August 19, 2008

Is there an 802.1x in your future?

Tim Greene's NAC column today goes back to the recent Gartner IT Security Conference. At Lawrence Orans's session on NAC, using the handheld voting machines he asked the audience if and when they planned on deploying an 802.1x capable network.  Of course answers are always dependent on how the question is framed.  But in this session about 50% of respondents said they were going to go .1x by 2011.  You know what they say, once you go .1x you don't go back.  That bodes well for NAC deployments.  802.1x remains the most secure and powerful way of implementing NAC.  However, .1x is also useful for other security and network functionality.  If you want to read more about .1x my friend JJ has a ton of good .1x stuff up on her blog.

A couple of interesting points though.  Gartner itself, as Tim points out, estimates that .1x adoption will be closer to 70% by 2011.  The difference between the 50% in the survey and Gartner's estimates will be realized due to the increasing ease of implementation of .1x networks. Perhaps. I know at StillSecure we are always looking for ways to make it easier to implement .1x and NAC.  However, let's be clear. Installing new supplicants because Cisco and Juniper say the Microsoft supplicant is not good enough is a red herring. Yes the Odyssey client is cool, but it is a nice to have in the .1x equation, not a must have.  The same goes for the Cisco/Meetinghouse supplicant. Also, not all .1x is created equal.  There are still enough differences between switch vendors in how and what they support in .1x to make it maddening.

Finally, like I have said before, if you are going to do 802.1x just for NAC, don't bother.  But if you are going to go to 802.1x, you should give NAC a good look.

Why Google is now my homepage instead of Yahoo

I promised in an earlier article on my frustrations in dealing with web companies that I would talk about my most frustrating experience of all. Without a doubt, hands down the absolute worst company to deal with is Yahoo!

I have been a Yahoo customer since at least 1996 or 1997.  I remember when Yahoo was a plain gray page and all they had was search.  I have used MyYahoo as my home page since it first came out. I had a Yahoo email account (most people know that now), used Yahoo for fantasy football and for most of my personal email.  Though the world went to Google, I stayed with Yahoo.

Though by 72 hours after the attack I had everything else back under control, here we are over a week later and I still don't have my Yahoo account back. It is shut down because the attackers sent out disgusting porn to people in my Yahoo address book.  Of course this was mostly parents of the little league baseball, football and soccer teams I coach.  But that is indicative of the quality type of people who were involved in this attack.

I have written and called to every address you can think of.  They have asked for copies of my driver's license.  They wanted all of my information from when I first applied for an account (yes, from 12 years ago). I have had to give them every email address I ever had (anytime you fill out information for a new account you should make a record of it and keep it somewhere safe.  Don't ask me where, but somewhere safe).  Every mail address and zip code I have had. I sent them the answer to every secret question I can think of, but they won't give me the question they want me to answer. I sent them the hacker's post bragging about getting my email account.

Finally on Sunday I received an email that if I would call with the 8 digits of the credit card on file with my Yahoo wallet (I didn't even know I had a Yahoo wallet.  Again, if you fill something out, keep a copy and record of it somewhere) I could have my account back. I called and left a message.  I called again and left a message. I called again, and again and again. I have called about 12 times in 2 days and have not gotten one call back or even an email response.  What does it take?

At this point I don't know if and when I may ever get my Yahoo account back. What a shame, all of that data and history lost.  In the meantime I have made Google my homepage and am using iGoogle. I have to say, it is better than Yahoo.  I have my gmail account. I am registering for new fantasy football on other sites.  I am done with Yahoo.  They are not a company I want to do business with anymore.

For a web giant, they should have better process and procedures in place to deal with an account being hijacked like this. Shame on me for having this happen, but shame on Yahoo for just not being a company that values its customers.


August 18, 2008

Can you help a brother out (HABO) with some security research?

My friend Tyler Reguly of nCircle and computerdefense.org is conducting some research on denial of service attacks, people's perceptions of them, etc. He posted a request for help on the nCircle360 blog here. The actual very short (did I say very short) survey is on computerdefense.org here.  If you have 30 seconds to spare (it should not take you more than that) could you take the survey for Tyler?  You don't have to be a security whiz and the survey is open to everyone.

I thank you, Tyler thanks you, yada, yada.

August 17, 2008

More frustrations with web infrastructure

As I mentioned in my previous post, the hardest part of recovering from the recent hacking attack has been the lack of process and procedures in place by many of the "utilities" we depend on to use the web.  In this post, I am going to highlight two specific examples:

1. Go Daddy - the hackers' best friend. The reason it took so long for my domain to point to my blog after the attack was due to Go Daddy.  The fact is my domain should never have been pointed away from my blog. My domain registered through Go Daddy was supposed to be locked.  In fact it was. I received an email Sunday morning that my domain had been moved from locked to unlocked. This was when I first became aware of what was going on. I immediately called Go Daddy (to be fair, Go Daddy was one of the only companies that had 24 hour phone support) and told them I did not give my permission to unlock my domain, I was under attack and to lock it down and let no changes happen.

