Archive | Technology

Partial Bibliography

I’ve written a whole lot of stuff. At some point I made a partial bibliography of the technology stuff.

Cyber Crime

Gragido, W; Molina, D; Pirc, J; Selby, N (2012) Blackhatonomics: An Inside Look At The Economics of Cybercrime Syngress, Boston.

Data Loss Prevention

Selby, Nick. 2008. Mind The Data Gap. New York: The 451 Group. Print.

Selby, N. 2009. [Online] Safend, building out its DLP portfolio, updates Encryptor. New York: The 451 Group. 5 Jun 09.

Selby, N. 2009. [Online] GuardianEdge, with 60% bookings growth, approaches a turning point. New York: The 451 Group. 8 May 09.

Selby, N. 2009. [Online] Fidelis announces XPS 5.2 with scanning within local network, and a granted US patent. New York: The 451 Group. 22 Jan 09.

Selby, N. 2009. [Online] Unmitigated chutzpah or the next big thing? BitArmor guarantees against breach. New York: The 451 Group. 21 Jan 09.

Selby, N. 2009. [Online] CA swoops in on Orchestria to connect the dots between data and identity. New York: The 451 Group. 6 Jan 09.

Selby, N. 2008. [Online] Not to be outdone by EMC/Microsoft, McAfee and Liquid Machines join forces in DLP/IRM. New York: The 451 Group. 11 Dec 08.

Selby, N. 2008. [Online] Microsoft licenses EMC data classification kit for Active Directory Rights Management. New York: The 451 Group. 5 Dec 08.

Selby, N. 2008. [Online] Code Green launches TrueDLP, an enterprise-class anti-data-leakage offering. New York: The 451 Group. 7 Nov 08.

Selby, N. 2008. [Online] McAfee takes out Reconnex in a $46m deal that can set the DLP-acquisition bar low. New York: The 451 Group. 31 Jul 08.

Selby, N. 2008. [Online] With good income and a pocket full of euros, Utimaco is going shopping. New York: The 451 Group. 10 Jul 08.

Selby, N. 2008. [Online] Dan Geer becomes In-Q-Tel’s CISO, will continue as Verdasys’ chief scientist emeritus. New York: The 451 Group. 29 May 08.

Selby, N. 2008. [Online] Fidelis and Verdasys team for agent- and network-based anti-data-leakage. New York: The 451 Group. 5 May 08.

Selby, N. 2008. [Online] Varonis expands its flavor of data governance to Unix systems. New York: The 451 Group. 29 Feb 08.

Selby, N. 2008. [Online] Vericept quietly builds out anti-data-leakage business after management restart. New York: The 451 Group. 4 Jan 08.

Selby, N. 2008. [Online] Orchestria evolves into full-blown hybrid anti-data-leakage tool. New York: The 451 Group. 16 Jan 08.

Selby, N. 2008. [Online] After the story leaks, RSA acknowledges. New York: The 451 Group. 8 Jan 08.

Selby, N. 2007. [Online] Symantec and Vontu finally tie the knot for $350m; who’s next to go in ADL?. New York: The 451 Group. 5 Nov 07.

Selby, N. 2007. [Online] Trend Micro continues ADL consolidation, takes out itsy-bitsy Provilla. New York: The 451 Group. 25 Oct 07.

Selby, N. 2007. [Online] Code Green Networks saws off the shotgun for bigger spread at its sweet spot. New York: The 451 Group. 10 Oct 07.

Selby, N. 2007. [Online] Raytheon could tell you what it paid for Oakley, but then it would have to kill you. New York: The 451 Group. 25 Sep 07.

Selby, N. 2007. [Online] EMC’s RSA moves to fill anti-data-leakage gap with purchase of Tablus. New York: The 451 Group. 9 Aug 07.

Selby, N. 2007. [Online] After years of mostly organic growth, endpoint security firm GFI takes on North America. New York: The 451 Group. 25 Jul 07.

Selby, N. 2007. [Online] Check Point’s Pointsec earns FIPS 140-2 certification for Protector, crypto module. New York: The 451 Group. 17 Jul 07.

Selby, N. 2007. [Online] Data leakage: technical or HR problem? 42 vendors think they know the answer. New York: The 451 Group. 2 Jul 07.

Selby, N. 2007. [Online] Fidelis 4.0 expands management console workflow and adds a Milter-based mail agent. New York: The 451 Group. 28 Jun 07.

Selby, N. 2007. [Online] Safend, nearing breakeven, considers a funding round in 2008 and announces Lenovo deal. New York: The 451 Group. 22 Jun 07.

Selby, N. 2007. [Online] PatchLink goes serial with acquisition of whitelisting vendor SecureWave. New York: The 451 Group. 22 Jun 07.

Selby, N. 2007. [Online] Websense, expanding its data-leakage offering, takes out SurfControl for $400m. New York: The 451 Group. 4 May 07.

Selby, N. 2007. [Online] Chronicle’s ADL ties users to documents. New York: The 451 Group. 3 May 07.

Selby, N. 2007. [Online] Check Point earnings off 25%, but acquisitions and R&D in hot spaces show promise. New York: The 451 Group. 27 Apr 07.

Selby, N. 2007. [Online] Bluefire announces Symantec OEM deal; may seek strategic funding in 2007. New York: The 451 Group. 23 Jan 07.

Selby, N. 2007. [Online] Anti-data-leakage vendor Tablus inks VeriSign PCI deal. New York: The 451 Group. 22 Feb 07.

Selby, N. 2007. [Online] McAfee launches anti-data-leakage product based on Onigma acquisition. New York: The 451 Group. 16 Feb 07.

Selby, N. 2007. [Online] DB security vendor Imperva releases Scuba, a free database vulnerability scanner. New York: The 451 Group. 6 Feb 07.

Selby, N. 2007. [Online] On the back of strong growth, anti-data-leakage vendor Vontu adds an endpoint agent. New York: The 451 Group. 31 Jan 07.

Selby, N. 2007. [Online] Guardium updates core modules, launches Change AuditGuard. New York: The 451 Group. 26 Jan 07.

Selby, N. 2007. [Online] Verdasys bolsters its application monitoring capabilities. New York: The 451 Group. 16 Jan 07.

Selby, N. 2007. [Online] Websense solidifies its ADL play with $90m PortAuthority swoop. New York: The 451 Group. 5 Jan 07.

Selby, N. 2006. [Online] Like McAfee, Symantec will address data leakage through acquisition. New York: The 451 Group. 27 Oct 06.

Selby, N. 2006. [Online] McAfee fires president, and CEO quits, then it buys ADL vendor Onigma for $20m. New York: The 451 Group. 20 Oct 06.

Selby, N. 2006. [Online] Reconnex, emerging from shakeup, prepares for a relaunch. New York: The 451 Group. 8 Sep 06.

Selby, N. 2006. [Online] SanDisk buys msystems for $1.5bn, boosting its position in NAND flash market. New York: The 451 Group. 4 Aug 06.


Selby, N. 2005. [Online] M-Systems’ Xkey Shield provides USB media security management. New York: The 451 Group. 23 Nov 05.


