StillSecure, After All These Years

Over the weekend I wrote an article about what a Yahoo shareholder would do with a copy of Steve Ballmer's letter to Jerry Yang. Well, it didn't take very long for a class action law suit being filed, led by two pension funds. Attorneys for the pension funds said, "The actions taken by Yahoo's CEO this past weekend confirm that the company's board of directors pursued all manner of value-destructive third-party deals to fight off Microsoft's bid". The attorneys further claim that Yang never negotiated with Microsoft in good faith.

Not everyone thinks this way about the deal though. Steven Vaughan-Nichols over at ComputerWorld thinks that business textbooks in 2025 will show that Microsoft's slow collapse will be accelerated by Steve Ballmer blowing the Yahoo deal. I think he is wrong. I think business classes will look at Yang's failure to lock this deal up for such a premium over current price will be studied as not only a blunder but a classic case letting ones pride and ego get in the way of what is best for the shareholders. I think in addition to the lawsuits, look for Wall Street to now start punishing the stock as well. I stick with my prediction, Yahoo has no where to go but down. They will wind up getting acquired for significantly less within 24 to 36 months.

As you probably know Microsoft has officially withdrawn their offer for Yahoo.  I had a look at the letter Steve Ballmer sent to Jerry Yang officially withdrawing the offer and offering his reasons why. Must say that it is rare that a document like this is made public.  I must also say that if I were a Yahoo shareholder, it would be a key piece of evidence when I sued Jerry Yang and the rest of the Yahoo board and management for not accepting Microsoft's generous offer.

What I found particularly disturbing (as did Ballmer and Microsoft evidently) was Yahoo's threat to basically outsource their search advertising to Google if Microsoft pursued proxy fight takeover.  Talk about cutting off your nose to spite your face!  That would be suicidal for Yahoo, but just goes to show you that Yang and gang had a no Microsoft at any cost strategy.

With the passage of time I think this will be looked on as a terrible mistake by Yahoo and at some point in the next 24 to 36 months they are going to be acquired for a lot less money.  They cannot compete with Google alone, they have not executed well for years and this will force Microsoft to do something else to become more competitive in search. 

Back in February I wrote about how much I liked Xobni for Outlook. Now Fred Wilson reports thats Microsoft has bought Xobni. Fred is linking to this Techcrunch article on it. Though it is still sketchy at this point, I think it would be a great pick up for Microsoft. After using it for a few months, I find it very useful. I think picking it up now, while still in beta is a cheap deal for Microsoft and will save them a ton of money having to buy it later!

Congrats to the team at Xobni for building a product that had obvious appeal.

Anybody remember that slick marketing line?  You are a winner if you picked OS/2. OK I will admit it, I was an OS/2 user. I liked it much better than Windows 3.1 and used it even after Windows 95 came out. I still think it was a superior product to anything that the guys from Redmond put out.  Why don't we all run OS/2 today instead of Windows?  Good question, I ask myself that all the time.  Some say it is because Microsoft used strong arm tactics to persuade ISV's from developing apps for OS/2.  That may be true, but for me the real problem was IBM's strategy was instead of fighting the fight to get OS/2 apps developed, they said go ahead and run Windows and DOS apps on OS/2, we can run them better.  They could, but at the end of the day they were still Windows and DOS apps and this gave Microsoft an inherent advantage that could not be overcome.

I was reminded of this today while reading an article in eWeek by Joe Wilcox on how Microsoft is in so much trouble and how nobody is using Vista (better not tell the 100 million or so users of Vista that). Joe points out the recent Gartner report that says Microsoft is headed for a train wreck around 2011 or so because Windows is vulnerable (to competition that is, not necessarily to vulnerabilities.  Well actually it is vulnerable to those too, but that is for another blog).  Not to be outdone by the G-men, straight off the shrimp boat the Forest-er Gump crew come out with a pair of reports (here and here), that detail Vista's adoption issues.  The net of one is that while tech folks see the benefit of upgrading to Vista, it is a tough sell to the CIOs and CFOs of the world.  Many according to the article are saying they will wait for Windows 7, whenever that comes out.  I don't buy this myself. I remember similar talk when XP came out. 

Where I really disagree with Wilcox though is his comments regarding Mac OSX replacing Windows in the enterprise:

I disagree that Mac OS X is no alternative, particularly when businesses must swap out hardware anyway and Exchange-supporting Office 2008 is available. Mac OS X nicely plugs into Active Directory. I don't expect massive conversions to Mac OS X, but I strongly disagree with contention that it's "simply not a viable option."

What will enable this Mac revolution? Virtualization according to Wilcox and those who believe as he does. This is where they step in the footsteps of OS/2 before them.  If OSX is a better OS, fine. But don't fool yourself. If you are going to rely on Microsoft Exchange, Microsoft AD and other Microsoft server products plus Microsoft applications and you are going to run your Mac hardware running Windows in a virtual hypervisor on top of it, you are just a "better Windows than Windows" but you still run Windows.  Microsoft will use its stranglehold on the applications to make sure that they run better, faster, cheaper on the real Windows.

