7 posts categorized "Ross Brown"

April 03, 2007

Ross Brown, moving on from eEye

Short and sweet.  It appears Ross Brown is moving on from his CEO post at eEye.  For those who read my blog, you know that Ross and I have had some great disagreements over the months.  But let me state something for everyone to read right now. Over the time that Ross and I butted heads, I have found him to be an intelligent, considerate and quality individual.  You learn a lot about a person when you are arguing with them and I learned a great deal about Ross. I also learned a great deal from Ross, including who the hell Ricky Romero is. There is no doubt in my mind that Ross brought a needed maturity and professionalism to eEye.  According to the article announcing his departure, the team he put in place is staying on.  While that may be good, I can tell you that there is no doubt in my mind that they will suffer losing Ross.

I am sure Ross is already looking at his next gig.  I hope he finds it challenging and rewarding.  If not, I say this:  Ross I would be honored to work with you anytime!  Good Luck my friend and I hope the journey continues being exciting and adventurous for you.

March 15, 2007

It truly is a golden age for security bloggers

Back in September of 2006, I wrote an article about this being a "golden age" for security blogging and podcasting.  I was afraid at the time that this golden age of innocence may be short-lived due to commercial pressures that would take away the special comradeship that exists among the security blogging community.  I am happy to report that so far that is not the case.  The folks at ITSecurity.com have put out a list of the 59 Top Influencers in IT Security.  Reading the list I was amazed at how many of these folks I have developed relationships with over the years via blogging.  The community is really making a difference and leading the industry.  I know Martin (number 11 on the list, congratulations!) thinks we are just talkers and the real heroes are the doers, but still I am very proud to be associated with this group of folks.  I hope we can use our leadership and influence to do good things around security.

Of course, I would be remiss if I did not mention that I was listed number 2 on the list behind Amrit Williams.  I am humbled and grateful for the recognition.  Other notables and friends Mike Rothman at 7, Mitchell at number 9, Michael Farnum and Michael Santangelo and just about everyone else.  Congratulations to you all, you all deserve it.  I was also really proud to see at number 19 the Security Bloggers Network, which is now 65 blogs strong.  I feel responsible for starting the Network and hope to see it continue to grow in influence and usefulness.


February 15, 2007

My SLA can beat up your SLA

My buddy Ross Brown (you know I really do consider Ross a buddy, having had a chance to get to know him in person at RSA, but that is another story) has an article up taking a shot at nCircle's 24 hour SLA.  To tell you the truth, I was not aware of nCircle's SLA, but a long dormant brain cell in my head fired up something about me having written on this before.  A Technorati search of my blog turns up that exactly one year ago, Feb 16, 2006, I wrote about last year's RSA and some of the SLAs and guarantees that were being offered.  Besides showing that very little in security is ever really new, I thought even back then, that SLAs in security seem to be long on marketing and short on real protection.

For the record, I agree with Ross, I think a 24 hour SLA is nothing to write home about.  We, like eEye and I am going to guess nCircle and most other companies do a good job of getting tests out for the new vulnerabilities (Ross I don't think nCircle is putting out patches, but rather tests to see if the patch is applied or if the vulnerability is present) pretty quickly.  Usually in just a few hours.  However, when you are going to put your money where your mouth is, I think you tend to be conservative. The 24 hour SLA is not meant to be the normal expectation, but the worst case scenario.  Frankly, if you want to force nCircle to do better, come out with a better SLA, that they will have to match to compete. Let me know when you do and we will look at matching it here.  However, my question is this:  Is anybody buying product based on this SLA?  If the answer is no, who gives a hoot.

February 09, 2007

What happened to day 3 of our RSA podcast?

Well the answer can be summed up in 3 bullets:

1. Mitchell is lucky most of his necessary organs and appendages are attached to his body.  First he lost his Motorola Q phone on the shuttle bus from the show.  Luckily he had phone insurance and was able to get a replacement. Of course he lost all of the numbers and info stored on the phone.  Then at the bloggers party (more on that later) after a full day of recording some great interviews (including a fantastic discussion on booth babes with Ross, Rothman, the Phantom Blogger and me), Mitchell leaves the damn, brand new portable recorder at the place and it is now gone!  They don't have portable podcaster machine insurance so Mitchell is out on that one.  Frankly, I wouldn't have been quite so heartbroken if we had at least downloaded the audio files on there.  I am going to start bringing a tag with Mitchell's name and phone number as well as the hotel he is staying at for Mitchell to wear at these events, in case he gets lost too.

2. In the immortal words of Dean Wormer in Animal House, "fat, drunk and stupid is no way to go through life". I try not to get too crazy at shows and make sure I get a good night's sleep, as my schedule at these things is usually packed.  Well, I was so excited about meeting so many virtual friends in person at the bloggers party, I went to three more places drinking with the boys and stayed out until almost 3am.  Even with Mitchell losing the podcasting equipment, I still could have put an update on the day's activities up. I didn't when I finally got to my room, because I was afraid at what drunken ramblings would find their way on to the blog.  I guess Mitchell was not as worried about that. Instead I threw my clothes all over the room and went right to bed.  Four hours later, I woke up still buzzing and headed over to the show before going back to pack and finally flying home.  I think for the next show, I am going to go on a diet, so I will just be drunk and stupid.

3. The Blogger/Podcaster party- As Martin, Michael Farnum, Rothman, Mitchell and I don't know how many others have mentioned, the party even exceeded our expectations. I have not had this much fun in a long time.  I was really looking forward to this event for a long time. I really felt like I knew most of these folks already.  Some of them like Farnum, Martin, Rothman and even Ross, I count on as my blogger family (maybe posse is a better word).  I can't wait for next year's show and have some ideas I will be blogging and discussing later.  One fact that was really heartening to me was that most of the folks there were also part of the Security Bloggers Network.  The network has really picked up and if any security blogger/podcaster wants to join, drop me a line at podcast@stillsecure.com. Also, Rich Mogull is someone I was really looking forward to meeting. I think we will continue to keep in touch and become fast friends.  As a result of the good will and free drinks (thanks Microsoft and Fortinet), it resulted in me continuing on a binge for the rest of the night. As Michael mentioned I did have an altercation with a cab driver, but it was all in a night's work. I am not going to rehash it here, Mitchell and Michael can if they want.  Just another moment with Shimel, as far as I am concerned.

So, I have no update for day 3, the dog did not eat my homework and now you know why.  If I can ever get around to it, I will try to

February 01, 2007

Ross calls me out again, news at 11 with some guy named Ric Romero

So my buddy Ross is yanking my chain again.  This time it is over the whole bias thing with Amrit and Rothman.  Great after those two introverts are done, just what I need, Ross putting his 2 cents in.  And here is a news flash, Ross is biased too.  Geez I thought Ross was just studying to be an ophthalmologist with all the ranting he does about retina, blink, REM, Iris and other eye stuff at eEye on his blog ;-)  Then in a final pique of chutzpa (I can link to wikipedia too), he wants to know if I am at all passionate about StillSecure.  Nah, Ross I can give a flying f*%^ whether it succeeds or fails. Of course I am passionate about it and of course I am biased.   Ultimately as a co-founder here, my long term financial well being is intimately linked to our success. But then again I have been accused of being biased and a blog bully before.  In fact, I usually come out and say I am biased when I write something and to take it with a grain of salt.

Ross, there is another thing I want to point out to you.  There is a difference between being biased and being a whore.  When you say Amrit was paid to be biased in his job at Gartner toward cutting through the hype, yada, yada and is now biased at Big Fix because he is working there, I think you do Amrit a disservice.  Amrit can be biased, but he is not going to say anything he does not truly believe.  You know what, neither am I, neither is Rothman and surprise, I believe in the bottom of my heart, neither are you Ross.  We all say what we believe to be true based upon our view of the world.  I think that is the difference between biased and being a whore, who just says what they get paid to say.

So cutting through all of this, what was I trying to say when I started this whole thread.  First of all I thought it interesting as Mike pointed out that with Amrit not being at Gartner, his opinions just don't seem quite as official.  Also, I wanted to remind these readers that all of us (as I pointed out, including Mitchell and me) have our own bias.  That does not mean that we don't speak the truth, we just have an obvious bias and partiality. In fact Ross, if you show me yours, I will show you mine.  Don't we both blog to influence the influencers and help market our companies? Yes we both have large egos (you too Amrit and Rothman) and like to hear ourselves talk or write, but underneath that, we seek to further our own aims with this blog.  So let's all come down off our high horses here and call it like it is.

BTW, if you are going to cite some newsman, don't be so provincial to think we all watch the local SoCal news.  Go with a nationwide anchor next time ;-)

December 20, 2006

The pot calling the kettle black and not all open is open source

I have been following the Sourcefire IPO saga for some time now, literally since the Checkpoint deal was quashed and Team Marty announced they were going to IPO.  Like others here and here, I never thought that the IPO would actually happen.  I thought that someone would come in and snatch them up.  However, recently there has been some scuttlebutt about the potential liability from the Predator Watch/Net Clarity lawsuit hanging over the IPO.  Nick Selby over at the 451 Group wrote an article detailing the facts as they are known publicly here.  Then Dave Rosenberg questions how there can be IP questions when the source code is readily available for review.