I was assured by the Go Daddy tech support person that this is exactly what they were doing and not to worry, Go Daddy was on the job.  In fact he sent me a customer satisfaction survey to fill out about how Go Daddy had thwarted this attempt to hijack the domain. Wrong!  When I called Go Daddy back later that afternoon (always double check that these companies are doing what they claim they are going to do, don't trust them to follow through without you staying on top of it), it was as if I had never called that morning.  By that time the contacts on my domain were changed.  When I finally got a supervisor (ask for the supervisor quickly, don't insult the first level guy, just explain that you are going to need a supervisor for this emergency) on the phone it was too late for that. Now I had to go to the "undo" department.  By now it was Sunday night and the undo department is only in during normal business hours, so I had to wait till the next day.

The undo department has no phone and you can only communicate via email.  In spite of everything I showed them about my situation, they were writing to the hackers to "hear their side of it", as if this was some run of the mill dispute over who owned a domain.  All through Monday I literally had to call every hour to keep this moving.  Getting a supervisor and making them walk down to the undo department.  Finally, by Tuesday morning, after lots of help from some contacts in the blog world (thanks Jennifer L), Go Daddy finally put it through to give me back control of the domain.  Then it takes 24 to 48 hours for DNS to update.  If not for the help and the constant calling it could take up to a week for this process!

That is just bull.  Go Daddy and others in this position should do better. Having an undo department is commendable. If they would have taken more than a minute to actually look into the facts here and heaven forbid get on a phone, this could have been taken care of in 5 minutes.

2. Typepad - Again Typepad offers no phone support whatsoever. So I followed the process and sent an email to open a ticket.  I explained that my blog had been compromised as well as the contact email address. I needed to either have the blog shut down or I needed new passwords and usernames set up.  So what did the Typepad tech support do?  They sent new passwords to the compromised email box!  Finally, my friends at Feedburner reached out to their friends at Typepad and someone from Typepad called me from home and helped me out.  So I owned my blog by Sunday night, though the domain was now pointed somewhere else.

I don't know what I would have done without the Feedburner help.  Typepad needs to offer some sort of process for this type of situation if they are going to be a quality host going forward.

Another failure of Typepad is their backups.  Many of you have commented that many posts from February to August are missing from my blog.  The thoughtful hackers tried to save some of my storage space by deleting these posts :-(  I have been assured by Typepad that everything on these blogs is kept in a database which is backed up regularly.  Great, right? Wrong.  Though it is supposedly backed up, there is no real way to restore the posts.  The Typepad team is supposedly working on how to accomplish this.  They are busy and will try to get to it and I am patient.  But waiting a week for a backup restore seems a bit much.  What do you think? I would pay extra for a real backup service for my blog with a restore feature.  This seems easy enough, what is the story?

Tomorrow I will talk about the biggest problem I have had with web providers in this adventure: Yahoo!

August 16, 2008

Our web infrastructure needs to be at public utility levels

This is going to be the first in a series of posts I am going to write about my experience in recovering from the recent attack against me. Many people have asked me "what do you do if this happens to you".  Well first of all it helps to have a team like the StillSecure Security Alert Team (SAT).  In particular, Brad Doctor, the director of our SAT was my rock during this whole ordeal.  Brad quickly saw the full scope of the attack against me and guided me in my steps.

First thing was to take care of financial exposure.  Getting your credit and debit cards canceled is relatively easy. You get on the phone and just about every financial institution has an option for lost or stolen cards or other fraud.  Within a half hour or so that is taken care of.  The card companies will send you out new cards and credit you for any charges on your accounts. Protecting your credit and identity, financially speaking, was fairly easy as well. There are any number of firms that offer great services in locking down anyone trying to open accounts in your name or social security number. I will give more details on whom I chose for this in a later article.

Next Brad had me cleaning out my own computer and my online identity.  I wish that this was as easy as protecting my financial exposure. The fact is our web infrastructure that so many of us depend on is just not up to the challenge.  The shame is that at this point in time web companies are almost utility-like.  If something happens to your electric or water or cable, you can pick up a phone and eventually get someone on a phone to help you. Not the case with our web utilities.  They are set up for volume and scale, but not customer support in emergency time frames.  The standard response in contacting any of the web companies was an auto-generated reply that someone would email me back in 24 to 72 hours or more! When you are dealing with an emergency, you are locked out of your accounts and your identity is being stolen and abused, that is just not good enough.

As I have written earlier, I was lucky in that I was able to call on people to help me out.  For instance my friends at FeedBurner/Google, Matt Shobe and Dick Costolo, quickly took control of my FeedBurner accounts, including the SBN feed.  They were also able to get someone live at Typepad to allow me to take back the blog.  This took more time than it should have though.  Until Feedburner reached out to someone, the Typepad support team just kept sending a new password to mailboxes that the attackers controlled, even though I was mailing them from my stillsecure mail box! You could not get any of these people on a phone.  Very frustrating!