Penetration Testing and Vulnerability Analysis

Crawford, S. and Selby, N. 2010. [Online] It92s the Adversaries who are Advanced and Persistent. ThreatPost. January 26, 2010. [Available:]

Selby, N. 2009. [Online] The Penetration Testing Marketplace in 2010. ThreatPost. December 1, 2009. [Available:]

Selby, N. 2009. [Online] Reloading Risk Back Onto The Utilities. November 26, 2009. [Available:]

Selby, N. 2009. [Online] Losing the Echo Chamber in the Critical Infrastructure Security Debate. ThreatPost. November 18, 2009. [Available:]

Naraine, R & Selby, N. 2009. [Online, multimedia] Trident Risk Management’s Nick Selby on Metasploit and Rapid7. The Big Story podcast with Ryan Naraine, ThreatPost. October 22, 2009 [Available:]

Selby, Nick. 2008. Mind The Data Gap. The 451 Security Quarterly New York: The 451 Group. Print.

Selby, Nick. 2007. Sector View: Current Security Trends and Developments. The 451 Security Quarterly New York: The 451 Group. Print.

Selby, Nick. 2009. [Online] Immunity’s Canvas releases Cloudburst, allowing breakout from guest OS. New York: The 451 Group. 6/4/2009.

— 2009. [Online] Immunity, growing fast and profitably, expands reach through partnerships. New York: The 451 Group. 3/19/2009.

— 2009. [Online] Core Security, with Impact at version 8 and customers above 800, hits its stride. New York: The 451 Group. 2/6/2009.

— 2009. [Online] With a longer runway than it expected, Cenzic hits rotation speed. New York: The 451 Group. 2/3/2009.

— 2008. [Online] With new funding, Palamida moves toward vulnerabilities in open source code. New York: The 451 Group. 12/5/2008.

— 2008. [Online] nCircle updates its approach with Suite360 and a Web app scanner. New York: The 451 Group. 11/20/2008.

— 2008. [Online] WhiteHat builds out cross marketing with F5 and expands training. New York: The 451 Group. 11/7/2008.

— 2008. [Online] Core, claiming profits, hires former Sophos North America president as new CEO. New York: The 451 Group. 3/12/2008.

— 2008. [Online] Mu Security’s gains in SCADA, network equipment manufacturing push it past fuzzing. New York: The 451 Group. 3/6/2008.

— 2007. [Online] WhiteHat Security, reporting significant growth, doubles headcount. New York: The 451 Group. 12/10/2007.

— 2007. [Online] Core’s Impact 7.5 and Grasp focus on Web application security. New York: The 451 Group. 10/16/2007.

— 2007. [Online] Legal settlement forces Cenzic and HP (SPI) to play nice and share. New York: The 451 Group. 10/3/2007.

— 2007. [Online] Cenzic looks to mold itself into an acquisition target, starting with Hailstorm 5.0. New York: The 451 Group. 7/19/2007.

— 2007. [Online] Core Security loses flash and substance 96 CEO and product manager 96 in shakeup. New York: The 451 Group. 7/18/2007.

— 2007. [Online] Gleg acquires Argeniss’ zero-day exploit update pack. New York: The 451 Group. 7/12/2007.

— 2007. [Online] HP takes out SPI Dynamics in latest Web application security acquisition. New York: The 451 Group. 6/22/2007.

— 2007. [Online] IBM buys Watchfire, brings Web application penetration testing to the Rational line. New York: The 451 Group. 6/8/2007.

— 2007. [Online] Profitable SPI Dynamics launches Phoenix and WebInspect 7.0. New York: The 451 Group. 2/1/2007.

— 2007. [Online] Sabre Security, with a 80100,000 tech prize, expands BinNavi and VXClass. New York: The 451 Group. 1/18/2007.

— 2007. [Online] Profitable Watchfire releases AppScan Reporting Console and AppScan 7.0. New York: The 451 Group. 1/9/2007.

— 2007. [Online] Core 6.2 adds enhanced encryption, authentication and shell access to exploited hosts. New York: The 451 Group. ½/2007.

— 2006. [Online] Metasploit completes license change, updates pen-test platform. New York: The 451 Group. 8/2/2006.

— 2006. [Online] Immunity integrates Spike, launches VisualSploit and builds out its partner program. New York: The 451 Group. 7/21/2006.

— 2006. [Online] Beyond Security launches beStorm vulnerability assessment software. New York: The 451 Group. 4/17/2006.

— 2006. [Online] Emerging from stealth, Mu Security launches a commercial-grade fuzzing appliance. New York: The 451 Group. 4/5/2006.

— 2005. [Online] Cenzic releases version 3.0 of its Hailstorm Web application pen tester. New York: The 451 Group. 12/15/2005.

— 2005. [Online] Immunity takes an open source approach to penetration testing. New York: The 451 Group. 11/30/2005.

— 2005. [Online] Core Security’s Impact brings pen testing in-house to network admins. New York: The 451 Group. 11/29/2005.

Security Information and Event Management

Selby, N (2009) Enterprise Security Information Management. New York: The 451 Group.

Selby, N (2006) ESIM: Security Information Management Moves Upstream. New York: The 451 Group.

Selby, N. (June 10, 2009) [Online]. Decurity, with some flagship accounts under its belt, branches out. New York: The 451 Group

— (June 4, 2009) [Online]. Vigilant launches Fulcrum, a config library to scale its ESIM deployment chops. New York: The 451 Group

— (June 2, 2009) [Online]. LogLogic extends its series D by $8.8m, bringing total raised to $58.8m. New York: The 451 Group

— (June 1, 2009) [Online]. ArcSight launches ArcSight Express and announces a Cisco partnership. New York: The 451 Group

— (May 1, 2009) [Online]. New trends in enterprise security information management, 05/01/09. New York: The 451 Group

— (April 22, 2009) [Online]. LogLogic buys Exaprotect to shore up its total ESIM/log management story. New York: The 451 Group

— (March 13, 2009) [Online]. RSA’s enVision 4.0 targets smarter sourcing of event data and better reporting. New York: The 451 Group

— (March 5, 2009) [Online]. ArcSight nails another quarter 96 has it yet felt the pain of recession?. New York: The 451 Group

— (February 17, 2009) [Online]. LogLogic and Exaprotect join forces for converged ESIM and log management. New York: The 451 Group

— (February 17, 2009) [Online]. netForensics buys High Tower assets. New York: The 451 Group

— (January 23, 2009) [Online]. ESIM vendor eIQnetworks closes $10m series A funding from Venrock. New York: The 451 Group

— (December 12, 2008) [Online]. With one hand firmly gripping its BatBelt, Splunk markets to the C-level. New York: The 451 Group

— (December 9, 2008) [Online]. ArcSight hits profitability and positive cash flow 96 now to keep it up. New York: The 451 Group

— (November 14, 2008) [Online]. Q1 Labs, extending upselling success of SLIM, launches QRadar SLIM-Free Edition. New York: The 451 Group