Gartner, Forester and Joe Wilcox miss the point here.  Windows will not be in serious danger of losing its preeminent position on the desktop until there are enough applications that run natively on another OS and don't run on Windows.  I don't see many application developers willing to walk away from the Windows market for that to be a reality.  That makes desktop Linux, Mac OS and the rest just more OS/2s.

Among the many appointments yesterday was a quick lunch roundtable hosted by Microsoft about blogging.  Some of the folks from the Microsoft research team wanted to better understand the art of blogging. Who better to ask than some members of the Security Bloggers Network.  Several of us had a chance to talk about why blog, what we think makes it successful and what Microsoft can do to make their blogs successful and useful. We will see what becomes of it.

The point for me is that Microsoft, the monolithic empire is really seeking to understand blogging and how to do it right.  This is a very different company and attitude from the we know everything attitude many of us saw from Microsoft years ago.  It almost makes you want to pull for them to succeed!  Lets see how it works out.

I had an interesting meeting with Microsoft on NAP the other day.  While, I think you would have to pretty delusional to not realize that eventually NAP will dominate pre-connect health checks of devices, I was surprised at the "Microsoft-ease" they still speak about around NAP. First of all they insist that NAP is not a product or even in deference to my friend Hoff, a feature. Instead NAP is a platform. Implying that other products will run on top of it. Next they again reiterated what we have heard before, that NAP is not a security tool, but just a real estate play.  Enabling devices to be up to spec.

My take on this is I don't know if the Microsoft folks are being disingenuous regarding these two points or just are they that naive?  My gut tells me that Microsoft is usually not naive.Yes, third party vendors can show that they can add more tests than NAP will have. Yes, you can use SHVs and SHAs, but how much are people really going to value them?  You can take the information it generates and do some reporting around it. But lets be clear the NAP "platform" is most certainly going to be used as a product. 

It will be used as a product, it will be a security product at that.  Configuration management could be said to be borderline security by some.  But when you add the ability to deny access to those not up to snuff on configuration, I think you have clearly crossed the line into security.  I think Microsoft would come of better saying that NAP is not meant to keep out the determined hacker, but saying it is not a security tool just doesn't ring well.

So what is the rest of the NAC vendor world to do?  Should we all pack up and follow Vernier and Lockdown to the next cool thing?  No, not at all.  I think there are exciting opportunities at hand with NAP. Yes it is a security product, but it also is an enabler for more NAC features. The successful NAC vendor has to figure out what those are and capitalize on them.  Also NAP is all about health checks.  Post-connect, identity based NAC and other NAC  features can be used here to enhance the health checks.  Overall NAP will drive the NAC market to move beyond just health checks and that will be a good thing for the NAC market and customers.  But guys lets be real, it is a security product!

Over the past few weeks there has been a ton written about Windows Server 2008 and the brave new world of NAP. It seems like every NAC player who had a half-baked NAC implementation is now counting on NAP's on device agent, policy server and enforcement to make their solution whole. Basically many of these solutions, especially the host based variety are just going to provide more tests for NAP and lets Microsoft do the rest. I think the market may want more than that, but that is a blog for another day.

The single biggest factor in my mind holding up adoption of NAP is who is using Vista and Server 2008. The short answer is not many people yet. Yes in the higher education market, where several NAC vendors live or die, there is a lot of Vista because students with new laptops are coming into school with their shiny new computers. But these same universities generally are not the first ones to upgrade to the latest version of Microsoft Server software. On the commercial side of the house, Vista is just not a factor yet. In fact many customers we speak to are no where close to be ready to support Vista. So if Vista is a pre-req for NAP, we won't see NAP as a major factor until 2009 and probably later in the year at that.

However, Tim Greene points out in his NAC newsletter today, that the long anticipated XP SP3 is now due out soon. This will include a NAP client for XP. This will bring NAP to the masses. Also as Tim points out, once the NAP agent is out there, you don't necessarily need to use Windows Server 2008 to implement a multi-vendor NAC solution. You could use a TCG/TNC compliant policy server instead. This all sounds great, but here is my one caveat. When is soon? We have heard this from Microsoft before. Remember when Longhorn was supposed to be out in 2006? 2007?  Vista itself was very, very late. This type of freezing the market with the promise of an imminent release is SOP it seems.

So if you really want to get me excited about XP SP3 and NAP, give me some hard dates on when it is real!

I saw an article up in ComputerWorld by Greg Schaffer today called NAC: now or later. I have spoken to Greg several times so wanted to see what he had to say.The article was about NAC standards and mentioned and quoted Steve Hanna (can you have an article on NAC standards without Steve?) and for the first time that I have seen in print, Mauricio Sanches from HP ProCurve. I have met Mauricio at some TCG events and such and think he is a pretty sharp guy about security in general and NAC in particular. Frankly though, the article was about what you would expect in an article on NAC standards.

