This reality of the information age might be particularly stark for the president, but it's no less true for all of us. Conversation used to be ephemeral. Whether face-to-face or by phone, we could be reasonably sure that what we said disappeared as soon as we said it. Organized crime bosses worried about phone taps and room bugs, but that was the exception. Privacy was just assumed.

This has changed. We chat in e-mail, over SMS and IM, and on social networking websites like Facebook, MySpace, and LiveJournal. We blog and we Twitter. These conversations -- with friends, lovers, colleagues, members of our cabinet -- are not ephemeral; they leave their own electronic trails.

We know this intellectually, but we haven't truly internalized it. We type on, engrossed in conversation, forgetting we're being recorded and those recordings might come back to haunt us later.

Oliver North learned this, way back in 1987, when messages he thought he had deleted were saved by the White House PROFS system, and then subpoenaed in the Iran-Contra affair. Bill Gates learned this in 1998 when his conversational e-mails were provided to opposing counsel as part of the antitrust litigation discovery process. Mark Foley learned this in 2006 when his instant messages were saved and made public by the underage men he talked to. Paris Hilton learned this in 2005 when her cell phone account was hacked, and Sarah Palin learned it earlier this year when her Yahoo e-mail account was hacked. Someone in George W. Bush's administration learned this, and millions of e-mails went mysteriously and conveniently missing.

Ephemeral conversation is dying.

Cardinal Richelieu famously said, :If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged." When all our ephemeral conversations can be saved for later examination, different rules have to apply. Conversation is not the same thing as correspondence. Words uttered in haste over morning coffee, whether spoken in a coffee shop or thumbed on a Blackberry, are not official pronouncements. Discussions in a meeting, whether held in a boardroom or a chat room, are not the same as answers at a press conference. And privacy isn't just about having something to hide; it has enormous value to democracy, liberty, and our basic humanity.

We can't turn back technology; electronic communications are here to stay and even our voice conversations are threatened. But as technology makes our conversations less ephemeral, we need laws to step in and safeguard ephemeral conversation. We need a comprehensive data privacy law, protecting our data and communications regardless of where it is stored or how it is processed. We need laws forcing companies to keep it private and delete it as soon as it is no longer needed. Laws requiring ISPs to store e-mails and other personal communications are exactly what we don't need.

Rules pertaining to government need to be different, because of the power differential. Subjecting the president's communications to eventual public review increases liberty because it reduces the government's power with respect to the people. Subjecting our communications to government review decreases liberty because it reduces our power with respect to the government. The president, as well as other members of government, need some ability to converse ephemerally -- just as they're allowed to have unrecorded meetings and phone calls -- but more of their actions need to be subject to public scrutiny.

But laws can only go so far. Law or no law, when something is made public it's too late. And many of us like having complete records of all our e-mail at our fingertips; it's like our offline brains.

In the end, this is cultural.

The Internet is the greatest generation gap since rock and roll. We're now witnessing one aspect of that generation gap: the younger generation chats digitally, and the older generation treats those chats as written correspondence. Until our CEOs blog, our Congressmen Twitter, and our world leaders send each other LOLcats – until we have a Presidential election where both candidates have a complete history on social networking sites from before they were teenagers– we aren't fully an information age society.

When everyone leaves a public digital trail of their personal thoughts since birth, no one will think twice about it being there. Obama might be on the younger side of the generation gap, but the rules he's operating under were written by the older side. It will take another generation before society's tolerance for digital ephemera changes.

This essay previously appeared on The Wall Street Journal website (not the print newspaper), and is an update of something I wrote previously.

After meetings and calls, I was finally able to slip into a conference session – just in time to catch uber-smart analysts Rachel Chalmers (The 451 Group) and Dan Golding (Tier1 Research) engage in a lively and not-so-mock debate on “Hosting Meets the Cloud”.

Now this doesn’t cover the entire debate – and part II is coming tomorrow. But what it does cover is the most interesting questions (to me) and paraphrase the points made by the analysts. I thought they both had very interesting points and more similarities than differences in the end; the real difference is how they thought about the issues and through what lens – for Rachel it was the enterprise and for Dan it was managed hosting providers. (image from inmagine)

Question: What is a cloud and why?

Dan: Shared infrastructure leveraged/run by third parties for the benefit of enterprises, developers, etc. This is not a new idea – just recently “rebranded.” Given all the discussion and disagreement over this now, what will the cloud end up looking like?

Rachel: The cloud is “IT infrastructure as a service” down to the level of a server operating system. Take the example of Amazon web services – in this case it’s not just the infrastructure but also the internal processes built around service delivery, e.g., provisioning, that are being exposed as a commodity to external customers.

Dan’s Question for Rachel: In your opinion, how much is the cloud a fad versus CIOs really trying to solve a problem?

