Update – the booth babe discussion

Since the original post, Zenobia and myself received many responses. The twitter feeds have been extremely busy. I want to provide a short update here and will follow up with an updated summary a bit later in the week. 

In the Facebook group that we started, “Starting a new dialogue”, Winn Schwartau stated a challenge to exhibitors, he said: “HOW ABOUT A CHALLENGE? … Some really smart person can/should/etc. write up a simple short online “Declaration of Booth Professionalism” and get vendors to sign up. … 

1. No booth babes.
2. Tell us what you do in 30 secs or less (signage, etc.)
3. Have informed people in the booth

That’s all I’m looking for. “

Debbie Rosen of Sonatype stepped up and responded with this declaration: 

 I, the undersigned vendor, agree to uphold the standards of professionalism as a conference participant at all future events. Specifically, I agree to abide by the following 4 common-sense laws of “usefulness” to provide information that is valuable to all conference attendees. These include:
1) The use of meaningful words (i.e. not jargon or sales-y) on my booth that provide a summary of what we do so the passer-by can choose to stop or not stop; 
2) The engagement of booth personnel that are effectively skilled to deliver the answer to “what do we do?” in one minute or less; 
3) The utilization of easily digestible demos and/or collateral that help the visitor delve to the next level of information, should they be interested. (note: whitepapers are great but not digestible); 
4) The banning of booth babes or other gimmicks that scream “I don’t know how to market so I will do it the lazy way.”

I like the language, very simple, to the point. 

What do you think? Is this realistic, for exhibitors at trade shows? 


Posted in Uncategorized | 1 Comment

It’s Time To Start A New Dialogue – Saying Goodbye to Booth Babes, Once And For ALL

(co-authored with Zenobia Godschalk, CEO of ZAG Communications)

At the recent RSA conference, it was apparent the exuberance and spending of the 90s are back, and with them, the dreaded accessory known as “booth babes”. In many areas of the show floor, scantily clad women scanned badges, strutted their stuff, hawked wares they knew nothing about, and in general, made many conference goers, men and women, highly uncomfortable.

One company even had their female receptionist dressed in hot soccer pants greeting visitors at the booth while the demo-giving male engineers donned soccer referee shirts.

“RSA (the conference) hit a new low”, many said.

Because so much of the conference this year was devoted to issues like government surveillance, nation state threats, mass data theft, and the un-RSA conference threatened to unseat the incumbent, booth babes seemed like the furthest thing from anyone’s mind.

But still, we had them galore. In between discussions of exploits and Big Data, a teen beauty queen was trotted out to sign autographs; Jane Doe here handed out data sheets from her skin-tight bustier, and mystery woman there displayed her acrobatic skills in barely-there fabric before the demo went underway.

All of which carried the implication that, for the companies that chose to do so, promoting their technologies and products was not possible without scantily-clad women. That feels like a cruel insult to the efforts of the men and women who worked hard to create, build, Q/A, and demo the product.

It was no less harsh an offense to the intelligence of many, both men and women, who walked the show floor with the goal to learn, to engage in intellectual exchanges, and to debate serious issues.

Putting it in the most tolerant light, this behavior is a “lazy way of marketing”, Debbie Rosen of Sonatype said, “this happens when you do not have any creative or otherwise more positive ways of getting attention.”

We are not in the “Mad Men” era. Women have stepped up and “leaned in”. However, statistics still show that women’s participation in computer science and engineering remains below 30% [1]. As an industry, we have a collective obligation to promote and foster, rather than discourage and demean, the next generation of women IT leaders.

It’s not just women who are offended by this. Winn Schwartau, a noted security industry veteran, wrote a pointed piece on this subject in SC Magazine last month: “The RSA Conference expo floor offended me – and why I blame the exhibitors”. Marcus Ranum has also commented on this topic with a similar sentiment. So did the Ashimmy blog.

So how do we change this behavior?

Writing blog posts and expressing outrage on social media alone won’t work. We need to make this issue a practical, rather than a rhetorical one. Those of us who are in positions of power, those of us in sales, marketing, and executive positions, need to do something real to effect changes.

Let’s consider, first and foremost, instilling in our own companies the “radical thinking” that we can showcase technology simply by celebrating the ideas and ingenuity that went into its creation, and establishing the belief that we can differentiate and stand out by articulating the strength of, rather than the distractions from, the products and technology that many of us have worked so hard to create.

Zenobia Godschalk, CEO of ZAG Communications, and myself have created this Facebook group: Starting a new dialogue. Please consider going to the FB group to pledge your support — that you will leverage your influence to ensure that your company/organization will not use booth babes or otherwise sexually objectify either men or women for PR/marketing purposes at trade shows.

It’s time to start a new dialogue.  We can’t afford not to.

[1]: See NSF report “Women, Minorities, and Persons with Disabilities in Science and Engineering”.

Posted in Uncategorized | Tagged , | 1 Comment

Be A Good Marketer And Win Over Your Analyst In 8 Slides

As a former analyst (I spent 6 years as Research VP at Forrester), I have been asked many times “what makes a good analyst presentation?”

Throughout my time at Forrester, I saw countless vendor presentations; some great, some mediocre, others a downright waste of time. As I began reflecting on all the presentations and demos that I sat through, it became apparent how few marketers actually know the art of making an impactful, concise presentation that leaves a long-lasting impression.

Years ago, I took a briefing from the Google Apps team when they released Google App Engine. The entire presentation had 10 slides. We finished it within 30 minutes; I understood precisely what they were trying to say; they said it with finesse, and it rocked my world. Early last year, I had the good fortune of being briefed by Sonatype. The team over there brought a visually compelling deck with precisely-crafted messaging and highly organized content; it was another memorable experience. Other notable encounters included those with Kony Solutions, MobileIron, and Dome9.

What do all these presentations have in common?

They are all concise, to the point, with a central message to drive. With little superfluous information, and good support evidence to boot, they were all fashioned by the hands of an experienced marketer who was also an excellent communicator.

A good communicator can get points across and leave a powerful impression with a minimum amount of content. My thesis is that anyone can do a good presentation in eight slides, as long as you focus on this structure:

  • What is the problem & why is it interesting? (1 or 2 slides)
  • How do you solve the problem? (3 slides)
  • Why are you uniquely qualified to solve the problem? (1 slide)
  • Interesting customer deployments (1 slide)
  • Forward-looking roadmap (1 slide)
  • Takeaways (1 slide)

1. What is the problem you are solving and why is it interesting?

If you can’t explain the problem in one or two slides, perhaps the problem is not that compelling. A common mistake of marketers is overhyping the problem. Trust me, a good analyst knows the problem space; you don’t need to pile on statistics and market trends to convince him/her.

On this slide, you need to articulate the problem, indicate the scope, and get the analyst interested. Tall order, you bet it is, but it can be done. Shown below was Google’s opening slide that teed up the motivation for Google App Engine.

Figure 1: Google’s first slide motivating the problem.

There is very little text on this slide, but it includes everything that needs to be said. The slide conveyed that there are many development paradigms, languages, and platforms, which can lead to complex application development tasks.

Sonatype used two slides to motivate and frame the problem.



Both slides have well-organized content, visually interesting layouts, and a focused message.

At this point, the analyst should know what the problem is that you are trying to tackle and her interest, hopefully, is heightened because of the way you described the problem. Now, onto the next step…

2. How do you solve the problem?

This is of course the meat of the presentation. In this section, you should cover these basics:

  • Your value proposition
  • Description of your technology
  • Ways to operationalize your product

Google put up one slide on App Engine: what it is (Python and Java run-times), what it includes (Servlet and APIs), and some sample applications (cron jobs and DB I/O). (see below)


Google also had another slide on Secure Data Connector to show how you would access data behind the firewall. Google was light on value proposition, but we got that through discussions.

Sonatype’s three slides mirrored the three basic points perfectly. First was the value proposition slide.


And there was the system description.


Finally the operational picture.


It’s extremely important to keep in mind, as you develop content for this section, that your aim should be to describe how the product helps solve the customer’s problem, not how awesome the product is. There is a subtle but important difference here.

Anton Chuvakin from Gartner, a friend of mine, has always had a beef on this issue and has said multiple times how few people understand the difference between the two. But once you do, and know how to leverage it, your presentation and demo will be on a different level.

Be prepared to engage in an active discussion in this part of the presentation. Encourage the analyst to ask as many questions as he/she cares to.

3. Why are you uniquely qualified to solve the problem?

This one is a bit tricky. Here you need to highlight your strength – what you are doing that your competitors are not doing or not capable of doing. This is often the most contentious of the discussion topics. Your best bet is to focus on your strength, rather than the competitor’s weaknesses. If the analyst is any good, he or she will be naturally suspicious if you talk down your competitor too much.

A few things to keep in mind when you articulate your competitive strength:

– Be proud of your technology: Does it show, in the text, in the way content flows, and in the way you talk, that you are proud of what you will present? Do you believe in the technology? You need to believe to be proud. Being proud is infectious and it will set a tone for the presentation.

– Focus on your strength, not others’ weaknesses: It is the analyst’s job to compare you against your competition. Your job is to ensure that the analyst is well informed of your strength.

– Articulate your value with facts, not claims: Statements such as “Because we already have function A and function B, we are in a good position to provide deep integration from these two vantage points” will be well received. In contrast, statements like “no one else can do this because we are the number one vendor in the market” will go over poorly.

The slide below is how Google articulated why they are uniquely qualified to solve the problem – with 1500 businesses signing up to Google Apps, more than half a million corporate accounts, and millions of active users. These are indeed powerful statistics.


And below is how Sonatype communicated why they are uniquely positioned. They handle 8 million component requests a day, with extensive coverage of open source component usage, popularity, and development tool integration.


4. Interesting customer deployments

I cannot stress enough how important it is to have customer examples/testimonials as part of your content. In fact, you should not go in front of an analyst unless you have good customer deployment examples to discuss. They do not have to be named customers, but it’s highly desirable to show an interesting customer use case (or two) to ground the discussion. It would be even more interesting if you can show a customer deployment scenario with uncommon challenges, e.g., scale, complexity, or problem nature, that your technology helped to tackle.

This was Google’s customer adoption slide.


Followed by another example,


Sonatype did it slightly differently. On each slide that explained their technology, they included a user quote at the bottom. On the slide depicting IDE integration, the quote says: “I can quickly pick the best component from the start, eliminating downstream work”. On the slide discussing real-time component selection, the quote says: “Our research time has been reduced significantly with the component suggestion info”.

Customer’s words, not yours. Plain and simple.

5. Forward-looking roadmap

This may be optional for some presentations, but it’s always fun to show where you’d go next. Google summed it up in one simple slide – launching partnerships.


6. Takeaways

Think about what you want the analyst to remember, even if she doesn’t remember anything else from the presentation. Focus on that as your takeaway slide. Sonatype did a nice job of exactly that; the final slide was simple, direct, and impactful. Nearly a year later, I still remember the “Go fast, be secure” tag line.


So there you have it – the secret to making a good analyst presentation.

Before I end this blog post, it bears repeating a few “Do’s” and “Don’ts” in analyst communication.


  • Think low entropy: Focus on what you want to say and articulate that. Do not overwhelm the presentation with unnecessary or secondary information. Remember, you only have 30 minutes or 1 hour with the analyst; edit yourself and make it count.
  • Be visual: Usually when the analyst takes a vendor briefing, she is on the phone staring into a computer monitor. Please, give her something visual to keep her interested.
  • Show how you solve problems, not how you use the product: The analyst couldn’t care less about how one might use your product if the product is not interesting or the value proposition is not compelling. Framing your discussion in the context of solving the customer’s problems is the only way to keep a bleary-eyed analyst engaged throughout the discussion.
  • Research the analyst: Read their reports ahead of time. Understand the point of view of the analyst. Understand how she defines the market and talk to that angle. Remove quotes from Gartner if you are talking to Forrester, and vice versa.
  • Stress test your presentation: You only get to make the first impression once. Before you get in front of the analyst, put the presentation in front of your customers, run it through your partners, and get them to critique it.


  • Don’t start with a solution and look for a problem: Too often we get briefings that are clearly solutions looking for problems. A good analyst who has sat through many presentations can see through that quickly and will lose interest before you can say “next slide”. Again, if it takes a while to explain why you work on this problem, the problem ain’t worth it.
  • Don’t dwell on your competitors: Focus on your solution and your strength. Unless the analyst asks, do not spend time discussing your competitors. Describing what your competitor can and cannot do is a minefield of a topic that is best avoided.
  • Don’t jam your slide with text: There is nothing worse than sitting in front of WebEx and seeing it load a slide that looks like the one below. (This was from an actual vendor presentation, the names of which have been removed.) And please, under no circumstances should you read word after word from the slide. That is the single biggest offense you can commit in a remote presentation – a sure way of putting your audience to sleep.
  • Don’t treat the analyst as an extension of your marketing department: Remember that the analyst does not work for your company; they do not have to care what you have to say. It is your job to get them intrigued and interested. Your goal should not be to get them to write about you (if you start with this goal, you will most likely fail). Your goal, instead, is to get them interested in what you have to say. As long as there is interest, there will be possibilities.


Posted in Analyst Communications, Marketing | 4 Comments

At the Churchillclub, with Scott McNealy and Ed Zander (and Lady Gaga)

Last Thursday evening I went to a Churchillclub event: Scott McNealy in conversation with Ed Zander. I was attracted to the event because of the two speakers. Scott McNealy, the former CEO of Sun Microsystems, is a Silicon Valley legend. Ed Zander, the former CEO of Motorola and former COO and President of Sun, is another highly influential figure in the high tech industry.

The event turned out to be much larger than the typical Churchillclub get-togethers; apparently more than half of the attendees were ex-Sun employees. At the cocktail hour, all around people were catching up, embracing, and reminiscing on old times at Sun.

McNealy walked in around 6:30, looking fit and thin. You knew as soon as he was in the room, because practically everyone stood up to greet him. As he moved about, a human bubble moved with him around the room. The ex-Sun folks lined up to shake his hand; many had tears in their eyes. “Sun was an institution. You had to be there to understand”, the ex-Sun employee sitting to my right said.

The evening started with Zander playing a music video of McNealy singing in a “rock band”. The video was clearly taken in the heyday of Sun; it included footage of McNealy and co. kicking two SGI boxes off the roof of a Sun building while McNealy sang the lyrics: “The Sun will always shine”. <Hilarious>. There are clearly some inside jokes in the video, as the room was rolling with laughter.

As the evening went on, I learned a great deal about Mr. McNealy and his time as Sun’s chief. But what came across more loud and clear than anything else were his staunch political views. When asked which corporation is the “evil empire” today, McNealy responded: “Big corporations are not the problem, I think the biggest threat to innovation and our economy today is the public sector.”  Later on, he said: “More than 20% of the GDP is tied up in the public sector, and that is what is stifling innovation”. Clearly not a fan of President Obama, when asked to describe Obama in one word, McNealy responded: “Unfortunate”.

McNealy was vocal about Sun’s achievements. He said: “If we didn’t put TCP/IP in the computers we built back in the days, there will not be cloud computing today.” Sun is credited with the phrase: “The network is the computer”, a visionary phrase, perhaps, but to say without Sun computers, there would not be cloud computing is, with all due respect, a bit overreaching. He said the best decision he ever made at Sun was bringing Bill Joy onboard. <No argument there>. McNealy also acknowledged a few mistakes. He said: “If we took Solaris and put it on a commodity Intel chip, and slap together some pizza boxes, Linux would not be around today. Companies like Google and Amazon will be running Solaris.”  Yep. Hindsight is 20-20. On archenemy Microsoft, McNealy said, in a resigned tone: “They clearly won, they are still around.”

At one point in the interview, Zander asked: “I remember we were this close to buying Apple, for $5 or $6 a share, what happened?” Interesting. This was a fact that I had known. McNealy said: “A tough i-banker on Apple’s side spoiled the deal … Heck, there wouldn’t have been any iPhones/iPads if we had bought Apple, ‘coz I would’ve screwed that one up too!” The audience laughed and the Twitterverse heaved a collective sigh: “Ah, we dodged that one”. (For those of you who are counting scores out there, Sun instead bought Cobalt Networks. Apple’s share today stood at $350.)

No. McNealy is not a Facebook or Twitter user. When asked about social media, McNealy said: “I just don’t see what you can do with social media that you cannot do with good, old-fashioned email.” <Really?> McNealy compared Twitter to mass mailing, and questioned whether LinkedIn provides anything beyond what emails offer. On the point of user-generated content, he said: “Emails ARE user-generated content”. He later added: “Guess what Facebook’s latest invention is, it’s email!” <Hmm… I’m starting to detect a pattern here… > When Zander asked him to describe Facebook in one word, McNealy replied: “Zucks”. We also learned that McNealy was not a fan of Lady Gaga. When Zander asked him what he thought of the fact that Lady Gaga had 8+ million followers on Twitter, “That’s just unfortunate,” McNealy said.

A point McNealy went back to over and over again in the course of the evening was that government should not be meddling with the private sector. He contended that corporations are the stewards of innovation, and as such, they should be left alone. Of course McNealy completely failed to mention that the practices of some of the corporations, acting out of greed, nearly collapsed the American financial system and in turn ignited a global economic crisis.

The night closed with one final question from the audience, a former Sun employee. “The dotcom crash was hard on a lot of companies”, the audience member said, “but there were still plenty of opportunities around; e-commerce was growing, the commodity computing market was growing, I want to know why we missed the boat. I am not sure that I got a satisfactory answer from tonight’s discussion.” Before McNealy ventured an answer, Zander said, “Let’s not go there. Let’s move on. Tonight is about celebration.”

McNealy was clearly a natural leader. He was articulate, passionate about what he believed in, charismatic, occasionally self-deprecating, all qualities of a good leader. It was easy to see why 2/3 of the room respected and revered him. But the man couldn’t be more wrong about social media, and his complete conviction that he was right was simply mindboggling.

At the end of the evening, as the crowd dissipated and I drove west on 237 in the light rain, with a Lady Gaga song appropriately playing on the radio, I thought about my evening at the Churchillclub and caught myself saying: “Lady Gaga: 1, Scott McNealy: 0”.

Posted in Uncategorized | 3 Comments

HBGary, Anonymous, WikiLeaks, and the concept of Openness

Recently I’ve been reading the excellent work by Jamais Cascio and thinking about the concept of Openness. Much of Jamais’ work is focused on geoengineering but the concept of openness has profound implications on many fields, including computer security.

For those of you who have been following the unfolding story of HB Gary Federal and the Anonymous Group, this story is what Hollywood movies are made of. In fact, I don’t think a script writer could have penned any better than the real life version. If you haven’t been following the minute details of this story, this Tech Herald article is an excellent read on how the whole thing started.

A condensed version of the events is as follows,

  1. A week before RSA 2011, the CEO of HB Gary Federal, Aaron Barr, said in a Financial Times interview that his firm had infiltrated and discovered the identities of the high level operatives for the well known Internet hacktivism group Anonymous, and that he planned to publicly discuss his findings at the RSA conference.
  2. Anonymous responded in force and compromised the entire infrastructure of HBGary and HBGary Federal (HGF). They obtained confidential data, erased files, and defaced both companies’ websites.
  3. Anonymous subsequently released 4TB worth of confidential company emails. In the emails that have been disclosed to date, Barr was seen engaging in discussions with a major US bank (believed to be Bank of America) to use HGF’s offensive attack tactics to launch a cyber attack against Wikileaks. The rumor mill at RSA had it that the said US bank was going to pay HB Gary $600,000 a month to carry out this attack campaign.

Voilà, what seemed like a classic white-vs-black hat story just turned interesting. What’s more interesting is that prior to this whole incident, WikiLeaks had been making noise that they were about to publish data from a major US financial institution (What? Interesting, you say?) What apparently was also discussed in those emails was that Barr would use, among other techniques, exclusive zero-days for the attack against Wikileaks. This would make the attack extremely dangerous.

No one came off this looking pretty. Not only was HBGary, a company that claims malware analysis as its business, unable to properly secure its own infrastructure, but the “victim” turned out to be plotting a cyber war itself. HBGary is now claiming that the leaked data had been tampered with, implying that the discussion between BofA and Barr isn’t authentic, while Anonymous (and other security researchers) is saying that Barr’s initial research (which you can read here in PDF) was flawed in that some of the individuals he claimed to be part of the Anonymous group had nothing to do with the group. Anonymous argued that if Barr’s research were allowed to continue, it might put innocent individuals in jail (as Barr was supposedly working with the FBI).

At RSA last week, HB Gary was noticeably absent from the conference, their booth instead displayed a sign that reads: “A group of aggressive hackers known as “Anonymous” illegally broke into computer systems and stole proprietary and confidential information from HBGary, Inc. …. In addition to the data theft, HBGary individuals have received numerous threats of violence including threats at our tradeshow booth…”.  

This event ignited an Internet debate storm: is it ethical for security companies to engage in offensive tactics? Traditionally, security’s role is to defend, not offend. But as modern warfare migrates from physical battlefields to the digital frontier, more and more nation states and companies engage in offensive campaigns. Persons with deep security expertise are hot commodities in this game; it can be an extremely lucrative undertaking. But as you go down this road, is there really a difference between the black hats and the white hats anymore?

This is where the link to Openness (or the lack of it) comes in: as we all know, and as the execs at BofA and HGF reinforce, zero-days can be powerful weapons. Exclusive knowledge of zero-days gives the possessor incredible power, and in cases such as these, almost always leads to corruption and misuse. It can be argued that we are better off as an industry if openness is employed as a means of elevating collective knowledge and also as a way to enforce checks and balances, so that no one company or individual is significantly more powerful in its knowledge and expertise than others. In such an industry, cyber offense is only a distant possibility, as you will be on a level playing field with your adversaries.

Creating such an open culture for the security community requires a shift in thinking, because this is an industry that thrives on secrecy and obscurity. It requires that we recognize that secrecy, obscurity, and the act to restrict information can ultimately do more harm than good. It requires that we promote open research and build an ecosystem that rewards openness.

How to achieve this open culture is the question on the table. Let’s discuss one specific example of how some form of openness is achieved: a bug bounty program. I was a skeptic, in the beginning, of the merits of such bounty programs, but I have come around. Indeed, I’ve come to realize that economic incentives may be one way we can achieve openness. In a bug bounty program, the researcher is encouraged, through economic incentives, to share his/her findings with the software vendor and ultimately with the entire community.

Economic incentives alone don’t always work, as that is one card the dark side can play as well. Other means, such as increasing collaboration, technological transparency, and … must be explored. But the steps we take today to promote an open culture will shape the course of the industry and help to determine whether we head towards a scenario of digital apocalypse (as Eddie Schwartz of Netwitness called it on a recent RSA panel) or a more responsible, democratic, and open model for computer security.

Other sources of note:

– Jamais Cascio’s Open the Future website

– Threat Post’s Paul Roberts wrote several excellent articles on the HBGary story.

Posted in Uncategorized | 2 Comments

HP misses opportunity with Watercooler

Michael Brzozowski, the creator of Watercooler, the internal social media system for HP, recently left HP for Google.

Talent moves around all the time, especially in the Bay Area, where the industry is rife with interesting opportunities. However, in this case, the departure of Mr. Brzozowski has put the fate of the Watercooler system in question.

To understand why this is worth blogging about, we need to first understand what the Watercooler system is about. Many of you may not know this, but Watercooler is a social media system that currently has 100,000 users! Brzozowski originally started Watercooler to aggregate RSS feeds from across the company. Over time, it has morphed into a social media aggregation platform that aggregates content from HP’s internal wikis, microblogs, various discussion forums, and social bookmarks. The system has a documented set of open APIs and supports a powerful and expressive set of content filters across different social media systems. It is also integrated with HP’s user directories.

Brzozowski wrote a nice paper on a study he conducted with Watercooler data. Published at Group 2009, the study revealed some interesting facts about social media usage inside HP. Perhaps one of the most concrete statistics to date arguing for the value of enterprise social networks, Brzozowski’s paper points out that 69% of all Watercooler blog users subscribe to content generated by someone outside their business unit. This kind of cross-company instant collaboration is a huge benefit that a social media system provides its user community.

Unfortunately, though Watercooler can be considered a success for HP Labs, it has not generated the same kind of support from HP proper. Brzozowski had been trying for the last 2 years to get the system out of HP Labs and into the hands of HP operations. But his efforts proved futile; HP operations were not interested, or at least not interested enough to take action. After Brzozowski’s departure, another researcher from HP Labs took over the system. But this person is only doing it on a volunteer basis; he’s got his other core tasks. As we all know, researchers are not great at maintaining production systems, especially one that requires such scale and performance. Now you might ask why HP would ignore a social media system that’s already got such a large user base. Do you know how many social media startups would kill to have 100,000 users? Well, perhaps only HP can answer this question.

This whole thing came to a head a few weeks ago when some of HP’s executives were meeting with Salesforce. The latter mentioned Chatter, the new social media system SFDC is launching at Dreamforce this week. Chatter is a cool system, but it is not nearly as developed or as widely used as Watercooler. Especially when you consider Watercooler had supported a documented API for users to modify for their own purposes, pro

The HP executives, after meeting with Salesforce, said about Chatter: “Hmm, that’s a good idea, we should have something like that.” [obviously this is a mock conversation, not the dude’s actual words]. Finally someone in HP said, “Well, we do have something like it, it’s called Watercooler”. The executive then said: “Really? Well, let’s take a look at that. Maybe we can make something out of it”.

As if on cue, Watercooler stopped working because the whole system had been running on one server (what? One server? You asked. Yep. You heard right, one server to support 100,000 users. That’s how research labs typically work). The researcher who had been supporting it after Brzozowski left was unable to get it up and running again quickly.

HP Labs had many top industry talents, but these people are now leaving the organization because their work has not been properly respected or utilized. Last year, they lost one of their HP Fellows, John Wilkes, to Google. In addition to the recent departures of Michael Brzozowski and Kevin Lai, a game theory specialist, Joe Pato, a noted computer security expert, though ostensibly still an HP person, has been spending most of his time at MIT. HP has come a long way since the garage company days of Hewlett and Packard, but it seems like the company has lost some of its innovative spirit along the way. Yes, it’s difficult to remain innovative when you’ve got 30,000 employees. But people are the greatest asset of any organization; if you lose them, you lose the future of the company. This is why Google recently implemented a 10% pay raise and bonuses to retain talent against new-kids-on-the-block competitors like Facebook. Companies like HP should take notice. Innovations like Watercooler should have flourished instead of being left to flounder.

Posted in Uncategorized | 2 Comments

iPad infrastructure hacked – iPad owners’ email addresses leaked


On Tuesday, popular tech gossip site Valleywag reported a hack targeting AT&T’s infrastructure that led to the accidental disclosure of 100,000 iPad owners’ email addresses.

As far as we can gather at this point, this is most likely a parameter tampering attack. The hackers attacked AT&T’s iPad support web application, traversed a range of ICCIDs (Integrated Circuit Card Identifiers), and were eventually able to obtain valid iPad owners’ email addresses without proper authentication.

If this is indeed true, AT&T has done a poor job designing their web application. Guarding against automated parameter traversal attacks is one of the first things you do to secure a web app. An automated parameter traversal attack can be launched fairly easily these days – it does not require sophisticated technology or advanced reconnaissance on the victim web application.
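To make the design point concrete, here is an added example (my own illustration, not AT&T’s code and not anything published about the incident) of the flaw pattern described above in miniature: a lookup that treats a guessable identifier as proof of ownership, the hardened form that requires an authenticated session bound to that identifier, and a small log check a defender can run over access logs to flag a client walking a consecutive ID range. All ICCIDs, email addresses, IPs and log lines are constructed sample data; the `session` dict shape and the `/ipad/lookup?iccid=` URL are assumptions for the example.

```python
"""Identifier-as-credential flaw vs. hardened lookup, plus enumeration detection.
Added example; all data below is constructed, not real."""
import re
from collections import defaultdict

# Constructed sample directory: ICCID -> account email (not real values).
ACCOUNTS = {
    "89014100000000000001": "alice@example.com",
    "89014100000000000002": "bob@example.com",
    "89014100000000000003": "carol@example.com",
}


def lookup_vulnerable(iccid):
    """The flawed pattern: the ICCID alone is treated as proof of ownership,
    so any client able to guess or walk the ICCID range gets the email back."""
    return ACCOUNTS.get(iccid)


def lookup_hardened(iccid, session):
    """Hardened pattern: the ICCID is an identifier, not a credential.
    The caller must present an authenticated session that is already bound
    to the requested ICCID; any mismatch is refused (and should be logged).
    `session` is an assumed shape: {"user": ..., "iccid": ...} or None."""
    if session is None or session.get("iccid") != iccid:
        return None
    return ACCOUNTS.get(iccid)


# Constructed access-log lines (common-log-like). 203.0.113.7 walks five
# consecutive ICCIDs; 198.51.100.2 makes a single ordinary request.
LOG_LINES = [
    '203.0.113.7 - - [09/Jun/2010:10:00:01] "GET /ipad/lookup?iccid=89014100000000000001 HTTP/1.1" 200',
    '198.51.100.2 - - [09/Jun/2010:10:00:02] "GET /ipad/lookup?iccid=89014100000000000002 HTTP/1.1" 200',
    '203.0.113.7 - - [09/Jun/2010:10:00:02] "GET /ipad/lookup?iccid=89014100000000000002 HTTP/1.1" 200',
    '203.0.113.7 - - [09/Jun/2010:10:00:03] "GET /ipad/lookup?iccid=89014100000000000003 HTTP/1.1" 200',
    '203.0.113.7 - - [09/Jun/2010:10:00:04] "GET /ipad/lookup?iccid=89014100000000000004 HTTP/1.1" 404',
    '203.0.113.7 - - [09/Jun/2010:10:00:05] "GET /ipad/lookup?iccid=89014100000000000005 HTTP/1.1" 404',
]

# Client IP at the start of the line, then the iccid query parameter.
LINE_RE = re.compile(r'^(\S+) .*?iccid=(\d+) ')


def find_enumeration(lines, min_run=4):
    """Group requests by client IP and flag any client whose requested ICCIDs
    contain a run of at least `min_run` consecutive integers.
    Returns {ip: longest_consecutive_run} for flagged clients only."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            by_ip[m.group(1)].append(int(m.group(2)))
    flagged = {}
    for ip, ids in by_ip.items():
        ids = sorted(set(ids))
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("89014100000000000001"))
    print("hardened, no session:", lookup_hardened("89014100000000000001", None))
    print("hardened, own session:",
          lookup_hardened("89014100000000000002", {"user": "bob", "iccid": "89014100000000000002"}))
    print("flagged clients:", find_enumeration(LOG_LINES))
```

The hardened lookup is the real fix: once the server refuses to answer unless the session already owns the ICCID, walking the identifier space yields nothing. The log check is a complementary detection for the case where such an endpoint exists anyway; the `404` responses at the end of the constructed run are the tell that a client is probing beyond the accounts it could legitimately know.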

Included in the email addresses disclosed were several prominent celebrities, politicians, and high-profile industry figures, including Rahm Emanuel and Michael Bloomberg.

This attack apparently only affects iPad 3G users, not the Wifi-only iPads. AT&T has stated that this particular flaw on their web application has now been remediated.

Posted in Uncategorized | 3 Comments

Are you rethinking Facebook?

Facebook is currently the world’s most popular social media site, with
over 400 million users. Long plagued by accusations of security leaks
and lackluster privacy practices, the corporation is currently defending itself against
a barrage of new criticism. CEO Mark Zuckerberg gave an interview
earlier this year arguing that privacy is no longer a “social norm.”
Facebook privacy policies have been rapidly shifting to reflect this.

The latest firestorm centers around a new feature called “instant
personalization,” a targeted advertising service that supplies
personal user data to advertising partners like Pandora and Microsoft
Docs. All Facebook accounts were included in this service when it was
rolled out, and opting out is a convoluted, multi-step process. In a
move that some users are calling deliberately deceptive, simply
clicking an “opt out” check box does not protect your user data from
being shared.

So far, the beta service is limited to three corporate partners — all
of whom have promised not to behave inappropriately with the shared
user data — but the feature is slated to be expanded over time. This
puts millions of user accounts and their personal information at the
mercy not just of Facebook, but of the ethics of every company who
becomes an instant personalization partner in the future.

Other unintentional security breaches are also making headlines. A Russian
hacker who calls himself “kirllos” recently claimed to possess the
logins and passwords to 1.5 million Facebook user accounts — and he
is putting them up for sale, cheap. Though no one has officially verified whether these user credentials are real or fake, kirllos has already sold off around 700,000 of them.

If true, this incident puts another crack into Facebook’s already-besieged reputation. An account compromise not only leaks a user’s private information, including photos, status updates, and private messages sent between users, but can also lead to increased phishing risk – imagine a trusted Facebook friend sending you a message with a malicious embedded link that, once clicked, directs you to a malware-laden site.

What does this mean for corporate users? Opening up your company to Facebook access could lead to increased phishing and malware threats, which could in turn cause data breaches and other more serious security incidents within your corporate network. Given the soaring popularity of Facebook as a casual communication tool, the usual acceptable usage recommendations — urging employees to use discretion and avoid discussing sensitive information via Facebook – are far from sufficient.

Social media can be a corporate asset. Facebook provides a high-profile tool for company exposure and branding, and the wide reach of such a social platform can facilitate business networking. But if you had known that the media giant would be
riddled with security holes, while at the same time deliberately taking on a cavalier attitude toward user privacy — would you have allowed your users access to Facebook?

Posted in Uncategorized | Leave a comment

Ok. There is more (or may be less) to the VPN story, Google says

Google called me again after I posted the latest follow up to the Google hack story. Wow, two calls from Google AR in the span of an hour! They were uncomfortable about the way I characterized the involvement of the corporate VPN in the Google attack. The official on-the-record word from Google is that: “This is not accurate”.  So, I should rephrase how the attack happened:

a) A Google employee’s machine that was running IE v6 was compromised via the IE vulnerability.

b) The attacker used the compromised machine to somehow gain access to Google servers (some of which housed critical information). The method of access, at some point, may have involved VPN, but Google does not agree with the characterization that “the compromised client used their corporate VPN to gain access to the servers”.

At Google’s request, I retract that particular statement.

This is what we do know factually:

1) The attack on Google server happened

2) Google immediately decided to do an emergency update of their entire corporate VPN infrastructure.

Could these two things be entirely unrelated? I doubt it. But Google isn’t going on the record to say that the attack came in via the VPN, and that’s their official position.

Posted in Application Security, Cloud security | 7 Comments

Follow up: Google calls and confirms the VPN story.

Google called me, five minutes ago, confirmed that the attacker indeed came in via the corporate VPN access. On top of that, they told me that the victim machine was a corporate managed machine, not a home computer.

As to why Google employees were running IE v6, Google’s position is that someone might be running IE v6 for testing purposes. Whether this was indeed what happened, they wouldn’t say. Ok, I can buy that you might be running an older version of a browser for testing purposes (for backwards compatibility), but why wasn’t the testing environment isolated from production and from access to critical assets? Isn’t that one of the first things you do in setting up a test environment? Google assured me that they are taking steps to rectify the situation, and for the sake of everyone who trusts Google with their data and applications, I hope they do it soon.

A funny related note: I’ve been trying to get Google’s attention for over a week on a security interview, but they were too busy to respond (understandably, I guess); yet five minutes after I put up this blog entry, Google calls me on my mobile. :-)

Posted in Application Security, Cloud security | 2 Comments