On the second page of the article I came across this insightful quote, "Microsoft Server 2008 will go a long way towards adoption of NAC" says Shimel, who adds that the proliferation of NAP "is going to really help the TNC standards course." Now how is that for prophetic, huh? Doesn't take much of a crystal ball to to see that one coming does it? What was I thinking? Than I remember that I had spoken to Greg for this article some time ago. At the time I said this NAP still seemed very far away and who new when Server 2008 would come out (OK 2008 would have been a good guess). That just goes to show you that when you read some articles with quotes from people, you really don't know when those quotes were given and have subsequent events rendered them irrelevant or painfully obvious.

On the other hand I wanted to mention that Microsoft's launch this week of Server 2008 has certainly seen many people jumping into the NAC band wagon. Sort of looks like a pick up truck driving by one of those corners where "undocumented workers" wait for work with a help wanted sign displayed. While I still think NAP is going to be a linchpin in NAC adoption, it will be interesting to see how some of these folks pledging enhanced NAP functionality fare over the months to come. To be fair I have to say that we are NAP partners ourselves with Microsoft and have our own plans around NAP support and extensions. My prediction is that some of these folks will find out that NAP doesn't leave them enough of the pie to live on and they will quickly start complaining about Microsoft relegating them to the dark corners.

In the meantime the real question is how long is it going to take for customers to roll out Vista, Server 2008 and NAP. My prediction is not really until the 2nd half of 2009. So says Shimel the NAC prophet.

A couple of weeks ago Parag Khanna had an article in the NY Sunday Times Magazine called "Waving Goodbye to Hegemony". I thought this was one of the most important and enlightening articles I have read in years.  For me it crystallized up my own thoughts about what is going on in the crazy world we all live in. The gist of the article is that over the first decade of the 21st century we have seen a fundamental shift in the distribution of power in the world.  While we were busy fighting a crusade, the so called peace dividend of the post-cold war "new world order" never materialized and the unipolar American hegemony that was going to bring peace, prosperity and democracy to the world never materialized.  Instead we find ourselves increasingly in a multi-polar world with two budding new superpowers (could Europe and China really be new?) - the European Union and China, competing very successfully, filling the vacuum we have left in many parts of the world.  There has been no lessening of violence or new golden age of mankind. Instead it seems like more of the same old, with the peoples of the world vying for more and more scarce resources.  The only thing for sure is certainly we are all interconnected economically more than ever.  This presents its own unique challenges and strategies. Who knows how the rest of this century will play out and whether or not it will be another "American Century" or not.  My blog is also not the right forum to explore my feelings on this topic either.

However, while reading an article in InfoWorld by Galen Gruman today on whether it is "Time to dump Windows", I was struck by the parallels (no pun intended with the Mac VM program which enables so much Mac adoption) between Microsoft and the US.  Like the US, about 10 or 15 years ago Microsoft was officially declared a monopoly.  It was the one true superpower of IT. Yeah, Larry Ellison and Scott McNealy could tweak Bill's nose and drive fast cars, boats and planes, but lets face it they were midgets compared to the Redmond giants.  Microsoft rolled over competition like Lotus, Wordperfect and Netscape the way we did Mexico in the US-Mexican war. They even invested in Apple to prop them up as a potential rival like the US did in setting up banana republics. By the late 90's did anyone in the mainstream dare to speak out in public about Microsoft being potentially vulnerable and competing with them? Quite the contrary, companies who found out that Microsoft was entering their space would roll over and die.  I didn't think I would live to see in my lifetime so much talk of Microsoft being a dinosaur and not able to compete.

But as I wrote about last week, it seems articles like Grumans are the topic du jour. It is quite fashionable to say that Microsoft's time as the undisputed alpha dog may be drawing to a close.  They are under attack via the SaaS/Web 2.0 space from Google (and who knows what a Google dominated world looks like, it could be the frying pan to the fryer), their OS monopoly is being eroded like a bite out of the apple everday by shiny silver laptops and sleek wide screen monitors.  On the server front, Linux continues to capture share. The specter of thin clients running some java based non-windows OS still hangs out there.  The list goes on and on.

So is it the sunset of the American dynasty and Microsofts?  I think not.  As I wrote earlier, rumors of their demise are pre-mature. Yes, all things change and one company or country (or political party or sports team for that matter) cannot dominate forever.  But just because viable competitors come to the fore, does not mean that great companies or countries shrivel up and die.  In fact good competition can drive these old dogs to learn new tricks and become greater than ever.  I for one would not vote against either Microsoft or the US in the coming years continuing their pre-eminent positions in the world.

I am a child of my times (OK not quite a child anymore, but I still think of myself as a kid, don't you?). In my time there were only two evil empires, the USSR and Microsoft. I lived to see one of those empires crumble from within, but I never thought I would see both fall. I came into tech at the tail end of the Big Blue - IBM dynasty. For the most part there has been only one dominant champion in tech who has rolled over all competitors.  That is not to say I think of Microsoft as evil.  I think they were very heavy handed and used their monopolistic position to their greatest advantage, however they have also brought many positives to the IT world over their years.