Rachel: For the practical, roll-up-your-sleeves types of CIOs – those coming up from the engineering ranks – that I talk to, the cloud is real, as opposed to SOA and middleware.

What about “internal” cloud computing – built and maintained by an enterprise versus a third-party provider?

Dan: Cloud computing is done by providers for customers. Certainly there are enterprises that have made internal computing investments, e.g., for publishing, large-scale phone systems, etc - but they were stupid ideas made by companies that have too much money. A better question here is does it make any sense for an enterprise to create their own cloud? While an enterprise can play at it, they can’t do it cost-effectively, not in a way that a third party provider can do it.

Rachel: Many CIOs have “managed-hoster” envy – for things like chargeback and billing that hosters understand a do better. Of course there has been a rise in automation and virtualization tools in the enterprise which may not be as efficient and built for scalability as a hoster can achieve, but what is important is that they are customized/specialized for that business.

Dan: Can you give a specific example of optimization to make it worthwhile for enterprises to do it themselves?

Rachel: One example is sovereignty. The privacy laws around financial and healthcare information are not the same everywhere. Clouds and their geographically-dispersed data centers don’t necessarily have “national” borders. This is definitely a concern for the CIO that has to comply with regulations in their industry around privacy protection, for instance. Another example is security. Dow Chemical does a lot of work via joint ventures and has a need to provide but lock down desktops given to contractors as corporate workspaces. For their level of security, they need to “own” their computing resources.

Dan: But why can’t someone like SunGard provide that as they do for many other large companies?

Rachel: It comes down to a question of trust.

Do people trust their hosting providers?

Dan: Yes. Whether it’s for a content delivery network or collocation, hosting the customers of hosting providers are some of the largest companies in the world in industries like energy and financial services. Give me a case when there was a major security issue with a hosting company. In fact, managed hosting providers usually provide better security than enterprises are capable of.

And a question provided by an attendee from EMC: A few years ago, this would have been a grid discussion. How is the cloud different?

Rachel: Grid computing ended up being applicable only for niches – which I predicted. The real opportunity for everyone else with the cloud only comes up when you combine the kinds of automation tools (originally developed for grid computing) with x86 virtualization.

Dan: I agree. Grid was a niche play. There were very few orgs that needed it and that the economics worked for. There were very few enterprises for whom it made sense to build their own for. The cloud is shared/leveraged versus grid computing. It economically makes sense in a way grid never did.

Steps are now being taken, rather faster since Dan Kaminsky came up with a really effective DNS poisoning attack, to secure DNS by using DNSSEC.

The basic idea of DNSSEC is that when you get an answer from the DNS it will be signed by someone you trust. At some point the “trust anchor” for the system will be “.” the DNS root, but for the moment there’s just a handful of “trust anchors” one level down from that. One such anchor is the “.se” country code domain for Sweden. Additionally, Brazil (.br), Puerto Rico (.pr), and Bulgaria (.bg) have signed their zones, but that’s about it for today.

So, wishing to get some experience with the brave new world of DNSSEC, I decided that Sweden was the “in” place to be, and to purchase “cloudba.se” and roll out my first DNSSEC signed domain.

The purchase wasn’t as easy as it might have been — when you buy a domain, Sweden insists that people provide their identity numbers (albeit they have absolutely no way of checking if you’re telling the truth) — or if a company they want a VAT or registration number (which are checkable, albeit I suspect they didn’t bother). I also found that they don’t like spaces in the VAT number — which held things up for a while!

However, eventually they sent me a PGP signed email to tell me I was now the proud owner of “cloudba.se”. Unfortunately, this email wasn’t in RFC3156 PGP/MIME format (or any other format that my usually pretty capable email client understood).

The email was signed with key 0xF440EE9B which was reassuring because the .se registry gives the fingerprint for this key on their website here. Rather less reassuringly footnote (*) next to the fingerprint says “.SE signature for outgoing e-mail. (**) June 1 through August 31.” (the (**) is for a second level of footnote, which is absent — and of course it is now September).

They also enable you to fetch the key through a link on this page to their “PGP nyckel-ID” at http://subkeys.pgp.net.

Unfortunately, fetching the key shows that the signature on the email is invalid.

Since the email seems to have originated in the Windows world, but was signed on a Linux box (giving it a mixture of 0D 0A and 0A line endings), then pushed through a three year old copy of MIME-tools I suppose the failure isn’t too surprising. But strictly the invalid signature means that I shouldn’t trust the email’s contents at all — because the contents have definitely been tampered with since the signature was applied.

Since the point of the email was to get me to login for the first time to the registry website and set my password to control the domain, this is a little unfortunate.

Even if the signature had been correct, then should I trust the PGP key?