In any event, if you don't know anyone with some "juice", you have to go through the process.  You can keep sending emails. I think it is important that you write full emails that really explain the gravity of the situation.  Eventually when a live person looks at it, it does help.

But all in all, generally once I was able to get a live person on the phone, I was able to undo some of the damage done.  Our web providers like Yahoo, Microsoft, Google, etc. need to have emergency phone numbers that people can use for these types of situations!  However, even having a phone number does not guarantee success.  In the case of Go Daddy, it was just the opposite. In fact Go Daddy can be the hackers' best friend!  More about that in my next post.

August 15, 2008

StillSecure secures an IQ award

For those who don't know, StillSecure is headquartered in Superior, CO, which is right outside of Boulder, CO.  Besides being a beautiful, funky college town nestled in the foothills of the Rockies, the Boulder area is a leading tech center.

One of the more coveted local recognition awards is the Boulder County Business Report IQ awards. In this case IQ does not stand for how smart you are, but Innovation Quotient. StillSecure was just named the winner in the Computer category. This was not just security, but virtually all of computer technology.

This follows my pal, Rajat Bhargava, StillSecure CEO, winning an entrepreneur of distinction Esprit award from the Boulder Chamber of Commerce as well.


If security is a circus, who are the clowns?

Linus Torvalds complains to Ellen Messmer about the "security circus" he sees. Linus is talking about the constant friction between the disclose-immediately versus "responsible disclosure" crowd.  While I agree that the when-to-disclose arguments get tiresome, the long pole in the tent of this circus is the clowns who do a lot of the coding for the products that we use.

With the pressure of getting out code on time and on budget, there are just too many vulnerabilities in the products we rely on.  Racing to get the next greatest feature in this release, or that must-have functionality that was promised to the customer, too often pushes security and bulletproof code into the shadows.  Then when someone finds the all-too-common holes in the code, somehow the people finding it are wrong?

Yes, it would be much better if the whole disclosure timing thing went away. I don't think that will ever happen. But if we had more quality control around code, perhaps it would not be so acute.  So, when talking about the circus, instead of blaming the security people, maybe take a good look at the clowns.

August 14, 2008

I'm back!

It has certainly been an interesting week.  If there is anything else you want to know about me that has not already been posted, please feel free to send me your questions.  As most of you know, on Sunday morning my blog was hijacked/hacked as well as my Yahoo mail address and the domain for this blog.  A lot of my personal information from these sources was posted on a public message list, along with some particularly hateful, ignorant, anti-Semitic ranting.  This event, while traumatic, has also resulted in some positives.

First of all let me say that I cannot go into a lot of the details of how this took place, as I am working with the authorities in this matter.  Secondly, let me say that all of the information exposed was my own personal information.  StillSecure infrastructure was not pierced or exposed at all, though the StillSecure SAT team treated this as a major breach and pulled out all of the stops in investigating and protecting our corporate infrastructure.

All of the above notwithstanding, it was not easy. Of course part of me would like to just be in a room with some of the people (and I use that term loosely) who committed this crime and take care of this, but that is probably not going to happen (one can hope though).  In some way I feel that in order to make steel, iron has to be put through the fire.  This event has resulted in steel being made. Where before I viewed security as a business that I was in, security from here on in will be a much more passionate endeavor for me.  In many ways this has made me truly a security person.  You will see a much deeper commitment by me in keeping the slime of the world from being successful.  I am going to do everything I can to make myself, my family and all of us more secure.  Security for me has gone from a business to a way of life.

I am also extremely humbled and grateful for all of the help that so many of you have rendered over this week. I never truly felt part of the security "community" until this week. Over the coming days I am going to talk about what you should do if this happens to you.  However, having friends and support in the industry is something that most of us just don't have.  The security community has reached out and picked me up by the bootstraps, performing incredible acts of kindness and generosity in recovering from this. I realize now that in my years in this industry I have made some great friendships. On top of this, the people I have made friends with are just incredible people! I will detail some of these acts and people in days and weeks to come.  For now though know that I will never forget and will do my best to be worthy of your kindness and help. I think some of the other security bloggers in the community are going to speak out on this as well. I will be interested in what they have to say.

In case any of you are wondering, I will not stop blogging and speaking out.  I would never let the likes of these people silence or intimidate me.  In truth the fact that they targeted me tells me that I must have struck a nerve or done some good work, that they would feel it necessary to attack me. In looking at the list of some of the names targeted along with me, I was almost honored to be included in such a prestigious group. I recognize that my blog and StillSecure are pretty well known and I guess that this shows that I am a target.  For now my blog will remain sparse.  As I continue to build it back up, I want to make sure that everything that is going in is clean of any malicious code.

Stay tuned for more to come and thanks for sticking with me!