So it is with a certain amount of shock and disbelief that I read reports of Microsoft losing their grip or Microsoft Live being a miserable failure and not able to "save" Microsoft.  Please people, give me a break.  Talk about crying with two loaves of bread under each arm! Microsoft is not going anywhere.  Yes Google makes a lot of money with search and ad revenue.  Yes, Microsoft does not have a search product to compete and trying to buy Yahoo is a lame effort of taking two also rans and putting them together to take on the leader.  But there is much more to the machine that is Microsoft than search.  Also it remains to be seen if SaaS office type applications will every overtake PC based office suites.  Microsoft's play of combining SaaS with functionality from their suite being on the box offers many advantages to pure SaaS.  But look at the chart to the left, that kind of revenue does not disappear. 

It is natural to root for the underdog and we have been so used Microsoft being unbeatable, that Google appearing as the "great white hope is also natural.  But are we know going to cast Microsoft as the underdog here?  Have their fortunes sunk so low that we think they are lost?  I think not.  A company with the assets of Microsoft will continue to make their presence felt.  Just as the US could not remain forever as the only super power and has to play in an increasingly global community, Microsoft will play in a global community of software providers.  But they will still be a giant among men for a long time to come!

InfoWorld has started a site called SaveXP.com. It is dedicated towards convincing Microsoft to extend the current deadline for selling XP beyong June 30th. Complete with a countdown clock they have prepared a petition that almost 80,000 people have already signed. When it reaches 100k signatures they will present it to Microsoft.

The site is organized as a blog with links to different categories of stories on the subject from InfoWorld and other sources. Many of the stories are geared towards why people don't like Vista.  I don't remember seeing this kind of outcry for earlier versions of Windows.  I think it says a lot about Vista at this stage.  I personally don't run Vista on my own machines and in my limited experience with it was less than impressed. It seems that this might be a popular opinion.  So if you want to see XP availability extended, head on over and be heard.

and Sears ain't no Microsoft and Yahoo! ain't KMart. Robert tries to make an analogy of Microsoft's bid for Yahoo and Sears buying KMart.  First off Robert, you should no that the Sears/Kmart deal was not so much about retail shopping and more about the real estate that both organizations owned. That was the reason for the high stock value.  But lets be clear Robert, though Google may own the search business, neither Microsoft nor Yahoo were exactly hurting.  In fact Google at best has an uphill climb to knock Microsoft down from anywhere.  Anyone who has used Google Apps can tell you that. 

Yes search is a cash cow for Google, but they have to use that cash to take on Microsoft on Microsoft's own turf - applications, OS, etc.  In the meantime Microsoft is into everything from game consoles to set top boxes and automobile software. Google in the meantime has not proved that it can monetize anything beyond search. But to be fair search is a part of this. By taking Yahoo's search business and combining it with MSN it puts pressure on Google to keep innovating in search. it pins Google down on that and could de-focus them from competing with Microsoft on other fronts.  Also, base on Google's latest financial s and stock price maybe we have seen the peak of paid search? Not to say Google is hurting either.  You are talking about an online war of behemoths in which search is one small part of the eyeball game.

It will be interesting to see how it plays out and whether Microsoft can in fact absorb an acquisition the size of Yahoo.  They have not done one this big before.  But lets be clear and lets not kid ourselves. Microsoft/Yahoo is a far, far cry from Sears/Kmart.  Now in the meantime, let me go look for the bluelight special.

Mitchell has an article up on his Microsoft subnet blog asking if NAP is ready for its awakening.  I had visions of Bill Gates kissing the NAP sleeping beauty and awakening her from her slumber.  But NAP hasn't been sleeping, it instead has never really been born!  Mitchell has some of the facts wrong here as well. I don't think the NAP client came out with the original XP SP2, it might have been a hotfix recently though. But given that other than Microsoft themselves we have seen zero NAP installs.  In fact for all the hoopla, we have not seen many customers using Vista at all except for Universities where students bring it in. I was talking to one security admin at a medium enterprise yesterday and said that the June deadline for MS to stop offering XP was way to soon, as they will never be ready for Vista by than.

In my mind, rather than sleeping beauty waiting to be awakened by Prince Charming's kiss, NAP is more like an ugly frog hoping to kiss the princess and turn into a prince.  Microsoft has done an artful job of freezing the NAC market by pre-announcing NAP all those years ago.  When people talk about NAC adoption being slower than expected, I think the single biggest factor is the "waiting for Microsoft" factor.  At the end of the day by the time NAP is finally adopted (and don't think just because Windows Server 2008 is released the floodgates will open) I think the NAC market will have evolved far beyond the rather rudimentary functionality that NAP offers.  But my mother did not raise a fool.  NAP will capture its share of customers because it is from Microsoft and it is free.  Every NAC vendor has to come up with their value proposition on how it complements NAP or they can start dressing for the funeral. 

All in all though, I think if NAP wakes up soon, it won't be getting out of bed until 2009 or even 2010.

When it comes to Microsoft, I am not alone in wondering what is next.  With Bill Gates retiring (click here for a great video on Bills retirement), more people using Macs then ever and almost universal grumbling about Vista, how will Microsoft retain its dominance and fight off Google and the rest of the pack? I read an article today that gives us some insight into how. It talks about Microsoft's plans for video ads on the shopping carts you use at the supermarket.

