Tuesday 27 May 2008

A worrying trend

People often complain that there are too many TLAs in IT. We have DVD, RAM, ROM, PCI (MCIA and DSS), WAP, ERP, CRM, PKI, DTS, etc... it's all very TDS. However, I think the reason that so many of us resort to abbreviation is that the alternatives are sometimes too horrifying to put down in type.

When I was in Spain it was common to hear people talk of "plannifying" and "authentification", but as I couldn't speak a word of Spanish apart from "caffe con leche" and "jamon", I kind of let it slide. It is also common to hear and read our American cousins speaking a different form of English to, erm, the English. Think "-or" instead of "-our" and how you pronounce the following words: "pasta" and "pastor". Cross the Atlantic and you pronounce them the other way around. I accept and even celebrate these differences.

However, I've spotted a worrying trend today which I hope to be able to nip in the bud before it becomes too popular and an "accepted failing" that gets into everyday speech. I speak of "deduplification".

Let's get this straight, we "duplicate", and therefore we must "de-duplicate". We do not duplificate, or at least I don't. I expect you could get away with it in Barcelona. If we're going to be making words up though, I prefer the more straightforward "singlification", but I wouldn't want to confuse things...

Saturday 24 May 2008

<rant>

I've spent the last couple of months trying to be lazy. Had it not been for British Airways messing up my flight to San Francisco back in April, then my flat flooding when I got back, and then this month Abbey sensationally screwing up the renewal of my mortgage, then I would have had very little to do. As it is, I've been rushed off my feet complaining about various things, banging my head against brick walls and generally getting up people's noses. The mortgage STILL isn't sorted out, and is in fact the fault of the solicitor, Pannone, who have lost EVERY piece of information I've sent them in the past 4 weeks. Terrible service, and they were quite rude to me in an email.

The management company which looks after the building I live in also sent me a couple of unpleasant emails whilst giving me an awful service. British Airways have given me back my money now, but they are extremely unhelpful whilst trying to reclaim.

My phone company, O2, seemed to be the best service I've received in a long time. I broke my phone on Monday at the gym, and had it replaced on Tuesday morning by courier. Mind you, I have had to pay for this, and my bills are frankly huge. Close to £100 a month so far (only had the phone 2 months).

Whilst chatting about this phenomenon to friends a very worrying trend showed up for me. Terminal 5, where my fated flight left from, is actually run by BAA, not British Airways. BAA is run by a company named Ferrovial, who runs the public transport in Spain. They aren't that good.

Abbey National used to be a great little building society, until it was bought by Santander a few years back. Santander are a big bank based in... Spain.

The solicitors, Pannone, are not pronounced "Pan-own" as you might expect from reading it, but "Pan-oh-ni". Sounds a bit suspect to me, probably Italian, but certainly southern european.

And O2? Well, they were bought by Telefonica, who provides Spain's public telephone system, and whilst I lived in Barcelona, ripped me off consistently for months. I moved out and ran away from the problem rather than trying to get the phone cut off. I couldn't deal with them in any language. If I ever go back there I fully expect the Mossos D'Esquadra to beat me to a pulp before I get out of the airport.

Spain's economy has relied heavily on construction for a number of years now, ever since Franco decided that Marbella and the rest of the south coast should be dedicated to tourism. It kind of took hold and they carried on building until... well, until they had so many places to stay and live that they didn't need any more. At this point, even a surplus of one causes the price point to drop exponentially. This is basic economics. Read "The Logic of Life" if you need a better explanation.

Spain has needed to branch out and invest in other areas for some time, and now it seems to have found somewhere willing to take it's money. Unfortunately, it's Britain. Unfortunately, the Spanish are the best providers of fun in the known world, but the worst providers of service. You can sit in a cafe in Barcelona for over an hour BEFORE you get served. This is expected over there. Over here, it's not. Living in Barcelona you get perks like weeks of sunshine all year round, cheap everything, street parties and a beach. Living in the UK, you do not.

No wonder I've been missing Spain recently. I'm getting Spanish service, but crappy English weather and prices. Not sure how this happened, but I'm seriously considering going back the other way - maybe the service wouldn't be much better, but at least I could take my trousers off and forget about it. Isn't that always the best way?

</rant>

Friday 23 May 2008

Article in the popular press

I've been blogging for quite some time now, and of course it's a very ego-centric thing to do, but I still get a buzz from seeing my name in print. Seeing it willingly printed on someone else's website is of course the biggest buzz of all, and having articles accepted by Computer Weekly makes me all warm and fuzzy inside.

Of course the rest of you won't have a Google alert for "Rob Newby" (if you do, I'm already scared), so here's a link to what I'm talking about:
http://computerweekly.com/Articles/2008/05/22/230777/pci-a-matter-of-timing.htm
Enjoy!

