What an interesting time to hold a technology conference. The DLA Piper Global Technology Leaders Summit last week brought together CXOs from Amazon, Walmart.com, Stanford, Safeway, Microsoft, Sun, Cisco and others to discuss the state of IT in general and how the economy is impacting it. Some highlights:

“Cloud computing for large enterprises is a dead duck, in the opinion of several venture capital firms.”

“The current slowdown in the U.S. macroeconomy is definitely going to hurt the IT industry, as it will most of the nation’s businesses, for at least the next year and most likely into the next two years.”

NetApp cancelled its first user conference slated for 2009 citing economy-driven restrictions on business travel.

We recently wrote about the possible upside for MSPs in this economic downtown. A survey from EquaTerra of more than 200 outsourcing service suppliers announced that “more than 40 percent of those polled had seen increased demand levels, despite the economic downturn.” The survey suggests that outsourcing projects are changing, with a strong focus on quick return on investment replacing longer-term initiatives to improve end-to-end business processes, according to InfoWorld. So as we saw during our own surveys this year, it looks like IT will spend time and money against the practical projects that should and could get done and not taking on ITIL and CMDB projects.

Jonathan Schwartz as a puppet talking about open source and his ponytail. The driest Sesame Street take-off you’ll ever see. Check out the video here. For those of you playing a drinking game at home, “ponytail”.

Denise Dubie posted a follow up to her article Novell’s Managed Objects buy, and shared insights from different commenters, including yours truly.

One of our favorites, the IT Skeptic was featured on John Willis’ blog this week, answering some questions about CMDB, ITSMF and more. He also provided his insight into IBM Tivoli, although he “tries to stay non-partisan”.

Inexplicable. HP posted Halloween-themed videos about datacenters on YouTube this week. Unlike the great IBM videos about the mainframe, these videos speak techno-babble without tempering the lingo with being funny or tongue-in-cheek. Various frightening creatures share information on service management processes and discuss virtualization techniques to help consolidate hardware. Scary.

But it is sometimes desirable to transition the employee out of the organization as quickly as possible. For example, you would not want a lame-duck network engineer to continue to have access to critical IT infrastructure. In such cases, it is appropriate to relieve the employee of keys, computer access and other company property and to escort him or her off the premises immediately.

Of course, it’s good to plan ahead for this event — make sure all critical admins are documenting their jobs, and keeping documentation for their network as they go. It would be highly annoying, and probably embarrassing, to escort your newly resigned network admin off premises, only to realize he was the only guy who knew how to access your important file systems.

Image via Wikipedia

Much has been written lately about annoying sales tactics and how many in the security field try to duck vendor calls.  Believe it or not, I get my share of annoying sales calls as well.  Whether it is the great conference that is being organized with all of the CIOs that I would ever want to speak to or the latest, greatest new product that is going to make my life easier and define the road to riches, I am swamped with spam telephone calls (on my cell phone no less) every day. 

One thing that I have come to see is that many of these unsolicited calls come in with an unknown caller ID. I don't mean no name for entity, but no number either.  Most of these people don't leave a voice mail either, they just keep calling until the get an answer.  My view is that if the caller has to go to the effort of hiding their name and number, than they have something to hide and are not being upfront.  I don't want to do business with anyone like that. I think this just puts two strikes against anyone calling.  Why are you hiding who you are?  Are you ashamed of what you are doing?

So here is my Shimel rule on sales calls. If your caller ID does not identify you, than I don't want to talk to you!

Image via Wikipedia

Much has been written lately about annoying sales tactics and how many in the security field try to duck vendor calls.  Believe it or not, I get my share of annoying sales calls as well.  Whether it is the great conference that is being organized with all of the CIOs that I would ever want to speak to or the latest, greatest new product that is going to make my life easier and define the road to riches, I am swamped with spam telephone calls (on my cell phone no less) every day. 

One thing that I have come to see is that many of these unsolicited calls come in with an unknown caller ID. I don't mean no name for entity, but no number either.  Most of these people don't leave a voice mail either, they just keep calling until the get an answer.  My view is that if the caller has to go to the effort of hiding their name and number, than they have something to hide and are not being upfront.  I don't want to do business with anyone like that. I think this just puts two strikes against anyone calling.  Why are you hiding who you are?  Are you ashamed of what you are doing?

So here is my Shimel rule on sales calls. If your caller ID does not identify you, than I don't want to talk to you!

Whether it is a train fire, a highrise building fire or worse. People should have more protection than a necktie, their shirt or paper towel to cover their mouth, nose and eyes. As you know an emergency can happen at anytime and in anyplace, leaving one vulnerable. Don't be a sitting duck. The Subivor® Subway Emergency Kit can aid you in seeing and breathing while exiting. This all-in-one compact, portable and easy to use subway emergency kit contains some items never seen before in a kit.