February 06, 2008

Thoughts on Super Tuesday

Since I chimed in on Super Bowl Sunday, let me press my luck and talk about the primaries of Super Tuesday. I stayed up late tonight switching between CNN and Fox News to really get a "fair and balanced" view of what was going on.  I must say that in all of the years I have been watching presidential races (and the first one I remember was '68), I don't remember both parties having such close races this late in the season.  Without letting my own political beliefs get in the way, here is my analysis:

1. The Republicans - They are in a fight for the soul of this party.  Though all three leading candidates claim the title of heir to the Reagan revolution, in my mind it is a bit different.  Mike Huckabee clearly is the choice of the Karl Rove wing of the party. He is the choice of the religious right and the South.  This is the bedrock of the Republican presidential majority.  Taking them on is John McCain, who is a genuine war hero, but independent enough to stand for what he believes in and has the record and stature to stand up for it.  He makes no bones that he is all about the traditional Republican argument of being strong in foreign policy and probably a bit less involved in economic matters. Finally, you have Mitt Romney who represents, to me anyway, the traditional Republican big business view.  So who wins this fight for what it means to be a Republican?  Are the Republicans a party of the religious right who vote primarily on social issues such as abortion, gay rights, etc.?  Are the Republicans the party of big business/small government, which was their traditional stand as I grew up? Or finally, are they the party who is best suited to keeping America safe and recognizing our own self-proclaimed "manifest destiny"?  I guess the rest of the primary season will answer that question.

2. The Democrats - Obama has certainly energized a large section of the populace. He is bringing people who never voted or are usually very under-represented in elections into the process and that is a good thing.  However, when you examine the wins, a Democrat winning their primary in Utah, Alaska and Idaho is just not very exciting. He has no chance of winning those states in the general election. On the other hand Hillary has certainly demonstrated her ability to win in the traditional Democratic states (including Michigan and Florida, whose votes will have to count in a close race). But is she electable in a general election?  She is a lightning rod for Republican wrath it seems.  Maybe it is part of that vast right wing conspiracy that she always spoke about.  What is interesting on the Democratic side is that I really just don't see a lot of difference in their positions.  In fact most people I speak to say it would be cool if they would just join up and run as a ticket.  Of course who is on top and bottom is the key to that one, but I don't think it will happen, too much ego there.

So, here we are, Super Tuesday is over and still no conclusive answers. This is what I do know.  No matter who wins the primaries, 40% of this country is going to vote Republican and 40% is going to vote Democrat.  It is who the other 20% vote for that will determine the next President.  But as someone who remembers the Civil Rights movement and the women's lib movement, I can tell you that I am thrilled as an American to see in my lifetime that either an African-American or a woman will be the nominee of one of the major parties.  I think it will be a while until we see something like that on the Republican side, but it will come.  In the meantime I am looking forward to seeing how this all plays out. But this race is not done yet, it is up to you to decide who wins.  Get out and vote!

February 05, 2008

StillSecure's first branded NAC appliance

Yesterday we announced our latest version of our Safe Access NAC product.  This release has several new wrinkles for Safe Access which keep it at the forefront of NAC functionality, but the biggest thing is that we finally are offering StillSecure branded appliances. We still offer Safe Access as software that you can run on your own hardware, but after years of swimming against the tide we have come to the realization that it is just easier for people to buy an appliance than anything else. So with this version of Safe Access we now offer a StillSecure branded appliance.

Designing and putting in the processes to sell and support these appliances has been a long time in the making, but we think we have it down now. I am looking forward to seeing what difference this is going to make.  We will soon have StillSecure appliances for the rest of our products as well.

There are several other new features in Safe Access that are worthy of mention. One is a plug-in that allows DHCP NAC to be done not in-line and with more scalability. Vista testing is another.  Post-connect integration with StillSecure Strata Guard, as well as the ability to integrate with other IDSes, is another important feature. One of the most important is what we are calling Deep Checks.  This gives us the ability to audit at a much deeper level for policy compliance. I will probably do a full article on Deep Checks in the near future.  There is a laundry list of other new features and improvements in the product as well, but you can check the release for the whole story.

Many are saying that this is the year NAC gets real and NAC vendors have to stand and deliver. With this release of Safe Access I think StillSecure has the goods to win.

Hello from Clearwater Beach and the Competitive Intelligence MindXchange

I am down here in beautiful Clearwater Beach, Florida this week at the 15th annual Competitive Intelligence MindXchange hosted by Frost & Sullivan. The F&S folks invited me down to speak on CI based on some of the stuff they read in my blog. I was flattered and since it wasn't that far from home agreed to appear.  The conference has opened my eyes to the huge effort that many companies, especially larger public companies, are putting into gathering market intelligence and information, as well as the global focus of CI.  I always find it refreshing to meet people from outside my core discipline.  So security is not top of the mindshare here, but I kind of enjoy learning about something else.  You can never tell what you may learn that helps you later on.

