Recently I was talking to someone that was telling me about how he is going to start a business that helps people find things on the internet. He went on to explain that it is very difficult for people to find what they are looking for because there is just too much information on the Internet. I couldn’t resist, so asked if he had ever heard of Google. So he explained to me that Google sucks as do the other online search engines. He told me that his idea was a different way of thinking about search.

He started telling me why it was a different way of thinking but I had a question that I wanted him to answer first, and that was: What would you do differently from Google? After looking at me with a very perplexed look on his face he responded with: Well I don’t really know how they do what they do, but I know it can be done better.

Unfortunately this is all too the case. People try coming up with solutions without understanding the problem or how current solutions work. Why reinvent the wheel? Understand the problem. Understand the current solutions. Then you are in a better position to not only know what you are talking about, but prove it as well.

A few months ago I read the book Born to Run by Christopher McDougall and it motivated me to get off my ass and start running.  I was a little too motivated and ended up fracturing my foot, but this post isn’t about me being a dumbass so we’ll skip over that part.  Anyhow, so I start running around my neighborhood and all is fine except I have no idea how far I’m running and therefore don’t know if the times I am clocking are good or bad.  There are a few different ways to accomplish this but I chose to use a website called MapMyRun.com.

It doesn’t take a genius to figure out what this site does, you punch in a location and then use the map to click along your running path to calculate distance. So I mapped out a few different routes to figure out how far I had been running and then made some changes to give myself a 2 mile and a 3 mile option.  It is pretty cool, and accurate to boot but where am I going with this?

Well when you map a route you can save it.  When you save it you have the option of the map being public or private…public being the default.  You can also search these public maps saved by other users.  A quick search in my small town and there are 192 maps found!  Now where do most people start their runs from?  If you said their house, you would be correct.  So now I can see all of these runners and where they live based on their map.  This site also offers up the username of the person who submitted the map.  As with most internet services, some of the usernames are bizarre like techdulla, but some are like johnsmith22.  Now I know where you live and what your name is.  I also know that you run a particular 10 mile loop every Saturday morning. <Insert evil laugh here>

Just another example of people sharing information about themselves without realizing it.

Soon I’ll be boarding a plane to Vegas for a week of information overload.  This year I am going with a less structured plan of attack.  Usually I try to schedule out my time at the conference, committing every waking hour to something…but not this time.  I haven’t committed to any sessions, meetings, interviews, parties, nada!  I feel less stressed about the week already.

A little story for all of you about a small start up firm I am helping.  Usually I don’t share these stories because we have an investment in the company but this is not the case here.  Too many startups are so interested in getting to market that they let everything else fall through the cracks, especially security.  These folks needed to get a server that is currently in someone’s home in California shipped out to their Massachusetts office.  My involvement was very limited, pretty much just telling them where to plug it in.  I can’t help but ask questions though…..so my involvement grew.

First basic question was how did they plan on protecting this server since all they had was a public IP address.  They hadn’t thought of that.  THEY WERE GOING TO PLUG THE SERVER DIRECTLY ONTO THE PUBLIC NETWORK!  That kicked off a quick lecture from me on why they need a firewall and general best practices.  Next question was whether their internal people needed access  to this server an how that was going to be accomplished.  Again….they hadn’t thought about that either.  They assumed the internal staff would magically have secure access to this server they were connecting only to the public network.  I could continue with these basic questions and the lack of answers but you get the idea.

To make the story better, they plan to go live this weekend.  The firewall is being delivered today and the server tomorrow.  All they will have access to are a few wall jacks that have been preconfigured, one with a public connection and one on a private VLAN.  They sublet space, so the in-house IT Staff where they work will not be around this weekend to assist in any issues that arise.    What if the firewall is DOA?  What if it never arrives?  What if FedEx doesn’t come through with the Saturday delivery to a closed office?  More stellar planning.

Glad it isn’t my server…

Well not really.  I disappeared for the past few months, no blog, no twitter, not much of anything except work and golf.  The project I was spending most of my time on after RSA was one I couldn’t really talk about without breaching agreements and getting in trouble so going dark for a bit seemed like a good idea.  A bit turned into much longer than I anticipated…think of it like a reboot, except interrupted by a BSOD that took me a while to recover from.  I did manage to shave 10 strokes off my golf game though so it wasn’t all bad.

Enough of that and onto a story that should make you shake your head.  About a month ago I had a meeting with the IT Leaders of various firms.  We covered some good topics and offered advice on how people could solve specific problems they were facing.  Most of these folks are intelligent, hardworking, and always willing to learn as well as teach when the opportunity arises.  Some however, well, not so much.  One conversation stood out and made me think WTF!  A particular firm is building a portal to allow their partners/customers to share information with them.  Contractors were implementing at the time of the meeting.  There were a slew of questions around implementation, maintenance, and security….none of which could be answered by the IT Director of the firm.

What ever happened to understanding your environment?  How can you be in charge of IT for an organization but not have the ability to explain how the pieces all go together?  I don’t know about you, but if I don’t fully understand how it works, how I will manage it, and the security implications of implementation it sure as hell is not going into production. Ugh!

A few months back Chris Hoff – then Chief Security Architect at Unisys challenged Simon Crosby – CTO at Citrix Systems to a sumo match.  My oh my that would have been fun to watch, but alas it never came to fruition.  I figured the next best thing would be to attend the Virtualization Security panel where the two of them could duel it out.  On the panel with them were Michael Berman – CTO at Catbird and Steve Herrod – CTO and VP of R&D at VMWare, the moderator was Andreas Antonopoulos – Sr. Vice President at Nemertes Research.  A good lineup for sure but would it live up to the hype?

It was very good, but it could have been even better.  Andreas did an excellent job keeping everyone in line so props to him for that.  Hoff was his usual self – poking, prodding and making his points as only he can.  Crosby was trying hard to push buttons and seemed to succeed but there were points he tried to make without any legit information.  Berman was very quiet and looked like he just wanted to stay out of the fray, probably a good choice.  Herrod had many opportunities to bitch slap Crosby and in turn Citrix but unfortunately he didn’t.  It was as if VMWare had put a gag order on him and gave him a script with a few phrases he was able to use.  If Herrod had been more open and direct this panel would have been UNBELIEVABLE!

Crosby is fun to listen to but sometimes taking him seriously is difficult.  For those who don’t know, he is of the belief that a virtualization platform company should secure the hypervisor but the remaining security in the virtual environment is someone else’s problem.  His justification for this statement is that they are not security companies and should leave that to the professionals.  He bashed VMSafe calling it weak, without ever seeing it mind you.  He actually called Herrod incompetent at implementing security and when Hoff spoke up mentioning that Steve is not actually implementing the security Crosby then said that all of VMWare is incompetent.  If he was on the street pitching this shit I would give him a few bucks thinking this poor crazy homeless guy needs something to eat before losing his mind.  If the CTO gig doesn’t pan out for him at least he has a fall back.  Seriously though, he is obviously a smart guy but seemed to just be tossing out the most absurd statements to get Herrod fired up hoping he would snap.

Herrod didn’t appear to be fired up but he should have been.  I wanted to hear the VMWare representative flex some muscle and teach Crosby a thing or two about why it is important for VMWare to roll security into the product.  There are so many examples he could have thrown out to prove his point, but he didn’t.  Instead VMWare got slapped around without any real defensive action, or worse, without any offensive action.  Luckily for Herrod and VMWare, The Hoff was on the panel.  Hoff had no problem calling Crosby out on his outlandish remarks and mostly played the role Herrod should have.  When he gets on a roll it is fun to watch, and he was rolling.  VMWare should pay him some serious cash for protecting them against the bully. 

Look, I don’t care that VMWare is not a security company.  I don’t care that their expertise isn’t on all things security.  As far as I am concerned they are taking steps toward helping their customers implement more secure virtualized environments than they have today and that is the right thing to do.  They will not get it 100% right out of the box, but something is better than nothing.

–DanO

Had a really good conversation with a group of guys this past week at RSA about some new technologies that are going to change, or try to change, different aspects of technology and specifically technology as we know it today.  I had a bunch of examples of things I’ve seen or people I have spoken with which stirred up a lot of conversation.  At the end I was asked why I don’t blog about all this cool new stuff hopefully coming down the pipeline.

The truth is I would love to but I also don’t want to get fired.  Working for an organization that invests in technology companies means I have to be careful about what I write about.  We have some cool portfolio companies, a few that are in stealth mode right now.  Writing about what they are doing and how would certainly increase my readership but at the expense of potentially saying something that needs to stay private.  This would not be good.  While I love blogging and sharing cool stuff with you guys, I love being able to pay my mortgage even more.

Another thing I would love to write about are start-ups that are doing something cool and are looking for funding.  This isn’t going happen much either because more than likely I am going to get them talking with our investment guys about a potential partnership.  I obviously don’t want to write about a company we are trying to fund and as a result drum up competition from a Venture firm.

So, that is why I don’t write about most of the new and cool stuff I see and work with.  Trust me, I would like to and it would mean more blogging for sure but I don’t think it would be a good move.  On that note, I love when friends or readers contact me with companies to look at, so keep them coming.  At least you know I won’t write about it. 

–DanO

I was put off by quite a few vendors this year because they didn’t have people that could answer basic technical questions.  At more than one booth I was told “The person I need to speak with isn’t here today but they would call me to set up a meeting tomorrow.”  Today?  You mean there is a whole day where you will not have anyone in the booth that can answer technical questions?  It isn’t like I was asking about the details of some crazy algorithm that creates the secret sauce.  This is pretty much what my booth questions are like:

• Give me your 30 second elevator pitch
• What are you doing differently from when I talked to you with last year?
• How do you differentiate yourself from your competitors in the space?
• What is a typical entry level price point?