— (November 7, 2008) [Online]. ArcSight Logger 3 captures faster, reports better and increases onboard storage. New York: The 451 Group

— (September 23, 2008) [Online]. eIQnetworks hires a new president, fires channel and a low-cost product line. New York: The 451 Group

— (July 30, 2008) [Online]. Government hunting is so happy for Tier-3 that it’s breaking out its product lines. New York: The 451 Group

— (July 11, 2008) [Online]. Inspekt Security launches behavioral and security event analysis service. New York: The 451 Group

— (June 10, 2008) [Online]. Mazu can see clearly now; 8.1 targets network ops as much as security. New York: The 451 Group

— (April 7, 2008) [Online]. EMC and RSA integrate enVision and VoyenceControl. New York: The 451 Group

— (February 6, 2008) [Online]. Alert Logic, in new Houston digs, launches on-demand grid-hosted log management. New York: The 451 Group

— (January 30, 2008) [Online]. eIQnetworks, stepping up its competitive heat, launches SecureVue appliance. New York: The 451 Group

— (January 28, 2008) [Online]. In an aggressive counter to Cisco, Q1 Labs cuts OEM deals with Nortel and Juniper. New York: The 451 Group

— (December 17, 2007) [Online]. Extending its Logger functionality, ArcSight launches Log Management Suite. New York: The 451 Group

— (December 6, 2007) [Online]. TriGeo launches Splunk integration, adds more PCI punch to its SEM. New York: The 451 Group

— (November 27, 2007) [Online]. Mazu Networks continues NOC-SOC intermediary push with Profiler 8. New York: The 451 Group

— (November 14, 2007) [Online]. To make a huge managed security play, what will Cisco buy?, 11/14/07. New York: The 451 Group

— (November 12, 2007) [Online]. eIQnetworks launches SecureVue 3.0, adding flow and GRC to its enterprise ESIM. New York: The 451 Group

— (November 5, 2007) [Online]. Q1 Labs’ SLIM gets log management foot in the door, then goes for ESIM gusto. New York: The 451 Group

— (October 1, 2007) [Online]. ArcSight’s latest feature-based upgrade targets PCI monitoring. New York: The 451 Group

— (September 13, 2007) [Online]. After hinting for three years, ArcSight files for an IPO; uh, does it earn money?, 09/13/07. New York: The 451 Group

— (September 12, 2007) [Online]. ArcSight’s S-1 reveals big revenue, persistent losses and a compliance ding. New York: The 451 Group

— (June 28, 2007) [Online]. With Solsoft integration nearly complete, Paris-based Exaprotect moves west, 06/28/07. New York: The 451 Group

— (June 26, 2007) [Online]. With network operations in mind, Mazu Networks and eIQnetworks partner. New York: The 451 Group

— (June 7, 2007) [Online]. eIQnetworks announces SecureVue 2.5 and licensing deal with Huawei-3Com. New York: The 451 Group

— (June 4, 2007) [Online]. Tier-3’s ESIM and anomaly detection targets network threats and fraud. New York: The 451 Group

— (May 25, 2007) [Online]. Clavister adds ESIM to its unified threat management platform. New York: The 451 Group

— (May 21, 2007) [Online]. With 4.0, ArcSight hopes ESM will move toward enterprise-wide relevance. New York: The 451 Group

— (May 15, 2007) [Online]. Seeking to widen its appeal outside security, LogLogic announces new features. New York: The 451 Group

— (April 12, 2007) [Online]. With new partners and management, SenSage raises $5m in series D funding. New York: The 451 Group

— (February 12, 2007) [Online]. TriGeo’s 4.0 combines network anomaly detection and service management. New York: The 451 Group

— (February 8, 2007) [Online]. eIQnetworks releases SecureVue, an aggressive up-stack move toward ITSM. New York: The 451 Group

— (December 8, 2006) [Online]. IBM buys Consul Risk Management to extend Tivoli Security Operations Manager. New York: The 451 Group

— (December 8, 2006) [Online]. Seven months on, Novell readies the next generation of e-Security ESIM, 12/08/06. New York: The 451 Group

— (December 4, 2006) [Online]. ArcSight moves the goalposts with Logger and Network Configuration Manager. New York: The 451 Group

— (November 27, 2006) [Online]. Intellitactics shifts from pure security to ESIM-based risk metrics. New York: The 451 Group

— (November 21, 2006) [Online]. Cambia and ArcSight play key security roles in HP-Mercury’s Universal CMDB. New York: The 451 Group

— (October 24, 2006) [Online]. LogRhythm 96 lean, mean and bootstrapped 96 takes new angel money, rolls out 3.5. New York: The 451 Group

— (October 18, 2006) [Online]. NitroSecurity plans new funding, prepares to launch NBAD/IPS/ESIM hybrid. New York: The 451 Group

— (October 13, 2006) [Online]. ExaProtect and Solsoft in an ‘acquisition by merger’. New York: The 451 Group

— (September 29, 2006) [Online]. SenSage-EMC deal brings SenSage from security into a new world of data management. New York: The 451 Group

— (September 28, 2006) [Online]. Consul morphs log collection and mining into a policy management play. New York: The 451 Group

— (September 25, 2006) [Online]. Q1 Labs upgrades device discovery, improves its UI and expands its channel. New York: The 451 Group

— (September 22, 2006) [Online]. EMC, its RSA buy approved, adds Network Intelligence for $175m. New York: The 451 Group

— (September 18, 2006) [Online]. EMC gets RSA shareholder nod, buys Network Intelligence for $175m. New York: The 451 Group

— (September 14, 2006) [Online]. TriGeo adds features, doubles customer count; can it keep that small-town charm?. New York: The 451 Group

— (September 12, 2006) [Online]. ArcSight releases ITP to bolster insider-threat claims, proposes CEF standard. New York: The 451 Group

— (August 25, 2006) [Online]. Will HP extend OpenView and OpenCall functionality into ESIM through M&A?, 08/25/06. New York: The 451 Group

— (August 18, 2006) [Online]. ArcSight launches Network Response Manager, extending reach into infrastructure. New York: The 451 Group

— (July 25, 2006) [Online]. With ESA 2.5, eIQnetworks is latest ESIM vendor to scrap relational databases. New York: The 451 Group

— (July 13, 2006) [Online]. Securify adds identity correlation and predefined rules to version 5.2. New York: The 451 Group

— (July 6, 2006) [Online]. Symantec shuns relational database event storage in its security event manager. New York: The 451 Group

— (June 26, 2006) [Online]. Claiming sales and product momentum, PatchLink looks for more partners. New York: The 451 Group

— (May 26, 2006) [Online]. ArcSight buys configuration and quarantine vendor Enira Technologies. New York: The 451 Group

— (May 11, 2006) [Online]. Self-funded LogRhythm releases version 3.0, then cautiously considers external funding. New York: The 451 Group

— (April 28, 2006) [Online]. AttachmateWRQ acquires NetIQ for $495m. New York: The 451 Group

— (April 21, 2006) [Online]. Novell buys e-Security to integrate identity management and security management. New York: The 451 Group