When I first saw this article my first thought was, "great, just what we need, more ads in our lives". So this is what they were going to do with the aQuantive technology they paid 6 billion for? But the more I read, the more impressed I was. Yes the serving of ads is a vital piece of this technology, but it goes far beyond that.  It starts with you registering your supermarket loyalty or discount card on the web.  Then you can actually type up your grocery lists on the web.  When you get to the market and get your smart cart (a whole new meaning of shopping cart and e-commerce), you swipe your card and your grocery list is automatically displayed on the carts console.  The carts have RFID technology that will allow it to sense when you are near any items on your list and alert you.  As you put the items into your cart, you scan them you are given a running tally and the items are marked off of your list.  Checkout is a breeze at that point. You just swipe your credit card and off you go. Pretty damn cool if you ask me!

The ads will be targeted based upon where you are in the market and your past buying habits.  Yes, it is a little big brother and the potential to bombard with ads could make this whole thing to annoying to use.  But I think the potential to revolutionize the way we shop in the supermarket is amazing.  The ShopRite supermarket on the East Coast is going to test the system soon.  Next time I am up in the area I may check it out myself!

OK, back from yet another road trip (hopefully the last one of the year). Microsoft is making good on one of their promises around NAP.  They always said that they would retro-fit NAP onto Windows XP.  Frankly with the corporate adoption of Vista being so slow, if NAP was not on XP, NAP would not be of much use at all (even with the Mac and Linux agents available).  Well according to this article in APCMag, the quietly announced release candidate of Service Pack 3 for XP contains the highly anticipated NAP client.

I am downloading it now, but without Server 2008 (also in final public release candidate) or a TCG policy server, there is not much I can do with it. In any event, it does show that Microsoft is making good on its promises around NAP and XP.

Blogging this while waiting on the phone for a Microsoft Live One Care technical support person.  I have been on the phone for about 25 minutes, oops someone just picked up, hold on. OK I am back.  The friendly Microsoft technical person, David has me on hold while he researches my problem.  He doesn't sound like a Dave though.  I know that outsourced call centers like to have their people use Western sounding names to make us more comfortable, but frankly I always feel like I am talking to some dancer at a strip club who tells me her name is Kitty or something.  I would perfer they use their real name.  I am a big boy and can deal with it.

Anyway, back to the story. I had installed (and paid for) OneCare on Bonnie's computer a while back. For the most part it has been fine, but frankly Bonnie doesn't get into many high risk activities on line. I knew I was in trouble though a while back when I asked my youngest son Bradley (5 at the time) what he was doing on the computer and he told me he was "Googling".  Then just a few weeks ago, my oldest son Landon told me about this cool 3-D screen saver of fishes he can get for free.  I knew we were headed for trouble.

Anyway tonight I noticed the little green one care icon was no longer in the tray.  My security center was in the red with firewall and AV off. When I manually tried to start OneCare I got an error message that said to restart the machine.  I did that, same problem.  Then I uninstalled OneCare (another reboot) and installed it again.  Same problem.  When I tried to start the service I get another error message. So I log onto the OneCare help site and follow the automated FAQ, useless.  I then try to do a live chat with support after figuring out how to log in to my account (they don't make it obvious). The chat asks to run a diagnostic to help which takes another 10 minutes.  Then the chat client loads only half way and freezes.  Back to go, don't collect the 200 bucks!

Now I log back into help and pick 24 hour phone support.  Same diagnostic gathering takes another 10 to 15 minutes and they give me a phone number and case number.  25 minutes minutes I am on the phone on hold and finally Kitty, I mean Dave gets on to help.  Dave tells me he is going to log into my computer (BTW I find out Dave's name is Jesus, I would have been fine with that).  He logs in with my permission and after 3 or 4 or 5 reboots and checking he confirms it was a corrupted file that he had to reinstall which he did.  Bada bing, badda boom, we are all fixed and good to go. We than rechecked everything and its all good.  While we are on the phone I talk him into downloading Cobia and playing with it, hey ABC (always be closing).

So while the whole thing took over an hour and a half, Dave from Manilla did a heck of a job.  What started out as bitch rant about Microsoft's OneCare support doesn't end that way and as they say in Manilla we have a "happy ending".  Now lets hope it keeps the computer protected from the next thing my kids play with!

Saw an eWeek article by Peter Galli today that just struck me as off. It is a report from TechEd IT Forum in Barcelona about Microsoft NAP.  The title is Microsoft adds NAP for Linux and Mac, but the under title is " Network Access Protection is now deployed in more than 150,000 desktops worldwide, including 70,000 at Microsoft".  The whole article is on the Linux and Mac NAP stuff except for almost a footnoted afterthought at the end right before an ad for eWeeks Security Center and says that NAP is now deployed by more than 150,000 desktops, including 70,000 at Microsoft and points to a Microsoft case study detailing this. I think it great that Microsoft has pushed NAP to all of its desktops and another 70k of its closest friends and relatives, but why make this a secondary title of the article and give it no play?