I actually had people that couldn’t satisfy #1.  Not sure why they are employed and in your booth if they can’t get that one right.

What are you doing different compared to last years conference is an interesting question.  Many of the folks use the “I’m new here” excuse, having started in the past few months.  I don’t care if you started yesterday, know why your company is spending lots of money to have a booth.  Give me something to work with.

It is amazing to me how many vendors don’t know their competition.  Outside of just flat out not knowing, which is bad, lying is even worse.  I had the CTO of one company explain a feature they had that no one else in the space had.  It was actually a feature that is common amongst various competitors so I called him on it.  He disagreed, and then I explained how it works with a few of him competitors.  His response was: “Well yeah, but nobody implements it.”  Give me a break!

What really bothers me is when I ask about pricing and no one can give me numbers.  I understand my price will vary based on size, services, etc. but lets get past that and give me some ballpark numbers.  I do not want you taking my info to pass along to a sales person to then set up a meeting to talk about pricing.

For next year:  Know your company, your products, and your pricing.  In addition to that, know the same about your competitors!  Spend more money to staff the booth with intelligent people and less on the booth babes that can’t even tell me the company name without turning around to look at the signs.

–DanO

As many of you are aware, I spent last week in San Francisco attending the RSA Conference.  My blog qualifies for press creds which makes whether or not to attend a no brainer.  I am planning to break down bits and pieces of the conference over the next few days of blogging but here are some quick observations.

Attendance was down this year from previous.  Due to the economy this shouldn’t have been much of a surprise to anyone.  I don’t have any hard numbers but one RSA staffer mentioned 12k attendees this year compared to 17k last year.

Being as how I was there with press creds I felt obligated to talk with LOTS of vendors, afterall without them spending tons of cash for booths, parties, and advertising we wouldn’t be having this conference.  The vibe from vendors I spoke with was mixed.  On one side of the spectrum they were complaining about lower traffic and lack of interest from attendees but on the other side of the spectrum some vendors were claiming this to be the most successful conference they have ever been to (some citing deals being inked on the show floor).

I registered as Press but listed my employer on the badge.  This caused much confusion on behalf of the vendors.  When I asked a question they seemed conflicted with how to answer me, wanting to know if I am asking as a member of the press, an investor, or a potential client.  This should not be a major concern to a vendor when you are asked to give me your elevator pitch.  Next year I plan to keep it press oriented only.

The sessions I attended were good and were worth my time.  I wish there were sessions going on during keynotes so that you had a choice.  With that said I realize the vendors giving keynotes are paying mucho dollars to on stage and as a result the conference organizers want to make sure people attend.  And whats up with the Expo floor not opening until 11am….come on!

As with any conference some of the most interesting knowledge is picked up outside of the conference walls.  I was fortunate to meet up with some great people this trip for meals, drinks, parties, briefings, and even elevator rides.  I have lots to follow up on with these folks and some great ideas.

Last but not least I am glad to be home.  Echoed by many:  It was a long week.

–DanO

If you have nothing to do on Wednesday night then I have two good options for you.

The MIT Enterprise Forum is hosting a cloud computing event.  It looks like it will be an interesting event, and for $30 you can’t go wrong.

If the cloud isn’t your thing or you just can scrounge up $30 there is always BeanSec! Always a great time with great people.

I’ll be at the MIT event and if time allows will try to make an appearance at BeanSec!, hope to see you at one or the other.

–DanO

Last week I was at a conference for IT folks in the Private Equity and Venture Capital Industry.  It wasn’t a huge conference but there was some good people and good content being shared.  I gave a presentation on “Avoiding Virtual Fail” which basically touched on some common areas that virtualization projects fail and how to avoid letting that happen.  It was well received, and since I only had a week to pull it together I was happy with the results.  I may post the slides at some point.

Over drinks one night I decided to ask some of the attendees what worried them the most for 2009, what was their biggest concern.  I was expecting to hear about client side attacks, lack of visibility into their networks, or something along the technical lines.  Much to my surprise in most cases it came back to management.  Either they felt that their boss didn’t understand their role at the company, didn’t understand the risks associated with delaying or canceling projects, or flat out didn’t trust that their boss had their best interest in mind.

So we talked at length about dealing with management.  Getting them to understand IT’s role in the organization and how it can be a strategic component to the business.  Understanding the business and speaking of technology as it relates to the business is key.  Getting them to accept risk and properly document it.  If your boss tells you not to have any DR plan because it is unlikely that you will need one make sure he puts that in writing to you but also make sure you did all that you could to make him aware of the situation and what no DR plan will mean.  Lastly, if you seriously think your boss is out to get you it may be time to look for a new job.  Could you go over their head?  You could if your standing in the company is strong enough but make sure you want to pick that fight and think about what your end goal is.

One little blog post isn’t going to address the issues raised, nor did talking about it over multiple mojito’s at the bar….but it is fun to talk about.