February 03, 2008

Giants-Pats? You wouldn't understand, it's a NY-Boston thing

OK, it is Super Bowl Sunday and after that game how can I not write something.  Both of these teams played their hearts out there tonight.  Wes Welker has the biggest heart for a little man you ever saw.  But in the end I think the Giants out-Belichicked Bill Belichick by crafting a game plan that ate up the clock, kept the Pats offense off the field and set up the Giants to pull it out in the end.  The Giants defense did something that no team has done this year, that is stop the Pats when they had to be stopped. The Giants offense did something that no one has done on the Pats all year either. That was scoring when they had to score.  Congratulations to the whole Giants franchise.  Also congrats to the Pats.  Yes they are not 19-0, but they have had a magical season and just came up a little short.

But my commentary here would not be complete without mentioning the NY-Boston thing.  As many of you know, I am a huge Steeler fan.  I like the Giants and the Jets because they are from NY, but especially when they are playing Boston.  I am not a Pats fan at all because they are from Boston (they can call themselves New England all they want, they are from Boston).  That being the same Boston that the Red Sox are from.  With all due respect to fans from across the country and some of the great rivalries out there, for my money there is nothing like a NY-Boston big time game.  I don't care if it is baseball, football, hockey or basketball. When there is a big game on the line, it just does not get any better or more bitter-sweet than the NY-Boston thing. To all of my friends who are Boston fans (and I have many), hey sorry guys.  Be grateful for the Sox.  Maybe we can pick this up in the AL playoffs in October!

Mets get Santana, Yankees and Red Sox thrilled

Disclaimer: This is another nothing-to-do-with-security article.  Today is Super Bowl Sunday so let's write about baseball. The other shoe has finally dropped on the biggest deal in baseball this off-season.  The NY Mets have won the Johan Santana sweepstakes.  The deal costs the Mets dearly: 4 young prospects, including 3 pitchers, and 137.5 million over six years. What did they get for all that? Maybe the best pitcher in baseball today. A sturdy 2 time Cy Young award winner, Santana will anchor the Mets rotation for years to come.  The Mets beat out the Yankees and the Red Sox to win the prize.

Here is the funny thing though.  I think both the Yankees and Red Sox are happy the Mets got him. If you look at the Red Sox they are coming off of a World Series season. Their pitching appears solid and though you can never have enough pitching, the price to the Sox would have been either Jon Lester, a great pitching prospect, or Jacoby Ellsbury, or both.  A steep price to pay, not to mention the big fat contract on top of that.  And who knows how the other Sox players would have reacted to another big contract. It could have upset their whole payroll order.  On the other hand, the Yankees would have had to deal one, if not two, of their big three baby arms: Hughes, Kennedy and Chamberlain.  These three could be the rock the Yankees build their next dynasty on.  The Yankees are finally going to let the young arms develop on the Yankees. Plus even the Yankees have to worry about yet another big contract.  I think one of the things driving both the Yanks' and Sox' quest for Santana was to keep their arch rivals from getting him!  Now the Mets have come in and taken that problem off the table. Yankees and Sox fans know that the only time they will have to regret this trade is if they meet the Mets in the World Series. If so, I am sure they will take their chances.

Here is hoping the deal works out for the Mets, it already has for the Yankees and Red Sox!

February 02, 2008

Robert L Mitchell - I know Microsoft, I have worked with Microsoft ...

and Sears ain't no Microsoft and Yahoo! ain't KMart. Robert tries to make an analogy of Microsoft's bid for Yahoo and Sears buying KMart.  First off Robert, you should know that the Sears/Kmart deal was not so much about retail shopping and more about the real estate that both organizations owned. That was the reason for the high stock value.  But let's be clear Robert, though Google may own the search business, neither Microsoft nor Yahoo were exactly hurting.  In fact Google at best has an uphill climb to knock Microsoft down from anywhere.  Anyone who has used Google Apps can tell you that.

Yes search is a cash cow for Google, but they have to use that cash to take on Microsoft on Microsoft's own turf - applications, OS, etc.  In the meantime Microsoft is into everything from game consoles to set top boxes and automobile software. Google in the meantime has not proved that it can monetize anything beyond search. But to be fair search is a part of this. By taking Yahoo's search business and combining it with MSN it puts pressure on Google to keep innovating in search. It pins Google down on that and could de-focus them from competing with Microsoft on other fronts.  Also, based on Google's latest financials and stock price, maybe we have seen the peak of paid search? Not to say Google is hurting either.  You are talking about an online war of behemoths in which search is one small part of the eyeball game.

It will be interesting to see how it plays out and whether Microsoft can in fact absorb an acquisition the size of Yahoo.  They have not done one this big before.  But let's be clear and let's not kid ourselves. Microsoft/Yahoo is a far, far cry from Sears/Kmart.  Now in the meantime, let me go look for the blue light special.

February 01, 2008

Are you a Twit?

Jennifer Leggio over on her Mediaphyter blog has an article talking about the growing number of security folks using Twitter.  They are called Twits.  OK, maybe not a flattering name but you know what I mean.  Jennifer has done a great job of amassing a list of Twits so you can follow them pretty easily. If you are using Twitter and dabble in security, let Jennifer know so she can make you an official Twit!