— (April 11, 2006) [Online]. Security information management approaches a fork in the road, 04/11/06. New York: The 451 Group

— (March 24, 2006) [Online]. Mazu claims new partners and doubled revenue. Is it next on Symantec’s hit list?) [Online]. TDM Target IQ, 03/24/06. New York: The 451 Group

— (March 22, 2006) [Online]. Splunk ventures into the cavernous maw of enterprise log data. New York: The 451 Group

— (March 13, 2006) [Online]. Q1 Labs plans out-of-the-box interoperability with Packeteer. New York: The 451 Group

— (February 6, 2006) [Online]. LogLogic releases version 3.2, beefs up compliance reporting. New York: The 451 Group

— (February 3, 2006) [Online]. ArcSight looks for NBAD, end-point configuration and policy management functions, 02/03/06. New York: The 451 Group

— (January 30, 2006) [Online]. ArcSight homes in on compliance-insight marketing. New York: The 451 Group

— (December 19, 2005) [Online]. eIQnetworks brings high-volume, low-cost ESIM to the enterprise masses. New York: The 451 Group

— (November 14, 2005) [Online]. Q1 Labs targets midrange enterprises with QRadar 5.0 release. New York: The 451 Group

— (November 11, 2005) [Online]. Intellitactics emphasizes executive reporting and horizontal scalability. New York: The 451 Group

— (November 10, 2005) [Online]. e-Security hones its workflow integration and event enrichment for ESIM. New York: The 451 Group

— (November 1, 2005) [Online]. Network Intelligence repositions and targets ESIM big game. New York: The 451 Group

— (October 28, 2005) [Online]. TriGeo happily targets low end and midrange of ESIM market. New York: The 451 Group

— (October 27, 2005) [Online]. SenSage emphasizes security event analytics over incident response. New York: The 451 Group

— (October 19, 2005) [Online]. With version 3.5, ArcSight targets insider threats, subtle attacks… and an IPO?. New York: The 451 Group

In-Q-Tel as Cyber Security Tsar? Weirder Things Have Happened

ed_harris[This is the second of a two-part blogpost that originally appeared in Plausible Deniability, the blog of the enterprise security practice at The 451 Group. I wrote it in August, 2008.]

Last Friday I began to discuss In-Q-Tel and its investment in Veracode, and went a little into IQT’s investment strategy. As we said, IQT exists to determine an answer the question, ‘Is it possible to solve [problem set here]?’. If the answer is, ‘yes’, IQT’s job is to identify fiscally viable, practically capable, innovative private organizations which might be able to solve the problem at hand.

We also said that the political winds in Washington were shifting like Dick Nixon’s eyes during a bad news briefing.

Among the key problems I think IQT is now looking at is the oft-lamented fact that the US has no cogent strategy to deal with cyberwarfare, no leadership on the issue (in fact the issues surrounding this are so complex it’s hard to find anything people don’t want to talk about more. Simultaneously, political winds are blowing funds in the form of budget dollars from many places (including my wallet) towards the white tower that is the Office of the Director of National Intelligence.

It is said that the CIA under George Tenet somehow recognized that private industry was surpassing government talent in the field of technological innovation. Is it possible that the CIA was prescient enough to recognize over the past few years that its budgetary influence was waning and that to re-increase its stature in the intelligence community it would need to get really geeky about cyber-warfare and get itself some really cool kit?

The CIA? Prescient? It’s become so hip to make the CIA the butt of jokes recently that people forget (this is a technological, not a political, discussion) just how much seriously cool stuff it has done.

In his 2002 review of The Bourne Identity, the New York Times’ A.O. Scott wrote that,

The movie … trots out a quaint view of the C.I.A. as not only bottomlessly malevolent, but also endlessly and terrifyingly competent. Shortly after they see Marie’s image on a security camera satellite feed, the folks at Langley are in possession of her entire life history, and they are able to track her movements across Europe with a few clicks of the mouse. This is inadvertently hilarious in light of recent news reports. If Marie had only thought to disguise herself as an international terrorist, she might never have attracted the agency’s notice in the first place.

Well, IQT itself has been a monster success. Its investments are absolutely classic examples of how to do it right: tons of due diligence, heaps of knowledgeable people asking sensible questions about the technology, the leadership of the innovative company-prospect. That they don’t make large investments (generally they’re capped at $3m) or take an equity position is a question of taste, or style, or, you know, propaganda value. But the investments are made in the form of, essentially, non-recurring engineering fees to make something wicked-cool out of something more pedestrian, and come complete with a promise to buy a bunch of it if it works out right.

But back to cyberwarfare.

If our current policies and the reality of the US’ digital security stance is any indication, policy makers would rather read tax code than infosec material – hell, even I’m reading a book on tax code, and I think this security stuff is a gas.

You take a look at something like H. R. 130, the Smarter Funding for All of America’s Homeland Security Act of 2007, whose dense prose mentions the word ‘cyber’ a total of once, and you wonder. I digress.).

We wrote in this blog back in April about Aaron Turner & Michael Assante’s excellent article in CSO Magazine, in which they compare and contrast the response in the 18th century by the United States to pirates on the high seas with today’s federal response to Internet crime. (read Turner’s prescient testimony to the House Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity, Science and technology here).

In that blog post we also mentioned that, back in 2004 MIT Technology Review published a terrific piece by Eric Hellweg, Cyber Security’s Cassandra Syndrome which discussed the stalled and possibly addle-headed Bush administration approach to the problem of leadership of the effort to protect the nation’s computing infrastructure.

The problem, Hellweg argued, was that you couldn’t get the right people to do the job of protecting the nation’s critical infrastructure (which is basically our government’s ability to use computers and the Internet) because, well, it’s impossible. You can’t get anyone to take all the responsibility while having none of the authority to do what’s necessary. The fact of the matter is that it’s not defense against being attacked, it’s long since devolved to the point that our government should be asking itself, to paraphrase Ed Harris playing Gene Kranz in Apollo 13, ‘Whadda we got in this country’s critical infrastructure that’s good?’

More specifically, how badly are we already owned by foreign nation-states and commercial entities, and how can we look at ways to fix that? Then we can start talking about ways to have ‘Smarter Funding for All of America’s Homeland Security’.

So: IQT as savior? Are Darby and Geer (who raised some fascinating and common sense points on security metrics in his testimony before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology last year) and the infosec team at IQT the stand-in Cyber tsars by forfeit?

Well, there’s an argument for it. Geer (and Assante, by the way) sits on The Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency, which is working to develop recommendations for a comprehensive strategy to improve cybersecurity in federal systems and in critical infrastructure. So do a lot of other really smart people. But as several of them have admitted, the danger is that the need to reach high level consensus will lead to watered-down pablum despite the best intentions of a truly smart group of people.

It’s Washington. It’s almost inevitable. Don’t get me wrong: some great ideas will come out of the CSIS deliberations. Our biggest fear is that politics will pare down the final recommendations to be on par with ‘Don’t-click-on-attachments, wear-mittens, study-hard-caliber advice.

