In a presentation late last week at the Director of National Intelligence Open Source Conference in Washington, Dr. Dwight Toavs, a professor at the Pentagon-funded National Defense University, gave a bit of a primer on virtual worlds to an audience largely ignorant about what happens in these online spaces. Then he launched into a scenario, to demonstrate how a meatspace plot might be hidden by in-game chatter.

In it, two World of Warcraft players discuss a raid on the "White Keep" inside the "Stonetalon Mountains." The major objective is to set off a "Dragon Fire spell" inside, and make off with "110 Gold and 234 Silver" in treasure. "No one will dance there for a hundred years after this spell is cast," one player, "war_monger," crows.

Except, in this case, the White Keep is at 1600 Pennsylvania Avenue. "Dragon Fire" is an unconventional weapon. And "110 Gold and 234 Silver" tells the plotters how to align the game's map with one of Washington, D.C.

I don't know why he thinks that the terrorists will use World of Warcraft and not some other online world. Or Facebook. Or Usenet. Or a chat room. Or e-mail. Or the telephone. I don't even know why the particular form of communication is in any way important.

The article ends with this nice paragraph:

Steven Aftergood, the Federation of the American Scientists analyst who's been following the intelligence community for years, wonders how realistic these sorts of scenarios are, really. "This concern is out there. But it has to be viewed in context. It's the job of intelligence agencies to anticipate threats and counter them. With that orientation, they're always going to give more weight to a particular scenario than an objective analysis would allow," he tells Danger Room. "Could terrorists use Second Life? Sure, they can use anything. But is it a significant augmentation? That's not obvious. It's a scenario that an intelligence officer is duty-bound to consider. That's all."

My guess is still that some clever Pentagon researchers have figured out how to play World of Warcraft on the job, and they're not giving that perk up anytime soon.

As some of you may know Richard Stiennon and I have had our disagreements over the years around NAC.  But say what you want about Rich, at least he had the stones to ask what many of you would probably like to ask but wouldn't. Here is Rich's comment and my reply:

Posted by Stiennon: OK, so one well regarded security company turns out not to be that successful after all. As you point out Allen, from the press releases everything seemed like it was going great for Lockdown. As you know I think NAC is a waste of time (the health checking part, not the access control part). And of course I am going to say that companies founded on purely bad concepts like admission control are going to fail and Lockdown is a great example. So here is the question, thou supporter of NAC. How are we to know whether or not StillSecure is on the brink of shuttering its doors as well? How can you assure us that NAC is such a great concept that customers are beating down your doors to get some of that magic? Just wondering..... -Stiennon

Richard, first of all thanks for the opportunity to respond. Secondly, you would think after all this time you would know that my name is spelled Alan.  With that out of the way, lets dive in here. 

First of all on your characterization of NAC being all about health checking, Richard NAC has grown beyond that a long time ago and I don't see much sense in us wasting time on that one.  But for the record maybe you should let Microsoft, Symantec, McAfee and all the rest of the host based health checkers in on your revelation.

Next Richard, who said Lockdown was a well regarded security company and that it was founded on a pure concept of admission control?  You know what happens when you ass-u-me Richard, don't you?  I have been out here hammering on a lot of these companies that I don't think have real solutions.  There has been a ton of smoke and mirror games from marketing people (you wouldn't know about any of that would you Richard?).  When I called these companies on the BS, too many people said I was just being biased against them.

You don't see StillSecure putting out those kinds of releases. Fact is Lockdown with all due respect to the folks there, was set up from the beginning to be a quick flip.  It was a speculative an endeavor as some of the condo owners who are left holding the bag down here in South Florida.  They were going to do something around vulnerability management and flip this quick.  Richard, I have been there.  When you dress up a pig for market, often times you end up with a dressed up pig. No amount of lipstick is going to help. On the other hand, we just keep executing.  At the end of the day Richard, companies who succeed are companies that execute.  You have certainly been at your share of companies and should know that by now.

Now lets get down to brass tacks.  Just because Lockdown and a few other NAC companies that did not have competitive products went out of business, does that mean all NAC companies are going out of business?  Talk about painting with a broad brush Richard!  Thats like saying all analysts are ignorant because look how many times some of their predictions are wrong (anybody see any IDS out there today?)  Not all analysts are ignorant Richard, just the ones who keep making the wrong assumptions and predictions (and they usually wind up going to VP of marketing roles).  Cream always rises to the top Richard and quality never goes out of style. If you have a product that works and solves peoples problems you will do fine.

As far as living up to expectations, that is a question of whose expectations. It was no secret that the analysts were smoking their socks with some of the numbers being thrown around regarding NAC. The fact that you call it magic should not be lost on you or others.  NAC ain't magic, it is bread and potatoes security. Internally here at StillSecure we always had our own internal compass and business plan guiding us.  According to those, our NAC product is doing just fine, thanks! Also remember that StillSecure has a number of products that actually work well together, so we are not overly dependant on any one of our products.  That is smart business Richard. Again, to paraphrase Al Davis, "just execute baby!"

Are customers beating our door down?  I think so, but frankly our goal is to have our customers beat our partners doors down and that is happening too.  A key difference in our NAC plan was having distribution partners in the "network fabric". We have accomplished that goal and it serves us well. NAC for us continues to evolve and grow, but we are doing just fine with it.  We don't do rah, rah BS press release stuff, but you know Richard there is a saying in NY that I learned as a little boy growing up.  I am sure you probably never heard it in the mid-west.  It goes something like this:  "Those who know don't talk and those who talk don't know"  Those that need to know about our financial position know.  The fact that you question our position I guess means you have been placed in the category of the don't need to knows. Sorry Richard.