Does Mitchell think NAP's Prince has come?

Mitchell has an article up on his Microsoft subnet blog asking if NAP is ready for its awakening.  I had visions of Bill Gates kissing the NAP sleeping beauty and awakening her from her slumber.  But NAP hasn't been sleeping, it instead has never really been born!  Mitchell has some of the facts wrong here as well. I don't think the NAP client came out with the original XP SP2, it might have been a hotfix recently though. But regardless of that, other than at Microsoft themselves we have seen zero NAP installs.  In fact for all the hoopla, we have not seen many customers using Vista at all except for Universities where students bring it in. I was talking to one security admin at a medium enterprise yesterday who said that the June deadline for MS to stop offering XP was way too soon, as they will never be ready for Vista by then.

In my mind, rather than Sleeping Beauty waiting to be awakened by Prince Charming's kiss, NAP is more like an ugly frog hoping to kiss the princess and turn into a prince.  Microsoft has done an artful job of freezing the NAC market by pre-announcing NAP all those years ago.  When people talk about NAC adoption being slower than expected, I think the single biggest factor is the "waiting for Microsoft" factor.  At the end of the day by the time NAP is finally adopted (and don't think just because Windows Server 2008 is released the floodgates will open) I think the NAC market will have evolved far beyond the rather rudimentary functionality that NAP offers.  But my mother did not raise a fool.  NAP will capture its share of customers because it is from Microsoft and it is free.  Every NAC vendor has to come up with their value proposition on how it complements NAP or they can start dressing for the funeral.

All in all though, I think if NAP wakes up soon, it won't be getting out of bed until 2009 or even 2010.


Juniper switches - Where's the beef?

With Juniper's long awaited release of their EX switch line, many have said that there is just nothing distinguishing about the line up.  Just speeds and feeds.  Others are saying that the real secret sauce is the JUNOS.  That very well may be.  However, Tim Greene in this article says that Juniper's built in NAC may be Juniper's not-so-secret weapon. He quotes two analysts, Phil Hochmuth of Yankee Group and Rob Whiteley of Forrester.  The article rightfully points out that Juniper's competition in the switch market is Cisco and HP ProCurve.

It then goes on from there to talk about Juniper's new ability to perform access control at layer 4 with identity based access control with ACLs in addition to VLANs. You can perform QoS as part of a user's access rights and they can mirror traffic and send it to a Juniper IDP for post-admission NAC. Juniper wants to evolve NetScreen Security Manager into a central policy-control platform.  This is all great stuff, however it ain't new.  My research shows that HP ProCurve (the 2nd leading switch vendor) actually does much if not all of this right now. Using the ProCurve IDM (identity driven management) application, which is now bundled on ProCurve's NAC appliance with their NAC application, they can do this already. They can do the QoS thing as well as sending the traffic to several IPS brands.  In fact a close reading of ProCurve's security capabilities shows that there is little if anything ground breaking in what Juniper is advocating and what these analysts seem to be eating up.

Yes, Juniper's entry I think does spell C-O-M-P-E-T-I-T-I-O-N for the likes of Nevis and ConSentry (sorry Dan and Dom), but that is not what Juniper is in this game for.  They have to keep their eye on the prize. And the prize is taking market share from Cisco and HP ProCurve.  If this is all they got, I am going to have to agree with those folks who are asking Juniper "where's the beef?"

January 31, 2008

One of the cool things about my job

Like anyone else there are some days where I just ask myself what am I doing.  Daily frustrations, the world not moving at my speed, my atrocious spelling and grammar mistakes all serve to have me ask myself if there is not a better way. However, there are other moments when I positively love what I do.  I think the key is making sure those moments outweigh the times you just feel like packing it in.  If not, it is probably time to pack it in.

Anyway, where was I? Oh yeah, one of the cool things I like about my job is talking to the various analysts and talking shop about the industry.  You know the kind of chit-chat, did you hear about this one or that?  I enjoy the give and take and have made some great friends over the years with the analysts I meet. Today I had the chance to speak with Derek Brink over at the Aberdeen Group, who are conducting research on how companies enhance their enterprise security based on the principles of trusted computing and the use of Trusted Platform Modules (TPMs). If you’re interested in this topic and want to contribute to the research by taking the survey (here is the link: http://www.aberdeen.com/survey/tctpm), you’ll be able to see how your experiences in this area compare with those of your peers, benchmark your performance, and see how you can achieve “Best-in-Class” results. End-user participation is a vital part of their research process, and serves as the foundation of Aberdeen’s reports. They’ll even provide you with complimentary access to the final benchmark report when it publishes at the end of February.

Derek is a very nice guy and very interested in what is happening with the NAC and 802.1x market.  If you want to help shape policy and public opinion this survey is a great way to do it.  I am going to try and get together with Derek in person.  In the meantime speaking to him today was enough to remind me why I love what I do!