A look at the political climate in Washington, especially that surrounding the intelligence community, shows that the winds are being shifted by a Bush administration miffed at…Well, who knows.

The unclassified Annual Threat Assessment of the Director of National Intelligence from this past February had this to say about Cyber warfare:

The US information infrastructure — including telecommunications and computer networks and systems, and the data that reside on them — is critical to virtually every aspect of modern life. Therefore, threats to our IT infrastructure are an important focus of the Intelligence Community. As government, private sector, and personal activities continue to move to networked operations, as our digital systems add ever more capabilities, as wireless systems become even more ubiquitous, and as the design, manufacture, and service of information technology has moved overseas, our vulnerabilities will continue to grow.

In an Op-Ed piece in The Wall St Journal this past April by DNI Mike McConnell and House Intelligence Committee sub-committee chair Anna G. Eshoo, they talked about responsible domestic surveillance:

If we are going to ask our intelligence agencies to help defend our country, we need to carefully construct policies that give them access to this information when necessary, and protect the rights of Americans. The National Security Agency, for example, is governed by strict rules that protect the information of U.S. citizens. It must apply protections to all of its foreign surveillance activities, regardless of the source. As we add new authorities and programs to secure our country, we must ensure appropriate safeguards and protections to secure our liberties. We must maintain the balance between safety and freedom.

And then pooh-poohed technology…

Too often, our country has invested in dazzling new technology as the solution to our intelligence woes. Technology is vitally important. But a computer is only as good as the person who programs it. No piece of technology can substitute human judgment. A computer — even one that costs millions — cannot recruit a spy.

Meanwhile, Joe Lieberman (IND-CT) and Susan Collins (R-ME) are asking good questions that are worth reading. If you’re up for it, answers to those questions are in a letter (that inadvertently serves to highlight the marvels of redaction.

We, like you, can only speculate about what the CIA will do with Veracode’s technology, but I would be willing to bet it has something to do with finding weaknesses in code. Which is quite useful stuff, if it works. I bet there’s more where it came from, and I bet IQT will be and is looking at other infosec investments.

And with regards to Cyber warfare, we would say that, at the very least, IQT and its staffers are raising the level of discourse about the problems faced by the US – or at least by the CIA.

IQT turns to old school shaking-and-breaking with Veracode investment

Ernie8Salesman(Written August 14th, 2008 as part I of a two-part post for Plausible Deniability, the blog of The 451 Group’s Enterprise Security Practice. Read Part II here)

In late July, binary code analysis-as-a-service provider Veracode announced that it had received an investment from In-Q-Tel, the not-for-profit that serves as the venture arm of the Central Intelligence Agency.

This is a two part blog about IQT, its investment in Veracode (and what I think is IQT’s future), and then how IQT and the CIA intend to compete in an intelligence community atmosphere whose political winds are shifting like Dick Nixon’s eyes at a tough press briefing. To be fair, whether Veracode works or not, in fact the specifics of the Veracode investment are less interesting to us than the apparent shift in investment strategy at IQT.

Many people sort of wink knowingly when they hear about IQT, but don’t really have a sense of what the thing does, or in fact, its successes to date. The interesting thing, which we will go into in a bit, is that for the most part, IQT – which sounds really spooky and security-ish, has invested in hugely successful companies that could not be less directly related to information security.

Like OpGen, which does single molecule DNA analysis technology to identify and analyze microorganisms. The closest it gets to something like IPS is, well, IPS, or Infinite Power Solutions, which makes thin-film energy storage devices for microelectronics. It’s not like it’s a bunch of guys dressed like Lefty skulking around corridors in Silicon Valley saying, “Psssst! Hey Bud…Wanna take some NRE money?”

IQT exists to determine an answer the question, ‘Is it possible to solve [problem set here]?’. If the answer is, ‘yes’, IQTE’s job is to identify fiscally viable, practically capable, innovative private organizations which might be able to solve the problem at hand. By providing availability to these technologies, often by repurposing existing ones to accomplish things outside thre scope of their original design, IQT will increase the capabilities of its main customer, the CIA.

So going out on a long, unsupported limb, we think that the Veracode investment is the first in what will be a string of more traditional infosec investments, especially in the areas of digital identity and access control technologies addressing the concepts of digital persona. And we think that this is being driven in part by a several-years’ long political climate change that has led money and influence away from the CIA.

More on that next week.

By the way, IQT has not spoken to me about this issue other than typically flacky guff about the Veracode investment, to wit:

“…We have relatively recently expanded our internal organization in terms of the technology practice, derived from the specific problems we see; we spend lots of time examining not just the technical capabilities but the company itself. Our selection of Veracode speaks for itself; as a strategic investment firm it’s there to meet a strategy.” Blah, blah, blah [blah, blah, blah added].

IQT is, intriguingly, a 501(c)(3) not-for-profit organization, meaning, I suppose, that donations to it are tax deductible. I’ll try to donate fifty bucks and blog about how that works out, and what kind of newsletter I get for it.

Its activities are unclassified, and the company only deals with open source (in the spook sense, not the licensing sense) stuff.

Corona_spysat_camera_systemThere are some fascinating documents available on the CIA’s website about IQT’s history and on IQT’s website about the organization and how it has been operated, especially including a report excoriating the handwringing at the CIA as it tried to get past its, ‘Private sector? Pah! We made CORONA! We can read the gender of a newt from nine miles in space!’ attitude.

In the past, this has often not been a case of information security in a standard sense of the phrase. Still, the perception of IQT as a ‘security’ investor remains.

When the investment in Veracode was announced, many felt that it was par for the course – code analysis, security, CIA… All goes hand in hand.

Except that for most of its nearly ten year history, IQT has been anything but an investor in information security companies. Sure, since its inception it’s made investments in lots of things that seem cloak and dagger. Keyhole, the satellite imagery and 3-D Earth visualization company, was an early investment (in 2003 my accountant, reviewing my expenses, saw a credit card charge to ‘Keyhole’ and asked me if I was trying to write off a visit to a strip club); it ended up becoming Google Earth.

Many other investments are in areas like zoom lens development, chemical analysis tools, entity extraction and semantic analysis stuff. An analysis of the investments that the, uh, firm, has made since its inception under the George Tenet-led CIA of 1998 shows that most of the investments are of the build-a-cooler-mousetrap variety for things that seem decidedly bookish.

Of its 76 investments, IQT has made ten in what I would consider to be classic infosec investments. The other 66 investments have been spread across IQT’s other practice areas: Application Software and Analytics, Bio, Nano, and Chemical Technologies, Communications and Infrastructure and Embedded Systems and Power.