Well it is pointed to from the registry website which is a Good Thing. However, they do themselves no favours by referencing a version on the public key servers. I checked who had signed the key (which is an alternative way of trusting its provenance — since the email had arrived to a non-DNSSEC secured domain). Turned out there was no-one I knew, and of 4 individual signatures, 2 were from expired keys. The other signature was the IIS root key — which sounds promising. That has 8 signatures, once again not people I know — but only 1 from a non-expired key, so perhaps I can get to know some of the other 7?

Of course, anyone can sign a key on a public key server, so perhaps it makes sense for .se to suggest that people fetch a key with as many signatures as possible — there’s more chance of it being signed by someone they know. Anyway, I have now added my own signature, using an email address at my nice shiny new domain. However, it is possible that I may not have increased the level of trust

He’s a bit indignant that so much energy goes to sporting events like the Olympics rather than more important news that isn’t getting reported around the world.

This is in a year when tons of journalists are getting laid off.

This is in a year when there are tons of stories around the world that aren’t getting reported on.

Could we take half of those photographers and send them to Russia, for instance

Reminds me of a feeling I had back in college as an undergrad student studying social sciences and humanities, about the way my friends who were physicists interacted with the world. They were so awed by the stars, Mars, astrophysics, and it seemed to me interesting but altogether unimportant. They argued they may find something outside our planet that could help solve Earth-bound problems like disease, or find the origins of earth and humanity — but really they were doing it because they loved it. One of my friends had a good argument, though — there are enough people right now that we can specialize in what we care about, and there will still be others covering other topics. He could be a physicist and look into the universe’s origin, while I studied social interaction and writing, and our other friends looked into solving cancer or eradicating invasive plants in the native wetlands. We have to specialize, and there are enough of us to do it too.

I think it’s the same way in journalism — whether it’s sports, celebrity journalism, or coverage of politics and war, there are a lot of opportunities right now for journalists. Of course the business model is changing, and some old-schoolers won’t know how to roll with that, but generations change slowly; we’re learning.

Also, the Olympics is seen as more than a sporting event, it’s also a symbol of world competition and cooperation too — a way for countries to come together and share entertainment globally. I think that’s worth covering.

In the second post, Robert Scoble says there are plenty of great journalists but the public doesn’t care. In some ways I have to agree with that, but I don’t think it’s negative, necessarily. I had a conversation with someone the other day about world news reportage. He says, “I was just reading this story, but what does it matter to me if there’s a flood in some city in another country I’ll never visit and some farmer lost his sheep?” World news is only important when it’s relevant, so it’s no wonder that many people don’t care — if they don’t know much about the area, and it doesn’t affect them, they have no incentive to give it full attention. You can call that apathy, but I think it’s an important selectivity skill that humans have. We have to choose what to give priority to, so if nothing stands out as being particularly important, we just ignore it or gloss over it. Human nature…

Also I think the common person today just gets desensitized and doesn’t know where to turn their energy, when surrounded by so many crises. Either you focus on one specialty and do your best to work toward one cause in your life — and maybe that’s just in the course of your daily work — or you become a complete Attention-Deficit-Disorder case and bounce from one problem to the next, without knowing how to solve anything. That just causes a sense of bewilderment, despair, and either that bogs you down or eventually you get desensitized.

There’s a commenter on Scoble’s blog, Spencer, who talks about this generation’s apathy. There are so many people who want to blame today’s generation or the young generation for this “apathy” that they sense. But I see it as a survival mechanism that arises from the way information flows these days. We’re surrounded by crises, everyone wants us to know about them — the water shortage, global warming, death in Iraq, the national deficit. Okay, crisis, I get it. But no one gives a real clear idea on what any individual is really supposed to do to solve the problem. You can’t get involved with one global cause, without ignoring all the others, and if you do get involved it’s likely to become your life’s purpose. Most people are concerned with other things — their families, their work, personal development, their homes and futures, and really that’s enough to take up all their time.

I’m always amazed when I read about the early unionists. Emma Goldman for example, the activist who pushed for the 8-hr workday, and campaigned for free love in the early 1900s when women were still wearing corsets, used to work 16 hour factory days as a seamstress, then lead meetings late into the night. Today we lead cushy lives comparatively–8 hour days, plus commute and lunch, family time, dinner time, gym maybe, sleep… but it still doesn’t seem like we ever have enough energy and time.

What Emma had that most people today don’t, is a community living in the same conditions as herself, with clear goals about what they were campaigning for, and a cause that affected their own daily lives. Today, unionism and local activism is in much shorter supply, in part due to the many people who work fairly comfy desk jobs, and the problem that everyone has his own specialization, works in a cubicle, does his or her own thing. The problems we’re facing today in terms of global warming, global water shortage, aren’t the same kinds of problems that activists have fought for in the past, and there’s no clear road map for how to solve them. Our leaders sure aren’t leading the way.