The Emperor's New Clothes

The other night I was reading Hans Christian Andersen's classic "The Emperor's New Clothes" with 6-year-old Bradley.  Bradley cracked up that the king was walking around naked.  I was reminded about how no one wants to be thought of as ignorant or not fit for their job, so they will say and do things that they think other people want to hear.  It is a great, timeless story.  Today, I had my own emperor's new clothes experience.

For the past several days I have been writing about this whole Barracuda-Trend Micro affair.  In several articles I used the word Calvary. I was talking about the soldiers riding in on the horses.  Every time I wrote it though I kept getting visions of a cemetery out on Long Island.  Finally, someone had the gumption to write me today and tell me that I meant cavalry, not Calvary.  Well I certainly felt like the emperor with no clothes!

I apologize for my butchery of the English language.  I am also grateful to Jack Walsh for pointing out my error. To the rest of you I ask:  (fixed after the fact) Were you not reading? Were you afraid to be wrong, so didn't want to say anything?  Did you not realize that this was wrong? Or perhaps you just took silent satisfaction in seeing me mess up?  In any event below are the definitions of the two words. I was right, Calvary is the place where the crucifixion took place and there is a cemetery in Long Island by the same name.


Cal·va·ry /ˈkælvəri/ [kal-vuh-ree]
–noun, plural -ries for 2, 3.
1. Golgotha, the place where Jesus was crucified. Luke 23:33.
2. (often lowercase) a sculptured representation of the Crucifixion, usually erected in the open air.
3. (lowercase) an experience or occasion of extreme suffering, esp. mental suffering.

cav·al·ry [kav-uhl-ree] –noun, plural -ries.

1. Military.
a. the part of a military force composed of troops that serve on horseback.
b. mounted soldiers collectively.
c. the motorized, armored units of a military force organized for maximum mobility.

2. horsemen, horses, etc., collectively.

Further reflections on Trend, Barracuda and open source

Over the last day I have had more of a chance to think on the Trend Micro-Barracuda patent war.  I have also done some more research and reading on this one.  In my earlier article I said that this is not about open source so much as it is about gateway anti-virus.  Upon further reflection though I am not as sure.  Here are some other facts to consider:

1. ClamAV may have as many as 1 million users downloading updates daily. This makes them at least potentially a formidable competitor to Trend.  One that I am sure Trend would like to see go away because they can't compete with them on price.
2. Going after individual users of Clam would be like herding cats.  There is no way you can hit them all.  At best you may get a few high profile cases.
3. Barracuda has deep pockets. Instead of herding cats, go after one fat cat who has deep pockets to pay you the kind of money you want and send a message to the rest of the cats that they could be next, so either use another AV (like Trend for instance) or pony up some fee for patent use.

In fact the above scenario is not terribly different than the recording industry going after Napster. It was easy to go after one relatively fat cat, rather than herding and chasing a bunch of smaller cats.  In fact the recording industry has given themselves something of a black eye by going after poor grandmothers and children for illegal downloads. I think Trend tries to avoid the same type of black eye by saying this is not about open source but just AV. It is about open source.  They just don't want to be perceived as going after open source and don't want to chase the small fry. But do they want ClamAV as a competitor? Probably not.

4. Trend's decision to pursue this in the ITC seems abusive.  Barracuda does not import the ClamAV software. It is downloaded from servers here in the US. The servers are assembled here in the US as well.  This case does not belong in the ITC and should be thrown out of there. It may have served Trend well with Fortinet who was importing their products into the US, but it is the wrong venue for this suit.

All that being said, I think that this more than ever still demands that Sourcefire as the owners of ClamAV step up to the plate here. If I was a paying customer of Sourcefire for Clam and was subject to a patent infringement case, I would expect them to defend.  I think the fact that Barracuda does not pay them today evidently for the use of Clam is not reason enough to let Barracuda take the brunt of this battle on.

Also looking at the proof gathered, I think there is a better than even chance that this patent will be thrown out. If so Barracuda will have done the open source community and the gateway AV industry a huge service.

January 30, 2008

Play Ball!

I can't help but be a little excited about the start of baseball season tonight.  That's right, baseball season.  I live in Florida, the land of the grapefruit league, and both of my sons' Little League teams kick off practice tonight.  I know you are thinking that the Super Bowl isn't even played yet, but need I remind you it is but just about 2 weeks from pitchers and catchers reporting to spring training.

Of course the fact that I coach both of the boys on their teams makes it more exciting for me.  My youngest son Bradley will be in modified coach pitch again, so I get to toss the balls to the kids to hit.  No outs, everyone gets up and goes out in the field.  It is hard keeping 5 and 6 year olds focused on the game.  My oldest son, Landon, makes the jump to real baseball this year in the rookie league. Though only 8 he is in with 9 and 10 year olds with the kids actually pitching.  I am hoping for a great season with both of them!