In-Q-Tel’s Digital Identity and Security group invests and seeks technologies in the truly hot if not downright sexy areas of identity management and access control as well as risk analysis capabilities, system design and analysis tools and policy definition and management. The investments have been:

  • 3VR Security (wicked-cool video facial recognition, like, ‘Show me where this guy has been on every camera you have’ kind of recognition – you have to watch the demo);
  • A4Vision (facial biometric and camera tracking systems technology acquired in January 2007 by BioScrypt, which itself was acquired in January, 2008 for $44.3m by L-1 Identity Solutions, Inc;
  • ArcSight (the enterprise security information management vendor which has since, of course, gone public and whose stock has recently recovered from elephant-tranquilizer-territory);
  • PKI and ID infrastructure vendor CoreStreet;
  • Encryption vendor Decru (bought by Network Appliance, Inc for $272.1m in June, 2005);
  • Master data management vendor Initiate Systems (whose $26m series F round takes total funding to about $61m);
  • Awesome-cool ‘where’s-that-RF-device?’ vendor Network Chemistry, which sold its security assets to Aruba in July 2007 and got waaaay pissed off with us when we priced that deal at $3m;
  • SRD Software (if you thought RSA’s Verid is spooky you should talk to these guys; it was acquired in January, 2005 by IBM for $69m);
  • and, of course, Veracode.

But the Veracode investment is interesting. The core technology of Veracode’s on-demand service was developed in 2002 at @stake, the pen testing and assessment firm acquired for $49m by Symantec in April, 2004. Want to know what’s also interesting? IQT President and CEO Chris Darby was Chairman and CEO of @stake. And the Veracode investment comes three months after the appointment by IQT of Dan Geer as its Chief Information Security Officer.

Now, Geer is a plain-spoken star in the security world. He was CTO at @stake (and a gazillion banks) before a much celebrated and reviled paper declaring that Microsoft was a national security threat hastened his departure; to quote another former @Staker, ‘It’s hard not to suck deep, deep down when you are Microsoft Windows’). Geer has also worked at Verdasys and on a host of other projects and organizations (more on him and some of those other projects tomorrow).

Based on what I know of IQT and of Geer (IE’ve never met Darby but I think Geer is a truly honorable guy), I don’t believe that there is much connection that Geer is on the board of Veracode and the IQT investment in Veracode. We understand that IQT has actual conflict-of-interest firewalls that are taken seriously by the firm, so we don’t believe Geer would have been involved in the investment decision on the IQT side). I am much more willing to believe, based on IQT’s investment history and the people involved that these guys simply knew that the stuff was out there to meet the specific requirements that were presented, and that Darby and Geer would naturally have said, ‘Oh yeah, that stuff – you wanna talk to the guys at Veracode.’ As I said, maybe I am being a sucker, but I think not.

For Veracode, the cachet of the investment is PR no one can buy, and the cache of having sold stuff to the CIA will be on its own enough to open doors at other government agencies (especially, one would assume, the three-letter kind). And for reasons I will get into tomorrow, I think that the statement I made earlier – that it is the first in what will prove to be a series of straight-up infosec and ID and Access management-related investments – will prove true.

Part II

Location Based Services: A Primer

[This article was jointly written with Rick Mitchell]

One of the hottest buzz terms these days [2000] is “location-based services” – products that can serve up extremely localized content to mobile phone users. Let’s say you are standing on a corner in Amsterdam and punch in a request to your handset or personal digital assistant for directions to the nearest cyber cafe. The request goes to a server that combines it with your position, and sends back useful information via SMS or WAP [Told you it was 2000].

This is not a 3G phenomenon – some mobile operators have already implemented mobile positioning systems. Those operators are offering customers entirely new types of value added services based on the their location and preferences.

There are several techniques to position subscribers, but the most common one today is based on the information of the cell (sector) and a calculated distance between the subscriber and the base station. In the US, the Federal Communications Commission has mandated that operators be able to locate users to effect emergency services. In Europe, commercial ventures are poised to drive the technology every bit as hard while the EU also pushes legal restraints forward.

Depending on network topology, current operators with the GSM standard can also calculate your position, to within, say, 300 to 400 meters, or even better when combined with intelligent software. Ericsson has, for about a year now, hooked up Tommy’s, a Stockholm-based parcel delivery service, with location services that allow the company to track its trucks throughout the city.

The level of accuracy desired for useful location based services, such as a “turn-left, turn right” set of walking directions, is generally higher in urban areas than in rural ones. Similarly, emergency services like an ambulance would need less accuracy to find a car accident in the countryside (where there are few roads and a position within, say 500 meters would suffice) than in the city (where 500 meters could place an ambulance on the other side of a city block). However, legal restraints by the FCC require better emergency accuracy than 50 meters independent of whereabouts, thereby almost guaranteeing the widespread implementation of network assisted global positioning system (A-GPS), which gives location to within 10 meters.

Getting a signal Positioning techniques can be either “Terminal based” if the positioning system to some extent uses the terminal as a logical entity to calculate positioning data or “network based” where the terminal is not used as a logical node to calculate positioning data.

The network-based system of cell global identity and timing advance, or CGI-TA, is one of the broader location methods, though it has very useful applications running both in test and business systems. In the overall scheme of things, from least accurate to most are the network-based uplink time of arrival (UL-TOA), and network/terminal- fusion based techniques of Enhanced Observed Time difference (E-OTD) and A-GPS.

“Fleet management systems, using a combination of intelligent software and CGI-TA,” says Ericsson’s x Swedberg, the senior market manager for Mobile Positioning, “the application can trace a vehicle with a GSM phone. The “banana shaped’ footprint that would be created by this method is interpreted by the software, which compares movements with a map and can therefore mark very precise locations – it actually works better practically than it would seem to technically.”

A-GPS is perhaps the most reliably accurate system, giving very precise location information. The assistance comes in because GPS signals are rather weak, and the information needs boosting when users are in buildings or in streets surrounded by very tall buildings.

The whole thing is a trade-off: network-based solutions can use current handsets, giving operators 100 percent penetration of devices now. But more accurate terminal-based designs will have to wait until the terminals are actually here, rendering meaningful penetration four years away.

“It’s in the operator’s interest to make sure that they get the value from network-assisted solutions,” said Jeremy Nassau, head of wireless for Netdecisions in London, “But it could still go in several directions – you may find, for example, that GPS is good enough without the network. If the penetration gets up to reasonable levels, you’ll reach the point where you don’t need the operator anymore to provide LBSs.”

A buddy system application developed by the UK-based company iProx would even tell you if there’s a friend or relative in the vicinity that might want to dine with you and if you’ll pass an ATM on the way. A platform developed by the French company Opt[e]way would, among other things, make it possible for a taxi company to convey your location to a driver via a dashboard-mounted screen, allowing him or her to arrive at your corner within minutes, greeting you by name. A nearby department store could notify you of a sale; a bookstore could tell you that your favorite author has a new masterpiece out.

“You’ll have that 3G telephone with lovely color display and high bandwidth, and location-based services are going to enable that device to be really useful,” said Ravi Kanodia, co-founder of iProx.

These scenarios involve several distinct tasks and hardware levels, and companies are taking a multitude of approaches. In fact most LBS companies today are concentrating on B2B applications that will only eventually lead to end-user services.

“There’s a variety of players trying to get a stake in the market, but the battle is well-advanced. Most of the companies already exist,” said Paris-based Thomas Gubler, who manages the 3i Group’s wireless investments in France. He added, “I don’t see any new players getting in at the platform and infrastructure level now. It’s too advanced. Still, there will be many opportunities in this field, based on technological advances.”