But back to the main gist.  If you all remember when we last left our hero, Microsoft, they said they were going to "license and make available" the code to develop NAP clients for non-Windows OSs.  It seems true to their word that they in fact have.  Two companies, UNETsystem and Avenda Systems will release NAP products for Linux and Macintosh next year.  UNET will will release both Linux and Mac versions of its Anyclick for NAP and Avenda will release Avenda Linux Network Access Protection Agent.  A third company, Celestix Networks will be releasing an appliance the the NAP policy-enforcement platform, shortly after Server 2008 and ships.

Here is where I smell something fishy though.  First of all there is no mention of what the Celestix appliance will do or why one would want that over Server 2008.  Second as to UNET and Avenda, Paul Mayfield (who I know and is generally an upfront guy) refused to give any specifics as to what these non-Windows NAC agents would test for.  Obviously, it ain't Windows Hotfixes or Windows personal firewall, and most Mac and Linux users don't run anti-virus.  Last I checked, that about exhausts NAPs out of the box health checking.  They might check identity and services or ports, but I think you may need their own NAP policy server for that.

Here is what I smell.  I think Microsoft wants to show they are playing nice on NAP.  They want to show they have followed through on their promise and there is NAP for Macintosh and Linux.  The pickings are kind of slim, but hey mention 150k desktops using it and trot out a couple of half-baked examples and some reported will write it up as we want to. 

I think Microsoft would have been better off trotting out some TCG/TNC stuff.  Show a TCG vendor that has a policy server and agent for Linux and/or Mac and show it inter-operating with NAP.  OK so maybe it would not have proven the NAP on Linux and Mac stuff, but I think it would have showed some real functionality.  Absent more information, what this article does show otherwise is not much!

Like I said earlier, it is if someone is willing to pay it.  And that appears to be exactly the case, as Microsoft according to reports have ponied up 240 million for a stake in Facebook that values the company at about 15 billion dollars. I guess the fact that Google was supposedly courting Facebook as well might have driven up the price.  Could it be Microsoft paid the money just to keep it out of Google's grasp?  I don't know but someone is making a lot of money here. I just don't see the justification for that kind of valuation. 

I am sure there will be a lot of pundits on both sides of the argument over whether this was a wise investment or not.  I think that this is just more proof of some good old "irrational exuberance" taking hold in the tech industry.  Hey maybe its not a bad thing.

Hot on the heels of the CapGemini announcement to offer and support Google Apps, comes word that IBM is officially joining the OpenOffice.org community. Big Blue will start contributing code to the project and tightly integrating their Lotus Notes applications with OpenOffice apps.  It seems this may have a lot to do with the recent ISO decision rejecting Microsoft's  Open XML format, while supporting OpenOffice's ODF format.

In any event, IBM's support of Linux was a pivotal factor in Linux gaining critical mass. Their support of OpenOffice could signal a new assault on the Microsoft Office franchise.  Certainly between Google and OpenOffice, Microsoft is fighting a two front war to maintain their Office suite market share going forward.

With a tin ear for customer sentiment, Symantec's CEO says consumers are paying less for security products and John Thompson says Microsoft is to blame, according to this article in Network World. And this is a bad thing because?  The Symantec CEO trots out the "M" word to describe Microsoft's pricing scheme.  He says price isn't everything and the Microsoft products still don't measure up to his own companies products. 

However, I have to wonder if his marketing/PR people could not come up with a better angle then blaming Microsoft for people paying less for security. Are we supposed to shed yellow tears for poor Symantec not being able to charge more? I for one am glad that consumer AV and security is finally following the pattern of other consumer software by getting cheaper as time goes by.  For too long consumer AV was artificially high and never seemed to suffer from price competition.  What could John say next, Microsoft's competition is forcing Symantec to make a better product?  Come on John, give us a break.

Well the FSF has responded to Microsoft's declaration that they are not bound by the "anti-Microsoft" provisions of the GPL v3.  Matt Asay writes about it in his blog and says that clearly the gauntlets have been thrown down.  Of course Matt being the open source evangelist says that there will be plenty of people coming forward to the help the FSF and that Microsoft, if they push this could be in a heap of trouble.  I am not so sure.  I am not sure if the FSF crowd really wants to see the courts finally rule on some of the theories wrapped up around the GPL.  Mitchell has a good article up on a recent ruling that could have implications in any potential legal ruling on this stuff.  Me personally, I would like to see the courts get their hands on this and get a definitive answer, rather than the perpetual pi$$*ng match that we currently operate under with this stuff.

Whenever Matt Asay roams beyond open source into security he usually shows that he speaks from his open source heart and not his head.  Matt wears his open source passion on his sleeve and consequently it colors everything he sees.  So when Jeff Jones, strategy director of Microsoft's security technology unit, shows that Windows users faced fewer days of security risks on average last year than users of Apple, Novell, Red Hat and Sun, Matt has a cow. How could the evil empire be more secure than his open source darlings, let alone his own OS of choice OSX. 