I find Dave's comments frankly naive.  I don't think the Predator Watch/Net Clarity lawsuit has anything to do with open source or a similarity in source code, but rather a similarity in functionality. Nor would a similarity in source code have anything definitively to do with the merits of the suit, unless the source code itself was copied, which is not the claim here I believe.  I think the claim is that the idea of how it works was what was allegedly divulged to Sourcefire. That being said though, I think Nick gives this suit more than its due. I think ultimately this suit amounts to little more than an effort by a small business trying to cash in on someone else's success.  What is even more ironic about this particular tale is that the company doing the suing does not exactly have clean hands, as far as I can tell about using someone else's IP.  I think they still are using the Nessus scanner and NASL rule set in possible violation of the license for such as issued by Tenable Network Security.  There is a principle in law that a plaintiff should have "clean hands".  If that principle is applied here, Net Clarity's use of Nessus and NASL scripts could be construed as not having clean hands on the matter. Now they are calling in Checkpoint, to see if they found anything out about this in the due diligence for the aborted acquisition.  Sounds like a classic fishing trip to me and the court should stop this farce and waste of time and get to the facts of the case.

For a good look at a VC's view of this sort of issue, I know Brad Feld has written about why VCs don't sign non-disclosure agreements.  It is exactly for this type of situation.  I think the Predator Watch/Net Clarity people are going to find out that they are better off trying to build a business based on their products working better than the competition, than trying to beat them in the courtroom.

December 08, 2006

More trolling by Ross Brown, this time disparaging the SC Magazine awards

So I guess Ross really was as he says, in a snarky mood today.  After lashing out about what a failure open source has been in the security space, Ross next takes a swipe at the SC Magazine awards.  Seeing how all three of our products have made the finals for two years in a row, I feel compelled to refute this one as well.

First in way of background, let's talk Gartner.  Like Ross, I also do the obligatory analyst dance with Gartner and the rest.  You can listen to our podcast with Amrit Williams to hear more about that jig.  However, let's be clear about how Gartner ranks companies and who they are geared to.  Gartner is geared to the Fortune 500, large enterprise market.  Nothing gets you further up a Gartner report than having large enterprise customers sing your praise.  Even up and comers need large references to make it to the top of the Gartner heap.  Now, everyone knows that large enterprises are usually more risk averse and do not use the latest and greatest technology. Few big enterprise security managers want to take a chance on an up and comer.  So you cannot put much weight behind the fact that Gartner rankings do not equate with SC Magazine rankings.  If the awards were just based on revenue or big company presence, it would not be much of an awards show.  Sort of why a Star Wars should win best picture Oscar (hey maybe it should have) versus a more "artistic" movie just because it brought in more box office dollars.

Now, the SC awards themselves. Yes you have to pay to nominate your product.  I think the cost is a big 100 or 200 dollars.  Hardly a budget breaker for a company like Microsoft, Symantec or McAfee or even eEye I might add.  After that, for the readers choice awards anyway, I believe it is just a matter of how many votes are cast for each product.  Yes, companies try to get votes.  I think SC Magazine limits how many votes can come from a company email and you must fill out a questionnaire that I think is designed to thwart people from voting over and over again. 

Proof to refute Ross comes from the fact that even the major sponsors of the awards do not win the finals.  I remember last year having heard that Qualys underwrote a large chunk of the award sponsorship and yet Rapid 7 took the vulnerability management award.  The best proof I can give you though is our own example.  Truth be told, we spend very little money with SC Magazine.  I like Illena and the gang, I read the magazine regularly but anyone at SC Magazine will tell you that StillSecure does not spend much with SC Magazine.  We really don't do print ads or online ads for that matter.  We do our own webcasts.  I do remember doing one of their forums in wine country a few years back, but that is it.  We are not winning anything because of the money we spend with them.  Now, maybe the good PR they get on my blog has something to do with it :-)  Seriously, we do not have a PR roadmap or anything that has helped us here.

Ross you should know better than to believe the drunken ramblings of some PR person from a competitor.  I say put it to the test, put your products up and see how they do!  You really want to impress me go for it, I may even pay your hundred buck nomination fee if you need me to.

disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