Network infrastructure companies like Nortel, Nokia and Ericsson provide the basic telecom equipment. UK-based Cambridge Positioning Systems – which has a cooperation agreement with Nortel and funding from 3i Group – and the American firm SignalSoft – with $2.5 million in funding – uses signals received from operators to determine a user’s geographic position.

Iprox’s Buddy System takes this geo-positioning data, feeding it into a “correlation engine that allows you to track up to millions of users, like an air traffic control system. We can keep track of Maria and her friends all the time, and tell her when she’s close to one of them. A little like instant messaging works on the Internet.” Iprox garnered $1 million in funding through Brainspark at Tornado-Insider’s Upstart Paris conference in April.

Opt[e]way’s star product, opt[e]go TopoServer, is a platform middleware for creating end-user applications and services, aimed at telecom operators, wireless ISPs and corporate mobile intranets, says company spokesman Christophe Lefort. Released in mid-November, opt[e]go uses a patented, vector-based file format to convey location-specific information – traffic, weather, nearby gas-stations, etc. The company recently raised 18 million euros from 3i Group, Morgan Stanley Dean Witter, Goldman Sachs and Part’Com.

Sweden’s is one of the few companies already offering early LBS services via WAP, SMS and the Web. Its yachtPosition combines GPS and GSM data to give captains information on nearby ports and approaching weather. The service also allows tracking open-ocean yacht races via a position map on the Internet. can, among other things, tell riders of nearby biker friends and locate brand-name part stores. MobilePositon recently got $4.9 million from Kaupthing, an Icelandic investment bank, and the Swiss investment company Qino Flagship. The US investment bank KKR invested $3.5 million.

In addition to higher bandwidth, another factor that will jumpstart LBS, according to Rahim Adatia, CEO of Lokah, is that when the market goes from GSM to 2.5G networks, it will shift from circuit-switched data transmissions to packet-switched, meaning the user will pay only for data received, not connection time, allowing him or her to stay connected indefinitely.

This raises the question of just who profits from this new technology. So far, telecom operators insist they own the positioning data, hence the lion’s share of the profits. “The main thing people are forgetting here, is who’s going to get charged,” said Adatia, a small British developer of B2B wireless software that, like Lokah, is currently making the rounds to acquire VC funding. “Business models are still evolving, both in technology and business. Most importantly, the LBS company’s relationship with operators is still evolving.”

“Some LBS companies make the assumption that they will own their customers,” Adatia says, adding, “I think that will become a big problem for them. We aggregate a billing component into our server, so if the billing arrangement changes, with the operator for instance, we can easily adjust.”

Lost in all the hype over all these nifty services is the question of privacy. What if Maria does not want her telephone company to track her everywhere she goes? “Let’s face it, the police are always going to know where you are with these phones,” said Opt[e]way’s Lefort, adding, “If that also occurred on the mass market, of course that could be a problem. Profiled services will be very important to success. It will all depend on the user’s ability to disable the service. I think the problem will be solved because the service is worth it.”

Location Based Services Find Their Niche

On Thursday, the Hong Kong mobile phone company Sunday Communications Ltd. started “Loved-Ones Radar,” allowing parents to track, within 150 meters (500 feet), the location of their cellular-toting child.

Last week in Britain, the makers of London’s black taxis began an automated service that locates a cell phone caller, identifies the taxi nearest that person and then puts the caller in direct voice contact with the driver. For this you pay £1.60 ($2.60) on top of the metered fare.

And since last month, Hong Kong residents have been able to dial a number on their mobile phones to get free SARS-related data. The service determines the caller’s location and sends a text message containing addresses of buildings within 1,000 meters that have reported severe acute respiratory syndrome infections.

Three years ago, the hype about such so-called location-based services, or LBS, was overwhelming, with operators openly threatening to beep your phone with coupon offers whenever you passed a Starbucks. Today, the arrival of LBS is relatively unheralded, even as the services are filtering into the mainstream of mobile applications.

Depending on your location, your handset and the services your mobile phone company uses, you can use a cell phone to get buzzed when a friend is nearby, play hide-and-seek-like games with friends or strangers, find apartments to rent near where you are standing or get medical help, all without opening your mouth. Services that locate the nearest towing company, automated teller machine or florist have also been popular, analysts say.

“The applications that make the cut,” said Jed Kolko, lead analyst for consumer devices at Forrester Research Inc. in California, “are simple, quick hits of information that the customer needs here and now and cannot do without a mobile phone.”

Unlike cell phone services like video calling that require new, high-speed data networks still under development, most LBS offerings work on existing networks, allowing operators to provide the services without major investment. For the consumer, the cost can vary widely from about 19 euro cents (21 U.S. cents) to E2 a message.

The simplest technology locates where your phone is – and, presumably, you – by identifying which cellular antenna is picking up and transmitting your phone’s signal. But that antenna can be as much as one kilometer (six-tenths of a mile) away.

Better software in the network essentially triangulates among antennas to determine the caller’s position to within 300 to 500 meters. Still more accurate technology uses the satellite-based Global Positioning System to locate a transmitter in the phone. But these phones cost more.

With technology not a barrier, the question in the telecom industry, then, was what services to offer. It turned out that it wasn’t going to be coupons after all.

“We launched ‘push-based’ coupon-messaging in Hong Kong shopping malls in 1997,” said Bruce Hicks, group managing director of Sunday Communications. “Its failure proved that people don’t adjust their social habits just because a technology is available. To succeed, it must be simple and complement the way that they already do things.”

“Changing social behavior takes forever,” said Swen Halling, chief executive of It’s Alive Mobile Games AB, a Stockholm-based LBS developer that makes the location-based games Supafly and BotFighters, a phone-based role-playing offering.

Many operators provide services like TeliaSonera Corp.’s Friend Finder, which allows a subscriber of the Nordic telecom to set up lists of friends and get an alert when one is nearby.

While this kind of buddy-finder service was one of the first to appear in many countries, in France the earlier priority, according to Frederic Jarjat, LBS product manager for France Telecom SA, was LBS-enabled chat – or, more specifically, “flirt,” a service whereby subscribers can exchange text messages with total strangers who are in their vicinity.

TeliaSonera also has a service with a novel twist: You’re walking down a pleasant street in Uppsala and think that it looks like a nice place to live. You send a text message on your phone to the number 4412, and you get a return message listing the nearest three available apartments – and the phone numbers to call about them.

LBS technology also leads naturally to security-based products, such as “panic buttons” for older or ill users, or a Find My Kid service like Sunday’s, which several operators are already testing.

But, in general, LBS offerings rank low on the list of what people do with mobile phones.

Operators do not publicize usage figures for any given service, but industry analysts and applications developers say LBS options make up less than 1 percent of mobile usage.

Michelle de Lussanet, telecommunications analyst at Forrester in Amsterdam, said that in terms of average revenue per user, data services as a whole make up 10 percent to 14 percent of cell phone carriers’ business. Almost 98 percent of that is person-to-person text messages.