This could have won my Third Movie-Plot Threat Contest.

The 26th episode of The Silver Bullet Security Podcast features Adam Shostack, a security expert on Microsoft’s Secure Development Lifecycle team who has also worked for Zero Knowledge and Reflective. Gary and Adam discuss how Adam got started in computer security, how art/literature informs Adam’s current work, and the main ideas behind Adam’s new book The New School of Information Security. They go on to chat about Adam’s aversion to the term “best practices,” the role IEEE Security & Privacy magazine plays in bringing the science of security to a practical level, and whether the biggest problem of the CardSystems breach was the following the letter, rather than the spirit, of PCI. Also on the agenda, duck-billed platypuses, Kandinski, and books by Pynchon.

(Beginning with this episode, Silver Bullet will be available as a 192k MP3.)

• Emergent Chaos blog
• The New School of Information Security
• Microsoft’s SDL
• Cigital’s Touchpoints
• IEEE Security & Privacy magazine
• Wassily Kandinsky
• The CardSystems breach (2005)
• Thomas Pynchon

I had an interesting meeting with Microsoft on NAP the other day.  While, I think you would have to pretty delusional to not realize that eventually NAP will dominate pre-connect health checks of devices, I was surprised at the "Microsoft-ease" they still speak about around NAP. First of all they insist that NAP is not a product or even in deference to my friend Hoff, a feature. Instead NAP is a platform. Implying that other products will run on top of it. Next they again reiterated what we have heard before, that NAP is not a security tool, but just a real estate play.  Enabling devices to be up to spec.

My take on this is I don't know if the Microsoft folks are being disingenuous regarding these two points or just are they that naive?  My gut tells me that Microsoft is usually not naive.Yes, third party vendors can show that they can add more tests than NAP will have. Yes, you can use SHVs and SHAs, but how much are people really going to value them?  You can take the information it generates and do some reporting around it. But lets be clear the NAP "platform" is most certainly going to be used as a product. 

It will be used as a product, it will be a security product at that.  Configuration management could be said to be borderline security by some.  But when you add the ability to deny access to those not up to snuff on configuration, I think you have clearly crossed the line into security.  I think Microsoft would come of better saying that NAP is not meant to keep out the determined hacker, but saying it is not a security tool just doesn't ring well.

So what is the rest of the NAC vendor world to do?  Should we all pack up and follow Vernier and Lockdown to the next cool thing?  No, not at all.  I think there are exciting opportunities at hand with NAP. Yes it is a security product, but it also is an enabler for more NAC features. The successful NAC vendor has to figure out what those are and capitalize on them.  Also NAP is all about health checks.  Post-connect, identity based NAC and other NAC  features can be used here to enhance the health checks.  Overall NAP will drive the NAC market to move beyond just health checks and that will be a good thing for the NAC market and customers.  But guys lets be real, it is a security product!

I had an interesting meeting with Microsoft on NAP the other day.  While, I think you would have to pretty delusional to not realize that eventually NAP will dominate pre-connect health checks of devices, I was surprised at the "Microsoft-ease" they still speak about around NAP. First of all they insist that NAP is not a product or even in deference to my friend Hoff, a feature. Instead NAP is a platform. Implying that other products will run on top of it. Next they again reiterated what we have heard before, that NAP is not a security tool, but just a real estate play.  Enabling devices to be up to spec.

My take on this is I don't know if the Microsoft folks are being disingenuous regarding these two points or just are they that naive?  My gut tells me that Microsoft is usually not naive.Yes, third party vendors can show that they can add more tests than NAP will have. Yes, you can use SHVs and SHAs, but how much are people really going to value them?  You can take the information it generates and do some reporting around it. But lets be clear the NAP "platform" is most certainly going to be used as a product. 

It will be used as a product, it will be a security product at that.  Configuration management could be said to be borderline security by some.  But when you add the ability to deny access to those not up to snuff on configuration, I think you have clearly crossed the line into security.  I think Microsoft would come of better saying that NAP is not meant to keep out the determined hacker, but saying it is not a security tool just doesn't ring well.

So what is the rest of the NAC vendor world to do?  Should we all pack up and follow Vernier and Lockdown to the next cool thing?  No, not at all.  I think there are exciting opportunities at hand with NAP. Yes it is a security product, but it also is an enabler for more NAC features. The successful NAC vendor has to figure out what those are and capitalize on them.  Also NAP is all about health checks.  Post-connect, identity based NAC and other NAC  features can be used here to enhance the health checks.  Overall NAP will drive the NAC market to move beyond just health checks and that will be a good thing for the NAC market and customers.  But guys lets be real, it is a security product!