As some of you may know Richard Stiennon and I have had our disagreements over the years around NAC.  But say what you want about Rich, at least he had the stones to ask what many of you would probably like to ask but wouldn't. Here is Rich's comment and my reply:

Posted by Stiennon: OK, so one well regarded security company turns out not to be that successful after all. As you point out Allen, from the press releases everything seemed like it was going great for Lockdown. As you know I think NAC is a waste of time (the health checking part, not the access control part). And of course I am going to say that companies founded on purely bad concepts like admission control are going to fail and Lockdown is a great example. So here is the question, thou supporter of NAC. How are we to know whether or not StillSecure is on the brink of shuttering its doors as well? How can you assure us that NAC is such a great concept that customers are beating down your doors to get some of that magic? Just wondering..... -Stiennon

Richard, first of all thanks for the opportunity to respond. Secondly, you would think after all this time you would know that my name is spelled Alan.  With that out of the way, lets dive in here. 

First of all on your characterization of NAC being all about health checking, Richard NAC has grown beyond that a long time ago and I don't see much sense in us wasting time on that one.  But for the record maybe you should let Microsoft, Symantec, McAfee and all the rest of the host based health checkers in on your revelation.

Next Richard, who said Lockdown was a well regarded security company and that it was founded on a pure concept of admission control?  You know what happens when you ass-u-me Richard, don't you?  I have been out here hammering on a lot of these companies that I don't think have real solutions.  There has been a ton of smoke and mirror games from marketing people (you wouldn't know about any of that would you Richard?).  When I called these companies on the BS, too many people said I was just being biased against them.

You don't see StillSecure putting out those kinds of releases. Fact is Lockdown with all due respect to the folks there, was set up from the beginning to be a quick flip.  It was a speculative an endeavor as some of the condo owners who are left holding the bag down here in South Florida.  They were going to do something around vulnerability management and flip this quick.  Richard, I have been there.  When you dress up a pig for market, often times you end up with a dressed up pig. No amount of lipstick is going to help. On the other hand, we just keep executing.  At the end of the day Richard, companies who succeed are companies that execute.  You have certainly been at your share of companies and should know that by now.

Now lets get down to brass tacks.  Just because Lockdown and a few other NAC companies that did not have competitive products went out of business, does that mean all NAC companies are going out of business?  Talk about painting with a broad brush Richard!  Thats like saying all analysts are ignorant because look how many times some of their predictions are wrong (anybody see any IDS out there today?)  Not all analysts are ignorant Richard, just the ones who keep making the wrong assumptions and predictions (and they usually wind up going to VP of marketing roles).  Cream always rises to the top Richard and quality never goes out of style. If you have a product that works and solves peoples problems you will do fine.

As far as living up to expectations, that is a question of whose expectations. It was no secret that the analysts were smoking their socks with some of the numbers being thrown around regarding NAC. The fact that you call it magic should not be lost on you or others.  NAC ain't magic, it is bread and potatoes security. Internally here at StillSecure we always had our own internal compass and business plan guiding us.  According to those, our NAC product is doing just fine, thanks! Also remember that StillSecure has a number of products that actually work well together, so we are not overly dependant on any one of our products.  That is smart business Richard. Again, to paraphrase Al Davis, "just execute baby!"

Are customers beating our door down?  I think so, but frankly our goal is to have our customers beat our partners doors down and that is happening too.  A key difference in our NAC plan was having distribution partners in the "network fabric". We have accomplished that goal and it serves us well. NAC for us continues to evolve and grow, but we are doing just fine with it.  We don't do rah, rah BS press release stuff, but you know Richard there is a saying in NY that I learned as a little boy growing up.  I am sure you probably never heard it in the mid-west.  It goes something like this:  "Those who know don't talk and those who talk don't know"  Those that need to know about our financial position know.  The fact that you question our position I guess means you have been placed in the category of the don't need to knows. Sorry Richard.

The other night I was reading Hans Christian Andersen's classic "The Emperors New Clothes" with 6 year old Bradley.  Bradley cracked up that the king was walking around naked.  I was reminded about how no one wants to be thought of as ignorant or not fit for their job, so they will say and do things that they think other people want to hear.  It is a great, timeless story.  Today, I had my own emperors new clothes experience.

For the past several days I have been writing about this whole Barracuda-Trend Micro affair.  In several articles I used the word Calvary. I was talking about the soldiers riding in on the horses.  Every time I wrote it though I kept getting visions of a cemetery out on Long Island.  Finally, someone had the gumption to write me today and tell me that I meant cavalry, not Calvary.  Well I certainly felt like the emperor with no clothes!

I apologize for my butchery of the English language.  I am also grateful to Jack Walsh for pointing out my error. To the rest of you I ask:  (fixed after the fact) Were you not reading? Were you afraid to be wrong, so didn't want to say anything?  Did you not realize that this was wrong? Or perhaps you just took silent satisfaction in seeing me mess up?  In any event below are the definitions of the two words. I was right Calvary is the place where the crucifixion took place and there is a cemetery in Long Island by the same name.


Cal·va·ry /ˈkælvəri/ Pronunciation Key - Show Spelled Pronunciation[kal-vuh-ree] Pronunciation Key - Show IPA Pronunciation
–noun, plural -ries for 2, 3.
1. Golgotha, the place where Jesus was crucified. Luke 23:33.
2. (often lowercase) a sculptured representation of the Crucifixion, usually erected in the open air.
3. (lowercase) an experience or occasion of extreme suffering, esp. mental suffering.

cav·al·ry   /ˈkævəlri/ Pronunciation Key - Show Spelled Pronunciation[kav-uhl-ree] Pronunciation Key - Show IPA Pronunciation –noun, plural -ries.

1.	Military. a. the part of a military force composed of troops that serve on horseback. b. mounted soldiers collectively. c. the motorized, armored units of a military force organized for maximum mobility.