Sunday, May 21, 2006

How you know you’re in Silicon Valley

Scoble had this post on his blog a couple of days ago. I have a few more to add to this:

  • The ads that precede the “coming attractions” in the local movie hall include plugs for jobs at local companies. Also a sign of the feel-good times around here. I wouldn’t have expected to see this kind of publicity circa 2001.

  • The guy sitting next to me at the coffee shop lifts his (5 month old) baby over the table and goes “Alice, would you like to help daddy read this interesting book on (I didn’t get this part) Computer Science. Some day, you might enjoy reading books like this one... Ok Alice, it’s time to let daddy finish reading the proof on this theorem.”

  • One of the guys at the coffee shop is walking around wearing a T-shirt advertising Google Earth. It has a satellite image of the planet earth with an accompanying slogan – “4.6 Billion years. Still in Beta?”

Saturday, May 13, 2006

Fireeye – Pye in the Skye?

Fireeye came out of stealth last week. The company has raised $6.5 in Series A funding from two of Silicon Valley’s marquee Venture Capital firms – Sequoia Capital and Norwest Venture Partners. The Sequoia partner involved is Gaurav Garg (my fellow ARL alum) and Promod Haque (who else?) is leading the round from Norwest. The fact that Haque’s success in enterprise networking is rivaled only by his fellow Delhi-ite means that this company might be worth watching.

Fireeye works on what they call effortless Network Admission Control (NAC). Before I get into what I think their product does, a short blurb on what NAC is: a huge security threat to organizations in recent years has been employees and visitors bringing their (potentially infected) laptops into the corporate network. Since this is something that cannot be caught by a gateway device, what is needed is a policy that decides which hosts to let into the network and which hosts to leave out. NAC is a Cisco-led initiative that helps IT managers make that decision. Cisco has a list of NAC partners whose products it recommends. Since Fireeye is not on that list, it looks to me like they’re using the term (NAC) to differentiate themselves from Cisco-recommended solutions.

The reason? The use case for most NAC products on the market is pretty much the same today. Someone who wants to bring their laptop onto the network takes it to their sysadmin, who makes a call on whether or not to admit the laptop based on the recommendation of the NAC product in use. Pretty much every NAC product that’s in use today does one of two things: determine whether or not a host (1) is patched or (2) complies with an organization’s security policy. While Fireeye does not claim to do either of these things, what they claim to have is the ability to detect whether or not a host is an imminent threat to the network (thereby eliminating the overhead incurred by the sysadmin while using state-of-the-art NAC products). Their catch-phrase seems to be -- "If it doesn't infect, let it connect."

How is this done? (Anything past this point in the post is a result of conjecture – isn’t that what blogs are for? :)). The Fireeye device runs multiple instances of Windows that are used as a sandbox of sorts. The device receives a port mirror of all traffic that traverses a switch. It downloads executables that are traversing the network and observes the effect of running them (by monitoring the IDT/GDT or attempts to write to the Windows registry, for example). This is certainly not the first time sandboxing is being used to identify malware. Security vendors routinely use systems like these as an integral part of their research infrastructure. But what Fireeye has done represents the first attempt by a company to move this functionality to the network switch. The key question for any gateway-based product is how real-time it can be. Malware authors are known to employ stealth techniques (the executable remains dormant for several hours or even days (thanks to Rajesh for this piece of insight)) to defeat precisely these types of systems. I am not sure if Fireeye does anything to get past these sorts of tactics.

The other thing the product literature said about this product is that the sysadmin is alerted via email or SNMP once the device has made a determination that a host constitutes an imminent threat to the network. If I were a sysadmin, this would be a hard sell to me. What if I were away eating Masaman curry at my favorite Thai restaurant when I get that critical email that says – “Host X is about to hose your network and cost you your job.” The point I am trying to make is that this product will at best serve to complement existing NAC solutions and not replace them. Yet another weapon in an organization’s security arsenal (which is what most security products are anyway). Companies are likely to continue being anal about admitting only patched hosts and policy compliance (esp. in the wake of SOX).
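To make the "complement, not replace" argument concrete, here is an added example (not Fireeye's, Cisco's or any vendor's code) of a toy admission decision that combines the two checks the post attributes to existing NAC products (patch level, policy compliance) with a behavioural verdict of the kind the post conjectures for the sandbox appliance. The event names, weights, hosts and patch identifiers are all constructed for illustration; the "inconclusive" verdict models the dormancy evasion mentioned above, where a sample sleeps longer than the sandbox watched it and therefore cannot honestly be called clean.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Behavioural events a sandbox might record while running a downloaded
# executable. Hypothetical names chosen to mirror the post's examples
# (registry writes, descriptor-table tampering); weights are constructed.
SUSPICIOUS_EVENTS = {
    "write_registry_run_key": 3,   # persistence via a Run key
    "write_idt": 5,                # interrupt descriptor table tampering
    "write_gdt": 5,                # global descriptor table tampering
    "open_raw_socket": 2,          # mildly suspicious on its own
}


@dataclass
class SandboxReport:
    executable: str
    events: List[str]
    observed_seconds: int          # how long the sandbox watched the sample
    longest_sleep_seconds: int     # longest sleep/timer the sample requested


def behavioural_verdict(report: SandboxReport, threshold: int = 5) -> str:
    """Return 'malicious', 'clean' or 'inconclusive'.

    A sample that asked to sleep past the observation window may simply be
    waiting the sandbox out, so the absence of bad behaviour proves nothing.
    """
    score = sum(SUSPICIOUS_EVENTS.get(e, 0) for e in report.events)
    if score >= threshold:
        return "malicious"
    if report.longest_sleep_seconds > report.observed_seconds:
        return "inconclusive"
    return "clean"


@dataclass
class Host:
    name: str
    missing_patches: List[str]     # constructed patch identifiers
    av_running: bool               # stand-in for "complies with policy"
    sandbox_reports: List[SandboxReport] = field(default_factory=list)


def admission_decision(host: Host) -> Tuple[str, List[str]]:
    """Classic NAC checks first; the sandbox verdict only adds to them."""
    reasons = []
    if host.missing_patches:
        reasons.append("missing patches: " + ", ".join(host.missing_patches))
    if not host.av_running:
        reasons.append("policy: AV not running")
    verdicts = [behavioural_verdict(r) for r in host.sandbox_reports]
    if "malicious" in verdicts:
        reasons.append("sandbox: malicious behaviour observed")
    if reasons:
        return ("deny", reasons)
    if "inconclusive" in verdicts:
        # Patched and compliant, but a sample out-waited the sandbox:
        # hold the host rather than admit on a verdict that proves nothing.
        return ("quarantine", ["sandbox: sample slept past observation window"])
    return ("admit", [])


if __name__ == "__main__":
    # Constructed hosts exercising each branch of the decision.
    hosts = [
        Host("laptop-clean", [], True,
             [SandboxReport("tool.exe", ["open_raw_socket"], 300, 10)]),
        Host("laptop-unpatched", ["constructed-patch-1"], True, []),
        Host("laptop-infected", [], True,
             [SandboxReport("dl.exe", ["write_registry_run_key", "write_idt"], 300, 0)]),
        Host("laptop-dormant", [], True,
             [SandboxReport("wait.exe", [], 300, 86400)]),
    ]
    for h in hosts:
        print(h.name, admission_decision(h))
```

The ordering of checks is the point: the behavioural verdict can add a deny or a quarantine, but a clean sandbox run never overrides a missing patch or a policy failure, which is the relationship between the two kinds of product that the post argues for.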

Sunday, May 07, 2006

Just how (anti)-trustworthy is Microsoft?

The debate over the extent of the Big-M’s anti-competitive practices is almost as old as the software industry itself. So it seems like a little late in the day to join the debate. Most people who have anything to say on the issue take the overly sensationalist position (I think) that Microsoft is this evil colossus out to grind its rivals to dust (while we are on the topic, isn’t that what business is all about?). Well, I have a (slightly) different opinion on the topic (I think).

It’s no big secret that Microsoft’s priorities today lie squarely in the media space. Look at who their rivals are today. Google, Apple and Sony. In each case, Microsoft is trying to compete with what it (and the rest of the world) sees as a fast growing and lucrative segment (search, digital music (only a matter of time) and gaming). Heck, the fact that they’ve integrated an RSS reader into the Vista desktop means that they think this whole Web 2.0 thing is worth their attention.

In all of these segments, Microsoft spares no effort in its quest to (eventually) become the dominant player. MSN prides itself on calling itself Project Underdog. IE7 defaults to MSN search. Xbox boss J Allard is known to have a Sony PlayStation in his office with a bullet hole through it.

You don’t have to be Larry Sonsini to figure out that having IE7 default to MSN search is anti-competitive. All Microsoft has to say about the issue is its time-tested cliché -- “the user is still in control.” While that may be true technically speaking, let us for one minute consider the median IE user – my dad (I’ve managed to convert my mom to Firefox). Would he consider it worth his effort to change the search default? Not really. For that matter no median user would -- in a search world where PageRank is no longer king. As far as Microsoft is concerned Google can go ahead and sue them (which is going to be the most likely outcome – the way things are headed) and they could not care less.

All of this is well documented. So what’s the point of this post, then? The point is, Microsoft does not care about companies which work on products that fall outside what it considers to be critical to its very existence. This is something I thought of while sitting through a presentation on the Windows Filtering Platform (WFP). You can think of the WFP as a sexed up raw socket API that does things like keep per-flow state and, in general, allows applications access to network traffic at the header level. It is being touted by Microsoft as a brand new Vista feature. It seems to me that by architecting (and promoting) this thing, Microsoft is in fact aiding and abetting vendors who might be competing with its homegrown solutions (Windows Defender and OneCare). Take Zonelabs for example. That company makes a personal firewall that will likely benefit from WFP (when they port their solution to Vista). Does Microsoft care? Not really. Why? Because personal firewalls do not constitute a critical growth segment for the company. That’s all there is to it. Microsoft is a behemoth that likes to take on other behemoths (or in the case of Netscape, a company that threatens to morph into one). The fact that Google has a name that’s all hip doesn’t change the fact that they’re yet another corporation.

This pattern of behavior is all too well documented. Larry Ellison often gloats about how Oracle became the world’s most successful database vendor while Microsoft was busy fighting the browser wars. I wonder who’s going to sneak under the radar this time.

A Week on the Microsoft Campus

So, I spent most of the last week on the Microsoft campus in Redmond attending a “Vista Readiness Event”. It was hosted at the PAC (located right next door to the much dreaded Building 19 aka the Recruiting Building).

There were 17 or so talks targeted at ISVs (Independent Software Vendors) who need to be concerned about Vista. Specifically, the presentations were by Program Managers who talked about features that might have an impact on third party security products (AV, vulnerability scanners, the whole shebang).

Rahul once told me that the key differentiator between Microsoft and Apple is the fact that MS gets developer relations (provides a comprehensive API + developer support), and that’s what really differentiates them from Apple. Never really thought much of it until I had a chance to experience it first hand last week. Almost all of the PMs gave enthusiastic pitches for their features, solicited feedback and volunteered their email IDs. The message was loud and clear – “Microsoft cares about your development experience.” The Microsoft people who were hosting the event showed us a good time as well. We went down to The Garage in downtown Seattle for an evening of bowling and pool.

I haven’t really had a chance to follow the blog chatter on Vista. But now seems like an appropriate time to chime in (briefly) while I am on the topic. At first glance, it seems like rootkits (or any other malware that relies on kernel-level exploitation to work) don’t have much of a future in Vista (thanks to mandated driver signing and PatchGuard). The UI? Well, as with any release of Windows, the UI is revamped. It’s no big secret that the folks in Redmond have been borrowing ideas off of Steve for some time now. But at no other time has the convergence with the Mac UI been clearer than now. Small wonder then that he sounds so pissed off. The widgets on the side of the screen -- Anyone heard of Konfabulator?