle you use, the less vulnerable to the most common attacks and viruses there are. Viruses that propagate by getting MS-Outlook to launch an MS-Word macro can thrive. No one writes viruses that depend on using Pegasus Mail to launch a WordPerfect macro, since too small a percentage of recipients would have that combination, and they wouldn’t succeed in spreading.”

Note, though, that viruses don’t spread through an email message. You can’t “destroy your hard drive” or have your hard drive eaten by monsters just because you open a message that came with an infected attachment (I myself opened the message saying “I love you”, saw the file and immediately deleted the attachment – easy peasy). Some simple steps can prevent your getting infected by a virus.

1. Use a non-standard mail program. Ed and I use Pegasus Mail, a free program that makes Eudora’s new 4.3 release look positively clunky. It’s free on the web.

2. Be suspicious of any attachments, even from people you trust.

3. Be highly suspicious of attachments that are an executable program (that is, the document ends in “.exe”).

4. Be suspicious of and never fail to virus-scan attachments of Microsoft Office documents (Word, Excel, Power Point, etc) for macro viruses.

5. Be highly suspicious of any attachments that have an unfamiliar extension (the last three characters of the file name). “I Love You” was attached to a file with a “.vbs” extension. If you’ve never seen a file extension before, do one of two things:

    a) If it’s from someone you know and trust, virus check it using the latest version of your favorite virus scanning software – and update the virus scanner monthly from the company’s website.

    b) If it’s from someone you don’t know or someone you know casually, delete the sucker. Send a message to the sender saying you did, and if it was something important, ask them to send it again, then repeat step a).

6. Use Macintosh or Linux machines instead of Windows. Okay, okay, that’s asking a bit much. But because so relatively few people use those platforms, virus scares for them are far fewer.
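Steps 2 through 5 read as a decision procedure, and the Python below, an added example rather than anything from the original column, applies them to attachment file names: it buckets the last extension as executable or script, macro-capable Office document, familiar, or unfamiliar, then picks the action the steps prescribe given whether the sender is trusted. The page names only .exe, .vbs and the Office formats; the other extensions in the lists, the “familiar” list, and the sample file names (including the ILOVEYOU.TXT.vbs-style double extension) are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Tuple

# Extension buckets built from steps 3-5 above. The page itself names only
# .exe, .vbs and the Office formats; the other entries are assumptions added
# for this example (further Windows executable/script types of the same era
# and a small "familiar" list a reader would tune to their own inbox).
EXECUTABLE = {"exe", "com", "bat", "cmd", "scr", "pif"}
SCRIPT = {"vbs", "vbe", "js", "wsf", "wsh"}
OFFICE_MACRO = {"doc", "dot", "xls", "xlt", "ppt", "pps"}
FAMILIAR = {"txt", "jpg", "jpeg", "gif", "png", "pdf", "zip"}


@dataclass(frozen=True)
class Triage:
    filename: str
    extension: str
    risk: str                 # "high", "medium", "low" or "unfamiliar"
    action: str               # what steps 2-5 tell you to do with it
    notes: Tuple[str, ...]    # extra observations, e.g. a double extension


def split_extension(filename: str) -> Tuple[str, str]:
    """Return (stem, last extension), lower-cased; extension is '' if absent.
    Only the last extension counts: 'ILOVEYOU.TXT.vbs' is a .vbs file, and
    whitespace around the name is ignored."""
    cleaned = filename.strip().lower()
    stem, dot, ext = cleaned.rpartition(".")
    if not dot or not stem:
        return cleaned, ""
    return stem, ext


def triage_attachment(filename: str, sender_trusted: bool) -> Triage:
    stem, ext = split_extension(filename)
    notes: List[str] = []

    if ext in EXECUTABLE or ext in SCRIPT:
        risk = "high"            # step 3 (.exe) and the .vbs case of step 5
    elif ext in OFFICE_MACRO:
        risk = "medium"          # step 4: macro-capable document
    elif ext in FAMILIAR:
        risk = "low"
    else:
        risk = "unfamiliar"      # step 5: never seen it, or no extension at all

    # A familiar-looking inner extension in front of a script/executable one is
    # the pattern the "I Love You" attachment used (a .TXT name carrying .vbs).
    _, inner = split_extension(stem)
    if risk == "high" and inner:
        notes.append(f"double extension: looks like .{inner} but would run as .{ext}")

    if risk == "medium":
        action = "scan_for_macro_viruses"         # step 4, whoever sent it
    elif risk == "low":
        action = "virus_scan_before_opening"      # step 2: suspicious of everything
    elif sender_trusted:
        action = "virus_scan_before_opening"      # step 5a
    else:
        action = "delete_and_ask_to_resend"       # step 5b

    return Triage(filename, ext, risk, action, tuple(notes))


def triage_message(attachments: List[str], sender_trusted: bool) -> List[Triage]:
    """Apply the rules to every attachment on one message."""
    return [triage_attachment(name, sender_trusted) for name in attachments]


if __name__ == "__main__":
    # Constructed sample attachment names; the first mimics the .TXT.vbs trick.
    sample = ["ILOVEYOU.TXT.vbs", "budget.xls", "photo.JPG ", "README", "setup.exe"]
    for trusted in (False, True):
        print(f"sender trusted: {trusted}")
        for t in triage_message(sample, trusted):
            extra = f" ({'; '.join(t.notes)})" if t.notes else ""
            print(f"  {t.filename!r:22} risk={t.risk:10} -> {t.action}{extra}")
```

The one design choice worth noting is that only the last extension decides the bucket: a mail client that hides known extensions would show ILOVEYOU.TXT.vbs as ILOVEYOU.TXT, which is exactly why step 5 tells you to look at the last three characters yourself.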

Lessons of the HBGary Hack

“My father was in the secret service, Mr Manfredjin St. John, and I know that you don’t ‘keep the public informed’ when you are debriefing KGB defectors in a safe house.”
– Wendy, A Fish Called Wanda

I’ve been speaking quite a bit lately about how information security professionals can work with law enforcement – in fact, I’m speaking about it next week at BSides San Francisco. The attacks by Anonymous against HBGary, and the accompanying defecation-hitting-the-ventilation raises some important rules of the road for this.

Private-public sector cooperation is at the heart of nearly all successful initiatives. The public sector relies on private-sector innovation and expertise – indeed, organizations like In-Q-Tel and the Chesapeake Innovation Center count on it to make crucial advances in security. There’s great satisfaction in working for the greater good – which can come in a warm, fuzzy feeling of accomplishment, or even in the warmth of some “non-recurring engineering funds” from some grinning, creepy guys in “Maryland”. Trying to get the specifics of your good deeds into the limelight, though, for personal or company public-relations gain is just bad business.

When speaking with journalists and analysts, executives at information security companies – especially venture-funded, non-profitable, non-cash-flow-positive ones – have long used implication, hints, wink-wink gestures and other sometimes adorable intimations that they ‘work with’ ‘three-letter agencies’* or law enforcement in darkly secret and very important ways. They do this because they are trying to build their brand credibility.

They often end up sounding like a tool.

Now, often-times, they actually are using their technologies and their skills to support the work of law enforcement, but they’re not supposed to talk about it. Nor should they want to, necessarily. If I sound snarky, let me be clear that public service is not to be mocked, it is absolutely to be lauded, and anyone helping a law enforcement agency fight crime, whether for money or service, is to be encouraged.

But don’t forget that, as you help out, it is just that: public service. You can’t publicize the specifics of your assistance without jeopardizing its very value. This is the line, apparently, that HBGary employees inadvertently crossed, and the results were terrible.

[Let me say that, while I am using this as a cautionary tale, everything I know about the HBGary folks is that they are good, innovative and really smart people who care, who are passionate about technology and security. They’re good people who made a tactical marketing blunder.]

In the Financial Times last Saturday, in an article entitled, “Cyberactivists warned of arrest,” Joseph Menn quoted HBGary researcher Aaron Barr as saying that, “he had collected information on the core leaders, including many of their real names, and that they could be arrested if law enforcement had the same data.”

They could be arrested if? What hubris! Now, I don’t know much about law enforcement, but I do think that, if you’re planning, say, to serve a felony warrant, it’s a bad idea to phone ahead and let the guy know you’ll be by in 15 minutes. If?

A good rule of thumb is that you don’t tip your hand about the specifics of your work on any case for any reason. And drumming up business through publicizing your specific public service is as bad a reason as any.

Reasons for this fall into two categories. The first is that fighting crime is, you know, dangerous. Criminals generally engage in criminal enterprises for the money (few people have a driving passion to establish, say, an industry-leading counterfeiting ring for the societal benefit), and those who stand between criminals and their goal risk the ire of the criminals. This is not fair or just, but it is so.

Now, stating in a newspaper that you possess the secret identity of a criminal? This falls squarely into the category of “standing between a criminal and his goal.” That’s a tip, kids. Write it down. To paraphrase Wendy in A Fish Called Wanda, one only briefs the public on an upcoming law enforcement action if one is congenitally insane or irretrievably stupid.

Second, law enforcement officers, agents and agencies fight crime for a living. It’s dangerous and often thankless; it’s a calling, and these folks work hard under difficult conditions that require dedication, passion and purpose. Implying that they’re somehow not up to the task by stating that you have the X-factor that can be the secret of their success alienates those you seek to help.

Security firms and security professionals who want to help law enforcement should recognize a few things:

  1. Helping law enforcement is rarely a straightforward task. Sure, in movies, “we need your help” is followed by specific tasks that lead to the capture of the bad guys, the breaking up of the crime syndicate and windsurfing at Disneyland.
  2. Relationships in law enforcement must be carefully cultivated. Sworn officers and agents need to learn that you are trustworthy. You must learn the extents of their capabilities and authority. This takes time.
  3. Your help can’t be more trouble than it’s worth. In the movies, the brilliant but eccentric mathematician/hacker/systems expert can be un-bathed, wild-eyed and unpredictable. When you’re working with the fuzz, one press release costs you any and all good-will you’ve developed to date.
  4. The time to talk about arrests is a year later. The people to talk about arrests are cops. You’re helping law enforcement as part of your civic duty. While the cops will often be happy to mention your help in a press release at some point down the road, your primary driver for helping is public service, not self-promotion. If you’re in it for the publicity, get a cooking show.
  5. Criminals are dangerous. Criminals seek profit, and seek through illegal means to thwart those who would prevent these profits from being realized. Fighting criminals can absolutely be a cooperative exercise between public and private sector, but private sector people should keep the details of their cooperation as secret as the “sauce” they love to say makes their product work.

In short, companies wishing to help out might consider following the advice of Chris Rock, as he described some of the best ways Not to Get your Ass Kicked by the Police.

  • Obey the law;
  • Use common sense;
  • Be polite; and
  • Shut the #!@k up.

Nick Selby is CEO of a stealth-mode technology start-up. He is a sworn law enforcement officer in Texas, and will speak at BSides San Francisco on February 14th about ways in which information security professionals can work with law enforcement.

*a phrase which itself provides proof that they do not

A Pornographer Plumbs the Depths of What is ‘Reasonable’

A decision in the US Court of Appeals, Ninth Circuit, in the case of United States v Borowy[1], addresses the issue of the expectation of privacy in communications. I’m so not a lawyer, but as a security consultant I am someone with a vested interest in understanding privacy, so I find some of the language the court used to be very interesting. And when I consulted a good friend, a lawyer (who IS a lawyer), he said, “If it comes from the Ninth Circuit, it’s solid.”

Mr Charles Borowy is a child pornographer who installed the file-sharing program LimeWire on his computer. As a feature, LimeWire made his hard drive available to anyone with LimeWire. On May 3, 2007, one such person was FBI Special Agent Byron Mitchell, who logged onto LimeWire to monitor trafficking in child pornography. According to the opinion, Agent Mitchell searched LimeWire for the term “Lolitaguy,” a term known to be associated with child pornography. After getting hits on that phrase from Borowy’s computer, using LimeWire’s “View-files-on-this-host” feature, Agent Mitchell saw about 240 files that his FBI software identified as being known child pornography.

Using that as probable cause, Agent Mitchell, still using LimeWire’s out-of-the-box functions, downloaded copies of files from Borowy’s computer, confirmed that they were child pornography and Borowy was arrested. Later it was discovered that Borowy had more than 600 images and 75 videos of child pornography.

Did the FBI violate Borowy’s privacy? Do people have a reasonable expectation of privacy on their computer when they connect it to the Internet?

I say that not only didn’t the FBI violate Borowy’s privacy, but also that Borowy was a) literally and figuratively publishing his files for the world to see and b) an idiot[2].

In a passage of the decision upholding the actions of the FBI and affirming that it acted properly and not in violation of Borowy’s fourth amendment rights, the court says that the earlier decision in US v Ganoe was spot on:

“Under Katz v. United States, 389 U.S. 347 (1967), government conduct qualifies as a search only if it violates a reasonable expectation of privacy. Whether Agent Mitchell engaged in an unconstitutional search and seizure is largely controlled by United States v. Ganoe, 538 F.3d 1117, 1127 (9th Cir. 2008), cert. denied, 129 S.Ct. 2037 (2009), which held that the defendant’s expectation of privacy in his personal computer could not “survive [his] decision to install and use file-sharing software, thereby opening his computer to anyone else with the same freely available program.” (US Court of Appeals, 2010)

The last sentence of that passage is absolutely crucial in inferring the attitude of the court towards privacy in the Internet era. It says that the moment I install software that opens my computer to anyone else with the same freely available program, I give up my expectation of privacy. Later the Borowy ruling raises “Cf. California v. Ciraolo, 476 U.S. 207, 213-14 (1986) (finding the use of an aircraft to observe marijuana plants was not a Fourth Amendment search as it only revealed information accessible to any member of the public flying in the airspace).”

I would say that unencrypted Internet email will, in the next five years, be found to be analogous to the marijuana nursery, and outside the scope of fourth amendment protection or indeed any reasonable expectation of privacy. When users sign up for Gmail or Hotmail they understand (or should) that Google and Microsoft are mining the contents of their messages for a range of things, including what they say (for the purpose of placing ads within the messages, etc) and with whom they communicate (for the purpose of determining networks of people to whom they will eventually target ads, etc) and myriad other reasons. Users expect no privacy from Google or Microsoft, but they somehow cling to the concept that, once they hit “send”, the message is protectively wrapped on the way to the intended recipient. Without getting into too many technical details, this is to say the least a charmingly naive concept. Email sent in plain text can be monitored, viewed, copied and is stored all along its multitudinous pathways from sender to recipient.

I’ll make a statement as a published and widely quoted information security person: it is a trivial matter to intercept and read unencrypted email using freely available programs. If I did so, I would expect that a court would find, as did the Ninth Circuit, that someone who sued me for doing so had given up their expectation of privacy when they decided to use software that opened their communications to anyone using freely available tools to intercept it.

Should this understanding signal a change of attitude? Bruce Schneier seems to think so – last March he wrote on his blog:

Between the NSA’s massive internet eavesdropping program and Gmail’s content-dependent advertising, does anyone actually expect their e-mail to be private? Between calls for ISPs to retain user data and companies serving content-dependent web ads, does anyone expect their web browsing to be private? Between the various computer-infecting malware, and world governments increasingly demanding to see laptop data at borders, hard drives are barely private. I certainly don’t believe that my SMSes, any of my telephone data, or anything I say on LiveJournal or Facebook – regardless of the privacy settings – is private.

I would say that with this opinion, the court is further clarifying the judicial attitude towards what is reasonable of a contemporary person to expect in the way of privacy when he lives a life enriched by Internet-based communication between computers. I don’t think that this means that the US system of government as we know it is at risk of collapse – but I do think that it further strengthens the argument that an unencrypted communication across the public Internet is analogous to a conversation on a crowded street corner. And as such, there should be no expectation of privacy.

[1] (United States. Court of Appeals, Ninth Circuit. 2010. [Online] United States v Charles A Borowy.)

[2] Within the case, see below, Borowy claims to have tried and failed to make private his hard drive in a number of dumb ways. He tried to claim that because he tried to make it private it should have remained private. The court found that as funny as I did.

The Consolidating Fiber Industry

The proposed $100 billion merger between Corning and Canadian network provider Nortel Networks would create a fiber optics company with a market cap of $170 billion. Analysts say that this is just one of a series of upcoming mergers and acquisitions that will transform and consolidate the lucrative fiber optics industry. [1999]

The European high-tech investor must be aware of two recurring scenarios in consolidating industries. On the one hand, small- to mid-size companies developing fiber optic technology are certain to be takeover targets and will therefore skyrocket in value while the acquiring companies’ share prices will suffer for perceived overpayment. On the other hand, regulators are watching the sector’s mergers like hawks, to ensure that buyouts don’t create an anti-competitive climate.

However, though regulators sometimes slow things down, they won’t stop the consolidation.

The Consolidating Fiber Optics Industry
“It has to consolidate,” said John Nicholls, CEO of Scotland’s Photonic Materials. “Most of these companies are seen as a base to grow the business into some sort of merger with a larger strategic partner which manufactures crystals and other components used in the construction of fiber-optic networks.”

European fiber companies like Photonic, as well as publicly traded firms such as Bookham Technologies, France’s HighWave Optical Technologies, and even to a certain extent Marconi Communications, are well positioned to take advantage of the attention. Each makes parts of the fiber optics food chain that are highly valuable to larger international network companies, and each knows it. “There’s such a demand for capacity, and in terms of our company, we’re strategically important,” said Photonic’s Nicholls.

Telecommunications consulting firm RHK has reported more than 20 fiber-related mergers this year, compared to three last year, and that even before the JDS Uniphase takeover of SDL for $41 billion, the average price per acquisition as of June was already seven times that of 1999. Venture capital investment in the sector is five times 1999 levels.

The Initial Stage
The initial stage of the consolidation sees relatively smaller players forging value-adding strategic relationships to carry out specific aspects of the manufacturing process. This week, British Telecommunications announced that it had cut a $3.04 billion deal with Marconi to provide optical network gear. Earlier this month, Marconi announced a deal with Bookham to supply multi-channel DWDM optical components for Marconi’s networking products.

Where are the Best Investments?
Does this mean that fiber optic companies in Europe are particularly positioned, technologically or strategically, to make them more attractive than those in the US? Yes and no.

“If you look at the technology from a market adoption perspective, or in terms of technological development, with the number of wireless equipment and major handset manufacturers, then Europe is ahead of the US,” said Krishna Visvanathan, communications team investment manager for 3I, which has had investments in many European fiber optics companies, including Bookham and Photonic Materials. “But in terms of sheer numbers of optical networking companies, the US is significantly ahead.

“It’s interesting that some specific geography does have more photonics technology than others” Visvanathan said. “The US is hot, and there’s lots of start ups, but there are a fair few in the UK as well. But overall, the geography doesn’t have a major impact. The entire optics network market space is so hot that any company, European, Israeli or American, has fantastic exit prospects, assuming the technology is sound.”

Indeed, the major headlines aside, important deals continue to take place outside Europe: Altitun, a tunable laser company with good technology, but scant revenues, was bought in May by ADC Telecommunications, Inc (ADCT) for $872 million, and Israeli-founded US company Chromatis Networks was bought in June by Lucent Technologies for $4.5 billion in Lucent shares.

But the European consolidation is keeping pace. “Given today’s climate, we’ll definitely be a takeover target,” said Photonic’s Nicholls. “I’m not building a business to sell it,” he said, but then readily agreed that with so much money being offered by companies increasingly desperate for his products, his position could be far worse.

Linux Gets Easier. Businesses Are Noticing.

A Cannes-based private investigator, Alain Stevens, recently switched computer operating systems from Windows to Linux. “It’s a security issue,” Stevens said. “Viruses which target Windows could send confidential documents from my machines to random people – and that could send me to prison.”

Citing cost savings, open standards and enhanced security, the German government in June reached a Linux deal with International Business Machines Corp. and SuSE Linux AG of Germany for its local, state and federal computer infrastructure.

And as the City Council in Nottingham, England, plans a new software application for 10,000 employee workstations, it is seriously asking the question, “Are we going to run this on Windows or open-source, like Linux?”

Throughout Europe, companies and governments large and small have recently been asking the same thing. Information technology departments are looking at what they have and rethinking what they want.

The resulting groundswell could soon make the Linux-based desktop more prevalent in Europe than anyone could have predicted even a year ago. Dan Kusnetzky, an analyst for International Data Corp., said Linux had a 3.9 percent share of desktops worldwide, outpacing Macintosh’s 3.1 percent.

Richard Heggs, Nottingham’s systems analyst, described the process this way: “We’re looking at Linux as a possible replacement for Windows as council desktop standard. It’s looking favorable. Senior management is saying, ‘We like this, but can it do what people say it can?’”

The stimulus to find out has been manifold. A new generation of user-friendly Linux products spearheaded by SuSE and MandrakeSoft SA of France – both of which are small, as yet unprofitable companies – has eased migration.

Legislative incentives have put open-source on corporate tongue-tips. Countries including Britain, Germany, France, Italy, Norway and Malta have introduced a flurry of initiatives to give open-source software access to a level playing field – and mandate the use of open standards for official communications. And Microsoft Corp.’s unpopular license-fee revamping has contributed to a general re-evaluation of IT purchasing criteria: Some tech managers say their feasibility studies of Linux migration may be justified by reasoning that, at a minimum, the results are ammunition for negotiations with Microsoft.

Microsoft’s Europe office would not comment. Companies still look for big names – like Microsoft’s – behind any new software they might buy. Now, other big names in computing are putting money behind Linux products. Sun Microsystems Inc., which recently announced an Intel-based server pre-loaded with Sun Linux 5.0, contends that the concept of having “one throat to choke” for support of an open-source product lends credibility to open-source. “The key value Sun’s bringing to Linux isn’t really ‘on the tin,’” said Simon Tindall, volume products business manager for Sun in London, “but that we will support it directly as a vendor.”

This type of Linux support means that corporate IT departments and purchasing managers, ever wary of getting stuck with something forever, can now say, “Well, Sun’s providing support for it.” Other vendors have followed: BEA Systems Inc., IBM, Oracle Corp., SAP AG and Veritas Software Corp. have all ported their applications to run on Linux systems. All this effort may raise costs (Linux costs typically have nowhere to go but up), but that may not be a deterring factor.

Consider StarOffice, Sun Microsystems’ open-source challenge to Microsoft Office, its word-processing business software suite. Until recently, it cost nothing. Since release of version 6.0, Sun has begun charging up to $79 per license.

[The free product was renamed and is still available under that name. The products are identical except in name and the fact that Star Office is released in a boxed set with printed documentation and Sun Microsystems installation support by telephone.]

The price seems to make businesses trust it more, some analysts say – it is a real product with a viable revenue model, which is a lot easier to explain to your boss than a product supported only by eleemosynary efforts by some vaguely hippie-sounding “open-source community.”

James Jarvie, IT manager of the Central Scotland Police, said the £245,000 ($380,000) they saved on licensing fees with StarOffice paid for more police on the streets. Councils in Aberdeen and Penwrith have embraced it, and the British Office of Government Finance has now endorsed it, along with Office and Lotus’s SmartSuite.

“Unless Microsoft makes significant concessions in its new Office licensing policies,” Gartner Inc. said in a research report, “StarOffice will gain at least 10 percent market share at the expense of Microsoft Office by year-end 2004.”

To stand a chance, an operating system must provide applications that allow users to seamlessly edit and exchange documents with others (which often means “with Microsoft Office users”). StarOffice is about 95 percent compatible with Microsoft Office (macros don’t translate, but for everyday files it is more than adequate). It runs on Windows, Linux and Solaris, and since the user interface looks identical on Windows and Linux desktops, a major changeover for users would be easier.

“Running StarOffice on Windows,” said MandrakeSoft’s chief executive, Jacques Le Marois, “is almost always a strategic migration choice.”

Martijn Dekkers, chief enterprise architect for the prime minister’s office in Malta, agrees.

“The key barrier,” Dekkers said, “is office suites and collaborative tools like e-mail and Web browsers. Interface similarities ease transitions between different operating systems.”

Ten months ago, Malta began investigating the culture and benefits of open-source. Where big software vendors claim that open-source is unreliable, unsupported and untrustworthy, open-sourcers assert that its products are the solutions to the world’s ills. The truth is perhaps neither, but on the issue of support, Dekkers found open-source viable.

“We have found,” Dekkers said, “that one of the major issues put forward – no support and no accountability – is false.

“Small and large open-source vendors offer support which is equal to or better than support from main commercial developers.”

While large organizations typically take a long time to weigh such issues, some smaller businesses in Europe are switching to SuSE and MandrakeSoft for their desktops.

Last year, SuSE implemented its SmartClient architecture on Linux for Debeka-Gruppe, a German insurance and financial services group.

More than 3,000 workstations in 230 German locations are administered from its corporate headquarters in Koblenz. Where governments deal with issues of open-source culture and monopoly-busting, small companies indicate three main reasons for taking the plunge: reliability, security and cost.

“I switched,” said Mervyn Cottenden, an Essex accountant who runs two MandrakeSoft Linux machines, “because Windows is unreliable. I can’t afford to lose a client’s work because a machine goes down in the middle of a job.”