Matt's evidence to back this up is the fact (he tells us twice) that he has not had a single security risk (in his opinion I guess, I wonder if he was at CanSec West) or security breach in over 5 years.  He then runs the tired "if Microsoft had any record of security" stuff.  Hey Matt, take a good look around and take off the open source rose colored glasses.  Microsoft has been serious and working on security for some time and has built a record.  Ask Stephen "Steptoe" Toulose what record Microsoft has. BTW, Microsoft points to a Symantec executive who acknowledges the accuracy of Jones' data.

Frankly, I think there are arguments both ways over which OS is less of a security risk.  I don't mind an informed debate.  What I don't like is the knee jerk reaction of some in the media who are not even familiar with the facts, crucifying Microsoft.  In this case because he does not like their take on open source and what they are doing with the Linux vendors.  Matt, I don't agree with a lot of your views around open source but acknowledge your expertise there, but you have no standing to be speaking about security and tainting the facts with your prejudice against Microsoft.

What is that you say? What is so different about this Patch Tuesday.  For my Jewish friends out there, am I adding another question to the existing 4. Well it ain't cause we eat unleavened bread or anything like that.  This Patch Tuesday will go down in history as the first Patch Tuesday to contain a specific patch for a vulnerability in the vaunted Vista.  Oh well, it was good while it lasted but did you think there would never be one.

According to this article in TechNewsWorld, the Vista vulnerability is not critical but only moderate. However, unlike other vulnerabilities that effected Vista, this is the first one that effects only Vista and is probably a flaw in the newer core.  There is some good commentary about the other patches in this release including some quotes from the security architect at Vernier Network, Mark Loveless.  What a great name for a security guy!

Anyway, by now your patching process is probably pretty standard so hopefully you are protected already. 

Its a common saying in the tech business to never buy a 1.0 version of a Microsoft product.  However, even the most rabid Redmond hater would have to admit, that eventually Microsoft gets it right, making improvements with every subsequent release.  It looks like the same thing can be said with Microsoft's OneCare AV product.  According to this article in the ITPro (which I heard about in this article on infosecsellout blog), in the latest round of testing Microsoft has made some improvements in OneCare and actually did better than they have in the past.  In fact they came out ahead of AVG and Fortinet.  Bad news for those two, but bad news for the rest of the AV market as well.  Microsoft will continue to improve OneCare and eventually it will be a market leader.  It is the Microsoft way.

For those interested, Eset's NOD32 came out on top.  Good for them, I have heard good things about their product.

ITPro: News: Microsoft improves OneCare anti-virus product

Mike Rothman pragmatically sitting back in Hotlanta, instead of being here "in country" at Vegas Interop, says that Mitchell misses the point in his article on the implications to Cisco of the MS-TCG alliance. While I myself am not sure of what this means for Cisco, I think Mike is wrong about this being a bad thing for supporters of the TCG/TNC. 

Two things on this.  One is as Mike says, TCG needed this to gain credibility and momentum.  However, Microsoft needed no one to help them "taking control of the desktop agentry that will drive pre-admission host integrity checking."  Microsoft had this all along Mike. It was just a matter of time as to when they wanted to claim it. I don't think anyone in the TCG or any other NAC vendor except maybe Cisco, had any delusions that when Microsoft wanted to provide the agent for NAC, it would be spitting in the wind to offer an alternative.  I think the realy story here is that at some point early on, Cisco looked at NAC as a way of moving on Microsoft's turf which is the desktop.  Between this move with TCG and their earlier announcement with Cisco, Microsoft has solidified their choke hold on the desktop and ensured that no NAC vendor or framework will take that.

Speaking on behalf of a NAC vendor, I am fine using the Microsoft agent to help me perform checks. My only hope is that we do see NAP agents for Mac and Linux.  I think the real value is in making up the policies and health checks and then working on how to enforce them.  To paraphrase something else "give unto Microsoft, what is Microsofts, and give unto God that which is Gods".  I don't think this puts any NAC vendor in the Netscape or Novell model, unless all they were banking on was having their own agent.

I guess Steve Ballmer wasn't joking about wanting to possibly do a large acquisition.  While it is not quite buying Yahoo!, Microsoft tired of being outbid by Google, today announced they were buying Aquantive, a digital marketing technology provider for 6 billion dollars, all cash!  This is an 85% premium over Aquantive's closing price Thursday.  That is not like Microsoft to do such a big acquisition and pay such a premium, but I guess the cash was burning a hole in Steve's pocket. Anyway, some folks are going to make out pretty good on this one.

As a little kid who did not dream of being an astronaut? I know I went through my astronaut phase.  Actually l never graduated out of the space cadet stage, but that is another story.  In a perfect example of all roads go through software developement, Charles Simonyi, the man who led the teams that developed Microsoft Word and Excel, blasted off today in a Soyuz spacecraft on the way to the International Space Station.  Simonyi, a billionaire from his software development career, fulfilled a life long dream blasting into space.  The trip is only costing him 25 million.  A mere drop in the bucket to someone of his means.  His girlfriend, Martha Stewart had a meal prepared by all star chef, Alain Decasse, for Charles and his playdate friends aboard the ISS.