Friday 16 May 2008

Clearing up

I had a mail yesterday after my DLP post expressing concern that I was endorsing Orchestria. It wasn't from any of the Vontu crowd, nor Vericept, nor any of the others in this space, just to be clear.

I'm not going to say who it was as they wouldn't thank me for making it public, but just for the record, I was deliberately not endorsing them. I think it's hard to tell in print, but it was supposed to be slightly tongue in cheek. I was told a lot of impressive stuff by the CTO, and without any proof. I have no idea if they are any good or just have a big marketing budget. Personally I would be surprised if it was all true, as they wouldn't need any advertising budget if it was, it would sell itself - and they seem to have blown a huge wedge on getting out into the media. I am still surprised by the suddenness with which they appeared on the scene, even though they had been around for 5/6 years previously working in the compliance space. I've just come out of the compliance space myself, and never saw them there.

I was slightly mystified by the claim that they do 'more than just DLP', and then described what they do, which was... erm, DLP. If they DO do DLP to the extent they say, then they still just do DLP I'm afraid, not super-DLP, not DLP-extreme, or even DLP-with-knobs-on, just plain old DLP. They may be doing it super well (or well-extreme, or even well-with-knobs-on), but DLP doesn't break down into subsets, it's already an all encompassing term. This makes me think that they might be a little confused about what they are selling.

This often seems to happen when a company has to make a swingeing turnaround from their original product marketing direction. I've worked for a couple of companies (again, no names) where the original idea has been technically sound, but completely unsellable, and changing the message serves to confuse not only the customers, but the internal staff. I wasn't at Ingrian when the focus changed from SSL to data security, but I was selling their kit in the UK. People loved the SSL device, I still do, they are still used in the UK deployments I performed. People didn't understand the data security device, and a complete change of architecture really stalled the company for a short while. They recovered of course to be purchased recently by the marvelous SafeNet (it really doesn't work in print does it?), but it was a tough time.

I've been through that twice with other companies, and changing the marketing message can be as time consuming as changing the product direction, sales model, or any other part of the organisation. Something I will say for Orchestria though is that they have the right attitude towards this to succeed - complete self-confidence in the face of adversity, and seemingly infinite marketing dollars. What I can't yet do is endorse them, I hope this is all clear now!

Thursday 15 May 2008

New kid on the DLP block

When I was at InfoSec, my friend and Ingrian predecessor Norberto Costa, now at RSA, asked me if I'd seen Orchestria. I immediately got a mental picture of their stand at RSA2008, and realised that that was all I knew of them.

"Yes, they were at RSA," I said helpfully. When I got home I looked up their site and saw that they had an international presence, but an R&D centre in Taunton. For those of you not familiar with UK geography or anthropology, Taunton is in Somerset, on the west coast of the UK, which is not quite as cosmopolitan at the west coast of the US. Somerset is famed for its cider, cheese (Cheddar is in Somerset) and holes (Wookey Hole is a cave, near Cheddar), not its technology.

I dropped them an email, explaining my fondness of all things west country and my desire to speak to them, and managed to get a half hour on the phone to the CTO yesterday. I was most disappointed to find that he did not speak about combine harvesters with a Somerset burr. In fact he was very obviously a professional business man, as proven by his opening gambit.

"I was a technical specialist at Benchmark Capital, who invested in Google amongst others."

Benchmark paid for him to set up Orchestria, with proper funding, a proper team, and some real experience. This was in 2001, and I hadn't heard anything about them until last month. Since then I have been asked about them a number of times. For someone who pretends to be familiar with the data security space, this was slightly embarrassing. Not any more though.

"Orchestria was set up as a compliance tool, and was sold as such into very large companies for the last 5-6 years."

It was only the DLP bandwagon coming along which made them realise that they had something which could do that and a whole load more. If they are to be believed, Orchestria are beating the likes of Vontu in accounts where they appear together. I fully expect a mail from Kevin to explain why this is untrue, and will print it here in the interests of fair play. If this is the case, it is little wonder they have been so hyped recently.

Digging a little deeper into the technical side, Orchestria uses a natural language engine, hundreds of times faster than regex and other methods used in current DLP. They have 26 agents, covering every possible exit point on the network, on every popular platform. They cover email protection, which few of the others manage to do well. It all sounds very impressive.

I have yet to see proof, and I'm sure to get a barrage of emails from my other DLP contacts saying why theirs is better. In fact I hope I do, this is exciting stuff.

There you go Norberto, I asked.

Saturday 3 May 2008

Encryption does what?

A couple of weeks ago, after I wrote a piece about data security, a friend of mine wrote to me to say he had chosen 'none of the above' for the question 'why do we encrypt'. My answer was 'to keep data secret'. His argument was that encryption was actually only preventing physical theft.