What we do have, at least, is the Olympics, which is an age old symbol of international cooperation, play and competition…so, uh, go sports! As for full disclosure, I don’t actually have a TV and haven’t watched the Olympics in many years, but I do try taking short showers–does that help?

For the third year in a row, the government’s overall FISMA grade improved. But don’t get too excited; the grade only improved from a C- to a C this year. (And D+ in 2005).

But there’s a lot to hide in an “average grade”. Turns out that the reality is a split between overachievers and underachievers.

The agencies/departments with a grade of A-, A or A+:

• Department of Justice
• US AID
• EPA
• NSF
• SSA
• HUD
• OPM (I would hope so)

And, sadly the ones that got an F:

• Department of the Interior
• Department of Treasury
• Nuclear Regulatory Commission
• Department of Veterans Affairs
• Department of Agriculture

FISMA (Federal Information Security Management Act) became a federal law back in 2002 as part of the E-Government Act. Six years later, there has been improvement, but there’s still clearly a long way to go.

So what’s the disconnect? Speaking from a vendor perspective, we’ve had first-hand experience with the lack of actionable, concrete guidelines around FISMA – for processes, monitoring and check-list assessment items. We even contacted NIST directly to get more guidance on how their very broad guidelines should be translated to actual features and reporting in something like our monitoring solution. The end goal, after all, is to help our government customers not only meet the FISMA requirements but also to be seen/assessed as meeting those requirements. As we do for other compliance/governance requirements like Sarbanes-Oxley, the more that EM7 can automate and report on, the better.

But that leads to the second issue here. How accurate is the FISMA scorecard? SC Magazine writes, “Many have seen organizations get an A when they believe they should have received an F, and vice versa” and some experts “blame this on the lack of a standardized evaluation, as well as censorship among auditors.” There’s talk about language ambiguities and opinions that the scorecard is not “one size fits all” – that small agencies face different IT security challenges than the big guys.

So what’s right about FISMA? We can point to a heightened awareness about the importance of security and the “security picture” in each federal agency. Certainly, from our own survey at FOSE, we saw the difference just from last year to this one:

• 91% surveyed said FISMA was important (up from 66% last year)
• Over 50% had solutions installed to help with FISMA (up from only 14% last year)

Based on these numbers, we’re not surprised to see the FISMA average grade go up, but we expected it to be even higher. So what will it take to get the government on the honor roll? From Rep. Tom Davis, “We need to seriously consider incentives for agency success and funding penalties and personnel reforms for agencies that don’t measure up…We need a bill with teeth, and we need agencies to understand the goal is to keep information safe, not to check a statutory box.”

ShareThis

The thing is that developers are at least a decade ahead of the infosec people who continue to roll like its 1995 with SSL and network firewalls. By itself this is already a problem, but its made worse because attackers are a decade ahead as well.

By now you have probably heard that Brocade is making a big push from storage networking switches into Ethernet switches by buying Foundry Networks for almost 3 billion in cash.  Actually the deal is valued at about 2.8 billion.  However, Foundry has about 800 million or so in cash and liquid assets.  So taking that into account, the deal is for about 2 billion really, according to the San Jose Mercury News. Still that is quite a number when you consider that $18.50 of the $19.25 price per share is in cash.  That works out to about 2.7 billion.  Considering Brocade only had about 700 to 800 million in cash itself, that means someone is lending them about a billion and half.  Again according the Mercury News, it is Bank of America and Morgan Stanley. This is a 41% premium over Foundry's closing price.  Pretty sweet!

The real question is what does Brocade do with this.  With all of that debt, do they have what it takes to go on and take on Cisco now?  The highways and byways of Silicon Valley are littered with companies that have tried to take Cisco out of this market.  What about the 7 dwarfs who currently compete in this market.  Companies like HP ProCurve, Extreme Networks, Nortel, Enterasys, Alcatel-Lucent and Force 10 are not small little companies. These are companies with 100's of millions, if not billions of dollars of market cap themselves.  They are not going to roll over and die here. Will this set off a round of consolidation for these players to bulk up in order to compete in this brave new world of networking? I think so. What about next gen secure switches like ConSentry, Nevis and Napera? Or some of the other smaller switch vendors like D-link?  Do they view this a a good opportunity to get bought by one of the giants or do they think they can run through the legs of these giants?  I don't know but it is going to be a high barrier of entry into this market.

Ultimately though I don't think Cisco will lose its place of dominance very easily. Brocade will be another competitor among the other switch vendors fighting over 25% of the market. But it sure will be interesting in the switch market for a while.