“The remainder is mainly ring tones and operator logos,” she said. “This doesn’t leave a lot of room for other services.”

Zingo, the taxi locater that is a unit of Manganese Bronze Holdings PLC, said that of the 12,000 licensed black taxis that cruise London’s streets on any given day, 500 are outfitted with its equipment. More than 6,300 people have tried it since the beginning of the company’s trial this year.

Sunday said that in the first week of its SARS service, 16,000 of its 650,000 Hong Kong subscribers used it.

Operators and analysts say a large-scale introduction of LBS will take years; Forrester predicts that data applications like LBS will not take off until 2006 or so, when today’s teenagers become the next generation of high-tech adults.

And some services also could suffer if they are too accurate. The director of new technologies at Sunday, Henry Wong, said, “Our focus group of Hong Kong youths showed us that teens overwhelmingly don’t want the kid-finder because it doesn’t let them lie about where they are.”

Cheesy Feet & Ducks: IBM’s Voice Recognition Software

ducksThe idea of speaking into my computer and having it correctly type what I say has intrigued me since I saw the Star Trek episode Assignment: Earth, in which Gary Seven dictates to his IBM Selectric typewriter while plotting to sabotage a NASA launch.

The thought that I can now actually say – and have my computer type – the phrase, “The museum is open Monday to Friday from 9 am to 6 pm, Saturday from 9 am to 3 pm, Sunday from noon to 4 pm, closed major holidays,” makes me positively giddy – covering Disney World doesn’t look so daunting anymore.

It was with this light thought that I cheerfully set about installing IBM’s new SimplySpeaking Gold (remember: IBM made the Selectric! No one gets fired for buying IBM!), touted by Big Blue as the software that would change the world. My father was with me, and as I was describing what the software would do (‘yeah, that’s it… I can just talk into it and it will type what I say,’) he was shooting me looks of open dubiousness, if not mild derision.

“Youe’re skeptical,” I said.

“I’m not skeptical,” he said, “I know it won’t work.”

“Why,” I asked, supremely patient with my dottering dad, “would IBM offer a 30 day money back guarantee on it if it didn’t work?”

” I don’t know” said my father,” But it won’t work.”

Chuckling to myself (what does he know?) I set to installing SimplySpeaking Gold. Following the directions to the letter, I donned the little headset that came with the software. The training session lasted about half an hour, after which I started talking and it started typing.

Unfortunately, those two actions were entirely independent. It was as if had installed Tourette’sSyndrome for Windows95. I said,” Hey, look Dad, I’m talking and this thing is typing,” and it typed, “pay stark land vice talking in myths saying it is typing.” (“typing”, I noticed later, was one word it consistently spelled correctly, along with “SimplySpeaking Gold” ) I said, “This system sucks.” It typed, “cheesy feet and ducks.” Okay, it wasn’t really that bad – I am exaggerating a little (just a little) – but it was, in fact, terrible.

I returned it the following day. Later I spoke with a software salesman, who told me that almost everyone who bought the IBM software at his shop (one of New York’s largest) brought it back.

“That’s not to say it’s bad,” he was careful to say, “it’s just that a lot of people bring it back.”


This salesman went on to tell me that a lot of the people who were disappointed with IBM really liked Dragon NaturallySpeaking, but that that software was much more difficult to learn then IBM’s. Since I thought that learning IBM’s was simply a matter of training myself to speak in the manner of one of those VCR manuals that has been translated from the original Korean via Swahili, I was game for anything.

To be fair, IBM’s ViaVoice is said (well, said by IBM) to be better than SimplySpeaking. But in an article in the San Francisco Chronicle, David Einstein reported something hauntingly similar to my experience:

” …when I said, ” This is my first dictation” ViaVoice wrote ” This is mild irritation.” I repeated the sentence and it came out, ” This is missus sophistication’.

Why, that is much better!

My next test was with Dragon’s NaturallySpeaking. With doubt in my heart, I installed the software and went through its training session. One thing that struck me immediately was that while I was reading through the training session’s text (it gives you a choice of three, I chose Dave Barry’s Adventures in Cyberspace) it was recognizing my voice right out of the box.

But I was truly astounded when, after finishing the session, I was able to write a long letter with very few mistakes: this thing actually works! Don’t believe it? Come over to my house and I’ll show you (two of my neighbours are going out to buy it after one demo).

For example, I’m writing the following five paragraphs by speaking into my computer. It’s an absolutely joyous thing: I’m sitting here with my feet on my desk speaking absolutely normally and watching it type everything I say.

And okay, there are some drawbacks (like the fact that it just wrote ” arson” instead of ” all are some’, and I had to go back and correct): I sit at my desk wearing this funky headset and looking for all the world like a Time-Life operator ready to take your phone call (E’Good morning, my name is Nick, are you calling about our Sports Illustrated swimsuit issue?’).

But the fact is, I can dictate into this thing at about 100 words per minute after three days of use – and the folks at Dragon say that this will only improve over time.

I have noticed that in the last few days of using this software intensely it has made the same mistakes on a couple of occasions. But it also learns incredibly quickly. I only had to train ” Minas Gerais” and ” São Paulo” once, and never even had to tell it to recognize Rio de Janeiro. Handy, when IE’m working on Brazil (it also recognized, after training, “rodoviária” and “real”, which are pronounced decidedly not as they’re written).

But you’ve got to have patience (it just wrote ” patients’), and realize that it will take about a solid week before you begin to get close to 96% recognition.

The mistakes NaturallySpeaking made while I recited the last five paragraphs were, “good morning, my name is neck”; “… with my field on my desk”; and the aforementioned, “arson” and “patients”. Still, thatE’s not so bad. Earlier OCR scanning devices made far more mistakes, and for most of the friends of mine who can’t type to save their lives, a couple of mistakes in each paragraph is a far happier situation than a blank page.

But Naturally Speaking – or its presence – did cause some problems on my machine. After running it and other programs simultaneously, my computer crashed – but it turned out to be a Microsoft problem, and I had to download a small patch to fix it. You’ll also need a relatively good machine: while Dragon says you need at least a Pentium 133 Mhz, 32MB of RAM and 65MB of hard drive space, I’d say that’s conservative.

Another good question is whether you can dictate into a tape recorder on the road – some smarter authors (and now I) use a tape recorder for mapping (” J&R Music World on the south side of Park row 200 metres south of John St” ) and it would be a hoot to have the machine transcribe it. Well, short of spending upwards of $250 on a mini disk recorder, you’re out of luck: traditional minicassette and other analog recorders just don’t have the quality to work with NaturallySpeaking.

NaturallySpeaking has several models to choose from, but the recognition engine is the same on all – bells and whistles change as you spend more money. But their basic Point & Speak (US$59 RRP in the US) model allows you to do everything I did here. The Personal edition and Preferred Editions (US$99 and US$149 to US$159) have greater customization abilities, and very expensive Deluxe editions are available as well. SimplySpeaking Gold sells for US$139 in the US.