I think this is a bit of marketing spin, and not really looking at it from a pure security viewpoint. The fact that my friend was a very successful SE, now Engineering Director for a software company may confirm this. Let me explain. Of course encrypting deters from physical theft, if it is known about. So without splitting too many hairs, let's assume my friend meant that it prevents access to the data after it has physically been taken. Therefore physical theft hasn't been prevented or deterred, so there is no benefit to the encryption. So what are we left with? Well, the data is still secret of course.

OK, now let me assume that company X has bought encryption and is now boasting about it in the newspapers. Data thief Y, external to the company, with no knowledge of the systems, thinks twice before stealing from company X, and steals from company Z instead, as there are easier pickings. Great marketing of encryption. But what happens when encryption becomes a commodity, as it surely must if current storage trends continue. Assume all valuable data is encrypted, what is the best way to crack that encrypted data?

Well, personally I'd steal the physical device and take it home, get my botnet to search out a few thousand PCs for extra computing power and set them to work on breaking the algorithm. So, does encryption really deter physical theft?

Once again the successful crackers are going to be internal people, who already have access to the data. You still need to make sure your physical controls and policies are strong, even when you have all of this put to rights.

Friday 2 May 2008

A position of power

I’ve just got back to London from Chicago O'Hare airport where I was driven from Milwaukee. My driver was Joe Sturonas, CTO of PKWare. He liked to refer to himself as a bit of a geek when it comes to number crunching and IT (he may well not like me referring to him as ‘my driver’ however). Joe studied Artificial Intelligence whilst at University, and subsequently worked for the Illinois Department of Transportation's Traffic Systems Center (TSC) before ending up where he is now. [I hope the details here are right, I blame jetlag and artistic license for inaccuracies.]

The Chicago based TSC has sensors on most of the main routes surrounding the city. These count cars and their speeds, giving a fair indication of congestion levels in each of the lanes on Joe's commute to and from work. The TSC used static data, daily counts and average speeds to designate 2 different types of roads for different types of road user – these are Express (E) and Local (L). Thus on Joe’s route to work each morning, the first part of the journey he could choose from 2 L roads and 1 E, and later on 2 E roads and 1 L. Once a lane was picked, it was impossible and impractical to change. Most people ended up picking either L or E and sticking in that until the end of their journey for the sake of getting anywhere at all.

Using his knowledge of the transport department's IT systems, Joe managed to pick up transmissions (legally) from traffic sensors in the roads. He then applied a simple algorithm to the traffic reports using his AI knowledge, and programmed his PC to send him a text message each morning, telling him which route to take, in the form of either EE, EL, LE, or LL, in this way he would choose which lanes to take at the beginning and end of his journey. He even went as far as factoring in weather and seasonal conditions, holidays, etc.

He calculated over time that in an average week he was saving between 90 and 120 minutes compared to the 'average' commuter, taking pot luck and sticking with it. This was a huge saving and meant Joe could spend more time at work, AND more time with his family, possibly why he made it to CTO whilst remaining a devoted family man. Needless to say, this also gave Joe excellent geek bragging rights, which he duly exercised at a party amongst commuter friends. Obviously the idea was to share his funny little idea and get some respect, but, also rather obviously in hindsight, his friends nearly ripped his arms off to get a piece of the time-saving action, frustrated as they were with the extra 20-40 minutes in the car during their working day.

Joe complied and allowed a select group of his friends to receive the same information as he did every morning, but took his idea no further. So what stopped him? Joe, being a mathematician and logician by nature, realised the fatal flaw in commercialising his invention. What happens when more than his select group of friends gets interested? Of course, the routes become just as blocked, if not more so than the ones being reported on. So the algorithm has to be real time, perhaps different for each subscriber. This was far too complex a problem to warrant the launch of a company, so the idea died out when Joe moved jobs and his commute reversed, out to Milwaukee.

This neatly demonstrated the value of requirements and reality to me, something I thought was a great idea, was great only if you remain the one single person using it. Not so profitable if you are a vendor trying to sell it. Joe also pointed out that there was a point of ‘critical mass’ of subscribers to your service, where if you know that you are controlling the majority of commuters’ traffic decisions, in Joe's words, it becomes 'less of a math problem, more of a routing problem, and of course I get QoS'. I noted that he was only one step away from making his own weather machine with that sort of approach, to which he laughed - "MWAHAHAHAHAAA!".

Dr. Joe Evil dropped me off at the airport and sped off into the distance, leaving me to ponder if he really was controlling the weather already. A crack of thunder in the distance and a puff of smoke where Joe’s car had been a moment before confirmed my suspicions.

Thanks for the lift Joe, and for the good weather on the flight back.

MadKasting