As much as I love football, there is something about baseball in the air that gets the blood flowing.

A golden nugget of a security blog

A couple of weeks ago I followed a link and wound up on a blog called Security Uncorked, JJ's complete unofficial guide to Infosec.  Though it was a fairly new blog, the person writing it obviously was a pretty hands on security practitioner who knew what they were doing and was doing a good job of writing about it, with some good tips and tricks.  Further investigation revealed that the blog belonged to Jennifer Jabbusch. I don't know a lot about Jennifer other than what she has up on the blog, but she is obviously very deeply involved in nuts and bolts information security and has a great writing style.

The first thing I did was contact her about joining the Security Bloggers Network, which she promptly did.  I thought she was an excellent addition to the network. Since then I follow her blog and though she doesn't write often enough, her articles are quality work.  I hope to have her as a guest on the podcast soon.  But I wanted to call this blog out to all of you to check out, it is good stuff.

January 29, 2008

Who wanted to know about Juniper's new switches supporting NAC?

For an in depth review of how the new Juniper switches work with NAC, check out what Mike Fratto has up on his blog at Network Computing. It pretty much sums it up and nothing more for me.

It seems the calvary was held up at the Little Big Horn, oh well

Just a little while ago I wrote about the Trend Micro - Barracuda Networks legal tussle where Barracuda is accusing Trend of patent trolling with its controversial patent '600.  I asked why Trend didn't go after the big boys. I wanted to know where the calvary was coming to the rescue here, not leaving Barracuda to fight this fight alone.  Well it takes a big man to admit he did not know all there was to know on the subject.  As several folks pointed out to me, Trend has in fact sued both McAfee and Symantec over this very same patent. Though I have not been able to find anything that points to the outcome of this suit, it makes the most sense that probably there was a quiet cross-licensing deal worked out with some cash changing hands. Symantec and McAfee were not the only ones to be sued either. According to this article, Fortinet actually had a disruption in its distribution as a result of an ITC investigation instigated by Trend (the same tactic they are using here), and then totally redid their AV module to avoid any technology that could be deemed to violate the patent in question. This article claims that several companies have been sued in the past and have settled out of court, despite never admitting to the validity of the patent.

I guess that means that Trend must be working out reasonable terms with these companies and begs the question, why didn't Barracuda take a deal?  Dean Drako claims he was never able to speak to someone to work out a deal, but who knows at this point. What does seem clear is that Barracuda has done some real research in trying to have this patent overturned.  If Dean and Barracuda are successful in doing so, more power to them and another blow struck against silly patents.

Now what about the rest of the calvary? It still seems to me that this is too important an issue for Sourcefire who owns Clam to be sitting on the sidelines.  I am still waiting for them to join the fray or has Trend already scalped them too?

Barracuda defends open source AV from Trend, where is the calvary?

For those who don't know, Barracuda is involved in a wicked patent fight with Trend Micro over the use of Clam AV gateway anti-virus. It seems according to a 1995 patent issued to Trend Micro, they claim that virtually all gateway AV that removes viruses as they move through SMTP or FTP proxy servers is covered under this patent. Barracuda uses the popular, open source Clam AV product in their appliances and Trend says their use violates the patent.  Evidently this little tiff has been going on for some time, with Trend filing a complaint with the US International Trade Commission in addition to the conventional law suits. Trend also claims that their position here is well established and several previous suits and claims have been upheld including a settlement with Fortinet (does Fortinet use Clam AV too?).

My position is that this is a perfect case of why so much of this patent stuff is just full of beans.  How can Trend have a patent on gateway AV?  If they do, why are they wasting time piddling around with the likes of Barracuda?  Why don't they go after the big boys like Symantec or McAfee? Something tells me there is a reason why Trend does not.  Either they are not as confident in their claim as they make out to be or Symantec and McAfee know something that the rest of us don't.  Maybe they have proof of prior use before the patent was filed.

Many in the open source community including Richard Stallman (no surprise there) and Eben Moglen of the Software Freedom Law Center have joined in to support Barracuda in this legal battle.  Barracuda is in fact very much painting this as an attack on open source and looking to the community for support.  Trend for their part says that this is not about open source or even Clam AV, it is about filtering viruses pursuant to the techniques they patented.  Again, my view is I don't think Barracuda is doing anything different than other ClamAV users.  Though Trend's claims may go to all gateway AVs, clearly this is about Barracuda using Clam and about Clam.

So here is my question: Why haven't we heard from the owners of ClamAV? Sourcefire bought them in August I thought.  This could affect them as much as anyone. They are big supporters of open source and as a public company can bring resources to bear on this.  Why have Marty, Wayne and gang been silent on this?  I would think they should be leading the charge here and standing up for their product.  Leaving Dean Drako and Barracuda to fight this fight on behalf of the Clam community is not fair and also could have repercussions down the road for Sourcefire without them being involved. Is it that Barracuda is not paying for their use of Clam?  I don't know what the answer is but it will be interesting to see how this plays out.