Some people think it is a tremendous waste for people to spend that kind of money. I disagree. These space "tourists" first of all allow Russia to continue to operate their space program in the face of continuing budget cuts. Also, if these people have the means to afford such trips, I say it is their choice on how to spend it. 

In the meantime admit it, reading this story there is a little kid inside of you wishing that you can afford such a trip and going through that 10, 9, 8, 7, etc. countdown in your mind. Hey, if you really want to do it, get busy writing software right now!

Saw an article in ComputerWorld today that consumers in Japan have so far given Windows Vista a cool reception.  This is on top of an article I saw last week that after a full month there are actually more Windows 98 computers out there than Vista. I still remember the computer stores being open at midnight for the launch of Windows 95.  I also remember running out and getting XP as soon as it was out too.  So far I have just not felt any urge to go out and get Vista.  There is nothing there that has caught my eye. Nothing that is a must have versus a nice to have. It looks like the rest of the market shares my apathy.  What will be the killer feature that makes you get Vista?  In the absence of one, I think Vista will propagate via the normal course of folks getting new computers to replace old ones.  Vista will be preloaded, but not THE reason people are buying the new box.

After the discussion this weekend about innovation being dead in security, I wonder if innovation is dead in the OS market?  Maybe it is just up in Redmond, I don't know.  What do you think?

So, another patch Tuesday and another flood of press releases announcing that these great security companies protect against them.  We used to do this at StillSecure, but realized that our customers expected us to provide protection against these almost as soon as they came out.  Is it really worth putting out a press release over, month after month?  Is it newsworthy?  Does it influence you in any way? I don't think so.  I would like to see a company put out a press release that they don't protect against the latest vulnerabilities. That would be news.

Guys lets save the paper.  Protecting against the latest vulnerabilities by Tuesday night is table stakes to sit at the table.  Not anything to jump up and down about.

Happy Valentines Day!

Microsoft announced yesterday that they have added their 100th partner in the NAP program.  This makes NAP the largest partner ecosystem for NAC.  Bigger than the TCG/TNC and bigger than Cisco's NAC.  That is all well and good, but to me the important metric was that at RSA this year, more than 40 of these partners are going to be showing working integrations and NAP solutions.  I think this may be bigger than the amount of working integrations that Cisco has with NAC, despite it being around a lot longer. Another positive that jumps out is the wide range of switch and network gear folks who have their integrations working.

With NAP interoperating with Cisco NAC and rumors of an impending integration with TCG/TNC, this does position NAP as the most successful so far of the 3 frameworks.  Of course some like Mike Rothman, say frameworks, shmameworks, people just want solutions that work and solve their problems.  At this still early stage in the NAC world, this is still true.  But by this time next year, I think NAP integration will be a key component for any NAC solution.

If so, welcome to my blog.  The podcast is just a few articles down, it is podcast #22. The interview starts about 10 minutes into the podcast. There is a ton of good info in the interview about what Microsoft's plans are around NAP, working with open standards, other NAC vendors, non-Microsoft OS's etc.  There is some other content on the podcast as well that you may find very good.  Our podcast is a weekly show and we usually have some great guests, many of them around NAC. Podcast #20 is with Andrew Braunberg of Current Analysis and is also about the NAC market.  I hope you find them useful and informative.  Also, if this is your first time here, take a look around at some of the blog articles as well.  You will find a variety of topics covered, most on network security.  If you like either the blog or podcast, please take the time to subscribe to one, the other or both!  If you have any questions, please write at podcast(at)stillsecure(dot)com.

Enjoy!

StillSecure, After all these years, episode #22 is here.  This weeks interview is very good.  Mr. Amith Krishnan, Senior Security Product Manager from Microsoft is our guest.  Amith works in the NAP group.  For all of you who have questions about NAC, NAP, TCG/TNC, Vista, etc., there are lots of answers here.  Be sure to listen!

In this weeks "Converging Minute", Mitchell talks about COTS hardware making custom network appliances obsolete.

For "This Week in Security", Mitchell and I talk about:

1. The new SANS Top 20
2. Symantec releases a beta of Norton Internet Security 2007 with Vista support
3. Checkpoint buys PointSec

We hope you enjoy the show and please send any questions, comments or suggestions to us at podcast@stillsecure.com

Thanks to ClickCaster for hosting our podcast. Tonights music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com.  Music transitions between segments are by our own Mitchell Ashley!

http://clickcaster.com/resource/audio/stillsecure-after-all-these-years-podcast-22.mp3

OK, don't worry this is not another article about the election results.  Instead I am talking about Vista, coming to a computer near you, sooner than later.  I have to admit, I was one of the Doubting Thomas group who thought we would be lucky to see Vista before June '07.  Microsoft though is going to have Vista available on November 30th and out to consumers for January 30th.  I know that some cynics would say that even these dates are much later than earlier estimates, but still they are putting this out before the end of the year.

Is it worth the upgrade?  Is it more secure?  These are questions that I guess time will tell.  I also think we will see it being adopted both at enterprises and homes much quicker than some are estimating.  It will fairly wide spread by the end of '07.