Heading to 3GSM

Barcelona is host to more than 50,000 attendees of this year’s 3GSM World Congress. I can’t think of a much better way to make a great city less inviting but there are lots of interesting things going on in mobile and wireless and this is the place to be so we must all converge like butterflies to the flame.

For me this is the third week of more or less constant travel and the appeal of nice hotels is starting to wear out, especially given the potential of some recent meetings I’ve had in SF and Sidney’s.


Rich Internet Applications and the Future of Software

Ryan Stewart at ZDNet writes about a topic near and dear to me–the arrival of RIAs to the desktop. Some of my posts on the subject are here and here.


SaaS Brings Increased Responsibilities

Software-as-a-service vendors carry the responsibility of taking care of their customers’ data. They must protect it from corruption, loss, and theft. From architecture to operations, it takes careful planning to build a good, scalable SaaS offering. Yesterday, at an RSA panel, Veracode CTO Chris Wysopal brought up a related issue I hadn’t previously considered: the discovery & disclosure of SaaS vulnerabilities.

Most software vendors perform some type of security audit and vulnerability analysis using a combination of code reviews, static and dynamic analysis tools, automated and manual penetration tests, etc. Vulnerabilities are prioritized as a function of impact of exploit, likelihood of exploitability and other factors such as cost of fix. High priority vulnerabilities are fixed. Lower priority vulnerabilities are deferred. There are two problems with this approach. First, there is the issue of undiscovered vulnerabilities in the software. Then, there is the issue of the known vulnerabilities that the software ships with.

That’s where the independents come in: security outfits, aficionados, hackers, organized criminals, etc. If the bad guys get to a vulnerability first, it’s bad news. If the good guys get to it first, they’d usually notify the vendor so that the software can be patched. Both groups are attacking the software to break it. It’s a race.

How does the situation change with SaaS?

It’s best to start with an email example. Take Microsoft Exchange vs. gmail. If you’re looking for vulnerabilities in Exchange, you’d get a server and mess with it. Given enough time you can even reverse-engineer key components and look for vulnerabilities that can lead to exploits. Since gmail is hosted, you couldn’t get access to the code. Some type of penetration testing is the only approach to discovering vulnerabilities in gmail.

So, on the surface, SaaS seems more secure in the sense that the bad guys have a limited attack toolset. There is an additional dimension, however. When you launch an attack against gmail, Google can, in theory, know about it. If you’re a legit security outfit in the Valley, how long do you think it’ll take Google to figure out that it was you who was scanning their servers or creating fake HTTP requests and block you? On the other hand, if you’re some Russian criminals using zombies you may be able to attack gmail for months from different locations. In other words, in a SaaS world, the bad guys have an advantage in discovering new vulnerabilities (unless the good guys switch to using bad guy tactics, which carries risks for them).

It seems that in addition to taking care of their customers’ data, SaaS vendors have the added responsibility of engaging the good guys and allowing them to do their job of vulnerability discovery. Otherwise, the bad guys will always be a step ahead.
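The two preceding paragraphs turn on the same point from the hosting provider’s side: probing a hosted service leaves a trail in the provider’s own access logs, and a provider that wants to engage researchers has to tell their traffic apart from everyone else’s. The following is an added example, not code from the original post or from any vendor named in it. It parses a few constructed access-log lines (the addresses and paths are made up) and flags clients whose recent requests look like probing (many 404s or many distinct paths in a short window), while reporting clients on a hypothetical `known_testers` list separately instead of lumping them in with the rest. The thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format with the request line split into method, path and status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not captured from any real service):
# 10.0.0.5      normal user, a few successful requests
# 198.51.100.7  normal user who mistyped one URL (a single 404)
# 203.0.113.9   unknown client walking a list of likely-admin paths
# 192.0.2.44    client on the hypothetical known-testers list doing the same walk
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2007:09:00:01 +0000] "GET /mail/ HTTP/1.1" 200 5120
10.0.0.5 - - [12/Feb/2007:09:00:04 +0000] "GET /mail/inbox HTTP/1.1" 200 8192
198.51.100.7 - - [12/Feb/2007:09:00:05 +0000] "GET /mail/inbxo HTTP/1.1" 404 210
203.0.113.9 - - [12/Feb/2007:09:00:05 +0000] "GET /admin/ HTTP/1.1" 404 210
203.0.113.9 - - [12/Feb/2007:09:00:06 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210
203.0.113.9 - - [12/Feb/2007:09:00:07 +0000] "GET /manager/html HTTP/1.1" 404 210
203.0.113.9 - - [12/Feb/2007:09:00:08 +0000] "GET /.svn/entries HTTP/1.1" 404 210
203.0.113.9 - - [12/Feb/2007:09:00:09 +0000] "GET /backup.zip HTTP/1.1" 404 210
203.0.113.9 - - [12/Feb/2007:09:00:10 +0000] "GET /console/ HTTP/1.1" 404 210
192.0.2.44 - - [12/Feb/2007:09:01:00 +0000] "GET /admin/ HTTP/1.1" 404 210
192.0.2.44 - - [12/Feb/2007:09:01:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210
192.0.2.44 - - [12/Feb/2007:09:01:02 +0000] "GET /manager/html HTTP/1.1" 404 210
192.0.2.44 - - [12/Feb/2007:09:01:03 +0000] "GET /.svn/entries HTTP/1.1" 404 210
192.0.2.44 - - [12/Feb/2007:09:01:04 +0000] "GET /backup.zip HTTP/1.1" 404 210
10.0.0.5 - - [12/Feb/2007:09:01:30 +0000] "GET /mail/sent HTTP/1.1" 200 4096
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "client": m.group("client"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_probing_clients(lines, known_testers=frozenset(),
                         window=timedelta(seconds=60),
                         max_404=5, max_distinct_paths=8):
    """Return (flagged, known_activity): two {client: reason} dicts.

    A client is reported the first time its requests inside a sliding
    `window` reach `max_404` not-found responses or `max_distinct_paths`
    distinct paths. Clients in `known_testers` (an assumed list of engaged
    researchers) go into `known_activity` rather than `flagged`.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # per-client events inside the window
    flagged, known_activity = {}, {}
    for e in events:
        q = recent[e["client"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()
        if e["client"] in flagged or e["client"] in known_activity:
            continue  # already reported; keep the reason from the first hit
        n404 = sum(1 for x in q if x["status"] == 404)
        distinct = len({x["path"] for x in q})
        secs = int(window.total_seconds())
        reason = None
        if n404 >= max_404:
            reason = f"{n404} 404s within {secs}s"
        elif distinct >= max_distinct_paths:
            reason = f"{distinct} distinct paths within {secs}s"
        if reason is None:
            continue
        target = known_activity if e["client"] in known_testers else flagged
        target[e["client"]] = reason
    return flagged, known_activity


def analyze_sample():
    """Run the detector over the constructed log with one known tester."""
    return find_probing_clients(SAMPLE_LOG.splitlines(),
                                known_testers={"192.0.2.44"})


if __name__ == "__main__":
    flagged, known = analyze_sample()
    print("flagged:", flagged)   # the unknown path-walking client
    print("known testers:", known)  # the same behaviour from an engaged tester
```

On the constructed log the unknown client 203.0.113.9 is reported after its fifth 404 in ten seconds, the single mistyped URL from 198.51.100.7 is not reported, and 192.0.2.44 shows up only under known testers. What a provider does with each list is a policy choice; the point of the split is that the same signal can feed a block on one side and a contact on the other.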


Best RSA Quote

Saw Chris Darby (Managing Director of In-Q-Tel and ex-CEO of Sarvega and @stake) this morning. We talked about the mess of companies on the exhibit floor. Chris’s comment was:

“Many are solving yesterday’s problems with today’s money.”

Yup.


Mobile giants plot secret rival to Google

Courtesy of my friend Ajit Jaokar comes this speculation, reported in the Telegraph.

Europe’s biggest telecoms groups are aiming to create a mobile phone search engine that could challenge Yahoo! and Google, the US giants.

Vodafone, France Telecom, Telefonica, Deutsche Telekom, Hutchison Whampoa, Telecom Italia and one American network, Cingular, are among the companies that will come together for secret, high-level talks at the mobile industry’s biggest annual trade show in Barcelona next week.

Big companies trying to launch a joint venture in a space they don’t understand. Let me guess–Google must be trembling. It’s doomed to fail unless they put a good startup at the core + fund them + give them special deals + leave them alone.

Source: Mobile giants plot secret rival to Google


RSA Keynotes

It may be the lack of sleep but I’m unimpressed by the keynotes so far this year.

Bill Gates + Craig Mundie, MS

  • We’ve made mistakes in the past but now we get it.
  • Acronym overload: SDLC is also Secure Design Life Cycle, not just Software Development Life Cycle.
  • IPv6 is going to enable micro trust domains and put users in control. No mention of the massive pain managing the various rights over time will be.
  • Vista has a lot of neat security features. For example, it will help you manage multiple online personas and payment profiles.

Art Coviello, RSA/EMC (and later Joe Tucci)

  • The bad guys are really smart and capable but don’t panic. There is a $1B industry in trading stolen identities.
  • Now that we are part of EMC we really care about securing not just perimeters but also the data. Please buy Centera, Symmetrix, etc. Also, EMC just acquired Valyd Software.
  • Security will move from static to dynamic with more intelligence in grant/deny policy decisions. Pattern analysis (EMC’s SMARTs technology) will become very important in decision making.
  • Defense in depth means you can never buy enough security products.

I was looking forward to Thompson’s keynote but had to leave for a meeting.


Archivas Goes to Hitachi/HDS

The cat’s out of the bag. HDS acquires Archivas for up to $120M. Archivas was my first investment at Polaris. This is a great exit for the team and for the investors.

Founder Andres Rodriguez envisioned a new kind of infrastructure optimized for managing very large amounts of information (petabytes) over long periods of time (decades) at very low cost (below the TCO of tape). What started as whiteboard diagrams in the fall of 2002 became the best-architected solution for reference information (fixed content) management. Built from the ground up, Archivas resembles nothing else on the market. It’s 1/3 storage system, 1/3 distributed database and 1/3 content management system. Data, meta-data and policy are managed together on a RAIN cluster of symmetrical nodes.

HDS will benefit greatly in its battle with EMC by arming its sales force with Archivas technology.


At RSA

Flew to SF today for the RSA Security Conference where Veracode is launching.

CEO Matt Moynahan was on a panel at the Churchill Club tonight. The title was “It’s a Small, Small, Dangerous World – What Global Business Means for Your Security.” The moderator was not able to keep the panel on track, unfortunately. The discussion was all over the place. The two most unbiased people were Matt (who kept trying to bring the discussion on point) and Josh Levine (ex-CIO/COO at e-Trade and Archivas board member). Some key points:

  • Some panelists alluded to conspiracy to hide the fraud losses in the financial sector. Josh strongly disagreed, arguing that the losses are decreasing as a percentage of business transacted online.
  • Enterprises have no good way to measure software security risk and so there is no good way to measure security ROI and so there is no good way to tune security investments.
  • The bad guys are smarter, faster, richer and have better looking girlfriends (OK, that last piece wasn’t explicitly mentioned). They are running circles around the FBI, which is cybercrime-clueless.
  • It’s going to get worse before it gets better.
  • It may not get better. Internet 1.0 was a utopia of implicit trust. Getting security right means some hassle for consumers (two- or three-factor authentication) and more cost at all points in the information chain.
  • Trust may develop in sub-regions, e.g., a set of e-commerce and banking sites, accessible via a trusted browser, which cannot browse the general internet.

Best quote, from Eugene Kaspersky:

The Internet used to connect people with people. Now it connects people with criminals.


Go Bears!

Update: oops!


One-To-One Computing

The movement towards one-to-one computing is picking up steam, from Maine’s gutsy move towards giving laptops to all students to Project Inkwell (initially organized by my friend Mark Anderson to establish standards for one-to-one computing) to Nicholas Negroponte’s $100 laptop project.

A few months ago I wrote a letter to Technology Review sharing some personal experiences about how students and teachers use computing resources under different conditions of scarcity. The main insight is that both average and peak productivity/benefit vary significantly with the availability of computing resources.

One topic I couldn’t address in the TR letter (because of word count limitations) is that of opportunity cost. PCs are the new boob tubes. They can be used productively or not. I believe that the marginal utility of an additional hour of computer time for a K-12 student can decline quite rapidly without appropriate education (how to make the best use of the machine), social foundation (let’s communicate and collaborate virtually in a meaningful way as opposed to become isolated or shallow communicators) and software (to engage students in relevant activities).
