Dailydave mailing list archives

Passport, Magazines of Failure.


From: Dave Aitel <dave () immunitysec com>
Date: Fri, 31 Dec 2004 11:34:00 -0500

I think it's interesting to see that Passport failed. http://seattletimes.nwsource.com/html/businesstechnology/2002136272_passport31.html

It seemed like a good idea at the time, I'm sure. All the VCs I knew were telling me about its "compelling offering" and were extremely excited about it. Yet my sources internal to Microsoft felt it was a bit kludgy. On the other hand, everyone at MS loves Palladium (NGSCB), and it's possible we'll see a relaunch of "Passport" when we see Longhorn. Because with hardware tokens, we really can authenticate users as individuals, and Gates is already talking about how people should stop using passwords...

But I still think Passport was a good idea. Authentication is hard. It's a pain in the ass, and that means it's expensive. In fact, a lot of the gibberish that goes into doing a real portal is hard. I don't want to maintain a huge database just to hold user data. Why can't all the tiny companies like me offload it onto a trusted third party like Microsoft? I guess the small companies don't have 10K to spend on it. And Microsoft doesn't want to do it for free, or for regulatory reasons can't just offer it to every Tom, Dick, and Harry on the interweb.

But that doesn't mean the whole idea has to die. The open source community should take it as a mandate to fill the void. We won't though, I'm sure. Much like Bush can't really move a carrier group onto the shores of Indonesia as floating hospitals and aid stations, the OS community can't tackle something this politically complex this quickly.

Anyways, I meant to make fun of Chris Wysopal/Weld's netcat overflow, but not in a mean way. So consider that done, please. Weld was head of R&D over at @stake, and I hear he still runs SRA. I think it's extremely funny how much money has gone into SRA, Fortify, and the rest of the source/binary analysis products and how amazingly nothing they all have to show for it. You KNOW that if any of them actually had a product that could produce any kind of results, it would be "Samba bug of the day" month.

It's interesting because you can see the VC money pouring into these companies, and you can imagine the meetings they're having a few years later when it turns out they completely misjudged how hard the problem was. I notice Fortify now has an "Attack Simulation" product. Some sort of customized debugger, I have to guess. Maybe eventually they'll build a fuzzer into it. They have 3 more years until the 5-year "VC wants money back" mark comes up and bites them on the ass, so it'll be interesting to see.

At least Fortify is still trying though. Check out this sample from Cigital:
"Cigital offers enterprise-level software development process improvement programs that leverage SQM while increasing productivity on current and future projects."

Someone needs to fire their Marketing VP. Compare and contrast these self-serving "magazines": http://www.sqmmagazine.com/ versus http://www.sbq.com/. There must have been an article in the Harvard Business Review that mentioned starting your own trade magazine as something for floundering start-ups to do. Then, of course, the inevitable "all-electronic" format failure message looks real good on the website.

Anyways, Happy New Year, everyone! May next year's worms be more interesting than last year's!

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave